S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
Licensing Requirements and Limitations for Policy Association

Involved Network Elements

Table 4-1  Components involved in policy association networking

| Role | Product Model | Description |
|---|---|---|
| AAA server | Huawei servers or third-party AAA servers | Performs authentication, accounting, and authorization on users. |
| Portal server | Huawei servers or third-party Portal servers | Receives authentication requests from Portal clients, provides free portal services and a web-authentication interface, and exchanges the authentication information of authentication clients with access devices. This component is required only in external Portal authentication mode. |

NOTE:

  • When Huawei's Agile Controller-Campus functions as the server, the required version is V100R001, V100R002, or V100R003.
  • If a Huawei switch needs to function as a DHCP server and assign IP addresses to terminals based on the static MAC-IP binding relationship delivered by the Agile Controller-Campus, the Agile Controller-Campus must run V100R002 or V100R003.

Licensing Requirements

Policy Association is a basic feature of a switch and is not under license control.

Version Requirements

Table 4-2  Products and versions supporting Policy Association (columns: Software Version, Control device, Access device)

V200R011C10

  • S12704, S12708, S12710, S12712
  • S7703, S7706, S7712
  • S9703, S9706, S9712
  • S9303, S9306, S9310, S9312
  • S9303E, S9306E, S9312E
  • S9310X
  • S5720HI, S6720SI, S6720S-SI, S6720EI, S6720S-EI
  • S600-E

V200R011C00

  • S5720HI, S6720EI, S6720S-EI
  • S600-E

V200R010C00

  • S12704, S12708, S12710, S12712
  • S7703, S7706, S7712
  • S9703, S9706, S9712
  • S5720HI, S6720EI, S6720S-EI
  • S600-E

Feature Limitations

The information about the network is as follows:

  • A control device and an access device can be directly connected or connected across a pure Layer 2 network, and the user gateway must be located on the control device or the upstream device of the control device.
  • A control device can be a single device or a cluster of two devices or a stack of multiple devices. An access device can be a single device or a stack of multiple devices. The devices in a stack must have the same model and interface type.
  • If the control device and access device both run versions earlier than V200R011C10, they must run the same version in the independent policy association scenario.
  • If the control device and access device both run V200R011C10 or later versions, they can run different versions in the independent policy association scenario.
The information about the basic function of Policy Association is as follows:
  • Only policy association between the control device and access devices is supported, and configuration association is not supported.

  • Policy association is applicable only to wired users. MAC address migration is not supported for online users: when a user switches from one access device or access interface to another, the user may fail to go online. In this case, reduce the offline detection interval (15 to 30 seconds is recommended if no hub is used) so that the system quickly detects that the user has gone offline from the original interface and lets the user go online through the new interface. For example, run the link-down offline delay 0 command in the authentication profile of the access device to set the user logout delay to zero when the interface link goes down, and then run the user-detect interval 10 retry 2 command in the system view to enable online detection so that the user can go online again quickly.

  • In policy association, the management VLAN of a CAPWAP tunnel connects access devices to the network. It is not recommended to perform other service configurations except basic configurations in the management VLAN and the corresponding VLANIF interface. If such configurations are performed, access devices may fail to connect to the network.

The information about the control point is as follows:
  • The control point can be configured on a Layer 2 physical interface or a VLANIF interface. When a VLANIF interface is used as the NAC authentication interface, both the VLANIF interface and the physical interface mapped to it must be configured as control points, and NAC authentication cannot be configured on the physical interface.

The information about NAC authentication is as follows:
  • Policy association is supported only in the NAC unified mode.

  • Policy association is not supported on an IPv6 network, in which authentication cannot be triggered through DHCPv6 or ND packets.

  • Only the S7700, S9700, and S12700 series switches support PPPoE authentication. However, the switches do not support PPPoE authentication in the policy association solution.

  • Only the S600-E, S5700, and S6700 series switches support built-in Portal authentication. However, the switches do not support built-in Portal authentication in the policy association solution.

  • Policy association supports neither Layer 3 Portal authentication nor the multi-share access mode.

  • Policy association cannot be configured on some interfaces of the access device when local authentication is configured on other interfaces of the access device.

  • In policy association, the user authentication method depends on the authentication method and sequence configured on the control device.

  • In policy association, users cannot go online if NAC authentication is configured only on the control device and not on the access device. It is recommended that authenticated users and authentication-free users be placed in different VLANs and that authentication-free rules be configured based on those VLANs to allow authentication-free users access.

  • In policy association, to enable users to obtain some network rights before authentication succeeds, perform the following operations: Run the free-rule rule-id destination any source any command on the access device to enable all network access rights for the users. Then run the authentication event action authorize command on the control device to configure the network access rights for the users before authentication succeeds.

  • When a VLAN is authorized in policy association scenarios:
    • The downlink interface on the access device must be a hybrid interface. The uplink interface on the access device connected to the control device can be a trunk or hybrid interface, but must allow packets from the authorized VLAN to pass through. If a transparent transmission device exists between the access device and the control device, the transparent transmission device must also allow packets from the authorized VLAN to pass through.
    • In versions earlier than V200R011C10, the downlink interface on the control device connected to the access device must be a hybrid interface. In V200R011C10 and later versions, the downlink interface on the control device connected to the access device can be a trunk or hybrid interface.
    • The packets received by an authentication-enabled interface on the control device must carry VLAN tags or the VLAN assigned for authorization must be set to the default VLAN (PVID) of the interface. Otherwise, the assigned VLAN does not take effect.
The information about the name of an access device is as follows:
  • The actual name of an access device may differ from the name displayed on the control device (using the display as all command). When an access device goes online, its name is processed as follows:
    • If the access device uses the default name, its name is changed to default name-MAC address of the access device on the control device.
    • If the access device name contains spaces or double quotation marks ("), the spaces are changed to en dashes (-) and the double quotation marks (") are changed to single quotation marks (') on the control device.
  • Access device names are case-insensitive, and the names viewed on the control device are in lowercase letters. If the name of an access device is not changed on the control device when the access device attempts to go online, the access device fails to go online and a name conflict alarm is generated. If the name of an access device is set to be the same as the actual name of an access device that is running properly, a name conflict alarm is generated and the access device does not go offline.
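The name-processing and name-conflict rules above, modelled in Python as an added illustration (this is not Huawei code; the factory default name value, the xxxx-xxxx-xxxx MAC format and the conflict check on a differing MAC are assumptions):

```python
"""Model of how a control device derives the displayed name of an access
device and raises a name-conflict alarm, following the rules on this page.
Added illustration only; not Huawei's implementation."""
import re

DEFAULT_NAME = "HUAWEI"  # assumption: placeholder for the switch's factory default name
MAC_RE = re.compile(r"^([0-9a-f]{4}-){2}[0-9a-f]{4}$")  # assumption: Huawei xxxx-xxxx-xxxx notation


def normalize_name(name: str, mac: str) -> str:
    """Return the name the control device would display for an access device.

    Rules from the page: a default name becomes "default name-MAC";
    spaces become "-", double quotation marks become single quotation
    marks; names are case-insensitive and shown in lowercase."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"unexpected MAC format: {mac}")
    if name == DEFAULT_NAME:
        name = f"{name}-{mac}"
    name = name.replace(" ", "-").replace('"', "'")
    return name.lower()


class ControlDevice:
    """Tracks online access devices by displayed name. A device whose
    name normalizes to one already registered by a different device is
    rejected and a name-conflict alarm is recorded (assumed check)."""

    def __init__(self) -> None:
        self.online: dict[str, str] = {}  # displayed name -> MAC of the device holding it
        self.alarms: list[str] = []

    def register(self, name: str, mac: str) -> bool:
        shown = normalize_name(name, mac)
        owner = self.online.get(shown)
        if owner is not None and owner != mac.lower():
            self.alarms.append(
                f"name conflict: '{shown}' already used by {owner}; rejected {mac.lower()}"
            )
            return False
        self.online[shown] = mac.lower()
        return True
```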
Updated: 2019-08-21

Document ID: EDOC1000141885