S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
Configuring a User Authentication Mode

Context

The device supports 802.1X, MAC address, and Portal authentication modes in NAC deployment. The access profile bound to the authentication profile determines the user authentication mode on an interface.

The device allows multiple authentication modes (multi-mode authentication) to be deployed simultaneously on an interface to meet various authentication requirements on the network. In this case, you need to bind multiple access profiles to an authentication profile.

Prerequisites

Access profiles have been configured.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  3. Configure the user authentication mode.

    • 802.1X authentication

      Run dot1x-access-profile access-profile-name

      An 802.1X access profile is bound to the authentication profile.

      By default, no 802.1X access profile is bound to an authentication profile.

    • MAC address authentication

      Run mac-access-profile access-profile-name

      A MAC access profile is bound to the authentication profile.

      By default, no MAC access profile is bound to an authentication profile.

    • Portal authentication

      Run portal-access-profile access-profile-name

      A Portal access profile is bound to the authentication profile.

      By default, no Portal access profile is bound to an authentication profile.

    • Multi-mode authentication

      To concurrently configure several authentication modes, you only need to bind corresponding access profiles to an authentication profile. Access profiles can be bound to the authentication profile in any sequence. The device triggers the corresponding authentication based on received authentication packets.

      You can configure MAC address bypass authentication to authenticate terminals such as printers that cannot have the 802.1X client installed. The device performs 802.1X authentication for users. If the authentication fails, the device performs MAC address authentication for these users.

      The following uses MAC address bypass authentication as an example. The configuration procedure is as follows:
      1. Run mac-access-profile access-profile-name

        A MAC access profile is bound to the authentication profile.

        By default, no MAC access profile is bound to an authentication profile.

      2. Run dot1x-access-profile access-profile-name

        An 802.1X access profile is bound to the authentication profile.

        By default, no 802.1X access profile is bound to an authentication profile.

      3. Run authentication dot1x-mac-bypass

        MAC address bypass authentication is enabled.

        By default, MAC address bypass authentication is disabled.

    NOTE:

    When configuring multi-mode authentication, pay attention to the following points:

    • An authentication profile can be bound to at most one 802.1X access profile, one MAC access profile, and one Portal access profile.

    • After multi-mode authentication is configured, the device by default allows users to use multiple authentication modes. For example, if a user passes MAC address authentication, the user will not be redirected to the Portal authentication page when accessing a web page. However, if the user directly enters the Portal authentication website in the browser, Portal authentication can be performed. After the authentication succeeds, the user obtains the network access rights for Portal authentication users. To authenticate users using only one authentication mode, run the authentication single-access command to configure the device to allow users to pass only one access authentication.

    • MAC address authentication and Portal authentication cannot be performed after 802.1X authentication succeeds.

    • 802.1X + MAC address authentication is mainly applied to scenarios where dumb terminals exist. When a gateway functions as an authentication device, 802.1X + MAC address authentication is not recommended because ARP packets sent by terminals trigger MAC address authentication first. This degrades the performance of 802.1X authentication and ARP attacks may occur.

      In a scenario where dumb terminals exist and a gateway functions as an authentication device, you are advised to use the following configuration mode:
      1. Ensure that dumb terminals use fixed IP addresses. You can manually configure IP addresses or bind IP addresses statically using DHCP snooping.
      2. Do not configure multi-mode authentication on the gateway. Configure 802.1X authentication for users who do not use dumb terminals and configure IP address-based authentication-free rules for users who use dumb terminals.
    • In MAC address + Portal authentication, the device performs MAC address authentication first for an access terminal. If MAC address authentication fails, the device performs Portal authentication. This is MAC address-prioritized Portal authentication.
    • In wireless access scenarios, either 802.1X + MAC address authentication or 802.1X + Portal authentication is supported.
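
The following audit script is an added example, not part of the Huawei guide. It checks saved authentication profiles against the procedure and notes above: MAC address bypass enabled without both the 802.1X and MAC access profiles bound, and multi-mode profiles that do not set authentication single-access (a review item, since allowing several modes may be intended). The profile names, the sample text, and the assumed layout of the saved configuration are constructed for illustration.

```python
import re

# Constructed sample. Assumed layout: settings are indented under
# "authentication-profile name <x>"; "#" or a top-level line closes the view.
SAMPLE_CONFIG = """\
authentication-profile name office_ports
 dot1x-access-profile d1
 mac-access-profile m1
 authentication dot1x-mac-bypass
#
authentication-profile name printer_ports
 dot1x-access-profile d1
 authentication dot1x-mac-bypass
#
authentication-profile name guest_ports
 mac-access-profile m1
 portal-access-profile web1
 authentication single-access
#
"""

BIND = re.compile(r"^(dot1x|mac|portal)-access-profile\s+(\S+)$")

def parse_profiles(text):
    """Return {profile: {"bound": {mode: access_profile}, "flags": set()}}."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("authentication-profile name "):
            current = profiles.setdefault(line.split()[2], {"bound": {}, "flags": set()})
        elif not raw.startswith(" "):
            current = None  # "#" or any other top-level line ends the profile view
        elif current is not None:
            m = BIND.match(line)
            if m:
                current["bound"][m.group(1)] = m.group(2)
            elif line.startswith("authentication "):
                current["flags"].add(line.split(None, 1)[1])
    return profiles

def audit(text):
    """Return sorted (profile, finding) pairs for the two checks described above."""
    findings = []
    for name, p in parse_profiles(text).items():
        missing = {"dot1x", "mac"} - set(p["bound"])
        if "dot1x-mac-bypass" in p["flags"] and missing:
            findings.append((name, "bypass-without-" + "+".join(sorted(missing))))
        if len(p["bound"]) > 1 and "single-access" not in p["flags"]:
            findings.append((name, "multi-mode-without-single-access"))
    return sorted(findings)
```

Calling audit(SAMPLE_CONFIG) reports office_ports as multi-mode without single-access and printer_ports as having bypass enabled with no MAC access profile bound; guest_ports passes both checks.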

Updated: 2019-08-21

Document ID: EDOC1000141885
