S600-E V200R013C00 Configuration Guide - User Access and Authentication

This document describes how to configure user access and authentication, including AAA, NAC, and Policy Association.
Configuring Combined Authentication

Context

On a network with diversified clients, different clients support different access authentication modes. Some clients (such as printers) support only MAC address authentication. Some hosts support 802.1X authentication because they have 802.1X client software installed. Some hosts require Portal authentication using web browsers. If all the preceding authentication modes are used on a network, they all must be configured on user access interfaces so that users can use a proper authentication mode to connect to the network.

Combined authentication can be configured using either of the following methods:
  • Enable any two or all of 802.1X authentication, MAC address authentication, and built-in Portal authentication on a Layer 2 interface.
  • Enable MAC address authentication or external Portal authentication on a VLANIF interface.
If MAC address authentication and external Portal authentication are configured simultaneously on a VLANIF interface, a user is authorized in the following way:
  1. MAC address authentication is performed first. If the user passes MAC address authentication, the user is granted the network access rights for MAC address authentication users.
  2. If Portal authentication is triggered and succeeds after a successful MAC address authentication, the user is granted the network access rights for Portal authentication users. If Portal access is terminated by the user or the device, the user's network access rights are restored to those for MAC address authentication users.
    NOTE:

    If Portal authentication is performed for a user after a successful MAC address authentication, the user is not redirected to the authentication page and must enter the authentication page address manually.

    If MAC address-prioritized Portal authentication is used, a malicious user may use a bogus MAC address to access the network after an authorized user passes Portal authentication.
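
    The rights transitions in steps 1 and 2 and the bogus-MAC condition from the NOTE, replayed over session events as an added example (not from the Huawei guide). The event names, the record layout, and the sample MAC addresses and port names are constructed assumptions, not device log output.

```python
# Added example: models the rights transitions described above and flags the
# MAC-reuse case from the NOTE. Event names and record layout are assumptions.

# Constructed sample events (not device output): (time_s, mac, port, event)
EVENTS = [
    (0,   "0000-5e00-5301", "GE0/0/1", "mac_auth_ok"),
    (10,  "0000-5e00-5302", "GE0/0/2", "mac_auth_ok"),     # printer, MAC only
    (30,  "0000-5e00-5301", "GE0/0/1", "portal_auth_ok"),
    (90,  "0000-5e00-5301", "GE0/0/7", "mac_auth_ok"),     # same MAC, other port
    (120, "0000-5e00-5301", "GE0/0/1", "portal_logoff"),
]


def replay(events):
    """Return (sessions, alerts) after replaying events in time order."""
    sessions = {}  # mac -> {"rights": "mac" | "portal", "port": str}
    alerts = []    # (time_s, mac, port_holding_portal_rights, new_port)
    for ts, mac, port, event in sorted(events):
        s = sessions.get(mac)
        if event == "mac_auth_ok":
            if s is None or (s["port"] != port and s["rights"] == "mac"):
                # Step 1: MAC authentication grants MAC-user rights.
                sessions[mac] = {"rights": "mac", "port": port}
            elif s["port"] != port:
                # A MAC that already holds Portal rights appears elsewhere:
                # the bogus-MAC condition the NOTE warns about.
                alerts.append((ts, mac, s["port"], port))
            # Same port: re-authentication, existing rights are kept.
        elif event == "portal_auth_ok" and s and s["port"] == port:
            # Step 2: Portal success after MAC success raises the rights.
            s["rights"] = "portal"
        elif event == "portal_logoff" and s and s["rights"] == "portal":
            # Portal terminated: rights fall back to MAC-user rights.
            s["rights"] = "mac"
    return sessions, alerts


if __name__ == "__main__":
    final, alerts = replay(EVENTS)
    for mac, s in final.items():
        print(mac, s["port"], s["rights"])
    for ts, mac, old, new in alerts:
        print(f"ALERT t={ts}s {mac}: Portal rights on {old}, also seen on {new}")
```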

Procedure

  • Configure 802.1X authentication according to Configuring 802.1X Authentication.

    NOTE:
    • You must configure the MAC address-based access control mode on the interface.
    • If local Portal authentication is used in combined authentication, you cannot configure the guest VLAN, restrict VLAN, or critical VLAN in 802.1X authentication.

  • Configure MAC address authentication according to Configuring MAC Address Authentication.

    NOTE:
    • If local Portal authentication is used in combined authentication, you cannot configure the guest VLAN in MAC address authentication.
    • After MAC address authentication is configured in combined authentication, 802.1X-based fast deployment is not supported.

  • Configure Portal authentication according to Configuring Portal Authentication.
Updated: 2019-04-20

Document ID: EDOC1100066170
