802.1X With ACL Assignment Configuration Example - HP 5120 SI Series Security Configuration Manual


802.1X with ACL assignment configuration example

Network requirements
As shown in Figure 33, the host 192.168.1.10 connects to port GigabitEthernet 1/0/1 of the network
access device.
Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and
authorization server and the RADIUS server at 10.1.1.2 as the accounting server. Assign an ACL to
GigabitEthernet 1/0/1 to deny 802.1X users access to the FTP server.
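Figure 28 Network diagram for ACL assignment
[Diagram labels: Host 192.168.1.10; Device with ports GE1/0/1, GE1/0/2, GE1/0/3 and Vlan-int2 192.168.1.1/24; Authentication servers (RADIUS server cluster) 10.1.1.1/10.1.1.2; FTP server 10.0.0.1; Internet]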
NOTE:
The following configuration procedure provides the major AAA and RADIUS configuration on the access
device. The configuration procedures on the 802.1X client and RADIUS server are beyond the scope of
this configuration example. For information about AAA and RADIUS configuration commands, see the
Security Command Reference.
Configuration procedure
1. Configure the 802.1X client. Make sure the client is able to update its IP address after the access port
is assigned to the 802.1X guest VLAN or a server-assigned VLAN. (Omitted)
2. Configure the RADIUS servers, user accounts, and the authorization ACL (ACL 3000 in this example).
(Omitted)
3. Configure the access device.
# Assign IP addresses to interfaces. (Omitted)
# Configure the RADIUS scheme.
<Device> system-view
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication abc
[Device-radius-2000] key accounting abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Create an ISP domain and specify the RADIUS scheme 2000 as the default AAA schemes for the
domain.
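
A configuration check for the RADIUS scheme block above, as an added example that is not part of the HP manual: it parses a captured CLI session and flags shared keys that are short, such as the sample value abc, or reused across servers on different hosts. The function names and the 16-character threshold (the length RFC 2865 prefers for shared secrets) are assumptions of this example, and the parser handles only commands typed as shown on this page.

```python
import re

# Constructed sample: the RADIUS scheme commands from this page as a captured CLI session.
SAMPLE = """\
<Device> system-view
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication abc
[Device-radius-2000] key accounting abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
"""
PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*")  # strips <Device> and [Device-...] prompts
MIN_SECRET_LEN = 16  # assumption: RFC 2865 section 3 prefers secrets of at least 16 octets

def parse_radius_schemes(text):
    """Return {scheme: {"servers": {role: (ip, port)}, "keys": {role: secret}}}."""
    schemes, current = {}, None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw).split()
        if words[:2] == ["radius", "scheme"] and len(words) == 3:
            current = schemes.setdefault(words[2], {"servers": {}, "keys": {}})
        elif current is not None and words[:1] == ["quit"]:
            current = None  # left the scheme view
        elif current is not None and words[:1] == ["primary"] and len(words) >= 3:
            current["servers"][words[1]] = tuple(words[2:4])
        elif current is not None and words[:1] == ["key"] and len(words) == 3:
            current["keys"][words[1]] = words[2]
    return schemes

def audit(schemes):
    """Return sorted (scheme, finding) pairs: missing servers, weak or reused secrets."""
    findings = []
    for name, cfg in schemes.items():
        keys = list(cfg["keys"].values())
        for role in ("authentication", "accounting"):
            if role not in cfg["servers"]:
                findings.append((name, f"no primary {role} server"))
            if len(cfg["keys"].get(role, "")) < MIN_SECRET_LEN:
                findings.append((name, f"{role} key missing or shorter than {MIN_SECRET_LEN} characters"))
        hosts = {ip for ip, _ in cfg["servers"].values()}
        if len(hosts) > 1 and len(keys) > 1 and len(set(keys)) == 1:
            findings.append((name, "one key shared by servers on different hosts"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(parse_radius_schemes(SAMPLE)), sep="\n")
```

Run against the session on this page, the check reports both keys as too short and notes that 10.1.1.1 and 10.1.1.2 share one secret.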
