The mac-authen domain command configures an authentication domain for MAC address authentication users.
The undo mac-authen domain command restores the global default authentication domain for MAC address authentication users.
The default authentication domain for MAC address authentication users is the global default domain.
Only S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S6720-LI, S6720S-LI, S6720S-SI, S6720-SI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI support configuration of MAC address authentication on VLANIF interfaces.
In the system view:
mac-authen domain isp-name [ mac-address mac-address mask mask ]
undo mac-authen domain [ isp-name [ mac-address mac-address ] | [ mac-address { mac-address | all } ] ]
In the interface view:
mac-authen domain isp-name
undo mac-authen domain
Parameter | Description | Value |
---|---|---|
isp-name | Specifies the ISP domain name. | The value is a string of 1 to 64 case-insensitive characters without any space, asterisk (*), question mark (?), quotation mark ("), hyphen (-) or consecutive hyphens (--). |
mac-address mac-address | Specifies an authentication domain for the MAC address authentication user with a specified MAC address. | The value is in H-H-H format. H contains 1 to 4 hexadecimal digits. |
mask mask | Specifies the mask of a MAC address. | The value is in H-H-H format. H contains 1 to 4 hexadecimal digits. |
all | Restores the global default domain for all MAC address authentication users. | - |
System view, VLANIF interface view, Ethernet interface view, GE interface view, MultiGE interface view, XGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view
Usage Scenario
When user names for MAC address authentication do not contain domain names, the device authenticates users using the default domain if no authentication domain is configured on the device or interface. The authentication scheme is not flexible because all users are authenticated in the default domain. The mac-authen domain command specifies the authentication domains for MAC address authentication users. Different interfaces can be located in different authentication domains. This command can specify the authentication domains for the specified MAC addresses. Therefore, this command allows users with different authentication requirements to adopt various authentication schemes.
If the user name contains a domain name (configured using mac-authen username), the user is authenticated in this domain.
The specified user names and domain names must be the same as those configured in the AAA view.
The authentication schemes in the domains are configured in the AAA view.
Prerequisites
The domain to be configured as an authentication domain has been created using the domain (AAA view) command.
MAC address authentication has been enabled globally and on an interface using the mac-authen command.
Precautions
If authentication domains are configured in both the system view and interface view, the domain configured in the interface view takes effect. If no authentication domain is configured in the interface view, the domain configured in the system view takes effect.
You must specify a unicast MAC address in the mac-authen domain command. A user with an all-0 MAC address is not authenticated.
The configured authentication domain is applied to the MAC addresses calculated with the mask. Therefore, the undo mac-authen domain command will delete the authentication domain of the calculated MAC addresses. Before running the undo mac-authen domain command, run the display this command to view the calculated MAC addresses.
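The mask calculation described above, as an added example (not Huawei's code): it parses H-H-H values, computes the address an entry applies to, and lists which known user MAC addresses removing that entry would affect. It assumes the device applies the mask as a bitwise AND; the function names and sample addresses are constructed for illustration.

```python
import re

_H = re.compile(r"[0-9A-Fa-f]{1,4}")

def parse_hhh(text):
    """Parse H-H-H notation (each H is 1 to 4 hex digits) into a 48-bit int."""
    groups = text.split("-")
    if len(groups) != 3 or not all(_H.fullmatch(g) for g in groups):
        raise ValueError(f"not in H-H-H format: {text!r}")
    value = 0
    for g in groups:
        value = (value << 16) | int(g, 16)  # short groups are zero-padded on the left
    return value

def format_hhh(value):
    """Render a 48-bit int as three zero-padded 4-digit hex groups."""
    return "-".join(f"{(value >> s) & 0xFFFF:04x}" for s in (32, 16, 0))

def is_unicast(value):
    # The I/G bit (lowest bit of the first octet) is 0 for unicast addresses.
    return ((value >> 40) & 1) == 0

def calculated_mac(mac, mask):
    """Masked address the entry applies to (assumption: bitwise AND of mac and mask)."""
    m = parse_hhh(mac)
    if m == 0 or not is_unicast(m):
        raise ValueError(f"{mac} is not a usable unicast MAC address")
    return format_hhh(m & parse_hhh(mask))

def affected_users(users, mac, mask):
    """User MACs covered by the entry, i.e. those an undo of it would affect."""
    k = parse_hhh(mask)
    target = parse_hhh(mac) & k
    hits = []
    for u in users:
        v = parse_hhh(u)
        if v != 0 and (v & k) == target:  # all-0 MAC users are never authenticated
            hits.append(u)
    return hits

# Constructed sample values, not taken from a real device.
USERS = ["00e0-fc12-0001", "e0-fc99-abcd", "0025-9e00-0001", "0-0-0"]

if __name__ == "__main__":
    print(calculated_mac("00e0-fc12-3456", "ffff-ff00-0000"))
    print(affected_users(USERS, "00e0-fc12-3456", "ffff-ff00-0000"))
```

A short mask covers far more addresses than the single MAC typed in the command, which is why the output of display this should be compared against the calculated address before an entry is removed.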
On a network configured with both 802.1X authentication and MAC address bypass authentication, a user who fails 802.1X authentication is then authenticated using MAC address bypass authentication. If the authentication scheme used for MAC address bypass authentication is none authentication, the user goes online successfully without being authenticated. To prevent users from going online unauthenticated in this way, use the mac-authen domain command to specify different domains for the two authentication methods.
# Configure the cams domain as the authentication domain for MAC address authentication users in the system view.
<HUAWEI> system-view
[HUAWEI] mac-authen domain cams
# Configure the cams domain as the authentication domain for MAC address authentication users in the interface view.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] mac-authen domain cams