[Switch-isp-aabbcc.net] quit
# Set aabbcc.net as the default user domain.
[Switch] domain default enable aabbcc.net
# Configure the switch to use MAC addresses as usernames for authentication, specifying that the MAC addresses should be lowercase without separators.
[Switch] mac-authentication authmode usernameasmacaddress usernameformat without-hyphen
# Specify the ISP domain for MAC authentication.
[Switch] mac-authentication domain aabbcc.net
# Enable port security.
[Switch] port-security enable
# Set the port security mode to mac-authentication.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port-security port-mode mac-authentication
# Configure the port so that, after intrusion protection is triggered, it drops packets whose source MAC address is the same as that of the packet that failed MAC authentication.
[Switch-GigabitEthernet1/0/1] port-security intrusion-mode blockmac
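The RADIUS accounts must use exactly the username format configured above (12 lowercase hexadecimal digits, no separators), otherwise a legitimate host fails MAC authentication and blockmac drops its traffic. The following Python script is an added example, not part of the original manual: it normalizes an inventory of MAC addresses to that format and rejects unusable entries. The sample inventory is constructed, and the FreeRADIUS users-file syntax and the password being identical to the username are assumptions about the server side.

```python
import re

# Constructed sample inventory: MAC addresses in the notations different tools emit.
SAMPLE_INVENTORY = [
    "00-1A-2B-3C-4D-5E",   # hyphenated, upper case
    "001a.2b3c.4d5f",      # dotted groups of four
    "00:1a:2b:3c:4d:5e",   # duplicate of the first entry
    "001a-2b3c-4d60",      # hyphenated groups of four
    "01:00:5e:00:00:fb",   # multicast, can never be a host's source MAC
    "00-1A-2B-3C-4D",      # truncated
]

_SEPARATORS = re.compile(r"[-:.\s]")
_TWELVE_HEX = re.compile(r"[0-9a-f]{12}")

def mac_to_username(mac):
    """Return the MAC as 12 lowercase hex digits with no separators."""
    digits = _SEPARATORS.sub("", mac).lower()
    if not _TWELVE_HEX.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if int(digits[:2], 16) & 0x01:  # group bit set in the first octet
        raise ValueError(f"group (multicast/broadcast) address: {mac!r}")
    return digits

def build_accounts(inventory):
    """Split an inventory into unique usernames and rejected entries."""
    accounts, rejected = [], []
    for raw in inventory:
        try:
            user = mac_to_username(raw)
        except ValueError as err:
            rejected.append((raw, str(err)))
            continue
        if user in accounts:
            rejected.append((raw, f"duplicate of {user}"))
        else:
            accounts.append(user)
    return accounts, rejected

def users_file_lines(accounts):
    # Assumption: FreeRADIUS "users" syntax, password identical to the username.
    return [f'{u} Cleartext-Password := "{u}"' for u in accounts]

if __name__ == "__main__":
    ok, bad = build_accounts(SAMPLE_INVENTORY)
    print("\n".join(users_file_lines(ok)))
    for raw, why in bad:
        print(f"rejected {raw}: {why}")
```

Review the rejected entries before provisioning rather than discarding them silently; a truncated or mistyped address usually corresponds to a real host that would otherwise be blocked.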
Port Security Mode userLoginWithOUI Configuration Example
Network requirements
The host connects to the switch through port GE1/0/1, and the switch authenticates the
host with a RADIUS server. If the authentication succeeds, the host is authorized to access
the Internet.
Restrict GE1/0/1 of the switch as follows:
- Allow one 802.1X user to get online.
- Set two OUI values, and allow only one user whose MAC address matches one of the two OUI values to get online.
- Configure port security trapping to monitor the operations of the 802.1X-authenticated user.
Network diagram
Figure 1-7 Network diagram for configuring port security mode userLoginWithOUI
Configuration procedure