Configuring Authentication Control Points
Configuring an Authentication Control Point for Wired Access (Using Commands)
Context
In non-virtualization scenarios of large- and medium-sized campus networks, it is recommended that the wired authentication control point be deployed on the core switch and policy association be deployed between core and access switches. In this case, policy association needs to be configured through the CLI. Therefore, you need to log in to the CLI of the wired authentication control point to configure authentication profiles and bind these profiles to interfaces.
As shown in Figure 5-7, the core switch (Core) functions as the wired authentication control point, and policy association is deployed between Core and access switch Access-a, and the authentication enforcement point is moved to Access-a. The procedure for configuring the wired authentication control point is as follows:
In non-virtualization scenarios of large- and medium-sized campus networks, if the built-in authentication server of iMaster NCE-Campus is used for wired access authentication and the authentication control point is configured through the CLI, the NAC device needs to be configured on the Admission Device tab page of iMaster NCE-Campus.
Procedure
- Configure policy association between Core and Access-a.
- Configure interfaces to work in trunk mode and add them to a VLAN (management VLAN for policy association) so that Core and Access-a can communicate at Layer 2 in this VLAN. The following uses the configuration on Core as an example.
[Core] vlan batch 10
[Core] interface xgigabitethernet 0/0/1
[Core-XGigabitEthernet0/0/1] port link-type trunk
[Core-XGigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Core-XGigabitEthernet0/0/1] quit
- Establish a CAPWAP tunnel between Core and Access-a.
Create VLANIF 10 on Core and specify VLANIF 10 as the source interface of an interface address pool and the CAPWAP tunnel.
[Core] interface vlanif 10
[Core-Vlanif10] ip address 10.1.1.1 24
[Core-Vlanif10] dhcp select interface
[Core-Vlanif10] dhcp server option 43 ip-address 10.1.1.1
[Core-Vlanif10] quit
[Core] capwap source interface vlanif 10
[Core] as-auth
[Core-as-auth] auth-mode none
[Core-as-auth] quit
Create VLANIF 10 on Access-a, enable VLANIF 10 to obtain an IP address through DHCP, and configure VLANIF 10 as the access interface of the CAPWAP tunnel.
[Access-a] interface vlanif 10
[Access-a-Vlanif10] ip address dhcp-alloc
[Access-a-Vlanif10] quit
[Access-a] as access interface vlanif 10
- Configure the AAA service on Core.
- Create and configure RADIUS server template rd1.
[Core] radius-server template rd1
[Core-radius-rd1] radius-server authentication 192.168.1.1 1812
[Core-radius-rd1] radius-server shared-key cipher Admin@1234
[Core-radius-rd1] quit
- Create AAA authentication scheme abc and set the authentication mode to RADIUS.
[Core] aaa
[Core-aaa] authentication-scheme abc
[Core-aaa-authen-abc] authentication-mode radius
[Core-aaa-authen-abc] quit
- Create authentication domain company1.com, and bind the AAA scheme abc and RADIUS server template rd1 to company1.com.
[Core-aaa] domain company1.com
[Core-aaa-domain-company1.com] authentication-scheme abc
[Core-aaa-domain-company1.com] radius-server rd1
[Core-aaa-domain-company1.com] quit
[Core-aaa] quit
- Check whether a user can be authenticated using RADIUS authentication. (The test user test and password Admin123 have been configured on the RADIUS server.)
[Core] test-aaa test Admin123 radius-template rd1
Info: Account test succeeded.
- Configure a Portal server template on Core.
[Core] web-auth-server abc
[Core-web-auth-server-abc] server-ip 192.168.1.1
[Core-web-auth-server-abc] port 50100
[Core-web-auth-server-abc] url http://192.168.1.1:19008/portal
[Core-web-auth-server-abc] shared-key cipher Admin@1234
[Core-web-auth-server-abc] quit
- Configure an authentication profile on Core and bind the profile to the user access interface.
- If a MAC authentication profile needs to be bound to XGE0/0/1:
[Core] mac-access-profile name m1 //Configure MAC access profile m1.
[Core-mac-access-profile-m1] quit
[Core] authentication-profile name p1 //Configure authentication profile p1.
[Core-authen-profile-p1] mac-access-profile m1 //Bind MAC access profile m1 to p1.
[Core-authen-profile-p1] access-domain company1.com force //Specify the forcible authentication domain as company1.com.
[Core-authen-profile-p1] quit
[Core] interface xgigabitethernet 0/0/1
[Core-XGigabitEthernet0/0/1] authentication-profile p1 //Bind authentication profile p1 to the user access interface.
[Core-XGigabitEthernet0/0/1] quit
- If an 802.1X authentication profile needs to be bound to XGE0/0/1:
[Core] dot1x-access-profile name d1 //Configure 802.1X access profile d1.
[Core-dot1x-access-profile-d1] dot1x authentication-method eap //Specify EAP as the authentication mode for 802.1X users.
[Core-dot1x-access-profile-d1] dot1x timer client-timeout 30 //Set the authentication timeout interval for 802.1X users to 30 seconds.
[Core-dot1x-access-profile-d1] quit
[Core] authentication-profile name p1 //Configure authentication profile p1.
[Core-authen-profile-p1] dot1x-access-profile d1 //Bind 802.1X access profile d1 to p1.
[Core-authen-profile-p1] access-domain company1.com force //Specify the forcible authentication domain as company1.com.
[Core-authen-profile-p1] quit
[Core] interface xgigabitethernet 0/0/1
[Core-XGigabitEthernet0/0/1] authentication-profile p1 //Bind authentication profile p1 to the user access interface.
[Core-XGigabitEthernet0/0/1] quit
- If a Portal authentication profile needs to be bound to XGE0/0/1:
[Core] portal-access-profile name web1 //Configure Portal access profile web1.
[Core-portal-access-profile-web1] web-auth-server abc direct //Bind Portal server template abc to web1.
[Core-portal-access-profile-web1] quit
[Core] authentication-profile name p1 //Configure authentication profile p1.
[Core-authen-profile-p1] portal-access-profile web1 //Bind Portal access profile web1 to p1.
[Core-authen-profile-p1] access-domain company1.com force //Specify the forcible authentication domain as company1.com.
[Core-authen-profile-p1] quit
[Core] interface xgigabitethernet 0/0/1
[Core-XGigabitEthernet0/0/1] authentication-profile p1 //Bind authentication profile p1 to the user access interface.
[Core-XGigabitEthernet0/0/1] quit
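The wired procedure above has several places where one mistyped value silently breaks policy association or leaves an example key in production. As an added example (not part of this documentation and not a Huawei tool), the following Python check parses such "[view] command" snippets and reports the defects a reviewer would look for: the CAPWAP management VLAN not created or not allowed on the trunk, a profile bound before it is defined, and a shared key copied from the documentation. The view model, the profile kinds and the placeholder-key list are assumptions simplified from this page.

```python
from collections import defaultdict

# Constructed sample (not the page's verbatim snippet): a cut-down Core configuration in
# the page's "[view] command" form, with three defects planted on purpose.
SAMPLE_CONFIG = """\
[Core] vlan batch 20
[Core] interface xgigabitethernet 0/0/1
[Core-XGigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Core-XGigabitEthernet0/0/1] authentication-profile p2
[Core-XGigabitEthernet0/0/1] quit
[Core] capwap source interface vlanif 10
[Core] radius-server template rd1
[Core-radius-rd1] radius-server shared-key cipher Admin@1234
[Core] authentication-profile name p1
[Core-authen-profile-p1] mac-access-profile m1
"""
# Assumed view model: which view each profile kind is bound from (by bare name; defined with "name").
PARENT = {"authentication-profile": "interface", "mac-access-profile": "authentication-profile",
          "dot1x-access-profile": "authentication-profile", "portal-access-profile": "authentication-profile"}
PLACEHOLDER_KEYS = {"Admin@1234"}  # assumed: documentation example keys that must not ship

def lint_config(text):
    """Parse '[view] command' lines and return a list of findings (empty means clean)."""
    vlans, trunk_vlans, capwap_vlan, view = set(), set(), None, None
    defined, referenced, findings = defaultdict(set), defaultdict(set), []
    for line in text.splitlines():
        t = line.partition("] ")[2].split() or ["#"]  # "#": no command on this line
        if t[0] == "quit":  # leaving the current configuration view
            view = None
        elif t[:2] == ["vlan", "batch"]:
            vlans.update(int(x) for x in t[2:] if x.isdigit())
        elif t[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            trunk_vlans.update(int(x) for x in t[4:] if x.isdigit())
        elif t[:4] == ["capwap", "source", "interface", "vlanif"]:
            capwap_vlan = int(t[4])
        elif t[0] == "interface":
            view = "interface"
        elif t[0] in PARENT and t[1:2] == ["name"]:
            defined[t[0]].add(t[2]); view = t[0]
        elif t[0] in PARENT and view == PARENT[t[0]]:
            referenced[t[0]].add(t[1])
        elif "shared-key" in t and t[-1] in PLACEHOLDER_KEYS:
            findings.append(f"placeholder shared key '{t[-1]}' still in use")
    for pool, what in ((vlans, "created"), (trunk_vlans, "allowed on the trunk")):
        if capwap_vlan is not None and capwap_vlan not in pool:
            findings.append(f"management VLAN {capwap_vlan} is not {what}")
    for kind, names in referenced.items():
        for name in sorted(names - defined[kind]):
            findings.append(f"{kind} {name} is referenced but never defined")
    return findings
```

Run `lint_config(SAMPLE_CONFIG)` to see the four planted findings; feeding it the corrected snippet returns an empty list.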
Configuring an Authentication Control Point for Wired Access (Using iMaster NCE-Campus)
Context
In non-virtualization scenarios of large- and medium-sized campus networks, wired authentication control points can also be configured using iMaster NCE-Campus. However, this method applies only to networks where policy association is not deployed. In addition, if the wired authentication control point is deployed on a core or aggregation switch, the switch does not forward EAP packets in 802.1X authentication at Layer 2 by default because such packets are bridge protocol data units (BPDUs). In this case, you need to perform the following configurations on the switch that transparently transmits these protocol packets between the wired authentication control point and user terminals:
- Run the l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 command in the global view.
- Run the l2protocol-tunnel user-defined-protocol dot1x enable and bpdu enable commands on the interface connected to the upstream device (wired authentication control point) and on the downlink interfaces connected to user terminals.
Plan Example
| Template Name | Whether to Use the Built-in Server | Real-Time Accounting | Key |
|---|---|---|---|
| iMaster_RADIUS | Yes | Off | Admin@1234 |

| Template Name | Whether to Use the Built-in Server | Key |
|---|---|---|
| iMaster_Portal | Yes | Admin@1234 |

| Name | Authentication Mode | RADIUS Server | Authentication Device and Access Interface |
|---|---|---|---|
| Wire_Access | Secure network | iMaster_RADIUS | Access-a and all its interfaces |
Configuration Tasks
| Task Description | Deployment Procedure |
|---|---|
| Configuring a RADIUS server template and a Portal server template | |
| Configuring the authentication control point for wired access | |
Configuring the Authentication Control Point for Wireless Access
In the non-virtualization scenario of a large or midsize campus network, the authentication control point for wireless access needs to be configured through the WAC's web system. For details, see Configuring WLAN Services.