10-Security Configuration Guide

HomeSupportResource CenterRoutersH3C SR8800 Series RoutersH3C SR8800Technical DocumentsConfigureConfiguration GuideH3C SR8800 Configuration Guide-Release3347-6W10310-Security Configuration Guide
02-802.1X Configuration
Title Size Download
02-802.1X Configuration 442.06 KB

Contents

802.1X fundamentals· 1

802.1X architecture· 1

Controlled/uncontrolled port and port authorization status 1

802.1X-related protocols 2

Packet formats 2

EAP over RADIUS· 4

Initiating 802.1X authentication· 4

802.1X client as the initiator 4

Access device as the initiator 4

802.1X authentication procedures 5

A comparison of EAP relay and EAP termination· 5

EAP relay· 6

EAP termination· 7

Configuring 802.1X· 1

H3C implementation of 802.1X· 1

Access control methods 1

Using 802.1X authentication with other features 1

Configuration prerequisites 3

802.1X configuration task list 3

Enabling 802.1X· 4

Enabling EAP relay or EAP termination· 4

Setting the port authorization state· 5

Specifying an access control method· 6

Setting the maximum number of concurrent 802.1X users on a port 6

Setting the maximum number of authentication request attempts 7

Setting the 802.1X authentication timeout timers 7

Configuring the online user handshake function· 8

Configuration guidelines 8

Configuration procedure· 8

Enabling the proxy detection function· 9

Prerequisites 9

Configuration procedure· 9

Configuring the authentication trigger function· 9

Configuration guidelines 10

Configuration procedure· 10

Specifying a mandatory authentication domain on a port 10

Configuring the quiet timer 11

Enabling the periodic online user re-authentication function· 11

Configuring an 802.1X guest VLAN·· 12

Configuration guidelines 12

Configuration prerequisites 12

Configuration procedure· 12

Configuring an Auth-Fail VLAN·· 13

Configuration guidelines 13

Configuration prerequisites 13

Specifying supported domain name delimiters 13

Configuring 802.1X to reference a COPS scheme· 14

Displaying and maintaining 802.1X· 14

802.1X authentication configuration example· 14

Network requirements 14

Configuration procedure· 15

Verifying the configuration· 17

802.1X with guest VLAN and VLAN assignment configuration example· 17

Network requirements 17

Configuration procedure· 18

Verifying the configuration· 19

 


802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control.

802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.

802.1X architecture

802.1X operates in the client/server model. It comprises three entities: the client (the supplicant), the network access device (the authenticator), and the authentication server, as shown in Figure 1.

Figure 1 Architecture of 802.1X

 

·     The client is a user terminal seeking access to the LAN. It must have 802.1X software to authenticate to the network access device.

·     The network access device authenticates the client to control access to the LAN. In a typical 802.1X environment, the network access device uses an authentication server to perform authentication.

·     The authentication server is the entity that provides authentication services for the network access device. It authenticates 802.1X clients by using the data sent from the network access device, and returns the authentication results for the network access device to make access decisions. The authentication server is typically a Remote Authentication Dial-in User Service (RADIUS) server. In a small LAN, you can also use the network access device as the authentication server.

Controlled/uncontrolled port and port authorization status

802.1X defines two logical ports for the network access port: controlled port and uncontrolled port. Any packet arriving at the network access port is visible to both logical ports.

·     The controlled port allows incoming and outgoing traffic to pass through when it is in the authorized state, and denies incoming and outgoing traffic when it is in the unauthorized state, as shown in Figure 2. The controlled port is set in the authorized state if the client has passed authentication, and in the unauthorized state, if the client has failed authentication.

·     The uncontrolled port is always open to receive and transmit EAPOL frames.

Figure 2 Authorization state of a controlled port

 

In unauthorized state, a controlled port controls traffic in one of the following ways:

·     Performs bidirectional traffic control to deny traffic to and from the client.

·     Performs unidirectional traffic control to deny traffic from the client.

 

 

NOTE:

The H3C devices support only unidirectional traffic control.

 

802.1X-related protocols

802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server. EAP is an authentication framework that uses the client/server model. It supports a variety of authentication methods, including MD5-Challenge, EAP-Transport Layer Security (EAP-TLS), and Protected EAP (PEAP).

802.1X defines EAP over LAN (EAPOL) for passing EAP packets between the client and the network access device over a wired or wireless LAN. Between the network access device and the authentication server, 802.1X delivers authentication information in one of the following methods:

·     Encapsulates EAP packets in RADIUS by using EAP over RADIUS (EAPOR), as described in “EAP relay.”

·     Extracts authentication information from the EAP packets and encapsulates the information in standard RADIUS packets, as described in “EAP termination.”

Packet formats

EAP packet format

Figure 3 shows the EAP packet format.

Figure 3 EAP packet format

 

·     Code: Type of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure (4).

·     Identifier: Used for matching Responses with Requests.

