06-Security Configuration Guide

02-802.1X Configuration

Contents

802.1X overview
    Architecture of 802.1X
    Controlled/uncontrolled port and port authorization status
    802.1X-related protocols
        Packet formats
        EAP over RADIUS
    Initiating 802.1X authentication
        802.1X client as the initiator
        Access device as the initiator
    802.1X authentication procedures
        A comparison of EAP relay and EAP termination
        EAP relay
        EAP termination

802.1X configuration
    H3C implementation of 802.1X
        Access control methods
        Using 802.1X authentication with other features
    Configuring 802.1X
        Configuration prerequisites
        802.1X configuration task list
        Enabling 802.1X
        Enabling EAP relay or EAP termination
        Setting the port authorization state
        Specifying an access control method
        Setting the maximum number of concurrent 802.1X users on a port
        Setting the maximum number of authentication request attempts
        Setting the 802.1X authentication timeout timers
        Configuring the online user handshake function
        Configuring the authentication trigger function
        Specifying a mandatory authentication domain on a port
        Configuring the quiet timer
        Enabling the periodic online user re-authentication function
        Configuring an 802.1X guest VLAN
        Configuring an Auth-Fail VLAN
    Displaying and maintaining 802.1X
    802.1X configuration examples
        802.1X authentication configuration example
        802.1X with guest VLAN and VLAN assignment configuration example
        802.1X with ACL assignment configuration example

EAD fast deployment configuration
    EAD fast deployment overview
    EAD fast deployment implementation
    Configuring EAD fast deployment
        Configuration prerequisites
        Configuration procedure
    Displaying and maintaining EAD fast deployment
    EAD fast deployment configuration example
    Troubleshooting EAD fast deployment
        Web browser users cannot be correctly redirected

 


802.1X overview

802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control.

802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.

This chapter includes these sections:

·          Architecture of 802.1X

·          Controlled/uncontrolled port and port authorization status

·          802.1X-related protocols

·          Initiating 802.1X authentication

·          802.1X authentication procedures

 

 

NOTE:

·      The term "switch" or "device" in this chapter refers to the switching engine on a WX3000E wireless switch.

·      The WX3000E series comprises WX3024E and WX3010E wireless switches.

·      The port numbers in this chapter are for illustration only.

 

Architecture of 802.1X

802.1X operates in the client/server model. It comprises three entities: the client (the supplicant), the network access device (the authenticator), and the authentication server, as shown in Figure 1.

Figure 1 Architecture of 802.1X

 

·          The client is a user terminal seeking access to the LAN. It must have 802.1X software to authenticate to the network access device.

·          The network access device authenticates the client to control access to the LAN. In a typical 802.1X environment, the network access device uses an authentication server to perform authentication.

·          The authentication server is the entity that provides authentication services for the network access device. It authenticates 802.1X clients by using the data sent from the network access device, and returns the authentication results for the network access device to make access decisions. The authentication server is typically a Remote Authentication Dial-in User Service (RADIUS) server. In a small LAN, you can also use the network access device as the authentication server.

Controlled/uncontrolled port and port authorization status

802.1X defines two logical ports for the network access port: controlled port and uncontrolled port. Any packet arriving at the network access port is visible to both logical ports.

·          The controlled port allows incoming and outgoing traffic to pass through when it is in the authorized state, and denies incoming and outgoing traffic when it is in the unauthorized state, as shown in Figure 2. The controlled port is set in the authorized state if the client has passed authentication, and in the unauthorized state if the client has failed authentication.

·          The uncontrolled port is always open to receive and transmit EAPOL frames.

Figure 2 Authorization state of a controlled port

 

In the unauthorized state, a controlled port controls traffic in one of the following ways:

·          Performs bidirectional traffic control to deny traffic to and from the client.

·          Performs unidirectional traffic control to deny traffic from the client.

 

 

NOTE:

The H3C devices support only unidirectional traffic control.

 

802.1X-related protocols

802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server. EAP is an authentication framework that uses the client/server model. It supports a variety of authentication methods, including MD5-Challenge, EAP-Transport Layer Security (EAP-TLS), and Protected EAP (PEAP).

802.1X defines EAP over LAN (EAPOL) for passing EAP packets between the client and the network access device over a wired or wireless LAN. Between the network access device and the authentication server, 802.1X delivers authentication information in one of the following methods:

·          Encapsulates EAP packets in RADIUS by using EAP over RADIUS (EAPOR), as described in “EAP relay.”

·          Extracts authentication information from the EAP packets and encapsulates the information in standard RADIUS packets, as described in “EAP termination.”

Packet formats

EAP packet format

Figure 3 shows the EAP packet format.

Figure 3 EAP packet format

 

·          Code: Type of the EAP packet, which can be Request (1), Response (2), Success (3), or Failure (4).

·          Identifier: Used for matching Responses with Requests.

·          Length: Length (in bytes) of the EAP packet, which is the sum of the Code, Identifier, Length, and Data fields.

·          Data: Content of the EAP packet. This field appears only in a Request or Response EAP packet.

EAPOL packet format

Figure 4 shows the EAPOL packet format.

Figure 4 EAPOL packet format

 

·          PAE Ethernet type: Protocol type. It takes the value 0x888E for EAPOL.

·          Protocol version: The EAPOL protocol version used by the EAPOL packet sender.

·          Type: Type of the EAPOL packet. Table 1 lists the types of EAPOL packets that the H3C implementation of 802.1X supports.

Table 1 Types of EAPOL packets

| Value | Type | Description |
|---|---|---|
| 0x00 | EAP-Packet | The client and the network access device use EAP-Packets to transport authentication information. |
| 0x01 | EAPOL-Start | The client sends an EAPOL-Start message to initiate 802.1X authentication to the network access device. |
| 0x02 | EAPOL-Logoff | The client sends an EAPOL-Logoff message to tell the network access device that it is logging off. |


·          Length: Data length in bytes, or length of the Packet body. If packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows.

·          Packet body: Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body field contains an EAP packet.
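The following parser is an added example, not code from the H3C guide: it walks the EAPOL and EAP field layouts just described (Figure 3, Figure 4, Table 1) and rejects frames whose Type and Length fields are inconsistent. The MAC addresses and sample frames are constructed.

```python
# Added example (not from the H3C guide): parser for the EAPOL and EAP field
# layouts described above (Figure 3, Figure 4, Table 1).
import struct
from dataclasses import dataclass
from typing import Optional

EAPOL_ETHERTYPE = 0x888E                       # PAE Ethernet type
EAPOL_TYPES = {0x00: "EAP-Packet", 0x01: "EAPOL-Start", 0x02: "EAPOL-Logoff"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int      # covers Code, Identifier, Length and Data
    data: bytes      # empty for Success and Failure


@dataclass
class EapolFrame:
    dst: bytes
    src: bytes
    version: int
    type: int
    length: int      # length of the Packet body, 0 for Start/Logoff
    eap: Optional[EapPacket]


def parse_eap(buf: bytes) -> EapPacket:
    """Parse one EAP packet; raise ValueError on any header inconsistency."""
    if len(buf) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP Code {code}")
    if length < 4 or length > len(buf):
        raise ValueError("EAP Length does not match the buffer")
    data = buf[4:length]
    if code in (3, 4) and data:
        raise ValueError("Success/Failure packets carry no Data field")
    return EapPacket(code, ident, length, data)


def parse_eapol(frame: bytes) -> EapolFrame:
    """Parse an Ethernet frame carrying EAPOL; raise ValueError if malformed."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet and EAPOL headers")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL: Ethernet type 0x{ethertype:04X}")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unsupported EAPOL Type 0x{ptype:02X}")
    if ptype in (0x01, 0x02) and length != 0:
        raise ValueError("EAPOL-Start/Logoff must carry Length 0")
    body = frame[18:18 + length]          # trailing Ethernet padding is ignored
    if len(body) != length:
        raise ValueError("EAPOL Length exceeds the frame")
    eap = parse_eap(body) if ptype == 0x00 else None
    return EapolFrame(dst, src, version, ptype, length, eap)


def build_eapol(dst: bytes, src: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Assemble an EAPOL frame (protocol version 1) around an optional Packet body."""
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(body)) + body


def is_malformed(frame: bytes) -> bool:
    """True when the parser rejects the frame."""
    try:
        parse_eapol(frame)
    except ValueError:
        return True
    return False


# Constructed sample frames: the 802.1X PAE group address plus made-up MACs.
PAE_GROUP_MAC = bytes.fromhex("0180C2000003")
CLIENT_MAC = bytes.fromhex("001122334455")
DEVICE_MAC = bytes.fromhex("00AABBCCDDEE")
SAMPLE_START = build_eapol(PAE_GROUP_MAC, CLIENT_MAC, 0x01)
# EAP-Request (Code 1), Identifier 1, Length 5, Data = EAP Type 1 (Identity)
SAMPLE_REQUEST_IDENTITY = build_eapol(CLIENT_MAC, DEVICE_MAC, 0x00,
                                      struct.pack("!BBH", 1, 1, 5) + b"\x01")
# Malformed: an EAPOL-Start that claims a 5-byte Packet body
SAMPLE_BAD_START = (CLIENT_MAC + PAE_GROUP_MAC
                    + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, 0x01, 5) + bytes(5))

if __name__ == "__main__":
    print(parse_eapol(SAMPLE_START))
    print(parse_eapol(SAMPLE_REQUEST_IDENTITY))
    print("bad start rejected:", is_malformed(SAMPLE_BAD_START))
```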

EAP over RADIUS

RADIUS adds two attributes, EAP-Message and Message-Authenticator, for supporting EAP authentication. For the RADIUS packet format, see the chapter “AAA configuration.”

EAP-Message

RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure 5. The Type field takes 79, and the Value field can be up to 253 bytes. If an EAP packet is longer than 253 bytes, RADIUS encapsulates it in multiple EAP-Message attributes.

Figure 5 EAP-Message attribute format

 

Message-Authenticator

RADIUS includes the Message-Authenticator attribute in all packets that have an EAP-Message attribute to check their integrity. The packet receiver drops the packet if the calculated packet integrity checksum is different from the Message-Authenticator attribute value. The Message-Authenticator prevents EAP authentication packets from being tampered with during EAP authentication.

Figure 6 Message-Authenticator attribute format

 
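As an added example that is not part of the guide, the code below fragments an EAP packet into 253-byte EAP-Message attributes, appends a Message-Authenticator, and performs the receiver-side check described above. The HMAC-MD5 construction (keyed with the RADIUS shared secret, computed over the packet with the attribute value zeroed) is taken from RFC 3579, not from this guide; the secret, Request Authenticator and EAP packet are constructed.

```python
# Added example (not from the H3C guide): EAP-Message fragmentation and
# Message-Authenticator protection for a RADIUS Access-Request. HMAC-MD5 keyed
# with the shared secret over the packet with the attribute zeroed is RFC 3579.
import hashlib
import hmac
import struct
from typing import List, Tuple

CODE_ACCESS_REQUEST = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253                      # Value field limit stated above
RADIUS_HEADER_LEN = 20                    # Code, Identifier, Length, Authenticator


def eap_message_attrs(eap_packet: bytes) -> bytes:
    """Wrap an EAP packet in one or more EAP-Message attributes (Type 79)."""
    out = b""
    for off in range(0, len(eap_packet), MAX_ATTR_VALUE):
        chunk = eap_packet[off:off + MAX_ATTR_VALUE]
        out += struct.pack("!BB", ATTR_EAP_MESSAGE, 2 + len(chunk)) + chunk
    return out


def build_access_request(identifier: int, request_authenticator: bytes,
                         attrs: bytes, secret: bytes) -> bytes:
    """Append a Message-Authenticator (Type 80) and fill it with the HMAC-MD5."""
    placeholder = struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    body = attrs + placeholder
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier,
                         RADIUS_HEADER_LEN + len(body)) + request_authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + attrs + placeholder[:2] + mac


def parse_attrs(packet: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (type, offset, value) for each attribute; ValueError if malformed."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("RADIUS header truncated")
    (length,) = struct.unpack("!H", packet[2:4])
    if length > len(packet):
        raise ValueError("RADIUS Length exceeds packet")
    attrs, off = [], RADIUS_HEADER_LEN
    while off < length:
        if off + 2 > length:
            raise ValueError("attribute header truncated")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("attribute length out of range")
        attrs.append((atype, off, packet[off + 2:off + alen]))
        off += alen
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: recompute the HMAC and compare, otherwise drop."""
    try:
        attrs = parse_attrs(packet)
    except ValueError:
        return False
    has_eap = any(t == ATTR_EAP_MESSAGE for t, _, _ in attrs)
    macs = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        return not has_eap          # EAP-Message without Message-Authenticator: drop
    if len(macs) != 1 or len(macs[0][1]) != 16:
        return False
    off, received = macs[0]
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def reassemble_eap(packet: bytes) -> bytes:
    """Concatenate EAP-Message values in order to recover the EAP packet."""
    return b"".join(val for t, _, val in parse_attrs(packet) if t == ATTR_EAP_MESSAGE)


# Constructed sample: a 300-byte EAP-Response/Identity (Code 2, Identifier 1,
# Type 1) that needs two EAP-Message attributes; secret and Request
# Authenticator are made-up values.
SAMPLE_EAP = struct.pack("!BBH", 2, 1, 300) + b"\x01" + b"u" * 295
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))

if __name__ == "__main__":
    pkt = build_access_request(7, REQUEST_AUTHENTICATOR, eap_message_attrs(SAMPLE_EAP), SECRET)
    print(len(pkt), "bytes, valid:", verify_message_authenticator(pkt, SECRET))
```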

Initiating 802.1X authentication

Both the 802.1X client and the access device can initiate 802.1X authentication.

802.1X client as the initiator

The client sends an EAPOL-Start packet to the access device to initiate 802.1X authentication. The destination MAC address of the packet is the IEEE 802.1X specified multicast address 01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client, the H3C iNode 802.1X client for example, that can send broadcast EAPOL-Start packets.

Access device as the initiator

The access device initiates authentication, if a client, the 802.1X client available with Windows XP for example, cannot send EAPOL-Start packets.

The access device supports the following modes:

·          Multicast trigger mode—The access device multicasts Identity EAP-Request packets periodically (every 30 seconds by default) to initiate 802.1X authentication.

·          Unicast trigger mode—Upon receiving a frame with the source MAC address not in the MAC address table, the access device sends an Identity EAP-Request packet out of the receiving port to the unknown MAC address. It retransmits the packet if no response has been received within a certain time interval.

802.1X authentication procedures

802.1X authentication has two approaches: EAP relay and EAP termination. You choose either mode depending on the support of the RADIUS server for EAP packets and EAP authentication methods.

EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR packets to send authentication information to the RADIUS server, as shown in Figure 7.

Figure 7 EAP relay

 

 

NOTE:

Some network access devices provide the EAP server function so you can use EAP relay even if the RADIUS server does not support any EAP authentication method or no RADIUS server is available. For the local EAP authentication configuration procedure, see the chapter "AAA configuration" in this configuration guide.

 

In EAP termination mode, the network access device terminates the EAP packets received from the client, encapsulates the client authentication information in standard RADIUS packets, and uses the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP) to authenticate to the RADIUS server, as shown in Figure 8.

Figure 8 EAP termination

 

A comparison of EAP relay and EAP termination

| Packet exchange method | Benefits | Limitations |
|---|---|---|
| EAP relay | Supports various EAP authentication methods. The configuration and processing are simple on the network access device. | The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client. |
| EAP termination | Works with any RADIUS server that supports PAP or CHAP authentication. | Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an H3C iNode 802.1X client. The processing is complex on the network access device. |


EAP relay

Figure 9 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5 is used.

Figure 9 802.1X authentication procedure in EAP relay mode

 

1.        When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device.

2.        The network access device responds with an Identity EAP-Request packet to ask for the client username.

3.        In response to the Identity EAP-Request packet, the client sends the username in an Identity EAP-Response packet to the network access device.

4.        The network access device relays the Identity EAP-Response packet in a RADIUS Access-Request packet to the authentication server.

5.        The authentication server uses the identity information in the RADIUS Access-Request to search its user database. If a matching entry is found, the server uses a randomly generated challenge (EAP-Request/MD5 challenge) to encrypt the password in the entry, and sends the challenge in a RADIUS Access-Challenge packet to the network access device.

6.        The network access device relays the EAP-Request/MD5 Challenge packet to the client.

7.        The client uses the received challenge to encrypt the password, and sends the encrypted password in an EAP-Response/MD5 Challenge packet to the network access device.

8.        The network access device relays the EAP-Response/MD5 Challenge packet in a RADIUS Access-Request packet to the authentication server.

9.        The authentication server compares the received encrypted password with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device.

10.     Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network.

11.     After the client comes online, the network access device periodically sends handshake requests to check whether the client is still online. By default, if two consecutive handshake attempts fail, the device logs off the client.

12.     Upon receiving a handshake request, the client returns a response. If the client fails to return a response after a certain number of consecutive handshake attempts (two by default), the network access device logs off the client. This handshake mechanism enables timely release of the network resources used by 802.1X users that have abnormally gone offline.

13.     The client can also send an EAPOL-Logoff packet to ask the network access device for a logoff.

14.     In response to the EAPOL-Logoff packet, the network access device changes the status of the controlled port from authorized to unauthorized and sends an EAP-Failure packet to the client.

 

 

NOTE:

In EAP relay mode, the client must use the same authentication method as the RADIUS server. On the network access device, you only need to execute the dot1x authentication-method eap command to enable EAP relay.

 

EAP termination

Figure 10 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that CHAP authentication is used.

Figure 10 802.1X authentication procedure in EAP termination mode

 

In EAP termination mode, it is the network access device rather than the authentication server that generates an MD5 challenge for password encryption (see Step 4). The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
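The MD5-Challenge computation that both procedures above rely on, as an added example that is not part of the guide: in EAP relay (steps 5 to 9) the RADIUS server generates the challenge and checks the answer; in EAP termination (step 4) the access device generates it and forwards the answer to RADIUS as CHAP attributes. The response formula MD5(Identifier || password || challenge) comes from RFC 3748 and RFC 1994, not from this guide; the user database is constructed.

```python
# Added example (not from the H3C guide): MD5-Challenge in EAP relay versus
# EAP termination. MD5(Identifier || password || challenge) is the EAP
# MD5-Challenge / CHAP response defined in RFC 3748 and RFC 1994.
import hashlib
import hmac
import secrets
import struct
from typing import Callable, Dict, Tuple

EAP_TYPE_MD5_CHALLENGE = 4
USER_DB: Dict[bytes, bytes] = {b"user1": b"password1"}     # constructed accounts


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """What the guide calls 'encrypting the password with the challenge'."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_challenge(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """EAP Request (Code 1) or Response (Code 2) of Type 4: Value-Size, Value, Name."""
    type_data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data


def parse_md5_challenge(eap: bytes) -> Tuple[int, int, bytes, bytes]:
    """Return (code, identifier, value, name); ValueError if not MD5-Challenge."""
    if len(eap) < 6:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", eap[:4])
    if length < 6 or length > len(eap) or eap[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    value_size = eap[5]
    if 6 + value_size > length:
        raise ValueError("Value-Size exceeds packet")
    return code, identifier, eap[6:6 + value_size], eap[6 + value_size:length]


def client_answer(request: bytes, username: bytes, password: bytes) -> bytes:
    """Client side (step 7): hash the password with the received challenge."""
    _, identifier, challenge, _ = parse_md5_challenge(request)
    digest = md5_challenge_response(identifier, password, challenge)
    return build_md5_challenge(2, identifier, digest, username)


def eap_relay_exchange(username: bytes, password: bytes,
                       rng: Callable[[int], bytes] = secrets.token_bytes) -> bool:
    """EAP relay, steps 5 to 9: the RADIUS server owns the challenge and the check."""
    challenge = rng(16)                                    # server, step 5
    request = build_md5_challenge(1, 2, challenge)         # relayed unchanged to client
    response = client_answer(request, username, password)  # client, step 7
    _, identifier, value, name = parse_md5_challenge(response)   # server, step 9
    stored = USER_DB.get(name)
    if stored is None:
        return False
    return hmac.compare_digest(value, md5_challenge_response(identifier, stored, challenge))


def radius_attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, 2 + len(value)]) + value


def parse_radius_attrs(buf: bytes) -> Dict[int, bytes]:
    attrs, off = {}, 0
    while off + 2 <= len(buf):
        attr_type, attr_len = buf[off], buf[off + 1]
        if attr_len < 2 or off + attr_len > len(buf):
            raise ValueError("bad attribute length")
        attrs[attr_type] = buf[off + 2:off + attr_len]
        off += attr_len
    return attrs


def radius_chap_check(attrs: bytes) -> bool:
    """RADIUS server side for CHAP: User-Name (1), CHAP-Password (3), CHAP-Challenge (60)."""
    a = parse_radius_attrs(attrs)
    stored = USER_DB.get(a.get(1, b""))
    chap, challenge = a.get(3, b""), a.get(60, b"")
    if stored is None or len(chap) != 17 or not challenge:
        return False
    return hmac.compare_digest(chap[1:], md5_challenge_response(chap[0], stored, challenge))


def eap_termination_exchange(username: bytes, password: bytes,
                             rng: Callable[[int], bytes] = secrets.token_bytes) -> bool:
    """EAP termination with CHAP: the access device generates the challenge (step 4)
    and forwards username, CHAP Ident + response and challenge to RADIUS."""
    challenge = rng(16)                                    # access device, not the server
    request = build_md5_challenge(1, 2, challenge)
    response = client_answer(request, username, password)
    _, identifier, value, name = parse_md5_challenge(response)   # terminated here
    attrs = (radius_attr(1, name) + radius_attr(3, bytes([identifier]) + value)
             + radius_attr(60, challenge))
    return radius_chap_check(attrs)


if __name__ == "__main__":
    print("relay:", eap_relay_exchange(b"user1", b"password1"))
    print("termination:", eap_termination_exchange(b"user1", b"password1"))
```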

 


802.1X configuration

This chapter describes how to configure 802.1X on an H3C device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network, a WLAN, for example, that requires different authentication methods for different users on a port. Port security is beyond the scope of this chapter. It is described in the chapter “Port security configuration.”

This chapter includes these sections:

·          H3C implementation of 802.1X

·          Configuring 802.1X

·          Displaying and maintaining 802.1X

·          802.1X configuration examples

 

 

NOTE:

·      The term "switch" or "device" in this chapter refers to the switching engine on a WX3000E wireless switch.

·      The WX3000E series comprises WX3024E and WX3010E wireless switches.

·      The port numbers in this chapter are for illustration only.

 

H3C implementation of 802.1X

Access control methods

H3C implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control.

·          With port-based access control, once an 802.1X user passes authentication on a port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.

·          With MAC-based access control, each user is separately authenticated on a port. When a user logs off, no other online users are affected.

Using 802.1X authentication with other features

VLAN assignment

You can configure the authentication server to assign a VLAN for an 802.1X user that has passed authentication. The way that the network access device handles VLANs on an 802.1X-enabled port differs by 802.1X access control mode.

| Access control | VLAN manipulation |
|---|---|
| Port-based | Assigns the VLAN to the port as the default VLAN. All subsequent 802.1X users can access the default VLAN without authentication. When the user logs off, the previous default VLAN restores, and all other online users are logged off. |
| MAC-based | Hybrid port with MAC-based VLAN enabled: maps the MAC address of each user to the VLAN assigned by the authentication server. The default VLAN of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed. Access port, trunk port, or hybrid port with MAC-based VLAN disabled: assigns the first authenticated user's VLAN to the port as the default VLAN. If a different VLAN is assigned for a subsequent user, the user cannot pass the authentication. |

IMPORTANT:

·      With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.

·      On a periodic online user re-authentication enabled port, if a user has been online before you enable the MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user unless the user passes re-authentication and the VLAN for the user has changed.

·      For more information about VLAN configuration and MAC-based VLAN, see the Layer 2 LAN Switching Configuration Guide.

 

Guest VLAN

You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X authentication, so they can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. After a user in the guest VLAN passes 802.1X authentication, it is removed from the guest VLAN and can access authorized network resources. The way that the network access device handles VLANs on the port differs by 802.1X access control mode.

1.        On a port that performs port-based access control

| Authentication status | VLAN manipulation |
|---|---|
| No 802.1X user has performed authentication within 90 seconds after 802.1X is enabled | Assigns the 802.1X guest VLAN to the port as the default VLAN. All 802.1X users on this port can access only resources in the guest VLAN. If no 802.1X guest VLAN is configured, the access device does not perform any VLAN operation. |
| A user in the 802.1X guest VLAN fails 802.1X authentication | If an 802.1X Auth-Fail VLAN (see “Auth-Fail VLAN”) is available, assigns the Auth-Fail VLAN to the port as the default VLAN. All users on this port can access only resources in the Auth-Fail VLAN. If no Auth-Fail VLAN is configured, the default VLAN on the port is still the 802.1X guest VLAN. All users on the port are in the guest VLAN. |
| A user in the 802.1X guest VLAN passes 802.1X authentication | Assigns the VLAN specified for the user to the port as the default VLAN, and removes the port from the 802.1X guest VLAN. After the user logs off, the user-configured default VLAN restores. If the authentication server assigns no VLAN, the user-configured default VLAN applies. The user and all subsequent 802.1X users are assigned to the user-configured default VLAN. After the user logs off, the default VLAN remains unchanged. |

 

2.        On a port that performs MAC-based access control

| Authentication status | VLAN manipulation |
|---|---|
| A user has not passed 802.1X authentication yet | Creates a mapping between the MAC address of the user and the 802.1X guest VLAN. The user can access resources in the guest VLAN. |
| A user in the 802.1X guest VLAN fails 802.1X authentication | If an 802.1X Auth-Fail VLAN is available, re-maps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN. If no 802.1X Auth-Fail VLAN is configured, the user is still in the 802.1X guest VLAN. |
| A user in the 802.1X guest VLAN passes 802.1X authentication | Re-maps the MAC address of the user to the VLAN specified for the user. If the authentication server assigns no VLAN, re-maps the MAC address of the user to the initial default VLAN on the port. |

 

 

NOTE:

·      To use the 802.1X guest VLAN function on a port that performs MAC-based access control, ensure that the port is a hybrid port, and enable MAC-based VLAN on the port.

·      The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.

·      For more information about VLAN configuration and MAC-based VLAN, see the Layer 2 LAN Switching Configuration Guide.

 

Auth-Fail VLAN

You can configure an Auth-Fail VLAN to accommodate users that have failed 802.1X authentication because of the failure to comply with the organization security strategy, such as using a wrong password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.

The Auth-Fail VLAN does not accommodate 802.1X users that have failed authentication for authentication timeouts or network connection problems. The way that the network access device handles VLANs on the port differs by 802.1X access control mode.

1.        On a port that performs port-based access control

| Authentication status | VLAN manipulation |
|---|---|
| A user fails 802.1X authentication | Assigns the Auth-Fail VLAN to the port as the default VLAN. All 802.1X users on this port can access only resources in the Auth-Fail VLAN. |
| A user in the Auth-Fail VLAN fails 802.1X re-authentication | The Auth-Fail VLAN is still the default VLAN on the port, and all 802.1X users on this port are in this VLAN. |
| A user passes 802.1X authentication | Assigns the VLAN specified for the user to the port as the default VLAN, and removes the port from the Auth-Fail VLAN. After the user logs off, the user-configured default VLAN restores. If the authentication server assigns no VLAN, the initial default VLAN applies. The user and all subsequent 802.1X users are assigned to the user-configured default VLAN. After the user logs off, the default VLAN remains unchanged. |

 

2.        On a port that performs MAC-based access control

| Authentication status | VLAN manipulation |
|---|---|
| A user fails 802.1X authentication | Re-maps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN. |
| A user in the Auth-Fail VLAN fails 802.1X re-authentication | The user is still in the Auth-Fail VLAN. |
| A user in the Auth-Fail VLAN passes 802.1X authentication | Re-maps the MAC address of the user to the server-assigned VLAN. If the authentication server assigns no VLAN, re-maps the MAC address of the user to the initial default VLAN on the port. |

 

 

NOTE:

·      To perform the 802.1X Auth-Fail VLAN function on a port that performs MAC-based access control, you must ensure that the port is a hybrid port, and enable MAC-based VLAN on the port.

·      The network device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member.

·      For more information about VLAN configuration and MAC-based VLAN, see the Layer 2 LAN Switching Configuration Guide.

 

ACL assignment

You can specify an ACL for an 802.1X user to control its access to network resources. After the user passes 802.1X authentication, the authentication server, either the local access device or a RADIUS server, assigns the ACL to the port to filter the traffic from this user. In either case, you must configure the ACL on the access device. You can change ACL rules while the user is online.

Configuring 802.1X

Configuration prerequisites

·          Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users.

·          If RADIUS authentication is used, create user accounts on the RADIUS server.

·          If local authentication is used, create local user accounts on the access device and set the service type to lan-access.

·          If you want to use EAP relay when the RADIUS server does not support any EAP authentication method or no RADIUS server is available, configure the EAP server function on your network access device.

For how to configure RADIUS client and local EAP authentication, see the chapter “AAA configuration.”

802.1X configuration task list

Complete the following tasks to configure 802.1X:

| Task | Remarks |
|---|---|
| Enabling 802.1X | Required |
| Enabling EAP relay or EAP termination | Optional |
| Setting the port authorization state | Optional |
| Specifying an access control method | Optional |
| Setting the maximum number of concurrent 802.1X users on a port | Optional |
| Setting the maximum number of authentication request attempts | Optional |
| Setting the 802.1X authentication timeout timers | Optional |
| Configuring the online user handshake function | Optional |
| Configuring the authentication trigger function | Optional |
| Specifying a mandatory authentication domain on a port | Optional |
| Configuring the quiet timer | Optional |
| Enabling the periodic online user re-authentication function | Optional |
| Configuring an 802.1X guest VLAN | Optional |
| Configuring an Auth-Fail VLAN | Optional |
 

Enabling 802.1X

 

 

NOTE:

·      If the default VLAN of a port is a voice VLAN, the 802.1X function cannot take effect on the port. For more information about voice VLANs, see the Layer 2 LAN Switching Configuration Guide.

·      802.1X is mutually exclusive with link aggregation configuration on a port.

 

Follow these steps to enable 802.1X on a port:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable 802.1X globally | dot1x | Required. Disabled by default. |
| Enable 802.1X on a port, in system view | dot1x interface interface-list | Required. Use either approach. Disabled by default. |
| Enable 802.1X on a port, in Ethernet interface view | interface interface-type interface-number, then dot1x | |
 

Enabling EAP relay or EAP termination

When configuring EAP relay or EAP termination, consider the following factors:

·          The support of the RADIUS server for EAP packets

·          The authentication methods supported by the 802.1X client and the RADIUS server

If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an H3C iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "A comparison of EAP relay and EAP termination" for help.

For more information about EAP relay and EAP termination, see "802.1X authentication procedures."

Follow these steps to configure EAP relay or EAP termination:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Configure EAP relay or EAP termination | dot1x authentication-method { chap \| eap \| pap } | Optional. By default, the network access device performs EAP termination and uses CHAP to communicate with the RADIUS server. Specify the eap keyword to enable EAP relay. Specify the chap or pap keyword to enable EAP termination with CHAP or PAP. |

 

 

NOTE:

If EAP relay mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. The access device sends the authentication data from the client to the server without any modification. For more information about the user-name-format command, see the Security Command Reference.

 

Setting the port authorization state

The port authorization state determines whether the client is granted access to the network. You can control the authorization state of a port by using the dot1x port-control command and the following keywords:

·          authorized-force—Places the port in the authorized state, enabling users on the port to access the network without authentication.

·          unauthorized-force—Places the port in the unauthorized state, denying any access requests from users on the port.

·          auto—Places the port initially in the unauthorized state to allow only EAPOL packets to pass, and after a user passes authentication, sets the port in the authorized state to allow access to the network. You can use this option in most scenarios.

You can set authorization state for one port in interface view, or for multiple ports in system view. If different authorization state is set for a port in system view and interface view, the one set later takes effect.

Follow these steps to set the authorization state of a port:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Set the port authorization state, in system view | dot1x port-control { authorized-force \| auto \| unauthorized-force } [ interface interface-list ] | Optional. Use either approach. By default, auto applies. |
| Set the port authorization state, in Ethernet interface view | interface interface-type interface-number, then dot1x port-control { authorized-force \| auto \| unauthorized-force } | |

 

Specifying an access control method

You can specify an access control method for one port in interface view or for multiple ports in system view. If different access control methods are specified for a port in system view and interface view, the one specified later takes effect.

Follow these steps to specify the access control method:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Specify an access control method, in system view | dot1x port-method { macbased \| portbased } [ interface interface-list ] | Optional. Use either approach. By default, MAC-based access control applies. |
| Specify an access control method, in Ethernet interface view | interface interface-type interface-number, then dot1x port-method { macbased \| portbased } | |

 

Setting the maximum number of concurrent 802.1X users on a port

You can set the maximum number of concurrent 802.1X users for ports individually in interface view or in bulk in system view. If different settings are configured for a port in both views, the setting configured later takes effect.

Follow these steps to set the maximum number of concurrent 802.1X users on a port:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Set the maximum number of concurrent 802.1X users on a port, in system view | dot1x max-user user-number [ interface interface-list ] | Optional. Use either approach. The default setting is 256. |
| Set the maximum number of concurrent 802.1X users on a port, in Ethernet interface view | interface interface-type interface-number, then dot1x max-user user-number | |

 

Setting the maximum number of authentication request attempts

The network access device retransmits an authentication request if it receives no response to the request it has sent to the client within a period of time (specified by using the dot1x timer tx-period tx-period-value command or the dot1x timer supp-timeout supp-timeout-value command). The network access device stops retransmitting the request if it has made the maximum number of request transmission attempts but still received no response.

Follow these steps to set the maximum number of authentication request attempts:

1.        Enter system view.

system-view

2.        Set the maximum number of attempts for sending an authentication request.

dot1x retry max-retry-value

Optional. 2 by default.

Setting the 802.1X authentication timeout timers

The network device uses the following 802.1X authentication timeout timers:

·          Client timeout timer—Starts when the access device sends an EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.

·          Server timeout timer—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.

You can set the client timeout timer to a high value in a low-performance network, and adjust the server timeout timer to adapt to the performance of different authentication servers. In most cases, the default settings are sufficient.

Follow these steps to set the 802.1X authentication timeout timers:

1.        Enter system view.

system-view

2.        Set the client timeout timer.

dot1x timer supp-timeout supp-timeout-value

Optional. The default is 30 seconds.

3.        Set the server timeout timer.

dot1x timer server-timeout server-timeout-value

Optional. The default is 100 seconds.

Configuring the online user handshake function

About the online user handshake function

The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the dot1x timer handshake-period command. If no response is received from an online user after the maximum number of handshake attempts (set by the dot1x retry command) has been made, the network access device sets the user in the offline state.

If iNode clients are deployed, you can also enable the online handshake security function to check for 802.1X users that use illegal client software to bypass security inspection such as proxy detection and dual network interface cards (NICs) detection. This function checks the authentication information in client handshake messages. If a user fails the authentication, the network access device logs the user off.

Configuration guidelines

Follow these guidelines when you configure the online user handshake function:

·          To use the online handshake security function, make sure the online user handshake function is enabled. H3C recommends that you use the iNode client software and iMC server to ensure the normal operation of the online user handshake security function.

·          If the network has 802.1X clients that cannot exchange handshake packets with the network access device, disable the online user handshake function to prevent their connections from being inappropriately torn down.

Configuration procedure

Follow these steps to configure the online user handshake function:

1.        Enter system view.

system-view

2.        Set the handshake timer.

dot1x timer handshake-period handshake-period-value

Optional. The default is 15 seconds.

3.        Enter Ethernet interface view.

interface interface-type interface-number

4.        Enable the online handshake function.

dot1x handshake

Optional. Enabled by default.

5.        Enable the online handshake security function.

dot1x handshake secure

Optional. Disabled by default.

Configuring the authentication trigger function

About the authentication trigger function

The authentication trigger function enables the network access device to initiate 802.1X authentication when 802.1X clients cannot initiate authentication.

This function provides the following types of authentication trigger:

·          Multicast trigger—Periodically multicasts Identity EAP-Request packets out of a port to detect 802.1X clients and trigger authentication.

·          Unicast trigger—Enables the network device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address. The device sends a unicast Identity EAP-Request packet to the unknown source MAC address, and retransmits the packet if it has received no response within a period of time. This process continues until the maximum number of request attempts set with the dot1x retry command (see “Setting the maximum number of authentication request attempts”) is reached.

The identity request timeout timer sets both the identity request interval for the multicast trigger and the identity request timeout interval for the unicast trigger.

Configuration guidelines

Follow these guidelines when you configure the authentication trigger function:

·          Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start packets to initiate 802.1X authentication.

·          Disable the multicast trigger in a wireless LAN. Wireless clients and the wireless module of the network access device can both initiate 802.1X authentication.

·          Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these clients cannot initiate authentication.

·          To avoid duplicate authentication packets, do not enable both triggers on a port.

Configuration procedure

Follow these steps to configure the authentication trigger function on a port:

1.        Enter system view.

system-view

2.        Set the username request timeout timer.

dot1x timer tx-period tx-period-value

Optional. The default is 30 seconds.

3.        Enter Ethernet interface view.

interface interface-type interface-number

4.        Enable an authentication trigger. Use either command.

dot1x { multicast-trigger | unicast-trigger }

Required if you want to enable the unicast trigger. By default, the multicast trigger is enabled, and the unicast trigger is disabled.

Specifying a mandatory authentication domain on a port

You can place all 802.1X users in a mandatory authentication domain for authentication, authorization, and accounting on a port. No user can use an account in any other domain to access the network through the port. The implementation of a mandatory authentication domain enhances the flexibility of 802.1X access control deployment.

Follow these steps to specify a mandatory authentication domain for a port:

1.        Enter system view.

system-view

2.        Enter Ethernet interface view.

interface interface-type interface-number

3.        Specify a mandatory 802.1X authentication domain on the port.

dot1x mandatory-domain domain-name

Required. Not specified by default.

Configuring the quiet timer

The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication.

You can set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response.

Follow these steps to configure the quiet timer:

1.        Enter system view.

system-view

2.        Enable the quiet timer.

dot1x quiet-period

Required. Disabled by default.

3.        Set the quiet timer.

dot1x timer quiet-period quiet-period-value

Optional. The default is 60 seconds.
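The retransmission and lockout behaviour described in the sections above on the maximum number of authentication request attempts, the authentication timeout timers, the online user handshake function, the authentication trigger function, and the quiet timer all follow one pattern: a request is repeated every timer interval until a reply arrives or the dot1x retry limit is exhausted, and a client that has failed authentication is ignored for quiet-period seconds. The following Python model is an added example for this guide, not H3C code. It uses the default values stated above and assumes that dot1x retry counts the total number of transmissions of a request (the handshake description reads that way), so that an administrator can compute worst-case detection and lockout times before changing a timer.

```python
"""Model of the 802.1X authenticator timers and retry limit described in this guide.

Added example (not H3C code). Assumption: `dot1x retry` is the total number of
transmissions of one request, first transmission included.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Dot1xTimers:
    """Defaults are the defaults stated in this guide, in seconds."""
    tx_period: int = 30         # dot1x timer tx-period: identity request timeout
    supp_timeout: int = 30      # dot1x timer supp-timeout: client timeout timer
    server_timeout: int = 100   # dot1x timer server-timeout: server timeout timer
    handshake_period: int = 15  # dot1x timer handshake-period
    quiet_period: int = 60      # dot1x timer quiet-period
    max_retry: int = 2          # dot1x retry


def run_request(timeout: int, max_attempts: int,
                reply_at: Optional[int] = None) -> Tuple[bool, int, int]:
    """Simulate one request that is resent until answered or the attempts run out.

    The request goes out at t=0 and is resent every `timeout` seconds while no
    reply arrives, at most `max_attempts` times in total. `reply_at` is the
    simulated second at which the peer answers (None = it never answers).
    Returns (answered, transmissions_made, elapsed_seconds).
    """
    sent_at = 0
    for attempt in range(1, max_attempts + 1):
        deadline = sent_at + timeout
        if reply_at is not None and sent_at <= reply_at < deadline:
            return True, attempt, reply_at
        sent_at = deadline            # timer expired: retransmit
    return False, max_attempts, sent_at  # gave up after the last timeout


def worst_case_seconds(t: Dot1xTimers) -> Dict[str, int]:
    """Seconds until the device gives up on a peer that never answers, per request type."""
    return {
        "identity_request_unicast_trigger": run_request(t.tx_period, t.max_retry)[2],
        "md5_challenge_to_client": run_request(t.supp_timeout, t.max_retry)[2],
        "access_request_to_server": run_request(t.server_timeout, t.max_retry)[2],
        "handshake_user_set_offline": run_request(t.handshake_period, t.max_retry)[2],
    }


class QuietGate:
    """Per-client quiet timer: after a failed authentication the device ignores
    further authentication requests from that client until the timer expires."""

    def __init__(self, quiet_period: int, enabled: bool) -> None:
        self.quiet_period = quiet_period
        self.enabled = enabled          # dot1x quiet-period is disabled by default
        self._blocked_until: Dict[str, int] = {}

    def record_failure(self, client_mac: str, now: int) -> None:
        if self.enabled:
            self._blocked_until[client_mac] = now + self.quiet_period

    def may_authenticate(self, client_mac: str, now: int) -> bool:
        return now >= self._blocked_until.get(client_mac, 0)


if __name__ == "__main__":
    defaults = Dot1xTimers()
    print(worst_case_seconds(defaults))
    gate = QuietGate(defaults.quiet_period, enabled=True)
    gate.record_failure("00-11-22-33-44-55", now=100)  # constructed client MAC
    print(gate.may_authenticate("00-11-22-33-44-55", now=130))  # still in quiet period
```

With the defaults, a silent client costs 60 seconds per EAP-Request/MD5 Challenge and an unreachable RADIUS server 200 seconds per Access-Request before the device gives up, and a client that cannot answer handshakes is set offline 30 seconds after its last reply, which is why the guidelines above say to disable the handshake for such clients. Raising dot1x retry or a timer lengthens every one of these windows at once, so check the whole table rather than a single value.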

 

Enabling the periodic online user re-authentication function

Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS. The re-authentication interval is user configurable.

Follow these steps to enable the periodic online user re-authentication function:

1.        Enter system view.

system-view

2.        Set the periodic re-authentication timer.

dot1x timer reauth-period reauth-period-value

Optional. The default is 3600 seconds.

3.        Enter Ethernet interface view.

interface interface-type interface-number

4.        Enable periodic online user re-authentication.

dot1x re-authenticate

Required. Disabled by default.

The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer overrides the timer setting on the access device and enables periodic online user re-authentication even if the function is not configured. Whether a server can assign the re-authentication timer, and how the timer is configured on the server, vary with servers.

NOTE:

The VLAN assignment status must be consistent before and after re-authentication. If the authentication server has assigned a VLAN before re-authentication, it must also assign a VLAN at re-authentication. If the authentication server has assigned no VLAN before re-authentication, it must not assign one at re-authentication. Violation of either rule can cause the user to be logged off. The VLANs assigned to an online user before and after re-authentication can be the same or different.

Configuring an 802.1X guest VLAN

Configuration guidelines

Follow these guidelines when you configure an 802.1X guest VLAN:

·          You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different.

·          Assign different IDs for the voice VLAN, default VLAN, and 802.1X guest VLAN on a port, so the port can correctly process incoming VLAN tagged traffic.

·          With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.

·          Use Table 2 when configuring multiple security features on a port.

Table 2 Relationships of the 802.1X guest VLAN and other security features

·          MAC authentication guest VLAN on a port that performs MAC-based access control: Only the 802.1X guest VLAN takes effect. A user that fails MAC authentication will not be assigned to the MAC authentication guest VLAN. (See MAC authentication configuration in the Security Configuration Guide.)

·          802.1X Auth-Fail VLAN on a port that performs MAC-based access control: The 802.1X Auth-Fail VLAN has a higher priority. (See 802.1X configuration in the Security Configuration Guide.)

·          Port intrusion protection on a port that performs MAC-based access control: The 802.1X guest VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature. (See Port security configuration in the Security Configuration Guide.)

Configuration prerequisites

·          Create the VLAN to be specified as the 802.1X guest VLAN.

·          If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger.

·          If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an untagged member. For more information about the MAC-based VLAN function, see the Layer 2 - LAN Switching Configuration Guide.

Configuration procedure

Follow these steps to configure an 802.1X guest VLAN:

1.        Enter system view.

system-view

2.        Configure an 802.1X guest VLAN for one or more ports. Use either approach.

In system view:

dot1x guest-vlan guest-vlan-id [ interface interface-list ]

In Ethernet interface view:

interface interface-type interface-number

dot1x guest-vlan guest-vlan-id

Required. By default, no 802.1X guest VLAN is configured on any port.

Configuring an Auth-Fail VLAN

Configuration guidelines

Assign different IDs for the voice VLAN, default VLAN, and 802.1X Auth-Fail VLAN on a port, so the port can correctly process VLAN tagged incoming traffic. Use Table 3 when configuring multiple security features on a port.

Table 3 Relationships of the 802.1X Auth-Fail VLAN with other features

·          MAC authentication guest VLAN on a port that performs MAC-based access control: The 802.1X Auth-Fail VLAN has a higher priority. (See MAC authentication configuration in the Security Configuration Guide.)

·          Port intrusion protection on a port that performs MAC-based access control: The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature. (See Port security configuration in the Security Configuration Guide.)

Configuration prerequisites

·          Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.

·          If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger.

·          If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged member. For more information about the MAC-based VLAN function, see the Layer 2 - LAN Switching Configuration Guide.

Follow these steps to configure an Auth-Fail VLAN:

1.        Enter system view.

system-view

2.        Enter Ethernet interface view.

interface interface-type interface-number

3.        Configure the Auth-Fail VLAN on the port.

dot1x auth-fail vlan authfail-vlan-id

Required. By default, no Auth-Fail VLAN is configured. You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on different ports can be different.
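The guest VLAN and Auth-Fail VLAN sections above share the same prerequisites: the VLAN must exist, a port-based port needs the multicast trigger, a MAC-based port must be a hybrid port with MAC-based VLAN enabled and the VLAN as an untagged member, and the voice VLAN, default VLAN, and guest or Auth-Fail VLAN IDs must differ. The following Python audit is an added example for this guide, not H3C code, that checks those rules against the text of a running configuration before the feature is turned on. SAMPLE_CONFIG is constructed for the example, and the configuration forms it looks for (port link-type hybrid, port hybrid vlan ... untagged, port hybrid pvid vlan, mac-vlan enable, and undo dot1x multicast-trigger for a disabled trigger) are assumptions about how the device displays these settings, as is a PVID of 1 when no pvid line is present.

```python
"""Audit 802.1X guest VLAN / Auth-Fail VLAN prerequisites in a Comware-style configuration.

Added example (not H3C code). Assumed input: the running configuration text, with
sections separated by '#' lines and interface commands indented by one space.
"""
import re
from typing import Dict, List, Set

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
#
vlan 1
#
vlan 10
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid vlan 1 10 untagged
 mac-vlan enable
 dot1x
 dot1x port-method macbased
 dot1x guest-vlan 10
#
interface GigabitEthernet1/0/3
 voice vlan 5 enable
 dot1x
 dot1x port-method portbased
 undo dot1x multicast-trigger
 dot1x guest-vlan 30
 dot1x auth-fail vlan 1
#
"""


def parse_vlan_list(spec: str) -> Set[int]:
    """Parse a Comware VLAN list such as '1 10' or '2 to 4 10' into a set of IDs."""
    ids: Set[int] = set()
    tokens = spec.split()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.add(int(tokens[i]))
            i += 1
    return ids


def created_vlans(config: str) -> Set[int]:
    """VLAN IDs created at the top level with 'vlan N' or 'vlan N to M'."""
    ids: Set[int] = set()
    for m in re.finditer(r"^vlan ([\d to]+)$", config, re.M):
        ids |= parse_vlan_list(m.group(1))
    return ids


def interface_blocks(config: str) -> Dict[str, List[str]]:
    """Map interface name -> the commands configured under that interface."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith("#"):
            current = None              # '#' closes a configuration section
        elif current is not None and line.strip():
            blocks[current].append(line.strip())
    return blocks


def audit(config: str) -> Dict[str, List[str]]:
    """Return {interface: [problem, ...]} for every interface that violates a rule."""
    created = created_vlans(config)
    findings: Dict[str, List[str]] = {}
    for name, lines in interface_blocks(config).items():
        mac_based = "dot1x port-method portbased" not in lines  # MAC-based is the default
        untagged: Set[int] = set()
        pvid, voice = 1, None          # assumed PVID default
        special: Dict[str, int] = {}   # "guest VLAN" / "Auth-Fail VLAN" -> VLAN ID
        for ln in lines:
            if m := re.match(r"port hybrid vlan (.+) untagged$", ln):
                untagged |= parse_vlan_list(m.group(1))
            elif m := re.match(r"port hybrid pvid vlan (\d+)$", ln):
                pvid = int(m.group(1))
            elif m := re.match(r"voice vlan (\d+) enable$", ln):
                voice = int(m.group(1))
            elif m := re.match(r"dot1x guest-vlan (\d+)$", ln):
                special["guest VLAN"] = int(m.group(1))
            elif m := re.match(r"dot1x auth-fail vlan (\d+)$", ln):
                special["Auth-Fail VLAN"] = int(m.group(1))
        problems: List[str] = []
        for label, vid in special.items():
            if "dot1x" not in lines:
                problems.append(f"{label} {vid}: 802.1X is not enabled on the port")
            if vid not in created:
                problems.append(f"{label} {vid} has not been created")
            if vid == pvid:
                problems.append(f"{label} {vid} is also the default VLAN (PVID)")
            if vid == voice:
                problems.append(f"{label} {vid} is also the voice VLAN")
            if mac_based:
                if "port link-type hybrid" not in lines:
                    problems.append(f"{label} {vid}: MAC-based port must be a hybrid port")
                if "mac-vlan enable" not in lines:
                    problems.append(f"{label} {vid}: MAC-based VLAN is not enabled")
                if vid not in untagged:
                    problems.append(f"{label} {vid}: port is not an untagged member")
            elif "undo dot1x multicast-trigger" in lines:
                problems.append(f"{label} {vid}: port-based access control needs the multicast trigger")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for iface, probs in audit(SAMPLE_CONFIG).items():
        print(iface)
        for p in probs:
            print("  -", p)
```

On the sample, GigabitEthernet1/0/2 passes and GigabitEthernet1/0/3 is reported four times: its guest VLAN 30 was never created, its Auth-Fail VLAN 1 is the PVID, and both VLANs are useless while the multicast trigger is disabled on a port-based port, because no client that cannot send EAPOL-Start would ever be moved into them.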

 

Displaying and maintaining 802.1X

·          Display 802.1X session information, statistics, or configuration information of specified or all ports (available in any view):

display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]

·          Clear 802.1X statistics (available in user view):

reset dot1x statistics [ interface interface-list ]

802.1X configuration examples

802.1X authentication configuration example

Network requirements

As shown in Figure 11, the access device performs 802.1X authentication for users that connect to port GigabitEthernet 1/0/1. Implement MAC-based access control on the port, so the logoff of one user does not affect other online 802.1X users.

Use RADIUS servers to perform authentication, authorization, and accounting for the 802.1X users. If RADIUS authentication fails, perform local authentication on the access device. If RADIUS accounting fails, the access device logs the user off.

Configure the host at 10.1.1.1 as the primary authentication and accounting server, and the host at 10.1.1.2 as the secondary authentication and accounting server. Assign all users to the ISP domain aabbcc.net, which accommodates up to 30 users.

Configure the shared key as name for packets between the access device and the authentication server, and as money for packets between the access device and the accounting server.

Figure 11 Network diagram for 802.1X authentication configuration

Configuration procedure

NOTE:

For information about the RADIUS commands used on the access device in this example, see the Security Command Reference.

1.        Configure the 802.1X client. If H3C iNode is used, do not select the Carry version info option in the client configuration. (Configuration omitted)

2.        Configure the RADIUS servers and add user accounts for the 802.1X users. (Configuration omitted)

3.        Assign an IP address for each interface on the access device. (Omitted)

4.        Configure user accounts for the 802.1X users on the access device.

# Add a local user with the username localuser, and password localpass in plaintext. (Make sure the username and password are the same as those configured on the RADIUS server.)

<Device> system-view

[Device] local-user localuser

[Device-luser-localuser] service-type lan-access

[Device-luser-localuser] password simple localpass

# Configure the idle cut function to log off any online user that has been idle for 20 minutes.

[Device-luser-localuser] authorization-attribute idle-cut 20

[Device-luser-localuser] quit

5.        Configure a RADIUS scheme.

# Create the RADIUS scheme radius1 and enter its view.

[Device] radius scheme radius1

# Specify the IP addresses of the primary authentication and accounting RADIUS servers.

[Device-radius-radius1] primary authentication 10.1.1.1

[Device-radius-radius1] primary accounting 10.1.1.1

# Configure the IP addresses of the secondary authentication and accounting RADIUS servers.

[Device-radius-radius1] secondary authentication 10.1.1.2

[Device-radius-radius1] secondary accounting 10.1.1.2

# Specify the shared key between the access device and the authentication server.

[Device-radius-radius1] key authentication name

# Specify the shared key between the access device and the accounting server.

[Device-radius-radius1] key accounting money

# Exclude the ISP domain name from the username sent to the RADIUS servers.

[Device-radius-radius1] user-name-format without-domain

[Device-radius-radius1] quit

NOTE:

The access device must use the same username format as the RADIUS server. If the RADIUS server includes the ISP domain name in the username, so must the access device.

6.        Configure the ISP domain.

# Create the ISP domain aabbcc.net and enter its view.

[Device] domain aabbcc.net

# Apply the RADIUS scheme radius1 to the ISP domain, and specify local authentication as the secondary authentication method.

[Device-isp-aabbcc.net] authentication lan-access radius-scheme radius1 local

[Device-isp-aabbcc.net] authorization lan-access radius-scheme radius1 local

[Device-isp-aabbcc.net] accounting lan-access radius-scheme radius1 local

# Set the maximum number of concurrent users in the domain to 30.

[Device-isp-aabbcc.net] access-limit enable 30

# Configure the idle cut function to log off any online domain user that has been idle for 20 minutes.

[Device-isp-aabbcc.net] idle-cut enable 20

[Device-isp-aabbcc.net] quit

# Specify aabbcc.net as the default ISP domain. If a user does not provide any ISP domain name, it is assigned to the default ISP domain.

[Device] domain default enable aabbcc.net

7.        Configure 802.1X.

# Enable 802.1X globally.

[Device] dot1x

# Enable 802.1X on port GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] dot1x

[Device-GigabitEthernet1/0/1] quit

# Enable MAC-based access control on the port. (Optional. MAC-based access control is the default setting.)

[Device] dot1x port-method macbased interface gigabitethernet 1/0/1

Verifying the configuration

Use the display dot1x interface gigabitethernet 1/0/1 command to verify the 802.1X configuration. After an 802.1X user passes RADIUS authentication, you can use the display connection command to view information about the user connection. If the user fails RADIUS authentication, local authentication is performed.

802.1X with guest VLAN and VLAN assignment configuration example

Network requirements

As shown in Figure 12:

·          A host is connected to port GigabitEthernet 1/0/2 of the device and must pass 802.1X authentication to access the Internet. GigabitEthernet 1/0/2 is in VLAN 1.

·          GigabitEthernet 1/0/2 implements port-based access control.

·          GigabitEthernet 1/0/3 is in VLAN 5 and is for accessing the Internet.

·          The authentication server runs RADIUS and is in VLAN 2.

·          The update server in VLAN 10 is for client software download and upgrade.

If no user performs 802.1X authentication on GigabitEthernet 1/0/2 within a period of time, the device adds GigabitEthernet 1/0/2 to its guest VLAN, VLAN 10. The host and the update server are both in VLAN 10 and the host can access the update server and download the 802.1X client software.

After the host passes 802.1X authentication, the network access device assigns the host to VLAN 5 where GigabitEthernet 1/0/3 is. The host can access the Internet.

Figure 12 Network diagram for 802.1X with guest VLAN and VLAN assignment configuration

Configuration procedure

NOTE:

The following configuration procedure covers most AAA/RADIUS configuration commands on the device. The configuration on the 802.1X client and RADIUS server are omitted. For more information about AAA/RADIUS configuration commands, see the Security Command Reference.

1.        Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or a server-assigned VLAN. (Configuration omitted)

2.        Configure the RADIUS server to provide authentication, authorization, and accounting services. Configure user accounts and server-assigned VLAN, VLAN 5 in this example. (Configuration omitted)

3.        Create VLANs, and assign ports to the VLANs.

<Device> system-view

[Device] vlan 1

[Device-vlan1] port gigabitethernet 1/0/2

[Device-vlan1] quit

[Device] vlan 10

[Device-vlan10] port gigabitethernet 1/0/1

[Device-vlan10] quit

[Device] vlan 2

[Device-vlan2] port gigabitethernet 1/0/4

[Device-vlan2] quit

[Device] vlan 5

[Device-vlan5] port gigabitethernet 1/0/3

[Device-vlan5] quit

4.        Configure a RADIUS scheme.

# Configure RADIUS scheme 2000 and enter its view.

<Device> system-view

[Device] radius scheme 2000

# Specify primary and secondary authentication and accounting servers. Set the shared key to abc for authentication and accounting packets.

[Device-radius-2000] primary authentication 10.11.1.1 1812

[Device-radius-2000] primary accounting 10.11.1.1 1813

[Device-radius-2000] key authentication abc

[Device-radius-2000] key accounting abc

# Exclude the ISP domain name from the username sent to the RADIUS server.

[Device-radius-2000] user-name-format without-domain

[Device-radius-2000] quit

5.        Configure an ISP domain.

# Create ISP domain bbb and enter its view.

[Device] domain bbb

# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.

[Device-isp-bbb] authentication lan-access radius-scheme 2000

[Device-isp-bbb] authorization lan-access radius-scheme 2000

[Device-isp-bbb] accounting lan-access radius-scheme 2000

[Device-isp-bbb] quit

6.        Configure 802.1X.

# Enable 802.1X globally.

[Device] dot1x

# Enable 802.1X for port GigabitEthernet 1/0/2.

[Device] interface gigabitethernet 1/0/2

[Device-GigabitEthernet1/0/2] dot1x

# Implement port-based access control on the port.

[Device-GigabitEthernet1/0/2] dot1x port-method portbased

# Set the port authorization mode to auto. This step is optional. By default, the port is in auto mode.

[Device-GigabitEthernet1/0/2] dot1x port-control auto

[Device-GigabitEthernet1/0/2] quit

# Set VLAN 10 as the 802.1X guest VLAN for port GigabitEthernet 1/0/2.

[Device] dot1x guest-vlan 10 interface gigabitethernet 1/0/2

Verifying the configuration

Use the display dot1x interface gigabitethernet 1/0/2 command to verify the 802.1X guest VLAN configuration on GigabitEthernet 1/0/2. If no user passes authentication on the port within a specified period of time, use the display vlan 10 command to verify whether GigabitEthernet 1/0/2 is assigned to VLAN 10.

After a user passes authentication, you can use the display interface gigabitethernet 1/0/2 command to verify that port GigabitEthernet 1/0/2 has been added to VLAN 5.

802.1X with ACL assignment configuration example

Network requirements

As shown in Figure 13, the host 192.168.1.10 connects to port GigabitEthernet 1/0/1 of the network access device.

Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server. Assign an ACL to Ethernet 1/1 to deny the access of 802.1X users to the FTP server at 10.0.0.1/24.

Figure 13 Network diagram for ACL assignment

Configuration procedure

NOTE:

The following configuration procedure provides the major AAA and RADIUS configuration on the access device. The configuration procedures on the 802.1X client and RADIUS server are beyond the scope of this configuration example. For information about AAA and RADIUS configuration commands, see the Security Command Reference.

1.        Configure the 802.1X client. Make sure the client is able to update its IP address after the access port is assigned to the 802.1X guest VLAN or a server-assigned VLAN. (Omitted)

2.        Configure the RADIUS servers, user accounts, and authorization ACL, ACL 3000 in this example. (Omitted)

3.        Configure the access device.

# Assign IP addresses to interfaces. (Omitted)

# Configure the RADIUS scheme.

<Device> system-view

[Device] radius scheme 2000

[Device-radius-2000] primary authentication 10.1.1.1 1812

[Device-radius-2000] primary accounting 10.1.1.2 1813

[Device-radius-2000] key authentication abc

[Device-radius-2000] key accounting abc

[Device-radius-2000] user-name-format without-domain

[Device-radius-2000] quit

# Create an ISP domain and specify the RADIUS scheme 2000 as the default AAA scheme for the domain.

[Device] domain 2000

[Device-isp-2000] authentication default radius-scheme 2000

[Device-isp-2000] authorization default radius-scheme 2000

[Device-isp-2000] accounting default radius-scheme 2000

[Device-isp-2000] quit

# Configure ACL 3000 to deny packets destined for the FTP server at 10.0.0.1.

[Device] acl number 3000

[Device-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0

[Device-acl-adv-3000] quit

# Enable 802.1X globally.

[Device] dot1x

# Enable 802.1X on port GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] dot1x

Verification

Use the user account to pass authentication, and then ping the FTP server.

C:\>ping 10.0.0.1

 

Pinging 10.0.0.1 with 32 bytes of data:

 

Request timed out.

Request timed out.

Request timed out.

Request timed out.

 

Ping statistics for 10.0.0.1:

    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The output shows that ACL 3000 has taken effect on the user, and the user cannot access the FTP server.

EAD fast deployment configuration

This chapter includes these sections:

·          EAD fast deployment overview

·          Configuring EAD fast deployment

·          Displaying and maintaining EAD fast deployment

·          EAD fast deployment configuration example

·          Troubleshooting EAD fast deployment

NOTE:

·      The term "switch" or "device" in this chapter refers to the switching engine on a WX3000E wireless switch.

·      The WX3000E series comprises WX3024E and WX3010E wireless switches.

·      The port numbers in this chapter are for illustration only.

EAD fast deployment overview

Endpoint Admission Defense (EAD) is an H3C integrated endpoint access control solution in which the security client, security policy server, access device, and third-party server work together to improve the threat defense capability of a network. A terminal device that seeks to access an EAD network must have an EAD client, which performs 802.1X authentication.

EAD fast deployment enables the access device to redirect a user seeking to access the network to download and install the EAD client. This function spares the administrator the tedious job of deploying EAD clients.

EAD fast deployment implementation

EAD fast deployment is implemented by the following functions:

·          Free IP

·          URL redirection

Free IP

A free IP is a freely accessible network segment, which has a limited set of network resources such as software and DHCP servers. An unauthenticated user can access only this segment to download the EAD client, obtain a dynamic IP address from a DHCP server, or perform some other tasks required to comply with the network security strategy.

URL redirection

If an unauthenticated 802.1X user is using a web browser to access the network, the EAD fast deployment function redirects the user to a specified URL, for example, the EAD client software download page.

The server that provides the URL must be on the free IP accessible to unauthenticated users.

Configuring EAD fast deployment

Configuration prerequisites

·          Enable 802.1X globally.

·          Enable 802.1X on the port, and set the port authorization mode to auto.

Configuration procedure

Configuring a free IP

When a free IP is configured, the EAD fast deployment is enabled. To allow a user to obtain a dynamic IP address before passing 802.1X authentication, make sure the DHCP server is on the free IP segment.

Follow these steps to configure a free IP:

1.        Enter system view.

system-view

2.        Configure a free IP.

dot1x free-ip ip-address { mask-address | mask-length }

Required. By default, no free IP is configured.

NOTE:

·      When global MAC authentication or port security is enabled, the free IP does not take effect.

·      If you use the free IP, guest VLAN, and Auth-Fail VLAN features together, make sure that the free IP segments are in both the guest VLAN and the Auth-Fail VLAN. Users can access only the free IP segments.

Configuring the redirect URL

Follow these steps to configure a redirect URL:

1.        Enter system view.

system-view

2.        Configure the redirect URL.

dot1x url url-string

Required. By default, no redirect URL is configured.

NOTE:

The redirect URL must be on the free IP subnet.

Setting the EAD rule timer

EAD fast deployment automatically creates an ACL rule, or EAD rule, to open access to the redirect URL for each redirected user seeking to access the network. The EAD rule timer sets the lifetime of each ACL rule. When the timer expires or the user passes authentication, the rule is removed. If users fail to download the EAD client or fail to pass authentication before the timer expires, they must reconnect to the network to access the free IP.

To prevent ACL rule resources from being used up, you can shorten the timer when the number of EAD users is large.

Follow these steps to set the EAD rule timer:

1.        Enter system view.

system-view

2.        Set the EAD rule timer.

dot1x timer ead-timeout ead-timeout-value

Optional. The default timer is 30 minutes.
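The free IP, redirect URL, and EAD rule timer described above together decide what an unauthenticated 802.1X user can reach and for how long. The following Python model is an added example for this chapter, not H3C code: traffic to a free IP segment is forwarded, a web request to any other address is answered with a redirect to the configured URL, everything else is dropped, and the per-user EAD rule that grants this pre-authentication access lapses after ead-timeout, after which the user must reconnect. The assumptions it makes beyond the text are that "web access" means TCP port 80, that the EAD rule is created the first time an unauthenticated user sends traffic, and that the redirect URL names the server by IP literal so it can be checked against the free IP segments as the NOTE above requires. The addresses come from the configuration example later in this chapter; the client identifier is constructed.

```python
"""Decision model for EAD fast deployment: free IP, URL redirection and the EAD rule timer.

Added example (not H3C code). Assumptions: web access is TCP/80, the EAD rule is
created on the user's first packet, the redirect URL host is an IP literal.
"""
import ipaddress
from typing import Dict, List, Set
from urllib.parse import urlparse


class EadFastDeployment:
    def __init__(self, free_ips: List[str], redirect_url: str, ead_timeout: int = 30 * 60):
        # dot1x free-ip ip-address { mask-address | mask-length }, one entry per segment
        self.free_ips = [ipaddress.ip_network(n, strict=False) for n in free_ips]
        self.redirect_url = redirect_url                 # dot1x url url-string
        self.redirect_host = ipaddress.ip_address(urlparse(redirect_url).hostname)
        if not self.in_free_ip(self.redirect_host):
            raise ValueError("redirect URL must be on a free IP segment")
        self.ead_timeout = ead_timeout                   # dot1x timer ead-timeout, in seconds
        self.rule_expiry: Dict[str, int] = {}            # client -> second the EAD rule lapses
        self.expired: Set[str] = set()                   # clients whose rule ran out
        self.authenticated: Set[str] = set()

    def in_free_ip(self, ip) -> bool:
        return any(ip in net for net in self.free_ips)

    def on_authenticated(self, client: str) -> None:
        """Passing 802.1X removes the EAD rule; the user gets normal access."""
        self.authenticated.add(client)
        self.rule_expiry.pop(client, None)
        self.expired.discard(client)

    def on_reconnect(self, client: str) -> None:
        """Reconnecting clears the expired state so a fresh EAD rule can be created."""
        self.expired.discard(client)
        self.rule_expiry.pop(client, None)

    def decide(self, client: str, dst_ip: str, dst_port: int, now: int) -> str:
        """Return 'forward', 'drop' or 'redirect <url>' for one packet from `client`."""
        if client in self.authenticated:
            return "forward"
        # lapse the EAD rule once its timer expires
        if client in self.rule_expiry and now >= self.rule_expiry[client]:
            del self.rule_expiry[client]
            self.expired.add(client)
        if client in self.expired:
            return "drop"                                # must reconnect to regain free IP access
        if client not in self.rule_expiry:
            self.rule_expiry[client] = now + self.ead_timeout
        dst = ipaddress.ip_address(dst_ip)
        if self.in_free_ip(dst):
            return "forward"
        if dst_port == 80:
            return f"redirect {self.redirect_url}"
        return "drop"


def demo() -> List[str]:
    """Replay the chapter's scenario: free IP 192.168.2.0/24, redirect URL http://192.168.2.3."""
    ead = EadFastDeployment(["192.168.2.0/24"], "http://192.168.2.3")
    host = "00-11-22-33-44-55"          # constructed client identifier
    return [
        ead.decide(host, "192.168.2.3", 80, now=0),      # free IP: forward
        ead.decide(host, "3.3.3.3", 80, now=10),         # external web: redirect
        ead.decide(host, "3.3.3.3", 443, now=10),        # external non-web: drop
        ead.decide(host, "192.168.2.3", 80, now=1800),   # rule lapsed after 30 minutes: drop
    ]


if __name__ == "__main__":
    print(demo())
```

The last decision is the one worth noticing when sizing ead-timeout: a client that is still downloading the EAD client when the timer fires loses even its free IP access and has to reconnect, so a shorter timer saves ACL resources only at the cost of more such interruptions. Name resolution is not modelled; unless the DNS server is itself on a free IP segment, an unauthenticated host can only reach the redirect server by IP address, which is why the verification at the end of this chapter uses dotted decimal addresses.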

 

Displaying and maintaining EAD fast deployment

·          Display 802.1X session information, statistics, or configuration information (available in any view):

display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]

EAD fast deployment configuration example

Network requirements

As shown in Figure 14, the hosts on the intranet 192.168.1.0/24 are attached to port GigabitEthernet 1/0/1 of the network access device, and they use DHCP to obtain IP addresses.

Deploy the EAD solution for the intranet so that all hosts must pass 802.1X authentication to access the network.

To allow all intranet users to install and update the 802.1X client program from a web server, configure the following:

·          Allow unauthenticated users to access the segment 192.168.2.0/24 and to obtain an IP address on the segment 192.168.1.0/24 through DHCP.

·          Redirect unauthenticated users to a preconfigured web page when the users use a web browser to access any external network except 192.168.2.0/24. The web page allows users to download the 802.1X client program.

·          Allow authenticated 802.1X users to access the network.

Figure 14 Network diagram for EAD fast deployment

 

 

NOTE:

In addition to the configuration on the access device, complete the following tasks:

·      Configure the DHCP server so that the host can obtain an IP address on the segment of 192.168.1.0/24.

·      Configure the web server so that users can log in to the web page to download 802.1X clients.

·      Configure the authentication server to provide authentication, authorization, and accounting services.

Configuration procedure

1.        Configure an IP address for each interface. (Omitted)

2.        Configure DHCP relay.

# Enable DHCP.

<Device> system-view

[Device] dhcp enable

# Configure a DHCP server for a DHCP server group.

[Device] dhcp relay server-group 1 ip 192.168.2.2

# Enable the DHCP relay agent on VLAN-interface 2.

[Device] interface vlan-interface 2

[Device-Vlan-interface2] dhcp select relay

# Correlate VLAN interface 2 to the DHCP server group.

[Device-Vlan-interface2] dhcp relay server-select 1

[Device-Vlan-interface2] quit

3.        Configure a RADIUS scheme and an ISP domain.

For more information about the configuration procedure, see the chapter "802.1X configuration."

4.        Configure 802.1X.

# Configure the free IP.

[Device] dot1x free-ip 192.168.2.0 24

# Configure the redirect URL for client software download.

[Device] dot1x url http://192.168.2.3

# Enable 802.1X globally.

[Device] dot1x

# Enable 802.1X on the port.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] dot1x

Verification

Use the display dot1x command to display the 802.1X configuration. After the host obtains an IP address from the DHCP server, use the ping command on the host to ping an IP address in the network segment configured as the free IP segment.

C:\>ping 192.168.2.3

Pinging 192.168.2.3 with 32 bytes of data:

Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
Reply from 192.168.2.3: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.2.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

The output shows that the host can reach the free IP segment before passing 802.1X authentication. If you use a web browser to access any external website outside the free IP segments, you are redirected to the web server, which provides the 802.1X client software download service. Enter the external website address in dotted decimal notation, for example, 3.3.3.3 or http://3.3.3.3, in the address bar.

Troubleshooting EAD fast deployment

Web browser users cannot be correctly redirected

Symptom

Unauthenticated users are not redirected to the specified redirect URL after they enter external website addresses in their web browsers.

Analysis

Redirection does not happen for one of the following reasons:

·          The address is in string format. The operating system of the host regards the string as a website name and tries to resolve it. If the resolution fails, the operating system sends an ARP request instead of an HTTP request to a dotted decimal address. The redirection function does not redirect this kind of ARP request.

·          The address is within a free IP segment. No redirection takes place, even if no host is present at the address.

·          The redirect URL is not in a free IP segment, no server is using the redirect URL, or the server at the URL does not provide web services.

Solution

·          Enter a dotted decimal IP address that is not in any free IP segment.

·          Ensure that the network access device and the web server are correctly configured: the redirect URL must point to a dotted decimal address inside a free IP segment, and a web server must be listening there.
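The decision rules from the analysis and solution above, and from the verification step, can be checked offline. The following is an added example, not H3C code: `decide` models what the access device does with a request from an unauthenticated host as this page describes it (allow traffic to a free IP segment, redirect web requests to any other dotted decimal address, redirect nothing for a name that still has to be resolved), and `check_redirect_url` performs the configuration sanity check from the solution. The action names and the `is_http` flag are assumptions made for the example; the free IP segment and redirect URL are the ones from the configuration example.

```python
"""Offline model of EAD redirection decisions (added example, not H3C code)."""
import ipaddress
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

IPv4Network = ipaddress.IPv4Network


def parse_free_ips(entries: Iterable[Tuple[str, int]]) -> List[IPv4Network]:
    """Turn `dot1x free-ip <ip> <mask-length>` arguments into network objects."""
    return [ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip, prefix in entries]


def is_dotted_decimal(host: str) -> bool:
    """True for addresses such as 3.3.3.3; False for names the host must resolve first."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def decide(dst_host: str, free_ips: List[IPv4Network], redirect_url: str,
           authenticated: bool = False, is_http: bool = True) -> Tuple[str, str]:
    """Return (action, detail) for a request from a host on the 802.1X port.

    Actions (names chosen for this example): allow, redirect, no-redirect, deny.
    """
    if authenticated:
        return "allow", "host passed 802.1X authentication"
    if not is_dotted_decimal(dst_host):
        # The page's first troubleshooting cause: a string address is resolved by the host,
        # and the resulting ARP/DNS traffic is not something the redirection function acts on.
        return "no-redirect", f"{dst_host!r} is a name, not a dotted decimal address"
    addr = ipaddress.IPv4Address(dst_host)
    if any(addr in net for net in free_ips):
        # Second cause: free IP segments are reachable without authentication, never redirected.
        return "allow", f"{dst_host} is in a free IP segment"
    if is_http:
        return "redirect", redirect_url
    return "deny", "unauthenticated host may only reach free IP segments"


def check_redirect_url(url: str, free_ips: List[IPv4Network]) -> List[str]:
    """Third cause, checked against the configuration: the redirect URL must be a
    dotted decimal address inside a free IP segment, or no client can reach it."""
    host = urlparse(url).hostname
    problems: List[str] = []
    if host is None or not is_dotted_decimal(host):
        problems.append(f"redirect URL host {host!r} is not a dotted decimal IPv4 address")
    elif not any(ipaddress.IPv4Address(host) in net for net in free_ips):
        problems.append(f"redirect URL host {host} is not inside any free IP segment")
    return problems


if __name__ == "__main__":
    # Values from the configuration example on this page.
    free = parse_free_ips([("192.168.2.0", 24)])
    url = "http://192.168.2.3"
    print("config problems:", check_redirect_url(url, free) or "none")
    for target in ("192.168.2.3", "3.3.3.3", "www.example.com"):
        print(f"{target:16s} -> {decide(target, free, url)}")
```

Running the `check_redirect_url` part against a candidate configuration before enabling `dot1x` on the port catches the third failure cause without involving a client; the `decide` part reproduces the ping and browser checks from the verification section.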
