R3303-HP HSR6800 Routers Security Configuration Guide

Slot: 3
Index=52 , Username=00-15-e9-43-82-73@aabbcc.net
IP=N/A
IPv6=N/A
MAC=00e0-fc12-3456
Total 1 connection(s) matched on slot 3.
Total 1 connection(s) matched.
RADIUS-based MAC authentication configuration example
Network requirements
As shown in Figure 42, a host connects to port GigabitEthernet 3/0/1 on the router. The router uses
RADIUS servers for authentication, authorization, and accounting.
Perform MAC authentication on port GigabitEthernet 3/0/1 to control Internet access. Make sure the
following requirements are met:
• The router detects whether a user has gone offline every 180 seconds. If a user fails authentication,
  the router does not authenticate the user within 180 seconds.
• All MAC authentication users belong to ISP domain 2000 and share the user account aaa with
  password 123456.
Figure 42 Network diagram
Configuration procedure
1. Make sure the RADIUS server and the router can reach each other.
2. Create a shared account for MAC authentication users on the RADIUS server, and set the
username aaa and password 123456 for the account. (Details not shown.)
3. Configure the router:
# Configure a RADIUS scheme.
<Router> system-view
[Router] radius scheme 2000
[Router-radius-2000] primary authentication 10.1.1.1 1812
[Router-radius-2000] primary accounting 10.1.1.2 1813
[Router-radius-2000] key authentication abc
[Router-radius-2000] key accounting abc
[Router-radius-2000] user-name-format without-domain
[Figure 42 labels: Host, Router (GE3/0/1), IP network, RADIUS servers (Auth: 10.1.1.1, Acct: 10.1.1.2)]
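
The following Python check is an added example, not part of the HP guide: it parses the radius scheme commands shown in step 3 and flags shared keys that are missing, shorter than 16 characters, or reused across different servers. The 16-character threshold and the reuse rule are assumed local policy, and parse_schemes and audit are hypothetical helper names.

```python
import re

# Constructed sample: the RADIUS scheme commands from the procedure above.
SAMPLE = """\
<Router> system-view
[Router] radius scheme 2000
[Router-radius-2000] primary authentication 10.1.1.1 1812
[Router-radius-2000] primary accounting 10.1.1.2 1813
[Router-radius-2000] key authentication abc
[Router-radius-2000] key accounting abc
[Router-radius-2000] user-name-format without-domain
"""
MIN_KEY_LEN = 16  # assumed policy; RFC 2865 prefers secrets of at least 16 octets
PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*(.*)$")  # <Router> or [Router-...]

def parse_schemes(text):
    """Collect servers and keys per 'radius scheme' from a CLI transcript."""
    schemes, cur = {}, None
    for line in text.splitlines():
        m = PROMPT.match(line)
        words = (m.group(1) if m else line).split()
        if not words or words[0].startswith("#"):
            continue  # blank line or '# ...' step comment
        if words[:2] == ["radius", "scheme"] and len(words) == 3:
            cur = schemes.setdefault(words[2], {"servers": {}, "keys": {}})
        elif cur is not None and words[0] == "primary" and len(words) >= 3:
            cur["servers"][words[1]] = words[2]   # role -> server IP
        elif cur is not None and words[0] == "key" and len(words) >= 3:
            cur["keys"][words[1]] = words[-1]     # role -> key, plaintext as on the page
    return schemes

def audit(schemes):
    """Return (scheme, finding) tuples for missing, short, or reused shared keys."""
    findings = []
    for name, s in schemes.items():
        for role in ("authentication", "accounting"):
            key = s["keys"].get(role)
            if role not in s["servers"]:
                findings.append((name, f"no primary {role} server"))
            if key is None:
                findings.append((name, f"no {role} key"))
            elif len(key) < MIN_KEY_LEN:
                findings.append((name, f"{role} key shorter than {MIN_KEY_LEN} characters"))
        srv, keys = s["servers"], s["keys"]
        if (len(set(srv.values())) > 1 and len(keys) > 1
                and len(set(keys.values())) == 1):
            findings.append((name, "same key used for different servers"))
    return findings

if __name__ == "__main__":
    for scheme, finding in audit(parse_schemes(SAMPLE)):
        print(f"radius scheme {scheme}: {finding}")
```

Run against the sample, the check reports both keys as too short and the key as shared between the authentication and accounting servers.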