Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Example for Configuring 802.1x Authentication to Control Internal User Access

Networking Requirements

As shown in Figure 2-5, the terminals in an office are connected to the company's internal network through the Switch. Unauthorized access to the internal network can damage the company's service system and cause leakage of key information. Therefore, the administrator requires that the Switch should control the users' network access rights to ensure internal network security.

Figure 2-5 Configuring 802.1x authentication to control internal user access

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create and configure a RADIUS server group, an AAA scheme, and an authentication domain. Bind the RADIUS server group and AAA scheme to the authentication domain so that the Switch can authenticate access users through the RADIUS server.
  2. Enable 802.1x authentication to control network access rights of the employees in the office.
NOTE:
  • In this example, a LAN switch exists between the Switch and users. To ensure that users can pass 802.1x authentication, you must configure the LAN switch to transparently transmit EAP packets.

  • This example only provides the configurations on the Switch. The configurations on the LAN switch and RADIUS server are not provided here.

Procedure

  1. Create VLANs and configure the interfaces to allow packets from these VLANs to pass, so that user and RADIUS traffic can be forwarded.

    # Create VLAN 10 and VLAN 20.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch
    [*HUAWEI] commit
    [~Switch] vlan batch 10 20


    # Configure the interface 10GE1/0/1 connecting the Switch to users as an access interface and add the interface to VLAN 10.

    [*Switch] interface 10ge 1/0/1
    [*Switch-10GE1/0/1] port link-type access
    [*Switch-10GE1/0/1] port default vlan 10
    [*Switch-10GE1/0/1] quit
    NOTE:

    Configure the interface type and VLANs based on the site requirements. In this example, users are added to VLAN 10.

    # On the Switch, configure the interface 10GE1/0/2 connected to the RADIUS server as an access interface and add the interface to VLAN 20.

    [*Switch] interface 10ge 1/0/2
    [*Switch-10GE1/0/2] port link-type access
    [*Switch-10GE1/0/2] port default vlan 20
    [*Switch-10GE1/0/2] quit
    [*Switch] commit

  2. Create and configure a RADIUS server group, an AAA authentication scheme, and an authentication domain.

    # Create and configure a RADIUS server group rd1.

    [~Switch] radius enable
    [*Switch] radius server group rd1
    [*Switch-radius-rd1] radius server authentication 192.168.2.30 1812
    [*Switch-radius-rd1] radius server shared-key-cipher huawei@123
    [*Switch-radius-rd1] quit
    NOTE:

    Ensure that the shared key in the RADIUS server group is the same as that configured on the RADIUS server.

    # Create an AAA authentication scheme abc and configure the authentication mode to RADIUS.

    [*Switch] aaa
    [*Switch-aaa] authentication-scheme abc
    [*Switch-aaa-authen-abc] authentication-mode radius
    [*Switch-aaa-authen-abc] quit

    # Create an authentication domain isp1, and bind the AAA scheme abc and RADIUS server group rd1 to the domain isp1.

    [*Switch-aaa] domain isp1
    [*Switch-aaa-domain-isp1] authentication-scheme abc
    [*Switch-aaa-domain-isp1] radius server group rd1
    [*Switch-aaa-domain-isp1] quit
    [*Switch-aaa] quit
    [*Switch] commit

  3. Configure 802.1x authentication.

    # Enable 802.1x authentication globally and on the interface 10GE1/0/1.

    [~Switch] dot1x enable
    [*Switch] dot1x enable interface 10ge 1/0/1

    # Configure an 802.1x authentication domain so that all users are authenticated in this domain.

    [*Switch] domain isp1
    [*Switch] commit

  4. Verify the configuration.

    1. Run the display dot1x command to check the 802.1x authentication configuration. The command output (10GE1/0/1 802.1x: Enabled) shows that 802.1x authentication has been enabled on the interface 10GE1/0/1.
    2. A user starts the 802.1x client on a terminal, and enters the user name and password for authentication.
    3. If the user name and password are correct, an authentication success message is displayed on the client page. The user then can access the network.
    4. After the user goes online, you can run the display dot1x sessions command on the device to check the online 802.1x user information.

Configuration Files

# Configuration file of the Switch

#
sysname Switch
#
vlan batch 10 20
#
dot1x enable
domain isp1
#
radius enable
#
radius server group rd1
 radius server shared-key-cipher %^%#w$Kk$.2,EF:O(u%(HzjXPW\L6'1"`SwCQJ<M|vA:%^%#
 radius server authentication 192.168.2.30 1812
#
aaa
 #
 authentication-scheme abc
  authentication-mode radius
 #
 domain isp1
  authentication-scheme abc
  radius server group rd1
#
interface 10GE1/0/1
 port default vlan 10
 dot1x enable
#
interface 10GE1/0/2
 port default vlan 20
#
return
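The configuration file above can be audited mechanically before the Switch is put into service. The following Python is an added example, not Huawei code: it parses VRP-style indentation (one space per nesting level, bare # lines as section separators) and checks that the chain this example builds is intact: 802.1x enabled globally and on the user interface, the default domain isp1 bound to an AAA scheme in RADIUS mode and to a RADIUS server group that has an authentication server. The configuration text is constructed from the file above with the cipher-text shared key replaced by a placeholder; the function names parse, arg and audit are my own.

```python
# Added example (not Huawei code): audit a CloudEngine/VRP configuration for the
# 802.1x -> default domain -> AAA scheme -> RADIUS server group chain built above.
CONFIG = """\
dot1x enable
domain isp1
#
radius server group rd1
 radius server shared-key-cipher %^%#CIPHER_TEXT_PLACEHOLDER%^%#
 radius server authentication 192.168.2.30 1812
#
aaa
 authentication-scheme abc
  authentication-mode radius
 domain isp1
  authentication-scheme abc
  radius server group rd1
#
interface 10GE1/0/1
 dot1x enable
"""  # constructed from the configuration file above; the shared key is a placeholder

def parse(text):
    """Map each nesting path (tuple of parent commands) to the commands under it."""
    ctx, stack = {}, []
    for line in text.splitlines():
        cmd = line.strip()
        if not cmd or cmd == "#":          # blank lines and '#' only separate sections
            continue
        stack = stack[: len(line) - len(line.lstrip(" "))]   # one space per level
        ctx.setdefault(tuple(stack), set()).add(cmd)
        stack.append(cmd)
    return ctx

def arg(cmds, prefix):
    # Last word of the command starting with prefix (e.g. the domain name), or None.
    return next((c.split()[-1] for c in cmds if c.startswith(prefix)), None)

def audit(text, user_port="10GE1/0/1"):
    """Return findings for a config; an empty list means the chain is intact."""
    ctx, findings = parse(text), []
    for path, where in (((), "globally"), ((f"interface {user_port}",), f"on {user_port}")):
        if "dot1x enable" not in ctx.get(path, set()):
            findings.append(f"802.1x is not enabled {where}")
    domain = arg(ctx.get((), set()), "domain ")   # global default domain for 802.1x users
    dom = ctx.get(("aaa", f"domain {domain}"), set())
    scheme = ctx.get(("aaa", f"authentication-scheme {arg(dom, 'authentication-scheme ')}"), set())
    if "authentication-mode radius" not in scheme:
        findings.append(f"domain {domain} does not authenticate against RADIUS")
    group = ctx.get((f"radius server group {arg(dom, 'radius server group ')}",), set())
    if arg(group, "radius server authentication ") is None:
        findings.append(f"domain {domain} has no RADIUS authentication server bound")
    return findings
```

Run audit(CONFIG) against the exported configuration of the Switch; any non-empty result names the link in the chain that a misconfiguration would leave open.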
Updated: 2019-04-20

Document ID: EDOC1100074765

Views: 18513

Downloads: 61

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next