Example for Configuring 802.1X and MAC Address Authentication to Control User Access to the Enterprise Network (Authentication Point on Access Switch)

Overview

802.1X authentication and MAC address authentication are two methods used for Network Admission Control (NAC). 802.1X authentication is implemented based on interfaces and MAC address authentication is implemented based on interfaces and MAC addresses. Both protocols can protect security for enterprise networks.

802.1X authentication is more secure than MAC address authentication; however, it requires that 802.1X client software be installed on all user terminals, allowing low networking flexibility. 802.1X authentication is applicable to the networks requiring high information security.

MAC address authentication does not need 802.1X client software, but user terminals' MAC addresses must be registered on the authentication server. Network configuration and management is complex. MAC address authentication is applicable to dumb terminals such as printers and fax machine.

Configuration Notes

This configuration example applies to all switches running all versions.

Huawei's Agile Controller-Campus in V100R001 functions as the RADIUS server in this example. For the Agile Controller-Campus, the version required is V100R001, V100R002, V100R003.

The RADIUS authentication and accounting shared keys and Portal shared key on the switch must be the same as those on the Agile Controller-Campus server.

By default, the switch allows the packets from RADIUS server to pass. You do not need to configure authentication-free rules for the server on the switch.

Networking Requirements

Enterprises have high requirements on network security. To prevent unauthorized access and protect information security, an enterprise requests users to pass identity authentication and security check before they access the enterprise network. Only authorized users are allowed to access the enterprise network.

In addition, dumb terminals, such as IP phones and printers, can access the enterprise network only after passing authentication.

The enterprise network has the following characteristics:

All access switches support 802.1X authentication.
The enterprise network has a small size and does not have branch networks.
The enterprise has no more than 1000 employees. A maximum of 2000 users, including guests, access the network every day.
Dumb terminals, such as IP phones and printers, are connected to the enterprise network.

To provide high security for the network, you are advised to configure the 802.1X authentication function on access switches and connect a single centralized authentication server to the aggregation switch in bypass mode. MAC address authentication needs to be configured for dumb terminals.

Figure 1 Wired access networking diagram

Data Plan

**Table 1** Network data plan
Item	Data
Agile Controller-Campus	IP address: 192.168.100.100
Post-authentication domain server	IP address: 192.168.102.100
Aggregation switch (SwitchA)	Management IP address: 192.168.10.10
Access switch (SwitchC)	User VLAN ID: 10 Management IP address: 192.168.30.30
Access switch (SwitchD)	User VLAN ID: 20 Management IP address: 192.168.40.40

**Table 2** Access switch service data plan
Item	Data
RADIUS scheme	Authentication server IP address: 192.168.100.100 Authentication server port number: 1812 Accounting server IP address: 192.168.100.100 Accounting server port number: 1813 Shared key for the RADIUS server: Huawei@2014 Accounting interval: 15 minutes Authentication domain: isp
ACL number of the post-authentication domain	3002

**Table 3** Agile Controller-Campus service data plan
Item	Data
Department	R&D department
Access user	User name: A Wired access account: A-123 Password: Huawei123
Device group	Wired device group: Switch
Switch IP address	SwitchC: 192.168.30.30 SwitchD: 192.168.40.40
RADIUS authentication key	Huawei@2014
RADIUS accounting key	Huawei@2014

Configuration Roadmap

Configure the access switches, including the VLANs interfaces belong to, parameters for connecting to the RADIUS server, enabling NAC authentication, and access right to the post-authentication domain.

Ensure the reachable routes between the access switches (SwitchC and SwitchD), aggregation switch (SwitchA), and Agile Controller-Campus server.
Configure the Agile Controller-Campus:
1. Log in to the Agile Controller-Campus.
2. Add an account to the Agile Controller-Campus.
3. Add switches to the Agile Controller-Campus.
4. Configure authentication rules, authorization results, and authorization rules on the Agile Controller-Campus.

Procedure

Configure the access switches. This example uses SwitchC to describe the configuration. The domain configuration on SwitchD is the same as that on SwitchC.

Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.

