18 802.1X Configuration
18 802.1X Configuration
18 802.1X Configuration
i
Setting the quiet timer ··············································································································· 29
Configuring 802.1X reauthentication ···························································································· 29
Overview ························································································································· 29
Configuration restrictions and guidelines ················································································ 30
Configuring 802.1X periodic reauthentication··········································································· 30
Configuring 802.1X manual reauthentication ··········································································· 31
Enabling the keep-online feature ·························································································· 31
Configuring an 802.1X guest VLAN······························································································ 31
Configuration restrictions and guidelines ················································································ 31
Configuration prerequisites ·································································································· 32
Configuration procedure ····································································································· 32
Enabling 802.1X guest VLAN assignment delay ············································································· 32
Configuring an 802.1X Auth-Fail VLAN ························································································· 33
Configuration restrictions and guidelines ················································································ 33
Configuration prerequisites ·································································································· 33
Configuration procedure ····································································································· 34
Configuring an 802.1X critical VLAN ···························································································· 34
Configuration restrictions and guidelines ················································································ 34
Configuration prerequisites ·································································································· 34
Configuration procedure ····································································································· 35
Enabling the 802.1X critical voice VLAN ······················································································· 35
Configuration restrictions and guidelines ················································································ 35
Configuration prerequisites ·································································································· 35
Configuration procedure ····································································································· 35
Configuring an 802.1X guest VSI································································································· 36
Configuration restrictions and guidelines ················································································ 36
Configuration prerequisites ·································································································· 36
Configuration procedure ····································································································· 36
Enabling 802.1X guest VSI assignment delay ················································································ 36
Overview ························································································································· 36
Configuration procedure ····································································································· 37
Configuring an 802.1X Auth-Fail VSI ···························································································· 37
Configuration restrictions and guidelines ················································································ 37
Configuration prerequisites ·································································································· 37
Configuration procedure ····································································································· 37
Configuring an 802.1X critical VSI ······························································································· 38
Configuration restrictions and guidelines ················································································ 38
Configuration prerequisites ·································································································· 38
Configuration procedure ····································································································· 38
Specifying supported domain name delimiters ················································································ 38
Enabling 802.1X user IP freezing ································································································ 39
Removing the VLAN tags of 802.1X protocol packets sent out of a port ··············································· 39
Overview ························································································································· 39
Configuration restrictions and guidelines ················································································ 39
Configuration prerequisites ·································································································· 40
Configuration procedure ····································································································· 40
Setting the maximum number of 802.1X authentication attempts for MAC authenticated users ················· 40
Configuring 802.1X MAC address binding ····················································································· 41
Overview ························································································································· 41
Configuration restrictions and guidelines ················································································ 41
Configuration procedure ····································································································· 41
Configuring the EAD assistant feature ·························································································· 41
Enabling logging for 802.1X users ······························································································· 42
Overview ························································································································· 42
Configuration restrictions and guidelines ················································································ 42
Configuration procedure ····································································································· 42
Displaying and maintaining 802.1X ······························································································ 43
802.1X authentication configuration examples ················································································ 43
Basic 802.1X authentication configuration example ·································································· 43
802.1X guest VLAN and authorization VLAN configuration example ············································· 45
802.1X with ACL assignment configuration example ································································· 48
802.1X guest VSI and authorization VSI configuration example ··················································· 50
ii
802.1X with EAD assistant configuration example (with DHCP relay agent) ··································· 52
802.1X with EAD assistant configuration example (with DHCP server) ·········································· 55
Troubleshooting 802.1X ············································································································ 57
EAD assistant URL redirection failure ···················································································· 57
iii
802.1X overview
802.1X is a port-based network access control protocol initially proposed for securing WLANs. The
protocol has also been widely used on Ethernet networks for access control.
802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN
ports.
802.1X architecture
802.1X operates in the client/server model. As shown in Figure 1, 802.1X authentication includes the
following entities:
• Client (supplicant)—A user terminal seeking access to the LAN. The terminal must have
802.1X software to authenticate to the access device.
• Access device (authenticator)—Authenticates the client to control access to the LAN. In a
typical 802.1X environment, the access device uses an authentication server to perform
authentication.
• Authentication server—Provides authentication services for the access device. The
authentication server first authenticates 802.1X clients by using the data sent from the access
device. Then, the server returns the authentication results to the access device to make access
decisions. The authentication server is typically a RADIUS server. In a small LAN, you can use
the access device as the authentication server.
Figure 1 802.1X architecture
1
Figure 2 Authorization state of a controlled port
802.1X-related protocols
802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for
the client, the access device, and the authentication server. EAP is an authentication framework that
uses the client/server model. The framework supports a variety of authentication methods, including
MD5-Challenge, EAP-Transport Layer Security (EAP-TLS), and Protected EAP (PEAP).
802.1X defines EAP over LAN (EAPOL) for passing EAP packets between the client and the access
device over a wired or wireless LAN. Between the access device and the authentication server,
802.1X delivers authentication information by using one of the following methods:
• Encapsulates EAP packets in RADIUS by using EAP over RADIUS (EAPOR), as described in
"EAP relay."
• Extracts authentication information from the EAP packets and encapsulates the information in
standard RADIUS packets, as described in "EAP termination."
Packet formats
EAP packet format
Figure 3 shows the EAP packet format.
Figure 3 EAP packet format
• Code—Type of the EAP packet. Options include Request (1), Response (2), Success (3), or
Failure (4).
• Identifier—Used for matching Responses with Requests.
• Length—Length (in bytes) of the EAP packet. The EAP packet length is the sum of the Code,
Identifier, Length, and Data fields.
2
• Data—Content of the EAP packet. This field appears only in a Request or Response EAP
packet. The Data field contains the request type (or the response type) and the type data. Type
1 (Identity) and type 4 (MD5-Challenge) are two examples for the type field.
EAPOL packet format
Figure 4 shows the EAPOL packet format.
Figure 4 EAPOL packet format
0 7 15
Packet body
N
• PAE Ethernet type—Protocol type. It takes the value 0x888E for EAPOL.
• Protocol version—The EAPOL protocol version used by the EAPOL packet sender.
• Type—Type of the EAPOL packet. Table 1 lists the types of EAPOL packets supported by
implementation of 802.1X on the device.
Table 1 Types of EAPOL packets
• Length—Data length in bytes, or length of the Packet body. If packet type is EAPOL-Start or
EAPOL-Logoff, this field is set to 0, and no Packet body field follows.
• Packet body—Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet
body field contains an EAP packet.
3
Figure 5 EAP-Message attribute format
Message-Authenticator
As shown in Figure 6, RADIUS includes the Message-Authenticator attribute in all packets that have
an EAP-Message attribute to check their integrity. The packet receiver drops the packet if the
calculated packet integrity checksum is different from the Message-Authenticator attribute value.
The Message-Authenticator prevents EAP authentication packets from being tampered with during
EAP authentication.
Figure 6 Message-Authenticator attribute format
4
802.1X authentication procedures
802.1X authentication has two methods: EAP relay and EAP termination. You choose either mode
depending on support of the RADIUS server for EAP packets and EAP authentication methods.
• EAP relay mode.
EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR packets to
send authentication information to the RADIUS server, as shown in Figure 7.
Figure 7 EAP relay
In EAP relay mode, the client must use the same authentication method as the RADIUS server.
On the access device, you only need to use the dot1x authentication-method eap command
to enable EAP relay.
• EAP termination mode.
