No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.

TechNotes-Understanding and Configuring 802.1X
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Understanding and Configuring 802.1X

Understanding and Configuring 802.1X

About This Chapter

IEEE 802.1X (802.1X for short) is an IEEE standard for port-based network access control (PNAC). It provides an authentication mechanism for user access networks. By authenticating the rights of the user connected to a port, 802.1X can determine which network resources are accessible to the user device connected to the port.



With the popularization of networks, more and more enterprises, campuses, communities, and SOHO users select Ethernet, which is a cost-effective, convenient, and high-bandwidth access mode and one of the most important access modes on the current data communication networks. Users can access network resources from any computer that is connected to a network, which brings severe security risks to the network environment. In addition, the implementation and maintenance of different network services require the underlying Ethernet to provide a necessary security authentication mechanism. How to correctly process user access rights becomes an increasingly prominent problem.


802.1X is used to authenticate and authorize the users connected to a LAN to protect network security.


802.1X has complete user authentication and management functions, which can well support the accounting, security, operation, and management requirements of broadband networks.

Device Roles Defined in 802.1X

Figure 1-1 shows the roles of network devices that use the 802.1X authentication protocol.

Figure 1-1 Device roles defined in 802.1X
  • Client: A user terminal that seeks to gain access to the network. Based on whether supporting proactive initiation of 802.1X authentication, terminals are classified into common terminals and dumb terminals.
    1. Common terminals, such as office PCs, can run 802.1X authentication client software. Authentication is triggered after a terminal user enters its user name and password. If the authentication is successful, the terminal accesses the network.
    2. Dumb terminals, such as network printers and cameras, cannot run 802.1X authentication client software. They cannot access any network by proactively triggering authentication. Instead, they access networks through MAC address bypass (MAB) authentication.
  • Device: It provides a port for the client to access the LAN and controls the client access rights or scope on the network based on the authentication status of the client. Located between the client and the authentication server, the device requests identity information from the client, encapsulates and decapsulates the Extensible Authentication Protocol (EAP) frame, interacts with the authentication server, and relays the response to the client.
  • Authentication server: It authenticates the client and notifies the device whether the to-be-authenticated port may access the network, thereby implementing authentication, authorization, and accounting on the user. Generally, the authentication server is a RADIUS server.

After receiving Extensible Authentication Protocol over LAN (EAPOL) frames, the device strips off Ethernet headers and re-encapsulates the remaining EAP frames in RADIUS format (EAPOR) without modifying or checking the EAP frames. Then, the device relays the EAP frames to the authentication server, and the authentication server parses the EAP frames. In the reverse direction, when receiving the frames from the authentication server, the device removes the frame headers and leaves the EAP frames, encapsulates the frames into Ethernet frames, and sends them to the client.

Port-based Authentication

When 802.1X is enabled on a port but authentication is not triggered, all services on the port go through the guest VLAN. For terminals that are not 802.1X-capable, the guest VLAN is used to download 802.1X dial-up software or access restricted web pages. After 802.1 authentication is triggered, the system authenticates the client as follows:

  • If the client supports 802.1X client software and the client identity is legitimate, the 802.1X authentication is successful. Then, the client port is assigned a dynamic service VLAN, and the client can access the network.
  • If 802.1x authentication times out during EAPOL message exchange, and MAB authentication is enabled, the device relays the MAC address of the client to the authentication server for authorization. If the MAC address of the client is legitimate, the authorization is successful and a dynamic service VLAN is assigned to the client. Then, the client can access the network.
  • If 802.1X authentication of the port times out and the MAC address authentication is not enabled or the authentication fails, the port still uses the guest VLAN to access limited network resources.
  • If the authentication server fails to authenticate the client (for example, an incorrect user name or password is entered), all services on this port go through the Restrict VLAN. The Restrict VLAN has similar functions as the guest VLAN. Both allow users to access limited network resources before passing authentication. However, the Restrict VLAN has fewer network resources than the guest VLAN. Therefore, the Restrict VLAN more strictly limits the network resources accessible to unauthenticated users.
  • If the authentication server cannot be connected (for example, the network between the device and the authentication server is disconnected or the authentication server is faulty), all services on the port can go through the Critical VLAN, for example, emergency voice call or service assurance.

