Configuring 802.1x Remote Authentication

Topology

Specification

Applicable to all versions and forms of AR routers.

Network Requirements

The PC accesses the network through the Router. To ensure network security, 802.1x authentication is required when users access the network. The authentication servers are two Radius servers. The server with IP address 10.10.10.1/24 is the primary authentication server, and the server with IP address 10.10.10.2/24 is the backup authentication server. When the primary server is unavailable, the Router can switch to the backup server within 3 seconds at the fastest.

Procedure

1. Configuration on the Router

 V200R007 and earlier versions:
 #
 vlan batch 10
 #
 dot1x enable
 #
 radius-server template shiva //Configure RADIUS server template shiva
 radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
 radius-server authentication 10.10.10.1 1812 //Configure the primary RADIUS authentication server
 radius-server authentication 10.10.10.2 1812 secondary //Configure the RADIUS secondary authentication server
 #
 aaa
 authentication-scheme scheme0 //Create an authentication scheme named scheme0
 authentication-mode radius
 domain huawei //Configure the domain named huawei
  authentication-scheme scheme0
 radius-server shiva
 #
 interface Vlanif10
 IP address 192.168.1.2 255.255.255.0
 #
 interface Ethernet2/0/0
 port link-type access
 port default vlan 10
 dot1x enable
 #
 V200R008 and later versions:
 #
 vlan batch 10
 #
 authentication-profile name p1
 dot1x-access-profile d1 //Bind 802.1x access profile d1 to authentication profile p1
 #
 radius-server template shiva //Configure RADIUS server template shiva
 radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
 radius-server authentication 10.10.10.1 1812 //Configure the primary RADIUS authentication server
 radius-server authentication 10.10.10.2 1812 secondary //Configure the RADIUS secondary authentication server
 #
 aaa
 authentication-scheme scheme0 //Create an authentication scheme named scheme0
 authentication-mode radius
 domain huawei //Configure the domain named huawei
  authentication-scheme scheme0
 radius-server shiva
 #
 interface Vlanif10
 IP address 192.168.1.2 255.255.255.0
 #
 interface Ethernet2/0/0
 port link-type access
 port default vlan 10
 authentication-profile p1 //Bind authentication profile p1 to the interface
 #
 dot1x-access-profile name d1

2. Verifying the configuration

Add user user1@huawei to the RADIUS server, with password Huawei@2012. The shared key is the same as that of the router and is configured as radius. After the client is authenticated successfully, run the display access-user command to view that the Username field contains the user name user1@huawei, and the corresponding Status field displays Success.

Configuration Notes

• The authentication port value on the router and RADIUS server must be consistent.
• The shared key on the router and RADIUS server must be consistent.
• The router and RADIUS server must have a reachable route.