Configuration procedure
The following configuration procedure provides the major AAA and RADIUS configuration on the access device. The configuration procedures on the 802.1X client and RADIUS server are beyond the scope of this configuration example. For information about AAA and RADIUS configuration commands, see Security Command Reference.
Configure 802.1X client. Make sure the client is able to update its IP address after the access port is assigned to the 802.1X guest VLAN or a server-assigned VLAN. (Details not shown.)
Configure the RADIUS servers, user accounts, and authorization ACL, ACL 3000 in this example. (Details not shown.)
Configure the access device.
# Assign IP addresses to interfaces. (Details not shown.)
# Configure the RADIUS scheme.
<Device> system-view [Device] radius scheme 2000 [Device-radius-2000] primary authentication 10.1.1.1 1812 [Device-radius-2000] primary accounting 10.1.1.2 1813 [Device-radius-2000] key authentication abc [Device-radius-2000] key accounting abc [Device-radius-2000] user-name-format without-domain [Device-radius-2000] quit
# Create an ISP domain and specify the RADIUS scheme 2000 as the default AAA scheme for the domain.
[Device] domain 2000 [Device-isp-2000] authentication default radius-scheme 2000 [Device-isp-2000] authorization default radius-scheme 2000 [Device-isp-2000] accounting default radius-scheme 2000 [Device-isp-2000] quit
# Configure a time range ftp for weekdays from 8:00 to 18:00.
[Device] time-range ftp 8:00 to 18:00 working-day
# Configure ACL 3000 to deny packets destined for the FTP server at 10.0.0.1 on weekdays during business hours.
[Device] acl number 3000 [Device-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0 time-range ftp [Device-acl-adv-3000] quit
# Enable 802.1X globally.
[Device] dot1x
# Enable 802.1X on port GigabitEthernet 1/0/1.
[Device] interface gigabitethernet1/0/1 [Device-GigabitEthernet1/0/1] dot1x