• The shared key is expert and the authentication port is 1812.
• Exclude domain names from the usernames sent to the RADIUS server.
• The user name for 802.1X authentication is dot1x.
• After the user passes authentication, the RADIUS server authorizes VLAN 4 to the NAS port that the user is connecting to.
Figure 28 Network diagram
Configuration procedure
1. Configure interfaces and VLANs, so the host promptly obtains a new IP address to access resources in the authorized VLAN after passing authentication. (Details not shown.)
2. Configure the NAS:
a. Configure a RADIUS scheme:
# Configure a RADIUS scheme named rad and enter RADIUS scheme view.
<SwitchA> system-view
[SwitchA] radius scheme rad
# Specify the primary authentication server with IP address 10.1.1.1 and set the shared key
to expert in plaintext form.
[SwitchA-radius-rad] primary authentication 10.1.1.1 key simple expert
# Exclude domain names from the usernames sent to the RADIUS server.
[SwitchA-radius-rad] user-name-format without-domain
[SwitchA-radius-rad] quit
b. Configure an authentication domain:
# Create an ISP domain named bbb and enter ISP domain view.
[SwitchA] domain bbb
# Configure the ISP domain to use RADIUS scheme rad for authentication and
authorization of LAN users and not to perform accounting for LAN users.
[SwitchA-isp-bbb] authentication lan-access radius-scheme rad
[SwitchA-isp-bbb] authorization lan-access radius-scheme rad
[SwitchA-isp-bbb] accounting lan-access none
[SwitchA-isp-bbb] quit
c. Configure 802.1X authentication:
# Enable 802.1X for GigabitEthernet 1/0/1.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] dot1x
# Specify bbb as the mandatory authentication domain for 802.1X users on the interface.
[SwitchA-GigabitEthernet1/0/1] dot1x mandatory-domain bbb
[SwitchA-GigabitEthernet1/0/1] quit
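The following is an added example, not part of the original guide or of the vendor's software. It shows how the shared key expert authenticates the Access-Accept that carries the VLAN 4 authorization, and how the NAS side can reject a reply whose VLAN was altered. It assumes the server signals the VLAN with the RFC 3580 tunnel attributes (the page does not say which attributes are used); the identifier and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

SECRET = b"expert"       # shared key from the page's example
ACCESS_ACCEPT = 2        # RADIUS packet code (RFC 2865)
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP = 64, 65, 81   # RFC 2868 attribute types
VLAN, IEEE_802 = 13, 6   # values RFC 3580 uses for VLAN assignment (assumed here)

def vlan_attrs(vlan_id):
    """Encode the three tunnel attributes that authorize a VLAN (tag byte 0 = unused)."""
    gid = str(vlan_id).encode()
    return (struct.pack("!BBB", TUNNEL_TYPE, 6, 0) + VLAN.to_bytes(3, "big")
            + struct.pack("!BBB", TUNNEL_MEDIUM, 6, 0) + IEEE_802.to_bytes(3, "big")
            + struct.pack("!BB", TUNNEL_GROUP, 2 + len(gid)) + gid)

def response_auth(header, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_accept(ident, request_auth, attrs, secret):
    """Server side: build an Access-Accept bound to the request and the shared key."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + response_auth(header, request_auth, attrs, secret) + attrs

def authorized_vlan(packet, request_auth, secret):
    """NAS side: return the VLAN ID from a verified Access-Accept, else None."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    expected = response_auth(packet[:4], request_auth, packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                      # wrong key or modified attributes
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            return None                  # malformed attribute
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    if (attrs.get(TUNNEL_TYPE, b"")[1:] != VLAN.to_bytes(3, "big")
            or attrs.get(TUNNEL_MEDIUM, b"")[1:] != IEEE_802.to_bytes(3, "big")):
        return None
    gid = attrs.get(TUNNEL_GROUP, b"")
    if gid and gid[0] <= 0x1F:
        gid = gid[1:]                    # drop the optional tag byte
    return int(gid) if gid.isdigit() else None

REQ_AUTH = bytes(range(16))              # constructed request authenticator
ACCEPT = build_accept(7, REQ_AUTH, vlan_attrs(4), SECRET)   # constructed reply, ID 7
```

Because the authenticator depends only on the shared key and the packet contents, a short dictionary word such as expert is the weakest part of this exchange.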
[Figure 28 labels: RADIUS server; Switch B; Vlan-int3 10.1.1.1/24; Vlan-int3 10.1.1.2/24; Vlan-int4; Vlan-int2; GE1/0/1; Switch A; NAS; Internet]