
S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
Configuring a MAC Access Profile

Creating a MAC Access Profile

Context

The device uses MAC access profiles to manage the access configurations of MAC address authentication users in a uniform way. Before configuring MAC address authentication, you need to create a MAC access profile.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run mac-access-profile name access-profile-name

    A MAC access profile is created and the MAC access profile view is displayed.

    By default, the device has the built-in MAC access profile mac_access_profile.

    NOTE:
    • The compatibility profile converted after an upgrade is not counted in the configuration specification. The built-in MAC access profile mac_access_profile can be modified and applied, but cannot be deleted.
    • Before deleting a MAC access profile, ensure that this profile is not bound to any authentication profile.

Configuring the User Name Format for MAC Address Authentication

Context

The following user name formats are available for MAC address authentication:
  • MAC address: A user uses the MAC address as the user name for authentication, and uses the MAC address or a user-defined character string as the password.
  • Fixed user name: All users use a fixed name and password configured on the device for authentication, regardless of their MAC addresses. Only one user account needs to be configured on the authentication server. This method can be used on a network where access clients are reliable.
  • DHCP option: The device uses the DHCP option field obtained from the user, together with a fixed password, in place of the user's MAC address as the identity information for authentication. To use this mode, ensure that the device can trigger MAC address authentication through DHCP packets. For details, see (Optional) Configuring Packet Types That Can Trigger MAC Address Authentication.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run mac-access-profile name access-profile-name

    The MAC access profile view is displayed.

  3. Run mac-authen username { fixed username [ password cipher password ] | macaddress [ format { with-hyphen [ normal ] | without-hyphen } [ uppercase ] [ password cipher password ] ] | dhcp-option option-code { circuit-id | remote-id } * [ separate separate ] [ format-hex ] password cipher password }

    The user name format is configured for MAC address authentication.

    By default, a MAC address without hyphens (-) is used as the user name and password for MAC address authentication.

    NOTE:
    • When configuring the user name format for MAC address authentication, ensure that the authentication server supports the user name format.

    • If MAC address authentication is enabled on a VLANIF interface, an Eth-Trunk, or a port group, and MAC address authentication users use fixed user names, passwords must be configured. If MAC address authentication is enabled in a port group and MAC addresses are used as user names, passwords cannot be configured. If MAC address authentication is enabled on a VLANIF interface, user names for MAC address authentication cannot be set to specified DHCP option information.

    • When the user names for MAC address authentication are in the DHCP option format, the DHCP Option82 cannot be configured in the extend format or a customized format (non character string) by using the dhcp option82 format command.
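The user name format chosen in step 3 decides which account the authentication server must hold; a mismatch fails every client for a format reason rather than a policy reason (see the note above). The following helper is an added example, not code from the Huawei guide: it derives the expected User-Name/password pair for each `macaddress format` variant and audits a constructed server account table against it. It assumes the layouts XXXX-XXXX-XXXX for `with-hyphen`, XX-XX-XX-XX-XX-XX for `with-hyphen normal`, XXXXXXXXXXXX for `without-hyphen`, lowercase unless `uppercase` is given, and the MAC as the password when no `password cipher` is configured.

```python
import re

# Added example (not part of the Huawei guide). Assumed layouts:
# with-hyphen -> XXXX-XXXX-XXXX, with-hyphen normal -> XX-XX-XX-XX-XX-XX,
# without-hyphen -> XXXXXXXXXXXX; lowercase unless "uppercase" is requested.

def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., aabb.ccdd.eeff or aabb-ccdd-eeff
    and return 12 lowercase hex digits; reject anything that is not a MAC."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()

def mac_authen_username(mac: str, fmt: str = "without-hyphen",
                        normal: bool = False, uppercase: bool = False) -> str:
    """User name the device sends for the given 'mac-authen username macaddress
    format' options (default: no hyphens, lowercase)."""
    digits = normalize_mac(mac)
    if fmt == "without-hyphen":
        name = digits
    elif fmt == "with-hyphen" and normal:
        name = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    elif fmt == "with-hyphen":
        name = "-".join(digits[i:i + 4] for i in range(0, 12, 4))
    else:
        raise ValueError(f"unknown format: {fmt!r}")
    return name.upper() if uppercase else name

def expected_credentials(mac, fmt="without-hyphen", normal=False,
                         uppercase=False, password=None):
    """(User-Name, password) the server must be provisioned with. Without a
    'password cipher' the MAC address is used as both name and password."""
    name = mac_authen_username(mac, fmt, normal, uppercase)
    return name, (password if password is not None else name)

def audit_server_accounts(clients, accounts, **fmt_opts):
    """Return the client MACs whose derived account is missing or has a
    different password in the server's account table (a constructed dict)."""
    missing = []
    for mac in clients:
        name, pw = expected_credentials(mac, **fmt_opts)
        if accounts.get(name) != pw:
            missing.append(mac)
    return missing

if __name__ == "__main__":
    # Constructed sample: two clients, server provisioned for the default format.
    clients = ["00:1B:44:11:3A:B7", "0c-9d-92-12-34-56"]
    server = {"001b44113ab7": "001b44113ab7", "0c9d92123456": "0c9d92123456"}
    print(audit_server_accounts(clients, server))  # []
    # Changing the profile to "with-hyphen uppercase" breaks both clients:
    print(audit_server_accounts(clients, server, fmt="with-hyphen", uppercase=True))
```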

(Optional) Configuring Packet Types That Can Trigger MAC Address Authentication

Context

After MAC address authentication is enabled, the device can trigger MAC address authentication on users by default when receiving DHCP/ARP/DHCPv6/ND packets. Based on user information on the actual network, the administrator can adjust the packet types that can trigger MAC address authentication. For example, if all users on a network dynamically obtain IPv4 addresses, the device can be configured to trigger MAC address authentication only through DHCP packets. This prevents the device from continuously sending ARP packets to trigger MAC address authentication when static IPv4 addresses are configured for unauthorized users on the network, and reduces device CPU occupation.

When the device is configured to trigger MAC address authentication through DHCP packets, it can also use DHCP packets to re-authenticate users, clear MAC address authentication user entries in time, and send user terminal information to the authentication server.

NOTE:
  • This function takes effect only for users who go online after this function is successfully configured.

  • Note the following scenario: a device is configured to trigger MAC address authentication through DHCP packets, and DHCP options are used as the user names for MAC address authentication (for the configuration of user names in MAC address authentication, see mac-authen username). If the authentication server delivers the Huawei extended RADIUS attribute HW-Forwarding-VLAN (No. 26-161) to the device, the user packets must carry double VLAN tags and the outer VLAN ID cannot be the same as the ID of HW-Forwarding-VLAN; otherwise, the delivered attribute cannot take effect.

  • After the authentication trigger-condition { dhcp | dhcpv6 | nd } * command is run, static users cannot go online.

  • In a policy association scenario, MAC address authentication can only be triggered by DHCP or ARP packets.

  • The function does not take effect when multiple authentication modes are used together.
  • When MAC address authentication and 802.1X authentication are both enabled on an interface, packets that can trigger authentication include all the packet types that can trigger authentication in the MAC access profile and 802.1X access profile. For example, assume that ARP packets in the MAC access profile are unable to trigger authentication and ARP packets in the 802.1X access profile can trigger authentication. If MAC address authentication and 802.1X authentication are both enabled on an interface, ARP packets can trigger MAC address authentication.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run mac-access-profile name access-profile-name

    The MAC access profile view is displayed.

  3. Run authentication trigger-condition { dhcp | arp | dhcpv6 | nd } *

    The packet types that can trigger MAC address authentication are configured.

    By default, DHCP/ARP/DHCPv6/ND packets can trigger MAC address authentication.

  4. (Optional) Option 82 records information about DHCP user locations and services (voice and data services). After the following command is run, the device sends Option 82 information to the authentication server when receiving DHCP packets that trigger MAC address authentication. Based on the user information recorded in Option 82, the authentication server grants different network access rights to users with different services in different locations. This configuration implements accurate control on network access rights of each user.

    Run authentication trigger-condition dhcp dhcp-option option-code

    The device is enabled to send DHCP option information to the authentication server when receiving DHCP packets that trigger MAC address authentication.

    By default, the device does not send DHCP option information to the authentication server when receiving DHCP packets that trigger MAC address authentication.

  5. (Optional) After users go online, the administrator may modify the users' authentication parameters or network access rights on the authentication server. You can run the following command to ensure user validity or update users' network access rights in a timely manner.

    Run mac-authen reauthenticate dhcp-renew

    The device is enabled to re-authenticate MAC address authentication users when receiving DHCP lease renewal packets from the users.

    By default, the device does not re-authenticate MAC address authentication users when receiving DHCP lease renewal packets from the users.

  6. (Optional) After MAC address authentication users send DHCP release packets and go offline, the device does not immediately delete the corresponding user entries. These user entries occupy device resources and may prevent users from going online. You can run the following command to enable the device to clear user entries in a timely manner when MAC address authentication users go offline.

    Run mac-authen offline dhcp-release

    The device is enabled to clear user entries when receiving DHCP release packets from MAC address authentication users.

    By default, the device does not clear user entries when receiving DHCP release packets from MAC address authentication users.

(Optional) Configuring Re-authentication for Online MAC Address Authentication Users

Context

If the administrator modifies parameters such as access rights and authorization attributes of an online user on the authentication server, the user must be re-authenticated to ensure user validity.

If re-authentication is configured for online MAC address authentication users, the device sends saved authentication parameters of an online user to the authentication server for re-authentication. The device saves user authentication information after users go online. If the user authentication information on the authentication server remains unchanged, the user keeps online. If the information has been modified, the user is disconnected and needs to be re-authenticated.

NOTE:

MAC address authentication users who go online through a VLANIF interface do not support re-authentication.

If the device is connected to a server for re-authentication and the server replies with a re-authentication deny message that makes an online user go offline, it is recommended that you locate the cause of the re-authentication failure on the server or disable the re-authentication function on the device.

The device re-authenticates MAC address authentication users in the following modes:
  • The device periodically re-authenticates users using a specified MAC access profile.
    NOTE:
    After this function is configured, many MAC address authentication logs will be generated.
  • The device re-authenticates MAC address authentication users when receiving DHCP lease renewal packets from the users. This mode takes effect only after the device is configured to trigger MAC address authentication through DHCP packets.
  • The device is manually configured to re-authenticate a user with a specified MAC address once.

Procedure

  • Configuring periodic re-authentication
    1. Run system-view

      The system view is displayed.

    2. Run mac-access-profile name access-profile-name

      The MAC access profile view is displayed.

    3. Run mac-authen reauthenticate

      Re-authentication is enabled for online MAC address authentication users.

      By default, re-authentication for online MAC address authentication users is disabled.

    4. (Optional) Run mac-authen timer reauthenticate-period reauthenticate-period-value

      The re-authentication interval is configured for online MAC address authentication users.

      By default, the re-authentication interval is 1800 seconds for online MAC address authentication users.

      NOTE:

      It is recommended that the re-authentication interval be set to the default value. If multiple ACLs need to be delivered during user authorization, you are advised to disable the re-authentication function or set a longer re-authentication interval to improve the device's processing performance.

      In remote authentication and authorization, if the re-authentication interval is set to a shorter time, the CPU usage may be higher.

      To reduce the impact on the device performance when many users exist, the user re-authentication interval may be longer than the configured re-authentication interval.

  • Configuring re-authentication triggered by DHCP lease renewal packets
    1. Run system-view

      The system view is displayed.

    2. Run mac-access-profile name access-profile-name

      The MAC access profile view is displayed.

    3. Run mac-authen reauthenticate dhcp-renew

      The device is enabled to re-authenticate MAC address authentication users when receiving DHCP lease renewal packets from the users.

      By default, the device does not re-authenticate MAC address authentication users when receiving DHCP lease renewal packets from the users.

  • Configuring single-time re-authentication
    1. Run system-view

      The system view is displayed.

    2. Run mac-authen reauthenticate mac-address mac-address

      The device is manually configured to re-authenticate a user with a specified MAC address once.

Verifying the MAC Access Profile Configuration

Context

After configuring a MAC access profile, run the following command to check the configuration.

Procedure

  • Run the display mac-access-profile configuration [ name access-profile-name ] command to check the configuration of the MAC access profile.
Updated: 2019-08-21

Document ID: EDOC1000141885