•
Use RADIUS servers to perform authentication, authorization, and accounting for users.
•
Perform MAC authentication on GigabitEthernet 1/0/1 to control Internet access.
•
Use MAC-based user accounts for MAC authentication users. Each MAC address is in the
hexadecimal notation with hyphens, and letters are in lower case.
•
Use an ACL to deny authenticated users to access the FTP server at 10.0.0.1.
Figure 49 Network diagram
Host
IP: 192.168.1.10/24
MAC: 00-e0-fc-12-34-56
Configuration procedure
Make sure the RADIUS servers and the access device can reach each other.
1.
Configure ACL 3000 to deny packets destined for 10.0.0.1.
<Device> system-view
[Device] acl advanced 3000
[Device-acl-ipv4-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Device-acl-ipv4-adv-3000] quit
2.
Configure RADIUS-based MAC authentication on the device:
# Configure a RADIUS scheme.
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication simple abc
[Device-radius-2000] key accounting simple abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Apply the RADIUS scheme to an ISP domain for authentication, authorization, and
accounting.
[Device] domain bbb
[Device-isp-bbb] authentication default radius-scheme 2000
[Device-isp-bbb] authorization default radius-scheme 2000
[Device-isp-bbb] accounting default radius-scheme 2000
[Device-isp-bbb] quit
# Specify the ISP domain for MAC authentication.
[Device] mac-authentication domain bbb
# Configure the device to use MAC-based user accounts. Each MAC address is in the
hexadecimal notation with hyphens, and letters are in lower case.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
# Enable MAC authentication on GigabitEthernet 1/0/1.
RADIUS servers
Auth:10.1.1.1
Acct:10.1.1.2
GE1/0/1
Device
Internet
162
FTP server
10.0.0.1/24