Example: Configuring basic triple authentication

Network configuration

As shown in Figure 92, the terminals connect to the device to reach the IP network. Configure triple authentication on the Layer 2 interface of the device that connects to the terminals. A terminal that passes any one of the three authentication methods (802.1X authentication, Web authentication, or MAC authentication) is granted access to the IP network.

Figure 92: Network diagram

Procedure

  1. Make sure that the terminals, the server, and the device can reach each other. (Details not shown.)

  2. Configure the RADIUS server to provide normal authentication, authorization, and accounting for users. In this example, configure the following on the RADIUS server:

    • An 802.1X user with username userdot.

    • A Web authentication user with username userpt.

    • A MAC authentication user with a username and password both being the MAC address of the printer f07d6870725f.

  3. Configure Web authentication:

    # Configure VLANs and IP addresses for the VLAN interfaces, and add ports to specific VLANs. (Details not shown.)

    # Edit authentication pages, compress the pages to a .zip file named abc, and upload the .zip file to the device by FTP. (Details not shown.)

    # Configure the local Web server to use HTTP, and configure file abc.zip as its default authentication page file. HTTP is used here for simplicity; because the logon page then carries credentials in cleartext, an HTTPS local Web server is preferable in production.

    <Device> system-view
    [Device] portal local-web-server http
    [Device-portal-local-websvr-http] default-logon-page abc.zip
    [Device-portal-local-websvr-http] quit
    

    # Configure the IP address of interface loopback 0 as 4.4.4.4.

    [Device] interface loopback 0
    [Device-LoopBack0] ip address 4.4.4.4 32
    [Device-LoopBack0] quit
    

    # Create a Web authentication server named webserver and enter its view.

    [Device] web-auth server webserver
    

    # Configure the redirection URL for the Web authentication server as http://4.4.4.4/portal/.

    [Device-web-auth-server-webserver] url http://4.4.4.4/portal/
    

    # Set the IP address and port number of Web authentication server to 4.4.4.4 and 80.

    [Device-web-auth-server-webserver] ip 4.4.4.4 port 80
    [Device-web-auth-server-webserver] quit 
    

    # Enable Web authentication on HundredGigE 1/0/1, and specify the Web authentication server webserver for the port.

    [Device] interface hundredgige 1/0/1
    [Device-HundredGigE1/0/1] web-auth enable apply server webserver
    [Device-HundredGigE1/0/1] quit
    
  4. Configure 802.1X authentication:

    # Enable 802.1X authentication globally.

    [Device] dot1x
    

    # Enable 802.1X authentication on HundredGigE 1/0/1. Triple authentication requires MAC-based access control on the port, so set the port access control method to macbased.

    [Device] interface hundredgige 1/0/1
    [Device-HundredGigE1/0/1] dot1x port-method macbased
    [Device-HundredGigE1/0/1] dot1x
    [Device-HundredGigE1/0/1] quit
    
  5. Configure MAC authentication:

    # Enable MAC authentication globally.

    [Device] mac-authentication 
    

    # Enable MAC authentication on HundredGigE 1/0/1.

    [Device] interface hundredgige 1/0/1
    [Device-HundredGigE1/0/1] mac-authentication
    [Device-HundredGigE1/0/1] quit
    
  6. Configure a RADIUS scheme:

    # Create a RADIUS scheme named rs1.

    [Device] radius scheme rs1
    

    # Specify the primary authentication and accounting servers and the shared keys. The keys must match the keys configured on the RADIUS server. The plaintext key radius is a placeholder for this example; use a strong shared secret in production, because it is what hides user passwords in transit and lets the device authenticate the server's replies.

    [Device-radius-rs1] primary authentication 1.1.1.2
    [Device-radius-rs1] primary accounting 1.1.1.2
    [Device-radius-rs1] key authentication simple radius
    [Device-radius-rs1] key accounting simple radius
    

    # Specify usernames sent to the RADIUS server to carry no domain names.

    [Device-radius-rs1] user-name-format without-domain
    [Device-radius-rs1] quit
    
  7. Configure an ISP domain:

    # Create an ISP domain named triple.

    [Device] domain triple
    

    # Configure the domain to use RADIUS scheme rs1 for authentication, authorization and accounting of LAN access users.

    [Device-isp-triple] authentication lan-access radius-scheme rs1
    [Device-isp-triple] authorization lan-access radius-scheme rs1
    [Device-isp-triple] accounting lan-access radius-scheme rs1
    [Device-isp-triple] quit
    

    # Configure domain triple as the default domain. If a username entered by a user includes no ISP domain name, the AAA method of the default domain is used.

    [Device] domain default enable triple
    
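To make concrete what the RADIUS user entries of step 2 and the shared keys of step 6 actually protect, the following Python script reconstructs the exchange between the device and the RADIUS server offline. It is an added example, not code from the switch or from the RADIUS server: it hides the MAC-authentication user's password the way RFC 2865 PAP does, forms a CHAP response for the 802.1X user (the verification output below reports CHAP for that user), and shows the device rejecting a reply whose Response Authenticator was computed with a different key. The passwords for userdot and userpt and the use of PAP for MAC authentication are assumptions; the user database is constructed from step 2.

```python
"""RADIUS Access-Request/Accept exchange behind steps 2 and 6 (RFC 2865 framing,
PAP password hiding, CHAP response, Response Authenticator check).
Added example, not the device's or the RADIUS server's code."""
import hashlib
import hmac
import os
import struct

SHARED_SECRET = b"radius"   # from 'key authentication simple radius' in step 6

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60

# Constructed from step 2. The passwords for userdot and userpt are assumed; the
# printer's username and password are both its MAC address, as the page states.
USER_DB = {"userdot": b"dot1xpass", "userpt": b"portalpass",
           "f07d6870725f": b"f07d6870725f"}


def _pap_hide(password, secret, req_auth):
    """RFC 2865 s5.2: pad to a 16-byte multiple; c_i = p_i XOR MD5(secret + c_(i-1))."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def _pap_reveal(hidden, secret, req_auth):
    """Inverse of _pap_hide; the server needs the same secret to recover the password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _pack(code, ident, authenticator, attrs):
    """Code(1) ID(1) Length(2) Authenticator(16) then TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def _attrs(data):
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out


def mac_auth_request(mac, secret=SHARED_SECRET, ident=1, req_auth=None):
    """Access-Request for a MAC-authentication user: User-Name and User-Password are the MAC."""
    req_auth = req_auth or os.urandom(16)
    return _pack(ACCESS_REQUEST, ident, req_auth,
                 [(USER_NAME, mac.encode()),
                  (USER_PASSWORD, _pap_hide(mac.encode(), secret, req_auth))])


def chap_request(username, password, ident=2, chap_id=7, challenge=None, req_auth=None):
    """Access-Request carrying a CHAP response: MD5(chap_id + password + challenge)."""
    req_auth, challenge = req_auth or os.urandom(16), challenge or os.urandom(16)
    resp = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    return _pack(ACCESS_REQUEST, ident, req_auth,
                 [(USER_NAME, username.encode()),
                  (CHAP_PASSWORD, bytes([chap_id]) + resp),
                  (CHAP_CHALLENGE, challenge)])


def _response_auth(code, ident, length, req_auth, body, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + req_auth + body + secret).digest()


def radius_server(request, secret=SHARED_SECRET, users=USER_DB):
    """Minimal server: checks PAP or CHAP against users, signs the reply with the secret."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], _attrs(request[20:length])
    expected = users.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    ok = False
    if expected is not None and USER_PASSWORD in attrs:
        ok = hmac.compare_digest(_pap_reveal(attrs[USER_PASSWORD], secret, req_auth), expected)
    elif expected is not None and CHAP_PASSWORD in attrs:
        chap_id, resp = attrs[CHAP_PASSWORD][:1], attrs[CHAP_PASSWORD][1:]
        challenge = attrs.get(CHAP_CHALLENGE, req_auth)
        ok = hmac.compare_digest(hashlib.md5(chap_id + expected + challenge).digest(), resp)
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return _pack(resp_code, ident, _response_auth(resp_code, ident, 20, req_auth, b"", secret), [])


def device_accepts(request, response, secret=SHARED_SECRET):
    """NAS-side check: matching ID and a Response Authenticator built with the same secret.
    A reply forged without the key, or from a server with a mismatched key, is discarded."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return False
    good = _response_auth(code, ident, length, request[4:20], response[20:length], secret)
    return hmac.compare_digest(good, response[4:20]) and code == ACCESS_ACCEPT


if __name__ == "__main__":
    req = mac_auth_request("f07d6870725f")
    print("printer accepted:", device_accepts(req, radius_server(req)))
    req = chap_request("userdot", USER_DB["userdot"])
    print("userdot accepted:", device_accepts(req, radius_server(req)))
    print("key mismatch accepted:", device_accepts(req, radius_server(req, secret=b"wrong")))
```

The last line of the usage block is the case a mismatched key produces in practice: the server cannot recover the PAP password, so it rejects, and even an Accept it did send would fail the Response Authenticator check on the device. MD5 is what the protocol specifies; the strength of the exchange rests entirely on the secret, which is why a placeholder such as radius belongs only in an example.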

Verifying the configuration

  1. Verify that the Web user can pass Web authentication.

    # On the Web user terminal, use a Web browser to access an external network and then enter the correct username and password on the authentication page http://4.4.4.4/portal/logon.html. (Details not shown.)

    # Display information about online Web authentication users.

    [Device] display web-auth user
      Total online web-auth users: 1
      User Name: userpt
      MAC address: acf1-df6c-f9ad
      Access interface: HundredGigE1/0/1
      Initial VLAN: 1
      Authorization VLAN: N/A
      Authorization ACL ID: N/A
      Authorization user profile: N/A
    
  2. Verify that the printer can pass MAC authentication.

    # Connect the printer to the network. (Details not shown.)

    # Display information about online MAC authentication users.

    [Device] display mac-authentication connection
    Total connections: 1
    Slot ID: 1
    User MAC address: f07d-6870-725f
    Access interface: HundredGigE1/0/1
    Username: f07d6870725f
    User access state: Successful
    Authentication domain: triple
    Initial VLAN: 14
    Authorization untagged VLAN: 14
    Authorization tagged VLAN: N/A
    Authorization VSI: N/A
    Authorization ACL ID: N/A
    Authorization user profile: N/A
    Authorization URL: N/A
    Termination action: Default
    Session timeout period: N/A
    Online from: 2015/01/04 18:01:43
    Online duration: 0h 0m 2s
    
  3. Verify that the 802.1X client can pass 802.1X authentication.

    # On the 802.1X client, initiate 802.1X authentication and then enter the correct username and password. (Details not shown.)

    # Display information about online 802.1X users.

    [Device] display dot1x connection
    Total connections: 1
    Slot ID: 1
    User MAC address: 7446-a091-84fe
    Access interface: HundredGigE1/0/1
    Username: userdot
    User access state: Successful
    Authentication domain: triple
    IPv4 address: 192.168.1.2
    Authentication method: CHAP
    Initial VLAN: 14
    Authorization untagged VLAN: 14
    Authorization tagged VLAN list: N/A
    Authorization VSI: N/A
    Authorization ACL ID: N/A
    Authorization user profile: N/A
    Authorization URL: N/A
    Termination action: Default
    Session timeout period: N/A
    Online from: 2015/01/04 18:13:01
    Online duration: 0h 0m 14s