Triple authentication basic function configuration example
Network requirements
As shown in Figure 61, the terminals are connected to a switch to access the IP network. Configure triple authentication on the Layer-2 interface of the switch that connects to the terminals so that a terminal passing one of the three authentication methods, 802.1X authentication, portal authentication, and MAC authentication, can access the IP network.
Configure static IP addresses in network 192.168.1.0/24 for the terminals.
Use the remote RADIUS server to perform authentication, authorization, and accounting and configure the switch to send usernames carrying no ISP domain names to the RADIUS server.
The local portal authentication server on the switch uses listening IP address 4.4.4.4. The switch sends a default authentication page to the web user and forwards authentication data using HTTP.
Figure 61: Network diagram
Configuration procedure
Make sure that the terminals, the server, and the switch can reach each other.
The host of the web user must have a route to the listening IP address of the local portal server.
Configure the RADIUS server, and make sure the authentication, authorization, and accounting functions work normally. In this example, configure on the RADIUS server an 802.1X user (with username userdot), a portal user (with username userpt), and a MAC authentication user (with a username and password both being the MAC address of the printer 001588f80dd7).
Configure portal authentication:
# Configure VLANs and IP addresses for the VLAN interfaces, and add ports to specific VLANs. (Details not shown.)
# Configure the local portal server to support HTTP.
<Switch> system-view
[Switch] portal local-server http
# Configure the IP address of interface loopback 0 as 4.4.4.4.
[Switch] interface loopback 0
[Switch-LoopBack0] ip address 4.4.4.4 32
[Switch-LoopBack0] quit
# Specify the listening IP address of the local portal server for Layer-2 portal authentication as 4.4.4.4.
[Switch] portal local-server ip 4.4.4.4
# Enable Layer-2 portal authentication on Ethernet 1/0/1.
[Switch] interface ethernet 1/0/1
[Switch-Ethernet1/0/1] portal local-server enable
[Switch-Ethernet1/0/1] quit
Configure 802.1X authentication:
# Enable 802.1X authentication globally.
[Switch] dot1x
# Enable 802.1X authentication on Ethernet 1/0/1. MAC-based access control is required so that each terminal on the port is authenticated separately.
[Switch] interface ethernet 1/0/1
[Switch-Ethernet1/0/1] dot1x port-method macbased
[Switch-Ethernet1/0/1] dot1x
[Switch-Ethernet1/0/1] quit
Configure MAC authentication:
# Enable MAC authentication globally.
[Switch] mac-authentication
# Enable MAC authentication on Ethernet 1/0/1.
[Switch] interface ethernet 1/0/1
[Switch-Ethernet1/0/1] mac-authentication
[Switch-Ethernet1/0/1] quit
Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1.
[Switch] radius scheme rs1
# Specify the server type for the RADIUS scheme. The type must be extended when an IMC server is used.
[Switch-radius-rs1] server-type extended
# Specify the primary authentication and accounting servers and keys.
[Switch-radius-rs1] primary authentication 1.1.1.2
[Switch-radius-rs1] primary accounting 1.1.1.2
[Switch-radius-rs1] key authentication radius
[Switch-radius-rs1] key accounting radius
# Specify usernames sent to the RADIUS server to carry no domain names.
[Switch-radius-rs1] user-name-format without-domain
[Switch-radius-rs1] quit
Configure an ISP domain:
# Create an ISP domain named triple.
[Switch] domain triple
# Configure the default AAA methods for all types of users in the domain.
[Switch-isp-triple] authentication default radius-scheme rs1
[Switch-isp-triple] authorization default radius-scheme rs1
[Switch-isp-triple] accounting default radius-scheme rs1
[Switch-isp-triple] quit
# Configure domain triple as the default domain. If a username entered by a user includes no ISP domain name, the authentication scheme of the default domain is used.
[Switch] domain default enable triple
Verifying the configuration
User userdot uses the 802.1X client to initiate authentication. After entering the correct username and password, the user passes 802.1X authentication. Web user userpt uses a web browser to access an external network. The web request is redirected to the authentication page http://4.4.4.4/portal/logon.htm. After entering the correct username and password, the web user passes portal authentication. The printer passes MAC authentication as soon as it is connected to the network.
Use the display connection command to view online users.
[Switch] display connection
Slot: 1
Index=30 , Username=userpt@triple
IP=192.168.1.2
IPv6=N/A
MAC=0015-e9a6-7cfe
Index=31 , Username=userdot@triple
IP=192.168.1.3
IPv6=N/A
MAC=0002-0002-0001
Index=32 , Username=001588f80dd7@triple
IP=192.168.1.4
IPv6=N/A
MAC=0015-88f8-0dd7
Total 3 connection(s) matched on slot 1.
Total 3 connection(s) matched.
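Reading the display connection table by eye works for three users, but a practitioner verifying this configuration repeatedly (or across many access ports) will want the check automated. The script below is an added example, not part of the original configuration guide or of any vendor tool: it parses the display connection output shown above (embedded here as constructed sample input) into one record per Index, then checks that every session landed in domain triple, that every IP is in 192.168.1.0/24, that the MAC-authentication username equals the session's MAC address, and that no session belongs to a user outside the expected set. The user-to-method mapping and the field-parsing regex are assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the "display connection" output from the example above.
SAMPLE_OUTPUT = """\
Slot: 1
Index=30 , Username=userpt@triple
IP=192.168.1.2
IPv6=N/A
MAC=0015-e9a6-7cfe
Index=31 , Username=userdot@triple
IP=192.168.1.3
IPv6=N/A
MAC=0002-0002-0001
Index=32 , Username=001588f80dd7@triple
IP=192.168.1.4
IPv6=N/A
MAC=0015-88f8-0dd7
Total 3 connection(s) matched on slot 1.
Total 3 connection(s) matched.
"""

# Expected online users and the method each should have passed (assumed from the example).
EXPECTED_USERS = {
    "userdot": "802.1X",
    "userpt": "portal",
    "001588f80dd7": "MAC",
}


@dataclass
class Session:
    index: int
    username: str   # part of Username= before "@"
    domain: str     # ISP domain the session was placed in (after "@")
    ip: str
    mac: str        # normalized to 12 lowercase hex digits without separators


# Assumed field syntax: key=value pairs separated by spaces and commas.
FIELD_RE = re.compile(r"(\w+)=([^\s,]+)")


def normalize_mac(mac: str) -> str:
    """Strip separators such as '-' or ':' so MACs compare byte for byte."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def _build(fields: dict) -> Session:
    user, _, domain = fields.get("Username", "").partition("@")
    return Session(
        index=int(fields["Index"]),
        username=user,
        domain=domain,
        ip=fields.get("IP", ""),
        mac=normalize_mac(fields.get("MAC", "")),
    )


def parse_connections(text: str) -> list:
    """Group key=value fields into one Session per Index= record."""
    sessions, current = [], {}
    for line in text.splitlines():
        for key, value in FIELD_RE.findall(line):
            if key == "Index":          # a new record starts; flush the previous one
                if current:
                    sessions.append(_build(current))
                current = {"Index": value}
            elif current:
                current[key] = value
    if current:
        sessions.append(_build(current))
    return sessions


def check_sessions(sessions, expected=EXPECTED_USERS, domain="triple",
                   subnet="192.168.1.0/24") -> list:
    """Return a list of findings; an empty list means the table matches expectations."""
    net = ipaddress.ip_network(subnet)
    findings, seen = [], set()
    for s in sessions:
        seen.add(s.username)
        if s.domain != domain:
            findings.append(f"index {s.index}: {s.username} is in domain '{s.domain}', expected '{domain}'")
        if not s.ip or ipaddress.ip_address(s.ip) not in net:
            findings.append(f"index {s.index}: {s.username} has IP {s.ip!r} outside {subnet}")
        method = expected.get(s.username)
        if method is None:
            findings.append(f"index {s.index}: unexpected user {s.username} (MAC {s.mac})")
        elif method == "MAC" and s.username.lower() != s.mac:
            findings.append(f"index {s.index}: MAC-auth username {s.username} does not match MAC {s.mac}")
    for user in sorted(set(expected) - seen):
        findings.append(f"expected {expected[user]} user {user} is not online")
    return findings


if __name__ == "__main__":
    for finding in check_sessions(parse_connections(SAMPLE_OUTPUT)) or ["all expected users online"]:
        print(finding)
```

Feed the script the captured output of display connection from the switch; an empty findings list confirms that all three users are online in the intended domain and subnet, while any entry that is not in EXPECTED_USERS is reported so that a session from an unplanned terminal on the port is noticed rather than buried in the table.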