H3C S5500-EI Series Operation Manual
802.1x-habp-mac authentication
Operation Manual - 802.1x-HABP-MAC Authentication
H3C S5500-EI Series Ethernet Switches
Chapter 1 802.1x Configuration ................................................................................................... 1-1
1.1 802.1x Overview ................................................................................................................ 1-1
1.1.1 Architecture of 802.1x ............................................................................................. 1-1
1.1.2 Operation of 802.1x................................................................................................. 1-3
1.1.3 EAP Encapsulation over LANs................................................................................ 1-4
1.1.4 EAP Encapsulation over RADIUS........................................................................... 1-6
1.1.5 Authentication Process of 802.1x............................................................................ 1-6
1.1.6 802.1x Timers........................................................................................................ 1-10
1.1.7 Implementation of 802.1x in the Devices .............................................................. 1-11
1.1.8 Features Working Together with 802.1x ............................................................... 1-12
1.2 Configuring 802.1x........................................................................................................... 1-14
1.2.1 Configuration Prerequisites................................................................................... 1-14
1.2.2 Configuring 802.1x Globally .................................................................................. 1-14
1.2.3 Configuring 802.1x for a Port ................................................................................ 1-15
1.3 Configuring a Guest VLAN .............................................................................................. 1-17
1.3.1 Configuration Prerequisites................................................................................... 1-17
1.3.2 Configuration Procedure ....................................................................................... 1-17
1.4 Displaying and Maintaining 802.1x .................................................................................. 1-18
1.5 802.1x Configuration Example......................................................................................... 1-18
1.6 Guest VLAN Configuration Example ............................................................................... 1-21
1.7 ACL Assignment Configuration Example ........................................................................ 1-24
Chapter 2 EAD Fast Deployment Configuration ........................................................................ 2-1
2.1 EAD Fast Deployment Overview ....................................................................................... 2-1
2.2 Configuring EAD Fast Deployment.................................................................................... 2-1
2.2.1 Configuration Prerequisites..................................................................................... 2-1
2.2.2 Configuration Procedure ......................................................................................... 2-2
2.3 Displaying and Maintaining EAD Fast Deployment ........................................................... 2-3
2.4 EAD Fast Deployment Configuration Example.................................................................. 2-3
2.5 Troubleshooting EAD Fast Deployment ............................................................................ 2-5
2.5.1 Users Cannot be Redirected Correctly ................................................................... 2-5
Chapter 3 HABP Configuration .................................................................................................... 3-1
3.1 Introduction to HABP ......................................................................................................... 3-1
3.2 Configuring HABP.............................................................................................................. 3-1
3.2.1 Configuring the HABP Server ................................................................................. 3-1
3.2.2 Configuring an HABP Client.................................................................................... 3-2
3.3 Displaying and Maintaining HABP ..................................................................................... 3-2

Summary of Contents for H3C S5500-EI Series

  • Page 2

    Chapter 4 MAC Authentication Configuration ................ 4-1
    4.1 MAC Authentication Overview ................... 4-1
    4.1.1 RADIUS-Based MAC Authentication .............. 4-1
    4.1.2 Local MAC Authentication .................. 4-2
    4.2 Related Concepts ...................... 4-2
    4.2.1 MAC Authentication Timers ..................
  • Page 3: Chapter 1 802.1X Configuration

    Chapter 1 802.1x Configuration. When configuring 802.1x, go to these sections for information you are interested in: 802.1x Overview, Configuring 802.1x, Configuring a Guest VLAN, Displaying and Maintaining 802.1x, 802.1x Configuration Example...
  • Page 4

    Figure 1-1 Architecture of 802.1x. Supplicant system: A system at one end of the LAN segment, which is authenticated by the authenticator system at the other end. A supplicant system is usually a user-end device and initiates 802.1x authentication through 802.1x client...
  • Page 5: Operation Of 802.1X

    II. Controlled port and uncontrolled port. An authenticator provides ports for supplicants to access the LAN. Each of the ports can be regarded as two logical ports: a controlled port and an uncontrolled port.
  • Page 6: Eap Encapsulation Over Lans

    After a user passes the authentication, the authentication server passes information about the user to the authenticator, which then controls the status of the controlled port according to the instruction of the authentication server.
  • Page 7

    Type: EAPOL-Encapsulated-ASF-Alert (a value of 0x04). Description: Frame for carrying alerting information compliant to Alert Standard Forum (ASF). A frame of this type carries network management-related information like warning messages and is terminated at the authenticator.
  • Page 8: Eap Encapsulation Over Radius

    Data: Content of the EAP packet. This field is zero or more bytes and its format is determined by the Code field. 1.1.4 EAP Encapsulation over RADIUS. Two attributes of RADIUS are intended for supporting EAP authentication: EAP-Message and Message-Authenticator.
  • Page 9

