Got it
Huawei Enterprise Support Community
Community Forums WLAN
[From Beginner to Expert]...

[From Beginner to Expert] Q&A: Typical Configuration for Interconnection Between AC and Cisco ISE Server (802.1X Authentication)

Latest reply: Mar 26, 2022 11:03:05 886 3 2 0 0
View the author 1#

Introduction to 802.1x Authentication

802.1x authentication is a method used for Network Admission Control (NAC). It controls user access rights based on access ports to protect enterprise intranet security.

802.1x authentication is more secure than MAC address authentication and Portal authentication; however, it requires that 802.1x client software be installed on all user terminals, allowing low networking flexibility. In contrast, MAC address authentication does not need client software, but user terminals' MAC addresses must be registered on the authentication server. Network configuration and management are complex. Portal authentication also does not need client software, allowing flexible deployment. However, it does not provide high security. Therefore, 802.1x authentication is applicable to network construction scenarios where users are densely distributed and high information security is required.

When the AC is interconnected with the Cisco ISE, three authentication methods, that is, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication. The configurations for the three authentication methods are similar. The following uses EAP as an example.

For details about how to configure 802.1x authentication on the AC, see Configure 802.1x authentication on the AC.

For details about how to configure the authentication on the Cisco ISE server, see Configure the Cisco ISE.

Applicable Products and Versions

Table 2-1 Applicable products and versions

Product

Version

Huawei AC

V200R007C10 and later versions

Cisco ISE

2.0.0.306

Service Requirements

When users attempt to access the WLAN, they can use 802.1x clients for authentication. After entering the correct user names and passwords, users can connect to the Internet. Furthermore, users' services are not affected during roaming in the coverage area.

Networking Requirements

  • AC networking mode: Layer 2 bypass mode
  • DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
  • Service data forwarding mode: direct forwarding
  • WLAN authentication mode: WPA-WPA2+802.1x+AES
Figure 2-1 Networking diagram for configuring 802.1x authentication 
imgDownload?uuid=581ba236d36c4e698608c6c

Data Planning

Table 2-2 Data planning on the AC

Configuration Item

Data

Management VLAN

VLAN 100

Service VLAN

VLAN 101

AC's source interface

VLANIF 100: 10.23.100.1/24

DHCP server

The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.

IP address pool for APs

10.23.100.2-10.23.100.254/24

IP address pool for the STAs

10.23.101.2-10.23.101.254/24

RADIUS authentication parameters

  • RADIUS server template name: wlan-net
  • IP address: 10.23.103.1
  • Authentication port number: 1812
  • Shared key: huawei@123
  • Authentication scheme: wlan-net

802.1x access profile

  • Name: wlan-net
  • Authentication mode: EAP

Authentication profile

  • Name: wlan-net
  • Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net

AP group

  • Name: ap-group1
  • Bound profile: VAP profile wlan-net and regulatory domain profile default

Regulatory domain profile

  • Name: default
  • Country code: China

SSID profile

  • Name: wlan-net
  • SSID name: wlan-net

Security profile

  • Name: wlan-net
  • Security policy: WPA-WPA2+802.1x+AES

VAP profile

  • Name: wlan-net
  • Forwarding mode: direct forwarding
  • Service VLAN: VLAN 101
  • Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net
Table 2-3 Data planning on the Cisco ISE

Configuration Item

Data

Department

R&D

Account

Account: huawei

Password: huawei123

Device profile

Huawei

Device name

AC6605

Device's IP address

10.23.102.2/32

RADIUS shared key

huawei@123

Authentication protocol

  • MS-CHAPv2
  • PEAP
  • CHAP (only for the test-aaa test)

Configuration Roadmap

  1. Configure network interworking.
  2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
  3. Configure APs to go online.
  4. Configure WLAN service parameters.
  5. Configure 802.1x authentication on the AC.
  6. Configure the Cisco ISE server.

Configuration Notes

  • Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.

  • The AC and server must have the same RADIUS shared key.

Procedure

  1. Configure network interworking.

    # Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
    <HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
    # Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN104. Create VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next hop of the address of Router.
    <HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
    # Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure the static route to the RADIUS server.
    <AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
    # Configure the IP address of GE0/0/1 on Router and a static route to the network segment for STAs.
    <Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

  2. Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs and STAs respectively.

