Hà Nội: NTT03, Line 1, Thống Nhất Complex, 82 Nguyễn Tuân, Thanh Xuân, Hà Nội. ● HCM: Số 31B, Đường 1, Phường An Phú, Quận 2 (Thủ Đức), TP HCM. ===> Đơn Vị Hàng Đầu Trong Lĩnh Vực Cung Cấp Thiết Bị Security - Network - Wifi - CCTV - Conference - Máy chủ Server - Lưu trữ Storge.
Danh mục sản phẩm

Configure 802.1X Macbased Authentication

Network Requirements

  1. The user PC1 and PC2 on one VLAN are connected to IP Network via Device. Device adopts the 802.1X access control;
  2. The authentication mode adopts the RADIUS authentication;
  3. When PC does not pass the authentication, only permit accessing Update Server; after passing the authentication, only permit accessing IP Network;
  4. After one user on LAN passes authentication, the other users on the VLAN still cannot access IP Network without passing the authentication.

Network Topology

Networking of configuring 802.1X Macbased authentication

Figure 12-7 Networking of configuring 802.1X Macbased authentication

Configuration Steps

Step 1: Configure the link type of the VLAN and interface on Device.

#Create VLAN2–VLAN5 on Device.

Device#configure terminal
Device(config)#vlan 2-5
Device(config)#exit

#Configure the link type of interface gigabitethernet 0/2 as Hybrid, permitting services of VLAN2 to pass. Conifgure PVID as 2.

Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#switchport hybrid untagged vlan 2
Device(config-if-gigabitethernet0/2)#switchport hybrid pvid vlan 2
Device(config-if-gigabitethernet0/2)#exit

#Configure the port link type on gigabitethernet0/3-gigabitethernet0/5 of Device as Access, permitting the services of VLAN3-VLAN5 to pass respectively. (Omitted)

Step 2: Configure the interface IP address of Device.

#Configure the IP address of VLAN5 as 130.255.167.1/24.

Device(config)#interface vlan 5
Device(config-if-vlan5)#ip address 130.255.167.1 255.255.255.0
Device(config-if-vlan5)#exit

Step 3: Configure the AAA authentication.

#Enable the AAA authentication on Device, adopt the RADIUS authentication mode, the server key is admin, the priority is 1, and the RADIUS server address is 130.255.167.167/24.

Device(config)#domain system
Device(config-isp-system)# aaa authentication dot1x radius-group radius
Device(config-isp-system)#exit
Device(config)#aaa server group radius radius
Device(config-sg-radius-radius)#server 130.255.167.167 priority 1 key admin

Step 4: Configure the AAA server.

#Configure the user name, password and key as admin on the AAA server. (Omitted)

#On the AAA server, configure RADIUS to deliver the three attributes of Auto VLAN: 64 is VLAN, 65 is 802, and 81 is VLAN3. (Omitted)

Step 5: Configure the 802.1X authentication.

#Enable the 802.1X authentication on the port and configure the authentication mode as Macbased.

Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#dot1x port-control enable
Device(config-if-gigabitethernet0/2)#authentication port-method macbased
Device(config-if-gigabitethernet0/2)#exit

#Enable MAC VLAN of gigabitethernet0/2.

Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#mac-vlan enable
Device(config-if-gigabitethernet0/2)exit

#Configure Guest VLAN of the port as VLAN4.

Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)# authentication guest-vlan 4
Device(config-if-gigabitethernet0/2)#exit

Step 6: Check the result.

#Before passing the authentication, gigabitethernet0/2 is added to Guest VLAN. Here. PC1 and PC2 are in VLAN4, and PC1 and PC2 can access Update server.

Device#show vlan 4 
---- ---- ----------  ------  --------  -----------------
NO.  VID  VLAN-Name   Owner   Mode      Interface            
1    4    VLAN0004    static  Untagged  gi0/2  gi0/4 

#After the PC1 user initiates the authentication and passes the authentication, PC1 user is in Auto VLAN3 and can access IP Network. Here, PC2 still cannot access IP Network without authentication.

Device#show dot1x user
---------------------------------------  
NO 1 : MAC_ADDRESS= 3883.45ef.7984 STATUS=     Authorized    USER_NAME= admin
         VLAN=    3       INTERFACE= gi0/2            USER_TYPE= DOT1X
         AUTH_STATE= AUTHENTICATED BACK_STATE= IDLE             IP_ADDRESS= Unknown
         IPV6_ADDRESS= Unknown
 
         Online time: 0 week 0 day 0 hours 0 minute 51 seconds

 Total: 1 Authorized: 1 Unauthorized/guest/critical: 0/0/0 Unknown: 0

#After PC2 user inputs the wrong user name or password and failed to be authenticated, PC2 user is in Guest VLAN4 and can access Update Server.

Device#show dot1x user 
------------------------------------
NO 1 : MAC_ADDRESS= 3883.45ef.f395 STATUS=     Unauth(guest)   USER_NAME= admin
        VLAN=    4              INTERFACE= gi0/2             USER_TYPE= DOT1X
        AUTH_STATE= GUEST_HELD     BACK_STATE= IDLE               IP_ADDRESS= Unknown
        IPV6_ADDRESS= Unknown
 
Total:1  Authorized: 0 Unauthorized/guest/critical: 0/1/0 Unknown: 0