Programmable Internetworking & Communication Operating System Docs ... Click Spaces -> Space Directory to see docs for all releases ...
Page tree
Skip to end of metadata
Go to start of metadata

Networking Requirements

As shown in Figure 1, a large number of user terminals in a company access the Internet through ge-1/1/1 of the PICA8 Switch (as the access device). To ensure network access security, the administrator employs 802.1X authentication on the Switch and AAA server, to control the network access rights of the user terminals. The Switch allows the user terminals to access resources on the Internet only when the authentication is successfully passed.

Prerequisite

Ensure that PICA8 Switch is properly connected to the AAA server. In this example, the switch uses the management port Eth0 to connect to the AAA server.

Configuration on the AAA Server

  • Configure the Eth0 IP address of the switch to establish a connection to the switch.
  • Configure the username and password on the AAA server.
  • Configure the shared key.
  • Configure other RADIUS attributes for 802.1X authentication.

Configuration on the Switch

  • Use Eth0 management port connects to the AAA server.
  • Configure the 802.1X authentication server IP and shared key on the Switch.
  • Enable 802.1X authentication on the Switch.
  • Configure the host mode to multiple on interface ge-1/1/1.

Figure 1. Networking Diagram for Configuring 802.1X Authentication

Procedure

Step1         Configure the access port to trunk mode and enable 802.1X authentication mode.

admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching port-mode trunk
admin@XorPlus# set protocols dot1x interface ge-1/1/1 auth-mode 802.1x

Step2         Configure IP address of AAA server and the shared key.

admin@XorPlus# set protocols dot1x aaa radius authentication server-ip 10.10.51.4 shared-key pica8

Step3         Configure the NAS IP address to the L3 VLAN interface IP which is connected to the RADIUS server.

admin@XorPlus# set protocols dot1x aaa radius nas-ip 10.10.51.100

This command is used to set the nas-ip field in RADIUS access-request message. If you use the management interface eth0/eth1 to connect to the RADIUS server, the IP address of the management interface eth0/eth1 should be used for the NAS IP address configured here.

Step4         Configure the host mode for NAC authentication interface.

admin@XorPlus# set protocols dot1x interface ge-1/1/1 host-mode multiple

Step5         Commit the configuration.

admin@XorPlus# commit

Step6         Verify the configuration.

   a)      Run the run show dot1x interface to check the 802.1X authentication configurations. The command output (802.1x = enable) shows that the 802.1X authentication has been enabled on the interface ge-1/1/1 and MAC address ae:11:01:39:1a:00 is successfully authenticated.

admin@Xorplus# run show dot1x interface 
Interface 802.1x  MAC-RADIUS  WEB     HOST-MODE  CLIENT-MAC        CLIENT-STATUS
---------------------------------------------------------------------------------
ge-1/1/1  enable  disable     disable  multiple  00:11:22:33:44:55  authorized 
                                                 33:12:a1:49:1b:0c authorized 
                                                 b3:55:c1:d7:2f:22 authorized

    b)      The user starts the 802.1X client software on the terminal, enters the username and password, and starts authentication.

    c)      If the user name and password are correct, there will be an authentication success message displayed. Then users can access the network through this port.

  • No labels