S series switch with 802.1x configured cannot connect to the RADIUS server


For S series switches except S1700 switches, to configure 802.1x authentication, run the dot1x enable command to enable 802.1x authentication globally and on an interface. In addition, ensure that the switch and the RADIUS server can communicate at Layer 3.

Other related questions:
How can the switch connect to the RADIUS server when 802.1x authentication is configured?
When you configure 802.1x authentication, run the dot1x enable command to enable 802.1x authentication globally and on an interface. In addition, ensure that the switch and the RADIUS server can communicate at Layer 3.

Do S series switches support RADIUS server functions?
S series switches can only function as RADIUS clients but not RADIUS servers.

802.1x local authentication configuration on S series switch
For S series switches except S1700 switches, in 802.1x local authentication and authorization, user information (including the local user name, password, and attributes) is configured on the switch. 802.1x local authentication and authorization feature fast processing and low operation cost, whereas the amount of information that can be stored is limited by the switch hardware capacity.
Assume that the user connects to GE0/0/1 of the switch and belongs to VLAN 100. In addition, the user uses local authentication and can connect to the network without authorization. Configure 802.1x local authentication as follows:
1. Create VLAN 100, and add interface GE0/0/1 to this VLAN.
[HUAWEI] vlan 100 
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] port default vlan 100 
[HUAWEI-GigabitEthernet0/0/1] quit
2. Configure the local user and the authentication domain of the user.
[HUAWEI] aaa     
[HUAWEI-aaa] local-user huawei password cipher hello@123
[HUAWEI-aaa] local-user huawei service-type 8021x
[HUAWEI-aaa] authentication-scheme test
[HUAWEI-aaa-authen-test] authentication-mode local
[HUAWEI-aaa-authen-test] quit
[HUAWEI-aaa] authorization-scheme test
[HUAWEI-aaa-author-test] authorization-mode none
[HUAWEI-aaa-author-test] quit
[HUAWEI-aaa] domain default_admin
[HUAWEI-aaa-domain-default_admin] authentication-scheme test
[HUAWEI-aaa-domain-default_admin] authorization-scheme test
3. Enable 802.1x authentication globally and on a specified interface.
a. Traditional mode (applicable to all versions)
[HUAWEI] undo authentication unified-mode  //Switch to the traditional mode (This configuration applies only to V200R005C00 and later versions.)
[HUAWEI] quit
<HUAWEI> reboot   //This configuration applies only to V200R005C00 and later versions.
<HUAWEI> system-view   //Return to the system view after the restart.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] dot1x enable
[HUAWEI-GigabitEthernet0/0/1] dot1x authentication-method eap
b. Unified mode (applicable to V200R005C00 and later versions)
[HUAWEI] authentication unified-mode 
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication dot1x
[HUAWEI-GigabitEthernet0/0/1] authentication mode multi-authen max-user 100
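
An added example, not part of the original page or of Huawei's tooling: a Python check for the traditional-mode requirement above that `dot1x enable` be present both globally and on the interface. It assumes a saved configuration laid out with `#` separators and single-space-indented interface lines; the sample text and the function names are constructed for illustration.

```python
import re

# Constructed sample in the style of a saved configuration (traditional mode).
SAMPLE_CONFIG = """\
#
dot1x enable
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 100
 dot1x enable
 dot1x authentication-method eap
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 100
#
"""

def parse_sections(config_text):
    """Return (global_lines, {interface_name: [indented lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "#":
            current = None          # '#' closes the current section
        elif not line.startswith(" "):
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None
            if m:
                interfaces[current] = []
            else:
                global_lines.append(line)
        elif current is not None:   # indented line inside an interface
            interfaces[current].append(line.strip())
    return global_lines, interfaces

def audit_dot1x(config_text):
    """Flag ports where 802.1x is enabled at only one of the two levels."""
    global_lines, interfaces = parse_sections(config_text)
    global_on = "dot1x enable" in global_lines
    findings = []
    for name, lines in interfaces.items():
        port_on = "dot1x enable" in lines
        if port_on and not global_on:
            findings.append((name, "enabled on interface but not globally"))
        elif global_on and not port_on and "port link-type access" in lines:
            findings.append((name, "access port without dot1x enable"))
    return findings
```

Calling `audit_dot1x(SAMPLE_CONFIG)` reports GigabitEthernet0/0/2, an access port in VLAN 100 that would admit users without 802.1x.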

Why cannot I modify the RADIUS server template on an S series switch?
For S series switches (except S1700 switches):
- In the versions earlier than V200R005, users cannot modify their own RADIUS server template online. When users go online using a RADIUS server template, the RADIUS server template cannot be modified. Before modifying the RADIUS server template, wait until all users on the RADIUS server go offline or run the cut access-user command in the AAA view to disconnect the users.
- In V200R005 and later versions, users can modify the RADIUS server template online. However, the modification may not take effect on the online users or online users may be forced to go offline.