As shown in Figure 8, the access device performs the following operations in EAP termination
mode:
a. Terminates the EAP packets received from the client.
b. Encapsulates the client authentication information in standard RADIUS packets.
c. Uses PAP or CHAP to authenticate to the RADIUS server.
Figure 8 EAP termination
5
Packet exchange
Benefits Limitations
method
• The processing is complex on the
access device.
EAP relay
Figure 9 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that
EAP-MD5 is used.
Figure 9 802.1X authentication procedure in EAP relay mode
Client Device Authentication server
EAPOL EAPOR
(1) EAPOL-Start
(2) EAP-Request/Identity
Port authorized
(11) EAP-Request/Identity
(12) EAP-Response/Identity
...
(13) EAPOL-Logoff
Port unauthorized
(14) EAP-Failure
6
challenge (EAP-Request/MD5-Challenge) to encrypt the password in the entry. Then, the
server sends the challenge in a RADIUS Access-Challenge packet to the access device.
6. The access device transmits the EAP-Request/MD5-Challenge packet to the client.
7. The client uses the received challenge to encrypt the password, and sends the encrypted
password in an EAP-Response/MD5-Challenge packet to the access device.
8. The access device relays the EAP-Response/MD5-Challenge packet in a RADIUS
Access-Request packet to the authentication server.
9. The authentication server compares the received encrypted password with the encrypted
password it generated at step 5. If the two passwords are identical, the server considers the
client valid and sends a RADIUS Access-Accept packet to the access device.
10. Upon receiving the RADIUS Access-Accept packet, the access device performs the following
operations:
a. Sends an EAP-Success packet to the client.
b. Sets the controlled port in authorized state.
The client can access the network.
11. After the client comes online, the access device periodically sends handshake requests to
check whether the client is still online. By default, if two consecutive handshake attempts fail,
the device logs off the client.
12. Upon receiving a handshake request, the client returns a response. If the client fails to return a
response after a number of consecutive handshake attempts (two by default), the access
device logs off the client. This handshake mechanism enables timely release of the network
resources used by 802.1X users that have abnormally gone offline.
13. The client can also send an EAPOL-Logoff packet to ask the access device for a logoff.
14. In response to the EAPOL-Logoff packet, the access device changes the status of the
controlled port from authorized to unauthorized. Then, the access device sends an EAP-Failure
packet to the client.
EAP termination
Figure 10 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that
CHAP authentication is used.
7
Figure 10 802.1X authentication procedure in EAP termination mode
In EAP termination mode, the access device rather than the authentication server generates an MD5
challenge for password encryption. The access device then sends the MD5 challenge together with
the username and encrypted password in a standard RADIUS packet to the RADIUS server.
8
Configuring 802.1X
This chapter describes how to configure 802.1X on an H3C device. You can also configure the port
security feature to perform 802.1X. Port security combines and extends 802.1X and MAC
authentication. It applies to a network, a WLAN, for example, that requires different authentication
methods for different users on a port. For more information about the port security feature, see
"Configuring port security."
IMPORTANT:
Only remote servers can assign tagged authorization VLANs.
9
If a VLAN name or VLAN group name is assigned, the device converts the information into a VLAN
ID before VLAN assignment.
IMPORTANT:
For the VLAN represented by its VLAN name to be assigned successfully, you must make sure the
VLAN has been created on the device.
To assign VLAN IDs with suffixes, make sure the access port is a hybrid or trunk port that performs
port-based access control.
IMPORTANT:
To ensure a successful assignment, the authorization VLANs assigned by the remote server cannot
be any of the following types:
• Dynamically learned VLANs.
• Reserved VLANs.
• Super VLANs.
• Private VLANs.
If the server assigns a set of VLANs, the access device selects and assigns a VLAN as described
in Table 2.
Table 2 Authorization VLAN selection from a group of VLANs
10
Local VLAN authorization
To perform local VLAN authorization for a user, specify the VLAN ID in the authorization attribute list
of the local user account for that user. For each local user, you can specify only one authorization
VLAN ID. The port through which the user accesses the device is assigned to the VLAN as an
untagged member.
IMPORTANT:
Local VLAN authorization does not support assignment of tagged VLANs.
For more information about local user configuration, see "Configuring AAA."
Authorization VLAN manipulation for an 802.1X-enabled port
Table 3 describes how the access device handles VLANs (except for the VLANs specified with
suffixes) on an 802.1X-enabled port.
Table 3 VLAN manipulation
IMPORTANT:
• For users attached to an access port, make sure the authorization VLAN assigned by the server
has the untagged attribute. VLAN assignment will fail if the server issues a VLAN that has the
tagged attribute.
• When you assign VLANs to users attached to a trunk or MAC-based VLAN disabled hybrid port,
make sure there is only one untagged VLAN. If a different untagged VLAN is assigned to a
subsequent user, the user cannot pass authentication.
• As a best practice to enhance network security, do not use the port hybrid vlan command to
assign a hybrid port to an authorization VLAN as a tagged member.
Whether the authorization VLAN of an authenticated user takes effect on the 802.1X-enabled port
depends on the port link type and VLAN tagging mode.
• If the port is an access or trunk port, the authorization VLAN always takes effect.
• If the port is a hybrid port, the device compares the VLAN tagging mode assigned by the server
with the VLAN tagging mode configured on the port for the authorization VLAN.
{ If the VLAN tagging modes are the same one (tagged or untagged), the authorization VLAN
takes effect.
11
{ If the VLAN tagging modes are different, the configuration on the port takes effect instead of
the assigned information.
Authorization VLAN assignment does not affect the VLAN configuration on the 802.1X-enabled port.
After the user is logged off, the original VLAN configuration on the port is restored.
For an 802.1X authenticated user to access the network on a hybrid port when no authorization
VLANs are assigned to the user, perform one of the following tasks:
• If the port receives tagged authentication packets from the user in a VLAN, use the port hybrid
vlan command to configure the port as a tagged member in the VLAN.
• If the port receives untagged authentication packets from the user in a VLAN, use the port
hybrid vlan command to configure the port as an untagged member in the VLAN.
On a port with periodic online user reauthentication enabled, the MAC-based VLAN feature does not
take effect on a user that has been online since before this feature was enabled. The access device
creates a MAC-to-VLAN mapping for the user when the following requirements are met:
• The user passes reauthentication.
• The authorization VLAN for the user is changed.
For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN
Switching Configuration Guide.
Guest VLAN
The 802.1X guest VLAN on a port accommodates users that have not performed 802.1X
authentication. Users in the guest VLAN can access a limited set of network resources, such as a
software server, to download antivirus software and system patches. Once a user in the guest VLAN
passes 802.1X authentication, it is removed from the guest VLAN and can access authorized
network resources.
The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control
method.
Port-based access control
12
IMPORTANT:
When the port receives a packet with a VLAN tag, the packet will be forwarded within the VLAN even
if the VLAN is not the guest VLAN.
Authentication
VLAN manipulation
status
A user accesses the port
The device creates a mapping between the MAC address of the user and the
and has not performed
802.1X guest VLAN. The user can access only resources in the guest VLAN.
802.1X authentication.
If an 802.1X Auth-Fail VLAN is available, the device remaps the MAC address
A user in the 802.1X of the user to the Auth-Fail VLAN. The user can access only resources in the
guest VLAN fails 802.1X Auth-Fail VLAN.
authentication. If no 802.1X Auth-Fail VLAN is configured, the user is removed from the guest
VLAN and added to the initial PVID.
A user in the 802.1X The device remaps the MAC address of the user to the authorization VLAN.
guest VLAN passes If the authentication server does not assign an authorization VLAN, the device
802.1X authentication. remaps the MAC address of the user to the initial PVID on the port.
