Typical NAC Configuration (Unified Mode) (the Agile Controller-Campus as the Authentication Server) (V200R005C00 to V200R008C00)
- Example for Configuring Portal Authentication to Control User Access to the Enterprise Network (Authentication Point on Core Switch)
- Example for Configuring Portal Authentication to Control User Access to the Enterprise Network (Authentication Point on Aggregation Switch)
- Example for Configuring 802.1X and MAC Address Authentication to Control User Access to the Enterprise Network (Authentication Point on Access Switch)
- Example for Configuring 802.1X and MAC Address Authentication to Control User Access to the Enterprise Network (Authentication Point on Aggregation Switch)
Example for Configuring Portal Authentication to Control User Access to the Enterprise Network (Authentication Point on Core Switch)
Portal Authentication Overview
Portal authentication is a Network Access Control (NAC) method. Portal authentication is also called web authentication. Generally, Portal authentication websites are referred to as Portal websites. Users must be authenticated by the Portal websites before they can use network services.
Portal authentication is insecure, but allows flexible networking as no client software is required on users' terminals. 802.1X authentication is another NAC method. It is more secure than Portal authentication, but requires the installation of client software on users' terminals, resulting in networking inflexibility. Like Portal authentication, MAC address authentication also does not require the installation of client software, but user terminals' MAC addresses must be registered on the authentication server. Network configuration and management is complex.
Portal authentication applies to the users who are sparsely distributed and move frequently, for example, guests of a company.
Configuration Notes
This configuration example applies to all switches running all versions.
Huawei's Agile Controller-Campus in V100R001 functions as the Portal server and RADIUS server in this example. For the Agile Controller-Campus, the version required is V100R001, V100R002, V100R003.
The RADIUS authentication and accounting shared keys and Portal shared key on the switch must be the same as those on the Agile Controller-Campus server.
By default, the switch allows the packets from RADIUS and Portal servers to pass. You do not need to configure authentication-free rules for the two servers on the switch.
Networking Requirements
- The authentication operations should be simple. The authentication system only performs access authorization. Minimum client software is installed on user terminals.
- To facilitate network reconstruction and reduce investments, the enterprise requires the authentication point be deployed on the core switch.
- A unified identity authentication mechanism is used to authenticate all terminals accessing the campus network and deny access from unauthorized terminals.
- R&D employees can connect only to public servers (such as the web and DNS servers) of the enterprise before the authentication, and can connect to both the intranet (code library and issue tracking system) and Internet after being authenticated.
- Marketing employees can connect only to public servers (such as the web and DNS servers) of the enterprise before the authentication, and can connect only to the Internet after being authenticated.
Data Plan
VLAN ID |
Function |
|---|---|
101 |
VLAN for R&D employees |
102 |
VLAN for marketing employees |
103 |
VLAN for connection between the aggregation switch and core switch |
104 |
VLAN to which interfaces connecting to the servers belong |
Item |
Data |
Description |
|
|---|---|---|---|
Access switch (connecting to the R&D department) |
Interface number: GE0/0/1 VLAN: 101 |
Connects to employees' PCs. |
|
Interface number: GE0/0/2 VLAN: 101 |
Connects to the aggregation switch. |
||
Access switch (connecting to the marketing department) |
Interface number: GE0/0/1 VLAN: 102 |
Connects to employees' PCs. |
|
Interface number: GE0/0/2 VLAN: 102 |
Connects to the aggregation switch. |
||
Aggregation switch |
Interface number: GE1/0/1 VLAN: 101 VLANIF101 IP address: 192.168.0.1 |
Connects to the access switch of the R&D department. Functions as the gateway for R&D employees. |
|
Interface number: GE1/0/2 VLAN: 102 VLANIF102 IP address: 192.168.1.1 |
Connects to the access switch of the marketing department. Functions as the gateway for marketing employees. |
||
Interface number: GE1/0/3 VLAN: 103 VLANIF103 IP address: 172.16.2.1 |
Connects to the core switch. |
||
Core switch |
Interface number: GE1/0/1 VLAN: 103 VLANIF103 IP address: 172.16.2.2 |
Connects to the aggregation switch. |
|
Interface number: GE1/0/2 VLAN: 104 VLANIF104 IP address: 172.16.1.254 |
Connects to the server area and functions as the gateway for the servers. |
||
Server |
Agile Controller-Campus (RADIUS server + Portal server) |
IP address: 172.16.1.1 |
- |
DNS server |
IP address: 172.16.1.2 |
- |
|
Web server |
IP address: 172.16.1.3 |
- |
|
Code library |
IP address: 172.16.1.4 |
- |
|
Issue tracking system |
IP address: 172.16.1.5 |
- |
|
Item |
Data |
Description |
|---|---|---|
Core switch |
Number of the ACL for R&D employees' post-authentication domain: 3001 |
You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus. |
Number of the ACL for marketing employees' post-authentication domain: 3002 |
You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus. |
|
Authentication server:
|
|
|
Accounting server:
|
||
Portal server:
|
||
Agile Controller-Campus |
Host name: access.example.com |
Users can use the domain name to access the Portal server. |
Device IP address: 172.16.1.254 |
- |
|
Authentication port: 1812 |
- |
|
Accounting port: 1813 |
- |
|
RADIUS shared key: YsHsjx_202206 |
The RADIUS shared key must be the same as that configured on the switch. |
|
Port number that the Portal server uses to receive packets: 50200 |
- |
|
Portal shared key: YsHsjx_202206 |
It must be the same as the Portal authentication shared key configured on the switch. |
|
Department: R&D
Department: Marketing
|
Two departments and two corresponding accounts have been created on the Agile Controller-Campus: R&D department and an R&D employee account A-123; Marketing department and a marketing employee account B-123. |
|
Pre-authentication domain |
Agile Controller-Campus (including RADIUS server and Portal server), DNS server, and web server |
- |
Post-authentication domain |
|
- |
Configuration Roadmap
- Configure the access switch, aggregation switch, and core switch to ensure network connectivity.
