802.1x functionality on Sx7xx switches : How to authenticate specific users on an interface

Latest reply: Jul 1, 2014 03:23:18

Hello everyone,

I want to present a quite interesting scenario that you might find helpful sometime.

What if we want to use 802.1x authentication with a RADIUS server to authenticate more users on an interface?

Ohh, yes. This is not that hard because we can configure 802.1x based on MAC address and authenticate all users of the interface.

What if we want to authenticate just some users of the interface and let the others access our network without any restrictions because they are our really good friends? How can we do this on our switches?

To explain our proposed solution I will take as reference the picture below:

[Picture: the computer and the phone connected to the same switch interface]
As you can see, they are both connected to the same interface, so what can we do?

First we have to configure the interface as hybrid to allow both tagged and untagged packets. We also have to enable the voice VLAN function on the interface and configure the VLAN in question.

After this we remember that the device can manage users through domains. In this case, we can configure two domains: one for users that will need RADIUS authentication, which we will name the radius4you domain, and one for users that won't need authentication, which we will call the noauth4phone domain.

For this, in the AAA view we will create the domains I have just specified and set a RADIUS authentication scheme for one and no authentication for the lucky one.

After we configure the interface, create the domains and the RADIUS server template (check the HedEx) we should enable and configure dot1x authentication in the system and interface views.

As a result the switch authenticates the computer with the RADIUS server according to the radius4you domain configured.

Since we don't want to authenticate the phone, we tried to trick the switch with the dot1x mac-bypass command. Because we used this command, when the switch tries to authenticate the phone and the dot1x authentication fails, the switch will use the MAC address of the phone for authentication. Since we created a MAC authentication domain where no authentication is necessary, when the dot1x authentication fails, the devices that have the MAC address specified in the mac-authen domain won't be authenticated at all.


The configuration example:

System view:

#
voice-vlan mac-address 04c5-a44c-98b1 mask ffff-ffff-ffff description phone     // specifies the OUI address of voice packets that can be transmitted in the voice VLAN
#
domain radius4you
#
dot1x enable                                 // enables dot1x in the system view
dot1x timer reauthenticate-period 100        // sets the re-authentication interval for 802.1x authentication
mac-authen enable                            // enables MAC address authentication
mac-authen domain noauth4phone mac-address 04c5-a44c-98b1 mask ffff-ffff-ffff      // configures an authentication domain for MAC address authentication users
#


AAA view:

#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authentication-scheme noauth
  authentication-mode none
 accounting-scheme default
  accounting start-fail online
 domain default
 domain default_admin
 domain radius4you
  authentication-scheme radius
  radius-server acs
 domain noauth4phone                // creates the noauth4phone domain in the AAA view
  authentication-scheme noauth      // applies the noauth authentication scheme to the noauth4phone domain


Interface view:

#
interface Ethernet5/0/20
 voice-vlan 184 enable             // configures and enables voice VLAN 184
 voice-vlan mode manual
 voice-vlan legacy enable          // enables the CDP-compatible voice VLAN function
 port hybrid pvid vlan 183
 port hybrid tagged vlan 184
 port hybrid untagged vlan 183
 stp disable
 bpdu bridge enable
 dot1x mac-bypass                  // once 802.1x authentication fails, the device uses the MAC address for authentication
#


I hope this example is helpful if you want to configure this scenario in the future. Thank you 

Sophoni
Created Jul 1, 2014 03:20:26
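As an added example (not code from the original post or from the switch vendor), this Python script audits a VRP-style configuration text for the mechanism the post relies on: it follows each mac-authen domain rule to its AAA domain and authentication scheme, reports whether that scheme is none (the device is admitted with no credential check at all) and how many MAC addresses the mask actually covers. The same check applies to the configuration file in the replies below; the sample text and the one-space-per-level indentation are assumptions constructed for the example.

```python
import re

# Constructed sample: the relevant lines of the post's Sx7xx configuration, in the
# one-space-per-level indentation VRP shows in a configuration (assumed here).
SAMPLE_CONFIG = """\
dot1x enable
mac-authen enable
mac-authen domain noauth4phone mac-address 04c5-a44c-98b1 mask ffff-ffff-ffff
aaa
 authentication-scheme radius
  authentication-mode radius
 authentication-scheme noauth
  authentication-mode none
 domain radius4you
  authentication-scheme radius
 domain noauth4phone
  authentication-scheme noauth
"""

MAC_DOMAIN = re.compile(r"^mac-authen domain (\S+) mac-address ([0-9a-f]{4}(?:-[0-9a-f]{4}){2})"
                        r" mask ([0-9a-f]{4}(?:-[0-9a-f]{4}){2})", re.I | re.M)

def parse_aaa(config):
    """Map scheme -> authentication-mode and domain -> scheme from the aaa view."""
    modes, domain_scheme, scheme, domain = {}, {}, None, None
    for line in config.splitlines():
        depth, words = len(line) - len(line.lstrip(" ")), line.split()
        if not words:
            continue
        if depth == 1 and words[0] == "authentication-scheme":   # scheme definition
            scheme, domain = words[1], None
        elif depth == 1 and words[0] == "domain":                 # domain definition
            domain, scheme = words[1], None
        elif depth == 2 and words[0] == "authentication-mode" and scheme:
            modes[scheme] = words[1]
        elif depth == 2 and words[0] == "authentication-scheme" and domain:
            domain_scheme[domain] = words[1]
    return modes, domain_scheme

def audit(config):
    """One finding per mac-authen domain rule: MACs covered and whether auth is skipped."""
    modes, domain_scheme = parse_aaa(config)
    findings = []
    for m in MAC_DOMAIN.finditer(config):
        domain, mac, mask = m.group(1), m.group(2), m.group(3)
        # Bits the mask leaves open: 0 means the rule matches exactly one MAC address.
        open_bits = 48 - bin(int(mask.replace("-", ""), 16)).count("1")
        mode = modes.get(domain_scheme.get(domain, ""), "unknown")
        findings.append({"mac": mac, "domain": domain, "mode": mode,
                         "hosts": 2 ** open_bits, "bypass": mode == "none"})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Anything reported as a bypass is trusted on the strength of its MAC address alone, so the list should stay short and the mask full (ffff-ffff-ffff); a wider mask admits every address in the range.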
Sophoni
Created Jul 1, 2014 03:22:59

Example for Configuring 802.1x Authentication

Networking Requirements

As shown in Figure 1, many users on a company access network through GE0/0/1 of the Switch (used as an access device). After the network operates for a period of time, attacks are detected. The administrator must control network access rights of user terminals to ensure network security. The Switch allows user terminals to access Internet resources only after they are authenticated.

Figure 1 Networking diagram for configuring 802.1x authentication
[Figure 1 image]

Configuration Roadmap

To control the network access permission of users, the administrator can configure 802.1x authentication on the Switch after the server with the IP address 192.168.2.30 is used as the RADIUS server.

The configuration roadmap is as follows:

  1. Configure the LAN switch to transparently transmit the EAP packets used for 802.1x authentication to the Switch.
  2. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain on the Switch. Bind the RADIUS server template and the AAA scheme to the ISP domain. The Switch can then exchange information with the RADIUS server.
  3. Configure 802.1x authentication on the Switch.
    1. Enable 802.1x authentication globally and on the interface.
    2. Enable MAC address bypass authentication to authenticate terminals (such as printers) that cannot install 802.1x authentication client software.
    3. A maximum of 200 802.1x authentication users are allowed to access an interface, preventing excessive concurrent access users.
    4. Set the maximum number of times that an authentication request packet is sent to a user to 3 to avoid repeated authentication.
    5. Configure VLAN100 as the guest VLAN so that users can access resources in the guest VLAN without authentication.
NOTE:

By default, 802.1x authentication can be triggered through ARP packets. To configure triggering of 802.1x authentication through DHCP packets, run the dot1x dhcp-trigger command in the system view.

Procedure

  1. Configure the LAN switch to transparently transmit the EAP packets used for 802.1x authentication. In this example, the LAN switch is an S5700. The configurations on the LAN switches of other models are the same as that on the S5700.

    # Configure the LAN switch to transparently transmit the EAP packets.

    <LAN Switch> system-view
    [LAN Switch] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002

    # Enable the Layer 2 protocol transparent transmission function on the interface connecting to users and the interface connecting to the Switch. In this example, the interface connecting to users is GE0/0/1. Only the configuration on GE0/0/1 is provided here, and the configurations on other interfaces are the same.

    [LAN Switch] interface gigabitethernet 0/0/1
    [LAN Switch-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1x enable
    [LAN Switch-GigabitEthernet0/0/1] bpdu enable

    NOTE:

    The preceding step is performed on the LAN switch, and all the following steps are performed on the Switch.

  2. Create VLANs and configure the VLAN allowed by the interface to ensure network communication.

    # Create VLAN 10 and VLAN 20.

    <HUAWEI> system-view
    [HUAWEI] vlan batch 10 20

    # On the Switch, set GE0/0/1 connecting to users as a hybrid interface, and add GE0/0/1 to VLAN 10.

    [HUAWEI] interface gigabitethernet 0/0/1
    [HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
    [HUAWEI-GigabitEthernet0/0/1] port hybrid tagged vlan 10
    [HUAWEI-GigabitEthernet0/0/1] quit

    NOTE:

    Configure the interface type and VLANs according to the actual situation. In this example, users are added to VLAN 10.

    # On the Switch, set GE0/0/2 connecting to the RADIUS server as an access interface, and add GE0/0/2 to VLAN 20.

    [HUAWEI] interface gigabitethernet 0/0/2
    [HUAWEI-GigabitEthernet0/0/2] port link-type access
    [HUAWEI-GigabitEthernet0/0/2] port default vlan 20
    [HUAWEI-GigabitEthernet0/0/2] quit

    # Create VLANIF10 and VLANIF20 and assign IP addresses to the VLANIF interfaces so that user terminals, Switch, and internal devices on the enterprise network can set up routes. In this example, the IP address of VLANIF10 is 192.168.1.20/24 and the IP address of VLANIF20 is 192.168.2.29/24.

    [HUAWEI] interface vlanif 10
    [HUAWEI-Vlanif10] ip address 192.168.1.20 24
    [HUAWEI-Vlanif10] quit
    [HUAWEI] interface vlanif 20
    [HUAWEI-Vlanif20] ip address 192.168.2.29 24
    [HUAWEI-Vlanif20] quit

  3. Create and configure a RADIUS server template, an AAA scheme, and an authentication domain.

    # Create and configure RADIUS server template rd1.

    [HUAWEI] radius-server template rd1
    [HUAWEI-radius-rd1] radius-server authentication 192.168.2.30 1812
    [HUAWEI-radius-rd1] radius-server shared-key cipher hello
    [HUAWEI-radius-rd1] radius-server retransmit 2
    [HUAWEI-radius-rd1] quit

    # Create AAA scheme abc and set the authentication mode to RADIUS.

    [HUAWEI] aaa
    [HUAWEI-aaa] authentication-scheme abc
    [HUAWEI-aaa-authen-abc] authentication-mode radius
    [HUAWEI-aaa-authen-abc] quit

    # Create authentication domain isp1, and bind AAA scheme abc and RADIUS server template rd1 to authentication domain isp1.

    [HUAWEI-aaa] domain isp1
    [HUAWEI-aaa-domain-isp1] authentication-scheme abc
    [HUAWEI-aaa-domain-isp1] radius-server rd1
    [HUAWEI-aaa-domain-isp1] quit
    [HUAWEI-aaa] quit

    # Configure the default domain isp1 in the system view. When a user enters the user name in the format of user@isp1, the user is authenticated in the authentication domain isp1. If the user name does not carry the domain name or carries a nonexistent domain name, the user is authenticated in the default domain.

    [HUAWEI] domain isp1

  4. Configure 802.1x authentication.

    # Enable 802.1x authentication globally and on an interface.

    [HUAWEI] dot1x enable
    [HUAWEI] interface gigabitethernet 0/0/1
    [HUAWEI-GigabitEthernet0/0/1] dot1x enable

    # Configure MAC address bypass authentication.

    [HUAWEI-GigabitEthernet0/0/1] dot1x mac-bypass

    # Set the maximum number of concurrent access users for 802.1x authentication on an interface to 200.

    [HUAWEI-GigabitEthernet0/0/1] dot1x max-user 200
    [HUAWEI-GigabitEthernet0/0/1] quit

    # Set the maximum number of times that an authentication request packet is sent to the user to 3.

    [HUAWEI] dot1x retry 3

    # Configure VLAN100 as the guest VLAN in 802.1x authentication.

    [HUAWEI] vlan batch 100
    [HUAWEI] authentication guest-vlan 100 interface gigabitethernet 0/0/1


Sophoni
Created Jul 1, 2014 03:23:18

  • View the 802.1x configuration.

    <HUAWEI> display dot1x interface gigabitethernet 0/0/1
    GigabitEthernet0/0/1 status: UP
      802.1x protocol is Enabled[mac-bypass]
      Port control type is Auto
      Authentication mode is MAC-based
      Authentication method is CHAP
      Reauthentication is disabled
      Maximum users: 200
      Current users: 0
      Guest VLAN 100 is not effective
      Critical VLAN is disabled
      Restrict VLAN is disabled
      Authentication Success: 0          Failure: 0
      EAPOL Packets: TX     : 0          RX     : 0
      Sent      EAPOL Request/Identity Packets  : 0
                EAPOL Request/Challenge Packets : 0
                Multicast Trigger Packets       : 0
                EAPOL Success Packets           : 0
                EAPOL Failure Packets           : 0
      Received  EAPOL Start Packets             : 0
                EAPOL Logoff Packets            : 0
                EAPOL Response/Identity Packets : 0
                EAPOL Response/Challenge Packets: 0

  • Configuration Files

    # Configuration file of the LAN Switch

    #
    l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
    #
    interface GigabitEthernet0/0/1
     l2protocol-tunnel user-defined-protocol 802.1x enable
    #
    return

    # Configuration file of the Switch

    #
    vlan batch 10 20 100
    #
    domain isp1
    #
    dot1x enable
    dot1x retry 3
    #
    radius-server template rd1
     radius-server shared-key cipher %@%@lrWRXXUmJ/5W\uBqID/6EULC%@%@
     radius-server authentication 192.168.2.30 1812 weight 80
     radius-server retransmit 2
    #
    aaa
     authentication-scheme abc
      authentication-mode radius
     domain isp1
      authentication-scheme abc
      radius-server rd1
    #
    interface Vlanif10
     ip address 192.168.1.20 255.255.255.0
    #
    interface Vlanif20
     ip address 192.168.2.29 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port hybrid tagged vlan 10
     dot1x mac-bypass
     dot1x max-user 200
     authentication guest-vlan 100
    #
    interface GigabitEthernet0/0/2
     port link-type access
     port default vlan 20
    #
    return