Example: Configuring port security in userLoginWithOUI mode
Network configuration
As shown in Figure 95, a client is connected to the device through HundredGigE 1/0/1. The device authenticates the client with a RADIUS server in ISP domain sun. If the authentication succeeds, the client is authorized to access the Internet.
The RADIUS server at 192.168.1.2 acts as the primary authentication server and the secondary accounting server. The RADIUS server at 192.168.1.3 acts as the secondary authentication server and the primary accounting server. The shared key for authentication is name, and the shared key for accounting is money.
All users use the authentication, authorization, and accounting methods of ISP domain sun.
The RADIUS server response timeout time is 5 seconds. The maximum number of RADIUS packet retransmission attempts is 5. The device sends real-time accounting packets to the RADIUS server at 15-minute intervals, and sends usernames without domain names to the RADIUS server.
Configure HundredGigE 1/0/1 to allow only one 802.1X user and one user whose MAC address matches one of the specified OUI values to be authenticated.
Figure 95: Network diagram
Procedure
The following configuration steps cover some AAA/RADIUS configuration commands. For more information about the commands, see Security Command Reference.
Make sure the host and the RADIUS server can reach each other.
Configure AAA:
# Configure a RADIUS scheme named radsun.
<Device> system-view
[Device] radius scheme radsun
[Device-radius-radsun] primary authentication 192.168.1.2
[Device-radius-radsun] primary accounting 192.168.1.3
[Device-radius-radsun] secondary authentication 192.168.1.3
[Device-radius-radsun] secondary accounting 192.168.1.2
[Device-radius-radsun] key authentication simple name
[Device-radius-radsun] key accounting simple money
[Device-radius-radsun] timer response-timeout 5
[Device-radius-radsun] retry 5
[Device-radius-radsun] timer realtime-accounting 15
[Device-radius-radsun] user-name-format without-domain
[Device-radius-radsun] quit
# Configure ISP domain sun.
[Device] domain sun
[Device-isp-sun] authentication lan-access radius-scheme radsun
[Device-isp-sun] authorization lan-access radius-scheme radsun
[Device-isp-sun] accounting lan-access radius-scheme radsun
[Device-isp-sun] quit
Configure 802.1X:
# Set the 802.1X authentication method to CHAP. (CHAP is the default 802.1X authentication method, so this step only makes the setting explicit.)
[Device] dot1x authentication-method chap
# Specify ISP domain sun as the mandatory authentication domain for 802.1X users on HundredGigE 1/0/1.
[Device] interface hundredgige 1/0/1
[Device-HundredGigE1/0/1] dot1x mandatory-domain sun
[Device-HundredGigE1/0/1] quit
Configure port security:
# Enable port security.
[Device] port-security enable
# Add five OUI values. (You can add up to 16 OUI values. The port permits only one user whose MAC address matches one of the OUIs to pass authentication. The device keeps only the first 24 bits of each configured address as the OUI, so 1234-0100-1111 is stored as OUI 123401.)
[Device] port-security oui index 1 mac-address 1234-0100-1111
[Device] port-security oui index 2 mac-address 1234-0200-1111
[Device] port-security oui index 3 mac-address 1234-0300-1111
[Device] port-security oui index 4 mac-address 1234-0400-1111
[Device] port-security oui index 5 mac-address 1234-0500-1111
# Set the port security mode to userLoginWithOUI.
[Device] interface hundredgige 1/0/1
[Device-HundredGigE1/0/1] port-security port-mode userlogin-withoui
[Device-HundredGigE1/0/1] quit
Verifying the configuration
# Verify that HundredGigE 1/0/1 allows only one 802.1X user to be authenticated.
[Device] display port-security interface hundredgige 1/0/1
Global port security parameters:
   Port security                : Enabled
   AutoLearn aging time         : 30 min
   Disableport timeout          : 30 s
   MAC move                     : Denied
   Authorization fail           : Online
   NAS-ID profile               : Not configured
   Dot1x-failure trap           : Disabled
   Dot1x-logon trap             : Disabled
   Dot1x-logoff trap            : Disabled
   Intrusion trap               : Disabled
   Address-learned trap         : Disabled
   Mac-auth-failure trap        : Disabled
   Mac-auth-logon trap          : Disabled
   Mac-auth-logoff trap         : Disabled
   Open authentication          : Disabled
   OUI value list               :
     Index : 1      Value : 123401
     Index : 2      Value : 123402
     Index : 3      Value : 123403
     Index : 4      Value : 123404
     Index : 5      Value : 123405

HundredGigE1/0/1 is link-up
   Port mode                    : userLoginWithOUI
   NeedToKnow mode              : Disabled
   Intrusion protection mode    : NoAction
   Security MAC address attribute
      Learning mode             : Sticky
      Aging type                : Periodical
   Max secure MAC addresses     : Not configured
   Current secure MAC addresses : 1
   Authorization                : Permitted
   NAS-ID profile               : Not configured
   Free VLANs                   : Not configured
   Open authentication          : Disabled
# Display information about the online 802.1X user to verify 802.1X configuration.
[Device] display dot1x
# Verify that the port also allows one user whose MAC address has an OUI among the specified OUIs to pass authentication.
[Device] display mac-address interface hundredgige 1/0/1
MAC Address      VLAN ID   State     Port/NickName   Aging
1234-0300-0011   1         Learned   HGE1/0/1        Y
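As an added check that is not part of this configuration guide, the following Python script parses constructed excerpts of the display port-security and display mac-address output shown above and confirms what the userLoginWithOUI verification expects: the port mode, the OUI list (the device stores only the first 24 bits of each configured address, so 1234-0100-1111 appears as 123401), and that the learned MAC 1234-0300-0011 matches OUI index 3. The output excerpts and their column spacing are constructed from this example and are assumptions about the exact device format.

```python
import re

# Constructed excerpt of the "display port-security" output from this example.
PORT_SECURITY_OUTPUT = """\
   OUI value list               :
     Index : 1      Value : 123401
     Index : 2      Value : 123402
     Index : 3      Value : 123403
     Index : 4      Value : 123404
     Index : 5      Value : 123405
HundredGigE1/0/1 is link-up
   Port mode                    : userLoginWithOUI
"""
# Constructed excerpt of the "display mac-address" output from this example.
MAC_TABLE_OUTPUT = """\
MAC Address      VLAN ID   State     Port/NickName   Aging
1234-0300-0011   1         Learned   HGE1/0/1        Y
"""

def oui_of(mac):
    """First 24 bits of a Comware-style MAC (xxxx-xxxx-xxxx) as six lowercase hex digits."""
    return re.sub(r"[^0-9a-fA-F]", "", mac)[:6].lower()

def parse_oui_list(output):
    """Map OUI index -> value from the 'OUI value list' section of display port-security."""
    return {int(i): v.lower() for i, v in
            re.findall(r"Index\s*:\s*(\d+)\s+Value\s*:\s*([0-9a-fA-F]{6})", output)}

def parse_port_mode(output):
    m = re.search(r"Port mode\s*:\s*(\S+)", output)
    return m.group(1) if m else None

def parse_learned_macs(output):
    return re.findall(r"^([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s", output, re.M)

def check_port(ps_output, mac_output, expected_mode="userLoginWithOUI"):
    """Return (ok, findings, matched): expected mode, every learned MAC matches an OUI, at most one such user."""
    findings, matched = [], []
    mode = parse_port_mode(ps_output)
    if mode != expected_mode:
        findings.append(f"port mode is {mode}, expected {expected_mode}")
    ouis = parse_oui_list(ps_output)
    for mac in parse_learned_macs(mac_output):
        idx = next((i for i, v in ouis.items() if v == oui_of(mac)), None)
        if idx is None:
            findings.append(f"{mac} matches no configured OUI")
        else:
            matched.append((mac, idx))
    if len(matched) > 1:
        findings.append("more than one OUI-matched user; userLoginWithOUI allows only one")
    return (not findings, findings, matched)
```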