Posture Cisco ISE
Posture Cisco ISE
Posture Cisco ISE
December 2016
Tolly.
© 2016 TOLLY ENTERPRISES, LLC Tolly.com PAGE 1 OF 146
Huawei S Series Switches with VRP5 Software #216102
Executive Summary
Huawei Huawei commissioned Tolly to verify the Huawei S series switches’ interoperability
Technologies with the Cisco Identity Services Engine (ISE) for authentication and more.
Co., Ltd The complete list of devices tested is available in Table 1. Device support for each
individual test case is provided in the test results (Table 2) and further details in the
S Series test case descriptions.
Switches
Interoperability
with the Cisco
Tested
Identity Services October
Engine (ISE) 2016
Product Version
Version 2.0.0.306
Identity Services Engine (ISE)
ADE-OS Version 2.3.0.187
Huawei S Series Switches Interoperability with the Cisco ISE Test Results
Authentication Protocol Generic RADIUS Attributes
Framed-IP-Address
✔ PAP/CHAP ✔
On-demand DHCP IP address
Framed-Pool
✔ EAP-MD5 ✔
On-demand DHCP Pool
✔ PEAP ✔ NAS-Port
✔ EAP-TLS Others
Post-rejection Authentication
✔ EAP-TTLS ✔
Once a client is rejected by ISE, authenticate certain VLAN to it
✔ EAP-FAST ✔ Time-based Authentication Policy
Authentication Method Change of Authorization (CoA)
✔ Wired MAC Authentication ✔ Session Re-authentication
✔ Wired 802.1X Authentication ✔ Session Termination
CoA Port Customization in ISE
✔ Wireless MAC Authentication ✔ Huawei S switches use port 3799 for CoA. The CoA destination port can be
changed to 3799 in Cisco ISE for interoperability
Service Scheme
✔ Assign one existing service scheme to the user with Huawei’s HW-Service-
Scheme attribute and the service scheme’s name
Verify the 802.1X authentication method with the PAP/CHAP authentication protocol when a Huawei S switch
Objective works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.
1. Configure the Huawei S switch to ensure that the Huawei switch and the Cisco ISE server communicate with
each other at Layer 3.
2. Create the Cisco ISE server profile and configure the related parameters, including IP address of the
authentication server, port number, the RADIUS server key, and the retransmission time. Create an
authentication scheme, and configure the authentication mode as RADIUS. Configure a domain name, and
apply the authentication scheme to the domain.
3. Configure the Huawei switch 802.1X authentication mode as CHAP.
#
dot1x-access-profile name tolly
dot1x authentication-method chap
#
Pass
The PC is authenticated to have network access.
Criteria
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
#
radius-server template tolly
radius-server shared-key cipher huawei123
radius-server authentication 192.89.11.188 1812 weight 80
radius-server accounting 192.89.11.188 1813 weight 80
undo radius-server user-name domain-included
calling-station-id mac-format hyphen-split mode2
#
5. Configure the DHCP server on the device, and enable dot1x authentication on the correspondent interface.
#
interface Vlanif4090
ip address 192.89.6.202 255.255.255.0
dhcp select interface
interface GigabitEthernet1/1/0
port link-type hybrid
port hybrid pvid vlan 4090
port hybrid untagged vlan 4090
authentication-profile tolly
#
6. The tested device displays 802.1X authentication statistics information, which indicates that the authentication
succeeds.
Test
Results
Test
Results
Test
Results
Test
Results
Verify the 802.1X authentication method with the EAP-MD5 authentication protocol when a Huawei S switch
Objective works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.
1. Configure the Huawei S switch to ensure that the Huawei switch and the Cisco ISE server communicate with
each other at Layer 3.
2. Create the Cisco ISE server profile and configure the related parameters, including IP address of the
authentication server, port number, the RADIUS server key, and the retransmission time. Create an
authentication scheme, and configure the authentication mode as RADIUS. Configure a domain name, and
apply the authentication scheme to the domain.
3. Configure the Huawei switch 802.1X authentication mode as EAP.
#
dot1x-access-profile name tolly
dot1x authentication-method eap
#
Pass
The PC is authenticated to have network access.
Criteria
Test
Results
Test
Results
Test
Results
Test
Results
Verify the 802.1X authentication method with the PEAP authentication protocol when a Huawei S switch works
Objective as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.
1. Configure the Huawei S switch to ensure that the Huawei switch and the Cisco ISE server communicate with
each other at Layer 3.
2. Create the Cisco ISE server profile and configure the related parameters, including IP address of the
authentication server, port number, the RADIUS server key, and the retransmission time. Create an
authentication scheme, and configure the authentication mode as RADIUS. Configure a domain name, and
apply the authentication scheme to the domain.
3. Configure the Huawei switch 802.1X authentication mode as EAP.
#
dot1x-access-profile name tolly
dot1x authentication-method eap
#
Pass
The PC is authenticated to have network access.
Criteria
Test
Results
Test
Results
Test
Results
Test
Results
Verify the 802.1X authentication method with the EAP-TLS authentication protocol when a Huawei S switch
Objective works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.
1. Configure the Huawei S switch to ensure that the Huawei switch and the Cisco ISE server communicate with
each other at Layer 3.
2. Create the Cisco ISE server profile and configure the related parameters, including IP address of the
authentication server, port number, the RADIUS server key, and the retransmission time. Create an
authentication scheme, and configure the authentication mode as RADIUS. Configure a domain name, and
apply the authentication scheme to the domain.
3. Configure the Huawei switch 802.1X authentication mode as EAP.
#
dot1x-access-profile name tolly
dot1x authentication-method eap
#
Pass
The PC is authenticated to have network access.
Criteria
Test
Results
Test
Results
Test
Results
Test
Results
Verify the 802.1X authentication method with the EAP-TTLS authentication protocol when a Huawei S switch
Objective works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.
1. Configure the Huawei S switch to ensure that the Huawei switch and the Cisco ISE server communicate with
each other at Layer 3.
2. Create the Cisco ISE server profile and configure the related parameters, including IP address of the
authentication server, port number, the RADIUS server key, and the retransmission time. Create an
authentication scheme, and configure the authentication mode as RADIUS. Configure a domain name, and
apply the authentication scheme to the domain.
