Example: Configuring port security in macAddressElseUserLoginSecure mode

Network configuration

As shown in Figure 96, a client is connected to the device through HundredGigE 1/0/1. The device authenticates the client by a RADIUS server in ISP domain sun. If the authentication succeeds, the client is authorized to access the Internet.

Configure HundredGigE 1/0/1 of the device to meet the following requirements:

Figure 96: Network diagram

Procedure

Make sure the host and the RADIUS server can reach each other.

  1. Configure RADIUS authentication/accounting and ISP domain settings. (See "Example: Configuring port security in userLoginWithOUI mode.")

  2. Configure port security:

    # Enable port security.

    <Device> system-view
    [Device] port-security enable
    

    # Use MAC-based accounts for MAC authentication. Each MAC address must be in the hexadecimal notation with hyphens, and letters are in upper case.

    [Device] mac-authentication user-name-format mac-address with-hyphen uppercase
    

    # Specify the MAC authentication domain.

    [Device] mac-authentication domain sun
    

    # Set the 802.1X authentication method to CHAP. By default, the authentication method for 802.1X is CHAP.

    [Device] dot1x authentication-method chap
    

    # Set port security's limit on the number of MAC addresses to 64 on the port.

    [Device] interface hundredgige 1/0/1
    [Device-HundredGigE1/0/1] port-security max-mac-count 64
    

    # Set the port security mode to macAddressElseUserLoginSecure.

    [Device-HundredGigE1/0/1] port-security port-mode mac-else-userlogin-secure
    

    # Specify ISP domain sun as the mandatory authentication domain for 802.1X users.

    [Device-HundredGigE1/0/1] dot1x mandatory-domain sun
    

    # Set the NTK mode of the port to ntkonly.

    [Device-HundredGigE1/0/1] port-security ntk-mode ntkonly
    [Device-HundredGigE1/0/1] quit
    

Verifying the configuration

# Verify the port security configuration.

[Device] display port-security interface hundredgige 1/0/1
Global port security parameters:
   Port security          : Enabled
   AutoLearn aging time   : 30 min
   Disableport timeout    : 30 s
   MAC move               : Denied
   Authorization fail     : Online
   NAS-ID profile         : Not configured
   Dot1x-failure trap     : Disabled
   Dot1x-logon trap       : Disabled
   Dot1x-logoff trap      : Disabled
   Intrusion trap         : Disabled
   Address-learned trap   : Disabled
   Mac-auth-failure trap  : Disabled
   Mac-auth-logon trap    : Disabled
   Mac-auth-logoff trap   : Disabled
   Open authentication    : Disabled
   OUI value list

 HundredGigE1/0/1 is link-up
   Port mode                      : macAddressElseUserLoginSecure
   NeedToKnow mode                : NeedToKnowOnly
   Intrusion protection mode      : NoAction
   Security MAC address attribute
      Learning mode               : Sticky 
      Aging type                  : Periodical
   Max secure MAC addresses       : 64
   Current secure MAC addresses   : 0
   Authorization                  : Permitted
   NAS-ID profile                 : Not configured
   Free VLANs                     : Not configured
   Open authentication            : Disabled

# After users pass authentication, display MAC authentication information. Verify that HundredGigE 1/0/1 allows multiple MAC authentication users to be authenticated.

[Device] display mac-authentication interface hundredgige 1/0/1
Global MAC authentication parameters:
   MAC authentication     : Enabled
   User name format       : MAC address in uppercase(XX-XX-XX-XX-XX-XX)
           Username       : mac
           Password       : Not configured
   Offline detect period  : 300 s
   Quiet period           : 180 s
   Server timeout         : 100 s
   Reauth period          : 3600 s
   Authentication domain  : sun
 Online MAC-auth users    : 3

 Silent MAC users:
          MAC address       VLAN ID  From port               Port index

HundredGigE1/0/1 is link-up
   MAC authentication         : Enabled
   Carry User-IP              : Disabled
   Authentication domain      : Not configured
   Auth-delay timer           : Disabled
   Periodic reauth            : Disabled
   Re-auth server-unreachable : Logoff
   Guest VLAN                 : Not configured
   Guest VLAN auth-period     : 30 s
   Critical VLAN              : Not configured
   Critical voice VLAN        : Disabled
   Host mode                  : Single VLAN
   Offline detection          : Enabled
   Authentication order       : Default
   Guest VSI                  : Not configured
   Guest VSI auth-period      : 30 s
   Critical VSI               : Not configured
   Max online users           : 4294967295
   Authentication attempts    : successful 3, failed 7
   Current online users       : 3
          MAC address       Auth state
          1234-0300-0011    Authenticated
          1234-0300-0012    Authenticated
          1234-0300-0013    Authenticated

# Display 802.1X authentication information. Verify that HundredGigE 1/0/1 allows only one 802.1X user to be authenticated.

[Device] display dot1x interface hundredgige 1/0/1
Global 802.1X parameters:
   802.1X authentication  : Enabled
   CHAP authentication    : Enabled
   Max-tx period          : 30 s
   Handshake period       : 15 s
   Quiet timer            : Disabled
       Quiet period       : 60 s
   Supp timeout           : 30 s
   Server timeout         : 100 s
   Reauth period          : 3600 s
   Max auth requests      : 2
   EAD assistant function : Disabled
       EAD timeout        : 30 min
   Domain delimiter       : @
 Online 802.1X users      : 1

 HundredGigE1/0/1  is link-up
   802.1X authentication      : Enabled
   Handshake                  : Enabled
   Handshake reply            : Disabled
   Handshake security         : Disabled
   Unicast trigger            : Disabled
   Periodic reauth            : Disabled
   Port role                  : Authenticator
   Authorization mode         : Auto
   Port access control        : MAC-based
   Multicast trigger          : Enabled
   Mandatory auth domain      : sun
   Guest VLAN                 : Not configured
   Auth-Fail VLAN             : Not configured
   Critical VLAN              : Not configured
   Critical voice VLAN        : Disabled
   Add Guest VLAN delay       : Disabled
   Re-auth server-unreachable : Logoff
   Max online users           : 4294967295
   User IP freezing           : Disabled
   Reauth period              : 60 s
   Send Packets Without Tag   : Disabled
   Max Attempts Fail Number   : 0
   Auth-Fail VSI              : Not configured
   Critical VSI               : Not configured
   Add Guest VSI delay        : Disabled

   EAPOL packets: Tx 16331, Rx 102
   Sent EAP Request/Identity packets : 16316
        EAP Request/Challenge packets: 6
        EAP Success packets: 4
        EAP Failure packets: 5
   Received EAPOL Start packets : 6
            EAPOL LogOff packets: 2
            EAP Response/Identity packets : 80
            EAP Response/Challenge packets: 6
            Error packets: 0
   Online 802.1X users: 1
          MAC address         Auth state
          0002-0000-0011      Authenticated

# Verify that frames with an unknown destination MAC address, multicast address, or broadcast address are discarded. (Details not shown.)