Native AC + NAC Solution: Core Switches Function as the Authentication Point for Wired and Wireless Users

Networking Requirements

Core switches set up a CSS that functions as the core of the entire campus network to implement high network reliability and forwarding of a large amount of data. In addition, core switches are configured with the native AC function to manage APs and transmit wireless service traffic on the entire network, implementing wired and wireless convergence. Aggregation switches set up stacks to implement device-level backup and increase the interface density and forwarding bandwidth.

In this example, core switches set up a CSS, which functions as the gateway and authentication point for wired and wireless users on the entire network. These users can access the network only after being authenticated. The specific requirements are as follows:

• Agile Controller-Campus functions as both the access authentication server and user service data source server.
• Users include employees (wired and wireless) who use 802.1X authentication and guests (wireless only) who use MAC address-prioritized Portal authentication.
• The authentication server delivers authorization ACLs to control network access rights of different users.

Figure 2-46 Core switches functioning as the authentication point for wired and wireless users

Device Requirements and Versions

Deployment Roadmap

Data Plan

Deployment Precautions

• In this example, Huawei's Agile Controller-Campus in V100R001 functions as the Portal server and RADIUS server. In addition to V100R001, Agile Controller-Campus can also run V100R002 or V100R003.
• The RADIUS authentication key, RADIUS accounting key, and Portal key configured on Agile Controller-Campus must be the same as those configured on switches.
• By default, the switch allows the packets sent to RADIUS and Portal servers to pass through. You do not need to configure any authentication-free rule for these packets on switches.

• When NAC is enabled on an Eth-Trunk interface, ensure that member interfaces of the Eth-Trunk interface reside on cards of the same type. Otherwise, users may fail to go online or services are affected after they go online.
• In the 802.1X authentication scenario, if there is a Layer 2 switch between the 802.1X-enabled switch and users, Layer 2 transparent transmission must be enabled for 802.1X authentication packets on the Layer 2 switch; otherwise, users cannot be successfully authenticated.

For other precautions, see "Licensing Requirements and Limitations for NAC Unified Mode" in the S12700 Series Agile Switches Product Use Precautions.

Procedure

1. Enable campus network connectivity. For details, see Native AC Solution: Core Switches Function as the Gateway for Wired and Wireless Users.

   For wireless users, the security policies in security profiles vary according to access authentication modes.

   User Access Authentication Mode	Security Policy
   MAC address authentication or Portal authentication	Open system authentication
   802.1X authentication	WPA/WPA2-802.1X authentication. WPA2 authentication is used in this example.

   For employees who use 802.1X authentication, configure a security policy in security profile sec1 as follows:

   [CORE-wlan-sec-prof-sec1] security wpa2 dot1x aes

   For guests who use MAC address-prioritized Portal authentication, configure a security policy in security profile sec2 as follows (the default security policy is open):

   [CORE-wlan-sec-prof-sec2] security open

2. Configure AAA on CORE.
   # Configure the RADIUS server template tem_rad and configure parameters for interconnection between CORE and the RADIUS server. The parameters include the IP addresses, port numbers, and shared keys of the RADIUS authentication and accounting servers.

   <CSS> system-view
   [CSS] sysname CORE
   [CORE] radius-server template tem_rad 
   [CORE-radius-tem_rad] radius-server authentication 192.168.11.1 1812 
   [CORE-radius-tem_rad] radius-server accounting 192.168.11.1 1813 
   [CORE-radius-tem_rad] radius-server shared-key cipher YsHsjx_202206 
   [CORE-radius-tem_rad] quit

   # Configure a RADIUS authorization server.

   [CORE] radius-server authorization 192.168.11.1 shared-key cipher YsHsjx_202206 

   # Configure AAA schemes, set the authentication, authorization, and accounting modes to RADIUS, and set the accounting interval to 15 minutes.

   [CORE] aaa 
   [CORE-aaa] authentication-scheme auth     
   [CORE-aaa-authen-auth] authentication-mode radius   
   [CORE-aaa-authen-auth] quit 
   [CORE-aaa] accounting-scheme acco 
   [CORE-aaa-accounting-acco] accounting-mode radius 
   [CORE-aaa-accounting-acco] accounting realtime 15 
   [CORE-aaa-accounting-acco] quit

   # Configure the domain huawei.com and bind AAA schemes and RADIUS server template to this domain.

   [CORE-aaa] domain huawei.com 
   [CORE-aaa-domain-huawei.com] authentication-scheme auth
   [CORE-aaa-domain-huawei.com] accounting-scheme acco
   [CORE-aaa-domain-huawei.com] radius-server tem_rad 
   [CORE-aaa-domain-huawei.com] quit 
   [CORE-aaa] quit

3. Configure a pre-authentication domain, a post-authentication domain, and the escape function on CORE.
   # Configure a pre-authentication domain to allow packets destined for the DNS server to pass through before users are authenticated.

