No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Licensing Requirements and Limitations for NAC Common Mode

Licensing Requirements and Limitations for NAC Common Mode

Involved Network Elements

Table 5-1  Components involved in NAC networking

Role

Product Model

Description

AAA server

Huawei servers or third-party AAA servers

Performs authentication, accounting, and authorization on users.

Portal server

Huawei servers or third-party Portal servers

Receives authentication requests from Portal clients, provides free portal services and an interface based on web authentication, and exchanges authentication information of the authentication clients with access devices.

This component is required only in Portal authentication mode.

NOTE:

When Huawei's Agile Controller-Campus functions as the server, the version required is V100R001, V100R002, V100R003.

If a Huawei switch needs to function as a DHCP server and assign IP addresses to terminals based on the static MAC-IP binding relationship delivered by the Agile Controller-Campus, the switch must run V200R009C00 or a later version, and the Agile Controller-Campus must run V100R002 or V100R003 version.

Licensing Requirements

NAC common mode is a basic feature of a switch and is not under license control.

Version Requirements

Table 5-2  Products and versions supporting NAC common mode

Product

Product Model

Software Version

S12700

S12708, S12712

V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00, V200R010C00, V200R011C10

S12710

V200R010C00, V200R011C10

S12704

V200R008C00, V200R009C00, V200R010C00, V200R011C10

NOTE:
To know details about software mappings, see Hardware Query Tool.

Feature Limitations

NAC mode-related:
  • Compared with the common mode, the unified mode uses the modular configuration, making the configuration clearer and configuration model easier to understand. Considering advantages of the unified mode, you are advised to deploy NAC in unified mode.
  • For versions before V200R007C00, after the common mode and unified mode are switched, you must save the configuration file and restart the device manually to make the new configuration mode take effect. For V200R007C00 and later versions, after the common mode and unified mode are switched, the device will automatically save the configuration file and restart.
  • In V200R008C00, some NAC commands do not differentiate the common and unified modes. Their formats and views remain unchanged after being switched from one mode to the other. After devices are switched from the common mode in V200R008C00 or later versions to the unified mode in V200R009C00 or later versions, these NAC commands can be switched to the unified mode.
  • In the unified mode, only the commands of the common mode are unavailable; in the common mode, only the commands of the unified mode are unavailable. In addition, after the configuration mode is switched, the commands supported by both the common mode and unified mode still take effect.
  • The NAC common mode does not apply to wireless users. To use NAC to control wireless user access, switch the NAC mode to unified mode.
Authentication:
  • In the 802.1x authentication scenario, if there is a Layer 2 switch between the 802.1x-enabled device and users, the 802.1x authentication packet transparent transmission function must be enabled on the Layer 2 switch. Otherwise, the users cannot pass authentication.
  • In the Portal authentication scenario, users may use spoofed IP addresses for authentication, which brings security risks. It is recommended that you configure attack defense functions such as IPSG and DHCP snooping to avoid the security risks.
  • NAC authentication and authentication-related parameters cannot be enabled both on a Layer 2 Ethernet interface and the VLANIF interface of the VLAN to which the Layer 2 Ethernet interface belongs.
  • NAC authentication (except HTTP-based or HTTPS-based Portal authentication) can be implemented for users in a VPN, but not for users with the same IP addresses in different VPNs.
  • If the DAA function is configured for the users in a domain, the NAC users in the domain cannot go online from the boards that do not support the DAA function.

  • When NAC is configured on the main interface, service functions on its sub-interface are affected.

