802.1x dynamic ACL assignment from Microsoft NPS?

Created: Apr 3, 2019 11:18:35 | Latest reply: Apr 10, 2019 11:49:47
Rewarded Hi-coins: 0 (problem resolved)

Switch is S5720-SI


I have 802.1x working and users are authenticated using RADIUS (Microsoft NPS). Can someone please help in setting up RADIUS for dynamic ACLs? The user will have limited access when unauthenticated with an ACL on the switch, but we would like the user to have full internet access when authenticated by downloading an ACL from RADIUS.


We have it working with Cisco switches by using the vendor specific attribute Cisco-AV-Pair with value ip:inacl#10=permit ip any any. What is the equivalent with Huawei switches?


Thank you.



Featured Answers
chenhui (Admin), created Apr 4, 2019 11:58:13

Posted by BangorUni at 2019-04-04 07:38: Thank you but I've seen that document previously and it doesn't help with the RADIUS configuration, ...
The vendor-ID for Huawei is 2011 and the specific attribute for the downloadable ACL from the RADIUS server to the users is 26-82.

The format is: acl number key1 key-value1 ... keyN key-valueN permit/deny

The range of the number is from 10000 to 10999.

key1: dest-ip, dest-ipmask, tcp-srcport, tcp-dstport, udp-srcport, udp-dstport.

For example: acl 10008 dest-ip 10.1.1.1 dest-ipmask 32 udp-dstport 5555 permit.

All Answers
chenhui (Admin), created Apr 3, 2019 12:33:07

@BangorUni hi,
here is an example http://support.huawei.com/hedex/hdx.do?docid=EDOC1000005733&lang=en
path: CLI-based configuration > configuration guide - security > MAC configuration > configuring 802.1x authentication > (optional) configuring a user group

BangorUni, created Apr 3, 2019 12:53:19

Sorry, I don't understand. Where does RADIUS fit in with user-groups? Maybe I should have been more specific: it's not just users but devices too. At the moment I'm working on authenticating Windows 10 PCs which have Microsoft certificates installed. This works with Cisco switches using the attribute above. How does the Huawei switch know that my Windows 10 PC is a member of a user-group? Is this user-group the same name as the Microsoft Active Directory group?

I'm confused.

chenhui (Admin), created Apr 3, 2019 13:32:35

Posted by BangorUni at 2019-04-03 12:53: Sorry I don't understand. Where does RADIUS fit in with user-groups? Maybe I should have been more s ...

What I understand is that you want to assign the dynamic ACL to the users to limit them when authentication fails, and permit them to access the services when authentication succeeds. Am I right?

chenhui (Admin), created Apr 3, 2019 13:37:06

Posted by BangorUni at 2019-04-03 12:53: Sorry I don't understand. Where does RADIUS fit in with user-groups? Maybe I should have been more s ...

If I understand right, maybe this example will help you: https://support.huawei.com/enterprise/en/doc/EDOC1000114001/eceec2e8/delivering-vlans-or-acls-to-successfully-authenticated-users-on-cisco-ise

BangorUni, created Apr 4, 2019 07:38:27

Thank you, but I've seen that document previously and it doesn't help with the RADIUS configuration. We are using Microsoft NPS as our RADIUS and I need to know how to configure the vendor specific attributes for downloadable ACLs.

To make it more clear I'll explain our Cisco setup which we want to replicate on Huawei switches:

RADIUS server is Microsoft NPS.
Cisco switches have 802.1x configured.
Cisco switch has a Pre-Auth-ACL applied to each port limiting network access.
PCs are all Windows 10 with Microsoft certificates.
RADIUS server has a Network Policy to match Windows PCs in an Active Directory group and the correct certificate.
This Network Policy has the Cisco vendor specific attribute Cisco-AV-Pair with permit ip any any.

If the 802.1x match is successful then the Cisco switch applies the ACL from RADIUS, which overwrites the Pre-Auth-ACL on the port, giving PCs full network access. This works and is the suggested method by Cisco when unauthenticated hosts require some network access, which ours do.

I have configured Huawei switches for 802.1x and it works. I have even got downloadable VLANs working (if we need to use them in the future). But I don't know how to configure the Microsoft NPS server with Huawei attributes to apply a permit ip any to the port once it is authenticated.

Thank you again and sorry for maybe being unclear.


chenhui (Admin), created Apr 4, 2019 12:00:45

Posted by chenhui at 2019-04-04 11:58: the vendor-ID for Huawei is 2011, and the specific attribute for the downloadable ACL from the RAD ...

@BangorUni by the way, it's recommended to use the RADIUS standard attribute Filter-Id to announce the ACL.
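The two ways of announcing the ACL described in this thread (the Huawei vendor-specific attribute 26-82 with vendor ID 2011, and the standard Filter-Id attribute 11) are both just RADIUS attributes in the Access-Accept. The following Python script is an added example, not code from the thread or from Huawei or Microsoft: it validates an ACL string against the "acl number key value ... permit/deny" grammar given in chenhui's answer (number in 10000..10999, the listed keys), encodes it as a Vendor-Specific attribute in the RFC 2865 wire format, encodes a Filter-Id, and decodes the resulting byte string back. The sample ACL string is the one from the answer; the byte layout is the standard RADIUS one and is not specific to NPS.

```python
"""Encode/decode the RADIUS attributes discussed in the thread (added example).

Vendor-Specific (type 26) layout per RFC 2865 section 5.26:
  type(1) length(1) vendor-id(4) vendor-type(1) vendor-length(1) string
Filter-Id (type 11) layout per RFC 2865 section 5.11:
  type(1) length(1) text
"""
import struct

RADIUS_VENDOR_SPECIFIC = 26
RADIUS_FILTER_ID = 11
HUAWEI_VENDOR_ID = 2011        # vendor ID quoted in the answer above
HUAWEI_VSA_ACL = 82            # vendor type 82, i.e. "26-82" in NPS terms
MAX_VSA_STRING = 247           # 255 - 2 (type/len) - 4 (vendor id) - 2 (vtype/vlen)

# Keys listed in the answer; values are not type-checked here.
ACL_KEYS = {"dest-ip", "dest-ipmask", "tcp-srcport", "tcp-dstport",
            "udp-srcport", "udp-dstport"}


def validate_huawei_acl(text):
    """Parse 'acl <10000-10999> key value ... permit|deny'.

    Returns (number, {key: value}, action) or raises ValueError."""
    parts = text.strip().rstrip(".").split()
    if len(parts) < 3 or parts[0] != "acl":
        raise ValueError("string must start with 'acl <number>'")
    number = int(parts[1])
    if not 10000 <= number <= 10999:
        raise ValueError("ACL number must be in 10000..10999")
    action = parts[-1]
    if action not in ("permit", "deny"):
        raise ValueError("string must end with permit or deny")
    body = parts[2:-1]
    if len(body) % 2:
        raise ValueError("keys and values must come in pairs")
    keys = {}
    for key, value in zip(body[0::2], body[1::2]):
        if key not in ACL_KEYS:
            raise ValueError("unknown key %r" % key)
        keys[key] = value
    return number, keys, action


def encode_huawei_acl_vsa(text):
    """Wrap a validated ACL string in a Vendor-Specific attribute."""
    validate_huawei_acl(text)
    value = text.encode()
    if len(value) > MAX_VSA_STRING:
        raise ValueError("ACL string too long for one attribute")
    inner = struct.pack("!BB", HUAWEI_VSA_ACL, 2 + len(value)) + value
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(inner),
                       HUAWEI_VENDOR_ID) + inner


def encode_filter_id(name):
    """Standard Filter-Id attribute carrying an ACL name/number as text."""
    value = name.encode()
    return struct.pack("!BB", RADIUS_FILTER_ID, 2 + len(value)) + value


def decode_attributes(blob):
    """Walk an attribute list; return [(label, vendor_id_or_None, text)]."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute length")
        data = blob[i + 2:i + alen]
        if atype == RADIUS_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", data[:4])[0]
            vtype, vlen = data[4], data[5]
            if vlen != len(data) - 4:          # 4 = vendor id bytes
                raise ValueError("malformed vendor-specific attribute")
            out.append(("%d-%d" % (atype, vtype), vendor, data[6:].decode()))
        else:
            out.append((str(atype), None, data.decode()))
        i += alen
    return out


if __name__ == "__main__":
    sample = "acl 10008 dest-ip 10.1.1.1 dest-ipmask 32 udp-dstport 5555 permit"
    packed = encode_huawei_acl_vsa(sample) + encode_filter_id("3001")
    for label, vendor, text in decode_attributes(packed):
        print(label, vendor, text)
```

In NPS the same thing is configured in the Network Policy's Vendor Specific settings (vendor code 2011, attribute number 82, string value) or under Standard attributes as Filter-Id; the decoder above is useful for checking a captured Access-Accept against what you intended to send.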

BangorUni, created Apr 5, 2019 09:14:35

Thanks, we are getting closer, but the host still cannot access the internet after authentication. Please see the stripped-down config of our switch. We have a Pre-Auth-ACL on the port limiting access to one subnet. Once authenticated we want the ACL specified in RADIUS using Filter-Id (ACL 3001) to overwrite the Pre-Auth-ACL. I have included a display result at the end:

radius-server template dot1xauth
 radius-server shared-key cipher *********
 radius-server authentication 10.2.3.3 1812 weight 80
 radius-server accounting 10.2.3.3 1813 weight 80

acl number 3001
 rule 10 permit ip
acl name Pre-Auth-ACL 3999
 rule 10 permit ip destination 10.3.0.0 0.0.255.255
 rule 20 deny ip

aaa
 authentication-scheme radius
  authentication-mode radius local
 accounting-scheme default
 accounting-scheme dot1xacc
  accounting-mode radius
 domain dot1xauth
  authentication-scheme radius
  accounting-scheme dot1xacc
  radius-server dot1xauth

interface GigabitEthernet0/0/2
 description AMTTEST2
 port link-type access
 port default vlan 5
 traffic-filter inbound acl name Pre-Auth-ACL
 dot1x domain dot1xauth
 dot1x enable
 dot1x max-user 1
 dot1x port-method port
 dot1x reauthenticate
 dot1x authentication-method eap

[HUAWEI-GigabitEthernet0/0/2]dis access-user user 106

Basic:
User ID : 106
User name : host/AMTTEST2.test.com
Domain-name : dot1xauth
User MAC : 7054-d2c4-3fcb
User IP address : 10.3.5.42
User vpn-instance : -
User IPv6 address : -
User access Interface : GigabitEthernet0/0/2
User vlan event : Success
QinQVlan/UserVlan : 0/5
User vlan source : server vlan
User access time : 2019/04/05 10:06:10 DST
User accounting session ID : HUAWEI00002000000005527625000006a
Option82 information : -
User access type : 802.1x
Terminal Device Type : Data Terminal
Dynamic VLAN ID : 5
Dynamic ACL number(Effective) : 3001
Session Timeout : 3600(s), Remaining: 3596(s)
Termination Action : RE-AUTHENTICATION

AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
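The two ACLs in the config above behave very differently for internet-bound traffic: the Pre-Auth-ACL permits only destinations matching 10.3.0.0 with the inverse wildcard 0.0.255.255 and then denies everything, while ACL 3001 permits all IP. The script below is an added example, not from the post or from Huawei: it parses the two ACL bodies exactly as written in the config (constructed inline from those lines), implements Huawei-style first-match rule evaluation with inverse wildcard masks, and shows which ACL lets a given destination through. The default action for traffic matching no rule is a parameter; it is set to permit here, which is consistent with the explicit "rule 20 deny ip" the author needed at the end of the Pre-Auth-ACL, but verify the default for your platform and ACL type.

```python
"""Evaluate destinations against the ACLs shown in the post (added example)."""
import ipaddress

# Constructed from the ACL lines in the switch config above.
PRE_AUTH_ACL = """
acl name Pre-Auth-ACL 3999
 rule 10 permit ip destination 10.3.0.0 0.0.255.255
 rule 20 deny ip
"""
ACL_3001 = """
acl number 3001
 rule 10 permit ip
"""


def _wildcard_match(addr, base, wildcard):
    """Huawei/Cisco inverse wildcard: set bits in the mask are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acl(text):
    """Return [(rule_id, action, (dst_base, dst_wildcard) | None)] sorted by rule id.

    Only the 'rule <id> permit|deny ip [destination A W]' shape used in the
    config is handled; other rule forms raise so they are not silently ignored."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] != "rule":
            continue                      # 'acl name ...' / 'acl number ...' header
        if len(parts) < 4 or parts[3] != "ip" or parts[2] not in ("permit", "deny"):
            raise ValueError("unsupported rule: %r" % line)
        dst = None
        if len(parts) > 4:
            if parts[4] != "destination" or len(parts) != 7:
                raise ValueError("unsupported rule: %r" % line)
            dst = (parts[5], parts[6])
        rules.append((int(parts[1]), parts[2], dst))
    return sorted(rules)


def evaluate(rules, dst_ip, default_action="permit"):
    """First matching rule wins; default_action applies when nothing matches."""
    for _, action, dst in rules:
        if dst is None or _wildcard_match(dst_ip, *dst):
            return action
    return default_action


def compare(dst_ip):
    """Decision under the port's Pre-Auth-ACL versus the RADIUS-announced ACL 3001."""
    return {
        "pre-auth": evaluate(parse_acl(PRE_AUTH_ACL), dst_ip),
        "acl-3001": evaluate(parse_acl(ACL_3001), dst_ip),
    }


if __name__ == "__main__":
    for ip in ("10.3.5.42", "10.2.3.3", "8.8.8.8"):
        print(ip, compare(ip))
```

Running it shows that a host reaching the internet at all is only possible while ACL 3001 is the one in effect; if the destination is still denied after authentication, the port is still being filtered by the Pre-Auth-ACL rather than the dynamic ACL the display output reports as effective.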

BangorUni, created Apr 5, 2019 09:27:02

NPS
