
Example for Configuring 802.1X Authentication (Authentication Point on the Access Switch)

Networking Requirements

In Figure 1, terminals in a company's offices are connected to the company's intranet through the switch. GE0/0/2 to GE0/0/n on the switch are directly connected to terminals in offices. GE0/0/1 on the switch is connected to the RADIUS server through the intranet.

To meet the company's high security requirements, configure 802.1X authentication, use the RADIUS server to authenticate terminals in offices, and deploy authentication points on GE0/0/2 to GE0/0/n of the switch.

Figure 1 Networking diagram for configuring 802.1X authentication

Configuration Roadmap

The configuration roadmap is as follows:

  1. Specify the VLANs to which interfaces belong.
  2. Configure an IP address for each VLANIF interface.
  3. Configure AAA on the switch to implement identity authentication on access users through the RADIUS server. The configuration includes configuring a RADIUS server template, an AAA scheme, and an authentication domain, and binding the RADIUS server template and AAA scheme to the authentication domain.
  4. Configure 802.1X authentication to control network access rights of the employees in offices, including the 802.1X profile, authentication profile, and 802.1X authentication on interfaces.

Before performing the following operations, ensure that there are reachable routes between user terminals and the server.

Procedure

  1. Specify the VLANs to which interfaces belong.
    1. Choose Configuration > Basic Services > Interface Settings > Service Interface Setting. Click Connect to PC.
    2. Select GE0/0/2 from Step 2: Select Interface, set Interface Status below Step 3: Configure Interface to ON, and enter 20 for Default VLAN. The other parameters do not need to be set. Configure GE0/0/1 in the same way, as shown in Figure 2 and Figure 3.

      Figure 2 Configure GE0/0/2

      Figure 3 Configure GE0/0/1

    3. Click Apply. In the dialog box that is displayed, click OK.
    4. The configurations of GE0/0/3 to GE0/0/n are the same as the configuration of GE0/0/2.
  2. Configure an IP address for each VLANIF interface.
    1. Choose Configuration > Basic Services > VLAN to access the VLAN configuration page.
    2. Click a record below VLAN ID to open the Modify VLAN page. Select Create VLANIF and set IPv4 address and Mask, as shown in Figure 4 and Figure 5.

      Figure 4 Configure VLANIF 10

      Figure 5 Configure VLANIF 20

    3. After setting the parameters, click OK.
  3. Configure AAA.
    1. Choose Configuration > Security Services > AAA, click the RADIUS tab, and click Create to create and configure the RADIUS server template rd1. Set parameters according to Figure 6 and click OK.

      Figure 6 Configure a RADIUS server template

    2. Click the Authentication/Authorization/Accounting Scheme tab, and click Create to create the AAA authentication scheme abc and set the authentication mode to RADIUS. Set parameters according to Figure 7 and click OK.

      Figure 7 Configure an AAA authentication scheme

    3. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile > Domain Profile to open the Domain Profile List page. Click Create to access the Create Domain Profile page. Enter huawei.com for Profile name and click OK. The authentication domain huawei.com is created and the AAA authentication scheme abc and RADIUS server template rd1 are bound to the authentication domain. Set parameters according to Figure 8 and click Apply.

      Figure 8 Configure an authentication domain

  4. Configure 802.1X authentication.
    1. Run the authentication unified-mode command in the system view to set the NAC mode to unified.

      By default, the unified mode is used. The switch restarts after the NAC mode is changed between the common mode and unified mode.

    2. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile > 802.1X Profile to access the 802.1X Profile List page. Click Create. The Create 802.1X Profile page is displayed. Enter d1 for Profile name and click OK to create an 802.1X profile. Set parameters according to Figure 9 and click Apply to complete the configuration of the 802.1X profile d1.

      Figure 9 Configure the 802.1X profile

    3. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile to access the Authentication Profile List page. Click Create and enter p1 for Profile name, as shown in Figure 10. Click OK to create the authentication profile p1.

      Figure 10 Create an Authentication Profile

    4. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile > p1 > 802.1X Profile. Select d1 from the 802.1X Profile drop-down list, as shown in Figure 11, and click Apply to bind the 802.1X profile d1 to the authentication profile p1.

      Figure 11 Bind the authentication profile to 802.1X profile

    5. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile > p1 > Domain Profile. Select huawei.com from the Domain Profile drop-down list, as shown in Figure 12, and click Apply to apply the authentication domain huawei.com to the authentication profile p1.

      Figure 12 Bind authentication profile to authentication domain

    6. Choose Configuration > Security Services > AAA Service App > Wired Interface Authentication. Select GE0/0/2 on the front panel. Select p1 from Authentication Profile, as shown in Figure 13, and click Apply. Configure GE0/0/3 to GE0/0/n in the same way.

      Figure 13 Bind authentication profile to interface

Operation Result

  • Start the 802.1X client on a terminal, and enter the user name and password for authentication.
  • If the user name and password are correct, the client page displays an authentication success message and you can access the Internet.
  • After going online, log in to the web system. Choose Monitoring > User > Wired User Statistics. The 802.1X user information is displayed.
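
A configuration audit for the end state of this procedure, as an added example that is not Huawei's code: it parses an exported configuration and checks that every terminal-facing port is bound to an authentication profile whose 802.1X profile and RADIUS-backed domain exist. The sample text is constructed, its CLI syntax is an assumed equivalent of the web settings above (compare it with your device's `display current-configuration` output), and `parse`, `arg` and `audit` are hypothetical helper names.

```python
# Constructed sample in CLI form using this page's names; GE0/0/3 is left unbound.
SAMPLE = """\
radius-server template rd1
aaa
 authentication-scheme abc
  authentication-mode radius
 domain huawei.com
  authentication-scheme abc
  radius-server rd1
dot1x-access-profile name d1
authentication-profile name p1
 dot1x-access-profile d1
 access-domain huawei.com force
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/2
 authentication-profile p1
interface GigabitEthernet0/0/3
"""

def parse(config):  # indentation tree: {line: {child line: {...}}}
    stack = [(-1, {})]  # the root entry is never popped
    for raw in (r for r in config.splitlines() if r.strip() not in ("", "#")):
        depth = len(raw) - len(raw.lstrip())
        while stack[-1][0] >= depth:
            stack.pop()
        stack.append((depth, stack[-1][1].setdefault(raw.strip(), {})))
    return stack[0][1]
def arg(node, kw):  # first argument of child line `kw ...`, or None
    return next((w[1] for w in map(str.split, node) if w[0] == kw and len(w) > 1), None)

def audit(config, uplinks=("GigabitEthernet0/0/1",)):
    tree, out = parse(config), []
    aaa = tree.get("aaa", {})
    for head, node in tree.items():
        port = head.split()[-1]
        if not head.startswith("interface GigabitEthernet") or port in uplinks:
            continue
        prof = arg(node, "authentication-profile")
        pnode = tree.get(f"authentication-profile name {prof}")
        if pnode is None:
            out.append(f"{port}: no defined authentication profile bound")
            continue
        dom = aaa.get(f"domain {arg(pnode, 'access-domain')}", {})
        scheme = aaa.get(f"authentication-scheme {arg(dom, 'authentication-scheme')}", {})
        tmpl = f"radius-server template {arg(dom, 'radius-server')}"
        if f"dot1x-access-profile name {arg(pnode, 'dot1x-access-profile')}" not in tree:
            out.append(f"{port}: {prof} has no 802.1X profile")
        if arg(scheme, "authentication-mode") != "radius" or tmpl not in tree:
            out.append(f"{port}: {prof} domain is not backed by RADIUS")
    return out
```

Calling `audit(SAMPLE)` returns one finding, for GigabitEthernet0/0/3; pass the RADIUS-facing uplink in `uplinks` so that GE0/0/1 is not reported as an unauthenticated access port.
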
Copyright © Huawei Technologies Co., Ltd.