Figure 1-2 shows the system authentication process.

Figure 1-2 Authentication process


The relationship between MAB authentication and port-based 802.1X authentication is as follows: If both port-based 802.1X authentication and MAB authentication are enabled, 802.1X authentication is performed first. If 802.1x authentication times out, MAB authentication is then performed. If 802.1x authentication is disabled but MAB authentication is enabled, MAB authentication is directly performed. Disabling MAB authentication has no impact on 802.1X authentication status.

802.1X Information Exchange

Authorized/Unauthorized 802.1X Port

Whether the client is authorized to access the network depends on the status of the connected device port. The port is started in the unauthorized state. In this state, all incoming and outgoing traffic except 802.1X protocol packets is not allowed to pass through the port. After the client passes the authentication, the port changes to the authorized state to allow all the traffic from the client.

If a client that does not support 802.1X authentication is connected to an unauthorized 802.1X port, the device requests to authenticate the client. In this case, the client does not respond to the request, the port is still in the unauthorized state, and the client does not have the network access right. The port dot1x port-control command and the following keywords can be used to control the port authorization status of the device:

force-authorized: Specifies the forced authorization mode. In this mode, the port always stays in the authorized state and users can access the network through this port without authentication or authorization. The port sends and receives traffic normally without 802.1X client authentication. This configuration has security risks and is not recommended.

force-unauthorized: Specifies the forced unauthorization mode. The port stays in the unauthorized state and users are not allowed to access network resources through this port.

auto: Specifies the automatic identification mode. After 802.1X authentication is enabled, the port is in the unauthorized state and can send and receive only EAPOL packets. If the port receives an EAPOL-start frame, authentication starts. The device requests the identity of the client and starts to relay the authentication message between the client and the authentication server. If the authentication is successful (the client receives an Accept frame from the authentication server), the port status changes to authorized and all frames from the authenticated client are allowed to pass through the port. If the authentication fails, the port remains in the unauthorized state.

802.1x Information Exchange

802.1x authentication can be triggered by the client or the device. If the port dot1x port-control auto command is used to enable identity authentication on the port, the device sends an EAP-Request/Identity frame to the client when detecting that the link is connected (the link status changes from down to up). After receiving the frame, the client responds an EAP-response/identity frame.

If the client does not receive the EAP-Request/Identity frame from the device during startup, the client can send an EAPOL-start frame to start authentication. This frame can instruct the device to send a request.

When the client provides its identity, the device acts as a mediator to transfer the EAP frame between the client and the authentication server until the authentication succeeds or fails. If the authentication succeeds, the port is authorized. If the authentication fails, it can be performed again. Based on the final authentication result, the port is assigned to a VLAN that provides limited services or the user is not assigned the network access right. The detailed process is shown in Figure 1-3.

Figure 1-3 802.1x information exchange process

(1) When a user accesses the network, the 802.1X client program is automatically started. The client program sends an authentication request frame (EAPOR-start) to the device to start the authentication process.

(2) After receiving the authentication request frame from the client, the device sends an EAP-Request/Identity frame to the client, requesting the client to send the user name.

(3) The client sends the user name to the device through an EAP-Response/Identity frame to respond to the request sent by the device.

(4) The device encapsulates the EAP packets from the client in EAPOR format into a RADIUS Access-Request packet and sends it to the authentication server for processing.

(5)–(9)The authentication server (RADIUS server) verifies the user name and password of the client using a specific method. If the authentication succeeds, the server sends an authentication success packet (RADIUS Access-Accept) to the device. In the preceding figure, the MD5-Challenge method is used. In addition, EAP-TLS and PEAP are supported.

(10) After receiving the RADIUS Access-Accept packet, the device decapsulates it in EAPOR format and sends an EAP-Success packet to the client. Then, the device changes the port to the authorized state and allows the user to access the network through the port.

