
Operation Manual – 802.1x-HABP-MAC Authentication
H3C S5500-EI Series Ethernet Switches
Table of Contents
Chapter 1 802.1x Configuration ................................................................................................... 1-1
1.1 802.1x Overview ................................................................................................................ 1-1
1.1.1 Architecture of 802.1x ............................................................................................. 1-1
1.1.2 Operation of 802.1x................................................................................................. 1-3
1.1.3 EAP Encapsulation over LANs................................................................................ 1-4
1.1.4 EAP Encapsulation over RADIUS........................................................................... 1-6
1.1.5 Authentication Process of 802.1x............................................................................ 1-6
1.1.6 802.1x Timers........................................................................................................ 1-10
1.1.7 Implementation of 802.1x in the Devices .............................................................. 1-11
1.1.8 Features Working Together with 802.1x ............................................................... 1-12
1.2 Configuring 802.1x........................................................................................................... 1-14
1.2.1 Configuration Prerequisites................................................................................... 1-14
1.2.2 Configuring 802.1x Globally .................................................................................. 1-14
1.2.3 Configuring 802.1x for a Port ................................................................................ 1-15
1.3 Configuring a Guest VLAN .............................................................................................. 1-17
1.3.1 Configuration Prerequisites................................................................................... 1-17
1.3.2 Configuration Procedure ....................................................................................... 1-17
1.4 Displaying and Maintaining 802.1x .................................................................................. 1-18
1.5 802.1x Configuration Example......................................................................................... 1-18
1.6 Guest VLAN Configuration Example ............................................................................... 1-21
1.7 ACL Assignment Configuration Example ........................................................................ 1-24
Chapter 2 EAD Fast Deployment Configuration ........................................................................ 2-1
2.1 EAD Fast Deployment Overview ....................................................................................... 2-1
2.2 Configuring EAD Fast Deployment.................................................................................... 2-1
2.2.1 Configuration Prerequisites..................................................................................... 2-1
2.2.2 Configuration Procedure ......................................................................................... 2-2
2.3 Displaying and Maintaining EAD Fast Deployment ........................................................... 2-3
2.4 EAD Fast Deployment Configuration Example.................................................................. 2-3
2.5 Troubleshooting EAD Fast Deployment ............................................................................ 2-5
2.5.1 Users Cannot be Redirected Correctly ................................................................... 2-5
Chapter 3 HABP Configuration .................................................................................................... 3-1
3.1 Introduction to HABP ......................................................................................................... 3-1
3.2 Configuring HABP.............................................................................................................. 3-1
3.2.1 Configuring the HABP Server ................................................................................. 3-1
3.2.2 Configuring an HABP Client.................................................................................... 3-2
3.3 Displaying and Maintaining HABP ..................................................................................... 3-2
Chapter 4 MAC Authentication Configuration............................................................................ 4-1
4.1 MAC Authentication Overview ........................................................................................... 4-1
4.1.1 RADIUS-Based MAC Authentication ...................................................................... 4-1
4.1.2 Local MAC Authentication....................................................................................... 4-2
4.2 Related Concepts .............................................................................................................. 4-2
4.2.1 MAC Authentication Timers .................................................................................... 4-2
4.2.2 Quiet MAC Address ................................................................................................ 4-2
4.2.3 VLAN Assigning ...................................................................................................... 4-3
4.2.4 ACL Assigning......................................................................................................... 4-3
4.3 Configuring MAC Authentication........................................................................................ 4-3
4.3.1 Configuration Prerequisites..................................................................................... 4-3
4.3.2 Configuration Procedure ......................................................................................... 4-4
4.4 Displaying and Maintaining MAC Authentication............................................................... 4-5
4.5 MAC Authentication Configuration Examples.................................................................... 4-5
4.5.1 Local MAC Authentication Configuration Example ................................................. 4-5
4.5.2 RADIUS-Based MAC Authentication Configuration Example................................. 4-7
4.5.3 ACL Assigning Configuration Example ................................................................... 4-9
Chapter 1 802.1x Configuration
When configuring 802.1x, go to these sections for information you are interested in:
• 802.1x Overview
• Configuring 802.1x
• Configuring a Guest VLAN
• Displaying and Maintaining 802.1x
• 802.1x Configuration Example
• Guest VLAN Configuration Example
• ACL Assignment Configuration Example
1.1 802.1x Overview
The 802.1x protocol was proposed by the IEEE 802 LAN/WAN committee to address security
problems on wireless LANs (WLANs). Currently, it is widely used on Ethernet as a
common port access control mechanism.
As a port-based network access control protocol, 802.1x authenticates and controls
accessing devices at the level of port. A device connected to an 802.1x-enabled port of
an access control device can access the resources on the LAN only after passing
authentication.
To get more information about 802.1x, go to these topics:
• Architecture of 802.1x
• Operation of 802.1x
• EAP Encapsulation over LANs
• EAP Encapsulation over RADIUS
• Authentication Process of 802.1x
• 802.1x Timers
• Implementation of 802.1x in the Devices
• Features Working Together with 802.1x
1.1.1 Architecture of 802.1x
802.1x operates in the typical client/server model and defines three entities: supplicant
system, authenticator system, and authentication server system, as shown in Figure
1-1.
Figure 1-1 Architecture of 802.1x
• Supplicant system: A system at one end of the LAN segment, which is
authenticated by the authenticator system at the other end. A supplicant system is
usually a user-end device and initiates 802.1x authentication through 802.1x client
software supporting the EAP over LANs (EAPOL) protocol.
• Authenticator system: A system at the other end of the LAN segment, which
authenticates the connected supplicant system. An authenticator system is
usually an 802.1x-enabled network device and provides ports (physical or logical)
for supplicants to access the LAN.
• Authentication server system: The system providing authentication, authorization,
and accounting services for the authenticator system. The authentication server,
usually a Remote Authentication Dial-in User Service (RADIUS) server, maintains
user information like username, password, VLAN that the user belongs to,
committed access rate (CAR) parameters, priority, and ACLs.
The above systems involve three basic concepts: PAE, controlled port, control
direction.
I. PAE
Port access entity (PAE) refers to the entity that performs the 802.1x algorithm and
protocol operations.
• The authenticator PAE uses the authentication server to authenticate a supplicant
trying to access the LAN and sets the state of the controlled port according to
the authentication result: authorized or unauthorized. In the authorized state, the
supplicant can access network resources; in the unauthorized state, the supplicant
can only send and receive EAPOL frames and cannot access network resources.
• The supplicant PAE responds to the authentication request of the authenticator
PAE and provides authentication information. The supplicant PAE can also send
authentication requests and logoff requests to the authenticator.
II. Controlled port and uncontrolled port
An authenticator provides ports for supplicants to access the LAN. Each of the ports
can be regarded as two logical ports: a controlled port and an uncontrolled port.
• The uncontrolled port is always open in both the inbound and outbound directions
to allow EAPOL protocol frames to pass, guaranteeing that the supplicant can
always send and receive authentication frames.
• The controlled port is open to allow normal traffic to pass only when it is in the
authorized state.
• The controlled port and uncontrolled port are two parts of the same port. Any
frames arriving at the port are visible to both of them.
III. Control direction
In the unauthorized state, the controlled port can be set to deny traffic to and from the
supplicant or just the traffic from the supplicant.
Note:
Currently, the devices support only denying the traffic from the supplicant.
1.1.2 Operation of 802.1x
The 802.1x authentication system employs the Extensible Authentication Protocol
(EAP) to exchange authentication information between the supplicant PAE,
authenticator PAE, and authentication server.
Figure 1-2 Operation of 802.1x
• Between the supplicant PAE and authenticator PAE, EAP protocol packets are
encapsulated using EAP Encapsulation over LANs and transferred over the LAN.
• Between the authenticator PAE and authentication server, EAP protocol packets
can be handled in two modes: EAP relay and EAP termination. In EAP relay mode,
EAP protocol packets are encapsulated by using the EAP Encapsulation over
RADIUS (Remote Authentication Dial-In User Service) and then relayed to the
RADIUS server. In EAP termination mode, EAP protocol packets are terminated at
the authenticator PAE, repackaged in the Password Authentication Protocol (PAP)
or Challenge Handshake Authentication Protocol (CHAP) attributes of RADIUS
packets, and then transferred to the RADIUS server.
• After a user passes the authentication, the authentication server passes
information about the user to the authenticator, which then controls the status of
the controlled port according to the instruction of the authentication server.
1.1.3 EAP Encapsulation over LANs
I. EAPOL frame format
EAPOL, defined by 802.1x, is intended to carry EAP protocol packets between
supplicants and authenticators over LANs. Figure 1-3 shows the EAPOL frame format.
Figure 1-3 EAPOL frame format
• PAE Ethernet type: Protocol type. It takes the value 0x888E.
• Protocol version: Version of the EAPOL protocol supported by the EAPOL frame
sender.
• Type: Type of the EAPOL frame. Table 1-1 shows the defined types of EAPOL
frames.
Table 1-1 Types of EAPOL frames

Type: EAP-Packet (a value of 0x00)
Description: Frame carrying an EAP packet, exchanged between a supplicant and an
authenticator. The authenticator repackages the EAP packet carried in a frame of this
type into RADIUS so that it can get through complex networks and reach the
authentication server.

Type: EAPOL-Start (a value of 0x01)
Description: Frame for initiating authentication, sent by a supplicant to an
authenticator.

Type: EAPOL-Logoff (a value of 0x02)
Description: Frame for a logoff request, sent by a supplicant to an authenticator.

Type: EAPOL-Key (a value of 0x03)
Description: Frame for carrying key information, exchanged between a supplicant and
an authenticator.

Type: EAPOL-Encapsulated-ASF-Alert (a value of 0x04)
Description: Frame for carrying alerting information compliant with the Alert Standard
Forum (ASF) specification. A frame of this type carries network management related
information such as warning messages and is terminated at the authenticator.

• Length: Length of the data, that is, the length of the Packet body field, in bytes. If
the value of this field is 0, no Packet body field follows.
• Packet body: Content of the packet. The format of this field varies with the value of
the Type field.
II. EAP Packet Format
An EAPOL frame of the type of EAP-Packet carries an EAP packet in its Packet body
field. The format of the EAP packet is shown in Figure 1-4.
Figure 1-4 EAP packet format
• Code: Type of the EAP packet, which can be Request (1), Response (2), Success (3),
or Failure (4).
An EAP packet of the type Success or Failure has no Data field and has a length of
4.
An EAP packet of the type Request or Response has a Data field in the format shown
in Figure 1-5. The Type field indicates the EAP authentication type. A value of 1
represents Identity, indicating that the packet is for querying the identity of the
supplicant. A value of 4 represents MD5-Challenge, which corresponds closely to the
PPP CHAP protocol.
Figure 1-5 Format of the Data field in an EAP request/response packet
• Identifier: Allows matching of responses with requests.
• Length: Length of the EAP packet, including the Code, Identifier, Length, and Data
fields, in bytes.
• Data: Content of the EAP packet. This field is zero or more bytes long and its format
is determined by the Code field.
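The following Python code is an added example, not part of the H3C manual, that builds and parses the EAPOL frames and EAP packets described above using the field layouts and type values from Figures 1-3 to 1-5 and Table 1-1. The function names and the constructed EAPOL-Start / EAP-Request/Identity exchange are mine; the field names and values are the manual's. It rejects frames whose Length fields disagree with the bytes actually received, which is the first check any EAPOL receiver should make before trusting the content.

```python
"""Build and parse EAPOL frames and the EAP packets they carry (IEEE 802.1X / RFC 3748).

Added example, not part of the H3C manual. Field layouts follow the text:
EAPOL = Ethertype 0x888E | version | type | length | packet body, and
EAP   = code | identifier | length | [type | type-data].
"""
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Return an EAP packet. Success/Failure carry no Data field (length 4)."""
    if code in (3, 4):
        return struct.pack("!BBH", code, identifier, 4)
    if eap_type is None:
        raise ValueError("Request/Response packets need a Type field")
    length = 4 + 1 + len(type_data)
    return struct.pack("!BBH", code, identifier, length) + bytes([eap_type]) + type_data


def build_eapol(eapol_type, body=b"", version=1):
    """Return the EAPOL PDU (everything after the Ethernet header)."""
    return struct.pack("!BBH", version, eapol_type, len(body)) + body


def parse_eap(pkt):
    """Parse an EAP packet; raise ValueError on length inconsistencies."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length %d inconsistent with %d bytes" % (length, len(pkt)))
    result = {"code": EAP_CODES.get(code, code), "id": identifier, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without Type field")
        result["type"] = EAP_TYPES.get(pkt[4], pkt[4])
        result["type_data"] = pkt[5:length]
    return result


def parse_eapol(pdu):
    """Parse an EAPOL PDU and, for EAP-Packet frames, the embedded EAP packet."""
    if len(pdu) < 4:
        raise ValueError("EAPOL header truncated")
    version, eapol_type, length = struct.unpack("!BBH", pdu[:4])
    if eapol_type not in EAPOL_TYPES:
        raise ValueError("unknown EAPOL type %d" % eapol_type)
    # Bytes beyond Length are Ethernet padding and ignored; a short body is an error.
    if length > len(pdu) - 4:
        raise ValueError("EAPOL packet body truncated")
    frame = {"version": version, "type": EAPOL_TYPES[eapol_type], "length": length}
    body = pdu[4:4 + length]
    if eapol_type == 0:
        frame["eap"] = parse_eap(body)
    return frame


def example_exchange():
    """Constructed exchange: EAPOL-Start from the supplicant, then the
    authenticator's EAP-Request/Identity carried in an EAP-Packet frame."""
    start = build_eapol(1)                        # EAPOL-Start: Length 0, no body
    req_identity = build_eap(1, 1, eap_type=1)    # EAP-Request/Identity, identifier 1
    frame = build_eapol(0, req_identity)          # EAP-Packet frame
    return parse_eapol(start), parse_eapol(frame)
```

The parsers return dictionaries rather than printing, so the same code can sit behind a capture tool or a test harness; the length checks matter because an EAPOL Length that exceeds the received bytes is exactly how a malformed frame would try to make a naive parser read past the buffer.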
1.1.4 EAP Encapsulation over RADIUS
Two attributes of RADIUS are intended for supporting EAP authentication:
EAP-Message and Message-Authenticator. For information about RADIUS packet
format, refer to AAA RADIUS HWTACACS Configuration.
I. EAP-Message
The EAP-Message attribute is used to encapsulate EAP packets. Figure 1-6 shows its
encapsulation format. The value of the Type field is 79. The String field can be up to 253
bytes. If the EAP packet is longer than 253 bytes, it can be fragmented and
encapsulated into multiple EAP-Message attributes.
Figure 1-6 Encapsulation format of the EAP-Message attribute
II. Message-Authenticator
Figure 1-7 shows the encapsulation format of the Message-Authenticator attribute. The
value of the Type field is 80. The Message-Authenticator attribute carries an HMAC-MD5
computed with the RADIUS shared secret over the whole packet, so the receiver can
detect forged or modified Access-Request packets during EAP or CHAP authentication.
It protects integrity and origin, not confidentiality: it does not hide the packet
contents from an observer. It must be included in any packet carrying an EAP-Message
attribute; otherwise, the packet is considered invalid and discarded.
Figure 1-7 Encapsulation format of the Message-Authenticator attribute
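As an added example (not code from the manual), the Python below shows the two attributes in use on a constructed Access-Request: the EAP packet is split into 253-byte EAP-Message attributes, the Message-Authenticator is computed as HMAC-MD5 over the packet with the shared secret, and the receiving side recomputes it and rejects a packet in which a single byte was changed. The shared secret radius-shared-secret, the user bob and the attribute helper names are made-up test values; attribute numbers 1, 79 and 80 are the standard ones.

```python
"""Carry an EAP packet inside a RADIUS Access-Request (EAP-Message, type 79) and
protect the packet with Message-Authenticator (type 80), as in RFC 3579.
Added example, not part of the manual; secret and user name are test values."""
import hashlib
import hmac
import os
import struct

ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253          # Length is one byte and includes the 2-byte header
CODE_ACCESS_REQUEST = 1
RADIUS_HEADER_LEN = 20        # Code, Identifier, Length, 16-byte Authenticator


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def eap_message_attrs(eap_packet):
    """Fragment an EAP packet into consecutive EAP-Message attributes."""
    chunks = [eap_packet[i:i + MAX_ATTR_VALUE]
              for i in range(0, len(eap_packet), MAX_ATTR_VALUE)]
    return b"".join(attr(ATTR_EAP_MESSAGE, c) for c in chunks)


def parse_attrs(blob):
    """Split the attribute area into (type, value) pairs, checking each Length."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, l = blob[pos], blob[pos + 1]
        if l < 2 or pos + l > len(blob):
            raise ValueError("malformed attribute length")
        out.append((t, blob[pos + 2:pos + l]))
        pos += l
    return out


def message_authenticator(secret, code, identifier, authenticator, attributes):
    """HMAC-MD5(secret, Code|Identifier|Length|Request Authenticator|Attributes),
    with the Message-Authenticator value set to 16 zero bytes in 'attributes'."""
    length = RADIUS_HEADER_LEN + len(attributes)
    packet = struct.pack("!BBH", code, identifier, length) + authenticator + attributes
    return hmac.new(secret, packet, hashlib.md5).digest()


def build_access_request(secret, identifier, username, eap_packet, authenticator=None):
    """Authenticator side: Access-Request carrying EAP-Message(s) plus a valid
    Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username) + eap_message_attrs(eap_packet)
    # Compute the HMAC with the attribute present but zeroed, then fill it in.
    zeroed = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = message_authenticator(secret, CODE_ACCESS_REQUEST, identifier, authenticator, zeroed)
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, mac)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, RADIUS_HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def verify_and_extract_eap(secret, packet):
    """Server side: discard the packet unless exactly one correct
    Message-Authenticator is present, then reassemble the EAP packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS Length does not match packet size")
    authenticator, attrs = packet[4:RADIUS_HEADER_LEN], packet[RADIUS_HEADER_LEN:]
    parsed = parse_attrs(attrs)
    macs = [v for t, v in parsed if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        raise ValueError("missing or duplicated Message-Authenticator")
    zeroed = b"".join(attr(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                      for t, v in parsed)
    expected = message_authenticator(secret, code, identifier, authenticator, zeroed)
    if not hmac.compare_digest(expected, macs[0]):
        raise ValueError("Message-Authenticator mismatch: packet forged or modified")
    return b"".join(v for t, v in parsed if t == ATTR_EAP_MESSAGE)


def demo(secret=b"radius-shared-secret"):
    """Relay an EAP-Response/Identity for user 'bob', then show that flipping one
    bit of the relayed packet is detected. Returns (verified, tamper_detected)."""
    identity = b"bob"
    eap = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    request = build_access_request(secret, 7, identity, eap)
    verified = verify_and_extract_eap(secret, request) == eap
    tampered = bytearray(request)
    tampered[request.index(b"bob")] ^= 0x01        # change the first 'b' to 'c'
    try:
        verify_and_extract_eap(secret, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return verified, tamper_detected
```

Two details are worth noticing: the HMAC is computed over the packet with the Message-Authenticator value zeroed, so both sides must agree on that convention, and the comparison uses a constant-time compare because the server's reject/accept timing is observable by whoever sent the packet.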
1.1.5 Authentication Process of 802.1x
802.1x authentication can be initiated by either the supplicant or the authenticator
system. A supplicant initiates authentication by launching the 802.1x client software,
which sends an EAPOL-Start frame to the authenticator system; the authenticator system
initiates authentication by sending an EAP-Request/Identity packet to an
unauthenticated supplicant when it detects that the supplicant is trying to log in.
An 802.1x authenticator system communicates with a remotely located RADIUS server
in two modes: EAP relay and EAP termination. The following description takes the first
case as an example to show the 802.1x authentication process.
I. EAP relay
EAP relay is an IEEE 802.1x standard mode. In this mode, EAP packets are carried in
an upper layer protocol, such as RADIUS, so that they can go through complex
networks and reach the authentication server. Generally, EAP relay requires that the
RADIUS server support the EAP attributes EAP-Message and Message-Authenticator.
At present, the EAP relay mode supports four authentication methods: EAP-MD5,
EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled Transport Layer Security),
and PEAP (Protected Extensible Authentication Protocol).
• EAP-MD5: EAP-MD5 authenticates the identity of a supplicant. The RADIUS
server sends an MD5 challenge (through an EAP-Request/MD5 Challenge packet)
to the supplicant, and the supplicant returns the MD5 hash of its password
combined with the offered challenge, so the password itself is never transmitted.
EAP-MD5 does not authenticate the server to the supplicant and derives no keying
material.
• EAP-TLS: With EAP-TLS, a supplicant and the RADIUS server verify each other's
certificates and identities (mutual authentication), guaranteeing that EAP packets
are exchanged with the intended peer rather than with an impostor.
• EAP-TTLS: EAP-TTLS extends EAP-TLS. EAP-TLS allows for mutual
authentication between a supplicant and the authentication server. EAP-TTLS
extends this implementation by first setting up a TLS tunnel and then transferring
the user authentication packets through that secure tunnel.
• PEAP: With PEAP, the RADIUS server sets up a TLS tunnel with a supplicant
system for confidentiality and integrity protection and then performs a new round of
EAP negotiation inside the tunnel with the supplicant system for identity
authentication.
Figure 1-8 shows the message exchange procedure with EAP-MD5.
Figure 1-8 Message exchange in EAP relay mode
1) When a user launches the 802.1x client software and enters the registered
username and password, the 802.1x client software generates an EAPOL-Start
frame and sends it to the authenticator to initiate an authentication process.
2) Upon receiving the EAPOL-Start frame, the authenticator responds with an
EAP-Request/Identity packet asking for the username of the supplicant.
3) When the supplicant receives the EAP-Request/Identity packet, it encapsulates
the username in an EAP-Response/Identity packet and sends the packet to the
authenticator.
4) Upon receiving the EAP-Response/Identity packet, the authenticator relays the
packet in a RADIUS Access-Request packet to the authentication server.
5) When receiving the RADIUS Access-Request packet, the RADIUS server looks
the identity up in its user information table to obtain the corresponding password.
It then generates a random challenge, computes the MD5 hash of the password and
the challenge that a valid supplicant would return, and sends the challenge in an
EAP-Request/MD5 Challenge packet carried in a RADIUS Access-Challenge packet
to the authenticator.
6) After receiving the RADIUS Access-Challenge packet, the authenticator relays the
contained EAP-Request/MD5 Challenge packet to the supplicant.
7) When receiving the EAP-Request/MD5 Challenge packet, the supplicant hashes
its password together with the offered challenge (MD5, a one-way operation, so the
password cannot be recovered from the result), places the hash in an
EAP-Response/MD5 Challenge packet, and sends the packet to the authenticator.
8) After receiving the EAP-Response/MD5 Challenge packet, the authenticator
relays the packet in a RADIUS Access-Request packet to the authentication
server.
9) When receiving the RADIUS Access-Request packet, the RADIUS server
compares the hash encapsulated in the packet with the one it computed itself. If
the two are identical, the authentication server considers the user valid and sends
a RADIUS Access-Accept packet to the authenticator.
10) Upon receiving the RADIUS Access-Accept packet, the authenticator sets the
port to the authorized state to grant the access request of the supplicant. After the
supplicant is online, the authenticator periodically sends handshake requests to the
supplicant to check whether it is still online. By default, if two consecutive
handshake attempts fail, the authenticator concludes that the supplicant has gone
offline and performs the necessary operations, so that the authenticator always
knows when a supplicant goes offline.
11) The supplicant can also send an EAPOL-Logoff frame to the authenticator to go
offline on its own initiative. In this case, the authenticator changes the status of the
port from authorized to unauthorized.
Note:
In EAP relay mode, the supplicant and the RADIUS server must use the same
authentication method, whichever of the above mentioned methods is chosen; the
device only relays the EAP packets between them. On the device, therefore, you only
need to execute the dot1x authentication-method eap command to enable EAP relay.
II. EAP termination
In EAP termination mode, EAP packets are terminated at the authenticator and then
repackaged into the PAP or CHAP attributes of RADIUS and transferred to the RADIUS
server for authentication, authorization, and accounting. Figure 1-9 shows the
message exchange procedure with CHAP authentication.
Figure 1-9 Message exchange in EAP termination mode (supplicant PAE <-EAPOL->
authenticator PAE <-RADIUS-> RADIUS server):
  Supplicant -> Authenticator: EAPOL-Start
  Authenticator -> Supplicant: EAP-Request/Identity
  Supplicant -> Authenticator: EAP-Response/Identity
  Authenticator -> Supplicant: EAP-Request/MD5 challenge
  Supplicant -> Authenticator: EAP-Response/MD5 challenge
  Authenticator -> RADIUS server: RADIUS Access-Request (CHAP-Response/MD5 challenge)
  RADIUS server -> Authenticator: RADIUS Access-Accept (CHAP-Success)
  Authenticator -> Supplicant: EAP-Success (port authorized)
  Handshake timer: Authenticator -> Supplicant: handshake request
  [EAP-Request/Identity]; Supplicant -> Authenticator: handshake response
  [EAP-Response/Identity]; ...
  Supplicant -> Authenticator: EAPOL-Logoff (port unauthorized)
Different from the authentication process in EAP relay mode, in EAP termination mode
it is the authenticator that generates the random challenge used to hash the user
password. Consequently, the authenticator sends the challenge together with the
username and the hashed password received from the supplicant to the RADIUS server
for authentication, as CHAP-Challenge and CHAP-Password attributes of the
Access-Request. Because the authenticator must be able to terminate the method
itself, EAP termination works only with MD5-Challenge (repackaged as CHAP) or PAP;
EAP-TLS, EAP-TTLS and PEAP require EAP relay.
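The Python code below is an added example, not the manual's, that carries out the MD5-Challenge computation for both of the passages above: the EAP relay steps in I (the RADIUS server chooses the challenge and verifies the response) and the EAP termination description in II (the authenticator chooses the challenge and forwards it with the response as CHAP-Challenge and CHAP-Password RADIUS attributes). The user table, passwords, fixed challenge and word list are constructed test data, and the class and function names are mine. The last function shows why the hash alone is not a secret: anyone who captured the challenge and the response on the LAN segment can test candidate passwords offline.

```python
"""EAP-MD5 challenge/response as computed by the supplicant and verified by the
RADIUS server, in EAP relay mode and in EAP termination mode. Added example, not
the manual's code; user table, passwords and word list are constructed test data."""
import hashlib
import os


def md5_challenge_response(identifier, password, challenge):
    """RFC 3748 section 5.4: MD5(Identifier || password || challenge). One-way, so
    the password itself never appears on the wire."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


USER_DB = {b"bob": b"bobpass"}        # constructed server-side user table


class Supplicant:
    def __init__(self, username, password):
        self.username, self.password = username, password

    def identity(self):                          # EAP-Response/Identity
        return self.username

    def respond(self, identifier, challenge):    # EAP-Response/MD5 Challenge
        return md5_challenge_response(identifier, self.password, challenge)


class RadiusServer:
    def __init__(self, user_db):
        self.user_db = user_db

    def new_challenge(self):
        return os.urandom(16)

    def check(self, username, identifier, challenge, response):
        """Recompute the hash from the stored password and compare."""
        password = self.user_db.get(username)
        if password is None:
            return False
        return md5_challenge_response(identifier, password, challenge) == response


def eap_relay(supplicant, server, identifier=1):
    """Authenticator copies EAP packets between EAPOL and RADIUS unchanged; the
    server chooses the challenge (steps 5 to 9 above)."""
    username = supplicant.identity()
    challenge = server.new_challenge()                    # in Access-Challenge
    response = supplicant.respond(identifier, challenge)  # relayed in Access-Request
    return server.check(username, identifier, challenge, response)


def eap_termination(supplicant, server, identifier=1):
    """Authenticator generates the challenge itself, terminates EAP, and sends the
    RFC 2865 CHAP-Password (identifier || response) and CHAP-Challenge attributes."""
    username = supplicant.identity()
    challenge = os.urandom(16)                            # generated on the switch
    response = supplicant.respond(identifier, challenge)
    chap_password = bytes([identifier]) + response        # attribute 3
    chap_challenge = challenge                            # attribute 60
    return server.check(username, chap_password[0], chap_challenge, chap_password[1:])


def offline_guess(identifier, challenge, response, wordlist):
    """What a passive observer can do with a captured challenge and response:
    test candidate passwords with no further interaction. EAP-MD5 gives the
    supplicant no way to detect this, which is why password-based methods are
    normally run inside a TLS tunnel (EAP-TTLS or PEAP)."""
    for word in wordlist:
        if md5_challenge_response(identifier, word, challenge) == response:
            return word
    return None


def demo():
    server = RadiusServer(USER_DB)
    good = Supplicant(b"bob", b"bobpass")
    bad = Supplicant(b"bob", b"wrong")
    results = {
        "relay_ok": eap_relay(good, server),
        "relay_reject": eap_relay(bad, server),
        "termination_ok": eap_termination(good, server),
        "termination_reject": eap_termination(bad, server),
    }
    # Fixed challenge so the "captured" exchange is reproducible.
    challenge = bytes(range(16))
    response = good.respond(5, challenge)
    results["offline_guess"] = offline_guess(5, challenge, response,
                                             [b"123456", b"bobpass", b"letmein"])
    return results
```

In both modes the server ends up doing the same comparison; the only difference is who picked the challenge and which RADIUS attributes carry it, which is exactly why EAP termination cannot be extended to methods whose state lives inside a TLS handshake.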
1.1.6 802.1x Timers
Several timers are used in the 802.1x authentication process to guarantee that the
supplicants, the authenticators, and the RADIUS server interact with each other in a
reasonable manner. The following are the major 802.1x timers:
• Username request timeout timer (tx-period): This timer is used in two cases. One is
when an authenticator retransmits an EAP-Request/Identity frame, and the other is
when an authenticator multicasts an EAP-Request/Identity frame. Once an
authenticator sends an EAP-Request/Identity frame to a supplicant, it starts this
timer. If this timer expires but it receives no response from the supplicant, it
retransmits the request. To cooperate with a supplicant system that does not send
EAPOL-Start requests on its own, the authenticator multicasts
EAP-Request/Identity frames to the supplicant system at an interval defined by
this timer.
• Supplicant timeout timer (supp-timeout): Once an authenticator sends an
EAP-Request/MD5 Challenge frame to a supplicant, it starts this timer. If this timer
expires but it receives no response from the supplicant, it retransmits the request.
• Server timeout timer (server-timeout): Once an authenticator sends a RADIUS
Access-Request packet to the authentication server, it starts this timer. If this timer
expires but it receives no response from the server, it retransmits the request.
• Handshake timer (handshake-period): After a supplicant passes authentication,
the authenticator sends handshake requests to the supplicant at this interval to
check whether the supplicant is online. If the authenticator receives no response
after sending the allowed maximum number of handshake requests, it considers
that the supplicant is offline.
• Quiet timer (quiet-period): When a supplicant fails the authentication, the
authenticator refuses further authentication requests from the supplicant in this
period of time.
1.1.7 Implementation of 802.1x in the Devices
The devices extend and optimize the mechanism that the 802.1x protocol specifies by:
• Allowing multiple users to access network services through the same physical
port.
• Supporting two port access control methods: portbased and macbased. With the
portbased method, after the first user of a port passes authentication, all other
users of the port can access the network without authentication, and when the first
user goes offline, all other users get offline at the same time. With the macbased
method, each user of a port must be authenticated separately, and when an
authenticated user goes offline, no other users are affected.
Note:
After an 802.1x supplicant passes authentication, the authentication server sends
authorization information to the authenticator. If the authorization information contains
VLAN authorization information, the authenticator adds the port connecting the
supplicant to the assigned VLAN. This neither changes nor affects the configurations of
the port. The only result is that the assigned VLAN takes precedence over the manually
configured one, that is, the assigned VLAN takes effect. After the supplicant goes
offline, the configured one takes effect.
1.1.8 Features Working Together with 802.1x
I. VLAN assigning
After an 802.1x user passes the authentication, the server will send an authorization
message to the device. If the server is enabled with the VLAN assigning function, the
assigned VLAN information will be included in the message. The device, depending on
the link type of the port used to log in, adds the port to the assigned VLAN according to
the following rules:
• If the port link type is Access, the port leaves its current VLAN and joins the
assigned VLAN.
• If the port link type is Trunk, the assigned VLAN is allowed to pass the current
trunk port. The default VLAN ID of the port is that of the assigned VLAN.
• If the port link type is Hybrid, the assigned VLAN is allowed to pass the current port
without carrying the tag. The default VLAN ID of the port is that of the assigned
VLAN.
The assigned VLAN neither changes nor affects the configuration of a port. However,
as the assigned VLAN has higher priority than the user-configured VLAN, it is the
assigned VLAN that takes effect after a user passes authentication. After the user goes
offline, the port returns to its original VLAN.
For details about VLAN configuration, refer to VLAN Configuration.
Note:
• With a Hybrid port, the VLAN assigning will fail if you have configured the assigned
VLAN to carry tags.
• With a Hybrid port, you cannot configure an assigned VLAN to carry tags after the
VLAN has been assigned.
II. Guest VLAN
Guest VLAN allows unauthenticated users to access some special resources.
Guest VLAN is the default VLAN that a supplicant on a port can access without
authentication. After the supplicant passes 802.1x authentication, the port leaves the
guest VLAN and the supplicant can access other network resources.
A user in the guest VLAN can perform operations such as downloading and upgrading
the authentication client software. A supplicant that does not have the required
authentication client software, or whose client software is older than the required
version, fails the authentication. If no supplicant on a port passes authentication within
a certain period of time (45 seconds by default), the port is added to the guest
VLAN.
If a device with 802.1x enabled and the guest VLAN correctly configured sends an
EAP-Request/Identity packet for the allowed maximum number of times but gets no
response, it adds the port into the guest VLAN according to port link type in the similar
way as described in VLAN assigning.
When a supplicant added into the guest VLAN initiates another authentication process,
if the authentication is not successful, the supplicant stays in the guest VLAN;
otherwise, two cases may occur:
• The authentication server assigns a VLAN: The port leaves the guest VLAN and
joins the assigned VLAN. If the supplicant goes offline, the port returns to its
original VLAN, that is, the VLAN to which it is configured to belong and to which it
belonged before joining the guest VLAN.
• The authentication server does not assign any VLAN: The port leaves the guest
VLAN and returns to its original VLAN. If the supplicant goes offline, the port just
stays in its original VLAN.
III. ACL assignment
ACLs provide a way of controlling access to network resources and defining access
rights. When a user logs in through a port, and the RADIUS server is configured with
authorization ACLs, the device will permit or deny data flows traversing through the port
according to the authorization ACLs. Before specifying authorization ACLs on the
server, you need to configure the ACL rules on the device. You can change the access
rights of users by modifying authorization ACL settings on the RADIUS server or
changing the corresponding ACL rules on the device.
1.2 Configuring 802.1x
1.2.1 Configuration Prerequisites
802.1x provides a user identity authentication scheme. However, 802.1x cannot
implement the authentication scheme solely by itself. RADIUS or local authentication
must be configured to work with 802.1x.
• Configure the ISP domain to which the 802.1x user belongs and the AAA scheme
to be used (that is, local authentication or RADIUS).
• For remote RADIUS authentication, the username and password information must
be configured on the RADIUS server.
• For local authentication, the username and password information must be
configured on the authenticator and the service type must be set to lan-access.
For detailed configuration of the RADIUS client, refer to AAA RADIUS HWTACACS
Configuration.
1.2.2 Configuring 802.1x Globally
Follow these steps to configure 802.1x globally:
Enter system view
  Command: system-view
  Remarks: —

Enable 802.1x globally
  Command: dot1x
  Remarks: Required. Disabled by default.

Set the authentication method
  Command: dot1x authentication-method { chap | eap | pap }
  Remarks: Optional. CHAP by default.

Set the port access control parameters:

  Set the port access control mode for specified or all ports
    Command: dot1x port-control { authorized-force | auto | unauthorized-force }
             [ interface interface-list ]
    Remarks: Optional. auto by default.

  Set the port access control method for specified or all ports
    Command: dot1x port-method { macbased | portbased } [ interface interface-list ]
    Remarks: Optional. macbased by default.

  Set the maximum number of users for specified or all ports
    Command: dot1x max-user user-number [ interface interface-list ]
    Remarks: Optional. By default, the maximum number of concurrent users
             accessing a port is 256.

Set the maximum number of attempts to send an authentication request to a supplicant
  Command: dot1x retry max-retry-value
  Remarks: Optional. 2 by default.

Set timers
  Command: dot1x timer { handshake-period handshake-period-value |
           quiet-period quiet-period-value | server-timeout server-timeout-value |
           supp-timeout supp-timeout-value | tx-period tx-period-value }
  Remarks: Optional. The defaults are as follows: 15 seconds for the handshake
           timer, 60 seconds for the quiet timer, 100 seconds for the server timeout
           timer, 30 seconds for the supplicant timeout timer, and 30 seconds for the
           username request timeout timer.

Enable the quiet timer
  Command: dot1x quiet-period
  Remarks: Optional. Disabled by default.
Note that:
- For 802.1x to take effect on a port, you must enable it both globally in system view and for the port, either in system view or in Ethernet interface view.
- You can also enable 802.1x and set the port access control parameters (the port access control mode, the port access control method, and the maximum number of users) for a port in Ethernet interface view; refer to Configuring 802.1x for a Port. The only difference between configuring 802.1x globally and configuring it for a port is the scope. If both a global setting and a port setting exist for the same parameter of a port, the one configured last takes effect.
- Generally, there is no need to change the 802.1x timers except in special or extreme network environments.
1.2.3 Configuring 802.1x for a Port
I. Enabling 802.1x for a port
Follow these steps to enable 802.1x for a port (use either approach; 802.1x is disabled on a port by default):
- Enter system view: system-view
- Enable 802.1x for one or more ports in system view: dot1x interface interface-list (required)
- Or enable 802.1x in Ethernet interface view: interface interface-type interface-number, then dot1x (required)
II. Configuring 802.1x parameters for a port
Follow these steps to configure 802.1x parameters for a port (command, then remarks in parentheses):
- Enter system view: system-view
- Enter Ethernet interface view: interface interface-type interface-number
- Set the port access control mode for the port: dot1x port-control { authorized-force | auto | unauthorized-force } (optional; auto by default)
- Set the port access control method for the port: dot1x port-method { macbased | portbased } (optional; macbased by default)
- Set the maximum number of users for the port: dot1x max-user user-number (optional; by default at most 256 concurrent users can access a port)
- Enable online user handshake: dot1x handshake (optional; enabled by default)
- Enable multicast trigger: dot1x multicast-trigger (optional; enabled by default)
Note that:
- You can neither add an 802.1x-enabled port to an aggregation group nor enable 802.1x on a port that is a member of an aggregation group.
- Once the 802.1x multicast trigger function is enabled, a port periodically sends multicast trigger messages to the client to initiate authentication.
- For a user-side device sending untagged traffic, the voice VLAN function and 802.1x are mutually exclusive and cannot be configured together on the same port. For details about voice VLAN, refer to VLAN Configuration.
- In EAP relay authentication mode, the authenticator encapsulates the 802.1x user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication. In this case, you can configure the user-name-format command, but it does not take effect. For information about the user-name-format command, refer to AAA RADIUS HWTACACS Commands.
- If the username of a supplicant contains the version number or one or more blank spaces, you can neither retrieve information about the supplicant nor disconnect it by username. You can still do so by other items such as the IP address or the connection index number.
1.3 Configuring a Guest VLAN
1.3.1 Configuration Prerequisites
- Enable 802.1x
- Set the port access control method to portbased for the port
- Set the port access control mode to auto for the port
- Create the VLAN to be specified as the guest VLAN
1.3.2 Configuration Procedure
Follow these steps to configure a guest VLAN (by default, a port is configured with no guest VLAN):
- Enter system view: system-view
- Configure the guest VLAN for specified or all ports: dot1x guest-vlan vlan-id [ interface interface-list ] (required)
- Or configure it in Ethernet interface view: interface interface-type interface-number, then dot1x guest-vlan vlan-id (required)
Note:
- You can specify a tagged VLAN as the guest VLAN for a Hybrid port, but the guest VLAN does not take effect. Similarly, if a guest VLAN for a Hybrid port is in operation, you cannot configure the guest VLAN to carry tags.
- Configurations in system view apply to all ports, while configurations in interface view apply to the current port only.
- If a port's access control method is portbased, its guest VLAN can take effect; if a port's access control method is macbased, its guest VLAN can be configured but does not take effect.
- A port can be configured with only one guest VLAN, but different ports can have different guest VLANs.
Caution:
If the data flows from a user-side device carry VLAN tags and both 802.1x and a guest VLAN are enabled on the access port, it is recommended to configure different VLAN IDs for the voice VLAN, the default port VLAN, and the 802.1x guest VLAN.
1.4 Displaying and Maintaining 802.1x
- Display 802.1x session information, statistics, or configuration information of specified or all ports: display dot1x [ sessions | statistics ] [ interface interface-list ] (available in any view)
- Clear 802.1x statistics: reset dot1x statistics [ interface interface-list ] (available in user view)
1.5 802.1x Configuration Example
I. Network requirements
- The access control method on the port must be macbased.
- All supplicants belong to the default domain aabbcc.net, which can accommodate up to 30 users. RADIUS authentication is tried first, and local authentication is used when no response is received from the RADIUS server. If RADIUS accounting fails, the authenticator logs the users off.
- A server group with two RADIUS servers is connected to the switch. The IP addresses of the servers are 10.1.1.1 and 10.1.1.2. Use the former as the primary authentication/secondary accounting server, and the latter as the secondary authentication/primary accounting server.
- Set the shared key the switch uses to exchange packets with the authentication server and the accounting server to secret.
- Specify that the switch tries up to five times, at an interval of 5 seconds, to transmit a packet to the RADIUS server until it receives a response, and that it sends real-time accounting packets to the accounting server every 15 minutes.
- Specify that the switch removes the domain name from the username before passing the username to the RADIUS server.
- Set the username of the 802.1x user to localuser and the password to localpass, stored in plain text. Enable the idle cut function to log the user off whenever the user remains idle for more than 20 minutes.
II. Network diagram
Figure 1-10 Network diagram for 802.1x configuration
III. Configuration procedure
Note:
The following configuration procedure covers most AAA/RADIUS configuration
commands for the authenticator, while configuration on the supplicant and RADIUS
server are omitted. For information about AAA/RADIUS configuration commands, refer
to AAA RADIUS HWTACACS Configuration.
# Configure the IP addresses for each interface. (Omitted)
# Add local access user localuser, enable the idle cut function, and set the idle cut
interval.
<Sysname> system-view
[Sysname] local-user localuser
[Sysname-luser-localuser] service-type lan-access
[Sysname-luser-localuser] password simple localpass
[Sysname-luser-localuser] attribute idle-cut 20
[Sysname-luser-localuser] quit
# Create RADIUS scheme radius1 and enter its view.
[Sysname] radius scheme radius1
# Configure the IP addresses of the primary authentication and accounting RADIUS
servers.
[Sysname-radius-radius1] primary authentication 10.1.1.1
[Sysname-radius-radius1] primary accounting 10.1.1.2
# Configure the IP addresses of the secondary authentication and accounting RADIUS
servers.
[Sysname-radius-radius1] secondary authentication 10.1.1.2
[Sysname-radius-radius1] secondary accounting 10.1.1.1
# Specify the shared key for the device to exchange packets with the authentication
server and the accounting server.
[Sysname-radius-radius1] key authentication secret
[Sysname-radius-radius1] key accounting secret
# Set the interval for the device to retransmit packets to the RADIUS server and the
maximum number of transmission attempts.
[Sysname-radius-radius1] timer response-timeout 5
[Sysname-radius-radius1] retry 5
# Set the interval for the device to send real time accounting packets to the RADIUS
server.
[Sysname-radius-radius1] timer realtime-accounting 15
# Specify the device to remove the domain name of any username before passing the
username to the RADIUS server.
[Sysname-radius-radius1] user-name-format without-domain
[Sysname-radius-radius1] quit
# Create domain aabbcc.net and enter its view.
[Sysname] domain aabbcc.net
# Set radius1 as the RADIUS scheme for users of the domain and specify to use local
authentication as the secondary scheme.
[Sysname-isp-aabbcc.net] authentication default radius-scheme radius1 local
[Sysname-isp-aabbcc.net] authorization default radius-scheme radius1 local
[Sysname-isp-aabbcc.net] accounting default radius-scheme radius1 local
# Set the maximum number of users for the domain as 30.
[Sysname-isp-aabbcc.net] access-limit enable 30
# Enable the idle cut function and set the idle cut interval.
[Sysname-isp-aabbcc.net] idle-cut enable 20
[Sysname-isp-aabbcc.net] quit
# Configure aabbcc.net as the default domain.
[Sysname] domain default enable aabbcc.net
# Enable 802.1x globally.
[Sysname] dot1x
# Enable 802.1x for port GigabitEthernet 1/0/1.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dot1x
[Sysname-GigabitEthernet1/0/1] quit
# Set the port access control method. (Optional: the default, macbased, already meets the requirement.)
[Sysname] dot1x port-method macbased interface GigabitEthernet 1/0/1
1.6 Guest VLAN Configuration Example
I. Network requirements
As shown in Figure 1-11:
- A host is connected to port GigabitEthernet 1/0/1 of the switch and must pass 802.1x authentication to access the Internet.
- The authentication server runs RADIUS and is in VLAN 2.
- The update server, which is in VLAN 10, is used for client software download and upgrade.
- Port GigabitEthernet 1/0/2 of the switch, which is in VLAN 5, is used for accessing the Internet.
As shown in Figure 1-12:
- On port GigabitEthernet 1/0/1, enable 802.1x and set VLAN 10 as the guest VLAN.
As shown in Figure 1-13:
- Authenticated supplicants are assigned to VLAN 5 and permitted to access the Internet.
II. Network diagrams
Figure 1-11 Network diagram for guest VLAN configuration (supplicant on GE1/0/1 in VLAN 1; update server on GE1/0/4 in VLAN 10; authentication server on GE1/0/3 in VLAN 2; Internet via GE1/0/2 in VLAN 5)
Figure 1-12 Network diagram with VLAN 10 as the guest VLAN (GE1/0/1 is in guest VLAN 10 together with the supplicant, which can reach the update server in VLAN 10)
Figure 1-13 Network diagram when the supplicant passes authentication (GE1/0/1 and the supplicant are assigned to VLAN 5, the VLAN of the Internet-facing port GE1/0/2)
III. Configuration procedure
# Configure RADIUS scheme 2000.
<Sysname> system-view
[Sysname] radius scheme 2000
[Sysname-radius-2000] primary authentication 10.11.1.1 1812
[Sysname-radius-2000] primary accounting 10.11.1.1 1813
[Sysname-radius-2000] key authentication abc
[Sysname-radius-2000] key accounting abc
[Sysname-radius-2000] user-name-format without-domain
[Sysname-radius-2000] quit
# Configure domain system and specify to use RADIUS scheme 2000 for users of the
domain.
[Sysname] domain system
[Sysname-isp-system] authentication default radius-scheme 2000
[Sysname-isp-system] authorization default radius-scheme 2000
[Sysname-isp-system] accounting default radius-scheme 2000
[Sysname-isp-system] quit
# Enable 802.1x globally.
[Sysname] dot1x
# Enable 802.1x for port GigabitEthernet 1/0/1.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dot1x
# Set the port access control method to portbased.
[Sysname-GigabitEthernet1/0/1] dot1x port-method portbased
# Set the port access control mode to auto.
[Sysname-GigabitEthernet1/0/1] dot1x port-control auto
[Sysname-GigabitEthernet1/0/1] quit
# Create VLAN 10.
[Sysname] vlan 10
[Sysname-vlan10] quit
# Specify port GigabitEthernet 1/0/1 to use VLAN 10 as its guest VLAN.
[Sysname] dot1x guest-vlan 10 interface GigabitEthernet 1/0/1
You can use the display current-configuration or display interface GigabitEthernet 1/0/1 command to view your configuration. You can also use the display vlan 10 command in the following cases to verify whether the configured guest VLAN functions:
- when no user has logged in,
- when a user fails authentication, and
- when a user goes offline.
1.7 ACL Assignment Configuration Example
I. Network requirements
As shown in Figure 1-14, a host is connected to port GigabitEthernet1/0/1 of the device
and must pass 802.1x authentication to access the Internet.
- Configure the RADIUS server to assign ACL 3000.
- Enable 802.1x authentication on GigabitEthernet1/0/1 of the device, and configure ACL 3000.
After the host passes 802.1x authentication, the RADIUS server assigns ACL 3000 to
GigabitEthernet1/0/1. As a result, the host can access the Internet but cannot access
the FTP server, whose IP address is 10.0.0.1.
II. Network diagram
Figure 1-14 Network diagram for ACL assignment
III. Configuration procedure
# Configure the IP addresses of the interfaces. (Omitted)
# Configure the RADIUS scheme.
<Sysname> system-view
[Sysname] radius scheme 2000
[Sysname-radius-2000] primary authentication 10.1.1.1 1812
[Sysname-radius-2000] primary accounting 10.1.1.2 1813
[Sysname-radius-2000] key authentication abc
[Sysname-radius-2000] key accounting abc
[Sysname-radius-2000] user-name-format without-domain
[Sysname-radius-2000] quit
# Create an ISP domain and specify the AAA schemes.
[Sysname] domain 2000
[Sysname-isp-2000] authentication default radius-scheme 2000
[Sysname-isp-2000] authorization default radius-scheme 2000
[Sysname-isp-2000] accounting default radius-scheme 2000
[Sysname-isp-2000] quit
# Configure ACL 3000 to deny packets destined for 10.0.0.1.
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Sysname-acl-adv-3000] quit
# Enable 802.1x globally.
[Sysname] dot1x
# Enable 802.1x for GigabitEthernet1/0/1.
[Sysname] interface GigabitEthernet1/0/1
[Sysname-GigabitEthernet1/0/1] dot1x
After logging in successfully, a user can use the ping command to verify whether the
ACL 3000 assigned by the RADIUS server functions.
[Sysname] ping 10.0.0.1
PING 10.0.0.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.0.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
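The ACL number and the authorized VLAN reach the switch as attributes of the RADIUS Access-Accept, and the only thing that stops a forged Access-Accept from granting access is the Response Authenticator computed over the shared key (abc in the examples above). The following Python program is an added example, not H3C code; it shows both sides of that exchange: the server side packs the authorization attributes and computes the digest, and the authenticator (switch) side recomputes the digest and refuses to apply any attribute when it does not match. Attribute numbers come from RFC 2865, RFC 2868 and RFC 3580. That the switch reads the ACL number from the Filter-Id attribute is an assumption of this example, and the Request Authenticator is constructed here instead of being taken from a real Access-Request.

```python
"""RADIUS Access-Accept with ACL and VLAN authorization, plus the check the
authenticator must perform before honouring it.  Added example, not H3C code."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11                 # RFC 2865 Filter-Id (string); ACL number here (assumption)
TUNNEL_TYPE = 64               # RFC 2868 tagged integer, 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868 tagged integer, 6 = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868/3580 tagged string holding the VLAN ID


def _attr(atype, value):
    """One Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def _tagged_int(atype, value, tag=0):
    """RFC 2868 tagged integer: one tag byte (0 = unused) and a 3-byte value."""
    return _attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def authorization_attributes(acl_number=None, vlan_id=None):
    """Attributes a server adds to Access-Accept to assign an ACL and/or a VLAN."""
    attrs = b""
    if acl_number is not None:
        attrs += _attr(FILTER_ID, str(acl_number).encode())
    if vlan_id is not None:
        attrs += _tagged_int(TUNNEL_TYPE, 13)
        attrs += _tagged_int(TUNNEL_MEDIUM_TYPE, 6)
        attrs += _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode())
    return attrs


def response_authenticator(code, ident, length, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(secret, request_auth, ident, attrs):
    """Server side: 4-byte header, 16-byte Response Authenticator, attributes."""
    length = 20 + len(attrs)
    auth = response_authenticator(ACCESS_ACCEPT, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, length) + auth + attrs


def verify_response(secret, request_auth, packet):
    """Authenticator side: accept the reply only if the digest matches the Request
    Authenticator it sent and the shared key it holds (constant-time compare)."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, length, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Walk the TLVs after the 20-byte header; returns {type: [raw values]}."""
    out, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("bad attribute length")
        out.setdefault(atype, []).append(packet[i + 2:i + alen])
        i += alen
    return out


def authorized_acl_and_vlan(packet):
    """What the switch would apply: (ACL number or None, VLAN ID or None)."""
    attrs = parse_attributes(packet)
    acl = attrs[FILTER_ID][0].decode() if FILTER_ID in attrs else None
    vlan = None
    if TUNNEL_PRIVATE_GROUP_ID in attrs:
        raw = attrs[TUNNEL_PRIVATE_GROUP_ID][0]
        vlan = (raw[1:] if raw[:1] <= b"\x1f" else raw).decode()  # drop RFC 2868 tag byte
    return acl, vlan


if __name__ == "__main__":
    secret = b"abc"                # shared key from the examples above
    request_auth = os.urandom(16)  # stands in for the Request Authenticator the switch sent
    reply = build_access_accept(secret, request_auth, 7, authorization_attributes(3000, 5))
    print(verify_response(secret, request_auth, reply), authorized_acl_and_vlan(reply))
    forged = build_access_accept(b"guess", request_auth, 7, authorization_attributes(3000, 5))
    print(verify_response(secret, request_auth, forged))
```

The digest is a plain MD5 over the secret rather than a keyed MAC, so the shared key is the whole defense against a spoofed Access-Accept: keys like secret and abc are fine for a manual but should be long and random on a real network, and the server should only be reachable from the switch over the VLAN reserved for it (VLAN 2 in the guest VLAN example).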
Chapter 2 EAD Fast Deployment Configuration
When configuring EAD fast deployment, go to these sections for the information you are interested in:
- EAD Fast Deployment Overview
- Configuring EAD Fast Deployment
- Displaying and Maintaining EAD Fast Deployment
- EAD Fast Deployment Configuration Example
- Troubleshooting EAD Fast Deployment
2.1 EAD Fast Deployment Overview
As an integrated security scheme, an endpoint admission defense (EAD) scheme can improve the overall defense capability of a network. However, deploying EAD clients to every host involves a lot of work. To reduce it, you can use 802.1x functions to implement fast deployment of the EAD scheme.
To support fast deployment of EAD schemes, 802.1x provides the following two mechanisms:
1) Limit on accessible network resources. Before successful 802.1x authentication, a user can access only specific IP segments, each of which may contain one or more servers. Users can download the EAD client software or obtain a dynamic IP address from these servers.
2) IE URL redirection. Before successful 802.1x authentication, a user who accesses the network with IE is automatically redirected to a specified URL, for example, the EAD client software download page.
Together, these two functions bring all 802.1x users accessing the network to a specified server to download and install the EAD client software, thus easing the deployment of an EAD scheme.
2.2 Configuring EAD Fast Deployment
2.2.1 Configuration Prerequisites
- Enable 802.1x globally
- Enable 802.1x on the specified port, and set the access control mode to auto.
2.2.2 Configuration Procedure
I. Configuring a freely accessible network segment
A freely accessible network segment, also called a free IP, is a network segment that
users can access before passing 802.1x authentication.
Once a free IP is configured, the fast deployment of EAD is enabled.
Follow these steps to configure a freely accessible network segment (no freely accessible network segment is configured by default):
- Enter system view: system-view
- Configure a freely accessible network segment: dot1x free-ip ip-address { mask-address | mask-length } (required)
Note:
- Currently, MAC authentication and port security cannot work together with EAD fast deployment. Once MAC authentication or port security is enabled globally, EAD fast deployment is disabled automatically.
- If no freely accessible network segment is configured, a user cannot obtain a dynamic IP address before passing 802.1x authentication. To solve this, configure a freely accessible network segment that covers the network segment of the DHCP server.
II. Configuring the IE redirect URL
Follow these steps to configure the IE redirect URL (no redirect URL is configured by default):
- Enter system view: system-view
- Configure the IE redirect URL: dot1x url url-string (required)
Note:
The redirect URL and the freely accessible network segment must belong to the same network segment. Otherwise, the specified URL is inaccessible to users who have not yet authenticated.
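Several constraints stated in this chapter are accepted silently by the switch and only show up as a port that never does what was intended: a guest VLAN only takes effect with port-method portbased and port-control auto (sections 1.3.1 and 1.3.2), the voice VLAN, default port VLAN and guest VLAN should differ (the caution in section 1.3), 802.1x must be enabled globally as well as on the port (section 1.2.2), and the redirect URL must lie inside a free IP segment (the note above). The following Python program is an added example, not H3C code: it reads a Comware-style running configuration and reports settings that violate those rules. The sample configuration is constructed for the example; the voice vlan ... enable, port hybrid pvid vlan and port access vlan spellings it parses are assumed.

```python
"""Static checks for the 802.1x guest VLAN and EAD free-ip/url constraints
stated in this chapter.  Added example, not H3C code."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: GE1/0/1 carries the mistakes the chapter warns about,
# GE1/0/2 is configured as in the guest VLAN example, and the redirect URL
# points outside the free-ip segment.
SAMPLE_CONFIG = """\
dot1x
dot1x free-ip 192.168.1.0 24
dot1x url http://192.168.2.3
#
interface GigabitEthernet1/0/1
 port hybrid pvid vlan 1
 voice vlan 10 enable
 dot1x
 dot1x guest-vlan 10
#
interface GigabitEthernet1/0/2
 port hybrid pvid vlan 1
 dot1x
 dot1x port-method portbased
 dot1x port-control auto
 dot1x guest-vlan 10
"""


def parse_config(text):
    """Split system-view lines from indented per-interface lines; '#' ends a block."""
    system, ifaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":
            current = None
            continue
        if line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            ifaces.setdefault(current, [])
        else:
            current = None
            system.append(line.strip())
    return system, ifaces


def ead_findings(system):
    """The redirect URL must lie inside a free-ip segment (section 2.2.2 note)."""
    words = [line.split() for line in system]
    nets = [ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False)
            for p in words if p[:2] == ["dot1x", "free-ip"] and len(p) == 4]
    out = []
    for p in words:
        if p[:2] != ["dot1x", "url"] or len(p) < 3:
            continue
        host = urlsplit(p[2]).hostname
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            out.append(f"global: redirect URL host {host!r} is not an IP literal; cannot check it against free-ip")
            continue
        if not any(addr in n for n in nets):
            out.append(f"global: redirect URL {p[2]} is outside every free-ip segment; unreachable before authentication")
    return out


def port_findings(name, lines):
    """Guest VLAN and voice VLAN rules from sections 1.2.3 and 1.3."""
    cfg = {"dot1x": False, "method": "macbased", "control": "auto",  # chapter defaults
           "guest": None, "voice": None, "pvid": 1}
    for line in lines:
        p = line.split()
        if line == "dot1x":
            cfg["dot1x"] = True
        elif p[:2] == ["dot1x", "port-method"]:
            cfg["method"] = p[2]
        elif p[:2] == ["dot1x", "port-control"]:
            cfg["control"] = p[2]
        elif p[:2] == ["dot1x", "guest-vlan"]:
            cfg["guest"] = int(p[2])
        elif p[:2] == ["voice", "vlan"] and p[-1] == "enable":
            cfg["voice"] = int(p[2])
        elif p[:3] == ["port", "access", "vlan"] or "pvid" in p:
            cfg["pvid"] = int(p[-1])
    out = []
    if not cfg["dot1x"]:
        return out
    if cfg["guest"] is not None:
        if cfg["method"] != "portbased":
            out.append(f"{name}: guest VLAN {cfg['guest']} with port-method {cfg['method']}; accepted but does not take effect (portbased required)")
        if cfg["control"] != "auto":
            out.append(f"{name}: guest VLAN requires port-control auto, found {cfg['control']}")
    if cfg["voice"] is not None:
        ids = [cfg["voice"], cfg["pvid"]] + ([cfg["guest"]] if cfg["guest"] is not None else [])
        if len(set(ids)) < len(ids):
            out.append(f"{name}: voice VLAN, default port VLAN and guest VLAN are not distinct: {ids}")
    return out


def lint_dot1x(text):
    """Return 'where: problem' strings; an empty list means nothing to report."""
    system, ifaces = parse_config(text)
    findings = [] if "dot1x" in system else ["global: dot1x is not enabled in system view; per-port dot1x has no effect"]
    findings += ead_findings(system)
    for name, lines in ifaces.items():
        findings += port_findings(name, lines)
    return findings


if __name__ == "__main__":
    for finding in lint_dot1x(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of display current-configuration; the defaults in port_findings are the ones this chapter states (macbased, auto, 256 users are not checked), so a port with a guest VLAN but no explicit dot1x port-method line is reported, which is the case the note in section 1.3.2 describes.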
III. Setting the EAD rule timeout time
With the EAD fast deployment function, a user is authorized by an EAD rule (generally an ACL rule) to access the freely accessible network segment before passing authentication. After successful authentication, the occupied ACL is released. If a large number of users access the freely accessible network segment but fail authentication, the ACLs will soon be used up and new users will be rejected.
The EAD rule timeout timer is designed to solve this problem. When a user accesses the network, this timer is started. If the user neither downloads the client software nor performs authentication before the timer expires, the occupied ACL is released so that other users can use it. When there are a large number of users, you can shorten the timeout time to improve ACL usage efficiency.
Follow these steps to set the EAD rule timeout time:
- Enter system view: system-view
- Set the EAD rule timeout time: dot1x timer ead-timeout ead-timeout-value (optional; 30 minutes by default)
2.3 Displaying and Maintaining EAD Fast Deployment
- Display 802.1x session information, statistics, or configuration information: display dot1x [ sessions | statistics ] [ interface interface-list ] (available in any view)
2.4 EAD Fast Deployment Configuration Example
I. Network requirements
As shown in Figure 2-1, the host is connected to the Switch, and the Switch is connected to the freely accessible network segment and to the outside network.
It is required that:
- Before successful 802.1x authentication, a host using IE to access the outside network is redirected to the WEB server, from which it can download and install the 802.1x client software.
- After successful 802.1x authentication, the host can access the outside network.
II. Network diagram
Figure 2-1 Network diagram for EAD fast deployment (Host and Switch GE1/0/1 on the free IP segment 192.168.1.0/24 together with the WEB server at 192.168.1.3/24; the other addresses shown are 192.168.1.1/24 and 192.168.1.10/24; the Switch also connects to the Internet)
III. Configuration procedure
1) Configure the WEB server
Before using the EAD fast deployment function, you need to configure the WEB server to provide the download service for the 802.1x client software.
2) Configure the Switch to support EAD fast deployment
# Configure the IP addresses of the interfaces (omitted).
# Configure the free IP.
<Sysname> system-view
[Sysname] dot1x free-ip 192.168.1.0 24
# Configure the redirect URL for client software download.
[Sysname] dot1x url http://192.168.1.3
# Enable 802.1x globally.
[Sysname] dot1x
# Enable 802.1x on the port.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dot1x
3) Verify your configuration
# Use the ping command to ping an IP address within the network segment specified by the free IP to check that the user can access that segment before passing 802.1x authentication.
C:\>ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.1.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
In addition, if the user uses IE to access any external website, the user is taken to the WEB server, which provides the client software download service.
2.5 Troubleshooting EAD Fast Deployment
2.5.1 Users Cannot Be Redirected Correctly
Symptom: When a user enters an external website address in the IE browser, the user is not redirected to the specified URL.
Analysis:
- The address was entered as a name rather than a dotted-decimal IP address. In this case, the operating system of the host treats the string as a website name and tries to resolve it; if resolution fails, it sends an ARP request for the address in a form other than X.X.X.X, and the redirection function does not act on this kind of request.
- The address is within the freely accessible network segment. In this case, the Switch regards the user as trying to reach a host in the freely accessible network segment, and redirection does not take place, even if no host with that address is present.
- The redirect URL is not in the freely accessible network segment, no server is present at that URL, or the server at that URL does not provide WEB services.
Solution:
- Enter an IP address that is not within the freely accessible network segment, in dotted decimal notation (X.X.X.X).
- Ensure that the Switch and the server are configured correctly.
Chapter 3 HABP Configuration
When configuring HABP, go to these sections for the information you are interested in:
- Introduction to HABP
- Configuring HABP
- Displaying and Maintaining HABP
3.1 Introduction to HABP
When a switch is configured with the 802.1x function, 802.1x will authenticate and
authorize 802.1x-enabled ports and allow only the authorized ports to forward packets.
If a port fails 802.1x authentication and authorization, protocol packets passing the port
will be blocked. The Huawei Authentication Bypass Protocol (HABP) aims at solving
this problem.
On an HABP-capable switch, HABP packets can bypass 802.1x authentication and
MAC authentication, allowing communication among switches.
HABP is built on the client-server model. Typically, the HABP server sends HABP
requests to the client periodically to collect the MAC address(es) of the attached
switch(es). The client responds to the requests, and forwards the HABP requests to the
attached switch(es). The HABP server usually runs on the administrative device while
the HABP client runs on the attached switches.
3.2 Configuring HABP
Complete the following tasks to configure HABP:
- Configuring the HABP Server
- Configuring an HABP Client
3.2.1 Configuring the HABP Server
With the HABP server enabled, the administrative device starts to send HABP requests to the attached switch(es). The HABP responses carry the MAC address(es) of the attached switch(es), which makes it possible for the administrative device to manage them.
On the administrative device you only need to configure the interval for sending HABP requests.
Follow these steps to configure an HABP server:
- Enter system view: system-view
- Enable HABP: habp enable (optional; enabled by default)
- Configure HABP to work in server mode: habp server vlan vlan-id (required; HABP works in client mode by default)
- Set the interval to send HABP requests: habp timer interval (optional; 20 seconds by default)
3.2.2 Configuring an HABP Client
Configure HABP to work in client mode on a device connected to the administrative
device. Since HABP is enabled and works in client mode by default, this configuration
task is optional.
Follow these steps to configure an HABP client:
- Enter system view: system-view
- Enable HABP: habp enable (optional; enabled by default)
- Configure HABP to work in client mode: undo habp server (optional; HABP works in client mode by default)
3.3 Displaying and Maintaining HABP
- Display HABP configuration information: display habp (available in any view)
- Display HABP MAC address table entries: display habp table (available in any view)
- Display HABP packet statistics: display habp traffic (available in any view)
Chapter 4 MAC Authentication Configuration
When configuring MAC authentication, go to these sections for the information you are interested in:
- MAC Authentication Overview
- Related Concepts
- Configuring MAC Authentication
- Displaying and Maintaining MAC Authentication
- MAC Authentication Configuration Examples
- ACL Assigning Configuration Example
4.1 MAC Authentication Overview
MAC authentication provides a way of authenticating users based on ports and MAC addresses, without requiring any client software on the hosts. Once the device detects a new MAC address on a port, it initiates the authentication process without asking the user for a username or password.
Currently, the device supports two MAC authentication modes:
- Remote Authentication Dial-In User Service (RADIUS) based MAC authentication
- Local MAC authentication
For detailed information about RADIUS authentication and local authentication, refer to AAA RADIUS HWTACACS Configuration.
After determining the authentication mode to be used, you can choose the type of MAC authentication username:
- MAC address, where the MAC address of a user serves as both the username and the password.
- Fixed username, where all users use the same preconfigured username and password for authentication, regardless of their MAC addresses.
4.1.1 RADIUS-Based MAC Authentication
In RADIUS-based MAC authentication, the device serves as a RADIUS client and requires a RADIUS server to cooperate with it.
- If the type of MAC authentication username is MAC address, the device forwards a detected MAC address as both the username and the password to the RADIUS server for authentication of the user.
- If the type of MAC authentication username is fixed username, the device sends the same locally configured username and password to the RADIUS server for authentication of each user.
If the authentication succeeds, the user will be granted permission to access the
network resources.
4.1.2 Local MAC Authentication
In local MAC authentication, the device authenticates users locally, and different items need to be configured manually for users on the device according to the type of MAC authentication username:
- If the type of MAC authentication username is MAC address, a local user must be configured for each user on the device, using the MAC address of the user as both the username and the password.
- If the type of MAC authentication username is fixed username, a single username and optionally a single password are required for the device to authenticate all users.
4.2 Related Concepts
4.2.1 MAC Authentication Timers
The following timers function in the process of MAC authentication:
- Offline detect timer: at this interval, the device checks whether an online user has gone offline. Once it detects that a user has gone offline, the device sends a stop-accounting notice to the RADIUS server.
- Quiet timer: whenever a user fails MAC authentication, the device does not initiate any MAC authentication of that user for this period.
- Server timeout timer: during authentication of a user, if the device receives no response from the RADIUS server within this period, it assumes that its connection to the RADIUS server has timed out and forbids the user from accessing the network.
4.2.2 Quiet MAC Address
When a user fails MAC authentication, its MAC address becomes a quiet MAC address: the device simply discards any packets from that MAC address until the quiet timer expires. This prevents the device from repeatedly authenticating invalid users within a short time.
Caution:
If a quiet MAC address is the same as a configured static MAC address or a MAC address that has passed authentication, the quiet function does not take effect for it.
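To make the interplay of the offline detect timer, the quiet timer and the caution above concrete, here is an added Python simulation that is not the device's own implementation: it models one port's online table and quiet MAC table using the manual's default timer values, the authenticate callback stands in for the RADIUS server or local user database, the server timeout timer is not modelled, and accounting is reduced to an event list.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Added example, not the device's code: one port's MAC authentication state with
# the offline detect timer and quiet timer at the manual's default values (seconds).
OFFLINE_DETECT, QUIET = 300, 60

@dataclass
class MacAuthPort:
    # Stand-in for the RADIUS server or local user database: mac -> passed?
    authenticate: Callable[[str], bool]
    static_macs: Set[str] = field(default_factory=set)        # configured static MACs
    online: Dict[str, float] = field(default_factory=dict)    # mac -> last traffic time
    quiet: Dict[str, float] = field(default_factory=dict)     # mac -> quiet period end
    events: List[Tuple[str, str]] = field(default_factory=list)  # accounting notices

    def handle_frame(self, mac: str, now: float) -> str:
        """Return 'forward' or 'discard' for a frame from mac arriving at time now."""
        self.expire(now)
        if mac in self.online:                 # authentication-passed MAC: no re-auth
            self.online[mac] = now
            return "forward"
        if mac in self.quiet:                  # quiet MAC: dropped, no new attempt
            return "discard"
        if self.authenticate(mac):
            self.online[mac] = now
            return "forward"
        # Failed: quiet the MAC unless it is a configured static MAC (see Caution)
        if mac not in self.static_macs:
            self.quiet[mac] = now + QUIET
        return "discard"

    def expire(self, now: float) -> None:
        """Offline detect: drop users idle for OFFLINE_DETECT and send stop accounting;
        also release quiet MACs whose quiet timer has expired (checked per frame here,
        whereas the device checks at the timer interval)."""
        for mac, last in list(self.online.items()):
            if now - last >= OFFLINE_DETECT:
                del self.online[mac]
                self.events.append(("stop-accounting", mac))
        self.quiet = {m: end for m, end in self.quiet.items() if end > now}
```

Watching the quiet table on a real switch (display mac-authentication, "Silent Mac User info") is the quickest way to spot a flood of unknown MACs failing authentication on a port.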
4.2.3 VLAN Assigning
A common way to separate users from restricted network resources is to put the users and the restricted resources into different VLANs. After a user passes identity authentication, the authorization server assigns the VLAN where the restricted resources reside as the authorized VLAN, and the port to which the user is connected becomes a member of that authorized VLAN. As a result, the user can access the restricted network resources.
4.2.4 ACL Assigning
ACLs assigned by an authorization server are referred to as authorization ACLs; they control access to network resources at a very fine granularity. When a user logs in, if the RADIUS server is configured with authorization ACLs, the device permits or denies the data flows traversing the port through which the user accesses the device, according to the authorization ACLs assigned by the RADIUS server. You can change the access rights of users by modifying the authorization ACL settings on the RADIUS server.
4.3 Configuring MAC Authentication
4.3.1 Configuration Prerequisites
• Create and configure an ISP domain.
• For local authentication, create the local users and configure the passwords.
• For RADIUS authentication, ensure that a route is available between the device and the RADIUS server.
Caution:
For local authentication:
• The type of username and password of a local user must be consistent with that used for MAC authentication.
• All the letters in the MAC address to be used as the username and password of a local user must be in lower case.
• The service type of the local user must be configured as lan-access.
4.3.2 Configuration Procedure
Follow these steps to configure MAC authentication:

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enable MAC authentication globally
Use the command: mac-authentication
Remarks: Required. Disabled by default.

To do: Enable MAC authentication for specified ports
Use the command: in system view, mac-authentication interface interface-list; or, in interface view, interface interface-type interface-number, then mac-authentication, then quit
Remarks: Required. Disabled by default.

To do: Specify the ISP domain for MAC authentication
Use the command: mac-authentication domain isp-name
Remarks: Optional. The default ISP domain (system) is used by default.

To do: Set the offline detect timer
Use the command: mac-authentication timer offline-detect offline-detect-value
Remarks: Optional. 300 seconds by default.

To do: Set the quiet timer
Use the command: mac-authentication timer quiet quiet-value
Remarks: Optional. 60 seconds by default.

To do: Set the server timeout timer
Use the command: mac-authentication timer server-timeout server-timeout-value
Remarks: Optional. 100 seconds by default.

To do: Configure the username and password for MAC authentication
Use the command: mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ with-hyphen | without-hyphen ] }
Remarks: Optional. By default, the user's source MAC address serves as the username and password, and the MAC address does not contain the hyphen "-".
Note:
• You can configure MAC authentication for various ports in advance. The configuration, however, takes effect only after MAC authentication is enabled globally.
• You can neither add a MAC authentication enabled port into an aggregation group, nor enable MAC authentication on a port that has been added into an aggregation group.
4.4 Displaying and Maintaining MAC Authentication
To do: Display the global MAC authentication information or the MAC authentication information about specified ports
Use the command: display mac-authentication [ interface interface-list ]
Remarks: Available in any view

To do: Clear the MAC authentication statistics
Use the command: reset mac-authentication statistics [ interface interface-list ]
Remarks: Available in user view
4.5 MAC Authentication Configuration Examples
4.5.1 Local MAC Authentication Configuration Example
I. Network requirements
As illustrated in Figure 4-1, a supplicant is connected to the device through port GigabitEthernet 1/0/1.
• Local MAC authentication is required on every port to control user access to the Internet.
• All users belong to domain aabbcc.net.
• A local user uses aaa as the username and 123456 as the password for authentication.
• Set the offline detect timer to 180 seconds and the quiet timer to 3 minutes.
II. Network Diagram
Figure 4-1 Network diagram for local MAC authentication
III. Configuration Procedure
1) Configure MAC authentication on the switch.
# Add a local user.
<Sysname> system-view
[Sysname] local-user aaa
[Sysname-luser-aaa] password simple 123456
[Sysname-luser-aaa] service-type lan-access
[Sysname-luser-aaa] quit
# Configure ISP domain aabbcc.net, and specify to perform local authentication.
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] authentication lan-access local
[Sysname-isp-aabbcc.net] quit
# Enable MAC authentication globally.
[Sysname] mac-authentication
# Enable MAC authentication for port GigabitEthernet 1/0/1.
[Sysname] mac-authentication interface GigabitEthernet 1/0/1
# Specify the ISP domain for MAC authentication.
[Sysname] mac-authentication domain aabbcc.net
# Set the MAC authentication timers.
[Sysname] mac-authentication timer offline-detect 180
[Sysname] mac-authentication timer quiet 3
[Sysname] mac-authentication user-name-format fixed account aaa password simple 123456
2) Verify the configuration.
# Display global MAC authentication information.
<Sysname> display mac-authentication
MAC address authentication is Enabled.
User name format is fixed account
Fixed username:aaa
Fixed password:123456
Offline detect period is 180s
Quiet period is 60s.
Server response timeout value is 100s
The max allowed user number is 1024 per slot
Current user number amounts to 1
Current domain is aabbcc.net
Silent Mac User info:
        MAC ADDR            From Port           Port Index
GigabitEthernet1/0/1 is link-up
MAC address authentication is Enabled
Authenticate success: 1, failed: 0
Current online user number is 1
        MAC ADDR            Authenticate state              AuthIndex
        00e0-fc12-3456      MAC_AUTHENTICATOR_SUCCESS       29
4.5.2 RADIUS-Based MAC Authentication Configuration Example
I. Network requirements
As illustrated in Figure 4-2, a host is connected to the device through port
GigabitEthernet 1/0/1. The device authenticates the host through the RADIUS server.
• MAC authentication is required on every port to control user access to the Internet.
• Set the offline detect timer to 180 seconds and the quiet timer to 3 minutes.
II. Network diagram
Figure 4-2 Network diagram for MAC authentication using RADIUS
III. Configuration procedure
1) Configure MAC authentication on the device.
# Configure the IP addresses of the interfaces. (Omitted)
# Configure a RADIUS scheme.
<Sysname> system-view
[Sysname] radius scheme 2000
[Sysname-radius-2000] primary authentication 10.1.1.1 1812
[Sysname-radius-2000] primary accounting 10.1.1.2 1813
[Sysname-radius-2000] key authentication abc
[Sysname-radius-2000] key accounting abc
[Sysname-radius-2000] user-name-format without-domain
[Sysname-radius-2000] quit
# Specify the AAA schemes for the ISP domain.
[Sysname] domain 2000
[Sysname-isp-2000] authentication default radius-scheme 2000
[Sysname-isp-2000] authorization default radius-scheme 2000
[Sysname-isp-2000] accounting default radius-scheme 2000
[Sysname-isp-2000] quit
# Enable MAC authentication globally.
[Sysname] mac-authentication
# Enable MAC authentication for port GigabitEthernet 1/0/1.
[Sysname] mac-authentication interface GigabitEthernet 1/0/1
# Specify the ISP domain for MAC authentication.
[Sysname] mac-authentication domain 2000
# Set the MAC authentication timers.
[Sysname] mac-authentication timer offline-detect 180
[Sysname] mac-authentication timer quiet 3
[Sysname] mac-authentication user-name-format fixed account aaa password simple 123456
2) Verify the configuration.
# Display global MAC authentication information.
<Sysname> display mac-authentication
MAC address authentication is Enabled.
User name format is fixed account
Fixed username:aaa
Fixed password:123456
Offline detect period is 180s
Quiet period is 60s.
Server response timeout value is 100s
The max allowed user number is 1024 per slot
Current user number amounts to 1
Current domain is 2000
Silent Mac User info:
        MAC ADDR            From Port           Port Index
GigabitEthernet1/0/1 is link-up
MAC address authentication is Enabled
Authenticate success: 1, failed: 0
Current online user number is 1
        MAC ADDR            Authenticate state              AuthIndex
        00e0-fc12-3456      MAC_AUTHENTICATOR_SUCCESS       29
4.5.3 ACL Assigning Configuration Example
I. Network requirements
As shown in Figure 4-3, a host is connected to port GigabitEthernet1/0/1 of the switch
and must pass MAC authentication to access the Internet.
• Configure the RADIUS server to assign ACL 3000.
• On port Ethernet 1/0 of the switch, enable MAC authentication and configure ACL 3000.
After the host passes MAC authentication, the RADIUS server assigns ACL 3000 to
port Ethernet 1/0 of the switch. As a result, the host can access the Internet but cannot
access the FTP server, whose IP address is 10.0.0.1.
II. Network diagram
Figure 4-3 Network diagram for ACL assigning
III. Configuration procedure
# Configure the IP addresses of the interfaces. (Omitted)
# Configure the RADIUS scheme.
<Sysname> system-view
[Sysname] radius scheme 2000
[Sysname-radius-2000] primary authentication 10.1.1.1 1812
[Sysname-radius-2000] primary accounting 10.1.1.2 1813
[Sysname-radius-2000] key authentication abc
[Sysname-radius-2000] key accounting abc
[Sysname-radius-2000] user-name-format without-domain
[Sysname-radius-2000] quit
# Create an ISP domain and specify the AAA schemes.
[Sysname] domain 2000
[Sysname-isp-2000] authentication default radius-scheme 2000
[Sysname-isp-2000] authorization default radius-scheme 2000
[Sysname-isp-2000] accounting default radius-scheme 2000
[Sysname-isp-2000] quit
# Configure ACL 3000 to deny packets destined for 10.0.0.1.
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Sysname-acl-adv-3000] quit
# Enable MAC authentication globally.
[Sysname] mac-authentication
# Enable MAC authentication for port GigabitEthernet1/0/1.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication
After completing the above configurations, you can use the ping command to verify
whether the ACL 3000 assigned by the RADIUS server functions.
[Sysname] ping 10.0.0.1
PING 10.0.0.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.0.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss