S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
(Optional) Configuring Authorization Information for Authentication-free Users

Context

Before being authenticated, users need some network access rights to meet basic requirements such as downloading the 802.1X client and updating the antivirus database. The device uses an authentication-free rule profile to manage authorization information for authentication-free users in one place. You define network access rules in the profile to determine which access rights authentication-free users can obtain. You then bind the configured authentication-free rule profile to an authentication profile; users that use that authentication profile can then obtain the authentication-free authorization information.

NOTE:
  • When multiple authentication-free rules are configured simultaneously, the system matches the rules one by one.
  • If you specify both the VLAN ID and interface number in an authentication-free rule, the interface must belong to the VLAN. Otherwise, the rule is invalid.
  • If the destination port number is configured in an authentication-free rule, fragments cannot match the rule and packets cannot be forwarded.
  • An authentication-free rule can only be added or deleted, but cannot be dynamically modified. Before modifying a specified rule, you must run the undo free-rule command to delete the current rule and then reconfigure the rule.
  • No authentication-free rule needs to be configured for DHCP, CAPWAP, ARP, and HTTP packets before user authentication, because these packets can be forwarded directly. Authentication-free rules must be configured for all other packets that need to be forwarded. Packets that are processed locally by the device do not require authentication-free rules.
    • DHCP packet: If authentication and DHCP are enabled on an interface, authentication can be triggered by DHCP packets and the switch acts as the DHCP relay or DHCP server to forward or process DHCP packets. If only authentication is configured on the interface and the DHCP function is not configured, authentication can be triggered by DHCP packets and the switch broadcasts the DHCP packets.
    • CAPWAP packet: CAPWAP packets are classified into control packets and data packets. Generally, NAC is still effective for CAPWAP data packets after they are decapsulated, and the authentication-free rule takes effect (except for ARP and DHCP packets that are encapsulated in CAPWAP data packets). CAPWAP control packets are sent to the CPU for processing (for example, in SVF and wireless scenarios). If authentication is enabled on the physical interface connected to an AP, you need to configure an authentication-free rule to transmit packets from the management VLAN. In this scenario, the server may be overloaded by repeated re-authentication, so this scenario is not recommended.
    • ARP packet: No authentication-free rule needs to be configured for ARP packets, which can be directly processed or forwarded.
    • HTTP packet: If Portal authentication is enabled on an interface and the destination URL of HTTP packets is not the URL of the Portal server, the switch redirects HTTP packets to the Portal server for authentication.

During Portal authentication configuration, you need to configure the device to allow packets to the DNS server to pass through before Portal authentication succeeds. Assume that the IP address of the DNS server is 10.1.1.1. Configure the free-rule 1 destination ip 10.1.1.1 mask 32 command in the authentication-free rule profile.

Prerequisites

When configuring authentication on a physical interface, you must run the authentication pre-authen-access enable command to enable the pre-connection function.

Procedure

  1. Configure an authentication-free rule profile.

    1. Run system-view

      The system view is displayed.

    2. Run free-rule-template name free-rule-template-name

      An authentication-free rule profile is created and the authentication-free rule profile view is displayed.

      By default, the device has a built-in authentication-free rule profile named default_free_rule.

      NOTE:

      Currently, the device supports only one authentication-free rule profile, that is, the built-in profile default_free_rule.

    3. Run free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } [ tcp destination-port port | udp destination-port port ] | any } } | source { any | { interface interface-type interface-number | ip { ip-address mask { mask-length | ip-mask } | any } | vlan vlan-id } * } } *

      A common authentication-free rule is configured.

      By default, no authentication-free rule is configured for NAC authentication users.

    4. Run quit

      Return to the system view.

  2. The authentication-free rule profile takes effect for all users after it is created in the system view.
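The following is an added, complete walk-through of the procedure above on the built-in default_free_rule profile; it is not taken from the original page. It assumes a DNS server at 10.1.1.1 (the address used in the context above), an antivirus update server at 10.1.2.20 listening on TCP port 8080, and an 802.1X client download server at 10.1.2.30 reachable only by clients in VLAN 10. These server addresses, the port, the VLAN ID and the view prompts are placeholders chosen for illustration.

```text
<HUAWEI> system-view
# Enter the built-in profile (the device supports only this one profile)
[HUAWEI] free-rule-template name default_free_rule
# Rule 1: let unauthenticated users reach the DNS server (required for Portal authentication)
[HUAWEI-free-rule-default_free_rule] free-rule 1 destination ip 10.1.1.1 mask 32
# Rule 2: antivirus database updates. Because a destination port is given,
# IP fragments will not match this rule and will be dropped.
[HUAWEI-free-rule-default_free_rule] free-rule 2 destination ip 10.1.2.20 mask 32 tcp destination-port 8080
# Rule 3: 802.1X client download, restricted to sources in VLAN 10
[HUAWEI-free-rule-default_free_rule] free-rule 3 source vlan 10 destination ip 10.1.2.30 mask 32
# A rule cannot be modified in place. To change rule 2 to UDP port 8080,
# delete it first and then re-add it with the new parameters.
[HUAWEI-free-rule-default_free_rule] undo free-rule 2
[HUAWEI-free-rule-default_free_rule] free-rule 2 destination ip 10.1.2.20 mask 32 udp destination-port 8080
[HUAWEI-free-rule-default_free_rule] quit
```

Rules are matched one by one, so keep the set as small as the pre-authentication use cases require; every destination opened here is reachable by any device that has not yet authenticated. The placeholder interface names and prompts above are illustrative; HTTP traffic needs no rule because Portal-enabled interfaces redirect it to the Portal server as described in the note above.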

(Optional) Configuring Voice Terminals to Go Online Without Authentication

Context

In a scenario in which both data terminals (such as PCs) and voice terminals (such as IP phones) connect to an access switch, the administrator only requires identity authentication for the data terminals and allows the voice terminals to connect to the network without identity authentication. The administrator can configure authentication-free authorization information for the voice terminals after completing the NAC configuration. The switch then performs identity authentication for only the data terminals and allows the voice terminals to go online without authentication.

NOTE:

If an 802.1X user initiates authentication through a voice terminal, a device preferentially processes the authentication request. If the authentication succeeds, the terminal obtains the corresponding network access rights. If the authentication fails, the device identifies the terminal type and enables the terminal to go online without authentication.

Pre-configuration Tasks

To enable the switches to identify the voice terminals, enable LLDP or configure OUI for the voice VLAN on the switches. For details, see "Configuring Basic LLDP Functions" in "LLDP Configuration" in the S600-E V200R010C00 Configuration Guide - Network Management and Monitoring or "Configuring a Voice VLAN Based on a MAC Address" in "Voice VLAN Configuration" in the S600-E V200R010C00 Configuration Guide - Ethernet Switching. If a voice device supports only CDP and does not support LLDP, configure CDP-compatible LLDP on the switch using the lldp compliance cdp receive command.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure authorization parameters.

    • Service scheme

      1. Run aaa

        The AAA view is displayed.

      2. Run service-scheme service-scheme-name

        A service scheme is created and the service scheme view is displayed.

        By default, no service scheme is configured on the device.

      3. Run user-vlan vlan-id

        A user VLAN is configured in the service scheme.

        By default, no user VLAN is configured in a service scheme.

        Before running this command, ensure that a VLAN has been created using the vlan command.

      4. Run voice-vlan

        The voice VLAN function is enabled in the service scheme.

        By default, the voice VLAN function is disabled in a service scheme.

        For this configuration to take effect, ensure that a VLAN has been specified as the voice VLAN using the voice-vlan enable command and the voice VLAN function has been enabled on the interface.

      5. Run quit

        The AAA view is displayed.

      6. Run quit

        The system view is displayed.

  3. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  4. Run authentication device-type voice authorize [ service-scheme scheme-name ]

    The device is configured to allow voice terminals to go online without authentication.

    By default, the device does not allow voice terminals to go online without authentication.

    NOTE:

    If you run this command repeatedly, the latest configuration overrides the previous ones.
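The following is an added end-to-end example of the procedure above together with its pre-configuration tasks; it is not taken from the original page. It assumes VLAN 100 is the voice VLAN, that the access interface is GigabitEthernet 0/0/1, and that the interface-view forms lldp enable and voice-vlan 100 enable are the commands the page refers to as enabling LLDP and "voice-vlan enable"; those forms, the VLAN ID, the interface name, the scheme and profile names and the prompts are assumptions made for illustration.

```text
<HUAWEI> system-view
# Pre-configuration: create the voice VLAN and enable LLDP so the switch can identify IP phones
[HUAWEI] vlan 100
[HUAWEI-vlan100] quit
[HUAWEI] lldp enable
[HUAWEI] interface gigabitethernet 0/0/1
# Mark VLAN 100 as the voice VLAN on the access interface (assumed interface-view syntax)
[HUAWEI-GigabitEthernet0/0/1] voice-vlan 100 enable
# Only needed when the phones speak CDP but not LLDP
[HUAWEI-GigabitEthernet0/0/1] lldp compliance cdp receive
[HUAWEI-GigabitEthernet0/0/1] quit
# Step 2: authorization parameters in a service scheme
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme voice_scheme
[HUAWEI-aaa-service-voice_scheme] user-vlan 100
[HUAWEI-aaa-service-voice_scheme] voice-vlan
[HUAWEI-aaa-service-voice_scheme] quit
[HUAWEI-aaa] quit
# Steps 3-4: let identified voice terminals go online without authentication,
# authorized by the scheme above (running the command again replaces this setting)
[HUAWEI] authentication-profile name dot1x_profile
[HUAWEI-authentication-profile-dot1x_profile] authentication device-type voice authorize service-scheme voice_scheme
[HUAWEI-authentication-profile-dot1x_profile] quit
```

Terminal identification is the security boundary here: a device is exempted only because LLDP or the voice VLAN OUI classifies it as a voice terminal, and it is then placed in VLAN 100 by the service scheme, so the voice VLAN should carry only the access that phones actually need.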

Updated: 2019-08-21

Document ID: EDOC1000141885