
NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring 802.1X Port-based Authentication on the NE20E Functioning as an Authenticator

Creating an 802.1X Template

When 802.1X authentication is used, the NE20E and 802.1X clients perform authentication negotiation based on the parameters defined in an 802.1X template.

Context

To ensure that only authorized 802.1X users can access the network, create an 802.1X template and enter its view. Authentication negotiation is then performed using the parameters defined in the template, and the parameters set on the 802.1X clients must be consistent with those defined in the template.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dot1x-template dot1x-template-number

    An 802.1X template is created and the 802.1X template view is displayed.

    802.1X templates are identified by numbers. The NE20E has a default 802.1X template numbered 1. This template can be modified but cannot be deleted.

    NOTE:
    All the parameters in the following optional steps have default values on the NE20E. Run corresponding commands to modify the default settings.

  3. (Optional) Run authentication timeout time

    The timeout period for the BRAS to wait for an EAP Response packet from the authentication server is set.

  4. (Optional) Run request { interval time | retransmit times } *

    The timeout period for the BRAS to wait for an EAP-Response/Identity packet from the client and the number of retransmissions of EAP-Request/Identity packets are set.

  5. (Optional) Run keepalive { interval time | retransmit times } *

    The timeout period and the number of retransmissions for handshake packets between the EAP client and server are set.

  6. (Optional) Run reauthentication interval time

    The interval for reauthentication of online 802.1X template users is set.

  7. (Optional) Run eap-end [ chap | pap ]

    The authentication method for EAP termination defined in the 802.1X template is configured.

Configuring a Forcible Authentication Domain

After a forcible authentication domain is configured, the NE20E uses the authentication policy configured in this domain to authenticate users.

Prerequisites

  • Configure an authentication scheme (RADIUS authentication).
  • Configure a RADIUS server group.

Context

To ensure that users go online from the configured domain for authentication and accounting, you need to configure a forcible authentication domain so that all 802.1X users accessing the interface are authenticated in this domain.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run domain domain-name

    The domain view is displayed.

  4. Run authentication-scheme scheme-name

    An authentication scheme is specified for the domain.

  5. Run accounting-scheme scheme-name

    An accounting scheme is specified for the domain.

  6. Run radius-server group group-name

    A RADIUS server group is specified for the domain.

  7. Run dot1x-template dot1x-template-number

    An 802.1X template is bound to the domain.

Configuring 802.1X Authentication Functions on an Interface

After 802.1X authentication is enabled on an interface, a user device connected to the interface can access the network only after being authenticated. If authentication fails, the user device cannot access the network.

Context

802.1X authentication supports two access control types:
  • Interface-based access control: After the first user is authenticated, subsequent users can use network resources without being authenticated. If the first user goes offline, the other users can no longer access the network.

  • MAC-based access control: Every user accessing an interface is authenticated. If a user goes offline, other authenticated users can still access the network.

An 802.1X authentication-enabled interface supports the following authorization modes:
  • Authorized: authorized-force is configured to allow users to access the network without being authenticated.

  • Auto: auto is configured so that, before authentication, only EAPOL packets are allowed to pass through and users cannot access network resources. If authentication succeeds, the interface enters the authorized state and allows users to access the network.

  • Unauthorized: unauthorized-force is configured to prohibit user authentication. The authenticator does not provide authentication services for access users on this interface.

NOTE:

If the access control type or authorization state of an interface is changed when users are accessing the network through this interface, the users may be logged off unexpectedly.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run dot1x enable

    802.1X authentication is enabled on the interface.

  4. Run dot1x force-domain domain-name

    A forcible authentication domain is configured for 802.1X authentication on the interface.

    NOTE:
    The domain bound to the 802.1X authentication-enabled interface is the forcible authentication domain configured for 802.1X authentication on the interface using the dot1x force-domain command.

  5. (Optional) Run dot1x port-method { port | mac }

    An access control type is configured on the interface.

    • After the dot1x port-method mac command is run, if a supplicant does not support 802.1X authentication, run the dot1x mac-bypass command to enable MAC bypass authentication.
    • To manage the traffic of users who pass authentication separately from the traffic of users who fail it, run the dot1x vlan-tagged command to enable the device to replace the VLAN IDs carried in user packets with a specified VLAN ID.

  6. (Optional) Run dot1x port-control { authorized-force | auto | unauthorized-force }

    An authorization mode is configured for 802.1X authentication on the interface.

  7. (Optional) Run dot1x max-user number

    The maximum number of access users allowed to access the 802.1X authentication-enabled interface is configured.

    NOTE:

    When the number of access users on an interface reaches the configured upper limit, no more users can access the network through this interface.
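The following command sequence is an added example, not configuration taken from this guide, that walks through the three procedures above in order: creating the 802.1X template, configuring the forcible authentication domain, and enabling 802.1X authentication on the interface. The template number 2, the scheme names auth1 and acct1, the RADIUS server group rd1, the domain name dot1x-dom, the interface GigabitEthernet2/0/2, the user limit and all timer values are assumed; the authentication scheme and RADIUS server group are prerequisites of the forcible-domain procedure and are assumed to exist already. Lines beginning with # are annotations for the reader, not commands.

```text
# --- Procedure 1: create the 802.1X template (number 2 is assumed) ---
system-view
 dot1x-template 2
  # Wait up to 30 s for the EAP response from the authentication server (assumed value)
  authentication timeout 30
  # Resend EAP-Request/Identity every 30 s, at most 3 times (assumed values)
  request interval 30 retransmit 3
  # Handshake timeout 60 s, 3 retransmissions (assumed values)
  keepalive interval 60 retransmit 3
  # Reauthenticate online users every 3600 s (assumed value)
  reauthentication interval 3600
  # EAP termination using CHAP
  eap-end chap
  quit

# --- Procedure 2: forcible authentication domain (names are assumed) ---
 aaa
  domain dot1x-dom
   # auth1, acct1 and rd1 must already exist (prerequisites of this procedure)
   authentication-scheme auth1
   accounting-scheme acct1
   radius-server group rd1
   # Bind the template created in procedure 1 to the domain
   dot1x-template 2
   quit
  quit

# --- Procedure 3: enable 802.1X on the access interface (interface is assumed) ---
 interface GigabitEthernet2/0/2
  dot1x enable
  # All 802.1X users on this interface are authenticated in dot1x-dom
  dot1x force-domain dot1x-dom
  # Every user is authenticated individually (MAC-based access control)
  dot1x port-method mac
  # Only EAPOL passes until authentication succeeds
  dot1x port-control auto
  # At most 30 access users on this interface (assumed value)
  dot1x max-user 30
  quit
 return

# --- Verify ---
display dot1x
```

With this configuration, display dot1x lists GigabitEthernet2/0/2 with authen enable, method mac, type auto, max-user-num 30 and force-domain dot1x-dom. Of the three port-control values, only auto gates user traffic on a successful authentication; authorized-force admits every user without authentication, so when it is used for troubleshooting it should be reverted to auto afterwards, and the change shows up in the type column of the same display.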

Verifying the 802.1X Port-based Authentication Configuration on the Authenticator

After 802.1X port-based authentication is enabled on the authenticator, you can view information about 802.1X configurations and sessions.

Prerequisites

The configurations of 802.1X authentication are complete.

Procedure

  • Run the display dot1x command to check 802.1X authentication configurations on interfaces.
  • Run the display dot1x sessions command to check information about 802.1X sessions.
  • Run the display dot1x statistics command to check 802.1X packet statistics.

Example

Run the display dot1x command to view 802.1X authentication configurations on interfaces.

<HUAWEI> display dot1x
------------------------------------------------------------------------
      Interface           authen   method  type  max-user-num force-domain
------------------------------------------------------------------------
   GigabitEthernet2/0/1   enable     mac   auto   64           -           
   GigabitEthernet2/0/2   enable     mac   auto   30           byd          
------------------------------------------------------------------------
  Total 2 port is configured

Run the display dot1x sessions command to view information about 802.1X sessions on all interfaces, including the board that users access and the number of access users, or information about 802.1X sessions on a specified interface, including the user MAC address, user state, and VLAN ID.

<HUAWEI> display dot1x sessions
Total 1200 dot1x sessions.
------------------------------------------------------------------------
      slot           user-num 
------------------------------------------------------------------------
      1                1000        
      3                 200
------------------------------------------------------------------------
<HUAWEI> display dot1x sessions mac c000-03d7-d0c0
------------------------------------------------------------------------------------------------------------------------
 UserIndex  Interface    Mac              State              VlanId      QinqId   Dot1x-template  Handshake  Reauthentication
------------------------------------------------------------------------------------------------------------------------------

 65664       GE3/0/3     c000-03d7-d0c0   authenticated      0           0        1               disable    enable 
------------------------------------------------------------------------------------------------------------------------------

Run the display dot1x statistics command to view 802.1X packet statistics.

<HUAWEI> display dot1x statistics slot 2
Packet Statistics:
EAP_REQ/ID              : 0   EAP_RESP/ID        : 0
EAP_REQ/CHALLENGE       : 0   EAP_RESP/CHALLENGE : 0
EAP_REQ/TLS             : 0   EAP_RESP/TLS       : 0
EAP_SUCCESS             : 0   EAP_FAILURE        : 0
EAP_START               : 0   EAP_LOGOFF         : 0
EAP_KEY                 : 0   EAP_LIMITDROP      : 0
Updated: 2019-01-02

Document ID: EDOC1100055397