As shown in Figure 1, there are different types of terminal access the network in a company. For the security of the company network, the administrator needs to employ different types of NAC authentication modes on the access switch to control the access rights of different users.
Figure1. Topology for Configuring Multiple Authentication Modes
Figure 1 shows the topology for configuring multiple authentication modes. Follow the configuration roadmap below to complete the configuration.
- Ensure that PICA8 Switch is properly connected to the AAA server. In this example, the switch uses the management port Eth0 to connect to the AAA server.
- Complete the NAC configurations on the AAA server. For details about how to configure NAC on AAA server, please refer to documents Typical Configuration of NAC.
Configuration Roadmap on PICA8 Switch
- A printer accesses the network through interface ge-1/1/1 of the switch. It is a dumb terminal and lacks the supplicant feature which is needed to pass on the 802.1X authentication credentials between the client and the authentication server. In this case, you can configure MAB authentication. You can use the set protocols dot1x interface <interface-name> auth-mode mac-radius command to enable MAB authentication mode on the interface.
- A guest user accesses the network through interface ge-1/1/2 of the switch, it doesn’t have proper 802.1X or MAC Radius credentials saved on the authentication servers. In this case, you can configure CWA authentication to control the guest user's network access rights. Remember to enable MAB authentication before using CWA authentication.
- On interface ge-1/1/3, a PC and an IP telephone are connected to the switch so that both data and voice services can be transmitted.
- Enable LLDP protocol for OUI learning from LLDP packets.
- Configure 802.1X authentication on the ge-1/1/3 interface to perform access authentication on the connected PC.
- Since there are two devices, a PC and an IP telephone, on port ge-1/1/3, you need to configure access port ge-1/1/3 for multiple host mode authentication.
- It is strongly recommended not to use both voice VLAN and dynamic VLAN on the port enabled with NAC function. If both voice VLAN and dynamic VLAN are enabled on the port, dynamic VLAN A has a higher priority.
- In this example, on the AAA server, you have to configure voice VLAN 300 for IP phone communication and dynamic VLAN 400 for data communication for the PC on the ge-1/1/3 interface.
- On the switch, you need to use the set vlans vlan-id <vlan-id> command to create the dynamic VLANs in advance. And the link type of interface ge-1/1/3 should be configured as trunk port.
- Multiple PCs are connected to the switch on ge-1/1/4 interface. Enable 802.1X authentication on ge-1/1/4, and configure access port ge-1/1/4 for multiple host mode authentication.
Step1 Create VLANs on the switch for dynamic VLAN.
Step2 Configure the access ports to trunk mode.
Step3 Enable the authentication mode.
Step4 Configure IP address of AAA server, WEB authentication server and CoA client.
Step5 Configure a block VLAN for CWA authentication.
Step6 Configure the NAS IP address to the IP of the management interface eth0 which connected to the AAA server.
This command is to set the nas-ip field in RADIUS access-request message. If you use the management interface eth0/eth1 to connect to the AAA server, the IP address of the management interface eth0/eth1 should be used for the NAS IP address configured here.
Step7 Configure the host mode for NAC authentication interface.
Step8 Enable LLDP protocol for OUI learning from LLDP packets.
Step9 (Optional) Enable PoE function on the interface ge-1/1/3 if the IP telephone obtains power through the PoE port of the switch.
Step10 Commit the configuration.
Verify the configuration
a) Run the run show dot1x interface or run show dot1x interface gigabit-ethernet <interface-name> to check the NAC authentication configurations. The command output shows that the NAC authentication has been enabled and the terminals are successfully authenticated on each port.
b) Use run show lldp neighbor command to check the LLDP neighbor information on interface ge-1/1/3.
c) The terminal can access the network after passed the corresponding authentication method.