Typical NAC Configuration (Unified Mode) (V200R005C00 to V200R008C00)
Example for Configuring 802.1X Authentication to Control User Access
802.1X Authentication Overview
802.1X is a port-based network access control protocol and 802.1X authentication is one of NAC authentication modes. 802.1X authentication ensures security of enterprise intranets.
802.1X authentication ensures high security; however, it requires that 802.1X client software be installed on user terminals, resulting in inflexible network deployment. Another two NAC authentication methods have their advantages and disadvantages: MAC address authentication does not require client software installation, but MAC addresses must be registered on an authentication server. Portal authentication also does not require client software installation and provides flexible deployment, but it has low security.
As a result, 802.1X authentication is applied to scenarios with new networks, centralized user distribution, and strict information security requirements.
Configuration Notes
This configuration example applies to all switches running all versions.
When you run the access-user arp-detect command to configure the IP address and MAC address of the user gateway as the source IP address and source MAC address of user offline detection packets, ensure that the MAC address of the gateway remains unchanged, especially in active/standby switchover scenarios. If the gateway MAC address is changed, ARP entries of terminals will be incorrect on the device, and the terminals cannot communicate with the device.
Networking Requirements
As shown in Figure 3-223, the terminals in an office are connected to the company's internal network through the Switch. Unauthorized access to the internal network can damage the company's service system and cause leakage of key information. Therefore, the administrator requires that the Switch should control the users' network access rights to ensure internal network security.
Configuration Roadmap
The configuration roadmap is as follows:
- Create and configure a RADIUS server template, an AAA scheme, and an authentication domain. Bind the RADIUS server template and AAA scheme to the authentication domain so that the Switch can authenticate access users through the RADIUS server.
- Enable 802.1X authentication to control network access rights of the employees in the office.
- Configure the user access mode to multi-authen and set the maximum number of access users to 100, so the device can control the network access rights of each user independently.
Before configuring this example, ensure that devices can communicate with each other in the network.
- Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 command in the system view of the LAN switch to configure the LAN switch to transparently transmit EAP packets.
- Run the l2protocol-tunnel user-defined-protocol 802.1x enable command on the interface connecting to users and the interface connecting to the access switch to enable the Layer 2 protocol tunneling function.
- Run the following commands in the system view:
- undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
- bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
- bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
- bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
- bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
- (This step is mandatory when you switch from method 1 to method 2.) Run the undo l2protocol-tunnel user-defined-protocol 802.1x enable command in the interface view to delete the configuration of transparent transmission of 802.1x protocol packets.
Procedure
- Create VLANs and configure the VLANs allowed by the interface to ensure network communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] vlan batch 10 20
# On the Switch, configure the interface GE0/0/1 connected to users as an access interface and add the interface to VLAN 10.
[Switch] interface gigabitethernet0/0/1 [Switch-GigabitEthernet0/0/1] port link-type access [Switch-GigabitEthernet0/0/1] port default vlan 10 [Switch-GigabitEthernet0/0/1] quit [Switch] interface vlanif 10 [Switch-Vlanif10] ip address 192.168.1.10 24 [Switch-Vlanif10] quit
Configure the interface type and VLANs based on the site requirements. In this example, users are added to VLAN 10.
# On the Switch, configure the interface GE0/0/2 connected to the RADIUS server as an access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet0/0/2 [Switch-GigabitEthernet0/0/2] port link-type access [Switch-GigabitEthernet0/0/2] port default vlan 20 [Switch-GigabitEthernet0/0/2] quit
- Create and configure a RADIUS server template, an AAA scheme, and an authentication domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1 [Switch-radius-rd1] radius-server authentication 192.168.2.30 1812 [Switch-radius-rd1] radius-server shared-key cipher YsHsjx_202206 [Switch-radius-rd1] quit
# Create an AAA authentication scheme abc and configure the authentication mode to RADIUS.
[Switch] aaa [Switch-aaa] authentication-scheme abc [Switch-aaa-authen-abc] authentication-mode radius [Switch-aaa-authen-abc] quit
# Create an authentication domain isp1, and bind the AAA scheme abc and RADIUS server template rd1 to the domain isp1.
[Switch-aaa] domain isp1 [Switch-aaa-domain-isp1] authentication-scheme abc [Switch-aaa-domain-isp1] radius-server rd1 [Switch-aaa-domain-isp1] quit [Switch-aaa] quit
# Configure isp1 as the global default domain. During access authentication, enter a user name in the format user@isp1 to perform AAA authentication in the domain isp1. If the user name does not contain the domain name or contains an invalid domain name, the user is authenticated in the default domain.
