# Specify the IP addresses of the primary authentication and accounting RADIUS servers.
[Device-radius-radius1] primary authentication 10.1.1.1
[Device-radius-radius1] primary accounting 10.1.1.1
# Configure the IP addresses of the secondary authentication and accounting RADIUS servers.
[Device-radius-radius1] secondary authentication 10.1.1.2
[Device-radius-radius1] secondary accounting 10.1.1.2
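# Specify the shared key for communication between the access device and the authentication server. The key must be identical to the one configured on the RADIUS server. The key "name" shown here is only an example; use a long, random key in a real deployment.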
[Device-radius-radius1] key authentication name
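# Specify the shared key for communication between the access device and the accounting server. The key must be identical to the one configured on the RADIUS server. The key "money" shown here is only an example; use a long, random key in a real deployment.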
[Device-radius-radius1] key accounting money
# Exclude the ISP domain name from the username sent to the RADIUS servers.
NOTE:
The access device must use the same username format as the RADIUS server. If the RADIUS server
includes the ISP domain name in the username, so must the access device.
[Device-radius-radius1] user-name-format without-domain
[Device-radius-radius1] quit
6. Configure the ISP domain.
# Create the ISP domain aabbcc.net and enter its view.
[Device] domain aabbcc.net
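# Apply the RADIUS scheme radius1 to the ISP domain, and specify local authentication as the secondary authentication method. The commands below apply the same scheme, with local as the secondary method, to authorization and accounting as well.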
[Device-isp-aabbcc.net] authentication lan-access radius-scheme radius1 local
[Device-isp-aabbcc.net] authorization lan-access radius-scheme radius1 local
[Device-isp-aabbcc.net] accounting lan-access radius-scheme radius1 local
# Set the maximum number of concurrent users in the domain to 30.
[Device-isp-aabbcc.net] access-limit enable 30
# Configure the idle cut function to log off any online domain user who has been idle for 20 minutes.
[Device-isp-aabbcc.net] idle-cut enable 20
[Device-isp-aabbcc.net] quit
# Specify aabbcc.net as the default ISP domain. If a user does not provide any ISP domain name, the user is assigned to the default ISP domain.
[Device] domain default enable aabbcc.net
7. Configure 802.1X.
# Enable 802.1X globally.
[Device] dot1x
# Enable 802.1X on port GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x
[Device-GigabitEthernet1/0/1] quit
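# Enable MAC-based access control on the port. (Optional. MAC-based access control is the default setting.) With MAC-based access control, each user on the port is authenticated separately; with port-based access control, all users on the port gain access once one user passes authentication.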
[Device] dot1x port-method macbased interface gigabitethernet 1/0/1