Example for Configuring MAC Address Authentication
Networking Requirements
As shown in Figure 4-18, Router functions as a fat AP to provide wireless Internet access service and as a DHCP server to allocate IP addresses to STAs.
MAC address authentication controls a user's network access permission based on the user's access interface and MAC address. The user does not need to install any client software. When the device detects a user's MAC address for the first time, it starts authenticating the user; during authentication, the user does not need to enter a user name or password. The administrator wants to use MAC address authentication to control STA access.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure a MAC access profile and an authentication profile, and enable MAC authentication on an interface.
- Configure MAC address authentication using the RADIUS scheme.
- Create a domain used during MAC address authentication, and apply the RADIUS scheme as the AAA authentication scheme to the domain.
- Configure basic attributes for the AP, including the country code and DHCP server address, so that the AP can assign IP addresses to STAs.
- Configure a WMM profile and a radio profile on the AP and bind the radio profile to a radio interface so that STAs can communicate with the AP.
- Configure a WLAN-BSS interface so that radio packets can be sent to the WLAN service module after reaching the AP. Set the interface authentication mode to MAC address authentication and bind the AAA domain.
- Configure a security profile and set WPA-PSK authentication and CCMP encryption in the security policy.
- Configure a traffic profile and a service set on the AP, and bind the security profile, traffic profile, and WLAN-BSS interface to the service set to ensure access security and QoS for STAs.
- Configure a VAP and deliver VAP parameters so that STAs can access the WLAN.
The router cannot function as a wireless MAC address authentication server, and a dedicated RADIUS server needs to be deployed to implement MAC address authentication. In addition, the router and the RADIUS server must be routable to each other.
Ensure that the RADIUS server IP address, port number, and shared key are correct.
Ensure that the user name and password configured on the RADIUS server are lower-case letters.
Procedure
- Configure the RADIUS scheme.
# Configure the RADIUS server template huawei: set the IP address and port number of the RADIUS authentication and accounting servers, set the shared key huawei that Router uses to exchange packets with the RADIUS authentication and accounting servers, and configure Router to send user names to the RADIUS server without the domain name, so that STAs can be authenticated regardless of the domain name.
<Huawei> system-view
[Huawei] radius-server template huawei
[Huawei-radius-huawei] radius-server authentication 10.137.146.163 1812
[Huawei-radius-huawei] radius-server accounting 10.137.146.163 1813
[Huawei-radius-huawei] radius-server shared-key cipher huawei
[Huawei-radius-huawei] undo radius-server user-name domain-included
[Huawei-radius-huawei] quit
# Configure the MAC access profile m1.
<Huawei> system-view
[Huawei] mac-access-profile name m1
[Huawei-mac-access-profile-m1] quit
# Configure the authentication profile p1 and bind the MAC access profile m1 to it.
<Huawei> system-view
[Huawei] authentication-profile name p1
[Huawei-authen-profile-p1] mac-access-profile m1
[Huawei-authen-profile-p1] quit
- Configure a domain.
# Configure an authentication scheme named huawei and use the RADIUS authentication mode.
[Huawei] aaa
[Huawei-aaa] authentication-scheme huawei
[Huawei-aaa-authen-huawei] authentication-mode radius
[Huawei-aaa-authen-huawei] quit
# Configure an accounting scheme named huawei and use the RADIUS accounting mode.
[Huawei-aaa] accounting-scheme huawei
[Huawei-aaa-accounting-huawei] accounting-mode radius
[Huawei-aaa-accounting-huawei] quit
# Create a domain named huawei and apply the authentication scheme huawei, accounting scheme huawei, and RADIUS template huawei to the domain huawei.
[Huawei-aaa] domain huawei
Info: Success to create a new domain.
[Huawei-aaa-domain-huawei] authentication-scheme huawei
[Huawei-aaa-domain-huawei] accounting-scheme huawei
[Huawei-aaa-domain-huawei] radius-server huawei
[Huawei-aaa-domain-huawei] quit
[Huawei-aaa] quit
- Configure basic AP attributes.
# Configure the country code for the AP.
[Huawei] wlan global country-code cn
# Create a VLANIF interface, assign an IP address to it for Layer 3 packet forwarding, and enable the DHCP server function on the VLANIF interface. In this example, an address pool is configured on VLANIF 100 to assign IP addresses to STAs.
[Huawei] dhcp enable
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 10.10.10.1 24
[Huawei-Vlanif100] dhcp select interface
[Huawei-Vlanif100] quit
- Configure radios for APs.
# Create a WMM profile named wmm-1 and retain the default parameter settings.
[Huawei] wlan
[Huawei-wlan-view] wmm-profile name wmm-1 id 1
[Huawei-wlan-wmm-prof-wmm-1] quit
# Create a radio profile named radio-1 and bind the WMM profile wmm-1 to it.
[Huawei-wlan-view] radio-profile name radio-1
[Huawei-wlan-radio-prof-radio-1] wmm-profile name wmm-1
[Huawei-wlan-radio-prof-radio-1] quit
[Huawei-wlan-view] quit
# Bind the radio profile radio-1 to a radio interface.
[Huawei] interface wlan-radio 0/0/0
[Huawei-Wlan-Radio0/0/0] radio-profile name radio-1
[Huawei-Wlan-Radio0/0/0] quit
- Configure service sets for APs.
# Configure the user VLAN on the WLAN-BSS interface and bind the authentication profile p1 to the interface, which enables MAC authentication on it.
[Huawei] interface wlan-bss 1
[Huawei-Wlan-Bss1] port hybrid tagged vlan 100
[Huawei-Wlan-Bss1] authentication-profile p1
[Huawei-Wlan-Bss1] quit
# Configure a security profile named security-1, apply the WPA security policy to it, and set the authentication mode to PSK and the encryption mode to CCMP.
[Huawei] wlan
[Huawei-wlan-view] security-profile name security-1 id 1
[Huawei-wlan-sec-prof-security-1] security-policy wpa
[Huawei-wlan-sec-prof-security-1] wpa authentication-method psk pass-phrase cipher huawei@123 encryption-method ccmp
[Huawei-wlan-sec-prof-security-1] quit
# Create a traffic profile named traffic-1 and retain the default parameter settings.
[Huawei-wlan-view] traffic-profile name traffic-1 id 1
[Huawei-wlan-traffic-prof-traffic-1] quit
# Create a service set and bind the traffic profile, security profile, and WLAN-BSS interface to the service set.
[Huawei-wlan-view] service-set name huawei-1 id 1
[Huawei-wlan-service-set-huawei-1] ssid huawei
[Huawei-wlan-service-set-huawei-1] traffic-profile name traffic-1
[Huawei-wlan-service-set-huawei-1] security-profile name security-1
[Huawei-wlan-service-set-huawei-1] wlan-bss 1
[Huawei-wlan-service-set-huawei-1] quit
[Huawei-wlan-view] quit
- Configure a VAP.
# Bind the service set huawei-1 to a radio interface.
[Huawei] interface wlan-radio 0/0/0
[Huawei-Wlan-Radio0/0/0] service-set name huawei-1
[Huawei-Wlan-Radio0/0/0] quit
- Verify the configurations.
# If the MAC address of the network adapter on a STA is not configured on the RADIUS server, the MAC address authentication fails and the STA cannot access the Internet.
# When the MAC address of the network adapter on a STA is the same as the user name configured on the RADIUS server, the MAC address authentication succeeds and the STA can access Internet resources.
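The RADIUS scheme step and the verification above are modelled in the following Python, an added example that is not Huawei code: it builds the Access-Request the router would send for a STA (User-Name and User-Password both carrying the MAC-derived name, the password hidden per RFC 2865 with the shared key huawei from this example) and applies the server-side decision against a constructed lower-case user table. The user-name format (lower-case hex without separators) and the '@domain' suffix that the domain-included setting would add are assumptions; the cases show the unknown-MAC rejection, the effect of a wrong shared key or an upper-case server entry, and why the domain name is stripped.

```python
import hashlib
import secrets
import struct
# RFC 2865 packet code and attribute types used by a MAC-authentication Access-Request
ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2
SECRET = b"huawei"                        # shared key from the configuration example
USERS = {"aabbccddeeff": "aabbccddeeff"}  # constructed RADIUS user table: lower-case MAC as name and password

def _password_chain(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous cipher block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hiding else data[i:i + 16]  # the cipher block feeds the next MD5
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _password_chain(padded, secret, authenticator, hiding=True)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _password_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def mac_user_name(mac: str, domain: str = "") -> str:
    """User name derived from a STA MAC. Assumption: lower-case hex without separators; the
    '@domain' suffix is what 'radius-server user-name domain-included' would add (undone above)."""
    name = mac.replace(":", "").replace("-", "").lower()
    return f"{name}@{domain}" if domain else name

def build_access_request(ident: int, user: str, secret: bytes) -> bytes:
    """MAC authentication: User-Name and User-Password both carry the MAC-derived name."""
    authenticator = secrets.token_bytes(16)  # Request Authenticator, fresh per request
    attrs = b""
    for attr_type, value in ((USER_NAME, user.encode()),
                             (USER_PASSWORD, hide_password(user.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def server_decision(packet: bytes, secret: bytes, users: dict) -> bool:
    """Server side: parse attributes, reveal the password, compare with the user table (a wrong key rejects)."""
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    name = attrs[USER_NAME].decode("utf-8", "replace")
    password = reveal_password(attrs[USER_PASSWORD], secret, authenticator).decode("utf-8", "replace")
    return users.get(name) == password
```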
Configuration Files
- Configuration file of the Router
#
vlan batch 100
#
dhcp enable
#
authentication-profile name p1
 mac-access-profile m1
#
radius-server template huawei
 radius-server shared-key cipher %^%#9T`|L}K(4#J3k=+I8SiJrsM:RO[iy@Uuc:LTQJ,1%^%#
 radius-server authentication 10.137.146.163 1812 weight 80
 radius-server accounting 10.137.146.163 1813 weight 80
 undo radius-server user-name domain-included
#
aaa
 authentication-scheme huawei
  authentication-mode radius
 accounting-scheme huawei
  accounting-mode radius
 domain huawei
  authentication-scheme huawei
  accounting-scheme huawei
  radius-server huawei
#
interface Vlanif100
 ip address 10.10.10.1 255.255.255.0
 dhcp select interface
#
interface Wlan-Bss1
 port hybrid tagged vlan 100
 authentication-profile p1
 permit-domain name huawei
 force-domain name huawei
#
mac-access-profile name m1
#
wlan
 wmm-profile name wmmf id 0
 wmm-profile name wmm-1 id 1
 traffic-profile name traf id 0
 traffic-profile name traffic-1 id 1
 security-profile name secf id 0
 security-profile name security-1 id 1
  security-policy wpa
  wpa authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# encryption-method ccmp
 service-set name huawei-1 id 1
  Wlan-Bss 1
  ssid huawei
  traffic-profile id 1
  security-profile id 1
 radio-profile name radiof id 0
  wmm-profile id 0
 radio-profile name radio-1 id 1
  wmm-profile id 1
#
interface Wlan-Radio0/0/0
 radio-profile id 1
 service-set id 1 wlan 1
#
return