WeOSMAC authentication using accept list HowTo
Introduction
This document describes a setup of MAC authentication using a local MAC accept list to authorise MAC addresses. For an overview of all available configuration settings for Port Access refer to the configuration section in the Port Access Guide.
Overview
For an overview of all available configuration settings for Port Access Control, refer to the configuration section in the Port Access Control Guide.
Below is the topology of the devices in this setup.
|
.--.-.
( ( )__
(_, \ ) ,_)
'-'--`--'
| GW 10.0.2.1
| VLAN 2
| 10.0.2.0/24
| 10.0.2.2
Authenticator .--+------+------+------+--.
(Switch/Router) | 5 6 7 8 |
with Accept-List| WeOS |
10.0.1.1 | 1 2 3 4 |
'--+------+------+------+--'
X X X X <== Controlled Ports
| VLAN 1 (All Blocked by
| 10.0.1.0/24 Authenticator)
.--+-.
| H1 | (Host/Supplicant)
'----' IP 10.0.1.43/24
GW 10.0.1.1
Figure 1: A basic setup of port access control using MAC Authentication. Ports eth1-eth4 are controlled. Here ports eth1-eth7 are on VLAN 1 and eth8 is on VLAN 2, but they could be on the same VLAN.
Configuration
First VLANs and IP addresses of the WeOS router is configured, see Figure 1 above. It is assumed that all ports are assigned (untagged) to VLAN 1 from start. For more information, see VLAN configuration.
example:/#> config example:/config/#> vlan 2 example:/config/vlan-2/#> untagged eth8 example:/config/vlan-2/#> end example:/config/#> iface vlan1 example:/config/iface-vlan1/#> no inet example:/config/iface-vlan1/#> inet static 10.0.1.1/24 example:/config/iface-vlan1/inet-static-10.0.1.1/#> end example:/config/iface-vlan1/#> end example:/config/#> iface vlan2 example:/config/iface-vlan2/#> inet static 10.0.2.2/24 example:/config/iface-vlan2/inet-static-10.0.2.2/#> end example:/config/iface-vlan2/#> end example:/config/#> ip example:/config/ip/#> route default 10.0.2.1 example:/config/ip/#> leave example:/#>
A MAC authentication list configured. This is done in the AAA context.
example:/#> config example:/config/#> aaa example:/config/aaa/#> mac-auth 1 example:/config/aaa/mac-auth-1/#> mac match 00:80:c8:3c:25:b8 description "My PC" example:/config/aaa/mac-auth-1/#> leave example:/config/#> leave example:/#>
See MAC match Settings for more information on how to configure a MAC authentication list.
With a MAC authentication list created, enabling MAC Authentication on ports eth1-eth4 can be done as follows.
example:/#> config example:/config/#> port-access example:/config/port-access/#> port eth1..eth4 example:/config/port-access/#> description "Site A" example:/config/port-access/#> mac-authentication example:/config/port-access/mac-auth/#> accept-list 1 example:/config/port-access/mac-auth/#> leave example:/#>
Status
Port access status can be shown by issuing show port-access in the admin context.
example:/#> show port-access PORT ACCESS Status : Enabled Description : Site A Ports : eth1..eth4 802.1X Not configured. MAC AUTHENTICATION Status : Enabled Authentication server : 1 (Site A) Accept list : Not set AUTHENTICATED MAC METHOD PORT 00:80:c8:3c:25:b8 accept-list eth1 RECENT EVENTS (AUTH.LOG) Nov 22 18:40:21 example macd[2200]: Auth successful for 00:80:c8:3c:25:b8 on eth1 example:/#>