Table of Contents
Advertisement
On port GigabitEthernet 1/0/1 of the switch, enable MAC authentication and configure ACL 3000.
After the host passes MAC authentication, the RADIUS server assigns ACL 3000 to port
GigabitEthernet 1/0/1 of the switch. As a result, the host can access the Internet but cannot access the
FTP server, whose IP address is 10.0.0.1.
Figure 5-3 Network diagram for ACL assignment
Configuration procedure
Make sure that there is a route available between the RADIUS server and the switch.
In this example, the switch uses the default username type (user MAC address) for MAC
authentication. Therefore, you need to add the username and password of each user on the
RADIUS server correctly.
You need to configure the RADIUS server to assign ACL 3000 as the authorization ACL.
# Configure the RADIUS scheme.
<Sysname> system-view
[Sysname] radius scheme 2000
[Sysname-radius-2000] primary authentication 10.1.1.1 1812
[Sysname-radius-2000] primary accounting 10.1.1.2 1813
[Sysname-radius-2000] key authentication abc
[Sysname-radius-2000] key accounting abc
[Sysname-radius-2000] user-name-format without-domain
[Sysname-radius-2000] quit
# Create an ISP domain and specify the AAA schemes.
[Sysname] domain 2000
[Sysname-isp-2000] authentication default radius-scheme 2000
[Sysname-isp-2000] authorization default radius-scheme 2000
[Sysname-isp-2000] accounting default radius-scheme 2000
[Sysname-isp-2000] quit
# Configure ACL 3000 to deny packets destined for 10.0.0.1.
[Sysname] acl number 3000
5-8
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