3. Configure the Huawei switch 802.1X authentication mode as EAP.
#
dot1x-access-profile name tolly
dot1x authentication-method eap
#
Pass
The PC is authenticated to have network access.
Criteria
Test
Results
Test
Results
Verify the 802.1X authentication method with the EAP-FAST authentication protocol when a Huawei S switch
Objective works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server.
1. Configure the Huawei S switch to ensure that the Huawei switch and the Cisco ISE server communicate with
each other at Layer 3.
2. Create the Cisco ISE server profile and configure the related parameters, including IP address of the
authentication server, port number, the RADIUS server key, and the retransmission time. Create an
authentication scheme, and configure the authentication mode as RADIUS. Configure a domain name, and
apply the authentication scheme to the domain.
3. Configure the Huawei switch 802.1X authentication mode as EAP.
#
dot1x-access-profile name tolly
dot1x authentication-method eap
#
Pass
The PC is authenticated to have network access.
Criteria
Test
Results
Test
Results
Test
Results
Test
Results
Verify the MAC authentication method for a wired PC when a Huawei S switch works as the access control switch
Objective and the Cisco ISE server works as the authentication (RADIUS) server.
1. Configure the Huawei S switch to ensure that the Huawei switch and the Cisco ISE server communicate with
each other at Layer 3.
2. Create the Cisco ISE server profile and configure the related parameters, including IP address of the
authentication server, port number, the RADIUS server key, and the retransmission time. Create an
authentication scheme, and configure the authentication mode as RADIUS. Configure a domain name, and
apply the authentication scheme to the domain. Add the PC’s MAC address to the user list.
3. Configure the Huawei switch's MAC authentication profile.
4. Connect the PC to the Huawei S Switch and expected result 1 is displayed.
Procedure
Pass
The PC is authenticated to have network access.
Criteria
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the Huawei switch 802.1X authentication mode as EAP.
#
radius-server template tolly_mac
radius-server shared-key cipher huawei123
radius-server authentication 192.89.11.188 1812 weight 80
radius-server accounting 192.89.11.188 1813 weight 80
undo radius-server user-name domain-included
calling-station-id mac-format hyphen-split mode2
radius-attribute set Service-Type 10
#
domain tolly_mac
authentication-scheme tolly
authorization-scheme tolly
radius-server tolly_mac
Test #
Results
3. Configure the aaa scheme.
#
aaa
authentication-scheme tolly
authentication-mode radius
authorization-scheme tolly
accounting-scheme tolly
accounting-mode radius
domain tolly_mac
authentication-scheme tolly
accounting-scheme tolly
radius-server tolly_mac
#
5. Configure the DHCP server on the device, and enable MAC authentication on the correspondent interface.
#
interface Vlanif4090
ip address 192.89.11.10 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet1/0/0
Test port link-type hybrid
Results
port hybrid pvid vlan 4090
port hybrid untagged vlan 4090
authentication-profile tolly_mac
#
6. Connect the user terminal to the DUT and enable the MAC-authenticated port. Expected result 1 is displayed.
Test
Results
Verify the 802.1X authentication method for a wired PC when a Huawei S switch works as the access control
Objective switch and the Cisco ISE server works as the authentication (RADIUS) server.
1. Configure the Huawei S switch to ensure that the Huawei switch and the Cisco ISE server communicate with
each other at Layer 3.
2. Create the Cisco ISE server profile and configure the related parameters, including IP address of the
authentication server, port number, the RADIUS server key, and the retransmission time. Create an
authentication scheme, and configure the authentication mode as RADIUS. Configure a domain name, and
apply the authentication scheme to the domain. Add the PC’s MAC address to the user list.
3. Configure the Huawei switch's 802.1X authentication profile.
4. Connect the PC to the Huawei S Switch and expected result 1 is displayed.
Procedure
Pass
The PC is authenticated to have network access.
Criteria
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
#
radius-server template tolly
radius-server shared-key cipher huawei123
radius-server authentication 192.89.11.188 1812 weight 80
radius-server accounting 192.89.11.188 1813 weight 80
undo radius-server user-name domain-included
calling-station-id mac-format hyphen-split mode2
#
5. Configure the DHCP server on the device, and enable dot1x authentication on the correspondent interface.
#
interface Vlanif4090
ip address 192.89.6.202 255.255.255.0
dhcp select interface
interface GigabitEthernet1/1/0
port link-type hybrid
port hybrid pvid vlan 4090
port hybrid untagged vlan 4090
authentication-profile tolly
#
6. Enter the correct user name and password on the device for authentication. Check the user address and
authentication information, and expected result 1 is displayed.
Test
Results
Test
Results
Verify the MAC authentication method for a wireless client when a Huawei S switch works as the access control
Objective switch and the Cisco ISE server works as the authentication (RADIUS) server.
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the management VLAN10, and assign IP addresses to APs. Configure network access for APs.
3. Configure the RADIUS server profile and aaa profile on the switch.
4. Configure the MAC authentication profile on the device.
5. Configure the DHCP server on the device, and enable MAC authentication on the correspondent interface.
6. In the WLAN view, configure the security and SSID profiles. Bind the security and authentication profiles,
service WLAN, forwarding mode, and SSID profile to the VAP profile. Configure the AP Group and bind it to the
VAP profile.
7. The terminal accesses the wireless network through the SSID. Expected result 1 is displayed.
Procedure
Pass
The wireless laptop is authenticated to have network access.
Criteria
Test
Results
Verify the 802.1X authentication method for a wireless client when a Huawei S switch works as the access
Objective control switch and the Cisco ISE server works as the authentication (RADIUS) server.
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the management VLAN10, and assign IP addresses to APs. Configure network access for APs.
3. Configure the RADIUS server profile and aaa profile on the switch.
4. Configure the aaa scheme.
5. Configure the 802.1X authentication profile on the device.
6. Configure the DHCP server on the device, and enable dot1x authentication on the correspondent interface.
7. In the WLAN view, configure the security and SSID profiles. Bind the security and authentication profiles,
service WLAN, forwarding mode, and SSID profile to the VAP profile. Configure the AP Group and bind it to the
VAP profile.
