Configuration procedure
NOTE:
Configurations on the host and RADIUS servers are not shown.
1. Configure the RADIUS protocol.
The required RADIUS authentication/accounting configurations and ISP domain configurations are the
same as those in "Configuring the userLoginWithOUI mode."
2. Configure port security.
# Enable port security.
<Switch> system-view
[Switch] port-security enable
# Configure a MAC authentication user, setting the username and password to aaa and 123456
respectively.
[Switch] mac-authentication user-name-format fixed account aaa password simple 123456
# Specify ISP domain sun for MAC authentication.
[Switch] mac-authentication domain sun
# Set the 802.1X authentication method to CHAP. (This configuration is optional. By default, the
authentication method is CHAP for 802.1X.)
[Switch] dot1x authentication-method chap
# Set the maximum number of secure MAC addresses allowed on the port to 64.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
[Switch-GigabitEthernet1/0/1] port-security port-mode mac-else-userlogin-secure
# Set the NTK mode of the port to ntkonly.
[Switch-GigabitEthernet1/0/1] port-security ntk-mode ntkonly
3. Verify the configuration.
After completing the configurations, you can use the following command to view the port security
configuration information:
<Switch> display port-security interface gigabitethernet 1/0/1
Equipment port-security is enabled
Trap is disabled
AutoLearn aging time is 30 minutes
Disableport Timeout: 20s
OUI value:
GigabitEthernet1/0/1 is link-up
Port mode is macAddressElseUserLoginSecure
NeedToKnow mode is NeedToKnowOnly
Intrusion Protection mode is NoAction
Max MAC address number is 64
Stored MAC address number is 0
Authorization is permitted
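An added example, not part of the original manual: a Python check that parses the display port-security interface output above and reports every field that differs from the values configured in step 2. The field names, the PATTERNS table and the BASELINE dictionary are this example's own assumptions.

```python
import re

# Constructed sample: the display output from step 3 of this page.
SAMPLE_OUTPUT = """\
Equipment port-security is enabled
Trap is disabled
AutoLearn aging time is 30 minutes
Disableport Timeout: 20s
OUI value:
GigabitEthernet1/0/1 is link-up
Port mode is macAddressElseUserLoginSecure
NeedToKnow mode is NeedToKnowOnly
Intrusion Protection mode is NoAction
Max MAC address number is 64
Stored MAC address number is 0
Authorization is permitted
"""
# Expected values, taken from the configuration steps on this page.
BASELINE = {
    "port-security": "enabled",
    "port mode": "macAddressElseUserLoginSecure",
    "ntk mode": "NeedToKnowOnly",
    "max mac": "64",
}
# One regex per field of interest; the field names are this example's own.
PATTERNS = {
    "port-security": r"^\s*Equipment port-security is (\S+)",
    "port mode": r"^\s*Port mode is (\S+)",
    "ntk mode": r"^\s*NeedToKnow mode is (\S+)",
    "max mac": r"^\s*Max MAC address number is (\d+)",
    "intrusion protection": r"^\s*Intrusion Protection mode is (\S+)",
    "trap": r"^\s*Trap is (\S+)",
}

def parse_port_security(text):
    """Extract the known fields; a field absent from the output maps to None."""
    found = {}
    for key, pattern in PATTERNS.items():
        m = re.search(pattern, text, re.MULTILINE)
        found[key] = m.group(1) if m else None
    return found

def audit(text, baseline=BASELINE):
    """Return (field, expected, actual) for each field that misses the baseline."""
    state = parse_port_security(text)
    return [(k, want, state[k]) for k, want in baseline.items() if state[k] != want]

if __name__ == "__main__":
    print(audit(SAMPLE_OUTPUT) or "port matches the configured baseline")
```

A field that is missing from truncated or reformatted output is reported as a mismatch with an actual value of None, so an incomplete capture never passes silently.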