Triple authentication basic function configuration example

Network requirements

As shown in Figure 61, the terminals are connected to a switch to access the IP network. Configure triple authentication on the Layer-2 interface of the switch that connects to the terminals, so that a terminal that passes any one of the three authentication methods (802.1X authentication, portal authentication, or MAC authentication) can access the IP network.

Figure 61: Network diagram

Configuration procedure

Make sure that the terminals, the server, and the switch can reach each other.

The host of the web user must have a route to the listening IP address of the local portal server.

  • Configure the RADIUS server, and make sure the authentication, authorization, and accounting functions work normally. In this example, configure on the RADIUS server an 802.1X user (username userdot), a portal user (username userpt), and a MAC authentication user whose username and password are both the MAC address of the printer, 001588f80dd7.

  • Configure portal authentication:

    # Configure VLANs and IP addresses for the VLAN interfaces, and add ports to specific VLANs. (Details not shown.)

    # Configure the local portal server to support HTTP.

    <Switch> system-view
    [Switch] portal local-server http
    

    # Configure the IP address of interface loopback 0 as 4.4.4.4.

    [Switch] interface loopback 0
    [Switch-LoopBack0] ip address 4.4.4.4 32
    [Switch-LoopBack0] quit
    

    # Specify the listening IP address of the local portal server for Layer-2 portal authentication as 4.4.4.4.

    [Switch] portal local-server ip 4.4.4.4
    

    # Enable Layer-2 portal authentication on Ethernet 1/0/1.

    [Switch] interface ethernet 1/0/1
    [Switch-Ethernet1/0/1] portal local-server enable
    [Switch-Ethernet1/0/1] quit
    
  • Configure 802.1X authentication:

    # Enable 802.1X authentication globally.

    [Switch] dot1x
    

    # Enable 802.1X authentication (MAC-based access control required) on Ethernet 1/0/1.

    [Switch] interface ethernet 1/0/1
    [Switch-Ethernet1/0/1] dot1x port-method macbased
    [Switch-Ethernet1/0/1] dot1x
    [Switch-Ethernet1/0/1] quit
    
  • Configure MAC authentication:

    # Enable MAC authentication globally.

    [Switch] mac-authentication
    

    # Enable MAC authentication on Ethernet 1/0/1.

    [Switch] interface ethernet 1/0/1
    [Switch-Ethernet1/0/1] mac-authentication
    [Switch-Ethernet1/0/1] quit
    
  • Configure a RADIUS scheme:

    # Create a RADIUS scheme named rs1.

    [Switch] radius scheme rs1
    

    # Specify the server type for the RADIUS scheme, which must be extended when the IMC server is used.

    [Switch-radius-rs1] server-type extended
    

    # Specify the primary authentication and accounting servers and keys.

    [Switch-radius-rs1] primary authentication 1.1.1.2
    [Switch-radius-rs1] primary accounting 1.1.1.2
    [Switch-radius-rs1] key authentication radius
    [Switch-radius-rs1] key accounting radius
    

    # Specify usernames sent to the RADIUS server to carry no domain names.

    [Switch-radius-rs1] user-name-format without-domain
    [Switch-radius-rs1] quit
    
  • Configure an ISP domain:

    # Create an ISP domain named triple.

    [Switch] domain triple
    

    # Configure the default AAA methods for all types of users in the domain.

    [Switch-isp-triple] authentication default radius-scheme rs1
    [Switch-isp-triple] authorization default radius-scheme rs1
    [Switch-isp-triple] accounting default radius-scheme rs1
    [Switch-isp-triple] quit
    

    # Configure domain triple as the default domain. If the username entered by a user does not include an ISP domain name, the authentication scheme of the default domain is used.

    [Switch] domain default enable triple
    

Verifying the configuration

User userdot uses the 802.1X client to initiate authentication. After entering the correct username and password, the user passes 802.1X authentication. Web user userpt uses a web browser to access an external network. The web request is redirected to the authentication page http://4.4.4.4/portal/logon.htm. After entering the correct username and password, the web user passes portal authentication. The printer passes MAC authentication as soon as it is connected to the network.

Use the display connection command to view online users.

    [Switch] display connection
    Slot:  1
    Index=30  , Username=userpt@triple
     IP=192.168.1.2
     IPv6=N/A
     MAC=0015-e9a6-7cfe
    Index=31  , Username=userdot@triple
     IP=192.168.1.3
     IPv6=N/A
     MAC=0002-0002-0001
    Index=32  , Username=001588f80dd7@triple
     IP=192.168.1.4
     IPv6=N/A
     MAC=0015-88f8-0dd7

     Total 3 connection(s) matched on slot 1.
     Total 3 connection(s) matched.
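The following Python script is an added example for checking the verification step above; it is not part of the configuration guide and does not use any switch API. It parses the text of the display connection output (embedded here as a constructed sample copied from the output shown above), confirms that the three expected users are online in domain triple, and applies one check the guide's convention makes possible: because a MAC authentication account's username is the device's own MAC address, a session whose username is a MAC but whose session MAC differs points to the printer's credentials being used from a different port or device. The expected user list and the domain name are assumptions taken from this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample: the "display connection" output from the guide's verification step.
SAMPLE_OUTPUT = """\
Slot:  1
Index=30  , Username=userpt@triple
 IP=192.168.1.2
 IPv6=N/A
 MAC=0015-e9a6-7cfe
Index=31  , Username=userdot@triple
 IP=192.168.1.3
 IPv6=N/A
 MAC=0002-0002-0001
Index=32  , Username=001588f80dd7@triple
 IP=192.168.1.4
 IPv6=N/A
 MAC=0015-88f8-0dd7

 Total 3 connection(s) matched on slot 1.
 Total 3 connection(s) matched.
"""


@dataclass
class Connection:
    index: int
    username: str
    domain: str
    ip: str
    mac: str  # normalized to 12 lowercase hex digits


def normalize_mac(mac: str) -> str:
    """Strip separators so 0015-88f8-0dd7, 00:15:88:f8:0d:d7 and 001588f80dd7 compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


# "Index=30  , Username=userpt@triple" -> index, username, optional domain after '@'
INDEX_RE = re.compile(r"^Index=(\d+)\s*,\s*Username=([^@\s]+)(?:@(\S+))?")
# " IP=192.168.1.2", " IPv6=N/A", " MAC=0015-e9a6-7cfe"
FIELD_RE = re.compile(r"^\s*(IP|IPv6|MAC)=(\S+)")


def parse_connections(text: str) -> List[Connection]:
    """Turn the display connection text into Connection records (one per Index= block)."""
    conns: List[Connection] = []
    current = None
    for line in text.splitlines():
        m = INDEX_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "username": m.group(2), "domain": m.group(3) or ""}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.groups()
            if key == "IP":
                current["ip"] = value
            elif key == "MAC":  # MAC is the last field of a block, so the record is complete here
                conns.append(Connection(index=current["index"], username=current["username"],
                                        domain=current["domain"], ip=current.get("ip", "N/A"),
                                        mac=normalize_mac(value)))
                current = None
    return conns


def audit(conns: Iterable[Connection], expected_users: Iterable[str], domain: str = "triple") -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    expected = set(expected_users)
    conns = list(conns)
    findings = []
    online = {c.username for c in conns}
    for user in sorted(expected - online):
        findings.append(f"expected user {user} is not online")
    for c in conns:
        if c.domain != domain:
            findings.append(f"{c.username}: authenticated in domain {c.domain!r}, expected {domain!r}")
        if c.username not in expected:
            findings.append(f"unexpected user {c.username} (MAC {c.mac}, IP {c.ip})")
        # A MAC-authentication account is named after the device's MAC; the session MAC must agree.
        if re.fullmatch(r"[0-9a-f]{12}", c.username.lower()) and c.username.lower() != c.mac:
            findings.append(f"{c.username}: MAC-authentication username does not match session MAC {c.mac}")
    return findings


if __name__ == "__main__":
    # Assumed expected users for this example: the 802.1X user, the portal user and the printer.
    for finding in audit(parse_connections(SAMPLE_OUTPUT), ["userdot", "userpt", "001588f80dd7"]):
        print(finding)
```

Feed the script the saved output of display connection and compare the findings against the RADIUS server's account list; an empty result for the three accounts above reproduces the state the guide describes.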