Hello everyone,
Today I will share with you how to configure 802.1x authentication on CE switch.
Networking requirements
As shown in Figure 1, terminals in a company's office area access the company's internal network through the Switch. Illegal or unauthorized access would damage the company's business systems and leak key information assets. The administrator therefore wants the Switch to control users' network access rights so that the security of the company's intranet is ensured.
Figure 1 Networking diagram for controlling enterprise users to access the network through 802.1x authentication
Configuration ideas
The configuration roadmap is as follows:
1. Create and configure a RADIUS server group, an AAA scheme, and an authentication domain. Bind the RADIUS server group and the AAA scheme to the authentication domain so that the Switch can authenticate access users through the RADIUS server.
2. Enable the 802.1x authentication function to strictly control the network access rights of employees in the office area.
- In this example, a LAN Switch that forwards frames transparently sits between the Switch and the users. For users to pass 802.1x authentication, this LAN Switch must transparently forward EAP packets.
- This example covers only the configuration on the Switch. The configuration of the LAN Switch and the RADIUS server is not described here.
Steps
1. Create a VLAN and configure the VLANs allowed by the interface to ensure network connectivity.
# Create VLAN10 and VLAN20.
<HUAWEI> system-view
[~HUAWEI] vlan batch 10 20
# Configure the 10GE1/0/1 interface connecting the Switch to users as an access interface and add it to VLAN 10.
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] port link-type access
[*HUAWEI-10GE1/0/1] port default vlan 10
[*HUAWEI-10GE1/0/1] quit
Explanation:
The link type of the interface connecting the device to users, and the VLAN that the interface joins, depend on the VLAN to which the users actually belong. This example assumes that all users are assigned to VLAN 10.
# Configure the 10GE1/0/2 interface connecting the Switch to the RADIUS server as an access interface and add it to VLAN 20.
[*HUAWEI] interface 10ge 1/0/2
[*HUAWEI-10GE1/0/2] port link-type access
[*HUAWEI-10GE1/0/2] port default vlan 20
[*HUAWEI-10GE1/0/2] quit
[*HUAWEI] commit
2. Create and configure a RADIUS server group, an AAA authentication scheme, and an authentication domain.
# Create and configure a RADIUS server group "rd1".
[~HUAWEI] radius enable
[*HUAWEI] radius server group rd1
[*HUAWEI-radius-rd1] radius server authentication 192.xxx.2.xx 1812
[*HUAWEI-radius-rd1] radius server shared-key-cipher huawei@123
[*HUAWEI-radius-rd1] radius server user-name domain-excluded
[*HUAWEI-radius-rd1] quit
Explanation:
- Make sure that the shared key configured in the RADIUS server group matches the one configured on the RADIUS server.
- Make sure that the device and the RADIUS server use the same user domain configuration.
# Create an AAA authentication scheme "abc" and set the authentication mode to RADIUS.
[*HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme abc
[*HUAWEI-aaa-authen-abc] authentication-mode radius
[*HUAWEI-aaa-authen-abc] quit
# Create an authentication domain "isp1" and bind it to the AAA authentication scheme "abc" and the RADIUS server group "rd1".
[*HUAWEI-aaa] domain isp1
[*HUAWEI-aaa-domain-isp1] authentication-scheme abc
[*HUAWEI-aaa-domain-isp1] radius server group rd1
[*HUAWEI-aaa-domain-isp1] quit
[*HUAWEI-aaa] quit
[*HUAWEI] commit
3. Configure 802.1x authentication.
# Enable 802.1x authentication globally and on 10GE1/0/1.
[~HUAWEI] dot1x enable
[*HUAWEI] dot1x enable interface 10ge 1/0/1
# (Optional) Configure the 802.1x authentication mode as the EAP relay mode.
[*HUAWEI] dot1x authentication-method eap
[*HUAWEI] commit
# Configure an 802.1x authentication domain to ensure that all users authenticate in the specified domain (802.1x authenticates in the default domain by default).
[*HUAWEI] domain isp1
[*HUAWEI] commit
4. Verify the configuration.
a. Run the display dot1x command to check the configuration of 802.1x authentication. From the displayed information, you can see that 802.1x authentication is enabled on 10GE1/0/1 (10GE1/0/1 802.1x: Enabled).
b. The user starts the 802.1x client on the terminal, enters the user name and password, and starts authentication.
c. If the user enters the correct username and password, the client page will display the authentication success message. Users can then access the network.
d. After the user goes online, the administrator can run the display dot1x sessions command on the device to view online 802.1x user information.
Configuration file
# Switch configuration file
#
vlan batch 10 20
#
dot1x enable
domain isp1
dot1x authentication-method eap
#
radius enable
#
radius server group rd1
 radius server shared-key-cipher %#%#Y#5L!Nh#[;/G@Q"SIe6'v)6mW%&k'Q.SEiIC~e[;%#%#
 radius server authentication 192.xxx.2.xx 1812
 radius server user-name domain-excluded
#
aaa
 #
 authentication-scheme abc
  authentication-mode radius
 #
 domain isp1
  authentication-scheme abc
  radius server group rd1
#
interface 10GE1/0/1
 port default vlan 10
 dot1x enable
#
interface 10GE1/0/2
 port default vlan 20
#
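As an added check (not from the post and not Huawei code), the Python script below parses a saved CE configuration like the one above and verifies the whole 802.1x chain: global dot1x enable, the default domain bound to a RADIUS authentication scheme and a server group that has both a server address and a shared key, dot1x enabled on the user-facing port and not on the RADIUS-facing port (where it would block the server itself). It assumes the indentation a saved config carries, and the port names, placeholder cipher key and documentation IP in the sample are constructed.

```python
# Constructed sample, indented like a saved CE config (placeholder key, documentation IP).
SAMPLE_CONFIG = """\
dot1x enable
domain isp1
radius server group rd1
 radius server shared-key-cipher %#%#PLACEHOLDER-CIPHER%#%#
 radius server authentication 192.0.2.10 1812
aaa
 authentication-scheme abc
  authentication-mode radius
 domain isp1
  authentication-scheme abc
  radius server group rd1
interface 10GE1/0/1
 dot1x enable
interface 10GE1/0/2
"""

def parse_sections(text):  # header path, e.g. ("aaa", "domain isp1") -> lines under it
    sections, stack = {}, []  # stack of (indent, header line); "#" separators are skipped
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if line in ("", "#"):
            continue
        while stack and stack[-1][0] >= indent:
            stack.pop()
        sections.setdefault(tuple(h for _, h in stack), []).append(line)
        stack.append((indent, line))
    return sections

def arg(lines, prefix):  # first word after `prefix` in the first matching line, else None
    return next(((ln[len(prefix):].split() or [None])[0] for ln in lines if ln.startswith(prefix)), None)

def check_dot1x(text, user_port, server_port):  # follow default domain -> AAA domain -> scheme -> RADIUS group
    s = parse_sections(text)
    dom = arg(s.get((), []), "domain ")
    dsec = s.get(("aaa", f"domain {dom}"), [])
    scheme = arg(dsec, "authentication-scheme ")
    gsec = s.get((f"radius server group {arg(dsec, 'radius server group ')}",), [])
    checks = [
        ("dot1x enable" in s.get((), []), "802.1x not enabled globally"),
        ("authentication-mode radius" in s.get(("aaa", f"authentication-scheme {scheme}"), []),
         f"domain {dom} does not authenticate via RADIUS"),
        (arg(gsec, "radius server authentication ") and arg(gsec, "radius server shared-key-cipher "),
         f"RADIUS group of domain {dom} lacks a server address or shared key"),
        ("dot1x enable" in s.get((f"interface {user_port}",), []), f"802.1x not enabled on {user_port}"),
        ("dot1x enable" not in s.get((f"interface {server_port}",), []),
         f"802.1x on {server_port} would block the RADIUS server itself"),
    ]
    return [msg for ok, msg in checks if not ok]  # empty list means the chain is complete
```

Run it against the output of display current-configuration saved to a file; an empty list means every piece of the chain is present.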
That is all I want to share with you! Thank you!