  • Terminals using MAC address authentication do not support switching between IPv4 and IPv6. To ensure that a terminal can normally obtain an IP address after passing the authentication, you are advised to enable either IPv4 or IPv6 on the terminal.
  • After the encapsulation mode of packets allowed to pass a Layer 2 sub-interface is set to default using the encapsulation (Layer 2 sub-interface view) command, NAC cannot be configured on the main interface of the Layer 2 sub-interface.
  • When an authentication point is deployed on the X series cards, only the X1E, X2E, X2H, and X5H cards support ACL authorization for IPv6 users, and other X series cards do not support ACL authorization for IPv6 users.
Authorization:
  • An authorized VLAN cannot be delivered to online Portal users. For MAC address-prioritized Portal authentication, the Agile Controller-Campus V1 delivers the session timeout attribute after Portal authentication succeeds so that users go offline immediately, and then delivers an authorized VLAN to users after the users pass MAC address authentication.
  • If a terminal obtains an IP address using DHCP, you need to manually trigger the DHCP process to request an IP address after VLAN-based authorization is successful or the authorization VLAN changes through CoA packets.
  • In versions earlier than V200R011C10, the DSCP value of upstream packets or downstream packets cannot be authorized to users. In V200R011C10 and later versions, the DSCP value of upstream packets or downstream packets can be authorized to users. In addition, the authorized ACL, the rate limit value of upstream packets, the rate limit value of downstream packets, the DSCP value of upstream packets, and the DSCP value of downstream packets can take effect simultaneously.
In the Layer 2 BNG scenario:
  • The RADIUS server authorizes Huawei extended RADIUS attribute HW-Forwarding-VLAN to the MAC address authentication users who go online through the X series cards. Then the switch replaces the two VLAN tags carried in users' unicast or broadcast packets with an ISP VLAN tag (it cannot be the same as the outer VLAN tag), and forwards these packets from the interfaces on the X series cards.
  • Do not create VLANIF interfaces for the two VLAN tags carried in original packets. Otherwise, packet forwarding may be abnormal.
  • The switch that has MAC address authentication enabled cannot have DHCP snooping and ND snooping configured and does not support MAC address flapping.
  • When working as a DHCPv6 client, the switch can only obtain an IPv6 address using DHCPv6. When working as a DHCPv6 server, the switch can only allocate IPv6 addresses using DHCPv6 to ensure that IPv6 addresses can be managed. You need to set the M bit in RA packets sent by the device to 1, indicating stateful address allocation, that is, clients obtain IPv6 addresses through stateful protocols (for example, DHCPv6).
  • Before configuring other attributes except authorization VLANs for access users, run the authorization-modify mode modify command on the device to set the update mode of user authorization information delivered by the authorization server to modify. Otherwise, access users will go offline.
Other:
  • Configuring user access through an Eth-Trunk improves the reliability. The CSS function of switches is used to implement hot standby and load balancing. Two switches of the same model set up a CSS and have the same number of cards of the same model installed to work in active/standby mode and implement load balancing using an Eth-Trunk.

    Generally, member interfaces of an Eth-Trunk are on cards of the same type. Member interfaces of an Eth-Trunk may be on cards of the following types:

    • Type 1: X series cards
    • Type 2: all the other cards

    When the number of wired users who go online through an Eth-Trunk that includes member interfaces on both types of cards reaches the maximum allowed on the type 2 card, other users cannot go online through this Eth-Trunk. When the type 2 card is restarting, users can go online based on the maximum number of access users allowed on the type 1 card. After the type 2 card restarts, the device logs the number of access users that exceeds the maximum number of access users allowed on the type 2 card, and services of these users will be affected. If a type 1 card is removed, users that exceed the specification of a type 2 card will not go offline. If the user detection function is configured, these excess users will go offline due to detection failures.

  • The number of NAC users cannot exceed the maximum number of MAC address entries supported by the card or switch.
  • During LNP negotiation, NAC users cannot go online before the interface link type becomes stable. If the interface link type is negotiated again and the negotiation result changes, the online NAC users are forced to go offline.

  • When the remark (user group view) and voice-vlan remark commands are used together to modify the user packet priority, if the services conflict:

    • For X series cards, the priority configured using the remark (user group view) command takes effect.
    • For the non-X series cards, the priority configured using the voice-vlan remark command takes effect.
Translation
Download
Updated: 2019-10-21

Document ID: EDOC1000178117

Views: 130643

Downloads: 62

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next