Network requirements, Network diagram, Configuration procedure – H3C Technologies H3C WX6000 Series Access Controllers User Manual
Port Security Configuration for macAddressElseUserLoginSecure Mode
Network requirements
The client is connected to the switch through GigabitEthernet 0/0/1. The switch authenticates the client
by the RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
Restrict port GigabitEthernet 0/0/1 of the switch as follows:
• Allow more than one MAC authenticated user to log on.
• For 802.1x users, perform MAC authentication first and then, if MAC authentication fails, 802.1x authentication. Allow only one 802.1x user to log on.
• For MAC-based authentication, allow usernames and passwords in self-defined formats. Set the total number of MAC authenticated users and 802.1x-authenticated users to 64.
• Enable NTK to prevent frames from being sent to unknown MAC addresses.
Network diagram
See
Configuration procedure
Configurations on the host and RADIUS servers are omitted.
1) Configure the RADIUS protocol
The required RADIUS authentication/accounting configurations are the same as those in Configuration for userLoginWithOUI Mode.
2) Configure port security
# Enable port security.
[AC] port-security enable
# Configure a MAC authentication user, setting the user name and password to aaa and 123456
respectively.
[AC] mac-authentication user-name-format fixed account aaa password simple 123456
[AC] interface gigabitethernet 0/0/1
# Set the maximum number of secure MAC addresses allowed on the port to 64.
[AC-GigabitEthernet0/0/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
[AC-GigabitEthernet0/0/1] port-security port-mode mac-else-userlogin-secure
# Set the NTK mode of the port to ntkonly.
[AC-GigabitEthernet0/0/1] port-security ntk-mode ntkonly
3) Verify the configuration
After completing the above configurations, you can use the following command to view the port security
configuration information:
Equipment port-security is enabled
Trap is disabled
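
As a complement to the display-based verification above, the following added example (not part of the H3C manual and not H3C code) audits configuration text saved from the device, for example with `display current-configuration`, for the settings applied in step 2. The function names, the sample text, and the assumed layout (stanzas separated by `#`, sub-commands indented by one space) are assumptions of this example.

```python
import re

# Settings from this page's procedure: one global, three on the port.
REQUIRED_GLOBAL = ["port-security enable"]
REQUIRED_PORT = ["port-security max-mac-count 64",
                 "port-security port-mode mac-else-userlogin-secure",
                 "port-security ntk-mode ntkonly"]

def parse_config(text):
    """Split configuration text into global lines and per-interface stanzas."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)\s*(\S*)$", line, re.I)
        if not line or line == "#":        # '#' closes a stanza (assumed layout)
            current = None
        elif m and not raw.startswith(" "):
            current = (m.group(1) + m.group(2)).lower()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(line)
        else:                              # anything else is a global command
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def audit(text, port="GigabitEthernet0/0/1"):
    """Return the required settings that are absent; an empty list means compliant."""
    global_lines, interfaces = parse_config(text)
    missing = [c for c in REQUIRED_GLOBAL if c not in global_lines]
    stanza = interfaces.get(port.replace(" ", "").lower())
    if stanza is None:
        return missing + [f"interface {port} not found"]
    return missing + [f"{port}: {c}" for c in REQUIRED_PORT if c not in stanza]

# Constructed samples, not output captured from a device.
COMPLIANT = """ port-security enable
#
interface GigabitEthernet0/0/1
 port-security max-mac-count 64
 port-security port-mode mac-else-userlogin-secure
 port-security ntk-mode ntkonly
"""
# Drifted copy: MAC limit raised and the NTK line removed.
DRIFTED = (COMPLIANT.replace("count 64", "count 1024")
           .replace(" port-security ntk-mode ntkonly\n", ""))

if __name__ == "__main__":
    print({"compliant": audit(COMPLIANT), "drifted": audit(DRIFTED)})
```

The match is exact on each command line, so a setting applied to a different interface or with a different value is reported as missing on GigabitEthernet 0/0/1.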