S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Configuring Access Devices

Context

To keep policies effective without increasing their complexity on large campus networks, deploy policy association, in which access devices only enforce user access policies. To implement policy association, configure the policy association function on access devices.

Procedure

  1. Establish CAPWAP tunnels.

    Control devices and access devices use CAPWAP tunnels to establish connections. In addition, control devices and access devices use CAPWAP tunnels to complete user association, transmit messages, deliver user authorization policies, and synchronize user information.

    1. Run system-view

      The system view is displayed.

    2. Create the management VLAN of the CAPWAP tunnels and configure the IP address of the corresponding VLANIF interface.
      NOTE:

      In policy association, the management VLAN of a CAPWAP tunnel connects access devices to the network. Perform only basic configuration in the management VLAN and its VLANIF interface; other service configurations there may prevent access devices from connecting to the network.

      1. Run vlan batch vlan-id

        A management VLAN is created.

      2. Run interface vlanif vlan-id

        A VLANIF interface is created and the VLANIF interface view is displayed.

      3. Run ip address ip-address { mask | mask-length } or ip address dhcp-alloc

        The IP address of the VLANIF interface is statically configured or the DHCP client function is enabled on the VLANIF interface.

      4. Run quit

        Return to the system view.

    3. Run as access interface vlanif vlan-id

      The source interface for a CAPWAP tunnel is specified on the access device.

      By default, the source interface is not specified for a CAPWAP tunnel on an access device.

      The management VLAN is the VLAN that corresponds to this source interface.

    4. Run as access controller ip-address ip-address

      The IP address of the control device is specified on the access device.

      By default, the IP address of the control device is not specified on an access device.

      This step is mandatory when an IP address is statically configured on the VLANIF interface corresponding to the management VLAN. When a DHCP server assigns the IP address of that VLANIF interface, configure Option 43 on the DHCP server to notify the access device of the control device's IP address. For details, see DHCP Configuration in the appropriate Configuration Guide - IP Service for the access device model.

  2. Configure an interface as the access point.

    1. Run interface interface-type interface-number

      The interface view is displayed.

    2. Run authentication access-point [ open ]

      The remote access control function is enabled on the interface of the access device.

      By default, the remote access control function is disabled on an interface of an access device.

      NOTE:

      To configure right control on a control device instead of an access device, you can disable right control of the access point on the access device (by specifying the open parameter).

      The authentication access-point open and authentication access-point commands must be run together; otherwise, the authentication access-point open command cannot take effect.

    3. (Optional) Run authentication access-point max-user max-user-number

      The maximum number of access users allowed on the interface of the access device is set.

      By default, an access device does not limit the maximum number of users who are allowed to log in through its interfaces.

    4. Run quit

      Return to the system view.

  3. If the access device (AS) is a stack, run stack timer mac-address switch-delay 0

    The stack is configured not to change the system MAC address.

    If the AS is a stack and changes its system MAC address under some abnormal circumstances, the MAC address in the AS authentication entries on the parent (control device) no longer matches the changed system MAC address. As a result, users connected to the AS cannot be authenticated and fail to go online. Therefore, you are advised to run this command to configure the stack not to change the system MAC address.

  4. Configure extended functions and optional parameters.

    • Run authentication speed-limit max-num max-num-value interval interval-value

      The rate limit is configured for user association and disassociation request messages sent from the access device.

      By default, an access device sends a maximum of 60 user association and disassociation request messages within 30 seconds.

    • Run user-detect { interval interval-value | retry retry-value } *

      The online user detection function is enabled, and the detection interval and number of packet retransmission attempts are configured.

      By default, the online user detection function is enabled, the detection interval is 15 seconds, and the number of packet retransmission attempts is 3.

    • Run user-sync interval interval-value

      The device is configured to periodically synchronize online user information to the control device.

      By default, user synchronization is enabled and the synchronization interval is 60 seconds.

      NOTE:

      The user synchronization function must be enabled on both access devices and control devices for it to work properly. In addition, the user synchronization interval configured on access devices must be shorter than or equal to that configured on control devices, to prevent users from being disconnected by incorrect synchronization.

    • Run control-down offline delay { delay-value | unlimited }

      The user logout delay after a CAPWAP tunnel fault is configured on the access device.

      By default, the users on an access device go offline immediately after a CAPWAP tunnel is faulty.

    • Configure the alarm function for the access limit on associated users.

      • Run authentication associate alarm-restrain enable

        The access device is enabled to suppress alarms that are generated due to excess associated users.

        By default, an access device is enabled to suppress alarms that are generated due to excess associated users.

      • Run authentication associate alarm-restrain period period-value

        A suppression period is set for alarms that an access device generates due to excess associated users.

        By default, an access device suppresses such alarms for 300 seconds.
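The following Python script is an added example and is not part of this guide or Huawei's software. It embeds a constructed access device (AS) configuration that follows the procedure above end to end (assumed values: management VLAN 100, VLANIF address 10.1.1.2/24, control device 10.1.1.1, access point GigabitEthernet 0/0/1) and then checks it against the constraints stated in this section: a static management address requires as access controller ip-address, a DHCP-assigned address depends on Option 43, the management VLANIF should carry only basic configuration, authentication access-point open only takes effect together with authentication access-point, a stacked AS should have stack timer mac-address switch-delay 0, and the user-sync interval on the AS must not exceed the control device's. The controller's synchronization interval and whether the AS is a stack are not visible in the AS configuration, so they are passed in as parameters.

```python
"""Added example (not Huawei's code): check a policy-association access
device configuration against the constraints stated in this section.
All addresses, VLAN and interface names below are constructed samples."""
import re

# Constructed AS configuration following the procedure above (assumed
# values: VLAN 100, 10.1.1.2/24, controller 10.1.1.1, GE0/0/1).
SAMPLE_CONFIG = """
vlan batch 100
interface vlanif 100
 ip address 10.1.1.2 255.255.255.0
 quit
as access interface vlanif 100
as access controller ip-address 10.1.1.1
interface gigabitethernet 0/0/1
 authentication access-point
 authentication access-point open
 authentication access-point max-user 64
 quit
stack timer mac-address switch-delay 0
user-detect interval 15 retry 3
user-sync interval 60
control-down offline delay 300
"""


def parse_config(text):
    """Split CLI text into global commands and per-interface commands.
    Returns (global_cmds, {interface_name: [cmds]}); 'quit' leaves a view."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line:
            continue
        if line.startswith("interface "):
            current = " ".join(line.split()[1:])
            interfaces.setdefault(current, [])
        elif line == "quit":
            current = None
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_cmds.append(line)
    return global_cmds, interfaces


def check_as_config(text, controller_sync_interval=60, is_stack=False):
    """Return a list of findings; an empty list means every check passed.
    controller_sync_interval is the user-sync interval on the control device
    (assumed known to the operator); is_stack says whether the AS is a stack."""
    findings = []
    global_cmds, interfaces = parse_config(text)

    # 1. Management VLANIF: the CAPWAP tunnel source interface and its address.
    src = next((c for c in global_cmds if c.startswith("as access interface vlanif")), None)
    if src is None:
        findings.append("no 'as access interface vlanif' source interface for the CAPWAP tunnel")
    else:
        mgmt = "vlanif " + src.split()[-1]
        mgmt_cmds = interfaces.get(mgmt, [])
        # Only basic configuration belongs in the management VLANIF.
        extra = [c for c in mgmt_cmds if not c.startswith("ip address")]
        if extra:
            findings.append(f"{mgmt} carries non-basic configuration: {extra}")
        static_ip = any(re.match(r"ip address \d", c) for c in mgmt_cmds)
        dhcp_ip = any(c == "ip address dhcp-alloc" for c in mgmt_cmds)
        has_ctrl = any(c.startswith("as access controller ip-address") for c in global_cmds)
        if static_ip and not has_ctrl:
            findings.append("static management IP but no 'as access controller ip-address'")
        if dhcp_ip and not has_ctrl:
            findings.append("DHCP management IP: verify the DHCP server delivers Option 43 with the controller address")
        if not static_ip and not dhcp_ip:
            findings.append(f"{mgmt} has neither a static IP address nor dhcp-alloc")

    # 2. Access points: 'open' only takes effect next to plain 'authentication access-point'.
    for name, cmds in interfaces.items():
        if "authentication access-point open" in cmds and "authentication access-point" not in cmds:
            findings.append(f"{name}: 'authentication access-point open' without 'authentication access-point'")

    # 3. Stacked AS: the system MAC address must stay fixed.
    if is_stack and "stack timer mac-address switch-delay 0" not in global_cmds:
        findings.append("stack AS without 'stack timer mac-address switch-delay 0'")

    # 4. The AS user-sync interval must not exceed the control device's (default 60 s).
    m = next((re.match(r"user-sync interval (\d+)", c) for c in global_cmds
              if c.startswith("user-sync interval")), None)
    as_interval = int(m.group(1)) if m else 60
    if as_interval > controller_sync_interval:
        findings.append(f"user-sync interval {as_interval}s exceeds the controller's {controller_sync_interval}s")
    return findings


if __name__ == "__main__":
    for finding in check_as_config(SAMPLE_CONFIG, controller_sync_interval=60, is_stack=True) or ["OK"]:
        print(finding)
```

Feed the script the output of display current-configuration from an AS (with the controller's user-sync interval and stack status supplied by hand) to catch the mismatches this section warns about before users are affected; the parser only understands the command forms used in this procedure.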

Updated: 2019-10-21

Document ID: EDOC1000178117