
CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Configuring MAC Address Authentication

MAC address authentication controls a user's network access right based on the user's access interface and MAC address. The user does not need to install any client software. The MAC address of the user device is used as the user name and password. When the network access device detects the user's MAC address for the first time, it starts authenticating the user.

NOTE:

The device working in fat AP mode does not support the combination of WEP and MAC address authentication.

Layer 3 Ethernet interfaces (including logical Layer 3 interfaces) do not support MAC address authentication. In this document, MAC address authentication enabled interfaces refer to Layer 2 Ethernet interfaces.

Prerequisites

MAC address authentication only provides a user authentication solution. To implement this solution, the AAA function must also be configured. Therefore, the following tasks must be completed before you configure MAC address authentication:

  • Configuring the authentication domain and AAA scheme on the AAA client.
  • Configuring the user name and password on the RADIUS or HWTACACS server if RADIUS or HWTACACS authentication is used.
  • Configuring the user name and password manually on the network access device if local authentication is used.

For the configuration of AAA client, see AAA Configuration in the Huawei AR Series IOT Gateway Configuration Guide - Security.

Enabling MAC Address Authentication

Context

The MAC address authentication configuration takes effect on an interface only after MAC address authentication is enabled globally and on the interface.

Once MAC address authentication is enabled on an interface, it cannot be disabled while users who logged in through MAC address authentication are still online on that interface.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    mac-authen

    Global MAC address authentication is enabled.

    By default, global MAC address authentication is disabled.

  3. Enable MAC address authentication on an interface in the system or interface view.

    In the system view:

    1. Run:

      mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> 

      MAC address authentication is enabled on the interface.

    In the interface view:

    1. Run:

      interface interface-type interface-number

      The interface view is displayed.

    2. Run:

      mac-authen

      MAC address authentication is enabled on the interface.

    By default, MAC address authentication is disabled on an interface.

(Optional) Configuring the User Name Format

Context

MAC address authentication uses the following user name formats:
  • MAC address: When the MAC address is used as the user name for MAC address authentication, the password can be the MAC address or a self-defined character string.
  • Fixed user name: Regardless of their MAC addresses, all users share one fixed user name and password specified by the administrator as their identity for authentication. Many users may be authenticated on the same interface; in this case all users requiring MAC address authentication on the interface use the same fixed user name, and only one user account needs to be configured on the server to authenticate them all. This is applicable to a network environment with reliable access clients.
NOTE:

If configured in the system view, the user name format applies to all interfaces; if configured in the interface view, it applies to that interface only. If both are configured, the user name format configured in the interface view takes precedence.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configure the user name format in the system or interface view.
    1. Run:

      interface interface-type interface-number

      The interface view is displayed. Skip this step if you configure the user name format directly in the system view.

    2. Run:

      mac-authen username { fixed username [ password cipher password ] | macaddress [ format { with-hyphen | without-hyphen } [ password cipher password ] ]  }

      The user name format is set for MAC address authentication.

      By default, the MAC address without hyphens (-) is used as the user name and password for MAC address authentication.

      NOTE:

      When the user name format in MAC address authentication is configured, ensure that the authentication server supports this format.
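The following session, added here as an illustration and not taken from the Huawei guide, combines the two procedures above: it enables MAC address authentication globally and on a range of interfaces, sets the user name format globally to the MAC address with hyphens, and overrides it on one interface with a fixed account. The interface names, the fixed user name and the password are constructed placeholders; lines starting with # are annotations rather than commands, and prompts are shown as they would appear on a device named Huawei.

```text
<Huawei> system-view
# Enable MAC address authentication globally first; interface settings take effect only after this
[Huawei] mac-authen
# Enable it on GE0/0/1 to GE0/0/4 from the system view (assumed interface names)
[Huawei] mac-authen interface gigabitethernet 0/0/1 to 0/0/4
# Global user name format: the MAC address with hyphens is both user name and password,
# so the authentication server needs one account per device MAC address
[Huawei] mac-authen username macaddress format with-hyphen
# Interface override: every device on GE0/0/5 authenticates with one fixed account
# (constructed name and placeholder password); the interface setting takes precedence
[Huawei] interface gigabitethernet 0/0/5
[Huawei-GigabitEthernet0/0/5] mac-authen
[Huawei-GigabitEthernet0/0/5] mac-authen username fixed printers-shared password cipher PLACEHOLDER_PASSWORD
[Huawei-GigabitEthernet0/0/5] quit
# Confirm which interfaces are enabled and which user name format each one uses
[Huawei] display mac-authen interface gigabitethernet 0/0/1 to 0/0/5
```

With the macaddress format, the credential is the device MAC address, which is visible on the wire, so MAC address authentication identifies a device rather than proving possession of a secret. The fixed account removes even the per-device distinction, which is why the guide limits it to environments with reliable access clients; a server-side account created for the fixed user name should carry only the authorization those clients actually need.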

(Optional) Configuring the User Authentication Domain

Context

When the MAC address or the fixed user name without a domain name is used as the user name in MAC address authentication, the user is authenticated in a default domain if the administrator does not configure an authentication domain. In this case, many users are authenticated in the default domain, making the authentication scheme inflexible.

The authentication domain for the MAC address authentication user can be configured globally or on an interface.
  • When configured globally, the authentication domain is valid for all interfaces.
  • When configured on an interface, the authentication domain is valid for this interface only. The authentication domain configured on the interface takes precedence over the one configured globally. If no authentication domain is configured on the interface, the globally configured authentication domain is used.
NOTE:
  • When the fixed user name is used for MAC address authentication and the authentication domain is specified in the user name, the user is authenticated in the specified authentication domain.

  • Before configuring an authentication domain for the MAC address authentication user, ensure that the authentication domain has been created.

Procedure

  • In the system view:
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      mac-authen domain isp-name [ mac-address mac-address mask mask ]

      The authentication domain is configured for the MAC address authentication user.

      By default, MAC address authentication uses the global default domain.

  • In the interface view:
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. Run:

      mac-authen domain isp-name

      The authentication domain is configured for the MAC address authentication user.

      By default, MAC address authentication uses the global default domain.
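As an added example (not from the Huawei guide), the session below creates three domains in the AAA view and then applies them: one as the global default for MAC address authentication users, one for a constructed MAC address range, and one on a single interface. The domain names, the interface name and the MAC prefix are constructed; the authentication and authorization schemes inside each domain are assumed to be configured already, and the mask is assumed to use the same hexadecimal notation as the MAC address. Lines starting with # are annotations.

```text
<Huawei> system-view
# Domains must exist before mac-authen domain can reference them (see the NOTE above)
[Huawei] aaa
[Huawei-aaa] domain macusers
[Huawei-aaa-domain-macusers] quit
[Huawei-aaa] domain printers
[Huawei-aaa-domain-printers] quit
[Huawei-aaa] domain iot
[Huawei-aaa-domain-iot] quit
[Huawei-aaa] quit
# Global default: MAC address authentication users on any interface go to the macusers domain
[Huawei] mac-authen domain macusers
# Global rule for one address range: MACs matching 0011-2200-0000 under mask ffff-ff00-0000
# (a constructed vendor prefix) are authenticated in the printers domain instead
[Huawei] mac-authen domain printers mac-address 0011-2200-0000 mask ffff-ff00-0000
# Interface-level domain: takes precedence over the global setting on GE0/0/6 only
[Huawei] interface gigabitethernet 0/0/6
[Huawei-GigabitEthernet0/0/6] mac-authen domain iot
[Huawei-GigabitEthernet0/0/6] quit
# Check the resulting per-interface domain assignment
[Huawei] display mac-authen interface gigabitethernet 0/0/6
```

Separate domains let each device class be authenticated and authorized under its own scheme instead of everything landing in the default domain. The guide does not state how a global MAC-range rule ranks against an interface-level domain when both match the same user, so verify the effective domain with display mac-authen before relying on it.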

(Optional) Setting the Maximum Number of Access Users for MAC Address Authentication on an Interface

Context

To limit the number of access users for MAC address authentication on an interface, the administrator can set the maximum number of access users. When the number of access users reaches the limit, new users cannot access the network through the interface.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Set the maximum number of concurrent access users on an interface in the system or interface view.

    • In the system view:

    1. Run:

      mac-authen max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

      The maximum number of access users for MAC address authentication is set on the interface.

    • In the interface view:

    1. Run:

      interface interface-type interface-number

      The interface view is displayed.

    2. Run:

      mac-authen max-user user-number

      The maximum number of access users for MAC address authentication is set on the interface.

    By default, the maximum number of MAC address authentication users on an interface equals the maximum number of MAC address authentication users supported by the device.

(Optional) Setting the Source Address of Offline Detection Packets

Context

The device sends an ARP probe packet to check the user online status. If the user does not respond within a detection period, the device considers that the user is offline.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address

    The source IP address and source MAC address are specified for offline detection packets in a VLAN.

    By default, the source IP address and source MAC address are not specified for offline detection packets in a VLAN.

    You are advised to specify the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets.
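The following added session (not from the Huawei guide) covers the two preceding procedures: it caps the number of MAC address authentication users on several interfaces and sets the source addresses used for offline detection in a VLAN. The interface names, VLAN ID, gateway IP address and gateway MAC address are constructed values; lines starting with # are annotations.

```text
<Huawei> system-view
# Access ports with a single device each: a small limit blocks extra MACs behind an unmanaged switch
[Huawei] mac-authen max-user 2 interface gigabitethernet 0/0/1 to 0/0/4
# A port feeding a shared segment gets a higher limit from the interface view
[Huawei] interface gigabitethernet 0/0/5
[Huawei-GigabitEthernet0/0/5] mac-authen max-user 32
[Huawei-GigabitEthernet0/0/5] quit
# Offline detection probes for VLAN 10 are sourced from the user gateway (constructed
# 10.1.10.1 / 00e0-fc12-3456), as the guide advises, so clients answer them normally
[Huawei] access-user arp-detect vlan 10 ip-address 10.1.10.1 mac-address 00e0-fc12-3456
# Confirm the per-interface limits
[Huawei] display mac-authen interface gigabitethernet 0/0/1 to 0/0/5
```

Leaving max-user at the device-wide default means a single port can consume the whole MAC authentication user pool; sizing the limit to the number of devices expected on each port keeps one port from exhausting the others. Sourcing the ARP probe from the gateway address matters because a probe from an address the client does not recognise may go unanswered, causing online users to be aged out prematurely.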

(Optional) Configuring Timers of MAC Address Authentication

Context

During MAC address authentication, multiple timers control the interactions between access users or devices and the authentication server. You can configure the following timers for MAC address authentication:
  • Re-authentication timer for users in the guest VLAN (guest-vlan reauthenticate-period): After a user is added to the guest VLAN, the device initiates re-authentication for the user at an interval set by this timer. If re-authentication is successful, the user exits the guest VLAN.
  • Offline detection timer (offline-detect): To make sure that a user is online, the device sends a detection packet to the user. If the user does not respond within a detection period, the device considers the user offline.
  • Quiet timer (quiet-period): The device must enter a quiet period after the user fails to be authenticated. During the quiet period, the device does not process authentication requests from the user.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    mac-authen timer { guest-vlan reauthenticate-period interval | offline-detect offline-detect-value | quiet-period quiet-value }

    The timer parameters are set for MAC address authentication.

    By default, guest-vlan reauthenticate-period is set to 60 seconds, offline-detect to 300 seconds, and quiet-period to 60 seconds.

    NOTE:

    Timers for setting guest-vlan reauthenticate-period, offline-detect, quiet-period are enabled by default.

    When the quiet-period timer is set to 0, the quiet function is disabled.

(Optional) Configuring the Quiet Function for MAC Address Authentication

Context

The quiet function for MAC address authentication is enabled on a device by default. When the number of authentication failures of a user reaches the configured maximum (1 by default), the device quiets the MAC authentication user and does not process authentication requests from that user, reducing the impact of attackers on the system.

If a user enters an incorrect user name or password for the first authentication, the user fails the authentication and enters the quiet state because the maximum number of authentication failures is 1. The user cannot immediately initiate reauthentication. To solve this problem, you can run this command to set the maximum number of authentication failures to a value larger than 1.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    mac-authen quiet-times fail-times

    The maximum number of authentication failures within 60 seconds before the device quiets the MAC authentication user is configured.

    By default, the maximum number of authentication failures is 1.
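As an added example (not from the Huawei guide) serving both the timer procedure and the quiet function procedure above, the session below first shows the setting that disables the quiet function and then a hardened alternative. The timer values are constructed and must fall within the device's permitted ranges, which the guide does not list; lines starting with # are annotations.

```text
<Huawei> system-view
# Weak setting: a quiet period of 0 disables the quiet function, so every failed
# authentication attempt from the same MAC is processed immediately
[Huawei] mac-authen timer quiet-period 0

# Hardened alternative: tolerate 3 failures within 60 seconds (so one mistyped fixed
# password does not lock the user out), then ignore the MAC for 120 seconds
[Huawei] mac-authen quiet-times 3
[Huawei] mac-authen timer quiet-period 120
# Age out silent users sooner than the 300-second default so stale sessions are released
[Huawei] mac-authen timer offline-detect 180
# Retry guest-VLAN users every 30 seconds instead of the 60-second default
[Huawei] mac-authen timer guest-vlan reauthenticate-period 30
# Review the effective timers
[Huawei] display mac-authen
```

The quiet timer is the only rate limit the guide describes for failed MAC address authentication, so setting it to 0 hands the authentication server every retry a misbehaving or spoofing device sends. Raising quiet-times above 1 addresses the first-attempt lockout the guide mentions without giving up the quiet period itself; the 60-second failure window is fixed by the quiet-times command and is not separately configurable here.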

(Optional) Configuring Re-authentication for MAC Address Authentication Users

Context

If the administrator modifies user information on the authentication server, parameters such as the user access permission and authorization attribute are changed. If a user has passed MAC address authentication, you must re-authenticate the user to ensure user validity.

After the user goes online, the device saves user authentication information. After re-authentication is enabled for MAC address authentication users, the device sends the saved authentication information of the online user to the authentication server for re-authentication. If the user's authentication information does not change on the authentication server, the user is kept online. If the authentication information has been changed, the user is forced to go offline, and then re-authenticated according to the changed authentication information.

You can configure re-authentication for MAC address authentication users using either of the following methods:
  • Re-authenticate all online MAC address authentication users on a specified interface at an interval.
  • Re-authenticate the online user once with a specified MAC address.

Procedure

  • Re-authenticate all online MAC address authentication users on a specified interface at an interval.
    1. Run:

      system-view

      The system view is displayed.

    2. Enable periodic re-authentication for all online MAC address authentication users on the specified interface in the system or interface view.

      • In the system view:

      1. Run:
        mac-authen reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

        Periodic re-authentication is enabled for all online MAC address authentication users on the specified interface.

      • In the interface view:

      1. Run:
        interface interface-type interface-number

        The interface view is displayed.

      2. Run:
        mac-authen reauthenticate

        Periodic re-authentication is enabled for all online MAC address authentication users on the specified interface.

      3. Run:
        quit

        Return to the system view.

      By default, periodic re-authentication is enabled for all online MAC address authentication users on the specified interface.

    3. (Optional) Set the re-authentication interval for online MAC address authentication users in the system or interface view.

      • In the system view:

      1. Run the mac-authen timer reauthenticate-period reauthenticate-period-value command to set the re-authentication interval for online MAC address authentication users.

      • In the interface view:

      1. Run the interface interface-type interface-number command to enter the interface view.
      2. Run the mac-authen timer reauthenticate-period reauthenticate-period-value command to set the re-authentication interval for online MAC address authentication users.

      The default re-authentication interval for MAC address authentication users in the system view is 1800 seconds, and the default re-authentication interval in the interface view is the same as the re-authentication interval configured in the system view.

  • Configure re-authentication for an online MAC address authentication user with a specified MAC address.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      mac-authen reauthenticate mac-address mac-address

      Re-authentication is enabled for the online MAC address authentication user with the specified MAC address.

      By default, re-authentication for an online MAC address authentication user with a specified MAC address is disabled.
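The session below is an added example (not from the Huawei guide) of both re-authentication methods: periodic re-authentication on a range of interfaces with a global interval, a shorter interval on one interface, and a one-off re-authentication of a single online user. The interface names, intervals and MAC address are constructed; lines starting with # are annotations.

```text
<Huawei> system-view
# Periodic re-authentication on GE0/0/1 to GE0/0/4 from the system view
[Huawei] mac-authen reauthenticate interface gigabitethernet 0/0/1 to 0/0/4
# Global interval: re-check every online user against the server every 15 minutes
# (the default is 1800 seconds)
[Huawei] mac-authen timer reauthenticate-period 900
# A more sensitive port re-authenticates every 5 minutes; the interface value overrides
# the global one for this port only
[Huawei] interface gigabitethernet 0/0/5
[Huawei-GigabitEthernet0/0/5] mac-authen reauthenticate
[Huawei-GigabitEthernet0/0/5] mac-authen timer reauthenticate-period 300
[Huawei-GigabitEthernet0/0/5] quit
# One-off: an account was changed on the server, so force that device (constructed MAC)
# to be re-authenticated now rather than waiting for the next periodic run
[Huawei] mac-authen reauthenticate mac-address 0011-2233-4455
```

Periodic re-authentication bounds how long a user keeps access after its account is disabled or its authorization is reduced on the server, at the cost of additional server load proportional to the number of online users divided by the interval. The one-off form is the operational response when a specific device must be cut off or re-authorized immediately, for example after an authorization change in an incident.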

(Optional) Configuring Web Push

Context

After a user is successfully authenticated, the device forcibly redirects the user to a web page when it receives the first HTTP packet from that user accessing web pages. In addition to pushing advertisement pages, the device can obtain user terminal information from the HTTP packets sent by users and apply the information to other services. Web pages can be pushed in two ways:
  1. URL: pushes the URL corresponding to the web page.
  2. URL template: pushes the URL template. A URL template must be created. The URL template contains the URL of the pushed web page and URL parameters.

Procedure

  1. Configure the URL template.

    1. Run the system-view command to enter the system view.
    2. Run the url-template name template-name command to create a URL template and enter the URL template view.

      By default, no URL template exists on the device.

    3. Run the url [ push-only ] url-string [ ssid ssid ] command to configure the redirection URL corresponding to the Portal server.

      By default, no pushed URL is configured.

    4. Run the url-parameter { ac-ip ac-ip-value | ac-mac ac-mac-value | ap-ip ap-ip-value | ap-mac ap-mac-value | redirect-url redirect-url-value | ssid ssid-value | sysname sysname-value | user-ipaddress user-ipaddress-value | user-mac user-mac-value | user-vlan user-vlan-value} * command to set the parameters carried in the URL.

      By default, a URL does not carry parameters.

    5. Run the url-parameter mac-address format delimiter delimiter { normal | compact } command to set the MAC address format in the URL.

      By default, the MAC address format in URL is XXXXXXXXXXXX.

    6. Run the parameter { start-mark parameter-value | assignment-mark parameter-value | isolate-mark parameter-value } * command to set the characters in the URL.

      By default, the start character is ?, assignment character is =, and delimiter is &.

    7. Run the quit command to return to the system view.
    NOTE:

    If web pages are pushed in URL mode, this step can be skipped.

  2. Configure the Web push function.

    1. Run the aaa command to enter the AAA view.
    2. Run the domain domain-name command to create an AAA domain and enter the AAA domain view.

      The device has two default domains: default and default_admin. The default domain is used by common access users and the default_admin domain is used by administrators.

    3. Run the force-push { url-template template-name | url url-address } command to enable the forcible URL template or URL push function.
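The session below is an added example (not from the Huawei guide) of the URL template method followed by the plain URL method as an alternative. The template name, the URL, the URL parameter names and the domain name are constructed; the domain is assumed to exist already with its authentication scheme configured, and lines starting with # are annotations.

```text
<Huawei> system-view
# Step 1: build the URL template
[Huawei] url-template name welcome-push
# push-only marks this URL as a pushed page rather than a portal redirection target
[Huawei-url-template-welcome-push] url push-only http://portal.example.com/welcome
# Append the user MAC and IP as URL parameters named clientmac and clientip (constructed names)
[Huawei-url-template-welcome-push] url-parameter user-mac clientmac user-ipaddress clientip
# Render the MAC as XX-XX-XX-XX-XX-XX instead of the default XXXXXXXXXXXX
[Huawei-url-template-welcome-push] url-parameter mac-address format delimiter - normal
# Keep the default URL separators explicitly: ?, = and &
[Huawei-url-template-welcome-push] parameter start-mark ? assignment-mark = isolate-mark &
[Huawei-url-template-welcome-push] quit

# Step 2: attach the template to the AAA domain used by MAC address authentication users
[Huawei] aaa
[Huawei-aaa] domain macusers
[Huawei-aaa-domain-macusers] force-push url-template welcome-push
[Huawei-aaa-domain-macusers] quit
[Huawei-aaa] quit

# Alternative: push a fixed URL with no parameters, which needs no template at all
[Huawei] aaa
[Huawei-aaa] domain guests
[Huawei-aaa-domain-guests] force-push url http://portal.example.com/terms
[Huawei-aaa-domain-guests] quit
[Huawei-aaa] quit
```

With the template above, a client whose first HTTP request arrives after authentication would be sent to a URL of the form http://portal.example.com/welcome?clientmac=XX-XX-XX-XX-XX-XX&clientip=A.B.C.D. Because the user's MAC and IP travel in the query string, the pushed page should be served over a path the operator controls and the receiving server should treat those parameters as untrusted client-derived input.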

(Optional) Configuring the User Group Function

Context

In NAC applications, there are many access users but only a limited number of user types. You can create user groups on the device and associate each user group with an ACL, so that users in the same group share the rules in that ACL.

After creating user groups, you can set priorities and VLANs for the user groups, so that users in different user groups have different priorities and network access rights. The administrator can then flexibly manage users.

NOTE:

The user group authorization information delivered by the authentication server takes precedence over the user group authorization information applied in the AAA domain. If the user group authorization information delivered by the authentication server cannot take effect, the user group authorization information applied in the AAA domain cannot be used either. For example, if only user group B is configured on the device and applied in the AAA domain, and the authentication server delivers authorization information for user group A, then neither group A nor group B takes effect. To make the user group authorization information delivered by the authentication server take effect, ensure that this user group is configured on the device. To make the user group authorization information applied in the AAA domain take effect, ensure that the authentication server does not deliver any user group attribute.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    user-group group-name

    A user group is created and the user group view is displayed.

  3. Run:

    acl-id acl-number

    An ACL is bound to the user group.

    By default, no ACL is bound to a user group.

    NOTE:
    • Before running this command, ensure that the ACL has been created using the acl (system view) or acl name command and ACL rules have been configured using the rule command.

    • If a user group contains online users, the ACL bound to the user group cannot be modified or deleted in the system view.

  4. Run:

    user-vlan vlan-id

    The user group VLAN is configured.

    By default, no user group VLAN is configured.

    NOTE:

    Before running this command, ensure that the VLAN has been created using the vlan command.

  5. Run:

    remark { 8021p 8021p-value | dscp dscp-value | exp exp-value | lp lp-value }*

    The user group priority is configured.

    By default, no user group priority is configured.
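The session below is an added example (not from the Huawei guide) of the complete user group procedure, including the prerequisite VLAN and ACL the NOTEs above refer to. The VLAN ID, ACL number, ACL rules, group name and priority values are constructed; the advanced ACL rule syntax used for the prerequisite is assumed from general Huawei ACL configuration, and how the group is applied in the AAA domain or delivered by the server is outside this example. Lines starting with # are annotations.

```text
<Huawei> system-view
# Prerequisite: the VLAN the group will be placed in
[Huawei] vlan 200
[Huawei-vlan200] quit
# Prerequisite: an advanced ACL (3000-3999) that denies the management subnet and permits the rest
[Huawei] acl 3001
[Huawei-acl-adv-3001] rule 5 deny ip destination 10.1.1.0 0.0.0.255
[Huawei-acl-adv-3001] rule 10 permit ip
[Huawei-acl-adv-3001] quit
# The user group itself: ACL, VLAN and priority marking for everyone in the group
[Huawei] user-group contractors
[Huawei-user-group-contractors] acl-id 3001
[Huawei-user-group-contractors] user-vlan 200
[Huawei-user-group-contractors] remark 8021p 2 dscp 10
[Huawei-user-group-contractors] quit
# Verify the group definition and, once users are online, who is in it
[Huawei] display user-group contractors
[Huawei] display access-user user-group contractors
```

Putting the deny rule before the permit-all gives the group a default-allow policy with one carve-out; for a group that should reach only a few services, invert this and end the ACL with an explicit deny so that anything not listed is dropped. Once users of the group are online, the bound ACL cannot be modified or deleted in the system view, so ACL changes for a live group must be planned for a window when its users can be re-authenticated.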

Checking the Configuration

Context

After completing the MAC address authentication configuration, you can run the following commands to check the configured parameters.

Procedure

  • Run the display mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to check the configuration of MAC address authentication.
  • Run the display mac-address { authen | guest } [ interface-type interface-number | vlan vlan-id ] command to check the current authen or guest MAC address entries in the system.
  • Run the display user-group [ group-name ] command to check the user group configuration.
  • Run the display access-user user-group group-name command to check information about online users in a user group.
Updated: 2019-05-25

Document ID: EDOC1000097287