Example for Configuring 802.1X Authentication to Control User Access
802.1X Authentication Overview
802.1X is a port-based network access control protocol and 802.1X authentication is one of NAC authentication modes. 802.1X authentication ensures security of enterprise intranets.
802.1X authentication ensures high security; however, it requires that 802.1X client software be installed on user terminals, resulting in inflexible network deployment. Another two NAC authentication methods have their advantages and disadvantages: MAC address authentication does not require client software installation, but MAC addresses must be registered on an authentication server. Portal authentication also does not require client software installation and provides flexible deployment, but it has low security.
As a result, 802.1X authentication is applied to scenarios with new networks, centralized user distribution, and strict information security requirements. In addition, 802.1X authentication supports MAC address bypass authentication so that the dumb terminals on 802.1X authentication networks can be connected after passing authentication.
Networking Requirements
As shown in Figure 1, the terminals in an office are connected to the company's internal network through the Switch. Unauthorized access to the internal network can damage the company's service system and cause leakage of key information. Therefore, the administrator requires that the Switch should control the users' network access rights to ensure internal network security.
Configuration Roadmap
The configuration roadmap is as follows:
- Create and configure a RADIUS server template, an AAA scheme, and an authentication domain. Bind the RADIUS server template and AAA scheme to the authentication domain so that the Switch can authenticate access users through the RADIUS server.
- Configure 802.1X authentication on the Switch.
- Enable 802.1X authentication to control network access rights of the employees in the office.
- Enable MAC address bypass authentication to authenticate terminals (such as printers) that cannot install 802.1X authentication client software.
- Before configuring this example, ensure that devices can communicate with each other in the network.
- In this example, the LAN switch exists between the access switch Switch and users. To ensure that users can pass 802.1X authentication, you must configure the EAP packet transparent transmission function on the LAN switch. Method 1: The S5700-LI is used as an example of the LAN switch. Perform the following operations:
- Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 command in the system view of the LAN switch to configure the LAN switch to transparently transmit EAP packets.
- Run the l2protocol-tunnel user-defined-protocol 802.1x enable command on the interface connecting to users and the interface connecting to the access switch to enable the Layer 2 protocol tunneling function.
- Run the following commands in the system view:
- undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
- bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
- bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
- bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
- bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
- (This step is mandatory when you switch from method 1 to method 2.) Run the undo l2protocol-tunnel user-defined-protocol 802.1x enable command in the interface view to delete the configuration of transparent transmission of 802.1x protocol packets.
Procedure
- Create VLANs and configure the VLAN allowed by the interface to ensure network communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] vlan batch 10 20
# On the Switch, set GE0/0/1 connecting to users as an access interface, and add GE0/0/1 to VLAN 10.
[Switch] interface gigabitethernet0/0/1 [Switch-GigabitEthernet0/0/1] port link-type access [Switch-GigabitEthernet0/0/1] port default vlan 10 [Switch-GigabitEthernet0/0/1] quit
Configure the interface type and VLANs according to the actual situation. In this example, users are added to VLAN 10.
# On the Switch, set GE0/0/2 connecting to the RADIUS server as an access interface, and add GE0/0/2 to VLAN 20.
[Switch] interface gigabitethernet0/0/2 [Switch-GigabitEthernet0/0/2] port link-type access [Switch-GigabitEthernet0/0/2] port default vlan 20 [Switch-GigabitEthernet0/0/2] quit
- Create and configure a RADIUS server template, an AAA scheme, and an authentication domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1 [Switch-radius-rd1] radius-server authentication 192.168.2.30 1812 [Switch-radius-rd1] radius-server shared-key cipher Huawei@2012 [Switch-radius-rd1] quit
# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa [Switch-aaa] authentication-scheme abc [Switch-aaa-authen-abc] authentication-mode radius [Switch-aaa-authen-abc] quit
# Create authentication domain isp1, and bind AAA scheme abc and RADIUS server template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1 [Switch-aaa-domain-isp1] authentication-scheme abc [Switch-aaa-domain-isp1] radius-server rd1 [Switch-aaa-domain-isp1] quit [Switch-aaa] quit
# Configure the default domain isp1 in the system view. When a user enters the user name in the format of user@isp1, the user is authenticated in the authentication domain isp1. If the user name does not carry the domain name or carries a nonexistent domain name, the user is authenticated in the default domain.
[Switch] domain isp1 - Configure 802.1X authentication.
# Switch the NAC mode to common mode. This step applies to only switches in V200R005C00 and later versions.
[Switch] undo authentication unified-mode Warning: Switching the authentication mode will take effect after system restart . Some configurations are invalid after the mode is switched. For the invalid co mmands, see the user manual. Save the configuration file and reboot now? [Y/N] y - By default, the NAC unified mode is used.
- After the unified mode is switched to common mode, you must save the configuration and restart the device to make each function in the new configuration mode take effect. In versions earlier than V200R007C00, you need to manually run the commands for saving the configuration and restarting the device.
# Enable 802.1X authentication globally and on an interface.
<Switch> system-view [Switch] dot1x enable [Switch] interface gigabitethernet0/0/1 [Switch-GigabitEthernet0/0/1] dot1x enable [Switch-GigabitEthernet0/0/1] dot1x authentication-method eap
# Configure MAC address bypass authentication.
[Switch-GigabitEthernet0/0/1] dot1x mac-bypass
- Verify the configuration.
- Run the display dot1x command to check the 802.1X authentication configuration. The command output (802.1x protocol is Enabled) shows that the 802.1X authentication has been enabled on the interface GE0/0/1.
- The user starts the 802.1X client on the terminal, and enters the user name and password for authentication.
- If the user name and password are correct, an authentication success message is displayed on the client page. The user can access the network.
- After the user goes online, you can run the display access-user command on the device to check the online 802.1X user information.
Configuration Files
Configuration file of the Switch
# sysname Switch # vlan batch 10 20 # undo authentication unified-mode # domain isp1 # dot1x enable # radius-server template rd1 radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%# radius-server authentication 192.168.2.30 1812 weight 80 # aaa authentication-scheme abc authentication-mode radius domain isp1 authentication-scheme abc radius-server rd1 # interface GigabitEthernet0/0/1 port link-type access port default vlan 10 dot1x mac-bypass # interface GigabitEthernet0/0/2 port link-type access port default vlan 20 # return