S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
(Optional) Configuring Timers of MAC Address Authentication

Context

During MAC address authentication, several timers govern the interaction between access users or devices and the authentication server. You can configure the following types of timers in MAC address authentication:
  • Re-authentication timer for users in the guest VLAN (guest-vlan reauthenticate-period): After a user is added to the guest VLAN, the device initiates re-authentication for the user at an interval set by this timer. If re-authentication is successful, the user exits the guest VLAN.
  • Offline detection timer (offline-detect): To make sure that a user is online, the device sends a detection packet to the user. If the user does not respond within a detection period, the device considers the user offline. The timer takes effect for both MAC address authentication users and static users.
    NOTE:
    If the number of offline detection packets (ARP packets) exceeds the default CAR value, the detection fails and the users are logged out. (The display cpu-defend statistics command can be run to check whether ARP request and response packets are lost.) To resolve the problem, the following methods are recommended:
    • Increase the detection interval based on the number of users. The default detection interval is recommended when there are fewer than 8000 users; the detection interval should be no less than 600 seconds when there are more than 8000 users.
    • Deploy the port attack defense function on the access device and limit the rate of packets sent to the CPU.
  • Quiet timer (quiet-period): The device must enter a quiet period after the user fails to be authenticated. During the quiet period, the device does not process authentication requests from the user.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run mac-authen timer { guest-vlan reauthenticate-period interval | offline-detect offline-detect-value | quiet-period quiet-value }

    The timer parameters are set for MAC address authentication.

    By default, guest-vlan reauthenticate-period is set to 60 seconds, offline-detect is set to 300 seconds, and quiet-period is set to 60 seconds.

    NOTE:

    The guest-vlan reauthenticate-period, offline-detect, and quiet-period timers are enabled by default.

    When the quiet-period timer is set to 0, the quiet function is disabled.
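
The following audit script is an added example, not part of the Huawei guide. It checks a saved configuration against the defaults and guidance stated in this section. The function names, the sample configurations, and the rule that the last matching line wins are assumptions made for illustration.

```python
import re

# Defaults stated in this section (seconds).
DEFAULTS = {"guest-vlan reauthenticate-period": 60, "offline-detect": 300, "quiet-period": 60}
TIMER_RE = re.compile(
    r"^\s*mac-authen\s+timer\s+"
    r"(guest-vlan\s+reauthenticate-period|offline-detect|quiet-period)\s+(\d+)\s*$"
)

def effective_timers(config_text):
    """Return the timers in effect: section defaults overridden by config lines."""
    timers = dict(DEFAULTS)
    for line in config_text.splitlines():
        m = TIMER_RE.match(line)
        if m:
            name = " ".join(m.group(1).split())  # normalise inner whitespace
            timers[name] = int(m.group(2))       # assumption: last occurrence wins
    return timers

def audit(config_text, user_count):
    """Compare timers with this section's guidance; return a list of findings.
    Values are compared numerically; special values the section does not
    describe are not interpreted."""
    t = effective_timers(config_text)
    findings = []
    if t["quiet-period"] == 0:
        findings.append("quiet-period is 0: the quiet function is disabled, so requests "
                        "from a user who failed authentication are processed without a pause")
    if user_count > 8000 and t["offline-detect"] < 600:
        findings.append(f"offline-detect is {t['offline-detect']}s with {user_count} users: "
                        "no less than 600s is recommended above 8000 users")
    return findings

# Constructed sample configuration excerpts (not taken from a real device).
WEAK = """
sysname access-sw-01
mac-authen timer quiet-period 0
mac-authen timer offline-detect 300
"""
FIXED = """
sysname access-sw-01
mac-authen timer quiet-period 60
mac-authen timer offline-detect 600
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(label, effective_timers(cfg), audit(cfg, user_count=12000))
```
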

Updated: 2019-10-21

Document ID: EDOC1000178117
