No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Setting the Source Address of Offline Detection Packets

Setting the Source Address of Offline Detection Packets

Context

The device sends an ARP probe packet to check the user online status. If the user does not respond within a detection period, the device considers that the user is offline.

If the VLAN to which the user belongs does not have a VLANIF interface or the VLANIF interface does not have an IP address, the device sends an offline detection packet using 255.255.255.255 as the source IP address. If a user cannot respond to an ARP probe packet with the source IP address 255.255.255.255, you can specify a source IP address for the offline detection packet using either of the following methods:
  • Change the default source IP address of offline detection packets.
  • Specify a source IP address for offline detection packets.
NOTE:
  • This function does not take effect for users who use Layer 3 Portal authentication.

  • In the SVF or policy association scenario, you are advised to run the access-user arp-detect default ip-address command to set the source IP address of offline detection packets to 0.0.0.0. After the AS device sends a received ARP reply packet to the UC device, the UC device discards the packet if the destination IP address of the packet is 0.0.0.0 and the source IP address and source MAC address exist in the user entry. In this way, ARP packets do not occupy too many CPU resources of the device and do not cause authentication failures. In the SVF scenario, the command must be configured on the UC device and takes effect only for UC detection. The default source IP address of offline detection packets for AS detection is 0.0.0.0. In the policy association scenario, you can directly configure the command on the AS device.

  • In normal situations, after a device sends an ARP probe packet with a default source IP address, online clients will immediately respond with ARP reply packets. If online clients do not respond with ARP reply packets, the device logs them out unexpectedly. To resolve this problem, use either of the following methods:
    • Run the access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address command to specify a VLAN ID, source IP address, and source MAC address for ARP probe packets.
    • Run the authentication timer handshake-period handshake-period command to increase the handshake period so that the device can detect gratuitous ARP packets that these clients send at an irregular period. Once the device detects such packets, it does not log them out.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Set the source address of offline detection packets.

    • Run access-user arp-detect default ip-address ip-address

      The default source IP address of offline detection packets is set.

      By default, the default source IP address of offline detection packets is 255.255.255.255.

    • Run access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address

      The source IP address and source MAC address are specified for offline detection packets in a VLAN.

      By default, the source IP address and source MAC address are not specified for offline detection packets in a VLAN.

      You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets.

    NOTE:
    The following source IP addresses used in offline detection packets are listed in descending order of priority:
    1. IP address of the VLANIF interface corresponding to the VLAN that users belong to and on the same network segment as users
    2. Source IP address specified using the access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address command for offline detection packets in a specified VLAN
    3. Default source IP address specified using the access-user arp-detect default ip-address ip-address command for offline detection packets

Translation
Download
Updated: 2019-08-21

Document ID: EDOC1000141885

Views: 54139

Downloads: 10

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next