CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
HACA AAA

Overview of HACA

Small- and medium-sized enterprises usually have small networks, dispersed sites, and a relatively small number of concurrent users. Huawei provides the Cloud Managed Network Solution, which serves small- and medium-sized enterprises over the public network. This solution supports centralized multi-tenant management, plug-and-play network devices, and batch network service deployment. Compared with the architecture and deployment modes of traditional networks, it offers a shorter network deployment period, lower maintenance costs, and better network scalability.

Generally, the CloudCampus Solution uses Portal authentication. Because the authentication server is located in the cloud, packets between the device and the server must traverse a NAT device, but Portal protocol packets cannot traverse NAT. HACA carries the communication between the device and the server so that Portal authentication can still be performed. Only a Huawei Agile Controller server can be used as an HACA server.

HACA is based on the mobile Internet protocol HTTP/2.
  • HACA supports Portal authentication or MAC address-prioritized Portal authentication.

  • HACA does not support administrative access, IPsec, SSL VPN, IP session, PPPoE, L2TP, VM, 802.1X, and independent MAC address authentication.

  • HACA does not support wired user access.

HACA Packets

Service packets carry the messages exchanged between devices and the HACA server. The following table describes the service packet types identified by the msgType field.

Table 1-29  HACA service packet types

| Service Packet Type | msgType | Description |
|---|---|---|
| Registration request packet | 1 | After setting up an HTTP/2 persistent connection with an HACA server, a device sends this packet to the HACA server to register device information. |
| Registration response packet | 2 | The HACA server sends this packet to the device, indicating that the persistent connection has been set up successfully and they can exchange service packets. |
| Authentication request packet | 3 | The device sends this packet to the HACA server. The HACA server determines whether to permit the access based on the user information carried in this packet. |
| Authentication response packet | 4 | The HACA server sends an authentication response packet to the device. If all attributes in the authentication request packet are acceptable, the server considers that the user has passed authentication and sends this packet. After receiving it, the device grants network access rights to the user. |
| Proactive authorization request packet | 6 | The HACA server sends this packet to the device after the user passes authentication. |
| Proactive authorization response packet | 5 | The device sends this packet to the HACA server and modifies the user rights. |
| Accounting-start request packet | 7 | The device sends this packet to the HACA server when the user starts to access network resources. |
| Accounting response packet | 8 | After receiving and recording an accounting-start request packet, the HACA server returns an accounting response packet. |
| Logout notification packet | 9 | If the HACA server logs out the user, the device sends a logout notification packet; the HACA server does not need to reply. If accounting has been performed for the user, the packet carries accounting information. |
| Logout request packet | 11 | If the device triggers user logout, it sends a logout request packet to the HACA server. If the HACA server triggers user logout, it sends this packet to notify the device that the specified user has logged out. |
| Logout response packet | 12 | If the device triggers user logout, the HACA server sends a logout response packet to the device. If the HACA server triggers user logout, the device sends a logout response packet to the HACA server and releases the related authorization entry. |
| User synchronization request packet | 13 | User information can be periodically synchronized between the HACA server and the device to keep it consistent. Either the device or the HACA server sends a user synchronization request packet to trigger synchronization. |
| User synchronization response packet | 14 | When the device or HACA server triggers user information synchronization, the peer end returns a user synchronization response packet. |
| CoA-Request packet | 16 | When an administrator needs to modify the rights of an online user (for example, to prohibit the user from accessing a website), the HACA server sends this packet to the device, requesting it to modify the user rights. |
| CoA-Response packet | 15 | If the device successfully modifies the user rights, it sends this packet to the HACA server. |

HACA Authentication, Authorization, and Accounting Process

HACA only supports MAC address-prioritized Portal authentication. The Agile Controller server deployed on the cloud acts as an external Portal server and an HACA server to provide authentication and accounting services. A router acts as a Fat AP to provide wireless access. It also acts as an authentication point and works with the HACA server to authenticate STAs. User authorization information is configured on the HACA server. After a user passes authentication, the HACA server authorizes network access rights to the user. Figure 1-24 shows the HACA authentication, authorization, and accounting process.

Figure 1-24  HACA authentication, authorization, and accounting process

  1. An access device sets up a persistent connection and registers with the HACA server using HTTP/2.
  2. The client and device set up a pre-connection before authentication.
  3. The client initiates an authentication request using HTTP. The HACA server provides a web page for the client to enter the user name and password for authentication.
  4. The device and HACA server exchange authentication packets.
  5. After the client passes authentication, the HACA server sends an authorization packet to authorize network access rights to the client.
  6. When the client starts to access network resources, the access device sends an accounting-start request packet to the HACA server.
  7. The HACA server sends an accounting response packet to the access device and starts accounting.
  8. (Optional) If real-time accounting is enabled, the access device periodically sends real-time accounting request packets to the HACA server, preventing incorrect accounting results caused by unexpected user disconnection.
  9. (Optional) The HACA server returns real-time accounting response packets and performs real-time accounting.
  10. The client sends a logout request.
  11. The HACA server sends a logout request packet to the access device.
  12. The access device sends a logout response packet to the HACA server.
  13. The access device sends an accounting-stop request packet to the HACA server.
  14. The HACA server sends an accounting-stop response packet to the access device and stops accounting.
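The following is an added example, not Huawei's code, that models the device side of the exchange in Table 1-29 and the process above: it only accepts service packets once registered, ignores authentication responses it never requested, applies proactive authorization and CoA only to authenticated users, and releases the authorization entry on a server-triggered logout. The dict-based message body and the "user", "result" and "acl" keys are assumptions; the page specifies only the msgType field.

```python
from dataclasses import dataclass, field

# msgType values as listed in Table 1-29
REG_REQ, REG_RSP = 1, 2
AUTH_REQ, AUTH_RSP = 3, 4
AUTHZ_RSP, AUTHZ_REQ = 5, 6          # server-initiated proactive authorization
ACCT_START_REQ, ACCT_RSP = 7, 8
LOGOUT_REQ, LOGOUT_RSP = 11, 12
COA_RSP, COA_REQ = 15, 16            # server-initiated change of authorization


@dataclass
class HacaDevice:
    """Device-side state for one HTTP/2 persistent connection (assumed model)."""
    registered: bool = False
    pending: set = field(default_factory=set)      # users awaiting an AUTH_RSP
    online: dict = field(default_factory=dict)     # user -> authorization entry

    def send(self, msg_type, user=None):
        """Device -> server. Returns the packet, or raises on a protocol violation."""
        if msg_type == REG_REQ:
            return {"msgType": REG_REQ}
        if not self.registered:
            raise RuntimeError("service packets require a registered connection")
        if msg_type == AUTH_REQ:
            self.pending.add(user)
        elif msg_type == ACCT_START_REQ and user not in self.online:
            raise RuntimeError("accounting-start is only sent for authorized users")
        return {"msgType": msg_type, "user": user}

    def receive(self, msg):
        """Server -> device. Returns the device's reply, or None if no reply is due."""
        t, user = msg["msgType"], msg.get("user")
        if t == REG_RSP:
            self.registered = True
        elif t == AUTH_RSP:
            if user not in self.pending:          # unsolicited response: drop it
                return None
            self.pending.discard(user)
            if msg.get("result") == "accept":     # assumed attribute name
                self.online[user] = {"acl": None}
        elif t in (AUTHZ_REQ, COA_REQ) and user in self.online:
            self.online[user]["acl"] = msg.get("acl")   # modify rights of an online user
            reply = AUTHZ_RSP if t == AUTHZ_REQ else COA_RSP
            return {"msgType": reply, "user": user}
        elif t == LOGOUT_REQ and user in self.online:
            del self.online[user]                 # release the authorization entry
            return {"msgType": LOGOUT_RSP, "user": user}
        return None                               # unknown or out-of-state packet
```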
Updated: 2019-05-20

Document ID: EDOC1100034077