Example for Configuring User Authorization Based on ACL or Dynamic VLAN Delivery

Latest reply: Mar 23, 2017 07:54:17

 

Overview

After an 802.1x user is successfully authenticated on a RADIUS server, the server sends authorization information to the access device of the user. When the Agile Controller-Campus functions as the RADIUS server, it can deliver multiple authorization parameters.

- ACL-based authorization is classified into ACL number-based (static ACL-based) and dynamic ACL-based authorization.

  - ACL number: If ACL number delivery is configured on the server, the authorization information sent to the access device includes the ACL number. The access device matches ACL rules based on the delivered ACL number to control user rights.

    The RADIUS attribute used for ACL number delivery is (011) Filter-Id.

  - Dynamic ACL: The server delivers the rules in an ACL to the device. Users can access the network resources controlled by this ACL. The ACL and its rules must be configured on the server; the ACL does not need to be configured on the device.

    The RADIUS attribute used for dynamic ACL delivery is the Huawei extended RADIUS attribute (26-82) HW-Data-Filter.

- Dynamic VLAN: If dynamic VLAN delivery is configured on the server, the authorization information sent to the access device includes the VLAN attribute. After the access device receives the authorization information, it changes the VLAN of the user to the delivered VLAN.

The delivered VLAN does not change or affect the interface configuration. The delivered VLAN, however, takes precedence over the VLAN configured on the interface. That is, the delivered VLAN takes effect after the authentication succeeds, and the configured VLAN takes effect after the user goes offline.

The following RADIUS attributes are used for dynamic VLAN delivery:

- (064) Tunnel-Type (must be set to VLAN, that is, 13)

- (065) Tunnel-Medium-Type (must be set to 802, that is, 6)

- (081) Tunnel-Private-Group-ID (a VLAN ID or VLAN name)

To ensure that the RADIUS server delivers VLAN information correctly, all three RADIUS attributes must be present. In addition, the Tunnel-Type and Tunnel-Medium-Type attributes must be set to the specified values.
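As an added example that is not part of the original post: a small Python encoder/decoder for the RADIUS attributes listed above, with a check of whether a decoded Access-Accept body carries the complete dynamic-VLAN triple with the required values, plus the Filter-Id ACL number. The attribute numbers and values are those given in the post (RFC 2865/2868); the two sample payloads are constructed, and the first-occurrence rule for duplicate attributes is this checker's own choice, not a statement about switch behaviour.

```python
import struct

# Attribute types and values named in the post (RFC 2865 / RFC 2868 numbering).
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
VLAN_TRIPLE = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)

def encode_attr(attr_type, value):
    """One RADIUS attribute TLV: Type, Length (header included), Value (<= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_tagged_int(attr_type, value, tag=0):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet big-endian value."""
    return encode_attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))

def decode_attrs(payload):
    """Walk the attribute list of an Access-Accept; reject truncated or overlong TLVs."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload) or payload[pos + 1] < 2 or pos + payload[pos + 1] > len(payload):
            raise ValueError(f"malformed attribute at offset {pos}")
        attr_type, length = payload[pos], payload[pos + 1]
        attrs.append((attr_type, payload[pos + 2:pos + length]))
        pos += length
    return attrs

def untag(value):
    """Strip the RFC 2868 tag octet; a first octet above 0x1F is data, not a tag."""
    return value[1:] if value and value[0] <= 0x1F else value

def check_authorization(payload):
    """Report the ACL (Filter-Id) and the VLAN, the latter only if the triple is complete and valid."""
    by_type = {}
    for attr_type, value in decode_attrs(payload):
        by_type.setdefault(attr_type, value)  # this checker's rule: first occurrence wins
    acl = by_type[FILTER_ID].decode() if FILTER_ID in by_type else None
    missing = [t for t in VLAN_TRIPLE if t not in by_type]
    if missing:
        return {"acl": acl, "vlan": None, "reason": f"missing attribute(s) {missing}"}
    ttype = int.from_bytes(untag(by_type[TUNNEL_TYPE]), "big")
    tmed = int.from_bytes(untag(by_type[TUNNEL_MEDIUM_TYPE]), "big")
    if (ttype, tmed) != (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802):
        return {"acl": acl, "vlan": None, "reason": f"Tunnel-Type={ttype}, Tunnel-Medium-Type={tmed}"}
    return {"acl": acl, "vlan": untag(by_type[TUNNEL_PRIVATE_GROUP_ID]).decode(), "reason": None}

# Constructed samples: the authorization this example delivers (ACL 3002 + VLAN 20), and an
# Access-Accept that omits Tunnel-Medium-Type, so no VLAN can be applied from it.
GOOD_ACCEPT = (encode_attr(FILTER_ID, b"3002")
               + encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
               + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
               + encode_attr(TUNNEL_PRIVATE_GROUP_ID, bytes([0]) + b"20"))
INCOMPLETE_ACCEPT = (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
                     + encode_attr(TUNNEL_PRIVATE_GROUP_ID, bytes([0]) + b"20"))
```

Running `check_authorization(GOOD_ACCEPT)` yields ACL 3002 and VLAN 20, while the incomplete payload reports the missing attribute type 65 and no VLAN.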

Note: The following uses ACL number and dynamic VLAN delivery as an example. The configuration differences between ACL number delivery and dynamic ACL delivery are described in notes.

Configuration Notes

This example applies to all of the S series switches.

Note: For details about software mappings, see Version Mapping Search for Huawei Campus Switches.

For VLAN-based authorization to take effect, the link type and access control mode of the authentication interface must meet the following requirements:

- If the interface link type is hybrid and the interface has been added to a VLAN in untagged mode, the access control mode can be MAC address-based or interface-based.

- If the interface link type is access or trunk, the access control mode can only be interface-based.

Networking Requirements

As shown in Figure 1-1, a large number of employees' terminals in a company connect to the intranet through GE0/0/1 on SwitchA. To ensure network security, the administrator needs to control the network access rights of the terminals. The requirements are as follows:

- Before passing authentication, terminals can access only the public server (IP address 192.168.40.1), to download the 802.1x client or update the antivirus database.

- After passing authentication, terminals can access the service server (IP address 192.168.50.1) and devices in the laboratory (VLAN ID 20, IP address segment 192.168.20.10-192.168.20.100).

Figure 1-1 Wired access networking diagram


Data Plan

Table 1-1 Service data plan for the access switch

Item | Data
--- | ---
RADIUS scheme | Authentication server IP address: 192.168.30.1
 | Authentication server port number: 1812
 | Accounting server IP address: 192.168.30.1
 | Accounting server port number: 1813
 | Shared key for the RADIUS server: Huawei@123
 | Accounting interval: 15 minutes
 | Authentication domain: huawei
Resources accessible to users before authentication | Access rights to the public server are configured using an authentication-free rule. The name of the authentication-free rule profile is default_free_rule.
Resources accessible to users after authentication | Access rights to the laboratory are granted using a dynamic VLAN. The VLAN ID is 20. Access rights to the service server are granted using an ACL number. The ACL number is 3002.

Table 1-2 Service data plan for the Agile Controller-Campus

Item | Data
--- | ---
Department | R&D department
Access user | User name: A; wired access account: A-123; password: Huawei123
Switch IP address | SwitchA: 10.10.10.1
RADIUS authentication key | Huawei@123
RADIUS accounting key | Huawei@123

Configuration Roadmap

1. Configure the access switch: the VLANs that the interfaces belong to, the parameters for connecting to the RADIUS server, NAC, and the network access rights that users obtain after passing authentication.

   Note: In this example, ensure that reachable routes exist between SwitchA, SwitchB, the servers, the laboratory, and the employees' terminals.

2. Configure the Agile Controller-Campus.

   a. Log in to the Agile Controller-Campus.

   b. Add an account to the Agile Controller-Campus.

   c. Add switches to the Agile Controller-Campus.

   d. Configure authorization results and authorization rules on the Agile Controller-Campus.

Procedure

Step 1 Configure access switch SwitchA.

1. Create VLANs and configure the allowed VLANs on interfaces to ensure network connectivity.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 0/0/1    
[SwitchA-GigabitEthernet0/0/1] port link-type hybrid
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2    
[SwitchA-GigabitEthernet0/0/2] port link-type hybrid
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3    
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 20
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface loopback 1
[SwitchA-LoopBack1] ip address 10.10.10.1 24    
[SwitchA-LoopBack1] quit

2. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.

# Create and configure the RADIUS server template rd1.

[SwitchA] radius-server template rd1
[SwitchA-radius-rd1] radius-server authentication 192.168.30.1 1812
[SwitchA-radius-rd1] radius-server accounting 192.168.30.1 1813
[SwitchA-radius-rd1] radius-server shared-key cipher Huawei@123
[SwitchA-radius-rd1] quit

# Create the AAA authentication scheme abc and set the authentication mode to RADIUS.

[SwitchA] aaa
[SwitchA-aaa] authentication-scheme abc
[SwitchA-aaa-authen-abc] authentication-mode radius
[SwitchA-aaa-authen-abc] quit

# Configure the accounting scheme acco1 and set the accounting mode to RADIUS.

[SwitchA-aaa] accounting-scheme acco1
[SwitchA-aaa-accounting-acco1] accounting-mode radius
[SwitchA-aaa-accounting-acco1] accounting realtime 15
[SwitchA-aaa-accounting-acco1] quit

# Create the authentication domain huawei, and bind the AAA authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.

[SwitchA-aaa] domain huawei
[SwitchA-aaa-domain-huawei] authentication-scheme abc
[SwitchA-aaa-domain-huawei] accounting-scheme acco1
[SwitchA-aaa-domain-huawei] radius-server rd1
[SwitchA-aaa-domain-huawei] quit
[SwitchA-aaa] quit

3. Configure an authentication-free rule profile.

[SwitchA] free-rule-template name default_free_rule
[SwitchA-free-rule-default_free_rule] free-rule 10 destination ip 192.168.40.0 mask 24
[SwitchA-free-rule-default_free_rule] quit

4. Enable 802.1x authentication.

# Set the NAC mode to unified.

[SwitchA] authentication unified-mode

Note: By default, the unified mode is enabled. Before changing the NAC mode, you must save the configuration. After the mode is changed and the device is restarted, the functions of the newly configured mode take effect.

# Configure the 802.1x access profile d1.

[SwitchA] dot1x-access-profile name d1
[SwitchA-dot1x-access-profile-d1] quit

# Configure the authentication profile p1, bind the 802.1x access profile d1 and authentication-free rule profile default_free_rule to the authentication profile, specify the domain huawei as the forcible authentication domain in the authentication profile, and set the user access mode to multi-authen.

[SwitchA] authentication-profile name p1
[SwitchA-authen-profile-p1] dot1x-access-profile d1
[SwitchA-authen-profile-p1] free-rule-template default_free_rule
[SwitchA-authen-profile-p1] access-domain huawei force
[SwitchA-authen-profile-p1] authentication mode multi-authen
[SwitchA-authen-profile-p1] quit

# Bind the authentication profile p1 to GE0/0/1 and enable 802.1x authentication on the interface.

[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] authentication-profile p1
[SwitchA-GigabitEthernet0/0/1] quit

5. Configure the authorization parameter ACL 3002 for users who pass authentication.

Note: In dynamic ACL mode, this step does not need to be configured on the device.

[SwitchA] acl 3002
[SwitchA-acl-adv-3002] rule 1 permit ip destination 192.168.30.1 0
[SwitchA-acl-adv-3002] rule 2 permit ip destination 192.168.50.1 0
[SwitchA-acl-adv-3002] rule 3 deny ip destination any
[SwitchA-acl-adv-3002] quit

Step 2 Configure the Agile Controller-Campus.

1. Log in to the Agile Controller-Campus.

a. Open Internet Explorer, enter the Agile Controller-Campus access address in the address bar, and press Enter.

The following table describes the addresses for accessing the Agile Controller-Campus.

Access Mode | Description
--- | ---
https://Agile Controller-Campus-IP:8443 | Agile Controller-Campus-IP specifies the IP address of the Agile Controller-Campus.
IP address of the Agile Controller-Campus | If port 80 is enabled during installation, you can access the Agile Controller-Campus by entering its IP address without the port number. The Agile Controller-Campus URL will automatically change to https://Agile Controller-Campus-IP:8443.

b. Enter the administrator user name and password.

If you log in to the Agile Controller-Campus for the first time, use the super administrator user name admin and password Changeme123. Change the password immediately after logging in. Otherwise, the Agile Controller-Campus cannot be used.

2. Create a department and an account.

a. Choose Resource > User > User Management.

b. Click the Department tab in the operation area on the right, and then click Add under the Department tab to add a department R&D.

c. Click the User tab in the operation area on the right, and then click Add under the User tab to add a user A.

d. Click the icon next to user A in the Operation column to access Account Management. Click Add. Create a common account A-123 and set the password to Huawei123.

e. In the User tab, select user A. Click Transfer to add user A to the department R&D.

3. Add switches to the Agile Controller-Campus so that the switches can communicate with the Agile Controller-Campus.

Choose Resource > Device > Device Management. Click Add in the operation area on the right. Set the connection parameters on the Add Device page.

4. Add an authorization result.

Note: Perform this step for ACL number and VLAN delivery.

a. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result and click Add to create an authorization result.

b. Configure basic information for the authorization result.

Parameter | Value | Description
--- | --- | ---
Name | Authorization info for authenticated users | -
Service type | Access service | -
VLAN | 20 | The VLAN must be the same as the VLAN configured for R&D employees on the switch.
ACL number/AAA user group | 3002 | The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.

5. Add an authorization result.

Note: Perform this step for dynamic ACL and VLAN delivery.

a. Add a dynamic ACL.

i. Choose Policy > Permission Control > Policy Element > Dynamic ACL.

ii. Click Add.

iii. Configure basic information for the dynamic ACL and click Add in Rule List.

iv. Configure the attributes contained in the dynamic ACL.

b. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result and click Add to create an authorization result.

c. Configure basic information for the authorization result.

Parameter | Value | Description
--- | --- | ---
Name | Authorization information for users who pass authentication | -
Service type | Access service | -
VLAN | 20 | The VLAN ID must be the same as the VLAN ID configured for R&D employees on the switch.
Dynamic ACL | 3002 | -

6. Add an authorization rule.

After a user passes authentication, the authorization phase starts. The Agile Controller-Campus grants the user access rights based on the authorization rule.

a. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule and click Add to create an authorization rule.

b. Configure basic information for the authorization rule.

Parameter | Value | Description
--- | --- | ---
Name | Authorization rule for authenticated users | -
Service type | Access service | -
Department | R&D department | -
Authorization result | Authorization info for authenticated users | -

Step 3 Verify the configuration.

- Before passing authentication, an employee can access only the Agile Controller-Campus server and the public server.

- After passing authentication, an employee can access the Agile Controller-Campus server, the public server, the service server, and the laboratory.

- After the employee passes authentication, run the display access-user command on the switch. The command output shows information about the online employee.

----End

Switch Configuration File

#
sysname SwitchA
#
vlan batch 10 20
#
authentication-profile name p1
 dot1x-access-profile d1
 free-rule-template default_free_rule
 access-domain huawei force
#
radius-server template rd1
 radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
 radius-server authentication 192.168.30.1 1812 weight 80
 radius-server accounting 192.168.30.1 1813 weight 80
#
acl number 3002
 rule 1 permit ip destination 192.168.30.1 0 
 rule 2 permit ip destination 192.168.50.1 0 
 rule 3 deny ip
#
free-rule-template name default_free_rule
 free-rule 10 destination ip 192.168.40.0 mask 255.255.255.0

aaa
 authentication-scheme abc
  authentication-mode radius
 accounting-scheme acco1
  accounting-mode radius
  accounting realtime 15
 domain huawei
  authentication-scheme abc
  accounting-scheme acco1
  radius-server rd1
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 port hybrid pvid vlan 10 
 port hybrid untagged vlan 10
 authentication-profile p1
#
interface GigabitEthernet0/0/2
 port link-type hybrid
 port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface LoopBack1
 ip address 10.10.10.1 255.255.255.0
#  
dot1x-access-profile name d1
#
return





user_2790689
Created Mar 23, 2017 07:54:17

good