CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configuration of security features, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separation of the management plane from the service plane, and security risks.
Configuration Notes

Involved Network Elements

Table 3-1  Components involved in NAC networking

| Component | Product Model | Description |
|---|---|---|
| AAA server | Huawei servers or third-party AAA servers | Performs authentication, accounting, and authorization on users. |
| Portal server | Huawei servers or third-party Portal servers | Receives authentication requests from Portal clients, provides free portal services and an interface based on web authentication, and exchanges authentication information of the authentication clients with access devices. This component is required only in external Portal authentication mode. |

License Support

NAC common mode is a basic feature of a router and is not under license control.

Feature Dependencies and Limitations

  • When the RADIUS server authorizes an ACL for NAC authentication users, the authorized ACL can support a maximum of 16 ACL rules. If more than 16 ACL rules are configured on the device, only the first 16 rules take effect.

  • You can run the display access-user user-id command to view rate limiting parameter values delivered by the RADIUS server. If only the CIR value for rate limiting is set on the RADIUS server and other rate limiting parameter values (CBS or PBS value) are not set, the access control device obtains other parameter values based on empirical value verification.

    The parameter values obtained by the access control device after it verifies rate limiting parameters delivered by the RADIUS server differ from those obtained by the device after it verifies rate limiting parameters delivered by the QoS profile.

  • If a terminal uses Portal authentication or combined authentication (including Portal authentication), the device cannot grant VLAN-based authorization to the terminal. If a terminal obtains VLAN-based authorization, you need to manually trigger the DHCP process to request an IP address.
  • If a terminal has both IPv4 and IPv6 addresses, only the IPv4 address can be used for user detection and update of the user entry corresponding to the IPv6 address. The IPv6 address cannot be used for update of the user entry corresponding to the IPv4 address.
  • In the Portal authentication scenario, users may use spoofed IP addresses for authentication, which poses security risks. It is recommended that you configure attack defense functions such as IPSG and DHCP snooping to avoid these risks.
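
Because rules beyond the sixteenth in a RADIUS-authorized ACL do not take effect, a trailing deny rule can be silently lost. The following added example (not part of the Huawei guide) audits an exported configuration for such rules; the sample configuration is constructed, and reading "first 16" as ascending rule ID is an assumption.

```python
import re

MAX_AUTHORIZED_RULES = 16  # limit stated in the configuration notes above

# Constructed sample (not from the page): ACL 3001 holds 16 permits plus
# two trailing deny rules; ACL 3002 is well under the limit.
SAMPLE_CONFIG = (
    "acl number 3001\n"
    + "".join(f" rule {i * 5} permit ip destination 10.0.{i}.0 0.0.0.255\n"
              for i in range(1, 17))
    + " rule 85 deny ip destination 10.9.0.0 0.0.255.255\n"
    + " rule 90 deny ip\n#\n"
    + "acl number 3002\n rule 5 permit ip\n#\n"
)

ACL_RE = re.compile(r"^acl\s+(?:number\s+(\d+)|name\s+(\S+))", re.I)
RULE_RE = re.compile(r"^\s+rule\s+(\d+)\s+(permit|deny)\b(.*)$", re.I)

def parse_acls(config):
    """Return {acl_id: [(rule_id, action, match_text), ...]}."""
    acls, current = {}, None
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            current = m.group(1) or m.group(2)
            acls[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            acls[current].append(
                (int(m.group(1)), m.group(2).lower(), m.group(3).strip()))
        elif not line.startswith(" "):
            current = None  # left the ACL view ("#" or another section)
    return acls

def ignored_rules(config, limit=MAX_AUTHORIZED_RULES):
    """Return {acl_id: rules that fall beyond the first `limit` rules}."""
    report = {}
    for acl, rules in parse_acls(config).items():
        ordered = sorted(rules)  # assumption: "first" means lowest rule ID
        if len(ordered) > limit:
            report[acl] = ordered[limit:]
    return report

if __name__ == "__main__":
    for acl, rules in ignored_rules(SAMPLE_CONFIG).items():
        for rule_id, action, match in rules:
            note = " (deny never applied)" if action == "deny" else ""
            print(f"acl {acl}: rule {rule_id} {action} {match} ignored{note}")
```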
Updated: 2019-05-25

Document ID: EDOC1000097287
