Example for Configuring User Authorization Based on ACL or Dynamic VLAN(V200R005C00-V200R008C00)

Created: Mar 23, 2017 14:30:51 | Latest reply: Sep 12, 2017 23:25:03

 

Overview

The following example uses ACL-based and dynamic VLAN-based authorization to show how a Cisco Identity Services Engine (ISE) server can authorize terminal users on a Huawei switch.

- ACL-based authorization is classified into:

  - ACL description-based authorization: the authorization information from the server carries an ACL description. The device looks up the ACL whose description matches the delivered value and applies its rules to the user. The ACL number, its description, and the ACL rules must all be configured on the device.

    The standard RADIUS attribute (011) Filter-Id is used.

  - Dynamic ACL-based authorization: the server delivers the ACL rules themselves to the device, and the user can then reach only the resources those rules permit. The ACL and its rules are configured on the server; no ACL needs to be configured on the device.

    The Huawei proprietary RADIUS attribute (26-82) HW-Data-Filter is used.

- Dynamic VLAN: the authorization information from the server carries a VLAN attribute. When the device receives it, it moves the user into the delivered VLAN. The VLAN can be delivered by VLAN ID or by VLAN description.

  The delivered VLAN does not change the interface configuration, but it takes precedence over the VLAN configured on the interface: the delivered VLAN applies once authentication succeeds, and the configured VLAN applies again after the user goes offline.

The following standard RADIUS attributes are used for dynamic VLAN delivery:

  - (064) Tunnel-Type: must be set to VLAN (13).
  - (065) Tunnel-Medium-Type: must be set to 802 (6).
  - (081) Tunnel-Private-Group-ID: the VLAN ID or VLAN name.

All three attributes must be present for the RADIUS server to deliver VLAN information correctly, and Tunnel-Type and Tunnel-Medium-Type must carry exactly the values above.

Configuration Notes

The version of the Cisco ISE server in this example is 1.4.0.253.

When configuring the Cisco ISE server to function as the RADIUS server and connect to the device to implement authorization, pay attention to the following points:

- Authorization can use standard RADIUS attributes and Huawei proprietary RADIUS attributes, but not Cisco proprietary RADIUS attributes. If a Huawei proprietary attribute is used for authorization, you must add that attribute manually on the Cisco ISE server.

- If ACL description-based authorization is used: when you select the ACL (Filter-ID) common task in an ISE authorization profile, ISE appends the suffix .in to the value you enter. If you enter the description abc on the Cisco ISE server, the Filter-Id actually delivered is abc.in, so the ACL description on the Huawei switch must be abc.in.

- Dynamic ACL-based authorization uses the Huawei proprietary RADIUS attribute HW-Data-Filter; it cannot be done through a Cisco proprietary RADIUS attribute.

- Once HW-Data-Filter has been added on the Cisco ISE server, an authorization profile that contains both Filter-ID and HW-Data-Filter delivers only Filter-ID; HW-Data-Filter is not delivered. Use one or the other in a profile.

- If ACL description-based authorization is used, the description configured on the Cisco ISE server and on the device must not exceed 127 bytes: the Cisco ISE server accepts up to 252 bytes, but the device supports at most 127.

- If dynamic VLAN authorization is delivered by VLAN description, the description configured on the Cisco ISE server and on the device must not exceed 32 bytes: the device supports up to 80 bytes, but the Cisco ISE server accepts at most 32.
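As an added example (not code from the original post, nor from Huawei or Cisco), the following Python script builds a RADIUS Access-Accept carrying the attributes described in the Overview and then applies the receiver-side checks from the Configuration Notes: it verifies the Response Authenticator with the shared key, reads Filter-Id (011) and the Huawei attribute HW-Data-Filter (26-82), and accepts a VLAN only when Tunnel-Type (064) is 13, Tunnel-Medium-Type (065) is 6 and Tunnel-Private-Group-ID (081) is present, while enforcing the 127-byte ACL description and 32-byte VLAN description limits. The Huawei vendor ID 2011, the vendor-type 82 for HW-Data-Filter, the Request Authenticator and the sample packet are assumptions constructed for the example; the shared key and the profile values (VLAN 20, Filter-Id 3002.in) come from the data plan.

```python
"""RADIUS Access-Accept encode/decode for ACL and dynamic VLAN authorization.
Added example, not code from the original post, Huawei or Cisco. Assumes
Huawei's IANA enterprise number 2011 and vendor-type 82 for HW-Data-Filter."""
import hashlib
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11                 # (011) Filter-Id: ACL description
VENDOR_SPECIFIC = 26           # (026) carries the Huawei attribute 26-82
TUNNEL_TYPE = 64               # (064) must be VLAN = 13
TUNNEL_MEDIUM_TYPE = 65        # (065) must be 802 = 6
TUNNEL_PRIVATE_GROUP_ID = 81   # (081) VLAN ID or VLAN name
HUAWEI_VENDOR_ID = 2011        # assumption: Huawei IANA enterprise number
HW_DATA_FILTER = 82            # assumption: vendor-type of HW-Data-Filter
ACL_DESC_MAX = 127             # device-side limit from the configuration notes
VLAN_DESC_MAX = 32             # ISE-side limit from the configuration notes

def avp(attr_type, value):
    """Type, Length (covering the 2-byte header), Value."""
    return bytes([attr_type, 2 + len(value)]) + value

def tagged_int(tag, number):
    """Tunnel integer attributes: 1-byte tag followed by a 3-byte integer."""
    return bytes([tag]) + number.to_bytes(3, "big")

def huawei_vsa(vendor_type, value):
    """Vendor-Specific: 4-byte Vendor-Id, then nested vendor type/length/value."""
    inner = bytes([vendor_type, 2 + len(value)]) + value
    return avp(VENDOR_SPECIFIC, struct.pack(">I", HUAWEI_VENDOR_ID) + inner)

def build_access_accept(ident, request_auth, secret, attrs):
    """RFC 2865 Access-Accept with a correct Response Authenticator."""
    body = b"".join(attrs)
    header = struct.pack(">BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse_attrs(body):
    """Walk the attribute list and return (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(body):
        attr_type, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, body[pos + 2:pos + length]))
        pos += length
    return attrs

def authorize(pkt, request_auth, secret):
    """Return the ACL description, HW-Data-Filter and VLAN the switch would apply."""
    code, _ident, length = struct.unpack(">BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt):
        raise ValueError("not a well-formed Access-Accept")
    if hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest() != pkt[4:20]:
        raise ValueError("bad Response Authenticator: wrong shared key or altered packet")
    result = {"acl_description": None, "hw_data_filter": None, "vlan": None, "errors": []}
    tunnel = {}
    for attr_type, value in parse_attrs(pkt[20:]):
        if attr_type == FILTER_ID:
            if len(value) > ACL_DESC_MAX:
                result["errors"].append("Filter-Id longer than %d bytes" % ACL_DESC_MAX)
            else:
                result["acl_description"] = value.decode("ascii", "replace")
        elif attr_type == VENDOR_SPECIFIC:
            vendor_id = struct.unpack(">I", value[:4])[0]
            if vendor_id == HUAWEI_VENDOR_ID and value[4] == HW_DATA_FILTER:
                # value[5] is the vendor-length, which covers its own 2-byte header
                result["hw_data_filter"] = value[6:4 + value[5]].decode("ascii", "replace")
        elif attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tunnel[attr_type] = int.from_bytes(value[1:], "big")   # skip the tag byte
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte <= 0x1F is a tag, anything else is part of the string
            group = value[1:] if value and value[0] <= 0x1F else value
            tunnel[attr_type] = group.decode("ascii", "replace")
    # Dynamic VLAN takes effect only when all three tunnel attributes are present
    # and Tunnel-Type / Tunnel-Medium-Type carry the fixed values.
    if TUNNEL_PRIVATE_GROUP_ID in tunnel:
        group = tunnel[TUNNEL_PRIVATE_GROUP_ID]
        if tunnel.get(TUNNEL_TYPE) != 13 or tunnel.get(TUNNEL_MEDIUM_TYPE) != 6:
            result["errors"].append("Tunnel-Type/Tunnel-Medium-Type missing or wrong; VLAN ignored")
        elif not group.isdigit() and len(group) > VLAN_DESC_MAX:
            result["errors"].append("VLAN description longer than %d bytes" % VLAN_DESC_MAX)
        else:
            result["vlan"] = group
    return result

# Constructed sample: the ISE profile VLAN20&ACL3002 from the data plan.
SECRET = b"Huawei@123"
REQUEST_AUTH = bytes(range(16))              # constructed Request Authenticator
GOOD = build_access_accept(7, REQUEST_AUTH, SECRET, [
    avp(FILTER_ID, b"3002.in"),              # ISE appends .in to the typed value
    avp(TUNNEL_TYPE, tagged_int(1, 13)),
    avp(TUNNEL_MEDIUM_TYPE, tagged_int(1, 6)),
    avp(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"20"),
])

if __name__ == "__main__":
    print(authorize(GOOD, REQUEST_AUTH, SECRET))
```

Running the script prints the decision for the complete profile (ACL description 3002.in and VLAN 20). Building the same packet with Tunnel-Medium-Type left out makes authorize() report an error and leave vlan at None while the ACL description still applies, which is the behaviour the note about "all three attributes" describes; a wrong shared key fails the Response Authenticator check before any attribute is looked at.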

Networking Requirements

In Figure 1-1, a large number of employees' terminals in a company connect to the intranet through GE0/0/1 on SwitchA. To ensure network security, the administrator needs to control the network access rights of these terminals. The requirements are as follows:

- Before passing authentication, terminals can access only the public server (IP address 192.168.40.1), for example to download the 802.1x client or update the antivirus database.

- After passing authentication, terminals can access the service server (IP address 192.168.50.1) and the devices in the laboratory (VLAN ID 20, IP address segment 192.168.20.10-192.168.20.100).

Figure 1-1 Wired access networking diagram


 

Data Plan

Table 1-1 Service data plan for the access switch

Item: RADIUS scheme
Data:
  - Authentication server IP address: 192.168.30.1
  - Authentication server port number: 1812
  - Accounting server IP address: 192.168.30.1
  - Accounting server port number: 1813
  - Shared key for the RADIUS server: Huawei@123
  - Authentication domain: huawei

Item: Resources accessible to users before authentication
Data: Access rights to the public server are configured using an authentication-free rule.

Item: Resources accessible to users after authentication
Data:
  - Access rights to the laboratory are granted using a dynamic VLAN. The VLAN ID is 20.
  - Access rights to the service server are granted using an ACL. The ACL number is 3002 and the description is 3002.in.

 

Table 1-2 Service data plan for the Cisco ISE server

Item: Department
Data: R&D department

Item: Access user
Data: User name A-123, password Huawei123

Item: Switch IP address
Data: SwitchA: 10.10.10.1

Item: RADIUS authentication key
Data: Huawei@123

Item: RADIUS accounting key
Data: Huawei@123

 

Configuration Roadmap

1. Configure the access switch: the VLANs that its interfaces belong to, the parameters for connecting to the RADIUS server, NAC, and the network access rights users obtain after passing authentication.

Note: In this example, ensure that reachable routes exist between SwitchA, SwitchB, the servers, the laboratory, and the employees' terminals.

2. Configure the Cisco ISE server.

  a. Log in to the Cisco ISE server.
  b. Add users on the Cisco ISE server.
  c. Add switches on the Cisco ISE server.
  d. Configure the password authentication protocol on the Cisco ISE server.
  e. Configure the authentication policy on the Cisco ISE server.
  f. Configure the authorization policy on the Cisco ISE server.

Procedure

Step 1 Configure access switch SwitchA.

1. Create VLANs and configure the allowed VLANs on the interfaces to ensure network connectivity.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 0/0/1    
[SwitchA-GigabitEthernet0/0/1] port link-type hybrid
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2    
[SwitchA-GigabitEthernet0/0/2] port link-type hybrid
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3    
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 20
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface loopback 1
[SwitchA-LoopBack1] ip address 10.10.10.1 24    
[SwitchA-LoopBack1] quit

2. Create and configure a RADIUS server template, an AAA authentication scheme, an accounting scheme, and an authentication domain.

# Create and configure the RADIUS server template rd1.

[SwitchA] radius-server template rd1
[SwitchA-radius-rd1] radius-server authentication 192.168.30.1 1812
[SwitchA-radius-rd1] radius-server accounting 192.168.30.1 1813
[SwitchA-radius-rd1] radius-server shared-key cipher Huawei@123
[SwitchA-radius-rd1] quit

# Create the AAA authentication scheme abc and set the authentication mode to RADIUS.

[SwitchA] aaa
[SwitchA-aaa] authentication-scheme abc
[SwitchA-aaa-authen-abc] authentication-mode radius
[SwitchA-aaa-authen-abc] quit

# Configure the accounting scheme acco1 and set the accounting mode to RADIUS.

[SwitchA-aaa] accounting-scheme acco1
[SwitchA-aaa-accounting-acco1] accounting-mode radius
[SwitchA-aaa-accounting-acco1] quit

# Create an authentication domain huawei, and bind the AAA authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.

[SwitchA-aaa] domain huawei
[SwitchA-aaa-domain-huawei] authentication-scheme abc
[SwitchA-aaa-domain-huawei] accounting-scheme acco1
[SwitchA-aaa-domain-huawei] radius-server rd1
[SwitchA-aaa-domain-huawei] quit
[SwitchA-aaa] quit

3. Enable 802.1x authentication.

# Set the NAC mode to unified.

[SwitchA] authentication unified-mode

Note: Unified mode is enabled by default. Save the configuration before changing the NAC mode, and restart the device afterwards for the change to take effect.

# Configure an authentication-free rule to allow users to access the public server before passing authentication.

[SwitchA] authentication free-rule 10 destination ip 192.168.40.1 mask 32

# Enable 802.1x authentication on GE0/0/1, specify the forcible authentication domain huawei for users who go online on the interface, and set the authentication protocol to EAP.

[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] domain name huawei force
[SwitchA-GigabitEthernet0/0/1] authentication dot1x
[SwitchA-GigabitEthernet0/0/1] dot1x authentication-method eap
[SwitchA-GigabitEthernet0/0/1] quit

4. Configure ACL 3002 as the authorization ACL for users who pass authentication. Rule 1 permits the Cisco ISE server, rule 2 permits the service server, and rule 3 drops all other IP traffic from the user, so check that every destination an authenticated user must reach (the laboratory segment from the requirements, for instance) is permitted by a rule ahead of rule 3.

[SwitchA] acl 3002
[SwitchA-acl-adv-3002] description 3002.in   
[SwitchA-acl-adv-3002] rule 1 permit ip destination 192.168.30.1 0
[SwitchA-acl-adv-3002] rule 2 permit ip destination 192.168.50.1 0
[SwitchA-acl-adv-3002] rule 3 deny ip destination any
[SwitchA-acl-adv-3002] quit
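As an added example (not code from the original post or from Huawei), the following Python script evaluates ACL 3002 above the way the switch does, first match in rule-number order with Huawei wildcard masks (a 0 bit must match, a 1 bit is ignored, and a bare 0 means an exact host), and combines it with the authentication-free rule for the public server, so you can see which of the destinations from the networking requirements an employee can reach before and after authentication. The ACL text and the free rule are copied from the configuration; the default of forwarding a packet that matches no rule is an assumption about the platform and never applies to this ACL, because rule 3 catches everything.

```python
"""First-match evaluation of the authorization ACL and the free rule.
Added example, not code from the original post or from Huawei. Handles only
the rule forms used on this page: 'rule N permit|deny ip [destination <ip>
<wildcard> | destination any]'."""
import ipaddress
import re

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip(?:\s+destination\s+(\S+)(?:\s+(\S+))?)?"
)

# Copied from the switch configuration above.
ACL_3002 = """
rule 1 permit ip destination 192.168.30.1 0
rule 2 permit ip destination 192.168.50.1 0
rule 3 deny ip destination any
"""
FREE_RULE_DESTINATIONS = ["192.168.40.1/32"]   # authentication free-rule 10

def parse_acl(text):
    """Return (number, action, destination, wildcard) tuples sorted by rule number."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.search(line)
        if not m:
            raise ValueError("unsupported rule syntax: %r" % line)
        num, action, dst, wildcard = m.groups()
        rules.append((int(num), action, dst, wildcard))
    return sorted(rules)   # config-order matching: lowest rule number first

def destination_matches(dst_ip, base, wildcard):
    """Huawei wildcard semantics: a 0 bit in the wildcard must match the base."""
    if base is None or base == "any":
        return True
    if wildcard is None or wildcard == "0":
        wildcard = "0.0.0.0"            # '0' is shorthand for an exact host
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(dst_ip)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)

def evaluate(rules, dst_ip):
    """First matching rule decides; returns (action, rule number)."""
    for num, action, base, wildcard in rules:
        if destination_matches(dst_ip, base, wildcard):
            return action, num
    return "permit", None   # assumption: unmatched packets are forwarded

def user_can_reach(dst_ip, authenticated, rules=None):
    """Before authentication only free-rule destinations are reachable; after
    authentication the delivered ACL is applied to the user's traffic."""
    if not authenticated:
        hit = any(ipaddress.IPv4Address(dst_ip) in ipaddress.IPv4Network(n)
                  for n in FREE_RULE_DESTINATIONS)
        return ("permit", "free-rule 10") if hit else ("deny", None)
    return evaluate(rules if rules is not None else parse_acl(ACL_3002), dst_ip)

if __name__ == "__main__":
    for dst, auth in [("192.168.40.1", False), ("192.168.50.1", False),
                      ("192.168.50.1", True), ("192.168.20.50", True)]:
        state = "authenticated" if auth else "pre-auth"
        print(dst, state, user_can_reach(dst, auth))
```

With the ACL as configured, the service server 192.168.50.1 is permitted by rule 2 after authentication, while a laboratory address such as 192.168.20.50 hits rule 3 and is denied; before authentication only the public server passes, through the free rule. A rule such as rule permit ip destination 192.168.20.0 0.0.0.255 placed ahead of rule 3 is what opening the laboratory segment would take, and evaluate() can be used to confirm that before the ACL is changed on the switch.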

Step 2 Configure the Cisco ISE server.

1. Log in to the Cisco ISE server.

  a. Open Internet Explorer, enter https://<Cisco ISE-IP> in the address bar (where Cisco ISE-IP is the IP address of the Cisco ISE server), and press Enter.

 

  b. Enter the administrator user name and password to log in to the Cisco ISE server.

2. Create a user group and a user.

  a. Choose Administration > Identity Management > Groups. Click Add in the operation area on the right and create the user group R&D.

  b. Choose Administration > Identity Management > Identities. Click Add in the operation area on the right, create a user with the user name A-123 and password Huawei123, and add the user to the user group R&D.

3. Add the switch on the Cisco ISE server as a network device so that the Cisco ISE server accepts RADIUS requests from it.

Choose Administration > Network Resources > Network Devices. Click Add in the operation area on the right to open the New Network Device page, then add the network access device and set its connection parameters.

Parameter: Name
Value: SwitchA
Description: -

Parameter: IP Address
Value: 10.10.10.1/32
Description: Cisco ISE identifies the network access device by the source IP address of its RADIUS packets, so this must be the address the switch actually sends RADIUS from (10.10.10.1 on LoopBack1 in this example), and the switch and the Cisco ISE server must be able to reach each other.

Parameter: Shared Secret
Value: Huawei@123
Description: Must match the shared key configured in the RADIUS server template (rd1) on the switch.

4. Configure the allowed password authentication protocols.

Choose Policy > Policy Elements > Results, then Authentication > Allowed Protocols in the area on the left to open the Allowed Protocols Services page. Click Add in the operation area on the right, create an allowed protocols service (the network access service), and select the permitted password authentication protocols.

When connecting to a Cisco ISE server, the switch supports EAP, PAP, and CHAP authentication. If the switch uses EAP with the Cisco ISE server, EAP-LEAP and EAP-FAST are not supported.

5. Configure the authentication policy.

Choose Policy > Authentication. Authentication policies are either simple or rule-based; rule-based mode can match multiple network access services (that is, allowed protocols services), while simple mode uses one. Simple mode is used in this example. From the Network Access Service drop-down list, select the allowed protocols service created in the previous step (802.1X in this example) and keep the default settings for the other fields.

6. Configure the authorization policy.

  a. Add an authorization rule.

  Choose Policy > Authorization. Click the triangle next to Edit and choose Insert New Rule Above. Add an authorization rule (named Authorization rule for authenticated users in this example) whose condition matches the user group R&D.

  b. Add access rights.

    i. In the Permissions column, click Add New Standard Profile to open the Add New Standard Profile page.

    ii. On the Add New Standard Profile page, configure the access rights.

Parameter: Name
Value: VLAN20&ACL3002
Description: -

Parameter: Access Type
Value: ACCESS_ACCEPT
Description: Access rights for users who pass authentication

Parameter: Common Tasks
Value: VLAN: 20; ACL (Filter-ID): 3002
Description: VLAN delivers the authorized VLAN ID or VLAN description through Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID. ACL (Filter-ID) delivers the ACL description; ISE appends the suffix .in, so the switch receives 3002.in, which matches the description configured on ACL 3002.

Step 3 Verify the configuration.

- Before passing authentication, an employee can access only the Cisco ISE server and the public server.

- After passing authentication, an employee can access the Cisco ISE server, public server, service server, and laboratory.

- After an employee passes authentication, run the display access-user command on the switch. The command output shows the online employee.

----End

Switch Configuration File

#
sysname SwitchA
#
vlan batch 10 20
#
radius-server template rd1
 radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
 radius-server authentication 192.168.30.1 1812 weight 80
 radius-server accounting 192.168.30.1 1813 weight 80
#
acl number 3002
 description 3002.in 
 rule 1 permit ip destination 192.168.30.1 0 
 rule 2 permit ip destination 192.168.50.1 0 
 rule 3 deny ip
#
aaa
 authentication-scheme abc
  authentication-mode radius
 accounting-scheme acco1
  accounting-mode radius
 domain huawei
  authentication-scheme abc
  accounting-scheme acco1
  radius-server rd1
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
 authentication dot1x
#
interface GigabitEthernet0/0/2
 port link-type hybrid
 port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface LoopBack1
 ip address 10.10.10.1 255.255.255.0
#  
authentication free-rule 10 destination ip 192.168.40.1 mask 255.255.255.255
#
return

This post was last edited by 交换机在江湖 on 2017-10-12 10:42.

user_2790689, created Mar 23, 2017 15:57:32

good

user_2877207, created Sep 12, 2017 23:25:03

Hi, could you help to provide the command to show the applied ACL after successful authorization? A screenshot of the result is highly appreciated. Thanks!