For the 802.1X guest VLAN feature to take effect on a port that performs MAC-based access control,
make sure the following requirements are met:
• The port is a hybrid port.
• MAC-based VLAN is enabled on the port.
The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.
For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN
Switching Configuration Guide.
Auth-Fail VLAN
The 802.1X Auth-Fail VLAN on a port accommodates users that have failed 802.1X authentication
because of the failure to comply with the organization security strategy. For example, the VLAN
accommodates users with wrong passwords entered. Users in the Auth-Fail VLAN can access a
limited set of network resources, such as a software server, to download antivirus software and
system patches.
The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control
method.
Port-based access control
A user in the 802.1X The device assigns the port to the authorization VLAN of the user, and it
Auth-Fail VLAN passes removes the port from the Auth-Fail VLAN.
802.1X authentication. If the authentication server does not assign an authorization VLAN, the initial
13
Authentication status VLAN manipulation
PVID of the port applies. The user and all subsequent 802.1X users are
assigned to the initial PVID.
After the user logs off, the port is assigned to the guest VLAN. If no guest
VLAN is configured, the port is assigned to the initial PVID of the port.
A user in the 802.1X The device remaps the MAC address of the user to the authorization VLAN.
Auth-Fail VLAN passes If the authentication server does not assign an authorization VLAN, the
802.1X authentication. device remaps the MAC address of the user to the initial PVID on the port.
For the 802.1X Auth-Fail VLAN feature to take effect on a port that performs MAC-based access
control, make sure the following requirements are met:
• The port is a hybrid port.
• MAC-based VLAN is enabled on the port.
The access device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member.
For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN
Switching Configuration Guide.
Critical VLAN
The 802.1X critical VLAN on a port accommodates 802.1X users that have failed authentication
because none of the RADIUS servers in their ISP domain are reachable. Users in the critical VLAN
can access a limited set of network resources depending on the configuration.
The critical VLAN feature takes effect when 802.1X authentication is performed only through
RADIUS servers. If an 802.1X user fails local authentication after RADIUS authentication, the user is
not assigned to the critical VLAN. For more information about the authentication methods, see
"Configuring AAA."
The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control
method.
Port-based access control
14
Authentication status VLAN manipulation
authentication for any reason other than assigned to the Auth-Fail VLAN. If no 802.1X Auth-Fail VLAN is
unreachable servers. configured, the port is assigned to the initial PVID of the port.
The device assigns the port to the authorization VLAN of the
user, and it removes the port from the 802.1X critical VLAN.
If the authentication server does not assign an authorization
A user in the 802.1X critical VLAN passes VLAN, the initial PVID of the port applies. The user and all
802.1X authentication. subsequent 802.1X users are assigned to this port VLAN.
After the user logs off, the port is assigned to the guest VLAN. If
no 802.1X guest VLAN is configured, the initial PVID of the port
is restored.
A user in the 802.1X guest VLAN fails
The device assigns the port to the 802.1X critical VLAN, and all
authentication because all the RADIUS
802.1X users on this port are in this VLAN.
servers are unreachable.
A user in the 802.1X Auth-Fail VLAN fails The port is still in the 802.1X Auth-Fail VLAN. All 802.1X users
authentication because all the RADIUS on this port can access only resources in the 802.1X Auth-Fail
servers are unreachable. VLAN.
A user that has passed authentication
fails reauthentication because all the
The device assigns the port to the 802.1X critical VLAN.
RADIUS servers are unreachable, and
the user is logged out of the device.
For the 802.1X critical VLAN feature to take effect on a port that performs MAC-based access control,
make sure the following requirements are met:
• The port is a hybrid port.
• MAC-based VLAN is enabled on the port.
15
The network device assigns a hybrid port to an 802.1X critical VLAN as an untagged member.
For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN
Switching Configuration Guide.
When a reachable RADIUS server is detected, the device performs the following operations:
• If MAC-based access control is used, the device removes 802.1X users from the critical VLAN.
The port sends a unicast EAP-Request/Identity to these users to trigger authentication.
• If port-based access control is used, the device removes the port from the critical VLAN. The
port sends a multicast EAP-Request/Identity to all 802.1X users on the port to trigger
authentication.
16
Figure 11 VXLAN network diagram for 802.1X authentication
Authorization VSI
An authorization VSI is associated with a VXLAN that has network resources inaccessible to
unauthenticated users.
802.1X supports remote VSI authorization. When a user passes remote 802.1X authentication, the
remote server assigns the authorization VSI information of the user to the user's access port. Upon
receiving the authorization VSI information, the VTEP performs the following operations:
1. Dynamically creates an AC based on the user's access port, VLAN, and MAC address.
2. Maps the AC to the authorization VSI.
The user then can access resources in the VXLAN associated with the authorization VSI.
If the VTEP does not receive authorization VSI information for the user, the user cannot access
resources in any VXLAN after passing authentication.
For information about dynamic creation of ACs, see VXLAN configuration Guide.
Guest VSI
The 802.1X guest VSI on a port accommodates users that have not performed 802.1X
authentication. You can deploy a limited set of network resources in the VXLAN that is associated
with the guest VSI. For example, deploy a software server for users to download anti-virus software
and system patches. Once a user in the guest VSI passes 802.1X authentication, the user is
removed from the guest VSI and can access authorized network resources.
The following table shows how the VTEP handles VSIs on an 802.1X-enabled port that performs
MAC-based access control:
17
Authentication status VSI manipulation
A user accesses the port The VTEP maps the user's MAC address and access VLAN to the 802.1X guest
and has not performed VSI on the port. The user can access only resources in the VXLAN associated
802.1X authentication. with the guest VSI.
If an 802.1X Auth-Fail VSI is available on the port, the VTEP remaps the user's
A user in the 802.1X MAC address and access VLAN to the Auth-Fail VSI. The user can access only
guest VSI fails 802.1X resources in the VXLAN associated with the Auth-Fail VSI.
authentication. If no 802.1X Auth-Fail VSI is configured on the port, the user is removed from
the 802.1X guest VSI.
A user in the 802.1X
The VTEP removes the user from the 802.1X guest VSI and remaps the user's
guest VSI passes 802.1X
MAC address and access VLAN to the authorization VSI.
authentication.
Auth-Fail VSI
The 802.1X Auth-Fail VSI on a port accommodates users that have failed 802.1X authentication
because of the failure to comply with the organization security strategy. For example, the VSI
accommodates users with wrong passwords entered. Users in the Auth-Fail VSI can access a
limited set of network resources in the VXLAN associated with this VSI. You can deploy a software
server in the Auth-Fail VSI for users to download antivirus software and system patches.
The following table shows how the VTEP handles VSIs on an 802.1X-enabled port that performs
MAC-based access control:
Critical VSI
The 802.1X critical VSI on a port accommodates 802.1X users that have failed authentication
because none of the RADIUS servers in their ISP domain are reachable. Users in the critical VSI can
access a limited set of network resources in the VXLAN associated with this VSI.
The critical VSI feature takes effect when 802.1X authentication is performed only through RADIUS
servers. If an 802.1X user fails local authentication after RADIUS authentication, the user is not
assigned to the critical VSI. For more information about the authentication methods, see
"Configuring AAA."
The following table shows how the VTEP handles VSIs on an 802.1X-enabled port that performs
MAC-based access control:
18
Authentication status VSI manipulation
A user in the 802.1X critical VSI fails
authentication because all the RADIUS The user is still in the critical VSI.
servers are unreachable.
