
S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
Licensing Requirements and Limitations for NAC Common Mode

Involved Network Elements

Table 3-1  Components involved in NAC networking

Role: AAA server
Product Model: Huawei servers or third-party AAA servers
Description: Performs authentication, accounting, and authorization on users.

Role: Portal server
Product Model: Huawei servers or third-party Portal servers
Description: Receives authentication requests from Portal clients, provides free portal services and a web-based authentication interface, and exchanges authentication information of the authentication clients with access devices. This component is required only in external Portal authentication mode.

NOTE:

When Huawei's Agile Controller-Campus functions as the server, the required version is V100R001, V100R002, or V100R003.

If a Huawei switch needs to function as a DHCP server and assign IP addresses to terminals based on the static MAC-IP binding relationship delivered by the Agile Controller-Campus, the Agile Controller-Campus must run V100R002 or V100R003.

Licensing Requirements

NAC common mode is a basic feature of a switch and is not under license control.

Version Requirements

Table 3-2  Products and versions supporting NAC common mode

Product Model: S600-E
Software Version: V200R010C00, V200R011C00, V200R011C10

NOTE:
For details about software mappings, see the Hardware Query Tool.

Feature Limitations

NAC mode-related:
  • Compared with the common mode, the unified mode uses a modular configuration, which makes the configuration clearer and the configuration model easier to understand. Given these advantages, you are advised to deploy NAC in unified mode.
  • In versions earlier than V200R007C00, after switching between the common mode and the unified mode, you must save the configuration file and restart the device manually for the new configuration mode to take effect. In V200R007C00 and later versions, the device automatically saves the configuration file and restarts after the mode is switched.
  • In the unified mode, only the commands specific to the common mode are unavailable; in the common mode, only the commands specific to the unified mode are unavailable. Commands supported by both modes remain in effect after the configuration mode is switched.
Authentication:
  • In the 802.1X authentication scenario, if there is a Layer 2 switch between the 802.1X-enabled device and the users, the 802.1X authentication packet transparent transmission function must be enabled on that Layer 2 switch. Otherwise, EAPOL frames are dropped by the intermediate switch and the users cannot pass authentication.
  • In the Portal authentication scenario, users may authenticate with spoofed IP addresses, which is a security risk. It is recommended that you configure attack defense functions such as IP Source Guard (IPSG) and DHCP snooping so that a user's IP address is checked against the binding learned from DHCP.
  • NAC authentication and authentication-related parameters cannot be enabled both on a Layer 2 Ethernet interface and on the VLANIF interface of the VLAN to which that Layer 2 Ethernet interface belongs.
  • NAC authentication (except HTTP-based or HTTPS-based Portal authentication) can be implemented for users in a VPN, but not for users that have the same IP address in different VPNs.
  • Terminals using MAC address authentication do not support switching between IPv4 and IPv6. To ensure that a terminal can obtain an IP address normally after passing authentication, you are advised to enable either IPv4 or IPv6 on the terminal, not both.
  • When an authentication point is deployed on the X series cards, only the X1E, X2E, X2H, and X5H cards support ACL authorization for IPv6 users; other X series cards do not.
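The first two items above say what must be configured but not how. The following fragment is an added example, not part of the original guide, showing Huawei S-series CLI commands that implement them: transparent transmission of 802.1X (EAPOL) frames on an intermediate Layer 2 switch, and DHCP snooping plus IPSG on the Portal access switch so that a user's source IP address must match the binding learned from DHCP. VLAN 10, the interface numbers, and which port is the uplink are assumptions; verify the command syntax against the command reference of the version you run.

```text
#
# Part 1: intermediate Layer 2 switch sitting between the 802.1X authenticator and the users.
# Assumed: users on GigabitEthernet0/0/1, authenticator reachable through GigabitEthernet0/0/24.
# EAPOL frames are sent to the reserved MAC 0180-c200-0003 and are normally not forwarded by a
# bridge, so a user-defined tunnel protocol is declared for them and enabled on both ports.
#
system-view
 l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
 interface GigabitEthernet0/0/1
  bpdu enable
  l2protocol-tunnel user-defined-protocol 802.1x enable
  quit
 interface GigabitEthernet0/0/24
  bpdu enable
  l2protocol-tunnel user-defined-protocol 802.1x enable
  quit
#
# Part 2: Portal access switch.
# Assumed: Portal users in VLAN 10 on GigabitEthernet0/0/1, DHCP server reached through
# uplink GigabitEthernet0/0/24 (the only port allowed to send DHCP server replies).
# DHCP snooping records (MAC, IP, VLAN, interface) bindings from DHCP exchanges; IPSG then
# drops IP packets on the user port whose source IP/MAC pair has no binding, so a user cannot
# present an address that DHCP never assigned to it when authenticating to the Portal server.
#
 dhcp enable
 dhcp snooping enable
 vlan 10
  dhcp snooping enable
  quit
 interface GigabitEthernet0/0/24
  dhcp snooping trusted
  quit
 interface GigabitEthernet0/0/1
  ip source check user-bind enable
  ip source check user-bind check-item ip-address mac-address
  quit
#
# Check: a user must appear in the binding table before IPSG forwards its IP traffic.
 display dhcp snooping user-bind all
```

Leave the user-facing port untrusted (the default): with the uplink trusted, DHCP offers from a rogue server on a user port are discarded, and a statically configured address on a user port has no binding and is dropped by IPSG before it ever reaches Portal authentication.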
Authorization:
  • An authorized VLAN cannot be delivered to online Portal users. For MAC address-prioritized Portal authentication, the Agile Controller-Campus V1 delivers the session timeout attribute after Portal authentication succeeds so that the users go offline immediately, and then delivers the authorized VLAN after the users pass MAC address authentication.
  • If a terminal obtains an IP address using DHCP, you need to manually trigger the DHCP process on the terminal to request a new IP address after VLAN-based authorization succeeds or the authorized VLAN changes through CoA packets.
  • In versions earlier than V200R011C10, the DSCP value of upstream or downstream packets cannot be authorized to users, and if an ACL, an upstream rate limit, and a downstream rate limit are all authorized to a user, only the ACL takes effect. In V200R011C10 and later versions, the DSCP value of upstream or downstream packets can be authorized to users, and the authorized ACL, upstream rate limit, downstream rate limit, upstream DSCP value, and downstream DSCP value can all take effect simultaneously.
Other:
  • The number of NAC users cannot exceed the maximum number of MAC address entries supported by the switch.
  • During Link-type Negotiation Protocol (LNP) negotiation, NAC users cannot go online until the interface link type becomes stable. If the interface link type is negotiated again and the result changes, the online NAC users are forced offline.
  • For the S600-E, ACL-based simplified traffic policy and the traffic classification rules in MQC-based traffic policy have higher priority than the rules defined in the NAC configuration. If configurations in an ACL-based simplified traffic policy or an MQC-based traffic policy conflict with the NAC function, the device processes packets according to the ACL-based simplified traffic policy and the traffic behaviors in the MQC-based traffic policy.
Updated: 2019-08-21

Document ID: EDOC1000141885