
Typical Configuration Example of Trusted Device Access

Network Requirements

  • The access device Device1 is connected to the IP network through the authentication device Device2; Device2 uses device authentication for access control.
  • The access device Device1 periodically initiates keepalive authentication.
  • RADIUS is used as the authentication mode.
  • After Device1 passes the access device authentication, the PC is permitted to access the network.

Network Topology

Figure 14-2 Networking of configuring trusted device access

Configuration Steps

Step 1: On Device1, configure the link type of the VLAN and port.

#On gigabitethernet 0/2 of Device1, configure the port link type as Access, permitting the services of VLAN2 to pass.

Device1(config)#interface gigabitethernet 0/2
Device1(config-if-range)#switchport mode access
Device1(config-if-range)#switchport access vlan 2
Device1(config-if-range)#exit

#On gigabitethernet 0/1 of Device1, configure the port link type as Hybrid, and the port is added to VLAN2 in the Tagged mode.

Device1(config)#interface gigabitethernet 0/1
Device1(config-if-range)#switchport mode hybrid
Device1(config-if-range)#switchport hybrid tagged vlan 2
Device1(config-if-range)#exit

Step 2: On Device2, configure the link type of the VLAN and port.

#On Device2, create VLAN2~VLAN3.

Device2#configure terminal
Device2(config)#vlan 2-3
Device2(config)#exit

#On gigabitethernet 0/1 of Device2, configure the port link type as Hybrid, and the port is added to VLAN2 in the Tagged mode.

Device2(config)#interface gigabitethernet 0/1
Device2(config-if-range)#switchport mode hybrid
Device2(config-if-range)#switchport hybrid tagged vlan 2
Device2(config-if-range)#exit

#On gigabitethernet 0/2-gigabitethernet 0/3 of Device2, configure the port link type as Access, permitting the services of VLAN2~VLAN3 to pass. (omitted)

Step 3: Configure the interface IP address of Device2.

#On Device2, configure the IP address of VLAN3 as 130.255.167.1/24.

Device2(config)#interface vlan 3
Device2(config-if-vlan3)#ip address 130.255.167.1 255.255.255.0
Device2(config-if-vlan3)#exit

Step 4: On Device2, configure the AAA authentication.

#On Device2, enable AAA, use RADIUS as the authentication mode, and add the RADIUS server at 130.255.167.167/24 with priority 1 and the shared key admin.

Device2(config)#aaa new-model
Device2(config)#aaa authentication connection default radius
Device2(config)#radius-server host 130.255.167.167 priority 1 key admin

Step 5: Configure the AAA server.

#On the AAA server, configure the user name, password and key as admin. (Omitted)

Step 6: On Device1, configure the trusted device access.

#On Device1, configure the user name and password of the trusted device access authentication.

Device1(config)#interface gigabitethernet 0/1
Device1(config-if-gigabitethernet0/1)#dot1x client user admin password 0 admin
Device1(config-if-gigabitethernet0/1)#exit

#On Device1, configure the port to actively send EAPOL-Start packets at an interval of 10s to initiate the 802.1X device authentication.

Device1(config)#interface gigabitethernet 0/1
Device1(config-if-gigabitethernet0/1)#dot1x client auth-interval 10
Device1(config-if-gigabitethernet0/1)#exit

#On Device1, enable the access function of the trusted device.

Device1(config)#interface gigabitethernet 0/1
Device1(config-if-gigabitethernet0/1)#dot1x client enable
Device1(config-if-gigabitethernet0/1)#exit

Step 7: On Device2, configure the 802.1X device authentication.

#On Device2, enable the 802.1X authentication.

Device2(config)#interface gigabitethernet 0/1
Device2(config-if-gigabitethernet0/1)#dot1x port-control enable
Device2(config-if-gigabitethernet0/1)#exit

#On Device2, enable the 802.1X device authentication.

Device2(config)#interface gigabitethernet 0/1
Device2(config-if-gigabitethernet0/1)#dot1x device-auth enable
Device2(config-if-gigabitethernet0/1)#exit

#On Device2, configure the keepalive period of the 802.1X device authentication as 120s.

Device2(config)#interface gigabitethernet 0/1
Device2(config-if-gigabitethernet0/1)#dot1x device-auth keepalive 120
Device2(config-if-gigabitethernet0/1)#exit

Step 8: Check the result.

#Before the access device passes authentication, the PC cannot access the network. After it passes authentication, the PC can access the network normally.

Device1#show dot1x client user
 Interface           : gi0/1
 Status              : Authorized
 State Machine State : AUTHENTICATED
 Keep Alive Interval : 120 sec (802.1X Server)

Device2#show dot1x user auth-type device

NO 1 : MAC_ADDRESS= 3883.45ef.7984   STATUS= Authorized  USER_NAME= admin
         VLAN=    2        INTERFACE= gi0/1         USER_TYPE= DOT1X
         AUTH_STATE= AUTHENTICATED    BACK_STATE= IDLE          IP_ADDRESS= Unknown
         Online time: 0 week 0 day 0 hour 0 minute 53 seconds

 Total: 1 Authorized: 1 Unauthorized/guest/critical: 0/0/0 Unknown: 0
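The Step 8 check can be automated so that both sides of the trusted device access are verified against the configured values (user admin, keepalive 120s). The script below is an added example, not part of the original guide or the vendor's software; it parses constructed copies of the two show outputs above and reports any mismatch.

```python
import re
# Constructed sample output modelled on the Step 8 "show" commands (not a real capture).
CLIENT_OUTPUT = """\
 Interface           : gi0/1
 Status              : Authorized
 State Machine State : AUTHENTICATED
 Keep Alive Interval : 120 sec (802.1X Server)
"""
AUTHENTICATOR_OUTPUT = """\
NO 1 : MAC_ADDRESS= 3883.45ef.7984   STATUS= Authorized  USER_NAME= admin
         VLAN=    2        INTERFACE= gi0/1         USER_TYPE= DOT1X
         AUTH_STATE= AUTHENTICATED    BACK_STATE= IDLE          IP_ADDRESS= Unknown
 Total: 1 Authorized: 1 Unauthorized/guest/critical: 0/0/0 Unknown: 0
"""
def parse_client(text):
    """'show dot1x client user' (Device1, supplicant side) -> dict of its labelled fields."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    keep = re.match(r"(\d+)\s*sec", fields.get("Keep Alive Interval", ""))
    fields["keepalive_sec"] = int(keep.group(1)) if keep else None
    return fields

def parse_authenticator(text):
    """'show dot1x user auth-type device' (Device2) -> one dict of KEY= value pairs per session."""
    sessions = []
    for line in text.splitlines():
        if re.match(r"\s*NO\s+\d+\s*:", line):   # each "NO n :" line starts a new session
            sessions.append({})
        if sessions:
            sessions[-1].update(re.findall(r"(\w+)=\s*(\S+)", line))
    return sessions

def verify_trusted_access(client_text, auth_text, expected_user="admin", expected_keepalive=120):
    """Cross-check both sides against the configured values; an empty list means healthy."""
    client, sessions = parse_client(client_text), parse_authenticator(auth_text)
    findings = []
    if client.get("Status") != "Authorized" or client.get("State Machine State") != "AUTHENTICATED":
        findings.append("Device1 supplicant is not Authorized/AUTHENTICATED")
    if client.get("keepalive_sec") != expected_keepalive:
        findings.append(f"keepalive {client.get('keepalive_sec')}s differs from configured {expected_keepalive}s")
    if not sessions:
        findings.append("Device2 lists no device-authenticated session")
    for s in sessions:
        if s.get("STATUS") != "Authorized" or s.get("USER_NAME") != expected_user:
            findings.append(f"Device2 session {s.get('MAC_ADDRESS')} is {s.get('STATUS')} as {s.get('USER_NAME')}")
    return findings
```

Feed it the real output of the two commands (collected over SSH or from a log) to confirm the Step 6 and Step 7 settings actually took effect on both devices.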