S600-E V200R013C00 Configuration Guide - User Access and Authentication

This document describes the configurations of User Access and Authentication Configuration, including AAA, NAC, and Policy Association.
Understanding MAC Address Authentication

Overview of MAC Address Authentication

Definition

MAC address authentication controls network access rights of users based on interfaces and MAC addresses of terminals.

Benefits
  • No client software needs to be installed on terminals.
  • During MAC address authentication, users do not need to enter a user name or password.
  • Dumb terminals that do not support 802.1X authentication, such as printers and fax machines, can be authenticated.
Authentication System

As shown in Figure 2-13, the MAC address authentication system is a typical client/server structure that consists of three types of entities: terminal, access device, and authentication server.

Figure 2-13  MAC address authentication system
  • Terminal: refers to a terminal that attempts to access the network.
  • Access device: functions as the network access control point that enforces enterprise security policies. It allows, rejects, isolates, or restricts network access of users based on the security policies customized for enterprise networks.
  • Authentication server: checks whether the identities of users who attempt to access the network are valid and assigns network access rights to users who have valid identities.
User Name Format

The user name and password used by a terminal for MAC address authentication must be configured on the access device in one of the formats listed below. By default, the user name and password are both the MAC address of a terminal.

  • User name: MAC address of a terminal. Password: either the MAC address of the terminal or a specified password. Application scenario: a network with a small number of terminals whose MAC addresses are easy to obtain, for example, when a few printers need to access the network.
  • User name: specified user name. Password: specified password. Application scenario: a network with reliable terminals. Multiple terminals connected to an interface use the same user name and password for MAC address authentication, so only one account needs to be configured on the authentication server to meet the authentication requirements of all the terminals.
  • User name: DHCP option, in one of the following formats: the circuit-id suboption, the remote-id suboption, or a combination of the circuit-id suboption and the remote-id suboption. Password: specified password. Application scenario: terminals must obtain IP addresses through DHCP, and DHCP packets must be able to trigger MAC address authentication.

MAC Address Authentication Process

The access device exchanges RADIUS packets with the RADIUS server and encrypts passwords of MAC address authentication users in Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) mode.
  • PAP: The access device generates a random MD5 challenge and uses it to encrypt passwords of MAC address authentication users once.
  • CHAP: The access device generates a random MD5 challenge and uses it to encrypt passwords of MAC address authentication users twice.
Figure 2-14 and Figure 2-15 show the MAC address authentication processes in PAP and CHAP modes, respectively.
Figure 2-14  MAC address authentication process (PAP mode)
  1. After detecting the MAC address of a terminal for the first time, the access device learns this MAC address and triggers MAC address authentication.
  2. The access device generates a random MD5 challenge and uses the challenge to encrypt the password of the user once. The access device then encapsulates the user name, encrypted password, and MD5 challenge into a RADIUS Access-Request packet, and sends this packet to the RADIUS server, requesting MAC address authentication on the user.
  3. The RADIUS server uses the received MD5 challenge to encrypt the password of the user stored in the local database once. If the password is the same as the password sent by the access device, the RADIUS server returns a RADIUS Access-Accept packet, indicating that the MAC address authentication succeeds and the terminal is allowed to access the network.
Figure 2-15  MAC address authentication process (CHAP mode)

The MAC address authentication process in CHAP mode is similar to that in PAP mode, except that the password is encrypted twice.
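The document describes the PAP and CHAP modes in terms of encrypting the password once or twice with an MD5 challenge. On the wire, a RADIUS Access-Request carries these as the User-Password hiding of RFC 2865 section 5.2 (PAP) or the CHAP-Password/CHAP-Challenge pair of RFC 2865 section 5.3 (CHAP). The following is an added example, not code from the Huawei document, that builds the request the access device would send for a terminal whose user name and password are both its MAC address (the default) and performs the server-side check against the stored password. The shared secret, the terminal MAC, and the canonical MAC format (lower-case hex without separators) are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed values for this example (not from the Huawei document).
SHARED_SECRET = b"example-radius-secret"   # placeholder RADIUS shared secret
TERMINAL_MAC = "00:11:22:33:44:55"         # constructed terminal MAC address


def mac_username(mac):
    """Default MAC-authentication identity: user name and password are both the MAC.
    The canonical form used here (lower-case hex, no separators) is an assumption."""
    return mac.replace(":", "").replace("-", "").replace(".", "").lower()


def pap_hide_password(password, secret, request_authenticator):
    """PAP mode on the wire: RFC 2865 section 5.2 User-Password hiding.
    Each 16-byte chunk is XORed with MD5(secret + previous chunk); the first chunk
    uses the 16-byte Request Authenticator in place of a previous chunk."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def pap_reveal_password(hidden, secret, request_authenticator):
    """Server side of PAP: undo the hiding, then strip the NUL padding
    (safe here because a MAC-derived password never contains NUL bytes)."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(h ^ m for h, m in zip(chunk, mask))
        prev = chunk
    return out.rstrip(b"\x00")


def chap_password(chap_id, password, challenge):
    """CHAP mode on the wire: RFC 2865 section 5.3 / RFC 1994.
    CHAP-Password = ID octet + MD5(ID + password + CHAP-Challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def build_access_request(mac, mode, secret):
    """What the access device puts in the Access-Request for a terminal whose
    user name and password are both its MAC address (the default)."""
    user = mac_username(mac).encode()
    req = {"User-Name": user.decode()}
    if mode == "pap":
        req["Request-Authenticator"] = secrets.token_bytes(16)
        req["User-Password"] = pap_hide_password(user, secret, req["Request-Authenticator"])
    elif mode == "chap":
        req["CHAP-Challenge"] = secrets.token_bytes(16)
        req["CHAP-Password"] = chap_password(secrets.randbelow(256), user, req["CHAP-Challenge"])
    else:
        raise ValueError("mode must be 'pap' or 'chap'")
    return req


def server_verify(req, secret, stored_password):
    """RADIUS server check against the password in its local database.
    Constant-time comparison avoids leaking where a wrong password first differs."""
    if "User-Password" in req:
        revealed = pap_reveal_password(req["User-Password"], secret, req["Request-Authenticator"])
        return hmac.compare_digest(revealed, stored_password)
    if "CHAP-Password" in req:
        expected = chap_password(req["CHAP-Password"][0], stored_password, req["CHAP-Challenge"])
        return hmac.compare_digest(req["CHAP-Password"], expected)
    return False


if __name__ == "__main__":
    for mode in ("pap", "chap"):
        req = build_access_request(TERMINAL_MAC, mode, SHARED_SECRET)
        print(mode, "accept" if server_verify(req, SHARED_SECRET, b"001122334455") else "reject")
```

Note the asymmetry the two modes create for the server: in PAP mode the server needs the shared secret to recover the password and can store it in any form it can compare against, whereas in CHAP mode the server must hold the clear-text password to recompute the MD5 response, which is why a MAC-derived password (public information by nature) is the usual choice for this kind of dumb-terminal authentication.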

MAC Authorization

Authentication checks whether the identity of the user who attempts to access the network is valid. Authorization specifies the network access rights that an authorized user can have, that is, the resources that the authorized user can access. VLANs, ACLs, and UCLs are often used for authorization. RADIUS authorization is used as an example. For details about other authorization methods and more authorization parameters, see Authorization Scheme.

VLAN
To prevent unauthenticated users from accessing restricted network resources, the restricted network resources and unauthenticated users are allocated to different VLANs. After a user is authenticated, the authentication server returns an authorized VLAN to the user. The access device then changes the VLAN to which the user belongs to the authorized VLAN, with the interface configuration remaining unchanged. The authorized VLAN takes precedence over the VLAN configured on the interface. That is, the authorized VLAN takes effect after the authentication succeeds, and the configured VLAN takes effect after the user goes offline. When the RADIUS server assigns an authorized VLAN, the following standard RADIUS attributes must be used together:
  • Tunnel-Type: This attribute must be set to VLAN or 13.
  • Tunnel-Medium-Type: This attribute must be set to 802 or 6.
  • Tunnel-Private-Group-ID: The value can be a VLAN ID or VLAN description.
ACL
After a user is authenticated, the authentication server assigns an ACL to the user. Then, the access device controls the user packets according to the ACL.
  • If the user packets match the permit rule in the ACL, the packets are allowed to pass through.
  • If the user packets match the deny rule in the ACL, the packets are discarded.
The RADIUS server can assign an ACL to a user in either of the following modes:
  • Static ACL assignment: The RADIUS server uses the standard RADIUS attribute Filter-Id to assign an ACL ID to the user. In this mode, the ACL and corresponding rules are configured on the access device in advance.
  • Dynamic ACL assignment: The RADIUS server uses the RADIUS attribute HW-Data-Filter extended by Huawei to assign an ACL ID and corresponding rules to the user. In this mode, the ACL ID and ACL rules are configured on the RADIUS server.
UCL
A User Control List (UCL) is a collection of network terminals such as PCs and smartphones. The administrator can add users having the same network access requirements to a UCL, and configure a network access policy for the UCL, greatly reducing the administrator's workload. The RADIUS server assigns a UCL to a specified user in either of the following modes:
  • Assigns the UCL name through the standard RADIUS attribute Filter-Id.
  • Assigns the UCL ID through the RADIUS attribute HW-UCL-Group extended by Huawei.
You must configure the UCL and its network access policy on the access device in advance regardless of the UCL authorization mode used.
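The VLAN, ACL and UCL authorization above all arrive as RADIUS attributes in the Access-Accept, and the access device has to check them before applying anything: a VLAN is only valid when Tunnel-Type (13), Tunnel-Medium-Type (6) and Tunnel-Private-Group-ID carry the same tag, and a Filter-Id names an ACL or UCL that must already exist on the device. The following added example, which is not code from the Huawei document, decodes a constructed Access-Accept attribute list into the authorization the device would apply; it also decodes Session-Timeout and Termination-Action, which the re-authentication and logout sections later use. The attribute numbers are the standard RFC 2865/2868 ones; the Huawei vendor-specific attributes HW-Data-Filter and HW-UCL-Group are deliberately not modelled, and the sample values (VLAN 100, ACL 3001, 3600-second session) are constructed.

```python
# RFC 2865 / RFC 2868 attribute types used by the authorization described above.
FILTER_ID = 11
SESSION_TIMEOUT = 27
TERMINATION_ACTION = 29
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = 802


def attr(atype, value):
    """Encode one attribute as Type (1 octet), Length (1 octet, includes the header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value


def parse_attributes(data):
    """Split an attribute list into (type, value) pairs, refusing malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def tagged_int(value):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def tagged_string(value):
    """RFC 2868 tagged string: the first octet is a tag only when it is 0x00..0x1F;
    otherwise the whole value is the string (tag 0 means untagged)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def derive_authorization(attr_bytes):
    """Reduce Access-Accept attributes to what the access device would apply."""
    result = {"vlan": None, "acl": None, "session_timeout": None,
              "termination_action": None, "warnings": []}
    tunnels = {}   # tag -> {"type", "medium", "group"}
    for atype, value in parse_attributes(attr_bytes):
        if atype == TUNNEL_TYPE:
            tag, v = tagged_int(value)
            tunnels.setdefault(tag, {})["type"] = v
        elif atype == TUNNEL_MEDIUM_TYPE:
            tag, v = tagged_int(value)
            tunnels.setdefault(tag, {})["medium"] = v
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, v = tagged_string(value)
            tunnels.setdefault(tag, {})["group"] = v.decode("ascii", "replace")
        elif atype == FILTER_ID:
            result["acl"] = value.decode("ascii", "replace")   # static ACL or UCL name
        elif atype == SESSION_TIMEOUT:
            result["session_timeout"] = int.from_bytes(value, "big")
        elif atype == TERMINATION_ACTION:
            result["termination_action"] = int.from_bytes(value, "big")
    # A VLAN is applied only when all three tunnel attributes agree on one tag.
    for tag, t in sorted(tunnels.items()):
        if t.get("type") == TUNNEL_TYPE_VLAN and t.get("medium") == TUNNEL_MEDIUM_IEEE_802 and "group" in t:
            result["vlan"] = t["group"]
            break
        result["warnings"].append(f"tag {tag}: incomplete or non-VLAN tunnel attributes, not applied")
    return result


def sample_access_accept():
    """Constructed attribute list: VLAN 100 (tag 1), static ACL 3001, 1 h session then re-auth."""
    return b"".join([
        attr(TUNNEL_TYPE, bytes([1]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        attr(TUNNEL_MEDIUM_TYPE, bytes([1]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        attr(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"100"),
        attr(FILTER_ID, b"3001"),
        attr(SESSION_TIMEOUT, (3600).to_bytes(4, "big")),
        attr(TERMINATION_ACTION, (1).to_bytes(4, "big")),
    ])


def sample_incomplete_vlan():
    """Constructed: Tunnel-Medium-Type is missing, so no VLAN may be applied."""
    return (attr(TUNNEL_TYPE, bytes([0]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, b"200"))


if __name__ == "__main__":
    print(derive_authorization(sample_access_accept()))
    print(derive_authorization(sample_incomplete_vlan()))
```

The second sample is the case a device should log rather than silently accept: a Tunnel-Private-Group-ID without its companion attributes means the server configuration is wrong, and the interface VLAN stays in force.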
Free Rule

A free rule allows users to obtain certain network access rights before they are authenticated, to meet basic network access requirements.

MAC Address Re-authentication

Users Who Have Passed MAC Address Authentication

If the administrator modifies parameters such as access rights and authorization attributes of an online user on the authentication server, the user must be re-authenticated to ensure user validity. Table 2-8 describes the re-authentication mode for users who have passed MAC address authentication.

Table 2-8  Re-authentication mode for users who have passed MAC address authentication
  • Configured on the access device, to perform periodic re-authentication for users who have passed MAC address authentication: after receiving a RADIUS Access-Accept packet from the authentication server, the access device starts the re-authentication timer specified by reauthenticate-period-value. When the timer expires, the access device requests the RADIUS server to perform MAC address re-authentication for the user. Configuration commands: mac-authen reauthenticate and mac-authen timer reauthenticate-period reauthenticate-period-value.
  • Configured on the access device, to re-authenticate MAC address authentication users after receiving DHCP lease renewal packets from them. Configuration command: mac-authen reauthenticate dhcp-renew.
  • Configured on the access device, to perform one-time re-authentication for a user with the specified MAC address. Configuration command: mac-authen reauthenticate mac-address mac-address.
  • Configured on the RADIUS server, to deliver the standard RADIUS attributes Session-Timeout and Termination-Action. The Session-Timeout attribute specifies the online duration timer of a user. The value of Termination-Action is set to 1, indicating that the user is re-authenticated when the online duration timer expires. Configuration command on the access device: N/A.
Users in Abnormal Authentication State

According to Logical Process of MAC Address Authentication, exceptions may occur during MAC address authentication. For example, the RADIUS server may go Down or user authentication may fail. By default, users in abnormal authentication state have no network access rights; generally, these users are granted some network access rights. When the online period of a user reaches the user entry aging time, the device deletes the user entry and reclaims the network access rights granted to the user. You can configure the access device to re-authenticate these users based on their user entries, so that they obtain normal network access rights in a timely manner. Table 2-9 describes the method of configuring re-authentication for users in abnormal authentication state.

Table 2-9  Method of configuring re-authentication for users in abnormal authentication state
  • RADIUS server in Down state. Configuration command: authentication event authen-server-up action re-authen. Enables user re-authentication when the RADIUS server is Up.
  • Authentication failure. Configuration command: authentication timer re-authen authen-fail re-authen-time. Enables periodic re-authentication for users who fail to be authenticated.
  • Pre-connection. Configuration command: authentication timer re-authen pre-authen re-authen-time. Enables periodic re-authentication for users in pre-connection state.

Logout of MAC Address Authentication Users

When users go offline but the access device and RADIUS server do not detect the offline events, the following problems may occur:
  • The RADIUS server still performs accounting for the users, causing incorrect accounting.
  • Unauthorized users may spoof the IP addresses and MAC addresses of authorized users to access the network.
  • If there are many such offline users, they are still counted as access users of the device, so other users may fail to access the network.
The access device therefore needs to detect user logout immediately, delete the user entry, and notify the RADIUS server to stop accounting.
The Access Device Controls User Logout
The access device controls user logout in either of the following ways:
  • Run the cut access-user command to force a user to go offline.
  • Configure user detection to check whether a user is online. If the user does not respond within a specified period, the access device considers the user to be offline and deletes the user entry.
If an administrator detects that an unauthorized user is online or wants a user to go offline and then go online again during a test, the administrator can run the cut access-user command on the access device to force the user to go offline. For a user in normal access state, the access device checks the online status of the user through ARP probing. If the access device detects that the user goes offline, it logs the user out and deletes the user entry.
Figure 2-16  User logout detection process

Assume that the handshake period of a user is 3T, which can be set by running the authentication timer handshake-period handshake-period command. Here, T = handshake-period/3.
  1. The user sends any packet to trigger MAC address authentication, and the detection timer starts.
  2. Within several T periods, the access device receives traffic from the client and the user remains online.
  3. The user sends the last packet. When the current T period expires, the access device determines that the user is online because traffic is still received from the client and resets the detection timer.
  4. The access device does not receive traffic from the client within a T period, and sends the first ARP request packet. The client does not respond.
  5. The access device does not receive traffic from the client within another T period, and sends the second ARP request packet. The client does not respond.
  6. The access device does not receive traffic from the client within a third T period. The access device determines that ARP probing fails and deletes the user entry.
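The six steps above define a small per-user state machine: the device checks at every T boundary whether the client sent anything in the period just ended, sends an ARP request after the first and second silent periods, and deletes the user entry after the third. The following added example, not code from the Huawei document, replays that timer over a constructed list of client traffic timestamps so the detection delay can be read off directly; it treats an ARP reply from the client like any other client traffic, and the handshake period of 30 seconds (T = 10) used in the demo is a constructed value.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DetectionResult:
    period_t: float                                   # T = handshake-period / 3
    arp_probes_sent_at: List[float] = field(default_factory=list)
    offline_detected_at: Optional[float] = None       # None = still online at end of horizon


def simulate_logout_detection(handshake_period, first_packet_at, client_traffic_at, horizon):
    """Replay the access device's per-user detection timer.

    Every T seconds the device checks whether any client traffic (including an
    ARP reply to one of its probes) arrived in the period that just ended:
      - traffic seen      -> the user stays online and the miss counter resets
      - 1st or 2nd miss   -> an ARP request is sent to the client
      - 3rd miss          -> ARP probing has failed; the user entry is deleted
    Simulation stops at `horizon` if the user is still online.
    """
    if handshake_period <= 0:
        raise ValueError("handshake_period must be positive")
    t = handshake_period / 3.0
    result = DetectionResult(period_t=t)
    # Only traffic after the triggering packet matters; the trigger starts the timer.
    traffic = sorted(x for x in client_traffic_at if x > first_packet_at)
    misses = 0
    period_start = first_packet_at
    while period_start + t <= horizon:
        period_end = period_start + t
        if any(period_start < x <= period_end for x in traffic):
            misses = 0                                # step 2/3: traffic seen, timer reset
        else:
            misses += 1
            if misses == 3:                           # step 6: probing failed
                result.offline_detected_at = period_end
                return result
            result.arp_probes_sent_at.append(period_end)   # steps 4/5: ARP request sent
        period_start = period_end
    return result


def demo():
    """Constructed scenario: handshake period 30 s (T = 10 s); the client sends its
    last packet at t = 25 and never answers the ARP probes."""
    return simulate_logout_detection(30, 0, [5, 12, 25], 200)


if __name__ == "__main__":
    r = demo()
    print(f"T={r.period_t}s probes at {r.arp_probes_sent_at} offline at {r.offline_detected_at}")
```

The replay makes the worst-case detection window explicit: a client that falls silent right after a T boundary is removed one full handshake period (3T) after the end of the last period in which it was heard, which is the bound to compare against the accounting and access-user-count concerns listed above.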
The RADIUS Server Forces a User to Log Out

The RADIUS server controls user logout in either of the following methods:

  • Sends a Disconnect Message (DM) to an access device to force a user to go offline.
  • Uses the standard RADIUS attributes Session-Timeout and Termination-Action. The Session-Timeout attribute specifies the online duration timer of a user. The value of Termination-Action is set to 0, indicating that the user is disconnected by the RADIUS server when the online duration timer expires.

Quiet Timer for MAC Address Authentication

This section discusses the timer that controls when MAC address authentication restarts after the number of failed MAC address authentication attempts within 60 seconds reaches the value specified by the mac-authen quiet-timers fail-times command.

If a user fails MAC address authentication, the access device waits for a period of time specified by the mac-authen timer quiet-period quiet-period-value command. During this period, the access device discards the MAC address authentication requests sent from the user. The quiet timer prevents waste of system resources and brute-force attacks on the user name and password. Figure 2-17 shows the operation of the quiet timer for MAC address authentication.

Figure 2-17  Quiet timer function for MAC address authentication
NOTE:
The quiet timer for MAC address authentication does not take effect in the following scenarios:
  • The pre-connection function has been enabled using the authentication pre-authen-access enable command.
  • Network access rights have been configured for users in abnormal authentication state using the authentication event action authorize command.
  • Multi-mode authentication containing MAC address authentication is used.
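The quiet timer is a rate limiter keyed on the failing terminal: once the number of failures inside a 60-second window reaches the fail-times threshold, further authentication requests from that terminal are dropped for the quiet period, after which it may try again. The following added example, not code from the Huawei document, models that logic so the interaction between the window, the threshold and the quiet period can be checked on a constructed sequence of authentication attempts. It assumes the timer is tracked per MAC address (the document says "the user"), and the threshold of 3 failures, quiet period of 30 seconds, MAC addresses and event times are all constructed values.

```python
from collections import defaultdict, deque


class MacAuthQuietTimer:
    """Per-MAC quiet timer: after `fail_times` failures within `window` seconds,
    authentication requests from that MAC are discarded for `quiet_period` seconds."""

    def __init__(self, fail_times, quiet_period, window=60):
        if fail_times < 1 or quiet_period <= 0 or window <= 0:
            raise ValueError("fail_times >= 1, quiet_period > 0 and window > 0 required")
        self.fail_times = fail_times
        self.quiet_period = quiet_period
        self.window = window
        self._failures = defaultdict(deque)   # mac -> timestamps of recent failures
        self._quiet_until = {}                # mac -> time at which the quiet period ends

    def is_quiet(self, mac, now):
        """True while requests from `mac` must be discarded."""
        until = self._quiet_until.get(mac)
        if until is None:
            return False
        if now >= until:
            del self._quiet_until[mac]        # quiet period over; the MAC may retry
            return False
        return True

    def record_failure(self, mac, now):
        """Count a failed attempt; returns True if it pushes the MAC into the quiet state."""
        recent = self._failures[mac]
        recent.append(now)
        while recent and now - recent[0] >= self.window:
            recent.popleft()                  # drop failures that fell out of the 60 s window
        if len(recent) >= self.fail_times:
            recent.clear()
            self._quiet_until[mac] = now + self.quiet_period
            return True
        return False


def replay(timer, events, verify):
    """events: (time, mac) authentication attempts in time order; verify(mac) -> bool.
    Returns one (time, mac, outcome) tuple per attempt."""
    log = []
    for now, mac in events:
        if timer.is_quiet(mac, now):
            log.append((now, mac, "discarded"))       # dropped without contacting RADIUS
            continue
        if verify(mac):
            log.append((now, mac, "accept"))
        else:
            entered_quiet = timer.record_failure(mac, now)
            log.append((now, mac, "quiet" if entered_quiet else "reject"))
    return log


def demo():
    """Constructed scenario: an unknown MAC fails three times within 60 s and is
    silenced for 30 s, while a known MAC is unaffected."""
    timer = MacAuthQuietTimer(fail_times=3, quiet_period=30)
    known = {"001122334455"}   # constructed: the only MAC the server accepts
    events = [(0, "aabbccddeeff"), (10, "aabbccddeeff"), (20, "aabbccddeeff"),
              (30, "aabbccddeeff"), (50, "aabbccddeeff"), (55, "001122334455")]
    return replay(timer, events, lambda mac: mac in known)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The "discarded" outcome is the one worth alerting on in practice: a MAC that repeatedly lands in the quiet state is either a misconfigured terminal or someone guessing credentials, and the device is already dropping those requests before they cost the RADIUS server anything.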
Updated: 2019-04-20

Document ID: EDOC1100066170