Configuring an 802.1X Access Profile - CloudEngine S3700, S5700, and S6700 Configuration Guide V600R022C10 - User Authentication and Access (2023)

Huawei uses machine translation combined with human review to translate this document into multiple languages so that you can better understand its content. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei assumes no responsibility for the accuracy of the translation; refer to the English version of the document (link provided) where precision matters.

Configuring an 802.1X access profile
  • Configuring an 802.1X access profile
  • (Optional) Configure network access rights for users when the 802.1X client does not respond
  • (Optional) Configure reauthentication for 802.1X users
  • (Optional) Set the timer for 802.1X authentication
  • Check settings

Configuring an 802.1X access profile

Context

The device uses 802.1X access profiles to manage 802.1X access settings centrally. Before configuring 802.1X authentication, you must create an 802.1X access profile. Select an authentication method that is supported by both the 802.1X client and the authentication server, and that matches the processing capabilities of the device and the server.

Procedure

  1. Enter the system view.
    system-view
  2. Create an 802.1X access profile and enter the 802.1X access profile view.
    dot1x access-profile name access-profile-name

    Before deleting an 802.1X access profile, make sure it is no longer bound to any authentication profile; a profile that is still bound cannot be deleted.

  3. Set the authentication method for 802.1X users.
    dot1x authentication-method { chap | pap | eap }

    By default, the authentication method for 802.1X users is eap, that is, EAP relay.

    Whether to use EAP relay or EAP termination depends on the processing capability of the RADIUS server. If the RADIUS server can parse a large number of EAP packets and complete authentication itself, EAP relay (the eap parameter) is recommended: the device forwards the EAP packets to the server unchanged. If the RADIUS server cannot parse EAP packets, use EAP termination (the pap or chap parameter): the device terminates the EAP exchange with the client and sends the credentials to the RADIUS server as standard PAP or CHAP attributes. Note that EAP termination means the device, not the server, handles the EAP method, so certificate-based methods such as EAP-TLS and PEAP require EAP relay. Whichever method you configure, make sure both the client and the server support it; otherwise users cannot pass authentication.


  4. (Optional) Configure the authorization state of an interface.
    dot1x port-control { auto | authorized-force | unauthorized-force }

    By default, the authorization state of an interface is auto: access is granted only after successful authentication. authorized-force grants access without any authentication and unauthorized-force denies all access, so use these two states only for testing or to deliberately block a port.

  5. (Optional) Configure the packet types that can trigger 802.1X authentication.
    authentication trigger-condition { dhcp | arp | dhcpv6 | nd | any-l2-packet } *

    By default, DHCP, ARP, DHCPv6, and ND packets can trigger 802.1X authentication.

  6. (Optional) Configure the device to send EAP notification packets to 802.1X users.
    dot1x eap-notify-packet eap-code code-number data-type type-number

    By default, the device does not send EAP notification packets to 802.1X users.


    If an H3C iMC server acts as the RADIUS server, run the dot1x eap-notify-packet eap-code 10 data-type 25 command on the device.

  7. (Optional) Disable the device from responding to authentication trigger packets sent by the client when the AAA server is unavailable.
    dot1x no-authorization-response authen-server-down

    By default, the device responds to authentication trigger packets sent by the client even when the AAA server is unavailable.


    This function must be configured when the Cisco AnyConnect client is used for packet-based authentication.

  8. (Optional) Run the dot1x send-packet untagged command to enable the device to strip VLAN tags from the 802.1X packets it sends to terminals.

    By default, the device does not strip VLAN tags from the 802.1X packets it sends to terminals.
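The following is an added worked example, not configuration taken from the Huawei guide: it walks through steps 1 to 5 above for a profile that uses EAP relay (the default and the method required for EAP-TLS and PEAP), then binds the profile to an interface. The profile and authentication profile names (d1, p1), the interface, and the binding commands (authentication-profile name, dot1x-access-profile, and authentication-profile on the interface) are assumptions: the binding belongs to the authentication profile procedure, which is not part of this page, and the RADIUS server is assumed to be configured already.

```text
<HUAWEI> system-view
[HUAWEI] dot1x access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x authentication-method eap
[HUAWEI-dot1x-access-profile-d1] dot1x port-control auto
[HUAWEI-dot1x-access-profile-d1] authentication trigger-condition dhcp arp dhcpv6 nd
[HUAWEI-dot1x-access-profile-d1] quit
#
[HUAWEI] authentication-profile name p1
[HUAWEI-authentication-profile-p1] dot1x-access-profile d1
[HUAWEI-authentication-profile-p1] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] authentication-profile p1
[HUAWEI-GigabitEthernet1/0/1] quit
#
[HUAWEI] display dot1x access-profile configuration name d1
```

If the RADIUS server cannot relay EAP, replace dot1x authentication-method eap with dot1x authentication-method chap so that the device terminates EAP and sends CHAP attributes to the server; keep dot1x port-control auto in both cases, since authorized-force would open the port without any authentication. The display command at the end verifies the profile before it is put into service.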

(Optional) Configure network access rights for users when the 802.1X client does not respond

Requirements

Before configuring the network access rights available to users when the 802.1X client does not respond, configure the corresponding authorization information on the device:

  • Configure a VLAN and the network resources associated with it.
  • Configure a service scheme. For details, see (Optional) Configuring a Service Scheme.
  • Configure a UCL group. For details, see (Optional) Configuring a UCL Group.

Context

If the 802.1X client does not respond, the user cannot be authenticated and therefore has no network access rights. Before successful authentication, however, some users need basic network access to download client software or update the antivirus database. You can configure the network access rights granted to users whose 802.1X client does not respond, so that they can reach specific network resources. Because these rights are granted before any authentication, restrict them to the remediation resources the user actually needs.

Procedure

  1. Enter the 802.1X access profile view.
    dot1x access-profile name access-profile-name
  2. Configure the network access rights available to users when the 802.1X client does not respond.
    authentication event client-no-response action authorize { service-scheme service-scheme-name | ucl-group ucl-group-name | vlan vlan-id }

    By default, no network access rights are configured for users when the 802.1X client does not respond.

(Optional) Configure reauthentication for 802.1X users

Context

If the administrator changes parameters such as access rights or authorization attributes of an online user on the authentication server, the user must be re-authenticated so that the change takes effect and the user's validity is confirmed.

If reauthentication is configured for online 802.1X users, the device sends the user's authentication parameters stored on the device to the authentication server for reauthentication. If the user's authentication information on the authentication server has not changed, the user stays online. If the information has changed, the user is logged out and must authenticate again.

The device can re-authenticate 802.1X users in two ways:

  • Periodically re-authenticate online 802.1X users in a specified 802.1X access profile.

    • After this function is configured, multiple 802.1X authentication records are generated.
    • If the device is connected to a server for authentication and the server responds with an authentication reject message that takes the user offline, rectify the cause of the authentication failure on the server or disable the reauthentication function on the device.
  • Re-authenticate a user with a specific MAC address once.

Procedure

  • Configure periodic reauthentication.
    1. Enter the system view.
      system-view
    2. Enter the 802.1X access profile view.
      dot1x access-profile name access-profile-name
    3. Configure the device to re-authenticate online 802.1X users.
      dot1x reauthenticate

      By default, the device does not re-authenticate online 802.1X users.

    4. (Optional) Configure the reauthentication interval for online 802.1X users.
      dot1x timer reauthenticate-period reauthenticate-period-value

      By default, the reauthentication interval for online 802.1X users is 3600 seconds.

      • In most cases, the default reauthentication interval is recommended.
      • With remote authentication and authorization, a short reauthentication interval can cause high CPU usage.
      • When many users need to be re-authenticated, the actual reauthentication interval may be longer than the configured one, to reduce the impact of reauthentication on device performance.
  • Re-authenticate a user once.
    1. Enter the system view.
      system-view
    2. Re-authenticate a user with a specific MAC address once.
      dot1x reauthenticate mac-address mac-address

(Optional) Set the timer for 802.1X authentication

Context

During 802.1X authentication, timers control the retransmission of EAP-Request/Identity and EAP-Request/MD5-Challenge packets, how long the device waits for the client, and when the device falls back to MAC address authentication.

Procedure

  1. Enter the system view.
    system-view
  2. Set the interval at which the device sends 802.1X authentication requests.
    dot1x timer tx-period tx-period-value

    By default, the device sends 802.1X authentication requests at 30-second intervals.

  3. Set the delay after which the device performs MAC address authentication if 802.1X authentication has not succeeded.
    dot1x timer mac-bypass-delay delay-time-value

    By default, if 802.1X authentication does not succeed within 30 seconds, the device performs MAC address authentication (MAC address bypass).

  4. Enter the 802.1X access profile view.
    dot1x access-profile name access-profile-name
  5. Set the authentication timeout timer for 802.1X clients.
    dot1x timer client-timeout client-timeout-value

    By default, the client timeout timer is enabled and set to 5 seconds.

  6. Set the maximum number of times the device retransmits an authentication request to an 802.1X user.
    dot1x retry max-retry-value

    By default, the device retransmits an authentication request to an 802.1X user twice.
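The following is an added worked example, not configuration from the Huawei guide, that combines the three optional procedures above (client-no-response access rights, reauthentication, and timers) on one profile. The profile name d1, VLAN 100 as the remediation VLAN, the timer values, and the MAC address 00e0-fc12-3456 are constructed for illustration; the profile is assumed to be bound to an interface already, and dot1x timer mac-bypass-delay only matters if MAC address bypass authentication is also configured, which is outside this page.

```text
<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] quit
[HUAWEI] dot1x timer tx-period 30
[HUAWEI] dot1x timer mac-bypass-delay 60
[HUAWEI] dot1x access-profile name d1
[HUAWEI-dot1x-access-profile-d1] authentication event client-no-response action authorize vlan 100
[HUAWEI-dot1x-access-profile-d1] dot1x reauthenticate
[HUAWEI-dot1x-access-profile-d1] dot1x timer reauthenticate-period 7200
[HUAWEI-dot1x-access-profile-d1] dot1x timer client-timeout 10
[HUAWEI-dot1x-access-profile-d1] dot1x retry 3
[HUAWEI-dot1x-access-profile-d1] quit
[HUAWEI] dot1x reauthenticate mac-address 00e0-fc12-3456
[HUAWEI] display dot1x access-profile configuration name d1
```

VLAN 100 is reachable by any terminal whose client never answers the EAP-Request/Identity, so it should carry only the remediation resources (client download, antivirus updates) and nothing else. The reauthentication period is raised from the default 3600 s to 7200 s to limit RADIUS load; when an authorization is changed on the server and must take effect immediately, the one-off dot1x reauthenticate mac-address command in the system view forces that user through reauthentication without waiting for the next periodic run.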

Check settings

Context

After configuring an 802.1X access profile, run the following command to verify the configuration.

Procedure

  • Run the display dot1x access-profile configuration [ name access-profile-name ] command to check the settings of the specified 802.1X access profile.

Article information

Author: Corie Satterfield

Last Updated: 03/17/2023
