H3C Technologies H3C S7500E Series Switches User Manual

7-10

• Make sure that there is a route available between the RADIUS server and the switch.

• In this example, the switch uses the default username type (the user's MAC address) for MAC authentication, so the username and the password sent to the RADIUS server are both the MAC address. Therefore, you need to add a user account with the username 00-e0-fc-12-34-56 and the password 00-e0-fc-12-34-56 on the RADIUS server.

• Specify ACL 3000 as the authorization ACL on the RADIUS server.

1) Configure the authorization ACL

# Configure ACL 3000 to deny packets destined for 10.0.0.1.

<Device> system-view

[Device] acl number 3000

[Device-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0

[Device-acl-adv-3000] quit

2) Configure RADIUS-based MAC authentication on the device

# Configure the RADIUS scheme.

[Device] radius scheme 2000

[Device-radius-2000] primary authentication 10.1.1.1 1812

[Device-radius-2000] primary accounting 10.1.1.2 1813

[Device-radius-2000] key authentication abc

[Device-radius-2000] key accounting abc

[Device-radius-2000] user-name-format without-domain

[Device-radius-2000] quit

# Create an ISP domain and specify the AAA schemes.

[Device] domain 2000

[Device-isp-2000] authentication default radius-scheme 2000

[Device-isp-2000] authorization default radius-scheme 2000

[Device-isp-2000] accounting default radius-scheme 2000

[Device-isp-2000] quit

# Enable MAC authentication globally.

[Device] mac-authentication

# Specify the ISP domain for MAC authentication users.

[Device] mac-authentication domain 2000

# Configure the device to send the user's MAC address as both the username and the password to the RADIUS server for MAC authentication, with the MAC address written in lowercase and with hyphens.

[Device] mac-authentication user-name-format mac-address with-hyphen lowercase

# Enable MAC authentication for port GigabitEthernet 2/0/1.

[Device] interface gigabitethernet 2/0/1

[Device-GigabitEthernet2/0/1] mac-authentication

3) Verify the configuration

After the host passes authentication, use the display connection command on the device to view the online user information.

[Device-GigabitEthernet2/0/1] display connection

Slot: 1

Index=9 , Username=00-e0-fc-12-34-56@2000
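The exchange that the configuration above sets up, as an added example that is not part of the manual: the switch sends a RADIUS Access-Request (RFC 2865) whose User-Name and User-Password are both the MAC address as rendered by the user-name-format command, and the server answers with an Access-Accept that carries the authorization ACL. The script below (Python, written for this page) formats a MAC address for each user-name-format variant, hides the password the way RFC 2865 section 5.2 does, builds the request, builds a constructed Access-Accept, and checks the Response Authenticator before reading the authorization attribute. The shared key abc and the MAC address 00-e0-fc-12-34-56 come from the example; the switch address 10.1.1.100, the use of Filter-Id (attribute 11) to carry the ACL number, and all helper and constant names are assumptions for illustration.

```python
import hashlib
import secrets
import socket
import struct

# Constructed example, not H3C's code: the RADIUS exchange behind
# "mac-authentication user-name-format mac-address with-hyphen lowercase".
RADIUS_SECRET = b"abc"        # "key authentication abc" in the example
NAS_IP = "10.1.1.100"         # hypothetical address of the switch (assumption)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
FILTER_ID, CALLING_STATION_ID, NAS_PORT_TYPE = 11, 31, 61
NAS_PORT_TYPE_ETHERNET = 15   # RFC 2865 value for Ethernet


def mac_username(mac, with_hyphen=True, lowercase=True):
    """Render a MAC address the way the switch's user-name-format options do."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.lower() if lowercase else digits.upper()
    if with_hyphen:
        digits = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits


def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def pap_decrypt(hidden, secret, authenticator):
    """Inverse of pap_encrypt; trailing NUL padding is removed."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(mac, secret=RADIUS_SECRET, ident=1, authenticator=None):
    """Access-Request as the switch sends it: username and password are both the MAC."""
    authenticator = authenticator or secrets.token_bytes(16)
    username = mac_username(mac)  # default in the example: with-hyphen lowercase
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, pap_encrypt(username.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(NAS_IP))
             + attribute(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + attribute(CALLING_STATION_ID, username.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_accept(request, secret=RADIUS_SECRET, acl_number="3000"):
    """Constructed server reply; assumes the ACL number travels in Filter-Id (attribute 11)."""
    attrs = attribute(FILTER_ID, acl_number.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def response_authenticator_valid(response, request, secret=RADIUS_SECRET):
    """Verify the reply belongs to this request before trusting any authorization in it."""
    length = struct.unpack("!H", response[2:4])[0]
    if length != len(response) or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return secrets.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    req = build_access_request("00e0.fc12.3456")
    acc = build_access_accept(req)
    print(parse_attributes(req)[USER_NAME], parse_attributes(acc)[FILTER_ID],
          response_authenticator_valid(acc, req))
```

Two points this makes visible. The "password" is derived from the same MAC address that any host on the segment can read and spoof, so MAC authentication identifies a device only as far as the MAC can be trusted, and the authorization ACL delivered with the Access-Accept is what limits what an admitted host can reach. The Response Authenticator check, with a shared key much stronger than abc in production, is what keeps a forged or altered Access-Accept from granting access: the script rejects a reply whose attributes were changed after the server computed the authenticator, and a reply computed with the wrong key.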