How to configure local authentication for 802.1x authentication users on S series switches

For S series switches (except the S1700), 802.1x authentication user information (including the user name, password, and other attributes of a local user) for local authentication and authorization is configured on the switches. Local authentication and authorization for 802.1x authentication users feature fast processing and low operation cost, but the amount of information that can be stored is limited by the switch hardware capacity.
Assume that a user connects to GE0/0/1 on a switch and belongs to VLAN 100. After local authentication is configured for the user on the switch, the user can access the network without being authorized. Configure local authentication for an 802.1x authentication user as follows:
1. Create VLAN 100 and add GE0/0/1 to the VLAN.
[HUAWEI] vlan batch 100 
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] port default vlan 100 
[HUAWEI-GigabitEthernet0/0/1] quit
2. Create a local user and an authentication domain for the local user.
[HUAWEI] aaa     
[HUAWEI-aaa] local-user huawei password cipher hello@123
[HUAWEI-aaa] local-user huawei service-type 8021x
[HUAWEI-aaa] authentication-scheme test
[HUAWEI-aaa-authen-test] authentication-mode local
[HUAWEI-aaa-authen-test] quit
[HUAWEI-aaa] authorization-scheme test
[HUAWEI-aaa-author-test] authorization-mode none
[HUAWEI-aaa-author-test] quit
[HUAWEI-aaa] domain default_admin
[HUAWEI-aaa-domain-default_admin] authentication-scheme test
[HUAWEI-aaa-domain-default_admin] authorization-scheme test
3. Enable 802.1x authentication in the system view and on a specified interface.
a. In common mode (applicable to switches running all versions):
[HUAWEI] undo authentication unified-mode  //Change the NAC mode to common. This step is required only on switches running V200R005C00 and later versions.br>[HUAWEI] quit
<HUAWEI> reboot   //This step is required only on switches running V200R005C00 and later versions.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] dot1x enable
[HUAWEI-GigabitEthernet0/0/1] dot1x authentication-method eap
b. In unified mode (applicable to switches running versions from V200R005 to V200R008):
[HUAWEI] authentication unified-mode 
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication dot1x
[HUAWEI-GigabitEthernet0/0/1] authentication mode multi-authen max-user 100
c. In unified mode (applicable to switches running V200R009 and later versions):
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] quit
[HUAWEI] authentication-profile name a1
[HUAWEI-authen-profile-a1] dot1x-access-profile d1
[HUAWEI-authen-profile-a1] quit
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication-profile a1

Scroll to top