9.2.3.12. Huawei

9.2.3.12.1. S5710

Firmware: Generic

Administration Portal > ON CMDB > Network Devices Brand/Model: Huawei/Generic

9.2.3.12.1.1. Radius Global Configuration

Define the RADIUS servers to be used for authentications and their format:

l2protocol-tunnel user-defined-protocol 802.1X protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
domain on

dot1x enable
dot1x dhcp-trigger

radius-server template openNAC
 radius-server shared-key cipher <Radius_Shared_Key>
 radius-server authentication <Radius_Server_IP> 1812
 radius-server accounting <Radius_Server_IP> 1813
 radius-server retransmit 2
radius-server authorization <Radius_Server_IP> shared-key cipher <Radius_Shared_Key>

aaa
 authentication-scheme abc
  authentication-mode radius
 accounting-scheme abc
  accounting-mode radius
 domain on
  authentication-scheme abc
  accounting-scheme abc
  radius-server openNAC

8021X

interface GigabitEthernet0/0/8
dot1x mac-bypass
dot1x max-user 1
dot1x reauthenticate
dot1x authentication-method eap

MAC Authentication

interface GigabitEthernet0/0/8
dot1x mac-bypass mac-auth-first
dot1x mac-bypass
dot1x max-user 1
dot1x reauthenticate
dot1x authentication-method eap

9.2.3.12.2. S5720

Firmware: Version 5.170 (V200R011C10SPC600)

Administration Portal > ON CMDB > Network Devices Brand/Model: Huawei/S5720

9.2.3.12.2.1. Radius Global Configuration

To configure NAC on the switch, we must first activate the common configuration mode:

<Switch> system-view
[Switch] undo authentication unified-mode

Define the RADIUS servers to be used for authentications and their format:

<Switch> system-view
[switch] radius scheme opennac
[switch-radius-opennac] primary authentication <Radius_Server_IP>
[switch-radius-opennac] primary accounting <Radius_Server_IP>
[switch-radius-opennac] key authentication simple cipher <Radius_Shared_Key>
[switch-radius-opennac] key accounting simple cipher <Radius_Shared_Key>
[switch-radius-opennac] user-name-format without-domain

We can define secondary RADIUS servers using the command:

[switch-radius-opennac] secondary authentication <Radius_Server_IP> key simple <Radius_Shared_Key>
[switch-radius-opennac] secondary accounting <Radius_Server_IP> key simple <Radius_Shared_Key>

Define the ISP domain to use and bind it to the RADIUS scheme it will use for authentication, authorization and accounting:

[switch] domain opennac
[switch-isp-opennac] authentication default radius-scheme opennac
[switch-isp-opennac] authorization default radius-scheme opennac
[switch-isp-opennac] accounting default radius-scheme opennac

Set the format of the Port-Id attribute to the Cisco format. This is required for port toggling via SNMP to work (available only in version V200R011C10SPC600 or higher):

[Switch-radius-opennac] radius-server nas-port-id-format vendor 9

8021X

  • Global Configuration:

[switch] dot1x enable
[switch] dot1x authentication-method eap

  • Interface Configuration:

[switch] interface GigabitEthernet x/y/z
[switch-GigabitEthernetx/y/z] port link-type hybrid
[switch-GigabitEthernetx/y/z] port hybrid vlan 5 untagged
[switch-GigabitEthernetx/y/z] port hybrid pvid vlan 5
[switch-GigabitEthernetx/y/z] mac-vlan enable
[switch-GigabitEthernetx/y/z] stp edged-port enable
[switch-GigabitEthernetx/y/z] port-security max-mac-count 1
[switch-GigabitEthernetx/y/z] port-security port-mode userlogin-secure
[switch-GigabitEthernetx/y/z] port-security intrusion-mode blockmac
[switch-GigabitEthernetx/y/z] dot1x re-authenticate
[switch-GigabitEthernetx/y/z] dot1x max-user 1
[switch-GigabitEthernetx/y/z] dot1x guest-vlan 5
[switch-GigabitEthernetx/y/z] undo dot1x handshake
[switch-GigabitEthernetx/y/z] dot1x mandatory-domain packetfence
[switch-GigabitEthernetx/y/z] undo dot1x multicast-trigger

MAC Authentication

  • Global Configuration:

[switch] mac-authentication
[switch] mac-authentication domain opennac
[switch] mac-authentication timer offline-detect 180
[switch] mac-authentication timer quiet 180
[switch] mac-authentication timer server-timeout 300

  • Interface Configuration:

[switch] interface GigabitEthernet x/y/z
[switch-GigabitEthernetx/y/z] port link-type hybrid
[switch-GigabitEthernetx/y/z] undo port hybrid vlan 1
[switch-GigabitEthernetx/y/z] port hybrid pvid vlan <Default_Vlan>
[switch-GigabitEthernetx/y/z] undo voice-vlan mode auto
[switch-GigabitEthernetx/y/z] voice-vlan <Voice_VLAN> enable
[switch-GigabitEthernetx/y/z] lldp compliance admin-status cdp txrx
[switch-GigabitEthernetx/y/z] mac-vlan enable
[switch-GigabitEthernetx/y/z] poe enable
[switch-GigabitEthernetx/y/z] mac-authentication
[switch-GigabitEthernetx/y/z] mac-authentication critical vlan <Critical_VLAN>

9.2.3.12.2.2. Dot1x Features

Default VLAN

The default VLAN is the VLAN assigned to the port when the OpenNAC Enterprise policy returns the default VLAN.

[Switch] interface GigabitEthernet0/0/2
[Switch-GigabitEthernet0/0/2] port hybrid pvid vlan <defaultVLAN_id>
[Switch-GigabitEthernet0/0/2] undo port hybrid vlan 1

Critical VLAN

The critical VLAN is the VLAN in which connections are placed when the RADIUS servers are unavailable for authorization. To use the critical VLAN function, 802.1X or MAB authentication must be configured on the port.

[Switch] interface GigabitEthernet0/0/2
[Switch-GigabitEthernet0/0/2] port hybrid untagged vlan <VLAN>
[Switch-GigabitEthernet0/0/2] authentication critical-vlan <VLAN>
[Switch-GigabitEthernet0/0/2] authentication critical eapol-success

Automatic RADIUS server status detection:

[Switch] radius-server dead-interval 5
[Switch] radius-server dead-count 1
[Switch] radius-server template <template_name>
[Switch-radius-opennac] radius-server retransmit 3 timeout 5
[Switch-radius-opennac] radius-server testuser username <user-name> password cipher <password>
[Switch-radius-opennac] radius-server detect-server interval <interval>
[Switch-radius-opennac] quit

Voice VLAN

The voice VLAN will be used to separate the voice traffic from the data traffic.

[Switch] interface GigabitEthernet0/0/2
[Switch-GigabitEthernet0/0/2] voice-vlan <vlan-id> enable [include untagged]
[Switch-GigabitEthernet0/0/2] quit

9.2.3.12.2.3. Re-authentication

8021X

  • Termination Action

<Switch> system-view
[Switch] dot1x reauthenticate interface <interface-number>
[Switch] interface <interface-number>
[Switch-<interface-number>] dot1x reauthenticate

  • Session Timeout

By default, the device re-authenticates online 802.1X authentication users at the interval of 3600 seconds.

#General Config
<Switch> system-view
[Switch] dot1x timer reauthenticate-period <period-value>
#Interface Config
[Switch] interface <interface-number>
[Switch-<interface-number>] dot1x timer reauthenticate-period <period-value>

MAB

  • Termination Action

<Switch> system-view
[Switch] mac-authen reauthenticate interface <interface-number>
[Switch] interface <interface-number>
[Switch-<interface-number>] mac-authen reauthenticate

  • Session Timeout

By default, the device re-authenticates online MAC authentication users at the interval of 3600 seconds.

#General Config
<Switch> system-view
[Switch] mac-authen timer reauthenticate-period <period-value>
#Interface Config
[Switch] interface <interface-number>
[Switch-<interface-number>] mac-authen timer reauthenticate-period <period-value>

9.2.3.12.2.4. Security Profiles (ACLs)

Static

<switch> system-view
[switch] acl name acl-name [ advance | acl-number ]
[switch-acl-acl_name] description acl-name
[switch-acl-acl_name] rule [ rule-id ] { deny | permit } tcp [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | fragment | logging | precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | tcp-flag { ack | fin | psh | rst | syn | urg }*  | time-range time-name | tos tos ]*

Dynamic

Example ACL format on OpenNAC Enterprise:

$1 permit dst 10.0.239.192/26
$2 permit udp src any 8080
$3 permit icmp echo dst 10.1.1.1/24
$5 deny
  • The fields are described as follows:

    $: Start character of each ACL rule.
    number: Last three digits of the ACL rule number, ranging from 0 to 999. The first two digits of an ACL rule number are fixed to 10. For example, if the value of this field is 12, the ACL rule number is 10012.
    permit/deny: ACL action. permit indicates that the user access is allowed; deny indicates that the user access is denied.
    protocol: Protocol type. The value can be tcp, udp, icmp or igmp. ICMP is classified into echo and echo-reply.
    direction: IP address type. The value can be dst or src. dst indicates a destination IP address and src indicates a source IP address.
    ip-address: IP address. The value can be any, IPv4 address/mask or IPv6 address/mask.
    port: Port number. Currently, only one port is supported.
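As an added example (not code from the OpenNAC Enterprise product or its documentation), the following Python parser validates dynamic ACL rules written in the format above before they are pushed to a switch: it applies the 10xxx rule numbering, the optional protocol and ICMP type, the dst/src address, and the single-port limit, and rejects malformed rules and duplicate rule numbers. The names AclRule, parse_rule and parse_acl are the example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

RULE_BASE = 10000  # the first two digits of every rule number are fixed to "10"
PROTOCOLS = {"tcp", "udp", "icmp", "igmp"}
@dataclass
class AclRule:
    rule_id: int
    action: str
    protocol: Optional[str] = None
    icmp_type: Optional[str] = None
    direction: Optional[str] = None
    address: Optional[str] = None  # "any", IPv4/mask or IPv6/mask, kept as written
    port: Optional[int] = None
def parse_rule(line: str) -> AclRule:
    # One OpenNAC dynamic ACL line: $<0-999> permit|deny [proto [icmp-type]] [dst|src addr] [port]
    tokens = line.split()
    head = re.fullmatch(r"\$(\d{1,3})", tokens[0]) if tokens else None
    if head is None or len(tokens) < 2 or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"expected '$<0-999> permit|deny ...': {line!r}")
    rule = AclRule(rule_id=RULE_BASE + int(head.group(1)), action=tokens[1])
    rest = tokens[2:]
    if rest and rest[0] in PROTOCOLS:  # protocol is optional
        rule.protocol = rest.pop(0)
        if rule.protocol == "icmp" and rest and rest[0] in ("echo", "echo-reply"):
            rule.icmp_type = rest.pop(0)
    if rest and rest[0] in ("dst", "src"):  # a direction must be followed by an address
        rule.direction, rest = rest[0], rest[1:]
        if not rest:
            raise ValueError(f"'{rule.direction}' needs an address: {line!r}")
        rule.address = rest.pop(0)
        if rule.address != "any":
            ipaddress.ip_network(rule.address, strict=False)  # syntax check only
    if len(rest) > 1:  # only one port is supported
        raise ValueError(f"unexpected trailing tokens {rest}: {line!r}")
    if rest and not 0 <= int(rest[0]) <= 65535:
        raise ValueError(f"port out of range: {line!r}")
    rule.port = int(rest[0]) if rest else None
    return rule
def parse_acl(text: str) -> List[AclRule]:
    # Whole ACL, one rule per line; duplicate rule numbers are rejected
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    ids = [r.rule_id for r in rules]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate rule numbers in ACL")
    return rules
# Constructed sample: the four rules shown on this page
SAMPLE_ACL = "$1 permit dst 10.0.239.192/26\n$2 permit udp src any 8080\n$3 permit icmp echo dst 10.1.1.1/24\n$5 deny\n"
```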

9.2.3.12.2.5. SNMP

To perform policy reevaluation through SNMP, SNMP must be enabled on the switch and the read and write community strings defined:

<switch> system-view
[switch] snmp-agent
[switch] snmp-agent sys-info version v2c
[switch] snmp-agent community read cipher <community-name>
[switch] snmp-agent community write cipher <community-name>

  • SNMP Trap Host

[Switch] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:Y

[Switch] snmp-agent target-host trap address udp-domain <opennacIP> params securityname <public> v2c //Configure a trap host. By default, traps are sent on UDP port 162.

9.2.3.12.2.6. CoA

To perform policy reevaluation through RADIUS CoA, define the authorization server, its shared key and the authorization port:

<Switch> system-view
[Switch] radius-server authorization <Radius_Server_IP> server-group <group-name> shared-key cipher <Radius_Shared_Key>
[Switch] radius-server authorization port <port-id>

9.2.3.12.2.7. Troubleshooting & Monitoring

  • RADIUS Debug:

<switch> debug radius packet
<switch> terminal monitor
<switch> terminal debug

  • Display connected users:

    • Dot1x:

[switch] display dot1x session interface gigabitethernet x/y/z
[switch] display dot1x interface gigabitethernet x/y/z

    • MAC-Authentication (MAB):

[switch] display mac-authentication interface gigabitethernet x/y/z

  • Display mapped MAC-VLAN:

[switch] display mac-vlan all

  • Display all learned MAC addresses and the VLAN they belong to:

[switch] display mac-address