Table of Contents

Chapter 1 802.1x Configuration. 1-1

1.1 802.1x Overview. 1-1

1.1.1 Architecture of 802.1x. 1-1

1.1.2 Operation of 802.1x. 1-3

1.1.3 EAP Encapsulation over LANs. 1-4

1.1.4 EAP Encapsulation over RADIUS. 1-6

1.1.5 Authentication Process of 802.1x. 1-6

1.1.6 802.1x Timers. 1-10

1.1.7 Implementation of 802.1x in the Devices. 1-11

1.1.8 Features Working Together with 802.1x. 1-12

1.2 Configuring 802.1x. 1-14

1.2.1 Configuration Prerequisites. 1-14

1.2.2 Configuring 802.1x Globally. 1-14

1.2.3 Configuring 802.1x for a Port 1-15

1.3 Configuring a Guest VLAN. 1-17

1.3.1 Configuration Prerequisites. 1-17

1.3.2 Configuration Procedure. 1-17

1.4 Displaying and Maintaining 802.1x. 1-18

1.5 802.1x Configuration Example. 1-18

1.6 Guest VLAN Configuration Example. 1-21

1.7 ACL Assignment Configuration Example. 1-24

Chapter 2 EAD Fast Deployment Configuration. 2-1

2.1 EAD Fast Deployment Overview. 2-1

2.2 Configuring EAD Fast Deployment 2-1

2.2.1 Configuration Prerequisites. 2-1

2.2.2 Configuration Procedure. 2-2

2.3 Displaying and Maintaining EAD Fast Deployment 2-3

2.4 EAD Fast Deployment Configuration Example. 2-3

2.5 Troubleshooting EAD Fast Deployment 2-5

2.5.1 Users Cannot be Redirected Correctly. 2-5

Chapter 3 HABP Configuration. 3-1

3.1 Introduction to HABP. 3-1

3.2 Configuring HABP. 3-1

3.2.1 Configuring the HABP Server 3-1

3.2.2 Configuring an HABP Client 3-2

3.3 Displaying and Maintaining HABP. 3-2

Chapter 4 MAC Authentication Configuration. 4-1

4.1 MAC Authentication Overview. 4-1

4.1.1 RADIUS-Based MAC Authentication. 4-1

4.1.2 Local MAC Authentication. 4-2

4.2 Related Concepts. 4-2

4.2.1 MAC Authentication Timers. 4-2

4.2.2 Quiet MAC Address. 4-2

4.2.3 VLAN Assigning. 4-3

4.2.4 ACL Assigning. 4-3

4.3 Configuring MAC Authentication. 4-3

4.3.1 Configuration Prerequisites. 4-3

4.3.2 Configuration Procedure. 4-4

4.4 Displaying and Maintaining MAC Authentication. 4-5

4.5 MAC Authentication Configuration Examples. 4-5

4.5.1 Local MAC Authentication Configuration Example. 4-5

4.5.2 RADIUS-Based MAC Authentication Configuration Example. 4-7

4.5.3 ACL Assigning Configuration Example. 4-9

 

Chapter 1  802.1x Configuration

When configuring 802.1x, go to these sections for information you are interested in:

l           802.1x Overview

l           Configuring 802.1x

l           Configuring a Guest VLAN

l           Displaying and Maintaining 802.1x

l           802.1x Configuration Example

l           Guest VLAN Configuration Example

l           ACL Assignment Configuration Example

1.1  802.1x Overview

The 802.1x protocol was proposed by IEEE 802 LAN/WAN committee for security problems on wireless LANs (WLAN). Currently, it is widely used on Ethernet as a common port access control mechanism.

As a port-based network access control protocol, 802.1x authenticates and controls accessing devices at the level of port. A device connected to an 802.1x-enabled port of an access control device can access the resources on the LAN only after passing authentication.

To get more information about 802.1x, go to these topics:

l           Architecture of 802.1x

l           Operation of 802.1x

l           EAP Encapsulation over LANs

l           EAP Encapsulation over RADIUS

l           Authentication Process of 802.1x

l           802.1x Timers

l           Implementation of 802.1x in the Devices

l           Features Working Together with 802.1x

1.1.1  Architecture of 802.1x

802.1x operates in the typical client/server model and defines three entities: supplicant system, authenticator system, and authentication server system, as shown in Figure 1-1.

Figure 1-1 Architecture of 802.1x

l           Supplicant system: A system at one end of the LAN segment, which is authenticated by the authenticator system at the other end. A supplicant system is usually a user-end device and initiates 802.1x authentication through 802.1x client software supporting the EAP over LANs (EAPOL) protocol.

l           Authenticator system: A system at the other end of the LAN segment, which authenticates the connected supplicant system. An authenticator system is usually an 802.1x-enabled network device and provides ports (physical or logical) for supplicants to access the LAN.

l           Authentication server system: The system providing authentication, authorization, and accounting services for the authenticator system. The authentication server, usually a Remote Authentication Dial-in User Service (RADIUS) server, maintains user information like username, password, VLAN that the user belongs to, committed access rate (CAR) parameters, priority, and ACLs.

The above systems involve three basic concepts: PAE, controlled port, control direction.

I. PAE

Port access entity (PAE) refers to the entity that performs the 802.1x algorithm and protocol operations.

l           The authenticator PAE uses the authentication server to authenticate a supplicant trying to access the LAN and controls the status of the controlled port according to the authentication result, putting the controlled port in the state of authorized or unauthorized. In authorized state, the supplicant can access network resources without authentication; in unauthorized state, the supplicant can receive and send EAPOL frames rather than accessing network resources.

l           The supplicant PAE responds to the authentication request of the authenticator PAE and provides authentication information. The supplicant PAE can also send authentication requests and logoff requests to the authenticator.

II. Controlled port and uncontrolled port

An authenticator provides ports for supplicants to access the LAN. Each of the ports can be regarded as two logical ports: a controlled port and an uncontrolled port.

l           The uncontrolled port is always open in both the inbound and outbound directions to allow EAPOL protocol frames to pass, guaranteeing that the supplicant can always send and receive authentication frames.

l           The controlled port is open to allow normal traffic to pass only when it is in the authorized state.

l           The controlled port and uncontrolled port are two parts of the same port. Any frames arriving at the port are visible to both of them.

III. Control direction

In the unauthorized state, the controlled port can be set to deny traffic to and from the supplicant or just the traffic from the supplicant.

 

 

1.1.2  Operation of 802.1x

The 802.1x authentication system employs the Extensible Authentication Protocol (EAP) to exchange authentication information between the supplicant PAE, authenticator PAE, and authentication server.

