CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.

Licensing Requirements and Limitations for NAC

Involved Network Elements

Table 3-2  Components involved in NAC networking

| Component | Product Model | Description |
|---|---|---|
| AAA server | Huawei servers or third-party AAA servers | Performs authentication, accounting, and authorization on users. |
| Portal server | Huawei servers or third-party Portal servers | Receives authentication requests from Portal clients, provides free portal services and an interface based on web authentication, and exchanges authentication information of the authentication clients with access devices. This component is required only in external Portal authentication mode. |

Licensing Requirements

NAC is a basic feature of the device and is not under license control.

Feature Limitations

When deploying NAC on the router, pay attention to the following:
  • The 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards do not support NAC.

  • When the RADIUS server authorizes an ACL for NAC authentication users, the authorized ACL can support a maximum of 16 ACL rules. If more than 16 ACL rules are configured on the device, only the first 16 rules take effect.

  • You can run the display access-user user-id command to view the rate limiting parameter values delivered by the RADIUS server. If only the CIR value for rate limiting is set on the RADIUS server and the other rate limiting parameters (CBS or PBS) are not set, the access control device obtains the missing values based on empirical value verification.

    The values that the access control device obtains when it verifies rate limiting parameters delivered by the RADIUS server differ from the values it obtains when it verifies rate limiting parameters delivered by the QoS profile.

  • If a terminal uses Portal authentication or multi-mode authentication (including Portal authentication), the device cannot grant VLAN-based authorization to the terminal. If a terminal obtains VLAN-based authorization, you need to manually trigger the DHCP process to request an IP address.
  • If a terminal has both IPv4 and IPv6 addresses, only the IPv4 address can be used for user detection and update of the user entry corresponding to the IPv6 address. The IPv6 address cannot be used for update of the user entry corresponding to the IPv4 address.
  • In the Portal authentication scenario, users may authenticate with spoofed IP addresses, which poses a security risk. You are advised to configure attack defense functions such as IPSG and DHCP snooping to avoid this risk.
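
The 16-rule limit on RADIUS-authorized ACLs means any rule past the sixteenth is silently ignored, including a trailing deny. The following pre-deployment check is an added example, not part of the Huawei documentation. It assumes the ACL is exported in the `acl number N` / ` rule ID permit|deny ...` text form and that "first 16" follows the order in which rules are listed; the sample configuration is constructed.

```python
import re

MAX_AUTHORIZED_RULES = 16  # limit stated in the feature limitations above

# Assumed export format: "acl number 3001" or "acl name NAME ...", rules indented.
ACL_RE = re.compile(r"^acl\s+(?:number\s+(\d+)|name\s+(\S+))")
RULE_RE = re.compile(r"^\s+rule\s+(\d+)\s+(permit|deny)\b(.*)$")

def parse_acls(config_text):
    """Return {acl_id: [(rule_id, action, match_text), ...]} in listed order."""
    acls, current = {}, None
    for line in config_text.splitlines():
        m = ACL_RE.match(line)
        if m:
            current = m.group(1) or m.group(2)
            acls.setdefault(current, [])
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            acls[current].append((int(m.group(1)), m.group(2), m.group(3).strip()))
        elif line and not line.startswith(" "):
            current = None  # an unindented line ("#", next section) ends the ACL view
    return acls

def audit(config_text, limit=MAX_AUTHORIZED_RULES):
    """Report ACLs whose rules beyond `limit` would not take effect when authorized."""
    findings = {}
    for acl_id, rules in parse_acls(config_text).items():
        ignored = rules[limit:]
        if ignored:
            findings[acl_id] = {
                "total": len(rules),
                "ignored_rule_ids": [r[0] for r in ignored],
                # Ignored deny rules are the dangerous case: access stays open.
                "ignored_deny_ids": [r[0] for r in ignored if r[1] == "deny"],
            }
    return findings

# Constructed sample: ACL 3001 has 16 permits plus 2 denies, ACL 3002 has 2 rules.
SAMPLE_CONFIG = "acl number 3001\n" + "".join(
    f" rule {5 * i} permit ip destination 10.1.{i}.0 0.0.0.255\n" for i in range(1, 17)
) + (" rule 85 deny ip destination 10.9.0.0 0.0.255.255\n rule 90 deny ip\n#\n"
     "acl number 3002\n rule 5 permit ip destination 10.2.0.0 0.0.255.255\n"
     " rule 10 deny ip\n")

if __name__ == "__main__":
    for acl_id, info in audit(SAMPLE_CONFIG).items():
        print(f"ACL {acl_id}: {info['total']} rules, ignored {info['ignored_rule_ids']}, "
              f"ignored deny rules {info['ignored_deny_ids']}")
```
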
Updated: 2019-08-07

Document ID: EDOC1100034077
