
Web: Example for Configuring 802.1x Authentication

Networking Requirements

In Figure 1, terminals in a company's offices connect to the company's intranet through the FW. GE0/0/2 to GE0/0/n on the FW are directly connected to the office terminals, and GE0/0/1 on the FW connects to the RADIUS server through the intranet.

To meet the company's high security requirements, configure 802.1x authentication so that the RADIUS server authenticates the office terminals, with GE0/0/2 to GE0/0/n on the FW acting as the authentication points.

Figure 1 Networking diagram for configuring 802.1x authentication

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure network interworking.
  2. Configure the RADIUS server.
  3. Configure an authentication domain, set the access type to 802.1x, and set the authentication mode to RADIUS server authentication.
  4. Configure 802.1x authentication to control the network access rights of the employees in the offices.

Before performing the following operations, ensure that there are reachable routes between user terminals and the server.

If a LAN switch sits between the FW and the users, it must transparently transmit EAP packets; otherwise users cannot pass 802.1x authentication, because EAPOL frames use the reserved multicast destination MAC address 0180-c200-0003 and are not forwarded by the switch by default. The S5700 is used as an example of the LAN switch. Perform the following operations:

  1. Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 command in the system view of the LAN switch to define 802.1x as a user-defined Layer 2 protocol to be tunneled (EAPOL frames are rewritten to the group MAC address 0100-0000-0002 while crossing the switch).
  2. Run the l2protocol-tunnel user-defined-protocol 802.1x enable and bpdu enable commands on the interface connecting to the users and on the interface connecting to the FW to enable Layer 2 protocol transparent transmission on both interfaces.

Procedure

  1. Configure network interworking.
    1. Choose Network > Interface.
    2. Configure GE0/0/2 to GE0/0/n, which connect the FW to the users, as access interfaces and add them to VLAN 20. The following uses GE0/0/2 as an example; the other interfaces are configured in the same way and are not described here.

    3. Configure VLANIF 20.

    4. Configure GE0/0/1 connecting the FW to the RADIUS server.

    5. Choose Policy > Security Policy. Configure security policies that allow the clients to communicate with the FW (the FW itself is the local zone) and allow the FW to reach the RADIUS server:

      Name           Source Zone   Destination Zone   Destination Address   Action
      policy_sec_01  trust         local              -                     Permit
      policy_sec_02  local         trust              -                     Permit
      policy_sec_03  local         untrust            192.168.1.30/32       Permit

      policy_sec_03 carries the RADIUS authentication traffic from the FW to the server (UDP port 1812 in this example), so its destination is limited to the server address 192.168.1.30/32.

  2. Configure the RADIUS server.
    1. Choose Object > Authentication Server > RADIUS.

    2. Click Add and configure the RADIUS server: its IP address (192.168.1.30), the authentication port (1812), and the shared key, which must be identical to the one configured on the RADIUS server.

    3. Click Detect, enter a user name and password that are configured on the RADIUS server, and click Start Checking to check the connectivity to the RADIUS server.
  3. Configure the authentication domain.
    1. Choose Object > User > Authentication Domain.

    2. Click Add and create the authentication domain huawei.com.

    3. Choose Object > User > huawei.com and configure the authentication domain: set the access type to 802.1x, set the authentication mode to RADIUS server authentication, and select the RADIUS server configured in step 2.

  4. Configure 802.1x authentication.
    1. Choose Network > 802.1x > 802.1x.

    2. Click Add and configure 802.1x access: create the 802.1x access profile and bind it to the authentication interfaces GE0/0/2 to GE0/0/n (this corresponds to dot1x-access-profile d1 and authentication-profile p1 in the configuration file below).

      By default, an 802.1x access profile uses the EAP authentication mode, in which the FW relays the EAP packets from the client to the RADIUS server. Ensure that the RADIUS server supports EAP; otherwise, it cannot process the 802.1x authentication request packets.

  5. Verify the configuration.

    1. A user starts the 802.1x client on a terminal and enters the user name and password for authentication.

      Some 802.1x clients send their client version number to the FW by default. The FW cannot parse this version field, so disable version reporting on such clients.

    2. If the user name and password are correct, an authentication success message is displayed on the client, and the user can access the network.
    3. After users go online, choose Network > 802.1x > Monitor to view information about online 802.1x authentication users.
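What the FW does on GE0/0/2 once the client has sent its EAP Response/Identity is a RADIUS exchange with 192.168.1.30 on UDP port 1812, protected only by the shared key configured in the radius-server template. The following is an added example, not Huawei code and not the FW's implementation: it builds the Access-Request as the NAS would (RFC 2865 framing, the EAP-Message and Message-Authenticator attributes of RFC 3579), answers it with an in-process simulated RADIUS server, and shows the checks the NAS must apply to the reply before it opens the port. The shared key, the user database and the NAS-Port value are placeholders (the page only shows the ciphertext of the real key); the server is simulated so the code runs offline.

```python
"""RADIUS Access-Request / reply exchange for an 802.1x EAP-Identity round trip,
per RFC 2865 (packet format, Response Authenticator) and RFC 3579 (EAP-Message,
Message-Authenticator). Added illustration, not Huawei code; the server side is
simulated in-process. SECRET and the user list are placeholders (assumptions)."""
from __future__ import annotations
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, NAS_PORT_TYPE = 1, 4, 5, 61   # RFC 2865
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80                         # RFC 3579
NAS_PORT_TYPE_ETHERNET = 15

NAS_IP = "192.168.1.10"            # GE0/0/1 address from the configuration file
SERVER = ("192.168.1.30", 1812)    # radius-server authentication 192.168.1.30 1812
SECRET = b"example-shared-key"     # placeholder: the real key is shown only encrypted


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS AVP: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("AVP value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> list[tuple[int, bytes]]:
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        t, n = data[i], data[i + 1]
        if n < 2 or i + n > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((t, data[i + 2:i + n]))
        i += n
    return out


def eap_response_identity(eap_id: int, identity: str) -> bytes:
    """EAP Response/Identity (Code 2, Type 1) as the supplicant sends it in EAPOL."""
    body = identity.encode()
    return struct.pack("!BBHB", 2, eap_id, 5 + len(body), 1) + body


def message_authenticator(code: int, pkt_id: int, req_auth: bytes, attrs: bytes) -> bytes:
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed and the
    *Request* Authenticator in the authenticator field (RFC 3579 section 3.2)."""
    header = struct.pack("!BBH", code, pkt_id, 20 + len(attrs))
    return hmac.new(SECRET, header + req_auth + attrs, hashlib.md5).digest()


def build_access_request(pkt_id: int, identity: str, req_auth: bytes) -> bytes:
    """Access-Request the NAS sends after receiving the EAP Response/Identity.
    Message-Authenticator is mandatory whenever EAP-Message is present."""
    attrs = (attr(USER_NAME, identity.encode())
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
             + attr(NAS_PORT, struct.pack("!I", 2))          # port index: illustrative
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + attr(EAP_MESSAGE, eap_response_identity(1, identity))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))       # kept last: value swapped below
    mac = message_authenticator(ACCESS_REQUEST, pkt_id, req_auth, attrs)
    attrs = attrs[:-16] + mac
    return struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + req_auth + attrs


def check_message_authenticator(pkt: bytes, req_auth: bytes) -> bool:
    """Recompute the HMAC with the MA value zeroed; compare in constant time."""
    attrs = parse_attrs(pkt[20:])
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = b"".join(attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    return hmac.compare_digest(message_authenticator(pkt[0], pkt[1], req_auth, zeroed), macs[0])


def server_handle(request: bytes, known_users: frozenset[str]) -> bytes:
    """Simulated RADIUS server: forged/unsigned requests and unknown users get an
    Access-Reject. The reply carries its own Message-Authenticator and a Response
    Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, pkt_id, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    user = dict(parse_attrs(request[20:])).get(USER_NAME, b"").decode(errors="replace")
    accept = check_message_authenticator(request, req_auth) and user in known_users
    reply_code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    mac = message_authenticator(reply_code, pkt_id, req_auth, attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    attrs = attr(MESSAGE_AUTHENTICATOR, mac)
    header = struct.pack("!BBH", reply_code, pkt_id, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + SECRET).digest() + attrs


def nas_verify_reply(reply: bytes, req_auth: bytes, pkt_id: int) -> int | None:
    """NAS-side validation: the ID must match the outstanding request, and both the
    Response Authenticator and the Message-Authenticator must verify under the shared
    key; anything else is discarded (RFC 2865 section 3), so a spoofed Access-Accept
    from a host that does not hold the key never opens the port. Returns the code."""
    if len(reply) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != pkt_id or length != len(reply):
        return None
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + SECRET).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return None
    return code if check_message_authenticator(reply, req_auth) else None


def run_exchange(identity: str, known_users=frozenset({"alice"})) -> int | None:
    """Full round trip: NAS builds the request, server answers, NAS validates."""
    req_auth = os.urandom(16)                  # fresh Request Authenticator per request
    pkt_id = 7
    request = build_access_request(pkt_id, identity, req_auth)
    return nas_verify_reply(server_handle(request, known_users), req_auth, pkt_id)


if __name__ == "__main__":
    print("alice   ->", run_exchange("alice"))    # 2 = Access-Accept
    print("mallory ->", run_exchange("mallory"))  # 3 = Access-Reject
```

Two things the example makes visible that the GUI steps do not: every authenticator in the exchange is keyed only by the shared key, which is why the key must be long and random and why policy_sec_03 is limited to the server address; and a request without a valid Message-Authenticator is rejected even for a known user, which is what makes the attribute mandatory when EAP-Message is carried.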

Configuration Files

#
sysname FW
#
vlan batch 20
#
authentication-profile name p1
 dot1x-access-profile d1
 access-domain huawei.com force
#
radius-server template rd1
 radius-server shared-key cipher %^%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%^%#
 radius-server authentication 192.168.1.30 1812 weight 80
#
aaa
 authentication-scheme abc
  authentication-mode radius
 domain huawei.com
  authentication-scheme abc
  radius-server rd1
  service-type dot1x
#
interface Vlanif20
 ip address 192.168.2.10 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 192.168.1.10 255.255.255.0
#
interface GigabitEthernet0/0/2
 portswitch
 port link-type access
 port default vlan 20
 authentication-profile p1
#
firewall zone trust
 add interface Vlanif20
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
dot1x-access-profile name d1
#
security-policy
 rule name policy_sec_01
  source-zone trust
  destination-zone local
  action permit
 rule name policy_sec_02
  source-zone local
  destination-zone trust
  action permit
 rule name policy_sec_03
  source-zone local
  destination-zone untrust
  destination-address 192.168.1.30 32
  action permit
#
return
Copyright © Huawei Technologies Co., Ltd.