Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 03-802.1x Configuration Examples | 756 KB |
Table of Contents
1.2.2 Configuration in Port View
Chapter 2 802.1X Configuration Commands
Chapter 3 Enterprise Network Access Authentication Configuration Example
3.1 Network Application Analysis
3.3.2 Configuring the RADIUS Server
3.3.3 Configuring the Supplicant System
Keywords: 802.1x and AAA
Abstract: This article introduces the application of 802.1x on Ethernet switches in real network environments, and then presents detailed configurations of the 802.1x client, LAN Switch and AAA server respectively.
Acronyms: AAA (Authentication, Authorization and Accounting)
Chapter 1 802.1X Overview
& Note:
The use of this document is restricted to H3C S7500 Series Ethernet switches.
1.1 Introduction to 802.1X
The LAN defined in IEEE 802 protocols does not provide access authentication. In general, users can access network devices or resources in a LAN as long as they access the LAN. When it comes to application circumstances like telecom network access, building, LAN and mobile office, however, administrators need to control and configure the access of user devices. Therefore, port- or user-based access control comes into being.
802.1x is a port-based network access control protocol. It is widely accepted by vendors, service providers and end users for its low cost, superior service continuity and scalability, and high security and flexibility.
1.2 Features Configuration
1.2.1 Global Configuration
l Enable 802.1x globally
l Set time parameters
l Set the maximum number of authentication request attempts
l Enable the quiet timer
l Enable re-authentication upon reboot
1.2.2 Configuration in Port View
l Enable dot1x on the port
l Enable Guest VLAN
l Set the maximum number of users supported on the port
l Set a port access control method (port-based or MAC-based)
l Set a port access control mode (force-authorized, force-unauthorized or auto)
l Enable client version checking
l Enable proxy detection
1.2.3 Precautions
l The configuration of dot1x on a specific port takes effect only after the dot1x feature is enabled globally and on the port.
l You can configure dot1x parameters associated with Ethernet ports or devices before enabling dot1x. However, the configured dot1x parameters only take effect after dot1x is enabled.
l The configured dot1x parameters are reserved after dot1x is disabled and will take effect if dot1x is re-enabled.
Chapter 2 802.1X Configuration Commands
To implement 802.1x, you need to configure the supplicant system (client), authenticator system (switch) and authentication/authorization server correctly.
l Supplicant system: Ensures that the PC uses a right client.
l Authenticator system: Configuring 802.1x and AAA on the authenticator system is required.
l Authentication/authorization server: Configuring the authentication/authorization server correctly is required.
The following table shows 802.1x configuration commands necessary for configuring the switch (authenticator system). For configuration information on other devices, refer to related manuals.
Table 2-1 802.1x configuration commands
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Enable 802.1x globally |
dot1x |
Required Disabled by default |
|
Enable 802.1x for one or more ports |
In system view dot1x [ interface interface-list ] |
Required Disabled on a port by default 802.1x must be enabled both globally in system view and on the intended port in system view or port view. Otherwise, it does not function. |
|
In port view dot1x |
||
|
Set a port access control method for the specified or all ports |
In system view: dot1x port-method { macbased | portbased } [ interface interface-list ] |
Optional macbased by default Port-based access control is required for Guest VLAN. |
|
In port view: dot1x port-method { macbased | portbased } |
||
|
Enable Guest VLAN on the specified or all ports |
In system view: dot1x guest-vlan vlan-id [ interface interface-list ] |
Optional Not enabled by default The vlan-id of the Guest VLAN must be created beforehand. |
|
In port view: dot1x guest-vlan vlan-id |
Chapter 3 Enterprise Network Access Authentication Configuration Example
& Note:
The configuration or information displayed may vary with devices. The following takes the H3C S7500 series switch (using software Release 3135) as an example.
3.1 Network Application Analysis
An administrator of an enterprise network needs to authenticate users accessing the network on a per-port basis on the switch to control access to network resources. Table 3-1 shows the details of network application analysis.
Table 3-1 Network application analysis
|
Network requirements |
Solution |
|
Access of users is controlled by authentication. |
Enable 802.1x |
|
Users can only access VLAN 10 before the authentication succeeds. |
Enable Guest VLAN |
|
Users can access VLAN 100 after the authentication succeeds. |
Enable dynamic VLAN assignment |
|
Users select the monthly payment service of 50 dollars and use 2M bandwidth to access the network. |
Configure an accounting policy and bandwidth restraint policy on the RADIUS server |
|
IP address and MAC address are bound after a user logs in. |
Set MAC-to-IP binding |
|
Tear down the connection by force if it is idle for 20 minutes. |
Enable idle cut |
|
Users can be re-authenticated successfully after the switch reboots abnormally. |
