Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document.
Note: Even the most advanced machine translation cannot match the quality of professional translators.
Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Native AC + Policy Association Solution: Aggregation Switches Function as the Authentication Points for Wired and Wireless Users
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus network to implement high network reliability and forwarding of a large amount of data. Aggregation switches set up stacks to implement device-level backup and increase the interface density and forwarding bandwidth. In addition, aggregation switches are configured with the native AC function to manage APs and transmit wireless service traffic on the entire network, implementing wired and wireless convergence.
In this example, aggregation switches function as the gateways and authentication points for wired and wireless users on the entire network. These users can access the network only after being authenticated. The specific requirements are as follows:
Users include employees (wired and wireless) who use 802.1X authentication and guests (wireless only) who use MAC address-prioritized Portal authentication.
- Agile Controller-Campus functions as both the authentication server and user service data source server.
- Policy association is deployed between aggregation switches and access switches. The aggregation switches function as control devices to centrally authenticate users and manage user access policies, and access devices only need to execute user access policies. This function not only controls network access rights of users, but also simplifies the configuration and management of access devices.
Figure 2-55 Aggregation switches functioning as authentication points for wired and wireless users
Device Requirements and Versions
Location |
Device Requirement |
Device Used in This Example |
Version Used in This Example |
|---|---|---|---|
Authentication server |
Agile Controller-Campus running V100R001, V100R002, or V100R003 |
Agile Controller-Campus |
V100R003C60SPC206 |
Core layer |
- |
S12700E |
V200R019C10 |
Aggregation layer |
Modular switches equipped with X series cards or Layer 3 fixed switches that support native AC function |
S5731-H |
|
Access layer |
- |
S5735-L |
|
AP |
- |
AP6050DN |
V200R019C00 |
Deployment Roadmap
Step |
Deployment Roadmap |
Devices Involved |
|---|---|---|
Configure switches. |
1. Enable campus network connectivity. |
All switches |
2. Configure AAA, including configuring a RADIUS server template, AAA schemes, and authentication domains, as well as configuring parameters for interconnection between switches and the RADIUS server. |
Aggregation switches (AGG1 and AGG2) |
|
3. Configure policy association. |
Aggregation switches (AGG1 and AGG2) and access switches (ACC1 and ACC2) |
|
4. Configure resources accessible to users before they are authenticated (referred to as authentication-free resources), post-authentication domains, and escape function, so that users have corresponding network access rights in different authentication phases. |
Aggregation switches (AGG1 and AGG2) and access switches (ACC1 and ACC2) |
|
5. Configure 802.1X authentication for employees. |
Aggregation switches (AGG1 and AGG2) and access switches (ACC1 and ACC2) |
|
6. Configure MAC address-prioritized Portal authentication for guests. |
Aggregation switches (AGG1 and AGG2) |
|
7. Configure Layer 2 transparent transmission for 802.1X authentication packets. |
Access switches (ACC1 and ACC2) |
|
Configure Agile Controller-Campus. |
8. Add devices that need to communicate with Agile Controller-Campus, and configure RADIUS and Portal authentication parameters. |
- |
9. Add user groups and user accounts. |
||
10. Enable MAC address-prioritized Portal authentication. |
||
11. Configure network access rights for successfully authenticated employees and guests. |
Data Plan
Table 2-63 Service data plan for core switches
Item |
VLAN ID |
Network Segment |
|---|---|---|
Network segment for connecting to the Internet |
- |
172.16.3.0/24 |
Network segment for communication with AGG1 |
VLAN 70 |
172.16.70.0/24 |
Network segment for communication with AGG2 |
VLAN 80 |
172.16.80.0/24 |
Network segment for communication with servers |
VLAN 1000 |
192.168.100.0/24 |
Table 2-64 Service data plan for aggregation switches
Device |
Item |
VLAN ID |
Network Segment |
|---|---|---|---|
AGG1 |
Management VLAN for access devices and APs |
VLAN 20 |
192.168.20.0/24 |
Service VLANs for wireless users |
VLAN 30 (employee) |
172.16.30.0/24 |
|
VLAN 31 (guest) |
172.16.31.0/24 |
||
Service VLAN for wired users |
VLAN 50 |
172.16.50.0/24 |
|
Network segment for communication with CORE |
VLAN 70 |
172.16.70.0/24 |
|
AGG2 |
Management VLAN for access devices and APs |
VLAN 21 |
192.168.21.0/24 |
Service VLANs for wireless users |
VLAN 40 (employee) |
172.16.40.0/24 |
|
VLAN 41 (guest) |
172.16.41.0/24 |
||
Service VLAN for wired users |
VLAN 60 |
172.16.60.0/24 |
|
Network segment for communication with CORE |
VLAN 80 |
172.16.80.0/24 |
Table 2-65 Wireless service data plan for aggregation switches
Item |
Employee |
Guest |
|---|---|---|
Traffic profile |
traff: The user isolation mode is Layer 2 isolation and Layer 3 communication. |
|
Security profiles |
sec1: WPA/WPA2-802.1X authentication |
sec2: open system authentication (default security policy) |
SSID profiles |
ssid1 (SSID: Employee) |
ssid2 (SSID: Guest) |
AP groups |
ap-group1 (AGG1) and ap-group2 (AGG2) |
|
Regulatory domain profiles |
domain1 (AGG1) and domain2 (AGG2) |
|
Service data forwarding mode |
Tunnel forwarding |
|
Service VLANs |
VLAN 30 and VLAN 40 |
VLAN 31 and VLAN 41 |
VAP profiles |
vap1 |
vap2 |
Table 2-66 Authentication service data plan for aggregation switches
Item |
Data |
|---|---|
AAA schemes |
|
RADIUS server |
|
Portal server |
|
802.1X access profile |
|
Portal access profile |
Name: web1 |
MAC access profile |
Name: mac1 |
Authentication-free resources |
DNS server: 192.168.100.2 |
Post-authentication domains |
The IP addresses of the service server, special server, and campus egress device are 192.168.100.3, 192.168.100.100, and 172.16.3.1, respectively. |
Escape function |
Same network access rights as those in post-authentication domains |
Table 2-67 Policy association data plan
Item |
Data |
|---|---|
Control points |
|
Access points |
|
Table 2-68 Service data plan for Agile Controller-Campus
Item |
Data |
|---|---|
User accounts (user name/password) |
|
IP addresses of aggregation switches |
|
RADIUS authentication parameters |
|
Portal authentication parameters |
|
Deployment Precautions
- The RADIUS authentication, accounting, and authorization keys, as well as the Portal key configured on Agile Controller-Campus must be the same as those configured on switches.