MAB Authentication

If MAB authentication is enabled because 802.1X authentication times out during EAPOL message exchange, the device can authorize the client when detecting the Ethernet packets from the client. The device uses the MAC address of the client as its identifier, adds the MAC address to the RADIUS-Access/Request frame, and sends the frame to the RADIUS server. After the server sends a RADIUS-Access/Accept frame (authorization success) to the device, the port is authorized. If the MAB authorization fails and the guest VLAN is specified, the device assigns the port to the guest VLAN. If the device detects an EAPOL packet when waiting for an Ethernet packet, the device stops MAB authorization and starts 802.1X authentication. The detailed process is shown in Figure 1-4. In the figure, PAE refers to the port access entity, that is, the device for authentication and authorization.

Figure 1-4 MAB authorization process

Configuring 802.1X Authentication

This section describes how to configure 802.1X authentication on an ONU in two networking modes.

ONU Functioning as the 802.1x Authentication Device

The ONU functions as the 802.1X authentication device. 802.1x authentication configurations are delivered to the ONU through the OLT.


  • The OLT has been connected to a Layer 3 switch.
  • The ONU is online and can be managed by the OLT.
  • The remote RADIUS server has been deployed and is functioning properly.

Figure 1-5 shows the networking diagram for RADIUS authentication.

Figure 1-5 Networking diagram for RADIUS authentication

Data Planning

Configuration Item


Networking data

PON port: 0/6/0

Upstream port: 0/10/0


ONU IP address:

802.1X authentication

Port authentication mode: auto

Authentication method: EAP

VLAN planning

  • Management WAN port VLAN: 11
  • Guest VLAN, SVLAN: 10; CVLAN: 10
  • Restrict VLAN, SVLAN: 20; CVLAN: 20
  • Critical VLAN, SVLAN: 30; CVLAN: 30
  • Dynamic Service VLAN, SVLAN: 40; CVLAN: 40

The preceding VLANs need to be mapped to GEM ports in the line profile and service profile during network planning.

RADIUS server

  • Primary authentication server: IP address:; Port number: 1812
  • Secondary authentication server: IP address:; Port number: 1812
  • Master shared key: 0123456789123456
  • Slave shared key: 0123456789123456
  • The IP addresses and shared keys for the authorization server can be the same as those for the authentication server.


  1. Create and configure a dot1x (802.1x) profile.

    Configure dot1x parameters on ONU port 1, enable dot1x authentication, set the authentication mode to auto, set the authentication method to EAP, and configure related VLANs. If ONU port 1 needs to connect a terminal that does not support 802.1X, enable MAB authentication.

    huawei(config)#ont dot1x-profile profile-id 1 
    huawei(config-dot1x-profile-1)#port dot1x eth 1 enable 
    huawei(config-dot1x-profile-1)#port dot1x authentication-method eth 1 eap 
    huawei(config-dot1x-profile-1)#port dot1x port-control eth 1 auto 
    huawei(config-dot1x-profile-1)#port dot1x guest-vlan eth 1 10 
    huawei(config-dot1x-profile-1)#port dot1x restrict-vlan eth 1 20 
    huawei(config-dot1x-profile-1)#port dot1x critical-vlan eth 1 30 
    huawei(config-dot1x-profile-1)#port mac-bypass eth 1 enable

  2. Configure a WAN profile.

    huawei(config)#ont wan-profile profile-id 9 profile-name wan_prof_hwtest 
    huawei(config-wan-profile-9)#connection-type route 

  3. Configure the IP address of the ONU and the IP interface index of the Internet service, and bind the WAN profile.

    Set the static IP address of the ONU to and the IP interface index of the Internet service to 0.

    huawei(config)#gpon ont home-gateway config-method omci 
    huawei(config)#interface gpon 0/6 
    huawei(config-if-gpon-0/6)#ont ipconfig 0 0 ip-index 0 static ip-address mask vlan 11 gateway 
    huawei(config-if-gpon-0/6)#ont internet-config 0 0 ip-index 0 
    huawei(config-if-gpon-0/6)#ont wan-config 0 0 ip-index 0 profile-id 9 

  4. Configure the RADIUS server IP address and authentication domain.

    Configure the RADIUS server as the primary authentication server, the RADIUS server as the secondary authentication server, and configure the master and slave shared keys as 0123456789123456. Set the authentication timeout interval to 20s and the maximum number of retries to 3.

