• A host is connected to port Ethernet 1/2 of the device and must pass 802.1X authentication to
access the Internet. Ethernet 1/2 is in VLAN 1.
• Ethernet 1/2 implements port-based access control.
• Ethernet 1/3 is in VLAN 5 and is for accessing the Internet.
• The authentication server runs RADIUS and is in VLAN 2.
• The update server in VLAN 10 is for client software download and upgrade.
If no user performs 802.1X authentication on Ethernet 1/2 within a period of time, the device adds
Ethernet 1/2 to its guest VLAN, VLAN 10. The host and the update server are both in VLAN 10 and
the host can access the update server and download the 802.1X client software.
After the host passes 802.1X authentication, the network access device assigns the host to VLAN 5
where Ethernet 1/3 is. The host can access the Internet.
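A server-assigned VLAN such as VLAN 5 is commonly carried in the RADIUS Access-Accept as the RFC 3580 tunnel attributes. The following Python check is an added example, not part of the original guide: it assumes the server uses those attributes with a numeric VLAN ID, and the sample bytes are constructed.

```python
# RADIUS attribute types (RFC 2868) and the values RFC 3580 requires for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Constructed sample: attribute bytes of an Access-Accept that assigns VLAN 5
SAMPLE_ACCEPT = bytes([64, 6, 0, 0, 0, 13,   # Tunnel-Type = VLAN
                       65, 6, 0, 0, 0, 6,    # Tunnel-Medium-Type = IEEE-802
                       81, 3]) + b"5"        # Tunnel-Private-Group-ID = "5"


def parse_attributes(data):
    """Split a RADIUS attribute block into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = data[i], data[i + 1]
        if a_len < 2 or i + a_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((a_type, data[i + 2:i + a_len]))
        i += a_len
    return attrs


def assigned_vlan(data):
    """Return the assigned VLAN ID, or None if the attribute triplet is incomplete or wrong."""
    tunnel_type = medium = vlan = None
    for a_type, value in parse_attributes(data):
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            # One tag byte followed by a 3-byte value
            number = int.from_bytes(value[1:], "big")
            if a_type == TUNNEL_TYPE:
                tunnel_type = number
            else:
                medium = number
        elif a_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A leading byte <= 0x1F is a tag; otherwise it belongs to the string
            text = value[1:] if value[0] <= 0x1F else value
            vlan = text.decode("ascii", "replace")
    if tunnel_type != TYPE_VLAN or medium != MEDIUM_IEEE_802 or vlan is None:
        return None
    # Assumption: numeric VLAN ID; a VLAN name is reported as None here
    return int(vlan) if vlan.isdigit() and 1 <= int(vlan) <= 4094 else None


if __name__ == "__main__":
    print(assigned_vlan(SAMPLE_ACCEPT))
```

A result of `None` for a user who authenticates successfully means the Access-Accept carries no usable VLAN assignment, which is worth ruling out on the server before troubleshooting the port configuration.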
Figure 44 Network diagram
Configuration procedure
The following configuration procedure covers most AAA/RADIUS configuration commands on the
device. The configurations on the 802.1X client and RADIUS server are not shown. For more
information about AAA/RADIUS configuration commands, see HPE FlexNetwork MSR Router
Series Comware 5 Security Command Reference.
1. Make sure the 802.1X client can update its IP address after the access port is assigned to the
guest VLAN or a server-assigned VLAN. (Details not shown.)
2. Configure the RADIUS server to provide authentication, authorization, and accounting services.
Configure user accounts and server-assigned VLAN, VLAN 5 in this example. (Details not
shown.)
3. Create VLANs, and assign ports to the VLANs:
<Device> system-view
[Figure 44, three panels. In each: Eth1/1 in VLAN 10 (update server), Eth1/2 (host), Eth1/3 in VLAN 5 (Internet), Eth1/4 in VLAN 2 (authentication server). Eth1/2 is in VLAN 1 initially, in VLAN 10 once the port is added to the guest VLAN, and in VLAN 5 once the user gets online.]