09-Security Configuration Guide

H3C S6520X-EI[HI][SI] & S6520-SI & S5560X-HI Switch Series Configuration Guides-R65xx-6W103
02-802.1X configuration

Contents

802.1X overview
    About the 802.1X protocol
    802.1X architecture
    Controlled/uncontrolled port and port authorization status
    Packet exchange methods
    Packet formats
    802.1X authentication procedures
    802.1X authentication initiation
    Access control methods
    802.1X VLAN manipulation
        Authorization VLAN
        Guest VLAN
        Auth-Fail VLAN
        Critical VLAN
        Critical voice VLAN
    802.1X VSI manipulation
        802.1X support for VXLANs
        Authorization VSI
        Guest VSI
        Auth-Fail VSI
        Critical VSI
    ACL assignment
    User profile assignment
    Redirect URL assignment
    CAR attribute assignment
    Periodic 802.1X reauthentication
    EAD assistant

Configuring 802.1X
    Restrictions and guidelines: 802.1X configuration
    802.1X tasks at a glance
    Prerequisites for 802.1X
    Enabling 802.1X
    Enabling EAP relay or EAP termination
    Setting the port authorization state
    Specifying an access control method
    Specifying a mandatory authentication domain on a port
    Setting the 802.1X authentication timeout timers
    Configuring 802.1X reauthentication
    Setting the quiet timer
    Configuring an 802.1X guest VLAN
    Enabling 802.1X guest VLAN assignment delay
    Configuring an 802.1X Auth-Fail VLAN
    Configuring an 802.1X critical VLAN
    Enabling the 802.1X critical voice VLAN feature
    Configuring an 802.1X guest VSI
    Enabling 802.1X guest VSI assignment delay
    Configuring an 802.1X Auth-Fail VSI
    Configuring an 802.1X critical VSI
    Configuring 802.1X unauthenticated user aging
    Sending EAP-Success packets on assignment of users to the 802.1X Auth-Fail VLAN or VSI
    Sending EAP-Success packets on assignment of users to the 802.1X critical VLAN or VSI
    Enabling 802.1X online user synchronization
    Configuring the authentication trigger feature
    Setting the maximum number of concurrent 802.1X users on a port
    Setting the maximum number of authentication request attempts
    Discarding duplicate 802.1X EAPOL-Start requests
    Configuring online user handshake
    Specifying supported domain name delimiters
    Removing the VLAN tags of 802.1X protocol packets sent out of a port
    Setting the maximum number of 802.1X authentication attempts for MAC authenticated users
    Enabling 802.1X user IP freezing
    Enabling generation of dynamic IPSG binding entries for 802.1X authenticated users
    Configuring 802.1X MAC address binding
    Configuring the EAD assistant feature
    Setting the maximum size of EAP-TLS fragments sent to the server
    Logging off 802.1X users
    Enabling 802.1X user logging
    Display and maintenance commands for 802.1X

802.1X authentication configuration examples
    Example: Configuring basic 802.1X authentication
    Example: Configuring 802.1X guest VLAN and authorization VLAN
    Example: Configuring 802.1X with ACL assignment
    Example: Configuring 802.1X guest VSI and authorization VSI
    Example: Configuring 802.1X with EAD assistant (with DHCP relay agent)
    Example: Configuring 802.1X with EAD assistant (with DHCP server)

Troubleshooting 802.1X
    EAD assistant URL redirection failure

 


802.1X overview

About the 802.1X protocol

802.1X is a port-based network access control protocol widely used on Ethernet networks. The protocol controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.

802.1X architecture

802.1X operates in the client/server model. As shown in Figure 1, 802.1X authentication includes the following entities:

·     Client (supplicant)—A user terminal seeking access to the LAN. The terminal must have 802.1X software to authenticate to the access device.

·     Access device (authenticator)—Authenticates the client to control access to the LAN. In a typical 802.1X environment, the access device uses an authentication server to perform authentication.

·     Authentication server—Provides authentication services for the access device. The authentication server first authenticates 802.1X clients by using the data sent from the access device. Then, the server returns the authentication results to the access device to make access decisions. The authentication server is typically a RADIUS server. In a small LAN, you can use the access device as the authentication server.

Figure 1 802.1X architecture

 

Controlled/uncontrolled port and port authorization status

802.1X defines two logical ports for the network access port: controlled port and uncontrolled port. Any packet arriving at the network access port is visible to both logical ports.

·     Uncontrolled port—Is always open to receive and transmit authentication packets.

·     Controlled port—Filters packets depending on the port state.

¡     Authorized state—The controlled port is in authorized state when the client has passed authentication. The port allows traffic to pass through.

¡     Unauthorized state—The port is in unauthorized state when the client has failed authentication. The port controls traffic by using one of the following methods:

-     Performs bidirectional traffic control to deny traffic to and from the client.

-     Performs unidirectional traffic control to deny traffic from the client. The device supports only unidirectional traffic control.

Figure 2 Authorization state of a controlled port

 

Packet exchange methods

802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the access device, and the authentication server. EAP is an authentication framework that uses the client/server model. The framework supports a variety of authentication methods, including MD5-Challenge, EAP-Transport Layer Security (EAP-TLS), and Protected EAP (PEAP).

802.1X defines EAP over LAN (EAPOL) for passing EAP packets between the client and the access device over a wired or wireless LAN. Between the access device and the authentication server, 802.1X delivers authentication information by either EAP relay or EAP termination.

EAP relay

EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAP over RADIUS (EAPOR) packets to send authentication information to the RADIUS server, as shown in Figure 3.

Figure 3 EAP relay

 

In EAP relay mode, the client must use the same authentication method as the RADIUS server. On the access device, you only need to use the dot1x authentication-method eap command to enable EAP relay.

EAP termination

As shown in Figure 4, the access device performs the following operations in EAP termination mode:

1.     Terminates the EAP packets received from the client.

2.     Encapsulates the client authentication information in standard RADIUS packets.

3.     Uses PAP or CHAP to authenticate to the RADIUS server.

Figure 4 EAP termination

 

Comparing EAP relay and EAP termination

EAP relay

Benefits:

·     Supports various EAP authentication methods.

·     The configuration and processing are simple on the access device.

Limitations:

·     The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client.

EAP termination

Benefits:

·     Works with any RADIUS server that supports PAP or CHAP authentication.

Limitations:

·     Supports only the following EAP authentication methods:

-     MD5-Challenge EAP authentication.

-     The username and password EAP authentication initiated by an iNode 802.1X client.

·     The processing is complex on the access device.

 

Packet formats

EAP packet format

Figure 5 shows the EAP packet format.

Figure 5 EAP packet format

 

·     Code—Type of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure (4).

·     Identifier—Used for matching Responses with Requests.

·     Length—Length (in bytes) of the EAP packet. The EAP packet length is the sum of the Code, Identifier, Length, and Data fields.

·     Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field contains the request type (or the response type) and the type data. Type 1 (Identity) and type 4 (MD5-Challenge) are two examples for the type field.

EAPOL packet format

Figure 6 shows the EAPOL packet format.

Figure 6 EAPOL packet format

 

·     PAE Ethernet type—Protocol type. It takes the value 0x888E for EAPOL.

·     Protocol version—The EAPOL protocol version used by the EAPOL packet sender.

·     Type—Type of the EAPOL packet. Table 1 lists the types of EAPOL packets supported by the 802.1X implementation of the device.

Table 1 Types of EAPOL packets

Value   Type           Description
0x00    EAP-Packet     The client and the access device use EAP-Packets to transport authentication information.
0x01    EAPOL-Start    The client sends an EAPOL-Start message to initiate 802.1X authentication to the access device.
0x02    EAPOL-Logoff   The client sends an EAPOL-Logoff message to tell the access device that the client is logging off.

 

·     Length—Data length in bytes, or length of the Packet body. If packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows.

·     Packet body—Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body field contains an EAP packet.
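The two formats above (EAP header with Code/Identifier/Length/Type, and the EAPOL header that wraps it behind EtherType 0x888E) are easy to get wrong when the Length fields disagree with the bytes actually received. The following parser is an added example, not code from this guide or from the H3C implementation; it validates an Ethernet frame carrying EAPOL, refuses an EAPOL-Start or EAPOL-Logoff that carries a body, and refuses an EAP Length that runs past the buffer. The sample frames at the bottom (the PAE group MAC, the client MAC, the username alice) are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPES = {0x00: "EAP-Packet", 0x01: "EAPOL-Start", 0x02: "EAPOL-Logoff"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no Data field
    type_data: bytes


@dataclass
class EapolPacket:
    version: int
    eapol_type: int
    length: int
    eap: Optional[EapPacket]  # None for EAPOL-Start / EAPOL-Logoff


def parse_eap(data: bytes) -> EapPacket:
    """Parse an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(data) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    # Length covers Code+Identifier+Length+Data; never trust it beyond the buffer.
    if length < 4 or length > len(data):
        raise ValueError(f"bad EAP length {length} for a {len(data)}-byte buffer")
    if code in (3, 4):
        return EapPacket(code, identifier, length, None, b"")
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    return EapPacket(code, identifier, length, data[4], data[5:length])


def parse_eapol_frame(frame: bytes) -> EapolPacket:
    """Parse an Ethernet frame: dst MAC, src MAC, EtherType 0x888E, then the EAPOL header."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    if eapol_type not in EAPOL_TYPES:
        raise ValueError(f"unsupported EAPOL type 0x{eapol_type:02x}")
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL length exceeds frame")
    if eapol_type in (0x01, 0x02):
        # EAPOL-Start / EAPOL-Logoff: Length must be 0 and no Packet Body follows.
        if length != 0:
            raise ValueError("EAPOL-Start/Logoff must carry an empty body")
        return EapolPacket(version, eapol_type, length, None)
    return EapolPacket(version, eapol_type, length, parse_eap(body))


def describe(pkt: EapolPacket) -> str:
    name = EAPOL_TYPES[pkt.eapol_type]
    if pkt.eap is None:
        return name
    eap = pkt.eap
    s = f"{name}: EAP-{EAP_CODES[eap.code]} id={eap.identifier}"
    if eap.eap_type is not None:
        s += f" type={EAP_TYPES.get(eap.eap_type, eap.eap_type)}"
    return s


# Constructed sample frames (not captured from a real switch).
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")      # 802.1X PAE group address
CLIENT_MAC = bytes.fromhex("001122334455")         # made-up supplicant MAC
ETH = PAE_GROUP_MAC + CLIENT_MAC + struct.pack("!H", EAPOL_ETHERTYPE)

# EAPOL-Start: version 1, type 0x01, length 0, no body.
EAPOL_START = ETH + bytes.fromhex("01010000")
# EAP-Response/Identity "alice": EAP code 2, id 1, length 4+1+5=10, type 1.
EAP_RESP_IDENTITY = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"
EAPOL_EAP = ETH + struct.pack("!BBH", 1, 0x00, len(EAP_RESP_IDENTITY)) + EAP_RESP_IDENTITY

if __name__ == "__main__":
    for f in (EAPOL_START, EAPOL_EAP):
        print(describe(parse_eapol_frame(f)))
```

The two Length checks are the point of the example: an access device that trusts the EAP Length field and copies that many bytes from a shorter frame reads past the buffer, and an EAPOL-Start with a non-zero body is malformed by definition (Table 1 and the Length description above).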

EAP over RADIUS

RADIUS adds two attributes, EAP-Message and Message-Authenticator, for supporting EAP authentication. For the RADIUS packet format, see "Configuring AAA."

·     EAP-Message.

RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure 7. The Type field takes 79, and the Value field can be up to 253 bytes. If an EAP packet is longer than 253 bytes, RADIUS encapsulates it in multiple EAP-Message attributes.

Figure 7 EAP-Message attribute format

 

·     Message-Authenticator.

As shown in Figure 8, RADIUS includes the Message-Authenticator attribute in every packet that carries an EAP-Message attribute to protect the packet's integrity. The attribute value is an HMAC-MD5 computed over the whole RADIUS packet, keyed with the shared secret between the access device and the RADIUS server (the attribute's own value is set to zeros for the computation). The receiver drops the packet if the HMAC it computes differs from the received value. Because the HMAC is keyed with the shared secret, Message-Authenticator prevents EAP authentication packets from being tampered with or forged in transit by anyone who does not hold that secret.

Figure 8 Message-Authenticator attribute format
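The following is an added example (not code from this guide or from the H3C implementation) that builds the RADIUS side of an EAP relay: it splits an EAP packet longer than 253 bytes across several EAP-Message attributes (type 79, as the text above states), appends Message-Authenticator (type 80 per RFC 3579) computed as HMAC-MD5 over the packet with the shared secret as the key, and verifies it on receipt. The shared secret, the Request Authenticator and the 300-byte EAP-TLS-sized response are constructed for the example; a real access device uses its configured secret and a fresh random Request Authenticator per request.

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
CODE_ACCESS_REQUEST = 1
MAX_ATTR_VALUE = 253  # attribute Length is one byte: 2-byte header + at most 253 value bytes


def encode_attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_message_attrs(eap_packet: bytes) -> bytes:
    """Split one EAP packet into as many EAP-Message attributes as needed, in order."""
    chunks = [eap_packet[i:i + MAX_ATTR_VALUE] for i in range(0, len(eap_packet), MAX_ATTR_VALUE)]
    return b"".join(encode_attr(ATTR_EAP_MESSAGE, c) for c in chunks)


def build_access_request(ident: int, authenticator: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Build an Access-Request and fill in Message-Authenticator (HMAC-MD5 keyed with the secret)."""
    # Append the attribute with a zeroed value, HMAC the complete packet, then patch the value in.
    placeholder = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    body = attrs + placeholder
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + attrs + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attrs(packet: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 20
    while i < len(packet):
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > len(packet):
            raise ValueError("malformed attribute")
        out.append((t, packet[i + 2:i + l]))
        i += l
    return out


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the attribute value zeroed; reject on mismatch or absence."""
    i = 20
    while i + 1 < len(packet):
        t, l = packet[i], packet[i + 1]
        if l < 2:
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            received = packet[i + 2:i + 18]
            zeroed = packet[:i + 2] + bytes(16) + packet[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        i += l
    return False  # an EAP-carrying packet without Message-Authenticator must be dropped


def reassemble_eap(packet: bytes) -> bytes:
    """Concatenate EAP-Message values in order to recover the original EAP packet."""
    return b"".join(v for t, v in parse_attrs(packet) if t == ATTR_EAP_MESSAGE)


# Constructed values for the example.
SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))
# A 300-byte EAP-Response (Code 2, id 7, Length 300, Type 13 = EAP-TLS) that needs two attributes.
BIG_EAP = struct.pack("!BBHB", 2, 7, 300, 13) + bytes(295)


def example() -> bytes:
    attrs = encode_attr(ATTR_USER_NAME, b"alice") + eap_message_attrs(BIG_EAP)
    return build_access_request(7, REQUEST_AUTHENTICATOR, SECRET, attrs)


if __name__ == "__main__":
    pkt = example()
    print("valid:", verify_message_authenticator(pkt, SECRET))
    tampered = pkt[:25] + bytes([pkt[25] ^ 0x01]) + pkt[26:]   # flip one bit of User-Name
    print("tampered:", verify_message_authenticator(tampered, SECRET))
```

Note that the check is keyed: a packet that validates under one secret fails under another, and a packet with the attribute stripped fails outright, which is the behaviour the text above requires of the receiver.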

 

802.1X authentication procedures

802.1X authentication has two methods: EAP relay and EAP termination. Choose the mode according to whether the RADIUS server supports EAP packets (the EAP-Message and Message-Authenticator attributes) and the EAP authentication method used by the client.

EAP relay

Figure 9 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that MD5-Challenge EAP authentication is used.

Figure 9 802.1X authentication procedure in EAP relay mode

 

The following steps describe the 802.1X authentication procedure:

1.     When a user launches the 802.1X client and enters a registered username and password, the 802.1X client sends an EAPOL-Start packet to the access device.

2.     The access device responds with an EAP-Request/Identity packet to ask for the client username.

3.     In response to the EAP-Request/Identity packet, the client sends the username in an EAP-Response/Identity packet to the access device.

4.     The access device relays the EAP-Response/Identity packet in a RADIUS Access-Request packet to the authentication server.

5.     The authentication server uses the identity information in the RADIUS Access-Request to search its user database. If a matching entry is found, the server generates a random challenge and sends it to the access device in an EAP-Request/MD5-Challenge packet carried in a RADIUS Access-Challenge packet.

6.     The access device transmits the EAP-Request/MD5-Challenge packet to the client.

7.     The client computes an MD5 hash over the EAP Identifier, its password, and the received challenge, and sends the hash value in an EAP-Response/MD5-Challenge packet to the access device. The password itself is never sent on the wire.

8.     The access device relays the EAP-Response/MD5-Challenge packet in a RADIUS Access-Request packet to the authentication server.

9.     The authentication server computes the same hash from the password stored in the entry and the challenge it issued at step 5. If the two hash values are identical, the server considers the client valid and sends a RADIUS Access-Accept packet to the access device.

10.     Upon receiving the RADIUS Access-Accept packet, the access device performs the following operations:

a.     Sends an EAP-Success packet to the client.

b.     Sets the controlled port in authorized state.

The client can access the network.

11.     After the client comes online, the access device periodically sends handshake requests to check whether the client is still online, and the client returns a response to each request. If the client fails to respond to a number of consecutive handshake requests (two by default), the access device logs off the client. This handshake mechanism enables timely release of the network resources used by 802.1X users that have abnormally gone offline.

12.     The client can also send an EAPOL-Logoff packet to ask the access device for a logoff.

13.     In response to the EAPOL-Logoff packet, the access device changes the status of the controlled port from authorized to unauthorized. Then, the access device sends an EAP-Failure packet to the client.

EAP termination

Figure 10 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that CHAP authentication is used.

Figure 10 802.1X authentication procedure in EAP termination mode

 

In EAP termination mode, the access device rather than the authentication server generates the MD5 challenge. The client hashes its password with that challenge exactly as in EAP relay, but the access device terminates the EAP exchange there and sends the challenge, the username, and the hash value to the RADIUS server in a standard RADIUS Access-Request packet (the CHAP-Challenge, User-Name, and CHAP-Password attributes). The RADIUS server needs no EAP support to verify the result.
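The following is an added example, not code from this guide or from the H3C implementation, that carries both procedures through in code: steps 5 to 9 of the EAP relay exchange, where the RADIUS server owns the challenge and the access device only relays, and the EAP termination variant, where the access device owns the challenge and re-encodes the client's answer as RADIUS CHAP attributes. The hash in both cases is MD5(Identifier || password || challenge) as defined for CHAP (RFC 1994) and EAP-MD5 (RFC 3748); the CHAP-Password and CHAP-Challenge attribute layout follows RFC 2865. The user database and password are constructed for the example.

```python
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4


def md5_challenge_hash(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP / EAP-MD5 response value: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap_md5(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """EAP Request/Response of type MD5-Challenge: Type-Data = Value-Size(1) Value Name."""
    type_data = bytes([len(value)]) + value + name
    length = 4 + 1 + len(type_data)
    return struct.pack("!BBHB", code, identifier, length, EAP_TYPE_MD5) + type_data


def parse_eap_md5(pkt: bytes) -> Tuple[int, int, bytes, bytes]:
    """Return (code, identifier, value, name); rejects a wrong type or inconsistent length."""
    code, identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if eap_type != EAP_TYPE_MD5 or length != len(pkt):
        raise ValueError("not a well-formed MD5-Challenge packet")
    value_size = pkt[5]
    value = pkt[6:6 + value_size]
    name = pkt[6 + value_size:length]
    return code, identifier, value, name


def client_answer(request: bytes, username: bytes, password: bytes) -> bytes:
    """Step 7: the supplicant hashes its password with the received challenge."""
    _, req_id, challenge, _ = parse_eap_md5(request)
    return build_eap_md5(EAP_RESPONSE, req_id,
                         md5_challenge_hash(req_id, password, challenge), username)


# --- EAP relay: the RADIUS server owns the challenge (steps 5 to 9) ---

def relay_exchange(username: bytes, client_password: bytes, server_db: Dict[bytes, bytes],
                   identifier: int = 2, challenge: Optional[bytes] = None) -> bool:
    challenge = challenge or os.urandom(16)
    # Step 5: the server builds EAP-Request/MD5-Challenge; the access device only relays it.
    request = build_eap_md5(EAP_REQUEST, identifier, challenge)
    response = client_answer(request, username, client_password)
    # Step 9: the server recomputes the hash from the stored password and compares.
    _, resp_id, resp_value, resp_name = parse_eap_md5(response)
    stored = server_db.get(resp_name)
    return stored is not None and resp_value == md5_challenge_hash(resp_id, stored, challenge)


# --- EAP termination: the access device owns the challenge and speaks CHAP to RADIUS ---

def termination_exchange(username: bytes, client_password: bytes, server_db: Dict[bytes, bytes],
                         identifier: int = 2, challenge: Optional[bytes] = None) -> bool:
    challenge = challenge or os.urandom(16)
    # The access device itself issues EAP-Request/MD5-Challenge to the client...
    request = build_eap_md5(EAP_REQUEST, identifier, challenge)
    response = client_answer(request, username, client_password)
    # ...then terminates EAP and re-encodes the answer as standard RADIUS CHAP attributes:
    # CHAP-Password (type 3) = CHAP Ident || 16-byte hash, CHAP-Challenge (type 60) = challenge.
    _, resp_id, resp_value, resp_name = parse_eap_md5(response)
    chap_password = bytes([resp_id]) + resp_value
    chap_challenge = challenge
    # The RADIUS server needs no EAP support at all: it verifies CHAP as for any PPP client.
    stored = server_db.get(resp_name)
    return stored is not None and chap_password[1:] == md5_challenge_hash(
        chap_password[0], stored, chap_challenge)


# Constructed user database; a real server looks the password up in its own backend.
USER_DB = {b"alice": b"correct horse battery staple"}

if __name__ == "__main__":
    print("relay, good password:      ", relay_exchange(b"alice", USER_DB[b"alice"], USER_DB))
    print("relay, wrong password:     ", relay_exchange(b"alice", b"wrong", USER_DB))
    print("termination, good password:", termination_exchange(b"alice", USER_DB[b"alice"], USER_DB))
```

Two things the code makes visible that the figures do not: the RADIUS server must hold the password in a form it can feed into MD5 (a cleartext or reversibly stored password), and nothing in MD5-Challenge authenticates the server to the client, which is why the relay mode's support for EAP-TLS or PEAP is the benefit listed in the comparison table above.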

802.1X authentication initiation

Both the 802.1X client and the access device can initiate 802.1X authentication.

802.1X client as the initiator

The client sends an EAPOL-Start packet to the access device to initiate 802.1X authentication. The destination MAC address of the packet is the IEEE 802.1X specified multicast address 01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client that can send broadcast EAPOL-Start packets. For example, you can use the iNode 802.1X client.

Access device as the initiator

If the client cannot send EAPOL-Start packets (for example, the 802.1X client available with Windows XP), configure the access device to initiate authentication.

The access device supports the following modes:

·     Multicast trigger mode—The access device multicasts EAP-Request/Identity packets to initiate 802.1X authentication at the identity request interval.

·     Unicast trigger mode—Upon receiving a frame from an unknown MAC address, the access device sends an EAP-Request/Identity packet out of the receiving port to the MAC address. The device retransmits the packet if no response has been received within the identity request timeout interval. This process continues until the maximum number of request attempts set by using the dot1x retry command is reached.

The username request timeout timer sets both the identity request interval for the multicast trigger and the identity request timeout interval for the unicast trigger.

Access control methods

The device implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control.

·     Port-based access control—Once an 802.1X user passes authentication on a port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.

·     MAC-based access control—Each user is separately authenticated on a port. When a user logs off, no other online users are affected.

802.1X VLAN manipulation

Authorization VLAN

The authorization VLAN controls the access of an 802.1X user to authorized network resources. The device supports authorization VLANs assigned locally or by a remote server.

 

IMPORTANT:

Only remote servers can assign tagged authorization VLANs.

Remote VLAN authorization

In remote VLAN authorization, you must configure an authorization VLAN for a user on the remote server. After the user authenticates to the server, the server assigns authorization VLAN information to the device. Then, the device assigns the user access port to the authorization VLAN as a tagged or untagged member.

The device supports assignment of the following authorization VLAN information by the remote server:

·     VLAN ID.

·     VLAN name, which must be the same as the VLAN description on the access device.

·     A string of VLAN IDs and VLAN names.

In the string, some VLANs are represented by their IDs, and some VLANs are represented by their names.

·     VLAN group name.

For more information about VLAN groups, see Layer 2—LAN Switching Configuration Guide.

·     VLAN ID with a suffix of t or u.

The t and u suffixes require the device to assign the access port to the VLAN as a tagged or untagged member, respectively. For example, 2u indicates assigning the port to VLAN 2 as an untagged member.

If a VLAN name or VLAN group name is assigned, the device converts the information into a VLAN ID before VLAN assignment.

 

IMPORTANT:

For a VLAN represented by its VLAN name to be assigned successfully, you must make sure the VLAN has been created on the device.

To assign VLAN IDs with suffixes, make sure the user access port is a hybrid or trunk port that performs port-based access control.

To ensure a successful assignment, the authorization VLANs assigned by the remote server cannot be any of the following types:

·     Dynamically learned VLANs.

·     Reserved VLANs.

·     Super VLANs.

·     Private VLANs.

If the server assigns a group of VLANs, the access device selects a VLAN as described in Table 2.

Table 2 Authorization VLAN selection from a group of VLANs

VLAN information: VLANs by IDs, VLANs by names, or a VLAN group name

Authorization VLAN selection:

If the 802.1X-enabled port performs MAC-based access control, the device selects an authorization VLAN from the VLAN group for a user according to the following rules:

·     On a hybrid port with MAC-based VLAN enabled:

-     If the port does not have online users, the device selects the VLAN with the lowest ID.

-     If the port has online users, the device selects the VLAN that has the fewest online users. If two VLANs have the same number of online 802.1X users, the device selects the VLAN with the lower ID.

·     On an access port, a trunk port, or a hybrid port with MAC-based VLAN disabled:

-     If the port does not have online users, the device selects the VLAN with the lowest ID.

-     If the port has online users, the device examines the VLAN group for the VLAN of the online users. If the VLAN is found, it is assigned to the user as the authorization VLAN. If the VLAN is not found, VLAN authorization fails.

If the 802.1X-enabled port performs port-based access control, the device selects the VLAN with the lowest ID from the VLAN group. All subsequent 802.1X users are assigned to that VLAN.

VLAN information: VLAN IDs with suffixes

Authorization VLAN selection:

1.     The device takes the leftmost VLAN ID that either has no suffix or has the u suffix as the untagged VLAN. All other VLAN IDs in the string are tagged VLANs.

2.     The device assigns the untagged VLAN to the port as the PVID and assigns the remaining VLANs as tagged VLANs. If the string contains no untagged VLAN, the PVID of the port does not change. The port permits traffic from these tagged and untagged VLANs to pass through.

For example, the authentication server sends the string 1u 2t 3 to the access device for a user. The device assigns VLAN 1 as the untagged VLAN and all remaining VLANs as tagged VLANs, including VLAN 3, which has no suffix but is not the leftmost such ID. VLAN 1 becomes the PVID.
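The selection rules in Table 2 and the suffix rule above are small enough to state as code. The following is an added example, not code from this guide or from the H3C implementation; the Port class and its fields are an assumption made to model the link type, the MAC-based VLAN setting, the access control method and the online users of a port, and the MAC addresses and VLAN groups in the usage lines are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_suffixed_vlans(assignment: str) -> Tuple[Optional[int], List[int]]:
    """Interpret a server-issued string such as "1u 2t 3".

    Returns (untagged_vlan, tagged_vlans). The untagged VLAN is the leftmost ID that has
    no suffix or a 'u' suffix; every other ID becomes a tagged VLAN. If no ID qualifies,
    the PVID stays unchanged (None).
    """
    untagged: Optional[int] = None
    tagged: List[int] = []
    for token in assignment.split():
        suffix = token[-1] if token[-1] in "tu" else ""
        vid = int(token[:-1] if suffix else token)
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID out of range: {token}")
        if suffix != "t" and untagged is None:
            untagged = vid
        elif vid != untagged:
            tagged.append(vid)
    return untagged, tagged


@dataclass
class Port:
    link_type: str                 # "access", "trunk" or "hybrid"
    mac_based_vlan: bool = False   # only meaningful on a hybrid port
    access_control: str = "mac"    # "mac" or "port"
    online_users: Dict[str, int] = field(default_factory=dict)  # user MAC -> VLAN ID


def select_from_group(port: Port, group: List[int]) -> Optional[int]:
    """Pick one authorization VLAN from a server-issued group per Table 2. None = failure."""
    if not group:
        return None
    if port.access_control == "port":
        return min(group)          # the first user decides; later users share that VLAN
    if port.link_type == "hybrid" and port.mac_based_vlan:
        if not port.online_users:
            return min(group)
        load = {v: sum(1 for u in port.online_users.values() if u == v) for v in group}
        return min(group, key=lambda v: (load[v], v))   # fewest users, then lower ID
    # access, trunk, or hybrid without MAC-based VLAN: all users must share one VLAN
    if not port.online_users:
        return min(group)
    current = set(port.online_users.values())
    candidates = [v for v in group if v in current]
    return min(candidates) if candidates else None


def authorize(port: Port, mac: str, group: List[int]) -> Optional[int]:
    """Select a VLAN for a user and, on success, record the user as online in it."""
    vid = select_from_group(port, group)
    if vid is not None:
        port.online_users[mac] = vid
    return vid


if __name__ == "__main__":
    print(parse_suffixed_vlans("1u 2t 3"))      # (1, [2, 3]): VLAN 1 untagged and PVID
    print(parse_suffixed_vlans("10t 20t"))      # (None, [10, 20]): PVID unchanged
    hybrid = Port("hybrid", mac_based_vlan=True)
    for mac in ("00-11-22-33-44-01", "00-11-22-33-44-02", "00-11-22-33-44-03"):
        print(mac, "->", authorize(hybrid, mac, [30, 10, 20]))   # 10, then 20, then 30
    trunk = Port("trunk")
    print(authorize(trunk, "00-11-22-33-44-04", [10, 20]))       # 10
    print(authorize(trunk, "00-11-22-33-44-05", [20, 30]))       # None: 10 not in group
```

The trunk case shows the failure mode that matters operationally: once the first user on a trunk or MAC-based-VLAN-disabled hybrid port lands in VLAN 10, a later user whose group does not contain VLAN 10 fails VLAN authorization, exactly as the second rule for those ports states.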

Local VLAN authorization

To perform local VLAN authorization for a user, specify the VLAN ID in the authorization attribute list of the local user account for that user. For each local user, you can specify only one authorization VLAN ID. The user access port is assigned to the VLAN as an untagged member.

 

IMPORTANT:

Local VLAN authorization does not support assignment of tagged VLANs.

For more information about local user configuration, see "Configuring AAA."

Authorization VLAN manipulation on an 802.1X-enabled port

Table 3 describes how the access device handles VLANs (except for the VLANs specified with suffixes) on an 802.1X-enabled port.

Table 3 VLAN manipulation

Port access control method: Port-based

VLAN manipulation:

The device assigns the port to the first authenticated user's authorization VLAN. All subsequent 802.1X users can access the VLAN without authentication.

If the authorization VLAN has the untagged attribute, the device assigns the port to the authorization VLAN as an untagged member and sets the VLAN as the PVID.

If the authorization VLAN has the tagged attribute, the device assigns the port to the VLAN as a tagged member without changing the PVID.

NOTE:

The tagged attribute is supported only on trunk and hybrid ports.

Port access control method: MAC-based

VLAN manipulation:

On a hybrid port with MAC-based VLAN enabled, the device maps the MAC address of each user to its own authorization VLAN. The PVID of the port does not change.

On an access port, a trunk port, or a hybrid port with MAC-based VLAN disabled:

·     The device assigns the port to the first authenticated user's authorization VLAN and sets the VLAN as the PVID if that authorization VLAN has the untagged attribute.

·     If the authorization VLAN has the tagged attribute, the device assigns the port to the authorization VLAN without changing its PVID.

 

IMPORTANT:

·     If the users are attached to a port whose link type is access, make sure the authorization VLAN assigned by the server has the untagged attribute. VLAN assignment will fail if the server issues a VLAN that has the tagged attribute.

·     When you assign VLANs to users attached to a trunk port or a MAC-based VLAN disabled hybrid port, make sure there is only one untagged VLAN. If a different untagged VLAN is assigned to a subsequent user, the user cannot pass authentication.

·     As a best practice to enhance network security, do not use the port hybrid vlan command to assign a hybrid port to an authorization VLAN as a tagged member.

 

The VLAN assigned by the server to a user as an authorization VLAN might have been configured on the user access port but with a different tagging mode. For example, the server assigns an authorization VLAN with a tagged attribute, but the same VLAN configured on the port has an untagged attribute. In this situation, the VLAN settings that take effect on the user depend on the link type of the port.

·     If the link type of the port is access or trunk, the authorization VLAN settings assigned by the server always take effect on the user as long as the user is online. After the user goes offline, the VLAN settings on the port take effect.

·     If the link type of the port is hybrid, the VLAN settings configured on the port take effect. For example, the server assigns VLAN 30 with an untagged attribute to a user on the hybrid port, but VLAN 30 has already been configured on the port with a tagged attribute by using the port hybrid vlan tagged command. As a result, the VLAN keeps the tagged attribute on the port.

For an 802.1X authenticated user to access the network on a hybrid port when no authorization VLAN is configured for the user, perform one of the following tasks:

·     If the port receives tagged authentication packets from the user in a VLAN, use the port hybrid vlan command to configure the port as a tagged member in the VLAN.

·     If the port receives untagged authentication packets from the user in a VLAN, use the port hybrid vlan command to configure the port as an untagged member in the VLAN.

On a port with periodic online user reauthentication enabled, the MAC-based VLAN feature does not take effect on a user that has been online since before this feature was enabled. The access device creates a MAC-to-VLAN mapping for the user when the following requirements are met:

·     The user passes reauthentication.

·     The authorization VLAN for the user is changed.

For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN Switching Configuration Guide.

Guest VLAN

The 802.1X guest VLAN on a port accommodates users that have not performed 802.1X authentication. Users in the guest VLAN can access a limited set of network resources, such as a software server, to download antivirus software and system patches. Once a user in the guest VLAN passes 802.1X authentication, it is removed from the guest VLAN and can access authorized network resources.

The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control method.

Port-based access control

Authentication status: A user accesses the 802.1X-enabled port when the port is in auto state.

VLAN manipulation: The device assigns the port to the 802.1X guest VLAN. All 802.1X users on this port can access only resources in the guest VLAN. The guest VLAN assignment varies by port link mode. For more information, see Table 3 in "Authorization VLAN."

Authentication status: A user in the 802.1X guest VLAN fails 802.1X authentication.

VLAN manipulation: If an 802.1X Auth-Fail VLAN is available, the device assigns the port to the Auth-Fail VLAN. All users on this port can access only resources in the Auth-Fail VLAN. If no Auth-Fail VLAN is configured, the port stays in the 802.1X guest VLAN, and all users on the port remain in the guest VLAN. For information about the 802.1X Auth-Fail VLAN, see "Auth-Fail VLAN."

Authentication status: A user in the 802.1X guest VLAN passes 802.1X authentication.

VLAN manipulation: The device removes the port from the 802.1X guest VLAN and assigns the port to the authorization VLAN of the user. If the authentication server does not assign an authorization VLAN, the initial PVID of the port applies, and the user and all subsequent 802.1X users are assigned to the initial port VLAN. After the user logs off, the port is assigned to the guest VLAN again.

NOTE:

The initial PVID of an 802.1X-enabled port refers to the PVID used by the port before the port is assigned to any 802.1X VLANs.

 

IMPORTANT:

When the port receives a packet with a VLAN tag, the packet will be forwarded within the tagged VLAN if the VLAN is not the guest VLAN.

MAC-based access control

Authentication status: A user accesses the 802.1X-enabled port and has not performed 802.1X authentication.

VLAN manipulation: The device creates a mapping between the MAC address of the user and the 802.1X guest VLAN. The user can access only resources in the guest VLAN.

Authentication status: A user in the 802.1X guest VLAN fails 802.1X authentication.

VLAN manipulation: If an 802.1X Auth-Fail VLAN is available, the device remaps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN. If no 802.1X Auth-Fail VLAN is configured, the user is removed from the guest VLAN and added to the initial PVID.

Authentication status: A user in the 802.1X guest VLAN passes 802.1X authentication.

VLAN manipulation: The device remaps the MAC address of the user to the authorization VLAN. If the authentication server does not assign an authorization VLAN, the device remaps the MAC address of the user to the initial PVID on the port.

Auth-Fail VLAN

The 802.1X Auth-Fail VLAN on a port accommodates users that have failed 802.1X authentication because they do not comply with the organization's security policy, for example, users that have entered a wrong password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download antivirus software and system patches.

The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control method.

Port-based access control

Authentication status: A user accesses the port and fails 802.1X authentication.

VLAN manipulation: The device assigns the port to the Auth-Fail VLAN. All 802.1X users on this port can access only resources in the Auth-Fail VLAN. The Auth-Fail VLAN assignment varies by port link mode. For more information, see Table 3 in "Authorization VLAN."

Authentication status: A user in the 802.1X Auth-Fail VLAN fails 802.1X authentication.

VLAN manipulation: The port stays in the Auth-Fail VLAN, and all 802.1X users on this port remain in this VLAN.

Authentication status: A user in the 802.1X Auth-Fail VLAN passes 802.1X authentication.

VLAN manipulation: The device assigns the port to the authorization VLAN of the user and removes the port from the Auth-Fail VLAN. If the authentication server does not assign an authorization VLAN, the initial PVID of the port applies, and the user and all subsequent 802.1X users are assigned to the initial PVID. After the user logs off, the port is assigned to the guest VLAN. If no guest VLAN is configured, the port is assigned to the initial PVID of the port.

MAC-based access control

Authentication status: A user accesses the port and fails 802.1X authentication.

VLAN manipulation: The device maps the MAC address of the user to the 802.1X Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN.

Authentication status: A user in the 802.1X Auth-Fail VLAN fails 802.1X authentication.

VLAN manipulation: The user stays in the Auth-Fail VLAN.

Authentication status: A user in the 802.1X Auth-Fail VLAN passes 802.1X authentication.

VLAN manipulation: The device remaps the MAC address of the user to the authorization VLAN. If the authentication server does not assign an authorization VLAN, the device remaps the MAC address of the user to the initial PVID on the port.

Critical VLAN

The 802.1X critical VLAN on a port accommodates 802.1X users that have failed authentication because none of the RADIUS servers in their ISP domain are reachable. Users in the critical VLAN can access a limited set of network resources depending on the configuration.

The critical VLAN feature takes effect when 802.1X authentication is performed only through RADIUS servers. If an 802.1X user fails local authentication after RADIUS authentication, the user is not assigned to the critical VLAN. For more information about the authentication methods, see "Configuring AAA."

The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control method.

Port-based access control

Authentication status: A user accesses the port and fails 802.1X authentication because all the RADIUS servers are unreachable.

VLAN manipulation: The device assigns the port to the critical VLAN. The 802.1X user and all subsequent 802.1X users on this port can access only resources in the 802.1X critical VLAN. The critical VLAN assignment varies by port link mode. For more information, see Table 3 in "Authorization VLAN."

Authentication status: A user in the 802.1X critical VLAN fails authentication because all the RADIUS servers are unreachable.

VLAN manipulation: The port stays in the critical VLAN.

Authentication status: A user in the 802.1X critical VLAN fails authentication for any reason other than unreachable servers.

VLAN manipulation: If an 802.1X Auth-Fail VLAN has been configured, the port is assigned to the Auth-Fail VLAN. If no 802.1X Auth-Fail VLAN is configured, the port is assigned to the initial PVID of the port.

Authentication status: A user in the 802.1X critical VLAN passes 802.1X authentication.

VLAN manipulation: The device assigns the port to the authorization VLAN of the user and removes the port from the 802.1X critical VLAN. If the authentication server does not assign an authorization VLAN, the initial PVID of the port applies, and the user and all subsequent 802.1X users are assigned to this port VLAN. After the user logs off, the port is assigned to the guest VLAN. If no 802.1X guest VLAN is configured, the initial PVID of the port is restored.

Authentication status: A user in the 802.1X guest VLAN fails authentication because all the RADIUS servers are unreachable.

VLAN manipulation: The device assigns the port to the 802.1X critical VLAN, and all 802.1X users on this port are in this VLAN.

Authentication status: A user in the 802.1X Auth-Fail VLAN fails authentication because all the RADIUS servers are unreachable.

VLAN manipulation: The port stays in the 802.1X Auth-Fail VLAN. All 802.1X users on this port can access only resources in the 802.1X Auth-Fail VLAN.

Authentication status: A user that has passed authentication fails reauthentication because all the RADIUS servers are unreachable, and the user is logged out of the device.

VLAN manipulation: The device assigns the port to the 802.1X critical VLAN.

If the port is added to the critical VLAN because no RADIUS servers are reachable, the device performs the following operations after it detects a reachable RADIUS server:

1.     Removes the port from the critical VLAN.

2.     Sends a multicast EAP-Request/Identity message out of the port to trigger authentication.

MAC-based access control

Authentication status: A user accesses the port and fails 802.1X authentication because all the RADIUS servers are unreachable.

VLAN manipulation: The device maps the MAC address of the user to the 802.1X critical VLAN. The user can access only resources in the 802.1X critical VLAN.

Authentication status: A user in the 802.1X critical VLAN fails authentication because all the RADIUS servers are unreachable.

VLAN manipulation: The user stays in the critical VLAN.

Authentication status: A user in the 802.1X critical VLAN fails 802.1X authentication for any reason other than unreachable servers.

VLAN manipulation: If an 802.1X Auth-Fail VLAN is configured, the device remaps the MAC address of the user to the Auth-Fail VLAN. If no 802.1X Auth-Fail VLAN is configured, the device remaps the MAC address of the user to the initial PVID of the port.

Authentication status: A user in the 802.1X critical VLAN passes 802.1X authentication.

VLAN manipulation: The device remaps the MAC address of the user to the authorization VLAN. If the authentication server does not assign an authorization VLAN to the user, the device remaps the MAC address of the user to the initial PVID of the port.

Authentication status: A user in the 802.1X guest VLAN fails authentication because all the RADIUS servers are unreachable.

VLAN manipulation: The device remaps the MAC address of the user to the 802.1X critical VLAN. The user can access only resources in the 802.1X critical VLAN.

Authentication status: A user in the 802.1X Auth-Fail VLAN fails authentication because all the RADIUS servers are unreachable.

VLAN manipulation: The user stays in the 802.1X Auth-Fail VLAN.

If a user is added to the critical VLAN because no RADIUS servers are reachable, the device performs the following operations after it detects a reachable RADIUS server:

1.     Removes the user from the critical VLAN.

2.     Sends a unicast EAP-Request/Identity message out of the port to the user for reauthentication.

Critical voice VLAN

The 802.1X critical voice VLAN on a port accommodates 802.1X voice users that have failed authentication because none of the RADIUS servers in their ISP domain are reachable.

The critical voice VLAN feature takes effect only when the ISP domain authenticates 802.1X voice users through RADIUS servers alone. If the domain falls back to local authentication when RADIUS authentication cannot be completed, and the voice user then fails local authentication, the voice user is not assigned to the critical voice VLAN. For more information about the authentication methods, see "Configuring AAA."

When a reachable RADIUS server is detected, the device performs operations on a port based on its 802.1X access control method.

Port-based access control

When a reachable RADIUS server is detected, the device removes the port from the critical voice VLAN. The port sends a multicast EAP-Request/Identity packet to all 802.1X voice users on the port to trigger authentication.

MAC-based access control

When a reachable RADIUS server is detected, the device removes 802.1X voice users from the critical voice VLAN. The port sends a unicast EAP-Request/Identity packet to each 802.1X voice user that was assigned to the critical voice VLAN to trigger authentication.

802.1X VSI manipulation

IMPORTANT:

This feature is supported only on 802.1X-enabled ports that perform MAC-based access control.

802.1X support for VXLANs

As shown in Figure 11, when the device acts as both a VXLAN VTEP and a NAS, a user's service cannot be identified by VLAN alone, because the service is carried in a VXLAN. To resolve this issue, you must configure the RADIUS server to assign VSIs to authenticated 802.1X users. The NAS then maps a user's traffic to the VXLAN associated with the user's authorization VSI. The mapping criteria include the user's access VLAN, access port, and MAC address. The MAC address is used only when the access port performs MAC-based access control.

For information about VSIs and VXLANs, see VXLAN Configuration Guide.

Figure 11 VXLAN network diagram for 802.1X authentication


Authorization VSI

An authorization VSI is associated with a VXLAN that has network resources inaccessible to unauthenticated users.

802.1X supports remote VSI authorization. When a user passes remote 802.1X authentication, the remote server assigns the authorization VSI information of the user to the user's access port. Upon receiving the authorization VSI information, the VTEP performs the following operations:

·     Dynamically creates an Ethernet service instance based on the user's access port, VLAN, and MAC address.

·     Maps the Ethernet service instance to the authorization VSI.

The user then can access resources in the VXLAN associated with the authorization VSI.

If the VTEP does not receive authorization VSI information for the user from the remote server, the user cannot access resources in any VXLAN after passing authentication.

For information about dynamic creation of Ethernet service instances, see VXLAN Configuration Guide.

Guest VSI

The 802.1X guest VSI on a port accommodates users that have not performed 802.1X authentication. You can deploy a limited set of network resources in the VXLAN that is associated with the guest VSI. For example, deploy a software server for users to download anti-virus software and system patches. Once a user in the guest VSI passes 802.1X authentication, the user is removed from the guest VSI and can access authorized network resources.

The access device handles VSIs on an 802.1X-enabled port, as shown in Table 4:

Table 4 VSI manipulation when a guest VSI is configured

Authentication status: A user accesses the port and has not performed 802.1X authentication.

VSI manipulation: The VTEP maps the user's MAC address and access VLAN to the 802.1X guest VSI on the port. The user can access only resources in the VXLAN associated with the guest VSI.

Authentication status: A user in the 802.1X guest VSI fails 802.1X authentication.

VSI manipulation: If an 802.1X Auth-Fail VSI is available on the port, the VTEP remaps the user's MAC address and access VLAN to the Auth-Fail VSI. The user can access only resources in the VXLAN associated with the Auth-Fail VSI. If no 802.1X Auth-Fail VSI is configured on the port, the user is removed from the 802.1X guest VSI.

Authentication status: A user in the 802.1X guest VSI passes 802.1X authentication.

VSI manipulation: The VTEP removes the user from the 802.1X guest VSI and remaps the user's MAC address and access VLAN to the authorization VSI.

Auth-Fail VSI

The 802.1X Auth-Fail VSI on a port accommodates users that have failed 802.1X authentication for a reason other than unreachable servers, such as entering a wrong password or otherwise failing to comply with the organization's security policy. Users in the Auth-Fail VSI can access a limited set of network resources in the VXLAN associated with this VSI. For example, you can deploy a software server in that VXLAN for users to download antivirus software and system patches.

The access device handles VSIs on an 802.1X-enabled port, as shown in Table 5:

Table 5 VSI manipulation when an Auth-Fail VSI is configured

Authentication status: A user accesses the port and fails 802.1X authentication.

VSI manipulation: The VTEP maps the user's MAC address and access VLAN to the 802.1X Auth-Fail VSI on the port. The user can access only resources in the VXLAN associated with the Auth-Fail VSI.

Authentication status: A user in the 802.1X Auth-Fail VSI fails 802.1X authentication for any reason other than unreachable servers.

VSI manipulation: The user stays in the Auth-Fail VSI.

Authentication status: A user in the 802.1X Auth-Fail VSI passes 802.1X authentication.

VSI manipulation: The VTEP removes the user from the 802.1X Auth-Fail VSI and remaps the user's MAC address and access VLAN to the authorization VSI.

Critical VSI

The 802.1X critical VSI on a port accommodates 802.1X users that have failed authentication because none of the RADIUS servers in their ISP domain are reachable. Users in the critical VSI can access a limited set of network resources in the VXLAN associated with this VSI.

The critical VSI feature takes effect only when the ISP domain authenticates 802.1X users through RADIUS servers alone. If the domain falls back to local authentication when RADIUS authentication cannot be completed, and the user then fails local authentication, the user is not assigned to the critical VSI. For more information about the authentication methods, see "Configuring AAA."

The access device handles VSIs on an 802.1X-enabled port, as shown in Table 6:

Table 6 VSI manipulation when a critical VSI is configured

Authentication status: A user accesses the port and fails 802.1X authentication because all the RADIUS servers are unreachable.

VSI manipulation: The VTEP maps the user's MAC address and access VLAN to the 802.1X critical VSI on the port. The user can access only resources in the VXLAN associated with the critical VSI.

Authentication status: A user in the 802.1X critical VSI fails authentication because all the RADIUS servers are unreachable.

VSI manipulation: The user stays in the critical VSI.

Authentication status: A user in the 802.1X critical VSI fails 802.1X authentication for any reason other than unreachable servers.

VSI manipulation: If an 802.1X Auth-Fail VSI is configured on the port, the VTEP remaps the user's MAC address and access VLAN to the Auth-Fail VSI. If no 802.1X Auth-Fail VSI is configured on the port, the VTEP logs off the user.

Authentication status: A user in the 802.1X critical VSI passes 802.1X authentication.

VSI manipulation: The VTEP remaps the user's MAC address and access VLAN to the authorization VSI.

Authentication status: A user in the 802.1X guest VSI fails authentication because all the RADIUS servers are unreachable.

VSI manipulation: The VTEP maps the user's MAC address and access VLAN to the 802.1X critical VSI on the port. The user can access only resources in the VXLAN associated with the critical VSI.

Authentication status: A user in the 802.1X Auth-Fail VSI fails authentication because all the RADIUS servers are unreachable.

VSI manipulation: The user stays in the 802.1X Auth-Fail VSI.

ACL assignment

You can specify an authorization ACL for an 802.1X user on a remote server or the access device to control the user's access to network resources. After the user passes 802.1X authentication, the server or access device assigns the authorization ACL to the user access port. Then, the port permits or drops the matching traffic for the user depending on the rules in the ACL.

The device supports assignment of static and dynamic authorization ACLs.

·     Assignment of static authorization ACLs—Static ACLs can be assigned by a RADIUS server or the access device. When the server or access device assigns a static ACL to a user, it assigns only the ACL number. You must manually create the ACL and configure its rules on the access device.

To change the access permissions of a user, you can use one of the following methods:

¡     Modify ACL rules in the authorization ACL on the access device.

¡     Assign another ACL to the user as the authorization ACL from the RADIUS server or the access device.

Static ACLs and their rules can be manually deleted from the access device.

·     Assignment of dynamic authorization ACLs—Dynamic ACLs and their rules are deployed by a RADIUS server and cannot be configured on the access device. Dynamic ACLs can only be named ACLs. After the device receives a server-deployed dynamic ACL and its rules, it automatically creates the ACL and configures its rules.

If the dynamic ACL assigned by the server to a user has the same name as a static ACL on the device, the dynamic ACL cannot be deployed and the user cannot come online.

A dynamic ACL and its rules are automatically deleted from the access device after all its users go offline.

Dynamic ACLs and their rules cannot be manually modified or deleted on the access device. To display information about dynamic ACLs and their rules, use the display dot1x connection or display acl command.

IMPORTANT:

The supported authorization ACLs include the following types:

·     Basic ACLs, which are numbered in the range of 2000 to 2999.

·     Advanced ACLs, which are numbered in the range of 3000 to 3999.

For an authorization ACL to take effect, make sure the ACL exists with rules and none of the rules contains the counting, established, fragment, or logging keyword.

For more information about ACLs, see ACL and QoS Configuration Guide.
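As an added example that is not part of this guide, the following configuration creates a static authorization ACL that meets the restrictions above, next to a rule that would keep the ACL from being applied. The ACL number 3001, the addresses and the port number are assumed values. How the RADIUS server carries the ACL number to the device depends on the server and is described in "Configuring AAA"; it is not shown here.

```text
# Static authorization ACL (assumed number 3001) referenced by the server.
# Every rule avoids the counting, established, fragment and logging keywords,
# so the device can apply the ACL to the authenticated user's port.
<Sysname> system-view
[Sysname] acl advanced 3001
[Sysname-acl-ipv4-adv-3001] rule 0 permit ip destination 10.1.1.0 0.0.0.255
[Sysname-acl-ipv4-adv-3001] rule 5 deny ip destination 10.0.0.0 0.255.255.255
[Sysname-acl-ipv4-adv-3001] rule 10 permit ip
[Sysname-acl-ipv4-adv-3001] quit

# A rule such as the following would keep the whole ACL from taking effect as
# an authorization ACL, because it carries the logging keyword:
#   rule 15 deny tcp destination-port eq 23 logging
# Write the rule without the keyword instead:
[Sysname] acl advanced 3001
[Sysname-acl-ipv4-adv-3001] rule 15 deny tcp destination-port eq 23
[Sysname-acl-ipv4-adv-3001] quit

# Verify that the ACL exists and has rules before the server refers to it;
# an ACL without rules does not take effect either.
[Sysname] display acl 3001

# Do not give a static ACL the name of a dynamic ACL the server deploys;
# the name clash blocks the dynamic ACL and keeps the user offline.
# Server-deployed dynamic ACLs can be inspected with:
[Sysname] display dot1x connection
```

Changing the rules of ACL 3001 on the device changes the permissions of every online user the server has bound to it, without a new authentication; assigning a different ACL number from the server is the other option the text describes.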

User profile assignment

You can specify a user profile for an 802.1X user on the authentication server to control the user's access to network resources. After the user passes 802.1X authentication, the authentication server assigns the user profile to the user for filtering traffic.

The authentication server can be the local access device or a RADIUS server. In either case, the server only specifies the user profile name. You must configure the user profile on the access device.

To change the user's access permissions, you can use one of the following methods:

·     Modify the user profile configuration on the access device.

·     Specify another user profile for the user on the authentication server.

For more information about user profiles, see "Configuring user profiles."

Redirect URL assignment

The device supports the URL attribute assigned by a RADIUS server when the 802.1X-enabled port performs MAC-based access control and the port authorization state is auto. During authentication, the HTTP or HTTPS requests of an 802.1X user are redirected to the Web interface specified by the server-assigned URL attribute. After the user passes Web authentication, the RADIUS server records the MAC address of the user and sends a DM (Disconnect Message) to log the user off. When the user initiates 802.1X authentication again, the user passes authentication and comes online.

This feature is mutually exclusive with the EAD assistant feature.

By default, the device listens to port 6654 for HTTPS requests to be redirected. To change the redirect listening port number, see configuring HTTP redirect in Layer 3—IP Services Configuration Guide.

CAR attribute assignment

The device can use the CAR attributes assigned through RADIUS extended attributes to control the access rates of authenticated online 802.1X users. For information about extended RADIUS attributes, see "Configuring AAA."

The following CAR attributes are available:

·     Input-Peak-Rate—Peak rate of inbound traffic in bps.

·     Input-Average-Rate—Average rate of inbound traffic in bps.

·     Output-Peak-Rate—Peak rate of outbound traffic in bps.

·     Output-Average-Rate—Average rate of outbound traffic in bps.

If the server assigns CAR attributes for controlling both the peak and average rates, the device implements double-rate traffic policing on user traffic. If the server does not assign the Input-Peak-Rate or Output-Peak-Rate attribute, the device implements single-rate traffic policing on user traffic. For more information about traffic policing, see QoS configuration in ACL and QoS Configuration Guide.

Periodic 802.1X reauthentication

Periodic 802.1X reauthentication tracks the connection status of online users and updates the authorization attributes (such as ACL and VLAN) assigned by the server.

When periodic online user reauthentication is enabled, the device reauthenticates online 802.1X users at the periodic reauthentication interval. The interval is controlled by a user-configurable timer. A change to the periodic reauthentication timer takes effect on an online user only after the user's current timer expires and the user passes reauthentication.

The server-assigned session timeout timer (Session-Timeout attribute) and termination action (Termination-Action attribute) together can affect the periodic online user reauthentication feature. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display dot1x connection command (see Security Command Reference).

·     If the termination action is Default (logoff), periodic online user reauthentication on the device takes effect only when the periodic reauthentication timer is shorter than the session timeout timer.

·     If the termination action is Radius-request, the periodic online user reauthentication settings on the device do not take effect. The device reauthenticates the online 802.1X users after the session timeout timer expires.

If no session timeout timer is assigned by the server, whether the device performs periodic 802.1X reauthentication depends on the periodic reauthentication configuration on the device. Support for the assignment of Session-Timeout and Termination-Action attributes depends on the server model.

With the RADIUS DAS feature enabled, the device immediately reauthenticates a user upon receiving a CoA message that carries the reauthentication attribute from a RADIUS authentication server. In this case, reauthentication will be performed regardless of whether 802.1X periodic reauthentication is enabled on the device. For more information about RADIUS DAS configuration, see "Configuring AAA."

By default, the device logs off online 802.1X users if no server is reachable for 802.1X reauthentication. The keep-online feature keeps authenticated 802.1X users online when no server is reachable for 802.1X reauthentication.

The VLANs assigned to an online user before and after reauthentication can be the same or different.

EAD assistant

Endpoint Admission Defense (EAD) is an integrated endpoint access control solution that improves a network's ability to defend against threats. The solution enables the security client, security policy server, access device, and third-party server to operate together. A terminal device that seeks to access an EAD network must have an EAD client, which performs 802.1X authentication.

The EAD assistant feature enables the access device to redirect the HTTP or HTTPS requests of a user to a redirect URL for downloading and installing an EAD client. This feature eliminates the administrative task to deploy EAD clients.

EAD assistant is implemented by the following functionality:

·     Free IP.

A free IP is a freely accessible network segment that holds a limited set of network resources, such as software and DHCP servers. Until a user has been authenticated, the user can access only this segment, for example to download the EAD client from a software server or to obtain a dynamic IP address from a DHCP server.

·     Redirect URL.

If an unauthenticated 802.1X user is using a Web browser to access the network, EAD assistant redirects the network access requests of the user to a specific URL. For example, you can use this feature to redirect the user to the EAD client software download page.

The EAD assistant feature creates an ACL-based EAD rule automatically to open access to the redirect URL for each redirected user.

EAD rules are implemented by using ACL resources. When the EAD rule timer expires or the user passes authentication, the rule is removed. If users fail to download EAD client or fail to pass authentication before the timer expires, they must reconnect to the network to access the free IP.


Configuring 802.1X

Restrictions and guidelines: 802.1X configuration

You can configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network (a WLAN, for example) that requires different authentication methods for different users on a port. For more information about the port security feature, see "Configuring port security."

When you configure 802.1X settings on an interface, follow these restrictions and guidelines:

·     802.1X is supported only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.

·     If you add a Layer 2 Ethernet interface to an aggregation group, the 802.1X settings configured on it will not take effect until it is removed from the aggregation group.

·     Do not delete a Layer 2 aggregate interface if the interface has online 802.1X users.

·     Do not change the link type of a port when the 802.1X guest VLAN, Auth-Fail VLAN, or critical VLAN on the port has users.

When you configure 802.1X VLANs or VSIs, follow these restrictions and guidelines:

·     If the server assigns both an authorization VSI and authorization VLAN to a user, the device uses only the authorization VLAN.

·     On a port, the guest VLAN, Auth-Fail VLAN, and critical VLAN settings are mutually exclusive with the guest VSI, Auth-Fail VSI, and critical VSI settings.

·     To ensure a successful authentication, you must configure the authentication server to assign authorization VLANs or VSIs to the 802.1X users attached to a port in the following situations:

¡     If the port is configured with the guest VLAN, Auth-Fail VLAN, or critical VLAN, you must configure VLAN authorization for the 802.1X users.

¡     If the port is configured with the guest VSI, Auth-Fail VSI, or critical VSI, you must configure VSI authorization for the 802.1X users.

¡     If both 802.1X and MAC authentication are configured on the port, be careful with the VSI settings of the two authentication features.

-     You must configure VSI authorization for the 802.1X users if the port has a guest or critical VSI for MAC authentication.

-     Likewise, you must configure VSI authorization for the MAC authentication users if the port has an Auth-Fail, guest, or critical VSI for 802.1X authentication.

802.1X tasks at a glance

To configure 802.1X authentication, perform the following tasks:

1.     Enabling 802.1X

2.     Configuring basic 802.1X features

¡     Enabling EAP relay or EAP termination

¡     Setting the port authorization state

¡     Specifying an access control method

¡     (Optional.) Specifying a mandatory authentication domain on a port

¡     (Optional.) Setting the 802.1X authentication timeout timers

¡     (Optional.) Configuring 802.1X reauthentication

¡     (Optional.) Setting the quiet timer

3.     (Optional.) Configuring 802.1X VLAN assignment

¡     Configuring an 802.1X guest VLAN

¡     Enabling 802.1X guest VLAN assignment delay

¡     Configuring an 802.1X Auth-Fail VLAN

¡     Configuring an 802.1X critical VLAN

¡     Enabling the 802.1X critical voice VLAN feature

4.     (Optional.) Configuring 802.1X VSI assignment

¡     Configuring an 802.1X guest VSI

¡     Enabling 802.1X guest VSI assignment delay

¡     Configuring an 802.1X Auth-Fail VSI

¡     Configuring an 802.1X critical VSI

5.     (Optional.) Setting the upper limit for 802.1X parameters

¡     Setting the maximum number of concurrent 802.1X users on a port

¡     Setting the maximum number of authentication request attempts

¡     Setting the maximum number of 802.1X authentication attempts for MAC authenticated users

6.     (Optional.) Configuring other 802.1X features

¡     Configuring 802.1X unauthenticated user aging

¡     Sending EAP-Success packets on assignment of users to the 802.1X Auth-Fail VLAN or VSI

¡     Sending EAP-Success packets on assignment of users to the 802.1X critical VLAN or VSI

¡     Enabling 802.1X online user synchronization

¡     Configuring the authentication trigger feature

Perform this task when 802.1X clients cannot initiate authentication.

¡     Discarding duplicate 802.1X EAPOL-Start requests

¡     Configuring online user handshake

¡     Specifying supported domain name delimiters

¡     Removing the VLAN tags of 802.1X protocol packets sent out of a port

¡     Enabling 802.1X user IP freezing

¡     Enabling generation of dynamic IPSG binding entries for 802.1X authenticated users

¡     Configuring 802.1X MAC address binding

¡     Configuring the EAD assistant feature

¡     Setting the maximum size of EAP-TLS fragments sent to the server

Use this feature to reduce the size of authentication packets sent to the server when the device uses EAP-TLS authentication method in EAP relay mode.

¡     Logging off 802.1X users

¡     Enabling 802.1X user logging

Prerequisites for 802.1X

Before you configure 802.1X, complete the following tasks:

·     Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users.

·     If RADIUS authentication is used, create user accounts on the RADIUS server.

·     If local authentication is used, create local user accounts on the access device and set the service type to lan-access.

Enabling 802.1X

Restrictions and guidelines

For 802.1X to take effect on a port, you must enable it both globally and on the port.

If the PVID is a voice VLAN, the 802.1X feature cannot take effect on the port. For more information about voice VLANs, see Layer 2—LAN Switching Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enable 802.1X globally.

dot1x

By default, 802.1X is disabled globally.

3.     Enter interface view.

interface interface-type interface-number

4.     Enable 802.1X on a port.

dot1x

By default, 802.1X is disabled on a port.

Enabling EAP relay or EAP termination

About this task

Consider the following factors to select a proper EAP mode:

·     Support of the RADIUS server for EAP packets.

·     Authentication methods supported by the 802.1X client and the RADIUS server.

Restrictions and guidelines

·     If EAP relay mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. The access device sends the authentication data from the client to the server without any modification. For more information about the user-name-format command, see Security Command Reference.

·     Either EAP termination or EAP relay can be used in the following situations:

¡     The client uses only MD5-Challenge EAP authentication. If EAP termination is used, you must enable CHAP authentication on the access device.

¡     The client is an iNode 802.1X client and initiates only username and password EAP authentication. If EAP termination is used, you can enable either PAP or CHAP authentication on the access device. For security, use CHAP: with CHAP the access device sends the RADIUS server only a hashed challenge response, whereas with PAP it sends the password itself, protected only by the RADIUS shared secret.

·     To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "Comparing EAP relay and EAP termination" for help.

Procedure

1.     Enter system view.

system-view

2.     Configure EAP relay or EAP termination.

dot1x authentication-method { chap | eap | pap }

By default, the access device performs EAP termination and uses CHAP to communicate with the RADIUS server.

Setting the port authorization state

About this task

The port authorization state determines whether the client is granted access to the network. You can control the following authorization states of a port:

·     Authorized—Places the port in the authorized state, enabling users on the port to access the network without authentication.

·     Unauthorized—Places the port in the unauthorized state, denying any access requests from users on the port.

·     Auto—Places the port initially in unauthorized state to allow only EAPOL packets to pass. After a user passes authentication, sets the port in the authorized state to allow access to the network. You can use this option in most scenarios.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Set the port authorization state.

dot1x port-control { authorized-force | auto | unauthorized-force }

By default, the auto state applies.

Specifying an access control method

About this task

The device supports port-based and MAC-based access control methods.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify an access control method.

dot1x port-method { macbased | portbased }

By default, MAC-based access control applies.

CAUTION:

If online 802.1X users are present on a port, changing its access control method will cause the online users to go offline.

Specifying a mandatory authentication domain on a port

About this task

You can place all 802.1X users in a mandatory authentication domain for authentication, authorization, and accounting on a port. No user can use an account in any other domain to access the network through the port. The implementation of a mandatory authentication domain enhances the flexibility of 802.1X access control deployment.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify a mandatory 802.1X authentication domain on the port.

dot1x mandatory-domain domain-name

By default, no mandatory 802.1X authentication domain is specified.

Setting the 802.1X authentication timeout timers

About this task

The network device uses the following 802.1X authentication timeout timers:

·     Client timeout timer—Starts when the access device sends an EAP-Request/MD5-Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.

·     Server timeout timer—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the 802.1X authentication fails.

Restrictions and guidelines

In most cases, the default settings are sufficient. You can edit the timers, depending on the network conditions.

·     In a low-speed network, increase the client timeout timer.

·     In a network with authentication servers of different performance, adjust the server timeout timer.

To avoid forced logoff before the server timeout timer expires, set the server timeout timer to a value that is lower than or equal to the product of the following values:

·     The maximum number of RADIUS packet transmission attempts set by using the retry command in RADIUS scheme view.

·     The RADIUS server response timeout timer set by using the timer response-timeout command in RADIUS scheme view.

For information about setting the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer, see "Configuring AAA."

Procedure

1.     Enter system view.

system-view

2.     Set the client timeout timer.

dot1x timer supp-timeout supp-timeout-value

The default is 30 seconds.

3.     Set the server timeout timer.

dot1x timer server-timeout server-timeout-value

The default is 100 seconds.

Configuring 802.1X reauthentication

Restrictions and guidelines

The device selects a periodic reauthentication timer for 802.1X reauthentication in the following order:

1.     Server-assigned reauthentication timer.

2.     Port-specific reauthentication timer.

3.     Global reauthentication timer.

4.     Default reauthentication timer.

After you perform a manual reauthentication, the device reauthenticates all online 802.1X users on a port regardless of the server-assigned reauthentication attribute and the periodic reauthentication feature on the port.

Modification to the mandatory authentication domain or EAP message handling method setting does not affect the reauthentication of online 802.1X users. The modified setting takes effect only on 802.1X users that come online after the modification.

If periodic reauthentication is triggered for a user while that user is waiting for online synchronization, the system performs online synchronization and does not perform reauthentication for the user.

Procedure

1.     Enter system view.

system-view

2.     Set the periodic reauthentication timer.

-     Set a global periodic reauthentication timer.

dot1x timer reauth-period reauth-period-value

The default setting is 3600 seconds.

-     Execute the following commands in sequence to set a port-specific periodic reauthentication timer:

interface interface-type interface-number

dot1x timer reauth-period reauth-period-value

quit

By default, no periodic reauthentication timer is set on a port. The port uses the global 802.1X periodic reauthentication timer.

3.     Enter interface view.

interface interface-type interface-number

4.     Enable periodic online user reauthentication.

dot1x re-authenticate

By default, the feature is disabled.

5.     (Optional.) Manually reauthenticate all online 802.1X users on the port.

dot1x re-authenticate manual

6.     (Optional.) Enable the keep-online feature for 802.1X users.

dot1x re-authenticate server-unreachable keep-online

By default, this feature is disabled. The device logs off online 802.1X users if no authentication server is reachable for 802.1X reauthentication.

Use the keep-online feature according to the actual network condition. In a fast-recovery network, you can use the keep-online feature to prevent 802.1X users from coming online and going offline frequently.
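As an added example that is not from this guide, the following configuration applies the server timeout rule from "Setting the 802.1X authentication timeout timers" together with the reauthentication settings of this task. The RADIUS scheme name, server address and interface are assumptions, and the dot1x commands that enable 802.1X globally and on the port are included because the timers have no effect otherwise:

```text
# Added example (not from the guide). Scheme name, server address and
# interface are assumptions.
# The 802.1X server timeout must not exceed retry x response-timeout:
#   80 <= 3 x 30 = 90 seconds
system-view
radius scheme dot1x-rs
 primary authentication 192.0.2.10 1812
 retry 3
 timer response-timeout 30
 quit
dot1x
dot1x timer supp-timeout 30
dot1x timer server-timeout 80
# Global periodic reauthentication timer; the port below overrides it.
dot1x timer reauth-period 3600
interface gigabitethernet 1/0/1
 dot1x
 dot1x timer reauth-period 1800
 dot1x re-authenticate
 # Keep users online if no server is reachable at reauthentication time.
 # Use only where the servers recover quickly.
 dot1x re-authenticate server-unreachable keep-online
 quit
```

Check the RADIUS scheme before relying on the default 802.1X server timeout of 100 seconds: the product of the scheme's retry and response-timeout values can be smaller than that default, in which case users are logged off before the RADIUS retransmissions have finished.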

Setting the quiet timer

About this task

The quiet timer enables the access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication.

Restrictions and guidelines

You can edit the quiet timer, depending on the network conditions.

·     In a vulnerable network, set the quiet timer to a high value.

·     In a high-performance network with quick authentication response, set the quiet timer to a low value.

Procedure

1.     Enter system view.

system-view

2.     Enable the quiet timer.

dot1x quiet-period

By default, the timer is disabled.

3.     Set the quiet timer.

dot1x timer quiet-period quiet-period-value

The default is 60 seconds.

Configuring an 802.1X guest VLAN

Restrictions and guidelines

·     You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different.

·     Assign different IDs to the port VLAN, the voice VLAN, and the 802.1X guest VLAN on a port. The assignment makes sure the port can correctly process incoming VLAN-tagged traffic.

·     For the 802.1X guest VLAN feature to work correctly, do not configure this feature together with EAD assistant.

·     On a hybrid port, the guest VLAN can only be an untagged VLAN.

·     If a voice VLAN and an 802.1X guest VLAN are both configured on a hybrid port, the voice VLAN has higher priority than the 802.1X guest VLAN. A packet is forwarded out of the voice VLAN if it matches the voice VLAN settings. If it does not match the voice VLAN settings, its source MAC address might be added to the 802.1X guest VLAN.

·     When you configure multiple security features on a port, follow the guidelines in Table 7.

Table 7 Relationships of the 802.1X guest VLAN and other security features

Feature | Relationship description | Reference
Super VLAN | You cannot specify a VLAN as both a super VLAN and an 802.1X guest VLAN. | See Layer 2—LAN Switching Configuration Guide.
802.1X Auth-Fail VLAN on a port that performs MAC-based access control | The 802.1X Auth-Fail VLAN has a higher priority than the 802.1X guest VLAN. | See "802.1X VLAN manipulation."
Port intrusion protection actions on a port that performs MAC-based access control | The 802.1X guest VLAN feature has higher priority than the block MAC action, and lower priority than the shutdown port action of the port intrusion protection feature. | See "Configuring port security."

Prerequisites

Before you configure an 802.1X guest VLAN, complete the following tasks:

·     Create the VLAN to be specified as the 802.1X guest VLAN.

·     If the 802.1X-enabled port performs MAC-based access control, perform the following operations for the port:

-     Configure the port as a hybrid port.

-     Enable MAC-based VLAN on the port. For more information about MAC-based VLANs, see Layer 2—LAN Switching Configuration Guide.

·     If the port type is hybrid, verify that the VLAN to be specified as the guest VLAN is not in the tagged VLAN list on the port.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the 802.1X guest VLAN on the port.

dot1x guest-vlan guest-vlan-id

By default, no 802.1X guest VLAN exists on a port.

Enabling 802.1X guest VLAN assignment delay

About this task

This feature delays assigning an 802.1X-enabled port to the 802.1X guest VLAN when 802.1X authentication is triggered on the port.

This feature applies only to situations where 802.1X authentication is triggered by EAPOL-Start packets from 802.1X clients or packets from unknown MAC addresses.

To use this feature, the 802.1X-enabled port must perform MAC-based access control. To use the new-MAC-triggered 802.1X guest VLAN assignment delay (the new-mac keyword), you must also configure the 802.1X unicast trigger on the port.

When 802.1X authentication is triggered on a port, the device performs the following operations:

1.     Sends a unicast EAP-Request/Identity packet to the MAC address that triggers the authentication.

2.     Retransmits the packet if no response is received within the username request timeout interval set by using the dot1x timer tx-period command.

3.     Assigns the port to the 802.1X guest VLAN after the maximum number of request attempts set by using the dot1x retry command is reached.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable 802.1X guest VLAN assignment delay on the port.

dot1x guest-vlan-delay { eapol | new-mac }

By default, 802.1X guest VLAN assignment delay is disabled on a port.

Configuring an 802.1X Auth-Fail VLAN

Restrictions and guidelines

·     Assign different IDs to the port VLAN, the voice VLAN, and the 802.1X Auth-Fail VLAN on a port. The assignment makes sure the port can correctly process VLAN-tagged incoming traffic.

·     You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on different ports can be different.

·     On a hybrid port, the Auth-Fail VLAN can only be an untagged VLAN.

·     When you configure multiple security features on a port, follow the guidelines in Table 8.

Table 8 Relationships of the 802.1X Auth-Fail VLAN with other features

Feature | Relationship description | Reference
Super VLAN | You cannot specify a VLAN as both a super VLAN and an 802.1X Auth-Fail VLAN. | See Layer 2—LAN Switching Configuration Guide.
MAC authentication guest VLAN on a port that performs MAC-based access control | The 802.1X Auth-Fail VLAN has higher priority than the MAC authentication guest VLAN. | See "Configuring MAC authentication."
Port intrusion protection actions on a port that performs MAC-based access control | The 802.1X Auth-Fail VLAN feature has higher priority than the block MAC action, and lower priority than the shutdown port action of the port intrusion protection feature. | See "Configuring port security."

Prerequisites

Before you configure an 802.1X Auth-Fail VLAN, complete the following tasks:

·     Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.

·     If the 802.1X-enabled port performs MAC-based access control, perform the following operations for the port:

-     Configure the port as a hybrid port.

-     Enable MAC-based VLAN on the port. For more information about MAC-based VLANs, see Layer 2—LAN Switching Configuration Guide.

·     If the port type is hybrid, verify that the VLAN to be specified as the Auth-Fail VLAN is not in the tagged VLAN list on the port.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the 802.1X Auth-Fail VLAN on the port.

dot1x auth-fail vlan authfail-vlan-id

By default, no 802.1X Auth-Fail VLAN exists on a port.

Configuring an 802.1X critical VLAN

Restrictions and guidelines

·     Assign different IDs to the PVID, the voice VLAN, and the 802.1X critical VLAN on a port. The assignment makes sure the port can correctly process VLAN-tagged incoming traffic.

·     You can configure only one 802.1X critical VLAN on a port. The 802.1X critical VLANs on different ports can be different.

·     You cannot specify a VLAN as both a super VLAN and an 802.1X critical VLAN. For information about super VLANs, see Layer 2—LAN Switching Configuration Guide.

·     On a hybrid port, the critical VLAN can only be an untagged VLAN.

Prerequisites

Before you configure an 802.1X critical VLAN, complete the following tasks:

·     Create the VLAN to be specified as a critical VLAN.

·     If the 802.1X-enabled port performs MAC-based access control, perform the following operations for the port:

-     Configure the port as a hybrid port.

-     Enable MAC-based VLAN on the port. For more information about MAC-based VLANs, see Layer 2—LAN Switching Configuration Guide.

·     If the port type is hybrid, verify that the VLAN to be specified as the critical VLAN is not in the tagged VLAN list on the port.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the 802.1X critical VLAN on the port.

dot1x critical vlan critical-vlan-id

By default, no 802.1X critical VLAN exists on a port.
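The following added example, which is not from this guide, brings the guest VLAN, Auth-Fail VLAN and critical VLAN tasks together on one port that performs MAC-based access control, including the prerequisites each task lists (VLANs created, hybrid port, VLANs untagged on the port, MAC-based VLAN enabled). The VLAN IDs, the interface and the choice of the new-mac guest VLAN delay are assumptions; the PVID, guest, Auth-Fail and critical VLAN IDs are all different, as the guidelines require:

```text
# Added example (not from the guide). VLAN IDs and interface are assumptions.
# PVID 10, guest VLAN 20, Auth-Fail VLAN 30, critical VLAN 40.
system-view
vlan 10
 quit
vlan 20
 quit
vlan 30
 quit
vlan 40
 quit
dot1x
interface gigabitethernet 1/0/2
 port link-type hybrid
 port hybrid pvid vlan 10
 # Guest, Auth-Fail and critical VLANs must be untagged on a hybrid port.
 port hybrid vlan 10 20 30 40 untagged
 # MAC-based VLAN is required for MAC-based access control with these VLANs.
 mac-vlan enable
 dot1x
 dot1x port-method macbased
 # The new-mac guest VLAN delay needs the unicast trigger; the multicast
 # trigger is on by default and the two should not both be enabled.
 dot1x unicast-trigger
 undo dot1x multicast-trigger
 dot1x guest-vlan 20
 dot1x guest-vlan-delay new-mac
 dot1x auth-fail vlan 30
 dot1x critical vlan 40
 quit
```

After applying the configuration, confirm with display current-configuration that none of the three VLANs appears in the port's tagged VLAN list and that the port's voice VLAN, if one is configured, uses yet another ID.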

Enabling the 802.1X critical voice VLAN feature

Restrictions and guidelines

The feature does not take effect if the voice user has been in the 802.1X Auth-Fail VLAN.

Prerequisites

Before you enable the 802.1X critical voice VLAN feature on a port, complete the following tasks:

·     Enable LLDP both globally and on the port.

The device uses LLDP to identify voice users. For information about LLDP, see Layer 2—LAN Switching Configuration Guide.

·     Enable voice VLAN on the port.

For information about voice VLANs, see Layer 2—LAN Switching Configuration Guide.

·     Specify an 802.1X critical VLAN on the port. This setting ensures that a voice user is assigned to the critical VLAN if it fails authentication because the RADIUS servers are unreachable before the device recognizes it as a voice user. If no 802.1X critical VLAN is available, the voice user might be logged off instead.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable the 802.1X critical voice VLAN feature on a port.

dot1x critical-voice-vlan

By default, the 802.1X critical voice VLAN feature is disabled on a port.

Configuring an 802.1X guest VSI

Restrictions and guidelines

You can configure only one 802.1X guest VSI on a port. The 802.1X guest VSIs on different ports can be different.

For the 802.1X guest VSI feature to work correctly, do not configure this feature together with EAD assistant.

Prerequisites

Before you configure the 802.1X guest VSI on an 802.1X-enabled port, complete the following tasks:

·     Enable L2VPN.

·     Create the VSI to be specified as the 802.1X guest VSI, and create a VXLAN for the VSI.

·     Configure the port to perform MAC-based access control and enable MAC-based traffic match mode for dynamic Ethernet service instances on the port.

For more information, see VXLAN Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the 802.1X guest VSI on the port.

dot1x guest-vsi guest-vsi-name

By default, no 802.1X guest VSI exists on a port.

Enabling 802.1X guest VSI assignment delay

About this task

This feature delays assigning an 802.1X-enabled port to the 802.1X guest VSI when 802.1X authentication is triggered on the port.

This feature applies only to situations where 802.1X authentication is triggered by EAPOL-Start packets from 802.1X clients or packets from unknown MAC addresses.

To use this feature, the 802.1X-enabled port must perform MAC-based access control.

When 802.1X authentication is triggered on a port, the device performs the following operations:

1.     Sends a unicast EAP-Request/Identity packet to the MAC address that triggers the authentication.

2.     Retransmits the packet if no response is received within the username request timeout interval set by using the dot1x timer tx-period command.

3.     Assigns the port to the 802.1X guest VSI after the maximum number of request attempts set by using the dot1x retry command is reached.

This feature can work with the parallel processing of MAC authentication and 802.1X authentication feature when a port performs a combination of 802.1X and MAC authentication. With both features enabled, the port performs MAC authentication before it is assigned to the 802.1X guest VSI. For information about the parallel processing of MAC authentication and 802.1X authentication feature, see "Configuring MAC authentication."

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable 802.1X guest VSI assignment delay on the port.

dot1x guest-vsi-delay { eapol | new-mac }

By default, 802.1X guest VSI assignment delay is disabled on a port.

Configuring an 802.1X Auth-Fail VSI

Restrictions and guidelines

You can configure only one 802.1X Auth-Fail VSI on a port. The 802.1X Auth-Fail VSIs on different ports can be different.

Prerequisites

Before you configure the 802.1X Auth-Fail VSI on an 802.1X-enabled port, complete the following tasks:

·     Enable L2VPN.

·     Create the VSI to be specified as the 802.1X Auth-Fail VSI, and create a VXLAN for the VSI.

·     Configure the port to perform MAC-based access control and enable MAC-based traffic match mode for dynamic Ethernet service instances on the port.

For more information, see VXLAN Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the 802.1X Auth-Fail VSI on the port.

dot1x auth-fail vsi authfail-vsi-name

By default, no 802.1X Auth-Fail VSI exists on a port.

Configuring an 802.1X critical VSI

Restrictions and guidelines

You can configure only one 802.1X critical VSI on a port. The 802.1X critical VSIs on different ports can be different.

The 802.1X critical VSI on a port does not take effect on users already in the 802.1X Auth-Fail VSI.

Prerequisites

Before you configure the 802.1X critical VSI on an 802.1X-enabled port, complete the following tasks:

·     Enable L2VPN.

·     Create the VSI to be specified as the 802.1X critical VSI, and create a VXLAN for the VSI.

·     Configure the port to perform MAC-based access control and enable MAC-based traffic match mode for dynamic Ethernet service instances on the port.

For more information, see VXLAN Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the 802.1X critical VSI on the port.

dot1x critical vsi critical-vsi-name

By default, no 802.1X critical VSI exists on a port.

Configuring 802.1X unauthenticated user aging

About this task

802.1X unauthenticated user aging applies to users added to an 802.1X guest, critical, or Auth-Fail VLAN or VSI because they have not been authenticated or have failed authentication.

When a user in one of those VLANs or VSIs ages out, the device removes the user from the VLAN or VSI and deletes the MAC address entry for the user from the access port.

For users in one of those VLANs or VSIs on one port to be authenticated successfully and come online on another port, enable this feature. In any other scenarios, disable this feature as a best practice.

The 802.1X user aging mechanism on a port depends on its access control mode.

·     If the port uses port-based access control, a user aging timer starts when the port is assigned to the critical or Auth-Fail VLAN. When the aging timer expires, the port is removed from the VLAN and all MAC address entries for users in the VLAN are also removed.

·     If the port uses MAC-based access control, a user aging timer starts for each 802.1X user when they are assigned to the Auth-Fail, critical, or guest VLAN or VSI. When the aging timer for a user expires, the device removes that user from the VLAN or VSI.

The removed users will be unable to access any network resources until after another authentication is triggered.

Restrictions and guidelines

As a best practice, use this feature on a port only if you want its unauthenticated users to be authenticated and come online on a different port.

Procedure

1.     Enter system view.

system-view

2.     Set the user aging timer for a type of 802.1X VLAN or VSI.

dot1x timer user-aging { auth-fail-vlan | auth-fail-vsi | critical-vlan | critical-vsi | guest-vlan | guest-vsi } aging-time-value

By default, the user aging timers for all applicable types of 802.1X VLANs and VSIs are 1000 seconds.

3.     Enter interface view.

interface interface-type interface-number

4.     Enable 802.1X unauthenticated user aging.

dot1x unauthenticated-user aging enable

By default, 802.1X unauthenticated user aging is enabled.

Sending EAP-Success packets on assignment of users to the 802.1X Auth-Fail VLAN or VSI

About this task

By default, the device sends EAP-Failure packets to 802.1X clients when the client users are assigned to the 802.1X Auth-Fail VLAN or VSI on a port. However, some 802.1X clients cannot send DHCP requests for IP addresses after they receive EAP-Failure packets.

To have these clients obtain IP addresses and access resources after they are assigned to the 802.1X Auth-Fail VLAN or VSI, perform this task.

This task enables the device to send EAP-Success packets instead of EAP-Failure packets to 802.1X clients when the client users are assigned to the 802.1X Auth-Fail VLAN or VSI on the port.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable the device to send an EAP-Success packet to a client when the client user is assigned to the 802.1X Auth-Fail VLAN or VSI on the port.

dot1x auth-fail eapol

By default, the device sends an EAP-Failure packet to a client when the client user is assigned to the 802.1X Auth-Fail VLAN or VSI.

Sending EAP-Success packets on assignment of users to the 802.1X critical VLAN or VSI

About this task

By default, the device sends EAP-Failure packets to 802.1X clients when the client users are assigned to the 802.1X critical VLAN or VSI. Some 802.1X clients, for example, Windows built-in 802.1X clients, cannot respond to the EAP-Request/Identity packet from the device for reauthentication if they have received an EAP-Failure packet. As a result, reauthentication for these clients will fail after the authentication server becomes reachable.

To avoid this situation, enable the device to send EAP-Success packets instead of EAP-Failure packets to 802.1X clients when the client users are assigned to the 802.1X critical VLAN or VSI.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the device to send an EAP-Success packet to an 802.1X client when its client user is assigned to the critical VLAN or VSI on the port.

dot1x critical eapol

By default, the device sends an EAP-Failure packet to an 802.1X client when its client user is assigned to the critical VLAN or VSI.

Enabling 802.1X online user synchronization

About this task

IMPORTANT:

This feature takes effect only when the device uses an IMC RADIUS server to authenticate 802.1X users.

To ensure that the RADIUS server maintains the same online 802.1X user information as the device after the server state changes from unreachable to reachable, use this feature.

This feature synchronizes online 802.1X user information between the device and the RADIUS server when the RADIUS server state is detected to have changed from unreachable to reachable.

When synchronizing online 802.1X user information on a port with the RADIUS server, the device initiates 802.1X authentication with the RADIUS server for each authenticated online 802.1X user in turn.

If synchronization fails for an online user, the device logs off that user unless the failure occurs because the server has become unreachable again.

Restrictions and guidelines

The amount of time required to complete online user synchronization increases as the number of online users grows. This might result in an increased delay for new 802.1X users and users in the critical VLAN or VSI to authenticate or reauthenticate to the RADIUS server and come online.

To have this feature take effect, you must use it in conjunction with the RADIUS server status detection feature, which is configurable with the radius-server test-profile command. When you configure this feature, make sure the detection interval is shorter than the RADIUS server quiet timer configured by using the timer quiet command in RADIUS scheme view. The server state changes to active on expiration of the quiet timer regardless of its actual reachability. Setting a shorter detection interval than the quiet timer prevents the RADIUS server status detection feature from falsely reporting the server reachability.

For more information about the RADIUS server status detection feature, see "Configuring AAA."

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable 802.1X online user synchronization.

dot1x server-recovery online-user-sync

By default, 802.1X online user synchronization is disabled.
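As an added example that is not from this guide, the following configuration pairs online user synchronization with the RADIUS server status detection it depends on. The test profile name, probe username, server address, scheme name and interface are assumptions, and the interval and quiet timer values assume both are expressed in minutes; confirm the units in Security Command Reference before copying them:

```text
# Added example (not from the guide). Names, address and interface are
# assumptions. Synchronization takes effect only with an IMC RADIUS server.
system-view
# Probe the server with a detection account. The detection interval (1)
# must be shorter than the scheme's quiet timer (5), otherwise the server
# is marked active by quiet-timer expiry before a probe has confirmed it.
radius-server test-profile dot1x-probe username probe-user interval 1
radius scheme dot1x-rs
 primary authentication 192.0.2.10 1812 test-profile dot1x-probe
 timer quiet 5
 quit
interface gigabitethernet 1/0/1
 dot1x server-recovery online-user-sync
 quit
```

Expect the first synchronization after a server outage to take longer on ports with many online users, since each user is reauthenticated in turn; new users and users waiting in the critical VLAN or VSI come online only after that pass completes.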

Configuring the authentication trigger feature

About this task

The authentication trigger feature enables the access device to initiate 802.1X authentication when 802.1X clients cannot initiate authentication.

This feature provides the multicast trigger and unicast trigger (see 802.1X authentication initiation in "802.1X overview").

Restrictions and guidelines

·     Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start packets to initiate 802.1X authentication.

·     As a best practice to conserve link bandwidth, disable the multicast trigger if a lot of VLANs are configured on the port.

·     Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these clients cannot initiate authentication.

·     To avoid duplicate authentication packets, do not enable both triggers on a port.

·     As a best practice, do not use the unicast trigger on a port that performs port-based access control. If you do so, users on the port might fail to come online.

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Set the username request timeout timer.

dot1x timer tx-period tx-period-value

The default is 30 seconds.

3.     Enter interface view.

interface interface-type interface-number

4.     Enable an authentication trigger.

dot1x { multicast-trigger | unicast-trigger }

By default, the multicast trigger is enabled, and the unicast trigger is disabled.

Setting the maximum number of concurrent 802.1X users on a port

About this task

Perform this task to prevent the system resources from being overused.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Set the maximum number of concurrent 802.1X users on a port.

dot1x max-user max-number

The default is 4294967295.

Setting the maximum number of authentication request attempts

About this task

The access device retransmits an authentication request if it does not receive any responses to the request from the client within a period of time. To set the time, use the dot1x timer tx-period tx-period-value command or the dot1x timer supp-timeout supp-timeout-value command. The access device stops retransmitting the request if it has made the maximum number of request transmission attempts but still receives no response.

Procedure

1.     Enter system view.

system-view

2.     Set the maximum number of attempts for sending an authentication request.

dot1x retry retries

The default setting is 2.

Discarding duplicate 802.1X EAPOL-Start requests

About this task

During 802.1X authentication, the device might receive duplicate EAPOL-Start requests from an 802.1X user. By default, the device delivers the duplicate EAPOL-Start requests to the authentication server as long as they are legal. However, this mechanism might result in authentication failure if the authentication server cannot respond to duplicate EAPOL-Start requests. To resolve this issue, perform this task on the user access interface to discard duplicate EAPOL-Start requests.

Restrictions and guidelines

As a best practice, perform this task only if the server cannot respond to duplicate EAPOL-Start requests. Do not perform this task in other situations.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Discard duplicate EAPOL-Start requests on the interface.

dot1x duplicate-eapol-start discard

By default, the device does not discard duplicate EAPOL-Start requests on an interface if the requests are legal.

Configuring online user handshake

About this task

The online user handshake feature checks the connectivity status of online 802.1X users. The access device sends handshake requests (EAP-Request/Identity) to online users at the interval specified by the dot1x timer handshake-period command. If the device does not receive any EAP-Response/Identity packets from an online user after it has made the maximum handshake attempts, the device sets the user to offline state. To set the maximum handshake attempts, use the dot1x retry command.

Typically, the device does not reply to 802.1X clients' EAP-Response/Identity packets with EAP-Success packets. Some 802.1X clients will go offline if they do not receive the EAP-Success packets for handshake. To avoid this issue, enable the online user handshake reply feature.

If iNode clients are deployed, you can also enable the online user handshake security feature to check authentication information in the handshake packets from clients. This feature can prevent 802.1X users that use illegal client software from bypassing iNode security checks, such as dual network interface card (NIC) detection. If a user fails the handshake security check, the device sets the user to the offline state.

Restrictions and guidelines

·     If the network has 802.1X clients that cannot exchange handshake packets with the access device, disable the online user handshake feature. This operation prevents the 802.1X connections from being incorrectly torn down.

·     To use the online user handshake security feature, make sure the online user handshake feature is enabled.

·     The online user handshake security feature takes effect only on the network where the iNode client and IMC server are used.

·     Enable the online user handshake reply feature only if 802.1X clients will go offline without receiving EAP-Success packets from the device.

·     To ensure online user handshake and new user authentication when a large number of users are present, set the following parameters to a large value:

-     Handshake timer (set by using the dot1x timer handshake-period command).

-     Maximum number of attempts to send an authentication request to a client (set by using the dot1x retry command).

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Set the handshake timer.

dot1x timer handshake-period handshake-period-value

The default is 15 seconds.

3.     Enter interface view.

interface interface-type interface-number

4.     Enable the online user handshake feature.

dot1x handshake

By default, the feature is enabled.

5.     (Optional.) Enable the online user handshake security feature.

dot1x handshake secure

By default, the feature is disabled.

6.     (Optional.) Enable the 802.1X online user handshake reply feature.

dot1x handshake reply enable

By default, the device does not reply to 802.1X clients' EAP-Response/Identity packets during the online handshake process.

Specifying supported domain name delimiters

About this task

By default, the access device supports the at sign (@) as the delimiter. You can also configure the access device to accommodate 802.1X users that use other domain name delimiters. The configurable delimiters include the at sign (@), backslash (\), dot (.), and forward slash (/). Usernames that include domain names can use the format of username@domain-name, domain-name\username, username.domain-name, or username/domain-name.

If an 802.1X username string contains multiple configured delimiters, the rightmost delimiter is the domain name delimiter. For example, if you configure the backslash (\), dot (.), and forward slash (/) as delimiters, the domain name delimiter for the username string 121.123/22\@abc is the backslash (\). The username is @abc and the domain name is 121.123/22.

Restrictions and guidelines

If a username string contains none of the delimiters, the access device authenticates the user in the mandatory or default ISP domain.

If you configure the access device to send usernames with domain names to the RADIUS server, make sure the domain delimiter can be recognized by the RADIUS server. For username format configuration, see the user-name-format command in Security Command Reference.

Procedure

1.     Enter system view.

system-view

2.     Specify a set of domain name delimiters for 802.1X users.

dot1x domain-delimiter string

By default, only the at sign (@) delimiter is supported.

Removing the VLAN tags of 802.1X protocol packets sent out of a port

About this task

This feature operates on a hybrid port to have it send 802.1X protocol packets with their VLAN tags removed, regardless of whether the port is a tagged or untagged member of a VLAN.

Use this feature if the 802.1X-enabled hybrid port is a tagged member of its PVID and the attached 802.1X clients cannot recognize VLAN-tagged 802.1X protocol packets.

Restrictions and guidelines

This feature removes the VLAN tags of all 802.1X protocol packets sent out of the port to 802.1X clients. Do not use this feature if VLAN-aware 802.1X clients are attached to the port. As a best practice, perform this task only in the described applicable scenario.

Prerequisites

Set the link type of the 802.1X-enabled port to hybrid. For more information, see VLAN configuration in Layer 2 LAN Switching Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Remove the VLAN tags of all 802.1X protocol packets sent out of the port to 802.1X clients.

dot1x eapol untag

By default, whether the device removes the VLAN tags of all 802.1X protocol packets sent out of a port to 802.1X clients depends on the configuration in the VLAN module.

CAUTION:

This command removes the VLAN tags of all 802.1X protocol packets sent out of the port to 802.1X clients. Do not use this command if VLAN-aware 802.1X clients are attached to the port. As a best practice, use this command only in the described applicable scenario.

Setting the maximum number of 802.1X authentication attempts for MAC authenticated users

About this task

When a port uses both 802.1X authentication and MAC authentication, the device accepts 802.1X authentication requests from MAC authenticated users. If a MAC authenticated user passes 802.1X authentication, the user will come online as an 802.1X user. If the user fails 802.1X authentication, the user continues to make 802.1X authentication attempts depending on client configuration.

Perform this task to limit the number of 802.1X authentication attempts made by a MAC authenticated user.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Set the maximum number of 802.1X authentication attempts for MAC authenticated users on the port.

dot1x after-mac-auth max-attempt max-attempts

By default, the number of 802.1X authentication attempts for MAC authenticated users is not limited on a port.

Enabling 802.1X user IP freezing

About this task

This feature works with the IP source guard feature. 802.1X-based IP source guard requires that 802.1X clients support sending user IP addresses to the access device. The device uses information such as user MAC addresses and IP addresses obtained through 802.1X to generate IPSG bindings to filter out IPv4 packets from unauthenticated 802.1X users. For information about IP source guard, see "Configuring IP source guard."

This feature prevents any authenticated 802.1X users on a port from changing their IP addresses. After you enable this feature, the port does not update the IP addresses in dynamic IPSG bindings for 802.1X users. If an 802.1X user uses an IP address different from the IP address in its IPSG binding entry, the port denies the user access.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable 802.1X user IP freezing.

dot1x user-ip freeze

By default, 802.1X user IP freezing is disabled.

Enabling generation of dynamic IPSG binding entries for 802.1X authenticated users

About this task

IMPORTANT:

This feature must operate in conjunction with the IP source guard (IPSG) feature.

 

By default, the device generates a dynamic IPv4SG or IPv6SG binding entry for an 802.1X authenticated user after the user obtains a static or DHCP assigned IP address.

To allow only 802.1X users with DHCP assigned IP addresses to access the network, perform the following operations:

·     Enable IPSG.

·     Disable generation of dynamic IPv4SG or IPv6SG binding entries for 802.1X authenticated users.

·     Enable DHCP snooping. The device will generate IPv4SG or IPv6SG binding entries for the users based on DHCP snooping.

For more information about IPSG, see IP source guard in Security Configuration Guide.

Restrictions and guidelines

This feature takes effect only on 802.1X users that come online after the feature is enabled. If the IP address of an online 802.1X user changes, the device will update the dynamic IPv4SG or IPv6SG binding entry for the user.

Disabling this feature does not delete the existing dynamic IPv4SG or IPv6SG binding entries for online 802.1X users. If the IP address of an online 802.1X user changes after the feature is disabled, the device will delete the dynamic IPv4SG or IPv6SG binding entry for the user.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable generation of dynamic IPv4SG or IPv6SG binding entries for 802.1X authenticated users.

dot1x { ip-verify-source | ipv6-verify-source } enable

By default, generation of dynamic IPv4SG or IPv6SG binding entries for 802.1X authenticated users is enabled.

Configuring 802.1X MAC address binding

About this task

This feature can automatically bind MAC addresses of authenticated 802.1X users to the users' access port and generate 802.1X MAC address binding entries. You can also use the dot1x mac-binding mac-address command to manually add 802.1X MAC address binding entries.

802.1X MAC address binding entries never age out. They can survive a user logoff or a device reboot. If users in the 802.1X MAC address binding entries perform 802.1X authentication on another port, they cannot pass authentication.

Restrictions and guidelines

The 802.1X MAC address binding feature takes effect only when the port performs MAC-based access control.

To delete an 802.1X MAC address binding entry, use the undo dot1x mac-binding mac-address command. An 802.1X MAC address binding entry cannot be deleted when the user in the entry is online.

After the number of 802.1X MAC address binding entries reaches the upper limit of concurrent 802.1X users (set by using the dot1x max-user command), the following restrictions exist:

·     Users not in the binding entries will fail authentication even after users in the binding entries go offline.

·     New 802.1X MAC address binding entries are not allowed.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable the 802.1X MAC address binding feature.

dot1x mac-binding enable

By default, the feature is disabled.

4.     (Optional.) Manually add an 802.1X MAC address binding entry.

dot1x mac-binding mac-address

By default, no 802.1X MAC address binding entries exist on a port.

Configuring the EAD assistant feature

Restrictions and guidelines

·     (In versions earlier than Release 6522.) You must disable port security and MAC authentication globally before you enable the EAD assistant feature.

·     (In Release 6522 and later.) You must disable port security before you enable the EAD assistant feature.

·     To make the EAD assistant feature take effect on an 802.1X-enabled port, you must set the port authorization mode to auto.

·     (In versions earlier than Release 6522.) When global MAC authentication or port security is enabled, the free IP does not take effect.

·     (In Release 6522 and later.) When port security is enabled, the free IP does not take effect.

·     For the 802.1X guest VSI or guest VLAN feature to work correctly, do not enable EAD assistant together with the 802.1X guest VSI or guest VLAN feature.

·     If you use free IP and Auth-Fail VLAN features together, make sure the resources in the Auth-Fail VLAN are on the free IP segments.

·     The server that provides the redirect URL must be on the free IP accessible to unauthenticated users.

In Release 6522 and later, you can use EAD assistant in conjunction with MAC authentication. When you use both EAD assistant and MAC authentication on the device, follow these restrictions and guidelines:

·     If both EAD assistant and MAC authentication are configured, the device does not mark the MAC address of a user that has failed MAC authentication as a silent MAC address. If the user has never passed MAC authentication, packets from the user can trigger authentication again only after the user's EAD entry ages out.

·     As a best practice, do not configure MAC authentication guest VSIs, guest VLANs, critical VSIs, or critical VLANs. The VLANs or VSIs might fail to work correctly when both EAD assistant and MAC authentication are configured on the device.

·     As a best practice, do not configure the Web authentication feature. The feature might fail to work correctly when both EAD assistant and MAC authentication are configured on the device.

·     Configure a reasonable lease term for IP addresses assigned to users processed by EAD assistant to ensure that the users can obtain new IP addresses as soon as possible after they pass MAC authentication.

·     If the MAC address of a user has been marked as a silent MAC address before you enable EAD assistant, packets from the user can trigger EAD assistant only after the quiet timer expires.

Procedure

1.     Enter system view.

system-view

2.     Enable the EAD assistant feature.

dot1x ead-assistant enable

By default, this feature is disabled.

3.     Configure a free IP.

dot1x ead-assistant free-ip ip-address { mask-length | mask-address }

Repeat this command to configure multiple free IPs.

4.     (Optional.) Configure the redirect URL if users will use Web browsers to access the network.

dot1x ead-assistant url url-string

By default, no redirect URL exists.

By default, the device listens to port 6654 for HTTPS requests to be redirected. To change the redirect listening port number, see configuring HTTP redirect in Layer 3—IP Services Configuration Guide.

5.     (Optional.) Set the EAD rule timer.

dot1x timer ead-timeout ead-timeout-value

The default setting is 30 minutes.

To avoid using up ACL resources when a large number of EAD users exist, you can shorten the EAD rule timer.

Setting the maximum size of EAP-TLS fragments sent to the server

About this task

When the device uses EAP-TLS authentication method in EAP relay mode, the RADIUS packets might exceed the maximum packet size supported by the RADIUS server. This situation typically occurs when long EAP-TLS messages are encapsulated in the EAP-Message attribute of the RADIUS packet sent to the RADIUS server.

To avoid authentication failures caused by oversized packets, fragment the EAP-TLS messages depending on the maximum RADIUS packet size supported by the remote RADIUS server.

For example, if the maximum packet length the server accepts is 1200 bytes and a RADIUS packet without its EAP-Message attributes is 800 bytes, set the maximum EAP-TLS fragment length to a value smaller than 400 bytes. The fragment must be smaller than the 400-byte difference, not equal to it, because the EAP-TLS packet header and the type and length octets of each EAP-Message attribute that carries the fragment also count toward the RADIUS packet length.

Restrictions and guidelines

802.1X EAP-TLS fragmentation takes effect only when EAP relay mode is used. For more information about enabling EAP relay, see "Enabling EAP relay or EAP termination."

Procedure

1.     Enter system view.

system-view

2.     Enable 802.1X EAP-TLS fragmentation and set the maximum EAP-TLS fragment size.

dot1x eap-tls-fragment to-server eap-tls-max-length

By default, EAP-TLS messages are not fragmented.
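To make the size arithmetic above concrete, here is an added Python example. It is not H3C code and not part of this guide. It builds EAP-TLS fragments with the L and M flags as defined in RFC 5216, wraps each fragment in RADIUS EAP-Message attributes of at most 253 value octets as defined in RFC 3579, and then searches for the largest fragment size that keeps every Access-Request within the server's limit. Two assumptions are made about the worked figures: that the configured maximum fragment length bounds the TLS data bytes per fragment, and that the "RADIUS packet length excluding EAP-Message" already includes the 20-byte RADIUS header.

```python
"""EAP-TLS fragmentation versus RADIUS packet size (added example, not H3C code).

Models what an authenticator in EAP relay mode must do when it re-fragments a
long EAP-TLS message toward the RADIUS server: every fragment, once wrapped in
EAP-Message attributes, must still fit in the server's maximum packet size.
"""
import struct

EAP_CODE_RESPONSE = 2
EAP_TYPE_TLS = 13
FLAG_L = 0x80          # TLS Message Length field present (RFC 5216)
FLAG_M = 0x40          # more fragments follow
EAP_MESSAGE_ATTR = 79  # RADIUS EAP-Message attribute type (RFC 3579)
ATTR_VALUE_MAX = 253   # 255-octet attribute minus its type and length octets


def eap_tls_fragments(tls_data, max_len, first_id=1):
    """Split tls_data into EAP-TLS Response packets carrying at most max_len
    bytes of TLS data each. Identifiers are illustrative: on the wire each
    fragment answers a separate EAP-Request (the server's ack) with its own Id."""
    if max_len < 1:
        raise ValueError("max_len must be at least 1")
    chunks = [tls_data[i:i + max_len] for i in range(0, len(tls_data), max_len)] or [b""]
    packets = []
    for n, chunk in enumerate(chunks):
        last = n == len(chunks) - 1
        flags = 0 if last else FLAG_M
        body = b""
        if n == 0 and not last:
            flags |= FLAG_L                      # first fragment announces the total length
            body = struct.pack("!I", len(tls_data))
        body += chunk
        header = struct.pack("!BBHBB", EAP_CODE_RESPONSE, (first_id + n) & 0xFF,
                             6 + len(body), EAP_TYPE_TLS, flags)
        packets.append(header + body)
    return packets


def reassemble(packets):
    """Inverse of eap_tls_fragments: join the TLS data and check the announced length."""
    data, announced = b"", None
    for pkt in packets:
        _code, _ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
        if length != len(pkt) or eap_type != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        offset = 6
        if flags & FLAG_L:
            announced = struct.unpack("!I", pkt[6:10])[0]
            offset = 10
        data += pkt[offset:]
    if announced is not None and announced != len(data):
        raise ValueError("reassembled %d bytes, announced %d" % (len(data), announced))
    return data


def eap_message_attributes(eap_packet):
    """Wrap one EAP packet in as many EAP-Message attributes as it needs."""
    out = b""
    for i in range(0, len(eap_packet), ATTR_VALUE_MAX):
        piece = eap_packet[i:i + ATTR_VALUE_MAX]
        out += struct.pack("!BB", EAP_MESSAGE_ATTR, 2 + len(piece)) + piece
    return out


def radius_len(eap_packet, len_without_eap):
    """Access-Request length: everything except EAP-Message, plus the EAP-Message attributes."""
    return len_without_eap + len(eap_message_attributes(eap_packet))


def max_fragment_for_server(server_max, len_without_eap, tls_len):
    """Largest per-fragment TLS data size for which every Access-Request carrying a
    tls_len-byte EAP-TLS message fits in server_max bytes (assumed meaning of the
    configured maximum fragment length)."""
    budget = server_max - len_without_eap
    for max_len in range(budget, 0, -1):
        frags = eap_tls_fragments(bytes(tls_len), max_len)
        if all(radius_len(f, len_without_eap) <= server_max for f in frags):
            return max_len
    raise ValueError("no fragment size fits the server's limit")


if __name__ == "__main__":
    # The guide's figures: server accepts 1200 bytes, 800 bytes already used.
    best = max_fragment_for_server(1200, 800, 3000)
    print("largest fragment that fits:", best)
    frags = eap_tls_fragments(bytes(3000), best)
    print("fragments:", len(frags), "largest Access-Request:",
          max(radius_len(f, 800) for f in frags))
```

With the guide's figures and a 3000-byte EAP-TLS message the search returns 386, not 400: the 6-byte EAP header, the 4-byte length field in the first fragment, and the two attribute headers needed once the packet exceeds 253 octets consume the rest of the budget. That is the margin the guide's "less than 400 bytes" refers to.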

Logging off 802.1X users

About this task

Perform this task to log off specified 802.1X users and clear information about these users from the device. These users must perform 802.1X authentication to come online again.

Procedure

To log off 802.1X users, execute the following command in user view:

reset dot1x access-user [ interface interface-type interface-number | mac mac-address | username username | vlan vlan-id | vsi vsi-name ]

Enabling 802.1X user logging

About this task

This feature enables the device to generate logs about 802.1X users and send the logs to the information center. For the logs to be output correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.

Restrictions and guidelines

To prevent excessive 802.1X user log entries, use this feature only if you need to analyze abnormal 802.1X user logins or logouts.

Procedure

1.     Enter system view.

system-view

2.     Enable 802.1X user logging.

dot1x access-user log enable [ abnormal-logoff | failed-login | normal-logoff | successful-login ] *

By default, 802.1X user logging is disabled.

If you do not specify any parameters, this command enables all types of 802.1X user logs.

Display and maintenance commands for 802.1X

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display 802.1X session information, statistics, or configuration information of specified or all ports.

display dot1x [ sessions | statistics ] [ interface interface-type interface-number ]

Display online 802.1X user information.

display dot1x connection [ open ] [ interface interface-type interface-number | slot slot-number | user-mac mac-address | user-name name-string ]

Display the MAC addresses of 802.1X users in a type of 802.1X VLAN or VSI.

display dot1x mac-address { auth-fail-vlan | auth-fail-vsi | critical-vlan | critical-vsi | guest-vlan | guest-vsi } [ interface interface-type interface-number ]

Remove users from the 802.1X guest VLAN on a port.

reset dot1x guest-vlan interface interface-type interface-number [ mac-address mac-address ]

Remove users from the 802.1X guest VSI on a port.

reset dot1x guest-vsi interface interface-type interface-number [ mac-address mac-address ]

Clear 802.1X statistics.

reset dot1x statistics [ interface interface-type interface-number ]

802.1X authentication configuration examples

Example: Configuring basic 802.1X authentication

Network configuration

As shown in Figure 12, the access device performs 802.1X authentication for users that connect to Ten-GigabitEthernet 1/0/1. Implement MAC-based access control on the port, so the logoff of one user does not affect other online 802.1X users.

Use RADIUS servers to perform authentication, authorization, and accounting for the 802.1X users. If RADIUS authentication fails, perform local authentication on the access device.

Configure the RADIUS server at 10.1.1.1/24 as the primary authentication and accounting server, and the RADIUS server at 10.1.1.2/24 as the secondary authentication and accounting server. Assign all users to ISP domain bbb.

Set the shared key to name for packets between the access device and the authentication server. Set the shared key to money for packets between the access device and the accounting server. (These keys are placeholders for the example; use long, random shared keys in production.)

Figure 12 Network diagram

Procedure

For information about the RADIUS commands used on the access device in this example, see Security Command Reference.

1.     Configure the RADIUS servers and add user accounts for the 802.1X users. Make sure the RADIUS servers can provide authentication, authorization, and accounting services. (Details not shown.)

2.     Assign an IP address to each interface. (Details not shown.)

3.     Configure user accounts for the 802.1X users on the access device:

# Add a local network access user with username localuser and password localpass in plaintext. (Make sure the username and password are the same as those configured on the RADIUS servers.)

<Device> system-view

[Device] local-user localuser class network

[Device-luser-network-localuser] password simple localpass

# Set the service type to lan-access.

[Device-luser-network-localuser] service-type lan-access

[Device-luser-network-localuser] quit

4.     Configure a RADIUS scheme on the access device:

# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.

[Device] radius scheme radius1

# Specify the IP addresses of the primary authentication and accounting RADIUS servers.

[Device-radius-radius1] primary authentication 10.1.1.1

[Device-radius-radius1] primary accounting 10.1.1.1

# Configure the IP addresses of the secondary authentication and accounting RADIUS servers.

[Device-radius-radius1] secondary authentication 10.1.1.2

[Device-radius-radius1] secondary accounting 10.1.1.2

# Specify the shared key between the access device and the authentication server.

[Device-radius-radius1] key authentication simple name

# Specify the shared key between the access device and the accounting server.

[Device-radius-radius1] key accounting simple money

# Exclude the ISP domain names from the usernames sent to the RADIUS servers.

[Device-radius-radius1] user-name-format without-domain

[Device-radius-radius1] quit

 

 

NOTE:

The access device must use the same username format as the RADIUS server. If the RADIUS server includes the ISP domain name in the username, so must the access device.

 

5.     Configure an ISP domain on the access device:

# Create an ISP domain named bbb and enter ISP domain view.

[Device] domain bbb

# Apply RADIUS scheme radius1 to the ISP domain, and specify local authentication as the secondary authentication method.

[Device-isp-bbb] authentication lan-access radius-scheme radius1 local

[Device-isp-bbb] authorization lan-access radius-scheme radius1 local

[Device-isp-bbb] accounting lan-access radius-scheme radius1 local

[Device-isp-bbb] quit

6.     Configure 802.1X on the access device:

# Enable 802.1X on Ten-GigabitEthernet 1/0/1.

[Device] interface ten-gigabitethernet 1/0/1

[Device-Ten-GigabitEthernet1/0/1] dot1x

# Enable MAC-based access control on the port. By default, the port uses MAC-based access control.

[Device-Ten-GigabitEthernet1/0/1] dot1x port-method macbased

# Specify ISP domain bbb as the mandatory domain.

[Device-Ten-GigabitEthernet1/0/1] dot1x mandatory-domain bbb

[Device-Ten-GigabitEthernet1/0/1] quit

# Enable 802.1X globally.

[Device] dot1x

7.     Configure the 802.1X client. If an iNode client is used, do not select the Carry version info option in the client configuration. (Details not shown.)

Verifying the configuration

# Verify the 802.1X configuration on Ten-GigabitEthernet 1/0/1.

[Device] display dot1x interface ten-gigabitethernet 1/0/1

# Display the user connection information after an 802.1X user passes authentication.

[Device] display dot1x connection

Example: Configuring 802.1X guest VLAN and authorization VLAN

Network configuration

As shown in Figure 13, use RADIUS servers to perform authentication, authorization, and accounting for 802.1X users that connect to Ten-GigabitEthernet 1/0/2. Implement port-based access control on the port.

Configure VLAN 10 as the 802.1X guest VLAN on Ten-GigabitEthernet 1/0/2. The host and the update server are both in VLAN 10, and the host can access the update server and download the 802.1X client software.

After the host passes 802.1X authentication, the access device assigns the host to VLAN 5 where Ten-GigabitEthernet 1/0/3 is. The host can access the Internet.

Figure 13 Network diagram

Procedure

For information about the RADIUS commands used on the access device in this example, see Security Command Reference.

1.     Configure the RADIUS server to provide authentication, authorization, and accounting services. Configure user accounts and authorization VLAN (VLAN 5 in this example) for the users. (Details not shown.)

2.     Create VLANs, and assign ports to the VLANs on the access device.

 

 

NOTE:

By default, VLAN 1 exists and all ports belong to the VLAN. You do not need to create the VLAN or assign Ten-GigabitEthernet 1/0/2 to the VLAN.

 

<Device> system-view

[Device] vlan 10

[Device-vlan10] port ten-gigabitethernet 1/0/1

[Device-vlan10] quit

[Device] vlan 2

[Device-vlan2] port ten-gigabitethernet 1/0/4

[Device-vlan2] quit

[Device] vlan 5

[Device-vlan5] port ten-gigabitethernet 1/0/3

[Device-vlan5] quit

3.     Configure a RADIUS scheme on the access device:

# Create RADIUS scheme 2000 and enter RADIUS scheme view.

[Device] radius scheme 2000

# Specify the server at 10.11.1.1 as the primary authentication server, and set the authentication port to 1812.

[Device-radius-2000] primary authentication 10.11.1.1 1812

# Specify the server at 10.11.1.1 as the primary accounting server, and set the accounting port to 1813.

[Device-radius-2000] primary accounting 10.11.1.1 1813

# Set the shared key to abc in plain text for secure communication between the authentication server and the device.

[Device-radius-2000] key authentication simple abc

# Set the shared key to abc in plain text for secure communication between the accounting server and the device.

[Device-radius-2000] key accounting simple abc

# Exclude the ISP domain names from the usernames sent to the RADIUS server.

[Device-radius-2000] user-name-format without-domain

[Device-radius-2000] quit

4.     Configure an ISP domain on the access device:

# Create ISP domain bbb and enter ISP domain view.

[Device] domain bbb

# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.

[Device-isp-bbb] authentication lan-access radius-scheme 2000

[Device-isp-bbb] authorization lan-access radius-scheme 2000

[Device-isp-bbb] accounting lan-access radius-scheme 2000

[Device-isp-bbb] quit

5.     Configure 802.1X on the access device:

# Enable 802.1X on Ten-GigabitEthernet 1/0/2.

[Device] interface ten-gigabitethernet 1/0/2

[Device-Ten-GigabitEthernet1/0/2] dot1x

# Implement port-based access control on the port.

[Device-Ten-GigabitEthernet1/0/2] dot1x port-method portbased

# Set the port authorization mode to auto. By default, the port uses the auto mode.

[Device-Ten-GigabitEthernet1/0/2] dot1x port-control auto

# Specify VLAN 10 as the 802.1X guest VLAN on Ten-GigabitEthernet 1/0/2.

[Device-Ten-GigabitEthernet1/0/2] dot1x guest-vlan 10

[Device-Ten-GigabitEthernet1/0/2] quit

# Enable 802.1X globally.

[Device] dot1x

6.     Configure the 802.1X client. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or an authorization VLAN. (Details not shown.)

Verifying the configuration

# Verify the 802.1X guest VLAN configuration on Ten-GigabitEthernet 1/0/2.

[Device] display dot1x interface ten-gigabitethernet 1/0/2

# Verify that Ten-GigabitEthernet 1/0/2 is assigned to VLAN 10 before any user passes authentication on the port.

[Device] display vlan 10

# After a user passes authentication, display information on Ten-GigabitEthernet 1/0/2. Verify that Ten-GigabitEthernet 1/0/2 is assigned to VLAN 5.

[Device] display interface ten-gigabitethernet 1/0/2

Example: Configuring 802.1X with ACL assignment

Network configuration

As shown in Figure 14, the host that connects to Ten-GigabitEthernet 1/0/1 must pass 802.1X authentication to access the Internet.

Perform 802.1X authentication on Ten-GigabitEthernet 1/0/1. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server, and the RADIUS server at 10.1.1.2 as the accounting server.

Configure ACL assignment on Ten-GigabitEthernet 1/0/1 to deny access of 802.1X users to the FTP server from 8:00 to 18:00 on weekdays.

Figure 14 Network diagram

Procedure

For information about the RADIUS commands used on the access device in this example, see Security Command Reference.

1.     Configure the RADIUS servers to provide authentication, authorization, and accounting services. Add user accounts and specify the ACL (ACL 3000 in this example) for the users. (Details not shown.)

2.     Assign an IP address to each interface, as shown in Figure 14. (Details not shown.)

3.     Configure a RADIUS scheme on the access device:

# Create RADIUS scheme 2000 and enter RADIUS scheme view.

<Device> system-view

[Device] radius scheme 2000

# Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication port to 1812.

[Device-radius-2000] primary authentication 10.1.1.1 1812

# Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to 1813.

[Device-radius-2000] primary accounting 10.1.1.2 1813

# Set the shared key to abc in plain text for secure communication between the authentication server and the device.

[Device-radius-2000] key authentication simple abc

# Set the shared key to abc in plain text for secure communication between the accounting server and the device.

[Device-radius-2000] key accounting simple abc

# Exclude the ISP domain names from the usernames sent to the RADIUS server.

[Device-radius-2000] user-name-format without-domain

[Device-radius-2000] quit

4.     Configure an ISP domain on the access device:

# Create ISP domain bbb and enter ISP domain view.

[Device] domain bbb

# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.

[Device-isp-bbb] authentication lan-access radius-scheme 2000

[Device-isp-bbb] authorization lan-access radius-scheme 2000

[Device-isp-bbb] accounting lan-access radius-scheme 2000

[Device-isp-bbb] quit

5.     Configure a time range named ftp from 8:00 to 18:00 on weekdays on the access device.

[Device] time-range ftp 8:00 to 18:00 working-day

6.     Configure ACL 3000 to deny packets destined for the FTP server at 10.0.0.1 during the specified time range on the access device.

[Device] acl advanced 3000

[Device-acl-ipv4-adv-3000] rule 0 deny ip destination 10.0.0.1 0 time-range ftp

[Device-acl-ipv4-adv-3000] quit

7.     Configure 802.1X on the access device:

# Enable 802.1X on Ten-GigabitEthernet 1/0/1.

[Device] interface ten-gigabitethernet 1/0/1

[Device-Ten-GigabitEthernet1/0/1] dot1x

[Device-Ten-GigabitEthernet1/0/1] quit

# Enable 802.1X globally.

[Device] dot1x

8.     Configure the 802.1X client. Make sure the client is able to update its IP address after the access port is assigned to the 802.1X guest VLAN or an authorization VLAN. (Details not shown.)

Verifying the configuration

# Use the user account to pass authentication. (Details not shown.)

# Verify that the user cannot ping the FTP server at any time from 8:00 to 18:00 on any weekday.

C:\>ping 10.0.0.1

 

Pinging 10.0.0.1 with 32 bytes of data:

 

Request timed out.

Request timed out.

Request timed out.

Request timed out.

 

Ping statistics for 10.0.0.1:

    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The output shows that ACL 3000 is active on the user, and the user cannot access the FTP server.

Example: Configuring 802.1X guest VSI and authorization VSI

Network configuration

As shown in Figure 15:

·     The device acts as both a VXLAN VTEP and a network access device. It uses the RADIUS server to perform authentication, authorization, and accounting for 802.1X users that connect to Ten-GigabitEthernet 1/0/2.

·     Ten-GigabitEthernet 1/0/2 uses MAC-based access control and is configured with the 802.1X guest VSI. VXLAN 10 is created on the guest VSI. Users in the guest VSI can access the update server in VXLAN 10 and download the 802.1X client software.

·     The RADIUS server assigns an authorization VSI to the host. The VSI is associated with VXLAN 5 on the device. After passing authentication, the host can access the Internet.

Figure 15 Network diagram

 

Procedure

For information about the RADIUS commands used on the access device in this example, see Security Command Reference.

1.     Configure the RADIUS server to provide authentication, authorization, and accounting services. Configure user accounts and authorization VSI (VSI vpn5 in this example) for the users. (Details not shown.)

If an ADCAM server is used for authentication and authorization, configure VSIs on the server. The server will assign these VSIs to the device. You do not need to configure VSIs on the device.

2.     Enable L2VPN on the access device.

<Device> system-view

[Device] l2vpn enable

3.     Create VSIs and the corresponding VXLANs on the access device.

[Device] vsi vpn10

[Device-vsi-vpn10] vxlan 10

[Device-vsi-vpn10-vxlan-10] quit

[Device-vsi-vpn10] quit

[Device] vsi vpn5

[Device-vsi-vpn5] vxlan 5

[Device-vsi-vpn5-vxlan-5] quit

[Device-vsi-vpn5] quit

4.     Configure a RADIUS scheme on the access device:

# Create RADIUS scheme 2000 and enter RADIUS scheme view.

[Device] radius scheme 2000

# Specify the server at 10.11.1.1 as the primary authentication server, and set the authentication port to 1812.

[Device-radius-2000] primary authentication 10.11.1.1 1812

# Specify the server at 10.11.1.1 as the primary accounting server, and set the accounting port to 1813.

[Device-radius-2000] primary accounting 10.11.1.1 1813

# Set the shared key to abc in plain text for secure communication between the authentication server and the device.

[Device-radius-2000] key authentication simple abc

# Set the shared key to abc in plain text for secure communication between the accounting server and the device.

[Device-radius-2000] key accounting simple abc

# Exclude the ISP domain names from the usernames sent to the authentication and accounting servers.

[Device-radius-2000] user-name-format without-domain

[Device-radius-2000] quit

5.     Configure an ISP domain on the access device:

# Create ISP domain bbb and enter ISP domain view.

[Device] domain bbb

# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.

[Device-isp-bbb] authentication lan-access radius-scheme 2000

[Device-isp-bbb] authorization lan-access radius-scheme 2000

[Device-isp-bbb] accounting lan-access radius-scheme 2000

[Device-isp-bbb] quit

6.     Configure 802.1X on the access device:

# Enable 802.1X on Ten-GigabitEthernet 1/0/2.

[Device] interface ten-gigabitethernet 1/0/2

[Device-Ten-GigabitEthernet1/0/2] dot1x

# Set the port authorization mode to auto. By default, the port uses the auto mode.

[Device-Ten-GigabitEthernet1/0/2] dot1x port-control auto

# Enable MAC-based traffic matching for dynamic Ethernet service instances on Ten-GigabitEthernet 1/0/2.

[Device-Ten-GigabitEthernet1/0/2] mac-based ac

# Enable 802.1X unicast trigger on Ten-GigabitEthernet 1/0/2.

[Device-Ten-GigabitEthernet1/0/2] dot1x unicast-trigger

# Specify VSI vpn10 as the 802.1X guest VSI on Ten-GigabitEthernet 1/0/2.

[Device-Ten-GigabitEthernet1/0/2] dot1x guest-vsi vpn10

[Device-Ten-GigabitEthernet1/0/2] quit

# Enable 802.1X globally.

[Device] dot1x

7.     Configure the 802.1X client. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VSI or an authorization VSI. (Details not shown.)

Verifying the configuration

# Verify that Ten-GigabitEthernet 1/0/2 is assigned to VSI vpn10 if no responses are received from the client after 802.1X authentication is triggered.

[Device] display l2vpn forwarding ac verbose

# Verify that Ten-GigabitEthernet 1/0/2 is assigned to VSI vpn5 after a user passes authentication on the port.

[Device] display l2vpn forwarding ac verbose

Example: Configuring 802.1X with EAD assistant (with DHCP relay agent)

Network configuration

As shown in Figure 16:

·     The intranet 192.168.1.0/24 is attached to Ten-GigabitEthernet 1/0/1 of the access device.

·     The hosts use DHCP to obtain IP addresses.

·     A DHCP server and a Web server are deployed on the 192.168.2.0/24 subnet for users to obtain IP addresses and download client software.

Deploy an EAD solution for the intranet to meet the following requirements:

·     Allow unauthenticated users and users that have failed 802.1X authentication to access 192.168.2.0/24. The users can obtain IP addresses and download software.

·     If these users use a Web browser to access a network other than 192.168.2.0/24, redirect them to the Web server for 802.1X client downloading.

·     Allow authenticated 802.1X users to access the network.

Figure 16 Network diagram

Procedure

1.     Make sure the DHCP server, the Web server, and the authentication servers have been configured correctly. (Details not shown.)

2.     Configure an IP address for each interface. (Details not shown.)

3.     Configure DHCP relay:

# Enable DHCP.

<Device> system-view

[Device] dhcp enable

# Enable the DHCP relay agent on VLAN-interface 2.

[Device] interface vlan-interface 2

[Device-Vlan-interface2] dhcp select relay

# Specify the DHCP server 192.168.2.2 on the relay agent interface VLAN-interface 2.

[Device-Vlan-interface2] dhcp relay server-address 192.168.2.2

[Device-Vlan-interface2] quit

4.     Configure a RADIUS scheme:

# Create RADIUS scheme 2000 and enter RADIUS scheme view.

[Device] radius scheme 2000

# Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication port to 1812.

[Device-radius-2000] primary authentication 10.1.1.1 1812

# Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to 1813.

[Device-radius-2000] primary accounting 10.1.1.2 1813

# Set the shared key to abc in plain text for secure communication between the authentication server and the device.

[Device-radius-2000] key authentication simple abc

# Set the shared key to abc in plain text for secure communication between the accounting server and the device.

[Device-radius-2000] key accounting simple abc

# Exclude the ISP domain names from the usernames sent to the RADIUS server.

[Device-radius-2000] user-name-format without-domain

[Device-radius-2000] quit

5.     Configure an ISP domain:

# Create ISP domain bbb and enter ISP domain view.

[Device] domain bbb

# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.

[Device-isp-bbb] authentication lan-access radius-scheme 2000

[Device-isp-bbb] authorization lan-access radius-scheme 2000

[Device-isp-bbb] accounting lan-access radius-scheme 2000

[Device-isp-bbb] quit

6.     Configure 802.1X:

# Configure the free IP.

[Device] dot1x ead-assistant free-ip 192.168.2.0 24

# Configure the redirect URL for client software download.

[Device] dot1x ead-assistant url http://192.168.2.3

# Enable the EAD assistant feature.

[Device] dot1x ead-assistant enable

# Enable 802.1X on Ten-GigabitEthernet 1/0/1.

[Device] interface ten-gigabitethernet 1/0/1

[Device-Ten-GigabitEthernet1/0/1] dot1x

[Device-Ten-GigabitEthernet1/0/1] quit

# Enable 802.1X globally.

[Device] dot1x

Verifying the configuration

# Verify the 802.1X configuration.

[Device] display dot1x

# Verify that you can ping an IP address on the free IP subnet from a host.

C:\>ping 192.168.2.3

Pinging 192.168.2.3 with 32 bytes of data:

Reply from 192.168.2.3: bytes=32 time<1ms TTL=128

Reply from 192.168.2.3: bytes=32 time<1ms TTL=128

Reply from 192.168.2.3: bytes=32 time<1ms TTL=128

Reply from 192.168.2.3: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.2.3:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

The output shows that you can access the free IP subnet before passing 802.1X authentication.

# Verify that you are redirected to the Web server when you enter an IP address that is not on the free IP subnet in your Web browser. (Details not shown.)

Example: Configuring 802.1X with EAD assistant (with DHCP server)

Network configuration

As shown in Figure 17:

·     The intranet 192.168.1.0/24 is attached to Ten-GigabitEthernet 1/0/1 of the access device.

·     The hosts use DHCP to obtain IP addresses.

·     A Web server is deployed on the 192.168.2.0/24 subnet for users to download client software.

Deploy an EAD solution for the intranet to meet the following requirements:

·     Allow unauthenticated users and users that have failed 802.1X authentication to access 192.168.2.0/24. The users can download software.

·     If these users use a Web browser to access a network other than 192.168.2.0/24, redirect them to the Web server for 802.1X client downloading.

·     Allow authenticated 802.1X users to access the network.

Figure 17 Network diagram

Procedure

1.     Make sure the Web server and the authentication servers have been configured correctly. (Details not shown.)

2.     Configure an IP address for each interface. (Details not shown.)

3.     Configure the DHCP server:

# Enable DHCP.

<Device> system-view

[Device] dhcp enable

# Enable the DHCP server on VLAN-interface 2.

[Device] interface vlan-interface 2

[Device-Vlan-interface2] dhcp select server

[Device-Vlan-interface2] quit

# Create DHCP address pool 0.

[Device] dhcp server ip-pool 0

# Specify subnet 192.168.1.0/24 in DHCP address pool 0.

[Device-dhcp-pool-0] network 192.168.1.0 mask 255.255.255.0

# Specify the gateway address 192.168.1.1 in DHCP address pool 0.

[Device-dhcp-pool-0] gateway-list 192.168.1.1

[Device-dhcp-pool-0] quit

4.     Configure a RADIUS scheme:

# Create RADIUS scheme 2000 and enter RADIUS scheme view.

[Device] radius scheme 2000

# Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication port to 1812.

[Device-radius-2000] primary authentication 10.1.1.1 1812

# Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to 1813.

[Device-radius-2000] primary accounting 10.1.1.2 1813

# Set the shared key to abc in plain text for secure communication between the authentication server and the device.

[Device-radius-2000] key authentication simple abc

# Set the shared key to abc in plain text for secure communication between the accounting server and the device.

[Device-radius-2000] key accounting simple abc

# Exclude the ISP domain names from the usernames sent to the RADIUS server.

[Device-radius-2000] user-name-format without-domain

[Device-radius-2000] quit

5.     Configure an ISP domain:

# Create ISP domain bbb and enter ISP domain view.

[Device] domain bbb

# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.

[Device-isp-bbb] authentication lan-access radius-scheme 2000

[Device-isp-bbb] authorization lan-access radius-scheme 2000

[Device-isp-bbb] accounting lan-access radius-scheme 2000

[Device-isp-bbb] quit

6.     Configure 802.1X:

# Configure the free IP.

[Device] dot1x ead-assistant free-ip 192.168.2.0 24

# Configure the redirect URL for client software download.

[Device] dot1x ead-assistant url http://192.168.2.3

# Enable the EAD assistant feature.

[Device] dot1x ead-assistant enable

# Enable 802.1X on Ten-GigabitEthernet 1/0/1.

[Device] interface ten-gigabitethernet 1/0/1

[Device-Ten-GigabitEthernet1/0/1] dot1x

[Device-Ten-GigabitEthernet1/0/1] quit

# Enable 802.1X globally.

[Device] dot1x

Verifying the configuration

# Verify the 802.1X configuration.

[Device] display dot1x

# Verify that you can ping an IP address on the free IP subnet from a host.

C:\>ping 192.168.2.3

Pinging 192.168.2.3 with 32 bytes of data:

Reply from 192.168.2.3: bytes=32 time<1ms TTL=128

Reply from 192.168.2.3: bytes=32 time<1ms TTL=128

Reply from 192.168.2.3: bytes=32 time<1ms TTL=128

Reply from 192.168.2.3: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.2.3:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

The output shows that you can access the free IP subnet before passing 802.1X authentication.

# Verify that you are redirected to the Web server when you enter an IP address that is not on the free IP subnet in your Web browser. (Details not shown.)

Troubleshooting 802.1X

EAD assistant URL redirection failure

Symptom

Unauthenticated users are not redirected to the specified redirect URL after they enter external website addresses in their Web browsers.

Analysis

Redirection will not happen for one of the following reasons:

·     The address is entered as a hostname string rather than an IP address. The operating system of the host treats the string as a website name and tries to resolve it. If the resolution fails, the operating system sends an ARP request, but the target address is not in dotted decimal notation. The redirection feature does not redirect this kind of ARP request.

·     The address is within a free IP segment. No redirection will take place, even if no host is present with the address.

·     The redirect URL is not in a free IP segment.

·     No server is reachable at the redirect URL, or the server at that address does not provide Web services.

Solution

To resolve the issue:

1.     Enter a dotted decimal IP address that is not in any free IP segment.

2.     Verify that the access device and the server are configured correctly.

3.     If the issue persists, contact H3C Support.
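The redirection rules in the analysis above, together with the free IP and redirect URL from step 6 of the configuration examples, can be checked offline before a user reports the symptom. The following Python script is an added example, not part of this guide or of the switch software; the function names, the free IP list and the sample destinations are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed from the configuration example (step 6):
#   dot1x ead-assistant free-ip 192.168.2.0 24
#   dot1x ead-assistant url http://192.168.2.3
FREE_IP_SEGMENTS = [ipaddress.ip_network("192.168.2.0/24")]
REDIRECT_URL = "http://192.168.2.3"


def check_redirect_url(url, free_ip_segments):
    """Return a list of problems with the redirect URL (empty if it is usable).

    Unauthenticated users can only reach the free IP segments, so the host
    in the redirect URL must be a dotted decimal address inside one of them.
    """
    problems = []
    host = urlsplit(url).hostname
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        problems.append(f"redirect URL host {host!r} is not a dotted decimal IP address")
        return problems
    if not any(addr in seg for seg in free_ip_segments):
        problems.append(f"redirect URL host {addr} is not in any free IP segment")
    return problems


def will_redirect(destination, free_ip_segments):
    """Decide whether an unauthenticated user's Web request gets redirected.

    Mirrors the troubleshooting rules: only a dotted decimal destination that
    lies outside every free IP segment is redirected. A hostname string is
    resolved (or ARPed) by the host itself and is never redirected, and a
    free IP destination is passed through even if no host answers there.
    """
    try:
        addr = ipaddress.ip_address(destination)
    except ValueError:
        return False, "destination is a hostname string, not a dotted decimal address"
    if any(addr in seg for seg in free_ip_segments):
        return False, "destination is inside a free IP segment"
    return True, "destination is a dotted decimal address outside the free IP segments"


if __name__ == "__main__":
    print("redirect URL problems:", check_redirect_url(REDIRECT_URL, FREE_IP_SEGMENTS))
    for dest in ("192.168.2.3", "203.0.113.10", "www.example.com"):  # constructed samples
        print(dest, "->", will_redirect(dest, FREE_IP_SEGMENTS))
```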