The 802.1x protocol was proposed by the IEEE 802 LAN/WAN committee to address security problems on wireless LANs (WLANs). Currently, it is used on Ethernet as a common port access control mechanism.
When configuring 802.1x, use the following table to find the information you need:
| If you need to… | Go to… |
| Get familiar with the basic concepts involved in 802.1x, its architecture, how it operates, and how it authenticates users | 802.1x Overview |
| Know how to configure 802.1x | Configuring 802.1x |
| Consult the display commands available for verifying 802.1x configuration | Displaying and Maintaining 802.1x |
| See how to configure 802.1x in typical scenarios | 802.1x Configuration Example |
1.1 802.1x Overview
802.1x is a port-based access control
protocol. It authenticates and controls accessing devices at the level of port.
A device connecting to an 802.1x-enabled port of an access device can access
the resources behind only after passing authentication. A user failing the
authentication is physically disconnected.
To get more information about 802.1x, go to these topics:
- Architecture of 802.1x
- Operation of 802.1x
- EAP Encapsulation over LANs
- EAP Encapsulation over RADIUS
- Authentication Process of 802.1x
- 802.1x Timers
- Implementation of 802.1x
- Features Working Together with 802.1x
1.1.1 Architecture of 802.1x
802.1x operates in the typical
client/server model and defines three entities: supplicant system,
authenticator system, and authentication server system, as shown in Figure 1-1.

Figure 1-1 Architecture of 802.1x
- Supplicant system: A system at one end of the LAN segment, which is authenticated by the system at the other end. A supplicant system is usually a user-end device and initiates 802.1x authentication through 802.1x client software supporting the EAP over LANs (EAPOL) protocol.
- Authenticator system: A system at one end of the LAN segment, which authenticates the system at the other end. An authenticator system is usually an 802.1x-enabled network device and provides ports (physical or logical) for supplicants to access the LAN.
- Authentication server system: The system providing authentication, authorization, and accounting services for the authenticator system.
The above systems involve three basic concepts: PAE, controlled port, and control direction.
I. PAE
Port access entity (PAE) refers to the entity on a given port of a device that performs the 802.1x algorithm and protocol operations. The authenticator PAE uses the authentication server to authenticate the supplicant trying to access the LAN and controls the status of the controlled port (authorized or unauthorized) according to the authentication result. The supplicant PAE responds to the authentication request of the authenticator PAE and provides authentication information. The supplicant PAE can also send authentication requests and logoff requests to the authenticator.
II. Controlled port
An authenticator provides ports for
supplicants to access the LAN. Each of the ports can be regarded as two virtual
ports: a controlled port and an uncontrolled port.
- The uncontrolled port is always open in both the inbound and outbound directions to allow EAPOL protocol frames to pass, guaranteeing that the supplicant can always send or receive authentication frames.
- The controlled port is open to allow normal traffic to pass only when it is in the authorized state.
- The controlled port and uncontrolled port are two parts of the same port. Any frames arriving at the port are visible to both of them.
III. Control direction
In the unauthorized state, the controlled port can be set to deny traffic to and from the supplicant or just the traffic from the supplicant. Currently, the devices support only denying the traffic from the supplicant.
1.1.2 Operation of 802.1x
The 802.1x authentication system employs
the extensible authentication protocol (EAP) to support authentication
information exchange between the supplicant PAE, authenticator PAE, and
authentication server.

Figure 1-2 Operation of 802.1x
- Between the supplicant PAE and authenticator PAE, EAP protocol packets are encapsulated using EAPOL and transferred over LANs.
- Between the authenticator PAE and authentication server, EAP protocol packets can be encapsulated using the EAP attributes of RADIUS and then relayed to the RADIUS server, or terminated at the authenticator PAE, repackaged in the PAP or CHAP attributes of RADIUS, and then transferred to the RADIUS server. The former is referred to as EAP relay mode, and the latter as EAP termination mode.
- The authentication server is usually a RADIUS server. It maintains information about users, such as the account, password, VLAN to which the user belongs, CAR parameters, priority level, and ACL.
- After a user passes the authentication, the authentication server passes information about the user to the authenticator, which controls the status of the controlled port according to the instruction of the authentication server.
1.1.3 EAP Encapsulation over LANs
I. EAPOL frame format
EAPOL, defined by 802.1x, is intended to
carry EAP protocol packets between supplicants and authenticators over LANs. Figure 1-3 shows the EAPOL frame format.

Figure 1-3 EAPOL frame format
PAE Ethernet Type: Protocol type. It takes
the value 0x888E.
Protocol version: Version of the EAPOL
protocol supported by the EAPOL frame sender.
Type: Type of the packet. The following
types are defined:
- EAP-Packet (a value of 0x00): frame for carrying authentication information.
- EAPOL-Start (a value of 0x01): frame for initiating authentication.
- EAPOL-Logoff (a value of 0x02): frame for a logoff request.
- EAPOL-Key (a value of 0x03): frame for carrying key information.
- EAPOL-Encapsulated-ASF-Alert (a value of 0x04): frame for carrying alerting information conforming to the Alert Standard Forum (ASF).
Length: Length of the data, that is, length
of the Packet body field, in bytes. If the value of this field is 0, no
subsequent data field is present.
Packet body: The format of this field
varies with the value of the Type field.
A frame with a type of EAPOL-Start, EAPOL-Logoff, or EAPOL-Key is exchanged only between a supplicant and an authenticator. A frame with a type of EAP-Packet is repackaged and transferred over RADIUS to get through complex networks and reach the authentication server. A frame with a type of EAPOL-Encapsulated-ASF-Alert encapsulates network management-related information (for example, various warning messages) and is terminated at the authenticator.
II. EAP packet format
An EAPOL frame with a type of EAP-Packet
carries an EAP packet in its Packet body field. The structure of the EAP packet
is shown in Figure 1-4.

Figure 1-4 EAP packet format
Code: Type of the EAP packet, which can be
Request, Response, Success, or Failure.
Identifier: Allows matching of responses
with requests.
Length: Length of the EAP packet, including
the Code, Identifier, Length, and Data fields.
Data: This field is zero or more bytes and
its format is determined by the Code field.
An EAP packet of the type of Success or
Failure has no Data field, and has a length of 4. An EAP packet of the type of
Request or Response is in the format shown in Figure
1-5.

Figure 1-5 Format of the EAP request/response packet
Type: EAP authentication type. A value of 1
represents Identity, indicating that the packet is for querying the identity of
the supplicant. A value of 4 represents MD5-Challenge, which corresponds
closely to the PPP CHAP protocol.
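The two layouts above (the EAPOL frame in Figure 1-3 and the EAP packet in Figures 1-4 and 1-5) can be decoded with a small parser. The following Python is an added example, not code from this manual or from the switch vendor; it follows the IEEE 802.1X EAPOL header and the RFC 3748 EAP header, and the MAC addresses, identifiers and identity string in the constructed sample frames are assumptions. It validates every Length field against the bytes actually present before trusting it, which is the check a receiver needs on the uncontrolled port, since EAPOL frames are accepted from any station before authentication.

```python
"""Parser for EAPOL frames and the EAP packets they carry (added example).
Layouts follow IEEE 802.1X (EAPOL) and RFC 3748 (EAP); sample frames are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

EAPOL_ETHERTYPE = 0x888E                     # PAE Ethernet Type
EAPOL_TYPES = {0x00: "EAP-Packet", 0x01: "EAPOL-Start", 0x02: "EAPOL-Logoff",
               0x03: "EAPOL-Key", 0x04: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}


@dataclass
class EapPacket:
    code: str
    identifier: int
    length: int
    type: Optional[str]       # only Request/Response carry a Type field
    type_data: bytes


@dataclass
class EapolFrame:
    version: int
    type: str
    length: int
    body: bytes
    eap: Optional[EapPacket]  # decoded only for EAP-Packet frames


def parse_eap(body: bytes) -> EapPacket:
    """Decode Code(1) Identifier(1) Length(2) Data, validating Length before use."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(body):
        raise ValueError("EAP Length field inconsistent with payload")
    if code in (3, 4):                        # Success/Failure: no Data field, length 4
        if length != 4:
            raise ValueError("Success/Failure must have length 4")
        return EapPacket(EAP_CODES[code], identifier, length, None, b"")
    if length < 5:                            # Request/Response need a Type byte
        raise ValueError("Request/Response missing Type")
    eap_type = EAP_TYPES.get(body[4], f"type-{body[4]}")
    return EapPacket(EAP_CODES[code], identifier, length, eap_type, body[5:length])


def parse_eapol(frame: bytes) -> EapolFrame:
    """Decode an Ethernet frame: dst(6) src(6) EtherType(2), then the EAPOL header."""
    if len(frame) < 18:
        raise ValueError("frame too short for an EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not an EAPOL frame: EtherType 0x{ethertype:04X}")
    version, etype, length = struct.unpack("!BBH", frame[14:18])
    if etype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL type {etype}")
    body = frame[18:18 + length]
    if len(body) < length:                    # never trust Length over the real size
        raise ValueError("EAPOL Length exceeds the frame")
    eap = parse_eap(body) if etype == 0x00 and length > 0 else None
    return EapolFrame(version, EAPOL_TYPES[etype], length, body, eap)


def md5_challenge_fields(type_data: bytes) -> Tuple[bytes, bytes]:
    """MD5-Challenge Type-Data is Value-Size(1) Value Name (RFC 3748 section 5.4)."""
    size = type_data[0]
    if 1 + size > len(type_data):
        raise ValueError("MD5-Challenge Value-Size exceeds Type-Data")
    return type_data[1:1 + size], type_data[1 + size:]


def safe_parse(frame: bytes) -> Optional[str]:
    """None when the frame parses, else the validation error (a receiver must not crash)."""
    try:
        parse_eapol(frame)
        return None
    except ValueError as exc:
        return str(exc)


def build_eapol(etype: int, body: bytes = b"", version: int = 1) -> bytes:
    """Build a sample frame: PAE group address as destination, constructed source MAC."""
    header = bytes.fromhex("0180c2000003") + bytes.fromhex("001122334455")
    return header + struct.pack("!HBBH", EAPOL_ETHERTYPE, version, etype, len(body)) + body


# Constructed sample frames for the exchange described in this section
START = build_eapol(0x01)
REQ_IDENTITY = build_eapol(0x00, struct.pack("!BBHB", 1, 1, 5, 1))
RESP_IDENTITY = build_eapol(0x00, struct.pack("!BBHB", 2, 1, 5 + 8, 1) + b"alice@ex")
SUCCESS = build_eapol(0x00, struct.pack("!BBH", 3, 3, 4))
```

A frame whose EAPOL or EAP Length claims more bytes than were received is rejected rather than sliced short; the same applies to a Request whose MD5-Challenge Value-Size runs past the Type-Data.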
1.1.4 EAP Encapsulation over RADIUS
Two attributes of RADIUS are intended for supporting
EAP authentication: EAP-Message and Message-Authenticator. For information
about RADIUS packet format, refer to the RADIUS overview part in AAA&RADIUS&HWTACACS
Operation Manual.
I. EAP-Message
The EAP-Message attribute is used to
encapsulate EAP packets. Figure
1-6 shows its encapsulation format. The value of the Type field is 79.
The String field can be up to 253 bytes. If the EAP packet is longer than 253
bytes, it can be fragmented and encapsulated into multiple EAP-Message
attributes.

Figure 1-6 Encapsulation format of the
EAP-Message attribute
II. Message-Authenticator
The Message-Authenticator attribute is used
to prevent access requests from being snooped during EAP authentication. It
must be included in any packet with the EAP-Message attribute; otherwise, the
packet will be considered invalid and get discarded. Figure 1-7 shows the encapsulation format of the Message-Authenticator
attribute.

Figure 1-7 Encapsulation format of the
Message-Authenticator attribute
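The following Python is an added example (not the manual's or the vendor's code) of the two attributes in practice: it fragments an EAP packet into EAP-Message attributes of at most 253 bytes, computes the Message-Authenticator as HMAC-MD5 over the Access-Request keyed with the RADIUS shared secret (RFC 3579, with the attribute's own value set to zero while hashing), and shows the receiver-side check that discards a packet whose Message-Authenticator is missing or does not verify. The shared secret, packet identifier and EAP payload are constructed.

```python
"""RADIUS Access-Request with EAP-Message (79) and Message-Authenticator (80) attributes.
Added example; attribute formats follow RFC 2869 / RFC 3579, sample values are constructed."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_STRING = 253             # largest String field of one EAP-Message attribute
CODE_ACCESS_REQUEST = 1


def eap_message_attrs(eap_packet: bytes) -> bytes:
    """Fragment an EAP packet into EAP-Message attributes: Type(1) Length(1) String,
    where Length counts the two header bytes, so at most 253 bytes of String each."""
    out = b""
    for i in range(0, len(eap_packet), MAX_STRING):
        chunk = eap_packet[i:i + MAX_STRING]
        out += struct.pack("!BB", ATTR_EAP_MESSAGE, 2 + len(chunk)) + chunk
    return out


def parse_attrs(packet: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (type, offset, value) for every attribute after the 20-byte RADIUS header."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("attribute header truncated")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((atype, pos, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(identifier: int, eap_packet: bytes, secret: bytes,
                         request_authenticator: Optional[bytes] = None) -> bytes:
    """Header: Code(1)=1 Identifier(1) Length(2) Authenticator(16), then attributes.
    Message-Authenticator = HMAC-MD5(secret, whole packet) computed while its own
    16-byte value is all zeros; the Request Authenticator is 16 random bytes."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    attrs = eap_message_attrs(eap_packet)
    placeholder = struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, length) + request_authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Receiver check: a packet carrying EAP-Message without a valid
    Message-Authenticator is invalid and must be discarded."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        attrs = parse_attrs(packet)
    except ValueError:
        return False
    has_eap = any(t == ATTR_EAP_MESSAGE for t, _, _ in attrs)
    macs = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs or len(macs[0][1]) != 16:
        return not has_eap       # absent: acceptable only when no EAP-Message is present
    off, received = macs[0]
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def reassemble_eap(packet: bytes) -> bytes:
    """Concatenate EAP-Message values in order to recover the original EAP packet."""
    return b"".join(val for t, _, val in parse_attrs(packet) if t == ATTR_EAP_MESSAGE)


# Constructed input: a 300-byte EAP-Response/Identity, which needs two EAP-Message attributes
SECRET = b"example-shared-secret"
SAMPLE_EAP = struct.pack("!BBHB", 2, 7, 300, 1) + b"A" * 295
```

Because the HMAC covers the Request Authenticator and every attribute, a forwarded EAP packet cannot be altered in transit between authenticator and RADIUS server without the shared secret; the check also rejects a packet that simply omits the attribute.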
1.1.5 Authentication Process of 802.1x
802.1x authentication can be initiated by either a user or the authenticator system. A user initiates authentication by launching the 802.1x client software to send an EAPOL-Start frame to the authenticator system, while the authenticator system sends an EAP-Request/Identity frame to an unauthenticated user when detecting that the user is trying to log in. An 802.1x authenticator system communicates with a remotely located RADIUS server in two modes: EAP relay and EAP termination. The following description takes the first case as an example to show the 802.1x authentication process.
I. EAP relay
EAP relay is an IEEE 802.1x standard mode.
In this mode, EAP packets are carried in a high layer protocol, such as RADIUS,
so that they can go through complex networks and reach the authentication
server. Generally, EAP relay requires that the RADIUS server support the EAP
attributes of EAP-Message and Message-Authenticator. See Figure 1-8 for the message exchange procedure.

Figure 1-8 Message exchange in EAP relay mode
1) When a user launches the 802.1x client software and enters the registered username and password, the 802.1x client software generates an EAPOL-Start frame and sends it to the authenticator to initiate an authentication process.
2) Upon receiving the EAPOL-Start frame, the authenticator responds with an EAP-Request/Identity packet for the identity of the supplicant.
3) When the supplicant receives the EAP-Request/Identity packet, it encapsulates the identity information in an EAP-Response/Identity packet and sends the packet to the authenticator.
4) Upon receiving the EAP-Response/Identity packet, the authenticator relays the packet in a RADIUS Access-Request packet to the authentication server.
5) When receiving the RADIUS Access-Request packet, the authentication server compares the identity information against its user information table to obtain the corresponding password information. Then, it encrypts the password information using a randomly generated challenge, and sends the challenge information through a RADIUS Access-Challenge packet to the authenticator.
6) After receiving the RADIUS Access-Challenge packet, the authenticator relays the contained EAP-Request/MD5 Challenge packet to the supplicant.
7) When receiving the EAP-Request/MD5 Challenge packet, the supplicant uses the offered challenge to encrypt the password part (this process is not reversible), creates an EAP-Response/MD5 Challenge packet, and then sends the packet to the authenticator.
8) After receiving the EAP-Response/MD5 Challenge packet, the authenticator relays the packet in a RADIUS Access-Request packet to the authentication server.
9) When receiving the RADIUS Access-Request packet, the authentication server compares the password information encapsulated in the packet with that generated by itself. If the two are identical, the authentication server considers the user valid and sends to the supplicant a RADIUS Access-Accept packet, instructing the authenticator to open the port to permit the access request of the supplicant.
10) After the supplicant gets online, the authenticator periodically sends EAP-Request/Identity packets to the supplicant to check whether the supplicant is still online. By default, if two consecutive handshake attempts fail, the authenticator concludes that the supplicant has gone offline and performs the necessary operations, guaranteeing that the authenticator always knows when a supplicant goes offline.
11) The supplicant can also send an EAPOL-Logoff frame to the authenticator to terminate the authenticated status. In this case, the authenticator changes the status of the port from authorized to unauthorized.
II. EAP termination
In EAP termination mode, EAP packets are
terminated at the authenticator and then repackaged into the PAP or CHAP
attributes of RADIUS and transferred to the RADIUS server for authentication,
authorization, and accounting. See Figure 1-9 for the message exchange procedure.

Figure 1-9 Message exchange in EAP termination mode
Different from the authentication process
in EAP relay mode, it is the authenticator that generates the random challenge
for encrypting the user password information in EAP termination authentication
process. Consequently, the authenticator sends the challenge together with the
username and encrypted password information from the supplicant to the
authentication server for authentication.
1.1.6 802.1x Timers
Several timers are used in the 802.1x
authentication process to guarantee that the accessing users, the
authenticators, and the RADIUS server interact with each other in a reasonable
manner. The following are the major 802.1x timers:
- Identity request timeout timer (tx-period): Once an authenticator sends an EAP-Request/Identity frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request.
- Password request timeout timer (supp-timeout): Once an authenticator sends an EAP-Request/MD5 Challenge frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request.
- Authentication server timeout timer (server-timeout): Once an authenticator sends a RADIUS Access-Request packet to the authentication server, it starts this timer. If this timer expires but it receives no response from the server, it retransmits the request.
- Handshake timer (handshake-period): After a supplicant passes authentication, the authenticator sends handshake requests to the supplicant at this interval to check whether the supplicant is online. If the authenticator receives no response after sending the allowed maximum number of handshake requests, it considers that the supplicant is offline.
- Quiet timer (quiet-period): When a supplicant fails the authentication, the authenticator refuses further authentication requests from the supplicant in this period of time.
1.1.7 Implementation of 802.1x
The devices extend and optimize the mechanism that the 802.1x protocol specifies by:
- Allowing multiple users to access network services through the same physical port.
- Supporting two authentication methods: portbased and macbased. With the portbased method, after the first user of a port passes authentication, all other users of the port can access the network without authentication, and when the first user goes offline, all other users go offline at the same time. With the macbased method, each user of a port must be authenticated separately, and when an authenticated user goes offline, no other users are affected.
These extensions can help improve network security and manageability dramatically.
1.1.8 Features Working Together with 802.1x
I. VLAN assignment
After an 802.1x supplicant passes
authentication, the authentication server sends authorization information to
the authenticator. If the authorization information contains VLAN authorization
information, the authenticator adds the port connecting the supplicant to the
assigned VLAN. This neither changes nor affects the configurations of the port.
The only result is that the assigned VLAN takes precedence over the manually
configured one, that is, the assigned VLAN takes effect.
For information on how to configure CAMS
or Windows 2000 Server for VLAN assignment, refer to the configuration guides
for CAMS or Windows 2000 server.
For S5500-SI series
Ethernet switches, currently the VLAN assignment function is available only for
the ports whose link type is ACCESS.
II. GuestVlan
If you fail to pass authentication for reasons such as having no proprietary authentication client or an outdated client version, you are added to the GuestVlan. The GuestVlan is a default VLAN that you can access without authentication. You can access the resources in the VLAN, such as client download and upgrade. After installing or upgrading the authentication client with these resources, you can carry out the authentication procedure so as to access network resources.
After 802.1x is enabled and GuestVlan is configured correctly, the switch sends the authentication-triggering packet (EAP-Request/Identity) through a port. The port is added to the GuestVlan when the switch has sent the authentication-triggering packet (EAP-Request/Identity) more than the maximum number of times without receiving any response packet.
At this point, you initiate an authentication. If you fail to pass the authentication, the port is still in the GuestVlan. If you pass the authentication, there are two cases:
- The authentication server delivers a VLAN. In this case, the port leaves the GuestVlan and joins the delivered VLAN. After you disconnect from the Internet, the port first returns to the configured VLAN (the one where the port was located before it joined the GuestVlan, i.e. the “original VLAN”).
- The authentication server does not deliver a VLAN. In this case, the port leaves the GuestVlan and joins the configured VLAN. After you disconnect from the Internet, the port is still in the configured VLAN.
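The port behaviour described in 1.1.1 (controlled and uncontrolled port, control direction), 1.1.6 (the tx-period retransmissions), 1.1.7 (portbased versus macbased) and this section (GuestVlan transitions) can be written down as one state model. The following Python is an added example, not the switch's implementation; it assumes that a port enters the GuestVlan once the initial EAP-Request/Identity and all retransmissions permitted by dot1x retry go unanswered, that GuestVlan traffic needs no authentication, and that a delivered VLAN is released when the last authorized user leaves. MAC addresses and VLAN IDs passed to it are constructed.

```python
"""Authenticator-side model of one 802.1x port: controlled/uncontrolled port, port-control
mode, port-method, and GuestVlan transitions (added example, not the vendor's code)."""
from dataclasses import dataclass, field
from typing import Optional, Set

EAPOL_ETHERTYPE = 0x888E


@dataclass
class Dot1xPort:
    configured_vlan: int                    # the "original VLAN"
    guest_vlan: Optional[int] = None
    port_method: str = "macbased"           # macbased | portbased
    port_control: str = "auto"              # authorized-force | unauthorized-force | auto
    max_retry: int = 2                      # dot1x retry default
    unanswered_identity_requests: int = 0
    in_guest_vlan: bool = False
    assigned_vlan: Optional[int] = None     # VLAN delivered by the authentication server
    authorized_macs: Set[str] = field(default_factory=set)
    first_mac: Optional[str] = None         # the user whose session governs a portbased port

    @property
    def current_vlan(self) -> int:
        """Delivered VLAN takes precedence, then the GuestVlan, then the configured VLAN."""
        if self.assigned_vlan is not None:
            return self.assigned_vlan
        if self.in_guest_vlan and self.guest_vlan is not None:
            return self.guest_vlan
        return self.configured_vlan

    def is_authorized(self, mac: str) -> bool:
        if self.port_control == "authorized-force":
            return True
        if self.port_control == "unauthorized-force":
            return False
        if self.in_guest_vlan:                # assumption: GuestVlan needs no authentication
            return True
        if self.port_method == "portbased":   # one authenticated user opens the port for all
            return bool(self.authorized_macs)
        return mac in self.authorized_macs    # macbased: every MAC authenticates on its own

    def forwards(self, src_mac: str, ethertype: int, inbound: bool = True) -> bool:
        """Uncontrolled port: EAPOL always passes. Controlled port: normal traffic only
        when authorized, and only the inbound (from-supplicant) direction is denied."""
        if ethertype == EAPOL_ETHERTYPE:
            return True
        if not inbound:
            return True
        return self.is_authorized(src_mac)

    def identity_request_unanswered(self) -> None:
        """tx-period expired with no EAP-Response/Identity: retransmit up to the retry
        limit, then fall into the GuestVlan if one is configured (assumed trigger)."""
        self.unanswered_identity_requests += 1
        if (self.guest_vlan is not None and not self.authorized_macs
                and self.unanswered_identity_requests > self.max_retry):
            self.in_guest_vlan = True

    def auth_success(self, mac: str, delivered_vlan: Optional[int] = None) -> None:
        self.unanswered_identity_requests = 0
        self.authorized_macs.add(mac)
        if self.first_mac is None:
            self.first_mac = mac
        self.in_guest_vlan = False            # the port leaves the GuestVlan either way
        if delivered_vlan is not None:
            self.assigned_vlan = delivered_vlan

    def auth_failure(self, mac: str) -> None:
        """A failed attempt leaves the port where it is (still in the GuestVlan if it was)."""
        self.authorized_macs.discard(mac)

    def logoff(self, mac: str) -> None:
        """EAPOL-Logoff or handshake failure; portbased drops everyone with the first user."""
        if self.port_method == "portbased" and mac == self.first_mac:
            self.authorized_macs.clear()
        else:
            self.authorized_macs.discard(mac)
        if not self.authorized_macs:          # last user gone: back to the configured VLAN
            self.first_mac = None
            self.assigned_vlan = None
            self.in_guest_vlan = False
            self.unanswered_identity_requests = 0
```

The model makes the security difference between the two methods visible: on a portbased port any MAC behind the port forwards as soon as one user authenticates, whereas on a macbased port an unauthenticated MAC stays blocked next to an authenticated one.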
1.2 Configuring 802.1x
Except for enabling 802.1x globally and on ports, all other 802.1x configurations are optional. You can perform these configurations as required. For specific parameters and parameter meanings, see 802.1x-HABP-MAC Authentication Command Manual.
802.1x provides a user identity authentication scheme. However, 802.1x cannot implement the authentication scheme solely by itself. RADIUS or local authentication must be configured to work with 802.1x:
- For remote RADIUS authentication, the username and password information must be configured on the RADIUS server and the relevant configurations must be performed on the authenticator.
- For local authentication, the username and password information must be configured on the authenticator and the service type must be set to lan-access.
For details about these configuration tasks, refer to AAA&RADIUS&HWTACACS Operation Manual.
Follow these steps to configure 802.1x:
| To do… | Use the command… | Remarks |
| Enter system view | system-view | — |
| Enable 802.1x globally | dot1x | Required. Disabled by default. |
| Enable 802.1x for specified ports | dot1x interface interface-list | Required. Disabled by default. |
| | In Ethernet interface view, use interface interface-type interface-number, then dot1x, then quit | |
| Set the port access control mode for specified or all ports | dot1x port-control { authorized-force | unauthorized-force | auto } [ interface interface-list ] | Optional. auto by default. |
| Set the port access control method for specified or all ports | dot1x port-method { macbased | portbased } [ interface interface-list ] | Optional. macbased by default. |
| Set the maximum number of accessing users for specified or all ports | dot1x max-user user-number [ interface interface-list ] | Optional. 256 per port by default. |
| Set the 802.1x authentication method | dot1x authentication-method { chap | pap | eap } | Optional. CHAP by default. |
| Set the maximum number of attempts for sending authentication requests to the supplicant | dot1x retry max-retry-value | Optional. 2 by default. |
| Set timers | dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value } | Optional. The defaults are: 15 seconds for the handshake timer, 60 seconds for the quiet timer, 30 seconds for the identity request timeout timer, 30 seconds for the password request timeout timer, and 100 seconds for the authentication server timeout timer. |
| Enable the quiet timer | dot1x quiet-period | Optional. Disabled by default. |
| Enter Ethernet interface view | interface interface-type interface-number | — |
| Enable online user handshake | dot1x handshake | Optional. Enabled by default. |
Caution:
- 802.1x must be enabled both globally in system view and specifically for the intended ports in system view or Ethernet interface view. Otherwise, it does not function.
- Some 802.1x timers are configurable. This makes sense in some special or extreme network environments. Normally, leave the defaults unchanged.
- With 802.1x enabled on a port, you cannot configure the maximum number of MAC addresses that the port can learn (by using the mac-address max-mac-count command), and vice versa.
- All 802.1x-related configurations can be performed in system view. Enabling 802.1x, the port access control mode, the port access control method, and the maximum number of accessing users can also be configured in port view.
- If you perform a configuration in system view and do not specify the interface-list argument, the configuration applies to all ports. Configurations performed in Ethernet port view apply to the current Ethernet port only, and the interface-list argument is not needed in this case.
- If EAP authentication is used for 802.1x users, the contents you enter on the client are sent directly to the server after encapsulation. In this case, the configuration made with the user-name-format command is invalid.
- If the client is configured to include the version number, or you enter a username that contains a blank character, you cannot search or release user connections by username. However, you can search or release user connections in other ways, such as by IP address or connection index.
- If 802.1x is enabled on a port, the port cannot be added to an aggregation group. If a port has been added to an aggregation group, you cannot enable 802.1x on the port.
- 802.1x cannot block cluster handshake packets.
- Currently, 10GE ports of S5500-SI series Ethernet switches do not support 802.1x.
1.3 Configuring GuestVlan
Before configuring GuestVlan, complete the following tasks:
- Enable 802.1x.
- Configure the access control method on the port as portbased.
- Configure the access control mode on the port as auto.
- Configure the link type of the port as access.
- Create the VLAN that will be configured as the GuestVlan.
Follow these steps to configure GuestVlan:
| Operation | Command | Remarks |
| Enter system view | system-view | — |
| Configure GuestVlan of the specified port | dot1x guest-vlan vlan-id [ interface interface-list ] | Required. By default, GuestVlan is not configured on the port. |
1.4 Displaying and Maintaining 802.1x
| To do… | Use the command… | Remarks |
| Display 802.1x session information, statistics, or configuration information of specified or all ports | display dot1x [ sessions | statistics ] [ interface interface-list ] | Available in any view |
| Clear 802.1x statistics | reset dot1x statistics [ interface interface-list ] | Available in user view |
1.5 802.1x Configuration Example
I. Network requirements
- As shown in Figure 1-10, a host is connected to port GigabitEthernet1/0/1 on the switch.
- The access control method of macbased is required on the port to control accessing users.
- All AAA accessing users belong to the default domain aabbcc.net, which can accommodate up to 30 users. For authentication, RADIUS authentication is performed first, and then local authentication when no response is received from the RADIUS server. For accounting, log a user off if RADIUS accounting fails. Whenever a user remains idle for over 20 minutes, tear down the connection.
- A server group with two RADIUS servers is connected to the switch. The IP addresses of the servers are 10.11.1.1 and 10.11.1.2 respectively. Use the former as the primary authentication/secondary accounting server, and the latter as the secondary authentication/primary accounting server.
- Set the shared key for the device to exchange packets with the authentication server as name, and that for the device to exchange packets with the accounting server as money.
- Specify the device to try up to five times at an interval of 5 seconds in transmitting a packet to the RADIUS server until it receives a response from the server, and to send real-time accounting packets to the accounting server every 15 minutes.
- Specify the device to remove the domain name from the username before passing the username to the RADIUS server.
- Set the username of the 802.1x user as localuser and the password as localpass, and specify to use clear text mode. Enable the idle cut function.
II. Network diagram

Figure 1-10 Network diagram for 802.1x configuration
III. Configuration procedure
The following configuration procedure covers most AAA/RADIUS configuration commands for the authenticator, while configuration on the supplicant and RADIUS server is omitted.
For information about AAA/RADIUS configuration commands, refer to AAA&RADIUS&HWTACACS Operation Manual.
# Add local access user localuser, enable the idle cut function, and set the idle interval.
[Sysname] local-user localuser
[Sysname-luser-localuser] service-type lan-access
[Sysname-luser-localuser] password simple localpass
[Sysname-luser-localuser] attribute idle-cut 20
# Create RADIUS scheme radius1 and enter its view.
[Sysname] radius scheme radius1
# Configure the IP addresses of the primary authentication and accounting RADIUS servers.
[Sysname-radius-radius1] primary authentication 10.11.1.1
[Sysname-radius-radius1] primary accounting 10.11.1.2
# Configure the IP addresses of the secondary authentication and accounting RADIUS servers.
[Sysname-radius-radius1] secondary authentication 10.11.1.2
[Sysname-radius-radius1] secondary accounting 10.11.1.1
# Specify the shared key for the device to exchange packets with the authentication server.
[Sysname-radius-radius1] key authentication name
# Specify the shared key for the device to exchange packets with the accounting server.
[Sysname-radius-radius1] key accounting money
# Set the interval for the device to retransmit packets to the RADIUS server and the maximum number of transmission attempts.
[Sysname-radius-radius1] timer response-timeout 5
[Sysname-radius-radius1] retry 5
# Set the interval for the device to send real-time accounting packets to the RADIUS server.
[Sysname-radius-radius1] timer realtime-accounting 15
# Specify the device to remove the domain name of any username before passing the username to the RADIUS server.
[Sysname-radius-radius1] user-name-format without-domain
[Sysname-radius-radius1] quit
# Create default user domain aabbcc.net and enter its view.
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] quit
[Sysname] domain default enable aabbcc.net
[Sysname] domain aabbcc.net
# Set radius1 as the RADIUS scheme for users of the domain and specify to use local authentication as the secondary scheme.
[Sysname-isp-aabbcc.net] authentication default radius-scheme radius1 local
[Sysname-isp-aabbcc.net] authorization default radius-scheme radius1 local
[Sysname-isp-aabbcc.net] accounting default radius-scheme radius1 local
# Set the maximum number of users for the domain as 30.
[Sysname-isp-aabbcc.net] access-limit enable 30
# Enable the idle cut function and set the idle interval.
[Sysname-isp-aabbcc.net] idle-cut enable 20
[Sysname-isp-aabbcc.net] quit
# Enable 802.1x globally.
<Sysname> system-view
[Sysname] dot1x
# Enable 802.1x for port GigabitEthernet1/0/1.
[Sysname] dot1x interface GigabitEthernet 1/0/1
# Set the port access control method. (Optional. The default meets the requirement.)
[Sysname] dot1x port-method macbased interface GigabitEthernet 1/0/1
1.6 GuestVlan Configuration Example
I. Network requirements
As shown in Figure 1-11, a PC connects to the network through 802.1x authentication. The authentication server is a RADIUS server. GigabitEthernet1/0/3 of the Supplicant access switch belongs to VLAN 1; the Authentication Server belongs to VLAN 2; the Update Server, which is used for client download and upgrade, belongs to VLAN 10; and GigabitEthernet1/0/8, through which the switch accesses the Internet, belongs to VLAN 5.

Figure 1-11 Typical network diagram
As shown in Figure 1-12, enable 802.1x and GuestVlan 10 on GigabitEthernet1/0/3. When the switch has transmitted the authentication-triggering packet (EAP-Request/Identity) through the port more than the maximum number of times without receiving any response packet, GigabitEthernet1/0/3 is added to GuestVlan 10. In this case, the Supplicant and the Update Server belong to VLAN 10, so the Supplicant can access the Update Server and download the 802.1x client.

Figure 1-12 Enable GuestVlan
As shown in Figure 1-13, the Authentication Server delivers VLAN 5 after you pass authentication and access the Internet. In this case, the Supplicant and GigabitEthernet1/0/8 belong to VLAN 5, and the Supplicant can access the Internet.

Figure 1-13 User online and VLAN delivery
II. Configuration procedure
# Configure a RADIUS scheme.
[Sysname] radius scheme 2000
[Sysname-radius-2000] primary authentication 10.11.1.1 1812
[Sysname-radius-2000] primary accounting 10.11.1.1 1813
[Sysname-radius-2000] key authentication nec
[Sysname-radius-2000] key accounting nec
[Sysname-radius-2000] user-name-format without-domain
[Sysname-radius-2000] quit
# Configure a domain that uses the RADIUS scheme just configured.
[Sysname] domain system
[Sysname-isp-system] authentication default radius-scheme 2000
[Sysname-isp-system] authorization default radius-scheme 2000
[Sysname-isp-system] accounting default radius-scheme 2000
[Sysname-isp-system] quit
# Enable 802.1x globally.
<Sysname> system-view
[Sysname] dot1x
# Enable 802.1x on the specified port.
[Sysname] interface GigabitEthernet 1/0/3
[Sysname-GigabitEthernet1/0/3] dot1x
# Configure the access control method on the port as portbased.
[Sysname-GigabitEthernet1/0/3] dot1x port-method portbased
# Configure the access control mode on the port as auto.
[Sysname-GigabitEthernet1/0/3] dot1x port-control auto
# Configure the link type of the port as access.
[Sysname-GigabitEthernet1/0/3] port link-type access
[Sysname-GigabitEthernet1/0/3] quit
# Create VLAN 10.
[Sysname] vlan 10
[Sysname-vlan10] quit
# Configure GuestVlan of the specified port.
[Sysname] dot1x guest-vlan 10 interface GigabitEthernet1/0/3
Use the display current-configuration or display interface GigabitEthernet1/0/3 command to display the GuestVlan configuration. In cases such as when you disconnect from the Internet or fail to pass authentication, once the switch has transmitted the authentication-triggering packet (EAP-Request/Identity) more than the maximum number of times you set, you can use the display vlan 10 command to check whether the GuestVlan configured on the specified port has taken effect.