
CE switch 802.1x authentication configuration guide


Hello everyone,

Today I will share with you how to configure 802.1x authentication on a CE switch.

Networking requirements

As shown in Figure 1, terminals in a company's office area access the company's internal network through the Switch. Illegal or unauthorized access to the network can damage the company's business systems and leak key information assets. Therefore, the administrator wants the Switch to control users' network access rights to ensure the security of the company's intranet.

Figure 1 Networking diagram for controlling enterprise users to access the network through 802.1x authentication


Configuration ideas

The configuration roadmap is as follows:

1. Create and configure a RADIUS server group, an AAA scheme, and an authentication domain. Bind the RADIUS server group and the AAA scheme to the authentication domain so that the Switch can authenticate access users through the RADIUS server.

2. Enable the 802.1x authentication function to strictly control the network access rights of employees in the office area.

• In this example, a LAN Switch operating as a transparent switch sits between the Switch and the users. To ensure that users can pass 802.1x authentication, the LAN Switch must be able to transparently transmit EAP packets.

• This example only includes the configuration on the Switch. The configuration of the LAN Switch and the RADIUS server is not described here.


1. Create a VLAN and configure the VLANs allowed by the interface to ensure network connectivity.

# Create VLAN 10 and VLAN 20.

<HUAWEI> system-view

[~HUAWEI] vlan batch 10 20

# Configure the 10GE1/0/1 interface connecting the Switch to users as an access interface and add it to VLAN 10.

[*HUAWEI] interface 10ge 1/0/1

[*HUAWEI-10GE1/0/1] port link-type access

[*HUAWEI-10GE1/0/1] port default vlan 10

[*HUAWEI-10GE1/0/1] quit


The link type of the interface that connects the device to users, and the VLAN that the interface joins, depend on the VLAN to which the users actually belong. This example assumes that all users are assigned to VLAN 10.

# Configure the 10GE1/0/2 interface connecting the Switch to the RADIUS server as an access interface and add it to VLAN 20.

[*HUAWEI] interface 10ge 1/0/2

[*HUAWEI-10GE1/0/2] port link-type access

[*HUAWEI-10GE1/0/2] port default vlan 20

[*HUAWEI-10GE1/0/2] quit

[*HUAWEI] commit

2. Create and configure a RADIUS server group, an AAA authentication scheme, and an authentication domain.

# Create and configure a RADIUS server group "rd1".

[~HUAWEI] radius enable

[*HUAWEI] radius server group rd1

[*HUAWEI-radius-rd1] radius server authentication 1812

[*HUAWEI-radius-rd1] radius server shared-key-cipher huawei@123

[*HUAWEI-radius-rd1] radius server user-name domain-excluded

[*HUAWEI-radius-rd1] quit


• Make sure that the shared key in the RADIUS server group is consistent with the configuration on the RADIUS server.

• Make sure that the device and RADIUS server have the same user domain configuration.

# Create an AAA authentication scheme "abc" and set the authentication mode to RADIUS.

[*HUAWEI] aaa

[*HUAWEI-aaa] authentication-scheme abc

[*HUAWEI-aaa-authen-abc] authentication-mode radius

[*HUAWEI-aaa-authen-abc] quit

# Create an authentication domain "isp1" and bind it to the AAA authentication scheme "abc" and the RADIUS server group "rd1".

[*HUAWEI-aaa] domain isp1

[*HUAWEI-aaa-domain-isp1] authentication-scheme abc

[*HUAWEI-aaa-domain-isp1] radius server group rd1

[*HUAWEI-aaa-domain-isp1] quit

[*HUAWEI-aaa] quit

[*HUAWEI] commit

3. Configure 802.1x authentication.

# Enable 802.1x authentication globally and on 10GE1/0/1.

[~HUAWEI] dot1x enable

[*HUAWEI] dot1x enable interface 10ge 1/0/1

# (Optional) Configure the 802.1x authentication mode as the EAP relay mode.

[*HUAWEI] dot1x authentication-method eap

[*HUAWEI] commit

# Configure an 802.1x authentication domain to ensure that all users authenticate in the specified domain (802.1x authenticates in the default domain by default).

[*HUAWEI] domain isp1

[*HUAWEI] commit

4. Verify the configuration.

a. Run the display dot1x command to check the configuration of 802.1x authentication. From the displayed information, you can see that 802.1x authentication is enabled on 10GE1/0/1 (10GE1/0/1 802.1x: Enabled).

b. The user starts the 802.1x client on the terminal, enters the user name and password, and starts authentication.

c. If the user enters the correct username and password, the client page will display the authentication success message. Users can then access the network.

d. After the user goes online, the administrator can run the display dot1x sessions command on the device to view online 802.1x user information.

Configuration file

# Switch configuration file

#

vlan batch 10 20

#

dot1x enable

domain isp1

dot1x authentication-method eap

#

radius enable

#

radius server group rd1

 radius server shared-key-cipher %#%#Y#5L!Nh#[;/G@Q"SIe6'v)6mW%&k'Q.SEiIC~e[;%#%#

 radius server authentication 1812

 radius server user-name domain-excluded

#

aaa

 authentication-scheme abc

  authentication-mode radius

 #

 domain isp1

  authentication-scheme abc

  radius server group rd1

#

interface 10GE1/0/1

 port default vlan 10

 dot1x enable

#

interface 10GE1/0/2

 port default vlan 20

#

That is all I want to share with you! Thank you!
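
An added example, not part of the original post: a small Python check that a saved switch configuration actually contains the full chain this guide builds (global and per-port 802.1x, the 802.1x domain, its AAA scheme in RADIUS mode, and a RADIUS server group with a shared key). The function names `blocks` and `audit`, the sample text, and the name `default` for the default domain are assumptions made for the example.

```python
# Constructed sample modelled on the page's configuration file (placeholder key).
SAMPLE = """\
dot1x enable
domain isp1
radius enable
radius server group rd1
 radius server shared-key-cipher <ciphertext-placeholder>
aaa
 authentication-scheme abc
  authentication-mode radius
 domain isp1
  authentication-scheme abc
  radius server group rd1
interface 10GE1/0/1
 dot1x enable
"""

def blocks(text):
    """Map every config line, keyed by its parent path, to its direct children."""
    out, path = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#"):  # '#' lines are only separators in the saved file
            continue
        indent = len(raw) - len(raw.lstrip())
        while path and path[-1][0] >= indent:
            path.pop()
        if path:
            out["|".join(h for _, h in path)].append(line)
        path.append((indent, line))
        out.setdefault("|".join(h for _, h in path), [])
    return out

def audit(text, user_ports):
    """List gaps in the chain 802.1x -> domain -> AAA scheme -> RADIUS group."""
    b = blocks(text)
    issues = [f"'{c}' missing" for c in ("dot1x enable", "radius enable") if c not in b]
    issues += [f"{p}: 802.1x not enabled" for p in user_ports
               if "dot1x enable" not in b.get(f"interface {p}", [])]
    # Without a system-view 'domain' line, users land in the default domain
    # (assumed here to be named 'default').
    dom = next((k.split()[1] for k in b if k.startswith("domain ")), "default")
    body = b.get(f"aaa|domain {dom}")
    if body is None:
        return issues + [f"802.1x domain {dom} is not defined under aaa"]
    ref = {l.rsplit(" ", 1)[0]: l.rsplit(" ", 1)[1] for l in body if " " in l}
    scheme, group = ref.get("authentication-scheme"), ref.get("radius server group")
    if "authentication-mode radius" not in b.get(f"aaa|authentication-scheme {scheme}", []):
        issues.append(f"domain {dom}: scheme {scheme} does not use RADIUS")
    if not any("shared-key" in l for l in b.get(f"radius server group {group}", [])):
        issues.append(f"domain {dom}: RADIUS group {group} missing or has no shared key")
    return issues
```

Pass the saved configuration text and the list of user-facing interfaces, for example `audit(SAMPLE, ["10GE1/0/1"])`; an empty list means every link in the chain is present.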
