R3303-HP HSR6800 Routers Security Configuration Guide
112
Task Remarks
Basic configuration for MAC authentication:
• Configuring MAC authentication globally
• Configuring MAC authentication on a port
Required.
Specifying a MAC authentication domain Optional.
Basic configuration for MAC authentication
Before you perform basic configuration for MAC authentication, complete the following tasks:
• Create and configure an authentication domain, also called "an ISP domain."
• For local authentication, create local user accounts, and specify the lan-access service for the
accounts.
• For RADIUS authentication, check that the device and the RADIUS server can reach each other, and
create user accounts on the RADIUS server.
If you are using MAC-based accounts, make sure the username and password for each account is the
same as the MAC address of the MAC authentication users.
Configuring MAC authentication globally
MAC authentication can take effect on a port only when it is enabled globally and on the port.
To configure MAC authentication globally:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enable MAC
authentication
globally.
mac-authentication Disabled by default.
3. Configure MAC
authentication
timers.
mac-authentication timer
{ offline-detect offline-detect-value |
quiet quiet-value | server-timeout
server-timeout-value }
Optional.
By default, the offline detect timer is 300
seconds, the quiet timer is 60 seconds, and
the server timeout timer is 100 seconds.
4. Configure the
properties of MAC
authentication user
accounts.
mac-authentication
user-name-format { fixed [ account
name ] [ password { cipher |
simple } password ] | mac-address
[ { with-hyphen | without-hyphen }
[ lowercase | uppercase ] ] }
Optional.
By default, the username and password for
a MAC authentication user account must be
a MAC address (without hyphens) in lower
case.
NOTE:
W
hen global MAC authentication is enabled, the EAD fast deployment function cannot take effect. For
more information, see "Configuring 802.1X."