8. The user accesses the wireless network through the SSID, and enters the user name and password for
authentication. Expected result 1 is displayed.
Procedure
Pass
The wireless laptop is authenticated to have network access.
Criteria
Test
Results
Test
Results
Test 2.5 Wired and Wireless Web Portal Authentication (Huawei S Switch as the Portal Server)
Verify the web portal authentication method for a wired client and a wireless client when a Huawei S switch
Objective works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server. The web
portal is hosted on the Huawei S switch.
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the management VLAN10, and assign IP addresses to APs. Configure network access for APs.
3. Configure the RADIUS server profile and aaa profile on the switch.
4. Configure the aaa scheme.
5. Load the ipsec.pem and ipseckey.pem certificates to the security file, and configure the ssl profile.
6. Configure the built-in Portal server on the switch, and obtain the URL address on the ISE server.
7. Configure the Portal authentication profile.
8. Configure the DHCP server on the device.
9. In the WLAN view, configure the security and SSID profiles. Bind the security and authentication profiles,
service WLAN, forwarding mode, and SSID profile to the VAP profile. Configure the AP Group and bind it to the
VAP profile.
Procedure 10. The user accesses the wireless network through the SSID. Open a webpage and enter any address in the
address bar. Expected result 1 is displayed.
11. Configure the Portal authentication profile on the correspondent interface. The user accesses the network in
wired mode. Open a webpage and enter any address in the address bar on the PC. Expected result 1 is
displayed.
Pass
The wired PC and the wireless laptop are both authenticated to have network access.
Criteria
Test
Results
Test
Results
Test 2.6 Wired and Wireless Web Portal Authentication (Cisco ISE Server as the Portal Server)
Verify the web portal authentication method for a wired client and a wireless client when a Huawei S switch
Objective works as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server. The web
portal is hosted on the Cisco ISE server.
1. All devices are working properly. The test environment has been set up according to the networking diagram.
2. Related configuration has been completed on the ISE authentication server.
3. Configure the switch's IP address so that the switch can communicate with the ISE server.
4. Configure the management VLAN10, and assign IP addresses to APs. Configure network access for APs.
5. Configure the RADIUS server on the switch.
6. Configure the aaa profile.
7. Configure the MAC authentication profile.
8. Configure the CoA authorization server.
9. Configure the ACL redirection on the switch.
10. Users access the network in wired mode for MAC authentication. Expected result 1 is displayed.
11. Open a web page and access any website. Enter the user name and password for authentication. Expected
Procedure result 2 is displayed.
1. When the user accesses the network for MAC authentication, the server delivers URL and redirection ACL.
Open a browser and enter any IP address in the address bar, the page is redirected to the Portal authentication
Pass
page.
Criteria
2. After entering the user name and password, the user passes the Portal authentication successfully.
Test
Results
Test
Results
Test
Results
Test
Results
Verify the mixed MAC and 802.1X authentication methods for a wired client when a Huawei S switch works as
Objective the access control switch and the Cisco ISE server works as the authentication (RADIUS) server. The web portal is
hosted on the Cisco ISE server.
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
3. Configure the aaa scheme.
4. Configure the MAC authentication and dot1x authentication profiles on the device.
5. Configure the DHCP server on the device, and enable MAC authentication on the correspondent interface.
6. Use the tester interface as the user terminal to connect to the DUT and enable the MAC-authenticated and
802.1X-authenticated ports. Expected result 1 is displayed
Procedure
Create two device users on the Spirent TestCenter interface for MAC authentication and 802.1X authentication
Pass
respectively. After passing the authentication, the user obtains the IP address. The device shows that the
Criteria authentication succeeds.
Configuration Steps:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
#
radius-server template tolly
radius-server shared-key cipher huawei123
radius-server authentication 192.89.11.188 1812 weight 80
radius-server accounting 192.89.11.188 1813 weight 80
undo radius-server user-name domain-included
calling-station-id mac-format hyphen-split mode2
#
radius-server template tolly_mac
radius-server shared-key cipher huawei123
radius-server authentication 192.89.11.188 1812 weight 80
radius-server accounting 192.89.11.188 1813 weight 80
4. Configure the MAC authentication and dot1x authentication profiles on the device.
#
mac-access-profile name tolly
mac-authen username macaddress format with-hyphen normal uppercase
dot1x-access-profile name tolly
authentication-method eap
dot1x-access-profile tolly
mac-access-profile tolly
access-domain tolly dot1x force
access-domain tolly_mac mac-authen force
access-domain tolly force
#
5. Configure the DHCP server on the device, and enable MAC authentication on the correspondent interface.
#
interface Vlanif4090
ip address 192.89.11.10 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 4090
port hybrid untagged vlan 4090
authentication-profile tolly
#
6. Use the tester interface as the user terminal to connect to the DUT and enable the MAC-authenticated and
802.1X-authenticated ports. Expected result 1 is displayed
Results:
Test Create two device users on the tester interface for MAC authentication and 802.1X authentication respectively.
Results After passing the authentication, the user obtains the IP address. The device shows that the authentication
succeeds.
Test
Results
Verify the mixed MAC and Web Portal authentication methods for a wired client when a Huawei S switch works
Objective as the access control switch and the Cisco ISE server works as the authentication (RADIUS) server. The web portal
is hosted on the Cisco ISE server.
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the management VLAN, and assign IP addresses to APs. Configure network access for APs.
3. Configure the RADIUS server profile and aaa profile on the switch.
4. Configure the MAC authentication and Portal authentication profiles on the device.
5. Configure the DHCP server on the device, and enable combined MAC authentication and Portal authentication
on the correspondent interface.
6. In the WLAN view, configure the security and SSID profiles. Bind the security and authentication profiles,
service WLAN, forwarding mode, and SSID profile to the VAP profile. Configure the AP Group and bind it to the
VAP profile.
7. The wireless terminal accesses the network through the SSID for MAC authentication. Expected result 1 is
displayed.
8. For users who fail to pass the MAC authentication, allow them to perform the Portal authentication. Expected
Procedure result 2 is displayed.
Result 1: The user passes the authentication successfully and obtains the correspondent IP address. The device
shows that the authentication succeeds.
Pass
Criteria Result 2: The user opens the browser and enters any IP address for Portal authentication. Enter the user name
and password, and the device shows that the authentication succeeds.