·     Length: Length (in bytes) of the EAP packet, which is the sum of the Code, Identifier, Length, and Data fields.

·     Data: Content of the EAP packet. This field appears only in a Request or Response EAP packet. The field comprises the request type (or the response type) and the type data. Type 1 (Identify) and type 4 (MD5-challenge) are two examples for the type field.

EAPOL packet format

Figure 4 shows the EAPOL packet format.

Figure 4 EAPOL packet format

 

·     PAE Ethernet type: Protocol type. It takes the value 0x888E for EAPOL.

·     Protocol version: The EAPOL protocol version used by the EAPOL packet sender.

·     Type: Type of the EAPOL packet. Table 1 lists the types of EAPOL packets that the H3C implementation of 802.1X supports.

Table 1 Types of EAPOL packets

Value

Type

Description

0x00

EAP-Packet

The client and the network access device uses EAP-Packets to transport authentication information.

0x01

EAPOL-Start

The client sends an EAPOL-Start message to initiate 802.1X authentication to the network access device.

0x02

EAPOL-Logoff

The client sends an EAPOL-Logoff message to tell the network access device that it is logging off.

 

·     Length: Data length in bytes, or length of the Packet body. If packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows.

·     Packet body: Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body field contains an EAP packet.

EAP over RADIUS

RADIUS adds two attributes, EAP-Message and Message-Authenticator, for supporting EAP authentication. For information about the RADIUS packet format, see the chapter “Configuring AAA.”

EAP-Message

RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure 5. The Type field takes 79, and the Value field can be up to 253 bytes. If an EAP packet is longer than 253 bytes, RADIUS encapsulates it in multiple EAP-Message attributes.

Figure 5 EAP-Message attribute format

 

Message-Authenticator

RADIUS includes the Message-Authenticator attribute in all packets that have an EAP-Message attribute to check their integrity. The packet receiver drops the packet if the calculated packet integrity checksum is different than the Message-Authenticator attribute value. The Message-Authenticator prevents EAP authentication packets from being tampered with during EAP authentication.

Figure 6 Message-Authenticator attribute format

 

Initiating 802.1X authentication

Both the 802.1X client and the access device can initiate 802.1X authentication.

802.1X client as the initiator

The client sends an EAPOL-Start packet to the access device to initiate 802.1X authentication. The destination MAC address of the packet is the IEEE 802.1X specified multicast address 01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client, the H3C iNode 802.1X client for example, that can send broadcast EAPOL-Start packets.

Access device as the initiator

The access device initiates authentication, if a client, the 802.1X client available with Windows XP for example, cannot send EAPOL-Start packets.

The access device supports the following modes:

·     Multicast trigger mode—The access device multicasts Identity EAP-Request packets periodically (every 30 seconds by default) to initiate 802.1X authentication.

·     Unicast trigger mode—Upon receiving a frame with the source MAC address not in the MAC address table, the access device sends an Identity EAP-Request packet out of the receiving port to the unknown MAC address. It retransmits the packet if no response has been received within a certain time interval.

802.1X authentication procedures

802.1X authentication has two approaches: EAP relay and EAP termination. You choose either mode depending on the support of the RADIUS server for EAP packets and EAP authentication methods.

EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPoR packets to send authentication information to the RADIUS server, as shown in Figure 7.

Figure 7 EAP relay

 

In EAP termination mode, the network access device terminates the EAP packets received from the client, encapsulates the client authentication information in standard RADIUS packets, and uses PAP or CHAP to authenticate to the RADIUS server, as shown in Figure 8.

Figure 8 EAP termination

 

A comparison of EAP relay and EAP termination

 

Packet exchange method

Benefits

Limitations

EAP relay

·     Supports various EAP authentication methods.

·     The configuration and processing is simple on the network access device

The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client.

EAP termination

Works with any RADIUS server that supports PAP or CHAP authentication.

·     Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an H3C iNode 802.1X client.

·     The processing is complex on the network access device.

 

EAP relay

Figure 9 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5 is used.

Figure 9 802.1X authentication procedure in EAP relay mode

 

1.     When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device.

2.     The network access device responds with an Identity EAP-Request packet to ask for the client username.

3.     In response to the Identity EAP-Request packet, the client sends the username in an Identity EAP-Response packet to the network access device.

4.     The network access device relays the Identity EAP-Response packet in a RADIUS Access-Request packet to the authentication server.

5.     The authentication server uses the identity information in the RADIUS Access-Request to search its user database. If a matching entry is found, the server uses a randomly generated challenge (EAP-Request/MD5 challenge) to encrypt the password in the entry, and sends the challenge in a RADIUS Access-Challenge packet to the network access device.

6.     The network access device relays the EAP-Request/MD5 Challenge packet in a RADIUS Access-Request packet to the client.

7.     The client uses the received challenge to encrypt the password, and sends the encrypted password in an EAP-Response/MD5 Challenge packet to the network access device.

