
S600-E V200R013C00 Configuration Guide - User Access and Authentication

This document describes the configurations of User Access and Authentication Configuration, including AAA, NAC, and Policy Association.
Configuring an 802.1X Access Profile

Creating an 802.1X Access Profile

Context

The device uses 802.1X access profiles to uniformly manage 802.1X access configurations. Before configuring 802.1X authentication, you need to create an 802.1X access profile.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dot1x-access-profile name access-profile-name

    An 802.1X access profile is created and the 802.1X access profile view is displayed.

    By default, the device has a built-in 802.1X access profile named dot1x_access_profile.

    NOTE:
    • The compatibility profile converted after an upgrade is not counted in the configuration specification. The built-in 802.1X access profile dot1x_access_profile can be modified and applied, but cannot be deleted.
    • Before deleting an 802.1X access profile, ensure that this profile is not bound to any authentication profile.

Configuring an 802.1X Access Profile

Context

After creating an 802.1X access profile, you need to configure it. You can select a proper authentication mode based on the authentication modes supported by the client and server and the processing capability of the device and server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dot1x-access-profile name access-profile-name

    The 802.1X access profile view is displayed.

  3. Run dot1x authentication-method { chap | pap | eap }

    An authentication mode is configured for 802.1X users.

    By default, the authentication mode of 802.1X users is eap, which indicates Extensible Authentication Protocol (EAP) relay authentication.

    Whether EAP relay or EAP termination is used depends on the processing capability of the RADIUS server. If the RADIUS server can parse a large number of EAP packets before authentication, EAP relay is recommended. If the RADIUS server cannot parse a large number of EAP packets and complete authentication, EAP termination is recommended; the device then parses EAP packets on behalf of the RADIUS server. Whichever authentication packet processing method is configured, ensure that both the client and the server support it; otherwise, users cannot pass authentication.
    NOTE:
    • The EAP relay can be configured for 802.1X users only when RADIUS authentication is used.

    • If AAA local authentication is used, the authentication mode for 802.1X users can only be set to EAP termination.

    • Because mobile phones do not support EAP termination mode (PAP and CHAP), the 802.1X authentication + local authentication mode cannot be configured for mobile phones. Terminals such as laptop computers support EAP termination mode only after having third-party clients installed.

    • If the 802.1X client uses the MD5 encryption mode, the user authentication mode on the device can be set to EAP or CHAP; if the 802.1X client uses the PEAP authentication mode, the authentication mode on the device can be set to EAP.

    • If 802.1X users on an interface have gone online, changing the user authentication mode in the 802.1X access profile bound to the interface will make the online 802.1X users go offline.

  4. (Optional) Run authentication trigger-condition { dhcp | arp | dhcpv6 | nd | any-l2-packet } *

    The types of packets that can trigger 802.1X authentication are configured.

    By default, DHCP, DHCPv6, ND, and ARP packets can trigger 802.1X authentication.

  5. (Optional) Run dot1x unicast-trigger

    802.1X authentication triggered by a unicast packet is enabled.

    By default, 802.1X authentication triggered by a unicast packet is disabled.

  6. (Optional) Run dot1x port-control { auto | authorized-force | unauthorized-force }

    The authorization state of interfaces is configured.

    By default, the authorization state of an interface is auto.

  7. (Optional) Configure the device to handshake with online 802.1X users.

    When a user goes offline because of, for example, a network interruption, the device still retains the user's online entry. This may cause incorrect accounting and creates a security risk if a bogus user accesses the network under the retained entry.

    To ensure that user online information is normal, you can configure handshake with online 802.1X authentication users on the device. The device then periodically sends handshake request packets to online 802.1X users. If a user does not respond to the handshake request packets when the retransmission count is reached, the device sets the user status to offline.

    NOTE:

    If the 802.1X client cannot exchange handshake packets with the device, the device will not receive the handshake response packets within the handshake period. Therefore, to prevent the device from disconnecting users mistakenly, disable the online user handshake function.

    This function takes effect only for wired users.

    1. Run dot1x handshake

      Handshake with online 802.1X users is enabled.

      By default, handshake with online 802.1X users is disabled.

    2. Run dot1x handshake packet-type { request-identity | srp-sha1-part2 }

      The type of 802.1X authentication handshake packets is configured.

      By default, the type of 802.1X authentication handshake packets is request-identity.

      To ensure interoperability with devices from other vendors, you can configure the handshake packet type based on your networking requirements.

    3. Run dot1x timer handshake-period handshake-period-value

      The interval at which the device handshakes with online 802.1X users on non-Eth-Trunk interfaces is configured.

      By default, the interval for sending handshake packets to online 802.1X users on non-Eth-Trunk interfaces is 15 seconds.

    4. Run dot1x timer eth-trunk-access handshake-period handshake-period-value

      The interval at which the device handshakes with online 802.1X users on Eth-Trunks is configured.

      By default, the interval for sending handshake packets to online 802.1X users on Eth-Trunks is 120 seconds.

    5. Run dot1x retry max-retry-value

      The number of times a handshake packet is retransmitted to an 802.1X user is configured.

      By default, the device retransmits a handshake packet to an 802.1X user twice.

  8. (Optional) Run dot1x eap-notify-packet eap-code code-number data-type type-number

    The device is configured to send EAP packets with a code number to 802.1X users.

    By default, the device does not send EAP packets with a code number to 802.1X users.

    NOTE:

    If an H3C iMC functions as the RADIUS server, run the dot1x eap-notify-packet eap-code 10 data-type 25 command on the device.

  9. (Optional) Run dot1x trigger dhcp-binding

    The device is configured to automatically generate DHCP snooping binding entries after static IP users pass 802.1X authentication or when the users are in pre-connection state.

    By default, the device does not automatically generate DHCP snooping binding entries after static IP users pass 802.1X authentication or when the users are in pre-connection state.
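    The following is an added configuration example that walks through the procedure above on one profile; it is not taken from this guide. The profile name d1, the 30-second handshake interval and the retry count of 3 are constructed values, and binding the profile to an authentication profile and to interfaces is described elsewhere in this guide and is omitted here. Lines beginning with # are annotations, not CLI input.

```text
<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
# EAP relay is the default; setting it explicitly makes the intent visible in the saved configuration.
# The RADIUS server must then process EAP itself; with AAA local authentication use chap or pap instead.
[HUAWEI-dot1x-access-profile-d1] dot1x authentication-method eap
# Handshake with online users so that a client that silently leaves is set offline
# instead of its online entry lingering (accounting errors, reuse by a bogus user).
[HUAWEI-dot1x-access-profile-d1] dot1x handshake
[HUAWEI-dot1x-access-profile-d1] dot1x handshake packet-type request-identity
[HUAWEI-dot1x-access-profile-d1] dot1x timer handshake-period 30
# dot1x retry sets the handshake retransmission count; the same command also governs
# authentication-request retransmission (see the authentication timeout timer section).
[HUAWEI-dot1x-access-profile-d1] dot1x retry 3
[HUAWEI-dot1x-access-profile-d1] quit
```

    With these values a user that stops answering is declared offline after the initial handshake plus three retransmissions at 30-second intervals. Disable dot1x handshake if the deployed 802.1X client cannot answer handshake packets, as the note above explains; otherwise every such user is disconnected at each handshake cycle.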

(Optional) Configuring Network Access Rights for Users When the 802.1X Client Does Not Respond

Context

If the 802.1X client does not respond, users cannot pass authentication and thereby have no network access right. Before being successfully authenticated, some users may need certain basic network access rights to download client software and update the antivirus database. The network access rights can be configured for the users when the 802.1X client does not respond, so that the users can access specified network resources.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure authorization parameters.

    • VLAN

      Configure a VLAN and network resources in the VLAN on the device.

    • UCL group

      1. Run ucl-group group-index [ name group-name ]

        A UCL group is created.

        By default, no UCL group is created.

      2. Configure a user ACL to filter packets based on the UCL group. For details, see Configuring a User ACL in "ACL Configuration" in the S600-E V200R013C00 Configuration Guide - Security.
      3. Use the following methods to process packets:

        • Run traffic-filter inbound acl { acl-number | name acl-name }

          ACL-based packet filtering is configured.

          By default, ACL-based packet filtering is not configured.

    • Service scheme

      1. Run aaa

        The AAA view is displayed.

      2. Run service-scheme service-scheme-name

        A service scheme is created and the service scheme view is displayed.

        By default, no service scheme is configured on the device.

      3. Configure network access control parameters in the service scheme. The administrator can configure the parameters based on actual network requirements.

        • Run acl-id acl-number

          An ACL is bound to the service scheme.

          By default, no ACL is bound to a service scheme.

          NOTE:

          Before running this command, ensure that an ACL has been created using the acl (system view) or acl name command and ACL rules have been configured using the rule command.

          The priorities of the following access policies are in descending order:

          1. ACL number delivered by the RADIUS server
          2. ACL number configured on the local device
          3. ACL rule delivered by the RADIUS server through the attribute HW-Data-Filter numbered 26-82
          4. User group delivered by the RADIUS server
          5. User group configured on the local device
          6. UCL group delivered by the RADIUS server
          7. UCL group configured on the local device

        • Run ucl-group { group-index | name group-name }

          A UCL group is bound to the service scheme.

          By default, no UCL group is bound to a service scheme.

          Before running this command, ensure that a UCL group that identifies the user category has been created and configured.

        • Run user-vlan vlan-id

          A user VLAN is configured in the service scheme.

          By default, no user VLAN is configured in a service scheme.

          Before running this command, ensure that a VLAN has been created using the vlan command.

        • Run voice-vlan

          The voice VLAN function is enabled in the service scheme.

          By default, the voice VLAN function is disabled in a service scheme.

          For this configuration to take effect, ensure that a VLAN has been specified as the voice VLAN using the voice-vlan enable command and the voice VLAN function has been enabled on the interface.

      4. Run quit

        The AAA view is displayed.

      5. Run quit

        The system view is displayed.

  3. Run dot1x-access-profile name access-profile-name

    The 802.1X access profile view is displayed.

  4. Run authentication event client-no-response action authorize { service-scheme service-scheme-name | ucl-group ucl-group-name | vlan vlan-id }

    Network access rights are configured for users when the 802.1X client does not respond.

    By default, no network access right is configured for users when the 802.1X client does not respond.
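    The following added example, which is not part of this guide, applies the service scheme path of the procedure above: a pre-authentication VLAN plus an ACL that only reaches an update server are bound into a service scheme, and the scheme is authorized when the client does not respond. VLAN 10, ACL 3001, the server address 10.1.1.1, the scheme name preauth and the profile name d1 are constructed values; the advanced ACL rule syntax follows the ACL chapter of the Security guide referenced above and is assumed here. Lines beginning with # are annotations, not CLI input.

```text
<HUAWEI> system-view
# The VLAN must exist before user-vlan references it (see the user-vlan note above).
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
# The ACL and its rules must exist before acl-id references it (see the acl-id note above).
# Permit only the software/antivirus update server; deny everything else.
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule 5 permit ip destination 10.1.1.1 0
[HUAWEI-acl-adv-3001] rule 10 deny ip
[HUAWEI-acl-adv-3001] quit
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme preauth
[HUAWEI-aaa-service-preauth] user-vlan 10
[HUAWEI-aaa-service-preauth] acl-id 3001
[HUAWEI-aaa-service-preauth] quit
[HUAWEI-aaa] quit
[HUAWEI] dot1x-access-profile name d1
# Only one of service-scheme, ucl-group or vlan can be given; the service scheme lets VLAN and ACL be combined.
[HUAWEI-dot1x-access-profile-d1] authentication event client-no-response action authorize service-scheme preauth
[HUAWEI-dot1x-access-profile-d1] quit
```

    Keep the ACL as narrow as the bootstrap task requires: the rights granted here apply to every client that fails to respond, including hosts with no 802.1X client at all, so a permissive ACL turns the fallback into an unauthenticated path onto the network.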

(Optional) Configuring Re-authentication for Online 802.1X Authentication Users

Context

If the administrator modifies parameters such as access rights and authorization attributes of an online user on the authentication server, the user must be re-authenticated to ensure user validity.

If re-authentication is configured for online 802.1X authentication users, the device sends saved authentication parameters of an online user to the authentication server for re-authentication. The device saves user authentication information after users go online. If the user authentication information on the authentication server remains unchanged, the user keeps online. If the information has been modified, the user is disconnected and needs to be re-authenticated.

The device re-authenticates 802.1X authentication users in the following modes:
  • The device periodically re-authenticates users using a specified 802.1X access profile.
    NOTE:

    After this function is configured, many 802.1X authentication logs will be generated.

  • The device is manually configured to re-authenticate a user with a specified MAC address once.

If the device is connected to a server for re-authentication and the server replies with a re-authentication deny message that makes an online user go offline, it is recommended that you locate the cause of the re-authentication failure on the server or disable the re-authentication function on the device.

Procedure

  • Configuring periodic re-authentication
    1. Run system-view

      The system view is displayed.

    2. Run dot1x-access-profile name access-profile-name

      The 802.1X access profile view is displayed.

    3. Run dot1x reauthenticate

      Re-authentication is configured for online 802.1X authentication users.

      By default, re-authentication is not configured for online 802.1X authentication users.

    4. (Optional) Run dot1x timer reauthenticate-period reauthenticate-period-value

      The re-authentication interval is configured for online 802.1X authentication users.

      By default, the re-authentication interval is 3600 seconds for online 802.1X authentication users.

      NOTE:

      It is recommended that the re-authentication interval be set to the default value. If multiple ACLs need to be delivered during user authorization, you are advised to disable the re-authentication function or set a longer re-authentication interval to improve the device's processing performance.

      In remote authentication and authorization, if the re-authentication interval is set to a shorter time, the CPU usage may be higher.

      To reduce the impact on the device performance when many users exist, the user re-authentication interval may be longer than the configured re-authentication interval.

  • Configuring single-time re-authentication
    1. Run system-view

      The system view is displayed.

    2. Run dot1x reauthenticate mac-address mac-address

      The device is manually configured to re-authenticate a user with a specified MAC address once.

(Optional) Configuring the Authentication Timeout Timer for 802.1X Clients

Context

The device starts the authentication timeout timer for 802.1X clients after sending an EAP-Request/MD5-Challenge packet to a client. If the client does not respond within the period set by this timer, the device sends the packet again. If the packet has been sent the maximum number of times (configured using the dot1x retry max-retry-value command) and no response is received, the device stops sending the packet. This prevents repeated retransmission of authentication requests, which would consume a large amount of device resources.

In Figure 2-48, the device sends an authentication failure packet to the client after the EAP-Request/MD5 Challenge packet times out. Generally, if the client fails to be authenticated, the device starts a backup mechanism (MAC address authentication, Portal authentication, or granting specified access permission), so that the client can continue to access the network. The value of the timeout timer for EAP-Request/MD5 Challenge packets is calculated as follows:

Timer value = (max-retry-value + 1) × client-timeout-value

Figure 2-48  802.1X authentication timeout process

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dot1x-access-profile name access-profile-name

    The 802.1X access profile view is displayed.

  3. Run dot1x timer client-timeout client-timeout-value

    The authentication timeout timer for 802.1X clients is configured.

    By default, the authentication timeout timer for 802.1X clients is enabled and its value is 5 seconds.

  4. (Optional) Run dot1x retry max-retry-value

    The number of times an authentication request is retransmitted to an 802.1X client is configured.

    By default, the device can retransmit an authentication request to an 802.1X user twice.
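    The following added example, not taken from this guide, combines the re-authentication procedure of the previous section with the timeout timer procedure above on one profile and then verifies it. The profile name d1, the MAC address 0001-0002-0003 and the retry count of 3 are constructed values; the re-authentication interval is left at its default of 3600 seconds, as recommended. Lines beginning with # are annotations, not CLI input.

```text
<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
# Periodic re-authentication: authorization changes made on the server (access rights,
# attributes) are applied to users that are already online. Expect additional 802.1X logs.
[HUAWEI-dot1x-access-profile-d1] dot1x reauthenticate
[HUAWEI-dot1x-access-profile-d1] dot1x timer reauthenticate-period 3600
# Authentication timeout: with client-timeout 5 and retry 3 the device gives up on a silent
# client after (3 + 1) x 5 = 20 seconds and moves on to the fallback (MAC/Portal/client-no-response).
[HUAWEI-dot1x-access-profile-d1] dot1x timer client-timeout 5
[HUAWEI-dot1x-access-profile-d1] dot1x retry 3
[HUAWEI-dot1x-access-profile-d1] quit
# One-off re-authentication of a single online user right after its server-side entry changed.
[HUAWEI] dot1x reauthenticate mac-address 0001-0002-0003
# Verify the profile.
[HUAWEI] display dot1x-access-profile configuration name d1
```

    Note that dot1x retry is the same command used for handshake retransmission, so raising it to tolerate slow EAP clients also lengthens how long a departed user stays marked online before the handshake mechanism sets it offline. If the server answers a re-authentication with a deny that forces users offline, resolve the cause on the server rather than leaving stale authorization in place.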

Verifying the 802.1X Access Profile Configuration

Context

After configuring an 802.1X access profile, run the following command to check the configuration.

Procedure

  • Run the display dot1x-access-profile configuration [ name access-profile-name ] command to check the configuration of the 802.1X access profile.
Updated: 2019-04-20

Document ID: EDOC1100066170