Configuration procedure – H3C Technologies H3C S5120 Series Switches User Manual
• Configure the RADIUS server to assign ACL 3000.
• Enable 802.1X authentication on port GigabitEthernet 1/0/1 of the switch, and configure ACL 3000.
After the host passes 802.1X authentication, the RADIUS server assigns ACL 3000 to port
GigabitEthernet 1/0/1. As a result, the host can access the Internet but cannot access the FTP server,
whose IP address is 10.0.0.1.
Figure 1-14 Network diagram for ACL assignment
Configuration procedure
# Configure the IP addresses of the interfaces. (Omitted)
# Configure the RADIUS scheme.
[Switch] radius scheme 2000
[Switch-radius-2000] primary authentication 10.1.1.1 1812
[Switch-radius-2000] primary accounting 10.1.1.2 1813
[Switch-radius-2000] key authentication abc
[Switch-radius-2000] key accounting abc
[Switch-radius-2000] user-name-format without-domain
[Switch-radius-2000] quit
# Create an ISP domain and specify the AAA schemes.
[Switch] domain 2000
[Switch-isp-2000] authentication default radius-scheme 2000
[Switch-isp-2000] authorization default radius-scheme 2000
[Switch-isp-2000] accounting default radius-scheme 2000
[Switch-isp-2000] quit
# Configure ACL 3000 to deny packets destined for 10.0.0.1.
[Switch] acl number 3000
[Switch-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Switch-acl-adv-3000] quit
# Enable 802.1X globally.
[Switch] dot1x
# Enable 802.1X for port GigabitEthernet 1/0/1.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] dot1x
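
The following is an added example, not part of the H3C manual: a Python model of the RADIUS Access-Accept through which the server assigns ACL 3000, and of the authenticator check a RADIUS client performs with the shared key before applying it. It assumes the ACL number travels in the standard Filter-Id attribute (type 11, RFC 2865); the function names and the sample request authenticator are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RFC 2865 packet code
FILTER_ID = 11      # RFC 2865 attribute; assumed here to carry the ACL number

def build_accept(ident, request_auth, secret, acl):
    """Server side: Access-Accept whose Filter-Id names the ACL to apply."""
    value = str(acl).encode()
    attrs = struct.pack("!BB", FILTER_ID, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def assigned_acl(packet, request_auth, secret):
    """Client side: return the ACL number, or None if the reply is rejected."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length < 20 or length > len(packet):
        return None
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong shared key, or attributes altered in transit
    pos = 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            return None  # malformed attribute length
        if a_type == FILTER_ID:
            text = attrs[pos + 2:pos + a_len].decode("ascii", "replace")
            return int(text) if text.isdigit() else None
        pos += a_len
    return None

# Constructed sample values; "abc" is the key set in RADIUS scheme 2000.
SECRET = b"abc"
REQUEST_AUTH = bytes(range(16))
REPLY = build_accept(1, REQUEST_AUTH, SECRET, 3000)

if __name__ == "__main__":
    print(assigned_acl(REPLY, REQUEST_AUTH, SECRET))
    print(assigned_acl(REPLY, REQUEST_AUTH, b"wrong-key"))
```

A reply whose Filter-Id has been changed after the server computed the authenticator fails the same check as a reply built with the wrong key.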