18.6.3 Example of RADIUS authentication, authorization, and billing configuration for 802.1X users
In 802.1X authentication, a remote RADIUS server is the most commonly used form of AAA access control. The RADIUS server can not only perform the required authentication of 802.1X users, but also authorize and bill them. The topology of this example is shown in Figure 18-6; the RADIUS server is the widely used IMC system developed by H3C. The task is to use the RADIUS server to implement authentication, authorization, and billing for 802.1X users who connect through the switch. The specific requirements are as follows:
- Access users are 802.1X-authenticated on access port GigabitEthernet1/0/1, using the MAC address-based access control method.
- The shared key the switch uses for the messages it exchanges with the RADIUS server is expert; the authentication/authorization and billing (accounting) port numbers are 1812 and 1813, respectively; and the user name sent to the RADIUS server carries the domain name.
- The user name used for user authentication is dot1x@bbb.
- After the user authenticates successfully, the authentication server issues authorized VLAN 4 and the user's port joins that VLAN, allowing the user to access the network resources in the VLAN.
- 802.1X users are billed monthly at 120 yuan/month; usage is measured as the duration of the user's Internet access within the monthly cycle, and at most 120 hours of Internet use are allowed per month.
Compared with the example in the previous section, the requirements of this example are significantly more demanding, although both use the IMC RADIUS server. This example has two requirements that the previous one did not: IEEE 802.1X authentication with MAC address-based access control, and RADIUS billing. The RADIUS billing feature in particular is more complex to configure, because a billing policy must also be configured. The specific configuration method for IEEE 802.1X authentication on H3C Ethernet switches is presented in Chapter 19 of this book.
The basic configuration approach follows from an analysis of these requirements. In general, it covers four aspects: (1) enabling IEEE 802.1X authentication and MAC address-based access control on the switch and on the corresponding port; (2) configuring the authentication/authorization and billing server functions of the IMC RADIUS server; (3) configuring the RADIUS authentication, authorization, and billing scheme; and (4) configuring the AAA scheme of the ISP domain for IEEE 802.1X users so that it calls the previously configured RADIUS scheme. Each is described separately below.
Figure 18-6 Example of RADIUS authentication, authorization, and billing configuration for 802.1X users
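The following Python sketch is an added example, not code from the book or from H3C. It shows how the shared key expert protects the Access-Accept that authorizes VLAN 4, and how the switch side would check it before moving the port. It assumes the VLAN is delivered with the standard RFC 3580 tunnel attributes; the packet identifier and Request Authenticator are constructed values, and the function names are hypothetical.

```python
import hashlib, hmac, os, struct

SECRET = b"expert"                       # shared key from the requirements above
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81   # RFC 2868 attribute types
VLAN, IEEE_802 = (13).to_bytes(3, "big"), (6).to_bytes(3, "big")

def attr(t, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([t, len(value) + 2]) + value

def build_accept(ident, req_auth, vlan, secret):
    """Server side: Access-Accept (code 2) carrying the VLAN assignment."""
    attrs = (attr(TUNNEL_TYPE, b"\x00" + VLAN)
             + attr(TUNNEL_MEDIUM, b"\x00" + IEEE_802)
             + attr(TUNNEL_PGID, str(vlan).encode()))
    hdr = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    # RFC 2865 Response Authenticator: MD5 over header, request auth, attrs, key
    return hdr + hashlib.md5(hdr + req_auth + attrs + secret).digest() + attrs

def authorized_vlan(packet, req_auth, secret):
    """Switch side: return the authorized VLAN, or None if the reply is not trusted."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                      # wrong shared key or modified packet
    found, i = {}, 0
    while i + 2 <= len(attrs):
        t, l = attrs[i], attrs[i + 1]
        if l < 2 or i + l > len(attrs):
            return None                  # malformed attribute: reject the packet
        found[t] = attrs[i + 2:i + l]
        i += l
    if found.get(TUNNEL_TYPE, b"")[1:] != VLAN:
        return None
    if found.get(TUNNEL_MEDIUM, b"")[1:] != IEEE_802:
        return None
    pgid = found.get(TUNNEL_PGID, b"")
    if pgid[:1] and pgid[0] <= 0x1F:     # optional tag byte precedes the string
        pgid = pgid[1:]
    return int(pgid) if pgid.isdigit() else None

REQ_AUTH = os.urandom(16)                # constructed Request Authenticator
ACCEPT = build_accept(7, REQ_AUTH, 4, SECRET)   # constructed reply for dot1x@bbb
```

A reply computed with a different key, or altered after the server built it, fails the authenticator check and no VLAN is applied.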