Configuring a MAC Access Profile

Context

After creating a MAC access profile, you need to configure it. You can select a proper authentication mode based on performance of the device and server, as well as security requirements. During MAC address authentication, you do not need to enter the user name and password. However, you need to configure the user name format and password for MAC address authentication on the device in advance.

Procedure

Run system-view
The system view is displayed.
Run mac-access-profile name access-profile-name
The MAC access profile view is displayed.
Run mac-authen authentication-method { chap | pap }
An authentication mode is configured for MAC address authentication users.

By default, the authentication mode of MAC address authentication users is PAP.
Run mac-authen username { fixed username [ password cipher password ] | macaddress [ format { with-hyphen [ normal ] [ colon ] | without-hyphen } [ uppercase ] [ password cipher password ] ] | dhcp-option option-code { circuit-id | remote-id } ^* [ separate separate ] [ format-hex ] password cipher password }
The user name format is configured for MAC address authentication.

By default, a MAC address without hyphens (-) or colons (:) is used as the user name and password for MAC address authentication.
- When configuring the user name format for MAC address authentication, ensure that the authentication server supports the user name format.
- If MAC address authentication is enabled on a VLANIF interface, on an Eth-Trunk, in a port group, or in a VAP profile, and MAC address authentication users use fixed user names, passwords must be configured. If MAC address authentication is enabled in a port group and MAC addresses are used as user names, passwords cannot be configured. If MAC address authentication is enabled on a VLANIF interface or in a VAP profile, user names for MAC address authentication cannot be set to specified DHCP option information.
(Optional) Configure the types of packets that can trigger MAC address authentication.
1. Run authentication trigger-condition { dhcp | arp | dhcpv6 | nd | any-l2-packet } ^*
  
  The types of packets that can trigger MAC address authentication are configured.
  
  By default, DHCP, DHCPv6, ND, and ARP packets can trigger MAC address authentication.
2. Run authentication trigger-condition dhcp dhcp-option option-code
  
  The device is configured to send DHCP option information to the authentication server after receiving DHCP packets that trigger MAC address authentication.
  
  By default, the device does not send DHCP option information to the authentication server after receiving DHCP packets that trigger MAC address authentication.
3. Run mac-authen offline dhcp-release
  
  The device is configured to clear user entries after receiving DHCP Release packets from MAC address authentication users.
  
  By default, the device does not clear user entries after receiving DHCP Release packets from MAC address authentication users.
(Optional) Run mac-authen permit mac-address mac-address mask { mask | mask-length }
The MAC address segment allowed by MAC address authentication is configured.

By default, no MAC address segment is configured for MAC address authentication.

Only MAC address authentication users who go online through VLANIF interfaces support this function.

A maximum of eight MAC address ranges are allowed for MAC address authentication on a VLANIF interface.
(Optional) Run mac-authen trigger dhcp-binding
The device is configured to automatically generate DHCP snooping binding entries after static IP users pass MAC address authentication or when the users are in pre-connection state.

By default, the device does not automatically generate DHCP snooping binding entries after static IP users pass MAC address authentication or when the users are in pre-connection state.