8.     The network access device relays the EAP-Response/MD5 Challenge packet in a RADIUS Access-Request packet to the authentication server.

9.     The authentication server compares the received encrypted password with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device.

10.     Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in authorized state so the client can access the network.

11.     After the client comes online, the network access device periodically sends handshake requests to check whether the client is still online. By default, if two consecutive handshake attempts fail, the device logs off the client.

12.     Upon receiving a handshake request, the client returns a response. If the client fails to return a response after a certain number of consecutive handshake attempts (two by default), the network access device logs off the client. This handshake mechanism enables timely release of the network resources used by 802.1X users that have abnormally gone offline.

13.     The client can also send an EAPOL-Logoff packet to ask the network access device for a logoff. Then

14.     In response to the EAPOL-Logoff packet, the network access device changes the status of the controlled port from authorized to unauthorized and sends an EAP-Failure packet to the client.

 

 

NOTE:

In EAP relay mode, the client must use the same authentication method as the RADIUS server. On the network access device, you only need to execute the dot1x authentication-method eap command to enable EAP relay.

 

EAP termination

Figure 10 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that CHAP authentication is used.

Figure 10 802.1X authentication procedure in EAP termination mode

 

In EAP termination mode, it is the network access device rather than the authentication server generates an MD5 challenge for password encryption (see Step 4). The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.

 


H3C implementation of 802.1X

Access control methods

H3C implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control.

·     Port-based access control—Once an 802.1X user passes authentication on a port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.

·     MAC-based access control—Each user is separately authenticated on a port. When a user logs off, no other online users are affected.

Using 802.1X authentication with other features

VLAN assignment

You can configure the authentication server to assign a VLAN for an 802.1X user that has passed authentication.

VLAN assignment is supported on ports that perform port-based access control. The device assigns the VLAN to the port as the default VLAN. All subsequent 802.1X users can access the default VLAN without authentication. When the user logs off, the previous default VLAN restores, and all other online users are logged off.

 

 

NOTE:

With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.

 

Guest VLAN

You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X authentication, so they can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. After a user in the guest VLAN passes 802.1X authentication, it is removed from the guest VLAN and can access authorized network resources.

Guest VLAN is supported on ports that perform port-based access control. The following describes how the network access device handles guest VLANs on a port that performs port-based access control.

 

Authentication status

VLAN manipulation

No 802.1X user has performed authentication within 90 seconds after 802.1X is enabled

Assigns the 802.1X guest VLAN to the port as the default VLAN. All 802.1X users on this port can access only resources in the guest VLAN.

If no 802.1X guest VLAN is configured, the access device does not perform any VLAN operation.

A user in the 802.1X guest VLAN fails 802.1X authentication

If an 802.1X Auth-Fail VLAN (see “Auth-Fail VLAN”) is available, assigns the Auth-Fail VLAN to the port as the default VLAN. All users on this port can access only resources in the Auth-Fail VLAN.

If no Auth-Fail VLAN is configured, the default VLAN on the port is still the 802.1X guest VLAN. All users on the port are in the guest VLAN.

A user in the 802.1X guest VLAN passes 802.1X authentication

·     Assigns the VLAN specified for the user to the port as the default VLAN, and removes the port from the 802.1X guest VLAN. After the user logs off, the user configured default VLAN restores.

·     If the authentication server assigns no VLAN, the user configured default VLAN applies. The user and all subsequent 802.1X users are assigned to the user-configured default VLAN. After the user logs off, the default VLAN remains unchanged.

 

 

NOTE:

·     The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.

·     For more information about VLAN configuration, see Layer 2LAN Switching Configuration Guide.

 

Auth-Fail VLAN

You can configure an Auth-Fail VLAN to accommodate users that have failed 802.1X authentication because of the failure to comply with the organization security strategy, such as using a wrong password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.

The Auth-Fail VLAN does not accommodate 802.1X users that have failed authentication for authentication timeouts or network connection problems.

Auth-Fail VLAN is supported on ports that perform port-based access control. The following describes how the network access device handles Auth-Fail VLAN on a port that performs port-based access control.

 

Authentication status

VLAN manipulation

A user fails 802.1X authentication

Assigns the Auth-Fail VLAN to the port as the default VLAN. All 802.1X users on this port can access only resources in the Auth-Fail VLAN.

A user in the Auth-Fail VLAN fails 802.1X re-authentication

The Auth-Fail VLAN is still the default VLAN on the port, and all 802.1X users on this port are in this VLAN.

A user passes 802.1X authentication

·     Assigns the VLAN specified for the user to the port as the default VLAN, and removes the port from the Auth-Fail VLAN. After the user logs off, the user-configured default VLAN restores.

·     If the authentication server assigns no VLAN, the initial default VLAN applies. The user and all subsequent 802.1X users are assigned to the user-configured default VLAN. After the user logs off, the default VLAN remains unchanged.

