No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S12700 Series Agile Switches Typical Configuration Examples

This document provides examples for configuring features in typical usage scenarios.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring 802.1X Authentication to Control User Access

Example for Configuring 802.1X Authentication to Control User Access

802.1X Authentication Overview

802.1X is a port-based network access control protocol and 802.1X authentication is one of NAC authentication modes. 802.1X authentication ensures security of enterprise intranets.

802.1X authentication ensures high security; however, it requires that 802.1X client software be installed on user terminals, resulting in inflexible network deployment. Another two NAC authentication methods have their advantages and disadvantages: MAC address authentication does not require client software installation, but MAC addresses must be registered on an authentication server. Portal authentication also does not require client software installation and provides flexible deployment, but it has low security.

As a result, 802.1X authentication is applied to scenarios with new networks, centralized user distribution, and strict information security requirements.

Configuration Notes

This configuration example applies to all switches running all versions.

Networking Requirements

As shown in Figure 14-45, the terminals in an office are connected to the company's internal network through the Switch. Unauthorized access to the internal network can damage the company's service system and cause leakage of key informatio. Therefore, the administrator requires that the Switch should control the users' network access rights to ensure internal network security.

Figure 14-45  Configuring 802.1X authentication to control user access

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create and configure a RADIUS server template, an AAA scheme, and an authentication domain. Bind the RADIUS server template and AAA scheme to the authentication domain so that the Switch can authenticate access users through the RADIUS server.
  2. Enable 802.1X authentication to control network access rights of the employees in the office.
  3. Configure the user access mode to multi-authen and set the maximum number of access users to 100, so the device can control the network access rights of each user independently.
NOTE:

Before configuring this example, ensure that devices can communicate with each other in the network.

In this example, the LAN switch exists between the access switch Switch and users. To ensure that users can pass 802.1x authentication, you must configure the EAP packet transparent transmission function on the LAN switch.
  • Method 1: The S5700LI is used as an example of the LAN switch. Perform the following operations:
    1. Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 command in the system view of the LAN switch to configure the LAN switch to transparently transmit EAP packets.
    2. Run the l2protocol-tunnel user-defined-protocol 802.1x enable command on the interface connecting to users and the interface connecting to the access switch to enable the Layer 2 protocol transparent transmission function.
  • Method 2: This method is recommended when a large number of users exist or high network performance is required.
    1. Run the following commands in the system view:
      • undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
      • bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
      • bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
      • bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
      • bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
    2. (This step is mandatory when you switch from method 1 to method 2.) Run the undo l2protocol-tunnel user-defined-protocol 802.1x enable command in the interface view to delete the configuration of transparent transmission of 802.1x protocol packets.

Procedure

  1. Create VLANs and configure the VLANs allowed by the interface to ensure network communication.

    # Create VLAN 10 and VLAN 20.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 10 20

    # On the Switch, configure the interface GE1/0/1 connected to users as an access interface and add the interface to VLAN 10.

    [Switch] interface gigabitethernet1/0/1
    [Switch-GigabitEthernet1/0/1] port link-type access
    [Switch-GigabitEthernet1/0/1] port default vlan 10 
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] interface vlanif 10
    [Switch-Vlanif10] ip address 192.168.1.10 24
    [Switch-Vlanif10] quit
    NOTE:

    Configure the interface type and VLANs based on the site requirements. In this example, users are added to VLAN 10.

    # On the Switch, configure the interface GE1/0/2 connected to the RADIUS server as an access interface and add the interface to VLAN 20.

    [Switch] interface gigabitethernet1/0/2
    [Switch-GigabitEthernet1/0/2] port link-type access
    [Switch-GigabitEthernet1/0/2] port default vlan 20
    [Switch-GigabitEthernet1/0/2] quit

  2. Create and configure a RADIUS server template, an AAA scheme, and an authentication domain.

    # Create and configure the RADIUS server template rd1.

    [Switch] radius-server template rd1
    [Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
    [Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
    [Switch-radius-rd1] quit

    # Create an AAA authentication scheme abc and configure the authentication mode to RADIUS.

    [Switch] aaa
    [Switch-aaa] authentication-scheme abc
    [Switch-aaa-authen-abc] authentication-mode radius
    [Switch-aaa-authen-abc] quit

    # Create an authentication domain isp1, and bind the AAA scheme abc and RADIUS server template rd1 to the domain isp1.

    [Switch-aaa] domain isp1
    [Switch-aaa-domain-isp1] authentication-scheme abc
    [Switch-aaa-domain-isp1] radius-server rd1
    [Switch-aaa-domain-isp1] quit
    [Switch-aaa] quit

    # Configure isp1 as the global default domain. During access authentication, enter a user name in the format user@isp1 to perform AAA authentication in the domain isp1. If the user name does not contain the domain name or contains an invalid domain name, the user is authenticated in the default domain.

    [Switch] domain isp1

  3. Configure 802.1x authentication on the Switch.

    # Switch the NAC mode to unified mode.
    [Switch] authentication unified-mode
    NOTE:

    After the common mode and unified mode are switched, the device automatically restarts.

    # Enable 802.1X authentication on the interface GE1/0/1.
    [Switch] interface gigabitethernet1/0/1
    [Switch-GigabitEthernet1/0/1] authentication dot1x
    [Switch-GigabitEthernet1/0/1] authentication mode multi-authen max-user 100
    [Switch-GigabitEthernet1/0/1] quit

    # (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets.

    [Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 2222-1111-1234

  4. Verify the configuration.

    1. Run the display dot1x command to check the 802.1X authentication configuration. The command output (802.1X protocol is Enabled) shows that the 802.1X authentication has been enabled on the interface GE1/0/1.
    2. The user starts the 802.1X client on the terminal, and enters the user name and password for authentication.
    3. If the user name and password are correct, an authentication success message is displayed on the client page. The user can access the network.
    4. After the user goes online, you can run the display access-user access-type dot1x command on the device to check the online 802.1X user information.

Configuration Files

Configuration file of the Switch

#
sysname Switch
#
vlan batch 10 20
#
domain isp1 
#
access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 2222-1111-1234
#
radius-server template rd1
 radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
 radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
 authentication-scheme abc
  authentication-mode radius  
 domain isp1
  authentication-scheme abc
  radius-server rd1

#
interface Vlanif10
 ip address 192.168.1.10 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
 authentication dot1x 
 authentication mode multi-authen max-user 100    
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 20   
#
return
Download
Updated: 2019-05-16

Document ID: EDOC1000069466

Views: 185411

Downloads: 1845

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next