Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example

Network requirement

As shown in Figure 74, the terminals are connected to a switch to access the IP network. Configure triple authentication on the Layer-2 interface of the switch which connects to the terminals so that a terminal passing one of the three authentication methods, 802.1X authentication, portal authentication, and MAC authentication, can access the IP network. More specifically,

Figure 74: Network diagram

Configuration prerequisites and guidelines

Configuration procedure

  • Configure DHCP:

    # Configure VLANs and IP addresses for the VLAN interfaces, and add ports to specific VLANs. (Details not shown.)

    # Enable DHCP.

    <Switch> system-view
    [Switch] dhcp enable
    

    # Exclude the IP address of the update server from assignment.

    [Switch] dhcp server forbidden-ip 2.2.2.2
    

    # Configure IP address pool 1, including the address range, lease, and gateway address. A short lease is recommended to shorten the time terminals need to re-acquire IP addresses after they pass or fail authentication.

    [Switch] dhcp server ip-pool 1
    [Switch-dhcp-pool-1] network 192.168.1.0 mask 255.255.255.0
    [Switch-dhcp-pool-1] expired day 0 hour 0 minute 1
    [Switch-dhcp-pool-1] gateway-list 192.168.1.1
    [Switch-dhcp-pool-1] quit
    

    A short lease is recommended to shorten the time that terminals use to re-acquire IP addresses after passing or failing authentication. However, in some applications, a terminal can require a new IP address before the lease duration expires. For example, the iNode 802.1X client automatically renews its IP address after disconnecting from the server.

    # Configure IP address pool 2, including the address range, lease, and gateway address. A short lease is recommended to shorten the time terminals need to re-acquire IP addresses after they pass authentication.

    [Switch] dhcp server ip-pool 2
    [Switch-dhcp-pool-2] network 2.2.2.0 mask 255.255.255.0
    [Switch-dhcp-pool-2] expired day 0 hour 0 minute 1
    [Switch-dhcp-pool-2] gateway-list 2.2.2.1
    [Switch-dhcp-pool-2] quit
    

    # Configure IP address pool 3, including the address range, lease, and gateway address. A short lease is recommended to shorten the time terminals need to re-acquire IP addresses after they go offline.

    [Switch] dhcp server ip-pool 3
    [Switch-dhcp-pool-3] network 3.3.3.0 mask 255.255.255.0
    [Switch-dhcp-pool-3] expired day 0 hour 0 minute 1
    [Switch-dhcp-pool-3] gateway-list 3.3.3.1
    [Switch-dhcp-pool-3] quit
    

    # Configure IP address pool 4, and bind the printer MAC address 0015-e9a6-7cfe to the IP address 3.3.3.111/24 in this address pool.

    [Switch] dhcp server ip-pool 4
    [Switch-dhcp-pool-4] static-bind ip-address 3.3.3.111 mask 255.255.255.0
    [Switch-dhcp-pool-4] static-bind mac-address 0015-e9a6-7cfe
    [Switch-dhcp-pool-4] quit
    
  • Configure portal authentication:

    # Create SSL server policy sslsvr and specify it to use PKI domain pkidm.

    [Switch] ssl server-policy sslsvr
    [Switch-ssl-server-policy-sslsvr] pki pkidm
    [Switch-ssl-server-policy-sslsvr] quit
    

    # Configure the local portal server to support HTTPS and use SSL server policy sslsvr.

    [Switch] portal local-server https server-policy sslsvr
    

    # Configure IP address 4.4.4.4 for interface loopback 12.

    [Switch] interface loopback 12
    [Switch-LoopBack12] ip address 4.4.4.4 32
    [Switch-LoopBack12] quit
    

    # Specify the listening IP address of the local portal server as 4.4.4.4.

    [Switch] portal local-server ip 4.4.4.4
    

    # Enable Layer-2 portal authentication on GigabitEthernet 1/0/1 and specify VLAN 2 as the Auth-Fail VLAN, to which terminals failing authentication are added.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] port link-type hybrid
    [Switch-GigabitEthernet1/0/1] mac-vlan enable
    [Switch-GigabitEthernet1/0/1] portal local-server enable
    [Switch-GigabitEthernet1/0/1] portal auth-fail vlan 2
    [Switch-GigabitEthernet1/0/1] quit
    
  • Configure 802.1X authentication:

    # Enable 802.1X authentication globally.

    [Switch] dot1x
    

    # Enable 802.1X authentication (MAC-based access control required) on GigabitEthernet 1/0/1, and specify VLAN 2 as the Auth-Fail VLAN.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] dot1x port-method macbased
    [Switch-GigabitEthernet1/0/1] dot1x
    [Switch-GigabitEthernet1/0/1] dot1x auth-fail vlan 2
    [Switch-GigabitEthernet1/0/1] quit
    
  • Configure MAC authentication:

    # Enable MAC authentication globally.

    [Switch] mac-authentication
    

    # Enable MAC authentication on GigabitEthernet 1/0/1, and specify VLAN 2 as the Auth-Fail VLAN.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] mac-authentication
    [Switch-GigabitEthernet1/0/1] mac-authentication guest-vlan 2
    [Switch-GigabitEthernet1/0/1] quit
    
  • Configure a RADIUS scheme:

    # Create a RADIUS scheme named rs1.

    [Switch] radius scheme rs1
    

    # Specify the server type for the RADIUS scheme, which must be extended when the IMC server is used.

    [Switch-radius-rs1] server-type extended
    

    # Specify the primary authentication and accounting servers and keys.

    [Switch-radius-rs1] primary authentication 1.1.1.2
    [Switch-radius-rs1] primary accounting 1.1.1.2
    [Switch-radius-rs1] key authentication radius
    [Switch-radius-rs1] key accounting radius
    

    # Specify usernames sent to the RADIUS server to carry no domain names.

    [Switch-radius-rs1] user-name-format without-domain
    [Switch-radius-rs1] quit
    
  • Configure an ISP domain:

    # Create an ISP domain named triple.

    [Switch] domain triple
    

    # Configure the default AAA methods for all types of users in the domain.

    [Switch-isp-triple] authentication default radius-scheme rs1
    [Switch-isp-triple] authorization default radius-scheme rs1
    [Switch-isp-triple] accounting default radius-scheme rs1
    [Switch-isp-triple] quit
    

    # Configure domain triple as the default domain. If a username entered by a user includes no ISP domain name, the authentication scheme of the default domain is used.

    [Switch] domain default enable triple
    

Verifying the configuration

User userdot uses the 802.1X client to initiate authentication. After entering the correct username and password, the user can pass 802.1X authentication. Web user userpt uses a web browser to access an external network. The web request is redirected to the authentication page http://4.4.4.4/portal/logon.htm. After entering the correct username and password, the web user can pass portal authentication. The printer can pass MAC authentication after being connected to the network.

Use the display connection command to view connection information about online users.

    [Switch] display connection
    Slot:  1
    Index=30  , Username=userpt@triple
     IP=192.168.1.2
     IPv6=N/A
     MAC=0015-e9a6-7cfe
    Index=31  , Username=userdot@triple
     IP=3.3.3.2
     IPv6=N/A
     MAC=0002-0002-0001
    Index=32  , Username=001588f80dd7@triple
     IP=N/A
     IPv6=N/A
     MAC=0015-88f8-0dd7
    
     Total 3 connection(s) matched on slot 1.
     Total 3 connection(s) matched.
    

Use the display mac-vlan all command to view the MAC-VLAN entries of online users. VLAN 3 is the authorized VLAN.

    [Switch] display mac-vlan all
      The following MAC VLAN addresses exist:
      S:Static  D:Dynamic
      MAC ADDR         MASK             VLAN ID   PRIO   STATE
      --------------------------------------------------------
      0015-e9a6-7cfe   ffff-ffff-ffff   3         0      D
      0002-0002-0001   ffff-ffff-ffff   3         0      D
      0015-88f8-0dd7   ffff-ffff-ffff   3         0      D
      Total MAC VLAN address count:3
    

Use the display dhcp server ip-in-use command to view the IP addresses assigned to online users.

    [Switch] display dhcp server ip-in-use all
    Pool utilization: 0.59%
     IP address       Client-identifier/    Lease expiration          Type
                      Hardware address
     3.3.3.111        0015-88f8-0dd7        Dec 15 2009 17:40:52      Auto:COMMITTED
     3.3.3.2          0002-0002-0001        Dec 15 2009 17:41:02      Auto:COMMITTED
     3.3.3.3          0015-e9a6-7cfe        Unlimited                 Manual
    
     --- total 3 entry ---
    

When a terminal fails authentication, it is added to VLAN 2. You can also use the display commands to view the MAC-VLAN entry and IP address of the terminal.
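As an added example (not part of the original configuration guide), the following Python script parses the display connection and display mac-vlan all output shown above and classifies each MAC address as sitting in the authorized VLAN 3 with a live AAA session, in the Auth-Fail VLAN 2, or in an unexpected state worth investigating. The VLAN 2 row in the sample MAC-VLAN table is a constructed entry, since the page's output shows only authorized terminals; the helper names are my own.

```python
import re

# 'display connection' and 'display mac-vlan all' output from the example above;
# the VLAN 2 row is a constructed entry for a terminal that failed authentication.
DISPLAY_CONNECTION = """\
Slot:  1
Index=30  , Username=userpt@triple
 IP=192.168.1.2
 IPv6=N/A
 MAC=0015-e9a6-7cfe
Index=31  , Username=userdot@triple
 IP=3.3.3.2
 IPv6=N/A
 MAC=0002-0002-0001
"""
DISPLAY_MAC_VLAN = """\
  MAC ADDR         MASK             VLAN ID   PRIO   STATE
  --------------------------------------------------------
  0015-e9a6-7cfe   ffff-ffff-ffff   3         0      D
  0002-0002-0001   ffff-ffff-ffff   3         0      D
  0015-88f8-0dd7   ffff-ffff-ffff   2         0      D
"""
AUTHORIZED_VLAN = 3   # VLAN assigned by the RADIUS server on success
AUTH_FAIL_VLAN = 2    # Auth-Fail VLAN configured on GigabitEthernet 1/0/1

def parse_connections(text):
    """Map MAC -> (username, ip) from 'display connection' output."""
    users = {}
    for block in re.split(r"(?m)^Index=", text)[1:]:
        user = re.search(r"Username=(\S+)", block).group(1)
        ip = re.search(r"\bIP=(\S+)", block).group(1)
        mac = re.search(r"MAC=(\S+)", block).group(1)
        users[mac] = (user, ip)
    return users

def parse_mac_vlan(text):
    """Map MAC -> VLAN ID from the data rows of 'display mac-vlan all'."""
    row = re.compile(r"\s*([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+\S+\s+(\d+)")
    return {m.group(1): int(m.group(2))
            for m in map(row.match, text.splitlines()) if m}

def audit(conn_text, macvlan_text):
    """Classify every MAC-VLAN entry: authorized, auth-fail, or unexpected."""
    users = parse_connections(conn_text)
    report = {}
    for mac, vlan in parse_mac_vlan(macvlan_text).items():
        if vlan == AUTH_FAIL_VLAN:
            report[mac] = "auth-fail"      # terminal failed all three methods
        elif vlan == AUTHORIZED_VLAN and mac in users:
            report[mac] = "authorized"     # online AAA session in VLAN 3
        else:
            report[mac] = "unexpected"     # VLAN/session mismatch: investigate
    return report
```

Feeding the script live output captured from the switch (for example over SSH) turns the manual display checks above into a repeatable audit; any "unexpected" entry means the MAC-VLAN table and the AAA session table disagree.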