• For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X authentication. Allow only one 802.1X user to log on.
• Use a fixed username and password for MAC authentication of all users.
• Set the total number of MAC authenticated users and 802.1X authenticated users to 64.
• Enable NTK (ntkonly mode) to prevent frames from being sent to unknown MAC addresses.
Figure 36 Network diagram
Configuration procedure
Make sure the host and the RADIUS server can reach each other.
1. Configure RADIUS authentication/accounting and ISP domain settings. (See the userLoginWithOUI configuration example.)
2. Configure port security:
# Enable port security.
<Device> system-view
[Device] port-security enable
# Configure the username and password for MAC authentication as aaa and 123456.
[Device] mac-authentication user-name-format fixed account aaa password simple 123456
# Specify the MAC authentication domain.
[Device] mac-authentication domain sun
# Set the 802.1X authentication method to CHAP. (This configuration is optional. By default, the authentication method is CHAP for 802.1X.)
[Device] dot1x authentication-method chap
# Set port security's limit on the number of MAC addresses to 64 on the port.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
[Device-Ten-GigabitEthernet1/0/1] port-security port-mode mac-else-userlogin-secure
# Set the NTK mode of the port to ntkonly.
[Device-Ten-GigabitEthernet1/0/1] port-security ntk-mode ntkonly
[Device-Ten-GigabitEthernet1/0/1] quit
Verifying the configuration
# Display the port security configuration.
[Device] display port-security interface ten-gigabitethernet 1/0/1
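Beyond eyeballing the display output, a practitioner usually wants a repeatable check that every access port carries the full set of settings from step 2 (mode, MAC-count limit and NTK mode), since a port that received the mode but not the ntkonly setting will still flood frames to unknown MAC addresses. The following script is an added illustration, not vendor code: it audits a running-configuration excerpt for the exact commands used above. The config text layout (sections separated by "#", interface commands indented one space) and the second, weaker port are constructed assumptions for the example.

```python
"""Audit an H3C-style running-config excerpt for the port security settings
used in the macAddressElseUserLoginSecure example.  Added illustration, not
vendor code; the text layout below is a constructed approximation of what
'display current-configuration' prints."""
import re

# Constructed sample: port 1/0/1 as configured in the procedure above, plus a
# second port (assumption) on which the NTK mode was never set.
SAMPLE_CONFIG = """\
#
port-security enable
#
mac-authentication domain sun
mac-authentication user-name-format fixed account aaa password simple 123456
#
dot1x authentication-method chap
#
interface Ten-GigabitEthernet1/0/1
 port-security max-mac-count 64
 port-security port-mode mac-else-userlogin-secure
 port-security ntk-mode ntkonly
#
interface Ten-GigabitEthernet1/0/2
 port-security max-mac-count 64
 port-security port-mode mac-else-userlogin-secure
#
"""

# Per-port settings the example requires (keyword -> required value).
EXPECTED_PORT = {
    "port-mode": "mac-else-userlogin-secure",
    "max-mac-count": "64",
    "ntk-mode": "ntkonly",
}
# Global lines the example requires.
EXPECTED_GLOBAL = [
    "port-security enable",
    "mac-authentication domain sun",
]


def parse_config(text):
    """Split the config into global lines and a dict of interface -> its lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "#":
            current = None            # a bare '#' closes the interface view
            continue
        m = re.match(r"interface (\S+)", line)
        if m and not line.startswith(" "):
            current = m.group(1)
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line.strip())
        else:
            global_lines.append(line)
    return global_lines, interfaces


def port_security_settings(lines):
    """Map 'port-security <keyword> <value>' lines of one interface to a dict."""
    settings = {}
    for line in lines:
        m = re.match(r"port-security (\S+) (.+)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit(text):
    """Return a list of findings; an empty list means every interface in the
    excerpt and the global view match the example's settings."""
    findings = []
    global_lines, interfaces = parse_config(text)
    for required in EXPECTED_GLOBAL:
        if required not in global_lines:
            findings.append(f"global: missing '{required}'")
    for name, lines in interfaces.items():
        actual = port_security_settings(lines)
        for key, want in EXPECTED_PORT.items():
            got = actual.get(key)
            if got != want:
                findings.append(f"{name}: {key} is {got!r}, expected {want!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Every interface present in the excerpt is held to the same expectation, so feed the script only the access-port sections you intend to run in this mode; uplinks would otherwise be reported as deviations.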