Interoperation Between Huawei Switches and Aruba ClearPass

Configuring 802.1X and MAC Address Authentication for Access Users on Aruba ClearPass

Overview

After successfully authenticating a user, a RADIUS server sends authorization information to the user's access device. Aruba ClearPass supports dynamic ACL-based and VLAN-based authorization.

  • ACL-based authorization is classified into static ACL-based and dynamic ACL-based authorization.

    NOTE: This section describes dynamic ACL-based authorization.

    • Static ACL-based authorization: If the RADIUS server is configured to deliver the ACL number, the authorization information it sends to the access device includes the ACL number. The access device matches ACL rules based on the delivered ACL number to control user rights.

      The RADIUS attribute used for ACL number delivery is (011) Filter-Id.

    • Dynamic ACL-based authorization: The RADIUS server delivers rules in an ACL to the access device so that users can access network resources controlled using this ACL. The ACL and ACL rules must be configured on the server, whereas the ACL does not need to be configured on the device.

      The RADIUS attribute used for dynamic ACL delivery is Huawei extended RADIUS attribute (26-82) HW-Data-Filter.

  • VLAN-based authorization is classified into static VLAN-based and dynamic VLAN-based authorization.

    • Static VLAN-based authorization: This authorization mode uses interface-based VLANs to control user access rights. After interfaces are added to specified VLANs, hosts in the same VLAN can communicate with each other directly, whereas hosts in different VLANs cannot.
    • Dynamic VLAN-based authorization: If the RADIUS server is configured to dynamically deliver VLANs, authorization information includes the delivered VLAN attribute. After the access device receives the delivered VLAN attribute, it changes the VLAN of the user to the delivered VLAN.

      The delivered VLAN does not change or affect the interface configuration. The priority of the delivered VLAN, however, is higher than that of the user-configured VLAN. The delivered VLAN takes effect after the authentication succeeds, whereas the user-configured VLAN takes effect after the user goes offline.

      The following three RADIUS attributes are used for dynamic VLAN delivery:
      • (064) Tunnel-Type (It must be set to VLAN or 13.)
      • (065) Tunnel-Medium-Type (It must be set to 802 or 6.)
      • (081) Tunnel-Private-Group-ID (It can be a VLAN ID or VLAN name.)

      The preceding three attributes must be used together to ensure that the RADIUS server delivers VLAN attributes correctly. In addition, the Tunnel-Type and Tunnel-Medium-Type attributes must be set to the specified values.
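As an added example (not code from the Huawei or Aruba documentation), the following Python encodes the authorization attributes named above as they travel in a RADIUS Access-Accept (RFC 2865 type/length/value, with the RFC 2868 tag octet on the tunnel attributes) and checks a received attribute list against the rule that Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID must be present together with Tunnel-Type = 13 and Tunnel-Medium-Type = 6. The attribute numbers and the Huawei vendor ID 2011 are taken from this page; the tag value, the sample VLAN ID and the placeholder text placed inside HW-Data-Filter are constructed assumptions, because the page does not specify the rule syntax carried in that attribute.

```python
"""Encode and validate the RADIUS authorization attributes described above.
Added example: a minimal RFC 2865/2868 attribute encoder and a check for the
dynamic VLAN delivery rule (all three tunnel attributes, with the fixed values).
"""
import struct

# Standard attribute numbers named on the page (RFC 2865 / RFC 2868).
FILTER_ID = 11                  # static ACL number delivery
VENDOR_SPECIFIC = 26
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13           # Tunnel-Type must be VLAN (13)
TUNNEL_MEDIUM_802 = 6           # Tunnel-Medium-Type must be 802 (6)
HUAWEI_VENDOR_ID = 2011         # Huawei vendor ID, stated on the page
HW_DATA_FILTER = 82             # Huawei VSA 26-82 HW-Data-Filter


def avp(attr_type, value):
    """One attribute as Type (1 octet), Length (1 octet, includes header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tunnel_int(attr_type, number, tag=1):
    """Tagged integer attribute: one tag octet followed by a 3-octet value."""
    return avp(attr_type, bytes([tag]) + number.to_bytes(3, "big"))


def tunnel_string(attr_type, text, tag=1):
    """Tagged string attribute: one tag octet followed by the string."""
    return avp(attr_type, bytes([tag]) + text.encode())


def huawei_vsa(vendor_type, value):
    """Vendor-Specific attribute (26) wrapping one Huawei sub-attribute.
    The payload format of HW-Data-Filter is not given on the page; callers
    pass whatever rule text the server is configured to deliver."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", HUAWEI_VENDOR_ID) + sub)


def static_acl_attr(acl_number):
    """Static ACL-based authorization: the ACL number carried in Filter-Id."""
    return avp(FILTER_ID, str(acl_number).encode())


def dynamic_vlan_attrs(vlan):
    """The three attributes the page lists for dynamic VLAN delivery."""
    return (tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + tunnel_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))


def parse_attrs(blob):
    """Decode a run of TLV attributes into a list of (type, value) pairs."""
    out, i = [], 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def vlan_authorization_ok(blob):
    """Apply the page's rule to a received attribute list.
    Returns (True, vlan) when all three tunnel attributes are present with
    Tunnel-Type == 13 and Tunnel-Medium-Type == 6, else (False, reason)."""
    attrs = dict(parse_attrs(blob))
    missing = [a for a in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
               if a not in attrs]
    if missing:
        return False, "missing attribute(s) %s" % missing
    ttype = int.from_bytes(attrs[TUNNEL_TYPE][1:], "big")      # skip tag octet
    medium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][1:], "big")
    if ttype != TUNNEL_TYPE_VLAN:
        return False, "Tunnel-Type is %d, must be 13 (VLAN)" % ttype
    if medium != TUNNEL_MEDIUM_802:
        return False, "Tunnel-Medium-Type is %d, must be 6 (802)" % medium
    return True, attrs[TUNNEL_PRIVATE_GROUP_ID][1:].decode()


if __name__ == "__main__":
    # Constructed sample: the lab VLAN (20) used in the networking requirements.
    print(vlan_authorization_ok(dynamic_vlan_attrs(20)))
    print(parse_attrs(static_acl_attr(3002)))
```

The validator reports which of the three attributes is absent or which fixed value is wrong, which is the check to run when a switch ignores a VLAN assignment that looks correct in the ClearPass enforcement profile.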

Networking Requirements

In Figure 2-54, a large number of employee terminals connect to the intranet through GE0/0/1 on SwitchA. To ensure network security, the administrator needs to control network access rights of the terminals. The requirements are as follows:

  • Before being authenticated, terminals can access the public server (with IP address 192.168.200.2), for example, users can download the 802.1X client or update the antivirus database.
  • After being authenticated, terminals can access the service server (with IP address 192.168.300.2) and devices in the lab (with VLAN ID 20 and IP address segment from 192.168.20.10 to 192.168.20.100).
  • Terminals that pass 802.1X authentication can access the service server through dynamic ACL-based authorization.
  • Terminals that pass MAC address authentication can access the devices in the lab through dynamic VLAN-based authorization.

Figure 2-54  Networking diagram for configuring Aruba ClearPass to authenticate access users

Configuration Logic

Figure 2-55  Configuration logic of Huawei switch

Figure 2-56  Configuration logic of Aruba ClearPass

Configuration Notes
  • In this example, ClearPass in version 6.5.0.71095 works as the RADIUS server. The access switches are S5700LI switches and are only used for Layer 2 access.
  • The RADIUS shared key configured on the switch and the server must be the same.
  • By default, the switch allows the packets sent to the RADIUS server to pass through. You do not need to configure an authentication-free rule for the packets on the switch.

Data Plan

Table 2-90  Service data plan for the access switch

RADIUS scheme
  • Authentication server IP address: 192.168.100.2
  • Authentication server port number: 1812
  • Accounting server IP address: 192.168.100.2
  • Accounting server port number: 1813
  • Shared key for the RADIUS server: Huawei@123
  • Accounting interval: 15 minutes
  • Authentication domain: huawei

Resources accessible to users before authentication
  Access rights to the public server are configured using an authentication-free rule. The name of the authentication-free rule profile is default_free_rule.

Resources accessible to users after authentication
  Access rights to the lab are granted using a dynamic VLAN whose ID is 20.
  Access rights to the service server are granted using a dynamic ACL whose number is 3002.

Table 2-91  Aruba ClearPass service data plan

Item                         Data
Department                   R&D department
Access user                  User name: huawei01; Password: Huawei123
Switch IP address            SwitchA: 192.168.30.1
RADIUS authentication key    Huawei@123
RADIUS accounting key        Huawei@123

Procedure

  1. Configure SwitchB.
    1. Create VLANs and configure interfaces to ensure transmission of the VLAN packets.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchB
      [SwitchB] vlan batch 10 30 100 200 300
      [SwitchB] interface gigabitethernet 1/0/1
      [SwitchB-GigabitEthernet1/0/1] port link-type access
      [SwitchB-GigabitEthernet1/0/1] port default vlan 100
      [SwitchB-GigabitEthernet1/0/1] quit
      [SwitchB] interface gigabitethernet 1/0/2
      [SwitchB-GigabitEthernet1/0/2] port link-type access
      [SwitchB-GigabitEthernet1/0/2] port default vlan 200
      [SwitchB-GigabitEthernet1/0/2] quit
      [SwitchB] interface gigabitethernet 1/0/3
      [SwitchB-GigabitEthernet1/0/3] port link-type access
      [SwitchB-GigabitEthernet1/0/3] port default vlan 300
      [SwitchB-GigabitEthernet1/0/3] quit
      [SwitchB] interface gigabitethernet 1/0/5
      [SwitchB-GigabitEthernet1/0/5] port link-type trunk
      [SwitchB-GigabitEthernet1/0/5] port trunk allow-pass vlan 10 30
      [SwitchB-GigabitEthernet1/0/5] quit
      [SwitchB] interface Vlanif 100
      [SwitchB-Vlanif100] ip address 192.168.100.1 24
      [SwitchB-Vlanif100] quit
      [SwitchB] interface Vlanif 200
      [SwitchB-Vlanif200] ip address 192.168.200.1 24
      [SwitchB-Vlanif200] quit
      [SwitchB] interface Vlanif 300
      [SwitchB-Vlanif300] ip address 192.168.300.1 24
      [SwitchB-Vlanif300] quit
      [SwitchB] interface Vlanif 10
      [SwitchB-Vlanif10] ip address 192.168.10.1 24
      [SwitchB-Vlanif10] quit

    2. Enable the DHCP function.

      [SwitchB] dhcp enable
      [SwitchB] interface Vlanif 10
      [SwitchB-Vlanif10] dhcp select interface
      [SwitchB-Vlanif10] quit

  2. Configure SwitchA.
    1. Save the configuration and switch NAC configuration mode to unified.

      <HUAWEI> save
      <HUAWEI> system-view
      [HUAWEI] authentication unified-mode

      NOTE: The default NAC configuration mode is unified. If you switch the mode from traditional to unified, you must enter y as prompted to restart the device.

    2. Create VLANs and configure interfaces to ensure transmission of the VLAN packets.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchA
      [SwitchA] vlan batch 10 20 30
      [SwitchA] interface gigabitethernet 0/0/1    //Configure the interface connected to the employee terminal.
      [SwitchA-GigabitEthernet0/0/1] port link-type hybrid
      [SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
      [SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2    //Configure the interface connected to the lab.
      [SwitchA-GigabitEthernet0/0/2] port link-type hybrid
      [SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 20
      [SwitchA-GigabitEthernet0/0/2] quit
      [SwitchA] interface gigabitethernet 0/0/3    //Configure the interface connected to SwitchB.
      [SwitchA-GigabitEthernet0/0/3] port link-type trunk
      [SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 30
      [SwitchA-GigabitEthernet0/0/3] quit
      [SwitchA] interface vlanif 30
      [SwitchA-Vlanif30] ip address 192.168.30.1 24    //Configure the IP address for communicating with the Aruba device.
      [SwitchA-Vlanif30] quit

    3. Create and configure a RADIUS server template, an AAA authentication scheme, an accounting scheme, and an authentication domain.

      # Create and configure the RADIUS server template rd1.
      [SwitchA] radius-server template rd1
      [SwitchA-radius-rd1] radius-server authentication 192.168.100.2 1812
      [SwitchA-radius-rd1] radius-server accounting 192.168.100.2 1813
      [SwitchA-radius-rd1] radius-server shared-key cipher Huawei@123
      [SwitchA-radius-rd1] quit
      # Create the AAA authentication scheme abc and set the authentication mode to RADIUS.
      [SwitchA] aaa
      [SwitchA-aaa] authentication-scheme abc
      [SwitchA-aaa-authen-abc] authentication-mode radius
      [SwitchA-aaa-authen-abc] quit
      # Configure the accounting scheme acco1 and set the accounting mode to RADIUS.
      [SwitchA-aaa] accounting-scheme acco1
      [SwitchA-aaa-accounting-acco1] accounting-mode radius
      [SwitchA-aaa-accounting-acco1] accounting realtime 15
      [SwitchA-aaa-accounting-acco1] quit
      # Create an authentication domain huawei, and bind the AAA authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.
      [SwitchA-aaa] domain huawei
      [SwitchA-aaa-domain-huawei] authentication-scheme abc
      [SwitchA-aaa-domain-huawei] accounting-scheme acco1
      [SwitchA-aaa-domain-huawei] radius-server rd1
      [SwitchA-aaa-domain-huawei] quit
      [SwitchA-aaa] quit

    4. Configure an authentication-free rule profile default_free_rule.

      [SwitchA] free-rule-template name default_free_rule
      [SwitchA-free-rule-default_free_rule] free-rule 10 destination ip 192.168.200.0 mask 24
      [SwitchA-free-rule-default_free_rule] quit

    5. Enable 802.1X and MAC address authentication.

      # Configure the 802.1X access profile d1.
      [SwitchA] dot1x-access-profile name d1
      [SwitchA-dot1x-access-profile-d1] quit
      # Configure the MAC access profile m1.
      [SwitchA] mac-access-profile name m1
      [SwitchA-mac-access-profile-m1] quit

      # Configure the authentication profile p1. Bind the 802.1X access profile d1, MAC access profile m1, and authentication-free rule profile default_free_rule to the authentication profile, and specify the huawei domain as the forcible authentication domain in the authentication profile.

      [SwitchA] authentication-profile name p1
      [SwitchA-authen-profile-p1] dot1x-access-profile d1
      [SwitchA-authen-profile-p1] mac-access-profile m1
      [SwitchA-authen-profile-p1] free-rule-template default_free_rule
      [SwitchA-authen-profile-p1] access-domain huawei force
      [SwitchA-authen-profile-p1] quit

      # Bind the authentication profile p1 to GE0/0/1, and enable 802.1X and MAC address authentication.

      [SwitchA] interface gigabitethernet 0/0/1
      [SwitchA-GigabitEthernet0/0/1] authentication-profile p1
      [SwitchA-GigabitEthernet0/0/1] quit

  3. Configure ClearPass.
    1. Configure RADIUS information.

      1. Log in to ClearPass. Then click ClearPass Policy Manager to access the main page of ClearPass Policy Manager.

      2. Choose Configuration > Authentication > Sources on the left, click Add in the upper-right corner, and add authentication sources. After the configuration is complete, click Save.

    2. Configure the access authentication device.

      1. Choose Configuration > Network > Devices on the left, click Add in the upper-right corner, and add network devices. After the configuration is complete, click Save.

    3. Configure 802.1X authentication information.

      1. Choose Configuration > Identity > Roles on the left, click Add in the upper-right corner, and add roles. After the configuration is complete, click Save.

      2. Choose Configuration > Identity > Role Mappings on the left, click Add in the upper-right corner, and add role mappings. After the configuration is complete, click Save.

      3. Choose Configuration > Identity > Local Users on the left, click Add in the upper-right corner, and add local users. After the configuration is complete, click Add.

      4. Choose Configuration > Enforcement > Profiles on the left, click Add in the upper-right corner, and add enforcement profiles. After the configuration is complete, click Save.

      5. Choose Configuration > Enforcement > Policies on the left, click Add in the upper-right corner, and add enforcement policies. After the configuration is complete, click Save.

      6. Choose Configuration > Services on the left, click Add in the upper-right corner, and add services. After the configuration is complete, click Save.

    4. Configure MAC address authentication information.

      1. Choose Configuration > Identity > Local Users on the left, click Add in the upper-right corner, and add local users. After the configuration is complete, click Add.

      2. Choose Configuration > Identity > Roles on the left, click Add in the upper-right corner, and add roles. After the configuration is complete, click Save.

      3. Choose Configuration > Identity > Role Mappings on the left, click Add in the upper-right corner, and add role mappings. After the configuration is complete, click Save.

      4. Choose Configuration > Enforcement > Profiles on the left, click Add in the upper-right corner, and add enforcement profiles. After the configuration is complete, click Save.

      5. Choose Configuration > Enforcement > Policies on the left, click Add in the upper-right corner, and add enforcement policies. After the configuration is complete, click Save.

      6. Choose Configuration > Services on the left, click Add in the upper-right corner, and add services. After the configuration is complete, click Save.

  4. Verify the configuration.

    After a client connects successfully to the network, verify that the client passes 802.1X or MAC address authentication and obtains appropriate network access rights.

Configuration Files

# Configuration file of SwitchA

#
sysname SwitchA
#
vlan batch 10 20 30
#
authentication-profile name p1
 dot1x-access-profile d1
 mac-access-profile m1
 free-rule-template default_free_rule
 access-domain huawei force
#
radius-server template rd1
 radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
 radius-server authentication 192.168.100.2 1812 weight 80
 radius-server accounting 192.168.100.2 1813 weight 80
#
free-rule-template name default_free_rule
 free-rule 10 destination ip 192.168.200.0 mask 255.255.255.0
#
aaa
 authentication-scheme abc
  authentication-mode radius
 accounting-scheme acco1
  accounting-mode radius
  accounting realtime 15
 domain huawei
  authentication-scheme abc
  accounting-scheme acco1
  radius-server rd1
#
interface Vlanif30
 ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
 authentication-profile p1
#
interface GigabitEthernet0/0/2
 port link-type hybrid
 port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 30
#
dot1x-access-profile name d1
#
mac-access-profile name m1
#
return

# Configuration file of SwitchB

#
sysname SwitchB
#
vlan batch 10 30 100 200 300
#
dhcp enable
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
#
interface Vlanif100
 ip address 192.168.100.1 255.255.255.0
#
interface Vlanif200
 ip address 192.168.200.1 255.255.255.0
#
interface Vlanif300
 ip address 192.168.300.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 100
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 200
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 300
#
interface GigabitEthernet1/0/5
 port link-type trunk
 port trunk allow-pass vlan 10 30
#
return

Cards or switches where the authentication control point can be deployed

Version                          Cards or Switches Where the Authentication Control Point Can Be Deployed
V200R010C00                      S5720HI fixed switch or X series cards of modular switches
V200R011C00                      All fixed switches
V200R011C10 or a later version   All switches or cards

Configuring Authentication for Access Users and Terminal Health Check on Aruba ClearPass

Overview

As enterprise networks develop, information security threats such as viruses, Trojan horses, spyware, and network attacks also increase. In traditional enterprise network designs, enterprise intranets are considered secure and the main threats are assumed to come from external networks. However, research shows that 80% of network security vulnerabilities occur on intranets. These vulnerabilities affect the network severely and may even cause system and network crashes. In addition, malicious software such as spyware and Trojan horses can be downloaded to computers without being noticed while intranet users are browsing websites. The software may then spread across the entire intranet, which severely threatens network security.

Aruba ClearPass provides the terminal health check function and can automatically repair or isolate terminals that do not meet an enterprise's requirements to ensure the enterprise intranet security.

Networking Requirements

An enterprise wants to perform health checks on terminals that access the intranet.

  • Users whose terminal health check result is healthy can access the service server.
  • Users whose terminal health check result is unhealthy can only access the public server.

Figure 2-57  Enterprise intranet topology

Configuration Logic

Figure 2-58  Configuration logic of Huawei switch 
imgDownload?uuid=783cfd63c718443db63253bFigure 2-59  Configuration logic of Aruba ClearPass 
imgDownload?uuid=1a9eb672c2854a01aab7122

Configuration Notes
  • Aruba ClearPass in version 6.5.0.71095 works as the RADIUS server in this configuration example. The access switches are S5700LI switches and are only used for Layer 2 access.
  • The RADIUS shared key configured on the switch and the server must be the same.
  • By default, the switch allows the packets sent to the RADIUS server to pass through. You do not need to configure an authentication-free rule for the packets on the switch.

Data Plan

Table 2-92  Basic data plan

Item             Data                          Description
SwitchC          VLAN 10                       VLAN that users belong to before authentication.
                 VLAN 20                       VLAN that users whose terminal health check result is unhealthy belong to.
                 VLAN 30                       VLAN that users whose terminal health check result is healthy belong to.
                 VLAN 40                       VLAN that SwitchC uses to connect to the servers.
DHCP server      VLANIF 10: 192.168.10.1/24
                 VLANIF 20: 192.168.20.1/24
                 VLANIF 30: 192.168.30.1/24
Public server    192.168.101.1/24              All users can access the public server.
Service server   192.168.102.1/24              Only users whose terminal health check result is healthy can access the service server.

Table 2-93  Authentication data plan

RADIUS server template
  • Name: dot1x
  • RADIUS shared key: Huawei@2017
  • Source IP address: 192.168.40.1/24
  • IP address of the RADIUS server: 192.168.100.1/24
  • Authentication port: 1812
  • Accounting port: 1813

AAA authentication scheme
  • Name: auth
  • Authentication mode: RADIUS

AAA accounting scheme
  • Name: acco
  • Accounting mode: RADIUS
  • Real-time accounting interval: 3 minutes

Authentication domain
  • Name: huawei.com
  • Referenced profiles: AAA authentication scheme auth, AAA accounting scheme acco, and RADIUS server template dot1x

802.1x access profile
  • Name: 802.1x-access
  • Authentication protocol: EAP

Authentication profile
  • Name: 802.1x-auth
  • Referenced profile: 802.1x access profile 802.1x-access

Procedure

  1. Configure the switches.
    1. Add interfaces to VLANs to ensure network connectivity.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchC
      [SwitchC] vlan batch 10 20 30 40
      [SwitchC] interface gigabitethernet 1/0/1
      [SwitchC-GigabitEthernet1/0/1] port link-type hybrid
      [SwitchC-GigabitEthernet1/0/1] undo port hybrid vlan 1
      [SwitchC-GigabitEthernet1/0/1] port hybrid pvid vlan 10
      [SwitchC-GigabitEthernet1/0/1] port hybrid untagged vlan 10
      [SwitchC-GigabitEthernet1/0/1] quit
      [SwitchC] interface gigabitethernet 1/0/2
      [SwitchC-GigabitEthernet1/0/2] port link-type hybrid
      [SwitchC-GigabitEthernet1/0/2] undo port hybrid vlan 1
      [SwitchC-GigabitEthernet1/0/2] port hybrid pvid vlan 10
      [SwitchC-GigabitEthernet1/0/2] port hybrid untagged vlan 10
      [SwitchC-GigabitEthernet1/0/2] quit
      [SwitchC] interface gigabitethernet 1/0/3
      [SwitchC-GigabitEthernet1/0/3] port link-type trunk
      [SwitchC-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
      [SwitchC-GigabitEthernet1/0/3] port trunk allow-pass vlan 40
      [SwitchC-GigabitEthernet1/0/3] quit

    2. Configure SwitchC as a DHCP server to allocate IP addresses to user terminals.

      [SwitchC] dhcp enable   //Enable DHCP globally.
      [SwitchC] interface Vlanif 10
      [SwitchC-Vlanif10] ip address 192.168.10.1 24
      [SwitchC-Vlanif10] dhcp select interface
      [SwitchC-Vlanif10] quit
      [SwitchC] interface Vlanif 20
      [SwitchC-Vlanif20] ip address 192.168.20.1 24
      [SwitchC-Vlanif20] dhcp select interface
      [SwitchC-Vlanif20] quit
      [SwitchC] interface Vlanif 30
      [SwitchC-Vlanif30] ip address 192.168.30.1 24
      [SwitchC-Vlanif30] dhcp select interface
      [SwitchC-Vlanif30] quit
      [SwitchC] interface Vlanif 40
      [SwitchC-Vlanif40] ip address 192.168.40.1 24
      [SwitchC-Vlanif40] quit

    3. Configure static routes to ensure that SwitchC can communicate with the servers. Assume that the next-hop address from SwitchC to the servers is 192.168.40.2.

      [SwitchC] ip route-static 192.168.100.0 24 192.168.40.2
      [SwitchC] ip route-static 192.168.101.0 24 192.168.40.2
      [SwitchC] ip route-static 192.168.102.0 24 192.168.40.2

    4. Configure a RADIUS server template.

      [SwitchC] radius-server template dot1x
      [SwitchC-radius-dot1x] radius-server authentication 192.168.100.1 1812 source ip-address 192.168.40.1   //Configure a RADIUS authentication server.
      [SwitchC-radius-dot1x] radius-server accounting 192.168.100.1 1813 source ip-address 192.168.40.1   //Configure a RADIUS accounting server.
      [SwitchC-radius-dot1x] radius-server shared-key cipher Huawei@2017   //Set the RADIUS shared key to Huawei@2017.
      [SwitchC-radius-dot1x] calling-station-id mac-format hyphen-split mode2 uppercase   //Set the format of the MAC address in the Calling-Station-Id attribute of RADIUS packets to XX-XX-XX-XX-XX-XX.
      [SwitchC-radius-dot1x] undo radius-server user-name domain-included   //Configure the switch not to modify the original user name in the packets sent to the RADIUS server.
      [SwitchC-radius-dot1x] quit
      [SwitchC] radius-server authorization attribute-decode-sameastemplate   //Configure the switch to parse the Calling-Station-Id attribute of RADIUS dynamic authorization packets based on the configuration in the RADIUS server template.

    5. Configure common ACLs.

      # Configure an ACL to allow users whose terminal health check result is unhealthy to access each other and the public server.
      [SwitchC] acl number 3001
      [SwitchC-acl-adv-3001] rule 5 permit ip destination 192.168.101.0 0.0.0.255
      [SwitchC-acl-adv-3001] rule 8 permit ip destination 192.168.20.0 0.0.0.255
      [SwitchC-acl-adv-3001] rule 10 deny ip
      [SwitchC-acl-adv-3001] quit
      # Configure an ACL to prohibit users whose terminal health check result is healthy and those whose terminal health check result is unhealthy from accessing each other.
      [SwitchC] acl number 3002
      [SwitchC-acl-adv-3002] rule 5 deny ip destination 192.168.20.0 0.0.0.255
      [SwitchC-acl-adv-3002] rule 10 permit ip
      [SwitchC-acl-adv-3002] quit

    6. Configure a redirection ACL.

      NOTE:

      A redirection ACL differs from a common ACL in the following aspects:

      • permit: indicates that the switch redirects packets instead of allowing packets matching the rule to pass through.
      • deny: indicates that the switch does not redirect packets and allows packets matching the rule to pass through.

      A redirection ACL takes precedence over a common ACL. If the RADIUS server assigns a redirection ACL and a common ACL to users simultaneously and you want to control the user rights through the common ACL, do not configure the last rule of the redirection ACL to rule rule-id deny ip. If you configure the last rule of the redirection ACL to rule rule-id deny ip, the assigned common ACL does not take effect.

      Do not configure source-ip in the redirection ACL rules; otherwise, data transmission may be interrupted and authentication cannot be performed for users.

      # Configure redirection ACL 3003. Rules 1 and 2 allow DNS packets to pass through. Rule 3 allows packets to ClearPass to pass through. The switch redirects other types of packets.
      [SwitchC] acl number 3003
      [SwitchC-acl-adv-3003] rule 1 deny udp destination-port eq dns
      [SwitchC-acl-adv-3003] rule 2 deny udp source-port eq dns
      [SwitchC-acl-adv-3003] rule 3 deny ip destination 192.168.100.1 0
      [SwitchC-acl-adv-3003] rule 4 permit ip
      [SwitchC-acl-adv-3003] quit

    7. Configure AAA schemes and an authentication domain.

      # Configure an AAA authentication scheme.
      [SwitchC] aaa
      [SwitchC-aaa] authentication-scheme auth
      [SwitchC-aaa-authen-auth] authentication-mode radius   //Set the authentication mode to RADIUS.
      [SwitchC-aaa-authen-auth] quit
      # Configure an AAA accounting scheme. You must set the accounting mode to RADIUS so that the RADIUS server can maintain the account status, such as login, log-off, and forced log-off.
      [SwitchC-aaa] accounting-scheme acco
      [SwitchC-aaa-accounting-acco] accounting-mode radius   //Set the accounting mode to RADIUS.
      [SwitchC-aaa-accounting-acco] accounting realtime 3   //Set the real-time accounting interval to 3 minutes.
      [SwitchC-aaa-accounting-acco] quit
      # Configure a user authentication domain.
      [SwitchC-aaa] domain huawei.com
      [SwitchC-aaa-domain-huawei.com] authentication-scheme auth
      [SwitchC-aaa-domain-huawei.com] accounting-scheme acco
      [SwitchC-aaa-domain-huawei.com] radius-server dot1x
      [SwitchC-aaa-domain-huawei.com] quit
      [SwitchC-aaa] quit
      [SwitchC] domain huawei.com   //Configure the authentication domain huawei.com as the global default authentication domain.

    8. Configure the Layer 2 transparent transmission function for 802.1X authentication packets. The following uses SwitchA as an example. The configuration of SwitchB is similar and is not provided here.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchA
      [SwitchA] l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002   //group-mac can be set to any MAC address except one of the reserved multicast MAC addresses (0180-C200-0000 to 0180-C200-002F) and other special MAC addresses.
      [SwitchA] interface gigabitethernet 0/0/1
      [SwitchA-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol dot1x enable
      [SwitchA-GigabitEthernet0/0/1] bpdu enable
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2
      [SwitchA-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol dot1x enable
      [SwitchA-GigabitEthernet0/0/2] bpdu enable
      [SwitchA-GigabitEthernet0/0/2] quit

    9. Configure 802.1X authentication.

      # Set the NAC mode to unified.

      NOTE: By default, the unified mode is used. After changing the NAC mode from common to unified, you must enter y as prompted to restart the switch immediately to make the configuration take effect.

      [SwitchC] authentication unified-mode
      # Configure an 802.1X access profile.

      NOTE: By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.

      [SwitchC] dot1x-access-profile name 802.1x-access
      [SwitchC-dot1x-access-profile-802.1x-access] quit
      # Configure an authentication profile.
      [SwitchC] authentication-profile name 802.1x-auth
      [SwitchC-authen-profile-802.1x-auth] dot1x-access-profile 802.1x-access
      [SwitchC-authen-profile-802.1x-auth] quit
      # Enable the switch to perform 802.1x authentication for users.
      [SwitchC] interface gigabitethernet 1/0/1
      [SwitchC-GigabitEthernet1/0/1] authentication-profile 802.1x-auth
      [SwitchC-GigabitEthernet1/0/1] quit
      [SwitchC] interface gigabitethernet 1/0/2
      [SwitchC-GigabitEthernet1/0/2] authentication-profile 802.1x-auth
      [SwitchC-GigabitEthernet1/0/2] quit
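The redirection ACL note in step 6 above (permit means redirect, deny means pass through, and a final deny ip rule leaves an assigned common ACL without effect) is easiest to see by running packets through a model of the evaluation order. The following Python is an added example, not Huawei code: it parses the ACL rules configured on this page, applies the redirection ACL first and then a common ACL, and exercises the misconfiguration the note warns about. Two behaviours are assumptions derived from the note rather than stated outright on the page: a packet matched by a deny rule of the redirection ACL is forwarded without the common ACL being consulted, and traffic that matches no rule anywhere is permitted. Only the rule keywords used on this page (source, destination, source-port eq, destination-port eq) are parsed; the sample packets are constructed.

```python
"""Model of redirection-ACL-before-common-ACL evaluation, built from the
ACL rules on this page.  Added example; assumptions are marked below.
"""
import ipaddress

PORT_NAMES = {"dns": 53}      # port keyword used in the page's rules


def wildcard_to_network(addr, wildcard):
    """Huawei wildcard mask (0 bits must match) -> ip_network.
    A bare '0' means an exact host match.  Assumes a contiguous wildcard."""
    wc = int(ipaddress.IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    prefix = 32 - bin(wc).count("1")
    return ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False)


def parse_rule(text):
    """Parse one advanced ACL rule line, e.g.
    'rule 5 permit ip destination 192.168.101.0 0.0.0.255'."""
    tok = text.split()
    if tok[0] != "rule":
        raise ValueError("not a rule line: %r" % text)
    rule = {"id": int(tok[1]), "action": tok[2], "proto": tok[3],
            "src": None, "dst": None, "sport": None, "dport": None}
    i = 4
    while i < len(tok):
        key = tok[i]
        if key in ("source", "destination"):
            rule["src" if key == "source" else "dst"] = \
                wildcard_to_network(tok[i + 1], tok[i + 2])
            i += 3
        elif key in ("source-port", "destination-port"):
            if tok[i + 1] != "eq":          # only 'eq' appears on the page
                raise ValueError("unsupported port operator in %r" % text)
            port = PORT_NAMES.get(tok[i + 2]) or int(tok[i + 2])
            rule["sport" if key == "source-port" else "dport"] = port
            i += 3
        else:
            raise ValueError("unsupported keyword %r in %r" % (key, text))
    return rule


def matches(rule, pkt):
    """pkt: dict with proto, src, dst and optional sport/dport."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["sport"] is not None and rule["sport"] != pkt.get("sport"):
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.get("dport"):
        return False
    return True


def first_match(acl, pkt):
    """Rules are evaluated in ascending rule-id order; first hit wins."""
    for rule in sorted(acl, key=lambda r: r["id"]):
        if matches(rule, pkt):
            return rule
    return None


def decide(pkt, redirect_acl, common_acl=None):
    """Return 'redirect', 'permit' or 'deny' for one packet.
    The redirection ACL is consulted first: permit -> redirect, deny -> the
    packet is forwarded and the common ACL is skipped (assumption drawn from
    the note about a final 'deny ip' rule).  Unmatched traffic is permitted
    (assumption)."""
    hit = first_match(redirect_acl, pkt)
    if hit is not None:
        return "redirect" if hit["action"] == "permit" else "permit"
    if common_acl:
        hit = first_match(common_acl, pkt)
        if hit is not None:
            return hit["action"]
    return "permit"


# The ACLs from this page.
ACL_3003 = [parse_rule(t) for t in (
    "rule 1 deny udp destination-port eq dns",
    "rule 2 deny udp source-port eq dns",
    "rule 3 deny ip destination 192.168.100.1 0",
    "rule 4 permit ip")]
ACL_3001 = [parse_rule(t) for t in (
    "rule 5 permit ip destination 192.168.101.0 0.0.0.255",
    "rule 8 permit ip destination 192.168.20.0 0.0.0.255",
    "rule 10 deny ip")]
ACL_3002 = [parse_rule(t) for t in (
    "rule 5 deny ip destination 192.168.20.0 0.0.0.255",
    "rule 10 permit ip")]
# Constructed misconfiguration the note warns about: last rule is 'deny ip'.
ACL_BAD_REDIRECT = [parse_rule(t) for t in (
    "rule 1 deny udp destination-port eq dns",
    "rule 10 deny ip")]

if __name__ == "__main__":
    to_service = {"proto": "tcp", "src": "192.168.20.5", "dst": "192.168.102.1", "dport": 80}
    print("3003 only:       ", decide(to_service, ACL_3003))
    print("3001 only:       ", decide(to_service, [], ACL_3001))
    print("bad redirect+3001", decide(to_service, ACL_BAD_REDIRECT, ACL_3001))
```

With ACL 3003 as written, only DNS and traffic to ClearPass reach the network unredirected; with the constructed variant ending in deny ip, a quarantined user's packet to the service server is forwarded even though the common ACL 3001 would have dropped it, which is the failure the note describes.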

  2. Configure ClearPass.
    1. Log in to ClearPass.

      1. Open Internet Explorer, enter the ClearPass access address in the address bar, and press Enter to open the ClearPass welcome page.

      2. Click ClearPass Policy Manager, and enter the user name and password of the ClearPass administrator to log in to the ClearPass Policy Manager.

    2. Add a local user.

      # Choose Configuration > Identity > Local Users. Click Add on the right to add the local user Paul and set the role to Employee. After completing the configuration, click Add.

    3. Import Huawei extended RADIUS attributes.

      # Choose Administration > Dictionaries > RADIUS. Click Import on the right to add Huawei extended RADIUS attributes. Obtain the RADIUS attribute profile from Aruba. It is not provided in this example. Huawei's Vendor ID is 2011. Table 2-94 lists Huawei extended RADIUS attributes required in this example.

      Table 2-94  Huawei extended RADIUS attributes required in this example

      Name              ID    Type    Profile
      HW-Portal-URL     156   String  in out
      HW-Redirect-ACL   173   String  in out

    4. Add an access authentication switch.

      # Choose Configuration > Network > Devices. Click Add on the right to add the access authentication switch SwitchC. The value of RADIUS Shared Secret must be the same as the RADIUS shared key configured on the switch. After completing the configuration, click Add.

      imgDownload?uuid=c5627dca0eb1486ca6cc4f3

    5. Configure a redirection URL page.

      1. Return to the ClearPass welcome page and click ClearPass Onboard.

      2. Choose Configuration > Pages > Web Logins. Click Create a new web login page on the right and configure the login page according to the following figures. After completing the configuration, click Save and Reload.

        imgDownload?uuid=24d0751640b0466ca105ada

        imgDownload?uuid=495beb68c48a4ec580245a5

        imgDownload?uuid=e90e8c6b7c26411cb305b17

      3. Choose Configuration > Pages > Web Logins. Choose onguard > Test on the right. The URL https://192.168.100.1/guest/onguard.php?_browser=1 of the displayed page is the redirection URL granted to users.

    6. Create a service rule.

      # Choose Configuration > Start Here. Click 802.1X Wired on the right to create a service rule, and configure the service rule according to the following figures. After completing the configuration, click Add Service.

      imgDownload?uuid=b5df5bc216434099b6cb3cc

      imgDownload?uuid=8ce710b3c1734d778ed2a76

      imgDownload?uuid=5e561f3d2a61471195b638d

      imgDownload?uuid=274a7f6974f04ad9bb65a6a

      imgDownload?uuid=67da81d372594a7abafe03f

    7. Configure the enforcement profiles (the profiles that ClearPass applies, or "forcibly executes", after authentication).

      1. Return to the ClearPass welcome page and click ClearPass Policy Manager.

      2. Choose Configuration > Enforcement > Profiles.

      3. Click Posture 802.1X Wired Initial Profile. Click the Attributes tab and configure the attributes according to the following figure. After completing the configuration, click Save.

        imgDownload?uuid=7d5bcd4713784e13899dade

      4. Click Posture 802.1X Wired Quarantined Profile. Click the Attributes tab and configure the attributes according to the following figure. After completing the configuration, click Save.

        imgDownload?uuid=8ab472d1d8d7432aaa34ca4

      5. Click Posture 802.1X Wired Profile1. Click the Attributes tab and configure the attributes according to the following figure. After completing the configuration, click Save.

        imgDownload?uuid=384a75c0f5b34985a95e2ea

      6. Click Posture 802.1X Wired Default Profile. Click the Attributes tab and configure the attributes according to the following figure. After completing the configuration, click Save.

        imgDownload?uuid=0ea98312c0914652bedc3e7

    8. Configure the enforcement policy.

      # Choose Configuration > Enforcement > Policies. Click Posture 802.1X Wired Enforcement Policy. Click the Rules tab and configure the rules according to the following figure. After completing the configuration, click Save.

      imgDownload?uuid=e26f6d96ae2b4a7eae7c978
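The Huawei attributes imported in step 3 travel inside the standard Vendor-Specific attribute (type 26) with Huawei's Vendor ID 2011, and the shared secret entered in step 4 is what the switch uses to validate every Access-Accept it receives. The following script is an added example, not code from the page or from Huawei or Aruba: it encodes Filter-Id, HW-Portal-URL (156) and HW-Redirect-ACL (173) exactly as they appear on the wire, computes the RFC 2865 Response Authenticator with a shared secret, and shows that a mismatched secret makes the switch-side check fail. The redirect URL is the one from step 5; the ACL number 3003, the identifier and the Request Authenticator are constructed values for illustration.

```python
import hashlib
import struct

# From the page: Huawei's vendor ID and the two imported VSA sub-types.
# Filter-Id is the standard attribute the Overview names for ACL-number delivery.
HUAWEI_VENDOR_ID = 2011
ATTR_FILTER_ID = 11
ATTR_VENDOR_SPECIFIC = 26
HW_PORTAL_URL = 156
HW_REDIRECT_ACL = 173
CODE_ACCESS_ACCEPT = 2


def attr(attr_type, value):
    """Encode one RFC 2865 attribute: Type (1) | Length (1, counts the header) | Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def huawei_vsa(sub_type, value):
    """Encode a Huawei Vendor-Specific attribute: type 26, Vendor-Id 2011, then the
    vendor sub-TLV (sub-type, sub-length, data) in the RFC 2865 section 5.26 layout."""
    sub_tlv = struct.pack("!BB", sub_type, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", HUAWEI_VENDOR_ID) + sub_tlv)


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Assemble an Access-Accept. The Response Authenticator is
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret),
    which is why the secret on ClearPass must equal the key on the switch."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def verify_access_accept(packet, request_authenticator, secret):
    """Recompute the Response Authenticator the way the switch (NAS) does.
    With a mismatched shared key this fails and the switch drops the reply."""
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return expected == received


def parse_attributes(body):
    """Decode the attribute list. Huawei VSAs come back as ("HW", sub_type, data),
    everything else as ("STD", type, data)."""
    decoded = []
    while body:
        attr_type, length = struct.unpack("!BB", body[:2])
        if length < 2 or length > len(body):
            raise ValueError("malformed attribute length")
        value, body = body[2:length], body[length:]
        if (attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == HUAWEI_VENDOR_ID):
            sub_type, sub_len = struct.unpack("!BB", value[4:6])
            decoded.append(("HW", sub_type, value[6:4 + sub_len]))
        else:
            decoded.append(("STD", attr_type, value))
    return decoded


if __name__ == "__main__":
    # Constructed sample: identifier, Request Authenticator and the ACL number are
    # illustrative; the page's screenshots do not show the delivered values.
    request_auth = bytes(range(16))
    accept = build_access_accept(
        7, request_auth, b"Huawei@2017",
        [attr(ATTR_FILTER_ID, b"3003"),
         huawei_vsa(HW_PORTAL_URL, b"https://192.168.100.1/guest/onguard.php?_browser=1"),
         huawei_vsa(HW_REDIRECT_ACL, b"3003")])
    print(verify_access_accept(accept, request_auth, b"Huawei@2017"))   # True
    print(verify_access_accept(accept, request_auth, b"Huawei@2018"))   # False
    for item in parse_attributes(accept[20:]):
        print(item)
```

When an authenticated user still lands in the wrong VLAN or gets no ACL, capture the Access-Accept on the switch side and decode it with parse_attributes: a vendor ID other than 2011 or a sub-type that is not in the imported dictionary means ClearPass is sending the attribute under a different vendor entry, and a Response Authenticator that does not verify means the shared secrets differ.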

Switch Configuration Files

# SwitchA configuration file

#
sysname SwitchA
#
l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
 l2protocol-tunnel user-defined-protocol dot1x enable
#
interface GigabitEthernet0/0/2
 l2protocol-tunnel user-defined-protocol dot1x enable
#
return

# SwitchB configuration file

#
sysname SwitchB
#
l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
 l2protocol-tunnel user-defined-protocol dot1x enable
#
interface GigabitEthernet0/0/2
 l2protocol-tunnel user-defined-protocol dot1x enable
#
return

# SwitchC configuration file

#
sysname SwitchC
#
vlan batch 10 20 30 40
#
authentication-profile name 802.1x-auth
 dot1x-access-profile 802.1x-access
#
domain huawei.com
#
radius-server authorization attribute-decode-sameastemplate
#
dhcp enable
#
radius-server template dot1x
 radius-server shared-key cipher %^%#=*UGC_lQC@3i<1;S-,|.^B:a"N$P-*0*W.!gnhnQ%^%#
 radius-server authentication 192.168.100.1 1812 source ip-address 192.168.40.1 weight 80
 radius-server accounting 192.168.100.1 1813 source ip-address 192.168.40.1 weight 80
 undo radius-server user-name domain-included
 calling-station-id mac-format hyphen-split mode2 uppercase
#
acl number 3001
 rule 5 permit ip destination 192.168.101.0 0.0.0.255
 rule 8 permit ip destination 192.168.20.0 0.0.0.255
 rule 10 deny ip
acl number 3002
 rule 5 deny ip destination 192.168.20.0 0.0.0.255
 rule 10 permit ip
acl number 3003
 rule 1 deny udp destination-port eq dns
 rule 2 deny udp source-port eq dns
 rule 3 deny ip destination 192.168.100.1 0
 rule 4 permit ip
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 3
 domain huawei.com
  authentication-scheme auth
  accounting-scheme acco
  radius-server dot1x
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 dhcp select interface
#
interface Vlanif30
 ip address 192.168.30.1 255.255.255.0
 dhcp select interface
#
interface Vlanif40
 ip address 192.168.40.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid pvid vlan 10
 undo port hybrid vlan 1
 port hybrid untagged vlan 10
 authentication-profile 802.1x-auth
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid pvid vlan 10
 undo port hybrid vlan 1
 port hybrid untagged vlan 10
 authentication-profile 802.1x-auth
#
interface GigabitEthernet1/0/3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 40
#
ip route-static 192.168.100.0 255.255.255.0 192.168.40.2
ip route-static 192.168.101.0 255.255.255.0 192.168.40.2
ip route-static 192.168.102.0 255.255.255.0 192.168.40.2
#
dot1x-access-profile name 802.1x-access
#
return

Cards or Switches Where the Authentication Control Point Can Be Deployed

Version                           Cards or Switches Where the Authentication Control Point Can Be Deployed
V200R010C00                       S5720HI fixed switch or X series cards of modular switches
V200R011C00                       All fixed switches
V200R011C10 or a later version    All switches or cards

Configuring Authentication for Access Users on Aruba ClearPass (Single-Gateway Free Mobility Scenario)

This section includes the following content:

Overview

On an enterprise network, different network access policies can be deployed for users on access devices to meet different network access requirements. Mobile office and BYOD bring frequent changes of users' physical locations and IP addresses, so the traditional control model based on physical ports and IP addresses cannot provide a consistent network access experience. The requirement is that a user's network access policy does not change when the user's physical location or IP address changes.

The free mobility solution allows a user to obtain the same network access policy regardless of the user's location and IP address changes on an agile network. The free mobility solution is used together with switches and the Agile Controller-Campus. Administrators only need to centrally deploy network access policies on the Agile Controller-Campus, and then deliver these policies to all associated switches. Users will obtain the same network access policies regardless of their physical locations and IP addresses.

Aruba ClearPass can be used as a RADIUS server to authenticate access users, ensuring security of the enterprise intranet.

Networking Requirements

An enterprise has the following requirements to ensure its intranet security:

  • Users can access the network only after passing 802.1X authentication.
  • The gateway functions as a DHCP server to allocate IP addresses to terminals.
  • Both PC1 and PC2 can access the customer problem handling system after being authenticated.
  • PC1 and PC2 cannot communicate with each other even after being authenticated.
  • The Agile Controller-Campus and ClearPass control the security groups and network access policies of PCs, improving O&M efficiency.

Figure 2-60  Enterprise intranet topology 
imgDownload?uuid=3af251a86bf746b888122c2

Requirement Analysis
  • The Agile Controller-Campus creates security groups to which PCs belong, defines the network access policies of each security group, and delivers these policies to SwitchA.
  • ClearPass performs 802.1X authentication on access users and adds authenticated users to corresponding security groups.

Configuration Logic

Figure 2-61  Configuration logic of Huawei switch
imgDownload?uuid=f702b849dc0e4d859f17c7b

Figure 2-62  Configuration logic of Huawei Agile Controller-Campus
imgDownload?uuid=8d413e3acef54b4a979f007

Table 2-95  Configuration logic of Aruba ClearPass

Item                                  Description
Adding roles and users                -
Adding a switch                       Set parameters for the switch connected to ClearPass.
Adding enforcement profiles           Deliver specified attributes to authenticated users. In this example, a user's security group is delivered in the standard RADIUS attribute Filter-Id. (This document also calls these profiles "configuration files to be forcibly executed".)
Adding enforcement policies           Bind the created profiles to the specified roles, that is, deliver specified attributes to users with specified roles.
Adding service rules                  If a user matches certain conditions (such as authentication mode, authentication protocol, and user role), the created policies are enforced.

Configuration Notes
  • In this example, ClearPass running 6.5.0.71095 is used as the RADIUS server, and the Agile Controller-Campus runs V100R002C10. The access switches are S5720SI switches and are only used for Layer 2 access.
  • In this example, all users have the same gateway.
  • Free mobility is supported only on switches that have NAC configured in unified mode.
  • The RADIUS shared keys configured on the switch and the server must be the same.
  • By default, the switch allows the packets sent to the RADIUS server to pass through. You do not need to configure an authentication-free rule for the packets on the switch.
  • When the controller delivers a UCL group name that is not supported by the switch, for example, this group name contains Chinese characters or special characters, the switch cannot parse the group name. A UCL group name that can be supported by the switch must be consistent with the value of group-name in the ucl-group group-index [ name group-name ] command, cannot be -, --, a, an, or any, and cannot contain any of the following characters: / \ : * ? " < > | @ ' %. Therefore, when configuring a UCL group name on the controller, do not use Chinese characters or special characters.

  • If the switch has been associated with an Agile Controller-Campus and has free mobility configured, perform the following steps to delete historical data and reconfigure the core switch.

    1. Run the undo group-policy controller command in the system view to disable free mobility and disconnect the switch from the Agile Controller-Campus.
    2. Run the undo acl all command to delete the access control policy.
    3. Run the undo ucl-group ip all command to delete IP addresses bound to security groups.
    4. Run the undo ucl-group all command to delete security groups.
    5. Return to the user view and run the save command. The system automatically deletes the configured version number.

Data Plan

Table 2-96  Basic data plan of SwitchA

Item                 VLAN    IP Address
GE1/0/1, GE1/0/3     30      192.168.30.1/24
GE1/0/2              50      192.168.254.55/24

Table 2-97  Authentication data plan

Item

Data

RADIUS server template

  • Name: dot1x
  • RADIUS shared key: Huawei@2017
  • Source IP address: 192.168.254.55/24
  • IP address of the RADIUS server: 192.168.254.252/24
  • Authentication port: 1812
  • Accounting port: 1813

AAA authentication scheme

  • Name: auth
  • Authentication mode: RADIUS

AAA accounting scheme

  • Name: acco
  • Accounting mode: RADIUS
  • Real-time accounting interval: 15 minutes

Authentication domain

  • Name: huawei.com
  • Referenced profiles: AAA authentication scheme auth, AAA accounting scheme acco, and RADIUS server template dot1x

802.1X access profile

  • Name: 802.1x-access
  • Authentication protocol: EAP

Authentication profile

  • Name: 802.1x-auth
  • Referenced profile: 802.1X access profile 802.1x-access

Table 2-98  Free mobility data plan

Item                                         Data
IP address of SwitchA                        192.168.254.55/24
IP address of the Agile Controller-Campus    192.168.254.253/24
Interoperation password                      Admin@2017
Security group                               • pc_group1: security group to which PC1 belongs
                                             • pc_group2: security group to which PC2 belongs
                                             • Problem: security group to which the customer problem handling system belongs

Procedure

  1. Configure switches.
    1. Add interfaces to VLANs to ensure network connectivity.

      # Configure SwitchA.
      <HUAWEI> system-view
      [HUAWEI] sysname SwitchA
      [SwitchA] vlan batch 30 50
      [SwitchA] interface gigabitethernet 1/0/1
      [SwitchA-GigabitEthernet1/0/1] port link-type access
      [SwitchA-GigabitEthernet1/0/1] port default vlan 30
      [SwitchA-GigabitEthernet1/0/1] quit
      [SwitchA] interface gigabitethernet 1/0/2
      [SwitchA-GigabitEthernet1/0/2] port link-type access
      [SwitchA-GigabitEthernet1/0/2] port default vlan 50
      [SwitchA-GigabitEthernet1/0/2] stp disable
      [SwitchA-GigabitEthernet1/0/2] quit
      [SwitchA] interface gigabitethernet 1/0/3
      [SwitchA-GigabitEthernet1/0/3] port link-type access
      [SwitchA-GigabitEthernet1/0/3] port default vlan 30
      [SwitchA-GigabitEthernet1/0/3] stp disable
      [SwitchA-GigabitEthernet1/0/3] quit
      # Configure SwitchB.
      <HUAWEI> system-view
      [HUAWEI] sysname SwitchB
      [SwitchB] vlan batch 30
      [SwitchB] interface gigabitethernet 0/0/1
      [SwitchB-GigabitEthernet0/0/1] port link-type access
      [SwitchB-GigabitEthernet0/0/1] port default vlan 30
      [SwitchB-GigabitEthernet0/0/1] port-isolate enable group 1   //Configure port isolation between PC1 and PC2.
      [SwitchB-GigabitEthernet0/0/1] stp disable
      [SwitchB-GigabitEthernet0/0/1] quit
      [SwitchB] interface gigabitethernet 0/0/2
      [SwitchB-GigabitEthernet0/0/2] port link-type access
      [SwitchB-GigabitEthernet0/0/2] port default vlan 30
      [SwitchB-GigabitEthernet0/0/2] port-isolate enable group 1
      [SwitchB-GigabitEthernet0/0/2] stp disable
      [SwitchB-GigabitEthernet0/0/2] quit
      [SwitchB] interface gigabitethernet 0/0/3
      [SwitchB-GigabitEthernet0/0/3] port link-type access
      [SwitchB-GigabitEthernet0/0/3] port default vlan 30
      [SwitchB-GigabitEthernet0/0/3] quit

    2. Configure SwitchA as a DHCP server to allocate IP addresses to user terminals.

      [SwitchA] dhcp enable   //Enable DHCP globally.
      [SwitchA] interface Vlanif 30
      [SwitchA-Vlanif30] ip address 192.168.30.1 24
      [SwitchA-Vlanif30] dhcp select interface
      [SwitchA-Vlanif30] arp-proxy inner-sub-vlan-proxy enable
      [SwitchA-Vlanif30] quit
      [SwitchA] interface Vlanif 50
      [SwitchA-Vlanif50] ip address 192.168.254.55 24
      [SwitchA-Vlanif50] quit

    3. Configure the Layer 2 transparent transmission function for 802.1X authentication packets.

      [SwitchB] l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002   //group-mac can be set to any MAC address except one of the reserved multicast MAC addresses (0180-C200-0000 to 0180-C200-002F) and other special MAC addresses.
      [SwitchB] interface gigabitethernet 0/0/1
      [SwitchB-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol dot1x enable
      [SwitchB-GigabitEthernet0/0/1] bpdu enable
      [SwitchB-GigabitEthernet0/0/1] quit
      [SwitchB] interface gigabitethernet 0/0/2
      [SwitchB-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol dot1x enable
      [SwitchB-GigabitEthernet0/0/2] bpdu enable
      [SwitchB-GigabitEthernet0/0/2] quit
      [SwitchB] interface gigabitethernet 0/0/3
      [SwitchB-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol dot1x enable
      [SwitchB-GigabitEthernet0/0/3] bpdu enable
      [SwitchB-GigabitEthernet0/0/3] quit

    4. Configure free mobility.

      [SwitchA] group-policy controller 192.168.254.253 password Admin@2017 src-ip 192.168.254.55

    5. Configure a RADIUS server template.

      [SwitchA] radius-server template dot1x
      [SwitchA-radius-dot1x] radius-server authentication 192.168.254.252 1812 source ip-address 192.168.254.55   //Configure a RADIUS authentication server.
      [SwitchA-radius-dot1x] radius-server accounting 192.168.254.252 1813 source ip-address 192.168.254.55   //Configure a RADIUS accounting server.
      [SwitchA-radius-dot1x] radius-server shared-key cipher Huawei@2017   //Set the RADIUS shared key to Huawei@2017.
      [SwitchA-radius-dot1x] quit

    6. Configure AAA schemes and an authentication domain.

      # Configure an AAA authentication scheme.
      [SwitchA] aaa
      [SwitchA-aaa] authentication-scheme auth
      [SwitchA-aaa-authen-auth] authentication-mode radius   //Set the authentication mode to RADIUS.
      [SwitchA-aaa-authen-auth] quit
      # Configure an AAA accounting scheme. You must set the accounting mode to RADIUS so that the RADIUS server can maintain the account status, such as login, log-off, and forced log-off.
      [SwitchA-aaa] accounting-scheme acco
      [SwitchA-aaa-accounting-acco] accounting-mode radius   //Set the accounting mode to RADIUS.
      [SwitchA-aaa-accounting-acco] accounting realtime 15   //Set the real-time accounting interval to 15 minutes.
      [SwitchA-aaa-accounting-acco] quit
      # Configure a user authentication domain.
      [SwitchA-aaa] domain huawei.com
      [SwitchA-aaa-domain-huawei.com] authentication-scheme auth
      [SwitchA-aaa-domain-huawei.com] accounting-scheme acco
      [SwitchA-aaa-domain-huawei.com] radius-server dot1x
      [SwitchA-aaa-domain-huawei.com] quit
      [SwitchA-aaa] quit
      [SwitchA] domain huawei.com   //Configure the authentication domain huawei.com as the global default authentication domain.

    7. Configure 802.1X authentication.

      # Set the NAC mode to unified.
      NOTE:
      By default, the unified mode is used. After changing the NAC mode from common to unified, you must enter y as prompted to restart the switch immediately for the configuration to take effect.

      [SwitchA] authentication unified-mode
      # Configure an 802.1X access profile.
      NOTE:
      By default, an 802.1X access profile uses the EAP authentication mode. This scenario does not support the CHAP or EAP-MD5 authentication mode.

      [SwitchA] dot1x-access-profile name 802.1x-access
      [SwitchA-dot1x-access-profile-802.1x-access] quit
      # Configure an authentication profile.
      [SwitchA] authentication-profile name 802.1x-auth
      [SwitchA-authen-profile-802.1x-auth] dot1x-access-profile 802.1x-access
      [SwitchA-authen-profile-802.1x-auth] quit
      # Enable the switch to perform 802.1X authentication for users.
      [SwitchA] interface gigabitethernet 1/0/1
      [SwitchA-GigabitEthernet1/0/1] authentication-profile 802.1x-auth
      [SwitchA-GigabitEthernet1/0/1] quit
      [SwitchA] interface gigabitethernet 1/0/2
      [SwitchA-GigabitEthernet1/0/2] authentication-profile 802.1x-auth
      [SwitchA-GigabitEthernet1/0/2] quit
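Step 3 above relies on SwitchB rewriting the destination MAC of EAPOL frames: a standards-conforming bridge never forwards frames sent to 0180-C200-0003 (the 802.1X PAE group address, inside the reserved 0180-C200-0000 to 0180-C200-002F block), so SwitchB swaps it for the configured group-mac on ingress, carries the frame across VLAN 30 as ordinary multicast, and restores it on egress. The following script is an added example, not code from the page or from Huawei: it builds an EAPOL-Start frame, performs the two rewrites, and checks a candidate group-mac against the constraints the page states. The page's phrase "other special MAC addresses" is not enumerated there, so the check below only rejects the broadcast address beyond the reserved range; treating that as the full list is an assumption. The supplicant MAC is constructed.

```python
import struct

# Values from the page: the 802.1X PAE group address, the replacement group-mac used
# in the example, and the bridge-reserved range a standard bridge never forwards.
EAPOL_PAE_MAC = "0180-c200-0003"
PAGE_GROUP_MAC = "0100-0000-0002"
RESERVED_LOW, RESERVED_HIGH = 0x0180C2000000, 0x0180C200002F
ETHERTYPE_EAPOL = 0x888E
BROADCAST = 0xFFFFFFFFFFFF


def mac_to_int(mac):
    """Accept Huawei (xxxx-xxxx-xxxx) or colon notation."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError("bad MAC address: " + mac)
    return int(digits, 16)


def mac_to_huawei(value):
    """Render a 48-bit integer in Huawei's xxxx-xxxx-xxxx form (lowercase)."""
    hexstr = "%012x" % value
    return "-".join(hexstr[i:i + 4] for i in range(0, 12, 4))


def check_group_mac(mac):
    """Return (ok, reason) for a candidate group-mac, per the constraints on the page.
    Only broadcast is treated as an 'other special' address here (assumption)."""
    value = mac_to_int(mac)
    if not (value >> 40) & 0x01:
        return False, "I/G bit clear: not a multicast address"
    if RESERVED_LOW <= value <= RESERVED_HIGH:
        return False, "inside 0180-C200-0000..002F: a standard bridge consumes the frame"
    if value == BROADCAST:
        return False, "broadcast address"
    return True, "ok"


def build_eapol_start(src_mac):
    """EAPOL-Start as a supplicant sends it: 802.1X-2004 version 2, type 1, empty body."""
    return (mac_to_int(EAPOL_PAE_MAC).to_bytes(6, "big")
            + mac_to_int(src_mac).to_bytes(6, "big")
            + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, 1, 0))


def tunnel_ingress(frame, group_mac=PAGE_GROUP_MAC):
    """On an interface with the tunnel enabled: if the destination is the protocol-mac,
    rewrite it to the group-mac so transit switches flood it as normal multicast."""
    if frame[:6] == mac_to_int(EAPOL_PAE_MAC).to_bytes(6, "big"):
        return mac_to_int(group_mac).to_bytes(6, "big") + frame[6:]
    return frame


def tunnel_egress(frame, group_mac=PAGE_GROUP_MAC):
    """Reverse rewrite at the far end so the authenticator sees a normal EAPOL frame."""
    if frame[:6] == mac_to_int(group_mac).to_bytes(6, "big"):
        return mac_to_int(EAPOL_PAE_MAC).to_bytes(6, "big") + frame[6:]
    return frame


def describe(frame):
    """(dst, src, ethertype, eapol_type) for quick inspection of a frame."""
    dst = mac_to_huawei(int.from_bytes(frame[:6], "big"))
    src = mac_to_huawei(int.from_bytes(frame[6:12], "big"))
    ethertype, _version, ptype, _length = struct.unpack("!HBBH", frame[12:18])
    return dst, src, ethertype, ptype


if __name__ == "__main__":
    for candidate in (PAGE_GROUP_MAC, EAPOL_PAE_MAC, "0000-0000-0001"):
        print(candidate, check_group_mac(candidate))
    start = build_eapol_start("0011-2233-4455")      # constructed supplicant MAC
    in_transit = tunnel_ingress(start)
    print(describe(start), "->", describe(in_transit), "->", describe(tunnel_egress(in_transit)))
```

If authentication never starts for hosts behind SwitchB, compare the destination MAC of EAPOL frames on the SwitchA side with what describe() reports after tunnel_egress: a frame still carrying the group-mac means the tunnel is enabled on the ingress port but not on the egress port (or the two switches use different group-mac values), and a frame carrying 0180-c200-0003 that never arrives means it was consumed by a transit bridge.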

  2. Configure the Agile Controller-Campus.
    1. Log in to the Agile Controller-Campus. Open Internet Explorer, enter the Agile Controller-Campus access address in the address bar, and press Enter. On the login page, enter the user name and password to log in.
    2. Add a switch.

      1. Choose Resource > Device > Device Management. Click Add on the right, set parameters for SwitchA according to Table 2-98 and the following figure. After completing the configuration, click OK.

        imgDownload?uuid=abb7d1fd4af34a598a59345

      2. Select SwitchA and click Synchronize.

        imgDownload?uuid=c167db9ffe7b4fe0894de59

      3. The Status of SwitchA becomes imgDownload?uuid=cd618f84f1d64c0d9cb71c9, indicating a normal communication status. Alternatively, you can run the display group-policy status command on SwitchA to view its communication status. When State is displayed as working, communication between SwitchA and the Agile Controller-Campus is normal.

        [SwitchA] display group-policy status
          Controller IP address: 192.168.254.253
          Controller port: 5222
          Backup controller IP address: -
          Backup controller port: -
          Source IP address: 192.168.254.55
          State: working
          Connected controller: master
          Device protocol version: 2
          Controller protocol version: 2
      4. Choose Device Group > Free Mobility > Custom. Click imgDownload?uuid=cb0e80fc80044d95beee7e9 next to Device Group, create the device group UCL, and click OK.

        imgDownload?uuid=c6b3a5e7a0c34e779fe7ed7

        imgDownload?uuid=da1c77f6a59640b683fc76c

      5. Select the UCL group, and click Join on the right to add SwitchA to this group.

    3. Configure security groups.

      1. Configure dynamic security groups. Choose Policy > Permission Control > Security Group > Dynamic Security Group Management. Click Add on the right, add the dynamic security group pc_group1, and click OK. The following uses pc_group1 as an example. The configuration of pc_group2 is similar and is not provided here.

        imgDownload?uuid=42fea58e1cfc4591b68c297

      2. Deploy the security groups. Select pc_group1 and pc_group2, and click Global Deployment to deploy these security groups to SwitchA. Run the display ucl-group all command on SwitchA to verify that security groups are deployed successfully.
        [SwitchA] display ucl-group all
        ID       UCL group name
        --------------------------------------------------------------------------------
        31       pc_group1
        32       pc_group2
        --------------------------------------------------------------------------------
        Total : 2
      3. Configure a static security group. Choose Static Security Group Management on the left. Click Add on the right, add the static security group Problem, bind the IP address of the customer problem handling system, and click OK.

        imgDownload?uuid=b584ecfcb79b491dbe5b828

    4. Configure access control policies.

      1. Choose Policy > Free Mobility > Policy Configuration > Permission Control. Select the UCL group under Common Policy, click Add on the right, and configure policies for controlling access between security groups. In this example, PC1 and PC2 can access the customer problem handling system, but cannot communicate with each other.

      2. Disable PC1 from communicating with PC2, and allow PC1 to access the customer problem handling system.

        imgDownload?uuid=007f4e7f41234a00aa6d313

        imgDownload?uuid=ca6b8f6a8c2c4ce49b675ab

        imgDownload?uuid=eded5fb405dc4edcac0fe43

      3. Disable PC2 from communicating with PC1, and allow PC2 to access the customer problem handling system.

        imgDownload?uuid=b7d5d06206724ab6a72e32a

        imgDownload?uuid=bee2e28d5ae649a88558cfa

        imgDownload?uuid=fc44d0999b8940ddbfdda04

      4. Select the access control policies, and click Global Configuration to deliver the policies to SwitchA. Run the display acl all command on SwitchA to verify that the access control policies are deployed successfully.

        imgDownload?uuid=3ac1e6792309420dbbacc9d

        [SwitchA] display acl all
         Total nonempty ACL number is 2

        Ucl-group ACL Auto_PGM_U31 9998, 2 rules
        Acl's step is 5
         rule 1 deny ip source ucl-group 31 destination ucl-group 32
         rule 2 permit ip source ucl-group 31 destination 192.168.30.2 0

        Ucl-group ACL Auto_PGM_U32 9999, 2 rules
        Acl's step is 5
         rule 1 deny ip source ucl-group 32 destination ucl-group 31
         rule 2 permit ip source ucl-group 32 destination 192.168.30.2 0
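Whether the delivered policy actually isolates PC1 from PC2 depends on rule order and on what happens to traffic no rule matches: the UCL-group ACLs above have no catch-all rule, whereas SwitchC's ACLs 3001 to 3003 in the previous example's configuration file each end in an explicit "permit ip" or "deny ip". The following script is an added example, not code from the page or from Huawei: it parses rules in the syntax shown on the page (ucl-group and wildcard-mask addresses, "eq dns" ports), evaluates packets in ascending rule-number order (the default "config" match order, which is an assumption about the switch setting), and reports which rule decided. The IP-to-group binding and the packet addresses are constructed; the page's display output only shows the group IDs and the customer problem handling system at 192.168.30.2. The default action for unmatched traffic is a parameter because the page does not state it.

```python
import ipaddress

# Port keywords Huawei accepts after "eq" (dns is the one the page's ACL 3003 uses).
PORT_NAMES = {"dns": 53, "http": 80, "https": 443, "bootps": 67, "bootpc": 68}


def parse_wildcard(addr, wildcard):
    """Huawei wildcard masks: 1 bits are 'don't care'; a bare '0' means exact host."""
    base = int(ipaddress.IPv4Address(addr))
    wild = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    return base & ~wild & 0xFFFFFFFF, wild


class Rule:
    """One rule line, e.g. 'rule 2 permit ip source ucl-group 31 destination 192.168.30.2 0'."""

    def __init__(self, line):
        tokens = line.split()
        if tokens[0] != "rule":
            raise ValueError("not a rule: " + line)
        self.number = int(tokens[1])
        self.action = tokens[2]            # permit | deny
        self.proto = tokens[3]             # ip | tcp | udp
        self.src = self.dst = None         # None (any) | ("ucl", id) | ("net", base, wild)
        self.sport = self.dport = None
        i = 4
        while i < len(tokens):
            key = tokens[i]
            if key in ("source", "destination"):
                if tokens[i + 1] == "any":
                    spec, i = None, i + 2
                elif tokens[i + 1] == "ucl-group":
                    spec, i = ("ucl", int(tokens[i + 2])), i + 3
                else:
                    spec, i = ("net",) + parse_wildcard(tokens[i + 1], tokens[i + 2]), i + 3
                setattr(self, "src" if key == "source" else "dst", spec)
            elif key in ("source-port", "destination-port") and tokens[i + 1] == "eq":
                port = PORT_NAMES.get(tokens[i + 2]) or int(tokens[i + 2])
                setattr(self, "sport" if key == "source-port" else "dport", port)
                i += 3
            else:
                raise ValueError("unsupported keyword %r in: %s" % (key, line))

    @staticmethod
    def _addr_matches(spec, ip, ucl_of):
        if spec is None:
            return True
        if spec[0] == "ucl":
            return ucl_of.get(ip) == spec[1]
        _, base, wild = spec
        return (int(ipaddress.IPv4Address(ip)) & ~wild & 0xFFFFFFFF) == base

    def matches(self, pkt, ucl_of):
        if self.proto != "ip" and pkt.get("proto") != self.proto:
            return False
        if not self._addr_matches(self.src, pkt["src"], ucl_of):
            return False
        if not self._addr_matches(self.dst, pkt["dst"], ucl_of):
            return False
        if self.sport is not None and pkt.get("sport") != self.sport:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


class Acl:
    """Rules are tried in ascending rule number; the first hit decides.
    default_action applies when nothing matches (not stated on the page, hence a parameter)."""

    def __init__(self, text, default_action="permit"):
        lines = [l.strip() for l in text.strip().splitlines()]
        self.rules = sorted((Rule(l) for l in lines if l.startswith("rule")),
                            key=lambda r: r.number)
        self.default_action = default_action

    def evaluate(self, pkt, ucl_of=None):
        """Return (action, rule number) or (default_action, None)."""
        for rule in self.rules:
            if rule.matches(pkt, ucl_of or {}):
                return rule.action, rule.number
        return self.default_action, None


# Rule text copied from the page: SwitchC's ACL 3003 (previous example) and the
# free-mobility ACL the Agile Controller-Campus pushed to SwitchA for ucl-group 31.
ACL_3003 = """
rule 1 deny udp destination-port eq dns
rule 2 deny udp source-port eq dns
rule 3 deny ip destination 192.168.100.1 0
rule 4 permit ip
"""
ACL_U31 = """
rule 1 deny ip source ucl-group 31 destination ucl-group 32
rule 2 permit ip source ucl-group 31 destination 192.168.30.2 0
"""
# Constructed IP-to-group binding; on the switch it comes from the authenticated session.
UCL_OF = {"192.168.30.10": 31, "192.168.30.11": 32}

if __name__ == "__main__":
    u31 = Acl(ACL_U31)
    print(u31.evaluate({"src": "192.168.30.10", "dst": "192.168.30.11", "proto": "tcp"}, UCL_OF))
    print(u31.evaluate({"src": "192.168.30.10", "dst": "192.168.30.2", "proto": "tcp"}, UCL_OF))
    print(u31.evaluate({"src": "192.168.30.10", "dst": "192.168.30.99", "proto": "tcp"}, UCL_OF))
    print(Acl(ACL_3003).evaluate({"src": "192.168.10.5", "dst": "8.8.8.8", "proto": "udp", "dport": 53}))
```

The third print shows the point that matters for isolation: a host that is in VLAN 30 but bound to neither security group (for example one that has not authenticated, or whose binding was lost) is governed only by the default action, so the "cannot communicate with each other" requirement holds for PC1 and PC2 as members of their groups, not for arbitrary hosts in the VLAN.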

  3. Configure ClearPass.
    1. Log in to ClearPass.

      1. Open Internet Explorer, enter the ClearPass access address in the address bar, and press Enter to access the ClearPass welcome page.

        imgDownload?uuid=eb209f9e88c8454c854c38b

      2. Click ClearPass Policy Manager, and enter the user name and password of the ClearPass administrator to log in to the ClearPass Policy Manager.

    2. Add local users.

      1. Add roles. Choose Configuration > Identity > Roles. Click Add on the right, add roles pc_group1_role and pc_group2_role, and click Save. The following uses pc_group1_role as an example. The configuration of pc_group2_role is similar and is not provided here.

        imgDownload?uuid=dc94d572597d441e85c6068

      2. Add role mappings. Choose Configuration > Identity > Role Mappings. Click Add on the right, add role mappings pc_group1_rolemap and pc_group2_rolemap, and configure the role mappings according to the following figures. After completing the configuration, click Save. The following uses pc_group1_rolemap as an example. The configuration of pc_group2_rolemap is similar and is not provided here.

        imgDownload?uuid=d16b2c7ee3324eac92a5aa5

        imgDownload?uuid=26af468f14e1480e913c133

      3. Add users. Choose Configuration > Identity > Local Users. Click Add on the right, add users PC1 and PC2, and configure their roles to pc_group1_role and pc_group2_role, respectively. After completing the configuration, click Add. The following uses PC1 as an example. The configuration of PC2 is similar and is not provided here.

        imgDownload?uuid=47b2197163b747c29df67ec

    3. Add an access authentication switch.

      # Choose Configuration > Network > Devices. Click Add on the right and add the access authentication switch SwitchA. The value of RADIUS Shared Secret must be the same as the RADIUS shared key configured on the switch. After completing the configuration, click Add.

      imgDownload?uuid=f4d20570173a4c27bd84066

    4. Add enforcement profiles (called "configuration files to be forcibly executed" in this document).

      # Choose Configuration > Enforcement > Profiles. Click Add on the right, add the enforcement profile pc_group1_profile for PC1 and pc_group2_profile for PC2, and set other parameters based on the site requirements. After completing the configuration, click Save. The following uses pc_group1_profile as an example. The configuration of pc_group2_profile is similar and is not provided here.

      imgDownload?uuid=25d2895192dc4e8793890d4

      imgDownload?uuid=da83fe102bbd4510880057e

    5. Add enforcement policies.

      # Choose Configuration > Enforcement > Policies. Click Add on the right, add pc_group1_policy and pc_group2_policy to enforce the profiles of PC1 and PC2 respectively, and set other parameters based on the site requirements. After completing the configuration, click Save. The following uses pc_group1_policy as an example. The configuration of pc_group2_policy is similar and is not provided here.

      imgDownload?uuid=ff79f6438ad94425a609ccf

      imgDownload?uuid=42b8fe9684004e14b594194

    6. Add service rules.

      # Choose Configuration > Services. Click Add on the right, add service rule pc_group1_service for PC1 and pc_group2_service for PC2, and set other parameters based on the site requirements. After completing the configuration, click Save. The following uses pc_group1_service as an example. The configuration of pc_group2_service is similar and is not provided here.

      imgDownload?uuid=3241e37b490049b29872627

      imgDownload?uuid=886c646f72614a5aaf922ce

      imgDownload?uuid=c2a1041b31d84a45869f2f7

      imgDownload?uuid=cb0c0fc65e4a4420a39df57

  4. Verify the configuration.

    The Agile Controller-Campus delivers access control policies of different security groups to SwitchA. After PC1 and PC2 go online, they pass 802.1X authentication on ClearPass and are added to security groups pc_group1 and pc_group2, respectively. PC1 and PC2 can access the customer problem handling system, but cannot communicate with each other.

Configuration Files

SwitchA configuration file

#
sysname SwitchA
#
vlan batch 30 50
#
authentication-profile name 802.1x-auth
 dot1x-access-profile 802.1x-access
#
domain huawei.com
#
group-policy controller 192.168.254.253 password %^%#PAJ-YQ/]292l+4Oj.MnG826Y2Qx%L+w'gA&M|w&;%^%# src-ip 192.168.254.55
#
dhcp enable
#
radius-server template dot1x
 radius-server shared-key cipher %^%#}V!)F5^lk-gCyfV1r~j4W!=R6W1#IDY:zR-so(WJ%^%#
 radius-server authentication 192.168.254.252 1812 source ip-address 192.168.254.55 weight 80
 radius-server accounting 192.168.254.252 1813 source ip-address 192.168.254.55 weight 80
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
 domain huawei.com
  authentication-scheme auth
  accounting-scheme acco
  radius-server dot1x
#
interface Vlanif30
 ip address 192.168.30.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
#
interface Vlanif50
 ip address 192.168.254.55 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 30
 authentication-profile 802.1x-auth
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 50
 stp disable
 authentication-profile 802.1x-auth
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 30
 stp disable
#
dot1x-access-profile name 802.1x-access
#
return

SwitchB configuration file

#
sysname SwitchB
#
vlan batch 30
#
l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 30
 stp disable
 l2protocol-tunnel user-defined-protocol dot1x enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 30
 stp disable
 l2protocol-tunnel user-defined-protocol dot1x enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 30
 l2protocol-tunnel user-defined-protocol dot1x enable
#
return

Cards or Switches Where the Authentication Control Point Can Be Deployed

Switch Version                    Cards or Switches Where the Authentication Control Point Can Be Deployed
V200R010C00                       • S5720HI
                                  • X series cards of S7700, S9700, and S12700 series switches
V200R011C00                       S5720HI
V200R011C10                       • S5720HI
                                  • X series cards of S7700, S9700, and S12700 series switches
V200R012C00 and later versions    • S5720HI, S5730HI, S6720HI
                                  • X series cards of S7700, S9700, and S12700 series switches

For more configuration examples, see:

https://support.huawei.com/enterprise/en/doc/EDOC1000069520/9aadccc0/comprehensive-configuration-examples