- By default, the switch allows the packets sent to RADIUS and Portal servers to pass through. You do not need to configure any authentication-free rule for these packets on switches.
- In the 802.1X authentication scenario, if there is a Layer 2 switch between the 802.1X-enabled switch and users, Layer 2 transparent transmission must be enabled for 802.1X authentication packets on the Layer 2 switch; otherwise, users cannot be successfully authenticated.
- The following describes only the configurations of AGG1 and ACC1. The configuration of AGG2 is similar to that of AGG1, and the configuration of ACC2 is similar to that of ACC1. For details about the configurations, see Configuration Files in this section.
Procedure
- Enable campus network connectivity. For details, see Native AC Solution: Aggregation Switches Function as Gateways for Wired and Wireless Users.
# Configure the network segment for CORE to connect to the Internet, and advertise the network segment using the Open Shortest Path First (OSPF) protocol.
<CORE> system-view [CORE] interface Eth-Trunk 30 [CORE-Eth-Trunk30] undo portswitch [CORE-Eth-Trunk30] description connect to Internet [CORE-Eth-Trunk30] trunkport xgigabitethernet 1/1/0/3 [CORE-Eth-Trunk30] trunkport xgigabitethernet 2/1/0/3 [CORE-Eth-Trunk30] mode lacp [CORE-Eth-Trunk30] ip address 172.16.3.1 24 [CORE-Eth-Trunk30] quit [CORE] ospf 1 router-id 1.1.1.1 [CORE-ospf-1] area 0 [CORE-ospf-1-area-0.0.0.0] network 172.16.3.0 0.0.0.255 [CORE-ospf-1-area-0.0.0.0] quit [CORE-ospf-1] quit
- Configure AAA parameters.# Configure the RADIUS server template tem_rad, and configure the parameters for interconnection between aggregation switches and the RADIUS server, including the IP addresses, port numbers, authentication key, and accounting key of the RADIUS authentication and accounting servers.
<AGG1> system-view [AGG1] radius-server template tem_rad [AGG1-radius-tem_rad] radius-server authentication 192.168.100.10 1812 [AGG1-radius-tem_rad] radius-server accounting 192.168.100.10 1813 [AGG1-radius-tem_rad] radius-server shared-key cipher YsHsjx_202206 [AGG1-radius-tem_rad] quit# Configure a RADIUS authorization server and an authorization key.[AGG1] radius-server authorization 192.168.100.10 shared-key cipher YsHsjx_202206# Configure an AAA authentication scheme and an AAA accounting scheme, set the authentication and accounting modes to RADIUS, and set the accounting interval to 15 minutes.[AGG1] aaa [AGG1-aaa] authentication-scheme auth [AGG1-aaa-authen-auth] authentication-mode radius [AGG1-aaa-authen-auth] quit [AGG1-aaa] accounting-scheme acco [AGG1-aaa-accounting-acco] accounting-mode radius [AGG1-aaa-accounting-acco] accounting realtime 15 [AGG1-aaa-accounting-acco] quit
# Configure the authentication domain huawei.com and bind AAA schemes and RADIUS server template to this domain.[AGG1-aaa] domain huawei.com [AGG1-aaa-domain-huawei.com] authentication-scheme auth [AGG1-aaa-domain-huawei.com] accounting-scheme acco [AGG1-aaa-domain-huawei.com] radius-server tem_rad [AGG1-aaa-domain-huawei.com] quit [AGG1-aaa] quit
- Configure policy association.# Configure Eth-Trunk 30 on the control device AGG1 as a control point.
[AGG1] interface Eth-Trunk 30 [AGG1-Eth-Trunk30] authentication control-point [AGG1-Eth-Trunk30] quit
# Enable access devices to establish CAPWAP tunnels with the control device without authentication.
[AGG1] as-auth [AGG1-as-auth] auth-mode none Warning: None authentication is configured, which has security risks. Continue? [Y/N]:y [AGG1-as-auth] quit
# Configure the source interface used by the control device to establish a CAPWAP tunnel.[AGG1] capwap source interface vlanif 20
# Configure GE0/0/3 on the access device ACC1 as an access point.<ACC1> system-view [ACC1] interface gigabitethernet 0/0/3 [ACC1-GigabitEthernet0/0/3] authentication access-point [ACC1-GigabitEthernet0/0/3] quit
# Configure the source interface used by the access device to establish a CAPWAP tunnel, and specify the IP address of the control device.[ACC1] interface vlanif 20 [ACC1-Vlanif20] ip address dhcp-alloc [ACC1-Vlanif20] quit [ACC1] as access interface vlanif 20 [ACC1] as access controller ip-address 192.168.20.1 //IP address of VLANIF 20 on AGG1
- Configure authentication-free resources, post-authentication domains, and the escape function.# On the control device, configure authentication-free resources to allow packets destined for the DNS server and packets in the management VLAN for policy association to pass through.
