S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
NAC Fundamentals

Process

Figure 2-2 shows the basic NAC process.

Figure 2-2  Basic NAC process
  1. When a NAC terminal connects to the network, the access device works with a security policy server (for example, an AAA server) to authenticate the user.
  2. If the user is authenticated, the security policy server delivers the authorization information to the access device. If authentication fails, the access device isolates the user.
  3. Based on the authorization information from the security policy server, the access device controls the terminal user's network access rights and establishes a communication channel between the terminal and the security policy server.
  4. The NAC terminal exchanges information directly with the security policy server and reports its status, including the antivirus database version, operating system, and patch versions.
  5. The security policy server checks the terminal status. If the NAC terminal does not comply with the enterprise security standards, the server delivers new authorization information to the access device.
  6. The access device modifies the terminal user's network access rights according to the new authorization information delivered by the security policy server.
  7. Based on the status check result, the NAC terminal connects to the software server to download client software, repair the system, or upgrade the patch or antivirus database until the terminal complies with the enterprise security standards.

User Access Modes

On a NAC network, user access modes are classified into the following types according to the network access scenario:
  • single-terminal: The device interface allows only one data terminal to connect to the network.
  • single-voice-with-data: A single data terminal connects to the network through a voice terminal attached to the device interface, and the device authenticates the data terminal and the voice terminal independently.
  • multi-share: Multiple data terminals connect to the network through the device interface. The device authenticates only the first user who goes online, and subsequent users share that user's network access rights. After the first user goes offline, the other users lose their network access rights.
  • multi-authen: Multiple data terminals connect to the network through the device interface, and the device authenticates each access user independently. When a user goes offline, the network access rights of other users are not affected.
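The following model, added here as an illustration and not taken from Huawei device software, captures the access-rights behaviour of the single-terminal, multi-share and multi-authen modes described above: who must pass authentication, and whose rights are revoked when a user goes offline. The port class, user names and the authentication callback are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class AccessPort:
    """One device interface running in a given NAC user access mode (model only)."""
    mode: str                          # "single-terminal", "multi-share" or "multi-authen"
    authenticate: Callable[[str], bool]  # constructed stand-in for the AAA server's decision
    online: List[str] = field(default_factory=list)  # users currently holding access rights
    first_user: Optional[str] = None   # only meaningful in multi-share mode

    def connect(self, user: str) -> bool:
        """Return True if `user` obtains network access rights on this port."""
        if self.mode == "single-terminal":
            if self.online:
                return False           # the port already serves its one data terminal
            if self.authenticate(user):
                self.online.append(user)
                return True
            return False
        if self.mode == "multi-share":
            if self.first_user is None:
                if not self.authenticate(user):
                    return False       # the first user must pass; nothing to share yet
                self.first_user = user
            self.online.append(user)   # later users ride on the first user's rights
            return True
        if self.mode == "multi-authen":
            if self.authenticate(user):
                self.online.append(user)   # each user is authenticated on its own
                return True
            return False
        raise ValueError(f"unknown access mode {self.mode!r}")

    def disconnect(self, user: str) -> None:
        """User goes offline; in multi-share the first user's logoff revokes everyone."""
        if user in self.online:
            self.online.remove(user)
        if self.mode == "multi-share" and user == self.first_user:
            self.online.clear()
            self.first_user = None

    def has_access(self, user: str) -> bool:
        """Whether `user` currently holds network access rights on this port."""
        return user in self.online
```

The multi-share branch shows why that mode is the weakest of the three: a user the AAA server would reject still obtains access as long as the first user stays online.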

Comparison Between Three Authentication Modes

NAC provides three authentication modes: 802.1X authentication, MAC address authentication, and Portal authentication. Table 2-1 compares the three authentication modes.

Table 2-1  Authentication mode comparisons

Item         | 802.1X Authentication                                             | MAC Address Authentication                                          | Portal Authentication
Client       | Required                                                          | Not required                                                        | Not required
Advantage    | High security                                                     | No client required                                                  | Flexible deployment
Disadvantage | Inflexible deployment                                             | Complex management; MAC address registration required               | Low security
Scenario     | New network with concentrated users and high security requirements | Authentication of dumb terminals such as printers and fax machines  | Scenarios with flexible authentication modes and scattered users

On a NAC network, the device supports concurrent deployment of 802.1X authentication, MAC address authentication, and Portal authentication on user access ports (multi-mode authentication) to meet varied authentication requirements flexibly. After multi-mode authentication is deployed, the device triggers the corresponding authentication mode based on the type of authentication packet it receives.

Updated: 2019-08-21

Document ID: EDOC1000141885