How to configure Layer 2 transparent transmission of 802.1x authentication packets on an S series switch


An Extensible Authentication Protocol (EAP) packet in 802.1x authentication is a bridge protocol data unit (BPDU). By default, S series switches do not perform Layer 2 forwarding for BPDUs. If a Layer 2 switch sits between an 802.1x authentication-enabled device and a user, Layer 2 transparent transmission must be configured on that switch. Otherwise, EAP packets sent by the user cannot reach the authentication device and the user cannot pass authentication.
The following describes different methods of configuring Layer 2 transparent transmission of 802.1x authentication packets on a fixed switch and a modular switch:
- Assume that the Layer 2 fixed switch connects to the upstream device through GE0/0/1, and connects to users through GE0/0/2.
[HUAWEI] l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol dot1x enable
[HUAWEI-GigabitEthernet0/0/1] bpdu enable
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol dot1x enable
[HUAWEI-GigabitEthernet0/0/2] bpdu enable
[HUAWEI-GigabitEthernet0/0/2] quit
- Assume that the Layer 2 modular switch connects to the upstream device through GE1/0/1, and connects to users through GE1/0/2.
[HUAWEI] l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] l2protocol-tunnel user-defined-protocol dot1x enable
[HUAWEI-GigabitEthernet1/0/1] bpdu bridge enable
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] l2protocol-tunnel user-defined-protocol dot1x enable
[HUAWEI-GigabitEthernet1/0/2] bpdu bridge enable
[HUAWEI-GigabitEthernet1/0/2] quit
Note that you cannot set the group-mac parameter to the following addresses:
- Reserved multicast MAC addresses: 0180-C200-0000 to 0180-C200-002F
- Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
- Destination MAC address of Smart Link packets: 010F-E200-0004
- Multicast MAC addresses used on the switch.

Other related questions:
Layer 2 transparent transmission mechanism for 802.1x protocol packets on S series switches
For S series switches (except the S1700), the Layer 2 transparent transmission mechanism for 802.1x protocol packets is as follows:
1. When an 802.1x protocol packet reaches the ingress node, the switch changes the multicast destination MAC address of the packet to a specified multicast MAC address.
2. After the MAC address of an 802.1x protocol packet is changed, the switch does not send the packet to the CPU for processing but directly forwards the packet on the Layer 2 network based on the configuration.
3. When the 802.1x protocol packet reaches the egress node, the switch restores the multicast destination MAC address of the packet to the standard multicast destination MAC address based on the mapping between the specified multicast destination MAC address and the 802.1x protocol configured on the switch.

Layer 2 transparent transmission on S series switch
Layer 2 transparent transmission mechanism on S series switches, except the S1700: PEs replace the standard multicast destination MAC address of user-side Layer 2 protocol packets with a specified multicast MAC address according to the mappings between multicast destination MAC addresses and Layer 2 protocols. Internal nodes on the backbone network forward the packets across the backbone network as common Layer 2 packets. The egress device of the backbone network restores the original destination MAC address of the packets according to the mappings between multicast destination MAC addresses and Layer 2 protocols, and then forwards the packets to user networks. After the destination MAC address in a user-side packet is replaced, the packet traverses the backbone network without being terminated. The new MAC address in the packet is configured by the l2protocol-tunnel group-mac command. S series switches can transparently transmit the following packets:
1. Spanning Tree Protocol (STP)
2. Link Aggregation Control Protocol (LACP)
3. Ethernet Operation, Administration, and Maintenance 802.3ah (EOAM3ah)
4. Link Layer Discovery Protocol (LLDP)
5. Generic VLAN Registration Protocol (GVRP)
6. Generic Multicast Registration Protocol (GMRP)
7. HUAWEI Group Management Protocol (HGMP)
8. VLAN Trunking Protocol (VTP)
9. Unidirectional Link Detection (UDLD)
10. Port Aggregation Protocol (PAGP)
11. Cisco Discovery Protocol (CDP)
12. Per VLAN Spanning Tree Plus (PVST+)
13. Shared Spanning Tree Protocol (SSTP), only supported by fixed switches
14. Dynamic Trunking Protocol (DTP)
15. Device Link Detection Protocol (DLDP)
16. User-defined protocol packets
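The ingress/egress MAC rewrite described above, together with the group-mac restrictions listed earlier, as an added Python model (not Huawei code): it rewrites the destination MAC of a constructed EAPOL frame from the standard PAE address to the configured group-mac on ingress, restores it on egress, and rejects group-mac values that fall in the reserved ranges. The supplicant MAC and the frame bytes are constructed for the example.

```python
import struct

PAE_MAC = "0180-c200-0003"        # standard 802.1x PAE group address (protocol-mac)
EAPOL_ETHERTYPE = 0x888E

# group-mac values the page says cannot be used
RESERVED_RANGE = ("0180-c200-0000", "0180-c200-002f")
RESERVED_SINGLE = {"0100-0ccc-cccc", "0100-0ccc-cccd", "010f-e200-0004"}


def parse_mac(text):
    """Huawei 'xxxx-xxxx-xxxx' (or colon) notation -> 6 raw bytes."""
    digits = text.replace("-", "").replace(":", "").lower()
    if len(digits) != 12:
        raise ValueError("bad MAC: %s" % text)
    return bytes.fromhex(digits)


def fmt_mac(mac):
    h = mac.hex()
    return "-".join((h[0:4], h[4:8], h[8:12]))


def group_mac_allowed(text):
    """True if a candidate group-mac is a multicast address outside the reserved set."""
    mac = parse_mac(text)
    if fmt_mac(mac) in RESERVED_SINGLE:
        return False
    lo, hi = (parse_mac(x) for x in RESERVED_RANGE)
    if lo <= mac <= hi:               # equal-length bytes compare numerically
        return False
    return bool(mac[0] & 0x01)        # must be a group (multicast) address


def tunnel_rewrite(frame, old_mac, new_mac):
    """Rewrite the destination MAC if the frame is addressed to old_mac; else pass through."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if frame[:6] != parse_mac(old_mac):
        return frame                  # not a frame this tunnel mapping applies to
    return parse_mac(new_mac) + frame[6:]


def ingress(frame, group_mac):        # PE facing the user: PAE address -> group-mac
    return tunnel_rewrite(frame, PAE_MAC, group_mac)


def egress(frame, group_mac):         # PE facing the authenticator: group-mac -> PAE address
    return tunnel_rewrite(frame, group_mac, PAE_MAC)


# Constructed EAPOL-Start frame: dst PAE, src supplicant, 0x888E, version 1, type 1, length 0
EAPOL_START = (parse_mac(PAE_MAC) + parse_mac("0011-2233-4455")
               + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, 1, 0))
```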

802.1x local authentication configuration on S series switch
For S series switches except S1700 switches, in 802.1x local authentication and authorization, user information (including the local user name, password, and attributes) is configured on the switch. 802.1x local authentication and authorization feature fast processing and low operation cost, whereas the amount of information that can be stored is limited by the switch hardware capacity.
Assume that the user connects to GE0/0/1 of the switch and belongs to VLAN 100. In addition, the user uses local authentication and can connect to the network without authorization. Configure 802.1x local authentication as follows:
1. Create VLAN 100, and add interface GE0/0/1 to this VLAN.
[HUAWEI] vlan 100
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] port default vlan 100
[HUAWEI-GigabitEthernet0/0/1] quit
2. Configure the local user and the authentication domain of the user.
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password cipher hello@123
[HUAWEI-aaa] local-user huawei service-type 8021x
[HUAWEI-aaa] authentication-scheme test
[HUAWEI-aaa-authen-test] authentication-mode local
[HUAWEI-aaa-authen-test] quit
[HUAWEI-aaa] authorization-scheme test
[HUAWEI-aaa-author-test] authorization-mode none
[HUAWEI-aaa-author-test] quit
[HUAWEI-aaa] domain default_admin
[HUAWEI-aaa-domain-default_admin] authentication-scheme test
[HUAWEI-aaa-domain-default_admin] authorization-scheme test
3. Enable 802.1x authentication globally and on a specified interface.
a. Traditional mode (applicable to all versions)
[HUAWEI] undo authentication unified-mode  //Switch to the traditional mode (This configuration applies only to V200R005C00 and later versions.)
[HUAWEI] quit
<HUAWEI> reboot   //This configuration applies only to V200R005C00 and later versions.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] dot1x enable
[HUAWEI-GigabitEthernet0/0/1] dot1x authentication-method eap
b. Unified mode (applicable to V200R005C00 and later versions)
[HUAWEI] authentication unified-mode 
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication dot1x
[HUAWEI-GigabitEthernet0/0/1] authentication mode multi-authen max-user 100
