802.1X authentication and MAC address authentication can be configured on the same interface at the same time.
- If the end user first performs MAC address authentication and it succeeds, any 802.1X authentication that the same user then initiates is not processed. If the MAC address authentication fails, the 802.1X authentication initiated by the user is processed normally.
- If the end user initiates 802.1X authentication first, MAC address authentication is not performed for that user.
Configuration Condition
None
Enable MAC Address Authentication Function
MAC address authentication is also called client-free authentication. It suits terminals on which authentication client software cannot be installed, and end users who have no client installed, because it authenticates the user without any user name or password being entered.
MAC address authentication parameters configured on a port take effect only when MAC address authentication is enabled on that port; if it is not enabled, the configured parameters have no effect.
Table 12-14 Enable the MAC address authentication function

Step | Command | Description
--- | --- | ---
Enter global configuration mode | configure terminal | -
Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. Configuration made in L2 Ethernet interface mode takes effect only on that port; configuration made in aggregation group mode takes effect only on that aggregation group.
Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either (see the row above).
Enable the MAC address authentication function | dot1x mac-authentication { enable \| disable } | Mandatory. By default, MAC address authentication is disabled on the port.
- MAC address authentication and port security can be enabled on the same port, with one limitation: port security IP rules and MAX rules must not be configured on that port.
- Do not enable MAC address authentication and security channel authentication on the same port.
Configure MAC Address Authentication User Name Format
The user name and password used by MAC address authentication can take two forms: a fixed user name and password, or a user name and password derived from the MAC address.
Fixed user name and password: when the authentication device receives packets from an end user, it sends the configured user name and password to the authentication server for authentication, whatever the user's MAC address is.
MAC address user name and password: the authentication device uses the end user's MAC address as both the user name and the password. The MAC address can be formatted in two ways: with hyphens, such as 00-01-7a-00-00-01, or without hyphens, such as 00017a000001.
Table 12-15 Configure the MAC address authentication user name format

Step | Command | Description
--- | --- | ---
Enter global configuration mode | configure terminal | -
Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. Configuration made in L2 Ethernet interface mode takes effect only on that port; configuration made in aggregation group mode takes effect only on that aggregation group.
Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either (see the row above).
Configure the MAC address authentication user name format | dot1x mac-authentication user-name-format { fixed account account-value password password-value \| mac-address [ with-hyphen \| without-hyphen ] } | Mandatory. By default, MAC address authentication uses the MAC address with hyphens as both user name and password.
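The credential derivation described above, as an added example in Python (this is not the vendor's code; the function names, the dictionary that stands in for the port configuration, and the sample MAC are this example's own):

```python
"""Credentials a MAC-authentication port derives for an end user.

Added example (not the vendor's code). It models the two settings of
`dot1x mac-authentication user-name-format` described on this page:
  fixed account ... password ...            -> one configured account/password for every user
  mac-address [with-hyphen | without-hyphen] -> the client MAC is both user name and password
Function and dictionary-key names are this example's own choices.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00-01-7A-00-00-01, 00:01:7a:00:00:01, 0001.7a00.0001 or
    00017a000001 and return the 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def format_mac(mac: str, with_hyphen: bool = True) -> str:
    """Render a MAC in the page's two user-name shapes:
    with_hyphen=True  -> 00-01-7a-00-00-01 (the default)
    with_hyphen=False -> 00017a000001"""
    digits = normalize_mac(mac)
    if not with_hyphen:
        return digits
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_auth_credentials(client_mac: str, fmt: dict) -> tuple:
    """Return the (user name, password) pair the port sends to the AAA server.

    `fmt` is a constructed stand-in for the port configuration:
      {"mode": "fixed", "account": ..., "password": ...}
      {"mode": "mac-address", "with_hyphen": True|False}   (default: with hyphen)
    """
    mode = fmt.get("mode", "mac-address")
    if mode == "fixed":
        # Every end user on the port is presented to the server as this one account.
        return fmt["account"], fmt["password"]
    if mode == "mac-address":
        name = format_mac(client_mac, fmt.get("with_hyphen", True))
        return name, name          # MAC-format mode uses the MAC as both fields
    raise ValueError(f"unknown user-name-format mode {mode!r}")


if __name__ == "__main__":
    # Constructed sample: the source MAC of the first frame seen from a client.
    learned = "00:01:7A:00:00:01"
    for cfg in ({"mode": "mac-address"},
                {"mode": "mac-address", "with_hyphen": False},
                {"mode": "fixed", "account": "printer-port", "password": "s3cret"}):
        print(cfg, "->", mac_auth_credentials(learned, cfg))
```

Two points follow from this derivation. In MAC-address mode the password is the user name, and the source MAC of a frame is trivially forged, so accounts created on the AAA server for MAC authentication should be usable only for that service and never reused for 802.1X or device login. In fixed mode all end users on the port share one account, so the server cannot distinguish them; authorization is then effectively per port, not per user.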
Configure Domain Name Delimiter
The authentication device can manage users by domain. If the authentication user name carries a domain name, the device authenticates, authorizes and accounts the user with the servers in the AAA server group bound to that domain. If the user name carries no domain name, the system's default authentication server is used. The device must therefore parse the user name and domain name correctly; this is decisive for providing the authentication service to the user. Different clients use different delimiters between user name and domain name, so to manage and control access for users with different name formats, the supported domain name delimiter must be specified on the authentication device.
Currently, the supported domain name delimiters are @, / and \.
When the delimiter is @, the authentication user name has the form username@domain.
When the delimiter is /, the authentication user name has the form username/domain.
When the delimiter is \, the authentication user name has the form domain\username.
Here username is the pure user name and domain is the domain name. If the user name contains the delimiter more than once, the authentication device treats only the first occurrence as the delimiter; the remaining characters, including any further delimiters, are taken as part of the domain name.
Table 12-16 Configure the domain name delimiter

Step | Command | Description
--- | --- | ---
Enter global configuration mode | configure terminal | -
Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. Configuration made in L2 Ethernet interface mode takes effect only on that port; configuration made in aggregation group mode takes effect only on that aggregation group.
Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either (see the row above).
Configure the domain name delimiter | dot1x domain-delimiter domain-delimiter-type | Mandatory. By default, the domain name delimiter on the port is @.
- When authenticating with a user name that carries a domain name, the corresponding authentication server group must be configured on the authentication device.
Configure Authentication User Name Format
Authentication user names have the form username@domain (shown here with the default delimiter @), the domain name following the domain name delimiter. By parsing the domain name, the authentication device decides which authentication server group authenticates the user. Older authentication servers cannot accept a user name that carries a domain name, so the authentication device must strip the domain name and send only the pure user name to the server. Whether the user name sent to the authentication server carries the domain name is selected by configuring the authentication user name format.
Currently, the supported domain name delimiters are @, \ and /.
Table 12-17 Configure the authentication user name format

Step | Command | Description
--- | --- | ---
Enter global configuration mode | configure terminal | -
Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. Configuration made in L2 Ethernet interface mode takes effect only on that port; configuration made in aggregation group mode takes effect only on that aggregation group.
Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either (see the row above).
Configure the format of the authentication user name | dot1x user-name-format { with-domain \| without-domain } | Mandatory. By default, the authentication user name is sent to the authentication server with the domain name.
- A port configured to send the authentication user name to the authentication server without the domain name does not support certificate authentication.
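The domain-delimiter parsing rules (Table 12-16) and the with-domain/without-domain delivery rule (Table 12-17) together, as an added example in Python. This is not the vendor's code: the function names, the server-group table and the default-server name are this example's own, and its handling of a repeated \ delimiter (first occurrence splits, remainder is the user name) is an assumption, since the page states the first-occurrence rule explicitly only for the trailing-domain forms.

```python
"""Domain-name parsing and user-name delivery on an authentication port.

Added example (not the vendor's code). It implements the rules on this page for
`dot1x domain-delimiter` (@, / or \\; only the first delimiter counts) and
`dot1x user-name-format { with-domain | without-domain }`, plus the routing rule:
a name carrying a domain goes to that domain's AAA server group, a name without
one goes to the system default server. Names such as select_server_group and the
sample server-group table are this example's own.
"""
from typing import Optional

DELIMITERS = ("@", "/", "\\")
DEFAULT_SERVER = "default-authentication-server"   # constructed name for the system default


def split_domain(name: str, delimiter: str) -> tuple:
    """Split an authentication user name into (username, domain).

    '@' and '/' read as username<delim>domain; '\\' reads as domain\\username.
    Only the FIRST occurrence of the delimiter is honoured: for '@' and '/'
    everything after it, further delimiters included, is the domain.
    Assumption for '\\': the same first-occurrence rule applies, so
    corp\\a\\b yields domain corp and user name a\\b.
    Returns domain None when the delimiter is absent.
    """
    if delimiter not in DELIMITERS:
        raise ValueError(f"unsupported domain delimiter {delimiter!r}")
    if delimiter not in name:
        return name, None
    left, right = name.split(delimiter, 1)
    if delimiter == "\\":
        return right, left
    return left, right


def select_server_group(name: str, delimiter: str, groups: dict) -> str:
    """Pick the AAA server (group) that authenticates this user."""
    _, domain = split_domain(name, delimiter)
    if domain is None:
        return DEFAULT_SERVER
    if domain not in groups:
        # The page requires a server group for every domain used; surface the
        # misconfiguration instead of silently falling back to the default.
        raise LookupError(f"no AAA server group configured for domain {domain!r}")
    return groups[domain]


def name_sent_to_server(name: str, delimiter: str, with_domain: bool = True) -> str:
    """User name as delivered to the server: unchanged for with-domain (the
    default), pure user name for without-domain (servers that reject domains)."""
    if with_domain:
        return name
    return split_domain(name, delimiter)[0]


if __name__ == "__main__":
    # Constructed server-group table: domain -> AAA server group name.
    groups = {"corp.example": "radius-corp", "guest": "radius-guest"}
    for name, delim in (("alice@corp.example", "@"), ("bob/guest", "/"),
                        ("corp.example\\carol", "\\"), ("dave", "@"),
                        ("CORP\\erin", "@")):          # delimiter mismatch: no domain found
        user, domain = split_domain(name, delim)
        try:
            target = select_server_group(name, delim, groups)
        except LookupError as exc:
            target = f"ERROR: {exc}"
        print(f"{name:22s} delim={delim!r:5s} user={user!r:22s} domain={domain!r:16s} -> {target}")
        print(f"{'':22s} sent without-domain as {name_sent_to_server(name, delim, False)!r}")
```

The last sample row is the check worth running on a real deployment: a client that sends CORP\erin to a port whose delimiter is @ yields no domain at all, so the whole string becomes the user name and the request is routed to the default server rather than rejected. Users of one domain unexpectedly appearing on the default server is the usual symptom of a delimiter mismatch between client and port.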
Configure Interacting Mode of Authentication Packet
In practice, most clients support both unicast and multicast exchange of authentication packets with the authentication device once authentication has been initiated, but some authentication clients recognize only multicast authentication packets, that is, packets whose destination MAC address is 0180.C200.0003. For such clients, configure the multicast authentication interacting mode on the port.
For most authentication clients, once the authentication device has received the first EAP packet returned by the server, the subsequent exchange between the client and the authentication server follows the identifier carried in the server's packets. Only a few authentication clients require the identifier generated by the authentication device. For these, configure the port to match the identifier in EAP authentication packets.
Table 12-18 Configure the interacting mode of the authentication packet

Step | Command | Description
--- | --- | ---
Enter global configuration mode | configure terminal | -
Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. Configuration made in L2 Ethernet interface mode takes effect only on that port; configuration made in aggregation group mode takes effect only on that aggregation group.
Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either (see the row above).
Configure the authentication interacting mode | dot1x auth-mac { multicast \| unicast } | Mandatory. By default, the port uses the unicast authentication packet interacting mode.
Match the identifier in EAP authentication packets | dot1x identifier { match \| ignore } | Optional. By default, the identifier in EAP authentication packets is not matched.
- Only a few clients need the identifier in the exchanged authentication packets to be matched. Unless there is a clear requirement, avoid configuring this function.
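The two port settings above, as an added example in Python that builds the EAP-Request/Identity frame a port sends in unicast and in multicast mode and then checks a client's EAP-Response against the outstanding request identifier. This is not the vendor's code: the frame layout follows IEEE 802.1X and RFC 3748, but the function names and the MAC addresses are constructed for the example, and modelling `dot1x identifier match` as "the Response identifier must equal the Request identifier" is an assumption about the page's wording.

```python
"""EAPOL authentication frames in unicast vs multicast mode, and EAP identifier matching.

Added example (not the vendor's code). It builds the EAP-Request/Identity frame an
authenticator port sends under `dot1x auth-mac { unicast | multicast }` (the
multicast form is addressed to 01-80-C2-00-00-03, as on this page) and models
`dot1x identifier { match | ignore }` as: with `match`, a client's EAP-Response is
accepted only if its Identifier equals the outstanding Request's (the RFC 3748
rule); with `ignore`, the Identifier is not checked. Function names and the MACs
are this example's own; the exact `match` semantics are an assumption.
"""
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")    # 802.1X PAE group address
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 2                                 # 802.1X-2004
EAPOL_TYPE_EAP_PACKET = 0
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1


def eap_packet(code: int, identifier: int, eap_type: int, data: bytes = b"") -> bytes:
    """EAP header (Code, Identifier, Length) followed by Type and Type-Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data


def eapol_frame(src_mac: bytes, dst_mac: bytes, eap: bytes) -> bytes:
    """Ethernet II frame carrying an EAPOL EAP-Packet."""
    eapol = struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def request_identity(port_mac: bytes, client_mac: bytes, identifier: int,
                     auth_mac: str = "unicast") -> bytes:
    """The Request/Identity the port sends to a client, addressed per the port mode."""
    if auth_mac not in ("unicast", "multicast"):
        raise ValueError(f"unknown auth-mac mode {auth_mac!r}")
    dst = client_mac if auth_mac == "unicast" else PAE_GROUP_ADDR
    return eapol_frame(port_mac, dst, eap_packet(EAP_REQUEST, identifier, EAP_TYPE_IDENTITY))


def parse_eap(frame: bytes) -> tuple:
    """Return (destination MAC, EAP code, EAP identifier, type-data) from an EAPOL frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _ver, ptype, plen = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("not an EAP-Packet")
    body = frame[18:18 + plen]
    code, identifier, length = struct.unpack("!BBH", body[:4])
    return frame[:6], code, identifier, body[5:length]


def accept_response(frame: bytes, outstanding_identifier: int, mode: str = "ignore") -> bool:
    """Decide whether the port processes a client's EAP-Response.
    mode="match"  -> the Response Identifier must equal the outstanding Request's
    mode="ignore" -> the Identifier is not checked (the page's default)"""
    _dst, code, ident, _data = parse_eap(frame)
    if code != EAP_RESPONSE:
        return False
    return mode == "ignore" or ident == outstanding_identifier


if __name__ == "__main__":
    port = bytes.fromhex("0011223344aa")      # constructed authenticator MAC
    client = bytes.fromhex("00017a000001")    # constructed supplicant MAC
    for auth_mac in ("unicast", "multicast"):
        dst = parse_eap(request_identity(port, client, 7, auth_mac))[0]
        print(f"{auth_mac:9s} Request/Identity sent to {dst.hex('-')}")
    # Constructed client reply that carries a stale identifier (3 instead of 7).
    stale = eapol_frame(client, port, eap_packet(EAP_RESPONSE, 3, EAP_TYPE_IDENTITY, b"alice"))
    print("ignore:", accept_response(stale, 7, "ignore"), " match:", accept_response(stale, 7, "match"))
```

Running the block shows why the page steers you away from `match` unless a client demands it: the same stale reply is accepted under `ignore` and dropped under `match`, so enabling matching on a port whose clients answer with an identifier the device did not generate turns every one of their authentications into a silent failure.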