S600-E V200R013C00 Configuration Guide - User Access and Authentication

This document describes the user access and authentication configurations, including AAA, NAC, and Policy Association.

Configuring a MAC Access Profile

Creating a MAC Access Profile

Context

The device uses MAC access profiles to uniformly manage the access configurations of MAC address authentication users. Before configuring MAC address authentication, you must create a MAC access profile.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run mac-access-profile name access-profile-name

    A MAC access profile is created and the MAC access profile view is displayed.

    By default, the device has the built-in MAC access profile mac_access_profile.

    NOTE:
    • The compatibility profile converted after an upgrade is not counted in the configuration specification. The built-in MAC access profile mac_access_profile can be modified and applied, but cannot be deleted.
    • Before deleting a MAC access profile, ensure that this profile is not bound to any authentication profile.

Configuring a MAC Access Profile

Context

After creating a MAC access profile, you need to configure it. Select an authentication mode (PAP or CHAP) based on the performance of the device and the authentication server and on your security requirements. During MAC address authentication the user does not enter a user name or password; instead, the user name format and password used for MAC address authentication must be configured on the device in advance.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run mac-access-profile name access-profile-name

    The MAC access profile view is displayed.

  3. Run mac-authen authentication-method { chap | pap }

    An authentication mode is configured for MAC address authentication users.

    By default, the authentication mode of MAC address authentication users is PAP.

  4. Run mac-authen username { fixed username [ password cipher password ] | macaddress [ format { with-hyphen [ normal ] [ colon ] | without-hyphen } [ uppercase ] [ password cipher password ] ] | dhcp-option option-code { circuit-id | remote-id } * [ separate separate ] [ format-hex ] password cipher password }

    The user name format is configured for MAC address authentication.

    By default, a MAC address without hyphens (-) or colons (:) is used as the user name and password for MAC address authentication.

    NOTE:
    • When configuring the user name format for MAC address authentication, ensure that the authentication server supports the user name format.

    • If MAC address authentication is enabled on a VLANIF interface, an Eth-Trunk, or a port group, and MAC address authentication users use fixed user names, a password must be configured. If MAC address authentication is enabled in a port group and MAC addresses are used as user names, a password cannot be configured. If MAC address authentication is enabled on a VLANIF interface, the user name for MAC address authentication cannot be set to DHCP option information.

    • When user names for MAC address authentication are in the DHCP option format, DHCP Option82 cannot be configured in the extend format or in a customized (non-character-string) format using the dhcp option82 format command.

  5. (Optional) Configure the types of packets that can trigger MAC address authentication.

    1. Run authentication trigger-condition { dhcp | arp | dhcpv6 | nd | any-l2-packet } *

      The types of packets that can trigger MAC address authentication are configured.

      By default, DHCP, DHCPv6, ND, and ARP packets can trigger MAC address authentication.

    2. Run authentication trigger-condition dhcp dhcp-option option-code

      The device is configured to send DHCP option information to the authentication server after receiving DHCP packets that trigger MAC address authentication.

      By default, the device does not send DHCP option information to the authentication server after receiving DHCP packets that trigger MAC address authentication.

    3. Run mac-authen offline dhcp-release

      The device is configured to clear user entries after receiving DHCP Release packets from MAC address authentication users.

      By default, the device does not clear user entries after receiving DHCP Release packets from MAC address authentication users.

  6. (Optional) Run mac-authen trigger dhcp-binding

    The device is configured to automatically generate DHCP snooping binding entries after static IP users pass MAC address authentication or when the users are in pre-connection state.

    By default, the device does not automatically generate DHCP snooping binding entries after static IP users pass MAC address authentication or when the users are in pre-connection state.
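The creation and configuration steps above combined into one CLI session, as an added worked example that is not part of the Huawei guide. The profile name mac_profile_lab and the password YourPassword@123 are constructed placeholders; CHAP instead of the default PAP, a hyphenated uppercase MAC user name with a dedicated password (assumed to be the format the authentication server expects), DHCP and ARP as the only trigger packets, and clearing entries on DHCP Release are illustrative choices, not defaults. Lines beginning with "#" are annotations, not CLI input.

```text
# Added example, not from the Huawei guide. "#" lines are annotations only.
system-view
# Create the profile (constructed name) and enter its view.
mac-access-profile name mac_profile_lab
# CHAP instead of the default PAP so the password is not sent in clear text
# to the server; the server must support CHAP for MAC authentication users.
mac-authen authentication-method chap
# User name = MAC address as XX-XX-XX-XX-XX-XX in uppercase, with a dedicated
# password (constructed) rather than the default of reusing the MAC address.
# Must match the user name format the authentication server is configured for.
mac-authen username macaddress format with-hyphen uppercase password cipher YourPassword@123
# Only DHCP and ARP packets trigger authentication (default also has dhcpv6 and nd).
authentication trigger-condition dhcp arp
# Remove the user entry when the client sends a DHCP Release.
mac-authen offline dhcp-release
quit
# Verify what was actually stored in the profile.
display mac-access-profile configuration name mac_profile_lab
```

Two caveats from the notes above apply to this example: the password option on the macaddress user name form cannot be used when the profile serves a port group, and the MAC address is visible to anyone on the same segment, so the default of using it as the password offers no secrecy; a dedicated password is preferable where the deployment allows it. Binding the profile to an authentication profile and applying it to an interface are separate steps not shown here.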

(Optional) Configuring Re-authentication for Online MAC Address Authentication Users

Context

If the administrator modifies parameters such as access rights and authorization attributes of an online user on the authentication server, the user must be re-authenticated to ensure user validity.

If re-authentication is configured for online MAC address authentication users, the device sends the saved authentication parameters of an online user to the authentication server for re-authentication. The device saves user authentication information after users go online. If the user authentication information on the authentication server remains unchanged, the user remains online. If the information has been modified, the user is disconnected and needs to be re-authenticated.

NOTE:

MAC address authentication users who go online through a VLANIF interface do not support re-authentication.

If the device is connected to a server for re-authentication and the server replies with a re-authentication deny message that makes an online user go offline, it is recommended that you locate the cause of the re-authentication failure on the server or disable the re-authentication function on the device.

The device re-authenticates MAC address authentication users in the following modes:
  • The device periodically re-authenticates, at a configurable interval, the users that went online through a specified MAC access profile.
    NOTE:
    After this function is configured, many MAC address authentication logs will be generated.
  • The device re-authenticates MAC address authentication users when receiving DHCP lease renewal packets from the users. This mode takes effect only after the device is configured to trigger MAC address authentication through DHCP packets.
  • The device is manually configured to re-authenticate a user with a specified MAC address once.

Procedure

  • Configuring periodic re-authentication
    1. Run system-view

      The system view is displayed.

    2. Run mac-access-profile name access-profile-name

      The MAC access profile view is displayed.

    3. Run mac-authen reauthenticate

      Re-authentication is enabled for online MAC address authentication users.

      By default, re-authentication for online MAC address authentication users is disabled.

    4. (Optional) Run mac-authen timer reauthenticate-period reauthenticate-period-value

      The re-authentication interval is configured for online MAC address authentication users.

      By default, the re-authentication interval is 1800 seconds for online MAC address authentication users.

      NOTE:

      It is recommended that the re-authentication interval be set to the default value. If multiple ACLs need to be delivered during user authorization, you are advised to disable the re-authentication function or set a longer re-authentication interval to improve the device's processing performance.

      In remote authentication and authorization, if the re-authentication interval is set to a shorter time, the CPU usage may be higher.

      To reduce the impact on device performance when many users are online, the actual re-authentication interval may be longer than the configured re-authentication interval.

  • Configuring re-authentication triggered by DHCP lease renewal packets
    1. Run system-view

      The system view is displayed.

    2. Run mac-access-profile name access-profile-name

      The MAC access profile view is displayed.

    3. Run mac-authen reauthenticate dhcp-renew

      The device is enabled to re-authenticate MAC address authentication users when receiving DHCP lease renewal packets from the users.

      By default, the device does not re-authenticate MAC address authentication users when receiving DHCP lease renewal packets from the users.

  • Configuring single-time re-authentication
    1. Run system-view

      The system view is displayed.

    2. Run mac-authen reauthenticate mac-address mac-address

      The device is manually configured to re-authenticate a user with a specified MAC address once.
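The three re-authentication modes above in one session, as an added worked example that is not part of the Huawei guide. The profile name mac_profile_lab and the MAC address 0011-2233-4455 are constructed placeholders, and the example assumes the profile already has dhcp among its authentication trigger-condition packet types, since DHCP-renew re-authentication only takes effect in that case. Lines beginning with "#" are annotations, not CLI input.

```text
# Added example, not from the Huawei guide. "#" lines are annotations only.
system-view
# Enter the existing profile (constructed name).
mac-access-profile name mac_profile_lab
# Periodic re-authentication of online users of this profile (default: disabled).
mac-authen reauthenticate
# Keep the recommended default interval of 1800 seconds; stated explicitly only
# to show the command. Shorter values raise CPU usage in remote authentication.
mac-authen timer reauthenticate-period 1800
# Also re-authenticate when a client renews its DHCP lease. Assumes dhcp is one
# of the configured trigger-condition packet types for this profile.
mac-authen reauthenticate dhcp-renew
quit
# One-off re-authentication of a single online user (constructed MAC address),
# run from the system view, for example after changing its authorization on the server.
mac-authen reauthenticate mac-address 0011-2233-4455
# Confirm the re-authentication settings stored in the profile.
display mac-access-profile configuration name mac_profile_lab
```

Periodic re-authentication generates a log line per user per cycle, so on a switch with many users expect a large volume of MAC address authentication logs; the single-MAC form is the lower-noise option when only one user's server-side attributes changed.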

Verifying the MAC Access Profile Configuration

Context

After configuring a MAC access profile, run the following command to check the configuration.

Procedure

  • Run the display mac-access-profile configuration [ name access-profile-name ] command to check the configuration of the MAC access profile.
Updated: 2019-04-20

Document ID: EDOC1100066170
