NE40E V800R010C10SPC500 Configuration Guide - User Access 01
Configuring 802.1X Access Services

Before configuring 802.1X access services, familiarize yourself with the usage scenario, complete the pre-configuration tasks, and obtain the data required for the configuration.

Usage Scenario

To prevent unauthorized users or devices from gaining access to a network and ensure network security, you can configure 802.1X access services to allow only authorized users to access the network.

Pre-configuration Tasks

  • Configure link-layer protocol parameters for interfaces to go Up at the link layer.
  • Configure a routing protocol to implement IP connectivity of the network.

Configuration Procedures

Perform one or more of the following configurations as required.

Creating a Dot1x Template

When 802.1X authentication is used, an authentication server and 802.1X client perform authentication negotiation based on parameters defined in a dot1x template.

Context

After a dot1x template is created in the system view, configure parameters for the dot1x template:
  • Run the eap-end command to specify the authentication method for 802.1X users using the dot1x template. Choose EAP termination mode or EAP relay mode as required.
  • Run the authentication timeout command in the template view to set the timeout period for the BRAS to wait for an EAP Response packet from the authentication server. If the BRAS does not receive an EAP Response packet from the authentication server within the specified timeout period, the BRAS considers the user offline and logs the user out.
  • During 802.1X authentication, the BRAS sends an EAP-Request/Identity packet to the client. If you want the BRAS to retransmit the packet when the client does not respond, run the request command to set the timeout period for the BRAS to wait for an EAP-Response/Identity packet from the client and the number of retransmissions of EAP-Request/Identity packets. If the client does not respond with an EAP-Response/Identity packet within the timeout period and after packet retransmissions reach the specified number, the user is logged out.
  • If users go online through 802.1X authentication, run the reauthentication interval command to set the interval for the BRAS to send re-authentication request packets. If re-authentication fails, the users are logged out to ensure that only authorized users can access the network.
  • In some cases, accounting continues after 802.1X users go offline. To resolve such issues, run the keepalive command to set the number of and timeout period for handshake packet retransmissions between the EAP client and server. If the client does not respond within the timeout period and after handshake packet retransmissions reach the specified number, the user is logged out.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dot1x-template dot1x-template-number

    A dot1x template is created and the dot1x template view is displayed.

    Dot1x templates are identified by numbers. The router has a default dot1x template numbered 1. This template can be modified but cannot be deleted.

  3. (Optional) Run eap-end [ chap | pap ]

    The EAP authentication method is set for 802.1X users.

  4. (Optional) Run authentication timeout time

    The timeout period for the BRAS to wait for an EAP Response packet from the authentication server is set.

  5. (Optional) Run request { interval time | retransmit times } *

    The timeout period for the BRAS to wait for an EAP-Response/Identity packet from the client and the number of retransmissions of EAP-Request/Identity packets is set.

  6. (Optional) Run reauthentication interval time

    The interval for the BRAS to send re-authentication request packets is set.

  7. (Optional) Run keepalive { interval time | retransmit times } *

    The number of and timeout period for handshake packet retransmissions between the EAP client and server is set.

  8. Run commit

    The configuration is committed.

Binding a dot1x Template to a Domain

When 802.1X authentication is used for users in a domain, authentication negotiation is performed based on parameters defined in a dot1x template.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run domain domain-name

    The AAA domain view is displayed.

  4. Run dot1x-template dot1x-template-number

    A dot1x template is bound to a domain.

  5. Run commit

    The configuration is committed.

(Optional) Binding a Sub-interface to a VLAN

When restrictions on broadcast packets are required in a LAN to enhance LAN security or to set up virtual working groups, VLANs must be configured. VLANs can be used only on Ethernet sub-interfaces.

Context

When a user accesses the network through a main interface, you do not need to bind the main interface to a VLAN. When a user accesses the network through a sub-interface, you need to bind the sub-interface to a VLAN.

You can bind a sub-interface to a VLAN or configure QinQ on a sub-interface. When binding a sub-interface to a VLAN, you need the following parameters:

  • Number of the sub-interface
  • VLAN ID
  • QinQ ID

NOTE:
  • Each main interface can be configured with only one any-other sub-interface. The user-vlan any-other parameter cannot be configured together with the user-vlan start-vlan parameter or the user-vlan qinq parameter on the same sub-interface.
  • If a sub-interface has been configured with dot1q termination, QinQ termination, QinQ stacking, or VLAN-type dot1q, the user-vlan command cannot be run on the sub-interface.
  • User VLANs with the same VLAN ID cannot be configured on different sub-interfaces.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number.subinterface-number

    A sub-interface is created and the sub-interface view is displayed.

  3. Run user-vlan { start-vlan-id [ end-vlan-id ] [ qinq start-pe-vlan [ end-pe-vlan ] ] | any-other }

    User-side VLANs are created.

  4. Run commit

    The configuration is committed.

Configuring a BAS interface

When an interface is used for broadband access, you need to configure it as a BAS interface and set the access type and relevant attributes for this interface.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run license

    The license view is displayed.

  3. Run active bas slot slot-id

    The BAS access function is enabled on a board.

  4. Run quit

    Return to the system view.

  5. Run interface interface-type interface-number [ .subinterface-number [ p2p | p2mp ] ]

    The user-side interface view is displayed.

  6. Run commit

    The configuration is committed.

  7. Run bas

    A BAS interface is created, and the BAS interface view is displayed.

    You can configure an interface as the BAS interface by running the bas command in the interface view. An Ethernet interface, an Eth-Trunk interface, a Virtual Ethernet (VE) interface or a sub-interface of the preceding interfaces can be configured as a BAS interface.

  8. Perform one or more operations in Table 8-1 to set the desired interface parameters.

    Table 8-1 Configuring a BAS interface

    BAS Interface Parameter: Access type and relevant attributes for Layer 2 common users
    Command: access-type layer2-subscriber [ default-domain { authentication [ force | replace ] dname | pre-authentication prename } * | bas-interface-name bname | accounting-copy radius-server rd-name ] *
    Description: Configure a user who accesses a network from a BAS interface as a Layer 2 common user, allowing such users to have independent service attributes and directly access a Layer 2 network. A BRAS performs authentication and accounting on these users separately. When setting the access type on the BAS interface, you can set the service attributes of the access users at the same time or later. The access type cannot be configured on an Ethernet interface that has been added to an Eth-Trunk interface; configure the access type on the Eth-Trunk interface instead.

    BAS Interface Parameter: User authentication method
    Command: authentication-method
    Description: Configure 802.1X authentication for user access through a BAS interface.

    BAS Interface Parameter: Maximum number of users on a BAS interface
    Command: access-limit user-number
    Description: Limit the number of online users in a domain. If the number of online users exceeds the specified upper limit, the system rejects users' access requests and notifies the users of authentication failures. This facilitates the management of access users.

    BAS Interface Parameter: The function to trust the access-line-id information reported by clients
    Command: client-option82 [ { basinfo-insert { cn-telecom | version3 } | version1 } ]
    Description: Enable the function to locate a user through DHCP Option 82 or PPPoE+.

    BAS Interface Parameter: The function to enable VBAS on a BAS interface
    Command: vbas
    Description: Enable the function to locate a user through the virtual BAS (VBAS). You do not need to run this command if the function to locate a user through DHCP Option 82 or PPPoE+ is enabled.

    BAS Interface Parameter: The function to enable the NE40E to carry link-account information in the accounting request packets sent to a RADIUS server
    Command: link-account resolve
    Description: When a RADIUS server performs accounting for users who go online in non-authentication mode, the server needs to differentiate users. Run this command to enable the NE40E to carry link-account information in the accounting request packets sent to the RADIUS server.

  9. Run commit

    The configuration is committed.
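The four procedures above (dot1x template, domain binding, user VLAN on a sub-interface, BAS interface) combined into one end-to-end configuration. This is an added example, not a configuration from the Huawei document: template number 2, domain name isp1, interface Eth-Trunk1.10, user VLANs 10 to 20, board slot 1 and the user limit of 100 are assumed values, and the dot1x keyword after authentication-method is assumed from the table's description (the document lists only the command name). Lines beginning with # are annotations, not commands.

```text
# Added example (assumed values): end-to-end 802.1X access configuration on an NE40E.

system-view

# 1. Create the dot1x template used for EAP negotiation.
#    EAP termination with CHAP; the BRAS waits 30 s for the server,
#    retries EAP-Request/Identity twice at 30 s intervals,
#    re-authenticates hourly, and logs a user out after 3 missed handshakes.
dot1x-template 2
 eap-end chap
 authentication timeout 30
 request interval 30 retransmit 2
 reauthentication interval 3600
 keepalive interval 20 retransmit 3
 commit
 quit

# 2. Bind the template to the AAA domain that the 802.1X users belong to.
aaa
 domain isp1
  dot1x-template 2
  commit
  quit
 quit

# 3. Enable the BAS access function on the board carrying the user-side interface.
license
 active bas slot 1
 quit

# 4. Bind user VLANs to the sub-interface, then make it a BAS interface
#    for Layer 2 common users authenticated with 802.1X in domain isp1.
interface Eth-Trunk1.10
 user-vlan 10 20
 commit
 bas
  access-type layer2-subscriber default-domain authentication isp1
  # "dot1x" keyword is assumed; the document shows only "authentication-method".
  authentication-method dot1x
  access-limit 100
  commit
  quit
 quit

# Verification: the template view should report Reauthentication switch On,
# and the BAS interface list should show Eth-Trunk1.10 as Layer2-subscriber.
display dot1x-template 2
display bas-interface
```

The commit after each view matches the two-phase commit steps in the procedures; the BAS interface is committed once before entering the bas view and again after its parameters are set, as the procedure specifies.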

Verifying the 802.1X Access Configuration

After 802.1X access services are configured, check the configurations.

Procedure

  • Run the display dot1x-template number command to check dot1x template configurations.
  • Run the display bas-interface command to check BAS interface configurations.

Example

Run the display dot1x-template number command to view configurations of the dot1x template numbered 1.

<HUAWEI> display dot1x-template 1
  Template index               : 1
  Reauthentication switch      : On
  Keepalive switch             : Off
  Reauthentication interval(S) : 3600
  Keepalive retransmit         : 0
  Keepalive interval(S)        : 20
  Request  interval(S)         : 30
  Request retransmit           : 2
  Server response time(S)      : 30
  Send-EAP-SIM                 : No
  EAP-end                      : Yes
  EAP-end-authentication-method: CHAP

Run the display bas-interface command to view configurations of all BAS interfaces.

<HUAWEI> display bas-interface
---------------------------------------------------------------------------
   Interface                BASIF-access-type       config-state   access-number
  ---------------------------------------------------------------------------
   Eth-Trunk0               Layer2-subscriber       Updated        0
   Eth-Trunk0.1             Layer2-subscriber       Updated        1
   Eth-Trunk0.1234          Layer2-subscriber       Updated        0
  ----------------------------------------------------------------------
  Total 3 BASIF is configured                                          
Updated: 2019-01-03

Document ID: EDOC1100055031