H3C Technologies H3C S12500-X Series Switches User Manual

103

After an 802.1X user goes online, you can see that the number of secure MAC addresses saved by the

port is 1. You can use the display dot1x command to display information about online 802.1X users.
The port also allows one user whose MAC address has an OUI among the specified OUIs to pass

authentication. You can use the following command to display the MAC address information for the port:

[Device] display mac-address interface ten-gigabitethernet 1/0/1

MAC Address VLAN ID State Port Aging

1234-0300-0011 1 Learned Ten-GigabitEthernet1/0/1 Y

211B

macAddressElseUserLoginSecure configuration example

434B

Network requirements

As shown in

812H

Figure 36

, a client is connected to the device through Ten-GigabitEthernet 1/0/1. The

device authenticates the client by a RADIUS server. If the authentication succeeds, the client is authorized
to access the Internet.
Restrict port Ten-GigabitEthernet 1/0/1 of the device as follows:

•

Allow more than one MAC authenticated user to log on.

•

For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X
authentication. Allow only one 802.1X user to log on.

•

Use the MAC address of each user as the username and password for authentication, and require
that the MAC addresses are hyphenated and in upper case.

•

Set the total number of MAC authenticated users and 802.1X authenticated users to 64.

•

Enable NTK (ntkonly mode) to prevent frames from being sent to unknown MAC addresses.

Figure 36 Network diagram

435B

Configuration procedure

Make sure the host and the RADIUS server can reach each other.

1.

Configure RADIUS authentication/accounting and ISP domain settings. (See "

813H

userLoginWithOUI

configuration example

.")

2.

Configure port security:
# Enable port security.

system-view

[Device] port-security enable

# Use MAC-based accounts for MAC authentication, and each MAC address must be hyphenated

and in upper case.