RADIUS-based MAC authentication configuration example
Network requirements
As shown in Figure 33, a host is connected to port Ten-GigabitEthernet 1/0/1 of the device. The device
uses RADIUS servers for authentication, authorization, and accounting.
To control user access to the Internet, configure MAC authentication on port Ten-GigabitEthernet 1/0/1,
as follows:
• Configure the device to detect whether a user has gone offline every 180 seconds, and if a user fails
authentication, deny the user for 180 seconds.
• Configure all users to belong to the ISP domain 2000.
• Use a shared user account for all users, with the username aaa and password 123456.
Figure 33 Network diagram
Configuration procedure
1. Make sure the RADIUS server and the access device can reach each other.
2. Create a shared account for MAC authentication users on the RADIUS server, and set the
username aaa and password 123456 for the account. (Details not shown.)
3. Configure RADIUS-based MAC authentication on the device:
# Configure a RADIUS scheme.
<Device> system-view
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication simple abc
[Device-radius-2000] key accounting simple abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting.
[Device] domain 2000
[Device-isp-2000] authentication default radius-scheme 2000
[Device-isp-2000] authorization default radius-scheme 2000
MAC Addr         Auth state
00e0-fc12-3456   authenticated
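The following is an added example, not part of the original guide or the vendor's code. It builds in Python the Access-Request the device would send for the shared account, showing the effect of user-name-format without-domain and how the User-Password attribute is hidden with the shared key abc as defined in RFC 2865. The attribute set, the Calling-Station-Id format, and all function names are assumptions.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31  # RFC 2865 attribute types


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR the zero-padded password with an MD5 keystream."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev  # each ciphertext block seeds the next keystream block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: rebuild the same keystream from the shared key and undo the XOR."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(code: int, value: bytes) -> bytes:
    # Type, length (including the 2-byte attribute header), value.
    return struct.pack("!BB", code, len(value) + 2) + value


def access_request(user, domain, password, mac, secret, with_domain=False,
                   ident=1, authenticator=None):
    """Build an Access-Request for one MAC authentication user (assumed attribute set)."""
    authenticator = authenticator or os.urandom(16)
    # "user-name-format without-domain" sends "aaa" rather than "aaa@2000".
    name = f"{user}@{domain}" if with_domain else user
    attrs = (attr(USER_NAME, name.encode())
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(CALLING_STATION_ID, mac.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


# Constructed sample: page values, assumed MAC format, fixed authenticator for repeatability.
PKT = access_request("aaa", "2000", b"123456", "00-E0-FC-12-34-56", b"abc",
                     authenticator=bytes(16))
```

Only the User-Password value is protected, and only by MD5 keyed with the shared key, so the strength of the key configured in the RADIUS scheme decides how well the shared account password is hidden on the wire.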