[AGG1] free-rule-template name default_free_rule [AGG1-free-rule-default_free_rule] free-rule 1 destination ip 192.168.100.2 mask 32 [AGG1-free-rule-default_free_rule] free-rule 2 source vlan 20 [AGG1-free-rule-default_free_rule] quit
# Configure authentication-free resources on the access device so that it can send all user packets to the control devices for processing.[ACC1] free-rule-template name default_free_rule [ACC1-free-rule-default_free_rule] free-rule 1 destination any source any [ACC1-free-rule-default_free_rule] quit
# Configure post-authentication domains. Configure ACL 3001 and ACL 3002 to control the network access rights of employees and guests, respectively.ACL rules for wireless users are delivered to APs. Therefore, the APs must permit network segments of wireless users and all the network segments that wireless users can access. Otherwise, all packets of wireless users are discarded on APs even if the users are successfully authenticated.
[AGG1] acl 3001 [AGG1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow employees to access the Internet after being authenticated. [AGG1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow employees to access the DNS server after being authenticated. [AGG1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0 //Allow employees to access the service server after being authenticated. [AGG1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255 //Allow employees to communicate with each other. [AGG1-acl-adv-3001] rule 5 permit ip destination 172.16.40.0 0.0.0.255 //Allow employees to communicate with each other. [AGG1-acl-adv-3001] rule 6 permit ip destination 172.16.50.0 0.0.0.255 //Allow employees to communicate with each other. [AGG1-acl-adv-3001] rule 7 permit ip destination 172.16.60.0 0.0.0.255 //Allow employees to communicate with each other. [AGG1-acl-adv-3001] rule 8 deny ip destination any [AGG1-acl-adv-3001] quit [AGG1] acl 3002 [AGG1-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow guests to access the Internet after being authenticated. [AGG1-acl-adv-3002] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow guests to access the DNS server after being authenticated. [AGG1-acl-adv-3002] rule 3 permit ip destination 172.16.31.0 0.0.0.255 //Allow guests to communicate with each other. [AGG1-acl-adv-3002] rule 4 permit ip destination 172.16.41.0 0.0.0.255 //Allow guests to communicate with each other. [AGG1-acl-adv-3002] rule 5 deny ip destination any [AGG1-acl-adv-3002] quit
# Configure the escape function, so that network access rights of employees and guests are not affected if Agile Controller-Campus is faulty.[AGG1] aaa [AGG1-aaa] service-scheme s1 //Enable the switch to grant the network access rights in service scheme s1 to employees if Agile Controller-Campus is faulty. [AGG1-aaa-service-s1] acl-id 3001 [AGG1-aaa-service-s1] quit [AGG1-aaa] service-scheme s2 //Enable the switch to grant the network access rights in service scheme s2 to guests if Agile Controller-Campus is faulty. [AGG1-aaa-service-s2] acl-id 3002 [AGG1-aaa-service-s2] quit [AGG1-aaa] quit
- Configure 802.1X authentication for employees.# Configure an 802.1X access profile on the control device. By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server supports EAP; otherwise, the RADIUS server cannot process 802.1X authentication requests.
[AGG1] dot1x-access-profile name d1 [AGG1-dot1x-access-profile-d1] quit
# Configure an authentication profile for employees on the control device.[AGG1] authentication-profile name p1 [AGG1-authen-profile-p1] dot1x-access-profile d1 [AGG1-authen-profile-p1] free-rule-template default_free_rule [AGG1-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain. [AGG1-authen-profile-p1] authentication event authen-server-down action authorize service-scheme s1 //Enable the switch to grant network access rights to users if the authentication server is faulty. [AGG1-authen-profile-p1] authentication event authen-server-up action re-authen //Configure the switch to re-authenticate employees after the authentication server recovers. [AGG1-authen-profile-p1] quit
# Configure 802.1X authentication for wired access of employees on the downlink interface Eth-Trunk 30 of the control device.[AGG1] interface Eth-Trunk 30 [AGG1-Eth-Trunk30] authentication-profile p1 [AGG1-Eth-Trunk30] quit
# Configure a security policy for wireless users. The security policies for wireless users vary according to authentication modes. For employees who use 802.1X authentication, configure a security policy in security profile sec1 as follows.
User Role
Wireless User Authentication Mode
Security Policy
Remarks
Employee
802.1X authentication
WPA/WPA2-802.1X authentication
In this example, WPA2 authentication is used.
Guest
MAC address-prioritized Portal authentication
Open system authentication
The default security policy is open system authentication. Therefore, you do not need to configure a security policy for guests.
