HP 5500 Ei 5500 Si Switch Series Configuration Guide
Page 1781
116 Configuring MAC authentication MAC authentication overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to input a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port. If the MAC address passes authentication, the user can access authorized network resources. If the...
Page 1782
117 For more information about configuring local authentication and RADIUS authentication, see Configuring AAA. MAC authentication timers MAC authentication uses the following timers: • Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user. • Quiet timer—Sets the interval that the device must...
Page 1783
118 If a user in the guest VLAN passes MAC authentication, it is removed from the guest VLAN and can access all authorized network resources. If not, the user is still in the MAC authentication guest VLAN. A hybrid port is always assigned to a guest VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN. Critical VLAN You can configure a MAC authentication critical VLAN on a port to accommodate users that fail MAC authentication because no...
Page 1784
119 Configuring MAC authentication globally Step Command Remarks 1. Enter system view. system-view N/A 2. Enable MAC authentication globally. mac-authentication Disabled by default. 3. Configure MAC authentication timers. mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value } Optional. By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100...
Page 1785
120 Specifying a MAC authentication domain By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can specify authentication domains for MAC authentication users in the following ways: • Specify a global authentication domain in system view. This domain setting applies to all ports. • Specify an authentication domain for an individual port in Ethernet interface view. MAC authentication chooses an...
Page 1786
121 Table 8 Relationships of the MAC authentication guest VLAN with other security features Feature Relationship description Reference Quiet function of MAC authentication The MAC authentication guest VLAN function has higher priority. A user can access any resources in the guest VLAN. See MAC authentication timers Super VLAN You cannot specify a VLAN as both a super VLAN and a MAC authentication guest VLAN. See Layer 2—LAN Switching Configuration Guide Port intrusion protection The...
Page 1787
122 Table 9 Relationships of the MAC authentication critical VLAN with other security features Feature Relationship description Reference Quiet function of MAC authentication The MAC authentication critical VLAN function has higher priority. When a user fails MAC authentication because no RADIUS authentication server is reachable, the user can access the resources in the critical VLAN, and the user’s MAC address is not marked as a silent MAC address. See MAC authentication timers Super...
Page 1788
123 Figure 48 Network diagram
Configuration procedure
# Add a local user account, set both the username and password to 00-e0-fc-12-34-56, the MAC address of the user host, and enable LAN access service for the account.
system-view
[Device] local-user 00-e0-fc-12-34-56
[Device-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
[Device-luser-00-e0-fc-12-34-56] service-type lan-access
[Device-luser-00-e0-fc-12-34-56] quit
# Configure ISP domain aabbcc.net to perform local...
Page 1789
124 MAC Addr From Port Port Index Gigabitethernet1/0/1 is link-up MAC address authentication is enabled Authenticate success: 1, failed: 0 Max number of on-line users is 256 Current online user number is 1 MAC Addr Authenticate state Auth Index 00e0-fc12-3456 MAC_AUTHENTICATOR_SUCCESS 29 # After the user passes authentication, use the display connection command to display the online user information....
Page 1790
125
# Configure a RADIUS scheme.
system-view
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication abc
[Device-radius-2000] key accounting abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting.
[Device] domain 2000
[Device-isp-2000]...