03-802.1X client configuration
Contents
802.1X client configuration task list
Enabling the 802.1X client feature
Configuring the 802.1X client username and password
Specifying the 802.1X client EAP authentication method
Configuring the 802.1X client anonymous identifier
802.1X client configuration example
Configuring 802.1X client
As shown in Figure 1, the 802.1X client feature allows the access device to act as the supplicant in the 802.1X architecture. For information about the 802.1X architecture, see "802.1X overview."
Figure 1 802.1X client network diagram
802.1X client configuration task list
Tasks at a glance |
---|
(Required.) Enabling the 802.1X client feature |
(Required.) Configuring the 802.1X client username and password |
(Required.) Specifying the 802.1X client EAP authentication method |
(Optional.) Configuring the 802.1X client anonymous identifier |
Enabling the 802.1X client feature
Before enabling the 802.1X client feature, make sure you have configured 802.1X authentication on the authenticator. For information about 802.1X configuration, see "Configuring 802.1X."
If an 802.1X client-enabled AP has online clients, disabling the 802.1X client feature will log off these online clients.
To enable the 802.1X client feature:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a manual AP and enter AP view. | wlan ap ap-name [ model model-name ] | By default, no manual APs exist. You must specify the model name when you create an AP. |
3. Enable AP preprovisioning and enter AP provision view. | provision | By default, AP preprovisioning is disabled. |
4. Enable the 802.1X client feature. | dot1x supplicant enable | By default, the 802.1X client feature is disabled. |
Configuring the 802.1X client username and password
An 802.1X client-enabled device uses the configured username and password for 802.1X authentication.
Make sure the username and password configured on the device are consistent with the username and password configured on the authentication server. If they differ, the device cannot pass 802.1X authentication and cannot access the network.
To configure the 802.1X client username and password:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a manual AP and enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
3. Enable AP preprovisioning and enter AP provision view. | provision | N/A |
4. Configure the 802.1X client username. | dot1x supplicant username username | By default, no 802.1X client username exists. |
5. Set the 802.1X client password. | dot1x supplicant password { cipher \| simple } password | By default, no 802.1X client password exists. |
Specifying the 802.1X client EAP authentication method
An 802.1X client-enabled device supports the following EAP authentication methods:
· MD5-Challenge.
· PEAP-MSCHAPv2.
· PEAP-GTC.
· TTLS-MSCHAPv2.
· TTLS-GTC.
An 802.1X authenticator supports the EAP relay and EAP termination modes. Support of the EAP authentication methods for the two modes varies.
· The MD5-Challenge EAP authentication supports both modes.
· Other EAP authentication methods support only the EAP relay mode.
For information about EAP relay and EAP termination, see "Configuring 802.1X."
To specify the 802.1X client EAP authentication method:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a manual AP and enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
3. Enable AP preprovisioning and enter AP provision view. | provision | N/A |
4. Specify the 802.1X client EAP authentication method. | dot1x supplicant eap-method { md5 \| peap-gtc \| peap-mschapv2 \| ttls-gtc \| ttls-mschapv2 } | By default, the 802.1X client-enabled device uses the MD5-Challenge EAP authentication. Make sure the specified 802.1X client EAP authentication method is supported by the RADIUS server. |
Configuring the 802.1X client anonymous identifier
At the first authentication phase, packets sent to the authenticator are not encrypted, so any identity carried in them can be read by the authenticator and by anyone who can observe the link. Configuring an 802.1X client anonymous identifier prevents the 802.1X client username from being disclosed at this phase: the 802.1X client-enabled device sends the anonymous identifier to the authenticator instead of the 802.1X client username. The 802.1X client username is sent to the authenticator in encrypted packets at the second phase.
If no 802.1X client anonymous identifier is configured, the device sends the 802.1X client username at the first authentication phase.
The configured 802.1X client anonymous identifier takes effect only if one of the following EAP authentication methods is used:
· PEAP-MSCHAPv2.
· PEAP-GTC.
· TTLS-MSCHAPv2.
· TTLS-GTC.
If the MD5-Challenge EAP authentication is used, the configured 802.1X client anonymous identifier does not take effect. The device still uses the 802.1X client username at the first authentication phase.
Do not configure the 802.1X client anonymous identifier if the vendor-specific authentication server cannot identify anonymous identifiers.
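To make the two-phase behavior concrete, here is an added Python example (not part of the H3C documentation) that applies the rules above: it chooses the identity that goes into the cleartext EAP-Response/Identity, builds that EAPOL frame, parses the identity back out the way the authenticator sees it, and flags the two incompatibilities the page describes (a non-MD5 method with EAP termination, and an anonymous identifier with MD5-Challenge). The function names, the "relay"/"termination" strings and the constructed sample MAC are my own assumptions.

```python
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group destination
ETH_P_EAPOL = 0x888E
EAPOL_EAP_PACKET = 0
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

# Methods for which the page says the anonymous identifier takes effect.
TUNNELED_METHODS = {"peap-mschapv2", "peap-gtc", "ttls-mschapv2", "ttls-gtc"}


def first_phase_identity(username, eap_method, anonymous_id=None):
    """Identity the supplicant puts in the cleartext first phase: the
    anonymous identifier for PEAP/TTLS methods, the real username for md5."""
    if anonymous_id and eap_method in TUNNELED_METHODS:
        return anonymous_id
    return username


def check_supplicant_config(eap_method, authenticator_mode, anonymous_id=None):
    """Apply the page's compatibility rules; returns a list of warnings."""
    warnings = []
    if authenticator_mode == "termination" and eap_method != "md5":
        warnings.append(f"{eap_method} requires EAP relay on the authenticator")
    if anonymous_id and eap_method == "md5":
        warnings.append("anonymous identifier ignored with md5; username sent in clear")
    return warnings


def build_identity_response(src_mac, identity, eap_id=1):
    """Construct the EAPOL frame carrying EAP-Response/Identity (RFC 3748 layout)."""
    ident = identity.encode()
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(ident), EAP_TYPE_IDENTITY) + ident
    eapol = struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap
    return PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETH_P_EAPOL) + eapol


def identity_on_wire(frame):
    """What the authenticator (or a capture on the link) reads from the frame;
    None if it is not an EAP-Response/Identity."""
    if len(frame) < 23 or struct.unpack("!H", frame[12:14])[0] != ETH_P_EAPOL:
        return None
    _version, ptype, _plen = struct.unpack("!BBH", frame[14:18])
    code, _eid, length, etype = struct.unpack("!BBHB", frame[18:23])
    if ptype != EAPOL_EAP_PACKET or code != EAP_RESPONSE or etype != EAP_TYPE_IDENTITY:
        return None
    return frame[23:18 + length].decode(errors="replace")


if __name__ == "__main__":
    ap_mac = bytes.fromhex("70f96dd7d1e0")   # constructed; matches the page's sample output
    for method in ("peap-mschapv2", "md5"):
        frame = build_identity_response(ap_mac, first_phase_identity("aaa", method, "bbb"))
        print(method, "->", identity_on_wire(frame), check_supplicant_config(method, "relay", "bbb"))
```

Running it shows "bbb" on the wire for PEAP-MSCHAPv2 but "aaa" for MD5-Challenge, which is exactly why the anonymous identifier does not protect the username under MD5.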
To configure the 802.1X client anonymous identifier:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a manual AP and enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
3. Enable AP preprovisioning and enter AP provision view. | provision | N/A |
4. Configure the 802.1X client anonymous identifier. | dot1x supplicant anonymous identify identifier | By default, no 802.1X client anonymous identifier exists. |
802.1X client configuration example
Network requirements
As shown in Figure 2, the switch acts as the authenticator to perform 802.1X client authentication for the AP that connects to the port GigabitEthernet 1/0/1.
Configure the switch to meet the following requirements:
· Use RADIUS servers to perform 802.1X authentication and authorization for the AP.
· Enable EAP relay for the switch to communicate with the RADIUS servers.
· Assign the AP to the ISP domain bbb.
· Set the shared key to name for secure communication between the switch and the RADIUS servers.
· Implement 802.1X port-based access control for the AP.
Perform the following tasks on the AC:
· Enable the 802.1X client feature for the AP.
· Set the following 802.1X client parameters for the AP:
  ◦ Configure the authentication username as aaa.
  ◦ Set the password to 123456 in plain text.
  ◦ Specify PEAP-MSCHAPv2 as the EAP authentication method.
· Save the 802.1X client settings to the configuration file on the AP.
Configuration procedure
1. Configure the RADIUS servers:
# Add a user account with the username aaa and password 123456. (Details not shown.)
# Configure the servers to provide authentication and authorization services. (Details not shown.)
2. Configure the AC:
a. Assign an IP address to each interface, as shown in Figure 2. (Details not shown.)
b. Configure the 802.1X client feature:
# Create a manual AP named ap1, and specify the AP model and serial ID.
<AC> system-view
[AC] wlan ap ap1 model WA4320i-ACN
[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454
# Enable AP preprovisioning and enter AP provision view (stay in AP view; the provision command is entered from there).
[AC-wlan-ap-ap1] provision
# Specify PEAP-MSCHAPv2 as the 802.1X client EAP authentication method.
[AC-wlan-ap-ap1-prvs] dot1x supplicant eap-method peap-mschapv2
# Configure the 802.1X client username as aaa, and set the password to 123456 in plain text.
[AC-wlan-ap-ap1-prvs] dot1x supplicant username aaa
[AC-wlan-ap-ap1-prvs] dot1x supplicant password simple 123456
# Configure the 802.1X client anonymous identifier as bbb.
[AC-wlan-ap-ap1-prvs] dot1x supplicant anonymous identify bbb
# Enable the 802.1X client feature.
[AC-wlan-ap-ap1-prvs] dot1x supplicant enable
# Save the 802.1X client configuration in AP provision view to the configuration file wlan_ap_prvs.xml on the AP ap1.
[AC-wlan-ap-ap1-prvs] save wlan ap provision name ap1
[AC-wlan-ap-ap1-prvs] quit
[AC-wlan-ap-ap1] quit
3. Configure the switch:
a. Assign an IP address to each interface, as shown in Figure 2. (Details not shown.)
b. Configure a RADIUS scheme:
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
<Switch> system-view
[Switch] radius scheme radius1
# Specify the IP address of the primary authentication RADIUS server.
[Switch-radius-radius1] primary authentication 10.1.1.1
# Specify the IP address of the secondary authentication RADIUS server.
[Switch-radius-radius1] secondary authentication 10.1.1.2
# Specify the shared key between the switch and the authentication RADIUS servers.
[Switch-radius-radius1] key authentication simple name
# Exclude the ISP domain names from the usernames sent to the RADIUS servers.
[Switch-radius-radius1] user-name-format without-domain
[Switch-radius-radius1] quit
NOTE: The authenticator must use the same username format as the RADIUS server. If the RADIUS server includes the ISP domain name in the username, so must the authenticator.
c. Configure the ISP domain:
# Create an ISP domain named bbb and enter ISP domain view.
[Switch] domain bbb
# Perform authentication and authorization for 802.1X clients in the ISP domain bbb based on the RADIUS scheme radius1.
[Switch-isp-bbb] authentication lan-access radius-scheme radius1
[Switch-isp-bbb] authorization lan-access radius-scheme radius1
[Switch-isp-bbb] accounting lan-access none
[Switch-isp-bbb] quit
d. Configure 802.1X:
# Enable EAP relay.
[Switch] dot1x authentication-method eap
# Enable port-based access control on the port GigabitEthernet 1/0/1.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] dot1x port-method portbased
# Specify the ISP domain bbb as the 802.1X mandatory domain.
[Switch-GigabitEthernet1/0/1] dot1x mandatory-domain bbb
# Enable 802.1X on GigabitEthernet 1/0/1.
[Switch-GigabitEthernet1/0/1] dot1x
[Switch-GigabitEthernet1/0/1] quit
# Enable 802.1X globally.
[Switch] dot1x
Verifying the configuration
# Display online 802.1X client information.
[Switch] display dot1x connection
Slot ID: 1
User MAC address: 70f9-6dd7-d1e0
Access interface: GigabitEthernet1/0/1
Username: aaa
Authentication domain: bbb
Authentication method: EAP
Initial VLAN: 1
Authorization untagged VLAN: N/A
Authorization tagged VLAN list: N/A
Authorization ACL ID: N/A
Authorization user profile: N/A
Termination action: N/A
Session timeout period: N/A
Online from: 2015/06/16 19:10:32
Online duration: 0h 1m 1s
Total connections: 1