802.1X Configuration Example

This section describes a typical 802.1X configuration example.

You need to configure 802.1X to control users who access the Internet through device, using MAC-based 802.1X authentication, and the authentication server is local. If the authentication is passed, system will allow users to access to the network through port ethernet0/0, otherwise prohibit their access. See the topology below:

Take the following steps:

Step 1: Create a user.

1. Select Objects > Local User from the menu bar.
2. In the Local User dialog, select local from the Local server drop-down list, and click New > User.
3. In the User Configuration dialog, configure the options as below:
   • Name: user1
   • Password: password1
   • Confirm password: password1
4. Click OK to save the settings and return to the Local User dialog.

Step 2: Create a role and a role mapping rule.

1. Select Objects > Role from the menu bar.
2. In the Role dialog, click New > Role.
3. In the Role Configuration dialog, type role1 into the Role name box.
4. Click OK to save the settings and return to the Role dialog.
5. Click New > Role Mapping. In the Role Mapping Configuration dialog, configure the options as below:
   • Name: test
   • Member: Select role1, user, and user1 in turn, and then click Add.
6. Click OK to save the settings and return to the Role Mapping Configuration dialog.
7. Click OK in the Role Mapping Configuration dialog.

Step 3: Configure AAA servers.

1. Select Objects > AAA Server from the menu bar.
2. In the AAA Server dialog, select local from the list, and then click Edit.
3. In the Local Server Configuration dialog, select test from the Role mapping rule drop-down list.
4. Click OK to save your changes.
5. In the AAA Server dialog, click OK to save your settings.

Step 4: Configure interfaces and zones.

1. On the Navigation pane, click Configure > Network > Network to visit the Network page.
2. Select ethernet0/0 from the interface list, and click Edit. In the Interface Configuration dialog, configure the options as below:
   • Binding zone: Layer 2 zone
   • Zone: l2-trust
3. Click OK to save the changes and return to the Network page.
4. Select vswitchif1 from the interface list, and click Edit. In the Interface Configuration dialog, configure the options as below:
   • Binding zone: Layer 3 zone
   • Zone: trust
   • Type: Static IP
   • IP address: 192.168.1.1
   • Netmask: 255.255.255.0
5. Click OK to save the changes and return to the Network page.
6. Select ethernet0/1 from the interface list, and click Edit. In the Interface Configuration dialog, configure the options as below:
   • Binding zone: Layer 3 zone
   • Zone: untrust
   • Type: Static IP
   • IP address: 201.10.1.1
   • Netmask: 255.255.255.0
7. Click OK to save the changes and return to the Network page.

Step 5: Configure a 802.1X rule.

1. On the Navigation pane, click Configure > Network > 802.1X to visit the 802.1X page.
2. Click New.
3. In the Configuring 802.1X dialog, configure the options as follows:
   
   • Interface: ethernet0/0
   • AAA server: local
   • Access mode: MAC
   • Port authorized: On the Advanced tab, click Auto
4. Click OK.

Step 6: Configure address entry and policy rules.

1. Select Objects > Address Book from the menu bar.
2. In the Address Book dialog, click New.
3. In the Address Entry Configuration dialog, configure the options as below:
   • Name: vswitchaddr
   • Member: Select and type IP/netmask, 192.168.1.1, 255.255.255.0 in turn, and then click Add

3. Click OK to save your settings, and then close the Address Book dialog.
4. On the Navigation pane, click Configure > Security > Policy to visit the Policy page.
5. Click New. In the Policy Configuration dialog, configure the options as below:
   • Src zone: trust
   • Dst zone: untrust
   • Src address: vswitchaddr
   • Dst address: Any
   • Service: Any
   • Action: Permit
6. Click OK to save your settings.