H3C LS-3100-52P-OVS-H3 Operation Manual - page 1431
1234-0300-0011 1 Learned GigabitEthernet1/0/1 AGING
--- 1 mac address(es) found ---
Configuring the macAddressElseUserLoginSecure Mode
Network requirements
The client is connected to the switch through GigabitEthernet 1/0/1. The switch authenticates the client
by the RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
Restrict port GigabitEthernet 1/0/1 of the switch as follows:
• Allow more than one MAC authenticated user to log on.
• For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X authentication. Allow only one 802.1X user to log on.
• Set fixed username and password for MAC-based authentication. Set the total number of MAC authenticated users and 802.1X-authenticated users to 64.
• Enable NTK to prevent frames from being sent to unknown MAC addresses.
See Figure 1-2.
Configuration procedure
• Configurations on the host and RADIUS servers are omitted.
1) Configure the RADIUS protocol
The required RADIUS authentication/accounting configurations are the same as those in Configuring the userLoginWithOUI Mode.
2) Configure port security
# Enable port security.
[Switch] port-security enable
# Configure a MAC authentication user, setting the user name and password to aaa and 123456 respectively.
[Switch] mac-authentication user-name-format fixed account aaa password simple 123456
[Switch] interface gigabitethernet 1/0/1
# Set the maximum number of secure MAC addresses allowed on the port to 64.
[Switch-GigabitEthernet1/0/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
[Switch-GigabitEthernet1/0/1] port-security port-mode mac-else-userlogin-secure
# Set the NTK mode of the port to ntkonly.
[Switch-GigabitEthernet1/0/1] port-security ntk-mode ntkonly
3) Verify the configuration
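An offline check of the step 2 commands against the port restrictions listed under Network requirements. This is an added example, not part of the H3C manual: the function names parse and audit are hypothetical, and the transcript is copied from step 2 above.

```python
import re

# Commands from step 2 of the procedure; the prompt in brackets names the view.
TRANSCRIPT = """\
[Switch] port-security enable
[Switch] mac-authentication user-name-format fixed account aaa password simple 123456
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port-security max-mac-count 64
[Switch-GigabitEthernet1/0/1] port-security port-mode mac-else-userlogin-secure
[Switch-GigabitEthernet1/0/1] port-security ntk-mode ntkonly
"""

# Assumption: the device name itself contains no hyphen, as in "[Switch-<view>]".
PROMPT = re.compile(r"^\[[^\]-]+(?:-(?P<view>[^\]]+))?\]\s+(?P<cmd>\S.*)$")


def parse(transcript):
    """Group commands by view: 'system' or the interface named in the prompt."""
    views = {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if m:  # '#' description lines and blank lines never match
            words = m.group("cmd").lower().split()
            views.setdefault(m.group("view") or "system", []).append(words)
    return views


def audit(transcript, port="GigabitEthernet1/0/1", limit=64):
    """Return deviations from the stated port restrictions; [] means none."""
    views = parse(transcript)
    system, iface = views.get("system", []), views.get(port, [])
    fixed = ["mac-authentication", "user-name-format", "fixed", "account"]
    # A later port-security command on the port overrides an earlier one.
    port_sec = {c[1]: c[2] for c in iface if c[0] == "port-security" and len(c) == 3}
    findings = []
    if ["port-security", "enable"] not in system:
        findings.append("port security not enabled")
    if not any(c[:4] == fixed for c in system):
        findings.append("no fixed MAC authentication account")
    if port_sec.get("port-mode") != "mac-else-userlogin-secure":
        findings.append("port mode is not macAddressElseUserLoginSecure")
    if port_sec.get("max-mac-count") != str(limit):
        findings.append(f"max-mac-count is not {limit}")
    if port_sec.get("ntk-mode") != "ntkonly":
        findings.append("NTK mode is not ntkonly")
    return findings


if __name__ == "__main__":
    print(audit(TRANSCRIPT) or "matches the stated restrictions")
```
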