[Switch] domain isp1 - Configure 802.1x authentication on the Switch.# Switch the NAC mode to unified mode.
[Switch] authentication unified-modeAfter the common mode and unified mode are switched, the device automatically restarts.
# Enable 802.1X authentication on the interface GE0/0/1.
[Switch] interface gigabitethernet0/0/1 [Switch-GigabitEthernet0/0/1] authentication dot1x [Switch-GigabitEthernet0/0/1] authentication mode multi-authen max-user 100 [Switch-GigabitEthernet0/0/1] quit
# (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets.
[Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
- Verify the configuration.
- Run the display dot1x command to check the 802.1X authentication configuration. The command output (802.1X protocol is Enabled) shows that the 802.1X authentication has been enabled on the interface GE0/0/1.
- The user starts the 802.1X client on the terminal, and enters the user name and password for authentication.
- If the user name and password are correct, an authentication success message is displayed on the client page. The user can access the network.
- After the user goes online, you can run the display access-user access-type dot1x command on the device to check the online 802.1X user information.
Configuration Files
Configuration file of the Switch
# sysname Switch # vlan batch 10 20 # domain isp1 # access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456# radius-server template rd1 radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%# radius-server authentication 192.168.2.30 1812 weight 80 # aaa authentication-scheme abc authentication-mode radius domain isp1 authentication-scheme abc radius-server rd1 # interface Vlanif10 ip address 192.168.1.10 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type access port default vlan 10 authentication dot1x authentication mode multi-authen max-user 100 # interface GigabitEthernet0/0/2 port link-type access port default vlan 20 # return
Example for Configuring MAC Address Authentication to Control User Access
MAC Address Authentication Overview
As one of NAC authentication modes, MAC address authentication controls a user's network access rights based on the user's interface and MAC address. The user does not need to install any client software. MAC address authentication ensures security of enterprise intranets.
In MAC address authentication, client software does not need to be installed on user terminals, but MAC addresses must be registered on servers, resulting in complex management. Another two NAC authentication methods have their advantages and disadvantages: 802.1X authentication ensures high security, but it requires that 802.1X client software be installed on user terminals, causing inflexible network deployment. Portal authentication also does not require client software installation and provides flexible deployment, but it has low security.
MAC address authentication is applied to access authentication scenarios of dumb terminals such as printers and fax machines.
Configuration Notes
This configuration example applies to all switches running all versions.
When you run the access-user arp-detect command to configure the IP address and MAC address of the user gateway as the source IP address and source MAC address of user offline detection packets, ensure that the MAC address of the gateway remains unchanged, especially in active/standby switchover scenarios. If the gateway MAC address is changed, ARP entries of terminals will be incorrect on the device, and the terminals cannot communicate with the device.
Networking Requirements
As shown in Figure 3-224, the terminals in the physical access control department are connected to the company's internal network through the Switch. Unauthorized access to the internal network can damage the company's service system and cause leakage of key information. Therefore, the administrator requires that the Switch should control the users' network access rights to ensure internal network security.
Configuration Roadmap
The configuration roadmap is as follows:
- Create and configure a RADIUS server template, an AAA scheme, and an authentication domain. Bind the RADIUS server template and AAA scheme to the authentication domain so that the Switch can authenticate access users through the RADIUS server.
- Enable MAC address authentication so that the Switch can control network access rights of the dumb terminals in the physical access control department.
- Configure the user access mode to multi-authen and set the maximum number of access users to 100, so the device can control the network access rights of each user independently.
Before configuring this example, ensure that devices can communicate with each other on the network.
Procedure
- Create VLANs and configure the VLANs allowed by the interface to ensure network communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] vlan batch 10 20
# On the Switch, configure the interface GE0/0/1 connected to users as an access interface and add the interface to VLAN 10.
[Switch] interface gigabitethernet0/0/1 [Switch-GigabitEthernet0/0/1] port link-type access [Switch-GigabitEthernet0/0/1] port default vlan 10 [Switch-GigabitEthernet0/0/1] quit [Switch] interface vlanif 10 [Switch-Vlanif10] ip address 192.168.1.10 24 [Switch-Vlanif10] quit
Configure the interface type and VLANs based on the site requirements. In this example, users are added to VLAN 10.
