Native AC + Policy Association Solution: Core Switches Function as the Authentication Point for Wired and Wireless Users
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus network to implement high network reliability and forwarding of a large amount of data. In addition, core switches are configured with the native AC function to manage APs and transmit wireless service traffic on the entire network, implementing wired and wireless convergence. Aggregation switches set up stacks to implement device-level backup and increase the interface density and forwarding bandwidth.
In this example, core switches set up a CSS, which functions as the gateway and authentication point for wired and wireless users on the entire network. These users can access the network only after being authenticated. The specific requirements are as follows:
- Agile Controller-Campus functions as both the access authentication server and user service data source server.
- Policy association is deployed between core switches and access switches. The core switches function as control devices to centrally authenticate users and manage user access policies, and access devices only need to execute user access policies. This function not only controls network access rights of users, but also simplifies the configuration and management of access devices.
Users include employees (wired and wireless) who use 802.1X authentication and guests (wireless only) who use MAC address-prioritized Portal authentication.
Device Requirements and Versions
| Location | Device Requirement | Device Used in This Example | Version Used in This Example |
|---|---|---|---|
| Core layer | | S12700E | V200R019C10 |
| Aggregation layer | - | S5731-H | |
| Access layer | - | S5735-L | |
| AP | - | AP6050DN | V200R019C00 |
Deployment Roadmap
| Step | Deployment Roadmap | Devices Involved |
|---|---|---|
| 1 | Configure AAA on core switches that function as control devices, including configuring a RADIUS server template, AAA schemes, and authentication domains to enable user authentication, authorization, and accounting through RADIUS, as well as configuring parameters for interconnection between switches and the RADIUS server. | Core switches (CORE) |
| 2 | Configure a pre-authentication domain, a post-authentication domain, and the escape function, so that users have corresponding rights before and after being authenticated as well as when Agile Controller-Campus is faulty. | Core switches (CORE) |
| 3 | Configure the policy association function on core and access switches. | Core switches (CORE) and access switches (ACC1 and ACC2) |
| 4 | Configure 802.1X authentication for employees. | Core switches (CORE) and access switches (ACC1 and ACC2) |
| 5 | Configure MAC address-prioritized Portal authentication for guests. | Core switches (CORE) and access switches (ACC1 and ACC2) |
| 6 | Configure transparent transmission for 802.1X packets. | Aggregation switches (AGG1 and AGG2) and access switches (ACC1 and ACC2) |
| 7 | Log in to Agile Controller-Campus, configure parameters for interconnection with CORE, and configure RADIUS and Portal parameters. | Agile Controller-Campus |
Data Plan
| Item | VLAN ID | Network Segment |
|---|---|---|
| Management VLAN for APs | VLAN 20 | 192.168.20.0/24 |
| Service VLANs for wireless users | VLAN 30 | 172.16.30.0/24 |
| | VLAN 40 | 172.16.40.0/24 |
| Service VLAN for a wired user (PC1) | VLAN 50 | 172.16.50.0/24 |
| Service VLAN for a wired user (PC2) | VLAN 60 | 172.16.60.0/24 |
| VLAN for communication with servers | VLAN 1000 | 192.168.11.254/24 |
| Item | Data |
|---|---|
| AP group | ap-group1 |
| Regulatory domain profile | domain1 |
| SSID profiles | test01, test02 |
| VAP profiles | vap1, vap2 (The data forwarding mode in the VAP profiles is tunnel forwarding.) |
| Item | Data |
|---|---|
| AAA schemes | Authentication scheme: auth; accounting scheme: acco |
| RADIUS server | Template tem_rad: authentication server 192.168.11.1 (port 1812), accounting server 192.168.11.1 (port 1813), shared key YsHsjx_202206 |
| Portal server | Template tem_portal: IP address 192.168.11.1, port 50200, shared key YsHsjx_202206, URL http://192.168.11.1:8080/portal |
| Portal access profile | Name: web1 |
| 802.1X access profile | Name: d1 |
| MAC access profile | Name: mac1 |
| Pre-authentication domain | IP address of the DNS server: 192.168.11.2 |
| Post-authentication domains | The IP addresses of the service server and campus egress device are 192.168.11.3 and 172.16.3.1, respectively. |
| Item | Data |
|---|---|
| IP address of CORE | 192.168.11.254 |
| RADIUS parameters | Authentication/accounting key and authorization key: YsHsjx_202206; real-time accounting interval: 15 minutes |
| Portal parameters | Port: 2000; Portal key: YsHsjx_202206; heartbeat between access device and Portal server enabled; Portal server IP address: 192.168.11.1 |
| XMPP password | YsHsjx_202206 |
| Accounts | Employee: user1 (in user group employee); Guest: an account in user group guest |
| Post-authentication domains | employee_domain and guest_domain |
Deployment Precautions
- In this example, Huawei's Agile Controller-Campus in V100R003C50 functions as the Portal server and RADIUS server.
- The RADIUS authentication key, RADIUS accounting key, and Portal key configured on Agile Controller-Campus must be the same as those configured on switches.
- By default, the switch allows the packets sent to RADIUS and Portal servers to pass through. You do not need to configure any authentication-free rule for these packets on switches.
- When NAC is enabled on an Eth-Trunk interface, ensure that member interfaces of the Eth-Trunk interface reside on cards of the same type. Otherwise, users may fail to go online or services are affected after they go online.
- In the 802.1X authentication scenario, if there is a Layer 2 switch between the 802.1X-enabled switch and users, Layer 2 transparent transmission must be enabled for 802.1X authentication packets on the Layer 2 switch; otherwise, users cannot be successfully authenticated.
- For details about the devices that can function as control and access devices in a policy association scenario and other precautions, see "Licensing Requirements and Limitations for Policy Association" in S12700 Series Agile Switches Product Use Precautions.
Procedure
- Enable campus network connectivity. For details, see Native AC Solution: Core Switches Function as the Gateway for Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access authentication modes.

| User Access Authentication Mode | Security Policy |
|---|---|
| MAC address authentication or Portal authentication | Open system authentication |
| 802.1X authentication | WPA/WPA2-802.1X authentication. WPA2 authentication is used in this example. |
For employees who use 802.1X authentication, configure a security policy in security profile sec1 as follows:
```
[CORE] wlan
[CORE-wlan-view] security-profile name sec1
[CORE-wlan-sec-prof-sec1] security wpa2 dot1x aes
[CORE-wlan-sec-prof-sec1] quit
```
For guests who use MAC address-prioritized Portal authentication, configure a security policy in security profile sec2 as follows (the default security policy is open):
```
[CORE-wlan-view] security-profile name sec2
[CORE-wlan-sec-prof-sec2] security open
[CORE-wlan-sec-prof-sec2] quit
[CORE-wlan-view] quit
```
- Configure AAA on CORE.
# Configure the RADIUS server template tem_rad and configure parameters for interconnection between CORE and the RADIUS server. The parameters include the IP addresses, port numbers, and shared keys of the RADIUS authentication and accounting servers.
```
[CORE] radius-server template tem_rad
[CORE-radius-tem_rad] radius-server authentication 192.168.11.1 1812
[CORE-radius-tem_rad] radius-server accounting 192.168.11.1 1813
[CORE-radius-tem_rad] radius-server shared-key cipher YsHsjx_202206
[CORE-radius-tem_rad] quit
[CORE] radius-server authorization 192.168.11.1 shared-key cipher YsHsjx_202206
```
# Configure AAA schemes, set the authentication, authorization, and accounting modes to RADIUS, and set the accounting interval to 15 minutes.
```
[CORE] aaa
[CORE-aaa] authentication-scheme auth
[CORE-aaa-authen-auth] authentication-mode radius
[CORE-aaa-authen-auth] quit
[CORE-aaa] accounting-scheme acco
[CORE-aaa-accounting-acco] accounting-mode radius
[CORE-aaa-accounting-acco] accounting realtime 15
[CORE-aaa-accounting-acco] quit
```
# Configure the domain huawei.com and bind the AAA schemes and the RADIUS server template to this domain.
```
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit
```
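The RADIUS exchange that this template and AAA scheme set up between CORE and the server at 192.168.11.1, written out as an example added to this page (it is not part of the original document or of Huawei's or Agile Controller-Campus's software). It builds an Access-Request per RFC 2865, hides the User-Password with the shared key, and verifies the Response Authenticator on the way back, which is why the precaution above insists that the RADIUS key on the switch and on Agile Controller-Campus match. The credential store and the use of a Filter-Id attribute to carry the ACL number are assumptions made for the example.

```python
"""RADIUS Access-Request / Access-Accept exchange between CORE (the NAS) and the
RADIUS server at 192.168.11.1, assembled by hand per RFC 2865.  Both roles run
in-process here.  Example added to this page; the user store and the use of a
Filter-Id attribute to carry the ACL number are assumptions, not Agile
Controller-Campus behaviour."""
import hashlib
import hmac
import os
import socket
import struct

SHARED_KEY = b"YsHsjx_202206"     # RADIUS shared key from the data plan
NAS_IP = "192.168.11.254"         # IP address of CORE
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11

USER_DB = {b"user1": b"Pass@word1"}   # constructed credential store (assumption)


def _attr(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(blob):
    attrs, pos = {}, 0
    while pos < len(blob):
        attr_type, length = blob[pos], blob[pos + 1]
        attrs[attr_type] = blob[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block),
    the first block with MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; only yields the password with the same secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth=None):
    """Packet CORE sends to port 1812 for a user authenticating in domain huawei.com."""
    ra = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, ra))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(NAS_IP)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def server_handle(packet, secret):
    """Server side: recover the password with the server's copy of the key, then
    answer Access-Accept with an authorization attribute, or Access-Reject."""
    code, ident, _ = struct.unpack("!BBH", packet[:4])
    ra, attrs = packet[4:20], _parse_attrs(packet[20:])
    candidate = reveal_password(attrs[USER_PASSWORD], secret, ra)
    ok = code == ACCESS_REQUEST and hmac.compare_digest(
        candidate, USER_DB.get(attrs[USER_NAME], b"\x00"))
    resp_attrs = _attr(FILTER_ID, b"3001") if ok else b""    # ACL 3001 = employee domain
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + ra + resp_attrs + secret).digest() + resp_attrs


def client_verify(response, request_auth, secret):
    """NAS side: a reply whose Response Authenticator does not match the NAS key
    (wrong key on either end, or not from the real server) must be discarded."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def exchange(nas_key, server_key, username=b"user1", password=b"Pass@word1"):
    """Run one round trip with possibly different keys on the two ends."""
    ra = os.urandom(16)
    request = build_access_request(7, username, password, nas_key, ra)
    response = server_handle(request, server_key)
    return {"code": response[0], "authentic": client_verify(response, ra, nas_key),
            "filter_id": _parse_attrs(response[20:]).get(FILTER_ID)}


if __name__ == "__main__":
    print("matching keys :", exchange(SHARED_KEY, SHARED_KEY))
    print("key mismatch  :", exchange(b"WrongKey_202206", SHARED_KEY))
```

With matching keys the round trip yields an Access-Accept whose authenticator verifies; with a key mismatch the server cannot recover the password (it rejects the user) and, independently, CORE cannot verify the reply, which is the failure mode behind the "users fail to be authenticated" symptom when the keys on the two sides differ.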
- Configure a pre-authentication domain on CORE to allow packets destined for the DNS server and CAPWAP management network segment to pass through.
```
[CORE] free-rule-template name default_free_rule
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.2 mask 24
[CORE-free-rule-default_free_rule] free-rule 2 source vlan 20
[CORE-free-rule-default_free_rule] quit
```
- Configure the policy association function on core and access switches.
# Configure Eth-Trunk 10 and Eth-Trunk 20 on CORE as control points.
```
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] authentication control-point
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] authentication control-point
[CORE-Eth-Trunk20] quit
```
# Configure GE0/0/3 on ACC1 as the access point. The configuration of ACC2 is similar to that of ACC1.
```
<ACC1> system-view
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] authentication access-point
[ACC1-GigabitEthernet0/0/3] quit
```
# Configure ACLs and ACL rules for user authorization on CORE. Specifically, configure ACL 3001 and ACL 3002 to control the network access rights of employees and guests, respectively.
```
[CORE] acl 3001 //Configure an ACL for authorization of employees, so that they can access the Internet and service server after being authenticated.
[CORE-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[CORE-acl-adv-3001] rule 2 permit ip destination 192.168.11.3 0.0.0.0
[CORE-acl-adv-3001] rule 3 deny ip destination any
[CORE-acl-adv-3001] quit
[CORE] acl 3002 //Configure an ACL for authorization of guests, so that they can access the Internet after being authenticated.
[CORE-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[CORE-acl-adv-3002] rule 2 deny ip destination any
[CORE-acl-adv-3002] quit
```
# Set the access switch login authentication mode to none authentication on CORE.
```
[CORE] as-auth
[CORE-as-auth] auth-mode none
[CORE-as-auth] quit
```
# Configure the source interface of the CAPWAP tunnel on CORE.
```
[CORE] capwap source interface vlanif 20
```
# Configure the source interface for establishing a CAPWAP tunnel on each access switch. The following uses ACC1 as an example. The configuration of ACC2 is similar to that of ACC1.
```
[ACC1] interface vlanif 20
[ACC1-Vlanif20] ip address dhcp-alloc
[ACC1-Vlanif20] quit
[ACC1] as access interface vlanif 20
[ACC1] as access controller ip-address 192.168.20.1 //IP address of VLANIF 20 on CORE
```
# Enable access switches to allow packets destined for the DNS server to pass through. The following uses ACC1 as an example. The configuration of ACC2 is similar to that of ACC1.
```
[ACC1] free-rule-template name default_free_rule
[ACC1-free-rule-default_free_rule] free-rule 2 destination ip 192.168.11.2 mask 24
[ACC1-free-rule-default_free_rule] quit
```
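To make the pre-authentication domain (the free-rule templates on CORE and the access switches) and the post-authentication domains (ACL 3001 for employees, ACL 3002 for guests) concrete, the following evaluator, added to this page and not part of the original document, parses the page's own rule text and reports which destinations a user can reach in each state. It assumes first-match semantics in ascending rule-number order, and it includes the free rule in both forms the page shows it (mask length 24 in the procedure, 255.255.0.0 in the CORE configuration file) plus a constructed host-only variant that is not on the page.

```python
"""Pre- and post-authentication domains of this deployment evaluated against a
destination: the free-rule template (what an unauthenticated user can reach)
and the authorization ACLs 3001 (employees) and 3002 (guests).  Example added
to this page; the rule texts are the page's own, FREE_RULES_HOST_ONLY is a
constructed variant, and the evaluator assumes rules are matched in ascending
rule-number order with no default applied after the last rule."""
import ipaddress

ACL_3001 = """\
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.11.3 0.0.0.0
rule 3 deny ip destination any
"""
ACL_3002 = """\
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 deny ip destination any
"""
# Pre-authentication domain as typed in the procedure (mask length 24).
FREE_RULES_PROCEDURE = """\
free-rule 1 destination ip 192.168.11.2 mask 24
free-rule 2 source vlan 20
"""
# The same template as it appears in the CORE configuration file (255.255.0.0).
FREE_RULES_CONFIG_FILE = """\
free-rule 1 destination ip 192.168.11.2 mask 255.255.0.0
free-rule 2 source vlan 20
"""
# Constructed variant (not on the page) that admits only the DNS server itself.
FREE_RULES_HOST_ONLY = "free-rule 1 destination ip 192.168.11.2 mask 32\n"


def ip_matches(ip, rule_ip, wildcard):
    """ACL wildcard: 0 bits must match, 1 bits are don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care == int(ipaddress.IPv4Address(rule_ip)) & care


def parse_acl_rules(text):
    """'rule N permit|deny ip [destination A.B.C.D W.X.Y.Z | destination any]'."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "rule":
            continue
        dest = None
        if "destination" in parts:
            i = parts.index("destination")
            if parts[i + 1] != "any":
                wildcard = parts[i + 2]
                if wildcard == "0":           # shorthand the config file uses for 0.0.0.0
                    wildcard = "0.0.0.0"
                dest = (parts[i + 1], wildcard)
        rules.append((int(parts[1]), parts[2], dest))
    return sorted(rules)


def acl_decision(rules, dst_ip):
    """First matching rule wins; None when nothing matched (the page's ACLs end
    in an explicit 'deny ip destination any', so that case does not arise here)."""
    for _, action, dest in rules:
        if dest is None or ip_matches(dst_ip, *dest):
            return action
    return None


def parse_free_rules(text):
    """'free-rule N destination ip A.B.C.D mask <len|dotted>' or 'free-rule N source vlan V'."""
    rules = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 5 or p[0] != "free-rule":
            continue
        if p[2] == "destination" and p[3] == "ip":
            rules.append(("destination", ipaddress.ip_network(f"{p[4]}/{p[6]}", strict=False)))
        elif p[2] == "source" and p[3] == "vlan":
            rules.append(("source-vlan", int(p[4])))
    return rules


def pre_auth_allowed(rules, dst_ip, src_vlan):
    """True if an unauthenticated packet from src_vlan to dst_ip passes the template.
    Traffic to the RADIUS/Portal server (192.168.11.1) is exempt by default on the
    switch regardless of these rules, as the page's precautions state."""
    for kind, value in rules:
        if kind == "destination" and ipaddress.IPv4Address(dst_ip) in value:
            return True
        if kind == "source-vlan" and src_vlan == value:
            return True
    return False


def describe_access(dst_ip, src_vlan=50):
    """Reachability of dst_ip from a PC1-style user (VLAN 50) in each state."""
    return {
        "before authentication": pre_auth_allowed(parse_free_rules(FREE_RULES_PROCEDURE), dst_ip, src_vlan),
        "employee (ACL 3001)": acl_decision(parse_acl_rules(ACL_3001), dst_ip),
        "guest (ACL 3002)": acl_decision(parse_acl_rules(ACL_3002), dst_ip),
    }


if __name__ == "__main__":
    for target in ("192.168.11.2", "192.168.11.3", "172.16.3.1", "10.0.0.1"):
        print(target, describe_access(target))
```

Running it shows the point worth checking in a design review: `mask 24` on 192.168.11.2 opens all of 192.168.11.0/24 before authentication, which includes the service server 192.168.11.3 that ACL 3002 withholds from authenticated guests, and the `255.255.0.0` form in the configuration file widens that to 192.168.0.0/16. If the intent is only DNS resolution before login, the host-only variant limits the rule to the DNS server.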
- On CORE, configure 802.1X authentication for employees and MAC address-prioritized Portal authentication for guests.
Configure 802.1X authentication for employees.
# Change the NAC mode to unified.
By default, the unified mode is used. The switch will restart automatically after the NAC mode is changed between common and unified modes.
```
[CORE] authentication unified-mode
```
# Configure an 802.1X access profile.
```
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] quit
```
# Configure an authentication profile for employees.
```
[CORE] authentication-profile name p1
[CORE-authen-profile-p1] dot1x-access-profile d1
[CORE-authen-profile-p1] free-rule-template default_free_rule
[CORE-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p1] quit
```
# Configure 802.1X authentication for wired access of employees on downlink interfaces Eth-Trunk 10 and Eth-Trunk 20.
```
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] authentication-profile p1
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] authentication-profile p1
[CORE-Eth-Trunk20] quit
```
# Configure 802.1X authentication for wireless access of employees in VAP profile vap1.
```
[CORE] wlan
[CORE-wlan-view] vap-profile name vap1
[CORE-wlan-vap-prof-vap1] authentication-profile p1
[CORE-wlan-vap-prof-vap1] quit
[CORE-wlan-view] quit
```
Configure MAC address-prioritized Portal authentication for guests.
# Configure Portal server template tem_portal, and set parameters for interconnection between CORE and the Portal server. The parameters include the IP address, port number, and shared key of the Portal server.
```
[CORE] web-auth-server tem_portal
[CORE-web-auth-server-tem_portal] server-ip 192.168.11.1 //Configure the IP address of the Portal server.
[CORE-web-auth-server-tem_portal] port 50200 //The Portal server port number is fixed at 50200 when Agile Controller-Campus functions as the Portal server.
[CORE-web-auth-server-tem_portal] shared-key cipher YsHsjx_202206 //Configure a shared key used by CORE to exchange information with the Portal server, which must be the same as that configured on Agile Controller-Campus.
[CORE-web-auth-server-tem_portal] url http://192.168.11.1:8080/portal //Configure a URL for the Portal server.
[CORE-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0 action log //Enable the Portal server detection function so that you can learn the Portal server status in real time and users can still access the network even if the Portal server is faulty. Note that the value of interval must be greater than or equal to 15, in seconds; the recommended value is 100.
[CORE-web-auth-server-tem_portal] quit
```
# Configure a Portal access profile.
```
[CORE] portal-access-profile name web1
[CORE-portal-acces-profile-web1] web-auth-server tem_portal direct
[CORE-portal-acces-profile-web1] quit
```
# Configure a MAC access profile.
```
[CORE] mac-access-profile name mac1
[CORE-mac-access-profile-mac1] quit
```
# Configure an authentication profile for guests.
```
[CORE] authentication-profile name p2
[CORE-authen-profile-p2] portal-access-profile web1
[CORE-authen-profile-p2] mac-access-profile mac1
[CORE-authen-profile-p2] free-rule-template default_free_rule
[CORE-authen-profile-p2] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p2] quit
```
# Configure MAC address-prioritized Portal authentication for guests in the VAP profile vap2.
```
[CORE] wlan
[CORE-wlan-view] vap-profile name vap2
[CORE-wlan-vap-prof-vap2] authentication-profile p2
[CORE-wlan-vap-prof-vap2] quit
[CORE-wlan-view] quit
```
- Configure 802.1X authentication for employees on access switches. The following uses ACC1 as an example. The configuration of ACC2 is similar to that of ACC1.
# Configure an 802.1X access profile.
```
[ACC1] dot1x-access-profile name d1
[ACC1-dot1x-access-profile-d1] quit
```
# Configure an authentication profile for employees.
```
[ACC1] authentication-profile name p1
[ACC1-authen-profile-p1] dot1x-access-profile d1
[ACC1-authen-profile-p1] quit
```
# Configure 802.1X authentication for wired access of employees on the downlink interface GE0/0/3.
```
[ACC1] interface GigabitEthernet 0/0/3
[ACC1-GigabitEthernet0/0/3] authentication-profile p1
[ACC1-GigabitEthernet0/0/3] quit
```
- Configure transparent transmission of 802.1X packets on both aggregation switches (AGG1 and AGG2) and access switches (ACC1 and ACC2).
# Configure aggregation switches. The following uses AGG1 as an example. The configuration of AGG2 is similar to that of AGG1.
```
[AGG1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] l2protocol-tunnel user-defined-protocol 802.1x enable
[AGG1-Eth-Trunk10] quit
[AGG1] interface eth-trunk 30
[AGG1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[AGG1-Eth-Trunk30] quit
```
# Configure access switches. The following uses ACC1 as an example. The configuration of ACC2 is similar to that of ACC1.
```
[ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-Eth-Trunk30] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/4] quit
```
- Configure Agile Controller-Campus.
- Log in to Agile Controller-Campus.
Open a browser, enter the access address of Agile Controller-Campus in the address box, and press Enter.
The following table describes addresses for accessing Agile Controller-Campus.

| Access Address | Description |
|---|---|
| https://Agile Controller-Campus-IP:8443 | Agile Controller-Campus-IP indicates the IP address of Agile Controller-Campus. |
| IP address of Agile Controller-Campus | If port 80 is enabled during installation, you can access Agile Controller-Campus by simply entering its IP address without the port number. In this case, the Agile Controller-Campus URL will automatically change to https://Agile Controller-Campus-IP:8443. |
If you log in to Agile Controller-Campus for the first time, log in as the super administrator. Change the password immediately after the first login. Otherwise, Agile Controller-Campus cannot be used.
- Add switches so that they can communicate with Agile Controller-Campus. Choose Resource > Device > Device Management, click Add, and configure device information and authentication parameters.

Table 2-53 RADIUS and Portal parameters

| Parameter | Value | Description |
|---|---|---|
| Name | CORE | - |
| IP address | 192.168.11.254 | IP address of a switch's interface that can communicate with the service controller. |
| Authentication/Accounting key | YsHsjx_202206 | Same as the shared key of the RADIUS server configured on the switch. |
| Authorization key | YsHsjx_202206 | Same as the authorization key of the RADIUS server configured on the switch. |
| Real-time accounting interval (minute) | 15 | Same as that configured on the switch. |
| Port | 2000 | Port used by the switch to communicate with the Portal server. Use the default value. |
| Portal key | YsHsjx_202206 | Same as that configured on the switch. |
| Enable heartbeat between access device and Portal server | Selected | The Portal server can periodically send heartbeat packets to CORE only when this option is selected and the Portal server IP address is added to the Portal server IP address list; CORE determines the Portal server status from these packets. This setting corresponds to the server-detect command configured in the Portal server template view on CORE. |
| Portal server IP address list | 192.168.11.1 | |

Figure 2-36 Adding a device

- Create user groups and accounts. The following describes how to configure the user group employee. The configuration of the user group guest is similar.
Choose Resource > User > User Management.
- In the operation area on the left, create the user group employee.
Figure 2-37 Adding a user group
- Click Add in the operation area on the right, and add an account.
Figure 2-38 Adding an account
- Click Transfer in the operation area on the right, and add the account to the user group employee.
Figure 2-39 Adding an account to a user group
- Enable MAC address-prioritized Portal authentication.
Choose System > Terminal Configuration > Global Parameters > Access Management.
On the Configure MAC Address-Prioritized Portal Authentication tab page, enable MAC address-prioritized Portal authentication, and set Validity period of MAC address (min) to 60.
Figure 2-40 Configuring MAC address-prioritized Portal authentication
- Configure authorization. End users will match authorization rules based on specified conditions. The following describes how to configure authorization for employees. The configuration for guests is similar.
Choose Policy > Permission Control > Authentication & Authorization > Authorization Result, and configure a post-authentication domain for employees.
Figure 2-41 Adding an authorization result
- Choose Resource > User > IP Address Range, set the name of an IP address range to wire, and add IP address segments 172.16.50.0/24 and 172.16.60.0/24.
Figure 2-42 Adding an IP address range
Figure 2-43 Adding an IP address range
Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule, and configure authorization rules for employees and guests according to the following tables. The following describes how to configure authorization rules for employees. The configuration for guests is similar.
Table 2-54 Authorization rule for wired access of employees

| Name | User Group | Terminal IP Address Range | Authorization Result |
|---|---|---|---|
| wire_employee_auth_rule | employee | wire | employee_domain |

Table 2-55 Authorization rule for wireless access of employees

| Name | User Group | SSID | Authorization Result |
|---|---|---|---|
| wireless_employee_auth_rule | employee | test01 | employee_domain |

Table 2-56 Authorization rule for guests

| Name | User Group | SSID | Authorization Result |
|---|---|---|---|
| guest_auth_rule | guest | test02 | guest_domain |

Figure 2-44 Authorization rule for wired access of employees
Figure 2-45 Authorization rule for wireless access of employees
Verifying the Deployment
| Check Item | Expected Result |
|---|---|
| Employee authentication | |
| Guest authentication | |
The following uses the employee account user1 as an example. Run the display access-user username user1 detail command on CORE to check the online, authentication, and authorization information of the employee account.
```
[CORE] display access-user username user1 detail
  Basic:
  User ID                         : 115871
  User name                       : user1 //User name
  Domain-name                     : huawei.com //Authentication domain
  User MAC                        : 00e0-fc12-3344
  User IP address                 : 172.16.50.161
  User vpn-instance               : -
  User IPv6 address               : FE80::E9AA:9FE9:95F9:C499
  User IPv6 link local address    : FE80::E9AA:9FE9:95F9:C499
  User access Interface           : Eth-Trunk10 //Interface on which the user goes online
  User vlan event                 : Success
  QinQVlan/UserVlan               : 0/50
  User vlan source                : user request
  User access time                : 2019/08/13 10:02:31
  User accounting session ID      : CORE00210000000050ab****030449f
  User access type                : 802.1x //User access type
  AS ID                           : 0 //ID of the access device
  AS name                         : acc1 //Name of the access device
  AS IP                           : 192.168.20.56 //IP address of the access device
  AS MAC                          : 00e0-fc12-4455 //MAC address of the access device
  AS Interface                    : GigabitEthernet0/0/2 //Access point
  Terminal Device Type            : Data Terminal
  Dynamic ACL ID(Effective)       : 3001 //Authorization ACL
  Dynamic service scheme          : test //Service scheme
  AAA:
  User authentication type        : 802.1x authentication //Authentication mode
  Current authentication method   : RADIUS
  Current authorization method    : -
  Current accounting method       : RADIUS
  ------------------------------------------------------------------------------
  Total: 1, printed: 1
```
Choose Resource > User > RADIUS Log on Agile Controller-Campus to check RADIUS authentication logs of the employee account.
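When many users are online, reading each `display access-user ... detail` entry by eye does not scale. The following script, added to this page and not part of the original document, parses that output into a dictionary and audits an employee session against the values this deployment should produce: domain huawei.com, access type 802.1x, authorization ACL 3001, RADIUS authentication and accounting, and a user IP address inside the data-plan segment of the user's VLAN. The sample output is copied from the page; the expected values are taken from its procedure and data plan.

```python
"""Audit of 'display access-user username <user> detail' output from CORE
against the expected values of this deployment.  Example added to this page;
SAMPLE_OUTPUT is the page's own display output, DATA_PLAN_VLANS and
EXPECTED_EMPLOYEE are taken from its data plan and procedure."""
import ipaddress

SAMPLE_OUTPUT = """\
  Basic:
  User ID                         : 115871
  User name                       : user1 //User name
  Domain-name                     : huawei.com //Authentication domain
  User MAC                        : 00e0-fc12-3344
  User IP address                 : 172.16.50.161
  User vpn-instance               : -
  User IPv6 address               : FE80::E9AA:9FE9:95F9:C499
  User IPv6 link local address    : FE80::E9AA:9FE9:95F9:C499
  User access Interface           : Eth-Trunk10 //Interface on which the user goes online
  User vlan event                 : Success
  QinQVlan/UserVlan               : 0/50
  User vlan source                : user request
  User access time                : 2019/08/13 10:02:31
  User accounting session ID      : CORE00210000000050ab****030449f
  User access type                : 802.1x //User access type
  AS ID                           : 0 //ID of the access device
  AS name                         : acc1 //Name of the access device
  AS IP                           : 192.168.20.56 //IP address of the access device
  AS MAC                          : 00e0-fc12-4455 //MAC address of the access device
  AS Interface                    : GigabitEthernet0/0/2 //Access point
  Terminal Device Type            : Data Terminal
  Dynamic ACL ID(Effective)       : 3001 //Authorization ACL
  Dynamic service scheme          : test //Service scheme
  AAA:
  User authentication type        : 802.1x authentication //Authentication mode
  Current authentication method   : RADIUS
  Current authorization method    : -
  Current accounting method       : RADIUS
  ------------------------------------------------------------------------------
  Total: 1, printed: 1
"""

# Wired service VLANs and segments from the data plan (PC1 and PC2).
DATA_PLAN_VLANS = {
    50: ipaddress.ip_network("172.16.50.0/24"),
    60: ipaddress.ip_network("172.16.60.0/24"),
}

# What an authenticated employee session on CORE should show.
EXPECTED_EMPLOYEE = {
    "Domain-name": "huawei.com",
    "User access type": "802.1x",
    "Dynamic ACL ID(Effective)": "3001",
    "Current authentication method": "RADIUS",
    "Current accounting method": "RADIUS",
}


def parse_access_user(output):
    """Turn 'Key : value //comment' lines into a dict; section headers,
    separators and the trailing total carry no ' : ' and are skipped."""
    entry = {}
    for raw in output.splitlines():
        line = raw.split("//", 1)[0].rstrip()
        if " : " not in line:
            continue
        key, _, value = line.partition(" : ")
        entry[key.strip()] = value.strip()
    return entry


def audit_employee_session(entry, vlan_plan=DATA_PLAN_VLANS):
    """Return a list of mismatches; an empty list means the session looks right."""
    findings = []
    for key, expected in EXPECTED_EMPLOYEE.items():
        if entry.get(key) != expected:
            findings.append(f"{key}: expected {expected!r}, got {entry.get(key)!r}")
    # The user's VLAN and IP address must agree with the data plan.
    user_vlan = int(entry["QinQVlan/UserVlan"].split("/")[1])
    user_ip = ipaddress.ip_address(entry["User IP address"])
    segment = vlan_plan.get(user_vlan)
    if segment is None or user_ip not in segment:
        findings.append(f"User IP address {user_ip} is outside the data-plan segment for VLAN {user_vlan} ({segment})")
    return findings


if __name__ == "__main__":
    session = parse_access_user(SAMPLE_OUTPUT)
    print(session["User name"], audit_employee_session(session) or "OK")
```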
Configuration Files
- CORE configuration file
```
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
authentication-profile name p1
 dot1x-access-profile d1
 free-rule-template default_free_rule
 access-domain huawei.com force
authentication-profile name p2
 mac-access-profile mac1
 portal-access-profile web1
 free-rule-template default_free_rule
 access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
 radius-server shared-key cipher %^%#3^oCZ#^K<9>lUH"Mg_%U3aNI>aQqK!^:syMdU*&S%^%#
 radius-server authentication 192.168.11.1 1812 weight 80
 radius-server accounting 192.168.11.1 1813 weight 80
radius-server authorization 192.168.11.1 shared-key cipher %^%#gRHYK,u,HU'@T$~SK\IK'%P".ySe/6;4[4'HJ(/<%^%#
#
acl number 3001
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.11.3 0
 rule 3 deny ip
acl number 3002
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 deny ip
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.11.2 mask 255.255.0.0
 free-rule 2 source vlan 20
#
web-auth-server tem_portal
 server-ip 192.168.11.1
 port 50200
 shared-key cipher %^%#}czkQj/H4NTr~B$84qB."XQ(;1'$}:;L4z;K~c]P%^%#
 url http://192.168.11.1:8080/portal
 server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
 web-auth-server tem_portal direct
#
vlan 30
 dhcp snooping enable
vlan 40
 dhcp snooping enable
vlan 50
 dhcp snooping enable
vlan 60
 dhcp snooping enable
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
 domain huawei.com
  authentication-scheme auth
  accounting-scheme acco
  radius-server tem_rad
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 dhcp select interface
#
interface Vlanif30
 ip address 172.16.30.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.2
#
interface Vlanif40
 ip address 172.16.40.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.2
#
interface Vlanif50
 ip address 172.16.50.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.2
#
interface Vlanif60
 ip address 172.16.60.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.2
#
interface Vlanif1000
 ip address 192.168.11.254 255.255.255.0
#
interface Eth-Trunk10
 description con to AGG1
 port link-type trunk
 port trunk allow-pass vlan 20 50
 authentication control-point
 authentication-profile p1
#
interface Eth-Trunk20
 description con to AGG2
 port link-type trunk
 port trunk allow-pass vlan 20 60
 authentication control-point
 authentication-profile p1
#
interface XGigabitEthernet1/1/0/1
 eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
 eth-trunk 20
#
interface XGigabitEthernet1/2/0/1
 port link-type access
 port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
 eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
 eth-trunk 10
#
capwap source interface vlanif20
#
wlan
 traffic-profile name traff1
  user-isolate l2
 traffic-profile name traff2
  user-isolate l2
 security-profile name sec1
  security wpa2 dot1x aes
 security-profile name sec2
  security open
 ssid-profile name ssid1
  ssid test01
 ssid-profile name ssid2
  ssid test02
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
  ssid-profile ssid1
  security-profile sec1
  traffic-profile traff1
  authentication-profile p1
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 40
  ssid-profile ssid2
  security-profile sec2
  traffic-profile traff2
  authentication-profile p2
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
  radio 1
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
 ap-id 1 type-id 30 ap-mac 00e0-fc12-4400 ap-sn 2102355547W0E3000316
  ap-name area_1
  ap-group ap-group1
 ap-id 2 type-id 56 ap-mac 00e0-fc12-3390 ap-sn 21500829352SGA900583
  ap-name area_2
  ap-group ap-group1
#
as-auth
 auth-mode none
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
```
- AGG1 configuration file
```
#
sysname AGG1
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk10
 description connect to CORE
 port link-type trunk
 port trunk allow-pass vlan 20 50
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface Eth-Trunk30
 port link-type trunk
 port trunk allow-pass vlan 20 50
 l2protocol-tunnel user-defined-protocol 802.1x enable
 port-isolate enable group 1
#
interface XGigabitEthernet0/0/1
 eth-trunk 10
#
interface GigabitEthernet0/0/3
 eth-trunk 30
#
interface XGigabitEthernet1/0/1
 eth-trunk 10
#
interface GigabitEthernet1/0/3
 eth-trunk 30
#
return
```
- AGG2 configuration file
```
#
sysname AGG2
#
vlan batch 20 60
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk20
 description connect to CORE
 port link-type trunk
 port trunk allow-pass vlan 20 60
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface Eth-Trunk40
 port link-type trunk
 port trunk allow-pass vlan 20 60
 l2protocol-tunnel user-defined-protocol 802.1x enable
 port-isolate enable group 1
#
interface XGigabitEthernet0/0/1
 eth-trunk 20
#
interface GigabitEthernet0/0/3
 eth-trunk 40
#
interface XGigabitEthernet1/0/1
 eth-trunk 20
#
interface GigabitEthernet1/0/3
 eth-trunk 40
#
return
```
- ACC1 configuration file
```
#
sysname ACC1
#
vlan batch 20 50
#
authentication-profile name p1
 dot1x-access-profile d1
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
as access interface vlanif 20
as access controller ip-address 192.168.20.1
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.11.2 mask 255.255.255.0
#
interface Vlanif20
 ip address dhcp-alloc
#
interface Eth-Trunk30
 port link-type trunk
 port trunk allow-pass vlan 20 50
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/1
 eth-trunk 30
#
interface GigabitEthernet0/0/2
 eth-trunk 30
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 50
 authentication access-point
 authentication-profile p1
 stp edged-port enable
 l2protocol-tunnel user-defined-protocol 802.1x enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 20
 stp edged-port enable
 l2protocol-tunnel user-defined-protocol 802.1x enable
 port-isolate enable group 1
#
dot1x-access-profile name d1
#
return
```
- ACC2 configuration file
```
#
sysname ACC2
#
vlan batch 20 60
#
authentication-profile name p1
 dot1x-access-profile d1
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
as access interface vlanif 20
as access controller ip-address 192.168.20.1
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.11.2 mask 255.255.255.0
#
interface Vlanif20
 ip address dhcp-alloc
#
interface Eth-Trunk40
 port link-type trunk
 port trunk allow-pass vlan 20 60
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/1
 eth-trunk 40
#
interface GigabitEthernet0/0/2
 eth-trunk 40
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 60
 authentication access-point
 authentication-profile p1
 stp edged-port enable
 l2protocol-tunnel user-defined-protocol 802.1x enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 20
 stp edged-port enable
 l2protocol-tunnel user-defined-protocol 802.1x enable
 port-isolate enable group 1
#
dot1x-access-profile name d1
#
return
```