Triple authentication basic function configuration example

Network requirements

As shown in Figure 169, the terminals are connected to the device to access the IP network. Configure triple authentication on the device's Layer 2 interface that connects to the terminals. A terminal that passes any one of the three authentication methods (802.1X authentication, Web authentication, or MAC authentication) can access the IP network.

Figure 169: Network diagram

Configuration prerequisites and restrictions

Configuration procedure

  1. Configure Web authentication:

    # Configure VLANs and IP addresses for the VLAN interfaces, and add ports to specific VLANs. (Details not shown.)

    # Configure the local Web server to use HTTP. Configure file abc.zip as the default authentication page file of the local Web server.

    <Device> system-view
    [Device] portal local-web-server http
    [Device-portal-local-websvr-http] default-logon-page abc.zip
    [Device-portal-local-websvr-http] quit
    

    # Configure the IP address of interface loopback 0 as 4.4.4.4.

    [Device] interface loopback 0
    [Device-LoopBack0] ip address 4.4.4.4 32
    [Device-LoopBack0] quit
    

    # Create a Web authentication server named webserver and enter its view.

    [Device] web-auth server webserver
    

    # Configure the redirection URL for the Web authentication server as http://4.4.4.4/portal/.

    [Device-web-auth-server-webserver] url http://4.4.4.4/portal/
    

    # Set the IP address and port number of Web authentication server to 4.4.4.4 and 80.

    [Device-web-auth-server-webserver] ip 4.4.4.4 port 80
    [Device-web-auth-server-webserver] quit
    

    # Enable Web authentication on GigabitEthernet 1/0/1, and specify the Web authentication server webserver for the port.

    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] web-auth enable apply server webserver
    [Device-GigabitEthernet1/0/1] quit
    
  2. Configure 802.1X authentication:

    # Enable 802.1X authentication globally.

    [Device] dot1x
    

    # Enable 802.1X authentication (MAC-based access control required) on GigabitEthernet 1/0/1.

    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] dot1x port-method macbased
    [Device-GigabitEthernet1/0/1] dot1x
    [Device-GigabitEthernet1/0/1] quit
    
  3. Configure MAC authentication:

    # Enable MAC authentication globally.

    [Device] mac-authentication
    

    # Enable MAC authentication on GigabitEthernet 1/0/1.

    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] mac-authentication
    [Device-GigabitEthernet1/0/1] quit
    
  4. Configure a RADIUS scheme:

    # Create a RADIUS scheme named rs1.

    [Device] radius scheme rs1
    

    # Specify the primary authentication and accounting servers and the shared keys. (The key radius is a placeholder for this example. In production use a long, random shared secret that matches the server's configuration, because the RADIUS shared secret is what protects the User-Password attribute and authenticates the server's replies.)

    [Device-radius-rs1] primary authentication 1.1.1.2
    [Device-radius-rs1] primary accounting 1.1.1.2
    [Device-radius-rs1] key authentication simple radius
    [Device-radius-rs1] key accounting simple radius
    

    # Configure the device to send usernames to the RADIUS server without the domain name.

    [Device-radius-rs1] user-name-format without-domain
    [Device-radius-rs1] quit
    
  5. Configure an ISP domain:

    # Create an ISP domain named triple.

    [Device] domain triple
    

    # Configure the domain to use RADIUS scheme rs1 for authentication, authorization, and accounting of LAN access users.

    [Device-isp-triple] authentication lan-access radius-scheme rs1
    [Device-isp-triple] authorization lan-access radius-scheme rs1
    [Device-isp-triple] accounting lan-access radius-scheme rs1
    [Device-isp-triple] quit
    

    # Configure domain triple as the default domain. A user whose username carries no ISP domain name (including MAC authentication users, whose username is the MAC address, as the verification output below shows) is authenticated with the AAA methods of the default domain.

    [Device] domain default enable triple
    

Verifying the configuration

  1. Verify that the Web user can pass Web authentication.

    # On the Web user terminal, use a Web browser to access an external network and then enter the correct username and password on the authentication page http://4.4.4.4/portal/logon.html. (Details not shown.)

    # Display information about online Web authentication users.

    [Device] display web-auth user
    User Name: userpt
      MAC address: 6805-ca17-4a0b
      Access interface: GigabitEthernet1/0/1
      Initial VLAN: 14
      Authorization VLAN: 14
      Authorization ACL ID: N/A
      Authorization user profile: N/A
    
    Total 1 users matched.
    
  2. Verify that the printer can pass MAC authentication.

    # Connect the printer to the network. (Details not shown.)

    # Display information about online MAC authentication users.

    [Device] display mac-authentication connection
    Slot ID: 1
    User MAC address: f07d-6870-725f
    Access interface: GigabitEthernet1/0/1
    Username: f07d6870725f
    Authentication domain: triple
    Initial VLAN: 14
    Authorization untagged VLAN: 14
    Authorization tagged VLAN: N/A
    Authorization ACL ID: N/A
    Authorization user profile: N/A
    Authorization URL: N/A
    Termination action: N/A
    Session timeout period: N/A
    Online from: 2015/01/04 18:01:43
    Online duration: 0h 0m 2s
    Total 1 connections matched.
    
  3. Verify that the 802.1X client can pass 802.1X authentication.

    # On the 802.1X client, initiate 802.1X authentication and then enter the correct username and password. (Details not shown.)

    # Display information about online 802.1X users.

    [Device] display dot1x connection
    Slot ID: 1
    User MAC address: 7446-a091-84fe
    Access interface: GigabitEthernet1/0/1
    Username: userdot
    Authentication domain: triple
    Authentication method: CHAP
    Initial VLAN: 14
    Authorization untagged VLAN: 14
    Authorization tagged VLAN list: N/A
    Authorization ACL ID: N/A
    Authorization user profile: N/A
    Authorization URL: N/A
    Termination action: N/A
    Session timeout period: N/A
    Online from: 2015/01/04 18:13:01
    Online duration: 0h 0m 14s
    Total 1 connection(s) matched.
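The three display commands above are what an operator has to read after the change. As an added example (not H3C/Comware code, and not part of the original page), the following Python script parses that output and runs a few consistency checks on the online sessions: that every session landed in domain triple, that the authorization VLAN is the expected one, that the summary count agrees with the number of records, and which sessions were admitted by MAC authentication only (the username is the MAC address itself, so no user credential was presented). The sample outputs are constructed from the page's own examples; the expected domain and VLAN are parameters, and reading "Session timeout period: N/A" as "the server assigned no Session-Timeout" is an assumption.

```python
"""Parse Comware 'display ... connection' / 'display web-auth user' output and
audit the online sessions. Standalone example written for this page."""
import re
from typing import Dict, List, Optional, Tuple

# "Key: Value" lines; keys may contain spaces, e.g. "Authorization tagged VLAN list".
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ()]*?):\s*(.*?)\s*$")
# Trailing summary line, e.g. "Total 1 connection(s) matched." / "Total 1 users matched."
TOTAL_RE = re.compile(r"^\s*Total\s+(\d+)\s+\S+\s+matched\.")

# Constructed from the page's verification output.
WEB_AUTH_OUTPUT = """[Device] display web-auth user
User Name: userpt
  MAC address: 6805-ca17-4a0b
  Access interface: GigabitEthernet1/0/1
  Initial VLAN: 14
  Authorization VLAN: 14
  Authorization ACL ID: N/A
  Authorization user profile: N/A

Total 1 users matched.
"""
MAC_AUTH_OUTPUT = """[Device] display mac-authentication connection
Slot ID: 1
User MAC address: f07d-6870-725f
Access interface: GigabitEthernet1/0/1
Username: f07d6870725f
Authentication domain: triple
Initial VLAN: 14
Authorization untagged VLAN: 14
Authorization ACL ID: N/A
Session timeout period: N/A
Online from: 2015/01/04 18:01:43
Total 1 connections matched.
"""
DOT1X_OUTPUT = """[Device] display dot1x connection
Slot ID: 1
User MAC address: 7446-a091-84fe
Access interface: GigabitEthernet1/0/1
Username: userdot
Authentication domain: triple
Authentication method: CHAP
Initial VLAN: 14
Authorization untagged VLAN: 14
Session timeout period: N/A
Online from: 2015/01/04 18:13:01
Total 1 connection(s) matched.
"""


def parse_sessions(output: str) -> Tuple[List[Dict[str, str]], Optional[int]]:
    """Split CLI output into one dict per session.

    The device prints the same field set once per online user, so a new
    record starts whenever a key repeats. Returns (sessions, summary count)."""
    sessions: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    total: Optional[int] = None
    for line in output.splitlines():
        m_total = TOTAL_RE.match(line)
        if m_total:
            total = int(m_total.group(1))
            break
        m = KV_RE.match(line)
        if not m:
            continue  # command echo, blank lines
        key, value = m.group(1), m.group(2)
        if key in current:
            sessions.append(current)
            current = {}
        current[key] = value
    if current:
        sessions.append(current)
    return sessions, total


def audit_sessions(output: str, expected_domain: str = "triple",
                   expected_vlan: str = "14") -> List[str]:
    """Return one finding string per condition worth a second look."""
    sessions, total = parse_sessions(output)
    findings: List[str] = []
    if total is not None and total != len(sessions):
        findings.append(f"summary says {total} sessions, parsed {len(sessions)}")
    for s in sessions:
        # dot1x/MAC output uses "User MAC address", web-auth output "MAC address".
        mac = s.get("User MAC address") or s.get("MAC address", "?")
        name = s.get("Username") or s.get("User Name", "?")
        domain = s.get("Authentication domain")  # absent in web-auth output
        if domain is not None and domain != expected_domain:
            findings.append(f"{mac}: domain {domain}, expected {expected_domain}")
        vlan = s.get("Authorization untagged VLAN") or s.get("Authorization VLAN")
        if vlan != expected_vlan:
            findings.append(f"{mac}: authorization VLAN {vlan}, expected {expected_vlan}")
        # MAC authentication sends the MAC address as the username
        # (f07d-6870-725f -> f07d6870725f on this page): the only credential
        # is a hardware address, so list these sessions for review.
        if name.lower() == mac.replace("-", "").lower():
            findings.append(f"{mac}: MAC-authenticated, no user credential")
        # Assumption: N/A means the RADIUS server assigned no Session-Timeout.
        if s.get("Session timeout period") == "N/A":
            findings.append(f"{mac}: no session timeout from RADIUS")
    return findings


if __name__ == "__main__":
    for label, out in (("web-auth", WEB_AUTH_OUTPUT),
                       ("mac-auth", MAC_AUTH_OUTPUT),
                       ("dot1x", DOT1X_OUTPUT)):
        print(label, audit_sessions(out) or ["ok"])
```

Feed it the saved output of the three display commands (or the output of a scheduled collection over SSH) instead of the embedded samples; the repeated-key rule splits multi-user output without depending on the exact field order, and the summary-count check catches truncated captures.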