2. H3C
  3. HSW-2024G
HSW-2024G

H3C HSW-2024G User manual

  • Hello! I am an AI chatbot trained to assist you with the H3C HSW-2024G User manual. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
  • How to enable centralized MAC address authentication globally on the H3C HSW-2024G switch?
    How to enable centralized MAC address authentication for a specific port on the H3C HSW-2024G switch?
    What are the two modes of centralized MAC address authentication supported by the H3C HSW-2024G switch?
    How to set the ISP domain for MAC address authentication users on the H3C HSW-2024G switch?
    What are the timers used in centralized MAC address authentication on the H3C HSW-2024G switch?
Operation Manual – Centralized MAC Address Authentication
H3C S3100-52P Ethernet Switch Table of Contents
i
Table of Contents
Chapter 1 Centralized MAC Address Authentication Configuration........................................ 1-1
1.1 Centralized MAC Address Authentication Overview .........................................................1-1
1.2 Centralized MAC Address Authentication Configuration...................................................1-2
1.2.1 Enabling Centralized MAC Address Authentication Globally..................................1-2
1.2.2 Enabling Centralized MAC Address Authentication for a Port................................1-2
1.2.3 Configuring Centralized MAC Address Authentication Mode.................................1-3
1.2.4 Configuring the ISP Domain for MAC Address Authentication Users..................... 1-4
1.2.5 Configuring the Timers Used in Centralized MAC Address Authentication............1-4
1.3 Displaying and Debugging Centralized MAC Address Authentication..............................1-5
1.4 Centralized MAC Address Authentication Configuration Example....................................1-6
Operation Manual – Centralized MAC Address Authentication
H3C S3100-52P Ethernet Switch
Chapter 1 Centralized MAC Address
Authentication Configuration
1-1
Chapter 1 Centralized MAC Address
Authentication Configuration
1.1 Centralized MAC Address Authentication Overview
Centralized MAC address authentication is port- and MAC address-based
authentication used to control user permissions to access a network. Centralized MAC
address authentication can be performed without client-side software. With this type of
authentication employed, a switch authenticates a user upon detecting the MAC
address of the user for the first time.
Centralized MAC address authentication can be implemented in the following two
modes:
z MAC address mode, where user MAC serves as both the user name and the
password.
z Fixed mode, where user names and passwords are configured on a switch in
advance. In this case, every user corresponds to a specific user name and
password configured on the switch.
As for S3100-52P Ethernet Switch, authentication can be performed locally or on a
RADIUS server.
1) When a RADIUS server is used for authentication, the switch serves as a RADIUS
client. Authentication is carried out through the cooperation of switches and the
RADIUS server.
z In MAC address mode, a switch sends user MAC addresses detected to the
RADIUS server as both user names and passwords. The rest handling procedures
are the same as that of the common RADIUS authentication.
z In fixed mode, a switch sends the user name and password previously configured
for the user to be authenticated to the RADIUS server and replaces the
calling-station-id field of the RADIUS packet with the MAC address of the user.
The rest handling procedures are the same as that of the common RADIUS
authentication.
z A user can access a network upon passing the authentication performed by the
DADIUS server.
2) When authentications are performed locally, users are authenticated by switches.
In this case,
z For MAC address mode, you can specify the format to enter the MAC addresses
used as both user name and password by executing corresponding commands.
That is, to specify whether or not MAC addresses are provided in the hyphened
Operation Manual – Centralized MAC Address Authentication
H3C S3100-52P Ethernet Switch
Chapter 1 Centralized MAC Address
Authentication Configuration
1-2
form. The input format should be the same as the configured format, or else, the
authentication will fail.
z For fixed mode, configure the local user names and passwords as those for fixed
mode.
z The service type of a local user needs to be configured as lan-access.
1.2 Centralized MAC Address Authentication Configuration
The following are centralized MAC address authentication configuration tasks:
z Enabling Centralized MAC Address Authentication Globally
z Enabling Centralized MAC Address Authentication for a Port
z Configuring Centralized MAC Address Authentication Mode
z Configuring the ISP Domain for MAC Address Authentication Users
z Configuring the Timers Used in Centralized MAC Address Authentication
Caution:
The configuration of the maximum number of learned MAC addresses (refer to the
mac-address max-mac-count command) is unavailable for the ports with centralized
MAC address authentication enabled. Similarly, the centralized MAC address
authentication is unavailable for the ports with the maximum number of learned MAC
addresses configured.
1.2.1 Enabling Centralized MAC Address Authentication Globally
Table 1-1 Enable centralized MAC address authentication
Operation Command Description
Enter system view
system-view
Enable centralized MAC
address authentication
globally
mac-authentication
Required
By default, centralized MAC
address authentication is
globally disabled.
1.2.2 Enabling Centralized MAC Address Authentication for a Port
You can enable centralized MAC address authentication for a port in system view or in
Ethernet port view.
Operation Manual – Centralized MAC Address Authentication
H3C S3100-52P Ethernet Switch
Chapter 1 Centralized MAC Address
Authentication Configuration
1-3
Table 1-2 Enable centralized MAC address authentication for a port in system view
Operation Command Description
Enter system view
system-view
Enable centralized MAC
address authentication for
specified ports
mac-authentication
interface interface-list
Required
By default, centralized
MAC address
authentication is disabled
on a port.
Table 1-3 Enable centralized MAC address authentication for a port in Ethernet port
view
Operation Command Description
Enter system view
system-view
Enter Ethernet port view
interface interface-type
interface-number
Enable centralized MAC
address authentication for
the current port
mac-authentication
Required
By default, centralized
MAC address
authentication is disabled
on a port.