If an 802.1X Auth-Fail VSI has been configured on the port,
A user in the 802.1X critical VSI fails 802.1X the VTEP remaps the user's MAC address and access
authentication for any reason other than VLAN to the Auth-Fail VSI.
unreachable servers. If no 802.1X Auth-Fail VSI has been configured on the port,
the VTEP logs off the user.
A user in the 802.1X critical VSI passes The VTEP remaps the user's MAC address and access
802.1X authentication. VLAN to the authorization VSI.
A user in the 802.1X guest VSI fails The VTEP maps the user's MAC address and access VLAN
authentication because all the RADIUS to the 802.1X critical VSI on the port. The user can access
servers are unreachable. only resources in the VXLAN associated with the critical VSI.
A user in the 802.1X Auth-Fail VSI fails
authentication because all the RADIUS The user remains in the 802.1X Auth-Fail VSI.
servers are unreachable.
19
For more information about ACLs, see ACL and QoS Configuration Guide.
EAD assistant
Endpoint Admission Defense (EAD) is an H3C integrated endpoint access control solution to
improve the threat defensive capability of a network. The solution enables the security client, security
policy server, access device, and third-party server to operate together. If a terminal device seeks to
access an EAD network, it must have an EAD client, which performs 802.1X authentication.
The EAD assistant feature enables the access device to redirect the HTTP or HTTPS requests of a
user to a redirect URL for downloading and installing an EAD client. This feature eliminates the
administrative task to deploy EAD clients.
EAD assistant is implemented by the following functionality:
• Free IP.
A free IP is a freely accessible network segment, which has a limited set of network resources
such as software and DHCP servers. To ensure security strategy compliance, an
unauthenticated user can access only this segment to perform operations. For example, the
user can download EAD client from a software server or obtain a dynamic IP address from a
DHCP server.
• Redirect URL.
If an unauthenticated 802.1X user is using a Web browser to access the network, EAD
assistant redirects the HTTP or HTTPS requests of the user to a specific URL. For example,
you can use this feature to redirect the user to the EAD client software download page.
The EAD assistant feature creates an ACL-based EAD rule automatically to open access to the
redirect URL for each redirected user.
EAD rules are implemented by using ACL resources. When the EAD rule timer expires or the user
passes authentication, the rule is removed. If users fail to download EAD client or fail to pass
authentication before the timer expires, they must reconnect to the network to access the free IP.
20
• In a VXLAN network that is configured with 802.1X authentication, a MAC address cannot move
between local and remote sites. If a MAC address is authenticated on a site, users using the
same MAC address cannot access the network correctly in another site.
• If the authentication server assigns both authorization VSI and authorization VLAN information
to a user, the device uses only authorization VLAN information.
• On a port, the guest VLAN, Auth-Fail VLAN, and critical VLAN settings are mutually exclusive
with the guest VSI, Auth-Fail VSI, and critical VSI settings.
• For successful assignment of authorization VLANs or authorization VSIs, follow these
guidelines:
{ If a port is configured with the guest VLAN, Auth-Fail VLAN, or critical VLAN, configure the
authentication server to assign authorization VLANs to 802.1X users on the port.
{ If a port is configured with the guest VSI, Auth-Fail VSI, or critical VSI, configure the
authentication server to assign authorization VSIs to 802.1X users on the port.
• For the 802.1X guest VSI feature to work correctly, do not configure this feature together with
EAD assistant.
• Do not change the link type of a port when the 802.1X guest VLAN, Auth-Fail VLAN, or critical
VLAN on the port has users.
• 802.1X configuration is supported on Layer 2 Ethernet interfaces and Layer 2 aggregate
interfaces. In this chapter, the term "port" refers to a Layer 2 Ethernet interface or a Layer 2
aggregate interface.
• Do not delete a Layer 2 aggregate interface if the interface has online 802.1X users.
• After a Layer 2 Ethernet interface is added to an aggregation group, the 802.1X configuration
on the interface does not take effect. Before enabling 802.1X on a Layer 2 Ethernet interface,
make sure the interface is not added to a Layer 2 aggregation group.
Configuration prerequisites
Before you configure 802.1X, complete the following tasks:
• Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users.
• If RADIUS authentication is used, create user accounts on the RADIUS server.
• If local authentication is used, create local user accounts on the access device and set the
service type to lan-access.
21
Tasks at a glance
(Optional.) Configuring 802.1X unauthenticated user aging
(Optional.) Configuring the authentication trigger feature
(Optional.) Specifying a mandatory authentication domain on a port
(Optional.) Setting the quiet timer
(Optional.) Configuring 802.1X reauthentication
(Optional.) Configuring an 802.1X guest VLAN
(Optional.) Enabling 802.1X guest VLAN assignment delay
(Optional.) Configuring an 802.1X Auth-Fail VLAN
(Optional.) Configuring an 802.1X critical VLAN
(Optional.) Enabling the 802.1X critical voice VLAN
(Optional.) Configuring an 802.1X guest VSI
(Optional.) Enabling 802.1X guest VSI assignment delay
(Optional.) Configuring an 802.1X Auth-Fail VSI
(Optional.) Configuring an 802.1X critical VSI
(Optional.) Specifying supported domain name delimiters
(Optional.) Enabling 802.1X user IP freezing
(Optional.) Removing the VLAN tags of 802.1X protocol packets sent out of a port
(Optional.) Setting the maximum number of 802.1X authentication attempts for MAC authenticated users
(Optional.) Configuring 802.1X MAC address binding
(Optional.) Configuring the EAD assistant feature
(Optional.) Enabling logging for 802.1X users
Enabling 802.1X
When you enable 802.1X, follow these guidelines:
• For 802.1X to take effect on a port, you must enable it both globally and on the port.
• If the PVID is a voice VLAN, the 802.1X feature cannot take effect on the port. For more
information about voice VLANs, see Layer 2—LAN Switching Configuration Guide.
• Do not enable 802.1X on a port that is in a link aggregation or service loopback group.
To enable 802.1X:
22
Enabling EAP relay or EAP termination
When configuring EAP relay or EAP termination, consider the following factors:
• Support of the RADIUS server for EAP packets.
• Authentication methods supported by the 802.1X client and the RADIUS server.
You can use both EAP termination and EAP relay in any of the following situations:
• The client is using only MD5-Challenge EAP authentication. If EAP termination is used, you
must enable CHAP authentication on the access device.
• The client is an iNode 802.1X client and initiates only the username and password EAP
authentication. If EAP termination is used, you can enable either PAP or CHAP authentication
on the access device. However, if the password is required to be transmitted in cipher text, you
must use CHAP authentication on the access device.
To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When
you make your decision, see "Comparing EAP relay and EAP termination" for help.
For more information about EAP relay and EAP termination, see "802.1X authentication
procedures."
To configure EAP relay or EAP termination:
NOTE:
If EAP relay mode is used, the user-name-format command configured in RADIUS scheme view
does not take effect. The access device sends the authentication data from the client to the server
without any modification.
23
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
24
access device stops retransmitting the request if it has made the maximum number of request
transmission attempts but still receives no response.
To set the maximum number of authentication request attempts:
25
802.1X users that use illegal client software from bypassing iNode security check, such as dual
network interface cards (NICs) detection. If a user fails the handshake security checking, the device
sets the user to the offline state.
Configuration procedure
To configure the online user handshake feature:
26
Configuration restrictions and guidelines
The 802.1X offline detection feature takes effect only on a port that performs MAC-based access
control. If you change the port access mode to port-based, the 802.1X offline detection feature
cannot take effect.
