How to use 802.1x to enable non-authentication for users


After 802.1x authentication is enabled globally and on an interface, specific users can be exempted from authentication based on their MAC addresses.

To implement this function, configure the user's MAC address as a static MAC address entry of the specified VLAN on the interface through which the user accesses the network.
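
An added example, not part of the original answer or of Huawei's documentation: a Python check that lists the static MAC entries bound to 802.1x-enabled interfaces, since each one is a user admitted on MAC address alone. The sample configuration is constructed, and the `mac-address static <mac> <interface> vlan <vlan-id>` entry form and the function names are assumptions.

```python
import re

# Constructed sample in the layout of a saved switch configuration; not from the page.
SAMPLE_CONFIG = """\
dot1x enable
#
interface GigabitEthernet0/0/1
 port default vlan 100
 dot1x enable
#
interface GigabitEthernet0/0/2
 port default vlan 100
#
mac-address static 00e0-fc12-3456 GigabitEthernet0/0/1 vlan 100
mac-address static 00e0-fc12-789a GigabitEthernet0/0/2 vlan 100
"""

# Interface-view commands the page uses to enable 802.1x in each NAC mode.
# Assumption: any bound authentication-profile is treated as enabling 802.1x.
DOT1X_MARKERS = re.compile(
    r"^(dot1x enable|authentication dot1x|authentication-profile \S+)$", re.I)
# Assumed entry form: mac-address static <mac> <interface> vlan <vlan-id>
STATIC_MAC = re.compile(
    r"^mac-address static ([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}) "
    r"(\S+(?: \S+)?) vlan (\d+)$", re.I)

def norm(ifname):
    """Make 'gigabitethernet 0/0/1' and 'GigabitEthernet0/0/1' compare equal."""
    return ifname.replace(" ", "").lower()

def find_dot1x_exemptions(config_text):
    """Return (mac, interface, vlan) static entries on 802.1x-enabled ports."""
    dot1x_ports, static_entries, current = set(), [], None
    for raw in config_text.splitlines():
        line, indented = raw.strip(), raw[:1].isspace()
        if not indented:
            # A top-level line ends the previous interface view.
            m = re.match(r"^interface (.+)$", line, re.I)
            current = norm(m.group(1)) if m else None
            # System-view form: dot1x enable interface gigabitethernet 1/0/1
            m = re.match(r"^dot1x enable interface (.+)$", line, re.I)
            if m:
                dot1x_ports.add(norm(m.group(1)))
            m = STATIC_MAC.match(line)
            if m:
                static_entries.append((m[1].lower(), norm(m[2]), int(m[3])))
        elif current and DOT1X_MARKERS.match(line):
            dot1x_ports.add(current)
    return [e for e in static_entries if e[1] in dot1x_ports]
```

Run `find_dot1x_exemptions()` over a saved configuration and compare the result with the list of approved exemptions; the entry on GigabitEthernet0/0/2 is not reported because that port does not run 802.1x.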

Other related questions:
How to configure the restrict VLAN function on S series switches
You can configure a restrict VLAN on an interface of a switch so that a user can still access some network resources (for example, to update the virus library) after failing authentication. A user who fails authentication is added to the restrict VLAN and can access the resources in it. Note that a user fails authentication in this sense because the authentication server rejects the user for some reason (for example, the user enters an incorrect password), not because authentication times out or the network is disconnected.
Configure a restrict VLAN on S series switches (except the S1700) as follows:
- Perform the following operations in the system view:
[HUAWEI] vlan batch 20
[HUAWEI] undo authentication unified-mode  //Skip this step on switches running versions earlier than V200R005C00.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 20  //The restrict VLAN takes effect only for hybrid or access interfaces added to the restrict VLAN in untagged mode.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1
[HUAWEI] dot1x port-method port interface gigabitethernet 1/0/1
[HUAWEI] authentication restrict-vlan 20 interface gigabitethernet 1/0/1
- Perform the following operations in the interface view:
[HUAWEI] vlan batch 20
[HUAWEI] undo authentication unified-mode  //Skip this step on switches running versions earlier than V200R005C00.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 20  //The restrict VLAN takes effect only for hybrid or access interfaces added to the restrict VLAN in untagged mode.
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] dot1x port-method port
[HUAWEI-GigabitEthernet1/0/1] authentication restrict-vlan 20

How to configure remote authentication for 802.1x authentication users on S series switches
802.1x authentication user information (including the user name, password, and other attributes) for remote authentication and authorization is configured on a remote AAA server. Remote authentication and authorization for 802.1x authentication users feature high network security.
For S series and E series switches (except the S1700) running V200R003C10 and earlier versions, NAC can be configured only in common mode. For switches running V200R005C00 and later versions, NAC can be configured in common or unified mode. Accordingly, remote authentication for 802.1x authentication users can be configured in common or unified mode. For switches running V200R009C00, the configuration model of NAC unified mode changes.
Query the appropriate product manual based on the switch model and version. The following links are for reference only.
- For the configuration example in common mode, see "Typical User Access and Authentication Configuration - Typical NAC Configuration (Common Mode) - Example for Configuring 802.1x Authentication to Control Internal User Access" in S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.
- For the configuration example in unified mode on switches running versions from V200R005C00 to V200R008C00, see "Typical User Access and Authentication Configuration - Typical NAC Configuration (Unified Mode) (V200R005C00 to, V200R008C00) - Example for Configuring 802.1x Authentication to Control Internal User Access" in S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.
- For the configuration example in unified mode on switches running V200R009C00 and later versions, see "Typical User Access and Authentication Configuration - Typical NAC Configuration (Unified Mode) (V200R009C00 and Later Versions) - Example for Configuring 802.1x Authentication to Control Internal User Access" in S1720&S2700&S3700&S5700&S6700&S7700&S9700 Configuration Guide - User Access and Authentication.

How to configure local authentication for 802.1x authentication users on S series switches
For S series switches (except the S1700), 802.1x authentication user information (including the user name, password, and other attributes of a local user) for local authentication and authorization is configured on the switches. Local authentication and authorization for 802.1x authentication users feature fast processing and low operation cost, but the amount of information that can be stored is limited by the switch hardware capacity.
Assume that a user connects to GE0/0/1 on a switch and belongs to VLAN 100. After local authentication is configured for the user on the switch, the user can access the network without being authorized. Configure local authentication for an 802.1x authentication user as follows:
1. Create VLAN 100 and add GE0/0/1 to the VLAN.
[HUAWEI] vlan batch 100 
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] port default vlan 100 
[HUAWEI-GigabitEthernet0/0/1] quit
2. Create a local user and an authentication domain for the local user.
[HUAWEI] aaa     
[HUAWEI-aaa] local-user huawei password cipher hello@123
[HUAWEI-aaa] local-user huawei service-type 8021x
[HUAWEI-aaa] authentication-scheme test
[HUAWEI-aaa-authen-test] authentication-mode local
[HUAWEI-aaa-authen-test] quit
[HUAWEI-aaa] authorization-scheme test
[HUAWEI-aaa-author-test] authorization-mode none
[HUAWEI-aaa-author-test] quit
[HUAWEI-aaa] domain default_admin
[HUAWEI-aaa-domain-default_admin] authentication-scheme test
[HUAWEI-aaa-domain-default_admin] authorization-scheme test
3. Enable 802.1x authentication in the system view and on a specified interface.
a. In common mode (applicable to switches running all versions):
[HUAWEI] undo authentication unified-mode  //Change the NAC mode to common. This step is required only on switches running V200R005C00 and later versions.
[HUAWEI] quit
<HUAWEI> reboot   //This step is required only on switches running V200R005C00 and later versions.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] dot1x enable
[HUAWEI-GigabitEthernet0/0/1] dot1x authentication-method eap
b. In unified mode (applicable to switches running versions from V200R005 to V200R008):
[HUAWEI] authentication unified-mode 
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication dot1x
[HUAWEI-GigabitEthernet0/0/1] authentication mode multi-authen max-user 100
c. In unified mode (applicable to switches running V200R009 and later versions):
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] quit
[HUAWEI] authentication-profile name a1
[HUAWEI-authen-profile-a1] dot1x-access-profile d1
[HUAWEI-authen-profile-a1] quit
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication-profile a1
