S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
Configuring Control Devices

Context

To enforce strong policies without increasing policy complexity on large campus networks, deploy policy association, in which control devices authenticate users and control access policies. To implement policy association, configure the policy association function on control devices.

Procedure

  1. Establish CAPWAP tunnels.

    Control devices and access devices establish connections over CAPWAP tunnels and use these tunnels to complete user association, transmit messages, deliver user authorization policies, and synchronize user information.

    1. Create a management VLAN.
      NOTE:

      In policy association, the management VLAN of a CAPWAP tunnel connects access devices to the network. Do not perform service configurations other than the basic configurations in the management VLAN and its corresponding VLANIF interface; otherwise, access devices may fail to connect to the network.

      1. Run the system-view command to enter the system view.

      2. Run the vlan batch vlan-id command to create a management VLAN.

      3. Run the interface vlanif vlan-id command to create a VLANIF interface and enter the VLANIF interface view.

      4. Run the ip address ip-address { mask | mask-length } command to configure an IP address for the VLANIF interface.

      5. Run the quit command to return to the system view.

    2. Specify the source interface of the CAPWAP tunnel.

      NOTE:
      A VLANIF interface or a loopback interface on the device can function as the source interface of the CAPWAP tunnel.
      • VLANIF interface: applies to the scenario where all the access devices that associate with the control device belong to the same management VLAN.
      • Loopback interface: applies to the scenario where the access devices that associate with the control device belong to different management VLANs. When the access devices belong to multiple management VLANs, the control device must have multiple VLANIF interfaces configured. If one of these VLANIF interfaces is specified as the source interface, none of the access devices can work properly when that source interface fails. A loopback interface remains Up after being created. When a loopback interface is used as the source interface and a VLANIF interface becomes faulty, only the access devices that connect through that VLANIF interface cannot go online.

      If the SVF function is enabled, only one source interface can be configured.

      Multiple source interfaces can be configured. When the source interfaces are added to different VPN instances, their IP addresses cannot be the same.

      • Specify a VLANIF interface as the source interface of the CAPWAP tunnel.

        Run the capwap source interface vlanif vlan-id command to specify the source interface of the CAPWAP tunnel on the control device.

        By default, no source interface of the CAPWAP tunnel is specified on the control device.

        The VLAN ID of the source VLANIF interface is the management VLAN ID.

      • Specify a loopback interface as the source interface of the CAPWAP tunnel.
        1. Run the interface loopback loopback-number command to create a loopback interface and enter the loopback interface view.

        2. Run the ip address ip-address { mask | mask-length } command to configure an IP address for the loopback interface.

        3. Run the quit command to return to the system view.

        4. Run the capwap source interface loopback loopback-number command to specify the source interface of the CAPWAP tunnel on the control device.

          By default, no source interface of the CAPWAP tunnel is specified on the control device.

      NOTE:

      When the loopback interface functions as the source interface of the CAPWAP tunnel, you must specify the route from the VLANIF interface mapping the management VLAN to the loopback interface.

      If the control device functions as the DHCP server to assign IP addresses to access devices, you also need to configure the DHCP server function on the VLANIF interface mapping the management VLAN. For details, see DHCP Configuration in the appropriate Configuration Guide - IP Service based on the control device model.

  2. Configure an interface as the control point.

    The control point can be configured on a Layer 2 physical interface or a VLANIF interface. When a VLANIF interface is configured as the NAC authentication interface, both the VLANIF interface and its mapped physical interface must be configured as control points, and NAC authentication cannot be configured on the physical interface.

    1. Run the interface interface-type interface-number command to enter the interface view.
    2. Run the authentication control-point [ open ] command to configure the interface as the control point.

      By default, no interface is configured as the control point.

      If the open parameter is specified, the control point forwards user traffic directly. If it is not specified, the control point controls the forwarding rights of user traffic through NAC authentication.

      NOTE:

      The open parameter cannot be configured for a VLANIF interface.

      When one of the following interfaces functions as the control point, it can only forward user traffic directly; that is, only the authentication control-point open command can be configured on it:
      • An interface on the cards except X series cards
      • An Eth-Trunk interface containing interfaces on the cards except X series
      • An interface on the S6720EI or S6720S-EI
      • An Eth-Trunk interface containing interfaces on the S6720EI or S6720S-EI
    3. Run the quit command to return to the system view.

  3. Configure access authentication for access devices.

    By default, access devices can access a control device only after passing authentication. The control device authenticates access devices using a blacklist and a whitelist: access devices in the blacklist cannot access the control device, and access devices in the whitelist can. Access devices in neither list are not authenticated; you need to manually specify the allowed access devices. You can also disable authentication for access devices, in which case an access device can connect to the control device regardless of whether it is in the blacklist or whitelist.

    The configuration of this function is similar to the AS access authentication on the parent device in the SVF. For details, see "Configuring AS Access Authentication" in SVF Configuration of the appropriate Configuration Guide - Device Management based on the control device model.

  4. Configure user authorization information to be delivered to access devices and control devices.

    1. Run aaa

      The AAA view is displayed.

    2. Run service-scheme service-scheme-name

      A service scheme is created and the service scheme view is displayed.

    3. Run remote-authorize { acl | car | ucl-group } *

      The user authorization information to be delivered to access devices is specified.

      By default, no user authorization information is delivered to access devices.

      NOTE:

      When you authorize the ACL or UCL group, configure the corresponding ACL or UCL group on access devices to ensure that the authorization information takes effect on the access devices.

    4. Run local-authorize { none | { acl | car | priority | ucl-group | vlan } * }

      The user authorization information to be delivered to control devices is specified.

      By default, all user authorization information can be delivered to control devices.

      NOTE:

      When you authorize the ACL or UCL group, configure the corresponding ACL or UCL group on control devices to ensure that the authorization information takes effect on the control devices.

    5. Run quit

      Return to the AAA view.

    6. Run quit

      Return to the system view.

  5. Configure extended functions and optional parameters.

    1. Run interface interface-type interface-number

      The interface view is displayed.

    2. Perform the following configurations based on network requirements:
      • Run user-sync { interval interval-value | retry retry-value } *

        The device is configured to periodically synchronize online user information to the access device, and the synchronization interval and number of synchronization attempts are configured.

        By default, user synchronization is enabled, the synchronization interval is 60 seconds, and the number of synchronization attempts is 10.

        NOTE:

        The user synchronization function must be enabled on both access devices and control devices for it to work properly. In addition, the user synchronization interval configured on access devices must be shorter than or equal to that configured on control devices, to prevent users from being disconnected due to synchronization errors.

      • Run control-down offline delay { delay-value | unlimited }

        The user logout delay after a CAPWAP tunnel fault is configured on the control device.

        By default, the users on a control device go offline immediately after a CAPWAP tunnel is faulty.
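The following Python audit is an added example, not part of the Huawei document: it parses a constructed control-device configuration built from the commands in this procedure and flags the constraints the steps state (a CAPWAP source interface must be specified, the open parameter cannot be set on a VLANIF control point, and the access-device user-sync interval must not exceed the control device's). The VLAN IDs, IP address and interface names are assumptions.

```python
import re
# Constructed control-device configuration following the procedure above (assumed
# VLAN, address and interface names), with one deliberately wrong VLANIF control point.
CONTROL_CONFIG = """\
vlan batch 100
interface vlanif 100
 ip address 10.1.100.1 255.255.255.0
quit
capwap source interface vlanif 100
interface gigabitethernet 0/0/1
 authentication control-point
 user-sync interval 60 retry 10
quit
interface vlanif 200
 authentication control-point open
quit
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Group the commands entered under each interface view by interface name."""
    views: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"interface\s+(.+)", line)
        if m:
            current = m.group(1).strip()
            views.setdefault(current, [])
        elif line.strip() == "quit":
            current = None  # quit returns to the system view
        elif current is not None and line.startswith(" "):
            views[current].append(line.strip())
    return views

def audit(control_config: str, access_sync_interval: int = 60) -> list[str]:
    """Return one finding per violated constraint from the procedure."""
    findings = []
    if not re.search(r"^capwap source interface ", control_config, re.M):
        findings.append("no CAPWAP tunnel source interface specified (default: none)")
    for name, cmds in parse_interfaces(control_config).items():
        for cmd in cmds:
            # The open parameter cannot be configured on a VLANIF control point.
            if (cmd.startswith("authentication control-point") and cmd.endswith(" open")
                    and name.lower().startswith("vlanif")):
                findings.append(f"{name}: 'open' is not allowed on a VLANIF control point")
            # Access-device sync interval must not exceed the control-device interval.
            m = re.match(r"user-sync\b.*\binterval (\d+)", cmd)
            if m and access_sync_interval > int(m.group(1)):
                findings.append(f"{name}: access-device sync interval {access_sync_interval}s exceeds control-device interval {m.group(1)}s")
    return findings
```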

Updated: 2019-08-21

Document ID: EDOC1000141885