Huawei Switch 802.1x Configuration

This configuration document was created by muscal for configzone.

If you want to configure 802.1X authentication on a Huawei switch, you need to follow these steps:

Set the NAC mode to unified by running the command authentication unified-mode. The switch will restart after this command.

First of all, you need to create a domain. If you do not create a domain, many problems may arise during configuration, for example with SSH login or with authentication. This domain must be the same on all devices.

aaa domain configzone.com
domain configzone.com

Now we will create the vlans we need: Guest Vlan, Down Vlan and Pre-Auth Vlan.

Guest Vlan: When a new user/computer enters our network and is not registered in the domain, NAC assigns it to the Guest vlan. We can isolate the hosts in this vlan from our network by writing our rules accordingly.

Down Vlan: If our NAC device is unreachable, the user/computer falls into this vlan. We should write our rules accordingly so that users/computers in this vlan do not have access problems.

Pre-Auth Vlan: When a user/computer first joins the network, it is placed in this vlan. From there it communicates with NAC. If NAC authenticates the user/computer, it is removed from this vlan and assigned the vlan for which it is registered.

vlan 1001
description Guest
vlan 1002
description Down
vlan 1003
description Pre-Auth
mac-address learning disable

Huawei Radius Server Template

Create and configure a RADIUS server template by running the commands radius-server template name and radius-server authentication ip-address port. You also need to set a shared key for the RADIUS server by running the command radius-server shared-key cipher password.

radius-server template configzone-radius-server-template
radius-server shared-key cipher Password1
radius-server authentication 10.10.10.10 1812 weight 80
radius-server accounting 10.10.10.10 1813 weight 80
radius-server detect-server up-server interval 300
undo authentication pre-authen-access enable

We also have to configure the RADIUS authorization server and the authorization match type.

radius-server authorization 10.10.10.10 shared-key cipher Password1
radius-server authorization match-type all

Huawei Switch aaa Configuration

Create an AAA authentication scheme by running the commands aaa and authentication-scheme name. Set the authentication mode to RADIUS by running the command authentication-mode radius.

aaa
authentication-scheme configzone-authentication-scheme
authentication-mode radius
service-scheme guest.configzone-service-scheme
user-vlan 1001
service-scheme down.configzone-service-scheme
user-vlan 1002
service-scheme pre.configzone-service-scheme
user-vlan 1003

Create an AAA domain by running the command domain name. Bind the AAA authentication scheme and the RADIUS server template to the domain by running the commands authentication-scheme name and radius-server name.

aaa
domain configzone.com
authentication-scheme configzone-authentication-scheme
accounting-scheme default
radius-server configzone-radius-server-template

Dot1x Configuration

Configure an 802.1X access profile by running the command dot1x-access-profile name. You can configure various parameters for 802.1X authentication in this profile, such as re-authentication, guest VLAN, and quiet period.

dot1x timer tx-period 10
dot1x timer mac-bypass-delay 30

dot1x-access-profile name configzone-dot1x-access-profile
dot1x authentication-method eap
dot1x port-control auto
dot1x reauthenticate
dot1x timer reauthenticate-period 3600
authentication event client-no-response action authorize service-scheme guest.configzone-service-scheme

Here we need to create a mac-address profile. It is needed in the next command lines. If we don’t create it in this step, it will give an error in the next commands.

mac-access-profile name configzone-mac-access-profile

Authentication Profile and Scheme

Configure an authentication profile by running the command authentication-profile name. Bind the 802.1X access profile to the authentication profile by running the command dot1x-access-profile name.

There are many definitions here, and each of them has its own explanation. It is enough to change the names in these sections, but do not forget that a name you define in the commands above must be used identically throughout the whole configuration.

authentication-profile name configzone-auth-profile
authentication mode multi-authen
dot1x-access-profile configzone-dot1x-access-profile
mac-access-profile configzone-mac-access-profile
access-domain configzone.com dot1x
link-down offline delay 10
authentication event authen-fail action authorize service-scheme guest.configzone-service-scheme
authentication event pre-authen action authorize service-scheme pre.configzone-service-scheme
authentication event authen-server-down action authorize service-scheme down.configzone-service-scheme
authentication event authen-server-up action re-authen
authentication dot1x-mac-bypass

Mac Authen

This section shows the MAC authentication steps. These values are written in accordance with best practice. I have used it in a few places before and it works without any problems. You can change them if you want.

mac-access-profile name configzone-mac-access-profile
mac-authen offline dhcp-release
mac-authen reauthenticate dhcp-renew
mac-authen timer reauthenticate-period 60
mac-authen trigger dhcp-binding

Port Configuration

The port configuration is as follows. I added the extra vlan 200. Vlan 200 is my IT unit's vlan: if a user from the IT unit connects to this port, he will get vlan 200 after authentication, because NAC will send this vlan. If we don't define this vlan on this port there will be a problem. You should also make sure that all relevant vlans pass through the uplink ports.

interface GigabitEthernet0/2
 description Test-Client
 port link-type hybrid
 port hybrid pvid vlan 1003
 port hybrid untagged vlan 1002 1003 1001
 authentication-profile configzone-auth-profile
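The post stresses two things that are easy to get wrong by hand: every name defined in one section (domain, RADIUS template, authentication scheme, service schemes, access profiles) must be reused exactly in every later section, and every vlan that NAC can assign through a service scheme must be allowed on the access port. The following is an added example, not from the original post and not Huawei's own tooling: a small Python checker that reads the snippets above and reports dangling references and vlan mismatches. Its line-oriented parser is a hypothetical one that understands only the commands used in this post, not a general VRP parser. SAMPLE_CONFIG is constructed from the snippets above with the same names and vlan IDs, and BROKEN_CONFIG is a constructed variant that drops the guest vlan from the port to show a finding.

```python
from collections import defaultdict

# Constructed from the post's snippets (same names and VLAN IDs); not a full device config.
SAMPLE_CONFIG = """\
vlan 1001
vlan 1002
vlan 1003
radius-server template configzone-radius-server-template
aaa
authentication-scheme configzone-authentication-scheme
service-scheme guest.configzone-service-scheme
user-vlan 1001
service-scheme down.configzone-service-scheme
user-vlan 1002
service-scheme pre.configzone-service-scheme
user-vlan 1003
domain configzone.com
authentication-scheme configzone-authentication-scheme
radius-server configzone-radius-server-template
dot1x-access-profile name configzone-dot1x-access-profile
authentication event client-no-response action authorize service-scheme guest.configzone-service-scheme
mac-access-profile name configzone-mac-access-profile
authentication-profile name configzone-auth-profile
dot1x-access-profile configzone-dot1x-access-profile
mac-access-profile configzone-mac-access-profile
access-domain configzone.com dot1x
authentication event authen-fail action authorize service-scheme guest.configzone-service-scheme
authentication event pre-authen action authorize service-scheme pre.configzone-service-scheme
authentication event authen-server-down action authorize service-scheme down.configzone-service-scheme
interface GigabitEthernet0/2
port hybrid pvid vlan 1003
port hybrid untagged vlan 1002 1003 1001
authentication-profile configzone-auth-profile
"""

def parse(config):
    defined = defaultdict(set)  # kind -> names defined; refs: (kind, name, line) per cross-reference
    refs, scheme_vlan, events, bound_dot1x, ports = [], {}, defaultdict(dict), {}, {}
    section = scheme = profile = port = None
    for n, raw in enumerate(config.splitlines(), 1):
        t = raw.split()
        h = t[0] if t else ""
        if h == "vlan":
            defined["vlan"].add(t[1])
        elif h == "radius-server" and t[1] == "template":
            defined["radius-server"].add(t[2])
        elif h == "domain":
            defined["domain"].add(t[1]); section = "domain"
        elif section == "domain" and h in ("authentication-scheme", "radius-server"):
            refs.append((h, t[1], n))            # bindings inside the domain view
        elif h == "authentication-scheme":
            defined["authentication-scheme"].add(t[1])
        elif h == "service-scheme":
            scheme = t[1]; defined["service-scheme"].add(scheme)
        elif h == "user-vlan" and scheme:
            scheme_vlan[scheme] = t[1]; refs.append(("vlan", t[1], n))
        elif h in ("dot1x-access-profile", "mac-access-profile", "authentication-profile"):
            if t[1] == "name":          # 'name X' defines the profile and opens its view
                defined[h].add(t[2]); profile = t[2]; section = h
            else:                       # bare name = reference from another view
                refs.append((h, t[1], n))
                if h == "dot1x-access-profile" and section == "authentication-profile":
                    bound_dot1x[profile] = t[1]
                elif h == "authentication-profile" and section == "interface":
                    ports[port]["profile"] = t[1]
        elif h == "access-domain":
            refs.append(("domain", t[1], n))
        elif t[:2] == ["authentication", "event"] and "service-scheme" in t:
            s = t[t.index("service-scheme") + 1]
            refs.append(("service-scheme", s, n)); events[profile][t[2]] = s
        elif h == "interface":
            port = t[1]; section = "interface"
            ports[port] = {"pvid": None, "untagged": set(), "profile": None}
        elif t[:4] == ["port", "hybrid", "pvid", "vlan"]:
            ports[port]["pvid"] = t[4]; refs.append(("vlan", t[4], n))
        elif t[:4] == ["port", "hybrid", "untagged", "vlan"]:
            ports[port]["untagged"].update(t[4:]); refs += [("vlan", v, n) for v in t[4:]]
    return defined, refs, scheme_vlan, events, bound_dot1x, ports

def check(config):
    defined, refs, scheme_vlan, events, bound_dot1x, ports = parse(config)
    out = [f"line {n}: {kind} '{name}' is referenced but never defined"
           for kind, name, n in refs if name not in defined[kind]]
    for ifname, p in ports.items():
        # Fallback VLANs: events of the bound dot1x profile plus those of the authentication profile.
        fallback = {**events.get(bound_dot1x.get(p["profile"]), {}), **events.get(p["profile"], {})}
        for event, scheme in fallback.items():
            vlan = scheme_vlan.get(scheme)
            if vlan and vlan not in p["untagged"]:
                out.append(f"{ifname}: VLAN {vlan} ({event} -> {scheme}) is not untagged on the port")
        pre = scheme_vlan.get(fallback.get("pre-authen"))
        if pre and p["pvid"] != pre:
            out.append(f"{ifname}: pvid {p['pvid']} is not the pre-authen VLAN {pre}")
    return out

# Constructed broken variant: the guest VLAN was forgotten on the access port.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("untagged vlan 1002 1003 1001", "untagged vlan 1002 1003")

if __name__ == "__main__":
    print(check(SAMPLE_CONFIG) or ["consistent"], check(BROKEN_CONFIG), sep="\n")
```

An empty result means the snippets agree with each other; a finding names the line or port that needs attention. The pvid check encodes the post's rule that the Pre-Auth vlan is the one a host lands in first, so the port's pvid must be the vlan of the pre-authen service scheme. Because the parser splits on whitespace, indentation does not matter, so a `display current-configuration` dump can be fed to it as well.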

Verification and troubleshooting

You can verify and debug with the following commands. Each of them produces a lot of output; try to understand it, because if there is a problem somewhere you can find it with these commands. If you are stuck, you can comment here and we will get back to you during the day.

The Huawei official document is available at this link.

display domain name your-domain-name
display radius-server configuration template configzone-radius-server-template
display radius-server item template configzone-radius-server-template
display authentication-profile configuration name configzone-auth-profile
display dot1x-access-profile configuration name configzone-dot1x-access-profile
display dot1x
display access-user interface GigabitEthernet0/2
display access-user
display access-user user-id 25

Muscal