For this feature to operate as expected, do not set the offline detect timer to the same value as either
of the following timers:
• Handshake timer (set by using the dot1x timer handshake-period command).
• Periodic reauthentication timer (set by using the dot1x timer reauth-period command).
Configuration procedure
To configure 802.1X offline detection:
27
Configuration procedure
To configure 802.1X unauthenticated user aging:
Configuration procedure
To configure the authentication trigger feature on a port:
28
Specifying a mandatory authentication domain on
a port
You can place all 802.1X users in a mandatory authentication domain for authentication,
authorization, and accounting on a port. No user can use an account in any other domain to access
the network through the port. The implementation of a mandatory authentication domain enhances
the flexibility of 802.1X access control deployment.
To specify a mandatory authentication domain for a port:
29
By default, the device logs off online 802.1X users if no server is reachable for 802.1X
reauthentication. The keep-online feature keeps authenticated 802.1X users online when no server
is reachable for 802.1X reauthentication, either manually or periodically.
By default, no periodic
5. (Optional.) Set the periodic reauthentication timer is set on a
reauthentication timer on the dot1x timer reauth-period
port. The port uses the global
port. reauth-period-value
802.1X periodic reauthentication
timer.
30
Configuring 802.1X manual reauthentication
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
31
Feature Relationship description Reference
See Layer 2—LAN
You cannot specify a VLAN as both a super
Super VLAN Switching Configuration
VLAN and an 802.1X guest VLAN.
Guide.
802.1X Auth-Fail VLAN
on a port that performs The 802.1X Auth-Fail VLAN has higher priority See "802.1X VLAN
MAC-based access than the 802.1X guest VLAN. manipulation."
control
The 802.1X guest VLAN feature has higher
Port intrusion protection priority than the block MAC action.
actions on a port that See "Configuring port
performs MAC-based The 802.1X guest VLAN feature has lower security."
access control priority than the shutdown port action of the
port intrusion protection feature.
Configuration prerequisites
Before you configure an 802.1X guest VLAN, complete the following tasks:
• Create the VLAN to be specified as the 802.1X guest VLAN.
• If the 802.1X-enabled port performs MAC-based access control, perform the following
operations for the port:
{ Configure the port as a hybrid port.
{ Enable MAC-based VLAN on the port. For more information about MAC-based VLANs, see
Layer 2—LAN Switching Configuration Guide.
{ Assign the port to the 802.1X guest VLAN as an untagged member.
Configuration procedure
To configure an 802.1X guest VLAN:
32
2. Retransmits the packet if no response is received within the username request timeout interval
set by using the dot1x timer tx-period command.
3. Assigns the port the 802.1X guest VLAN after the maximum number of request attempts set by
using the dot1x retry command is reached.
To enable 802.1X guest VLAN assignment delay on a port:
Configuration prerequisites
Before you configure an 802.1X Auth-Fail VLAN, complete the following tasks:
• Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.
• If the 802.1X-enabled port performs MAC-based access control, perform the following
operations for the port:
{ Configure the port as a hybrid port.
33
{ Enable MAC-based VLAN on the port. For more information about MAC-based VLANs, see
Layer 2—LAN Switching Configuration Guide.
{ Assign the port to the Auth-Fail VLAN as an untagged member.
Configuration procedure
To configure an 802.1X Auth-Fail VLAN:
Configuration prerequisites
Before you configure an 802.1X critical VLAN, complete the following tasks:
• Create the VLAN to be specified as a critical VLAN.
• If the 802.1X-enabled port performs MAC-based access control, perform the following
operations for the port:
{ Configure the port as a hybrid port.
{ Enable MAC-based VLAN on the port. For more information about MAC-based VLANs, see
Layer 2—LAN Switching Configuration Guide.
{ Assign the port to the 802.1X critical VLAN as an untagged member.
34
Configuration procedure
To configure an 802.1X critical VLAN:
Configuration prerequisites
Before you enable the 802.1X critical voice VLAN on a port, complete the following tasks:
• Enable LLDP both globally and on the port.
The device uses LLDP to identify voice users. For information about LLDP, see Layer 2—LAN
Switching Configuration Guide.
• Enable voice VLAN on the port.
For information about voice VLANs, see Layer 2—LAN Switching Configuration Guide.
Configuration procedure
To enable the 802.1X critical voice VLAN feature on a port:
35
Configuring an 802.1X guest VSI
Configuration restrictions and guidelines
You can configure only one 802.1X guest VSI on a port. The 802.1X guest VSIs on different ports can
be different.
Only ports that perform MAC-based access control support the 802.1X guest VSI.
Configuration prerequisites
Before you configure the 802.1X guest VSI on an 802.1X-enabled port, complete the following tasks:
• Enable L2VPN.
• Create the VSI to be specified as the 802.1X guest VSI, and create a VXLAN for the VSI.
• Enable MAC-based traffic match mode for dynamic ACs.
For more information, see VXLAN Configuration Guide.
Configuration procedure
To configure the 802.1X guest VSI on a port:
36
facilitates the port to perform MAC authentication before it is assigned to the 802.1X guest VSI. For
information about the parallel processing of MAC authentication and 802.1X authentication feature,
see "Configuring MAC authentication."
Configuration procedure
To enable 802.1X guest VSI assignment delay on a port:
Configuration prerequisites
Before you configure the 802.1X Auth-Fail VSI on an 802.1X-enabled port, complete the following
tasks:
• Enable L2VPN.
• Create the VSI to be specified as the 802.1X Auth-Fail VSI, and create a VXLAN for the VSI.
• Enable MAC-based traffic match mode for dynamic ACs.
For more information, see VXLAN Configuration Guide.
Configuration procedure
To configure the 802.1X Auth-Fail VSI on a port:
37
Configuring an 802.1X critical VSI
Configuration restrictions and guidelines
You can configure only one 802.1X critical VSI on a port. The 802.1X critical VSIs on different ports
can be different.
Only ports that perform MAC-based access control support the 802.1X critical VSI.
Configuration prerequisites
Before you configure the 802.1X critical VSI on an 802.1X-enabled port, complete the following
tasks:
• Enable L2VPN.
• Create the VSI to be specified as the 802.1X critical VSI, and create a VXLAN for the VSI.
• Enable MAC-based traffic match mode for dynamic ACs.
For more information, see VXLAN Configuration Guide.
Configuration procedure
To configure the 802.1X critical VSI on a port:
38
Step Command Remarks
name delimiters for 802.1X delimiter is supported.
users.
NOTE:
If you configure the access device to send usernames with domain names to the RADIUS server,
make sure the domain delimiter can be recognized by the RADIUS server. For username format
configuration, see the user-name-format command in Security Command Reference.
39
Configuration prerequisites
Set the link type of the 802.1X-enabled port to hybrid. For more information, see VLAN configuration
in Layer 2 LAN Switching Configuration Guide.
Configuration procedure
To remove the VLAN tags of all 802.1X protocol packets sent out of the port to 802.1X clients:
40
Configuring 802.1X MAC address binding
Overview
This feature can automatically bind MAC addresses of authenticated 802.1X users to the users'
access port and generate 802.1X MAC address binding entries. You can also use the dot1x
mac-binding mac-address command to manually add 802.1X MAC address binding entries.
802.1X MAC address binding entries never age out. They can survive a user logoff or a device
reboot. If users in the 802.1X MAC address binding entries perform 802.1X authentication on
another port, they cannot pass authentication.
