mac-authen

Function

The mac-authen command enables MAC address authentication globally or on an interface.

The undo mac-authen command disables MAC address authentication globally or on an interface.

By default, MAC address authentication is disabled globally and on an interface.

Only S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S6720-LI, S6720S-LI, S6720S-SI, S6720-SI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI support configuration of MAC address authentication on VLANIF interfaces.

Format

In the system view:

mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

undo mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

In the interface view:

mac-authen

undo mac-authen

Parameters

| Parameter | Description | Value |
|---|---|---|
| interface { interface-type interface-number1 [ to interface-number2 ] } | Specifies the interface type and number. interface-type specifies the interface type; interface-number specifies the interface number. | - |

Views

System view, VLANIF interface view, Ethernet interface view, GE interface view, MultiGE interface view, XGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

MAC address authentication controls network access rights of a user based on the user's access interface and MAC address. During MAC address authentication, the user name and password are the user's MAC address. MAC address authentication is applicable to the scenario where MAC addresses are unchanged and high security is not required, and is used to authenticate terminals such as printers where the authentication client cannot be installed.

If you run the mac-authen command in the system view without any interfaces specified, MAC address authentication is enabled globally. The configurations of MAC address authentication take effect only after global MAC address authentication is enabled. MAC address bypass authentication is not controlled by this command.

To enable MAC address authentication on an interface, you can perform either of the following operations:
  • Run the mac-authen command in the interface view.
  • Run the mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> command in the system view.

Precautions

  • Before running the undo mac-authen command, ensure that there is no online MAC address authentication user; otherwise, you cannot run this command. Online MAC address authentication users do not include online users using MAC address bypass authentication.

  • After MAC address authentication is enabled on a VLANIF interface, guest VLAN, critical VLAN, and dynamic VLAN authorization do not take effect for MAC address authentication users on that VLANIF interface.
  • Before enabling MAC address authentication on the VLANIF interface, ensure that the strict ARP entry learning function is disabled using the undo arp learning strict command. If the function is enabled, the users cannot go online.
  • After the static MAC address entry is configured using the mac-address static mac-address interface-type interface-number vlan vlan-id command, the user corresponding to the entry cannot pass MAC address authentication.
  • If MAC address authentication is enabled on an interface, the following commands cannot be used on the same interface. If the following commands are configured on an interface, MAC address authentication cannot be enabled on the same interface.

    | Command | Function |
    |---|---|
    | mac-limit | Sets the maximum number of MAC addresses that can be learned by an interface. |
    | mac-address learning disable | Disables MAC address learning on an interface. |
    | port link-type dot1q-tunnel | Sets the link type of an interface to QinQ. |
    | port vlan-mapping vlan map-vlan, port vlan-mapping vlan inner-vlan | Configures VLAN mapping on an interface. |
    | port vlan-stacking | Configures selective QinQ. |
    | mac-vlan enable | Enables MAC address-based VLAN assignment on an interface. |
    | ip-subnet-vlan enable | Enables IP subnet-based VLAN assignment on an interface. |
    | user-bind ip sticky-mac | Enables the device to generate snooping MAC entries. |
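
The precautions above can be checked mechanically before a planned configuration is applied. The following Python check is an added example, not part of the Huawei documentation; it assumes a configuration text in which "interface <name>" starts at column 0 and the interface's commands are indented, and its sample configuration is constructed.

```python
# Added example: lint a planned VRP-style configuration against the mac-authen
# precautions. The layout handled here is an assumption, see lint_mac_authen().
CONFLICTS = (  # commands the page lists as mutually exclusive with mac-authen
    "mac-limit", "mac-address learning disable", "port link-type dot1q-tunnel",
    "port vlan-mapping vlan", "port vlan-stacking", "mac-vlan enable",
    "ip-subnet-vlan enable", "user-bind ip sticky-mac",
)

def lint_mac_authen(config):
    """Return (interface, finding) pairs for interfaces that enable mac-authen."""
    system, blocks, current = [], {}, ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if raw[0].isspace():            # indented: belongs to the open block
            blocks.setdefault(current, []).append(line)
        else:                           # column 0: system-view line or block header
            current = line
            system.append(line)
    findings = []
    for header, cmds in blocks.items():
        if not header.lower().startswith("interface ") or "mac-authen" not in cmds:
            continue
        name = header.split(None, 1)[1]
        if "mac-authen" not in system:
            findings.append((name, "global mac-authen is not enabled"))
        for cmd in cmds:
            for conflict in CONFLICTS:
                if cmd.startswith(conflict):
                    findings.append((name, "conflicts with " + conflict))
        if name.lower().startswith("vlanif") and "arp learning strict" in system:
            findings.append((name, "strict ARP entry learning is enabled"))
    return findings

# Constructed sample, not taken from a real device.
SAMPLE = """\
mac-authen
arp learning strict
interface Vlanif10
 mac-authen
interface GigabitEthernet0/0/1
 mac-authen
 mac-limit maximum 10
interface GigabitEthernet0/0/2
 port link-type access
 mac-authen
"""

if __name__ == "__main__":
    for name, finding in lint_mac_authen(SAMPLE):
        print(name + ": " + finding)
```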

Example

# Enable global MAC address authentication.

<HUAWEI> system-view
[HUAWEI] mac-authen

# Enable MAC address authentication on GE0/0/1 in the system view.

<HUAWEI> system-view
[HUAWEI] mac-authen
[HUAWEI] mac-authen interface gigabitethernet 0/0/1

# Enable MAC address authentication on GE0/0/1 in the interface view.

<HUAWEI> system-view
[HUAWEI] mac-authen
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] mac-authen
Copyright © Huawei Technologies Co., Ltd.