No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring Extended Functions Related to MAC Address Authentication

Configuring Extended Functions Related to MAC Address Authentication

Disabling the Pre-connection Function

Context

When a user terminal connects to an NAC-enabled interface on the device, a pre-connection is set up between the terminal and device. If the device is not configured to grant network access rights to users in pre-connection or authentication failure state, users who fail to be authenticated remain in the pre-connection state by default. Because the device allows DHCP packets from pre-connection users to pass through, the users can still obtain IP addresses although they do not have any network access rights, wasting IP addresses and bringing network security risks.

You can run the undo authentication pre-authen-access enable command to disable the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state. This configuration ensures that the users cannot obtain IP addresses.

NOTE:

This function does not take effect for users who use Portal authentication or combined authentication (including Portal authentication).

This function does not take effect for users for whom authorization information is configured based on an authentication event.

If the device connects to some terminals such as a MacBook laptop that is not authenticated after obtaining an IP address, it is recommended that you disable the pre-connection function on the device and then connect the terminal to the network again.

If a user in pre-connection state attempts to go online using DHCP packets containing the Option 82 field but fails to go online, it is recommended that you disable the function of keeping users who fail to be authenticated on the device and do not have any network access rights in the pre-connection state.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run undo authentication pre-authen-access enable

    The pre-connection function is disabled.

    By default, the pre-connection function is enabled, that is, users who are not successfully authenticated and do not have any network access rights are in the pre-connection state.

Translation
Download
Updated: 2019-08-21

Document ID: EDOC1000141885

Views: 58498

Downloads: 10

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next