NAC Application
Context
NAC is enabled on an interface or in a VAP profile by binding an authentication profile to it. The device then implements access control on users who go online through that interface or VAP profile.
An authentication profile uniformly manages the NAC configuration: binding it in the interface view or VAP profile view enables NAC there, and the authentication type applied to those users (802.1X, MAC address, or Portal authentication) is determined by the access profile bound to the authentication profile. For details about how to configure an access profile, see Configuring an Access Profile.
- VLANIF interfaces, GE interfaces, XGE interfaces, 40GE interfaces, 100GE interfaces, Eth-Trunks, port groups, and VAP profiles support NAC. The support for NAC on different interfaces is as follows:
  - 802.1X authentication does not take effect on a VLANIF interface.
  - Layer 2 interfaces and VLANIF interfaces support MAC address authentication.
  - Support for Portal authentication varies by interface type: routed main interfaces support only Layer 3 Portal authentication, Layer 2 interfaces support only Layer 2 Portal authentication, and VLANIF interfaces support both Layer 2 and Layer 3 Portal authentication.
  - The VLANIF interface corresponding to a super VLAN does not support Portal authentication.
- For wireless users accessing through APs, ensure that the APs themselves can be authenticated (for example, by adding the APs as static users) when NAC authentication is deployed for users. Otherwise, the wireless users cannot be authenticated.
- NAC authentication cannot be enabled both on a Layer 2 Ethernet interface and on the VLANIF interface of the VLAN that the Ethernet interface belongs to. Otherwise, users have no network access rights after connecting to the network. (Users connected through the X series cards can obtain network access rights; those connected through other cards cannot.) Likewise, in wireless scenarios NAC authentication cannot be enabled both on a WLAN-ESS interface and on a VLANIF interface.
- After enabling NAC on an interface, you cannot run the following commands on the interface. Conversely, after running any of the following commands on an interface, you cannot enable NAC on the interface.
  - mac-limit: Sets the maximum number of MAC addresses that can be learned by an interface.
  - mac-address learning disable: Disables MAC address learning on an interface.
  - port link-type dot1q-tunnel: Sets the link type of an interface to QinQ.
  - port vlan-mapping vlan map-vlan / port vlan-mapping vlan inner-vlan: Configures VLAN mapping on an interface.
  - port vlan-stacking: Configures selective QinQ.
  - port-security enable: Enables interface security.
  - mac-vlan enable: Enables MAC address-based VLAN assignment on an interface.
  - ip-subnet-vlan enable: Enables IP subnet-based VLAN assignment on an interface.
  - user-bind ip sticky-mac: Enables the device to generate snooping MAC entries. NOTE: This command conflicts only with 802.1X authentication and MAC address authentication.
- After the encapsulation mode of packets allowed to pass through a Layer 2 sub-interface is set to default using the encapsulation (Layer 2 sub-interface view) command, NAC cannot be configured on the main interface of that Layer 2 sub-interface.
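The two constraints that bite most often in practice (a conflicting command left on an interface, and NAC bound both on a Layer 2 port and on the VLANIF of its VLAN) can be checked offline against a saved configuration before the authentication-profile binding in the procedure below is applied. The script here is an added example, not code from the device manual or from Huawei; it assumes a VRP-style display of interface blocks terminated by "#", identifies a Layer 2 port's VLAN only from "port default vlan" (access ports; trunk membership is not followed), and uses a small constructed configuration as input. The profile name p1 and the interface names are constructed for the example.

```python
"""Audit a saved VRP-style configuration for NAC binding conflicts.

Rules checked (from the NAC application constraints):
  1. An interface with an authentication profile bound must not also carry
     one of the commands that conflict with NAC (mac-limit, port-security, ...).
  2. NAC must not be enabled both on a Layer 2 Ethernet interface and on the
     VLANIF interface of the VLAN that port belongs to.
"""
import re

# Command prefixes that cannot coexist with an authentication profile on an
# interface. user-bind ip sticky-mac only conflicts with 802.1X/MAC auth per the
# manual's NOTE; it is flagged conservatively here because the access profile
# type is not visible from the interface block alone.
CONFLICTING_PREFIXES = (
    "mac-limit",
    "mac-address learning disable",
    "port link-type dot1q-tunnel",
    "port vlan-mapping vlan",
    "port vlan-stacking",
    "port-security enable",
    "mac-vlan enable",
    "ip-subnet-vlan enable",
    "user-bind ip sticky-mac",
)

# Constructed sample configuration (not from a real device). Profile name "p1"
# and the interfaces are assumptions for the example.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 authentication-profile p1
 mac-limit maximum 100
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
 authentication-profile p1
#
interface Vlanif20
 ip address 192.0.2.1 255.255.255.0
 authentication-profile p1
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 30
 authentication-profile p1
#
"""


def parse_interfaces(config_text):
    """Return {interface_name: [command lines]} from 'interface X' ... '#' blocks."""
    ifaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line == "#":
            current = None          # end of the current interface block
        elif current is not None:
            ifaces[current].append(line)
    return ifaces


def access_vlan(cmds):
    """VLAN of a Layer 2 access port from 'port default vlan N', or None."""
    for cmd in cmds:
        m = re.fullmatch(r"port default vlan (\d+)", cmd)
        if m:
            return int(m.group(1))
    return None


def audit(config_text):
    """Return a list of (interface, problem) tuples; empty means no conflict found."""
    ifaces = parse_interfaces(config_text)
    findings = []
    nac_ifaces = {n for n, cmds in ifaces.items()
                  if any(c.startswith("authentication-profile ") for c in cmds)}

    # Rule 1: conflicting commands on a NAC-enabled interface.
    for name in sorted(nac_ifaces):
        for cmd in ifaces[name]:
            if cmd.startswith(CONFLICTING_PREFIXES):
                findings.append((name, f"command conflicts with NAC: '{cmd}'"))

    # Rule 2: NAC on both a Layer 2 port and the VLANIF of its VLAN.
    nac_vlanifs = {}
    for name in nac_ifaces:
        m = re.fullmatch(r"Vlanif(\d+)", name)
        if m:
            nac_vlanifs[int(m.group(1))] = name
    for name in sorted(nac_ifaces):
        if name.startswith("Vlanif"):
            continue
        vid = access_vlan(ifaces[name])
        if vid in nac_vlanifs:
            findings.append((name, f"NAC also enabled on {nac_vlanifs[vid]} "
                                   f"(VLAN {vid}); users would get no access"))
    return findings


if __name__ == "__main__":
    for iface, problem in audit(SAMPLE_CONFIG):
        print(f"{iface}: {problem}")
```

Run against the sample, the audit reports GigabitEthernet0/0/1 (mac-limit present alongside the profile) and GigabitEthernet0/0/2 (Vlanif20 also has NAC bound); GigabitEthernet0/0/3 passes. Remove the conflicting command, or unbind the profile from one side of the port/VLANIF pair, before applying the binding on a live device.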
Prerequisites
An authentication profile has been configured. For details about how to configure an authentication profile, see Configuring an Authentication Profile.
Procedure
- Enable NAC on an interface.
Run system-view
The system view is displayed.
Run interface interface-type interface-number
The interface view is displayed.
Run authentication-profile authentication-profile-name
The authentication profile is applied to the interface.
By default, no authentication profile is applied to an interface.
- Enable NAC in a VAP profile.