Network admission control balances enterprise security with user convenience. SASE (secure access service edge) integrates RADIUS (remote authentication dial-in user service) and supports the 802.1X protocol and portal access, delivering secure, flexible, and efficient network admission control that ensures compliant device and user access while improving management efficiency and user experience.
Use case 1: Configure wireless network access for employees
SASE uses 802.1X authentication to secure wireless network access with one-click connectivity. Employees use the SASE client to access the corporate network from any area with office network coverage. Configure both the SASE console and the local wireless controller.
The wireless controllers and switches in this topic use H3C devices as examples.
Step 1: Configure the authentication server (RADIUS)
RADIUS provides centralized authentication, authorization, and accounting (AAA). SASE provides a Cloud Authentication Server and supports custom authentication servers.
- Log on to the Secure Access Service Edge console.
- In the left-side navigation pane, choose .
- On the Authentication Server tab, view information about the Cloud Authentication Server or click Add Authentication Server.
  - View the Cloud Authentication Server
    - In the upper-right corner of the page, click Cloud Authentication Server.
    - In the Cloud Authentication Server panel, view information about the cloud authentication servers provided by SASE.
  - Add an authentication server
    - Click Add Authentication Server.
    - In the Add Authentication Server panel, configure the Authentication Server Name and the server IP Address, and then click Save.
      Note: The default User Wi-Fi Authentication Interface is 1812, and the default User Wi-Fi Billing Interface is 1813.
    - On the Deployment and Installation tab, view the Recommended Server Specifications and Server Deployment Commands for deploying RADIUS.
    - Copy the Server Deployment Commands and run them on your server to deploy RADIUS.
    - After deployment, check the status in the list.
Step 2: Configure network devices
A wireless controller centrally manages wireless access points (APs). Configure your wireless controller.
- On the Network Device tab, click Add Network Device.
- In the Add Network Device dialog box, configure the following parameters and click OK.

| Parameter | Description |
| --- | --- |
| Device Name | Enter a name for the device. |
| Device Brand | Select the brand of your wireless controller. |
| Device Type | Select Wireless Controller. |
| IP Address | Enter the IP address or IP address range of the wireless controller. |
| MAC Address | Enter the MAC address of the wireless controller. |
| CoA Port | Enter the CoA port of the wireless controller. |

Step 3: Configure Wi-Fi management
- On the Wi-Fi Management tab, click Create Network Instance.
- In the Enterprise Wireless Network Configuration dialog box, set the Network SSID and Authentication Mode for user network access. Currently, only EAP-TLS is supported. Then, click OK.
Step 4: Configure certificate management
After you connect to the corporate office network through SASE, the system automatically issues the SASE CA certificate and network access certificate to the SASE App. Only devices with these certificates can access internal applications over the corporate wireless network. Modify the certificate installation scope, validity period, or organization name as needed.
- Click the Certificate Management tab.
- On the Certificate Management tab, configure the Network Access Certificate Configuration, CA Certificate Configuration, and Global Settings.
Step 5: Configure the on-premises controller
Configure the RADIUS scheme, ISP domain, and 802.1X wireless authentication on your on-premises controller.
Configure RADIUS
- Log on to the H3C wireless controller console.
- At the bottom of the page, select Network. In the left-side navigation pane, select .
- On the RADIUS tab, click to add a RADIUS scheme.
- On the Add RADIUS Scheme page, configure the RADIUS information and click OK.

| Parameter | Description | Example |
| --- | --- | --- |
| Scheme Name | Enter a custom name for the RADIUS scheme. | sase-r1 |
| Authentication Server | Configure the primary authentication server. Add backup servers if needed. To find the authentication server information, navigate to the tab in the SASE console. You can view information for the Cloud Authentication Server or for an authentication server that you added. | VRF: Default Public Network; Type: Default IP Address; IP Address: 121.40.*.*; Port: 1812; Shared Key: Enter the key; Status: Active |
| Accounting Server | Configure the accounting server. Add backup servers if needed. The accounting server uses the same IP address and shared key as the authentication server, but port 1813. | VRF: Default Public Network; Type: Default IP Address; IP Address: 121.40.*.* (same as the authentication server); Port: 1813; Shared Key: Enter the key (same as the authentication server); Status: Active |
| Advanced Settings | Click Show Advanced Settings and set Real-time Accounting Interval to 60 seconds. | 60 |

Configure ISP domains
- In the left-side navigation pane, select . On the ISP Domains tab, click to add an ISP domain configuration.
- On the Add ISP Domains page, configure the ISP domain as shown in the following figure, and then click OK.

Configure a wireless network (802.1X authentication)
- In the left-side navigation pane, select .
- On the Wireless Network tab, click to add a wireless network.
- On the Add Wireless Network page, configure the Wireless Service Name, SSID, and Default VLAN, and enable the Wireless Service. Then, click Apply and Configure Advanced Settings.
  Note: You can find the SSID information for your network instance on the tab in the SASE console.
- On the Link Layer Authentication tab, set the Authentication Mode to 802.1X, and for the Domain Name, select the ISP domain that you configured. Keep the default values for other settings. Then, click OK.
- On the Binding tab, select the AP you want to bind and click OK.
- In the left-side navigation pane, select .
- In the upper-right corner of the page, click . On the 802.1X page, click the configuration icon next to Authentication Method, select EAP from the drop-down list, and then click OK.
Step 6: Enable dynamic authorization (CoA)
CoA (Change of Authorization) triggers dynamic authorization changes through RADIUS CoA-Request messages. The wireless controller updates session parameters and returns a CoA-ACK or CoA-NAK.
- Connect to the wireless controller (AC) by using a console cable.
- Run the following commands to enable CoA:
[AC] radius dynamic-author server
[AC-radius-da-server] client ip <radius_server_ip> key simple <shared_key>
Here, <radius_server_ip> is the IP address of the RADIUS server, and <shared_key> is the shared key for the corresponding device.
Note: You can find the RADIUS Server IP Address and Shared Key on the tab in the SASE console.
Step 7: Configure a network access policy
Configure network access policies in SASE to enforce fine-grained access control for employees or devices.
- Log on to the Secure Access Service Edge console.
- In the left-side navigation pane, choose .
- On the Network Access Permissions tab, click Create Policy.
- In the Create Policy panel, configure the following parameters and click OK.

| Parameter | Description |
| --- | --- |
| Policy Name | Enter a name for the policy. |
| Effective Scope | For Effective Scope, select Applicable User. Based on your business needs, click Select to refine the scope to All Users, a Specific User Group, a Specific Device, or a Specific Device Tag. |
| VLAN ID | Specify the VLAN ID defined on your wireless controller. Value range: 1 to 4094. |
| ACL ID | Specify the ACL ID defined on your wireless controller. The valid range for this value depends on the brand and model of your network device. |
| Terminal Type | Select the terminal types to which the policy applies. |
| Network Permissions | Select the wireless network. |
| Wi-Fi Network Scope | Select All Wi-Fi Networks or Specific Wi-Fi Networks based on your requirements. |
| Priority | Set the priority of the policy. A smaller number indicates a higher priority. |
| Policy Status | Enable the policy. |
| Advanced Settings | Specify the Authentication Server and Network Device for Access Control to which the policy applies. |

Step 8: Install and log on to SASE App
On an internet-connected device, install and log on to the SASE App as described in Install and log on to the SASE App.
Step 9: View authentication and access history
After you complete the preceding steps, you can view network access history or user authentication logs in the SASE console.
- View user authentication logs
  - In the left-side navigation pane, choose .
  - On the tab, view the status of user network authentication.
- View network access history
  - Log on to the Secure Access Service Edge console.
  - In the left-side navigation pane, choose .
  - On the Network Access History tab, view the network access status of users. You can also Disable or Enable access.
Use case 2: Configure employee wired network access
Configure 802.1X authentication for wired network access on both the SASE console and your on-premises switch.
Step 1: Configure the authentication server (RADIUS)
RADIUS provides centralized authentication, authorization, and accounting (AAA). SASE provides a Cloud Authentication Server and supports custom authentication servers.
- Log on to the Secure Access Service Edge console.
- In the left-side navigation pane, choose .
- On the Authentication Server tab, view information about the Cloud Authentication Server or click Add Authentication Server.
  - View the Cloud Authentication Server
    - In the upper-right corner of the page, click Cloud Authentication Server.
    - In the Cloud Authentication Server panel, view information about the cloud authentication servers provided by SASE.
  - Add an authentication server
    - Click Add Authentication Server.
    - In the Add Authentication Server panel, configure the Authentication Server Name and the server IP Address, and then click Save.
      Note: The default User Wi-Fi Authentication Interface is 1812, and the default User Wi-Fi Billing Interface is 1813.
    - On the Deployment and Installation tab, view the Recommended Server Specifications and Server Deployment Commands for deploying RADIUS.
    - Copy the Server Deployment Commands and run them on your server to deploy RADIUS.
    - After deployment, check the status in the list.
Step 2: Configure network device information
Configure your on-premises switch to enable 802.1X authentication on wired ports.
- On the Network Device tab, click Add Network Device.
- In the Add Network Device dialog box, configure the following parameters and click OK.

| Parameter | Description |
| --- | --- |
| Device Name | Enter a name for the device. |
| Device Brand | Select the brand of your switch. |
| Device Type | Select wired switch. |
| IP Address | Enter the IP address or IP address range of the switch. |
| MAC Address | Enter the MAC address of the switch. |
| CoA Port | Enter the CoA port of the switch. |

Step 3: Configure certificate management
After connecting to the corporate network, SASE automatically issues a SASE CA certificate and network access certificate to the SASE App. Only devices with these certificates can access internal applications over the wired network. You can modify the installation scope, validity period, or organization name as needed.
- Click Certificate Management.
- On the Certificate Management tab, configure Network Access Certificate Configuration, CA Certificate Configuration, and Global Settings.
Step 4: Configure the on-premises switch
Configure the RADIUS scheme, ISP domain, and 802.1X authentication on your on-premises switch console.
Configure RADIUS
- Log on to the H3C wireless controller console.
- At the bottom of the page, select Network. In the left-side navigation pane, select .
- On the RADIUS tab, click to add a RADIUS scheme.
- On the Add RADIUS scheme page, configure the RADIUS information and click OK.

| Parameter | Description | Example value |
| --- | --- | --- |
| Scheme name | Enter a custom name for the RADIUS scheme. | sase-r1 |
| Authentication server | Configure the primary authentication server. Add backups as needed. This information is available on the tab on the SASE console. You can view information for the Cloud Authentication Server or for an authentication server that you added. | VRF: Default Public Network; Type: Default IP Address; IP address: 121.40.*.*; Port: 1812; Shared key: Enter the key; Status: Active |
| Accounting server | Configure the accounting server. Add backups as needed. The accounting server uses the same IP address and shared key as the authentication server, but port 1813. | VRF: Default Public Network; Type: Default IP Address; IP address: 121.40.*.* (same as authentication server); Port: 1813; Shared key: Enter the key (same as authentication server); Status: Active |
| Advanced settings | Click Show advanced settings, and set Real-time accounting update interval to 60 seconds. | 60 |

Configure ISP domains
- In the left-side navigation pane, select . On the ISP domain tab, click to add an ISP domain configuration.
- On the Add ISP domain page, configure the ISP domain as shown in the following figure, and then click OK.

Configure switch ports (802.1X authentication)
- In the left-side navigation pane, select .
- On the 802.1X page, select a port for port-based authentication, such as GE1/0/3, and then click OK.
- Click Advanced settings. On the Advanced settings page, configure the Mandatory ISP domain of the port, and then click OK.
- In the upper-right corner of the page, click . On the 802.1X page, click the configuration icon next to Authentication method, select EAP from the drop-down list, and then click OK.
Step 5: Enable dynamic authorization (CoA)
CoA (Change of Authorization) dynamically changes session authorization through RADIUS. When the AC receives a CoA-Request, it updates the user session and returns a CoA-ACK or CoA-NAK.
- Connect to the wireless controller (AC) by using a console cable.
- Run the following commands to enable CoA:
[AC] radius dynamic-author server
[AC-radius-da-server] client ip <radius_server_ip> key simple <shared_key>
In the command, replace <radius_server_ip> with the IP address of the RADIUS server and <shared_key> with the shared key for the device.
Note: You can find the RADIUS Server IP Address and Shared Key on the tab in the SASE console.
Step 6: Configure network access permission policy
Configure network access policies in SASE to enforce fine-grained access control for employees or devices on the wired network.
- Log on to the Secure Access Service Edge console.
- In the left-side navigation pane, choose .
- On the Network Access Permissions tab, click Create Policy.
- In the Create Policy panel, configure the following parameters and click OK.

| Parameter | Description |
| --- | --- |
| Policy Name | Enter a name for the policy. |
| Effective Scope | For Effective Scope, select Applicable User. Based on your business needs, click Select to refine the scope to All Users, a Specific User Group, a Specific Device, or a Specific Device Tag. |
| VLAN ID | Specify the VLAN ID defined on your switch. Value range: 1 to 4094. |
| ACL ID | Specify the ACL ID defined on your switch. The valid range for this value depends on the brand and model of your network device. |
| Terminal Type | Select the terminal types to which the policy applies. |
| Network Permissions | Select Wired Network. |
| Priority | Set the priority for the policy. A smaller number indicates a higher priority. |
| Policy Status | Enable the policy. |
| Advanced Settings | Specify the Authentication Server and Network Device for Access Control to which the policy applies. |

Step 7: Install and log on to the SASE App
Install and log on to the SASE App on an internet-connected device. For more information, see Install and log on to the SASE App.
Step 8: View authentication and network access records
You can view network access records or employee authentication logs on the SASE console.
- View user authentication logs
  - In the left-side navigation pane, choose .
  - On the tab, view the status of user network authentication.
- View network access history
  - Log on to the Secure Access Service Edge console.
  - In the left-side navigation pane, choose .
  - On the Network Access History tab, view the network access status of users. You can also Disable or Enable access.
Use case 3: Guest wireless network access
SASE separates employee and visitor SSIDs for secure guest access. Configure different SSIDs and backend policies for each. Currently, the only supported authentication method for visitors connecting to the SASE visitor Wi-Fi is portal page authentication with SMS verification.
Step 1: Configure portal authentication
- Log on to the Secure Access Service Edge console.
- In the navigation pane, choose .
- In the upper-right corner of the page, click Authentication Configuration.
- On the Authentication Configuration page, configure Authentication Portal Settings and Custom Settings on Authentication Page.
Step 2: Configure authentication server (RADIUS)
RADIUS provides centralized AAA services. SASE supports custom authentication server configurations.
- Log on to the Secure Access Service Edge console.
- In the navigation pane, choose .
- On the Authentication Server tab, click Add Authentication Server.
- In the Add Authentication Server panel, configure the Authentication Server Name and the server IP Address, and then click Save.
  Note: The default User Wi-Fi Authentication Interface is 1812, and the default User Wi-Fi Billing Interface is 1813.
- On the Deployment and Installation tab, view the Recommended Server Specifications and Server Deployment Commands for deploying RADIUS.
- Copy the Server Deployment Commands and run them on your own server to deploy RADIUS.
- After deployment, check the status in the list.

Step 3: Configure Wi-Fi management
- On the Wi-Fi Management tab, click Create Network Instance.
- In the Enterprise Wireless Network Configuration dialog box, configure the Network SSID and Authentication Mode for guest access, and then click OK.
Step 4: Configure local wireless controller (H3C example)
Configure RADIUS
- Log on to the H3C wireless controller console.
- At the bottom of the page, select Network, and in the navigation pane, choose .
- On the RADIUS tab, click to add a RADIUS scheme.
- On the Add RADIUS Scheme page, configure the RADIUS information and click OK.

| Parameter | Description | Example |
| --- | --- | --- |
| Scheme Name | A custom name for the RADIUS scheme. | sase-r1 |
| Authentication Server | Configure the authentication server. Add backup servers if needed. To find the authentication server information, see the server that you added with Add Authentication Server on the tab in the SASE console. | VRF: Default Public Network; Type: Default IP Address; IP address: 121.40.*.* (same as the authentication server); Port: 1812; Shared Key: Enter the key (same as the authentication server's shared key); Status: Active |
| Advanced Settings | Click Show Advanced Settings and use the following settings. Keep other settings at their default values. Source IPv4 Address for Sending RADIUS Messages: Configure the IPv4 address of the access device that is specified on the RADIUS server. This is typically the management interface IP address of the AC. Username Format Sent to RADIUS Server: without domain name. | Source IPv4 Address for Sending RADIUS Messages: 121.40.*.*; Username Format Sent to RADIUS Server: without domain name |

Configure an ISP domain
- In the navigation pane, choose . On the ISP Domain tab, click to add an ISP domain configuration.
- On the Add ISP Domain page, configure the ISP domain as shown in the following figure, and then click OK.

Configure portal authentication server
- In the navigation pane, choose .
- On the Portal tab, click Portal Authentication Server.
- On the Portal page, click to add a portal authentication server.
- On the Create Portal Authentication Server page, apply the following settings, leave the others at their defaults, and then click OK.

| Parameter | Description | Example |
| --- | --- | --- |
| Server Name | The name of the portal authentication server. | sase-newptv4 |
| IP Address | The IP address of the RADIUS server. | 121.40.*.* |
| Server Reachability Detection | Enable the detection feature and set the Detection Duration and Action. | Detection Duration: 60 seconds; Action: Select Log |

Configure portal web server
- In the navigation pane, choose .
- On the Portal tab, click Local Portal Web Server.
- On the Portal page, click to add a portal web server.
- On the Create Local Portal Web Server page, use the following settings, and then click OK.

| Parameter | Description | Example |
| --- | --- | --- |
| Server Name | The name of the server. | sase-newptv4 |
| URL | The address of the server. | 121.40.*.* |
| URL Parameters | Select User's IP Address, enter a parameter name in the URL Parameter Name field, and then click Add. Select User's MAC Address, enter a parameter name in the URL Parameter Name field, and then click Add. | User's IP Address: userip; User's MAC Address: usermac |

Configure a wireless service
- In the navigation pane, choose .
- On the Wireless Network tab, click to add a wireless network.
- On the Add Wireless Service page, configure the Wireless Service Name, SSID, and Default VLAN, and enable the Wireless Service. After you complete the configuration, click OK and Go to Advanced Settings.
  Note: You can find the SSID for your configured network instance on the tab in the SASE console.
- On the Link Layer Authentication tab, set the Authentication Mode to IPv4 Portal Authentication, select your configured ISP domain name for Domain Name, select the Web Server Name, and configure the BAS-IP. Keep other settings at their default values. Then, click OK.
- On the Binding tab, click the AP that you want to bind, and then click OK.

Additional configuration
Connect to the AC with a console cable and run the following commands.
# Enable the wireless portal roaming feature.
[AC] portal roaming enable
# Disable the ARP entry pinning feature for wireless portal clients.
[AC] undo portal refresh arp enable
# Enable the host validity check for wireless portal clients.
[AC] portal host-check enable
# Set the portal authentication server type to CMCC.
[AC] portal server sase-newptv4
[AC-portal-server-newpt] server-type cmcc
[AC-portal-server-newpt] quit
# Configure the portal web server.
[AC] portal web-server sase-newptv4
[AC-portal-websvr-newpt] url http://192.168.XX.XX:8080/portal
# Configure the redirection URL to include the ssid and vlan parameters, which represent the AP SSID and VLAN, respectively.
[AC-portal-websvr-newpt] url-parameter ssid ssid
[AC-portal-websvr-newpt] url-parameter vlan vlan
[AC-portal-websvr-newpt] url-parameter acip value <AC's_actual_IP>
# Set the portal web server type to CMCC.
[AC-portal-websvr-newpt] server-type cmcc
# Configure iOS captive-bypass adaptation.
[AC-portal-websvr-newpt] captive-bypass ios optimize enable
[AC-portal-websvr-newpt] quit
# Enable the RADIUS session control feature.
[AC] radius session-control enable
# Configure the RADIUS CoA feature.
[AC] radius dynamic-author server
[AC-radius-da-server] client ip <RADIUS_server_IP> key simple <SharedSecret>
You can find the RADIUS Server IP Address and Shared Key on the tab in the SASE console.
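The CoA-Request and CoA-ACK exchange enabled by radius dynamic-author server here, and described in the dynamic authorization (CoA) steps of use cases 1 and 2, as an added Python example (not code from SASE or H3C) that shows how the shared key authenticates each packet under RFC 5176. The key, user name, session ID, and packet identifier are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes for dynamic authorization.
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ZERO_AUTH = b"\x00" * 16


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; length includes the 2-byte header."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_packet(code, ident, attrs, secret, request_auth=None):
    """Build a CoA packet and fill in its MD5 authenticator.

    A request hashes 16 zero octets in the authenticator position;
    a reply (ACK/NAK) hashes the authenticator of the request it answers.
    """
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    seed = ZERO_AUTH if request_auth is None else request_auth
    auth = hashlib.md5(header + seed + body + secret).digest()
    return header + auth + body


def verify_packet(packet, secret, request_auth=None):
    """Return (code, identifier) if the authenticator matches the shared key, else None."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return None
    packet = packet[:length]  # octets past the Length field are padding
    seed = ZERO_AUTH if request_auth is None else request_auth
    expected = hashlib.md5(packet[:4] + seed + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong shared key or modified packet: drop silently
    return code, ident


def demo():
    key = b"constructed-shared-key"  # constructed sample, not a real key
    # User-Name (1) and Acct-Session-Id (44) identify the session to change.
    attrs = [(1, b"alice"), (44, b"sess-0001")]
    req = build_packet(COA_REQUEST, 7, attrs, key)
    ack = build_packet(COA_ACK, 7, [], key, request_auth=req[4:20])
    tampered = req[:-1] + b"2"  # session ID altered in transit
    return {
        "request_ok": verify_packet(req, key),
        "wrong_key": verify_packet(req, b"other-key"),
        "tampered": verify_packet(tampered, key),
        "ack_ok": verify_packet(ack, key, request_auth=req[4:20]),
        "ack_unbound": verify_packet(ack, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A request built with a different key, or changed after it was built, fails verification, which is why the shared key entered in the client ip command must match the one shown in the SASE console.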
Step 5: Guest login
After connecting to the guest Wi-Fi, the portal authentication page opens. Enter your phone number, input the SMS verification code, and click Login. You can access internal enterprise applications only after passing verification.
Step 6: View guest logs
- Log on to the Secure Access Service Edge console.
- In the navigation pane, choose .
- On the tab, view the guest network authentication status.
Use case 4: Dumb terminal network access
Add dumb terminals in the SASE console, then configure network access on your local switch.
Step 1: Add dumb terminals
- Log on to the Secure Access Service Edge console.
- In the left navigation pane, choose .
- In the list on the left, select dumb terminal. Then, choose Add Terminal or Import Devices.
  - Add Terminal: In the Add Terminal panel, enter the MAC Address, MAC Address Mask, Device Vendor, Device Name, and Device Type, and then click OK.
  - Import Devices: In the Import Devices dialog box, click Download Import Template. After you enter the device information, click Upload Local File and then click OK.
Step 2: Configure network access
Network access configuration for dumb terminals depends on the connection type.
- For wireless networks: Follow Use case 1: Configure wireless network access for employees.
- For wired networks: Follow Use case 2: Configure wired network access for employees.
Dumb terminals do not require certificate management or SASE client installation. You can skip these steps.
Step 3: View dumb terminal authentication logs
- In the left navigation pane, choose .
- On the tab, view the network authentication status of the dumb terminals.