No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
(Optional) Configuring the Direction of Traffic Controlled by the Device

(Optional) Configuring the Direction of Traffic Controlled by the Device


By default, the access authentication device discards all the traffic sent from the users who fail the 802.1x authentication or MAC address authentication. However, these users can still receive broadcast packets sent from the successfully authenticated users in the same VLAN. You can configure the bidirectional traffic control function to disable the users who fail the authentication from receiving broadcast packets.

  • This function applies only to 802.1x authentication and MAC address authentication.

  • This function takes effect only when an access switch functions as the authentication device and an interface of the switch is connected to only one IP phone or PC.

  • This function does not take effect when users have pre-connection entries or authentication event entries. You are advised to run the undo authentication pre-authen-access enable command disable the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state, and do not run the authentication event command to configure the device to assign network access rights to users in each phase before authentication succeeds.

  • If users go online on the same interface in the same VLAN, bidirectional traffic control does not take effect on this interface.

  • Layer 3 interfaces do not support bidirectional traffic control.

  • You are advised to run the stp edged-port enable command to configure the interface on which the function is applied as an edge port. The interface can be added to a maximum of four VLANs.

  • The SVF and policy association scenarios do not support this function.

  • WLAN scenarios do not support this function.

  • When this function is configured, the recommended STP mode is VBST. If the STP mode is changed after users go online, traffic will be interrupted for a short time. If the STP mode is set to MSTP or STP, run the instance command to map VLANs to different spanning tree instances (MSTIs).
  • A user VLAN cannot be specified as an RRPP or ERPS control VLAN.


  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  3. Run authentication control-direction { all | inbound }

    The direction of traffic controlled by the device is configured.

    By default, the device only controls the upstream traffic.

Updated: 2019-10-21

Document ID: EDOC1000178117

Views: 130575

Downloads: 62

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Previous Next