No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring 802.1X Authentication

Example for Configuring 802.1X Authentication

Networking Requirements

As shown in Figure 3-12, many users on a company access network through Eth2/0/0 of the Router (used as an access device). After the network operates for a period of time, attacks are detected. The administrator must control network access rights of user terminals to ensure network security. The Router allows user terminals to access Internet resources only after they are authenticated.

Figure 3-12  Networking diagram for configuring 802.1X authentication

Configuration Roadmap

To control the network access permission of users, the administrator can configure 802.1X authentication on the Router after the server with the IP address 192.168.2.30 is used as the RADIUS server.

The configuration roadmap is as follows (configured on the Router):

  1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain. Bind the RADIUS server template and the AAA scheme to the ISP domain. The Router can then exchange information with the RADIUS server.
  2. Configure 802.1X authentication to control network access rights of the employees in offices. The configuration includes:
    1. Configure an 802.1X access profile.
    2. Configure an authentication profile.
    3. Enable 802.1X authentication on an interface.
NOTE:

Before performing operations in this example, ensure that user access terminals and the server can communicate.

This example only provides the configurations on the Router. The configurations on the LAN switch and RADIUS server are not provided here.

Procedure

  1. Create VLANs and configure the VLAN allowed by the interface to ensure network communication.

    # Create VLAN 10 and VLAN 20.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] vlan batch 10 20
    

    # On the Router, set Eth2/0/0 connecting to users as an access interface, and add Eth2/0/0 to VLAN 10.

    [Router] interface ethernet 2/0/0
    [Router-Ethernet2/0/0] port link-type access
    [Router-Ethernet2/0/0] port default vlan 10 
    [Router-Ethernet2/0/0] quit
    NOTE:

    Configure the interface type and VLANs according to the actual situation. In this example, users are added to VLAN 10.

    # On the Router, set Eth2/0/1 connecting to the RADIUS server as an access interface, and add Eth2/0/1 to VLAN 20.

    [Router] interface ethernet 2/0/1
    [Router-Ethernet2/0/1] port link-type access
    [Router-Ethernet2/0/1] port default vlan 20
    [Router-Ethernet2/0/1] quit

  2. Create and configure a RADIUS server template, an AAA scheme, and an authentication domain.

    # Create and configure RADIUS server template rd1.

    [Router] radius-server template rd1
    [Router-radius-rd1] radius-server authentication 192.168.2.30 1812
    [Router-radius-rd1] radius-server shared-key cipher Huawei@2012
    [Router-radius-rd1] quit

    # Create AAA scheme abc and set the authentication mode to RADIUS.

    [Router] aaa
    [Router-aaa] authentication-scheme abc
    [Router-aaa-authen-abc] authentication-mode radius
    [Router-aaa-authen-abc] quit

    # Create authentication domain isp1, and bind AAA scheme abc and RADIUS server template rd1 to authentication domain isp1.

    [Router-aaa] domain isp1
    [Router-aaa-domain-isp1] authentication-scheme abc
    [Router-aaa-domain-isp1] radius-server rd1
    [Router-aaa-domain-isp1] quit
    [Router-aaa] quit

    # Test whether a user can be authenticated using RADIUS authentication. A user name test@huawei.com and password Huawei2012 have been configured on the RADIUS server.

    [Router] test-aaa test@huawei.com Huawei2012 radius-template rd1
    Info: Account test succeed.

  3. Configure 802.1X authentication.

    # Configure the 802.1X access profile d1.
    NOTE:

    By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.

    [Router] dot1x-access-profile name d1
    [Router-dot1x-access-profile-d1] quit

    # Configure the authentication profile p1, bind the 802.1X access profile d1 to the authentication profile, and specify the domain isp1 as the forcible authentication domain in the authentication profile.

    [Router] authentication-profile name p1
    [Router-authen-profile-p1] dot1x-access-profile d1
    [Router-authen-profile-p1] access-domain isp1 force
    [Router-authen-profile-p1] quit

    # Bind the authentication profile p1 to Eth2/0/0 and enable 802.1X authentication on the interface.

    [Router] interface ethernet 2/0/0
    [Router-Ethernet2/0/0] authentication-profile p1
    [Router-Ethernet2/0/0] quit
    

  4. Verify the configuration.

    1. Run the display dot1x command to check the 802.1X authentication configuration. The command output (802.1X protocol is Enabled) shows that the 802.1X authentication has been enabled on the interface Eth2/0/0.
    2. The user starts the 802.1X client on the terminal, and enters the user name and password for authentication.
    3. If the user name and password are correct, an authentication success message is displayed on the client page. The user can access the network.
    4. After the user goes online, you can run the display access-user command on the device to check the online 802.1X user information.

Configuration Files

Router configuration file

#
sysname Router
#
vlan batch 10 20
#
authentication-profile name p1
 dot1x-access-profile d1
 access-domain isp1 force
#
radius-server template rd1
 radius-server shared-key cipher %^%#5Cz2!R*M%NaEr^6.].')L/$!!xTKZ<!!!!!!!!!!%^%#
 radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
 authentication-scheme abc
  authentication-mode radius
 domain isp1
  authentication-scheme abc
  radius-server rd1
#
interface Ethernet2/0/0
 port link-type access
 port default vlan 10
 authentication-profile p1
#
interface Ethernet2/0/1
 port link-type access
 port default vlan 20
#
dot1x-access-profile name d1
#
return
Translation
Download
Updated: 2019-05-20

Document ID: EDOC1100034077

Views: 113072

Downloads: 208

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next