S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.

(Optional) Configuring the Function of Identifying Static Users Through IP Addresses


Context

By default, the device identifies static users through MAC addresses. However, a terminal may have one MAC address and multiple IP addresses; for example, a firewall may have multiple valid IP addresses that correspond to only one MAC address. Such a terminal goes online only after the multiple IP addresses pass authentication. If the device identifies terminals through MAC addresses, the entry for each IP address that is authenticated later overwrites the entry for the IP address that was authenticated earlier. As a result, the terminal cannot go online. You can run the ip-static-user enable command to enable the function of identifying static users through IP addresses so that terminals with one MAC address and multiple IP addresses can go online.

NOTE:
  • For a terminal with one MAC address and multiple IP addresses, you must configure the terminal as a static user and enable the function of identifying static users through IP addresses so that the terminal can pass authentication and go online. If ip-user is not specified when you configure static users, all static users are processed as if they have one MAC address and multiple IP addresses. To precisely identify and process static users with one MAC address and multiple IP addresses, specify ip-user when configuring these static users.
  • The device does not support traffic statistics collection for a terminal with one MAC address and multiple IP addresses.
  • Configure wired users before enabling this function.
  • For physical interfaces, only static users on the X series cards support this function. For VLANIF interfaces, all static users support this function.
  • This function takes effect only for users who go online after it is configured. After the configuration on an interface is modified, online users on the interface go offline.
  • The device supports this function only when the user access mode is multi-authen. For details on how to configure the user access mode, see authentication mode.
  • Static users who are identified through IP addresses directly go offline after they fail to pass authentication, and are not kept in the pre-connection state.
  • Static users identified through IP addresses do not support right control during Layer 2 forwarding.
  • Static users identified through IP addresses support only IP address-based upstream authorization services (such as authorization UCL, isolation between Layer 3 groups, CAR, and priority for upstream traffic), and do not support downstream authorization services (such as CAR, re-marking action, dynamic authorization VLAN, DAA, and HQoS for downstream traffic).
  • In the policy association scenario, if the control point mode is set to open using the authentication control-point open command, the device does not support the function of identifying static users through IP addresses.
  • For a terminal with one MAC address and multiple IP addresses, only ARP packets can be used to trigger authentication. Therefore, ensure that the device can perform authentication triggered by ARP packets; for example, the types of packets that can trigger authentication must include ARP.

Pre-configuration Tasks

Before enabling this function, configure static users. Ensure that the following conditions are met:
  1. A static user has been configured using the static-user start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ] [ ip-user ] [ domain-name domain-name | interface interface-type interface-number [ detect ] | mac-address mac-address | vlan vlan-id ] * command.
  2. The authentication user name has been configured for the static user using the static-user username format-include { ip-address | mac-address | system-name } command.
  3. The authentication password has been configured for the static user using the static-user password cipher password command.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  3. Run ip-static-user enable

    The function of identifying static users through IP addresses is enabled.

    By default, the function of identifying static users through IP addresses is disabled, and the device identifies static users through MAC addresses.

Verifying the Configuration

Run the display authentication-profile configuration [ name authentication-profile-name ] command to check whether the function of identifying static users through IP addresses is enabled in the corresponding authentication profile.
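
The pre-configuration tasks, procedure, and verification above, carried through as one session. This is an added example, not taken from the Huawei guide; the host name HUAWEI, the profile name p1, the 192.0.2.x addresses, the MAC address, and the <password> placeholder are assumptions.

```text
# Constructed example: host name, profile name p1, addresses and MAC are placeholders.
# Lines starting with "#" are annotations, not commands.

# Pre-configuration: define the multi-IP terminal as a static user.
# ip-user marks this range as one MAC address with multiple IP addresses.
<HUAWEI> system-view
[HUAWEI] static-user 192.0.2.10 192.0.2.12 ip-user mac-address 00e0-fc12-3456
[HUAWEI] static-user username format-include ip-address
[HUAWEI] static-user password cipher <password>

# Enable IP-based identification in the authentication profile.
# The profile must use the multi-authen access mode, and ARP must be
# among the packet types that trigger authentication.
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] ip-static-user enable
[HUAWEI-authen-profile-p1] quit

# Verify that the function is enabled in profile p1.
[HUAWEI] display authentication-profile configuration name p1
```

Users already online are not affected until they go online again, and modifying the configuration on an interface takes its online users offline.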

Updated: 2019-10-21

Document ID: EDOC1000178117