Interoperation Between Huawei Switches and Cisco ISE

Created: Feb 28, 2019 14:37:30

Configuring Cisco ISE to Authenticate Common Access Users and ACS to Authenticate Switch Administrators

Introduction to Network Admission Control

Network Admission Control (NAC) implements authentication, authorization, and accounting for device administrators and access users, ensuring device and network security. Access authentication devices and AAA servers communicate using RADIUS or HWTACACS. Both protocols use the client/server model for communication between access authentication devices and AAA servers. Table 2-26 lists the differences between HWTACACS and RADIUS.

Table 2-26  Comparison between HWTACACS and RADIUS

| HWTACACS | RADIUS |
|---|---|
| Transmits data using TCP, which is more reliable. | Transmits data using UDP, which is more efficient. |
| Encrypts the entire packet except for the standard HWTACACS header. | Encrypts only the password field in the authentication packet. |
| Separates authentication from authorization so that authentication and authorization can be implemented on different security servers. For example, one HWTACACS server can perform authentication and another HWTACACS server can perform authorization. | Combines authentication and authorization. |
| Supports command line authorization. The commands that a user can use depend on the command level and AAA. When a user enters a command, the command is executed only after being authorized by the HWTACACS server. | Does not support command line authorization. The commands that a user can use depend on the user level. A user can only use commands at the same level as or a lower level than the user level. |
| Applies to security control. | Applies to accounting. |

Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is more suitable for security control, so it is often used to perform AAA for device administrators.

Networking Requirements

To meet service requirements, an enterprise needs to deploy an identity authentication system to implement authentication and authorization on common access users and switch administrators. Only authorized users can access the network, which ensures the device and network security. The enterprise has the following requirements:

  • For administrators:
    1. The administrators log in to the switch using STelnet and are authenticated and authorized by the ACS.
    2. If the ACS is abnormal, the switch can directly perform authentication and authorization for the administrators.
    3. Different administrators have different levels.
    4. The ACS authorizes commands that can be run by administrators at a specified level to them.
    5. Commands executed on the switch by administrators must be recorded on the ACS, facilitating maintenance and tracking.
  • For common access users:
    1. Install the 802.1X client on wired PCs, perform 802.1X authentication and MAC address authentication for the PCs, and set the 802.1X authentication mode to password authentication.
    2. Perform 802.1X authentication for IP phones and set the authentication mode to password authentication.
    3. Perform MAC address authentication for APs, IP phones that do not support 802.1X authentication, printers, and fax machines.
    4. Some users and IP phones move frequently. Configure the ISE to dynamically deliver data VLANs and voice VLANs to them respectively.
    5. Directly add fixed users and IP phones to VLANs configured on switch interfaces.
    6. If the ISE is abnormal, the switch can directly authorize users. When the ISE recovers, the ISE re-authenticates users.
    7. If a user fails to pass authentication, the switch can add the user to a specified VLAN and restrict network resources the user can access.

In this example, the aggregation switch is an S7712 and the access switch is an S5720EI.

Figure 2-23  Enterprise user access networking

Configuration Logic

Figure 2-24  Configuration logic of Huawei switch

Table 2-27  Configuration logic of Cisco ACS

| Item | Description |
|---|---|
| Adding groups and users | - |
| Adding a switch | Set parameters for the switch connected to the ACS. |
| Creating an authorization profile | User level profile: specifies the user level. CLI profile: specifies commands that can be executed. |
| Configuring an authentication and authorization policy | Configure the conditions for users to pass the authentication and specify resources that users can access after authentication. |

Table 2-28  Configuration logic of Cisco ISE

| Item | Description |
|---|---|
| Adding groups, terminals, and user information | - |
| Adding a switch | Set parameters for the switch connected to the ISE. |
| (Optional) creating an authentication protocol profile | Specify the authentication protocol that can be used by users and terminals. If no authentication protocol profile is created, the default profile in Default Network Access of the ISE is used. |
| Creating an authentication policy | Configure the conditions for users and terminals to pass the authentication. |
| Creating an authorization policy | Specify resources that users and terminals can access after authentication. |

Configuration Notes
  • This configuration example applies to all switches running V200R009C00 or a later version. The Cisco ISE (version 2.0.0.306) works as the RADIUS server, and the Cisco ACS (version 5.2.0.26) works as the HWTACACS server. It is recommended that you use an ISE in version 2.0 or later. The minimum version required for an ACS is 5.1. The NAC mode of the Huawei switches is unified mode.
  • The RADIUS and HWTACACS shared keys configured on the switch must be the same as those configured on the servers.
  • By default, the switch allows the packets sent to RADIUS and HWTACACS servers to pass through. You do not need to configure an authentication-free rule for the packets on the switch.

Data Plan

Table 2-29  SwitchA data plan

| Interface | ID of the VLAN to Which the Interface Belongs | IP Address | Remarks |
|---|---|---|---|
| GE0/0/1 | 10 | 192.168.10.1/24 | The group pc_group1 belongs to this VLAN. |
| GE0/0/1 | 20 | 192.168.20.1/24 | The group IP_Phone1 belongs to this VLAN. |
| GE0/0/2 | 20 | 192.168.20.1/24 | The group IP_Phone2 belongs to this VLAN. |
| GE0/0/2 | 30 | 192.168.30.1/24 | The group pc_group2 belongs to this VLAN. |
| GE0/0/3 | 40 | 192.168.40.1/24 | The group ap_group belongs to this VLAN. |
| GE0/0/4 | 10 | 192.168.10.1/24 | GE0/0/4 is an uplink interface on SwitchA and allows packets from all user VLANs to pass through. |
| GE0/0/4 | 20 | 192.168.20.1/24 | |
| GE0/0/4 | 30 | 192.168.30.1/24 | |
| GE0/0/4 | 40 | 192.168.40.1/24 | |
| - | 50 | - | Users who fail to pass authentication are added to this VLAN. This VLAN restricts the resources they can access. |
| LoopBack 0 | - | 192.168.50.1/32 | This IP address is the management IP address of SwitchA. SwitchA also uses this IP address to communicate with the servers. |

Table 2-30  Common access user information

| User | Password | Group | ID of the VLAN to Which the User Belongs | Remarks |
|---|---|---|---|---|
| pc1 | huawei@123 | pc_group1 | 10 | The user belongs to a group containing relatively fixed users, and is directly added to a VLAN configured on the connected interface. |
| pc2 | huawei@234 | pc_group2 | 30 | The user belongs to a group containing moving users. The ISE dynamically delivers a data VLAN to the user. |
| phone1 | huawei@345 | IP_Phone1 | 20 | The user belongs to a group containing relatively fixed IP phones, and is directly added to a VLAN configured on the connected interface. |
| phone2 | huawei@456 | IP_Phone2 | 20 | The user belongs to a group containing moving IP phones. The ISE dynamically delivers a voice VLAN to the user. |
| 3c-97-0e-bd-6a-65 (MAC address of AP1) | - | ap_group | 40 | The user belongs to a group containing APs, and is directly added to a VLAN configured on the connected interface. |

Table 2-31  Administrator information

| User | Password | User Level |
|---|---|---|
| admin | huawei@567 | 0 |
| switch | huawei@789 | 1 |
| configure | huawei@890 | 2 |
| diagnose | huawei@901 | 15 |

Table 2-32  Authentication data plan

| Item | Data |
|---|---|
| ISE | 192.168.100.1/24 |
| ACS | 192.168.100.2/24 |
| SwitchA | 192.168.50.1/32 |
| RADIUS and HWTACACS shared keys | Huawei@2014 |

Procedure

  1. Configure SwitchA.

    NOTE:

    The aggregation switch configuration is not provided here. Configure the switches based on actual network planning.

    1. Configure the management IP address of SwitchA. SwitchA also uses this IP address to communicate with the ACS and ISE.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchA
      [SwitchA] interface LoopBack 0
      [SwitchA-LoopBack0] ip address 192.168.50.1 32
      [SwitchA-LoopBack0] quit

    2. Configure SwitchA as the DHCP server to assign IP addresses to common access users.

      [SwitchA] vlan batch 10 20 30 40 50
      [SwitchA] lldp enable   //Enable LLDP globally.
      [SwitchA] dhcp enable   //Enable DHCP globally.
      [SwitchA] dhcp snooping enable   //Enable DHCP snooping globally.
      [SwitchA] interface Vlanif10
      [SwitchA-Vlanif10] ip address 192.168.10.1 24   //Configure an IP address for VLANIF 10.
      [SwitchA-Vlanif10] dhcp select interface   //Enable the DHCP server function on VLANIF 10.
      [SwitchA-Vlanif10] quit
      [SwitchA] interface Vlanif20
      [SwitchA-Vlanif20] ip address 192.168.20.1 24
      [SwitchA-Vlanif20] dhcp select interface
      [SwitchA-Vlanif20] quit
      [SwitchA] interface Vlanif30
      [SwitchA-Vlanif30] ip address 192.168.30.1 24
      [SwitchA-Vlanif30] dhcp select interface
      [SwitchA-Vlanif30] quit
      [SwitchA] interface Vlanif40
      [SwitchA-Vlanif40] ip address 192.168.40.1 24
      [SwitchA-Vlanif40] dhcp select interface
      [SwitchA-Vlanif40] quit

    3. Assign VLANs to interfaces and configure network connectivity.

      [SwitchA] interface gigabitethernet 0/0/1
      [SwitchA-GigabitEthernet0/0/1] port link-type hybrid
      [SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
      [SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
      [SwitchA-GigabitEthernet0/0/1] undo port hybrid vlan 1
      [SwitchA-GigabitEthernet0/0/1] voice-vlan 20 enable   //Configure VLAN 20 as a voice VLAN.
      [SwitchA-GigabitEthernet0/0/1] port hybrid tagged vlan 20
      [SwitchA-GigabitEthernet0/0/1] stp edged-port enable   //Configure the interface as an edge interface.
      [SwitchA-GigabitEthernet0/0/1] dhcp snooping enable   //Enable DHCP snooping on the interface.
      [SwitchA-GigabitEthernet0/0/1] poe legacy enable   //Enable the PD compatibility check function on PoE-capable SwitchA so that SwitchA can provide power for non-standard PDs.
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2
      [SwitchA-GigabitEthernet0/0/2] port link-type hybrid
      [SwitchA-GigabitEthernet0/0/2] undo port hybrid vlan 1
      [SwitchA-GigabitEthernet0/0/2] voice-vlan 20 enable
      [SwitchA-GigabitEthernet0/0/2] stp edged-port enable
      [SwitchA-GigabitEthernet0/0/2] dhcp snooping enable
      [SwitchA-GigabitEthernet0/0/2] poe legacy enable
      [SwitchA-GigabitEthernet0/0/2] quit
      [SwitchA] interface gigabitethernet 0/0/3
      [SwitchA-GigabitEthernet0/0/3] port link-type hybrid
      [SwitchA-GigabitEthernet0/0/3] port hybrid pvid vlan 40
      [SwitchA-GigabitEthernet0/0/3] port hybrid untagged vlan 40
      [SwitchA-GigabitEthernet0/0/3] stp edged-port enable
      [SwitchA-GigabitEthernet0/0/3] dhcp snooping enable
      [SwitchA-GigabitEthernet0/0/3] poe legacy enable
      [SwitchA-GigabitEthernet0/0/3] quit
      [SwitchA] interface gigabitethernet 0/0/4
      [SwitchA-GigabitEthernet0/0/4] port link-type trunk
      [SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 10 20 30 40
      [SwitchA-GigabitEthernet0/0/4] quit
      [SwitchA] ip route-static 192.168.100.0 24 192.168.60.1   //Configure a static route from SwitchA to the server area. Assume that the next-hop address is 192.168.60.1.

    4. Configure local administrators.

      # Configure the login mode and authentication mode of administrators.
      [SwitchA] user-interface maximum-vty 3   //Set the maximum number of administrators who can remotely log in to the switch to 3.
      [SwitchA] user-interface vty 0 2   //Enter the three administrator interface views.
      [SwitchA-ui-vty0-2] authentication-mode aaa   //Set the authentication mode of administrators to AAA.
      [SwitchA-ui-vty0-2] protocol inbound ssh   //Set the remote login protocol of administrators to SSH, that is, administrators must log in to the switch using STelnet.
      [SwitchA-ui-vty0-2] quit
      # Configure local SSH users. The user admin is used as an example. The configurations of other users are similar and are not provided here.
      [SwitchA] stelnet server enable   //Enable the STelnet service on the switch.
      [SwitchA] ssh authentication-type default password   //Set the default authentication mode of SSH users to password authentication.
      [SwitchA] ssh user admin   //Create a local SSH user admin.
      [SwitchA] ssh user admin authentication-type password   //Set the authentication mode of the user admin to password authentication.
      [SwitchA] ssh user admin service-type stelnet   //Set the login mode of the user admin to STelnet.
      [SwitchA] aaa
      [SwitchA-aaa] local-user admin password irreversible-cipher huawei@567   //Set the password of the local administrator admin to huawei@567. The switch can authenticate the local administrator admin when the ACS is abnormal.
      [SwitchA-aaa] local-user admin privilege level 0   //Set the user level of the user admin to 0.
      [SwitchA-aaa] local-user admin service-type ssh   //Set the login protocol of the user admin to SSH.
      [SwitchA-aaa] quit

    5. Configure parameters for communication between SwitchA and the ACS.

      # Create the HWTACACS server template hw used in administrator authentication.
      [SwitchA] hwtacacs-server template hw
      [SwitchA-hwtacacs-hw] hwtacacs-server authentication 192.168.100.2   //Configure the ACS as the HWTACACS authentication server.
      [SwitchA-hwtacacs-hw] hwtacacs-server authorization 192.168.100.2   //Configure the ACS as the HWTACACS authorization server.
      [SwitchA-hwtacacs-hw] hwtacacs-server accounting 192.168.100.2   //Configure the ACS as the HWTACACS accounting server.
      [SwitchA-hwtacacs-hw] hwtacacs-server shared-key cipher Huawei@2014   //Set the HWTACACS shared key for SwitchA to communicate with the ACS to Huawei@2014.
      [SwitchA-hwtacacs-hw] undo hwtacacs-server user-name domain-included   //Configure SwitchA to send packets in which the administrator user name does not contain the domain name to the ACS.
      [SwitchA-hwtacacs-hw] quit
      # Create the authentication scheme hw.
      [SwitchA] aaa
      [SwitchA-aaa] authentication-scheme hw
      [SwitchA-aaa-authen-hw] authentication-mode hwtacacs local   //Set the authentication mode to HWTACACS and configure local authentication as the backup authentication mode.
      [SwitchA-aaa-authen-hw] quit
      # Create the authorization scheme hw.
      [SwitchA-aaa] authorization-scheme hw
      [SwitchA-aaa-author-hw] authorization-mode hwtacacs local   //Set the authorization mode to HWTACACS and configure local authorization as the backup authorization mode.
      [SwitchA-aaa-author-hw] authorization-cmd 0 hwtacacs   //Configure command line authorization for users whose level is 0 and set the authorization mode to HWTACACS. Perform this configuration for users at a specified level based on actual requirements.
      [SwitchA-aaa-author-hw] quit
      # Create the accounting scheme hw.
      [SwitchA-aaa] accounting-scheme hw
      [SwitchA-aaa-accounting-hw] accounting-mode hwtacacs   //Set the accounting mode to HWTACACS.
      [SwitchA-aaa-accounting-hw] accounting start-fail online   //Allow users to log in even if accounting-start fails.
      [SwitchA-aaa-accounting-hw] quit
      # Create the recording scheme hw.
      [SwitchA-aaa] recording-scheme hw
      [SwitchA-aaa-recording-hw] recording-mode hwtacacs hw   //Associate the HWTACACS server template hw with the recording scheme so that the switch can send recorded information to the ACS.
      [SwitchA-aaa-recording-hw] quit
      [SwitchA-aaa] cmd recording-scheme hw   //Configure the switch to record commands executed by administrators.
      # Create the administrator authentication domain hw.
      [SwitchA-aaa] domain hw
      [SwitchA-aaa-domain-hw] authentication-scheme hw   //Specify the authentication scheme hw.
      [SwitchA-aaa-domain-hw] accounting-scheme hw   //Specify the accounting scheme hw.
      [SwitchA-aaa-domain-hw] authorization-scheme hw   //Specify the authorization scheme hw.
      [SwitchA-aaa-domain-hw] hwtacacs-server hw   //Specify the HWTACACS server template hw.
      [SwitchA-aaa-domain-hw] quit
      [SwitchA-aaa] quit

    6. Configure authentication for administrators.

      [SwitchA] domain hw admin   //Configure the domain hw as the default administrative authentication domain on the switch. All administrators are automatically authenticated in this domain after logging in to the switch.

    7. Configure parameters for communication between SwitchA and the ISE.

      # Set the NAC mode to unified.

      NOTE:

      By default, the unified mode is enabled. After changing the NAC mode, you must save the configuration and restart the switch to make the configuration take effect.

      [SwitchA] authentication unified-mode
      # Create the RADIUS server template authentication.
      [SwitchA] radius-server template authentication
      [SwitchA-radius-authentication] radius-server authentication 192.168.100.1 1812 source ip-address 192.168.50.1   //Configure the ISE as the authentication server.
      [SwitchA-radius-authentication] radius-server accounting 192.168.100.1 1813 source ip-address 192.168.50.1   //Configure the ISE as the accounting server.
      [SwitchA-radius-authentication] radius-server shared-key cipher Huawei@2014   //Set the RADIUS shared key to Huawei@2014.
      [SwitchA-radius-authentication] undo radius-server user-name domain-included   //Configure the switch not to modify the original user name in the packets sent to the ISE.
      [SwitchA-radius-authentication] calling-station-id mac-format hyphen-split mode2 uppercase   //Set the encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets to xx-xx-xx-xx-xx-xx, in uppercase.
      [SwitchA-radius-authentication] radius-attribute set Service-Type 10 auth-type mac   //Set the value of the RADIUS attribute Service-Type for MAC address authentication to 10.
      [SwitchA-radius-authentication] quit
      # Configure a RADIUS authorization server.
      [SwitchA] radius-server authorization 192.168.100.1 shared-key cipher Huawei@2014
      # Create the authentication scheme auth.
      [SwitchA] aaa
      [SwitchA-aaa] authentication-scheme auth
      [SwitchA-aaa-authen-auth] authentication-mode radius   //Set the authentication mode to RADIUS.
      [SwitchA-aaa-authen-auth] quit
      # Create the accounting scheme acco. You must set the accounting mode to RADIUS so that the RADIUS server can maintain the account status, such as login, log-off, and forced log-off.
      [SwitchA-aaa] accounting-scheme acco
      [SwitchA-aaa-accounting-acco] accounting-mode radius   //Set the accounting mode to RADIUS.
      [SwitchA-aaa-accounting-acco] accounting realtime 3   //Set the real-time accounting interval to 3 minutes.
      [SwitchA-aaa-accounting-acco] quit
      # Create the authentication domain domain.
      [SwitchA-aaa] domain domain
      [SwitchA-aaa-domain-domain] authentication-scheme auth   //Specify the authentication scheme auth.
      [SwitchA-aaa-domain-domain] accounting-scheme acco   //Specify the accounting scheme acco.
      [SwitchA-aaa-domain-domain] radius-server authentication   //Specify the RADIUS server template authentication.
      [SwitchA-aaa-domain-domain] quit
      # Create a service scheme for user authorization when the server is abnormal.
      [SwitchA-aaa] service-scheme down01   //Create the service scheme down01 for authorization of PCs and IP phones.
      [SwitchA-aaa-service-down01] user-vlan 30   //Configure the switch to authorize VLAN 30 to PCs.
      [SwitchA-aaa-service-down01] voice-vlan   //Configure the switch to authorize voice VLANs to IP phones.
      [SwitchA-aaa-service-down01] quit
      [SwitchA-aaa] service-scheme down02   //Create the service scheme down02 for authorization of APs.
      [SwitchA-aaa-service-down02] user-vlan 40   //Configure the switch to authorize VLAN 40 to APs.
      [SwitchA-aaa-service-down02] quit
      # Create the service scheme fail for authorization of users who fail to pass authentication.
      [SwitchA-aaa] service-scheme fail
      [SwitchA-aaa-service-fail] user-vlan 50   //Configure the switch to deliver VLAN 50 to users who fail to pass authentication, restricting the resources they can access.
      [SwitchA-aaa-service-fail] quit
      [SwitchA-aaa] quit

    8. Configure authentication for common access users.

      # Create the 802.1X access profile dot1x.

      NOTE:

      By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.

      [SwitchA] dot1x-access-profile name dot1x
      [SwitchA-dot1x-access-profile-dot1x] dot1x reauthenticate   //Configure periodic re-authentication for online 802.1X authentication users.
      [SwitchA-dot1x-access-profile-dot1x] dot1x timer reauthenticate-period 120   //Set the re-authentication interval for online 802.1X authentication users to 120 seconds.
      [SwitchA-dot1x-access-profile-dot1x] authentication event client-no-response action authorize vlan 50   //Configure the switch to add users to VLAN 50 when the 802.1X client does not respond.
      [SwitchA-dot1x-access-profile-dot1x] quit
      # Create the MAC access profile mac for dumb terminals such as IP phones and printers.
      [SwitchA] mac-access-profile name mac
      [SwitchA-mac-access-profile-mac] mac-authen reauthenticate   //Configure periodic re-authentication for online MAC address authentication users.
      [SwitchA-mac-access-profile-mac] mac-authen timer reauthenticate-period 120   //Set the re-authentication interval for online MAC address authentication users to 120 seconds.
      [SwitchA-mac-access-profile-mac] quit
      # Create the MAC access profile ap_mac for APs.
      [SwitchA] mac-access-profile name ap_mac
      [SwitchA-mac-access-profile-ap_mac] mac-authen username macaddress format without-hyphen   //Set user names of APs to MAC addresses without hyphens for MAC address authentication.
      [SwitchA-mac-access-profile-ap_mac] quit
      # Configure the authentication profile dot1x&mac for PCs and IP phones.
      [SwitchA] authentication-profile name dot1x&mac
      [SwitchA-authen-profile-dot1x&mac] dot1x-access-profile dot1x   //Specify the 802.1X access profile dot1x.
      [SwitchA-authen-profile-dot1x&mac] mac-access-profile mac   //Specify the MAC access profile mac.
      [SwitchA-authen-profile-dot1x&mac] access-domain domain force   //Configure the forcible authentication domain domain.
      [SwitchA-authen-profile-dot1x&mac] authentication event authen-fail action authorize service-scheme fail   //Configure the switch to add users who fail to pass authentication to VLAN 50.
      [SwitchA-authen-profile-dot1x&mac] authentication event authen-server-down action authorize service-scheme down01   //Configure the switch to use the service scheme down01 to perform authorization for PCs and IP phones when the ISE is down.
      [SwitchA-authen-profile-dot1x&mac] authentication event authen-server-up action re-authen   //Configure the switch to re-authenticate users when the ISE recovers.
      [SwitchA-authen-profile-dot1x&mac] authentication dot1x-mac-bypass   //Configure MAC address bypass authentication.
      [SwitchA-authen-profile-dot1x&mac] quit
      # Configure the authentication profile ap_auth for APs.
      [SwitchA] authentication-profile name ap_auth
      [SwitchA-authen-profile-ap_auth] mac-access-profile ap_mac   //Specify the MAC access profile ap_mac.
      [SwitchA-authen-profile-ap_auth] access-domain domain force   //Configure the forcible authentication domain domain.
      [SwitchA-authen-profile-ap_auth] authentication event authen-fail action authorize service-scheme fail   //Configure the switch to add users who fail to pass authentication to VLAN 50.
      [SwitchA-authen-profile-ap_auth] authentication event authen-server-down action authorize service-scheme down02   //Configure the switch to use the service scheme down02 to perform authorization for APs when the ISE is down.
      [SwitchA-authen-profile-ap_auth] authentication event authen-server-up action re-authen   //Configure the switch to re-authenticate users when the ISE recovers.
      [SwitchA-authen-profile-ap_auth] undo authentication handshake   //Disable the handshake with pre-connection users and authorized users.
      [SwitchA-authen-profile-ap_auth] authentication mode multi-share   //Set the user access mode to multi-share on the switch interface connecting to APs.
      [SwitchA-authen-profile-ap_auth] quit
      NOTE:

      If the AP packet forwarding mode is direct forwarding, you must set the user access authentication mode to multi-share on the switch interface connecting to APs.

      # Bind the authentication profile dot1x&mac to GE0/0/1 and GE0/0/2 (enabling 802.1X authentication with MAC address bypass), and bind the authentication profile ap_auth to GE0/0/3 (enabling MAC address authentication).
      [SwitchA] interface gigabitethernet 0/0/1
      [SwitchA-GigabitEthernet0/0/1] authentication-profile dot1x&mac
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2
      [SwitchA-GigabitEthernet0/0/2] authentication-profile dot1x&mac
      [SwitchA-GigabitEthernet0/0/2] quit
      [SwitchA] interface gigabitethernet 0/0/3
      [SwitchA-GigabitEthernet0/0/3] authentication-profile ap_auth
      [SwitchA-GigabitEthernet0/0/3] quit
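      As an added example (not code from this guide or from Huawei), the following Python builds the RADIUS Access-Request that SwitchA, configured with the template from step 7, would send to the ISE for the MAC address authentication of AP1, and decodes it the way the ISE does. It assumes the endpoint's password is the same MAC string as its user name, a random Request Authenticator, and no Message-Authenticator attribute; all function names are made up here.

```python
# Added example: RADIUS Access-Request for AP1's MAC address authentication as SwitchA
# would send it (User-Name without hyphens, Calling-Station-Id in hyphen-split uppercase
# format, Service-Type 10) and the RFC 2865 User-Password hiding with the shared key.
import hashlib
import os
import struct

SHARED_KEY = b"Huawei@2014"   # RADIUS shared key from Table 2-32

# Packet code and attribute types from RFC 2865
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 6, 31
SERVICE_TYPE_CALL_CHECK = 10   # "radius-attribute set Service-Type 10 auth-type mac"


def mac_username(mac: str) -> str:
    """User-Name as set by 'mac-authen username macaddress format without-hyphen'.
    Assumption: lowercase hex, e.g. 3c-97-0e-bd-6a-65 -> 3c970ebd6a65."""
    return mac.replace("-", "").replace(":", "").lower()


def calling_station_id(mac: str) -> str:
    """Calling-Station-Id as set by 'calling-station-id mac-format hyphen-split mode2
    uppercase': 3c-97-0e-bd-6a-65 -> 3C-97-0E-BD-6A-65."""
    raw = mac_username(mac).upper()
    return "-".join(raw[i:i + 2] for i in range(0, 12, 2))


def hide_password(password: bytes, authenticator: bytes, key: bytes) -> bytes:
    """RFC 2865 section 5.2, the only field RADIUS hides (compare Table 2-26): pad to a
    multiple of 16 bytes, then XOR each block with MD5(key + previous ciphertext block),
    where the first 'previous block' is the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(key + prev).digest()))
        out += prev
    return out


def unhide_password(hidden: bytes, authenticator: bytes, key: bytes) -> bytes:
    """Inverse of hide_password; only a holder of the shared key recovers the value."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(key + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_mac_auth_request(mac: str, identifier: int = 1, authenticator: bytes = None) -> bytes:
    """Access-Request the switch sends to the ISE for a MAC-authenticated endpoint.
    Assumption: the password is the same MAC string as the User-Name."""
    authenticator = authenticator or os.urandom(16)
    user = mac_username(mac).encode()
    body = (attribute(USER_NAME, user)
            + attribute(USER_PASSWORD, hide_password(user, authenticator, SHARED_KEY))
            + attribute(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
            + attribute(CALLING_STATION_ID, calling_station_id(mac).encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def parse_attributes(packet: bytes):
    """Split a RADIUS packet into (code, authenticator, {type: value}). No key is
    needed: everything except User-Password is readable by anyone on the path."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length > len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, packet[4:20], attrs


def decode_mac_auth_request(packet: bytes, key: bytes = SHARED_KEY) -> dict:
    """What the ISE, holding the shared key, sees for the request built above."""
    code, authenticator, attrs = parse_attributes(packet)
    return {
        "code": code,
        "user_name": attrs[USER_NAME].decode(),
        "password": unhide_password(attrs[USER_PASSWORD], authenticator, key),
        "service_type": struct.unpack("!I", attrs[SERVICE_TYPE])[0],
        "calling_station_id": attrs[CALLING_STATION_ID].decode(),
    }


if __name__ == "__main__":
    pkt = build_mac_auth_request("3c-97-0e-bd-6a-65")   # MAC address of AP1 from Table 2-30
    print(decode_mac_auth_request(pkt))
```

      Because only User-Password is hidden, a shared key that differs between switch and server (Configuration Notes) shows up on the ISE as an unreadable password while User-Name and Calling-Station-Id still decode, which is the first thing to check when MAC authentication fails.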

  2. Configure the ACS.
    1. Log in to the ACS.

      1. Open Internet Explorer, enter the ACS access address in the address bar, and press Enter.

      2. Enter the ACS administrator user name and password to log in to the ACS.

    2. Configure switch administrators.

      1. In the navigation area on the left, choose Users and Identity Stores > Identity Groups. Click Create in the operation area on the right and create the administrator group admin. After completing the configuration, click Submit.


      2. In the navigation area on the left, choose Users and Identity Stores > Internal Identity Stores > Users. Click Create in the operation area on the right, create the administrator admin, and bind the administrator to the group admin. After completing the configuration, click Submit.


    3. Add the access authentication device SwitchA.

      1. In the navigation area on the left, choose Network Resources > Network Devices and AAA Clients. Click Create in the operation area on the right, add the access authentication device SwitchA, and configure parameters of SwitchA according to the following table. After completing the configuration, click Submit.

        | Parameter | Value | Description |
        |---|---|---|
        | Access device name | SwitchA | - |
        | IP address | 192.168.50.1 | - |
        | HWTACACS shared key | Huawei@2014 | The HWTACACS shared key must be the same as that configured on SwitchA. |

    4. Configure authorization profiles.

      1. In the navigation area on the left, choose Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles. Click Create in the operation area on the right, create Shell Profiles PRIVILEGE_LEVEL_0 and PRIVILEGE_LEVEL_15, and set the user level to 0 and 15 respectively. After completing the configuration, click Submit.

        NOTE:

        If the level specified in a Shell Profile is x and the Shell Profile is assigned to an administrator, the administrator can only run commands at level x and lower levels. Set a proper level for device administrators based on actual requirements.


      2. In the navigation area on the left, choose Policy Elements > Authorization and Permissions > Device Administration > Command Sets. Click Create in the operation area on the right, create Command Set PRIVILEGE_LEVEL_0, and add commands that can be run by the administrator admin. After completing the configuration, click Submit.

        NOTE:

        In the Command Set PRIVILEGE_LEVEL_0, users can run the display version, display device, display cpu-usage, and display memory-usage commands.


      3. Similarly, create Command Set All and select Permit any command that is not in the table below to allow the administrator diagnose to run all commands on the switch.


    5. Configure authentication and authorization policies.

      1. In the navigation area on the left, choose Access Policies > Access Services. Click Create in the operation area on the right, and create access service HWTACACS. After performing step 1, click Next to go to step 2, and configure authentication protocols for users. After completing the configuration, click Finish.


      2. In the displayed dialog box, click Yes to access the Access Policies > Access Services > Service Selection Rules page. Choose Rule based result selection and click Create. In the displayed dialog box, create the access service rule HWTACACS, set Conditions to Protocol match Tacacs, and set Results to Service: HWTACACS. After completing the configuration, click OK. Move this access service rule to the first position so that it is matched preferentially during authentication. Click Save Changes.


      3. In the navigation area on the left, choose Access Policies > Access Services > HWTACACS > Identity. Choose Rule based result selection in the operation area on the right and click Customize. Configure the filtering condition for user authentication. In this example, choose Device IP Address. After completing the configuration, click OK.


      4. Click Create, create the administrator authentication rule admin, set Conditions to Device IP Address = 192.168.50.1, and set Results to Identity Source: Users. After completing the configuration, click OK, and click Save Changes.


      5. In the navigation area on the left, choose Access Policies > Access Services > HWTACACS > Authorization. Click Customize and configure filtering conditions for user authorization. Under Customize Conditions, select Identity Group and System:UserName. Under Customize Results, select Shell Profiles and Command Sets. After completing the configuration, click OK, and click Save Changes.


      6. Click Create and create the authorization policy admin_policy for the administrator admin. Under Conditions, set Identity Group in All Groups:admin and System:UserName equals admin. Under Results, set Shell Profile: PRIVILEGE_LEVEL_0 and Command Sets: PRIVILEGE_LEVEL_0. Click OK and click Save Changes.


      7. Click Create and create the authorization policy diagnose_policy for the administrator diagnose. Under Conditions, set Identity Group in All Groups:admin and System:UserName equals diagnose. Under Results, set Shell Profile: PRIVILEGE_LEVEL_15 and Command Sets: All. Click OK and click Save Changes.


  3. Configure the ISE.
    1. Log in to the ISE.

      1. Open Internet Explorer, enter the ISE access address in the address bar, and press Enter.

      2. Enter the ISE administrator user name and password to log in to the ISE.

    2. Configure user groups, terminal lists, and user information. In this example, AP1, the group ap_group to which AP1 belongs, PC1, and the group pc_group1 to which PC1 belongs are configured. The configurations of other users and groups are similar, and are not provided here.

      1. Choose Administration > Identity Management > Groups. In the navigation area on the left, choose Endpoint Identity Groups. Click Add in the operation area on the right, and create the group ap_group to which AP1 belongs. After completing the configuration, click Submit.

      2. In the navigation area on the left, choose User Identity Groups. Click Add in the operation area on the right, and create the group pc_group1 to which PC1 belongs. After completing the configuration, click Submit.

      3. Choose Administration > Identity Management > Identities. In the navigation area on the left, choose EndPoints. Click Add in the operation area on the right. Add the terminal with the MAC address 3c-97-0e-bd-6a-65 and bind the terminal to the group ap_group. After completing the configuration, click Save.

      4. In the navigation area on the left, choose Users. Click Add in the operation area on the right. Create the user pc1, set the password to huawei@123, and bind the user to the group pc_group1. After completing the configuration, click Submit.

    3. Configure the access authentication device.

      1. In the top navigation area, choose Administration > Network Resources > Network Device Profiles, and click the Add tab. Create the access device profile huawei, set Vendor to Other, and select RADIUS under Supported Protocols.

      2. Configure Authentication/Authorization and Permissions according to the following figures. After completing the configuration, click Submit.

      3. Choose Administration > Network Resources > Network Devices. Click Add in the operation area on the right, add the access device SwitchA, and configure parameters of SwitchA according to the following table. After completing the configuration, click Submit.

        Parameter          | Value        | Description
        Access device name | SwitchA      | -
        IP address         | 192.168.50.1 | -
        RADIUS shared key  | Huawei@2014  | The RADIUS shared key must be the same as that configured on SwitchA.

    4. Configure authentication policies.

      1. In the top navigation area, choose Policy > Policy Elements > Conditions. In the navigation area on the left, choose Compound Conditions. Click Add in the operation area on the right, and create the 802.1X authentication filtering profile 802.1X. Click Create New Condition (Advance Option) to create a filtering rule. Set RADIUS:NAS-Port-Type to Ethernet, RADIUS:Service-Type to Framed, and RADIUS:NAS-IP-Address to 192.168.50.1. After completing the configuration, click Submit.

      2. Similarly, configure the MAC address authentication filtering profile MAC. Set RADIUS:NAS-Port-Type to Ethernet, RADIUS:Service-Type to Call Check, and RADIUS:NAS-IP-Address to 192.168.50.1. After completing the configuration, click Submit.

      3. In the top navigation area, choose Policy > Policy Elements > Results. In the navigation area on the left, choose Authentication > Allowed Protocols. Click Add in the operation area on the right, and create the protocol profile Authentication for user authentication. Select proper authentication protocols based on actual requirements. After completing the configuration, click Submit.

        NOTE:

        The ISE provides the default authentication protocol profile Default Network Access. If the profile meets actual requirements, you do not need to create a profile.

      4. In the top navigation area, choose Policy > Authentication, and click Rule-Based. Click the triangle next to the first authentication policy and choose Insert new row above.

      5. Create the 802.1X authentication policy 802.1x and MAC address authentication policy MAC respectively. Under Condition(s), click Select Existing Condition from Library, click Select Condition, and select the created 802.1X authentication filtering rule 802.1x and MAC address authentication filtering rule MAC from Compound Condition. Set Allowed Protocols to Authentication, click Done, and click Save.

    5. Configure authorization policies.

      1. In the top navigation area, choose Policy > Policy Elements > Results. In the navigation area on the left, choose Authorization > Authorization Profiles. Click Add in the operation area on the right, create the authorization result profile pc_group2 for users in the group pc_group2, and set the VLAN to VLAN 30. After completing the configuration, click Submit.

      2. Create the authorization result profile ipphone2 for users in the group IP_Phone2, and set the VLAN to voice VLAN 20. After completing the configuration, click Submit.

      3. In the top navigation area, choose Policy > Authorization. Click the triangle next to the first authentication policy and choose Insert New Rule Above. Create the authorization policy pc_group2 for the group pc_group2 and authorize VLAN 30 to users in the group pc_group2. Under Conditions, select the group pc_group2 from User Identity Groups. Under Permissions, select pc_group2 from Standard. Click Done and click Save.

      4. According to the preceding step, configure the authorization policy IP_Phone2 for the group IP_Phone2. Under Conditions, select the group IP_Phone2 from User Identity Groups. Under Permissions, select ipphone2 from Standard. Save the configuration.

  4. Verify the configuration.

    Run the display access-user command on SwitchA. The command output displays detailed information about online users, including common access users and switch administrators.
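To see what the two compound conditions from steps 4.1 and 4.2 actually test on the wire, here is an added Python example (it is not part of the Huawei page and not code from either vendor) that decodes the attribute section of a RADIUS Access-Request and applies those conditions: Service-Type Framed selects the 802.1X rule, Service-Type Call Check selects the MAC rule, and both also require NAS-Port-Type Ethernet and NAS-IP-Address 192.168.50.1, the LoopBack0 address that SwitchA sources its RADIUS packets from. Attribute codes and enumerated values are from RFC 2865 and RFC 3580; the sample packets, the helper names (parse_avps, decode, classify, build_request) and the MAC 00-11-22-33-44-55 are constructed for the example.

```python
"""
Added example (not from the Huawei/Cisco page): decode the attribute section of
a RADIUS Access-Request the way the ISE compound conditions in steps 4.1 and
4.2 look at it, and decide whether the request falls under the 802.1X rule
(Service-Type = Framed) or the MAC authentication rule (Service-Type =
Call-Check). Attribute codes and enumerations are from RFC 2865 and RFC 3580;
the packets below are constructed for the example.
"""
import ipaddress
import struct
from typing import Dict, List, Optional

# RFC 2865 attribute type codes
USER_NAME = 1
NAS_IP_ADDRESS = 4
SERVICE_TYPE = 6
CALLING_STATION_ID = 31
NAS_PORT_TYPE = 61

# Enumerated values the ISE conditions on the page compare against.
# Service-Type 10 (Call-Check) is what "radius-attribute set Service-Type 10
# auth-type mac" in the switch configuration file sends for MAC authentication.
SERVICE_TYPE_NAMES = {2: "Framed", 10: "Call-Check"}
NAS_PORT_TYPE_NAMES = {15: "Ethernet", 19: "Wireless-802.11"}

# The two compound conditions created on the ISE (RADIUS:NAS-IP-Address is the
# LoopBack0 address SwitchA sources its RADIUS packets from).
COMPOUND_CONDITIONS = {
    "802.1X": {"NAS-Port-Type": "Ethernet", "Service-Type": "Framed",
               "NAS-IP-Address": "192.168.50.1"},
    "MAC": {"NAS-Port-Type": "Ethernet", "Service-Type": "Call-Check",
            "NAS-IP-Address": "192.168.50.1"},
}


def parse_avps(data: bytes) -> Dict[int, List[bytes]]:
    """Split a RADIUS attribute section into {type: [value, ...]} (TLV, RFC 2865 s.5).
    Rejects truncated or zero-length attributes instead of looping on them."""
    attrs: Dict[int, List[bytes]] = {}
    offset = 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % offset)
        atype, alen = data[offset], data[offset + 1]
        if alen < 2 or offset + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, offset))
        attrs.setdefault(atype, []).append(data[offset + 2:offset + alen])
        offset += alen
    return attrs


def decode(attrs: Dict[int, List[bytes]]) -> Dict[str, str]:
    """Turn the raw attributes the ISE rules reference into named, readable values."""
    out: Dict[str, str] = {}
    if NAS_IP_ADDRESS in attrs:
        out["NAS-IP-Address"] = str(ipaddress.IPv4Address(attrs[NAS_IP_ADDRESS][0]))
    if SERVICE_TYPE in attrs:
        code = struct.unpack("!I", attrs[SERVICE_TYPE][0])[0]
        out["Service-Type"] = SERVICE_TYPE_NAMES.get(code, str(code))
    if NAS_PORT_TYPE in attrs:
        code = struct.unpack("!I", attrs[NAS_PORT_TYPE][0])[0]
        out["NAS-Port-Type"] = NAS_PORT_TYPE_NAMES.get(code, str(code))
    if CALLING_STATION_ID in attrs:
        out["Calling-Station-Id"] = attrs[CALLING_STATION_ID][0].decode("ascii")
    if USER_NAME in attrs:
        out["User-Name"] = attrs[USER_NAME][0].decode("utf-8", "replace")
    return out


def classify(decoded: Dict[str, str]) -> Optional[str]:
    """Return the name of the first compound condition whose attributes all match."""
    for name, condition in COMPOUND_CONDITIONS.items():
        if all(decoded.get(attr) == value for attr, value in condition.items()):
            return name
    return None


def classify_packet(data: bytes) -> Optional[str]:
    return classify(decode(parse_avps(data)))


# --- constructed sample requests (attribute section only, no RADIUS header) ---
def avp(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def build_request(service_type: int, nas_ip: str, station_id: str, user: str) -> bytes:
    """NAS-Port-Type is always Ethernet (15) for the wired ports in this example."""
    return (avp(USER_NAME, user.encode())
            + avp(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
            + avp(SERVICE_TYPE, struct.pack("!I", service_type))
            + avp(CALLING_STATION_ID, station_id.encode())
            + avp(NAS_PORT_TYPE, struct.pack("!I", 15)))


# pc1 authenticating with 802.1X through SwitchA (constructed MAC)
DOT1X_REQUEST = build_request(2, "192.168.50.1", "00-11-22-33-44-55", "pc1")
# AP1 (endpoint 3c-97-0e-bd-6a-65 on the page) authenticating by MAC address;
# with "calling-station-id mac-format hyphen-split mode2 uppercase" the switch
# sends the address as XX-XX-XX-XX-XX-XX.
MAB_REQUEST = build_request(10, "192.168.50.1", "3C-97-0E-BD-6A-65", "3C-97-0E-BD-6A-65")
# A request from a NAS address the two rules do not cover
OTHER_NAS_REQUEST = build_request(2, "192.168.50.2", "00-11-22-33-44-55", "pc1")

if __name__ == "__main__":
    for label, packet in (("802.1X from SwitchA", DOT1X_REQUEST),
                          ("MAC auth from SwitchA", MAB_REQUEST),
                          ("from another NAS", OTHER_NAS_REQUEST)):
        print(label, "->", decode(parse_avps(packet)), "=>", classify_packet(packet))
```

A request that matches neither condition returns None, which is the case that falls through to the ISE's default rule. The parser rejects truncated and zero-length attributes instead of looping on them, which is the check any RADIUS-handling code should make before trusting the length byte.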

Configuration File
#
sysname SwitchA
#
vlan batch 10 20 30 40 50
#
authentication-profile name dot1x&mac
 dot1x-access-profile dot1x
 mac-access-profile mac
 access-domain domain force
 authentication event authen-fail action authorize service-scheme fail
 authentication event authen-server-down action authorize service-scheme down01
 authentication event authen-server-up action re-authen
 authentication dot1x-mac-bypass
authentication-profile name ap_auth
 mac-access-profile ap_mac
 undo authentication handshake
 authentication mode multi-share
 access-domain domain force
 authentication event authen-fail action authorize service-scheme fail
 authentication event authen-server-down action authorize service-scheme down02
 authentication event authen-server-up action re-authen
#
domain hw admin
#
lldp enable
#
dhcp enable
#
dhcp snooping enable
#
radius-server template authentication
 radius-server shared-key cipher %^%#X:4qI:ZF^/hFx{B&3t+'nT;m@o.XZ<7m}BJW<Bj$%^%#
 radius-server authentication 192.168.100.1 1812 source ip-address 192.168.50.1 weight 80
 radius-server accounting 192.168.100.1 1813 source ip-address 192.168.50.1 weight 80
 undo radius-server user-name domain-included
 calling-station-id mac-format hyphen-split mode2 uppercase
 radius-attribute set Service-Type 10 auth-type mac
radius-server authorization 192.168.100.1 shared-key cipher %^%#pzdO:3q'(HSX}o2.=%J3`)6;-.BI2Y}/OYFD{iu-%^%#
#
hwtacacs-server template hw
 hwtacacs-server authentication 192.168.100.2
 hwtacacs-server authorization 192.168.100.2
 hwtacacs-server accounting 192.168.100.2
 hwtacacs-server shared-key cipher %^%#xT<M7&Xr'VWRJJ%.-f_*zf1}FU|LmHCcbAXXf6}P%^%#
 undo hwtacacs-server user-name domain-included
#
aaa
 authentication-scheme hw
  authentication-mode hwtacacs local
 authentication-scheme auth
  authentication-mode radius
 authorization-scheme hw
  authorization-mode hwtacacs local
  authorization-cmd 0 hwtacacs
 accounting-scheme hw
  accounting-mode hwtacacs
  accounting start-fail online
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 3
 recording-scheme hw
  recording-mode hwtacacs hw
 cmd recording-scheme hw
 service-scheme down01
  user-vlan 30
  voice-vlan
 service-scheme down02
  user-vlan 40
 service-scheme fail
  user-vlan 50
 domain hw
  authentication-scheme hw
  accounting-scheme hw
  authorization-scheme hw
  radius-server default
  hwtacacs-server hw
 domain domain
  authentication-scheme auth
  accounting-scheme acco
  radius-server authentication
 local-user admin password irreversible-cipher %^%#-T4MG_wij3r]t(VVrv%:2<X7S\AsmIG:R}8#)eY&aS@A'}%9)gR!k1_Z,5:%^%#
 local-user admin privilege level 0
 local-user admin service-type ssh
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 dhcp select interface
#
interface Vlanif30
 ip address 192.168.30.1 255.255.255.0
 dhcp select interface
#
interface Vlanif40
 ip address 192.168.40.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 voice-vlan 20 enable
 port hybrid pvid vlan 10
 undo port hybrid vlan 1
 port hybrid tagged vlan 20
 port hybrid untagged vlan 10
 stp edged-port enable
 authentication-profile dot1x&mac
 poe legacy enable
 dhcp snooping enable
#
interface GigabitEthernet0/0/2
 port link-type hybrid
 voice-vlan 20 enable
 undo port hybrid vlan 1
 stp edged-port enable
 authentication-profile dot1x&mac
 poe legacy enable
 dhcp snooping enable
#
interface GigabitEthernet0/0/3
 port link-type hybrid
 port hybrid pvid vlan 40
 port hybrid untagged vlan 40
 stp edged-port enable
 authentication-profile ap_auth
 poe legacy enable
 dhcp snooping enable
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10 20 30 40
#
interface LoopBack0
 ip address 192.168.50.1 255.255.255.255
#
ip route-static 192.168.100.0 255.255.255.0 192.168.60.1
#
stelnet server enable
ssh authentication-type default password
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type stelnet
#
user-interface maximum-vty 3
user-interface vty 0 2
 authentication-mode aaa
#
dot1x-access-profile name dot1x
 authentication event client-no-response action authorize vlan 50
 dot1x timer reauthenticate-period 120
 dot1x reauthenticate
#
mac-access-profile name mac
 mac-authen reauthenticate
 mac-authen timer reauthenticate-period 120
mac-access-profile name ap_mac
#
return

Configuring 802.1X Authentication for Wired Users on Cisco ISE

This section includes the following content:

802.1X Authentication Overview

802.1X is a port-based network access control protocol, and 802.1X authentication is one of the NAC authentication modes. 802.1X authentication ensures the security of enterprise intranets.

802.1X authentication provides high security; however, it requires that 802.1X client software be installed on user terminals, which makes network deployment inflexible. The other two NAC authentication modes have their own advantages and disadvantages: MAC address authentication does not require client software installation, but MAC addresses must be registered on an authentication server. Portal authentication also does not require client software installation and provides flexible deployment, but it has low security.

As a result, 802.1X authentication is applied to scenarios with new networks, centralized user distribution, and strict information security requirements.

Networking Requirements

Enterprises have high requirements on network security. To prevent unauthorized access and protect information security, an enterprise requires users to pass identity authentication and a security check before they access the enterprise network. Only authorized users are allowed to access the enterprise network. To reduce the investment in network reconstruction, you are advised to configure the 802.1X authentication function on the aggregation switch and connect a single centralized authentication server to the aggregation switch in bypass mode.

Figure 2-25  Networking diagram for configuring 802.1X authentication to control user access 

Configuration Logic

Figure 2-26  Configuration logic of Huawei switch

Table 2-33  Configuration logic of Cisco ISE

Item | Description
Creating a department and an account | -
Adding a switch | Set parameters for the switch connected to the ISE.
(Optional) Creating an authentication protocol profile | Specify the authentication protocol that can be used for 802.1X authentication. If no authentication protocol profile is created, the default profile Default Network Access of the ISE is used.
Creating an authentication policy | Configure the conditions for users to pass 802.1X authentication.
(Optional) Creating an authorization policy | Specify the resources that users can access after 802.1X authentication. If no authorization policy is created, users are allowed to access all reachable resources.

Configuration Notes
  • This configuration example applies to all switches running V200R009C00 or a later version. Cisco ISE 2.0.0.306 functions as the RADIUS server.
  • The RADIUS authentication and accounting shared keys on the switch must be the same as those on the ISE.
  • By default, the switch allows packets from the RADIUS server to pass. You do not need to configure authentication-free rules for the server on the switch.

Data Plan

Table 2-34  Network data plan

Item                              | Data
ISE                               | IP address: 192.168.100.100
Post-authentication domain server | IP address: 192.168.102.100
Aggregation switch (SwitchA)      | VLAN to which GE0/0/6 (connected to the server) belongs: VLAN 100; VLAN to which downstream interfaces GE0/0/1 and GE0/0/2 belong: VLAN 200
Access switch (SwitchC)           | User VLAN ID: 200
Access switch (SwitchD)           | User VLAN ID: 200

Table 2-35  Aggregation switch service data plan

Item                                         | Data
RADIUS scheme                                | Authentication server IP address: 192.168.100.100; authentication server port number: 1812; accounting server IP address: 192.168.100.100; accounting server port number: 1813; shared key for the RADIUS server: Huawei@2014; accounting interval: 15 minutes; authentication domain: isp
ACL number of the post-authentication domain | 3002

Table 2-36  ISE service data plan

Item                      | Data
Department                | RD department
Access user               | Access account: A-123; password: Huawei123
Device group              | Wired device group: Switch
Switch IP address         | SwitchA: 192.168.10.10
RADIUS authentication key | Huawei@2014
RADIUS accounting key     | Huawei@2014

Procedure

  1. Configure the access switches.
    1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded. This example uses SwitchC to describe the configuration. The configuration on SwitchD is the same as that on SwitchC.

      # Create VLAN 200.
      <HUAWEI> system-view
      [HUAWEI] sysname SwitchC
      [SwitchC] vlan batch 200
      # Configure the interface connected to users as an access interface and add the interface to VLAN 200.
      [SwitchC] interface gigabitethernet 0/0/1
      [SwitchC-GigabitEthernet0/0/1] port link-type access
      [SwitchC-GigabitEthernet0/0/1] port default vlan 200
      [SwitchC-GigabitEthernet0/0/1] quit
      [SwitchC] interface gigabitethernet 0/0/2
      [SwitchC-GigabitEthernet0/0/2] port link-type access
      [SwitchC-GigabitEthernet0/0/2] port default vlan 200
      [SwitchC-GigabitEthernet0/0/2] quit

      # Configure the interface connected to the upstream network as a trunk interface and configure the interface to allow VLAN 200.

      [SwitchC] interface gigabitethernet 0/0/3
      [SwitchC-GigabitEthernet0/0/3] port link-type trunk
      [SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 200
      [SwitchC-GigabitEthernet0/0/3] quit

    2. Configure the device to transparently transmit 802.1X packets. This example uses SwitchC to describe the configuration. The configuration on SwitchD is the same as that on SwitchC.

      NOTE:

      In this example, SwitchC and SwitchD are deployed between the authentication switch SwitchA and users. EAP packet transparent transmission needs to be configured on SwitchC and SwitchD so that SwitchA can perform 802.1X authentication for users.

      • Method 1: S5720EI, S5720HI, S5730HI, S6720EI, S6720HI, and S6720S-EI do not support this method.
        [SwitchC] l2protocol-tunnel user-defined-protocol 802.1X protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
        [SwitchC] interface gigabitethernet 0/0/1
        [SwitchC-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1X enable
        [SwitchC-GigabitEthernet0/0/1] bpdu enable
        [SwitchC-GigabitEthernet0/0/1] quit
        [SwitchC] interface gigabitethernet 0/0/2
        [SwitchC-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol 802.1X enable
        [SwitchC-GigabitEthernet0/0/2] bpdu enable
        [SwitchC-GigabitEthernet0/0/2] quit
        [SwitchC] interface gigabitethernet 0/0/3
        [SwitchC-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1X enable
        [SwitchC-GigabitEthernet0/0/3] bpdu enable
        [SwitchC-GigabitEthernet0/0/3] quit
      • Method 2: Only the S5720EI, S5720HI, S5730HI, S6720EI, S6720HI, and S6720S-EI support this method.

        [SwitchC] undo bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFF0
        [SwitchC] bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
        [SwitchC] bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
        [SwitchC] bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
        [SwitchC] bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8

  2. Configure the aggregation switch.
    1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchA
      [SwitchA] vlan batch 100 200
      [SwitchA] interface gigabitethernet 0/0/1    //Configure the interface connected to SwitchC.
      [SwitchA-GigabitEthernet0/0/1] port link-type trunk
      [SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2    //Configure the interface connected to SwitchD.
      [SwitchA-GigabitEthernet0/0/2] port link-type trunk
      [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
      [SwitchA-GigabitEthernet0/0/2] quit
      [SwitchA] interface gigabitethernet 0/0/6    //Configure the interface connected to the server.
      [SwitchA-GigabitEthernet0/0/6] port link-type trunk
      [SwitchA-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
      [SwitchA-GigabitEthernet0/0/6] quit
      [SwitchA] interface vlanif 100
      [SwitchA-Vlanif100] ip address 192.168.10.10 24    //Configure the management IP address for SwitchA. This IP address is used when SwitchA is added to the ISE.
      [SwitchA-Vlanif100] quit
      [SwitchA] interface vlanif 200
      [SwitchA-Vlanif200] ip address 192.168.200.1 24    //Configure the gateway address for terminal users.
      [SwitchA-Vlanif200] quit
      [SwitchA] ip route-static 192.168.100.0 255.255.255.0 192.168.10.11    //Configure a route to the network segment where the pre-authentication domain resides. Assume that the next hop address is 192.168.10.11.
      [SwitchA] ip route-static 192.168.102.0 255.255.255.0 192.168.10.11    //Configure a route to the network segment where the post-authentication domain resides. Assume that the next hop address is 192.168.10.11.

    2. Configure ACL 3002 for the post-authentication domain.

      [SwitchA] acl 3002
      [SwitchA-acl-adv-3002] description 3002.in    //After the Filter-ID is selected on the ISE, the authorization ACL automatically carries the suffix .in. You must set the ACL description to xxx.in on the switch.
      [SwitchA-acl-adv-3002] rule 1 permit ip destination 192.168.102.100 0
      [SwitchA-acl-adv-3002] rule 2 deny ip destination any
      [SwitchA-acl-adv-3002] quit

    3. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.

      # Create and configure the RADIUS server template rd1.
      [SwitchA] radius-server template rd1
      [SwitchA-radius-rd1] radius-server authentication 192.168.100.100 1812
      [SwitchA-radius-rd1] radius-server accounting 192.168.100.100 1813
      [SwitchA-radius-rd1] radius-server shared-key cipher Huawei@2014
      [SwitchA-radius-rd1] quit
      # Create an AAA authentication scheme abc and set the authentication mode to RADIUS.
      [SwitchA] aaa
      [SwitchA-aaa] authentication-scheme abc
      [SwitchA-aaa-authen-abc] authentication-mode radius
      [SwitchA-aaa-authen-abc] quit
      # Configure an accounting scheme acco1. Set the accounting mode to RADIUS so that the RADIUS server can maintain account status, such as login, log-off, and forced log-off.
      [SwitchA-aaa] accounting-scheme acco1
      [SwitchA-aaa-accounting-acco1] accounting-mode radius
      [SwitchA-aaa-accounting-acco1] accounting realtime 15    //Set the real-time accounting interval to 15 minutes.
      [SwitchA-aaa-accounting-acco1] quit
      # Create an authentication domain isp, and bind the AAA authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.
      [SwitchA-aaa] domain isp
      [SwitchA-aaa-domain-isp] authentication-scheme abc
      [SwitchA-aaa-domain-isp] accounting-scheme acco1
      [SwitchA-aaa-domain-isp] radius-server rd1
      [SwitchA-aaa-domain-isp] quit
      [SwitchA-aaa] quit
      # Configure the global default domain isp. During access authentication, enter a user name in the format user@isp to perform AAA authentication in the domain isp. If the user name does not contain a domain name or contains an invalid domain name, the user is authenticated in the default domain.
      [SwitchA] domain isp

    4. Enable 802.1X authentication.

      # Set the NAC mode to unified.
      [SwitchA] authentication unified-mode

      NOTE:

      By default, the unified mode is enabled. After the NAC mode is changed, save the configuration and restart the device to make the configuration take effect.

      # Configure an 802.1X access profile. By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.
      [SwitchA] dot1x-access-profile name d1
      [SwitchA-dot1x-access-profile-d1] quit
      # Configure an authentication profile.
      [SwitchA] authentication-profile name p1
      [SwitchA-authen-profile-p1] dot1x-access-profile d1    //Bind the 802.1X access profile d1.
      [SwitchA-authen-profile-p1] quit
      # Enable 802.1X authentication on GE0/0/1 and GE0/0/2.
      [SwitchA] interface gigabitethernet 0/0/1
      [SwitchA-GigabitEthernet0/0/1] authentication-profile p1    //Bind the authentication profile p1 and enable 802.1X authentication.
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2
      [SwitchA-GigabitEthernet0/0/2] authentication-profile p1    //Bind the authentication profile p1 and enable 802.1X authentication.
      [SwitchA-GigabitEthernet0/0/2] quit

  3. Configure the ISE.
    1. Log in to the ISE.

      1. Open Internet Explorer, enter the ISE access address in the address bar, and press Enter.
      2. Enter the ISE administrator user name and password to log in to the ISE.

    2. Create a department and an account.

      1. Choose Administration > Identity Management > Groups. In the navigation area on the left, choose User Identity Groups. Click the Add tab in the operation area on the right, and add the department RD.

      2. Choose Administration > Identity Management > Identities. In the navigation area on the left, choose Users. Click the Add tab in the operation area on the right, create an account A-123 with the password Huawei123, and add user A to the RD department.

    3. Add a switch to the ISE and configure related parameters to ensure normal communication between the ISE and switch.

      1. In the top navigation area, choose Administration > Network Resources > Network Device Profiles, and click the Add tab. Create the access device profile HUAWEI, set Vendor to Other, and select RADIUS under Supported Protocols.

      2. Configure Authentication/Authorization and Permissions according to the following figures. After completing the configuration, click Submit.

      3. Choose Administration > Network Resources > Network Devices. Click Add in the operation area on the right, add the access device SwitchA, and configure parameters of SwitchA according to the following table. After completing the configuration, click Submit.

        Parameter         | Value         | Description
        Name              | SwitchA       | -
        IP Address        | 192.168.10.10 | The interface on the switch must communicate with the ISE.
        RADIUS shared key | Huawei@2014   | It must be the same as the RADIUS authentication key and RADIUS accounting key configured on the switch.

    4. Configure the password authentication protocol.

      In the top navigation area, choose Policy > Policy Elements > Results. In the navigation area on the left, choose Authentication > Allowed Protocols. Click Add in the operation area on the right, and create the protocol profile Authentication for user authentication. Select proper authentication protocols based on actual requirements. After completing the configuration, click Submit.

      NOTE:

      The ISE provides the default authentication protocol profile Default Network Access. If the profile meets actual requirements, you do not need to create a profile.

    5. Configure the authentication policy.

      1. Choose Policy > Authentication. Authentication policies are classified into simple and rule-based authentication policies. A simple authentication policy is used in this example.
      2. Click the Network Access Service drop-down list box. The Network Access Services dialog box is displayed. Click Allowed Protocols and choose Authentication.

    6. Add an authorization rule.

      1. In the top navigation area, choose Policy > Authorization. Click the triangle next to the first authentication policy and choose Insert New Rule Above.

      2. Add an authorization result and bind an authorization rule to the authorization result.

      3. Click the Save tab on the right. Click Done.

  4. Verify the configuration.

    • An employee can only access the ISE before passing the authentication.
    • After passing the authentication, the employee can access resources in the post-authentication domain.
    • After the employee passes the authentication, run the display access-user command on the switch. The command output shows information about the online employee.

Configuration Files
  • SwitchA configuration file

    #
    sysname SwitchA
    #
    vlan batch 100 200
    #
    authentication-profile name p1
     dot1x-access-profile d1
    #
    domain isp
    #
    radius-server template rd1
     radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
     radius-server authentication 192.168.100.100 1812 weight 80
     radius-server accounting 192.168.100.100 1813 weight 80
    #
    dot1x-access-profile name d1
    #
    acl number 3002
     description 3002.in
     rule 1 permit ip destination 192.168.102.100 0
     rule 2 deny ip
    #
    aaa
     authentication-scheme abc
      authentication-mode radius
     accounting-scheme acco1
      accounting-mode radius
      accounting realtime 15
     domain isp
      authentication-scheme abc
      accounting-scheme acco1
      radius-server rd1
    #
    interface Vlanif100
     ip address 192.168.10.10 255.255.255.0
    #
    interface Vlanif200
     ip address 192.168.200.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 200
     authentication-profile p1
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 200
     authentication-profile p1
    #
    interface GigabitEthernet0/0/6
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    ip route-static 192.168.100.0 255.255.255.0 192.168.10.11
    ip route-static 192.168.102.0 255.255.255.0 192.168.10.11
    #
    return
  • SwitchC configuration file

    #
    sysname SwitchC
    #
    vlan batch 200
    #
    l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
    #
    interface GigabitEthernet0/0/1
     port link-type access
     port default vlan 200
     l2protocol-tunnel user-defined-protocol 802.1x enable
    #
    interface GigabitEthernet0/0/2
     port link-type access
     port default vlan 200
     l2protocol-tunnel user-defined-protocol 802.1x enable
    #
    interface GigabitEthernet0/0/3
     port link-type trunk
     port trunk allow-pass vlan 200
     l2protocol-tunnel user-defined-protocol 802.1x enable
    #
    return
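Method 2 in step 1.2 of the procedure above replaces one bpdu mac-address entry with four narrower ones, and the reason is easiest to see by enumerating the addresses. The following Python block is an added example, not code from the Huawei page: it assumes, as the mask syntax implies, that an entry matches a frame whenever the destination MAC agrees with the entry address in every bit set in the mask; it expands the original 0180-c200-0000/FFFF-FFFF-FFF0 entry into its 16 addresses and reports which of them the four replacement entries no longer match. The only one left out is 0180-c200-0003, the protocol-mac that Method 1 passes to l2protocol-tunnel user-defined-protocol. The helper names (mac_to_int, expand, left_uncovered and so on) are the example's own.

```python
"""
Added example (not from the Huawei page): work out which destination MAC
addresses the four "bpdu mac-address" entries of Method 2 still match, and
show that the only address of the original 0180-c200-0000/FFFF-FFFF-FFF0
block they leave out is 0180-c200-0003, the EAPOL protocol MAC that Method 1
names in its l2protocol-tunnel user-defined-protocol command.
Assumption: an entry matches when (mac & mask) == (entry_mac & mask).
"""
from typing import List, Optional, Tuple

MacEntry = Tuple[str, str]  # (mac-address, mask) exactly as written in the CLI

# The entry removed with "undo bpdu mac-address ..." in Method 2
ORIGINAL_ENTRY: MacEntry = ("0180-c200-0000", "FFFF-FFFF-FFF0")

# The four entries Method 2 adds in its place
METHOD2_ENTRIES: List[MacEntry] = [
    ("0180-c200-0000", "FFFF-FFFF-FFFE"),
    ("0180-c200-0002", "FFFF-FFFF-FFFF"),
    ("0180-c200-0004", "FFFF-FFFF-FFFC"),
    ("0180-c200-0008", "FFFF-FFFF-FFF8"),
]

EAPOL_MAC = "0180-c200-0003"  # protocol-mac given in Method 1


def mac_to_int(mac: str) -> int:
    """Accept 0180-c200-0003, 01:80:c2:00:00:03 or 0180.c200.0003."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Render in the xxxx-xxxx-xxxx form the switch CLI uses."""
    hexstr = "%012x" % value
    return "-".join(hexstr[i:i + 4] for i in range(0, 12, 4))


def entry_matches(mac: str, entry: MacEntry) -> bool:
    """An entry matches when the bits selected by its mask are equal."""
    mask = mac_to_int(entry[1])
    return (mac_to_int(mac) & mask) == (mac_to_int(entry[0]) & mask)


def matching_entry(mac: str, entries: List[MacEntry]) -> Optional[MacEntry]:
    """First entry that matches the address, or None if no entry does."""
    for entry in entries:
        if entry_matches(mac, entry):
            return entry
    return None


def expand(entry: MacEntry) -> List[str]:
    """Enumerate every address an entry covers, in ascending order. The masks
    here free at most four bits (16 addresses); refuse anything unreasonable."""
    mask = mac_to_int(entry[1])
    base = mac_to_int(entry[0]) & mask
    free_bits = [b for b in range(48) if not (mask >> b) & 1]
    if len(free_bits) > 16:
        raise ValueError("mask frees too many bits to enumerate")
    addresses = []
    for combo in range(1 << len(free_bits)):
        addr = base
        for i, bit in enumerate(free_bits):
            if (combo >> i) & 1:
                addr |= 1 << bit
        addresses.append(int_to_mac(addr))
    return addresses


def left_uncovered(old: MacEntry, new_entries: List[MacEntry]) -> List[str]:
    """Addresses matched by the old entry that none of the new entries match."""
    return [mac for mac in expand(old) if matching_entry(mac, new_entries) is None]


if __name__ == "__main__":
    print("original entry covers:", expand(ORIGINAL_ENTRY))
    print("no longer matched after Method 2:", left_uncovered(ORIGINAL_ENTRY, METHOD2_ENTRIES))
    print("entry matching EAPOL now:", matching_entry(EAPOL_MAC, METHOD2_ENTRIES))
```

The same check is useful when reviewing any hand-built set of bpdu mac-address entries: expand the entry you removed and confirm that exactly the addresses you meant to exclude, and no others, are the ones no remaining entry matches.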

Example for Configuring a Cisco ISE RADIUS Server to Provide 802.1X Authentication for Wireless STAs

Context

802.1X Authentication on the Wireless Side Overview

802.1X is a port-based network access control protocol, and 802.1X authentication is one of the NAC authentication modes. 802.1X authentication ensures the security of enterprise intranets.

802.1X authentication provides high security; however, it requires that 802.1X client software be installed on user terminals, which makes network deployment inflexible. The other two NAC authentication methods have their own advantages and disadvantages: MAC address authentication does not require client software installation, but MAC addresses must be registered on an authentication server. Portal authentication also does not require client software installation and provides flexible deployment, but it has low security.

As a result, 802.1X authentication is applied to scenarios with new networks, centralized user distribution, and strict information security requirements.

Configuration Notes
  • From V200R011C10, WLAN configurations are delivered automatically, without the need to run the commit all command.

  • The Cisco Identity Services Engine (ISE) in 2.0.0.306 functions as the RADIUS server in this example.

  • In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. If you set the forwarding mode to direct forwarding, you are not advised to configure the management VLAN and service VLAN to be the same.

  • In direct forwarding mode, configure port isolation on the interface directly connected to APs. If port isolation is not configured, many broadcast packets will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.

  • Configure the management VLAN and service VLAN:
    • In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel and forwarded to the AC. The AC then forwards the packets to the upper-layer network. Service packets and management packets can be forwarded normally only if the network between the AC and APs is added to the management VLAN and the network between the AC and upper-layer network is added to the service VLAN.
    • In direct forwarding mode, service packets are not encapsulated into a CAPWAP tunnel, but are directly forwarded to the upper-layer network. Service packets and management packets can be forwarded normally only if the network between APs and upper-layer network is added to the service VLAN and the network between the AC and APs is added to the management VLAN.
  • No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
    • In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
    • In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
    For details on how to configure traffic suppression, see "How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide - WLAN-AC of the corresponding product version.
  • Table 2-37 lists AC and AP versions applicable to WLAN examples. Table 2-38 lists AP models supported by different versions.

    Table 2-37  Applicable products and versions

    AC Version   | AC Product Model                         | Matching AP Version
    V200R013C00  | S5720HI, S5730HI, S6720HI, S7700, S9700  | V200R010C00, V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
    V200R012C00  | S5720HI, S5730HI, S6720HI, S7700, S9700  | V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
    V200R011C10  | S5720HI, S7700, S9700                    | V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
    V200R011C00  | S5720HI                                  | V200R007C20, V200R007C10, V200R006C20, V200R006C10
    V200R010C00  | S5720HI, S7700, S9700                    | V200R007C10, V200R006C20, V200R006C10
    V200R009C00  | S5720HI, S7700, S9700                    | V200R006C20, V200R006C10

    NOTE:

    For S7700, you are advised to deploy S7712, S7706 PoE, or S7706 switches for WLAN services. S7703 or S7703 PoE switches are not recommended.

    For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703 switches are not recommended.

    Table 2-38  AP models supported by different versions

    V200R010C00: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP2010DN, AP1010SN, AP7030DE, AP9330DN, AP5030DN, AP5130DN, AP8130DN, AP8030DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AP5030DN-S, AP3010DN-V2, AP4030DN-E, AD9431DN-24X, AD9430DN-24, AD9430DN-12, R230D, R240D, R450D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP430-E, R250D, R250D-E, AP2050DN, AP2050DN-S, AP2050DN-E, AP1050DN-S, AP8130DN-W, AP4050DN, AP4051DN, AP4151DN, AP4050DN-S, AP4051DN-S, AP8050DN, AP8150DN, AP8050DN-S, AP4051TN, AP6052DN, AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, AP8182DN, AP2030DN-S, AP5050DN-S, AP2051DN, AP2051DN-S, AP2051DN-E, AP2051DN-L-S, AP4050DE-M, AP4050DE-M-S, AP3050DE, AP4050DE-B-S, AP7060DN, AP5510-W-GP, WA375DD-CE, R251D, R251D-E, AP100EC, AP200EC, AP300EC

    V200R009C00: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP2010DN, AP1010SN, AP7030DE, AP9330DN, AP5030DN, AP5130DN, AP8130DN, AP8030DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AP5030DN-S, AP3010DN-V2, AP4030DN-E, AD9431DN-24X, AD9430DN-24, AD9430DN-12, R230D, R240D, R450D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP430-E, R250D, R250D-E, AP2050DN, AP2050DN-S, AP2050DN-E, AP1050DN-S, AP8130DN-W, AP4050DN, AP4051DN, AP4151DN, AP4050DN-S, AP4051DN-S, AP8050DN, AP8150DN, AP8050DN-S, AP4051TN, AP6052DN, AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, AP8182DN, AP2030DN-S, AP5050DN-S, AP2051DN, AP2051DN-S, AP2051DN-E, R251D, R251D-E, AP100EC, AP200EC, AP300EC

    V200R008C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AP5030DN-S, AP3010DN-V2, AP4030DN-E, AD9431DN-24X, AD9430DN-24, AD9430DN-12, R230D, R240D, R450D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP430-E, R250D, R250D-E, AP2050DN, AP2050DN-S, AP2050DN-E, AP1050DN-S, AP1010SN, AP8130DN-W, AP4050DN, AP4051DN, AP4151DN, AP4050DN-S, AP4051DN-S, AP8050DN, AP8150DN, AP8050DN-S, AP4051TN, AP6052DN, AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, AP8182DN, AP100EC, AP200EC, AP300EC

    V200R008C00: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AP5030DN-S, AP3010DN-V2, AP4030DN-E, AD9431DN-24X, AD9430DN-24, AD9430DN-12, R230D, R240D, R450D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP430-E, R250D, R250D-E, AP2050DN, AP2050DN-S, AP2050DN-E, AP1050DN-S, AP1010SN, AP8130DN-W, AP4050DN, AP4051DN, AP4151DN, AP4050DN-S, AP4051DN-S, AP8050DN, AP8150DN, AP8050DN-S

    V200R007C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AP5030DN-S, AP3010DN-V2, AP4030DN-E, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP430-E, R250D, R250D-E, AP2050DN, AP2050DN-S, AP2050DN-E, AP1010SN, AP8130DN-W, AP4050DN, AP4051DN, AP4151DN, AP4050DN-S, AP4051DN-S, AP8050DN, AP8150DN, AP8050DN-S

    V200R007C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AP5030DN-S, AP3010DN-V2, AP4030DN-E, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP430-E, R250D, R250D-E, AP2050DN, AP2050DN-S, AP2050DN-E, AP1010SN, AP8130DN-W

    V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AP5030DN-S, AP3010DN-V2, AP4030DN-E, AD9430DN-24, AD9430DN-12, R230D, R240D

    V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP5030DN-S, AP3010DN-V2

    NOTE:

    The central AP and RU must use the same version. For example, if the AD9430DN-24 version is V200R006C20, the R240D version must be also V200R006C20.

Networking Requirements

As shown in Figure 2-27, an enterprise's AC connects to the egress gateway (Router) and RADIUS server, and connects to the AP through SwitchA. The WLAN with the SSID wlan-net is available for employees to access network resources. The gateway also functions as a DHCP server to provide IP addresses on the 10.23.101.0/24 network segment for STAs. The AC controls and manages STAs.

Because the WLAN can be reached by any station within radio range, enterprise information is at risk if no security policy is configured for it. The enterprise requires high information security, so a WPA2 security policy with 802.1X authentication and AES encryption is configured, and the RADIUS server authenticates STA identities. The AC is configured as an EAP relay, so the EAP exchange runs end to end between the STA and the RADIUS server and the AC only forwards it.

Figure 2-27  Networking diagram for configuring 802.1X authentication 

Data Planning

Table 2-39  Data planning

Management VLAN: VLAN 100

Service VLAN: VLAN 101

Source interface on the AC: VLANIF 100 (10.23.100.1/24)

SwitchA VLAN: VLAN 100

DHCP server:
  • IP address that the AC assigns to the AP: 10.23.100.2-10.23.100.254/24
  • IP addresses that Router assigns to STAs: 10.23.101.2-10.23.101.254/24
  • IP address of DNS server: 8.8.8.8

Gateway for the AP: VLANIF 100 (10.23.100.1/24)

Gateway for STAs: VLANIF 101 (10.23.101.1/24)

RADIUS authentication parameters:
  • Name of the RADIUS server template: radius_huawei
  • IP address: 10.23.103.1
  • Authentication port number: 1812
  • Shared key: huawei@123
  • Authentication scheme: radius_huawei
  • AAA domain: huawei.com

802.1X access profile:
  • Name: wlan-dot1x
  • Authentication mode: EAP

Authentication profile:
  • Name: wlan-authentication
  • Referenced profile: 802.1X access profile wlan-dot1x
  • Forcible authentication domain: huawei.com

AP group:
  • Name: ap-group1
  • Referenced profiles: VAP profile wlan-vap and regulatory domain profile domain1

Regulatory domain profile:
  • Name: domain1
  • Country code: CN

SSID profile:
  • Name: wlan-ssid
  • SSID name: wlan-net

Security profile:
  • Name: wlan-security
  • Security policy: WPA2-802.1X-AES

VAP profile:
  • Name: wlan-vap
  • Forwarding mode: tunnel forwarding
  • Service VLAN: VLAN 101
  • Referenced profiles: SSID profile wlan-ssid, security profile wlan-security, and authentication profile wlan-authentication

Table 2-40  Data planning on the ISE server

Department: R&D department

Access user: account A-123, password Huawei123

AC IP address: 10.23.100.1

RADIUS authentication key: huawei@123 (must be identical, including case, to the shared key configured in the AC's RADIUS server template radius_huawei)

Configuration Roadmap
  1. Configure the AC to communicate with APs and upper-layer network devices.
  2. On the AC, configure the AC to assign an IP address to the AP and the router to assign IP addresses to STAs.
  3. Configure RADIUS authentication parameters on the AC.
  4. On the AC, configure an 802.1X access profile to manage 802.1X access control parameters.
  5. On the AC, configure an authentication profile, bind the 802.1X access profile to the authentication profile, and configure a forcible authentication domain for users.
  6. On the AC, configure the APs to go online.
  7. On the AC, configure WLAN service parameters, set the security policy to WPA2-802.1X-AES, and bind a security policy profile and an authentication profile to a VAP profile to control access from STAs.
  8. On the ISE server, add the AC as a network device, create the user account, and configure the authentication policy, so that the AC is accepted as a RADIUS client and STAs can pass 802.1X authentication.

Procedure

  1. Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the AC to allow the AP and AC to transmit CAPWAP packets.

    # Add GE0/0/1 that connects SwitchA to the AP and GE0/0/2 that connects SwitchA to the AC to the management VLAN 100.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] vlan batch 100
    [SwitchA] interface gigabitethernet 0/0/1
    [SwitchA-GigabitEthernet0/0/1] port link-type trunk
    [SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
    [SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
    [SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
    [SwitchA-GigabitEthernet0/0/1] stp edged-port enable
    [SwitchA-GigabitEthernet0/0/1] port-isolate enable
    [SwitchA-GigabitEthernet0/0/1] quit
    [SwitchA] interface gigabitethernet 0/0/2
    [SwitchA-GigabitEthernet0/0/2] port link-type trunk
    [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
    [SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
    [SwitchA-GigabitEthernet0/0/2] quit

    # Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.

    <HUAWEI> system-view
    [HUAWEI] sysname AC
    [AC] vlan batch 100 101
    [AC] interface gigabitethernet 1/0/1
    [AC-GigabitEthernet1/0/1] port link-type trunk
    [AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
    [AC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
    [AC-GigabitEthernet1/0/1] quit

  2. Configure the AC to communicate with the upstream device.

    # Configure VLANIF 101 (service VLAN), VLANIF 102, and VLANIF 103.

    [AC] vlan batch 101 102 103
    [AC] interface vlanif 101
    [AC-Vlanif101] ip address 10.23.101.1 24
    [AC-Vlanif101] quit
    [AC] interface vlanif 102
    [AC-Vlanif102] ip address 10.23.102.2 24
    [AC-Vlanif102] quit
    [AC] interface vlanif 103
    [AC-Vlanif103] ip address 10.23.103.2 24
    [AC-Vlanif103] quit

    # Add GE1/0/2 that connects the AC to the Router to VLAN 102.

    [AC] interface gigabitethernet 1/0/2
    [AC-GigabitEthernet1/0/2] port link-type trunk
    [AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
    [AC-GigabitEthernet1/0/2] quit

    # Add GE1/0/3 that connects the AC to the RADIUS server to VLAN 103.

    [AC] interface gigabitethernet 1/0/3
    [AC-GigabitEthernet1/0/3] port link-type trunk
    [AC-GigabitEthernet1/0/3] port trunk pvid vlan 103
    [AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 103
    [AC-GigabitEthernet1/0/3] quit

    # On the AC, configure a static route.

    [AC] ip route-static 0.0.0.0 0.0.0.0 10.23.102.1

  3. Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to STAs.

    # Configure the AC to assign an IP address to the AP from an interface address pool.

    [AC] dhcp enable
    [AC] interface vlanif 100
    [AC-Vlanif100] ip address 10.23.100.1 24
    [AC-Vlanif100] dhcp select interface
    [AC-Vlanif100] quit

    # Configure the AC as a DHCP relay agent, and specify the DHCP server IP address on the DHCP relay agent.

    [AC] interface vlanif 101
    [AC-Vlanif101] dhcp select relay
    [AC-Vlanif101] dhcp relay server-ip 10.23.102.1
    [AC-Vlanif101] quit

    # Configure the Router as a DHCP server to assign IP addresses to STAs from a global address pool. The egress gateway address of the DHCP client is 10.23.101.1, and the network segment of the global address pool is 10.23.101.0/24.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] dhcp enable
    [Router] ip pool sta
    [Router-ip-pool-sta] gateway-list 10.23.101.1
    [Router-ip-pool-sta] dns-list 8.8.8.8
    [Router-ip-pool-sta] network 10.23.101.0 mask 24
    [Router-ip-pool-sta] quit
    [Router] vlan batch 102
    [Router] interface vlanif 102
    [Router-Vlanif102] ip address 10.23.102.1 24
    [Router-Vlanif102] dhcp select global
    [Router-Vlanif102] quit
    [Router] interface gigabitethernet 2/0/0
    [Router-GigabitEthernet2/0/0] port link-type trunk
    [Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
    [Router-GigabitEthernet2/0/0] quit
    [Router] ip route-static 10.23.101.0 24 10.23.102.2

  4. Configure RADIUS authentication parameters.

    NOTE:

    Ensure that the RADIUS server IP address, port number, and shared key configured on the AC are the same as those on the RADIUS server. The shared key is case-sensitive, and a mismatch does not produce an authentication failure that can be seen on the AC: the server silently discards requests whose authenticator does not verify, so the AC reports the server as not responding.

    # Configure a RADIUS server template.

    [AC] radius-server template radius_huawei
    [AC-radius-radius_huawei] radius-server authentication 10.23.103.1 1812
    [AC-radius-radius_huawei] radius-server shared-key cipher huawei@123   //The default key is huawei.
    [AC-radius-radius_huawei] quit

    # Configure a RADIUS authentication scheme.

    [AC] aaa
    [AC-aaa] authentication-scheme radius_huawei
    [AC-aaa-authen-radius_huawei] authentication-mode radius
    [AC-aaa-authen-radius_huawei] quit

    # Create an AAA domain and configure the RADIUS server template and authentication scheme.

    [AC-aaa] domain huawei.com
    [AC-aaa-domain-huawei.com] radius-server radius_huawei
    [AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
    [AC-aaa-domain-huawei.com] quit
    [AC-aaa] quit

    NOTE:

    If the domain name huawei.com is configured, you need to add the domain name when entering the user name.

    # Test whether a STA can be authenticated using RADIUS authentication. The user name A-123@huawei.com with password Huawei123 (the account from Table 2-40) must already exist on the RADIUS server. The test-aaa command sends a PAP request, so PAP must remain among the protocols the ISE allows for the AC while this test is used.

    [AC] test-aaa A-123@huawei.com Huawei123 radius-template radius_huawei
    Info: Account test succeed.

  5. Configure an 802.1X access profile to manage 802.1X access control parameters.

    # Create the 802.1X access profile wlan-dot1x.

    [AC] dot1x-access-profile name wlan-dot1x 

    # Set the authentication mode to EAP relay.

    [AC-dot1x-access-profile-wlan-dot1x] dot1x authentication-method eap
    [AC-dot1x-access-profile-wlan-dot1x] quit

  6. Configure an authentication profile named wlan-authentication, apply the 802.1X access profile, and configure a forcible authentication domain.

    [AC] authentication-profile name wlan-authentication
    [AC-authen-profile-wlan-authentication] dot1x-access-profile wlan-dot1x
    [AC-authen-profile-wlan-authentication] access-domain huawei.com dot1x force
    [AC-authen-profile-wlan-authentication] quit

  7. Configure the AP to go online.

    # Create an AP group.

    [AC] wlan
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] quit

    # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

    [AC-wlan-view] regulatory-domain-profile name domain1
    [AC-wlan-regulate-domain-domain1] country-code cn
    [AC-wlan-regulate-domain-domain1] quit
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
    [AC-wlan-ap-group-ap-group1] quit
    [AC-wlan-view] quit

    # Configure the AC's source interface.

    [AC] capwap source interface vlanif 100 
    # Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's deployment location, so that you can know where the AP is deployed from its name. For example, name the AP area_1 if it is deployed in Area 1.

    NOTE:

    The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.

    In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).

    [AC] wlan
    [AC-wlan-view] ap auth-mode mac-auth
    [AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
    [AC-wlan-ap-0] ap-name area_1
    [AC-wlan-ap-0] ap-group ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC-wlan-ap-0] quit

    # After the AP is powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP goes online normally.

    [AC-wlan-view] display ap all
    Total AP information:
    nor  : normal          [1]
    Extra information:
    P  : insufficient power supply
    --------------------------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP            Type            State STA Uptime      ExtraInfo
    --------------------------------------------------------------------------------------------------
    0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN        nor   0   10S         -
    --------------------------------------------------------------------------------------------------
    Total: 1

  8. Configure WLAN service parameters.

    # Create security profile wlan-security and set the security policy in the profile.

    [AC-wlan-view] security-profile name wlan-security
    [AC-wlan-sec-prof-wlan-security] security wpa2 dot1x aes
    [AC-wlan-sec-prof-wlan-security] quit

    # Create SSID profile wlan-ssid and set the SSID name to wlan-net.

    [AC-wlan-view] ssid-profile name wlan-ssid
    [AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
    [AC-wlan-ssid-prof-wlan-ssid] quit

    # Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

    [AC-wlan-view] vap-profile name wlan-vap
    [AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
    [AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
    [AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
    [AC-wlan-vap-prof-wlan-vap] authentication-profile wlan-authentication
    [AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
    [AC-wlan-vap-prof-wlan-vap] quit

    # Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of the AP.

    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
    [AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
    [AC-wlan-ap-group-ap-group1] quit

  9. Commit the configuration.

    [AC-wlan-view] commit all
    Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

  10. Configure the ISE server.

    # Log in to the ISE server.
    1. Enter the access address of the ISE server in the address bar, in the format https://ISE-IP, where ISE-IP is the IP address of the ISE server.
    2. On the displayed page, enter the user name and password to log in to the ISE server.

    # Create department information. Choose Administration > Identity Management > Groups. In the pane on the right side, click Add and create an identity group named R&D department.

    # Create user account information. Choose Administration > Identity Management > Identities. In the pane on the right side, click Add, create the user account A-123 with password Huawei123, and assign it to R&D department.

    # Add AC information so that the ISE can interwork with the AC. Choose Administration > Network Resources > Network Devices. In the pane on the right side, click Add to add the AC as a network device.

    Parameter      Value            Remarks
    Name           AC               -
    IP Address     10.23.100.1/32   The IP address of the AC must be reachable from the ISE server. ISE matches an incoming request to this entry by the source address of the RADIUS packet, so the address registered here must be the one the AC actually sends from; if requests never appear in the ISE live log, compare this entry with a packet capture on the server.
    Shared Secret  huawei@123       The value must be identical, including case, to the shared key configured in the AC's RADIUS server template.

    # Configure allowed authentication and encryption protocols. Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols, and click Add to configure the allowed protocols. In this example the default configuration is used, which allows PAP, CHAP, and the EAP methods. Because the AC relays EAP, the STA negotiates PEAP end to end with the ISE and only that EAP method needs to stay enabled for the wireless users; keep PAP enabled as long as the test-aaa check in step 4 is used, because that command sends a PAP request, and disable the methods the clients do not use once the test has passed, so that the policy accepts nothing weaker than what the clients actually negotiate.

    # Configure authentication and authorization policies. Choose Policy > Authentication. Policy Type can be set to Simple or Rule-based; in this example, set it to Simple. Then bind the identity store that holds the user account and the allowed-protocols set configured in the previous steps to the authentication policy.

  11. Verify the configuration.

    • The WLAN with SSID wlan-net is available for STAs connected to the AP.
    • The wireless PC obtains an IP address after it associates with the WLAN.
    • Use the 802.1X authentication client on a STA and enter the correct user name and password. The STA is authenticated and can access the WLAN. The client must be configured for PEAP. The steps below deselect Validate server certificate to keep the lab test simple; do not carry that setting into production. A PEAP client that does not validate the RADIUS server certificate will complete the inner MSCHAPv2 exchange with any access point and RADIUS server that advertise the same SSID, and so hands its credential material to an impostor. In a real deployment, install the CA certificate that issued the ISE server certificate on the clients, keep Validate server certificate selected, and restrict the trusted server names.
      • Configuration on the Windows XP operating system:

        1. On the Association tab page of the Wireless network properties dialog box, add SSID wlan-net, set the authentication mode to WPA2, and encryption algorithm to AES.
        2. On the Authentication tab page, set EAP type to PEAP and click Properties. In the Protected EAP Properties dialog box, deselect Validate server certificate and click Configure. In the displayed dialog box, deselect Automatically use my Windows logon name and password and click OK.
      • Configuration on the Windows 7 operating system:

        1. Access the Manage wireless networks page, click Add, and select Manually create a network profile. Add SSID wlan-net. Set the authentication mode to WPA2-Enterprise, and encryption algorithm to AES. Click Next.
        2. Click Change connection settings. On the Wireless Network Properties page that is displayed, select the Security tab page and click Settings. In the Protected EAP Properties dialog box, deselect Validate server certificate and click Configure. On the dialog box that is displayed, deselect Automatically use my Windows logon name and password and click OK.
        3. On the Wireless Network Properties page, click Advanced settings. On the Advanced settings page that is displayed, select Specify authentication mode, set the identity authentication mode to User authentication, and click OK.

Configuration Files
  • SwitchA configuration file

    #
    sysname SwitchA
    #
    vlan batch 100
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk pvid vlan 100
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100
     stp edged-port enable
     port-isolate enable group 1
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100
    #
    return
  • Router configuration file

    #
    sysname Router
    #
    vlan batch 102
    #
    dhcp enable
    #
    ip pool sta
     gateway-list 10.23.101.1
     network 10.23.101.0 mask 255.255.255.0
     dns-list 8.8.8.8
    #
    interface Vlanif102
     ip address 10.23.102.1 255.255.255.0
     dhcp select global
    #
    interface GigabitEthernet2/0/0
     port link-type trunk
     port trunk allow-pass vlan 102
    #
    ip route-static 10.23.101.0 255.255.255.0 10.23.102.2
    #
    return
  • AC configuration file

    #
    sysname AC
    #
    vlan batch 100 to 103
    #
    authentication-profile name wlan-authentication
     dot1x-access-profile wlan-dot1x
     access-domain huawei.com dot1x force
    #
    dhcp enable
    #
    radius-server template radius_huawei
     radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
     radius-server authentication 10.23.103.1 1812 weight 80
    #
    aaa
     authentication-scheme radius_huawei
      authentication-mode radius
     domain huawei.com
      authentication-scheme radius_huawei
      radius-server radius_huawei
    #
    interface Vlanif100
     ip address 10.23.100.1 255.255.255.0
     dhcp select interface
    #
    interface Vlanif101
     ip address 10.23.101.1 255.255.255.0
     dhcp select relay
     dhcp relay server-ip 10.23.102.1
    #
    interface Vlanif102
     ip address 10.23.102.2 255.255.255.0
    #
    interface Vlanif103
     ip address 10.23.103.2 255.255.255.0
    #
    interface GigabitEthernet1/0/1
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    interface GigabitEthernet1/0/2
     port link-type trunk
     port trunk allow-pass vlan 102
    #
    interface GigabitEthernet1/0/3
     port link-type trunk
     port trunk pvid vlan 103
     port trunk allow-pass vlan 103
    #
    ip route-static 0.0.0.0 0.0.0.0 10.23.102.1
    #
    capwap source interface vlanif100
    #
    wlan
     security-profile name wlan-security
      security wpa2 dot1x aes
     ssid-profile name wlan-ssid
      ssid wlan-net
     vap-profile name wlan-vap
      forward-mode tunnel
      service-vlan vlan-id 101
      ssid-profile wlan-ssid
      security-profile wlan-security
      authentication-profile wlan-authentication
     regulatory-domain-profile name domain1
     ap-group name ap-group1
      regulatory-domain-profile domain1
      radio 0
       vap-profile wlan-vap wlan 1
      radio 1
       vap-profile wlan-vap wlan 1
     ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
      ap-name area_1
      ap-group ap-group1
    #
    dot1x-access-profile name wlan-dot1x
    #
    return

Configuring MAC Address Authentication for Wired Users on Cisco ISE

This section includes the following content:

MAC Address Authentication Overview

As one of NAC authentication modes, MAC address authentication controls a user's network access rights based on the user's interface and MAC address. The user does not need to install any client software. MAC address authentication ensures security of enterprise intranets.

MAC address authentication does not require client software on user terminals, but every MAC address must be registered on the server, which makes management laborious. The other two NAC authentication modes have their own trade-offs: 802.1X authentication offers high security but requires 802.1X client software on user terminals, which makes network deployment less flexible; Portal authentication does not require client software either and is flexible to deploy, but it offers low security.

MAC address authentication is applied to access authentication scenarios of dumb terminals such as printers and fax machines.

Networking Requirements

Enterprises have high requirements on network security. To prevent unauthorized access and protect information security, an enterprise requires users to pass identity authentication and a security check before they access the enterprise network; only authorized users are allowed in. To limit the investment in network reconstruction, configure MAC address authentication on the aggregation switch and attach a single centralized authentication server to the aggregation switch in bypass mode, so that the access switches need no changes.

Figure 2-28  Networking diagram for configuring MAC authentication to control user access 

Configuration Logic

Figure 2-29  Configuration logic of Huawei switch

Table 2-41  Configuration logic of Cisco ISE

Item | Description
Creating a department and an account | -
Adding a switch | Set parameters for the switch connected to the ISE.
(Optional) Creating an authentication protocol profile | Specify the authentication protocol that can be used for MAC address authentication. If no authentication protocol profile is created, the default profile in Default Network Access of the ISE is used.
Creating an authentication policy | Configure the conditions for users to pass MAC address authentication.
(Optional) Creating an authorization policy | Specify the resources that users can access after MAC address authentication. If no authorization policy is created, users are allowed to access all reachable resources.

Configuration Notes
  • This configuration example applies to all switches running V200R009C00 or a later version. The Cisco ISE in 2.0.0.306 functions as the RADIUS server.
  • The RADIUS authentication and accounting shared keys on the switch must be the same as those on the ISE.
  • By default, the switch allows the packets from RADIUS server to pass. You do not need to configure authentication-free rules for the server on the switch.

Data Plan

Table 2-42  Network data plan

ISE: IP address 192.168.100.100

Post-authentication domain server: IP address 192.168.102.100

Aggregation switch (SwitchA):
  • VLAN of interface 0/0/6, which connects to the server: VLAN 100
  • VLAN of downstream interfaces GE0/0/1 and GE0/0/2: VLAN 200

Access switch (SwitchC): user VLAN ID 200

Access switch (SwitchD): user VLAN ID 200

Table 2-43  Aggregation switch service data plan

  • RADIUS scheme:
    • Authentication server IP address: 192.168.100.100
    • Authentication server port number: 1812
    • Accounting server IP address: 192.168.100.100
    • Accounting server port number: 1813
    • Shared key for the RADIUS server: Huawei@2014
    • Accounting interval: 15 minutes
    • Authentication domain: isp
  • ACL number of the post-authentication domain: 3002

Table 2-44  ISE service data plan

  • Department: RD department
  • Access user: account A-123, password Huawei123
  • Device group: wired device group Switch
  • Switch IP address: SwitchA 192.168.10.10
  • RADIUS authentication key: Huawei@2014
  • RADIUS accounting key: Huawei@2014

Procedure

  1. Configure the access switches. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded. This example uses SwitchC to describe the configuration. The configuration on SwitchD is the same as that on SwitchC.

    # Create VLAN 200.
    <HUAWEI> system-view
    [HUAWEI] sysname SwitchC
    [SwitchC] vlan batch 200
    # Configure the interface connected to users as an access interface and add the interface to VLAN 200.
    [SwitchC] interface gigabitethernet 0/0/1
    [SwitchC-GigabitEthernet0/0/1] port link-type access
    [SwitchC-GigabitEthernet0/0/1] port default vlan 200
    [SwitchC-GigabitEthernet0/0/1] quit
    [SwitchC] interface gigabitethernet 0/0/2
    [SwitchC-GigabitEthernet0/0/2] port link-type access
    [SwitchC-GigabitEthernet0/0/2] port default vlan 200
    [SwitchC-GigabitEthernet0/0/2] quit

    # Configure the interface connected to the upstream network as a trunk interface and configure the interface to allow VLAN 200.

    [SwitchC] interface gigabitethernet 0/0/3
    [SwitchC-GigabitEthernet0/0/3] port link-type trunk
    [SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 200
    [SwitchC-GigabitEthernet0/0/3] quit

  2. Configure the aggregation switch.
    1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchA
      [SwitchA] vlan batch 100 200
      [SwitchA] interface gigabitethernet 0/0/1    //Configure the interface connected to SwitchC.
      [SwitchA-GigabitEthernet0/0/1] port link-type trunk
      [SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2    //Configure the interface connected to SwitchD.
      [SwitchA-GigabitEthernet0/0/2] port link-type trunk
      [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
      [SwitchA-GigabitEthernet0/0/2] quit
      [SwitchA] interface gigabitethernet 0/0/6    //Configure the interface connected to the server.
      [SwitchA-GigabitEthernet0/0/6] port link-type trunk
      [SwitchA-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
      [SwitchA-GigabitEthernet0/0/6] quit
      [SwitchA] interface vlanif 100
      [SwitchA-Vlanif100] ip address 192.168.10.10 24    //Configure the management IP address for SwitchA. This IP address is used when SwitchA is added to the ISE.
      [SwitchA-Vlanif100] quit
      [SwitchA] interface vlanif 200
      [SwitchA-Vlanif200] ip address 192.168.200.1 24    //Configure the gateway address for terminal users.
      [SwitchA-Vlanif200] quit
      [SwitchA] ip route-static 192.168.100.0 255.255.255.0 192.168.10.11    //Configure a route to the network segment where the pre-authentication domain resides. Assume that the next hop address is 192.168.10.11.
      [SwitchA] ip route-static 192.168.102.0 255.255.255.0 192.168.10.11    //Configure a route to the network segment where the post-authentication domain resides. Assume that the next hop address is 192.168.10.11.

    2. Configure ACL 3002 for the post-authentication domain.

      [SwitchA] acl 3002
      [SwitchA-acl-adv-3002] description 3002.in    //After Filter-ID is selected on the ISE, the authorization ACL name automatically carries the suffix .in, so the ACL description on the switch must be set to xxx.in.
      [SwitchA-acl-adv-3002] rule 1 permit ip destination 192.168.102.100 0
      [SwitchA-acl-adv-3002] rule 2 deny ip destination any
      [SwitchA-acl-adv-3002] quit

    3. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.

      # Create and configure the RADIUS server template rd1.
      [SwitchA] radius-server template rd1
      [SwitchA-radius-rd1] radius-server authentication 192.168.100.100 1812
      [SwitchA-radius-rd1] radius-server accounting 192.168.100.100 1813
      [SwitchA-radius-rd1] radius-server shared-key cipher Huawei@2014
      [SwitchA-radius-rd1] quit
      # Create an AAA authentication scheme abc and set the authentication mode to RADIUS.
      [SwitchA] aaa
      [SwitchA-aaa] authentication-scheme abc
      [SwitchA-aaa-authen-abc] authentication-mode radius
      [SwitchA-aaa-authen-abc] quit
      # Configure an accounting scheme acco1. Set the accounting mode to RADIUS so that the RADIUS server can maintain account status, such as login, log-off and forced log-off.
      [SwitchA-aaa] accounting-scheme acco1
      [SwitchA-aaa-accounting-acco1] accounting-mode radius
      [SwitchA-aaa-accounting-acco1] accounting realtime 15    //Set the real-time accounting interval to 15 minutes.
      [SwitchA-aaa-accounting-acco1] quit
      # Create an authentication domain isp, and bind the AAA authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.
      [SwitchA-aaa] domain isp
      [SwitchA-aaa-domain-isp] authentication-scheme abc
      [SwitchA-aaa-domain-isp] accounting-scheme acco1
      [SwitchA-aaa-domain-isp] radius-server rd1
      [SwitchA-aaa-domain-isp] quit
      [SwitchA-aaa] quit
      # Configure the global default domain isp. During access authentication, enter a user name in the format user@isp to perform AAA authentication in the domain isp. If the user name does not contain a domain name or contains an invalid domain name, the user is authenticated in the default domain.
      [SwitchA] domain isp

    4. Enable MAC address authentication.

      # Set the NAC mode to unified.
      [SwitchA] authentication unified-mode
      NOTE:

      By default, the unified mode is enabled. After the NAC mode is changed, save the configuration and restart the device to make the configuration take effect.

      # Configure a MAC access profile.
      [SwitchA] mac-access-profile name m1
      [SwitchA-mac-access-profile-m1] mac-authen username fixed A-123 password cipher Huawei123    //Set the user name mode for MAC address authentication to fixed user name, with user name A-123 and password Huawei123.
      [SwitchA-mac-access-profile-m1] quit
      # Configure an authentication profile.
      [SwitchA] authentication-profile name p1
      [SwitchA-authen-profile-p1] mac-access-profile m1    //Bind the MAC access profile m1.
      [SwitchA-authen-profile-p1] quit
      # Enable MAC address authentication on GE0/0/1 and GE0/0/2.
      [SwitchA] interface gigabitethernet 0/0/1
      [SwitchA-GigabitEthernet0/0/1] authentication-profile p1    //Bind the authentication profile p1 and enable MAC address authentication.
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2
      [SwitchA-GigabitEthernet0/0/2] authentication-profile p1    //Bind the authentication profile p1 and enable MAC address authentication.
      [SwitchA-GigabitEthernet0/0/2] quit

  3. Configure the ISE.
    1. Log in to the ISE.

      1. Open Internet Explorer, enter the ISE access address in the address bar, and press Enter.
      2. Enter the ISE administrator user name and password to log in to the ISE.

    2. Create a department and account.

      1. Choose Administration > Identity Management > Groups. In the navigation area on the left, choose Endpoint Identity Groups. Click Add in the operation area on the right, and create the group RD to which the RD department belongs. After completing the configuration, click Submit.


      2. Choose Administration > Identity Management > Identities. In the navigation area on the left, choose EndPoints. Click Add in the operation area on the right. Add the terminal with the MAC address 3c-97-0e-bd-6a-65 and bind the terminal to the group RD. After completing the configuration, click Save.


    3. Add a switch to the ISE and configure related parameters to ensure normal communication between the ISE and switch.

      1. In the top navigation area, choose Administration > Network Resources > Network Device Profiles and click Add. Create the access device profile HUAWEI, set Vendor to Other, and select RADIUS under Supported Protocols.


      2. Configure Authentication/Authorization and Permissions according to the following figures. After completing the configuration, click Submit.


      3. Choose Administration > Network Resources > Network Devices. Click Add in the operation area on the right, add the access device SwitchA, and configure parameters of SwitchA according to the following table. After completing the configuration, click Submit.

        • Name: SwitchA
        • IP Address: 192.168.10.10 (the switch interface with this address must be able to communicate with the ISE)
        • RADIUS shared key: Huawei@2014 (must be the same as the RADIUS authentication key and RADIUS accounting key configured on the switch)

    4. Configure the password authentication protocol.

      # In the top navigation area, choose Policy > Policy Elements > Results. In the navigation area on the left, choose Authentication > Allowed Protocols. Click Add in the operation area on the right and create the protocol profile Authentication for user authentication. Select authentication protocols based on actual requirements. After completing the configuration, click Submit.

      NOTE:

      The ISE provides the default authentication protocol profile Default Network Access. If the profile meets actual requirements, you do not need to create a profile.


    5. Configure the authentication policy.

      1. Choose Policy > Authentication. Authentication policies are classified into simple and rule-based authentication policies. A simple authentication policy is used in this example.
      2. Click the Network Access Service drop-down list box. The Network Access Services dialog box is displayed. Click Allowed Protocols and choose Authentication.


    6. Add an authorization rule.

      1. In the top navigation area, choose Policy > Authorization. Click the triangle next to the first authentication policy and choose Insert New Rule Above.

      2. Add an authorization result and bind an authorization rule to the authorization result.


      3. Click the Save tab on the right. Click Done.


  4. Verify the configuration.

    • An employee can only access the ISE before passing the authentication.
    • After passing the authentication, the employee can access resources in the post-authentication domain.
    • After the employee passes the authentication, run the display access-user command on the switch. The command output shows information about the online employee.
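The RADIUS exchange that the procedure above sets up, written out as an added Python example (it is not code from this page, from Huawei, or from Cisco): the switch side builds the Access-Request for an endpoint, hiding the password with the shared key as RFC 2865 prescribes; a stand-in server (a toy, not the ISE) checks the account and the endpoint MAC and answers Access-Accept carrying a Filter-Id, or Access-Reject; and the switch side verifies the Response Authenticator before matching the Filter-Id against the ACL description "3002.in" exactly as the ACL step requires. It goes slightly beyond this example by also encoding the Calling-Station-Id in xx-xx-xx-xx-xx-xx form and Service-Type 10 (Call Check), the two attributes the wireless example later sets on the AC. The account A-123/Huawei123, shared key Huawei@2014, endpoint MAC 3c-97-0e-bd-6a-65 and ACL 3002 come from the data plan; the packet identifier and the server's account and endpoint tables are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types used below (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, FILTER_ID, CALLING_STATION_ID = 1, 2, 6, 11, 31
SERVICE_TYPE_CALL_CHECK = 10  # "Call Check", the value set by radius-attribute set service-type 10

def encode_attr(atype, value):
    """Type-Length-Value encoding of one attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def decode_attrs(data):
    """Parse the attribute area, rejecting lengths that would run past the packet."""
    attrs = {}
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[data[0]] = data[2:data[1]]
        data = data[data[1]:]
    return attrs

def _password_chain(blocks, secret, authenticator, hiding):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous cipher block)."""
    out, prev = b"", authenticator
    for i in range(0, len(blocks), 16):
        chunk = blocks[i:i + 16]
        result = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += result
        prev = result if hiding else chunk
    return out

def hide_password(password, secret, authenticator):
    return _password_chain(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)

def unhide_password(hidden, secret, authenticator):
    return _password_chain(hidden, secret, authenticator, False).rstrip(b"\x00")

def mac_hyphen_split(mac):
    """Normalise any MAC spelling to xx-xx-xx-xx-xx-xx (the hyphen-split mode2 format on the page)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_access_request(ident, secret, username, password, sta_mac):
    """Switch side: the Access-Request sent when a MAC is first seen on the port."""
    authenticator = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = (encode_attr(USER_NAME, username.encode())
             + encode_attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + encode_attr(CALLING_STATION_ID, mac_hyphen_split(sta_mac).encode())
             + encode_attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def serve_access_request(packet, secret, accounts, endpoint_acl):
    """Toy server: check the account and endpoint MAC, answer Accept + Filter-Id or Reject."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    # A wrong shared key does not raise: unhiding simply yields an unrecognisable password
    password = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    mac = attrs.get(CALLING_STATION_ID, b"").decode()
    reply_attrs = b""
    if accounts.get(attrs[USER_NAME].decode()) == password and mac in endpoint_acl:
        code, reply_attrs = ACCESS_ACCEPT, encode_attr(FILTER_ID, endpoint_acl[mac].encode())
    else:
        code = ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + reply_attrs + secret).digest()
    return header + resp_auth + reply_attrs

def check_reply(reply, request, secret):
    """Switch side: verify identifier and Response Authenticator before acting on the reply."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("reply does not verify: wrong shared key, forged or mismatched reply")
    return code, decode_attrs(reply[20:length])

def acl_for_filter_id(filter_id, acl_descriptions):
    """Match the Filter-Id the way the page describes: the ISE sends '<name>.in' and the switch
    applies the ACL whose description equals that string (ACL 3002 described as 3002.in)."""
    return next((num for num, desc in acl_descriptions.items() if desc == filter_id), None)

def mac_auth_exchange(switch_secret, server_secret, sta_mac):
    """One round trip; returns ('accept', ACL number), ('reject', None) or ('unverified', None)."""
    accounts = {"A-123": b"Huawei123"}               # fixed user name/password from the data plan
    endpoint_acl = {"3c-97-0e-bd-6a-65": "3002.in"}  # constructed: ISE endpoint -> Filter-Id
    acl_descriptions = {3002: "3002.in"}             # ACL description configured on SwitchA
    request = build_access_request(7, switch_secret, "A-123", "Huawei123", sta_mac)
    reply = serve_access_request(request, server_secret, accounts, endpoint_acl)
    try:
        code, attrs = check_reply(reply, request, switch_secret)
    except ValueError:
        return "unverified", None
    if code != ACCESS_ACCEPT:
        return "reject", None
    return "accept", acl_for_filter_id(attrs[FILTER_ID].decode(), acl_descriptions)
```

Running mac_auth_exchange with the same key on both sides returns ("accept", 3002) for the known endpoint and ("reject", None) for an unknown MAC. With different keys, the password unhides to garbage, the server rejects, and the switch cannot even verify that reply, which is the failure mode behind the note that the shared keys must match on the switch and the ISE.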

Configuration Files
  • SwitchA configuration file

    #
    sysname SwitchA
    #
    vlan batch 100 200
    #
    authentication-profile name p1
     mac-access-profile m1
    #
    domain isp
    #
    radius-server template rd1
     radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
     radius-server authentication 192.168.100.100 1812 weight 80
     radius-server accounting 192.168.100.100 1813 weight 80
    #
    mac-access-profile name m1
     mac-authen username fixed A-123 password cipher %^%#'Fxw8E,G-81(A3U<^HH9Sj\:&hTdd>R>HILQYLtW%^%#
    #
    acl number 3002
     description 3002.in
     rule 1 permit ip destination 192.168.102.100 0
     rule 2 deny ip
    #
    aaa
     authentication-scheme abc
      authentication-mode radius
     accounting-scheme acco1
      accounting-mode radius
      accounting realtime 15
     domain isp
      authentication-scheme abc
      accounting-scheme acco1
      radius-server rd1
    #
    interface Vlanif100
     ip address 192.168.10.10 255.255.255.0
    #
    interface Vlanif200
     ip address 192.168.200.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 200
     authentication-profile p1
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 200
     authentication-profile p1
    #
    interface GigabitEthernet0/0/6
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    ip route-static 192.168.100.0 255.255.255.0 192.168.10.11
    ip route-static 192.168.102.0 255.255.255.0 192.168.10.11
    #
    return
  • SwitchC configuration file

    #
    sysname SwitchC
    #
    vlan batch 200
    #
    l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
    #
    interface GigabitEthernet0/0/1
     port link-type access
     port default vlan 200
    #
    interface GigabitEthernet0/0/2
     port link-type access
     port default vlan 200
    #
    interface GigabitEthernet0/0/3
     port link-type trunk
     port trunk allow-pass vlan 200
    #
    return

Example for Configuring a Cisco ISE RADIUS Server to Provide MAC Address Authentication for Wireless STAs

Context

MAC Address Authentication on the Wireless Side Overview

MAC address authentication controls a user's network access rights based on their interface and MAC address. The user does not need to install any client software. The device starts authenticating a user when it first detects the user's MAC address on the interface where MAC address authentication has been enabled. During the authentication process, the user does not need to enter a user name or password.

Configuration Notes
  • From V200R011C10, WLAN configurations are delivered automatically, without the need to run the commit all command.

  • Cisco Identity Services Engine (ISE) 2.0.0.306 functions as the RADIUS server in this example.

  • In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. If you set the forwarding mode to direct forwarding, you are not advised to configure the management VLAN and service VLAN to be the same.

  • In direct forwarding mode, configure port isolation on the interface directly connected to APs. If port isolation is not configured, many broadcast packets will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.

  • Configure the management VLAN and service VLAN:
    • In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel and forwarded to the AC. The AC then forwards the packets to the upper-layer network. Service packets and management packets can be forwarded normally only if the network between the AC and APs is added to the management VLAN and the network between the AC and upper-layer network is added to the service VLAN.
    • In direct forwarding mode, service packets are not encapsulated into a CAPWAP tunnel, but are directly forwarded to the upper-layer network. Service packets and management packets can be forwarded normally only if the network between APs and upper-layer network is added to the service VLAN and the network between the AC and APs is added to the management VLAN.
  • No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
    • In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
    • In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
    For details on how to configure traffic suppression, see "How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide - WLAN-AC of the corresponding product version.
  • Table 2-45 lists AC and AP versions applicable to WLAN examples. Table 2-46 lists AP models supported by different versions.

    Table 2-45  Applicable products and versions

    • AC version V200R013C00; AC product models S5720HI, S5730HI, S6720HI, S7700, S9700; matching AP versions: V200R010C00, V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
    • AC version V200R012C00; AC product models S5720HI, S5730HI, S6720HI, S7700, S9700; matching AP versions: V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
    • AC version V200R011C10; AC product models S5720HI, S7700, S9700; matching AP versions: V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
    • AC version V200R011C00; AC product model S5720HI; matching AP versions: V200R007C20, V200R007C10, V200R006C20, V200R006C10
    • AC version V200R010C00; AC product models S5720HI, S7700, S9700; matching AP versions: V200R007C10, V200R006C20, V200R006C10
    • AC version V200R009C00; AC product models S5720HI, S7700, S9700; matching AP versions: V200R006C20, V200R006C10

    NOTE:

    For S7700, you are advised to deploy S7712, S7706 PoE, or S7706 switches for WLAN services. S7703 or S7703 PoE switches are not recommended.

    For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703 switches are not recommended.

    Table 2-46  AP models supported by different versions

    AP Version

    AP Model

    V200R010C00

    AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP2010DN, AP1010SN, AP7030DE, AP9330DN, AP5030DN, AP5130DN, AP8130DN, AP8030DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AP5030DN-S, AP3010DN-V2, AP4030DN-E, AD9431DN-24X, AD9430DN-24, AD9430DN-12, R230D, R240D, R450D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP430-E, R250D, R250D-E, AP2050DN, AP2050DN-S, AP2050DN-E, AP1050DN-S, AP8130DN-W, AP4050DN, AP4051DN, AP4151DN, AP4050DN-S, AP4051DN-S, AP8050DN, AP8150DN, AP8050DN-S, AP4051TN, AP6052DN, AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, AP8182DN, AP2030DN-S, AP5050DN-S, AP2051DN, AP2051DN-S, AP2051DN-E, AP2051DN-L-S, AP4050DE-M, AP4050DE-M-S, AP3050DE, AP4050DE-B-S, AP7060DN, AP5510-W-GP, WA375DD-CE, R251D, R251D-E, AP100EC, AP200EC, AP300EC

    V200R009C00

    AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP2010DN, AP1010SN, AP7030DE, AP9330DN, AP5030DN, AP5130DN, AP8130DN, AP8030DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AP5030DN-S, AP3010DN-V2, AP4030DN-E, AD9431DN-24X, AD9430DN-24, AD9430DN-12, R230D, R240D, R450D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP430-E, R250D, R250D-E, AP2050DN, AP2050DN-S, AP2050DN-E, AP1050DN-S, AP8130DN-W, AP4050DN, AP4051DN, AP4151DN, AP4050DN-S, AP4051DN-S, AP8050DN, AP8150DN, AP8050DN-S, AP4051TN, AP6052DN, AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, AP8182DN, AP2030DN-S, AP5050DN-S, AP2051DN, AP2051DN-S, AP2051DN-E, R251D, R251D-E, AP100EC, AP200EC, AP300EC

    V200R008C10

    AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AP5030DN-S, AP3010DN-V2, AP4030DN-E, AD9431DN-24X, AD9430DN-24, AD9430DN-12, R230D, R240D, R450D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP430-E, R250D, R250D-E, AP2050DN, AP2050DN-S, AP2050DN-E, AP1050DN-S, AP1010SN, AP8130DN-W, AP4050DN, AP4051DN, AP4151DN, AP4050DN-S, AP4051DN-S, AP8050DN, AP8150DN, AP8050DN-S, AP4051TN, AP6052DN, AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, AP8182DN, AP100EC, AP200EC, AP300EC

    V200R008C00

    AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AP5030DN-S, AP3010DN-V2, AP4030DN-E, AD9431DN-24X, AD9430DN-24, AD9430DN-12, R230D, R240D, R450D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP430-E, R250D, R250D-E, AP2050DN, AP2050DN-S, AP2050DN-E, AP1050DN-S, AP1010SN, AP8130DN-W, AP4050DN, AP4051DN, AP4151DN, AP4050DN-S, AP4051DN-S, AP8050DN, AP8150DN, AP8050DN-S

    V200R007C20

    AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AP5030DN-S, AP3010DN-V2, AP4030DN-E, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP430-E, R250D, R250D-E, AP2050DN, AP2050DN-S, AP2050DN-E, AP1010SN, AP8130DN-W, AP4050DN, AP4051DN, AP4151DN, AP4050DN-S, AP4051DN-S, AP8050DN, AP8150DN, AP8050DN-S

    V200R007C10

    AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AP5030DN-S, AP3010DN-V2, AP4030DN-E, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP430-E, R250D, R250D-E, AP2050DN, AP2050DN-S, AP2050DN-E, AP1010SN, AP8130DN-W

    V200R006C20

    AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AP5030DN-S, AP3010DN-V2, AP4030DN-E, AD9430DN-24, AD9430DN-12, R230D, R240D

    V200R006C10

    AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP5030DN-S, AP3010DN-V2

    NOTE:

    The central AP and RU must use the same version. For example, if the AD9430DN-24 version is V200R006C20, the R240D version must be also V200R006C20.

Networking Requirements

As shown in Figure 2-30, an AC in an enterprise is connected to the AP through access switch SwitchA. The enterprise deploys the WLAN wlan-net to provide wireless network access. The AC functions as the DHCP server to assign IP addresses on the network segment 10.23.101.0/24 to wireless users.

Because the WLAN is open to users, access control is required for the WLAN to ensure information security. Configure MAC address authentication to authenticate dumb terminals such as wireless network printers and wireless phones that do not support an authentication client. MAC addresses of terminals are used as user information and sent to the RADIUS server for authentication. When users connect to the WLAN, authentication is not required.

Figure 2-30  Networking diagram for configuring MAC address authentication on the wireless side 

Data Planning

Table 2-47  Data plan

  • RADIUS authentication parameters:
    • Name of the RADIUS authentication scheme: radius_huawei
    • Name of the RADIUS server template: radius_huawei
      • IP address: 10.23.200.1
      • Authentication port number: 1812
      • Shared key: Huawei@123
  • AAA domain: huawei.com
  • MAC access profile:
    • Name: m1
    • User name and password for MAC address authentication: MAC addresses without hyphens (-)
  • Authentication profile:
    • Name: p1
    • Referenced profile: MAC access profile m1
    • Forcible authentication domain: huawei.com
  • DHCP server: The AC functions as a DHCP server to assign IP addresses to the AP and STAs.
  • IP address pool for the AP: 10.23.100.2 to 10.23.100.254/24
  • IP address pool for the STAs: 10.23.101.2 to 10.23.101.254/24
  • IP address of the AC's source interface: VLANIF 100, 10.23.100.1/24
  • AP group:
    • Name: ap-group1
    • Referenced profiles: VAP profile wlan-vap and regulatory domain profile domain1
  • Regulatory domain profile:
    • Name: domain1
    • Country code: CN
  • SSID profile:
    • Name: wlan-ssid
    • SSID name: wlan-net
  • Security profile:
    • Name: wlan-security
    • Security policy: Open
  • VAP profile:
    • Name: wlan-vap
    • Forwarding mode: tunnel forwarding
    • Service VLAN: VLAN 101
    • Referenced profiles: SSID profile wlan-ssid, security profile wlan-security, and authentication profile p1

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure basic WLAN services on the AC so that the AC can communicate with downstream and upstream devices and APs can go online.
  2. Configure RADIUS authentication parameters on the AC.
  3. On the AC, configure a MAC access profile to manage MAC access control parameters.
  4. On the AC, configure an authentication profile to manage the NAC configuration.
  5. On the AC, configure WLAN service parameters, and bind a security policy profile and an authentication profile to a VAP profile to control access from STAs.
  6. On the ISE server, configure authentication device information, user information, and MAC address authentication function to implement device access, user access, and MAC address authentication.

Procedure

  1. Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the AC to allow the AP and AC to transmit CAPWAP packets.

    # Add GE0/0/1 that connects SwitchA to the AP and GE0/0/2 that connects SwitchA to the AC to the management VLAN 100.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] vlan batch 100
    [SwitchA] interface gigabitethernet 0/0/1
    [SwitchA-GigabitEthernet0/0/1] port link-type trunk
    [SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
    [SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
    [SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
    [SwitchA-GigabitEthernet0/0/1] stp edged-port enable
    [SwitchA-GigabitEthernet0/0/1] port-isolate enable
    [SwitchA-GigabitEthernet0/0/1] quit
    [SwitchA] interface gigabitethernet 0/0/2
    [SwitchA-GigabitEthernet0/0/2] port link-type trunk
    [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
    [SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
    [SwitchA-GigabitEthernet0/0/2] quit

    # Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.

    <HUAWEI> system-view
    [HUAWEI] sysname AC
    [AC] vlan batch 100 101
    [AC] interface gigabitethernet 1/0/1
    [AC-GigabitEthernet1/0/1] port link-type trunk
    [AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
    [AC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
    [AC-GigabitEthernet1/0/1] quit

  2. Configure the AC to communicate with the upstream device.

    NOTE:

    Configure AC uplink interfaces to transparently transmit service VLAN packets as required and communicate with the upstream device.

    # Add AC uplink interface GE1/0/2 to service VLAN 101.

    [AC] interface gigabitethernet 1/0/2
    [AC-GigabitEthernet1/0/2] port link-type trunk
    [AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
    [AC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
    [AC-GigabitEthernet1/0/2] quit

  3. Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.

    # Configure the AC as the DHCP server to allocate an IP address to the AP from the IP address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF 101.

    NOTE:

    Configure the DNS server as required. The common methods are as follows:
    • In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
    • In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.

    [AC] dhcp enable    //Enable the DHCP function.
    [AC] interface vlanif 100
    [AC-Vlanif100] ip address 10.23.100.1 24
    [AC-Vlanif100] dhcp select interface    //Configure an interface-based address pool.
    [AC-Vlanif100] quit
    [AC] interface vlanif 101
    [AC-Vlanif101] ip address 10.23.101.1 24
    [AC-Vlanif101] dhcp select interface
    [AC-Vlanif101] quit

  4. Configure a route from the AC to the RADIUS server. (Assume that the IP address of the upper-layer device connected to the AC is 10.23.101.2.)

    [AC] ip route-static 10.23.200.1 255.255.255.0 10.23.101.2 

  5. Configure the AP to go online.

    # Create an AP group.

    [AC] wlan
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] quit

    # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

    [AC-wlan-view] regulatory-domain-profile name domain1
    [AC-wlan-regulate-domain-domain1] country-code cn
    [AC-wlan-regulate-domain-domain1] quit
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
    [AC-wlan-ap-group-ap-group1] quit
    [AC-wlan-view] quit

    # Configure the AC's source interface.

    [AC] capwap source interface vlanif 100 
    # Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the AP's MAC address is 60de-4476-e360. Name the AP based on its deployment location so that the location can be identified from the name. For example, name the AP area_1 if it is deployed in Area 1.

    NOTE:

    The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.

    In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).

    [AC] wlan
    [AC-wlan-view] ap auth-mode mac-auth
    [AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
    [AC-wlan-ap-0] ap-name area_1
    [AC-wlan-ap-0] ap-group ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC-wlan-ap-0] quit

    # After the AP is powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP goes online normally.

    [AC-wlan-view] display ap all
    Total AP information:
    nor  : normal          [1]
    Extra information:
    P  : insufficient power supply
    --------------------------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP            Type            State STA Uptime      ExtraInfo
    --------------------------------------------------------------------------------------------------
    0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN        nor   0   10S         -
    --------------------------------------------------------------------------------------------------
    Total: 1

  6. Configure RADIUS authentication.
    1. Configure a RADIUS server template, an AAA authentication scheme, and domain information.

      NOTE:

      Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are the same as those on the RADIUS server.

      The STA sends its MAC address as the user name to the RADIUS server for authentication, so the AC must not add a domain name to the user name (the default setting).

      # Configure a RADIUS server template.

      [AC] radius-server template radius_huawei
      [AC-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
      [AC-radius-radius_huawei] radius-server shared-key cipher Huawei@123    //The default key is huawei.
      [AC-radius-radius_huawei] calling-station-id mac-format hyphen-split mode2  //Modify the MAC address format to xx-xx-xx-xx-xx-xx to implement interoperation with the ISE server.
      [AC-radius-radius_huawei] radius-attribute set service-type 10  //Modify the RADIUS attribute Service-Type to 10 to implement interoperation with the ISE server.
      [AC-radius-radius_huawei] quit

      # Configure a RADIUS authentication scheme.

      [AC] aaa
      [AC-aaa] authentication-scheme radius_huawei
      [AC-aaa-authen-radius_huawei] authentication-mode radius
      [AC-aaa-authen-radius_huawei] quit

      # Create an AAA domain and configure the RADIUS server template and authentication scheme.

      [AC-aaa] domain huawei.com
      [AC-aaa-domain-huawei.com] radius-server radius_huawei
      [AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
      [AC-aaa-domain-huawei.com] quit
      [AC-aaa] quit

    2. Globally configure user names in MAC address authentication without the delimiter "-" (default setting).
    3. Test whether a STA can be authenticated using RADIUS authentication. In MAC address authentication, a STA's MAC address is used as the user name and password.

      [AC] test-aaa 001122334455 001122334455 radius-template radius_huawei
      Info: Account test succeed.

  7. Configure the MAC access profile m1.

    NOTE:

    In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for MAC address authentication.

    [AC] mac-access-profile name m1
    [AC-mac-access-profile-m1] quit

  8. Configure the authentication profile p1.

    [AC] authentication-profile name p1
    [AC-authen-profile-p1] mac-access-profile m1
    [AC-authen-profile-p1] access-domain huawei.com mac-authen force
    [AC-authen-profile-p1] quit

  9. Configure WLAN service parameters.

    # Create security profile wlan-security and set the security policy in the profile. By default, the security policy is open system.

    [AC] wlan
    [AC-wlan-view] security-profile name wlan-security
    [AC-wlan-sec-prof-wlan-security] quit

    # Create SSID profile wlan-ssid and set the SSID name to wlan-net.

    [AC-wlan-view] ssid-profile name wlan-ssid
    [AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC-wlan-ssid-prof-wlan-ssid] quit

    # Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

    [AC-wlan-view] vap-profile name wlan-vap
    [AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
    [AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
    [AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
    [AC-wlan-vap-prof-wlan-vap] authentication-profile p1
    [AC-wlan-vap-prof-wlan-vap] quit

    # Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of the AP.

    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
    [AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
    [AC-wlan-ap-group-ap-group1] quit

  10. Commit the configuration.

    [AC-wlan-view] commit all
    Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

  11. Configure the ISE server.

    # Log in to the ISE server.
    1. Enter the access address of the ISE server in the address bar, in the format https://ISE-IP, where ISE-IP is the IP address of the ISE server.
    2. On the displayed page, enter the user name and password to log in to the ISE server.

    # Create user account information. Choose Administration > Identity Management > Identities, and click Endpoints. In the pane on the right side, click Add to add MAC addresses. 

    # Add AC information so that the ISE can interwork with the AC. Choose Administration > Network Resources > Network Devices. In the pane on the right side, click Add to add AC information.
    Parameter      Value            Remarks
    Name           AC               -
    IP Address     10.23.100.1/32   The IP address of the AC must be accessible from the ISE server.
    Shared Secret  Huawei@123       The value must be the same as the RADIUS server key configured on the AC.

    # Configure allowed authentication and encryption protocols. Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols, and click Add to configure allowed authentication and encryption protocols. MAC address authentication uses the PAP authentication protocol. 

    # Configure authentication and authorization policies. Choose Policy > Authentication. Policy Type can be set to Simple or Rule-based; in this example, set it to Simple. Then bind the user information and the allowed authentication protocols configured in the previous steps to the authentication policy.

  12. Verify the configuration.

    • The WLAN with SSID wlan-net is available for STAs connected to the AP.
    • Wireless devices with the WLAN function enabled can access the WLAN and obtain public services.
    • After the STA connects to the WLAN, authentication is performed automatically. You can then directly access the WLAN.

Configuration Files
  • SwitchA configuration file

    #
    sysname SwitchA
    #
    vlan batch 100
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk pvid vlan 100
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100
     stp edged-port enable
     port-isolate enable group 1
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100
    #
    return
  • AC configuration file

    #
     sysname AC
    #
    vlan batch 100 to 101
    #
    authentication-profile name p1
     mac-access-profile m1
     access-domain huawei.com mac-authen force
    #
    dhcp enable
    #
    radius-server template radius_huawei
     radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
     radius-server authentication 10.23.200.1 1812 weight 80
     calling-station-id mac-format hyphen-split mode2
     radius-attribute set service-type 10
    #
    mac-access-profile name m1
    #
    aaa
     authentication-scheme radius_huawei
      authentication-mode radius
     domain huawei.com
      authentication-scheme radius_huawei
      radius-server radius_huawei
    #
    interface Vlanif100
     ip address 10.23.100.1 255.255.255.0
     dhcp select interface
    #
    interface Vlanif101
     ip address 10.23.101.1 255.255.255.0
     dhcp select interface
    #
    interface GigabitEthernet1/0/1
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    interface GigabitEthernet1/0/2
     port link-type trunk
     port trunk allow-pass vlan 101
    #
    ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
    #
    capwap source interface vlanif100
    #
    wlan
     security-profile name wlan-security
     ssid-profile name wlan-ssid
      ssid wlan-net
     vap-profile name wlan-vap
      forward-mode tunnel
      service-vlan vlan-id 101
      ssid-profile wlan-ssid
      security-profile wlan-security
      authentication-profile p1
     regulatory-domain-profile name domain1
     ap-group name ap-group1
      regulatory-domain-profile domain1
      radio 0
       vap-profile wlan-vap wlan 1
      radio 1
       vap-profile wlan-vap wlan 1
     ap-id 0 ap-mac 60de-4476-e360
      ap-name area_1
      ap-group ap-group1
    #
    return

Delivering VLANs or ACLs to Successfully Authenticated Users on Cisco ISE

This section includes the following content:

Overview

The following example uses authorization based on ACL and dynamic VLAN to describe how to implement authorization for terminal users through Cisco ISE.

  • ACL-based authorization is classified into:
    • ACL description-based authorization: If ACL description-based authorization is configured on the server, authorization information includes the ACL description. The device matches ACL rules based on the ACL description authorized by the server to control user rights. The ACL number, corresponding description, and ACL rule must be configured on the device.

      The standard RADIUS attribute (011) Filter-Id is used.

    • Dynamic ACL-based authorization: The server authorizes rules in an ACL to the device. Users can access network resources controlled using this ACL. The ACL and ACL rules must be configured on the server. The ACL does not need to be configured on the device.

      The Huawei proprietary RADIUS attribute (26-82) HW-Data-Filter is used.

  • Dynamic VLAN: If dynamic VLAN delivery is configured on the server, authorization information includes the delivered VLAN attribute. After the device receives the delivered VLAN attribute, it changes the VLAN of the user to the delivered VLAN.

    The delivered VLAN does not change or affect the interface configuration. The delivered VLAN, however, takes precedence over the VLAN configured on the interface. That is, the delivered VLAN takes effect after the authentication succeeds, and the configured VLAN takes effect after the user goes offline.

    The following standard RADIUS attributes are used for dynamic VLAN delivery:
    • (064) Tunnel-Type (It must be set to VLAN or 13.)
    • (065) Tunnel-Medium-Type (It must be set to 802 or 6.)
    • (081) Tunnel-Private-Group-ID (For devices running versions earlier than V200R012C00, it can be the VLAN ID or VLAN description. For devices running V200R012C00 and later versions, it can be the VLAN ID, VLAN description, VLAN name, or VLAN pool.)

    To ensure that the RADIUS server delivers VLAN information correctly, all the three RADIUS attributes must be used. In addition, the Tunnel-Type and Tunnel-Medium-Type attributes must be set to the specified values.

Networking Requirements

In Figure 2-31, a large number of employees' terminals in a company connect to the intranet through GE1/0/1 on SwitchA. To ensure network security, the administrator needs to control network access rights of terminals. The requirements are as follows:

  • Before passing authentication, terminals can access the public server (with IP address 192.168.40.1), and download the 802.1X client or update the antivirus database.
  • After passing authentication, terminals can access the service server (with IP address 192.168.50.1) and devices in the laboratory (with VLAN ID 20 and IP address segment 192.168.20.10-192.168.20.100).

Figure 2-31  Wired access networking diagram 

Configuration Logic

Figure 2-32  Configuration logic of Huawei switch 
Table 2-48  Configuration logic of Cisco ISE

Item                                                    Description
Creating a department and an account                    -
Adding a switch                                         Set parameters for the switch connected to the ISE.
(Optional) Creating an authentication protocol profile  Specify the authentication protocol that can be used for 802.1X authentication. If no authentication protocol profile is created, the default profile in Default Network Access of the ISE is used.
Creating an authentication policy                       Configure the conditions for users to pass 802.1X authentication.
(Optional) Creating an authorization policy             Specify resources that users can access after 802.1X authentication. If no authorization policy is created, users are allowed to access all reachable resources.

Configuration Notes

This configuration example applies to all switches running V200R009C00 or a later version. The Cisco ISE version used is 1.4.0.253. When configuring the Cisco ISE as the RADIUS server and connecting it to the device to implement authorization, pay attention to the following points:

  • Authorization can be implemented using standard RADIUS attributes and Huawei proprietary RADIUS attributes, and cannot be implemented using Cisco proprietary RADIUS attributes. If a Huawei proprietary RADIUS attribute is used for authorization, you must manually add the proprietary RADIUS attribute value on the Cisco ISE.
  • If ACL description-based authorization is used: when ACL (Filter-ID) is selected on the Cisco ISE, its text box is followed by the suffix .in, so if the description abc is entered there, configure the ACL description as abc.in on the Huawei switch.
  • Dynamic ACL-based authorization uses the Huawei proprietary RADIUS attribute HW-Data-Filter for authorization, and does not support authorization through a Cisco proprietary RADIUS attribute.
  • If, after the Huawei proprietary RADIUS attribute HW-Data-Filter has been added on the Cisco ISE, both Filter-ID and HW-Data-Filter exist in the same authorization profile, only Filter-ID is delivered; HW-Data-Filter is not delivered.
  • If ACL description-based authorization is used, the description configured on the Cisco ISE and that configured on the device cannot exceed 127 bytes because the maximum description length supported by the Cisco ISE is 252 bytes and that supported by the device is 127 bytes.
  • If dynamic VLAN-based authorization is used through the VLAN description, the description configured on the Cisco ISE and that configured on the device cannot exceed 32 bytes because the maximum description length supported by the Cisco ISE is 32 bytes and that supported by the device is 80 bytes.
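
The following Python is an added example, not code from the Huawei or Cisco documentation. It encodes the authorization attributes described in the Overview above and checks an Access-Accept attribute payload against the points in these notes: all three tunnel attributes must be present with Tunnel-Type 13 and Tunnel-Medium-Type 6, a Filter-Id longer than 127 bytes cannot be matched by the switch, and when Filter-Id and HW-Data-Filter are both present only Filter-Id is delivered. The Huawei vendor ID 2011 and the HW-Data-Filter sample string in the test are assumptions; the sample payload reproduces the VLAN20&ACL3002 profile configured later in this section.

```python
import struct

# RADIUS attribute numbers and values used on this page
FILTER_ID = 11
VENDOR_SPECIFIC = 26
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
HW_DATA_FILTER = 82                 # Huawei proprietary sub-attribute, "26-82" on the page
HUAWEI_VENDOR_ID = 2011             # Huawei enterprise number (assumed; the page does not state it)
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6
MAX_ACL_DESC_BYTES = 127            # longest ACL description the switch accepts
MAX_VLAN_DESC_BYTES = 32            # longest VLAN description the Cisco ISE accepts


def encode_attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def encode_tagged(atype, value, tag=0):
    """RFC 2868 tunnel attributes start with a tag byte; integer values occupy 3 bytes."""
    body = value.to_bytes(3, "big") if isinstance(value, int) else value.encode()
    return encode_attr(atype, bytes([tag]) + body)


def encode_huawei_vsa(subtype, value):
    """Wrap one Huawei sub-attribute in a Vendor-Specific (26) attribute."""
    sub = bytes([subtype, len(value) + 2]) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", HUAWEI_VENDOR_ID) + sub)


def decode_attrs(payload):
    """Parse RADIUS TLVs into {key: [value, ...]}; a Huawei VSA is keyed ("huawei", subtype)."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length at offset %d" % i)
        value, key = payload[i + 2:i + alen], atype
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor == HUAWEI_VENDOR_ID and value[5] == len(value) - 4:
                key, value = ("huawei", value[4]), value[6:]
        attrs.setdefault(key, []).append(value)
        i += alen
    return attrs


def strip_tag(value):
    """RFC 2868: a leading byte of 0x00..0x1F is a tag, anything larger is data."""
    return value[1:] if value and value[0] <= 0x1F else value


def check_authorization(payload):
    """Evaluate an Access-Accept attribute payload against the delivery rules on this page."""
    attrs = decode_attrs(payload)
    result = {"vlan": None, "acl_description": None, "dynamic_acl": None, "problems": []}
    problems = result["problems"]

    tunnel = [attrs.get(t) for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)]
    if any(tunnel):
        if not all(tunnel):
            problems.append("dynamic VLAN needs Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID together")
        else:
            ttype = int.from_bytes(strip_tag(tunnel[0][0]), "big")
            tmedium = int.from_bytes(strip_tag(tunnel[1][0]), "big")
            group = strip_tag(tunnel[2][0]).decode("utf-8", "replace")
            if ttype != TUNNEL_TYPE_VLAN:
                problems.append("Tunnel-Type must be VLAN (13), got %d" % ttype)
            if tmedium != TUNNEL_MEDIUM_802:
                problems.append("Tunnel-Medium-Type must be 802 (6), got %d" % tmedium)
            if not group.isdigit() and len(group.encode()) > MAX_VLAN_DESC_BYTES:
                problems.append("VLAN description longer than %d bytes" % MAX_VLAN_DESC_BYTES)
            result["vlan"] = group

    filter_ids = attrs.get(FILTER_ID)
    if filter_ids:
        if len(filter_ids[0]) > MAX_ACL_DESC_BYTES:
            problems.append("Filter-Id longer than %d bytes; the switch cannot match it" % MAX_ACL_DESC_BYTES)
        # The switch matches this string against an ACL description, e.g. "3002.in"
        result["acl_description"] = filter_ids[0].decode("utf-8", "replace")

    hw_filters = attrs.get(("huawei", HW_DATA_FILTER))
    if hw_filters:
        result["dynamic_acl"] = [f.decode("utf-8", "replace") for f in hw_filters]
        if filter_ids:
            problems.append("Filter-Id and HW-Data-Filter both present; only Filter-Id is delivered")
    return result


def sample_vlan20_acl3002():
    """Constructed payload for the page's VLAN20&ACL3002 profile (the ISE appends .in to the ACL name)."""
    return (encode_tagged(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + encode_tagged(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + encode_tagged(TUNNEL_PRIVATE_GROUP_ID, "20")
            + encode_attr(FILTER_ID, b"3002.in"))
```

Running check_authorization on a payload captured from a real Access-Accept shows at a glance whether the profile will deliver a VLAN at all, which is the usual cause of "authentication succeeds but the user stays in the interface VLAN".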

Data Plan

Table 2-49  Service data plan for the access switch

RADIUS scheme:
  • Authentication server IP address: 192.168.30.1
  • Authentication server port number: 1812
  • Accounting server IP address: 192.168.30.1
  • Accounting server port number: 1813
  • Shared key for the RADIUS server: Huawei@123
  • Authentication domain: huawei

Resources accessible to users before authentication:
  Access rights to the public server are configured using an authentication-free rule.

Resources accessible to users after authentication:
  Access rights to the laboratory are granted using a dynamic VLAN. The VLAN ID is 20.
  Access rights to the service server are granted using an ACL. The ACL number is 3002 and the description is 3002.in.

Table 2-50  Service data plan for the Cisco ISE server

Department: R&D department
Access user: user name A-123, password Huawei123
Switch IP address: SwitchA, 10.10.10.1
RADIUS authentication key: Huawei@123
RADIUS accounting key: Huawei@123

Procedure

  1. Configure access switch SwitchA.
    1. Create VLANs and configure the allowed VLANs on interfaces to ensure network connectivity.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchA
      [SwitchA] vlan batch 10 20
      [SwitchA] interface gigabitethernet 1/0/1    //Configure the interface connecting to employees' terminals.
      [SwitchA-GigabitEthernet1/0/1] port link-type hybrid
      [SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 10
      [SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 10
      [SwitchA-GigabitEthernet1/0/1] quit
      [SwitchA] interface gigabitethernet 1/0/2    //Configure the interface connecting to the laboratory.
      [SwitchA-GigabitEthernet1/0/2] port link-type hybrid
      [SwitchA-GigabitEthernet1/0/2] port hybrid untagged vlan 20
      [SwitchA-GigabitEthernet1/0/2] quit
      [SwitchA] interface gigabitethernet 1/0/3    //Configure the interface connecting to SwitchB.
      [SwitchA-GigabitEthernet1/0/3] port link-type trunk
      [SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
      [SwitchA-GigabitEthernet1/0/3] quit
      [SwitchA] interface loopback 1
      [SwitchA-LoopBack1] ip address 10.10.10.1 24    //Configure the IP address used for communication with the Cisco ISE server.
      [SwitchA-LoopBack1] quit

    2. Configure the authorization parameter ACL 3002 for users who pass authentication.

      [SwitchA] acl 3002
      [SwitchA-acl-adv-3002] description 3002.in   //Configure the ACL description as 3002.in. The Filter-ID set on the Cisco ISE server is 3002.
      [SwitchA-acl-adv-3002] rule 1 permit ip destination 192.168.30.1 0
      [SwitchA-acl-adv-3002] rule 2 permit ip destination 192.168.50.1 0
      [SwitchA-acl-adv-3002] rule 3 deny ip destination any
      [SwitchA-acl-adv-3002] quit

    3. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.

      # Create and configure the RADIUS server template rd1.

      [SwitchA] radius-server template rd1
      [SwitchA-radius-rd1] radius-server authentication 192.168.30.1 1812
      [SwitchA-radius-rd1] radius-server accounting 192.168.30.1 1813
      [SwitchA-radius-rd1] radius-server shared-key cipher Huawei@123
      [SwitchA-radius-rd1] quit

      # Create the AAA authentication scheme abc and set the authentication mode to RADIUS.

      [SwitchA] aaa
      [SwitchA-aaa] authentication-scheme abc
      [SwitchA-aaa-authen-abc] authentication-mode radius
      [SwitchA-aaa-authen-abc] quit

      # Configure the accounting scheme acco1 and set the accounting mode to RADIUS.

      [SwitchA-aaa] accounting-scheme acco1
      [SwitchA-aaa-accounting-acco1] accounting-mode radius
      [SwitchA-aaa-accounting-acco1] quit

      # Create the authentication domain huawei, and bind the AAA authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.

      [SwitchA-aaa] domain huawei
      [SwitchA-aaa-domain-huawei] authentication-scheme abc
      [SwitchA-aaa-domain-huawei] accounting-scheme acco1
      [SwitchA-aaa-domain-huawei] radius-server rd1
      [SwitchA-aaa-domain-huawei] quit
      [SwitchA-aaa] quit

    4. Enable 802.1X authentication.

      # Set the NAC mode to unified.

      [SwitchA] authentication unified-mode

      NOTE:

      By default, the unified mode is enabled. Before changing the NAC mode, you must save the configuration. After changing the NAC mode, restart the device to make the configuration take effect.

      # Configure the 802.1X access profile d1 and set the authentication protocol to EAP.

      [SwitchA] dot1x-access-profile name d1
      [SwitchA-dot1x-access-profile-d1] dot1x authentication-method eap
      [SwitchA-dot1x-access-profile-d1] quit

      # Configure the authentication-free rule profile default_free_rule.

      [SwitchA] free-rule-template name default_free_rule
      [SwitchA-free-rule-default_free_rule] free-rule 10 destination ip 192.168.40.1 mask 32
      [SwitchA-free-rule-default_free_rule] quit

      # Configure the authentication profile p1, bind the 802.1X access profile d1 and authentication-free rule profile default_free_rule to the authentication profile, and specify the domain huawei as the forcible authentication domain in the authentication profile.

      [SwitchA] authentication-profile name p1
      [SwitchA-authen-profile-p1] dot1x-access-profile d1
      [SwitchA-authen-profile-p1] free-rule-template default_free_rule
      [SwitchA-authen-profile-p1] access-domain huawei force
      [SwitchA-authen-profile-p1] quit

      # Bind the authentication profile p1 to GE1/0/1 and enable 802.1X authentication.

      [SwitchA] interface gigabitethernet 1/0/1
      [SwitchA-GigabitEthernet1/0/1] authentication-profile p1
      [SwitchA-GigabitEthernet1/0/1] quit

  2. Configure the Cisco ISE server.
    1. Log in to the ISE.

      1. Open Internet Explorer, enter the ISE access address in the address bar, and press Enter.
      2. Enter the ISE administrator user name and password to log in to the ISE.

    2. Create a user group and a user.

      1. Choose Administration > Identity Management > Groups. Click Add in the operation area on the right, and create the user group R&D.

      2. Choose Administration > Identity Management > Identities. Click Add in the operation area on the right, create a user with the user name A-123 and password Huawei123, and add the user to the user group R&D.

    3. Add switches on the Cisco ISE server so that the Cisco ISE server can properly associate with the switches.

      Choose Administration > Network Resources > Network Devices. Click Add in the operation area on the right to access the New Network Device page. Add network access devices and set device connection parameters on the page.

      Parameter      Value            Description
      Name           SwitchA          -
      IP Address     10.10.10.1/32    This address on the switch must be able to communicate with the Cisco ISE server.
      Shared Secret  Huawei@123       The shared key must be the same as the shared key configured for R&D employees on the switch (RADIUS server template rd1).

    4. Configure the password authentication protocol.

      Choose Policy > Policy Elements > Result. Choose Authentication > Allowed Protocols in the operation area on the left to access the Allowed Protocols Services page. Click Add in the operation area on the right, create a network access mode, and select the allowed password authentication protocol.

      When connecting to a Cisco ISE server, the switch supports EAP, PAP, and CHAP authentication modes. If the switch is configured with EAP authentication mode and connects to the Cisco ISE server, the switch does not support EAP-LEAP and EAP-FAST modes.

    5. Configure the authentication policy.

      Choose Policy > Authentication. Authentication policies are classified into simple and rule-based authentication policies. Compared with simple mode, rule-based mode can match multiple network access modes (that is, allowed protocols). Simple mode is used in this example. Select 802.1X, which is the network access mode configured in the previous step, from the Network Access Service drop-down list box, and use the default settings of other fields.

    6. Configure the authorization policy.

      1. Add an authorization rule.

        Choose Policy > Authorization. Click the triangle next to Edit and choose Insert New Rule Above. Add an authorization rule named Authorization rule for authenticated users, with the authorized user group set to R&D.

      2. Add access rights.

        1. In the Permissions column, click Add New Standard Profile to access the Add New Standard Profile page.

        2. In the Add New Standard Profile page, configure access rights.

          Parameter     Value            Description
          Name          VLAN20&ACL3002   -
          Access Type   ACCESS_ACCEPT    Access rights for users who pass authentication
          Common Tasks  Huawei@123       VLAN: authorized VLAN ID or VLAN description
                                         Filter-ID: authorized ACL description

  3. Verify the configuration.

    • An employee can only access the Cisco ISE server and public server before passing authentication.
    • An employee can access the Cisco ISE server, public server, service server, and laboratory after passing authentication.
    • After an employee passes authentication, run the display access-user command on the switch. The command output shows information about the online employee.

Configuration File
#
sysname SwitchA
#
vlan batch 10 20
#
authentication-profile name p1
 dot1x-access-profile d1
 free-rule-template default_free_rule
 access-domain huawei force
#
radius-server template rd1
 radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
 radius-server authentication 192.168.30.1 1812 weight 80
 radius-server accounting 192.168.30.1 1813 weight 80
#
acl number 3002
 description 3002.in
 rule 1 permit ip destination 192.168.30.1 0
 rule 2 permit ip destination 192.168.50.1 0
 rule 3 deny ip
#
free-rule-template name default_free_rule
 free-rule 10 destination ip 192.168.40.1 mask 255.255.255.255
#
aaa
 authentication-scheme abc
  authentication-mode radius
 accounting-scheme acco1
  accounting-mode radius
 domain huawei
  authentication-scheme abc
  accounting-scheme acco1
  radius-server rd1
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
 authentication-profile p1
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid untagged vlan 20
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface LoopBack1
 ip address 10.10.10.1 255.255.255.0
#
dot1x-access-profile name d1
#
return

Configuring Portal Authentication for Visitors on Cisco ISE (Based on the HTTPS Protocol)

This section includes the following content:

Introduction to Portal authentication

Portal authentication is also called web authentication. When a user accesses the network, the user must first be authenticated on the Portal website. If the authentication fails, the user can access only certain network resources; after the authentication succeeds, the user can access other network resources. Portal authentication has the following advantages:

  • Ease of use: In most cases, Portal authentication does not require the client to have additional software installed and allows the client to be directly authenticated on a web page.
  • Convenient operations: Portal authentication achieves service expansion on the Portal page, including advertisement push, responsibility announcement, and enterprise publicity.
  • Mature technology: Portal authentication has been widely used in networks of carriers, fast food chains, hotels, and schools.
  • Flexible deployment: Portal authentication implements access control at the access layer or at the ingress of key data.
  • Flexible user management: Portal authentication can be performed on users based on the combination of user names and any one of VLANs, IP addresses, and MAC addresses.

Enterprises often choose Portal authentication for guests because they move frequently.

Networking Requirements

To meet service requirements, an enterprise needs to deploy an identity authentication system to implement access control on guests who attempt to access the enterprise network. Only authorized users can access the enterprise network.

The enterprise has the following requirements:

  • The operations should be simple and the authentication system only performs access authorization, without a need for authentication client software on terminals.
  • Unified identity authentication is performed for all terminals that attempt to access the enterprise network. Unauthorized terminals cannot access the enterprise network.

In this example, the aggregation switch is an S7700 and the access switches are S5720HI switches.

Figure 2-33  Networking for configuring authentication for guests 

Configuration Logic

Figure 2-34  Configuration logic of Huawei switch 
Table 2-51  Configuration logic of Cisco ISE

Item                                                    Description
Creating groups and accounts                            -
Adding switches                                         Specify switches connected to the ISE.
(Optional) Creating an authentication protocol profile  Specify the authentication protocol that can be used by visitors for Portal authentication. If no authentication protocol profile is created, the default profile in Default Network Access of the ISE is used.
Creating an authentication policy                       Configure the conditions for visitors to pass Portal authentication.
(Optional) Creating an authorization policy             Specify resources that users can access after Portal authentication. If no authorization policy is created, visitors are allowed to access all reachable resources.

Configuration Notes
  • This configuration example applies to all switches running V200R010C00 or a later version. The Cisco ISE runs version 2.0.0.306.
  • The RADIUS shared key and Portal shared key configured on the switch must be the same as that configured on the server.
  • By default, the switch allows the packets sent to the RADIUS server to pass through. You do not need to configure an authentication-free rule for the packets on the switch.

Data Plan

Table 2-52  Switch data plan

Item                          Interface           VLAN   IP address
Access switch (SwitchA)       GE0/0/1, GE0/0/2    10     VLANIF 10: 192.168.10.2/24
Access switch (SwitchB)       GE0/0/1, GE0/0/2    20     VLANIF 20: 192.168.20.2/24
Aggregation switch (SwitchC)  GE1/0/1             10     VLANIF 10: 192.168.10.1/24
                              GE1/0/2             20     VLANIF 20: 192.168.20.1/24
                              GE1/0/3             100    VLANIF 100: 192.168.100.254/24

Table 2-53  Authentication data plan

ISE: IP address 192.168.100.1/24
RADIUS shared key and Portal shared key: Huawei@2014
Access authentication devices:
  • SwitchA: 192.168.10.2/24
  • SwitchB: 192.168.20.2/24
Guests:
  • R&D department, user A: user name A-123, password Huawei@123
  • Marketing department, user B: user name B-123, password Huawei@B-123

Procedure

  1. Configure the aggregation switch to ensure network connectivity.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchC
    [SwitchC] vlan batch 10 20 100
    [SwitchC] interface gigabitethernet 1/0/1
    [SwitchC-GigabitEthernet1/0/1] port link-type trunk
    [SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
    [SwitchC-GigabitEthernet1/0/1] quit
    [SwitchC] interface gigabitethernet 1/0/2
    [SwitchC-GigabitEthernet1/0/2] port link-type trunk
    [SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
    [SwitchC-GigabitEthernet1/0/2] quit
    [SwitchC] interface gigabitethernet 1/0/3
    [SwitchC-GigabitEthernet1/0/3] port link-type access
    [SwitchC-GigabitEthernet1/0/3] port default vlan 100
    [SwitchC-GigabitEthernet1/0/3] quit
    [SwitchC] interface Vlanif 10
    [SwitchC-Vlanif10] ip address 192.168.10.1 24
    [SwitchC-Vlanif10] quit
    [SwitchC] interface Vlanif 20
    [SwitchC-Vlanif20] ip address 192.168.20.1 24
    [SwitchC-Vlanif20] quit
    [SwitchC] interface Vlanif 100
    [SwitchC-Vlanif100] ip address 192.168.100.254 24
    [SwitchC-Vlanif100] quit

  2. Configure the access switches. The following uses the configuration of SwitchA connecting to the R&D department as an example. The configuration of SwitchB connecting to the marketing department is similar and is not provided here.
    1. Create VLANs and add interfaces to VLANs to ensure network connectivity.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchA
      [SwitchA] vlan batch 10
      [SwitchA] interface gigabitethernet 0/0/1
      [SwitchA-GigabitEthernet0/0/1] port link-type access
      [SwitchA-GigabitEthernet0/0/1] port default vlan 10
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2
      [SwitchA-GigabitEthernet0/0/2] port link-type trunk
      [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
      [SwitchA-GigabitEthernet0/0/2] quit
      [SwitchA] interface vlanif 10
      [SwitchA-Vlanif10] ip address 192.168.10.2 24
      [SwitchA-Vlanif10] quit
      [SwitchA] ip route-static 192.168.100.0 24 192.168.10.1

    2. Configure parameters for communication with the RADIUS server.

      # Create the RADIUS server template policy.
      [SwitchA] radius-server template policy [SwitchA-radius-policy] radius-server authentication 192.168.100.1 1812 source ip-address 192.168.10.2   //Configure the RADIUS authentication server. [SwitchA-radius-policy] radius-server accounting 192.168.100.1 1813 source ip-address 192.168.10.2 [SwitchA-radius-policy] radius-server shared-key cipher Huawei@2014   //Set the RADIUS shared key to Huawei@2014. [SwitchA-radius-policy] calling-station-id mac-format hyphen-split mode2   //Set the encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets to xx-xx-xx-xx-xx-xx. [SwitchA-radius-policy] quit
      # Create the AAA authentication scheme auth.
      [SwitchA] aaa
      [SwitchA-aaa] authentication-scheme auth
      [SwitchA-aaa-authen-auth] authentication-mode radius   //Set the authentication mode to RADIUS.
      [SwitchA-aaa-authen-auth] quit
      # Create the AAA accounting scheme acco. You must set the accounting mode to RADIUS so that the RADIUS server can maintain the account status, such as login, log-off, and forced log-off.
      [SwitchA-aaa] accounting-scheme acco
      [SwitchA-aaa-accounting-acco] accounting-mode radius   //Set the accounting mode to RADIUS.
      [SwitchA-aaa-accounting-acco] accounting realtime 15   //Set the real-time accounting interval to 15 minutes.
      [SwitchA-aaa-accounting-acco] quit
      # Create the authentication domain portal.
      [SwitchA-aaa] domain portal
      [SwitchA-aaa-domain-portal] authentication-scheme auth   //Bind the authentication scheme auth to the authentication domain.
      [SwitchA-aaa-domain-portal] accounting-scheme acco   //Bind the accounting scheme acco to the authentication domain.
      [SwitchA-aaa-domain-portal] radius-server policy   //Bind the RADIUS server template policy to the authentication domain.
      [SwitchA-aaa-domain-portal] quit
      [SwitchA-aaa] quit
      # Configure the authentication domain portal as the global default authentication domain.
      [SwitchA] domain portal

    3. Configure Portal authentication.

      # Set the NAC mode to unified.
      NOTE:

      By default, the unified mode is enabled. After the NAC mode is changed, the device automatically restarts.

      [SwitchA] authentication unified-mode
      # Configure the SSL policy.
      [SwitchA] ssl policy portal
      [SwitchA-ssl-policy-portal] certificate load pem-cert cert_rsa_cert.pem key-pair rsa key-file cert_rsa_key.pem auth-code cipher huawei   //The auth-code is the password that protects the private key file; it must be the one used when the key pair was generated.
      [SwitchA-ssl-policy-portal] ssl minimum version tls1.0   //Lowest TLS version the Portal HTTPS server will negotiate.
      [SwitchA-ssl-policy-portal] quit
      NOTE:

      Before loading a certificate for the SSL policy, ensure that the certificate file and key pair file have been stored on the switch; otherwise, certificate loading will fail. The certificate file and key pair file must be saved in the subdirectory security under the system root directory. If the subdirectory security does not exist, create it. The example sets the minimum TLS version to 1.0 for compatibility with older browsers; TLS 1.0 and 1.1 are deprecated (RFC 8996), so raise the minimum to the highest version that the switch software and the users' browsers support. Use a certificate issued by a CA that the users' browsers trust, because users are redirected to https://192.168.10.2:8443 and an untrusted certificate trains them to click through warnings.

      # Enable the Portal interoperation function of the HTTPS protocol.
      [SwitchA] portal web-authen-server https ssl-policy portal
      # Configure the URL template u1.
      [SwitchA] url-template name u1
      [SwitchA-url-template-u1] url https://192.168.100.1:8443/portal/PortalSetup.action#portal=0ce17ad0-6d90-11e5-978e-005056bf2f0a   //For details about how to obtain the URL, see Obtain the URL of the Portal authentication page.
      [SwitchA-url-template-u1] parameter start-mark #   //Set the character that starts the parameter part of the URL to # instead of the default ?, matching the #portal= segment of the ISE URL.
      [SwitchA-url-template-u1] url-parameter login-url switch_url https://192.168.10.2:8443   //Carry the switch's Portal login URL to the ISE in the parameter switch_url.
      [SwitchA-url-template-u1] quit
      # Configure the Portal server template w1.
      [SwitchA] web-auth-server w1
      [SwitchA-web-auth-server-w1] server-ip 192.168.100.1   //Specify the IP address of the ISE that provides the Portal authentication page.
      [SwitchA-web-auth-server-w1] shared-key cipher Huawei@2014
      [SwitchA-web-auth-server-w1] url-template u1   //Bind the URL template u1.
      [SwitchA-web-auth-server-w1] quit
      # Configure the Portal access profile p1.
      [SwitchA] portal-access-profile name p1
      [SwitchA-portal-acces-profile-p1] web-auth-server w1 direct   //Bind the Portal server template w1.
      [SwitchA-portal-acces-profile-p1] quit
      # Configure the authentication-free rule profile default_free_rule.
      [SwitchA] free-rule-template name default_free_rule
      [SwitchA-free-rule-default_free_rule] free-rule 1 destination ip 192.168.10.2 mask 255.255.255.255   //Let unauthenticated users reach the switch's own Portal address.
      [SwitchA-free-rule-default_free_rule] quit
      # Configure the authentication profile a1.
      [SwitchA] authentication-profile name a1
      [SwitchA-authen-profile-a1] portal-access-profile p1   //Bind the Portal access profile p1.
      [SwitchA-authen-profile-a1] quit
      # Enable Portal authentication on an interface.
      [SwitchA] interface GigabitEthernet 0/0/1
      [SwitchA-GigabitEthernet0/0/1] authentication-profile a1
      [SwitchA-GigabitEthernet0/0/1] quit
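The RADIUS exchange that step 2 sets up between SwitchA and the ISE, as an added example that is not part of this page or of Huawei's or Cisco's software. It builds the Access-Request the switch sends for a Portal (PAP) login and the Access-Accept the ISE returns, using the shared key Huawei@2014, the NAS address 192.168.10.2 and the user A-123 from this page; the ISE is simulated in-process (nothing is sent on the wire) and the client MAC address is made up. It shows the two things the shared key actually protects: the User-Password field, the only field RADIUS hides (RFC 2865 section 5.2), and the Response Authenticator the switch must check before it trusts an Access-Accept.

```python
import hashlib
import os
import struct

SHARED_KEY = b"Huawei@2014"          # radius-server shared-key on SwitchA and the ISE (page)
NAS_IP = "192.168.10.2"              # source ip-address of SwitchA (page)
ISE_USERS = {"A-123": "Huawei@123"}  # local ISE account created on the page

# RADIUS codes and attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 4, 6, 31
SERVICE_TYPE_OUTBOUND = 5            # Service-Type the switch sends for Portal users (matched on the ISE)


def attr(atype, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with MD5(secret + previous
    cipher block); the first block is keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password(); the zero padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def mac_hyphen_split_mode2(mac):
    """calling-station-id mac-format hyphen-split mode2 -> xx-xx-xx-xx-xx-xx."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_access_request(user, password, mac, secret, ident=1, request_auth=None):
    """The Access-Request SwitchA sends to the ISE for a Portal (PAP) login."""
    request_auth = request_auth or os.urandom(16)   # fresh random nonce for every request
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_OUTBOUND))
             + attr(CALLING_STATION_ID, mac_hyphen_split_mode2(mac).encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(payload):
    """Attribute list -> {type: value}; stops at the first malformed length."""
    out, i = {}, 0
    while i + 2 <= len(payload):
        atype, length = payload[i], payload[i + 1]
        if length < 2:
            break
        out[atype] = payload[i + 2:i + length]
        i += length
    return out


def ise_respond(request, secret, users):
    """Simulated ISE: check the PAP credentials and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:length])
    user = attrs[USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if users.get(user, "").encode() == password else ACCESS_REJECT
    head = struct.pack("!BBH", code, ident, 20)       # no reply attributes in this example
    return head + hashlib.md5(head + request_auth + secret).digest()


def switch_verify(request, response, secret):
    """What the NAS must do before trusting an Access-Accept: recompute the Response
    Authenticator with its own key and the Request Authenticator it sent."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return ident == request[1] and code == ACCESS_ACCEPT and expected == response[4:20]


def demo():
    """Returns (accepted with matching keys, accepted when the ISE key differs,
    accepted for a forged Access-Accept from someone without the key)."""
    req = build_access_request("A-123", "Huawei@123", "00:11:22:aa:bb:cc", SHARED_KEY)  # constructed MAC
    good = switch_verify(req, ise_respond(req, SHARED_KEY, ISE_USERS), SHARED_KEY)
    wrong_key = switch_verify(req, ise_respond(req, b"Huawei@2015", ISE_USERS), SHARED_KEY)
    forged = struct.pack("!BBH", ACCESS_ACCEPT, req[1], 20) + os.urandom(16)
    return good, wrong_key, switch_verify(req, forged, SHARED_KEY)


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The wrong-key case is what a shared-key mismatch between the switch and the ISE network device entry looks like on the wire: the ISE cannot recover the password and answers Access-Reject, which is why the first thing to check when Portal logins fail is that both sides carry the same key. Everything apart from User-Password (user name, NAS address, MAC) crosses the wire in clear text, as the comparison table at the top of this page says.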

  3. Configure the ISE.
    1. Log in to the ISE.

      1. Open Internet Explorer, enter the ISE access address in the address bar, and press Enter.

      2. Enter the ISE administrator user name and password to log in to the ISE.

    2. Create groups and accounts.

      1. Choose Administration > Identity Management > Groups. In the navigation area on the left, choose User Identity Groups. Click Add in the operation area on the right and create the group R&D. After completing the configuration, click Submit.


      2. Choose Administration > Identity Management > Identities. In the navigation area on the left, choose Users. Click Add in the operation area on the right, create the user A, set the Name to A-123, set the Login Password to Huawei@123, and bind the user to the group R&D. After completing the configuration, click Submit. User B is similar to A, and is not mentioned here.


    3. Add switches on the ISE so that the ISE can communicate with the switches.

      1. In the top navigation area, choose Administration > Network Resources > Network Device Profiles. Click Add to create the access authentication device profile HUAWEI. Set Vendor to Other, select RADIUS, and set RADIUS Dictionaries to HW. Configure Change of Authorization (CoA) according to the following figures. After completing the configuration, click Submit.


      2. Choose Administration > Network Resources > Network Devices. Click Add in the operation area on the right, add the access authentication device SwitchA, and configure parameters of SwitchA on the New Network Device page according to the following table. After completing the configuration, click Submit.

        Parameter          | Value           | Description
        Access device name | SwitchA         | -
        IP address         | 192.168.10.2/24 | -
        RADIUS shared key  | Huawei@2014     | The RADIUS shared key must be the same as that configured on SwitchA.


    4. Add an authentication policy on the ISE to perform identity authentication for access users.

      1. In the top navigation area, choose Policy > Policy Elements > Conditions. In the navigation area on the left, choose Authentication > Compound Conditions. Click Add in the operation area on the right.

      2. Create the authentication condition profile Portal and configure authentication conditions. Set RADIUS:Service-Type to Outbound and RADIUS:NAS-IP-Address to 192.168.10.2. After completing the configuration, click Submit.


      3. In the top navigation area, choose Policy > Policy Elements > Results. In the navigation area on the left, choose Authentication > Allowed Protocols. Click Add in the operation area on the right.

      4. Create the protocol profile Portal for user authentication, and select Allow PAP/ASCII and Allow CHAP. After completing the configuration, click Submit.


      5. In the top navigation area, choose Policy > Authentication, and click Rule-Based. Click the triangle next to the first authentication policy and choose Insert new row above.


      6. Create the authentication policy Portal, add the authentication condition profile Portal and the protocol profile Portal for user authentication, click Done, and click Save.


    5. Obtain the URL of the Portal authentication page.

      1. Choose Guest Access > Configure > Guest Portals and click Self-Registered Guest Portal (default).


      2. Click Portal test URL. The page that opens is the Portal authentication page presented to users, and its URL is the one to configure in the URL template on the switch.


  4. Check the configuration.

    • Before authentication, an employee can reach only the ISE (the Portal authentication page).
    • After an employee passes authentication, run the display access-user command on the switch. The command output shows information about the online employee.

Configuration Files

SwitchC configuration file

#
sysname SwitchC
#
vlan batch 10 20 100
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
#
interface Vlanif100
 ip address 192.168.100.254 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 100
#
return

SwitchA configuration file

#
sysname SwitchA
#
vlan batch 10
#
authentication-profile name a1
 portal-access-profile p1
#
domain portal
#
radius-server template policy
 radius-server shared-key cipher %^%#5qD#!uKN)@!O<$-pg]T5F}@-4Ro(JLj.]x)m~sY1%^%#
 radius-server authentication 192.168.100.1 1812 source ip-address 192.168.10.2 weight 80
 radius-server accounting 192.168.100.1 1813 source ip-address 192.168.10.2 weight 80
 calling-station-id mac-format hyphen-split mode2
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.10.2 mask 255.255.255.255
#
url-template name u1
 url https://192.168.100.1:8443/portal/PortalSetup.action#portal=0ce17ad0-6d90-11e5-978e-005056bf2f0a
 parameter start-mark #
 url-parameter login-url switch_url https://192.168.10.2:8443
#
web-auth-server w1
 server-ip 192.168.100.1
 shared-key cipher %^%#by7>I&"d),x~BNM+tFb)2"5iCzRIj-0*Zg<Pwcz3%^%#
 url-template u1
#
portal-access-profile name p1
 web-auth-server w1 direct
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
 domain portal
  authentication-scheme auth
  accounting-scheme acco
  radius-server policy
#
interface Vlanif10
 ip address 192.168.10.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 authentication-profile a1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10
#
ip route-static 192.168.100.0 255.255.255.0 192.168.10.1
#
portal web-authen-server https ssl-policy portal
#
ssl policy portal
 certificate load pem-cert cert_rsa_cert.pem key-pair rsa key-file cert_rsa_key.pem auth-code cipher %^%#'kky=K\0_-ge]M&p9''7~v{=V\dshHvR:E4#t-wI%^%#
 ssl minimum version tls1.0
#
return

Configuring CWA Authentication (MAC Address Authentication-based Portal Authentication Page Push) for Visitors on Cisco ISE

This section includes the following content:

Introduction to NAC

Portal authentication is a Network Admission Control (NAC) method. Portal authentication is also called web authentication. Generally, Portal authentication websites are referred to as Portal websites. Users must be authenticated by the Portal websites before they can use network services.

MAC address authentication and Portal authentication provide lower security but allow flexible network deployment, because they do not require client software on user terminals. 802.1X authentication is more secure than MAC address authentication and Portal authentication, but it requires client software on user terminals, which makes deployment less flexible. MAC address authentication and Portal authentication therefore suit scenarios where users, such as guests in enterprises, are sparsely distributed and move frequently.

When a Cisco ISE works as the RADIUS server, you can configure MAC address authentication on a Huawei switch to deliver a redirection ACL and a redirection URL to users so that authentication for guests who attempt to access the network can be implemented on a Portal authentication page.

Implementation Process

Figure 2-35 only shows a simple implementation process and does not provide all details about the implementation of this function.

Figure 2-35  CWA implementation 

Networking Requirements

To meet service requirements, an enterprise needs to deploy an identity authentication system to implement access control on wired and wireless guests who attempt to access the enterprise network. Only authorized users can access the enterprise network. The enterprise has the following requirements:

  • The operations should be simple and the authentication system only performs access authorization, without a need for authentication client software on terminals.
  • Unified identity authentication is performed for all guests who attempt to access the enterprise network. Unauthorized guests cannot access the enterprise network.

In this example, the aggregation switch is an S7700 and the access switch is an S5720HI.

Figure 2-36  Networking for configuring authentication for guests 

Configuration Logic

Figure 2-37  Configuration logic of Huawei switch

Figure 2-38  Configuration logic of Cisco ISE

Configuration Notes
  • For the applicable products and versions of this configuration example, see Applicable product models and versions. For details about the matching model and version of AP, see Example for Configuring WLAN Services on a Small-Scale Network in "Typical WLAN-AC Configuration (Applicable to V200R009 and Later Versions)" in the Typical Configuration Examples. The Cisco ISE runs version 2.0.0.306.

  • The ISE works as the RADIUS server and Portal server in this scenario and can deliver a redirection ACL and a redirection URL only to MAC address authentication users. In addition, the redirection ACL and redirection URL can only be delivered to users by the ISE, and cannot be configured on the switch.
  • The RADIUS shared key and Portal shared key configured on the switch must be the same as that configured on the server.
  • By default, the switch allows the packets sent to the RADIUS server and Portal server to pass through. You do not need to configure an authentication-free rule for the packets on the switch.

Data Plan

Table 2-54  SwitchA data plan

Item             | Interface  | VLAN                                    | IP Address
Wireless guest   | GE0/0/1    | Management VLAN: 100; Service VLAN: 101 | VLANIF 100: 192.168.100.1/24; VLANIF 101: 192.168.101.1/24
Wired guest      | GE0/0/2    | 102                                     | VLANIF 102: 192.168.102.1/24
Uplink interface | GE0/0/3    | 103                                     | VLANIF 103: 192.168.103.1/24
-                | Loopback 0 | -                                       | 192.168.50.1/32

Table 2-55  Authentication data plan

Item                         | Data
ISE                          | IP address: 192.168.10.2/24
                             | RADIUS shared key and Portal shared key: Huawei@2014
Access authentication device | SwitchA: 192.168.50.1/32
Guest                        | User A: user name A-123, password Huawei@123
                             | User B: user name B-123, password Huawei@B-123

Procedure

  1. Configure the access authentication device SwitchA.
    1. Create VLANs and add interfaces to VLANs to ensure network connectivity.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchA
      [SwitchA] vlan batch 100 101 102 103
      [SwitchA] interface gigabitethernet 0/0/1
      [SwitchA-GigabitEthernet0/0/1] port link-type access
      [SwitchA-GigabitEthernet0/0/1] port default vlan 100
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2
      [SwitchA-GigabitEthernet0/0/2] port link-type access
      [SwitchA-GigabitEthernet0/0/2] port default vlan 102
      [SwitchA-GigabitEthernet0/0/2] quit
      [SwitchA] interface gigabitethernet 0/0/3
      [SwitchA-GigabitEthernet0/0/3] port link-type trunk
      [SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
      [SwitchA-GigabitEthernet0/0/3] quit
      [SwitchA] interface LoopBack 0
      [SwitchA-LoopBack0] ip address 192.168.50.1 32   //Configure a management IP address for SwitchA.
      [SwitchA-LoopBack0] quit

    2. Configure SwitchA as a DHCP server to allocate IP addresses to APs and guests.

      [SwitchA] dhcp enable   //Enable DHCP globally; dhcp select interface has no effect without it (the configuration file below contains this command).
      [SwitchA] interface vlanif 100
      [SwitchA-Vlanif100] ip address 192.168.100.1 24
      [SwitchA-Vlanif100] dhcp select interface   //Configure SwitchA to allocate IP addresses to APs.
      [SwitchA-Vlanif100] quit
      [SwitchA] interface vlanif 101
      [SwitchA-Vlanif101] ip address 192.168.101.1 24
      [SwitchA-Vlanif101] dhcp select interface   //Configure SwitchA to allocate IP addresses to wireless guests.
      [SwitchA-Vlanif101] quit
      [SwitchA] interface vlanif 102
      [SwitchA-Vlanif102] ip address 192.168.102.1 24
      [SwitchA-Vlanif102] dhcp select interface   //Configure SwitchA to allocate IP addresses to wired guests.
      [SwitchA-Vlanif102] quit
      [SwitchA] interface vlanif 103
      [SwitchA-Vlanif103] ip address 192.168.103.1 24
      [SwitchA-Vlanif103] quit
      [SwitchA] ip route-static 192.168.10.0 24 gigabitethernet 0/0/3 192.168.103.2   //Configure a static route from SwitchA to the ISE. Assume that the next-hop address is 192.168.103.2 and the interface that forwards packets is GE0/0/3.

    3. Configure a redirection ACL.

      NOTE:

      A redirection ACL differs from a common ACL in the following aspects:

      • permit: indicates that the switch redirects packets instead of allowing packets matching the rule to pass through.
      • deny: indicates that the switch does not redirect packets and allows packets matching the rule to pass through.

      A redirection ACL takes precedence over a common ACL. If the RADIUS server assigns a redirection ACL and a common ACL to users simultaneously and you want to control the user rights through the common ACL, do not configure the last rule of the redirection ACL to rule rule-id deny ip. If you configure the last rule of the redirection ACL to rule rule-id deny ip, the assigned common ACL does not take effect.

      Do not configure source-ip in the redirection ACL rules; otherwise, data transmission may be interrupted and authentication cannot be performed for users.

      # Configure redirection ACL 3003. Rules 1 and 2 let DNS packets pass, rules 3 to 6 let DHCP packets pass, and rule 7 lets packets between clients and the ISE pass. Rules 8 and 9 redirect all other HTTP and HTTPS traffic to the Portal page; rule 7 is placed before them so that HTTP/HTTPS to the ISE itself is not redirected.
      [SwitchA] acl number 3003
      [SwitchA-acl-adv-3003] rule 1 deny udp destination-port eq dns
      [SwitchA-acl-adv-3003] rule 2 deny udp source-port eq dns
      [SwitchA-acl-adv-3003] rule 3 deny udp destination-port eq bootps
      [SwitchA-acl-adv-3003] rule 4 deny udp destination-port eq bootpc
      [SwitchA-acl-adv-3003] rule 5 deny udp source-port eq bootpc
      [SwitchA-acl-adv-3003] rule 6 deny udp source-port eq bootps
      [SwitchA-acl-adv-3003] rule 7 deny ip destination 192.168.10.2 0
      [SwitchA-acl-adv-3003] rule 8 permit tcp destination-port eq www
      [SwitchA-acl-adv-3003] rule 9 permit tcp destination-port eq 443
      [SwitchA-acl-adv-3003] quit
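An evaluator for redirection ACL 3003, as an added example that is not part of this page or of Huawei's software. It applies the semantics the NOTE above gives (permit redirects to the Portal, deny lets the packet through, no match leaves the packet to whatever follows, such as a common ACL assigned by the ISE) in ascending rule-ID order, which is what the default config match order gives, parses the nine rules exactly as configured, and reports what happens to a few constructed packets from an unauthenticated guest. It also rejects rules that carry a source address, which the NOTE forbids, and shows why the NOTE warns against ending the ACL with deny ip. The ACL text and the packets are built inline; no switch is consulted.

```python
from ipaddress import ip_address

# Port names used in the ACL and their numbers
PORT_NAMES = {"dns": 53, "bootps": 67, "bootpc": 68, "www": 80}

# Redirection ACL 3003 exactly as configured on SwitchA (page)
ACL_3003 = """
rule 1 deny udp destination-port eq dns
rule 2 deny udp source-port eq dns
rule 3 deny udp destination-port eq bootps
rule 4 deny udp destination-port eq bootpc
rule 5 deny udp source-port eq bootpc
rule 6 deny udp source-port eq bootps
rule 7 deny ip destination 192.168.10.2 0
rule 8 permit tcp destination-port eq www
rule 9 permit tcp destination-port eq 443
"""

REDIRECT, PASS, NO_MATCH = "REDIRECT", "PASS", "NO_MATCH"


def _port(token):
    return PORT_NAMES.get(token) or int(token)


def _wildcard(token):
    """Huawei wildcard mask: '0' (exact host) or dotted form; 1 bits are don't-care bits."""
    return int(ip_address(token)) if "." in token else int(token)


def parse_acl(text):
    """Parse 'rule <id> permit|deny <proto> [destination A W] [destination-port eq P] [source-port eq P]'.
    Raises on a source address, which the page says must not appear in a redirection ACL."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if "source" in tok:
            raise ValueError("rule %s: source-ip is not allowed in a redirection ACL" % tok[1])
        rule = {"id": int(tok[1]), "action": tok[2], "proto": tok[3], "dst": None, "dport": None, "sport": None}
        i = 4
        while i < len(tok):
            if tok[i] == "destination":
                rule["dst"] = (int(ip_address(tok[i + 1])), _wildcard(tok[i + 2]))
            elif tok[i] == "destination-port" and tok[i + 1] == "eq":
                rule["dport"] = _port(tok[i + 2])
            elif tok[i] == "source-port" and tok[i + 1] == "eq":
                rule["sport"] = _port(tok[i + 2])
            else:
                raise ValueError("unsupported keyword %r in rule %d" % (tok[i], rule["id"]))
            i += 3
        rules.append(rule)
    return sorted(rules, key=lambda r: r["id"])   # ascending rule ID = config match order


def evaluate(rules, proto, dst_ip, dport=None, sport=None):
    """First matching rule decides: permit -> REDIRECT to the Portal, deny -> PASS.
    No match -> NO_MATCH: the packet is left to the common ACL or the switch default."""
    dst = int(ip_address(dst_ip))
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if r["dst"] is not None and (dst ^ r["dst"][0]) & (0xFFFFFFFF ^ r["dst"][1]):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["sport"] is not None and r["sport"] != sport:
            continue
        return REDIRECT if r["action"] == "permit" else PASS
    return NO_MATCH


def demo():
    """Outcome for constructed packets from an unauthenticated guest, keyed by description.
    Destinations outside the page's addressing use documentation ranges (TEST-NET)."""
    rules = parse_acl(ACL_3003)
    cases = {
        "dns query": ("udp", "192.0.2.53", 53, 51000),
        "dhcp discover": ("udp", "255.255.255.255", 67, 68),
        "https to the ISE portal (8443)": ("tcp", "192.168.10.2", 8443, 51001),
        "http to the internet": ("tcp", "198.51.100.10", 80, 51002),
        "https to the internet": ("tcp", "198.51.100.10", 443, 51003),
        "ssh to the internet": ("tcp", "198.51.100.10", 22, 51004),
    }
    results = {name: evaluate(rules, *pkt) for name, pkt in cases.items()}
    # The NOTE's warning: a trailing 'deny ip' turns every NO_MATCH into PASS, so a common
    # ACL assigned alongside the redirection ACL never gets to see those packets.
    with_deny_ip = parse_acl(ACL_3003 + "rule 10 deny ip\n")
    results["ssh to the internet, ACL ending in deny ip"] = evaluate(with_deny_ip, "tcp", "198.51.100.10", 22, 51004)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-45s %s" % (name, outcome))
```

Run it after editing the ACL and before pointing the ISE authorization profile at it: anything an unauthenticated guest must reach (DNS, DHCP, the ISE) has to come out as PASS, the browser ports as REDIRECT, and everything else as NO_MATCH so that the common ACL the ISE assigns still applies.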

    4. Configure RADIUS communication parameters, including the RADIUS server template, AAA schemes, and authentication domain.

      # Create the RADIUS server template policy.
      [SwitchA] radius-server template policy
      [SwitchA-radius-policy] radius-server authentication 192.168.10.2 1812 source ip-address 192.168.50.1   //Configure the ISE as the RADIUS authentication server.
      [SwitchA-radius-policy] radius-server accounting 192.168.10.2 1813 source ip-address 192.168.50.1   //Configure the ISE as the RADIUS accounting server.
      [SwitchA-radius-policy] radius-server shared-key cipher Huawei@2014   //Set the RADIUS authentication and accounting keys to Huawei@2014.
      [SwitchA-radius-policy] radius-attribute set Service-Type 10 auth-type mac   //Set the RADIUS attribute Service-Type to 10 (Call-Check) for MAC address authentication users.
      [SwitchA-radius-policy] calling-station-id mac-format hyphen-split mode2   //Set the encapsulation format of the MAC address in the calling-station-id attribute of RADIUS packets to xx-xx-xx-xx-xx-xx.
      [SwitchA-radius-policy] quit
      # Configure a RADIUS authorization server.
      [SwitchA] radius-server authorization 192.168.10.2 shared-key cipher Huawei@2014   //Configure the ISE as the RADIUS authorization (CoA) server and set the RADIUS shared key to Huawei@2014.
      [SwitchA] radius-server authorization calling-station-id decode-mac-format ascii hyphen-split common   //Parse the MAC address in received dynamic authorization packets in the xx-xx-xx-xx-xx-xx format.
      # Create the AAA authentication scheme auth.
      [SwitchA] aaa
      [SwitchA-aaa] authentication-scheme auth
      [SwitchA-aaa-authen-auth] authentication-mode radius   //Set the authentication mode to RADIUS.
      [SwitchA-aaa-authen-auth] quit
      # Create the AAA accounting scheme acco. You must set the accounting mode to RADIUS so that the RADIUS server can maintain the account status, such as login, log-off, and forced log-off.
      [SwitchA-aaa] accounting-scheme acco
      [SwitchA-aaa-accounting-acco] accounting-mode radius   //Set the accounting mode to RADIUS.
      [SwitchA-aaa-accounting-acco] accounting realtime 15   //Set the real-time accounting interval to 15 minutes.
      [SwitchA-aaa-accounting-acco] quit
      # Create the authentication domain huawei.
      [SwitchA-aaa] domain huawei
      [SwitchA-aaa-domain-huawei] authentication-scheme auth   //Bind the AAA authentication scheme auth to the authentication domain.
      [SwitchA-aaa-domain-huawei] accounting-scheme acco   //Bind the AAA accounting scheme acco to the authentication domain.
      [SwitchA-aaa-domain-huawei] radius-server policy   //Bind the RADIUS server template policy to the authentication domain.
      [SwitchA-aaa-domain-huawei] quit
      [SwitchA-aaa] quit
      # Configure the authentication domain huawei as the global default authentication domain.
      [SwitchA] domain huawei

    5. Configure basic WLAN services so that APs can go online.

      # Configure the AC's source interface.
      [SwitchA] capwap source interface Vlanif 100
      # Configure SwitchA to allow APs to go online without authentication.
      [SwitchA] wlan
      [SwitchA-wlan-view] ap auth-mode no-auth
      # Create the AP group huawei_ap.
      [SwitchA-wlan-view] ap-group name huawei_ap
      [SwitchA-wlan-ap-group-huawei_ap] regulatory-domain-profile default
      Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
      [SwitchA-wlan-ap-group-huawei_ap] quit

    6. Configure WLAN service parameters.

      # Create the security profile huawei_sec and use the default security policy open.
      [SwitchA-wlan-view] security-profile name huawei_sec
      [SwitchA-wlan-sec-prof-huawei_sec] quit
      # Create the SSID profile huawei_ssid.
      [SwitchA-wlan-view] ssid-profile name huawei_ssid
      [SwitchA-wlan-ssid-prof-huawei_ssid] ssid Guest   //Set the wireless SSID to Guest.
      Warning: This action may cause service interruption. Continue?[Y/N]y
      [SwitchA-wlan-ssid-prof-huawei_ssid] quit
      # Create the VAP profile huawei_vap.
      [SwitchA-wlan-view] vap-profile name huawei_vap
      [SwitchA-wlan-vap-prof-huawei_vap] security-profile huawei_sec   //Bind the security profile huawei_sec.
      [SwitchA-wlan-vap-prof-huawei_vap] ssid-profile huawei_ssid   //Bind the SSID profile huawei_ssid.
      [SwitchA-wlan-vap-prof-huawei_vap] forward-mode tunnel   //Set the data forwarding mode to tunnel forwarding.
      [SwitchA-wlan-vap-prof-huawei_vap] service-vlan vlan-id 101   //Configure VLAN 101 as the service VLAN.
      [SwitchA-wlan-vap-prof-huawei_vap] quit
      # Bind the VAP profile to AP group.
      [SwitchA-wlan-view] ap-group name huawei_ap
      [SwitchA-wlan-ap-group-huawei_ap] vap-profile huawei_vap wlan 1 radio all
      [SwitchA-wlan-ap-group-huawei_ap] quit
      [SwitchA-wlan-view] quit

    7. Enable authentication for guests.

      # Create the MAC access profile huawei_mac.
      [SwitchA] mac-access-profile name huawei_mac
      [SwitchA-mac-acces-profile-huawei_mac] quit
      # Create the authentication profile huawei_auth.
      [SwitchA] authentication-profile name huawei_auth
      [SwitchA-authen-profile-huawei_auth] mac-access-profile huawei_mac   //Bind the MAC access profile huawei_mac.
      [SwitchA-authen-profile-huawei_auth] quit
      # Enable authentication for wired guests on GE0/0/2.
      [SwitchA] interface GigabitEthernet 0/0/2
      [SwitchA-GigabitEthernet0/0/2] authentication-profile huawei_auth
      Warning: This action may cause service interruption. Continue?[Y/N]y
      [SwitchA-GigabitEthernet0/0/2] quit
      # Enable authentication for wireless guests in the huawei_vap profile.
      [SwitchA] wlan
      [SwitchA-wlan-view] vap-profile name huawei_vap
      [SwitchA-wlan-vap-prof-huawei_vap] authentication-profile huawei_auth
      [SwitchA-wlan-vap-prof-huawei_vap] quit
      [SwitchA-wlan-view] commit all
      Warning: Committing configuration may cause service interruption, continue?[Y/N] :y
      [SwitchA-wlan-view] return
      <SwitchA> save   //Save the configuration.
      The current configuration (excluding the configurations of unregistered boards or cards) will be written to flash:/vrpcfg.zip.
      Are you sure to continue?[Y/N]y
      NOTE:

      For wireless users, you can configure attributes for APs when the switch works as an AC. In versions earlier than V200R011C10, the configurations are not delivered to APs in real time; they are delivered only after you run the commit command in the WLAN view. In V200R011C10 and later versions, the commit command has been removed and the switch delivers the configurations to APs every 5 seconds.

  2. Configure the ISE.
    1. Log in to the ISE.

      1. Open Internet Explorer, enter the ISE access address in the address bar, and press Enter.

      2. Enter the ISE administrator user name and password to log in to the ISE.

    2. Create groups and accounts.

      1. Choose Administration > Identity Management > Groups. In the navigation area on the left, choose User Identity Groups. Click Add in the operation area on the right and create the group R&D. After completing the configuration, click Submit.


      2. Choose Administration > Identity Management > Identities. In the navigation area on the left, choose Users. Click Add in the operation area on the right, create the user A, set the Name to A-123, set the Login Password to Huawei@123, and bind the user to the group R&D. After completing the configuration, click Submit. User B is similar to A, and is not mentioned here.


    3. Add the switch on the ISE so that the ISE can communicate with the switch.

      1. Add the Huawei proprietary RADIUS attributes 26-156 HW-Portal-URL, 26-173 HW-Redirect-ACL, and 26-238 HW-Ext-Specific. In the top navigation area, choose Policy > Policy Elements > Dictionaries. In the navigation area on the left, choose System > RADIUS > RADIUS Vendors > HW. In the operation area on the right, choose Dictionary Attributes and click Add to add the three attributes. After completing the configuration, click Submit.

        NOTE:

        If the ISE does not have the Huawei proprietary RADIUS attribute dictionary HW, create it manually. Huawei's vendor ID is 2011.

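How the three Huawei vendor-specific attributes added in this step are carried in an Access-Accept and read back by the switch, as an added example that is not part of this page or of Cisco's or Huawei's code. It uses Vendor-Id 2011 and the vendor-type numbers 156, 173 and 238 exactly as this page lists them, the ACL number 3003 from the switch configuration, and a constructed placeholder for the per-session Portal URL that the ISE generates. RFC 2865 section 5.26 defines the nesting: a type-26 attribute carries the Vendor-Id followed by vendor type/length/value triples, and a sender may pack several triples into one attribute, which the decoder handles.

```python
import struct

VENDOR_SPECIFIC = 26      # RFC 2865 5.26 attribute type
VENDOR_HUAWEI = 2011      # Huawei's vendor ID (page)
# Vendor-type numbers of the three dictionary entries added on the ISE (page)
HW_PORTAL_URL, HW_REDIRECT_ACL, HW_EXT_SPECIFIC = 156, 173, 238
HW_NAMES = {HW_PORTAL_URL: "HW-Portal-URL", HW_REDIRECT_ACL: "HW-Redirect-ACL",
            HW_EXT_SPECIFIC: "HW-Ext-Specific"}
MAX_VSA_VALUE = 255 - 2 - 4 - 2   # attribute length byte minus outer header, Vendor-Id, inner header


def huawei_vsa(vendor_type, value):
    """One Vendor-Specific attribute: 26, Length, Vendor-Id 2011, then the
    vendor type/length/value triple that the ISE dictionary entry describes."""
    if len(value) > MAX_VSA_VALUE:
        raise ValueError("value too long for a single VSA: %d bytes" % len(value))
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    body = struct.pack("!I", VENDOR_HUAWEI) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def guest_redirect_attributes(acl_number, portal_url):
    """What the Guest_Redirect authorization profile adds to the Access-Accept:
    the redirection ACL to apply on the switch and the URL to redirect to."""
    return (huawei_vsa(HW_REDIRECT_ACL, str(acl_number).encode())
            + huawei_vsa(HW_PORTAL_URL, portal_url.encode()))


def decode_huawei_vsas(attributes):
    """The switch side: walk the attribute list, keep only Vendor-Specific attributes
    carrying Huawei's Vendor-Id, and unpack every sub-attribute inside them."""
    found, i = {}, 0
    while i + 2 <= len(attributes):
        atype, length = attributes[i], attributes[i + 1]
        if length < 2 or i + length > len(attributes):
            raise ValueError("malformed attribute at offset %d" % i)
        value = attributes[i + 2:i + length]
        i += length
        if atype != VENDOR_SPECIFIC or len(value) < 4 or struct.unpack("!I", value[:4])[0] != VENDOR_HUAWEI:
            continue                                  # another vendor's VSA: left alone
        j = 4
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("malformed Huawei sub-attribute at offset %d" % j)
            found[HW_NAMES.get(vtype, "HW-%d" % vtype)] = value[j + 2:j + vlen].decode(errors="replace")
            j += vlen
    return found


def demo():
    """Round trip of the redirect ACL 3003 and a Portal URL; the URL's query string is a
    constructed placeholder, the real one is generated by the ISE for each session."""
    url = "https://192.168.10.2:8443/portal/gateway?sessionId=SESSION_PLACEHOLDER&action=cwa"
    return decode_huawei_vsas(guest_redirect_attributes(3003, url))


if __name__ == "__main__":
    print(demo())
```

The page's own comparison table applies here: RADIUS hides only User-Password, so the ACL number and the Portal URL cross the wire in clear text and are protected against tampering only by the MD5 Response Authenticator keyed with the shared key. Keep the switch-to-ISE path on the management network, use a long shared key that is unique per network device, and remember that a URL longer than 247 bytes does not fit in one attribute.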

      2. Configure the access authentication device profile Huawei. In the top navigation area, choose Administration > Network Resources > Network Device Profiles. Click Add to create the access authentication device profile Huawei. Set Vendor to Other, select RADIUS, and set RADIUS Dictionaries to HW. Configure Authentication/Authorization, Change of Authorization (CoA), and Redirect according to the following figures. After completing the configuration, click Submit.


      3. Configure the access authentication device SwitchA. In the top navigation area, choose Administration > Network Resources > Network Devices. In the operation area on the right, click Add to add the access authentication device SwitchA, and configure parameters of SwitchA on the New Network Device page according to the following table. After completing the configuration, click Submit.

        Parameter          | Data            | Description
        Access device name | SwitchA         | -
        IP address         | 192.168.50.1/32 | -
        RADIUS shared key  | Huawei@2014     | The RADIUS shared key must be the same as that configured on SwitchA.


    4. Configure authentication policies.

      1. Configure the authentication protocol for guests. In the top navigation area, choose Policy > Policy Elements > Results. In the navigation area on the left, choose Authentication > Allowed Protocols. In the operation area on the right, click Add to create the authentication protocol profile PORTAL for guests, and select proper authentication protocols based on actual requirements.

        NOTE:

        The ISE provides the default authentication protocol profile Default Network Access. If the profile meets actual requirements, you do not need to create a profile.


      2. Create authentication condition profiles. In the top navigation area, choose Policy > Policy Elements > Conditions. In the navigation area on the left, choose Authentication > Compound Conditions. In the operation area on the right, click Add to create authentication condition profiles Wired_MAC and Wireless_MAC. Click Create New Condition(Advanced Option) to create authentication conditions according to the following figures. After completing the configuration, click Submit.


      3. Create an authentication policy. In the top navigation area, choose Policy > Authentication, and click Rule-Based. Click the triangle behind Edit next to the first authentication policy and choose Insert new row above. Create the authentication policy Mac_Portal, configure the policy according to the following figures, click Done, and click Save.


    5. Configure authorization policies.

      1. Configure authorization results. In the top navigation area, choose Policy > Policy Elements > Results. In the navigation area on the left, choose Authorization > Authorization Profiles. In the operation area on the right, click Add and create the authorization results profile Guest_Redirect to authorize the redirection ACL and redirection URL to guests before they are authenticated successfully. After completing the configuration, click Submit.


      2. Configure a redirection authorization policy used during Portal authentication. In the top navigation area, choose Policy > Authorization. Click the triangle behind Edit next to the first authorization policy and choose Insert new row above. Create the redirection authorization policy Pre_Author used during Portal authentication. Click Create New Condition(Advanced Option) under the second Conditions, choose Network Access > AuthenticationStatus, and set Network Access:AuthenticationStatus to UnknownUser. Select Wired_MAB and Wireless_MAB from Compound Conditions, select Standard > Guest_Redirect from Permissions, click Done, and click Save.


      3. Configure an authorization policy used after Portal authentication is complete. Create the authorization policy Portal_Author, configure the policy according to the following figures, click Done, and click Save.


  3. Check the configuration.

    After a guest passes authentication, run the display access-user command on the switch. The command output shows information about the online guest.

Configuration File
#
sysname SwitchA
#
vlan batch 100 to 103
#
authentication-profile name huawei_auth
 mac-access-profile huawei_mac
#
domain huawei
#
radius-server authorization calling-station-id decode-mac-format ascii hyphen-split common
#
dhcp enable
#
radius-server template policy
 radius-server shared-key cipher %^%#\5)&.GjCF$i]^jH'$@%$"Uy#0'xJ;NlSS+6(FN:1%^%#
 radius-server authentication 192.168.10.2 1812 source ip-address 192.168.50.1 weight 80
 radius-server accounting 192.168.10.2 1813 source ip-address 192.168.50.1 weight 80
 calling-station-id mac-format hyphen-split mode2
 radius-attribute set Service-Type 10 auth-type mac
radius-server authorization 192.168.10.2 shared-key cipher %^%#'kky=K\0_-ge]M&p9''7~v{=V\dshHvR:E4#t-wI%^%#
#
acl number 3003
 rule 1 deny udp destination-port eq dns
 rule 2 deny udp source-port eq dns
 rule 3 deny udp destination-port eq bootps
 rule 4 deny udp destination-port eq bootpc
 rule 5 deny udp source-port eq bootpc
 rule 6 deny udp source-port eq bootps
 rule 7 deny ip destination 192.168.10.2 0
 rule 8 permit tcp destination-port eq www
 rule 9 permit tcp destination-port eq 443
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
 domain huawei
  authentication-scheme auth
  accounting-scheme acco
  radius-server policy
#
interface Vlanif100
 ip address 192.168.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 192.168.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 192.168.102.1 255.255.255.0
 dhcp select interface
#
interface Vlanif103
 ip address 192.168.103.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 102
 authentication-profile huawei_auth
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 103
#
interface LoopBack0
 ip address 192.168.50.1 255.255.255.255
#
ip route-static 192.168.10.0 255.255.255.0 GigabitEthernet0/0/3 192.168.103.2
#
capwap source interface vlanif100
#
wlan
 security-profile name huawei_sec
 ssid-profile name huawei_ssid
  ssid Guest
 vap-profile name huawei_vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile huawei_ssid
  security-profile huawei_sec
  authentication-profile huawei_auth
 ap auth-mode no-auth
 ap-group name huawei_ap
  radio 0
   vap-profile huawei_vap wlan 1
  radio 1
   vap-profile huawei_vap wlan 1
  radio 2
   vap-profile huawei_vap wlan 1
#
mac-access-profile name huawei_mac
#
return

Applicable product models and versions

Product   Product Model             Software Version
S5700     S5720HI                   V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00
          S5730HI                   V200R012C00, V200R013C00
S6700     S6720HI                   V200R012C00, V200R013C00
S7700     S7703, S7706, and S7712   V200R010C00, V200R011C10, V200R012C00, V200R013C00
          S7706 PoE                 V200R013C00
          S7703 PoE                 V200R013C00
S9700     S9703, S9706, and S9712   V200R010C00, V200R011C10, V200R012C00, V200R013C00

NOTE:

Among S7700 switches, the S7712, S7706, or S7706 PoE is recommended, while the S7703 or S7703 PoE is not recommended.

Among S9700 switches, the S9712 or S9706 is recommended, while the S9703 is not recommended.

Configuring Authentication for Access Users and Posture Service on Cisco ISE

This section includes the following content:

Posture Service

The Posture Service of the Cisco ISE ensures that terminals accessing the network satisfy specified conditions, such as running a specific program or having the patch or antivirus database updated to the latest version. The Posture Service includes:

  1. Client Provisioning: The ISE checks whether a user terminal has installed the NAC Agent or AnyConnect each time the terminal attempts to access the network. If not installed, the NAC Agent or AnyConnect must be downloaded and installed. The ISE then performs the Posture Service for the terminal. If the NAC Agent or AnyConnect is installed, the ISE directly performs the Posture Service for the terminal.
  2. Posture Service: The ISE checks whether a terminal satisfies specified conditions. If the terminal does not satisfy specified conditions, the ISE repairs it. If the terminal satisfies specified conditions, the ISE performs authorization for the terminal.
  3. Authorization policy: After a user terminal passes the check, the ISE grants normal network access rights to the user.

Function Implementation

Figure 2-39 only shows a simple implementation process and does not provide all details about the implementation of this function.

Figure 2-39  Implementation flowchart of Terminal status check function 

Networking Requirements

To ensure network security, an enterprise requires that user terminals attempting to access the enterprise network download AnyConnect. The ISE performs the Posture Service to ensure that access user terminals are in a secure state.

Figure 2-40  Enterprise intranet topology 

Configuration Logic

Figure 2-41  Configuration logic of Huawei switch 
Figure 2-42  Configuration logic of Cisco ISE

Configuration Notes
  • The access switches in this example are S5700LI switches. The aggregation switch must run V200R010C00 or a later version. The Cisco ISE, in version 2.2.0.470, works as the RADIUS server; it is recommended that you use an ISE in version 2.0 or later.
  • The RADIUS shared keys configured on the switch and the server must be the same.
  • By default, the switch allows the packets sent to the RADIUS server to pass through. You do not need to configure an authentication-free rule for the packets on the switch.
  • In this example, the ISE checks whether user terminals run the cmd program. Configure terminal status check items based on actual requirements.

Data Plan

Table 2-56  Basic data plan

Device    Interface           VLAN ID
SwitchA   GE0/0/1, GE0/0/2    10
SwitchB   GE0/0/1, GE0/0/2    20
SwitchC   GE1/0/1             10
          GE1/0/2             20
          GE1/0/3             100

Table 2-57  Authentication data plan

RADIUS authentication, accounting, and authorization server (ISE): 192.168.100.2/24
Access authentication device (SwitchC): 192.168.100.1/24
RADIUS shared key: Huawei@2017

Procedure

  1. Configure the switches.
    1. Add interfaces to VLANs to ensure network connectivity.

      # Configure SwitchA. The configuration of SwitchB is similar and is not provided here.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchA
      [SwitchA] vlan batch 10
      [SwitchA] interface gigabitethernet 0/0/1
      [SwitchA-GigabitEthernet0/0/1] port link-type access
      [SwitchA-GigabitEthernet0/0/1] port default vlan 10
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2
      [SwitchA-GigabitEthernet0/0/2] port link-type trunk
      [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
      [SwitchA-GigabitEthernet0/0/2] quit

      # Configure SwitchC.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchC
      [SwitchC] vlan batch 10 20 100
      [SwitchC] interface gigabitethernet 1/0/1
      [SwitchC-GigabitEthernet1/0/1] port link-type trunk
      [SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
      [SwitchC-GigabitEthernet1/0/1] quit
      [SwitchC] interface gigabitethernet 1/0/2
      [SwitchC-GigabitEthernet1/0/2] port link-type trunk
      [SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
      [SwitchC-GigabitEthernet1/0/2] quit
      [SwitchC] interface gigabitethernet 1/0/3
      [SwitchC-GigabitEthernet1/0/3] port link-type access
      [SwitchC-GigabitEthernet1/0/3] port default vlan 100
      [SwitchC-GigabitEthernet1/0/3] quit
      [SwitchC] interface Vlanif 10
      [SwitchC-Vlanif10] ip address 192.168.10.1 24
      [SwitchC-Vlanif10] quit
      [SwitchC] interface Vlanif 20
      [SwitchC-Vlanif20] ip address 192.168.20.1 24
      [SwitchC-Vlanif20] quit
      [SwitchC] interface Vlanif 100
      [SwitchC-Vlanif100] ip address 192.168.100.1 24
      [SwitchC-Vlanif100] quit

    2. Configure the Layer 2 transparent transmission function for 802.1X authentication packets. The following uses SwitchA as an example. The configuration of SwitchB is similar and is not provided here.

      [SwitchA] l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002   //group-mac can be set to any MAC address except one of the reserved multicast MAC addresses (0180-C200-0000 to 0180-C200-002F) and other special MAC addresses.
      [SwitchA] interface gigabitethernet 0/0/1
      [SwitchA-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol dot1x enable
      [SwitchA-GigabitEthernet0/0/1] bpdu enable
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2
      [SwitchA-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol dot1x enable
      [SwitchA-GigabitEthernet0/0/2] bpdu enable
      [SwitchA-GigabitEthernet0/0/2] quit

    3. Configure a redirection ACL.

      NOTE:

      A redirection ACL differs from a common ACL in the following aspects:

      • permit: indicates that the switch redirects packets instead of allowing packets matching the rule to pass through.
      • deny: indicates that the switch does not redirect packets and allows packets matching the rule to pass through.

      A redirection ACL takes precedence over a common ACL. If the RADIUS server assigns a redirection ACL and a common ACL to users simultaneously and you want to control the user rights through the common ACL, do not configure the last rule of the redirection ACL to rule rule-id deny ip. If you configure the last rule of the redirection ACL to rule rule-id deny ip, the assigned common ACL does not take effect.

      Do not configure source-ip in the redirection ACL rules; otherwise, data transmission may be interrupted and authentication cannot be performed for users.

      # Configure the redirection ACL 3001. Rules 1 and 2 allow DNS packets to pass through. Rules 3, 4, 5, and 6 allow DHCP packets to pass through. Rule 7 allows packets exchanged between the switch and the ISE to pass through. The switch redirects other types of packets.
      [SwitchC] acl number 3001
      [SwitchC-acl-adv-3001] rule 1 deny udp destination-port eq dns
      [SwitchC-acl-adv-3001] rule 2 deny udp source-port eq dns
      [SwitchC-acl-adv-3001] rule 3 deny udp destination-port eq bootps
      [SwitchC-acl-adv-3001] rule 4 deny udp destination-port eq bootpc
      [SwitchC-acl-adv-3001] rule 5 deny udp source-port eq bootpc
      [SwitchC-acl-adv-3001] rule 6 deny udp source-port eq bootps
      [SwitchC-acl-adv-3001] rule 7 deny ip destination 192.168.100.2 0
      [SwitchC-acl-adv-3001] rule 8 permit ip
      [SwitchC-acl-adv-3001] quit
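
As an added example (not Huawei code), the following Python models the permit/deny semantics of a redirection ACL described in the note above: it parses the rules of ACL 3001 exactly as configured on SwitchC and reports, for constructed sample packets, whether the switch would redirect them or let them through. The behaviour for a packet that matches no rule (treated as pass-through) and the rejection of a `source` keyword are assumptions drawn from the note.

```python
"""Redirection ACL evaluator (added example, not Huawei code).
permit = redirect the packet to the portal, deny = let it through.
Rules are tried in rule-id order; no match is assumed to pass through."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"dns": 53, "bootps": 67, "bootpc": 68, "www": 80}  # keywords used on this page

@dataclass(frozen=True)
class Packet:
    proto: str        # "udp", "tcp" or "icmp"
    dst: str          # destination IPv4 address
    sport: int = 0    # source port (0 when not TCP/UDP)
    dport: int = 0    # destination port

@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str       # "permit" -> redirect, "deny" -> pass through
    proto: str        # "ip", "udp" or "tcp"
    dst_net: Optional[ipaddress.IPv4Network]
    sport: Optional[int]
    dport: Optional[int]

def port_number(token: str) -> int:
    """Resolve a port keyword (dns, bootps, ...) or a numeric port."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Huawei 'address wildcard' -> network; wildcard 0 is an exact host, 0.0.0.255 a /24."""
    bits = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    if (bits + 1) & bits:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - bits.bit_length()), strict=False)

def parse_rule(line: str) -> Rule:
    """Parse 'rule <id> permit|deny <proto> [destination A W] [source-port|destination-port eq P]'."""
    tok = line.split()
    dst_net = sport = dport = None
    i = 4
    while i < len(tok):
        if tok[i] == "destination":
            dst_net = wildcard_to_network(tok[i + 1], tok[i + 2])
        elif tok[i] == "source-port" and tok[i + 1] == "eq":
            sport = port_number(tok[i + 2])
        elif tok[i] == "destination-port" and tok[i + 1] == "eq":
            dport = port_number(tok[i + 2])
        elif tok[i] == "source":
            # The note above says source addresses must not appear in a redirection ACL.
            raise ValueError(f"source address not allowed in a redirection ACL: {line!r}")
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in {line!r}")
        i += 3  # every accepted clause is three tokens long
    return Rule(int(tok[1]), tok[2], tok[3], dst_net, sport, dport)

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet satisfies every field the rule specifies."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst_net is not None and ipaddress.IPv4Address(pkt.dst) not in rule.dst_net:
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    return rule.dport is None or pkt.dport == rule.dport

def redirect_decision(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return ('redirect' or 'pass', id of the first matching rule or None)."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if matches(rule, pkt):
            return ("redirect" if rule.action == "permit" else "pass", rule.rule_id)
    return ("pass", None)  # assumption: unmatched traffic is not redirected

# Redirection ACL 3001 exactly as configured on SwitchC.
ACL_3001 = [parse_rule(r) for r in (
    "rule 1 deny udp destination-port eq dns",
    "rule 2 deny udp source-port eq dns",
    "rule 3 deny udp destination-port eq bootps",
    "rule 4 deny udp destination-port eq bootpc",
    "rule 5 deny udp source-port eq bootpc",
    "rule 6 deny udp source-port eq bootps",
    "rule 7 deny ip destination 192.168.100.2 0",
    "rule 8 permit ip",
)]

# Constructed sample traffic from a terminal that has not yet passed the check.
SAMPLES = {
    "dns_query": Packet("udp", "192.168.10.1", sport=51000, dport=53),
    "dhcp_discover": Packet("udp", "255.255.255.255", sport=68, dport=67),
    "portal_to_ise": Packet("tcp", "192.168.100.2", sport=51001, dport=8443),
    "web_browsing": Packet("tcp", "203.0.113.10", sport=51002, dport=80),
    "ping": Packet("icmp", "203.0.113.10"),
}
```

Swapping the last rule for `rule 8 deny ip` makes every remaining packet a pass-through with no redirection, which is the effect the note warns about.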

    4. Configure a URL template.

      [SwitchC] url-template name huawei
      [SwitchC-url-template-huawei] url https://192.168.100.2:8443/portal/g#p=GaBXNbzRZ9YLVskqZAVGPqxwxo&action=cpp   //Configure the URL of the Client Provisioning page. For details on how to obtain the URL, see "Obtain the URL of the Client Provisioning page".
      [SwitchC-url-template-huawei] parameter start-mark #   //Change the start character in the URL from # to ?.
      [SwitchC-url-template-huawei] url-parameter user-mac client_mac   //Configure the URL to carry the user MAC address.
      [SwitchC-url-template-huawei] quit

    5. Configure a RADIUS server template.

      [SwitchC] radius-server template dot1x
      [SwitchC-radius-dot1x] radius-server authentication 192.168.100.2 1812 source ip-address 192.168.100.1   //Configure the ISE as the RADIUS authentication server.
      [SwitchC-radius-dot1x] radius-server accounting 192.168.100.2 1813 source ip-address 192.168.100.1   //Configure the ISE as the RADIUS accounting server.
      [SwitchC-radius-dot1x] radius-server shared-key cipher Huawei@2017   //Set the RADIUS shared key to Huawei@2017.
      [SwitchC-radius-dot1x] calling-station-id mac-format hyphen-split mode2 uppercase   //Set the format of the MAC address in the Calling-Station-Id attribute of RADIUS packets to XX-XX-XX-XX-XX-XX.
      [SwitchC-radius-dot1x] undo radius-server user-name domain-included   //Configure the switch not to modify the original user name in the packets sent to the RADIUS server.
      [SwitchC-radius-dot1x] quit
      [SwitchC] radius-server authorization attribute-decode-sameastemplate   //Configure the switch to parse the Calling-Station-Id attribute based on the configuration in the RADIUS server template.

    6. Configure AAA schemes and an authentication domain.

      1. Configure an AAA authentication scheme.
        [SwitchC] aaa
        [SwitchC-aaa] authentication-scheme auth
        [SwitchC-aaa-authen-auth] authentication-mode radius   //Set the authentication mode to RADIUS.
        [SwitchC-aaa-authen-auth] quit
      2. Configure an AAA accounting scheme. You must set the accounting mode to RADIUS so that the RADIUS server can maintain the account status, such as login, log-off, and forced log-off.
        [SwitchC-aaa] accounting-scheme acco
        [SwitchC-aaa-accounting-acco] accounting-mode radius   //Set the accounting mode to RADIUS.
        [SwitchC-aaa-accounting-acco] accounting realtime 3   //Set the real-time accounting interval to 3 minutes.
        [SwitchC-aaa-accounting-acco] quit
      3. Configure a user authentication domain.
        [SwitchC-aaa] domain huawei.com
        [SwitchC-aaa-domain-huawei.com] authentication-scheme auth
        [SwitchC-aaa-domain-huawei.com] accounting-scheme acco
        [SwitchC-aaa-domain-huawei.com] radius-server dot1x
        [SwitchC-aaa-domain-huawei.com] quit
        [SwitchC-aaa] quit
        [SwitchC] domain huawei.com   //Configure the authentication domain huawei.com as the global default authentication domain.

    7. Enable authentication for access users.

      1. Set the NAC mode to unified.

        NOTE:

        By default, the NAC unified mode is used. If the current NAC mode on the switch is common mode, you must save the configuration first, run the authentication unified-mode command, and enter y to restart the switch immediately. The NAC mode then can be successfully changed to the unified mode.

        [SwitchC] authentication unified-mode
      2. Configure an 802.1X access profile.
        [SwitchC] dot1x-access-profile name 802.1x-authen
        [SwitchC-dot1x-access-profile-802.1x-authen] quit
      3. Configure an authentication profile.
        [SwitchC] authentication-profile name auth-pro
        [SwitchC-authen-profile-auth-pro] dot1x-access-profile 802.1x-authen
        [SwitchC-authen-profile-auth-pro] quit
      4. Enable 802.1X authentication on GE1/0/1 and GE1/0/2.
        [SwitchC] interface gigabitethernet 1/0/1
        [SwitchC-GigabitEthernet1/0/1] authentication-profile auth-pro
        [SwitchC-GigabitEthernet1/0/1] quit
        [SwitchC] interface gigabitethernet 1/0/2
        [SwitchC-GigabitEthernet1/0/2] authentication-profile auth-pro
        [SwitchC-GigabitEthernet1/0/2] quit
        [SwitchC] quit

  2. Configure the ISE.
    1. Log in to the ISE.

      1. Open Internet Explorer, enter the ISE access address in the address bar, and press Enter.

      2. Enter the ISE administrator user name and password to log in to the ISE.

    2. Configure user information.

      1. Choose Administration > Identity Management > Groups. Choose User Identity Groups on the left. Click Add on the right to create the group Employee. After completing the configuration, click Submit.


      2. Choose Administration > Identity Management > Identities. Choose Users on the left. Click Add on the right to configure user information, set the user name to Kau and password to Huawei@1234, and add the user to the group Employee. After completing the configuration, click Submit.


    3. Configure the access authentication device.

      1. Configure Huawei extended RADIUS attributes. Choose Policy > Policy Elements > Dictionaries. Choose System > Radius > RADIUS Vendors > HW on the left. Click Dictionary Attributes on the right and click Add to add the Huawei extended RADIUS attributes HW-Data-Filter, HW-Portal-URL, HW-Redirect-ACL, and HW-Ext-Specific. Table 2-58 describes these attributes. The following example shows how to add the attribute HW-Portal-URL. The configurations for adding the other attributes are similar and are not provided here. After completing the configuration, click Submit.

        NOTE:

        If the ISE does not have the Huawei extended RADIUS attribute dictionary HW, create it manually. Huawei's vendor ID is 2011.

        Table 2-58  RADIUS attribute information

        Attribute Name    Data Type   Direction   ID
        HW-Data-Filter    STRING      Both        82
        HW-Portal-URL     STRING      Both        156
        HW-Redirect-ACL   STRING      Both        173
        HW-Ext-Specific   STRING      Both        238


      2. Configure an access authentication device profile. Choose Administration > Network Resources > Network Device Profiles. Click Add to create the access authentication device profile HUAWEI, and configure the profile according to the following table. After completing the configuration, click Jump To Top and Submit.

        Table 2-59  Access authentication device profile HUAWEI

        Name: HUAWEI
        Vendor: Other
        Supported Protocols: RADIUS, TACACS+, Trustsec
        RADIUS Dictionaries: HW
        Authentication/Authorization > Flow Type Conditions: Wired 802.1X detected if the following condition(s) are met:
        • "Radius:NAS-Port-Type" = "Ethernet"
        • "Radius:Service-Type" = "Framed"
        Change of Authorization (CoA):
        • CoA by: RADIUS
        • Default CoA Port: 3799
        • Timeout Interval: 5
        • Retry Count: 2
        Change of Authorization (CoA) > Disconnect: RFC 5176
        • "Radius:Acct-Session-Id" = "0"
        • "Radius:Acct-Terminate-Cause" = "Admin Reset"
        Change of Authorization (CoA) > Disconnect: Port Bounce and Port Shutdown
        Change of Authorization (CoA) > Re-authenticate: Basic, Rerun, and Last
        Change of Authorization (CoA) > CoA Push: RFC 5176
        • "HW:HW-Ext-Specific" = "user-command=1"
        • "Radius:Acct-Session-Id" = "0"
        Redirect:
        • Type: Static URL
        • Client MAC Address: client_mac

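
The dictionary entries in Table 2-58 and the CoA Push attributes in the device profile above are what the ISE actually puts on the wire. As an added example (not Cisco or Huawei code), the following Python encodes those four Huawei attributes in the RFC 2865 Vendor-Specific layout under vendor ID 2011 and decodes them back, so an Access-Accept or CoA-Request captured between the ISE and SwitchC can be checked against the intended authorization. The assumption that the posture_redirect profile maps to HW-Redirect-ACL=3001 and HW-Portal-URL=huawei is taken from the switch output later on this page, not from the ISE figures.

```python
"""Huawei RADIUS vendor-specific attribute (VSA) codec.

Added example, not Cisco or Huawei code. Encodes the attributes listed
in Table 2-58 in the RFC 2865 Vendor-Specific (type 26) layout and
decodes them again, so a captured Access-Accept or CoA-Request can be
checked against the authorization the policy is expected to deliver.
"""
import struct
from typing import List, Tuple

HUAWEI_VENDOR_ID = 2011      # Huawei's vendor ID, as stated in the note above
VENDOR_SPECIFIC = 26         # RFC 2865 attribute type for VSAs
ACCT_SESSION_ID = 44         # RFC 2866 standard attribute carried in the CoA

# Vendor-type IDs from Table 2-58; all four are STRING attributes.
HW_ATTRS = {
    "HW-Data-Filter": 82,
    "HW-Portal-URL": 156,
    "HW-Redirect-ACL": 173,
    "HW-Ext-Specific": 238,
}
HW_NAMES = {vtype: name for name, vtype in HW_ATTRS.items()}


def encode_attr(atype: int, value: bytes) -> bytes:
    """Encode a standard attribute: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_vsa(name: str, value: str) -> bytes:
    """Encode one Huawei attribute as a Vendor-Specific AVP.

    Layout (RFC 2865 section 5.26): Type(1) Length(1) Vendor-Id(4)
    Vendor-Type(1) Vendor-Length(1) String. Vendor-Length counts
    itself, the Vendor-Type byte and the string.
    """
    data = value.encode("utf-8")
    vendor_len = 2 + len(data)
    body = struct.pack("!IBB", HUAWEI_VENDOR_ID, HW_ATTRS[name], vendor_len) + data
    return encode_attr(VENDOR_SPECIFIC, body)


def decode_attrs(blob: bytes) -> List[Tuple[str, str]]:
    """Walk a RADIUS attribute list and name the Huawei VSAs it carries.

    Huawei VSAs come back as (attribute name, string value). Anything
    else comes back as ("type-N", hex value) so nothing is silently
    dropped. Malformed lengths raise instead of being skipped over.
    """
    out: List[Tuple[str, str]] = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        body = blob[i + 2:i + alen]
        i += alen
        if atype == VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            if vendor_id == HUAWEI_VENDOR_ID and vtype in HW_NAMES and vlen == len(body) - 4:
                out.append((HW_NAMES[vtype], body[6:].decode("utf-8", "replace")))
                continue
        out.append((f"type-{atype}", body.hex()))
    return out


def build_posture_redirect() -> bytes:
    """Authorization for the posture_redirect profile on this page.

    Assumption (not confirmed by the page's figures): the profile maps
    to HW-Redirect-ACL carrying the ACL number 3001 and HW-Portal-URL
    carrying the URL template name huawei, which is what the
    'display access-user user-id' output on the switch reports.
    """
    return encode_vsa("HW-Redirect-ACL", "3001") + encode_vsa("HW-Portal-URL", "huawei")


def build_coa_push(session_id: str) -> bytes:
    """Attributes of the CoA Push defined in the HUAWEI device profile:
    HW-Ext-Specific = user-command=1 plus the session's Acct-Session-Id."""
    return (encode_vsa("HW-Ext-Specific", "user-command=1")
            + encode_attr(ACCT_SESSION_ID, session_id.encode("ascii")))
```
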
      3. Configure the access authentication device. Choose Administration > Network Resources > Network Devices. Click Network devices on the left. Click Add on the right to add the access authentication device SwitchC, and configure the device according to the following table. After completing the configuration, click Submit.

        Table 2-60  Access authentication device SwitchC

        Name: SwitchC
        IP Address: 192.168.100.1/24
        Device Profile: HUAWEI
        RADIUS Authentication Settings > Shared Secret: Huawei@2017


    4. (Optional) Configure an authentication protocol profile.

      # Choose Policy > Policy Elements > Results. Choose Authentication > Allowed Protocols on the left. Click Add on the right to create an authentication protocol profile, and select authentication protocols based on actual requirements. After completing the configuration, click Submit.

      NOTE:

      The authentication protocol profile Default Network Access used in this example is the default authentication protocol profile of the ISE. If the profile meets actual requirements, you do not need to create a profile.

    5. Configure authentication policies.

      # Choose Policy > Authentication. Set Policy Type to Rule-Based. Click the triangle behind Edit next to the first authentication policy. Click Insert new row above to create the authentication policy wired_802.1x-authen, and configure the policy according to the following figure. After completing the configuration, click Done and Save.

      NOTE:

      Wired_802.1X is the default rule that 802.1X authentication for wired users must meet on the ISE.


    6. Configure authorization policies.

      1. Configure an authorization redirection ACL profile. Choose Policy > Policy Elements > Results. Choose Authorization > Authorization Profiles on the left. Click Add on the right to create the authorization redirection ACL profile posture_redirect, and configure the profile according to the following figure. After completing the configuration, click Submit.


      2. Configure an authorization profile to reject user access. Create the authorization profile Denyany and configure the profile according to the following figure. After completing the configuration, click Submit.

        NOTE:

        The following shows how to configure the ISE to deliver dynamic ACLs to reject user access. You can also use the default authorization profile DenyAccess of the ISE in actual scenarios.


      3. Obtain the URL of the Client Provisioning page. Open the authorization profile posture_redirect, obtain the URL https://iseHost:8443/portal/g?p=GaBXNbzRZ9YLVskqZAVGPqxwxo under Common Tasks, and perform the following operations:
        • Change iseHost to the ISE's IP address 192.168.100.2.
        • Change ? to #.
        • Add &action=cpp to the end of the URL to indicate that the ISE performs the Posture Service for users.
        https://192.168.100.2:8443/portal/g#p=GaBXNbzRZ9YLVskqZAVGPqxwxo&action=cpp is the URL of the Client Provisioning page and must be configured on the switch.


      4. Configure an authorization redirection ACL policy. Choose Policy > Authorization. Click the triangle behind Edit next to the first authorization policy. Click Insert New Rule Above to create the authorization policy Author_Policy_Check, and configure the policy according to the following table. After completing the configuration, click Done and Save.

        Table 2-61  Authorization redirection ACL policy Author_Policy_Check

        Conditions:
        • "Compound Conditions" "Wired_802.1X"
        • "Session:PostureStatus" "EQUALS" "Unknown"
        • "DEVICE:Device Type" "EQUALS" "All Device Types#HUAWEI"
        • "RADIUS:State" "CONTAINS" "ise22"
        NOTE: In this example, ise22 is the host name of the ISE.
        Permissions: posture_redirect


      5. Configure an authorization policy for terminals that pass the check. Create the authorization policy Author_Policy and configure the policy according to the following table. After completing the configuration, click Done and Save.

        Table 2-62  Authorization policy Author_Policy for terminals that pass the check

        Conditions:
        • "Compound Conditions" "Wired_802.1X"
        • "Session:PostureStatus" "EQUALS" "Compliant"
        Permissions: PermitAccess


      6. Configure an authorization policy for terminals that do not pass the check. Create the authorization policy Author_Fail and configure the policy according to the following table. After completing the configuration, click Done and Save.

        Table 2-63  Authorization policy Author_Fail for terminals that do not pass the check

        Conditions: "Session:PostureStatus" "EQUALS" "NonCompliant"
        Permissions: Denyany


    7. Configure the Client Provisioning.

      1. Upload the AnyConnect to the ISE. In this example, AnyConnectDesktopWindows 4.4.243.0 and AnyConnectComplianceModuleWindows 4.2.520.0 are used. Choose Policy > Policy Elements > Results. Choose Client Provisioning > Resources on the left. Click Add on the right. Two methods are available for uploading the AnyConnect to the ISE:
        • Agent resources from Cisco site: Directly download the AnyConnect from the Cisco website.
        • Agent resources from local disk: Download the AnyConnect from the Cisco website to a local disk, and then upload it from the local disk to the ISE.
        Choose a method based on actual requirements and upload the AnyConnect as prompted. The details are not provided here.
      2. Configure the AnyConnect configuration file profile. Choose Policy > Policy Elements > Results. Choose Client Provisioning > Resources on the left. Click Add on the right and select NAC Agent or AnyConnect Posture Profile. Set Posture Agent Profile Settings to AnyConnect. Set the profile name to PostureSettings and Server name rules in the Posture Protocol table to *. Retain the default values of other parameters. Click Submit.


      3. Add the AnyConnect configuration. Choose Policy > Policy Elements > Results. Choose Client Provisioning > Resources on the left. Click Add on the right, select AnyConnect Configuration, and configure the AnyConnect according to the following figure. After completing the configuration, click Submit.


      4. Configure a Client Provisioning rule. Choose Policy > Client Provisioning. Click the triangle behind Edit next to the first Client Provisioning rule. Click Insert new policy above to create the Client Provisioning rule CPP, and configure the rule according to the following table. After completing the configuration, click Done and Save.

        Table 2-64  Client Provisioning rule CPP

        Operating Systems: Windows All
        Results: AnyConnect Configuration


    8. Configure the Posture Service.

      1. Configure global parameters for the Posture Service. Choose Administration > System > Settings. Choose Posture > General Settings on the left. Remediation Timer indicates the duration for the ISE to wait for a terminal to be repaired. If the repair is not complete after the duration expires, the AnyConnect notifies the ISE that the terminal status is NonCompliant (Default Posture Status). Automatically Close Login Success Screen After indicates the time after which the login success page is closed upon a user login success. After completing the configuration, click Save.


      2. Configure terminal status check items. In this example, the ISE checks whether user terminals run the cmd program. Configure terminal status check items based on actual requirements. Choose Policy > Policy Elements > Conditions. Choose Posture > Application Condition on the left. Click Add on the right to create the condition cmd_check that terminals must meet, and configure the condition according to the following figure. After completing the configuration, click Submit.


      3. Configure a repair action for terminals that do not pass the check. Choose Policy > Policy Elements > Results. Click Posture > Remediation Actions > Launch Program Remediations on the left. Click Add on the right to create the terminal repair action cmd_rem. Set Remediation Type to Manual (manual repair), Program Installation Path to SYSTEM_32, and Program Executable to cmd.exe, and click Add. After completing the configuration, click Submit.


      4. Configure the terminal check policy. Choose Policy > Policy Elements > Results. Choose Posture > Remediation Actions > Requirements on the left. Click the triangle behind Edit next to the first requirement. Click Insert new Requirement to create the terminal check policy cmd_requirement, and configure the policy according to the following table. After completing the configuration, click Done and Save.

        Table 2-65  Terminal check policy cmd_requirement

        Operating Systems: Windows All
        Conditions: cmd_check
        Remediation Actions: cmd_rem


      5. Configure a rule for applying the terminal check policy. Choose Policy > Posture. Create the rule posture_policy for applying the terminal check policy, and configure the rule based on the following table. After completing the configuration, click Done and Save.

        Table 2-66  Rule posture_policy for applying the terminal check policy

        Operating Systems: Windows All
        Requirements: cmd_requirement


  3. Verify the configuration.
    1. Configure an 802.1X client on the terminal.

      # If the operating system has a built-in standard 802.1X client, see "Configuring the Standard 802.1X client Provided by the Operating System" in Agile Controller-Campus Product Documentation for terminal configurations before authentication.

    2. (Optional) Modify the DNS file on the terminal.

      # If no DNS server is configured on the network, you need to modify the DNS file on the terminal and configure the mapping between the ISE domain name and IP address. The detailed configurations are not provided here.

    3. Connect the terminal to the network.

      # Connect the terminal to the network. Enter the user name Kau and password Huawei@1234 in the Windows Security dialog box that is displayed. The terminal then passes authentication. However, because the ISE detects that the value of Session:PostureStatus in the packet equals Unknown when performing authorization for the terminal user, the ISE authorizes a redirection ACL and URL template to the user. In this case, when the user visits any IP address or website (excluding the IP addresses of the DHCP server and DNS server, and the website of the ISE), the access authentication device redirects the user to the ISE, and the ISE performs the Posture Service for the user terminal. Run the display access-user command on the access authentication device to check information about online users. The information is as follows:

      <SwitchC> display access-user
      ------------------------------------------------------------------------------
       UserID Username                IP address       MAC            Status
      ------------------------------------------------------------------------------
       63     Kau                     192.168.10.254   fc3f-dbfc-12a0 Success
      ------------------------------------------------------------------------------
       Total: 1, printed: 1
      <SwitchC> display access-user user-id 63                                                                                  Basic:                                                                             User ID                         : 63                                             User name                       : Kau                                            Domain-name                     : default                                        User MAC                        : fc3f-dbfc-12a0                                 User IP address                 : 192.168.10.254                                   User vpn-instance               : -                                              User IPv6 address               : -                                              User access Interface           : GigabitEthernet1/0/1                           User vlan event                 : Success                                        QinQVlan/UserVlan               : 0/10                                         User vlan source                : user request                                   User access time                : 2017/05/23 07:12:55                            User accounting session ID      : S770600001000004090785d3d000003f             Option82 information            : -                                              User access type                : 802.1x                                         Redirect Acl Id(Effective)      : 3001                                           Push URL content                : huawei                                         Terminal Device Type            : Data Terminal                                                                                                                 AAA:                                                                               User authentication type        : 802.1x authentication                          Current authentication method   : RADIUS                                         Current 
authorization method    : -                                              Current accounting method       : RADIUS        

    4. Perform the Posture Service.

      1. Open a browser and visit any IP address or website (excluding the IP addresses of the DHCP server and DNS server, and the website of the ISE). The access authentication device redirects the user to the ISE, and the ISE performs the Posture Service for the terminal. Click Start.


      2. Click This is my first time here and Click here to download and install AnyConnect.


      3. If AnyConnect detects that the cmd program is not running on the terminal, you need to repair it manually. Click Start in the dialog box that is displayed to repair the terminal.


      4. After the Posture Service is finished and the terminal status satisfies the specified conditions, the terminal passes authentication and the ISE grants normal network access rights to the terminal user.


      5. Run the display access-user command on the access authentication device to check information about online users.

        <SwitchC> display access-user
        ------------------------------------------------------------------------------
        UserID Username                IP address       MAC            Status
        ------------------------------------------------------------------------------
        63     Kau                     192.168.10.254   fc3f-dbfc-12a0 Success
        ------------------------------------------------------------------------------
        Total: 1, printed: 1

        <SwitchC> display access-user user-id 63
        Basic:
          User ID                         : 63
          User name                       : Kau
          Domain-name                     : default
          User MAC                        : fc3f-dbfc-12a0
          User IP address                 : 192.168.10.254
          User vpn-instance               : -
          User IPv6 address               : -
          User access Interface           : GigabitEthernet1/0/1
          User vlan event                 : Success
          QinQVlan/UserVlan               : 0/10
          User vlan source                : user request
          User access time                : 2017/05/23 07:27:37
          User accounting session ID      : S7706000010000040906e392d000003e
          Option82 information            : -
          User access type                : 802.1x
          Terminal Device Type            : Data Terminal

        AAA:
          User authentication type        : 802.1x authentication
          Current authentication method   : RADIUS
          Current authorization method    : -
          Current accounting method       : RADIUS

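The difference between the two display access-user user-id outputs above (a Redirect Acl Id(Effective) and Push URL content entry before the Posture Service, neither afterwards) is what an operator checks to tell a user who is still held at the posture portal from one with full access. The following added example is not Huawei or Cisco code: it parses that output into fields and reports the redirect state. The two dumps are constructed from the field names and values shown on this page, and the "Name : value" one-per-line layout is taken from the output above.

```python
"""Check from 'display access-user user-id' output whether a user is still
held in the redirect (pre-posture) state or has full access.

Added example for this section; it is not Huawei or Cisco code. The two
dumps below are constructed from the fields shown on the page; the
one-"Name : value"-per-line layout is the layout of the output above.
"""
import re

# One "Field name : value" pair per line; section headers like "Basic:" have no value.
FIELD_RE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")

BEFORE_POSTURE = """\
Basic:
  User ID                         : 63
  User name                       : Kau
  User MAC                        : fc3f-dbfc-12a0
  User IP address                 : 192.168.10.254
  User access Interface           : GigabitEthernet1/0/1
  User access time                : 2017/05/23 07:12:55
  User access type                : 802.1x
  Redirect Acl Id(Effective)      : 3001
  Push URL content                : huawei
AAA:
  User authentication type        : 802.1x authentication
  Current authentication method   : RADIUS
"""

AFTER_POSTURE = """\
Basic:
  User ID                         : 63
  User name                       : Kau
  User MAC                        : fc3f-dbfc-12a0
  User IP address                 : 192.168.10.254
  User access Interface           : GigabitEthernet1/0/1
  User access time                : 2017/05/23 07:27:37
  User access type                : 802.1x
AAA:
  User authentication type        : 802.1x authentication
  Current authentication method   : RADIUS
"""


def parse_access_user(text: str) -> dict:
    """Return {field name: value} for one user's dump, skipping section headers."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group("value"):
            fields[m.group("name")] = m.group("value")
    return fields


def posture_state(fields: dict) -> dict:
    """Summarise what the switch is enforcing for the user.

    A 'Redirect Acl Id(Effective)' entry means the ISE has pushed the
    redirection ACL (and usually a URL template): the user is authenticated
    but every non-exempt flow is still redirected to the posture portal.
    """
    redirect_acl = fields.get("Redirect Acl Id(Effective)")
    return {
        "user": fields.get("User name"),
        "mac": fields.get("User MAC"),
        "ip": fields.get("User IP address"),
        "interface": fields.get("User access Interface"),
        "redirect_acl": redirect_acl,
        "url_template": fields.get("Push URL content"),
        "in_redirect": redirect_acl is not None,
    }


def users_still_redirected(dumps) -> list:
    """Given several per-user dumps, return the (user, mac) pairs still in redirect."""
    out = []
    for dump in dumps:
        st = posture_state(parse_access_user(dump))
        if st["in_redirect"]:
            out.append((st["user"], st["mac"]))
    return out


if __name__ == "__main__":
    for label, dump in (("before posture", BEFORE_POSTURE), ("after posture", AFTER_POSTURE)):
        print(label, posture_state(parse_access_user(dump)))
    print("still redirected:", users_still_redirected([BEFORE_POSTURE, AFTER_POSTURE]))
```

Running the script against both dumps reports Kau as redirected by ACL 3001 with URL template huawei in the first and as fully authorized in the second; in practice the dumps come from the switch CLI and the check can be repeated per user ID from the display access-user table.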
Configuration Files

SwitchA configuration file

#
 sysname SwitchA
#
 vlan batch 10
#
 l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 l2protocol-tunnel user-defined-protocol dot1x enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10
 l2protocol-tunnel user-defined-protocol dot1x enable
#
return

SwitchB configuration file

#
 sysname SwitchB
#
 vlan batch 20
#
 l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 20
 l2protocol-tunnel user-defined-protocol dot1x enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
 l2protocol-tunnel user-defined-protocol dot1x enable
#
return

SwitchC configuration file

#
 sysname SwitchC
#
 vlan batch 10 20 100
#
 authentication-profile name auth-pro
  dot1x-access-profile 802.1x-authen
#
 domain huawei.com
#
 radius-server authorization attribute-decode-sameastemplate
#
radius-server template dot1x
 radius-server shared-key cipher %^%#fvWn,^7)/=nn]v%M<<j~g%pdR]\"(T}k\Z55=;j,%^%#
 radius-server authentication 192.168.100.2 1812 source ip-address 192.168.100.1 weight 80
 radius-server accounting 192.168.100.2 1813 source ip-address 192.168.100.1 weight 80
 undo radius-server user-name domain-included
 calling-station-id mac-format hyphen-split mode2 uppercase
#
acl number 3001
 rule 1 deny udp destination-port eq dns
 rule 2 deny udp source-port eq dns
 rule 3 deny udp destination-port eq bootps
 rule 4 deny udp destination-port eq bootpc
 rule 5 deny udp source-port eq bootpc
 rule 6 deny udp source-port eq bootps
 rule 7 deny ip destination 192.168.100.2 0
 rule 8 permit ip
#
url-template name huawei
 url https://192.168.100.2:8443/portal/g#p=GaBXNbzRZ9YLVskqZAVGPqxwxo&action=cpp
 parameter start-mark #
 url-parameter user-mac client_mac
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 3
 domain huawei.com
  authentication-scheme auth
  accounting-scheme acco
  radius-server dot1x
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
#
interface Vlanif100
 ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 authentication-profile auth-pro
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
 authentication-profile auth-pro
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 100
#
dot1x-access-profile name 802.1x-authen
#
return

Configuring Authentication for Access Users on Cisco ISE (BYOD Scenario)

This section includes the following content:

BYOD

Bring your own device (BYOD) has become a trend as the Internet develops rapidly. Many enterprises allow employees to connect to enterprise networks wirelessly using their own mobile terminals such as mobile phones, tablets, and laptops. BYOD satisfies employees' pursuit of new technology and desire to be unique, and improves their working efficiency. However, employees' own mobile terminals may bring security risks to enterprise networks, and traditional security technologies that authenticate and authorize users based on user roles cannot secure enterprise networks in this scenario. Terminal type identification technology is introduced to solve this problem. This technology identifies the types of mobile terminals that employees use to connect to enterprise networks. Enterprises can use it to implement authentication and authorization based on user information, device type, and device operating environment.

Networking Requirements

An enterprise allows employees to bring their own mobile terminals, and requires that users are granted different network access rights based on their terminal types.

Figure 2-43  Enterprise intranet topology 

Configuration Logic

Figure 2-44  Configuration logic of Huawei switch

Figure 2-45  Configuration logic of Cisco ISE

Configuration Notes
  • The authentication control point in this example must be an S5720HI, S5730HI, or S6720HI fixed switch, or a modular switch with an X series card, running V200R009C00 or a later version; the access switches are S5700LI switches. A Cisco ISE of version 2.0.0.306 works as the RADIUS server. It is recommended that you use ISE 2.0 or later.
  • The authentication mode in a BYOD solution must be 802.1X authentication, and cannot be set to MAC address authentication or Portal authentication.
  • The RADIUS shared keys configured on the switch and the server must be the same.
  • By default, the switch allows the packets sent to the RADIUS server to pass through. You do not need to configure an authentication-free rule for the packets on the switch.

Data Plan

Table 2-67  Basic data plan

Item

Data

SwitchA

  • GE0/0/1: VLAN 10
  • GE0/0/2: VLAN 10

SwitchB

  • GE0/0/1: VLAN 20
  • GE0/0/2: VLAN 20

SwitchC

Interfaces:
  • GE1/0/1: VLAN 10
  • GE1/0/2: VLAN 20
  • GE1/0/3: VLAN 100
DHCP server:
  • AP: 192.168.10.1/24
  • Wireless terminal: 192.168.11.1/24
  • Wired terminal: 192.168.20.1/24

Table 2-68  Authentication data plan

Item

Data

RADIUS server template

  • Name: dot1x
  • RADIUS shared key: Huawei@2017
  • Source IP address: 192.168.100.1/24
  • IP address of the RADIUS server: 192.168.100.2/24
  • Authentication port: 1812
  • Accounting port: 1813

AAA authentication scheme

  • Name: auth
  • Authentication mode: RADIUS

AAA accounting scheme

  • Name: acco
  • Accounting mode: RADIUS
  • Real-time accounting interval: 3 minutes

Authentication domain

  • Name: huawei.com
  • Referenced profiles: AAA authentication scheme auth, AAA accounting scheme acco, RADIUS server template dot1x, and forcible URL template u1

802.1X access profile

  • Name: 802.1x-authen
  • Authentication protocol: EAP

Authentication profile

  • Name: auth-pro
  • Referenced profile: 802.1x access profile 802.1x-authen

Table 2-69  WLAN data plan

Item

Data

Management VLAN

10

Regulatory domain profile

  • Name: default
  • Country code: CN

Security profile

  • Name: huawei_sec
  • Security policy: WPA+dot1x+AES

SSID profile

  • Name: huawei_ssid
  • SSID name: Employee

VAP profile

  • Name: huawei_vap
  • Forwarding mode: tunnel forwarding
  • Service VLAN: VLAN 11
  • Referenced profiles: security profile huawei_sec, SSID profile huawei_ssid, and authentication profile auth-pro

AP group

  • Name: huawei_ap
  • Referenced profiles: regulatory domain profile default and VAP profile huawei_vap

Procedure

  1. Configure the switches.
    1. Add interfaces to VLANs to ensure network connectivity.

      # Configure SwitchA. The configuration of SwitchB is similar and is not provided here.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchA
      [SwitchA] vlan batch 10
      [SwitchA] interface gigabitethernet 0/0/1
      [SwitchA-GigabitEthernet0/0/1] port link-type access
      [SwitchA-GigabitEthernet0/0/1] port default vlan 10
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2
      [SwitchA-GigabitEthernet0/0/2] port link-type trunk
      [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
      [SwitchA-GigabitEthernet0/0/2] quit

      # Configure SwitchC.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchC
      [SwitchC] vlan batch 10 11 20 100
      [SwitchC] interface gigabitethernet 1/0/1
      [SwitchC-GigabitEthernet1/0/1] port link-type trunk
      [SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
      [SwitchC-GigabitEthernet1/0/1] quit
      [SwitchC] interface gigabitethernet 1/0/2
      [SwitchC-GigabitEthernet1/0/2] port link-type trunk
      [SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
      [SwitchC-GigabitEthernet1/0/2] quit
      [SwitchC] interface gigabitethernet 1/0/3
      [SwitchC-GigabitEthernet1/0/3] port link-type access
      [SwitchC-GigabitEthernet1/0/3] port default vlan 100
      [SwitchC-GigabitEthernet1/0/3] quit

    2. Configure SwitchC as a DHCP server to allocate IP addresses to the AP and user terminals.

      [SwitchC] dhcp enable   //Enable the DHCP service globally.
      [SwitchC] interface Vlanif 10
      [SwitchC-Vlanif10] ip address 192.168.10.1 24
      [SwitchC-Vlanif10] dhcp select interface   //Configure SwitchC to allocate an IP address to the AP.
      [SwitchC-Vlanif10] quit
      [SwitchC] interface Vlanif 11
      [SwitchC-Vlanif11] ip address 192.168.11.1 24
      [SwitchC-Vlanif11] dhcp select interface   //Configure SwitchC to allocate IP addresses to wireless terminals.
      [SwitchC-Vlanif11] quit
      [SwitchC] interface Vlanif 20
      [SwitchC-Vlanif20] ip address 192.168.20.1 24
      [SwitchC-Vlanif20] dhcp select interface   //Configure SwitchC to allocate IP addresses to wired terminals.
      [SwitchC-Vlanif20] quit
      [SwitchC] interface Vlanif 100
      [SwitchC-Vlanif100] ip address 192.168.100.1 24
      [SwitchC-Vlanif100] quit

    3. Configure the Layer 2 transparent transmission function for 802.1X authentication packets. The following uses SwitchA as an example. The configuration of SwitchB is similar and is not provided here.

      [SwitchA] l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002   //group-mac can be set to any MAC address except one of the reserved multicast MAC addresses (0180-C200-0000 to 0180-C200-002F) and other special MAC addresses.
      [SwitchA] interface gigabitethernet 0/0/1
      [SwitchA-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol dot1x enable
      [SwitchA-GigabitEthernet0/0/1] bpdu enable
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2
      [SwitchA-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol dot1x enable
      [SwitchA-GigabitEthernet0/0/2] bpdu enable
      [SwitchA-GigabitEthernet0/0/2] quit

    4. Configure a redirection ACL.

      NOTE:

      A redirection ACL differs from a common ACL in the following aspects:

      • permit: indicates that the switch redirects packets instead of allowing packets matching the rule to pass through.
      • deny: indicates that the switch does not redirect packets and allows packets matching the rule to pass through.

      A redirection ACL takes precedence over a common ACL. If the RADIUS server assigns a redirection ACL and a common ACL to users simultaneously and you want to control the user rights through the common ACL, do not make the last rule of the redirection ACL rule rule-id deny ip. If the last rule of the redirection ACL is rule rule-id deny ip, the assigned common ACL does not take effect.

      Do not configure source-ip in the redirection ACL rules; otherwise, data transmission may be interrupted and authentication cannot be performed for users.

      # Configure redirection ACL 3001. Rules 1 and 2 allow DNS packets to pass through. Rule 3 allows packets to the ISE to pass through. The switch redirects other types of packets.

      [SwitchC] acl number 3001
      [SwitchC-acl-adv-3001] rule 1 deny udp destination-port eq dns
      [SwitchC-acl-adv-3001] rule 2 deny udp source-port eq dns
      [SwitchC-acl-adv-3001] rule 3 deny ip destination 192.168.100.2 0
      [SwitchC-acl-adv-3001] rule 4 permit ip
      [SwitchC-acl-adv-3001] quit

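The inverted semantics described in the note above (permit redirects, deny lets traffic through, first match wins) are easy to get backwards when writing or reviewing a redirection ACL. The following added example, which is not Huawei code, evaluates packets against such an ACL. It parses the eight-rule ACL 3001 from the SwitchC configuration file of the preceding posture-service section, which is a superset of the four-rule BYOD ACL above (the extra rules exempt DHCP), and classifies a few constructed packets from a pre-authorization client. Only the keywords these rules use are parsed, and treating "no rule matches" as pass is an assumption about the switch's default.

```python
"""Evaluate a Huawei redirection ACL as the note above describes it: the
first matching rule decides, 'permit' means redirect to the portal and
'deny' means let the packet through.

Added example, not Huawei code. The ACL text is the eight-rule ACL 3001
from the SwitchC configuration file of the preceding section; the packets
are constructed. 'No rule matches' is treated as pass (an assumption).
"""
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"dns": 53, "bootps": 67, "bootpc": 68}   # port names used by the ACL

ACL_3001_TEXT = """\
rule 1 deny udp destination-port eq dns
rule 2 deny udp source-port eq dns
rule 3 deny udp destination-port eq bootps
rule 4 deny udp destination-port eq bootpc
rule 5 deny udp source-port eq bootpc
rule 6 deny udp source-port eq bootps
rule 7 deny ip destination 192.168.100.2 0
rule 8 permit ip
"""


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                     # "permit" -> redirect, "deny" -> pass through
    proto: str                      # "ip" matches any protocol
    dst_ip: Optional[str] = None    # host match only (wildcard 0)
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if self.dst_ip is not None and pkt["dst_ip"] != self.dst_ip:
            return False
        if self.src_port is not None and pkt.get("src_port") != self.src_port:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse 'rule <id> deny|permit <proto> [destination <ip> 0] [source-port|destination-port eq <port>]'."""
    tok = line.split()
    if tok[0] != "rule" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a rule line: {line!r}")
    kw = {"rule_id": int(tok[1]), "action": tok[2], "proto": tok[3]}
    i = 4
    while i < len(tok):
        if tok[i] == "destination" and tok[i + 2] == "0":
            kw["dst_ip"] = tok[i + 1]
            i += 3
        elif tok[i] in ("source-port", "destination-port") and tok[i + 1] == "eq":
            port = PORT_NAMES.get(tok[i + 2]) or int(tok[i + 2])
            kw["src_port" if tok[i] == "source-port" else "dst_port"] = port
            i += 3
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in {line!r}")
    return Rule(**kw)


def parse_acl(text: str) -> List[Rule]:
    """Rules are evaluated in ascending rule-id order."""
    return sorted((parse_rule(l) for l in text.splitlines() if l.strip()),
                  key=lambda r: r.rule_id)


def redirect_decision(rules: List[Rule], pkt: dict) -> str:
    """'redirect' or 'pass' for one packet under redirection-ACL semantics."""
    for rule in rules:
        if rule.matches(pkt):
            return "redirect" if rule.action == "permit" else "pass"
    return "pass"            # assumption: no match means the packet is not redirected


ACL_3001 = parse_acl(ACL_3001_TEXT)

# Constructed traffic from a client that has authenticated but not yet been authorized.
SAMPLE_PACKETS = {
    "dns query":        {"proto": "udp", "dst_ip": "192.168.10.1",    "src_port": 5353,  "dst_port": 53},
    "dhcp discover":    {"proto": "udp", "dst_ip": "255.255.255.255", "src_port": 68,    "dst_port": 67},
    "https to ISE":     {"proto": "tcp", "dst_ip": "192.168.100.2",   "src_port": 50000, "dst_port": 8443},
    "http to internet": {"proto": "tcp", "dst_ip": "203.0.113.10",    "src_port": 50001, "dst_port": 80},
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:18s} -> {redirect_decision(ACL_3001, pkt)}")
```

DNS, DHCP and traffic to the ISE are passed by the deny rules, and everything else hits rule 8 and is redirected; swapping the actions of rules 7 and 8 in the text is the mistake the evaluator makes visible, because the ISE portal itself would then be redirected.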
    5. Configure a URL template.

      [SwitchC] url-template name u1
      [SwitchC-url-template-u1] url https://192.168.100.2:8443/portal/g#p=xqEy6OazGNj8gcJJBwQNJNB96O&action=nsp   //Configure the URL of the BYOD registration page. For details on how to obtain the URL, see Obtain the URL of the BYOD registration page.
      [SwitchC-url-template-u1] parameter start-mark #   //Change the start character in the URL from # to ?.
      [SwitchC-url-template-u1] url-parameter user-mac client_mac user-ipaddress ip ssid essid   //Configure parameters carried in the URL.
      [SwitchC-url-template-u1] quit

    6. Configure a RADIUS server template.

      [SwitchC] radius-server template dot1x
      [SwitchC-radius-dot1x] radius-server authentication 192.168.100.2 1812 source ip-address 192.168.100.1   //Configure the ISE as the RADIUS authentication server.
      [SwitchC-radius-dot1x] radius-server accounting 192.168.100.2 1813 source ip-address 192.168.100.1   //Configure the ISE as the RADIUS accounting server.
      [SwitchC-radius-dot1x] radius-server shared-key cipher Huawei@2017   //Set the RADIUS shared key to Huawei@2017.
      [SwitchC-radius-dot1x] calling-station-id mac-format hyphen-split mode2 uppercase   //Set the format of the MAC address in the Calling-Station-Id attribute of RADIUS packets to XX-XX-XX-XX-XX-XX.
      [SwitchC-radius-dot1x] undo radius-server user-name domain-included   //Configure the switch not to modify the original user name in the packets sent to the RADIUS server.
      [SwitchC-radius-dot1x] quit
      [SwitchC] radius-server authorization attribute-decode-sameastemplate   //Configure the switch to parse the Calling-Station-Id attribute based on the configuration in the RADIUS server template.

    7. Configure AAA schemes and an authentication domain.

      1. Configure an AAA authentication scheme.

        [SwitchC] aaa
        [SwitchC-aaa] authentication-scheme auth
        [SwitchC-aaa-authen-auth] authentication-mode radius   //Set the authentication mode to RADIUS.
        [SwitchC-aaa-authen-auth] quit

      2. Configure an AAA accounting scheme. You must set the accounting mode to RADIUS so that the RADIUS server can maintain the account status, such as login, log-off, and forced log-off.

        [SwitchC-aaa] accounting-scheme acco
        [SwitchC-aaa-accounting-acco] accounting-mode radius   //Set the accounting mode to RADIUS.
        [SwitchC-aaa-accounting-acco] accounting realtime 3   //Set the real-time accounting interval to 3 minutes.
        [SwitchC-aaa-accounting-acco] quit

      3. Configure a user authentication domain.

        [SwitchC-aaa] domain huawei.com
        [SwitchC-aaa-domain-huawei.com] authentication-scheme auth
        [SwitchC-aaa-domain-huawei.com] accounting-scheme acco
        [SwitchC-aaa-domain-huawei.com] radius-server dot1x
        [SwitchC-aaa-domain-huawei.com] quit
        [SwitchC-aaa] quit
        [SwitchC] domain huawei.com   //Configure the authentication domain huawei.com as the global default authentication domain.

    8. Configure the AP to go online.

      # Configure the AC's source interface.

      [SwitchC] capwap source interface Vlanif 11

      # Configure SwitchC to allow the AP to go online without authentication.

      [SwitchC] wlan
      [SwitchC-wlan-view] ap auth-mode no-auth

      # Create an AP group.

      [SwitchC-wlan-view] ap-group name huawei_ap
      [SwitchC-wlan-ap-group-huawei_ap] regulatory-domain-profile default
      Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
      [SwitchC-wlan-ap-group-huawei_ap] quit

    9. Configure WLAN service parameters.

      # Create a security profile.

      [SwitchC-wlan-view] security-profile name huawei_sec
      [SwitchC-wlan-sec-prof-huawei_sec] security wpa dot1x aes
      [SwitchC-wlan-sec-prof-huawei_sec] quit

      # Create an SSID profile.

      [SwitchC-wlan-view] ssid-profile name huawei_ssid
      [SwitchC-wlan-ssid-prof-huawei_ssid] ssid Employee   //Set the SSID to Employee.
      [SwitchC-wlan-ssid-prof-huawei_ssid] quit

      # Create a VAP profile.

      [SwitchC-wlan-view] vap-profile name huawei_vap
      [SwitchC-wlan-vap-prof-huawei_vap] security-profile huawei_sec
      [SwitchC-wlan-vap-prof-huawei_vap] ssid-profile huawei_ssid
      [SwitchC-wlan-vap-prof-huawei_vap] forward-mode tunnel
      [SwitchC-wlan-vap-prof-huawei_vap] service-vlan vlan-id 11
      [SwitchC-wlan-vap-prof-huawei_vap] quit

      # Bind the VAP profile to the AP group.

      [SwitchC-wlan-view] ap-group name huawei_ap
      [SwitchC-wlan-ap-group-huawei_ap] vap-profile huawei_vap wlan 1 radio all
      [SwitchC-wlan-ap-group-huawei_ap] quit
      [SwitchC-wlan-view] quit

    10. Enable authentication for access users.

      # Set the NAC mode to unified.

      NOTE:

      By default, the unified mode is used. After changing the NAC mode from common to unified, you must enter y as prompted to restart the switch immediately so that the configuration takes effect.

      [SwitchC] authentication unified-mode

      # Configure an 802.1X access profile.

      NOTE:

      By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.

      [SwitchC] dot1x-access-profile name 802.1x-authen
      [SwitchC-dot1x-access-profile-802.1x-authen] quit

      # Configure an authentication profile.

      [SwitchC] authentication-profile name auth-pro
      [SwitchC-authen-profile-auth-pro] dot1x-access-profile 802.1x-authen
      [SwitchC-authen-profile-auth-pro] quit

      # Enable 802.1X authentication for wired access users.

      [SwitchC] interface gigabitethernet 1/0/2
      [SwitchC-GigabitEthernet1/0/2] authentication-profile auth-pro
      [SwitchC-GigabitEthernet1/0/2] quit

      # Enable 802.1X authentication for wireless access users.

      [SwitchC] wlan
      [SwitchC-wlan-view] vap-profile name huawei_vap
      [SwitchC-wlan-vap-prof-huawei_vap] authentication-profile auth-pro
      Warning: This action may cause service interruption. Continue?[Y/N]y
      [SwitchC-wlan-vap-prof-huawei_vap] quit
      [SwitchC-wlan-view] commit all
      Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
      [SwitchC-wlan-view] quit

      NOTE:

      For wireless users, you can configure attributes for APs when the switch works as an AC. In versions earlier than V200R011C10, the configurations are not delivered to APs in real time; they are delivered only after you run the commit command in the WLAN view. In V200R011C10 and later versions, the commit command has been removed, and the switch delivers the configurations to APs every 5 seconds.

  2. Configure the ISE.
    1. Log in to the ISE.

      1. Open Internet Explorer, enter the ISE access address in the address bar, and press Enter.

      2. Enter the ISE administrator user name and password to log in to the ISE.

    2. Configure user information.

      1. Choose Administration > Identity Management > Groups. Choose User Identity Groups on the left. Click Add on the right to create the group Employee. After completing the configuration, click Submit.


      2. Choose Administration > Identity Management > Identities. Choose Users on the left. Click Add on the right to configure user information, set the user name to Kau and password to Huawei@1234, and add the user to the group Employee. After completing the configuration, click Submit.


      3. Choose Administration > Identity Management > External Identity Sources. Click Add on the right to create the certificate authentication profile Preloaded_Certificate_Profile, and configure the profile according to the following figure. After completing the configuration, click Submit.


      4. Choose Administration > Identity Management > Identity Source Sequences. Click Add to create the authentication source dot1x, and configure the source according to the following figure. After completing the configuration, click Submit.


    3. Configure the access authentication device.

      1. Configure Huawei extended RADIUS attributes. Choose Policy > Policy Elements > Dictionaries. Choose System > Radius > RADIUS Vendors > HW on the left. Click Dictionary Attributes on the right and click Add to add the Huawei extended RADIUS attributes 26-156 HW-Portal-URL, 26-173 HW-Redirect-ACL, and 26-238 HW-Ext-Specific. After completing the configuration, click Submit. The following example shows how to add the attribute 26-156 HW-Portal-URL. The procedures for adding the other attributes are similar and are not provided here.

        NOTE:

        If the ISE does not have the Huawei extended RADIUS attribute dictionary HW, create it manually. Huawei's vendor ID is 2011.


      2. Configure an access authentication device profile. Choose Administration > Network Resources > Network Device Profiles. Click Add to create the access authentication device profile HW, and configure the profile according to the following table. After completing the configuration, click Jump To Top and Submit.

        Table 2-70  Access authentication device profile HW

        Item

        Data

        Name

        HW

        Vendor

        Other

        Supported Protocols

        • RADIUS
        • TACACS+
        • Trustsec

        RADIUS Dictionaries

        HW

        Authentication/Authorization > Flow Type Conditions

        Wired 802.1x detected if the following condition(s) are met:
        • "Radius:NAS-Port-Type" = "Ethernet"
        • "Radius:Service-Type" = "Framed"

        Change of Authorization (CoA)

        • CoA by: RADIUS
        • Default CoA Port: 3799
        • Timeout Interval: 5
        • Retry Count: 2

        Change of Authorization (CoA) > Disconnect: RFC 5176

        • "Radius:Acct-Session-Id" = "0"
        • "Radius:Acct-Terminate-Cause" = "Admin Reset"

        Change of Authorization (CoA) > Disconnect: Port Bounce and Port Shutdown

        Change of Authorization (CoA) > Re-authenticate: Basic, Rerun, and Last

        Change of Authorization (CoA) > CoA Push: RFC 5176

        • "HW:HW-Ext-Specific" = "user-command=1"
        • "Radius:Acct-Session-Id" = "0"

        Redirect

        • Type: Static URL
        • Client IP Address: ip
        • Client MAC Address: client_mac
        • SSID: essid
      3. Configure the access authentication device. Choose Administration > Network Resources > Network Devices. Click Add on the right to add the access authentication device SwitchC, and configure the device according to the following table. After completing the configuration, click Submit.

        Table 2-71  Access authentication device SwitchC

        Item

        Data

        Name

        SwitchC

        IP Address

        192.168.100.1/24

        Device Profile

        HW

        RADIUS Authentication Settings > Shared Secret

        Huawei@2017


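Table 2-70 tells the ISE how to build its RFC 5176 messages for a Huawei NAS (Disconnect with Acct-Session-Id and Acct-Terminate-Cause set to Admin Reset, CoA Push carrying the HW-Ext-Specific value user-command=1), and Table 2-71 gives the shared secret the switch uses to authenticate them. The following added example, not Cisco or Huawei code, encodes those two packets and performs the check the NAS does on receipt: recomputing the Request Authenticator with the shared secret, which is why the keys on both sides must match. Attribute numbers are the RFC 2865/2866/5176 values; vendor ID 2011, attribute 238, the user-command value, the session ID and the secret are taken from this page. Nothing is sent; the script only builds and verifies byte strings.

```python
"""Encode and verify the RFC 5176 Disconnect and CoA-Push packets that
Table 2-70 describes, as a NAS that must validate them would.

Added example, not Cisco or Huawei code; it sends nothing. Attribute
numbers are RFC 2865/2866/5176 values; the Huawei vendor ID (2011),
HW-Ext-Specific (238), the session ID and the shared secret are from the page.
"""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43        # RFC 5176 packet codes
ATTR_VENDOR_SPECIFIC = 26                        # RFC 2865
ATTR_ACCT_SESSION_ID = 44                        # RFC 2866
ATTR_ACCT_TERMINATE_CAUSE = 49                   # RFC 2866
TERMINATE_CAUSE_ADMIN_RESET = 6                  # RFC 2866 value for "Admin Reset"
HUAWEI_VENDOR_ID = 2011
HW_EXT_SPECIFIC = 238                            # 26-238 HW-Ext-Specific


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value RADIUS attribute (length covers the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute (26) wrapping one vendor TLV."""
    inner = bytes([vendor_type, len(value) + 2]) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176 s3: Request Authenticator = MD5(Code|ID|Length|16 zero bytes|Attributes|Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """What the NAS does on receipt: recompute the authenticator with its own copy of
    the shared secret. A wrong secret or a modified packet must be silently discarded."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> list:
    """Return [(type, value), ...] from the attribute area of a packet."""
    out, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def disconnect_request(session_id: str, secret: bytes, identifier: int = 1) -> bytes:
    """Disconnect per Table 2-70: Acct-Session-Id plus Acct-Terminate-Cause = Admin Reset."""
    attrs = (attr(ATTR_ACCT_SESSION_ID, session_id.encode())
             + attr(ATTR_ACCT_TERMINATE_CAUSE, struct.pack("!I", TERMINATE_CAUSE_ADMIN_RESET)))
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


def coa_push_request(session_id: str, secret: bytes, identifier: int = 2) -> bytes:
    """CoA Push per Table 2-70: HW-Ext-Specific = user-command=1 plus Acct-Session-Id."""
    attrs = (vsa(HUAWEI_VENDOR_ID, HW_EXT_SPECIFIC, b"user-command=1")
             + attr(ATTR_ACCT_SESSION_ID, session_id.encode()))
    return build_request(COA_REQUEST, identifier, attrs, secret)


SHARED_SECRET = b"Huawei@2017"                         # Table 2-71
SESSION_ID = "S770600001000004090785d3d000003f"        # from the display access-user output

if __name__ == "__main__":
    pkt = disconnect_request(SESSION_ID, SHARED_SECRET)
    print("disconnect:", pkt.hex())
    print("valid with configured secret:", verify_request(pkt, SHARED_SECRET))
    print("valid with mismatched secret:", verify_request(pkt, b"Huawei@2018"))
    print("CoA push attributes:", parse_attributes(coa_push_request(SESSION_ID, SHARED_SECRET)))
```

The authenticator is an MD5 over the packet and the secret rather than an HMAC, so the secret's strength is all that protects the NAS from unauthorized disconnects; the page's requirement that the shared keys match on both sides is the same check seen from the switch's side.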
    4. Configure an authentication protocol profile.

      # Choose Policy > Policy Elements > Results. Choose Authentication > Allowed Protocols on the left. Click Add on the right to create the authentication protocol profile Protocols, and select authentication protocols based on actual requirements. After completing the configuration, click Submit.

      NOTE:

      The ISE provides the default authentication protocol profile Default Network Access. If the profile meets actual requirements, you do not need to create a profile.


    5. Configure authentication policies.

      # Choose Policy > Authentication. Set Policy Type to Rule-Based. Click the icon next to Edit on the right of the first authentication policy. Click Insert new row above to create the authentication policy BYOD, and configure the policy according to the following figure. After completing the configuration, click Done and Save.

      NOTE:

      Wired_802.1X and Wireless_802.1X are the default ISE rules that 802.1X authentication for wired users and wireless users, respectively, must match.


    6. Configure authorization policies.

      1. Configure an authorization redirection ACL profile. Choose Policy > Policy Elements > Results. Choose Authorization > Authorization Profiles on the left. Click Add on the right to create the authorization redirection ACL profile BYOD-ACL-Profile, and configure the profile according to the following figure. After completing the configuration, click Submit.


      2. Obtain the URL of the BYOD registration page. Open the authorization profile BYOD-ACL-Profile, obtain the URL https://iseHost:8443/portal/g?p=xqEy6OazGNj8gcJJBwQNJNB96O under Common Tasks, and perform the following operations:
        • Change iseHost to the ISE's IP address 192.168.100.2.
        • Change ? to #.
        • Add &action=nsp to the end of the URL to indicate that the ISE performs BYOD registration for users.
        https://192.168.100.2:8443/portal/g#p=xqEy6OazGNj8gcJJBwQNJNB96O&action=nsp is the URL of the BYOD registration page and must be configured on the switch.

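The three edits above turn the ISE's portal URL into the string configured in the switch's URL template (step 5 of the switch configuration), and the switch then reverses one of them when it pushes the URL to a client: parameter start-mark # turns the # back into ?, and url-parameter appends the client's MAC, IP address and SSID under the names client_mac, ip and essid that the HW device profile expects. The following added example, not Huawei or Cisco code, walks through both transformations and shows why the ? must not reach the client as a #: everything after a # is a URL fragment that the browser never sends, so the ISE would see no parameters at all. The portal URL, IP address and parameter names are the ones on this page; the client values are constructed, and the order of the appended parameters and the use of the Calling-Station-Id MAC format in the URL are assumptions.

```python
"""Show how the ISE portal URL becomes the switch's URL template and then
the redirect URL pushed to a client, and why the '?' -> '#' edit is needed.

Added example, not Huawei or Cisco code. URLs and parameter names are the
ones configured in this section; client values are constructed. Parameter
order and the MAC format inside the URL are assumptions.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

ISE_IP = "192.168.100.2"
PORTAL_URL_FROM_ISE = "https://iseHost:8443/portal/g?p=xqEy6OazGNj8gcJJBwQNJNB96O"

# url-parameter user-mac client_mac user-ipaddress ip ssid essid
URL_PARAMETER_NAMES = {"user-mac": "client_mac", "user-ipaddress": "ip", "ssid": "essid"}


def ise_url_for_switch(portal_url: str, ise_ip: str = ISE_IP, action: str = "nsp") -> str:
    """Apply the three edits from the ISE step: iseHost -> IP, first '?' -> '#', append &action=...
    The '#' stands in for '?' because '?' cannot be typed into the switch CLI (it
    triggers command help); 'parameter start-mark #' tells the switch to turn it back."""
    url = portal_url.replace("iseHost", ise_ip).replace("?", "#", 1)
    return f"{url}&action={action}"


def format_calling_station_id(mac: str) -> str:
    """fc3f-dbfc-12a0 -> FC-3F-DB-FC-12-A0 (calling-station-id mac-format hyphen-split mode2 uppercase)."""
    digits = "".join(ch for ch in mac if ch.isalnum())
    if len(digits) != 12 or any(ch not in "0123456789abcdefABCDEF" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def build_redirect_url(template_url: str, start_mark: str, user: dict,
                       names: dict = URL_PARAMETER_NAMES) -> str:
    """Turn the configured template into the URL pushed to one client."""
    base = template_url.replace(start_mark, "?", 1)
    params = {
        names["user-mac"]: format_calling_station_id(user["mac"]),   # assumed MAC format
        names["user-ipaddress"]: user["ip"],
        names["ssid"]: user["ssid"],
    }
    sep = "&" if "?" in base else "?"
    return base + sep + urlencode(params)


def query_seen_by_ise(url: str) -> dict:
    """Parameters the ISE actually receives: anything after '#' is a fragment and is never sent."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


SWITCH_TEMPLATE_URL = ise_url_for_switch(PORTAL_URL_FROM_ISE)
SAMPLE_WIRELESS_USER = {"mac": "fc3f-dbfc-12a0", "ip": "192.168.11.100", "ssid": "Employee"}  # constructed

if __name__ == "__main__":
    print("switch template :", SWITCH_TEMPLATE_URL)
    print("seen by ISE     :", query_seen_by_ise(SWITCH_TEMPLATE_URL))      # empty: '#' hides the query
    pushed = build_redirect_url(SWITCH_TEMPLATE_URL, "#", SAMPLE_WIRELESS_USER)
    print("pushed to client:", pushed)
    print("seen by ISE     :", query_seen_by_ise(pushed))
```

Pasting the template string unchanged into a browser is a quick way to reproduce the failure mode: the portal loads without p or action and cannot start BYOD registration, which is what a client sees if parameter start-mark # is missing from the template.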

      3. Configure an authorization redirection ACL policy for users before BYOD is complete. Choose Policy > Authorization. Click the icon next to Edit on the right of the first authorization policy. Click Insert New Rule Above to create the authorization policy BYOD-Author-First, and configure the policy according to the following figure. After completing the configuration, click Done and Save.


      4. Configure an authorization policy for users after BYOD is complete. Create the authorization policy BYOD-Author-Second and configure the policy according to the following figure. After completing the configuration, click Done and Save.


    7. Configure BYOD.

      1. Upload the Cisco supplicant provisioning wizard to the ISE. The wired Windows OS and wired MAC OS require WinSPWizard 1.0.0.46 (ISE 2.0 Supplicant Provisioning Wizard for Windows) and MacOsXSPWizard 1.0.0.36 (ISE 2.0 Supplicant Provisioning Wizard for Mac OsX) respectively to complete the BYOD process. Choose Policy > Policy Elements > Results. Choose Client Provisioning > Resources on the left. Click Add on the right. Two methods are available for uploading the Cisco supplicant provisioning wizard to the ISE:
        • Agent resources from Cisco site: Directly download the wizard from the Cisco website.
        • Agent resources from local disk: Download the wizard from the Cisco website to a local disk, and then upload it from the local disk to the ISE.
        Choose a method based on actual requirements. The details are not provided here.
      2. Configure a certificate profile. Choose Administration > System > Certificates. Choose Certificate Authority > Certificate Templates on the left. Click Add on the right to create the certificate profile internalcertBYOD, and configure the profile according to the following figure. After completing the configuration, click Submit.


      3. Define a configuration file. Choose Policy > Policy Elements > Results. Choose Client Provisioning > Resources on the left. Click Add on the right and select Native Supplicant Profile. In the following example, the Windows OS is used for wired terminals and the iOS for wireless terminals.


        NOTE:

        In the wireless terminal configuration, the SSID name must be the same as the actual SSID name.


      4. Configure BYOD policies. Choose Policy > Client Provisioning. Click the drop-down icon next to Edit on the right of the first Client Provisioning Policy. Click Insert new policy above to create the Client Provisioning Policies Wired-Windows-BYOD and Wireless-iOS-BYOD, and configure the policies according to the following figures. After completing the configuration, click Done and Save.



Configuration Files

SwitchA configuration file

#
sysname SwitchA
#
vlan batch 10
#
l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 l2protocol-tunnel user-defined-protocol dot1x enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10
 l2protocol-tunnel user-defined-protocol dot1x enable
#
return

SwitchB configuration file

#
sysname SwitchB
#
vlan batch 20
#
l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 20
 l2protocol-tunnel user-defined-protocol dot1x enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
 l2protocol-tunnel user-defined-protocol dot1x enable
#
return

SwitchC configuration file

#
sysname SwitchC
#
vlan batch 10 to 11 20 100
#
authentication-profile name auth-pro
 dot1x-access-profile 802.1x-authen
#
domain huawei.com
#
radius-server authorization attribute-decode-sameastemplate
#
dhcp enable
#
radius-server template dot1x
 radius-server shared-key cipher %^%#Th<O@jRUiQ@_R%CCmGH;d/O["El.T7$2<b~dIoIM%^%#
 radius-server authentication 192.168.100.2 1812 source ip-address 192.168.100.1 weight 80
 radius-server accounting 192.168.100.2 1813 source ip-address 192.168.100.1 weight 80
 undo radius-server user-name domain-included
 calling-station-id mac-format hyphen-split mode2 uppercase
#
acl number 3001
 rule 1 deny udp destination-port eq dns
 rule 2 deny udp source-port eq dns
 rule 3 deny ip destination 192.168.100.2 0
 rule 4 permit ip
#
url-template name u1
 url https://192.168.100.2:8443/portal/g#p=xqEy6OazGNj8gcJJBwQNJNB96O&action=nsp
 parameter start-mark #
 url-parameter user-mac client_mac user-ipaddress ip ssid essid
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 3
 domain huawei.com
  authentication-scheme auth
  accounting-scheme acco
  radius-server dot1x
  force-push url-template u1
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
#
interface Vlanif11
 ip address 192.168.11.1 255.255.255.0
 dhcp select interface
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 dhcp select interface
#
interface Vlanif100
 ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
 authentication-profile auth-pro
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 100
#
capwap source interface vlanif11
#
wlan
 security-profile name huawei_sec
  security wpa dot1x aes
 ssid-profile name huawei_ssid
  ssid Employee
 vap-profile name huawei_vap
  forward-mode tunnel
  service-vlan vlan-id 11
  ssid-profile huawei_ssid
  security-profile huawei_sec
  authentication-profile auth-pro
 regulatory-domain-profile name default
 ap auth-mode no-auth
 ap-group name huawei_ap
  radio 0
   vap-profile huawei_vap wlan 1
  radio 1
   vap-profile huawei_vap wlan 1
  radio 2
   vap-profile huawei_vap wlan 1
#
dot1x-access-profile name 802.1x-authen
#
return

Configuring Authentication for Access Users on Cisco ISE (Single-Gateway Free Mobility Scenario)

This section includes the following content:

Overview

On an enterprise network, different network access policies can be deployed for users on access devices to meet different network access requirements. With mobile office and BYOD, users' physical locations and IP addresses change frequently, so a network control solution based on physical ports and IP addresses can no longer keep the network access experience consistent: a user's network access policy should remain the same when the user's physical location changes, but port- and address-based control cannot guarantee this.

The free mobility solution allows a user to obtain the same network access policy regardless of the user's location and IP address changes on an agile network. The free mobility solution is used together with switches and the Agile Controller-Campus. Administrators only need to centrally deploy network access policies on the Agile Controller-Campus, and then deliver these policies to all associated switches. Users will obtain the same network access policies regardless of their physical locations and IP addresses.

Cisco ISE can be used as a RADIUS server to authenticate access users, ensuring security of the enterprise intranet.

Networking Requirements

An enterprise has the following requirements to ensure its intranet security:

  • Users can access the network only after passing 802.1X authentication.
  • The gateway functions as a DHCP server to allocate IP addresses to terminals.
  • Both PC1 and PC2 can access the customer problem handling system after being authenticated.
  • PC1 and PC2 cannot communicate with each other even after being authenticated.
  • The Agile Controller-Campus and ISE control the security groups and network access policies of PCs, improving O&M efficiency.

Figure 2-46  Enterprise intranet topology 

Requirement Analysis
  • The Agile Controller-Campus creates security groups to which PCs belong, defines the network access policies of each security group, and delivers the policies to SwitchA.
  • The ISE performs 802.1X authentication on access users and adds authenticated users to corresponding security groups.

Configuration Logic

Figure 2-47  Configuration logic of Huawei switch

Figure 2-48  Configuration logic of Huawei Agile Controller-Campus

Table 2-72  Configuration logic of Cisco ISE

  • Adding groups and users: -
  • Adding a switch: Set parameters for the switch connected to the ISE.
  • (Optional) Creating an authentication protocol profile: Specify the authentication protocols allowed for 802.1X authentication. If no authentication protocol profile is created, the ISE default profile Default Network Access is used.
  • Creating authentication policies: Configure the conditions under which users pass 802.1X authentication.
  • Creating authorization policies: Return the RADIUS standard attribute Filter-ID with a different value to different users, assigning each user to the planned security group.

Configuration Notes
  • In this example, an ISE running 2.2.0.470 is used as the RADIUS server, and the Agile Controller-Campus runs V100R002C10. The access switches are S5720SI switches and are only used for Layer 2 access.
  • In this example, all users have the same gateway.
  • Free mobility is supported only on switches that have NAC configured in unified mode.
  • The RADIUS shared keys configured on the switch and the server must be the same.
  • By default, the switch allows the packets sent to the RADIUS server to pass through. You do not need to configure an authentication-free rule for the packets on the switch.
  • When the controller delivers a UCL group name that is not supported by the switch, for example, this group name contains Chinese characters or special characters, the switch cannot parse the group name. A UCL group name that can be supported by the switch must be consistent with the value of group-name in the ucl-group group-index [ name group-name ] command, cannot be -, --, a, an, or any, and cannot contain any of the following characters: / \ : * ? " < > | @ ' %. Therefore, when configuring a UCL group name on the controller, do not use Chinese characters or special characters.

  • If the switch has been associated with an Agile Controller-Campus and has free mobility configured, perform the following steps to delete historical data and reconfigure the core switch.

    1. Run the undo group-policy controller command in the system view to disable free mobility and disconnect the switch from the Agile Controller-Campus.
    2. Run the undo acl all command to delete the access control policy.
    3. Run the undo ucl-group ip all command to delete IP addresses bound to security groups.
    4. Run the undo ucl-group all command to delete security groups.
    5. Return to the user view and run the save command. The system automatically deletes the configured version number.

Data Plan

Table 2-73  Basic data plan of SwitchA

  • GE1/0/1: VLAN 30, VLANIF IP address 192.168.30.1/24
  • GE1/0/3: VLAN 30, VLANIF IP address 192.168.30.1/24
  • GE1/0/2: VLAN 50, VLANIF IP address 192.168.254.55/24

Table 2-74  Authentication data plan

Item

Data

RADIUS server template

  • Name: dot1x
  • RADIUS shared key: Huawei@2017
  • Source IP address: 192.168.254.55/24
  • IP address of the RADIUS server: 192.168.254.252/24
  • Authentication port: 1812
  • Accounting port: 1813

AAA authentication scheme

  • Name: auth
  • Authentication mode: RADIUS

AAA accounting scheme

  • Name: acco
  • Accounting mode: RADIUS
  • Real-time accounting interval: 15 minutes

Authentication domain

  • Name: huawei.com
  • Referenced profiles: AAA authentication scheme auth, AAA accounting scheme acco, and RADIUS server template dot1x

802.1X access profile

  • Name: 802.1x-access
  • Authentication protocol: EAP

Authentication profile

  • Name: 802.1x-auth
  • Referenced profile: 802.1X access profile 802.1x-access

Table 2-75  Free mobility data plan

  • IP address of SwitchA: 192.168.254.55/24
  • IP address of the Agile Controller-Campus: 192.168.254.253/24
  • Interoperation password: Admin@2017

Security groups
  • pc_group1: security group to which PC1 belongs
  • pc_group2: security group to which PC2 belongs
  • Problem: security group to which the customer problem handling system belongs

Procedure

  1. Configure switches.
    1. Add interfaces to VLANs to ensure network connectivity.

      # Configure SwitchA.
      <HUAWEI> system-view
      [HUAWEI] sysname SwitchA
      [SwitchA] vlan batch 30 50
      [SwitchA] interface gigabitethernet 1/0/1
      [SwitchA-GigabitEthernet1/0/1] port link-type access
      [SwitchA-GigabitEthernet1/0/1] port default vlan 30
      [SwitchA-GigabitEthernet1/0/1] quit
      [SwitchA] interface gigabitethernet 1/0/2
      [SwitchA-GigabitEthernet1/0/2] port link-type access
      [SwitchA-GigabitEthernet1/0/2] port default vlan 50
      [SwitchA-GigabitEthernet1/0/2] stp disable
      [SwitchA-GigabitEthernet1/0/2] quit
      [SwitchA] interface gigabitethernet 1/0/3
      [SwitchA-GigabitEthernet1/0/3] port link-type access
      [SwitchA-GigabitEthernet1/0/3] port default vlan 30
      [SwitchA-GigabitEthernet1/0/3] stp disable
      [SwitchA-GigabitEthernet1/0/3] quit
      # Configure SwitchB.
      <HUAWEI> system-view
      [HUAWEI] sysname SwitchB
      [SwitchB] vlan batch 30
      [SwitchB] interface gigabitethernet 0/0/1
      [SwitchB-GigabitEthernet0/0/1] port link-type access
      [SwitchB-GigabitEthernet0/0/1] port default vlan 30
      [SwitchB-GigabitEthernet0/0/1] port-isolate enable group 1   //Configure port isolation between PC1 and PC2.
      [SwitchB-GigabitEthernet0/0/1] stp disable
      [SwitchB-GigabitEthernet0/0/1] quit
      [SwitchB] interface gigabitethernet 0/0/2
      [SwitchB-GigabitEthernet0/0/2] port link-type access
      [SwitchB-GigabitEthernet0/0/2] port default vlan 30
      [SwitchB-GigabitEthernet0/0/2] port-isolate enable group 1
      [SwitchB-GigabitEthernet0/0/2] stp disable
      [SwitchB-GigabitEthernet0/0/2] quit
      [SwitchB] interface gigabitethernet 0/0/3
      [SwitchB-GigabitEthernet0/0/3] port link-type access
      [SwitchB-GigabitEthernet0/0/3] port default vlan 30
      [SwitchB-GigabitEthernet0/0/3] quit

    2. Configure SwitchA as a DHCP server to allocate IP addresses to user terminals.

      [SwitchA] dhcp enable   //Enable DHCP globally.
      [SwitchA] interface Vlanif 30
      [SwitchA-Vlanif30] ip address 192.168.30.1 24
      [SwitchA-Vlanif30] dhcp select interface
      [SwitchA-Vlanif30] arp-proxy inner-sub-vlan-proxy enable
      [SwitchA-Vlanif30] quit
      [SwitchA] interface Vlanif 50
      [SwitchA-Vlanif50] ip address 192.168.254.55 24
      [SwitchA-Vlanif50] quit

    3. Configure the Layer 2 transparent transmission function for 802.1X authentication packets.

      [SwitchB] l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002   //group-mac can be set to any MAC address except one of the reserved multicast MAC addresses (0180-C200-0000 to 0180-C200-002F) and other special MAC addresses.
      [SwitchB] interface gigabitethernet 0/0/1
      [SwitchB-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol dot1x enable
      [SwitchB-GigabitEthernet0/0/1] bpdu enable
      [SwitchB-GigabitEthernet0/0/1] quit
      [SwitchB] interface gigabitethernet 0/0/2
      [SwitchB-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol dot1x enable
      [SwitchB-GigabitEthernet0/0/2] bpdu enable
      [SwitchB-GigabitEthernet0/0/2] quit
      [SwitchB] interface gigabitethernet 0/0/3
      [SwitchB-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol dot1x enable
      [SwitchB-GigabitEthernet0/0/3] bpdu enable
      [SwitchB-GigabitEthernet0/0/3] quit

    4. Configure free mobility.

      [SwitchA] group-policy controller 192.168.254.253 password Admin@2017 src-ip 192.168.254.55

    5. Configure a RADIUS server template.

      [SwitchA] radius-server template dot1x
      [SwitchA-radius-dot1x] radius-server authentication 192.168.254.252 1812 source ip-address 192.168.254.55   //Configure a RADIUS authentication server.
      [SwitchA-radius-dot1x] radius-server accounting 192.168.254.252 1813 source ip-address 192.168.254.55   //Configure a RADIUS accounting server.
      [SwitchA-radius-dot1x] radius-server shared-key cipher Huawei@2017   //Set the RADIUS shared key to Huawei@2017.
      [SwitchA-radius-dot1x] undo radius-server user-name domain-included   //Configure the switch not to modify the original user name in the packets sent to the RADIUS server.
      [SwitchA-radius-dot1x] calling-station-id mac-format hyphen-split mode2 uppercase   //Set the encapsulation format of the MAC address in the Calling-Station-Id attribute of RADIUS packets to XX-XX-XX-XX-XX-XX.
      [SwitchA-radius-dot1x] quit
      [SwitchA] radius-server authorization attribute-decode-sameastemplate   //Configure the switch to parse the Calling-Station-Id attribute based on the configuration in the RADIUS server template.

    6. Configure AAA schemes and an authentication domain.

      # Configure an AAA authentication scheme.
      [SwitchA] aaa
      [SwitchA-aaa] authentication-scheme auth
      [SwitchA-aaa-authen-auth] authentication-mode radius   //Set the authentication mode to RADIUS.
      [SwitchA-aaa-authen-auth] quit
      # Configure an AAA accounting scheme. You must set the accounting mode to RADIUS so that the RADIUS server can maintain the account status, such as login, log-off, and forced log-off.
      [SwitchA-aaa] accounting-scheme acco
      [SwitchA-aaa-accounting-acco] accounting-mode radius   //Set the accounting mode to RADIUS.
      [SwitchA-aaa-accounting-acco] accounting realtime 15   //Set the real-time accounting interval to 15 minutes.
      [SwitchA-aaa-accounting-acco] quit
      # Configure a user authentication domain.
      [SwitchA-aaa] domain huawei.com
      [SwitchA-aaa-domain-huawei.com] authentication-scheme auth
      [SwitchA-aaa-domain-huawei.com] accounting-scheme acco
      [SwitchA-aaa-domain-huawei.com] radius-server dot1x
      [SwitchA-aaa-domain-huawei.com] quit
      [SwitchA-aaa] quit
      [SwitchA] domain huawei.com   //Configure the authentication domain huawei.com as the global default authentication domain.

    7. Configure 802.1X authentication.

      # Set the NAC mode to unified.

      NOTE:

      By default, the unified mode is used. After changing the NAC mode from common to unified, you must enter y as prompted to restart the switch immediately to make the configuration take effect.

      [SwitchA] authentication unified-mode
      # Configure an 802.1X access profile.

      NOTE:

      By default, an 802.1X access profile uses the EAP authentication mode.

      This scenario does not support the CHAP or EAP-MD5 authentication mode.

      [SwitchA] dot1x-access-profile name 802.1x-access
      [SwitchA-dot1x-access-profile-802.1x-access] quit
      # Configure an authentication profile.
      [SwitchA] authentication-profile name 802.1x-auth
      [SwitchA-authen-profile-802.1x-auth] dot1x-access-profile 802.1x-access
      [SwitchA-authen-profile-802.1x-auth] quit
      # Enable the switch to perform 802.1X authentication for users.
      [SwitchA] interface gigabitethernet 1/0/1
      [SwitchA-GigabitEthernet1/0/1] authentication-profile 802.1x-auth
      [SwitchA-GigabitEthernet1/0/1] quit
      [SwitchA] interface gigabitethernet 1/0/2
      [SwitchA-GigabitEthernet1/0/2] authentication-profile 802.1x-auth
      [SwitchA-GigabitEthernet1/0/2] quit

  2. Configure the Agile Controller-Campus.
    1. Log in to the Agile Controller-Campus. Open Internet Explorer, enter the Agile Controller-Campus access address in the address bar, and press Enter. On the login page, enter the user name and password to log in.
    2. Add a switch.

      1. Choose Resource > Device > Device Management. Click Add on the right, set parameters for SwitchA according to Table 2-98 and the following figure. After completing the configuration, click OK.


      2. Select SwitchA and click Synchronize.


      3. The Status icon of SwitchA changes to indicate a normal communication status. Alternatively, run the display group-policy status command on SwitchA to view its communication status. When State is displayed as working, communication between SwitchA and the Agile Controller-Campus is normal.

        [SwitchA] display group-policy status
          Controller IP address: 192.168.254.253
          Controller port: 5222
          Backup controller IP address: -
          Backup controller port: -
          Source IP address: 192.168.254.55
          State: working
          Connected controller: master
          Device protocol version: 2
          Controller protocol version: 2
      4. Choose Device Group > Free Mobility > Custom. Click the icon next to Device Group, create the device group UCL, and click OK.


      5. Select the UCL group, and click Join on the right to add SwitchA to this group.

    3. Configure security groups.

      1. Configure dynamic security groups. Choose Policy > Permission Control > Security Group > Dynamic Security Group Management. Click Add on the right, add the dynamic security group pc_group1, and click OK. The following uses pc_group1 as an example. The configuration of pc_group2 is similar and is not provided here.


      2. Deploy the security groups. Select pc_group1 and pc_group2, and click Global Deployment to deploy these security groups to SwitchA. Run the display ucl-group all command on SwitchA to verify that security groups are deployed successfully.
        [SwitchA] display ucl-group all
        ID       UCL group name
        --------------------------------------------------------------------------------
        31       pc_group1
        32       pc_group2
        --------------------------------------------------------------------------------
        Total : 2
      3. Configure a static security group. Choose Static Security Group Management on the left. Click Add on the right, add the static security group Problem, bind the IP address of the customer problem handling system, and click OK.


    4. Configure access control policies.

      1. Choose Policy > Free Mobility > Policy Configuration > Permission Control. Select the UCL group under Common Policy, click Add on the right, and configure policies for controlling access between security groups. In this example, PC1 and PC2 can access the customer problem handling system, but cannot communicate with each other.

      2. Disable PC1 from communicating with PC2, and allow PC1 to access the customer problem handling system.


      3. Disable PC2 from communicating with PC1, and allow PC2 to access the customer problem handling system.


      4. Select the access control policies, and click Global Configuration to deliver the policies to SwitchA. Run the display acl all command on SwitchA to verify that the access control policies are deployed successfully.


        [SwitchA] display acl all
         Total nonempty ACL number is 2

        Ucl-group ACL Auto_PGM_U31 9998, 2 rules
        Acl's step is 5
         rule 1 deny ip source ucl-group 31 destination ucl-group 32
         rule 2 permit ip source ucl-group 31 destination 192.168.30.2 0

        Ucl-group ACL Auto_PGM_U32 9999, 2 rules
        Acl's step is 5
         rule 1 deny ip source ucl-group 32 destination ucl-group 31
         rule 2 permit ip source ucl-group 32 destination 192.168.30.2 0

  3. Configure the ISE.
    1. Log in to the ISE. Open Internet Explorer, enter the ISE access address in the address bar, and press Enter. On the ISE login page, enter the ISE administrator user name and password to log in to the ISE.
    2. Configure local users.

      1. Choose Administration > Identity Management > Groups. Choose User Identity Groups on the left. Click Add on the right, and create groups pc_group1 and pc_group2. After completing the configuration, click Submit. The following uses pc_group1 as an example. The configuration of pc_group2 is similar and is not provided here.


      2. Choose Administration > Identity Management > Identities. Choose Users on the left. Click Add on the right, configure information about PC1 and PC2, and add them to pc_group1 and pc_group2, respectively. After completing the configuration, click Submit. The following uses PC1 as an example. The configuration of PC2 is similar and is not provided here.


    3. Add an access authentication switch.

      1. Configure an access authentication device profile. Choose Administration > Network Resources > Network Device Profiles. Click Add, create the access authentication device profile hw, and configure the profile according to the following table. After completing the configuration, click Jump To Top and Submit.

        NOTE:

        The Huawei RADIUS extended attributes are not used in this example, so this step is optional. You can use the default network device profile Cisco in the following steps instead of creating hw.

        Table 2-76  Access authentication device profile hw

        • Name: hw
        • Vendor: Other
        • Supported Protocols: RADIUS, TACACS+, TrustSec
        • RADIUS Dictionaries: HW (if the ISE does not have the Huawei extended RADIUS attribute dictionary HW, create it manually; Huawei's vendor ID is 2011)
        • Authentication/Authorization > Flow Type Conditions: Wired 802.1X detected if "Radius:NAS-Port-Type" = "Ethernet" and "Radius:Service-Type" = "Framed"
        • Authentication/Authorization > Attribute Aliasing: Select SSID and configure Radius:Called-Station-ID.
        • Permissions: Select Set VLAN and then select IETF 802.1X Attributes; select Set ACL and configure Radius:Filter-ID.
        • Change of Authorization (CoA): CoA by RADIUS; Default CoA Port 3799; Default DTLS CoA Port 2083; Timeout Interval 5; Retry Count 2; select Send Message-Authenticator.
        • Change of Authorization (CoA) > Disconnect: RFC 5176 with "Radius:Acct-Session-Id" = "0" and "Radius:Acct-Terminate-Cause" = "Admin Reset"; Port Bounce and Port Shutdown
        • Change of Authorization (CoA) > Re-authenticate: Basic, Rerun, and Last
        • Change of Authorization (CoA) > CoA Push: RFC 5176 with "Radius:Acct-Session-Id" = "0"
      2. Configure an access authentication switch. Choose Administration > Network Resources > Network Devices. Choose Network devices on the left. Click Add on the right, add the access authentication device SwitchA, and configure the device according to the following table. After completing the configuration, click Submit.

        Table 2-77  Access authentication switch (SwitchA)

        • Name: SwitchA
        • IP Address: 192.168.254.55/32
        • Device Profile: hw
        • RADIUS Authentication Settings > Shared Secret: Huawei@2017


    4. (Optional) Configure an authentication protocol profile.

      # Choose Policy > Policy Elements > Results. Choose Authentication > Allowed Protocols on the left. Click Add on the right to create an authentication protocol profile, and select authentication protocols based on actual requirements. After completing the configuration, click Submit.

      NOTE:

      The authentication protocol profile Default Network Access used in this example is the default authentication protocol profile of the ISE. If the profile meets actual requirements, you do not need to create a profile.

    5. Configure authentication policies.

      # Choose Policy > Authentication. Set Policy Type to Rule-Based. Click the drop-down icon next to Edit on the right of the first authentication policy. Click Insert new row above to create the authentication policy wired_802.1x-authen, and configure the policy according to the following figure. After completing the configuration, click Done and Save.

      NOTE:

      Wired_802.1X is the default rule that 802.1X authentication for wired users must meet on the ISE.


    6. Configure authorization policies.

      1. Configure authorization profiles. Choose Policy > Policy Elements > Results. Choose Authorization > Authorization Profiles on the left. Click Add on the right, create authorization profiles pc_group1_author_pro and pc_group2_author_pro, and configure the profiles according to the following figure. After completing the configuration, click Submit. The following uses pc_group1_author_pro as an example. The configuration of pc_group2_author_pro is similar and is not provided here.


      2. Configure authorization policies. Choose Policy > Authorization. Click the drop-down icon next to Edit on the right of the first authorization policy. Click Insert New Rule Above, create authorization policies pc_group1_author_policy and pc_group2_author_policy, and configure the policies according to the following figure. After completing the configuration, click Done and Save. The following uses pc_group1_author_policy as an example. The configuration of pc_group2_author_policy is similar and is not provided here.


  4. Verify the configuration.

    The Agile Controller-Campus delivers access control policies of different security groups to SwitchA. After PC1 and PC2 go online, they pass 802.1X authentication on the ISE and are added to security groups pc_group1 and pc_group2, respectively. PC1 and PC2 can access the customer problem handling system, but cannot communicate with each other.
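To see what the switch-side and ISE-side settings above amount to on the wire, the following added example (not code from the original page, nor from Huawei or Cisco) builds the Access-Request SwitchA would send for PC1 and verifies a constructed Access-Accept with the shared key Huawei@2017. It shows why the flow-type condition in Table 2-76 (NAS-Port-Type = Ethernet, Service-Type = Framed) matches a wired 802.1X request, what Calling-Station-Id looks like under calling-station-id mac-format hyphen-split mode2 uppercase, how Filter-ID carries the security group name back to the switch, and what a mismatched shared key does to the reply check. The MAC address, EAP payload and request identifier are made-up values, and the Access-Accept is built locally in place of the ISE.

```python
"""RADIUS exchange between SwitchA and the ISE, byte by byte (RFC 2865 / RFC 3579).
Added example, not part of the original page: the MAC address, EAP payload and
identifier are made-up sample values, and the Access-Accept is constructed locally
in place of the ISE so the whole exchange runs offline."""
import hashlib
import hmac
import os
import struct

SHARED_KEY = b"Huawei@2017"   # radius-server shared-key; must match the ISE side
NAS_IP = "192.168.254.55"     # source ip-address in the RADIUS server template

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, FILTER_ID = 1, 4, 6, 11
CALLING_STATION_ID, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 31, 61, 79, 80
SERVICE_TYPE_FRAMED, NAS_PORT_TYPE_ETHERNET = 2, 15   # the ISE "Wired 802.1X" flow-type condition

def calling_station_id(mac: str) -> str:
    """Render a MAC address as XX-XX-XX-XX-XX-XX (hyphen-split mode2 uppercase)."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("MAC address must contain 12 hex digits")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(payload: bytes) -> list:
    """Split the attribute area of a packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return attrs

def build_access_request(user, mac, eap, ident, request_authenticator=None, key=SHARED_KEY):
    """Access-Request as the switch sends it for an 802.1X (EAP) session.
    Message-Authenticator is HMAC-MD5 over the packet with its own 16 value bytes
    zeroed (RFC 3579 section 3.2); it is what lets the server drop forged requests."""
    req_auth = request_authenticator or os.urandom(16)
    attrs = (tlv(USER_NAME, user.encode())
             + tlv(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
             + tlv(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
             + tlv(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + tlv(CALLING_STATION_ID, calling_station_id(mac).encode())
             + tlv(EAP_MESSAGE, eap))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18) + req_auth
    zeroed = header + attrs + tlv(MESSAGE_AUTHENTICATOR, bytes(16))
    return header + attrs + tlv(MESSAGE_AUTHENTICATOR, hmac.new(key, zeroed, hashlib.md5).digest())

def verify_message_authenticator(packet: bytes, key: bytes = SHARED_KEY) -> bool:
    """Server-side check: recompute the HMAC with the attribute value zeroed."""
    i = 20
    while i + 2 <= len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:i + 2] + bytes(16) + packet[i + 18:]
            return hmac.compare_digest(hmac.new(key, zeroed, hashlib.md5).digest(), packet[i + 2:i + 18])
        i += max(length, 2)
    return False

def response_authenticator(code, ident, attrs, request_authenticator, key) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + key).digest()

def build_access_accept(request: bytes, filter_id: str, key: bytes = SHARED_KEY) -> bytes:
    """Constructed reply standing in for the ISE; Filter-ID carries the UCL group name."""
    ident, req_auth = request[1], request[4:20]
    attrs = tlv(FILTER_ID, filter_id.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + response_authenticator(ACCESS_ACCEPT, ident, attrs, req_auth, key) + attrs

def verify_reply(request: bytes, reply: bytes, key: bytes = SHARED_KEY):
    """Switch-side check; returns (accepted, filter_id) or raises ValueError.
    A failing Response Authenticator is what a shared-key mismatch between switch
    and ISE looks like: per RFC 2865 the switch silently discards the reply."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        raise ValueError("reply does not belong to the outstanding request")
    expected = response_authenticator(code, ident, reply[20:], request[4:20], key)
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: shared key mismatch or forged reply")
    filter_ids = [v.decode() for t, v in parse_attrs(reply[20:]) if t == FILTER_ID]
    return code == ACCESS_ACCEPT, (filter_ids[0] if filter_ids else None)

if __name__ == "__main__":
    # EAP-Response/Identity "PC1" (constructed), RADIUS identifier 7
    req = build_access_request("PC1", "00:11:22:aa:bb:cc", b"\x02\x01\x00\x08\x01PC1", 7)
    print("Message-Authenticator valid:", verify_message_authenticator(req))
    print("reply:", verify_reply(req, build_access_accept(req, "pc_group1")))
    try:
        verify_reply(req, build_access_accept(req, "pc_group1", key=b"Huawei@2018"))
    except ValueError as err:
        print("mismatched key:", err)
```

The last call in the main block is the failure mode behind the configuration note that the shared keys on the switch and the server must be the same: with Huawei@2018 on one side the packets still arrive, but every reply fails the Response Authenticator check and the user never receives the Filter-ID that places it in its security group.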

Configuration Files

SwitchA configuration file

#
sysname SwitchA
#
vlan batch 30 50
#
authentication-profile name 802.1x-auth
 dot1x-access-profile 802.1x-access
#
domain huawei.com
#
group-policy controller 192.168.254.253 password %^%#PAJ-YQ/]292l+4Oj.MnG826Y2Qx%L+w'gA&M|w&;%^%# src-ip 192.168.254.55
#
dhcp enable
#
radius-server authorization attribute-decode-sameastemplate
#
radius-server template dot1x
 radius-server shared-key cipher %^%#}V!)F5^lk-gCyfV1r~j4W!=R6W1#IDY:zR-so(WJ%^%#
 radius-server authentication 192.168.254.252 1812 source ip-address 192.168.254.55 weight 80
 radius-server accounting 192.168.254.252 1813 source ip-address 192.168.254.55 weight 80
 undo radius-server user-name domain-included
 calling-station-id mac-format hyphen-split mode2 uppercase
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
 domain huawei.com
  authentication-scheme auth
  accounting-scheme acco
  radius-server dot1x
#
interface Vlanif30
 ip address 192.168.30.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
#
interface Vlanif50
 ip address 192.168.254.55 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 30
 authentication-profile 802.1x-auth
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 50
 stp disable
 authentication-profile 802.1x-auth
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 30
 stp disable
#
dot1x-access-profile name 802.1x-access
#
return

SwitchB configuration file

#
sysname SwitchB
#
vlan batch 30
#
l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 30
 stp disable
 l2protocol-tunnel user-defined-protocol dot1x enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 30
 stp disable
 l2protocol-tunnel user-defined-protocol dot1x enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 30
 l2protocol-tunnel user-defined-protocol dot1x enable
#
return
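The access control policies that the procedure above delivers to SwitchA can be checked mechanically against the stated requirements (PC1 and PC2 may reach the customer problem handling system at 192.168.30.2 but not each other). The following added example, not code from the original page or from Huawei, parses the display ucl-group all and display acl all output shown in the procedure, reproduced here as sample text, and reports permit, deny or no match for a source security group and a destination group or host. It handles only the rule forms that appear in that output, and because the ucl-group ip bindings are not shown it cannot tell whether a given IP address belongs to a dynamic group.

```python
"""Check the free mobility policy that SwitchA actually enforces.
Added example, not part of the original page. The two outputs below are copied
from the procedure as constructed sample text; only the rule forms they contain
(ucl-group to ucl-group, ucl-group to host/wildcard) are parsed."""
import ipaddress
import re
from collections import namedtuple

UCL_GROUP_OUTPUT = """\
ID       UCL group name
--------------------------------------------------------------------------------
31       pc_group1
32       pc_group2
--------------------------------------------------------------------------------
Total : 2
"""

ACL_OUTPUT = """\
 Total nonempty ACL number is 2

Ucl-group ACL Auto_PGM_U31 9998, 2 rules
Acl's step is 5
 rule 1 deny ip source ucl-group 31 destination ucl-group 32
 rule 2 permit ip source ucl-group 31 destination 192.168.30.2 0

Ucl-group ACL Auto_PGM_U32 9999, 2 rules
Acl's step is 5
 rule 1 deny ip source ucl-group 32 destination ucl-group 31
 rule 2 permit ip source ucl-group 32 destination 192.168.30.2 0
"""

PROBLEM_SYSTEM = "192.168.30.2"   # host bound to the static security group Problem

Rule = namedtuple("Rule", "acl number action src_group dst_group dst_ip dst_wild")
ACL_RE = re.compile(r"^\s*Ucl-group ACL (\S+) (\d+), (\d+) rules?\s*$")
RULE_RE = re.compile(
    r"^\s*rule (\d+) (permit|deny) ip source ucl-group (\d+) destination "
    r"(?:ucl-group (\d+)|(\d+(?:\.\d+){3}) (\S+))\s*$")

def parse_ucl_groups(text: str) -> dict:
    """Map UCL group name -> ID from 'display ucl-group all'."""
    return {m.group(2): int(m.group(1))
            for m in re.finditer(r"^\s*(\d+)\s+(\S+)\s*$", text, re.M)}

def parse_wildcard(text: str) -> int:
    """Huawei ACL wildcard ('0' or dotted); 1 bits are ignored when matching."""
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))

def parse_ucl_acls(text: str) -> list:
    """Rules from 'display acl all' in display order, tagged with their ACL name."""
    rules, acl = [], None
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            acl = m.group(1)
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        num, action, src, dst_group, dst_ip, wild = m.groups()
        rules.append(Rule(acl, int(num), action, int(src),
                          int(dst_group) if dst_group else None,
                          int(ipaddress.IPv4Address(dst_ip)) if dst_ip else None,
                          parse_wildcard(wild) if wild else None))
    return rules

def evaluate(rules: list, groups: dict, src: str, dst: str) -> str:
    """'permit', 'deny' or 'no-match' for traffic from group src to group or host dst.
    Rules are tried in the order the switch lists them; the first hit wins."""
    src_id = groups[src]
    dst_id = groups.get(dst)
    dst_int = None if dst_id is not None else int(ipaddress.IPv4Address(dst))
    for r in rules:
        if r.src_group != src_id:
            continue
        if r.dst_group is not None:
            if r.dst_group == dst_id:
                return r.action
        elif dst_int is not None:
            mask = 0xFFFFFFFF ^ r.dst_wild
            if dst_int & mask == r.dst_ip & mask:
                return r.action
    return "no-match"

def check_requirements(rules: list, groups: dict) -> list:
    """Requirement violations for this example; an empty list means the policy matches the plan."""
    expected = {("pc_group1", "pc_group2"): "deny", ("pc_group2", "pc_group1"): "deny",
                ("pc_group1", PROBLEM_SYSTEM): "permit", ("pc_group2", PROBLEM_SYSTEM): "permit"}
    return [f"{s} -> {d}: expected {want}, got {got}"
            for (s, d), want in expected.items()
            if (got := evaluate(rules, groups, s, d)) != want]

if __name__ == "__main__":
    groups = parse_ucl_groups(UCL_GROUP_OUTPUT)
    rules = parse_ucl_acls(ACL_OUTPUT)
    print(groups, len(rules), "rules")
    print("violations:", check_requirements(rules, groups) or "none")
```

Paste the live output of the two display commands into the two strings to check a real switch; a destination that matches no rule is reported as no-match rather than assumed permitted or denied, because the ACL's default action is not part of the displayed output.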

Cards or Switches Where the Authentication Control Point Can Be Deployed

Switch Version

Cards or Switches Where the Authentication Control Point Can Be Deployed

V200R010C00

  • S5720HI
  • X series cards of S7700, S9700, and S12700 series switches

V200R011C00

S5720HI

V200R011C10

  • S5720HI
  • X series cards of S7700, S9700, and S12700 series switches

V200R012C00 and later versions

  • S5720HI, S5730HI, S6720HI
  • X series cards of S7700, S9700, and S12700 series switches

Configuring Authentication for Access Users on Cisco ISE (to Implement Multi-Gateway Free Mobility Through VXLAN Packets Carrying Security Group Information)

This section includes the following content:

Overview

On an enterprise network, different network access policies can be deployed on access devices for different users to meet their network access requirements. With mobile office and BYOD, users' physical locations and IP addresses change frequently, so the traditional control model based on physical ports and IP addresses cannot keep the network access experience consistent. The goal is that a user's network access policy stays the same when the user's physical location changes.

The free mobility solution allows a user to obtain the same network access policy regardless of the user's location and IP address changes on an agile network. The free mobility solution is used together with switches and the Agile Controller-Campus. Administrators only need to centrally deploy network access policies on the Agile Controller-Campus, and then deliver these policies to all associated switches. Users will obtain the same network access policies regardless of their physical locations and IP addresses.

A Cisco ISE can be used as a RADIUS server to authenticate access users, ensuring security of the enterprise intranet.

Networking Requirements

An enterprise has the following requirements to ensure its intranet security:

  • Users can access the network only after passing 802.1X authentication.
  • User gateways function as DHCP servers to allocate IP addresses to terminals.
  • Both User1 and User2 can access the customer problem handling system after being authenticated.
  • User1 and User2 cannot communicate with each other even after being authenticated.
  • The Agile Controller-Campus and ISE control the security groups and network access policies of users, improving O&M efficiency.

Figure 2-49  Enterprise intranet topology 

Requirement Analysis

The key technology in this solution is that the Agile Controller-Campus delivers security groups to which users belong and network access policies between security groups to all involved switches. When a user accesses the network through Switch1 or Switch2, the ISE authenticates the user and authorizes a security group to identify the user. When the user accesses resources on another network, the packet carries information about the security group to which the user belongs after VXLAN encapsulation. Therefore, the user does not need to be authenticated again on other switches.

Configuration Logic

Figure 2-50  Configuration logic of Huawei switch

Figure 2-51  Configuration logic of Huawei Agile Controller-Campus

Table 2-78  Configuration logic of Cisco ISE

Item

Description

Adding groups and users

-

Adding switches

Set parameters for the switches connected to the ISE.

(Optional) Creating an authentication protocol profile

Specify the authentication protocols allowed for 802.1X authentication. If no authentication protocol profile is created, the default profile Default Network Access of the ISE is used.

Creating authentication policies

Configure the conditions that users must meet to pass 802.1X authentication.

Creating authorization policies

Return different values of the RADIUS standard attribute Filter-ID to different users, so that each user is assigned to the planned security group.

Configuration Notes
  • In this example, an ISE running 2.2.0.470 is used as the RADIUS server, and the Agile Controller-Campus runs V100R002C10.
  • When there is a Layer 2 switch between users and the authentication control point, transparent transmission of 802.1X authentication packets needs to be configured on the Layer 2 switch.
  • In this example, user gateways reside on different devices.
  • Free mobility is supported only on switches that have NAC configured in unified mode.
  • The RADIUS shared keys configured on the switch and the server must be the same. If they differ, the switch cannot validate the Response Authenticator in the server's replies, discards them, and authentication fails. Huawei@2017 in this example is a sample value; in production, use a long, randomly generated key that is unique to each switch.
  • By default, the switch allows the packets sent to the RADIUS server to pass through. You do not need to configure an authentication-free rule for the packets on the switch.
  • When the controller delivers a UCL group name that is not supported by the switch, for example, this group name contains Chinese characters or special characters, the switch cannot parse the group name. A UCL group name that can be supported by the switch must be consistent with the value of group-name in the ucl-group group-index [ name group-name ] command, cannot be -, --, a, an, or any, and cannot contain any of the following characters: / \ : * ? " < > | @ ' %. Therefore, when configuring a UCL group name on the controller, do not use Chinese characters or special characters.

  • If the switch has been associated with an Agile Controller-Campus and has free mobility configured, perform the following steps to delete historical data and reconfigure the core switch.

    1. Run the undo group-policy controller command in the system view to disable free mobility and disconnect the switch from the Agile Controller-Campus.
    2. Run the undo acl all command to delete the access control policy.
    3. Run the undo ucl-group ip all command to delete IP addresses bound to security groups.
    4. Run the undo ucl-group all command to delete security groups.
    5. Return to the user view and run the save command. The system automatically deletes the configured version number.
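The following Python script is an added example (it is not part of this page, nor code from Huawei or Cisco) that shows what the switch has to do with the RADIUS pieces listed in the Configuration Logic table and the Configuration Notes: it verifies the Response Authenticator of an Access-Accept with the shared key (a wrong key makes the reply unusable), reads the Filter-Id attribute and maps it to a UCL group that has been deployed to the switch, applies the UCL group name rules above, and renders a MAC address in the Calling-Station-Id format that the RADIUS server template sets later in the procedure (hyphen-split mode2 uppercase). The embedded display ucl-group all output and the Access-Request authenticator are constructed for the example; the shared key is the page's example value.

```python
"""Added example: decode an ISE Access-Accept the way the switch must and check
the pieces this setup depends on (shared key, Filter-Id -> UCL group, Calling-Station-Id)."""
import hashlib
import hmac
import re
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11  # RFC 2865 Filter-Id: carries the security group name

# UCL group name rules from the Configuration Notes above.
UCL_RESERVED = {"-", "--", "a", "an", "any"}
UCL_FORBIDDEN = set('/\\:*?"<>|@\'%')


def ucl_group_name_ok(name):
    """True if the switch can parse this UCL group name (ASCII only, not reserved)."""
    if not name or name in UCL_RESERVED:
        return False
    if any(ch in UCL_FORBIDDEN for ch in name):
        return False
    return name.isascii()


def calling_station_id_mode2(mac):
    """Render a MAC as 'hyphen-split mode2 uppercase': XX-XX-XX-XX-XX-XX."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def encode_attrs(attrs):
    """Encode (type, value bytes) pairs as RADIUS attribute TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def response_authenticator(code, identifier, request_auth, attr_bytes, secret):
    """RFC 2865 Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def make_access_accept(identifier, request_auth, secret, attrs):
    """Build the Access-Accept a RADIUS server sends for a given Access-Request."""
    body = encode_attrs(attrs)
    auth = response_authenticator(CODE_ACCESS_ACCEPT, identifier, request_auth, body, secret)
    return struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(body)) + auth + body


def parse_radius(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: [values]})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, identifier, packet[4:20], attrs


def security_group_from_accept(packet, request_auth, secret, deployed_groups):
    """UCL group the switch would assign from this reply, or None.

    None covers a discarded reply (authenticator mismatch, i.e. wrong shared key,
    or not an Access-Accept) and a Filter-Id that names no deployed UCL group."""
    code, identifier, auth, attrs = parse_radius(packet)
    expected = response_authenticator(code, identifier, request_auth, packet[20:], secret)
    if not hmac.compare_digest(auth, expected) or code != CODE_ACCESS_ACCEPT:
        return None
    for raw in attrs.get(ATTR_FILTER_ID, []):
        name = raw.decode("ascii", errors="replace")
        if ucl_group_name_ok(name) and name in deployed_groups:
            return name
    return None


def parse_display_ucl_group(output):
    """Map UCL group names to IDs from 'display ucl-group all' output."""
    groups = {}
    for line in output.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+)\s*$", line)
        if m:
            groups[m.group(2)] = int(m.group(1))
    return groups


# Constructed sample data, laid out like the switch output in the procedure.
UCL_OUTPUT = """ID       UCL group name
--------------------------------------------------------------------------------
31       pc_group1
32       pc_group2
--------------------------------------------------------------------------------
Total : 2
"""
SECRET = b"Huawei@2017"          # the page's example shared key
REQUEST_AUTH = bytes(range(16))  # Request Authenticator of the constructed Access-Request

if __name__ == "__main__":
    groups = parse_display_ucl_group(UCL_OUTPUT)
    reply = make_access_accept(7, REQUEST_AUTH, SECRET, [(ATTR_FILTER_ID, b"pc_group1")])
    print("Calling-Station-Id:", calling_station_id_mode2("00e0-fc12-3456"))
    print("group (correct key):", security_group_from_accept(reply, REQUEST_AUTH, SECRET, groups))
    print("group (wrong key):", security_group_from_accept(reply, REQUEST_AUTH, b"wrong", groups))
```

Run it as a script to see the group mapping and the effect of a wrong shared key. The packet handling follows RFC 2865 only as far as this example needs: there is no EAP-Message or Message-Authenticator processing, and the MD5-based Response Authenticator is the reason the shared key, not the transport, is what protects RADIUS replies from a forged server.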

Data Plan

Table 2-79  IP address and VXLAN data plan

Device

VXLAN Tunnel

Interface

Switch1

Switch1—>Switch3:
  • BD: 10
  • VNI: 2010
  • Source IP: 10.1.1.2
  • Peer IP: 10.3.3.2
GE0/0/1:
  • IP: 192.168.2.1
GE0/0/2:
  • VLAN: 101
  • VLANIF IP: 192.168.60.1

Switch2

Switch2—>Switch3:
  • BD: 20
  • VNI: 2020
  • Source IP: 10.2.2.2
  • Peer IP: 10.3.3.2
GE0/0/1:
  • IP: 192.168.3.1
GE0/0/2:
  • VLAN: 201
  • VLANIF IP: 192.168.21.1

Switch3

Switch3—>Switch1:
  • BD: 10
  • VNI: 2010
  • Source IP: 10.3.3.2
  • Peer IP: 10.1.1.2
Switch3—>Switch2:
  • BD: 20
  • VNI: 2020
  • Source IP: 10.3.3.2
  • Peer IP: 10.2.2.2
GE1/0/1:
  • IP: 192.168.2.2
GE1/0/2:
  • IP: 192.168.3.2
GE1/0/3:
  • IP: 192.168.11.1
GE1/0/4:
  • IP: 192.168.30.1

Table 2-80  Authentication data plan

Item

Data

RADIUS server template

  • Name: policy
  • RADIUS shared key: Huawei@2017
  • Source IP address of Switch1: 192.168.2.1
  • Source IP address of Switch2: 192.168.3.1
  • IP address of the RADIUS server: 192.168.11.20
  • Authentication port: 1812
  • Accounting port: 1813

AAA authentication scheme

  • Name: auth
  • Authentication mode: RADIUS

AAA accounting scheme

  • Name: acco
  • Accounting mode: RADIUS
  • Real-time accounting interval: 15 minutes

Authentication domain

  • Name: huawei.com
  • Referenced profiles: AAA authentication scheme auth, AAA accounting scheme acco, and RADIUS server template policy

802.1X access profile

  • Name: 802.1x-access
  • Authentication protocol: EAP

Authentication profile

  • Name: 802.1x-auth
  • Referenced profile: 802.1X access profile 802.1x-access

Table 2-81  Free mobility data plan

Item

Data

IP address of Switch1

192.168.2.1

IP address of Switch2

192.168.3.1

IP address of the Agile Controller-Campus

192.168.11.10

Interoperation password

Admin@2017

Security group

  • pc_group1: security group to which User1 belongs
  • pc_group2: security group to which User2 belongs
  • Problem: security group to which the customer problem handling system belongs

Procedure

  1. Configure switches.
    1. Set the NAC mode to unified on both Switch1 and Switch2.

      NOTE:

      By default, the unified mode is used. After changing the NAC mode from common to unified, you must enter y as prompted to restart the switch immediately to make the configuration take effect.

      <HUAWEI> system-view
      [HUAWEI] authentication unified-mode

    2. Configure IP addresses and a routing protocol to ensure connectivity.

      # Configure Switch1.
      [HUAWEI] sysname Switch1
      [Switch1] dhcp enable   //Enable DHCP globally.
      [Switch1] interface loopback 1
      [Switch1-LoopBack1] ip address 10.1.1.2 32
      [Switch1-LoopBack1] quit
      [Switch1] interface gigabitethernet 0/0/1
      [Switch1-GigabitEthernet0/0/1] undo portswitch
      [Switch1-GigabitEthernet0/0/1] ip address 192.168.2.1 24
      [Switch1-GigabitEthernet0/0/1] quit
      [Switch1] vlan batch 101
      [Switch1] interface gigabitethernet 0/0/2
      [Switch1-GigabitEthernet0/0/2] port link-type access
      [Switch1-GigabitEthernet0/0/2] port default vlan 101
      [Switch1-GigabitEthernet0/0/2] quit
      [Switch1] interface vlanif 101
      [Switch1-Vlanif101] ip address 192.168.60.1 24
      [Switch1-Vlanif101] dhcp select interface
      [Switch1-Vlanif101] quit
      [Switch1] ospf
      [Switch1-ospf-1] area 0
      [Switch1-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.0
      [Switch1-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
      [Switch1-ospf-1-area-0.0.0.0] quit
      [Switch1-ospf-1] quit

      # Configure Switch2.
      [HUAWEI] sysname Switch2
      [Switch2] dhcp enable
      [Switch2] interface loopback 1
      [Switch2-LoopBack1] ip address 10.2.2.2 32
      [Switch2-LoopBack1] quit
      [Switch2] interface gigabitethernet 0/0/1
      [Switch2-GigabitEthernet0/0/1] undo portswitch
      [Switch2-GigabitEthernet0/0/1] ip address 192.168.3.1 24
      [Switch2-GigabitEthernet0/0/1] quit
      [Switch2] vlan batch 201
      [Switch2] interface gigabitethernet 0/0/2
      [Switch2-GigabitEthernet0/0/2] port link-type access
      [Switch2-GigabitEthernet0/0/2] port default vlan 201
      [Switch2-GigabitEthernet0/0/2] quit
      [Switch2] interface vlanif 201
      [Switch2-Vlanif201] ip address 192.168.21.1 24
      [Switch2-Vlanif201] dhcp select interface
      [Switch2-Vlanif201] quit
      [Switch2] ospf
      [Switch2-ospf-1] area 0
      [Switch2-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.0
      [Switch2-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
      [Switch2-ospf-1-area-0.0.0.0] quit
      [Switch2-ospf-1] quit

      # Configure Switch3.
      <HUAWEI> system-view
      [HUAWEI] sysname Switch3
      [Switch3] interface loopback 1
      [Switch3-LoopBack1] ip address 10.3.3.2 32
      [Switch3-LoopBack1] quit
      [Switch3] interface gigabitethernet 1/0/1
      [Switch3-GigabitEthernet1/0/1] undo portswitch
      [Switch3-GigabitEthernet1/0/1] ip address 192.168.2.2 24
      [Switch3-GigabitEthernet1/0/1] quit
      [Switch3] interface gigabitethernet 1/0/2
      [Switch3-GigabitEthernet1/0/2] undo portswitch
      [Switch3-GigabitEthernet1/0/2] ip address 192.168.3.2 24
      [Switch3-GigabitEthernet1/0/2] quit
      [Switch3] interface gigabitethernet 1/0/3
      [Switch3-GigabitEthernet1/0/3] undo portswitch
      [Switch3-GigabitEthernet1/0/3] ip address 192.168.11.1 24
      [Switch3-GigabitEthernet1/0/3] quit
      [Switch3] interface gigabitethernet 1/0/4
      [Switch3-GigabitEthernet1/0/4] undo portswitch
      [Switch3-GigabitEthernet1/0/4] ip address 192.168.30.1 24
      [Switch3-GigabitEthernet1/0/4] quit
      [Switch3] ospf
      [Switch3-ospf-1] area 0
      [Switch3-ospf-1-area-0.0.0.0] network 10.3.3.2 0.0.0.0
      [Switch3-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
      [Switch3-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
      [Switch3-ospf-1-area-0.0.0.0] network 192.168.11.0 0.0.0.255
      [Switch3-ospf-1-area-0.0.0.0] network 192.168.30.0 0.0.0.255
      [Switch3-ospf-1-area-0.0.0.0] quit
      [Switch3-ospf-1] quit

      # After OSPF is configured successfully, the switches are reachable to each other. In the following example, Switch2 is pinged from Switch1.

      [Switch1] ping 10.2.2.2
        PING 10.2.2.2: 56  data bytes, press CTRL_C to break
          Reply from 10.2.2.2: bytes=56 Sequence=1 ttl=255 time=240 ms
          Reply from 10.2.2.2: bytes=56 Sequence=2 ttl=255 time=5 ms
          Reply from 10.2.2.2: bytes=56 Sequence=3 ttl=255 time=5 ms
          Reply from 10.2.2.2: bytes=56 Sequence=4 ttl=255 time=14 ms
          Reply from 10.2.2.2: bytes=56 Sequence=5 ttl=255 time=5 ms

        --- 10.2.2.2 ping statistics ---
          5 packet(s) transmitted
          5 packet(s) received
          0.00% packet loss
          round-trip min/avg/max = 5/53/240 ms

    3. Configure VXLAN tunnels and a Layer 3 VXLAN gateway.

      # Configure Switch3.

      [Switch3] bridge-domain 10
      [Switch3-bd10] vxlan vni 2010
      [Switch3-bd10] quit
      [Switch3] interface nve 1
      [Switch3-Nve1] source 10.3.3.2
      [Switch3-Nve1] vni 2010 head-end peer-list 10.1.1.2
      [Switch3-Nve1] quit
      [Switch3] bridge-domain 20
      [Switch3-bd20] vxlan vni 2020
      [Switch3-bd20] quit
      [Switch3] interface nve 1
      [Switch3-Nve1] source 10.3.3.2
      [Switch3-Nve1] vni 2020 head-end peer-list 10.2.2.2
      [Switch3-Nve1] quit

      # Configure a Layer 3 VXLAN gateway on Switch3.

      [Switch3] interface vbdif 10
      [Switch3-Vbdif10] ip address 192.168.10.10 24
      [Switch3-Vbdif10] quit
      [Switch3] interface vbdif 20
      [Switch3-Vbdif20] ip address 192.168.20.10 24
      [Switch3-Vbdif20] quit
      [Switch3] ip route-static 192.168.21.0 255.255.255.0 192.168.20.11
      [Switch3] ip route-static 192.168.60.0 255.255.255.0 192.168.10.11

      # Configure Switch1.

      [Switch1] bridge-domain 10
      [Switch1-bd10] vxlan vni 2010
      [Switch1-bd10] quit
      [Switch1] interface nve 1
      [Switch1-Nve1] source 10.1.1.2
      [Switch1-Nve1] vni 2010 head-end peer-list 10.3.3.2
      [Switch1-Nve1] quit
      [Switch1] interface vbdif 10
      [Switch1-Vbdif10] ip address 192.168.10.11 24
      [Switch1-Vbdif10] quit
      [Switch1] ip route-static 192.168.21.0 255.255.255.0 192.168.10.10

      # Configure Switch2.

      [Switch2] bridge-domain 20
      [Switch2-bd20] vxlan vni 2020
      [Switch2-bd20] quit
      [Switch2] interface nve 1
      [Switch2-Nve1] source 10.2.2.2
      [Switch2-Nve1] vni 2020 head-end peer-list 10.3.3.2
      [Switch2-Nve1] quit
      [Switch2] interface vbdif 20
      [Switch2-Vbdif20] ip address 192.168.20.11 24
      [Switch2-Vbdif20] quit
      [Switch2] ip route-static 192.168.60.0 255.255.255.0 192.168.20.10

    4. Configure free mobility. The following uses Switch1 as an example. The configuration of Switch2 is similar and is not provided here.

      [Switch1] group-policy controller 192.168.11.10 password Admin@2017 src-ip 192.168.2.1

    5. Configure 802.1X authentication. The following uses Switch1 as an example. The configuration of Switch2 is similar and is not provided here.

      1. Configure a RADIUS server template.
        [Switch1] radius-server template policy
        [Switch1-radius-policy] radius-server authentication 192.168.11.20 1812 source ip-address 192.168.2.1   //Configure a RADIUS authentication server.
        [Switch1-radius-policy] radius-server accounting 192.168.11.20 1813 source ip-address 192.168.2.1   //Configure a RADIUS accounting server.
        [Switch1-radius-policy] radius-server shared-key cipher Huawei@2017   //Set the RADIUS shared key to Huawei@2017.
        [Switch1-radius-policy] undo radius-server user-name domain-included   //Configure the switch not to modify the original user name in the packets sent to the RADIUS server.
        [Switch1-radius-policy] calling-station-id mac-format hyphen-split mode2 uppercase   //Set the encapsulation format of the MAC address in the Calling-Station-Id attribute of RADIUS packets to XX-XX-XX-XX-XX-XX.
        [Switch1-radius-policy] quit
        [Switch1] radius-server authorization attribute-decode-sameastemplate   //Configure the switch to parse the Calling-Station-Id attribute based on the configuration in the RADIUS server template.
      2. Configure AAA schemes and an authentication domain.
        [Switch1] aaa
        [Switch1-aaa] authentication-scheme auth
        [Switch1-aaa-authen-auth] authentication-mode radius   //Set the authentication mode to RADIUS.
        [Switch1-aaa-authen-auth] quit
        [Switch1-aaa] accounting-scheme acco
        [Switch1-aaa-accounting-acco] accounting-mode radius   //Set the accounting mode to RADIUS.
        [Switch1-aaa-accounting-acco] accounting realtime 15   //Set the real-time accounting interval to 15 minutes.
        [Switch1-aaa-accounting-acco] quit
        [Switch1-aaa] domain huawei.com
        [Switch1-aaa-domain-huawei.com] radius-server policy
        [Switch1-aaa-domain-huawei.com] authentication-scheme auth
        [Switch1-aaa-domain-huawei.com] accounting-scheme acco
        [Switch1-aaa-domain-huawei.com] quit
        [Switch1-aaa] quit
        [Switch1] domain huawei.com   //Configure the authentication domain huawei.com as the global default authentication domain.
      3. Enable 802.1X authentication.
        [Switch1] dot1x-access-profile name 802.1x-access   //Configure an 802.1X access profile; it uses the EAP authentication mode by default.
        [Switch1-dot1x-access-profile-802.1x-access] quit
        [Switch1] authentication-profile name 802.1x-auth   //Configure an authentication profile.
        [Switch1-authen-profile-802.1x-auth] dot1x-access-profile 802.1x-access
        [Switch1-authen-profile-802.1x-auth] quit
        [Switch1] interface gigabitethernet 0/0/2
        [Switch1-GigabitEthernet0/0/2] authentication-profile 802.1x-auth   //Enable 802.1X authentication on the authentication control point.
        [Switch1-GigabitEthernet0/0/2] quit

  2. Configure the Agile Controller-Campus.
    1. Log in to the Agile Controller-Campus. Open Internet Explorer, enter the Agile Controller-Campus access address in the address bar, and press Enter. On the login page, enter the user name and password to log in.
    2. Add switches.

      1. Choose Resource > Device > Device Management. Click Add on the right, and set the parameters for Switch1 and Switch2 according to Table 2-81 and the following figure. After completing the configuration, click OK. The following uses Switch1 as an example. The configuration of Switch2 is similar and is not provided here.

      2. Select Switch1 and Switch2 and click Synchronize.


      3. The Status icon of Switch1 indicates a normal communication status. Alternatively, run the display group-policy status command on Switch1 and Switch2 to view their communication status. When State is displayed as working on a switch, communication between the switch and the Agile Controller-Campus is normal. The following uses Switch1 as an example. The output on Switch2 is similar and is not provided here.

        <Switch1> display group-policy status
          Controller IP address: 192.168.11.10
          Controller port: 5222
          Backup controller IP address: -
          Backup controller port: -
          Source IP address: 192.168.2.1
          State: working
          Connected controller: master
          Device protocol version: 2
          Controller protocol version: 2
      4. Choose Device Group > Free Mobility > Custom. Click the add icon next to Device Group, create the device group UCL, and click OK.


      5. Select the UCL group, and click Join on the right to add Switch1 and Switch2 to this group.

    3. Configure security groups.

      1. Configure dynamic security groups. Choose Policy > Permission Control > Security Group > Dynamic Security Group Management. Click Add on the right, add the dynamic security group pc_group1, and click OK. The following uses pc_group1 as an example. The configuration of pc_group2 is similar and is not provided here.

      2. Deploy the security groups. Select pc_group1 and pc_group2, and click Global Deployment to deploy these security groups to Switch1 and Switch2. Run the display ucl-group all command on Switch1 and Switch2 to verify that the security groups are deployed successfully. The following uses Switch1 as an example. The output on Switch2 is similar and is not provided here.
        <Switch1> display ucl-group all
        ID       UCL group name
        --------------------------------------------------------------------------------
        31       pc_group1
        32       pc_group2
        --------------------------------------------------------------------------------
        Total : 2
      3. Configure a static security group. Choose Static Security Group Management on the left. Click Add on the right, add the static security group Problem, bind the IP address of the customer problem handling system, and click OK.


    4. Configure access control policies.

      1. Choose Policy > Free Mobility > Policy Configuration > Permission Control. Select the UCL group under Common Policy, click Add on the right, and configure policies for controlling access between security groups. In this example, User1 and User2 can access the customer problem handling system, but cannot communicate with each other.

      2. Disable User1 from communicating with User2, and allow User1 to access the customer problem handling system.


      3. Disable User2 from communicating with User1, and allow User2 to access the customer problem handling system.


      4. Select the access control policies, and click Global Configuration to deliver the policies to Switch1 and Switch2. Run the display acl all command on Switch1 and Switch2 to verify that the access control policies are deployed successfully. The following uses Switch1 as an example. The output on Switch2 is similar and is not provided here.

        <Switch1> display acl all
         Total nonempty ACL number is 2

        Ucl-group ACL Auto_PGM_U31 9998, 2 rules
        Acl's step is 5
         rule 1 deny ip source ucl-group 31 destination ucl-group 32
         rule 2 permit ip source ucl-group 31 destination 192.168.30.2 0

        Ucl-group ACL Auto_PGM_U32 9999, 2 rules
        Acl's step is 5
         rule 1 deny ip source ucl-group 32 destination ucl-group 31
         rule 2 permit ip source ucl-group 32 destination 192.168.30.2 0

  3. Configure the ISE.
    1. Log in to the ISE. Open Internet Explorer, enter the ISE access address in the address bar, and press Enter. On the ISE login page, enter the ISE administrator user name and password to log in to the ISE.
    2. Configure local users.

      1. Choose Administration > Identity Management > Groups. Choose User Identity Groups on the left. Click Add on the right, and create groups pc_group1 and pc_group2. After completing the configuration, click Submit. The following uses pc_group1 as an example. The configuration of pc_group2 is similar and is not provided here.


      2. Choose Administration > Identity Management > Identities. Choose Users on the left. Click Add on the right, configure information about User1 and User2, and add them to pc_group1 and pc_group2, respectively. After completing the configuration, click Submit. The following uses User1 as an example. The configuration of User2 is similar and is not provided here.


    3. Add access authentication switches.

      1. Configure an access authentication device profile. Choose Administration > Network Resources > Network Device Profiles. Click Add, create the access authentication device profile hw, and configure the profile according to the following table. After completing the configuration, click Jump To Top and Submit.

        NOTE:

        The Huawei RADIUS extended attributes are not used in this example, so this step is optional. If you skip it, select the default network device profile Cisco instead of hw as the Device Profile when adding the switches in the next step.

        Table 2-82  Access authentication device profile hw

        Parameter

        Setting

        Name

        hw

        Vendor

        Other

        Supported Protocols

        • RADIUS
        • TACACS+
        • TrustSec

        RADIUS Dictionaries

        HW

        NOTE:

        If the ISE does not have the Huawei extended RADIUS attribute dictionary HW, create it manually. Huawei's vendor ID is 2011.

        Authentication/Authorization > Flow Type Conditions

        Wired 802.1X detected if the following condition(s) are met:
        • "Radius:NAS-Port-Type" = "Ethernet"
        • "Radius:Service-Type" = "Framed"

        Authentication/Authorization > Attribute Aliasing

        Select SSID and configure Radius:Called-Station-ID.

        Permissions

        • Select Set VLAN and then select IETF 802.1X Attributes.
        • Select Set ACL and configure Radius:Filter-ID.

        Change of Authorization (CoA)

        • CoA by: RADIUS
        • Default CoA Port: 3799
        • Default DTLS CoA Port: 2083
        • Timeout Interval: 5
        • Retry Count: 2
        • Select Send Message-Authenticator.
        Change of Authorization (CoA) > Disconnect: RFC 5176
        • "Radius:Acct-Session-Id" = "0"
        • "Radius:Acct-Terminate-Cause" = "Admin Reset"

        Change of Authorization (CoA) > Disconnect: Port Bounce and Port Shutdown

        Change of Authorization (CoA) > Re-authenticate: Basic, Rerun, and Last

        Change of Authorization (CoA) > CoA Push: RFC 5176

        "Radius:Acct-Session-Id" = "0"
      2. Configure access authentication switches. Choose Administration > Network Resources > Network Devices. Choose Network devices on the left. Click Add on the right, add access authentication devices Switch1 and Switch2, and configure the devices according to the following table. After completing the configuration, click Submit. The following uses Switch1 as an example. The configuration of Switch2 is similar and is not provided here.

        Table 2-83  Access authentication switch (Switch1 and Switch2)

        Item

        Data

        Switch1
        • Name: Switch1
        • IP Address: 192.168.2.1/32
        • Device Profile: hw
        • RADIUS Authentication Settings > Shared Secret: Huawei@2017
        Switch2
        • Name: Switch2
        • IP Address: 192.168.3.1/32
        • Device Profile: hw
        • RADIUS Authentication Settings > Shared Secret: Huawei@2017


    4. (Optional) Configure an authentication protocol profile.

      # Choose Policy > Policy Elements > Results. Choose Authentication > Allowed Protocols on the left. Click Add on the right to create an authentication protocol profile, and select authentication protocols based on actual requirements. After completing the configuration, click Submit.

      NOTE:

      The authentication protocol profile Default Network Access used in this example is the default authentication protocol profile of the ISE. If the profile meets actual requirements, you do not need to create a profile.

    5. Configure authentication policies.

      # Choose Policy > Authentication. Set Policy Type to Rule-Based. Click the icon next to Edit for the first authentication policy. Click Insert new row above to create the authentication policy wired_802.1x-authen, and configure the policy according to the following figure. After completing the configuration, click Done and Save.

      NOTE:

      Wired_802.1X is the default ISE condition that wired 802.1X authentication requests must match.

    6. Configure authorization policies.

      1. Configure authorization profiles. Choose Policy > Policy Elements > Results. Choose Authorization > Authorization Profiles on the left. Click Add on the right, create authorization profiles pc_group1_author_pro and pc_group2_author_pro, and configure the profiles according to the following figure. After completing the configuration, click Submit. The following uses pc_group1_author_pro as an example. The configuration of pc_group2_author_pro is similar and is not provided here.


      2. Configure authorization policies. Choose Policy > Authorization. Click the icon next to Edit for the first authorization policy. Click Insert New Rule Above, create the authorization policies pc_group1_author_policy and pc_group2_author_policy, and configure the policies according to the following figure. After completing the configuration, click Done and Save. The following uses pc_group1_author_policy as an example. The configuration of pc_group2_author_policy is similar and is not provided here.

  4. Verify the configuration.

    • After the configuration is complete, run the display vxlan vni command on Switch1, Switch2, and Switch3. The VNI state in the command output is up. Run the display vxlan tunnel command to view information about the VXLAN tunnels. The following uses Switch3 as an example. The command outputs on Switch1 and Switch2 are similar and are not provided here.

      [Switch3] display vxlan vni
      VNI               BD-ID             State
      -----------------------------------------
      2010              10                up
      2020              20                up
      -----------------------------------------
      Number of vxlan vni bound to BD is : 2

      [Switch3] display vxlan tunnel
      Tunnel ID       Source              Destination         State     Type
      ----------------------------------------------------------------------------
      4026531842      10.3.3.2            10.1.1.2            up        static
      4026531841      10.3.3.2            10.2.2.2            up        static
      ----------------------------------------------------------------------------
      Number of vxlan tunnel : 2
    • The Agile Controller-Campus delivers access control policies of different security groups to Switch1 and Switch2. After User1 and User2 go online, they pass 802.1X authentication on the ISE and are added to security groups pc_group1 and pc_group2, respectively. User1 and User2 can access the customer problem handling system, but cannot communicate with each other.
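As an added example (not from this page and not Huawei or Cisco code), the following Python script reads the UCL ACLs that display acl all reports after the controller delivers the policies, and checks them against the networking requirements: each user group can reach the customer problem handling system, and the two user groups cannot reach each other. The ACL output embedded in the script is constructed to match the layout shown in the procedure; the group IDs 31 and 32 and the resource address 192.168.30.2 are taken from that output. What the switch does with traffic that matches no delivered rule is not visible in that output, so the script reports it as undecided rather than assuming a default.

```python
"""Added example: parse the UCL ACLs from 'display acl all' after policy
delivery and check them against the stated access requirements. The ACL
output embedded below is constructed to match the layout in the procedure."""
import ipaddress
import re

ACL_HEADER_RE = re.compile(r"^Ucl-group ACL (\S+) (\d+), (\d+) rules")
RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)\s+ip\s+source\s+(.+?)\s+destination\s+(.+?)\s*$")


def parse_match(token):
    """'ucl-group 31' -> ('ucl', 31); '192.168.30.2 0' -> ('ip', IPv4Network('.../32'))."""
    parts = token.split()
    if parts[0] == "ucl-group":
        return ("ucl", int(parts[1]))
    addr = parts[0]
    wildcard = parts[1] if len(parts) > 1 else "0"
    if wildcard == "0":
        wildcard = "0.0.0.0"  # the switch prints a host wildcard as a bare 0
    # Convert the wildcard (host mask) to a netmask; non-contiguous masks raise.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ("ip", ipaddress.ip_network("%s/%s" % (addr, netmask), strict=False))


def host(ip):
    """Target form for a single destination address."""
    return ("ip", ipaddress.ip_address(ip))


def parse_ucl_acls(output):
    """Return {acl_name: [(rule_id, action, src_term, dst_term), ...]} in rule order."""
    acls, current = {}, None
    for line in output.splitlines():
        m = ACL_HEADER_RE.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            rid, action, src, dst = m.groups()
            acls[current].append((int(rid), action, parse_match(src), parse_match(dst)))
    return acls


def matches(term, target):
    """Does a rule's source or destination term cover the target?"""
    kind, value = term
    if kind == "ucl":
        return target == ("ucl", value)
    return target[0] == "ip" and target[1] in value


def decide(acls, src_group, dst):
    """First-match evaluation across the delivered UCL ACLs: 'permit', 'deny' or None.

    None means no delivered rule matches; the switch's default for unmatched
    traffic is not shown in this output, so it is left undecided here."""
    for rules in acls.values():
        for _, action, src, dst_term in rules:
            if matches(src, ("ucl", src_group)) and matches(dst_term, dst):
                return action
    return None


def check_requirements(acls, user_groups, resource_ip):
    """Return violations as text; an empty list means the policy meets the requirements."""
    problems = []
    for g in user_groups:
        if decide(acls, g, host(resource_ip)) != "permit":
            problems.append("ucl-group %d cannot reach %s" % (g, resource_ip))
        for other in user_groups:
            if other != g and decide(acls, g, ("ucl", other)) != "deny":
                problems.append("ucl-group %d is not blocked from ucl-group %d" % (g, other))
    return problems


# Constructed sample, laid out like the page's 'display acl all' output.
ACL_OUTPUT = """Total nonempty ACL number is 2
Ucl-group ACL Auto_PGM_U31 9998, 2 rules
Acl's step is 5
 rule 1 deny ip source ucl-group 31 destination ucl-group 32
 rule 2 permit ip source ucl-group 31 destination 192.168.30.2 0
Ucl-group ACL Auto_PGM_U32 9999, 2 rules
Acl's step is 5
 rule 1 deny ip source ucl-group 32 destination ucl-group 31
 rule 2 permit ip source ucl-group 32 destination 192.168.30.2 0
"""

if __name__ == "__main__":
    acls = parse_ucl_acls(ACL_OUTPUT)
    print(check_requirements(acls, [31, 32], "192.168.30.2") or "policy meets the requirements")
```

Feed the script the real display acl all output from each switch (Switch1 and Switch2 should agree) instead of the constructed sample; a missing deny rule shows up as a named violation, which is the check worth running after every Global Configuration delivery.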

Configuration Files
  • Configuration file of Switch1

    #
    sysname Switch1
    #
    vlan batch 101
    #
    authentication-profile name 802.1x-auth
     dot1x-access-profile 802.1x-access
    #
    domain huawei.com
    #
    radius-server authorization attribute-decode-sameastemplate
    #
    group-policy controller 192.168.11.10 password %^%#=9]jRG40)#g\=@5-lx9=OK/F&4$lz(YjFn7.yOX(%^%# src-ip 192.168.2.1
    #
    dhcp enable
    #
    radius-server template policy
     radius-server shared-key cipher %^%#[Ov`$Y`N:Y<rII5.kz;8W":mSzqR2NCjg=EgTJRK%^%#
     radius-server authentication 192.168.11.20 1812 source ip-address 192.168.2.1 weight 80
     radius-server accounting 192.168.11.20 1813 source ip-address 192.168.2.1 weight 80
     undo radius-server user-name domain-included
     calling-station-id mac-format hyphen-split mode2 uppercase
    #
    aaa
     authentication-scheme auth
      authentication-mode radius
     accounting-scheme acco
      accounting-mode radius
      accounting realtime 15
     domain huawei.com
      authentication-scheme auth
      accounting-scheme acco
      radius-server policy
    #
    bridge-domain 10
     vxlan vni 2010
    #
    interface Vlanif101
     ip address 192.168.60.1 255.255.255.0
     dhcp select interface
    #
    interface GigabitEthernet0/0/1
     undo portswitch
     ip address 192.168.2.1 255.255.255.0
    #
    interface GigabitEthernet0/0/2
                                          port link-type access                                                            port default vlan 101                                                            authentication-profile 802.1x-auth                                              #                                                                                interface LoopBack1                                                               ip address 10.1.1.2 255.255.255.255                                             #                                                                                interface Vbdif10                                                                 ip address 192.168.10.11 255.255.255.0                                          #                                                                                interface Nve1                                                                    source 10.1.1.2                                                                  vni 2010 head-end peer-list 10.3.3.2                                            #                                                                                ospf 1                                                                            area 0.0.0.0                                                                      network 10.1.1.2 0.0.0.0                                                         network 192.168.2.0 0.0.0.255                                                  #                                                                                ip route-static 192.168.21.0 255.255.255.0 192.168.10.10                         #                                                                                dot1x-access-profile name 802.1x-access                                          #                                                                                return                                                                          
  • Configuration file of Switch2

    #
     sysname Switch2
    #
    vlan batch 201
    #
    authentication-profile name 802.1x-auth
     dot1x-access-profile 802.1x-access
    #
    domain huawei.com
    #
    radius-server authorization attribute-decode-sameastemplate
    #
    group-policy controller 192.168.11.10 password %^%#=9]jRG40)#g\=@5-lx9=OK/F&4$lz(YjFn7.yOX(%^%# src-ip 192.168.3.1
    #
    dhcp enable
    #
    radius-server template policy
     radius-server shared-key cipher %^%#[Ov`$Y`N:Y<rII5.kz;8W":mSzqR2NCjg=EgTJRK%^%#
     radius-server authentication 192.168.11.20 1812 source ip-address 192.168.2.1 weight 80
     radius-server accounting 192.168.11.20 1813 source ip-address 192.168.2.1 weight 80
     undo radius-server user-name domain-included
     calling-station-id mac-format hyphen-split mode2 uppercase
    #
    aaa
     authentication-scheme auth
      authentication-mode radius
     accounting-scheme acco
      accounting-mode radius
      accounting realtime 15
     domain huawei.com
      authentication-scheme auth
      accounting-scheme acco
      radius-server policy
    #
    bridge-domain 20
     vxlan vni 2020
    #
    interface Vlanif201
     ip address 192.168.21.1 255.255.255.0
     dhcp select interface
    #
    interface GigabitEthernet0/0/1
     undo portswitch
     ip address 192.168.3.1 255.255.255.0
    #
    interface GigabitEthernet0/0/2
     port link-type access
     port default vlan 201
     authentication-profile 802.1x-auth
    #
    interface LoopBack1
     ip address 10.2.2.2 255.255.255.255
    #
    interface Vbdif20
     ip address 192.168.20.11 255.255.255.0
    #
    interface Nve1
     source 10.2.2.2
     vni 2020 head-end peer-list 10.3.3.2
    #
    ospf 1
     area 0.0.0.0
      network 10.2.2.2 0.0.0.0
      network 192.168.3.0 0.0.0.255
    #
    ip route-static 192.168.60.0 255.255.255.0 192.168.20.10
    #
    dot1x-access-profile name 802.1x-access
    #
    return
  • Configuration file of Switch3

    #
     sysname Switch3
    #
    bridge-domain 10
     vxlan vni 2010
    #
    bridge-domain 20
     vxlan vni 2020
    #
    interface GigabitEthernet1/0/1
     undo portswitch
     ip address 192.168.2.2 255.255.255.0
    #
    interface GigabitEthernet1/0/2
     undo portswitch
     ip address 192.168.3.2 255.255.255.0
    #
    interface GigabitEthernet1/0/3
     undo portswitch
     ip address 192.168.11.1 255.255.255.0
    #
    interface GigabitEthernet1/0/4
     undo portswitch
     ip address 192.168.30.1 255.255.255.0
    #
    interface LoopBack1
     ip address 10.3.3.2 255.255.255.255
    #
    interface Vbdif10
     ip address 192.168.10.10 255.255.255.0
    #
    interface Vbdif20
     ip address 192.168.20.10 255.255.255.0
    #
    interface Nve1
     source 10.3.3.2
     vni 2010 head-end peer-list 10.1.1.2
     vni 2020 head-end peer-list 10.2.2.2
    #
    ospf 1
     area 0.0.0.0
      network 10.3.3.2 0.0.0.0
      network 192.168.2.0 0.0.0.255
      network 192.168.3.0 0.0.0.255
      network 192.168.11.0 0.0.0.255
      network 192.168.30.0 0.0.0.255
    #
    ip route-static 192.168.21.0 255.255.255.0 192.168.20.11
    ip route-static 192.168.60.0 255.255.255.0 192.168.10.11
    #
    return
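The three configuration files above each carry a RADIUS template whose authentication and accounting entries pin a source ip-address, and a RADIUS server such as ISE only accepts requests from the client addresses defined on it, so a source address that does not exist on the switch means every 802.1X request is silently dropped or rejected. The following script is an added example (not Huawei's code and not part of the original post) that parses a config file in the format shown above and checks two things before deployment: that every radius-server source ip-address is configured on a local interface, and that the shared key is stored in cipher form rather than as plaintext. The embedded config is a constructed sample modelled on the Switch2 file, which uses source ip-address 192.168.2.1 although no Switch2 interface carries that address (its interfaces are 192.168.21.1, 192.168.3.1, 10.2.2.2 and 192.168.20.11); the script reports exactly that kind of inconsistency. Only the Python standard library is used.

```python
import re

# Constructed sample config in the style of the Switch1/Switch2 files above.
# It is not a real device dump; the shared-key ciphertext is a placeholder.
SAMPLE_CONFIG = """\
#
 sysname SwitchX
#
radius-server template policy
 radius-server shared-key cipher %^%#PLACEHOLDER-CIPHERTEXT%^%#
 radius-server authentication 192.168.11.20 1812 source ip-address 192.168.2.1 weight 80
 radius-server accounting 192.168.11.20 1813 source ip-address 192.168.2.1 weight 80
 undo radius-server user-name domain-included
#
interface GigabitEthernet0/0/1
 undo portswitch
 ip address 192.168.3.1 255.255.255.0
#
interface LoopBack1
 ip address 10.2.2.2 255.255.255.255
#
return
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
IFACE_RE = re.compile(r"^interface\s+(\S+)")
IPADDR_RE = re.compile(r"^ip address\s+" + IPV4 + r"\s+" + IPV4)
RADIUS_RE = re.compile(
    r"^radius-server (authentication|accounting)\s+" + IPV4 + r"\s+(\d+)"
    r"(?:\s+source ip-address\s+" + IPV4 + r")?"
)
SHARED_KEY_RE = re.compile(r"^radius-server shared-key\s+(cipher|simple)\b")


def parse_config(text):
    """Return (sysname, {interface: [addresses]}, [radius entries], key_mode).

    Huawei config files delimit sections with a lone '#', so a '#' line closes
    the interface block that is currently being read.
    """
    sysname, interfaces, radius, key_mode = None, {}, [], None
    current_iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            current_iface = None
            continue
        if line.startswith("sysname "):
            sysname = line.split(None, 1)[1]
            continue
        m = IFACE_RE.match(line)
        if m:
            current_iface = m.group(1)
            interfaces.setdefault(current_iface, [])
            continue
        m = IPADDR_RE.match(line)
        if m and current_iface:
            interfaces[current_iface].append(m.group(1))
            continue
        m = RADIUS_RE.match(line)
        if m:
            radius.append({"role": m.group(1), "server": m.group(2),
                           "port": int(m.group(3)), "source": m.group(4)})
            continue
        m = SHARED_KEY_RE.match(line)
        if m:
            key_mode = m.group(1)
    return sysname, interfaces, radius, key_mode


def audit_radius_sources(text):
    """Return a list of human-readable findings; an empty list means the checks passed."""
    sysname, interfaces, radius, key_mode = parse_config(text)
    local = {ip for addrs in interfaces.values() for ip in addrs}
    findings = []
    if key_mode is None:
        findings.append(f"{sysname}: no radius-server shared-key configured")
    elif key_mode != "cipher":
        findings.append(f"{sysname}: shared key stored as '{key_mode}' (plaintext in the config file)")
    for e in radius:
        if e["source"] is None:
            findings.append(f"{sysname}: radius-server {e['role']} {e['server']} has no explicit source ip-address; the device will pick one by routing")
        elif e["source"] not in local:
            findings.append(f"{sysname}: radius-server {e['role']} {e['server']} uses source ip-address {e['source']}, which is not configured on any local interface")
    return findings


if __name__ == "__main__":
    for finding in audit_radius_sources(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

The check deliberately treats a missing source ip-address as a finding rather than an error: the switch will then choose a source by routing, which works but makes the client address that must be registered on ISE depend on the routing table instead of the config.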

Card or Switch Where the Authentication Control Point Can Be Deployed

Switch Version: V200R011C10
Card or Switch Where the Authentication Control Point Can Be Deployed:
  • S5720HI
  • X series cards of S7700, S9700, and S12700 series switches

Switch Version: V200R012C00 and later versions
Card or Switch Where the Authentication Control Point Can Be Deployed:
  • S5720HI, S5730HI, S6720HI
  • X series cards of S7700, S9700, and S12700 series switches

NOTE:

For details about switches where VXLAN can be deployed, see the Licensing Requirements and Limitations for VXLAN in Configuration Guide - VXLAN of the corresponding version.

For more comprehensive configuration examples, see:

https://support.huawei.com/enterprise/en/doc/EDOC1000069520/9aadccc0/comprehensive-configuration-examples