    huawei(config-dot1x-profile-1)#radius-server authentication 1812 
    huawei(config-dot1x-profile-1)#radius-server shared-key 0123456789123456 
    huawei(config-dot1x-profile-1)#radius-server authentication 1812 secondary 
    huawei(config-dot1x-profile-1)#radius-server shared-key 0123456789123456 secondary 
    huawei(config-dot1x-profile-1)#radius-server user-name domain-included 
    huawei(config-dot1x-profile-1)#radius-server timeout 20 
    huawei(config-dot1x-profile-1)#radius-server retransmit 3 

  5. Bind the ONU to the dot1x profile.

    huawei(config)#interface gpon 0/6 
    huawei(config-if-gpon-0/6)#ont dot1x-config 0 0 profile-id 1  

  6. Configure service flows for 802.1X authentication.

    • Add a service flow to the RADIUS server. Set SVLAN and CVLAN to 11.
      huawei(config)#vlan 11 smart  
      huawei(config)#port vlan 11 0/10 0 
      huawei(config)#service-port vlan 11 gpon 0/6/0 ont 0 gemport 0 multi-service user-vlan 11
    • Add a service flow to the Guest network. Set SVLAN and CVLAN to 10.
      huawei(config)#vlan 10 smart  
      huawei(config)#port vlan 10 0/10 0 
      huawei(config)#service-port vlan 10 gpon 0/6/0 ont 0 gemport 0 multi-service user-vlan 10
    • Add a service flow to the Restrict network. Set SVLAN and CVLAN to 20.
      huawei(config)#vlan 20 smart  
      huawei(config)#port vlan 20 0/10 0 
      huawei(config)#service-port vlan 20 gpon 0/6/0 ont 0 gemport 0 multi-service user-vlan 20
    • Add a service flow to the Critical network. Set SVLAN and CVLAN to 30.
      huawei(config)#vlan 30 smart  
      huawei(config)#port vlan 30 0/10 0 
      huawei(config)#service-port vlan 30 gpon 0/6/0 ont 0 gemport 0 multi-service user-vlan 30
    • Add a service flow to the Dynamic Service network. Set SVLAN and CVLAN to 40.
      huawei(config)#vlan 40 smart 
      huawei(config)#port vlan 40 0/10 0 
      huawei(config)#service-port vlan 40 gpon 0/6/0 ont 0 gemport 0 multi-service user-vlan 40 

  7. (Optional) Configure the online user recording function.

    Configure the IP addresses of the primary and secondary accounting servers. (The accounting server can use the same shared key with the authentication server or a different shared key.)

    huawei(config)#ont dot1x-profile profile-id 1 
    huawei(config-dot1x-profile-1)#radius-server accounting 1812 
    huawei(config-dot1x-profile-1)#radius-server accounting 1812 secondary 

  8. (Optional) Configure the function of forcing users to go offline.

    Configure the IP address of the RADIUS authorization server.

    huawei(config)#ont dot1x-profile profile-id 1 
    huawei(config-dot1x-profile-1)#radius-server authorization 1812 shared-key 0123456789123456 

Operation Result

After the ONU is configured, it can function as an access point for 802.1X authentication. The device can access the LAN through the user name and password, or MAC address.

Core Switch Functioning as the 802.1X Authentication Device

The core switch functions as the 802.1X authentication device, and the transparent transmission function is configured on the OLT for 802.1x protocol packets.


  • The ONU/OLT is online and in the normal state.
  • By default, the ONU transparently transmits EAPOL and BPDU packets.

Figure 1-6 shows the networking diagram for RADIUS authentication.

Figure 1-6 Networking diagram for RADIUS authentication


  • Configure EAPOL packets to be transparently transmitted on the OLT.
huawei(config)#protocol permit-forwarding eapol enable
  • Configure BPDU packets to be transparently transmitted on the OLT.
huawei(config)#vlan service-profile profile-id 10
huawei(config-vlan-srvprof-10)#bpdu tunnel enable
huawei(config)#vlan bind service-profile 11 profile-id 10

Operation Result

After the configuration is completed, 802.1x protocol packets can be transparently transmitted to the core switch, and the core switch then implements 802.1X authentication.

Updated: 2019-10-25

Document ID: EDOC1100097571

Views: 1199

Downloads: 55

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Previous Next