CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.

NAC Application

Context

After an authentication profile is bound to the interface or VAP profile, NAC is enabled in the interface or VAP profile. The device implements access control on users who go online through the interface or VAP profile.

An authentication profile uniformly manages NAC configuration. The authentication profile is bound to the interface or VAP profile view to enable NAC, implementing access control on the users in the interface or VAP profile. The authentication type of the users in the interface or VAP profile is determined by the access profile bound to the authentication profile. For details about how to configure an access profile, see Configuring an Access Profile.

When configuring NAC, pay attention to the following points:
  • Layer 2 physical interfaces, Layer 3 physical interfaces, routed main interfaces, VLANIF interfaces, WAN-side interfaces, port groups, and VAP profiles support NAC. The support for authentication types on different interfaces is as follows:
    • Layer 2 physical interfaces: 802.1X authentication, MAC address authentication, and Layer 2 Portal authentication
      NOTE:

      The Layer 2 physical interfaces of AR100&AR120&AR150&AR160&AR200 do not support Layer 2 Portal authentication, and support only 802.1X authentication in multicast mode.

    • Layer 3 physical interfaces and routed main interfaces: Layer 3 Portal authentication
      NOTE:

      Layer 3 Portal authentication is not supported in wireless scenarios.

    • VLANIF interfaces: Layer 2 Portal authentication, MAC address-prioritized Portal authentication in Fat AP Wi-Fi scenarios, and Layer 3 Portal authentication.
    • WAN-side interfaces: Layer 3 Portal authentication
  • Physical interfaces do not support multi-mode authentication modes containing Portal authentication.
  • When wireless users access the network through APs and NAC authentication is deployed for users, ensure that the APs themselves can be authenticated (for example, by adding the APs to static users). Otherwise, the wireless users cannot be authenticated.
  • NAC authentication cannot be enabled on both a Layer 2 Ethernet interface and the VLANIF interface that maps the VLAN of that Ethernet interface. Otherwise, users have no network access rights after connecting to the network. Likewise, in wireless scenarios NAC authentication cannot be enabled on both VAP profiles and VLANIF interfaces.

  • After enabling NAC on an interface, you cannot run the following commands on the interface. Similarly, after running the following commands on an interface, you cannot enable NAC on the interface.

    Command                        Function
    mac-limit                      Sets the maximum number of MAC addresses that can be learned by an interface.
    mac-address learning disable   Disables MAC address learning on an interface.
    port-security enable           Enables port security.

Prerequisites

An authentication profile has been configured. For details about how to configure an authentication profile, see Configuring an Authentication Profile.

Procedure

  • Enable NAC on an interface.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run authentication-profile authentication-profile-name

      The authentication profile is applied to the interface.

      By default, no authentication profile is applied to an interface.

    NOTE:
    In wireless access scenarios, pay attention to the following points:
    • When an authentication profile is bound to a Portal access profile, the authentication profile can be applied to a VLANIF interface or a WLAN-BSS interface (FAT-AP mode).
    • When both MAC and Portal access profiles are bound to an authentication profile and MAC address-prioritized Portal authentication is enabled, the authentication profile can be applied only to VLANIF interfaces.

  • Enable NAC in a VAP profile.
    1. Run system-view

      The system view is displayed.

    2. Run wlan

      The WLAN view is displayed.

    3. Run wlan ac

      The WLAN view is displayed.

    4. Run vap-profile name profile-name

      The VAP profile view is displayed.

    5. Run authentication-profile authentication-profile-name

      The authentication profile is applied to the VAP profile.

      By default, no authentication profile is applied to a VAP profile.

Verifying the Configuration

Run the display authentication interface interface-type interface-number command to view the configuration of the NAC authentication mode on an interface.
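
The placement rules above can be checked against a configuration draft before it is deployed. The following is an added example, not part of the original guide or Huawei tooling: it flags interfaces that combine authentication-profile with one of the three mutually exclusive commands, and access ports whose VLAN's VLANIF interface also has NAC enabled. The sample configuration, the profile name p1, and the use of port default vlan to identify the access VLAN are assumptions.

```python
import re

# Commands the guide lists as mutually exclusive with NAC on the same interface.
CONFLICTING = ("mac-limit", "mac-address learning disable", "port-security enable")

def parse_interfaces(config):
    """Return {interface name: [command lines]} from VRP-style configuration text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = "".join(line.split()[1:])   # "Vlanif 10" -> "Vlanif10"
            interfaces[current] = []
        elif not line or line == "#":
            current = None                        # '#' or blank line ends a block
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def audit_nac(config):
    """Return sorted findings for NAC placements the guide does not allow."""
    interfaces = parse_interfaces(config)
    nac = {name for name, cmds in interfaces.items()
           if any(c.startswith("authentication-profile ") for c in cmds)}
    findings = []
    for name in nac:
        for bad in CONFLICTING:
            if any(c == bad or c.startswith(bad + " ") for c in interfaces[name]):
                findings.append(f"{name}: NAC enabled together with '{bad}'")
        # Assumption: the access VLAN is set with 'port default vlan <id>'.
        for c in interfaces[name]:
            m = re.fullmatch(r"port default vlan (\d+)", c)
            if m and f"Vlanif{m.group(1)}" in nac:
                findings.append(f"{name}: NAC also enabled on Vlanif{m.group(1)}")
    return sorted(findings)

# Constructed sample draft; interface numbers, VLANs and profile name are made up.
SAMPLE = """#
interface Vlanif10
 authentication-profile p1
#
interface GigabitEthernet0/0/1
 port default vlan 10
 authentication-profile p1
#
interface GigabitEthernet0/0/2
 port default vlan 20
 port-security enable
 authentication-profile p1
#
"""

if __name__ == "__main__":
    print("\n".join(audit_nac(SAMPLE)))
```

Trunk and hybrid ports are not covered; only the access VLAN is compared against VLANIF interfaces.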

Updated: 2019-08-07

Document ID: EDOC1100034077
