S600-E V200R013C00 Configuration Guide - User Access and Authentication

This document describes User Access and Authentication configuration, including AAA, NAC, and Policy Association.

Example for Configuring MAC Address Authentication (AAA Local Authentication Is Used)

Networking Requirements

As shown in Figure 2-53, terminals in a company's physical access control department are connected to the company's internal network through the Switch. Unauthorized access to the internal network can damage the company's service system and cause leakage of key information. Therefore, the administrator requires that the Switch should control users' network access rights to ensure internal network security.

Because dumb terminals (such as printers) in the physical access control department cannot have the authentication client installed, MAC address authentication needs to be configured on the Switch, and the local authentication mode is configured to authenticate user identities.

Figure 2-53  Networking diagram for configuring MAC address authentication


  1. Configure AAA local authentication.

    # Configure the local authentication scheme a1.

    [Switch] aaa
    [Switch-aaa] authentication-scheme a1
    [Switch-aaa-authen-a1] authentication-mode local
    [Switch-aaa-authen-a1] quit

    # Configure the local authorization scheme b1.

    [Switch-aaa] authorization-scheme b1
    [Switch-aaa-author-b1] authorization-mode local
    [Switch-aaa-author-b1] quit

    # Configure the user name, password, and access type of the local user.


    Configure terminals' MAC addresses as local user names, set the password to Huawei@123, and set the access type to MAC address authentication (8021x). Take printer 1 with the MAC address 000b-09d4-8828 as an example.

    [Switch-aaa] local-user 000b-09d4-8828 password cipher Huawei@123
    [Switch-aaa] local-user 000b-09d4-8828 service-type 8021x
    [Switch-aaa] quit

    # Configure service scheme s1 so that users can access resources on the network segment after being authenticated successfully.

    [Switch] ucl-group 10 name g1
    [Switch] acl 6000
    [Switch-acl-ucl-6000] rule 10 permit ip source ucl-group name g1 destination 0
    [Switch-acl-ucl-6000] quit
    [Switch] traffic-filter inbound acl 6000
    [Switch] aaa
    [Switch-aaa] service-scheme s1
    [Switch-aaa-service-s1] ucl-group name g1
    [Switch-aaa-service-s1] quit

    # Configure the domain, and apply the authentication scheme a1, authorization scheme b1, and service scheme s1 to the domain.

    [Switch-aaa] domain
    [] authentication-scheme a1
    [] authorization-scheme b1
    [] service-scheme s1
    [] quit
    [Switch-aaa] quit

  2. Configure MAC address authentication.

    # Set the NAC mode to unified.

    [Switch] authentication unified-mode

    • By default, the unified mode is used.
    • After changing the NAC mode from common to unified, save the configuration and restart the device to make the configuration take effect.

    # Configure the MAC access profile m1.


    When AAA local authentication and authorization are used, the user name and password for MAC address authentication must be the same as those of the AAA local user. In this example, the user name of the local user is the terminal's MAC address containing hyphens (-) and the password is Huawei@123.

    [Switch] mac-access-profile name m1
    [Switch-mac-access-profile-m1] mac-authen username macaddress format with-hyphen password cipher Huawei@123
    [Switch-mac-access-profile-m1] quit

    # Configure the authentication profile p1, bind the MAC access profile m1 to the authentication profile, and specify the domain as the forcible authentication domain in the authentication profile.

    [Switch] authentication-profile name p1
    [Switch-authen-profile-p1] mac-access-profile m1
    [Switch-authen-profile-p1] access-domain force
    [Switch-authen-profile-p1] quit

    # Bind the authentication profile p1 to GE0/0/1 and enable MAC address authentication on the interface.

    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] authentication-profile p1
    [Switch-GigabitEthernet0/0/1] quit

    # (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets.

  3. Verify the configuration.

    1. After a user starts a terminal, the device automatically obtains the user terminal's MAC address as the user name and password for authentication.
    2. Users can access the network after being authenticated successfully.
    3. After users go online, you can run the display access-user access-type mac-authen command on the device to view information about online MAC address authentication users.
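The caveat in step 2 (the local user name must be exactly the MAC address in the hyphenated form the switch derives under `mac-authen username macaddress format with-hyphen`) is the usual cause of failed MAC authentication when terminal MACs are copied from inventories that use colon or dot notation. The following added example (not from the Huawei guide) normalizes any common MAC notation to the `hhhh-hhhh-hhhh` form, rejects group and duplicate addresses, and generates the `local-user` lines of step 1 for a constructed printer inventory; the inventory and the helper names are assumptions.

```python
import re
from typing import Iterable, List

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def to_vrp_mac(mac: str) -> str:
    """Normalize 00:0B:09:D4:88:28, 00-0b-09-d4-88-28, 000b.09d4.8828 or
    000b09d48828 to Huawei's hhhh-hhhh-hhhh form (lowercase hex).

    Raises ValueError for malformed input and for group (multicast/broadcast)
    addresses, which can never be the source MAC of a single dumb terminal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if int(digits[:2], 16) & 0x01:  # I/G bit set -> group address
        raise ValueError(f"group (multicast/broadcast) address rejected: {mac!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def local_user_lines(macs: Iterable[str], password: str) -> List[str]:
    """Build the AAA-view commands for one local user per terminal MAC.

    The user name must match byte-for-byte what the switch derives from the
    frame's source MAC, and the password must equal the one configured in the
    MAC access profile (Huawei@123 in the guide's example)."""
    seen = set()
    lines: List[str] = []
    for mac in macs:
        name = to_vrp_mac(mac)
        if name in seen:
            raise ValueError(f"duplicate terminal MAC: {name}")
        seen.add(name)
        lines.append(f"local-user {name} password cipher {password}")
        lines.append(f"local-user {name} service-type 8021x")
    return lines


if __name__ == "__main__":
    # Constructed inventory: printer 1 from the guide plus two assumed devices
    # recorded in other notations, as an asset register might list them.
    inventory = ["000b-09d4-8828", "00:0B:09:D4:88:29", "000b.09d4.882a"]
    for line in local_user_lines(inventory, "Huawei@123"):
        print(line)
```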

Updated: 2019-04-20

Document ID: EDOC1100066170
