S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Terminal Type Identification

Bring Your Own Device (BYOD) has become a trend as the Internet has developed. Many enterprises now allow employees to connect to the enterprise network wirelessly with their own mobile terminals, such as phones, tablets, and laptops. This work style lets employees use up-to-date technologies, gives them more flexibility in their work, and improves their efficiency. However, employee-owned terminals can expose the enterprise network to security risks, and traditional security technology that authenticates and authorizes users by user role alone cannot secure the network in this scenario. Terminal type identification addresses this gap: it identifies the type of mobile terminal an employee uses to connect to the enterprise network so that access from that terminal can be controlled. Enterprises can use it to authenticate and authorize users based on user information, device type, access time, access location, and device operating environment.

Fundamentals

The device identifies terminal types by analyzing MAC addresses, HTTP User-Agent (UA) information, and DHCP option information:
  • A terminal's organizationally unique identifier (OUI), the first 24 bits of its MAC address, identifies the manufacturer of the terminal's network interface.

  • The User-Agent header in an HTTP request sent by a terminal identifies the terminal's operating system, operating system version, CPU type, browser, and browser version.

  • The Option 12, Option 55, and Option 60 fields in DHCP packets sent by a terminal carry the terminal's host name, its list of requested parameters, and its manufacturer (vendor class) identifier, respectively.

    • As shown in Figure 4-9, DHCP Option 12 is the Host Name Option. In this option field, 12 indicates the information type, N indicates the length of the following information, and h1 to hN indicate the information content (containing the host name of the STA).
      Figure 4-9  DHCP Option 12 format
    • As shown in Figure 4-10, DHCP Option 55 is the Parameter Request List. In this option field, 55 indicates the information type, N indicates the length of the following information, and c1 to cN indicate the information content (containing the list of parameters requested by a STA). Different STAs may request different parameters.
      Figure 4-10  DHCP Option 55 format
    • As shown in Figure 4-11, DHCP Option 60 is the Vendor Class Identifier. In this option field, 60 indicates the information type, N indicates the length of the following information, and i1 to iN indicate the information content (containing the manufacturer identifier).
      Figure 4-11  DHCP Option 60 format

The device can obtain the MAC address, DHCP option information, and UA information of a terminal during Portal authentication, MAC address authentication, and 802.1X authentication. All three signals are supplied by the terminal itself and can be forged by whoever controls it, so the identified terminal type is an input to the authorization policy, not proof of what the terminal is.
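The following is an added example, not Huawei's code or part of this guide: it extracts the three signals described above from constructed inputs, namely the OUI from a MAC address, Options 12/55/60 from a DHCP Request built in the example, and the User-Agent header from a sample HTTP GET, and then applies a toy classification rule. The OUI table, vendor names, sample packet contents and the classification rule are assumptions made for the example; the DHCP and HTTP framing follows the standard formats.

```python
"""Extract the three fingerprint signals the text describes from constructed
inputs: OUI from the MAC address, Options 12/55/60 from a DHCP Request, and
the User-Agent header from an HTTP GET. Added example, not Huawei's code."""
from __future__ import annotations

import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that precedes DHCP options

# Constructed OUI table for the example. The authoritative mapping is the IEEE
# registry; these two entries and vendor names are illustrative assumptions.
OUI_TABLE = {"00:11:22": "VendorA", "AA:BB:CC": "VendorB"}


def oui_of(mac: str) -> str:
    """Return the first 24 bits of a MAC address as AA:BB:CC."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    try:
        [int(p, 16) for p in parts]
    except ValueError:
        raise ValueError(f"malformed MAC address: {mac!r}") from None
    return ":".join(p.upper() for p in parts[:3])


def parse_dhcp_options(packet: bytes) -> dict[int, bytes]:
    """Walk the option TLVs after the 236-byte BOOTP header and magic cookie.
    Raises on a missing cookie or a length byte that runs past the packet, so a
    truncated or forged option cannot silently yield a partial value."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    options: dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                   # pad option, no length byte
            i += 1
            continue
        if code == 255:                 # end option
            return options
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options[code] = value
        i += 2 + length
    raise ValueError("missing end option")


def dhcp_signals(options: dict[int, bytes]) -> dict:
    """Options 12, 55 and 60 as the text describes them."""
    return {
        "hostname": options.get(12, b"").decode("utf-8", "replace"),
        "param_request_list": list(options.get(55, b"")),
        "vendor_class": options.get(60, b"").decode("ascii", "replace"),
    }


def extract_user_agent(http_request: bytes) -> str | None:
    """Return the User-Agent header value from an HTTP GET request, else None."""
    head = http_request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not lines[0].startswith(b"GET "):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")
    return None


def classify(mac: str, options: dict[int, bytes], user_agent: str | None) -> str:
    """Toy decision rule combining the three signals (constructed for the example;
    a real device consults a much larger fingerprint database)."""
    vendor = OUI_TABLE.get(oui_of(mac), "unknown-vendor")
    sig = dhcp_signals(options)
    ua = user_agent or ""
    if "Android" in ua:
        return f"Android ({vendor})"
    if "iPhone" in ua or "iPad" in ua:
        return f"iOS ({vendor})"
    if sig["vendor_class"].startswith("MSFT"):   # Windows DHCP clients send "MSFT 5.0"
        return f"Windows ({vendor})"
    return f"unknown ({vendor})"


def build_dhcp_request(mac: bytes, hostname: bytes, prl: list[int], vendor_class: bytes) -> bytes:
    """Constructed DHCPREQUEST: BOOTP header, magic cookie, options, end option."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                                   # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x3903F326, 0, 0x8000,                        # xid, secs, flags (broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    options = (bytes([53, 1, 3])                      # DHCP message type: Request
               + bytes([12, len(hostname)]) + hostname
               + bytes([55, len(prl)]) + bytes(prl)
               + bytes([60, len(vendor_class)]) + vendor_class
               + b"\xff")
    return header + DHCP_MAGIC + options


# Constructed sample of the HTTP GET a captive-portal redirect produces.
SAMPLE_HTTP_GET = (b"GET /portal/login HTTP/1.1\r\nHost: 10.0.0.1\r\n"
                   b"User-Agent: Mozilla/5.0 (Linux; Android 11; Pixel 4a) "
                   b"AppleWebKit/537.36 Chrome/92.0 Mobile Safari/537.36\r\n\r\n")

if __name__ == "__main__":
    pkt = build_dhcp_request(bytes.fromhex("001122334455"), b"DESKTOP-AB12",
                             [1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252], b"MSFT 5.0")
    opts = parse_dhcp_options(pkt)
    print(dhcp_signals(opts))
    print(classify("00:11:22:33:44:55", opts, None))
    print(classify("AA-BB-CC-01-02-03", opts, extract_user_agent(SAMPLE_HTTP_GET)))
```

The parser is deliberately strict about option lengths: a length byte is attacker-controlled data, and accepting a truncated value would let a crafted packet feed a partial host name or vendor class into the classifier.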

During Portal authentication, the device identifies the type of a terminal as follows:
  1. After a user accesses the network, the device obtains the user's MAC address.
  2. When the user sends a DHCP Request packet to apply for an IP address, the AP uses DHCP snooping to obtain the option information from the DHCP Request packet and sends the option information to the device.
  3. When the user sends an HTTP GET request to obtain the authentication page, the device analyzes the request and obtains the User-Agent information from it.
  4. The device identifies the terminal type by analyzing the user's MAC address, UA information, and DHCP option information.
  5. The device encapsulates the terminal type in the RADIUS authentication request (Access-Request) packet and sends it to the RADIUS server. The RADIUS server authenticates the user based on the user account and terminal type, and delivers the corresponding access rights to the user.
During MAC address authentication and 802.1X authentication, the device identifies the type of a terminal as follows:
  1. After a user accesses the network, the device obtains the user's MAC address.
  2. The device identifies the terminal type from the OUI in the MAC address. If the OUI is a recognized one, the device encapsulates the terminal type in the RADIUS authentication request packet and sends it to the RADIUS server.
  3. When the user sends a DHCP Request packet to apply for an IP address, the AP uses DHCP snooping to obtain the option information from the DHCP Request packet and sends the option information to the device.
  4. The device identifies the terminal type from the MAC address and DHCP option information, encapsulates the terminal type in a RADIUS accounting packet, and sends the accounting packet to the RADIUS server.
  5. When the user sends an HTTP GET request to obtain the authentication page during redirection, the device analyzes the request and obtains the User-Agent information from it.
  6. The device identifies the terminal type from the MAC address, UA information, and DHCP option information, encapsulates the refined terminal type in a RADIUS accounting packet, and sends the accounting packet to the RADIUS server.
NOTE:

The terminal type identified by the device is carried in Huawei proprietary RADIUS attribute 157, HW-Terminal-Type, and sent to the RADIUS server. Configure the RADIUS server to recognize this attribute so that it can deliver authorization information based on the user's terminal type.
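The following added example, which is not Huawei's code, shows how a proprietary attribute such as HW-Terminal-Type is carried on the wire and how a RADIUS server would pull it back out of an Access-Request: RFC 2865 wraps vendor attributes in a Vendor-Specific attribute (type 26) that holds a 4-byte Vendor-Id followed by vendor sub-attributes in the same Type/Length/Value shape. The vendor number 2011 is assumed here to be Huawei's IANA enterprise number, and the attribute value is assumed to be a plain string; the user name, MAC address and terminal type in the sample packet are constructed.

```python
"""Encode and decode the RADIUS Vendor-Specific attribute (RFC 2865 type 26)
that carries the identified terminal type. Added example, not Huawei's code."""
from __future__ import annotations

import os
import struct

VENDOR_SPECIFIC = 26
HUAWEI_VENDOR_ID = 2011      # assumed: Huawei's IANA enterprise number
HW_TERMINAL_TYPE = 157       # vendor attribute number named on this page
USER_NAME, CALLING_STATION_ID = 1, 31
ACCESS_REQUEST = 1


def attribute(attr_type: int, value: bytes) -> bytes:
    """Plain RADIUS attribute: Type(1) Length(1) Value; Length covers all three."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute: Type=26, Length, Vendor-Id(4), then one vendor
    sub-attribute Vendor-Type(1) Vendor-Length(1) value."""
    if not 1 <= len(value) <= 247:          # 2 + 4 + 2 + value must fit in 255
        raise ValueError("vendor attribute value must be 1..247 bytes")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def decode_attributes(blob: bytes) -> list[tuple[int, bytes]]:
    """Split an attribute list, rejecting length fields that run past the data."""
    attrs: list[tuple[int, bytes]] = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        attrs.append((attr_type, blob[i + 2 : i + length]))
        i += length
    return attrs


def find_terminal_type(attrs_blob: bytes) -> str | None:
    """Return the HW-Terminal-Type string if a Huawei VSA carries it, else None."""
    for attr_type, value in decode_attributes(attrs_blob):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != HUAWEI_VENDOR_ID:
            continue                        # another vendor's 157 means something else
        for sub_type, sub_value in decode_attributes(value[4:]):   # same TLV shape
            if sub_type == HW_TERMINAL_TYPE:
                return sub_value.decode("utf-8", "replace")        # assumed: string value
    return None


def build_access_request(identifier: int, authenticator: bytes, attrs: list[bytes]) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(attrs)
    return struct.pack("!BBH16s", ACCESS_REQUEST, identifier, 20 + len(body), authenticator) + body


def parse_packet(packet: bytes) -> tuple[int, int, bytes, bytes]:
    """Return (code, identifier, authenticator, attribute bytes), checking Length."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, identifier, length, authenticator = struct.unpack("!BBH16s", packet[:20])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS Length field inconsistent with data")
    return code, identifier, authenticator, packet[20:length]


if __name__ == "__main__":
    # Constructed Access-Request as the switch would send it after identification.
    req = build_access_request(7, os.urandom(16), [
        attribute(USER_NAME, b"alice"),
        attribute(CALLING_STATION_ID, b"00-11-22-33-44-55"),
        encode_vsa(HUAWEI_VENDOR_ID, HW_TERMINAL_TYPE, b"Android"),
    ])
    code, ident, _, attrs = parse_packet(req)
    print(code, ident, find_terminal_type(attrs))
```

On the server side the Vendor-Id check matters: vendor attribute numbers are only unique within one vendor's space, so a type-157 sub-attribute under any other Vendor-Id must not be read as HW-Terminal-Type.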

Updated: 2019-10-21

Document ID: EDOC1000178117