3.2 Network Diagram
Figure 3-1 Network diagram for enterprise network application
3.3 Configuration Procedure
3.3.1 Configuring the Switch
# Create a RADIUS scheme named “cams”, and specify the primary and secondary authentication/accounting servers.
<H3C> system-view
[H3C] radius scheme cams
[H3C-radius-cams] primary authentication 192.168.1.19
[H3C-radius-cams] primary accounting 192.168.1.19
[H3C-radius-cams] secondary authentication 192.168.1.20
[H3C-radius-cams] secondary accounting 192.168.1.20
# Set the password to expert for the switch to exchange messages with the RADIUS authentication and accounting servers.
[H3C-radius-cams] key authentication expert
[H3C-radius-cams] key accounting expert
# Set the username format to fully qualified username with domain name.
[H3C-radius-cams] user-name-format with-domain
# Set the server type to extended.
[H3C-radius-cams] server-type extended
# Enable re-authentication upon reboot.
[H3C-radius-cams] accounting-on enable
# Create an ISP domain named “abc” and adopt the RADIUS scheme “cams” for authentication.
[H3C] domain abc
[H3C-isp-abc] radius-scheme cams
# Set the dynamic VLAN assignment mode.
[H3C-isp-abc] vlan-assignment-mode integer
[H3C-isp-abc] quit
# Set the ISP domain “abc” as the default ISP domain.
[H3C] domain default enable abc
# Enable Guest VLAN 10 on the specified port.
[H3C] vlan 10
[H3C-Ethernet3/0/3] dot1x port-method portbased
[H3C-Ehternet3/0/3] dot1x guest-vlan 10
# Enable 802.1x globally.
[H3C] dot1x
# Enable dot1x for port Ethernet 3/0/3.
[H3C] dot1x interface ethernet3/0/3
# Use the display command to view the configuration associated with 802.1x and AAA parameters.
[H3C] display dot1x interface ethernet3/0/3
Equipment 802.1x protocol is enabled
CHAP authentication is enabled
DHCP-launch is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Guest Vlan is enabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
ReAuth Period 003600 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
Interval between version requests is 30s
maximal request times for version information is 3
The maximal retransmitting times 2
Total maximum 802.1x user resource number is 4096
Total current used 802.1x resource number is 0
Ethernet3/0/3 is link-up
802.1x protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Guest Vlan: 10
Version-Check is disabled
The port is a(n) authenticator
Authentication Mode is Auto
Port Control Type is Port-based
ReAuthenticate is disabled
Max on-line user number is 1024
Authentication Success: 0, Failed: 0
EAPOL Packets: Tx 0, Rx 0
Sent EAP Request/Identity Packets : 0
EAP Request/Challenge Packets: 0
Received EAPOL Start Packets : 0
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 0
EAP Response/Challenge Packets: 0
Error Packets: 0
Controlled User(s) amount to 0
[H3C] display radius cams
SchemeName =cams Index=1 Type=extended
Primary Auth IP =192.168.1.19 Port=1812
Primary Acct IP =192.168.1.19 Port=1813
Second Auth IP =192.168.1.20 Port=1812
Second Acct IP =192.168.1.20 Port=1813
Auth Server Encryption Key= expert
Acct Server Encryption Key= expert
Accounting method = required
Accounting-On packet enable, send times = 40 , interval = 3s
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min) =5
Username format =with-domain
Data flow unit =Byte
Packet unit =1
[H3C] display domain abc
The contents of Domain abc:
State = Active
RADIUS Scheme = cams
Access-limit = Disable
Vlan-assignment-mode = Integer
accounting-mode = time
Domain User Template:
Idle-cut = Disable
Self-service = Disable
Messenger Time = Disable
3.3.2 Configuring the RADIUS Server
The configuration of CAMS authentication, authorization and accounting server consists of four parts:
l Creating an accounting policy
l Configuring the access device
The following parts take CAMS server V1.20 (standard version) as an example to introduce CAMS configuration.
I. Logging in the CAMS configuration console
1) Enter the correct username and password on the login page to log in to the CAMS configuration console.
Figure 3-2 Login page of CAMS configuration console
2) After login, the following page appears:
Figure 3-3 CAMS configuration console
II. Creating an accounting policy
1) Enter the Accounting Policy Management page.
Log in the CAMS configuration console. On the navigation tree, select Charges Management > Accounting Policy to enter the Accounting Policy Management page, as shown in Figure 3-4.
Figure 3-4 Accounting Policy Management
The list shows the created accounting policies. You can query, modify or copy these policies.
2) Create an accounting policy.
Click Add to enter the Accounting Policy Basic Information page and create a monthly payment accounting policy, as shown in Figure 3-5.
Figure 3-5 Accounting Policy Basic Information
3) Click Next to enter the Accounting Attribute Settings page, and set Accounting Type to By duration, Monthly Cycle to Monthly and Monthly Fixed Fee to 50 dollars, as shown in Figure 3-6.
