
Agile POL Solution

Configuration Guide 6 Configuring 802.1X Authentication

6 Configuring 802.1X Authentication

About This Chapter

This topic describes how to configure 802.1X authentication for the ONU in two networking environments.

6.1 ONU Serves as an 802.1X Authentication Device


When the ONU serves as an 802.1X authentication device, 802.1X authentication-related
configurations are delivered through the OLT to the ONU.
6.2 Core Switch Serves as an 802.1X Authentication Device
When the LAN switch serves as an 802.1X authentication device, the OLT is configured to
transparently transmit 802.1X-related protocol packets.

6.1 ONU Serves as an 802.1X Authentication Device


When the ONU serves as an 802.1X authentication device, 802.1X authentication-related
configurations are delivered through the OLT to the ONU.

Prerequisite
- The OLT establishes a connection with the Layer 3 switch.
- The ONU is online and can be managed through the OLT.
- The remote RADIUS server is deployed and network communication is normal.
Figure 6-1 shows the networking for RADIUS authentication.

Issue 02 (2018-10-10) Copyright © Huawei Technologies Co., Ltd. 86



Figure 6-1 Networking for RADIUS authentication

Data Planning

Configuration Item       Data
Networking data          PON port ID: 0/6/0
                         Upstream port: 0/10/0
                         ONU ID: 0
                         ONU IP address: 10.10.10.20
802.1X authentication    Port authentication mode: auto
                         Authentication method: EAP
VLAN planning            - Management WAN port VLAN: 11
                         - Guest VLAN: SVLAN 10, CVLAN 10
                         - Restricted VLAN: SVLAN 20, CVLAN 20
                         - Critical VLAN: SVLAN 30, CVLAN 30
                         - Dynamic service VLAN: SVLAN 40, CVLAN 40
                         NOTE
                         For the preceding VLANs, GEM port mapping needs to be
                         completed in line profiles and service profiles during
                         network planning.
RADIUS server            - Primary authentication server: IP address 10.10.66.66,
                           port 1812
                         - Secondary authentication server: IP address 10.10.66.67,
                           port 1812
                         - Primary shared key: 0123456789123456
                         - Secondary shared key: 0123456789123456
                         - Authorization server (used to force users offline):
                           same IP address and shared key as the authentication
                           server

Procedure
Step 1 Create and configure a dot1x (802.1X) profile.
Configure the dot1x parameters on port 1 of the ONU: enable dot1x authentication, set the port
authentication mode to auto, set the authentication method to EAP, and configure the related
VLANs. The guest VLAN receives terminals that do not respond to 802.1X requests, the
restricted VLAN receives terminals that fail authentication, and the critical VLAN receives
terminals whose authentication could not be completed because no RADIUS server was
reachable; keep what is reachable from these three VLANs to a minimum, since none of their
members has been vouched for by the RADIUS server. If port 1 of the ONU needs to be
connected to a terminal that does not support 802.1X, MAC authentication bypass (MAB)
needs to be enabled. MAB checks only the terminal's MAC address, which any host can spoof,
so MAB-authenticated terminals should not be granted the same access as EAP-authenticated
users.
huawei(config)#ont dot1x-profile profile-id 1
huawei(config-dot1x-profile-1)#port dot1x eth 1 enable
huawei(config-dot1x-profile-1)#port dot1x authentication-method eth 1 eap
huawei(config-dot1x-profile-1)#port dot1x port-control eth 1 auto
huawei(config-dot1x-profile-1)#port dot1x keepalive eth 1 enable
huawei(config-dot1x-profile-1)#port dot1x guest-vlan eth 1 10
huawei(config-dot1x-profile-1)#port dot1x restrict-vlan eth 1 20
huawei(config-dot1x-profile-1)#port dot1x critical-vlan eth 1 30
huawei(config-dot1x-profile-1)#port mac-bypass eth 1 enable
huawei(config-dot1x-profile-1)#quit

Step 2 Configure a WAN profile.


huawei(config)#ont wan-profile profile-id 9 profile-name wan_prof_hwtest
huawei(config-wan-profile-9)#connection-type route
huawei(config-wan-profile-9)#quit

Step 3 Configure the IP address of the ONU and IP port index of the Internet service, and bind a
WAN profile.
Set the static IP address of the ONU to 10.10.10.20 and the IP port index of the Internet
service to 0.
huawei(config)#gpon ont home-gateway config-method omci
huawei(config)#interface gpon 0/6
huawei(config-if-gpon-0/6)#ont ipconfig 0 0 ip-index 0 static ip-address 10.10.10.20 mask 255.255.255.0 vlan 11 gateway 10.10.10.10
huawei(config-if-gpon-0/6)#ont internet-config 0 0 ip-index 0
huawei(config-if-gpon-0/6)#ont wan-config 0 0 ip-index 0 profile-id 9
huawei(config-if-gpon-0/6)#quit

Step 4 Configure the RADIUS server addresses and the authentication domain.

Set the RADIUS server with the IP address 10.10.66.66 as the primary authentication
server, the RADIUS server with the IP address 10.10.66.67 as the secondary
authentication server, and both shared keys to 0123456789123456. In addition, set the
authentication timeout duration to 20s and the number of retransmissions to 3. The key
shown is the guide's example value only: in a deployment use a long random key that is
unique to this ONU, because the shared key is what the ONU relies on to check that an
Access-Accept really came from its RADIUS server and not from another host on the path.
huawei(config)#ont dot1x-profile profile-id 1
huawei(config-dot1x-profile-1)#radius-server authentication 10.10.66.66 1812
huawei(config-dot1x-profile-1)#radius-server shared-key 0123456789123456
huawei(config-dot1x-profile-1)#radius-server authentication 10.10.66.67 1812 secondary
huawei(config-dot1x-profile-1)#radius-server shared-key 0123456789123456 secondary
huawei(config-dot1x-profile-1)#radius-server user-name domain-included
huawei(config-dot1x-profile-1)#radius-server timeout 20
huawei(config-dot1x-profile-1)#radius-server retransmit 3
huawei(config-dot1x-profile-1)#quit

Step 5 Bind the ONU to the dot1x profile.


huawei(config)#interface gpon 0/6
huawei(config-if-gpon-0/6)#ont dot1x-config 0 0 profile-id 1
huawei(config-if-gpon-0/6)#quit

Step 6 Configure the service flows for 802.1X authentication.

- Add the service flow (SVLAN: 11; CVLAN: 11) for RADIUS authentication.
huawei(config)#vlan 11 smart
huawei(config)#port vlan 11 0/10 0
huawei(config)#service-port vlan 11 gpon 0/6/0 ont 0 gemport 0 multi-service user-vlan 11

- Add the service flow (SVLAN: 10; CVLAN: 10) for the guest network.
huawei(config)#vlan 10 smart
huawei(config)#port vlan 10 0/10 0
huawei(config)#service-port vlan 10 gpon 0/6/0 ont 0 gemport 0 multi-service user-vlan 10

- Add the service flow (SVLAN: 20; CVLAN: 20) for the restricted network.
huawei(config)#vlan 20 smart
huawei(config)#port vlan 20 0/10 0
huawei(config)#service-port vlan 20 gpon 0/6/0 ont 0 gemport 0 multi-service user-vlan 20

- Add the service flow (SVLAN: 30; CVLAN: 30) for the critical network.
huawei(config)#vlan 30 smart
huawei(config)#port vlan 30 0/10 0
huawei(config)#service-port vlan 30 gpon 0/6/0 ont 0 gemport 0 multi-service user-vlan 30

- Add the service flow (SVLAN: 40; CVLAN: 40) for the dynamic service network.
huawei(config)#vlan 40 smart
huawei(config)#port vlan 40 0/10 0
huawei(config)#service-port vlan 40 gpon 0/6/0 ont 0 gemport 0 multi-service user-vlan 40
huawei(config)#save

Step 7 (Optional) Configure RADIUS accounting so that online users are recorded during 802.1X authentication.

Configure the addresses of the primary and secondary accounting servers. (The shared keys of
the accounting servers can be the same as those of the authentication servers or be
configured independently.)
huawei(config)#ont dot1x-profile profile-id 1
huawei(config-dot1x-profile-1)#radius-server accounting 10.10.66.66 1812
huawei(config-dot1x-profile-1)#radius-server accounting 10.10.66.67 1812 secondary
huawei(config-dot1x-profile-1)#quit

Step 8 (Optional) Configure dynamic authorization so that the RADIUS server can force online users offline during 802.1X authentication.

Configure the address and shared key of the RADIUS authorization server; in this example they are the same as those of the primary authentication server.

huawei(config)#ont dot1x-profile profile-id 1
huawei(config-dot1x-profile-1)#radius-server authorization 10.10.66.66 1812 shared-key 0123456789123456
huawei(config-dot1x-profile-1)#quit

----End

Result
After the configuration, the ONU serves as the 802.1X authentication point for the terminal
connected to it. The connected terminal can access the LAN by authenticating with a user name
and password (EAP) or, where MAB is enabled, by its MAC address.
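What the shared key from Step 4 actually does, as an added example in Python (standard library only). This is illustration code, not Huawei's implementation of the ONU or of any RADIUS server; the user table, user name and password below are constructed, and the example carries the password in a User-Password attribute purely to show the RFC 2865 mechanics, whereas the EAP method configured in Step 1 would carry EAP-Message attributes instead.

```python
"""RFC 2865 Access-Request/Access-Accept on both sides of the exchange that
Step 4 configures. Added illustration, not Huawei code."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

SHARED_KEY = b"0123456789123456"   # the guide's example key; use a long random per-NAS key
NAS_IP = "10.10.10.20"             # ONU management address from the data planning table


def attr(attr_type, value):
    """Encode one Type-Length-Value attribute (length counts the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(payload):
    """Decode TLV attributes into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(payload):
        attr_type, length = struct.unpack("!BB", payload[pos:pos + 2])
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((attr_type, payload[pos + 2:pos + length]))
        pos += length
    return attrs


def hide_password(password, authenticator, secret):
    """RFC 2865 section 5.2: pad to 16 bytes, XOR each block with
    MD5(secret + previous ciphertext block), starting from the Request
    Authenticator. Reversible with the key, which is one reason the guide's
    choice of EAP in Step 1 is preferable to password-carrying methods."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, authenticator, secret):
    """Server-side inverse of hide_password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret):
    """NAS side: the packet sent to the authentication server on UDP 1812.
    Returns (packet, request_authenticator); keep the authenticator to check the reply."""
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, req_auth, secret))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(NAS_IP)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def build_response(code, identifier, req_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(response, req_auth, secret):
    """NAS side: accept a reply only if its authenticator was computed with our
    key and our Request Authenticator; a forged Access-Accept fails here."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def server_handle(request, users, secret):
    """Minimal server decision against a constructed user table."""
    req_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:]))
    password = reveal_password(attrs[USER_PASSWORD], req_auth, secret)
    verdict = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    return build_response(verdict, request[1], req_auth, b"", secret)


def exchange(username, password, users, secret=SHARED_KEY):
    """One NAS<->server round trip in memory: (accepted, reply_authentic)."""
    request, req_auth = build_access_request(7, username, password, secret)
    reply = server_handle(request, users, secret)
    return reply[0] == ACCESS_ACCEPT, verify_response(reply, req_auth, secret)
```

The point to take from `verify_response` is that the Response Authenticator is the only thing binding an Access-Accept to the ONU's request, and it is an MD5 over the shared key: a guessable or reused key lets anyone who can reach UDP 1812 traffic on the management VLAN answer on the server's behalf, which is why the primary and secondary keys in the data planning table must be replaced with strong, distinct values before this profile goes live.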

Configuration Script
huawei(config)#ont dot1x-profile profile-id 1
huawei(config-dot1x-profile-1)#port dot1x eth 1 enable
huawei(config-dot1x-profile-1)#port dot1x authentication-method eth 1 eap
huawei(config-dot1x-profile-1)#port dot1x port-control eth 1 auto
huawei(config-dot1x-profile-1)#port dot1x keepalive eth 1 enable
huawei(config-dot1x-profile-1)#port dot1x guest-vlan eth 1 10
huawei(config-dot1x-profile-1)#port dot1x restrict-vlan eth 1 20
huawei(config-dot1x-profile-1)#port dot1x critical-vlan eth 1 30
huawei(config-dot1x-profile-1)#port mac-bypass eth 1 enable
huawei(config-dot1x-profile-1)#quit
huawei(config)#ont wan-profile profile-id 9 profile-name wan_prof_hwtest
huawei(config-wan-profile-9)#connection-type route
huawei(config-wan-profile-9)#quit
huawei(config)#gpon ont home-gateway config-method omci
huawei(config)#interface gpon 0/6
huawei(config-if-gpon-0/6)#ont ipconfig 0 0 ip-index 0 static gateway 10.10.10.10 ip-address 10.10.10.20 mask 255.255.255.0 vlan 11
huawei(config-if-gpon-0/6)#ont internet-config 0 0 ip-index 0
huawei(config-if-gpon-0/6)#ont wan-config 0 0 ip-index 0 profile-id 9
huawei(config-if-gpon-0/6)#quit
huawei(config)#ont dot1x-profile profile-id 1
huawei(config-dot1x-profile-1)#radius-server authentication 10.10.66.66 1812
huawei(config-dot1x-profile-1)#radius-server shared-key 0123456789123456
huawei(config-dot1x-profile-1)#radius-server authentication 10.10.66.67 1812 secondary
huawei(config-dot1x-profile-1)#radius-server shared-key 0123456789123456 secondary
huawei(config-dot1x-profile-1)#radius-server user-name domain-included
huawei(config-dot1x-profile-1)#radius-server timeout 20
huawei(config-dot1x-profile-1)#radius-server retransmit 3
huawei(config-dot1x-profile-1)#quit
huawei(config)#interface gpon 0/6
huawei(config-if-gpon-0/6)#ont dot1x-config 0 0 profile-id 1
huawei(config-if-gpon-0/6)#quit
huawei(config)#vlan 11 smart
huawei(config)#port vlan 11 0/10 0
huawei(config)#service-port vlan 11 gpon 0/6/0 ont 0 gemport 0 multi-service user-vlan 11
huawei(config)#vlan 10 smart
huawei(config)#port vlan 10 0/10 0
huawei(config)#service-port vlan 10 gpon 0/6/0 ont 0 gemport 0 multi-service user-vlan 10
huawei(config)#vlan 20 smart
huawei(config)#port vlan 20 0/10 0
huawei(config)#service-port vlan 20 gpon 0/6/0 ont 0 gemport 0 multi-service user-vlan 20
huawei(config)#vlan 30 smart
huawei(config)#port vlan 30 0/10 0
huawei(config)#service-port vlan 30 gpon 0/6/0 ont 0 gemport 0 multi-service user-vlan 30
huawei(config)#vlan 40 smart
huawei(config)#port vlan 40 0/10 0
huawei(config)#service-port vlan 40 gpon 0/6/0 ont 0 gemport 0 multi-service user-vlan 40
huawei(config)#save
huawei(config)#ont dot1x-profile profile-id 1
huawei(config-dot1x-profile-1)#radius-server accounting 10.10.66.66 1812
huawei(config-dot1x-profile-1)#radius-server accounting 10.10.66.67 1812 secondary
huawei(config-dot1x-profile-1)#quit
huawei(config)#ont dot1x-profile profile-id 1
huawei(config-dot1x-profile-1)#radius-server authorization 10.10.66.66 1812 shared-key 0123456789123456
huawei(config-dot1x-profile-1)#quit

6.2 Core Switch Serves as an 802.1X Authentication Device


When the LAN switch serves as an 802.1X authentication device, the OLT is configured to
transparently transmit 802.1X-related protocol packets.

Prerequisite
- The ONU and OLT are online and in a normal state.
- By default, the ONU supports transparent transmission of Extensible Authentication
Protocol over LAN (EAPoL) and bridge protocol data unit (BPDU) packets.
- The upper-layer device (for example, the core switch) serves as the 802.1X authentication
device.
Figure 6-2 shows the networking for RADIUS authentication.

Figure 6-2 Networking for RADIUS authentication

Procedure
- Configure the OLT to transparently transmit EAPoL packets.
huawei(config)#protocol permit-forwarding eapol enable

- Configure the OLT to transparently transmit BPDU packets. Enable BPDU tunneling in a VLAN
service profile and bind the profile to the service VLAN that carries the terminals' traffic
to the core switch (VLAN 11 in this example).
huawei(config)#vlan service-profile profile-id 10
huawei(config-vlan-srvprof-10)#bpdu tunnel enable
huawei(config-vlan-srvprof-10)#commit
huawei(config-vlan-srvprof-10)#quit
huawei(config)#vlan bind service-profile 11 profile-id 10

----End


Result
After the configuration, 802.1X protocol packets are transparently transmitted to the core
switch, which completes the 802.1X authentication. Because every terminal behind the ONU
reaches the core switch over the same upstream link, check that the switch port is configured
to authenticate each terminal individually (per-MAC) rather than opening the whole port after
the first successful authentication.
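The frames that the permit-forwarding setting lets through, as an added example in Python. This is illustration code, not part of the Huawei guide or software; the MAC addresses and the identity "alice" are constructed, and the classification it prints is what you would expect to see in a capture on the core switch port when checking that the OLT is passing 802.1X through.

```python
"""IEEE 802.1X EAPoL frames as they cross the OLT in the pass-through scenario.
Added illustration, not Huawei code; MAC addresses and identity are constructed."""
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

SUPPLICANT_MAC = bytes.fromhex("0200aa0000c1")   # constructed terminal MAC
SWITCH_MAC = bytes.fromhex("02009900005e")       # constructed core-switch MAC


def eap_packet(code, identifier, eap_type=None, data=b""):
    """EAP header (code, identifier, length) plus optional type byte and data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eapol_frame(dst, src, eapol_type, body=b"", version=2):
    """Ethernet II frame carrying an EAPoL PDU (EtherType 0x888E)."""
    return (dst + src + struct.pack("!H", EAPOL_ETHERTYPE)
            + struct.pack("!BBH", version, eapol_type, len(body)) + body)


def parse_eapol(frame):
    """EAPoL fields of a raw Ethernet frame, or None if it is not complete EAPoL."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        return None
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        return None          # truncated PDU
    return {"dst": frame[:6], "src": frame[6:12], "version": version,
            "type": eapol_type, "body": body}


def describe(frame):
    """Label a frame the way you would when reading a capture on the core
    switch port to confirm the OLT is passing 802.1X through."""
    pdu = parse_eapol(frame)
    if pdu is None:
        return "not EAPoL"
    if pdu["type"] == EAPOL_START:
        return "EAPOL-Start"
    if pdu["type"] == EAPOL_LOGOFF:
        return "EAPOL-Logoff"
    if pdu["type"] != EAPOL_EAP_PACKET or len(pdu["body"]) < 4:
        return "EAPoL type %d" % pdu["type"]
    code, _ident, length = struct.unpack("!BBH", pdu["body"][:4])
    names = {EAP_REQUEST: "EAP-Request", EAP_RESPONSE: "EAP-Response",
             EAP_SUCCESS: "EAP-Success", EAP_FAILURE: "EAP-Failure"}
    label = names.get(code, "EAP code %d" % code)
    if code in (EAP_REQUEST, EAP_RESPONSE) and length >= 5:
        if pdu["body"][4] == EAP_TYPE_IDENTITY:
            identity = pdu["body"][5:length].decode("utf-8", "replace")
            label += "/Identity" + (" (%s)" % identity if identity else "")
        else:
            label += "/type %d" % pdu["body"][4]
    return label


def to_pae_group(frame):
    """True for EAPoL sent to the PAE group address. Standard MAC bridges do
    not relay frames addressed to the reserved group addresses
    01-80-C2-00-00-00 to -0F, which include this one, so the OLT needs the
    explicit permit-forwarding setting from the procedure above."""
    pdu = parse_eapol(frame)
    return pdu is not None and pdu["dst"] == PAE_GROUP_ADDR


def sample_exchange(identity=b"alice"):
    """Constructed start of a session: the supplicant sends EAPOL-Start to the
    PAE group address, the switch asks for an identity, the supplicant answers."""
    return [
        eapol_frame(PAE_GROUP_ADDR, SUPPLICANT_MAC, EAPOL_START),
        eapol_frame(SUPPLICANT_MAC, SWITCH_MAC, EAPOL_EAP_PACKET,
                    eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)),
        eapol_frame(PAE_GROUP_ADDR, SUPPLICANT_MAC, EAPOL_EAP_PACKET,
                    eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity)),
    ]
```

If a capture on the core switch port shows the EAP-Request/Identity leaving the switch but no EAP-Response/Identity arriving, the supplicant's group-addressed frames are being dropped between the ONU and the switch, which is the symptom of the permit-forwarding setting being absent.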