# On the Switch, configure the interface GE0/0/2 connected to the RADIUS server as an access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet0/0/2 [Switch-GigabitEthernet0/0/2] port link-type access [Switch-GigabitEthernet0/0/2] port default vlan 20 [Switch-GigabitEthernet0/0/2] quit
- Create and configure a RADIUS server template, an AAA scheme, and an authentication domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1 [Switch-radius-rd1] radius-server authentication 192.168.2.30 1812 [Switch-radius-rd1] radius-server shared-key cipher YsHsjx_202206 [Switch-radius-rd1] quit
# Create an AAA authentication scheme abc and configure the authentication mode to RADIUS.
[Switch] aaa [Switch-aaa] authentication-scheme abc [Switch-aaa-authen-abc] authentication-mode radius [Switch-aaa-authen-abc] quit
# Create an authentication domain isp1, and bind the AAA scheme abc and RADIUS server template rd1 to the domain isp1.
[Switch-aaa] domain isp1 [Switch-aaa-domain-isp1] authentication-scheme abc [Switch-aaa-domain-isp1] radius-server rd1 [Switch-aaa-domain-isp1] quit [Switch-aaa] quit
# Configure isp1 as the global default domain. During access authentication, enter a user name in the format user@isp1 to perform AAA authentication in the domain isp1. If the user name does not contain the domain name or contains an invalid domain name, the user is authenticated in the default domain.
[Switch] domain isp1 - Configure MAC address authentication on the Switch.# Switch the NAC mode to unified mode.
[Switch] authentication unified-modeAfter the common mode and unified mode are switched, the device automatically restarts.
# Enable MAC address authentication on the interface GE0/0/1.[Switch] interface gigabitethernet0/0/1 [Switch-GigabitEthernet0/0/1] authentication mac-authen [Switch-GigabitEthernet0/0/1] authentication mode multi-authen max-user 100 [Switch-GigabitEthernet0/0/1] quit
# (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets.
[Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
- Verify the configuration.
- Run the display mac-authen command to check the MAC address authentication configuration. The command output (MAC address authentication is enabled) shows that MAC address authentication has been enabled on the interface GE0/0/1.
- After the user starts the terminal, the device automatically obtains the terminal MAC address and uses it as the user name and password for authentication.
- The user can access the network after the authentication succeeds.
- After the user goes online, you can run the display access-user access-type mac-authen command on the device to check the online MAC address authentication user information.
Configuration Files
Configuration file of the Switch
# sysname Switch # vlan batch 10 20 # domain isp1 # access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456# radius-server template rd1 radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%# radius-server authentication 192.168.2.30 1812 weight 80# aaa authentication-scheme abc authentication-mode radius domain isp1 authentication-scheme abc radius-server rd1# interface GigabitEthernet0/0/1 port link-type access port default vlan 10 authentication mac-authen authentication mode multi-authen max-user 100 # interface GigabitEthernet0/0/2 port link-type access port default vlan 20 # return
Example for Configuring Portal Authentication to Control User Access
Portal Authentication Overview
As one of NAC authentication modes, Portal authentication is also called web authentication. Generally, Portal authentication websites are also called Portal websites. When users go online, they must be authenticated on Portal websites. The users can use network resources only after they pass the authentication.
Portal authentication cannot ensure high security, but it does not require client software installation and provides flexible deployment. Another two NAC authentication methods have their advantages and disadvantages: 802.1X authentication ensures high security, but it requires that 802.1X client software be installed on user terminals, causing inflexible network deployment. MAC address authentication does not require client software installation, but MAC addresses must be registered on an authentication server, resulting in complex management.
Portal authentication is applied to scenarios where a large number of scattered users such as company visitors move frequently.
Configuration Notes
This configuration example applies to all switches running all versions.
When you run the access-user arp-detect command to configure the IP address and MAC address of the user gateway as the source IP address and source MAC address of user offline detection packets, ensure that the MAC address of the gateway remains unchanged, especially in active/standby switchover scenarios. If the gateway MAC address is changed, ARP entries of terminals will be incorrect on the device, and the terminals cannot communicate with the device.
