H3C HSW-2024G User Manual

Operation Manual – Centralized MAC Address Authentication H3C S3100-52P Ethernet Switch

Table of Contents
Chapter 1 Centralized MAC Address Authentication Configuration
1.1 Centralized MAC Address Authentication Overview
1.2 Centralized MAC Address Authentication Configuration
1.3 Displaying and Debugging Centralized MAC Address Authentication
1.4 Centralized MAC Address Authentication Configuration Example

Chapter 1 Centralized MAC Address Authentication Configuration
1.1 Centralized MAC Address Authentication Overview
Centralized MAC address authentication is port- and MAC address-based authentication used to control user permissions to access a network. Centralized MAC address authentication can be performed without client-side software. With this type of authentication employed, a switch authenticates a user upon detecting the MAC address of the user for the first time.
Centralized MAC address authentication can be implemented in the following two modes:
• MAC address mode, where the user MAC address serves as both the user name and the password.
• Fixed mode, where user names and passwords are configured on a switch in advance. In this case, every user corresponds to a specific user name and password configured on the switch.
On the S3100-52P Ethernet Switch, authentication can be performed locally or on a RADIUS server.
1) When a RADIUS server is used for authentication, the switch serves as a RADIUS client. Authentication is carried out through the cooperation of the switch and the RADIUS server.
• In MAC address mode, a switch sends the detected user MAC addresses to the RADIUS server as both user names and passwords. The remaining handling procedures are the same as those of common RADIUS authentication.
• In fixed mode, a switch sends the user name and password previously configured for the user to be authenticated to the RADIUS server and replaces the calling-station-id field of the RADIUS packet with the MAC address of the user. The remaining handling procedures are the same as those of common RADIUS authentication.
• A user can access a network upon passing the authentication performed by the RADIUS server.
2) When authentication is performed locally, users are authenticated by the switch. In this case:
• For MAC address mode, you can specify the format in which the MAC addresses used as both user name and password are entered by executing the corresponding commands, that is, whether or not MAC addresses are provided in hyphenated form. The input format must be the same as the configured format; otherwise, the authentication will fail.
• For fixed mode, configure the local user names and passwords as those for fixed mode.
• The service type of a local user needs to be configured as lan-access.
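The format-matching rule for MAC address mode described above can be checked against an account list before users are locked out. The following Python is an added example, not part of the H3C manual; it assumes the hyphenated form is six lowercase hex pairs joined by hyphens and the non-hyphenated form is twelve lowercase hex digits, and the function names and sample accounts are hypothetical.

```python
import re

# Assumption: hyphenated form is six lowercase hex pairs joined by "-",
# non-hyphenated form is twelve lowercase hex digits. The manual page does
# not spell out the exact layout; adjust format_mac() to match the switch.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def parse_mac(text):
    """Return 12 lowercase hex digits, or None if text is not a MAC address."""
    digits = re.sub(r"[-:.]", "", text.strip().lower())
    return digits if _HEX12.match(digits) else None

def format_mac(digits, hyphenated):
    """Render 12 hex digits in the format configured on the switch."""
    if not hyphenated:
        return digits
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_accounts(accounts, hyphenated):
    """Return (username, reason) for each account that would fail to authenticate."""
    findings = []
    for username, password in accounts:
        digits = parse_mac(username)
        if digits is None:
            findings.append((username, "username is not a MAC address"))
            continue
        expected = format_mac(digits, hyphenated)
        if username != expected:
            findings.append((username, f"wrong format, expected {expected}"))
        elif password != username:
            # In MAC address mode the MAC is both user name and password.
            findings.append((username, "password differs from user name"))
    return findings

# Constructed sample accounts (not from the manual).
SAMPLE_ACCOUNTS = [
    ("00-0d-88-f6-44-c1", "00-0d-88-f6-44-c1"),  # valid in hyphenated mode
    ("000d88f644c2", "000d88f644c2"),            # stored without hyphens
    ("00-0D-88-F6-44-C3", "00-0D-88-F6-44-C3"),  # upper case
    ("00-0d-88-f6-44-c4", "000d88f644c4"),       # password in the other format
    ("printer-lobby", "printer-lobby"),          # fixed-mode style name
]

if __name__ == "__main__":
    for user, reason in audit_accounts(SAMPLE_ACCOUNTS, hyphenated=True):
        print(f"{user}: {reason}")
```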
1.2 Centralized MAC Address Authentication Configuration
The following are centralized MAC address authentication configuration tasks:
• Enabling Centralized MAC Address Authentication Globally
• Enabling Centralized MAC Address Authentication for a Port
• Configuring Centralized MAC Address Authentication Mode
• Configuring the ISP Domain for MAC Address Authentication Users
• Configuring the Timers Used in Centralized MAC Address Authentication
Caution:
The configuration of the maximum number of learned MAC addresses (refer to the mac-address max-mac-count command) is unavailable for the ports with centralized MAC address authentication enabled. Similarly, the centralized MAC address authentication is unavailable for the ports with the maximum number of learned MAC addresses configured.
1.2.1 Enabling Centralized MAC Address Authentication Globally
Table 1-1 Enable centralized MAC address authentication
Operation | Command | Description
Enter system view | system-view | -
Enable centralized MAC address authentication globally | mac-authentication | Required. By default, centralized MAC address authentication is globally disabled.
1.2.2 Enabling Centralized MAC Address Authentication for a Port
You can enable centralized MAC address authentication for a port in system view or in Ethernet port view.