 

 

NOTE:

·     The network device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member.

·     For more information about VLAN configuration, see Layer 2LAN Switching Configuration Guide.

 

COPS

You can use a Common Open Policy Service (COPS) server to authorize 802.1X user. COPS is a service-oriented network management protocol. It can perform policy-based admission control for a variety of network applications.

With COPS, the network access device acts as a policy enforcement point (PEP) to establish a COPS connection with the remote policy server, the policy decision point (PDP), and requests the remote policy server to authorize 802.1X users, for example, assign VLANs or ACLs to 802.1X users. The remote policy server, after receiving the request, returns the authorization information to the access device.

For more information about COPS and its applications, see the chapter “Configuring COPS.”

Configuration prerequisites

·     Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users.

·     If RADIUS authentication is used, create user accounts on the RADIUS server.

·     If local authentication is used, create local user accounts on the access device and set the service type to lan-access.

802.1X configuration task list

Complete the following tasks to configure 802.1X:

 

Task

Remarks

Enabling 802.1X

Required

Enabling EAP relay or EAP termination

Optional

Setting the port authorization state

Optional

Specifying an access control method

Optional

Setting the maximum number of concurrent 802.1X users on a port

Optional

Setting the maximum number of authentication request attempts

Optional

Setting the 802.1X authentication timeout timers

Optional

Configuring the online user handshake function

Optional

Enabling the proxy detection function

Optional

Configuring the authentication trigger function

Optional

Specifying a mandatory authentication domain on a port

Optional

Configuring the quiet timer

Optional

Enabling the periodic online user re-authentication function

Optional

Configuring an 802.1X guest VLAN

Optional

Configuring an Auth-Fail VLAN

Optional

Specifying supported domain name delimiters

Optional

Configuring 802.1X to reference a COPS scheme

Optional

 

Enabling 802.1X

 

 

NOTE:

802.1X is mutually exclusive with link aggregation and service loopback group configuration on a port.

 

To enable 802.1X on a port:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable 802.1X globally.

dot1x

By default, 802.1X is disabled globally.

3.     Enable 802.1X on a port.

·     (Approach 1) In system view:
dot1x interface interface-list

·     (Approach 2) In Ethernet interface view:

a.     interface interface-type interface-number

b.     dot1x

Use either approach.

By default, 802.1X is disabled on a port.

 

Enabling EAP relay or EAP termination

When configuring EAP relay or EAP termination, consider the following factors:

·     The support of the RADIUS server for EAP packets

·     The authentication methods supported by the 802.1X client and the RADIUS server

If the client supports only MD5-Challenge EAP authentication, you can use both EAP termination and EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "A comparison of EAP relay and EAP termination" for help.

For more information about EAP relay and EAP termination, see "802.1X authentication procedures."

To configure EAP relay or EAP termination:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure EAP relay or EAP termination.

dot1x authentication-method { chap | eap | pap }

By default, the network access device performs EAP termination and uses CHAP to communicate with the RADIUS server.

Specify the eap keyword to enable EAP termination.

Specify the chap or pap keyword to enable CHAP-enabled or PAP-enabled EAP relay.

 

 

NOTE:

If EAP relay mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. The access device sends the authentication data from the client to the server without any modification. For more information about the user-name-format command, see Security Command Reference.

 

Setting the port authorization state

The port authorization state determines whether the client is granted access to the network. You can control the authorization state of a port by using the dot1x port-control command and the following keywords:

·     authorized-force—Places the port in authorized state, enabling users on the port to access the network without authentication.

·     unauthorized-force—Places the port in unauthorized state, denying any access requests from users on the port.

·     auto—Places the port initially in unauthorized state to allow only EAPOL packets to pass, and after a user passes authentication, sets the port in the authorized state to allow access to the network. You can use this option in most scenarios.

You can set authorization state for one port in interface view, or for multiple ports in system view. If different authorization state is set for a port in system view and interface view, the one set later takes effect.

To set the authorization state of a port:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the port authorization state.

·     (Approach 1) In system view:
dot1x port-control
{ authorized-force | auto | unauthorized-force } [ interface interface-list ]

·     (Approach 2) In Ethernet interface view:

a.     interface interface-type interface-number

b.     dot1x port-control { authorized-force | auto | unauthorized-force }

Use either approach.

By default, auto applies.

 

Specifying an access control method

You can specify an access control method for one port in interface view or for multiple ports in system view. If different access control methods are specified for a port in system view and interface view, the one specified later takes effect.

To specify the access control method:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Specify an access control method.

·     (Approach 1) In system view:
dot1x port-method { macbased | portbased } [ interface interface-list ]

·     (Approach 2) In Ethernet interface view:

a.     interface interface-type interface-number

b.     dot1x port-method { macbased | portbased }

Use either approach.

By default, MAC-based access control applies.

 

 

NOTE:

To use both 802.1X and portal authentication on a port, you must specify MAC-based access control. For information about portal authentication, see the chapter “Configuring portal authentication.