Configuration procedure
To configure the 802.1X MAC address binding feature on a port:
4. (Optional.) Manually
add an 802.1X MAC By default, no 802.1X
address binding dot1x mac-binding mac-address MAC address binding
entry. entries exist on a port.
41
• For the 802.1X guest VLAN or guest VSI feature to work correctly, do not enable EAD assistant
together with the 802.1X guest VLAN or guest VSI feature.
• When global MAC authentication or port security is enabled, the free IP does not take effect.
• If you use the free IP and Auth-Fail VLAN features together, make sure the resources in the
Auth-Fail VLAN are on the free IP segments.
• To allow a user to obtain a dynamic IP address before it passes 802.1X authentication, make
sure the DHCP server is on the free IP segment.
• The server that provides the redirect URL must be on the free IP accessible to unauthenticated
users.
• To avoid using up ACL resources when a large number of EAD users exist, you can shorten the
EAD rule timer.
To configure the EAD assistant feature:
Configuration procedure
To enable logging for 802.1X users:
42
Step Command Remarks
1. Enter system view. system-view N/A
By default, all types of logging are
dot1x access-user log enable disabled for 802.1X users.
2. Enable logging for 802.1X [ abnormal-logoff | failed-login | If you do not specify any
users. normal-logoff | parameters, this command
successful-login ] * enables all types of logging for
802.1X users.
Task Command
Display 802.1X session information,
display dot1x [ sessions | statistics ] [ interface interface-type
statistics, or configuration information of
interface-number ]
specified or all ports.
display dot1x connection [ open ] [ interface interface-type
(In standalone mode.) Display online
interface-number | slot slot-number | user-mac mac-address |
802.1X user information.
user-name name-string ]
display dot1x connection [ open ] [ chassis chassis-number
(In IRF mode.) Display online 802.1X
slot slot-number | interface interface-type interface-number |
user information.
user-mac mac-address | user-name name-string ]
Display MAC address information of display dot1x mac-address { auth-fail-vlan | auth-fail-vsi |
802.1X users in specific 802.1X VLANs critical-vlan | critical-vsi | guest-vlan | guest-vsi } [ interface
or VSIs. interface-type interface-number ]
reset dot1x statistics [ interface interface-type
Clear 802.1X statistics.
interface-number ]
Remove users from the 802.1X guest reset dot1x guest-vlan interface interface-type
VLAN on a port. interface-number [ mac-address mac-address ]
Remove users from the 802.1X guest reset dot1x guest-vsi interface interface-type interface-number
VSI on a port. [ mac-address mac-address ]
43
Set the shared key to name for packets between the access device and the authentication server.
Set the shared key to money for packets between the access device and the accounting server.
Figure 12 Network diagram
Configuration procedure
For information about the RADIUS commands used on the access device in this example, see
Security Command Reference.
1. Configure the RADIUS servers and add user accounts for the 802.1X users. Make sure the
RADIUS servers can provide authentication, authorization, and accounting services. (Details
not shown.)
2. Assign an IP address to each interface. (Details not shown.)
3. Configure user accounts for the 802.1X users on the access device:
# Add a local network access user with username localuser and password localpass in
plaintext. (Make sure the username and password are the same as those configured on the
RADIUS servers.)
<Device> system-view
[Device] local-user localuser class network
[Device-luser-network-localuser] password simple localpass
# Set the service type to lan-access.
[Device-luser-network-localuser] service-type lan-access
[Device-luser-network-localuser] quit
4. Configure a RADIUS scheme on the access device:
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
[Device] radius scheme radius1
# Specify the IP addresses of the primary authentication and accounting RADIUS servers.
[Device-radius-radius1] primary authentication 10.1.1.1
[Device-radius-radius1] primary accounting 10.1.1.1
# Configure the IP addresses of the secondary authentication and accounting RADIUS servers.
[Device-radius-radius1] secondary authentication 10.1.1.2
[Device-radius-radius1] secondary accounting 10.1.1.2
# Specify the shared key between the access device and the authentication server.
[Device-radius-radius1] key authentication simple name
# Specify the shared key between the access device and the accounting server.
[Device-radius-radius1] key accounting simple money
# Exclude the ISP domain names from the usernames sent to the RADIUS servers.
[Device-radius-radius1] user-name-format without-domain
[Device-radius-radius1] quit
44
NOTE:
The access device must use the same username format as the RADIUS server. If the RADIUS
server includes the ISP domain name in the username, so must the access device.
# Display the user connection information after an 802.1X user passes authentication.
[Device] display dot1x connection
45
Figure 13 Network diagram
Configuration procedure
For information about the RADIUS commands used on the access device in this example, see
Security Command Reference.
1. Configure the RADIUS server to provide authentication, authorization, and accounting services.
Configure user accounts and authorization VLAN (VLAN 5 in this example) for the users.
(Details not shown.)
2. Create VLANs, and assign ports to the VLANs on the access device.
<Device> system-view
[Device] vlan 1
[Device-vlan1] port gigabitethernet 1/0/2
[Device-vlan1] quit
[Device] vlan 10
[Device-vlan10] port gigabitethernet 1/0/1
[Device-vlan10] quit
[Device] vlan 2
[Device-vlan2] port gigabitethernet 1/0/4
[Device-vlan2] quit
[Device] vlan 5
[Device-vlan5] port gigabitethernet 1/0/3
[Device-vlan5] quit
3. Configure a RADIUS scheme on the access device:
# Create RADIUS scheme 2000 and enter RADIUS scheme view.
[Device] radius scheme 2000
# Specify the server at 10.11.1.1 as the primary authentication server, and set the
authentication port to 1812.
46
[Device-radius-2000] primary authentication 10.11.1.1 1812
# Specify the server at 10.11.1.1 as the primary accounting server, and set the accounting port
to 1813.
[Device-radius-2000] primary accounting 10.11.1.1 1813
# Set the shared key to abc in plain text for secure communication between the authentication
server and the device.
[Device-radius-2000] key authentication simple abc
# Set the shared key to abc in plain text for secure communication between the accounting
server and the device.
[Device-radius-2000] key accounting simple abc
# Exclude the ISP domain names from the usernames sent to the RADIUS server.
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
4. Configure an ISP domain on the access device:
# Create ISP domain bbb and enter ISP domain view.
[Device] domain bbb
# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and
accounting.
[Device-isp-bbb] authentication lan-access radius-scheme 2000
[Device-isp-bbb] authorization lan-access radius-scheme 2000
[Device-isp-bbb] accounting lan-access radius-scheme 2000
[Device-isp-bbb] quit
5. Configure 802.1X on the access device:
# Enable 802.1X on GigabitEthernet 1/0/2.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] dot1x
# Implement port-based access control on the port.
[Device-GigabitEthernet1/0/2] dot1x port-method portbased
# Set the port authorization mode to auto. By default, the port uses the auto mode.
[Device-GigabitEthernet1/0/2] dot1x port-control auto
# Specify VLAN 10 as the 802.1X guest VLAN on GigabitEthernet 1/0/2.
[Device-GigabitEthernet1/0/2] dot1x guest-vlan 10
[Device-GigabitEthernet1/0/2] quit
# Enable 802.1X globally.
[Device] dot1x
6. Configure the 802.1X client. Make sure the 802.1X client can update its IP address after the
access port is assigned to the guest VLAN or an authorization VLAN. (Details not shown.)
Verifying the configuration
# Verify the 802.1X guest VLAN configuration on GigabitEthernet 1/0/2.
[Device] display dot1x interface gigabitethernet 1/0/2
# Verify that GigabitEthernet 1/0/2 is assigned to VLAN 10 before any user passes authentication on
the port.
