Figure 38 Network diagram 
 
 
Configuration procedure 
1.  Make sure the RADIUS server and the access device can reach each other. (Details not shown.)
2.  Configure the RADIUS servers: 
# Create a shared account for MAC authentication users. (Details not shown.) 
# Set username aaa and password 123456 for the account. (Details not shown.) 
3.  Configure RADIUS-based MAC authentication on the device: 
# Configure a RADIUS scheme. 
<Device> system-view 
[Device] radius scheme 2000 
[Device-radius-2000] primary authentication 10.1.1.1 1812 
[Device-radius-2000] primary accounting 10.1.1.2 1813 
[Device-radius-2000] key authentication simple abc 
[Device-radius-2000] key accounting simple abc 
[Device-radius-2000] user-name-format without-domain 
[Device-radius-2000] quit 
# Apply the RADIUS scheme to ISP domain bbb for authentication, authorization, and accounting.
[Device] domain bbb 
[Device-isp-bbb] authentication default radius-scheme 2000 
[Device-isp-bbb] authorization default radius-scheme 2000 
[Device-isp-bbb] accounting default radius-scheme 2000 
[Device-isp-bbb] quit 
# Enable MAC authentication on Ten-GigabitEthernet 1/0/1. 
[Device] interface ten-gigabitethernet 1/0/1 
[Device-Ten-GigabitEthernet1/0/1] mac-authentication 
[Device-Ten-GigabitEthernet1/0/1] quit 
# Specify the MAC authentication domain as ISP domain bbb. 
[Device] mac-authentication domain bbb 
# Set MAC authentication timers. 
[Device] mac-authentication timer offline-detect 180 
[Device] mac-authentication timer quiet 180 
# Specify username aaa and password 123456 in plain text for the account shared by MAC authentication users.
[Device] mac-authentication user-name-format fixed account aaa password simple 123456 
# Enable MAC authentication globally.