
Configuring an 802.1X Access Profile

Context

After creating an 802.1X access profile, you need to configure it. Select an authentication mode that both the client and the server support and that matches the processing capability of the device and the server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dot1x-access-profile name access-profile-name

    The 802.1X access profile view is displayed.

  3. Run dot1x authentication-method { chap | pap | eap }

    An authentication mode is configured for 802.1X users.

    By default, the authentication mode of 802.1X users is eap, which indicates Extensible Authentication Protocol (EAP) relay authentication.

    Whether to use EAP relay or EAP termination depends on the processing capability of the RADIUS server. If the RADIUS server can parse a large number of EAP packets and complete authentication itself, EAP relay is recommended. If the RADIUS server cannot parse a large number of EAP packets and complete authentication, EAP termination is recommended: the device parses the EAP packets on behalf of the RADIUS server. Whichever authentication packet processing method is configured, ensure that both the client and the server support it; otherwise, users cannot pass authentication.

    • EAP relay can be configured for 802.1X users only when RADIUS authentication is used.

    • If AAA local authentication is used, the authentication mode for 802.1X users can only be set to EAP termination.

    • Because mobile phones do not support EAP termination mode (PAP and CHAP), the 802.1X authentication + local authentication mode cannot be configured for mobile phones. Terminals such as laptop computers support EAP termination mode only after a third-party client is installed.

    • If the 802.1X client uses EAP-MD5, the user authentication mode on the device can be set to EAP or CHAP; if the 802.1X client uses PEAP, the authentication mode on the device can only be set to EAP.

    • In a wireless access scenario, if WPA or WPA2 authentication mode is configured in the security policy profile, 802.1X authentication does not support pre-authentication domain-based authorization.

    • If an interface has online 802.1X users and the authentication mode in the 802.1X access profile bound to the interface is changed between EAP termination and EAP relay, the online 802.1X users are logged out. If the authentication mode is changed between CHAP and PAP within EAP termination mode, the online 802.1X users are not logged out.

  4. (Optional) Run authentication trigger-condition { dhcp | arp | dhcpv6 | nd | any-l2-packet } *

    The types of packets that can trigger 802.1X authentication are configured.

    By default, DHCP, DHCPv6, ND, and ARP packets can trigger 802.1X authentication.

  5. (Optional) Run dot1x unicast-trigger

    802.1X authentication triggered by a unicast packet is enabled.

    By default, 802.1X authentication triggered by a unicast packet is disabled.

  6. (Optional) Run dot1x port-control { auto | authorized-force | unauthorized-force }

    The authorization state of interfaces is configured.

    By default, the authorization state of an interface is auto.

  7. (Optional) Configure the device to handshake with online 802.1X users.

    When a user goes offline because of an event such as a network interruption, the device still retains the user's online entry. This can cause incorrect accounting and poses a security risk, because a bogus user could use the stale entry to access the network.

    To keep user online information accurate, configure handshake with online 802.1X users on the device. The device then periodically sends handshake request packets to online 802.1X users. If a user has not responded to the handshake requests by the time the retransmission count is reached, the device sets the user's status to offline.

    If the 802.1X client cannot exchange handshake packets with the device, the device never receives a handshake response within the handshake period and would log the user out. In that case, disable the online user handshake function so that the device does not disconnect users by mistake.

    This function takes effect only for wired users.

    1. Run dot1x handshake

      Handshake with online 802.1X users is enabled.

      By default, handshake with online 802.1X users is disabled.

    2. Run dot1x handshake packet-type { request-identity | srp-sha1-part2 }

      The type of 802.1X authentication handshake packets is configured.

      By default, the type of 802.1X authentication handshake packets is request-identity.

      To ensure interoperability with devices from other vendors, you can configure the handshake packet type based on your networking requirements.

    3. Run dot1x timer handshake-period handshake-period-value

      The interval at which the device handshakes with online 802.1X users on non-Eth-Trunk interfaces is configured.

      By default, the interval for sending handshake packets to online 802.1X users on non-Eth-Trunk interfaces is 15 seconds.

    4. Run dot1x timer eth-trunk-access handshake-period handshake-period-value

      The interval at which the device handshakes with online 802.1X users on Eth-Trunks is configured.

      By default, the interval for sending handshake packets to online 802.1X users on Eth-Trunks is 120 seconds.

    5. Run dot1x retry max-retry-value

      The number of times a handshake packet is retransmitted to an 802.1X user is configured.

      By default, the device retransmits a handshake packet to an 802.1X user twice.

  8. (Optional) Run dot1x eap-notify-packet eap-code code-number data-type type-number

    The device is configured to send EAP packets with a code number to 802.1X users.

    By default, the device does not send EAP packets with a code number to 802.1X users.

    If an H3C iMC functions as the RADIUS server, run the dot1x eap-notify-packet eap-code 10 data-type 25 command on the device.

  9. (Optional) Run dot1x trigger dhcp-binding

    The device is configured to automatically generate DHCP snooping binding entries after static IP users pass 802.1X authentication or when the users are in pre-connection state.

    By default, the device does not automatically generate DHCP snooping binding entries after static IP users pass 802.1X authentication or when the users are in pre-connection state.

  10. (Optional) Run dot1x no-response authorize authen-server-down

    The device is configured not to respond to authentication trigger packets sent by clients while the AAA server is Down.

    By default, the device responds to authentication trigger packets sent by clients while the AAA server is Down.

    This function must be configured when Cisco AnyConnect is used for packet-triggered authentication.
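The following session applies the procedure above to one profile, as an added example rather than a listing from the original page. It assumes a RADIUS server (so the default EAP relay mode is kept), a profile named p1, and the default `[HUAWEI]` prompts; the handshake interval and retry count are sample values, and the H3C iMC and Cisco AnyConnect specific steps (eap-notify-packet and no-response authorize) are omitted because they apply only to those servers and clients.

```text
<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name p1
[HUAWEI-dot1x-access-profile-p1] dot1x authentication-method eap
[HUAWEI-dot1x-access-profile-p1] authentication trigger-condition dhcp arp
[HUAWEI-dot1x-access-profile-p1] dot1x unicast-trigger
[HUAWEI-dot1x-access-profile-p1] dot1x port-control auto
[HUAWEI-dot1x-access-profile-p1] dot1x handshake
[HUAWEI-dot1x-access-profile-p1] dot1x handshake packet-type request-identity
[HUAWEI-dot1x-access-profile-p1] dot1x timer handshake-period 30
[HUAWEI-dot1x-access-profile-p1] dot1x retry 3
[HUAWEI-dot1x-access-profile-p1] dot1x trigger dhcp-binding
[HUAWEI-dot1x-access-profile-p1] quit
```

With these values a wired user that stops answering handshake requests is marked offline after the initial request plus three retransmissions at 30-second intervals; if the profile is later switched to chap or pap (EAP termination), online users bound to this profile are logged out, so plan that change for a maintenance window.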

Copyright © Huawei Technologies Co., Ltd.