[All About Switches] Interconnection of 802.1x & Portal Authentication on S Swit

Latest reply: Aug 23, 2016 19:51:27

1 Background

A switch connects administrators and common users to the Internet. As shown in Figure 1-1, the switch allows the administrator to manage the network and common users to access the video, voice, and web services.

Figure 1-1 Users access the Internet through the switch


The switch needs to control network access rights of users. For example, the switch can perform authentication, authorization, and accounting (AAA) for users. AAA prevents unauthorized users from logging in to the switch and improves system security.

- Authentication: verifies whether users are permitted to access the network.

- Authorization: specifies the services that users are allowed to use.

- Accounting: records network resources used by users.

AAA is applicable to the networks requiring high security, for example, finance, government, and carrier networks. To provide AAA service, the switch must work with an AAA server, as shown in Figure 1-2. Information about all access users is created and maintained on the AAA server. A user is allowed to log in to the switch only when the user name and password entered by the user are the same as those stored on the AAA server. After the user logs in to the switch, the switch grants corresponding rights to the user, for example, Internet access right.

Figure 1-2 An AAA server manages user information


A Huawei S series switch communicates with the AAA server through the RADIUS or HWTACACS protocol. The RADIUS protocol is more popular on live networks.

The Huawei Agile Controller can be used as an AAA server to work with a Huawei S series switch.


 

2 Introduction to Huawei Agile Controller

Overview

The Agile Controller is a user-based and application-specific network resource auto-control system developed by Huawei. It provides a unified policy engine that enforces the same access policies across the entire organization, and implements 5W1H-based authentication and authorization (user identity, access time, access location, device type, device source, and access mode). It manages access users and network access policies centrally and deploys the policies to the whole network, so that a user who moves between locations keeps the same service access rights.

Using the policy matrix-based access authorization method, the Agile Controller allows administrators to configure bidirectional access control policies based on security groups. This reduces the administrators' configuration and management workload, so that they can spend more time on network optimization.


When the Agile Controller is connected to an S series switch providing the AAA function, the RADIUS protocol must be configured on the Agile Controller.

How to Use Huawei Agile Controller

Connect the S series switch to the Agile Controller physically, and install the AnyOffice Agent on your PC. Log in to the Agile Controller through web.


This section uses Agile Controller V100R001C00SPC200 as an example.

After logging in to the AnyOffice Agent, you can view and manage Agile Controller information and monitor and export logs. The AnyOffice Agent provides four main menus: Resource, Policy, Report, and System, as described in Table 2-1.

Table 2-1 AnyOffice Agent menus

Menu: Description
Resource: Configures users, network devices, and AAA clients.
Policy: Configures the authentication and authorization profiles, including the matching conditions and results of access policies.
Report: Displays logs according to customer requirements. The logs help the administrator understand terminal access and user login information on the entire network.
System: Manages and maintains the Agile Controller.

All_About_Switch (Official), created Aug 11, 2015 06:18:36

3 Connecting an S Series Switch to the Agile Controller

3.1 Implementation Differences

Both the S series switch and the Agile Controller use standard protocols, so they interoperate without compatibility issues.

3.2 Applicable Switch Models and Versions

Table 3-1 S series switch versions supporting Agile Controller

Model: S series switches
Versions: V200R003 and later versions; V100R002C02 or later in V100R002CXX; V200R001C00 or later in V200R001CXX

 


3.3 Prerequisites

Figure 3-1 shows the connection between the switch and Agile Controller.

Figure 3-1 Connecting the switch to Agile Controller


Before connecting the devices, ensure that:

- A reachable route exists between the switch and Agile Controller.

- You have logged in to Agile Controller through web.

3.4 Connecting Devices to Provide AAA Service to 802.1x Users

3.4.1 Networking Requirements and Roadmap

Networking Requirements

On an enterprise network, an administrator connects to the switch through a management network and an 802.1x user connects to the switch through an access network. The enterprise uses the Agile Controller to create and maintain user information. The administrator can log in to the Agile Controller through web.

The administrator and 802.1x user are allocated different accounts and rights to improve security.

The requirements are as follows:

1.         The administrator can Telnet to the switch only after entering the user name and password, and can use the commands from level 0 to level 15 after login.

2.         To access the switch, the 802.1x user needs to start the 802.1x client, enter the user name and password, and be authenticated.

After the 802.1x user accesses the switch:

       The user can use the commands at level 0 to level 2.

       The Agile Controller delivers VLAN 100 and ACL 3000 to the user.

3.         The administrator is authenticated in the default domain, and the 802.1x user is authenticated in the huawei.com domain.

Figure 3-2 Users access switch through 802.1x


Preparations

Prepare the data according to Table 3-2. The data is only for your reference.

Table 3-2 Data used to connect the switch to Agile Controller

Item: Value
Administrator's user name and password of the Agile Controller: admin / Admin_123
Administrator's user name and password of the switch: admin1 / Admin@1234
User name and password of the 802.1x user: user1@huawei.com / Huawei@1234
Switch name and IP address of the interface connected to the Agile Controller: HUAWE_S / 10.1.6.10
Shared password of the switch and Agile Controller: Hello@1234

 

3.4.2 Configuring the S Series Switch

Configuration Roadmap

1.         Enable the Telnet service.

2.         Create a VLAN and an ACL that the Agile Controller will deliver.

3.         Configure AAA authentication for the administrator to Telnet to the switch.

4.         Configure RADIUS authentication, including creating the RADIUS server template and AAA authentication scheme and applying them to the default_admin and huawei.com domains.

5.         Enable 802.1x authentication on the interface that the 802.1x user accesses.

Procedure

1.         Configure interfaces and allocate IP addresses to them, so that the switch can communicate with the Agile Controller.

<Quidway> system-view
[Quidway] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.6.10 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.10 24
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 10.1.3.10 24
[Switch-Vlanif30] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 20
[Switch-GigabitEthernet0/0/2] quit


If the AAA server needs to deliver VLAN or ACL to access users, the user access interface (with authentication enabled) on the switch must be a hybrid interface.

[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type hybrid
[Switch-GigabitEthernet0/0/3] port hybrid untagged vlan 30
[Switch-GigabitEthernet0/0/3] quit

2.         Create a VLAN and an ACL that the Agile Controller will deliver to access users.


The VLAN and ACL IDs created here must match the ones configured on the AAA server; the switch can only apply a delivered VLAN or ACL that already exists locally.

[Switch] vlan 100
[Switch-vlan100] quit
[Switch] acl 3000
[Switch-acl-adv-3000] quit

3.         Enable the Telnet server.

[Switch] telnet server enable

4.         Set the authentication mode for VTY users to AAA.

[Switch] user-interface maximum-vty 15  //Set the maximum number of VTY users to 15 (this value varies with versions and models). By default, a maximum of 5 Telnet users are supported.
[Switch] user-interface vty 0 14  //Enter the VTY 0-14 user interface view.
[Switch-ui-vty0-14] authentication-mode aaa  //Set the authentication mode for VTY users to AAA.
[Switch-ui-vty0-14] protocol inbound telnet  //Configure the VTY user interface to support Telnet (The default protocol is Telnet in V200R006 and earlier versions. This command is mandatory in V200R007 and later versions.)
[Switch-ui-vty0-14] quit

5.         Configure RADIUS authentication for access users on the switch.

# Configure a RADIUS server template so that the switch and Agile Controller can communicate through RADIUS.

[Switch] radius-server template 1
[Switch-radius-1] radius-server authentication 10.1.6.6 1812  //Specify the IP address and port number of the Agile Controller.
[Switch-radius-1] radius-server shared-key cipher Hello@1234  //Set the Agile Controller shared key, which must be the same as that configured on the Agile Controller.
[Switch-radius-1] quit


If the user name stored on the AAA server does not contain a domain name, run the undo radius-server user-name domain-included command. After this command is executed, the user names in the packets sent from the switch to RADIUS server do not contain domain names.

# Create an AAA authentication scheme and set the authentication mode to RADIUS.

[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode radius
[Switch-aaa-authen-sch1] quit

# Apply the AAA authentication scheme and RADIUS server template to the default administrative domain.


Administrators (users accessing the switch through Telnet, SSH, FTP, HTTP, or terminal) are authenticated in the default administrative domain.

By default, the administrative domain is default_admin.

[Switch-aaa] domain default_admin
[Switch-aaa-domain-default_admin] radius-server 1
[Switch-aaa-domain-default_admin] authentication-scheme sch1
[Switch-aaa-domain-default_admin] quit

# Apply the AAA authentication scheme and RADIUS server template to the huawei.com domain.

[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] radius-server 1
[Switch-aaa-domain-huawei.com] authentication-scheme sch1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

# (Optional) Set the NAC mode to unified mode. (The unified mode is available in V200R005 and later versions. In a version earlier than V200R005, skip this step.)

[Switch] authentication unified-mode


After switching between the common mode and the unified mode, restart the switch for the change to take effect. The unified mode is used by default.

# Enable 802.1x authentication on an interface.

[Switch] interface gigabitethernet0/0/3
[Switch-GigabitEthernet0/0/3] authentication dot1x
[Switch-GigabitEthernet0/0/3] dot1x authentication-method eap  //This step is recommended because most 802.1x clients use EAP relay authentication.
[Switch-GigabitEthernet0/0/3] quit

Configuration Files

#
sysname Switch
#
vlan batch 10 20 30 100
#
acl number 3000
#
radius-server template 1
 radius-server shared-key cipher %#%#9nP3;sDW-AN0f@H@S*l&\f{V=V_auKe|^YXy7}bU%#%#
 radius-server authentication 10.1.6.6 1812 weight 80
#
aaa
 authentication-scheme sch1    
  authentication-mode radius  
 domain default_admin            
  authentication-scheme sch1     
  radius-server 1      
 domain huawei.com            
  authentication-scheme sch1     
  radius-server 1      
# 
interface Vlanif10 
 ip address 10.1.6.10 255.255.255.0     
# 
interface Vlanif20 
 ip address 10.1.2.10 255.255.255.0     
# 
interface Vlanif30 
 ip address 10.1.3.10 255.255.255.0     
# 
interface GigabitEthernet0/0/1         
 port link-type access           
 port default vlan 10 
#
interface GigabitEthernet0/0/2         
 port link-type access           
 port default vlan 20 
#
interface GigabitEthernet0/0/3  
 port link-type hybrid           
 port hybrid untagged vlan 30    
 authentication dot1x 
 dot1x authentication-method eap
#
user-interface maximum-vty 15  
user-interface vty 0 14          
 authentication-mode aaa     
 protocol inbound telnet      
#
return

3.4.3 Configuring Agile Controller

1.         Log in to the AnyOffice Agent and enter the user name and password to open the homepage.

a.         Enter the Universal Resource Locator (URL) address of the Agile Controller and press Enter to open the Agile Controller login page. Enter the user name and password, and click Go or press Enter, as shown in Figure 3-3.


The Agile Controller's URL is in the format http://IP:8088/ or https://IP:8088/, for example, http://10.13.1.1:8088/ or https://10.13.1.1:8088/.

Figure 3-3 Agile Controller login page


b.         After you log in to the Agile Controller, the homepage is displayed, as shown in Figure 3-4.

Figure 3-4 Agile Controller homepage


2.         Add an access device.

a.         Choose Resource > Device > Device Management.

b.         Click Add on the device management page, as shown in Figure 3-5.

Figure 3-5 Adding a device


c.         Enter the switch name and IP address, select Enable RADIUS, and set the parameters according to Figure 3-6.

Figure 3-6 Setting authentication parameters


3.         Add a user.

a.         Choose Resource > User > User Management.

A department comprises multiple terminal users, and a terminal user can have multiple accounts. Terminal users and accounts are managed by department.

To manage terminal users and accounts by department, the administrator first creates a level-1 department manually and then does one of the following:

Creates a terminal user and an account for that terminal user.

Synchronizes accounts and subnodes from an external authentication source to the service manager. Each subnode becomes a sub-department of the target department in the service manager, and the account information is copied into the corresponding department according to its subordinate node.

b.         Add a department.

Click Add on the Department tab page. Enter the department parameters, as shown in Figure 3-7 and Figure 3-8, and click OK.

Figure 3-7 Adding a department for the administrator


Figure 3-8 Adding a department for the 802.1x user


c.         Add a user.

Click Add on the User tab page. Enter the user parameters, as shown in Figure 3-9 and Figure 3-10, and click OK.

Figure 3-9 Adding an administrator


Figure 3-10 Adding an 802.1x user


d.         Click the account management icon on the right side of the terminal user for which an account needs to be created to open the account management page. Click Add and set the account parameters as shown in Figure 3-11 and Figure 3-12.

Figure 3-11 Configuring administrator account


Figure 3-12 Configuring 802.1x account


4.         Add policy elements.

a.         Choose Policy > Permission Control > Policy Element > Dynamic ACL.

b.         Add a dynamic ACL.

Click Add. Enter the ACL parameters, as shown in Figure 3-13, and click OK.

Figure 3-13 Adding dynamic ACL attributes


5.         Add authentication and authorization rules.

a.         Add an authentication rule. Choose Policy > Permission Control > Authentication and Authorization > Authentication Rule.

Figure 3-14 shows the page for adding an administrator. After adding the administrator, add an 802.1x user.

Figure 3-14 Configuring authentication rule for administrator


b.         Add an authorization result. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result.

Configure authorization results according to Figure 3-15 and Figure 3-16.

Figure 3-15 Authorization result for administrator


Figure 3-16 Authorization result for 802.1x user


c.         Add authorization rules. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule.

Configure the authorization rules according to Figure 3-17 and Figure 3-18.

Figure 3-17 Configuring authorization rule for administrator


Figure 3-18 Configuring authorization rule for 802.1x user


6.         Complete the configuration.

3.4.4 Checking the Configuration

- An administrator logs in to the switch through Telnet.

# Choose Start > Run on your PC and enter cmd to open the Windows command line interface. Run telnet, and enter the user name admin1 and password Admin@1234 (see Table 3-2) to Telnet to the switch.

C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:admin1
Password:**********
<Switch>  //The login succeeded.

# Run the display access-user username admin1 command to view the granted right.

- An 802.1x user logs in to the switch.

# Run the test-aaa command on the switch to test whether the user can pass RADIUS authentication.

[Switch] test-aaa user1@huawei.com Huawei@1234 radius-template 1

# The 802.1x user starts the 802.1x client on the PC, and enters the user name user1@huawei.com and password Huawei@1234. If the user name and password are correct, the client displays a successful authentication message. The user can access the network.

# After the 802.1x user goes online, run the display access-user access-type dot1x command on the switch to view the user information. The Dynamic VLAN and Dynamic ACL number(Effective) fields indicate the VLAN and ACL delivered by the RADIUS server.

# Choose Resource > User > RADIUS Online User on the AnyOffice Agent to check online user information.

All_About_Switch (Official), created Aug 11, 2015 06:22:36

3.5 Connecting Devices to Provide AAA Service to Portal Users

3.5.1 Networking Requirements and Roadmap

Networking Requirements

On an enterprise network, an administrator connects to the switch through a management network and a portal user connects to the switch through an access network. The enterprise uses Agile Controller to create and maintain user information. The administrator can log in to the Agile Controller through web.

The administrator and portal user are allocated different accounts and rights to improve security.

The requirements are as follows:

1.         The administrator can Telnet to the switch only after entering the user name and password, and can use the commands from level 0 to level 15 after login.

2.         The portal user is redirected to the portal authentication web page. After entering the correct user name and password, the user can access the switch.

After the portal user accesses the switch:

       The user can use the commands at level 0 to level 2.

       The Agile Controller delivers VLAN 100 and ACL 3000 to the user.

3.         The administrator is authenticated in the default domain, and the portal user is authenticated in the huawei.com domain.

Figure 3-19 Users access switch through portal


Preparations

Prepare the data according to Table 3-3. The data is only for your reference.

Table 3-3 Data used to connect the switch to Agile Controller

Item: Value
Administrator's user name and password of the Agile Controller: admin / Admin_123
Administrator's user name and password of the switch: admin1 / Admin@1234
User name and password of the portal user: user1@huawei.com / Huawei@1234
Switch name and IP address of the interface connected to the Agile Controller: HUAWE_S / 10.1.6.10
Shared password of the switch and Agile Controller: Hello@1234
Shared password of the switch and portal server: Huawei@123

 

3.5.2 Configuring the S Series Switch

Configuration Roadmap

1.         Enable the Telnet service.

2.         Create a VLAN and an ACL that the Agile Controller will deliver.

3.         Configure AAA authentication for the administrator to Telnet to the switch.

4.         Configure RADIUS authentication, including creating the RADIUS server template and AAA authentication scheme and applying them to the default_admin and huawei.com domains.

5.         Configure portal authentication, including creating a portal server template and applying the template to the portal user access interface. Enable portal authentication on the access interface.

Procedure

1.         Configure interfaces and allocate IP addresses to them, so that the switch can communicate with the Agile Controller.

<Quidway> system-view
[Quidway] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.6.10 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.10 24
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 10.1.3.10 24
[Switch-Vlanif30] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 20
[Switch-GigabitEthernet0/0/2] quit


If the AAA server needs to deliver VLAN or ACL to access users, the user access interface (with authentication enabled) on the switch must be a hybrid interface.

[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type hybrid
[Switch-GigabitEthernet0/0/3] port hybrid untagged vlan 30
[Switch-GigabitEthernet0/0/3] quit

2.         Create a VLAN and an ACL that the Agile Controller will deliver to access users.


The VLAN and ACL IDs created here must match the ones configured on the AAA server; the switch can only apply a delivered VLAN or ACL that already exists locally.

[Switch] vlan 100
[Switch-vlan100] quit
[Switch] acl 3000
[Switch-acl-adv-3000] quit

3.         Enable the Telnet server.

[Switch] telnet server enable

4.         Set the authentication mode for VTY users to AAA.

[Switch] user-interface maximum-vty 15  //Set the maximum number of VTY users to 15 (this value varies with versions and models). By default, a maximum of 5 Telnet users are supported.
[Switch] user-interface vty 0 14  //Enter the VTY 0-14 user interface view.
[Switch-ui-vty0-14] authentication-mode aaa  //Set the authentication mode for VTY users to AAA.
[Switch-ui-vty0-14] protocol inbound telnet  //Configure the VTY user interface to support Telnet (The default protocol is Telnet in V200R006 and earlier versions. This command is mandatory in V200R007 and later versions.)
[Switch-ui-vty0-14] quit

5.         Configure RADIUS authentication for access users on the switch.

# Configure a RADIUS server template so that the switch and Agile Controller can communicate through RADIUS.

[Switch] radius-server template 1
[Switch-radius-1] radius-server authentication 10.1.6.6 1812  //Specify the IP address and port number of the Agile Controller.
[Switch-radius-1] radius-server shared-key cipher Hello@1234  //Set the Agile Controller shared key, which must be the same as that configured on the Agile Controller.
[Switch-radius-1] quit


If the user name stored on the AAA server does not contain a domain name, run the undo radius-server user-name domain-included command. After this command is executed, the user names in the packets sent from the switch to RADIUS server do not contain domain names.

# Create an AAA authentication scheme and set the authentication mode to RADIUS.

[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode radius
[Switch-aaa-authen-sch1] quit

# Apply the AAA authentication scheme and RADIUS server template to the default administrative domain.


Administrators (users accessing the switch through Telnet, SSH, FTP, HTTP, or terminal) are authenticated in the default administrative domain.

By default, the administrative domain is default_admin.

[Switch-aaa] domain default_admin
[Switch-aaa-domain-default_admin] radius-server 1
[Switch-aaa-domain-default_admin] authentication-scheme sch1
[Switch-aaa-domain-default_admin] quit

# Apply the AAA authentication scheme and RADIUS server template to the huawei.com domain.

[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] radius-server 1
[Switch-aaa-domain-huawei.com] authentication-scheme sch1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

6.         Configure Portal authentication.

# (Optional) Set the NAC mode to unified mode. (The unified mode is available in V200R005 and later versions. In a version earlier than V200R005, skip this step.)

[Switch] authentication unified-mode


After switching between the common mode and the unified mode, restart the switch for the change to take effect. The unified mode is used by default.

# Create and configure a portal server template.

[Switch] web-auth-server abc
[Switch-web-auth-server-abc] server-ip 10.1.6.8
[Switch-web-auth-server-abc] port 50200
[Switch-web-auth-server-abc] url http://10.1.6.8:8080/webagent
[Switch-web-auth-server-abc] shared-key cipher Huawei@123
[Switch-web-auth-server-abc] quit

# Enable portal authentication on the interface.

[Switch] interface gigabitethernet0/0/3
[Switch-GigabitEthernet0/0/3] authentication portal  //Enable portal authentication on the interface.
[Switch-GigabitEthernet0/0/3] web-auth-server abc direct  //Apply the portal server template to the interface.
[Switch-GigabitEthernet0/0/3] quit

Configuration Files

#
sysname Switch
#
vlan batch 10 20 30 100
#
acl number 3000
#
radius-server template 1
 radius-server shared-key cipher %#%#9nP3;sDW-AN0f@H@S*l&\f{V=V_auKe|^YXy7}bU%#%#
 radius-server authentication 10.1.6.6 1812 weight 80
#
web-auth-server abc
 server-ip 10.1.6.8
 port 50200
 shared-key cipher %#%#yV{\SVYgIU'Krp1#VA;2uY~y-Hhp#Znkf|,QE4$.%#%#
 url http://10.1.6.8:8080/webagent
#
aaa
 authentication-scheme sch1    
  authentication-mode radius  
 domain default_admin            
  authentication-scheme sch1     
  radius-server 1      
 domain huawei.com            
  authentication-scheme sch1     
  radius-server 1      
# 
interface Vlanif10 
 ip address 10.1.6.10 255.255.255.0     
# 
interface Vlanif20 
 ip address 10.1.2.10 255.255.255.0     
# 
interface Vlanif30 
 ip address 10.1.3.10 255.255.255.0     
# 
interface GigabitEthernet0/0/1         
 port link-type access           
 port default vlan 10 
#
interface GigabitEthernet0/0/2         
 port link-type access           
 port default vlan 20 
#
interface GigabitEthernet0/0/3  
 port link-type hybrid           
 port hybrid untagged vlan 30    
 authentication portal 
 web-auth-server abc direct
#
user-interface maximum-vty 15  
user-interface vty 0 14          
 authentication-mode aaa     
 protocol inbound telnet      
#
return
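The script below is an added example for this article, not a Huawei tool. It runs a static audit over the configuration files produced in 3.4.2 and 3.5.2, checking the points the notes on this page call out (the access port must be hybrid for a delivered VLAN or ACL to apply, the VTY lines must use AAA, shared keys should be stored as cipher text, each domain must bind a RADIUS template that exists) and two cleartext-exposure caveats a practitioner would add: the VTY lines accept Telnet, so administrator credentials cross the management network unencrypted, and the portal URL is plain HTTP, so portal logins cross the access network unencrypted. The embedded configuration is a constructed excerpt of the portal-section configuration file with the cipher texts shortened; the 802.1x configuration file audits the same way.

```python
"""Added example: static audit of an S series switch configuration file (not a Huawei tool)."""

# Constructed excerpt of the portal-section configuration file from this article; cipher texts shortened.
SAMPLE_CONFIG = """\
#
sysname Switch
#
radius-server template 1
 radius-server shared-key cipher %#%#9nP3...bU%#%#
 radius-server authentication 10.1.6.6 1812 weight 80
#
web-auth-server abc
 server-ip 10.1.6.8
 port 50200
 shared-key cipher %#%#yV{...%#%#
 url http://10.1.6.8:8080/webagent
#
aaa
 authentication-scheme sch1
  authentication-mode radius
 domain default_admin
  authentication-scheme sch1
  radius-server 1
 domain huawei.com
  authentication-scheme sch1
  radius-server 1
#
interface GigabitEthernet0/0/3
 port link-type hybrid
 port hybrid untagged vlan 30
 authentication portal
 web-auth-server abc direct
#
user-interface maximum-vty 15
user-interface vty 0 14
 authentication-mode aaa
 protocol inbound telnet
#
return
"""


def parse_blocks(config):
    """Each unindented command opens a block; the indented lines under it belong to that block."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if not raw.startswith(" "):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None:
            current[1].append(raw.rstrip())  # keep leading spaces: they encode nesting inside 'aaa'
    return blocks


def domains_in(aaa_body):
    """Map domain name -> its commands, using the one-space/two-space indentation of the aaa view."""
    domains, section = {}, ""
    for line in aaa_body:
        indent, cmd = len(line) - len(line.lstrip()), line.strip()
        if indent == 1:
            section = cmd
            if cmd.startswith("domain "):
                domains[cmd.split()[1]] = []
        elif section.startswith("domain "):
            domains[section.split()[1]].append(cmd)
    return domains


def audit(config):
    """Return a list of findings, in configuration order."""
    findings = []
    blocks = parse_blocks(config)
    templates = {head.split()[-1] for head, _ in blocks if head.startswith("radius-server template ")}
    for head, body in blocks:
        cmds = [line.strip() for line in body]
        if head.startswith(("radius-server template", "web-auth-server")):
            if any("shared-key" in c and " cipher " not in c for c in cmds):
                findings.append(f"{head}: shared key is not stored as cipher text")
        if head.startswith("web-auth-server") and any(c.startswith("url http://") for c in cmds):
            findings.append(f"{head}: portal URL is plain HTTP, so portal logins cross the access network in cleartext")
        if head.startswith("user-interface vty"):
            if "authentication-mode aaa" not in cmds:
                findings.append(f"{head}: VTY lines are not authenticated through AAA")
            if any(c in ("protocol inbound telnet", "protocol inbound all") for c in cmds):
                findings.append(f"{head}: Telnet is accepted, so administrator credentials travel in cleartext "
                                "(prefer 'protocol inbound ssh')")
        if head.startswith("interface "):
            nac = [c for c in cmds if c.startswith(("authentication dot1x", "authentication portal"))]
            if nac and "port link-type hybrid" not in cmds:
                findings.append(f"{head}: '{nac[0]}' on a non-hybrid port; a delivered VLAN or ACL cannot be applied")
        if head == "aaa":
            for name, domain_cmds in domains_in(body).items():
                for ref in (c.split()[1] for c in domain_cmds if c.startswith("radius-server ")):
                    if ref not in templates:
                        findings.append(f"domain {name}: radius-server template '{ref}' is not defined")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Against the article's own configuration the audit reports only the two cleartext findings; the structural checks pass because the configuration follows the notes above. Switching the access port back to link-type access, or binding a domain to a template number that was never created, is the kind of silent mistake the checks are meant to catch before a user reports that the delivered VLAN "does not work".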

3.5.3 Configuring Agile Controller

1.         Log in to the AnyOffice Agent and enter the user name and password to open the homepage.

a.         Enter the Universal Resource Locator (URL) address of the Agile Controller and press Enter to open the Agile Controller login page. Enter the user name and password, and click Go or press Enter, as shown in Figure 3-20.


The Agile Controller's URL is in the format http://IP:8088/ or https://IP:8088/, for example, http://10.13.1.1:8088/ or https://10.13.1.1:8088/.

Figure 3-20 Agile Controller login page


b.         After you log in to the Agile Controller, the homepage is displayed, as shown in Figure 3-21.

Figure 3-21 Agile Controller homepage


2.         Add an access device.

a.         Choose Resource > Device > Device Management.

b.         Click Add on the device management page, as shown in Figure 3-22.

Figure 3-22 Adding a device


c.         Enter the switch name and IP address, select Enable RADIUS and Enable Portal, and set parameters according to Figure 3-23.

Figure 3-23 Setting authentication parameters

3.         Add a user.

a.         Choose Resource > User > User Management.

A department comprises multiple terminal users, and a terminal user can use multiple accounts. The settings of terminal users and accounts depend on the department.

To manage terminal users and accounts based on departments, the administrator must create a level-1 department manually, and then perform the following operations:

Create a terminal user and create an account for the terminal user.

Synchronize the account and subnode information from the external authentication source to the service manager. The subnode is used as the sub-department of the target department in service manager, and the account information is copied to the corresponding department according to the subordinate node.

b.         Add a department.

Click Add on the Department tab page. Enter the department parameters, as shown in Figure 3-24 and Figure 3-25, and click OK.

Figure 3-24 Adding department for administrator

Figure 3-25 Adding department for portal user

c.         Add a user.

Click Add on the User tab page. Enter the user parameters, as shown in Figure 3-26 and Figure 3-27, and click OK.

Figure 3-26 Adding administrator

Figure 3-27 Adding portal user

d.         Click the account management icon on the right side of the terminal user for which an account needs to be created to open the account management page. Click Add and set the account parameters as shown in Figure 3-28 and Figure 3-29.

Figure 3-28 Setting account for administrator

Figure 3-29 Configuring portal account

4.         Add policy elements.

a.         Choose Policy > Permission Control > Policy Element > Dynamic ACL.

b.         Add a dynamic ACL.

Click Add. Enter the ACL parameters, as shown in Figure 3-30, and click OK.

Figure 3-30 Setting dynamic ACL attributes

5.         Add authentication and authorization rules.

a.         Add an authentication rule. Choose Policy > Permission Control > Authentication and Authorization > Authentication Rule.

Figure 3-31 shows the page for adding an administrator. After adding the administrator, add a portal user.

Figure 3-31 Configuring authentication rule for administrator

b.         Add an authorization result. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result.

Configure authorization results according to Figure 3-32 and Figure 3-33.

Figure 3-32 Authorization result for administrator

Figure 3-33 Authorization result for portal user

c.         Add authorization rules. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result.

Configure authorization results according to Figure 3-34 and Figure 3-35.

Figure 3-34 Authorization result for administrator

Figure 3-35 Authorization result for portal user

6.         Complete the configuration.

3.5.4 Checking the Configuration

l   An administrator logs in to the switch through Telnet.

# Choose Start > Run on your PC and enter cmd to open the Windows command line interface. Run telnet, and enter the user name admin1 and password Huawei@1234 to Telnet to the switch.

C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:admin1
Password:**********
<Switch>//You can log in successfully.

# Run the display access-user username admin1 command to view the granted right.

l   A portal user logs in to the switch.

# Run the test-aaa command on the switch to test whether the user can pass RADIUS authentication.

[Switch] test-aaa user1@huawei.com Huawei@1234 radius-template 1

# The portal user is redirected to the portal authentication web page. After entering the user name user1@huawei.com and password Huawei@1234, the user can access the network.

# After the portal user goes online, run the display access-user access-type dot1x command on the switch to view the user information. The Dynamic VLAN and Dynamic ACL number(Effective) fields indicate the VLAN and ACL delivered by the RADIUS server.

# Choose Resource > User > RADIUS Online User on the AnyOffice Agent to check online user information.

★★★Summary★★★ All About Huawei Switch Features and Configurations

DOTA
Created Aug 11, 2015 06:50:06 Helpful(1)

Very good, thank you~

ivyivy
Created Aug 11, 2015 07:12:53 Helpful(1)

Very useful~