Configuration procedure

The following configuration procedure covers most AAA/RADIUS configuration commands on the device. The configurations on the 802.1X client and RADIUS server are not shown. For more information about AAA/RADIUS configuration commands, see Security Command Reference.

  • Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or a server-assigned VLAN. (Details not shown.)

  • Configure the RADIUS server to provide authentication, authorization, and accounting services. Configure user accounts and server-assigned VLAN, VLAN 5 in this example. (Details not shown.)

  • Create VLANs, and assign ports to the VLANs:

    <Device> system-view
    [Device] vlan 1
    [Device-vlan1] port gigabitethernet1/0/2
    [Device-vlan1] quit
    [Device] vlan 10
    [Device-vlan10] port gigabitethernet1/0/1
    [Device-vlan10] quit
    [Device] vlan 2
    [Device-vlan2] port gigabitethernet1/0/4
    [Device-vlan2] quit
    [Device] vlan 5
    [Device-vlan5] port gigabitethernet1/0/3
    [Device-vlan5] quit
    
  • Configure a RADIUS scheme:

    # Configure RADIUS scheme 2000 and enter its view.

    <Device> system-view
    [Device] radius scheme 2000
    

    # Specify primary and secondary authentication and accounting servers. Set the shared key to abc for authentication and accounting packets.

    [Device-radius-2000] primary authentication 10.11.1.1 1812
    [Device-radius-2000] primary accounting 10.11.1.1 1813
    [Device-radius-2000] key authentication abc
    [Device-radius-2000] key accounting abc
    

    # Exclude the ISP domain name from the username sent to the RADIUS server.

    [Device-radius-2000] user-name-format without-domain
    [Device-radius-2000] quit
    
  • Configure an ISP domain:

    # Create ISP domain bbb and enter its view.

    [Device] domain bbb
    

    # Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.

    [Device-isp-bbb] authentication lan-access radius-scheme 2000
    [Device-isp-bbb] authorization lan-access radius-scheme 2000
    [Device-isp-bbb] accounting lan-access radius-scheme 2000
    [Device-isp-bbb] quit
    
  • Configure 802.1X:

    # Enable 802.1X globally.

    [Device] dot1x
    

    # Enable 802.1X for port GigabitEthernet 1/0/2.

    [Device] interface gigabitethernet1/0/2
    [Device-GigabitEthernet1/0/2] dot1x
    

    # Implement port-based access control on the port.

    [Device-GigabitEthernet1/0/2] dot1x port-method portbased
    

    # Set the port authorization mode to auto. This step is optional. By default, the port is in auto mode.

    [Device-GigabitEthernet1/0/2] dot1x port-control auto
    [Device-GigabitEthernet1/0/2] quit
    

    # Set VLAN 10 as the 802.1X guest VLAN for port GigabitEthernet 1/0/2.

    [Device] dot1x guest-vlan 10 interface gigabitethernet1/0/2
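
A pre-deployment consistency check for the procedure above, as an added example rather than vendor code: it parses a pasted CLI transcript and reports a guest VLAN that was never created, an ISP domain that references an undefined RADIUS scheme, and missing or short shared keys (the sample key abc is reported). The function name audit, the MIN_KEY_LEN threshold, and the transcript subset are assumptions made for this example.

```python
import re

PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*")  # "<Device>" or "[Device-...]"
MIN_KEY_LEN = 16  # assumption: local policy threshold, not a vendor requirement

# Constructed input: a subset of the commands from the procedure above.
SAMPLE = """\
[Device] vlan 10
[Device-vlan10] quit
[Device] radius scheme 2000
[Device-radius-2000] key authentication abc
[Device-radius-2000] key accounting abc
[Device-radius-2000] quit
[Device] domain bbb
[Device-isp-bbb] authentication lan-access radius-scheme 2000
[Device-isp-bbb] quit
[Device] dot1x guest-vlan 10 interface gigabitethernet1/0/2
"""

def audit(transcript):
    """Return a sorted list of findings for a pasted CLI transcript."""
    vlans, keys, scheme_refs, guest_vlans = set(), {}, set(), set()
    scheme = None  # RADIUS scheme view currently entered, if any
    for raw in transcript.splitlines():
        tok = PROMPT.sub("", raw).split()
        if len(tok) == 2 and tok[0] == "vlan":
            vlans.add(tok[1])
        elif len(tok) == 3 and tok[:2] == ["radius", "scheme"]:
            scheme = tok[2]
            keys.setdefault(scheme, {})
        elif tok == ["quit"]:
            scheme = None
        elif scheme and len(tok) >= 3 and tok[0] == "key":
            keys[scheme][tok[1]] = tok[-1]  # last token is the key as typed
        elif "radius-scheme" in tok[:-1]:
            scheme_refs.add(tok[tok.index("radius-scheme") + 1])
        elif len(tok) >= 3 and tok[:2] == ["dot1x", "guest-vlan"]:
            guest_vlans.add(tok[2])
    findings = [f"guest VLAN {v} is never created" for v in guest_vlans - vlans]
    findings += [f"RADIUS scheme {s} is referenced but not defined"
                 for s in scheme_refs - set(keys)]
    for s, k in keys.items():
        for use in ("authentication", "accounting"):
            if use not in k:
                findings.append(f"scheme {s}: no {use} shared key")
            elif len(k[use]) < MIN_KEY_LEN:
                findings.append(f"scheme {s}: {use} shared key shorter than {MIN_KEY_LEN}")
    return sorted(findings)
```

The length check applies only to keys entered in plaintext form, as in this procedure.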