Example for Configuring 802.1X Authentication to Control User Access

802.1X Authentication Overview

802.1X is a port-based network access control protocol and 802.1X authentication is one of NAC authentication modes. 802.1X authentication ensures security of enterprise intranets.

802.1X authentication ensures high security; however, it requires that 802.1X client software be installed on user terminals, resulting in inflexible network deployment. Another two NAC authentication methods have their advantages and disadvantages: MAC address authentication does not require client software installation, but MAC addresses must be registered on an authentication server. Portal authentication also does not require client software installation and provides flexible deployment, but it has low security.

As a result, 802.1X authentication is applied to scenarios with new networks, centralized user distribution, and strict information security requirements.

Configuration Notes

This configuration example applies to all switches running all versions.

When you run the access-user arp-detect command to configure the IP address and MAC address of the user gateway as the source IP address and source MAC address of user offline detection packets, ensure that the MAC address of the gateway remains unchanged, especially in active/standby switchover scenarios. If the gateway MAC address is changed, ARP entries of terminals will be incorrect on the device, and the terminals cannot communicate with the device.

Networking Requirements

As shown in Figure 1, terminals in a company's offices are connected to the company's internal network through the Switch. Unauthorized access to the internal network can damage the company's service system and cause leakage of key information. Therefore, the administrator requires that the Switch should control users' network access rights to ensure internal network security.

The 802.1X authentication is configured and the RADIUS server is used to authenticate user identities, to meet the company's high security requirements.

Figure 1 Networking diagram for configuring 802.1X authentication

Configuration Roadmap

The configuration roadmap is as follows:

Configure network interoperation.
Configure AAA on the Switch to implement identity authentication on access users through the RADIUS server. The configuration includes configuring a RADIUS server template, an AAA scheme, and an authentication domain, and binding the RADIUS server template and AAA scheme to the authentication domain.
Configure 802.1X authentication to control network access rights of the employees in the offices. The configuration includes:
1. Configure an 802.1X access profile.
2. Configure an authentication profile.
3. Enable 802.1X authentication on an interface.

Before performing operations in this example, ensure that user access terminals and the server can communicate.
This example only provides the configuration of the Switch. The configurations of the LAN Switch and server are not provided here.
In this example, the LAN switch exists between the access switch Switch and users. To ensure that users can pass 802.1X authentication, you must configure the EAP packet transparent transmission function on the LAN switch. Method 1: The S5700-LI is used as an example of the LAN switch. Perform the following operations:
1. Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 command in the system view of the LAN switch to configure the LAN switch to transparently transmit EAP packets.
2. Run the l2protocol-tunnel user-defined-protocol 802.1x enable command on the interface connecting to users and the interface connecting to the access switch to enable the Layer 2 protocol tunneling function.
Method 2: This method is recommended when a large number of users exist or high network performance is required. Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-EI, S6720-HI, S6720S-EI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S support this method.
1. Run the following commands in the system view:
  - undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
  - bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
  - bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
  - bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
  - bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
2. (This step is mandatory when you switch from method 1 to method 2.) Run the undo l2protocol-tunnel user-defined-protocol 802.1x enable command in the interface view to delete the configuration of transparent transmission of 802.1x protocol packets.

Procedure

Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.

# Create VLAN 10 and VLAN 20.

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# Configure GE0/0/1 connecting the Switch to users as an access interface and add the interface to VLAN 10.

[Switch] interface gigabitethernet0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10 
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.10 24
[Switch-Vlanif10] quit

# Configure GE0/0/2 connecting the Switch to the RADIUS server as an access interface and add the interface to VLAN 20.

[Switch] interface gigabitethernet0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 20 
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.10 24
[Switch-Vlanif20] quit

Configure AAA.

# Create and configure the RADIUS server template rd1.

[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit

# Create the AAA authentication scheme abc and set the authentication mode to RADIUS.

[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create the authentication domain huawei.com, and bind the AAA authentication scheme abc and RADIUS server template rd1 to the domain.

[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme abc
[Switch-aaa-domain-huawei.com] radius-server rd1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

# Check whether a user can pass RADIUS authentication. The test user test and password Huawei2012 have been configured on the RADIUS server.

[Switch] test-aaa test Huawei2012 radius-template rd1
Info: Account test succeeded.

Configure 802.1X authentication.
# Set the NAC mode to unified.
```
[Switch] authentication unified-mode
```
- By default, the unified mode is used.
- After changing the NAC mode from common to unified, save the configuration and restart the device to make the configuration take effect.
# Configure the 802.1X access profile d1.

By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.
```
[Switch] dot1x-access-profile name d1
[Switch-dot1x-access-profile-d1] dot1x timer client-timeout 30
[Switch-dot1x-access-profile-d1] quit
```
# Configure the authentication profile p1, bind the 802.1X access profile d1 to the authentication profile, specify the domain huawei.com as the forcible authentication domain in the authentication profile, set the user access mode to multi-authen, and set the maximum number of access users to 100.
```
[Switch] authentication-profile name p1
[Switch-authen-profile-p1] dot1x-access-profile d1
[Switch-authen-profile-p1] access-domain huawei.com force
[Switch-authen-profile-p1] authentication mode multi-authen max-user 100
[Switch-authen-profile-p1] quit
```
# Bind the authentication profile p1 to GE0/0/1 and enable 802.1x authentication on the interface.
```
[Switch] interface gigabitethernet0/0/1
[Switch-GigabitEthernet0/0/1] authentication-profile p1
[Switch-GigabitEthernet0/0/1] quit
```
# (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets.
```
[Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 2222-1111-1234
```
Verify the configuration.
1. A user starts the 802.1X client on a terminal, and enters the user name and password for authentication.
2. If the user name and password are correct, an authentication success message is displayed on the client page. The user can access the network.
3. After users go online, you can run the display access-user access-type dot1x command on the device to view information about online 802.1X authentication users.

Configuration Files

Configuration file of the Switch

#
sysname Switch
#
vlan batch 10 20
#
authentication-profile name p1
 dot1x-access-profile d1
 authentication mode multi-authen max-user 100
 access-domain huawei.com force
#
access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 2222-1111-1234
#
radius-server template rd1
 radius-server shared-key cipher %#%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%#%#
 radius-server authentication 192.168.2.30 1812 weight 80
#
dot1x-access-profile name d1
#
aaa
 authentication-scheme abc
  authentication-mode radius
 domain huawei.com
  authentication-scheme abc
  radius-server rd1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 authentication-profile p1
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
interface Vlanif10
 ip address 192.168.1.10 255.255.255.0
#
interface Vlanif20
 ip address 192.168.2.10 255.255.255.0
#
return