Figure 1-2 Operation of 802.1x

l           Between the supplicant PAE and authenticator PAE, EAP protocol packets are encapsulated using EAP Encapsulation over LANs and transferred over the LAN.

l           Between the authenticator PAE and authentication server, EAP protocol packets can be handled in two modes: EAP relay and EAP termination. In EAP relay mode, EAP protocol packets are encapsulated by using the EAP Encapsulation over RADIUS (Remote Authentication Dial-In User Service) and then relayed to the RADIUS server. In EAP termination mode, EAP protocol packets are terminated at the authenticator PAE, repackaged in the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) attributes of RADIUS packets, and then transferred to the RADIUS server.

l           After a user passes the authentication, the authentication server passes information about the user to the authenticator, which then controls the status of the controlled port according to the instruction of the authentication server.

1.1.3  EAP Encapsulation over LANs

I. EAPOL frame format

EAPOL, defined by 802.1x, is intended to carry EAP protocol packets between supplicants and authenticators over LANs. Figure 1-3 shows the EAPOL frame format.

Figure 1-3 EAPOL frame format

l           PAE Ethernet type: Protocol type. It takes the value 0x888E.

l           Protocol version: Version of the EAPOL protocol supported by the EAPOL frame sender.

l           Type: Type of the EAPOL frame. Table 1-1 shows the defined types of EAPOL frames.

Table 1-1 Types of EAPOL frames

Type	Description
EAP-Packet (a value of 0x00)	Frame for carrying authentication information, present between an authenticator system and the authentication server. A frame of this type is repackaged and transferred by RADIUS to get through complex networks to reach the authentication server.
EAPOL-Start (a value of 0x01)	Frame for initiating authentication, present between a supplicant and an authenticator.
EAPOL-Logoff (a value of 0x02)	Frame for logoff request, present between a supplicant and an authenticator.
EAPOL-Key (a value of 0x03)	Frame for carrying key information, present between a supplicant and an authenticator.
EAPOL-Encapsulated-ASF-Alert (a value of 0x04)	Frame for carrying alerting information compliant to Alert Standard Forum (ASF). A frame of this type carries network management-related information like warning messages and is terminated at the authenticator.

 

l           Length: Length of the data, that is, length of the Packet body field, in bytes. If the value of this field is 0, no subsequent data field is present.

l           Packet body: Content of the packet. The format of this field varies with the value of the Type field.

II. EAP Packet Format

An EAPOL frame of the type of EAP-Packet carries an EAP packet in its Packet body field. The format of the EAP packet is shown in Figure 1-4.

Figure 1-4 EAP packet format

l           Code: Type of the EAP packet, which can be Request, Response, Success, or Failure.

An EAP packet of the type of Success or Failure has no Data field, and has a length of 4.

An EAP packet of the type of Request or Response has a Data field in the format shown in Figure 1-5. The Type field indicates the EAP authentication type. A value of 1 represents Identity, indicating that the packet is for querying the identity of the supplicant. A value of 4 represents MD5-Challenge, which corresponds closely to the PPP CHAP protocol.

Figure 1-5 Format of the Data field in an EAP request/response packet

l           Identifier: Allows matching of responses with requests.

l           Length: Length of the EAP packet, including the Code, Identifier, Length, and Data fields, in bytes.

l           Data: Content of the EAP packet. This field is zero or more bytes and its format is determined by the Code field.

1.1.4  EAP Encapsulation over RADIUS

Two attributes of RADIUS are intended for supporting EAP authentication: EAP-Message and Message-Authenticator. For information about RADIUS packet format, refer to AAA RADIUS HWTACACS Configuration.

I. EAP-Message

The EAP-Message attribute is used to encapsulate EAP packets. Figure 1-6 shows its encapsulation format. The value of the Type field is 79. The String field can be up to 253 bytes. If the EAP packet is longer than 253 bytes, it can be fragmented and encapsulated into multiple EAP-Message attributes.

Figure 1-6 Encapsulation format of the EAP-Message attribute

II. Message-Authenticator

Figure 1-7 shows the encapsulation format of the Message-Authenticator attribute. The Message-Authenticator attribute is used to prevent access requests from being snooped during EAP or CHAP authentication. It must be included in any packet with the EAP-Message attribute; otherwise, the packet will be considered invalid and get discarded.

Figure 1-7 Encapsulation format of the Message-Authenticator attribute

1.1.5  Authentication Process of 802.1x

802.1x authentication can be initiated by either a supplicant or the authenticator system. A supplicant initiates authentication by launching the 802.1x client software to send an EAPOL-Start frame to the authenticator system, while the authenticator system sends an EAP-Request/Identity packet to an unauthenticated supplicant when detecting that the supplicant is trying to login.

An 802.1x authenticator system communicates with a remotely located RADIUS server in two modes: EAP relay and EAP termination. The following description takes the first case as an example to show the 802.1x authentication process.

I. EAP relay

EAP relay is an IEEE 802.1x standard mode. In this mode, EAP packets are carried in an upper layer protocol, such as RADIUS, so that they can go through complex networks and reach the authentication server. Generally, EAP relay requires that the RADIUS server support the EAP attributes of EAP-Message and Message-Authenticator.

At present, the EAP relay mode supports four authentication methods: EAP-MD5, EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled Transport Layer Security), and PEAP (Protected Extensible Authentication Protocol).

l           EAP-MD5: EAP-MD5 authenticates the identity of a supplicant. The RADIUS server sends an MD5 challenge (through an EAP-Request/MD5 Challenge packet) to the supplicant. Then the supplicant encrypts the password with the offered challenge.

l           EAP-TLS: With EAP-TLS, a supplicant and the RADIUS server verify each other’s security certificates and identities, guaranteeing that EAP packets are sent to the intended destination and thus preventing network traffic from being snooped.

l           EAP-TTLS: EAP-TTLS extends EAP-TLS. EAP-TLS allows for mutual authentication between a supplicant and the authentication server. EAP-TTLS extends this implementation by transferring packets through the secure tunnels set up by TLS.

l           PEAP: With PEAP, the RADIUS server sets up a TLS tunnel with a supplicant system for integrity protection and then performs a new round of EAP negotiation with the supplicant system for identity authentication.

Figure 1-8 shows the message exchange procedure with EAP-MD5.

Figure 1-8 Message exchange in EAP relay mode

1)         When a user launches the 802.1x client software and enters the registered username and password, the 802.1x client software generates an EAPOL-Start frame and sends it to the authenticator to initiate an authentication process.

2)         Upon receiving the EAPOL-Start frame, the authenticator responds with an EAP-Request/Identity packet for the username of the supplicant.

3)         When the supplicant receives the EAP-Request/Identity packet, it encapsulates the username in an EAP-Response/Identity packet and sends the packet to the authenticator.

4)         Upon receiving the EAP-Response/Identity packet, the authenticator relays the packet in a RADIUS Access-Request packet to the authentication server.

5)         When receiving the RADIUS Access-Request packet, the RADIUS server compares the identify information against its user information table to obtain the corresponding password information. Then, it encrypts the password information using a randomly generated challenge, and sends the challenge information through a RADIUS Access-Challenge packet to the authenticator.

