Example for Configuring MAC Address Authentication to Control Access of Wired Terminals (V200R009C00 and later versions)

Created: Mar 23, 2017 14:10:58 | Latest reply: Mar 23, 2017 15:56:36

 

MAC Address Authentication Overview

As one of the NAC authentication modes, MAC address authentication controls a user's network access rights based on the user's access interface and MAC address. The user does not need to install any client software. MAC address authentication helps secure enterprise intranets.

MAC address authentication does not require client software on user terminals, but MAC addresses must be registered on the server, which makes management complex. The other two NAC authentication methods have their own advantages and disadvantages: 802.1x authentication provides high security, but it requires 802.1x client software on user terminals, which makes network deployment inflexible. Portal authentication also requires no client software and provides flexible deployment, but its security is low.

MAC address authentication is applied to access authentication scenarios of dumb terminals such as printers and fax machines.

Configuration Notes

- Cisco Identity Services Engine (ISE) version 2.0.0.306 functions as the RADIUS server in this example.

- The RADIUS authentication and accounting shared keys and the Portal shared key on the switch must be the same as those on the ISE.

- By default, the switch allows packets from the RADIUS server to pass, so you do not need to configure authentication-free rules for the server on the switch.

Networking Requirements

Enterprises have high requirements on network security. To prevent unauthorized access and protect information security, an enterprise requests users to pass identity authentication and security check before they access the enterprise network. Only authorized users are allowed to access the enterprise network. To reduce network reconstruction investment, you are advised to configure the MAC authentication function on the aggregation switch and connect a single centralized authentication server to the aggregation switch in bypass mode.

Figure 1-1 Networking diagram for configuring MAC authentication to control internal user access


 

Data Plan

Table 1-1 Network data plan

Item | Data
ISE | IP address: 192.168.100.100
Post-authentication domain server | IP address: 192.168.102.100
Aggregation switch (SwitchA) | VLAN to which GE0/0/6 (connected to the server) belongs: VLAN 100
  | VLAN to which downstream interfaces GE0/0/1 and GE0/0/2 belong: VLAN 200
Access switch (SwitchC) | User VLAN ID: 200
Access switch (SwitchD) | User VLAN ID: 200

Table 1-2 Aggregation switch service data plan

Item | Data
RADIUS scheme | Authentication server IP address: 192.168.100.100
  | Authentication server port number: 1812
  | Accounting server IP address: 192.168.100.100
  | Accounting server port number: 1813
  | Shared key for the RADIUS server: Huawei@2014
  | Accounting interval: 15 minutes
  | Authentication domain: isp
ACL number of the post-authentication domain | 3002

Table 1-3 ISE service data plan

Item | Data
Department | RD department
Access user | Access account: A-123
  | Password: Huawei123
Device group | Wired device group: Switch
Switch IP address | SwitchA: 192.168.10.10
RADIUS authentication key | Huawei@2014
RADIUS accounting key | Huawei@2014

Configuration Roadmap

1. Configure the aggregation switch, including the VLANs that interfaces belong to, the parameters for connecting to the RADIUS server, NAC authentication, and access rights to the post-authentication domain.

Note: Ensure that routes are reachable between the access switches (SwitchC and SwitchD), the aggregation switch (SwitchA), and the ISE.

2. Configure the access switches, including the VLANs and 802.1x transparent transmission.

3. Configure the ISE:

a. Log in to the ISE.

b. Add an account to the ISE.

c. Add switches to the ISE.

d. Configure authentication rules, authorization results, and authorization rules on the ISE.

Procedure

Step 1 Configure the aggregation switch.

1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200
[SwitchA] interface gigabitethernet 0/0/1    
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2    
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/6    
[SwitchA-GigabitEthernet0/0/6] port link-type trunk
[SwitchA-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/6] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 192.168.10.10 24    
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 192.168.200.1 24    
[SwitchA-Vlanif200] quit
[SwitchA] ip route-static 192.168.100.0 255.255.255.0 192.168.10.11    
[SwitchA] ip route-static 192.168.102.0 255.255.255.0 192.168.10.11   

2. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.

# Create and configure the RADIUS server template rd1.

[SwitchA] radius-server template rd1
[SwitchA-radius-rd1] radius-server authentication 192.168.100.100 1812
[SwitchA-radius-rd1] radius-server accounting 192.168.100.100 1813
[SwitchA-radius-rd1] radius-server shared-key cipher Huawei@2014
[SwitchA-radius-rd1] quit

# Create an AAA authentication scheme abc and set the authentication mode to RADIUS.

[SwitchA] aaa
[SwitchA-aaa] authentication-scheme abc
[SwitchA-aaa-authen-abc] authentication-mode radius
[SwitchA-aaa-authen-abc] quit

# Configure an accounting scheme acco1. Set the accounting mode to RADIUS so that the RADIUS server can maintain account status, such as login, log-off and forced log-off.

[SwitchA-aaa] accounting-scheme acco1
[SwitchA-aaa-accounting-acco1] accounting-mode radius
[SwitchA-aaa-accounting-acco1] accounting realtime 15    
[SwitchA-aaa-accounting-acco1] quit

# Create an authentication domain isp, and bind the AAA authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.

[SwitchA-aaa] domain isp
[SwitchA-aaa-domain-isp] authentication-scheme abc
[SwitchA-aaa-domain-isp] accounting-scheme acco1
[SwitchA-aaa-domain-isp] radius-server rd1
[SwitchA-aaa-domain-isp] quit
[SwitchA-aaa] quit

# Configure the global default domain isp. During access authentication, enter a user name in the format user@isp to perform AAA authentication in the domain isp. If the user name does not contain a domain name or contains an invalid domain name, the user is authenticated in the default domain.

[SwitchA] domain isp

3. Enable MAC address authentication.

# Set the NAC mode to unified.

[SwitchA] authentication unified-mode

Note: By default, the unified mode is enabled. After the NAC mode is changed, save the configuration and restart the device to make the configuration take effect.

# Configure a MAC access profile.

[SwitchA] mac-access-profile name m1
[SwitchA-mac-access-profile-m1] mac-authen username fixed A-123 password cipher Huawei123    
[SwitchA-mac-access-profile-m1] quit

# Configure an authentication profile.

[SwitchA] authentication-profile name p1
[SwitchA-authen-profile-p1] mac-access-profile m1    
[SwitchA-authen-profile-p1] quit

# Enable MAC address authentication on GE0/0/1 and GE0/0/2.

[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] authentication-profile p1
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] authentication-profile p1
[SwitchA-GigabitEthernet0/0/2] quit

4. Configure ACL 3002 for the post-authentication domain.

[SwitchA] acl 3002
[SwitchA-acl-adv-3002] description 3002.in   
[SwitchA-acl-adv-3002] rule 1 permit ip destination 192.168.102.100 0
[SwitchA-acl-adv-3002] rule 2 deny ip destination any
[SwitchA-acl-adv-3002] quit
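To show why the shared key in template rd1 must match the key on the ISE, here is an added Python example (not part of the original post and not Huawei or Cisco code): it builds the Access-Request that SwitchA would send for the fixed account A-123 when the registered terminal's MAC address is seen, lets a simulated server recover the PAP password, and checks the Access-Accept's Response Authenticator as RFC 2865 specifies. The packet identifier, the Request Authenticator and the server-side check are constructed assumptions; what the real ISE does beyond the RFC 2865 packet layout is not shown.

```python
import hashlib
import struct

# Values from the example's data plan: RADIUS template rd1 on SwitchA and the ISE tables.
SHARED_KEY = b"Huawei@2014"
USERNAME, PASSWORD = b"A-123", b"Huawei123"  # mac-authen username fixed A-123 password ...
TERMINAL_MAC = b"3c-97-0e-bd-6a-65"         # endpoint registered on the ISE in group RD
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2         # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31   # RADIUS attribute types
REQ_AUTH = bytes(range(16))  # constructed sample; a real NAS draws 16 random bytes per request

def pap_xor(data, secret, req_auth, decrypt):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), starting from the Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        out += bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = data[i:i + 16] if decrypt else out[-16:]  # chain on the previous cipher block
    return out

def attr(t, value): return struct.pack("!BB", t, len(value) + 2) + value
def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_access_request(ident, req_auth, secret):
    """The Access-Request SwitchA sends to 192.168.100.100:1812 when a terminal's MAC is seen."""
    padded = PASSWORD + b"\x00" * (-len(PASSWORD) % 16)
    attrs = (attr(USER_NAME, USERNAME) + attr(USER_PASSWORD, pap_xor(padded, secret, req_auth, False))
             + attr(CALLING_STATION_ID, TERMINAL_MAC))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def ise_check(request, secret):
    """Server side: decrypt with the server's key; a key mismatch yields garbage, so even a valid account fails."""
    attrs = parse_attrs(request[20:])
    pw = pap_xor(attrs[USER_PASSWORD], secret, request[4:20], True).rstrip(b"\x00")
    return attrs[USER_NAME] == USERNAME and pw == PASSWORD

def resp_auth(code, ident, attrs, req_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()
def build_access_accept(ident, req_auth, secret):  # the ISE's reply; no attributes in this example
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20) + resp_auth(ACCESS_ACCEPT, ident, b"", req_auth, secret)

def verify_reply(reply, req_auth, secret):
    """Switch side: a reply whose Response Authenticator fails under the shared key is discarded."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    return reply[4:20] == resp_auth(code, ident, reply[20:length], req_auth, secret)
```

Run ise_check and verify_reply once with SHARED_KEY and once with a different key to see that a mismatched key breaks both the password recovery and the reply check, which is the failure mode behind the configuration note above.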

Step 2 Configure the access switches. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded. This example uses SwitchC to describe the configuration. The configuration on SwitchD is the same as that on SwitchC.

# Create VLAN 200.

<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 200

# Configure the interface connected to users as an access interface and add the interface to VLAN 200.

[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type access
[SwitchC-GigabitEthernet0/0/1] port default vlan 200  
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type access
[SwitchC-GigabitEthernet0/0/2] port default vlan 200
[SwitchC-GigabitEthernet0/0/2] quit

# Configure the interface connected to the upstream network as a trunk interface and configure the interface to allow VLAN 200.

[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] port link-type trunk
[SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 200
[SwitchC-GigabitEthernet0/0/3] quit

Step 3 Configure the ISE.

1. Log in to the ISE.

a. Open Internet Explorer, enter the ISE address in the address box, and press Enter.

The following table describes the address used to access the ISE.

Address Format | Description
https://ISE-IP | In the address, ISE-IP indicates the ISE address.

b. Enter the configured user name and password to log in to the Cisco ISE.

2. Create a department and account.

a. Choose Administration > Identity Management > Groups. In the navigation area on the left, choose Endpoint Identity Groups. Click Add in the operation area on the right, and create the group RD to which the RD department belongs. After completing the configuration, click Submit.

b. Choose Administration > Identity Management > Identities. In the navigation area on the left, choose EndPoints. Click Add in the operation area on the right. Add the terminal with the MAC address 3c-97-0e-bd-6a-65 and bind the terminal to the group RD. After completing the configuration, click Save.

3. Add a switch to the ISE and configure related parameters to ensure normal communication between the ISE and the switch.

a. In the top navigation area, choose Administration > Network Resources > Network Device Profiles and click the Add tab. Create the access device profile HUAWEI, set Vendor to Other, and select RADIUS under Supported Protocols.

b. Configure Authentication/Authorization and Permissions according to the corresponding figures in the original post. After completing the configuration, click Submit.

c. Choose Administration > Network Resources > Network Devices. Click Add in the operation area on the right, add the access device SwitchA, and configure the parameters of SwitchA according to the following table. After completing the configuration, click Submit.

Parameter | Value | Description
Name | SwitchA | -
IP Address | 192.168.10.10 | The interface on the switch must be able to communicate with the ISE.
RADIUS shared key | Huawei@2014 | It must be the same as the RADIUS authentication key and RADIUS accounting key configured on the switch.

4. Configure the password authentication protocol.

In the top navigation area, choose Policy > Policy Elements > Results. In the navigation area on the left, choose Authentication > Allowed Protocols. Click Add in the operation area on the right.

Note: The ISE provides the default authentication protocol profile Default Network Access. If this profile meets actual requirements, you do not need to create a new profile.

Create the protocol profile Authentication for user authentication. Select proper authentication protocols based on actual requirements. After completing the configuration, click Submit.

5. Configure the authentication policy.

a. Choose Policy > Authentication. Authentication policies are classified into simple and rule-based authentication policies. A simple authentication policy is used in this example.

b. Click the Network Access Service drop-down list box. The Network Access Services dialog box is displayed. Click Allowed Protocols and choose Authentication.

6. Add an authorization rule.

a. In the top navigation area, choose Policy > Authorization. Click the triangle next to the first authentication policy and choose Insert New Rule Above.

b. Add an authorization result and bind an authorization rule to the authorization result.

c. Click the Save tab on the right. Click Done.

Step 4 Verify the configuration.

- Before passing the authentication, an employee can access only the ISE.

- After passing the authentication, the employee can access resources in the post-authentication domain.

- After the employee passes the authentication, run the display access-user command on the switch. The command output shows information about the online employee.

----End

Configuration Files

- SwitchA configuration file

#
sysname SwitchA
#
vlan batch 100 200
#
authentication-profile name p1
 mac-access-profile m1
#
domain isp
#
radius-server template rd1
 radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
 radius-server authentication 192.168.100.100 1812 weight 80
 radius-server accounting 192.168.100.100 1813 weight 80
#
mac-access-profile name m1
 mac-authen username fixed A-123 password cipher %^%#'Fxw8E,G-81(A3U<^HH9Sj\:&hTdd>R>HILQYLtW%^%#
#
acl number 3002
 description 3002.in
 rule 1 permit ip destination 192.168.102.100 0
 rule 2 deny ip
#
aaa
 authentication-scheme abc
  authentication-mode radius
 accounting-scheme acco1
  accounting-mode radius
  accounting realtime 15
 domain isp
  authentication-scheme abc
  accounting-scheme acco1
  radius-server rd1
#
interface Vlanif100
 ip address 192.168.10.10 255.255.255.0
#
interface Vlanif200
 ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 200
 authentication-profile p1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 200
 authentication-profile p1
#
interface GigabitEthernet0/0/6
 port link-type trunk
 port trunk allow-pass vlan 100
#
ip route-static 192.168.100.0 255.255.255.0 192.168.10.11
ip route-static 192.168.102.0 255.255.255.0 192.168.10.11
#
return

- SwitchC configuration file

#
sysname SwitchC
#
vlan batch 200
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 200
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 200
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 200
#
return

This post was last edited by 交换机在江湖 at 2017-05-31 17:14.

user_2790689 Created Mar 23, 2017 15:56:36

thank you