Table of Contents
Advertisement
Figure 37 Network diagram
Configuration procedure
Make sure the RADIUS servers and the access device can reach each other.
1.
Configure ACL 3000 to deny packets destined for 10.0.0.1.
<Device> system-view
[Device] acl number 3000
[Device-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Device-acl-adv-3000] quit
2.
Configure RADIUS-based MAC authentication on the device:
# Configure a RADIUS scheme.
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication simple abc
[Device-radius-2000] key accounting simple abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Apply RADIUS scheme 2000 to ISP domain 2000 for authentication, authorization, and
accounting.
[Device] domain 2000
[Device-isp-2000] authentication default radius-scheme 2000
[Device-isp-2000] authorization default radius-scheme 2000
[Device-isp-2000] accounting default radius-scheme 2000
[Device-isp-2000] quit
# Specify the ISP domain for MAC authentication.
[Device] mac-authentication domain 2000
# Configure the device to use MAC-based user accounts. Each MAC address is in the
hexadecimal notation with hyphens, and letters are in lower case.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
# Enable MAC authentication on port FortyGigE 1/1/1.
[Device] interface fortygige 1/1/1
[Device-FortyGigE1/1/1] mac-authentication
[Device-FortyGigE1/1/1] quit
# Enable MAC authentication globally.
[Device] mac-authentication
120
Advertisement
Table of Contents
Troubleshooting
