S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
(Optional) Configuring the Handshake Function to Enable the Device to Clear User Entries Immediately

Context

The device creates entries for pre-connection users, users who fail to be authenticated and are assigned network access rights, and users who are authenticated. After users go offline in normal situations, the system immediately deletes the corresponding user entries. However, if some users go offline due to exceptions such as network disconnections, the system cannot immediately delete the corresponding user entries. If there are too many such invalid user entries, other users may fail to access the network.

To solve this problem, configure the handshake function to enable the device to clear user entries immediately. Then, if a user does not respond to the handshake request from the device within the handshake interval, the device deletes the user entry.
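The effect described above, as an added example that is not part of the original guide and is not Huawei's implementation: a simplified Python model of the user-entry table in which two users go offline abnormally. The table capacity of 3, the MAC addresses, and the class and function names are constructed for illustration; only the 300-second interval comes from this page.

```python
from dataclasses import dataclass, field

HANDSHAKE_PERIOD = 300  # seconds; the default handshake interval stated on this page


@dataclass
class AccessDevice:
    """Simplified model of the user-entry table (capacity is a constructed value)."""
    capacity: int
    handshake: bool
    entries: dict = field(default_factory=dict)  # MAC -> time of last handshake reply

    def login(self, mac: str, now: int) -> bool:
        """Create a user entry; fails when the table is already full."""
        if mac not in self.entries and len(self.entries) >= self.capacity:
            return False
        self.entries[mac] = now
        return True

    def logout(self, mac: str) -> None:
        """Normal offline: the entry is deleted immediately."""
        self.entries.pop(mac, None)

    def handshake_round(self, now: int, reachable: set) -> list:
        """Probe every entry; delete those that did not answer within the interval."""
        if not self.handshake:
            return []
        removed = []
        for mac in list(self.entries):
            if mac in reachable:
                self.entries[mac] = now  # user replied, refresh the entry
            elif now - self.entries[mac] >= HANDSHAKE_PERIOD:
                removed.append(mac)      # no reply within the interval
                del self.entries[mac]
        return removed


def simulate(handshake: bool) -> bool:
    """Three users fill the table, two drop off abnormally; can a new user get in?"""
    dev = AccessDevice(capacity=3, handshake=handshake)
    for mac in ("00e0-fc00-0001", "00e0-fc00-0002", "00e0-fc00-0003"):
        dev.login(mac, now=0)
    # Constructed scenario: users 2 and 3 lose their link without logging out.
    dev.handshake_round(now=HANDSHAKE_PERIOD, reachable={"00e0-fc00-0001"})
    return dev.login("00e0-fc00-0004", now=HANDSHAKE_PERIOD + 1)
```

With the handshake disabled, the two stale entries keep the table full and the fourth user is refused; with it enabled, they are cleared at the first handshake round and the new user is admitted.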

NOTE:

Only MAC address authentication users, Layer 2 Portal authentication users, and 802.1X authentication users support this function.

The handshake interval for MAC address authentication users and 802.1X authentication users is configured using the authentication timer handshake-period command. The handshake interval for Layer 2 Portal authentication users is configured using the portal timer offline-detect command.

This function takes effect only for the users who obtain IP addresses.

If the number of ARP probe packets exceeds the default CAR value, the probe fails and the users are logged out. To resolve the problem, the following methods are recommended:
  • Increase the handshake interval based on the number of users. The default handshake interval is recommended when there are fewer than 8000 users; the handshake interval should be no less than 600 seconds when there are more than 8000 users.
  • Deploy the port attack defense function on the access device and limit the rate of packets sent to the CPU.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  3. Run authentication handshake

    The handshake with pre-connection users and authorized users is enabled.

    By default, the handshake with pre-connection users and authorized users is enabled.

  4. (Optional) Run authentication timer handshake-period handshake-period

    The handshake interval of the device with pre-connection users and authorized users is set.

    By default, the handshake interval of the device with pre-connection users and authorized users is 300 seconds.

Updated: 2019-08-21

Document ID: EDOC1000141885
