S600-E V200R013C00 Configuration Guide - User Access and Authentication

This document describes the configurations of User Access and Authentication Configuration, including AAA, NAC, and Policy Association.
(Optional) Configuring the Device to Automatically Generate the DHCP Snooping Binding Table for Static IP Users

Context

Unauthorized users may change their MAC addresses to those of authorized users. Once an authorized user has connected through 802.1X authentication, such an unauthorized user obtains the same identity and connects to the network without authenticating, which creates authentication and accounting security risks. After accessing the network, the unauthorized user can also launch ARP spoofing attacks by sending bogus ARP packets; the device then records incorrect ARP entries, severely disrupting communication between authorized users. To prevent these attacks, configure IPSG and DAI. Both functions rely on binding tables. For static IP users, you can run the user-bind static command to configure the static binding table; however, when there are many static IP users, configuring static binding entries one by one is time-consuming.

To reduce the workload, you can configure the device to automatically generate the DHCP snooping binding table for static IP users. After the static IP users who pass 802.1X authentication send EAP packets to trigger generation of the user information table, the device automatically generates the DHCP snooping binding table based on the MAC address, IP address, and interface recorded in the table.

Before configuring the device to generate the DHCP snooping binding table for static IP users, you must have enabled 802.1X authentication and DHCP snooping globally and on interfaces using the dot1x enable and dhcp snooping enable commands.

NOTE:
  • The EAP protocol does not define a standard attribute for carrying IP address information. Therefore, if the EAP request packet sent by a static IP user does not contain an IP address, the IP address in the DHCP snooping binding table is taken from the user's first ARP request packet whose MAC address matches the user information table, after the user passes authentication. On a network, unauthorized users may forge authorized users' MAC addresses to launch ARP spoofing attacks against the device, so a DHCP snooping binding table generated this way may be unreliable. For this reason, the dot1x trigger dhcp-binding command is not recommended; you are advised to run the user-bind static command to configure the static binding table instead.

  • For users who are assigned IP addresses using DHCP, you do not need to run the dot1x trigger dhcp-binding command on the device. The DHCP snooping binding table is generated through the DHCP snooping function.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run dot1x trigger dhcp-binding

    The device is configured to automatically generate the DHCP snooping binding table after static IP users pass 802.1X authentication.

    By default, the device does not automatically generate the DHCP snooping binding table after static IP users pass 802.1X authentication.

Verifying the Configuration

You can run the display dhcp snooping user-bind command to check the DHCP snooping binding table that is generated by the device for static IP users who pass 802.1X authentication. The DHCP snooping binding table generated using this function will be deleted after the users are disconnected.

Follow-up Procedure

After the DHCP snooping binding table has been generated, configure IPSG and DAI to prevent attacks from unauthorized users.
  • In the interface view, run the ip source check user-bind enable command to enable IPSG.

  • In the interface view, run the arp anti-attack check user-bind enable command to enable DAI.
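The prerequisites, the procedure, the follow-up commands and the verification step on a single interface, as an added example that is not part of the original guide. The prompt, the interface name GigabitEthernet 0/0/1, the VLAN, the sample addresses and the parameter syntax of user-bind static are assumptions; only the commands named on this page are used.

```text
# Added example, not from the original guide. Interface, VLAN, addresses and
# the user-bind static parameter syntax are assumptions for illustration.
<HUAWEI> system-view

# Prerequisites: 802.1X and DHCP snooping enabled globally and on the interface
[HUAWEI] dot1x enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface GigabitEthernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dot1x enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable

# Step 3: derive DHCP snooping binding entries for static IP users that pass
# 802.1X (entries are removed again when the user disconnects)
[HUAWEI-GigabitEthernet0/0/1] dot1x trigger dhcp-binding

# Follow-up: let IPSG and DAI check traffic against the binding table
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind enable
[HUAWEI-GigabitEthernet0/0/1] quit

# Verification: list the binding entries generated for authenticated users
[HUAWEI] display dhcp snooping user-bind

# Recommended alternative from the NOTE above: a static binding entry that
# does not depend on the user's first ARP request (sample values, syntax assumed)
[HUAWEI] user-bind static ip-address 192.0.2.10 mac-address 0001-0002-0003 interface GigabitEthernet 0/0/1 vlan 10
```

When the EAP request carries no IP address, the automatically generated entry is only as trustworthy as the first matching ARP request, so the static entry at the end is the form the guide recommends where the user population is small enough to maintain by hand.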

Updated: 2019-04-20

Document ID: EDOC1100066170