- Configure Portal authentication on the core switch to implement user access control. Configure parameters for connecting to the RADIUS server and those for connecting to the Portal server, enable Portal authentication, and configure network access rights for the pre-authentication domain and post-authentication domain.
- Configure the Agile Controller-Campus:
- Log in to the Agile Controller-Campus.
- Add user accounts to the Agile Controller-Campus.
- Add a switch to the Agile Controller-Campus and configure related parameters to ensure normal communication between the Agile Controller-Campus and switch.
- Add authorization results and authorization rules to the Agile Controller-Campus to grant different access rights to R&D employees and marketing employees after they are successfully authenticated.
Procedure
- Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting to the R&D department. The configuration for SwitchB, the access switch connecting to the marketing department, is similar to that for SwitchA.
<HUAWEI> system-view [HUAWEI] sysname SwitchA [SwitchA] vlan 101 [SwitchA-vlan101] quit [SwitchA] interface gigabitethernet 0/0/1 //Interface connected to the R&D department [SwitchA-GigabitEthernet0/0/1] port link-type access [SwitchA-GigabitEthernet0/0/1] port default vlan 101 [SwitchA-GigabitEthernet0/0/1] quit [SwitchA] interface gigabitethernet 0/0/2 //Interface connected to the aggregation switch [SwitchA-GigabitEthernet0/0/2] port link-type trunk [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 [SwitchA-GigabitEthernet0/0/2] quit
- Configure the aggregation switch to ensure network connectivity.
<HUAWEI> system-view [HUAWEI] sysname SwitchC [SwitchC] dhcp enable //Enable the DHCP service. [SwitchC] vlan batch 101 to 103 [SwitchC] interface gigabitethernet 1/0/1 //Interface of the access switch connected to the R&D department [SwitchC-GigabitEthernet1/0/1] port link-type trunk [SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 101 [SwitchC-GigabitEthernet1/0/1] quit [SwitchC] interface vlanif 101 [SwitchC-Vlanif101] ip address 192.168.0.1 255.255.255.0 //IP address segment assigned to R&D employees [SwitchC-Vlanif101] dhcp select interface [SwitchC-Vlanif101] dhcp server dns-list 172.16.1.2 [SwitchC-Vlanif101] quit [SwitchC] interface gigabitethernet 1/0/2 //Interface of the access switch connected to the marketing department [SwitchC-GigabitEthernet1/0/2] port link-type trunk [SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102 [SwitchC-GigabitEthernet1/0/2] quit [SwitchC] interface vlanif 102 [SwitchC-Vlanif102] ip address 192.168.1.1 255.255.255.0 //IP address segment assigned to marketing employees [SwitchC-Vlanif102] dhcp select interface [SwitchC-Vlanif102] dhcp server dns-list 172.16.1.2 [SwitchC-Vlanif102] quit [SwitchC] interface gigabitethernet 1/0/3 //Interface connected to the core switch [SwitchC-GigabitEthernet1/0/3] port link-type trunk [SwitchC-GigabitEthernet1/0/3] port trunk allow-pass vlan 103 [SwitchC-GigabitEthernet1/0/3] quit [SwitchC] interface vlanif 103 [SwitchC-Vlanif103] ip address 172.16.2.1 255.255.255.0 [SwitchC-Vlanif103] quit [SwitchC] ip route-static 172.16.1.0 255.255.255.0 172.16.2.2 //Configure routes to the network segment in which the authentication server resides.
- Configure the core switch.
- Configure the Agile Controller-Campus.
- Create departments and accounts. The following describes how to create the R&D department. Create the Marketing department similarly.
- Choose Resource > User > User Management.
- Click the Department tab in the operation area on the right. Then click Add under the Department tab, and add the department R&D.
- Click the User tab in the operation area on the right. Then click Add under the User tab, and add the user A.
- Click
in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password YsHsjx_202207.
- On the User tab page, select user A and click Transfer to add user A to the R&D department.
- Add a switch to the Agile Controller-Campus and configure related parameters to ensure normal communication between the Agile Controller-Campus and switch.
- Choose Resource > Device > Device Management.
- Click Add.
- Configure parameters for the switch.
Parameter
Value
Description
Name
SW
-
IP Address
172.16.1.254
The interface must be able to communicate with the SC.
Device series
Huawei Quidway Series
-
Authentication Key
YsHsjx_202206
It must be the same as the shared key of the RADIUS authentication server configured on the switch.
Charging Key
YsHsjx_202206
It must be the same as the shared key of the RADIUS accounting server configured on the switch.
Real-time charging interval (minute)
15
It must be the same as the real-time accounting interval configured on the switch.
Port
2000
This is the port that the switch uses to communicate with the Portal server. Retain the default value.
Portal Key
YsHsjx_202206
It must be the same as the Portal shared key configured on the switch.
Allowed IP Addresses
192.168.0.1/24; 192.168.1.1/24
-
- Click OK.
- Configure employee authorization. This example describes how to configure R&D employee authorization. The configuration procedure for marketing employees is the same, except that the network resources the two types of employees can access are different.
- Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and configure resources that R&D employees can access after authentication and authorization.
Parameter
Value
Description
Name
R&D employee post-authentication domain
-
Service Type
Access Service
-
ACL Number/AAA User Group
3001
The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.
- Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule, and specify the authorization conditions for R&D employees.
Parameter
Value
Description
Name
R&D employee authorization rule
-
Service Type
Access User
-
Department
R&D
-
Authorization Result
R&D employee post-authentication domain
-
- Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and configure resources that R&D employees can access after authentication and authorization.
