
Networking Requirements

As shown in Figure 1, different types of terminals access the company network. To keep the network secure, the administrator needs to apply different NAC authentication modes on the access switch to control the access rights of the different users.

Figure 1. Topology for Configuring Multiple Authentication Modes

Figure 1 shows the topology for configuring multiple authentication modes. Follow the configuration roadmap below to complete the configuration.

Prerequisite

  • Ensure that the PICA8 switch is properly connected to the AAA server. In this example, the switch uses the management port eth0 to connect to the AAA server.
  • Complete the NAC configuration on the AAA server. For details about how to configure NAC on the AAA server, refer to the document Typical Configuration of NAC.

Configuration Roadmap on PICA8 Switch

  • A printer accesses the network through interface ge-1/1/1 of the switch. It is a dumb terminal and lacks the supplicant that is needed to exchange 802.1X authentication credentials between the client and the authentication server. In this case, configure MAB authentication: use the set protocols dot1x interface <interface-name> auth-mode mac-radius command to enable MAB authentication mode on the interface.
  • A guest user accesses the network through interface ge-1/1/2 of the switch and has no 802.1X or MAC RADIUS credentials stored on the authentication server. In this case, configure CWA authentication to control the guest user's network access rights. MAB authentication must be enabled before CWA authentication can be used.
  • On interface ge-1/1/3, a PC and an IP telephone are connected to the switch so that both data and voice services can be transmitted.
    • Create a voice VLAN and add the ge-1/1/3 interface to this voice VLAN.
    • Enable LLDP protocol for OUI learning from LLDP packets.
    • Configure 802.1X authentication on the ge-1/1/3 interface to perform access authentication on the connected PC.
    • Since there are two devices, a PC and an IP telephone, on port ge-1/1/3, you need to configure access port ge-1/1/3 for multiple host mode authentication.
    • It is strongly recommended not to use both a voice VLAN and a dynamic VLAN on a port with NAC enabled. If you use a voice VLAN on interface ge-1/1/3, do not use a dynamic VLAN on that interface.
  • Multiple PCs are connected to the switch on interface ge-1/1/4. Enable 802.1X authentication on ge-1/1/4 and configure access port ge-1/1/4 for multiple host mode authentication.

Procedure

Step 1         Configure the access ports to trunk mode.

admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching port-mode trunk
admin@XorPlus# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching port-mode trunk
admin@XorPlus# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching port-mode trunk
admin@XorPlus# set interface gigabit-ethernet ge-1/1/4 family ethernet-switching port-mode trunk

Step 2         Enable the authentication modes.

admin@XorPlus# set protocols dot1x interface ge-1/1/1 auth-mode mac-radius
admin@XorPlus# set protocols dot1x interface ge-1/1/2 auth-mode web
admin@XorPlus# set protocols dot1x interface ge-1/1/2 auth-mode mac-radius
admin@XorPlus# set protocols dot1x interface ge-1/1/3 auth-mode 802.1x
admin@XorPlus# set protocols dot1x interface ge-1/1/3 auth-mode mac-radius
admin@XorPlus# set protocols dot1x interface ge-1/1/4 auth-mode 802.1x

Step 3         Configure the IP addresses of the AAA server, the web authentication server and the CoA client.

admin@XorPlus# set protocols dot1x aaa radius authentication server-ip 10.10.51.4 shared-key pica8
admin@XorPlus# set protocols dot1x aaa radius dynamic-author client 10.10.51.4 shared-key pica8
admin@XorPlus# set protocols dot1x aaa web server-ip 10.10.51.4 port 500

Step 4         Configure the block VLAN.

admin@XorPlus# set protocols dot1x block-vlan-id 200
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 200
admin@XorPlus# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 200
admin@XorPlus# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching native-vlan-id 200
admin@XorPlus# set interface gigabit-ethernet ge-1/1/4 family ethernet-switching native-vlan-id 200
admin@XorPlus# set vlans vlan-id 200 l3-interface vlan200
admin@XorPlus# set vlan-interface interface vlan200 vif vlan200 address 10.10.51.11 prefix-length 24

Step 5         Configure the NAS IP address as the IP address of the management interface eth0, which is connected to the AAA server.

admin@XorPlus# set protocols dot1x aaa radius nas-ip 10.10.51.100

This command sets the nas-ip field in the RADIUS Access-Request message. If you use the management interface eth0/eth1 to connect to the AAA server, the IP address of that management interface (eth0/eth1) must be used as the NAS IP address configured here.
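To make the NAS IP setting concrete, here is an added Python example (not PicOS code and not the switch's implementation) that builds the kind of RADIUS Access-Request a switch sends for a MAB client, using the values from this page: NAS-IP-Address 10.10.51.100 and shared key pica8. It implements the RFC 2865 packet layout and User-Password hiding, then parses the packet back the way an AAA server would. Using the client MAC as both User-Name and User-Password, Service-Type Call-Check, and the hyphenated Calling-Station-Id format are common switch conventions assumed here, not something this page states for PicOS.

```python
import hashlib
import os
import socket
import struct

# RADIUS code and attribute types from RFC 2865.
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_SERVICE_TYPE = 6
ATTR_CALLING_STATION_ID = 31
SERVICE_TYPE_CALL_CHECK = 10  # widely used for MAB requests (assumption, not a PicOS fact)


def _avp(attr_type, value):
    """Encode one Type-Length-Value attribute; the length byte covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_user_password(secret, authenticator, password):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with an MD5 keystream
    derived from the shared secret; each keystream block is chained on the previous ciphertext."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_user_password(secret, authenticator, hidden):
    """Inverse of hide_user_password, as the AAA server computes it. Only the shared
    secret protects the password on the wire, so the secret must be strong."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_mab_access_request(secret, nas_ip, client_mac, identifier, authenticator=None):
    """Build an Access-Request for a MAB client (MAC used as User-Name and User-Password)."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: 16 unpredictable bytes
    mac_plain = client_mac.replace(":", "").replace("-", "").lower().encode()
    attrs = (
        _avp(ATTR_USER_NAME, mac_plain)
        + _avp(ATTR_USER_PASSWORD, hide_user_password(secret, authenticator, mac_plain))
        + _avp(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))  # the value set by "aaa radius nas-ip"
        + _avp(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
        + _avp(ATTR_CALLING_STATION_ID, client_mac.upper().replace(":", "-").encode())
    )
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_radius(packet):
    """Decode header and attributes; returns (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match the packet")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


if __name__ == "__main__":
    # Constructed values: the page's NAS IP, shared key and the printer MAC from the show output.
    pkt = build_mab_access_request(b"pica8", "10.10.51.100", "f8:9e:01:9e:cc:a1", identifier=1)
    code, ident, ra, attrs = parse_radius(pkt)
    print("NAS-IP-Address:", socket.inet_ntoa(attrs[ATTR_NAS_IP_ADDRESS]))
    print("User-Name:", attrs[ATTR_USER_NAME].decode())
    print("User-Password recovered:", reveal_user_password(b"pica8", ra, attrs[ATTR_USER_PASSWORD]))
```

The AAA server identifies the switch by the source address of the request and verifies the shared key; the NAS-IP-Address attribute is what the server logs and can use in its policy, so it should agree with the interface the request actually leaves from, which is why step 5 matters when the management interface is the path to the server.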

Step 6         Configure the host mode for the NAC authentication interfaces.

admin@XorPlus# set protocols dot1x interface ge-1/1/3 host-mode multiple
admin@XorPlus# set protocols dot1x interface ge-1/1/4 host-mode multiple

Step 7         Configure the voice VLAN on interface ge-1/1/3.

admin@XorPlus# set interface gigabit-ethernet ge-1/1/3 voice-vlan vlan-id 10

Step 8         Enable the LLDP protocol for OUI learning from LLDP packets.

admin@XorPlus# set protocols lldp enable true

Step 9         (Optional) Enable the PoE function on interface ge-1/1/3 if the IP telephone obtains power through the PoE port of the switch.

admin@XorPlus# set poe interface ge-1/1/3 enable true

Step 10        Commit the configuration.

admin@XorPlus# commit

Verify the configuration

a)  Run the run show dot1x interface or run show dot1x interface gigabit-ethernet <interface-name> command to check the NAC authentication configuration. The command output shows that NAC authentication is enabled and that the terminals are successfully authenticated on each port.

admin@XorPlus# run show dot1x interface
Interface  802.1x   MAC-RADIUS  WEB      HOST-MODE  CLIENT-MAC         CLIENT-STATUS
------------------------------------------------------------------------------------
ge-1/1/1   disable  enable      disable  single     f8:9e:01:9e:cc:a1  authorized
ge-1/1/2   disable  enable      enable   single     23:5e:81:77:ac:a2  authorized
ge-1/1/3   enable   enable      disable  multiple   ad:ee:02:45:d3:a3  authorized
                                                    6d:33:12:4b:ef:a4  authorized
ge-1/1/4   enable   enable      disable  multiple   f2:3e:00:8a:90:a5  authorized
                                                    a2:44:00:5a:90:3d  authorized
                                                    56:33:a0:ee:f0:ab  authorized

admin@XorPlus# run show dot1x interface gigabit-ethernet ge-1/1/3
Interface ge-1/1/3:
============================================================
  Client MAC           : ad:ee:02:45:d3:a3
  Status               : authorized
  Success Auth Method  : Dot1x
  Dynamic VLAN ID      : 200 (active)
============================================================
  Client MAC           : 6d:33:12:4b:ef:a4
  Status               : authorized
  Success Auth Method  : MAB
  Dynamic VLAN ID      : 200 (active)
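Reading the table by eye works for four ports; for a larger deployment it is useful to check the running state against the intended policy automatically. The following added Python example (not part of this page and not PicOS code) parses the tabular run show dot1x interface output and audits it against the per-port intent from the configuration roadmap: the required authentication modes, the host mode, the number of clients on single-host ports, and the status of every client. The sample output embedded in the script is the table above, with the last client on ge-1/1/4 changed to unauthorized so the check has something to report; the policy dictionary is constructed from the roadmap, not read from the switch.

```python
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

# Constructed sample: the page's "run show dot1x interface" table, with the last
# client on ge-1/1/4 deliberately set to "unauthorized" to exercise the audit.
SAMPLE_OUTPUT = """\
Interface  802.1x   MAC-RADIUS  WEB      HOST-MODE  CLIENT-MAC         CLIENT-STATUS
------------------------------------------------------------------------------------
ge-1/1/1   disable  enable      disable  single     f8:9e:01:9e:cc:a1  authorized
ge-1/1/2   disable  enable      enable   single     23:5e:81:77:ac:a2  authorized
ge-1/1/3   enable   enable      disable  multiple   ad:ee:02:45:d3:a3  authorized
                                                    6d:33:12:4b:ef:a4  authorized
ge-1/1/4   enable   enable      disable  multiple   f2:3e:00:8a:90:a5  authorized
                                                    a2:44:00:5a:90:3d  authorized
                                                    56:33:a0:ee:f0:ab  unauthorized
"""

# Intended state per port, taken from the configuration roadmap (constructed, hypothetical).
EXPECTED_POLICY = {
    "ge-1/1/1": {"modes": {"mac-radius"}, "host_mode": "single"},           # printer, MAB
    "ge-1/1/2": {"modes": {"web", "mac-radius"}, "host_mode": "single"},    # guest, CWA + MAB
    "ge-1/1/3": {"modes": {"802.1x", "mac-radius"}, "host_mode": "multiple"},  # PC + IP phone
    "ge-1/1/4": {"modes": {"802.1x"}, "host_mode": "multiple"},             # several PCs
}


@dataclass
class PortState:
    name: str
    dot1x: bool
    mac_radius: bool
    web: bool
    host_mode: str
    clients: list = field(default_factory=list)  # list of (mac, status)


def parse_show_dot1x(text):
    """Parse the tabular output into {interface: PortState}. A row that starts with an
    interface name opens a new port; a row holding only MAC and status continues it."""
    ports, current = {}, None
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0] == "Interface" or set(fields[0]) == {"-"}:
            continue
        if len(fields) >= 5 and not MAC_RE.match(fields[0]):
            name, dot1x, mab, web, host_mode = fields[:5]
            current = PortState(name, dot1x == "enable", mab == "enable", web == "enable", host_mode)
            ports[name] = current
            rest = fields[5:]
        else:
            rest = fields  # continuation line for the current port
        if current is not None and len(rest) == 2 and MAC_RE.match(rest[0]):
            current.clients.append((rest[0].lower(), rest[1]))
    return ports


def audit(ports, policy):
    """Compare parsed state with the intended policy; returns a list of finding strings."""
    findings = []
    for name, want in policy.items():
        port = ports.get(name)
        if port is None:
            findings.append(f"{name}: not present in show dot1x output (NAC not enabled?)")
            continue
        enabled = {mode for mode, on in (("802.1x", port.dot1x),
                                         ("mac-radius", port.mac_radius),
                                         ("web", port.web)) if on}
        missing = want["modes"] - enabled
        if missing:
            findings.append(f"{name}: required auth mode(s) not enabled: {sorted(missing)}")
        if port.host_mode != want["host_mode"]:
            findings.append(f"{name}: host-mode is {port.host_mode}, expected {want['host_mode']}")
        if port.host_mode == "single" and len(port.clients) > 1:
            findings.append(f"{name}: {len(port.clients)} clients seen on a single-host port")
        for mac, status in port.clients:
            if status != "authorized":
                findings.append(f"{name}: client {mac} is {status}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_show_dot1x(SAMPLE_OUTPUT), EXPECTED_POLICY) or ["no findings"]:
        print(line)
```

Run it against the real command output captured over the switch's management channel and the same policy dictionary; the audit treats the policy as a set of required modes, so a port with an additional mode enabled is not reported, while a port missing from the output, a wrong host mode, more than one client on a single-host port, or any client that is not authorized is.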

b)  Use the run show lldp neighbor command to check the LLDP neighbor information on interface ge-1/1/3.

admin@Xorplus# run show lldp neighbor
LLDP Remote Devices Information
LocalPort   ChassisId                 PortId             Management Address  System Name      Platform           Capability
----------  ------------------------  -----------------  ------------------  ---------------  -----------------  -----------------
ge-1/1/3    3C:2C:99:41:47:E1         ge-1/1/13          10.10.51.100        Xorplus          as4610_30t         B, R

c)  The terminal can access the network after it passes the corresponding authentication method.
