OHCSCP1305 802.1X Authentication and MAC Address Authentication ISSUE 3.0
802.1X Authentication and MAC Address Authentication
www.huawei.com
Copyright © 2017 Huawei Technologies Co., Ltd. All rights reserved. Page 3
Objectives
Upon completion of this course, you will be able to:
Know 802.1X authentication and MAC address authentication principles and the application scenarios
Understand 802.1X authentication and MAC address authentication configurations and deployment
Have a good command of the 802.1X authentication troubleshooting procedure
Contents
1. Access Control Overview
2. 802.1X Authentication and MAC Address Authentication Principles
3. 802.1X Authentication and MAC Address Authentication Configurations and Deployment
4. 802.1X Authentication Troubleshooting
Access Control Overview
(Figure: the administrator develops policies, modifies them and checks their effects; access requests pass identity authentication and then access control before reaching general, sensitive or core information resources.)
Authorization Rules
Policy dimensions
  Identity: account, person, role, organization
  Terminal: operating system/type/vendor
  Access mode: Windows authentication/wired/wireless
  Location: IP segment/access device/SSID
  Time
Authorization rule
Policy elements
  VLAN
  ACL
  Dynamic ACL
  Security group
  Bandwidth
  RADIUS attribute
802.1X Authentication Introduction
The 802.1X protocol originated from the WLAN 802.11 protocol and is used to control link-layer access by wireless users and to authenticate user identities. After extension, the 802.1X protocol can use Ethernet packets as bearer packets, so it also applies to Ethernet and other wired access modes.
(Figure: EAP methods such as PEAP, LEAP, MD5, TLS, TTLS, SIM and AKA are carried by EAP, which in turn runs over 802.1X.)
802.1X Authentication Scenario
802.1X authentication, also called Extensible Authentication Protocol Over Ethernet (EAPOE) authentication, can solve the problem of access authentication of LAN users in the wired environment.
In the following figure, the 802.1X system is a typical client/server structure and includes three entities: terminal, access control device, and RADIUS server.
(Figure: the terminal and the access control device exchange EAPoL; the access control device and the RADIUS server exchange RADIUS.)
Basic Concepts of 802.1X
Authentication method: port-based authentication; MAC address-based 802.1X authentication
Authentication mode: EAP termination; EAP relay
Port control mode: automatic identification; forcible authorization; forcible non-authorization
802.1X Authentication Process
(Figure: message sequence between the terminal, the access control device and the RADIUS server; the recoverable steps are listed below.)
2. EAP-Request/Identity
3. EAP-Response/Identity
4. RADIUS Access-Request (EAP-Response/Identity)
5. RADIUS Access-Challenge (EAP-Request/MD5 Challenge)
6. EAP-Request/MD5 Challenge
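The EAP-MD5 exchange of steps 2 to 6, worked through as an added Python example (this is not code from the slides or from Huawei; the switch is modelled in EAP relay mode, the RADIUS framing between switch and server is omitted, and the user name, password and server password table are constructed). It encodes the EAPOL and EAP headers, computes the MD5-Challenge response defined in RFC 3748 (MD5 over identifier, password and challenge) on the terminal side, and recomputes it on the server side to decide between EAP-Success and EAP-Failure. Because the response is an unkeyed MD5 over a static password and the method authenticates only the user, not the server, the TLS-based methods named in the introduction (PEAP, TLS, TTLS) are the ones used in production deployments.

```python
import hashlib
import hmac
import os
import struct

# EAPOL header (IEEE 802.1X): version, packet type, body length. Type 0 = EAP-Packet.
EAPOL_VERSION, EAPOL_TYPE_EAP = 1, 0
# EAP codes and method types (RFC 3748).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def eap_packet(code, identifier, eap_type=None, data=b""):
    """EAP packet: code, identifier, total length, then type and type-data
    (Success and Failure carry no type field)."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eapol_frame(eap):
    """Wrap an EAP packet in the EAPOL header used on the terminal-switch link."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP, len(eap)) + eap


def parse_eap(eap):
    code, identifier, length = struct.unpack("!BBH", eap[:4])
    body = eap[4:length]
    return code, identifier, (body[0] if body else None), body[1:]


def md5_challenge_response(identifier, password, challenge):
    """RFC 3748 section 5.4: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def run_exchange(username, terminal_password, server_passwords, rng=os.urandom):
    """Steps 2-6 of the slide plus the final result. The switch is an EAP relay: it
    forwards the EAP payload unchanged between the terminal (EAPOL) and the server
    (RADIUS EAP-Message attribute; RADIUS framing is omitted in this model).
    Returns (authenticated, transcript)."""
    transcript = []

    # 2. switch -> terminal: EAP-Request/Identity, carried in an EAPOL frame
    req_identity = eapol_frame(eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    _, req_ident, _, _ = parse_eap(req_identity[4:])
    transcript.append("EAP-Request/Identity")

    # 3. terminal -> switch, 4. relayed in an Access-Request: EAP-Response/Identity
    resp_identity = eap_packet(EAP_RESPONSE, req_ident, EAP_TYPE_IDENTITY, username.encode())
    transcript.append("EAP-Response/Identity")
    _, _, _, identity = parse_eap(resp_identity)

    # 5. server -> switch (Access-Challenge), 6. switch -> terminal: EAP-Request/MD5-Challenge
    challenge = rng(16)
    req_md5 = eap_packet(EAP_REQUEST, 2, EAP_TYPE_MD5, bytes([len(challenge)]) + challenge)
    transcript.append("EAP-Request/MD5-Challenge")

    # Terminal: MD5 over identifier, its own password and the received challenge.
    _, ident, _, type_data = parse_eap(req_md5)
    recv_challenge = type_data[1:1 + type_data[0]]
    digest = md5_challenge_response(ident, terminal_password, recv_challenge)
    resp_md5 = eap_packet(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([len(digest)]) + digest)
    transcript.append("EAP-Response/MD5-Challenge")

    # Server: recompute with its stored password; an unknown user gets an empty
    # password here and therefore never matches a real response.
    _, ident2, _, type_data2 = parse_eap(resp_md5)
    stored = server_passwords.get(identity.decode(), b"")
    expected = md5_challenge_response(ident2, stored, challenge)
    ok = hmac.compare_digest(type_data2[1:1 + type_data2[0]], expected)
    transcript.append("EAP-Success" if ok else "EAP-Failure")
    return ok, transcript


if __name__ == "__main__":
    # Constructed credentials for a stand-alone run.
    print(run_exchange("tony", b"Admin@123", {"tony": b"Admin@123"}))
```

The transcript lists the EAP messages in the order the slide numbers them; the RADIUS Access-Request and Access-Challenge of steps 4 and 5 are the same EAP payloads wrapped in RADIUS, which is what "EAP relay" in the basic concepts means.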
MAC Address Authentication Introduction
MAC address authentication uses the MAC address of a terminal as the identity credential for authentication in the system. With MAC address authentication enabled, when a terminal connects to the network, the network access device obtains the MAC address of the terminal, and uses the MAC address as the user name and password for authentication.
(Figure: a printer in the office area.)
MAC Address Authentication Scenario
MAC address authentication application scenario
Dumb terminals, such as printers and IP phones, cannot enter user account information for authentication and authorization.
Some special users, such as intelligent terminal users, want to access the network "without being authenticated" and do not want to enter the user account information for authentication.
(Figure: intelligent terminal and IP phone.)
MAC Address Authentication Process
(Flowchart; the only recoverable step reads "Delete the user from the online user list".)
Contents
1. Access Control Overview
2. 802.1X Authentication and MAC Address Authentication Principles
3. 802.1X Authentication and MAC Address Authentication Configurations and Deployment
  Wired 802.1X Authentication
  Wireless 802.1X Authentication
  Wired MAC Address Authentication
  Wireless MAC Address Authentication
802.1X Authentication Application Scenario
Wired access layer: highest security performance; large number of devices; complex management
Wired aggregation layer: medium and high security performance; small number of devices; easy management
Wireless access: high security performance; small number of devices; easy management
Wired 802.1X Authentication
A company maintains user accounts and organizations on the AD server, and wants to provide wired access for office in its campus. Wired 802.1X authentication can be used to ensure security. Authenticated users can access Internet resources.
(Topology figure: campus egress router, core switch S7700, server area with DNS, Agile Controller-Campus and AD on 192.168.11.0/24 (VLAN 200), aggregation switch S5720HI acting as the authentication control point, campus terminals on 192.168.100.0/24 (VLAN 102); interfaces labelled G1/0/1, G1/0/2, G0/0/1 and G0/0/2.)
Configuration Procedure
Configuration planning
Basic configuration
802.1X configuration
  Configuration of transparent transmission of EAP packets on the access switch
  Configuration of the authentication control point on the aggregation switch
Agile Controller-Campus authentication configuration
Configure Basic Data for Network Connectivity
Configure basic data for network connectivity.
Configure the VLAN and IP address on the access switch.
Configure the aggregation switch.
  Configure the VLAN and IP address, and enable DHCP.
  Configure a static route to the network segment where the authentication server resides.
Configure the core switch.
  Configure the VLAN and IP address.
  Configure a static route to the network segment where terminals reside.
Configure 802.1X Authentication on the Access Switch
Configure transparent transmission of EAP packets on the access switch.
Define Layer 2 transparent transmission of EAP packets.
[S2700] l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
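What the l2protocol-tunnel command arranges, shown as an added Python model (not code from the slides or from Huawei; the frame bytes are constructed and the function names are this example's own). EAPOL frames carry EtherType 0x888E and are addressed to the reserved PAE group address 01-80-C2-00-00-03, which an 802.1D bridge does not forward; the access switch therefore rewrites the destination to the configured group MAC on the user-side port so the frame is forwarded like ordinary multicast, and the original destination is restored before the frame reaches the 802.1X process at the authentication control point.

```python
import struct

# IEEE 802.1X EAPOL: reserved PAE group address and EtherType. The two MACs match
# the protocol-mac and group-mac arguments of the command on the slide.
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")     # protocol-mac 0180-c200-0003
TUNNEL_GROUP_MAC = bytes.fromhex("010000000002")  # group-mac 0100-0000-0002
ETHERTYPE_EAPOL = 0x888E


def parse_ethernet(frame):
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return dst, src, ethertype, frame[14:]


def tunnel_ingress(frame):
    """Access switch, user-side port: rewrite the EAPOL destination so the frame is
    forwarded instead of being consumed locally. Other frames pass unchanged."""
    dst, src, ethertype, payload = parse_ethernet(frame)
    if ethertype == ETHERTYPE_EAPOL and dst == PAE_GROUP_MAC:
        return TUNNEL_GROUP_MAC + src + struct.pack("!H", ethertype) + payload
    return frame


def tunnel_egress(frame):
    """Authentication control point side: restore the PAE group address so the
    802.1X process on the aggregation switch accepts the frame."""
    dst, src, ethertype, payload = parse_ethernet(frame)
    if ethertype == ETHERTYPE_EAPOL and dst == TUNNEL_GROUP_MAC:
        return PAE_GROUP_MAC + src + struct.pack("!H", ethertype) + payload
    return frame


def would_bridge_forward(frame):
    """Model of a plain 802.1D bridge: frames to 01-80-C2-00-00-00 .. -0F are
    reserved and not forwarded; everything else is."""
    dst = frame[:6]
    return not (dst[:5] == bytes.fromhex("0180c20000") and dst[5] <= 0x0F)


# Constructed sample: an EAPOL-Start (EAPOL v1, type 1, zero-length body) from a
# terminal with a made-up source MAC.
SAMPLE_EAPOL_START = (PAE_GROUP_MAC + bytes.fromhex("0011223344aa")
                      + struct.pack("!H", ETHERTYPE_EAPOL) + b"\x01\x01\x00\x00")

if __name__ == "__main__":
    tunnelled = tunnel_ingress(SAMPLE_EAPOL_START)
    print(would_bridge_forward(SAMPLE_EAPOL_START), would_bridge_forward(tunnelled))
    print(tunnel_egress(tunnelled) == SAMPLE_EAPOL_START)
```

This is also the mechanism behind the last troubleshooting check in this course: without the rewrite, an access switch that is not the authentication control point simply absorbs the terminal's EAPOL frames and the aggregation switch never sees an authentication attempt.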
Configure 802.1X Authentication on the Aggregation Switch (1/3)
Configure wired 802.1X authentication on the aggregation switch.
Configure a RADIUS server template, an authentication scheme, and an accounting scheme.
[S5700] authentication unified-mode //If the default mode unified-mode is used, you do not need to run this command.
[S5700] radius-server template radius_template
[S5700-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 192.168.100.100
[S5700-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 192.168.100.100
[S5700-radius-radius_template] radius-server shared-key cipher Admin@123
Configure 802.1X Authentication on the Aggregation Switch (2/3)
Configure wired 802.1X authentication on the aggregation switch.
Invoke the RADIUS authentication template in the AAA.
[S5700] aaa
[S5700-aaa] authentication-scheme auth_scheme //Authentication scheme.
[S5700-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication scheme to RADIUS.
[S5700-aaa] accounting-scheme acco_scheme //Accounting scheme.
[S5700-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting scheme to RADIUS.
[S5700-aaa-accounting-acco_scheme] accounting realtime 15
Configure 802.1X Authentication on the Aggregation Switch (3/3)
Configure wired 802.1X authentication on the aggregation switch.
Set wired 802.1X authentication parameters.
[S5700] interface GigabitEthernet 0/0/1
[S5700-GigabitEthernet0/0/1] authentication dot1x
Configure the Agile Controller-Campus - Add Authentication Devices
Choose Resource > Device > Device Management, and add authentication devices.
Configure the Agile Controller-Campus - Configure Authentication and Authorization
Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule, and modify the default authentication rule or create authentication rules.
Choose Policy > Permission Control > Authentication & Authorization > Authorization Result, and add authorization ACLs.
Configure the Agile Controller-Campus - Bind Authorization Results
Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule, and bind the authorization results to specify the resources accessible to users after successful authentication.
Verify the Result
On a fixed terminal, use the built-in 802.1X client of the operating system for authentication:
  Before being authenticated, you can ping only resources in the server area.
  After being authenticated, you can ping Internet resources.
On the aggregation switch, run the display access-user and display access-user user-id user-id commands to view the detailed information about online users.
On the Agile Controller-Campus, choose Resource > User > RADIUS Log to view the RADIUS logs containing the detailed information about end users.
Wireless 802.1X Authentication
A company maintains user accounts and organizations on the AD server, and wants to provide wireless access for office in its campus. Wireless 802.1X authentication can be used to ensure security. Authenticated users can access Internet resources.
(Topology figure: firewall, core router, server area with Agile Controller-Campus and AD on 192.168.11.0/24, aggregation switch S5720HI, AC 6605 acting as the authentication control point (VLAN 10, 10.10.10.254/24), access switch S2750EI (VLAN 10), AP, service VLAN 100, terminals on 172.16.21.0/24; interfaces labelled G1/0/1, G0/0/1, G0/0/2 and G0/0/3.)
Configuration Procedure
Configuration planning
Basic configuration
Configure Basic Data for Network Connectivity
Configure basic data for network connectivity.
Configure the VLAN and IP address on the access switch.
Configure the VLAN and IP address on the aggregation switch.
Configure the AC.
  Configure the interfaces to allow packets from the management VLAN and service VLAN to pass through.
  Configure the gateway IP address, and enable DHCP.
  Configure the default route with the core router as the next hop.
  Set the parameters for connecting APs to the AC.
Configure 802.1X Access on the AC (1/2)
Configure a RADIUS server template, an authentication scheme, and an accounting scheme.
[AC] radius-server template radius_template
[AC-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server shared-key cipher Admin@123
[AC-radius-radius_template] radius-server user-name original
[AC] radius-server authorization 192.168.11.10 shared-key cipher Admin@123
[AC] aaa
[AC-aaa] authentication-scheme auth_scheme //Authentication scheme.
[AC-aaa-authen-auth_scheme] authentication-mode radius
[AC-aaa] accounting-scheme acco_scheme //Accounting scheme.
[AC-aaa-accounting-acco_scheme] accounting-mode radius
[AC-aaa-accounting-acco_scheme] accounting realtime 15
Configure 802.1X Access on the AC (2/2)
Configure an access profile.
[AC] dot1x-access-profile name acc_dot1x
Set Wireless 802.1X Service Parameters on the AC (1/2)
Create a security profile and configure the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name security_dot1x
[AC-wlan-sec-prof-security_dot1x] security wpa2 dot1x aes
Create an SSID profile and set the SSID name.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid dot1x_access
Warning: This action may cause service interruption. Continue?[Y/N]y
Set Wireless 802.1X Service Parameters on the AC (2/2)
Create a VAP profile, configure the service data forwarding mode and service VLAN, and apply the security, SSID, and authentication profiles to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 100
[AC-wlan-vap-prof-wlan-vap] security-profile security_dot1x
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile auth_dot1x
Configure the Agile Controller-Campus - Add Authentication Devices
Choose Resource > Device > Device Management, and add an AC, which will, together with the access control device, implement RADIUS interconnection.
Configure the Agile Controller-Campus - Configure Authentication and Authorization
Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule, and modify the default authentication rule or create authentication rules.
Choose Policy > Permission Control > Authentication & Authorization > Authorization Result, and add authorization ACLs.
Configure the Agile Controller-Campus - Bind Authorization Results
Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule, and bind the authorization results to specify the resources accessible to users after successful authentication.
Verify the Result
Use a mobile phone to associate with the SSID dot1x_access, and enter an AD domain user name and password.
Obtain an IP address on the network segment 172.16.21.0/24 after successful authentication, and access Internet resources using this IP address.
Run the display access-user and display access-user user-id user-id commands on the AC to view detailed information about the online user.
On the Agile Controller-Campus, choose Resource > User > RADIUS Log to view RADIUS logs.
MAC Address Authentication Application Scenario
MAC address authentication application scenario: dumb terminal
Characteristics
  The authentication is performed automatically, and does not require users to enter user names and passwords.
  No authentication client needs to be installed on the terminals.
  MAC addresses can be easily forged, leading to low security.
Wired MAC Address Authentication
Unauthorized access to the intranet of a company may lead to system damage and information leakage. Therefore, the administrator wants to control the network access rights of users. However, dumb terminals in the physical access control department of the company do not support the installation of the AnyOffice. In this case, wired MAC address authentication needs to be used.
(Topology figure: campus egress firewall, core switch S7700, server area with DNS and Agile Controller-Campus on 192.168.11.0/24 (VLAN 200), aggregation switch S5720HI, terminals in the pre-authentication domain on 192.168.100.0/24 (VLAN 102); interfaces labelled G1/0/1, G1/0/2 and G0/0/2.)
Configuration Procedure
Configuration planning
Basic configuration
802.1X and MAC address-based access configuration
  RADIUS interconnection parameter setting
  Setting of parameters for the MAC address-based access service
Agile Controller-Campus authentication configuration
Configure Basic Data for Network Connectivity
Configure basic data for network connectivity.
Configure the VLAN and IP address on the access switch.
Configure the VLAN and IP address on the aggregation switch.
Configure the core switch.
  Configure the VLAN and IP address.
  Configure a static route to the network segment where terminals reside.
Set RADIUS Interconnection Parameters on the Aggregation Switch
On the aggregation switch, configure a RADIUS server template, an authentication scheme, and an accounting scheme.
[S5700] radius-server template radius_template
[S5700-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 192.168.100.100
[S5700-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 192.168.100.100
[S5700-radius-radius_template] radius-server shared-key cipher Admin@123
[S5700] radius-server authorization 192.168.11.10 shared-key cipher Admin@123
[S5700] aaa
[S5700-aaa] authentication-scheme auth_scheme //Authentication scheme.
[S5700-aaa-authen-auth_scheme] authentication-mode radius
[S5700-aaa] accounting-scheme acco_scheme //Accounting scheme.
[S5700-aaa-accounting-acco_scheme] accounting-mode radius
[S5700-aaa-accounting-acco_scheme] accounting realtime 15
[S5700-aaa] domain default
[S5700-aaa-domain-default] authentication-scheme auth_scheme
[S5700-aaa-domain-default] accounting-scheme acco_scheme
[S5700-aaa-domain-default] radius-server radius_template
Configure MAC Address Authentication on the Aggregation Switch
Enable MAC address authentication on GE0/0/1 of the aggregation switch.
[S5700] interface gigabitethernet 0/0/1
[S5700-GigabitEthernet0/0/1] authentication mac-authen
[S5700-GigabitEthernet0/0/1] authentication mode multi-authen max-user 100 // Specify the interface allowing multiple users to go online and set the maximum number of online users allowed on the interface to 100.
Globally set the user name format used for MAC address authentication to MAC address without hyphens (-).
[S5700] mac-authen username macaddress format without-hyphen
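How the credential described in the MAC address authentication introduction, in the user name format chosen above, reaches the RADIUS server, as an added Python example (not code from the slides or from Huawei; the MAC address, shared key, NAS IP address, RADIUS identifier and the mapping of the two format keywords are constructed, and the allow-list stands in for the MAC device group created later on the Agile Controller-Campus). The switch side derives the user name from the MAC in the chosen format, hides the same string as the User-Password attribute with the RFC 2865 MD5/XOR scheme, and sends an Access-Request; the server side recovers the password, requires it to equal the user name, and checks the MAC against the device group. Nothing in the request is stronger than the MAC address itself, which is the "easily forged" caveat on the scenario slide and the reason the authorization rules reject anything outside the MAC group.

```python
import hashlib
import os
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_CALLING_STATION_ID = 1, 2, 4, 31


def mac_username(mac, fmt="without-hyphen"):
    """Derive the user name from a terminal MAC, mirroring the two format keywords
    of 'mac-authen username macaddress format' (mapping assumed for this example).
    Accepts 00-11-22-33-44-aa, 00:11:22:33:44:aa or 0011-2233-44aa as input."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    if fmt == "without-hyphen":
        return hexdigits
    if fmt == "with-hyphen":
        return "-".join(hexdigits[i:i + 4] for i in (0, 4, 8))
    raise ValueError("unknown format %r" % fmt)


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_authenticator):
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    return bytes([attr_type, 2 + len(value)]) + value


def build_mac_auth_request(mac, secret, nas_ip, identifier, fmt="without-hyphen", rng=os.urandom):
    """Switch side: for a dumb terminal the MAC is both User-Name and User-Password."""
    username = mac_username(mac, fmt).encode()
    authenticator = rng(16)
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(username, secret, authenticator))
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_CALLING_STATION_ID, mac.encode()))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def server_decision(packet, secret, allowed_macs):
    """Server side: recover the password, require it to equal the user name, and
    check the MAC against the device group. A wrong shared key yields an
    unreadable password and therefore a reject."""
    _, _, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    username = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, authenticator).decode(errors="replace")
    if password != username:
        return "Access-Reject"
    try:
        normalized = mac_username(username)
    except ValueError:
        return "Access-Reject"
    group = {mac_username(m) for m in allowed_macs}
    return "Access-Accept" if normalized in group else "Access-Reject"


if __name__ == "__main__":
    # Constructed values: one printer MAC, the shared key from the slides, the
    # switch's RADIUS source address.
    pkt = build_mac_auth_request("0011-2233-44aa", b"Admin@123", "192.168.100.100", 7)
    print(server_decision(pkt, b"Admin@123", ["00-11-22-33-44-AA"]))
```

The Calling-Station-Id attribute carries the MAC in the switch's own notation regardless of the user name format, which is what the RADIUS log on the Agile Controller-Campus shows next to the user name.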
Configure the Agile Controller-Campus - Add Devices
Choose Resource > Device > Device Management, and click Add. Set the device connection parameters.
Configure the Agile Controller-Campus - Add Authentication Rules
Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule, and click Add. Set the authentication rule parameters.
Configure the Agile Controller-Campus - Add Devices Requiring MAC Address Authentication
Choose Resource > Terminal > Terminal List. Select the first node in the Device Group list and click Add on the right to create a device group for MAC authentication.
In the Device Group list, select MAC. On the Device List tab page on the right, click Add and enter the MAC address of the device to be added.
Configure the Agile Controller-Campus - Add Authorization Rules
Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule, and click Add. Create authorization rules that allow the access of devices passing MAC authentication and reject the access of other devices.
Verify the Result
After the configuration is complete, run the display mac-authen command on the aggregation switch to view the MAC address authentication configuration. In the output, you can get the information indicating that MAC address authentication is enabled on GE0/0/1.
After a user starts a dumb terminal, the aggregation switch automatically obtains the dumb terminal's MAC address as the user name and password for authentication. After successful authentication, the dumb terminal can access the Internet.
After the dumb terminal goes online, run the display access-user access-type mac-authen command on the aggregation switch to view the information about the online terminal authenticated based on the MAC address.
On the Agile Controller-Campus, choose Resource > User > RADIUS Log to view RADIUS logs.
Wireless MAC Address Authentication
Dumb terminals in the physical access control department of a company associate with the AP with the SSID mac_access. The AC functions as a DHCP server to assign IP addresses on the network segment 10.10.10.0/24 to APs, and controls and manages all users in centralized mode.
(Topology figure: firewall, core router, AP, and the pre-authentication domain.)
Configuration Procedure
Configuration planning
Basic configuration
802.1X and MAC address-based access configuration
  RADIUS interconnection parameter setting
  Setting of parameters for the MAC address-based access service
Agile Controller-Campus authentication configuration
Configure Basic Data for Network Connectivity
Configure basic data for network connectivity.
Configure the VLAN and IP address on the access switch.
Configure the VLAN and IP address on the aggregation switch.
Configure the AC.
  Configure the interfaces to allow packets from the management VLAN and service VLAN to pass through.
  Configure the gateway IP address, and enable DHCP.
  Configure the default route with the core router as the next hop.
  Set the parameters for connecting APs to the AC.
Set RADIUS Interconnection Parameters on the AC (1/2)
Configure a RADIUS server template, an authentication scheme, and an accounting scheme.
[AC] radius-server template radius_template
[AC-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server shared-key cipher Admin@123
[AC-radius-radius_template] radius-server user-name original // Configure the device to send the user names entered by users to the RADIUS server.
[AC] radius-server authorization 192.168.11.10 shared-key cipher Admin@123
[AC] aaa
[AC-aaa] authentication-scheme auth_scheme //Authentication scheme.
[AC-aaa-authen-auth_scheme] authentication-mode radius
[AC-aaa] accounting-scheme acco_scheme //Accounting scheme.
[AC-aaa-accounting-acco_scheme] accounting-mode radius
[AC-aaa-accounting-acco_scheme] accounting realtime 15
Set RADIUS Interconnection Parameters on the AC (2/2)
Configure an access profile.
[AC] mac-access-profile name mac
Set Wireless MAC Address Authentication Parameters on the AC (1/2)
Create a security profile and configure the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name security-mac
Create an SSID profile and set the SSID name.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid mac_access
Warning: This action may cause service interruption. Continue?[Y/N]y
Set Wireless MAC Address Authentication Parameters on the AC (2/2)
Create a VAP profile, configure the service data forwarding mode and service VLAN, and apply the security, SSID, and authentication profiles to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 100
[AC-wlan-vap-prof-wlan-vap] security-profile security-mac
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile mac
Configure the Agile Controller-Campus - Add Devices
Choose Resource > Device > Device Management, and click Add. Set device connection parameters.
Configure the Agile Controller-Campus - Add Authentication Rules
Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule, and click Add. Set authentication rule parameters.
Configure the Agile Controller-Campus - Add Devices Requiring MAC Address Authentication
Choose Resource > Terminal > Terminal List. Select the first node in the Device Group list and click Add on the right to create a device group for MAC authentication.
In the Device Group list, select MAC. On the Device List tab page on the right, click Add and enter the MAC address of the device to be added.
Configure the Agile Controller-Campus - Add Authorization Rules
Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule, and click Add. Create authorization rules that allow the access of devices passing MAC authentication and reject the access of other devices.
Verify the Result
After the configuration is complete, run the display mac-authen command on the AC to view MAC address authentication configuration.
After a dumb terminal associates with the WLAN with the SSID mac_access, the AC automatically obtains the dumb terminal's MAC address as the user name and password for authentication. After successful authentication, the dumb terminal can access the Internet.
After the dumb terminal goes online, run the display access-user access-type mac-authen command on the AC to view the information about the online terminal authenticated based on the MAC address.
On the Agile Controller-Campus, choose Resource > User > RADIUS Log to view RADIUS logs.
802.1X Access Fault
To locate and rectify the 802.1X access fault, perform operations according to the following flowchart.
(Flowchart: starts from "802.1X authentication fails", then "Check the execution result of the test-aaa command on the access control device".)
Check the Execution Result of the test-aaa Command on the Access Control Device
If the 802.1X access fault occurs, check the execution result of the test-aaa command on the access control device.
On the switch or AC, test the RADIUS server template to check whether the RADIUS server template configuration is correct.
Assume that the RADIUS server template name is template1. If you use the common account tony for identity authentication, enter the following command to perform the test:
<AC> test-aaa tony Admin@123 radius-template template1 pap
Check Whether Keys of the SM Match Those of the Access Control Device
On the access control device, run the display radius-server configuration template XXX (template name) command to view the shared key specified by Shared-secret-key.
On the Agile Controller-Campus, choose Resource > Device > Device Management, and set the RADIUS authentication key and accounting key of the Agile Controller-Campus to the same as those of the access control device, as shown in the following figure.
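Why a key mismatch between the SM and the access control device shows up the way it does, as an added Python example (not code from the slides or from Huawei; the Request Authenticator, RADIUS identifier and keys are constructed). RFC 2865 requires the access control device to verify the Response Authenticator of every Access-Accept, Access-Reject or Access-Challenge, which is an MD5 over the reply header, the original Request Authenticator, the attributes and the shared key, and to silently discard a reply that fails; with different keys on the two sides the server's reply never verifies, so the fault looks like a RADIUS timeout rather than an explicit rejection, and only comparing the two configured keys reveals it.

```python
import hashlib
import hmac
import struct

RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_REJECT = 2, 3


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_reply(code, identifier, attrs, request_authenticator, server_secret):
    """Server side: any reply to an Access-Request is authenticated with the server's key."""
    auth = response_authenticator(code, identifier, attrs, request_authenticator, server_secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def nas_accepts_reply(reply, request_authenticator, nas_secret):
    """Access control device side: recompute the Response Authenticator with the
    locally configured key; a mismatch means the reply is discarded as if it
    had never arrived."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    received, attrs = reply[4:20], reply[20:length]
    expected = response_authenticator(code, identifier, attrs, request_authenticator, nas_secret)
    return hmac.compare_digest(received, expected)


# Constructed sample: a fixed Request Authenticator standing in for the random one
# the switch sent in its Access-Request, and an empty attribute list.
SAMPLE_REQUEST_AUTH = bytes(range(16))


def key_mismatch_demo(server_secret, nas_secret, code=RADIUS_ACCESS_ACCEPT):
    """Returns True when the switch would act on the server's reply, False when it
    would drop it (the key-mismatch symptom)."""
    reply = build_reply(code, 5, b"", SAMPLE_REQUEST_AUTH, server_secret)
    return nas_accepts_reply(reply, SAMPLE_REQUEST_AUTH, nas_secret)


if __name__ == "__main__":
    print(key_mismatch_demo(b"Admin@123", b"Admin@123"))  # matching keys
    print(key_mismatch_demo(b"Admin@123", b"Admin@124"))  # mismatched keys
```

The same check applies to the accounting key: an Accounting-Response that does not verify is dropped too, so a mismatch there shows up as accounting retransmissions even though authentication succeeds.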
Check Whether the SC Ports Are Occupied
Check whether a conflict occurs on the ports 1812 and 1813 used by the SC.
C:\ netstat -nao | findstr 1812 //Find all processes occupying the port 1812.
UDP 0.0.0.0:1812 *:* 1803
UDP [::]:1812 *:* 1804
Identifiers of the processes occupying the port are displayed in the last column of the command output. If different process identifiers are displayed in the output, different processes occupy the port, indicating that a port conflict occurs.
C:\ tasklist /fi "pid eq 1804" //List the names of the processes with the identifier 1804.
Image name PID session name Session# Memory usage
========================= ======== ================ =========== ============
svchost.exe 1804 Services 0 234,208 K
The preceding information indicates that the Network Policy Server service of the Windows operating system occupies the port 1812.
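The port-conflict check above can be automated. This added Python (not part of the original course) parses netstat -nao output and reports the RADIUS ports held by more than one PID across IPv4 and IPv6 sockets; it matches the port exactly, so that findstr's substring match on a port such as 18120 is not counted as 1812. The NETSTAT_SAMPLE text is constructed from the output shown above, with extra lines and PIDs added for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the netstat -nao output above; PIDs are illustrative.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       1803
  UDP    0.0.0.0:1812           *:*                                    1803
  UDP    [::]:1812              *:*                                    1804
  UDP    0.0.0.0:1813           *:*                                    1803
  UDP    0.0.0.0:18120          *:*                                    2210
"""
# Proto, local address, foreign address, optional TCP state, PID.
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+\S+(?:\s+\S+)?\s+(\d+)\s*$")

def owners_by_port(netstat_text, proto="UDP"):
    """Map each local port to the set of PIDs bound to it (IPv4 and IPv6 sockets together)."""
    owners = defaultdict(set)
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(1) != proto:
            continue
        # The port follows the last ':' so both [::]:1812 and 0.0.0.0:1812 parse.
        port = int(m.group(2).rsplit(":", 1)[1])
        owners[port].add(int(m.group(3)))
    return owners

def radius_port_conflicts(netstat_text, ports=(1812, 1813)):
    """Return {port: sorted PIDs} for the RADIUS ports held by more than one process.
    Exact port comparison avoids the findstr 1812 false positive on port 18120."""
    owners = owners_by_port(netstat_text)
    return {p: sorted(owners[p]) for p in ports if len(owners[p]) > 1}
```

Feed the script the saved output of netstat -nao on the SC host; each reported port still needs tasklist (as above) to identify the owning service.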
Check the Configuration on the Access Control Device (1/2)
After the preceding check operations are complete, check whether RADIUS authentication logs are generated on the Agile Controller-Campus. If no, perform the following operations:
Wired scenario: On the access control device interface, check whether 802.1X authentication is enabled and whether the authentication protocol is configured correctly.
In the wired 802.1X authentication scenario, if 802.1X authentication is not enabled or the authentication protocol is configured incorrectly, end users fail 802.1X authentication.
Wireless scenario: Check whether the security profile is correctly configured on the access control device.
In the wireless 802.1X authentication scenario, if the access control device is not configured with the security profile, end users fail wireless 802.1X authentication.
Check the Configuration on the Access Control Device (2/2)
DHCP + AnyOffice scenario: Before authentication, check whether the terminal can communicate with the SC directly.
If the AnyOffice on the terminal can communicate with the SC directly before authentication, the SC directly initiates common authentication rather than 802.1X authentication. As a result, the terminal cannot go online through the access control device.
Aggregation layer 802.1X authentication scenario: Check whether EAP transparent transmission is enabled on the access switch.
EAP packets transmitted between the terminal and the access control device at the aggregation layer are Layer 2 protocol packets. If Layer 2 switches exist between the terminal and the access control device and these Layer 2 switches do not forward Layer 2 protocol packets by default, the terminal and the access control device at the aggregation layer may fail to communicate with each other.
Check the Configuration on the Agile Controller-Campus (1/2)
After the preceding check operations are complete, check whether RADIUS authentication logs are generated on the Agile Controller-Campus. If yes, perform the following operations:
AD authentication scenario: 1. Check whether the SC is added to the AD domain. 2. Check whether the domain name is contained in the account information sent by the access control device. 3. Check whether the password consists of more than 32 characters.
AD/LDAP authentication scenario: 1. Check whether a third-party data source is selected in the authentication rule. 2. Check whether the protocol in the authentication rule is correct.
Check whether the RADIUS keys of the Agile Controller-Campus are consistent with those of the access control device.
Check the Configuration on the Agile Controller-Campus (2/2)
Check whether the Portal authentication option is disabled.
Check whether the authorization result is configured on the access control device.
RADIUS relay scenario: 1. Check whether keys of the third-party RADIUS server match those of the SM. 2. Check whether authentication protocol negotiation fails.
Check whether the authentication server certificate of the built-in 802.1X authentication client of the Windows operating system is enabled.
Check whether any third-party 802.1X authentication client conflicts with the AnyOffice.
Check whether there is an authentication error code. Search for the error code and perform corresponding operations.
Quiz
1. Which of the following user name formats cannot be used for MAC
address authentication? ( )
A. MAC address
B. Fixed user name
C. DHCP option
D. ARP option
Summary
802.1X Authentication and MAC Authentication Principles
802.1X Authentication and MAC Address Authentication
Configurations and Deployment
Wired 802.1X Authentication
Wireless 802.1X Authentication
Wired MAC Address Authentication
Wireless MAC Address Authentication
802.1X Authentication Troubleshooting
Thank You
www.huawei.com