6)         After receiving the RADIUS Access-Challenge packet, the authenticator relays the contained EAP-Request/MD5 Challenge packet to the supplicant.

7)         When receiving the EAP-Request/MD5 Challenge packet, the supplicant uses the offered challenge to encrypt the password part (this process is not reversible), creates an EAP-Response/MD5 Challenge packet, and then sends the packet to the authenticator.

8)         After receiving the EAP-Response/MD5 Challenge packet, the authenticator relays the packet in a RADIUS Access-Request packet to the authentication server.

9)         When receiving the RADIUS Access-Request packet, the RADIUS server compares the password information encapsulated in the packet with that generated by itself. If the two are identical, the authentication server considers the user valid and sends to the authenticator a RADIUS Access-Accept packet.

10)     Upon receiving the RADIUS Access-Accept packet, the authenticator opens the port to grant the access request of the supplicant. After the supplicant gets online, the authenticator periodically sends handshake requests to the supplicant to check whether the supplicant is still online. By default, if two consecutive handshake attempts end up with failure, the authenticator concludes that the supplicant has gone offline and performs the necessary operations, guaranteeing that the authenticator always knows when a supplicant goes offline.

11)     The supplicant can also send an EAPOL-Logoff frame to the authenticator to go offline unsolicitedly. In this case, the authenticator changes the status of the port from authorized to unauthorized.

 

 

II. EAP termination

In EAP termination mode, EAP packets are terminated at the authenticator and then repackaged into the PAP or CHAP attributes of RADIUS and transferred to the RADIUS server for authentication, authorization, and accounting. Figure 1-9 shows the message exchange procedure with CHAP authentication.

Figure 1-9 Message exchange in EAP termination mode

Different from the authentication process in EAP relay mode, it is the authenticator that generates the random challenge for encrypting the user password information in EAP termination authentication process. Consequently, the authenticator sends the challenge together with the username and encrypted password information from the supplicant to the RADIUS server for authentication.

1.1.6  802.1x Timers

Several timers are used in the 802.1x authentication process to guarantee that the supplicants, the authenticators, and the RADIUS server interact with each other in a reasonable manner. The following are the major 802.1x timers:

l           Username request timeout timer (tx-period): This timer is used in two cases, one is when an authenticator retransmits an EAP-Request/Identity frame and the other is when an authenticator multicasts an EAP-Request/Identity frame. Once an authenticator sends an EAP-Request/Identity frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request. To cooperate with a supplicant system that does not send EAPOL-Start requests unsolicitedly, the authenticator multicasts EAP-Request/Identity frames to the supplicant system at an interval defined by this timer.

l           Supplicant timeout timer (supp-timeout): Once an authenticator sends an EAP-Request/MD5 Challenge frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request.

l           Server timeout timer (server-timeout): Once an authenticator sends a RADIUS Access-Request packet to the authentication server, it starts this timer. If this timer expires but it receives no response from the server, it retransmits the request.

l           Handshake timer (handshake-period): After a supplicant passes authentication, the authenticator sends to the supplicant handshake requests at this interval to check whether the supplicant is online. If the authenticator receives no response after sending the allowed maximum number of handshake requests, it considers that the supplicant is offline.

l           Quiet timer (quiet-period): When a supplicant fails the authentication, the authenticator refuses further authentication requests from the supplicant in this period of time.

1.1.7  Implementation of 802.1x in the Devices

The devices extend and optimize the mechanism that the 802.1x protocol specifies by:

l           Allowing multiple users to access network services through the same physical port.

l           Supporting two authentication methods: portbased and macbased. With the portbased method, after the first user of a port passes authentication, all other users of the port can access the network without authentication, and when the first user goes offline, all other users get offline at the same time. With the macbased method, each user of a port must be authenticated separately, and when an authenticated user goes offline, no other users are affected.

 

 

1.1.8  Features Working Together with 802.1x

I. VLAN assigning

After an 802.1x user passes the authentication, the server will send an authorization message to the device. If the server is enabled with the VLAN assigning function, the assigned VLAN information will be included in the message. The device, depending on the link type of the port used to log in, adds the port to the assigned VLAN according to the following rules:

l           If the port link type is Access, the port leaves its current VLAN and joins the assigned VLAN.

l           If the port link type is Trunk, the assigned VLAN is allowed to pass the current trunk port. The default VLAN ID of the port is that of the assigned VLAN.

l           If the port link type is Hybrid, the assigned VLAN is allowed to pass the current port without carrying the tag. The default VLAN ID of the port is that of the assigned VLAN.

The assigned VLAN neither changes nor affects the configuration of a port. However, as the assigned VLAN has higher priority than the user-configured VLAN, it is the assigned VLAN that takes effect after a user passes authentication. After the user goes offline, the port returns to its original VLAN.

For details about VLAN configuration, refer to VLAN Configuration.

 

 

II. Guest VLAN

Guest VLAN allows unauthenticated users to access some special resources.

Guest VLAN is the default VLAN that a supplicant on a port can access without authentication. After the supplicant passes 802.1x authentication, the port leaves the guest VLAN and the supplicant can access other network resources.

A user of the guest VLAN can perform operations such as downloading and upgrading the authentication client software. If a supplicant does not have the required authentication client software or the version of the client software is lower, the supplicant will fail the authentication. If no supplicant on a port passes authentication in a certain period of time (45 seconds by default), the port will be added into the guest VLAN.

If a device with 802.1x enabled and the guest VLAN correctly configured sends an EAP-Request/Identity packet for the allowed maximum number of times but gets no response, it adds the port into the guest VLAN according to port link type in the similar way as described in VLAN assigning.

When a supplicant added into the guest VLAN initiates another authentication process, if the authentication is not successful, the supplicant stays in the guest VLAN; otherwise, two cases may occur:

l           The authentication server assigns a VLAN: The port leaves the guest VLAN and joins the assigned VLAN. If the supplicant goes offline, the port returns to its original VLAN, that is, the VLAN to which it is configured to belong and it belongs before joining the guest VLAN.

l           The authentication server does not assign any VLAN: The port leaves the guest VLAN and returns to its original VLAN. If the supplicant goes offline, the port just stays in its original VLAN.

III. ACL assignment

ACLs provide a way of controlling access to network resources and defining access rights. When a user logs in through a port, and the RADIUS server is configured with authorization ACLs, the device will permit or deny data flows traversing through the port according to the authorization ACLs. Before specifying authorization ACLs on the server, you need to configure the ACL rules on the device. You can change the access rights of users by modifying authorization ACL settings on the RADIUS server or changing the corresponding ACL rules on the device.

1.2  Configuring 802.1x

1.2.1  Configuration Prerequisites

802.1x provides a user identity authentication scheme. However, 802.1x cannot implement the authentication scheme solely by itself. RADIUS or local authentication must be configured to work with 802.1x.

l           Configure the ISP domain to which the 802.1x user belongs and the AAA scheme to be used (that is, local authentication or RADIUS).

l           For remote RADIUS authentication, the username and password information must be configured on the RADIUS server.

l           For local authentication, the username and password information must be configured on the authenticator and the service type must be set to lan-access.

