Example: Configuring 802.1X guest VSI and authorization VSI
Network configuration
As shown in Figure 40:
The device acts as both a VXLAN VTEP and a network access device. It uses the RADIUS server to perform authentication, authorization, and accounting for 802.1X users that connect to HundredGigE 1/0/2.
HundredGigE 1/0/2 uses port-based access control and is configured with the 802.1X guest VSI. VXLAN 10 is created on the guest VSI. Users in the guest VSI can access the update server in VXLAN 10 and download the 802.1X client software.
The RADIUS server assigns an authorization VSI to the host. The VSI is associated with VXLAN 5 on the device. After passing authentication, the host can access the Internet.
Figure 40: Network diagram
Procedure
Configure the 802.1X client. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VSI or an authorization VSI. (Details not shown.)
Configure the RADIUS server to provide authentication, authorization, and accounting services. Configure user accounts and authorization VSI (VSI vpn5 in this example) for the users. (Details not shown.)
If an ADCAM server is used for authentication and authorization, configure VSIs on the server. The server will assign these VSIs to the device. You do not need to configure VSIs on the device.
Enable L2VPN.
<Device> system-view
[Device] l2vpn enable
Create VSIs and the corresponding VXLANs.
[Device] vsi vpn10
[Device-vsi-vpn10] vxlan 10
[Device-vsi-vpn10-vxlan-10] quit
[Device-vsi-vpn10] quit
[Device] vsi vpn5
[Device-vsi-vpn5] vxlan 5
[Device-vsi-vpn5-vxlan-5] quit
[Device-vsi-vpn5] quit
Configure a RADIUS scheme on the access device:
# Create RADIUS scheme 2000 and enter RADIUS scheme view.
[Device] radius scheme 2000
# Specify the server at 10.11.1.1 as the primary authentication server, and set the authentication port to 1812.
[Device-radius-2000] primary authentication 10.11.1.1 1812
# Specify the server at 10.11.1.1 as the primary accounting server, and set the accounting port to 1813.
[Device-radius-2000] primary accounting 10.11.1.1 1813
# Set the shared key to abc in plain text for secure communication between the authentication server and the device.
[Device-radius-2000] key authentication simple abc
# Set the shared key to abc in plain text for secure communication between the accounting server and the device.
[Device-radius-2000] key accounting simple abc
# Exclude the ISP domain names from the usernames sent to the authentication and accounting servers.
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
Configure an ISP domain:
# Create ISP domain bbb and enter ISP domain view.
[Device] domain bbb
# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.
[Device-isp-bbb] authentication lan-access radius-scheme 2000
[Device-isp-bbb] authorization lan-access radius-scheme 2000
[Device-isp-bbb] accounting lan-access radius-scheme 2000
[Device-isp-bbb] quit
Configure 802.1X on the access device:
# Enable 802.1X on HundredGigE 1/0/2.
[Device] interface hundredgige 1/0/2
[Device-HundredGigE1/0/2] dot1x
# Implement port-based access control on the port.
[Device-HundredGigE1/0/2] dot1x port-method portbased
# Set the port authorization mode to auto. By default, the port uses the auto mode.
[Device-HundredGigE1/0/2] dot1x port-control auto
# Specify VSI vpn10 as the 802.1X guest VSI on HundredGigE 1/0/2.
[Device-HundredGigE1/0/2] dot1x guest-vsi vpn10
[Device-HundredGigE1/0/2] quit
# Enable 802.1X globally.
[Device] dot1x
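The procedure above spreads one dependency chain across several views: the guest VSI named on the port and the authorization VSI returned by the RADIUS server must both exist on the device with a VXLAN bound, and the RADIUS scheme must carry servers and shared keys for both authentication and accounting, or users end up with no working VSI after authentication. The following script is an added example, not part of the H3C documentation or the device software: it parses the Comware commands shown in this procedure (the constructed sample below) and reports any missing piece before the configuration is deployed. The parser understands only the commands used on this page; the authorization VSI name (vpn5) never appears in the device configuration, so the caller supplies the names the RADIUS server is expected to assign. All function and field names are the example's own.

```python
# Added example (not H3C's code): a pre-deployment consistency check for the
# guest VSI / authorization VSI setup above. It parses the Comware commands from
# the procedure and verifies that every VSI the 802.1X port or the RADIUS server
# refers to exists with a VXLAN bound, and that the RADIUS scheme has servers and
# shared keys for both authentication and accounting. All names are the example's own.
import re

# Constructed sample: the VSI, RADIUS scheme and 802.1X commands from the procedure above.
SAMPLE_CONFIG = """\
[Device] l2vpn enable
[Device] vsi vpn10
[Device-vsi-vpn10] vxlan 10
[Device-vsi-vpn10-vxlan-10] quit
[Device-vsi-vpn10] quit
[Device] vsi vpn5
[Device-vsi-vpn5] vxlan 5
[Device-vsi-vpn5-vxlan-5] quit
[Device-vsi-vpn5] quit
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.11.1.1 1812
[Device-radius-2000] primary accounting 10.11.1.1 1813
[Device-radius-2000] key authentication simple abc
[Device-radius-2000] key accounting simple abc
[Device-radius-2000] quit
[Device] interface hundredgige 1/0/2
[Device-HundredGigE1/0/2] dot1x
[Device-HundredGigE1/0/2] dot1x port-method portbased
[Device-HundredGigE1/0/2] dot1x guest-vsi vpn10
[Device-HundredGigE1/0/2] quit
[Device] dot1x
"""

PROMPT_RE = re.compile(r"^[<\[][^>\]]+[>\]]\s*(.*)$")  # strip the "[Device-...]" prompt


def parse_config(text):
    """Collect VSIs, 802.1X ports and RADIUS schemes; the view stack mirrors quit."""
    cfg = {"l2vpn": False, "dot1x_global": False, "vsis": {}, "ports": {}, "schemes": {}}
    views = []  # stack of (view kind, object name)
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        t = m.group(1).split() if m else []
        if not t:
            continue
        kind, name = views[-1] if views else ("system", None)
        if t[0] == "quit":
            if views:
                views.pop()
        elif kind == "system":
            if t == ["l2vpn", "enable"]:
                cfg["l2vpn"] = True
            elif t == ["dot1x"]:
                cfg["dot1x_global"] = True
            elif t[0] == "vsi" and len(t) == 2:
                cfg["vsis"].setdefault(t[1], {"vxlan": None})
                views.append(("vsi", t[1]))
            elif t[0] == "interface" and len(t) > 1:
                port = " ".join(t[1:])
                cfg["ports"].setdefault(port, {"dot1x": False, "method": None, "guest_vsi": None})
                views.append(("interface", port))
            elif t[:2] == ["radius", "scheme"] and len(t) == 3:
                cfg["schemes"].setdefault(t[2], {"servers": set(), "keys": set()})
                views.append(("radius", t[2]))
        elif kind == "vsi" and t[0] == "vxlan" and len(t) == 2:
            cfg["vsis"][name]["vxlan"] = int(t[1])
            views.append(("vxlan", t[1]))  # VXLAN view: only quit matters for this check
        elif kind == "interface":
            port = cfg["ports"][name]
            if t == ["dot1x"]:
                port["dot1x"] = True
            elif t[:2] == ["dot1x", "port-method"] and len(t) == 3:
                port["method"] = t[2]
            elif t[:2] == ["dot1x", "guest-vsi"] and len(t) == 3:
                port["guest_vsi"] = t[2]
        elif kind == "radius" and len(t) >= 3 and t[0] in ("primary", "key"):
            # remember which services have a server / a shared key; never store the key itself
            cfg["schemes"][name]["servers" if t[0] == "primary" else "keys"].add(t[1])
    return cfg


def check_dot1x_vsi(cfg, port, authorization_vsis):
    """Return problems found (empty when consistent); authorization_vsis come from the RADIUS side."""
    problems = [msg for flag, msg in (("l2vpn", "l2vpn is not enabled"),
                                      ("dot1x_global", "802.1X is not enabled globally")) if not cfg[flag]]
    p = cfg["ports"].get(port)
    if not p or not p["dot1x"]:
        return problems + [f"802.1X is not enabled on {port}"]
    if p["method"] != "portbased":
        problems.append(f"{port}: guest VSI requires port-based access control")
    if p["guest_vsi"] is None:
        problems.append(f"{port}: no guest VSI configured")
    for vsi in ([p["guest_vsi"]] if p["guest_vsi"] else []) + list(authorization_vsis):
        info = cfg["vsis"].get(vsi)
        if info is None:
            problems.append(f"VSI {vsi} is referenced but not created on the device")
        elif info["vxlan"] is None:
            problems.append(f"VSI {vsi} has no VXLAN bound")
    for sname, s in cfg["schemes"].items():
        for svc in ("authentication", "accounting"):
            if svc not in s["servers"]:
                problems.append(f"radius scheme {sname}: no primary {svc} server")
            if svc not in s["keys"]:
                problems.append(f"radius scheme {sname}: no {svc} shared key")
    return problems


if __name__ == "__main__":
    print(check_dot1x_vsi(parse_config(SAMPLE_CONFIG), "hundredgige 1/0/2", ["vpn5"]) or "consistent")
```

Run against the sample, the check returns an empty list; deleting the `vxlan 5` line or one of the `key` lines from the sample makes it report the dangling VSI or the missing shared key, which is the failure that would otherwise surface only as users stuck without connectivity after a successful RADIUS exchange.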
Verifying the configuration
# Verify that HundredGigE 1/0/2 is assigned to VSI vpn10 before any user passes authentication on the port.
[Device] display l2vpn forwarding ac verbose
# Verify that HundredGigE 1/0/2 is assigned to VSI vpn5 after a user passes authentication on the port.
[Device] display l2vpn forwarding ac verbose