 

Setting the maximum number of concurrent 802.1X users on a port

You can set the maximum number of concurrent 802.1X users for ports individually in interface view or in bulk in system view. If different settings are configured for a port in both views, the setting configured later takes effect.

To set the maximum number of concurrent 802.1X users on a port:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the maximum number of concurrent 802.1X users on a port.

·     (Approach 1) In system view:
dot1x max-user user-number [ interface interface-list ]

·     (Approach 2) In Ethernet interface view:

a.     interface interface-type interface-number

b.     dot1x max-user user-number [ interface interface-list ]

Use either approach.

The default depends on the device model.

 

Setting the maximum number of authentication request attempts

The network access device retransmits an authentication request if it receives no response to the request it has sent to the client within a period of time (specified by using the dot1x timer tx-period tx-period-value command or the dot1x timer supp-timeout supp-timeout-value command). The network access device stops retransmitting the request, if it has made the maximum number of request transmission attempts but still received no response.

To set the maximum number of authentication request attempts:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the maximum number of attempts for sending an authentication request.

dot1x retry max-retry-value

The default setting is 2.

 

Setting the 802.1X authentication timeout timers

The network device uses the following 802.1X authentication timeout timers:

·     Client timeout timerStarts when the access device sends an EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.

·     Server timeout timer—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.

You can set the client timeout timer to a high value in a low-performance network, and adjust the server timeout timer to adapt to the performance of different authentication servers. In most cases, the default settings are sufficient.

To set the 802.1X authentication timeout timers:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the client timeout timer.

dot1x timer supp-timeout supp-timeout-value

The default is 30 seconds.

3.     Set the server timeout timer.

dot1x timer server-timeout server-timeout-value

The default is 100 seconds.

 

Configuring the online user handshake function

The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the dot1x timer handshake-period command. If no response is received from an online user after the maximum number of handshake attempts (set by the dot1x retry command) has been made, the network access device sets the user in offline state.

If iNode clients are deployed, you can also enable the online handshake security function to check for 802.1X users that use illegal client software to bypass security inspection such as dual network interface cards (NICs) detection. This function checks the authentication information in client handshake messages. If a user fails the authentication, the network access device logs the user off.

Configuration guidelines

Follow these guidelines when you configure the online user handshake function:

·     To use the online handshake security function, make sure the online user handshake function is enabled. H3C recommends that you use the iNode client software and iMC server to guarantee the normal operation of the online user handshake security function.

·     If the network has 802.1X clients that cannot exchange handshake packets with the network access device, disable the online user handshake function to prevent their connections from being inappropriately torn down.

·     You must disable proxy detection before disabling the online user handshake function.

Configuration procedure

To configure the online user handshake function:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the handshake timer.

dot1x timer handshake-period handshake-period-value

Optional.

The default is 15 seconds.

3.     Enter Ethernet interface view.

interface interface-type interface-number

N/A

4.     Enable the online handshake function.

dot1x handshake

Optional.

By default, the function is enabled.

5.     Enable the online handshake security function.

dot1x handshake secure

Optional.

By default, the function is disabled.

 

Enabling the proxy detection function

The proxy detection function prevents users from using an authenticated 802.1X client as a network access proxy to bypass monitoring and accounting. When a user is detected accessing the network through a proxy, the network access device can send traps to the network management system or log the user off by sending an offline message.

Prerequisites

·     Enable the online user handshake function (see Configuring the online user handshake function”).

·     Deploy H3C iNode client software in your network.

Configuration procedure

To configure the proxy detection function:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable the proxy detection function globally.

dot1x supp-proxy-check { logoff | trap }

By default, the function is disabled.

3.     Enable the proxy detection function on one or more ports.

·     (Approach 1) In system view:
dot1x supp-proxy-check { logoff | trap } interface interface-list

·     (Approach 2) In Ethernet interface view:

a.     interface interface-type interface-number

b.     dot1x supp-proxy-check { logoff | trap }

Use either approach.

By default, the function is disabled.

 

 

NOTE:

If you configure the proxy detection function for a port in both system view and interface view, the setting configured the last takes effect.

 

Configuring the authentication trigger function

The authentication trigger function enables the network access device to initiate 802.1X authentication when 802.1X clients cannot initiate authentication.

This function provides the following types of authentication trigger:

·     Multicast trigger—Periodically multicasts Identity EAP-Request packets out of a port to detect 802.1X clients and trigger authentication.

·     Unicast trigger—Enables the network device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address. The device sends a unicast Identity EAP/Request packet to the unknown source MAC address, and retransmits the packet if it has received no response within a period of time. This process continues until the maximum number of request attempts set with the dot1x retry command (see “Setting the maximum number of authentication request attempts”) is reached.

The identity request timeout timer sets both the identity request interval for the multicast trigger and the identity request timeout interval for the unicast trigger.