Networking Requirements
As shown in Figure 3-225, the terminals in the visitor area are connected to the company's internal network through the Switch. Unauthorized access to the internal network can damage the company's service system and cause leakage of key information. Therefore, the administrator requires that the Switch should control the users' network access rights to ensure internal network security.
Configuration Roadmap
The configuration roadmap is as follows:
- Create and configure a RADIUS server template, an AAA scheme, and an authentication domain. Bind the RADIUS server template and AAA scheme to the authentication domain so that the Switch can authenticate access users through the RADIUS server.
- Enable Portal authentication so that the Switch can control network access rights of the visitors in the visitor areas.
- Configure a Portal server template so that the device can communicate with the Portal server.
Before configuring this example, ensure that devices can communicate with each other on the network.
Procedure
- Create VLANs and configure the VLANs allowed by the interface to ensure network communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] vlan batch 10 20
# On the Switch, configure the interface GE0/0/1 connected to users as an access interface and add the interface to VLAN 10.
[Switch] interface gigabitethernet0/0/1 [Switch-GigabitEthernet0/0/1] port link-type access [Switch-GigabitEthernet0/0/1] port default vlan 10 [Switch-GigabitEthernet0/0/1] quit [Switch] interface vlanif 10 [Switch-Vlanif10] ip address 192.168.1.10 24 [Switch-Vlanif10] quit
Configure the interface type and VLANs based on the site requirements. In this example, users are added to VLAN 10.
# On the Switch, configure the interface GE0/0/2 connected to the RADIUS server as an access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet0/0/2 [Switch-GigabitEthernet0/0/2] port link-type access [Switch-GigabitEthernet0/0/2] port default vlan 20 [Switch-GigabitEthernet0/0/2] quit
- Create and configure a RADIUS server template, an AAA scheme, and an authentication domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1 [Switch-radius-rd1] radius-server authentication 192.168.2.30 1812 [Switch-radius-rd1] radius-server shared-key cipher YsHsjx_202206 [Switch-radius-rd1] quit
# Create an AAA authentication scheme abc and configure the authentication mode to RADIUS.
[Switch] aaa [Switch-aaa] authentication-scheme abc [Switch-aaa-authen-abc] authentication-mode radius [Switch-aaa-authen-abc] quit
# Create an authentication domain isp1, and bind the AAA scheme abc and RADIUS server template rd1 to the domain isp1.
[Switch-aaa] domain isp1 [Switch-aaa-domain-isp1] authentication-scheme abc [Switch-aaa-domain-isp1] radius-server rd1 [Switch-aaa-domain-isp1] quit [Switch-aaa] quit
# Configure isp1 as the global default domain. During access authentication, enter a user name in the format user@isp1 to perform AAA authentication in the domain isp1. If the user name does not contain the domain name or contains an invalid domain name, the user is authenticated in the default domain.
[Switch] domain isp1 - Configure Portal authentication on the Switch.# Switch the NAC mode to unified mode.
[Switch] authentication unified-modeAfter the common mode and unified mode are switched, the device automatically restarts.
# Enable Portal authentication on the interface GE0/0/1.[Switch] interface gigabitethernet0/0/1 [Switch-GigabitEthernet0/0/1] authentication portal [Switch-GigabitEthernet0/0/1] authentication mode multi-authen max-user 100 [Switch-GigabitEthernet0/0/1] quit
# Create and configure a Portal server template abc.[Switch] web-auth-server abc //In V200R020C10SPC100 and later versions, you must also run the web-auth-server server-source or server-source command to configure the local gateway address used to receive and respond to the packets sent by the Portal server, so as to implement Portal authentication. [Switch-web-auth-server-abc] server-ip 192.168.2.20 [Switch-web-auth-server-abc] port 50200 [Switch-web-auth-server-abc] url http://192.168.2.20:8080/webagent [Switch-web-auth-server-abc] shared-key cipher YsHsjx_202206 [Switch-web-auth-server-abc] quit
Ensure that the port number configured on the device is the same as that used by the Portal server.
# Bind the Portal server template abc to the interface GE0/0/1.[Switch] interface gigabitethernet0/0/1 [Switch-GigabitEthernet0/0/1] web-auth-server abc direct [Switch-GigabitEthernet0/0/1] quit
In this example, users are allocated static IP addresses. If the users obtain IP addresses through DHCP and the DHCP server is upstream connected to Switch, use the authentication free-rule command to create authentication-free rules and ensure that the DHCP server is included in the authentication-free rules.