1. The user goes online for MAC authentication, and obtains the correspondent VLAN address.
Test
Results
2. The user goes online for Portal authentication, and obtains the correspondent VLAN address.
Test
Results
Verify the built-in authentication attribute Dynamic VLAN when a Huawei S switch works as the access control
Objective switch and the Cisco ISE server works as the authentication (RADIUS) server.
1. Configure DUT to ensure that DUT and RADIUS server communicate with each other at Layer 3.
2. Create a RADIUS server profile and configure the related parameters, including IP address of the authentication
server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme,
and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication
scheme to the domain.
3. Enable 802.1X authentication globally and on the interface Port_1.
4. Configure the authorization policy on the ISE server: Deliver the dynamic VLAN11. Create VLAN11 on the
device, and configure VLANIF11 as the DHCP IP address pool.
5. Use the PC to initiate the 802.1X authentication, and expected result 1 is displayed.
Procedure
Pass The tested device displays 802.1X authentication statistics information, which indicates that the authentication
Criteria succeeds. Dynamic VLAN11 and IP address can be obtained.
1. Configure the dynamic VLAN11 authorization in the ISE server authorization policy.
Test
Results
2. Create VLAN11 on the device. The device goes online after passing the authentication successfully, and obtains
the dynamic VLAN11.
Test
Results
Verify the built-in authentication attribute Dynamic ACL when a Huawei S switch works as the access control
Objective switch and the Cisco ISE server works as the authentication (RADIUS) server.
1. Configure DUT to ensure that DUT and RADIUS server communicate with each other at Layer 3.
2. Create a RADIUS server profile and configure the related parameters, including IP address of the authentication
server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme,
and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication
scheme to the domain.
3. Enable 802.1X authentication globally and on the interface Port_1.
4. Configure the ACL 3000 authorization on the ISE server, and configure the correspondent ACL 3000 description
3000.in on the device.
5. Use the PC to initiate the 802.1X authentication, and expected result 1 is displayed.
6. Use the tester to send packets to the destination address 100.1.1.10, and expected result 2 is displayed.
Procedure
Result 1: The tested device displays 802.1X authentication statistics information, which indicates that the
Pass authentication succeeds.
Criteria
Result 2: The tester sends packets to the destination address 100.1.1.10, and the traffic is denied.
1. Configure the ACL 3000 dynamic authorization in the ISE server authorization policy.
Test
Results
3. The device goes online after passing the authentication successfully, and obtains the dynamic ACL.
Test
Results
4. The tester sends packets to the destination address 100.1.1.10, and the traffic is denied.
Test
Results
Verify the Huawei authentication attribute Dynamic ACL Rule when a Huawei S switch works as the access
Objective control switch and the Cisco ISE server works as the authentication (RADIUS) server. Huawei attributes can be
imported to the Cisco ISE server.
1. Configure DUT to ensure that DUT and RADIUS server communicate with each other at Layer 3.
2. Create a RADIUS server profile and configure the related parameters, including IP address of the authentication
server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme,
and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication
scheme to the domain.
3. Enable 802.1X authentication globally and on the interface Port_1.
4. Configure the DACL authorization on the ISE server.
5. Use the PC to initiate the 802.1X authentication, and expected result 1 is displayed.
6. Use the tester to send packets to the destination address 100.1.1.10, and expected result 2 is displayed.
Procedure
Result 1: The tested device displays 802.1X authentication statistics information, which indicates that the
Pass authentication succeeds.
Criteria
Result 2: The tester sends packets to the destination address 100.1.1.10, and the traffic is denied.
1. Configure the DACL dynamic authorization in the ISE server authorization policy.
Test
Results
2. The device goes online after passing the authentication successfully, and obtains the dynamic DACL.
Test
Results
3. The tester sends packets to the destination address 100.1.1.10, and the traffic is denied.
Test
Results
Verify the Huawei authentication attribute Dynamic UCL Group when a Huawei S switch works as the access
Objective control switch and the Cisco ISE server works as the authentication (RADIUS) server. Huawei attributes can be
imported to the Cisco ISE server.
1. Configure DUT to ensure that DUT and RADIUS server communicate with each other at Layer 3.
2. Create a RADIUS server profile and configure the related parameters, including IP address of the authentication
server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme,
and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication
scheme to the domain.
3. Enable 802.1X authentication globally and on the interface Port_1.
4. Configure the UCL-group 10 authorization on the ISE server, and create UCL-group 10 on the device. Create
and bind ACL 6000 to UCL-group 10.
5. Use the tester as a host to initiate the 802.1X authentication, and expected result 1 is displayed.
6. Use the tester to send traffic that matches ACL6000, and expected result 2 is displayed.
Procedure
Result 1: The tested device displays 802.1X authentication statistics information, which indicates that the
Pass authentication succeeds. The device can obtain the UCL-group 10.
Criteria
Result 2: The tester sends traffic that matches ACL6000, and the traffic is denied.
1. Configure the UCL-group 10 dynamic authorization in the ISE server authorization policy.
Test
Results
2. Configure UCL-group 10 on the device. Create ACL 6000, bind it to UCL-group 10, and apply it.
Test
Results
3. The user goes online after passing the authentication, and obtains the UCL-group successfully.
Test
Results
4. The tester sends traffic that matches ACL6000, and the traffic is denied.
Test 3.5 Huawei Authentication Attribute: Dynamic CAR CIR (Rate Limiting)
Verify the Huawei authentication attribute Dynamic CAR CIR when a Huawei S switch works as the access control
Objective switch and the Cisco ISE server works as the authentication (RADIUS) server. Huawei attributes can be imported
to the Cisco ISE server.
1. Configure DUT to ensure that DUT and RADIUS server communicate with each other at Layer 3.
2. Create a RADIUS server profile and configure the related parameters, including IP address of the authentication
server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme,
and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication
scheme to the domain.
3. Enable 802.1X authentication globally and on the interface Port_1.
4. Configure the upstream and downstream CAR authorization on the ISE server.
5. Use the PC to initiate the 802.1X authentication, and expected result 1 is displayed.
6. Use the tester to send upstream and downstream test traffic, and expected result 2 is displayed.
Procedure
Result 1: The tested device displays 802.1X authentication statistics information, which indicates that the
Pass authentication succeeds.
