Problem of 802.1X authentication failure between AR1200-S and the ACS of company C

Possible causes:
1. The RADIUS template is wrongly configured.
2. The 802.1X protocol is wrongly configured under an interface.
3. The policy matching the ACS is wrong.
4. The ACS is not compatible with the router.
5. Other causes
Recommended solution:
Configure a RADIUS authentication domain in the AAA view, and enable the corresponding domain in the system view. Otherwise, the default domain is used automatically during RADIUS authentication.
The specific configuration is as follows:
1. Run the following commands in the system view:
[AR-1220-S-1]
radius-server template huawei
radius-server shared-key cipher %$%$6nH'B
radius-server authentication 192.168.102.2 1812
radius-server accounting 192.168.102.2 1813
2. Run the following commands in the AAA view:
[AR-1220-S-1-aaa]
authentication-scheme default
authentication-scheme huawei
authentication-mode radius
authentication-scheme tacacs
authentication-mode hwtacacs
authentication-scheme portal
authentication-mode radius
authorization-scheme default
authorization-scheme huawei
authorization-scheme tacacs
authorization-mode hwtacacs
authorization-scheme portal
accounting-scheme default
accounting-scheme huawei
accounting-mode radius
accounting-scheme tacacs
accounting-mode hwtacacs
accounting-scheme portal
accounting-mode radius
domain default
domain default_admin
domain huawei
authentication-scheme huawei
accounting-scheme huawei
radius-server huawei
local-user admin password cipher %$%$|nL=";YRaC+2;4@s->.I-Zs^%$%$
local-user admin privilege level 15
local-user admin service-type telnet
3. Enable the huawei domain in the system view.
[AR-1220-S-1]domain huawei
For details, see: AR1200-S and C company ACS docking 802.1X certification does not pass the problem.
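
The following check is an added example, not part of the original page or of any Huawei tool. It audits a configuration for the failure described above: a RADIUS domain that exists in the AAA view but is not enabled in the system view, so authentication falls into the default domain. The sample configurations are constructed, and the one-space-per-view indentation and the fallback names "default" and "local" are assumptions.

```python
# Added example. Constructed samples; assumed layout: one space of indentation per view.
BROKEN = """\
radius-server template huawei
 radius-server authentication 192.168.102.2 1812
aaa
 authentication-scheme huawei
  authentication-mode radius
 domain default
 domain huawei
  authentication-scheme huawei
  radius-server huawei
"""                                   # step 3 (system-view "domain huawei") missing
FIXED = BROKEN + "domain huawei\n"    # step 3 applied

def parse(config):
    """Return (global default domain, scheme modes, domain bindings, templates)."""
    default_domain, schemes, domains, templates = "default", {}, {}, set()
    in_aaa, ctx = False, None
    for raw in filter(str.strip, config.splitlines()):
        words = raw.split()
        depth = len(raw) - len(raw.lstrip(" "))
        if depth == 0:
            in_aaa, ctx = words == ["aaa"], None
            if words[0] == "domain" and len(words) == 2:
                default_domain = words[1]            # system-view "domain <name>"
            elif words[:2] == ["radius-server", "template"] and len(words) == 3:
                templates.add(words[2])
        elif in_aaa and depth == 1:
            ctx = tuple(words) if len(words) == 2 else None
            if ctx and ctx[0] == "authentication-scheme":
                schemes.setdefault(ctx[1], "local")  # assumed mode when none is set
            elif ctx and ctx[0] == "domain":
                domains.setdefault(ctx[1], {})
        elif in_aaa and ctx and len(words) == 2:
            if ctx[0] == "authentication-scheme" and words[0] == "authentication-mode":
                schemes[ctx[1]] = words[1]
            elif ctx[0] == "domain":
                domains[ctx[1]][words[0]] = words[1]  # scheme / template bindings
    return default_domain, schemes, domains, templates

def audit(config):
    """List reasons the domain used by default would not reach the RADIUS server."""
    default_domain, schemes, domains, templates = parse(config)
    dom, findings = domains.get(default_domain, {}), []
    if schemes.get(dom.get("authentication-scheme"), "local") != "radius":
        findings.append(f"domain {default_domain}: authentication scheme is not RADIUS")
    if dom.get("radius-server") not in templates:
        findings.append(f"domain {default_domain}: no defined RADIUS template bound")
    return findings
```

audit(BROKEN) reports both findings against the default domain; audit(FIXED) returns an empty list.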

Other related questions:
How to configure remote 802.1x authentication
In remote authentication and authorization, user information including the user name, password, and attributes is configured on the remote AAA server. This mode offers high network security. The following example describes remote 802.1x authentication. Assume that a user connects to GE1/0/0 on an AR and belongs to VLAN 10. GE1/0/2 connects to the RADIUS server and belongs to VLAN 20. RADIUS authentication without accounting is used for the user, and the address of the RADIUS server is 192.168.2.30:1812.
1. Configure interfaces and VLANs so that the AR can communicate with the RADIUS server.
[Huawei] vlan batch 10 20
[Huawei] interface gigabitethernet 1/0/1
[Huawei-GigabitEthernet1/0/1] port link-type access
[Huawei-GigabitEthernet1/0/1] port default vlan 10
[Huawei-GigabitEthernet1/0/1] quit
[Huawei] interface gigabitethernet 1/0/2
[Huawei-GigabitEthernet1/0/2] port link-type access
[Huawei-GigabitEthernet1/0/2] port default vlan 20
[Huawei-GigabitEthernet1/0/2] quit
2. Configure a RADIUS server template, a domain, and AAA schemes.
[Huawei] radius-server template rd1
[Huawei-radius-rd1] radius-server authentication 192.168.2.30 1812
[Huawei-radius-rd1] radius-server shared-key cipher Huawei@2012
[Huawei-radius-rd1] quit
[Huawei] aaa
[Huawei-aaa] authentication-scheme abc
[Huawei-aaa-authen-abc] authentication-mode radius
[Huawei-aaa-authen-abc] quit
[Huawei-aaa] domain isp1
[Huawei-aaa-domain-isp1] authentication-scheme abc
[Huawei-aaa-domain-isp1] radius-server rd1
[Huawei-aaa-domain-isp1] quit
[Huawei-aaa] quit
3. Enable 802.1x globally and on the interface.
[Huawei] dot1x enable
[Huawei] interface gigabitethernet 1/0/1
[Huawei-GigabitEthernet1/0/1] dot1x enable

How to configure local 802.1x authentication
In local authentication and authorization, user information including the local user name, password, and attributes is configured on an AR. In this mode, the AR provides fast processing and low operation cost, whereas the amount of information that can be stored is limited by the AR hardware capacity. The following example describes local 802.1x authentication. Assume that a user connects to GE1/0/0 on an AR and belongs to VLAN 100. Local authentication is used, and the user can access the Internet without authorization.
1. Create VLAN 100 and add GE1/0/0 to VLAN 100.
[Huawei] vlan batch 100
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] port link-type access
[Huawei-GigabitEthernet1/0/0] port default vlan 100
[Huawei-GigabitEthernet1/0/0] quit
2. Configure a local user, AAA schemes, and AAA domain.
[Huawei] aaa
[Huawei-aaa] local-user huawei password cipher hello@123
[Huawei-aaa] local-user huawei service-type 8021x
[Huawei-aaa] authentication-scheme test
[Huawei-aaa-authen-test] authentication-mode local
[Huawei-aaa-authen-test] quit
[Huawei-aaa] authorization-scheme test
[Huawei-aaa-author-test] authorization-mode none
[Huawei-aaa-author-test] quit
[Huawei-aaa] domain default_admin
[Huawei-aaa-domain-default_admin] authentication-scheme test
[Huawei-aaa-domain-default_admin] authorization-scheme test
3. Enable 802.1x authentication globally and on an interface.
[Huawei] dot1x enable
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] dot1x enable
