In a digital office environment, network admission control is a key component of enterprise network security. Enterprises have growing demands for network security and convenience. Secure Access Service Edge (SASE) integrates the RADIUS (Remote Authentication Dial-In User Service) component to support 802.1X protocol and Portal access methods, delivering secure, flexible, and efficient network admission control, ensuring compliant access for devices and users, and improving overall management efficiency and user experience.
Scenario 1: Employee wireless network access
SASE ensures network access security through 802.1X authentication and improves employee efficiency with one-click network access. Employees can quickly and securely access the enterprise network in any office network coverage area through the SASE client. You need to complete the relevant configurations in both the SASE console and your local wireless controller.
The wireless controllers and switches mentioned in this document use H3C devices as examples.
Step 1: Configure the authentication server (RADIUS)
RADIUS is a network protocol used to provide centralized authentication, authorization, and accounting (AAA) services. SASE provides you with a Cloud Authentication Server while also supporting flexible configuration of your own authentication server.
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose .
On the Authentication Server tab, view the Cloud Authentication Server information or Add Authentication Server.
View cloud authentication server
In the upper-right corner of the page, click Cloud Authentication Server.

In the Cloud Authentication Server panel, view the information about the cloud authentication server provided by SASE.
Add authentication server
Click Add Authentication Server.
In the Add Authentication Server panel, configure the Authentication Server Name and the IP Address of the server, and click Save.
Note: The User Wi-Fi Authentication Interface is 1812 by default, and the User Wi-Fi Billing Interface is 1813 by default.
On the Deployment and Installation tab, view the Recommended Server Specifications and Server Deployment Commands needed to deploy RADIUS.
Copy the Server Deployment Commands and deploy RADIUS on your own server.
After deployment is complete, view the deployment status in the list.

Step 2: Configure network device information
A wireless controller is a network device used for centralized management and control of wireless access points (APs), with the ability to uniformly configure, monitor, and optimize wireless networks. You need to configure the relevant information for your wireless controller.
On the Network Device tab, click Add Network Device.
In the Add Network Device dialog box, configure the following information and click OK.
Parameter: Description
Device Name: Enter the name of the device.
Device Brand: Select the brand of your wireless controller.
Device Type: Select Wireless Controller.
IP Address: Configure the IP or IP range of the wireless controller.
MAC Address: Configure the MAC address of the wireless controller.
CoA Port: Configure the CoA port of the wireless controller.
Step 3: Configure Wi-Fi management
On the Wi-Fi Management tab, click Create Network Instance.
In the Enterprise Wireless Network Configuration dialog box, configure the Network SSID and Authentication Mode (currently only EAP-TLS is supported) for employee network access, and click OK.
Step 4: Configure certificate management
After accessing the enterprise office network through SASE, the system will automatically issue SASE's CA certificate and network access certificate to the SASE App. Only devices with installed certificates can use and access enterprise internal applications through the enterprise wireless network. If the automatically issued certificates do not suit your business scenario, you can modify the certificate installation scope, validity period, or customize the certificate organization name.
Click Certificate Management.
On the Certificate Management tab, configure Network Access Certificate Configuration, CA Certificate Configuration, and Global Settings.
Step 5: Configure the local wireless controller (using H3C as an example)
You need to configure the RADIUS scheme, ISP domain, and wireless 802.1X authentication in the local console.
Configure RADIUS
Log on to the H3C wireless controller device console.
At the bottom of the page, select Network, and in the navigation pane on the left, select .
On the RADIUS tab, click the icon to add a new RADIUS scheme.
On the Add RADIUS Scheme page, configure the RADIUS information and click OK.
Parameter: Scheme Name
Description: Customize the RADIUS scheme name.
Example: sase-r1

Parameter: Authentication Server
Description: Configure the authentication server information. If you have multiple authentication servers, you can add them to the backup servers. For information about the authentication server, you can view the Cloud Authentication Server information or Add Authentication Server information in the SASE console under tab.
Example:
  VRF: Default Public Network
  Type: Default IP Address
  IP Address: 121.40.*.*
  Port: 1812
  Shared Key: Fill in the key
  Status: Active

Parameter: Accounting Server
Description: Configure the accounting server information. If you have multiple accounting servers, you can add them to the backup servers. The IP address and shared key of the accounting server are the same as those of the authentication server, with a port of 1813.
Example:
  VRF: Default Public Network
  Type: Default IP Address
  IP Address: 121.40.*.* (same as the authentication server)
  Port: 1813
  Shared Key: Fill in the key (same as the authentication server)
  Status: Active

Parameter: Advanced Settings
Description: Click Show Advanced Settings and set the Real-time Accounting Interval to 60 seconds in the parameters.
Example: 60
Configure ISP domain
In the navigation pane on the left, select .
On the ISP Domains tab, click the icon to add a new ISP domain configuration.
On the Add ISP Domains page, configure the ISP domain as shown in the following figure and click OK.

Configure wireless network (802.1X authentication)
In the navigation pane on the left, select .
On the Wireless Network tab, click the icon to add a new wireless network.
On the Add Wireless Service page, configure Wireless Service Name, SSID, Default VLAN, and enable Wireless Service. After configuration is complete, click Apply and Configure Advanced Settings.
Note: For SSID-related information, you can obtain the SSID of your configured network instance in the SASE console under tab.
On the Link Layer Authentication tab, select Authentication Mode as 802.1X, and select Domain Name as the ISP domain you configured. Keep other configurations as default. Then click OK.

On the Binding tab, click the AP that needs to be bound and click OK.

In the navigation pane on the left, select .
Click the icon in the upper-right corner of the page. On the 802.1X page, click the parameter to the right of Authentication Method, then select EAP from the drop-down list, and click OK.
Step 6: Enable dynamic authorization (CoA)
CoA is typically implemented based on the RADIUS protocol by sending RADIUS CoA-Request messages to trigger authorization changes. When the wireless controller receives such requests, it updates the user's session parameters according to the request content and returns a CoA-ACK (acknowledgment) or CoA-NAK (rejection) message to the RADIUS server.
Connect to the wireless controller (AC) using a Console line.
Enable CoA using the following commands.
[AC] radius dynamic-author server
[AC-radius-da-server] client ip <Radius Server IP> key simple <Sharesecret>
Where <Radius Server IP> is the Radius Server IP address, and <Sharesecret> is the shared key for the corresponding device.
Note: You can view the Radius Server IP address and SharedSecret (shared key) in the SASE console under tab.
Step 7: Configure network access permission policy
When accessing the enterprise office network through SASE, configuring network access permission policies can implement fine-grained isolation and control of employee or device network access permissions, enhancing network security and management efficiency.
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose .
On the Network Access Permissions tab, click Create Policy.
In the Create Policy panel, configure the following settings and click OK.
Parameter: Description
Policy Name: Configure the policy name.
Effective Scope: For Effective Scope, select Applicable User. Based on actual business needs, click Select and refine the effective range according to All Users, Specific User Group, Specific Device, or Specific Device Tag.
VLAN ID: Set the VLAN ID configured on your wireless controller. Supported input range: 1-4094.
ACL ID: Set the ACL ID configured on your wireless controller. The value range needs to be determined based on the brand and model of the network device used.
Terminal Type: Select the effective terminal type.
Network Permissions: Select wireless network.
Wi-Fi Network Scope: Select All Wi-Fi Networks or select Specific Wi-Fi Networks based on actual conditions.
Priority: Set the policy effective priority. The smaller the number, the higher the priority.
Policy Status: Enable the policy status.
Advanced Settings: Set the Authentication Server and Network Device for Access Control for the policy to take effect.
Step 8: Install and log on to the SASE client
You need to install and log on to the SASE App on a terminal device connected to the Internet. For specific operations after logging on to the client, see Install and Log on to the SASE App.
Step 9: View authentication and network access records
After completing the above steps, you can view network access records or employee authentication logs in the SASE console.
View employee authentication logs
In the navigation pane on the left, choose .
On the tab, view the employee network authentication status.
View network access records
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose .
On the Network Access History tab, view the employee's network access status. You can also perform Disable and Enable operations.
Scenario 2: Employee wired network access
This scenario describes the configuration of wired network access using 802.1X authentication. You need to configure both the SASE Management Console and the local switch.
Step 1: Configure the authentication server (RADIUS)
RADIUS is a network protocol used to provide centralized authentication, authorization, and accounting (AAA) services. SASE provides you with a Cloud Authentication Server while also supporting flexible configuration of your own authentication server.
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose .
On the Authentication Server tab, view the Cloud Authentication Server information or Add Authentication Server.
View cloud authentication server
In the upper-right corner of the page, click Cloud Authentication Server.

In the Cloud Authentication Server panel, view the information about the cloud authentication server provided by SASE.
Add authentication server
Click Add Authentication Server.
In the Add Authentication Server panel, configure the Authentication Server Name and the IP Address of the server, and click Save.
Note: The User Wi-Fi Authentication Interface is 1812 by default, and the User Wi-Fi Billing Interface is 1813 by default.
On the Deployment and Installation tab, view the Recommended Server Specifications and Server Deployment Commands needed to deploy RADIUS.
Copy the Server Deployment Commands and deploy RADIUS on your own server.
After deployment is complete, view the deployment status in the list.

Step 2: Configure network device information
Switches are used to connect different types of network devices, such as computers, servers, printers, and routers, enabling communication and data exchange between these devices. You need to configure the relevant information for your local switch.
On the Network Device tab, click Add Network Device.
In the Add Network Device dialog box, configure the following information, and click OK.
Parameter: Description
Device Name: Configure the device name.
Device Brand: Select the brand of your vSwitch.
Device Type: Select wired vSwitch.
IP Address: Configure the IP address or IP segment of the vSwitch.
MAC Address: Configure the MAC address of the vSwitch.
CoA Port: Configure the CoA port of the vSwitch.
Step 3: Configure certificate management
After accessing the enterprise office network through SASE, the system will automatically issue SASE's CA certificate and network access certificate to the SASE App. Only devices with installed certificates can use and access enterprise internal applications through the enterprise wired network. If the automatically issued certificates do not suit your business scenario, you can modify the certificate installation scope, validity period, or customize the certificate organization name.
Click Certificate Management.
On the Certificate Management tab, configure Network Access Certificate Configuration, CA Certificate Configuration, and Global Settings.
Step 4: Configure the local switch (using H3C as an example)
You need to configure the RADIUS scheme, ISP domain, and wired 802.1X authentication in the local console.
Configure RADIUS
Log on to the H3C wireless controller device console.
At the bottom of the page, select Network, and in the navigation pane on the left, select .
On the RADIUS tab, click the icon to add a new RADIUS scheme.
On the Add RADIUS Scheme page, configure the RADIUS information and click OK.
Parameter: Scheme Name
Description: Customize the RADIUS scheme name.
Example: sase-r1

Parameter: Authentication Server
Description: Configure the authentication server information. If you have multiple authentication servers, you can add them to the backup servers. For information about the authentication server, you can view the Cloud Authentication Server information or Add Authentication Server information in the SASE console under tab.
Example:
  VRF: Default Public Network
  Type: Default IP Address
  IP Address: 121.40.*.*
  Port: 1812
  Shared Key: Fill in the key
  Status: Active

Parameter: Accounting Server
Description: Configure the accounting server information. If you have multiple accounting servers, you can add them to the backup servers. The IP address and shared key of the accounting server are the same as those of the authentication server, with a port of 1813.
Example:
  VRF: Default Public Network
  Type: Default IP Address
  IP Address: 121.40.*.* (same as the authentication server)
  Port: 1813
  Shared Key: Fill in the key (same as the authentication server)
  Status: Active

Parameter: Advanced Settings
Description: Click Show Advanced Settings and set the Real-time Accounting Interval to 60 seconds.
Example: 60
Configure ISP domain
In the navigation pane on the left, select .
On the ISP Domains tab, click the icon to add a new ISP domain configuration.
On the Add ISP Domain page, configure the ISP domain as shown in the following figure and click OK.

Configure switch ports (802.1X authentication)
In the navigation pane on the left, select .
On the 802.1X page, select GE1/0/3 (port-based authentication). Then click OK.

Click Advanced Settings. On the Advanced Settings page, configure the Mandatory ISP Domain of the Port, and click OK.

Click the icon in the upper-right corner of the page. On the 802.1X page, click the parameter to the right of Authentication Method, then select EAP from the drop-down list, and click OK.
Step 5: Enable dynamic authorization (CoA)
CoA is typically implemented based on the RADIUS protocol by sending RADIUS CoA-Request messages to trigger authorization changes. When the wireless controller receives such requests, it updates the user's session parameters according to the request content and returns a CoA-ACK (acknowledgment) or CoA-NAK (rejection) message to the RADIUS server.
Connect to the wireless controller (AC) using a Console line.
Enable CoA using the following commands.
[AC] radius dynamic-author server
[AC-radius-da-server] client ip <Radius Server IP> key simple <Sharesecret>
Where <Radius Server IP> is the Radius Server IP address, and <Sharesecret> is the shared key for the corresponding device.
Note: You can view the Radius Server IP address and SharedSecret (shared key) in the SASE console under tab.
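The CoA exchange described in the dynamic authorization steps of Scenario 1 and Scenario 2, as an added example that is not part of the original page and is not SASE or H3C code: a CoA-Request is built with the shared key, a simulated device verifies it, and the CoA-ACK or CoA-NAK reply is checked. Packet codes and authenticator construction follow RFC 5176; the function names, session IDs and key are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Packet codes and attribute types from RFC 5176 / RFC 2865 / RFC 2866.
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, ACCT_SESSION_ID, ERROR_CAUSE = 1, 44, 101
SESSION_CONTEXT_NOT_FOUND = 503  # Error-Cause value defined in RFC 5176


def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS type-length-value attributes."""
    out = b""
    for typ, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Decode attributes, rejecting truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def _packet(code, ident, seed, attrs, secret):
    """Authenticator = MD5(Code | Identifier | Length | seed | attributes | secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + seed + body + secret).digest() + body


def build_coa_request(ident, attrs, secret):
    """RADIUS server side: for a request the seed is sixteen zero octets."""
    return _packet(COA_REQUEST, ident, bytes(16), attrs, secret)


def device_handle(packet, secret, sessions):
    """Simulated controller: return CoA-ACK/CoA-NAK bytes, or None to drop silently."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None  # wrong shared key or modified packet
    try:
        attrs = dict(decode_attrs(packet[20:]))
    except ValueError:
        return None
    # A reply is seeded with the Request Authenticator, binding it to this request.
    if attrs.get(ACCT_SESSION_ID) in sessions:
        return _packet(COA_ACK, ident, packet[4:20], [], secret)
    cause = struct.pack("!I", SESSION_CONTEXT_NOT_FOUND)
    return _packet(COA_NAK, ident, packet[4:20], [(ERROR_CAUSE, cause)], secret)


def verify_reply(request, reply, secret):
    """RADIUS server side: return the reply code if it authenticates, else None."""
    if len(reply) < 20 or reply[1] != request[1]:
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[0] if hmac.compare_digest(reply[4:20], expected) else None


def demo():
    secret = b"constructed-shared-key"  # constructed sample value
    sessions = {b"sess-0001"}           # constructed active session IDs
    results = {}
    for name, sess, key in [("known", b"sess-0001", secret),
                            ("unknown", b"sess-9999", secret),
                            ("bad_key", b"sess-0001", b"other-key")]:
        req = build_coa_request(7, [(USER_NAME, b"alice"), (ACCT_SESSION_ID, sess)], key)
        reply = device_handle(req, secret, sessions)
        results[name] = verify_reply(req, reply, key) if reply else None
    return results


if __name__ == "__main__":
    print(demo())
```

A request signed with a different key is dropped without any reply, so a key mismatch between the device's dynamic-author client entry and the value shown in the SASE console shows up as CoA timeouts rather than as CoA-NAK messages.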
Step 6: Configure network access permission policy
When accessing the enterprise office network through SASE, configuring network access permission policies can implement fine-grained isolation and control of employee or device network access permissions, enhancing network security and management efficiency.
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose .
On the Network Access Permissions tab, click Create Policy.
In the Create Policy panel, configure the following settings and click OK.
Parameter: Description
Policy Name: Configure the policy name.
Effective Scope: For Effective Scope, select Applicable User. Based on actual business needs, click Select and refine the effective range according to All Users, Specific User Group, Specific Device, or Specific Device Tag.
VLAN ID: Set the VLAN ID configured on your switch. Supported input range: 1-4094.
ACL ID: Set the ACL ID configured on your switch. The value range needs to be determined based on the brand and model of the network device used.
Terminal Type: Select the effective terminal type.
Network Permissions: Select wired network.
Priority: Set the policy effective priority. The smaller the number, the higher the priority.
Policy Status: Enable the policy status.
Advanced Settings: Set the Authentication Server and Network Device for Access Control for the policy to take effect.
Step 7: Install and log on to the SASE client
You need to install and log on to the SASE App on a terminal device connected to the Internet. For specific operations after logging on to the client, see Install and Log on to the SASE App.
Step 8: View authentication and network access records
After completing the above steps, you can view network access records or employee authentication logs in the SASE console.
View employee authentication logs
In the navigation pane on the left, choose .
On the tab, view the employee network authentication status.
View network access records
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose .
On the Network Access History tab, view the employee's network access status. You can also perform Disable and Enable operations.
Scenario 3: Visitor wireless network access
SASE provides enterprises with a secure and convenient visitor network access solution, ensuring network security by distinguishing between employee and visitor SSIDs while optimizing the visitor internet experience. It supports simultaneous configuration of employee and visitor network access, requiring only different SSID settings and backend integration strategies. Currently, visitor access to SASE visitor Wi-Fi only supports Portal page text message verification code authentication.
Step 1: Portal authentication configuration
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose .
In the upper-right corner of the page, click Authentication Configuration.
On the Authentication Configuration page, configure Authentication Portal Settings and Custom Settings on Authentication Page.
Step 2: Configure the authentication server (RADIUS)
RADIUS (Remote Authentication Dial-In User Service) is a network protocol used to provide centralized authentication, authorization, and accounting (AAA) services. SASE supports flexible configuration of your own authentication server.
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose .
On the Authentication Server tab, click Add Authentication Server.
In the Add Authentication Server panel, configure the Authentication Server Name and the IP Address of the server, and click Save.
Note: The User Wi-Fi Authentication Interface is 1812 by default, and the User Wi-Fi Billing Interface is 1813 by default.
On the Deployment and Installation tab, view the Recommended Server Specifications and Server Deployment Commands.
Copy the Server Deployment Commands and deploy RADIUS on your own server.
After deployment is complete, view the deployment status in the list.

Step 3: Configure Wi-Fi management
On the Wi-Fi Management tab, click Create Network Instance.
In the Enterprise Wireless Network Configuration dialog box, configure the Network SSID and Authentication Mode for guest access (only EAP-TLS is supported), and click OK.
Step 4: Configure the local wireless controller (using H3C as an example)
Configure RADIUS
Log on to the H3C wireless controller device console.
At the bottom of the page, select Network, and in the navigation pane on the left, select .
On the RADIUS tab, click the icon to add a new RADIUS scheme.
On the Add RADIUS Scheme page, configure the RADIUS information and click OK.
Parameter: Scheme Name
Description: Customize the RADIUS scheme name.
Example: sase-r1

Parameter: Authentication Server
Description: Configure the authentication server information. If you have multiple authentication servers, you can add them to the backup servers. For information about the authentication server, you can view the Add Authentication Server information in the SASE console under tab.
Example:
  VRF: Default Public Network
  Type: Default IP Address
  IP Address: 121.40.*.* (same as the authentication server)
  Port: 2000
  Shared Key: Fill in the key (same as the authentication server)
  Status: Active

Parameter: Advanced Settings
Description: Click Show Advanced Settings and refer to the following configuration, keeping other settings as default.
  Source IPv4 Address for Sending RADIUS Messages: Configure the IPv4 address of the access device specified on the RADIUS server (generally the management interface IP of the AC).
  Username Format Sent to RADIUS Server: Without domain name.
Example:
  Source IPv4 Address for Sending RADIUS Messages: 121.40.*.*
  Username Format Sent to RADIUS Server: Without domain name.
Configure ISP domain
In the navigation pane on the left, select .
On the ISP Domains tab, click the icon to add a new ISP domain configuration.
On the Add ISP Domain page, configure the ISP domain as shown in the following figure and click OK.

Configure Portal authentication server
In the navigation pane on the left, select .
On the Portal tab, click Portal Authentication Server.

On the Portal page, click the icon to add a new Portal authentication server.
On the Create Portal Authentication Server page, refer to the following configuration, keep other settings as default, and click OK.
Parameter: Server Name
Description: Set the Portal authentication server name.
Example: sase-newptv4

Parameter: IP Address
Description: Set the RADIUS server IP address.
Example: 121.40.*.*

Parameter: Server Reachability Detection
Description: Enable the detection function and set Detection Duration and Action.
Example:
  Detection Duration: 60 seconds
  Action: Select Log
Configure Portal Web server
In the navigation pane on the left, select .
On the Portal tab, click Local Portal Web Server.
On the Portal page, click the icon to add a new Portal Web server.
On the Create Local Portal Web Server page, refer to the following configuration and click OK.
Parameter: Server Name
Description: Configure the server name.
Example: sase-newptv4

Parameter: URL
Description: Configure the server address.
Example: 121.40.*.*

Parameter: URL Parameters
Description: Select User's IP Address, configure the parameter name in URL Parameter Name, and click Add. Select User's MAC Address, configure the parameter name in URL Parameter Name, and click Add.
Example:
  User's IP Address: userip
  User's MAC Address: usermac
Configure wireless service
In the navigation pane on the left, select .
On the Wireless Network tab, click the icon to add a new wireless network.
On the Add Wireless Service page, configure Wireless Service Name, SSID, Default VLAN, and enable Wireless Service. After configuration is complete, click Apply and Configure Advanced Settings.
Note: For SSID-related information, you can obtain the SSID of your configured network instance in the SASE console under tab.
On the Link Layer Authentication tab, set Authentication Mode to IPv4 Portal Authentication, set Domain Name to the ISP domain name you configured, select Web Server Name, and configure BAS-IP. Keep other configurations as default, then click OK.

On the Binding tab, click the AP that needs to be bound and click OK.

Additional configuration
Connect to the AC using a Console line for configuration.
# Enable wireless Portal roaming function.
[AC] portal roaming enable
# Disable wireless Portal client ARP entry solidification function.
[AC] undo portal refresh arp enable
# Enable wireless Portal client legitimacy check function.
[AC] portal host-check enable
# Configure Portal authentication server type as CMCC
[AC] portal server sase-newptv4
[AC-portal-server-newpt] server-type cmcc
[AC-portal-server-newpt] quit
# Configure Portal Web server
[AC] portal web-server sase-newptv4
[AC-portal-websvr-newpt] url http://192.168.XX.XX:8080/portal
# Configure the device to include the ssid and vlan parameters in the URL redirected to the users' Portal Web server, with values being the AP's SSID and VLAN respectively
[AC-portal-websvr-newpt] url-parameter ssid ssid
[AC-portal-websvr-newpt] url-parameter vlan vlan
[AC-portal-websvr-newpt] url-parameter acip value <AC's originating IP>
# Configure Portal Web server type as CMCC.
[AC-portal-websvr-newpt] server-type cmcc
# Configure ios captive-bypass adaptation
[AC-portal-websvr-newpt] captive-bypass ios optimize enable
[AC-portal-websvr-newpt] quit
# Enable RADIUS session control function.
[AC] radius session-control enable
# Configure Radius CoA function
[AC] radius dynamic-author server
[AC-radius-da-server] client ip <Radius Server IP> key simple <SharedSecret>
You can view the Radius Server IP address and SharedSecret (shared key) in the SASE console under tab.
Step 5: Visitor login
After connecting to the visitor Wi-Fi on a terminal device, you will be automatically redirected to the Portal authentication page. You need to enter your phone number, obtain and enter the verification code from the text message, and then log on. Only after verification is successful can you access enterprise internal applications.
Step 6: View visitor logs
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose .
On the tab, view the visitor network authentication status.
Scenario 4: Dumb terminal network access
Dumb terminals can access the enterprise office environment through either wired or wireless networks. You need to first add the dumb terminal in the SASE console, and then configure network access in the local switch.
Step 1: Add dumb terminals
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose .
In the list on the left, select Dumb Terminal. Based on your business needs, you can choose Add Terminal or Import Devices.

Add Terminal: In the Add Terminal panel, enter the terminal's MAC Address, MAC Address Mask, Device Vendor, Device Name, Device Type, and other information, and click OK.
Import Devices: In the Import Devices dialog box, click Download Import Template, fill in the device information, click Upload Local File, and after the upload is complete, click OK.
Step 2: Access configuration
The network access configuration method differs depending on whether the dumb terminal device supports wireless networks or wired networks.
Supporting wireless networks: You can refer to the configuration process in Scenario 1: Employee wireless network access.
Supporting wired networks: You can refer to the configuration process in Scenario 2: Employee wired network access.
Dumb terminal devices do not require certificate management and SASE client installation, so these steps can be skipped.
Step 3: View dumb terminal authentication logs
In the navigation pane on the left, choose .
On the tab, view the network authentication status of dumb terminal devices.