    An 802.1x authenticator system communicates with a remotely located RADIUS server in two modes: EAP relay and EAP termination. The following description takes the first case as an example to show the 802.1x authentication process.
  • Page 10

    Figure 1-8 Message exchange in EAP relay mode. When a user launches the 802.1x client software and enters the registered username and password, the 802.1x client software generates an EAPOL-Start frame and sends it to the authenticator to initiate an authentication process.
  • Page 11

    After receiving the RADIUS Access-Challenge packet, the authenticator relays the contained EAP-Request/MD5 Challenge packet to the supplicant. When receiving the EAP-Request/MD5 Challenge packet, the supplicant uses the...
  • Page 12: 802.1X Timers

    [Figure: message exchange between the supplicant system, the authenticator system (EAPOL side) and the RADIUS server (RADIUS side): EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 challenge...]
  • Page 13: Implementation Of 802.1X In The Devices

    ...when an authenticator multicasts an EAP-Request/Identity frame. Once an authenticator sends an EAP-Request/Identity frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request.
  • Page 14: Features Working Together With 802.1X

    Note: After an 802.1x supplicant passes authentication, the authentication server sends authorization information to the authenticator. If the authorization information contains VLAN authorization information, the authenticator adds the port connecting the supplicant to the assigned VLAN.
  • Page 15

    II. Guest VLAN. Guest VLAN allows unauthenticated users to access some special resources. Guest VLAN is the default VLAN that a supplicant on a port can access without authentication.
  • Page 16: Configuring 802.1X

    1.2 Configuring 802.1x. 1.2.1 Configuration Prerequisites. 802.1x provides a user identity authentication scheme. However, 802.1x cannot implement the authentication scheme solely by itself. RADIUS or local authentication must be configured to work with 802.1x.
  • Page 17: Configuring 802.1X For A Port

    To do…: Set the maximum number of attempts to send an authentication request to a supplicant. Use the command…: dot1x retry max-retry-value. Remarks: Optional; 2 by default...
  • Page 18

    To do…: Enter system view. Use the command…: system-view. Remarks: —.
    To do…: Enable 802.1x for a port. Use the command…: in system view, dot1x interface interface-list; or interface interface-type... Remarks: Required. Use either approach.
  • Page 19: Configuring A Guest Vlan

    In EAP relay authentication mode, the authenticator encapsulates the 802.1x user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication. In this case, you can configure the user-name-format command but it does not take effect.
  • Page 20: Displaying And Maintaining 802.1X

    Note: You can specify a tagged VLAN as the guest VLAN for a Hybrid port, but the guest VLAN does not take effect. Similarly, if a guest VLAN for a Hybrid port is in operation, you cannot configure the guest VLAN to carry tags.
  • Page 21

    A server group with two RADIUS servers is connected to the switch. The IP addresses of the servers are 10.1.1.1 and 10.1.1.2 respectively. Use the former as the primary authentication/secondary accounting server, and the latter as the secondary authentication/primary accounting server.
  • Page 22

    [Sysname] local-user localuser
    [Sysname-luser-localuser] service-type lan-access
    [Sysname-luser-localuser] password simple localpass
    [Sysname-luser-localuser] attribute idle-cut 20
    [Sysname-luser-localuser] quit
    # Create RADIUS scheme radius1 and enter its view.
    [Sysname] radius scheme radius1
    # Configure the IP addresses of the primary authentication and accounting RADIUS servers.
  • Page 23: Guest Vlan Configuration Example

    [Sysname-isp-aabbcc.net] access-limit enable 30
    # Enable the idle cut function and set the idle cut interval.
    [Sysname-isp-aabbcc.net] idle-cut enable 20
    [Sysname-isp-aabbcc.net] quit
    # Configure aabbcc.net as the default domain.
  • Page 24

    II. Network diagrams. [Figure 1-11 Network diagram for guest VLAN configuration: Supplicant, Switch (GE1/0/1 through GE1/0/4; VLAN 1, VLAN 2, VLAN 5, VLAN 10), Update server, Authenticator server, Internet]...
  • Page 25

    [Figure 1-13 Network diagram when the supplicant passes authentication: Supplicant in VLAN 5, Switch (GE1/0/1 through GE1/0/4; VLAN 2, VLAN 5, VLAN 10), Update server, Authenticator server, Internet] III.
  • Page 26: Acl Assignment Configuration Example

    [Sysname-GigabitEthernet1/0/1] dot1x port-method portbased
    # Set the port access control mode to auto.
    [Sysname-GigabitEthernet1/0/1] dot1x port-control auto
    [Sysname-GigabitEthernet1/0/1] quit
    # Create VLAN 10.
    [Sysname] vlan 10
    [Sysname-vlan10] quit
    # Specify port GigabitEthernet 1/0/1 to use VLAN 10 as its guest VLAN.
  • Page 27