    # On the AC, configure the VLANIF 100 to assign IP addresses to APs.
    [AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
    # On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.
    imgDownload?uuid=e0f19c4c507f43009db7865 NOTE:
    Configure the DNS server as required. The common methods are as follows:
    • In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
    • In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.
    [SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

  3. Configure APs to go online.

    # Create an AP group to which the APs with the same configuration can be added.

    [AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

    # Create a regulatory domain profile, configure the AC country code in the profile, and bind the profile to the AP group.

    [AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continu
e?[Y/N]:y 
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

    # Configure the AC's source interface.

    [AC] capwap source interface vlanif 100
    # Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure names for the APs based on the AP locations, so that you can know where the APs are located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the AP area_1.
    imgDownload?uuid=e0f19c4c507f43009db7865 NOTE:

    The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.

    In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate on the 2.4 GHz and 5 GHz bands respectively.

    [AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y 
[AC-wlan-ap-0] quit

    # After the AP is powered on, run the display ap all command to check the AP state. If the State field displays nor, the AP has gone online.

    [AC-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
--------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type            State STA Uptime
--------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN        nor   0   10S
--------------------------------------------------------------------------------
Total: 1

  4. Configure the AP channel and power.

    imgDownload?uuid=e0f19c4c507f43009db7865 NOTE:

    The settings of the AP channel and power in this example are for reference only. You need to configure the AP channel and power based on the actual country code and network planning.

    # Disable the automatic channel and power calibration functions.

    Automatic channel and power calibration functions are enabled by default. The manual channel and power configurations take effect only when these two functions are disabled.
    [AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit
    # Configure the channel and power for radio 0.
    [AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
    # Configure the channel and power for radio 1.
    [AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

  5. Configure 802.1x authentication on the AC.
    1. Configure RADIUS authentication parameters.

      # Create a RADIUS server template.

      [AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

      # Create a RADIUS authentication scheme.

      [AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

    2. Configure an 802.1x access profile to manage 802.1x access control parameters.

      # Create the 802.1x access profile wlan-net.

      [AC] dot1x-access-profile name wlan-net

      # Configure EAP relay authentication.

      [AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

    3. Create the authentication profile wlan-net and bind it to the 802.1x access profile, authentication scheme, and RADIUS server template.

      [AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

    4. Configure WLAN service parameters.

      # Create the security profile wlan-net and set the security policy in the profile.

      [AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

      # Create the SSID profile wlan-net and set the SSID name to wlan-net.

      [AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

      # Create the VAP profile wlan-net, configure the direct data forwarding mode and service VLANs, and bind the security profile, authentication profile, and SSID profile to the VAP profile.

      [AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

      # Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of the AP.

      [AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

  6. Configure the Cisco ISE.
    1. # Log in to the Cisco ISE server.

      # Enter the access address of the Cisco ISE server in the address box, which is in the format of https://Cisco ISE IPCisco ISE IP is the IP address of the Cisco ISE server.

      # On the displayed page, enter the user name and password to log in to the Cisco ISE server.

    2. Create a department and an account.

      # Choose Administration > Identity Management > Groups > User Identity Groups. In the pane on the right side, click Add and create a department named R&D. Then, click Submit.


      imgDownload?uuid=2e9262d887f64f99a4ebdde

      # Choose Administration > Identity Management > Identities > Users. In the pane on the right side, click Add to create the account with the user name of huawei and password of huawei123. Add the account to department R&D. Then, click Submit.


      imgDownload?uuid=6def05ad7df14ff493c9353

    3. Add the AC so that the Cisco ISE can interwork with the AC.

      # Choose Administration > Network Resources > Network Device Profiles. In the pane on the left side, click Add and create a device profile named Huawei. Then, click Submit.


      imgDownload?uuid=087bd9e0e8774898ace9caf

      # Choose Administration > Network Resources > Network Devices. In the pane on the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32, and RADIUS shared key to huawei@123. Then, click Submit.


