WLAN Product Interoperation Configuration Guide

Configuring MAC Address Authentication

This section describes operations and precautions for configuring MAC address authentication.

Scenario Description

MAC address authentication controls terminal network access permission based on the device interface and terminal MAC address. When a terminal connects to the network, the access control device automatically detects the terminal MAC address and sends the MAC address as the account and password to the RADIUS server for identity authentication. The RADIUS server instructs the access control device to grant network access permission to the end user only after the user identity is verified on the RADIUS server. MAC address authentication applies to scenarios where dumb terminals such as printers and IP phones cannot be authenticated using user names and passwords or scenarios where only terminal MAC addresses but not user names and passwords need to be verified due to special requirements. These terminals cannot trigger identity authentication and need to wait until the access control device sends authentication requests to the RADIUS server to connect to the network.

Task Overview

Procedure

  1. Configure the access control device.

    • Function

      In MAC address authentication, the access control device sends authentication requests to the RADIUS server. Therefore, configurations related to RADIUS authentication must be performed on the access control device.

    • Entrance

      Log in to the CLI of the access control device through the console port or using SSH.

    • Key configuration description

      See configuration examples for MAC address authentication.

  2. Add the access control device on the Agile Controller-Campus.

    • Function

      The Agile Controller-Campus can work with the access control device only after the device is added to the Agile Controller-Campus and interconnection parameters on the Agile Controller-Campus and device are the same.

    • Entrance

      Choose Resource > Device > Device Management.

    • Key configuration description
      • Authentication/Accounting key: The value is the same as the value configured using the radius-server shared-key command in the RADIUS template.
      • Authorization key: The value is the same as the value configured using the radius-server authorization 172.18.1.1 shared-key cipher Admin@123 command in the system view.
      • Real-time accounting interval: The value is the same as the value configured using the accounting realtime command in the accounting template.

  3. Add terminals to be authenticated using MAC address authentication.

    • Function

      In MAC address authentication, the identity of a terminal is verified using the terminal MAC address. The terminal can be authenticated only after it is manually added to the terminal list.

    • Entrance
      1. Choose Resource > Terminal > Terminal List.
      2. In the Device Group list, choose the first node and click Add on the right to add a device group to be authenticated using MAC address authentication.
      3. In the Device Group list, click the created device group and add terminals to be authenticated using MAC address authentication on the right.
        • Add terminals one by one.

          Click the Device List tab to add the terminals one by one.

        • Add terminals in a batch.

          Click the Device Group List tab and click Import to add the terminals in a batch.

    • Key configuration description

      Parameter: Terminal Type
      Description:
      • Unknown type: default value, indicating devices that have not yet been identified. The Agile Controller-Campus continues trying to identify such devices.
      • Fixed terminal: wired access devices, such as desktop computers.
      • Mobile terminal: wireless access devices, such as tablets.
      • Dumb terminal: devices that provide fewer functions than PCs, do not have processors or disks, and need to connect to hosts to process services, such as printers and VoIP phones.

      Parameter: Statically Assigned Policy
      Description:
      • Enable: The Agile Controller-Campus identifies devices using only the policies set in Matched Policy. If you know the device types, you can statically assign policies to improve the device identification ratio and accuracy.
      • Disable: The Agile Controller-Campus automatically selects policies to identify devices. Disable is the default value and applies when you do not know the device types.

        The Agile Controller-Campus matches the collected device information with the rules in the rule database. If the device matches a rule, the Agile Controller-Campus queries all identification policies that contain this rule and calculates a score for each policy based on the device information. The policy with the highest score is the identification result.

      Parameter: Matched Policy
      Description: You need to set a policy name when Statically Assigned Policy is enabled. Resource > Terminal > Identification Policy displays all policy names.

      Parameter: User-Defined Device Group
      Description:
      • Enable: The Agile Controller-Campus adds devices to the device groups you specify. If you know the device types, you can set the User-Defined Device Group parameter to add devices to groups accurately.
      • Disable: The Agile Controller-Campus automatically identifies device types and adds the devices to groups. Disable is the default value and applies when you do not know the device types.

      Parameter: Device Group
      Description: You need to set a group name when User-Defined Device Group is enabled. Resource > Terminal > Terminal List displays all group names.

      Parameters: XMPP server IP, Pool type, Pool name
      Description: These three parameters apply in the following scenario: Terminals connect to a network through MAC address authentication, and a switch functions as the DHCP server to allocate IP addresses to the terminals. The administrator requires that the switch allocate a fixed IP address to each authenticated terminal. To achieve this, the administrator creates bindings between MAC addresses and IP addresses on the Agile Controller-Campus, which delivers the binding relationships to the switch through XMPP.

      • XMPP server IP: Specifies the IP address of the gateway to which terminals connect. These parameters are available only when the switch functions as the DHCP server.
      • Pool type and Pool name must be the same as those configured on the switch.
        • If Pool type is set to Interface pool, enter vlanif followed by the interface number (the VLANIF interface name).
        • If Pool type is set to Global pool, enter the name of the global address pool.

      For details, see Example for Configuring MAC and IP Address Binding for Dumb Terminals and Deploying Them in Centralized Mode.

  4. Configure an authentication rule.

    • Function

      In MAC address authentication, users do not need to enter their user names and passwords for authentication. The service type used in MAC address authentication differs from that used in common authentication modes. Therefore, the default authentication rule cannot be used and an authentication rule needs to be configured separately.

    • Entrance

      Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule.

    • Key configuration description

      Choose MAC Bypass Authentication Service for Service Type.

  5. Configure an authorization rule.

    • Function

      The Agile Controller-Campus grants network access permission to terminals using an authorization rule. The default authorization rule does not apply to MAC address authentication and an authorization rule needs to be configured separately.

    • Entrance

      Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule.

    • Key configuration description
      • When adding an authorization rule, choose MAC Bypass Authentication Service for Service Type.
      • According to the rule priority, the Agile Controller-Campus matches terminal access information with authorization conditions of the authorization rule. When access information about a terminal matches all authorization conditions of an authorization rule, the Agile Controller-Campus grants permission defined by the authorization result of the authorization rule to the terminal.

  6. A terminal accesses the network.

    After a terminal connects to the network, authentication is performed automatically. After passing the authentication, the terminal can access resources in the post-authentication domain.

    After the terminal is authenticated successfully:
    • Run the display access-user command on the device. Online information about the terminal MAC address is displayed.
    • On the Service Manager, choose Resource > User > Online User Management. Online information about the terminal is displayed.
    • On the Service Manager, choose Resource > User > RADIUS Log. The RADIUS authentication logs of the terminal are displayed.
    If the terminal fails to be authenticated, create a common account on the Agile Controller-Campus, log in to the device, and run the test-aaa user-name user-password radius-template template-name pap command to test whether the account can pass RADIUS authentication.
    • If the system displays the message "Info: Account test succeed", the account can pass RADIUS authentication and the fault lies in the access authentication phase. Check the network connection between the terminal and the access control device.
    • If the system displays the message "Error: Account test time out", the account cannot pass RADIUS authentication and the fault lies in the RADIUS authentication phase. Check whether the RADIUS server interconnection parameters configured on the Agile Controller-Campus are consistent with those on the access control device.

    The test-aaa command only tests whether users can pass RADIUS authentication; the RADIUS accounting interaction is not involved. Therefore, after running the test-aaa command, you can view RADIUS logs but cannot view user online information on the Agile Controller-Campus.

Example

The following example describes how to import MAC address authentication terminals in a batch.
  • How to Fill in the Excel File When You Do Not Know Device Details

    When you do not know the device details, fill in only the MAC address and the device group, setting Device Group List to Unknown Device List.

  • How to Fill in the Excel File When You Know Device Details

    When you know the device details, you can manually configure an identification policy to improve the identification ratio and accuracy. The Agile Controller-Campus identifies the device based on the configured identification policy.

    In this case, specify Endpoint MAC, set Statically Assigned Policy to Enable, enter the name of the identification policy in Matched Policy, and set Device Group List to Unknown Device List. The Agile Controller-Campus automatically adds the device to a device group.

  • How to Fill in the Excel File When You Manually Add the Device to a Specified Device Group

    By default, the Agile Controller-Campus classifies devices into groups based on the device types. You can also manually add a device to a specified device group.

    In this case, specify Endpoint MAC, set User-Defined Device Group to Enable, and enter the name of a specific device group in Device Group List.

  • How to Fill in the Excel File When You Need to Mark the Device Access Location

    You can use the IP address and connected interface of a device to rapidly locate the device when a fault occurs.

    In this case, specify Endpoint MAC, Access Device IP Address, and Access Device Port, and set Device Group List to Unknown Device List.
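The following is an added example, not a tool from Huawei or from this guide: a small Python helper that builds the import rows for the four cases listed above and checks them for the inconsistencies the controller would otherwise reject (a statically assigned policy with no policy name, a user-defined group that is still Unknown Device List, an access location with only one of IP address and port, duplicate MACs). Assumptions, to be checked against the template exported from Resource > Terminal > Terminal List before use: the column headers are exactly the field names used on this page, the value Unknown Device List is accepted in Device Group List, MAC addresses are accepted in the XXXX-XXXX-XXXX form, and CSV output is converted to the Excel template format by the administrator. All policy, group, address and port values in the sample are constructed.

```python
"""Added example (not Huawei's code): build and sanity-check rows for the batch
import of MAC-authentication terminals. Column headers and accepted value
formats are assumptions; verify them against the exported template."""
import csv
import io
import ipaddress
import re

COLUMNS = [
    "Endpoint MAC", "Statically Assigned Policy", "Matched Policy",
    "User-Defined Device Group", "Device Group List",
    "Access Device IP Address", "Access Device Port",
]
UNKNOWN_GROUP = "Unknown Device List"  # assumed default group value


def normalize_mac(mac: str) -> str:
    """Accept 00:1a:2b:3c:4d:5e, 00-1A-2B-3C-4D-5E, 001a.2b3c.4d5e or 001a2b3c4d5e
    and return the XXXX-XXXX-XXXX form; reject anything that is not 12 hex digits."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def _row(mac: str, **fields) -> dict:
    row = {c: "" for c in COLUMNS}
    row["Endpoint MAC"] = normalize_mac(mac)
    row["Device Group List"] = UNKNOWN_GROUP
    row.update(fields)
    return row


def row_unknown_device(mac: str) -> dict:
    """Case 1: nothing known about the device; let the controller identify it."""
    return _row(mac)


def row_with_policy(mac: str, policy_name: str) -> dict:
    """Case 2: device type known; pin an identification policy."""
    return _row(mac, **{"Statically Assigned Policy": "Enable", "Matched Policy": policy_name})


def row_in_group(mac: str, group_name: str) -> dict:
    """Case 3: place the device in a specific group instead of auto-classifying."""
    return _row(mac, **{"User-Defined Device Group": "Enable", "Device Group List": group_name})


def row_with_location(mac: str, access_ip: str, access_port: str) -> dict:
    """Case 4: record where the device is connected, for fault location."""
    return _row(mac, **{"Access Device IP Address": str(ipaddress.ip_address(access_ip)),
                        "Access Device Port": access_port})


def validate(rows: list) -> list:
    """Return a list of problems; an empty list means the sheet is consistent."""
    problems, seen = [], set()
    for n, r in enumerate(rows, start=1):
        mac = r["Endpoint MAC"]
        if mac in seen:
            problems.append(f"row {n}: duplicate MAC {mac}")
        seen.add(mac)
        if r["Statically Assigned Policy"] == "Enable" and not r["Matched Policy"]:
            problems.append(f"row {n}: Statically Assigned Policy enabled without Matched Policy")
        if r["User-Defined Device Group"] == "Enable" and r["Device Group List"] in ("", UNKNOWN_GROUP):
            problems.append(f"row {n}: User-Defined Device Group enabled without a specific group")
        if bool(r["Access Device IP Address"]) != bool(r["Access Device Port"]):
            problems.append(f"row {n}: access location needs both IP address and port")
    return problems


def to_csv(rows: list) -> str:
    """Serialize the rows with the assumed header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample data, one row per case from the example above.
SAMPLE_ROWS = [
    row_unknown_device("00:1a:2b:3c:4d:5e"),
    row_with_policy("001a-2b3c-4d5f", "Printer-Identification"),
    row_in_group("00-1A-2B-3C-4D-60", "IP Phones"),
    row_with_location("001a.2b3c.4d61", "10.0.0.1", "GigabitEthernet0/0/1"),
]

if __name__ == "__main__":
    for problem in validate(SAMPLE_ROWS):
        print("problem:", problem)
    print(to_csv(SAMPLE_ROWS))
```

Normalizing the MAC before writing it matters more than it looks: the same terminal written once with colons and once with hyphens would otherwise slip past a plain duplicate check and end up as two entries, one of which may never match the MAC the access control device actually sends.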

Updated: 2019-03-30

Document ID: EDOC1000113779