Criteria
Result 2: The tester sends upstream and downstream traffic that is limited to a certain rate.
1. Configure upstream and downstream CAR dynamic authorization in the ISE server authorization policy; the
CAR is limited to 300 Mbit/s.
Test
Results
2. The device goes online after passing the authentication successfully, and obtains the authorized CAR.
Test
Results
3. The tester sends upstream and downstream test traffic at a rate of 1000 Mbit/s, and the traffic is limited to
300 Mbit/s.
Test
Results
1. Configure DUT to ensure that DUT and RADIUS server communicate with each other at Layer 3.
2. Create a RADIUS server profile and configure the related parameters, including IP address of the authentication
server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme,
and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication
scheme to the domain.
3. Configure PPP authentication on the device so that the host can access the network after passing PPPoE
authentication.
4. Configure HW-Service-Scheme: pppoe authorization on the ISE server. Create Service-Scheme: pppoe in the
AAA view. Bind Service-Scheme to the address pool vlan44.
5. After the PC dials in through PPPoE authentication, expected result 1 is displayed.
6. Add the service scheme pppoe in the default domain. Configure the frame-ip-address attribute in the ISE
Procedure authorization policy, and assign fixed IP addresses to users. Expected result 2 is displayed.
7. Add the service scheme pppoe in the default domain. Configure the frame-pool attribute in the ISE
authorization policy, and assign the IP address pool to users. Expected result 3 is displayed.
Result 1: The tested device displays authentication statistics information, which indicates that the PPP
authentication succeeds. The device can obtain addresses from the VLAN44 IP address pool.
Pass Result 2: The PC goes online after passing authentication successfully, and obtains the fixed IP address assigned
Criteria by the ISE server.
Result 3: The PC goes online after passing authentication successfully, and obtains the IP address from the IP
address pool delivered by the ISE server.
Configuration:
1. Configure DUT to ensure that DUT and RADIUS server communicate with each other at Layer 3.
2. Create a RADIUS server profile and configure the related parameters, including IP address of the authentication
server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme,
and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication
scheme to the domain.
3. Configure PPP authentication on the device so that the host can access the network after passing PPPoE
authentication.
#
interface Virtual-Template1
ppp keepalive retransmit 4
ppp mru 1400
ppp authentication-mode pap
ppp timer negotiate 5
ip address 44.4.4.1 255.255.255.0
#
#
Test interface Vlanif44
Results
pppoe-server bind virtual-template 1
#
#
ip pool vlan44
gateway-list 44.4.4.1
network 44.4.4.0 mask 255.255.255.0
#
4. Configure HW-Service-Scheme: pppoe authorization on the ISE server. Create Service-Scheme: pppoe in the
AAA view. Bind Service-Scheme to the address pool vlan44.
#
ip pool vlan44
gateway-list 44.4.4.1
network 44.4.4.0 mask 255.255.255.0
#
#
aaa
service-scheme pppoe
ip-pool vlan44
domain default
authentication-scheme radius
radius-server tolly
#
7. Add the service scheme pppoe in the default domain. Configure the frame-pool attribute in the ISE
authorization policy, and assign the IP address pool to users. Expected result 3 is displayed.
Results:
1. Configure HW-Service-Scheme: pppoe authorization on the ISE server.
Test
Results
2. Configure the service scheme pppoe in the AAA view, and bind vlan44 IP address pool to pppoe. The user goes
online after passing authentication successfully, and obtains the pppoe service scheme and IP address.
Test
Results
Test
Results
3. Configure the frame-ip-address attribute in the ISE authorization policy, and users can obtain fixed IP
addresses.
Test
Results
Test
Results
4. Configure the frame-pool attribute in the ISE authorization policy, and users can obtain IP addresses from the
assigned IP address pool.
Test
Results
Test
Results
Verify the generic RADIUS attribute NAS-Port when a Huawei S switch works as the access control switch and the
Objective Cisco ISE server works as the authentication (RADIUS) server.
1. Configure DUT to ensure that DUT and RADIUS server communicate with each other at Layer 3.
2. Create a RADIUS server profile and configure the related parameters, including IP address of the authentication
server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme,
and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication
scheme to the domain.
3. Enable 802.1X authentication globally and on the interface Port_1.
4. Use the PC to initiate the 802.1X authentication, and expected result 1 is displayed.
Procedure
Result 1: The tested device displays 802.1X authentication statistics information, which indicates that the PC
Pass
passes authentication successfully. The access user's physical port number can be viewed on the ISE server
Criteria through the NAS-Port attribute.
1. The tested device displays 802.1X authentication statistics information, which indicates that the PC passes
authentication successfully. The access user's physical port number can be viewed on the ISE server through
the NAS-Port attribute.
Test
Results
Test
Results
Test
Results
Test
Results
Verify the post-rejection authentication when a Huawei S switch works as the access control switch and the
Objective Cisco ISE server works as the authentication (RADIUS) server.
1. Configure DUT to ensure that DUT and RADIUS server communicate with each other at Layer 3.
2. Create a RADIUS server profile and configure the related parameters, including IP address of the authentication
server, port number, the RADIUS server key, and the retransmission time. Create an authentication scheme,
and configure the authentication mode as RADIUS. Configure a domain name, and apply the authentication
scheme to the domain.
3. Enable 802.1X authentication globally and on the interface Port_1.
4. Enter the correct user name and password on the PC to initiate 802.1X authentication. Expected result 1 is
displayed.
5. Configure the event on the device that if authentication fails, authorize VLAN10 to users. Configure VLANIF10
IP address pool.
6. Enter the wrong password for authentication on the PC. Expected result 2 is displayed.
Procedure
Result 1: The tested device displays 802.1X authentication statistics information, which indicates that the
Pass authentication succeeds.
Criteria
Result 2: The PC authentication fails, and the PC obtains the VLANIF10 IP address.
1. Enter the correct user name and password, and the PC can go online after passing the authentication
successfully.
Test
Results
2. Configure the event on the device that if authentication fails, authorize VLAN10.
Test
Results
Test
Results
Verify the time-based authentication when a Huawei S switch works as the access control switch and the Cisco
Objective ISE server works as the authentication (RADIUS) server.
