Configuration of EAD and local centralized MAC address authentication on H3C S3600 series switch(2)

Configuration of EAD and local centralized MAC address authentication on H3C S3600 series switch(2)

1 Network requirements：

1.1 The IP address of PC is 1.1.1.1/8 and the IP address of vlan1 on switch is 1.1.1.2/8.

1.2 The PC is connected to port G1/0/1 of switch.

1.3 Implement mac authentication at first.If the authentication is failed,implement dot1x authentication again.

2 Network diagram：

None

3 Configuration procedure：

3.1 Enable MAC address authentication globally

[Switch] MAC-authentication

3.2 Specify centralized MAC address authentication mode as MAC address, using hyphened MAC addresses as the usernames.

[Switch] MAC-authentication authmode usernameasmacaddress usernameformat with-hyphen

3.3 Use the system default domain as the MAC authentication domain.

[Switch] MAC-authentication domain system

3.4 Enter port Ethernet1/0/1 view

[Switch] interface Ethernet1/0/1

3.5 Enable MAC authentication on port

[Switch-Ethernet1/0/1] MAC-authentication

3.6 Quit to system view

[Switch-Ethernet1/0/1] quit

3.7 Add a user of MAC authentication（the username and password are both a MAC address of the PC that should be authenticated）

[Switch] local-user 00-15-c5-0d-1a-34

3.8 Set a password

[Switch-luser-00-15-c5-0d-1a-34] password simple 00-15-c5-0d-1a-34

3.9 Set the service type as lan-access

[Switch-luser-00-15-c5-0d-1a-34] service-type lan-access 

3.10 enable dot1x authentication globally

[Switch] dot1x

3.11 Set the switch as a RADIUS server

[Switch]local-server nas-ip 127.0.0.1 key huawei

3.12 Enter port Ethernet1/0/1 view

[Switch] interface Ethernet1/0/1

3.13 Enable dot1x authentication on port

[Switch-Ethernet1/0/1] dot1x

3.14 Quit to system view

[Switch-Ethernet1/0/1] quit

3.15 Add a local user

[Switch] local-user huawei

3.16 Set service type as lan-access

[Switch-luser-huawei] service-type lan-access

3.17 Set a password

[Switch-luser-huawei] password simple huawei

4 Configuration tips:

1.            Can not change or delete the related user’s configuration while implementing MAC authentication.

2.            MAC authentication and dot1x authentication must use system default domain as their authentication domain,and the time of authentication is long.

3.            This case is also applicable to H3C S5600 series switch.