Centralized MAC address authentication for a port can be configured but does not take
effect before global centralized MAC address authentication is enabled. After global
centralized MAC address authentication is enabled, ports enabled with the centralized
MAC address authentication will perform the authentication immediately.
1.2.3 Configuring Centralized MAC Address Authentication Mode
Table 1-4 Configure centralized MAC address authentication mode
Operation Command Description
Enter system view
system-view
Configure centralized
MAC address
authentication mode as
MAC address mode
mac-authentication
authmode
usernameasmacaddres
s [ usernameformat
{ with-hyphen |
without-hyphen } ]
Optional
By default, the MAC
address mode is adopted.
Configure centralized
MAC address
authentication mode as
fixed mode
mac-authentication
authmode
usernamefixed
Optional
Operation Manual – Centralized MAC Address Authentication
H3C S3100-52P Ethernet Switch
Chapter 1 Centralized MAC Address
Authentication Configuration
1-4
Operation Command Description
Set a user name for fixed
mode
mac-authentication
authusername
username
Required for fixed mode
By default, the user name
is mac and no password
is needed.
Set the password for fixed
mode
mac-authentication
authpassword password
Optional
1.2.4 Configuring the ISP Domain for MAC Address Authentication Users
Table 1-5 lists the operations to configure the ISP domain for centralized MAC address
authentication users.
Table 1-5 Configure the ISP domain for MAC address authentication users
Operation Command Description
Enter system view
system-view
Configure the ISP domain
for MAC address
authentication users
mac-authentication
domain isp-name
Required
By default, the “default
domain” is used as the
ISP domain.
1.2.5 Configuring the Timers Used in Centralized MAC Address
Authentication
The following timers are used in centralized MAC address authentication:
z Offline detect timer, which sets the time interval for a switch to test whether a user
goes offline. Upon detecting a user is offline, a switch notifies the RADIUS server
of the user to trigger the RADIUS server to stop the accounting on the user.
z Quiet timer, which sets the quiet period for a switch. After a user fails to pass the
authentication performed by a switch, the switch quiets for a specific period (the
quiet period) before it authenticates users again.
z Server timeout timer. During authentication, the switch prohibits the user from
accessing the network through the corresponding port if the connection between
the switch and RADIUS server times out. In this case, the user can have it
authenticated through another port of the switch.
Table 1-6 lists the operations to configure the timers used in centralized MAC address
authentication.
Operation Manual – Centralized MAC Address Authentication
H3C S3100-52P Ethernet Switch
Chapter 1 Centralized MAC Address
Authentication Configuration
1-5
Table 1-6 Configure the timers used in centralized MAC address authentication
Operation Command Description
Enter system view
system-view
Configure a timer
used in centralized
MAC address
authentication
mac-authentication
timer { offline-detect
offline-detect-value |
quiet quiet-value |
server-timeout
server-timeout-value }
Optional
The default settings of the timers
used in centralized MAC address
authentication are as follows:
z Offline detect timer: 300
seconds
z Quiet timer: 60 seconds
z Server timeout timer: 100
seconds
1.3 Displaying and Debugging Centralized MAC Address
Authentication
After the above configuration, you can execute the display command in any view to
display system running of centralized MAC address authentication configuration, and
to verify the effect of the configuration. You can execute the reset command in user
view to clear the statistics of centralized MAC address authentication.
Table 1-7 Display and debug centralized MAC address authentication
Operation Command Description
Display global or port
information about
centralized MAC address
authentication
display
mac-authentication
[ interface interface-list ]
This command can be
executed in any view.
Clear the statistics of
global or port centralized
MAC address
authentication
reset mac-authentication
statistics [ interface
interface-type
interface-number ]
This command is
executed in user view
Operation Manual – Centralized MAC Address Authentication
H3C S3100-52P Ethernet Switch
Chapter 1 Centralized MAC Address
Authentication Configuration
1-6
1.4 Centralized MAC Address Authentication Configuration
Example
Note:
Centralized MAC address authentication configuration is similar to that of 802.1x. In
this example, the differences between the two lie in:
z Centralized MAC address authentication needs to be enabled both globally and for
a port.
z In MAC address mode, MAC address of locally authenticated user is used as both
user name and password.
z In MAC address mode, MAC address of user authenticated by RADIUS server need
to be configured as both user name and password on the RADIUS server.
The following section describes how to enable centralized MAC address authentication
globally and for a port, and how to configure a local user. For other related configuration,
refer to the configuration examples in “802.1x” Configuration.
# Enable centralized MAC address authentication for Ethernet 1/0/2 port.
<H3C> system-view
[H3C] mac-authentication interface Ethernet 1/0/2
# Configure centralized MAC address authentication mode as MAC address mode, and
use hyphened MAC addresses as the user names and passwords for authentication.
[H3C] mac-authentication authmode usernameasmacaddress userformat
with-hyphen
# Add a local user.
z Configure the user name and password.
[H3C] local-user 00-e0-fc-01-01-01
[H3C-luser-00-e0-fc-01-01-01] password simple 00-e0-fc-01-01-01
z Set service type of the local user to lan-access.
[H3C-luser-00-e0-fc-01-01-01] service-type lan-access
# Enable centralized MAC address authentication globally.
[H3C-luser-00-e0-fc-01-01-01] quit
[H3C] mac-authentication
# Configure the domain name for centralized MAC address authentication users as
aabbcc163.net.
[H3C] mac-authentication domain aabbcc163.net
For domain-related configuration, refer to the “802.1x” Configuration Example part of
this manual.
/