S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
(Optional) Configuring the Handshake Function to Enable the Device to Clear User Entries Immediately


Context

The device creates entries for pre-connection users, users who fail to be authenticated and are assigned network access rights, and users who are authenticated. After users go offline in normal situations, the system immediately deletes the corresponding user entries. However, if some users go offline due to exceptions such as network disconnections, the system cannot immediately delete the corresponding user entries. If there are too many such invalid user entries, other users may fail to access the network.

To solve this problem, configure the handshake function to enable the device to clear user entries immediately. Then, if a user does not respond to the handshake request from the device within the handshake interval, the device deletes the user entry.

NOTE:

The handshake interval for MAC address authentication users, Layer 3 Portal authentication users, and 802.1X authentication users is configured using the authentication timer handshake-period command. The handshake interval for Layer 2 Portal authentication users is configured using the portal timer offline-detect command.

For Layer 3 Portal authentication users, only those who go online through X series cards support this function.

This function takes effect only for wired users who obtain IP addresses.

The handshake function can also be implemented by detecting whether there is user traffic on the access device. Assuming that the handshake interval is 3n, the device will detect user traffic at n and 2n. The following uses the 0-n period as an example. The process during the n-2n period is similar to that during 0-n.
  • If user traffic passes the device during the 0-n period, the device considers that the user is online at n, so it will not send a probe packet to the user, but resets the handshake interval.
  • If no user traffic passes the device during the 0-n period, the device cannot determine whether the user is online at n, so it sends a probe packet to the user. If the device receives the reply packet from the user, it considers the user online and resets the handshake interval. If no reply packet is received, it considers the user offline.
  • If user traffic passes the device during the 2n-3n period, the device considers that the user is online at 3n and resets the handshake interval.
  • If no user traffic passes the device during the 2n-3n period, the device cannot determine whether the user is online at 3n and considers that the user is offline.
If the device considers that the user is offline at n, 2n, and 3n, the device deletes all entries related to the user. To prevent the user from going offline unexpectedly when no operation is performed on the PC, do not set a short handshake period.
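
The traffic-detection handshake described above, modelled as an added Python example (not Huawei code) that computes when a user entry would be deleted. It assumes that "resets the handshake interval" restarts the 3n timer at that checkpoint and that a reachable user always answers a probe; `deletion_time`, `reachable_until` and `horizon` are names introduced here, and the scenarios are constructed.

```python
import math


def deletion_time(handshake_period, traffic_times, reachable_until, horizon=3600):
    """Return the time (s) at which the user entry is deleted, or None if the
    user is still considered online when the simulation reaches `horizon`.

    handshake_period : the full 3n interval, in seconds
    traffic_times    : timestamps (s) at which user traffic passed the device
    reachable_until  : last time (s) at which the user could answer a probe
    """
    n = handshake_period / 3
    start = 0.0  # start of the current 3n interval
    while start < horizon:
        for k in (1, 2, 3):
            lo, checkpoint = start + (k - 1) * n, start + k * n
            saw_traffic = any(lo < t <= checkpoint for t in traffic_times)
            # A probe is sent only at n and 2n, and only if no traffic was seen.
            probe_answered = (k < 3 and not saw_traffic
                              and checkpoint <= reachable_until)
            if saw_traffic or probe_answered:
                start = checkpoint  # user is online: reset the interval
                break
        else:
            # Offline at n, 2n and 3n: all entries for the user are deleted.
            return start + handshake_period
    return None


if __name__ == "__main__":
    # Constructed scenarios: (label, period, traffic timestamps, reachable_until)
    scenarios = [
        ("default 300 s, cable pulled at t=50", 300, [40], 50),
        ("30 s period, cable pulled at t=50", 30, [40], 50),
        ("default 300 s, never reachable", 300, [], 0),
        ("default 300 s, idle but answers probes", 300, [], math.inf),
    ]
    for label, period, traffic, reachable in scenarios:
        print(f"{label}: entry deleted at {deletion_time(period, traffic, reachable)}")
```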

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  3. Run authentication handshake

    The handshake with pre-connection users and authorized users is enabled.

    By default, the handshake with pre-connection users and authorized users is enabled.

  4. (Optional) Run authentication timer handshake-period handshake-period

    The handshake interval of the device with pre-connection users and authorized users is set.

    By default, the handshake interval of the device with pre-connection users and authorized users is 300 seconds.

Updated: 2019-10-21

Document ID: EDOC1000178117

Views: 117579

Downloads: 55