- Create departments and accounts. The following describes how to create the R&D department. Create the Marketing department similarly.
- Verify the configuration.
- Employees can access only the Agile Controller-Campus, DNS, and web servers before authentication.
- The Portal authentication page is pushed to an employee when the employee attempts to visit an Internet website. After the employee enters the correct account and password, the requested web page is displayed.
- R&D employee A can access the Internet, code library, and issue tracking system after authentication. Marketing employee B can access the Internet but not the code library and issue tracking system after authentication.
- After an employee is authenticated, run the display access-user command on the switch. The command output shows that the employee is online.
in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password 
Configuration Files
# sysname SwitchA # vlan batch 101 # interface GigabitEthernet0/0/1 port link-type access port default vlan 101 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 101 # return
# sysname SwitchC # vlan batch 101 to 103 # dhcp enable # interface Vlanif101 ip address 192.168.0.1 255.255.255.0 dhcp select interface dhcp server dns-list 172.16.1.2 # interface Vlanif102 ip address 192.168.1.1 255.255.255.0 dhcp select interface dhcp server dns-list 172.16.1.2 # interface Vlanif103 ip address 172.16.2.1 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 101 # interface GigabitEthernet1/0/2 port link-type trunk port trunk allow-pass vlan 102 # interface GigabitEthernet1/0/3 port link-type trunk port trunk allow-pass vlan 103 # ip route-static 172.16.1.0 255.255.255.0 172.16.2.2 # return
# Configuration file of the core switch
#
sysname SwitchD
#
vlan batch 103 to 104
#
domain portal
#
radius-server template policy
radius-server shared-key cipher %#%#1*yT+0O\X;V}hP,G^TMN7mTXA^mIz)SoR:86;lNK%#%#
radius-server authentication 172.16.1.1 1812 weight 80
radius-server accounting 172.16.1.1 1813 weight 80
#
acl number 3001
rule 1 permit ip
acl number 3002
rule 1 deny ip destination 172.16.1.4 0
rule 2 deny ip destination 172.16.1.5 0
rule 3 permit ip
#
web-auth-server portal_huawei
server-ip 172.16.1.1
port 50200
shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
url http://access.***.com:8080/portal
source-ip 172.16.1.254
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain portal
authentication-scheme auth
accounting-scheme acco
radius-server policy
#
interface Vlanif103
ip address 172.16.2.2 255.255.255.0
web-auth-server portal_huawei layer3
authentication portal
#
interface Vlanif104
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 103
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 104
#
ip route-static 192.168.0.0 255.255.255.0 172.16.2.1
ip route-static 192.168.1.0 255.255.255.0 172.16.2.1
#
authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return
Example for Configuring Portal Authentication to Control User Access to the Enterprise Network (Authentication Point on Aggregation Switch)
Portal Authentication Overview
Portal authentication is a Network Access Control (NAC) method. Portal authentication is also called web authentication. Generally, Portal authentication websites are referred to as Portal websites. Users must be authenticated by the Portal websites before they can use network services.
Portal authentication is insecure, but allows flexible networking as no client software is required on users' terminals. 802.1X authentication is another NAC method. It is more secure than Portal authentication, but requires the installation of client software on users' terminals, resulting in networking inflexibility. Like Portal authentication, MAC address authentication also does not require the installation of client software, but user terminals' MAC addresses must be registered on the authentication server. Network configuration and management is complex.
Portal authentication applies to the users who are sparsely distributed and move frequently, for example, guests of a company.
Configuration Notes
- This configuration example applies to all switches running V200R009C00 or a later version.
- Huawei's Agile Controller-Campus in V100R001 functions as the Portal server and RADIUS server in this example. For the Agile Controller-Campus, the version required is V100R001, V100R002, V100R003.
- The RADIUS authentication and accounting shared keys and Portal shared key on the switch must be the same as those on the Agile Controller-Campus server.
- By default, the switch allows the packets from RADIUS and Portal servers to pass. You do not need to configure authentication-free rules for the two servers on the switch.
- When you run the access-user arp-detect command to configure the IP address and MAC address of the user gateway as the source IP address and source MAC address of user offline detection packets, ensure that the MAC address of the gateway remains unchanged, especially in active/standby switchover scenarios. If the gateway MAC address is changed, ARP entries of terminals will be incorrect on the device, and the terminals cannot communicate with the device.
Networking Requirements
- The authentication operations should be simple. The authentication system only performs access authorization. Minimum client software is installed on user terminals.
- Moderate security control is required. To facilitate maintenance, a moderate number of authentication points need to be deployed on the aggregation switch.
- A unified identity authentication mechanism is used to authenticate all terminals accessing the campus network and deny access from unauthorized terminals.
- R&D employees can connect only to public servers (such as the web and DNS servers) of the enterprise before the authentication, and can connect to both the intranet (code library and issue tracking system) and Internet after being authenticated.
- Marketing employees can connect only to public servers (such as the web and DNS servers) of the enterprise before the authentication, and can connect only to the Internet after being authenticated.
