R3303-HP HSR6800 Routers Security Configuration Guide
[Router] display mac-address interface gigabitethernet 3/0/1
MAC ADDR         VLAN ID   STATE     PORT INDEX             AGING TIME(s)
1234-0300-0011   1         Learned   GigabitEthernet3/0/1   AGING
--- 1 mac address(es) found ---
Configuring the macAddressElseUserLoginSecure mode
Network requirements
As shown in Figure 69, a client is connected to the Router through GigabitEthernet 3/0/1. The Router
authenticates the client by a RADIUS server. If the authentication succeeds, the client is authorized to
access the Internet.
Restrict port GigabitEthernet 3/0/1 of the Router:
• Allow more than one MAC authenticated user to log on.
• For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X
authentication. Allow only one 802.1X user to log on.
• Use the hyphenated, lowercased MAC address of a user as both the username and password for
MAC authentication of the user.
• Set the total number of MAC authenticated users and 802.1X authenticated users to 64.
• Enable NTK to prevent frames from being sent to unknown MAC addresses.
Configuration procedure
Configuration procedures for the host and RADIUS servers are not shown.
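Because the RADIUS side is not shown, the following added example (not part of the original guide) builds the MAC authentication accounts that the "hyphenated, lowercased MAC address as both username and password" requirement implies. It assumes a FreeRADIUS "users" file as the account store; the function names and the sample inventory are constructed for illustration. The with-hyphen username format uses six two-digit groups, not the three-group form that display mac-address prints.

```python
import re

_HEX12 = re.compile(r"[0-9a-f]{12}")


def mac_auth_username(mac: str) -> str:
    """Return a MAC address as xx-xx-xx-xx-xx-xx (hyphenated, lowercase).

    Accepts the notations an inventory export typically mixes:
    1234-0300-0011, 12:34:03:00:00:11, 1234.0300.0011, 123403000011.
    """
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # A frame's source MAC is never a group (multicast/broadcast) address,
    # so such an entry in the inventory is a data error, not a host.
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"group address cannot identify a host: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def radius_user_entries(macs):
    """Build users-file lines (assumed FreeRADIUS syntax) for each host.

    Username and password are the same string, as the requirement states.
    Duplicates written in different notations collapse to one account.
    """
    seen, lines = set(), []
    for mac in macs:
        name = mac_auth_username(mac)
        if name in seen:
            continue
        seen.add(name)
        lines.append(f'{name} Cleartext-Password := "{name}"')
    return lines


# Constructed sample inventory: the first two entries are the same host.
SAMPLE_MACS = [
    "1234-0300-0011",
    "12:34:03:00:00:11",
    "00E0.FC12.3456",
    "00e0fc00abcd",
]

if __name__ == "__main__":
    print("\n".join(radius_user_entries(SAMPLE_MACS)))
```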
1. Configure the RADIUS protocol:
Configure the RADIUS authentication/accounting and ISP domain settings the same as in
"Configuring the userLoginWithOUI mode."
2. Configure port security:
# Enable port security.
<Router> system-view
[Router] port-security enable
# Use MAC-based user accounts for MAC authentication users. Each MAC address must be
hyphenated and in lowercase.
[Router] mac-authentication user-name-format mac-address with-hyphen lowercase
# Specify ISP domain sun for MAC authentication.
[Router] mac-authentication domain sun
# Set the 802.1X authentication method to CHAP. (This configuration is optional. By default, the
authentication method is CHAP for 802.1X.)
[Router] dot1x authentication-method chap
[Router] interface gigabitethernet 3/0/1
# Set port security's limit on the number of MAC addresses to 64 on the port.
[Router-GigabitEthernet3/0/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
[Router-GigabitEthernet3/0/1] port-security port-mode mac-else-userlogin-secure