MAC authentication configuration example – H3C Technologies H3C WX3000 Series Unified Switches User Manual


To do…: Clear the statistics of global or on-port MAC authentication
Use the command…: reset mac-authentication statistics [ interface interface-type interface-number ]
Remarks: Available in user view

MAC Authentication Configuration Example

Network requirements

As illustrated in Figure 29-1, a supplicant is connected to Switch through port GigabitEthernet 1/0/2.

- MAC authentication is required on port GigabitEthernet 1/0/2 to control user access to the Internet.

- All users belong to domain aabbcc.net. The authentication is performed locally and the MAC address of the PC (00-0d-88-f6-44-c1) is used as both the username and password.

Figure 29-1 Network diagram for MAC authentication configuration

[Network diagram; labels: PC (MAC: 00-0d-88-f6-44-c1), Switch, GE 1/0/2, IP network]

Configuration Procedure

# Enable MAC authentication on port GigabitEthernet 1/0/2.

<device> system-view

[device] mac-authentication interface GigabitEthernet 1/0/2

# Specify to use the user MAC address as both the username and password for MAC authentication, and specify the MAC address format as hyphenated lowercase MAC address.

[device] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase

# Add a local user.

- Specify the username and password.

[device] local-user 00-0d-88-f6-44-c1

[device-luser-00-0d-88-f6-44-c1] password simple 00-0d-88-f6-44-c1

- Set the service type to “lan-access”.

[device-luser-00-0d-88-f6-44-c1] service-type lan-access

[device-luser-00-0d-88-f6-44-c1] quit

# Add an ISP domain named aabbcc.net.

[device] domain aabbcc.net

New Domain added.

# Specify to perform local authentication.

[device-isp-aabbcc.net] scheme local

[device-isp-aabbcc.net] quit

# Specify aabbcc.net as the ISP domain for MAC authentication.

[device] mac-authentication domain aabbcc.net

# Enable MAC authentication globally. (This is usually the last step in configuring access control related features. Otherwise, a user may be denied access to the networks because of incomplete configuration.)
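
The local user created above is named with the same hyphenated lowercase string that the switch is configured to use as the MAC authentication username, so addresses recorded in other notations have to be converted before the users are created. The Python sketch below is an added example, not part of the H3C manual: it normalizes MAC addresses and emits the local-user commands shown in the procedure; the function names and the sample inventory are assumptions made for illustration.

```python
import re

# Constructed sample inventory (only the first MAC appears in the manual,
# as the PC address of the example above).
SAMPLE_INVENTORY = ["00-0D-88-F6-44-C1", "000d.88f6.44c2", "00:0d:88:f6:44:c3"]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return raw as hyphenated lowercase (xx-xx-xx-xx-xx-xx), the format
    selected by 'usernameformat with-hyphen lowercase'."""
    digits = re.sub(r"[-:.\s]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    if int(digits[:2], 16) & 0x01:
        # Group (multicast/broadcast) addresses are never a station's source MAC.
        raise ValueError(f"group address cannot identify a station: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def local_user_commands(macs):
    """Build system-view command lines creating one local user per MAC,
    using only the commands shown in the procedure above."""
    lines, seen = [], set()
    for raw in macs:
        mac = normalize_mac(raw)
        if mac in seen:  # same station listed twice in different notations
            continue
        seen.add(mac)
        lines += [
            f"local-user {mac}",
            f"password simple {mac}",
            "service-type lan-access",
            "quit",
        ]
    return lines


if __name__ == "__main__":
    print("\n".join(local_user_commands(SAMPLE_INVENTORY)))
```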
