Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Licensing Requirements and Limitations for 802.1x Authentication

Involved Network Elements

Table 2-2 Components involved in 802.1x authentication networking

Role          Product Model                                  Description
AAA server    Huawei servers or third-party AAA servers.     Performs authentication, accounting, and authorization on users.

Licensing Requirements

802.1x authentication is a basic feature of the device and is not under license control.

Version Requirements

Table 2-3 Products and minimum version supporting 802.1x authentication

Product Model                           Minimum Version Required
CE8860EI                                V100R006C00
CE8861EI                                V200R005C10
CE8868EI                                V200R005C10
CE8850-32CQ-EI                          V200R002C50
CE8850-64CQ-EI                          V200R005C00
CE7850EI                                V100R003C10
CE7855EI                                V200R001C00
CE6810EI                                V100R003C10
CE6810-48S4Q-LI/CE6810-48S-LI           V100R003C10
CE6810-32T16S4Q-LI/CE6810-24S2Q-LI      V100R005C10
CE6850EI                                V100R003C10
CE6850-48S6Q-HI                         V100R005C00
CE6850-48T6Q-HI/CE6850U-HI/CE6851HI     V100R005C10
CE6855HI                                V200R001C00
CE6856HI                                V200R002C50
CE6857EI                                V200R005C10
CE6860EI                                V200R002C50
CE6865EI                                V200R005C00
CE6870-24S6CQ-EI/CE6870-48S6CQ-EI       V200R001C00
CE6870-48T6CQ-EI                        V200R002C50
CE6875EI                                V200R003C00
CE6880EI                                V200R005C00
CE5810EI                                V100R003C10
CE5850EI/CE5850HI                       V100R003C10
CE5855EI                                V100R005C10
CE5880EI                                V200R005C10

Feature Limitations

When configuring 802.1x authentication on a switch, pay attention to the following points:
  • For CE6870EI and CE6875EI switches, 802.1x and TRILL cannot be used together by default. To use both, run the trill adjacency-check disable command first. The TRILL function has a higher priority than 802.1x: if 802.1x is configured before TRILL, only TRILL takes effect.
  • The 802.1x, MAC limit, and port security functions cannot be configured simultaneously.
  • The 802.1x authentication on the CE6870EI and CE6875EI takes effect only on Layer 2 interfaces.
  • In forcible unauthorization mode, users configured with static MAC addresses can still access the network normally.
  • Users configured with the same MAC address cannot pass 802.1x authentication on two interfaces.
  • 802.1x-enabled interfaces on the CE6870EI and CE6875EI can match MAC addresses learned on other interfaces. For example, when interface 1 has 802.1x enabled and interface 2 learns the source MAC address MAC1, interface 1 can forward packets with MAC1 as the source MAC address.
  • Interface-based 802.1x authentication cannot be configured on Eth-Trunk member interfaces.
  • When using the device trigger mode, pay attention to the following points:
    • The CE switches running V100R005C00 and earlier versions do not support the device trigger mode.
    • The CE switches running V100R005C10 support the device multicast trigger mode after the patch V100R005SPH005 or a later version is installed.
    • The CE switches running V100R006C00 and later versions support the device multicast trigger mode.
      NOTE: In the device multicast trigger mode, a port on the device can connect to only one 802.1x client and sends untagged multicast packets.
    • The CE switches running V200R002C50 and later versions support the device unicast trigger mode.
  • When using EAP relay authentication, pay attention to the following points:
    • The CE switches running V100R003C10 support only MD5-Challenge authentication.
    • The CE switches running V100R005C00 support MD5-Challenge authentication and EAP-TLS authentication without certificate.
    • The CE switches running V100R005C10 support MD5-Challenge authentication, EAP-TLS authentication without certificate, EAP-PEAP authentication, and EAP-TLS authentication with certificate after the patch V100R005SPH003 or a later version is installed.
    • The CE switches running V100R006C00 and later versions support MD5-Challenge authentication, EAP-PEAP authentication, and EAP-TLS authentication.
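The version- and patch-dependent rules above are easy to misread when auditing a mixed fleet, so here is an added example (not Huawei's code or tool) that parses the VxxxRyyyCzz and VxxxRyyySPHnnn strings used in this guide and reports which trigger modes and EAP relay methods each switch can use. The inventory is constructed, and the treatment of an unpatched V100R005C10 as equivalent to V100R005C00 is an assumption the guide does not state.

```python
import re
from typing import Optional

# Version strings as they appear in this guide: V100R005C10; patch IDs: V100R005SPH005.
_VER = re.compile(r"^V(\d{3})R(\d{3})C(\d{2})$")
_SPH = re.compile(r"^V(\d{3})R(\d{3})SPH(\d{3})$")

def parse_version(version: str) -> tuple:
    """'V100R005C10' -> (100, 5, 10); tuples compare in release order."""
    m = _VER.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version}")
    return tuple(int(g) for g in m.groups())

def patch_level(version: str, patch: Optional[str]) -> int:
    """SPH number of the installed patch, or 0; the patch must target the same V/R."""
    if patch is None:
        return 0
    m = _SPH.match(patch)
    if not m or parse_version(version)[:2] != (int(m.group(1)), int(m.group(2))):
        raise ValueError(f"patch {patch} does not apply to {version}")
    return int(m.group(3))

def dot1x_capabilities(version: str, patch: Optional[str] = None) -> dict:
    """Trigger modes and EAP relay methods permitted by the feature-limitation list."""
    v, sph = parse_version(version), patch_level(version, patch)
    trigger, eap = set(), {"MD5-Challenge"}  # MD5-Challenge is supported on every listed release
    # Device trigger mode: none on V100R005C00 and earlier.
    if (v == (100, 5, 10) and sph >= 5) or v >= (100, 6, 0):
        trigger.add("multicast")
    if v >= (200, 2, 50):
        trigger.add("unicast")
    # EAP relay methods. Assumption: an unpatched V100R005C10 behaves like V100R005C00.
    if v >= (100, 5, 0):
        eap.add("EAP-TLS without certificate")
    if (v == (100, 5, 10) and sph >= 3) or v >= (100, 6, 0):
        eap.update({"EAP-PEAP", "EAP-TLS with certificate"})
    return {"trigger_modes": trigger, "eap_methods": eap}

def audit(inventory: dict) -> dict:
    """inventory: name -> (version, patch or None); returns name -> capabilities."""
    return {name: dot1x_capabilities(ver, patch) for name, (ver, patch) in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real network.
    sample = {"sw-a": ("V100R005C10", "V100R005SPH003"), "sw-b": ("V200R005C10", None)}
    for name, caps in audit(sample).items():
        print(name, sorted(caps["trigger_modes"]), sorted(caps["eap_methods"]))
```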
When configuring the guest VLAN on an interface, pay attention to the following points:
  • Before configuring a guest VLAN, create the VLAN with the corresponding VLAN ID.
  • When deleting a VLAN, also delete the guest VLAN that uses the same VLAN ID.
  • A super VLAN cannot be configured as a guest VLAN, and a guest VLAN cannot be configured as a super VLAN.
  • On an interface, the VLAN ID of a guest VLAN conflicts with the VLAN ID configured by port default vlan, port trunk allow-pass vlan, port hybrid tagged vlan, or port hybrid untagged vlan.
  • A guest VLAN supports only untagged packets.
  • Eth-Trunk member interfaces and dot1q-tunnel interfaces do not support guest VLANs.
Updated: 2019-04-20

Document ID: EDOC1100074765