No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
(Optional) Configuring Packet Types That Can Trigger MAC Address Authentication

(Optional) Configuring Packet Types That Can Trigger MAC Address Authentication

Context

After MAC address authentication is enabled, the device can trigger MAC address authentication on users by default when receiving DHCP/ARP/DHCPv6/ND packets. Based on user information on the actual network, the administrator can adjust the packet types that can trigger MAC address authentication. For example, if all users on a network dynamically obtain IPv4 addresses, the device can be configured to trigger MAC address authentication only through DHCP packets. This prevents the device from continuously sending ARP packets to trigger MAC address authentication when static IPv4 addresses are configured for unauthorized users on the network, and reduces device CPU occupation.

When the function of triggering MAC address authentication through DHCP packets is supported, the device can use the DHCP packets to re-authenticate users, clear the MAC address authentication user entries in time, and send user terminal information to the authentication server.

NOTE:

There is a situation that you should notice. A device is configured to trigger MAC address authentication through DHCP packets and DHCP options are used as the user names for MAC address authentication (for the configuration of user names in MAC address authentication, see (Optional) Configuring the User Name Format). If the authentication server delivers Huawei extended RADIUS attribute HW-Forwarding-VLAN (No. 26-161) to the device, the user packet must carry double VLAN tags and the outer VLAN ID cannot be the same as the ID of HW-Forwarding-VLAN; otherwise, the delivered attribute cannot take effect.

Procedure

  1. Run the system-view command to enter the system view.
  2. Configure the packet types that can trigger MAC address authentication.

    You can configure this function globally or on interfaces. If the function is configured globally, the configuration takes effect on multiple interfaces. If the function is configured on interfaces, the configuration only takes effect on the specified interfaces. If the function is configured globally and on interfaces, the configuration on the interfaces takes precedence.

    By default, DHCP/ARP/DHCPv6/ND packets can trigger MAC address authentication.

    View Procedure
    System view

    Run the mac-authen { dhcp-trigger | arp-trigger | dhcpv6-trigger | nd-trigger } * [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to configure the packet types that can trigger MAC address authentication.

    Interface view
    1. Run the interface interface-type interface-number command to enter the interface view.

    2. Run the mac-authen { dhcp-trigger | arp-trigger | dhcpv6-trigger | nd-trigger } * command to configure the packet types that can trigger MAC address authentication.

  3. (Optional) Enable the device to send DHCP option information to the authentication server when triggering MAC address authentication through DHCP packets.

    You can enable this function globally or on interfaces. If the function is enabled globally, it can be enabled on multiple interfaces. If the function is enabled on interfaces, it only takes effect on the specified interfaces. If the function is enabled globally and on interfaces, the function enabled on the interfaces takes precedence.

    By default, the device does not send DHCP option information to the authentication server when triggering MAC address authentication through DHCP packets.

    View Procedure Scenario
    System view

    Run the mac-authen dhcp-trigger dhcp-option option-code [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to enable the device to send DHCP option information to the authentication server when triggering MAC address authentication through DHCP packets.

    Option82 record information about DHCP user locations and services (voice and data services). After this command is run, the device sends Option82 information to the authentication server when triggering MAC address authentication through DHCP packets. Based on the user information recorded in Option 82, the authentication server grants different network access rights to users with different services in different locations. This implements accurate control on the network access right of each user.

    Interface view
    1. Run the interface interface-type interface-number command to enter the interface view.

    2. Run the mac-authen dhcp-trigger dhcp-option option-code command to enable the device to send DHCP option information to the authentication server when triggering MAC address authentication through DHCP packets.

  4. (Optional) Enable the device to re-authenticate the users when receiving DHCP lease renewal packets from MAC address authentication users.

    You can enable this function globally or on interfaces. If the function is enabled globally, it can be enabled on multiple interfaces. If the function is enabled on interfaces, it only takes effect on the specified interfaces.

    By default, the device does not re-authenticate the users when receiving DHCP lease renewal packets from MAC address authentication users.

    View Procedure Scenario
    System view

    Run the mac-authen reauthenticate dhcp-renew interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> command to enable the device to re-authenticate the users when receiving DHCP lease renewal packets from MAC address authentication users.

    After users go online, the administrator may modify the users' authentication parameters or network access rights on the authentication server. To ensure user validity or update the users' network access rights in real time, you can run this command to enable the device to re-authenticate the users when receiving DHCP lease renewal packets from MAC address authentication users.

    Interface view
    1. Run the interface interface-type interface-number command to enter the interface view.

    2. Run the mac-authen reauthenticate dhcp-renew command to enable the device to re-authenticate the users when receiving DHCP lease renewal packets from MAC address authentication users.

  5. (Optional) Enable the device to clear user entries when receiving DHCP Release packets from MAC address authentication users.

    You can enable this function globally or on interfaces. If the function is enabled globally, it can be enabled on multiple interfaces. If the function is enabled on interfaces, it only takes effect on the specified interfaces.

    By default, the device does not clear user entries when receiving DHCP Release packets from MAC address authentication users.

    View Procedure Scenario
    System view

    Run the mac-authen offline dhcp-release interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> command to enable the device to clear user entries when receiving DHCP Release packets from MAC address authentication users.

    After MAC address authentication users who send DHCP Release packets go offline, the corresponding user entries on the device cannot be deleted immediately. This occupies device resources and possibly prevents other users from going online. You can run this command to enable the device to clear the user entries in real time when MAC address authentication users go offline.

    Interface view
    1. Run the interface interface-type interface-number command to enter the interface view.

    2. Run the mac-authen offline dhcp-release command to enable the device to clear user entries when receiving DHCP Release packets from MAC address authentication users.

Translation
Download
Updated: 2019-08-21

Document ID: EDOC1000141885

Views: 54958

Downloads: 10

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next