Configuration guidelines

Follow these guidelines when you configure the authentication trigger function:

·     Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start packets to initiate 802.1X authentication.

·     Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these clients cannot initiate authentication.

·     To avoid duplicate authentication packets, do not enable both triggers on a port.

Configuration procedure

To configure the authentication trigger function on a port:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the username request timeout timer.

dot1x timer tx-period tx-period-value

Optional.

The default is 30 seconds.

3.     Enter Ethernet interface view.

interface interface-type interface-number

N/A

4.     Enable an authentication trigger.

dot1x { multicast-trigger | unicast-trigger }

Required if you want to enable the unicast trigger.

Use either command.

By default, the multicast trigger is enabled, and the unicast trigger is disabled.

 

Specifying a mandatory authentication domain on a port

You can place all 802.1X users in a mandatory authentication domain for authentication, authorization, and accounting on a port. No user can use an account in any other domain to access the network through the port. The implementation of a mandatory authentication domain enhances the flexibility of 802.1X access control deployment.

To specify a mandatory authentication domain for a port:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter Ethernet interface view.

interface interface-type interface-number

N/A

3.     Specify a mandatory 802.1X authentication domain on the port.

dot1x mandatory-domain domain-name

By default, no mandatory 802.1X authentication domain is specified.

 

Configuring the quiet timer

The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication.

You can set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response.

To configure the quiet timer:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable the quiet timer.

dot1x quiet-period

By default, the timer is disabled.

3.     Set the quiet timer.

dot1x timer quiet-period quiet-period-value

Optional.

The default is 60 seconds.

 

Enabling the periodic online user re-authentication function

Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the VLAN. The re-authentication interval is user configurable.

To enable the periodic online user re-authentication function:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the periodic re-authentication timer.

dot1x timer reauth-period reauth-period-value

Optional.

The default is 3600 seconds.

3.     Enter Ethernet interface view.

interface interface-type interface-number

N/A

4.     Enable periodic online user re-authentication.

dot1x re-authenticate

By default, the function is disabled.

 

The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer overrides the timer setting on the access device, and enables periodic online user re-authentication, even if the function is not configured. Support for the server assignment of re-authentication timer and the re-authentication timer configuration on the server vary with servers.

 

 

NOTE:

The VLAN assignment status must be consistent before and after re-authentication. If the authentication server has assigned a VLAN before re-authentication, it must also assign a VLAN at re-authentication. If the authentication server has assigned no VLAN before re-authentication, it must not assign one at re-authentication. Violation of either rule can cause the user to be logged off. The VLANs assigned to an online user before and after re-authentication can be the same or different.

 

Configuring an 802.1X guest VLAN

Configuration guidelines

Follow these guidelines when you configure an 802.1X guest VLAN:

·     You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different.

·     Assign different IDs for the default VLAN and 802.1X guest VLAN on a port, so the port can correctly process incoming VLAN tagged traffic.

·     With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.

Configuration prerequisites

·     Create the VLAN to be specified as the 802.1X guest VLAN.

·     If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger.

Configuration procedure

To configure an 802.1X guest VLAN:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure an 802.1X guest VLAN for one or more ports.

·     In system view:
dot1x guest-vlan guest-vlan-id [ interface interface-list ]

·     In Ethernet interface view:

a.     interface interface-type interface-number

b.     dot1x guest-vlan guest-vlan-id

Use either approach.

By default, no 802.1X guest VLAN is configured on any port.

 

Configuring an Auth-Fail VLAN

Configuration guidelines

Assign different IDs for the default VLAN and 802.1X Auth-Fail VLAN on a port, so the port can correctly process VLAN tagged incoming traffic.

Configuration prerequisites

·     Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.

·     If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger.

To configure an Auth-Fail VLAN:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter Ethernet interface view.

interface interface-type interface-number

N/A

3.     Configure the Auth-Fail VLAN on the port.

dot1x auth-fail vlan authfail-vlan-id

By default, no Auth-Fail VLAN is configured.

You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on different ports can be different.

 

Specifying supported domain name delimiters

By default, the access device supports the at sign (@) as the delimiter. You can also configure the access device to accommodate 802.1X users that use other domain name delimiters.

The configurable delimiters include the at sign (@), back slash (\), and forward slash (/).

If an 802.1X username string contains multiple configured delimiters, the leftmost delimiter is the domain name delimiter. For example, if you configure @, /, and \ as delimiters, the domain name delimiter for the username string 123/22\@abc is the forward slash (/).

If a username string contains none of the delimiters, the access device authenticates the user in the mandatory or default ISP domain. The access selects a domain delimiter from the delimiter set in this order: @, /, and \.

Follow the steps to specify a set of domain name delimiters:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Specify a set of domain name delimiters for 802.1X users.

dot1x domain-delimiter string

By default, only the at sign (@) delimiter is supported.

