RADIUS-Based MAC Authentication Configuration Example
Network requirements
As illustrated in Figure 1-2, a host is connected to the device through port GigabitEthernet 1/0/1. The device authenticates, authorizes and keeps accounting on the host through the RADIUS server.
• MAC authentication is required on every port to control user access to the Internet.
• Set the offline detect timer to 180 seconds and the quiet timer to 3 minutes.
• All users belong to ISP domain 2000.
• The username type of fixed username is used for authentication, with the username being aaa and password being 123456.
Figure 1-2 Network diagram for MAC authentication using RADIUS
Configuration procedure
The RADIUS server and the device must be reachable from each other, and the username and password must be configured on the server.
1) Configure MAC authentication on the device
# Configure a RADIUS scheme.
<Device> system-view
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication abc
[Device-radius-2000] key accounting abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Specify the AAA schemes for the ISP domain.
[Device] domain 2000
[Device-isp-2000] authentication default radius-scheme 2000
[Device-isp-2000] authorization default radius-scheme 2000
[Device-isp-2000] accounting default radius-scheme 2000
[Device-isp-2000] quit
# Enable MAC authentication globally.
[Device] mac-authentication
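Added example (not part of the original manual): what the RADIUS scheme above puts on the wire. It builds the Access-Request the device would send to 10.1.1.1:1812 for the fixed username, hiding the password with the shared key as RFC 2865 specifies, and recovers it as the server does. The Calling-Station-Id attribute, the host MAC and all function names are assumptions.

```python
import hashlib
import os
import struct

SHARED_KEY = b"abc"    # key authentication abc
USERNAME = b"aaa"      # fixed username; without-domain strips "@2000"
PASSWORD = b"123456"   # fixed password

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(16 * max(1, -(-len(password) // 16)), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side: undo hide_password with the same shared key."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")

def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def access_request(identifier, authenticator, host_mac):
    """Code 1 (Access-Request) with User-Name, User-Password, Calling-Station-Id."""
    attrs = (attribute(1, USERNAME)
             + attribute(2, hide_password(PASSWORD, SHARED_KEY, authenticator))
             + attribute(31, host_mac))  # assumption: MAC carried in attribute 31
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    attrs, pos = {}, 20  # attributes start after the 20-byte header
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

if __name__ == "__main__":
    ra = os.urandom(16)  # Request Authenticator, fresh per request
    pkt = access_request(1, ra, b"00-11-22-33-44-55")  # constructed host MAC
    print(parse_attributes(pkt)[2].hex(), reveal_password(parse_attributes(pkt)[2], SHARED_KEY, ra))
```

Only User-Password is hidden; User-Name and the MAC attribute travel in clear, and the hiding depends entirely on the shared key configured on both the device and the server.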