   [CORE] free-rule-template name default_free_rule 
   [CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.2 mask 32 
   [CORE-free-rule-default_free_rule] quit

   # Configure post-authentication domains. Configure ACL 3001 and ACL 3002 to control the network access rights of employees and guests, respectively.

   [CORE] acl 3001   //Configure an ACL for authorization of employees, so that they can access the Internet and service server after being authenticated.
   [CORE-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 
   [CORE-acl-adv-3001] rule 2 permit ip destination 192.168.11.3 0.0.0.0
   [CORE-acl-adv-3001] rule 3 deny ip destination any
   [CORE-acl-adv-3001] quit
   [CORE] acl 3002   //Configure an ACL for authorization of guests, so that they can access the Internet after being authenticated.
   [CORE-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255 
   [CORE-acl-adv-3002] rule 2 deny ip destination any
   [CORE-acl-adv-3002] quit

   # Configure the escape function, so that network access rights of employees and guests are not affected if Agile Controller-Campus is faulty.

   [CORE] aaa 
   [CORE-aaa] service-scheme s1 //Configure service scheme s1 for authorization of employees if Agile Controller-Campus is faulty.
   [CORE-aaa-service-s1] acl-id 3001 
   [CORE-aaa-service-s1] quit 
   [CORE-aaa] service-scheme s2  //Configure service scheme s1 for authorization of guests if Agile Controller-Campus is faulty.
   [CORE-aaa-service-s2] acl-id 3002 
   [CORE-aaa-service-s2] quit
   [CORE-aaa] quit

4. Configure 802.1X authentication for employees on CORE.

   # Change the NAC mode to unified.

   By default, the unified mode is used. You can run the display authentication mode command to check the current NAC mode on a switch. The switch will restart automatically after the NAC mode is changed between common and unified modes.

   [CORE] authentication unified-mode

   # Configure an 802.1X access profile.

   By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X authentication requests.

   [CORE] dot1x-access-profile name d1
   [CORE-dot1x-access-profile-d1] dot1x authentication-method eap
   [CORE-dot1x-access-profile-d1] quit

   # Configure an authentication profile for employees.

   [CORE] authentication-profile name p1 
   [CORE-authen-profile-p1] dot1x-access-profile d1
   [CORE-authen-profile-p1] free-rule-template default_free_rule 
   [CORE-authen-profile-p1] access-domain huawei.com force  //Configure the domain huawei.com as a forcible domain.
   [CORE-authen-profile-p1] authentication event authen-server-down action authorize service-scheme s1  //Enable the switch to grant network access rights to users if the authentication server is faulty.
   [CORE-authen-profile-p1] authentication event authen-server-up action re-authen
   [CORE-authen-profile-p1] quit

   # Configure 802.1X authentication for wired access of employees on downlink interfaces Eth-Trunk 10 and Eth-Trunk 20.

   [CORE] interface eth-trunk 10 
   [CORE-Eth-Trunk10] authentication-profile p1 
   [CORE-Eth-Trunk10] quit
   [CORE] interface eth-trunk 20 
   [CORE-Eth-Trunk20] authentication-profile p1 
   [CORE-Eth-Trunk20] quit

   # Configure 802.1X authentication for wireless access of employees in VAP profile vap1.

   [CORE] wlan
   [CORE-wlan-view] vap-profile name vap1
   [CORE-wlan-vap-prof-vap1] authentication-profile p1 
   [CORE-wlan-vap-prof-vap1] quit
   [CORE-wlan-view] quit

5. Configure MAC address-prioritized Portal authentication for guests on CORE.
   # Configure Portal server template tem_portal, and set parameters for interconnection between CORE and the Portal server. The parameters include the IP address, port number, and shared key of the Portal server.

