FAQ- The IPv4 ACL delivered dynamically from the RADIUS server does not take effect for a MAC authenticated user

Publication Date: 2017-05-31
Issue Description

The dynamic IPv4 ACL delivered from the RADIUS server does not take effect for a MAC authenticated terminal that has IPv6 enabled along with IPv4, even though the authentication is successful. The ACL status is “Ineffective”.



Solution

When IPv6 is enabled on the terminal, the MAC authentication process can be triggered by a DHCPv6 request packet. In that case the switch flags the user as an IPv6 client when creating the access table, so the IPv4 ACL is not applied. This can happen because, by default, the switch triggers MAC authentication when it receives a DHCP, ARP, DHCPv6, or ND packet.

 

To solve the problem, use the authentication trigger-condition dhcp arp command in the system view so that only ARP and DHCP packets trigger MAC authentication.

 

Example

# Configure the device to trigger MAC address authentication only through DHCP and ARP packets.

<HUAWEI> system-view

[HUAWEI] authentication trigger-condition dhcp arp
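To check which switches can still have MAC authentication triggered by IPv6 packets, saved configurations can be audited for this command. The script below is an added example, not Huawei code. It assumes the command appears in the saved configuration as the single line shown above and that the keywords for the IPv6 triggers are dhcpv6 and nd. The device names and configuration text are constructed samples.

```python
# Added example: audit saved switch configurations for the MAC authentication
# trigger condition described in this FAQ. Sample data below is constructed.

# Default trigger packet types per the FAQ: DHCP, ARP, DHCPv6, ND.
DEFAULT_TRIGGERS = frozenset({"dhcp", "arp", "dhcpv6", "nd"})
# Triggers that can cause a dual-stack terminal to be flagged as an IPv6 client.
IPV6_TRIGGERS = frozenset({"dhcpv6", "nd"})
COMMAND = "authentication trigger-condition"


def effective_triggers(config_text):
    """Return the packet types that can trigger MAC authentication.

    If the command is absent, the default set applies. If it appears more
    than once, the last occurrence is used. Lines starting with "undo" are
    not matched (assumption: they never appear in a saved configuration).
    """
    triggers = set(DEFAULT_TRIGGERS)
    for line in config_text.splitlines():
        stripped = " ".join(line.split()).lower()
        if stripped.startswith(COMMAND + " "):
            triggers = set(stripped[len(COMMAND):].split())
    return triggers


def audit(configs):
    """Map device name -> sorted IPv6 triggers still enabled (empty list = OK)."""
    return {
        name: sorted(effective_triggers(text) & IPV6_TRIGGERS)
        for name, text in configs.items()
    }


# Constructed sample configurations (hypothetical device names).
SAMPLE_CONFIGS = {
    "sw-access-01": "sysname sw-access-01\n#\nauthentication trigger-condition dhcp arp\n#\n",
    "sw-access-02": "sysname sw-access-02\n#\n",  # command absent: defaults apply
    "sw-access-03": "sysname sw-access-03\n#\nauthentication trigger-condition dhcp arp dhcpv6\n#\n",
}

if __name__ == "__main__":
    for device, ipv6 in audit(SAMPLE_CONFIGS).items():
        status = "OK" if not ipv6 else "IPv6 triggers enabled: " + ", ".join(ipv6)
        print(f"{device}: {status}")
```

A device reported with IPv6 triggers enabled is one where a dual-stack terminal may be registered as an IPv6 client, leaving the RADIUS-delivered IPv4 ACL ineffective.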

 
