How to configure the escape function for MAC address authentication users on S series switches

For S series switches (except the S1700), you can specify none authentication as a backup authentication mode when setting the authentication mode to RADIUS or HWTACACS. This configuration prevents authentication failures that occur if the remote authentication server does not respond due to faults or network congestion. This configuration applies to MAC address authentication, 802.1x authentication, Portal authentication, and hybrid authentication.
The configuration method is as follows:
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme scheme1
[HUAWEI-aaa-authen-scheme1] authentication-mode radius none
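
With none as the backup mode, users are admitted without any credential check while the server is unresponsive, so it helps to know which schemes carry it and which domains bind them. The check below is an added example, not part of the original page or of Huawei's tooling; the sample configuration is constructed, and its indented block layout is an assumption about how the saved configuration is written.

```python
# Added example: list AAA schemes whose mode list contains "none" and the
# domains bound to them. SAMPLE_CONFIG is constructed; the indented block
# layout is an assumption about how the saved configuration is written.
SAMPLE_CONFIG = """\
aaa
 authentication-scheme scheme1
  authentication-mode radius none
 authentication-scheme a1
  authentication-mode local
 authentication-scheme tac1
  authentication-mode hwtacacs local
 domain huawei
  authentication-scheme scheme1
 domain printers
  authentication-scheme a1
"""


def audit_escape(config):
    """Return (risky, exposed): schemes with 'none', domains that use them."""
    modes = {}      # scheme name -> ordered list of authentication modes
    bindings = {}   # domain name -> scheme name it references
    ctx = None      # (kind, name, indent) of the block being parsed
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        indent = len(raw) - len(raw.lstrip())
        if ctx and indent <= ctx[2]:
            ctx = None                        # left the previous block
        if words[0] == "authentication-scheme" and len(words) == 2:
            if ctx and ctx[0] == "domain":
                bindings[ctx[1]] = words[1]   # reference inside a domain
            else:
                ctx = ("scheme", words[1], indent)
                modes.setdefault(words[1], [])
        elif words[0] == "domain" and len(words) == 2:
            ctx = ("domain", words[1], indent)
        elif words[0] == "authentication-mode" and ctx and ctx[0] == "scheme":
            modes[ctx[1]] = words[1:]
    risky = {s: m for s, m in modes.items() if "none" in m}
    exposed = sorted(d for d, s in bindings.items() if s in risky)
    return risky, exposed


if __name__ == "__main__":
    risky, exposed = audit_escape(SAMPLE_CONFIG)
    for scheme, order in risky.items():
        print(f"{scheme}: {' -> '.join(order)} (no credential check at 'none')")
    print("domains using an escape scheme:", ", ".join(exposed) or "none")
```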

Other related questions:
Configure MAC address bypass authentication on S series switch
On S series switches (except the S1700), you can enable MAC address bypass authentication so that terminals such as printers, on which 802.1x client software cannot be installed or used, can access the network. For example, if a large number of PCs and a small number of dumb terminals are connected to GE1/0/1 and GE1/0/5, you can enable 802.1x authentication and MAC address bypass authentication on GE1/0/1 and GE1/0/5 to ensure that both the PCs and the dumb terminals can access the network. The following describes the configuration:
- Configure multiple interfaces in a batch in the system view.
[HUAWEI] dot1x enable
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1 gigabitethernet 1/0/5
[HUAWEI] dot1x mac-bypass interface gigabitethernet 1/0/1 gigabitethernet 1/0/5
- Configure each interface in the interface view.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] dot1x mac-bypass
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] dot1x enable
[HUAWEI-GigabitEthernet1/0/5] dot1x mac-bypass
Precautions:
1. In addition to performing the preceding configuration, you still need to add the MAC addresses of the terminals on the authentication server. For details, see the configuration guide of the authentication server.
2. In V200R005C00 and later versions, S series switches support MAC address bypass authentication only in NAC traditional configuration mode.

How to configure MAC address authentication on S series switches
MAC address authentication controls a user's network access rights based on the access port and the user's MAC address. The user does not need to install any client software.
For switches running V200R003C10 and earlier versions, NAC can be configured only in common mode. For switches running V200R005C00 and later versions, NAC can be configured in common or unified mode. Accordingly, MAC address authentication can be configured in common or unified mode. For switches running V200R009C00, the configuration model of NAC unified mode changes.
Query the appropriate product manual based on the switch model and version. The following links are for reference only.
- See "NAC Configuration (Common Mode) - Example for Configuring MAC Address Authentication to Control Internal User Access" in S2750&S5700&S6720 V200R008C00 Configuration Guide - User Access and Authentication.
- See "NAC Configuration (Unified Mode) - Example for Configuring MAC Address Authentication to Control Internal User Access (RADIUS Authentication Is Used)" or "NAC Configuration (Unified Mode) - Example for Configuring MAC Address Authentication to Control Internal User Access" in S2750&S5700&S6720 V200R008C00 Configuration Guide - User Access and Authentication.
- See "NAC Configuration (Unified Mode) - Example for Configuring MAC Address Authentication" in S1720&S2700&S5700&S6720 V200R009C00 Configuration Guide - User Access and Authentication.

How to configure local authentication for a MAC address authentication user when the user's MAC address is used as the user name for authentication
You can configure local authentication for MAC address authentication users on S series switches (except the S1700). Perform the following operations to configure local authentication for a MAC address authentication user when the user's MAC address is specified as the user name for authentication (the configuration in NAC common mode is used as an example and is applicable to switches running all versions).
1. Configure an AAA scheme and a local account.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme a1
[HUAWEI-aaa-authen-a1] authentication-mode local   //Set the user's authentication mode to local authentication.
[HUAWEI-aaa-authen-a1] quit
[HUAWEI-aaa] local-user 000b-09d4-8828 password cipher Huawei@123  //Configure a local account and specify the user's MAC address as the user name.
[HUAWEI-aaa] local-user 000b-09d4-8828 service-type bind   //Configure the access type. You can set the access type of the local authentication user to 802.1x, Bind, PPP, or web.
2. Configure an authentication domain.
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] authentication-scheme a1
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] domain huawei   //Configure the authentication domain huawei as the global default authentication domain.
3. Specify the user's MAC address as the user name for local authentication.
[HUAWEI] mac-authen username macaddress format with-hyphen password cipher Huawei@123
4. Enable MAC address authentication.
[HUAWEI] mac-authen  //Enable MAC address authentication globally.
[HUAWEI] interface gigabitethernet 1/0/1  //Enter the view of the interface connected to the user.
[HUAWEI-GigabitEthernet1/0/1] port link-type access
[HUAWEI-GigabitEthernet1/0/1] port default vlan 10   //Add the interface to the VLAN to which the user belongs.
[HUAWEI-GigabitEthernet1/0/1] mac-authen  //Enable MAC address authentication on the interface.
[HUAWEI-GigabitEthernet1/0/1] quit
For switches running V200R009C00, the configuration model of NAC unified mode changes. Query the appropriate product manual based on the switch model and version. Take the configuration on a switch running V200R009 as an example. For details, see "NAC Configuration (Unified Mode) - Example for Configuring MAC Address Authentication (AAA Local Authentication Is Used)" in S1720&S2700&S5700&S6720 V200R009C00 Configuration Guide - User Access and Authentication.

S series switches' support for MAC address authentication
S series switches (except the S1700) support MAC address authentication as follows:
- In V100R006, switches except the S2700SI and S2710SI support MAC address authentication.
- In versions later than V100R006, all switches support MAC address authentication.

How to add a MAC address for MAC address authentication on S series switches
For S series switches (except the S1700), if a new MAC address entry is generated after MAC address authentication is configured on an interface, MAC address authentication will be performed for the MAC address. You can perform the following operations to add a MAC address for MAC address authentication.
[HUAWEI] interface Vlanif 10
[HUAWEI-Vlanif10] mac-authen permit mac-address 1111-1111-1111 mask 24
