R0106-HP MSR Router Series Security Configuration Guide(V7)

<Device> system-view
[Device] port-security enable
# Use MAC-based accounts for MAC authentication. Each MAC address is in hexadecimal notation with hyphens, and letters are in upper case.
[Device] mac-authentication user-name-format mac-address with-hyphen uppercase
# Specify the MAC authentication domain.
[Device] mac-authentication domain sun
# Set the 802.1X authentication method to CHAP. By default, the authentication method for 802.1X is CHAP.
[Device] dot1x authentication-method chap
# Set port security's limit on the number of MAC addresses to 64 on the port.
[Device] interface gigabitethernet 2/1/1
[Device-GigabitEthernet2/1/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
[Device-GigabitEthernet2/1/1] port-security port-mode mac-else-userlogin-secure
# Set the NTK mode of the port to ntkonly.
[Device-GigabitEthernet2/1/1] port-security ntk-mode ntkonly
[Device-GigabitEthernet2/1/1] quit
Verifying the configuration
# Verify the port security configuration.
[Device] display port-security interface gigabitethernet 2/1/1
Port security parameters:
Port security : Enabled
AutoLearn aging time : 0 min
Disableport timeout : 30 s
MAC move : Denied
OUI value list
GigabitEthernet2/1/1 is link-up
Port mode : macAddressElseUserLoginSecure
NeedToKnow mode : NeedToKnowOnly
Intrusion protection mode : NoAction
Max secure MAC addresses : 64
Current secure MAC addresses : 0
Authorization : Permitted
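The check above can be automated when the same settings must be confirmed on many ports. The following is an added example, not part of the HP guide: it parses captured display port-security interface output and reports any field that differs from the values configured in this procedure. The function names, the embedded sample text, and the "is link-<state>" section-header pattern are assumptions made for illustration.

```python
import re

# Constructed sample: the "display port-security interface" output shown above.
SAMPLE = """\
Port security parameters:
Port security : Enabled
AutoLearn aging time : 0 min
Disableport timeout : 30 s
MAC move : Denied
OUI value list
GigabitEthernet2/1/1 is link-up
Port mode : macAddressElseUserLoginSecure
NeedToKnow mode : NeedToKnowOnly
Intrusion protection mode : NoAction
Max secure MAC addresses : 64
Current secure MAC addresses : 0
Authorization : Permitted
"""

# Values the configuration steps on this page are meant to produce.
EXPECTED = {
    "Port security": "Enabled",
    "Port mode": "macAddressElseUserLoginSecure",
    "NeedToKnow mode": "NeedToKnowOnly",
    "Max secure MAC addresses": "64",
}

def parse_port_security(text):
    """Split the output into global fields and per-interface fields."""
    global_fields, interfaces, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"(\S+) is link-(\w+)", line)
        if header:  # e.g. "GigabitEthernet2/1/1 is link-up" starts a port section
            current = interfaces.setdefault(header.group(1), {"link": header.group(2)})
        elif " : " in line:
            key, value = (part.strip() for part in line.split(" : ", 1))
            (global_fields if current is None else current)[key] = value
    return global_fields, interfaces

def audit(text, interface, expected=EXPECTED):
    """Return (field, expected, actual) for every field that drifted."""
    global_fields, interfaces = parse_port_security(text)
    if interface not in interfaces:
        return [("interface", interface, None)]
    actual = {**global_fields, **interfaces[interface]}
    return [(k, v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v]

if __name__ == "__main__":
    print(audit(SAMPLE, "GigabitEthernet2/1/1") or "matches expected settings")
```

An empty list from audit() means the port matches the settings applied in this example; a missing interface section is reported as a finding rather than silently passing.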
# After users pass authentication, display MAC authentication information. Verify that port GigabitEthernet 2/1/1 allows multiple MAC authentication users to be authenticated.
[Device] display mac-authentication interface gigabitethernet 2/1/1
Global MAC authentication parameters:
MAC authentication : Enabled
User name format : MAC address in uppercase(XX-XX-XX-XX-XX-XX)
Username : mac
Password : Not configured
Offline detect period : 300 s
Quiet period : 180 s
Server timeout : 100 s