[AGG1] wlan [AGG1-wlan] security-profile name sec1 [AGG1-wlan-sec-prof-sec1] security wpa2 dot1x aes Warning: This action may cause service interruption. Continue?[Y/N]y [AGG1-wlan-sec-prof-sec1] quit
#Configure 802.1X authentication for wireless access of employees in VAP profile vap1.[AGG1-wlan-view] vap-profile name vap1 [AGG1-wlan-vap-prof-vap1] authentication-profile p1 Warning: This action may cause service interruption. Continue?[Y/N]y [AGG1-wlan-vap-prof-vap1] quit [AGG1-wlan-view] quit
# Configure an 802.1X access profile on the access device.[ACC1] dot1x-access-profile name d1 [ACC1-dot1x-access-profile-d1] quit
# Configure an authentication profile for employees on the access device.[ACC1] authentication-profile name p1 [ACC1-authen-profile-p1] dot1x-access-profile d1 [ACC1-authen-profile-p1] quit
# Configure 802.1X authentication for wired access of employees on the downlink interface GE0/0/3 of the access device.[ACC1] interface GigabitEthernet 0/0/3 [ACC1-GigabitEthernet0/0/3] authentication-profile p1 [ACC1-GigabitEthernet0/0/3] quit
- Configure MAC address-prioritized Portal authentication for guests.# Configure Portal server template tem_portal, and set parameters for interconnection between aggregation switches and the Portal server. The parameters include the IP address, port number, and shared key of the Portal server, as well as the URL of the Portal page.
[AGG1] web-auth-server tem_portal [AGG1-web-auth-server-tem_portal] server-ip 192.168.100.10 [AGG1-web-auth-server-tem_portal] port 50200 [AGG1-web-auth-server-tem_portal] shared-key cipher YsHsjx_202206 [AGG1-web-auth-server-tem_portal] url http://192.168.100.10:8080/portal [AGG1-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0 action log //Enable the Portal server detection function so that you can learn the Portal server status in real time and users can still access the network even if the Portal server is faulty. Note that the value of interval must be greater than or equal to 15, in seconds; the recommended value is 100. [AGG1-web-auth-server-tem_portal] quit# Configure a Portal access profile.[AGG1] portal-access-profile name web1 [AGG1-portal-acces-profile-web1] web-auth-server tem_portal direct [AGG1-portal-acces-profile-web1] authentication event portal-server-down action authorize service-scheme s2 //Enable the switch to grant network access rights to users if the Portal server is faulty. [AGG1-portal-acces-profile-web1] authentication event portal-server-up action re-authen //Configure the switch to re-authenticate guests after the Portal server recovers. [AGG1-portal-acces-profile-web1] quit
# Configure a MAC access profile.[AGG1] mac-access-profile name mac1 [AGG1-mac-access-profile-mac1] quit
# Configure an authentication profile for guests.[AGG1] authentication-profile name p2 [AGG1-authen-profile-p2] portal-access-profile web1 [AGG1-authen-profile-p2] mac-access-profile mac1 [AGG1-authen-profile-p2] free-rule-template default_free_rule [AGG1-authen-profile-p2] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain. [AGG1-authen-profile-p2] authentication event authen-server-down action authorize service-scheme s2 //Enable the switch to grant network access rights to users if the authentication server is faulty. [AGG1-authen-profile-p2] authentication event authen-server-up action re-authen //Configure the switch to re-authenticate guests after the authentication server recovers. [AGG1-authen-profile-p2] quit
# Configure MAC address-prioritized Portal authentication for guests in the VAP profile vap2.[AGG1] wlan [AGG1-wlan-view] vap-profile name vap2 [AGG1-wlan-vap-prof-vap2] authentication-profile p2 Warning: This action may cause service interruption. Continue?[Y/N]y [AGG1-wlan-vap-prof-vap2] quit [AGG1-wlan-view] quit
- Configure Layer 2 transparent transmission for 802.1X authentication packets on the access device. This function needs to be configured on all interfaces through which 802.1X authentication packets pass. If a switch does not support the bpdu enable command, you only need to run the l2protocol-tunnel user-defined-protocol 802.1x enable command on its interface.
<ACC1> system-view [ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 [ACC1] interface Eth-Trunk 30 [ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable [ACC1-Eth-Trunk30] quit [ACC1] interface gigabitethernet 0/0/3 [ACC1-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable [ACC1-GigabitEthernet0/0/3] quit [ACC1] interface gigabitethernet 0/0/4 [ACC1-GigabitEthernet0/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable [ACC1-GigabitEthernet0/0/4] quit
- Log in to Agile Controller-Campus, add devices that need to communicate with Agile Controller-Campus, and configure RADIUS and Portal authentication parameters.# Choose Resource > Device > Device Management, click Add, set parameters according to Table 2-69, and click OK.Table 2-69 Parameter settings on Agile Controller-Campus and AGG1
Parameter on Agile Controller-Campus
Configuration on Agile Controller-Campus
Configuration on AGG1
Name
AGG1
-
IP address
172.16.70.2
IP address of VLANIF 70, which is used by AGG1 to communicate with Agile Controller-Campus
Enable RADIUS (mandatory for 802.1X, Portal, and MAC address authentication, Free Mobility, and Service Chain)
Selected
-
Device series
Huawei S Series
-
Authentication/Accounting key
YsHsjx_202206
[AGG1-radius-tem_rad] radius-server shared-key cipher YsHsjx_202206Authorization key
YsHsjx_202206
[AGG1] radius-server authorization 192.168.100.10 shared-key cipher YsHsjx_202206Real-time accounting interval (minute)
15
[AGG1-aaa-accounting-acco] accounting realtime 15
Enable Portal (mandatory for Portal authentication)
Selected
-
Portal protocol type
HUAWEI portal protocol
-
Portal key
YsHsjx_202206
[AGG1-web-auth-server-tem_portal] shared-key cipher YsHsjx_202206Access terminal IPv4 list
172.16.30.0/24;172.16.31.0/24
List of IP addresses used by employees and guests for accessing the network in wireless mode
Enable heartbeat between access device and Portal server
Selected
Only when Enable heartbeat between access device and Portal server is selected and the Portal server IP address is added to the Portal server IP address list, the Portal server can periodically send heartbeat packets to AGG1, based on which AGG1 determines the Portal server status. This configuration corresponds to the server-detect command configured in the Portal server template view on AGG1.
