R3303-HP HSR6800 Routers Security Configuration Guide

118
Index=52 , Username=aaa@2000
IP=N/A
IPv6=N/A
MAC=00e0-fc12-3456
Total 1 connection(s) matched on slot 3.
Total 1 connection(s) matched.
ACL assignment configuration example
Network requirements
As shown in Figure 43, a host connects to port GigabitEthernet 3/0/1 of the router, and the router uses RADIUS servers to perform authentication, authorization, and accounting.
Perform MAC authentication on port GigabitEthernet 3/0/1 to control Internet access. Make sure an authenticated user can access the Internet but not the FTP server at 10.0.0.1.
Use MAC-based user accounts for MAC authentication users. The MAC addresses are hyphen-separated and in lower case.
Figure 43 Network diagram
Configuration procedure
1. Make sure the RADIUS server and the router can reach each other.
2. Configure the ACL assignment on the router:
Configure ACL 3000 to deny packets destined for 10.0.0.1.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Sysname-acl-adv-3000] quit
3. Configure RADIUS-based MAC authentication on the router:
# Configure a RADIUS scheme.
[Sysname] radius scheme 2000
[Sysname-radius-2000] primary authentication 10.1.1.1 1812
[Sysname-radius-2000] primary accounting 10.1.1.2 1813
[Sysname-radius-2000] key authentication simple abc
[Sysname-radius-2000] key accounting simple abc
Figure 43 labels (diagram image not reproduced): Internet; Router; Host (IP: 192.168.1.10/24, MAC: 00-e0-fc-12-34-56) on GE3/0/1; FTP server 10.0.0.1/24; RADIUS servers (Auth: 10.1.1.1, Acct: 10.1.1.2).
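As an added illustration of step 2 and of the MAC-based account requirement above (example code written for this page, not taken from the guide or from Comware), the following model parses the ACL 3000 rule, applies Comware wildcard-mask matching (0 bits must match, 1 bits are ignored, so a mask of 0 means exactly one host) to candidate destinations, and derives the hyphen-separated lowercase account name from the MAC as the router displays it. Treating traffic that matches no rule as permitted is an assumption made so the model reflects the stated requirement (Internet reachable, 10.0.0.1 not).

```python
import ipaddress
import re
from dataclasses import dataclass

# Supported subset of the Comware rule syntax shown in the guide (constructed parser).
RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+ip\s+destination\s+"
    r"(?P<dst>[\d.]+)\s+(?P<wc>[\d.]+)$"
)

@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    dst: int         # destination address as a 32-bit integer
    wildcard: int    # wildcard mask as a 32-bit integer

def parse_rule(line: str) -> Rule:
    """Parse one 'rule N deny|permit ip destination A.B.C.D WC' line."""
    m = RULE_RE.search(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    wc = m.group("wc")
    wc_addr = "0.0.0.0" if wc == "0" else wc    # "0" is the single-host shorthand
    return Rule(int(m.group("id")), m.group("action"),
                int(ipaddress.IPv4Address(m.group("dst"))),
                int(ipaddress.IPv4Address(wc_addr)))

def evaluate(rules, dst_ip: str) -> str:
    """Return the action of the lowest-numbered matching rule.
    Unmatched traffic is permitted (assumption for this model)."""
    ip = int(ipaddress.IPv4Address(dst_ip))
    for r in sorted(rules, key=lambda r: r.rule_id):
        care = ~r.wildcard & 0xFFFFFFFF          # bits that must match exactly
        if ip & care == r.dst & care:
            return r.action
    return "permit"

def mac_account_name(device_mac: str) -> str:
    """Turn a MAC as displayed by the router (00e0-fc12-3456) into the
    hyphen-separated lowercase form required for MAC-based user accounts."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", device_mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {device_mac!r}")
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

# ACL 3000 exactly as configured in step 2 of the procedure.
ACL_3000 = [parse_rule("rule 0 deny ip destination 10.0.0.1 0")]

if __name__ == "__main__":
    print(mac_account_name("00e0-fc12-3456"))   # 00-e0-fc-12-34-56
    print(evaluate(ACL_3000, "10.0.0.1"))        # deny (the FTP server)
    print(evaluate(ACL_3000, "10.0.0.2"))        # permit (wildcard 0 matches one host only)
```

Feeding the model a wider wildcard (for example `0.0.0.255`) shows how a mistyped mask would silently widen the deny from the one FTP server to the whole 10.0.0.0/24 range, which is worth checking before the ACL is assigned to users.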