Native AC + NAC Solution: Parent (Core Switches) in an SVF System Functions as the Authentication Point
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus network to implement high network reliability and forwarding of a large amount of data. In addition, core switches are configured with the native AC function to manage APs and transmit wireless service traffic on the entire network, implementing wired and wireless convergence.
Aggregation switches set up stacks to implement device-level backup and increase the interface density and forwarding bandwidth.
There are a large number of wired and wireless access devices that are widely distributed. To implement unified management and configuration and reduce management costs, SVF is deployed on the network. Core, aggregation, and access switches set up an SVF system. In the SVF system, the CSS of core switches functions as the parent, and aggregation and access switches function as ASs. The parent manages and configures ASs in a unified manner.
In this example, core switches set up an SVF system, which functions as the gateway and authentication point for wired and wireless users on the entire network. These users can access the network only after being authenticated. The specific requirements are as follows:
- Agile Controller-Campus functions as both the access authentication server and user data source server.
- Users include employees and guests. Wired users use combined 802.1X + Portal authentication, and wireless users use 802.1X authentication and MAC address-prioritized Portal authentication.
- The authentication server delivers authorization ACLs to control network access rights of different users.
Device Requirements and Versions
Location | Device Requirement | Device Used in This Example | Version Used in This Example
---|---|---|---
Core layer | | S12700E | V200R019C10
Aggregation layer | - | S5731-H | 
Access layer | - | S5735-L | 
AP | - | AP6050DN | V200R019C00
Deployment Roadmap
Step | Deployment Roadmap | Devices Involved
---|---|---
1 | Configure AAA, including configuring a RADIUS server template, AAA schemes, and authentication domains to enable user authentication, authorization, and accounting through RADIUS, as well as configuring parameters for interconnection between switches and the RADIUS server. | Core switches (CORE)
2 | Configure a pre-authentication domain and a post-authentication domain. | Core switches (CORE)
3 | Configure combined 802.1X + Portal authentication for wired users. In an SVF system, the authentication mode of wired users needs to be defined in a user access profile. | Core switches (CORE)
4 | Configure 802.1X authentication and MAC address-prioritized Portal authentication for wireless users. | Core switches (CORE)
6 | Log in to Agile Controller-Campus, add users, and configure parameters for interconnection with CORE, RADIUS and Portal parameters, as well as the authentication and authorization functions. | Agile Controller-Campus
Data Plan
Item | VLAN ID | Network Segment
---|---|---
Management VLAN | VLAN 20 | 192.168.20.0/24
Service VLANs for wireless users (AP1) | VLAN 30 | 172.16.30.0/24
 | VLAN 40 | 172.16.40.0/24
Service VLAN for a wired user (PC1) | VLAN 50 | 172.16.50.0/24
Service VLAN for a wired user (PC2) | VLAN 60 | 172.16.60.0/24
Network segment for communication with servers | VLAN 1000 | 192.168.11.0/24
Item | Data
---|---
AP group | ap-group
Regulatory domain profile | domain
SSID profiles | ssid1, ssid2
VAP profiles | vap1, vap2 (The data forwarding mode in the VAP profiles is tunnel forwarding.)
Item | Data
---|---
Parent | CSS of two S12700E switches
Parent's cards connected to ASs | X1E cards of the same type in slot 1 of the two CSS member switches
MAC addresses of ASs and APs | as-layer1-1: 00e0-fc01-0011; as-layer1-2: 00e0-fc01-0022; as-layer2-1: 00e0-fc01-0033; as-layer2-2: 00e0-fc01-0044
Management VLAN of the SVF system | VLAN 20
IP address of the management VLANIF interface | 192.168.20.1/24
Parent's interfaces connected to as-layer1-1 | GE1/1/0/1 and GE2/1/0/2. Add the interfaces to Eth-Trunk 10 and bind them to fabric port 1.
Parent's interfaces connected to as-layer1-2 | GE1/1/0/2 and GE2/1/0/1. Add the interfaces to Eth-Trunk 20 and bind them to fabric port 2.
as-layer1-1's interfaces connected to as-layer2-1 | GE0/0/3 and GE1/0/3. Add the interfaces to Eth-Trunk 30 and bind them to fabric port 3.
as-layer1-2's interfaces connected to as-layer2-2 | GE0/0/3 and GE1/0/3. Add the interfaces to Eth-Trunk 40 and bind them to fabric port 4.
as-layer2-1's interface connected to AP1 | GE0/0/4. Add the interface to an AP port group.
as-layer2-2's interface connected to AP2 | GE0/0/4. Add the interface to an AP port group.
AS authentication mode | Whitelist authentication
Service configuration of an AS administrator profile | Administrator profile admin_profile, in which the administrator user name and password are configured; AS group admin_group, which includes all ASs; bind the administrator profile admin_profile to the AS group admin_group.
Service configuration of AS network basic profiles | Network basic profiles: basic_profile_1 (VLAN 50 is the VLAN from which packets are allowed to pass through), basic_profile_2 (VLAN 60), basic_profile_3 (VLAN 50), basic_profile_4 (VLAN 60). Port groups: port_group_1 (all downlink interfaces of as-layer1-1), port_group_2 (all downlink interfaces of as-layer1-2), port_group_3 (all downlink interfaces of as-layer2-1 except GigabitEthernet 0/0/4, which connects to an AP), port_group_4 (all downlink interfaces of as-layer2-2 except GigabitEthernet 0/0/4, which connects to an AP). Bindings: basic_profile_1 to port_group_1, basic_profile_2 to port_group_2, basic_profile_3 to port_group_3, basic_profile_4 to port_group_4.
Item | Data
---|---
AAA schemes | Authentication scheme; accounting scheme
RADIUS server | 
Portal server | 
802.1X access profile | 
Portal access profile | Name: web1
MAC access profile | Name: mac1
Pre-authentication domain | IP address of the DNS server: 192.168.11.2
Post-authentication domains | The IP addresses of the service server and campus egress device are 192.168.11.3 and 172.16.3.1, respectively.
Item | Data
---|---
IP address of CORE | 192.168.11.254
RADIUS parameters | 
Portal parameters | 
Accounts | Employee; Guest
Procedure
- Enable campus network connectivity. For details, see Native AC + SVF Solution: the Parent Containing Core Switches Functions as the Gateway for Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access authentication modes.

User Access Authentication Mode | Security Policy
---|---
MAC address authentication or Portal authentication | Open system authentication
802.1X authentication | WPA/WPA2-802.1X authentication. WPA2 authentication is used in this example.

For users who use 802.1X authentication, configure a security policy in security profile sec1 as follows:
```
[CORE-wlan-sec-prof-sec1] security wpa2 dot1x aes
```
For users who use MAC address-prioritized Portal authentication, configure a security policy in security profile sec2 as follows:
```
[CORE-wlan-sec-prof-sec2] security open
```
- Configure AAA on CORE.
# Configure the RADIUS server template tem_rad and configure parameters for interconnection between CORE and the RADIUS server. The parameters include the IP addresses, port numbers, and shared keys of the RADIUS authentication and accounting servers.
```
<CORE> system-view
[CORE] radius-server template tem_rad
[CORE-radius-tem_rad] radius-server authentication 192.168.11.1 1812
[CORE-radius-tem_rad] radius-server accounting 192.168.11.1 1813
[CORE-radius-tem_rad] radius-server shared-key cipher Admin@123
[CORE-radius-tem_rad] quit
```
# Configure a RADIUS authorization server.
```
[CORE] radius-server authorization 192.168.11.1 shared-key cipher Example@123
```
# Configure AAA schemes, set the authentication, authorization, and accounting modes to RADIUS, and set the accounting interval to 15 minutes.
```
[CORE] aaa
[CORE-aaa] authentication-scheme auth
[CORE-aaa-authen-auth] authentication-mode radius
[CORE-aaa-authen-auth] quit
[CORE-aaa] accounting-scheme acco
[CORE-aaa-accounting-acco] accounting-mode radius
[CORE-aaa-accounting-acco] accounting realtime 15
[CORE-aaa-accounting-acco] quit
```
# Configure the domain huawei.com and bind the AAA schemes and RADIUS server template to this domain.
```
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit
```
- Configure a pre-authentication domain and a post-authentication domain on CORE.
# Configure a pre-authentication domain to allow packets destined for the DNS server to pass through before users are authenticated.
```
[CORE] free-rule-template name default_free_rule
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.2 mask 32
[CORE-free-rule-default_free_rule] quit
```
# Configure post-authentication domains. Configure ACL 3001 and ACL 3002 to control the network access rights of employees and guests, respectively.
```
[CORE] acl 3001 //Configure an ACL for authorization of employees, so that they can access the Internet and service server after being authenticated.
[CORE-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[CORE-acl-adv-3001] rule 2 permit ip destination 192.168.11.3 0.0.0.0
[CORE-acl-adv-3001] rule 3 deny ip destination any
[CORE-acl-adv-3001] quit
[CORE] acl 3002 //Configure an ACL for authorization of guests, so that they can access the Internet after being authenticated.
[CORE-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[CORE-acl-adv-3002] rule 2 deny ip destination any
[CORE-acl-adv-3002] quit
```
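The pre-authentication free rule and the two authorization ACLs above together define what each class of user can reach. The following Python script is an added example (it is not part of this Huawei configuration example) that parses those rule lines offline, evaluates them with first-match semantics, and checks the intended outcome for the DNS server, service server, egress segment and RADIUS server from the data plan. First-match evaluation and a deny default for rule sets without a terminal rule are this example's assumptions; both ACLs on the page end with an explicit deny, so the default is never reached here.

```python
"""Added example: evaluate the pre-/post-authentication rules from this page
offline so the intended access rights can be checked before 'commit as all'.
Constructed example, not vendor code."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Rule lines copied from the CORE configuration on this page.
ACL_3001 = [  # employees: egress segment (Internet) and service server
    "rule 1 permit ip destination 172.16.3.0 0.0.0.255",
    "rule 2 permit ip destination 192.168.11.3 0.0.0.0",
    "rule 3 deny ip destination any",
]
ACL_3002 = [  # guests: egress segment (Internet) only
    "rule 1 permit ip destination 172.16.3.0 0.0.0.255",
    "rule 2 deny ip destination any",
]
FREE_RULES = [  # pre-authentication domain: DNS server only
    "free-rule 1 destination ip 192.168.11.2 mask 32",
]


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    dst: int         # destination address as a 32-bit integer
    wildcard: int    # wildcard mask: 1 bits are "don't care"

    def matches(self, ip: int) -> bool:
        return ((ip ^ self.dst) & ~self.wildcard & 0xFFFFFFFF) == 0


def _to_int(tok: str) -> int:
    # Accepts dotted quads and the abbreviated "0" wildcard that appears in
    # the saved configuration file ("rule 2 permit ip destination 192.168.11.3 0").
    return int(tok) if tok.isdigit() else int(ipaddress.IPv4Address(tok))


def parse_acl_rule(line: str) -> Rule:
    """Parse 'rule N permit|deny ip destination <addr> <wildcard>|any'."""
    tok = line.split()
    action = tok[2]
    i = tok.index("destination")
    if tok[i + 1] == "any":
        return Rule(action, 0, 0xFFFFFFFF)
    return Rule(action, _to_int(tok[i + 1]), _to_int(tok[i + 2]))


def parse_free_rule(line: str) -> Rule:
    """Parse 'free-rule N destination ip <addr> mask <prefix-len|dotted>'."""
    tok = line.split()
    addr = _to_int(tok[tok.index("ip") + 1])
    mask_tok = tok[tok.index("mask") + 1]
    if mask_tok.isdigit():                       # prefix length, e.g. 32
        netmask = (0xFFFFFFFF << (32 - int(mask_tok))) & 0xFFFFFFFF
    else:                                        # dotted netmask, e.g. 255.255.255.255
        netmask = _to_int(mask_tok)
    return Rule("permit", addr, ~netmask & 0xFFFFFFFF)


def evaluate(rules: List[Rule], dst_ip: str, default: str = "deny") -> str:
    """First-match evaluation (assumption of this example). The default is
    only reached when no rule matches, which cannot happen for the page's
    ACLs because both end with 'deny ip destination any'."""
    ip = int(ipaddress.IPv4Address(dst_ip))
    for r in rules:
        if r.matches(ip):
            return r.action
    return default


POLICIES = {
    "pre-auth": [parse_free_rule(l) for l in FREE_RULES],
    "employee": [parse_acl_rule(l) for l in ACL_3001],
    "guest": [parse_acl_rule(l) for l in ACL_3002],
}


def allowed(user_state: str, dst_ip: str) -> bool:
    """True if a user in the given state may send IP traffic to dst_ip."""
    return evaluate(POLICIES[user_state], dst_ip) == "permit"


if __name__ == "__main__":
    # Destinations taken from the data plan on the page.
    targets = {"DNS": "192.168.11.2", "service server": "192.168.11.3",
               "egress": "172.16.3.1", "RADIUS": "192.168.11.1"}
    for state in POLICIES:
        print(state, {name: allowed(state, ip) for name, ip in targets.items()})
```

Running the script shows that an unauthenticated user reaches only the DNS server, an employee reaches the egress segment and the service server but not the RADIUS server, and a guest reaches the egress segment only, which is the intent stated in the pre- and post-authentication domain design.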
- Configure combined 802.1X + Portal authentication for wired users on CORE.
# Change the NAC mode to unified.
By default, the unified mode is used. The switch will restart automatically after the NAC mode is changed between common and unified modes.
```
[CORE] authentication unified-mode
```
# Configure an 802.1X access profile.
By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X authentication requests.
```
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] dot1x authentication-method eap
[CORE-dot1x-access-profile-d1] quit
```
# Configure a MAC access profile.
```
[CORE] mac-access-profile name mac1
[CORE-mac-access-profile-mac1] quit
```
# Configure Portal server template tem_portal, and set parameters for interconnection between CORE and the Portal server. The parameters include the IP address, port number, and shared key of the Portal server.
```
[CORE] web-auth-server tem_portal
[CORE-web-auth-server-tem_portal] server-ip 192.168.11.1
[CORE-web-auth-server-tem_portal] port 50200 //The Portal server port number is fixed at 50200 when Agile Controller-Campus functions as the Portal server.
[CORE-web-auth-server-tem_portal] shared-key cipher Admin@123
[CORE-web-auth-server-tem_portal] url http://192.168.11.1:8080/portal
[CORE-web-auth-server-tem_portal] quit
```
# Configure a Portal access profile.
```
[CORE] portal-access-profile name web1
[CORE-portal-acces-profile-web1] web-auth-server tem_portal direct
[CORE-portal-acces-profile-web1] quit
```
# Configure an authentication profile for wired users, and bind the 802.1X access profile and Portal access profile to the authentication profile.
```
[CORE] authentication-profile name p1
[CORE-authen-profile-p1] dot1x-access-profile d1
[CORE-authen-profile-p1] portal-access-profile web1
[CORE-authen-profile-p1] free-rule-template default_free_rule
[CORE-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p1] quit
```
# Configure combined 802.1X + Portal authentication for wired users. The port group names in the commands match the prompts that follow (port_group_3 for as-layer2-1 and port_group_4 for as-layer2-2).
```
[CORE] uni-mng
[CORE-um] user-access-profile name test01 //Configure a user access profile, which needs to be bound to authentication profile p1.
[CORE-um-user-access-test01] authentication-profile p1
[CORE-um-user-access-test01] quit
[CORE-um] port-group name port_group_3 //Configure a port group, which needs to be bound to the user access profile and interfaces of the AS.
[CORE-um-portgroup-port_group_3] user-access-profile test01
[CORE-um-portgroup-port_group_3] as name as-layer2-1 interface gigabitEthernet 0/0/2 gigabitEthernet 0/0/4 to 0/0/24
[CORE-um-portgroup-port_group_3] quit
[CORE-um] port-group name port_group_4 //Configure a port group, which needs to be bound to the user access profile and interfaces of the AS.
[CORE-um-portgroup-port_group_4] user-access-profile test01
[CORE-um-portgroup-port_group_4] as name as-layer2-2 interface gigabitEthernet 0/0/2 gigabitEthernet 0/0/4 to 0/0/24
[CORE-um-portgroup-port_group_4] quit
[CORE-um] commit as all //Commit the configuration. Configurations in service profiles are then delivered to the ASs.
Warning: Committing the configuration will take a long time. Continue?[Y/N]: y
[CORE-um] quit
```
- On CORE, configure 802.1X authentication and MAC address-prioritized Portal authentication for wireless users.
# Configure an authentication profile for wireless users, and set the authentication mode to MAC address-prioritized Portal authentication.
```
[CORE] authentication-profile name p2
[CORE-authen-profile-p2] portal-access-profile web1
[CORE-authen-profile-p2] mac-access-profile mac1
[CORE-authen-profile-p2] free-rule-template default_free_rule
[CORE-authen-profile-p2] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p2] quit
```
# Configure an authentication profile for wireless users, and set the authentication mode to 802.1X authentication.
```
[CORE] authentication-profile name p3
[CORE-authen-profile-p3] dot1x-access-profile d1
[CORE-authen-profile-p3] free-rule-template default_free_rule
[CORE-authen-profile-p3] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p3] quit
```
# Configure 802.1X authentication for wireless users in VAP profile vap1.
```
[CORE] wlan
[CORE-wlan-view] vap-profile name vap1
[CORE-wlan-vap-prof-vap1] authentication-profile p3
[CORE-wlan-vap-prof-vap1] quit
[CORE-wlan-view] quit
```
# Configure MAC address-prioritized Portal authentication for wireless users in VAP profile vap2.
```
[CORE] wlan
[CORE-wlan-view] vap-profile name vap2
[CORE-wlan-vap-prof-vap2] authentication-profile p2
[CORE-wlan-vap-prof-vap2] quit
[CORE-wlan-view] quit
```
- Configure Agile Controller-Campus.
- Add switches so that they can communicate with Agile Controller-Campus. Choose Resource > Device > Device Management, click Add, and configure device information and authentication parameters.

Table 2-93 Parameter settings on Agile Controller-Campus and CORE

Parameter on Agile Controller-Campus | Configuration on Agile Controller-Campus | Configuration on CORE
---|---|---
Name | CORE | -
IP address | 192.168.11.254 | IP address of VLANIF 1000, which is used by CORE to communicate with Agile Controller-Campus
Device series | Huawei S Series | -
Authentication/Accounting key | Admin@123 | radius-server shared-key cipher Admin@123
Authorization key | Admin@123 | radius-server authorization 192.168.11.1 shared-key cipher Admin@123
Real-time accounting interval (minute) | 15 | accounting realtime 15
Port | 2000 | Port 2000 is used by default. You can run the web-auth-server listening-port port-number command in the system view to change the port number.
Portal key | Admin@123 | shared-key cipher Admin@123
Access terminal IPv4 list | 172.16.30.0/24; 172.16.40.0/24 | IP addresses of guests, corresponding to IP address pools on VLANIF 30 and VLANIF 40
Enable heartbeat between access device and Portal server | Selected | Only when Enable heartbeat between access device and Portal server is selected and the Portal server IP address is added to the Portal server IP address list can the Portal server periodically send heartbeat packets to CORE, based on which CORE determines the Portal server status. This configuration corresponds to the server-detect command configured in the Portal server template view on CORE.
Portal server IP address list | 192.168.11.1 | 
Figure 2-69 Adding a device
- Create user groups and accounts. The following describes how to configure the user group Employee. The configuration of the user group Guest is similar.
Choose Resource > User > User Management.
- Click the icon in the operation area on the left, and create the user group Employee.
Figure 2-70 Adding a user group
- Click Add in the operation area on the right, and add an account.
Figure 2-71 Adding an account
- Click Transfer in the operation area on the right, and add the account to the user group Employee.
Figure 2-72 Adding an account to a user group
- Enable MAC address-prioritized Portal authentication.
Choose System > Terminal Configuration > Global Parameters > Access Management.
On the Configure MAC Address-Prioritized Portal Authentication tab page, enable MAC address-prioritized Portal authentication, and set Validity period of MAC address (min) to 60.
Figure 2-73 Configuring MAC address-prioritized Portal authentication
- Configure authorization. End users will match authorization rules based on specified conditions. The following describes how to configure authorization for employees. The configuration for guests is similar.
Choose Policy > Permission Control > Authentication & Authorization > Authorization Result, and configure a post-authentication domain for employees.
Figure 2-74 Adding an authorization result
Configure authorization rules for employees and guests according to Table 2-94. The following describes how to configure authorization rules for wired access of employees. The configuration for guests is similar.
Table 2-94 Authorization rules for employees and guests

Name | User Group | Terminal IP Address Range | SSID | Authorization Result
---|---|---|---|---
Wired employees authorization rule | Employee | wire | - | Employees_post-authentication_domain
Wireless employees authorization rule | Employee | - | test01 | Employees_post-authentication_domain
Guests authorization rule | Guest | - | test02 | Guests_post-authentication_domain
- Choose Resource > User > IP Address Range, set the name of an IP address range to wire, and add IP address segments 172.16.50.0/24 and 172.16.60.0/24.
Figure 2-75 Adding an IP address range
- Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule.
Figure 2-76 Adding an authorization rule
Verifying the Deployment
Check Item | Expected Result
---|---
Employee authentication | 
Guest authentication | 

```
[CORE] display access-user username user1 detail
  Basic:
  User ID                        : 81564
  User name                      : user1                      //User name
  Domain-name                    : huawei.com                 //Authentication domain
  User MAC                       : 00e0-fc12-3344
  User IP address                : 192.168.50.111
  User vpn-instance              : -
  User IPv6 address              : FE80::E9AA:9FE9:95F9:C499
  User IPv6 link local address   : FE80::E9AA:9FE9:95F9:C499
  User access Interface          : Eth-Trunk10
  User vlan event                : Success
  QinQVlan/UserVlan              : 0/50
  User vlan source               : user request
  User access time               : 2019/10/22 02:00:03
  User accounting session ID     : LSW900210000000050ad****0203e9c
  User access type               : 802.1x                     //User access type
  AS ID                          : 1
  AS name                        : as-layer2-1                //AS on which the user goes online
  AS IP                          : 192.168.20.212
  AS MAC                         : 00e0-fc12-4455
  AS Interface                   : GigabitEthernet0/0/10      //AS interface on which the user goes online
  Terminal Device Type           : Data Terminal
  Dynamic ACL ID(Effective)      : 3001                       //Authorization information

  AAA:
  User authentication type       : 802.1x authentication      //Authentication mode
  Current authentication method  : RADIUS
  Current authorization method   : -
  Current accounting method      : RADIUS
  ------------------------------------------------------------------------------
  Total: 1, printed: 1
```
Choose Resource > User > RADIUS Log on Agile Controller-Campus to check RADIUS authentication logs of the employee account.
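The display output above is what an operator reads by eye when verifying one session. When the check has to be repeated for many users, parsing the output and comparing the effective authorization ACL with the expected one for the user's group catches a server that delivered no ACL or the wrong one. The script below is an added example (not Huawei's or Agile Controller-Campus's code) that parses a constructed excerpt modelled on the output on this page; the excerpt for a guest session without an authorization ACL is likewise constructed, and the expected ACL per group (3001 for employees, 3002 for guests) is taken from the post-authentication domains configured on CORE.

```python
"""Added example: parse 'display access-user username <user> detail' output and
check that the authorization in effect matches the user's group. Sample output
is constructed from the excerpt on this page; not vendor code."""
import re
from typing import Dict, List

# Constructed excerpt modelled on the employee output shown on the page,
# one "Key : value" per line as the switch prints it (trailing // remarks kept).
SAMPLE_EMPLOYEE = """\
  Basic:
  User name                      : user1                      //User name
  Domain-name                    : huawei.com                 //Authentication domain
  User MAC                       : 00e0-fc12-3344
  User IP address                : 192.168.50.111
  User IPv6 address              : FE80::E9AA:9FE9:95F9:C499
  QinQVlan/UserVlan              : 0/50
  User access type               : 802.1x
  AS name                        : as-layer2-1
  AS Interface                   : GigabitEthernet0/0/10
  Dynamic ACL ID(Effective)      : 3001                       //Authorization information
  AAA:
  User authentication type       : 802.1x authentication
  Current authentication method  : RADIUS
  Current accounting method      : RADIUS
  ------------------------------------------------------------------------------
  Total: 1, printed: 1
"""

# Constructed: a guest session that came up with no authorization ACL in effect.
SAMPLE_GUEST_NO_ACL = """\
  User name                      : guest1
  Domain-name                    : huawei.com
  User IP address                : 172.16.40.23
  User access type               : portal
  AS name                        : as-layer2-2
  Current authentication method  : RADIUS
"""

# Expected authorization per user group, from the post-authentication
# domains on CORE: ACL 3001 for employees, ACL 3002 for guests.
EXPECTED_ACL = {"Employee": "3001", "Guest": "3002"}
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")


def parse_access_user(output: str) -> Dict[str, str]:
    """Turn the 'Key : value' lines into a dict; '//' remarks are dropped and
    values containing colons (IPv6 addresses) survive because the key is the
    text before the first colon."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.split("//", 1)[0]
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def check_authorization(output: str, group: str, domain: str = "huawei.com") -> List[str]:
    """Return a list of problems; an empty list means the session matches
    the intended domain, RADIUS authentication and authorization ACL."""
    f = parse_access_user(output)
    problems: List[str] = []
    if f.get("Domain-name") != domain:
        problems.append(f"domain is {f.get('Domain-name')!r}, expected {domain!r}")
    if f.get("Current authentication method") != "RADIUS":
        problems.append("authentication was not performed by RADIUS")
    acl = f.get("Dynamic ACL ID(Effective)")
    if acl is None:
        problems.append("no authorization ACL in effect: server delivered none or ACL missing on CORE")
    elif acl != EXPECTED_ACL[group]:
        problems.append(f"ACL {acl} in effect, expected {EXPECTED_ACL[group]} for {group}")
    return problems


if __name__ == "__main__":
    print("employee:", check_authorization(SAMPLE_EMPLOYEE, "Employee") or "OK")
    print("guest:", check_authorization(SAMPLE_GUEST_NO_ACL, "Guest") or "OK")
```

Feeding the script the output of `display access-user ... detail` for each account after the RADIUS log check gives a per-user pass/fail on the three things this deployment relies on: the forcible domain, RADIUS as the authentication method, and the authorization ACL delivered by Agile Controller-Campus.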
Configuration Files
- CORE configuration file
```
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
stp mode rstp
#
authentication-profile name p1
 dot1x-access-profile d1
 portal-access-profile web1
 free-rule-template default_free_rule
 access-domain huawei.com force
authentication-profile name p2
 mac-access-profile mac1
 portal-access-profile web1
 free-rule-template default_free_rule
 access-domain huawei.com force
authentication-profile name p3
 dot1x-access-profile d1
 free-rule-template default_free_rule
 access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
 radius-server shared-key cipher %^%#qQ|nH:|:'FgpyL5UC4Z2)/xvM$9LeJLmE~Z{k]g4%^%#
 radius-server authentication 192.168.11.1 1812 weight 80
 radius-server accounting 192.168.11.1 1813 weight 80
radius-server authorization 192.168.11.1 shared-key cipher %^%#="WcD4CxUB5)$q=hN3C=}Oq:"|2Zw-z\z_1{_|r~%^%#
#
acl number 3001
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.11.3 0
 rule 3 deny ip
acl number 3002
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 deny ip
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.11.2 mask 255.255.255.255
#
web-auth-server tem_portal
 server-ip 192.168.11.1
 port 50200
 shared-key cipher %^%#_M::Zym'FA[(u+HjUyPHzPbG$T;hE%Bx"n$(w@S'%^%#
 url http://192.168.11.1:8080/portal
#
portal-access-profile name web1
 web-auth-server tem_portal direct
#
drop-profile default
#
vlan 30
 dhcp snooping enable
vlan 40
 dhcp snooping enable
vlan 50
 dhcp snooping enable
vlan 60
 dhcp snooping enable
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 dhcp select interface
#
interface Vlanif30
 ip address 172.16.30.1 255.255.255.0
 dhcp select interface
#
interface Vlanif40
 ip address 172.16.40.1 255.255.255.0
 dhcp select interface
#
interface Vlanif50
 ip address 172.16.50.1 255.255.255.0
 dhcp select interface
#
interface Vlanif60
 ip address 172.16.60.1 255.255.255.0
 dhcp select interface
#
interface Vlanif1000
 ip address 192.168.11.254 255.255.255.0
 dhcp select interface
#
interface Eth-Trunk10
 port link-type hybrid
 port hybrid tagged vlan 1 20 50
 stp root-protection
 stp edged-port disable
 mode lacp
 loop-detection disable
 mad relay
#
interface XGigabitEthernet1/1/0/1
 eth-trunk 10
#
interface XGigabitEthernet2/1/0/2
 eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
 eth-trunk 20
#
interface XGigabitEthernet2/1/0/1
 eth-trunk 20
#
interface XGigabitEthernet1/2/0/1
 port link-type access
 port default vlan 1000
#
capwap source interface vlanif20
#
wlan
 traffic-profile name traff1
  user-isolate l2
 traffic-profile name default
 security-profile name sec1
  security wpa2 dot1x aes
 security-profile name default
 security-profile name default-wds
 security-profile name default-mesh
 ssid-profile name ssid1
  ssid test01
 ssid-profile name ssid2
  ssid test02
 ssid-profile name default
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
  ssid-profile ssid1
  security-profile sec1
  traffic-profile traff1
  authentication-profile p3
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 40
  ssid-profile ssid2
  security-profile sec2
  traffic-profile traff2
  authentication-profile p2
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name default
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name domain
 regulatory-domain-profile name default
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-profile name default
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 ap-group name default
 ap-group name ap-group
  regulatory-domain-profile domain
 ap-group name ap-group1
  radio 0
   vap-profile vap1 wlan 1
  radio 1
   vap-profile vap1 wlan 1
 ap-id 1 type-id 30 ap-mac 00e0-fc12-4400 ap-sn 2102355547W0E3000316
  ap-name area_1
  ap-group ap-group
 provision-ap
wlan work-group default
#
as-auth
 undo auth-mode
 whitelist mac-address 00e0-fc00-0011
 whitelist mac-address 00e0-fc00-0022
 whitelist mac-address 00e0-fc00-0033
 whitelist mac-address 00e0-fc00-0044
#
uni-mng
 as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0011
  down-direction fabric-port 1 member-group interface Eth-Trunk 30
  port Eth-Trunk 30 trunkmember interface GigabitEthernet0/0/3
 as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0022
  down-direction fabric-port 1 member-group interface Eth-Trunk 40
  port Eth-Trunk 10 trunkmember interface GigabitEthernet0/0/4
 as name as-layer2-1 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0033
 as name as-layer2-2 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0044
 interface fabric-port 1
  port member-group interface Eth-Trunk 10
 interface fabric-port 2
  port member-group interface Eth-Trunk 20
 interface fabric-port 3
  port member-group interface Eth-Trunk 30
 interface fabric-port 4
  port member-group interface Eth-Trunk 40
 as-admin-profile name admin_profile
  user asuser password %^%#@ROwA@p_b1-Y5,#^8JYBZ~w-&ZE2KL;EKLVI4%^%#
 network-basic-profile name basic_profile_1
  pass-vlan 50
 network-basic-profile name basic_profile_2
  pass-vlan 60
 network-basic-profile name basic_profile_3
  pass-vlan 50
 network-basic-profile name basic_profile_4
  pass-vlan 60
 user-access-profile name test01
  authentication-profile p1
 as-group name admin_group
  as-admin-profile admin_profile
  as name as-layer1-1
  as name as-layer1-2
  as name as-layer2-1
  as name as-layer2-2
 port-group name port_group_1
  network-basic-profile basic_profile_1
  as name as-layer1-1 interface all
 port-group name port_group_2
  network-basic-profile basic_profile_2
  as name as-layer1-2 interface all
 port-group name port_group_3
  network-basic-profile basic_profile_3
  as name as-layer2-1 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
  user-access-profile test01
 port-group name port_group_4
  network-basic-profile basic_profile_4
  as name as-layer2-2 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
  user-access-profile test01
 port-group connect-ap name ap
  as name as-layer2-1 interface GigabitEthernet 0/0/3
  as name as-layer2-2 interface GigabitEthernet 0/0/3
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
return
```