For detailed configuration of the RADIUS client, refer to AAA RADIUS HWTACACS Configuration.

1.2.2  Configuring 802.1x Globally

Follow these steps to configure 802.1x globally:

To do…		Use the command…	Remarks
Enter system view		system-view	—
Enable 802.1x globally		dot1x	Required Disabled by default
Set the authentication method		dot1x authentication-method { chap | eap | pap }	Optional CHAP by default
Set the port access control parameters	Set the port access control mode for specified or all ports	dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ]	Optional auto by default
	Set the port access control method for specified or all ports	dot1x port-method { macbased | portbased } [ interface interface-list ]	Optional macbased by default
	Set the maximum number of users for specified or all ports	dot1x max-user user-number [ interface interface-list ]	Optional By default, the maximum number of concurrent users accessing a port is 256.
Set the maximum number of attempts to send an authentication request to a supplicant		dot1x retry max-retry-value	Optional 2 by default
Set timers		dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value }	Optional The defaults are as follows: 15 seconds for the handshake timer, 60 seconds for the quiet timer, 100 seconds for the server timeout timer, 30 seconds for the supplicant timeout timer, and 30 seconds for the username request timeout timer.
Enable the quiet timer		dot1x quiet-period	Optional Disabled by default

 

Note that:

l           For 802.1x to take effect on a port, you must enable it both globally in system view and for the port in system view or Ethernet interface view.

l           You can also enable 802.1x and set port access control parameters (that is, the port access control mode, port access method, and the maximum number of users) for a port in Ethernet interface view. For detailed configuration, refer to Configuring 802.1x for a Port. The only difference between configuring 802.1x globally and configuring 802.1x for a port lies in the applicable scope. If both a global setting and a local setting exist for an argument of a port, the last configured one is in effect.

l           Generally, it is unnecessary to change 802.1x timers unless in some special or extreme network environments.

1.2.3  Configuring 802.1x for a Port

I. Enabling 802.1x for a port

Follow these steps to enable 802.1x for a port:

To do…		Use the command…	Remarks
Enter system view		system-view	—
Enable 802.1x for one or more ports	In system view	dot1x interface interface-list	Required Use either approach. Disabled by default
	In Ethernet interface view	interface interface-type interface-number
		dot1x

 

II. Configuring 802.1x parameters for a port

Follow these steps to configure 802.1x parameters for a port:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Enter Ethernet interface view	interface interface-type interface-number	—
Set the port access control mode for the port	dot1x port-control { authorized-force | auto | unauthorized-force }	Optional auto by default
Set the port access control method for the port	dot1x port-method { macbased | portbased }	Optional macbased by default
Set the maximum number of users for the port	dot1x max-user user-number	Optional By default, the maximum number of concurrent users accessing a port is 256.
Enable online user handshake	dot1x handshake	Optional Enabled by default
Enable multicast trigger	dot1x multicast-trigger	Optional Enabled by default

 

Note that:

l           You can neither add an 802.1x-enabled port into an aggregation group nor enable 802.1x on a port being a member of an aggregation group.

l           Once enabled with the 802.1x multicast trigger function, a port sends multicast trigger messages to the client periodically to initiate authentication.

l           For a user-side device sending untagged traffic, the voice VLAN function and 8021.x are mutually exclusive and cannot be configured together on the same port. For details about voice VLAN, refer to VLAN Configuration.

l           In EAP relay authentication mode, the authenticator encapsulates the 802.1x user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication. In this case, you can configure the user-name-format command but it does not take effect. For information about the user-name-format command, refer to AAA RADIUS HWTACACS Commands.

l           If the username of a supplicant contains the version number or one or more blank spaces, you can neither retrieve information nor disconnect the supplicant by using the username. However, you can use items such as IP address and connection index number to do so.

1.3  Configuring a Guest VLAN

1.3.1  Configuration Prerequisites

l           Enable 802.1x

l           Set the port access control method to portbased for the port

l           Set the port access control mode to auto for the port

l           Create the VLAN to be specified as the guest VLAN

1.3.2  Configuration Procedure

Follow these steps to configure Guest VLAN:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Configure the guest VLAN for specified or all ports	dot1x guest-vlan vlan-id [ interface interface-list ]	Required By default, a port is configured with no guest VLAN.
	Or in Ethernet interface view interface interface-type interface-number dot1x guest-vlan vlan-id

 

 

 

1.4  Displaying and Maintaining 802.1x

To do…	Use the command…	Remarks
Display 802.1x session information, statistics, or configuration information of specified or all ports	display dot1x [ sessions | statistics ] [ interface interface-list ]	Available in any view
Clear 802.1x statistics	reset dot1x statistics [ interface interface-list ]	Available in user view

 

1.5  802.1x Configuration Example

I. Network requirements

l           The access control method of macbased is required on the port to control supplicants.

l           All supplicants belong to default domain aabbcc.net, which can accommodate up to 30 users. RADIUS authentication is performed at first, and then local authentication when no response from the RADIUS server is received. If the RADIUS accounting fails, the authenticator gets users offline.

l           A server group with two RADIUS servers is connected to the switch. The IP addresses of the servers are 10.1.1.1 and 10.1.1.2 respectively. Use the former as the primary authentication/secondary accounting server, and the latter as the secondary authentication/primary accounting server.

l           Set the shared key for the switch to exchange packets with the authentication server and the accounting server as secret.

l           Specify the switch to try up to five times at an interval of 5 seconds in transmitting a packet to the RADIUS server until it receives a response from the server, and to send real time accounting packets to the accounting server every 15 minutes.

l           Specify the switch to remove the domain name from the username before passing the username to the RADIUS server.

l           Set the username of the 802.1x user as localuser and the password as localpass and specify to use plain text mode. Enable the idle cut function to get the user offline whenever the user remains idle for over 20 minutes.

II. Network diagram

Figure 1-10 Network diagram for 802.1x configuration

III. Configuration procedure

 

 

# Configure the IP addresses for each interface. (Omitted)

# Add local access user localuser, enable the idle cut function, and set the idle cut interval.

<Sysname> system-view

[Sysname] local-user localuser

[Sysname-luser-localuser] service-type lan-access

[Sysname-luser-localuser] password simple localpass

[Sysname-luser-localuser] attribute idle-cut 20

[Sysname-luser-localuser] quit

# Create RADIUS scheme radius1 and enter its view.

[Sysname] radius scheme radius1

# Configure the IP addresses of the primary authentication and accounting RADIUS servers.

[Sysname-radius-radius1] primary authentication 10.1.1.1

[Sysname-radius-radius1] primary accounting 10.1.1.2

# Configure the IP addresses of the secondary authentication and accounting RADIUS servers.

[Sysname-radius-radius1] secondary authentication 10.1.1.2

[Sysname-radius-radius1] secondary accounting 10.1.1.1

# Specify the shared key for the device to exchange packets with the authentication server and the accounting server.

[Sysname-radius-radius1] key authentication secret

# Set the interval for the device to retransmit packets to the RADIUS server and the maximum number of transmission attempts.