Data Plan
VLAN ID |
Function |
|---|---|
101 |
VLAN for R&D employees |
102 |
VLAN for marketing employees |
103 |
VLAN to which interfaces connecting to the servers belong |
Item |
Data |
Description |
|
|---|---|---|---|
Access switch (connecting to the R&D department) |
Interface number: GE0/0/1 VLAN: 101 |
Connects to employees' PCs. |
|
Interface number: GE0/0/2 VLAN: 101 |
Connects to the aggregation switch. |
||
Access switch (connecting to the marketing department) |
Interface number: GE0/0/1 VLAN: 102 |
Connects to employees' PCs. |
|
Interface number: GE0/0/2 VLAN: 102 |
Connects to the aggregation switch. |
||
Aggregation switch |
Interface number: GE1/0/1 VLAN: 101 VLANIF101 IP address: 192.168.0.1 |
Connects to the access switch of the R&D department. Functions as the gateway for R&D employees. |
|
Interface number: GE1/0/2 VLAN: 102 VLANIF102 IP address: 192.168.1.1 |
Connects to the access switch of the marketing department. Functions as the gateway for marketing employees. |
||
Interface number: GE1/0/3 VLAN: 103 VLANIF103 IP address: 172.16.1.254 |
Connects to the enterprise server area. Functions as the gateway for servers. |
||
Server |
Agile Controller-Campus (RADIUS server + Portal server) |
IP address: 172.16.1.1 |
- |
DNS server |
IP address: 172.16.1.2 |
- |
|
Web server |
IP address: 172.16.1.3 |
- |
|
Code library |
IP address: 172.16.1.4 |
- |
|
Issue tracking system |
IP address: 172.16.1.5 |
- |
|
Item |
Data |
Description |
|---|---|---|
Aggregation switch |
Number of the ACL for R&D employees' post-authentication domain: 3001 |
You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus. |
Number of the ACL for marketing employees' post-authentication domain: 3002 |
You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus. |
|
Authentication server:
|
|
|
Accounting server:
|
||
Portal server:
|
||
Agile Controller-Campus |
Host name: access.example.com |
Users can use the domain name to access the Portal server. |
Device IP address: 172.16.1.254 |
- |
|
Authentication port: 1812 |
- |
|
Accounting port: 1813 |
- |
|
RADIUS shared key: YsHsjx_202206 |
The RADIUS shared key must be the same as that configured on the switch. |
|
Port number that the Portal server uses to receive packets: 50200 |
- |
|
Portal shared key: YsHsjx_202206 |
It must be the same as the Portal authentication shared key configured on the switch. |
|
Department: R&D
Department: Marketing
|
Two departments and two corresponding accounts have been created on the Agile Controller-Campus: R&D department and an R&D employee account A-123; Marketing department and a marketing employee account B-123. |
|
Pre-authentication domain |
Agile Controller-Campus (including RADIUS server and Portal server), DNS server, and web server |
- |
Post-authentication domain |
|
- |
Configuration Roadmap
- Configure the access switch and aggregation switch to ensure network connectivity.
- Configure Portal authentication on the aggregation switch to implement user access control. Configure parameters for connecting to the RADIUS server and those for connecting to the Portal server, enable Portal authentication, and configure network access rights for the pre-authentication domain and post-authentication domain.
- Configure the Agile Controller-Campus:
- Log in to the Agile Controller-Campus.
- Add user accounts to the Agile Controller-Campus.
- Add a switch to the Agile Controller-Campus and configure related parameters to ensure normal communication between the Agile Controller-Campus and switch.
- Add authorization results and authorization rules to the Agile Controller-Campus to grant different access rights to R&D employees and marketing employees after they are successfully authenticated.
Procedure
- Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting to the R&D department. The configuration for SwitchB, the access switch connecting to the marketing department, is similar.
<HUAWEI> system-view [HUAWEI] sysname SwitchA [SwitchA] vlan 101 [SwitchA-vlan101] quit [SwitchA] interface gigabitethernet 0/0/1 //Interface connected to the R&D department [SwitchA-GigabitEthernet0/0/1] port link-type access [SwitchA-GigabitEthernet0/0/1] port default vlan 101 [SwitchA-GigabitEthernet0/0/1] quit [SwitchA] interface gigabitethernet 0/0/2 //Interface connected to the aggregation switch [SwitchA-GigabitEthernet0/0/2] port link-type trunk [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 [SwitchA-GigabitEthernet0/0/2] quit
- Configure the aggregation switch.
- Configure the Agile Controller-Campus.
- Create departments and accounts. The following describes how to create the R&D department. Create the Marketing department similarly.
- Choose Resource > User > User Management.
- Click the Department tab in the operation area on the right. Then click Add under the Department tab, and add the department R&D.
- Click the User tab in the operation area on the right. Then click Add under the User tab, and add the user A.
- Click
in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password YsHsjx_202207.
- On the User tab page, select user A and click Transfer to add user A to the R&D department.
- Add a switch to the Agile Controller-Campus and configure related parameters to ensure normal communication between the Agile Controller-Campus and switch.
- Choose Resource > Device > Device Management.
- Click Add.
- Configure parameters for the switch.
Parameter
Value
Description
Name
SW
-
IP Address
172.16.1.254
The interface must be able to communicate with the SC.
Device series
Huawei Quidway Series
-
Authentication Key
YsHsjx_202206
It must be the same as the shared key of the RADIUS authentication server configured on the switch.
Charging Key
YsHsjx_202206
It must be the same as the shared key of the RADIUS accounting server configured on the switch.
Real-time charging interval (minute)
15
It must be the same as the real-time accounting interval configured on the switch.
Port
2000
This is the port that the switch uses to communicate with the Portal server. Retain the default value.
Portal Key
YsHsjx_202206
It must be the same as the Portal shared key configured on the switch.
Allowed IP Addresses
192.168.0.1/24; 192.168.1.1/24
-
- Click OK.
- Configure employee authorization. This example describes how to configure R&D employee authorization. The configuration procedure for marketing employees is the same, except that the network resources the two types of employees can access are different.
- Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and configure resources that R&D employees can access after authentication and authorization.
Parameter
Value
Description
Name
R&D employee post-authentication domain
-
Service Type
Access Service
-
ACL Number/AAA User Group
3001
The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.
- Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule, and specify the authorization conditions for R&D employees.
