S300, S500, S2700, S5700 and S6700 V200R23C00 Configuration Guide - User Access and Authentication

This document describes how to configure User Access and Authentication, including AAA, NAC, Policy Association, and Kerberos Snooping.

Example for Configuring Wireless 802.1X Authentication

Networking Requirements

On the enterprise network shown in Figure 2-79, Switch_B provides the native AC function and is connected to APs through Switch_A (access switch). The enterprise plans to deploy a WLAN network named wlan-net to provide wireless access for employees. Additionally, 802.1X authentication through a RADIUS server needs to be configured for wireless users. Switch_B functions as a DHCP server to assign IP addresses on the network segment 10.23.101.0/24 to STAs.

Figure 2-79 Networking diagram for configuring wireless 802.1X authentication

Configuration Roadmap

  1. Configure basic VLAN services on Switch_A to enable connectivity between upstream and downstream networks.
  2. Configure basic WLAN services on Switch_B, so that Switch_B can communicate with upstream and downstream devices and the APs can go online.
  3. Configure WLAN service parameters on Switch_B, and bind a security profile and an authentication profile to a VAP profile to control STAs' access to the WLAN.

Data Plan

Table 2-24 Data plan for Switch_B

Item

Data

RADIUS authentication

RADIUS authentication scheme: radius_test

RADIUS accounting scheme: scheme1

RADIUS server template: radius_test

  • IP address: 10.23.200.1
  • Authentication port number: 1812
  • Accounting port number: 1813
  • Shared key: YsHsjx_202206

802.1X access profile

  • Name: d1
  • Authentication mode: EAP

Authentication profile

  • Name: p1
  • Bound profiles and schemes: 802.1X access profile d1, RADIUS server template radius_test, RADIUS authentication scheme radius_test, and RADIUS accounting scheme scheme1

DHCP server

Switch_B functions as a DHCP server to assign IP addresses to STAs and APs.

  • IP address pool for APs on VLANIF 100: 10.23.100.2/24 to 10.23.100.254/24
  • IP address pool for STAs on VLANIF 101: 10.23.101.2/24 to 10.23.101.254/24

IP address of the AC's source interface

VLANIF 100: 10.23.100.1/24

AP group

  • Name: ap-group1
  • Bound profiles: VAP profile wlan-vap and regulatory domain profile domain1

Regulatory domain profile

  • Name: domain1
  • Country code: CN

SSID profile

  • Name: wlan-ssid
  • SSID name: wlan-net

Security profile

  • Name: wlan-security
  • Security policy: WPA2+802.1X+AES

VAP profile

  • Name: wlan-vap
  • Forwarding mode: tunnel forwarding
  • Service VLAN: VLAN 101
  • Bound profiles: SSID profile wlan-ssid, security profile wlan-security, and 802.1X authentication profile p1

Procedure

  1. Configure the access switch Switch_A. Add GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 100.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch_A
    [Switch_A] vlan batch 100
    [Switch_A] interface gigabitethernet 0/0/1
    [Switch_A-GigabitEthernet0/0/1] port link-type trunk
    [Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
    [Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
    [Switch_A-GigabitEthernet0/0/1] quit
    [Switch_A] interface gigabitethernet 0/0/2
    [Switch_A-GigabitEthernet0/0/2] port link-type trunk
    [Switch_A-GigabitEthernet0/0/2] port trunk pvid vlan 100
    [Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
    [Switch_A-GigabitEthernet0/0/2] quit
    [Switch_A] interface gigabitethernet 0/0/3
    [Switch_A-GigabitEthernet0/0/3] port link-type trunk
    [Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
    [Switch_A-GigabitEthernet0/0/3] quit

  2. Configure Switch_B so that CAPWAP packets can be transmitted between the AC and APs.

    # On Switch_B, add GE0/0/1 to VLAN 100 (management VLAN).

    In this example, tunnel forwarding is used to transmit service data. If direct forwarding is used instead, configure port isolation on GE0/0/1, which connects the AC to the APs. Without port isolation, unnecessary broadcast packets are transmitted in the VLAN, and WLAN users on different APs can communicate with each other directly at Layer 2.

    In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch_B
    [Switch_B] vlan batch 100 101 200
    [Switch_B] interface gigabitethernet 0/0/1
    [Switch_B-GigabitEthernet0/0/1] port link-type trunk
    [Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
    [Switch_B-GigabitEthernet0/0/1] quit

  3. Configure Switch_B to communicate with upper-layer network devices.

    # On Switch_B, add uplink interface GE0/0/2 to VLAN 200 (VLAN for communicating with the RADIUS server).

    [Switch_B] interface gigabitethernet 0/0/2
    [Switch_B-GigabitEthernet0/0/2] port link-type trunk
    [Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
    [Switch_B-GigabitEthernet0/0/2] quit

  4. Configure Switch_B as a DHCP server to assign IP addresses to STAs and APs.

    # Configure Switch_B as a DHCP server to assign IP addresses to APs from the IP address pool on VLANIF 100 and assign IP addresses to STAs from the IP address pool on VLANIF 101.

    [Switch_B] dhcp enable
    [Switch_B] interface vlanif 100
    [Switch_B-Vlanif100] ip address 10.23.100.1 24
    [Switch_B-Vlanif100] dhcp select interface
    [Switch_B-Vlanif100] quit
    [Switch_B] interface vlanif 101
    [Switch_B-Vlanif101] ip address 10.23.101.1 24
    [Switch_B-Vlanif101] dhcp select interface
    [Switch_B-Vlanif101] quit

  5. Create VLANIF 200 and configure an IP address for it. This IP address will be used as the authentication source interface.

    [Switch_B] interface vlanif 200
    [Switch_B-Vlanif200] ip address 10.23.200.3 24
    [Switch_B-Vlanif200] quit

  6. Configure APs to go online.

    # Create a regulatory domain profile, configure the AC country code in the profile, and bind the profile to the AP group.

    [Switch_B] wlan
    [Switch_B-wlan-view] regulatory-domain-profile name domain1
    [Switch_B-wlan-regulate-domain-domain1] country-code cn
    [Switch_B-wlan-regulate-domain-domain1] quit
    [Switch_B-wlan-view] ap-group name ap-group1
    [Switch_B-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
    Warning: This configuration change will clear the channel and power configurations of radios, and may restart APs. Continue?[Y/N]:y
    [Switch_B-wlan-ap-group-ap-group1] quit
    [Switch_B-wlan-view] quit
    # Configure the AC's source interface.
    [Switch_B] capwap source interface vlanif 100
    # Import APs offline on Switch_B and add the APs to the AP group ap-group1. Configure a name for the AP based on the AP's deployment location, so that you can know where the AP is deployed from its name. For example, name the AP with the MAC address 00e0-fc76-e360 as area_1 if it is deployed in area 1, and name the AP with the MAC address 00e0-fc76-e370 as area_2 if it is deployed in area 2.

    The default AP authentication mode is MAC address authentication. If the default setting is retained, you do not need to run the ap auth-mode mac-auth command.

    In this example, the AirEngine 8760-X1-PRO is used and has two radios: radio 0 and radio 1.

    [Switch_B] wlan
    [Switch_B-wlan-view] ap auth-mode mac-auth
    [Switch_B-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
    [Switch_B-wlan-ap-0] ap-name area_1
    [Switch_B-wlan-ap-0] ap-group name ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y  
    [Switch_B-wlan-ap-0] quit
    [Switch_B-wlan-view] ap-id 1 ap-mac 00e0-fc76-e370
    [Switch_B-wlan-ap-1] ap-name area_2
    [Switch_B-wlan-ap-1] ap-group name ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y  
    [Switch_B-wlan-ap-1] quit
    [Switch_B-wlan-view] quit

    # After APs are powered on, run the display ap all command to check the AP status. If the State field displays nor, the APs are online.

    [Switch_B] display ap all
    Total AP information: 
    nor  : normal          [2] 
    Extrainfo : Extra information 
    P  : insufficient power supply 
    -------------------------------------------------------------------------------------------------- 
    ID   MAC            Name   Group     IP            Type                      State STA Uptime      ExtraInfo 
    -------------------------------------------------------------------------------------------------- 
    0    00e0-fc76-e360 area_1 ap-group1 10.23.100.254 AirEngine8760-X1-PRO      nor   0   10S         - 
    1    00e0-fc76-e370 area_2 ap-group1 10.23.100.253 AirEngine8760-X1-PRO      nor   0   10S         - 
    -------------------------------------------------------------------------------------------------- 
    Total: 2

  7. Configure a RADIUS server template, a RADIUS authentication scheme, and a RADIUS accounting scheme for STA authentication.

    Ensure that the RADIUS server IP address, port number, and shared key are correctly configured and are the same as those on the RADIUS server.

    # Configure a RADIUS server template.

    [Switch_B] radius-server template radius_test
    [Switch_B-radius-radius_test] radius-server authentication 10.23.200.1 1812
    [Switch_B-radius-radius_test] radius-server accounting 10.23.200.1 1813
    [Switch_B-radius-radius_test] radius-server shared-key cipher YsHsjx_202206
    # Change the value of a RADIUS attribute.
    [Switch_B-radius-radius_test] radius-server attribute translate 
    [Switch_B-radius-radius_test] radius-attribute set Framed-Mtu 1000
    [Switch_B-radius-radius_test] quit

    When the Access-Challenge packet sent by the RADIUS server carries EAP data longer than 1200 bytes, the terminal may fail to receive the EAP Request/Challenge packet. In this case, run the radius-attribute set command with attribute-name set to Framed-MTU to reduce the value of the Framed-MTU attribute that the device sends in its authentication request packets to the RADIUS server. The default value of the Framed-MTU attribute is 1500; here it is changed to 1000. Some third-party RADIUS servers do not support this attribute, in which case the length of the packets they send cannot be limited this way.

    # Configure a RADIUS authentication scheme.

    [Switch_B] aaa
    [Switch_B-aaa] authentication-scheme radius_test
    [Switch_B-aaa-authen-radius_test] authentication-mode radius
    [Switch_B-aaa-authen-radius_test] quit

    # Configure a RADIUS accounting scheme.

    [Switch_B-aaa] accounting-scheme scheme1
    [Switch_B-aaa-accounting-scheme1] accounting-mode radius
    [Switch_B-aaa-accounting-scheme1] accounting realtime 15
    [Switch_B-aaa-accounting-scheme1] quit

    # Configure an authentication domain and bind the RADIUS authentication scheme, accounting scheme, and server template to it.

    [Switch_B-aaa] domain test
    [Switch_B-aaa-domain-test] authentication-scheme radius_test
    [Switch_B-aaa-domain-test] accounting-scheme scheme1
    [Switch_B-aaa-domain-test] radius-server radius_test
    [Switch_B-aaa-domain-test] quit
    [Switch_B-aaa] quit

  8. Configure an 802.1X access profile for STA authentication.

    By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X authentication requests.

    [Switch_B] dot1x-access-profile name d1
    [Switch_B-dot1x-access-profile-d1] quit

  9. Configure the 802.1X authentication profile p1 for STA authentication.

    [Switch_B] authentication-profile name p1
    [Switch_B-authentication-profile-p1] dot1x-access-profile d1
    [Switch_B-authentication-profile-p1] access-domain test
    [Switch_B-authentication-profile-p1] quit

  10. Configure WLAN service parameters.

    # Create the security profile wlan-security and configure a security policy in the profile.

    [Switch_B] wlan
    [Switch_B-wlan-view] security-profile name wlan-security
    [Switch_B-wlan-sec-prof-wlan-security] security wpa2 dot1x aes
    [Switch_B-wlan-sec-prof-wlan-security] quit

    # Create the SSID profile wlan-ssid and set the SSID name to wlan-net.

    [Switch_B-wlan-view] ssid-profile name wlan-ssid
    [Switch_B-wlan-ssid-prof-wlan-ssid] ssid wlan-net
    [Switch_B-wlan-ssid-prof-wlan-ssid] quit

    # Create the VAP profile wlan-vap, configure the service data forwarding mode and service VLAN, and bind the security profile, SSID profile, and authentication profile to the VAP profile.

    [Switch_B-wlan-view] vap-profile name wlan-vap
    [Switch_B-wlan-vap-prof-wlan-vap] forward-mode tunnel
    [Switch_B-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
    [Switch_B-wlan-vap-prof-wlan-vap] security-profile wlan-security
    [Switch_B-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
    [Switch_B-wlan-vap-prof-wlan-vap] authentication-profile p1
    [Switch_B-wlan-vap-prof-wlan-vap] quit

    # Bind the VAP profile wlan-vap to the AP group and apply the profile to radios 0 and 1 of the APs.

    [Switch_B-wlan-view] ap-group name ap-group1
    [Switch_B-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
    [Switch_B-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
    [Switch_B-wlan-ap-group-ap-group1] quit

  11. Verify the configuration.

    • After the configuration is complete, the WLAN with the SSID wlan-net is available for STAs. Use a mobile phone to associate with this WLAN and enter the user name and password.
    • After the authentication succeeds, the user automatically obtains an IP address on the 10.23.101.0/24 network segment and can access the Internet.
    • An administrator can view detailed information about online users by running the display access-user and display access-user user-id user-id commands on Switch_B.
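As an added illustration of the Framed-MTU note in step 7 (example code, not from the Huawei guide and not the switch's implementation): how a NAS encodes Framed-MTU 1000 into a RADIUS Access-Request next to the EAP-Message, and how the Message-Authenticator that RFC 3579 requires on EAP requests is computed and verified with the template's shared key. The user name and EAP identity payload are constructed sample values.

```python
# Added example, not from the Huawei guide: the Framed-MTU attribute from step 7
# inside a RADIUS Access-Request, protected by a Message-Authenticator keyed with
# the shared key of the radius_test template. User name and EAP payload are constructed.
import hashlib, hmac, os, struct

SHARED_KEY = b"YsHsjx_202206"   # shared key configured in the RADIUS server template above
USER_NAME, FRAMED_MTU, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 12, 79, 80   # RFC 2865/2869 types

def attr(atype, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_access_request(identifier, user, eap_payload, framed_mtu=1000, authenticator=None):
    """Build an Access-Request (code 1) that tells the server the MTU to fragment EAP to."""
    authenticator = authenticator or os.urandom(16)   # 16-byte random Request Authenticator
    body = (attr(USER_NAME, user.encode())
            + attr(FRAMED_MTU, struct.pack("!I", framed_mtu))
            + attr(EAP_MESSAGE, eap_payload)
            + attr(MESSAGE_AUTHENTICATOR, bytes(16)))   # zero placeholder, filled in below
    pkt = struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body
    mac = hmac.new(SHARED_KEY, pkt, hashlib.md5).digest()   # HMAC over the zeroed packet
    return pkt[:-16] + mac   # the placeholder is the last 16 bytes of the packet

def parse_attributes(pkt):
    """Return {type: value} for every attribute after the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:   # a malformed length would loop forever
            break
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return attrs

def verify_message_authenticator(pkt):
    """Recompute HMAC-MD5 with the Message-Authenticator value zeroed (RFC 2869 5.14)."""
    pos, zeroed, received = 20, bytearray(pkt), None
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received = pkt[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += alen
    if received is None:
        return False
    expected = hmac.new(SHARED_KEY, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, received)
```

A server that rejects the request with a bad Message-Authenticator, or a NAS that receives one, is the first sign of a shared-key mismatch between the template and the server.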

Configuration Files

Switch_B configuration file

#
sysname Switch_B
#
vlan batch 100 to 101 200
#
authentication-profile name p1
 dot1x-access-profile d1
 access-domain test
# 
dhcp enable
#
radius-server template radius_test
 radius-server shared-key cipher %^%#ANM|Cb!>GNo=U@V~_{E1fQ>;I2#2l(3Q%1~Z.u|R%^%#
 radius-server authentication 10.23.200.1 1812 weight 80
 radius-server accounting 10.23.200.1 1813 weight 80
 radius-server attribute translate
 radius-attribute set Framed-Mtu 1000
#
aaa
 authentication-scheme radius_test
  authentication-mode radius
 accounting-scheme scheme1
  accounting-mode radius
  accounting realtime 15
 domain test
  authentication-scheme radius_test
  accounting-scheme scheme1
  radius-server radius_test
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif200
 ip address 10.23.200.3 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 200
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 dot1x aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 ap-mac 00e0-fc76-e360
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
 ap-id 1 ap-mac 00e0-fc76-e370
  ap-name area_2
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
dot1x-access-profile name d1
#
return

Switch_A configuration file

#
sysname Switch_A
#
vlan batch 100 
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
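Before loading a file like the Switch_B configuration above, it helps to check that every profile, scheme, and server template a binding refers to actually exists, and that in tunnel forwarding mode the management VLAN and service VLAN differ, as step 2 of the procedure requires. The following checker is an added example, not part of the Huawei guide; its parsing rules and the constructed excerpt are my own assumptions about the file layout.

```python
# Added example, not from the Huawei guide: a consistency check over a VRP-style
# configuration file such as the Switch_B file above. Parsing rules are my own.
import re

# Constructed excerpt of the Switch_B file; "domain test" deliberately binds a
# scheme named "radius" that is never defined (the guide defines radius_test).
SAMPLE = """\
authentication-profile name p1
 dot1x-access-profile d1
aaa
 authentication-scheme radius_test
 domain test
  authentication-scheme radius
capwap source interface vlanif100
wlan
 security-profile name wlan-security
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  security-profile wlan-security
  authentication-profile p1
dot1x-access-profile name d1
"""
DEF = re.compile(r"^\s*(\S+) (?:name|template) (\S+)$")  # line that creates an object
REF = re.compile(r"^\s+(\S+-scheme|\S+-profile|radius-server) (\S+)$")  # line that binds one

def check_config(text):
    """Return the list of problems found; an empty list means the bindings are consistent."""
    defined, refs, problems, block = set(), [], [], None
    mgmt_vlan, svc_vlan, tunnel = None, None, False
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        block = line.strip() if indent == 0 else block   # top-level view, e.g. "aaa"
        d, r = DEF.match(line), REF.match(line)
        if d:
            defined.add(d.groups())
        elif r and block == "aaa" and indent == 1:   # schemes are defined one level under aaa
            defined.add(r.groups())
        elif r:
            refs.append(r.groups())
        elif line.startswith("capwap source interface vlanif"):
            mgmt_vlan = line.rsplit("vlanif", 1)[1]   # management VLAN (CAPWAP source)
        elif line.strip() == "forward-mode tunnel":
            tunnel = True
        elif line.strip().startswith("service-vlan vlan-id "):
            svc_vlan = line.split()[-1]
    problems += [f"{k} {n} is referenced but never defined" for k, n in refs if (k, n) not in defined]
    if tunnel and mgmt_vlan is not None and mgmt_vlan == svc_vlan:   # constraint from step 2
        problems.append(f"tunnel forwarding: management VLAN {mgmt_vlan} equals the service VLAN")
    return problems
```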