Configuration procedure
Configure the 802.1X client. If HPE iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.)
Configure the RADIUS servers and add user accounts for the 802.1X users. For information about the RADIUS commands used on the access device in this example, see Security Command Reference. (Details not shown.)
Assign an IP address to each interface on the access device. (Details not shown.)
Configure user accounts for the 802.1X users on the access device:
# Add a local user with the username localuser, and password localpass in plaintext. (Make sure the username and password are the same as those configured on the RADIUS server.)
<Device> system-view [Device] local-user localuser [Device-luser-localuser] service-type lan-access [Device-luser-localuser] password simple localpass
# Configure the idle cut function to log off any online user that has been idled for 20 minutes.
[Device-luser-localuser] authorization-attribute idle-cut 20 [Device-luser-localuser] quit
Configure a RADIUS scheme:
# Create the RADIUS scheme radius1 and enter its view.
[Device] radius scheme radius1
# Specify the IP addresses of the primary authentication and accounting RADIUS servers.
[Device-radius-radius1] primary authentication 10.1.1.1 [Device-radius-radius1] primary accounting 10.1.1.1
# Configure the IP addresses of the secondary authentication and accounting RADIUS servers.
[Device-radius-radius1] secondary authentication 10.1.1.2 [Device-radius-radius1] secondary accounting 10.1.1.2
# Specify the shared key between the access device and the authentication server.
[Device-radius-radius1] key authentication name
# Specify the shared key between the access device and the accounting server.
[Device-radius-radius1] key accounting money
# Exclude the ISP domain name from the username sent to the RADIUS servers.
[Device-radius-radius1] user-name-format without-domain [Device-radius-radius1] quit
NOTE: The access device must use the same username format as the RADIUS server. If the RADIUS server includes the ISP domain name in the username, so must the access device. | ||
Configure the ISP domain:
# Create the ISP domain aabbcc.net and enter its view.
[Device] domain aabbcc.net
# Apply the RADIUS scheme radius1 to the ISP domain, and specify local authentication as the secondary authentication method.
[Device-isp-aabbcc.net] authentication lan-access radius-scheme radius1 local [Device-isp-aabbcc.net] authorization lan-access radius-scheme radius1 local [Device-isp-aabbcc.net] accounting lan-access radius-scheme radius1 local
# Set the maximum number of concurrent users in the domain to 30.
[Device-isp-aabbcc.net] access-limit enable 30
# Configure the idle cut function to log off any online domain user that has been idle for 20 minutes.
[Device-isp-aabbcc.net] idle-cut enable 20 [Device-isp-aabbcc.net] quit
# Specify aabbcc.net as the default ISP domain. If a user does not provide any ISP domain name, it is assigned to the default ISP domain.
[Device] domain default enable aabbcc.net
Configure 802.1X:
# Enable 802.1X globally.
[Device] dot1x
# Enable 802.1X on port Ethernet 1/0/1.
[Device] interface ethernet 1/0/1 [Device-Ethernet1/0/1] dot1x [Device-Ethernet1/0/1] quit
# Enable MAC-based access control on the port. (Optional. MAC-based access control is the default setting.)
[Device] dot1x port-method macbased interface ethernet 1/0/1