<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 10
[SwitchC] interface gigabitethernet 0/0/1    //Configure the interface connected to fixed terminals.
[SwitchC-GigabitEthernet0/0/1] port link-type access
[SwitchC-GigabitEthernet0/0/1] port default vlan 10 
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2    //Configure the interface connected to dumb terminals.
[SwitchC-GigabitEthernet0/0/2] port link-type access
[SwitchC-GigabitEthernet0/0/2] port default vlan 10
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3    //Configure the interface connected to SwitchA.
[SwitchC-GigabitEthernet0/0/3] port link-type trunk
[SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[SwitchC-GigabitEthernet0/0/3] quit
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] ip address 192.168.30.30 24    //Configure the IP address used to communicate with the Controller.

Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.

# Create and configure the RADIUS server template rd1.

[SwitchC] radius-server template rd1
[SwitchC-radius-rd1] radius-server authentication 192.168.100.100 1812
[SwitchC-radius-rd1] radius-server accounting 192.168.100.100 1813
[SwitchC-radius-rd1] radius-server shared-key cipher Huawei@2014
[SwitchC-radius-rd1] quit

# Create an AAA authentication scheme abc and set the authentication mode to RADIUS.

[SwitchC] aaa
[SwitchC-aaa] authentication-scheme abc
[SwitchC-aaa-authen-abc] authentication-mode radius
[SwitchC-aaa-authen-abc] quit

# Configure the accounting scheme acco1 and set the accounting mode to RADIUS.

[SwitchC-aaa] accounting-scheme acco1
[SwitchC-aaa-accounting-acco1] accounting-mode radius
[SwitchC-aaa-accounting-acco1] accounting realtime 15    //Set the real-time accounting interval to 15 minutes.
[SwitchC-aaa-accounting-acco1] quit

# Create an authentication domain isp, and bind the AAA authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.

[SwitchC-aaa] domain isp
[SwitchC-aaa-domain-isp] authentication-scheme abc
[SwitchC-aaa-domain-isp] accounting-scheme acco1
[SwitchC-aaa-domain-isp] radius-server rd1
[SwitchC-aaa-domain-isp] quit
[SwitchC-aaa] quit

# Configure isp as the global default domain. During access authentication, enter a user name in the format user@isp to perform AAA authentication in the domain isp. If the user name does not contain a domain name or contains an invalid domain name, the user is authenticated in the default domain.

[SwitchC] domain isp

Enable 802.1X and MAC address authentication.

# Set the NAC mode to unified.

[SwitchC] authentication unified-mode

By default, the unified mode is enabled. After the NAC mode is changed, the device automatically restarts.

# Enable 802.1X authentication on GE0/0/1.

[SwitchC] interface gigabitEthernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] authentication dot1x
[SwitchC-GigabitEthernet0/0/1] quit

# Enable MAC address authentication on GE0/0/2.

[SwitchC] interface gigabitEthernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] authentication mac-authen
[SwitchC-GigabitEthernet0/0/2] mac-authen username fixed A-123 password cipher Huawei123    //Set the user name mode for MAC address authentication to fixed user name. Set the user name to A-123 and password to Huawei123.
[SwitchC-GigabitEthernet0/0/2] quit

Configure ACL 3002 for the post-authentication domain.

[SwitchC] acl 3002
[SwitchC-acl-adv-3002] rule 1 permit ip destination 192.168.102.100 0
[SwitchC-acl-adv-3002] rule 2 deny ip destination any
[SwitchC-acl-adv-3002] quit

Configure the Agile Controller-Campus.

Open the Internet Explorer, enter the Agile Controller-Campus address in the address box, and press Enter.

The following table provides two types of Agile Controller-Campus addresses.

Address Format	Description
https://Agile Controller-Campus-IP:8443	In the address, Agile Controller-Campus-IP indicates the Agile Controller-Campus IP address.
Agile Controller-Campus IP address	If port 80 is enabled during installation, you can access the Agile Controller-Campus by simply entering its IP address without the port number. The Agile Controller-Campus address will automatically change to https://Agile Controller-Campus-IP:8443.