      imgDownload?uuid=986f0641c2f3425bb383efd

    4. Configure the authentication protocol.

      # Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols. Select Default Network Access and click Edit.


      imgDownload?uuid=8cfabb6069774a56ab631d7
      # Select Allow CHAPAllow MS-CHAPv2, and Allow PEAP. For other parameters, use the default settings. Click Save.
      imgDownload?uuid=e0f19c4c507f43009db7865 NOTE:

      By default, the Cisco ISE disables the CHAP authentication protocol. You need to select the CHAP authentication protocol on the server so that the CHAP protocol can be used to carry out the test-aaa test on the AC.


      imgDownload?uuid=886f0f0bf5aa40a4949756f

  7. On the AC, check whether users can pass RADIUS authentication.

    [AC] test-aaa huawei huawei123 radius-template wlan-net
Info: Account test succeed.

  8. Verify the configuration.

    • The WLAN with SSID wlan-net is available for STAs connected to the AP.
    • The wireless PC obtains an IP address after it associates with the WLAN.
    • Use the 802.1x authentication client on a STA and enter the correct user name and password. The STA is authenticated and can access the WLAN. You must configure the client for PEAP authentication.

      • Configuration on the Windows XP operating system:

        1. On the Association tab page of the Wireless network properties dialog box, add SSID wlan-net, set the authentication mode to WPA2, and encryption algorithm to AES.
        2. On the Authentication tab page, set EAP type to PEAP and click Properties. In the Protected EAP Properties dialog box, deselect Validate server certificate and click Configure. In the displayed dialog box, deselect Automatically use my Windows logon name and password and click OK.

      • Configuration on the Windows 7 operating system:

        1. Access the Manage wireless networks page, click Add, and select Manually create a network profile. Add SSID wlan-net. Set the authentication mode to WPA2-Enterprise, and encryption algorithm to AES. Click Next.
        2. Click Change connection settings. On the Wireless Network Properties page that is displayed, select the Security tab page and click Settings. In the Protected EAP Properties dialog box, deselect Validate server certificate and click Configure. In the displayed dialog box, deselect Automatically use my Windows logon name and password and click OK.
        3. Click OK. On the Wireless Network Properties page, click Advanced settings. On the Advanced settings page that is displayed, select Specify authentication mode, set the identity authentication mode to User authentication, and click OK.

    • After wireless users connect to the network, run the display access-user access-type dot1x command on the AC to view users in 802.1x authentication mode. The user huawei has gone online successfully.

      [AC] display access-user access-type dot1x 
------------------------------------------------------------------------------
UserID Username                IP address       MAC            Status          
------------------------------------------------------------------------------
460    huawei                  10.23.101.254    8000-6e74-e78a Success 
------------------------------------------------------------------------------
Total: 1, printed: 1

For details, see the WLAN Product Interoperation Configuration Guide.

                               Step 1      Log in to the enterprise technical support website at http://support.huawei.com/enterprise.

                               Step 2      Click WLAN.

          20180416192050120001.png

                               Step 3      Click the name of the product to be queried, for example, AC6605.

                               Step 4      Choose Configuration & Commissioning > Interoperation Configuration Guide to find the WLAN Product Interoperation Configuration Guide.

                           

WLAN Product Interoperation Configuration Guide

http://support.huawei.com/enterprise/en/doc/EDOC1000113779

This post was last edited by wlandoc at 2018-08-22 06:48.

Like (2) Dislike (0) Favorite(0) Share Report
Previous: Huawei Wireless Access Controllers V200R003C00 Web Platform Configuration Guide-Configuration Wizard
Next: Through VLan how I can search the services
(1) (0)
2#
Yencao
Created Dec 24, 2021 15:11:46

Thanks for sharing
View more
  • x
  • convention:
(0) (0)
3#
SamB
Moderator Created Feb 28, 2022 18:59:21

Useful post, thanks for sharing
View more
  • x
  • convention:
(0) (0)
4#
SamB
Moderator Created Mar 26, 2022 11:03:05

I have no permission to view this

WLAN Product Interoperation Configuration Guide

http://support.huawei.com/enterprise/en/doc/EDOC1000113779
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.