As shown in Figure 1, there are different types of terminal access the network in a company. For the security of the company network, the administrator needs to employ different types of NAC authentication modes on the access switch to control the access rights of different users.
Figure1. Topology for Configuring Multiple Authentication Modes
Figure 1 shows the topology for configuring multiple authentication modes. Follow the configuration roadmap below to complete the configuration.
- Ensure that PICA8 Switch is properly connected to the AAA server. In this example, the switch uses the management port Eth0 to connect to the AAA server.
- Complete the NAC configurations on the AAA server. For details about how to configure NAC on AAA server, please refer to documents Typical Configuration of NAC.
Configuration Roadmap on PICA8 Switch
- A printer accesses the network through interface ge-1/1/1 of the switch. It is a dumb terminal and lacks the supplicant feature which is needed to pass on the 802.1X authentication credentials between the client and the authentication server. In this case, you can configure MAB authentication. You can use the set protocols dot1x interface <interface-name> auth-mode mac-radius command to enable MAB authentication mode on the interface.
- A guest user accesses the network through interface ge-1/1/2 of the switch, it doesn’t have proper 802.1X or MAC Radius credentials saved on the authentication servers. In this case, you can configure CWA authentication to control the guest user's network access rights. Remember to enable MAB authentication before using CWA authentication.
- On interface ge-1/1/3, a PC and an IP telephone are connected to the switch so that both data and voice services can be transmitted.
- Create a voice VLAN and add the ge-1/1/3 interface to this voice VLAN.
- Enable LLDP protocol for OUI learning from LLDP packets.
- Configure 802.1X authentication on the ge-1/1/3 interface to perform access authentication on the connected PC.
- Since there are two devices, a PC and an IP telephone, on port ge-1/1/3, you need to configure access port ge-1/1/3 for multiple host mode authentication.
- It is strongly recommended not to use both voice VLAN and dynamic VLAN on the port enabled with NAC function. If you use a voice VLAN on ge-1/1/3 interface, don’t use dynamic VLAN on this interface.
- Multiple PCs are connected to the switch on ge-1/1/4 interface. Enable 802.1X authentication on ge-1/1/4, and configure access port ge-1/1/4 for multiple host mode authentication.
Step1 Configure the access ports to trunk mode.
Step2 Enable the authentication mode.
Step3 Configure IP address of AAA server, WEB authentication server and CoA client.
Step4 Configure block VLAN.
Step5 Configure the NAS IP address to the IP of the management interface eth0 which connected to the AAA server.
This command is to set the nas-ip field in RADIUS access-request message. If you use the management interface eth0/eth1 to connect to the AAA server, the IP address of the management interface eth0/eth1 should be used for the NAS IP address configured here.
Step6 Configure the host mode for NAC authentication interface.
Step7 Configure voice VLAN on interface ge-1/1/3.
Step8 Enable LLDP protocol for OUI learning from LLDP packets.
Step9 (Optional) Enable PoE function on the interface ge-1/1/3 if the IP telephone obtains power through the PoE port of the switch.
Step10 Commit the configuration.
Verify the configuration
a) Run the run show dot1x interface or run show dot1x interface gigabit-ethernet <interface-name> to check the NAC authentication configurations. The command output shows that the NAC authentication has been enabled and the terminals are successfully authenticated on each port.
b) Use run show lldp neighbor command to check the LLDP neighbor information on interface ge-1/1/3.
c) The terminal can access the network after passed the corresponding authentication method.