Secure Access Service Edge: Network access best practices

Last Updated: Jun 04, 2026

Network admission control balances enterprise security with user convenience. SASE (secure access service edge) integrates RADIUS (remote authentication dial-in user service) and supports the 802.1X protocol and portal access, delivering secure, flexible, and efficient network admission control that ensures compliant device and user access while improving management efficiency and user experience.

Configure wireless network access

SASE uses 802.1X authentication to secure wireless network access with one-click connectivity. Employees use the SASE client to access the corporate network from any area with office network coverage. Configure both the SASE console and the local wireless controller.

Note

The wireless controllers and switches in this topic use H3C devices as examples.

Step 1: Configure the authentication server (RADIUS)

RADIUS provides centralized authentication, authorization, and accounting (AAA). SASE provides a Cloud Authentication Server and supports custom authentication servers.

  1. Log on to the Secure Access Service Edge console.

  2. In the left-side navigation pane, choose Network Access Control > Basic Configurations.

  3. On the Authentication Server tab, view information about the Cloud Authentication Server or click Add Authentication Server.

    • View the Cloud Authentication Server

      1. In the upper-right corner of the page, click Cloud Authentication Server.

      2. In the Cloud Authentication Server panel, view information about the cloud authentication servers provided by SASE.

    • Add an authentication server

      1. Click Add Authentication Server.

      2. In the Add Authentication Server panel, configure the Authentication Server Name and the server IP Address, and then click Save.

        Note

        The default User Wi-Fi Authentication Interface is 1812, and the default User Wi-Fi Billing Interface is 1813.

      3. On the Deployment and Installation tab, view the Recommended Server Specifications and Server Deployment Commands for deploying RADIUS.

      4. Copy the Server Deployment Commands and run them on your server to deploy RADIUS.

      5. After deployment, check the status in the list.

Step 2: Configure network devices

A wireless controller centrally manages wireless access points (APs). Configure your wireless controller.

  1. On the Network Device tab, click Add Network Device.

  2. In the Add Network Device dialog box, configure the following parameters and click OK.

    • Device Name: Enter a name for the device.

    • Device Brand: Select the brand of your wireless controller.

    • Device Type: Select Wireless Controller.

    • IP Address: Enter the IP address or IP address range of the wireless controller.

    • MAC Address: Enter the MAC address of the wireless controller.

    • CoA Port: Enter the CoA port of the wireless controller.

Step 3: Configure Wi-Fi management

  1. On the Wi-Fi Management tab, click Create Network Instance.

  2. In the Enterprise Wireless Network Configuration dialog box, set the Network SSID and Authentication Mode for user network access. Currently, only EAP-TLS is supported. Then, click OK.

Step 4: Configure certificate management

After you connect to the corporate office network through SASE, the system automatically issues the SASE CA certificate and network access certificate to the SASE App. Only devices with these certificates can access internal applications over the corporate wireless network. Modify the certificate installation scope, validity period, or organization name as needed.

  1. Click the Certificate Management tab.

  2. On the Certificate Management tab, configure the Network Access Certificate Configuration, CA Certificate Configuration, and Global Settings.

Step 5: Configure the on-premises controller

Configure the RADIUS scheme, ISP domain, and 802.1X wireless authentication on your on-premises controller.

Configure RADIUS

  1. Log on to the H3C wireless controller console.

  2. At the bottom of the page, select Network. In the left-side navigation pane, select .

  3. On the RADIUS tab, click the add icon to add a RADIUS scheme.

  4. On the Add RADIUS Scheme page, configure the RADIUS information and click OK.

    • Scheme Name: Enter a custom name for the RADIUS scheme. Example: sase-r1

    • Authentication Server: Configure the primary authentication server. Add backup servers if needed. To find the authentication server information, go to the Network Access Control > Basic Configurations > Authentication Server tab in the SASE console, where you can view the Cloud Authentication Server or an authentication server that you added. Example:

      • VRF: Default Public Network

      • Type: Default IP Address

      • IP Address: 121.40.*.*

      • Port: 1812

      • Shared Key: Enter the key.

      • Status: Active

    • Accounting Server: Configure the accounting server. Add backup servers if needed. The accounting server uses the same IP address and shared key as the authentication server, but port 1813. Example:

      • VRF: Default Public Network

      • Type: Default IP Address

      • IP Address: 121.40.*.* (same as the authentication server)

      • Port: 1813

      • Shared Key: Enter the key (same as the authentication server).

      • Status: Active

    • Advanced Settings: Click Show Advanced Settings and set Real-time Accounting Interval to 60 seconds. Example: 60

Configure ISP domains

  1. In the left-side navigation pane, select . On the ISP Domains tab, click the add icon to add an ISP domain configuration.

  2. On the Add ISP Domains page, configure the ISP domain as shown in the following figure, and then click OK.

    image

Configure a wireless network (802.1X authentication)

  1. In the left-side navigation pane, select .

  2. On the Wireless Network tab, click the add icon to add a wireless network.

  3. On the Add Wireless Network page, configure the Wireless Service Name, SSID, and Default VLAN, and enable the Wireless Service. Then, click Apply and Configure Advanced Settings.

    Note

    You can find the SSID information for your network instance on the Network Access Control > Basic Configurations > Wi-Fi Management tab in the SASE console.

  4. On the Link Layer Authentication tab, set the Authentication Mode to 802.1X, and for the Domain Name, select the ISP domain that you configured. Keep the default values for other settings. Then, click OK.

  5. On the Binding tab, select the AP you want to bind and click OK.

  6. In the left-side navigation pane, select .

  7. In the upper-right corner of the page, click the icon. On the 802.1X page, click the configuration icon next to Authentication Method, select EAP from the drop-down list, and then click OK.

Step 6: Enable dynamic authorization (CoA)

CoA (Change of Authorization) triggers dynamic authorization changes through RADIUS CoA-Request messages. The wireless controller updates session parameters and returns a CoA-ACK or CoA-NAK.

  1. Connect to the wireless controller (AC) by using a console cable.

  2. Run the following commands to enable CoA:

    [AC] radius dynamic-author server
    [AC-radius-da-server] client ip <radius_server_ip> key simple <shared_key>

    In the command, replace <radius_server_ip> with the IP address of the RADIUS server and <shared_key> with the shared key for the corresponding device.

    Note

    You can find the RADIUS Server IP Address and Shared Key on the Network Access Control > Basic Configurations > Authentication Server tab in the SASE console.
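
The CoA exchange described in this step, as an added example that is not part of the vendor documentation or product code: it shows how the device that receives a CoA-Request checks the Request Authenticator against the shared key (RFC 5176) before answering with CoA-ACK or CoA-NAK, and how the server checks the reply. The function names, the username-keyed session set, and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attributes used by dynamic authorization (RFC 5176).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_USER_NAME, ATTR_ERROR_CAUSE = 1, 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503
ZERO_AUTH = b"\x00" * 16


def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Decode RADIUS attributes, rejecting truncated or zero-length entries."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def _sign(code, ident, seed, attrs, secret):
    """Authenticator = MD5(Code | ID | Length | seed | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + seed + attrs + secret).digest()
    return header + digest + attrs


def build_coa_request(ident, attrs, secret):
    # The Request Authenticator is computed over 16 zero octets.
    return _sign(COA_REQUEST, ident, ZERO_AUTH, encode_attrs(attrs), secret)


def handle_coa_request(packet, secret, sessions):
    """Receiving device: return CoA-ACK/CoA-NAK bytes, or None to drop silently."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return None
    expected = _sign(code, ident, ZERO_AUTH, packet[20:], secret)[4:20]
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong shared key or modified packet
    try:
        attrs = dict(decode_attrs(packet[20:]))
    except ValueError:
        return None
    user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    if user in sessions:  # assumption: sessions are looked up by User-Name
        return _sign(COA_ACK, ident, packet[4:20], b"", secret)
    cause = struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND)
    nak_attrs = encode_attrs([(ATTR_ERROR_CAUSE, cause)])
    return _sign(COA_NAK, ident, packet[4:20], nak_attrs, secret)


def verify_reply(reply, request, secret):
    """Server side: return the reply code if its authenticator is valid, else None."""
    if reply is None or len(reply) < 20 or reply[1] != request[1]:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return None
    expected = _sign(code, ident, request[4:20], reply[20:], secret)[4:20]
    return code if hmac.compare_digest(expected, reply[4:20]) else None


def demo():
    """Run the exchange on constructed values (not real credentials)."""
    secret = b"constructed-shared-key"
    req = build_coa_request(7, [(ATTR_USER_NAME, b"alice")], secret)
    ack = verify_reply(handle_coa_request(req, secret, {"alice"}), req, secret)
    nak = verify_reply(handle_coa_request(req, secret, set()), req, secret)
    tampered = handle_coa_request(req[:-1] + b"x", secret, {"alice"})
    return ack, nak, tampered
```

A request signed with a different key, or altered in transit, fails the authenticator check and is dropped without a reply, which is why the shared key entered on the controller must match the one shown in the SASE console.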

Step 7: Configure a network access policy

Configure network access policies in SASE to enforce fine-grained access control for employees or devices.

  1. Log on to the Secure Access Service Edge console.

  2. In the left-side navigation pane, choose Network Access Control > Office Network.

  3. On the Network Access Permissions tab, click Create Policy.

  4. In the Create Policy panel, configure the following parameters and click OK.

    • Policy Name: Enter a name for the policy.

    • Effective Scope: Select Applicable User. Based on your business needs, click Select to refine the scope to All Users, a Specific User Group, a Specific Device, or a Specific Device Tag.

    • VLAN ID: Specify the VLAN ID defined on your wireless controller. Value range: 1 to 4094.

    • ACL ID: Specify the ACL ID defined on your wireless controller. The valid range for this value depends on the brand and model of your network device.

    • Terminal Type: Select the terminal types to which the policy applies.

    • Network Permissions: Select the wireless network.

    • Wi-Fi Network Scope: Select All Wi-Fi Networks or Specific Wi-Fi Networks based on your requirements.

    • Priority: Set the priority of the policy. A smaller number indicates a higher priority.

    • Policy Status: Enable the policy.

    • Advanced Settings: Specify the Authentication Server and Network Device for Access Control to which the policy applies.

Step 8: Install and log on to SASE App

On an internet-connected device, install and log on to the SASE App as described in Install and log on to the SASE App.

Step 9: View authentication and access history

After you complete the preceding steps, you can view network access history or user authentication logs in the SASE console.

  • View user authentication logs

    1. In the left-side navigation pane, choose Log Analysis > Log Audit.

    2. On the Access Logs > User Authentication Logs tab, view the status of user network authentication.

  • View network access history

    1. Log on to the Secure Access Service Edge console.

    2. In the left-side navigation pane, choose Network Access Control > Office Network.

    3. On the Network Access History tab, view the network access status of users. You can also Disable or Enable access.

Use case 2: Configure employee wired network access

Configure 802.1X authentication for wired network access on both the SASE console and your on-premises switch.

Step 1: Configure the authentication server (RADIUS)

RADIUS provides centralized authentication, authorization, and accounting (AAA). SASE provides a Cloud Authentication Server and supports custom authentication servers.

  1. Log on to the Secure Access Service Edge console.

  2. In the left-side navigation pane, choose Network Access Control > Basic Configurations.

  3. On the Authentication Server tab, view information about the Cloud Authentication Server or click Add Authentication Server.

    • View the Cloud Authentication Server

      1. In the upper-right corner of the page, click Cloud Authentication Server.

      2. In the Cloud Authentication Server panel, view information about the cloud authentication servers provided by SASE.

    • Add an authentication server

      1. Click Add Authentication Server.

      2. In the Add Authentication Server panel, configure the Authentication Server Name and the server IP Address, and then click Save.

        Note

        The default User Wi-Fi Authentication Interface is 1812, and the default User Wi-Fi Billing Interface is 1813.

      3. On the Deployment and Installation tab, view the Recommended Server Specifications and Server Deployment Commands for deploying RADIUS.

      4. Copy the Server Deployment Commands and run them on your server to deploy RADIUS.

      5. After deployment, check the status in the list.

Step 2: Configure network device information

Configure your on-premises switch to enable 802.1X authentication on wired ports.

  1. On the Network Device tab, click Add Network Device.

  2. In the Add Network Device dialog box, configure the following parameters and click OK.

    • Device Name: Enter a name for the device.

    • Device Brand: Select the brand of your switch.

    • Device Type: Select wired switch.

    • IP Address: Enter the IP address or IP address range of the switch.

    • MAC Address: Enter the MAC address of the switch.

    • CoA Port: Enter the CoA port of the switch.

Step 3: Configure certificate management

After connecting to the corporate network, SASE automatically issues a SASE CA certificate and network access certificate to the SASE App. Only devices with these certificates can access internal applications over the wired network. You can modify the installation scope, validity period, or organization name as needed.

  1. Click Certificate Management.

  2. On the Certificate Management tab, configure Network Access Certificate Configuration, CA Certificate Configuration, and Global Settings.

Step 4: Configure the on-premises switch

Configure the RADIUS scheme, ISP domain, and 802.1X authentication on your on-premises switch console.

Configure RADIUS

  1. Log on to the H3C wireless controller console.

  2. At the bottom of the page, select Network. In the left-side navigation pane, select .

  3. On the RADIUS tab, click the add icon to add a RADIUS scheme.

  4. On the Add RADIUS scheme page, configure the RADIUS information and click OK.

    • Scheme name: Enter a custom name for the RADIUS scheme. Example value: sase-r1

    • Authentication server: Configure the primary authentication server. Add backups as needed. This information is available on the Network Access Control > Basic Configurations > Authentication Server tab in the SASE console, where you can view the Cloud Authentication Server or an authentication server that you added. Example value:

      • VRF: Default Public Network

      • Type: Default IP Address

      • IP address: 121.40.*.*

      • Port: 1812

      • Shared key: Enter the key.

      • Status: Active

    • Accounting server: Configure the accounting server. Add backups as needed. The accounting server uses the same IP address and shared key as the authentication server, but port 1813. Example value:

      • VRF: Default Public Network

      • Type: Default IP Address

      • IP address: 121.40.*.* (same as authentication server)

      • Port: 1813

      • Shared key: Enter the key (same as authentication server).

      • Status: Active

    • Advanced settings: Click Show advanced settings, and set Real-time accounting update interval to 60 seconds. Example value: 60

Configure ISP domains

  1. In the left-side navigation pane, select . On the ISP domain tab, click the add icon to add an ISP domain configuration.

  2. On the Add ISP domain page, configure the ISP domain as shown in the following figure, and then click OK.

    image

Configure switch ports (802.1X authentication)

  1. In the left-side navigation pane, select .

  2. On the 802.1X page, select a port for port-based authentication, such as GE1/0/3, and then click OK.

  3. Click Advanced settings. On the Advanced settings page, configure the Mandatory ISP domain of the port, and then click OK.

  4. In the upper-right corner of the page, click the icon. On the 802.1X page, click the configuration icon next to Authentication method, select EAP from the drop-down list, and then click OK.

Step 5: Enable dynamic authorization (CoA)

CoA (Change of Authorization) dynamically changes session authorization through RADIUS. When the AC receives a CoA-Request, it updates the user session and returns a CoA-ACK or CoA-NAK.

  1. Connect to the wireless controller (AC) by using a console cable.

  2. Run the following commands to enable CoA:

    [AC] radius dynamic-author server
    [AC-radius-da-server] client ip <radius_server_ip> key simple <shared_key>

    In the command, replace <radius_server_ip> with the IP address of the RADIUS server and <shared_key> with the shared key for the device.

    Note

    You can find the RADIUS Server IP Address and Shared Key on the Network Access Control > Basic Configurations > Authentication Server tab in the SASE console.

Step 6: Configure network access permission policy

Configure network access policies in SASE to enforce fine-grained access control for employees or devices on the wired network.

  1. Log on to the Secure Access Service Edge console.

  2. In the left-side navigation pane, choose Network Access Control > Office Network.

  3. On the Network Access Permissions tab, click Create Policy.

  4. In the Create Policy panel, configure the following parameters and click OK.

    • Policy Name: Enter a name for the policy.

    • Effective Scope: Select Applicable User. Based on your business needs, click Select to refine the scope to All Users, a Specific User Group, a Specific Device, or a Specific Device Tag.

    • VLAN ID: Specify the VLAN ID defined on your switch. Value range: 1 to 4094.

    • ACL ID: Specify the ACL ID defined on your switch. The valid range for this value depends on the brand and model of your network device.

    • Terminal Type: Select the terminal types to which the policy applies.

    • Network Permissions: Select Wired Network.

    • Priority: Set the priority for the policy. A smaller number indicates a higher priority.

    • Policy Status: Enable the policy.

    • Advanced Settings: Specify the Authentication Server and Network Device for Access Control to which the policy applies.

Step 7: Install and log on to the SASE App

Install and log on to the SASE App on an internet-connected device. For more information, see Install and log on to the SASE App.

Step 8: View authentication and network access records

You can view network access records or employee authentication logs on the SASE console.

  • View user authentication logs

    1. In the left-side navigation pane, choose Log Analysis > Log Audit.

    2. On the Access Logs > User Authentication Logs tab, view the status of user network authentication.

  • View network access history

    1. Log on to the Secure Access Service Edge console.

    2. In the left-side navigation pane, choose Network Access Control > Office Network.

    3. On the Network Access History tab, view the network access status of users. You can also Disable or Enable access.

Use case 3: Guest wireless network access

SASE separates employee and visitor SSIDs for secure guest access. Configure different SSIDs and backend policies for each. Currently, the only supported authentication method for visitors connecting to the SASE visitor Wi-Fi is portal page authentication with SMS verification.

Step 1: Configure portal authentication

  1. Log on to the Secure Access Service Edge console.

  2. In the navigation pane, choose Network Access Control > Guest Network.

  3. In the upper-right corner of the page, click Authentication Configuration.

  4. On the Authentication Configuration page, configure Authentication Portal Settings and Custom Settings on Authentication Page.

Step 2: Configure authentication server (RADIUS)

RADIUS provides centralized AAA services. SASE supports custom authentication server configurations.

  1. Log on to the Secure Access Service Edge console.

  2. In the navigation pane, choose Network Access Control > Basic Configurations.

  3. On the Authentication Server tab, click Add Authentication Server.

  4. In the Add Authentication Server panel, configure the Authentication Server Name and the server IP Address, and then click Save.

    Note

    The default User Wi-Fi Authentication Interface is 1812, and the default User Wi-Fi Billing Interface is 1813.

  5. On the Deployment and Installation tab, view the Recommended Server Specifications and Server Deployment Commands for deploying RADIUS.

  6. Copy the Server Deployment Commands and run them on your own server to deploy RADIUS.

  7. After deployment, check the status in the list.

Step 3: Configure Wi-Fi management

  1. On the Wi-Fi Management tab, click Create Network Instance.

  2. In the Enterprise Wireless Network Configuration dialog box, configure the Network SSID and Authentication Mode for guest access, and then click OK.

Step 4: Configure local wireless controller (H3C example)

Configure RADIUS

  1. Log on to the H3C wireless controller console.

  2. At the bottom of the page, select Network, and in the navigation pane, choose .

  3. On the RADIUS tab, click the add icon to add a RADIUS scheme.

  4. On the Add RADIUS Scheme page, configure the RADIUS information and click OK.

    • Scheme Name: A custom name for the RADIUS scheme. Example: sase-r1

    • Authentication Server: Configure the authentication server. Add backup servers if needed. To find the authentication server information, go to the Network Access Control > Basic Configurations > Authentication Server tab in the SASE console and view the server that you added with Add Authentication Server. Example:

      • VRF: Default Public Network

      • Type: Default IP Address

      • IP address: 121.40.*.* (same as the authentication server)

      • Port: 1812

      • Shared Key: Enter the key (same as the authentication server's shared key)

      • Status: Active

    • Advanced Settings: Click Show Advanced Settings and use the following settings. Keep other settings at their default values.

      • Source IPv4 Address for Sending RADIUS Messages: Configure the IPv4 address of the access device that is specified on the RADIUS server. This is typically the management interface IP address of the AC. Example: 121.40.*.*

      • Username Format Sent to RADIUS Server: without domain name.

Configure an ISP domain

  1. In the navigation pane, choose . On the ISP Domain tab, click the add icon to add an ISP domain configuration.

  2. On the Add ISP Domain page, configure the ISP domain as shown in the following figure, and then click OK.

    image

Configure portal authentication server

  1. In the navigation pane, choose .

  2. On the Portal tab, click Portal Authentication Server.

  3. On the Portal page, click the add icon to add a portal authentication server.

  4. On the Create Portal Authentication Server page, apply the following settings, leave the others at their defaults, and then click OK.

    • Server Name: The name of the portal authentication server. Example: sase-newptv4

    • IP Address: The IP address of the RADIUS server. Example: 121.40.*.*

    • Server Reachability Detection: Enable the detection feature and set the Detection Duration and Action. Example:

      • Detection Duration: 60 seconds

      • Action: Select Log

Configure portal web server

  1. In the navigation pane, choose .

  2. On the Portal tab, click Local Portal Web Server.

  3. On the Portal page, click the add icon to add a portal web server.

  4. On the Create Local Portal Web Server page, use the following settings, and then click OK.

    • Server Name: The name of the server. Example: sase-newptv4

    • URL: The address of the server. Example: 121.40.*.*

    • URL Parameters:

      1. Select User's IP Address, enter a parameter name in the URL Parameter Name field, and then click Add.

      2. Select User's MAC Address, enter a parameter name in the URL Parameter Name field, and then click Add.

      Example:

      • User's IP Address: userip

      • User's MAC Address: usermac

Configure a wireless service

  1. In the navigation pane, choose .

  2. On the Wireless Network tab, click the add icon to add a wireless network.

  3. On the Add Wireless Service page, configure the Wireless Service Name, SSID, and Default VLAN, and enable the Wireless Service. After you complete the configuration, click OK and Go to Advanced Settings.

    Note

    You can find the SSID for your configured network instance on the Network Access Control > Basic Configurations > Wi-Fi Management tab in the SASE console.

  4. On the Link Layer Authentication tab, set the Authentication Mode to IPv4 Portal Authentication, select your configured ISP domain name for Domain Name, select the Web Server Name, and configure the BAS-IP. Keep other settings at their default values. Then, click OK.

  5. On the Binding tab, click the AP that you want to bind, and then click OK.

Additional configuration

Connect to the AC with a console cable and run the following commands.

# Enable the wireless portal roaming feature.
[AC] portal roaming enable
# Disable the ARP entry pinning feature for wireless portal clients.
[AC] undo portal refresh arp enable
# Enable the host validity check for wireless portal clients.
[AC] portal host-check enable
# Set the portal authentication server type to CMCC.
[AC] portal server sase-newptv4
[AC-portal-server-sase-newptv4] server-type cmcc
[AC-portal-server-sase-newptv4] quit
# Configure the portal web server.
[AC] portal web-server sase-newptv4
[AC-portal-websvr-sase-newptv4] url http://192.168.XX.XX:8080/portal
# Configure the redirection URL to include the ssid and vlan parameters, which represent the AP SSID and VLAN, respectively.
[AC-portal-websvr-sase-newptv4] url-parameter ssid ssid
[AC-portal-websvr-sase-newptv4] url-parameter vlan vlan
# Add the acip parameter, set to the actual IP address of the AC.
[AC-portal-websvr-sase-newptv4] url-parameter acip value <AC's_actual_IP>
# Set the portal web server type to CMCC.
[AC-portal-websvr-sase-newptv4] server-type cmcc
# Configure iOS captive-bypass adaptation.
[AC-portal-websvr-sase-newptv4] captive-bypass ios optimize enable
[AC-portal-websvr-sase-newptv4] quit
# Enable the RADIUS session control feature.
[AC] radius session-control enable
# Configure the RADIUS CoA feature.
[AC] radius dynamic-author server
[AC-radius-da-server] client ip <RADIUS_server_IP> key simple <SharedSecret>

Note

You can find the RADIUS Server IP Address and Shared Key on the Network Access Control > Basic Configurations > Authentication Server tab in the SASE console.

Step 5: Guest login

After you connect to the guest Wi-Fi, the portal authentication page opens. Enter your phone number and the SMS verification code, and then click Login. You can access internal enterprise applications only after you pass verification.

Step 6: View guest logs

  1. Log on to the Secure Access Service Edge console.

  2. In the navigation pane, choose Log Analysis > Log Audit.

  3. On the Access Logs > Guest Authentication Logs tab, view the guest network authentication status.

Use case 4: Dumb terminal network access

Add dumb terminals in the SASE console, then configure network access on your local switch.

Step 1: Add dumb terminals

  1. Log on to the Secure Access Service Edge console.

  2. In the left navigation pane, choose Endpoint Management > Terminals.

  3. In the list on the left, select dumb terminal. Then, choose Add Terminal or Import Devices.

    • Add Terminal: In the Add Terminal panel, enter the MAC Address, MAC Address Mask, Device Vendor, Device Name, and Device Type, and then click OK.

    • Import Devices: In the Import Devices dialog box, click Download Import Template. After you enter the device information, click Upload Local File and then click OK.

Step 2: Configure network access

Network access configuration for dumb terminals depends on the connection type.

Note

Dumb terminals do not require certificate management or SASE client installation. You can skip these steps.

Step 3: View dumb terminal authentication logs

  1. In the left navigation pane, choose Log Analysis > Log Audit.

  2. On the Access Logs > Dumb Terminal Authentication Logs tab, view the network authentication status of the dumb terminals.