S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Licensing Requirements and Limitations for NAC Unified Mode

Involved Network Elements

Table 4-2  Components involved in NAC networking

| Role | Product Model | Description |
|---|---|---|
| AAA server | Huawei servers or third-party AAA servers | Performs authentication, accounting, and authorization on users. |
| Portal server | Huawei servers or third-party Portal servers | Receives authentication requests from Portal clients, provides free portal services and an interface based on web authentication, and exchanges authentication information of the authentication clients with access devices. This component is required only in Portal authentication mode. |

NOTE:

When Huawei's Agile Controller-Campus functions as the server, the required version is V100R001, V100R002, or V100R003.

If a Huawei switch needs to function as a DHCP server and assign IP addresses to terminals based on the static MAC-IP binding relationship delivered by the Agile Controller-Campus, the switch must run V200R009C00 or a later version, and the Agile Controller-Campus must run V100R002 or V100R003.

Licensing Requirements

NAC unified mode is a basic feature of a switch and is not under license control.

Version Requirements

Table 4-3  Products and versions supporting NAC unified mode

| Product | Product Model | Software Version |
|---|---|---|
| S12700 | S12708, S12712 | V200R005C00, V200R006C00, V200R007C00, V200R007C20, V200R008C00, V200R009C00, V200R010C00, V200R011C10 |
| S12700 | S12710 | V200R010C00, V200R011C10 |
| S12700 | S12704 | V200R008C00, V200R009C00, V200R010C00, V200R011C10 |

NOTE:
For details about software mappings, see the Hardware Query Tool.

Feature Limitations

NAC mode-related:
  • Compared with the common mode, the unified mode uses modular configuration, which makes the configuration clearer and the configuration model easier to understand. Given these advantages, you are advised to deploy NAC in unified mode.
  • In versions earlier than V200R007C00, after switching between the common mode and the unified mode, you must save the configuration file and restart the device manually for the new configuration mode to take effect. In V200R007C00 and later versions, the device automatically saves the configuration file and restarts after the mode is switched.
  • In V200R008C00, some NAC commands do not differentiate between the common and unified modes: their formats and views remain unchanged when the device is switched from one mode to the other. After a device is switched from the common mode in V200R008C00 or a later version to the unified mode in V200R009C00 or a later version, these NAC commands can be switched to the unified mode.
  • In the unified mode, only the commands of the common mode are unavailable; in the common mode, only the commands of the unified mode are unavailable. In addition, after the configuration mode is switched, the commands supported by both the common mode and unified mode still take effect.
  • The NAC common mode does not apply to wireless users. To use NAC to control wireless user access, switch the NAC mode to unified mode.
Authentication-related:
  • In the 802.1x authentication scenario, if there is a Layer 2 switch between the 802.1x-enabled device and users, the 802.1x authentication packet transparent transmission function must be enabled on the Layer 2 switch. Otherwise, the users cannot pass authentication.
  • In the Portal authentication scenario, users may use spoofed IP addresses for authentication, which brings security risks. It is recommended that you configure attack defense functions such as IPSG and DHCP snooping to avoid the security risks.
  • In versions earlier than V200R012C00, wired MAC address-prioritized portal authentication was not supported.
  • In versions earlier than V200R012C00, Layer 2 portal authentication was not supported on non-gateway devices.
  • NAC authentication (except HTTP-based or HTTPS-based Portal authentication) can be implemented for users in a VPN, but not for users with the same IP addresses in different VPNs.
  • NAC authentication cannot be enabled both on a Layer 2 Ethernet interface and the VLANIF interface of the VLAN to which the Layer 2 Ethernet interface belongs. In versions earlier than V200R009C00 (that is, before NAC unified mode modular configuration is supported), it is recommended that you do not configure authentication-related parameters on a Layer 2 Ethernet interface and the VLANIF interface of the VLAN to which the Layer 2 Ethernet interface belongs, respectively.
  • If the DAA function is configured for the users in a domain, the NAC users in the domain cannot go online from the boards that do not support the DAA function.

  • When NAC is configured on the main interface, service functions on its sub-interface are affected.

  • In versions earlier than V200R007, the switch can directly process protocol packets sent to it before a user is successfully authenticated, and no authentication-free rule is required. In V200R007 and later versions, an authentication-free rule must be configured only when DNS protocol packets are sent to the X series cards for processing.

  • When a switch has non-Huawei ACs and APs connected (APs and wireless users are associated with the AC) and wired Portal authentication is performed for wireless users, it is recommended that STAs go online on X series cards, and the URL configured using the url-parameter command in template view cannot carry the AC's CAPWAP gateway address (ac-mac ac-mac-value), AC's MAC address (ac-ip ac-ip-value), AP's IP address (ap-ip ap-ip-value), AP's MAC address (ap-mac ap-mac-value), or SSID associated by STAs (ssid ssid-value).
  • In versions earlier than V200R010C00, the switch does not support the wired HTTPS redirection function. That is, when a wired Portal authentication user accesses a website using HTTPS, redirection cannot be triggered and Portal authentication cannot be performed. In V200R010C00 and later versions, the switch supports the wired HTTPS redirection function.
  • Terminals using MAC address authentication do not support switching between IPv4 and IPv6. To ensure that a terminal can normally obtain an IP address after passing the authentication, you are advised to enable either IPv4 or IPv6 on the terminal.
  • If a terminal has both IPv4 and IPv6 addresses, only the IPv4 address can be used for user detection and update of the user entry corresponding to the IPv6 address. The IPv6 address cannot be used for update of the user entry corresponding to the IPv4 address.
  • For IPv6 users and users who have both IPv4 and IPv6 addresses, the switch can only perform MAC address authentication or hybrid authentication containing MAC address authentication for these users. For these users:
    • If Layer 3 Portal authentication or the ip-static-user enable command is configured, the X series cards directly discard IPv6 packets from these users. In other cases, the switch allows IPv6 packets from these users to pass through after they successfully pass authentication using their IPv4 or IPv6 addresses.
    • Cards excluding the X series cards allow IPv6 packets from these users to pass through regardless of whether they pass authentication or not.
  • For a terminal with one MAC address and multiple IP addresses, you must configure the terminal as a static user and enable the function of identifying static users through IP addresses so that the terminal can go online and obtain authorization information.
  • After the encapsulation mode of packets allowed to pass a Layer 2 sub-interface is set to default using the encapsulation (Layer 2 sub-interface view) command, NAC cannot be configured on the main interface of the Layer 2 sub-interface.
  • If authentication triggered by any packet is not configured, the ARP packets with the source IP address being 0.0.0.0 cannot trigger MAC address authentication.
  • When an authentication point is deployed on the X series cards, only the X1E, X2E, X2H, and X5H cards support ACL authorization for IPv6 users, and other X series cards do not support ACL authorization for IPv6 users.
Authorization-related:
  • The authorization priority of the authentication server is higher than that in the authentication domain. If the attribute authorized by the authentication server and that authorized by the authentication domain conflict, the attribute authorized by the authentication server takes effect. If the attribute authorized by the authentication server and that authorized by the authentication domain do not conflict, both attributes take effect.

    For example, if user VLAN 20 is configured in service scheme A on the switch, service scheme A is bound to a user authentication domain, and the authentication server authorizes VLAN 10 to authenticated users, the authenticated users are added to VLAN 10 (the VLAN attributes conflict, so the server's value wins).

    As another example, if traffic policing is configured in service scheme B on the switch, service scheme B is bound to a user authentication domain, and the authentication server authorizes VLAN 10 to authenticated users, the authenticated users are added to VLAN 10 and traffic policing also takes effect for them (the attributes do not conflict, so both apply).

  • An authorized VLAN cannot be delivered to online Portal users. For MAC address-prioritized Portal authentication, the Agile Controller-Campus V1 delivers the session timeout attribute after Portal authentication succeeds so that users go offline immediately, and then delivers an authorized VLAN to users after the users pass MAC address authentication.
  • If a terminal obtains an IP address using DHCP, you need to manually trigger the DHCP process to request an IP address after VLAN-based authorization is successful or the authorization VLAN changes through CoA packets.
  • In versions earlier than V200R011C10, if the direct forwarding mode is used, the device does not support UCL group-based authorization for wireless users.

  • In versions earlier than V200R011C10, the DSCP value of upstream packets or downstream packets cannot be authorized to users. In V200R011C10 and later versions, the DSCP value of upstream packets or downstream packets can be authorized to users. In addition, the authorized ACL, the rate limit value of upstream packets, the rate limit value of downstream packets, the DSCP value of upstream packets, and the DSCP value of downstream packets can take effect simultaneously.
  • Access interfaces do not support dynamic authorization, and deleting a VLAN will delete online users in this VLAN. Hybrid interfaces support dynamic authorization, and deleting a VLAN will not delete online users in this VLAN.
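The precedence and version rules in the bullets above, as an added example that is not Huawei's code: a small Python model that resolves a user's effective authorization from the domain's service scheme and the server's reply. The attribute names, the access-type labels, and the choice to model "cannot be delivered" as dropping the VLAN attribute for online Portal users are assumptions for illustration.

```python
# Added example (not Huawei's code): models how the switch resolves a user's
# effective authorization according to the limitations listed above.
from typing import Dict, List, Tuple

# Constructed subset of authorizable attribute names.
DSCP_ATTRS = {"dscp_inbound", "dscp_outbound"}


def version_at_least(running: str, minimum: str) -> bool:
    """Compare Huawei-style version strings such as V200R011C10 by (V, R, C) numbers."""
    def key(v: str) -> Tuple[int, ...]:
        parts = v.upper().replace("V", " ").replace("R", " ").replace("C", " ").split()
        return tuple(int(p) for p in parts)
    return key(running) >= key(minimum)


def resolve_authorization(domain_scheme: Dict[str, object],
                          server_attrs: Dict[str, object],
                          access_type: str,
                          sw_version: str) -> Tuple[Dict[str, object], List[str]]:
    """Return (effective attributes, warnings).

    1. Server attributes override conflicting domain attributes; attributes that
       only one side sets are kept, so non-conflicting attributes take effect together.
    2. In versions earlier than V200R011C10, DSCP values cannot be authorized.
    3. An authorized VLAN cannot be delivered to an online Portal user (modelled
       here as dropping the attribute; assumption for illustration).
    """
    warnings: List[str] = []
    effective = dict(domain_scheme)   # start from the service scheme bound to the domain
    effective.update(server_attrs)    # rule 1: the server wins on every conflict
    if not version_at_least(sw_version, "V200R011C10"):
        for name in list(effective):
            if name in DSCP_ATTRS:     # rule 2
                effective.pop(name)
                warnings.append(f"{name} ignored: DSCP authorization needs V200R011C10")
    if access_type == "portal" and "vlan" in effective:  # rule 3
        effective.pop("vlan")
        warnings.append("vlan ignored: authorized VLAN cannot be delivered to online Portal users")
    return effective, warnings


if __name__ == "__main__":
    # Example 1 from the text: scheme A sets VLAN 20, the server authorizes VLAN 10.
    print(resolve_authorization({"vlan": 20}, {"vlan": 10}, "dot1x", "V200R011C10"))
    # Example 2: scheme B configures traffic policing, the server authorizes VLAN 10.
    print(resolve_authorization({"car_inbound_kbps": 2000}, {"vlan": 10}, "mac", "V200R010C00"))
```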
Layer 2 BNG scenario:
  • The RADIUS server authorizes Huawei extended RADIUS attribute HW-Forwarding-VLAN to the MAC address authentication users who go online through the X series cards. Then the switch replaces the two VLAN tags carried in users' unicast or broadcast packets with an ISP VLAN tag (it cannot be the same as the outer VLAN tag), and forwards these packets from the interfaces on the X series cards.
  • Do not create VLANIF interfaces for the two VLAN tags carried in original packets. Otherwise, packet forwarding may be abnormal.
  • The switch that has MAC address authentication enabled cannot have DHCP snooping and ND snooping configured, does not support MAC address flapping, and needs to have the pre-connection function disabled using the undo authentication pre-authen-access enable command.
  • When working as a DHCPv6 client, the switch can only obtain an IPv6 address using DHCPv6. When working as a DHCPv6 server, the switch can only allocate IPv6 addresses using DHCPv6 to ensure that IPv6 addresses can be managed. You need to set the M bit in RA packets sent by the device to 1, indicating stateful address allocation, that is, clients obtain IPv6 addresses through stateful protocols (for example, DHCPv6).
  • Before configuring other attributes except authorization VLANs for access users, run the authorization-modify mode modify command on the device to set the update mode of user authorization information delivered by the authorization server to modify. Otherwise, access users will go offline.
  • In L2 BNG scenarios, the multi-share mode is not supported.
Other:
  • Configuring user access through an Eth-Trunk improves reliability. The CSS function of switches is used to implement hot standby and load balancing: two switches of the same model, each with the same number of cards of the same model installed, set up a CSS, work in active/standby mode, and implement load balancing using an Eth-Trunk.

    Generally, member interfaces of an Eth-Trunk are on cards of the same type. Member interfaces of an Eth-Trunk may be on cards of the following types:

    • Type 1: X series cards
    • Type 2: all the other cards

    When the number of wired users who go online through an Eth-Trunk that includes member interfaces on both types of cards reaches the maximum allowed on the type 2 card, other users cannot go online through this Eth-Trunk. When the type 2 card is restarting, users can go online based on the maximum number of access users allowed on the type 1 card. After the type 2 card restarts, the device logs the number of access users that exceeds the maximum number of access users allowed on the type 2 card, and services of these users will be affected. If a type 1 card is removed, users that exceed the specification of a type 2 card will not go offline. If the user detection function is configured, these excess users will go offline due to detection failures.

  • The number of NAC users cannot exceed the maximum number of MAC address entries supported by the card or switch.
  • In an inter-AC roaming scenario, the NAC configurations of the two ACs must be the same.
  • For wireless users, you can configure attributes for APs when the device works as an AC. In versions earlier than V200R011C10, the configurations are not delivered to APs in real time, and are delivered to APs only after you run the commit command in the WLAN view. In V200R011C10 and later versions, the switch delivers the configurations to APs every 5 seconds.

  • During LNP negotiation, NAC users cannot go online before the interface link type becomes stable. If the interface link type is negotiated again and the negotiation result changes, the online NAC users are forced to go offline.

  • If the user ACL specified in the traffic-filter inbound acl acl-number command or the user ACL delivered by the authentication server is incorrectly configured to block all user traffic, the switch can no longer be reached and network-side protocols such as OSPF and BGP are interrupted.
Updated: 2019-10-21

Document ID: EDOC1000178117