Understanding iConnect
iConnect SSID
After the iConnect function is enabled on an AP, the AP releases an iConnect SSID, through which IoT terminals can access the network. This implements plug-and-play of IoT terminals and enables the terminals to automatically apply for digital certificates.
Figure 23-146 shows the working process of an iConnect SSID.
- After the administrator creates an SSID and enables the iConnect function, the SSID serves as the iConnect SSID. Then, the AP emits the signal of the iConnect SSID.
- An iConnect terminal scans for the iConnect SSID.
- The AP periodically sends Beacon frames that carry the iConnect Version Information Element (IE).
- The iConnect terminal broadcasts a Probe Request frame. Upon receiving the frame, the AP responds with a Probe Response frame containing the iConnect Version IE.
The iConnect Version IE is carried in the Vendor Specific Element field in a Beacon/Probe Response frame. As shown in Figure 23-147, the iConnect Version IE consists of a fixed Element ID (221), length, vendor OUI (Huawei's OUI: 00-E0-FC), and user-defined iConnect information.
- Based on the iConnect SSID, the iConnect terminal sends Association and Reassociation frames carrying an iConnect URL in the Vendor Specific Element to the AP. The AP then forwards the frames to the AC.
An iConnect URL is an extension of a Manufacturer Usage Description (MUD) URL. MUD is defined in RFC 8520 and provides a means for terminals to declare their identities and the network functionality they require to operate properly. MUD was initially designed for network access control and is gradually being applied to other fields. RFC 8520 also defines a MUD URL, from which a MUD file can be obtained. This file describes the terminal identity and the network functionality the terminal requires, and network access rights are granted to terminals based on it.
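The following is an added example (not Huawei's code) of how a listener on the defender's side would walk the tagged-parameter area of a Beacon or Probe Response frame and pick out Vendor Specific Elements (Element ID 221) that carry Huawei's OUI 00-E0-FC, as described above. The frame bytes are constructed, and the four-byte payload after the OUI is a placeholder: the page calls that part user-defined and does not specify its layout.

```python
"""Parse 802.11 information elements and isolate Huawei vendor-specific IEs.

Added example, not Huawei's code. SAMPLE_BEACON_IES is constructed; the
payload after the OUI is a placeholder, since the page does not define it.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional

SSID_ID = 0
VENDOR_SPECIFIC_ID = 221
HUAWEI_OUI = bytes.fromhex("00e0fc")


@dataclass(frozen=True)
class InfoElement:
    element_id: int
    body: bytes


def iter_information_elements(blob: bytes) -> Iterator[InfoElement]:
    """Walk the IE area of a management frame: 1-byte ID, 1-byte length, body."""
    offset = 0
    while offset < len(blob):
        if offset + 2 > len(blob):
            raise ValueError("truncated IE header at offset %d" % offset)
        element_id, length = blob[offset], blob[offset + 1]
        body = blob[offset + 2:offset + 2 + length]
        if len(body) != length:
            raise ValueError("IE %d claims %d bytes but only %d remain"
                             % (element_id, length, len(body)))
        yield InfoElement(element_id, body)
        offset += 2 + length


def get_ssid(blob: bytes) -> Optional[str]:
    """Return the SSID element's body, or None if the frame carries none."""
    for ie in iter_information_elements(blob):
        if ie.element_id == SSID_ID:
            return ie.body.decode("utf-8", errors="replace")
    return None


def find_huawei_vendor_ies(blob: bytes) -> List[bytes]:
    """Return the user-defined payload of every vendor-specific IE with Huawei's OUI."""
    hits = []
    for ie in iter_information_elements(blob):
        if ie.element_id != VENDOR_SPECIFIC_ID:
            continue
        if len(ie.body) < 3:
            continue  # malformed: a vendor-specific IE must at least carry an OUI
        if ie.body[:3] == HUAWEI_OUI:
            hits.append(ie.body[3:])
    return hits


def is_well_formed(blob: bytes) -> bool:
    """True if every IE header and length is consistent with the blob size."""
    try:
        for _ in iter_information_elements(blob):
            pass
        return True
    except ValueError:
        return False


# Constructed Beacon IE area: SSID "iConnect", Supported Rates, a WMM vendor IE
# (Microsoft OUI 00-50-F2), and a Huawei vendor IE with a placeholder payload.
SAMPLE_BEACON_IES = (
    bytes([SSID_ID, 8]) + b"iConnect"
    + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    + bytes([VENDOR_SPECIFIC_ID, 7]) + bytes.fromhex("0050f2") + bytes([2, 0, 1, 0])
    + bytes([VENDOR_SPECIFIC_ID, 7]) + HUAWEI_OUI + b"IC01"   # placeholder payload
)

if __name__ == "__main__":
    print("SSID:", get_ssid(SAMPLE_BEACON_IES))
    print("Huawei IE payloads:", find_huawei_vendor_ies(SAMPLE_BEACON_IES))
```

The length check inside the loop matters: an IE whose declared length runs past the end of the frame is rejected as a whole rather than silently yielding a short body, which is the behaviour a monitoring parser wants when it is fed malformed or truncated captures.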
Figure 23-148 shows the format of an iConnect URL derived from the MUD URL.
Figure 23-149 shows the format of electronic identity information.
Table 23-89 Description of fields in the electronic identity information

| Field | Length | Description |
|---|---|---|
| IC | 2 characters | The value is fixed at IC. |
| Version number | 1 character | The value can contain only digits 1 to 9 and uppercase letters A to F. |
| Vendor name | 4-8 characters | The value is case-sensitive and can contain only letters, for example, Huawei. |
| Product name | 4-8 characters | The value is case-sensitive and can contain digits and letters, for example, AR502H. |
| Terminal type | 0-16 characters | The value is case-sensitive and can contain digits and letters, for example, GW. |
| SN | 0-32 characters | This field indicates the serial number of a terminal. The value is case-sensitive and can contain digits and letters. |
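As an added example (not Huawei's code), the validator below applies the per-field length and character rules of Table 23-89 to an electronic identity string before any of its fields are trusted for an authorization decision. Figure 23-149 is not reproduced on the page, so the hyphen used here to separate the six fields is an assumption; the sample identity strings and the serial number in them are constructed.

```python
"""Validate electronic identity information against the rules of Table 23-89.

Added example, not Huawei's code. The hyphen field separator is an assumption
(the layout figure is not on the page); the per-field rules are the table's.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

SEPARATOR = "-"  # assumed field separator

# (field name, pattern), in the order the table lists the fields.
FIELD_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("ic", re.compile(r"IC")),                         # fixed value
    ("version", re.compile(r"[1-9A-F]")),              # 1 char: 1-9 or A-F
    ("vendor", re.compile(r"[A-Za-z]{4,8}")),          # letters only
    ("product", re.compile(r"[A-Za-z0-9]{4,8}")),      # digits and letters
    ("terminal_type", re.compile(r"[A-Za-z0-9]{0,16}")),
    ("sn", re.compile(r"[A-Za-z0-9]{0,32}")),
]


@dataclass(frozen=True)
class ElectronicIdentity:
    ic: str
    version: str
    vendor: str
    product: str
    terminal_type: str
    sn: str


def parse_electronic_identity(text: str) -> ElectronicIdentity:
    """Split the string and check every field; raise ValueError naming the first bad one."""
    parts = text.split(SEPARATOR)
    if len(parts) != len(FIELD_RULES):
        raise ValueError("expected %d fields, got %d" % (len(FIELD_RULES), len(parts)))
    values = {}
    for (name, pattern), value in zip(FIELD_RULES, parts):
        # fullmatch, so a value like "AR502H " or "Huawei!" is rejected outright
        if pattern.fullmatch(value) is None:
            raise ValueError("field %r rejects value %r" % (name, value))
        values[name] = value
    return ElectronicIdentity(**values)


def is_valid_identity(text: str) -> bool:
    """Boolean convenience wrapper around parse_electronic_identity."""
    try:
        parse_electronic_identity(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: vendor and product are the table's own examples,
    # the serial number is a placeholder.
    sample = "IC-1-Huawei-AR502H-GW-SNEXAMPLE001"
    print(parse_electronic_identity(sample))
    print(is_valid_identity("IC-0-Huawei-AR502H-GW-"))  # version 0 is not allowed
```

Because every field is restricted to letters and digits, a hyphen can never appear inside a field, so splitting on it is unambiguous under the stated assumption; the empty terminal type and serial number that the table permits survive the split as empty strings and pass their zero-minimum patterns.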
iConnect Terminal Authentication
After an iConnect terminal associates with an iConnect SSID, the AC identifies the iConnect terminal and determines whether to allow the terminal to go online based on the configured NAC policy.
Local authentication for iConnect terminals
NAC is required for most terminals, but not for iConnect terminals. Therefore, you can configure the function that allows iConnect terminals to go online without authentication.
This function takes effect only for MAC address authentication and Portal authentication users in wireless scenarios. This function cannot be configured in MAC+802.1X authentication scenarios.
This function does not take effect for open users.
RADIUS authentication for iConnect terminals
If the function of allowing iConnect terminals to go online without authentication is disabled on the device, the device sends a RADIUS packet carrying the electronic identity information of an iConnect terminal in Huawei proprietary RADIUS attribute 26-202 to the RADIUS server.
The RADIUS server determines whether a terminal is an iConnect terminal based on the HW-MUD-URL attribute. If the terminal is an iConnect terminal, the RADIUS server searches for the corresponding authorization policy based on the user account and encapsulates an authentication response packet with this policy. For an iConnect terminal, you are advised to configure a redirection-related RADIUS attribute (such as HW-Redirect-ACL or HW-Portal-URL). In this way, the iConnect terminal will be redirected to a URL to download an EAP-TLS certificate after being authenticated successfully. After the certificate is downloaded, EAP-TLS authentication is triggered for the terminal.
The HW-MUD-URL attribute can be used only in wireless scenarios.
The RADIUS server must be iMaster NCE-Campus.
If a client sends an EAPoL-Start packet to trigger authentication, iConnect-URL is not carried during RADIUS authentication of an iConnect terminal.
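To show how the electronic identity information travels in RADIUS attribute 26-202, here is an added example (not Huawei's or iMaster NCE-Campus code) that encodes and decodes a Vendor-Specific Attribute in the RFC 2865 layout and pulls the HW-MUD-URL value out of a request's attribute list. Two assumptions are made: that Huawei's IANA enterprise number is 2011, and that vendor-type 202 is the HW-MUD-URL attribute the text refers to. The request attributes, the user name and the identity string are constructed.

```python
"""Encode/decode the RADIUS Vendor-Specific Attribute (type 26) carrying
iConnect electronic identity information.

Added example, not Huawei's code. Assumptions: Huawei enterprise number 2011,
vendor-type 202 = HW-MUD-URL. Sample attributes are constructed.
"""
import struct
from typing import List, Optional, Tuple

VENDOR_SPECIFIC = 26
HUAWEI_VENDOR_ID = 2011           # assumed IANA enterprise number
HW_MUD_URL_VENDOR_TYPE = 202      # assumed mapping of "26-202" to HW-MUD-URL


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """RFC 2865 5.26: Type | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | String."""
    vendor_length = 2 + len(value)
    if 6 + vendor_length > 255:        # the outer Length octet caps the whole attribute
        raise ValueError("value of %d bytes does not fit one VSA" % len(value))
    inner = struct.pack("!BB", vendor_type, vendor_length) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def decode_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute area into (type, value) pairs, refusing bad lengths."""
    attrs = []
    offset = 0
    while offset < len(blob):
        if offset + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % offset)
        attr_type, length = blob[offset], blob[offset + 1]
        if length < 2 or offset + length > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (length, offset))
        attrs.append((attr_type, blob[offset + 2:offset + length]))
        offset += length
    return attrs


def extract_mud_url(blob: bytes) -> Optional[str]:
    """Return the HW-MUD-URL string if the request carries one, else None."""
    for attr_type, value in decode_attributes(blob):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != HUAWEI_VENDOR_ID:
            continue
        sub = value[4:]
        pos = 0
        while pos + 2 <= len(sub):     # one VSA may hold several sub-attributes
            vtype, vlen = sub[pos], sub[pos + 1]
            if vlen < 2 or pos + vlen > len(sub):
                raise ValueError("bad vendor sub-attribute length %d" % vlen)
            if vtype == HW_MUD_URL_VENDOR_TYPE:
                return sub[pos + 2:pos + vlen].decode("ascii")
            pos += vlen
    return None


def is_iconnect_request(blob: bytes) -> bool:
    """The server-side test the text describes: is there an HW-MUD-URL attribute?"""
    return extract_mud_url(blob) is not None


# Constructed Access-Request attributes: User-Name (1), NAS-Port-Type (61) set to
# 19 = Wireless-802.11, and the Huawei VSA with a constructed identity string.
SAMPLE_IDENTITY = "IC-1-Huawei-AR502H-GW-SNEXAMPLE001"
SAMPLE_REQUEST_ATTRS = (
    bytes([1, 11]) + b"iot-gw-01"
    + bytes([61, 6]) + struct.pack("!I", 19)
    + encode_vsa(HUAWEI_VENDOR_ID, HW_MUD_URL_VENDOR_TYPE, SAMPLE_IDENTITY.encode("ascii"))
)

if __name__ == "__main__":
    print("iConnect request:", is_iconnect_request(SAMPLE_REQUEST_ATTRS))
    print("HW-MUD-URL:", extract_mud_url(SAMPLE_REQUEST_ATTRS))
```

The vendor-ID check is what keeps a 26-202 attribute from another vendor's dictionary from being mistaken for HW-MUD-URL, and the length checks reject a request whose declared attribute lengths overrun the packet instead of reading past it.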