This configuration document was created by muscal for configzone.
If you want to configure 802.1X authentication on a Huawei switch, you need to follow these steps:
Set the NAC mode to unified by running the command authentication unified-mode. The switch will restart after this command.
First of all, you need to create a domain. If you do not create a domain, many problems may arise during configuration, such as SSH login or authentication failures. This domain name must be the same on all devices.
aaa domain configzone.com
domain configzone.com
Now we will create the vlans we need. These vlans are Guest Vlan, Down Vlan, Pre-Auth Vlan.
Guest Vlan, Down Vlan, Pre-Auth Vlan
Guest Vlan: When a new user/computer joins our network and is not registered in the domain, NAC assigns it to the Guest vlan. We can isolate the members of this vlan from the rest of our network by writing rules accordingly.
Down Vlan: If our NAC device is unreachable, the user/computer falls into this vlan. We should write our rules so that users/computers that fall into this vlan do not lose access.
Pre-Auth Vlan: A user/computer is placed in this vlan first when it joins the network. It then communicates with NAC. If NAC assigns this user/computer a vlan, it is removed from this vlan and placed in the vlan it is registered for.
vlan 1001
description Guest
vlan 1002
description Down
vlan 1003
description Pre-Auth
mac-address learning disable
Huawei Radius Server Template
Create and configure a RADIUS server template by running the commands radius-server template name and radius-server authentication ip-address port. You also need to set a shared key for the RADIUS server by running the command radius-server shared-key cipher password.
radius-server template configzone-radius-server-template
radius-server shared-key cipher Password1
radius-server authentication 10.10.10.10 1812 weight 80
radius-server accounting 10.10.10.10 1813 weight 80
radius-server detect-server up-server interval 300
undo authentication pre-authen-access enable
We also have to configure the authorization server and the authorization match type.
radius-server authorization 10.10.10.10 shared-key cipher Password1
radius-server authorization match-type all
Huawei Switch aaa Configuration
Create an AAA authentication scheme by running the commands aaa and authentication-scheme name. Set the authentication mode to RADIUS by running the command authentication-mode radius.
aaa
authentication-scheme configzone-authentication-scheme
authentication-mode radius
service-scheme guest.configzone-service-scheme
user-vlan 1001
service-scheme down.configzone-service-scheme
user-vlan 1002
service-scheme pre.configzone-service-scheme
user-vlan 1003
Create an AAA domain by running the command domain name. Bind the AAA authentication scheme and the RADIUS server template to the domain by running the commands authentication-scheme name and radius-server name.
aaa
domain configzone.com
authentication-scheme configzone-authentication-scheme
accounting-scheme default
radius-server configzone-radius-server-template
Dot1x Configuration
Configure an 802.1X access profile by running the command dot1x-access-profile name. You can configure various parameters for 802.1X authentication in this profile, such as re-authentication, guest VLAN, and quiet period.
dot1x timer tx-period 10
dot1x timer mac-bypass-delay 30
dot1x-access-profile name configzone-dot1x-access-profile
dot1x authentication-method eap
dot1x port-control auto
dot1x reauthenticate
dot1x timer reauthenticate-period 3600
authentication event client-no-response action authorize service-scheme guest.configzone-service-scheme
Here we need to create a mac-access-profile. It is referenced in the command lines that follow; if we do not create it in this step, the next commands will return an error.
mac-access-profile name configzone-mac-access-profile
Explain Profile and Schema
Configure an authentication profile by running the command authentication-profile name. Bind the 802.1X access profile to the authentication profile by running the command dot1x-access-profile name.
There are many definitions here. Each of these definitions has its own explanation, but it is enough to change the proper names in these sections. Do not forget that a name you define in the commands above must be the same throughout the whole configuration.
authentication-profile name configzone-auth-profile
authentication mode multi-authen
dot1x-access-profile configzone-dot1x-access-profile
mac-access-profile configzone-mac-access-profile
access-domain configzone.com dot1x
link-down offline delay 10
authentication event authen-fail action authorize service-scheme guest.configzone-service-scheme
authentication event pre-authen action authorize service-scheme pre.configzone-service-scheme
authentication event authen-server-down action authorize service-scheme down.configzone-service-scheme
authentication event authen-server-up action re-authen
authentication dot1x-mac-bypass
Mac Authen
This section shows the MAC authentication steps. These values are written in accordance with best practice. I have used them in a few places before and they work without any problems. You can change them if you want.
mac-access-profile name configzone-mac-access-profile
mac-authen offline dhcp-release
mac-authen reauthenticate dhcp-renew
mac-authen timer reauthenticate-period 60
mac-authen trigger dhcp-binding
Port Configuration
The port configuration is as follows. I added an extra vlan, 200. Vlan 200 is my IT unit’s vlan. If a user from the IT unit connects to this port, he will get vlan 200 after authentication. NAC will send this vlan. If we don’t define this vlan on this port there will be a problem. You should also make sure that all relevant vlans pass through the uplink ports.
interface GigabitEthernet0/2
description Test-Client
port link-type hybrid
port hybrid pvid vlan 1003
port hybrid untagged vlan 1002 1003 1001
authentication-profile configzone-auth-profile
Verification and troubleshooting
You can verify and debug with the following commands. Each of these commands will give a lot of output. Try to understand these outputs. If there is a problem somewhere you can find the problem with these commands. If you are stuck, you can comment here and we will get back to you during the day.
The Huawei official document is available at this link.
display domain name your-domain-name
display radius-server configuration template configzone-radius-server-template
display radius-server item template configzone-radius-server-template
display authentication-profile configuration name configzone-auth-profile
display dot1x-access-profile configuration name configzone-dot1x-access-profile
display dot1x
display access-user interface GigabitEthernet0/2
display access-user
display access-user user-id 25