HPE FlexNetwork 10500 Series Security Configuration Manual page 277

Enable NTK (ntkonly mode) to prevent frames from being sent to unknown MAC addresses.
Figure 79 Network diagram (labels: Host, GE1/0/1, Device, Authentication servers 192.168.1.2/24 and 192.168.1.3/24, Internet)
Configuration procedure
Make sure the host and the RADIUS server can reach each other.
1. Configure RADIUS authentication/accounting and ISP domain settings. (See "userLoginWithOUI configuration example.")
2. Configure port security:
# Enable port security.
<Device> system-view
[Device] port-security enable
# Use MAC-based accounts for MAC authentication. Each MAC address must be in the
hexadecimal notation with hyphens, and letters are in upper case.
[Device] mac-authentication user-name-format mac-address with-hyphen uppercase
# Specify the MAC authentication domain.
[Device] mac-authentication domain sun
# Set the 802.1X authentication method to CHAP. By default, the authentication method for
802.1X is CHAP.
[Device] dot1x authentication-method chap
# Set port security's limit on the number of MAC addresses to 64 on the port.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
[Device-GigabitEthernet1/0/1] port-security port-mode mac-else-userlogin-secure
# Specify ISP domain sun as the mandatory authentication domain for 802.1X users.
[Device-GigabitEthernet1/0/1] dot1x mandatory-domain sun
# Set the NTK mode of the port to ntkonly.
[Device-GigabitEthernet1/0/1] port-security ntk-mode ntkonly
[Device-GigabitEthernet1/0/1] quit
Verifying the configuration
# Verify the port security configuration.
[Device] display port-security interface gigabitethernet 1/0/1
Global port security parameters:
   Port security                : Enabled
   AutoLearn aging time         : 30 min
   Disableport timeout          : 30 s
   MAC move                     : Denied
   Authorization fail           : Online
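An added example, not from the HPE manual: a Python check that reads saved configuration text and reports ports that have a port security mode but lack the NTK mode or MAC address limit set in the procedure above. The stanza layout, the sample configuration, the function names and the use of ntkonly and 64 as the baseline are assumptions for illustration.

```python
import re

# Constructed sample; assumes '#' separates stanzas and settings are indented.
SAMPLE = """\
#
 port-security enable
#
interface GigabitEthernet1/0/1
 port-security max-mac-count 64
 port-security port-mode mac-else-userlogin-secure
 port-security ntk-mode ntkonly
#
interface GigabitEthernet1/0/2
 port-security port-mode mac-else-userlogin-secure
#
"""
OPTION = re.compile(r"port-security (port-mode|ntk-mode|max-mac-count) (\S+)")

def parse_config(text):
    """Return (global_lines, {interface_name: [stanza lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None                      # separator ends the stanza
        elif raw.lower().startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif current is not None and raw[0].isspace():
            current.append(line)                # setting inside an interface stanza
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def audit(text, expected_ntk="ntkonly", mac_limit=64):
    """List (scope, finding) pairs that deviate from the assumed baseline."""
    global_lines, interfaces = parse_config(text)
    findings = []
    if "port-security enable" not in global_lines:
        findings.append(("global", "port security not enabled"))
    for name, lines in interfaces.items():
        opts = dict(m.groups() for m in map(OPTION.match, lines) if m)
        if "port-mode" not in opts:
            continue                            # no port security mode set on this port
        if opts.get("ntk-mode") != expected_ntk:
            findings.append((name, f"ntk-mode {opts.get('ntk-mode', 'unset')}, expected {expected_ntk}"))
        if int(opts.get("max-mac-count", mac_limit + 1)) > mac_limit:
            findings.append((name, f"max-mac-count unset or above {mac_limit}"))
    return findings
```

Calling audit(SAMPLE) flags only GigabitEthernet1/0/2, which has the port security mode but neither the NTK mode nor the MAC address limit.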