   [CORE] web-auth-server tem_portal 
   [CORE-web-auth-server-tem_portal] server-ip 192.168.11.1   
   [CORE-web-auth-server-tem_portal] port 50200   //The Portal server port number is fixed at 50200 when Agile Controller-Campus functions as the Portal server.
   [CORE-web-auth-server-tem_portal] shared-key cipher YsHsjx_202206
   [CORE-web-auth-server-tem_portal] url http://192.168.11.1:8080/portal   
   [CORE-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0 action log   //Enable the Portal server detection function so that you can learn the Portal server status in real time and users can still access the network even if the Portal server is faulty. Note that the value of interval must be greater than or equal to 15, in seconds; the recommended value is 100.
   [CORE-web-auth-server-tem_portal] quit 

   # Configure a Portal access profile.

   [CORE] portal-access-profile name web1 
   [CORE-portal-acces-profile-web1] web-auth-server tem_portal direct
   [CORE-portal-acces-profile-web1] authentication event portal-server-down action authorize service-scheme s2  //Enable the switch to grant network access rights to users if the authentication server is faulty.
   [CORE-portal-acces-profile-web1] authentication event portal-server-up action re-authen
   [CORE-portal-acces-profile-web1] quit

   # Configure a MAC access profile.

   [CORE] mac-access-profile name mac1 
   [CORE-mac-access-profile-mac1] quit

   # Configure an authentication profile for guests.

   [CORE] authentication-profile name p2 
   [CORE-authen-profile-p2] portal-access-profile web1
   [CORE-authen-profile-p2] mac-access-profile mac1
   [CORE-authen-profile-p2] free-rule-template default_free_rule 
   [CORE-authen-profile-p1] access-domain huawei.com force  //Configure the domain huawei.com as a forcible domain.
   [CORE-authen-profile-p1] authentication event authen-server-down action authorize service-scheme s2  //Enable the switch to grant network access rights to users if the authentication server is faulty.
   [CORE-authen-profile-p1] authentication event authen-server-up action re-authen
   [CORE-authen-profile-p2] quit

   # Configure MAC address-prioritized Portal authentication for guests in the VAP profile vap2.

   [CORE] wlan
   [CORE-wlan-view] vap-profile name vap2
   [CORE-wlan-vap-prof-vap2] authentication-profile p2 
   [CORE-wlan-vap-prof-vap2] quit
   [CORE-wlan-view] quit

6. Configure transparent transmission of 802.1X packets on both aggregation and access switches. The following uses access switch ACC1 (S5720-SI) as an example. The configuration of other switches is similar to that of ACC1.

   If a switch supports the bpdu enable command, run both the bpdu enable and l2protocol-tunnel user-defined-protocol 802.1x enable commands on an interface of the switch.

   [ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 
   [ACC1] interface eth-trunk 30 
   [ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable 
   [ACC1-Eth-Trunk30] quit 
   [ACC1] interface gigabitethernet 0/0/3 
   [ACC1-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable 
   [ACC1-GigabitEthernet0/0/3] quit 
   [ACC1] interface gigabitethernet 0/0/4 
   [ACC1-GigabitEthernet0/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable  
   [ACC1-GigabitEthernet0/0/4] quit

7. Configure Agile Controller-Campus.
   1. Add switches so that they can communicate with Agile Controller-Campus.
      Choose Resource > Device > Device Management, click Add, and configure device information and authentication parameters.

      Table 2-61 Parameter settings on Agile Controller-Campus and CORE

      Parameter on Agile Controller-Campus	Configuration on Agile Controller-Campus	Configuration on CORE
      Name	CORE	-
      IP address	192.168.11.254	IP address of VLANIF 1000, which is used by CORE to communicate with Agile Controller-Campus
      Device series	Huawei S Series	-
      Authentication/Accounting key	YsHsjx_202206	radius-server shared-key cipher YsHsjx_202206
      Authorization key	YsHsjx_202206	radius-server authorization 192.168.11.1 shared-key cipher YsHsjx_202206
      Real-time accounting interval (minute)	15	accounting realtime 15
      Port	2000	Port 2000 is used by default. You can run the web-auth-server listening-port port-number command in the system view to change the port number.
      Portal key	YsHsjx_202206	shared-key cipher YsHsjx_202206
      Access terminal IPv4 list	172.16.30.0/24;172.16.40.0/24	IP addresses of guests, corresponding to IP address pools on VLANIF 30 and VLANIF 40
      Enable heartbeat between access device and Portal server	Selected	Only when Enable heartbeat between access device and Portal server is selected and the Portal server IP address is added to the Portal server IP address list, the Portal server can periodically send heartbeat packets to CORE, based on which CORE determines the Portal server status. This configuration corresponds to the server-detect command configured in the Portal server template view on CORE.
      Portal server IP address list	192.168.11.1

      Figure 2-47 Adding a device
      
      
   2. Create user groups and accounts. The following describes how to configure the user group Employee. The configuration of the user group Guest is similar.

