
Posture Cisco ISE

The report details testing of interoperability between Huawei S series switches and Cisco Identity Services Engine (ISE) for authentication and other features.

Huawei S12700 and S5720 switches were tested, as detailed in Table 1 on page 3.

Authentication protocols supported included PAP/CHAP, EAP-MD5, PEAP, EAP-TLS, EAP-TTLS, EAP-FAST as shown in Table 2 on page 4.

Huawei S Series Switches with VRP5 Software #216102

Huawei S Series Switches with the Versatile Routing Platform Software Version 5
Interoperability with the Cisco Identity Services Engine (ISE)

Tolly Report #216161


Commissioned by
Huawei Technologies Co., Ltd

December 2016

Tolly.
© 2016 TOLLY ENTERPRISES, LLC Tolly.com PAGE 1 OF 146

Executive Summary
Huawei commissioned Tolly to verify the Huawei S series switches’ interoperability with the Cisco Identity Services Engine (ISE) for authentication and more. The complete list of devices tested is available in Table 1. Device support for each individual test case is provided in the test results (Table 2) and further details in the test case descriptions.

Huawei Technologies Co., Ltd
S Series Switches
Interoperability with the Cisco Identity Services Engine (ISE)
Tested October 2016


Huawei S Series Switches Under Test

Device Under Test: Huawei S12700
  S/W Version: Huawei Versatile Routing Platform Software VRP (R) software, Version 5.160 (S12700 V200R010C00SPC300)
  Platform Version: VRP (R) software, Version 5.160
  Hardware Model: 12704

Device Under Test: Huawei S5720
  S/W Version: Huawei Versatile Routing Platform Software VRP (R) software, Version 5.160 (S5720 V200R010C00SPC300)
  Platform Version: VRP (R) software, Version 5.160
  Hardware Model: S5720-32C-HI-24S

Cisco Identity Services Engine (ISE)

Product: Identity Services Engine (ISE)
  Version: Version 2.0.0.306, ADE-OS Version 2.3.0.187
Source: Tolly, October 2016 Table 1


Huawei S Series Switches Interoperability with the Cisco ISE Test Results
Authentication Protocol
  ✔ PAP/CHAP
  ✔ EAP-MD5
  ✔ PEAP
  ✔ EAP-TLS
  ✔ EAP-TTLS
  ✔ EAP-FAST

Authentication Method
  ✔ Wired MAC Authentication
  ✔ Wired 802.1X Authentication
  ✔ Wireless MAC Authentication
  ✔ Wireless 802.1X Authentication
  ✔ Wired and Wireless Web Portal Authentication: Huawei S Switch as the Portal Server
  ✔ Wired and Wireless Web Portal Authentication: Cisco ISE as the Portal Server
  ✔ Wired Mixed Authentication: e.g. MAC and 802.1X Authentication
  ✔ Wireless Mixed Authentication: e.g. MAC and Web Portal Authentication

Authentication Policy

Built-in Attributes
  ✔ Dynamic VLAN: Assign one existing VLAN to the user with the VLAN number
  ✔ Dynamic ACL: Assign one existing ACL to the user with the ACL number

Huawei Attributes
  Dynamic ACL Rule: Create a new ACL rule with the HW-Data-Filter attribute
  ✔ Dynamic UCL Group: Assign one existing UCL group to the user with the HW-UCL-Group attribute and the UCL group’s name
  ✔ Dynamic CAR CIR (rate limiting): Create a new CAR CIR rule with the HW-Input-Committed-Information-Rate attribute or/and the HW-Output-Committed-Information-Rate attribute
  ✔ Service Scheme: Assign one existing service scheme to the user with Huawei’s HW-Service-Scheme attribute and the service scheme’s name

Generic RADIUS Attributes
  ✔ Framed-IP-Address: On-demand DHCP IP address
  ✔ Framed-Pool: On-demand DHCP Pool
  ✔ NAS-Port

Others
  ✔ Post-rejection Authentication: Once a client is rejected by ISE, authenticate certain VLAN to it
  ✔ Time-based Authentication Policy

Change of Authorization (CoA)
  ✔ Session Re-authentication
  ✔ Session Termination
  ✔ CoA Port Customization in ISE: Huawei S switches use port 3799 for CoA. The CoA destination port can be changed to 3799 in Cisco ISE for interoperability

Endpoint Profiling
  ✔ with DHCP Packets: e.g. DHCP Option60: Vendor Class Identifier
  ✔ with MAC Addresses: e.g. Organizationally Unique Identifier (OUI) in the MAC Address
  ✔ with HTTP Packets: e.g. User-Agent attribute in the HTTP packet
  ✔ with RADIUS Packets: e.g. CallingStationID attribute in RADIUS
  ✔ Network Scan (NMAP)

Other
  ✔ Posture Assessment with the Cisco ISE and the Cisco NAC Appliance Agent
  ✔ Guest Management: Guest self-registration and authentication
  ✔ BYOD: BYOD device self-registration and authentication

Source: Tolly, October 2016 Table 2


Test 1.1 PAP/CHAP Authentication

Objective: Verify the 802.1X authentication method with the PAP/CHAP authentication protocol when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure the Huawei S switch to ensure that the Huawei switch and the Cisco ISE server communicate with each other at Layer 3.
2. Create the Cisco ISE server profile and configure the related parameters, including IP address of the authentication server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme, and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication scheme to the domain.
3. Configure the Huawei switch 802.1X authentication mode as CHAP.
#
dot1x-access-profile name tolly
dot1x authentication-method chap
#
4. Enable 802.1X authentication globally and on the interface Port_1.
5. Use the PC to initiate the 802.1X authentication in the CHAP mode, and expected result 1 is displayed.

Pass Criteria: The PC is authenticated to have network access.


Test Results

1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
#
radius-server template tolly
radius-server shared-key cipher huawei123
radius-server authentication 192.89.11.188 1812 weight 80
radius-server accounting 192.89.11.188 1813 weight 80
undo radius-server user-name domain-included
calling-station-id mac-format hyphen-split mode2
#

3. Configure the aaa scheme on the switch.
#
authentication-scheme tolly
authentication-mode radius
authorization-scheme tolly
accounting-scheme tolly
accounting-mode radius
domain tolly
authentication-scheme tolly
accounting-scheme tolly
radius-server tolly
#

4. Configure the 802.1X authentication profile on the device.
#
authentication-profile name tolly
dot1x-access-profile tolly
access-domain tolly dot1x force
#


5. Configure the DHCP server on the device, and enable dot1x authentication on the corresponding interface.
#
interface Vlanif4090
ip address 192.89.6.202 255.255.255.0
dhcp select interface
interface GigabitEthernet1/1/0
port link-type hybrid
port hybrid pvid vlan 4090
port hybrid untagged vlan 4090
authentication-profile tolly
#

6. The tested device displays 802.1X authentication statistics information, which indicates that the authentication
succeeds.


Test 1.2 EAP-MD5

Objective: Verify the 802.1X authentication method with the EAP-MD5 authentication protocol when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure the Huawei S switch to ensure that the Huawei switch and the Cisco ISE server communicate with each other at Layer 3.
2. Create the Cisco ISE server profile and configure the related parameters, including IP address of the authentication server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme, and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication scheme to the domain.
3. Configure the Huawei switch 802.1X authentication mode as EAP.
#
dot1x-access-profile name tolly
dot1x authentication-method eap
#
4. Enable 802.1X authentication globally and on the interface Port_1.
5. Use the PC to initiate the 802.1X authentication in the EAP-MD5 mode, and expected result 1 is displayed.

Pass Criteria: The PC is authenticated to have network access.


Test 1.3 PEAP

Objective: Verify the 802.1X authentication method with the PEAP authentication protocol when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure the Huawei S switch to ensure that the Huawei switch and the Cisco ISE server communicate with each other at Layer 3.
2. Create the Cisco ISE server profile and configure the related parameters, including IP address of the authentication server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme, and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication scheme to the domain.
3. Configure the Huawei switch 802.1X authentication mode as EAP.
#
dot1x-access-profile name tolly
dot1x authentication-method eap
#
4. Enable 802.1X authentication globally and on the interface Port_1.
5. Use the PC to initiate the 802.1X authentication in the PEAP mode, and expected result 1 is displayed.

Pass Criteria: The PC is authenticated to have network access.


Test 1.4 EAP-TLS

Objective: Verify the 802.1X authentication method with the EAP-TLS authentication protocol when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure the Huawei S switch to ensure that the Huawei switch and the Cisco ISE server communicate with each other at Layer 3.
2. Create the Cisco ISE server profile and configure the related parameters, including IP address of the authentication server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme, and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication scheme to the domain.
3. Configure the Huawei switch 802.1X authentication mode as EAP.
#
dot1x-access-profile name tolly
dot1x authentication-method eap
#
4. Enable 802.1X authentication globally and on the interface Port_1.
5. Use the PC to initiate the 802.1X authentication in the EAP-TLS mode, and expected result 1 is displayed.

Pass Criteria: The PC is authenticated to have network access.


Test 1.5 EAP-TTLS

Objective: Verify the 802.1X authentication method with the EAP-TTLS authentication protocol when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure the Huawei S switch to ensure that the Huawei switch and the Cisco ISE server communicate with each other at Layer 3.
2. Create the Cisco ISE server profile and configure the related parameters, including IP address of the authentication server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme, and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication scheme to the domain.
3. Configure the Huawei switch 802.1X authentication mode as EAP.
#
dot1x-access-profile name tolly
dot1x authentication-method eap
#
4. Enable 802.1X authentication globally and on the interface Port_1.
5. Use the PC to initiate the 802.1X authentication in the EAP-TTLS mode, and expected result 1 is displayed.

Pass Criteria: The PC is authenticated to have network access.


Test 1.6 EAP-FAST

Objective: Verify the 802.1X authentication method with the EAP-FAST authentication protocol when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure the Huawei S switch to ensure that the Huawei switch and the Cisco ISE server communicate with each other at Layer 3.
2. Create the Cisco ISE server profile and configure the related parameters, including IP address of the authentication server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme, and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication scheme to the domain.
3. Configure the Huawei switch 802.1X authentication mode as EAP.
#
dot1x-access-profile name tolly
dot1x authentication-method eap
#
4. Enable 802.1X authentication globally and on the interface Port_1.
5. Use the PC to initiate the 802.1X authentication in the EAP-FAST mode, and expected result 1 is displayed.

Pass Criteria: The PC is authenticated to have network access.


Test 2.1 Wired MAC Authentication

Objective: Verify the MAC authentication method for a wired PC when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure the Huawei S switch to ensure that the Huawei switch and the Cisco ISE server communicate with each other at Layer 3.
2. Create the Cisco ISE server profile and configure the related parameters, including IP address of the authentication server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme, and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication scheme to the domain. Add the PC’s MAC address to the user list.
3. Configure the Huawei switch's MAC authentication profile.
4. Connect the PC to the Huawei S Switch and expected result 1 is displayed.

Pass Criteria: The PC is authenticated to have network access.


Test Results

1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the Huawei switch 802.1X authentication mode as EAP.
#
radius-server template tolly_mac
radius-server shared-key cipher huawei123
radius-server authentication 192.89.11.188 1812 weight 80
radius-server accounting 192.89.11.188 1813 weight 80
undo radius-server user-name domain-included
calling-station-id mac-format hyphen-split mode2
radius-attribute set Service-Type 10
#
domain tolly_mac
authentication-scheme tolly
authorization-scheme tolly
radius-server tolly_mac
#

3. Configure the aaa scheme.
#
aaa
authentication-scheme tolly
authentication-mode radius
authorization-scheme tolly
accounting-scheme tolly
accounting-mode radius
domain tolly_mac
authentication-scheme tolly
accounting-scheme tolly
radius-server tolly_mac
#


4. Configure the MAC authentication profile on the device.


#
mac-access-profile name tolly
mac-authen username macaddress format with-hyphen normal uppercase
authentication-profile name tolly_mac
mac-access-profile tolly
access-domain tolly_mac
#

5. Configure the DHCP server on the device, and enable MAC authentication on the corresponding interface.
#
interface Vlanif4090
ip address 192.89.11.10 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 4090
port hybrid untagged vlan 4090
authentication-profile tolly_mac
#

6. Connect the user terminal to the DUT and enable the MAC-authenticated port. Expected result 1 is displayed.
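
Added example (not part of the Tolly report): a helper that turns an endpoint inventory into the User-Name strings the RADIUS server must hold for the Test 2.1 configuration above, and a check over decoded Access-Request attributes that separates MAC authentication from 802.1X and flags a MAC-authentication request whose User-Name is not the calling station's own MAC. It assumes that `mac-authen username macaddress format with-hyphen normal uppercase` produces `XX-XX-XX-XX-XX-XX`; the attribute dictionaries and MAC addresses are constructed samples.

```python
import re

CALL_CHECK = 10  # RFC 2865 Service-Type "Call Check", set by "radius-attribute set Service-Type 10"
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def parse_mac(text: str) -> str:
    """Accept colon, hyphen or dot notation; return 12 lowercase hex digits."""
    digits = re.sub(r"[-:.\s]", "", text).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def mab_username(mac: str) -> str:
    """User-Name in the assumed 'with-hyphen normal uppercase' form."""
    digits = parse_mac(mac).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def identity_list(inventory):
    """Sorted, de-duplicated User-Name strings for the server's endpoint list."""
    return sorted({mab_username(mac) for mac in inventory})


def classify(attrs: dict) -> str:
    """Classify one decoded Access-Request.

    dot1x    - carries EAP-Message
    mab      - Service-Type Call-Check and User-Name equals Calling-Station-Id
    mismatch - claims Call-Check but the two identities differ or are not MACs
    other    - anything else (for example a terminated PAP/CHAP login)
    """
    if "EAP-Message" in attrs:
        return "dot1x"
    if attrs.get("Service-Type") != CALL_CHECK:
        return "other"
    try:
        user = parse_mac(str(attrs.get("User-Name", "")))
        station = parse_mac(str(attrs.get("Calling-Station-Id", "")))
    except ValueError:
        return "mismatch"
    return "mab" if user == station else "mismatch"


# Constructed sample data
INVENTORY = ["00e0.fc12.3456", "00:E0:FC:12:34:56", "00-e0-fc-ab-cd-ef"]
REQUESTS = [
    {"User-Name": "00-E0-FC-12-34-56", "Calling-Station-Id": "00-e0-fc-12-34-56",
     "Service-Type": 10},
    {"User-Name": "alice", "Calling-Station-Id": "00-E0-FC-AB-CD-EF",
     "Service-Type": 2, "EAP-Message": b"\x02\x01\x00\x0a\x01alice"},
    {"User-Name": "00-E0-FC-12-34-56", "Calling-Station-Id": "00-E0-FC-AB-CD-EF",
     "Service-Type": 10},
    {"User-Name": "printer", "Calling-Station-Id": "00-E0-FC-AB-CD-EF",
     "Service-Type": 10},
]

if __name__ == "__main__":
    print(identity_list(INVENTORY))
    for request in REQUESTS:
        print(classify(request), request["User-Name"], request["Calling-Station-Id"])
```

Comparing the parsed values rather than the raw strings keeps the check independent of the letter case the switch uses in Calling-Station-Id.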


Test 2.2 Wired 802.1X Authentication

Objective: Verify the 802.1X authentication method for a wired PC when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure the Huawei S switch to ensure that the Huawei switch and the Cisco ISE server communicate with each other at Layer 3.
2. Create the Cisco ISE server profile and configure the related parameters, including IP address of the authentication server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme, and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication scheme to the domain. Add the PC’s MAC address to the user list.
3. Configure the Huawei switch's 802.1X authentication profile.
4. Connect the PC to the Huawei S Switch and expected result 1 is displayed.

Pass Criteria: The PC is authenticated to have network access.


Test Results

1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
#
radius-server template tolly
radius-server shared-key cipher huawei123
radius-server authentication 192.89.11.188 1812 weight 80
radius-server accounting 192.89.11.188 1813 weight 80
undo radius-server user-name domain-included
calling-station-id mac-format hyphen-split mode2
#

3. Configure the aaa scheme.
#
aaa
authentication-scheme tolly
authentication-mode radius
authorization-scheme tolly
accounting-scheme tolly
accounting-mode radius
domain tolly
authentication-scheme tolly
accounting-scheme tolly
radius-server tolly
#

4. Configure the 802.1X authentication profile on the device.
#
dot1x-access-profile name tolly
authentication-method eap
authentication-profile name tolly
dot1x-access-profile tolly
access-domain tolly dot1x force
#


5. Configure the DHCP server on the device, and enable dot1x authentication on the corresponding interface.
#
interface Vlanif4090
ip address 192.89.6.202 255.255.255.0
dhcp select interface
interface GigabitEthernet1/1/0
port link-type hybrid
port hybrid pvid vlan 4090
port hybrid untagged vlan 4090
authentication-profile tolly
#

6. Enter the correct user name and password on the device for authentication. Check the user address and
authentication information, and expected result 1 is displayed.


Test 2.3 Wireless MAC Authentication

Objective: Verify the MAC authentication method for a wireless client when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the management VLAN10, and assign IP addresses to APs. Configure network access for APs.
3. Configure the RADIUS server profile and aaa profile on the switch.
4. Configure the MAC authentication profile on the device.
5. Configure the DHCP server on the device, and enable MAC authentication on the corresponding interface.
6. In the WLAN view, configure the security and SSID profiles. Bind the security and authentication profiles, service WLAN, forwarding mode, and SSID profile to the VAP profile. Configure the AP Group and bind it to the VAP profile.
7. The terminal accesses the wireless network through the SSID. Expected result 1 is displayed.

Pass Criteria: The wireless laptop is authenticated to have network access.


Test 2.4 Wireless 802.1X Authentication

Objective: Verify the 802.1X authentication method for a wireless client when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the management VLAN10, and assign IP addresses to APs. Configure network access for APs.
3. Configure the RADIUS server profile and aaa profile on the switch.
4. Configure the aaa scheme.
5. Configure the 802.1X authentication profile on the device.
6. Configure the DHCP server on the device, and enable dot1x authentication on the corresponding interface.
7. In the WLAN view, configure the security and SSID profiles. Bind the security and authentication profiles, service WLAN, forwarding mode, and SSID profile to the VAP profile. Configure the AP Group and bind it to the VAP profile.
8. The user accesses the wireless network through the SSID, and enters the user name and password for authentication. Expected result 1 is displayed.

Pass Criteria: The wireless laptop is authenticated to have network access.


Test 2.5 Wired and Wireless Web Portal Authentication (Huawei S Switch as the Portal Server)

Objective: Verify the web portal authentication method for a wired client and a wireless client when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server. The web portal is hosted on the Huawei S switch.

Procedure:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the management VLAN10, and assign IP addresses to APs. Configure network access for APs.
3. Configure the RADIUS server profile and aaa profile on the switch.
4. Configure the aaa scheme.
5. Load the ipsec.pem and ipseckey.pem certificates to the security file, and configure the ssl profile.
6. Configure the built-in Portal server on the switch, and obtain the URL address on the ISE server.
7. Configure the Portal authentication profile.
8. Configure the DHCP server on the device.
9. In the WLAN view, configure the security and SSID profiles. Bind the security and authentication profiles, service WLAN, forwarding mode, and SSID profile to the VAP profile. Configure the AP Group and bind it to the VAP profile.
10. The user accesses the wireless network through the SSID. Open a webpage and enter any address in the address bar. Expected result 1 is displayed.
11. Configure the Portal authentication profile on the corresponding interface. The user accesses the network in wired mode. Open a webpage and enter any address in the address bar on the PC. Expected result 1 is displayed.

Pass Criteria: The wired PC and the wireless laptop are both authenticated to have network access.


Test 2.6 Wired and Wireless Web Portal Authentication (Cisco ISE Server as the Portal Server)

Objective: Verify the web portal authentication method for a wired client and a wireless client when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server. The web portal is hosted on the Cisco ISE server.

Procedure:
1. All devices are working properly. The test environment has been set up according to the networking diagram.
2. Related configuration has been completed on the ISE authentication server.
3. Configure the switch's IP address so that the switch can communicate with the ISE server.
4. Configure the management VLAN10, and assign IP addresses to APs. Configure network access for APs.
5. Configure the RADIUS server on the switch.
6. Configure the aaa profile.
7. Configure the MAC authentication profile.
8. Configure the CoA authorization server.
9. Configure the ACL redirection on the switch.
10. Users access the network in wired mode for MAC authentication. Expected result 1 is displayed.
11. Open a web page and access any website. Enter the user name and password for authentication. Expected result 2 is displayed.

Pass Criteria:
1. When the user accesses the network for MAC authentication, the server delivers URL and redirection ACL. Open a browser and enter any IP address in the address bar, the page is redirected to the Portal authentication page.
2. After entering the user name and password, the user passes the Portal authentication successfully.


Test 2.7 Wired Mixed Authentication

Objective: Verify the mixed MAC and 802.1X authentication methods for a wired client when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server. The web portal is hosted on the Cisco ISE server.

Procedure:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
3. Configure the aaa scheme.
4. Configure the MAC authentication and dot1x authentication profiles on the device.
5. Configure the DHCP server on the device, and enable MAC authentication on the corresponding interface.
6. Use the tester interface as the user terminal to connect to the DUT and enable the MAC-authenticated and 802.1X-authenticated ports. Expected result 1 is displayed.

Simulated by Spirent TestCenter

Pass Criteria: Create two device users on the Spirent TestCenter interface for MAC authentication and 802.1X authentication respectively. After passing the authentication, the user obtains the IP address. The device shows that the authentication succeeds.


Test Results

Configuration Steps:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
#
radius-server template tolly
radius-server shared-key cipher huawei123
radius-server authentication 192.89.11.188 1812 weight 80
radius-server accounting 192.89.11.188 1813 weight 80
undo radius-server user-name domain-included
calling-station-id mac-format hyphen-split mode2
#
radius-server template tolly_mac
radius-server shared-key cipher huawei123
radius-server authentication 192.89.11.188 1812 weight 80
radius-server accounting 192.89.11.188 1813 weight 80
undo radius-server user-name domain-included
calling-station-id mac-format hyphen-split mode2
radius-attribute set Service-Type 10
#
domain tolly_mac
authentication-scheme tolly
authorization-scheme tolly
radius-server tolly_mac
#


3. Configure the aaa scheme.
#
aaa
authentication-scheme tolly
authentication-mode radius
authorization-scheme tolly
accounting-scheme tolly
accounting-mode radius
domain tolly_mac
authentication-scheme tolly
accounting-scheme tolly
radius-server tolly_mac
domain tolly
authentication-scheme tolly
accounting-scheme tolly
radius-server tolly
#

4. Configure the MAC authentication and dot1x authentication profiles on the device.
#
mac-access-profile name tolly
mac-authen username macaddress format with-hyphen normal uppercase
dot1x-access-profile name tolly
authentication-method eap
dot1x-access-profile tolly
mac-access-profile tolly
access-domain tolly dot1x force
access-domain tolly_mac mac-authen force
access-domain tolly force
#


5. Configure the DHCP server on the device, and enable MAC authentication on the corresponding interface.
#
interface Vlanif4090
ip address 192.89.11.10 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 4090
port hybrid untagged vlan 4090
authentication-profile tolly
#

6. Use the tester interface as the user terminal to connect to the DUT and enable the MAC-authenticated and
802.1X-authenticated ports. Expected result 1 is displayed.

Results:
Create two device users on the tester interface for MAC authentication and 802.1X authentication respectively.
After passing the authentication, the user obtains the IP address. The device shows that the authentication
succeeds.


Test 2.7 Wireless Mixed Authentication

Objective: Verify the mixed MAC and Web Portal authentication methods for a wired client when a Huawei S switch works
as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server. The web portal
is hosted on the Cisco ISE server.

Procedure:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the management VLAN, and assign IP addresses to APs. Configure network access for APs.
3. Configure the RADIUS server profile and aaa profile on the switch.
4. Configure the MAC authentication and Portal authentication profiles on the device.
5. Configure the DHCP server on the device, and enable combined MAC authentication and Portal authentication
on the corresponding interface.
6. In the WLAN view, configure the security and SSID profiles. Bind the security and authentication profiles,
service WLAN, forwarding mode, and SSID profile to the VAP profile. Configure the AP Group and bind it to the
VAP profile.
7. The wireless terminal accesses the network through the SSID for MAC authentication. Expected result 1 is
displayed.
8. For users who fail to pass the MAC authentication, allow them to perform the Portal authentication. Expected
result 2 is displayed.

Pass Criteria:
Result 1: The user passes the authentication successfully and obtains the corresponding IP address. The device
shows that the authentication succeeds.
Result 2: The user opens the browser and enters any IP address for Portal authentication. Enter the user name
and password, and the device shows that the authentication succeeds.

Test Results:
1. The user goes online for MAC authentication, and obtains the corresponding VLAN address.

2. The user goes online for Portal authentication, and obtains the corresponding VLAN address.


Test 3.1 Built-in Authentication Attribute: Dynamic VLAN

Objective: Verify the built-in authentication attribute Dynamic VLAN when a Huawei S switch works as the access control
switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure DUT to ensure that DUT and RADIUS server communicate with each other at Layer 3.
2. Create a RADIUS server profile and configure the related parameters, including IP address of the authentication
server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme,
and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication
scheme to the domain.
3. Enable 802.1X authentication globally and on the interface Port_1.
4. Configure the authorization policy on the ISE server: Deliver the dynamic VLAN11. Create VLAN11 on the
device, and configure VLANIF11 as the DHCP IP address pool.
5. Use the PC to initiate the 802.1X authentication, and expected result 1 is displayed.

Pass Criteria: The tested device displays 802.1X authentication statistics information, which indicates that the
authentication succeeds. Dynamic VLAN11 and IP address can be obtained.

Test Results:
1. Configure the dynamic VLAN11 authorization in the ISE server authorization policy.

2. Create VLAN11 on the device. The device goes online after passing the authentication successfully, and obtains
the dynamic VLAN11.


Test 3.2 Built-in Authentication Attribute: Dynamic ACL

Objective: Verify the built-in authentication attribute Dynamic ACL when a Huawei S switch works as the access control
switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure DUT to ensure that DUT and RADIUS server communicate with each other at Layer 3.
2. Create a RADIUS server profile and configure the related parameters, including IP address of the authentication
server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme,
and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication
scheme to the domain.
3. Enable 802.1X authentication globally and on the interface Port_1.
4. Configure the ACL 3000 authorization on the ISE server, and configure the corresponding ACL 3000 description
3000.in on the device.
5. Use the PC to initiate the 802.1X authentication, and expected result 1 is displayed.
6. Use the tester to send packets to the destination address 100.1.1.10, and expected result 2 is displayed.

Pass Criteria:
Result 1: The tested device displays 802.1X authentication statistics information, which indicates that the
authentication succeeds.
Result 2: The tester sends packets to the destination address 100.1.1.10, and the traffic is denied.

Test Results:
1. Configure the ACL 3000 dynamic authorization in the ISE server authorization policy.

2. Configure the ACL 3000 on the device.

3. The device goes online after passing the authentication successfully, and obtains the dynamic ACL.

4. The tester sends packets to the destination address 100.1.1.10, and the traffic is denied.


Test 3.3 Huawei Authentication Attribute: Dynamic ACL Rule

Objective: Verify the Huawei authentication attribute Dynamic ACL Rule when a Huawei S switch works as the access
control switch and the Cisco ISE server works as the authentication (RADIUS) server. Huawei attributes can be
imported to the Cisco ISE server.

Procedure:
1. Configure DUT to ensure that DUT and RADIUS server communicate with each other at Layer 3.
2. Create a RADIUS server profile and configure the related parameters, including IP address of the authentication
server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme,
and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication
scheme to the domain.
3. Enable 802.1X authentication globally and on the interface Port_1.
4. Configure the DACL authorization on the ISE server.
5. Use the PC to initiate the 802.1X authentication, and expected result 1 is displayed.
6. Use the tester to send packets to the destination address 100.1.1.10, and expected result 2 is displayed.

Pass Criteria:
Result 1: The tested device displays 802.1X authentication statistics information, which indicates that the
authentication succeeds.
Result 2: The tester sends packets to the destination address 100.1.1.10, and the traffic is denied.

Test Results:
1. Configure the DACL dynamic authorization in the ISE server authorization policy.

2. The device goes online after passing the authentication successfully, and obtains the dynamic DACL.

3. The tester sends packets to the destination address 100.1.1.10, and the traffic is denied.


Test 3.4 Huawei Authentication Attribute: Dynamic UCL Group

Objective: Verify the Huawei authentication attribute Dynamic UCL Group when a Huawei S switch works as the access
control switch and the Cisco ISE server works as the authentication (RADIUS) server. Huawei attributes can be
imported to the Cisco ISE server.

Procedure:
1. Configure DUT to ensure that DUT and RADIUS server communicate with each other at Layer 3.
2. Create a RADIUS server profile and configure the related parameters, including IP address of the authentication
server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme,
and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication
scheme to the domain.
3. Enable 802.1X authentication globally and on the interface Port_1.
4. Configure the UCL-group 10 authorization on the ISE server, and create UCL-group 10 on the device. Create
and bind ACL 6000 to UCL-group 10.
5. Use the tester as a host to initiate the 802.1X authentication, and expected result 1 is displayed.
6. Use the tester to send traffic that matches ACL6000, and expected result 2 is displayed.

Pass Criteria:
Result 1: The tested device displays 802.1X authentication statistics information, which indicates that the
authentication succeeds. The device can obtain the UCL-group 10.
Result 2: The tester sends traffic that matches ACL6000, and the traffic is denied.

Test Results:
1. Configure the UCL-group 10 dynamic authorization in the ISE server authorization policy.

2. Configure UCL-group 10 on the device. Create ACL 6000, bind it to UCL-group 10, and apply it.

3. The user goes online after passing the authentication, and obtains the UCL-group successfully.

4. The tester sends traffic that matches ACL6000, and the traffic is denied.

Test 3.5 Huawei Authentication Attribute: Dynamic CAR CIR (Rate Limiting)

Objective: Verify the Huawei authentication attribute Dynamic CAR CIR when a Huawei S switch works as the access control
switch and the Cisco ISE server works as the authentication (RADIUS) server. Huawei attributes can be imported
to the Cisco ISE server.

Procedure:
1. Configure DUT to ensure that DUT and RADIUS server communicate with each other at Layer 3.
2. Create a RADIUS server profile and configure the related parameters, including IP address of the authentication
server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme,
and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication
scheme to the domain.
3. Enable 802.1X authentication globally and on the interface Port_1.
4. Configure the upstream and downstream CAR authorization on the ISE server.
5. Use the PC to initiate the 802.1X authentication, and expected result 1 is displayed.
6. Use the tester to send upstream and downstream test traffic, and expected result 2 is displayed.

Pass Criteria:
Result 1: The tested device displays 802.1X authentication statistics information, which indicates that the
authentication succeeds.
Result 2: The tester sends upstream and downstream traffic that is limited to a certain rate.

Test Results:
1. Configure upstream and downstream CAR dynamic authorization in the ISE server authorization policy; the
CAR is limited to 300 Mbit/s.

2. The device goes online after passing the authentication successfully, and obtains the authorized CAR.

3. The tester sends upstream and downstream test traffic at a rate of 1000 Mbit/s, and the traffic is limited to
300 Mbit/s.


Test 3.6 Huawei Authentication Attribute: Service Scheme;
Generic RADIUS Attribute: Framed-IP-Address (On-demand DHCP IP Address)
Generic RADIUS Attribute: Framed-Pool (On-demand DHCP Pool)

Objective: Verify the Huawei authentication attribute HW-Service-Scheme, the generic RADIUS attribute
Framed-IP-Address and the generic RADIUS attribute Framed-Pool when a Huawei S switch works as the access control
switch and the Cisco ISE server works as the authentication (RADIUS) server. Huawei attributes can be imported
to the Cisco ISE server.

Procedure:
1. Configure DUT to ensure that DUT and RADIUS server communicate with each other at Layer 3.
2. Create a RADIUS server profile and configure the related parameters, including IP address of the authentication
server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme,
and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication
scheme to the domain.
3. Configure PPP authentication on the device so that the host can access the network after passing PPPoE
authentication.
4. Configure HW-Service-Scheme: pppoe authorization on the ISE server. Create Service-Scheme: pppoe in the
AAA view. Bind Service-Scheme to the address pool vlan44.
5. After the PC dials in through PPPoE authentication, expected result 1 is displayed.
6. Add the service scheme pppoe in the default domain. Configure the frame-ip-address attribute in the ISE
authorization policy, and assign fixed IP addresses to users. Expected result 2 is displayed.
7. Add the service scheme pppoe in the default domain. Configure the frame-pool attribute in the ISE
authorization policy, and assign the IP address pool to users. Expected result 3 is displayed.

Pass Criteria:
Result 1: The tested device displays authentication statistics information, which indicates that the PPP
authentication succeeds. The device can obtain addresses from the VLAN44 IP address pool.
Result 2: The PC goes online after passing authentication successfully, and obtains the fixed IP address assigned
by the ISE server.
Result 3: The PC goes online after passing authentication successfully, and obtains the IP address from the IP
address pool delivered by the ISE server.


Configuration:
1. Configure DUT to ensure that DUT and RADIUS server communicate with each other at Layer 3.
2. Create a RADIUS server profile and configure the related parameters, including IP address of the authentication
server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme,
and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication
scheme to the domain.
3. Configure PPP authentication on the device so that the host can access the network after passing PPPoE
authentication.
#
interface Virtual-Template1
ppp keepalive retransmit 4
ppp mru 1400
ppp authentication-mode pap
ppp timer negotiate 5
ip address 44.4.4.1 255.255.255.0
#
#
interface Vlanif44
pppoe-server bind virtual-template 1
#
#
ip pool vlan44
gateway-list 44.4.4.1
network 44.4.4.0 mask 255.255.255.0
#


4. Configure HW-Service-Scheme: pppoe authorization on the ISE server. Create Service-Scheme: pppoe in the
AAA view. Bind Service-Scheme to the address pool vlan44.
#
ip pool vlan44
gateway-list 44.4.4.1
network 44.4.4.0 mask 255.255.255.0
#
#
aaa
service-scheme pppoe
ip-pool vlan44
domain default
authentication-scheme radius
radius-server tolly
#

5. After the PC dials in through PPPoE authentication, expected result 1 is displayed.


6. Add the service scheme pppoe in the default domain. Configure the frame-ip-address attribute in the ISE
authorization policy, and assign fixed IP addresses to users. Expected result 2 is displayed.
#
aaa
service-scheme pppoe
ip-pool vlan44
domain default
authentication-scheme radius
radius-server tolly
service-scheme pppoe
#

7. Add the service scheme pppoe in the default domain. Configure the frame-pool attribute in the ISE
authorization policy, and assign the IP address pool to users. Expected result 3 is displayed.


Results:
1. Configure HW-Service-Scheme: pppoe authorization on the ISE server.


2. Configure the service scheme pppoe in the AAA view, and bind vlan44 IP address pool to pppoe. The user goes
online after passing authentication successfully, and obtains the pppoe service scheme and IP address.


3. Configure the frame-ip-address attribute in the ISE authorization policy, and users can obtain fixed IP
addresses.


4. Configure the frame-pool attribute in the ISE authorization policy, and users can obtain IP addresses from the
assigned IP address pool.


Test 3.7 Generic RADIUS Attribute: NAS-Port

Objective: Verify the generic RADIUS attribute NAS-Port when a Huawei S switch works as the access control switch and the
Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure DUT to ensure that DUT and RADIUS server communicate with each other at Layer 3.
2. Create a RADIUS server profile and configure the related parameters, including IP address of the authentication
server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme,
and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication
scheme to the domain.
3. Enable 802.1X authentication globally and on the interface Port_1.
4. Use the PC to initiate the 802.1X authentication, and expected result 1 is displayed.

Pass Criteria:
Result 1: The tested device displays 802.1X authentication statistics information, which indicates that the PC
passes authentication successfully. The access user's physical port number can be viewed on the ISE server
through the NAS-Port attribute.

Test Results:
1. The tested device displays 802.1X authentication statistics information, which indicates that the PC passes
authentication successfully. The access user's physical port number can be viewed on the ISE server through
the NAS-Port attribute.

Test 3.8 Post-rejection Authentication

Objective: Verify the post-rejection authentication when a Huawei S switch works as the access control switch and the
Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure DUT to ensure that DUT and RADIUS server communicate with each other at Layer 3.
2. Create a RADIUS server profile and configure the related parameters, including IP address of the authentication
server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme,
and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication
scheme to the domain.
3. Enable 802.1X authentication globally and on the interface Port_1.
4. Enter the correct user name and password on the PC to initiate 802.1X authentication. Expected result 1 is
displayed.
5. Configure an authentication-failure event on the device so that users who fail authentication are authorized
to VLAN10. Configure the VLANIF10 IP address pool.
6. Enter the wrong password for authentication on the PC. Expected result 2 is displayed.

Pass Criteria:
Result 1: The tested device displays 802.1X authentication statistics information, which indicates that the
authentication succeeds.
Result 2: The PC authentication fails, and the PC obtains the VLANIF10 IP address.

Test Results:
1. Enter the correct user name and password, and the PC can go online after passing the authentication
successfully.

2. Configure an authentication-failure event on the device so that VLAN10 is authorized when authentication fails.

3. The PC authentication fails, and the PC obtains the VLANIF10 IP address.


Test 3.9 Time-based Authentication Policy

Objective: Verify the time-based authentication when a Huawei S switch works as the access control switch and the Cisco
ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
3. Configure the aaa scheme.
4. Configure the 802.1X authentication profile on the device.
5. Configure the DHCP server on the device, and enable dot1x authentication on the corresponding port.
6. Enter the correct user name and password on the device for authentication. Check the user address and
authentication information, and expected result 1 is displayed.
7. Configure time ranges on the ISE server. Authorization policies vary with different time periods.

Pass Criteria:
Result 1: The user passes the authentication successfully and obtains the corresponding IP address. The device
shows that the authentication succeeds.
Result 2: Users obtain different authorization policies based on time periods.


Configuration
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
#
radius-server template tolly
radius-server shared-key cipher huawei123
radius-server authentication 192.89.11.188 1812 weight 80
radius-server accounting 192.89.11.188 1813 weight 80
undo radius-server user-name domain-included
calling-station-id mac-format hyphen-split mode2
#

3. Configure the aaa scheme.


#
aaa
authentication-scheme tolly
authentication-mode radius
authorization-scheme tolly
accounting-scheme tolly
accounting-mode radius
domain tolly
authentication-scheme tolly
accounting-scheme tolly
radius-server tolly
#

4. Configure the 802.1X authentication profile on the device.


#
dot1x-access-profile name tolly
authentication-method eap
authentication-profile name tolly
dot1x-access-profile tolly
access-domain tolly dot1x force
#


5. Configure the DHCP server on the device, and enable dot1x authentication on the corresponding port.
#
interface Vlanif4090
ip address 192.89.6.202 255.255.255.0
dhcp select interface
interface GigabitEthernet1/1/0
port link-type hybrid
port hybrid pvid vlan 4090
port hybrid untagged vlan 4090
authentication-profile tolly
#

6. Enter the correct user name and password on the device for authentication. Check the user address and
authentication information, and expected result 1 is displayed.
7. Configure time ranges on the ISE server. Authorization policies vary with different time periods.

Test Results:
1. Configure different time ranges and two dot1x authorization policies on the ISE server. Users obtain different
authorization policies based on their login time periods.


2. A user goes online after passing the dot1x authentication, and obtains the corresponding authorization policy
based on the login time period.

Test 4.1 Change of Authorization (CoA): Session Re-authentication

Objective: Verify session re-authentication when a Huawei S switch works as the access control switch and the Cisco ISE
server works as the authentication (RADIUS) server.

Procedure:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the management VLAN10, and assign IP addresses to APs. Configure network access for APs.
3. Configure the RADIUS server on the switch.
4. Configure the aaa profile.
5. Configure the MAC authentication profile.
6. Configure the CoA authorization server.
7. Configure the redirection ACL on the switch.
8. Users access the network in wired mode for MAC authentication. Expected result 1 is displayed.
9. Open a web page and access any website. Enter the user name and password for authentication. Expected
result 2 is displayed.

Pass Criteria:
Result 1: When the user accesses the network for MAC authentication, the server delivers the URL and redirection
ACL. When the user opens a browser and enters any IP address in the address bar, the page is redirected to the
guest management page.
Result 2: After entering the user name and password, the user passes the Portal authentication successfully.

Test Results:

1. Configure the RADIUS authorization server, and enable the device to respond to and process ISE CoA packets.
On the ISE server, change the CoA port number of the access device to 3799 (change the destination port
number in the 1.6.3 case).
#
radius-server authorization 192.89.11.188 shared-key cipher huawei123
#
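
The checks a device applies before acting on a CoA or Disconnect packet received on UDP 3799, as an added example that is not part of the Tolly report or Huawei's implementation: it validates the source address and the RFC 5176 Request Authenticator before any session is touched. The server address and shared key are the lab values from the configuration above; the MAC address, packet identifier and all function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Packet codes and attribute type from RFC 5176 / RFC 2865.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
CALLING_STATION_ID = 31
COA_PORT = 3799  # UDP port set on the ISE side in Test 4.3


def encode_attrs(attrs):
    """Serialise (type, value-bytes) pairs as RADIUS TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or undersized attributes."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("invalid attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def request_authenticator(code, ident, attr_bytes, secret):
    """RFC 5176: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + bytes(16) + attr_bytes + secret).digest()


def build_request(code, ident, attrs, secret):
    """Build a signed request; used here only to construct the sample input."""
    attr_bytes = encode_attrs(attrs)
    auth = request_authenticator(code, ident, attr_bytes, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attr_bytes)) + auth + attr_bytes


def verify_request(packet, src_ip, allowed_servers, secret):
    """Return (accepted, reason, attrs) for a datagram received on COA_PORT."""
    if ipaddress.ip_address(src_ip) not in allowed_servers:
        return False, "source is not a configured authorization server", []
    if len(packet) < 20:
        return False, "shorter than RADIUS header", []
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False, "unexpected packet code", []
    if length < 20 or length > len(packet):
        return False, "length field does not fit datagram", []
    attr_bytes = packet[20:length]  # octets past Length are padding and ignored
    expected = request_authenticator(code, ident, attr_bytes, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "bad request authenticator", []
    try:
        return True, "ok", parse_attrs(attr_bytes)
    except ValueError as exc:
        return False, str(exc), []


def build_response(request, success, secret):
    """ACK/NAK for a request that already passed verify_request.

    The response authenticator covers the request's authenticator, which
    binds the reply to that one request (RFC 5176).
    """
    reply_code = request[0] + (1 if success else 2)
    header = struct.pack("!BBH", reply_code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


# Constructed sample: address and key are the lab values shown in this report;
# the MAC address and identifier are made up.
ISE = {ipaddress.ip_address("192.89.11.188")}
SECRET = b"huawei123"
SAMPLE = build_request(DISCONNECT_REQUEST, 7,
                       [(CALLING_STATION_ID, b"00-11-22-33-44-55")], SECRET)

if __name__ == "__main__":
    print(verify_request(SAMPLE, "192.89.11.188", ISE, SECRET))
    print(verify_request(SAMPLE[:-1] + b"6", "192.89.11.188", ISE, SECRET))
    print(verify_request(SAMPLE, "192.89.11.50", ISE, SECRET))
```

A packet that fails the source or authenticator check is dropped without a reply; a NAK is reserved for authenticated requests the device cannot honour.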


2. When a new user accesses the network, he must pass the MAC authentication first. After the authentication
succeeds, the page is redirected to the guest management page. A user can log in to the system using a
registered account or a new user can register an account first.

3. After a user registers an account, the system disconnects the user through CoA. The user should log in again
using the new account.
4. After new users log in to the system, the server authorizes new policies to users so that they can obtain new
permissions.

Test 4.2 CoA: Session Termination

Objective: Verify session termination when a Huawei S switch works as the access control switch and the Cisco ISE server
works as the authentication (RADIUS) server.

Procedure:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
3. Configure the MAC authentication profile on the device.
4. Configure the DHCP server on the device, and enable MAC authentication on the corresponding port.
5. Connect the user terminal to the DUT and enable the MAC-authenticated port. Expected result 1 is displayed.
6. Configure the RADIUS authorization server on the device and use the ISE server to disconnect online users.
Expected result 2 is displayed.

Pass Criteria:
Result 1: The user passes the authentication successfully and obtains the corresponding IP address. The device
shows that the authentication succeeds.
Result 2: Online users are disconnected from the network by the ISE server, and online user entries are deleted
from the device.

Test Results:
1. The user goes online after passing the MAC authentication successfully, and obtains the corresponding IP
address.

2. Online users are disconnected from the network by the ISE server, and online user entries are deleted from the
device.


Test 4.3 CoA Port Customization in ISE

Objective: Verify CoA port customization when a Huawei S switch works as the access control switch and the Cisco ISE
server works as the authentication (RADIUS) server.

Procedure:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
3. Configure the MAC authentication profile on the device.
4. Configure the DHCP server on the device, and enable MAC authentication on the corresponding port.
5. Connect the user terminal to the DUT and enable the MAC-authenticated port.
6. Change the CoA port number of the access device to 3799 on the ISE server.
7. Configure the RADIUS authorization server on the device and use the ISE server to disconnect online users.
Expected result 1 is displayed.

Pass Criteria:
Result 1: The CoA port number is changed to 3799, and online users are disconnected.

Test Results:

Configuration:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
#
radius-server template mac_auth
 radius-server shared-key cipher Huawei@123
 radius-server authentication 192.89.11.188 1812 weight 80
 radius-server accounting 192.89.11.188 1813 weight 80
 undo radius-server user-name domain-included
 calling-station-id mac-format hyphen-split mode2
 radius-attribute set Service-Type 10
#

3. Configure the MAC authentication profile on the device.
#
mac-access-profile name mac_access_profile
authentication-profile name mac_auth
 mac-access-profile mac_access_profile
 access-domain mac_auth force
#

4. Configure the DHCP server on the device, and enable MAC authentication on the corresponding port.
#
interface Vlanif12
 ip address 12.1.1.1 255.255.255.0
 dhcp select interface
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 130
 authentication-profile mac_auth
#

5. Connect the user terminal to the DUT and enable the MAC-authenticated port.
6. Change the CoA port number of the access device to 3799 on the ISE server.
7. Configure the RADIUS authorization server on the device and use the ISE server to disconnect online users. Expected result 1 is displayed.
#
radius-server authorization 192.89.11.188 shared-key cipher huawei123
#

Results:

1. Change the CoA port number of the access device to 3799 on the ISE server.

2. The online user is disconnected from the network by the ISE server. The CoA port number of the disconnection packet sent by the RADIUS server is changed to 3799.
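
The disconnect exchange exercised in Tests 4.2 and 4.3, sketched from the switch's side as an added example (not code from the report or from either vendor): it validates the RFC 5176 Request Authenticator before deleting a session entry, then answers with Disconnect-ACK or Disconnect-NAK. The shared secret, MAC address and session table are constructed sample values, and keying sessions on Calling-Station-Id alone is an assumption of this sketch.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the attributes this example uses.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID = 31            # RFC 2865: endpoint MAC as reported by the NAS
ERROR_CAUSE = 101                  # RFC 5176
SESSION_CONTEXT_NOT_FOUND = 503    # RFC 5176 Error-Cause value
COA_PORT = 3799                    # UDP port assigned by RFC 5176, as set in Test 4.3


def _authenticator(code, ident, length, seed, attrs, secret):
    """MD5(Code | Identifier | Length | 16-octet seed | Attributes | secret)."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + seed + attrs + secret).digest()


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(ident, mac, secret):
    """What the RADIUS server sends; used here only to create sample input."""
    attrs = _attr(CALLING_STATION_ID, mac.encode("ascii"))
    length = 20 + len(attrs)
    auth = _authenticator(DISCONNECT_REQUEST, ident, length, bytes(16), attrs, secret)
    return struct.pack("!BBH", DISCONNECT_REQUEST, ident, length) + auth + attrs


def parse_attrs(raw):
    """Split the attribute area into {type: [values]}, rejecting bad lengths."""
    attrs, i = {}, 0
    while i < len(raw):
        if i + 2 > len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed attribute")
        attrs.setdefault(raw[i], []).append(raw[i + 2:i + raw[i + 1]])
        i += raw[i + 1]
    return attrs


def handle_disconnect_request(packet, secret, sessions):
    """Switch-side handling. Returns the reply bytes, or None when the packet is
    dropped (wrong code, bad length, bad authenticator, malformed attributes)."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or not 20 <= length <= len(packet):
        return None
    recv_auth, raw = packet[4:20], packet[20:length]
    # The Request Authenticator is computed with 16 zero octets in the seed position.
    expected = _authenticator(code, ident, length, bytes(16), raw, secret)
    if not hmac.compare_digest(recv_auth, expected):
        return None
    try:
        attrs = parse_attrs(raw)
    except ValueError:
        return None
    mac = attrs.get(CALLING_STATION_ID, [b""])[0].decode("ascii", "replace")
    if mac in sessions:
        sessions.discard(mac)                      # delete the online user entry
        reply_code, reply_attrs = DISCONNECT_ACK, b""
    else:
        reply_code = DISCONNECT_NAK
        reply_attrs = _attr(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))
    reply_len = 20 + len(reply_attrs)
    # The Response Authenticator is seeded with the request's authenticator.
    reply_auth = _authenticator(reply_code, ident, reply_len, recv_auth, reply_attrs, secret)
    return struct.pack("!BBH", reply_code, ident, reply_len) + reply_auth + reply_attrs


if __name__ == "__main__":
    secret = b"constructed-lab-secret"             # constructed, not a key from the report
    online = {"02-00-5E-10-00-01"}                 # constructed session table
    request = build_disconnect_request(1, "02-00-5E-10-00-01", secret)
    reply = handle_disconnect_request(request, secret, online)
    print("reply code:", reply[0], "sessions left:", online)
```

A request built with a different secret, or altered in transit, fails the authenticator comparison and is dropped without touching the session table.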


Test 5.1 Endpoint Profiling with DHCP Packets

Objective: Verify endpoint profiling with DHCP packets when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
3. Configure the aaa scheme.
4. Configure the MAC authentication profile on the device.
5. Configure the DHCP server on the device, and enable MAC authentication on the corresponding interface.
6. Connect the user terminal to the DUT and enable the MAC-authenticated port. Expected result 1 is displayed.
7. Configure terminal identification through DHCP on the ISE server. Expected result 2 is displayed.

Pass Criteria:
Result 1: The user passes the authentication successfully and obtains the corresponding IP address. The device shows that the authentication succeeds.
Result 2: The ISE server can identify terminals through DHCP.

Test Results:

Configuration:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
#
radius-server template tolly_mac
 radius-server shared-key cipher huawei123
 radius-server authentication 192.89.11.188 1812 weight 80
 radius-server accounting 192.89.11.188 1813 weight 80
 undo radius-server user-name domain-included
 calling-station-id mac-format hyphen-split mode2
 radius-attribute set Service-Type 10
#
domain tolly_mac
 authentication-scheme tolly
 authorization-scheme tolly
 radius-server tolly_mac
#

3. Configure the aaa scheme.
#
aaa
 authentication-scheme tolly
  authentication-mode radius
 authorization-scheme tolly
 accounting-scheme tolly
  accounting-mode radius
 domain tolly_mac
  authentication-scheme tolly
  accounting-scheme tolly
  radius-server tolly_mac
#

4. Configure the MAC authentication profile on the device.
#
mac-access-profile name tolly
 mac-authen username macaddress format with-hyphen normal uppercase
authentication-profile name tolly_mac
 mac-access-profile tolly
 access-domain tolly_mac
#

5. Configure the DHCP server on the device, and enable MAC authentication on the corresponding interface.
#
interface Vlanif4090
 ip address 192.89.11.10 255.255.255.0
 dhcp select interface
#
interface XGigabitEthernet1/0/0
 port link-type hybrid
 port hybrid pvid vlan 4090
 port hybrid untagged vlan 4090
 authentication-profile tolly_mac
#

6. Connect the user terminal to the DUT and enable the MAC-authenticated port. Expected result 1 is displayed.
7. Configure terminal identification through DHCP on the ISE server. Expected result 2 is displayed.

Results:
1. Configure the DHCP attribute to identify the option field in the DHCP packets that match certain conditions.

2. Configure identification policies to invoke attribute identification conditions.
3. Users go online, and terminal devices are identified based on the identification policies on the ISE server.

Test 5.2 Endpoint Profiling with MAC Addresses

Objective: Verify endpoint profiling with MAC addresses when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
3. Configure the aaa profile on the switch.
4. Configure the MAC authentication profile on the device.
5. Configure the DHCP server on the device, and enable MAC authentication on the corresponding port.
6. Connect the user terminal to the DUT and enable the MAC-authenticated port. Expected result 1 is displayed.
7. Configure terminal identification through MAC address on the ISE server. Expected result 2 is displayed.

Pass Criteria:
Result 1: The user passes the authentication successfully and obtains the corresponding IP address. The device shows that the authentication succeeds.
Result 2: The ISE server can identify terminals through MAC addresses.

Test Results:

1. Configure the MAC address segment identification and specify the MAC address OUI provided by the ISE as the matching condition.
2. Configure identification policies to invoke attribute identification conditions.
3. Users go online, and terminal devices are identified based on the identification policies on the ISE server.
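
How the DHCP-based and OUI-based identification of Tests 5.1 and 5.2 works underneath, as an added example that is not part of the report or of ISE: it parses the DHCP options a profiler keys on, takes the OUI from the client hardware address, and evaluates both against identification policies. The policy names, the rule format and the sample packets are hypothetical and constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_HOSTNAME, OPT_PARAM_LIST, OPT_VENDOR_CLASS, OPT_END = 0, 12, 55, 60, 255


def parse_dhcp(payload):
    """Extract the attributes a profiler keys on from a DHCP (BOOTP) payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    if payload[1] != 1 or payload[2] != 6:          # htype / hlen: Ethernet only
        raise ValueError("unsupported hardware type")
    mac, opts, i = payload[28:34], {}, 240          # chaddr starts at offset 28
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value    # repeated options concatenate (RFC 3396)
        i += 2 + length
    return {
        "mac": "-".join(f"{b:02X}" for b in mac),
        "oui": mac[:3].hex().upper(),
        "hostname": opts.get(OPT_HOSTNAME, b"").decode("ascii", "replace"),
        "vendor_class": opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace"),
        "param_list": list(opts.get(OPT_PARAM_LIST, b"")),
    }


# Hypothetical identification policies: every condition in a policy must match.
POLICIES = [
    ("Example-Windows-Workstation", [("vendor_class", "contains", "MSFT")]),
    ("Example-Lab-Device", [("oui", "equals", "02005E")]),
]


def identify(attrs, policies=POLICIES):
    """Return the first policy whose conditions all match, else 'Unknown'."""
    ops = {"contains": lambda have, want: want in have,
           "equals": lambda have, want: have == want}
    for name, conditions in policies:
        if all(ops[op](attrs[field], want) for field, op, want in conditions):
            return name
    return "Unknown"


def build_sample(mac, options):
    """Constructed DHCPDISCOVER-style payload used as sample input."""
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0) + bytes(16)
    fixed += bytes.fromhex(mac.replace("-", "")).ljust(16, b"\x00") + bytes(192)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed sample: locally administered MAC, message type 1 (DISCOVER).
SAMPLE_PC = build_sample("02-00-5E-10-00-01", [
    (53, b"\x01"), (OPT_HOSTNAME, b"lab-pc-01"),
    (OPT_VENDOR_CLASS, b"MSFT 5.0"), (OPT_PARAM_LIST, bytes([1, 3, 6, 15])),
])

if __name__ == "__main__":
    attrs = parse_dhcp(SAMPLE_PC)
    print(attrs, "->", identify(attrs))
```

Every input here is supplied by the endpoint itself, so a match is an identification hint and not proof of what the device is.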


Test 5.3 Endpoint Profiling with HTTP Packets

Objective: Verify endpoint profiling with HTTP packets when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
3. Configure the aaa scheme.
4. Configure the MAC authentication profile on the device.
5. Configure the DHCP server on the device, and enable MAC authentication on the corresponding interface.
6. Connect the user terminal to the DUT and enable the MAC-authenticated port. Expected result 1 is displayed.
7. When a user goes online after passing the MAC authentication, push the guest management page to him and allow him to exchange HTTP packets with the ISE server.

Pass Criteria:
Result 1: The user passes the authentication successfully and obtains the corresponding IP address. The device shows that the authentication succeeds.
Result 2: The ISE server can identify terminals through HTTP.

Test Results:

1. Set the HTTP identification: User-Agent is the HTTP identifier of a device.
2. Configure identification policies to invoke attribute identification conditions.
3. Users go online, and terminal devices are identified based on the identification policies on the ISE server.

Test 5.4 Endpoint Profiling with RADIUS Packets

Objective: Verify endpoint profiling with RADIUS packets when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
3. Configure the aaa scheme.
4. Configure the MAC authentication profile on the device.
5. Configure the DHCP server on the device, and enable MAC authentication on the corresponding interface.
6. Connect the user terminal to the DUT and enable the MAC-authenticated port. Expected result 1 is displayed.
7. Configure terminal identification through RADIUS on the ISE server. Expected result 2 is displayed.

Pass Criteria:
Result 1: The user passes the authentication successfully and obtains the corresponding IP address. The device shows that the authentication succeeds.
Result 2: The ISE server can identify terminals through RADIUS.

Test Results:

1. Set the RADIUS identification: callingStationID is the MAC address of the device.
2. Configure identification policies to invoke attribute identification conditions.
3. Users go online, and terminal devices are identified based on the identification policies on the ISE server.

Test 5.5 Network Scan (NMAP)

Objective: Verify network scan (NMAP) when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
3. Configure the aaa scheme.
4. Configure the MAC authentication profile on the device.
5. Configure the DHCP server on the device, and enable MAC authentication on the corresponding interface.
6. Connect the user terminal to the DUT and enable the MAC-authenticated port. Expected result 1 is displayed.
7. Set the SNMP write community password as huawei123, which matches the configuration on the ISE. Configure Nmap scanning on the ISE server. Expected result 2 is displayed.

Pass Criteria:
Result 1: The user passes the authentication successfully and obtains the corresponding IP address. The device shows that the authentication succeeds.
Result 2: The ISE server identifies the device's IP address and MAC address, and identifies the terminal type based on the OUI.

Test Results:

Configuration:
1. Configure the Huawei S switch.

Configure the Cisco ISE server

2. Check the scanning result, and the device's IP address and MAC address are displayed. The terminal type is identified based on the OUI.

Test 6.1 Posture Assessment with the Cisco ISE and the Cisco NAC Appliance Agent

Objective: Verify posture assessment with the Cisco NAC appliance agent when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. User terminals without the NAC-agent access the DUT in wired mode. Expected result 1 is displayed.
2. After the NAC-agent is installed, the agent checks the user terminals and sends the result to the ISE server. Expected result 2 is displayed.
3. The ISE server sends the CoA re-authentication to terminal devices that have passed the check. Expected result 3 is displayed.

Pass Criteria:
Result 1: The ISE server detects the lack of the NAC-agent on the device through MAC authentication, and delivers the redirection URL to the NAC-agent download page. The user terminal then downloads and installs the NAC-agent through the redirection URL.
Result 2: When a terminal fails the check, the ISE server redirects the terminal to a URL for software repair. The terminal check does not end until the terminal passes the check.
Result 3: The device responds to CoA re-authentication, and the user's interface is authorized so that the user is granted the network access permission.

Test Results:

1. After the user goes online, the server redirects the user to the URL of the cpp page.
2. After opening the page, the user is redirected to the cpp page to check whether the NAC agent exists.
3. The NAC agent is installed successfully.
4. Start the NAC agent for terminal status check. Check whether the command is running. The check result shows that the command process has not been started, which indicates that the check fails.
5. Click Repair to invoke the command process and check the NAC agent again. The result shows that the check succeeds and network permissions are granted to the user.

Test 6.2 Guest Management (Guest self-registration and authentication)

Objective: Verify guest management when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the management VLAN10, and assign IP addresses to APs. Configure network access for APs.
3. Configure the RADIUS server on the switch.
4. Configure the aaa profile.
5. Configure the MAC authentication profile.
6. Configure the CoA authorization server.
7. Configure the ACL redirection on the switch.
8. Users access the network in wired mode for MAC authentication. Expected result 1 is displayed.
9. Open a web page and access any website. Enter the user name and password for authentication. Expected result 2 is displayed.

Pass Criteria:
Result 1: When the user accesses the network for MAC authentication, the server delivers the URL and redirection ACL. When the user opens a browser and enters any IP address in the address bar, the page is redirected to the Portal authentication page.
Result 2: After entering the user name and password, the user passes the Portal authentication successfully.

Test Results:

1. When a new user accesses the network, he must pass the MAC authentication first. After the authentication succeeds, the page is redirected to the guest management page. A user can log in to the system using a registered account or a new user can register an account first.
2. After a user registers an account, the system disconnects the user through CoA. The user should log in again using the new account.
3. After new users log in to the system, the server authorizes new policies to users so that they can obtain new permissions.

Test 6.3 BYOD (BYOD device self-registration and authentication)

Objective: Verify BYOD when a Huawei S switch works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.

Procedure:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the management VLAN10, and assign IP addresses to APs. Configure network access for APs.
3. Configure the RADIUS server on the switch.
4. Configure the aaa profile.
5. Configure the MAC authentication profile.
6. Configure the CoA authorization server.
7. Configure the ACL redirection on the switch.
8. Register users on the ISE server. Expected result 1 is displayed.
9. Users access the network in wireless mode. Expected result 2 is displayed.

Pass Criteria:
Result 1: The user registers the access device on the ISE server successfully.
Result 2: After entering the user name and password, the user passes the Portal authentication successfully.

Test Results:

1. All internal employees must go to the specified website page (My Devices Portal) to register their own BYOD devices.
2. Enter an employee account.
3. Click Adding a Device.
4. Add a device, and the device ID must be the mobile phone's MAC address.
5. The user has registered the BYOD device successfully, and has to register again on the BYOD device when he uses the device to log in.
6. The mobile phone connects to the wireless network. After the user enters any website in the address bar of a browser, the webpage will be redirected to the ISE server's BYOD page.
7. Click Start to enter the registered user name. The ISE obtains the mobile phone's MAC address.
8. Click Continue to download the TLS certificate and configuration files from the ISE server for login.
9. After the certificate is installed, the ISE server disconnects the user through CoA. The mobile phone goes online after re-authentication and obtains the network access permission based on configuration files and the TLS certificate.

About Tolly…

The Tolly Group companies have been delivering world-class IT services for over 25 years. Tolly is a leading global provider of
third-party validation services for vendors of IT products, components and services.
You can reach the company by email at sales@tolly.com, or by telephone at
+1 561.391.5610.
Visit Tolly on the Internet at:
http://www.tolly.com

Terms of Usage
This document is provided, free-of-charge, to help you understand whether a given product, technology or service merits additional
investigation for your particular needs. Any decision to purchase a product must be based on your own assessment of suitability
based on your needs. The document should never be used as a substitute for advice from a qualified IT or business professional.
This evaluation was focused on illustrating specific features and/or performance of the product(s) and was conducted under
controlled, laboratory conditions. Certain tests may have been tailored to reflect performance under ideal conditions; performance
may vary under real-world conditions. Users should run tests based on their own real-world scenarios to validate performance for
their own networks.
Reasonable efforts were made to ensure the accuracy of the data contained herein but errors and/or oversights can occur. The test/
audit documented herein may also rely on various test tools the accuracy of which is beyond our control. Furthermore, the
document relies on certain representations by the sponsor that are beyond our control to verify. Among these is that the software/
hardware tested is production or production track and is, or will be, available in equivalent or better form to commercial customers.
Accordingly, this document is provided "as is", and Tolly Enterprises, LLC (Tolly) gives no warranty, representation or undertaking,
whether express or implied, and accepts no legal responsibility, whether direct or indirect, for the accuracy, completeness,
usefulness or suitability of any information contained herein. By reviewing this document, you agree that your use of any
information contained herein is at your own risk, and you accept all risks and responsibility for losses, damages, costs and other
consequences resulting directly or indirectly from any information or material available on it. Tolly is not responsible for, and you
agree to hold Tolly and its related affiliates harmless from any loss, harm, injury or damage resulting from or arising out of your use
of or reliance on any of the information provided herein.
Tolly makes no claim as to whether any product or company described herein is suitable for investment. You should obtain your
own independent professional advice, whether legal, accounting or otherwise, before proceeding with any investment or project
related to any information, products or companies described herein. When foreign translations exist, the English document is
considered authoritative. To assure accuracy, only use documents downloaded directly from Tolly.com.
No part of any document may be reproduced, in whole or in part, without the specific written permission of Tolly. All trademarks
used in the document are owned by their respective owners. You agree not to use any trademark in or as the whole or part of your
own trademarks in connection with any activities, products or services which are not ours, or in a manner which may be confusing,
misleading or deceptive or in a manner that disparages us or our information, projects or developments.

216161-ivcofs15-yx-2017-02-14-VerA
