Example for Configuring 802.1x Authentication to Control Access of Wired Terminals (Authentication Point on Aggregation Switch)(V200R008C00)

Created Mar 23, 2017 11:29:12. Latest reply Mar 23, 2017 15:55:23.

 

802.1x Authentication Overview

802.1x is a port-based network access control protocol and 802.1x authentication is one of NAC authentication modes. 802.1x authentication ensures security of enterprise intranets.

802.1x authentication ensures high security; however, it requires that 802.1x client software be installed on user terminals, resulting in inflexible network deployment. Another two NAC authentication modes have their advantages and disadvantages: MAC address authentication does not require client software installation, but MAC addresses must be registered on an authentication server. Portal authentication also does not require client software installation and provides flexible deployment, but it has low security.

As a result, 802.1x authentication is applied to scenarios with new networks, centralized user distribution, and strict information security requirements.

Configuration Notes

- The Cisco Identity Services Engine (ISE) version 2.0.0.306 functions as the RADIUS server in this example.

- Currently, the device supports CHAP, PAP, EAP-PEAP, EAP-FAST, EAP-TLS, and EAP-MD5 authentication modes for 802.1x clients.

- The RADIUS authentication and accounting shared keys on the switch must be the same as those on the ISE.

- By default, the switch allows packets from the RADIUS server to pass, so you do not need to configure authentication-free rules for the server on the switch.

Networking Requirements

Enterprises have high requirements on network security. To prevent unauthorized access and protect information security, an enterprise requests users to pass identity authentication and security check before they access the enterprise network. Only authorized users are allowed to access the enterprise network. To reduce network reconstruction investment, you are advised to configure the 802.1x authentication function on the aggregation switch and connect a single centralized authentication server to the aggregation switch in bypass mode.

Figure 1-1 Networking diagram for configuring 802.1x authentication to control internal user access


Data Plan

Table 1-1 Network data plan

Item                              | Data
----------------------------------|------------------------------------------------------------
ISE                               | IP address: 192.168.100.100
Post-authentication domain server | IP address: 192.168.102.100
Aggregation switch (SwitchA)      | VLAN to which GE0/0/6 (connected to the server) belongs: VLAN 100
                                  | VLAN to which downstream interfaces GE0/0/1 and GE0/0/2 belong: VLAN 200
Access switch (SwitchC)           | User VLAN ID: 200
Access switch (SwitchD)           | User VLAN ID: 200

Table 1-2 Aggregation switch service data plan

Item                                         | Data
---------------------------------------------|--------------------------------------------------
RADIUS scheme                                | Authentication server IP address: 192.168.100.100
                                             | Authentication server port number: 1812
                                             | Accounting server IP address: 192.168.100.100
                                             | Accounting server port number: 1813
                                             | Shared key for the RADIUS server: Huawei@2014
                                             | Accounting interval: 15 minutes
                                             | Authentication domain: isp
ACL number of the post-authentication domain | 3002

Table 1-3 ISE service data plan

Item                      | Data
--------------------------|---------------------------
Department                | RD department
Access user               | Access account: A-123
                          | Password: Huawei123
Device group              | Wired device group: Switch
Switch IP address         | SwitchA: 192.168.10.10
RADIUS authentication key | Huawei@2014
RADIUS accounting key     | Huawei@2014

Configuration Roadmap

1. Configure the aggregation switch, including the VLANs that the interfaces belong to, the parameters for connecting to the RADIUS server, NAC authentication, and the access rights of the post-authentication domain.

   Note: Ensure that routes between the access switches (SwitchC and SwitchD), the aggregation switch (SwitchA), and the ISE are reachable.

2. Configure the access switches, including the VLANs and 802.1x transparent transmission.

3. Configure the ISE:

   a. Log in to the ISE.

   b. Add an account to the ISE.

   c. Add switches to the ISE.

   d. Configure authentication rules, authorization results, and authorization rules on the ISE.

Procedure

Step 1 Configure the aggregation switch.

1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200
[SwitchA] interface gigabitethernet 0/0/1    
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2    
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/6    
[SwitchA-GigabitEthernet0/0/6] port link-type trunk
[SwitchA-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/6] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 192.168.10.10 24    
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 192.168.200.1 24    
[SwitchA-Vlanif200] quit
[SwitchA] ip route-static 192.168.100.0 255.255.255.0 192.168.10.11    
[SwitchA] ip route-static 192.168.102.0 255.255.255.0 192.168.10.11   

2. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.

# Create and configure the RADIUS server template rd1.

[SwitchA] radius-server template rd1
[SwitchA-radius-rd1] radius-server authentication 192.168.100.100 1812
[SwitchA-radius-rd1] radius-server accounting 192.168.100.100 1813
[SwitchA-radius-rd1] radius-server shared-key cipher Huawei@2014
[SwitchA-radius-rd1] quit

# Create an AAA authentication scheme abc and set the authentication mode to RADIUS.

[SwitchA] aaa
[SwitchA-aaa] authentication-scheme abc
[SwitchA-aaa-authen-abc] authentication-mode radius
[SwitchA-aaa-authen-abc] quit

# Configure an accounting scheme acco1. Set the accounting mode to RADIUS so that the RADIUS server can maintain account status, such as login, log-off and forced log-off.

[SwitchA-aaa] accounting-scheme acco1
[SwitchA-aaa-accounting-acco1] accounting-mode radius
[SwitchA-aaa-accounting-acco1] accounting realtime 15    
[SwitchA-aaa-accounting-acco1] quit

# Create an authentication domain isp, and bind the AAA authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.

[SwitchA-aaa] domain isp
[SwitchA-aaa-domain-isp] authentication-scheme abc
[SwitchA-aaa-domain-isp] accounting-scheme acco1
[SwitchA-aaa-domain-isp] radius-server rd1
[SwitchA-aaa-domain-isp] quit
[SwitchA-aaa] quit

# Configure the global default domain isp. During access authentication, enter a user name in the format user@isp to perform AAA authentication in the domain isp. If the user name does not contain a domain name or contains an invalid domain name, the user is authenticated in the default domain.

[SwitchA] domain isp

3. Enable 802.1x authentication.

# Set the NAC mode to unified.

[SwitchA] authentication unified-mode

Note: By default, the unified mode is enabled. After the NAC mode is changed, save the configuration and restart the device for the change to take effect.

# Enable 802.1x authentication on GE0/0/1 and GE0/0/2.

[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] authentication dot1x
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] authentication dot1x
[SwitchA-GigabitEthernet0/0/2] quit

4. Configure ACL 3002 for the post-authentication domain.

[SwitchA] acl 3002
[SwitchA-acl-adv-3002] description 3002.in   
[SwitchA-acl-adv-3002] rule 1 permit ip destination 192.168.102.100 0
[SwitchA-acl-adv-3002] rule 2 deny ip destination any
[SwitchA-acl-adv-3002] quit

Step 2 Configure the access switches.

1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded. This example uses SwitchC to describe the configuration. The configuration on SwitchD is the same as that on SwitchC.

# Create VLAN 200.

<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 200

# Configure the interface connected to users as an access interface and add the interface to VLAN 200.

[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type access
[SwitchC-GigabitEthernet0/0/1] port default vlan 200  
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type access
[SwitchC-GigabitEthernet0/0/2] port default vlan 200
[SwitchC-GigabitEthernet0/0/2] quit

# Configure the interface connected to the upstream network as a trunk interface and configure the interface to allow VLAN 200.

[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] port link-type trunk
[SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 200
[SwitchC-GigabitEthernet0/0/3] quit

2. Configure the device to transparently transmit 802.1x packets. This example uses SwitchC to describe the configuration. The configuration on SwitchD is the same as that on SwitchC.

Note: In this example, SwitchC and SwitchD are deployed between the authentication switch SwitchA and users. EAP packet transparent transmission needs to be configured on SwitchC and SwitchD so that SwitchA can perform 802.1x authentication for users.

Method 1: The S5720EI, S5720HI, and S6720EI do not support this method.

[SwitchC] l2protocol-tunnel user-defined-protocol 802.1X protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/1] bpdu enable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/2] bpdu enable
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/3] bpdu enable
[SwitchC-GigabitEthernet0/0/3] quit

Method 2: Only the S5720EI, S5720HI, and S6720EI support this method.

[SwitchC] undo bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFF0
[SwitchC] bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
[SwitchC] bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
[SwitchC] bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
[SwitchC] bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
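Method 2 replaces the single 0180-c200-0000/FFFF-FFFF-FFF0 BPDU entry with four narrower entries. The following Python script, added here and not part of the original post, enumerates what each entry matches and shows that only 0180-c200-0003 (the 802.1X protocol-mac used in Method 1) is left out of the BPDU set, which is what lets SwitchC forward EAPOL frames to SwitchA instead of handling them as BPDUs.

```python
# Added example (not from the original post): evaluate the Method 2 bpdu
# mac-address entries over the 0180-c200-0000/FFFF-FFFF-FFF0 range that the
# undo command removes, to find which address is no longer treated as a BPDU.

def mac_to_int(mac):
    """Parse a VRP-style MAC such as 0180-c200-0003 into an integer."""
    return int(mac.replace("-", ""), 16)

def int_to_mac(value):
    """Format an integer as a VRP-style MAC (xxxx-xxxx-xxxx, lower case)."""
    hexstr = f"{value:012x}"
    return f"{hexstr[0:4]}-{hexstr[4:8]}-{hexstr[8:12]}"

def matches(mac, base, mask):
    """True if mac falls in the (base, mask) entry: bits set in mask must equal base."""
    m = mac_to_int(mask)
    return (mac_to_int(mac) & m) == (mac_to_int(base) & m)

# The four entries added by Method 2 on this page.
METHOD2_ENTRIES = [
    ("0180-c200-0000", "FFFF-FFFF-FFFE"),
    ("0180-c200-0002", "FFFF-FFFF-FFFF"),
    ("0180-c200-0004", "FFFF-FFFF-FFFC"),
    ("0180-c200-0008", "FFFF-FFFF-FFF8"),
]

def addresses_in(base, mask):
    """Enumerate the MACs covered by (base, mask). All masks on this page clear
    only trailing bits, so the covered addresses form one contiguous block."""
    m, b = mac_to_int(mask), mac_to_int(base)
    span = (~m) & 0xFFFFFFFFFFFF          # bit pattern of the free (unmasked) bits
    assert (span + 1) & span == 0, "mask must clear only trailing bits"
    start = b & m
    return [int_to_mac(start + i) for i in range(span + 1)]

def uncovered(entries, base="0180-c200-0000", mask="FFFF-FFFF-FFF0"):
    """Addresses of the removed range that none of the given entries matches."""
    return [mac for mac in addresses_in(base, mask)
            if not any(matches(mac, b, m) for b, m in entries)]

if __name__ == "__main__":
    for b, m in METHOD2_ENTRIES:
        print(f"bpdu mac-address {b} {m} -> {addresses_in(b, m)}")
    # Only 0180-c200-0003, the EAPOL destination used by 802.1x (see the
    # protocol-mac value in Method 1), should be left out of the BPDU set.
    print("no longer a BPDU:", uncovered(METHOD2_ENTRIES))
```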

Step 3 Configure the ISE.

1. Log in to the ISE.

a. Open Internet Explorer, enter the ISE address in the address box, and press Enter.

The following table describes the address for accessing the ISE.

Address Format | Description
---------------|----------------------------------
https://ISE-IP | ISE-IP indicates the ISE address.

b. Enter the configured user name and password to log in to the Cisco ISE.

2. Create a department and account.

a. Choose Administration > Identity Management > Groups. In the navigation area on the left, choose User Identity Groups. Click the Add tab in the operation area on the right, and add the department RD.

b. Choose Administration > Identity Management > Identities. In the navigation area on the left, choose Users. Click the Add tab in the operation area on the right, create an account A-123 with the password Huawei123, and add user A to the RD department.

3. Add a switch to the ISE and configure related parameters to ensure normal communication between the ISE and the switch.

a. In the top navigation area, choose Administration > Network Resources > Network Device Profiles, and click the Add tab. Create the access device profile HUAWEI, set Vendor to Other, and select RADIUS under Supported Protocols.

b. Configure Authentication/Authorization and Permissions according to the following figures. After completing the configuration, click Submit.

c. Choose Administration > Network Resources > Network Devices. Click Add in the operation area on the right, add the access device SwitchA, and configure its parameters according to the following table. After completing the configuration, click Submit.

Parameter         | Value         | Description
------------------|---------------|------------------------------------------------------------------------------------------------
Name              | SwitchA       | -
IP Address        | 192.168.10.10 | The switch interface with this address must be able to communicate with the ISE.
RADIUS shared key | Huawei@2014   | Must be the same as the RADIUS authentication key and RADIUS accounting key configured on the switch.

4. Configure the password authentication protocol.

In the top navigation area, choose Policy > Policy Elements > Results. In the navigation area on the left, choose Authentication > Allowed Protocols. Click Add in the operation area on the right.

Note: The ISE provides the default authentication protocol profile Default Network Access. If the profile meets actual requirements, you do not need to create a profile.

Create the protocol profile Authentication for user authentication. Select proper authentication protocols based on actual requirements. After completing the configuration, click Submit.

5. Configure the authentication policy.

a. Choose Policy > Authentication. Authentication policies are classified into simple and rule-based authentication policies. A simple authentication policy is used in this example.

b. Click the Network Access Service drop-down list box. The Network Access Services dialog box is displayed. Click Allowed Protocols and choose Authentication.

6. Add an authorization rule.

a. In the top navigation area, choose Policy > Authorization. Click the triangle next to the first authentication policy and choose Insert New Rule Above.

b. Add an authorization result and bind an authorization rule to the authorization result.

c. Click the Save tab on the right. Click Done.

Step 4 Verify the configuration.

- Before passing authentication, an employee can access only the ISE.

- After passing authentication, the employee can access resources in the post-authentication domain.

- After the employee passes authentication, run the display access-user command on the switch. The command output shows information about the online employee.
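Beyond checking a single online user, a defender usually wants to confirm that the saved configuration still matches the data plan (RADIUS server and ports, 802.1x on both downstream interfaces, and an ACL that permits only the post-authentication server). The following Python audit, added here and not part of the original post, parses a constructed excerpt of the SwitchA configuration file in VRP format and reports deviations; in the sample, GE0/0/2 is deliberately missing authentication dot1x so the audit has something to flag.

```python
import re

# Constructed excerpt modelled on the SwitchA configuration file on this page.
# GE0/0/2 deliberately lacks "authentication dot1x" so the audit produces a finding.
SWITCHA_CONFIG = """\
#
radius-server template rd1
 radius-server authentication 192.168.100.100 1812 weight 80
 radius-server accounting 192.168.100.100 1813 weight 80
#
acl number 3002
 rule 1 permit ip destination 192.168.102.100 0
 rule 2 deny ip
#
interface GigabitEthernet0/0/1
 port link-type trunk
 authentication dot1x
#
interface GigabitEthernet0/0/2
 port link-type trunk
#
"""

def sections(config):
    """Split a VRP configuration into blocks separated by lines holding only '#'."""
    blocks, cur = [], []
    for line in config.splitlines():
        if line.strip() == "#":
            if cur:
                blocks.append(cur)
            cur = []
        elif line.strip():
            cur.append(line.strip())
    return blocks + ([cur] if cur else [])

def audit(config, access_ifaces, radius_ip, acl_id, allowed_dst):
    """Compare a configuration with the data plan; an empty list means no deviations."""
    findings = []
    for blk in sections(config):
        head, body = blk[0], blk[1:]
        if head.startswith("interface "):
            name = head.split()[1]
            if name in access_ifaces and "authentication dot1x" not in body:
                findings.append(f"{name}: authentication dot1x missing")
        elif head.startswith("radius-server template"):
            for kind, port in (("authentication", "1812"), ("accounting", "1813")):
                want = f"radius-server {kind} {radius_ip} {port}"
                if not any(l == want or l.startswith(want + " ") for l in body):
                    findings.append(f"{head}: {want} not configured")
        elif head == f"acl number {acl_id}":
            # every permit must target only the post-authentication server, exact match
            for rule in (l for l in body if re.match(r"rule \d+ permit ", l)):
                if not re.fullmatch(rf"rule \d+ permit ip destination {re.escape(allowed_dst)} 0", rule):
                    findings.append(f"ACL {acl_id}: unexpected permit rule '{rule}'")
            if not body or not re.match(r"rule \d+ deny ip", body[-1]):
                findings.append(f"ACL {acl_id}: last rule is not a deny")
    return findings
```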

----End

Configuration Files

- SwitchA Configuration File

#
sysname SwitchA
#
vlan batch 100 200
#
domain isp
#
radius-server template rd1
 radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
 radius-server authentication 192.168.100.100 1812 weight 80
 radius-server accounting 192.168.100.100 1813 weight 80
#
acl number 3002
 description 3002.in
 rule 1 permit ip destination 192.168.102.100 0
 rule 2 deny ip
#
aaa
 authentication-scheme abc
  authentication-mode radius
 accounting-scheme acco1
  accounting-mode radius
  accounting realtime 15
 domain isp
  authentication-scheme abc
  accounting-scheme acco1
  radius-server rd1
#
interface Vlanif100
 ip address 192.168.10.10 255.255.255.0
#
interface Vlanif200
 ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 200
 authentication dot1x
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 200
 authentication dot1x
#
interface GigabitEthernet0/0/6
 port link-type trunk
 port trunk allow-pass vlan 100
#
ip route-static 192.168.100.0 255.255.255.0 192.168.10.11
ip route-static 192.168.102.0 255.255.255.0 192.168.10.11
#
return

- SwitchC Configuration File

#
sysname SwitchC
#
vlan batch 200
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 200
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 200
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 200
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
return

This post was last edited by 交换机在江湖 at 2017-5-31 17:10.
user_2790689 (Expert), Mar 23, 2017 15:55:23:

good
