Triple authentication supporting authorization VLAN and authentication failure VLAN configuration example

Network requirement

As shown in Figure 171, the terminals are connected to the device to access the IP network. Configure triple authentication on the device's Layer 2 interface connected to the terminals. A terminal passing one of the three authentication methods, 802.1X authentication, Web authentication, and MAC authentication, can access the IP network.

Configuration prerequisites and guidelines

Configuration procedure

  1. Configure DHCP:

    # Configure VLANs and IP addresses for the VLAN interfaces, and add ports to specific VLANs. (Details not shown.)

    # Enable DHCP.

    <Device> system-view
    [Device] dhcp enable
    

    # Exclude the IP address of the update server from dynamic address assignment.

    [Device] dhcp server forbidden-ip 2.2.2.2
    

    # Configure DHCP address pool 1 to assign IP addresses and other configuration parameters to clients on subnet 192.168.1.0.

    [Device] dhcp server ip-pool 1
    [Device-dhcp-pool-1] network 192.168.1.0 mask 255.255.255.0
    [Device-dhcp-pool-1] expired day 0 hour 0 minute 1
    [Device-dhcp-pool-1] gateway-list 192.168.1.1
    [Device-dhcp-pool-1] quit
    

    # Configure DHCP address pool 2 to assign IP addresses and other configuration parameters to clients on subnet 2.2.2.0.

    [Device] dhcp server ip-pool 2
    [Device-dhcp-pool-2] network 2.2.2.0 mask 255.255.255.0
    [Device-dhcp-pool-2] expired day 0 hour 0 minute 1
    [Device-dhcp-pool-2] gateway-list 2.2.2.1
    [Device-dhcp-pool-2] quit
    

    # Configure DHCP address pool 3 to assign IP addresses and other configuration parameters to clients on subnet 3.3.3.0.

    [Device] dhcp server ip-pool 3
    [Device-dhcp-pool-3] network 3.3.3.0 mask 255.255.255.0
    [Device-dhcp-pool-3] expired day 0 hour 0 minute 1
    [Device-dhcp-pool-3] gateway-list 3.3.3.1
    [Device-dhcp-pool-3] quit
    

    # Configure DHCP address pool 4, and bind the printer's MAC address f07d-6870-725f to IP address 3.3.3.111/24 in this address pool.

    [Device] dhcp server ip-pool 4
    [Device-dhcp-pool-4] static-bind ip-address 3.3.3.111 mask 255.255.255.0 client-identifier f07d-6870-725f
    [Device-dhcp-pool-4] quit
    
  2. Configure Web authentication:

    # Configure the local Web server to use HTTP. Configure file defaultfile.zip as the default authentication page file of the local Web server.

    [Device] portal local-server http
    [Device-portal-local-websvr-http] default-logon-page defaultfile.zip
    [Device-portal-local-websvr-http] quit
    

    # Assign IP address 4.4.4.4 to interface Loopback 0.

    [Device] interface loopback 0
    [Device-LoopBack0] ip address 4.4.4.4 32
    [Device-LoopBack0] quit
    

    # Create a Web authentication server named webserver. (Its listening IP address and port are specified below with the ip command.)

    [Device] web-auth server webserver
    

    # Configure the redirection URL of the Web authentication server as http://4.4.4.4/portal/.

    [Device-web-auth-server-webserver] url http://4.4.4.4/portal/
    

    # Specify 4.4.4.4 as the IP address and 80 as the port number of the Web authentication server.

    [Device-web-auth-server-webserver] ip 4.4.4.4 port 80
    [Device-web-auth-server-webserver] quit
    

    # Configure the update server's IP address as an authentication-free IP address. Note that the 24-bit mask exempts the whole 2.2.2.0/24 subnet from Web authentication; use a 32-bit mask if only the update server itself should be reachable before authentication.

    [Device] web-auth free-ip 2.2.2.2 24
    

    # Enable Web authentication on GigabitEthernet 1/0/1, and specify VLAN 2 as the Auth-Fail VLAN. The port must be a hybrid port with MAC-based VLAN enabled so that each user's MAC address can be assigned its authorization VLAN (or the Auth-Fail VLAN) independently.

    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] port link-type hybrid
    [Device-GigabitEthernet1/0/1] mac-vlan enable
    [Device-GigabitEthernet1/0/1] web-auth enable apply server webserver
    [Device-GigabitEthernet1/0/1] web-auth auth-fail vlan 2
    [Device-GigabitEthernet1/0/1] quit
    
  3. Configure 802.1X authentication:

    # Enable 802.1X authentication globally.

    [Device] dot1x
    

    # Enable 802.1X authentication on GigabitEthernet 1/0/1 with MAC-based access control (required so that each terminal is authenticated separately), and specify VLAN 2 as the Auth-Fail VLAN.

    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] dot1x port-method macbased
    [Device-GigabitEthernet1/0/1] dot1x
    [Device-GigabitEthernet1/0/1] dot1x auth-fail vlan 2
    [Device-GigabitEthernet1/0/1] quit
    
  4. Configure MAC authentication:

    # Enable MAC authentication globally.

    [Device] mac-authentication
    

    # Enable MAC authentication on GigabitEthernet 1/0/1, and specify VLAN 2 as the guest VLAN.

    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] mac-authentication
    [Device-GigabitEthernet1/0/1] mac-authentication guest-vlan 2
    [Device-GigabitEthernet1/0/1] quit
    
  5. Configure a RADIUS scheme:

    # Create a RADIUS scheme named rs1.

    [Device] radius scheme rs1
    

    # Specify the primary authentication and accounting servers and their shared keys. (The key radius is an example value; use a strong shared secret in production, and ensure the RADIUS server uses the same one.)

    [Device-radius-rs1] primary authentication 1.1.1.2
    [Device-radius-rs1] primary accounting 1.1.1.2
    [Device-radius-rs1] key authentication simple radius
    [Device-radius-rs1] key accounting simple radius
    

    # Specify usernames sent to the RADIUS server to carry no domain names.

    [Device-radius-rs1] user-name-format without-domain
    [Device-radius-rs1] quit
    
  6. Configure an ISP domain:

    # Create an ISP domain named triple.

    [Device] domain triple
    

    # Configure the domain to use RADIUS scheme rs1 for authentication, authorization, and accounting of LAN access users.

    [Device-isp-triple] authentication lan-access radius-scheme rs1
    [Device-isp-triple] authorization lan-access radius-scheme rs1
    [Device-isp-triple] accounting lan-access radius-scheme rs1
    [Device-isp-triple] quit
    

    # Configure domain triple as the default domain. If a username entered by a user includes no ISP domain name, the AAA methods of the default domain are used.

    [Device] domain default enable triple
    

Verifying the configuration

  1. Verify that the Web user can pass Web authentication.

    # On the Web user terminal, use a Web browser to access an external network and then enter the correct username and password on the authentication page http://4.4.4.4/portal/logon.html. (Details not shown.)

    # Use the display web-auth user command to display information about online users.

    [Device] display web-auth user
    User Name: userpt
      MAC address: 6805-ca17-4a0b
      Access interface: GigabitEthernet1/0/1
      Initial VLAN: 14
      Authorization VLAN: 3
      Authorization ACL ID: N/A
      Authorization user profile: N/A
    
    Total 1 users matched.
    
  2. Verify that the printer can pass MAC authentication.

    # Connect the printer to the network. (Details not shown.)

    # Display information about online MAC authentication users.

    [Device] display mac-authentication connection
    Slot ID: 1
    User MAC address: f07d-6870-725f
    Access interface: GigabitEthernet1/0/1
    Username: f07d6870725f
    Authentication domain: triple
    Initial VLAN: 14
    Authorization untagged VLAN: 3
    Authorization tagged VLAN: N/A
    Authorization ACL ID: N/A
    Authorization user profile: N/A
    Authorization URL: N/A
    Termination action: N/A
    Session timeout period: N/A
    Online from: 2015/01/04 18:01:43
    Online duration: 0h 0m 2s
    
    Total 1 connections matched.
    
  3. Verify that the 802.1X user can pass 802.1X authentication.

    # On the 802.1X client, initiate 802.1X authentication and enter the correct username and password. (Details not shown.)

    # Display information about online 802.1X users.

    [Device] display dot1x connection
    Slot ID: 1
    User MAC address: 7446-a091-84fe
    Access interface: GigabitEthernet1/0/1
    Username: userdot
    Authentication domain: triple
    Authentication method: CHAP
    Initial VLAN: 14
    Authorization untagged VLAN: 3
    Authorization tagged VLAN list: N/A
    Authorization ACL ID: N/A
    Authorization user profile: N/A
    Authorization URL: N/A
    Termination action: N/A
    Session timeout period: N/A
    Online from: 2015/01/04 18:13:01
    Online duration: 0h 0m 14s
    
    Total 1 connection(s) matched.
    
  4. Verify that users that pass authentication have been assigned authorization VLANs.

    # Display MAC-VLAN entries of online users.

    [Device] display mac-vlan all
      The following MAC VLAN addresses exist:
      S:Static  D:Dynamic
      MAC ADDR         MASK             VLAN ID   PRIO   STATE
      --------------------------------------------------------
      6805-ca17-4a0b   ffff-ffff-ffff   3         0      D
      f07d-6870-725f   ffff-ffff-ffff   3         0      D
      7446-a091-84fe   ffff-ffff-ffff   3         0      D
      Total MAC VLAN address count:3 
    
  5. Verify that online users have been assigned IP addresses.

    [Device] display dhcp server ip-in-use
    IP address       Client-identifier/    Lease expiration          Type
                      Hardware address
     3.3.3.111        01f0-7d68-7072-5f     Jan  4 18:14:17 2015      Auto:(C)
     3.3.3.2          0168-05ca-174a-0b     Jan  4 18:15:01 2015      Auto:(C)
     3.3.3.3          0174-46a0-9184-fe     Jan  4 18:15:03 2015      Auto:(C)
    
  6. When a terminal fails authentication, it is added to VLAN 2 (the Auth-Fail VLAN for Web and 802.1X authentication, and the guest VLAN for MAC authentication), where it can reach only the authentication-free update server. You can use the previous display commands to display the MAC-VLAN entry and IP address of the terminal. (Details not shown.)
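The verification steps above are easy to eyeball for three users but not for a whole access switch. The following Python script is an added example (not part of this configuration guide) that automates the cross-check: it parses the text of display mac-vlan all and display dhcp server ip-in-use, converts each DHCP client identifier back to the MAC-VLAN entry's MAC address, and reports any dynamic entry that is not in the authorization VLAN with a lease from the authorization subnet. The sample command output embedded in the script is constructed to match the format shown above, with one extra terminal added that landed in Auth-Fail VLAN 2; the VLAN and subnet numbers are the ones used in this example.

```python
"""Audit triple-authentication results from Comware 'display' output.

Added example, not code from the original configuration guide. It checks
that every dynamic MAC-VLAN entry sits in the authorization VLAN and holds
a DHCP lease from the authorization subnet, and reports everything else
(Auth-Fail VLAN, unexpected VLAN, missing or out-of-subnet lease).
"""
import ipaddress
import re

AUTHZ_VLAN = 3                                       # authorization VLAN from RADIUS
AUTH_FAIL_VLAN = 2                                   # Auth-Fail / guest VLAN on the port
AUTHZ_SUBNET = ipaddress.ip_network("3.3.3.0/24")    # DHCP address pool 3

# Constructed sample output in the format of 'display mac-vlan all'.
# The last entry (0011-2233-4455 in VLAN 2) is an assumed failed terminal.
MAC_VLAN_OUTPUT = """\
  The following MAC VLAN addresses exist:
  S:Static  D:Dynamic
  MAC ADDR         MASK             VLAN ID   PRIO   STATE
  --------------------------------------------------------
  6805-ca17-4a0b   ffff-ffff-ffff   3         0      D
  f07d-6870-725f   ffff-ffff-ffff   3         0      D
  7446-a091-84fe   ffff-ffff-ffff   3         0      D
  0011-2233-4455   ffff-ffff-ffff   2         0      D
  Total MAC VLAN address count:4
"""

# Constructed sample output in the format of 'display dhcp server ip-in-use'.
DHCP_OUTPUT = """\
IP address       Client-identifier/    Lease expiration          Type
                  Hardware address
 3.3.3.111        01f0-7d68-7072-5f     Jan  4 18:14:17 2015      Auto:(C)
 3.3.3.2          0168-05ca-174a-0b     Jan  4 18:15:01 2015      Auto:(C)
 3.3.3.3          0174-46a0-9184-fe     Jan  4 18:15:03 2015      Auto:(C)
 2.2.2.5          0100-1122-3344-55     Jan  4 18:15:09 2015      Auto:(C)
"""

MAC_VLAN_RE = re.compile(
    r"^\s*([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+\S+\s+(\d+)\s+\d+\s+([SD])\s*$", re.I)
DHCP_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f-]+)\s+", re.I)


def parse_mac_vlan(text):
    """Return {mac: (vlan_id, state)} for every entry line of 'display mac-vlan all'."""
    entries = {}
    for line in text.splitlines():
        m = MAC_VLAN_RE.match(line)
        if m:
            entries[m.group(1).lower()] = (int(m.group(2)), m.group(3).upper())
    return entries


def client_id_to_mac(client_id):
    """Convert a DHCP client identifier such as '01f0-7d68-7072-5f' to 'f07d-6870-725f'.

    The leading byte 01 is the hardware type (Ethernet); the remaining 12 hex
    digits are the client's MAC address. Returns None for other identifier forms.
    """
    digits = client_id.replace("-", "").lower()
    if len(digits) != 14 or not digits.startswith("01"):
        return None
    mac = digits[2:]
    return "-".join(mac[i:i + 4] for i in range(0, 12, 4))


def parse_dhcp_leases(text):
    """Return {mac: ip_address} for every lease line of 'display dhcp server ip-in-use'."""
    leases = {}
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if not m:
            continue
        mac = client_id_to_mac(m.group(2))
        if mac:
            leases[mac] = ipaddress.ip_address(m.group(1))
    return leases


def audit(mac_vlan_text, dhcp_text):
    """Return [(mac, finding)] for dynamic entries not in the expected VLAN/subnet."""
    findings = []
    leases = parse_dhcp_leases(dhcp_text)
    for mac, (vlan, state) in sorted(parse_mac_vlan(mac_vlan_text).items()):
        if state != "D":          # static MAC-VLAN entries are not authentication results
            continue
        ip = leases.get(mac)
        if vlan == AUTH_FAIL_VLAN:
            findings.append((mac, f"in Auth-Fail VLAN {vlan}, lease {ip}"))
        elif vlan != AUTHZ_VLAN:
            findings.append((mac, f"unexpected VLAN {vlan}"))
        elif ip is None:
            findings.append((mac, f"in VLAN {vlan} but has no DHCP lease"))
        elif ip not in AUTHZ_SUBNET:
            findings.append((mac, f"in VLAN {vlan} but lease {ip} is outside {AUTHZ_SUBNET}"))
    return findings


if __name__ == "__main__":
    for mac, finding in audit(MAC_VLAN_OUTPUT, DHCP_OUTPUT):
        print(f"{mac}: {finding}")
```

Run on the embedded sample the script reports only the constructed terminal in VLAN 2; the three users from the verification section pass. To use it against a live device, paste the two command outputs into the two string constants, or read them from files captured over SSH.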