S1720GFR, S2700, S5700, and S6720 V200R010C00 Web-based Configuration Guide

This document describes how to configure and maintain the device through the web network management system. The web network management system provides functions for viewing device information and managing the entire system, interfaces, services, ACL, QoS, routes, security, and tools.
Example for Configuring 802.1x Authentication (Authentication Point on the Access Switch)

Networking Requirements

In Figure 1-314, terminals in a company's offices are connected to the company's intranet through the switch. GE0/0/2 to GE0/0/n on the switch are directly connected to terminals in offices. GE0/0/1 on the switch is connected to the RADIUS server through the intranet.

To meet the company's high security requirements, configure 802.1x authentication, use the RADIUS server to authenticate terminals in offices, and deploy authentication points on GE0/0/2 to GE0/0/n of the switch.
Figure 1-314  Networking diagram for configuring 802.1x authentication

Configuration Roadmap

The configuration roadmap is as follows:

  1. Specify the VLANs to which interfaces belong.
  2. Configure an IP address for each VLANIF interface.
  3. Configure AAA on the switch to implement identity authentication on access users through the RADIUS server. The configuration includes configuring a RADIUS server template, an AAA scheme, and an authentication domain, and binding the RADIUS server template and AAA scheme to the authentication domain.
  4. Configure 802.1x authentication to control network access rights of the employees in offices, including the 802.1x profile, authentication profile, and 802.1x authentication on interfaces.
NOTE:

Before performing the following operations, ensure that there are reachable routes between user terminals and the server.

Procedure

  1. Specify the VLANs to which interfaces belong.
    1. Choose Configuration > Basic Services > Interface Settings. Click Connect to PC.
    2. Select GE0/0/2 from Step 2: Select Interface, set Interface Status below Step 3: Configure Interface to ON, and enter 20 for Default VLAN. The other parameters do not need to be set. Configure GE0/0/1 in the same way, as shown in Figure 1-315 and Figure 1-316.

      Figure 1-315  Configure GE0/0/2

      Figure 1-316  Configure GE0/0/1

    3. Click Apply. In the dialog box that is displayed, click OK.
    4. The configurations of GE0/0/3 to GE0/0/n are the same as the configuration of GE0/0/2.
  2. Configure an IP address for each VLANIF interface.
    1. Choose Configuration > Basic Services > VLAN to access the VLAN configuration page.
    2. Click a record below VLAN ID to open the Modify VLAN page. Select Create VLANIF and set IPv4 address and Mask, as shown in Figure 1-317 and Figure 1-318.

      Figure 1-317  Configure VLANIF 10

      Figure 1-318  Configure VLANIF 20

    3. After setting the parameters, click OK.
  3. Configure AAA.
    1. Run the authentication unified-mode command in the system view to set the NAC mode to unified.

      NOTE:

      By default, the unified mode is used. The switch restarts after the NAC mode is changed between the common mode and unified mode.

    2. Choose Configuration > Security Services > AAA, click the RADIUS tab, click the RADIUS Server Profile tab, and click Create to create and configure the RADIUS server template rd1. Set parameters according to Figure 1-319 and click OK.

      Figure 1-319  Configure a RADIUS server template

    3. Choose Configuration > Security Services > AAA, click the RADIUS tab, click the Authentication/Accounting Server tab, and click Create to create and configure an authentication server rd1. Set parameters according to Figure 1-320 and click OK.

      Figure 1-320  Configure an authentication server

    4. Click the Authentication/Authorization/Accounting Scheme tab, and click Create to create the AAA authentication scheme abc and set the authentication mode to RADIUS. Set parameters according to Figure 1-321 and click OK.

      Figure 1-321  Configure an AAA authentication scheme

    5. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile > Domain Profile to open the Domain Profile List page. Click Create to access the Create Domain Profile page. Enter huawei.com for Profile name and click OK. The authentication domain huawei.com is created and the AAA authentication scheme abc and RADIUS server template rd1 are bound to the authentication domain. Set parameters according to Figure 1-322 and click Apply.

      Figure 1-322  Configure an authentication domain

  4. Configure 802.1x authentication.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile > 802.1X Profile to access the 802.1X Profile List page. Click Create. The Create 802.1X Profile page is displayed. Enter d1 for Profile name and click OK to create an 802.1x profile. Set parameters according to Figure 1-323 and click Apply to complete the configuration of the 802.1x profile d1.

      Figure 1-323  Configure the 802.1x profile

    2. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile to access the Authentication Profile List page. Click Create and enter p1 for Profile name, as shown in Figure 1-324. Click OK to create the authentication profile p1.

      Figure 1-324  Create an Authentication Profile

    3. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile > p1 > 802.1X Profile. Select d1 from the 802.1X Profile drop-down list, as shown in Figure 1-325, and click Apply to bind the 802.1x profile d1 to the authentication profile p1.

      Figure 1-325  Bind the authentication profile to 802.1x profile

    4. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile > p1 > Domain Profile. Select huawei.com from the Domain Profile drop-down list, as shown in Figure 1-326, and click Apply to apply the authentication domain huawei.com to the authentication profile p1.

      Figure 1-326  Bind authentication profile to authentication domain

    5. Choose Configuration > Security Services > AAA Service App > Wired Interface Authentication. Select GE0/0/2 on the front panel. Select p1 from Authentication Profile, as shown in Figure 1-327, and click Apply. Configure GE0/0/3 to GE0/0/n in the same way.

      Figure 1-327  Bind authentication profile to interface

Operation Result

  • Start the 802.1x client on a terminal, and enter the user name and password for authentication.
  • If the user name and password are correct, the client page displays an authentication success message and you can access the Internet.
  • After going online, log in to the web system. Choose Monitoring > User > Wired User Statistics. The 802.1x user information is displayed.
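
A complementary check, added here as an example and not part of the Huawei guide: the script below audits a saved configuration to confirm that every terminal-facing port carries authentication profile p1, and that p1 is bound to the 802.1x profile d1 and the domain huawei.com, so that no port from GE0/0/2 to GE0/0/n is left open. The configuration excerpt is constructed, its CLI text form is an assumption (the page shows only the web UI), and `parse_sections` and `audit` are hypothetical helper names.

```python
# Constructed excerpt in the style of saved switch configuration text (assumed
# syntax; the page shows only the web UI). GE0/0/4 is deliberately left unbound.
SAMPLE_CONFIG = """\
authentication-profile name p1
 dot1x-access-profile d1
 access-domain huawei.com force
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
 port default vlan 20
 authentication-profile p1
#
interface GigabitEthernet0/0/4
 port default vlan 20
#
"""

def parse_sections(text):
    """Map each unindented config line to the indented lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "#"):
            current = None
        elif not line.startswith(" "):
            current = sections.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return sections

def audit(text, uplinks=("GigabitEthernet0/0/1",), profile="p1",
          dot1x="d1", domain="huawei.com"):
    """Return findings; an empty list means every access port enforces 802.1x."""
    sections, findings = parse_sections(text), []
    body = sections.get(f"authentication-profile name {profile}")
    if body is None:
        findings.append(f"authentication profile {profile} is not defined")
    else:
        if f"dot1x-access-profile {dot1x}" not in body:
            findings.append(f"{profile} is not bound to 802.1x profile {dot1x}")
        if not any(l.split()[:2] == ["access-domain", domain] for l in body):
            findings.append(f"{profile} is not bound to domain {domain}")
    for header, lines in sections.items():
        name = header.split()[-1]
        if not header.startswith("interface GigabitEthernet") or name in uplinks:
            continue
        if f"authentication-profile {profile}" not in lines:
            findings.append(f"{name} has no authentication profile {profile}")
    return findings
```

GE0/0/1 is exempted because it faces the RADIUS server rather than a terminal; calling `audit(SAMPLE_CONFIG)` reports only the unbound GE0/0/4.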
Updated: 2019-04-18

Document ID: EDOC1000114003