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
3. Configure the aaa scheme.
4. Configure the 802.1X authentication profile on the device.
5. Configure the DHCP server on the device, and enable dot1x authentication on the correspondent port.
6. Enter the correct user name and password on the device for authentication. Check the user address and
authentication information, and expected result 1 is displayed.
7. Configure time ranges on the ISE server. Authorization policies vary with different time periods.
Procedure
Result 1: The user passes the authentication successfully and obtains the correspondent IP address. The device
Pass shows that the authentication succeeds.
Criteria
Result 2: Users obtain different authorization policies based on time periods.
Configuration
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
#
radius-server template tolly
radius-server shared-key cipher huawei123
radius-server authentication 192.89.11.188 1812 weight 80
radius-server accounting 192.89.11.188 1813 weight 80
undo radius-server user-name domain-included
calling-station-id mac-format hyphen-split mode2
#
5. Configure the DHCP server on the device, and enable dot1x authentication on the correspondent port.
#
interface Vlanif4090
ip address 192.89.6.202 255.255.255.0
dhcp select interface
interface GigabitEthernet1/1/0
port link-type hybrid
port hybrid pvid vlan 4090
port hybrid untagged vlan 4090
authentication-profile tolly
#
6. Enter the correct user name and password on the device for authentication. Check the user address and
authentication information, and expected result 1 is displayed.
7. Configure time ranges on the ISE server. Authorization policies vary with different time periods.
Test Results:
Test 1. Configure different time ranges and two dot1x authorization policies on the ISE server. Users obtain different
Results authorization policies based on their login time periods.
Test
Results
2. A user goes online after passing the dot1x authentication, and obtains the correspondent authorization policy
based on the login time period.
Test
Results
Verify session re-authentication when a Huawei S switch works as the access control switch and the Cisco ISE
Objective server works as the authentication (RADIUS) server.
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the management VLAN10, and assign IP addresses to APs. Configure network access for APs.
3. Configure the RADIUS server on the switch.
4. Configure the aaa profile.
5. Configure the MAC authentication profile.
6. Configure the CoA authorization server.
7. Configure the redirection ACL on the switch.
8. Users access the network in wired mode for MAC authentication. Expected result 1 is displayed.
9. Open a web page and access any website. Enter the user name and password for authentication. Expected
result 2 is displayed.
Procedure
Result 1: When the user accesses the network for MAC authentication, the server delivers URL and redirection
ACL. Open a browser and enter any IP address in the address bar, the page is redirected to the guest
Pass
management page.
Criteria
Result 2: After entering the user name and password, the user passes the Portal authentication successfully.
1. Configure the RADIUS authorization server, and enable the device to respond to and process ISE CoA packets.
On the ISE server, change the CoA port number of the access device to 3799 (change the destination port
number in the 1.6.3 case).
#
radius-server authorization 192.89.11.188 shared-key cipher huawei123
#
Test
Results
2. When a new user accesses the network, he must pass the MAC authentication first. After the authentication
succeeds, the page is redirected to the guest management page. A user can log in to the system using a
registered account or a new user can register an account first.
Test
Results 3. After a user registers an account, the system disconnect the user through CoA. The user should log in again
using the new account.
4. After new users log in to the system, the server authorizes new policies to users so that they can obtain new
permissions.
Test
Results
Test
Results
Verify session termination when a Huawei S switch works as the access control switch and the Cisco ISE server
Objective works as the authentication (RADIUS) server.
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
3. Configure the MAC authentication profile on the device.
4. Configure the DHCP server on the device, and enable MAC authentication on the correspondent port.
5. Connect the user terminal to the DUT and enable the MAC-authenticated port. Expected result 1 is displayed.
6. Configure the RADIUS authorization server on the device and use the ISE server to disconnect online users.
Expected result 2 is displayed.
Procedure
Result 1: The user passes the authentication successfully and obtains the correspondent IP address. The device
shows that the authentication succeeds.
Pass
Criteria Result 2: Online users are disconnected from the network by the ISE server, and online user entries are deleted
from the device.
1. The user goes online after passing the MAC authentication successfully, and obtains the correspondent IP
address.
Test
Results
2. Online users are disconnected from the network by the ISE server, and online user entries are deleted from the
device.
Test
Results
Verify CoA port customization when a Huawei S switch works as the access control switch and the Cisco ISE
Objective server works as the authentication (RADIUS) server.
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
3. Configure the MAC authentication profile on the device.
4. Configure the DHCP server on the device, and enable MAC authentication on the correspondent port.
5. Connect the user terminal to the DUT and enable the MAC-authenticated port.
6. Change the CoA port number of the access device to 3799 on the ISE server.
7. Configure the RADIUS authorization server on the device and use the ISE server to disconnect online users.
Expected result 1 is displayed.
Procedure
Pass
Result 1: The CoA port number is changed to 3799, and online users are disconnected.
Criteria
Configuration:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
#
radius-server template mac_auth
radius-server shared-key cipher Huawei@123
radius-server authentication 192.89.11.188 1812 weight 80
radius-server accounting 192.89.11.188 1813 weight 80
undo radius-server user-name domain-included
calling-station-id mac-format hyphen-split mode2
radius-attribute set Service-Type 10
#
4. Configure the DHCP server on the device, and enable MAC authentication on the correspondent port.
#
interface Vlanif12
ip address 12.1.1.1 255.255.255.0
dhcp select interface
interface GigabitEthernet0/0/2
port link-type access
port default vlan 130
authentication-profile mac_auth
#
5. Connect the user terminal to the DUT and enable the MAC-authenticated port.
6. Change the CoA port number of the access device to 3799 on the ISE server.
7. Configure the RADIUS authorization server on the device and use the ISE server to disconnect online users.
Expected result 1 is displayed.
#
radius-server authorization 192.89.11.188 shared-key cipher huawei123
#
Results:
1. Change the CoA port number of the access device to 3799 on the ISE server.
Test
Results
2. The online user is disconnected from the network by the ISE server. The CoA port number of the disconnection
packet sent by the RADIUS server is changed to 3799.
