Example: Configuring 802.1X guest VSI and authorization VSI

Network configuration

As shown in Figure 40:

Figure 40: Network diagram

Procedure

  1. Configure the 802.1X client. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VSI or an authorization VSI. (Details not shown.)

  2. Configure the RADIUS server to provide authentication, authorization, and accounting services. Configure user accounts and authorization VSI (VSI vpn5 in this example) for the users. (Details not shown.)

    If an ADCAM server is used for authentication and authorization, configure VSIs on the server. The server will assign these VSIs to the device. You do not need to configure VSIs on the device.

  3. Enable L2VPN.

    <Device> system-view
    [Device] l2vpn enable
    
  4. Create VSIs and the corresponding VXLANs.

    [Device] vsi vpn10
    [Device-vsi-vpn10] vxlan 10
    [Device-vsi-vpn10-vxlan-10] quit
    [Device-vsi-vpn10] quit
    [Device] vsi vpn5
    [Device-vsi-vpn5] vxlan 5
    [Device-vsi-vpn5-vxlan-5] quit
    [Device-vsi-vpn5] quit
    
  5. Configure a RADIUS scheme on the access device:

    # Create RADIUS scheme 2000 and enter RADIUS scheme view.

    [Device] radius scheme 2000
    

    # Specify the server at 10.11.1.1 as the primary authentication server, and set the authentication port to 1812.

    [Device-radius-2000] primary authentication 10.11.1.1 1812
    

    # Specify the server at 10.11.1.1 as the primary accounting server, and set the accounting port to 1813.

    [Device-radius-2000] primary accounting 10.11.1.1 1813
    

    # Set the shared key to abc in plain text for secure communication between the authentication server and the device.

    [Device-radius-2000] key authentication simple abc
    

    # Set the shared key to abc in plain text for secure communication between the accounting server and the device.

    [Device-radius-2000] key accounting simple abc
    

    # Exclude the ISP domain names from the usernames sent to the authentication and accounting servers.

    [Device-radius-2000] user-name-format without-domain
    [Device-radius-2000] quit
    
  6. Configure an ISP domain:

    # Create ISP domain bbb and enter ISP domain view.

    [Device] domain bbb
    

    # Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.

    [Device-isp-bbb] authentication lan-access radius-scheme 2000
    [Device-isp-bbb] authorization lan-access radius-scheme 2000
    [Device-isp-bbb] accounting lan-access radius-scheme 2000
    [Device-isp-bbb] quit
    
  7. Configure 802.1X on the access device:

    # Enable 802.1X on HundredGigE 1/0/2.

    [Device] interface hundredgige 1/0/2
    [Device-HundredGigE1/0/2] dot1x
    

    # Implement port-based access control on the port.

    [Device-HundredGigE1/0/2] dot1x port-method portbased
    

    # Set the port authorization mode to auto. By default, the port uses the auto mode.

    [Device-HundredGigE1/0/2] dot1x port-control auto
    

    # Specify VSI vpn10 as the 802.1X guest VSI on HundredGigE 1/0/2.

    [Device-HundredGigE1/0/2] dot1x guest-vsi vpn10
    [Device-HundredGigE1/0/2] quit
    

    # Enable 802.1X globally.

    [Device] dot1x
    

Verifying the configuration

# Verify that HundredGigE 1/0/2 is assigned to VSI vpn10 before any user passes authentication on the port.

[Device] display l2vpn forwarding ac verbose

# Verify that HundredGigE 1/0/2 is assigned to VSI vpn5 after a user passes authentication on the port.

[Device] display l2vpn forwarding ac verbose