      1. Choose Resource > User > User Management.

      2. Click in the operation area on the left, and create the user group Employee.
         Figure 2-48 Adding a user group
         
      3. Click Add in the operation area on the right, and add an account.
         Figure 2-49 Adding an account
         
      4. Click Transfer in the operation area on the right, and add the account to the user group Employee.
         Figure 2-50 Adding an account to a user group
         

   3. Enable MAC address-prioritized Portal authentication.

      1. Choose System > Terminal Configuration > Global Parameters > Access Management.

      2. On the Configure MAC Address-Prioritized Portal Authentication tab page, enable MAC address-prioritized Portal authentication, and set Validity period of MAC address (min) to 60.

      Figure 2-51 Configuring MAC address-prioritized Portal authentication
      
   4. Configure authorization. End users will match authorization rules based on specified conditions. The following describes how to configure authorization for employees. The configuration for guests is similar.

      1. Choose Policy > Permission Control > Authentication & Authorization > Authorization Result, and configure a post-authentication domain for employees.

         Figure 2-52 Adding an authorization result
         

      2. Configure authorization rules for employees and guests according to Table 2-62. The following describes how to configure authorization rules for wired access of employees. The configuration for guests is similar.

         Table 2-62 Authorization rules for employees and guests

         Name	User Group	Terminal IP Address Range	SSID	Authorization Result
         Wired employees authorization rule	Employee	wire	-	Employees_post-authentication_domain
         Wireless employees authorization rule	Employee	-	test01	Employees_post-authentication_domain
         Guests authorization rule	Guest	-	test02	Guests_post-authentication_domain

         • Choose Resource > User > IP Address Range, set the name of an IP address range to wire, and add IP address segments 172.16.50.0/24 and 172.16.60.0/24.
           Figure 2-53 Adding an IP address range
           
         • Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule.
           Figure 2-54 Adding an authorization rule
           
           

Verifying the Deployment

[CORE] display access-user username user1 detail
Basic:
  User ID                         : 118293
  User name                       : user1          //User name
  Domain-name                     : huawei.com     //Authentication domain
  User MAC                        : 00e0-fc12-3344
  User IP address                 : 172.16.60.133
  User vpn-instance               : -
  User IPv6 address               : FE80::E9AA:9FE9:95F9:C499
  User IPv6 link local address    : FE80::E9AA:9FE9:95F9:C499
  User access Interface           : Eth-Trunk20   //Interface on which the user goes online
  User vlan event                 : Success        
  QinQVlan/UserVlan               : 0/60
  User vlan source                : user request                  
  User access time                : 2019/08/05 03:15:16
  User accounting session ID      : CORE00220000000060ad****0304e15
  User access type                : 802.1x       //User access type
  Terminal Device Type            : Data Terminal 
  Dynamic ACL ID(Effective)       : 3001         //Authorization information

AAA:
  User authentication type        : 802.1x authentication     //Authentication mode
  Current authentication method   : RADIUS
  Current authorization method    : -
  Current accounting method       : RADIUS

 ------------------------------------------------------------------------------
 Total: 1, printed: 1

Choose Resource > User > RADIUS Log on Agile Controller-Campus to check RADIUS authentication logs of the employee account.