Test
Results
Verify endpoint profiling with DHCP packets when a Huawei S switch works as the access control switch and the
Objective Cisco ISE server works as the authentication (RADIUS) server.
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
3. Configure the aaa scheme.
4. Configure the MAC authentication profile on the device.
5. Configure the DHCP server on the device, and enable MAC authentication on the correspondent interface.
6. Connect the user terminal to the DUT and enable the MAC-authenticated port. Expected result 1 is displayed.
7. Configure terminal identification through DHCP on the ISE server. Expected result 2 is displayed.
Procedure
Result 1: The user passes the authentication successfully and obtains the correspondent IP address. The device
Pass shows that the authentication succeeds.
Criteria
Result 2: The ISE server can identify terminals through DHCP.
Configuration:
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
#
radius-server template tolly_mac
radius-server shared-key cipher huawei123
radius-server authentication 192.89.11.188 1812 weight 80
radius-server accounting 192.89.11.188 1813 weight 80
undo radius-server user-name domain-included
calling-station-id mac-format hyphen-split mode2
radius-attribute set Service-Type 10
#
domain tolly_mac
authentication-scheme tolly
authorization-scheme tolly
radius-server tolly_mac
Test
#
Results
3. Configure the aaa scheme.
#
aaa
authentication-scheme tolly
authentication-mode radius
authorization-scheme tolly
accounting-scheme tolly
accounting-mode radius
domain tolly_mac
authentication-scheme tolly
accounting-scheme tolly
radius-server tolly_mac
#
5. Configure the DHCP server on the device, and enable MAC authentication on the correspondent interface.
#
interface Vlanif4090
ip address 192.89.11.10 255.255.255.0
dhcp select interface
#
interface XGigabitEthernet1/0/0
port link-type hybrid
Test
Results port hybrid pvid vlan 4090
port hybrid untagged vlan 4090
authentication-profile tolly_mac
#
6. Connect the user terminal to the DUT and enable the MAC-authenticated port. Expected result 1 is displayed.
7. Configure terminal identification through DHCP on the ISE server. Expected result 2 is displayed.
Results:
1. Configure the DHCP attribute to identify the option field in the DHCP packets that match certain conditions.
Test
Results
Test
Results
3. Users go online and identify terminal devices based on identification policies on the ISE server.
Test
Results
Verify endpoint profiling with MAC addresses when a Huawei S switch works as the access control switch and
Objective the Cisco ISE server works as the authentication (RADIUS) server.
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
3. Configure the aaa profile on the switch.
4. Configure the MAC authentication profile on the device.
5. Configure the DHCP server on the device, and enable MAC authentication on the correspondent port.
6. Connect the user terminal to the DUT and enable the MAC-authenticated port. Expected result 1 is displayed.
7. Configure terminal identification through MAC address on the ISE server. Expected result 2 is displayed.
Procedure
Result 1: The user passes the authentication successfully and obtains the correspondent IP address. The device
Pass shows that the authentication succeeds.
Criteria
Result 2: The ISE server can identify terminals through MAC addresses.
1. Configure the MAC address segment identification and specify the MAC address OUI provided by the ISE as the
matching condition.
Test
Results
Test
Results
3. Users go online and identify terminal devices based on identification policies on the ISE server.
Test
Results
Verify endpoint profiling with HTTP packets when a Huawei S switch works as the access control switch and the
Objective Cisco ISE server works as the authentication (RADIUS) server.
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
3. Configure the aaa scheme.
4. Configure the MAC authentication profile on the device.
5. Configure the DHCP server on the device, and enable MAC authentication on the correspondent interface.
6. Connect the user terminal to the DUT and enable the MAC-authenticated port. Expected result 1 is displayed.
7. When a user goes online after passing the MAC authentication, push the guest management page to him and
allow him to exchange HTTP packets with the ISE server.
Procedure
Result 1: The user passes the authentication successfully and obtains the correspondent IP address. The device
Pass shows that the authentication succeeds.
Criteria
Result 2: The ISE server can identify terminals through HTTP.
Test
Results
3. Users go online and identify terminal devices based on identification policies on the ISE server.
Test
Results
Verify endpoint profiling with RADIUS packets when a Huawei S switch works as the access control switch and
Objective the Cisco ISE server works as the authentication (RADIUS) server.
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
3. Configure the aaa scheme.
4. Configure the MAC authentication profile on the device.
5. Configure the DHCP server on the device, and enable MAC authentication on the correspondent interface.
6. Connect the user terminal to the DUT and enable the MAC-authenticated port. Expected result 1 is displayed.
7. Configure terminal identification through RADIUS on the ISE server. Expected result 2 is displayed.
Procedure
Result 1: The user passes the authentication successfully and obtains the correspondent IP address. The device
Pass shows that the authentication succeeds.
Criteria
Result 2: The ISE server can identify terminals through RADIUS.
1. Set the RADIUS identification: callingStationID is the MAC address of the device.
Test
Results
3. Users go online and identify terminal devices based on identification policies on the ISE server.
Test
Results
Verify network scan (NMAP) when a Huawei S switch works as the access control switch and the Cisco ISE server
Objective works as the authentication (RADIUS) server.
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the RADIUS server profile and aaa profile on the switch.
3. Configure the aaa scheme.
4. Configure the MAC authentication profile on the device.
5. Configure the DHCP server on the device, and enable MAC authentication on the correspondent interface.
6. Connect the user terminal to the DUT and enable the MAC-authenticated port. Expected result 1 is displayed.
7. Set the SNMP write community password as huawei123, which matches configuration on the ISE. Configure
Nmap scanning on the ISE server. Expected result 2 is displayed.
Procedure
Result 1: The user passes the authentication successfully and obtains the correspondent IP address. The device
shows that the authentication succeeds.
Pass
Criteria Result 2: The ISE server identifies the device's IP address and MAC address, and identifies the terminal type based
on the OUI.
Configuration:
1. Configure the Huawei S switch.
Test
Results
Test 2. Check the scanning result, and the device's IP address and MAC address are displayed. The terminal type is
Results identified based on the OUI.
Test 6.1 Posture Assessment with the Cisco ISE and the Cisco NAC Appliance Agent
Verify posture assessment with a Huawei S switch works as the access control switch, the Cisco ISE server works
Objective as the authentication (RADIUS) server, and the Cisco NAC appliance agent.
