H3C S5500-SI Series Ethernet Switches Operation Manual-Release 1205-(V1.03)

14-802.1x-HABP-MAC Authentication Operation

Chapter 1  802.1x Configuration

The 802.1x protocol was proposed by the IEEE 802 LAN/WAN committee to address security problems on wireless LANs (WLANs). Currently, it is used on Ethernet as a common port access control mechanism.

When configuring 802.1x, use the following list to find the information you need:

- To get familiar with the basic concepts involved in 802.1x, its architecture, how it operates, and how it authenticates users, go to 802.1x Overview.

- To know how to configure 802.1x, go to Configuring 802.1x.

- To consult the display commands available for verifying the 802.1x configuration, go to Displaying and Maintaining 802.1x.

- To see how to configure 802.1x in typical scenarios, go to 802.1x Configuration Example.

 

1.1  802.1x Overview

802.1x is a port-based access control protocol. It authenticates and controls accessing devices at the port level. A device connecting to an 802.1x-enabled port of an access device can access the resources behind the port only after passing authentication. A user failing the authentication is physically disconnected.

To get more information about 802.1x, go to these topics:

- Architecture of 802.1x

- Operation of 802.1x

- EAP Encapsulation over LANs

- EAP Encapsulation over RADIUS

- Authentication Process of 802.1x

- 802.1x Timers

- Implementation of 802.1x

- Features Working Together with 802.1x

1.1.1  Architecture of 802.1x

802.1x operates in the typical client/server model and defines three entities: supplicant system, authenticator system, and authentication server system, as shown in Figure 1-1.

Figure 1-1 Architecture of 802.1x

- Supplicant system: A system at one end of the LAN segment, which is authenticated by the system at the other end. A supplicant system is usually a user-end device and initiates 802.1x authentication through 802.1x client software supporting the EAP over LANs (EAPOL) protocol.

- Authenticator system: A system at one end of the LAN segment, which authenticates the system at the other end. An authenticator system is usually an 802.1x-enabled network device and provides ports (physical or logical) for supplicants to access the LAN.

- Authentication server system: The system providing authentication, authorization, and accounting services for the authenticator system.

The above systems involve three basic concepts: PAE, controlled port, and control direction.

I. PAE

Port access entity (PAE) refers to the entity on a given port of a device that performs the 802.1x algorithm and protocol operations. The authenticator PAE uses the authentication server to authenticate the supplicant trying to access the LAN and controls the status of the controlled port (authorized or unauthorized) according to the authentication result. The supplicant PAE responds to the authentication request of the authenticator PAE and provides authentication information. The supplicant PAE can also send authentication requests and logoff requests to the authenticator.

II. Controlled port

An authenticator provides ports for supplicants to access the LAN. Each of the ports can be regarded as two virtual ports: a controlled port and an uncontrolled port.

- The uncontrolled port is always open in both the inbound and outbound directions to allow EAPOL protocol frames to pass, guaranteeing that the supplicant can always send or receive authentication frames.

- The controlled port is open to allow normal traffic to pass only when it is in the authorized state.

- The controlled port and uncontrolled port are two parts of the same port. Any frames arriving at the port are visible to both of them.

III. Control direction

In the unauthorized state, the controlled port can be set to deny traffic to and from the supplicant, or just the traffic from the supplicant. Currently, the switch supports only denying the traffic from the supplicant.

1.1.2  Operation of 802.1x

The 802.1x authentication system employs the extensible authentication protocol (EAP) to support authentication information exchange between the supplicant PAE, authenticator PAE, and authentication server.

Figure 1-2 Operation of 802.1x

- Between the supplicant PAE and authenticator PAE, EAP protocol packets are encapsulated using EAPOL and transferred over LANs.

- Between the authenticator PAE and authentication server, EAP protocol packets can be encapsulated using the EAP attributes of RADIUS and then relayed to the RADIUS server, or terminated at the authenticator PAE, repackaged in the PAP or CHAP attributes of RADIUS, and then transferred to the RADIUS server. The former is referred to as EAP relay mode, and the latter as EAP termination mode.

- The authentication server is usually a RADIUS server. It maintains information about users, such as the account, password, VLAN to which the user belongs, CAR parameters, priority level, and ACL.

- After a user passes the authentication, the authentication server passes information about the user to the authenticator, which controls the status of the controlled port according to the instruction of the authentication server.

1.1.3  EAP Encapsulation over LANs

I. EAPOL frame format

EAPOL, defined by 802.1x, is intended to carry EAP protocol packets between supplicants and authenticators over LANs. Figure 1-3 shows the EAPOL frame format.

Figure 1-3 EAPOL frame format

PAE Ethernet Type: Protocol type. It takes the value 0x888E.

Protocol version: Version of the EAPOL protocol supported by the EAPOL frame sender.

Type: Type of the packet. The following types are defined:

- EAP-Packet (a value of 0x00), frame for carrying authentication information.

- EAPOL-Start (a value of 0x01), frame for initiating authentication.

- EAPOL-Logoff (a value of 0x02), frame for logoff request.

- EAPOL-Key (a value of 0x03), frame for carrying key information.

- EAPOL-Encapsulated-ASF-Alert (a value of 0x04), frame for carrying alerting information conforming to Alert Standard Forum (ASF).

Length: Length of the data, that is, length of the Packet body field, in bytes. If the value of this field is 0, no subsequent data field is present.

Packet body: The format of this field varies with the value of the Type field.

A frame with a type of EAPOL-Start, EAPOL-Logoff, or EAPOL-Key is exchanged only between a supplicant and an authenticator. A frame with a type of EAP-Packet is repackaged and transferred over RADIUS so that it can get through complex networks to reach the authentication server. A frame with a type of EAPOL-Encapsulated-ASF-Alert encapsulates network management-related information (for example, various warning messages) and is terminated at the authenticator.

II. EAP packet format

An EAPOL frame with a type of EAP-Packet carries an EAP packet in its Packet body field. The structure of the EAP packet is shown in Figure 1-4.

Figure 1-4 EAP packet format

Code: Type of the EAP packet, which can be Request, Response, Success, or Failure.

Identifier: Allows matching of responses with requests.

Length: Length of the EAP packet, including the Code, Identifier, Length, and Data fields.

Data: This field is zero or more bytes and its format is determined by the Code field.

An EAP packet of the type of Success or Failure has no Data field, and has a length of 4. An EAP packet of the type of Request or Response is in the format shown in Figure 1-5.

Figure 1-5 Format of the EAP request/response packet

Type: EAP authentication type. A value of 1 represents Identity, indicating that the packet is for querying the identity of the supplicant. A value of 4 represents MD5-Challenge, which corresponds closely to the PPP CHAP protocol.
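As an added example (not code from the H3C manual), the following Python parser implements the EAPOL and EAP layouts of Figures 1-3 through 1-5 and rejects the malformed cases an authenticator should drop (a Length longer than the data present, a Success/Failure packet that claims a Data field). The sample frames are constructed for illustration, not captures.

```python
import struct
from dataclasses import dataclass
from typing import Optional

EAPOL_ETHERTYPE = 0x888E                       # PAE Ethernet Type (Figure 1-3)
EAPOL_TYPES = {0x00: "EAP-Packet", 0x01: "EAPOL-Start", 0x02: "EAPOL-Logoff",
               0x03: "EAPOL-Key", 0x04: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}  # the two types the manual names


class EapolError(ValueError):
    """Raised for any frame an authenticator should drop rather than process."""


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]   # None for Success/Failure (no Data field)
    type_data: bytes          # Data after the Type byte (empty for Success/Failure)


@dataclass
class EapolFrame:
    version: int
    frame_type: int
    eap: Optional[EapPacket]  # only EAP-Packet frames carry an EAP packet


def parse_eap(body: bytes) -> EapPacket:
    """Parse one EAP packet (Figures 1-4 and 1-5) from the EAPOL Packet body."""
    if len(body) < 4:
        raise EapolError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise EapolError(f"unknown EAP code {code}")
    # Length covers Code, Identifier, Length and Data. Bytes beyond it are
    # padding and ignored; a Length longer than the body is an error.
    if length < 4 or length > len(body):
        raise EapolError(f"bad EAP length {length} for {len(body)}-byte body")
    data = body[4:length]
    if code in (3, 4):                       # Success / Failure
        if length != 4:
            raise EapolError("Success/Failure packets must have length 4")
        return EapPacket(code, ident, None, b"")
    if not data:                             # Request / Response need a Type byte
        raise EapolError("Request/Response packet without Type field")
    return EapPacket(code, ident, data[0], data[1:])


def parse_eapol(frame: bytes) -> EapolFrame:
    """Parse an EAPOL frame: the bytes that follow the 0x888E EtherType."""
    if len(frame) < 4:
        raise EapolError("EAPOL header truncated")
    version, ftype, length = struct.unpack("!BBH", frame[:4])
    if ftype not in EAPOL_TYPES:
        raise EapolError(f"unknown EAPOL type {ftype}")
    if length > len(frame) - 4:
        raise EapolError("EAPOL Length exceeds the data actually present")
    body = frame[4:4 + length]
    if ftype != 0x00:
        # Start, Logoff, Key and ASF-Alert terminate at the authenticator;
        # a Length of 0 means no Packet body follows.
        return EapolFrame(version, ftype, None)
    return EapolFrame(version, ftype, parse_eap(body))


def describe(frame: EapolFrame) -> str:
    """One-line summary, e.g. for a port access log."""
    kind = EAPOL_TYPES[frame.frame_type]
    if frame.eap is None:
        return f"EAPOL v{frame.version} {kind}"
    e = frame.eap
    if e.eap_type is None:
        return f"EAPOL v{frame.version} EAP-{EAP_CODES[e.code]} id={e.identifier}"
    t = EAP_TYPES.get(e.eap_type, f"type{e.eap_type}")
    return f"EAPOL v{frame.version} EAP-{EAP_CODES[e.code]}/{t} id={e.identifier}"


# Constructed sample frames (not captures), laid out per Figures 1-3 to 1-5.
EAPOL_START = bytes.fromhex("01010000")                           # v1, Start, len 0
REQ_IDENTITY = bytes.fromhex("01000005" "0100000501")             # EAP-Request/Identity id 0
RESP_IDENTITY = bytes.fromhex("0100000a" "0201000a01") + b"alice"  # EAP-Response/Identity id 1
EAP_SUCCESS = bytes.fromhex("01000004" "03020004")                # EAP-Success id 2
TRUNCATED = bytes.fromhex("01000010" "0203")                      # claims 16 bytes, carries 2
BAD_SUCCESS = bytes.fromhex("01000005" "0302000501")              # Success with a Data byte

if __name__ == "__main__":
    for f in (EAPOL_START, REQ_IDENTITY, RESP_IDENTITY, EAP_SUCCESS):
        print(describe(parse_eapol(f)))
```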

1.1.4  EAP Encapsulation over RADIUS

Two attributes of RADIUS are intended for supporting EAP authentication: EAP-Message and Message-Authenticator. For information about the RADIUS packet format, refer to the RADIUS overview part in AAA&RADIUS&HWTACACS Operation Manual.

I. EAP-Message

The EAP-Message attribute is used to encapsulate EAP packets. Figure 1-6 shows its encapsulation format. The value of the Type field is 79. The String field can be up to 253 bytes. If the EAP packet is longer than 253 bytes, it can be fragmented and encapsulated into multiple EAP-Message attributes.

Figure 1-6 Encapsulation format of the EAP-Message attribute

II. Message-Authenticator

The Message-Authenticator attribute is used to prevent access requests from being snooped during EAP authentication. It must be included in any packet with the EAP-Message attribute; otherwise, the packet will be considered invalid and get discarded. Figure 1-7 shows the encapsulation format of the Message-Authenticator attribute.

Figure 1-7 Encapsulation format of the Message-Authenticator attribute
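Added example, not from the manual or H3C: how an authenticator fragments an EAP packet into 253-byte EAP-Message attributes and computes the Message-Authenticator (HMAC-MD5 keyed with the RADIUS shared key over the whole Access-Request with the attribute value zeroed, as RFC 2869 defines it), and how the server side rejects a packet whose Message-Authenticator is missing or does not verify. The shared key name and the username localuser are taken from the configuration example later in this chapter; the 300-byte EAP packet and the fixed Request Authenticator are constructed.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79             # Type value from Figure 1-6
ATTR_MESSAGE_AUTHENTICATOR = 80   # 16-byte HMAC-MD5 over the packet
MAX_STRING = 253                  # largest String one attribute can carry


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) String, with Length counting all three fields."""
    if len(value) > MAX_STRING:
        raise ValueError("attribute String longer than 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def eap_message_attributes(eap_packet: bytes) -> bytes:
    """Fragment an EAP packet into as many EAP-Message attributes as needed."""
    return b"".join(attribute(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_STRING])
                    for i in range(0, len(eap_packet), MAX_STRING))


def build_access_request(identifier: int, secret: bytes, username: bytes,
                         eap_packet: bytes,
                         request_authenticator: Optional[bytes] = None) -> bytes:
    """Authenticator side: relay an EAP packet inside an Access-Request."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + eap_message_attributes(eap_packet)
    ma_offset = 20 + len(attrs) + 2            # where the 16-byte MAC value will sit
    attrs += attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zero placeholder
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    # HMAC-MD5 keyed with the shared secret over the whole packet, MAC field zeroed
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:ma_offset] + mac + packet[ma_offset + 16:]


def parse_attributes(packet: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (type, offset_of_value, value) for each attribute after the header."""
    out, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("bad attribute length")
        out.append((attr_type, i + 2, packet[i + 2:i + length]))
        i += length
    return out


def verify_access_request(packet: bytes, secret: bytes) -> bytes:
    """Server side: validate the packet and return the reassembled EAP packet.
    Raises ValueError for anything the manual says must be discarded."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs = parse_attributes(packet)
    eap_parts = [v for t, _, v in attrs if t == ATTR_EAP_MESSAGE]
    macs = [(off, v) for t, off, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if eap_parts and len(macs) != 1:
        raise ValueError("EAP-Message present without exactly one Message-Authenticator")
    for off, value in macs:
        if len(value) != 16:
            raise ValueError("Message-Authenticator must be 16 bytes")
        zeroed = packet[:off] + bytes(16) + packet[off + 16:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(value, expected):
            raise ValueError("Message-Authenticator mismatch: forged packet or wrong key")
    return b"".join(eap_parts)


# Constructed sample: a 300-byte EAP-Response/Identity, so two EAP-Message attributes.
SECRET = b"name"                                   # shared key from the configuration example
SAMPLE_EAP = bytes([2, 5]) + struct.pack("!H", 300) + bytes([1]) + b"x" * 295
SAMPLE_REQUEST = build_access_request(5, SECRET, b"localuser", SAMPLE_EAP,
                                      request_authenticator=bytes(range(16)))

if __name__ == "__main__":
    print("EAP-Message fragments:",
          sum(1 for t, _, _ in parse_attributes(SAMPLE_REQUEST) if t == ATTR_EAP_MESSAGE))
    print("verified, EAP bytes:", len(verify_access_request(SAMPLE_REQUEST, SECRET)))
```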

1.1.5  Authentication Process of 802.1x

802.1x authentication can be initiated by either a user or the authenticator system. A user initiates authentication by launching the 802.1x client software to send an EAPOL-Start frame to the authenticator system, while the authenticator system sends an EAP-Request/Identity frame to an unauthenticated user when it detects that the user is trying to log in. An 802.1x authenticator system communicates with a remotely located RADIUS server in two modes: EAP relay and EAP termination. The following description takes the first case as an example to show the 802.1x authentication process.

I. EAP relay

EAP relay is an IEEE 802.1x standard mode. In this mode, EAP packets are carried in a high layer protocol, such as RADIUS, so that they can go through complex networks and reach the authentication server. Generally, EAP relay requires that the RADIUS server support the EAP attributes of EAP-Message and Message-Authenticator. See Figure 1-8 for the message exchange procedure.

Figure 1-8 Message exchange in EAP relay mode

1) When a user launches the 802.1x client software and enters the registered username and password, the 802.1x client software generates an EAPOL-Start frame and sends it to the authenticator to initiate an authentication process.

2) Upon receiving the EAPOL-Start frame, the authenticator responds with an EAP-Request/Identity packet for the identity of the supplicant.

3) When the supplicant receives the EAP-Request/Identity packet, it encapsulates the identity information in an EAP-Response/Identity packet and sends the packet to the authenticator.

4) Upon receiving the EAP-Response/Identity packet, the authenticator relays the packet in a RADIUS Access-Request packet to the authentication server.

5) When receiving the RADIUS Access-Request packet, the authentication server compares the identity information against its user information table to obtain the corresponding password information. Then, it encrypts the password information using a randomly generated challenge, and sends the challenge information through a RADIUS Access-Challenge packet to the authenticator.

6) After receiving the RADIUS Access-Challenge packet, the authenticator relays the contained EAP-Request/MD5 Challenge packet to the supplicant.

7) When receiving the EAP-Request/MD5 Challenge packet, the supplicant uses the offered challenge to encrypt the password part (this process is not reversible), creates an EAP-Response/MD5 Challenge packet, and then sends the packet to the authenticator.

8) After receiving the EAP-Response/MD5 Challenge packet, the authenticator relays the packet in a RADIUS Access-Request packet to the authentication server.

9) When receiving the RADIUS Access-Request packet, the authentication server compares the password information encapsulated in the packet with that generated by itself. If the two are identical, the authentication server considers the user valid and sends to the supplicant a RADIUS Access-Accept packet, instructing the authenticator to open the port to permit the access request of the supplicant.

10) After the supplicant gets online, the authenticator periodically sends EAP-Request/Identity packets to the supplicant to check whether the supplicant is still online. By default, if two consecutive handshake attempts end up with failure, the authenticator concludes that the supplicant has gone offline and performs the necessary operations, guaranteeing that the authenticator always knows when a supplicant goes offline.

11) The supplicant can also send an EAPOL-Logoff frame to the authenticator to terminate the authenticated status. In this case, the authenticator changes the status of the port from authorized to unauthorized.

II. EAP termination

In EAP termination mode, EAP packets are terminated at the authenticator and then repackaged into the PAP or CHAP attributes of RADIUS and transferred to the RADIUS server for authentication, authorization, and accounting. See Figure 1-9 for the message exchange procedure.

Figure 1-9 Message exchange in EAP termination mode

Different from the authentication process in EAP relay mode, it is the authenticator that generates the random challenge for encrypting the user password information in EAP termination authentication process. Consequently, the authenticator sends the challenge together with the username and encrypted password information from the supplicant to the authentication server for authentication.
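Added example (not the manual's own code) working steps 5, 7 and 9 of the EAP relay exchange in Python. The "encryption" the text describes is the one-way CHAP computation that EAP MD5-Challenge uses, MD5(Identifier || password || challenge), so the server verifies by recomputing the value rather than decrypting anything; issuing a fresh challenge per attempt and consuming it on use is what keeps a captured response from being replayed. The user table and the AuthServer class are constructed stand-ins for the RADIUS server.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

EAP_MD5_VALUE_SIZE = 16   # MD5 digest length carried in the Value field


def md5_challenge_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """The 'encrypted password' of steps 5 and 7: MD5(Identifier || password || challenge).
    This is the CHAP computation; it is one-way, which is why the text calls it not reversible."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_response_data(identifier: int, password: bytes,
                            challenge: bytes, name: bytes) -> bytes:
    """Type-Data of an EAP-Response/MD5-Challenge (step 7, supplicant side):
    Value-Size(1) Value(16) Name."""
    value = md5_challenge_value(identifier, password, challenge)
    return bytes([len(value)]) + value + name


def parse_md5_response_data(data: bytes) -> Tuple[bytes, bytes]:
    """Split Type-Data back into (Value, Name); rejects malformed responses."""
    if len(data) < 1 + EAP_MD5_VALUE_SIZE or data[0] != EAP_MD5_VALUE_SIZE:
        raise ValueError("malformed MD5-Challenge response")
    return data[1:1 + EAP_MD5_VALUE_SIZE], data[1 + EAP_MD5_VALUE_SIZE:]


class AuthServer:
    """Minimal stand-in for the RADIUS server side of steps 5 and 9 (constructed)."""

    def __init__(self, users: Dict[str, bytes]):
        self.users = users                       # username -> cleartext password
        self.pending: Dict[int, bytes] = {}      # EAP Identifier -> challenge issued

    def issue_challenge(self, identifier: int) -> bytes:
        """Step 5: a fresh random challenge per attempt, remembered under the Identifier."""
        challenge = os.urandom(EAP_MD5_VALUE_SIZE)
        self.pending[identifier] = challenge
        return challenge

    def verify(self, identifier: int, response_data: bytes) -> bool:
        """Step 9: recompute the expected value and compare in constant time.
        The challenge is single-use, so a captured response cannot be replayed."""
        challenge = self.pending.pop(identifier, None)
        if challenge is None:
            return False                         # no outstanding request for this Identifier
        value, name = parse_md5_response_data(response_data)
        password = self.users.get(name.decode("utf-8", "replace"))
        if password is None:
            return False
        expected = md5_challenge_value(identifier, password, challenge)
        return hmac.compare_digest(value, expected)


def run_exchange(server: AuthServer, identifier: int, name: bytes, password: bytes) -> bool:
    """Steps 5 to 9 in one call: challenge out, response back, verdict."""
    challenge = server.issue_challenge(identifier)
    response = build_md5_response_data(identifier, password, challenge, name)
    return server.verify(identifier, response)


if __name__ == "__main__":
    srv = AuthServer({"localuser": b"localpass"})   # constructed user table
    print("correct password:", run_exchange(srv, 7, b"localuser", b"localpass"))
    print("wrong password:  ", run_exchange(srv, 8, b"localuser", b"guess"))
```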

1.1.6  802.1x Timers

Several timers are used in the 802.1x authentication process to guarantee that the accessing users, the authenticators, and the RADIUS server interact with each other in a reasonable manner. The following are the major 802.1x timers:

- Identity request timeout timer (tx-period): Once an authenticator sends an EAP-Request/Identity frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request.

- Password request timeout timer (supp-timeout): Once an authenticator sends an EAP-Request/MD5 Challenge frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request.

- Authentication server timeout timer (server-timeout): Once an authenticator sends a RADIUS Access-Request packet to the authentication server, it starts this timer. If this timer expires but it receives no response from the server, it retransmits the request.

- Handshake timer (handshake-period): After a supplicant passes authentication, the authenticator sends to the supplicant handshake requests at this interval to check whether the supplicant is online. If the authenticator receives no response after sending the allowed maximum number of handshake requests, it considers that the supplicant is offline.

- Quiet timer (quiet-period): When a supplicant fails the authentication, the authenticator refuses further authentication requests from the supplicant in this period of time.

1.1.7  Implementation of 802.1x

The switch extends and optimizes the mechanism that the 802.1x protocol specifies by:

- Allowing multiple users to access network services through the same physical port.

- Supporting two authentication methods: portbased and macbased. With the portbased method, after the first user of a port passes authentication, all other users of the port can access the network without authentication, and when the first user goes offline, all other users go offline at the same time. With the macbased method, each user of a port must be authenticated separately, and when an authenticated user goes offline, no other users are affected.

These extensions can help improve network security and manageability dramatically.

1.1.8  Features Working Together with 802.1x

I. VLAN assignment

After an 802.1x supplicant passes authentication, the authentication server sends authorization information to the authenticator. If the authorization information contains VLAN authorization information, the authenticator adds the port connecting the supplicant to the assigned VLAN. This neither changes nor affects the configurations of the port. The only result is that the assigned VLAN takes precedence over the manually configured one, that is, the assigned VLAN takes effect.

For information on how to configure CAMS or Windows 2000 Server for VLAN assignment, refer to the configuration guides for CAMS or Windows 2000 server.

 

Note:

For S5500-SI series Ethernet switches, currently the VLAN assignment function is available only for the ports whose link type is ACCESS.

 

II. GuestVlan

If a user fails authentication for reasons such as having no proprietary authentication client or an outdated client version, the port is added to the GuestVlan. The GuestVlan is a default VLAN that can be accessed without authentication. In it, the user can reach resources such as client download and upgrade servers. After installing or upgrading the authentication client with these resources, the user can carry out the authentication procedure and gain access to network resources.

After 802.1x is enabled and the GuestVlan is configured correctly, the switch sends authentication-triggering packets (EAP-Request/Identity) through the port. If the switch has sent the authentication-triggering packet the maximum number of times without receiving any response, the port is added to the GuestVlan.

At this point, the user can initiate authentication. If the user fails authentication, the port remains in the GuestVlan. If the user passes authentication, there are two cases:

- The authentication server delivers a VLAN. In this case, the port leaves the GuestVlan and joins the delivered VLAN. After the user goes offline, the port returns to the configured VLAN (the one the port was in before it joined the GuestVlan, that is, the original VLAN).

- The authentication server does not deliver a VLAN. In this case, the port leaves the GuestVlan and joins the configured VLAN. After the user goes offline, the port stays in the configured VLAN.

1.2  Configuring 802.1x

Except for enabling 802.1x globally or on ports, all other 802.1x configurations are optional. You can perform these configurations as required. For specific parameters and their meanings, see 802.1x-HABP-MAC Authentication Command Manual.

1.2.1  Configuration Prerequisites

802.1x provides a user identity authentication scheme. However, 802.1x cannot implement the authentication scheme by itself. RADIUS or local authentication must be configured to work with 802.1x:

- For remote RADIUS authentication, the username and password information must be configured on the RADIUS server and the relevant configurations must be performed on the authenticator.

- For local authentication, the username and password information must be configured on the authenticator and the service type must be set to lan-access.

For details about these configuration tasks, refer to AAA&RADIUS&HWTACACS Operation Manual.

1.2.2  Configuration Procedure

Follow these steps to configure 802.1x (each step lists what to do, the command to use, and remarks):

1) Enter system view: system-view

2) Enable 802.1x globally: dot1x (Required; disabled by default)

3) Enable 802.1x for specified ports: dot1x interface interface-list (Required; disabled by default. Alternatively, in Ethernet interface view, use interface interface-type interface-number, then dot1x, then quit.)

4) Set the port access control mode for specified or all ports: dot1x port-control { authorized-force | unauthorized-force | auto } [ interface interface-list ] (Optional; auto by default)

5) Set the port access control method for specified or all ports: dot1x port-method { macbased | portbased } [ interface interface-list ] (Optional; macbased by default)

6) Set the maximum number of accessing users for specified or all ports: dot1x max-user user-number [ interface interface-list ] (Optional; 256 per port by default)

7) Set the 802.1x authentication method: dot1x authentication-method { chap | pap | eap } (Optional; CHAP by default)

8) Set the maximum number of attempts for sending authentication requests to the supplicant: dot1x retry max-retry-value (Optional; 2 by default)

9) Set timers: dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value } (Optional. The defaults are 15 seconds for the handshake timer, 60 seconds for the quiet timer, 30 seconds for the identity request timeout timer, 30 seconds for the password request timeout timer, and 100 seconds for the authentication server timeout timer.)

10) Enable the quiet timer: dot1x quiet-period (Optional; disabled by default)

11) Enter Ethernet interface view: interface interface-type interface-num

12) Enable online user handshake: dot1x handshake (Optional; enabled by default)

 

Caution:

- 802.1x must be enabled both globally in system view and specifically for the intended ports, in system view or Ethernet interface view. Otherwise, it does not function.

- Some 802.1x timers are configurable. Changing them makes sense only in special or extreme network environments. Normally, leave the defaults unchanged.

- With 802.1x enabled on a port, you cannot configure the maximum number of MAC addresses that the port can learn (by using the mac-address max-mac-count command), and vice versa.

- All 802.1x-related configurations can be performed in system view. Enabling 802.1x, the port access control mode, the port access control method, and the maximum number of accessing users can also be configured in port view.

- If you perform a configuration in system view and do not specify the interface-list argument, the configuration applies to all ports. Configurations performed in Ethernet port view apply to the current Ethernet port only, and the interface-list argument is not needed in this case.

- If EAP authentication is used for 802.1x users, the contents you enter on the client are encapsulated and sent directly to the server. In this case, the configuration made with the user-name-format command is invalid.

- If the client is configured to include the version number, or you enter a username containing a blank character, you cannot search or release user connections by username. However, you can search or release user connections in other ways, such as by IP address or connection index.

- If 802.1x is enabled on a port, the port cannot be added to an aggregation group. If a port has been added to an aggregation group, you cannot enable 802.1x on the port.

- 802.1x cannot block cluster handshake packets.

- Currently, the 10GE ports of S5500-SI series Ethernet switches do not support 802.1x.

 

1.3  Configuring GuestVlan

1.3.1  Configuration Prerequisites

- Enable 802.1x.

- Configure the access control method on the port as portbased.

- Configure the access control mode on the port as auto.

- Configure the link type of the port as access.

- Create the VLAN that will be configured as the GuestVlan.

1.3.2  Configuring GuestVlan

Follow these steps to configure the GuestVlan:

1) Enter system view: system-view

2) Configure the GuestVlan of the specified port: dot1x guest-vlan vlan-id [ interface interface-list ] (Required. By default, no GuestVlan is configured on the port.)

 

1.4  Displaying and Maintaining 802.1x

- Display 802.1x session information, statistics, or configuration information of specified or all ports: display dot1x [ sessions | statistics ] [ interface interface-list ] (available in any view)

- Clear 802.1x statistics: reset dot1x statistics [ interface interface-list ] (available in user view)

 

1.5  802.1x Configuration Example

I. Network requirements

- As shown in Figure 1-10, a host is connected to port GigabitEthernet1/0/1 on the switch.

- The macbased access control method is required on the port to control accessing users.

- All AAA accessing users belong to the default domain aabbcc.net, which can accommodate up to 30 users. For authentication, RADIUS authentication is performed first, and local authentication is used when no response is received from the RADIUS server. For accounting, a user is logged off if RADIUS accounting fails. Whenever a user remains idle for over 20 minutes, the connection is torn down.

- A server group with two RADIUS servers is connected to the switch. The IP addresses of the servers are 10.11.1.1 and 10.11.1.2 respectively. Use the former as the primary authentication/secondary accounting server, and the latter as the secondary authentication/primary accounting server.

- Set the shared key for the device to exchange packets with the authentication server as name, and that for the device to exchange packets with the accounting server as money.

- Specify the device to try up to five times at an interval of 5 seconds when transmitting a packet to the RADIUS server until it receives a response from the server, and to send real-time accounting packets to the accounting server every 15 minutes.

- Specify the device to remove the domain name from the username before passing the username to the RADIUS server.

- Set the username of the 802.1x user as localuser and the password as localpass, stored in clear text. Enable the idle cut function.

II. Network diagram

Figure 1-10 Network diagram for 802.1x configuration

III. Configuration procedure

 

Note:

The following configuration procedure covers most AAA/RADIUS configuration commands for the authenticator; configuration on the supplicant and the RADIUS server is omitted.

For information about AAA/RADIUS configuration commands, refer to AAA&RADIUS&HWTACACS Operation Manual.

 

# Add local access user localuser, enable the idle cut function and set the idle interval.

<Sysname> system-view

[Sysname] local-user localuser

[Sysname-luser-localuser] service-type lan-access

[Sysname-luser-localuser] password simple localpass

[Sysname-luser-localuser] attribute idle-cut 20

[Sysname-luser-localuser] quit

# Create RADIUS scheme radius1 and enter its view.

[Sysname] radius scheme radius1

# Configure the IP addresses of the primary authentication and accounting RADIUS servers.

[Sysname-radius-radius1] primary authentication 10.11.1.1

[Sysname-radius-radius1] primary accounting 10.11.1.2

# Configure the IP addresses of the secondary authentication and accounting RADIUS servers.

[Sysname-radius-radius1] secondary authentication 10.11.1.2

[Sysname-radius-radius1] secondary accounting 10.11.1.1

# Specify the shared key for the device to exchange packets with the authentication server.

[Sysname-radius-radius1] key authentication name

# Specify the shared key for the device to exchange packets with the accounting server.

[Sysname-radius-radius1] key accounting money

# Set the interval for the device to retransmit packets to the RADIUS server and the maximum number of transmission attempts.

[Sysname-radius-radius1] timer response-timeout 5

[Sysname-radius-radius1] retry 5

# Set the interval for the device to send real-time accounting packets to the RADIUS server.

[Sysname-radius-radius1] timer realtime-accounting 15

# Specify the device to remove the domain name of any username before passing the username to the RADIUS server.

[Sysname-radius-radius1] user-name-format without-domain

[Sysname-radius-radius1] quit

# Create default user domain aabbcc.net and enter its view.

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] quit

[Sysname] domain default enable aabbcc.net

[Sysname] domain aabbcc.net

# Set radius1 as the RADIUS scheme for users of the domain and specify local authentication as the secondary scheme.

[Sysname-isp-aabbcc.net] authentication default radius-scheme radius1 local

[Sysname-isp-aabbcc.net] authorization default radius-scheme radius1 local

[Sysname-isp-aabbcc.net] accounting default radius-scheme radius1 local

# Set the maximum number of users for the domain as 30.

[Sysname-isp-aabbcc.net] access-limit enable 30

# Enable the idle cut function and set the idle interval.

[Sysname-isp-aabbcc.net] idle-cut enable 20

[Sysname-isp-aabbcc.net] quit

# Enable 802.1x globally.

[Sysname] dot1x

# Enable 802.1x for port GigabitEthernet1/0/1.

[Sysname] dot1x interface GigabitEthernet 1/0/1

# Set the port access control method. (Optional. The default meets the requirement.)

[Sysname] dot1x port-method macbased interface GigabitEthernet 1/0/1

1.6  Typical GuestVlan Configuration Example

I.  Network requirement

As shown in Figure 1-11, a PC connects to the network through 802.1x authentication. The authentication server is a RADIUS server. GigabitEthernet1/0/3 of the access switch, to which the supplicant connects, belongs to VLAN 1; the authentication server belongs to VLAN 2; the update server, which is used for client download and upgrade, belongs to VLAN 10; GigabitEthernet1/0/8, through which the switch accesses the Internet, belongs to VLAN 5.

Figure 1-11 Typical network diagram

As shown in Figure 1-12, 802.1x is enabled and GuestVlan 10 is configured on GigabitEthernet1/0/3. When the switch has sent the authentication-triggering packet (EAP-Request/Identity) through the port the maximum number of times without receiving any response, GigabitEthernet1/0/3 is added to GuestVlan 10. The supplicant and the update server then both belong to VLAN 10, so the supplicant can reach the update server and download the 802.1x client.

Figure 1-12 Enable GuestVlan

As shown in Figure 1-13, after the user passes authentication the authentication server delivers VLAN 5. The supplicant and GigabitEthernet1/0/8 then both belong to VLAN 5, so the supplicant can access the Internet.

Figure 1-13 User online and VLAN delivery

II. Configuration procedure

# Configure a RADIUS scheme.

<Sysname> system-view

[Sysname] radius scheme 2000

[Sysname-radius-2000] primary authentication 10.11.1.1 1812

[Sysname-radius-2000] primary accounting 10.11.1.1 1813

[Sysname-radius-2000] key authentication nec

[Sysname-radius-2000] key accounting nec

[Sysname-radius-2000] user-name-format without-domain

[Sysname-radius-2000] quit

# Configure a domain that uses the RADIUS scheme just configured.

[Sysname] domain system

[Sysname-isp-system] authentication default radius-scheme 2000

[Sysname-isp-system] authorization default radius-scheme 2000

[Sysname-isp-system] accounting default radius-scheme 2000

[Sysname-isp-system] quit

# Enable 802.1x globally.

[Sysname] dot1x

# Enable 802.1x on the specified port.

[Sysname] interface GigabitEthernet 1/0/3

[Sysname-GigabitEthernet1/0/3] dot1x

# Set the access control method on the port to portbased.

[Sysname-GigabitEthernet1/0/3] dot1x port-method portbased

# Set the access control mode on the port to auto.

[Sysname-GigabitEthernet1/0/3] dot1x port-control auto

# Set the link type of the port to access.

[Sysname-GigabitEthernet1/0/3] port link-type access

[Sysname-GigabitEthernet1/0/3] quit

# Create VLAN 10.

[Sysname] vlan 10

[Sysname-vlan10] quit

# Configure the GuestVlan of the specified port.

[Sysname] dot1x guest-vlan 10 interface GigabitEthernet 1/0/3

Use the display current-configuration or display interface GigabitEthernet 1/0/3 command to check the GuestVlan configuration. When a user goes offline or fails authentication, and the switch has sent the authentication-triggering packet (EAP-Request/Identity) the configured maximum number of times without a response, use the display vlan 10 command to verify that the GuestVlan configured on the port has taken effect.

 


Chapter 2  HABP Configuration

2.1  Introduction to HABP

With 802.1x (or MAC authentication) enabled, a switch authenticates users on its 802.1x-enabled (or MAC authentication-enabled) ports. Packets are forwarded only on authorized ports; packets received on ports that have not passed authentication are filtered.

As a result, users can no longer manage the attached switches through those ports. The Huawei authentication bypass protocol (HABP) was developed to address this problem.

An HABP packet carries the MAC addresses of the attached switches. It bypasses 802.1x and MAC authentication when travelling between HABP-enabled switches, so a management device can learn the MAC addresses of the attached switches and manage them.

HABP is implemented by an HABP server and HABP clients. The HABP server sends HABP request packets at regular intervals to the HABP clients to collect the MAC addresses of the attached switches. HABP clients respond to the request packets and forward them to lower-level switches. HABP servers usually reside on management devices and HABP clients on attached switches.

 

Note:

To enable both cluster and 802.1x authentication (or MAC address authentication) for a device at the same time, make sure that HABP is enabled on the device. Otherwise, the management device will fail to manage the devices attached to it.

 

2.2  Configuring HABP

2.2.1  HABP Server Configuration

With the HABP server enabled, a management device sends HABP request packets at regular intervals to the attached switches to collect their MAC addresses. You also need to configure, on the management device, the interval at which the HABP server sends HABP request packets.

Table 2-1 Configure an HABP server

Operation: Enter system view
Command: system-view

Operation: Enable HABP
Command: habp enable
Description: Optional. HABP is enabled by default.

Operation: Configure the current switch to be an HABP server
Command: habp server vlan vlan-id
Description: Required. By default, a switch operates as an HABP client after you enable HABP on the switch.

Operation: Configure the interval to send HABP request packets
Command: habp timer interval-time
Description: Optional. The default interval for an HABP server to send HABP request packets is 20 seconds.

 

2.2.2  HABP Client Configuration

HABP clients reside on switches attached to HABP servers. After you enable HABP on a switch, the switch operates as an HABP client by default, so enabling HABP is all that is needed to make a switch an HABP client.

Table 2-2 Configure an HABP client

Operation: Enter system view
Command: system-view

Operation: Enable HABP
Command: habp enable
Description: Optional. HABP is enabled by default, and a switch operates as an HABP client after you enable HABP on it.

Operation: Set the current switch to be an HABP client
Command: undo habp server
Description: Optional. By default, a switch operates as an HABP client.

 

2.3  Displaying HABP

After performing the above configuration, you can display and verify your HABP-related configuration by executing the display commands in any view.

Table 2-3 Display HABP

Operation: Display HABP configuration and status information
Command: display habp

Operation: Display the MAC address table maintained by HABP
Command: display habp table

Operation: Display statistics on HABP traffic
Command: display habp traffic

Description: You can execute the display commands in any view.

 


Chapter 3  MAC Authentication Configuration

MAC authentication is a method for authenticating users based on port and MAC address.

When configuring MAC authentication, use the following table to identify where to go for interested information:

If you need to…

Go to…

Get an overall idea of MAC authentication

MAC Authentication Overview

Know the normal procedure to configure MAC authentication

Configuring MAC Authentication

Learn how to display and maintain MAC authentication

Displaying and Maintaining MAC Authentication

See an example of how to configure MAC authentication

MAC Authentication Configuration Example

 

3.1  MAC Authentication Overview

MAC authentication controls user network access based on port and MAC address. It does not require users to have any supplicant system software installed. The MAC address of the host is used as the user name and password for authentication. Once a switch detects a MAC address, it initiates the authentication process.

Ethernet switches support remote RADIUS authentication and local authentication:

l           With RADIUS authentication, the switch serves as a RADIUS client. It forwards a detected user MAC address to the RADIUS server as the user name and password for authentication and, if a user passes the authentication, permits the user to access the network.

l           With local authentication, MAC addresses of users must be manually configured on the switch to be used as user names and passwords for authentication.

3.2  Configuring MAC Authentication

3.2.1  Configuration Prerequisites

l           Create and configure the ISP domain.

l           For local authentication, create a local user and configure the password.

l           For RADIUS authentication, ensure that the switch and the RADIUS server can reach each other. In addition, configure the user name and password on the RADIUS server, and then carry out the corresponding settings on the device serving as a RADIUS client.

 

  Caution:

For local authentication:

l      The MAC address to be used as the user name and password of a local user must be in the format of HHH.

l      The service type of the local user must be configured as lan-access.

 

3.2.2  Configuration Procedure

Follow these steps to configure MAC authentication:

To do: Enter system view
Use the command: system-view

To do: Enable MAC authentication globally
Use the command: mac-authentication
Remarks: Required. Disabled by default.

To do: Enable MAC authentication for specified ports
Use the command: mac-authentication interface interface-list
Remarks: Required. Disabled by default.

To do: Specify the ISP domain for MAC authentication
Use the command: mac-authentication domain isp-name
Remarks: Optional. The default ISP domain is used by default.

To do: Set the offline-detect timer
Use the command: mac-authentication timer offline-detect offline-detect-value
Remarks: Optional. 300 seconds by default.

To do: Set the quiet timer
Use the command: mac-authentication timer quiet quiet-value
Remarks: Optional. 1 minute by default.

To do: Set the server timeout timer
Use the command: mac-authentication timer server-timeout server-timeout-value
Remarks: Optional. 100 seconds by default.

 

  Caution:

l      You can enable MAC authentication for specified ports or set MAC authentication parameters before enabling MAC authentication globally. However, your configuration takes effect only after you enable MAC authentication globally.

l      MAC authentication cannot coexist with 802.1x authentication on the same port.

l      MAC authentication and a maximum number of MAC addresses to be learned (the mac-address max-mac-count command) cannot both be configured on the same port. If MAC authentication is enabled on a port, you cannot configure the maximum number of MAC addresses to be learned on it; conversely, if that maximum is configured on a port, you cannot enable MAC authentication on the port.

l      Ports with MAC address authentication enabled cannot be added to a link aggregation group. Conversely, MAC address authentication is unavailable to ports belonging to a link aggregation group.

 

3.3  Displaying and Maintaining MAC Authentication

To do: Display the global MAC authentication information or the MAC authentication information about specified interfaces
Use the command: display mac-authentication [ interface interface-list ]
Remarks: Available in any view

 

3.4  MAC Authentication Configuration Example

 

Note:

l      For local authentication, you configure the MAC address of a host as the user name and password on the switch.

l      For RADIUS authentication, you configure the MAC address of a host as the user name and password on the RADIUS server.

 

I. Network requirements

As illustrated in Figure 3-1, a user is connected to the switch through port GigabitEthernet 1/0/1.

l           MAC authentication is required on every port to control user access to the Internet.

l           All users belong to domain aabbcc.net.

l           Set the offline-detect timer to 180 seconds and the quiet timer to 3 minutes.

l           Configure the switch to perform local authentication.

II. Network diagram

Figure 3-1 Network diagram for MAC authentication

III. Configuration procedure

# Add a local user.

<Sysname> system-view

[Sysname] local-user 00e0fc010101

[Sysname-luser-00e0fc010101] password simple 00e0fc010101

[Sysname-luser-00e0fc010101] service-type lan-access

[Sysname-luser-00e0fc010101] quit

# Configure ISP domain aabbcc.net, and specify to perform local authentication.

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] authentication lan-access local

[Sysname-isp-aabbcc.net] quit

# Enable MAC authentication globally.

[Sysname] mac-authentication

# Enable MAC authentication on port GigabitEthernet 1/0/1.

[Sysname] mac-authentication interface GigabitEthernet 1/0/1

# Specify the ISP domain for centralized MAC authentication.

[Sysname] mac-authentication domain aabbcc.net

# Set the MAC authentication timers.

[Sysname] mac-authentication timer offline-detect 180

[Sysname] mac-authentication timer quiet 3
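The following added example (not the switch's own code) models the per-port behaviour described in this chapter: the detected MAC address is used as user name and password for local authentication, a failed MAC is left alone for the quiet timer, and an authenticated user is logged out by the offline-detect timer after a silent interval. Timer values are the ones from the configuration example above (offline-detect 180 seconds, quiet 3 minutes); the normalisation of the frame's MAC to the twelve-hex-digit user name form is an assumption.

```python
import re
from dataclasses import dataclass, field

# Local user names must be the MAC as twelve hexadecimal digits, as in 00e0fc010101.
MAC_FORMAT = re.compile(r"^[0-9a-f]{12}$")


@dataclass
class LocalUser:
    name: str
    password: str
    service_type: str  # must be "lan-access" for MAC authentication


@dataclass
class MacAuthPort:
    local_users: dict                                # user name -> LocalUser
    offline_detect: int = 180                        # seconds of silence before logout
    quiet: int = 180                                 # 3 minutes: a failed MAC is not retried
    authorized: dict = field(default_factory=dict)   # mac -> time of the last frame seen
    quiet_until: dict = field(default_factory=dict)  # mac -> end of its quiet period

    def local_auth(self, mac: str) -> bool:
        """Local authentication: the MAC is both the user name and the password."""
        user = self.local_users.get(mac)
        return (user is not None and MAC_FORMAT.match(mac) is not None
                and user.password == mac and user.service_type == "lan-access")

    def frame_seen(self, mac: str, now: int) -> str:
        """Decision for a frame from `mac` at time `now`: forward, drop-quiet or drop-failed."""
        mac = re.sub(r"[-:.]", "", mac.lower())      # assumption: normalise to the user name form
        if mac in self.authorized:
            self.authorized[mac] = now               # traffic restarts offline detection
            return "forward"
        if self.quiet_until.get(mac, 0) > now:
            return "drop-quiet"                      # no new attempt during the quiet timer
        if self.local_auth(mac):
            self.authorized[mac] = now
            return "forward"
        self.quiet_until[mac] = now + self.quiet     # failed: start the quiet timer
        return "drop-failed"

    def tick(self, now: int) -> list:
        """Offline detection: log out users silent for at least offline_detect seconds."""
        expired = [m for m, last in self.authorized.items() if now - last >= self.offline_detect]
        for m in expired:
            del self.authorized[m]
        return expired
```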

 
