S600-E V200R013C00 Configuration Guide - User Access and Authentication

This document describes User Access and Authentication configuration, including AAA, NAC, and Policy Association.
NAC Application

Context

After an authentication profile is bound to an interface, NAC is enabled on the interface. The device implements access control on users who go online through the interface.

An authentication profile uniformly manages the NAC configuration. Binding the authentication profile in the interface view enables NAC and implements access control on the users on the interface. The authentication type of the users on the interface is determined by the access profile bound to the authentication profile. For details about how to configure an access profile, see Configuring an Access Profile.

When configuring NAC, pay attention to the following points:
  • VLANIF interfaces, GE interfaces, XGE interfaces, Eth-Trunks, and port groups support NAC. The support for NAC on different interfaces is as follows:
    • Only Layer 2 interfaces support 802.1X authentication.
    • Layer 2 interfaces support MAC address authentication.
    • The support for Portal authentication varies by interface type: Layer 2 interfaces support only Layer 2 Portal authentication, and VLANIF interfaces support both Layer 2 and Layer 3 Portal authentication.

  • NAC authentication cannot be enabled on both a Layer 2 Ethernet interface and the VLANIF interface that corresponds to the VLAN of that Ethernet interface. Otherwise, the users have no network access rights after connecting to the network.

  • After enabling NAC on an interface, you cannot run the following commands on the interface. Similarly, after running the following commands on an interface, you cannot enable NAC on the interface.

    | Command | Function |
    |---|---|
    | mac-limit | Sets the maximum number of MAC addresses that can be learned by an interface. |
    | mac-address learning disable | Disables MAC address learning on an interface. |
    | port link-type dot1q-tunnel | Sets the link type of an interface to QinQ. |
    | port vlan-mapping vlan map-vlan | Configures VLAN mapping on an interface. |
    | port vlan-stacking | Configures selective QinQ. |
    | mac-vlan enable | Enables MAC address-based VLAN assignment on an interface. |
    | ip-subnet-vlan enable | Enables IP subnet-based VLAN assignment on an interface. |
    | user-bind ip sticky-mac | Enables the device to generate snooping MAC entries. NOTE: This command conflicts with only 802.1X authentication and MAC address authentication. |
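The restrictions listed above can be checked against planned configuration text before it is deployed. The following is an added example, not part of the Huawei guide or any Huawei tool: it flags interfaces that combine an authentication profile with one of the listed commands, and Layer 2 ports whose VLAN's VLANIF interface also has NAC enabled. It assumes interface stanzas separated by "#" lines and an access VLAN set with `port default vlan`; the function names, profile name and sample configuration are constructed.

```python
import re

# Commands the page lists as mutually exclusive with NAC on one interface.
CONFLICTS = ("mac-limit", "mac-address learning disable",
             "port link-type dot1q-tunnel", "port vlan-mapping vlan",
             "port vlan-stacking", "mac-vlan enable", "ip-subnet-vlan enable")
# Per the page's NOTE: conflicts only with 802.1X and MAC address authentication.
CONDITIONAL = ("user-bind ip sticky-mac",)

def parse_interfaces(config):
    """Split configuration text into {interface name: [command lines]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:  # "#" separators and other top-level lines end the stanza
            current = None
    return stanzas

def audit_nac(config):
    """Return sorted (interface, finding) tuples. Assumes 'port default vlan <id>'."""
    stanzas = parse_interfaces(config)
    nac = {name for name, cmds in stanzas.items()
           if any(c.startswith("authentication-profile ") for c in cmds)}
    findings = []
    for name in nac:
        for cmd in stanzas[name]:
            vlan = re.fullmatch(r"port default vlan (\d+)", cmd)
            if cmd.startswith(CONFLICTS):
                findings.append((name, "conflicts with NAC: " + cmd))
            elif cmd.startswith(CONDITIONAL):
                findings.append((name, "conflicts with 802.1X/MAC address authentication: " + cmd))
            elif vlan and "Vlanif" + vlan.group(1) in nac:
                findings.append((name, "NAC also enabled on Vlanif" + vlan.group(1)))
    return sorted(findings)

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
interface Vlanif10
 authentication-profile p1
#
interface GigabitEthernet0/0/1
 port default vlan 10
 authentication-profile p1
 mac-limit maximum 10
 user-bind ip sticky-mac
"""
```

Calling `audit_nac(SAMPLE)` returns three findings for GigabitEthernet0/0/1; trunk and hybrid port VLAN membership is not evaluated.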

Prerequisites

An authentication profile has been configured. For details about how to configure an authentication profile, see Configuring an Authentication Profile.

Procedure

  • Enable NAC on an interface.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run authentication-profile authentication-profile-name

      The authentication profile is applied to the interface.

      By default, no authentication profile is applied to an interface.

Verifying the Configuration

Run the display authentication interface interface-type interface-number command to view the configuration of the NAC authentication mode on an interface.

Updated: 2019-04-20

Document ID: EDOC1100066170
