Triple authentication basic function configuration example

Network requirements

As shown in Figure 73, the terminals are connected to a switch to access the IP network. Configure triple authentication on the Layer-2 interface of the switch that connects to the terminals so that a terminal passing one of the three authentication methods, 802.1X authentication, portal authentication, and MAC authentication, can access the IP network. More specifically,

Figure 73: Network diagram

Configuration prerequisites

Configuration procedure

  • Configure portal authentication:

    # Configure VLANs and IP addresses for the VLAN interfaces, and add ports to specific VLANs. (Details not shown.)

    # Configure the local portal server to support HTTP.

    <Switch> system-view
    [Switch] portal local-server http
    

    # Configure the IP address of interface loopback 12 as 4.4.4.4.

    [Switch] interface loopback 12
    [Switch-LoopBack12] ip address 4.4.4.4 32
    [Switch-LoopBack12] quit
    

    # Specify the listening IP address of the local portal server for Layer-2 portal authentication as 4.4.4.4.

    [Switch] portal local-server ip 4.4.4.4
    

    # Enable Layer-2 portal authentication on GigabitEthernet 1/0/1.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] portal local-server enable
    [Switch-GigabitEthernet1/0/1] quit
    
  • Configure 802.1X authentication:

    # Enable 802.1X authentication globally.

    [Switch] dot1x
    

    # Enable 802.1X authentication (MAC-based access control required) on GigabitEthernet 1/0/1.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] dot1x port-method macbased
    [Switch-GigabitEthernet1/0/1] dot1x
    [Switch-GigabitEthernet1/0/1] quit
    
  • Configure MAC authentication:

    # Enable MAC authentication globally.

    [Switch] mac-authentication
    

    # Enable MAC authentication on GigabitEthernet 1/0/1.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] mac-authentication
    [Switch-GigabitEthernet1/0/1] quit
    
  • Configure a RADIUS scheme:

    # Create a RADIUS scheme named rs1.

    [Switch] radius scheme rs1
    

    # Specify the server type for the RADIUS scheme. The type must be extended when an IMC server is used.

    [Switch-radius-rs1] server-type extended
    

    # Specify the primary authentication and accounting servers and keys.

    [Switch-radius-rs1] primary authentication 1.1.1.2
    [Switch-radius-rs1] primary accounting 1.1.1.2
    [Switch-radius-rs1] key authentication radius
    [Switch-radius-rs1] key accounting radius
    

    # Specify usernames sent to the RADIUS server to carry no domain names.

    [Switch-radius-rs1] user-name-format without-domain
    [Switch-radius-rs1] quit
    
  • Configure an ISP domain:

    # Create an ISP domain named triple.

    [Switch] domain triple
    

    # Configure the default AAA methods for all types of users in the domain.

    [Switch-isp-triple] authentication default radius-scheme rs1
    [Switch-isp-triple] authorization default radius-scheme rs1
    [Switch-isp-triple] accounting default radius-scheme rs1
    [Switch-isp-triple] quit
    

    # Configure domain triple as the default domain. If the username entered by a user includes no ISP domain name, the authentication scheme of the default domain is used.

    [Switch] domain default enable triple
    

Verifying the configuration

User userdot uses the 802.1X client to initiate authentication. After entering the correct username and password, the user passes 802.1X authentication. Web user userpt uses a web browser to access an external network. The web request is redirected to the authentication page http://4.4.4.4/portal/logon.htm. After entering the correct username and password, the web user passes portal authentication. The printer passes MAC authentication after being connected to the network.

Use the display connection command to view online users.

    [Switch] display connection
    Slot:  1
    Index=30  , Username=userpt@triple
     IP=192.168.1.2
     IPv6=N/A
     MAC=0015-e9a6-7cfe
    Index=31  , Username=userdot@triple
     IP=192.168.1.3
     IPv6=N/A
     MAC=0002-0002-0001
    Index=32  , Username=001588f80dd7@triple
     IP=192.168.1.4
     IPv6=N/A
     MAC=0015-88f8-0dd7

     Total 3 connection(s) matched on slot 1.
     Total 3 connection(s) matched.
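The verification step above is done by eye. As an added example that is not part of the original guide, the script below parses the display connection output shown on this page, separates MAC-authenticated entries (whose username is the device MAC, as with the printer) from credentialed 802.1X/portal users, and flags any session whose username landed outside the expected ISP domain triple. The sample output and the domain check are constructed from the page; the output format of other software versions is an assumption.

```python
import re
# Constructed sample input: the "display connection" output shown on this page.
SAMPLE_OUTPUT = """\
Index=30  , Username=userpt@triple
 IP=192.168.1.2
 IPv6=N/A
 MAC=0015-e9a6-7cfe
Index=31  , Username=userdot@triple
 IP=192.168.1.3
 IPv6=N/A
 MAC=0002-0002-0001
Index=32  , Username=001588f80dd7@triple
 IP=192.168.1.4
 IPv6=N/A
 MAC=0015-88f8-0dd7
 Total 3 connection(s) matched.
"""
ENTRY_RE = re.compile(r"^Index=(\d+)\s*,\s*Username=(\S+)\s*$")
FIELD_RE = re.compile(r"^\s+(IP|IPv6|MAC)=(\S+)\s*$")
TOTAL_RE = re.compile(r"^\s*Total (\d+) connection\(s\) matched(?: on slot \d+)?\.\s*$")

def parse_connections(text):
    """Parse display connection output into (entries, reported_total)."""
    entries, total, current = [], None, None
    for line in text.splitlines():
        if m := ENTRY_RE.match(line):
            current = {"index": int(m.group(1)), "username": m.group(2)}
            entries.append(current)
        elif (m := FIELD_RE.match(line)) and current is not None:
            current[m.group(1).lower()] = m.group(2)
        elif m := TOTAL_RE.match(line):
            total = int(m.group(1))
    return entries, total

def normalize_mac(mac):
    """Strip separators so 0015-88f8-0dd7 and 001588f80dd7 compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def auth_method(entry):
    """'mac' when the username is the device MAC; 'credentialed' (802.1X or portal) otherwise."""
    local = normalize_mac(entry["username"].split("@", 1)[0])
    return "mac" if len(local) == 12 and local == normalize_mac(entry.get("mac", "")) else "credentialed"

def audit(text, domain="triple"):
    """Count online users per method and flag sessions outside the expected ISP domain."""
    entries, total = parse_connections(text)
    methods = [auth_method(e) for e in entries]
    return {"mac": methods.count("mac"), "credentialed": methods.count("credentialed"),
            "wrong_domain": [e["username"] for e in entries if e["username"].rsplit("@", 1)[-1] != domain],
            "total_matches": total == len(entries)}
```

A session in an unexpected domain means the user bypassed the default domain configured with domain default enable, so it would be authenticated by a different AAA scheme than the one verified here.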