H3C Low-End Ethernet Switches Configuration Examples(V1.04)

03-802.1x Configuration Examples

802.1x Configuration Example

Keywords: 802.1x and AAA

Abstract: This article introduces the application of 802.1x on Ethernet switches in real network environments, and then presents detailed configurations of the 802.1x client, LAN Switch and AAA server respectively.

Acronyms: AAA (Authentication, Authorization and Accounting)

 


Chapter 1  802.1X Overview

 

Note:

The use of this document is restricted to H3C S3600, H3C S5600, H3C S3100, H3C S5100 and H3C S3100-52P Series Ethernet switches.

 

1.1  Introduction to 802.1X

The LAN defined in the IEEE 802 protocols does not provide access authentication: in general, users can reach network devices and resources as soon as they are attached to the LAN. In scenarios such as telecom access networks, office buildings, enterprise LANs and mobile offices, however, administrators need to control which user devices may access the network. Port- or user-based access control was introduced for this purpose.

802.1x is a port-based network access control protocol. It is widely accepted by vendors, service providers and end users for its low cost, superior service continuity and scalability, and high security and flexibility.

1.2  Features Configuration

1.2.1  Global Configuration

- Enable 802.1x globally
- Set time parameters
- Set the maximum number of authentication request attempts
- Enable the quiet timer
- Enable re-authentication upon reboot

1.2.2  Configuration in Port View

- Enable dot1x on the port
- Enable Guest VLAN
- Set the maximum number of users supported on the port
- Set a port access control method (port-based or MAC-based)
- Set a port access control mode (force-authorized, force-unauthorized or auto)
- Enable client version checking
- Enable proxy detection

1.2.3  Precautions

- The configuration of dot1x takes effect only after the dot1x feature is enabled globally.
- You can configure dot1x parameters associated with Ethernet ports or devices before enabling dot1x. However, the configured dot1x parameters only take effect after dot1x is enabled.
- The configured dot1x parameters are retained after dot1x is disabled and take effect again if dot1x is re-enabled.

 


Chapter 2  802.1X Configuration Commands

To implement 802.1x, you need to configure the supplicant system (client), authenticator system (switch) and authentication/authorization server correctly.

- Supplicant system: ensure that the PC runs a suitable 802.1x client.
- Authenticator system: 802.1x and AAA must be configured on the switch.
- Authentication/authorization server: the server must be configured correctly.

The following table shows 802.1x configuration commands necessary for configuring the switch (authenticator system). For configuration information on other devices, refer to related manuals.

Table 2-1 802.1x configuration commands

| To do… | Use the command… | Remarks |
|---|---|---|
| Enable 802.1x globally | dot1x (system view) | Required. Disabled by default. |
| Enable 802.1x on one or more ports | In system view: dot1x [ interface interface-list ]; in port view: dot1x | Required. Disabled on a port by default. 802.1x must be enabled both globally in system view and on the intended port (in system view or port view); otherwise, it does not function. |
| Set a port access control method for the specified or all ports | dot1x port-method { macbased \| portbased } [ interface interface-list ] | Optional. macbased by default. Port-based access control is required for Guest VLAN. |
| Enable a Guest VLAN on the specified or all ports | dot1x guest-vlan vlan-id [ interface interface-list ] | Required. Not enabled by default. The VLAN identified by vlan-id must be created beforehand. |

 


Chapter 3  Enterprise Network Access Authentication Configuration Example

 

Note:

The configuration or information displayed may vary with devices. The following takes the H3C S3600 series switch (using software Release 1510) as an example.

 

3.1  Network Application Analysis

An administrator of an enterprise network needs to authenticate users accessing the network on a per-port basis on the switch to control access to network resources. Table 3-1 shows the details of network application analysis.

Table 3-1 Network application analysis

| Network requirements | Solution |
|---|---|
| Access of users is controlled by authentication. | Enable 802.1x |
| Users can only access VLAN 10 before the authentication succeeds. | Enable Guest VLAN |
| Users can access VLAN 100 after the authentication succeeds. | Enable dynamic VLAN assignment |
| Users select the monthly payment service of 50 dollars and use 2M bandwidth to access the network. | Configure an accounting policy and a bandwidth restraint policy on the RADIUS server |
| IP address and MAC address are bound after a user logs in. | Set MAC-to-IP binding |
| Tear down the connection by force if it is idle for 20 minutes. | Enable idle cut |
| Users can be re-authenticated successfully after the switch reboots abnormally. | Enable re-authentication upon reboot |

 

3.2  Network Diagram

Figure 3-1 Network diagram for enterprise network application

3.3  Configuration Procedure

3.3.1  Configuring the Switch

# Create a RADIUS scheme named cams, and specify the primary and secondary authentication/accounting servers.
<H3C> system-view
[H3C] radius scheme cams
[H3C-radius-cams] primary authentication 192.168.1.19
[H3C-radius-cams] primary accounting 192.168.1.19
[H3C-radius-cams] secondary authentication 192.168.1.20
[H3C-radius-cams] secondary accounting 192.168.1.20
# Set the shared key to expert for the switch to exchange messages with the RADIUS authentication and accounting servers. The same key must be configured for the access device on the RADIUS server.
[H3C-radius-cams] key authentication expert
[H3C-radius-cams] key accounting expert
# Set the username format to fully qualified user name with domain name.
[H3C-radius-cams] user-name-format with-domain
# Set the server type to extended.
[H3C-radius-cams] server-type extended
# Enable re-authentication upon reboot.
[H3C-radius-cams] accounting-on enable
[H3C-radius-cams] quit
# Create an ISP domain named abc and adopt the RADIUS scheme cams for authentication.
[H3C] domain abc
[H3C-isp-abc] radius-scheme cams
[H3C-isp-abc] quit
# Set the ISP domain abc as the default ISP domain.
[H3C] domain default enable abc
# Enable dynamic VLAN assignment (in ISP domain view).
[H3C] domain abc
[H3C-isp-abc] vlan-assignment-mode integer
[H3C-isp-abc] quit
# Create VLAN 10 and enable it as the Guest VLAN on the specified port. Port-based access control is required for Guest VLAN.
[H3C] vlan 10
[H3C-vlan10] quit
[H3C] interface Ethernet1/0/3
[H3C-Ethernet1/0/3] dot1x port-method portbased
[H3C-Ethernet1/0/3] dot1x guest-vlan 10
[H3C-Ethernet1/0/3] quit
# Enable 802.1x globally.
[H3C] dot1x
# Enable dot1x in port view.
[H3C] interface Ethernet1/0/3
[H3C-Ethernet1/0/3] dot1x
[H3C-Ethernet1/0/3] quit

# Use the display commands to view the configuration associated with 802.1x and AAA parameters.
[H3C] display dot1x interface ethernet1/0/3
Global 802.1x protocol is enabled
 CHAP authentication is enabled
 DHCP-launch is disabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled

 Configuration: Transmit Period     30 s,  Handshake Period       15 s
                ReAuth Period     3600 s,  ReAuth MaxTimes        2
                Quiet Period        60 s,  Quiet Period Timer is disabled
                Supp Timeout        30 s,  Server Timeout         100 s
                Interval between version requests is 30s
                Maximal request times for version information is 3
                The maximal retransmitting times          2

 Total maximum 802.1x user resource number is 1024
 Total current used 802.1x resource number is 0

 Ethernet1/0/3  is link-up
   802.1x protocol is enabled
   Proxy trap checker is disabled
   Proxy logoff checker is disabled
   Version-Check is disabled
   The port is an authenticator
   Authentication Mode is Auto
   Port Control Type is Port-based
   ReAuthenticate is disabled
   Max number of on-line users is 256

   Authentication Success: 0, Failed: 0
   EAPOL Packets: Tx 0, Rx 0
   Sent EAP Request/Identity Packets : 0
        EAP Request/Challenge Packets: 0
   Received EAPOL Start Packets : 0
            EAPOL LogOff Packets: 0
            EAP Response/Identity Packets : 0
            EAP Response/Challenge Packets: 0
            Error Packets: 0

   Controlled User(s) amount to 0

[H3C] display radius scheme cams
SchemeName  =cams                             Index=1    Type=extended
Primary Auth IP  =192.168.1.19     Port=1812
Primary Acct IP  =192.168.1.19     Port=1813
Second  Auth IP  =192.168.1.20     Port=1812
Second  Acct IP  =192.168.1.20     Port=1813
Auth Server Encryption Key= expert
Acct Server Encryption Key= expert
Accounting method = required
Accounting-On packet enable, send times = 15 , interval = 3s
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts       =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min)                             =5
Username format                                 =with-domain
Data flow unit                                  =Byte
Packet unit                                     =1
unit 1 :
Primary Auth State=active,   Second Auth State=active
Primary Acc  State=active,   Second Acc  State=active

[H3C] display domain abc
The contents of Domain abc:
   State = Active
   RADIUS Scheme = cams
   Access-limit = Disable
   Vlan-assignment-mode = Integer
   Domain User Template:
   Idle-cut = Disable
   Self-service = Disable
   Messenger Time = Disable

3.3.2  Configuring the RADIUS Server

The configuration of the CAMS authentication, authorization and accounting server consists of four parts:

- Creating an accounting policy
- Adding a service
- Adding an account user
- Configuring the access device

The following parts take CAMS server V1.20 (standard version) as an example to introduce CAMS configuration.

I. Logging in to the CAMS configuration console

1) Enter the correct user name and password on the login page to log in to the CAMS configuration console.

Figure 3-2 Login page of CAMS configuration console

2) After login, the following page appears:

Figure 3-3 CAMS configuration console

II. Creating an accounting policy

1) Enter the Accounting Policy Management page.

Log in to the CAMS configuration console. On the navigation tree, select [Charges Management/Accounting Policy] to enter the [Accounting Policy Management] page, as shown in Figure 3-4.

Figure 3-4 Accounting Policy Management

The list shows the created accounting policies. You can query, modify or maintain these policies.

2) Create an accounting policy.

Click <Add> to enter the [Accounting Policy Basic Information] page and create a monthly payment accounting policy, as shown in Figure 3-5.

Figure 3-5 Accounting Policy Basic Information

3) Click <Next> to enter the [Accounting Attribute Settings] page, and set Accounting Type to By duration, Monthly Cycle to Monthly and Monthly Fixed Fee to 50 dollars, as shown in Figure 3-6.

Figure 3-6 Accounting Attribute Settings

Click <OK>. A monthly payment accounting policy is created.

III. Adding a service

1) Enter the Service Config page.

Log in to the CAMS configuration console. On the navigation tree, select [Service Management/Service Config] to enter the [Service Config] page, as shown in Figure 3-7.

Figure 3-7 Service Config

The list shows the created service types. You can query, modify or delete these service types.

2) Add a service.

Click <Add> to enter the [Add Service] page and configure as follows:

- Service Name: abc
- Service Suffix Name: abc
- Accounting Policy: Monthly Fixed Payment
- Upstream Rate Limitation: 2M (2048 Kbps)
- Downstream Rate Limitation: 2M (2048 Kbps)
- VLAN Assignment: VLAN 100
- Authentication Binding: Bind user IP address and bind user MAC address

Figure 3-8 Add Service

Click <OK>. A service type is added.

IV. Adding an account user

1) Enter the Account Management page.

Log in to the CAMS configuration console. On the navigation tree, select [User Management/Account User] to enter the [Account Management] page, as shown in Figure 3-9.

Figure 3-9 Account Management

The list shows the created account users. You can maintain these account users.

2) Add an account user.

Click <Add> to enter the [Add Account] page and configure as follows:

- Account: info
- Password: info
- Full Name: Bruce
- Prepaid Money: 100 dollars
- Bind multiple IP address and MAC address: enable
- Online Limit: 1
- Max. Idle Time: 20 minutes
- Service Information: abc

Figure 3-10 Add Account

Click <OK>. An account user is added.

V. Configuring the access device

1) Enter the System Configuration page.

Log in to the CAMS configuration console. On the navigation tree, select [System Management/System Configuration] to enter the [System Configuration] page, as shown in Figure 3-11.

Figure 3-11 System Configuration

2) Click the Modify link of the Access Device item to enter the [Access Device Configuration] page, where the access device settings such as IP address, shared key, and authentication and accounting ports are modified. The shared key must be the same as the key configured in the RADIUS scheme on the switch.

Figure 3-12 Access Device Configuration

VI. Adding configuration item

1) Click <Add> to enter the [Add Access Device] page and add configuration items, as shown in Figure 3-13.

Figure 3-13 Add Access Device

2) Click <OK>. The prompt page appears as shown in Figure 3-14.

Figure 3-14 Page prompting that system configuration is modified successfully

3) Return to the [System Configuration] page and click <Validate Now> to make the configuration take effect immediately.

Figure 3-15 Validate Now on System Management page
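The shared key entered for the access device above has to match the key set with key authentication / key accounting in the RADIUS scheme on the switch. The reason is that every RADIUS reply is bound to the key: the server computes the Response Authenticator as MD5 over the packet header, the request's authenticator, the attributes and the shared secret (RFC 2865 section 3), and the switch recomputes it with its own copy of the key before trusting the reply. The following Python script is an added example, not H3C or CAMS code; the packets, the identifier 7, the username info@abc and the VLAN value 100 are constructed here to mirror the configuration in this chapter, and the function names are this example's own.

```python
"""Why the RADIUS shared key must match on the switch and on the CAMS server.

Added example, not H3C or CAMS code.  It builds a constructed Access-Request
and Access-Accept, signs the reply the way a RADIUS server does, and performs
the verification a switch performs on receipt.  No network traffic is sent."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2          # RADIUS packet codes (RFC 2865)
USER_NAME, TUNNEL_PRIVATE_GROUP_ID = 1, 81    # attribute types used below


def build_packet(code, identifier, authenticator, attributes=b""):
    """RADIUS header (Code, Identifier, Length, Authenticator) followed by attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def response_authenticator(code, identifier, request_auth, attributes, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def make_access_request(identifier, username):
    """Constructed Access-Request from the switch.  Only User-Name is carried;
    a real request also carries CHAP-Password or EAP-Message attributes."""
    attrs = bytes([USER_NAME, 2 + len(username)]) + username
    return build_packet(ACCESS_REQUEST, identifier, os.urandom(16), attrs)


def server_reply(request, server_key, vlan="100"):
    """Access-Accept as the RADIUS server builds it: signed with the server's
    copy of the key and carrying the VLAN to assign (Tunnel-Private-Group-ID, tag 0)."""
    _, identifier, _ = struct.unpack("!BBH", request[:4])
    value = vlan.encode()
    attrs = bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(value), 0]) + value
    auth = response_authenticator(ACCESS_ACCEPT, identifier, request[4:20], attrs, server_key)
    return build_packet(ACCESS_ACCEPT, identifier, auth, attrs)


def switch_accepts(reply, request, switch_key):
    """The check the switch performs: identifier and length must match the
    outstanding request, and the authenticator must verify under the switch's key."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, request[4:20], reply[20:], switch_key)
    return hmac.compare_digest(expected, reply[4:20])


def exchange(switch_key=b"expert", server_key=b"expert", tamper=False):
    """One request/reply round trip; returns whether the switch accepts the reply."""
    request = make_access_request(7, b"info@abc")   # with-domain username format
    reply = server_reply(request, server_key)
    if tamper:  # any change to the reply (here: the assigned VLAN) breaks the authenticator
        reply = reply[:-1] + bytes([reply[-1] ^ 0xFF])
    return switch_accepts(reply, request, switch_key)


if __name__ == "__main__":
    print("matching key   :", exchange())                        # True
    print("key mismatch   :", exchange(server_key=b"Expert"))    # False
    print("tampered reply :", exchange(tamper=True))             # False
```

A key mismatch between the switch and the CAMS access-device entry therefore shows up on the switch as replies that fail verification, which is indistinguishable from the server not answering; it is one of the first things to compare when authentication fails although both sides appear reachable.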

3.3.3  Configuring the Supplicant System

You need to install an 802.1x client on the PC; this may be H3C’s 802.1x client, the client shipped with Windows XP, or a third-party client. The following takes H3C’s 802.1X client as an example to show how to configure the supplicant system.

I. Starting up H3C authentication client

Figure 3-16 H3C authentication client

II. Creating a connection

Right click the 802.1x Authentication icon and select [Create an 802.1x connection], as shown in Figure 3-17.

Figure 3-17 Create an 802.1x connection

III. Configuring connection attributes

Click <Next> to enter the [Set special properties] page:

Figure 3-18 Set special properties

Keep default settings and click <OK>. The prompt page appears as shown in Figure 3-19.

Figure 3-19 Page prompting that a connection is created successfully

IV. Initiating the connection

Double click the info connection:

Figure 3-20  Connecting

The connection succeeds:

Figure 3-21 Page prompting that the Authentication succeeds

3.3.4  Verifying Configuration

To verify that the Guest VLAN configuration is taking effect, check that users can access VLAN 10 before 802.1x authentication takes place or after it fails.

To verify that dynamic VLAN assignment is taking effect, check that users can access VLAN 100 after 802.1x authentication succeeds. At the same time, 802.1x authentication works with CAMS to complete accounting and real-time monitoring.

To verify that the IP-to-MAC binding configuration is taking effect, check that users can be re-authenticated and access the Internet after the device reboots abnormally. If the configured IP-to-MAC binding differs from that on the CAMS, the user cannot access the Internet.

3.3.5  Troubleshooting

I. Symptom: 802.1x authentication fails

Solution:

- Use the display dot1x command to verify that 802.1x is enabled globally and on the specified ports.
- Verify that the username and password are set correctly.
- Verify that the connection works.
- Use the debugging dot1x packet command to verify that the switch receives and sends EAP and EAPOL packets normally.

II. Symptom: Users can access network resources without 802.1x authentication

Solution:

- Use the display dot1x command to verify that 802.1x is enabled globally and on the specified ports.
- Use the display interface command to verify that incoming packet statistics are counted on the specified port. 802.1x authentication applies only to incoming packets, not outgoing packets.
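The first troubleshooting step in both symptoms, and the verification in section 3.3.4, come down to reading display dot1x and display radius scheme output and comparing it with the requirements in Table 3-1. The following Python script is an added example, not H3C code: it parses excerpts of the two display outputs copied from section 3.3.1 and reports which requirements the displayed state does not meet (global and per-port 802.1x state, port-based control for the Guest VLAN, the extended scheme type, both authentication servers, the with-domain username format and accounting-on for re-authentication after reboot). The check list and function names are this example's own; the parsing is keyed to the field names shown in this document and may need adjusting for other software releases.

```python
"""Check displayed 802.1x and RADIUS state against the Table 3-1 requirements.

Added example, not H3C code.  DOT1X_OUTPUT and RADIUS_OUTPUT are excerpts of
the 'display dot1x interface ethernet1/0/3' and 'display radius scheme cams'
output shown in section 3.3.1 of this document."""
import re

DOT1X_OUTPUT = """\
Global 802.1x protocol is enabled
 CHAP authentication is enabled
 DHCP-launch is disabled
 Total maximum 802.1x user resource number is 1024
 Total current used 802.1x resource number is 0
 Ethernet1/0/3  is link-up
   802.1x protocol is enabled
   Version-Check is disabled
   The port is an authenticator
   Authentication Mode is Auto
   Port Control Type is Port-based
   ReAuthenticate is disabled
   Max number of on-line users is 256
"""

RADIUS_OUTPUT = """\
SchemeName  =cams                             Index=1    Type=extended
Primary Auth IP  =192.168.1.19     Port=1812
Primary Acct IP  =192.168.1.19     Port=1813
Second  Auth IP  =192.168.1.20     Port=1812
Second  Acct IP  =192.168.1.20     Port=1813
Accounting method = required
Accounting-On packet enable, send times = 15 , interval = 3s
Username format                                 =with-domain
"""


def parse_dot1x(text):
    """Return the global 802.1x state and, per port, the fields that are checked."""
    state = {"global_enabled": False, "ports": {}}
    port = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Global 802.1x protocol is"):
            state["global_enabled"] = line.split()[-1] == "enabled"
            continue
        m = re.match(r"^(\S+)\s+is link-(up|down)$", line)
        if m:  # "<port>  is link-up" starts a per-port section
            port = m.group(1)
            state["ports"][port] = {"link": m.group(2)}
            continue
        if port is None:
            continue
        fields = state["ports"][port]
        if line.startswith("802.1x protocol is"):
            fields["enabled"] = line.split()[-1] == "enabled"
        elif line.startswith("Authentication Mode is"):
            fields["mode"] = line.split()[-1].lower()
        elif line.startswith("Port Control Type is"):
            fields["control"] = line.split()[-1].lower()
    return state


def parse_radius(text):
    """Return scheme type, server addresses/ports, username format and accounting-on flag."""
    scheme = {"servers": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(Primary|Second)\s+(Auth|Acct) IP\s*=(\S+)\s+Port=(\d+)", line)
        if m:
            key = f"{m.group(1).lower()}_{m.group(2).lower()}"   # e.g. primary_auth
            scheme["servers"][key] = (m.group(3), int(m.group(4)))
        elif line.startswith("SchemeName"):
            scheme["type"] = line.split("Type=")[-1].strip()
        elif line.startswith("Accounting-On packet"):
            scheme["accounting_on"] = line.split(",")[0].endswith("enable")
        elif line.startswith("Username format"):
            scheme["username_format"] = line.split("=")[-1].strip()
    return scheme


def failed_checks(dot1x_text, radius_text, port="Ethernet1/0/3"):
    """Names of the Table 3-1 requirements that the displayed state does not meet."""
    dot1x = parse_dot1x(dot1x_text)
    radius = parse_radius(radius_text)
    p = dot1x["ports"].get(port, {})
    checks = [
        ("802.1x enabled globally", dot1x["global_enabled"]),
        (f"802.1x enabled on {port}", p.get("enabled", False)),
        (f"{port} control type is port-based (required for Guest VLAN)", p.get("control") == "port-based"),
        (f"{port} authentication mode is auto", p.get("mode") == "auto"),
        ("RADIUS scheme type is extended", radius.get("type") == "extended"),
        ("primary and secondary authentication servers present",
         {"primary_auth", "second_auth"} <= set(radius["servers"])),
        ("username format is with-domain", radius.get("username_format") == "with-domain"),
        ("accounting-on enabled (re-authentication after reboot)", radius.get("accounting_on", False)),
    ]
    return [name for name, ok in checks if not ok]


if __name__ == "__main__":
    print(failed_checks(DOT1X_OUTPUT, RADIUS_OUTPUT) or "all 802.1x/RADIUS checks passed")
```

Run against the output in section 3.3.1 the check list is empty; pointing failed_checks at a port that does not appear in the output, or at output where the port control type is MAC-based, lists exactly the requirements that are not met, which is the information the troubleshooting steps ask you to establish by hand.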