Configure Secure Channel Authentication
Configuration Condition
None
Enable Secure Channel Authentication
Secure channel authentication is built on the 802.1X authentication function. It performs 802.1X authentication and additionally opens a secure channel, defined by rules, through which specified traffic is exempted from authentication. Thus an end user that has not yet authenticated can visit resources in a specified network (for example a DNS server or a client-download server), or a specified end user can visit network resources without authenticating at all.
Table 12-4 Enable the secure channel authentication
Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Enter the L2 Ethernet interface configuration mode
Command: interface interface-name
Description: Either this step or the next. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current interface.

Step: Enter the aggregation group configuration mode
Command: interface link-aggregation link-aggregation-id
Description: Either this step or the previous one. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group.

Step: Enable the secure channel authentication
Command: dot1x free-ip
Description: Mandatory. By default, the secure channel authentication function is disabled on the interface.
- Do not enable the secure channel authentication function and the port security function simultaneously on one port.
- Do not enable the 802.1X authentication function and the secure channel authentication function simultaneously on one interface.
- Do not enable the MAC address authentication function and the secure channel authentication function simultaneously on one interface.
- When secure channel authentication is enabled on an interface but no secure channel is applied, or the applied secure channel contains no rule, secure channel authentication behaves exactly like plain 802.1X authentication: no traffic is exempted.
- Each user that passes secure channel authentication occupies hardware (chip) resources. If the chip resources are exhausted, subsequent user authentications fail.
Configure and Apply Secure Channel
After secure channel authentication is enabled on an interface, you typically want an unauthenticated end user to be able to visit resources in a specified network, or a specified end user to visit network resources without authentication. Both are achieved by configuring a secure channel (a hybrid advanced ACL) with the corresponding rules and applying it. Keep the rules as narrow as possible: every permit rule is a hole in the authentication boundary.
Secure channel rules fall into two types:
- Rules that allow any end user, authenticated or not, to visit specified network resources (match on the destination address, with the source set to any).
- Rules that allow a specified end user to visit network resources without authentication (match on the source IP and/or MAC address, with the destination set to any).
Table 12-5 Apply secure channel
Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Configure the secure channel
Command: hybrid access-list advanced { access-list-number | access-list-name }
Description: Mandatory. By default, no secure channel is configured on the device.

Step: Configure the secure channel rule
Command: [ sequence ] permit [ ether-ipv6 ] protocol { any | source-ip-addr source-wildcard | host source-ip-addr } { any | source-mac-addr source-wildcard | host source-mac-addr } { any | destination-ip-addr destination-wildcard | host destination-ip-addr } { any | destination-mac-addr destination-wildcard | host destination-mac-addr }
Description: Mandatory. By default, the secure channel contains no rule.

Step: Apply the secure channel
Command: global security access-group { access-group-number | access-group-name }
Description: Mandatory. By default, no secure channel is applied in the system.
- The device can be configured with multiple secure channels, and a secure channel can contain multiple secure channel rules.
- The secure channel type can only be a hybrid advanced ACL, and only one secure channel can be applied to the device at a time. The applied secure channel is device-wide: it takes effect on every interface on which dot1x free-ip is enabled.
Configure Re-direct URL Function
When a re-direct URL is configured on the authentication device and a user that has not passed (or not yet attempted) authentication accesses a network segment that is not exempt from authentication, the authentication device redirects the URL the user requested to the configured re-direct URL. On that page the user can download or upgrade the authentication client, update software, and so on.
Table 12-6 Configure the re-direct URL function
Step: Enter the global configuration mode
Command: configure terminal
Description: -

Step: Configure the secure channel
Command: hybrid access-list advanced { access-list-number | access-list-name }
Description: Mandatory. By default, no secure channel is configured on the device.

Step: Configure the secure channel rule
Command: [ sequence ] permit [ ether-ipv6 ] protocol { any | source-ip-addr source-wildcard | host source-ip-addr } { any | source-mac-addr source-wildcard | host source-mac-addr } { any | destination-ip-addr destination-wildcard | host destination-ip-addr } { any | destination-mac-addr destination-wildcard | host destination-mac-addr }
Description: Mandatory. By default, the secure channel contains no rule.

Step: Apply the secure channel
Command: global security access-group { access-group-number | access-group-name }
Description: Mandatory. By default, no secure channel is applied in the system.

Step: Configure the re-direct URL function
Command: dot1x url url-redirect-string
Description: Mandatory. By default, no re-direct URL address is configured on the device.
- The authentication-free segment (that is, the secure channel rules) must include the IP address of the DNS server and the IP address of the host that serves the re-direct URL. Otherwise an unauthenticated client can neither resolve names nor load the re-direct page, and the redirect has no effect.
- When the client obtains its address from a DHCP server and the authentication device is not that DHCP server, enable the DHCP relay function on the authentication device so that the client can obtain an IP address normally.
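The whole procedure of Tables 12-4 to 12-6 in one place, as an added configuration example that is not taken from the original manual or from the vendor's own documentation. It uses only the commands listed in the tables above; the interface name form (gigabitethernet 0/1), the protocol keyword ip, the wildcard-mask and MAC address notation, the exit and end commands and the ! comment marker are assumptions, and all addresses are constructed for illustration.

```text
! Added example (not from the original manual). Assumed: interface name
! form, protocol keyword "ip", address notation, "exit"/"end", and "!" as
! the comment marker. Addresses are constructed: DNS server 10.0.0.53,
! host serving the re-direct page 10.0.0.80, exempt printer 192.0.2.10.
configure terminal

! Table 12-5: define the secure channel as a hybrid advanced ACL.
hybrid access-list advanced free-ip-channel
! Rule type 1: any end user, authenticated or not, may reach the
! authentication-free resources. Both DNS and the re-direct host must be
! listed (note to Table 12-6), and nothing else: every permit is a hole
! in the authentication boundary, so match on host, not on a subnet.
10 permit ip any any host 10.0.0.53 any
20 permit ip any any host 10.0.0.80 any
! Rule type 2: one specified end user (matched on source IP and MAC) may
! reach the network without authenticating, e.g. a printer that cannot
! run an 802.1X supplicant. Pinning both IP and MAC raises the bar for
! spoofing compared with matching on either alone.
30 permit ip host 192.0.2.10 host 0011.2233.4455 any any
exit

! Apply the secure channel; only one may be applied per device, and it
! takes effect on every interface where dot1x free-ip is enabled.
global security access-group free-ip-channel

! Table 12-6: send unauthenticated users to the client-download page,
! which lives on the host permitted by rule 20.
dot1x url http://10.0.0.80/portal

! Table 12-4: enable secure channel authentication on the access port.
! Do not also enable dot1x, MAC address authentication or port security
! on this port (notes to Table 12-4).
interface gigabitethernet 0/1
dot1x free-ip
exit
end
```

To verify, connect an unauthenticated client to the port and confirm that it can resolve names via 10.0.0.53 and load http://10.0.0.80/portal while every other destination is blocked (or redirected, for web requests). If nothing is exempted, check that the ACL was actually applied with global security access-group: an enabled but unapplied secure channel behaves like plain 802.1X.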