Configuring secure mac addresses – H3C Technologies H3C S3600 Series Switches User Manual
Page 203
1-13
z
If one user of the port has passed or is undergoing authentication, you cannot specify a guest
VLAN for it.
z
When a user using a port with a guest VLAN specified fail the authentication, the port is added to
the guest VLAN and users of the port can access only the resources in the guest VLAN.
z
Multiple users may connect to one port in the macAddressOrUserLoginSecure mode for
authentication; however, after a guest VLAN is specified for the port, only one user can pass the
security authentication. In this case, the authentication client software of the other 802.1X users
displays messages about the failure; MAC authentication does not have any client software and
therefore no such messages will be displayed.
z
To change the security mode from macAddressOrUserLoginSecure mode of a port that is
assigned to a guest VLAN, execute the undo port-security guest-vlan command first to remove
the guest VLAN configuration.
z
For a port configured with both the port-security guest-vlan and port-security intrusion-mode
disableport commands, when authentication of a user fails, only the intrusion detection feature is
triggered. The port is not added to the specified guest VLAN.
z
It is not recommended to configure the port-security guest-vlan and port-security
intrusion-mode blockmac commands simultaneously for a port. Because when the
authentication of a user fails, the blocking MAC address feature will be triggered and packets of the
user will be dropped, making the user unable to access the guest VLAN.
Ignoring the Authorization Information from the RADIUS Server
After an 802.1X user or MAC-authenticated user passes Remote Authentication Dial-In User Service
(RADIUS) authentication, the RADIUS server delivers the authorization information to the device. You
can configure a port to ignore the authorization information from the RADIUS server.
Follow these steps to configure a port to ignore the authorization information from the RADIUS server:
To do...
Use the command...
Remarks
Enter system view
system-view
—
Enter Ethernet port view
interface interface-type
interface-number
—
Ignore the authorization
information from the RADIUS
server
port-security authorization
ignore
Required
By default, a port uses the
authorization information from
the RADIUS server.
Configuring Secure MAC Addresses
In autoLearn mode, a port can learn MAC addresses. These dynamically learned MAC addresses are
secure MAC addresses. You can also configure secure MAC addresses by using the mac-address
security command. A secure MAC addresses never ages out by default. .One MAC address can only
be added to the table of one port as a secure MAC address. This feature allows binding a secure MAC
address to one port in the same VLAN.
After the security port is set to autoLearn, the port changes its way of learning MAC addresses as
follows.
z
The port deletes original dynamic MAC addresses.