CE switch 802.1x authentication configuration guide


Networking requirements

As shown in Figure 1, terminals in a company's office area access the company's internal network through the Switch. Illegal or unauthorized access would damage the company's business systems and leak key information assets, so the administrator wants the Switch to control users' network access rights and thereby secure the company's intranet.

Figure 1 Networking diagram for controlling enterprise users to access the network through 802.1x authentication



Configuration roadmap

The configuration roadmap is as follows:

1. Create and configure a RADIUS server group, an AAA scheme, and an authentication domain. Bind the RADIUS server group and the AAA scheme to the authentication domain so that the Switch can authenticate access users through the RADIUS server.

2. Enable the 802.1x authentication function to strictly control the network access rights of employees in the office area.


• In this example, a LAN switch sits between the Switch and the users and transparently forwards traffic. For users to pass 802.1x authentication, the LAN switch must transparently transmit EAP packets.

• This example only covers the configuration on the Switch. The configuration of the LAN switch and the RADIUS server is not described here.

Steps


1. Create a VLAN and configure the VLANs allowed by the interface to ensure network connectivity.


# Create VLAN10 and VLAN20.

<HUAWEI> system-view

[~HUAWEI] vlan batch 10 20

# Configure the interface 10GE1/0/1 connecting the Switch to users as an access interface and add it to VLAN 10.

[*HUAWEI] interface 10ge 1/0/1

[*HUAWEI-10GE1/0/1] port link-type access

[*HUAWEI-10GE1/0/1] port default vlan 10

[*HUAWEI-10GE1/0/1] quit


Explanation:

The link type of the interface that connects the device to users, and the VLAN that interface joins, depend on the VLAN the users actually belong to. This example assumes that all users are in VLAN 10.


# Configure the interface 10GE1/0/2 connecting the Switch to the RADIUS server as an access interface and add it to VLAN 20.

[*HUAWEI] interface 10ge 1/0/2

[*HUAWEI-10GE1/0/2] port link-type access

[*HUAWEI-10GE1/0/2] port default vlan 20

[*HUAWEI-10GE1/0/2] quit

[*HUAWEI] commit


2. Create and configure a RADIUS server group, an AAA authentication scheme, and an authentication domain.

# Create and configure a RADIUS server group "rd1".

[~HUAWEI] radius enable

[*HUAWEI] radius server group rd1

[*HUAWEI-radius-rd1] radius server authentication 192.xxx.2.xx 1812

[*HUAWEI-radius-rd1] radius server shared-key-cipher huawei@123

[*HUAWEI-radius-rd1] radius server user-name domain-excluded

[*HUAWEI-radius-rd1] quit


Explanation:

• Make sure that the shared key configured in the RADIUS server group is identical to the one configured on the RADIUS server; a mismatch makes every authentication request fail.

• Make sure that the device and the RADIUS server agree on how the user domain is handled (here the domain name is excluded from the user name sent to the server).


# Create an AAA authentication scheme "abc" and set the authentication mode to RADIUS.

[*HUAWEI] aaa

[*HUAWEI-aaa] authentication-scheme abc

[*HUAWEI-aaa-authen-abc] authentication-mode radius

[*HUAWEI-aaa-authen-abc] quit

# Create an authentication domain "isp1" and bind it to the AAA authentication scheme "abc" and the RADIUS server group "rd1".

[*HUAWEI-aaa] domain isp1

[*HUAWEI-aaa-domain-isp1] authentication-scheme abc

[*HUAWEI-aaa-domain-isp1] radius server group rd1

[*HUAWEI-aaa-domain-isp1] quit

[*HUAWEI-aaa] quit

[*HUAWEI] commit


3. Configure 802.1x authentication.

# Enable 802.1x authentication globally and on 10GE1/0/1.

[~HUAWEI] dot1x enable

[*HUAWEI] dot1x enable interface 10ge 1/0/1

# (Optional) Set the 802.1x authentication method to EAP relay, so that the Switch forwards EAP packets between the client and the RADIUS server instead of terminating them.

[*HUAWEI] dot1x authentication-method eap

[*HUAWEI] commit

# Configure the 802.1x authentication domain so that all users are authenticated in the specified domain (by default, 802.1x users are authenticated in the default domain).

[~HUAWEI] domain isp1

[*HUAWEI] commit


4. Verify the configuration.

a. Run the display dot1x command to check the 802.1x authentication configuration. The output shows that 802.1x authentication is enabled on 10GE1/0/1 (10GE1/0/1 802.1x: Enabled).

b. The user starts the 802.1x client on the terminal, enters the user name and password, and starts authentication.

c. If the user enters the correct username and password, the client page will display the authentication success message. Users can then access the network.

d. After the user goes online, the administrator can run the display dot1x sessions command on the device to view online 802.1x user information.


Configuration file

# Switch configuration file

#

vlan batch 10 20

#

dot1x enable

domain isp1

dot1x authentication-method eap

#

radius enable

#

radius server group rd1

 radius server shared-key-cipher %#%#Y#5L!Nh#[;/G@Q"SIe6'v)6mW%&k'Q.SEiIC~e[;%#%#

 radius server authentication 192.xxx.2.xx 1812

 radius server user-name domain-excluded

#

aaa

 #

 authentication-scheme abc

  authentication-mode radius

 #

 domain isp1

  authentication-scheme abc

  radius server group rd1

#

interface 10GE1/0/1

 port default vlan 10

 dot1x enable

#

interface 10GE1/0/2

 port default vlan 20

#
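The configuration file above only proves the chain is complete if every link holds: 802.1x is enabled globally and on the user-facing interface, the system-view domain exists under aaa, that domain binds a scheme whose mode is radius and a RADIUS server group that actually has a server and a shared key. The following script is an added example (not Huawei tooling or part of the original guide) that parses a configuration file in this indentation-based layout and reports any broken link. The embedded sample is constructed to mirror the page's file; the server address 192.0.2.10 and the cipher text are placeholders, not values from the page.

```python
"""Audit the 802.1x -> domain -> AAA scheme -> RADIUS group chain in a
CloudEngine-style configuration file (added example, not Huawei tooling)."""

# Constructed sample in the layout of the page's configuration file.
# 192.0.2.10 (a documentation address) and the cipher text are placeholders.
SAMPLE_CONFIG = """\
dot1x enable
domain isp1
dot1x authentication-method eap
#
radius enable
radius server group rd1
 radius server shared-key-cipher %#%#PLACEHOLDER-CIPHERTEXT%#%#
 radius server authentication 192.0.2.10 1812
 radius server user-name domain-excluded
#
aaa
 #
 authentication-scheme abc
  authentication-mode radius
 #
 domain isp1
  authentication-scheme abc
  radius server group rd1
#
interface 10GE1/0/1
 port default vlan 10
 dot1x enable
#
interface 10GE1/0/2
 port default vlan 20
#
"""


def parse_blocks(text):
    """Build an indentation tree of (command, children) nodes.

    CE config files nest sub-commands by one leading space per level;
    lines that are only '#' are section separators and are skipped."""
    root = []
    stack = [(-1, root)]  # (indent depth, children list) of open blocks
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "#":
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= depth:  # close blocks at this level or deeper
            stack.pop()
        node = (cmd, [])
        stack[-1][1].append(node)
        stack.append((depth, node[1]))
    return root


def _find(nodes, prefix):
    """(command, children) pairs whose command is `prefix` or starts with it."""
    return [(c, k) for c, k in nodes if c == prefix or c.startswith(prefix + " ")]


def _block(nodes, exact):
    """Children of the node whose command equals `exact`, or None if absent."""
    for c, k in nodes:
        if c == exact:
            return k
    return None


def audit_dot1x(text, user_interfaces):
    """Return a list of findings; an empty list means the chain is consistent."""
    tree, findings = parse_blocks(text), []
    if _block(tree, "dot1x enable") is None:
        findings.append("802.1x is not enabled globally")
    if _block(tree, "radius enable") is None:
        findings.append("RADIUS is not enabled globally")
    # The system-view 'domain <name>' selects the 802.1x authentication domain.
    names = [c.split()[1] for c, _ in _find(tree, "domain") if len(c.split()) == 2]
    if not names:
        findings.append("no global 802.1x domain set; users would authenticate in the default domain")
        return findings
    domain = names[0]
    aaa = _block(tree, "aaa") or []
    dom = _block(aaa, f"domain {domain}")
    if dom is None:
        findings.append(f"domain {domain} is referenced but not defined under aaa")
        return findings
    schemes = [c.split()[1] for c, _ in _find(dom, "authentication-scheme")]
    groups = [c.split()[-1] for c, _ in _find(dom, "radius server group")]
    if not schemes:
        findings.append(f"domain {domain} binds no authentication scheme")
    if not groups:
        findings.append(f"domain {domain} binds no RADIUS server group")
    for scheme in schemes:  # scheme must exist and use RADIUS
        defn = _block(aaa, f"authentication-scheme {scheme}")
        if defn is None:
            findings.append(f"authentication scheme {scheme} is not defined")
        elif _block(defn, "authentication-mode radius") is None:
            findings.append(f"authentication scheme {scheme} does not use RADIUS")
    for group in groups:  # group must exist with a server and a shared key
        defn = _block(tree, f"radius server group {group}")
        if defn is None:
            findings.append(f"RADIUS server group {group} is not defined")
            continue
        if not _find(defn, "radius server authentication"):
            findings.append(f"RADIUS server group {group} has no authentication server")
        if not _find(defn, "radius server shared-key-cipher"):
            findings.append(f"RADIUS server group {group} has no shared key")
    for iface in user_interfaces:  # every user-facing port must enforce 802.1x
        defn = _block(tree, f"interface {iface}")
        if defn is None or _block(defn, "dot1x enable") is None:
            findings.append(f"user-facing interface {iface} does not have 802.1x enabled")
    return findings


if __name__ == "__main__":
    for line in audit_dot1x(SAMPLE_CONFIG, ["10GE1/0/1"]) or ["802.1x chain is consistent"]:
        print(line)
```

Run it against the output of display current-configuration saved to a file, passing the list of user-facing interfaces; server-facing ports such as 10GE1/0/2 are deliberately not in that list. The script stops early when the global domain or its aaa definition is missing, because every later check depends on them.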

