No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
NAC Application

NAC Application

Context

After an authentication profile is bound to the interface or VAP profile, NAC is enabled in the interface or VAP profile. The device implements access control on users who go online through the interface or VAP profile.

An authentication profile uniformly manages NAC configuration. The authentication profile is bound to the interface or VAP profile view to enable NAC, implementing access control on the users in the interface or VAP profile. The authentication type of the users in the interface or VAP profile is determined by the access profile bound to the authentication profile. For details about how to configure an access profile, see Configuring an Access Profile.

When configuring NAC, pay attention to the following points:
  • VLANIF interfaces, GE interfaces, XGE interfaces, 40GE interfaces, 100GE interfaces, Eth-Trunks, port groups, and VAP profiles support NAC. The support for NAC on different interfaces is as follows:
    • 802.1X authentication does not take effect on a VLANIF interface.
    • Layer 2 interfaces and VLANIF interfaces support MAC address authentication.
    • The support for Portal authentication varies depending on different interfaces, routed main interfaces support only Layer 3 Portal authentication, Layer 2 interfaces support only Layer 2 Portal authentication, and VLANIF interfaces support both Layer 2 and Layer 3 Portal authentication.

    • The VLANIF interface corresponding to the super VLAN does not support Portal authentication.
  • For the access of wireless users through APs, ensure that the APs can be authenticated (for example, adding the APs to static users) when NAC authentication is deployed for users. Otherwise, the wireless users cannot be authenticated.
  • NAC authentication cannot be enabled both on a Layer 2 Ethernet interface and the VLANIF interface mapping the VLAN of the Ethernet interface. Otherwise, the users have no network access rights after connecting to the network. (The users who are connected through the X series cards can obtain network access rights; those connected through other cards cannot obtain network access rights.) In addition, NAC authentication cannot be enabled both on WLAN-ESS and VLANIF interfaces in wireless scenarios.

  • After enabling NAC on an interface, you cannot run the following commands on the interface. Similarly, after running the following commands on an interface, you cannot enable NAC on the interface.

    Command

    Function

    mac-limit

    Sets the maximum number of MAC addresses that can be learned by an interface.

    mac-address learning disable

    Disables MAC address learning on an interface.

    port link-type dot1q-tunnel

    Sets the link type of an interface to QinQ.

    port vlan-mapping vlan map-vlan

    port vlan-mapping vlan inner-vlan

    Configures VLAN mapping on an interface.

    port vlan-stacking

    Configures selective QinQ.

    port-security enable

    Enables interface security.

    mac-vlan enable

    Enables MAC address-based VLAN assignment on an interface.

    ip-subnet-vlan enable

    Enables IP subnet-based VLAN assignment on an interface.

    user-bind ip sticky-mac

    NOTE:

    This command conflicts with only 802.1X authentication and MAC address authentication.

    Enables the device to generate snooping MAC entries.
  • After the encapsulation mode of packets allowed to pass a Layer 2 sub-interface is set to default using the encapsulation (Layer 2 sub-interface view) command, NAC cannot be configured on the main interface of the Layer 2 sub-interface.

Prerequisites

An authentication profile has been configured. For details about how to configure an authentication profile, see Configuring an Authentication Profile.

Procedure

  • Enable NAC on an interface.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run authentication-profile authentication-profile-name

      The authentication profile is applied to the interface.

      By default, no authentication profile is applied to an interface.

  • Enable NAC in a VAP profile.
    1. Run system-view

      The system view is displayed.

    2. Run wlan

      The WLAN view is displayed.

    3. Run vap-profile name profile-name

      The VAP profile view is displayed.

    4. Run authentication-profile authentication-profile-name

      The authentication profile is applied to the VAP profile.

      By default, no authentication profile is applied to a VAP profile.

Verifying the Configuration

Run the display authentication interface interface-type interface-number command to view the configuration of the NAC authentication mode on an interface.

Translation
Download
Updated: 2019-10-21

Document ID: EDOC1000178117

Views: 123089

Downloads: 58

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next