    III. Configuration procedure
    # Configure the IP addresses of the interfaces. (Omitted)
    # Configure the RADIUS scheme.
    <Sysname> system-view
    [Sysname] radius scheme 2000
    [Sysname-radius-2000] primary authentication 10.1.1.1 1812
    [Sysname-radius-2000] primary accounting 10.1.1.2 1813...
  • Page 28

    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss...
  • Page 29: Chapter 2 Ead Fast Deployment Configuration

    Chapter 2 EAD Fast Deployment Configuration. When configuring EAD fast deployment, go to these sections for information you are interested in: EAD Fast Deployment Overview...
  • Page 30: Configuration Procedure

    2.2.2 Configuration Procedure. I. Configuring a freely accessible network segment. A freely accessible network segment, also called a free IP, is a network segment that users can access before passing 802.1x authentication.
  • Page 31: Displaying And Maintaining Ead Fast Deployment

    III. Setting the EAD rule timeout time. With the EAD fast deployment function, a user is authorized by an EAD rule (generally an ACL rule) to access the freely accessible network segment before passing authentication.
  • Page 32

    II. Network diagram. [Figure 2-1 Network diagram for EAD fast deployment: Host 192.168.1.10/24, Switch GE1/0/1 192.168.1.1/24, free IP 192.168.1.0/24, WEB server 192.168.1.3/24, Internet] III. Configuration procedure...
  • Page 33: Troubleshooting Ead Fast Deployment

    Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
    Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
    Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
    Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
    Ping statistics for 192.168.1.3:...
  • Page 34: Chapter 3 Habp Configuration

    Chapter 3 HABP Configuration. When configuring HABP, go to these sections for the information you are interested in: Introduction to HABP, Configuring HABP, Displaying and Maintaining HABP. 3.1 Introduction to HABP...
  • Page 35: Configuring An Habp Client

    Follow these steps to configure an HABP server:
    To do…: Enter system view. Use the command…: system-view. Remarks: —.
    To do…: Enable HABP. Use the command…: habp enable. Remarks: Optional; enabled by default...
  • Page 36: Chapter 4 Mac Authentication Configuration

    Chapter 4 MAC Authentication Configuration. When configuring MAC authentication, go to these sections for information you are interested in: MAC Authentication Overview, Related Concepts, Configuring MAC Authentication...
  • Page 37: Local Mac Authentication

    If the authentication succeeds, the user will be granted permission to access the network resources. 4.1.2 Local MAC Authentication. In local MAC authentication, the device performs authentication of users locally and...
  • Page 38: Vlan Assigning

    Caution: If the quiet MAC is the same as the static MAC configured or an authentication-passed MAC, then the quiet function is not effective. 4.2.3 VLAN Assigning. For separation of users from restricted network resources, a more general way is to put the users and restricted resources into different VLANs.
  • Page 39: Configuration Procedure

    Caution: For local authentication: The type of username and password of a local user must be consistent with that used for MAC authentication. All the letters in the MAC address to be used as the username and password of a local user must be in lower case.
  • Page 40: Displaying And Maintaining Mac Authentication

    To do…: Configure the username... Use the command…: mac-authentication user-name-format { fixed [ account name ]... Remarks: Optional. By default, the user's source MAC address...
  • Page 41

    Set the offline detect timer to 180 seconds and the quiet timer to 3 minutes. II. Network Diagram. [Figure 4-1 Network diagram for local MAC authentication] III.
  • Page 42: Radius-Based Mac Authentication Configuration Example

    Fixed password:123456
    Offline detect period is 180s
    Quiet period is 60s.
    Server response timeout value is 100s
    The max allowed user number is 1024 per slot
    Current user number amounts to 1
    Current domain is aabbcc.net...
  • Page 43

    [Sysname] radius scheme 2000
    [Sysname-radius-2000] primary authentication 10.1.1.1 1812
    [Sysname-radius-2000] primary accounting 10.1.1.2 1813
    [Sysname-radius-2000] key authentication abc
    [Sysname-radius-2000] key accounting abc
    [Sysname-radius-2000] user-name-format without-domain
    [Sysname-radius-2000] quit
    # Specify the AAA schemes for the ISP domain.
  • Page 44: Acl Assigning Configuration Example

    GigabitEthernet1/0/1 is link-up
    MAC address authentication is Enabled
    Authenticate success: 1, failed: 0
    Current online user number is 1
    MAC ADDR          Authenticate state           AuthIndex
    00e0-fc12-3456    MAC_AUTHENTICATOR_SUCCESS
    4.5.3 ACL Assigning Configuration Example...
  • Page 45

    [Sysname-radius-2000] quit
    # Create an ISP domain and specify the AAA schemes.
    [Sysname] domain 2000
    [Sysname-isp-2000] authentication default radius-scheme 2000
    [Sysname-isp-2000] authorization default radius-scheme 2000...