H3C MSR1000[2600][3600] Routers Configuration Examples All-in-One-R9141-6W100


H3C Routers

Local 802.1X Authentication Configuration Examples

Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides an example for configuring local 802.1X authentication on routers.

Prerequisites

The following information applies to Comware 9-based routers. Procedures and information in the examples might be slightly different depending on the software or hardware version of the routers.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of AAA and 802.1X.

Example: Configuring local 802.1X authentication

Network configuration

As shown in Figure 1, configure the router to perform local 802.1X authentication for users connected to GigabitEthernet 0/0/1. Implement port-based access control on the port.

Figure 1 Network diagram

Software versions used

This configuration example was created and verified on R9141P16 of the MSR2630E-X1 router.

Restrictions and guidelines

This example can be implemented only on devices that have Layer 2 switching cards installed and have fixed Layer 2 interfaces.

Procedures

# Enable 802.1X globally.

<Router> system-view
[Router] dot1x

# Create VLAN-interface 1, and assign an IP address to it. The VLAN interface acts as the gateway for the host.

[Router] interface vlan-interface 1
[Router-Vlan-interface1] ip address 192.168.100.1 255.255.255.0
[Router-Vlan-interface1] quit

# Create a network access user named localuser and set the password to localpass in plaintext form.

[Router] local-user localuser class network
[Router-luser-network-localuser] password simple localpass

# Set the service type to lan-access.

[Router-luser-network-localuser] service-type lan-access
[Router-luser-network-localuser] quit

# Enable 802.1X on GigabitEthernet 0/0/1.

[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] dot1x

# Enable port-based access control on the port. By default, the port uses MAC-based access control.

[Router-GigabitEthernet0/0/1] dot1x port-method portbased
[Router-GigabitEthernet0/0/1] quit

Verifying the configuration

# Use the display dot1x interface command to view 802.1X information on GigabitEthernet 0/0/1.

[Router] display dot1x interface gigabitethernet 0/0/1

Global 802.1X parameters:
   802.1X authentication      : Enabled
   CHAP authentication        : Enabled
   Max-tx period              : 30 s
   Handshake period           : 15 s
   Quiet timer                : Disabled
       Quiet period           : 60 s
   Supp timeout               : 30 s
   Server timeout             : 100 s
   Reauth period              : 3600 s
   Max auth requests          : 2
   SmartOn supp timeout       : 30 s
   SmartOn retry counts       : 3
   EAD assistant function     : Disabled
       EAD timeout            : 30 min
   Domain delimiter           : @
 Online 802.1X wired users    : 0
 Online 802.1X wireless users : 0

 GigabitEthernet0/0/1  is link-up
   802.1X authentication      : Enabled
   Handshake                  : Enabled
   Handshake reply            : Disabled
   Handshake security         : Disabled
   Unicast trigger            : Disabled
   Periodic reauth            : Disabled
   Port role                  : Authenticator
   Authorization mode         : Auto
   Port access control        : Port-based
   Multicast trigger          : Enabled
   Mandatory auth domain      : Not configured
   Guest VLAN                 : Not configured
   Auth-Fail VLAN             : Not configured
   Critical VLAN              : Not configured
   Critical voice VLAN        : Disabled
   Re-auth server-unreachable : Logoff
   Max online users           : 4294967295
   SmartOn                    : Disabled

   EAPOL packets: Tx 3, Rx 0
   Sent EAP Request/Identity packets : 3
        EAP Request/Challenge packets: 0
        EAP Success packets: 0
        EAP Failure packets: 0
        EAP Notification packets: 0
   Received EAPOL Start packets : 0
            EAPOL LogOff packets: 0
            EAP Response/Identity packets : 0
            EAP Response/Challenge packets: 0
            Error packets: 0
   Online 802.1X users: 0

# Execute the display dot1x sessions command to verify that the user can come online after entering the correct username and password.
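
The verification step above can be automated. The following is an added example, not H3C tooling or part of the original document: it parses captured display dot1x interface output and reports every field that differs from the state this configuration should produce. The sample text is a constructed, abridged copy of the output on this page, and the names parse_dot1x, deviations and EXPECTED are hypothetical.

```python
import re

# Constructed sample: abridged copy of the display output shown on this page.
SAMPLE = """\
Global 802.1X parameters:
   802.1X authentication      : Enabled

 GigabitEthernet0/0/1  is link-up
   802.1X authentication      : Enabled
   Port role                  : Authenticator
   Authorization mode         : Auto
   Port access control        : Port-based
   EAPOL packets: Tx 3, Rx 0
"""

# Expected post-configuration values, taken from the output on this page.
EXPECTED = {
    "global": {"802.1X authentication": "Enabled"},
    "port": {"802.1X authentication": "Enabled", "Port role": "Authenticator",
             "Authorization mode": "Auto", "Port access control": "Port-based"},
}

def parse_dot1x(text):
    """Return {section: {field: value}}; section is 'global' or an interface name."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"(\S+)\s+is\s+link-\S+$", line)
        if header:                                   # e.g. "GigabitEthernet0/0/1  is link-up"
            current = sections.setdefault(header.group(1), {})
        elif line.startswith("Global 802.1X parameters"):
            current = sections.setdefault("global", {})
        elif ":" in line and current is not None:    # "Field name : value"
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return sections

def deviations(text, ifname):
    """List every field that differs from the expected state for ifname."""
    parsed, found = parse_dot1x(text), []
    for section, expected in (("global", EXPECTED["global"]), (ifname, EXPECTED["port"])):
        fields = parsed.get(section)
        if fields is None:                           # interface not present in the capture
            found.append(f"{section}: section missing from output")
            continue
        found += [f"{section}: {k} is {fields.get(k, '<absent>')}, expected {v}"
                  for k, v in expected.items() if fields.get(k) != v]
    return found
```

Port access control is worth tracking either way: in port-based mode one successful authentication opens the port to every device attached behind it, whereas MAC-based mode authenticates each device separately.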

Configuration files

#
 dot1x
#
interface Vlan-interface1
 ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-mode bridge
 dot1x port-method portbased
 dot1x
#
local-user localuser class network
 password cipher $c$3$YPkufRcxFR3KdpUCHFiNkns/YFPmbJkG/pQxBg==
 service-type lan-access
 authorization-attribute user-role network-operator
#

Related documentation

·     User Access and Authentication Configuration Guide in H3C MSR1000[2600][3600] Routers Configuration Guides(V9)

·     User Access and Authentication Command Reference in H3C MSR1000[2600][3600] Routers Command References(V9)
