Configure Secure Channel

Network Requirements

• User PC1 and PC2 on the same VLAN access the IP network through Device. Enable the secure channel access control on Device.
• Authentication adopts the RADIUS authentication.
• PC1 is allowed to visit Update Server before authentication success and is allowed to visit Update Server and IP Network after authentication success.
• PC2 is allowed to visit Update Server and IP Network without authentication.

Network Topology

Figure 8–8 Networking of configuring secure channel

Configuration Steps

Step 1: Configure the link type of the VLAN and interface on the interface.

#Create VLAN2 and VLAN5 on Device.

#Configure the link type of interface gigabitethernet0/2 as Access, permitting services of VLAN2 to pass.

#Configure link type of interface gigabitethernet 0/3–gigabitethernet 0/4 as Access on Device, permitting services of VLAN2 to pass. Configure the link type of interface gigabitethernet 0/5 as Access, permitting services of VLAN5 to pass. (Omitted)

Step 2: Configure the interface IP address of Device.

#Configure the IP address of VLAN5 as 130.255.167.1/24.

Step 3: Configure AAA authentication.

#Enable AAA authentication on Device and adopt the RADIUS authentication mode. Configure the server key as admin, priority as 1, and IP address of RADIUS server as 130.255.167.167/24.

Step 4: Configure AAA server.

#Configure the user name, password, and key value on the AAA server as admin. (Omitted)

Step 5: Configure secure channel.

#Enable the secure channel access control on the interface gigabitethernet 0/2.

#Configure a secure channel named channel and configure to allow PC1 to visit Update Server and configure to allow PC2 to visit Update Server and IP Network.

#Apply the secure channel named channel.

Step 6: Check the result.

#View the secure channel configuration information.

It can be viewed that the secure channel is enabled on the interface gigabitethernet 0/2 and the interface is bound to the channel secure channel rule.

#PC1 can visit the Update Server and cannot visit other network resources before the authentication success.

#View the user authentication information after user PC1 initiates the authentication and authentication succeeds.

Device#show dot1x user  
------------------------------------------
NO 1 : MAC_ADDRESS= 3883.45ef.7984 STATUS=      Authorized   USER_NAME= admin
         VLAN=    2       INTERFACE= gi0/2          USER_TYPE= DOT1X
         AUTH_STATE= AUTHENTICATED BACK_STATE= IDLE           IP_ADDRESS= 199.0.0.1
         IPV6_ADDRESS= Unknown
 
         Online time: 0 week 0 day 0 hours 0 minute 51 seconds

 Total: 1 Authorized: 1 Unauthorized/guest/critical: 0/0/0 Unknown: 0

It can be viewed that user PC1 has passed the authentication and then PC1 can visit Update Server and IP Network.

#PC2 can visit Update Server and IP Network without authentication.