Enter the administrator account and password.
If you log in to the Agile Controller-Campus for the first time, use the super administrator account admin and password Changeme123. Change the password immediately after logging in. Otherwise, the Agile Controller-Campus cannot be used.

Create a department and account.
1. Choose Resource > User > User Management.
2. Click the Department tab in the operation area on the right. Then click Add under the Department tab, and add the department R&D.
3. Click the User tab in the operation area on the right. Then click Add under the User tab, and add the user A.
4. Click in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password Huawei123.
5. On the User tab page, select user A and click Transfer to add user A to the R&D department.

Add switches to the Agile Controller-Campus so that the switches can communicate with the Agile Controller-Campus.

Choose Resource > Device > Device Management.
Click Permission Control Device Group in the navigation tree, and click and Add SubGroup to create a device group Switch.
Click the device group in the navigation tree and select ALL Device. Click Add to add network access devices.

Set connection parameters on the Add Device page.

This example uses SwitchC to describe the configuration procedure. The configuration on SwitchD is the same as that on SwitchC except that the IP addresses are different.

Parameter	Value	Description
Name	SwitchC	-
IP Address	192.168.30.30	The interface on the switch must communicate with the Agile Controller-Campus.
Device Series	Huawei Quidway series switch	-
Authentication Key	Huawei@2014	It must be the same as the shared key of the RADIUS authentication server configured on the switch.
Charging Key	Huawei@2014	It must be the same as the shared key of the RADIUS accounting server configured on the switch.
Real-time charging interval (minute)	15	It must be the same as the real-time accounting interval configured on the switch.

Click Permission Control Device Group in the navigation tree, select SwitchC, and click Move to move SwitchC to the Switch group. The configuration on SwitchD is the same as that on SwitchC.

Add an authentication rule.

Choose Policy > Permission Control > Authentication and Authorization > Authentication Rule and click Add to create an authentication rule.

Configure basic information for the authentication rule.

Parameter	Value	Description
Name	Access authentication rule	-
Service Type	Access service	-
Authentication Condition	Device group Switch	Customize authentication rules based on the requirements of your network.
Please select the allowed authentication protocol	PAP CHAP EAP-MD5 EAP-PEAP-MSCHAPv2 EAP-TLS EAP-PEAP-GTC EAP-TTLS-PAP	-

Add an authorization result.

Choose Policy > Permission Control > Authentication and Authorization > Authorization Result and click Add to create an authorization result.

Configure basic information for the authorization result.

Parameter	Value	Description
Name	Post-authentication domain	-
Service Type	Access service	-
ACL Number/AAA User Group	3002	The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.

Add an authorization rule.

After a user passes the authentication, authorization phase starts. The Agile Controller-Campus grants the user access rights based on the authorization rule.

Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule and click Add to create an authorization rule.

Configure basic information for the authorization rule.

Parameter	Value	Description
Name	Authorization rule for R&D employees	-
Service Type	Access service	-
Access Device Group	Switch	-
Authorization Result	Post-authentication domain	-

Verify the configuration.
- An employee can only access the Agile Controller-Campus server before passing the authentication.
- After passing the authentication, the employee can access resources in the post-authentication domain.
- After the employee passes the authentication, run the display access-user command on the switch. The command output shows information about the online employee.

Switch Configuration File

#
sysname SwitchC
#
vlan batch 10
#
domain isp
#
radius-server template rd1
 radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
 radius-server authentication 192.168.100.100 1812 weight 80
 radius-server accounting 192.168.100.100 1813 weight 80
#
acl number 3002
 rule 1 permit ip destination 192.168.102.100 0
 rule 2 deny ip
#
aaa
 authentication-scheme abc
  authentication-mode radius
 accounting-scheme acco1
  accounting-mode radius
  accounting realtime 15
 domain isp
  authentication-scheme abc
  accounting-scheme acco1
  radius-server rd1
#
interface Vlanif10
 ip address 192.168.30.30 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 authentication dot1x
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
 authentication mac-authen
 mac-authen username fixed A-123 password cipher %^%#7JxKWaX6c0\X4RHfJ$M6|duQ*k{7uXu{J{S=zx-3%^%#
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10
#
return