[Sysname-radius-radius1] timer response-timeout 5

[Sysname-radius-radius1] retry 5

# Set the interval for the device to send real time accounting packets to the RADIUS server.

[Sysname-radius-radius1] timer realtime-accounting 15

# Specify the device to remove the domain name of any username before passing the username to the RADIUS server.

[Sysname-radius-radius1] user-name-format without-domain

[Sysname-radius-radius1] quit

# Create domain aabbcc.net and enter its view.

[Sysname] domain aabbcc.net

# Set radius1 as the RADIUS scheme for users of the domain and specify to use local authentication as the secondary scheme.

[Sysname-isp-aabbcc.net] authentication default radius-scheme radius1 local

[Sysname-isp-aabbcc.net] authorization default radius-scheme radius1 local

[Sysname-isp-aabbcc.net] accounting default radius-scheme radius1 local

# Set the maximum number of users for the domain as 30.

[Sysname-isp-aabbcc.net] access-limit enable 30

# Enable the idle cut function and set the idle cut interval.

[Sysname-isp-aabbcc.net] idle-cut enable 20

[Sysname-isp-aabbcc.net] quit

# Configure aabbcc.net as the default domain.

[Sysname] domain default enable aabbcc.net

# Enable 802.1x globally.

[Sysname] dot1x

# Enable 802.1x for port GigabitEthernet 1/0/1.

[Sysname] interface GigabitEthernet 1/0/1

[Sysname-GigabitGigabitEthernet1/0/1] dot1x

[Sysname-GigabitGigabitEthernet1/0/1] quit

# Set the port access control method. (Optional. The default answers the requirement.)

[Sysname] dot1x port-method macbased interface GigabitEthernet 1/0/1

1.6  Guest VLAN Configuration Example

I. Network requirements

As shown in Figure 1-11:

l           A host is connected to port GigabitEthernet 1/0/1 of the switch and must pass 802.1x authentication to access the Internet.

l           The authentication server run RADIUS and is in VLAN 2.

l           The update server, which is in VLAN 10, is for client software download and upgrade.

l           Port GigabitEthernet 1/0/2 of the switch, which is in VLAN 5, is for accessing the Internet.

As shown in Figure 1-12:

l           On port GigabitEthernet 1/0/1, enable 802.1x and set VLAN 10 as the guest VLAN.

As shown in Figure 1-13:

l           Authenticated supplicants are assigned to VLAN 5 and permitted to access the Internet.

II. Network diagrams

Figure 1-11 Network diagram for guest VLAN configuration

Figure 1-12 Network diagram with VLAN 10 as the guest VLAN

Figure 1-13 Network diagram when the supplicant passes authentication

III. Configuration procedure

# Configure RADIUS scheme 2000.

<Sysname> system-view

[Sysname] radius scheme 2000

[Sysname-radius-2000] primary authentication 10.11.1.1 1812

[Sysname-radius-2000] primary accounting 10.11.1.1 1813

[Sysname-radius-2000] key authentication abc

[Sysname-radius-2000] key accounting abc

[Sysname-radius-2000] user-name-format without-domain

[Sysname-radius-2000] quit

# Configure domain system and specify to use RADIUS scheme 2000 for users of the domain.

[Sysname] domain system

[Sysname-isp-system] authentication default radius-scheme 2000

[Sysname-isp-system] authorization  default radius-scheme 2000

[Sysname-isp-system] accounting default radius-scheme 2000

[Sysname-isp-system] quit

# Enable 802.1x globally.

[Sysname] dot1x

# Enable 802.1x for port GigabitEthernet 1/0/1.

[Sysname] interface GigabitEthernet 1/0/1

[Sysname-GigabitGigabitEthernet1/0/1] dot1x

# Set the port access control method to portbased.

[Sysname-GigabitGigabitEthernet1/0/1] dot1x port-method portbased

# Set the port access control mode to auto.

[Sysname-GigabitGigabitEthernet1/0/1] dot1x port-control auto

[Sysname-GigabitGigabitEthernet1/0/1] quit

# Create VLAN 10.

[Sysname] vlan 10

[Sysname-vlan10] quit

# Specify port GigabitEthernet 1/0/1 to use VLAN 10 as its guest VLAN.

[Sysname] dot1x guest-vlan 10 interface GigabitEthernet 1/0/1

You can use the display current-configuration or display interface GigabitEthernet 1/0/1 command to view your configuration. You can also use the display vlan 10 command in the following cases to verify whether the configured guest VLAN functions:

l           When no users log in.

l           When a user fails the authentication.

l           When a user goes offline.

1.7  ACL Assignment Configuration Example

I. Network requirements

As shown in Figure 1-14, a host is connected to port GigabitEthernet1/0/1 of the device and must pass 802.1x authentication to access the Internet.

l           Configure the RADIUS server to assign ACL 3000.

l           Enable 802.1x authentication on GigabitEthernet1/0/1 of the device, and configure ACL 3000.

After the host passes 802.1x authentication, the RADIUS server assigns ACL 3000 to GigabitEthernet1/0/1. As a result, the host can access the Internet but cannot access the FTP server, whose IP address is 10.0.0.1.

II. Network diagram

Figure 1-14 Network diagram for ACL assignment

III. Configuration procedure

# Configure the IP addresses of the interfaces. (Omitted)

# Configure the RADIUS scheme.

<Sysname> system-view

[Sysname] radius scheme 2000

[Sysname-radius-2000] primary authentication 10.1.1.1 1812

[Sysname-radius-2000] primary accounting 10.1.1.2 1813

[Sysname-radius-2000] key authentication abc

[Sysname-radius-2000] key accounting abc

[Sysname-radius-2000] user-name-format without-domain

[Sysname-radius-2000] quit

# Create an ISP domain and specify the AAA schemes.

[Sysname] domain 2000

[Sysname-isp-2000] authentication default radius-scheme 2000

[Sysname-isp-2000] authorization default radius-scheme 2000

[Sysname-isp-2000] accounting default radius-scheme 2000

[Sysname-isp-2000] quit

# Configure ACL 3000 to deny packets destined for 10.0.0.1.

[Sysname] acl number 3000

[Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0

# Enable 802.1x globally.

[Sysname] dot1x

# Enable 802.1x for GigabitEthernet1/0/1.

[Sysname] interface GigabitEthernet1/0/1

[Sysname-GigabitEthernet1/0] dot1x

After logging in successfully, a user can use the ping command to verify whether the ACL 3000 assigned by the RADIUS server functions.