[Device] display vlan 10
# After a user passes authentication, display information on GigabitEthernet 1/0/2. Verify that
GigabitEthernet 1/0/2 is assigned to VLAN 5.
[Device] display interface gigabitethernet 1/0/2
47
802.1X with ACL assignment configuration example
Network requirements
As shown in Figure 14, the host that connects to GigabitEthernet 1/0/1 must pass 802.1X
authentication to access the Internet.
Perform 802.1X authentication on GigabitEthernet 1/0/1. Use the RADIUS server at 10.1.1.1 as the
authentication and authorization server, and the RADIUS server at 10.1.1.2 as the accounting
server.
Configure ACL assignment on GigabitEthernet 1/0/1 to deny access of 802.1X users to the FTP
server from 8:00 to 18:00 on weekdays.
Figure 14 Network diagram
GE1/0/2
GE1/0/1 GE1/0/3
Vlan-int2
Internet
192.168.1.1/24
Host Device FTP server
192.168.1.10/24 10.0.0.1/24
Configuration procedure
For information about the RADIUS commands used on the access device in this example, see
Security Command Reference.
1. Configure the RADIUS servers to provide authentication, authorization, and accounting
services. Add user accounts and specify the ACL (ACL 3000 in this example) for the users.
(Details not shown.)
2. Assign an IP address to each interface, as shown in Figure 14. (Details not shown.)
3. Configure a RADIUS scheme on the access device:
# Create RADIUS scheme 2000 and enter RADIUS scheme view.
<Device> system-view
[Device] radius scheme 2000
# Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication
port to 1812.
[Device-radius-2000] primary authentication 10.1.1.1 1812
# Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to
1813.
[Device-radius-2000] primary accounting 10.1.1.2 1813
# Set the shared key to abc in plain text for secure communication between the authentication
server and the device.
[Device-radius-2000] key authentication simple abc
# Set the shared key to abc in plain text for secure communication between the accounting
server and the device.
[Device-radius-2000] key accounting simple abc
# Exclude the ISP domain names from the usernames sent to the RADIUS server.
[Device-radius-2000] user-name-format without-domain
48
[Device-radius-2000] quit
4. Configure an ISP domain on the access device:
# Create ISP domain bbb and enter ISP domain view.
[Device] domain bbb
# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and
accounting.
[Device-isp-bbb] authentication lan-access radius-scheme 2000
[Device-isp-bbb] authorization lan-access radius-scheme 2000
[Device-isp-bbb] accounting lan-access radius-scheme 2000
[Device-isp-bbb] quit
5. Configure a time range named ftp from 8:00 to 18:00 on weekdays on the access device.
[Device] time-range ftp 8:00 to 18:00 working-day
6. Configure ACL 3000 to deny packets destined for the FTP server at 10.0.0.1 during the
specified time range on the access device.
[Device] acl advanced 3000
[Device-acl-ipv4-adv-3000] rule 0 deny ip destination 10.0.0.1 0 time-range ftp
[Device-acl-ipv4-adv-3000] quit
7. Configure 802.1X on the access device:
# Enable 802.1X on GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x
[Device-GigabitEthernet1/0/1] quit
# Enable 802.1X globally.
[Device] dot1x
8. Configure the 802.1X client. Make sure the client is able to update its IP address after the
access port is assigned to the 802.1X guest VLAN or an authorization VLAN. (Details not
shown.)
Verifying the configuration
# Use the user account to pass authentication. (Details not shown.)
# Verify that the user cannot ping the FTP server at any time from 8:00 to 18:00 on any weekday.
C:\>ping 10.0.0.1
The output shows that ACL 3000 is active on the user, and the user cannot access the FTP server.
49
802.1X guest VSI and authorization VSI configuration
example
Network requirements
As shown in Figure 15:
• The device acts as both a VXLAN VTEP and a network access device. It uses the RADIUS
server to perform authentication, authorization, and accounting for 802.1X users that connect to
GigabitEthernet 1/0/2.
• GigabitEthernet 1/0/2 uses MAC-based access control and is configured with the 802.1X guest
VSI. VXLAN 10 is created on the guest VSI. Users in the guest VSI can access the update
server in VXLAN 10 and download the 802.1X client software.
• The RADIUS server assigns an authorization VSI to the host. The VSI is associated with
VXLAN 5 on the device. After passing authentication, the host can access the Internet.
Figure 15 Network diagram
Update server RADIUS server
VXLAN 10
VLAN 1
VXLAN 5
GE1/0/2
Device
(VTEP)
Internet
Host
GE1/0/2 is moved to VXLAN 10 on
the guest VSI
VXLAN 10
User passes authentication
Host Host
Configuration procedure
For information about the RADIUS commands used on the access device in this example, see
Security Command Reference.
1. Configure the RADIUS server to provide authentication, authorization, and accounting services.
Configure user accounts and authorization VSI (VSI vpn5 in this example) for the users.
(Details not shown.)
If an H3C ADCAM server is used for authentication and authorization, configure VSIs on the
server. The server will assign these VSIs to the device. You do not need to configure VSIs on
the device.
2. Enable L2VPN on the access device.
<Device> system-view
50
[Device] l2vpn enable
3. Create VSIs and the corresponding VXLANs on the access device.
[Device] vsi vpn10
[Device-vsi-vpn10] vxlan 10
[Device-vsi-vpn10-vxlan-10] quit
[Device-vsi-vpn10] quit
[Device] vsi vpn5
[Device-vsi-vpn5] vxlan 5
[Device-vsi-vpn5-vxlan-5] quit
[Device-vsi-vpn5] quit
4. Configure a RADIUS scheme on the access device:
# Create RADIUS scheme 2000 and enter RADIUS scheme view.
[Device] radius scheme 2000
# Specify the server at 10.11.1.1 as the primary authentication server, and set the
authentication port to 1812.
[Device-radius-2000] primary authentication 10.11.1.1 1812
# Specify the server at 10.11.1.1 as the primary accounting server, and set the accounting port
to 1813.
[Device-radius-2000] primary accounting 10.11.1.1 1813
# Set the shared key to abc in plain text for secure communication between the authentication
server and the device.
[Device-radius-2000] key authentication simple abc
# Set the shared key to abc in plain text for secure communication between the accounting
server and the device.
[Device-radius-2000] key accounting simple abc
# Exclude the ISP domain names from the usernames sent to the authentication and
accounting servers.
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
5. Configure an ISP domain on the access device:
# Create ISP domain bbb and enter ISP domain view.
[Device] domain bbb
# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and
accounting of LAN users.
[Device-isp-bbb] authentication lan-access radius-scheme 2000
[Device-isp-bbb] authorization lan-access radius-scheme 2000
[Device-isp-bbb] accounting lan-access radius-scheme 2000
[Device-isp-bbb] quit
6. Configure 802.1X on the access device:
# Enable 802.1X on GigabitEthernet 1/0/2.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] dot1x
# Set the port authorization mode to auto. By default, the port uses the auto mode.
[Device-GigabitEthernet1/0/2] dot1x port-control auto
# Enable MAC-based traffic match mode for dynamic Ethernet service instances on
GigabitEthernet 1/0/2.
