How to configure remote 802.1x authentication

In remote authentication and authorization, user information including the user name, password, and attributes is configured on the remote AAA server. This mode has high network security.
The following example describes remote 802.1x authentication. Assume that a user connects to GE1/0/0 on an AR and belongs to VLAN 10. GE1/0/2 connects to the RADIUS server and belongs to VLAN 20. RADIUS authentication is used for the user, accounting is not performed, and the RADIUS server address and port are 192.168.2.30:1812.
1. Configure interfaces and VLANs so that the AR can communicate with the RADIUS server.
[Huawei] vlan batch 10 20
[Huawei] interface gigabitethernet 1/0/1
[Huawei-GigabitEthernet1/0/1] port link-type access
[Huawei-GigabitEthernet1/0/1] port default vlan 10
[Huawei-GigabitEthernet1/0/1] quit
[Huawei] interface gigabitethernet 1/0/2
[Huawei-GigabitEthernet1/0/2] port link-type access
[Huawei-GigabitEthernet1/0/2] port default vlan 20
[Huawei-GigabitEthernet1/0/2] quit
2. Configure a RADIUS server template, a domain, and AAA schemes.
[Huawei] radius-server template rd1
[Huawei-radius-rd1] radius-server authentication 192.168.2.30 1812
[Huawei-radius-rd1] radius-server shared-key cipher Huawei@2012
[Huawei-radius-rd1] quit
[Huawei] aaa
[Huawei-aaa] authentication-scheme abc
[Huawei-aaa-authen-abc] authentication-mode radius
[Huawei-aaa-authen-abc] quit
[Huawei-aaa] domain isp1
[Huawei-aaa-domain-isp1] authentication-scheme abc
[Huawei-aaa-domain-isp1] radius-server rd1
[Huawei-aaa-domain-isp1] quit
[Huawei-aaa] quit
3. Enable 802.1x globally and on the interface.
[Huawei] dot1x enable
[Huawei] interface gigabitethernet 1/0/1
[Huawei-GigabitEthernet1/0/1] dot1x enable
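
An added example, not part of the original answer and not Huawei tooling: a Python audit that parses a command session like the one above and checks that the domain, authentication scheme, RADIUS template and port settings chain together, and that the shared key is not the sample value printed in this procedure. The function names, the `DOC_KEYS` list and the embedded session are constructed for illustration; the port is a parameter because the scenario text names GE1/0/0 while the commands configure GE1/0/1.

```python
import re

# Constructed sample: the command session from the steps above, as typed.
SESSION = """\
[Huawei] radius-server template rd1
[Huawei-radius-rd1] radius-server authentication 192.168.2.30 1812
[Huawei-radius-rd1] radius-server shared-key cipher Huawei@2012
[Huawei] aaa
[Huawei-aaa] authentication-scheme abc
[Huawei-aaa-authen-abc] authentication-mode radius
[Huawei-aaa] domain isp1
[Huawei-aaa-domain-isp1] authentication-scheme abc
[Huawei-aaa-domain-isp1] radius-server rd1
[Huawei] dot1x enable
[Huawei] interface gigabitethernet 1/0/1
[Huawei-GigabitEthernet1/0/1] dot1x enable
"""
DOC_KEYS = {"Huawei@2012"}  # assumption: list of keys copied from documentation

def parse(session):
    """Group commands by the CLI view named in each prompt."""
    views = {}
    pat = r"^\[Huawei(?:-([^\]]+))?\][ \t]*(\S.*?)[ \t]*$"
    for m in re.finditer(pat, session, re.M):
        views.setdefault(m.group(1) or "system", []).append(m.group(2))
    return views

def audit(session, domain, port):
    """Return findings for the template -> scheme -> domain -> port chain."""
    v, out = parse(session), []
    dom = v.get(f"aaa-domain-{domain}", [])
    def ref(prefix):  # name the domain binds for this command, or None
        return next((c.split()[1] for c in dom if c.startswith(prefix + " ")), None)
    scheme = ref("authentication-scheme")
    tmpl = ref("radius-server")
    if "authentication-mode radius" not in v.get(f"aaa-authen-{scheme}", []):
        out.append("domain's authentication scheme is not in RADIUS mode")
    tcmds = v.get(f"radius-{tmpl}", [])
    if not any(c.startswith("radius-server authentication ") for c in tcmds):
        out.append("RADIUS template has no authentication server")
    for c in tcmds:
        if c.startswith("radius-server shared-key") and c.split()[-1] in DOC_KEYS:
            out.append("shared key is a published documentation sample")
    if "dot1x enable" not in v.get("system", []):
        out.append("802.1x is not enabled globally")
    if "dot1x enable" not in v.get(f"GigabitEthernet{port}", []):
        out.append(f"802.1x is not enabled on GigabitEthernet{port}")
    return out
```

Calling `audit(SESSION, "isp1", "1/0/1")` reports only the sample shared key; passing `"1/0/0"` additionally reports that 802.1x is not enabled on that port.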

Other related questions:
802.1x remote authentication on S series switch
In 802.1x remote authentication and authorization, user information (including the user name, password and attributes) is configured on the remote AAA server. 802.1x remote authentication and authorization feature high network security.
S series switches (except S1700 switches) running V200R003C10 or an earlier version support only traditional NAC configuration. Switches running V200R005C00 or a later version support both traditional and unified NAC configuration. By default, unified NAC configuration is used. 802.1x remote authentication also supports traditional and unified modes. 802.1x remote authentication configuration is the same on all switch models:
- For the traditional 802.1x remote authentication configuration, see "Example for Configuring 802.1x Authentication to Control Internal User Access" in "Configuring NAC (Common Mode)" of Typical Configuration Examples.
- For the unified 802.1x remote authentication configuration, see "Example for Configuring 802.1x Authentication to Control Internal User Access" in "Configuring NAC (Unified Mode)" of Typical Configuration Examples.

How to configure remote authentication for 802.1x authentication users on S series switches
802.1x authentication user information (including the user name, password, and other attributes) for remote authentication and authorization is configured on a remote AAA server. Remote authentication and authorization for 802.1x authentication users feature high network security.
For S series and E series switches (except the S1700) running V200R003C10 and earlier versions, NAC can be configured only in common mode. For switches running V200R005C00 and later versions, NAC can be configured in common or unified mode. Accordingly, remote authentication for 802.1x authentication users can be configured in common or unified mode. For switches running V200R009C00, the configuration model of NAC unified mode changes. Query the appropriate product manual based on the switch model and version. The following links are for reference only.
- For the configuration example in common mode, see "Typical User Access and Authentication Configuration - Typical NAC Configuration (Common Mode) - Example for Configuring 802.1x Authentication to Control Internal User Access" in S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.
- For the configuration example in unified mode on switches running versions from V200R005C00 to V200R008C00, see "Typical User Access and Authentication Configuration - Typical NAC Configuration (Unified Mode) (V200R005C00 to V200R008C00) - Example for Configuring 802.1x Authentication to Control Internal User Access" in S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.
- For the configuration example in unified mode on switches running V200R009C00 and later versions, see "Typical User Access and Authentication Configuration - Typical NAC Configuration (Unified Mode) (V200R009C00 and Later Versions) - Example for Configuring 802.1x Authentication to Control Internal User Access" in S1720&S2700&S3700&S5700&S6700&S7700&S9700 Configuration Guide - User Access and Authentication.

How to configure local 802.1x authentication
In local authentication and authorization, user information including the local user name, password, and attributes is configured on an AR. In this mode, the AR provides fast processing and low operation cost, whereas the amount of information that can be stored is limited by the AR hardware capacity.
An example is used here to describe local 802.1x authentication. Assume that a user connects to GE1/0/0 on an AR and belongs to VLAN 100. Local authentication is used, and the user can access the Internet without authorization.
1. Create VLAN 100 and add GE1/0/0 to VLAN 100.
[Huawei] vlan batch 100
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] port link-type access
[Huawei-GigabitEthernet1/0/0] port default vlan 100
[Huawei-GigabitEthernet1/0/0] quit
2. Configure a local user, AAA schemes, and AAA domain.
[Huawei] aaa
[Huawei-aaa] local-user huawei password cipher hello@123
[Huawei-aaa] local-user huawei service-type 8021x
[Huawei-aaa] authentication-scheme test
[Huawei-aaa-authen-test] authentication-mode local
[Huawei-aaa-authen-test] quit
[Huawei-aaa] authorization-scheme test
[Huawei-aaa-author-test] authorization-mode none
[Huawei-aaa-author-test] quit
[Huawei-aaa] domain default_admin
[Huawei-aaa-domain-default_admin] authentication-scheme test
[Huawei-aaa-domain-default_admin] authorization-scheme test
3. Enable 802.1x authentication globally and on an interface.
[Huawei] dot1x enable
[Huawei] interface gigabitethernet1/0/0
[Huawei-GigabitEthernet1/0/0] dot1x enable