[Sysname] ping 10.0.0.1

  PING 10.0.0.1: 56  data bytes, press CTRL_C to break

    Request time out

    Request time out

    Request time out

    Request time out

    Request time out

 

  --- 10.0.0.1 ping statistics ---

    5 packet(s) transmitted

    0 packet(s) received

    100.00% packet loss

Chapter 2  EAD Fast Deployment Configuration

When configuring EAD fast deployment, go to these sections for information you are interested in:

l           EAD Fast Deployment Overview

l           Configuring EAD Fast Deployment

l           Displaying and Maintaining EAD Fast Deployment

l           EAD Fast Deployment Configuration Example

l           Troubleshooting EAD Fast Deployment

2.1  EAD Fast Deployment Overview

As an integrated security scheme, an endpoint admission defense (EAD) scheme can improve the overall defense capability of a network. However, EAD deployment brings much workload in actual applications. To solve this problem, you can use 802.1x functions to implement fast deployment of EAD scheme.

To support the fast deployment of EAD schemes, 802.1x provides the following two mechanisms:

1)         Limit on accessible network resources

Before successful 802.1x authentication, a user can access only specific IP segments, each of which may have one or more servers. Users can download EAD client software or obtain dynamic IP address from the servers.

2)         IE URL redirection

Before successful 802.1x authentication, a user using IE to access the network is automatically redirected to a specified URL, for example, the EAD client software download page.

The above two functions bring all 802.1x users accessing the network to a specified server to download and install the EAD client software, thus easing the deployment of an EAD scheme.

2.2  Configuring EAD Fast Deployment

2.2.1  Configuration Prerequisites

l           Enable 802.1x globally

l           Enable 802.1x on the specified port, and set the access control mode to auto.

2.2.2  Configuration Procedure

I. Configuring a freely accessible network segment

A freely accessible network segment, also called a free IP, is a network segment that users can access before passing 802.1x authentication.

Once a free IP is configured, the fast deployment of EAD is enabled.

Follow these steps to configure a freely accessible network segment:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Configure a freely accessible network segment	dot1x free-ip ip-address { mask-address | mask-length }	Required No freely accessible network segment is configured by default.

 

 

II. Configuring the IE redirect URL

Follow these steps to configure the IE redirect URL:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Configure the IE redirect URL	dot1x url url-string	Required No redirect URL is configured by default.

 

 

III. Setting the EAD rule timeout time

With the EAD fast deployment function, a user is authorized by an EAD rule (generally an ACL rule) to access the freely accessible network segment before passing authentication. After successful authentication, the occupied ACL will be released. If a large amount of users access the freely accessible network segment but fail the authentication, ACLs will soon be used up and new users will be rejected.

An EAD rule timeout timer is designed to solve this problem. When a user accesses the network, this timer is started. If the user neither downloads client software nor performs authentication before the timer expires, the occupied ACL will be released so that other users can use it. When there are a large number of users, you can shorten the timeout time to improve the ACL usage efficiency.

Follow these steps to set the EAD rule timeout time:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Set EAD rule timeout time	dot1x timer ead-timeout ead-timeout-value	Optional 30 minutes by default

 

2.3  Displaying and Maintaining EAD Fast Deployment

To do…	Use the command…	Remarks
Display 802.1x session information, statistics, or configuration information	display dot1x [ sessions | statistics ] [ interface interface-list ]	Available in any view

 

2.4  EAD Fast Deployment Configuration Example

I. Network requirements

As shown in Figure 2-1, the host is connected to the Switch, and the Switch is connected to the freely accessible network segment and outside network.

It is required that:

l           Before successful 802.1 authentication, the host using IE to access outside network will be redirected to the WEB server, and it can download and install 802.1x client software.

l           After successful 802.1x authentication, the host can access outside network.

II. Network diagram

Figure 2-1 Network diagram for EAD fast deployment

III. Configuration procedure

1)         Configure the WEB server

Before using the EAD fast deployment function, you need to configure the WEB server to provide the download service of 802.1x client software.

2)         Configure the Switch to support EAD fast deployment

# Configure the IP addresses of the interfaces (omitted).

# Configure the free IP.

<Sysname> system-view

[Sysname] dot1x free-ip 192.168.1.0 24

# Configure the redirect URL for client software download.

[Sysname] dot1x url http://192.168.1.3

# Enable 802.1x globally.

[Sysname] dot1x

# Enable 802.1x on the port.

[Sysname] interface GigabitEthernet 1/0/1

[Sysname - GigabitEthernet1/0/1] dot1x

3)         Verify your configuration

# Use the ping command to ping an IP address within the network segment specified by free IP to check that the user can access that segment before passing 802.1x authentication.

C:\>ping 192.168.1.3

 

Pinging 192.168.1.3 with 32 bytes of data:

 

Reply from 192.168.1.3: bytes=32 time<1ms TTL=128

Reply from 192.168.1.3: bytes=32 time<1ms TTL=128

Reply from 192.168.1.3: bytes=32 time<1ms TTL=128

Reply from 192.168.1.3: bytes=32 time<1ms TTL=128

 

Ping statistics for 192.168.1.3:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Besides, if the user uses IE to access any external website, the user will be taken to the WEB server, which provides the client software download service.

2.5  Troubleshooting EAD Fast Deployment

2.5.1  Users Cannot be Redirected Correctly

Symptom: When a user enters an external website address in the IE browser, the user is not redirected to the specified URL.

Analysis:

l           The address is in the string format. In this case, the operating system of the host regards the string a website name and tries to have it resolved. If the resolution fails, the operating system sends an ARP request with the address in the format other than X.X.X.X. The redirection function does redirect this kind of ARP request.

l           The address is within the freely accessible network segment. In this case, the Switch regards that the user is trying to access a host in the freely accessible network segment, and redirection will not take place, even if no host is present with the address.

l           The redirect URL is not in the freely accessible network segment, no server is present with that URL, or the server with the URL does not provide WEB services.

Solution:

l           Enter an IP address that is not within the freely accessible network segment in dotted decimal notation (X.X.X.X).

l           Ensure that the Switch and the server are configured correctly.

 

Chapter 3  HABP Configuration

When configuring HABP, go to these sections for the information you are interested in:

l           Introduction to HABP

l           Configuring HABP

l           Displaying and Maintaining HABP

3.1  Introduction to HABP

When a switch is configured with the 802.1x function, 802.1x will authenticate and authorize 802.1x-enabled ports and allow only the authorized ports to forward packets. If a port fails 802.1x authentication and authorization, protocol packets passing the port will be blocked. The Huawei Authentication Bypass Protocol (HABP) aims at solving this problem.

On an HABP-capable switch, HABP packets can bypass 802.1x authentication and MAC authentication, allowing communication among switches.

HABP is built on the client-server model. Typically, the HABP server sends HABP requests to the client periodically to collect the MAC address(es) of the attached switch(es). The client responds to the requests, and forwards the HABP requests to the attached switch(es). The HABP server usually runs on the administrative device while the HABP client runs on the attached switches.

