S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.

(Optional) Configuring the User Access Mode

Context

After enabling NAC authentication, you can configure the user access mode according to how users connect through the interface. The user access modes are:
  • single-terminal: applies to the scenario in which only one data terminal is connected to the network through the interface.
  • single-voice-with-data: applies to the scenario in which only one data terminal is connected to the network on the device interface through a voice terminal.
  • multi-share: applies to the scenario that does not require high security and in which multiple data terminals are connected to the network on the device interface.
  • multi-authen: applies to the scenario that requires high security and in which multiple data terminals are connected to the network on the device interface. In this access mode, you can configure the maximum number of access users based on the actual number of users on the interface. This prevents malicious users from occupying a large amount of device resources and ensures that users on other device interfaces can go online normally.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  3. Run authentication mode { single-terminal | single-voice-with-data | multi-share | multi-authen [ max-user max-user-number [ dot1x | mac-authen | portal ] * ] }

    The maximum number of access users allowed on the interface is configured when the user access mode or interface access authentication mode is multi-authen.

    By default, the access authentication mode is multi-authen.

    NOTE:
    • VLANIF interfaces do not support this function.
    • Only wired users support this function.
    • If the multi-share mode is configured on a physical interface and the first access user fails to be authenticated and sets up a pre-connection, new access users will also fail to be authenticated on the interface. If the first access user may fail to be authenticated in the multi-share mode, the following operations are recommended:
      • Configure users to not set up pre-connections when 802.1X authentication or MAC address authentication is used. You can run the undo authentication pre-authen-access enable command to configure the device to not generate entries for users who obtain rights in the pre-connection phase.
      • Do not use the multi-share mode with Portal authentication.
    • In the policy association scenario, the authentication mode multi-authen max-user max-user-number command configured on an access device does not take effect. To configure the number of access users on an access device, run the authentication access-point max-user max-user-number command to set the maximum number of access users allowed on the interface of the access device.

    • When authentication mode is set to multi-authen in the authentication profile, set the interface type to hybrid or trunk in policy association scenarios or to hybrid in other scenarios when you configure the authorization VLAN.

    • In L2 BNG scenarios, the multi-share mode is not supported.
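
The following audit script is an added example, not part of the Huawei guide. It reads configuration text and flags authentication profiles that use multi-share or that rely on multi-authen without an explicit max-user. It assumes the saved configuration lists each profile in the command syntax shown above and that the undo authentication pre-authen-access enable command appears verbatim when pre-connection entries are disabled; the profile names and the max-user value are constructed.

```python
import re

# Constructed sample: command syntax from the procedure, made-up names/values.
SAMPLE_CONFIG = """\
authentication-profile name office_ports
 authentication mode multi-authen max-user 8
authentication-profile name lobby_ports
 authentication mode multi-share
authentication-profile name lab_ports
"""

PROFILE_RE = re.compile(r"^authentication-profile name (\S+)\s*$")
MODE_RE = re.compile(r"^\s+authentication mode (single-terminal|"
                     r"single-voice-with-data|multi-share|multi-authen)"
                     r"(?: max-user (\d+))?")
# Assumption: the command appears verbatim somewhere in the saved config.
NO_PRECONN = "undo authentication pre-authen-access enable"

def parse_profiles(text):
    """Map profile name -> (mode, max_user); no mode line means the default."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            profiles[current] = ("multi-authen", None)  # documented default
            continue
        m = MODE_RE.match(line)
        if m and current:
            profiles[current] = (m.group(1), m.group(2) and int(m.group(2)))
        elif line and not line[0].isspace():
            current = None  # a top-level line ends the profile block
    return profiles

def audit(text):
    """Return (profile, finding) pairs for the cases the NOTE warns about."""
    findings = []
    for name, (mode, cap) in parse_profiles(text).items():
        if mode == "multi-share":
            findings.append((name, "multi-share: not for high-security ports"))
            if NO_PRECONN not in text:
                findings.append((name, "pre-connection entries still generated"))
        elif mode == "multi-authen" and cap is None:
            findings.append((name, "multi-authen without explicit max-user"))
    return findings

if __name__ == "__main__":
    for profile, finding in audit(SAMPLE_CONFIG):
        print(f"{profile}: {finding}")
```

A profile with no authentication mode line is reported as multi-authen because that is the documented default.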

Updated: 2019-10-21

Document ID: EDOC1000178117