Portal server IP address list
192.168.100.10
- Add user groups and user accounts. The following describes how to create an employee group and an employee account. The procedure for creating a guest group and a guest account is similar.
# Choose Resource > User > User Management. Click
in the operation area on the left, add a user group named Employee, and click OK. Click Add in the operation area on the right, and add an employee account.
- Enable MAC address-prioritized Portal authentication.
# Choose System > Terminal Configuration > Global Parameters > Access Management. On the Configure MAC Address-Prioritized Portal Authentication tab page, enable MAC address-prioritized Portal authentication, set Validity period of MAC address (min) to 60, and click OK.
- Configure network access rights for successfully authenticated employees and guests.
# Configure authorization results. Choose Policy > Permission Control > Authentication & Authorization > Authorization Result, click Add, set parameters according to Table 2-70, and click OK. Here, the employee authorization result is used as an example.
Table 2-70 Authorization results for employees and guestsName
Authorization Parameter: ACL Number/AAA User Group
Employee authorization result
3001
Guest authorization result
3002
# Configure authorization rules. Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule, click Add, set parameters according to Table 2-71, and click OK. Here, the employee authorization rule is used as an example.
Table 2-71 Authorization rules for employees and guestsName
Authorization Condition: User Group
Authorization Result
Employee authorization rule
Employee
Employee authorization result
Guest authorization rule
Guest
Guest authorization result
in the operation area on the left, add a user group named Employee, and click OK. Click Add in the operation area on the right, and add an employee account.
Expected Results
- Access devices can go online on the control device.
- The employees and guest can access only the authentication-free resources, but not resources in post-authentication domains, before they are authenticated or when they fail the authentication.
- The employees and guest can be successfully authenticated and access the network after selecting the correct access mode and entering the correct user names and passwords.
- After being authenticated, the employees and guest can access authentication-free resources and resources in post-authentication domains, but cannot access resources that are denied in the post-authentication domains.
- The employees can communicate with each other, but cannot communicate with the guest.
When a guest accesses the network for the first time, the guest can associate with the WLAN Guest through a mobile terminal, and enter http://192.168.100.10:8080/portal in the address box of a browser for Portal authentication. On the redirection page that is displayed, the guest can enter the user name and password, and then is successfully authenticated. If the guest disconnects from the WLAN and reconnects to the WLAN Guest within 1 hour, MAC address-prioritized Portal authentication is triggered. The guest can directly connect to the WLAN without entering the user name and password again.
Verifying the Deployment
- Verify that access devices can go online on the control device.# Run the display as all command on the control device. The command output shows that the access device is online.
[AGG1] display as all Total: 1, Normal: 1, Fault: 0, Idle: 0, Version mismatch: 0 -------------------------------------------------------------------------------- No. Type MAC IP State Name -------------------------------------------------------------------------------- 0 S5735-L 00e0-fc12-4455 192.168.20.220 normal acc1 --------------------------------------------------------------------------------
- Verify that the employees and guest can access only the authentication-free resources, but not resources in post-authentication domains, before they are authenticated or when they fail the authentication. The following uses wired access of an employee as an example.# Enter an incorrect user name or password on PC1, and then run the display access-user command on AGG1 to view information about online users. The command output shows that user1 is online but is in Pre-authen state; that is, authentication has not been performed or user authentication fails.
[AGG1] display access-user ------------------------------------------------------------------------------------------------------ UserID Username IP address MAC Status ------------------------------------------------------------------------------------------------------ 49208 user1 172.16.50.172 00e0-fc12-3344 Pre-authen ------------------------------------------------------------------------------------------------------ Total: 1, printed: 1
# On PC1, ping an authentication-free resource, for example, the DNS server with IP address 192.168.100.2. The ping operation succeeds.C:\Users\*******>ping 192.168.100.2 Pinging 192.168.100.2 with 32 bytes of data: Reply from 192.168.100.2: bytes=32 time<1ms TTL=252 Reply from 192.168.100.2: bytes=32 time<1ms TTL=252 Reply from 192.168.100.2: bytes=32 time<1ms TTL=252 Reply from 192.168.100.2: bytes=32 time<1ms TTL=252 Ping statistics for 192.168.100.2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms C:\Users\*******># On PC1, ping a resource in the post-authentication domain, for example, the campus egress device with IP address 172.16.3.1. The ping operation fails.C:\Users\*******>ping 172.16.3.1 Pinging 172.16.3.1 with 32 bytes of data: Request time out. Request time out. Request time out. Request time out. Ping statistics for 172.16.3.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), C:\Users\*******> - Verify that the employees and guest can be successfully authenticated and access the network after selecting the correct access mode and entering the correct user names and passwords.# Enter the correct user name and password of the wired employee user on PC1, connect to the WLANs Employee and Guest using wireless user accounts, and then run the display access-user command on AGG1 to view information about online users. The command output shows that both the employee and guest users are in Success state.