Figure 3-6 Accounting Attribute Settings
Click OK. A monthly payment accounting policy is created.
III. Adding a service
1) Enter the Service Config page.
Log in the CAMS configuration console. On the navigation tree, select Service Management > Service Config to enter the Service Config page, as shown in Figure 3-7.
The list shows the created service types. You can query, modify or delete these service types.
2) Add a service.
Click Add to enter the Add Service page and configure as follows:
l Service Name: abc
l Service Suffix Name: abc
l Accounting Policy: Monthly Fixed Payment
l Upstream Rate Limitation: 2M (2048 Kbps)
l Downstream Rate Limitation: 2M (2048 Kbps)
l VLAN Assignment: VLAN 100
l Authentication Binding: Bind user IP address and bind user MAC address
Figure 3-8 Add Service
Click OK. A service type is added.
IV. Adding an account user
1) Enter the Account Management page.
Log in the CAMS configuration console. On the navigation tree, select User Management > Account User to enter the Account Management page, as shown in Figure 3-9.
Figure 3-9 Account Management
The list shows the created account users. You can maintain these account users.
2) Add an account user.
Click Add to enter the Add Account page and configure as follows:
l Account: info
l Password: info
l Full Name: Bruce
l Prepaid Money: 100 dollars
l Bind multiple IP address and MAC address: enable
l Online Limit: 1
l Max. Idle Time: 20 minutes
l Service Information: abc
Figure 3-10 Add Account
Click OK. An account user is added.
V. Configuring the access device
1) Enter the System Configuration page.
Log in the CAMS configuration console. On the navigation tree, select System Management > System Configuration to enter the System Configuration page, as shown in Figure 3-11.
Figure 3-11 System Configuration
2) Click the Modify link for the Access Device item to enter the Access Device Configuration page to modify access device configuration like IP address, shared key, and authentication and accounting ports.
Figure 3-12 Access Device Configuration
VI. Adding configuration item
1) Click Add to enter the Add Access Device page and add configuration items, as shown in Figure 3-13.
2) Click OK. The prompt page appears as shown in Figure 3-14.
Figure 3-14 Page prompting that system configuration is modified successfully
3) Return to the System Configuration page and click Validate Now to make the configuration take effect immediately.
Figure 3-15 Validate Now on System Management page
3.3.3 Configuring the Supplicant System
You need to install an 802.1x client on the PC, which may be H3C’s 802.1x client, the client shipped with Windows XP or other client from the third party. The following takes H3C’s iNode client as an example to introduce how to configure the supplicant system.
I. Starting up H3C iNode intelligent client
Figure 3-16 H3C iNode intelligent client
II. Creating a connection
To create a connection, follow the steps below:
1) Click the New Connection link in the left pane of the client interface to launch the Create New Connection Wizard dialog box.
2) Click Next in the wizard dialog box, and then select 802.1x protocol as the authentication protocol.
3) Click Next and then select Common connection as the connection type.
4) Click Next to enter the Account Information page, as shown in Figure 3-17.
Figure 3-17 Create an 802.1x connection
5) Enter a connection name, username and password, and check/uncheck the Save password checkbox as required.
6) Click Next to enter the Network Property Settings page, as shown in Figure 3-18, to configure the connection attributes.
Figure 3-18 Set special properties
7) Keep the default settings and click OK, and then click Create after confirming the settings. The connection is created and the connection icon is displayed on the client interface.
III. Initiating the connection
Double click the Info connection icon on the client interface, and then click Connect in the popup dialog box, as shown in Figure 3-19.
Figure 3-19 Connection dialog box
The connection is established after successful authentication.
3.3.4 Verifying Configuration
To verify that the configuration of Guest VLAN is taking effect, check that users can access VLAN 10 before 802.1x authentication or the 802.1x authentication fails.
To verify that the dynamically assigned VLAN is taking effect, check that users can access VLAN 100 after 802.1x authentication succeeds. At the same time, 802.1x authentication cooperates with CAMS to complete accounting and real time monitoring.
To verify that the configuration of IP-to-MAC binding is taking effect, check that users can be re-authenticated and access the Internet when the device reboots abnormally. If the configured IP-to-MAC binding is different from that on the CAMS, the user cannot access the Internet.
3.3.5 Troubleshooting
I. Symptom: 802.1x authentication failed
Solution:
l Use the display dot1x command to verify 802.1x is enabled globally and on the specified ports.
l Verify that the username and password are set correctly.
l Verify that the connection works well.
l Use the debugging dot1x packet command to verify that the switch receives and sends EAP packets and EAPoL frames normally.
II. Symptom: Users can access network resources without 802.1x authentication
l Use the display dot1x command to verify 802.1x is enabled globally and on the specified ports.
l Use the display interface command to verify the statistics of incoming packets are available for the specified port. 802.1x authentication applies only to incoming packets, not outgoing packets.
