R0106-HP MSR Router Series Security Configuration Guide(V7)

Port mode : userLoginWithOUI
NeedToKnow mode : Disabled
Intrusion protection mode : NoAction
Max secure MAC addresses : 64
Current secure MAC addresses : 1
Authorization : Permitted
# Display information about the online 802.1X user to verify 802.1X configuration.
[Device] display dot1x
# Verify that the port also allows one user whose MAC address has an OUI among the specified OUIs
to pass authentication.
[Device] display mac-address interface gigabitethernet 2/1/1
MAC Address VLAN ID State Port/NickName Aging
1234-0300-0011 1 Learned GE2/1/1 Y
macAddressElseUserLoginSecure configuration example
Network requirements
As shown in Figure 61, a client is connected to the device through GigabitEthernet 2/1/1. The device
authenticates the client by a RADIUS server. If the authentication succeeds, the client is authorized to
access the Internet.
Configure port GigabitEthernet 2/1/1 of the device to meet the following requirements:
• Allow more than one MAC authenticated user to log on.
• For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X authentication. Allow only one 802.1X user to log on.
• Use the MAC address of each user as the username and password for authentication. A MAC address is in the hexadecimal notation with hyphens, and letters are in upper case.
• The maximum number of MAC authenticated users and 802.1X authenticated users is 64.
• NTK (ntkonly mode) is enabled to prevent frames from being sent to unknown MAC addresses.
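The RADIUS accounts must carry exactly the string the device sends, so MAC addresses collected in other notations (for example the xxxx-xxxx-xxxx form shown by display mac-address) have to be rewritten before provisioning. The following is an added example, not part of the HP guide: the function names are hypothetical, and the six-group XX-XX-XX-XX-XX-XX layout is an assumption, because the guide states only "with hyphens" and "upper case".

```python
import re

_HEX12 = re.compile(r"[0-9A-Fa-f]{12}")


def radius_mac_credential(mac: str, groups: int = 6) -> str:
    """Return the MAC as an upper-case, hyphenated string.

    groups=6 gives XX-XX-XX-XX-XX-XX (assumed layout); groups=3 gives
    XXXX-XXXX-XXXX for servers or devices set up that way.
    """
    if groups not in (3, 6):
        raise ValueError("groups must be 3 or 6")
    # Drop the separators used by common notations (hyphen, colon, dot, space).
    digits = re.sub(r"[-:.\s]", "", mac)
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.upper()
    size = 12 // groups
    return "-".join(digits[i:i + size] for i in range(0, 12, size))


def build_accounts(macs):
    """Map username -> password for MAC authentication (both are the MAC).

    The same address written in two notations would create one account twice,
    so duplicates are rejected after normalization.
    """
    accounts = {}
    for raw in macs:
        cred = radius_mac_credential(raw)
        if cred in accounts:
            raise ValueError(f"duplicate MAC after normalization: {raw!r}")
        accounts[cred] = cred
    return accounts


# Constructed inventory; the first entry reuses the notation of the
# display mac-address output shown earlier in the guide.
SAMPLE_INVENTORY = ["1234-0300-0011", "00:1a:2b:3c:4d:5e", "001a.2b3c.4d5f"]

if __name__ == "__main__":
    for user, password in build_accounts(SAMPLE_INVENTORY).items():
        print(user, password)
```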
Figure 61 Network diagram
Configuration procedure
Make sure the host and the RADIUS server can reach each other.
1. Configure RADIUS authentication/accounting and ISP domain settings. (See "userLoginWithOUI configuration example.")
2. Configure port security:
# Enable port security.