[AGG1] display access-user ------------------------------------------------------------------------------------------------------ UserID Username IP address MAC Status ------------------------------------------------------------------------------------------------------ 49208 user1 172.16.50.172 00e0-fc12-3344 Success 49212 user2 172.16.30.81 00e0-fc12-3366 Success 49216 guest4 172.16.31.153 00e0-fc12-3355 Success ------------------------------------------------------------------------------------------------------ Total: 3, printed: 3
# Run the display access-user username user1 detail command on AGG1 to view the authentication, authorization, and access location (GE0/0/3 on ACC1) information of user1.[AGG1] display access-user username user1 detail Basic: User ID : 49208 User name : user1 Domain-name : huawei.com User MAC : 00e0-fc12-3344 User IP address : 172.16.50.172 User vpn-instance : - User IPv6 address : FE80::E9AA:9FE9:95F9:C499 User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499 User access Interface : Eth-Trunk30 User vlan event : Success QinQVlan/UserVlan : 0/50 User vlan source : user request User access time : 2019/09/03 17:16:16 User accounting session ID : LSW5-AG0001800000005061****0300038 User access type : 802.1x AS ID : 0 AS name : acc1 AS IP : 192.168.20.220 AS MAC : 00e0-fc12-4455 AS Interface : GigabitEthernet0/0/3 Terminal Device Type : Data Terminal Dynamic ACL ID(Effective) : 3001 Dynamic service scheme : - AAA: User authentication type : 802.1x authentication Current authentication method : RADIUS Current authorization method : - Current accounting method : RADIUS ------------------------------------------------------------------------------ Total: 1, printed: 1# Run the display access-user username user2 detail command on AGG1 to view the authentication, authorization, and access location (AP area_1) information of user2.[AGG1] display access-user username user2 detail Basic: User ID : 49212 User name : user2 Domain-name : huawei.com User MAC : 00e0-fc12-3366 User IP address : 172.16.30.81 User vpn-instance : - User IPv6 address : - User access Interface : Wlan-Dbss2177 User vlan event : Success QinQVlan/UserVlan : 0/30 User vlan source : user request User access time : 2019/09/03 17:16:38 User accounting session ID : LSW5-AG000180000000308a****030003e User access type : 802.1x AP name : area_1 Radio ID : 0 AP MAC : 00e0-fc12-4400 SSID : Employee Online time : 251(s) Dynamic ACL ID(Effective) : 3001 Dynamic service scheme : - Service Scheme Priority : 0 AAA: User authentication type : 802.1x authentication Current authentication method : RADIUS Current authorization method : - Current accounting method : RADIUS ------------------------------------------------------------------------------ Total: 1, printed: 1# Run the display access-user username guest4 detail command on AGG1 to view the authentication, authorization, and access location (AP area_1) information of guest4.[AGG1] display access-user username guest4 detail Basic: User ID : 49216 User name : guest4 Domain-name : huawei.com User MAC : 00e0-fc12-3355 User IP address : 172.16.31.153 User vpn-instance : - User IPv6 address : - User access Interface : Wlan-Dbss2180 User vlan event : Success QinQVlan/UserVlan : 0/31 User vlan source : user request User access time : 2019/09/03 17:37:22 User accounting session ID : LSW5-AG0001800000003172****0300040 User access type : WEB AP name : area_1 Radio ID : 1 AP MAC : 00e0-fc12-4400 SSID : Guest Online time : 1148(s) Web-server IP address : 192.168.100.10 Dynamic ACL ID(Effective) : 3002 Dynamic service scheme : - Service Scheme Priority : 0 AAA: User authentication type : WEB authentication Current authentication method : RADIUS Current authorization method : - Current accounting method : RADIUS ------------------------------------------------------------------------------ Total: 1, printed: 1 - Verify that the successfully authenticated employees and guest can access authentication-free resources and resources in post-authentication domains, but cannot access resources that are denied in the post-authentication domains. The following uses wired access of an employee as an example.
# On PC1, ping an authentication-free resource, for example, the DNS server with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2 Pinging 192.168.100.2 with 32 bytes of data: Reply from 192.168.100.2: bytes=32 time<1ms TTL=252 Reply from 192.168.100.2: bytes=32 time<1ms TTL=252 Reply from 192.168.100.2: bytes=32 time<1ms TTL=252 Reply from 192.168.100.2: bytes=32 time<1ms TTL=252 Ping statistics for 192.168.100.2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms C:\Users\*******># On PC1, ping a resource in the post-authentication domain, for example, the campus egress device with IP address 172.16.3.1. The ping operation succeeds.C:\Users\*******>ping 172.16.3.1 Pinging 172.16.3.1 with 32 bytes of dataa: Reply from 172.16.3.1: bytes=32 time<1ms TTL=253 Reply from 172.16.3.1: bytes=32 time<1ms TTL=253 Reply from 172.16.3.1: bytes=32 time<1ms TTL=253 Reply from 172.16.3.1: bytes=32 time<1ms TTL=253 Ping statistics for 172.16.3.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms C:\Users\*******># On PC1, ping a resource denied in the post-authentication domain, for example, the special server with IP address 192.168.100.100. The ping operation fails.C:\Users\*******>ping 192.168.100.100 Pinging 192.168.100.100 with 32 bytes of data: Request time out. Request time out. Request time out. Request time out. Ping statistics for 192.168.100.100: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), C:\Users\*******> - Verify that employees can communicate with each other, but cannot communicate with the guest.# On PC1, ping the IP address of the terminal used by the wireless employee account user2. The ping operation succeeds.
