120
Figure 37 Network diagram
Configuration procedure
Make sure the RADIUS servers and the access device can reach each other.
1. Configure ACL 3000 to deny packets destined for 10.0.0.1.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Sysname-acl-adv-3000] quit
2. Configure RADIUS-based MAC authentication on the device:
# Configure a RADIUS scheme.
[Sysname] radius scheme 2000
[Sysname-radius-2000] primary authentication 10.1.1.1 1812
[Sysname-radius-2000] primary accounting 10.1.1.2 1813
[Sysname-radius-2000] key authentication simple abc
[Sysname-radius-2000] key accounting simple abc
[Sysname-radius-2000] user-name-format without-domain
[Sysname-radius-2000] quit
# Apply RADIUS scheme 2000 to ISP domain 2000 for authentication, authorization, and
accounting.
[Sysname] domain 2000
[Sysname-isp-2000] authentication default radius-scheme 2000
[Sysname-isp-2000] authorization default radius-scheme 2000
[Sysname-isp-2000] accounting default radius-scheme 2000
[Sysname-isp-2000] quit
# Specify the ISP domain for MAC authentication.
[Sysname] mac-authentication domain 2000
# Configure the device to use MAC-based user accounts. Each MAC address is in the
hexadecimal notation with hyphens, and letters are in lower case.
[Sysname] mac-authentication user-name-format mac-address with-hyphen lowercase
# Enable MAC authentication on port GigabitEthernet 1/0/1.
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication
[Sysname-GigabitEthernet1/0/1] quit
# Enable MAC authentication globally.
[Sysname] mac-authentication
Internet
Device
Host
IP:
192
.168
.1
.
10
/
24
MAC: 00-e0-fc-12-34-
56
GE1
/0
/
1
FTP server
10.
0.
0
.1
/24
RADIUS servers
Auth:
10
.1
.
1
.
1
Acct:10.1.1.2
To Next Page
Loading...
