96
3.
Assign an IP address to each interface, as shown in
. (Details not shown.)
4.
Configure a RADIUS scheme:
# Create RADIUS scheme
2000
and enter RADIUS scheme view.
<Device> system-view
[Device] radius scheme 2000
# Specify the server at 10.11.1.1 as the primary authentication server, and set the authentication
port to 1812.
[Device-radius-2000] primary authentication 10.11.1.1 1812
# Specify the server at 10.11.1.2 as the primary accounting server, and set the accounting port to
1813.
[Device-radius-2000] primary accounting 10.11.1.2 1813
# Set the shared key to
abc
in plain text for secure communication between the authentication
server and the device.
[Device-radius-2000] key authentication simple abc
# Set the shared key to
abc
in plain text for secure communication between the accounting server
and the device.
[Device-radius-2000] key accounting simple abc
# Exclude the ISP domain name from the usernames sent to the RADIUS server.
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
5.
Configure an ISP domain:
# Create ISP domain
bbb
and enter ISP domain view.
[Device] domain bbb
# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and
accounting.
[Device-isp-bbb] authentication lan-access radius-scheme 2000
[Device-isp-bbb] authorization lan-access radius-scheme 2000
[Device-isp-bbb] accounting lan-access radius-scheme 2000
[Device-isp-bbb] quit
6.
Configure a time range named
ftp
from 8:00 to 18:00 on weekdays.
[Device] time-range ftp 8:00 to 18:00 working-day
7.
Configure ACL 3000 to deny packets destined for the FTP server at 10.0.0.1 during the specified
time range.
[Device] acl number 3000
[Device-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0 time-range ftp
[Device-acl-adv-3000] quit
8.
Configure 802.1X:
# Enable 802.1X globally.
[Device] dot1x
# Enable 802.1X on Ten-GigabitEthernet 1/0/1.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] dot1x
[Device-Ten-GigabitEthernet1/0/1] quit
Verifying the configuration
# Use the user account to pass authentication. (Details not shown.)