118
RADIUS-based MAC authentication configuration example
Network requirements
As shown in Figure 34, a host connects to port Ethernet 1/0/1 on the access device. The device uses
RADIUS servers for authentication, authorization, and accounting.
Perform MAC authentication on port Ethernet 1/0/1 to control Internet access. Make sure that:
• The device detects whether a user has gone offline every 180 seconds. If a user fails authentication,
the device does not authenticate the user within 180 seconds.
• All MAC authentication users belong to ISP domain 2000 and share the user account aaa with
password 123456.
Figure 34 Network diagram
Configuration procedure
1. Make sure the RADIUS server and the access device can reach each other.
2. Create a shared account for MAC authentication users on the RADIUS server, and set the
username aaa and password 123456 for the account.
3. Configure the device:
# Configure a RADIUS scheme.
<Device> system-view
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication abc
[Device-radius-2000] key accounting abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and
accounting.
[Device] domain 2000
[Device-isp-2000] authentication default radius-scheme 2000
[Device-isp-2000] authorization default radius-scheme 2000
[Device-isp-2000] accounting default radius-scheme 2000
[Device-isp-2000] quit
# Enable MAC authentication globally.
[Device] mac-authentication
To Next Page
Loading...
Need help?
General