Parameter
Value
Description
Name
R&D employee authorization rule
-
Service Type
Access User
-
Department
R&D
-
Authorization Result
R&D employee post-authentication domain
-
- Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and configure resources that R&D employees can access after authentication and authorization.
- Create departments and accounts. The following describes how to create the R&D department. Create the Marketing department similarly.
- Verify the configuration.
- Employees can access only the Agile Controller-Campus, DNS, and web servers before authentication.
- The Portal authentication page is pushed to an employee when the employee attempts to visit an Internet website. After the employee enters the correct account and password, the requested web page is displayed.
- R&D employee A can access the Internet, code library, and issue tracking system after authentication. Marketing employee B can access the Internet but not the code library and issue tracking system after authentication.
- After an employee is authenticated, run the display access-user command on the switch. The command output shows that the employee is online.
Switch Configuration File
# sysname SwitchA # vlan batch 101 # interface GigabitEthernet0/0/1 port link-type access port default vlan 101 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 101 # return
# sysname SwitchB # vlan batch 102 # interface GigabitEthernet0/0/1 port link-type access port default vlan 102 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 102 # return
# Configuration file of the aggregation switch
#
sysname SwitchC
#
vlan batch 101 to 103
#
domain portal
#
access-user arp-detect vlan 101 ip-address 192.168.0.1 mac-address 00e0-fc12-3456
access-user arp-detect vlan 102 ip-address 192.168.1.1 mac-address 00e0-fc12-3456
#
dhcp enable
#
radius-server template policy
radius-server shared-key cipher %#%#lJIB8CQ<:A;x$h2V5+;+C>HwC+@XAL)ldpQI}:$X%#%#
radius-server authentication 172.16.1.1 1812 source ip-address 172.16.1.254 weight 80
radius-server accounting 172.16.1.1 1813 source ip-address 172.16.1.254 weight 80
#
acl number 3001
rule 1 permit ip
acl number 3002
rule 1 deny ip destination 172.16.1.4 0
rule 2 deny ip destination 172.16.1.5 0
rule 3 permit ip
#
web-auth-server portal_huawei
server-ip 172.16.1.1
port 50200
shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
url http://access.***.com:8080/portal
source-ip 172.16.1.254
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain portal
authentication-scheme auth
accounting-scheme acco
radius-server policy
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
web-auth-server portal_huawei direct
authentication portal
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
web-auth-server portal_huawei direct
authentication portal
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif103
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 103
#
authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return
Example for Configuring 802.1X and MAC Address Authentication to Control User Access to the Enterprise Network (Authentication Point on Access Switch)
Overview
802.1X authentication and MAC address authentication are two methods used for Network Access Control (NAC). 802.1X authentication is implemented based on interfaces and MAC address authentication is implemented based on interfaces and MAC addresses. Both protocols can protect security for enterprise networks.
802.1X authentication is more secure than MAC address authentication; however, it requires that 802.1X client software be installed on all user terminals, allowing low networking flexibility. 802.1X authentication is applicable to the networks requiring high information security.
MAC address authentication does not need 802.1X client software, but user terminals' MAC addresses must be registered on the authentication server. Network configuration and management is complex. MAC address authentication is applicable to dumb terminals such as printers and fax machine.
Configuration Notes
This configuration example applies to all switches running all versions.
Huawei's Agile Controller-Campus in V100R001 functions as the RADIUS server in this example. For the Agile Controller-Campus, the version required is V100R001, V100R002, V100R003.
The RADIUS authentication and accounting shared keys and Portal shared key on the switch must be the same as those on the Agile Controller-Campus server.
By default, the switch allows the packets from RADIUS server to pass. You do not need to configure authentication-free rules for the server on the switch.
Networking Requirements
Enterprises have high requirements on network security. To prevent unauthorized access and protect information security, an enterprise requests users to pass identity authentication and security check before they access the enterprise network. Only authorized users are allowed to access the enterprise network.
In addition, dumb terminals, such as IP phones and printers, can access the enterprise network only after passing authentication.
The enterprise network has the following characteristics:
All access switches support 802.1X authentication.
The enterprise network has a small size and does not have branch networks.
The enterprise has no more than 1000 employees. A maximum of 2000 users, including guests, access the network every day.
Dumb terminals, such as IP phones and printers, are connected to the enterprise network.
To provide high security for the network, you are advised to configure the 802.1X authentication function on access switches and connect a single centralized authentication server to the aggregation switch in bypass mode. MAC address authentication needs to be configured for dumb terminals.
Data Plan
Item |
Data |
|---|---|
Agile Controller-Campus |
IP address: 192.168.100.100 |
Post-authentication domain server |
IP address: 192.168.102.100 |
Aggregation switch (SwitchA) |
Management IP address: 192.168.10.10 |
Access switch (SwitchC) |
|
Access switch (SwitchD) |
|
Item |
Data |
|---|---|
RADIUS scheme |
|
ACL number of the post-authentication domain |
3002 |
Item |
Data |
|---|---|
Department |
R&D department |
Access user |
User name: A Wired access account: A-123 Password: YsHsjx_202207 |
Device group |
Wired device group: Switch |
Switch IP address |
|
RADIUS authentication key |
YsHsjx_202206 |
RADIUS accounting key |
YsHsjx_202206 |
Configuration Roadmap
- Configure the access switches, including the VLANs interfaces belong to, parameters for connecting to the RADIUS server, enabling NAC authentication, and access right to the post-authentication domain.
Ensure the reachable routes between the access switches (SwitchC and SwitchD), aggregation switch (SwitchA), and Agile Controller-Campus server.
- Configure the Agile Controller-Campus:
- Log in to the Agile Controller-Campus.
- Add an account to the Agile Controller-Campus.
- Add switches to the Agile Controller-Campus.
- Configure authentication rules, authorization results, and authorization rules on the Agile Controller-Campus.
