
Network requirements, Network diagram, Configuration procedure – H3C Technologies H3C S3600 Series Switches User Manual


[Switch-isp-aabbcc.net] scheme radius-scheme radius1

[Switch-isp-aabbcc.net] quit

# Set aabbcc.net as the default user domain.

[Switch] domain default enable aabbcc.net

# Configure the switch to use MAC addresses as usernames for authentication, specifying that the MAC addresses should be lowercase without separators.

[Switch] mac-authentication authmode usernameasmacaddress usernameformat without-hyphen

# Specify the ISP domain for MAC authentication.

[Switch] mac-authentication domain aabbcc.net

# Enable port security.

[Switch] port-security enable

# Set the port security mode to mac-authentication.

[Switch] interface Ethernet 1/0/1

[Switch-Ethernet1/0/1] port-security port-mode mac-authentication

# Configure the port so that, after intrusion protection is triggered, it drops packets whose source MAC address is the same as that of the packet that failed MAC authentication.

[Switch-Ethernet1/0/1] port-security intrusion-mode blockmac

Port Security Mode userLoginWithOUI Configuration Example

Network requirements

The host connects to the switch through port Ethernet 1/0/1, and the switch authenticates the host with a RADIUS server. If the authentication succeeds, the host is authorized to access the Internet.

Restrict Ethernet 1/0/1 of the switch as follows:

• Allow one 802.1X user to get online.

• Set two OUI values, and allow only one user whose MAC address matches one of the two OUI values to get online.

• Configure port security trapping to monitor the operations of the 802.1X-authenticated user.
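
Both examples on this page key on the host MAC address: MAC authentication sends it to the RADIUS server as a lowercase username without separators, and userLoginWithOUI compares its first 24 bits with the configured OUI values. The following Python sketch is an added example, not part of the H3C manual; it normalises an asset inventory into that username form for provisioning RADIUS accounts and checks a MAC against a set of OUIs. The function names, the sample MAC addresses and the OUI values are constructed for illustration.

```python
import re

# Constructed sample inventory (not from the manual): one MAC per entry,
# written in the separator styles asset lists commonly mix.
SAMPLE_INVENTORY = [
    "00:0D:88:F6:44:C1",
    "000d-88f6-44c1",     # same host as above, different notation
    "00-E0-FC-12-34-56",
    "01:00:5e:00:00:fb",  # group address, never a valid source MAC
    "00:0d:88:f6:44",     # truncated entry
]

def mac_to_username(mac):
    """Return the MAC as 12 lowercase hex digits with no separators, the
    form the manual's comment gives for MAC-authentication usernames."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if int(digits[:2], 16) & 0x01:  # I/G bit set: multicast or broadcast
        raise ValueError(f"group address cannot be a host MAC: {mac!r}")
    return digits

def build_usernames(inventory):
    """Return (sorted unique usernames, [(bad entry, reason), ...])."""
    accepted, rejected = set(), []
    for entry in inventory:
        try:
            accepted.add(mac_to_username(entry))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return sorted(accepted), rejected

def matches_oui(mac, ouis):
    """True if the first 24 bits of mac equal one of the given OUIs.
    Each OUI is assumed to be written as 6 hex digits, separators optional."""
    allowed = {re.sub(r"[-:.\s]", "", oui).lower() for oui in ouis}
    return mac_to_username(mac)[:6] in allowed

if __name__ == "__main__":
    usernames, rejected = build_usernames(SAMPLE_INVENTORY)
    print("RADIUS usernames to provision:", usernames)
    for entry, reason in rejected:
        print("rejected:", entry, "-", reason)
    print(matches_oui("00-E0-FC-12-34-56", ["00e0fc", "00-0d-88"]))
```

Rejected entries are worth reviewing by hand before the accounts are created: a username that does not match the format the switch sends fails authentication, and with intrusion mode blockmac that host's traffic is then dropped.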

Network diagram

Figure 1-7 Network diagram for configuring port security mode userLoginWithOUI

Configuration procedure
