9.2.3.11. H3C

9.2.3.11.1. S5130

Firmware: Accredited version 7.1.070, Release 6126P10

Administration Portal > ON CMDB > Network Devices Brand/Model: H3C/S5130

9.2.3.11.1.1. RADIUS Global Configuration

Define the RADIUS servers to be used for authentication and accounting, their shared keys, and the user-name format:

[switch] radius scheme opennac
[switch-radius-opennac] primary authentication <Radius_Server_IP>
[switch-radius-opennac] primary accounting <Radius_Server_IP>
[switch-radius-opennac] key authentication simple <Radius_Shared_Key>
[switch-radius-opennac] key accounting simple <Radius_Shared_Key>
[switch-radius-opennac] user-name-format without-domain

Secondary RADIUS servers can be defined with the following commands:

[switch-radius-opennac] secondary authentication <Radius_Server_IP> key simple <Radius_Shared_Key>
[switch-radius-opennac] secondary accounting <Radius_Server_IP> key simple <Radius_Shared_Key>

Define the ISP domain to use and bind it to the RADIUS scheme for authentication, authorization and accounting:

[switch] domain opennac
[switch-isp-opennac] authentication default radius-scheme opennac
[switch-isp-opennac] authorization default radius-scheme opennac
[switch-isp-opennac] accounting default radius-scheme opennac

802.1X

  • Global Configuration:

[switch] port-security enable
[switch] dot1x authentication-method eap
  • Interface Configuration:

[switch] interface GigabitEthernet x/y/z
[switch-GigabitEthernetx/y/z] port link-type hybrid
[switch-GigabitEthernetx/y/z] port hybrid vlan 5 untagged
[switch-GigabitEthernetx/y/z] port hybrid pvid vlan 5
[switch-GigabitEthernetx/y/z] mac-vlan enable
[switch-GigabitEthernetx/y/z] stp edged-port enable
[switch-GigabitEthernetx/y/z] port-security max-mac-count 1
[switch-GigabitEthernetx/y/z] port-security port-mode userlogin-secure
[switch-GigabitEthernetx/y/z] port-security intrusion-mode blockmac
[switch-GigabitEthernetx/y/z] dot1x re-authenticate
[switch-GigabitEthernetx/y/z] dot1x max-user 1
[switch-GigabitEthernetx/y/z] dot1x guest-vlan 5
[switch-GigabitEthernetx/y/z] undo dot1x handshake
[switch-GigabitEthernetx/y/z] dot1x mandatory-domain opennac
[switch-GigabitEthernetx/y/z] undo dot1x multicast-trigger

MAC Authentication

  • Global Configuration:

[switch] mac-authentication
[switch] mac-authentication domain opennac
[switch] mac-authentication timer offline-detect 180
[switch] mac-authentication timer quiet 180
[switch] mac-authentication timer server-timeout 300
  • Interface Configuration:

[switch] interface GigabitEthernet x/y/z
[switch-GigabitEthernetx/y/z] port link-type hybrid
[switch-GigabitEthernetx/y/z] undo port hybrid vlan 1
[switch-GigabitEthernetx/y/z] port hybrid pvid vlan <Default_Vlan>
[switch-GigabitEthernetx/y/z] undo voice-vlan mode auto
[switch-GigabitEthernetx/y/z] voice-vlan <Voice_VLAN> enable
[switch-GigabitEthernetx/y/z] lldp compliance admin-status cdp txrx
[switch-GigabitEthernetx/y/z] mac-vlan enable
[switch-GigabitEthernetx/y/z] poe enable
[switch-GigabitEthernetx/y/z] mac-authentication
[switch-GigabitEthernetx/y/z] mac-authentication critical vlan <Critical_VLAN>
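As an added example (not part of the OpenNAC documentation and not H3C code), the following Python script parses a Comware-style configuration dump and checks it against the settings described above: RADIUS keys that still appear as `simple` in the dump, the ISP domain pointing at a defined RADIUS scheme, the global 802.1X/MAB commands, and every hybrid access port carrying 802.1X or MAC authentication plus a critical VLAN and a `mandatory-domain` that actually exists. The embedded configuration is constructed (TEST-NET addresses, placeholder keys, arbitrary VLAN IDs), and the parser assumes the standard Comware layout of unindented view headers, indented view commands and `#` separators.

```python
"""Audit a Comware-style (H3C) configuration dump against the NAC baseline this
section describes. Added example, not OpenNAC's code; the configuration text is
constructed (TEST-NET addresses, placeholder keys, arbitrary VLAN IDs)."""
import re

# Constructed sample: one compliant access port, one access port without a
# critical VLAN, one uplink (ignored) and a RADIUS key stored as "simple".
SAMPLE_CONFIG = """\
radius scheme opennac
 primary authentication 192.0.2.10
 primary accounting 192.0.2.10
 key authentication simple RADIUS_KEY_PLACEHOLDER
 key accounting cipher $c$3$CIPHERTEXT_PLACEHOLDER
 user-name-format without-domain
#
domain opennac
 authentication default radius-scheme opennac
 authorization default radius-scheme opennac
 accounting default radius-scheme opennac
#
port-security enable
dot1x authentication-method eap
mac-authentication
mac-authentication domain opennac
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid pvid vlan 5
 port-security port-mode userlogin-secure
 dot1x mandatory-domain opennac
 mac-authentication
 mac-authentication critical vlan 999
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 mac-authentication
#
interface GigabitEthernet1/0/48
 port link-type trunk
#
"""


def parse_config(text):
    """Return (global_commands, views). Unindented lines are view headers or
    global commands, indented lines belong to the open view, '#' closes it."""
    global_cmds, views, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("#"):
            current = None
        elif line[0].isspace():
            if current is not None:
                views[current].append(line.strip())
        elif (m := re.match(r"(interface|radius scheme|domain)\s+(\S+)$", line)):
            current = (m.group(1), m.group(2))
            views.setdefault(current, [])
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, views


def audit(text):
    """Return findings as strings; empty means the config matches the baseline:
    no plaintext RADIUS keys in the dump, the domain bound to a defined scheme,
    802.1X/MAB enabled globally, every hybrid port authenticated with a critical VLAN."""
    global_cmds, views = parse_config(text)
    schemes = {n for (k, n) in views if k == "radius scheme"}
    domains = {n for (k, n) in views if k == "domain"}
    findings = []
    for (kind, name), cmds in views.items():
        for c in cmds:
            if kind == "radius scheme" and re.match(r"key \w+ simple ", c):
                findings.append(f"radius scheme {name}: {c.split()[1]} key is plaintext (simple)")
            m = re.match(r"\w+ default radius-scheme (\S+)", c)
            if kind == "domain" and m and m.group(1) not in schemes:
                findings.append(f"domain {name}: undefined radius scheme {m.group(1)}")
    for req in ("port-security enable", "dot1x authentication-method eap", "mac-authentication"):
        if req not in global_cmds:
            findings.append(f"global: missing '{req}'")
    for (kind, name), cmds in views.items():
        if kind != "interface" or "port link-type hybrid" not in cmds:
            continue  # NAC settings live on hybrid access ports; uplinks are skipped
        if not {"port-security port-mode userlogin-secure", "mac-authentication"} & set(cmds):
            findings.append(f"{name}: hybrid port without 802.1X or MAC authentication")
        if not any(re.search(r"critical[ -]vlan", c) for c in cmds):
            findings.append(f"{name}: no critical VLAN; clients are cut off when RADIUS is down")
        for c in cmds:
            m = re.match(r"dot1x mandatory-domain (\S+)", c)
            if m and m.group(1) not in domains:
                findings.append(f"{name}: mandatory-domain '{m.group(1)}' is not a configured domain")
    return findings
```

Run `audit(SAMPLE_CONFIG)` (or `audit(open("running.cfg").read())` on a real `display current-configuration` export) and act on each finding: a dump that still contains `simple` keys exposes the shared secret to anyone who can read the file, a missing critical VLAN means a RADIUS outage turns into a client outage, and a `mandatory-domain` that names an undefined domain makes 802.1X fail on that port.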

9.2.3.11.1.2. Dot1x Features

Default VLAN

The default VLAN is the VLAN assigned to the port when the OpenNAC policy specifies the default VLAN.

[switch] interface GigabitEthernet x/y/z
[switch-GigabitEthernetx/y/z] undo port hybrid vlan <vlan_id>
[switch-GigabitEthernetx/y/z] port hybrid pvid vlan <vlan_id>

Guest VLAN

The 802.1X guest VLAN on a port accommodates users that have not performed 802.1X authentication. Users in the guest VLAN can access a limited set of network resources, such as a software server, to download antivirus software and system patches. Once a user in the guest VLAN passes 802.1X authentication, they are removed from the guest VLAN and can access authorized network resources.

  • 802.1X

[switch] interface GigabitEthernet x/y/z
[switch-GigabitEthernetx/y/z] dot1x guest-vlan <guest-vlan-id>
[switch-GigabitEthernetx/y/z] dot1x guest-vlan-delay { eapol | new-mac }
  • MAB

[switch] interface GigabitEthernet x/y/z
[switch-GigabitEthernetx/y/z] mac-authentication guest-vlan <guest-vlan-id>
[switch-GigabitEthernetx/y/z] mac-authentication guest-vlan auth-period <period-value>

Auth-Fail VLAN

The 802.1X Auth-Fail VLAN on a port accommodates users that have failed 802.1X authentication because they did not comply with the organization's security policy, for example by entering a wrong password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download antivirus software and system patches.

[switch] interface GigabitEthernet x/y/z
[switch-GigabitEthernetx/y/z] dot1x auth-fail vlan <authfail-vlan-id>

Critical VLAN

The critical VLAN is the VLAN into which connections are placed when the RADIUS servers are not reachable for authorization. To use the critical VLAN, 802.1X or MAB authentication must be configured on the port.

[switch] interface GigabitEthernet x/y/z
[switch-GigabitEthernetx/y/z] port hybrid vlan <VLAN> untagged
[switch-GigabitEthernetx/y/z] authentication critical-vlan <VLAN>
[switch-GigabitEthernetx/y/z] authentication critical eapol-success

For mac-auth:

[switch-GigabitEthernetx/y/z] mac-authentication critical vlan <vlan_id>
[switch-GigabitEthernetx/y/z] mac-authentication critical-voice-vlan

Voice VLAN

The voice VLAN will be used to separate the voice traffic from the data traffic.

  • Global Configuration:

[switch] undo voice-vlan security enable
[switch] lldp compliance cdp
  • Interface Configuration:

[switch] interface GigabitEthernet x/y/z
[switch-GigabitEthernetx/y/z] port hybrid vlan 100 tagged
[switch-GigabitEthernetx/y/z] undo voice-vlan mode auto
[switch-GigabitEthernetx/y/z] voice-vlan 100 enable
[switch-GigabitEthernetx/y/z] lldp compliance admin-status cdp txrx
[switch-GigabitEthernetx/y/z] port-security max-mac-count 3

9.2.3.11.1.3. Security Profiles (ACLs)

Static

<switch> system-view
[switch] acl advanced { <acl-number> | name <acl-name> }
[switch-acl-acl_name] description <text>
[switch-acl-acl_name] rule [ rule-id ] { deny | permit } tcp [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | fragment | logging | precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | tcp-flag { ack | fin | psh | rst | syn | urg }*  | time-range time-name | tos tos ]*

9.2.3.11.1.4. SNMP

To perform policy reevaluation through SNMP, enable the SNMP agent and define the read and write community strings:

<switch> system-view
[switch] snmp-agent
[switch] snmp-agent sys-info version v2c
[switch] snmp-agent community read cipher <community-name>
[switch] snmp-agent community write cipher <community-name>

9.2.3.11.1.5. CoA

To perform policy reevaluation through RADIUS Change of Authorization (CoA), enable the dynamic authorization server and register the RADIUS server as a client with its shared key:

[switch] radius dynamic-author server
[switch-radius-da-server] client ip <Radius-Server> key simple <CoA-key>

9.2.3.11.1.6. Troubleshooting & Monitoring

  • RADIUS Debug:

<switch> debugging radius packet
<switch> terminal monitor
<switch> terminal debugging
  • Display connected users:

    • Dot1x:

[switch] display dot1x session interface gigabitethernet x/y/z
[switch] display dot1x interface gigabitethernet x/y/z

    • MAC-Authentication (MAB):

[switch] display mac-authentication interface gigabitethernet x/y/z
  • Display mapped MAC-VLAN entries:

[switch] display mac-vlan all
  • Display all learned MAC addresses and the VLAN they belong to:

[switch] display mac-address