user can start the client software to initiate 802.1x authentication. The device is an access device in which 802.1x authentication is enabled to authenticate a user terminal. The authentication server is an entity that provides an authentication service for the device and implements authentication,
To control user access through 802.1x authentication, AAA must be configured. The user access control can be implemented only

Authentication flow (from the diagram):
A user enters the user name and password on the client to initiate authentication.
The client sends the user name and password to the authentication server through the access device.
The authentication server compares the received user name and password with the locally stored user name and password.
If the user name and password are
The access device opens the interface connected to the authenticated client and the user obtains network access rights.
Unauthorized user
Configure 802.1x Authentication for Implementing User Access Control
Topology (from the diagram): user terminal (192.168.2.215), access switch (GE0/0/36, GE0/0/46), authentication server (192.168.2.216 1813).
Objective: The user terminal can access the network only after passing authentication.
Verification scheme:
1. Before passing authentication, the user terminal fails to ping the authentication server (data packets cannot be forwarded through the access switch).
2. After passing authentication, the user terminal can successfully ping the authentication server.
Configuration Roadmap
1. Configure network connectivity. (The configuration procedure is not discussed here.)
2. Configure AAA.
3. Configure 802.1x authentication.
4. Configure the authentication server.
1. Configure AAA on the Access Switch (1/2)
Configuration Roadmap
1. Create an AAA scheme and set the authentication mode to RADIUS.
2. Create and configure a RADIUS server template.
3. Create an authentication domain and bind the AAA scheme and RADIUS server template to the authentication domain.
4. Configure the global default domain.
Configuration Procedure
Step 1:
<HUAWEI> system-view // Enter the system view.
[HUAWEI] aaa // Enter the AAA view.
[HUAWEI-aaa] authentication-scheme abc // Create the AAA scheme abc.
[HUAWEI-aaa-authen-abc] authentication-mode radius // Set the authentication mode to RADIUS for the authentication scheme.
[HUAWEI-aaa-authen-abc] quit
[HUAWEI-aaa] quit
Step 2:
[HUAWEI] radius-server template test // Create a RADIUS server template named test.
[HUAWEI-radius-test] radius-server authentication 192.168.2.216 1812 // Set the IP address and port number of the RADIUS server.
[HUAWEI-radius-test] radius-server shared-key cipher Huawei@2012 // Set the shared key of the access device and RADIUS server.
[HUAWEI-radius-test] quit
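
The shared key set in Step 2 is what lets the access device check that a RADIUS reply comes from a server holding the same key: per RFC 2865, each reply carries a Response Authenticator computed over the packet and the key. The sketch below is an added example, not part of the original slides or of Huawei's code; the key, packet identifier and attribute values are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3  # RADIUS codes from RFC 2865


def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs


def verify_reply(packet, ident, request_auth, secret):
    """Access-device side: accept a reply only if it answers our request
    and was computed with the same shared key."""
    if len(packet) < 20:
        return False
    _code, reply_id, length = struct.unpack("!BBH", packet[:4])
    if reply_id != ident or length != len(packet):
        return False
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo():
    key = b"constructed-shared-key"      # stands in for the Step 2 key
    req_auth = bytes(range(16))          # constructed; random in practice
    reply_msg = struct.pack("!BB", 18, 4) + b"ok"   # Reply-Message attribute
    accept = build_reply(ACCESS_ACCEPT, 7, req_auth, reply_msg, key)
    reject = build_reply(ACCESS_REJECT, 7, req_auth, reply_msg, key)
    # A Reject rewritten in transit to look like an Accept.
    flipped = bytes([ACCESS_ACCEPT]) + reject[1:]
    return {
        "matching_key": verify_reply(accept, 7, req_auth, key),
        "mismatched_key": verify_reply(accept, 7, req_auth, b"other-key"),
        "code_flipped": verify_reply(flipped, 7, req_auth, key),
    }


if __name__ == "__main__":
    print(demo())
```

A key mismatch between the switch template and the server's device entry shows up the same way as the mismatched_key case: the reply is discarded and authentication fails.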
1. Configure AAA on the Access Switch (2/2)
Configuration Procedure
Step 3:
[HUAWEI] aaa // Enter the AAA view.
[HUAWEI-aaa] domain huawei // Create an authentication domain huawei.
[HUAWEI-aaa-domain-huawei] authentication-scheme abc // Bind the created AAA scheme abc to the authentication domain.
[HUAWEI-aaa-domain-huawei] radius-server test // Bind the RADIUS server template test to the authentication domain.
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit // Return to the system view.
Step 4:
[HUAWEI] domain huawei // Configure the global default domain huawei.
2. Configure 802.1x Authentication on the Access Switch
Note: 802.1x authentication on switches in SV200R500 and later versions can be configured in two modes: traditional mode and unified mode.
Configuration Roadmap
1. Switch to the desired configuration mode.
2. Enable 802.1x authentication.
3. Configure the RADIUS Server on the Policy Center
Note: There are many types of RADIUS server. Huawei Policy Center is taken as an example here.
Configuration Roadmap
1. Configure parameters for the access device on the RADIUS server.
2. Configure access control policies on the RADIUS server.
3. Add accounts to the RADIUS server.
Procedure:
1. Configure parameters for the access device on the RADIUS server.
Choose Access Control Policy > Access Device > Device.
Click Add.
Set the device's connection parameters.
2. Configure access control policies on the RADIUS server.
Choose Access Control Policy > Authentication and Authorization > Authorization Rule.
Click to change the default authorization rule.
3. Add accounts to the RADIUS server.
Choose Users And Terminals > Department User > User Management > User.
Click Add, and enter parameters of the user to be added.
Click next to User.
Click Add, and enter parameters of the account to be added.