Switch 802.1X Authentication Configuration

Source: Internet
Author: User

Port-based network access control (802.1X) is a technology used to authenticate users before they can use a LAN switch or a wireless LAN access point. On a common LAN switch, connecting a cable to a port is enough to use the LAN. On a LAN switch that supports 802.1X, however, connecting a cable does not grant LAN access: the LAN can be used only after the connected PC has been authenticated and confirmed to be a valid user. Based on the authentication result, the LAN switch either forwards or blocks the traffic sent by the user. Wireless LAN access points work on essentially the same principle.

The IEEE 802.1X architecture consists of three parts: the Supplicant System (client), the Authenticator System (authentication device) and the Authentication Server System (authentication server). The Authenticator is the device that implements IEEE 802.1X towards the client (such as a LAN switch); the IEEE 802.1X client is generally installed on the user PC, typically the client built into the Windows XP operating system; the IEEE 802.1X authentication server generally resides in the carrier's AAA center. The authentication server can be a standard RADIUS authentication server or a service switch. The latter is mainly used in scenarios with a small network size (about 300 users); in the new software version, the Quidway 3000 and later switches of Huawei-3Com all provide a built-in authentication server function, and user authentication is configured through the internal cluster communication protocol of Huawei-3Com.

Before the user passes authentication, only the authentication (uncontrolled) port of physical port E0/1, to which PC1 is connected, is open; the data (controlled) port is closed. Therefore, before PC1 passes dot1x authentication, only authentication packets are forwarded through port E0/1 and PC1 cannot access the Internet. Once PC1 passes dot1x authentication, the data port of E0/1 is enabled and PC1 can access the Internet normally.
[Configuration environment parameters]
1. PC1 and PC2 belong to VLAN10 and VLAN20 respectively and connect to ports E0/1 and E0/2 of SwitchA respectively. SwitchA connects to the remote RADIUS server through port G1/1; the interface Vlan-interface 100 faces the RADIUS server and has the address 192.168.0.100/24.
2. Two user network segments hang off SwitchA: VLAN10 contains ports E0/1 to E0/10 with the address 10.10.1.1/24, and VLAN20 contains ports E0/11 to E0/20 with the address 10.10.2.1/24.

[Network requirements]
1. Start 802.1X authentication on SwitchA and complete authentication of PC1 and PC2.
2. Start 802.1X authentication on SwitchA and perform remote RADIUS authentication of PC1 and PC2.

[SwitchA configuration]
1. Create (enter) VLAN10
   [SwitchA] vlan 10
2. Add E0/1 (ports E0/1 to E0/10) to VLAN10
   [SwitchA-vlan10] port Ethernet 0/1 to Ethernet 0/10
3. Create (enter) the VLAN10 virtual interface
   [SwitchA] interface Vlan-interface 10
4. Configure the IP address of the VLAN10 virtual interface
   [SwitchA-Vlan-interface10] ip address 10.10.1.1 255.255.255.0
5. Create (enter) VLAN20
   [SwitchA] vlan 20
6. Add E0/2 (ports E0/11 to E0/20) to VLAN20
   [SwitchA-vlan20] port Ethernet 0/11 to Ethernet 0/20
7. Create (enter) the VLAN20 virtual interface
   [SwitchA] interface Vlan-interface 20
8. Configure the IP address of the VLAN20 virtual interface
   [SwitchA-Vlan-interface20] ip address 10.10.2.1 255.255.255.0
9. Create (enter) VLAN100
   [SwitchA] vlan 100
10. Add G1/1 to VLAN100
   [SwitchA-vlan100] port GigabitEthernet 1/1
11. Create (enter) the VLAN100 virtual interface
   [SwitchA] interface Vlan-interface 100
12. Configure the IP address of the VLAN100 virtual interface
   [SwitchA-Vlan-interface100] ip address 192.168.0.100 255.255.255.0

[802.1X local authentication with the default domain]
1. Enable 802.1X in system view. The default access control method is MAC-based.
   [SwitchA] dot1x
2. Enable 802.1X on ports E0/1 to E0/10. If no port is specified after dot1x interface, 802.1X is enabled on all ports.
   [SwitchA] dot1x interface eth 0/1 to eth 0/10
3. Create the local user test. The default domain system is used here, and the default domain references the default RADIUS scheme system.
   [SwitchA] local-user test
4. Set the user password (plaintext)
   [SwitchA-user-test] password simple test
5. Set the user access type to 802.1X
   [SwitchA-user-test] service-type lan-access
6. Activate the user
   [SwitchA-user-test] state active

[802.1X local authentication with a self-built domain]
1. Enable 802.1X in system view. The default access control method is MAC-based.
   [SwitchA] dot1x
2. Enable 802.1X on ports E0/1 to E0/10. If no port is specified after dot1x interface, 802.1X is enabled on all ports.
   [SwitchA] dot1x interface eth 0/1 to eth 0/10
3. Set the authentication method to RADIUS by creating the RADIUS scheme radius1
   [SwitchA] radius scheme radius1
4. Set the primary authentication server to the local switch, port 1645
   [SwitchA-radius-radius1] primary authentication 127.0.0.1 1645
5. Set the primary accounting server to the local switch, port 1646
   [SwitchA-radius-radius1] primary accounting 127.0.0.1 1646
6. Local user authentication here uses the self-built domain huawei
   [SwitchA] domain huawei
7. Reference the authentication scheme radius1 in the domain
   [SwitchA-isp-huawei] radius-scheme radius1
8. Create the local user test@huawei
   [SwitchA] local-user test@huawei
9. Set the user password (plaintext)
   [SwitchA-user-test@huawei] password simple test
10. Set the user access type to 802.1X
   [SwitchA-user-test@huawei] service-type lan-access
11. Activate the user
   [SwitchA-user-test@huawei] state active

[802.1X RADIUS authentication]
1. Enable 802.1X in system view. The default access control method is MAC-based.
   [SwitchA] dot1x
2. Enable 802.1X on ports E0/1 to E0/10. If no port is specified after dot1x interface, 802.1X is enabled on all ports.
   [SwitchA] dot1x interface eth 0/1 to eth 0/10
3. Set the authentication method to RADIUS; if RADIUS authentication fails, local authentication is used
   [SwitchA] radius scheme radius1
4. Set the primary authentication server
   [SwitchA-radius-radius1] primary authentication 192.168.0.100
5. Set the primary accounting server
   [SwitchA-radius-radius1] primary accounting 192.168.0.100
6. Set the shared key between the switch and the authentication server; the two must be consistent
   [SwitchA-radius-radius1] key authentication test
7. Set the shared key between the switch and the accounting server; the two must be consistent
   [SwitchA-radius-radius1] key accounting test
8. Send the user name in RADIUS packets without the domain name
   [SwitchA-radius-radius1] user-name-format without-domain
9. User authentication here uses the self-built domain huawei
   [SwitchA] domain huawei
10. Reference the authentication scheme radius1 in the domain
   [SwitchA-isp-huawei] radius-scheme radius1

[Note]
After dot1x authentication is enabled on a port, either the portbased or the macbased access control method can be used; the default is macbased. The difference between the two: with macbased, every user accessing through the port must be authenticated separately, and when one user goes offline only that user loses network access. With portbased, once the first user on the port is authenticated successfully, other users on the port can use network resources without authentication; however, when the first user goes offline, the other users are also denied network access. For example, to change the access control method of port E0/1 to portbased:
   [SwitchA] dot1x port-method portbased interface Ethernet 0/1
or:
   [SwitchA] interface Ethernet 0/1
   [SwitchA-Ethernet0/1] dot1x port-method portbased
If the RADIUS server is not directly connected to SwitchA, routing must be configured on SwitchA so that authentication packets can be exchanged normally between SwitchA and the RADIUS server.
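The shared-key and user-name-format settings in steps 6 to 8 of the RADIUS authentication section are what the exchange below depends on. This is an added Python illustration, not code from the original article or from the switch software: it builds the RADIUS Access-Request that SwitchA (the NAS) would send for the user test@huawei with the key test, lets a server answer it, and shows that the switch only accepts a reply signed with the same key. The 16-byte Request Authenticator and the NAS-Port value are constructed sample values.

```python
import hashlib, struct

# RADIUS codes and attribute types used below (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5

def nas_username(user: str, without_domain: bool) -> str:
    """user-name-format without-domain: 'test@huawei' is sent to the server as 'test'."""
    return user.split("@", 1)[0] if without_domain else user

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def attrs(pairs) -> bytes:
    """Encode (type, value) pairs as RADIUS TLVs: type(1) length(1) value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def access_request(ident, user, password, secret, req_auth, without_domain=True) -> bytes:
    """What the NAS would send for a dot1x user; req_auth is the 16-byte Request Authenticator (constructed here)."""
    body = attrs([(USER_NAME, nas_username(user, without_domain).encode()),
                  (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
                  (NAS_PORT, struct.pack("!I", 1))])  # sample NAS-Port value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def response_authenticator(code, ident, body, req_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()

def server_reply(code, request, secret, body=b"") -> bytes:
    """The RADIUS server answers with the same ID and signs the reply with *its* configured key."""
    ident, req_auth = request[1], request[4:20]
    auth = response_authenticator(code, ident, body, req_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def switch_verifies(reply, request, secret) -> bool:
    """The NAS accepts a reply only if the ID matches and the authenticator checks out under its own key."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request[4:20], secret)
    return ident == request[1] and reply[4:20] == expected
```

A key mismatch between the switch and the server therefore does not produce an error message on the wire; the switch simply discards every reply, which looks like a server timeout.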
