H3C WX Series AC + Fit AP 802.1X Authentication by iMC Configuration Example

Keywords: 802.1X, RADIUS, EAPOL

Abstract: This document presents a configuration example of using H3C WX Series ACs and Fit APs for 802.1X authentication through an iMC server.

Acronyms:

Acronym   Full spelling
AC        Access control
AP        Access point
ESS       Extended Service Set
WLAN      Wireless Local Area Network
SSID      Service set identifier
AAA       Authentication, Authorization, and Accounting
iMC       Intelligent Management Center
EAP       Extensible Authentication Protocol
EAPOL     Extensible Authentication Protocol over LAN
RADIUS    Remote Authentication Dial-In User Service

Table of Contents

Feature Overview
Application Scenarios
Configuration Guidelines
802.1X Authentication by iMC Configuration Example
    Network Requirements
    Configuration Considerations
    Software Version Used
    Configuration Procedures
        Configuring the AC
        Configuring the iMC System
    Verification
References
    Protocols and Standards
    Related Documentation

Feature Overview

802.1X is a port-based network access control protocol defined by IEEE. It controls packet forwarding by setting the status of ports.

Application Scenarios

802.1X provides only a method for user access authentication. It implements user access authentication by simply opening or closing the access ports. Its simplicity makes it applicable to WLANs and to point-to-point physical and logical ports for access authentication. However, for IP-based Metropolitan Area Networks (MANs), which feature broad bandwidth, 802.1X is quite limited.

Configuration Guidelines

In this example, 802.1X is configured on the wireless interface.

The parameters of the primary authentication and accounting servers, the server type, and the shared keys configured for the RADIUS scheme must be identical to those configured on the RADIUS servers. If an iMC server is used, be sure to set the server type to extended so that the WX5002 can identify the proprietary settings on the iMC server.

When configuring the domain, be sure to associate a RADIUS scheme with the domain.

Use the dot1x authentication-method command to specify the 802.1X authentication method to be used globally. In WLANs, if the Windows client is used for 802.1X authentication, the 802.1X authentication method must be EAP, because the Windows client supports only EAP.
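The guidelines above are easy to miss when the configuration is long, so here is an added check (not part of this H3C document) that parses a Comware-style running configuration into its views and reports which guideline is violated: global 802.1X enabling, the EAP method for Windows clients, server-type extended when an iMC server is used, and a domain that references an existing RADIUS scheme. The command keywords are the ones shown in this document; the sample configuration and the function names are constructed for the example.

```python
# Constructed sample modelled on the configuration sections in this document.
SAMPLE_CONFIG = """\
 port-security enable
 dot1x authentication-method eap
radius scheme h3c
 server-type extended
 primary authentication 8.1.1.16
 key authentication h3c
domain imc
 authentication lan-access radius-scheme h3c
interface WLAN-ESS10
 port-security port-mode userlogin-secure-ext
"""

def parse_blocks(config):
    # Map each view header (unindented line) to its indented commands; '#' closes a view, globals go under ''.
    blocks, current = {"": []}, ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = ""
        elif raw.startswith(" "):
            blocks[current].append(line)
        else:
            current = line
            blocks.setdefault(current, [])
    return blocks

def audit_dot1x(config, imc_server=True, windows_clients=True):
    """Return the guideline violations found; an empty list means all checks pass."""
    blocks, problems = parse_blocks(config), []
    if "port-security enable" not in blocks[""]:
        problems.append("global: missing 'port-security enable'")
    if windows_clients and "dot1x authentication-method eap" not in blocks[""]:
        problems.append("global: Windows clients need 'dot1x authentication-method eap'")
    schemes = {h.split()[2]: v for h, v in blocks.items() if h.startswith("radius scheme ")}
    for name, lines in schemes.items():
        if imc_server and "server-type extended" not in lines:
            problems.append(f"radius scheme {name}: iMC needs 'server-type extended'")
        for kw in ("primary authentication ", "key authentication "):
            if not any(l.startswith(kw) for l in lines):
                problems.append(f"radius scheme {name}: missing '{kw.strip()}'")
    for h, lines in blocks.items():
        if h.startswith("domain "):
            refs = [l.split("radius-scheme ")[1].split()[0] for l in lines if "radius-scheme " in l]
            problems += [f"{h}: unknown RADIUS scheme '{r}'" for r in refs if r not in schemes]
            if not refs: problems.append(f"{h}: no RADIUS scheme referenced")
        elif h.startswith("interface WLAN-ESS") and "port-security port-mode userlogin-secure-ext" not in lines:
            problems.append(f"{h}: port mode is not userlogin-secure-ext")
    return problems
```

Feed it the text of display current-configuration captured from the AC; the shared key values themselves still have to be compared against the iMC side by hand.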
802.1X Authentication by iMC Configuration Example

Network Requirements

This configuration example uses WX5002 access controllers and WA2100 wireless LAN access points.

With the prevalence of network applications, more and more core services depend on network platforms. However, traditional shared networks are facing more and more security problems. In this configuration example, access control is deployed at the access layer of the network to prevent access by unauthorized users. This not only solves the security problems, but also saves precious bandwidth.

In this example, configure 802.1X authentication on port WLAN-ESS 10 of the AC to control access of clients connected through the AP.

Figure 1 Network diagram for 802.1X authentication by iMC (Client - AP - AC - RADIUS server; AC addresses 20.1.1.200 and 8.1.1.1, RADIUS server 8.1.1.16)

Configuration Considerations

To configure remote 802.1X authentication, complete these tasks:

1) Create the RADIUS scheme for 802.1X authentication.
2) Create the domain for 802.1X authentication and reference the RADIUS scheme in the domain.
3) Enable 802.1X authentication in system view.
4) Enable 802.1X on the port that requires authentication.

Software Version Used

<AC> display version
H3C Comware Platform Software
Comware Software, Version 5.00, 0001
Copyright (c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
H3C WX5002-128 uptime is 0 week, 2 days, 17 hours, 3 minutes

CPU type: BCM MIPS 1250 700MHz
512M bytes DDR SDRAM Memory
32M bytes Flash Memory
Pcb Version:
Logic Version: 1.0
Basic BootROM A Version: 1.13
Extend BootROM Version: 1.14
[SLOT 1]CON (Hardware)A, (Driver)1.0, (Cpld)1.0
[SLOT 1]GE1/0/1 (Hardware)A, (Driver)1.0, (Cpld)1.0
[SLOT 1]GE1/0/2 (Hardware)A, (Driver)1.0, (Cpld)1.0
[SLOT 1]M-E1/0/1 (Hardware)A, (Driver)1.0, (Cpld)1.0
Configuration Procedures

Configuring the AC

Configuration on the AC

<AC> display current-configuration
#
 version 5.00, 0001
#
 sysname AC
#
 domain default enable imc
#
 port-security enable
#
 dot1x authentication-method eap
#
vlan 1
#
vlan 2
#
radius scheme h3c
 server-type extended
 primary authentication 8.1.1.16
 primary accounting 8.1.1.16
 key authentication h3c
 key accounting h3c
#
domain imc
 authentication default radius-scheme h3c
 authorization default radius-scheme h3c
 accounting default radius-scheme h3c
 access-limit disable
 state active
#
wlan service-template 10 crypto
 ssid joe_dot1x
 bind WLAN-ESS 10
 authentication-method open-system
 cipher-suite tkip
 security-ie wpa
 service-template enable
#
wlan rrm
 11a mandatory-rate 6 12 24
 11a supported-rate 9 18 36 48 54
 11b mandatory-rate 1 2
 11b supported-rate 5.5 11
 11g mandatory-rate 1 2 5.5 11
 11g supported-rate 6 9 12 18 24 36 48 54
#
interface NULL0
#
interface LoopBack0
#
interface Vlan-interface1
 ip address 20.1.1.200 255.255.255.0
#
interface Vlan-interface2
 ip address 8.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
 port access vlan 2
#
interface M-Ethernet1/0/1
#
interface WLAN-ESS10
 port-security port-mode userlogin-secure-ext
 port-security tx-key-type 11key
 undo dot1x multicast-trigger
#
wlan ap ap1 model WA2100
 serial-id h3c000fe258e820
 radio 1 type 11g
  channel 1
  max-power 3
  service-template 10
  radio enable
#
 dhcp enable
#
 load xml-configuration
#
user-interface aux 0
user-interface vty 0 4
#
return
<AC>

Configuration procedures

1) Create the RADIUS scheme.

# Create RADIUS scheme h3c and enter its view.
[AC] radius scheme h3c

# Specify the IP address of the primary authentication server as 8.1.1.16.
[AC-radius-h3c] primary authentication 8.1.1.16

# Specify the IP address of the primary accounting server as 8.1.1.16.
[AC-radius-h3c] primary accounting 8.1.1.16

# Specify the shared key for authentication exchange as h3c.
[AC-radius-h3c] key authentication h3c

# Specify the shared key for accounting exchange as h3c.
[AC-radius-h3c] key accounting h3c

# Set the RADIUS server type to extended.
[AC-radius-h3c] server-type extended

2) Create the domain.

# Create domain imc and enter its view.
[AC] domain imc

# Specify to use RADIUS scheme h3c for authentication of LAN users.
[AC-isp-imc] authentication lan-access radius-scheme h3c

# Specify to use RADIUS scheme h3c for authorization of LAN users.
[AC-isp-imc] authorization lan-access radius-scheme h3c

# Specify to use RADIUS scheme h3c for accounting of LAN users.
[AC-isp-imc] accounting lan-access radius-scheme h3c

3) Enable 802.1X globally.

[AC] port-security enable

4) Set the authentication method for 802.1X users to EAP.

[AC] dot1x authentication-method eap

5) Configure port WLAN-ESS 10.

# Create port WLAN-ESS 10 and enter its view.
[AC] interface WLAN-ESS 10

# Set the port security mode to userLoginSecureExt.
[AC-WLAN-ESS10] port-security port-mode userlogin-secure-ext

# Enable key negotiation of the 11key type.
[AC-WLAN-ESS10] port-security tx-key-type 11key

6) Configure the WLAN service template.

# Create a WLAN service template of the crypto type and enter its view.
[AC] wlan service-template 10 crypto

# Set the SSID of the service template to joe_dot1x.
[AC-wlan-st-10] ssid joe_dot1x

# Bind port WLAN-ESS 10 with service template 10.
[AC-wlan-st-10] bind WLAN-ESS 10

# Enable open system authentication.
[AC-wlan-st-10] authentication-method open-system

# Specify to use the TKIP encryption suite.
[AC-wlan-st-10] cipher-suite tkip

# Enable the WPA IE in the beacon and probe responses.
[AC-wlan-st-10] security-ie wpa

# Enable the service template.
[AC-wlan-st-10] service-template enable

Configuring the iMC System

iMC version:

Follow these steps to configure the access device:

1) On the Service tab of the iMC web interface, select Access Service > Access Device from the navigation tree and then click Add, as shown in the following figure:
2) On the Add Access Device page, click Add Manually.
3) In the pop-up window, configure the IP address range of the access device (setting both the start IP address and end IP address to the IP address of the access device in this example) and then click OK.
4) Perform configurations as shown in the following figure and click OK.
5) The access device is added successfully, as shown in the following figure:

Follow these steps to configure the service policy:

1) On the Service tab of the iMC web interface, select Access Service > Service Configuration from the navigation tree and then click Add, as shown in the following figure:
2) On the Add Service Configuration page, perform the configurations shown in the following figure:

Follow these steps to configure an account user:

1) On the User tab of the iMC web interface, select User Management > Add User from the navigation tree and then add a user as shown in the following figure:
2) Name the user joe-peap and configure the identity number as required. Then click OK.
3) On the Add User Result page that appears, select Add Access User and perform the configurations shown in the following figure:

Verification

Before passing 802.1X authentication, you cannot use PC1 to access the Internet. Run the 802.1X client on PC1. After passing 802.1X authentication, you can use PC1 to access the Internet.

The wireless client needs to be configured properly according to the authentication method used (PEAP or TLS).

1) Add the SSID.
2) Configure the wireless network attributes, add the SSID, and select the encryption method and authentication method.
3) In the Authentication dialog box, select PEAP as the EAP type and click Properties. Uncheck Validate server certificate, and click Configure. Then, uncheck Automatically use my Windows logon name and password (and domain if any) and click OK.

References

Protocols and Standards

RFC 2284, PPP Extensible Authentication Protocol (EAP)
IEEE 802.1X, Port-Based Network Access Control

Related Documentation

802.1X Configuration and MAC Authentication Configuration in the Security Volume of H3C WX Series Access Controllers User Manual
802.1X Commands and MAC Authentication Commands in the Security Volume of H3C WX Series Access Controllers User Manual
WLAN Security Configuration in the WLAN Volume of H3C WX Series Access Controllers User Manual
WLAN Security Commands in the WLAN Volume of H3C WX Series Access Controllers User Manual