Configuration Files

• CORE configuration file

  #
  sysname CORE
  #
  vlan batch 20 30 40 50 60 1000
  #
  authentication-profile name p1
   dot1x-access-profile d1
   free-rule-template default_free_rule
   access-domain huawei.com force
   authentication event authen-server-down action authorize service-scheme s1
   authentication event authen-server-up action re-authen
  authentication-profile name p2
   mac-access-profile mac1
   portal-access-profile web1
   free-rule-template default_free_rule
   access-domain huawei.com force
   authentication event authen-server-down action authorize service-scheme s2
   authentication event authen-server-up action re-authen
  #
  dhcp enable
  #
  dhcp snooping enable
  #
  radius-server template tem_rad
   radius-server shared-key cipher %^%#3^oCZ#^K<9>lUH"Mg_%U3aNI>aQqK!^:syMdU*&S%^%#
   radius-server authentication 192.168.100.10 1812 weight 80
   radius-server accounting 192.168.100.10 1813 weight 80
  radius-server authorization 192.168.100.10 shared-key cipher %^%#gRHYK,u,HU'@T$~SK\IK'%P".ySe/6;4[4'HJ(/<%^%#
  #
  acl number 3001
   rule 1 permit ip destination 172.16.3.0 0.0.0.255
   rule 2 permit ip destination 192.168.11.3 0
   rule 3 deny ip
  acl number 3002
   rule 1 permit ip destination 172.16.3.0 0.0.0.255
   rule 2 deny ip
  #
  free-rule-template name default_free_rule
   free-rule 1 destination ip 192.168.11.2 mask 255.255.255.255
  #
  web-auth-server tem_portal
   server-ip 192.168.100.10
   port 50200
   shared-key cipher %^%#}czkQj/H4NTr~B$84qB."XQ(;1'$}:;L4z;K~c]P%^%#
   url http://192.168.100.10:8080/portal
   server-detect interval 100 max-times 5 action log
  #
  portal-access-profile name web1
   authentication event portal-server-down action authorize service-scheme s2
   authentication event portal-server-up action re-authen
   web-auth-server tem_portal direct
  #
  vlan 30
   dhcp snooping enable
  vlan 40
   dhcp snooping enable
  vlan 50
   dhcp snooping enable
  vlan 60
   dhcp snooping enable
  #
  aaa
   authentication-scheme auth
    authentication-mode radius
   accounting-scheme acco
    accounting-mode radius
    accounting realtime 15
   service-scheme s1
    acl-id 3001
   service-scheme s2
    acl-id 3002
   domain huawei.com
    authentication-scheme auth
    accounting-scheme acco
    radius-server tem_rad
  #
  interface Vlanif20
   ip address 192.168.20.1 255.255.255.0
   dhcp select interface
  #
  interface Vlanif30
   ip address 172.16.30.1 255.255.255.0
   arp-proxy inner-sub-vlan-proxy enable
   dhcp select interface
   dhcp server dns-list 192.168.11.2
  #
  interface Vlanif40
   ip address 172.16.40.1 255.255.255.0
   arp-proxy inner-sub-vlan-proxy enable
   dhcp select interface
   dhcp server dns-list 192.168.11.2
  #
  interface Vlanif50
   ip address 172.16.50.1 255.255.255.0
   arp-proxy inner-sub-vlan-proxy enable
   dhcp select interface
   dhcp server dns-list 192.168.11.2
  #
  interface Vlanif60
   ip address 172.16.60.1 255.255.255.0
   arp-proxy inner-sub-vlan-proxy enable
   dhcp select interface
   dhcp server dns-list 192.168.11.2
  #
  interface Vlanif1000
   ip address 192.168.11.254 255.255.255.0
  #
  interface Eth-Trunk10
   description con to AGG1
   port link-type trunk
   port trunk allow-pass vlan 20 50
   authentication-profile p1
  #
  interface Eth-Trunk20
   description con to AGG2
   port link-type trunk
   port trunk allow-pass vlan 20 60
   authentication-profile p1
  #
  interface GigabitEthernet1/1/0/1
   eth-trunk 10
  #
  interface GigabitEthernet1/1/0/2
   eth-trunk 20
  #
  interface GigabitEthernet1/2/0/1
   port link-type access
   port default vlan 1000
   #
  interface GigabitEthernet2/1/0/1
   eth-trunk 20
  #
  interface GigabitEthernet2/1/0/2
   eth-trunk 10
  #
  #
  capwap source interface vlanif20
  #
  wlan
   traffic-profile name traff1
    user-isolate l2
   traffic-profile name traff2
    user-isolate l2
   security-profile name sec1
    security wpa2 dot1x aes
   security-profile name sec2
    security open
   ssid-profile name ssid1
    ssid test01
   ssid-profile name ssid2
    ssid test02
   vap-profile name vap1
    forward-mode tunnel
    service-vlan vlan-id 30
    ssid-profile ssid1
    security-profile sec1
    traffic-profile traff1
    authentication-profile p1
    ip source check user-bind enable
    arp anti-attack check user-bind enable
    learn-client-address dhcp-strict
   vap-profile name vap2
    forward-mode tunnel
    service-vlan vlan-id 40
    ssid-profile ssid2
    security-profile sec2
    traffic-profile traff2
    authentication-profile p2
    ip source check user-bind enable
    arp anti-attack check user-bind enable
    learn-client-address dhcp-strict
   ap-group name ap-group1
    regulatory-domain-profile domain1
    radio 0
     vap-profile vap1 wlan 1
     vap-profile vap2 wlan 2
    radio 1
     vap-profile vap1 wlan 1
     vap-profile vap2 wlan 2
   ap-id 1 type-id 30 ap-mac 00e0-fc12-4400 ap-sn 2102355547W0E3000316
    ap-name area_1
    ap-group ap-group1
   ap-id 2 type-id 56 ap-mac 00e0-fc12-3390 ap-sn 21500829352SGA900583
    ap-name area_2
    ap-group ap-group1
  dot1x-access-profile name d1
  #
  mac-access-profile name mac1
  #
  return

