S600-E V200R013C00 Configuration Guide - User Access and Authentication

This document describes User Access and Authentication configuration, including AAA, NAC, and Policy Association.
Multi-mode Authentication

MAC Address Bypass Authentication

The combination of 802.1X authentication and its fallback mechanism MAC address authentication is called MAC address bypass authentication. With this feature, dumb terminals such as printers and fax machines can connect to the network through MAC address authentication. Figure 2-38 shows the MAC address bypass authentication process.

Authentication Process
Figure 2-38  MAC address bypass authentication process
  1. When an interface of the access device where MAC address bypass authentication is enabled receives a packet from the terminal, 802.1X authentication is first performed for the terminal.
  2. The access device sends an EAP-Request/Identity packet to request the user's client program to send the entered user name.
  3. If the access device does not receive any response packet within the retransmission interval, it resends EAP-Request/Identity packets until the configured retransmission count is reached.
  4. If all requests go unanswered, the access device sends an EAP Failure packet to the terminal.
  5. In this case, 802.1X authentication times out. The access device sends the user name and password to the RADIUS server for MAC address authentication.
  6. The RADIUS server compares the received user name and password with the locally saved user name and password. If they are the same, MAC address authentication succeeds and the RADIUS server sends a RADIUS Access-Accept packet to the device.

MAC Address-Prioritized Portal Authentication

After passing Portal authentication, STAs may be disconnected from a wireless network frequently when they move from one wireless signal coverage area to another or when wireless signals are unstable. MAC address-prioritized Portal authentication allows these STAs to access the WLAN again, without the need to enter the user name and password.

Authentication Process

On the network shown in Figure 2-39, when a client is to be authenticated for the first time, the access device sends the client's MAC address to the RADIUS server. However, authentication fails because the RADIUS server does not find the client's MAC address. Then Portal authentication is triggered for the client. After successful Portal authentication, the RADIUS server saves the client's MAC address. When the client attempts to connect to the wireless network after unexpected logout due to unstable wireless signals or switching between different signal coverage areas, the access device sends the client's MAC address to the RADIUS server for identity authentication.

  • If the client's MAC address is stored on the RADIUS server, the RADIUS server verifies the user name and password (both are the client's MAC address) and authorizes the client. Then the client can access the network without entering the user name and password.
  • If the client's MAC address has expired on the RADIUS server and the RADIUS server has deleted the client's MAC address, MAC address authentication fails. The access device then pushes the Portal authentication page to the client. The client user needs to enter the user name and password to pass identity authentication.
Figure 2-39  MAC address-prioritized Portal authentication process

MAC Address Authentication in the Scenario Where a Portal Server Is Deployed

Only MAC address authentication needs to be configured on an access device when it is connected to a Cisco ISE server in Central Web Authentication (CWA) mode or an Aruba ClearPass server in Server-Initiated mode and this third-party server acts as the Portal server. The RADIUS server and Portal server work together to display the Portal authentication page. When the Portal server receives an authentication request from a client, it does not initiate Portal authentication itself. Instead, it instructs the RADIUS server to authenticate the client's MAC address again.

Authentication Process

Figure 2-40 shows packet exchange in the MAC address authentication process in the scenario where a Portal server is deployed.

Figure 2-40  MAC address authentication in the scenario where a Portal server is deployed
  1. After a client connects to a wireless network, the access device sends an Access-Request packet to the RADIUS server for MAC address authentication.
  2. The RADIUS server checks for the client's MAC address in its cache. If the client's MAC address is not found (in the case of initial authentication or cache timeout), the RADIUS server sends a reply indicating authentication success and delivers initial authorization information, redirection ACL, and redirection URL to the access device. The initial authorization allows access only to the Portal server, DNS server, and DHCP server. The redirection URL allows the access device to redirect HTTP requests from the client to the Portal server login page. If the client's MAC address is found in the cache, the RADIUS server grants complete access permissions to the client.
  3. The client obtains an IP address. If the user attempts to access an unauthorized web page through a browser, the access device redirects the HTTP request of the client to the Portal server login page (that is, the redirection URL).
  4. The user enters the user name and password on the Portal authentication page to initiate an authentication request to the Portal server.
  5. The Portal server checks the user name and password. If they are correct, the Portal server instructs the RADIUS server to perform MAC address reauthentication for the client. If the user name or password is incorrect, MAC address reauthentication is not performed.
  6. The RADIUS server sends a DM or CoA message to the access device so that the access device performs MAC address reauthentication for the client.
  7. The access device sends the MAC address authentication request to the RADIUS server.
  8. The RADIUS server checks whether the client has been authenticated. If so, the RADIUS server grants the client complete network access permissions in the Access-Accept packet. The client then can access the Internet. If authentication fails, the client is redirected to the authentication failure page.
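The server-side decisions behind both MAC address-prioritized Portal authentication (Figure 2-39) and MAC address authentication with a CWA-style Portal server (Figure 2-40), as one added model that is not vendor code: a MAC cache with a lifetime decides between full access, a redirect-only authorization, or a reject, and a successful Portal login populates the cache so that the reauthentication in steps 6 to 8 succeeds. The cache lifetime, the authorization attribute names and the account table are constructed assumptions.

```python
class MacCache:
    """Constructed model of the RADIUS server's MAC address cache with a lifetime."""
    def __init__(self, lifetime_s):
        self.lifetime_s = lifetime_s
        self._entries = {}                      # mac -> time the entry was stored

    def store(self, mac, now):
        self._entries[mac] = now

    def lookup(self, mac, now):
        stored = self._entries.get(mac)
        if stored is None:
            return False
        if now - stored > self.lifetime_s:      # expired: delete it, so MAC auth misses
            del self._entries[mac]
            return False
        return True

# Assumed authorization contents; real attribute names and ACL syntax are server specific.
PORTAL_ONLY = {"result": "Access-Accept",
               "acl": "permit portal,dns,dhcp only",      # initial authorization
               "redirect_url": "https://portal.example/login"}
FULL_ACCESS = {"result": "Access-Accept", "acl": "permit any"}
REJECT = {"result": "Access-Reject"}

def mac_prioritized_portal(cache, mac, now):
    """Figure 2-39: a cache hit authorizes the client (user name and password are
    the MAC); a miss is an authentication failure that triggers Portal authentication."""
    return FULL_ACCESS if cache.lookup(mac, now) else REJECT

def cwa_mac_auth(cache, mac, now):
    """Figure 2-40, step 2: a miss still answers Access-Accept, but only with the
    redirect ACL and redirect URL; a hit grants complete access."""
    return FULL_ACCESS if cache.lookup(mac, now) else PORTAL_ONLY

def portal_login(cache, mac, credentials, user_db, now):
    """Portal server side, step 5: check the user name and password. On success the
    MAC is cached and the RADIUS server would send CoA to trigger reauthentication;
    on failure nothing is cached and no reauthentication is triggered."""
    user, pwd = credentials
    if user_db.get(user) != pwd:
        return False
    cache.store(mac, now)
    return True
```

The two `now` arguments make the expiry behaviour deterministic, which is also what you want when testing how a client is handled once its cache entry has aged out.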
Updated: 2019-04-20

Document ID: EDOC1100066170