802.1X authentication configuration example
Network requirements
As shown in
Ethernet 1/1. Implement MAC-based access control on the port, so the logoff of one user does not affect
other online 802.1X users.
Use RADIUS servers to perform authentication, authorization, and accounting for the 802.1X users. If
RADIUS authentication fails, perform local authentication on the access device.
Configure the host at 10.1.1.1/24 as the primary authentication and accounting servers, and the host at
10.1.1.2/24 as the secondary authentication and accounting servers. Assign all users to the ISP domain
aabbcc.net.
Configure the shared key as name for packets between the access device and the authentication server,
and the shared key as money for packets between the access device and the accounting server.
Figure 25 Network diagram
Configuration procedure
1.
Configure the 802.1X client. If HP iNode is used, do not select the Carry version info option in the
client configuration. (Details not shown.)
2.
Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.)
For information about the RADIUS commands used on the access device in this example, see
Security Command Reference.
3.
Assign an IP address for each interface on the access device. (Details not shown.)
4.
Configure user accounts for the 802.1X users on the access device:
# Add a local network access user with the username localuser, and password localpass in
plaintext. (Make sure the username and password are the same as those configured on the
RADIUS server.)
<Device> system-view
[Device] local-user localuser class network
[Device-luser-network-localuser] password simple localpass
# Set the service type to lan-access.
[Device-luser-network-localuser] service-type lan-access
Figure
25, the access device performs 802.1X authentication for users that connect to port
66