• AGG1 configuration file

  #
  sysname AGG1
  #
  vlan batch 20 50
  #
  l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
  #
  interface Eth-Trunk10
   description connect to CORE
   port link-type trunk
   undo port trunk allow-pass vlan 1
   port trunk allow-pass vlan 20 50
   l2protocol-tunnel user-defined-protocol 802.1x enable
  #
  interface Eth-Trunk30
   port link-type trunk
   undo port trunk allow-pass vlan 1
   port trunk allow-pass vlan 20 50
   l2protocol-tunnel user-defined-protocol 802.1x enable
   port-isolate enable group 1
  #
  interface GigabitEthernet0/0/3 
   eth-trunk 30 
  # 
  interface GigabitEthernet0/0/10 
   mad detect mode direct 
  # 
  interface GigabitEthernet1/0/3 
   eth-trunk 30 
  # 
  interface GigabitEthernet1/0/10 
   mad detect mode direct 
  #
  interface XGigabitEthernet0/0/1
   eth-trunk 10
  #
  interface XGigabitEthernet1/0/1
   eth-trunk 10
  #
  return

• AGG2 configuration file

  #
  sysname AGG2
  #
  vlan batch 20 60
  #
  l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
  #
  interface Eth-Trunk20
   description connect to CORE
   port link-type trunk
   undo port trunk allow-pass vlan 1
   port trunk allow-pass vlan 20 60
   l2protocol-tunnel user-defined-protocol 802.1x enable
  #
  interface Eth-Trunk40
   port link-type trunk
   undo port trunk allow-pass vlan 1
   port trunk allow-pass vlan 20 60
   l2protocol-tunnel user-defined-protocol 802.1x enable
   port-isolate enable group 1
  #
  interface GigabitEthernet0/0/3 
   eth-trunk 40  
  # 
  interface GigabitEthernet0/0/10 
   mad detect mode direct 
  # 
  interface GigabitEthernet1/0/3 
   eth-trunk 40 
  # 
  interface GigabitEthernet1/0/10 
   mad detect mode direct 
  # 
  interface XGigabitEthernet0/0/1
   eth-trunk 20
  #
  interface XGigabitEthernet1/0/1
   eth-trunk 20
  #
  return

• ACC1 configuration file

  #
  sysname ACC1
  #
  vlan batch 20 50
  #
  l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
  #
  interface Eth-Trunk30
   port link-type trunk
   undo port trunk allow-pass vlan 1
   port trunk allow-pass vlan 20 50
   l2protocol-tunnel user-defined-protocol 802.1x enable
  #
  interface GigabitEthernet0/0/1 
   eth-trunk 30 
  # 
  interface GigabitEthernet0/0/2 
   eth-trunk 30 
  # 
  interface GigabitEthernet0/0/3
   port link-type access
   port default vlan 50
   stp edged-port enable
   l2protocol-tunnel user-defined-protocol 802.1x enable
   port-isolate enable group 1
  #
  interface GigabitEthernet0/0/4
   port link-type access
   port default vlan 20
   stp edged-port enable
   l2protocol-tunnel user-defined-protocol 802.1x enable
   port-isolate enable group 1
  #
  return

• ACC2 configuration file

  #
  sysname ACC2
  #
  vlan batch 20 60
  #
  l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
  #
  sysname ACC2
  #
  vlan batch 20 60
  #
  interface Eth-Trunk40
   port link-type trunk
   undo port trunk allow-pass vlan 1
   port trunk allow-pass vlan 20 60
   l2protocol-tunnel user-defined-protocol 802.1x enable
  #
  interface GigabitEthernet0/0/1 
   eth-trunk 40 
  # 
  interface GigabitEthernet0/0/2 
   eth-trunk 40 
  #
  interface GigabitEthernet0/0/3
   port link-type access
   port default vlan 60
   stp edged-port enable
   l2protocol-tunnel user-defined-protocol 802.1x enable
   port-isolate enable group 1
  #
  interface GigabitEthernet0/0/4
   port link-type access
   port default vlan 20
   stp edged-port enable
   l2protocol-tunnel user-defined-protocol 802.1x enable
   port-isolate enable group 1
  #
  return