C:\Users\*******>ping 172.16.30.81 Pinging 172.16.30.81 with 32 bytes of data: Reply from 172.16.30.81: bytes=32 time=106ms TTL=63 Reply from 172.16.30.81: bytes=32 time=93ms TTL=63 Reply from 172.16.30.81: bytes=32 time=102ms TTL=63 Reply from 172.16.30.81: bytes=32 time=27ms TTL=63 Ping statistics for 172.16.30.81: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 27ms, Maximum = 106ms, Average = 82ms C:\Users\*******># On PC1, ping the IP address of the terminal used by guest4. The ping operation fails.C:\Users\*******>ping 172.16.31.153 Pinging 172.16.31.153 with 32 bytes of data: Request time out. Request time out. Request time out. Request time out. Ping statistics for 172.16.31.153: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), C:\Users\*******>
Configuration Files
# CORE configuration file
# sysname CORE # vlan batch 70 80 1000 # interface Vlanif70 ip address 172.16.70.1 255.255.255.0 # interface Vlanif80 ip address 172.16.80.1 255.255.255.0 # interface Vlanif1000 ip address 192.168.100.1 255.255.255.0 # interface Eth-Trunk10 description connect to AGG1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 70 mode lacp # interface Eth-Trunk20 description connect to AGG2 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 80 mode lacp # interface Eth-Trunk30 undo portswitch description connect to Internet ip address 172.16.3.1 255.255.255.0 mode lacp # interface XGigabitEthernet1/1/0/1 eth-trunk 10 # interface XGigabitEthernet1/1/0/2 eth-trunk 20 # interface XGigabitEthernet1/1/0/3 eth-trunk 30 # interface XGigabitEthernet1/2/0/1 port link-type access port default vlan 1000 # interface XGigabitEthernet2/1/0/1 eth-trunk 20 # interface XGigabitEthernet2/1/0/2 eth-trunk 10 # interface XGigabitEthernet2/1/0/3 eth-trunk 30 # ospf 1 router-id 1.1.1.1 area 0.0.0.0 network 172.16.3.0 0.0.0.255 network 172.16.70.0 0.0.0.255 network 172.16.80.0 0.0.0.255 network 192.168.100.0 0.0.0.255 # return
# AGG1 configuration file
# sysname AGG1 # vlan batch 20 30 to 31 50 70 # authentication-profile name p1 dot1x-access-profile d1 free-rule-template default_free_rule access-domain huawei.com force authentication event authen-server-down action authorize service-scheme s1 authentication event authen-server-up action re-authen authentication-profile name p2 mac-access-profile mac1 portal-access-profile web1 free-rule-template default_free_rule access-domain huawei.com force authentication event authen-server-down action authorize service-scheme s2 authentication event authen-server-up action re-authen # dhcp enable # dhcp snooping enable # radius-server template tem_rad radius-server shared-key cipher %^%#QM@-!k^FcW*pZR2\4y93zY`;XY`TG356P_:6g7*O%^%# radius-server authentication 192.168.100.10 1812 weight 80 radius-server accounting 192.168.100.10 1813 weight 80 radius-server authorization 192.168.100.10 shared-key cipher %^%#S"vi.B|D80}JJgD*N%h&6+AUO7X-T/l0V$;|PU$A%^%# # acl number 3001 rule 1 permit ip destination 172.16.3.0 0.0.0.255 rule 2 permit ip destination 192.168.100.2 0 rule 3 permit ip destination 192.168.100.3 0 rule 4 permit ip destination 172.16.30.0 0.0.0.255 rule 5 permit ip destination 172.16.40.0 0.0.0.255 rule 6 permit ip destination 172.16.50.0 0.0.0.255 rule 7 permit ip destination 172.16.60.0 0.0.0.255 rule 8 deny ip acl number 3002 rule 1 permit ip destination 172.16.3.0 0.0.0.255 rule 2 permit ip destination 192.168.100.2 0 rule 3 permit ip destination 172.16.31.0 0.0.0.255 rule 4 permit ip destination 172.16.41.0 0.0.0.255 rule 5 deny ip # free-rule-template name default_free_rule free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255 free-rule 2 source vlan 20 # web-auth-server tem_portal server-ip 192.168.100.10 port 50200 shared-key cipher %^%#4~o~~(mF^~L=JK5Pd94Y$[Rq<"AL$Kt1!1Q+W5r@%^%# url http://192.168.100.10:8080/portal server-detect interval 100 max-times 5 action log # portal-access-profile name web1 authentication event portal-server-down action authorize service-scheme s2 authentication event portal-server-up action re-authen web-auth-server tem_portal direct # vlan 30 dhcp snooping enable vlan 31 dhcp snooping enable vlan 50 dhcp snooping enable # aaa authentication-scheme auth authentication-mode radius accounting-scheme acco accounting-mode radius accounting realtime 15 service-scheme s1 acl-id 3001 service-scheme s2 acl-id 3002 domain huawei.com authentication-scheme auth accounting-scheme acco radius-server tem_rad # interface Vlanif20 ip address 192.168.20.1 255.255.255.0 dhcp select interface # interface Vlanif30 ip address 172.16.30.1 255.255.255.0 arp-proxy inner-sub-vlan-proxy enable dhcp select interface dhcp server dns-list 192.168.100.2 # interface Vlanif31 ip address 172.16.31.1 255.255.255.0 arp-proxy inner-sub-vlan-proxy enable dhcp select interface dhcp server dns-list 192.168.100.2 # interface Vlanif50 ip address 172.16.50.1 255.255.255.0 arp-proxy inner-sub-vlan-proxy enable dhcp select interface dhcp server dns-list 192.168.100.2 # interface Vlanif70 ip address 172.16.70.2 255.255.255.0 # interface Eth-Trunk10 description connect to CORE port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 70 mode lacp # interface Eth-Trunk30 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 20 50 authentication control-point authentication-profile p1 mode lacp port-isolate enable group 1 # interface GigabitEthernet0/0/3 eth-trunk 30 # interface GigabitEthernet1/0/3 eth-trunk 30 # interface XGigabitEthernet0/0/1 eth-trunk 10 # interface XGigabitEthernet1/0/1 eth-trunk 10 # ospf 1 router-id 2.2.2.2 area 