No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Overview of Policy Association

Overview of Policy Association


Policy association provides a solution to contradiction between policy strengths and complexity on large campus networks. In the solution, user access policies are centrally managed on the gateway devices and enforced by gateway and access devices.


On traditional networks, NAC is configured at the access layer. The access device is the authentication point that controls and manages access users. However, a large-sized network may have the following problems:

  • There are a large number of access devices, which make the configuration complex and O&M difficult.
  • The large number of access devices increase the pressure on the connected servers.
  • Users access the network at fixed positions.

Moving the authentication point from the access layer to the aggregation or core layer can address the preceding problems. The gateway is the control device that authenticates and manages users. This reduces the number of authentication points on the network and simplifies access device configurations. However, moving the authentication point to upper layers may cause the following problems:

  • Access devices cannot transparently transmit BPDUs, so 802.1x authentication cannot be used. The Layer 2 transparent transmission function must be configured.
  • The authentication point cannot control the mutual access between the users in the same VLAN on an access device.
  • The administrator does not know the access positions of users, so fault locating is difficult.
  • The gateway cannot immediately detect user logoff, and the detection process increases workload on the gateway.

The policy association solution is introduced to address these problems. After policy association is configured, access devices can transparently transmit BPDUs and report user logoff and user access positions in real time. In addition, the control device requests access devices to enforce user access policies, thus controlling user access to the network.

Updated: 2019-10-21

Document ID: EDOC1000178117

Views: 123046

Downloads: 58

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next