802.1x wired authentication with Huawei VRP Switch - (Unified Mode)
I found it very difficult to find the actual configuration steps that are required for 802.1x authentication on Huawei's VRP-based switches. Huawei has two authentication modes - unified-mode and common-mode. I did not find any straightforward configuration guide on how to configure 802.1X in unified-mode. In today's blog article I will try to address that.
In this blog post I will only cover the configuration commands for 802.1x in unified-mode authentication on Huawei VRP-based switches. I will not present a network topology and work with that. If someone is interested in a full network setup and example, I recommend reading part I and part II and comparing the configuration accordingly.
First we will check the current authentication mode the switch is running. If it is running "common-mode", we need to change it to "unified-mode". Changing the authentication mode requires a restart of the switch.
[sw]display authentication mode
Current authentication mode is unified-mode
Next authentication mode is unified-mode
To change the authentication mode, type the command below -
[sw]authentication unified-mode
Configuration of switch
When a Huawei VRP switch runs in unified-mode, 802.1x is enabled globally. We will only enable 802.1x on individual switch ports.
Create a domain
domain family.local
Create a radius template -
radius-server template family.local-radius-server-template
radius-server shared-key cipher test123
radius-server authentication 172.16.245.11 1812 source ip-address 172.16.250.2
undo radius-server user-name domain-included
Another nice and optional feature is detecting the liveness of the radius server. We can auto-generate radius traffic from the switch to the servers and check for a response. Whether the response is successful or unsuccessful does not matter here; if there is no response at all, we mark the radius server as down and take an action later on. In our case, if our radius servers are not working we will place all our switch ports in the client VLAN 246, so that the network keeps working normally during server downtime.
radius-server template family.local-radius-server-template
!!! A dummy user account to generate radius traffic
radius-server testuser username dummyuser password cipher test123
!!! Even when the server is in the UP state we will regularly check the status every 5 minutes
!!! Below command requires the most recent version of Huawei VRP OS, in my case it was R19
radius-server detect-server up-server interval 300
Then under the "aaa" configuration we will bind these three things together: the domain, the radius template and the authentication scheme.
!!!Create an authentication scheme, which does authentication
!!!using radius server
authentication-scheme family.local-authentication-scheme
authentication-mode radius
!!!Under domain, we bind authentication and radius scheme
!!!together
domain family.local
authentication-scheme family.local-authentication-scheme
radius-server family.local-radius-server-template
Now we will start configuring the 802.1x settings. First, disable pre-authen-access for 802.1x on the switch. By default, a Huawei switch allows a client to get its IP address from the DHCP server in the access VLAN defined under the switch port configuration, which defeats the whole purpose of 802.1x. This is completely different from a Cisco switch: on a Cisco switch, an 802.1x-enabled port is not granted any network access (no MAC-address learning) until the 802.1x process has determined what to do with the port. A Huawei switch, however, learns MAC addresses, places the port in the access VLAN and lets the client obtain a DHCP address during its so-called pre-authentication stage of 802.1x.
To stop this behaviour, we will use a dummy VLAN during the pre-authentication stage. This dummy VLAN is only significant on the local switch; it will never pass across inter-switch/trunk links.
!!!Disable pre-authen-access for 802.1x
undo authentication pre-authen-access enable
Then define the dummy VLAN that will be used during the pre-authentication stage, and disable MAC-address learning on that VLAN as well.
!!! vlan 4094 is only used during the pre-authen stage, so that no mac-address learning and no DHCP address assignment happen before the switch determines the authentication status of the port
vlan 4094
description dot1x-dummy
name dot1x-dummy
mac-address learning disable
Change the timer below for dot1x. The formula used is Timeout = (max-retry-value + 1) x tx-period-value. By default max-retry-value = 2 and tx-period-value = 30s, so we need to wait at least 90s before clients get an IP address. Instead we will use a tx-period-value of 10s, so that clients get an IP address within 30s.
!!!Change tx-period timer from 30s to 10s
dot1x timer tx-period 10
But if you also want to change the max-retry-value, it is under -
!!!This is not recommended to change, just for reference on how to
!!!change it
dot1x-access-profile name family.local-dot1x-access-profile
dot1x retry 2
Create a service-scheme which will be used when the client connected to the switch port is not running any 802.1x-capable client software. In that case the client will be assigned to VLAN 247. Another service scheme is used for the pre-authen stage and uses our dummy VLAN 4094. If our radius servers go down, clients will be assigned the client VLAN 246 directly, avoiding a network outage.
aaa
service-scheme guest.family.local-service-scheme
user-vlan 247
service-scheme down.family.local-service-scheme
user-vlan 246
service-scheme pre.family.local-service-scheme
user-vlan 4094
Now create a dot1x-access-profile, where the different dot1x settings are defined -
dot1x-access-profile name family.local-dot1x-access-profile
dot1x authentication-method eap
dot1x port-control auto
!!!Authenticated clients need to re-authenticate
!!!every 1 hour
dot1x reauthenticate
dot1x timer reauthenticate-period 3600
!!!We are using service-scheme below to assign VLAN
!!!to clients who have no 802.1x client software installed
authentication event client-no-response action authorize service-scheme guest.family.local-service-scheme
Optional feature - if we want to use the so-called MAC address bypass (MAB) feature, where a client is authenticated only by its MAC address, we need a mac-access-profile and bind it to our authentication-profile.
!!! A mac-access-profile for MAB
mac-access-profile name family.local-mac-access-profile
Now we will create authentication-profile and bind everything together.
authentication-profile name family.local-auth-profile
!!!Binding with domain, which in turn finds the radius server
access-domain family.local dot1x
!!!multi-authen means every station connected to the switch
!!!port must be authenticated. For example, if someone is
!!!running a VM on the client, that VM also needs to be
!!!authenticated.
authentication mode multi-authen
!!!When an authenticated switch port goes down, after 10
!!!seconds the port will return to unauthenticated state
link-down offline delay 10
!!!Binding the dot1x-access-profile with the authentication-profile
dot1x-access-profile family.local-dot1x-access-profile
!!!What happens when the client fails authentication
!!!(the radius server-down case is handled separately below)
authentication event authen-fail action authorize service-scheme guest.family.local-service-scheme
!!!During pre-authen stage port will use vlan 4094
authentication event pre-authen action authorize service-scheme pre.family.local-service-scheme
authentication event authen-server-down action authorize service-scheme down.family.local-service-scheme
!!!If a radius server down event occurs, after that when the
!!!server comes back online again, initiate re-authentication.
authentication event authen-server-up action re-authen
!!! Only if we are doing mac-authentication bypass or MAB
!!! Binding the mac-access-profile
mac-access-profile family.local-mac-access-profile
!!! Activating MAB. When both EAP and MAB are configured, EAP has priority:
!!! EAP is tried first, and MAB is tried only if EAP is unsuccessful
authentication dot1x-mac-bypass
Now we have everything in place, we just need to enable 802.1x on the switch port where the client is connected. Again some Huawei terminology gets in our way. We have 3 VLANs. If authentication is successful, the switch port will be assigned the client VLAN (246) by the radius server. In the other cases (no-response, server-down, authentication-failed etc.) the switch port will be placed into the guest VLAN (247). And a port starts its 802.1x journey in VLAN 4094 (dummy) in the pre-authen stage. We need to configure our switch port in so-called "hybrid" mode and assign all the VLANs (246, 247, 4094) as hybrid untagged, and our pvid/native VLAN will be the dummy VLAN 4094. Please google hybrid ports and how they work.
interface Ethernet1/1
description Test-Client
!!!Port will be a hybrid port, not static access port
port link-type hybrid
!!!Assign the dummy vlan 4094 as pvid
port hybrid pvid vlan 4094
!!!Assign vlans 246, 247 and 4094 as hybrid untagged
port hybrid untagged vlan 247 246 4094
!!!Assign the authentication-profile to the interface,
!!!which in turn activates 802.1x over the interface
authentication-profile family.local-auth-profile
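Before the profile is bound to many ports it is worth checking that the three VLANs line up the way this section describes. The script below is an added example (not from this post or from Huawei) that parses the post's own commands, embedded as constructed text in the post's flat `!!!`-comment listing style, and flags the mistakes the section warns about: pre-authen access left enabled, a dummy VLAN that still learns MAC addresses or is not the pvid, and a VLAN a service-scheme can assign that is not carried untagged on the port.

```python
"""Lint the 802.1x VLAN plan from the post (added example; not Huawei tooling).
Checks that pre-authen access is disabled, that the pre-authen dummy VLAN has MAC
learning disabled and is the port pvid, and that every VLAN a service-scheme can
assign is carried untagged on the hybrid port. CONFIG is built from the post."""
import re

CONFIG = """\
undo authentication pre-authen-access enable
vlan 4094
mac-address learning disable
service-scheme guest.family.local-service-scheme
user-vlan 247
service-scheme down.family.local-service-scheme
user-vlan 246
service-scheme pre.family.local-service-scheme
user-vlan 4094
authentication event authen-fail action authorize service-scheme guest.family.local-service-scheme
authentication event pre-authen action authorize service-scheme pre.family.local-service-scheme
authentication event authen-server-down action authorize service-scheme down.family.local-service-scheme
interface Ethernet1/1
port link-type hybrid
port hybrid pvid vlan 4094
port hybrid untagged vlan 247 246 4094
"""

def parse(text):
    """Collect facts from a flat VRP listing; the block-opening line sets the context."""
    f = {"schemes": {}, "events": {}, "ifaces": {}, "nolearn": set(), "preauth_off": False}
    ctx = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("!!!"):
            continue
        if m := re.fullmatch(r"(service-scheme|vlan|interface) (\S+)", line):
            ctx = (m.group(1), m.group(2))
            if ctx[0] == "interface":
                f["ifaces"][ctx[1]] = {"untagged": set(), "pvid": None}
        elif line == "undo authentication pre-authen-access enable":
            f["preauth_off"] = True
        elif m := re.fullmatch(r"authentication event (\S+) action authorize service-scheme (\S+)", line):
            f["events"][m.group(1)] = m.group(2)
        elif ctx and ctx[0] == "service-scheme" and (m := re.fullmatch(r"user-vlan (\d+)", line)):
            f["schemes"][ctx[1]] = int(m.group(1))
        elif ctx and ctx[0] == "vlan" and line == "mac-address learning disable":
            f["nolearn"].add(int(ctx[1]))
        elif ctx and ctx[0] == "interface":
            port = f["ifaces"][ctx[1]]
            if m := re.fullmatch(r"port hybrid pvid vlan (\d+)", line):
                port["pvid"] = int(m.group(1))
            elif m := re.fullmatch(r"port hybrid untagged vlan ([\d ]+)", line):
                port["untagged"] = {int(v) for v in m.group(1).split()}
    return f

def lint(text):
    """Return a list of problems; an empty list means the VLAN plan is consistent."""
    f = parse(text)
    problems = []
    if not f["preauth_off"]:
        problems.append("pre-authen-access enabled: clients get DHCP before authentication")
    pre = f["schemes"].get(f["events"].get("pre-authen"))  # dummy VLAN, 4094 in the post
    if pre not in f["nolearn"]:
        problems.append(f"pre-authen vlan {pre} missing or still learning MAC addresses")
    # 247 (guest), 246 (server-down) and 4094 (pre-authen) must all be untagged on the port
    needed = {f["schemes"][s] for s in f["events"].values() if s in f["schemes"]}
    for name, port in f["ifaces"].items():
        if missing := sorted(needed - port["untagged"]):
            problems.append(f"{name}: vlans {missing} not hybrid untagged")
        if pre is not None and port["pvid"] != pre:
            problems.append(f"{name}: pvid {port['pvid']} is not the dummy vlan {pre}")
    return problems
```

Feed it the output of `display current-configuration` with the relevant blocks and an empty list means the port, the dummy VLAN and the service-schemes agree.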
Verification
Let's verify the radius settings -
[sw]display domain name family.local
Domain-name : family.local Domain-index : 3
Domain-state : Active
Authentication-scheme-name : family.local-authentication-scheme
Accounting-scheme-name : default
Authorization-scheme-name : -
Service-scheme-name : -
RADIUS-server-template : family.local-radius-server-template
Accounting-copy-RADIUS-template : -
HWTACACS-server-template : -
[sw]display radius-server configuration template family.local-radius-server-template
Server-template-name : family.local-radius-server-template
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : asdasd!"!"#
Group-filter : class
Timeout-interval(in second) : 5
Retransmission : 3
EndPacketSendTime : 3
Dead time(in minute) : 5
Domain-included : NO
NAS-IP-Address : -
Calling-station-id MAC-format : xxxx-xxxx-xxxx
Called-station-id MAC-format : XX-XX-XX-XX-XX-XX
Service-type : -
NAS-IPv6-Address : ::
Server algorithm : master-backup
Detect-interval(in second) : 60
Authentication Server 1 : 172.16.245.11 Port:1812 Weight:80 [UP]
Vrf:- LoopBack:NULL
Source IP: 172.16.250.2
[sw]display radius-server item template family.local-radius-server-template
Type = auth-server
State = state-up
AlarmFlag = false
STUseNum = 1
IPAddress = 172.16.245.11
AlarmTimer = 0xffffffff
Head = 4166
Tail = 4165
ProbeID = 255
<sw>test-aaa user01 passWORD radius-template family.local-radius-server-template pap
<sw>
Info: Account test succeed.
Now we will verify 802.1x settings.
[sw]display authentication-profile configuration name family.local-auth-profile
Profile name : family.local-auth-profile
Dot1x access profile name : family.local-dot1x-access-profile
Default domain : -
Dot1x default domain : family.local
Authentication handshake : Enable
Authentication handshake period : 300s
Auth-fail re-auth period : 60s
Pre-auth re-auth period : 60s
Auth-fail aging time : 82800s
Pre-auth aging time : 82800s
Dot1x-mac-bypass : Disable
Single-access : Disable
Device-type authorize service-scheme : -
Authentication mode : multi-authen
Authen-fail authorize service-scheme : guest.family.local-service-scheme
Authen-server-down authorize service-scheme : down.family.local-service-scheme
Pre-authen authorize service-scheme : pre.family.local-service-scheme
Security-name-delimiter : -
Domain-name-delimiter : -
SVF flag : Disable
Ip-static-user : Disable
Roam-realtime-accounting : Disable
Update-IP-realtime-accounting : Enable
Linkdown offline delay time : 10
[sw]display dot1x-access-profile configuration name family.local-dot1x-access-profile
Profile Name : family.local-dot1x-access-profile
Authentication method : EAP
Port control : Auto
Re-authen : Enable
Client-no-response authorize : service-scheme: guest.family.local-service-scheme
Trigger condition : arp dhcp
Unicast trigger : Disable
Trigger dhcp-bind : Disable
Handshake : Disable
Handshake packet-type : request-identity
Max retry value : 2
Reauthen Period : 3600s
Client Timeout : 5s
Handshake Period : 15s
Eth-trunk handshake period : 120s
Bound authentication profile : family.local-auth-profile
[sw]display service-scheme name guest.family.local-service-scheme
service-scheme-name : guest.family.local-service-scheme
service-scheme-primary-dns : -
service-scheme-secondary-dns : -
service-scheme-adminlevel : -
service-scheme-ippool : -
service-scheme-redirect-acl-id: -
service-scheme-vlan : 247
Let's see what happens when a user connected to the switch port and authenticates successfully.
<sw>display dot1x
Max users: 1024
Current users: 1
Global default domain is family.local
Quiet function is Enabled
Mc-trigger port-up-send is Disabled
Parameter set:Quiet Period 60s Quiet-times 10
Tx Period 10s
dot1x URL: Not configed.
Ethernet1/1 status: UP 802.1x protocol is Enabled
Dot1x access profile is family.local-dot1x-access-profile
Authentication mode is multi-authen
Authentication method is EAP
Reauthentication is enabled
Reauthen period: 3600s
Dot1x retry times: 2
Authenticating users: 0
Maximum users: 1024
Current users: 1
Online user(s) info:
UserId MAC/VLAN AccessTime UserName
--------------------------------------------------------------
664 fc15-b4ec-608e/246 2019/08/07 11:08:47 DST user01
---------------------------------------------------------------
Total: 1, printed: 1
From the above output we can see that a client connected to interface Ethernet1/1 has successfully authenticated. The user has the following info: mac-address fc15-b4ec-608e, vlan 246, userid 664 and username user01.
Let's find more information about that user -
<sw>display access-user interface Ethernet 1/1
UserID Username IP address MAC Status
664 user01 172.16.246.101 fc15-b4ec-608e Success
<sw>display access-user user-id 664
Basic:
User ID : 664
User name : user01
Domain-name : family.local
User MAC : fc15-b4ec-608e
User IP address : 172.16.246.101
User access Interface : Ethernet1/1
User vlan event : Success
QinQVlan/UserVlan : 0/246
User vlan source : server vlan
User access time : 2019/08/07 11:08:47 DST
User access type : 802.1x
Terminal Device Type : Data Terminal
Dynamic VLAN ID : 246
Session Timeout : 3600(s)
Termination Action : RE-AUTHENTICATION
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : None
Now we will see what happens when a client that is not running any kind of 802.1x client software is connected to the switch port.
<sw>display access-user interface Ethernet 1/1
UserID Username IP address MAC Status
666 172.16.247.101 fc15-b4ec-608e Client-no-resp
Total: 1, printed: 1
<sw>display access-user user-id 666
Basic:
User ID : 666
Domain-name : -
User MAC : fc15-b4ec-608e
User IP address : 172.16.247.101
User access Interface : Ethernet1/1
User vlan event : Client-no-resp
QinQVlan/UserVlan : 0/247
User vlan source : local event vlan
User access time : 2019/08/07 11:32:34 DST
User access type : None
Terminal Device Type : Data Terminal
Dynamic VLAN ID : 247
Dynamic service scheme : guest.family.local-service-scheme
AAA:
User authentication type : No authentication
Current authentication method : -
Current authorization method : Local
Current accounting method : None
We can see from the above output that the client connected to the switch port is not running any 802.1x client and has been placed into the guest VLAN 247.
For debugging purposes we can use the below commands. Please refer to Huawei's documentation for their usage.
<sw>debugging dot1x
<sw>debugging radius
We can clear the dot1x statistics for an interface using below command -
<sw>reset dot1x statistics
We can clear a user session for a dot1x interface using below command -
!!!This command only works under aaa
aaa
cut access-user