Procedure
- Configure the access switches. This example uses SwitchC to describe the configuration. The domain configuration on SwitchD is the same as that on SwitchC.
- Enable 802.1X and MAC address authentication.# Set the NAC mode to unified.
[SwitchC] authentication unified-mode
By default, the unified mode is enabled. After the NAC mode is changed, the device automatically restarts.
# Enable 802.1X authentication on GE0/0/1.[SwitchC] interface gigabitEthernet 0/0/1 [SwitchC-GigabitEthernet0/0/1] authentication dot1x [SwitchC-GigabitEthernet0/0/1] quit
# Enable MAC address authentication on GE0/0/2.[SwitchC] interface gigabitEthernet 0/0/2 [SwitchC-GigabitEthernet0/0/2] authentication mac-authen [SwitchC-GigabitEthernet0/0/2] mac-authen username fixed A-123 password cipher YsHsjx_202207 //Set the user name mode for MAC address authentication to fixed user name. Set the user name to A-123 and password to YsHsjx_202207. [SwitchC-GigabitEthernet0/0/2] quit
- Enable 802.1X and MAC address authentication.
- Configure the Agile Controller-Campus.
- Create a department and account.
- Choose Resource > User > User Management.
- Click the Department tab in the operation area on the right. Then click Add under the Department tab, and add the department R&D.
- Click the User tab in the operation area on the right. Then click Add under the User tab, and add the user A.
- Click
in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password YsHsjx_202207.
- On the User tab page, select user A and click Transfer to add user A to the R&D department.
- Add switches to the Agile Controller-Campus so that the switches can communicate with the Agile Controller-Campus.
Choose .
Click Permission Control Device Group in the navigation tree, and click
and Add SubGroup to create a device group Switch.
Click the device group in the navigation tree and select ALL Device. Click Add to add network access devices.
Set connection parameters on the Add Device page.
This example uses SwitchC to describe the configuration procedure. The configuration on SwitchD is the same as that on SwitchC except that the IP addresses are different.
Parameter
Value
Description
Name
SwitchC
-
IP Address
192.168.30.30
The interface on the switch must communicate with the Agile Controller-Campus.
Device Series
Huawei Quidway series switch
-
Authentication Key
YsHsjx_202206
It must be the same as the shared key of the RADIUS authentication server configured on the switch.
Charging Key
YsHsjx_202206
It must be the same as the shared key of the RADIUS accounting server configured on the switch.
Real-time charging interval (minute)
15
It must be the same as the real-time accounting interval configured on the switch.
- Click Permission Control Device Group in the navigation tree, select SwitchC, and click Move to move SwitchC to the Switch group. The configuration on SwitchD is the same as that on SwitchC.
- Add an authentication rule.
Choose and click Add to create an authentication rule.
- Configure basic information for the authentication rule.
Parameter
Value
Description
Name
Access authentication rule
-
Service Type
Access service
-
Authentication Condition
Device group Switch
Customize authentication rules based on the requirements of your network.
Please select the allowed authentication protocol
- PAP
- CHAP
- EAP-MD5
- EAP-PEAP-MSCHAPv2
- EAP-TLS
- EAP-PEAP-GTC
- EAP-TTLS-PAP
-
- Add an authorization result.
Choose and click Add to create an authorization result.
- Configure basic information for the authorization result.
Parameter
Value
Description
Name
Post-authentication domain
-
Service Type
Access service
-
ACL Number/AAA User Group
3002
The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.
- Add an authorization rule.
After a user passes the authentication, authorization phase starts. The Agile Controller-Campus grants the user access rights based on the authorization rule.
Choose and click Add to create an authorization rule.
Configure basic information for the authorization rule.
Parameter
Value
Description
Name
Authorization rule for R&D employees
-
Service Type
Access service
-
Access Device Group
Switch
-
Authorization Result
Post-authentication domain
-
- Create a department and account.
- Verify the configuration.
- An employee can only access the Agile Controller-Campus server before passing the authentication.
- After passing the authentication, the employee can access resources in the post-authentication domain.
- After the employee passes the authentication, run the display access-user command on the switch. The command output shows information about the online employee.
and 
Switch Configuration File
#
sysname SwitchC
#
vlan batch 10
#
domain isp
#
radius-server template rd1
radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
radius-server authentication 192.168.100.100 1812 weight 80
radius-server accounting 192.168.100.100 1813 weight 80
#
acl number 3002
rule 1 permit ip destination 192.168.102.100 0
rule 2 deny ip
#
aaa
authentication-scheme abc
authentication-mode radius
accounting-scheme acco1
accounting-mode radius
accounting realtime 15
domain isp
authentication-scheme abc
accounting-scheme acco1
radius-server rd1
#
interface Vlanif10
ip address 192.168.30.30 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
authentication dot1x
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
authentication mac-authen
mac-authen username fixed A-123 password cipher %^%#7JxKWaX6c0\X4RHfJ$M6|duQ*k{7uXu{J{S=zx-3%^%#
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10
#
return
Example for Configuring 802.1X and MAC Address Authentication to Control User Access to the Enterprise Network (Authentication Point on Aggregation Switch)
Overview
On a NAC network, the 802.1X, MAC address, and Portal authentication modes are configured on the user access interfaces of a device to meet various authentication requirements. Users can access the network using any authentication mode.
If multiple authentication modes are enabled, the authentication modes take effect in the sequence they are configured. In addition, after multiple authentication modes are deployed, users can be authenticated in different modes by default and assigned different network rights accordingly by the device.
Configuration Notes
This configuration example applies to all switches running all versions.
Huawei's Agile Controller-Campus in V100R001 functions as the RADIUS server in this example. For the Agile Controller-Campus, the version required is V100R001, V100R002, V100R003.