 

 

NOTE:

If you configure the access device to include the domain name in the username sent to the RADIUS server, make sure the domain delimiter in the username can be recognized by the RADIUS server. For username format configuration, see the user-name-format command in Security Command Reference.

 

Configuring 802.1X to reference a COPS scheme

You can apply a COPS scheme to 802.1X, so after a user passes 802.1X authentication, the access device can request the policy server to assign authorization information, for example, a VLAN or ACL, to the user.

Before you reference a COPS scheme, complete the following tasks:

·     Configure the PEP ID of the device.

·     Create and configure the COPS scheme to be referenced.

For more information about COPS configuration, see the chapter “Configuring COPS.”

To reference the COPS scheme:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Specify a COPS scheme for 802.1X.

dot1x cops cops-scheme-name

By default, 802.1X references no COPS scheme.

 

Displaying and maintaining 802.1X

 

Task

Command

Remarks

Display 802.1X session information, statistics, or configuration information of specified or all ports.

display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]

Available in any view

Clear 802.1X statistics.

reset dot1x statistics [ interface interface-list ]

Available in user view

 

802.1X authentication configuration example

Network requirements

As shown in Figure 11, the access device performs 802.1X authentication for users that connect to port GigabitEthernet 2/1/1. Implement MAC-based access control on the port, so the logoff of one user does not affect other online 802.1X users.

Use RADIUS servers to perform authentication, authorization, and accounting for the 802.1X users. If RADIUS authentication fails, perform local authentication on the access device. If RADIUS accounting fails, the access device logs the user off.

Configure the host at 10.1.1.1 as the primary authentication and accounting servers, and the host at 10.1.1.2 as the secondary authentication and accounting servers. Assign all users to the ISP domain aabbcc.net, which accommodates up to 30 users.

Configure the shared key as name for packets between the access device and the authentication server, and as money for packets between the access device and the accounting server.

Figure 11 Network diagram

 

Configuration procedure

 

 

NOTE:

For information about the RADIUS commands used on the access device in this example, see Security Command Reference.

 

1.     Configure the 802.1X client. If H3C iNode is used, do not select the Carry version info option in the client configuration. (Details not shown)

2.     Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown)

3.     Assign an IP address for each interface on the access device. (Details not shown)

4.     Configure user accounts for the 802.1X users on the access device.

# Add a local user with the username localuser, and password localpass in plaintext. (Make sure the username and password are the same as those configured on the RADIUS server.)

<Device> system-view

[Device] local-user localuser

[Device-luser-localuser] service-type lan-access

[Device-luser-localuser] password simple localpass

# Configure the idle cut function to log off any online user that has been idled for 20 minutes.

[Device-luser-localuser] authorization-attribute idle-cut 20

[Device-luser-localuser] quit

5.     Configure a RADIUS scheme

# Create the RADIUS scheme radius1 and enter its view.

[Device] radius scheme radius1

# Specify the IP addresses of the primary authentication and accounting RADIUS servers.

[Device-radius-radius1] primary authentication 10.1.1.1

[Device-radius-radius1] primary accounting 10.1.1.1

# Configure the IP addresses of the secondary authentication and accounting RADIUS servers.

[Device-radius-radius1] secondary authentication 10.1.1.2

[Device-radius-radius1] secondary accounting 10.1.1.2

# Specify the shared key between the access device and the authentication server.

[Device-radius-radius1] key authentication name

# Specify the shared key between the access device and the accounting server.

[Device-radius-radius1] key accounting money

# Exclude the ISP domain name from the username sent to the RADIUS servers.

[Device-radius-radius1] user-name-format without-domain

[Device-radius-radius1] quit

 

 

NOTE:

The access device must use the same username format as the RADIUS server. If the RADIUS server includes the ISP domain name in the username, so must the access device.

 

6.     Configure the ISP domain.

# Create the ISP domain aabbcc.net and enter its view.

[Device] domain aabbcc.net

# Apply the RADIUS scheme radius1 to the ISP domain, and specify local authentication as the secondary authentication method.

[Device-isp-aabbcc.net] authentication lan-access radius-scheme radius1 local

[Device-isp-aabbcc.net] authorization lan-access radius-scheme radius1 local

[Device-isp-aabbcc.net] accounting lan-access radius-scheme radius1 local

# Set the maximum number of concurrent users in the domain to 30.

[Device-isp-aabbcc.net] access-limit enable 30

# Configure the idle cut function to log off any online domain user that has been idle for 20 minutes.

[Device-isp-aabbcc.net] idle-cut enable 20

[Device-isp-aabbcc.net] quit

# Specify aabbcc.net as the default ISP domain. If a user does not provide any ISP domain name, it is assigned to the default ISP domain.

