H3C MSR1000[2600][3600] Routers Configuration Examples All-in-One-R9141-6W100

02-RADIUS-Based 802.1X Authentication Configuration Examples

H3C Routers

RADIUS-Based 802.1X Authentication Configuration Examples


Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides an example for configuring RADIUS-based 802.1X authentication.

Prerequisites

The following information applies to Comware 9-based routers. Procedures and information in the examples might be slightly different depending on the software or hardware version of the routers.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of AAA and 802.1X.

Example: Configuring RADIUS-based 802.1X authentication

Network configuration

As shown in Figure 1, the router works together with the RADIUS server to perform 802.1X authentication for users connected to GigabitEthernet 0/0/1. Configure the network to meet the following requirements:

·     Configure the router to exclude the domain names from the usernames sent to the RADIUS server.

·     Set the username to localuser.

·     Use the IMC server as the RADIUS server to perform authentication and accounting for users, and configure local authentication as the secondary authentication method when RADIUS authentication fails.

·     Implement port-based access and specify mandatory 802.1X authentication domain bbb on the port.

Figure 1 Network diagram

Software versions used

This configuration example was created and verified on R9141P16 of the MSR2630E-X1 device.

Restrictions and guidelines

When you configure RADIUS-based 802.1X authentication, follow these restrictions and guidelines:

·     This example can be implemented only on devices installed with Layer 2 switching cards and having fixed Layer 2 interfaces. The 802.1X port in this example, GigabitEthernet 0/0/1, operates in bridge (Layer 2) mode.

·     Make sure the parameters (such as shared keys, authentication ports, and accounting ports) configured on the router and the RADIUS server are the same.

Procedures

Configuring the RADIUS server

Add an access device

1.     Log in to IMC and click the User tab.

2.     From the navigation pane, select User Access Policy > Access Device Management > Access Device.

3.     Click Add.

4.     On the page that opens, configure the following parameters:

-     Set the authentication port and accounting port to 1812 and 1813, respectively.

-     Select H3C (General) from the Access Device Type list.

-     Set the shared key to name for secure communication with the device and confirm the shared key.

-     Select an access device from the device list or manually add an access device. In this example, the device IP address is 192.168.100.2.

-     Use the default settings for other parameters, and then click OK.

Figure 2 Adding an access device


Adding an access service

1.     Click the User tab.

2.     From the navigation pane, select User Access Policy > Access Service.

3.     Click Add.

4.     On the page that opens, configure the following parameters:

-     Enter access service name dot1x auth.

-     Use the default settings for other parameters, and then click OK.

Figure 3 Adding an access service


Adding an access user

1.     Click the User tab.

2.     From the navigation pane, select Access User > All Access Users.

3.     Click Add.

The Add Access User page opens.

4.     In the Access Information area, click the Add User button for the User Name field.

5.     On the page that opens, configure the following parameters:

-     Enter test in the User Name field.

-     Enter account name localuser and set the password to localpass.

-     Select dot1x auth in the Access Service area.

-     Click OK.

Figure 4 Adding an access user


Configure the router

# Enter system view. Create VLAN-interface 1, and assign an IP address to it.

<Router> system-view

[Router] interface vlan-interface 1

[Router-Vlan-interface1] ip address 192.168.200.1 255.255.255.0

[Router-Vlan-interface1] quit

# Configure an IP address for GigabitEthernet 0/0/2.

[Router] interface gigabitethernet 0/0/2

[Router-GigabitEthernet0/0/2] ip address 192.168.100.2 255.255.255.0

[Router-GigabitEthernet0/0/2] quit

# Create a network access user named localuser and set the password to localpass in plaintext form.

[Router] local-user localuser class network

[Router-luser-network-localuser] password simple localpass

# Set the service type to lan-access.

[Router-luser-network-localuser] service-type lan-access

[Router-luser-network-localuser] quit

# Create a RADIUS scheme named radius1 and enter its view.

[Router] radius scheme radius1

# Configure the primary authentication server. Set its IP address to 192.168.100.250, port number to 1812, and shared key to name.

[Router-radius-radius1] primary authentication 192.168.100.250 1812 key simple name

# Configure the primary accounting server. Set its IP address to 192.168.100.250, port number to 1813, and shared key to name.

[Router-radius-radius1] primary accounting 192.168.100.250 1813 key simple name

# Exclude the domain names from the usernames sent to the RADIUS server.

[Router-radius-radius1] user-name-format without-domain

[Router-radius-radius1] quit

# Create an ISP domain named bbb and configure the authentication, authorization, and accounting methods for LAN access users: RADIUS scheme radius1 first, with local authentication as the backup method.

[Router] domain bbb

[Router-isp-bbb] authentication lan-access radius-scheme radius1 local

[Router-isp-bbb] authorization lan-access radius-scheme radius1 local

[Router-isp-bbb] accounting lan-access radius-scheme radius1 local

[Router-isp-bbb] quit

# Enable 802.1X on GigabitEthernet 0/0/1.

[Router] interface gigabitethernet 0/0/1

[Router-GigabitEthernet0/0/1] dot1x

# Enable port-based access control and specify mandatory 802.1X authentication domain bbb on the port. By default, the port uses MAC-based access control.

[Router-GigabitEthernet0/0/1] dot1x port-method portbased

[Router-GigabitEthernet0/0/1] dot1x mandatory-domain bbb

[Router-GigabitEthernet0/0/1] quit

# Enable 802.1X globally.

[Router] dot1x
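The guideline above, that the shared key and the authentication and accounting ports must be identical on the router and on the RADIUS server, is easy to get wrong when both sides are typed by hand. The following Python script is an added illustration for this example; it is not part of H3C's documentation or software. It parses the router commands from this example (embedded as a constructed sample, with the shared key in its plaintext key simple form), compares them with the values entered on the IMC Add Access Device page (also constructed here), and reports every mismatch. It also reads the AAA method order of domain bbb and shows which username the scheme sends once user-name-format without-domain is in effect. The 1812/1813 ports used when a command omits the port number, and the single-delimiter domain stripping, are assumptions of this script, not statements from the page.

```python
"""Cross-check the router's RADIUS scheme and ISP domain against the IMC
access-device record. Added illustration for this example; not H3C tooling."""
import re

# Constructed sample: the router commands from the procedure above, written
# in plaintext-key ('key simple') form so the shared key can be compared.
ROUTER_CONFIG = """\
interface GigabitEthernet0/0/2
 ip address 192.168.100.2 255.255.255.0
radius scheme radius1
 primary authentication 192.168.100.250 1812 key simple name
 primary accounting 192.168.100.250 1813 key simple name
 user-name-format without-domain
domain bbb
 authentication lan-access radius-scheme radius1 local
 authorization lan-access radius-scheme radius1 local
 accounting lan-access radius-scheme radius1 local
"""

# Constructed sample: the values entered on the IMC "Add Access Device" page.
IMC_ACCESS_DEVICE = {"device_ip": "192.168.100.2", "auth_port": 1812,
                     "acct_port": 1813, "shared_key": "name"}
IMC_SERVER_IP = "192.168.100.250"
# Ports used when the command omits them (assumed Comware defaults).
DEFAULT_PORTS = {"authentication": 1812, "accounting": 1813}
SERVER_RE = re.compile(r"^primary (authentication|accounting) (\S+)(?: (\d+))?"
                       r"(?: key (simple|cipher) (\S+))?")


def parse_sections(text):
    """Group indented lines under their unindented view header."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def radius_servers(sections, scheme):
    """Return {'authentication': {...}, 'accounting': {...}} for one scheme."""
    servers = {}
    for line in sections.get(f"radius scheme {scheme}", []):
        m = SERVER_RE.match(line)
        if m:
            kind, ip, port, key_type, key = m.groups()
            servers[kind] = {"ip": ip, "key_type": key_type, "key": key,
                             "port": int(port) if port else DEFAULT_PORTS[kind]}
    return servers


def interface_addresses(sections):
    """All IPv4 addresses configured in interface views."""
    return {m.group(1) for header, lines in sections.items() if header.startswith("interface ")
            for m in (re.match(r"ip address (\S+) \S+", l) for l in lines) if m}


def method_list(sections, domain, kind, service="lan-access"):
    """Ordered AAA methods, e.g. ['radius-scheme radius1', 'local']."""
    prefix = f"{kind} {service} "
    for line in sections.get(f"domain {domain}", []):
        if line.startswith(prefix):
            tokens, methods = line[len(prefix):].split(), []
            while tokens:
                tok = tokens.pop(0)  # '<x>-scheme' is followed by the scheme name
                methods.append(f"{tok} {tokens.pop(0)}" if tok.endswith("-scheme") else tok)
            return methods
    return []


def radius_username(login_name, sections, scheme="radius1", delimiter="@"):
    """Username as sent to RADIUS: the '@domain' part is stripped only when
    the scheme has 'user-name-format without-domain' (single delimiter assumed)."""
    strip = "user-name-format without-domain" in sections.get(f"radius scheme {scheme}", [])
    return login_name.rsplit(delimiter, 1)[0] if strip else login_name


def check_against_imc(config_text, imc_device, imc_server_ip, scheme="radius1"):
    """Return a list of mismatches; an empty list means the two sides agree."""
    sections = parse_sections(config_text)
    servers = radius_servers(sections, scheme)
    findings = []
    for kind, port_key in (("authentication", "auth_port"), ("accounting", "acct_port")):
        srv = servers.get(kind)
        if srv is None:
            findings.append(f"scheme {scheme}: no primary {kind} server")
        elif srv["ip"] != imc_server_ip:
            findings.append(f"{kind} server {srv['ip']} is not IMC ({imc_server_ip})")
        else:
            if srv["port"] != imc_device[port_key]:
                findings.append(f"{kind} port {srv['port']} != IMC port {imc_device[port_key]}")
            if srv["key_type"] != "simple":
                findings.append(f"{kind} key is ciphertext in this config; compare it by hand")
            elif srv["key"] != imc_device["shared_key"]:
                findings.append(f"{kind} shared key differs from the IMC shared key")
    # IMC matches the NAS by its source IP, which must be an address the router owns.
    if imc_device["device_ip"] not in interface_addresses(sections):
        findings.append(f"IMC access-device IP {imc_device['device_ip']} is not on the router")
    return findings
```

Running check_against_imc(ROUTER_CONFIG, IMC_ACCESS_DEVICE, IMC_SERVER_IP) on the sample returns an empty list; changing the IMC accounting port or shared key produces one finding per disagreeing parameter. When the saved configuration file (with key cipher) is fed in instead, the script can only confirm the server addresses and ports and reports that the keys must be compared by hand, because the ciphertext is not reversible outside the router.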

Verifying the configuration

# Use the display dot1x interface command to view 802.1X information on GigabitEthernet 0/0/1.

[Router] display dot1x interface gigabitethernet 0/0/1

Global 802.1X parameters:

   802.1X authentication      : Enabled

   CHAP authentication        : Enabled

   Max-tx period              : 30 s

   Handshake period           : 15 s

   Quiet timer                : Disabled

       Quiet period           : 60 s

   Supp timeout               : 30 s

   Server timeout             : 100 s

   Reauth period              : 3600 s

   Max auth requests          : 2

   SmartOn supp timeout       : 30 s

   SmartOn retry counts       : 3

   EAD assistant function     : Disabled

       EAD timeout            : 30 min

   Domain delimiter           : @

 Online 802.1X wired users    : 0

 Online 802.1X wireless users : 0

 

 GigabitEthernet0/0/1  is link-up

   802.1X authentication      : Enabled

   Handshake                  : Enabled

   Handshake reply            : Disabled

   Handshake security         : Disabled

   Unicast trigger            : Disabled

   Periodic reauth            : Disabled

   Port role                  : Authenticator

   Authorization mode         : Auto

   Port access control        : Port-based

   Multicast trigger          : Enabled

   Mandatory auth domain      : bbb

   Guest VLAN                 : Not configured

   Auth-Fail VLAN             : Not configured

   Critical VLAN              : Not configured

   Critical voice VLAN        : Disabled

   Re-auth server-unreachable : Logoff

   Max online users           : 4294967295

   SmartOn                    : Disabled

 

   EAPOL packets: Tx 39, Rx 2

   Sent EAP Request/Identity packets : 39

        EAP Request/Challenge packets: 0

        EAP Success packets: 0

        EAP Failure packets: 0

        EAP Notification packets: 0

   Received EAPOL Start packets : 1

            EAPOL LogOff packets: 1

            EAP Response/Identity packets : 0

            EAP Response/Challenge packets: 0

            Error packets: 0

   Online 802.1X users: 0

# Log in with the correct username and password (localuser and localpass), and execute the display dot1x sessions command to verify that the user is online.

# Disconnect the router from the RADIUS server. Verify that the user can still come online with the same username and password, now through local authentication.
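To check the display dot1x interface output systematically rather than by eye, the following Python parser, added here as an illustration and not part of H3C's documentation or software, turns the key/value lines shown above (embedded as an abridged constructed sample) into dictionaries and verifies the settings this example requires: 802.1X enabled globally and on the port, port-based access control, and mandatory authentication domain bbb. It also flags a port that has sent many EAP Request/Identity frames without receiving a single EAP Response/Identity, which is the state the sample output shows before any supplicant has authenticated. The field names are taken from the output above; the interpretation of the counters is this script's own.

```python
"""Parse 'display dot1x interface' output and verify the state this example
expects. Added illustration for this example; not an H3C tool."""
import re

# Constructed sample: abridged from the verification output shown above.
DISPLAY_OUTPUT = """\
Global 802.1X parameters:
   802.1X authentication      : Enabled
   CHAP authentication        : Enabled
   Reauth period              : 3600 s
   Domain delimiter           : @
 Online 802.1X wired users    : 0

 GigabitEthernet0/0/1  is link-up
   802.1X authentication      : Enabled
   Periodic reauth            : Disabled
   Port role                  : Authenticator
   Port access control        : Port-based
   Mandatory auth domain      : bbb
   Re-auth server-unreachable : Logoff

   EAPOL packets: Tx 39, Rx 2
   Sent EAP Request/Identity packets : 39
        EAP Success packets: 0
        EAP Failure packets: 0
   Received EAPOL Start packets : 1
            EAPOL LogOff packets: 1
            EAP Response/Identity packets : 0
   Online 802.1X users: 0
"""

INTF_RE = re.compile(r"^\s*(\S+)\s+is link-(up|down)\s*$")
EAPOL_RE = re.compile(r"Tx (\d+), Rx (\d+)")

# Per-port values this example requires (from the configuration above).
EXPECTED_PORT = {"802.1X authentication": "Enabled",
                 "Port access control": "Port-based",
                 "Mandatory auth domain": "bbb"}


def parse_dot1x(text):
    """Split the output into a global dict and one dict per interface."""
    parsed = {"global": {}, "interfaces": {}}
    current = parsed["global"]
    for line in text.splitlines():
        m = INTF_RE.match(line)
        if m:  # an interface header starts a new per-port section
            current = parsed["interfaces"].setdefault(m.group(1), {"link": m.group(2)})
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():  # skip blank lines and the bare section title
            current[key.strip()] = value.strip()
    return parsed


def eapol_counters(port):
    """(Tx, Rx) EAPOL frame counts for one interface dict."""
    m = EAPOL_RE.search(port.get("EAPOL packets", ""))
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def verify(parsed, ifname, expected=EXPECTED_PORT):
    """Return findings; an empty list means the port is configured as this
    example expects and supplicants are answering identity requests."""
    findings = []
    if parsed["global"].get("802.1X authentication") != "Enabled":
        findings.append("802.1X is not enabled globally")
    port = parsed["interfaces"].get(ifname)
    if port is None:
        return findings + [f"{ifname} not found in output"]
    for key, want in expected.items():
        if port.get(key) != want:
            findings.append(f"{ifname}: {key} is {port.get(key)!r}, expected {want!r}")
    # Identity requests sent but never answered: no supplicant is responding
    # on the port (or none is attached yet), so nobody can come online.
    sent = int(port.get("Sent EAP Request/Identity packets", 0))
    answered = int(port.get("EAP Response/Identity packets", 0))
    if sent and not answered:
        findings.append(f"{ifname}: {sent} EAP Request/Identity sent, none answered")
    return findings
```

On the sample, verify(parse_dot1x(DISPLAY_OUTPUT), "GigabitEthernet0/0/1") confirms all three expected settings and returns only the unanswered-identity-request finding; once a supplicant authenticates, the EAP Response/Identity counter becomes non-zero and the list is empty. The same parser can be pointed at the output of a port whose Port access control still reads MAC-based, and the mismatch against EXPECTED_PORT is reported by name.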

Configuration files

#
 dot1x
#
interface Vlan-interface1
 ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-mode bridge
 dot1x mandatory-domain bbb
 dot1x port-method portbased
 dot1x
#
interface GigabitEthernet0/0/2
 port link-mode route
 ip address 192.168.100.2 255.255.255.0
#
radius scheme radius1
 primary authentication 192.168.100.250 key cipher $c$3$Ua8m/JVT48sS4hXncslGCkRaVEbAbk
 primary accounting 192.168.100.250 key cipher $c$3$x0HaZfI2XD6iXBE5E/zTEgEopD8CeyI=
 user-name-format without-domain
#
domain bbb
 authentication lan-access radius-scheme radius1 local
 authorization lan-access radius-scheme radius1 local
 accounting lan-access radius-scheme radius1 local
#
local-user localuser class network
 password cipher $c$3$TFxtbGxKPAxP3LUXfHeUuky7uuaBi9jAmoCnWA==
 service-type lan-access
 authorization-attribute user-role network-operator
#

Related documentation

·     User Access and Authentication Configuration Guide in H3C MSR1000[2600][3600] Routers Configuration Guides(V9)

·     User Access and Authentication Command Reference in H3C MSR1000[2600][3600] Routers Command References(V9)