The RADIUS authentication and accounting shared keys and Portal shared key on the switch must be the same as those on the Agile Controller-Campus server.
By default, the switch allows the packets from RADIUS server to pass. You do not need to configure authentication-free rules for the server on the switch.
Networking Requirements
Enterprises have high requirements on network security. To prevent unauthorized access and protect information security, an enterprise requests users to pass identity authentication and security check before they access the enterprise network. Only authorized users are allowed to access the enterprise network.
In addition, dumb terminals, such as IP phones and printers, can access the enterprise network only after passing authentication.
The enterprise network has the following characteristics:
The access switches on the network do not support 802.1X authentication.
The enterprise network has a small size and does not have branch networks.
The enterprise has no more than 1000 employees. A maximum of 2000 users, including guests, access the network every day.
Dumb terminals, such as IP phones and printers, are connected to the enterprise network.
To reduce network reconstruction investment, you are advised to configure the 802.1X authentication function on the aggregation switch and connect a single centralized authentication server to the aggregation switch in bypass mode. MAC address authentication needs to be configured for dumb terminals.
Data Plan
Item |
Data |
|---|---|
Agile Controller-Campus |
IP address: 192.168.100.100 |
Post-authentication domain server |
IP address: 192.168.102.100 |
Aggregation switch (SwitchA) |
|
Access switch (SwitchC) |
User VLAN ID: 200 |
Access switch (SwitchD) |
User VLAN ID: 200 |
Item |
Data |
|---|---|
RADIUS scheme |
|
ACL number of the post-authentication domain |
3002 |
Item |
Data |
|---|---|
Department |
R&D department |
Access user |
User name: A Wired access account: A-123 Password: YsHsjx_202207 |
Device group |
Wired device group: Switch |
Switch IP address |
SwitchA: 192.168.10.10 |
RADIUS authentication key |
YsHsjx_202206 |
Charging Key |
YsHsjx_202206 |
Configuration Roadmap
- Configure the aggregation switch, including the VLANs interfaces belong to, parameters for connecting to the RADIUS server, enabling NAC authentication, and access right to the post-authentication domain.
Ensure the reachable routes between the access switches (SwitchC and SwitchD), aggregation switch (SwitchA), and Agile Controller-Campus server.
- Configure the access switches, including the VLANs and 802.1X transparent transmission.
- Configure the Agile Controller-Campus:
- Log in to the Agile Controller-Campus.
- Add an account to the Agile Controller-Campus.
- Add switches to the Agile Controller-Campus.
- Configure authentication rules, authorization results, and authorization rules on the Agile Controller-Campus.
Procedure
- Configure the aggregation switch.
- Enable 802.1X and MAC address authentication.# Set the NAC mode to unified.
[SwitchA] authentication unified-mode
By default, the unified mode is enabled. After the NAC mode is changed, the device automatically restarts.
# Enable 802.1X and MAC address authentication on GE0/0/1 and GE0/0/2.[SwitchA] interface gigabitethernet 0/0/1 [SwitchA-Gigabitethernet0/0/1] authentication dot1x mac-authen //Configure a combination of 802.1X and MAC address authentication. [SwitchA-Gigabitethernet0/0/1] mac-authen username fixed A-123 password cipher YsHsjx_202207 //Set the user name mode for MAC address authentication to fixed user name. Set the user name to A-123 and password to YsHsjx_202207. [SwitchA-Gigabitethernet0/0/1] quit [SwitchA] interface gigabitethernet 0/0/2 [SwitchA-Gigabitethernet0/0/2] authentication dot1x mac-authen //Configure a combination of 802.1X and MAC address authentication. [SwitchA-Gigabitethernet0/0/2] mac-authen username fixed A-123 password cipher YsHsjx_202207 //Set the user name mode for MAC address authentication to fixed user name. Set the user name to A-123 and password to YsHsjx_202207. [SwitchA-Gigabitethernet0/0/2] quit
- Enable 802.1X and MAC address authentication.
- Configure the access switches.
- Configure the device to transparently transmit 802.1X packets. This example uses SwitchC to describe the configuration. The configuration on SwitchD is the same as that on SwitchC.
In this example, SwitchC and SwitchD are deployed between the authentication switch SwitchA and users. EAP packet transparent transmission needs to be configured on SwitchC and SwitchD so that SwitchA can perform 802.1X authentication for users.
- Method 1:
[SwitchC] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 [SwitchC] interface gigabitethernet 0/0/1 [SwitchC-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1x enable [SwitchC-GigabitEthernet0/0/1] bpdu enable [SwitchC-GigabitEthernet0/0/1] quit [SwitchC] interface gigabitethernet 0/0/2 [SwitchC-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol 802.1x enable [SwitchC-GigabitEthernet0/0/2] bpdu enable [SwitchC-GigabitEthernet0/0/2] quit [SwitchC] interface gigabitethernet 0/0/3 [SwitchC-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable [SwitchC-GigabitEthernet0/0/3] bpdu enable [SwitchC-GigabitEthernet0/0/3] quit
Method 2: This method is recommended when a large number of users exist or high network performance is required. Only the S5720-EI, S5720-HI, and S6720-EI support this method.
[SwitchC] undo bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFF0 [SwitchC] bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE [SwitchC] bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF [SwitchC] bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC [SwitchC] bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
This following step is mandatory when you switch from method 1 to method 2.
