08-Security Configuration Guide
24-802.1X client configuration
Contents
Restrictions: Hardware compatibility with 802.1X client
802.1X client tasks at a glance
Enabling the 802.1X client feature
Configuring an 802.1X client username and password
Specifying an 802.1X client EAP authentication method
Configuring an 802.1X client MAC address
Specifying an 802.1X client mode for sending EAP-Response and EAPOL-Logoff packets
Configuring an 802.1X client anonymous identifier
Specifying an SSL client policy
Display and maintenance commands for 802.1X client
Configuring an 802.1X client
About 802.1X clients
As shown in Figure 1, the 802.1X client feature allows the access device to act as the supplicant in the 802.1X architecture. For information about the 802.1X architecture, see "802.1X overview."
Figure 1 802.1X client network diagram
Restrictions: Hardware compatibility with 802.1X client
The S5130S-EI-G switch series does not support the 802.1X client feature.
802.1X client tasks at a glance
To configure an 802.1X client, perform the following tasks:
1. Enabling the 802.1X client feature
2. Configuring an 802.1X client username and password
3. Specifying an 802.1X client EAP authentication method
4. (Optional.) Configuring an 802.1X client MAC address
5. (Optional.) Specifying an 802.1X client mode for sending EAP-Response and EAPOL-Logoff packets
6. (Optional.) Configuring an 802.1X client anonymous identifier
7. Specifying an SSL client policy
This task is required when you specify PEAP-MSCHAPv2, PEAP-GTC, TTLS-MSCHAPv2, or TTLS-GTC authentication as the 802.1X client EAP authentication method.
Enabling the 802.1X client feature
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Enable the 802.1X client feature.
dot1x supplicant enable
By default, the 802.1X client feature is disabled.
Configuring an 802.1X client username and password
Restrictions and guidelines
To ensure successful authentication, make sure the username and password configured on the 802.1X client are the same as the username and password configured on the authentication server.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Configure an 802.1X client username.
dot1x supplicant username username
By default, no 802.1X client username is configured.
4. Set an 802.1X client password.
dot1x supplicant password { cipher | simple } string
By default, no 802.1X client password is configured.
Specifying an 802.1X client EAP authentication method
About this task
The following EAP authentication methods are available for the 802.1X client feature:
· MD5-Challenge.
· PEAP-MSCHAPv2.
· PEAP-GTC.
· TTLS-MSCHAPv2.
· TTLS-GTC.
Restrictions and guidelines
The following matrix shows the restrictions for the selection of authentication methods on the 802.1X client and the authenticator:
Authentication method specified on the 802.1X client | Packet exchange method specified on the authenticator |
---|---|
MD5-Challenge | CHAP or EAP |
PEAP-MSCHAPv2, PEAP-GTC, TTLS-MSCHAPv2, or TTLS-GTC | EAP |
For information about 802.1X packet exchange methods, see "Configuring 802.1X."
Make sure the specified 802.1X client EAP authentication method is supported by the authentication server.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Specify an 802.1X client EAP authentication method.
dot1x supplicant eap-method { md5 | peap-gtc | peap-mschapv2 | ttls-gtc | ttls-mschapv2 }
By default, the EAP authentication method is MD5-Challenge.
Configuring an 802.1X client MAC address
About this task
The authenticator adds the MAC address of an authenticated 802.1X client to the MAC address table and then assigns access rights to the client.
If the device has multiple Ethernet interfaces that act as 802.1X clients to seek MACsec protection, configure a unique MAC address for each interface to ensure successful 802.1X client authentication. For information about MACsec, see "Configuring MACsec."
You can use either of the following methods to configure a unique MAC address for each interface:
· Execute the mac-address command in Ethernet interface view. For information about this command, see Layer 2—LAN Switching Command Reference.
· Configure an 802.1X client MAC address.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Configure an 802.1X client MAC address.
dot1x supplicant mac-address mac-address
By default, the 802.1X client on an Ethernet interface uses the MAC address of the interface for 802.1X authentication. If the interface's MAC address is unavailable, the client uses the device's MAC address for 802.1X authentication.
Specifying an 802.1X client mode for sending EAP-Response and EAPOL-Logoff packets
About this task
802.1X client authentication supports unicast and multicast modes to send EAP-Response and EAPOL-Logoff packets. As a best practice, use multicast mode to avoid 802.1X client authentication failures if the NAS device in the network does not support receiving unicast EAP-Response or EAPOL-Logoff packets.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Specify a mode for 802.1X client authentication to send EAP-Response and EAPOL-Logoff packets.
dot1x supplicant transmit-mode { multicast | unicast }
By default, 802.1X client authentication uses unicast mode to send EAP-Response and EAPOL-Logoff packets.
Configuring an 802.1X client anonymous identifier
About this task
At phase 1, packets sent to the authenticator are not encrypted. The use of an 802.1X client anonymous identifier prevents the 802.1X client username from being disclosed at phase 1. The 802.1X client sends the anonymous identifier to the authenticator instead of the 802.1X client username. The 802.1X client username will be sent to the authenticator in encrypted packets at phase 2.
If no 802.1X client anonymous identifier is configured, the 802.1X client sends the 802.1X client username at phase 1.
The configured 802.1X client anonymous identifier takes effect only if one of the following EAP authentication methods is used:
· PEAP-MSCHAPv2.
· PEAP-GTC.
· TTLS-MSCHAPv2.
· TTLS-GTC.
If the MD5-Challenge EAP authentication is used, the configured 802.1X client anonymous identifier does not take effect. The 802.1X client uses the 802.1X client username at phase 1.
Restrictions and guidelines
Do not configure the 802.1X client anonymous identifier if the vendor-specific authentication server cannot identify anonymous identifiers.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Configure an 802.1X client anonymous identifier.
dot1x supplicant anonymous identify identifier
By default, no 802.1X client anonymous identifier is configured.
Specifying an SSL client policy
About this task
If the PEAP-MSCHAPv2, PEAP-GTC, TTLS-MSCHAPv2, or TTLS-GTC authentication is used, the 802.1X client authentication process is as follows:
· Phase 1—The 802.1X client acts as an SSL client to negotiate with the SSL server.
The SSL client uses the SSL parameters defined in the specified SSL client policy to establish a connection with the SSL server for negotiation. The SSL parameters include a PKI domain, supported cipher suites, and the SSL version. For information about SSL client policy configuration, see "Configuring SSL."
· Phase 2—The 802.1X client uses the negotiated result to encrypt and transmit the authentication packets exchanged with the authenticator.
If the MD5-Challenge authentication is used, the 802.1X client does not use an SSL client policy during the authentication process.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Specify an SSL client policy.
dot1x supplicant ssl-client-policy policy-name
By default, the default SSL client policy is used.
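As an added example (not part of this guide and not H3C code), the following Python audit parses a constructed running-config excerpt containing the commands from the procedures above and flags the configurations this chapter warns about: a missing username or password, a PEAP/TTLS method with no SSL client policy specified, an anonymous identifier that has no effect under MD5-Challenge, and a client MAC address shared by several interfaces. The interface names, usernames, policy name, MAC address, and placeholder ciphertext are all constructed.

```python
from collections import defaultdict
# Constructed running-config excerpt (not taken from a real device) covering the chapter's commands.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 dot1x supplicant enable
 dot1x supplicant username host01
 dot1x supplicant password cipher PLACEHOLDER_CIPHERTEXT
 dot1x supplicant eap-method peap-mschapv2
 dot1x supplicant anonymous identify anonymous@example.com
 dot1x supplicant ssl-client-policy corp-tls
 dot1x supplicant mac-address 0001-0001-0001
interface GigabitEthernet1/0/2
 dot1x supplicant enable
 dot1x supplicant username host02
 dot1x supplicant eap-method md5
 dot1x supplicant anonymous identify anonymous@example.com
 dot1x supplicant mac-address 0001-0001-0001
interface GigabitEthernet1/0/3
 dot1x supplicant enable
 dot1x supplicant username host03
 dot1x supplicant password cipher PLACEHOLDER_CIPHERTEXT
 dot1x supplicant eap-method ttls-gtc
"""

def parse_supplicants(config):
    # Map each interface name to {keyword: arguments} for its "dot1x supplicant" lines.
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif current and line.strip().startswith("dot1x supplicant "):
            keyword, _, args = line.strip()[len("dot1x supplicant "):].partition(" ")
            ifaces.setdefault(current, {})[keyword] = args.strip()
    return ifaces

def audit(config):
    # Apply the chapter's guidelines to every enabled client; return sorted (interface, finding) pairs.
    findings, macs = [], defaultdict(list)
    enabled = {n: c for n, c in parse_supplicants(config).items() if "enable" in c}
    for name, cfg in enabled.items():
        method = cfg.get("eap-method", "md5")  # default EAP method is MD5-Challenge
        if "username" not in cfg or "password" not in cfg:
            findings.append((name, "username and password are both required"))
        if method.startswith(("peap", "ttls")) and "ssl-client-policy" not in cfg:
            findings.append((name, "PEAP/TTLS selected but no SSL client policy specified"))
        if method == "md5" and "anonymous" in cfg:
            findings.append((name, "anonymous identifier has no effect with MD5-Challenge"))
        macs[cfg.get("mac-address", "interface MAC of " + name)].append(name)
    for mac, names in macs.items():
        if len(names) > 1:  # client interfaces seeking MACsec protection need unique MACs
            findings += [(n, "client MAC " + mac + " is shared across interfaces") for n in names]
    return sorted(findings)
```

Running audit(SAMPLE_CONFIG) reports nothing for GigabitEthernet1/0/1 except the shared MAC address, which it also reports for GigabitEthernet1/0/2.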
Display and maintenance commands for 802.1X client
Execute display commands in any view.
Task | Command |
---|---|
Display 802.1X client information. | display dot1x supplicant [ interface interface-type interface-number ] |