Example for Configuring 802.1x and MAC Address Authentication to Control Internal User Access to the Enterprise Network

Created: Mar 23, 2017 10:59:51 | Latest reply: Mar 23, 2017 15:53:13


Example for Configuring 802.1x and MAC Address Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Access Switch)(V200R005 to V200R008)

Overview

802.1x authentication and MAC address authentication are two methods of Network Admission Control (NAC). 802.1x authentication is implemented based on interfaces, and MAC address authentication is implemented based on interfaces and MAC addresses. Both methods help protect the security of enterprise networks.

802.1x authentication is more secure than MAC address authentication; however, it requires 802.1x client software to be installed on all user terminals, which reduces networking flexibility. 802.1x authentication is applicable to networks requiring high information security.

MAC address authentication does not require 802.1x client software, but the user terminals' MAC addresses must be registered on the authentication server, which makes network configuration and management complex. MAC address authentication is applicable to dumb terminals such as printers and fax machines.

Configuration Notes

This example applies to all S series switches.


To know details about software mappings, see Version Mapping Search for Huawei Campus Switches.

Huawei's Agile Controller-Campus V100R001 functions as the RADIUS server in this example. The example applies to Agile Controller-Campus V100R001, V100R002, and V100R003.

The RADIUS authentication and accounting shared keys and Portal shared key on the switch must be the same as those on the Agile Controller-Campus server.

By default, the switch allows packets from the RADIUS server to pass, so you do not need to configure authentication-free rules for the server on the switch.

Networking Requirements

Enterprises have high requirements on network security. To prevent unauthorized access and protect information security, an enterprise requires users to pass identity authentication and a security check before they access the enterprise network. Only authorized users are allowed to access the enterprise network.

In addition, dumb terminals, such as IP phones and printers, can access the enterprise network only after passing authentication.

The enterprise network has the following characteristics:

- All access switches support 802.1x authentication.
- The enterprise network has a small size and does not have branch networks.
- The enterprise has no more than 1000 employees. A maximum of 2000 users, including guests, access the network every day.
- Dumb terminals, such as IP phones and printers, are connected to the enterprise network.

To provide high security for the network, you are advised to configure the 802.1x authentication function on access switches and connect a single centralized authentication server to the aggregation switch in bypass mode. MAC address authentication needs to be configured for dumb terminals.

Figure 1-1 Wired access networking diagram


Data Plan

Table 1-1 Network data plan

| Item | Data |
|---|---|
| Agile Controller-Campus | IP address: 192.168.100.100 |
| Post-authentication domain server | IP address: 192.168.102.100 |
| Aggregation switch (SwitchA) | Management IP address: 192.168.10.10 |
| Access switch (SwitchC) | User VLAN ID: 10; Management IP address: 192.168.30.30 |
| Access switch (SwitchD) | User VLAN ID: 20; Management IP address: 192.168.40.40 |

Table 1-2 Access switch service data plan

| Item | Data |
|---|---|
| RADIUS scheme | Authentication server IP address: 192.168.100.100; Authentication server port number: 1812; Accounting server IP address: 192.168.100.100; Accounting server port number: 1813; Shared key for the RADIUS server: Huawei@2014; Accounting interval: 15 minutes; Authentication domain: isp |
| ACL number of the post-authentication domain | 3002 |

Table 1-3 Agile Controller-Campus service data plan

| Item | Data |
|---|---|
| Department | R&D department |
| Access user | User name: A; Wired access account: A-123; Password: Huawei123 |
| Device group | Wired device group: Switch |
| Switch IP address | SwitchC: 192.168.30.30; SwitchD: 192.168.40.40 |
| RADIUS authentication key | Huawei@2014 |
| RADIUS accounting key | Huawei@2014 |

Configuration Roadmap

1. Configure the access switches, including the VLANs that interfaces belong to, the parameters for connecting to the RADIUS server, enabling NAC authentication, and access rights to the post-authentication domain.

   Ensure that routes between the access switches (SwitchC and SwitchD), the aggregation switch (SwitchA), and the Agile Controller-Campus server are reachable.

2. Configure the Agile Controller-Campus:

   a. Log in to the Agile Controller-Campus.
   b. Add an account to the Agile Controller-Campus.
   c. Add switches to the Agile Controller-Campus.
   d. Configure authentication rules, authorization results, and authorization rules on the Agile Controller-Campus.

Procedure

Step 1 Configure the access switches. This example uses SwitchC to describe the configuration. The domain configuration on SwitchD is the same as that on SwitchC.

1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.

<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 10
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type access
[SwitchC-GigabitEthernet0/0/1] port default vlan 10
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type access
[SwitchC-GigabitEthernet0/0/2] port default vlan 10
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] port link-type trunk
[SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[SwitchC-GigabitEthernet0/0/3] quit
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] ip address 192.168.30.30 24

2. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.

# Create and configure the RADIUS server template rd1.

[SwitchC] radius-server template rd1
[SwitchC-radius-rd1] radius-server authentication 192.168.100.100 1812
[SwitchC-radius-rd1] radius-server accounting 192.168.100.100 1813
[SwitchC-radius-rd1] radius-server shared-key cipher Huawei@2014
[SwitchC-radius-rd1] quit

# Create an AAA authentication scheme abc and set the authentication mode to RADIUS.

[SwitchC] aaa
[SwitchC-aaa] authentication-scheme abc
[SwitchC-aaa-authen-abc] authentication-mode radius
[SwitchC-aaa-authen-abc] quit

# Configure the accounting scheme acco1 and set the accounting mode to RADIUS.

[SwitchC-aaa] accounting-scheme acco1
[SwitchC-aaa-accounting-acco1] accounting-mode radius
[SwitchC-aaa-accounting-acco1] accounting realtime 15
[SwitchC-aaa-accounting-acco1] quit

# Create an authentication domain isp, and bind the AAA authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.

[SwitchC-aaa] domain isp
[SwitchC-aaa-domain-isp] authentication-scheme abc
[SwitchC-aaa-domain-isp] accounting-scheme acco1
[SwitchC-aaa-domain-isp] radius-server rd1
[SwitchC-aaa-domain-isp] quit
[SwitchC-aaa] quit

# Configure isp as the global default domain. During access authentication, enter a user name in the format user@isp to perform AAA authentication in the domain isp. If the user name does not contain a domain name or contains an invalid domain name, the user is authenticated in the default domain.

[SwitchC] domain isp

3. Enable 802.1x and MAC address authentication.

# Set the NAC mode to unified.

[SwitchC] authentication unified-mode

By default, the unified mode is enabled. After the NAC mode is changed, the device restarts automatically.

# Enable 802.1x authentication on GE0/0/1.

[SwitchC] interface gigabitEthernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] authentication dot1x
[SwitchC-GigabitEthernet0/0/1] quit

# Enable MAC address authentication on GE0/0/2.

[SwitchC] interface gigabitEthernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] authentication mac-authen
[SwitchC-GigabitEthernet0/0/2] mac-authen username fixed A-123 password cipher Huawei123
[SwitchC-GigabitEthernet0/0/2] quit
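The Configuration Notes state that the RADIUS shared key on the switch must equal the one on the Agile Controller-Campus, and step 3 makes the switch send the fixed credentials A-123/Huawei123 to that server for MAC authentication. The following Python example, added here and not taken from the page or from Huawei, models the RFC 2865 User-Password hiding that carries such a password and shows why a key mismatch fails: it assumes PAP-style transport and a fixed Request Authenticator instead of the random one a real client generates.

```python
import hashlib
import struct

# Values taken from the page's data plan; the secret must be identical on switch and controller.
SHARED_KEY = b"Huawei@2014"
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def obfuscate_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream, then drop the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """What the switch sends for MAC authentication with a fixed user name (PAP assumed)."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    hidden = obfuscate_password(password, secret, authenticator)
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def server_check(packet: bytes, secret: bytes, expected_password: bytes) -> bool:
    """Controller side: with a mismatched shared key the recovered password is
    garbage, so the request is rejected even though the account exists."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    authenticator, pos, hidden = packet[4:20], 20, b""
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == ATTR_USER_PASSWORD:
            hidden = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return reveal_password(hidden, secret, authenticator) == expected_password
```

A mismatch is silent on the wire: the controller simply answers Access-Reject, so comparing the key on both sides is the first check when MAC authentication with correct credentials fails.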

4. Configure ACL 3002 for the post-authentication domain.

[SwitchC] acl 3002
[SwitchC-acl-adv-3002] rule 1 permit ip destination 192.168.102.100 0
[SwitchC-acl-adv-3002] rule 2 deny ip destination any
[SwitchC-acl-adv-3002] quit

Step 2 Configure the Agile Controller-Campus.

1. Log in to the Agile Controller-Campus.

a. Open Internet Explorer, enter the Agile Controller-Campus address in the address box, and press Enter.

The following table provides the two types of Agile Controller-Campus addresses.

| Address Format | Description |
|---|---|
| https://Agile Controller-Campus-IP:8443 | In the address, Agile Controller-Campus-IP indicates the Agile Controller-Campus IP address. |
| Agile Controller-Campus IP address | If port 80 is enabled during installation, you can access the Agile Controller-Campus by entering only its IP address without the port number. The address automatically changes to https://Agile Controller-Campus-IP:8443. |

b. Enter the administrator account and password.

If you log in to the Agile Controller-Campus for the first time, use the super administrator account admin and the password Changeme123. Change the password immediately after logging in; otherwise, the Agile Controller-Campus cannot be used.

2. Create a department and account.

a. Choose Resource > User > User Management.

b. Click the Department tab in the operation area on the right. Then click Add under the Department tab, and add the department R&D.

c. Click the User tab in the operation area on the right. Then click Add under the User tab, and add the user A.

d. Click the icon in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password Huawei123.

e. On the User tab page, select user A and click Transfer to add user A to the R&D department.

3. Add switches to the Agile Controller-Campus so that the switches can communicate with the Agile Controller-Campus.

a. Choose Resource > Device > Device Management.

b. Click Permission Control Device Group in the navigation tree, click the icon next to it, and choose Add SubGroup to create a device group Switch.

c. Click the device group in the navigation tree and select ALL Device. Click Add to add network access devices.

d. Set connection parameters on the Add Device page.

This example uses SwitchC to describe the configuration procedure. The configuration on SwitchD is the same as that on SwitchC except that the IP addresses are different.

| Parameter | Value | Description |
|---|---|---|
| Name | SwitchC | - |
| IP Address | 192.168.30.30 | The switch interface with this address must be able to communicate with the Agile Controller-Campus. |
| Device Series | Huawei Quidway series switch | - |
| Authentication Key | Huawei@2014 | Must be the same as the shared key of the RADIUS authentication server configured on the switch. |
| Charging Key | Huawei@2014 | Must be the same as the shared key of the RADIUS accounting server configured on the switch. |
| Real-time charging interval (minute) | 15 | Must be the same as the real-time accounting interval configured on the switch. |

e. Click Permission Control Device Group in the navigation tree, select SwitchC, and click Move to move SwitchC to the Switch group. The configuration on SwitchD is the same as that on SwitchC.

4. Add an authentication rule.

a. Choose Policy > Permission Control > Authentication and Authorization > Authentication Rule and click Add to create an authentication rule.

b. Configure basic information for the authentication rule.

| Parameter | Value | Description |
|---|---|---|
| Name | Access authentication rule | - |
| Service Type | Access service | - |
| Authentication Condition | Device group Switch | Customize authentication rules based on the requirements of your network. |
| Please select the allowed authentication protocol | EAP-PEAP-MSCHAPv2 | - |

5. Add an authorization result.

a. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result and click Add to create an authorization result.

b. Configure basic information for the authorization result.

| Parameter | Value | Description |
|---|---|---|
| Name | Post-authentication domain | - |
| Service Type | Access service | - |
| ACL Number/AAA User Group | 3002 | The ACL number must be the same as the number of the ACL configured for R&D employees on the switch. |

6. Add an authorization rule.

After a user passes authentication, the authorization phase starts. The Agile Controller-Campus grants the user access rights based on the authorization rule.

a. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule and click Add to create an authorization rule.

b. Configure basic information for the authorization rule.

| Parameter | Value | Description |
|---|---|---|
| Name | Authorization rule for R&D employees | - |
| Service Type | Access service | - |
| Access Device Group | Switch | - |
| Authorization Result | Post-authentication domain | - |

Step 3 Verify the configuration.

- Before passing authentication, an employee can access only the Agile Controller-Campus server.
- After passing authentication, the employee can access resources in the post-authentication domain.
- After the employee passes authentication, run the display access-user command on the switch. The command output shows information about the online employee.

----End

Switch Configuration File

#
sysname SwitchC
#
vlan batch 10
#
domain isp
#
radius-server template rd1
 radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
 radius-server authentication 192.168.100.100 1812 weight 80
 radius-server accounting 192.168.100.100 1813 weight 80
#
acl number 3002
 rule 1 permit ip destination 192.168.102.100 0
 rule 2 deny ip
#
aaa
 authentication-scheme abc
  authentication-mode radius
 accounting-scheme acco1
  accounting-mode radius
  accounting realtime 15
 domain isp
  authentication-scheme abc
  accounting-scheme acco1
  radius-server rd1
#
interface Vlanif10
 ip address 192.168.30.30 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 authentication dot1x
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
 authentication mac-authen
 mac-authen username fixed A-123 password cipher %^%#7JxKWaX6c0\X4RHfJ$M6|duQ*k{7uXu{J{S=zx-3%^%#
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10
#
return

This post was last edited by 交换机在江湖 at 2017-05-31 16:50.

user_2790689     Created Mar 23, 2017 15:53:13

thank you