S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Configuring Extended Functions Related to 802.1X Authentication

Configuring the Interval for Sending 802.1X Authentication Requests

Context

The device starts the tx-period timer (specifying the interval for sending 802.1X authentication requests) in either of the following situations:
  • When a client initiates authentication, the device sends a unicast Request/Identity packet to the client and starts the tx-period timer. If the client does not respond within the period set by the timer, the device retransmits the authentication request.
  • To authenticate the 802.1X clients that cannot initiate authentication, the device periodically sends multicast Request/Identity packets through the 802.1X-enabled interface to the clients at the interval set by the tx-period timer.
If a request packet has been sent for the maximum number of times (configured using the dot1x retry max-retry-value command) and no response is received from the client, the device stops sending the request packet.

In Figure 4-15, the device sends an authentication failure packet to the client after the EAP-Request/Identity packet times out. Generally, if the client fails to be authenticated, the device starts a backup mechanism (Portal authentication or granting specified access permission), so that the client can continue to access the network. If MAC address bypass authentication is disabled, the value of the timeout timer for EAP-Request/Identity packets is calculated as follows:

Timer value = (max-retry-value + 1) x tx-period-value

NOTE:

If MAC address bypass authentication is enabled, the value of the timeout timer for EAP-Request/Identity packets is configured using the dot1x timer mac-bypass-delay delay-time-value command.

Timer value = delay-time-value

Figure 4-15  802.1X authentication timeout process

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dot1x timer tx-period tx-period-value

    The interval for sending 802.1X authentication requests is configured.

    By default, the device sends 802.1X authentication requests at an interval of 30 seconds.

Configuring the 802.1X Authentication Timeout Timer After Which MAC Address Authentication Is Performed

Context

You can enable MAC address bypass authentication for terminals (such as printers) on which the 802.1X client software cannot be installed or used.

After MAC address bypass authentication is configured, the device performs 802.1X authentication first and starts the timer configured using the dot1x timer mac-bypass-delay delay-time-value command. If 802.1X authentication does not succeed before the timer expires, the device performs MAC address authentication on the user. You can run the dot1x retry max-retry-value command to set the number of times an authentication request is retransmitted to an 802.1X user. The retransmission interval is the integer part of the value calculated using the following formula: delay-time-value/(max-retry-value + 1).
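The following is an added worked example (not Huawei documentation or device code) that models the timeout rules from the previous section and this one: the EAP-Request/Identity timeout without MAC bypass, (max-retry-value + 1) x tx-period-value, and the mac-bypass-delay timer with its integer-part retransmission interval. The 30 s defaults are the ones the guide states; the page gives no default for dot1x retry, so max_retry must be supplied explicitly.

```python
from dataclasses import dataclass
from typing import Dict, List

# Added example, not Huawei code: models the 802.1X request timers described
# in this guide. Defaults of 30 s are the page's stated defaults; max_retry has
# no default because the page does not state one (assumption: caller sets it).


@dataclass
class Dot1xTimers:
    max_retry: int              # dot1x retry max-retry-value
    tx_period: int = 30         # dot1x timer tx-period (default 30 s)
    mac_bypass: bool = False    # MAC address bypass authentication enabled?
    mac_bypass_delay: int = 30  # dot1x timer mac-bypass-delay (default 30 s)

    def __post_init__(self) -> None:
        if self.max_retry < 0 or self.tx_period <= 0 or self.mac_bypass_delay <= 0:
            raise ValueError("timers must be positive and max_retry non-negative")


def request_timeout(t: Dot1xTimers) -> int:
    """Seconds from the first EAP-Request/Identity until the device gives up.

    Without MAC bypass: (max-retry-value + 1) x tx-period-value.
    With MAC bypass:    delay-time-value (the mac-bypass-delay timer).
    """
    if t.mac_bypass:
        return t.mac_bypass_delay
    return (t.max_retry + 1) * t.tx_period


def retransmit_interval(t: Dot1xTimers) -> int:
    """Gap between successive requests: tx-period, or the integer part of
    delay-time-value / (max-retry-value + 1) when MAC bypass is enabled."""
    if t.mac_bypass:
        return t.mac_bypass_delay // (t.max_retry + 1)
    return t.tx_period


def request_schedule(t: Dot1xTimers) -> List[int]:
    """Offsets in seconds at which the initial request and each retry go out."""
    step = retransmit_interval(t)
    return [i * step for i in range(t.max_retry + 1)]


def fallback(t: Dot1xTimers) -> str:
    """What the device does once request_timeout elapses with no client reply."""
    if t.mac_bypass:
        return "MAC address authentication"
    return "authentication failure (Portal or authorized access, if configured)"


def summarize(t: Dot1xTimers) -> Dict[str, object]:
    return {"schedule": request_schedule(t), "timeout": request_timeout(t),
            "fallback": fallback(t)}
```

Running summarize() for a port with and without MAC bypass shows how long an unauthenticated client sits in the request phase before the device falls back, which is what you tune when balancing onboarding delay against time spent in the pre-connection state.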

Figure 4-16  MAC address bypass authentication process

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dot1x timer mac-bypass-delay delay-time-value

    The 802.1X authentication timeout timer after which MAC address authentication is performed is configured.

    By default, the device performs MAC address authentication if 802.1X authentication is not successful within 30 seconds.

Configuring 802.1X-based Fast Deployment

Context

On an 802.1X network, downloading and upgrading the 802.1X client software on every client is a heavy workload for the administrator. The authentication-free network access and URL redirection functions can be configured to implement fast deployment of 802.1X clients.

Before 802.1X authentication succeeds, the client is allowed to access authentication-free resources only. If URL redirection is configured and the server providing the redirection belongs to the authentication-free resources, the device changes the URL entered by a user to the specified URL (for example, the URL of the 802.1X client download page), so the 802.1X client can be obtained and configured quickly.

Prerequisite

The server providing the URL redirection service has been configured as an authentication-free resource by following (Optional) Configuring Authentication Event Authorization Information or (Optional) Configuring Authorization Information for Authentication-free Users.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dot1x url url-string

    The URL redirection for 802.1X authentication is configured.

    By default, URL redirection for 802.1X authentication is not configured.

Disabling the Pre-connection Function

Context

When a user terminal connects to an NAC-enabled interface on the device, a pre-connection is set up between the terminal and the device. If the device is not configured to grant network access rights to users in the pre-connection or authentication failure state, users who fail to be authenticated remain in the pre-connection state by default. Because the device allows DHCP packets from pre-connection users to pass through, these users can still obtain IP addresses even though they have no network access rights, which wastes IP addresses and poses a network security risk.

You can run the undo authentication pre-authen-access enable command to disable the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state. This configuration ensures that the users cannot obtain IP addresses.

NOTE:

This function does not take effect for users who use Portal authentication or combined authentication (including Portal authentication).

This function does not take effect for users for whom authorization information is configured based on an authentication event.

If a terminal such as a MacBook laptop obtains an IP address but is not authenticated afterwards, it is recommended that you disable the pre-connection function on the device and then reconnect the terminal to the network.

If a user in the pre-connection state attempts to go online using DHCP packets that contain the Option 82 field but fails to go online, it is recommended that you disable, on the device, the function of keeping users who fail to be authenticated and have no network access rights in the pre-connection state.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run undo authentication pre-authen-access enable

    The pre-connection function is disabled.

    By default, the pre-connection function is enabled, that is, users who are not successfully authenticated and do not have any network access rights are in the pre-connection state.

Configuring the Function of Triggering 802.1X Authentication Through Multicast Packets Immediately After an Interface Goes Up

Context

By default, the device periodically multicasts EAP-Request/Identity packets to clients so that the clients are triggered to send EAPoL-Start packets for 802.1X authentication. If the device interface connecting to a client changes from Down to Up, the client has to wait for the next multicast before it sends EAPoL-Start packets again for 802.1X authentication, which takes a long time. You can enable the function of triggering 802.1X authentication through multicast packets immediately after the device interface goes Up, shortening the re-authentication time.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dot1x mc-trigger

    The function of triggering 802.1X authentication through multicast packets is enabled.

    By default, the function of triggering 802.1X authentication through multicast packets is enabled.

  3. Run dot1x mc-trigger port-up-send enable

    The function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up is enabled.

    By default, the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up is disabled.

Updated: 2019-10-21

Document ID: EDOC1000178117
