This section provides an example for configuring dumb terminal access based on a MAC address.
Dumb terminals are printers and access control devices on a campus network. Generally, these devices do not proactively apply to the BRAS for IP addresses. Dumb terminals access the Internet in static user mode and are authenticated based on MAC addresses.
On the network shown in Figure 1, the printer accesses the router through Interface 1.
The configuration roadmap is as follows:
1. Configure an authentication scheme, with local authentication specified.
2. Configure an address pool, with the IP address 172.30.0.8 reserved for the printer.
3. Configure an authentication domain named printer.
4. Configure a BAS interface, with the user access type set to Layer 2 subscriber access and the default authentication domain set to printer.
5. Configure a static user.
To complete the configuration, you need the following data:
- Authentication scheme name and authentication mode
- Address pool name, gateway address, and DNS server address
- Domain name
- BAS interface parameters
<HUAWEI> system-view
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme local
[*HUAWEI-aaa-authen-local] authentication-mode local
[*HUAWEI-aaa-authen-local] commit
[~HUAWEI-aaa-authen-local] quit

[~HUAWEI-aaa] default-user-name include ip-address .
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] default-password cipher Root@123
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit

[~HUAWEI] local-aaa-server
[*HUAWEI-local-aaa-server] user 172.30.0.8@printer password cipher Root@123 authentication-type b
[*HUAWEI-local-aaa-server] commit
[~HUAWEI-local-aaa-server] quit

[~HUAWEI] ip pool pool1 bas local
[*HUAWEI-ip-pool-pool1] gateway 172.30.0.1 255.255.255.0
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] section 0 172.30.0.2 172.30.0.200
[~HUAWEI-ip-pool-pool1] excluded-ip-address 172.30.0.8
[~HUAWEI-ip-pool-pool1] quit

[~HUAWEI] aaa
[~HUAWEI-aaa] domain printer
[*HUAWEI-aaa-domain-printer] authentication-scheme local
[*HUAWEI-aaa-domain-printer] accounting-scheme default0
[*HUAWEI-aaa-domain-printer] commit
[~HUAWEI-aaa-domain-printer] ip-pool pool1
[*HUAWEI-aaa-domain-printer] commit
[~HUAWEI-aaa-domain-printer] quit
[~HUAWEI-aaa] quit

[~HUAWEI] interface GigabitEthernet 0/1/2
[~HUAWEI-GigabitEthernet0/1/2] bas
[~HUAWEI-GigabitEthernet0/1/2-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet0/1/2-bas] default-domain authentication printer
[*HUAWEI-GigabitEthernet0/1/2-bas] authentication-method bind
[*HUAWEI-GigabitEthernet0/1/2-bas] ip-trigger
[*HUAWEI-GigabitEthernet0/1/2-bas] arp-trigger
[*HUAWEI-GigabitEthernet0/1/2-bas] commit
[~HUAWEI-GigabitEthernet0/1/2-bas] quit
[~HUAWEI-GigabitEthernet0/1/2] quit
In this example, binding authentication is configured. A username and password for authentication are automatically generated. The automatically generated username and password must be the same as those configured locally. The username and password configured using the default-user-name and default-password commands in the AAA view are used as the automatically generated username and password. For details, see Configuration Files.
[~HUAWEI] static-user 172.30.0.8 gateway 172.30.0.1 interface GigabitEthernet 0/1/2 mac-address 00e0-fc12-3456 domain-name printer detect
[~HUAWEI] static-user detect interval 1
[*HUAWEI] commit
After completing the preceding configurations, run the display access-user domain command to view online user information in the domain printer. The command output shows that the user goes online successfully.
[~HUAWEI] display access-user domain printer
  ------------------------------------------------------------------------------
  UserID  Username            Interface  IP address  MAC             IPv6 address
  ------------------------------------------------------------------------------
  20      172.30.0.8@printer  GE0/1/2    172.30.0.8  00e0-fc12-3456  -
  ------------------------------------------------------------------------------
  Total users : 1
#
sysname HUAWEI
#
ip pool pool1 bas local
 gateway 172.30.0.1 255.255.255.0
 section 0 172.30.0.2 172.30.0.200
 excluded-ip-address 172.30.0.8
#
aaa
 default-password cipher %^%#4*RHO=w*}.d\>j09'Z:%=:co~p\w9'G-^|-zR'N4%^%#
 default-user-name include ip-address .
 #
 authentication-scheme local
  authentication-mode local
 #
 domain printer
  authentication-scheme local
  accounting-scheme default0
  ip-pool pool1
#
interface GigabitEthernet0/1/2
 bas
 #
  access-type layer2-subscriber default-domain authentication printer
  authentication-method bind
  ip-trigger
  arp-trigger
 #
#
static-user 172.30.0.8 172.30.0.8 gateway 172.30.0.1 interface GigabitEthernet0/1/2 mac-address 00e0-fc12-3456 domain-name printer detect
#
static-user detect interval 1
#
local-aaa-server
 user 172.30.0.8@printer password cipher %^%#4*RHO=w*}.d\>j09'Z:%=:co~p\w9'G-^|-zR'N4%^%# authentication-type B block fail-times 3 interval 5
#
return
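
Binding authentication only succeeds when the generated username matches a local-aaa-server user, and the printer's address stays reserved only while it is excluded from the pool section. The following Python check of a saved configuration file is an added example, not Huawei code; it assumes the generated name is the static user's IP address followed by @domain, as in the display output above, and the function names audit and expand are hypothetical.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of this page's configuration file,
# with the cipher text replaced by a placeholder.
SAMPLE = """\
ip pool pool1 bas local
 gateway 172.30.0.1 255.255.255.0
 section 0 172.30.0.2 172.30.0.200
 excluded-ip-address 172.30.0.8
#
static-user 172.30.0.8 172.30.0.8 gateway 172.30.0.1 interface GigabitEthernet0/1/2 mac-address 00e0-fc12-3456 domain-name printer detect
#
local-aaa-server
 user 172.30.0.8@printer password cipher <ciphertext> authentication-type B block fail-times 3 interval 5
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
STATIC = re.compile(
    rf"^static-user {IP}(?: {IP})? gateway .*?mac-address (\S+) domain-name (\S+)", re.M)

def expand(start, end=None):
    """All addresses from start to end inclusive (end defaults to start)."""
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in (start, end or start))
    return {str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)}

def audit(config):
    """Return findings for static users; an empty list means consistent."""
    users = set(re.findall(r"^\s*user (\S+) password", config, re.M))
    pooled, excluded = set(), set()
    for s, e in re.findall(rf"^\s*section \d+ {IP} {IP}", config, re.M):
        pooled |= expand(s, e)
    for s, e in re.findall(rf"^\s*excluded-ip-address {IP}(?: {IP})?", config, re.M):
        excluded |= expand(s, e)
    findings, seen_macs = [], set()
    for start, end, mac, domain in STATIC.findall(config):
        if mac.lower() in seen_macs:
            findings.append(f"{mac}: MAC address bound to more than one static user")
        seen_macs.add(mac.lower())
        for ip in sorted(expand(start, end)):
            if f"{ip}@{domain}" not in users:
                findings.append(f"{ip}@{domain}: no local-aaa-server user for generated name")
            if ip in pooled and ip not in excluded:
                findings.append(f"{ip}: inside a pool section but not excluded")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE) or ["consistent"]:
        print(line)
```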