[Background description]
Before a user passes 802.1X authentication, the user's port belongs to one VLAN, the Guest VLAN. Unauthenticated client computers are placed in the Guest VLAN and can only reach the resources of the server in that VLAN. After successful authentication the port leaves the Guest VLAN and the user can access the network resources assigned to that user.
In the example above, once the computer connected to port 1 passes authentication, the switch automatically adds port 1 to VLAN 10. The client computer can then access the resources on Server 2. Client 2 and Client 3 do not pass authentication, so they stay in the Guest VLAN and can only reach Server 1, not Server 2. Note that the Guest VLAN only supports port-based 802.1X; it does not support MAC-based 802.1X.
[Experiment topology]
Ports 1-12 of the switch are placed in V10, V10 is set as the Guest VLAN, and ports 1-8 are set as the ports that require authentication. Ports 13-24 of the switch are placed in V20. The experiment should produce the following result: when PC1 is connected to any of ports 1-8 and is authenticated by the authentication server, the switch automatically moves the port PC1 is connected to into V20, and PC1 and PC2 can then communicate with each other.
Topology description: authentication server IP 192.168.0.10; switch IP 192.168.0.250; IP of the computer being authenticated 192.168.0.101; IP of the PC in V20 192.168.0.100. Orange ports belong to the Guest VLAN, named V10 with VID 10; blue ports belong to the VLAN named V20 with VID 20; green ports are the ports on which 802.1X authentication is required.
[Experimental equipment] 1 DGS-3627 switch, 3 PCs for testing, several network cables.
[Tutorial step] Connect the console port of the switch to the serial port of a PC and enter the switch configuration interface through HyperTerminal, as shown in the figure. On the PC, open "Start > Programs > Accessories > Communications > HyperTerminal" to reach the HyperTerminal interface.
Set bits per second to 115200, data bits to 8, parity to None, stop bits to 1, and flow control to Hardware. Note: console port settings differ between switch models; refer to the manual for details. Click OK to reach the switch configuration page, which prompts for a user name and password. If no user name or password has been set, press ENTER twice to enter configuration mode.
Create VLAN 10 and VLAN 20, add ports 1-12 of the switch to VLAN 10, and add ports 13-24 to VLAN 20.
"config vlan default dele 1-24" removes ports 1-24 from the default VLAN. "create vlan v10 tag 10" creates VLAN 10 with the name v10. "config vlan v10 add untag 1-12" adds ports 1-12 of the switch to VLAN 10 as untagged ports. VLAN 20 is created in the same way, and switch ports 13-24 are added to V20.
Change the IP address of the switch to 192.168.0.1 and assign it to V10. For PC authentication to work, the RADIUS server and the switch must be able to communicate, so we place the RADIUS server in V10. By default the switch's IP address belongs to the default VLAN, so it must be assigned to V10.
By default, 802.1X is disabled on the switch; use the "enable 802.1x" command to enable it. Create a Guest VLAN, specify V10 as the Guest VLAN, and enable the Guest VLAN function on switch ports 1-12. Then configure the authentication (RADIUS server) information on the switch.
Set ports 1-8 of the switch as ports requiring authentication. Computers connected to these ports must pass authentication before they can access the network; otherwise they can only communicate with computers in the same Guest VLAN.
Prepare the authentication server: the authentication server used here is FreeRADIUS.net-1.1.5-r0.0.3. The following describes how to prepare it. Open the clients.conf file in the X:\FreeRADIUS.net\etc\raddb folder and add the content; 123456 is the shared key used between the authentication server and the switch, and "X" is the drive letter on which the server software is installed.
Open the users.conf file in the X:\FreeRADIUS.net\etc\raddb folder and add the content; "test" is the user name and password of the computer to be authenticated, and "20" is the VLAN ID into which the computer is placed after it passes authentication.
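As an added illustration (not the original tutorial's screenshots), the two FreeRADIUS entries described above, using the page's values: the switch as a RADIUS client with the shared key 123456, and a user "test" whose Access-Accept carries the standard RFC 3580 tunnel attributes that tell the switch to place the port in VLAN 20. The client address 192.168.0.250 is the switch IP from the topology; if the switch address was changed to 192.168.0.1 as in the tutorial steps, the client entry must use that address instead, or the switch's requests will be silently dropped.

```conf
# --- clients.conf (X:\FreeRADIUS.net\etc\raddb\clients.conf) ---
# Registers the switch as a RADIUS client. The address must match the one the
# switch sources its RADIUS requests from (192.168.0.250 per the topology;
# 192.168.0.1 if the switch IP was changed as in the tutorial steps).
client 192.168.0.250 {
    secret    = 123456      # shared key from the tutorial; use a long random value in production
    shortname = dgs3627     # label shown in the server's debug output
}

# --- users.conf (X:\FreeRADIUS.net\etc\raddb\users.conf) ---
# User "test" with password "test". The three Tunnel-* reply attributes are what
# the switch reads to move the authenticated port into VLAN 20 (VID 20 = V20).
test    Cleartext-Password := "test"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"
```

If the Tunnel-* attributes are omitted, authentication still succeeds but the port is not moved out of the Guest VLAN, which is the first thing to check when "show vlan" still lists the port in V10 after a successful login.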
Before starting the authentication server, make sure that the server can communicate with the switch; otherwise the switch cannot relay authentication traffic between the computer and the server.
After the authentication server starts, a circular icon appears in the lower right corner of the desktop. Right-click the icon and click the button shown in the figure to open the server's debug mode, which lets you observe the computer's authentication process.
The authentication client (PC1) runs Windows XP in this example. First, make sure that 802.1X authentication is enabled: open "Local Area Connection > Properties > Authentication" and configure it as shown in the figure below. When authentication starts, the user is prompted to enter a user name and password.
Enter the user name "test" and password "test" and wait for the server to authenticate. The authentication process can be observed on the authentication server, as shown in the figure.
This is the status of the switch before PC1 passes authentication: port 1 of the switch shows that a client is connected but has not been authenticated.
The "show vlan" command shows that port 1 is still in V10.
This indicates that the client computer PC1 has been authenticated.
At this point the computer connected to port 1 is authenticated.
Run the "show vlan" command again to check the port membership: port 1 of the switch has now been moved into V20 by the switch. This verifies that the Guest VLAN configuration is correct, and communication between PC1 and PC2 now works as expected.
[Experiment conclusion] The port-based access control protocol 802.1X is widely used in wired LANs and WLANs to prevent unauthorized users from accessing the network. In an 802.1X deployment, if a Guest VLAN is specified for a switch port, users on that port become members of the Guest VLAN when authentication fails or when they have no user account at all, and they can use the network resources available within that group. This provides a minimum level of service for certain groups of network applications while keeping a security perimeter around the rest of the network. If client authentication succeeds, more network functions and more network resources become available. The Guest VLAN is therefore a flexible network access solution.