802.1X guest VLAN and authorization VLAN configuration example

Network requirements

As shown in Figure 41, use RADIUS servers to perform authentication, authorization, and accounting for 802.1X users who connect to GigabitEthernet 1/0/2. Implement port-based access control on the port.

Configure VLAN 10 as the 802.1X guest VLAN on GigabitEthernet 1/0/2. The host and the update server are both in VLAN 10, so a host that has not yet authenticated can reach the update server and download the 802.1X client software. Because any device plugged into the port lands in the guest VLAN without authenticating, VLAN 10 should contain nothing beyond the update server.

After the host passes 802.1X authentication, the access device assigns the host to VLAN 5 where GigabitEthernet 1/0/3 is. The host can access the Internet.

Figure 40: Network diagram

Configuration procedure

  1. Configure the 802.1X client. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or an authorization VLAN. (Details not shown.)

  2. Configure the RADIUS server to provide authentication, authorization, and accounting services. Configure user accounts and the authorization VLAN (VLAN 5 in this example) for the users. The server assigns the VLAN in its Access-Accept through the RFC 3580 tunnel attributes: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6), and Tunnel-Private-Group-ID = 5. (Details not shown.)

  3. Create VLANs, and assign ports to the VLANs on the access device.

    <Device> system-view
    [Device] vlan 1
    [Device-vlan1] port gigabitethernet 1/0/2
    [Device-vlan1] quit
    [Device] vlan 10
    [Device-vlan10] port gigabitethernet 1/0/1
    [Device-vlan10] quit
    [Device] vlan 2
    [Device-vlan2] port gigabitethernet 1/0/4
    [Device-vlan2] quit
    [Device] vlan 5
    [Device-vlan5] port gigabitethernet 1/0/3
    [Device-vlan5] quit
    
  4. Configure a RADIUS scheme on the access device:

    # Create RADIUS scheme 2000 and enter RADIUS scheme view.

    [Device] radius scheme 2000
    

    # Specify the server at 10.11.1.1 as the primary authentication server, and set the authentication port to 1812.

    [Device-radius-2000] primary authentication 10.11.1.1 1812
    

    # Specify the server at 10.11.1.1 as the primary accounting server, and set the accounting port to 1813.

    [Device-radius-2000] primary accounting 10.11.1.1 1813
    

    # Set the shared key to abc in plain text for secure communication between the authentication server and the device. The key must match the one configured on the RADIUS server. abc is only an example value; use a long random key in production, because this shared key is the only secret protecting the RADIUS exchange.

    [Device-radius-2000] key authentication simple abc
    

    # Set the shared key to abc in plain text for secure communication between the accounting server and the device.

    [Device-radius-2000] key accounting simple abc
    

    # Exclude the ISP domain names from the usernames sent to the RADIUS server.

    [Device-radius-2000] user-name-format without-domain
    [Device-radius-2000] quit
    
  5. Configure an ISP domain:

    # Create ISP domain bbb and enter ISP domain view.

    [Device] domain bbb
    

    # Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.

    [Device-isp-bbb] authentication lan-access radius-scheme 2000
    [Device-isp-bbb] authorization lan-access radius-scheme 2000
    [Device-isp-bbb] accounting lan-access radius-scheme 2000
    [Device-isp-bbb] quit
    
  6. Configure 802.1X on the access device:

    # Enable 802.1X on GigabitEthernet 1/0/2.

    [Device] interface gigabitethernet 1/0/2
    [Device-GigabitEthernet1/0/2] dot1x
    

    # Implement port-based access control on the port. In this mode, after the first user on the port passes authentication, every other host attached to the port gets the same access (VLAN 5) without authenticating. Use MAC-based access control instead if untrusted hosts can share the port.

    [Device-GigabitEthernet1/0/2] dot1x port-method portbased
    

    # Set the port authorization mode to auto. By default, the port uses the auto mode.

    [Device-GigabitEthernet1/0/2] dot1x port-control auto
    

    # Specify VLAN 10 as the 802.1X guest VLAN on GigabitEthernet 1/0/2.

    [Device-GigabitEthernet1/0/2] dot1x guest-vlan 10
    [Device-GigabitEthernet1/0/2] quit
    

    # Enable 802.1X globally. 802.1X takes effect on a port only when it is enabled both globally and on that port.

    [Device] dot1x
    
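Step 2 leaves the RADIUS side as "details not shown". The following added example (not part of the original configuration guide) shows the exchange that step 2 and the RADIUS scheme in step 4 rely on: the server builds an Access-Accept carrying the RFC 3580 tunnel attributes for VLAN 5 and signs it with the shared key, and the access device verifies the Response Authenticator before trusting the VLAN it contains. The shared key abc is taken from the example above; the Request Authenticator bytes and the packet identifier are constructed here for illustration.

```python
import hashlib
import hmac
import os
import struct

# RADIUS attribute types (RFC 2868) and the values RFC 3580 uses for VLAN assignment
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
CODE_ACCESS_ACCEPT = 2


def _tagged_int(tag, value):
    # Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag followed by a 3-byte integer
    return bytes([tag]) + value.to_bytes(3, "big")


def _attr(atype, payload):
    # Attribute = Type (1) + Length (1, includes the two header bytes) + Value
    return bytes([atype, len(payload) + 2]) + payload


def vlan_authorization_attrs(vlan_id, tag=0):
    """Attributes the RADIUS server returns to put an 802.1X user into vlan_id."""
    return (
        _attr(ATTR_TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
        + _attr(ATTR_TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
        + _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
    )


def build_access_accept(identifier, request_authenticator, attrs, secret):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, length)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_access_accept(packet, request_authenticator, secret):
    """Access-device side: verify the authenticator, then extract the authorized VLAN.

    Returns the VLAN ID, or None if the packet is malformed, not an Access-Accept,
    fails authentication against the shared key, or carries no VLAN assignment.
    """
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        return None
    resp_auth, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return None  # wrong shared key or tampered packet: the VLAN inside is not trusted
    parsed = {}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            return None
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None
        parsed[atype] = attrs[pos + 2 : pos + alen]
        pos += alen
    if not all(a in parsed for a in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID)):
        return None
    if int.from_bytes(parsed[ATTR_TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(parsed[ATTR_TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    group = parsed[ATTR_TUNNEL_PRIVATE_GROUP_ID]
    # RFC 2868: a leading byte of 0x00-0x1F is a tag; anything larger is part of the value
    if group and group[0] <= 0x1F:
        group = group[1:]
    try:
        return int(group.decode("ascii"))
    except ValueError:
        return None


if __name__ == "__main__":
    secret = b"abc"                  # key from the example config; placeholder only
    request_auth = os.urandom(16)    # constructed stand-in for the Access-Request's authenticator
    pkt = build_access_accept(7, request_auth, vlan_authorization_attrs(5), secret)
    print("authorized VLAN:", parse_access_accept(pkt, request_auth, secret))
    print("with wrong key:", parse_access_accept(pkt, request_auth, b"wrong"))
```

The check in parse_access_accept is why the shared key matters: an attacker who can inject RADIUS replies toward the access device but does not know the key cannot forge an Access-Accept that moves a port out of the guest VLAN, and a reply whose VLAN has been altered in transit fails the same check.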

Verifying the configuration

# Verify the 802.1X guest VLAN configuration on GigabitEthernet 1/0/2.

[Device] display dot1x interface gigabitethernet 1/0/2

# Verify that GigabitEthernet 1/0/2 is assigned to VLAN 10 before any user passes authentication on the port.

[Device] display vlan 10

# After a user passes authentication, display information on GigabitEthernet 1/0/2. Verify that GigabitEthernet 1/0/2 is assigned to VLAN 5.

[Device] display interface gigabitethernet 1/0/2