In addition, if the URL of Portal server needs to be analyzed by DNS and the DNS server is upstream connected to Switch, you also need to create authentication-free rules and ensure that the DNS server is included in the authentication-free rules.
# (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets. This function does not take effect for users who use Layer 3 Portal authentication.
[Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc11-1234 - Verify the configuration.
- Run the display portal and display web-auth-server configuration commands to check the external Portal authentication configuration. The command output (web-auth-server layer2(direct)) shows that the Portal server template has been bound to the interface GE0/0/1.
- After starting the browser and entering any network address, the user is redirected to the Portal authentication page. The user then enters the user name and password for authentication.
- If the user name and password are correct, an authentication success message is displayed on the Portal authentication page. The user can access the network.
- After the user goes online, you can run the display access-user access-type portal command on the device to check the online Portal authentication user information.
Configuration Files
Configuration file of the Switch
# sysname Switch # vlan batch 10 20 # domain isp1 # radius-server template rd1 radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%# radius-server authentication 192.168.2.30 1812 weight 80# web-auth-server abc server-ip 192.168.2.20 port 50200 shared-key cipher %^%#t:hJ@gD7<+G&,"Y}Y[VP4\foQ&og/Gg(,J4#\!gD%^%# url http://192.168.2.20:8080/webagent # aaa authentication-scheme abc authentication-mode radius domain isp1 authentication-scheme abc radius-server rd1# interface Vlanif10 ip address 192.168.1.10 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type access port default vlan 10 authentication portal authentication mode multi-authen max-user 100 web-auth-server abc direct # interface GigabitEthernet0/0/2 port link-type access port default vlan 20 # return
Example for Configuring Multiple Authentication Modes to Control User Access
Overview of Multiple Authentication Modes
In NAC network deployment, to provide flexible authentication, the device supports concurrent deployment of 802.1X authentication, MAC address authentication, and Portal authentication on the interfaces connected to users. In this case, the users can access the network using any authentication mode.
If multiple authentication modes are enabled, the authentication modes take effect in the sequence they are configured. In addition, after multiple authentication modes are deployed, users can be authenticated in different modes by default and assigned different network rights accordingly by the device.
Configuration Notes
This configuration example applies to all switches running all versions.
When you run the access-user arp-detect command to configure the IP address and MAC address of the user gateway as the source IP address and source MAC address of user offline detection packets, ensure that the MAC address of the gateway remains unchanged, especially in active/standby switchover scenarios. If the gateway MAC address is changed, ARP entries of terminals will be incorrect on the device, and the terminals cannot communicate with the device.
Networking Requirements
As shown in Figure 3-226, the terminals in a company are connected to the company's internal network through the Switch. Unauthorized access to the internal network can damage the company's service system and cause leakage of key information. Therefore, the administrator requires that the Switch should control the users' network access rights to ensure internal network security.
Configuration Roadmap
The configuration roadmap is as follows:
- Create and configure a RADIUS server template, an AAA scheme, and an authentication domain. Bind the RADIUS server template and AAA scheme to the authentication domain so that the Switch can authenticate access users through the RADIUS server.
- Enable 802.1X authentication, MAC address authentication, and Portal authentication so that the Switch can control network access rights of the internal employees, dumb terminals, and visitors. In addition, configure 802.1X authentication to take precedence because there are more employees than dumb terminals and visitors.
- Configure the user access mode to multi-authen and set the maximum number of access users to 100, so the device can control the network access rights of each user independently.
- Configure a Portal server template so that the device can communicate with the Portal server.
Before configuring this example, ensure that devices can communicate with each other on the network.
Procedure
- Create VLANs and configure the VLANs allowed by the interface to ensure network communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] vlan batch 10 20
# On the Switch, configure the interface GE0/0/1 connected to users as an access interface and add the interface to VLAN 10.
[Switch] interface gigabitethernet0/0/1 [Switch-GigabitEthernet0/0/1] port link-type access [Switch-GigabitEthernet0/0/1] port default vlan 10 [Switch-GigabitEthernet0/0/1] quit [Switch] interface vlanif 10 [Switch-Vlanif10] ip address 192.168.1.10 24 [Switch-Vlanif10] quit
Configure the interface type and VLANs based on the site requirements. In this example, users are added to VLAN 10.