[Device-GigabitEthernet1/0/2] mac-based ac
# Enable 802.1X unicast trigger on GigabitEthernet 1/0/2.
51
[Device-GigabitEthernet1/0/2] dot1x unicast-trigger
# Specify VSI vpn10 as the 802.1X guest VSI on GigabitEthernet 1/0/2.
[Device-GigabitEthernet1/0/2] dot1x guest-vsi vpn10
[Device-GigabitEthernet1/0/2] quit
# Enable 802.1X globally.
[Device] dot1x
7. Configure the 802.1X client. Make sure the 802.1X client can update its IP address after the
access port is assigned to the guest VSI or an authorization VSI. (Details not shown.)
Verifying the configuration
# Verify that GigabitEthernet 1/0/2 is assigned to VSI vpn10 if no responses are received from the
client after 802.1X authentication is triggered.
[Device] display l2vpn forwarding ac verbose
# Verify that GigabitEthernet 1/0/2 is assigned to VSI vpn5 after a user passes authentication on the
port.
[Device] display l2vpn forwarding ac verbose
52
Figure 16 Network diagram
Configuration procedure
1. Make sure the DHCP server, the Web server, and the authentication servers have been
configured correctly. (Details not shown.)
2. Configure an IP address for each interface. (Details not shown.)
3. Configure DHCP relay:
# Enable DHCP.
<Device> system-view
[Device] dhcp enable
# Enable the DHCP relay agent on VLAN-interface 2.
[Device] interface vlan-interface 2
[Device-Vlan-interface2] dhcp select relay
# Specify the DHCP server 192.168.2.2 on the relay agent interface VLAN-interface 2.
[Device-Vlan-interface2] dhcp relay server-address 192.168.2.2
[Device-Vlan-interface2] quit
4. Configure a RADIUS scheme:
# Create RADIUS scheme 2000 and enter RADIUS scheme view.
[Device] radius scheme 2000
# Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication
port to 1812.
[Device-radius-2000] primary authentication 10.1.1.1 1812
# Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to
1813.
[Device-radius-2000] primary accounting 10.1.1.2 1813
# Set the shared key to abc in plain text for secure communication between the authentication
server and the device.
[Device-radius-2000] key authentication simple abc
# Set the shared key to abc in plain text for secure communication between the accounting
server and the device.
[Device-radius-2000] key accounting simple abc
53
# Exclude the ISP domain names from the usernames sent to the RADIUS server.
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
5. Configure an ISP domain:
# Create ISP domain bbb and enter ISP domain view.
[Device] domain bbb
# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and
accounting.
[Device-isp-bbb] authentication lan-access radius-scheme 2000
[Device-isp-bbb] authorization lan-access radius-scheme 2000
[Device-isp-bbb] accounting lan-access radius-scheme 2000
[Device-isp-bbb] quit
6. Configure 802.1X:
# Configure the free IP.
[Device] dot1x ead-assistant free-ip 192.168.2.0 24
# Configure the redirect URL for client software download.
[Device] dot1x ead-assistant url http://192.168.2.3
# Enable the EAD assistant feature.
[Device] dot1x ead-assistant enable
# Enable 802.1X on GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x
[Device-GigabitEthernet1/0/1] quit
# Enable 802.1X globally.
[Device] dot1x
# Verify that you can ping an IP address on the free IP subnet from a host.
C:\>ping 192.168.2.3
The output shows that you can access the free IP subnet before passing 802.1X authentication.
# Verify that you are redirected to the Web server when you enter in your Web browser an IP address
not on the free IP. (Details not shown.)
54
802.1X with EAD assistant configuration example (with
DHCP server)
Network requirements
As shown in Figure 17:
• The intranet 192.168.1.0/24 is attached to GigabitEthernet 1/0/1 of the access device.
• The hosts use DHCP to obtain IP addresses.
• A Web server is deployed on the 192.168.2.0/24 subnet for users to download client software.
Deploy an EAD solution for the intranet to meet the following requirements:
• Allow unauthenticated users and users that have failed 802.1X authentication to access
192.168.2.0/24. The users can download software.
• If these users use a Web browser to access a network other than 192.168.2.0/24, redirect them
to the Web server for 802.1X client downloading.
• Allow authenticated 802.1X users to access the network.
Figure 17 Network diagram
Configuration procedure
1. Make sure the Web server and the authentication servers have been configured correctly.
(Details not shown.)
2. Configure an IP address for each interface. (Details not shown.)
3. Configure the DHCP server:
# Enable DHCP.
<Device> system-view
[Device] dhcp enable
# Enable the DHCP server on VLAN-interface 2.
[Device] interface vlan-interface 2
[Device-Vlan-interface2] dhcp select server
[Device-Vlan-interface2] quit
# Create DHCP address pool 0.
55
[Device] dhcp server ip-pool 0
# Specify subnet 192.168.1.0/24 in DHCP address pool 0.
[Device-dhcp-pool-0] network 192.168.1.0 mask 255.255.255.0
# Specify the gateway address 192.168.1.1 in DHCP address pool 0.
[Device-dhcp-pool-0] gateway-list 192.168.1.1
[Device-dhcp-pool-0] quit
4. Configure a RADIUS scheme:
# Create RADIUS scheme 2000 and enter RADIUS scheme view.
[Device] radius scheme 2000
# Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication
port to 1812.
[Device-radius-2000] primary authentication 10.1.1.1 1812
# Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to
1813.
[Device-radius-2000] primary accounting 10.1.1.2 1813
# Set the shared key to abc in plain text for secure communication between the authentication
server and the device.
[Device-radius-2000] key authentication simple abc
# Set the shared key to abc in plain text for secure communication between the accounting
server and the device.
[Device-radius-2000] key accounting simple abc
# Exclude the ISP domain names from the usernames sent to the RADIUS server.
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
5. Configure an ISP domain:
# Create ISP domain bbb and enter ISP domain view.
[Device] domain bbb
# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and
accounting.
[Device-isp-bbb] authentication lan-access radius-scheme 2000
[Device-isp-bbb] authorization lan-access radius-scheme 2000
[Device-isp-bbb] accounting lan-access radius-scheme 2000
[Device-isp-bbb] quit
6. Configure 802.1X:
# Configure the free IP.
[Device] dot1x ead-assistant free-ip 192.168.2.0 24
# Configure the redirect URL for client software download.
[Device] dot1x ead-assistant url http://192.168.2.3
# Enable the EAD assistant feature.
[Device] dot1x ead-assistant enable
# Enable 802.1X on GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x
[Device-GigabitEthernet1/0/1] quit
# Enable 802.1X globally.
[Device] dot1x
56
Verifying the configuration
# Verify the 802.1X configuration.
[Device] display dot1x
# Verify that you can ping an IP address on the free IP subnet from a host.
C:\>ping 192.168.2.3
The output shows that you can access the free IP subnet before passing 802.1X authentication.
# Verify that you are redirected to the Web server when you enter in your Web browser an IP address
not on the free IP. (Details not shown.)
Troubleshooting 802.1X
EAD assistant URL redirection failure
Symptom
Unauthenticated users are not redirected to the specified redirect URL after they enter external
website addresses in their Web browsers.
Analysis
Redirection will not happen for one of the following reasons:
• The address is in the string format. The operating system of the host regards the string as a
website name and tries to resolve the string. If the resolution fails, the operating system sends
an ARP request, but the target address is not in the dotted decimal notation. The redirection
feature does redirect this kind of ARP request.
• The address is within a free IP segment. No redirection will take place, even if no host is present
with the address.
• The redirect URL is not in a free IP segment.
• No server is using the redirect URL, or the server with the URL does not provide Web services.
Solution
To resolve the issue:
1. Enter a dotted decimal IP address that is not in any free IP segments.
2. Verify that the access device and the server are configured correctly.
3. If the issue persists, contact H3C Support.
57