[SwitchC] interface gigabitethernet 0/0/1 [SwitchC-GigabitEthernet0/0/1] undo l2protocol-tunnel user-defined-protocol 802.1x enable [SwitchC-GigabitEthernet0/0/1] quit [SwitchC] interface gigabitethernet 0/0/2 [SwitchC-GigabitEthernet0/0/2] undo l2protocol-tunnel user-defined-protocol 802.1x enable [SwitchC-GigabitEthernet0/0/2] quit [SwitchC] interface gigabitethernet 0/0/3 [SwitchC-GigabitEthernet0/0/3] undo l2protocol-tunnel user-defined-protocol 802.1x enable [SwitchC-GigabitEthernet0/0/3] quit
- Method 1:
- Configure the device to transparently transmit 802.1X packets. This example uses SwitchC to describe the configuration. The configuration on SwitchD is the same as that on SwitchC.
- Configure the Agile Controller-Campus.
- Create a department and an account.
- Choose Resource > User > User Management.
- Click the Department tab in the operation area on the right. Then click Add under the Department tab, and add the department R&D.
- Click the User tab in the operation area on the right. Then click Add under the User tab, and add the user A.
- Click
in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password YsHsjx_202207.
- On the User tab page, select user A and click Transfer to add user A to the R&D department.
- Add switches to the Agile Controller-Campus so that the switches can communicate with the Agile Controller-Campus.
Choose .
Click Permission Control Device Group in the navigation tree, and click
and Add SubGroup to create a device group Switch.
Click the device group in the navigation tree and select ALL Device. Click Add to add network access devices.
Set connection parameters on the Add Device page.
Parameter
Value
Description
Name
SwitchA
-
IP Address
192.168.10.10
The interface on the switch must communicate with the Agile Controller-Campus.
Device Series
Huawei Quidway series switch
-
Authentication Key
YsHsjx_202206
It must be the same as the shared key of the RADIUS authentication server configured on the switch.
Charging Key
YsHsjx_202206
It must be the same as the shared key of the RADIUS accounting server configured on the switch.
Real-time charging interval (minute)
15
It must be the same as the real-time accounting interval configured on the switch.
- Click Permission Control Device Group in the navigation tree, select SwitchC, and click Move to move SwitchA to the Switch group. The configuration on SwitchD is the same as that on SwitchC.
- Add an authentication rule.
Choose and click Add to create an authentication rule.
- Configure basic information for the authentication rule.
Parameter
Value
Description
Name
Access authentication rule
-
Service Type
Access service
-
Authentication Condition
Device group Switch
Customize authentication rules based on the requirements of your network.
Please select the allowed authentication protocol
- PAP
- CHAP
- EAP-MD5
- EAP-PEAP-MSCHAPv2
- EAP-TLS
- EAP-PEAP-GTC
- EAP-TTLS-PAP
-
- Add an authorization result.
Choose and click Add to create an authorization result.
- Configure basic information for the authorization result.
Parameter
Value
Description
Name
Post-authentication domain
-
Service Type
Access service
-
ACL Number/AAA User Group
3002
The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.
- Add an authorization rule.
After a user passes the authentication, authorization phase starts. The Agile Controller-Campus grants the user access rights based on the authorization rule.
Choose and click Add to create an authorization rule.
Configure basic information for the authorization rule.
Parameter
Value
Description
Name
Authorization rule for R&D employees
-
Service Type
Access service
-
Access Device Group
Switch
-
Authorization Result
Post-authentication domain
-
- Create a department and an account.
- Verify the configuration.
- An employee can only access the Agile Controller-Campus server before passing the authentication.
- After passing the authentication, the employee can access resources in the post-authentication domain.
- After the employee passes the authentication, run the display access-user command on the switch. The command output shows information about the online employee.
Configuration Files
SwitchA configuration file
# sysname SwitchA # vlan batch 100 200 # domain isp # radius-server template rd1 radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%# radius-server authentication 192.168.100.100 1812 weight 80 radius-server accounting 192.168.100.100 1813 weight 80 # acl number 3002 rule 1 permit ip destination 192.168.102.100 0 rule 2 deny ip # aaa authentication-scheme abc authentication-mode radius accounting-scheme acco1 accounting-mode radius accounting realtime 15 domain isp authentication-scheme abc accounting-scheme acco1 radius-server rd1 # interface Vlanif100 ip address 192.168.10.10 255.255.255.0 # interface Vlanif200 ip address 192.168.200.1 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 200 authentication dot1x mac-authen mac-authen username fixed A-123 password cipher %^%#7JxKWaX6c0\X4RHfJ$M6|duQ*k{7uXu{J{S=zx-3%^%# # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 200 authentication dot1x mac-authen mac-authen username fixed A-123 password cipher %^%#7JxKWaX6c0\X4RHfJ$M6|duQ*k{7uXu{J{S=zx-3%^%# # interface GigabitEthernet0/0/6 port link-type trunk port trunk allow-pass vlan 100 # ip route-static 192.168.100.0 255.255.255.0 192.168.100.100 ip route-static 192.168.102.0 255.255.255.0 192.168.102.100 # returnSwitchC configuration file
# sysname SwitchC # vlan batch 200 # l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 # interface GigabitEthernet0/0/1 port link-type access port default vlan 200 l2protocol-tunnel user-defined-protocol 802.1x enable # interface GigabitEthernet0/0/2 port link-type access port default vlan 200 l2protocol-tunnel user-defined-protocol 802.1x enable # interface GigabitEthernet0/0/3 port link-type trunk port trunk allow-pass vlan 200 l2protocol-tunnel user-defined-protocol 802.1x enable # return
- Example for Configuring Portal Authentication to Control User Access to the Enterprise Network (Authentication Point on Core Switch)
- Example for Configuring Portal Authentication to Control User Access to the Enterprise Network (Authentication Point on Aggregation Switch)
- Example for Configuring 802.1X and MAC Address Authentication to Control User Access to the Enterprise Network (Authentication Point on Access Switch)
- Example for Configuring 802.1X and MAC Address Authentication to Control User Access to the Enterprise Network (Authentication Point on Aggregation Switch)