1-9
Figure 1-3
Network diagram for ACL assignment
Configuration procedure
z
Make sure that there is a route available between the RADIUS server and the switch.
z
In this example, the switch uses the default username type (user MAC address) for MAC
authentication. Therefore, you need to add the username and password of each user on the
RADIUS server correctly.
z
You need to configure the RADIUS server to assign ACL 3000 as the authorization ACL.
# Configure the RADIUS scheme.
<Sysname> system-view
[Sysname] radius scheme 2000
[Sysname-radius-2000] primary authentication 10.1.1.1 1812
[Sysname-radius-2000] primary accounting 10.1.1.2 1813
[Sysname-radius-2000] key authentication abc
[Sysname-radius-2000] key accounting abc
[Sysname-radius-2000] user-name-format without-domain
[Sysname-radius-2000] quit
# Create an ISP domain and specify the AAA schemes.
[Sysname] domain 2000
[Sysname-isp-2000] authentication default radius-scheme 2000
[Sysname-isp-2000] authorization default radius-scheme 2000
[Sysname-isp-2000] accounting default radius-scheme 2000
[Sysname-isp-2000] quit
# Configure ACL 3000 to deny packets destined for 10.0.0.1.
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Sysname-acl-adv-3000] quit
# Enable MAC authentication globally.
[Sysname] mac-authentication
# Specify the ISP domain for MAC authentication users.
[Sysname] mac-authentication domain 2000
# Specify the MAC authentication username type as MAC address, that is, using the MAC address of a
user as the username and password for MAC authentication of the user.