S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
NAC Fundamentals

Figure 4-2 shows the basic NAC process.

Figure 4-2  Basic NAC process
  1. When a NAC terminal connects to the network, the access device works with a security policy server (for example, an AAA server) to authenticate the user.
  2. If the user is authenticated, the security policy server delivers authorization information to the access device. If authentication fails, the access device isolates the user.
  3. Based on the authorization information from the security policy server, the access device controls the terminal user's network access rights and establishes a communication channel between the terminal and the security policy server.
  4. The NAC terminal exchanges information directly with the security policy server and reports its status, including the antivirus database version, operating system, and patch versions.
  5. The security policy server checks the terminal status. If the NAC terminal does not comply with the enterprise security standards, the server delivers new authorization information to the access device.
  6. The access device modifies the terminal user's network access rights according to the new authorization information.
  7. Based on the status check result, the NAC terminal connects to the software server to download client software, repair the system, or install patches and antivirus database updates until it complies with the enterprise security standards.
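The seven steps can be followed in a small model of the three parties. The following Python code is an added example, not code from the Huawei guide or from the device software; the baseline values, the three authorization results (denied, isolation, full) and the strict option are hypothetical. It makes one caveat of the figure visible: if the authorization in step 2 grants normal rights, a non-compliant terminal holds them until the re-authorization in step 6, whereas a strict deployment grants only isolation rights until the status check passes.

```python
from dataclasses import dataclass, field

# Constructed enterprise security baseline (hypothetical values, not from the guide):
# minimum antivirus database version and minimum OS patch level.
BASELINE = {"av_db": 20191001, "os_patch": 4}

# Hypothetical authorization results the policy server can deliver.
DENIED = "denied"        # authentication failed: the access device isolates the user
ISOLATION = "isolation"  # quarantine rights: reach only the policy server and software server
FULL = "full"            # normal network access rights


@dataclass
class Terminal:
    user: str
    password: str
    av_db: int
    os_patch: int

    def status(self) -> dict:
        # Step 4: status information the terminal reports to the policy server.
        return {"av_db": self.av_db, "os_patch": self.os_patch}

    def remediate(self) -> None:
        # Step 7: fetch updates from the software server until the baseline is met.
        self.av_db = max(self.av_db, BASELINE["av_db"])
        self.os_patch = max(self.os_patch, BASELINE["os_patch"])


@dataclass
class PolicyServer:
    credentials: dict  # user -> password; constructed test data standing in for AAA

    def authenticate(self, user: str, password: str) -> bool:
        # Steps 1-2: the credential check behind the access device's request
        # (a toy comparison; a real server speaks RADIUS and never stores plaintext).
        return self.credentials.get(user) == password

    def check_status(self, status: dict) -> str:
        # Step 5: every reported item must meet the enterprise baseline.
        compliant = all(status[item] >= minimum for item, minimum in BASELINE.items())
        return FULL if compliant else ISOLATION


@dataclass
class AccessDevice:
    server: PolicyServer
    rights: dict = field(default_factory=dict)  # user -> rights currently enforced

    def onboard(self, terminal: Terminal, strict: bool = True) -> list:
        """Run the NAC process for one terminal and return each rights value
        enforced in turn, so the window before step 6 is visible."""
        history = []
        if not self.server.authenticate(terminal.user, terminal.password):
            self.rights[terminal.user] = DENIED            # step 2, failure branch
            return [DENIED]
        # Steps 2-3: initial authorization. Strict mode grants only isolation rights
        # until the status check passes; non-strict mode grants normal rights at once.
        self.rights[terminal.user] = ISOLATION if strict else FULL
        history.append(self.rights[terminal.user])
        # Steps 4-6: status check and re-authorization.
        result = self.server.check_status(terminal.status())
        self.rights[terminal.user] = result
        history.append(result)
        if result == ISOLATION:
            terminal.remediate()                           # step 7, over the isolation rights
            result = self.server.check_status(terminal.status())
            self.rights[terminal.user] = result
            history.append(result)
        return history
```

With strict=False, a terminal whose antivirus database is behind the baseline passes through full, isolation, full: it had normal access for the duration of steps 3 to 6. With the default strict=True the same terminal never holds more than isolation rights before it is compliant.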

User Access Modes

On an NAC network, user access modes are classified into the following types based on the actual network access scenarios:
  • single-terminal: The device interface allows only one data terminal to connect to the network.
  • single-voice-with-data: One voice terminal (for example, an IP phone) and one data terminal connected behind it access the network on the device interface; the device authenticates the voice terminal and the data terminal independently.
  • multi-share: Multiple data terminals connect to the network on the device interface. The device authenticates only the first user who goes online; subsequent users share that user's network access rights without being authenticated. When the first user goes offline, the other users lose their network access rights. This mode therefore trusts every terminal on the interface on the strength of a single authentication.
  • multi-authen: Multiple data terminals connect to the network on the device interface, and the device authenticates each access user independently. When one user goes offline, the network access rights of the other users are not affected.
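The difference between the four modes is easiest to see in what happens when a second terminal appears on the interface and when the first one leaves. The following Python model is an added example, not code from the Huawei guide or from the device software: the AccessPort class, the result strings and the authenticate hook are hypothetical, and the handling of a voice terminal in modes other than single-voice-with-data is an assumption stated in the comments.

```python
# The four access modes, named as in the guide.
SINGLE = "single-terminal"
VOICE_DATA = "single-voice-with-data"
MULTI_SHARE = "multi-share"
MULTI_AUTHEN = "multi-authen"


class AccessPort:
    """One device interface with its access mode and the terminals online behind it."""

    def __init__(self, mode, authenticate):
        self.mode = mode
        # Hypothetical AAA hook: returns True if the terminal's MAC/user is accepted.
        self.authenticate = authenticate
        self.data = {}     # data terminal MAC -> "authenticated" or "shared"
        self.voice = None  # MAC of the voice terminal (single-voice-with-data only)

    def connect(self, mac, voice=False):
        """Admit a terminal; return "authenticated", "shared", "denied" or "rejected"."""
        if voice:
            # Assumption: only single-voice-with-data distinguishes a voice terminal;
            # the other modes reject it as an extra terminal on the interface.
            if self.mode != VOICE_DATA or (self.voice is not None and self.voice != mac):
                return "rejected"
            if not self.authenticate(mac):
                return "denied"
            self.voice = mac
            return "authenticated"
        if mac in self.data:
            return self.data[mac]
        if self.mode in (SINGLE, VOICE_DATA) and self.data:
            return "rejected"  # the interface admits only one data terminal
        if self.mode == MULTI_SHARE and self.data:
            # A first user is already online: no authentication, its rights are shared.
            self.data[mac] = "shared"
            return "shared"
        if not self.authenticate(mac):
            return "denied"
        self.data[mac] = "authenticated"
        return "authenticated"

    def disconnect(self, mac):
        """Take a terminal offline; return every MAC that loses network access."""
        if mac == self.voice:
            self.voice = None
            return [mac]
        if mac not in self.data:
            return []
        if self.mode == MULTI_SHARE and self.data[mac] == "authenticated":
            # The authenticated first user leaves: all users sharing its rights lose access.
            lost = list(self.data)
            self.data.clear()
            return lost
        del self.data[mac]
        return [mac]
```

In multi-share mode a MAC that the AAA hook would reject still gets online as "shared" while the first user is present, and is denied only once that user has gone offline and it has to authenticate for itself; in multi-authen mode the same MAC is denied immediately and the first user's departure affects nobody else.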

Comparison Between Three Authentication Modes

NAC provides three authentication modes: 802.1X authentication, MAC address authentication, and Portal authentication. Table 4-1 compares the three authentication modes.

Table 4-1  Authentication mode comparisons

Item             | 802.1X Authentication                                                  | MAC Address Authentication                                         | Portal Authentication
Client software  | Required (802.1X client on the terminal)                               | Not required                                                       | Not required
Advantage        | High security                                                          | No client required                                                 | Flexible deployment
Disadvantage     | Inflexible deployment                                                  | Complex management; MAC address registration required              | Low security
Typical scenario | New network with concentrated users and high requirements for security | Authentication of dumb terminals such as printers and fax machines | Scenario with flexible authentication modes and scattered users

On a NAC network, the device supports concurrent deployment of 802.1X authentication, MAC address authentication, and Portal authentication on the same user access port (multi-mode authentication), so that one port can serve terminals with different authentication capabilities. After multi-mode authentication is deployed, the device starts the authentication mode that matches the packets it receives from a terminal; for example, an EAPOL packet from an 802.1X client starts 802.1X authentication.

Updated: 2019-10-21

Document ID: EDOC1000178117