
802.1X Authentication and MAC Address Authentication

www.huawei.com

Copyright © 2017 Huawei Technologies Co., Ltd. All rights reserved.


Foreword
• 802.1X technology, as a general port access control mechanism for local area networks (LANs), is widely used on Ethernet networks, mainly to solve Ethernet authentication and security problems.
• MAC address authentication is an authentication method for controlling network access rights based on the combination of the port and MAC address. Users do not need to install any client software. The MAC address of a user's device is used as the user name and password for authentication. MAC address authentication is applicable to dumb terminals.
• This chapter describes the 802.1X authentication and MAC address authentication principles and the deployment and troubleshooting procedures.

Objectives
• Upon completion of this course, you will be able to:
  • Know 802.1X authentication and MAC address authentication principles and the application scenarios
  • Understand 802.1X authentication and MAC address authentication configurations and deployment
  • Have a good command of the 802.1X authentication troubleshooting procedure

Contents
1. Access Control Overview
2. 802.1X Authentication and MAC Address Authentication Principles
3. 802.1X Authentication and MAC Address Authentication Configurations and Deployment
4. 802.1X Authentication Troubleshooting

Access Control Overview
[Figure: access control model. The administrator develops policies, modifies them and checks their effects. Access requests pass through identity authentication and access control before reaching the general, sensitive and core information resources.]
Access control serves to:
• Prevent rogue users
• Authorize users to access certain resources
• Monitor users' behavior
• Collect evidence for audit

Authorization Rules
[Figure: an authorization rule maps policy dimensions (what is known about the user and the access) to policy elements (what is granted).]
Policy dimensions:
• Identity: account, person, role, organization
• Terminal: operating system/type/vendor
• Access mode: Windows authentication/wired/wireless
• Location: IP segment/access device/SSID
• Time
• Terminal security check result
Policy elements:
• VLAN
• ACL
• Dynamic ACL
• Security group
• Bandwidth
• RADIUS attribute
802.1X Authentication Introduction
• The 802.1X protocol originated from the WLAN 802.11 protocol and is used to control the link layer access of wireless users and authenticate user identities. After extension, the 802.1X protocol can use Ethernet packets as bearer packets, enabling the 802.1X protocol to be applicable to Ethernet and other wired access modes.
[Figure: protocol stack. The EAP methods MD5, TLS, TTLS, PEAP, LEAP, SIM and AKA run over EAP; EAP runs over 802.1X, which is carried by 802.3, 802.11 or PPP.]
EAP: Extensible Authentication Protocol
PPP: Point-to-Point Protocol

802.1X Authentication Scenario
• 802.1X authentication, also called Extensible Authentication Protocol over Ethernet (EAPOE) authentication, can solve the problem of access authentication of LAN users in the wired environment.
• In the following figure, the 802.1X system is a typical client/server structure and includes three entities: terminal, access control device, and RADIUS server.
[Figure: Terminal <-- EAPoL --> Access control device <-- RADIUS --> RADIUS server]

Basic Concepts of 802.1X
• Authentication method
  • Port-based authentication
  • MAC address-based 802.1X authentication
• Authentication mode
  • EAP termination
  • EAP relay
• Port control mode
  • Automatic identification
  • Forcible authorization
  • Forcible non-authorization
802.1X Authentication Process
[Figure: message sequence among the client, the access control device and the RADIUS server]
1. Client -> access control device: EAPoL-Start
2. Access control device -> client: EAP-Request/Identity
3. Client -> access control device: EAP-Response/Identity
4. Access control device -> RADIUS server: RADIUS Access-Request (EAP-Response/Identity)
5. RADIUS server -> access control device: RADIUS Access-Challenge (EAP-Request/MD5 Challenge)
6. Access control device -> client: EAP-Request/MD5 Challenge. The client calculates the MD5 code and performs a check based on the security policy.
7. Client -> access control device: EAP-Response/MD5 Challenge
8. Access control device -> RADIUS server: RADIUS Access-Request (EAP-Response/MD5 Challenge). The server verifies the identity and calculates the VLAN parameters.
9. RADIUS server -> access control device: RADIUS Access-Accept (EAP-Success)
10. Access control device -> client: EAP-Success
MAC Address Authentication Introduction
• MAC address authentication uses the MAC address of a terminal as the identity credential for authentication in the system. With MAC address authentication enabled, when a terminal connects to the network, the network access device obtains the MAC address of the terminal and uses the MAC address as the user name and password for authentication.
[Figure: office area in which an employee, an IP phone and a printer connect to the access device, which authenticates them against the RADIUS server]

MAC Address Authentication Scenario
• MAC address authentication application scenario
  • Dumb terminals, such as printers and IP phones, cannot enter user account information for authentication and authorization.
  • Some special users, such as intelligent terminal users, want to access the network "without being authenticated" and do not want to enter the user account information for authentication.
[Figure: an intelligent terminal, an IP phone and a printer connect to the access device, which authenticates them against the RADIUS server]

MAC Address Authentication Process
[Figure: message sequence among the printer, the access control device and the RADIUS server]
1. The printer and the access control device set up a pre-connection.
2. The printer sends ARP, DHCP, ND, or DHCPv6 packets, which trigger MAC address authentication on the access control device.
3. The access control device sends a user name and a password to the RADIUS server.
4. After successful verification, the RADIUS server sends authentication success packets. The access control device authorizes the port, and the user is enabled to log in after successful authentication.
5. A deregistration request is sent.
6. The access control device sends an accounting stop request to the RADIUS server.
7. The RADIUS server sends an accounting stop response. The port authorization is stopped, and the user is deleted from the online user list on both the access control device and the RADIUS server.

Contents
1. Access Control Overview
2. 802.1X Authentication and MAC Address Authentication Principles
3. 802.1X Authentication and MAC Address Authentication Configurations and Deployment
  • Wired 802.1X Authentication
  • Wireless 802.1X Authentication
  • Wired MAC Address Authentication
  • Wireless MAC Address Authentication
4. 802.1X Authentication Troubleshooting

802.1X Authentication Application Scenario
802.1X authentication application scenarios:
• Wired access layer: highest security performance; large number of devices; complex management.
• Wired aggregation layer: medium and high security performance; small number of devices; easy management.
• Wireless access: high security performance; small number of devices; easy management.

Wired 802.1X Authentication
• A company maintains user accounts and organizations on the AD server and wants to provide wired access for office users in its campus. Wired 802.1X authentication can be used to ensure security. Authenticated users can access Internet resources.
[Figure: network topology. Terminals connect to G0/0/1 of the access switch S2750EI (VLAN 101, 172.16.11.0/24); the access switch uplinks from G0/0/2 to G0/0/1 of the aggregation switch S5720HI, which is the authentication control point; the aggregation switch connects from G0/0/2 (VLAN 102, 192.168.100.0/24) to G1/0/1 of the core switch S7700, whose G1/0/2 leads to the campus egress router; the server area (VLAN 200, 192.168.11.0/24) holds the DNS server, the Agile Controller-Campus and the AD server.]
Configuration Procedure
Configuration procedure:
1. Configuration planning
2. Basic configuration
3. 802.1X configuration
  • Configuration of transparent transmission of EAP packets on the access switch
  • Configuration of the authentication control point on the aggregation switch
4. Agile Controller-Campus authentication configuration

Configure Basic Data for Network Connectivity
• Configure basic data for network connectivity.
  • Configure the VLAN and IP address on the access switch.
  • Configure the aggregation switch.
    • Configure the VLAN and IP address, and enable DHCP.
    • Configure a static route to the network segment where the authentication server resides.
  • Configure the core switch.
    • Configure the VLAN and IP address.
    • Configure a static route to the network segment where terminals reside.

Configure 802.1X Authentication on the Access Switch
• Configure transparent transmission of EAP packets on the access switch.
  • Define Layer 2 transparent transmission of EAP packets. 0180-c200-0003 is the destination MAC address of EAPoL frames; the access switch rewrites it to the group MAC address and forwards the frames to the aggregation switch instead of processing them itself.
[S2700] l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
  • Enable Layer 2 transparent transmission on the uplink and downlink interfaces on the access switch.
[S2700] interface GigabitEthernet 0/0/1
[S2700-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol dot1x enable
[S2700-GigabitEthernet0/0/1] bpdu enable
[S2700] interface GigabitEthernet 0/0/2
[S2700-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol dot1x enable
[S2700-GigabitEthernet0/0/2] bpdu enable

Configure 802.1X Authentication on the Aggregation Switch (1/3)
• Configure wired 802.1X authentication on the aggregation switch.
  • Configure a RADIUS server template, an authentication scheme, and an accounting scheme.
[S5700] authentication unified-mode //If the default mode unified-mode is used, you do not need to run this command.
[S5700] radius-server template radius_template
[S5700-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 192.168.100.100
[S5700-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 192.168.100.100
[S5700-radius-radius_template] radius-server shared-key cipher Admin@123
[S5700] radius-server authorization 192.168.11.10 shared-key cipher Admin@123

Configure 802.1X Authentication on the Aggregation Switch (2/3)
• Configure wired 802.1X authentication on the aggregation switch.
  • Invoke the RADIUS authentication template in the AAA.
[S5700] aaa
[S5700-aaa] authentication-scheme auth_scheme //Authentication scheme.
[S5700-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication scheme to RADIUS.
[S5700-aaa] accounting-scheme acco_scheme //Accounting scheme.
[S5700-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting scheme to RADIUS.
[S5700-aaa-accounting-acco_scheme] accounting realtime 15
[S5700-aaa] domain default //Configure the default global domain.
[S5700-aaa-domain-default] authentication-scheme auth_scheme
[S5700-aaa-domain-default] accounting-scheme acco_scheme
[S5700-aaa-domain-default] radius-server radius_template //Invoke the RADIUS authentication template.

Configure 802.1X Authentication on the Aggregation Switch (3/3)
• Configure wired 802.1X authentication on the aggregation switch.
  • Set wired 802.1X authentication parameters.
[S5700] interface GigabitEthernet 0/0/1
[S5700-GigabitEthernet0/0/1] authentication dot1x
  • Configure the user pre-authentication domain (the destinations reachable before authentication).
[S5700] authentication free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255
[S5700] authentication free-rule 2 destination ip 192.168.11.100 mask 255.255.255.255
  • Configure an ACL to define accessible resources after authentication (this example permits all IP traffic).
[S5700] acl 3001
[S5700-acl-adv-3001] rule 1 permit ip

Configure the Agile Controller-Campus - Add Authentication Devices
• Choose Resource > Device > Device Management, and add authentication devices.

Configure the Agile Controller-Campus - Configure Authentication and Authorization
• Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule, and modify the default authentication rule or create authentication rules.
• Choose Policy > Permission Control > Authentication & Authorization > Authorization Result, and add authorization ACLs.

Configure the Agile Controller-Campus - Bind Authorization Results
• Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule, and bind the authorization results to specify the resources accessible to users after successful authentication.

Verify the Result
• On a fixed terminal, use the built-in 802.1X client of the operating system for authentication:
  • Before being authenticated, you can ping only resources in the server area.
  • After being authenticated, you can ping Internet resources.
• On the aggregation switch, run the display access-user and display access-user user-id user-id commands to view the detailed information about online users.
• On the Agile Controller-Campus, choose Resource > User > RADIUS Log to view the RADIUS logs containing the detailed information about end users.

Wireless 802.1X Authentication
• A company maintains user accounts and organizations on the AD server and wants to provide wireless access for office users in its campus. Wireless 802.1X authentication can be used to ensure security. Authenticated users can access Internet resources.
[Figure: network topology. The AP (VLAN 10, service VLAN 100) connects to G0/0/3 of the access switch S2750EI; the access switch uplinks from G0/0/2 to G0/0/1 of the aggregation switch S5720HI; the AC 6605 (VLAN 10, 10.10.10.254/24) connects from its G0/0/1 to G0/0/3 of the aggregation switch and is the authentication control point; the aggregation switch connects from G0/0/2 to G1/0/1 of the core router behind the firewall; the server area (192.168.11.0/24) holds the Agile Controller-Campus and the AD server; wireless users use the 172.16.21.0/24 segment.]
Configuration Procedure
Configuration procedure:
1. Configuration planning
2. Basic configuration
3. 802.1X and wireless access configuration
  • RADIUS authentication parameter setting
  • Wireless access service parameter setting
4. Agile Controller-Campus authentication configuration

Configure Basic Data for Network Connectivity
• Configure basic data for network connectivity.
  • Configure the VLAN and IP address on the access switch.
  • Configure the VLAN and IP address on the aggregation switch.
  • Configure the AC.
    • Configure the interfaces to allow packets from the management VLAN and service VLAN to pass through.
    • Configure the gateway IP address, and enable DHCP.
    • Configure the default route with the core router as the next hop.
    • Set the parameters for connecting APs to the AC.

Configure 802.1X Access on the AC (1/2)
• Configure a RADIUS server template, an authentication scheme, and an accounting scheme.
[AC] radius-server template radius_template
[AC-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server shared-key cipher Admin@123
[AC-radius-radius_template] radius-server user-name original
[AC] radius-server authorization 192.168.11.10 shared-key cipher Admin@123

[AC] aaa
[AC-aaa] authentication-scheme auth_scheme //Authentication scheme.
[AC-aaa-authen-auth_scheme] authentication-mode radius
[AC-aaa] accounting-scheme acco_scheme //Accounting scheme.
[AC-aaa-accounting-acco_scheme] accounting-mode radius
[AC-aaa-accounting-acco_scheme] accounting realtime 15

Configure 802.1X Access on the AC (2/2)
• Configure an access profile.
[AC] dot1x-access-profile name acc_dot1x
• Configure an authentication profile.
  • Specify the user access mode in the authentication profile through the access profile. Bind the RADIUS authentication scheme, accounting scheme, and server template to the authentication profile so that RADIUS authentication is used.
[AC] authentication-profile name auth_dot1x
[AC-authentication-profile-auth_dot1x] dot1x-access-profile acc_dot1x
[AC-authentication-profile-auth_dot1x] authentication-scheme auth_scheme
[AC-authentication-profile-auth_dot1x] accounting-scheme acco_scheme
[AC-authentication-profile-auth_dot1x] radius-server radius_template

Set Wireless 802.1X Service Parameters on the AC (1/2)
• Create a security profile and configure the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name security_dot1x
[AC-wlan-sec-prof-security_dot1x] security wpa2 dot1x aes
• Create an SSID profile and set the SSID name.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid dot1x_access
Warning: This action may cause service interruption. Continue?[Y/N]y

Set Wireless 802.1X Service Parameters on the AC (2/2)
• Create a VAP profile, configure the service data forwarding mode and service VLAN, and apply the security, SSID, and authentication profiles to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 100
[AC-wlan-vap-prof-wlan-vap] security-profile security_dot1x
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile auth_dot1x
• Create an AP group and apply the VAP profile to the AP group.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all

Configure the Agile Controller-Campus - Add Authentication Devices
• Choose Resource > Device > Device Management, and add an AC, which will, together with the access control device, implement RADIUS interconnection.

Configure the Agile Controller-Campus - Configure Authentication and Authorization
• Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule, and modify the default authentication rule or create authentication rules.
• Choose Policy > Permission Control > Authentication & Authorization > Authorization Result, and add authorization ACLs.

Configure the Agile Controller-Campus - Bind Authorization Results
• Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule, and bind the authorization results to specify the resources accessible to users after successful authentication.

Verify the Result
• Use a mobile phone to associate with the SSID dot1x_access, and enter an AD domain user name and password.
• Obtain an IP address on the network segment 172.16.21.0/24 after successful authentication, and access Internet resources using this IP address.
• Run the display access-user and display access-user user-id user-id commands on the AC to view detailed information about the online user.
• On the Agile Controller-Campus, choose Resource > User > RADIUS Log to view RADIUS logs.

MAC Address Authentication Application Scenario
MAC address authentication application scenarios:
• Dumb terminal: MAC address authentication
• 802.1X authentication scenario: MAC address bypass authentication
Characteristics:
• The authentication is performed automatically and does not require users to enter user names and passwords.
• No authentication client needs to be installed on the terminals.
• MAC addresses can be easily forged, leading to low security.

Wired MAC Address Authentication
• Unauthorized access to the intranet of a company may lead to system damage and information leakage. Therefore, the administrator wants to control the network access rights of users. However, dumb terminals in the physical access control department of the company do not support the installation of the AnyOffice client. In this case, wired MAC address authentication needs to be used.
[Figure: network topology. The printer connects to G0/0/1 of the access switch S2750EI (VLAN 101, 172.16.11.0/24); the access switch uplinks from G0/0/2 to G0/0/1 of the aggregation switch S5720HI, which is the authentication control point; the aggregation switch connects from G0/0/2 (VLAN 102, 192.168.100.0/24) to G1/0/1 of the core switch S7700, whose G1/0/2 leads to the campus egress firewall; the pre-authentication domain in the server area (VLAN 200, 192.168.11.0/24) holds the DNS server and the Agile Controller-Campus.]

Configuration Procedure
Configuration procedure:
1. Configuration planning
2. Basic configuration
3. 802.1X and MAC address-based access configuration
  • RADIUS interconnection parameter setting
  • Setting of parameters for the MAC address-based access service
4. Agile Controller-Campus authentication configuration

Configure Basic Data for Network Connectivity
• Configure basic data for network connectivity.
  • Configure the VLAN and IP address on the access switch.
  • Configure the VLAN and IP address on the aggregation switch.
  • Configure the core switch.
    • Configure the VLAN and IP address.
    • Configure a static route to the network segment where terminals reside.

Set RADIUS Interconnection Parameters on the Aggregation Switch
• On the aggregation switch, configure a RADIUS server template, an authentication scheme, and an accounting scheme.
[S5700] radius-server template radius_template
[S5700-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 192.168.100.100
[S5700-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 192.168.100.100
[S5700-radius-radius_template] radius-server shared-key cipher Admin@123
[S5700] radius-server authorization 192.168.11.10 shared-key cipher Admin@123
[S5700] aaa
[S5700-aaa] authentication-scheme auth_scheme //Authentication scheme.
[S5700-aaa-authen-auth_scheme] authentication-mode radius
[S5700-aaa] accounting-scheme acco_scheme //Accounting scheme.
[S5700-aaa-accounting-acco_scheme] accounting-mode radius
[S5700-aaa-accounting-acco_scheme] accounting realtime 15
[S5700-aaa] domain default
[S5700-aaa-domain-default] authentication-scheme auth_scheme
[S5700-aaa-domain-default] accounting-scheme acco_scheme
[S5700-aaa-domain-default] radius-server radius_template

Configure MAC Address Authentication on the Aggregation Switch
• Enable MAC address authentication on GE0/0/1 of the aggregation switch.
[S5700] interface gigabitethernet 0/0/1
[S5700-GigabitEthernet0/0/1] authentication mac-authen
[S5700-GigabitEthernet0/0/1] authentication mode multi-authen max-user 100 // Allow multiple users to go online on the interface and set the maximum number of online users allowed on the interface to 100.
• Globally set the user name format used for MAC address authentication to the MAC address without hyphens (-).
[S5700] mac-authen username macaddress format without-hyphen
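What the access device actually sends in step 3 of the MAC address authentication process, and what the server checks in step 4, as an added Python example that is neither course material nor Huawei's implementation: the User-Name is the MAC in the without-hyphen format configured above, the User-Password (also the MAC) is hidden with the RFC 2865 shared-secret obfuscation, and the server recovers it and checks the name against its device group. The shared secret, MAC address, RADIUS identifier and device group are constructed sample values.

```python
"""MAC address authentication on the wire: the access device's RADIUS Access-Request (PAP) and
the server's check. Constructed example; secret, MAC and device group are sample values."""
import hashlib
import hmac
import os
import re
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def mac_username(mac: str) -> str:
    """User name in the 'without-hyphen' format: 12 lowercase hex digits, any separators removed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def _xor_blocks(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result   # chaining always uses the ciphertext block
    return out


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a multiple of 16 bytes
    return _xor_blocks(padded, secret, authenticator, decrypt=False)


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_blocks(encoded, secret, authenticator, decrypt=True).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_mac_access_request(mac: str, secret: bytes, identifier: int) -> bytes:
    """Step 3: the access device sends the MAC as both User-Name and User-Password."""
    name = mac_username(mac).encode()
    authenticator = os.urandom(16)   # Request Authenticator, fresh for every request
    attrs = attribute(ATTR_USER_NAME, name)
    attrs += attribute(ATTR_USER_PASSWORD, encode_user_password(name, secret, authenticator))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list after the 20-byte header, rejecting malformed lengths."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated RADIUS attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute length")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def server_accepts(packet: bytes, secret: bytes, device_group: set) -> bool:
    """Step 4: recover the password with the shared secret, then require that the name is a
    registered device and that the password equals the name, as MAC authentication expects."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_REQUEST or length != len(packet):
        return False
    authenticator = packet[4:20]
    attrs = parse_attributes(packet)
    if ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return False
    name = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return name in device_group and hmac.compare_digest(password, name.encode())
```

The decision rests entirely on the MAC the terminal presents, which is the "easily forged, low security" property noted in the scenario slide; a wrong shared secret shows up as a password that no longer decodes to the name.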

Configure the Agile Controller-Campus - Add Devices
• Choose Resource > Device > Device Management, and click Add. Set the device connection parameters.

Configure the Agile Controller-Campus - Add Authentication Rules
• Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule, and click Add. Set the authentication rule parameters.

Configure the Agile Controller-Campus - Add Devices Requiring MAC Address Authentication
• Choose Resource > Terminal > Terminal List. Select the first node in the Device Group list and click Add on the right to create a device group for MAC authentication.
• In the Device Group list, select MAC. On the Device List tab page on the right, click Add and enter the MAC address of the device to be added.

Configure the Agile Controller-Campus - Add Authorization Rules
• Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule, and click Add. Create authorization rules that allow the access of devices passing MAC authentication and reject the access of other devices.

Verify the Result
• After the configuration is complete, run the display mac-authen command on the aggregation switch to view the MAC address authentication configuration. In the output, you can get the information indicating that MAC address authentication is enabled on GE0/0/1.
• After a user starts a dumb terminal, the aggregation switch automatically obtains the dumb terminal's MAC address as the user name and password for authentication. After successful authentication, the dumb terminal can access the Internet.
• After the dumb terminal goes online, run the display access-user access-type mac-authen command on the aggregation switch to view the information about the online terminal authenticated based on the MAC address.
• On the Agile Controller-Campus, choose Resource > User > RADIUS Log to view RADIUS logs.

Wireless MAC Address Authentication
• Dumb terminals in the physical access control department of a company associate with the AP with the SSID mac_access. The AC functions as a DHCP server to assign IP addresses on the network segment 10.10.10.0/24 to APs, and controls and manages all users in centralized mode.
[Figure: network topology. The AP (VLAN 10, service VLAN 100) connects to G0/0/3 of the access switch S2750EI; the access switch uplinks from G0/0/2 to G0/0/1 of the aggregation switch S5720HI; the AC 6605 (VLAN 10, 10.10.10.254/24) connects from its G0/0/1 to G0/0/3 of the aggregation switch and is the authentication control point; the aggregation switch connects from G0/0/2 to G1/0/1 of the core router behind the firewall; the pre-authentication domain in the server area (192.168.11.0/24) holds the Agile Controller-Campus and the DNS server; 172.16.21.254/24 is the address shown on the terminal segment.]

Configuration Procedure
Configuration procedure:
1. Configuration planning
2. Basic configuration
3. 802.1X and MAC address-based access configuration
  • RADIUS interconnection parameter setting
  • Setting of parameters for the MAC address-based access service
4. Agile Controller-Campus authentication configuration

Configure Basic Data for Network Connectivity
• Configure basic data for network connectivity.
  • Configure the VLAN and IP address on the access switch.
  • Configure the VLAN and IP address on the aggregation switch.
  • Configure the AC.
    • Configure the interfaces to allow packets from the management VLAN and service VLAN to pass through.
    • Configure the gateway IP address, and enable DHCP.
    • Configure the default route with the core router as the next hop.
    • Set the parameters for connecting APs to the AC.

Set RADIUS Interconnection Parameters on the AC (1/2)
• Configure a RADIUS server template, an authentication scheme, and an accounting scheme.
[AC] radius-server template radius_template
[AC-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server shared-key cipher Admin@123
[AC-radius-radius_template] radius-server user-name original // Configure the device to send the user names entered by users to the RADIUS server.
[AC] radius-server authorization 192.168.11.10 shared-key cipher Admin@123

[AC] aaa
[AC-aaa] authentication-scheme auth_scheme //Authentication scheme.
[AC-aaa-authen-auth_scheme] authentication-mode radius
[AC-aaa] accounting-scheme acco_scheme //Accounting scheme.
[AC-aaa-accounting-acco_scheme] accounting-mode radius
[AC-aaa-accounting-acco_scheme] accounting realtime 15

Set RADIUS Interconnection Parameters on the AC (2/2)
• Configure an access profile.
[AC] mac-access-profile name mac
• Configure an authentication profile.
[AC] authentication-profile name mac
[AC-authentication-profile-mac] mac-access-profile mac
[AC-authentication-profile-mac] authentication-scheme auth_scheme
[AC-authentication-profile-mac] accounting-scheme acco_scheme
[AC-authentication-profile-mac] radius-server radius_template

Set Wireless MAC Address Authentication Parameters on the AC (1/2)
• Create a security profile and configure the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name security-mac
• Create an SSID profile and set the SSID name.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid mac_access
Warning: This action may cause service interruption. Continue?[Y/N]y

Set Wireless MAC Address Authentication Parameters on the AC (2/2)
 Create a VAP profile, configure the service data forwarding mode and service VLAN, and apply the security, SSID, and authentication profiles to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 100
[AC-wlan-vap-prof-wlan-vap] security-profile security-mac
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile mac

 Configure an AP group and apply the VAP profile to the AP group.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all

Configure the Agile Controller-Campus - Add Devices
 Choose Resource > Device > Device Management, and click Add. Set device connection parameters.

Configure the Agile Controller-Campus - Add Authentication Rules
 Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule, and click Add. Set authentication rule parameters.

Configure the Agile Controller-Campus - Add Devices Requiring MAC Address Authentication
 Choose Resource > Terminal > Terminal List. Select the first node in the Device Group list and click Add on the right to create a device group for MAC authentication.
 In the Device Group list, select MAC. On the Device List tab page on the right, click Add and enter the MAC address of the device to be added.

Configure the Agile Controller-Campus - Add Authorization Rules
 Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule, and click Add. Create authorization rules that allow the access of devices passing MAC authentication and reject the access of other devices.

Verify the Result
 After the configuration is complete, run the display mac-authen command on the AC to view the MAC address authentication configuration.
 After a dumb terminal associates with the WLAN with the SSID mac_access, the AC automatically obtains the dumb terminal's MAC address as the user name and password for authentication. After successful authentication, the dumb terminal can access the Internet.
 After the dumb terminal goes online, run the display access-user access-type mac-authen command on the AC to view the information about the online terminal authenticated based on the MAC address.
 On the Agile Controller-Campus, choose Resource > User > RADIUS Log to view RADIUS logs.
Contents
1. Access Control Overview
2. 802.1X Authentication and MAC Address Authentication
Principles
3. 802.1X Authentication and MAC Address Authentication
Configurations and Deployment
4. 802.1X Authentication Troubleshooting

802.1X Access Fault
 To locate and rectify the 802.1X access fault, perform operations according to the following flowchart (rendered here as text).
802.1X authentication fails
  -> Check the execution result of the test-aaa command on the access control device
     Failure -> Check whether the RADIUS keys of the SM match those of the access control device
             -> Check whether the account/password is correct
     Success -> Check whether the SM generates RADIUS logs
             -> Logs generated or not?
                Yes -> Check configuration on the Agile Controller-Campus
                No  -> Check configuration on the access control device
     Timeout -> Check whether the SC ports are occupied
             -> Check whether the SC is started
  -> The fault is rectified
SC: Service Controller
SM: Service Manager

Check the Execution Result of the test-aaa Command on the Access Control Device
 If the 802.1X access fault occurs, check the execution result of the test-aaa command on the access control device.
 On the switch or AC, test the RADIUS server template to check whether the RADIUS server template configuration is correct.
 Assume that the RADIUS server template name is template1. If you use the common account tony for identity authentication, enter the following command to perform the test:
<AC> test-aaa tony Admin@123 radius-template template1 pap

 If you use the AD account tony@example.com for identity authentication, enter the following command to perform the test:
<AC> test-aaa tony@example.com Admin@123 radius-template template1 pap

Check Whether Keys of the SM Match Those of the Access Control Device
 On the access control device, run the display radius-server configuration template XXX (template name) command to view the shared key specified by Shared-secret-key.
 On the Agile Controller-Campus, choose Resource > Device > Device Management, and set the RADIUS authentication key and accounting key of the Agile Controller-Campus to the same as those of the access control device, as shown in the following figure.
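The two points above (the AC sending the dumb terminal's MAC address as both user name and password, and the shared key having to match on both sides) can be seen in the RADIUS packet itself. The following is an added example, not code from the Huawei course or from the Agile Controller: it builds a PAP Access-Request the way a NAS would for a MAC-authenticated terminal, then shows the server side recovering the password with its own shared key. The MAC address, NAS IP address and user-name format are constructed (the real format depends on the device's MAC user-name settings); the shared key is the Admin@123 value used in the configuration example.

```python
"""Added example (not from the Huawei course): a MAC-authentication
Access-Request carrying the MAC address as User-Name and User-Password (PAP),
and the server-side check that only succeeds when both ends use the same
RADIUS shared key. Addresses and the MAC below are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1          # RADIUS Code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    16-byte Request Authenticator from the packet header."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(mac: str, secret: bytes, identifier: int,
                         nas_ip: str, authenticator: bytes = None) -> bytes:
    """Packet the AC would send for a dumb terminal: the MAC address (format
    assumed here to be 12 hex digits) is both the User-Name and the cleartext
    User-Password before PAP obfuscation."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, mac.encode())
             + attr(ATTR_USER_PASSWORD, pap_encrypt(mac.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attrs(packet: bytes) -> dict:
    """Walk the TLV attribute list that follows the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def server_check(packet: bytes, secret: bytes, known_macs: set) -> bool:
    """Server side: recover the password with *its* shared key and compare it
    with the User-Name. With a mismatched key the decrypted bytes are garbage,
    so the request is rejected even though the MAC is in the allowed list."""
    authenticator = packet[4:20]
    attrs = parse_attrs(packet)
    user = attrs[ATTR_USER_NAME]
    password = pap_decrypt(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return user == password and user.decode(errors="replace") in known_macs


if __name__ == "__main__":
    key = b"Admin@123"                       # shared key from the configuration example
    pkt = build_access_request("00e0fc123456", key, 7, "10.10.10.254")   # constructed MAC/NAS
    print("same key, known MAC   :", server_check(pkt, key, {"00e0fc123456"}))
    print("different key on server:", server_check(pkt, b"OtherKey", {"00e0fc123456"}))
```

The second call is what a key mismatch looks like from the server's side: the User-Name is readable, but the User-Password does not decrypt to it, which is why the Agile Controller-Campus rejects the request and why the check on this slide compares the Shared-secret-key on the device with the keys entered under Device Management.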

Check Whether the SC Ports Are Occupied
 Check whether a conflict occurs on the ports 1812 and 1813 used by the SC.
C:\ netstat -nao | findstr 1812 //Find all processes occupying the port 1812.
UDP 0.0.0.0:1812 *:* 1803
UDP [::]:1812 *:* 1804

 Identifiers of the processes occupying the port are displayed in the last column of the command output. If different process identifiers are displayed in the output, different processes occupy the port, indicating that a port conflict occurs.
C:\ tasklist /fi "pid eq 1804" //List the names of the processes with the identifier 1804.
Image name PID session name Session# Memory usage
========================================================================
svchost.exe 1804 Services 0 234,208 K
 The preceding information indicates that the Network Policy Server service of the Windows operating system occupies the port 1812.

 Disable or uninstall the Network Policy Server service.
 Choose Start > Control Panel > Management tools, and double-click Services. (On the Control Panel page, if you set View By to Small icons or Large icons, the Administrative Tools icon is displayed.)
 Find the Network Policy Server service and disable it.
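The manual netstat/tasklist check above can be scripted so the comparison of PIDs per port is not done by eye. The following is an added example and not part of the Huawei course or the Agile Controller: it parses constructed samples of netstat -nao and tasklist output (the PIDs, the java.exe image name and the 8443 line are made up to mirror the slide) and reports any SC port bound by more than one process, naming the processes involved.

```python
"""Added example (not from the Huawei course): detect a RADIUS port conflict on
the SC host from `netstat -nao` and `tasklist` output. The sample output below
is constructed; on a real SC host feed in the output of those two commands."""
import re
from collections import defaultdict

# Constructed sample of `netstat -nao` output (Windows). PIDs are made up.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:1812           *:*                                    1803
  UDP    [::]:1812              *:*                                    1804
  UDP    0.0.0.0:1813           *:*                                    1803
  UDP    [::]:1813              *:*                                    1803
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       1803
"""

# Constructed sample of `tasklist` output, used to name the owning processes.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                   1804 Services                   0    234,208 K
java.exe                      1803 Services                   0  1,024,512 K
"""

SC_PORTS = (1812, 1813)   # RADIUS authentication / accounting ports used by the SC

# proto, local address, local port, foreign address, optional state, PID
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+\S+)?\s+(\d+)\s*$")
TASKLIST_LINE = re.compile(r"^(\S+)\s+(\d+)\s")


def udp_listeners(netstat_output: str, ports=SC_PORTS) -> dict:
    """Map each watched UDP port to the set of PIDs bound to it.
    IPv4 (0.0.0.0) and IPv6 ([::]) bindings of the same port are merged,
    which is exactly the case the slide shows (1803 vs 1804 on port 1812)."""
    owners = defaultdict(set)
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and m.group(1) == "UDP" and int(m.group(3)) in ports:
            owners[int(m.group(3))].add(int(m.group(4)))
    return dict(owners)


def process_names(tasklist_output: str) -> dict:
    """Map PID -> image name from `tasklist` output; header and separator
    lines do not match because their second column is not numeric."""
    names = {}
    for line in tasklist_output.splitlines():
        m = TASKLIST_LINE.match(line)
        if m:
            names[int(m.group(2))] = m.group(1)
    return names


def port_conflicts(netstat_output: str, tasklist_output: str, ports=SC_PORTS) -> dict:
    """Return {port: {pid: image_name}} for every watched port that more than
    one process has bound. Per the slide, different PIDs on one port mean a
    conflict, e.g. the Network Policy Server (svchost.exe) next to the SC."""
    names = process_names(tasklist_output)
    result = {}
    for port, pids in udp_listeners(netstat_output, ports).items():
        if len(pids) > 1:
            result[port] = {pid: names.get(pid, "<unknown>") for pid in sorted(pids)}
    return result


if __name__ == "__main__":
    for port, owners in port_conflicts(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(f"port {port} is bound by more than one process: {owners}")
```

On a real SC host the expected state is a single image (the SC's RadiusServer process) on both 1812 and 1813; any second image name reported for a port is the one to disable, as the slide does for the Network Policy Server.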
Check Whether the SC Is Started Normally
 On the hardware server where the SC is installed, choose Start > All Programs > Huawei > Agile Controller > Server Startup Config, click the SC Monitor tab, and check whether AuthServer, RadiusServer, and PortalServer are in Running state.

Check the Configuration on the Access Control Device (1/2)
 After the preceding check operations are complete, check whether RADIUS authentication logs are generated on the Agile Controller-Campus. If no, perform the following operations:
 Wired scenario: On the access control device interface, check whether 802.1X authentication is enabled and whether the authentication protocol is configured correctly.
 In the wired 802.1X authentication scenario, if 802.1X authentication is not enabled or the authentication protocol is configured incorrectly, end users fail 802.1X authentication.
 Wireless scenario: Check whether the security profile is correctly configured on the access control device.
 In the wireless 802.1X authentication scenario, if the access control device is not configured with the security profile, end users fail wireless 802.1X authentication.
Check the Configuration on the Access Control Device (2/2)
 DHCP + AnyOffice scenario: Before authentication, check whether the terminal can communicate with the SC directly.
 If the AnyOffice on the terminal can communicate with the SC directly before authentication, the SC directly initiates common authentication rather than 802.1X authentication. As a result, the terminal cannot go online through the access control device.
 Aggregation layer 802.1X authentication scenario: Check whether EAP transparent transmission is enabled on the access switch.
 EAP packets transmitted between the terminal and the access control device at the aggregation layer are Layer 2 protocol packets. If Layer 2 switches exist between the terminal and the access control device and these Layer 2 switches do not forward Layer 2 protocol packets by default, the terminal and the access control device at the aggregation layer may fail to communicate with each other.

Check the Configuration on the Agile Controller-Campus (1/2)
 After the preceding check operations are complete, check whether RADIUS authentication logs are generated on the Agile Controller-Campus. If yes, perform the following operations:
 AD authentication scenario: 1. Check whether the SC is added to the AD domain. 2. Check whether the domain name is contained in the account information sent by the access control device. 3. Check whether the password consists of more than 32 characters.
 AD/LDAP authentication scenario: 1. Check whether a third-party data source is selected in the authentication rule. 2. Check whether the protocol in the authentication rule is correct.
 Check whether the RADIUS keys of the Agile Controller-Campus are consistent with those of the access control device.

Check the Configuration on the Agile Controller-Campus (2/2)
 Check whether the Portal authentication option is disabled.
 Check whether the authorization result is configured on the access control device.
 RADIUS relay scenario: 1. Check whether keys of the third-party RADIUS server match those of the SM. 2. Check whether authentication protocol negotiation fails.
 Check whether the authentication server certificate of the built-in 802.1X authentication client of the Windows operating system is enabled.
 Check whether any third-party 802.1X authentication client conflicts with the AnyOffice.
 Check whether there is an authentication error code. Search for the error code and perform corresponding operations.

Quiz
1. Which of the following user name formats cannot be used for MAC address authentication? ( )
A. MAC address
B. Fixed user name
C. DHCP option
D. ARP option

2. Which of the following are access control technologies? ( )
A. 802.1X authentication
B. MAC address authentication
C. Portal authentication
D. SACG authentication

Summary
 802.1X Authentication and MAC Authentication Principles
 802.1X Authentication and MAC Address Authentication Configurations and Deployment
 Wired 802.1X Authentication
 Wireless 802.1X Authentication
 Wired MAC Address Authentication
 Wireless MAC Address Authentication
 802.1X Authentication Troubleshooting

Thank You
www.huawei.com
