R3303-HP HSR6800 Routers Security Configuration Guide

[Router] display mac-address interface gigabitethernet 3/0/1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
1234-0300-0011 1 Learned GigabitEthernet3/0/1 AGING
--- 1 mac address(es) found ---
Configuring the macAddressElseUserLoginSecure mode
Network requirements
As shown in Figure 69, a client is connected to the Router through GigabitEthernet 3/0/1. The Router
authenticates the client by a RADIUS server. If the authentication succeeds, the client is authorized to
access the Internet.
Restrict port GigabitEthernet 3/0/1 of the Router:
Allow more than one MAC authenticated user to log on.
For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X
authentication. Allow only one 802.1X user to log on.
Use the hyphenated, lowercased MAC address of a user as both the username and password for
MAC authentication of the user.
Set the total number of MAC authenticated users and 802.1X authenticated users to 64.
Enable NTK to prevent frames from being sent to unknown MAC addresses.
Configuration procedure
Configuration procedures for the host and RADIUS servers are not shown.
1. Configure the RADIUS protocol:
Configure the RADIUS authentication/accounting and ISP domain settings the same as in
"Configuring the userLoginWithOUI mode."
2. Configure port security:
# Enable port security.
<Router> system-view
[Router] port-security enable
# Use MAC-based user accounts for MAC authentication users. Each MAC address must be
hyphenated and in lowercase.
[Router] mac-authentication user-name-format mac-address with-hyphen lowercase
# Specify ISP domain sun for MAC authentication.
[Router] mac-authentication domain sun
# Set the 802.1X authentication method to CHAP. (This configuration is optional. By default, the
authentication method is CHAP for 802.1X.)
[Router] dot1x authentication-method chap
# Set port security's limit on the number of MAC addresses to 64 on the port.
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
[Router-GigabitEthernet3/0/1] port-security port-mode mac-else-userlogin-secure
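As an added example that is not part of the HP guide, the following Python script audits a constructed `display current-configuration` excerpt for this scenario and reports which of the required port-security commands are missing on a given port. The NTK command line `port-security ntk-mode ntkonly` is assumed from Comware syntax, since this excerpt ends before the NTK step is shown.

```python
from typing import Dict, List

# Constructed sample of running-config output for the scenario on this page
# (not captured from a real router). A '#' line closes each stanza.
SAMPLE_CONFIG = """\
#
 port-security enable
 mac-authentication user-name-format mac-address with-hyphen lowercase
 mac-authentication domain sun
 dot1x authentication-method chap
#
interface GigabitEthernet3/0/1
 port-security max-mac-count 64
 port-security port-mode mac-else-userlogin-secure
 port-security ntk-mode ntkonly
#
interface GigabitEthernet3/0/2
 port-security max-mac-count 64
#
"""

def parse_config(text: str) -> Dict[str, List[str]]:
    """Split Comware config into system-view commands and per-interface stanzas."""
    sections: Dict[str, List[str]] = {"system-view": []}
    current = "system-view"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = "system-view"  # stanza terminator: back to system view
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]  # e.g. GigabitEthernet3/0/1
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections

# Commands the scenario requires, matched as exact configuration lines.
GLOBAL_REQUIRED = [
    "port-security enable",
    "mac-authentication user-name-format mac-address with-hyphen lowercase",
    "mac-authentication domain sun",
]
PORT_REQUIRED = [
    "port-security max-mac-count 64",
    "port-security port-mode mac-else-userlogin-secure",
    "port-security ntk-mode ntkonly",  # assumed NTK syntax (see lead-in)
]

def audit(text: str, port: str) -> List[str]:
    """Return the required commands that are missing for the given port."""
    sections = parse_config(text)
    missing = [c for c in GLOBAL_REQUIRED if c not in sections["system-view"]]
    missing += [c for c in PORT_REQUIRED if c not in sections.get(port, [])]
    return missing
```

Running `audit(SAMPLE_CONFIG, "GigabitEthernet3/0/2")` flags the second port, which has the MAC limit but neither the secure mode nor NTK.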