3.2  Configuring HABP

Complete the following tasks to configure HABP:

l           Configuring the HABP Server

l           Configuring an HABP Client

3.2.1  Configuring the HABP Server

With enabled with HABP server, the administrative device starts to send HABP requests to the attached switch(es). The HABP responses include the MAC address(es) of the attached switch(es). This makes it possible for the administrative device to manage the attached switch(es).

You only need to configure the interval of sending HABP requests on the administrative device.

Follow these steps to configure an HABP server:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Enable HABP	habp enable	Optional Enabled by default
Configure HABP to work in server mode	habp server vlan vlan-id	Required HABP works in client mode by default.
Set the interval to send HABP requests	habp timer interval	Optional 20 seconds by default

 

3.2.2  Configuring an HABP Client

Configure HABP to work in client mode on a device connected to the administrative device. Since HABP is enabled and works in client mode by default, this configuration task is optional.

Follow these steps to configure an HABP client:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Enable HABP	habp enable	Optional Enabled by default
Configure HABP to work in client mode	undo habp server	Optional HABP works in client mode by default.

 

3.3  Displaying and Maintaining HABP

To do…	Use the command…	Remarks
Display HABP configuration information	display habp	Available in any view
Display HABP MAC address table entries	display habp table	Available in any view
Display HABP packet statistics	display habp traffic	Available in any view

 

Chapter 4  MAC Authentication Configuration

When configuring MAC authentication, go to these sections for information you are interested in:

l           MAC Authentication Overview

l           Related Concepts

l           Configuring MAC Authentication

l           Displaying and Maintaining MAC Authentication

l           MAC Authentication Configuration Examples

l           ACL Assigning Configuration Example

4.1  MAC Authentication Overview

MAC authentication provides a way for authenticating users based on ports and MAC addresses, without requiring any client software to be installed on the hosts. Once detecting a new MAC address, it initiates the authentication process without requiring username or password.

Currently, the device supports two MAC authentication modes:

l           Remote Authentication Dial-In User Service (RADIUS) based MAC authentication

l           Local MAC authentication

For detailed information about RADIUS authentication and local authentication, refer to AAA RADIUS HWTACACS Configuration.

After determining the authentication mode to be used, you can choose the type of MAC authentication username, including:

l           MAC address, where the MAC address of a user serves as both the username and password.

l           Fixed username, where all users use the same preconfigured username and password for authentication, regardless of the MAC addresses.

4.1.1  RADIUS-Based MAC Authentication

In RADIUS-base MAC authentication, the device serves as a RADIUS client and requires a RADIUS server to cooperate with it.

l           If the type of MAC authentication username is MAC address, the device forwards a detected MAC address as the username and password to the RADIUS server for authentication of the user.

l           If the type of MAC authentication username is fixed username, the device sends the same username and password configured locally to the RADIUS server for authentication of each user.

If the authentication succeeds, the user will be granted permission to access the network resources.

4.1.2  Local MAC Authentication

In local MAC authentication, the device performs authentication of users locally and different items need to be manually configured for users on the device according to the type of MAC authentication username:

l           If the type of MAC authentication username is MAC address, a local user must be configured for each user on the device, using the MAC address of the user as both the username and password.

l           If the type of MAC authentication username is fixed username, a single username and optionally a single password are required for the device to authenticate all users.

4.2  Related Concepts

4.2.1  MAC Authentication Timers

The following timers function in the process of MAC authentication:

l           Offline detect timer: At this interval, the device checks to see whether an online user has gone offline. Once detecting that a user becomes offline, the device sends to the RADIUS server a stop accounting notice.

l           Quiet timer: Whenever a user fails MAC authentication, the device does not initiate any MAC authentication of the user during such a period.

l           Server timeout timer: During authentication of a user, if the device receives no response from the RADIUS server in this period, it assumes that its connection to the RADIUS server has timed out and forbids the user from accessing the network.

4.2.2  Quiet MAC Address

When a user fails MAC authentication, the MAC address becomes a quiet MAC address, which means that any packets from the MAC address will be discarded simply by the device until the quiet timer expires. This prevents the device from authenticating invalid users repeatedly in a short time.

 

 

4.2.3  VLAN Assigning

For separation of users from restricted network resources, a more general way is to put the users and restricted resources into different VLANs. After a user passes identity authentication, the authorization server assigns the VLAN where the restricted resources reside as an authorized VLAN and the port to which the user is connected will become a member of the authorized VLAN. As a result, the user can access those restricted network resources.

4.2.4  ACL Assigning

ACLs assigned by an authorization server are referred to as authorization ACLs, which are designed to control access to network resources with a very fine granularity. When a user logs in, if the RADIUS server is configured with authorization ACLs, the device will permit or deny data flows traversing through the port through which the user accesses the device according to the authorization ACLs assigned by the RADIUS server. You can change access rights of users by modifying authorization ACL settings on the RADIUS server.

4.3  Configuring MAC Authentication

4.3.1  Configuration Prerequisites

l           Create and configure an ISP domain.

l           For local authentication, create the local users and configure the passwords.

l           For RADIUS authentication, ensure that a route is available between the device and the RADIUS server.

 

 

4.3.2  Configuration Procedure

Follow these steps to configure MAC authentication:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Enable MAC authentication globally	mac-authentication	Required Disabled by default
Enable MAC authentication for specified ports	mac-authentication interface interface-list	Required Disabled by default
	interface interface-type interface-number mac-authentication quit
Specify the ISP domain for MAC authentication	mac-authentication domain isp-name	Optional The default ISP domain (system) is used by default.
Set the offline detect timer	mac-authentication timer offline-detect offline-detect-value	Optional 300 seconds by default
Set the quiet timer	mac-authentication timer quiet quiet-value	Optional 60 seconds by default
Set the server timeout timer	mac-authentication timer server-timeout server-timeout-value	Optional 100 seconds by default
Configure the username and password for MAC authentication	mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ with-hyphen | without-hyphen ] }	Optional By default, the user’s source MAC address serves as the username and password, and the MAC address does not contain hyphen “-“.

 

 

4.4  Displaying and Maintaining MAC Authentication

To do…	Use the command…	Remarks
Display the global MAC authentication information or the MAC authentication information about specified ports	display mac-authentication [ interface interface-list ]	Available in any view
Clear the MAC authentication statistics	reset mac-authentication statistics [ interface interface-list ]	Available in user view

 

4.5  MAC Authentication Configuration Examples

4.5.1  Local MAC Authentication Configuration Example

I. Network requirements

As illustrated in Figure 4-1, a supplicant is connected to the device through port GigabitEthernet 1/0/1.

l           Local MAC authentication is required on every port to control user access to the Internet.

l           All users belong to domain aabbcc.net.

l           A local user uses aaa as the username and 123456 as the password for authentication.

l           Set the offline detect timer to 180 seconds and the quiet timer to 3 minutes.

