S600-E V200R013C00 Web-based Configuration Guide

This document describes how to configure and maintain devices through the web NMS client, including device status statistics, SVF, interface, Ethernet switching, IP service, IP routing, security, ACL, AAA, system management, QoS, diagnosis service, and EasyDeploy.

Connecting to Cisco ISE

Context

Connecting to Cisco ISE refers to using the Cisco ISE server for authentication and authorization on a network admission control (NAC) network. NAC is a type of E2E security architecture that covers 802.1X, MAC, and portal authentication, and supports configuration of aggregation and access layers. NAC enables authentication, authorization, and accounting for device administrators and access users, ensuring device and network security.

Procedure

  1. Choose Configuration > Advanced Services > Connecting to Cisco ISE. The configuration page is displayed.
  2. On the Select Authentication Interfaces page, select interfaces for authentication configuration by performing any of the following operations based on actual requirements:

    • Click an interface icon to select an interface. You can click the icon again to deselect the interface.
    • Drag the mouse to select continuous interfaces in batches.
    • Click multiple interface icons to select them. You can click a certain icon again to deselect the interface.

    After selecting an interface, click Clear Interface Authentication Configuration to clear the original authentication configuration of the interface.

  3. To clear all authentication configurations on the device, click Clear Authentication Configuration.
  4. Set the Authentication method to 802.1X, MAC, or Portal.
  5. Set the Network layer to Aggregation layer or Access layer.

    NOTE:

    Network layer is configurable only when the Authentication method is set to 802.1X.

  6. Specify the parameters in Authentication Configuration, as shown in Figure 5-41.

    NOTE:

    Authentication Configuration is not supported when the Authentication method is set to 802.1X and the Network layer is set to Access layer.

    Figure 5-41  Authentication configuration

    Table 5-21 describes the parameters on the page.

    Table 5-21  List of authentication parameters

    | Parameter | Description |
    |---|---|
    | Authentication server IP address | Indicates the IPv4 address of the RADIUS authentication server. |
    | Secondary server IP address | Indicates the IPv4 address of the secondary RADIUS authentication server. |
    | Accounting server IP address | Indicates the IPv4 address of the RADIUS accounting server. |
    | Secondary server IP address | Indicates the IPv4 address of the secondary RADIUS accounting server. |
    | Shared key | Indicates the shared key for RADIUS servers. |
    | Authentication Service: Primary server port number | Indicates the port number of the RADIUS authentication server. |
    | Authentication Service: Source address of outgoing packets | Indicates the source address of RADIUS packets sent by a switch to the RADIUS authentication server. Options: IP Address (a specified IPv4 address), VLANIF (IPv4 address of a specified VLANIF interface), Loopback (IPv4 address of a specified loopback interface). |
    | Authentication Service: Secondary server port number | Indicates the port number of the secondary RADIUS authentication server. This parameter is configurable only after the address of the secondary RADIUS authentication server is configured. |
    | Authentication Service: Source address of packets sent by the secondary server | Indicates the source address of RADIUS packets sent to the secondary RADIUS authentication server. Options: IP Address (a specified IPv4 address), VLANIF (IPv4 address of a specified VLANIF interface), Loopback (IPv4 address of a specified loopback interface). This parameter is configurable only after the address of the secondary RADIUS authentication server is configured. |
    | Accounting Service: Primary server port number | Indicates the port number of the RADIUS accounting server. |
    | Accounting Service: Source address of outgoing packets | Indicates the source address of RADIUS packets sent to the RADIUS accounting server. Options: IP Address (a specified IPv4 address), VLANIF (IPv4 address of a specified VLANIF interface), Loopback (IPv4 address of a specified loopback interface). |
    | Accounting Service: Secondary server port number | Indicates the port number of the secondary RADIUS accounting server. This parameter is configurable only after the address of the secondary RADIUS accounting server is configured. |
    | Accounting Service: Source address of packets sent by the secondary server | Indicates the source address of RADIUS packets sent to the secondary RADIUS accounting server. Options: IP Address (a specified IPv4 address), VLANIF (IPv4 address of a specified VLANIF interface), Loopback (IPv4 address of a specified loopback interface). This parameter is configurable only after the address of the secondary RADIUS accounting server is configured. |
    | Real-time accounting interval (minutes) | Indicates the real-time accounting interval. |
    | MAC address format in Calling-Station-Id | Indicates the encapsulation format of the MAC address in the Calling-Station-Id (Type 31) attribute of RADIUS packets. |
    | MAC address format in Called-Station-Id | Indicates the encapsulation format of the MAC address in the Called-Station-Id (Type 30) attribute of RADIUS packets. |
    | Maximum number of authentication requests | Indicates the number of times an authentication request or handshake packet is retransmitted to an 802.1X user. This parameter is configurable only when the Authentication method is set to 802.1X. |
    | Authentication timeout period (s) | Indicates the timeout period for client authentication. |
    | User name mode | Indicates the user name type of a MAC authentication user. Options: MAC address (MAC address type), Fixed user name (user name type). This parameter is configurable only when the Authentication method is set to MAC. |
    | MAC address | Indicates that the user name of a MAC authentication user is a MAC address. This parameter is configurable only when the user name of a MAC authentication user is set to the MAC address type. |
    | MAC address case | Indicates that the user name of a MAC authentication user is a MAC address in uppercase. This parameter is configurable only when the user name of a MAC authentication user is set to the MAC address type. |
    | MAC-based authentication user name | Indicates that the user name of a MAC authentication user is a fixed user name. This parameter is configurable only when the user name of a MAC authentication user is set to the user name type. |
    | MAC-based authentication password | Indicates the password for a MAC authentication user. |
    | External Portal server IP Address | Indicates the IP address of the portal server. This parameter is configurable only when the Authentication method is set to Portal. |
    | Shared key | Indicates the shared key for the communication with the portal server. |
    | SSL policy | Indicates the SSL policy used by the built-in portal server. |
    | URL | Indicates the redirection URL for the portal server. |
    | URL Separator | Replaces the start character in the URL with a question mark (?). |
    | User access URL | Indicates the original URL that is accessed by a user and carried in the URL. |
    | MAC Address | Indicates the access user's MAC address carried in the URL. |
    | User IP | Indicates the access user's IP address carried in the URL. |
    | System name | Indicates the access device's system name carried in the URL. |
    | Login URL keyword/Login URL | Indicates the identification keyword for the login URL sent to the portal server during redirection, and the specified URL on the access device. |

  7. Specify the parameters in Global Settings, as shown in Figure 5-42.

    NOTE:

    Global Settings is not supported when the Authentication method is set to 802.1X and the Network layer is set to Access layer.

    Figure 5-42  Setting global parameters

    Table 5-22 describes the parameters on the page.

    Table 5-22  List of global parameters

    | Parameter | Description |
    |---|---|
    | ACL for the post-authentication domain | Indicates the global ACL. |
    | Authentication domain | Create an authentication domain. |

  8. Specify the parameters in 802.1X packet transparent transmission configuration, as shown in Figure 5-43.

    NOTE:

    802.1X packet transparent transmission configuration is supported when the Authentication method is set to 802.1X and the Network layer is set to Access layer.

    Figure 5-43  Configuring 802.1X transparent transmission

    Table 5-23 describes the parameters on the page.

    Table 5-23  Configuring 802.1X transparent transmission

    | Parameter | Description |
    |---|---|
    | Destination MAC address of transparently transmitted 802.1X packets | Indicates the multicast destination MAC address of the user-defined protocol packets. |
    | Multicast MAC address replacing the destination multicast MAC address of packets | Indicates the multicast MAC address that replaces the destination MAC address of Layer 2 protocol packets. |

  9. Click Apply to complete the configuration.
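
Added example (not part of the Huawei guide): the MAC address format selected for Calling-Station-Id (Type 31) in Table 5-21 changes the literal string the RADIUS server receives, so anything that matches endpoints on that attribute must normalize it first. The Python below encodes and parses the attribute as laid out in RFC 2865; the three sample formats, the all-zero authenticator and every function name are assumptions constructed for illustration.

```python
import re
import struct

USER_NAME, CALLED_STATION_ID, CALLING_STATION_ID = 1, 30, 31  # RFC 2865 attribute types

def build_access_request(identifier, authenticator, attrs):
    """Code 1 header (Code, Identifier, Length, 16-byte Authenticator) + TLV attributes."""
    body = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        body += bytes([attr_type, len(value) + 2]) + value  # Length counts the 2-byte header
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body

def parse_attrs(packet):
    """Return {type: value}; reject truncated packets and malformed attribute lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs

def normalize_mac(text):
    """Canonical form: 12 lowercase hex digits with separators removed."""
    digits = re.sub(r"[-:.]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def endpoint_key(packet):
    """MAC from Calling-Station-Id (Type 31), normalized for comparison."""
    return normalize_mac(parse_attrs(packet)[CALLING_STATION_ID].decode("ascii"))

# Constructed sample: one endpoint in three assumed formats; authenticator is all zeros.
SAMPLE_FORMATS = ["00-1A-2B-3C-4D-5E", "001a-2b3c-4d5e", "00:1a:2b:3c:4d:5e"]
SAMPLE_PACKETS = [
    build_access_request(i, bytes(16), [(USER_NAME, b"001a2b3c4d5e"),
                                        (CALLING_STATION_ID, fmt.encode("ascii"))])
    for i, fmt in enumerate(SAMPLE_FORMATS)
]

if __name__ == "__main__":
    for fmt, pkt in zip(SAMPLE_FORMATS, SAMPLE_PACKETS):
        print(f"{fmt!r:22} -> {endpoint_key(pkt)}")
```

The raw attribute values differ byte for byte across the three packets, while the normalized key is identical, which is why a format mismatch between the switch setting and the server's endpoint records shows up as an unknown device rather than as a parse error.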
Updated: 2019-04-08

Document ID: EDOC1100066172