# On the Switch, configure the interface GE0/0/2 connected to the RADIUS server as an access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet0/0/2 [Switch-GigabitEthernet0/0/2] port link-type access [Switch-GigabitEthernet0/0/2] port default vlan 20 [Switch-GigabitEthernet0/0/2] quit
- Create and configure a RADIUS server template, an AAA scheme, and an authentication domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1 [Switch-radius-rd1] radius-server authentication 192.168.2.30 1812 [Switch-radius-rd1] radius-server shared-key cipher YsHsjx_202206 [Switch-radius-rd1] quit
# Create an AAA authentication scheme abc and configure the authentication mode to RADIUS.
[Switch] aaa [Switch-aaa] authentication-scheme abc [Switch-aaa-authen-abc] authentication-mode radius [Switch-aaa-authen-abc] quit
# Create an authentication domain isp1, and bind the AAA scheme abc and RADIUS server template rd1 to the domain isp1.
[Switch-aaa] domain isp1 [Switch-aaa-domain-isp1] authentication-scheme abc [Switch-aaa-domain-isp1] radius-server rd1 [Switch-aaa-domain-isp1] quit [Switch-aaa] quit
# Configure isp1 as the global default domain. During access authentication, enter a user name in the format user@isp1 to perform AAA authentication in the domain isp1. If the user name does not contain the domain name or contains an invalid domain name, the user is authenticated in the default domain.
[Switch] domain isp1 - Configure 802.1X authentication, MAC address authentication, and Portal authentication on the Switch.# Switch the NAC mode to unified mode.
[Switch] authentication unified-modeAfter the common mode and unified mode are switched, the device automatically restarts.
# Enable 802.1X authentication, MAC address authentication, and Portal authentication on the interface GE0/0/1.
[Switch] interface gigabitethernet0/0/1 [Switch-GigabitEthernet0/0/1] authentication dot1x mac-authen portal [Switch-GigabitEthernet0/0/1] authentication mode multi-authen max-user 100 [Switch-GigabitEthernet0/0/1] quit
# Create and configure a Portal server template abc.[Switch] web-auth-server abc //In V200R020C10SPC100 and later versions, you must also run the web-auth-server server-source or server-source command to configure the local gateway address used to receive and respond to the packets sent by the Portal server, so as to implement Portal authentication. [Switch-web-auth-server-abc] server-ip 192.168.2.20 [Switch-web-auth-server-abc] port 50200 [Switch-web-auth-server-abc] url http://192.168.2.20:8080/webagent [Switch-web-auth-server-abc] shared-key cipher YsHsjx_202206 [Switch-web-auth-server-abc] quit
Ensure that the port number configured on the device is the same as that used by the Portal server.
# Bind the Portal server template abc to the interface GE0/0/1.[Switch] interface gigabitethernet0/0/1 [Switch-GigabitEthernet0/0/1] web-auth-server abc direct [Switch-GigabitEthernet0/0/1] quit
# (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets. This function does not take effect for users who use Layer 3 Portal authentication.
[Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc11-1234 - Verify the configuration.
- Run the display dot1x, display mac-authen, display portal, and display web-auth-server configuration commands. The command outputs show that 802.1X authentication, MAC address authentication, and Portal authentication have been enabled on GE0/0/1.
- The user can access the network after passing 802.1X authentication, MAC address authentication, or Portal authentication.
- After the user goes online, you can run the display access-user interface gigabitethernet0/0/1 command on the device to check all online user information.
Configuration Files
Configuration file of the Switch
# sysname Switch # vlan batch 10 20 # domain isp1 # radius-server template rd1 radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%# radius-server authentication 192.168.2.30 1812 weight 80# web-auth-server abc server-ip 192.168.2.20 port 50200 shared-key cipher %^%#t:hJ@gD7<+G&,"Y}Y[VP4\foQ&og/Gg(,J4#\!gD%^%# url http://192.168.2.20:8080/webagent # aaa authentication-scheme abc authentication-mode radius domain isp1 authentication-scheme abc radius-server rd1# interface Vlanif10 ip address 192.168.1.10 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type access port default vlan 10 authentication dot1x mac-authen portal authentication mode multi-authen max-user 100 web-auth-server abc direct # interface GigabitEthernet0/0/2 port link-type access port default vlan 20 # return