H3C Technologies H3C S12500-X Series Switches User Manual
Page 115
103
After an 802.1X user goes online, you can see that the number of secure MAC addresses saved by the
port is 1. You can use the display dot1x command to display information about online 802.1X users.
The port also allows one user whose MAC address has an OUI among the specified OUIs to pass
authentication. You can use the following command to display the MAC address information for the port:
[Device] display mac-address interface ten-gigabitethernet 1/0/1
MAC Address VLAN ID State Port Aging
1234-0300-0011 1 Learned Ten-GigabitEthernet1/0/1 Y
211B
macAddressElseUserLoginSecure configuration example
434B
Network requirements
As shown in
812H
Figure 36
, a client is connected to the device through Ten-GigabitEthernet 1/0/1. The
device authenticates the client by a RADIUS server. If the authentication succeeds, the client is authorized
to access the Internet.
Restrict port Ten-GigabitEthernet 1/0/1 of the device as follows:
•
Allow more than one MAC authenticated user to log on.
•
For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X
authentication. Allow only one 802.1X user to log on.
•
Use the MAC address of each user as the username and password for authentication, and require
that the MAC addresses are hyphenated and in upper case.
•
Set the total number of MAC authenticated users and 802.1X authenticated users to 64.
•
Enable NTK (ntkonly mode) to prevent frames from being sent to unknown MAC addresses.
Figure 36 Network diagram
435B
Configuration procedure
Make sure the host and the RADIUS server can reach each other.
1.
Configure RADIUS authentication/accounting and ISP domain settings. (See "
813H
userLoginWithOUI
configuration example
.")
2.
Configure port security:
# Enable port security.
<Device> system-view
[Device] port-security enable
# Use MAC-based accounts for MAC authentication, and each MAC address must be hyphenated
and in upper case.