[Device] domain default enable aabbcc.net

7.     Configure 802.1X.

# Enable 802.1X globally.

[Device] dot1x

# Enable 802.1X on port GigabitEthernet 2/1/1.

[Device] interface GigabitEthernet 2/1/1

[Device-GigabitEthernet2/1/1] dot1x

[Device-GigabitEthernet2/1/1] quit

# Enable MAC-based access control on the port. (Optional. MAC-based access control is the default setting.)

[Device] dot1x port-method macbased interface GigabitEthernet 2/1/1

Verifying the configuration

Use the display dot1x interface GigabitEthernet 2/1/1 command to verify the 802.1X configuration. After an 802.1X user passes RADIUS authentication, you can use the display connection command to view information about the user connection. If the user fails RADIUS authentication, local authentication is performed.

802.1X with guest VLAN and VLAN assignment configuration example

Network requirements

As shown in Figure 12:

·     A host is connected to port GigabitEthernet 2/1/2 of the device and must pass 802.1X authentication to access the Internet. GigabitEthernet 2/1/2 is in VLAN 1.

·     GigabitEthernet 2/1/2 implements port-based access control.

·     GigabitEthernet 2/1/3 is in VLAN 5 and is for accessing the Internet.

·     The authentication server runs RADIUS and is in VLAN 2.

·     The update server in VLAN 10 is for client software download and upgrade.

If no user performs 802.1X authentication on GigabitEthernet 2/1/2 within a period of time, the device adds GigabitEthernet 2/1/2 to its guest VLAN, VLAN 10. The host and the update server are both in VLAN 10 and the host can access the update server and download the 802.1X client software.

After the host passes 802.1X authentication, the network access device assigns the host to VLAN 5 where GigabitEthernet 2/1/3 is. The host can access the Internet.

Figure 12 Network diagram

 

Configuration procedure

 

 

NOTE:

The following configuration procedure covers most AAA/RADIUS configuration commands on the device. The configuration on the 802.1X client and RADIUS server are not shown. For more information about AAA/RADIUS configuration commands, see Security Command Reference.

 

1.     Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or a server-assigned VLAN. (Details not shown)

2.     Configure the RADIUS server to provide authentication, authorization, and accounting services. Configure user accounts and server-assigned VLAN, VLAN 5 in this example. (Details not shown)

3.     Create VLANs, and assign ports to the VLANs.

<Device> system-view

[Device] vlan 1

[Device-vlan1] port GigabaitEthernet 2/1/2

[Device-vlan1] quit

[Device] vlan 10

[Device-vlan10] port GigabaitEthernet 2/1/1

[Device-vlan10] quit

[Device] vlan 2

[Device-vlan2] port GigabaitEthernet 2/1/4

[Device-vlan2] quit

[Device] vlan 5

[Device-vlan5] port GigabaitEthernet 2/1/3

[Device-vlan5] quit

4.     Configure a RADIUS scheme.

# Configure RADIUS scheme 2000 and enter its view.

<Device> system-view

[Device] radius scheme 2000

# Specify primary and secondary authentication and accounting servers. Set the shared key to abc for authentication and accounting packets.

[Device-radius-2000] primary authentication 10.11.1.1 1812

[Device-radius-2000] primary accounting 10.11.1.1 1813

[Device-radius-2000] key authentication abc

[Device-radius-2000] key accounting abc

# Exclude the ISP domain name from the username sent to the RADIUS server.

[Device-radius-2000] user-name-format without-domain

[Device-radius-2000] quit

5.     Configure an ISP domain.

# Create ISP domain bbb and enter its view.

[Device] domaim bbb

# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.

[Device-isp-bbb] authentication lan-access radius-scheme 2000

[Device-isp-bbb] authorization lan-access radius-scheme 2000

[Device-isp-bbb] accounting lan-access radius-scheme 2000

[Device-isp-bbb] quit

6.     Configure 802.1X

# Enable 802.1X globally.

[Device] dot1x

# Enable 802.1X for port GigabaitEthernet 2/1/2.

[Device] interface GigabitEthernet 2/1/2

[Device-GigabitEthernet2/1/2] dot1x

# Implement port-based access control on the port.

[Device-GigabitEthernet2/1/2] dot1x port-method portbased

# Set the port authorization mode to auto. This step is optional. By default, the port is in auto mode.

[Device-GigabitEthernet2/1/2] dot1x port-control auto

[Device-GigabitEthernet2/1/2] quit

# Set VLAN 10 as the 802.1X guest VLAN for port GigabitEthernet 2/1/2.

[Device] dot1x guest-vlan 10 interface GigabitEthernet 2/1/2

Verifying the configuration

Use the display dot1x interface GigabitEthernet 2/1/2 command to verify the 802.1X guest VLAN configuration on GigabitEthernet 2/1/2. If no user passes authentication on the port within a specific period of time, use the display vlan 10 command to verify whether GigabitEthernet 2/1/2 is assigned to VLAN 10.

After a user passes authentication, you can use the display interface GigabitEthernet 2/1/2 command to verity that port GigabitEthernet 2/1/2 has been added to VLAN 5.