R0106-HP MSR Router Series Security Command Reference(V7)

ManualsBrandsHP ManualsNetwork HardwareHP MSR3024 TAA-compliant AC Router

211

212

213

214

215

216

217

218

219

220

202

word Securit

mode

Descri

tion

userlogin-secure-or-mac

macAddressOrUserL

oginSecure

This mode is the combination of the userLoginSecure and

macAddressWithRadius modes. In this mode, the port

allows one 802.1X authentication user and multiple MAC

authentication users to log in.

• For wired users, the port performs MAC authentication

upon receiving non-802.1X frames and performs

802.1X authentication upon receiving 802.1X frames.

• For wireless users, the port performs 802.1X

authentication first. If 802.1X authentication fails, MAC

authentication is performed.

userlogin-secure-or-mac

-ext

macAddressOrUserL

oginSecureExt

Same as the macAddressOrUserLoginSecure mode,

except that a port in this mode supports multiple 802.1X

and MAC authentication users.

userlogin-withoui userLoginWithOUI

Similar to the userLoginSecure mode. In addition, a port in

this mode also permits frames from a user whose MAC

address contains a specific OUI.

• For wired users, the port performs 802.1X

authentication upon receiving 802.1X frames, and

performs an OUI check upon receiving non-802.1X

frames.

• For wireless users, the port performs an OUI check at

first. If the OUI check fails, the port performs 802.1X

authentication.

Usage guidelines

To change the security mode of a port security enabled port, you must set the port in noRestrictions mode

first. When the port has online users, you cannot change port security mode.

IMPORTANT:

If you are configuring the autoLearn mode, first set port security's limit on the number of secure MAC

addresses by using the port-security max-mac-count command. You cannot chan

e the settin

when the

port is operating in autoLearn mode.

When port security is enabled, you cannot enable 802.1X or MAC authentication, or change the access

control mode or port authorization state. The port security automatically modifies these settings in

different security modes.

HP recommends that you do not enable the mac-else-userlogin-secure or mac-else-userlogin-secure-ext

mode on the port where the MAC authentication delay is enabled. The two modes are mutually exclusive

with the MAC authentication delay function. For more information about MAC authentication delay, see

"MAC authentication commands."

Examples

# Enable port security and configure port GigabitEthernet 2/1/1 to operate in secure mode.

<Sysname> system-view

[Sysname] port-security enable

[Sysname] interface gigabitethernet 2/1/1

[Sysname-GigabitEthernet2/1/1] port-security port-mode secure

# Change the port security mode of port GigabitEthernet 2/1/1 to userLogin.