[All About Switches] Interconnection of 802.1x Authentication on S Switch and th

Latest reply: Aug 24, 2016 03:51:25

1 Background

A switch connects administrators and common users to the Internet. As shown in Figure 1-1, the switch allows the administrator to manage the network and common users to access the video, voice, and web services.

Figure 1-1 Users access the Internet through the switch

The switch needs to control network access rights of users. For example, the switch can perform authentication, authorization, and accounting (AAA) for users. AAA prevents unauthorized users from logging in to the switch and improves system security.

• Authentication: verifies whether a user is authorized for network access.

• Authorization: specifies the services that an authenticated user is allowed to use.

• Accounting: records the network resources that a user consumes.

AAA is used on networks that require high security, for example, finance, government, and carrier networks. To provide AAA, the switch must work with an AAA server, as shown in Figure 1-2. Information about all access users is created and maintained on the AAA server. A user is allowed to log in to the switch only when the user name and password the user enters match those stored on the AAA server. After login, the switch grants the user the corresponding rights, for example, the right to access the Internet.

Figure 1-2 An AAA server manages user information

A Huawei S series switch communicates with the AAA server through the RADIUS or HWTACACS protocol. The RADIUS protocol is more popular on live networks.

The Secure ACS of vendor C can be used as an AAA server to work with a Huawei S series switch.


2 Introduction to Vendor C Secure ACS

Overview

The Secure Access Control System (ACS) of vendor C supports the AAA function and a broad variety of access connections, including wired and wireless LAN, dialup, broadband, content, storage, voice over IP (VoIP), firewalls, and VPNs.

The Secure ACS implements AAA through the RADIUS or TACACS+ protocol. RADIUS is standardized in RFCs (RFC 2865 for authentication and authorization, RFC 2866 for accounting), whereas TACACS+ is a proprietary protocol of vendor C.

How to Use ACS

Connect the S series switch to Secure ACS and log in to the Secure ACS client (its web interface) from a browser on your PC.

This section uses ACS 5.2.0.26 as an example.

The Secure ACS client requires Microsoft Internet Explorer 6.x, 7.x, or later, or Mozilla Firefox 3.x. After logging in, you can view and manage the ACS and export logs to check user information, for example, online users, failed authentications, and authorization attempts.

Table 2-1 describes the navigation areas on the ACS.

Table 2-1 Navigation areas on the ACS client

My Workspace: Welcome page, configuration instructions for common tasks, and account information. To change the administrator password, choose My Workspace > My Account.

Network Resources: Configures network devices, including AAA clients and network device groups.

Users and Identity Stores: Configures internal users and identity stores.

Policy Elements: Configures authentication and authorization profiles, including the matching conditions and results of access policies.

Access Policies: Configures access policies and associates users with authentication and authorization profiles.

Monitoring and Reports: Displays log information.

System Administration: Manages and maintains the ACS.


3 Connecting an S Series Switch to the Secure ACS

3.1 Implementation Differences

Both S series switches and Secure ACS implement the RFC-compliant RADIUS protocol, so they interoperate. S series switches do not support the private RADIUS attributes of vendor C, such as downloadable ACLs, so authorization results must be delivered with standard attributes.

HWTACACS and TACACS+ both implement authentication, authorization, and accounting, use the same authentication process and implementation mechanism, and are therefore compatible at the protocol layer. A switch running HWTACACS can communicate with a vendor C server such as ACS. However, the switch may not support the proprietary attributes of vendor C, because vendors define and interpret their proprietary attributes differently.

3.2 S Series Switch Versions Supporting ACS

Table 3-1 S series switch versions supporting ACS

Model: S series switches

Version: V200R003 and later; V100R002C02 or later in V100R002CXX; V200R001C00 or later in V200R001CXX

This example uses ACS 5.2.0.26 to describe the configuration.

3.3 Prerequisites

Figure 3-1 shows the connection between the switch and Secure ACS.

Figure 3-1 Connecting the switch to Secure ACS

Before connecting the devices, ensure that:

• A reachable route exists between the switch and Secure ACS.

• You have logged in to Secure ACS through the web interface.

3.4 Connecting Devices to Provide AAA Service to 802.1x Users

3.4.1 Networking Requirements and Roadmap

Networking Requirements

On an enterprise network, an administrator connects to the switch through a management network and an 802.1x user connects to the switch through an access network. The enterprise uses ACS to create and maintain user information. The administrator can log in to the ACS through web.

The administrator and 802.1x user are allocated different accounts and rights to improve security.

The requirements are as follows:

1. The administrator can Telnet to the switch only after entering the correct user name and password, and can use commands from level 0 to level 15 after login.

2. To access the network through the switch, the 802.1x user starts the 802.1x client, enters the user name and password, and is authenticated.

After the 802.1x user is authenticated:

- The user can use commands at level 0 to level 2.

- The ACS delivers VLAN 100 and ACL 3000 to the user.

3. The administrator is authenticated in the default domain, and the 802.1x user is authenticated in the huawei.com domain.

Figure 3-2 Users access the switch through 802.1x

Preparations

Prepare the data according to Table 3-2. The data is only for your reference.

Table 3-2 Data used to connect the switch to ACS

Administrator's user name and password for the ACS client: acsadmin / Admin_123

Administrator's user name and password for the switch: admin1 / Admin@1234

User name and password of the 802.1x user: user1@huawei.com / Huawei@1234

Switch name and IP address of the interface connected to the ACS: HUAWE_S / 10.1.6.10

Shared key between the switch and ACS: Hello@1234

3.4.2 Configuring the S Series Switch

Configuration Roadmap

1. Enable the Telnet service.

2. Create the VLAN and ACL that the ACS will deliver.

3. Configure AAA authentication for the administrator to Telnet to the switch.

4. Configure RADIUS authentication: create the RADIUS server template and AAA authentication scheme and apply them to the default_admin and huawei.com domains.

5. Enable 802.1x authentication on the interface through which the 802.1x user accesses the switch.

Procedure

1. Configure interfaces and assign IP addresses to them so that the switch can communicate with the ACS.

<Quidway> system-view
[Quidway] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.6.10 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.10 24
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 10.1.3.10 24
[Switch-Vlanif30] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 20
[Switch-GigabitEthernet0/0/2] quit

If the AAA server needs to deliver a VLAN or ACL to access users, the user access interface (with authentication enabled) on the switch must be a hybrid interface.

[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type hybrid
[Switch-GigabitEthernet0/0/3] port hybrid untagged vlan 30
[Switch-GigabitEthernet0/0/3] quit

2. Create the VLAN and ACL that the ACS will deliver to access users.

Only a VLAN or ACL that already exists on the switch, with the same ID as configured on the AAA server, can be delivered successfully; create them locally before testing.

[Switch] vlan 100
[Switch-vlan100] quit
[Switch] acl 3000
[Switch-acl-adv-3000] quit

3. Enable the Telnet server.

[Switch] telnet server enable

Telnet carries the administrator's user name and password in cleartext, so anyone who can capture traffic on the management network can read them. Use it only on a trusted management network; where the switch version supports it, STelnet (SSH) is the safer choice for administrator login.

4. Set the authentication mode for VTY users to AAA.

[Switch] user-interface maximum-vty 15  //Set the maximum number of VTY users to 15 (this value varies with versions and models). By default, a maximum of 5 Telnet users are supported.
[Switch] user-interface vty 0 14  //Enter the VTY 0-14 user interface view.
[Switch-ui-vty0-14] authentication-mode aaa  //Set the authentication mode for VTY users to AAA.
[Switch-ui-vty0-14] protocol inbound telnet  //Configure the VTY user interface to support Telnet (The default protocol is Telnet in V200R006 and earlier versions. This command is mandatory in V200R007 and later versions.)
[Switch-ui-vty0-14] quit

5. Configure RADIUS authentication for access users on the switch.

# Configure a RADIUS server template so that the switch and ACS can communicate through RADIUS.

[Switch] radius-server template 1
[Switch-radius-1] radius-server authentication 10.1.6.6 1812  //Specify the IP address and port number of the ACS.
[Switch-radius-1] radius-server shared-key cipher Hello@1234  //Set the ACS shared key, which must be the same as that configured on the ACS.
[Switch-radius-1] quit

If the user names stored on the AAA server do not contain a domain name, run the undo radius-server user-name domain-included command in the RADIUS server template view. The switch then strips the domain name from the user names in the packets it sends to the RADIUS server (for example, user1@huawei.com is sent as user1).
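To make the shared key's role concrete, the following is an added Python example (not code from this post, from Huawei, or from vendor C) that builds an Access-Request the way a switch does, including the RFC 2865 User-Password hiding and the optional domain stripping described in the note above, and then verifies the Response Authenticator of the server's reply with the shared key. The user name, password, shared key and NAS IP address are the sample values from Table 3-2; the packet identifier and the fixed Request Authenticator used in the demo are arbitrary. The Message-Authenticator attribute (RFC 2869), which EAP exchanges require, is left out to keep the example short.

```python
"""Minimal RADIUS (RFC 2865) helpers: build an Access-Request as a NAS does and
verify the Response Authenticator of the reply with the shared key.
Added example with constructed data; not the switch's or the ACS's own code."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4      # RFC 2865 attribute types


def pack_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 bytes, then XOR each
    block with MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. This only obscures the password: the shared key is the sole
    protection, which is why the key must be strong and the transport trusted."""
    padded = password.ljust(16 * max(1, (len(password) + 15) // 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the AAA server does); NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         nas_ip: str, domain_included: bool = True,
                         authenticator: bytes = None) -> bytes:
    """Access-Request as the switch sends it. domain_included=False mirrors
    'undo radius-server user-name domain-included' (user1@huawei.com -> user1)."""
    if not domain_included:
        username = username.split("@", 1)[0]
    auth = authenticator or os.urandom(16)   # Request Authenticator: must be unpredictable
    attrs = (pack_attr(USER_NAME, username.encode())
             + pack_attr(USER_PASSWORD, hide_password(password.encode(), secret, auth))
             + pack_attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if its Response Authenticator was computed with
    our shared key over our Request Authenticator. A forged Access-Accept from a host
    that does not know the key fails here, which is why the key must match on both ends."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo() -> dict:
    """Round trip with the sample data from Table 3-2 and a fixed Request Authenticator."""
    secret = b"Hello@1234"
    auth = bytes(range(16))                                      # fixed for reproducibility
    req = build_access_request(7, "user1@huawei.com", "Huawei@1234", secret, "10.1.6.10",
                               authenticator=auth)
    genuine = build_response(ACCESS_ACCEPT, req, secret)
    forged = build_response(ACCESS_ACCEPT, req, b"guess")       # attacker without the key
    return {
        "password_on_wire_is_plaintext": b"Huawei@1234" in req,           # False
        "genuine_accept_verifies": verify_response(genuine, req, secret),  # True
        "forged_accept_verifies": verify_response(forged, req, secret),    # False
    }


if __name__ == "__main__":
    print(demo())
```

The Response Authenticator check is the only thing that stops a host on the path between switch and ACS from answering with a fabricated Access-Accept, so a mismatched or guessable shared key turns the whole AAA setup into a formality. Note also that the User-Password hiding is MD5-keyed XOR, not authenticated encryption; the key and the management network it rides on must be treated as secrets.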

# Create an AAA authentication scheme and set the authentication mode to RADIUS.

[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode radius
[Switch-aaa-authen-sch1] quit

# Apply the AAA authentication scheme and RADIUS server template to the default administrative domain.

Administrators (users accessing the switch through Telnet, SSH, FTP, HTTP, or a terminal) are authenticated in the default administrative domain, which is default_admin by default.

[Switch-aaa] domain default_admin
[Switch-aaa-domain-default_admin] radius-server 1
[Switch-aaa-domain-default_admin] authentication-scheme sch1
[Switch-aaa-domain-default_admin] quit

# Apply the AAA authentication scheme and RADIUS server template to the huawei.com domain.

[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] radius-server 1
[Switch-aaa-domain-huawei.com] authentication-scheme sch1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

# (Optional) Set the NAC mode to unified mode. (The unified mode is available in V200R005 and later versions; skip this step on earlier versions.)

[Switch] authentication unified-mode

Switching between common mode and unified mode takes effect only after the switch is restarted. By default, the unified mode is used.

# Enable 802.1x authentication on an interface.

[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] authentication dot1x
[Switch-GigabitEthernet0/0/3] dot1x authentication-method eap  //This step is recommended because most 802.1x clients use EAP relay authentication.
[Switch-GigabitEthernet0/0/3] quit

Configuration Files

#
sysname Switch
#
vlan batch 10 20 30 100
#
acl number 3000
#
radius-server template 1  
 radius-server shared-key cipher %#%#9nP3;sDW-AN0f@H@S*l&\f{V=V_auKe|^YXy7}bU%#%#
 radius-server authentication 10.1.6.6 1812 weight 80  
#
aaa
 authentication-scheme sch1    
  authentication-mode radius  
 domain default_admin            
  authentication-scheme sch1     
  radius-server 1      
 domain huawei.com            
  authentication-scheme sch1     
  radius-server 1      
# 
interface Vlanif10 
 ip address 10.1.6.10 255.255.255.0     
# 
interface Vlanif20 
 ip address 10.1.2.10 255.255.255.0     
# 
interface Vlanif30 
 ip address 10.1.3.10 255.255.255.0     
# 
interface GigabitEthernet0/0/1         
 port link-type access           
 port default vlan 10 
#
interface GigabitEthernet0/0/2         
 port link-type access           
 port default vlan 20 
#
interface GigabitEthernet0/0/3  
 port link-type hybrid            
 port hybrid untagged vlan 30    
 authentication dot1x 
 dot1x authentication-method eap
#
user-interface maximum-vty 15  
user-interface vty 0 14          
 authentication-mode aaa     
 protocol inbound telnet      
#
return

3.4.3 Configuring Secure ACS

1. Log in to the ACS client.

Enter the URL of the ACS in the browser and press Enter to open the ACS login page. Enter the user name and password, and click Login.

After you log in, the homepage is displayed. It is organized into the navigation areas described in Table 2-1.

The ACS URL is in the format http://IP/ or https://IP/, for example, http://10.13.1.1/ or https://10.13.1.1/. Prefer https so that the ACS administrator password is not sent in cleartext.

2. Add an access device.

a. Choose Network Resources > Network Devices and AAA Clients > Create, as shown in Figure 3-3.

Figure 3-3 Configuring network device and AAA client

b. Enter the switch name and IP address, set the authentication mode between the switch and ACS to RADIUS, enter the shared secret and the CoA port number, and click Submit, as shown in Figure 3-4.

Figure 3-4 Adding network device and AAA client

3. Add a user.

a. Choose Users and Identity Stores > Internal Identity Stores > Users, as shown in Figure 3-5.

Figure 3-5 Configuring access user

b. Enter the user name and password, confirm the password, and click Submit, as shown in Figure 3-6.

Figure 3-6 shows the page for adding the 802.1x user. After adding the access user, add the administrator in the same way using the administrator parameters from Table 3-2.

Figure 3-6 Adding a user

4. Add an authentication and authorization profile.

a. Choose Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles > Create to add an authentication and authorization profile, as shown in Figure 3-7.

When you use the RADIUS protocol, use the profiles under Policy Elements > Authorization and Permissions > Network Access.

When you use the TACACS+ protocol, use the profiles under Policy Elements > Authorization and Permissions > Authorization Profiles.

Figure 3-7 Adding an authentication and authorization profile

b. Add the authentication and authorization profile for the administrator, specifying that the administrator can log in only through Telnet and has user privilege level 15.

The settings on the General tab page are shown in Figure 3-8.

Figure 3-8 Setting general parameters for the administrator's authentication and authorization profile

The settings on the RADIUS Attributes tab page are shown in Figure 3-9. Click Submit to commit the profile.

Figure 3-9 Setting RADIUS attribute parameters for the administrator's authentication and authorization profile

c. Add the authentication and authorization profile for the 802.1x user, specifying that the user can log in only through 802.1x, has user privilege level 2, and is to receive ACL 3000 and VLAN 100 from the ACS, as shown in Figure 3-10, Figure 3-11, and Figure 3-12. Click Submit to commit the profile.

Figure 3-10 Setting general parameters for the 802.1x user's authentication and authorization profile

Figure 3-11 Setting common task parameters for the 802.1x user's authentication and authorization profile

Figure 3-12 Setting RADIUS attribute parameters for the 802.1x user's authentication and authorization profile

5. Add an access policy to bind the user to an authentication and authorization profile.

a. Choose Access Policies > Access Services > Create to create an access service.

b. Configure the access service. Set the communication mode to Network Access and select the allowed user access protocols, as shown in Figure 3-13 and Figure 3-14. Then click Next and Finish.

Figure 3-13 Setting the communication mode to Network Access

S series switches support the first five user access protocols listed.

Figure 3-14 User access protocols

c. Choose Access Policies > Access Services > Service Selection Rules and create a rule, as shown in Figure 3-15.

Figure 3-15 Creating a rule

d. Configure the rule. Set the protocol to RADIUS and add the condition attributes shown in Figure 3-16.

You can choose Access Policies > Access Services > Service Selection Rules to prepare the attributes that you want to add as conditions.

Figure 3-16 Configuring the rule

Click OK, and then click Save Changes.

e. Select the created access service and click Identity to add an identity rule, as shown in Figure 3-17.

Figure 3-17 Creating an Identity rule

f. Configure the rule as shown in Figure 3-18.

Figure 3-18 Configuring the Identity rule

Click OK, and then click Save Changes.

g. Select the created access service and click Authorization. Configure the authorization rule for the administrator according to Figure 3-19, and the rule for the 802.1x user according to Figure 3-20.

Figure 3-19 Configuring the authorization rule for the administrator

Figure 3-20 Configuring the authorization rule for the 802.1x user

h. Click OK, and then click Save Changes.

6. The configuration is complete.

3.4.4 Checking the Configuration

• Administrator login through Telnet

# Choose Start > Run on the PC and enter cmd to open the Windows command line. Telnet to the switch and enter the user name admin1 and the password Admin@1234 (the switch administrator credentials from Table 3-2).

C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:admin1
Password:**********
<Switch>   //Login succeeded.

# Run the display access-user username admin1 command to view the granted rights.

• 802.1x user login

# Run the test-aaa command on the switch to check whether the user can pass RADIUS authentication before involving the 802.1x client; this separates switch-to-ACS problems (route, shared key, domain handling) from client-side problems.

[Switch] test-aaa user1@huawei.com Huawei@1234 radius-template 1

# The 802.1x user starts the 802.1x client on the PC and enters the user name user1@huawei.com and password Huawei@1234. If the credentials are correct, the client displays a successful authentication message and the user can access the network.

# After the 802.1x user goes online, run the display access-user access-type dot1x command on the switch to view the user information. The Dynamic VLAN and Dynamic ACL number(Effective) fields show the VLAN and ACL delivered by the RADIUS server. If they do not show VLAN 100 and ACL 3000, check that the VLAN and ACL exist on the switch and that the access interface is a hybrid interface.
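The two fields above are filled from attributes in the Access-Accept. The following added Python example (constructed here; not code from this post, from Huawei, or from vendor C) decodes the standard attributes that carry a VLAN (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID as used by RFC 3580, including the optional RFC 2868 tag byte) and an ACL number, and then applies the rule from step 2 of the switch configuration that a delivered VLAN or ACL takes effect only if it already exists on the switch. It assumes the ACL number is delivered in Filter-Id (attribute 11); the post does not say which attribute the ACS profile in Figure 3-12 uses. The sample Access-Accept is constructed inline with a zero Authenticator; in real use the Response Authenticator is verified before any attribute is trusted.

```python
"""Decode the VLAN and ACL carried in a RADIUS Access-Accept and check them against
the switch's local configuration. Added example with constructed data."""
import struct

FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6        # RFC 3580 values for VLAN assignment


def attributes(packet: bytes):
    """Walk the TLV list after the 20-byte header; reject truncated or bad lengths."""
    i = 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("bad attribute length at offset %d" % i)
        yield atype, packet[i + 2:i + alen]
        i += alen


def untag(value: bytes):
    """RFC 2868: tunnel attributes may start with a tag byte in 0x00..0x1F. Return
    (tag, body); tag 0 means 'untagged' whether or not the byte is present."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def decode_authorization(packet: bytes) -> dict:
    """Return {'vlan': int or None, 'acl': int or None}. A VLAN is accepted only when
    Tunnel-Type=VLAN and Tunnel-Medium-Type=802 agree with the group ID under one tag,
    so a stray Tunnel-Private-Group-ID on its own does not move the user."""
    tunnels = {}                     # tag -> {attribute type: value}
    result = {"vlan": None, "acl": None}
    for atype, value in attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, body = untag(value)
            tunnels.setdefault(tag, {})[atype] = int.from_bytes(body[-3:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, body = untag(value)
            tunnels.setdefault(tag, {})[atype] = body.decode("ascii", "replace")
        elif atype == FILTER_ID and result["acl"] is None:
            name = value.decode("ascii", "replace")
            if name.isdigit():       # assumption: the ACS profile sends the bare ACL number
                result["acl"] = int(name)
    for t in tunnels.values():
        group = t.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if (t.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and t.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802 and group.isdigit()):
            result["vlan"] = int(group)
            break
    return result


def effective(delivered: dict, local_vlans: set, local_acls: set) -> dict:
    """Mirror the switch rule: a delivered VLAN or ACL takes effect only if it exists."""
    vlan, acl = delivered["vlan"], delivered["acl"]
    return {"vlan": vlan if vlan in local_vlans else None,
            "acl": acl if acl in local_acls else None}


def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def sample_accept(tag: int = 0) -> bytes:
    """Constructed Access-Accept (Code 2, ID 7, zero Authenticator) delivering VLAN 100
    and ACL 3000; tag=1 exercises the tagged form of the tunnel attributes."""
    prefix = bytes([tag]) if tag else b""
    attrs = (attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
             + attr(TUNNEL_PRIVATE_GROUP_ID, prefix + b"100")
             + attr(FILTER_ID, b"3000"))
    return struct.pack("!BBH", 2, 7, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    delivered = decode_authorization(sample_accept())
    print(delivered, effective(delivered, {10, 20, 30, 100}, {3000}))
```

Running it with the VLANs and ACL from the configuration file above gives VLAN 100 and ACL 3000 as effective; remove vlan 100 or acl 3000 from the local sets and the corresponding field becomes None, which is the situation behind an empty Dynamic VLAN or Dynamic ACL number(Effective) field in display access-user.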

 


Reply, Aug 11, 2015 14:52:07:

Very good ! Tkx~

Reply, Aug 11, 2015 15:12:29:

Thank you for sharing.