0.0.0.0 network 172.16.30.0 0.0.0.255 network 172.16.31.0 0.0.0.255 network 172.16.50.0 0.0.0.255 network 172.16.70.0 0.0.0.255 # capwap source interface vlanif20 # wlan traffic-profile name traff user-isolate l2 security-profile name sec1 security wpa2 dot1x aes security-profile name sec2 security open ssid-profile name ssid1 ssid Employee ssid-profile name ssid2 ssid Guest vap-profile name vap1 forward-mode tunnel service-vlan vlan-id 30 ssid-profile ssid1 security-profile sec1 traffic-profile traff authentication-profile p1 ip source check user-bind enable arp anti-attack check user-bind enable learn-client-address dhcp-strict vap-profile name vap2 forward-mode tunnel service-vlan vlan-id 31 ssid-profile ssid2 security-profile sec2 traffic-profile traff authentication-profile p2 ip source check user-bind enable arp anti-attack check user-bind enable learn-client-address dhcp-strict regulatory-domain-profile name domain1 ap-group name ap-group1 regulatory-domain-profile domain1 radio 0 vap-profile vap1 wlan 1 vap-profile vap2 wlan 2 radio 1 vap-profile vap1 wlan 1 vap-profile vap2 wlan 2 ap-id 1 type-id 30 ap-mac 00e0-fc12-4400 ap-sn 2102355547W0E3000316 ap-name area_1 ap-group ap-group1 # as-auth auth-mode none # dot1x-access-profile name d1 # mac-access-profile name mac1 # return
# AGG2 configuration file
#
sysname AGG2
#
vlan batch 21 40 to 41 60 80
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
authentication event authen-server-down action authorize service-scheme s1
authentication event authen-server-up action re-authen
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication event authen-server-down action authorize service-scheme s2
authentication event authen-server-up action re-authen
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#fax3=MV"r//"O"5FMI;5&H_R7f2k$Tfj6[1Xa0$5%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#3xW1/X3Dv=QAh^+{A2SA<g5cJ#]\5B:|Jl)|;GB2%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
free-rule 2 source vlan 21
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#7#CV~W{9N'1()yUYlP(BhQ&AMk(xTU;)]yCTa5mG%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
authentication event portal-server-down action authorize service-scheme s2
authentication event portal-server-up action re-authen
web-auth-server tem_portal direct
#
vlan 40
dhcp snooping enable
vlan 41
dhcp snooping enable
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
service-scheme s1
acl-id 3001
service-scheme s2
acl-id 3002
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif21
ip address 192.168.21.1 255.255.255.0
dhcp select interface
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif41
ip address 172.16.41.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
authentication control-point
authentication-profile p1
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
network 172.16.60.0 0.0.0.255
network 172.16.80.0 0.0.0.255
#
capwap source interface vlanif21
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
security open
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 41
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain2
ap-group name ap-group2
regulatory-domain-profile domain2
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 2 type-id 56 ap-mac 00e0-fc12-3390 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group2
#
as-auth
auth-mode none
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
# ACC1 configuration file
# sysname ACC1 # vlan batch 20 50 # authentication-profile name p1 dot1x-access-profile d1 # l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 # as access interface vlanif 20 as access controller ip-address 192.168.20.1 # free-rule-template name default_free_rule free-rule 1 destination any source any # interface Vlanif20 ip address dhcp-alloc # interface Eth-Trunk30 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 20 50 l2protocol-tunnel user-defined-protocol 802.1x enable mode lacp # interface GigabitEthernet0/0/1 eth-trunk 30 # interface GigabitEthernet0/0/2 eth-trunk 30 # interface GigabitEthernet0/0/3 port link-type access port default vlan 50 stp edged-port enable authentication access-point authentication-profile p1 l2protocol-tunnel user-defined-protocol 802.1x enable port-isolate enable group 1 # interface GigabitEthernet0/0/4 port link-type access port default vlan 20 stp edged-port enable l2protocol-tunnel user-defined-protocol 802.1x enable port-isolate enable group 1 # dot1x-access-profile name d1 # return
# ACC2 configuration file
# sysname ACC2 # vlan batch 21 60 # authentication-profile name p1 dot1x-access-profile d1 # l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 # as access interface vlanif 21 as access controller ip-address 192.168.21.1 # free-rule-template name default_free_rule free-rule 1 destination any source any # interface Vlanif21 ip address dhcp-alloc # interface Eth-Trunk40 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 21 60 l2protocol-tunnel user-defined-protocol 802.1x enable mode lacp # interface GigabitEthernet0/0/1 eth-trunk 40 # interface GigabitEthernet0/0/2 eth-trunk 40 # interface GigabitEthernet0/0/3 port link-type access port default vlan 60 stp edged-port enable authentication access-point authentication-profile p1 l2protocol-tunnel user-defined-protocol 802.1x enable port-isolate enable group 1 # interface GigabitEthernet0/0/4 port link-type access port default vlan 21 stp edged-port enable l2protocol-tunnel user-defined-protocol 802.1x enable port-isolate enable group 1 # dot1x-access-profile name d1 # return