S2700, S3700, S5700, S6700, S7700, and S9700 Series Switches Interoperation Configuration Guide (V200)
This document provides typical configuration examples for interoperation between Huawei switches and mainstream IP phones, firewalls, routers, Microsoft NLB servers, multi-NIC servers, Cisco switches, and SolarWinds.
Configuring Cisco ISE to Authenticate Common Access Users and ACS to Authenticate Switch Administrators
Applicable Product Models and Versions
This configuration example applies to all switches running V200R009C00 or a later version. The Cisco ISE (version 2.0.0.306) works as the RADIUS server and the Cisco ACS (version 5.2.0.26) works as the HWTACACS server. ISE 2.0 or later is recommended; the minimum ACS version is 5.1. The NAC mode of the Huawei switches is unified mode.
Introduction to Network Admission Control
Network Admission Control (NAC) implements authentication, authorization, and accounting (AAA) for device administrators and access users, ensuring device and network security. Access authentication devices and AAA servers communicate using RADIUS or HWTACACS. Both protocols use the client/server model for communication between the access authentication device and the AAA server. Table 4-1 lists the differences between HWTACACS and RADIUS.

| HWTACACS | RADIUS |
|---|---|
| Transmits data using TCP, which is more reliable. | Transmits data using UDP, which is more efficient. |
| Encrypts the entire packet except the standard HWTACACS header. | Encrypts only the password field in the authentication packet. |
| Separates authentication from authorization, so the two can be implemented on different security servers. For example, one HWTACACS server can perform authentication and another can perform authorization. | Combines authentication and authorization. |
| Supports command line authorization. The commands a user can run depend on the command level and on AAA: when a user enters a command, it is executed only after the HWTACACS server authorizes it. | Does not support command line authorization. The commands a user can run depend on the user level: a user can run only commands at the same level as or a lower level than the user level. |
| Suited to security control. | Suited to accounting. |

Compared with RADIUS, HWTACACS is more reliable in transmission, hides more of each packet, and is better suited to security control, so it is commonly used for AAA of device administrators. Note that the "encryption" of both protocols is keyed MD5 obfuscation rather than modern cryptography: RADIUS hides the User-Password attribute and HWTACACS hides the packet body by XORing them with an MD5 stream derived from the shared key. The protection of both therefore rests entirely on the shared key and on keeping the path between the switch and the servers off untrusted networks.
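As an added example (not part of the Huawei guide), the following Python shows what "encrypts only the password field" and "encrypts the entire packet except the header" mean on the wire: the RFC 2865 User-Password hiding that RADIUS applies, and the RFC 8907 body obfuscation that HWTACACS/TACACS+ applies, the latter carried on an authorization request of the kind a switch sends when command line authorization is configured. The shared key Huawei@2014 is taken from this guide's data plan; the password, user name, command, session ID and port/remote-address values are constructed for the example.

```python
# Added example, not from the Huawei guide: RADIUS User-Password hiding (RFC 2865)
# next to TACACS+ body obfuscation (RFC 8907). Both are keyed-MD5 XOR streams, so
# the shared key (Huawei@2014 in this guide) is all that protects either.
import hashlib
import os
import struct

SHARED_KEY = b"Huawei@2014"  # the shared key from the guide's data plan


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed by the
    16-byte Request Authenticator. Nothing else in the RADIUS packet is hidden."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def radius_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of the above: anyone holding the secret and the captured request recovers it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strips the padding (and any real trailing NUL bytes)


TAC_VERSION = 0xC0        # major version 0xC, minor version 0
TAC_TYPE_AUTHOR = 0x02    # TAC_PLUS_AUTHOR
TAC_FLAG_UNENCRYPTED = 0x01


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: pad_1 = MD5(session_id, key, version, seq_no),
    pad_n = MD5(session_id, key, version, seq_no, pad_n-1); the body is XORed with it."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_author_request(user: bytes, cmd: bytes, cmd_args: list, key: bytes,
                          session_id: int, priv_lvl: int = 0) -> tuple:
    """Authorization REQUEST (RFC 8907 section 6.1) of the kind a switch sends for
    command line authorization, e.g. cmd=display cmd-arg=version. Returns (header, body)
    with the body obfuscated; the 12-byte header is always cleartext."""
    attrs = [b"service=shell", b"cmd=" + cmd] + [b"cmd-arg=" + a for a in cmd_args]
    port, rem_addr = b"vty0", b"192.168.10.100"  # constructed session details
    # authen_method 6 = TACACSPLUS, authen_type 1 = ASCII, authen_service 1 = LOGIN
    body = struct.pack("!8B", 6, priv_lvl, 1, 1, len(user), len(port), len(rem_addr), len(attrs))
    body += bytes(len(a) for a in attrs) + user + port + rem_addr + b"".join(attrs)
    seq_no = 1  # client-to-server packets carry odd sequence numbers
    header = struct.pack("!BBBBII", TAC_VERSION, TAC_TYPE_AUTHOR, seq_no, 0, session_id, len(body))
    pad = tacacs_pseudo_pad(session_id, key, TAC_VERSION, seq_no, len(body))
    return header, bytes(a ^ b for a, b in zip(body, pad))


def tacacs_unobfuscate(header: bytes, body: bytes, key: bytes) -> bytes:
    """Recover a body from its cleartext header and the shared key."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", header)
    if len(body) != length:
        raise ValueError("header length does not match body")
    if flags & TAC_FLAG_UNENCRYPTED:  # body was sent as-is
        return body
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(a ^ b for a, b in zip(body, pad))


if __name__ == "__main__":
    authenticator = os.urandom(16)  # Request Authenticator of one Access-Request
    hidden = radius_hide_password(b"huawei@567", SHARED_KEY, authenticator)
    print("RADIUS: User-Name stays cleartext; User-Password on the wire:", hidden.hex())
    hdr, body = tacacs_author_request(b"admin", b"display", [b"version"], SHARED_KEY, 0x1A2B3C4D)
    print("TACACS+: whole body, user name and command included:", body.hex())
    print("Recovered with the key:", tacacs_unobfuscate(hdr, body, SHARED_KEY))
```

The point of running both side by side: in the RADIUS case the user name, NAS address and every other attribute remain readable to anyone on the path, and in both cases possession of the shared key turns the capture straight back into cleartext, which is why the shared key deserves the same handling as an administrator password.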
Networking Requirements
To meet service requirements, an enterprise needs to deploy an identity authentication system to implement authentication and authorization on common access users and switch administrators. Only authorized users can access the network, which ensures the device and network security. The enterprise has the following requirements:
- For administrators:
- The administrators log in to the switch using STelnet and are authenticated and authorized by the ACS.
- If the ACS is abnormal, the switch can directly perform authentication and authorization for the administrators.
- Different administrators have different levels.
- The ACS authorizes commands that can be run by administrators at a specified level to them.
- Commands executed on the switch by administrators must be recorded on the ACS, facilitating maintenance and tracking.
- For common access users:
- Install the 802.1X client on wired PCs, perform 802.1X authentication and MAC address authentication for the PCs, and set the 802.1X authentication mode to password authentication.
- Perform 802.1X authentication for IP phones and set the authentication mode to password authentication.
- Perform MAC address authentication for APs, IP phones that do not support 802.1X authentication, printers, and fax machines.
- Some users and IP phones move frequently. Configure the ISE to dynamically deliver data VLANs and voice VLANs to them respectively.
- Directly add fixed users and IP phones to VLANs configured on switch interfaces.
- If the ISE is abnormal, the switch can directly authorize users. When the ISE recovers, the ISE re-authenticates users.
- If a user fails to pass authentication, the switch can add the user to a specified VLAN and restrict network resources the user can access.
In this example, the aggregation switch is an S7712 and the access switch is an S5720EI.
Data Plan
| Interface | ID of the VLAN to Which the Interface Belongs | IP Address | Remarks |
|---|---|---|---|
| GE0/0/1 | 10 | 192.168.10.1/24 | The group pc_group1 belongs to this VLAN. |
| GE0/0/1 | 20 | 192.168.20.1/24 | The group IP_Phone1 belongs to this VLAN. |
| GE0/0/2 | 20 | 192.168.20.1/24 | The group IP_Phone2 belongs to this VLAN. |
| GE0/0/2 | 30 | 192.168.30.1/24 | The group pc_group2 belongs to this VLAN. |
| GE0/0/3 | 40 | 192.168.40.1/24 | - |
| GE0/0/4 | 10, 20, 30, 40 | 192.168.10.1/24, 192.168.20.1/24, 192.168.30.1/24, 192.168.40.1/24 | GE0/0/4 is an uplink interface on SwitchA and allows packets from all user VLANs to pass through. |
| - | 50 | - | Users who fail to pass authentication are added to this VLAN. This VLAN restricts the resources they can access. |
| LoopBack 0 | - | 192.168.50.1/32 | This IP address is the management IP address of SwitchA. SwitchA also uses this IP address to communicate with the servers. |
| User | Password | Group | ID of the VLAN to Which the User Belongs | Remarks |
|---|---|---|---|---|
| pc1 | huawei@123 | pc_group1 | 10 | The user belongs to a group of relatively fixed users and is directly added to a VLAN configured on the connected interface. |
| pc2 | huawei@234 | pc_group2 | 30 | The user belongs to a group of moving users. The ISE dynamically delivers a data VLAN to the user. |
| phone1 | huawei@345 | IP_Phone1 | 20 | The user belongs to a group of relatively fixed IP phones and is directly added to a VLAN configured on the connected interface. |
| phone2 | huawei@456 | IP_Phone2 | 20 | The user belongs to a group of moving IP phones. The ISE dynamically delivers a voice VLAN to the user. |
| User | Password | User Level |
|---|---|---|
| admin | huawei@567 | 0 |
| switch | huawei@789 | 1 |
| configure | huawei@890 | 2 |
| diagnose | huawei@901 | 15 |
| Item | Data |
|---|---|
| ISE | 192.168.100.1/24 |
| ACS | 192.168.100.2/24 |
| SwitchA | 192.168.50.1/32 |
| RADIUS and HWTACACS shared keys | Huawei@2014 |
Configuration Roadmap
Configuration roadmap for the ACS:

| Item | Description |
|---|---|
| Adding groups and users | - |
| Adding a switch | Set parameters for the switch connected to the ACS. |
| Creating an authorization profile | - |
| Configuring an authentication and authorization policy | Configure the conditions for users to pass authentication and specify the resources that users can access after authentication. |
Configuration roadmap for the ISE:

| Item | Description |
|---|---|
| Adding groups, terminals, and user information | - |
| Adding a switch | Set parameters for the switch connected to the ISE. |
| (Optional) Creating an authentication protocol profile | Specify the authentication protocols that users and terminals can use. If no authentication protocol profile is created, the default profile in Default Network Access of the ISE is used. |
| Creating an authentication policy | Configure the conditions for users and terminals to pass authentication. |
| Creating an authorization policy | Specify the resources that users and terminals can access after authentication. |
Configuration Precautions
- The RADIUS and HWTACACS shared keys configured on the switch must be the same as those configured on the servers.
- By default, the switch allows the packets sent to RADIUS and HWTACACS servers to pass through. You do not need to configure an authentication-free rule for the packets on the switch.
Configuration Procedure
- Configure SwitchA.
The aggregation switch configuration is not provided here. Configure the switches based on actual network planning.
- Configure the management IP address of SwitchA. SwitchA also uses this IP address to communicate with the ACS and ISE.

```
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface LoopBack 0
[SwitchA-LoopBack0] ip address 192.168.50.1 32
[SwitchA-LoopBack0] quit
```

- Configure SwitchA as the DHCP server to assign IP addresses to common access users.

```
[SwitchA] vlan batch 10 20 30 40 50
[SwitchA] lldp enable //Enable LLDP globally.
[SwitchA] dhcp enable //Enable DHCP globally.
[SwitchA] dhcp snooping enable //Enable DHCP snooping globally.
[SwitchA] interface Vlanif10
[SwitchA-Vlanif10] ip address 192.168.10.1 24 //Configure an IP address for VLANIF 10.
[SwitchA-Vlanif10] dhcp select interface //Enable the DHCP server function on VLANIF 10.
[SwitchA-Vlanif10] quit
[SwitchA] interface Vlanif20
[SwitchA-Vlanif20] ip address 192.168.20.1 24
[SwitchA-Vlanif20] dhcp select interface
[SwitchA-Vlanif20] quit
[SwitchA] interface Vlanif30
[SwitchA-Vlanif30] ip address 192.168.30.1 24
[SwitchA-Vlanif30] dhcp select interface
[SwitchA-Vlanif30] quit
[SwitchA] interface Vlanif40
[SwitchA-Vlanif40] ip address 192.168.40.1 24
[SwitchA-Vlanif40] dhcp select interface
[SwitchA-Vlanif40] quit
```

- Assign VLANs to interfaces and configure network connectivity.

```
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type hybrid
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] undo port hybrid vlan 1
[SwitchA-GigabitEthernet0/0/1] voice-vlan 20 enable //Configure VLAN 20 as a voice VLAN.
[SwitchA-GigabitEthernet0/0/1] port hybrid tagged vlan 20
[SwitchA-GigabitEthernet0/0/1] stp edged-port enable //Configure the interface as an edge interface.
[SwitchA-GigabitEthernet0/0/1] dhcp snooping enable //Enable DHCP snooping on the interface.
[SwitchA-GigabitEthernet0/0/1] poe legacy enable //Enable the PD compatibility check function on PoE-capable SwitchA so that SwitchA can provide power for non-standard PDs.
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type hybrid
[SwitchA-GigabitEthernet0/0/2] undo port hybrid vlan 1
[SwitchA-GigabitEthernet0/0/2] voice-vlan 20 enable
[SwitchA-GigabitEthernet0/0/2] stp edged-port enable
[SwitchA-GigabitEthernet0/0/2] dhcp snooping enable
[SwitchA-GigabitEthernet0/0/2] poe legacy enable
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type hybrid
[SwitchA-GigabitEthernet0/0/3] port hybrid pvid vlan 40
[SwitchA-GigabitEthernet0/0/3] port hybrid untagged vlan 40
[SwitchA-GigabitEthernet0/0/3] stp edged-port enable
[SwitchA-GigabitEthernet0/0/3] dhcp snooping enable
[SwitchA-GigabitEthernet0/0/3] poe legacy enable
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 10 20 30 40
[SwitchA-GigabitEthernet0/0/4] quit
[SwitchA] ip route-static 192.168.100.0 24 192.168.60.1 //Configure a static route from SwitchA to the server area. Assume that the next-hop address is 192.168.60.1.
```
- Configure local administrators.

# Configure the login mode and authentication mode of administrators.

```
[SwitchA] user-interface maximum-vty 3 //Set the maximum number of administrators who can remotely log in to the switch to 3.
[SwitchA] user-interface vty 0 2 //Enter the three administrator interface views.
[SwitchA-ui-vty0-2] authentication-mode aaa //Set the authentication mode of administrators to AAA.
[SwitchA-ui-vty0-2] protocol inbound ssh //Set the remote login protocol of administrators to SSH, that is, administrators must log in to the switch using STelnet.
[SwitchA-ui-vty0-2] quit
```

# Configure local SSH users. The user admin is used as an example. The configurations of other users are similar and are not provided here.

```
[SwitchA] stelnet server enable //Enable the STelnet service on the switch.
[SwitchA] ssh authentication-type default password //Set the default authentication mode of SSH users to password authentication.
[SwitchA] ssh user admin //Create a local SSH user admin.
[SwitchA] ssh user admin authentication-type password //Set the authentication mode of the user admin to password authentication.
[SwitchA] ssh user admin service-type stelnet //Set the login mode of the user admin to STelnet.
[SwitchA] aaa
[SwitchA-aaa] local-user admin password irreversible-cipher huawei@567 //Set the password of the local administrator admin to huawei@567. The switch can authenticate the local administrator admin when the ACS is abnormal.
[SwitchA-aaa] local-user admin privilege level 0 //Set the user level of the user admin to 0.
[SwitchA-aaa] local-user admin service-type ssh //Set the login protocol of the user admin to SSH.
[SwitchA-aaa] quit
```
- Configure parameters for communication between SwitchA and the ACS.

# Create the HWTACACS server template hw used in administrator authentication.

```
[SwitchA] hwtacacs-server template hw
[SwitchA-hwtacacs-hw] hwtacacs-server authentication 192.168.100.2 //Configure the ACS as the HWTACACS authentication server.
[SwitchA-hwtacacs-hw] hwtacacs-server authorization 192.168.100.2 //Configure the ACS as the HWTACACS authorization server.
[SwitchA-hwtacacs-hw] hwtacacs-server accounting 192.168.100.2 //Configure the ACS as the HWTACACS accounting server.
[SwitchA-hwtacacs-hw] hwtacacs-server shared-key cipher Huawei@2014 //Set the HWTACACS shared key for SwitchA to communicate with the ACS to Huawei@2014.
[SwitchA-hwtacacs-hw] undo hwtacacs-server user-name domain-included //Configure SwitchA to send the administrator user name to the ACS without the domain name.
[SwitchA-hwtacacs-hw] quit
```

# Create the authentication scheme hw.

```
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme hw
[SwitchA-aaa-authen-hw] authentication-mode hwtacacs local //Set the authentication mode to HWTACACS and configure local authentication as the backup authentication mode.
[SwitchA-aaa-authen-hw] quit
```

# Create the authorization scheme hw.

```
[SwitchA-aaa] authorization-scheme hw
[SwitchA-aaa-author-hw] authorization-mode hwtacacs local //Set the authorization mode to HWTACACS and configure local authorization as the backup authorization mode.
[SwitchA-aaa-author-hw] authorization-cmd 0 hwtacacs //Configure command line authorization for users at level 0 and set the authorization mode to HWTACACS. Repeat this command for each level that requires command authorization; commands entered by users at a level without it are executed without being sent to the ACS.
[SwitchA-aaa-author-hw] quit
```

# Create the accounting scheme hw.

```
[SwitchA-aaa] accounting-scheme hw
[SwitchA-aaa-accounting-hw] accounting-mode hwtacacs //Set the accounting mode to HWTACACS.
[SwitchA-aaa-accounting-hw] accounting start-fail online //Allow users to log in even if accounting-start fails. This favors availability over a complete ACS record; use accounting start-fail offline if a session must not proceed without accounting.
[SwitchA-aaa-accounting-hw] quit
```

# Create the recording scheme hw.

```
[SwitchA-aaa] recording-scheme hw
[SwitchA-aaa-recording-hw] recording-mode hwtacacs hw //Associate the HWTACACS server template hw with the recording scheme so that the switch can send recorded information to the ACS.
[SwitchA-aaa-recording-hw] quit
[SwitchA-aaa] cmd recording-scheme hw //Configure the switch to record commands executed by administrators.
```

# Create the administrator authentication domain hw.

```
[SwitchA-aaa] domain hw
[SwitchA-aaa-domain-hw] authentication-scheme hw //Specify the authentication scheme hw.
[SwitchA-aaa-domain-hw] accounting-scheme hw //Specify the accounting scheme hw.
[SwitchA-aaa-domain-hw] authorization-scheme hw //Specify the authorization scheme hw.
[SwitchA-aaa-domain-hw] hwtacacs-server hw //Specify the HWTACACS server template hw.
[SwitchA-aaa-domain-hw] quit
[SwitchA-aaa] quit
```
- Configure authentication for administrators.

```
[SwitchA] domain hw admin //Configure the domain hw as the default administrative authentication domain on the switch. All administrators are automatically authenticated in this domain after logging in to the switch.
```
- Configure parameters for communication between SwitchA and the ISE.

# Set the NAC mode to unified.

By default, the unified mode is enabled. If you change the NAC mode, you must save the configuration and restart the switch for the change to take effect.

```
[SwitchA] authentication unified-mode
```

# Create the RADIUS server template authentication.

```
[SwitchA] radius-server template authentication
[SwitchA-radius-authentication] radius-server authentication 192.168.100.1 1812 source ip-address 192.168.50.1 //Configure the ISE as the authentication server.
[SwitchA-radius-authentication] radius-server accounting 192.168.100.1 1813 source ip-address 192.168.50.1 //Configure the ISE as the accounting server.
[SwitchA-radius-authentication] radius-server shared-key cipher Huawei@2014 //Set the RADIUS shared key to Huawei@2014.
[SwitchA-radius-authentication] undo radius-server user-name domain-included //Configure the switch not to modify the original user name in the packets sent to the ISE.
[SwitchA-radius-authentication] calling-station-id mac-format hyphen-split mode2 uppercase //Set the format of the MAC address in the Calling-Station-Id attribute of RADIUS packets to XX-XX-XX-XX-XX-XX, in uppercase.
[SwitchA-radius-authentication] radius-attribute set Service-Type 10 auth-type mac //Set the RADIUS attribute Service-Type to 10 (Call-Check) for MAC address authentication, the value the ISE expects in MAC authentication requests.
[SwitchA-radius-authentication] quit
```

# Configure a RADIUS authorization server.

```
[SwitchA] radius-server authorization 192.168.100.1 shared-key cipher Huawei@2014 //Configure the ISE as the RADIUS authorization server, using the same shared key, so that SwitchA accepts dynamic authorization requests (such as forced log-off) from it.
```

# Create the authentication scheme auth.

```
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme auth
[SwitchA-aaa-authen-auth] authentication-mode radius //Set the authentication mode to RADIUS.
[SwitchA-aaa-authen-auth] quit
```

# Create the accounting scheme acco. You must set the accounting mode to RADIUS so that the RADIUS server can maintain the account status, such as login, log-off, and forced log-off.

```
[SwitchA-aaa] accounting-scheme acco
[SwitchA-aaa-accounting-acco] accounting-mode radius //Set the accounting mode to RADIUS.
[SwitchA-aaa-accounting-acco] accounting realtime 3 //Set the real-time accounting interval to 3 minutes.
[SwitchA-aaa-accounting-acco] quit
```

# Create the authentication domain domain.

```
[SwitchA-aaa] domain domain
[SwitchA-aaa-domain-domain] authentication-scheme auth //Specify the authentication scheme auth.
[SwitchA-aaa-domain-domain] accounting-scheme acco //Specify the accounting scheme acco.
[SwitchA-aaa-domain-domain] radius-server authentication //Specify the RADIUS server template authentication.
[SwitchA-aaa-domain-domain] quit
```

# Create service schemes for user authorization when the server is abnormal. These schemes are fail-open: while the ISE is unreachable, devices on the interfaces are placed into these VLANs without their credentials being checked, so the VLANs should expose only the resources you are willing to grant to an unauthenticated device.

```
[SwitchA-aaa] service-scheme down01 //Create the service scheme down01 for authorization of PCs and IP phones.
[SwitchA-aaa-service-down01] user-vlan 30 //Configure the switch to authorize VLAN 30 to PCs.
[SwitchA-aaa-service-down01] voice-vlan //Configure the switch to authorize voice VLANs to IP phones.
[SwitchA-aaa-service-down01] quit
[SwitchA-aaa] service-scheme down02 //Create the service scheme down02 for authorization of APs.
[SwitchA-aaa-service-down02] user-vlan 40 //Configure the switch to authorize VLAN 40 to APs.
[SwitchA-aaa-service-down02] quit
```

# Create the service scheme fail for authorization of users who fail to pass authentication.

```
[SwitchA-aaa] service-scheme fail
[SwitchA-aaa-service-fail] user-vlan 50 //Configure the switch to deliver VLAN 50 to users who fail to pass authentication, restricting the resources they can access.
[SwitchA-aaa-service-fail] quit
[SwitchA-aaa] quit
```
- Configure authentication for common access users.

# Create the 802.1X access profile dot1x.

By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.

```
[SwitchA] dot1x-access-profile name dot1x
[SwitchA-dot1x-access-profile-dot1x] dot1x reauthenticate //Configure periodic re-authentication for online 802.1X authentication users.
[SwitchA-dot1x-access-profile-dot1x] dot1x timer reauthenticate-period 120 //Set the re-authentication interval for online 802.1X authentication users to 120 seconds.
[SwitchA-dot1x-access-profile-dot1x] authentication event client-no-response action authorize vlan 50 //Configure the switch to add users to VLAN 50 when the 802.1X client does not respond.
[SwitchA-dot1x-access-profile-dot1x] quit
```

# Create the MAC access profile mac for dumb terminals such as IP phones and printers.

```
[SwitchA] mac-access-profile name mac
[SwitchA-mac-access-profile-mac] mac-authen reauthenticate //Configure periodic re-authentication for online MAC address authentication users.
[SwitchA-mac-access-profile-mac] mac-authen timer reauthenticate-period 120 //Set the re-authentication interval for online MAC address authentication users to 120 seconds.
[SwitchA-mac-access-profile-mac] quit
```

# Create the MAC access profile ap_mac for APs.

```
[SwitchA] mac-access-profile name ap_mac
[SwitchA-mac-access-profile-ap_mac] mac-authen username macaddress format without-hyphen //Set user names of APs to MAC addresses without hyphens for MAC address authentication.
[SwitchA-mac-access-profile-ap_mac] quit
```

# Configure the authentication profile dot1x&mac for PCs and IP phones.

```
[SwitchA] authentication-profile name dot1x&mac
[SwitchA-authen-profile-dot1x&mac] dot1x-access-profile dot1x //Specify the 802.1X access profile dot1x.
[SwitchA-authen-profile-dot1x&mac] mac-access-profile mac //Specify the MAC access profile mac.
[SwitchA-authen-profile-dot1x&mac] access-domain domain force //Configure the forcible authentication domain domain.
[SwitchA-authen-profile-dot1x&mac] authentication event authen-fail action authorize service-scheme fail //Configure the switch to add users who fail to pass authentication to VLAN 50.
[SwitchA-authen-profile-dot1x&mac] authentication event authen-server-down action authorize service-scheme down01 //Configure the switch to use the service scheme down01 to authorize PCs and IP phones when the ISE is Down.
[SwitchA-authen-profile-dot1x&mac] authentication event authen-server-up action re-authen //Configure the switch to re-authenticate users when the ISE recovers.
[SwitchA-authen-profile-dot1x&mac] authentication dot1x-mac-bypass //Configure MAC address bypass authentication.
[SwitchA-authen-profile-dot1x&mac] quit
```

# Configure the authentication profile ap_auth for APs.

```
[SwitchA] authentication-profile name ap_auth
[SwitchA-authen-profile-ap_auth] mac-access-profile ap_mac //Specify the MAC access profile ap_mac.
[SwitchA-authen-profile-ap_auth] access-domain domain force //Configure the forcible authentication domain domain.
[SwitchA-authen-profile-ap_auth] authentication event authen-fail action authorize service-scheme fail //Configure the switch to add users who fail to pass authentication to VLAN 50.
[SwitchA-authen-profile-ap_auth] authentication event authen-server-down action authorize service-scheme down02 //Configure the switch to use the service scheme down02 to authorize APs when the ISE is Down.
[SwitchA-authen-profile-ap_auth] authentication event authen-server-up action re-authen //Configure the switch to re-authenticate users when the ISE recovers.
[SwitchA-authen-profile-ap_auth] undo authentication handshake //Disable the handshake with pre-connection users and authorized users.
[SwitchA-authen-profile-ap_auth] authentication mode multi-share //Set the user access mode to multi-share on the switch interface connecting to APs.
[SwitchA-authen-profile-ap_auth] quit
```

If the AP packet forwarding mode is direct forwarding, you must set the user access authentication mode to multi-share on the switch interface connecting to APs.

# Bind the authentication profile dot1x&mac to GE0/0/1 and GE0/0/2, which enables 802.1X authentication with MAC address bypass on them, and bind the authentication profile ap_auth to GE0/0/3, which enables MAC address authentication.

```
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] authentication-profile dot1x&mac
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] authentication-profile dot1x&mac
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] authentication-profile ap_auth
[SwitchA-GigabitEthernet0/0/3] quit
```
- Configure the ACS.
- Log in to the ACS.
- Open Internet Explorer, enter the ACS access address in the address bar, and press Enter.
- Enter the ACS administrator user name and password to log in to the ACS.
- Configure switch administrators.
- In the navigation area on the left, choose Users and Identity Stores > Identity Groups. Click Create in the operation area on the right and create the administrator group admin. After completing the configuration, click Submit.
- In the navigation area on the left, choose Users and Identity Stores > Internal Identity Stores > Users. Click Create in the operation area on the right, create the administrator admin, and bind the administrator to the group admin. After completing the configuration, click Submit. In this example, admin is configured. The configurations of other users are similar, and are not provided here.
- Add the access authentication device SwitchA.
- In the navigation area on the left, choose Network Resources > Network Devices and AAA Clients. Click Create in the operation area on the right, add the access authentication device SwitchA, and configure parameters of SwitchA according to the following table. After completing the configuration, click Submit.
| Parameter | Value | Description |
|---|---|---|
| Access device name | SwitchA | - |
| IP address | 192.168.50.1 | - |
| TACACS+ shared secret | Huawei@2014 | The TACACS+ shared secret must be the same as the HWTACACS shared key configured on SwitchA. |
- Configure authorization profiles.
- In the navigation area on the left, choose Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles. Click Create in the operation area on the right, create Shell Profiles PRIVILEGE_LEVEL_0 and PRIVILEGE_LEVEL_15, and set the user level to 0 and 15 respectively. After completing the configuration, click Submit.
If the level specified in a Shell Profile is x and the Shell Profile is assigned to an administrator, the administrator can only run commands at level x and lower levels. Set a proper level for device administrators based on actual requirements.
- In the navigation area on the left, choose Policy Elements > Authorization and Permissions > Device Administration > Command Sets. Click Create in the operation area on the right, create Command Set PRIVILEGE_LEVEL_0, and add commands that can be run by the administrator admin. After completing the configuration, click Submit.
In the Command Set PRIVILEGE_LEVEL_0, users can run the display version, display device, display cpu-usage, and display memory-usage commands.
- Similarly, create Command Set All and select Permit any command that is not in the table below to allow the administrator diagnose to run all commands on the switch.
- Configure authentication and authorization policies.
- In the navigation area on the left, choose Access Policies > Access Services. Click Create in the operation area on the right, and create access service HWTACACS. After performing step 1, click Next to go to step 2, and configure authentication protocols for users. After completing the configuration, click Finish.
- In the displayed dialog box, click Yes to go to the Access Policies > Access Services > Service Selection Rules page. Choose Rule based result selection and click Create. In the displayed dialog box, create the access service rule HWTACACS, set Conditions to Protocol match Tacacs, and set Results to Service: HWTACACS. After completing the configuration, click OK. Move this access service rule to the top of the list so that it is matched first during authentication, and click Save Changes.
- In the navigation area on the left, choose Access Policies > Access Services > HWTACACS > Identity. Choose Rule based result selection in the operation area on the right and click Customize. Configure the filtering condition for user authentication. In this example, choose Device IP Address. After completing the configuration, click OK.
- Click Create, create the administrator authentication rule admin, set Conditions to Device IP Address = 192.168.50.1, and set Results to Identity Source: Users. After completing the configuration, click OK, and click Save Changes.
- In the navigation area on the left, choose Access Policies > Access Services > HWTACACS > Authorization. Click Customize and configure filtering conditions for user authorization. Under Customize Conditions, select Identity Group and System:UserName. Under Customize Results, select Shell Profiles and Command Sets. After completing the configuration, click OK, and click Save Changes.
- Click Create and create the authorization policy admin_policy for the administrator admin. Under Conditions, set Identity Group in All Groups:admin and System:UserName equals admin. Under Results, set Shell Profile: PRIVILEGE_LEVEL_0 and Command Sets: PRIVILEGE_LEVEL_0. Click OK and click Save Changes.
- Click Create and create the authorization policy diagnose_policy for the administrator diagnose. Under Conditions, set Identity Group in All Groups:admin and System:UserName equals diagnose. Under Results, set Shell Profile: PRIVILEGE_LEVEL_15 and Command Sets: All. Click OK and click Save Changes.
- Configure the ISE.
- Log in to the ISE.
- Open Internet Explorer, enter the ISE access address in the address bar, and press Enter.
- Enter the ISE administrator user name and password to log in to the ISE.
- Configure user groups, terminal lists, and user information. In this example, AP1, the group ap_group to which AP1 belongs, PC1, and the group pc_group1 to which PC1 belongs are configured. The configurations of other users and groups are similar, and are not provided here.
- Choose Administration > Identity Management > Groups. In the navigation area on the left, choose Endpoint Identity Groups. Click Add in the operation area on the right, and create the group ap_group to which AP1 belongs. After completing the configuration, click Submit.
- In the navigation area on the left, choose User Identity Groups. Click Add in the operation area on the right, and create the group pc_group1 to which PC1 belongs. After completing the configuration, click Submit.
- Choose Administration > Identity Management > Identities. In the navigation area on the left, choose EndPoints. Click Add in the operation area on the right. Add the terminal with the MAC address 3c-97-0e-bd-6a-65 and bind the terminal to the group ap_group. After completing the configuration, click Save.
- In the navigation area on the left, choose Users. Click Add in the operation area on the right. Create the user pc1, set the password to huawei@123, and bind the user to the group pc_group1. After completing the configuration, click Submit.
- Configure the access authentication device.
- In the top navigation area, choose Administration > Network Resources > Network Device Profiles, and click Add. Create the access device profile huawei, set Vendor to Other, and select RADIUS under Supported Protocols.
- Configure Authentication/Authorization and Permissions according to the following figures. After completing the configuration, click Submit.
- Choose Administration > Network Resources > Network Devices. Click Add in the operation area on the right, add the access device SwitchA, and configure parameters of SwitchA according to the following table. After completing the configuration, click Submit.
Parameter | Value | Description
---|---|---
Access device name | SwitchA | -
IP address | 192.168.50.1 | -
RADIUS shared key | Huawei@2014 | The RADIUS shared key must be the same as that configured on SwitchA.
- Configure authentication policies.
- In the top navigation area, choose Policy > Policy Elements > Conditions. In the navigation area on the left, choose Compound Conditions. Click Add in the operation area on the right, and create the 802.1X authentication filtering profile 802.1X. Click Create New Condition(Advance Option) to create a filtering rule. Set RADIUS:NAS-Port-Type to Ethernet, RADIUS:Service-Type to Framed, and RADIUS:NAS-IP-Address to 192.168.50.1. After completing the configuration, click Submit.
- Similarly, configure the MAC address authentication filtering profile MAC. Set RADIUS:NAS-Port-Type to Ethernet, RADIUS:Service-Type to Call Check, and RADIUS:NAS-IP-Address to 192.168.50.1. After completing the configuration, click Submit.
- In the top navigation area, choose Policy > Policy Elements > Results. In the navigation area on the left, choose Authentication > Allowed Protocols. Click Add in the operation area on the right, and create the protocol profile Authentication for user authentication. Select proper authentication protocols based on actual requirements. After completing the configuration, click Submit.
The ISE provides the default authentication protocol profile Default Network Access. If the profile meets actual requirements, you do not need to create a profile.
- In the top navigation area, choose Policy > Authentication, and click Rule-Based. Click the triangle next to the first authentication policy and choose Insert new row above.
- Create the 802.1X authentication policy 802.1x and MAC address authentication policy MAC respectively. Under Condition(s), click Select Existing Condition from Library, click Select Condition, and select the created 802.1X authentication filtering rule 802.1x and MAC address authentication filtering rule MAC from Compound Condition. Set Allowed Protocols to Authentication, click Done, and click Save.
- Configure authorization policies.
- In the top navigation area, choose Policy > Policy Elements > Results. In the navigation area on the left, choose Authorization > Authorization Profiles. Click Add in the operation area on the right, create the authorization result profile pc_group2 for users in the group pc_group2, and set the VLAN to VLAN 30. After completing the configuration, click Submit.
- Create the authorization result profile ipphone2 for users in the group IP_Phone2, and set the VLAN to voice VLAN 20. After completing the configuration, click Submit.
- In the top navigation area, choose Policy > Authorization. Click the triangle next to the first authentication policy and choose Insert New Rule Above. Create the authorization policy pc_group2 for the group pc_group2 and authorize VLAN 30 to users in the group pc_group2. Under Conditions, select the group pc_group2 from User Identity Groups. Under Permissions, select pc_group2 from Standard. Click Done and click Save.
- According to the preceding step, configure the authorization policy IP_Phone2 for the group IP_Phone2. Under Conditions, select the group IP_Phone2 from User Identity Groups. Under Permissions, select ipphone2 from Standard. Save the configuration.
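As an added illustration (not Huawei or Cisco code), the following Python models the authentication conditions and authorization rules configured in the preceding steps, fed with the RADIUS attributes SwitchA is configured to send in the configuration file below (Service-Type 10, Call Check, for MAC authentication; source address 192.168.50.1). The Calling-Station-Id layout taken for "hyphen-split mode2 uppercase" is an assumption, and the sample users and MACs are constructed.

```python
# Constructed model of the ISE policy built above; not ISE or switch code.
# RFC 2865 values: NAS-Port-Type 15 = Ethernet, Service-Type 2 = Framed,
# Service-Type 10 = Call Check. The switch line
# "radius-attribute set Service-Type 10 auth-type mac" is what lets the MAC
# condition match; "hyphen-split mode2 uppercase" is assumed here to mean
# XX-XX-XX-XX-XX-XX (an assumption; confirm against the switch CLI reference).
ETHERNET, FRAMED, CALL_CHECK = 15, 2, 10
NAS_IP = "192.168.50.1"  # SwitchA loopback, used as the RADIUS source address

# Compound conditions from Policy > Policy Elements > Conditions; first match wins.
CONDITIONS = {
    "802.1X": {"NAS-Port-Type": ETHERNET, "Service-Type": FRAMED, "NAS-IP-Address": NAS_IP},
    "MAC": {"NAS-Port-Type": ETHERNET, "Service-Type": CALL_CHECK, "NAS-IP-Address": NAS_IP},
}
# Authorization rules: identity group -> (authorization profile, VLAN).
AUTHORIZATION = {"pc_group2": ("pc_group2", 30), "IP_Phone2": ("ipphone2", 20)}


def calling_station_id(mac):
    """Format a MAC the way SwitchA is configured to send Calling-Station-Id."""
    digits = mac.replace("-", "").replace(":", "").upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def switch_request(auth_type, identity, mac, nas_ip=NAS_IP):
    """Access-Request attributes for a dot1x user or a MAC-authenticated endpoint."""
    return {"User-Name": identity, "NAS-Port-Type": ETHERNET,
            "Service-Type": FRAMED if auth_type == "dot1x" else CALL_CHECK,
            "NAS-IP-Address": nas_ip, "Calling-Station-Id": calling_station_id(mac)}


def match_authentication(request):
    """Name of the first compound condition whose checks all hold, else None."""
    for name, condition in CONDITIONS.items():
        if all(request.get(attr) == value for attr, value in condition.items()):
            return name
    return None


def evaluate(auth_type, identity, mac, group, nas_ip=NAS_IP):
    """Outcome for one session: authentication rule hit and authorized VLAN."""
    request = switch_request(auth_type, identity, mac, nas_ip)
    rule = match_authentication(request)
    if rule is None:  # neither custom rule matched (e.g. wrong NAS-IP-Address)
        return {"rule": None, "profile": None, "vlan": None}
    profile, vlan = AUTHORIZATION.get(group, (None, None))
    return {"rule": rule, "profile": profile, "vlan": vlan,
            "calling_station_id": request["Calling-Station-Id"]}


if __name__ == "__main__":
    print(evaluate("dot1x", "pc2", "00-11-22-33-44-55", "pc_group2"))
    print(evaluate("mac", "3c970ebd6a65", "3c:97:0e:bd:6a:65", "ap_group"))
```

A request sourced from any address other than the loopback matches neither condition, which is why the switch's `source ip-address 192.168.50.1` and the ISE NAS-IP-Address check must agree.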
Verification
Run the display access-user command on SwitchA. The command output displays detailed information about online users, including common access users and switch administrators.
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 30 40 50
#
authentication-profile name dot1x&mac
dot1x-access-profile dot1x
mac-access-profile mac
access-domain domain force
authentication event authen-fail action authorize service-scheme fail
authentication event authen-server-down action authorize service-scheme down01
authentication event authen-server-up action re-authen
authentication dot1x-mac-bypass
authentication-profile name ap_auth
mac-access-profile ap_mac
undo authentication handshake
authentication mode multi-share
access-domain domain force
authentication event authen-fail action authorize service-scheme fail
authentication event authen-server-down action authorize service-scheme down02
authentication event authen-server-up action re-authen
#
domain hw admin
#
lldp enable
#
dhcp enable
#
dhcp snooping enable
#
radius-server template authentication
radius-server shared-key cipher %^%#X:4qI:ZF^/hFx{B&3t+'nT;m@o.XZ<7m}BJW<Bj$%^%#
radius-server authentication 192.168.100.1 1812 source ip-address 192.168.50.1 weight 80
radius-server accounting 192.168.100.1 1813 source ip-address 192.168.50.1 weight 80
undo radius-server user-name domain-included
calling-station-id mac-format hyphen-split mode2 uppercase
radius-attribute set Service-Type 10 auth-type mac
radius-server authorization 192.168.100.1 shared-key cipher %^%#pzdO:3q'(HSX}o2.=%J3`)6;-.BI2Y}/OYFD{iu-%^%#
#
hwtacacs-server template hw
hwtacacs-server authentication 192.168.100.2
hwtacacs-server authorization 192.168.100.2
hwtacacs-server accounting 192.168.100.2
hwtacacs-server shared-key cipher %^%#xT<M7&Xr'VWRJJ%.-f_*zf1}FU|LmHCcbAXXf6}P%^%#
undo hwtacacs-server user-name domain-included
#
aaa
authentication-scheme hw
authentication-mode hwtacacs local
authentication-scheme auth
authentication-mode radius
authorization-scheme hw
authorization-mode hwtacacs local
authorization-cmd 0 hwtacacs
accounting-scheme hw
accounting-mode hwtacacs
accounting start-fail online
accounting-scheme acco
accounting-mode radius
accounting realtime 3
recording-scheme hw
recording-mode hwtacacs hw
cmd recording-scheme hw
service-scheme down01
user-vlan 30
voice-vlan
service-scheme down02
user-vlan 40
service-scheme fail
user-vlan 50
domain hw
authentication-scheme hw
accounting-scheme hw
authorization-scheme hw
radius-server default
hwtacacs-server hw
domain domain
authentication-scheme auth
accounting-scheme acco
radius-server authentication
local-user admin password irreversible-cipher %^%#-T4MG_wij3r]t(VVrv%:2<X7S\AsmIG:R}8#)eY&aS@A'}%9)gR!k1_Z,5:%^%#
local-user admin privilege level 0
local-user admin service-type ssh
#
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 192.168.30.1 255.255.255.0
dhcp select interface
#
interface Vlanif40
ip address 192.168.40.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type hybrid
voice-vlan 20 enable
port hybrid pvid vlan 10
undo port hybrid vlan 1
port hybrid tagged vlan 20
port hybrid untagged vlan 10
stp edged-port enable
authentication-profile dot1x&mac
poe legacy enable
dhcp snooping enable
#
interface GigabitEthernet0/0/2
port link-type hybrid
voice-vlan 20 enable
undo port hybrid vlan 1
stp edged-port enable
authentication-profile dot1x&mac
poe legacy enable
dhcp snooping enable
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid pvid vlan 40
port hybrid untagged vlan 40
stp edged-port enable
authentication-profile ap_auth
poe legacy enable
dhcp snooping enable
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 10 20 30 40
#
interface LoopBack0
ip address 192.168.50.1 255.255.255.255
#
ip route-static 192.168.100.0 255.255.255.0 192.168.60.1
#
stelnet server enable
ssh authentication-type default password
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type stelnet
#
user-interface maximum-vty 3
user-interface vty 0 2
authentication-mode aaa
#
dot1x-access-profile name dot1x
authentication event client-no-response action authorize vlan 50
dot1x timer reauthenticate-period 120
dot1x reauthenticate
#
mac-access-profile name mac
mac-authen reauthenticate
mac-authen timer reauthenticate-period 120
mac-access-profile name ap_mac
#
return