No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring 802.1X Authentication to Control Internal User Access

Example for Configuring 802.1X Authentication to Control Internal User Access

Networking Requirements

As shown in Figure 3-16, many users on a company access network through GE0/0/1 of the Switch (used as an access device). After the network operates for a period of time, attacks are detected. The administrator must control network access rights of user terminals to ensure network security. The Switch allows user terminals to access Internet resources only after they are authenticated.

Figure 3-16  Networking diagram for configuring 802.1X authentication

Configuration Roadmap

To control the network access permission of users, the administrator can configure 802.1X authentication on the Switch after the server with the IP address 192.168.2.30 is used as the RADIUS server.

The configuration roadmap is as follows (configured on the Switch):

  1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain. Bind the RADIUS server template and the AAA scheme to the ISP domain. The Switch can then exchange information with the RADIUS server.
  2. Configure 802.1X authentication.
    1. Enable 802.1X authentication globally and on the interface.
    2. Enable MAC address bypass authentication to authenticate terminals (such as printers) that cannot install 802.1X authentication client software.
NOTE:

Before configuring this example, ensure that devices can communicate with each other in the network.

In this example, the LAN switch exists between the access switch Switch and users. To ensure that users can pass 802.1X authentication, you must configure the EAP packet transparent transmission function on the LAN switch. The S600-E is used as an example of the LAN switch. Perform the following operations:
  1. Run the l2protocol-tunnel user-defined-protocol 802.1X protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 command in the system view of the LAN switch to configure the LAN switch to transparently transmit EAP packets.
  2. Run the l2protocol-tunnel user-defined-protocol 802.1X enable command on the interface connecting to users and the interface connecting to the access switch to enable the Layer 2 protocol transparent transmission function.

Procedure

  1. Create VLANs and configure the VLAN allowed by the interface to ensure network communication.

    # Create VLAN 10 and VLAN 20.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 10 20
    

    # On the Switch, set GE0/0/1 connecting to users as an access interface, and add GE0/0/1 to VLAN 10.

    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] port link-type access
    [Switch-GigabitEthernet0/0/1] port default vlan 10 
    [Switch-GigabitEthernet0/0/1] quit
    NOTE:

    Configure the interface type and VLANs according to the actual situation. In this example, users are added to VLAN 10.

    # On the Switch, set GE0/0/2 connecting to the RADIUS server as an access interface, and add GE0/0/2 to VLAN 20.

    [Switch] interface gigabitethernet 0/0/2
    [Switch-GigabitEthernet0/0/2] port link-type access
    [Switch-GigabitEthernet0/0/2] port default vlan 20
    [Switch-GigabitEthernet0/0/2] quit

  2. Create and configure a RADIUS server template, an AAA scheme, and an authentication domain.

    # Create and configure RADIUS server template rd1.

    [Switch] radius-server template rd1
    [Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
    [Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
    [Switch-radius-rd1] quit

    # Create AAA scheme abc and set the authentication mode to RADIUS.

    [Switch] aaa
    [Switch-aaa] authentication-scheme abc
    [Switch-aaa-authen-abc] authentication-mode radius
    [Switch-aaa-authen-abc] quit

    # Create authentication domain isp1, and bind AAA scheme abc and RADIUS server template rd1 to authentication domain isp1.

    [Switch-aaa] domain isp1
    [Switch-aaa-domain-isp1] authentication-scheme abc
    [Switch-aaa-domain-isp1] radius-server rd1
    [Switch-aaa-domain-isp1] quit
    [Switch-aaa] quit

    # Configure the default domain isp1 in the system view. When a user enters the user name in the format of user@isp1, the user is authenticated in the authentication domain isp1. If the user name does not carry the domain name or carries a nonexistent domain name, the user is authenticated in the default domain.

    [Switch] domain isp1

    # Test whether a user can be authenticated using RADIUS authentication. A user name test@huawei.com and password Huawei2012 have been configured on the RADIUS server.

    [Switch] test-aaa test@huawei.com Huawei2012 radius-template rd1
    Info: Account test succeed.

  3. Configure 802.1X authentication.

    # Switch the NAC mode to common mode.

    [Switch] undo authentication unified-mode
    Warning: Switching the authentication mode will take effect after system restart
    . Some configurations are invalid after the mode is switched. For the invalid co
    mmands, see the user manual. Save the configuration file and reboot now? [Y/N] y
    NOTE:
    • By default, the NAC unified mode is used.
    • After the unified mode is switched to common mode, you must save the configuration and restart the device to make each function in the new configuration mode take effect.

    # Enable 802.1X authentication globally and on an interface.

    <Switch> system-view
    [Switch] dot1x enable
    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] dot1x enable
    NOTE:

    By default, 802.1X authentication can be triggered through ARP packets. To configure triggering of 802.1X authentication through DHCP packets, run the dot1x dhcp-trigger command in the system view.

    # Configure MAC address bypass authentication.

    [Switch-GigabitEthernet0/0/1] dot1x mac-bypass

  4. Verify the configuration.

    1. Run the display dot1x command to check the 802.1X authentication configuration. The command output (802.1X protocol is Enabled) shows that the 802.1X authentication has been enabled on the interface GE0/0/1.
    2. The user starts the 802.1X client on the terminal, and enters the user name and password for authentication.
    3. If the user name and password are correct, an authentication success message is displayed on the client page. The user can access the network.
    4. After the user goes online, you can run the display access-user command on the device to check the online 802.1X user information.

Configuration Files

Switch configuration file

#   
sysname Switch  
#                                                                                      
vlan batch 10 20
#                                                                               
undo authentication unified-mode
#                                                                               
domain isp1
#
dot1x enable 
#
radius-server template rd1
 radius-server shared-key cipher %^%#t67cDelRvAQg;*"4@P/3~q_31Sn{ST\V8'Ci633)%^%#
 radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
 authentication-scheme abc
  authentication-mode radius
 domain isp1
  authentication-scheme abc
  radius-server rd1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10                                              
 dot1x mac-bypass                                                               
#                                                                              
interface GigabitEthernet0/0/2            
 port link-type access                                                          
 port default vlan 20
# 
return
Translation
Download
Updated: 2019-08-21

Document ID: EDOC1000141885

Views: 54870

Downloads: 10

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next