Example: Configuring port security in macAddressElseUserLoginSecure mode
Network configuration
As shown in Figure 96, a client is connected to the device through HundredGigE 1/0/1. The device authenticates the client by a RADIUS server in ISP domain sun. If the authentication succeeds, the client is authorized to access the Internet.
Configure HundredGigE 1/0/1 of the device to meet the following requirements:
Allow more than one MAC authenticated user to log on.
For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X authentication. Allow only one 802.1X user to log on.
Use the MAC address of each user as the username and password for authentication. Each MAC address is in hexadecimal notation with hyphens, and letters are in upper case.
Set the total number of MAC authenticated users and 802.1X authenticated users to 64.
Enable NTK (ntkonly mode) to prevent frames from being sent to unknown MAC addresses.
Figure 96: Network diagram
Procedure
Make sure the host and the RADIUS server can reach each other.
Configure RADIUS authentication/accounting and ISP domain settings. (See "Example: Configuring port security in userLoginWithOUI mode.")
Configure port security:
# Enable port security.
<Device> system-view
[Device] port-security enable
# Use MAC-based accounts for MAC authentication. Each MAC address must be in hexadecimal notation with hyphens, and letters are in upper case.
[Device] mac-authentication user-name-format mac-address with-hyphen uppercase
# Specify the MAC authentication domain.
[Device] mac-authentication domain sun
# Set the 802.1X authentication method to CHAP. By default, the authentication method for 802.1X is CHAP.
[Device] dot1x authentication-method chap
# Set port security's limit on the number of MAC addresses to 64 on the port.
[Device] interface hundredgige 1/0/1
[Device-HundredGigE1/0/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
[Device-HundredGigE1/0/1] port-security port-mode mac-else-userlogin-secure
# Specify ISP domain sun as the mandatory authentication domain for 802.1X users.
[Device-HundredGigE1/0/1] dot1x mandatory-domain sun
# Set the NTK mode of the port to ntkonly.
[Device-HundredGigE1/0/1] port-security ntk-mode ntkonly
[Device-HundredGigE1/0/1] quit
Verifying the configuration
# Verify the port security configuration.
[Device] display port-security interface hundredgige 1/0/1
Global port security parameters:
   Port security              : Enabled
   AutoLearn aging time       : 30 min
   Disableport timeout        : 30 s
   MAC move                   : Denied
   Authorization fail         : Online
   NAS-ID profile             : Not configured
   Dot1x-failure trap         : Disabled
   Dot1x-logon trap           : Disabled
   Dot1x-logoff trap          : Disabled
   Intrusion trap             : Disabled
   Address-learned trap       : Disabled
   Mac-auth-failure trap      : Disabled
   Mac-auth-logon trap        : Disabled
   Mac-auth-logoff trap       : Disabled
   Open authentication        : Disabled
   OUI value list

HundredGigE1/0/1 is link-up
   Port mode                  : macAddressElseUserLoginSecure
   NeedToKnow mode            : NeedToKnowOnly
   Intrusion protection mode  : NoAction
   Security MAC address attribute
       Learning mode          : Sticky
       Aging type             : Periodical
   Max secure MAC addresses   : 64
   Current secure MAC addresses : 0
   Authorization              : Permitted
   NAS-ID profile             : Not configured
   Free VLANs                 : Not configured
   Open authentication        : Disabled
# After users pass authentication, display MAC authentication information. Verify that HundredGigE 1/0/1 allows multiple MAC authentication users to be authenticated.
[Device] display mac-authentication interface hundredgige 1/0/1
Global MAC authentication parameters:
 MAC authentication              : Enabled
 User name format                : MAC address in uppercase(XX-XX-XX-XX-XX-XX)
 Username                        : mac
 Password                        : Not configured
 Offline detect period           : 300 s
 Quiet period                    : 180 s
 Server timeout                  : 100 s
 Reauth period                   : 3600 s
 Authentication domain           : sun
 Online MAC-auth users           : 3

Silent MAC users:
 MAC address       VLAN ID   From port               Port index

HundredGigE1/0/1 is link-up
 MAC authentication              : Enabled
 Carry User-IP                   : Disabled
 Authentication domain           : Not configured
 Auth-delay timer                : Disabled
 Periodic reauth                 : Disabled
 Re-auth server-unreachable      : Logoff
 Guest VLAN                      : Not configured
 Guest VLAN auth-period          : 30 s
 Critical VLAN                   : Not configured
 Critical voice VLAN             : Disabled
 Host mode                       : Single VLAN
 Offline detection               : Enabled
 Authentication order            : Default
 Guest VSI                       : Not configured
 Guest VSI auth-period           : 30 s
 Critical VSI                    : Not configured
 Max online users                : 4294967295
 Authentication attempts         : successful 3, failed 7
 Current online users            : 3
         MAC address       Auth state
         1234-0300-0011    Authenticated
         1234-0300-0012    Authenticated
         1234-0300-0013    Authenticated
# Display 802.1X authentication information. Verify that HundredGigE 1/0/1 allows only one 802.1X user to be authenticated.
[Device] display dot1x interface hundredgige 1/0/1
Global 802.1X parameters:
 802.1X authentication          : Enabled
 CHAP authentication            : Enabled
 Max-tx period                  : 30 s
 Handshake period               : 15 s
 Quiet timer                    : Disabled
 Quiet period                   : 60 s
 Supp timeout                   : 30 s
 Server timeout                 : 100 s
 Reauth period                  : 3600 s
 Max auth requests              : 2
 EAD assistant function         : Disabled
 EAD timeout                    : 30 min
 Domain delimiter               : @
 Online 802.1X users            : 1

HundredGigE1/0/1 is link-up
 802.1X authentication          : Enabled
 Handshake                      : Enabled
 Handshake reply                : Disabled
 Handshake security             : Disabled
 Unicast trigger                : Disabled
 Periodic reauth                : Disabled
 Port role                      : Authenticator
 Authorization mode             : Auto
 Port access control            : MAC-based
 Multicast trigger              : Enabled
 Mandatory auth domain          : sun
 Guest VLAN                     : Not configured
 Auth-Fail VLAN                 : Not configured
 Critical VLAN                  : Not configured
 Critical voice VLAN            : Disabled
 Add Guest VLAN delay           : Disabled
 Re-auth server-unreachable     : Logoff
 Max online users               : 4294967295
 User IP freezing               : Disabled
 Reauth period                  : 60 s
 Send Packets Without Tag       : Disabled
 Max Attempts Fail Number       : 0
 Auth-Fail VSI                  : Not configured
 Critical VSI                   : Not configured
 Add Guest VSI delay            : Disabled
 EAPOL packets: Tx 16331, Rx 102
 Sent EAP Request/Identity packets : 16316
      EAP Request/Challenge packets: 6
      EAP Success packets: 4
      EAP Failure packets: 5
 Received EAPOL Start packets : 6
      EAPOL LogOff packets: 2
      EAP Response/Identity packets : 80
      EAP Response/Challenge packets: 6
      Error packets: 0
 Online 802.1X users: 1
          MAC address       Auth state
          0002-0000-0011    Authenticated
# Verify that frames with an unknown destination MAC address, multicast address, or broadcast address are discarded. (Details not shown.)
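The verification above is done by eye. As an added example (not part of the original configuration guide), the script below parses the display port-security interface output and checks the port against the requirements of this example (port mode macAddressElseUserLoginSecure, NTK mode ntkonly, 64 secure MAC addresses, port security enabled). The sample text is constructed from the fields shown above; the global/port split on the "is link-up" line is an assumption about the output layout.

```python
import re

# Constructed sample (not captured device output): the lines of the
# "display port-security interface" output above that the check reads.
SAMPLE = """\
Global port security parameters:
  Port security                : Enabled
  Open authentication          : Disabled
HundredGigE1/0/1 is link-up
  Port mode                    : macAddressElseUserLoginSecure
  NeedToKnow mode              : NeedToKnowOnly
  Max secure MAC addresses     : 64
  Current secure MAC addresses : 0
  Open authentication          : Disabled
"""
# This example's requirements, as the display values they should produce.
EXPECTED_GLOBAL = {"Port security": "Enabled"}
EXPECTED_PORT = {"Port mode": "macAddressElseUserLoginSecure",
                 "NeedToKnow mode": "NeedToKnowOnly",
                 "Max secure MAC addresses": "64"}

def parse_display(output):
    """Split a 'display ... interface' dump into (global, port) field dicts.
    Keys like 'Open authentication' occur in both sections, so the
    '<port> is link-up' line marks the boundary (assumed layout)."""
    sections = {"global": {}, "port": {}}
    current = "global"
    for line in output.splitlines():
        if re.match(r"^\S+ is link-(up|down)$", line.strip()):
            current = "port"
            continue
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            sections[current][m.group(1)] = m.group(2)
    return sections["global"], sections["port"]

def check_port_security(output):
    """Return 'scope key: got X, want Y' strings; empty list means compliant."""
    glob, port = parse_display(output)
    problems = []
    for scope, fields, expected in (("global", glob, EXPECTED_GLOBAL),
                                    ("port", port, EXPECTED_PORT)):
        for key, want in expected.items():
            got = fields.get(key, "<missing>")
            if got != want:
                problems.append(f"{scope} {key}: got {got}, want {want}")
    return problems

if __name__ == "__main__":
    print(check_port_security(SAMPLE) or "compliant")
```

Feed it the real output of the display command (for example, collected over SSH) to catch a port whose mode or NTK setting drifted after the configuration was applied.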