II. Network Diagram

Figure 4-1 Network diagram for local MAC authentication

III. Configuration Procedure

1)         Configure MAC authentication on the switch.

# Add a local user.

<Sysname> system-view

[Sysname] local-user aaa

[Sysname-luser-aaa] password simple 123456

[Sysname-luser-aaa] service-type lan-access

[Sysname-luser-aaa] quit

# Configure ISP domain aabbcc.net, and specify to perform local authentication.

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] authentication lan-access local

[Sysname-isp-aabbcc.net] quit

# Enable MAC authentication globally.

[Sysname] mac-authentication

# Enable MAC authentication for port GigabitEthernet 1/0/1.

[Sysname] mac-authentication interface GigabitEthernet 1/0/1

# Specify the ISP domain for MAC authentication.

[Sysname] mac-authentication domain aabbcc.net

# Set the MAC authentication timers.

[Sysname] mac-authentication timer offline-detect 180

[Sysname] mac-authentication timer quiet 3

[Sysname] mac-authentication user-name-format fixed account aaa password simple 123456

2)         Verify the configuration

# Display global MAC authentication information.

<Sysname> display mac-authentication

MAC address authentication is Enabled.

User name format is fixed account

 Fixed username:aaa

 Fixed password:123456

          Offline detect period is 180s

          Quiet period is 60s.

          Server response timeout value is 100s

          The max allowed user number is 1024 per slot

          Current user number amounts to 1

          Current domain is aabbcc.net

Silent Mac User info:

         MAC ADDR               From Port           Port Index

GigabitGigabitEthernet1/0/1 is link-up

  MAC address authentication is Enabled

  Authenticate success: 1, failed: 0

  Current online user number is 1

    MAC ADDR         Authenticate state           AuthIndex

    00e0-fc12-3456   MAC_AUTHENTICATOR_SUCCESS     29

4.5.2  RADIUS-Based MAC Authentication Configuration Example

I. Network requirements

As illustrated in Figure 4-2, a host is connected to the device through port GigabitEthernet 1/0/1. The device authenticates the host through the RADIUS server.

l           MAC authentication is required on every port to control user access to the Internet.

l           Set the offline detect timer to 180 seconds and the quiet timer to 3 minutes.

II. Network diagram

Figure 4-2 Network diagram for MAC authentication using RADIUS

III. Configuration procedure

1)         Configure MAC authentication on the device

# Configure the IP addresses of the interfaces. (Omitted)

# Configure a RADIUS scheme.

<Sysname> system-view

[Sysname] radius scheme 2000

[Sysname-radius-2000] primary authentication 10.1.1.1 1812

[Sysname-radius-2000] primary accounting 10.1.1.2 1813

[Sysname-radius-2000] key authentication abc

[Sysname-radius-2000] key accounting abc

[Sysname-radius-2000] user-name-format without-domain

[Sysname-radius-2000] quit

# Specify the AAA schemes for the ISP domain.

[Sysname] domain 2000

[Sysname-isp-2000] authentication default radius-scheme 2000

[Sysname-isp-2000] authorization default radius-scheme 2000

[Sysname-isp-2000] accounting default radius-scheme 2000

[Sysname-isp-2000] quit

# Enable MAC authentication globally.

[Sysname] mac-authentication

# Enable MAC authentication for port GigabitEthernet 1/0/1.

[Sysname] mac-authentication interface GigabitEthernet 1/0/1

# Specify the ISP domain for MAC authentication.

[Sysname] mac-authentication domain 2000

# Set the MAC authentication timers.

[Sysname] mac-authentication timer offline-detect 180

[Sysname] mac-authentication timer quiet 3

[Sysname] mac-authentication user-name-format fixed account aaa password simple 123456

2)         Verify the configuration

# Display global MAC authentication information.

<Sysname> display mac-authentication

MAC address authentication is Enabled.

User name format is fixed account

 Fixed username:aaa

 Fixed password:123456

          Offline detect period is 180s

          Quiet period is 60s.

          Server response timeout value is 100s

          The max allowed user number is 1024 per slot

          Current user number amounts to 1

          Current domain is 2000

Silent Mac User info:

         MAC ADDR               From Port           Port Index

GigabitGigabitEthernet1/0/1 is link-up

  MAC address authentication is Enabled

  Authenticate success: 1, failed: 0

  Current online user number is 1

    MAC ADDR         Authenticate state           AuthIndex

    00e0-fc12-3456   MAC_AUTHENTICATOR_SUCCESS     29

4.5.3  ACL Assigning Configuration Example

I. Network requirements

As shown in Figure 4-3, a host is connected to port GigabitEthernet1/0/1 of the switch and must pass MAC authentication to access the Internet.

l           Configure the RADIUS server to assign ACL 3000.

l           On port Ethernet 1/0 of the switch, enable MAC authentication and configure ACL 3000.

After the host passes MAC authentication, the RADIUS server assigns ACL 3000 to port Ethernet 1/0 of the switch. As a result, the host can access the Internet but cannot access the FTP server, whose IP address is 10.0.0.1.

II. Network diagram

Figure 4-3 Network diagram for ACL assigning

III. Configuration procedure

# Configure the IP addresses of the interfaces. (Omitted)

# Configure the RADIUS scheme.

<Sysname> system-view

[Sysname] radius scheme 2000

[Sysname-radius-2000] primary authentication 10.1.1.1 1812

[Sysname-radius-2000] primary accounting 10.1.1.2 1813

[Sysname-radius-2000] key authentication abc

[Sysname-radius-2000] key accounting abc

[Sysname-radius-2000] user-name-format without-domain

[Sysname-radius-2000] quit

# Create an ISP domain and specify the AAA schemes.

[Sysname] domain 2000

[Sysname-isp-2000] authentication default radius-scheme 2000

[Sysname-isp-2000] authorization default radius-scheme 2000

[Sysname-isp-2000] accounting default radius-scheme 2000

[Sysname-isp-2000] quit

# Configure ACL 3000 to deny packets destined for 10.0.0.1.

[Sysname] acl number 3000

[Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0

[Sysname-acl-adv-3000] quit

# Enable MAC authentication globally.

[Sysname] mac-authentication

# Enable MAC authentication for port GigabitEthernet1/0/1.

[Sysname] interface GigabitEthernet 1/0/1.

[Sysname- GigabitEthernet1/0/1] mac-authentication

After completing the above configurations, you can use the ping command to verify whether the ACL 3000 assigned by the RADIUS server functions.

[Sysname] ping 10.0.0.1

  PING 10.0.0.1: 56  data bytes, press CTRL_C to break

    Request time out

    Request time out

    Request time out

    Request time out

    Request time out

 

  --- 10.0.0.1 ping statistics ---

    5 packet(s) transmitted

    0 packet(s) received

    100.00% packet loss