1. User terminals without the NAC-agent access the DUT in wired mode. Expected result 1 is displayed.
2. After the NAC-agent is installed, the agent checks the user terminals and sends the result to the ISE server.
Expected result 2 is displayed.
3. The ISE server sends the CoA re-authentication to terminal devices that have passed the check. Expected result
3 is displayed.
Procedure
Result 1: The ISE server detects the lack of the NAC-agent on the device through MAC authentication, and
delivers the redirection URL to the NAC-agent download page. The user terminal then downloads and installs the
NAC-agent through the redirection URL.
Pass
Result 2: When a terminal fails the check, the ISE server redirects the terminal to an URL for software repairing.
Criteria The terminal check will not be ended until the terminal passes the check.
Result 2: The device responds to CoA re-authentication, and the user's interface is authorized so that the user is
granted the network access permission.
1. After the user goes online, the server redirects the user to the URL of the cpp page.
Test
Results
2. After opening the page, the user is redirected to the cpp page to check whether the NAC agent exists.
3. The NAC agent is installed successfully.
4. Start the NAC agent for terminal status check. Check whether the command is running. The check result shows
that the command process has not been started, which indicates that the check fails.
5. Click Repair to invoke the command process and check the NAC agent again. The result shows that the check
succeeds and network permissions are granted to the user.
Verify guest management when a Huawei S switch works as the access control switch and the Cisco ISE server
Objective works as the authentication (RADIUS) server.
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the management VLAN10, and assign IP addresses to APs. Configure network access for APs.
3. Configure the RADIUS server on the switch.
4. Configure the aaa profile.
5. Configure the MAC authentication profile.
6. Configure the CoA authorization server.
7. Configure the ACL redirection on the switch.
8. Users access the network in wired mode for MAC authentication. Expected result 1 is displayed.
9. Open a web page and access any website. Enter the user name and password for authentication. Expected
result 2 is displayed.
Procedure
Result 1: When the user accesses the network for MAC authentication, the server delivers URL and redirection
ACL. Open a browser and enter any IP address in the address bar, the page is redirected to the Portal
Pass
authentication page.
Criteria
Result 2: After entering the user name and password, the user passes the Portal authentication successfully.
1. When a new user accesses the network, he must pass the MAC authentication first. After the authentication
succeeds, the page is redirected to the guest management page. A user can log in to the system using a
registered account or a new user can register an account first.
Test
Results
2. After a user registers an account, the system disconnect the user through CoA. The user should log in again
using the new account.
3. After new users log in to the system, the server authorizes new policies to users so that they can obtain new
Test permissions.
Results
Test
Results
Test
Results
Verify BYOD when a Huawei S switch works as the access control switch and the Cisco ISE server works as the
Objective authentication (RADIUS) server.
1. Configure the switch's IP address so that the switch can communicate with the ISE server.
2. Configure the management VLAN10, and assign IP addresses to APs. Configure network access for APs.
3. Configure the RADIUS server on the switch.
4. Configure the aaa profile.
5. Configure the MAC authentication profile.
6. Configure the CoA authorization server.
7. Configure the ACL redirection on the switch.
8. Register users on the ISE server. Expected result 1 is displayed.
9. Users access the network in wireless mode. Expected result 2 is displayed.
Procedure
Result 1: The user registers the access device on the ISE server successfully.
Pass
Criteria Result 2: After entering the user name and password, the user passes the Portal authentication successfully.
1. All internal employees must go to the specified website page (My Devices Portal) to register their own BYOD
devices.
Test
Results
About Tolly…
The Tolly Group companies have been delivering world-class IT services for over 25 years. Tolly is a leading global provider of
third-party validation services for vendors of IT products, components and services.
You can reach the company by email at sales@tolly.com, or by telephone at
+1 561.391.5610.
Visit Tolly on the Internet at:
http://www.tolly.com
Terms of Usage
This document is provided, free-of-charge, to help you understand whether a given product, technology or service merits additional
investigation for your particular needs. Any decision to purchase a product must be based on your own assessment of suitability
based on your needs. The document should never be used as a substitute for advice from a qualified IT or business professional.
This evaluation was focused on illustrating specific features and/or performance of the product(s) and was conducted under
controlled, laboratory conditions. Certain tests may have been tailored to reflect performance under ideal conditions; performance
may vary under real-world conditions. Users should run tests based on their own real-world scenarios to validate performance for
their own networks.
Reasonable efforts were made to ensure the accuracy of the data contained herein but errors and/or oversights can occur. The test/
audit documented herein may also rely on various test tools the accuracy of which is beyond our control. Furthermore, the
document relies on certain representations by the sponsor that are beyond our control to verify. Among these is that the software/
hardware tested is production or production track and is, or will be, available in equivalent or better form to commercial customers.
Accordingly, this document is provided "as is", and Tolly Enterprises, LLC (Tolly) gives no warranty, representation or undertaking,
whether express or implied, and accepts no legal responsibility, whether direct or indirect, for the accuracy, completeness,
usefulness or suitability of any information contained herein. By reviewing this document, you agree that your use of any
information contained herein is at your own risk, and you accept all risks and responsibility for losses, damages, costs and other
consequences resulting directly or indirectly from any information or material available on it. Tolly is not responsible for, and you
agree to hold Tolly and its related affiliates harmless from any loss, harm, injury or damage resulting from or arising out of your use
of or reliance on any of the information provided herein.
Tolly makes no claim as to whether any product or company described herein is suitable for investment. You should obtain your
own independent professional advice, whether legal, accounting or otherwise, before proceeding with any investment or project
related to any information, products or companies described herein. When foreign translations exist, the English document is
considered authoritative. To assure accuracy, only use documents downloaded directly from Tolly.com.
No part of any document may be reproduced, in whole or in part, without the specific written permission of Tolly. All trademarks
used in the document are owned by their respective owners. You agree not to use any trademark in or as the whole or part of your
own trademarks in connection with any activities, products or services which are not ours, or in a manner which may be confusing,
misleading or deceptive or in a manner that disparages us or our information, projects or developments.
216161-ivcofs15-yx-2017-02-14-VerA