S600-E V200R013C00 Configuration Guide - User Access and Authentication

This document describes the User Access and Authentication configurations, including AAA, NAC, and Policy Association.
Licensing Requirements and Limitations for NAC Common Mode

Involved Network Elements

Table 3-1  Components involved in NAC networking

Role: AAA server
  Product model: Huawei server or third-party AAA server
  Description: Performs authentication, accounting, and authorization for users.

Role: Portal server
  Product model: Huawei server or third-party Portal server
  Description: Receives authentication requests from Portal clients, provides free portal services and the web authentication page, and exchanges client authentication information with access devices. This component is required only in external Portal authentication mode.

NOTE:

When Huawei's Agile Controller-Campus functions as a server, its version must be V100R001, V100R002, or V100R003.

When a Huawei switch functions as a DHCP server and assigns IP addresses to terminals based on the static MAC-IP bindings delivered by the Agile Controller-Campus, the Agile Controller-Campus must run V100R002 or V100R003.

Licensing Requirements

NAC common mode is a basic feature of a switch and is not under license control.

Version Requirements

Table 3-2  Products and versions supporting NAC common mode

Product model: S600-E
  Software version: V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00

NOTE:
For details about software mappings, visit Hardware Query Tool and search for the desired product model.

Feature Limitations

Limitations related to NAC modes:
  • Compared with the common mode, the unified mode uses a modular configuration, which makes the configuration clearer and the configuration model easier to understand. Given these advantages, you are advised to deploy NAC in unified mode.
  • In versions earlier than V200R007C00, after you switch between the common mode and the unified mode, you must save the configuration file and restart the device manually for the new configuration mode to take effect. In V200R007C00 and later versions, the device automatically saves the configuration file and restarts after the mode is switched.
  • In the unified mode, commands supported only in the common mode are unavailable; in the common mode, commands supported only in the unified mode are unavailable. After the configuration mode is switched, commands supported by both modes still take effect.
The configuration notes about authentication are as follows:
  • In the 802.1X authentication scenario, if there is a Layer 2 switch between the 802.1X-enabled device and users, the function of transparently transmitting 802.1X authentication packets must be enabled on the Layer 2 switch. Otherwise, users cannot be authenticated.
  • In the Portal authentication scenario, a user may authenticate with a spoofed IP address, which is a security risk. It is recommended that you configure attack defense functions such as IPSG and DHCP snooping to mitigate this risk.
  • NAC authentication and authentication-related parameters cannot be enabled on both a Layer 2 Ethernet interface and the VLANIF interface of the VLAN to which that Layer 2 Ethernet interface belongs.
  • NAC authentication (except HTTP-based or HTTPS-based Portal authentication) can be implemented for users in a VPN, but not for users with the same IP addresses in different VPNs.
  • Terminals using MAC address authentication do not support switching between IPv4 and IPv6. To ensure that a terminal can normally obtain an IP address after passing the authentication, you are advised to enable either IPv4 or IPv6 on the terminal.
The configuration notes about authorization are as follows:
  • If a terminal uses Portal authentication, or multi-mode authentication that includes Portal authentication, the device cannot assign a VLAN to the terminal.
  • If a terminal obtains an IP address through DHCP, you must manually trigger the DHCP process to request a new IP address after VLAN-based authorization succeeds or the authorized VLAN is changed through CoA packets.
  • In versions earlier than V200R011C10, if an ACL, an upstream rate limit, and a downstream rate limit are all authorized to a user, only the ACL takes effect. Starting from V200R011C10, the device supports authorization based on the DSCP values of upstream and downstream packets, and the authorized ACL, the upstream and downstream rate limits, and the upstream and downstream DSCP values can all take effect simultaneously.
Other:
  • The number of NAC users cannot exceed the maximum number of MAC address entries supported by the switch.
  • During LNP negotiation, NAC users cannot go online before the interface link type becomes stable. If the interface link type is negotiated again and the negotiation result changes, the online NAC users are forced to go offline.
  • For the S600-E, ACL-based simplified traffic policy and traffic classification rules in MQC-based traffic policy have higher priorities than rules defined in NAC configuration. If configurations in ACL-based simplified traffic policy or MQC-based traffic policy conflict with the NAC function, the device processes packets based on configurations in ACL-based simplified traffic policy and traffic behaviors in MQC-based traffic policy.
Updated: 2019-04-20

Document ID: EDOC1100066170