beautypg.com

Configuration procedure, Verifying the configuration – H3C Technologies H3C S6300 Series Switches User Manual

Page 173

background image

158

For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X

authentication. Allow only one 802.1X user to log on.

Use the MAC address of each user as the username and password for authentication, and require
that the MAC addresses are hyphenated and in upper case.

Set the total number of MAC authenticated users and 802.1X authenticated users to 64.

Enable NTK (ntkonly mode) to prevent frames from being sent to unknown MAC addresses.

Figure 65 Network diagram

Configuration procedure

Make sure the host and the RADIUS server can reach each other.

1.

Configure RADIUS authentication/accounting and ISP domain settings. (See "

userLoginWithOUI

configuration example

.")

2.

Configure port security:
# Enable port security.

system-view

[Device] port-security enable

# Use MAC-based accounts for MAC authentication. Each MAC address must be hyphenated and
in upper case.

[Device] mac-authentication user-name-format mac-address with-hyphen uppercase

# Specify the MAC authentication domain.

[Device] mac-authentication domain sun

# Set the 802.1X authentication method to CHAP. (This configuration is optional. By default, the
authentication method is CHAP for 802.1X.)

[Device] dot1x authentication-method chap

# Set port security's limit on the number of MAC addresses to 64 on the port.

[Device] interface ten-gigabitethernet 1/0/1

[Device-Ten-GigabitEthernet1/0/1] port-security max-mac-count 64

# Set the port security mode to macAddressElseUserLoginSecure.

[Device-Ten-GigabitEthernet1/0/1] port-security port-mode

mac-else-userlogin-secure

# Set the NTK mode of the port to ntkonly.

[Device-Ten-GigabitEthernet1/0/1] port-security ntk-mode ntkonly

[Device-Ten-GigabitEthernet1/0/1] quit

Verifying the configuration

# Display the port security configuration.