No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring 802.1X Authentication (Authentication Point on the Aggregation Switch)

Example for Configuring 802.1X Authentication (Authentication Point on the Aggregation Switch)

Networking Requirements

In Figure 4-22, terminals in a company's offices are connected to the company's intranet through GE0/0/2 to GE0/0/n on SwitchB. GE0/0/1 on the access switch SwitchB is connected to GE1/0/2 on the aggregation switch SwitchA.

To meet the company's high security requirements, configure 802.1X authentication, use the RADIUS server to authenticate terminals in offices, and deploy the authentication point on GE1/0/2 of SwitchA to facilitate maintenance and reduce the number of authentication points.

Figure 4-22  Networking diagram for configuring 802.1X authentication


  1. Configure SwitchB.

    # Configure transparent transmission of 802.1X packets. The following uses the configuration of the downlink interface GE0/0/2 as an example. The configurations of other downlink interfaces (GE0/0/2 to GE0/0/n) are similar to the configuration of GE0/0/2, and are not mentioned here.
    The Layer 2 switch SwitchB is deployed between the authentication switch SwitchA and users. Transparent transmission of 802.1X packets must be configured on SwitchB so that SwitchA can perform 802.1X authentication for users. An S5700LI switch is used as the access switch in this example.
    [SwitchB] l2protocol-tunnel user-defined-protocol 802.1X protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
    [SwitchB] interface gigabitethernet 0/0/2
    [SwitchB-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol 802.1X enable
    [SwitchB-GigabitEthernet0/0/2] bpdu enable
    [SwitchB-GigabitEthernet0/0/2] quit
    [SwitchB] interface gigabitethernet 0/0/1
    [SwitchB-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1X enable
    [SwitchB-GigabitEthernet0/0/1] bpdu enable
    [SwitchB-GigabitEthernet0/0/1] quit

  2. Configure SwitchA.

    # Configure AAA.
    1. Create and configure the RADIUS server template rd1.

      [SwitchA] radius-server template rd1
      [SwitchA-radius-rd1] radius-server authentication 1812
      [SwitchA-radius-rd1] radius-server shared-key cipher Huawei@2012
      [SwitchA-radius-rd1] quit
    2. Create the AAA authentication scheme abc and set the authentication mode to RADIUS.

      [SwitchA] aaa
      [SwitchA-aaa] authentication-scheme abc
      [SwitchA-aaa-authen-abc] authentication-mode radius
      [SwitchA-aaa-authen-abc] quit
    3. Create the authentication domain, and bind the AAA authentication scheme abc and RADIUS server template rd1 to the domain.

      [SwitchA-aaa] domain
      [] authentication-scheme abc
      [] radius-server rd1
      [] quit
      [SwitchA-aaa] quit
    4. Check whether a user can pass RADIUS authentication. (The test user test and password Huawei2012 have been configured on the RADIUS server.)

      [SwitchA] test-aaa test Huawei2012 radius-template rd1
      Info: Account test succeed.
    # Configure 802.1X authentication.
    1. Change the NAC mode to unified.

      By default, the unified mode is enabled. After changing the NAC mode, the device automatically restarts.

      [SwitchA] authentication unified-mode
    2. Configure the 802.1X access profile d1.

      By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.

      [SwitchA] dot1x-access-profile name d1
      [SwitchA-dot1x-access-profile-d1] quit
    3. Configure the authentication profile p1, bind the 802.1X access profile d1 to the authentication profile, specify the domain as the forcible authentication domain in the authentication profile, set the user access mode to multi-authen, and set the maximum number of access users to 100.

      [SwitchA] authentication-profile name p1
      [SwitchA-authen-profile-p1] dot1x-access-profile d1
      [SwitchA-authen-profile-p1] access-domain force
      [SwitchA-authen-profile-p1] authentication mode multi-authen max-user 100
      [SwitchA-authen-profile-p1] quit
    4. # Bind the authentication profile p1 to GE1/0/2 and enable 802.1X authentication.

      [SwitchA] interface gigabitethernet 1/0/2
      [SwitchA-GigabitEthernet1/0/2] authentication-profile p1
      [SwitchA-GigabitEthernet1/0/2] quit
    5. # (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets.

      [SwitchA] access-user arp-detect vlan 20 ip-address mac-address 2222-1111-1234

  3. Verify the configuration.

    1. A user starts the 802.1X client on a terminal, and enters the user name and password for authentication.
    2. If the user name and password are correct, an authentication success message is displayed on the client page. The user can access the network.
    3. After users go online, you can run the display access-user access-type dot1x command on the switch to view information about online 802.1X authentication users.

Updated: 2019-10-21

Document ID: EDOC1000178117

Views: 123056

Downloads: 58

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next