
802.1x Authentication Principles and Application Scenarios


802.1x authentication is an important method of network admission control (NAC). Only users who pass 802.1x authentication
are given access to the network, which protects internal network security.

The 802.1x authentication system uses a typical client/server structure and consists of three entities: client, device, and authentication server.

The client is the software that is installed on a user terminal. A user can start the client software to initiate 802.1x authentication. The device is an access device on which 802.1x authentication is enabled to authenticate a user terminal. The authentication server is an entity that provides an authentication service for the device and implements authentication, authorization, and accounting on users.

To control user access through 802.1x authentication, AAA must be configured. User access control can be implemented only after both 802.1x authentication and AAA have been configured.

[Figure: 802.1x authentication process. An authorized user is granted access to internal network resources; an unauthorized user is not.]
1. A user enters the user name and password on the client to initiate authentication.
2. The client sends the user name and password to the authentication server through the access device.
3. The authentication server compares the received user name and password with the locally stored user name and password.
4. If the user name and password are correct, the server instructs the access device to notify the user that the authentication is successful.
5. The access device opens the interface connected to the authenticated client and the user obtains network access rights.

Configure 802.1x Authentication for Implementing User Access Control

[Figure: topology. User terminal (192.168.2.215) -- GE0/0/36 -- Access switch -- GE0/0/46 -- Authentication server (192.168.2.216, 1813)]

Objective: The user terminal can access the network only after passing authentication.

Verification scheme:
1. Before passing authentication, the user terminal fails to ping the authentication server (data packets cannot be forwarded through the access switch).
2. After passing authentication, the user terminal can successfully ping the authentication server.

Configuration Roadmap
1. Configure network connectivity. (The configuration procedure is not discussed here.)
2. Configure AAA.
3. Configure 802.1x authentication.
4. Configure the authentication server.

1. Configure AAA on the Access Switch (1/2)
Configuration Roadmap
1. Create an AAA scheme and set the authentication mode to RADIUS.
2. Create and configure a RADIUS server template.
3. Create an authentication domain and bind the AAA scheme and RADIUS server template to the authentication domain.
4. Configure the global default domain.
Configuration Procedure
Step 1:
<HUAWEI> system-view // Enter the system view.
[HUAWEI] aaa // Enter the AAA view.
[HUAWEI-aaa] authentication-scheme abc // Create the AAA scheme abc.
[HUAWEI-aaa-authen-abc] authentication-mode radius // Set the authentication mode to RADIUS for the authentication scheme.
[HUAWEI-aaa-authen-abc] quit
[HUAWEI-aaa] quit
Step 2:
[HUAWEI] radius-server template test // Create a RADIUS server template named test.
[HUAWEI-radius-test] radius-server authentication 192.168.2.216 1812 // Set the IP address and port number of the RADIUS server.
[HUAWEI-radius-test] radius-server shared-key cipher Huawei@2012 // Set the shared key of the access device and RADIUS server.
[HUAWEI-radius-test] quit
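As an added example (not from the original slides or Huawei's code), the following Python models the user name/password exchange described in the principles section as a plain RADIUS Access-Request/Access-Accept between the access device and the server, using the shared key configured in Step 2: the User-Password hiding and the Response Authenticator are as RFC 2865 specifies, so the access device can refuse a reply that was not built with the shared key. The EAP relay, the account store, the sample credentials and the request ID are assumptions or constructed values; the packet carries only User-Name and User-Password.

```python
import hashlib, os, struct
# Constructed sample values (not real traffic): the shared key from the RADIUS
# template above and a user store standing in for the Policy Center accounts.
SHARED_KEY = b"Huawei@2012"
USER_NAME, USER_PASSWORD = 1, 2
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
SERVER_ACCOUNTS = {b"user1": b"Pass@123"}

def pw_crypt(data, secret, req_auth, hide=True):
    # RFC 2865 User-Password hiding: XOR each 16-byte block with MD5(secret + previous
    # ciphertext block), chaining from the Request Authenticator; hides and reveals.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = out[-16:] if hide else block
    return out

def attr(kind, value):  # RADIUS attribute: Type, Length, Value
    return struct.pack("!BB", kind, len(value) + 2) + value

def packet(code, ident, authenticator, attrs):  # Code, ID, Length, Authenticator, attrs
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_request(user, password, ident, secret=SHARED_KEY):
    # Access device -> server: User-Name plus hidden User-Password, fresh Request Authenticator.
    req_auth = os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, pw_crypt(padded, secret, req_auth))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def server_reply(request, secret=SHARED_KEY, accounts=SERVER_ACCOUNTS):
    # Server: recover the password, compare with the stored account, then sign the reply.
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs, i = request[4:20], {}, 20
    while i < length:
        attrs[request[i]] = request[i + 2:i + request[i + 1]]
        i += request[i + 1]
    pw = pw_crypt(attrs.get(USER_PASSWORD, b""), secret, req_auth, hide=False).rstrip(b"\x00")
    code = ACCESS_ACCEPT if accounts.get(attrs.get(USER_NAME)) == pw else ACCESS_REJECT
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, 20) + req_auth + secret).digest()
    return packet(code, ident, resp_auth, b"")

def nas_accepts(reply, req_auth, ident, secret=SHARED_KEY):
    # Access device: open the port only if the reply matches our request ID and its
    # Response Authenticator proves it was built with the shared key.
    code, rid, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return rid == ident and reply[4:20] == expected and code == ACCESS_ACCEPT
```

A mismatched shared key on either side therefore shows up as rejected credentials on the server and an unverifiable reply on the switch, which is the first thing to check when authentication fails after this configuration.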

1. Configure AAA on the Access Switch (2/2)

Configuration Procedure
Step 3:
[HUAWEI] aaa // Enter the AAA view.
[HUAWEI-aaa] domain huawei // Create an authentication domain huawei.
[HUAWEI-aaa-domain-huawei] authentication-scheme abc // Bind the created AAA scheme abc to the authentication domain.
[HUAWEI-aaa-domain-huawei] radius-server test // Bind the RADIUS server template test to the authentication domain.
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit // Return to the system view.

Step 4:
[HUAWEI] domain huawei // Configure the global default domain huawei.

2. Configure 802.1x Authentication on the Access Switch
Note: 802.1x authentication on switches in SV200R500 and later versions can be configured in two modes: traditional mode and unified mode.

Configuration Roadmap
1. Switch to the desired configuration mode.
2. Enable 802.1x authentication.

Configuration Procedure in the Unified Mode


<HUAWEI> system-view // Enter the system view.
[HUAWEI] authentication unified-mode // Switch to the unified mode. The unified mode takes effect after the switch restarts.
[HUAWEI] interface gigabitethernet 0/0/36 // Enter the interface view.
[HUAWEI-GigabitEthernet0/0/36] authentication dot1x // Enable 802.1x authentication.
[HUAWEI-GigabitEthernet0/0/36] dot1x authentication-method eap // Set the 802.1x authentication mode to EAP.

Configuration Procedure in the Traditional Mode


<HUAWEI> system-view // Enter the system view.
[HUAWEI] undo authentication unified-mode // Switch to the traditional mode. The traditional mode takes effect after the switch restarts.
[HUAWEI] dot1x enable // Enable 802.1x authentication globally.
[HUAWEI] interface gigabitethernet 0/0/36 // Enter the interface view.
[HUAWEI-GigabitEthernet0/0/36] dot1x enable // Enable 802.1x authentication in the interface view.
[HUAWEI-GigabitEthernet0/0/36] dot1x authentication-method eap // Set the 802.1x authentication mode to EAP.

3. Configure the RADIUS Server on the Policy Center
Note: There are many types of RADIUS server. Huawei Policy Center is taken as an example here.
Configuration Roadmap
1. Configure parameters for the access device on the RADIUS server.
2. Configure access control policies on the RADIUS server.
3. Add accounts to the RADIUS server.
Procedure:
1. Configure parameters for the access device on the RADIUS server.
Choose Access Control Policy > Access Device > Device.
Click Add.
Set the device's connection parameters.
2. Configure access control policies on the RADIUS server.
Choose Access Control Policy > Authentication and Authorization > Authorization Rule.
Click to change the default authorization rule.
3. Add accounts to the RADIUS server.
Choose Users And Terminals > Department User > User Management > User.
Click Add, and enter parameters of the user to be added.
Click next to User.
Click Add, and enter parameters of the account to be added.
