
Configuring 802.1X and MAC Address Authentication for Access Users on Huawei Agile Controller-Campus

Overview

On a NAC network, 802.1X, MAC address, and Portal authentication can be configured on the user access interfaces of a device to meet different authentication requirements. A user is admitted after passing any one of the enabled authentication modes.

If multiple authentication modes are enabled on an interface, they are triggered in the order in which they are configured. Because users can then be authenticated in different modes, the device can assign them different network rights according to the mode in which they were authenticated.

Networking Requirements

Enterprises have high requirements on network security. To prevent unauthorized access and protect information security, an enterprise requests users to pass identity authentication and security check before they access the enterprise network. Only authorized users are allowed to access the enterprise network.

In addition, dumb terminals, such as IP phones and printers, can access the enterprise network only after passing authentication.

The enterprise network has the following characteristics:

  • The access switches on the network do not support 802.1X authentication.

  • The enterprise network has a small size and does not have branch networks.

  • The enterprise has no more than 1000 employees. A maximum of 2000 users, including guests, access the network every day.

  • Dumb terminals, such as IP phones and printers, are connected to the enterprise network.

To reduce the investment in network reconstruction, configure 802.1X authentication on the aggregation switch and connect a single centralized authentication server to the aggregation switch in bypass mode. Configure MAC address authentication for the dumb terminals, which cannot run an 802.1X client.

Figure 1 Wired access networking diagram

Configuration Logic

Figure 2 Configuration logic of Huawei switch
Table 1 Configuration logic of Huawei Agile Controller-Campus

  • Creating a department and an account
  • Adding switches: Set parameters for the switches connected to the Agile Controller-Campus.
  • Adding an authentication rule: Configure the conditions that users must meet to pass authentication.
  • Adding an authorization result: Create network access right profiles, so that users granted different profiles have different network access rights.
  • Adding an authorization rule: Select network access right profiles and users in an authorization rule, so that specific users are granted the specified network access rights.

Configuration Notes

This configuration example applies to all switches running V200R009C00 or a later version. Huawei Agile Controller-Campus functions as the RADIUS server; V100R001, V100R002, or V100R003 of the Agile Controller-Campus is required.

The RADIUS authentication and accounting shared keys (and the Portal shared key, if Portal authentication is deployed) on the switch must be the same as those configured on the Agile Controller-Campus server.

By default, the switch allows packets from the RADIUS server to pass, so you do not need to configure an authentication-free rule for the server on the switch.

When you run the access-user arp-detect command to use the IP address and MAC address of the user gateway as the source IP address and source MAC address of offline detection packets, ensure that the MAC address of the gateway remains unchanged, especially in active/standby switchover scenarios. If the gateway MAC address changes, the ARP entries for the gateway cached on the terminals become stale, and the terminals can no longer communicate with the device.

Data Plan

Table 2 Network data plan

  • Agile Controller-Campus: IP address 192.168.100.100
  • Post-authentication domain server: IP address 192.168.102.100
  • Aggregation switch (SwitchA):
      • VLAN to which GE0/0/6 (connected to the server) belongs: VLAN 100
      • VLAN to which the downstream interfaces GE0/0/1 and GE0/0/2 belong: VLAN 200
  • Access switch (SwitchC): user VLAN ID 200
  • Access switch (SwitchD): user VLAN ID 200

Table 3 Aggregation switch service data plan

  • RADIUS scheme:
      • Authentication server IP address: 192.168.100.100
      • Authentication server port number: 1812
      • Accounting server IP address: 192.168.100.100
      • Accounting server port number: 1813
      • Shared key for the RADIUS server: Huawei@2014
      • Accounting interval: 15 minutes
      • Authentication domain: isp
  • ACL number of the post-authentication domain: 3002

Table 4 Agile Controller-Campus service data plan

  • Department: R&D department
  • Access user:
      • User name: A
      • Wired access account: A-123
      • Password: Huawei123
  • Device group:
      • Wired device group: Switch
      • SwitchA IP address: 192.168.10.10
  • RADIUS authentication key: Huawei@2014
  • Charging key (RADIUS accounting key): Huawei@2014

Procedure

  1. Configure the access switches.
    1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded. This example uses SwitchC to describe the configuration. The configuration on SwitchD is the same as that on SwitchC.

      # Create VLAN 200.
      <HUAWEI> system-view
      [HUAWEI] sysname SwitchC
      [SwitchC] vlan batch 200
      # Configure the interface connected to users as an access interface and add the interface to VLAN 200.
      [SwitchC] interface gigabitethernet 0/0/1
      [SwitchC-GigabitEthernet0/0/1] port link-type access
      [SwitchC-GigabitEthernet0/0/1] port default vlan 200 
      [SwitchC-GigabitEthernet0/0/1] quit
      [SwitchC] interface gigabitethernet 0/0/2
      [SwitchC-GigabitEthernet0/0/2] port link-type access
      [SwitchC-GigabitEthernet0/0/2] port default vlan 200
      [SwitchC-GigabitEthernet0/0/2] quit

      # Configure the interface connected to the upstream network as a trunk interface and configure the interface to allow VLAN 200.

      [SwitchC] interface gigabitethernet 0/0/3
      [SwitchC-GigabitEthernet0/0/3] port link-type trunk
      [SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 200
      [SwitchC-GigabitEthernet0/0/3] quit

    2. Configure the device to transparently transmit 802.1X packets. This example uses SwitchC to describe the configuration. The configuration on SwitchD is the same as that on SwitchC.

      In this example, SwitchC and SwitchD are deployed between the authentication switch SwitchA and users. 802.1X packet transparent transmission needs to be configured on SwitchC and SwitchD so that SwitchA can perform 802.1X authentication for users.

      • Method 1:
        [SwitchC] l2protocol-tunnel user-defined-protocol 802.1X protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
        [SwitchC] interface gigabitethernet 0/0/1
        [SwitchC-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1X enable
        [SwitchC-GigabitEthernet0/0/1] bpdu enable
        [SwitchC-GigabitEthernet0/0/1] quit
        [SwitchC] interface gigabitethernet 0/0/2
        [SwitchC-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol 802.1X enable
        [SwitchC-GigabitEthernet0/0/2] bpdu enable
        [SwitchC-GigabitEthernet0/0/2] quit
        [SwitchC] interface gigabitethernet 0/0/3
        [SwitchC-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1X enable
        [SwitchC-GigabitEthernet0/0/3] bpdu enable
        [SwitchC-GigabitEthernet0/0/3] quit
      • Method 2: This method is recommended when a large number of users exist or high network performance is required. Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-EI, S6720-HI, S6720S-EI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S support this method.

        [SwitchC] undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
        [SwitchC] bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
        [SwitchC] bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
        [SwitchC] bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
        [SwitchC] bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8

        The following step is mandatory only when you switch from method 1 to method 2.

        [SwitchC] interface gigabitethernet 0/0/1
        [SwitchC-GigabitEthernet0/0/1] undo l2protocol-tunnel user-defined-protocol 802.1X enable
        [SwitchC-GigabitEthernet0/0/1] quit
        [SwitchC] interface gigabitethernet 0/0/2
        [SwitchC-GigabitEthernet0/0/2] undo l2protocol-tunnel user-defined-protocol 802.1X enable
        [SwitchC-GigabitEthernet0/0/2] quit
        [SwitchC] interface gigabitethernet 0/0/3
        [SwitchC-GigabitEthernet0/0/3] undo l2protocol-tunnel user-defined-protocol 802.1X enable
        [SwitchC-GigabitEthernet0/0/3] quit

  2. Configure the aggregation switch.
    1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchA
      [SwitchA] vlan batch 100 200
      [SwitchA] interface gigabitethernet 0/0/1    //Configure the interface connected to SwitchC.
      [SwitchA-GigabitEthernet0/0/1] port link-type trunk
      [SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2    //Configure the interface connected to SwitchD.
      [SwitchA-GigabitEthernet0/0/2] port link-type trunk
      [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
      [SwitchA-GigabitEthernet0/0/2] quit
      [SwitchA] interface gigabitethernet 0/0/6    //Configure the interface connected to the server.
      [SwitchA-GigabitEthernet0/0/6] port link-type trunk
      [SwitchA-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
      [SwitchA-GigabitEthernet0/0/6] quit
      [SwitchA] interface vlanif 100
      [SwitchA-Vlanif100] ip address 192.168.10.10 24    //Configure the management IP address for SwitchA. This IP address is used when SwitchA is added to Agile Controller-Campus.
      [SwitchA-Vlanif100] quit
      [SwitchA] interface vlanif 200
      [SwitchA-Vlanif200] ip address 192.168.200.1 24    //Configure the gateway address for terminal users.
      [SwitchA-Vlanif200] quit
      [SwitchA] ip route-static 192.168.100.0 255.255.255.0 192.168.10.10    //Configure a route to the network segment where the Agile Controller-Campus (pre-authentication domain) resides.
      [SwitchA] ip route-static 192.168.102.0 255.255.255.0 192.168.10.10    //Configure a route to the network segment where the post-authentication domain resides.

      The next hop of both routes must be the address of the router in VLAN 100 that reaches these segments. The address shown here is a placeholder: it is SwitchA's own VLANIF 100 address, which cannot be used as a next hop, so replace it with the real router address on your network.


    2. Configure network access rights for users after successful authentication.

      [SwitchA] acl 3002
      [SwitchA-acl-adv-3002] rule 1 permit ip destination 192.168.102.100 0
      [SwitchA-acl-adv-3002] rule 2 deny ip destination any
      [SwitchA-acl-adv-3002] quit

    3. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.

      # Create and configure the RADIUS server template rd1.
      [SwitchA] radius-server template rd1
      [SwitchA-radius-rd1] radius-server authentication 192.168.100.100 1812
      [SwitchA-radius-rd1] radius-server accounting 192.168.100.100 1813
      [SwitchA-radius-rd1] radius-server shared-key cipher Huawei@2014
      [SwitchA-radius-rd1] quit
      
      # Create an AAA authentication scheme abc and set the authentication mode to RADIUS.
      [SwitchA] aaa
      [SwitchA-aaa] authentication-scheme abc
      [SwitchA-aaa-authen-abc] authentication-mode radius
      [SwitchA-aaa-authen-abc] quit
      # Configure an accounting scheme acco1. Set the accounting mode to RADIUS so that the RADIUS server can maintain account status, such as login, log-off and forced log-off.
      [SwitchA-aaa] accounting-scheme acco1
      [SwitchA-aaa-accounting-acco1] accounting-mode radius
      [SwitchA-aaa-accounting-acco1] accounting realtime 15    //Set the real-time accounting interval to 15 minutes.
      [SwitchA-aaa-accounting-acco1] quit
      # Create an authentication domain isp, and bind the AAA authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.
      [SwitchA-aaa] domain isp
      [SwitchA-aaa-domain-isp] authentication-scheme abc
      [SwitchA-aaa-domain-isp] accounting-scheme acco1
      [SwitchA-aaa-domain-isp] radius-server rd1
      [SwitchA-aaa-domain-isp] quit
      [SwitchA-aaa] quit
      # Configure the global default domain isp. During access authentication, enter a user name in the format user@isp to perform AAA authentication in the domain isp. If the user name does not contain a domain name or contains an invalid domain name, the user is authenticated in the default domain.
      [SwitchA] domain isp

    4. Enable 802.1X and MAC address authentication.

      # Set the NAC mode to unified.
      [SwitchA] authentication unified-mode

      By default, the unified mode is enabled. After the NAC mode is changed, the device automatically restarts.

      # Configure an 802.1X access profile.

      By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.

      [SwitchA] dot1x-access-profile name d1
      [SwitchA-dot1x-access-profile-d1] dot1x authentication-method eap
      [SwitchA-dot1x-access-profile-d1] dot1x timer client-timeout 30
      [SwitchA-dot1x-access-profile-d1] quit
      # Configure a MAC access profile.
      [SwitchA] mac-access-profile name m1
      [SwitchA-mac-access-profile-m1] mac-authen username fixed A-123 password cipher Huawei123    //Set the user name mode for MAC address authentication to fixed user name. Set the user name to A-123 and the password to Huawei123.
      [SwitchA-mac-access-profile-m1] quit

      With a fixed user name, the switch submits the same credential for every MAC address it sees on the interface, so the RADIUS server cannot tell one dumb terminal from another and any device plugged into the interface passes MAC address authentication. This example reuses the employee account A-123 for simplicity; in production, use a dedicated account for dumb terminals, or use the terminal MAC address as the user name (mac-authen username macaddress) so that the server can hold one account per terminal.
      # Configure an authentication profile.
      [SwitchA] authentication-profile name p1
      [SwitchA-authen-profile-p1] mac-access-profile m1    //Bind the MAC access profile m1.
      [SwitchA-authen-profile-p1] dot1x-access-profile d1    //Bind the 802.1X access profile d1.
      [SwitchA-authen-profile-p1] quit
      # Enable 802.1X authentication and MAC address authentication on GE0/0/1 and GE0/0/2.
      [SwitchA] interface gigabitethernet 0/0/1
      [SwitchA-GigabitEthernet0/0/1] authentication-profile p1    //Bind the authentication profile p1 and enable 802.1X + MAC address combined authentication.
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2
      [SwitchA-GigabitEthernet0/0/2] authentication-profile p1    //Bind the authentication profile p1 and enable 802.1X + MAC address combined authentication.
      [SwitchA-GigabitEthernet0/0/2] quit

      # (Recommended) Configure the source IP address and source MAC address of offline detection packets in a specified VLAN. You are advised to use the user gateway IP address and its MAC address. In this example 192.168.200.1 is the VLANIF 200 address; 2222-1111-1234 is a placeholder and must be replaced with the actual MAC address of VLANIF 200 on SwitchA.

      [SwitchA] access-user arp-detect vlan 200 ip-address 192.168.200.1 mac-address 2222-1111-1234
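      The configuration notes require the RADIUS shared key on SwitchA and on the Agile Controller-Campus to match. The following added example (written for this page, not code from Huawei or the Agile Controller-Campus) shows why, by building the RADIUS Access-Request that SwitchA sends for a MAC-authenticated terminal with the fixed credential from mac-access-profile m1 and then checking it on the server side. The User-Password attribute is hidden with MD5(shared key + Request Authenticator) as specified in RFC 2865; the server recovers the password only when it uses the same key. The shared key, NAS address and account are taken from the data plan above; the terminal MAC address, the packet identifier and the in-memory account store are constructed for the demo.

```python
import hashlib
import os
import socket
import struct

# Values from this page's data plan; the MAC address used below is constructed for the demo.
SHARED_KEY = b"Huawei@2014"        # RADIUS shared key on SwitchA and on the Agile Controller-Campus
NAS_IP = "192.168.10.10"            # SwitchA (the NAS) as added on the controller
MAC_AUTH_USER = b"A-123"            # fixed user name from mac-access-profile m1
MAC_AUTH_PASS = b"Huawei123"        # fixed password from mac-access-profile m1

# RADIUS attribute types used here (RFC 2865) and the Access-Request code.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 2, 4, 31, 61
ACCESS_REQUEST = 1


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden, prev = hidden + block, block
    return hidden


def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; the server recovers the password only with the same secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear, prev = clear + bytes(h ^ m for h, m in zip(block, mask)), block
    return clear.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (length covers the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes, username: bytes,
                         password: bytes, secret: bytes, mac: str) -> bytes:
    """What SwitchA sends for a MAC-authenticated terminal: PAP credentials plus NAS identity."""
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, pap_hide(password, secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(NAS_IP))
             + attribute(CALLING_STATION_ID, mac.encode())
             + attribute(NAS_PORT_TYPE, struct.pack("!I", 15)))   # 15 = Ethernet
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list that follows the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[kind] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def server_accepts(packet: bytes, secret: bytes, accounts: dict) -> bool:
    """Server side: recover User-Password with its own secret and compare with the account store."""
    if packet[0] != ACCESS_REQUEST or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    authenticator = packet[4:20]
    attrs = parse_attributes(packet)
    password = pap_unhide(attrs[USER_PASSWORD], secret, authenticator)
    return accounts.get(attrs[USER_NAME]) == password


if __name__ == "__main__":
    accounts = {MAC_AUTH_USER: MAC_AUTH_PASS}     # the account created on the controller
    request = build_access_request(1, os.urandom(16), MAC_AUTH_USER, MAC_AUTH_PASS,
                                   SHARED_KEY, "00-11-22-33-44-55")
    print("matching keys  ->", server_accepts(request, SHARED_KEY, accounts))      # True
    print("mismatched key ->", server_accepts(request, b"Huawei@2015", accounts))  # False
```

      Note that the hiding scheme is an obfuscation keyed by the shared key, not an authenticated encryption: anyone who captures RADIUS traffic between SwitchA and the server and knows or guesses the shared key recovers every PAP password, which is one more reason to keep the key strong and the switch-to-server path on a management VLAN.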

  3. Configure the Agile Controller-Campus.
    1. Log in to the Agile Controller-Campus.

      1. Open Internet Explorer, enter the Agile Controller-Campus address in the address box, and press Enter.
        The Agile Controller-Campus can be reached at either of the following addresses:

        • https://Agile Controller-Campus-IP:8443, where Agile Controller-Campus-IP is the Agile Controller-Campus IP address.
        • The Agile Controller-Campus IP address alone. If port 80 was enabled during installation, you can enter the IP address without a port number; the browser is then redirected to https://Agile Controller-Campus-IP:8443.

      2. Enter the administrator account and password.

        If you log in to the Agile Controller-Campus for the first time, use the super administrator account admin and password Changeme123. Change the password immediately after logging in. Otherwise, the Agile Controller-Campus cannot be used.

    2. Create a department and an account.

      1. Choose Resource > User > User Management.
      2. Click the Department tab in the operation area on the right. Then click Add under the Department tab, and add the department R&D.

      3. Click the User tab in the operation area on the right. Then click Add under the User tab, and add the user A.

      4. Click the icon in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password Huawei123.

      5. On the User tab page, select user A and click Transfer to add user A to the R&D department.

    3. Add switches to the Agile Controller-Campus so that the switches can communicate with the Agile Controller-Campus.

      1. Choose Resource > Device > Device Management.

      2. Click Permission Control Device Group in the navigation tree, and click Add SubGroup to create the device group Switch.

      3. Click the device group in the navigation tree, select All Device, and click Add to add a network access device.

      4. Set connection parameters on the Add Device page.

        • Name: SwitchA
        • IP Address: 192.168.10.10. This is the interface address through which the switch communicates with the Agile Controller-Campus (VLANIF 100 on SwitchA).
        • Device Series: Huawei Quidway series switch
        • Authentication Key: Huawei@2014. It must be the same as the shared key of the RADIUS authentication server configured on the switch.
        • Charging Key: Huawei@2014. It must be the same as the shared key of the RADIUS accounting server configured on the switch.
        • Real-time charging interval (minute): 15. It must be the same as the real-time accounting interval configured on the switch.

      5. Click Permission Control Device Group in the navigation tree, select SwitchA, and click Move to move SwitchA to the device group Switch. Only SwitchA is added: it is the switch that performs authentication and sends RADIUS packets. SwitchC and SwitchD only transparently transmit 802.1X packets and are not RADIUS clients of the Agile Controller-Campus.

    4. Add an authentication rule.

      1. Choose Policy > Permission Control > Authentication and Authorization > Authentication Rule and click Add to create an authentication rule.

      2. Configure basic information for the authentication rule.

        • Name: Access authentication rule
        • Service Type: Access service
        • Authentication Condition: Device group Switch. Customize the authentication conditions based on the requirements of your network.
        • Please select the allowed authentication protocol:
            • PAP
            • CHAP
            • EAP-MD5
            • EAP-PEAP-MSCHAPv2
            • EAP-TLS
            • EAP-PEAP-GTC
            • EAP-TTLS-PAP

        The 802.1X access profile d1 relays EAP, so the protocols enabled here must include the EAP method your 802.1X clients use; MAC address authentication submits the fixed credential with PAP or CHAP, so one of those must stay enabled as well. Enable only the methods actually in use. EAP-MD5 and PAP carry no server authentication and weak password protection, so prefer EAP-TLS or EAP-PEAP-MSCHAPv2 for employee terminals.

    5. Add an authorization result.

      1. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result and click Add to create an authorization result.

      2. Configure basic information for the authorization result.

        • Name: Post-authentication domain
        • Service Type: Access service
        • ACL Number/AAA User Group: 3002. The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.

    6. Add an authorization rule.

      After a user passes authentication, the authorization phase starts. The Agile Controller-Campus grants the user access rights based on the authorization rule.

      1. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule and click Add to create an authorization rule.

      2. Configure basic information for the authorization rule.

        • Name: Authorization rule for R&D employees
        • Service Type: Access service
        • Access Device Group: Switch
        • Authorization Result: Post-authentication domain

  4. Verify the configuration.

    • Before passing authentication, an employee can reach only the Agile Controller-Campus server.
    • After passing authentication, the employee can access the resources in the post-authentication domain (192.168.102.100) and nothing else, as permitted by ACL 3002.
    • After the employee passes authentication, run the display access-user command on SwitchA. The command output shows the online employee.

Configuration Files

  • SwitchA configuration file

    #
    sysname SwitchA
    #
    vlan batch 100 200
    #
    authentication-profile name p1
     dot1x-access-profile d1
     mac-access-profile m1
    #
    domain isp
    #
    access-user arp-detect vlan 200 ip-address 192.168.200.1 mac-address 2222-1111-1234
    #
    radius-server template rd1
     radius-server shared-key cipher %#%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%#%#
     radius-server authentication 192.168.100.100 1812 weight 80
     radius-server accounting 192.168.100.100 1813 weight 80
    #
    dot1x-access-profile name d1
    #
    mac-access-profile name m1
     mac-authen username fixed A-123 password cipher %#%#'Fxw8E,G-81(A3U<^HH9Sj\:&hTdd>R>HILQYLtW%#%#
    #
    acl number 3002
     rule 1 permit ip destination 192.168.102.100 0
     rule 2 deny ip
    #
    aaa
     authentication-scheme abc
      authentication-mode radius
     accounting-scheme acco1
      accounting-mode radius
      accounting realtime 15
     domain isp
      authentication-scheme abc
      accounting-scheme acco1
      radius-server rd1
    #
    interface Vlanif100
     ip address 192.168.10.10 255.255.255.0
    #
    interface Vlanif200
     ip address 192.168.200.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 200
     authentication-profile p1
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 200
     authentication-profile p1
    #
    interface GigabitEthernet0/0/6
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    ip route-static 192.168.100.0 255.255.255.0 192.168.10.10
    ip route-static 192.168.102.0 255.255.255.0 192.168.10.10
    #
    return 
  • SwitchC configuration file

    #
    sysname SwitchC
    #
    vlan batch 200
    #
    l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
    #
    interface GigabitEthernet0/0/1
     port link-type access
     port default vlan 200
     l2protocol-tunnel user-defined-protocol 802.1x enable
    #
    interface GigabitEthernet0/0/2
     port link-type access
     port default vlan 200
     l2protocol-tunnel user-defined-protocol 802.1x enable
    #
    interface GigabitEthernet0/0/3
     port link-type trunk
     port trunk allow-pass vlan 200
     l2protocol-tunnel user-defined-protocol 802.1x enable
    #
    return 
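  Several parameters must agree between the switch and the Agile Controller-Campus: the RADIUS server address and ports, the real-time accounting interval, the device IP address registered on the controller, and the ACL number delivered by the authorization result. The following added example (written for this page, not a Huawei tool) parses the SwitchA configuration file above and reports any mismatch against the values entered on the controller. The configuration excerpt and the CONTROLLER dictionary are constructed from the tables on this page; the section parser assumes the VRP convention that top-level blocks are separated by lines containing only "#". The shared keys are deliberately not compared, because the running configuration stores them only as cipher text.

```python
import re

# Constructed excerpt of the SwitchA configuration file shown above (cipher text shortened).
SWITCHA_CONFIG = """\
#
sysname SwitchA
#
authentication-profile name p1
 dot1x-access-profile d1
 mac-access-profile m1
#
domain isp
#
radius-server template rd1
 radius-server shared-key cipher %#%#...%#%#
 radius-server authentication 192.168.100.100 1812 weight 80
 radius-server accounting 192.168.100.100 1813 weight 80
#
acl number 3002
 rule 1 permit ip destination 192.168.102.100 0
 rule 2 deny ip
#
aaa
 authentication-scheme abc
  authentication-mode radius
 accounting-scheme acco1
  accounting-mode radius
  accounting realtime 15
 domain isp
  authentication-scheme abc
  accounting-scheme acco1
  radius-server rd1
#
interface Vlanif100
 ip address 192.168.10.10 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 200
 authentication-profile p1
#
return
"""

# Constructed: the values entered on the Agile Controller-Campus (Add Device page, authorization result).
CONTROLLER = {
    "device_ip": "192.168.10.10",      # IP Address of SwitchA on the Add Device page
    "server_ip": "192.168.100.100",    # the controller itself, as configured on the switch
    "auth_port": 1812,
    "acct_port": 1813,
    "realtime_interval": 15,           # Real-time charging interval (minute)
    "authorization_acl": 3002,         # ACL Number in the authorization result
}


def sections(config: str):
    """Split a VRP configuration into (header, [child lines]) blocks using the '#' separators."""
    result = []
    for chunk in config.split("\n#\n"):
        lines = [line.rstrip() for line in chunk.splitlines() if line.strip() and line.strip() != "#"]
        if lines:
            result.append((lines[0].strip(), [line.strip() for line in lines[1:]]))
    return result


def check_consistency(config: str, ctl: dict) -> list:
    """Return the list of mismatches between the switch configuration and the controller's parameters."""
    secs = sections(config)
    findings = []

    def blocks(prefix):
        return [(h, c) for h, c in secs if h.startswith(prefix)]

    # RADIUS server address and ports in every template must point at the controller.
    for header, lines in blocks("radius-server template"):
        for line in lines:
            m = re.match(r"radius-server (authentication|accounting) (\S+) (\d+)", line)
            if m:
                kind, ip, port = m.group(1), m.group(2), int(m.group(3))
                want_port = ctl["auth_port"] if kind == "authentication" else ctl["acct_port"]
                if (ip, port) != (ctl["server_ip"], want_port):
                    findings.append(f"{header}: {kind} server {ip}:{port}, controller expects "
                                    f"{ctl['server_ip']}:{want_port}")

    # The real-time accounting interval must equal the controller's charging interval.
    intervals = [int(m.group(1)) for _, lines in blocks("aaa") for line in lines
                 for m in [re.match(r"accounting realtime (\d+)", line)] if m]
    if ctl["realtime_interval"] not in intervals:
        findings.append(f"accounting realtime {intervals} on switch, controller uses {ctl['realtime_interval']}")

    # The device IP registered on the controller must be an address the switch owns.
    switch_ips = {m.group(1) for _, lines in blocks("interface Vlanif") for line in lines
                  for m in [re.match(r"ip address (\S+)", line)] if m}
    if ctl["device_ip"] not in switch_ips:
        findings.append(f"controller device IP {ctl['device_ip']} is not configured on the switch")

    # The ACL delivered by the authorization result must exist on the switch.
    acls = {int(h.split()[-1]) for h, _ in blocks("acl number")}
    if ctl["authorization_acl"] not in acls:
        findings.append(f"authorization ACL {ctl['authorization_acl']} not defined on switch (have {sorted(acls)})")

    # Every authentication-profile bound on an interface must be defined.
    profiles = {h.split()[-1] for h, _ in blocks("authentication-profile name")}
    for header, lines in blocks("interface GigabitEthernet"):
        for line in lines:
            m = re.match(r"authentication-profile (\S+)", line)
            if m and m.group(1) not in profiles:
                findings.append(f"{header}: authentication-profile {m.group(1)} is not defined")

    return findings


if __name__ == "__main__":
    for finding in check_consistency(SWITCHA_CONFIG, CONTROLLER) or ["no mismatches found"]:
        print(finding)
```

  Run the script against the output of display current-configuration on the real switch and the values read from the Add Device page and the authorization result; a mismatch in the RADIUS ports or the accounting interval shows up here before it shows up as a silent authentication failure or as users being logged off at the wrong time.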
Copyright © Huawei Technologies Co., Ltd.