09-Port Security and AAA Configuration Examples
Introduction
In network environments, administrators typically assign static IP addresses to dumb terminals such as printers. To authenticate such users more flexibly, you can configure them as static users. After you configure a static user, the device can use the IP address or other information of the static user as the username for authentication, as long as any one of 802.1X authentication, MAC address authentication, or Web authentication is enabled on the interface connected to the static user.
If all RADIUS servers in the authentication scheme are unavailable during the user authentication process, the device will not receive any response to the RADIUS authentication request packets. In this case, users cannot come online. To resolve this issue, you can specify a critical domain for the authentication domain. The critical domain will accommodate users in the authentication domain when no RADIUS servers are available to authenticate the users in the authentication domain. Users in the critical domain can access limited network resources.
Prerequisites
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of port security and AAA authentication domain features.
Example: Configuring fail-permit and recovery for port security static users
Network configuration
As shown in Figure 1, hosts in certain network segments use static IP addresses and are authenticated as static users to come online. The hosts must still be able to access some network resources when the RADIUS server is unreachable.
Configure the devices to meet the following requirements:
· Only users whose IP addresses are within the range of 192.168.2.29 to 192.168.2.49 can trigger authentication as static users.
· When the RADIUS server is available, Host A is assigned to VLAN 100 after it passes static user authentication.
· When the RADIUS server becomes unavailable, Host A stays online. However, Host B is assigned to the critical domain of the authentication domain after it triggers authentication as a static user. In the critical domain, Host B is assigned to VLAN 200 and accounting is not performed for Host B.
· After the RADIUS server becomes available, Host B can trigger authentication again as a static user and can come online successfully.
Analysis
· For the device to perform RADIUS-based authentication for users, you must create and configure a RADIUS scheme and authentication domain, and apply the RADIUS scheme to the authentication domain.
· To move users that request to come online in the authentication domain to a critical domain when the RADIUS server is unavailable, you must create and specify the critical domain for the authentication domain and configure the fail-permit and recovery feature in the authentication domain.
· To identify static users, you can configure the static users to use their IP addresses as usernames when they come online. To ensure that the unknown source packets that include the IP addresses of the static users can trigger authentication, you can enable 802.1X authentication on the port connected to the static users.
Applicable hardware and software versions
Table 1 Applicable hardware and software versions
Product | Software version |
---|---|
S12500G-AF switch series | Release 7639P01 and higher |
S10500X switch series | Release 7639P01 and higher |
S10500 switch series | Release 7639P01 and higher |
S7500E-X switch series | Release 7639P01 and higher |
S7500E switch series | Release 7639P01 and higher |
S7500X switch series | Release 7639P01 and higher |
Restrictions and guidelines
· The device cannot control which packet a host sends first. If the first packet from a host does not carry an IP address and the port connected to the static user is also configured with other authentication methods (such as MAC authentication), that packet might trigger one of those authentication processes before static user authentication.
· As a best practice, enable 802.1X unicast trigger on the port connected to the static users if 802.1X is enabled on that port and some static users cannot actively send authentication packets.
Prerequisites
On the RADIUS server, create static users, configure authentication settings, and specify VLAN 100 for authenticated static users.
Procedures
Configuring the device
Creating VLANs and configuring IP addresses for VLAN interfaces
Details not shown.
Configuring AAA
1. Configure the RADIUS scheme.
# Create a RADIUS scheme. In the RADIUS scheme, specify the primary authentication and accounting servers and their shared keys, and exclude the domain name from the usernames sent to the RADIUS server.
<Device> system
[Device] radius scheme radius1
[Device-radius-radius1] primary authentication 192.168.56.10
[Device-radius-radius1] primary accounting 192.168.56.10
[Device-radius-radius1] key authentication simple 123456
[Device-radius-radius1] key accounting simple 123456
[Device-radius-radius1] user-name-format without-domain
[Device-radius-radius1] quit
2. Configure the authentication domain.
# Create ISP domain bbb and configure LAN users to use RADIUS scheme radius1 for authentication, authorization, and accounting.
[Device] domain bbb
[Device-isp-bbb] authentication lan-access radius-scheme radius1
[Device-isp-bbb] authorization lan-access radius-scheme radius1
[Device-isp-bbb] accounting lan-access radius-scheme radius1
[Device-isp-bbb] quit
3. Configure the critical domain.
# Create ISP domain critical, assign authorization VLAN 200 to users added to that domain, and configure the domain not to perform accounting for LAN users.
[Device] domain critical
[Device-isp-critical] authorization-attribute vlan 200
[Device-isp-critical] accounting lan-access none
[Device-isp-critical] quit
4. Configure AAA fail-permit and recovery:
# Specify the critical domain for domain bbb and enable reauthentication of fail-permit users when the server connection recovers.
[Device] domain bbb
[Device-isp-bbb] authen-radius-unavailable online domain critical
[Device-isp-bbb] authen-radius-recover re-authen
[Device-isp-bbb] quit
Configuring port security static users
# Configure a static user range for port access authentication, and specify ISP domain bbb as the authentication domain for static users.
[Device] port-security static-user ip 192.168.2.29 192.168.2.49 domain bbb
# Configure static users to use their IP addresses as usernames when they come online, and set the password used for static user authentication to 123456 in plaintext form.
[Device] port-security static-user user-name-format ip-address
[Device] port-security static-user password simple 123456
Enabling an authentication method (for example, 802.1X)
# Enable 802.1X authentication on port GigabitEthernet 1/0/1.
[Device] interface GigabitEthernet1/0/1
[Device-GigabitEthernet1/0/1] dot1x
# Enable 802.1X unicast trigger.
[Device-GigabitEthernet1/0/1] dot1x unicast-trigger
[Device-GigabitEthernet1/0/1] quit
# Enable the 802.1X feature globally.
[Device] dot1x
Configuring routing
[Device] ip route-static 192.168.56.0 24 192.168.56.20
Verifying the configuration
Verifying the configuration when the RADIUS server is available
# Both Host A and Host C initiate authentication when the RADIUS server is available. Verify that Host A can pass static user authentication successfully to come online and the RADIUS server assigns VLAN 100 to Host A. Verify that Host C cannot pass static user authentication to come online.
<Device> display port-security static-user connection
Total connections: 1
Slot ID: 1
User MAC address: 9c7b-ef28-cd89
Access interface: GigabitEthernet1/0/1
Username: 192.168.2.49
User access state: Successful
Authentication domain: bbb
IPv4 address: 192.168.2.49
IPv4 address source: User packet
Initial VLAN: 2
Authorization untagged VLAN: 100
Authorization tagged VLAN: N/A
Authorization VSI: N/A
Authorization microsegment ID: N/A
Authorization ACL number/name: N/A
Authorization dynamic ACL name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Authorization IPv6 URL: N/A
Authorization temporary redirect: Disabled
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: N/A
Offline detection: 300 sec (command-configured)
Online from: 2023/02/11 08:43:37
Online duration: 0h 4m 8s
Port-down keep online: Disabled (offline)
Verifying the configuration when the RADIUS server is unavailable
# Host B initiates authentication when the RADIUS server is unavailable. Verify that Host A stays online and Host B is assigned to ISP domain critical and is assigned VLAN 200.
<Device> display port-security static-user connection
Total connections: 2
Slot ID: 1
User MAC address: 9c7b-ef28-cd89
Access interface: GigabitEthernet1/0/1
Username: 192.168.2.49
User access state: Successful
Authentication domain: bbb
IPv4 address: 192.168.2.49
IPv4 address source: User packet
Initial VLAN: 2
Authorization untagged VLAN: 100
Authorization tagged VLAN: N/A
Authorization VSI: N/A
Authorization microsegment ID: N/A
Authorization ACL number/name: N/A
Authorization dynamic ACL name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Authorization IPv6 URL: N/A
Authorization temporary redirect: Disabled
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: N/A
Offline detection: 300 sec (command-configured)
Online from: 2023/02/11 08:44:37
Online duration: 0h 5m 8s
Port-down keep online: Disabled (offline)
Slot ID: 1
User MAC address: ecb1-d73d-be70
Access interface: GigabitEthernet1/0/1
Username: 192.168.2.29
User access state: critical domain
Authentication domain: bbb
IPv4 address: 192.168.2.29
IPv4 address source: User packet
Initial VLAN: 2
Authorization untagged VLAN: 200
Authorization tagged VLAN: N/A
Authorization VSI: N/A
Authorization microsegment ID: N/A
Authorization ACL number/name: N/A
Authorization dynamic ACL name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Authorization IPv6 URL: N/A
Authorization temporary redirect: Disabled
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: N/A
Offline detection: 300 sec (command-configured)
Online from: 2023/02/11 10:59:05
Online duration: 0h 0m 58s
Port-down keep online: Disabled (offline)
Verifying the configuration when the RADIUS server becomes available from unavailable
# When the RADIUS server becomes available, verify that Host B can trigger authentication again and successfully pass authentication to come online.
<Device> display port-security static-user connection
Total connections: 2
Slot ID: 1
User MAC address: 9c7b-ef28-cd89
Access interface: GigabitEthernet1/0/1
Username: 192.168.2.49
User access state: Successful
Authentication domain: bbb
IPv4 address: 192.168.2.49
IPv4 address source: User packet
Initial VLAN: 2
Authorization untagged VLAN: 100
Authorization tagged VLAN: N/A
Authorization VSI: N/A
Authorization microsegment ID: N/A
Authorization ACL number/name: N/A
Authorization dynamic ACL name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Authorization IPv6 URL: N/A
Authorization temporary redirect: Disabled
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: N/A
Offline detection: 300 sec (command-configured)
Online from: 2023/02/11 08:44:37
Online duration: 0h 5m 8s
Port-down keep online: Disabled (offline)
Slot ID: 1
User MAC address: ecb1-d73d-be70
Access interface: GigabitEthernet1/0/1
Username: 192.168.2.29
User access state: Successful
Authentication domain: bbb
IPv4 address: 192.168.2.29
IPv4 address source: User packet
Initial VLAN: 2
Authorization untagged VLAN: 100
Authorization tagged VLAN: N/A
Authorization VSI: N/A
Authorization microsegment ID: N/A
Authorization ACL number/name: N/A
Authorization dynamic ACL name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Authorization IPv6 URL: N/A
Authorization temporary redirect: Disabled
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: N/A
Offline detection: 300 sec (command-configured)
Online from: 2023/02/11 08:44:37
Online duration: 0h 5m 8s
Port-down keep online: Disabled (offline)
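The three displays above are what an operator reads to tell a normally authenticated session from a fail-permit one. The following is an added example, not H3C code: a Python parser for display port-security static-user connection output that lists the sessions that came online through the critical domain and flags any whose authorization VLAN differs from the VLAN the critical domain is supposed to assign. The sample output embedded in it is constructed from the fields shown above, trimmed to what the check reads; the function names are this example's own.

```python
"""Flag fail-permit (critical domain) sessions in 'display port-security
static-user connection' output. Added example; not H3C code."""
import re
from typing import Dict, List

# Constructed sample: the two-session output shown on this page, trimmed to
# the fields this check reads.
SAMPLE_OUTPUT = """\
Total connections: 2
Slot ID: 1
User MAC address: 9c7b-ef28-cd89
Access interface: GigabitEthernet1/0/1
Username: 192.168.2.49
User access state: Successful
Authentication domain: bbb
IPv4 address: 192.168.2.49
Authorization untagged VLAN: 100
Start accounting: Successful
Online from: 2023/02/11 08:44:37
Slot ID: 1
User MAC address: ecb1-d73d-be70
Access interface: GigabitEthernet1/0/1
Username: 192.168.2.29
User access state: critical domain
Authentication domain: bbb
IPv4 address: 192.168.2.29
Authorization untagged VLAN: 200
Start accounting: Successful
Online from: 2023/02/11 10:59:05
"""

Session = Dict[str, str]


def parse_connections(text: str) -> List[Session]:
    """Return one dict of field -> value per session. A session block starts
    at 'Slot ID'; the 'Total connections' header line is skipped."""
    sessions: List[Session] = []
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Slot ID":
            sessions.append({})
        elif not sessions:
            continue  # header line before the first session block
        sessions[-1][key] = value
    return sessions


def header_count(text: str) -> int:
    """The session count the device printed, or -1 if the header is missing."""
    m = re.search(r"^Total connections:\s*(\d+)", text, re.M)
    return int(m.group(1)) if m else -1


def fail_permit_report(text: str, critical_vlan: str) -> dict:
    """Summarise which sessions came online through the critical domain.

    critical_vlan is the VLAN the critical domain authorizes (200 on this page).
    'mismatched' lists critical-domain sessions sitting in a different VLAN,
    which means the critical domain is not assigning the VLAN you expect.
    """
    sessions = parse_connections(text)
    critical: List[str] = []
    mismatched: List[str] = []
    for s in sessions:
        # The critical-domain session still shows 'Authentication domain: bbb';
        # only 'User access state' reveals the fail-permit condition.
        if "critical" not in s.get("User access state", "").lower():
            continue
        user = s.get("Username", "?")
        critical.append(user)
        if s.get("Authorization untagged VLAN") != critical_vlan:
            mismatched.append(user)
    return {
        "total": len(sessions),
        "critical": critical,
        "mismatched": mismatched,
        "count_ok": header_count(text) == len(sessions),
    }


if __name__ == "__main__":
    report = fail_permit_report(SAMPLE_OUTPUT, critical_vlan="200")
    print(f"{report['total']} sessions, {len(report['critical'])} in the critical domain")
    for user in report["critical"]:
        print(f"  fail-permit session for {user}: RADIUS was unavailable, re-check after recovery")
```

The check keys on User access state rather than Authentication domain because, as the second display above shows, a session placed in the critical domain still reports its original authentication domain (bbb). Paste the full device output into the function unchanged; the parser ignores fields it does not need.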
Configuration files
#
dot1x
#
port-security static-user password cipher $c$3$ozaGPAIK8wBDwF9rXSdkBqk10lXJBbrdpg==
port-security static-user user-name-format ip-address
port-security static-user ip 192.168.2.29 192.168.2.49 domain bbb
#
vlan 2
#
interface Vlan-interface1
ip address 192.168.56.20 255.255.255.0
#
interface Vlan-interface2
ip address 192.168.2.220 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode bridge
port access vlan 2
dot1x
dot1x unicast-trigger
#
ip route-static 192.168.56.0 24 192.168.56.20
#
radius scheme radius1
primary authentication 192.168.56.10
primary accounting 192.168.56.10
key authentication cipher $c$3$ZR6Jz13mrYRSvW91VRUZVtuTIBsyK6Le8A==
key accounting cipher $c$3$qAgtx0xzADC9RFRI7nQ6LbGoYefOwmFtjg==
user-name-format without-domain
#
domain bbb
authen-radius-unavailable online domain critical
authen-radius-recover re-authen
authentication lan-access radius-scheme radius1
authorization lan-access radius-scheme radius1
accounting lan-access radius-scheme radius1
#
domain critical
authorization-attribute vlan 200
accounting lan-access none
#
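An added example, not H3C code: a Python audit of a configuration file like the one above that checks the fail-permit chain end to end. For every port-security static-user range it verifies that the referenced domain exists, that the domain names a critical domain and enables re-authentication on recovery, that the critical domain exists with an authorization VLAN and accounting disabled, and that the RADIUS scheme the domain references exists. GOOD_CONFIG is the page's configuration trimmed to the relevant sections; WEAK_CONFIG is the same text with the re-authentication and accounting lines removed so the audit has something to report. Function names and finding messages are this example's own.

```python
"""Audit the fail-permit configuration chain in a Comware-style config file.
Added example; not H3C code."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: the configuration file from this page, trimmed to the
# sections the audit reads.
GOOD_CONFIG = """\
#
port-security static-user user-name-format ip-address
port-security static-user ip 192.168.2.29 192.168.2.49 domain bbb
#
radius scheme radius1
 primary authentication 192.168.56.10
 user-name-format without-domain
#
domain bbb
 authen-radius-unavailable online domain critical
 authen-radius-recover re-authen
 authentication lan-access radius-scheme radius1
 authorization lan-access radius-scheme radius1
 accounting lan-access radius-scheme radius1
#
domain critical
 authorization-attribute vlan 200
 accounting lan-access none
#
"""

# Same configuration with the recovery and accounting lines removed.
WEAK_CONFIG = (GOOD_CONFIG
               .replace(" authen-radius-recover re-authen\n", "")
               .replace(" accounting lan-access none\n", ""))


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Map each column-0 line ('domain bbb', 'radius scheme radius1', ...) to
    its indented body lines. '#' lines separate blocks."""
    sections: Dict[str, List[str]] = {}
    header: Optional[str] = None
    for line in text.splitlines():
        if line.strip() == "#":
            header = None
        elif line.startswith((" ", "\t")):
            if header is not None:
                sections[header].append(line.strip())
        else:
            header = line.strip()
            sections.setdefault(header, [])
    return sections


def _first(body: List[str], prefix: str) -> Optional[str]:
    return next((line for line in body if line.startswith(prefix)), None)


def audit_fail_permit(text: str) -> List[str]:
    """Return a list of findings; an empty list means the chain is complete."""
    findings: List[str] = []
    sections = parse_sections(text)
    ranges = re.findall(
        r"^port-security static-user ip (\S+) (\S+) domain (\S+)", text, re.M)
    if not ranges:
        findings.append("no port-security static-user range configured")
    for start, end, dom in ranges:
        if ipaddress.ip_address(start) > ipaddress.ip_address(end):
            findings.append(f"static-user range {start}-{end} is inverted")
        body = sections.get(f"domain {dom}")
        if body is None:
            findings.append(f"domain {dom} (static-user range {start}-{end}) does not exist")
            continue
        scheme = _first(body, "authentication lan-access radius-scheme ")
        if scheme and f"radius scheme {scheme.split()[-1]}" not in sections:
            findings.append(f"domain {dom}: RADIUS scheme {scheme.split()[-1]} does not exist")
        unavailable = _first(body, "authen-radius-unavailable online domain ")
        if unavailable is None:
            findings.append(f"domain {dom}: no critical domain; static users cannot come online while RADIUS is down")
            continue
        if _first(body, "authen-radius-recover re-authen") is None:
            findings.append(f"domain {dom}: authen-radius-recover re-authen missing; fail-permit users are not reauthenticated when RADIUS recovers")
        crit = unavailable.split()[-1]
        crit_body = sections.get(f"domain {crit}")
        if crit_body is None:
            findings.append(f"domain {dom}: critical domain {crit} does not exist")
            continue
        if _first(crit_body, "authorization-attribute vlan ") is None:
            findings.append(f"critical domain {crit}: no authorization VLAN; fail-permit users are not confined to a restricted VLAN")
        if _first(crit_body, "accounting lan-access none") is None:
            findings.append(f"critical domain {crit}: accounting lan-access none missing; this design expects no accounting for fail-permit users")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{name}: {audit_fail_permit(cfg) or ['ok']}")
```

Run it against the output of display current-configuration before and after a change to the authentication domain: the fail-permit path is only exercised when the RADIUS server is already down, so a missing critical domain or a missing re-authentication setting is otherwise noticed at the worst possible moment.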