No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuration Limitations for NAC

Configuration Limitations for NAC

  • The configuration notes about authentication are as follows:
    • The EAP relay can be configured for 802.1X users only when RADIUS authentication is used.

    • If AAA local authentication is used, the authentication mode for 802.1X users can only be set to EAP termination.

    • Because mobile phones do not support EAP termination mode (PAP and CHAP), the 802.1X authentication + local authentication mode cannot be configured for mobile phones. Terminals such as laptop computers support EAP termination mode only after having third-party clients installed.

    • If the 802.1X client uses the MD5 encryption mode, the user authentication mode on the device can be set to EAP or CHAP; if the 802.1X client uses the PEAP authentication mode, the authentication mode on the device can be set to EAP.

    • In a wireless access scenario, if WPA or WPA2 authentication mode is configured in the security policy profile, 802.1X authentication does not support pre-authentication domain-based authorization.
    • If 802.1X users on an interface have gone online, changing the user authentication mode in the 802.1X access profile bound to the interface will make the online 802.1X users go offline.
    • If Portal authentication is triggered when a user visits a website using HTTPS, the browser displays a security prompt. The user needs to click Continue to complete Portal authentication.
    • Redirection cannot be performed for browsers or websites using HTTP Strict Transport Security (HSTS).
    • If the destination port in HTTPS request packets sent by users is an unknown port (443), redirection cannot be performed.
    • In Portal authentication, some browsers on phones have compatibility problems. Therefore, authentication cannot be completed for the Portal authentication users who use these browsers.
    • The combined authentication mode is inapplicable when WeChat authentication is used.
    • In the Portal authentication scenario, users may use spoofed IP addresses for authentication, which brings security risks. It is recommended that you configure attack defense functions such as IPSG and DHCP snooping to avoid the security risks.
    • A common authentication-free rule cannot be configured together with an authentication-free rule defined by IPv4 ACL, but can be configured together with an authentication-free rule defined by IPv6 ACL.
    • In a hot standby scenario, if IP addresses of built-in Portal servers are different, and the logout success page cannot be updated because an active/standby switchover occurs after users are successfully authenticated, you need to run the free-rule command on the active and standby built-in Portal servers respectively to configure their IP addresses.

    • The device supports one combined authentication mode: MAC address-prioritized Portal authentication.

  • The configuration notes about authorization are as follows:
    • If a terminal uses Portal authentication or combined authentication (including Portal authentication), the device cannot grant VLAN-based authorization to the terminal. If a terminal obtains VLAN-based authorization, you need to manually trigger the DHCP process to request an IP address.
    • Only authenticated users support remote authorization. If both local authorization and remote authorization are configured, remote authorization takes effect.
    • If authorization information is configured both in the authentication domain and authentication profile, the authorization information in the authentication profile takes effect.

    • If no network access right is configured for users who fail authentication or when the authentication server is Down, the users establish pre-connections with the device after the authentication fails and then have the network access rights mapping pre-connection users.
  • Other:
    • In a configuration synchronization scenario, assume that Portal authentication is configured on the master device and the configuration contains a command that involves an interface. If the interface is occupied on the local/backup-master device, the configuration synchronization may fail. You need to change the interface in the command on the master device to an interface that is not occupied on the local/backup-master device, and run the synchronize-configuration command on the master device to restart the local/backup-master device.
    • The terminal type awareness function takes effect only when the authentication or accounting mode in the AAA scheme is RADIUS.

    • The terminal type awareness function only provides a solution of obtaining user terminal types for access devices. This solution cannot identify terminal types or allocate network access policies to terminals. The administrator configures the terminal type identification function and network access policies for terminals of different types on the RADIUS server.

Updated: 2019-01-11

Document ID: EDOC1000176006

Views: 130270

Downloads: 312

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next