4000 Router Series Security Configuration Guide

# Configure MAC authentication to use MAC-based accounts. The MAC address usernames and

passwords are hyphenated and in lower case.

[Device] mac-authentication user-name-format mac-address with-hyphen lowercase

Verifying the configuration

# Display MAC authentication settings and statistics.

<Device> display mac-authentication

MAC authentication is enabled

User name format is MAC address in lowercase, like xx-xx-xx-xx-xx-xx

Fixed username: mac

Fixed password: Not configured

Offline detect period is 180s

Quiet period is 180s

Server response timeout value is 100s

Max number of users is 1024 per slot

Current number of online users is 1

Current authentication domain is aabbcc

Silent MAC user info:

MAC Addr From Port Port Index

Gigabitethernet1/1 is link-up

MAC authentication is enabled

Max number of online users is 256

Current number of online users is 1

Current authentication domain: Not configured

MAC auth-delay is disabled

Authentication attempts: successful 1, failed 0

MAC Addr Auth state

00e0-fc12-3456 authenticated

RADIUS-based MAC authentication configuration

example

Network requirements

As shown in Figure 27, a host is connected to port GigabitEthernet 1/1 of the device. The device uses

RADIUS servers for authentication, authorization, and accounting.

To control user access to the Internet, configure MAC authentication on port GigabitEthernet 1/1, as

follows:

• Configure the device to detect whether a user has gone offline every 180 seconds, and if a user fails

authentication, deny the user for 180 seconds.

• Configure all users to belong to the ISP domain 2000.

• Use a shared user account for all users, with the username aaa and password 123 456 .