How to configure local 802.1x authentication

In local authentication and authorization, user information including the local user name, password, and attributes is configured on an AR. In this mode, the AR provides fast processing and low operation cost, whereas the amount of information that can be stored is limited by the AR hardware capacity.
An example is used here to describe local 802.1x authentication. Assume that a user connects to GE1/0/0 on an AR and belongs to VLAN 100. Local authentication is used, and the user can access the Internet without authorization.
1. Create VLAN 100 and add GE1/0/0 to VLAN 100.
[Huawei] vlan batch 100
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] port link-type access
[Huawei-GigabitEthernet1/0/0] port default vlan 100
[Huawei-GigabitEthernet1/0/0] quit
2. Configure a local user, AAA schemes, and AAA domain.
[Huawei] aaa
[Huawei-aaa] local-user huawei password cipher hello@123
[Huawei-aaa] local-user huawei service-type 8021x
[Huawei-aaa] authentication-scheme test
[Huawei-aaa-authen-test] authentication-mode local
[Huawei-aaa-authen-test] quit
[Huawei-aaa] authorization-scheme test
[Huawei-aaa-author-test] authorization-mode none
[Huawei-aaa-author-test] quit
[Huawei-aaa] domain default_admin
[Huawei-aaa-domain-default_admin] authentication-scheme test
[Huawei-aaa-domain-default_admin] authorization-scheme test
[Huawei-aaa-domain-default_admin] quit
[Huawei-aaa] quit
3. Enable 802.1x authentication globally and on an interface.
[Huawei] dot1x enable
[Huawei] interface gigabitethernet1/0/0
[Huawei-GigabitEthernet1/0/0] dot1x enable

Other related questions:
How to configure local authentication for 802.1x authentication users on S series switches
For S series switches (except the S1700), 802.1x authentication user information (including the user name, password, and other attributes of a local user) for local authentication and authorization is configured on the switches. Local authentication and authorization for 802.1x authentication users feature fast processing and low operation cost, but the amount of information that can be stored is limited by the switch hardware capacity.
Assume that a user connects to GE0/0/1 on a switch and belongs to VLAN 100. After local authentication is configured for the user on the switch, the user can access the network without being authorized. Configure local authentication for an 802.1x authentication user as follows:
1. Create VLAN 100 and add GE0/0/1 to the VLAN.
[HUAWEI] vlan batch 100 
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] port default vlan 100 
[HUAWEI-GigabitEthernet0/0/1] quit
2. Create a local user and an authentication domain for the local user.
[HUAWEI] aaa     
[HUAWEI-aaa] local-user huawei password cipher hello@123
[HUAWEI-aaa] local-user huawei service-type 8021x
[HUAWEI-aaa] authentication-scheme test
[HUAWEI-aaa-authen-test] authentication-mode local
[HUAWEI-aaa-authen-test] quit
[HUAWEI-aaa] authorization-scheme test
[HUAWEI-aaa-author-test] authorization-mode none
[HUAWEI-aaa-author-test] quit
[HUAWEI-aaa] domain default_admin
[HUAWEI-aaa-domain-default_admin] authentication-scheme test
[HUAWEI-aaa-domain-default_admin] authorization-scheme test
[HUAWEI-aaa-domain-default_admin] quit
[HUAWEI-aaa] quit
3. Enable 802.1x authentication in the system view and on a specified interface.
a. In common mode (applicable to switches running all versions):
[HUAWEI] undo authentication unified-mode  //Change the NAC mode to common. This step is required only on switches running V200R005C00 and later versions.
[HUAWEI] quit
<HUAWEI> reboot   //This step is required only on switches running V200R005C00 and later versions.
<HUAWEI> system-view   //Re-enter the system view after the reboot.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] dot1x enable
[HUAWEI-GigabitEthernet0/0/1] dot1x authentication-method eap
b. In unified mode (applicable to switches running versions from V200R005 to V200R008):
[HUAWEI] authentication unified-mode 
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication dot1x
[HUAWEI-GigabitEthernet0/0/1] authentication mode multi-authen max-user 100
c. In unified mode (applicable to switches running V200R009 and later versions):
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] quit
[HUAWEI] authentication-profile name a1
[HUAWEI-authen-profile-a1] dot1x-access-profile d1
[HUAWEI-authen-profile-a1] quit
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication-profile a1
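A check to run against a saved configuration, confirming that every access port is covered by one of the three enablement forms in step 3 (common mode, unified mode, authentication profile). This is an added example, not Huawei's code; the `display current-configuration` layout it parses, the sample text, and the function names are assumptions.

```python
# Constructed sample in the layout of `display current-configuration` ("#" between sections,
# sub-commands indented); not from a real device. Modes are mixed only to exercise each branch.
SAMPLE_CONFIG = """\
#
dot1x enable
#
dot1x-access-profile name d1
#
authentication-profile name a1
 dot1x-access-profile d1
#
interface GigabitEthernet0/0/1
 port link-type access
 dot1x enable
#
interface GigabitEthernet0/0/2
 port link-type access
#
interface GigabitEthernet0/0/3
 port link-type access
 authentication-profile a1
"""

def sections(text):
    """Map each top-level command to its indented sub-commands."""
    out, cur = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and cur:
            out[cur].append(line.strip())
        elif line.strip() not in ("", "#"):
            cur = line.strip()
            out.setdefault(cur, [])
    return out

def unprotected_access_ports(text):
    """Access ports with none of the page's three enablement forms in effect."""
    sec = sections(text)
    # Only authentication profiles that bind a dot1x access profile count.
    bound = {k.split()[-1] for k, v in sec.items() if k.startswith("authentication-profile name ")
             and any(c.startswith("dot1x-access-profile ") for c in v)}
    found = []
    for name, cmds in sec.items():
        if name.startswith("interface ") and "port link-type access" in cmds:
            ok = ("dot1x enable" in sec and "dot1x enable" in cmds  # common mode (global + port)
                  or "authentication dot1x" in cmds                 # unified, V200R005 to V200R008
                  or any(c.startswith("authentication-profile ")    # unified, V200R009 and later
                         and c.split()[-1] in bound for c in cmds))
            if not ok:
                found.append(name.split(None, 1)[1])
    return found
```

Only ports with an explicit `port link-type access` line are examined, so ports left at the default link type need a separate review.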

How to configure 802.1x authentication on a WLAN device for local users
For the procedure of configuring 802.1x authentication for local users, see Example for Configuring 802.1x Authentication (AAA in RADIUS Mode) (through commands) or Example for Configuring 802.1x Authentication for Local Users (through the web page) in the AC6605&AC6005&ACU2 (AC&FITAP) Product Documentation. The AC V200R006 is used as an example.

802.1x local authentication configuration on S series switch
For S series switches except S1700 switches, in 802.1x local authentication and authorization, user information (including the local user name, password, and attributes) is configured on the switch. 802.1x local authentication and authorization feature fast processing and low operation cost, whereas the amount of information that can be stored is limited by the switch hardware capacity.
Assume that the user connects to GE0/0/1 of the switch and belongs to VLAN 100. In addition, the user uses local authentication and can connect to the network without authorization. Configure 802.1x local authentication as follows:
1. Create VLAN 100, and add interface GE0/0/1 to this VLAN.
[HUAWEI] vlan batch 100
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] port default vlan 100 
[HUAWEI-GigabitEthernet0/0/1] quit
2. Configure the local user and the authentication domain of the user.
[HUAWEI] aaa     
[HUAWEI-aaa] local-user huawei password cipher hello@123
[HUAWEI-aaa] local-user huawei service-type 8021x
[HUAWEI-aaa] authentication-scheme test
[HUAWEI-aaa-authen-test] authentication-mode local
[HUAWEI-aaa-authen-test] quit
[HUAWEI-aaa] authorization-scheme test
[HUAWEI-aaa-author-test] authorization-mode none
[HUAWEI-aaa-author-test] quit
[HUAWEI-aaa] domain default_admin
[HUAWEI-aaa-domain-default_admin] authentication-scheme test
[HUAWEI-aaa-domain-default_admin] authorization-scheme test
[HUAWEI-aaa-domain-default_admin] quit
[HUAWEI-aaa] quit
3. Enable 802.1x authentication globally and on a specified interface.
a. Traditional mode (applicable to all versions)
[HUAWEI] undo authentication unified-mode  //Switch to the traditional mode (This configuration applies only to V200R005C00 and later versions.)
[HUAWEI] quit
<HUAWEI> reboot   //This configuration applies only to V200R005C00 and later versions.
<HUAWEI> system-view   //Re-enter the system view after the reboot.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] dot1x enable
[HUAWEI-GigabitEthernet0/0/1] dot1x authentication-method eap
b. Unified mode (applicable to V200R005C00 and later versions)
[HUAWEI] authentication unified-mode 
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication dot1x
[HUAWEI-GigabitEthernet0/0/1] authentication mode multi-authen max-user 100

How to configure remote 802.1x authentication
In remote authentication and authorization, user information including the user name, password, and attributes is configured on the remote AAA server. This mode has high network security.
An example is used here to describe remote 802.1x authentication. Assume that a user connects to GE1/0/0 on an AR and belongs to VLAN 10. GE1/0/2 connects to the RADIUS server and belongs to VLAN 20. RADIUS authentication and non-accounting are used for the user, and the IP address of the RADIUS server is 192.168.2.30:1812.
1. Configure interfaces and VLANs so that the AR can communicate with the RADIUS server.
[Huawei] vlan batch 10 20
[Huawei] interface gigabitethernet 1/0/1
[Huawei-GigabitEthernet1/0/1] port link-type access
[Huawei-GigabitEthernet1/0/1] port default vlan 10
[Huawei-GigabitEthernet1/0/1] quit
[Huawei] interface gigabitethernet 1/0/2
[Huawei-GigabitEthernet1/0/2] port link-type access
[Huawei-GigabitEthernet1/0/2] port default vlan 20
[Huawei-GigabitEthernet1/0/2] quit
2. Configure a RADIUS server template, a domain, and AAA schemes.
[Huawei] radius-server template rd1
[Huawei-radius-rd1] radius-server authentication 192.168.2.30 1812
[Huawei-radius-rd1] radius-server shared-key cipher Huawei@2012
[Huawei-radius-rd1] quit
[Huawei] aaa
[Huawei-aaa] authentication-scheme abc
[Huawei-aaa-authen-abc] authentication-mode radius
[Huawei-aaa-authen-abc] quit
[Huawei-aaa] domain isp1
[Huawei-aaa-domain-isp1] authentication-scheme abc
[Huawei-aaa-domain-isp1] radius-server rd1
[Huawei-aaa-domain-isp1] quit
[Huawei-aaa] quit
3. Enable 802.1x globally and on the interface.
[Huawei] dot1x enable
[Huawei] interface gigabitethernet 1/0/1
[Huawei-GigabitEthernet1/0/1] dot1x enable
