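Comware Switch MAC Authentication Configuration
Scenario:
1. MAC authentication passed: access to the intranet
2. MAC authentication failed: placed in VLAN 100, Internet access only
Key concepts!!!
Authentication is done through RADIUS. For MAC authentication, the format of the authentication password can be configured: uppercase/lowercase, with or without "-", and so on.
This example uses MAC authentication.
After successful authentication, the host can access the entire network!!
If authentication fails, the host is placed in the guest network segment.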
<HP_SW_8_212>dis cur
#
version 5.20, Release 1513P07
#
sysname HP_SW_8_212
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
#
domain default enable system
#
telnet server enable
#
lldp compliance cdp
# Enable MAC authentication
mac-authentication
mac-authentication timer quiet 3600
#
password-recovery enable
# Enable the ACL: the guest segment can only access specific VLANs
acl number 3000 name internet_only
rule 0 deny ip source 10.100.0.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 5 permit ip
#
vlan 1
#
vlan 8
#
vlan 100
#
vlan 4000
# Define a RADIUS scheme called rad (the name can be chosen freely)
radius scheme rad
primary authentication 192.168.8.9 key cipher $c$3$+01kIKnlIpoCaXAN+TGSli42mTNnZ48SyA==
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
# Define the domain used for MAC authentication
domain tungpei.com.tw
authentication lan-access radius-scheme rad
authorization lan-access radius-scheme rad
authentication portal radius-scheme rad
authorization portal radius-scheme rad
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
local-user admin
password cipher $c$3$kbBWHFjNSXzhjjwOJ3PbIB9+aJp1l2Sc9aoA
authorization-attribute level 3
service-type telnet terminal
#
stp enable
#
cwmp
undo cwmp enable
#
interface NULL0
#
interface Vlan-interface8
ip address 192.168.8.212 255.255.252.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 100 untagged
port hybrid pvid vlan 100
mac-vlan enable
stp edged-port enable
mac-authentication
mac-authentication guest-vlan 100
mac-authentication domain tungpei.com.tw
#
ip route-static 0.0.0.0 0.0.0.0 192.168.8.252
#
load tr069-configuration
#
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
user-interface vty 5 15
#
return
<HP_SW_8_212>
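
The following is an added example, not part of the original configuration or of any HP/H3C tool: a small Python check that evaluates ACL 3000 exactly as written above (wildcard masks, rules matched in ascending rule ID) against a few flows, to confirm what "internet only" actually covers. Assumptions: the guest VLAN uses 10.100.0.0/24 as the ACL source implies, the ACL is applied to guest traffic (the dump does not show where), and the sample flows are constructed.

```python
import ipaddress
import re

# ACL 3000 rules copied from the configuration above.
ACL_3000 = """\
rule 0 deny ip source 10.100.0.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 5 permit ip
"""

RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+source\s+(?P<src>\S+)\s+(?P<swc>\S+))?"
    r"(?:\s+destination\s+(?P<dst>\S+)\s+(?P<dwc>\S+))?\s*$"
)

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _matches(addr, base, wildcard):
    """Wildcard-mask match: bits set to 1 in the wildcard are ignored."""
    if base is None:  # no source/destination clause means "any"
        return True
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def parse_acl(text):
    """Return rules sorted by rule ID (assumes the default 'config' match order)."""
    found = (RULE_RE.match(line.strip()) for line in text.splitlines())
    return sorted((m.groupdict() for m in found if m), key=lambda r: int(r["id"]))

def evaluate(rules, src, dst):
    """First matching rule decides; returns (action, rule_id)."""
    for r in rules:
        if _matches(src, r["src"], r["swc"]) and _matches(dst, r["dst"], r["dwc"]):
            return r["action"], int(r["id"])
    return "no-match", None

# Constructed sample flows; only 192.168.8.9 (the RADIUS server) is from the config.
FLOWS = {
    "guest -> RADIUS server (intranet)": ("10.100.0.25", "192.168.8.9"),
    "guest -> public address": ("10.100.0.25", "203.0.113.10"),
    "guest -> other RFC 1918 range": ("10.100.0.25", "10.20.30.40"),
    "source outside 10.100.0.0/24 -> intranet": ("10.100.1.25", "192.168.8.9"),
}

if __name__ == "__main__":
    rules = parse_acl(ACL_3000)
    for name, (src, dst) in FLOWS.items():
        print(f"{name:42s} {evaluate(rules, src, dst)}")
```

Only the first flow hits the deny rule. The ACL blocks 192.168.0.0/16 from 10.100.0.0/24 and nothing else, so any other internal range, or a guest address outside that /24, needs its own deny rule before rule 5.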