S600-E V200R013C00 Configuration Guide - User Access and Authentication

This document describes the configurations of User Access and Authentication Configuration, including AAA, NAC, and Policy Association.
Configuring an Authentication Profile

Context

The device supports 802.1X, MAC address, and Portal authentication modes in NAC deployment. The access profile bound to the authentication profile determines the user authentication mode in an interface.

The device allows multiple authentication modes (multi-mode authentication) to be deployed simultaneously in an interface to meet various authentication requirements on the network. In this case, you need to bind multiple access profiles to an authentication profile.

Prerequisites

Access profiles have been configured.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  3. Configure the user authentication mode.

    • 802.1X authentication

      Run dot1x-access-profile access-profile-name

      An 802.1X access profile is bound to the authentication profile.

      By default, no 802.1X access profile is bound to an authentication profile.

    • MAC address authentication

      Run mac-access-profile access-profile-name

      A MAC access profile is bound to the authentication profile.

      By default, no MAC access profile is bound to an authentication profile.

    • Portal authentication

      Run portal-access-profile access-profile-name

      A Portal access profile is bound to the authentication profile.

      By default, no Portal access profile is bound to an authentication profile.

    • Multi-mode authentication

      To concurrently configure several authentication modes, you only need to bind corresponding access profiles to an authentication profile. Access profiles can be bound to the authentication profile in any sequence. The device triggers the corresponding authentication based on received authentication packets.

      You can configure MAC address bypass authentication to authenticate terminals such as printers that cannot have the 802.1X client installed. The device performs 802.1X authentication for users. If the user name request times out, the device performs MAC address authentication for these users.

      The following uses MAC address bypass authentication as an example. The configuration procedure is as follows:
      1. Run mac-access-profile access-profile-name

        A MAC access profile is bound to the authentication profile.

        By default, no MAC access profile is bound to an authentication profile.

      2. Run dot1x-access-profile access-profile-name

        An 802.1X access profile is bound to the authentication profile.

        By default, no 802.1X access profile is bound to an authentication profile.

      3. Run authentication dot1x-mac-bypass

        MAC address bypass authentication is enabled.

        By default, MAC address bypass authentication is disabled.

    NOTE:

    When configuring multi-mode authentication, pay attention to the following points:

    • An authentication profile can be bound to at most one 802.1X access profile, one MAC access profile, and one Portal access profile.

    • After multi-mode authentication is configured, the device by default allows users to use multiple authentication modes. For example, if a user passes MAC address authentication, the user is not redirected to the Portal authentication page when accessing a web page. However, if the user directly enters the Portal authentication website in the browser, Portal authentication can be performed. After the authentication succeeds, the user obtains the network access rights of a Portal authentication user. To authenticate users using only one authentication mode, run the authentication single-access command to configure the device to allow users to pass only one access authentication.

    • MAC address authentication and Portal authentication cannot be performed after 802.1X authentication succeeds.

    • 802.1X + MAC address hybrid authentication is mainly applied to scenarios where dumb terminals exist. When a gateway functions as an authentication device, 802.1X + MAC address hybrid authentication is not recommended because ARP packets sent by terminals trigger MAC address authentication first. This degrades the performance of 802.1X authentication and ARP attacks may occur. In a scenario where dumb terminals exist and a gateway functions as an authentication device, you are advised to use the following configuration mode:

      1. Ensure that dumb terminals use fixed IP addresses. You can manually configure IP addresses or bind IP addresses statically using DHCP snooping.
      2. Do not configure hybrid authentication on the gateway. Configure 802.1X authentication for users who do not use dumb terminals and configure IP address-based authentication-free rules for users who use dumb terminals.
    • In MAC address + Portal hybrid authentication, the device performs MAC address authentication first for an access terminal. If MAC address authentication fails, the device performs Portal authentication. This is MAC address-prioritized Portal authentication.
    • In wireless access scenarios, 802.1X + Portal authentication is not supported.

  4. (Optional) Run authentication mode { single-terminal | single-voice-with-data | multi-share | multi-authen [ max-user max-user-number [ dot1x | mac-authen | portal | none ] * ] }

    The user access mode is configured, or the maximum number of access users allowed on the interface is configured when the user access mode is multi-authen.

    By default, the user access mode is multi-authen.

  5. (Optional) Run authentication ip-address in-accounting-start

    The function of carrying users' IP addresses in Accounting-Start packets is enabled.

    By default, the function of carrying users' IP addresses in Accounting-Start packets is disabled.

    This command takes effect only for 802.1X authentication and MAC address authentication users. By default, Accounting-Start packets for Portal authentication carry users' IP addresses.

  6. (Optional) Run authentication ipv6-control enable

    The network admission control function is enabled for IPv6 users.

    By default, the network admission control function is disabled for IPv6 users.

  7. (Optional) Run authentication no-ip-check

    The device is disabled from creating an IP hash table for client IP addresses.

    By default, the device creates an IP hash table for client IP addresses.

  8. (Optional) Run authentication ip-conflict-check enable

    The client IP address conflict detection function is enabled.

    By default, the device detects whether client IP addresses conflict with each other.

  9. (Optional) Run authentication no-replace dot1x [ device-type voice ]

    The device is configured not to respond to the EAP start packets sent from users who have successfully passed MAC address authentication or Portal authentication.

    By default, the device responds to the EAP start packets sent from users who have successfully passed MAC address authentication or Portal authentication.

  10. (Optional) Configure the device to handshake with users in pre-connection state and authorized users.

    1. Run authentication handshake

      Handshake with users in pre-connection state and authorized users is enabled.

      By default, the device handshakes with users in pre-connection state and authorized users.

    2. Run authentication timer handshake-period handshake-period

      The interval at which the device handshakes with users in pre-connection state and authorized users is configured.

      By default, the interval for sending handshake packets to users in pre-connection state and authorized users is 300 seconds.

  11. (Optional) Run access-domain domain-name [ dot1x | mac-authen | portal ] * [ force ]

    A default or forcible domain is configured for users.

    By default, no default or forcible domain is configured in an authentication profile, and the global default domain default is used.

    NOTE:
    • If force is not specified, a default domain is configured. If force is specified, a forcible domain is configured. If both a default domain and a forcible domain are configured, the device authenticates users in the forcible domain.

    • If dot1x, mac-authen, or portal is not specified, the configured domain takes effect for all access authentication users using the authentication profile. If dot1x, mac-authen, or portal is specified, the configured domain takes effect only for specified users using the authentication profile.

  12. (Optional) Run link-down offline delay { delay-value | unlimited }

    The user logout delay is configured when an interface link is faulty.

    By default, the user logout delay is 10 seconds when an interface link is faulty.

    When the user logout delay is set to 0, users are logged out immediately upon an interface link fault. When the user logout delay is set to unlimited, users are not logged out when an interface link is faulty.

  13. (Optional) Run authentication termination-action reauthenticate

    The device is configured to re-authenticate users when the time exceeds the value of Session-Timeout delivered by the RADIUS server.

    By default, the device does not re-authenticate users when the time exceeds the value of Session-Timeout delivered by the RADIUS server.

  14. (Optional) Run authentication control-direction { all | inbound }

    The direction of traffic controlled by the device is configured.

    By default, the device controls only the upstream traffic.
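The following configuration fragment is an added example (not from this guide) that carries the procedure above through for an access switch port serving 802.1X workstations and printers that cannot run an 802.1X client, using MAC address bypass plus the optional hardening steps. The profile names auth-floor1, mac-printers and dot1x-staff and the domain corp are assumed; the two access profiles must already exist, lines beginning with # are explanation rather than commands, and applying the profile to the access interface is configured elsewhere in the guide.

```text
# Added example, not Huawei's own configuration. Names are assumed.
system-view
authentication-profile name auth-floor1
 # MAC address bypass: bind the MAC profile, then the 802.1X profile, then enable bypass.
 # 802.1X runs first; if the user name request times out, MAC authentication follows.
 mac-access-profile mac-printers
 dot1x-access-profile dot1x-staff
 authentication dot1x-mac-bypass
 # Allow each terminal to pass only one of the bound authentication modes.
 authentication single-access
 # Limit the port to 8 access users; only 802.1X and MAC authentication users count.
 authentication mode multi-authen max-user 8 dot1x mac-authen
 # Force 802.1X and MAC authentication users into the corp domain regardless of the
 # domain carried in the user name.
 access-domain corp dot1x mac-authen force
 # Re-authenticate when the Session-Timeout delivered by the RADIUS server expires.
 authentication termination-action reauthenticate
 # Control both upstream and downstream traffic instead of upstream only.
 authentication control-direction all
 # Log users out immediately when the interface link goes down.
 link-down offline delay 0
 quit
```

Because a gateway acting as the authentication device is discouraged for 802.1X + MAC hybrid authentication (see the NOTE in step 3), this fragment is meant for an access switch, not a gateway.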

Updated: 2019-04-20

Document ID: EDOC1100066170