01-03 NAC Configuration (Common Mode)
Ethernet Switches
Configuration Guide - User Access and
Authentication 3 NAC Configuration (Common Mode)
Context
NOTE
● The device supports NAC. NAC controls a user's network access permission that involves
personal communication information collection or storage. Huawei will not collect or save
user communication information independently. You must use the features in compliance
with applicable laws and regulations. Ensure that your customers' privacy is protected when
you are collecting or saving communication information.
As enterprise networks grow, threats such as viruses, Trojan horses, spyware, and
malicious network attacks bring increasing risk. On a traditional enterprise
network, the intranet is considered secure and threats are assumed to come from
the extranet. However, 80% of security threats actually come from the intranet.
Intranet threats cause serious, wide-ranging damage; in the worst case, the system
and network break down. In addition, when intranet users browse websites on the
external network, spyware and Trojan horse software may be installed on their
computers automatically, without the users noticing. The malicious software may
then spread across the internal network.
Traditional security measures cannot meet the requirements of border defense in
the face of these growing security challenges. The security model should shift to
an active mode that solves security problems at their root (the terminals),
improving the information security level of the entire enterprise.
The NAC solution integrates terminal security and access control and applies
checking, auditing, securing, and isolation measures to improve the proactive
protection capability of terminals. This solution ensures the security of each
terminal and of the entire enterprise network.
As shown in Figure 3-1, NAC includes three components: NAC terminal, network
access device, and access server.
● NAC terminal: functions as the NAC client and interacts with network access
devices to authenticate access users. If 802.1X authentication is used, users
must install client software.
● Network access device: functions as the network access control point that
enforces enterprise security policies. It allows, rejects, isolates, or restricts
users based on the security policies customized for the enterprise network.
● Access server: includes the access control server, management server, antivirus
server, and patch server. It authenticates users, checks terminal security,
repairs and upgrades the system, and monitors and audits user actions.
Purpose
Traditional network security technologies focus on threats from external
computers, but typically neglect threats from internal computers. In addition,
● The client is the entity at an end of the LAN segment and is authenticated by
a device at the other end of the link. The client is usually a user terminal. The
user initiates 802.1X authentication using client software. The client must
support Extensible Authentication Protocol over LAN (EAPoL).
● The device is the entity at an end of the LAN segment, which authenticates
the connected client. The device is usually a network device that supports the
802.1X protocol. The device provides an interface, either physical or logical,
for the client to access the LAN.
● The authentication server is the entity that provides authentication service for
the device. The authentication server carries out authentication, authorization,
and accounting on users, and is usually a RADIUS server.
Basic Concepts
1. Controlled and uncontrolled interfaces
The device provides an interface for LAN access. The interface is classified into two
logical interfaces: the controlled interface and the uncontrolled interface.
The device uses the authentication server to authenticate clients that require LAN
access and controls the authorization state (Authorized or Unauthorized) of a
controlled interface based on the authentication result (Accept or Reject).
Authentication Modes
The 802.1X authentication system exchanges authentication information among
the client, device, and authentication server using the Extensible Authentication
Protocol (EAP). The exchange of EAP packets among the components is described
as follows:
1. The EAP packets transmitted between the client and device are encapsulated
in EAPoL format and transmitted across the LAN.
2. The device and RADIUS server exchange EAP packets in the following modes:
– EAP relay: The device relays EAP packets. The device encapsulates EAP
packets in EAP over RADIUS (EAPoR) format and sends the packets to the
RADIUS server for authentication. This authentication mode simplifies
device processing and supports various EAP authentication methods, such
as MD5-Challenge, EAP-TLS, and PEAP. However, the RADIUS server must
support the corresponding authentication methods.
– EAP termination: The device terminates EAP packets. The device
encapsulates client authentication information into standard RADIUS
packets, which are then authenticated by the RADIUS server using the
Password Authentication Protocol (PAP) or Challenge Handshake
Authentication Protocol (CHAP). This authentication mode is applicable
since the majority of RADIUS servers support PAP and CHAP
authentication and server update is unnecessary. However, device
processing is complex, and the device supports only the MD5-Challenge
EAP authentication method.
NOTE
The device supports the following EAP protocols: EAP-CHAP (EAP-MD5), EAP-PAP, EAP-TLS,
EAP-TTLS, and EAP-PEAP.
1. When a user needs to access an external network, the user starts the 802.1X
client program, enters the applied and registered user name and password,
and initiates a connection request. The client then sends an authentication
request frame (EAPoL-Start) to the device to start the authentication process.
2. After receiving the authentication request frame, the device returns an
identity request frame (EAP-Request/Identity), requesting the client to send
the previously entered user name.
3. In response to the request sent by the device, the client sends an identity
response frame (EAP-Response/Identity) containing the user name to the
device.
4. The device encapsulates the EAP packet in the response frame sent by the
client into a RADIUS packet (RADIUS Access-Request) and sends the RADIUS
packet to the authentication server for processing.
5. After receiving the user name forwarded by the device, the RADIUS server
searches the user name table in the database for the corresponding password,
encrypts the password with a randomly generated MD5 challenge value, and
sends the MD5 challenge value in a RADIUS Access-Challenge packet to the
device.
6. The device forwards the MD5 challenge value sent by the RADIUS server to
the client.
7. After receiving the MD5 challenge value from the device, the client encrypts
the password with the MD5 challenge value, generates an EAP-Response/
MD5-Challenge packet, and sends the packet to the device.
8. The device encapsulates the EAP-Response/MD5-Challenge packet into a
RADIUS packet (RADIUS Access-Request) and sends the RADIUS packet to the
RADIUS server.
9. The RADIUS server compares the received encrypted password and the locally
encrypted password. If the two passwords match, the user is considered
authorized and the RADIUS server sends a packet indicating successful
authentication (RADIUS Access-Accept) to the device.
10. After receiving the RADIUS Access-Accept packet, the device sends a frame
indicating successful authentication (EAP-Success) to the client, changes the
interface state to Authorized, and allows the user to access the network using
the interface.
11. When the user is online, the device periodically sends a handshake packet to
the client to monitor the online user. For details, see the dot1x timer arp-
detect command.
12. After receiving the handshake packet, the client sends a response packet to
the device, indicating that the user is still online. By default, the device
disconnects the user if it receives no response from the client after sending
two handshake packets. The handshake mechanism allows the server to
detect unexpected user disconnections. For details, see the dot1x timer arp-
detect command.
13. If the user wants to go offline, the client sends an EAPoL-Logoff frame to the
device.
14. The device changes the interface state from Authorized to Unauthorized and
sends an EAP-Failure packet to the client.
2. EAP termination authentication
Compared with the EAP relay mode, in EAP termination mode, the device
randomly generates an MD5 challenge value for encrypting the user password in
Step 4, and sends the user name, the MD5 challenge value, and the password
encrypted on the client to the RADIUS server for authentication.
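The EAP-MD5 exchange in the numbered steps above, together with the EAP termination variant just described, as an added example that is not part of this guide and involves no Huawei code: a Python simulation of the client, access device and RADIUS server roles. The MD5-Challenge response is computed as MD5(Identifier || password || challenge) per RFC 1994 and RFC 3748, which is what the text calls "encrypting the password with the MD5 challenge value"; the class names, trace strings, the EAP Identifier value 1, the 16-byte challenge, and the user account are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# EAP-MD5 (RFC 3748 s5.4, reusing CHAP from RFC 1994): the response is
# MD5(Identifier || password || challenge). The page calls this "encrypting
# the password with the MD5 challenge value"; the server recomputes the
# same hash from its stored password and compares (step 9).
def md5_challenge_response(eap_id: int, password: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([eap_id & 0xFF]) + password + challenge).digest()

@dataclass
class Client:                     # 802.1X supplicant; credentials are constructed
    username: str
    password: bytes

    def answer(self, eap_id: int, challenge: bytes) -> bytes:
        return md5_challenge_response(eap_id, self.password, challenge)

@dataclass
class RadiusServer:               # authentication server with a user table
    users: dict                   # username -> password

    def verify(self, username, eap_id, challenge, response) -> bool:
        password = self.users.get(username)
        if password is None:
            return False
        expected = md5_challenge_response(eap_id, password, challenge)
        return hmac.compare_digest(expected, response)

@dataclass
class Device:                     # access switch; mode is "relay" or "termination"
    mode: str = "relay"
    port_state: str = "Unauthorized"
    trace: list = field(default_factory=list)

def run_8021x(client: Client, device: Device, server: RadiusServer) -> str:
    """Steps 1-10 of the page's flow; returns the controlled interface state."""
    t, eap_id = device.trace, 1
    t.append("Client -> Device: EAPoL-Start")                                   # 1
    t.append("Device -> Client: EAP-Request/Identity")                          # 2
    t.append(f"Client -> Device: EAP-Response/Identity({client.username})")    # 3
    if device.mode == "relay":
        t.append("Device -> Server: Access-Request(EAP-Message)")               # 4
        challenge = os.urandom(16)                                              # 5: server's
        t.append("Server -> Device: Access-Challenge(EAP-Request/MD5-Challenge)")
        t.append("Device -> Client: EAP-Request/MD5-Challenge")                 # 6
        response = client.answer(eap_id, challenge)                             # 7
        t.append("Client -> Device: EAP-Response/MD5-Challenge")
        t.append("Device -> Server: Access-Request(EAP-Message)")               # 8
    else:
        # EAP termination: the device generates the challenge itself and sends
        # User-Name, CHAP-Challenge and CHAP-Password (RFC 2865) to RADIUS.
        challenge = os.urandom(16)
        t.append("Device -> Client: EAP-Request/MD5-Challenge")
        response = client.answer(eap_id, challenge)
        t.append("Client -> Device: EAP-Response/MD5-Challenge")
        t.append("Device -> Server: Access-Request(User-Name, CHAP-Challenge, CHAP-Password)")
    if server.verify(client.username, eap_id, challenge, response):            # 9
        t.append("Server -> Device: Access-Accept")
        t.append("Device -> Client: EAP-Success")                               # 10
        device.port_state = "Authorized"
    else:
        t.append("Server -> Device: Access-Reject")
        t.append("Device -> Client: EAP-Failure")
        device.port_state = "Unauthorized"
    return device.port_state

def handshake(device: Device, replies: list, max_unanswered: int = 2) -> str:
    """Steps 11-12: one handshake per entry of replies (True = client answered).
    The page's default logs the user out after two unanswered handshakes."""
    missed = 0
    for answered in replies:
        device.trace.append("Device -> Client: handshake")
        missed = 0 if answered else missed + 1
        if missed >= max_unanswered:
            device.port_state = "Unauthorized"
            device.trace.append("Device: no handshake response, user logged out")
            break
    return device.port_state

def logoff(device: Device) -> str:
    """Steps 13-14: EAPoL-Logoff; interface back to Unauthorized, EAP-Failure sent."""
    device.trace.append("Client -> Device: EAPoL-Logoff")
    device.port_state = "Unauthorized"
    device.trace.append("Device -> Client: EAP-Failure")
    return device.port_state

if __name__ == "__main__":
    server = RadiusServer({"alice": b"correct-horse"})          # constructed account
    for mode in ("relay", "termination"):
        dev = Device(mode)
        print(mode, run_8021x(Client("alice", b"correct-horse"), dev, server))
        print(mode, run_8021x(Client("alice", b"wrong-pw"), Device(mode), server))
        print(mode, handshake(dev, [True, False, False]))
```

In both modes the server only ever sees the hash, never the password, but EAP-MD5 provides no mutual authentication and derives no key material, unlike the EAP-TLS and PEAP methods the page lists for EAP relay.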
predefined period of time, the user's MAC address is used as the user name and
password, and is sent to an authentication server for authentication.
As shown in Figure 3-6, if the device receives no response after sending multiple
authentication requests, MAC address bypass authentication is used.
3. Critical VLAN
After the Critical VLAN function is enabled, the device adds an interface where the
user resides to the Critical VLAN if the authentication server does not respond, for
example, because the network between the device and authentication server is
disconnected or the authentication server is faulty. In this way, the user can access
resources in the Critical VLAN.
MAC address authentication on the interface use the same fixed user name.
The server only needs to configure one user account to meet the
authentication demands of all users. This applies to a network environment
with reliable clients.
● DHCP option: The device replaces a user's MAC address with the obtained
user DHCP option and a fixed password as identity information for
authentication. In this mode, the device must support MAC authentication
triggering through DHCP packets.
Guest VLAN
When the guest VLAN function is enabled, if the user does not respond to the
MAC address authentication request, the device adds the interface where the user
resides into the guest VLAN, so that the user can access resources in the guest
VLAN. In this manner, the user can access some network resources without being
authenticated.
When an unauthenticated user accesses the Internet, the device forcibly redirects
the user to a specific site. The user then can access resources in the specific site for
free. When the user needs to access resources outside the specific site, the user
must pass authentication on the Portal authentication website first.
A user can access a known Portal authentication website and enter a user name
and password for authentication. This mode is called active authentication. If a
user attempts to access other external networks through HTTP, the device forcibly
redirects the user to the Portal authentication website for Portal authentication.
This mode is called forcible authentication.
NOTE
The device uses Huawei proprietary Portal protocol to perform Portal authentication.
Huawei proprietary Portal protocol is compatible with the Portal 2.0 protocol of China
Mobile Communications Corporation (CMCC), and supports basic functions of the Portal 2.0
protocol.
System Architecture
As shown in Figure 3-7, typical networking of a Portal authentication system
consists of four entities: authentication client, access device, Portal server, and
authentication/accounting server.
Authentication Modes
Different Portal authentication modes can be used in different networking modes.
Portal authentication is classified into Layer 2 and Layer 3 authentication
according to the network layer on which it is implemented.
● Layer 2 authentication
The authentication client and access device are directly connected (or only Layer 2
devices exist between the authentication client and an access device). The device
can learn a user's MAC address, and uses an IP address and a MAC address to
identify the user. Portal authentication is configured as Layer 2 authentication.
Layer 2 authentication is simple and highly secure. However, it requires that the
user reside on the same subnet as the access device, which makes the networking
inflexible.
Figure 3-8 illustrates the packet interaction process when the user goes online
and Layer 2 authentication is used.
NOTE
The device does not support Layer 3 authentication of the built-in Portal server.
The user terminal is a PC with 802.1X client software installed on it. The user can
use the 802.1X client software to initiate an authentication request to the access
device. After exchanging information with the user terminal, the access device
sends the user information to the authentication server for authentication. If the
authentication succeeds, the access device sets the interface connected to the user
to the Up state and allows the user to access the network. If the authentication
fails, the access device rejects the user's access request.
NOTE
802.1X authentication results in the change of the interface state, but does not involve IP
address negotiation or assignment. 802.1X authentication is the simplest authentication
solution. However, the 802.1X client software must be installed on the user terminal.
The 802.1X client cannot be installed on printers. In this case, enable MAC address
authentication on interface1 connected to the printer. Then the access device uses
the printer's MAC address as the user name and password, and reports the MAC
address to the authentication server for authentication. If the authentication
succeeds, the access device sets the interface connected to the printer to the Up
state and allows the printer to access the network. If the authentication fails, the
access device rejects the printer's access request.
NOTE
Apart from MAC address authentication, terminals with simple functions that cannot install
the 802.1X client software and do not require high security (such as printers) can also be
authenticated using 802.1X MAC address bypass authentication.
If the user only requires Portal authentication using a web browser, enable Portal
authentication on the access device.
When an unauthenticated user accesses the Internet, the access device redirects
the user to the Portal authentication website to start Portal authentication. If the
authentication succeeds, the access device sets the interface connected to the user
to the Up state and allows the user to access the network. If the authentication
fails, the access device rejects the user's access request.
NOTE
When Huawei's Agile Controller-Campus functions as a server, its version must be V100R001,
V100R002, or V100R003.
When a Huawei switch functions as a DHCP server and assigns IP addresses to terminals based
on the static MAC-IP bindings delivered by the Agile Controller-Campus, the switch must run
V200R009C00 or a later version, and the Agile Controller-Campus must run V100R002 or
V100R003.
Licensing Requirements
NAC common mode is a basic feature of a switch and is not under license control.
NOTE
For details about software mappings, visit Info-Finder and search for the desired product
model.
Feature Limitations
Limitations related to NAC modes:
● Compared with the common mode, the unified mode uses the modular
configuration, making the configuration clearer and configuration model
easier to understand. Considering advantages of the unified mode, you are
advised to deploy NAC in unified mode.
● Starting from V200R005C00, the default NAC mode changes from common
mode to unified mode. Therefore, if the system software of a switch is
upgraded from a version earlier than V200R005C00 to V200R005C00 or a
later version, the switch automatically runs the undo authentication unified-
mode command to configure the NAC mode to common mode.
● For versions before V200R007C00, after the common mode and unified mode
are switched, you must save the configuration file and restart the device
manually to make the new configuration mode take effect. For V200R007C00
and later versions, after the common mode and unified mode are switched,
the device will automatically save the configuration file and restart.
● In V200R008C00, some NAC commands do not differentiate the common and
unified modes. Their formats and views remain unchanged after being
switched from one mode to the other. After devices are switched from the
common mode in V200R008C00 or later versions to the unified mode in
V200R009C00 or later versions, these NAC commands are switched to the
unified mode.
● In the unified mode, the commands supported only in the common mode are
unavailable; in the common mode, the commands supported only in the
unified mode are unavailable. After the configuration mode is switched, the
commands supported by both modes still take effect.
● The NAC common mode does not apply to wireless users. To use NAC to
control wireless user access, switch the NAC mode to unified mode.
enabled on physical interfaces configured with Layer 3 services, you must run
the command assign forward-mode ipv4-hardware to enable Layer 3
hardware forwarding for IPv4 packets.
● NAC authentication and authentication-related parameters cannot be enabled
both on a Layer 2 Ethernet interface and the VLANIF interface of the VLAN to
which the Layer 2 Ethernet interface belongs.
● The switch supports 802.1X authentication, MAC address authentication, and
external Portal authentication for users in a VPN (HTTP/HTTPS-based Portal
authentication is supported in V200R013C00 and later versions). Built-in
Portal authentication is not supported, and users in different VPNs but with
the same IP address cannot be authenticated.
● In V200R005, when NAC is configured on the main interface, service functions
on its sub-interface are affected.
● Terminals using MAC address authentication do not support switching
between IPv4 and IPv6. To ensure that a terminal can normally obtain an IP
address after passing the authentication, you are advised to enable either IPv4
or IPv6 on the terminal.
● In versions earlier than V200R013, if authentication triggered by any packet is
not configured, the ARP packets with the source IP address being 0.0.0.0
cannot trigger MAC address authentication. In V200R013 and later versions, if
authentication triggered by any packet is not configured, the ARP packets
with the source IP address being 0.0.0.0 can trigger MAC address
authentication. However, the IP addresses of online users are empty in the
display access-user command output. If the device receives an ARP packet
with the source IP address not being 0.0.0.0 from an online user, it updates
the user's IP address in the user entry to this source IP address. If an online
user has an IP address and sends an ARP packet with the source IP address
being 0.0.0.0, the device does not update the user's IP address in the user
entry.
● When an authentication point is deployed on the X series cards, only the X1E,
X2E, X2H, X5H, and X6H cards support ACL authorization for IPv6 users, and
other X series cards do not support ACL authorization for IPv6 users.
● In V200R020C00 and later versions, the device does not support built-in Portal
authentication. In versions earlier than V200R020C00, built-in Portal
authentication is only a test feature and does not support commercial use.
Limitations related to authorization:
● In V200R012C00 and later versions, if the ACL assigned to users who go
online through S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S,
S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S is not a user-
defined one, the attribute of the source IP address in the ACL rule does not
take effect. In all other cases, the IP address in the ACL rule is replaced with
the user's IP address. In versions earlier than V200R012C00, if an ACL bound
to a service scheme has defined the source IP address, only users with the
same IP address as the source IP address in the ACL can match the ACL in the
service scheme.
● An authorized VLAN cannot be delivered to online Portal users. For MAC
address-prioritized Portal authentication, the Agile Controller-Campus V1
delivers the session timeout attribute after Portal authentication succeeds so
that users go offline immediately, and then delivers an authorized VLAN to
users after the users pass MAC address authentication.
● The device does not support the user VLAN authorization function. Before
configuring other attributes except authorized VLANs for access users, run the
authorization-modify mode modify command on the device to set the
update mode of user authorization information delivered by the authorization
server to modify. Otherwise, access users will go offline.
Other limitations:
● The number of NAC users cannot exceed the maximum number of MAC
address entries supported by the switch.
● During LNP negotiation, NAC users cannot go online before the interface link
type becomes stable. If the interface link type is negotiated again and the
negotiation result changes, the online NAC users are logged out.
● For the S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5700-SI, S5710-C-LI, S5710-
X-LI, S5720I-SI, S5720-LI, S2730S-S, S5735-L1, S5735S-L1, S300, S5735-L,
S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S500,
S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S5735S-H, S5736-S, S6720-LI,
S6720S-LI, S6720S-SI, and S6720-SI, ACL-based simplified traffic policy and
traffic classification rules in MQC-based traffic policy have higher priorities
than rules defined in NAC configuration. If configurations in ACL-based
simplified traffic policy or MQC-based traffic policy conflict with the NAC
function, the device processes packets based on configurations in ACL-based
simplified traffic policy and traffic behaviors in MQC-based traffic policy.
Table 3-3 describes the default settings for MAC address authentication.
NOTE
● After the common mode and unified mode are switched, you must restart the device to
make each function in the new configuration mode take effect.
● In the unified mode, only the commands of the common mode are unavailable; in the
common mode, only the commands of the unified mode are unavailable. In addition,
after the configuration mode is switched, the commands supported by both the
common mode and unified mode still take effect.
Procedure
Step 1 Run system-view
NOTE
After SVF is enabled in unified mode, the device cannot switch to common mode.
----End
Pre-configuration Tasks
802.1X only provides a user authentication solution. To implement this solution,
the AAA function must also be configured. Therefore, complete the following tasks
before you configure 802.1X authentication:
● Configure the authentication domain and AAA scheme on the AAA client.
● Configure the user name and password on the RADIUS or HWTACACS server
if RADIUS or HWTACACS authentication is used.
● Configure the user name and password manually on the network access
device if local authentication is used.
If there are online users who log in through 802.1X authentication on the
interface, disabling the 802.1X authentication is prohibited.
Procedure
Step 1 Run system-view
Step 3 Enable 802.1X authentication on the interface in the system or interface view.
● In the system view:
1. Run dot1x enable interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10>
802.1X authentication of the interface is enabled.
● In the interface view:
1. Run interface interface-type interface-number
----End
Procedure
Step 1 Run system-view
Step 2 Configure the authorization state of an interface in the system or interface view.
● In the system view:
1. Run dot1x port-control { auto | authorized-force | unauthorized-force }
interface { interface-type interface-number1 [ to interface-number2 ] }
&<1-10>
----End
When 802.1X authentication users are online, you cannot change the access control mode
of an interface.
When MAC address-based access control is used in 802.1X authentication, ensure that the
interface type is hybrid when you configure the authorization VLAN.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure the access control mode of an interface in the system or interface view.
● In the system view:
1. Run dot1x port-method { mac | port } interface { interface-type interface-
number1 [ to interface-number2 ] } &<1-10>
The access control mode of the interface is configured.
● In the interface view:
1. Run interface interface-type interface-number
The interface view is displayed.
2. Run dot1x port-method { mac | port }
The access control mode of the interface is configured.
----End
NOTE
● The authentication mode can be set to EAP relay for 802.1X authentication users only
when the RADIUS authentication is used.
● If the 802.1X client uses the MD5 encryption mode, the user authentication mode on
the device can be set to EAP or CHAP; if the 802.1X client uses the PEAP authentication
mode, the authentication mode on the device can be set to EAP.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 You can configure the authentication mode for 802.1X user in the system view or
interface view.
● In the system view:
Run the dot1x authentication-method { chap | eap | pap } command to set
the authentication mode for 802.1X users.
● In the interface view:
a. Run the interface interface-type interface-number command to enter the
interface view.
b. Run the dot1x authentication-method { chap | eap | pap } command to
set the authentication mode for 802.1X users.
By default, the global 802.1X user authentication mode is CHAP authentication
and the 802.1X user authentication mode on interfaces is the same as the mode
globally configured.
----End
NOTE
After MAC address bypass authentication is configured on the interface where 802.1X
authentication is not enabled, 802.1X authentication is enabled on the interface.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Enable MAC address bypass authentication on the interface in the system view or
interface view.
● In the system view:
1. Run dot1x mac-bypass interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10>
MAC address bypass authentication is enabled on the interface.
By default, MAC address bypass authentication is disabled on an interface.
NOTE
You can run the dot1x mac-bypass access-port all command to enable MAC address
bypass authentication on all downlink interfaces of the device.
2. (Optional) Run dot1x mac-bypass mac-auth-first interface { interface-type
interface-number1 [ to interface-number2 ] } &<1-10>
MAC address authentication is performed first during MAC address bypass
authentication.
By default, MAC address authentication is not performed first during MAC
address bypass authentication.
● In the interface view:
1. Run interface interface-type interface-number
The interface view is displayed.
802.1X authentication is disabled on the interface when MAC address bypass authentication
is disabled on the interface using the undo dot1x mac-bypass command.
The value of the delay timer for MAC address bypass authentication is set.
By default, the value of the delay timer for MAC address bypass authentication is
30s.
NOTE
If MAC address authentication is performed first during MAC address bypass authentication,
the delay timer does not take effect.
----End
Context
The administrator can set the maximum number of concurrent access users for
802.1X authentication on the interface. When the number of access users reaches
the maximum number allowed, new users for 802.1X authentication cannot access
networks through the interface.
NOTE
● If the number of current online users on an interface has exceeded the maximum
number, online users are not affected but new access users are limited.
● This function is effective only when the MAC address-based access mode is configured
on the interface. When the interface-based access mode is configured on the interface,
the maximum number of concurrent access users on the interface is automatically set
to 1. In this case, after one user is authenticated on the interface, other users can go
online without being authenticated.
Procedure
Step 1 Run system-view
Step 2 Set the maximum number of concurrent access users on an interface in the
system or interface view.
● In the system view:
1. Run dot1x max-user user-number interface { interface-type interface-
number1 [ to interface-number2 ] } &<1-10>
----End
Prerequisites
A domain has been created using the domain command.
Context
During authentication, if the user name entered by a user does not contain a
domain name, the user will be authenticated in the default domain; if the user
name contains a domain name, the user will be authenticated in the specified
domain.
If the user names entered by many users do not contain domain names, excess
users are authenticated in the default domain, making the authentication scheme
inflexible. If all users on an interface need to use the same AAA scheme when the
user names entered by some users contain domain name and those entered by
other users do not, the device also cannot meet such requirement. To address this
issue, you can configure a forcible domain. Then all users on the interface will be
authenticated in the forcible domain no matter whether the user names entered
by the users contain domain names.
Procedure
Step 1 Run system-view
----End
Context
The device sends an ARP probe packet to check the user online status. If the user
does not respond within a detection period, the device considers that the user is
offline.
Procedure
Step 1 Run system-view
NOTE
The following source IP addresses used in offline detection packets are listed in descending
order of priority:
1. IP address and MAC address of the VLANIF interface corresponding to the VLAN that users
belong to and on the same network segment as users
2. Source IP address specified using the access-user arp-detect vlan vlan-id ip-address ip-
address mac-address mac-address command for offline detection packets in a specified
VLAN
3. Source IP address calculated based on the IP address specified using the access-user arp-
detect fallback ip-address { mask | mask-length } command
4. Default source IP address specified using the access-user arp-detect default ip-address ip-
address command for offline detection packets.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dot1x timer { client-timeout client-timeout-value | tx-period tx-period-
value }
The 802.1X timers are configured.
NOTE
The client timeout timer, and the authentication request timeout timer are enabled by
default.
----End
Context
After the quiet function is enabled, when the number of times that a user fails
802.1X authentication reaches the maximum number allowed, the device quiets
the user, and during the quiet period, the device discards the 802.1X
authentication requests from the user. This prevents the impact of frequent user
authentications on the system.
NOTE
When the number of quiet entries reaches the maximum number, the device does not allow
new users who are not in the quiet table to access the network.
Procedure
Step 1 Run system-view
By default, an 802.1X user enters the quiet state after ten authentication failures
within 60 seconds.
----End
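The quiet function described above, as an added example that is not part of this guide: a Python model of the quiet table using the page's defaults (ten failures within 60 seconds). The quiet period length, the table size limit, the sliding-window reading of "within 60 seconds", the reset on success, and the MAC addresses are assumptions of this example.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class QuietTable:
    """Model of the 802.1X quiet function. A user reaching max_failures
    authentication failures within window_s seconds is quieted for
    quiet_period_s seconds, and its 802.1X requests are discarded meanwhile.
    max_failures and window_s are the page's defaults; quiet_period_s,
    max_entries and the sliding window are assumptions of this example."""
    max_failures: int = 10
    window_s: float = 60
    quiet_period_s: float = 60            # assumption
    max_entries: int = 1024               # assumption
    failures: dict = field(default_factory=dict)     # mac -> deque of failure times
    quiet_until: dict = field(default_factory=dict)  # mac -> end of quiet period

    def _expire(self, now: float) -> None:
        # Drop quiet entries whose period has elapsed.
        for mac in [m for m, until in self.quiet_until.items() if until <= now]:
            del self.quiet_until[mac]

    def is_quiet(self, mac: str, now: float) -> bool:
        self._expire(now)
        return mac in self.quiet_until

    def admit(self, mac: str, now: float) -> bool:
        """Should the device process an 802.1X request from mac at time now?"""
        if self.is_quiet(mac, now):
            return False                  # quieted: request discarded
        if len(self.quiet_until) >= self.max_entries:
            return False                  # table full: new users not admitted (page NOTE)
        return True

    def record_failure(self, mac: str, now: float) -> bool:
        """Register one failed authentication; returns True if mac was just quieted."""
        times = self.failures.setdefault(mac, deque())
        times.append(now)
        while times and times[0] <= now - self.window_s:  # forget failures outside window
            times.popleft()
        if len(times) >= self.max_failures:
            self.quiet_until[mac] = now + self.quiet_period_s
            times.clear()
            return True
        return False

    def record_success(self, mac: str) -> None:
        self.failures.pop(mac, None)      # successful auth resets the count (assumption)
```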
Context
If the administrator modifies user information on the authentication server,
parameters such as the user access permission and authorization attribute are
changed. If a user has passed 802.1X authentication, you must re-authenticate the
user to ensure user validity.
After the user goes online, the device saves user authentication information. After
re-authentication is enabled for 802.1X authentication users, the device sends the
saved authentication information of the online user to the authentication server
for re-authentication. If the user's authentication information does not change on
the authentication server, the user is kept online. If the authentication information
has been changed, the user is logged out, and then re-authenticated according to
the changed authentication information.
You can configure re-authentication for 802.1X authentication users using either
of the following methods:
● Re-authenticate all online 802.1X authentication users on a specified interface
periodically.
● Re-authenticate an online 802.1X authentication user once with a specified
MAC address.
NOTE
If periodic 802.1X re-authentication is enabled, a large number of 802.1X authentication logs are
generated.
Procedure
● Configure periodic re-authentication for all online 802.1X authentication users
on a specified interface.
a. Run system-view
handshake packet after the maximum number of retransmission times, the device
disconnects the user.
If the 802.1X client cannot exchange the handshake packet with the device, the
device does not receive any handshake response packet within the handshake
period. You must disable the handshake function for online users to prevent the
device from incorrectly disconnecting the users.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dot1x handshake
The handshake function is enabled for 802.1X online users.
By default, the handshake function is disabled for 802.1X online users.
Step 3 (Optional) Run dot1x handshake packet-type { request-identity | srp-sha1-part2 }
The type of 802.1X authentication handshake packets is set.
By default, the type of 802.1X authentication handshake packets is request-identity.
Step 4 (Optional) Configure the interval at which the device handshakes with 802.1X
online users.
● Run dot1x timer handshake-period handshake-period-value
The interval at which the device handshakes with 802.1X online users on non-Eth-Trunk interfaces is set.
By default, the interval for sending handshake packets is 15 seconds.
● Run dot1x timer eth-trunk-access handshake-period handshake-period-value
The interval at which the device handshakes with 802.1X online users on Eth-Trunk interfaces is set.
By default, the interval for sending handshake packets is 120 seconds.
Step 5 (Optional) Run dot1x retry max-retry-value
The number of times for resending a handshake packet is configured.
By default, a handshake packet can be resent twice.
----End
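The handshake timing above, as an added simulation that is not Huawei code: the device sends a handshake every handshake-period seconds, retransmits it up to max-retry times while the client stays silent, and logs the user out when the last retransmission is also unanswered. The 1-second clock, the assumption that logout happens at the next timer expiry after the last retransmission, and the MAC address are constructed for the example.

```python
"""Device-side 802.1X online-user handshake simulation (added example, not Huawei code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class HandshakeSession:
    mac: str
    period: int = 15        # dot1x timer handshake-period (15 s default; 120 s on Eth-Trunk)
    max_retry: int = 2      # dot1x retry (default: a handshake packet is resent twice)
    enabled: bool = True    # dot1x handshake (the guide's default is disabled)
    unanswered: int = 0     # handshake packets sent since the last client response
    online: bool = True
    offline_at: Optional[int] = None
    events: List[str] = field(default_factory=list)

    def client_response(self, now: int) -> None:
        """A handshake response arrived: the retransmission counter starts over."""
        if self.online:
            self.unanswered = 0
            self.events.append(f"{now:4d}s  response from {self.mac}")

    def tick(self, now: int) -> None:
        """Advance the clock by one second; act only when the handshake timer fires."""
        if not (self.online and self.enabled) or now % self.period != 0:
            return
        if self.unanswered > self.max_retry:
            # Initial packet plus max_retry retransmissions, all unanswered: the device
            # disconnects the user (assumed: at the next expiry of the handshake timer).
            self.online = False
            self.offline_at = now
            self.events.append(f"{now:4d}s  {self.mac} logged out: no handshake response")
            return
        kind = "handshake" if self.unanswered == 0 else f"retransmission {self.unanswered}"
        self.unanswered += 1
        self.events.append(f"{now:4d}s  sent {kind} to {self.mac}")


def simulate(session: HandshakeSession, response_times: List[int], duration: int) -> Optional[int]:
    """Run the session for `duration` seconds; the client answers only at the listed
    seconds. Returns the second at which the user was logged out, or None."""
    answers = set(response_times)
    for now in range(1, duration + 1):
        if now in answers:
            session.client_response(now)
        session.tick(now)
    return session.offline_at


def logout_time(response_times: List[int], period: int = 15, max_retry: int = 2,
                enabled: bool = True, duration: int = 600) -> Optional[int]:
    """When does a client with this answer pattern get logged out? (None = stays online)"""
    session = HandshakeSession(mac="00-E0-FC-12-34-56",  # constructed sample MAC
                               period=period, max_retry=max_retry, enabled=enabled)
    return simulate(session, response_times, duration)


if __name__ == "__main__":
    # A client whose 802.1X software never answers handshakes (the case the guide
    # warns about): logged out after 15 s x (1 initial + 2 retries + 1 wait) = 60 s.
    s = HandshakeSession(mac="00-E0-FC-12-34-56")
    simulate(s, [], 120)
    print("\n".join(s.events))
    # The documented workaround, disabling the handshake, keeps such a user online.
    print("handshake disabled ->", logout_time([], enabled=False))
```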
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dot1x eap-notify-packet eap-code code-number data-type type-number
The device is configured to send EAP packets with a code number to 802.1X users.
By default, the device does not send EAP packets with a code number to 802.1X
users.
NOTE
If an H3C iMC functions as the RADIUS server, run the dot1x eap-notify-packet eap-code 10
data-type 25 command on the device.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure the guest VLAN function in the system or interface view.
● In the system view:
1. Run authentication guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
The guest VLAN to which the interface is added is configured.
● In the interface view:
1. Run interface interface-type interface-number
The interface view is displayed.
NOTE
● The guest VLAN function can take effect only in 802.1X and MAC address
authentication.
● A super VLAN cannot be configured as a guest VLAN.
● When free IP subnets are configured, the guest VLAN function becomes invalid
immediately.
● The guest VLAN function takes effect only when a user sends untagged packets to the
device.
● Different interfaces can be configured with different guest VLANs. After a guest VLAN is
configured on an interface, the guest VLAN cannot be deleted.
● To make the VLAN authorization function take effect, the link type and access control
mode of the authentication interface must meet the following requirements:
– When the link type is hybrid in untagged mode, the access control mode can be
based on the MAC address or interface.
– When the link type is access or trunk, the access control mode can only be based
on the interface.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure the restrict VLAN function in the system or interface view.
● In the system view:
1. Run authentication restrict-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
NOTE
----End
You can configure the critical VLAN function of 802.1X authentication in the
system or interface view.
Procedure
● In the system view:
a. Run system-view
----End
Context
To grant users rights to access certain network resources during access
authentication, you can configure network access rights for users.
Procedure
Step 1 Run system-view
Step 2 Configure network access rights for users in the system view or interface view.
Step 3 (Optional) Set the timeout period of the network access rights granted to users in
different authentication stages. The configuration can be performed in the system
view or interface view.
Step 4 (Optional) Configure the device to return an authentication failure packet when a
user fails in authentication or the authentication server does not respond. The
configuration can be performed in the system view or interface view.
Step 5 (Optional) Configure the interval for re-authenticating users before the
authentication succeeds.
The device periodically re-authenticates the pre-connection users and the users
who fail to be authenticated so that the users can be authenticated in a timely
manner. You can configure the re-authentication interval according to the actual
networking.
----End
LLDP function on the device and the connected peer device. For details, see
"Enabling LLDP" in "LLDP Configuration" in the S300, S500, S2700, S5700,
and S6700 V200R020C10 Configuration Guide - Network Management
Configuration.
NOTE
The terminal type awareness function takes effect only when the authentication or
accounting mode in the AAA scheme is RADIUS.
The terminal type awareness function only provides a way for the access device to obtain user terminal types; it cannot assign network access policies to the terminals. The administrator configures the network access policies for terminals of different types on the RADIUS server.
Procedure
● In the DHCP option field mode
a. Run the system-view command to enter the system view.
b. Run the device-sensor dhcp option option-code &<1-6> command to
enable the terminal type awareness function based on the DHCP option
field.
By default, the terminal type awareness function based on the DHCP
option field is disabled.
● In the LLDP TLV type mode
a. Run the system-view command to enter the system view.
b. Run the device-sensor lldp tlv tlv-type &<1-4> command to enable the
LLDP-based terminal type awareness function.
By default, the LLDP-based terminal type awareness function is disabled.
----End
The NAC open function allows the users who failed in authentication to access the
network.
Procedure
Step 1 Run system-view
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dot1x dhcp-trigger
802.1X authentication triggered by a DHCP packet is enabled.
By default, 802.1X authentication triggered by a DHCP packet is disabled.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Enable 802.1X authentication triggered by unicast packets in the system or
interface view.
● In the system view:
1. Run dot1x unicast-trigger interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
802.1X authentication triggered by unicast packets is enabled.
● In the interface view:
1. Run interface interface-type interface-number
The interface view is displayed.
2. Run dot1x unicast-trigger
802.1X authentication triggered by unicast packets is enabled.
By default, 802.1X authentication triggered by unicast packets is disabled.
----End
Before a client passes 802.1X authentication, the client can access the network
resources in an authentication-free subnet if the subnet is configured. If a redirect
URL is configured for the 802.1X authentication user and the user accesses a
network with a browser, the device redirects the URL that the user attempts to
access to the configured URL (for example, to the 802.1X client download web
page). In this way, the web page preset by the administrator is displayed when the
user starts the browser. The server that provides the redirect URL must be in the
authentication-free IP subnet of the user.
NOTE
● The 802.1X-based fast deployment function needs to be configured only when third-party 802.1X client software is used.
● 802.1X authentication has been enabled globally and on an interface using the dot1x
enable command.
● To ensure that pre-connection users can be aged out normally, you need to run the dot1x
timer free-ip-timeout command to set the aging time of authentication-free user entries.
● After the free-ip function is configured, the guest VLAN, critical VLAN, and restrict VLAN are
no longer effective.
● The free IP subnet takes effect only when the interface authorization state is auto.
● If a user who does not pass 802.1X authentication wants to obtain an IP address dynamically
through the DHCP server, the network segment of the DHCP server needs to be configured
to a free IP subnet so that the user can access the DHCP server.
● After 802.1X users go offline, they are not allowed to access network resources on free IP
subnets within a specified period to prevent malicious attacks.
● After users succeed in 802.1X-based fast deployment, they can only access resources in the free IP subnets and some resources on the device.
Procedure
Step 1 Run system-view
By default, the value of the aging time for authentication-free user entries is 1380
minutes.
----End
Context
In network deployment, static IP addresses are assigned to dumb terminals such
as printers and servers. These users can be configured as static users for flexible
authentication.
After static users are configured, the device can use static user information such as
their IP addresses as the user names to authenticate the users only if one of the
802.1X authentication, MAC address authentication, and Portal authentication
modes is enabled on the interfaces connected to the static users.
Procedure
Step 1 Run system-view
NOTE
Only Layer 2 Ethernet interfaces and Layer 2 Eth-Trunk interfaces can be configured as static
user interfaces. If an interface is added to an Eth-Trunk or switched to a Layer 3 interface, the
static user function does not take effect.
When the interface (interface interface-type interface-number) mapping static users is
specified, the VLAN (vlan vlan-id) that the interface belongs to must be configured.
The user name for authenticating a static user is set to a MAC address.
By default, the user name for authenticating a static user is not set to a MAC
address.
This command takes priority over the static-user username format-include { ip-address | mac-address | system-name } command and the static-user password cipher password command.
----End
Procedure
Step 1 Configure the URL template.
1. Run the system-view command to enter the system view.
2. Run the url-template name template-name command to create a URL
template and enter the URL template view.
By default, no URL template exists on the device.
3. Run the url [ push-only ] url-string command to configure the redirect URL
corresponding to the Portal server.
4. Run the url-parameter { redirect-url redirect-url-value | sysname sysname-value | user-ipaddress user-ipaddress-value | user-mac user-mac-value | login-url url-key url } * command to set the parameters carried in the URL.
By default, a URL does not carry parameters.
5. Run the url-parameter mac-address format delimiter delimiter { normal |
compact } command to set the MAC address format in the URL.
By default, the MAC address format in a URL is XXXXXXXXXXXX.
NOTE
If web pages are pushed in URL mode, this step can be skipped.
----End
NOTE
When the user group function is enabled on models except the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI, ACL rules are delivered to each user and the user group function cannot be used to save ACL resources.
The priority of the user group authorization information delivered by the authentication
server is higher than that of the user group authorization information applied in the AAA
domain. If the user group authorization information delivered by the authentication server
cannot take effect, the user group authorization information applied in the AAA domain is
used. For example, if only user group B is configured on the device and the group
authorization information is applied in the AAA domain when the authentication server
delivers authorization information about user group A, the authorization information about
user group A cannot take effect and the authorization information about user group B is
used. To make the user group authorization information delivered by the authentication
server take effect, ensure that this user group is configured on the device.
If the authentication server authorizes multiple attributes to the device and the authorized
attributes overlap the existing configurations on the device, the attributes take effect based
on the minimum rule. For example, if the authentication server authorizes a VLAN and user
group to the device and the VLAN parameters are configured in the user group on the
device, the VLAN authorized by the authentication server takes effect.
Procedure
Step 1 Run system-view
NOTE
Before running this command, ensure that the ACL has been created using the acl or acl
name command and ACL rules have been configured using the rule command.
NOTE
Before running this command, ensure that the VLAN has been created using the vlan
command.
NOTE
Only the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
S6730S-S, S6720-EI, and S6720S-EI support this command.
Step 6 Run car { outbound | inbound } cir cir-value [ pir pir-value | cbs cbs-value | pbs pbs-value ] *
The rate of traffic from users in the user group is limited.
By default, the rate of traffic from users in the user group is not limited.
NOTE
Only the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
S6730S-S, S6720-EI, and S6720S-EI support this command, and the user group CAR can
only be applied in the interface outbound direction (outbound) on the S6720-EI and
S6720S-EI.
----End
Before configuring the device to generate the DHCP snooping binding table for
static IP users, you must have enabled 802.1X authentication and DHCP snooping
globally and on interfaces using the dot1x enable and dhcp snooping enable
commands.
NOTE
● The EAP protocol does not specify a standard attribute to carry IP address information. Therefore, if the EAP request packet sent by a static IP user does not contain an IP address, the IP address in the DHCP snooping binding table is obtained from the user's first ARP request packet whose MAC address matches the user information table after the user passes authentication. On a network, unauthorized users may forge authorized users' MAC addresses to launch ARP spoofing attacks against devices, so the DHCP snooping binding table generated in this way may be unreliable. Therefore, the dot1x trigger dhcp-binding command is not recommended; you are advised to run the user-bind static command to configure the static binding table instead.
● For users who are assigned IP addresses using DHCP, you do not need to run the dot1x
trigger dhcp-binding command on the device. The DHCP snooping binding table is
generated through the DHCP snooping function.
Procedure
Step 1 Run system-view
By default, the device does not automatically generate the DHCP snooping
binding table after static IP users pass 802.1X authentication.
----End
Follow-up Procedure
Configure IPSG and DAI after the DHCP snooping binding table is generated, to prevent attacks from unauthorized users.
● In the interface view, run the ip source check user-bind enable command to
enable IPSG.
● In the interface view, run the arp anti-attack check user-bind enable
command to enable DAI.
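The IPSG and DAI checks that this follow-up procedure enables, as an added example that is not Huawei code: a binding of MAC, IP, VLAN and interface is consulted for every inbound IP and ARP frame, and the entry sources follow the note above (user-bind static entries are authoritative; entries learned from an authenticated user's first ARP request are only as trustworthy as that packet). The MAC addresses, IP addresses, VLAN IDs, interface names and the Frame model are constructed for the example.

```python
"""IPSG and DAI checks against a binding table (added example, not Huawei code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int]  # (MAC address, VLAN) identifies one user on the switch


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    source: str  # "static" (user-bind static) or "arp-learned" (dot1x trigger dhcp-binding)


@dataclass(frozen=True)
class Frame:
    interface: str                         # interface the frame arrived on
    vlan: int
    src_mac: str                           # Ethernet source MAC
    src_ip: str                            # IP source address, or ARP sender IP
    arp_sender_mac: Optional[str] = None   # set only for ARP frames


class BindingTable:
    def __init__(self) -> None:
        self._entries: Dict[Key, Binding] = {}

    def add_static(self, mac: str, ip: str, vlan: int, interface: str) -> None:
        """user-bind static: configured by the administrator, never overwritten by learning."""
        self._entries[(mac, vlan)] = Binding(mac, ip, vlan, interface, "static")

    def learn_from_first_arp(self, frame: Frame, authenticated: bool) -> bool:
        """dot1x trigger dhcp-binding: after the user passes 802.1X, the first ARP request
        carrying the user's MAC supplies the IP. Unauthenticated users, non-ARP frames and
        MACs that already have an entry (static or learned) are ignored."""
        key = (frame.src_mac, frame.vlan)
        if not authenticated or frame.arp_sender_mac is None or key in self._entries:
            return False
        self._entries[key] = Binding(frame.src_mac, frame.src_ip, frame.vlan,
                                     frame.interface, "arp-learned")
        return True

    def lookup(self, mac: str, vlan: int) -> Optional[Binding]:
        return self._entries.get((mac, vlan))


def ipsg_check(table: BindingTable, frame: Frame) -> bool:
    """ip source check user-bind enable: forward an IP packet only if source MAC,
    source IP, VLAN and inbound interface all match one binding entry."""
    binding = table.lookup(frame.src_mac, frame.vlan)
    return (binding is not None and binding.ip == frame.src_ip
            and binding.interface == frame.interface)


def dai_check(table: BindingTable, frame: Frame) -> bool:
    """arp anti-attack check user-bind enable: the ARP sender MAC must equal the
    Ethernet source MAC, and sender MAC/IP must match a binding on this interface."""
    if frame.arp_sender_mac is None or frame.arp_sender_mac != frame.src_mac:
        return False
    return ipsg_check(table, frame)


def audit(table: BindingTable, frames: List[Frame]) -> List[str]:
    """Return a forward/drop verdict per frame: ARP frames via DAI, all others via IPSG."""
    verdicts = []
    for f in frames:
        ok = dai_check(table, f) if f.arp_sender_mac is not None else ipsg_check(table, f)
        verdicts.append("forward" if ok else "drop")
    return verdicts


if __name__ == "__main__":
    table = BindingTable()
    table.add_static("00-E0-FC-AA-00-01", "10.1.1.10", 10, "GE0/0/1")  # constructed printer entry
    samples = [  # constructed sample frames
        Frame("GE0/0/1", 10, "00-E0-FC-AA-00-01", "10.1.1.10"),            # matches the binding
        Frame("GE0/0/1", 10, "00-E0-FC-AA-00-01", "10.1.1.99"),            # source IP mismatch
        Frame("GE0/0/2", 10, "00-E0-FC-AA-00-01", "10.1.1.10"),            # wrong interface
        Frame("GE0/0/1", 10, "00-E0-FC-AA-00-01", "10.1.1.10",
              arp_sender_mac="00-E0-FC-AA-00-01"),                          # consistent ARP
        Frame("GE0/0/1", 10, "00-E0-FC-AA-00-01", "10.1.1.10",
              arp_sender_mac="00-E0-FC-BB-00-02"),                          # inconsistent ARP
    ]
    for frame, verdict in zip(samples, audit(table, samples)):
        print(f"{verdict:8s} {frame}")
```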
NOTE
Pre-configuration Tasks
To enable the switches to identify the voice terminals, enable LLDP or configure
OUI for the voice VLAN on the switches. For details, see "Configuring Basic LLDP
Functions" in "LLDP Configuration" in the S300, S500, S2700, S5700, and S6700
V200R020C10 Configuration Guide - Network Management and Monitoring or
"Configuring a Voice VLAN Based on a MAC Address" in "Voice VLAN
Configuration" in the S300, S500, S2700, S5700, and S6700 V200R020C10
Configuration Guide - Ethernet Switching. If a voice device supports only CDP and not LLDP, configure CDP-compatible LLDP on the switch using the lldp compliance cdp receive command.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run authentication device-type voice authorize [ user-group group-name ]
The voice terminals are enabled to go online without authentication.
By default, voice terminals are disabled from going online without authentication.
NOTE
When user-group group-name is not specified, voice terminals obtain the corresponding network access rights after they pass authentication and go online. When user-group group-name is specified, voice terminals obtain the network access rights defined by the user group after they go online. To use a user group to define network access rights for voice terminals, run the user-group group-name command to create a user group and configure network authorization information for the users in the group. Note that the user group takes effect only after it is enabled.
If you run this command repeatedly, the latest configuration overrides the previous ones.
----End
NOTE
● In normal cases, enabling MAC address migration is not recommended. It should be enabled only when users need to migrate during roaming. This prevents unauthorized users from forging the MAC addresses of online users and sending ARP, 802.1X, or DHCP packets on other authentication control interfaces to trigger MAC address migration and force authorized users offline.
● Cascading migration through intermediate devices is not supported, because ARP and DHCP
packets are not sent after the cascading migration.
● MAC address migration is not supported for Layer 3 Portal authentication users.
● In the Layer 2 BNG scenario, the device does not support MAC address migration.
● If a user is switched from an interface configured with NAC authentication to another interface not configured with NAC authentication, the user can access the network only after the original online entry ages out, because the new interface cannot send authentication packets to trigger MAC address migration.
● In common mode, Portal authentication is triggered only after users who go online through
a VLANIF interface send ARP packets and go offline; otherwise, the users can go online again
only after the original user online entries age out. Portal authentication cannot be triggered
after users who go online through physical interfaces migrate. The users can go online again
only after the original user online entries age out.
● After a user who goes online from a VLANIF interface is quieted because of multiple MAC
address migrations, MAC address migration can be performed for the quieted user only after
the quiet period expires and the ARP entry is aged out.
● When an authorized VLAN is specified in the authentication mac-move enable vlan
command, you are advised to enable the function of detecting the user status before user
MAC address migration.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run authentication mac-move enable vlan { all | { vlan-id1 [ to vlan-id2 ] } &<1-10> }
The MAC address migration function is enabled.
By default, MAC address migration is disabled.
VLANs need to be specified for users in MAC address migration. The VLANs before
and after the migration can be specified for the users, and they can be the same
or different.
Step 3 (Optional) Configure the MAC address migration quiet function.
When users frequently switch access interfaces (especially frequent switching due
to loops), the device needs to process a large number of authentication packets
and entries, which results in high CPU usage. To solve this problem, configure the
MAC address migration quiet function. If the number of MAC address migration
times for a user within 60 seconds exceeds the upper limit after the MAC address
migration quiet function is enabled, the device quiets the user for a certain period.
During the quiet period, the device does not allow users to perform MAC address
migration.
In addition, the device can send logs and alarms about MAC address migration to
improve maintainability of the MAC address migration quiet function.
Step 4 (Optional) Enable a device to detect users' online status before user MAC address
migration.
To prevent unauthorized users from spoofing online users to attack a device, run
the authentication mac-move detect enable command to enable the device to
detect users' online status before user MAC address migration. If no users are
online, the device permits MAC address migration and allows users to go online
from a new access interface. If a user is online, the device terminates MAC address
migration and does not allow the user to go online from a new access interface.
By default, a device detects users' online status once. The detection interval is
3 seconds.
----End
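The 802.1X quiet function described earlier (ten failures within 60 seconds quiet the user, whose requests are then discarded, and a full quiet table refuses new users) and the MAC address migration quiet function and online-status detection above share one 60-second counting mechanism; this added example, which is not Huawei code, models both with a single quiet table. The quiet periods, the move limit, the table capacity, the MAC addresses, the interface names and the probe callback that stands in for the device's status detection are all constructed for the example.

```python
"""Quiet tables for 802.1X failures and MAC address migration (added example, not Huawei code)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict

WINDOW = 60  # seconds; both functions in the guide count events within 60 s


@dataclass
class QuietTable:
    threshold: int      # events within WINDOW that trigger quieting
    quiet_period: int   # seconds a user stays quieted (assumed value)
    max_entries: int    # capacity of the quiet table (assumed value)
    _events: Dict[str, Deque[int]] = field(default_factory=dict)
    _quiet_until: Dict[str, int] = field(default_factory=dict)

    def _expire(self, now: int) -> None:
        for mac in [m for m, t in self._quiet_until.items() if t <= now]:
            del self._quiet_until[mac]

    def is_quiet(self, mac: str, now: int) -> bool:
        self._expire(now)
        return mac in self._quiet_until

    def is_full(self, now: int) -> bool:
        self._expire(now)
        return len(self._quiet_until) >= self.max_entries

    def record(self, mac: str, now: int) -> bool:
        """Count one event; return True if it pushed the user into the quiet state."""
        window = self._events.setdefault(mac, deque())
        window.append(now)
        while now - window[0] >= WINDOW:   # drop events that fell out of the window
            window.popleft()
        if len(window) >= self.threshold:
            self._quiet_until[mac] = now + self.quiet_period
            window.clear()
            return True
        return False


class Dot1xQuietGuard:
    """The quiet function in front of the 802.1X authenticator (default: 10 failures / 60 s)."""

    def __init__(self, quiet_period: int, max_entries: int) -> None:
        self.table = QuietTable(threshold=10, quiet_period=quiet_period, max_entries=max_entries)

    def handle_auth_request(self, mac: str, now: int, credentials_ok: bool) -> str:
        if self.table.is_quiet(mac, now):
            return "discarded"                   # quieted users' requests are dropped
        if self.table.is_full(now):
            return "rejected: quiet table full"  # users not in the table get no access
        if credentials_ok:
            return "accepted"
        return "failed, user quieted" if self.table.record(mac, now) else "failed"


class MacMoveController:
    """MAC address migration with the quiet function and online-status detection."""

    def __init__(self, move_limit: int, quiet_period: int, max_entries: int,
                 detect_enabled: bool, probe_online: Callable[[str, str], bool]) -> None:
        # Exceeding move_limit moves in 60 s: the (limit + 1)-th move quiets the user.
        self.table = QuietTable(threshold=move_limit + 1, quiet_period=quiet_period,
                                max_entries=max_entries)
        self.detect_enabled = detect_enabled     # authentication mac-move detect enable
        self.probe_online = probe_online         # (mac, interface) -> user still answers?
        self.online: Dict[str, str] = {}         # MAC -> current access interface

    def request_move(self, mac: str, new_interface: str, now: int) -> str:
        old_interface = self.online.get(mac)
        if old_interface is None:
            self.online[mac] = new_interface
            return "online"
        if old_interface == new_interface:
            return "no move"
        if self.table.is_quiet(mac, now):
            return "denied: quieted"
        if self.detect_enabled and self.probe_online(mac, old_interface):
            # The original user still answers on the old interface, so the request from
            # the new interface may carry a forged MAC: terminate the migration.
            return "denied: user still online on original interface"
        if self.table.record(mac, now):
            return "denied: quieted (too many moves)"
        self.online[mac] = new_interface
        return "moved"
```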
Context
When a user fails authentication or goes offline, the device records a system log. The system log contains the MAC addresses of the access device and the access user, and the authentication time.
NOTE
Identical system logs are system logs that contain the same MAC addresses. For example, after the device generates a system log for a user who fails authentication, the device does not generate a new system log for this user within the suppression period if the user fails authentication again. System logs for users going offline are suppressed in the same way.
Procedure
Step 1 Run system-view
----End
NOTE
The bandwidth share mode is supported by the S5731-H, S5731S-H, S5731-S, S5731S-S,
S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Enter a domain view.
1. Run aaa
The AAA view is displayed.
2. Run domain domain-name
A domain is displayed.
Step 3 Run band-width share-mode
The bandwidth share mode is enabled.
By default, the bandwidth share mode is disabled.
● If this command is run in the system view, it takes effect for all users who subsequently go online on the device. If it is run in the AAA domain view, it takes effect only for users who subsequently go online in the domain.
● If the local or remote RADIUS server does not assign CAR settings to the users
who will go online and the online users, the share mode is invalid to the
users.
● If the bandwidth share mode is enabled and different users use the same
account for authentication, the users going online with no CAR settings
assigned will not be affected when CAR settings are assigned to the users
who go online later.
----End
packets received per second if the CPU or memory usage is high. This function
reduces loads on the device CPU.
Procedure
Step 1 Run system-view
The device is enabled to dynamically adjust the rate at which it processes packets
from NAC users.
----End
Context
By default, the device periodically multicasts EAP-Request/Identity packets to
clients so that the clients are triggered to send EAPoL-Start packets for 802.1X
authentication. If the device interface connecting to a client changes from Down
to Up, the client needs to send EAPoL-Start packets again for 802.1X
authentication, which takes a long time. You can enable the function of triggering
802.1X authentication through multicast packets immediately after the device
interface goes Up, shortening the re-authentication time.
NOTE
When the access control mode on the device interface is based on the MAC address, the
dot1x mc-trigger port-up-send enable command does not take effect.
Procedure
Step 1 Run system-view
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run authentication port-vlan-modify user-online
The function of keeping users online when the port type or VLAN is changed is
enabled.
By default, the function of keeping users online when the port type or VLAN is
changed is disabled.
Step 3 Run display webmng configuration
The configuration of the WEBMNG module is displayed.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
----End
NOTE
● This function takes effect only for wired users who go online on Layer 2 physical interfaces
that have been configured with NAC authentication.
● To make the function take effect, it is recommended that the configured interval be greater
than the time during which the interface is in Up state. If the link frequently flaps within a
short period, it is recommended that the interval be set to unlimited.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run link-down offline delay { delay-value | unlimited }
The user logout delay is configured when an interface link is faulty.
The default user logout delay is 10 seconds when an interface link is faulty.
If the delay is 0, users are logged out immediately when the interface link is faulty.
If the delay is unlimited, users are not logged out when the interface link is faulty.
----End
Procedure
● Run the display dot1x [ statistics ] [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to check the 802.1X authentication configuration.
● Run the display mac-address authen [ interface-type interface-number |
vlan vlan-id ] * [ verbose ] command to check the current authen MAC
address entries in the system.
● Run the display user-group [ group-name ] command to check the user
group configuration.
● Run the display access-user command to check information about online
NAC users.
● Run the display aaa statistics access-type-authenreq command to verify the
number of authentication requests.
● Run the display port connection-type access all command to check all
current downlink interfaces on the device.
● Run the display dot1x quiet-user { all | mac-address mac-address }
command to check information about 802.1X authentication users who are
quieted.
● Run the display access-user dot1x-identity statistics command to display
statistics about Identity packets for 802.1X authentication on a switch.
----End
Pre-configuration Tasks
MAC address authentication only provides a user authentication solution. To
implement this solution, the AAA function must also be configured. Therefore,
complete the following tasks before you configure MAC address authentication:
● Configure the authentication domain and AAA scheme on the AAA client.
● Configure the user name and password on the RADIUS or HWTACACS server
if RADIUS or HWTACACS authentication is used.
● Configure the user name and password manually on the network access
device if local authentication is used.
For the configuration of AAA client, see 1 AAA Configuration.
Context
The MAC address authentication configuration takes effect on an interface only
after MAC address authentication is enabled globally and on the interface.
After MAC address authentication is enabled, if there are online users who log in
through MAC address authentication on the interface, disabling MAC address
authentication is prohibited.
For MAC address authentication, ensure that the interface type is hybrid when you
configure the authorization VLAN.
NOTE
Only S5720I-SI, S500, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI support configuration of MAC address authentication on VLANIF interfaces.
Procedure
Step 1 Run system-view
----End
Context
MAC address authentication uses the following user name formats:
● MAC address: When the MAC address is used as the user name for MAC
address authentication, the password can be the MAC address or a self-
defined character string.
● Fixed user name: Regardless of users' MAC addresses, all users have a fixed
name and password specified by the administrator as an identity for
authentication. Many users may be authenticated on the same interface. In
this case, all users requiring MAC address authentication on the interface use
the same fixed user name, and the server must only configure one user
account to authenticate all users. This is applicable to a network environment
with reliable access clients.
● DHCP option: The device uses the DHCP option field specified by the user and
a fixed password rather than the MAC address of the user as an identity for
authentication.
NOTE
If fixed user names are configured in the VLANIF interface view, Eth-Trunk interface view or
port group view, the password must be set.
If a MAC address is configured as the user name in the port group view, the password
cannot be set.
If configured in the system view, the user name format is valid for commands on all
interfaces; if configured in the interface view, the user name format is valid for commands
on this interface only. If configured in the interface view and system view at the same time,
the user name format configured in the interface view has higher priority.
Procedure
Step 1 Run system-view
Step 2 Configure the user name format in the system or interface view.
1. Run interface interface-type interface-number
By default, a MAC address without hyphens (-) or colons (:) is used as the
user name and password for MAC address authentication.
NOTE
When the user name format in MAC address authentication is configured, ensure that the
authentication server supports this format.
----End
NOTE
● When the fixed user name is used for MAC address authentication and the
authentication domain is specified in the user name, the user is authenticated in the
specified authentication domain.
● Before configuring an authentication domain for the MAC address authentication user,
ensure that the authentication domain has been created.
Procedure
● In the system view:
a. Run system-view
The system view is displayed.
b. Run mac-authen domain isp-name [ mac-address mac-address mask
mask ]
The authentication domain is configured for the MAC address
authentication user.
By default, MAC address authentication uses the global default domain.
● In the interface view:
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
----End
Context
After MAC address authentication is enabled, the device can trigger MAC address
authentication on users by default when receiving DHCP/ARP/DHCPv6/ND
packets. Based on user information on the actual network, the administrator can
adjust the packet types that can trigger MAC address authentication. For example,
if all users on a network dynamically obtain IPv4 addresses, the device can be
configured to trigger MAC address authentication only through DHCP packets.
This prevents the device from continuously sending ARP packets to trigger MAC
address authentication when static IPv4 addresses are configured for unauthorized
users on the network, and reduces device CPU occupation.
NOTE
Note the following situation. A device is configured to trigger MAC address authentication through DHCP packets, and DHCP options are used as the user names for MAC address authentication (for the configuration of user names in MAC address authentication, see 3.8.2 (Optional) Configuring the User Name Format). If the authentication server delivers the Huawei extended RADIUS attribute HW-Forwarding-VLAN (No. 26-161) to the device, the user packets must carry double VLAN tags and the outer VLAN ID cannot be the same as the ID of HW-Forwarding-VLAN; otherwise, the delivered attribute cannot take effect.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Configure the packet types that can trigger MAC address authentication.
Step 3 (Optional) Enable the device to send DHCP option information to the
authentication server when triggering MAC address authentication through DHCP
packets.
You can enable this function globally or on interfaces. If the function is enabled
globally, it can be enabled on multiple interfaces. If the function is enabled on
interfaces, it only takes effect on the specified interfaces. If the function is enabled
globally and on interfaces, the function enabled on the interfaces takes
precedence.
By default, the device does not send DHCP option information to the
authentication server when triggering MAC address authentication through DHCP
packets.
Step 4 (Optional) Enable the device to re-authenticate the users when receiving DHCP
lease renewal packets from MAC address authentication users.
You can enable this function globally or on interfaces. If the function is enabled
globally, it can be enabled on multiple interfaces. If the function is enabled on
interfaces, it only takes effect on the specified interfaces.
By default, the device does not re-authenticate the users when receiving DHCP
lease renewal packets from MAC address authentication users.
Step 5 (Optional) Enable the device to clear user entries when receiving DHCP Release
packets from MAC address authentication users.
You can enable this function globally or on interfaces. If the function is enabled
globally, it can be enabled on multiple interfaces. If the function is enabled on
interfaces, it only takes effect on the specified interfaces.
By default, the device does not clear user entries when receiving DHCP Release
packets from MAC address authentication users.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Set the maximum number of concurrent access users on an interface in the
system or interface view.
● In the system view:
1. Run mac-authen max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
The maximum number of access users for MAC address authentication is set
on the interface.
● In the interface view:
1. Run interface interface-type interface-number
The interface view is displayed.
2. Run mac-authen max-user user-number
The maximum number of access users for MAC address authentication is set
on the interface.
----End
Procedure
Step 1 Run system-view
----End
Procedure
Step 1 Run system-view
The following source IP addresses used in offline detection packets are listed in descending
order of priority:
1. IP address and MAC address of the VLANIF interface corresponding to the VLAN that users
belong to and on the same network segment as users
2. Source IP address specified using the access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address command for offline detection packets in a specified VLAN
3. Source IP address calculated based on the IP address specified using the access-user arp-detect fallback ip-address { mask | mask-length } command
4. Default source IP address specified using the access-user arp-detect default ip-address ip-address command for offline detection packets.
NOTE
If the number of offline detection packets (ARP packets) exceeds the default CAR value,
the detection fails and the users are logged out. (The display cpu-defend statistics
command can be run to check whether ARP request and response packets are lost.) To
resolve the problem, the following methods are recommended:
● Increase the detection interval based on the number of users. The default detection
interval is recommended when there are fewer than 8000 users; the detection interval
should be no less than 600 seconds when there are more than 8000 users.
● Deploy the port attack defense function on the access device and limit the rate of
packets sent to the CPU.
● Quiet timer (quiet-period): The device must enter a quiet period after the
user fails to be authenticated. During the quiet period, the device does not
process authentication requests from the user.
Procedure
Step 1 Run system-view
----End
Context
If the administrator modifies user information on the authentication server,
parameters such as the user access permission and authorization attribute are
changed. If a user has passed MAC address authentication, you must re-authenticate the
user to ensure user validity.
After the user goes online, the device saves user authentication information. After
re-authentication is enabled for MAC address authentication users, the device
sends the saved authentication information of the online user to the
authentication server for re-authentication. If the user's authentication
information does not change on the authentication server, the user is kept online.
If the authentication information has been changed, the user is logged out, and
then re-authenticated according to the changed authentication information.
You can configure re-authentication for MAC address authentication users using
either of the following methods:
● Re-authenticate all online MAC address authentication users on a specified
interface at an interval.
● Re-authenticate the online user once with a specified MAC address.
Procedure
● Re-authenticate all online MAC address authentication users on a specified
interface at an interval.
a. Run system-view
The system view is displayed.
b. Enable periodic re-authentication for all online MAC address
authentication users on the specified interface in the system or interface
view.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure the guest VLAN function in the system or interface view.
● In the system view:
1. Run authentication guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
The guest VLAN to which the interface is added is configured.
● In the interface view:
1. Run interface interface-type interface-number
The interface view is displayed.
2. Run authentication guest-vlan vlan-id
The guest VLAN to which the interface is added is configured.
NOTE
● The guest VLAN function can take effect only in 802.1X and MAC address
authentication.
● A super VLAN cannot be configured as a guest VLAN.
● When free IP subnets are configured, the guest VLAN function becomes invalid
immediately.
● The guest VLAN function takes effect only when a user sends untagged packets to the
device.
● Different interfaces can be configured with different guest VLANs. After a guest VLAN is
configured on an interface, the guest VLAN cannot be deleted.
● To make the VLAN authorization function take effect, the link type and access control
mode of the authentication interface must meet the following requirements:
– When the link type is hybrid in untagged mode, the access control mode can be
based on the MAC address or interface.
– When the link type is access or trunk, the access control mode can only be based
on the interface.
----End
If a free-ip function is configured, the critical VLAN in MAC address authentication expires
immediately.
The critical VLAN function can take effect only on hybrid interfaces that are added to
VLANs in untagged mode. The critical VLAN function cannot take effect on the interfaces of
other types.
You can configure the critical VLAN function of MAC address authentication in the
system or interface view.
Procedure
● In the system view:
a. Run system-view
The system view is displayed.
b. Run authentication critical-vlan vlan-id interface { interface-type
interface-number1 [ to interface-number2 ] } &<1-10>
The critical VLAN to which the interface is added is configured.
NOTE
For MAC address authentication users, the quiet function takes effect only when the users are
not added to user entries. In the common mode, no user entry is generated when a MAC
address authentication user fails the authentication. In this case, the quiet function takes effect
and a quiet entry is generated. If the network access rights for user pre-connections or
authentication failures are configured, the authorized user enters the pre-connection state, a
user entry is generated, and the quiet function does not take effect.
When the number of quiet entries reaches the maximum number, the device does not allow
new users who are not in the quiet table to access the network.
Procedure
Step 1 Run system-view
----End
Context
In network deployment, static IP addresses are assigned to dumb terminals such
as printers and servers. These users can be configured as static users for flexible
authentication.
After static users are configured, the device can use static user information such as
their IP addresses as the user names to authenticate the users only if one of the
802.1X authentication, MAC address authentication, and Portal authentication
modes is enabled on the interfaces connected to the static users.
Procedure
Step 1 Run system-view
NOTE
Only Layer 2 Ethernet interfaces and Layer 2 Eth-Trunk interfaces can be configured as static
user interfaces. If an interface is added to an Eth-Trunk or switched to a Layer 3 interface, the
static user function does not take effect.
When the interface (interface interface-type interface-number) mapping static users is
specified, the VLAN (vlan vlan-id) that the interface belongs to must be configured.
The user name for authenticating a static user is set to a MAC address.
By default, the user name for authenticating a static user is not set to a MAC
address.
This command takes priority over the static-user username format-include { ip-address | mac-address | system-name } command and the static-user password cipher password command.
----End
Context
To grant users rights to access certain network resources during access
authentication, you can configure network access rights for users.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure network access rights for users in the system view or interface view.
Step 3 (Optional) Set the timeout period of the network access rights granted to users in
different authentication stages. The configuration can be performed in the system
view or interface view.
Step 4 (Optional) Configure the interval for re-authenticating users before the
authentication succeeds.
The device periodically re-authenticates the pre-connection users and the users
who fail to be authenticated so that the users can be authenticated in a timely
manner. You can configure the re-authentication interval according to the actual
networking.
----End
After enabling any NAC authentication mode, the device can obtain user terminal
types in either of the following modes:
● DHCP option field mode: The device parses the required option field
containing terminal type information from the received DHCP request
packets. The device then sends the option field information to the RADIUS
server through a RADIUS accounting packet. Before selecting the DHCP option
field mode, you must enable the DHCP snooping function on the device. For
details, see Enabling DHCP Snooping in "DHCP Snooping Configuration" in
the S300, S500, S2700, S5700, and S6700 V200R020C10 Configuration Guide -
Security.
● LLDP TLV type mode: The device parses the required TLV type containing
terminal type information from the received LLDPDUs. The device
encapsulates the TLV type information into the Huawei proprietary attribute
163 HW-LLDP in RADIUS accounting packets, and sends the packets to the
RADIUS server. Before selecting the LLDP TLV type mode, you must enable the
LLDP function on the device and the connected peer device. For details, see
"Enabling LLDP" in "LLDP Configuration" in the S300, S500, S2700, S5700,
and S6700 V200R020C10 Configuration Guide - Network Management
Configuration.
NOTE
The terminal type awareness function takes effect only when the authentication or
accounting mode in the AAA scheme is RADIUS.
The terminal type awareness function only provides a method for the access device to
obtain user terminal types; it cannot itself assign network access policies to the
terminals. The administrator configures the network access policies for terminals of
different types on the RADIUS server.
Procedure
● In the DHCP option field mode
a. Run the system-view command to enter the system view.
b. Run the device-sensor dhcp option option-code &<1-6> command to
enable the terminal type awareness function based on the DHCP option
field.
By default, the terminal type awareness function based on the DHCP
option field is disabled.
● In the LLDP TLV type mode
a. Run the system-view command to enter the system view.
b. Run the device-sensor lldp tlv tlv-type &<1-4> command to enable the
LLDP-based terminal type awareness function.
By default, the LLDP-based terminal type awareness function is disabled.
----End
Procedure
Step 1 Configure the URL template.
1. Run the system-view command to enter the system view.
2. Run the url-template name template-name command to create a URL
template and enter the URL template view.
By default, no URL template exists on the device.
3. Run the url [ push-only ] url-string command to configure the redirect URL
corresponding to the Portal server.
4. Run the url-parameter { redirect-url redirect-url-value | sysname sysname-value | user-ipaddress user-ipaddress-value | user-mac user-mac-value | login-url url-key url } * command to set the parameters carried in the URL.
By default, a URL does not carry parameters.
5. Run the url-parameter mac-address format delimiter delimiter { normal |
compact } command to set the MAC address format in the URL.
By default, the MAC address format in a URL is XXXXXXXXXXXX.
6. Run the parameter { start-mark parameter-value | assignment-mark
parameter-value | isolate-mark parameter-value } * command to set the
characters in the URL.
By default, the start character is ?, the assignment character is =, and the delimiter is &.
7. Run the quit command to return to the system view.
NOTE
If web pages are pushed in URL mode, this step can be skipped.
----End
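As an added illustration (not the device's own code or any Huawei API), the following Python models how the url-template settings from this procedure, which are the same template commands used later when binding a URL template to a Portal server, combine into the redirect URL a client receives. The template name, the parameter names carried in the URL, the sample addresses, the percent-encoding of the original URL and the meaning of the normal and compact MAC formats are assumptions.

```python
"""Model of how url-template settings assemble the Portal redirect URL.
Added illustration; not device code. All sample values are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import quote


@dataclass
class UrlTemplate:
    # url [ push-only ] url-string: the Portal server's redirect URL
    url: str
    # url-parameter <key> <name>: which values are carried, under which name
    params: dict = field(default_factory=dict)
    # url-parameter mac-address format delimiter <d> { normal | compact };
    # None means the command was not run, so the default XXXXXXXXXXXX applies
    mac_delimiter: Optional[str] = None
    mac_format: str = "normal"
    # parameter start-mark / assignment-mark / isolate-mark (defaults ? = &)
    start_mark: str = "?"
    assignment_mark: str = "="
    isolate_mark: str = "&"


def format_mac(mac: str, delimiter: Optional[str], fmt: str) -> str:
    """Render a MAC address the way the url-template MAC format settings do.
    Assumed meaning of the keywords: normal = 2 hex digits per group
    (XX-XX-XX-XX-XX-XX style), compact = 4 per group (XXXX-XXXX-XXXX style)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if delimiter is None:
        return digits                     # default: XXXXXXXXXXXX
    group = 2 if fmt == "normal" else 4
    return delimiter.join(digits[i:i + group] for i in range(0, 12, group))


def build_redirect_url(tpl: UrlTemplate, *, user_ip: str, user_mac: str,
                       original_url: str, sysname: str) -> str:
    """Assemble the redirect URL for one user from a url-template."""
    available = {
        # Assumption: the user's original URL is percent-encoded so that its
        # own '?' and '&' cannot be confused with the template's marks.
        "redirect-url": quote(original_url, safe=""),
        "sysname": sysname,
        "user-ipaddress": user_ip,
        "user-mac": format_mac(user_mac, tpl.mac_delimiter, tpl.mac_format),
    }
    # Only parameters named in url-parameter are carried (default: none).
    pairs = [f"{name}{tpl.assignment_mark}{available[key]}"
             for key, name in tpl.params.items()]
    if not pairs:
        return tpl.url
    return tpl.url + tpl.start_mark + tpl.isolate_mark.join(pairs)


# Constructed sample configuration, as it would be typed on the device:
#   url-template name portal-tpl
#    url http://portal.example.com/login
#    url-parameter redirect-url url sysname sysname user-ipaddress userip user-mac usermac
#    url-parameter mac-address format delimiter - normal
SAMPLE_TEMPLATE = UrlTemplate(
    url="http://portal.example.com/login",
    params={"redirect-url": "url", "sysname": "sysname",
            "user-ipaddress": "userip", "user-mac": "usermac"},
    mac_delimiter="-",
    mac_format="normal",
)


def sample_redirect() -> str:
    """Redirect URL for a constructed user hitting the sample template."""
    return build_redirect_url(SAMPLE_TEMPLATE, user_ip="10.1.1.2",
                              user_mac="00e0-fc12-3456",
                              original_url="http://www.example.com/",
                              sysname="SW1")


if __name__ == "__main__":
    print(sample_redirect())
```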
After creating user groups, you can set priorities and VLANs for the user groups, so
that users in different user groups have different priorities and network access
rights. The administrator can then flexibly manage users.
NOTE
When the user group function is enabled on models except the S5731-H, S5731S-H, S5731-S,
S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI,
ACL rules are delivered to each user and the user group function cannot be used to save
ACL resources.
The priority of the user group authorization information delivered by the authentication
server is higher than that of the user group authorization information applied in the AAA
domain. If the user group authorization information delivered by the authentication server
cannot take effect, the user group authorization information applied in the AAA domain is
used. For example, if the authentication server delivers authorization information about
user group A, but only user group B is configured on the device and its authorization
information is applied in the AAA domain, the authorization information about user group A
cannot take effect and the authorization information about user group B is used. To make
the user group authorization information delivered by the authentication server take
effect, ensure that this user group is configured on the device.
If the authentication server authorizes multiple attributes to the device and the authorized
attributes overlap the existing configurations on the device, the attributes take effect based
on the minimum rule. For example, if the authentication server authorizes a VLAN and user
group to the device and the VLAN parameters are configured in the user group on the
device, the VLAN authorized by the authentication server takes effect.
Procedure
Step 1 Run system-view
NOTE
Before running this command, ensure that the ACL has been created using the acl or acl
name command and ACL rules have been configured using the rule command.
NOTE
Before running this command, ensure that the VLAN has been created using the vlan
command.
NOTE
Only the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
S6730S-S, S6720-EI, and S6720S-EI support this command.
Step 6 Run car { outbound | inbound } cir cir-value [ pir pir-value | cbs cbs-value | pbs
pbs-value ] *
The rate of traffic from users in the user group is limited.
By default, the rate of traffic from users in the user group is not limited.
NOTE
Only the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
S6730S-S, S6720-EI, and S6720S-EI support this command, and the user group CAR can
only be applied in the interface outbound direction (outbound) on the S6720-EI and
S6720S-EI.
The user group configuration takes effect only after the user group function is
enabled.
----End
Pre-configuration Tasks
To enable the switches to identify the voice terminals, enable LLDP or configure
OUI for the voice VLAN on the switches. For details, see "Configuring Basic LLDP
Functions" in "LLDP Configuration" in the S300, S500, S2700, S5700, and S6700
V200R020C10 Configuration Guide - Network Management and Monitoring or
"Configuring a Voice VLAN Based on a MAC Address" in "Voice VLAN
Configuration" in the S300, S500, S2700, S5700, and S6700 V200R020C10
Configuration Guide - Ethernet Switching. If a voice device supports only CDP but
does not support LLDP, configure CDP-compatible LLDP on the switch using the lldp
compliance cdp receive command.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run authentication device-type voice authorize [ user-group group-name ]
The voice terminals are enabled to go online without authentication.
By default, voice terminals are disabled from going online without authentication.
NOTE
When user-group group-name is not specified, voice terminals obtain the corresponding
network access rights after they pass authentication and go online. When user-group
group-name is specified, voice terminals obtain the network access rights specified by the
user group after they go online. To use a user group to define network access rights for voice
terminals, run the user-group group-name command to create a user group and configure
network authorization information for the users in the group. Note that the user group takes
effect only after it is enabled.
If you run this command repeatedly, the latest configuration overrides the previous ones.
----End
NOTE
● In normal cases, enabling MAC address migration is not recommended. It should be enabled
only when users have migration requirements during roaming. This prevents unauthorized
users from forging the MAC addresses of online users and sending ARP, 802.1X, or DHCP packets
on other authentication control interfaces to trigger the MAC address migration function and
force authorized users offline.
● Cascading migration through intermediate devices is not supported, because ARP and DHCP
packets are not sent after the cascading migration.
● MAC address migration is not supported for Layer 3 Portal authentication users.
● In the Layer 2 BNG scenario, the device does not support MAC address migration.
● A user is switched from an interface configured with NAC authentication to another
interface not configured with NAC authentication. In this case, the user can access the
network only after the original online entry is aged because the new interface cannot send
authentication packets to trigger MAC migration.
● In common mode, Portal authentication is triggered only after users who go online through
a VLANIF interface send ARP packets and go offline; otherwise, the users can go online again
only after the original user online entries age out. Portal authentication cannot be triggered
after users who go online through physical interfaces migrate. The users can go online again
only after the original user online entries age out.
● After a user who goes online from a VLANIF interface is quieted because of multiple MAC
address migrations, MAC address migration can be performed for the quieted user only after
the quiet period expires and the ARP entry is aged out.
● When an authorized VLAN is specified in the authentication mac-move enable vlan
command, you are advised to enable the function of detecting the user status before user
MAC address migration.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run authentication mac-move enable vlan { all | { vlan-id1 [ to vlan-id2 ] } &<1-10> }
The MAC address migration function is enabled.
By default, MAC address migration is disabled.
VLANs need to be specified for users in MAC address migration. The VLANs before
and after the migration can be specified for the users, and they can be the same
or different.
Step 3 (Optional) Configure the MAC address migration quiet function.
When users frequently switch access interfaces (especially frequent switching due
to loops), the device needs to process a large number of authentication packets
and entries, which results in high CPU usage. To solve this problem, configure the
MAC address migration quiet function. If the number of MAC address migration
times for a user within 60 seconds exceeds the upper limit after the MAC address
migration quiet function is enabled, the device quiets the user for a certain period.
During the quiet period, the device does not allow users to perform MAC address
migration.
In addition, the device can send logs and alarms about MAC address migration to
improve maintainability of the MAC address migration quiet function.
Step 4 (Optional) Enable a device to detect users' online status before user MAC address
migration.
To prevent unauthorized users from spoofing online users to attack a device, run
the authentication mac-move detect enable command to enable the device to
detect users' online status before user MAC address migration. If no users are
online, the device permits MAC address migration and allows users to go online
from a new access interface. If a user is online, the device terminates MAC address
migration and does not allow the user to go online from a new access interface.
By default, a device detects users' online status once. The detection interval is
3 seconds.
----End
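The following Python, added here as an illustration rather than device code, models the behaviour described in Steps 3 and 4: a per-MAC count of migrations within a 60-second window, a quiet period once the upper limit is exceeded, and the optional online-status check that terminates a migration while the user is still online. The limit of 3 moves, the quiet period of 120 seconds, the MAC address, the event times and the rule that a terminated migration is not counted are constructed assumptions.

```python
"""Model of the MAC address migration quiet function and the pre-migration
online-status check. Added illustration; not device code. Threshold, quiet
period and the replayed event sequence are constructed values."""
from collections import deque
from typing import Deque, Dict, List, Optional


class MacMoveGuard:
    WINDOW_SECONDS = 60          # migrations are counted within 60 seconds

    def __init__(self, max_moves: int, quiet_period: int,
                 detect_online: bool = False) -> None:
        self.max_moves = max_moves          # upper limit of moves per window
        self.quiet_period = quiet_period    # seconds a quieted user is blocked
        self.detect_online = detect_online  # authentication mac-move detect enable
        self._moves: Dict[str, Deque[float]] = {}
        self._quiet_until: Dict[str, float] = {}
        self.log: List[str] = []            # stands in for the device's logs/alarms

    def on_migration(self, mac: str, now: float,
                     is_online: Optional[bool] = None) -> str:
        """Decide whether one migration attempt (the MAC appearing on a new
        access interface) may proceed.
        Returns 'allowed', 'user-online', 'quieted' or 'quiet'."""
        until = self._quiet_until.get(mac)
        if until is not None:
            if now < until:
                return "quiet"               # still inside the quiet period
            del self._quiet_until[mac]       # quiet period has expired
            self._moves.pop(mac, None)
        # Step 4: with detection enabled, a user still online on the old
        # interface has the migration terminated instead of processed.
        # Assumption: a terminated attempt does not count toward quieting.
        if self.detect_online and is_online:
            self.log.append(f"{now:.0f}s {mac}: migration refused, user online")
            return "user-online"
        history = self._moves.setdefault(mac, deque())
        history.append(now)
        while history and now - history[0] >= self.WINDOW_SECONDS:
            history.popleft()                # drop moves older than the window
        if len(history) > self.max_moves:    # limit exceeded within 60 s
            self._quiet_until[mac] = now + self.quiet_period
            self._moves.pop(mac, None)
            self.log.append(f"{now:.0f}s {mac}: quieted for {self.quiet_period}s")
            return "quieted"
        return "allowed"


def run_scenario() -> List[str]:
    """Replay a constructed burst of moves for one MAC (a loop-like flap)."""
    guard = MacMoveGuard(max_moves=3, quiet_period=120)
    mac = "00e0-fc12-3456"
    return [guard.on_migration(mac, t) for t in (0, 10, 20, 30, 100, 150)]


if __name__ == "__main__":
    for t, decision in zip((0, 10, 20, 30, 100, 150), run_scenario()):
        print(f"t={t:3d}s  {decision}")
```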
Context
When a user fails in authentication or goes offline, the device records a system
log. The system log contains the MAC addresses of the access device and the access
user and the authentication time.
NOTE
Identical system logs are system logs that contain the same MAC addresses. For
example, after the device generates a system log for a user failing in authentication, the
device will not generate a new system log for this user within the suppression period if the
user fails in authentication again. The system logs for users going offline are generated in
the same way.
Procedure
Step 1 Run system-view
----End
NOTE
The bandwidth share mode is supported by the S5731-H, S5731S-H, S5731-S, S5731S-S,
S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Enter a domain view.
1. Run aaa
The AAA view is displayed.
2. Run domain domain-name
A domain is displayed.
Step 3 Run band-width share-mode
The bandwidth share mode is enabled.
By default, the bandwidth share mode is disabled.
● If this command is run in the system view, it takes effect for all new online
users who connect to the device. If this command is run in the AAA domain
view, it takes effect only for new online users in the domain.
● If the local or remote RADIUS server does not assign CAR settings to the users
who will go online and the online users, the share mode is invalid to the
users.
● If the bandwidth share mode is enabled and different users use the same
account for authentication, the users going online with no CAR settings
assigned will not be affected when CAR settings are assigned to the users
who go online later.
----End
packets received per second if the CPU or memory usage is high. This function
reduces loads on the device CPU.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run authentication speed-limit auto
The device is enabled to dynamically adjust the rate at which it processes packets
from NAC users.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run authentication port-vlan-modify user-online
The function of keeping users online when the port type or VLAN is changed is
enabled.
By default, the function of keeping users online when the port type or VLAN is
changed is disabled.
Step 3 Run display webmng configuration
The configuration of the WEBMNG module is displayed.
----End
Context
If a link is faulty, the interface is interrupted and users are directly logged out. To
solve this problem, you can configure the user logout delay function. When the
interface link is faulty, the users remain online within the delay. In this case, if the
link is restored, the users do not need to be re-authenticated. If the users are
disconnected after the delay and the link is restored, the users need to be re-authenticated.
NOTE
● This function takes effect only for wired users who go online on Layer 2 physical interfaces
that have been configured with NAC authentication.
● To make the function take effect, it is recommended that the configured interval be greater
than the time during which the interface is in Up state. If the link frequently flaps within a
short period, it is recommended that the interval be set to unlimited.
Procedure
Step 1 Run system-view
The default user logout delay is 10 seconds when an interface link is faulty.
If the delay is 0, users are logged out immediately when the interface link is faulty.
If the delay is unlimited, users are not logged out when the interface link is faulty.
----End
Context
You can run the commands to check the configured parameters after completing
the MAC address authentication configuration.
Procedure
● Run the display mac-authen [ interface { interface-type interface-number1
[ to interface-number2 ] } &<1-10> ] command to check the configuration of
MAC address authentication.
----End
Pre-configuration Tasks
Portal authentication only provides a user authentication solution. To implement
this solution, the AAA function must also be configured. Therefore, complete the
following tasks before you configure Portal authentication:
● Configure the authentication domain and AAA scheme on the AAA client.
● Configure the user name and password on the RADIUS or HWTACACS server
if RADIUS or HWTACACS authentication is used.
● Configure the user name and password manually on the network access
device if local authentication is used.
Context
During Portal authentication, you must configure parameters for the Portal server
(for example, the IP address for the Portal server) to ensure smooth
communication between the device and the Portal server.
Procedure
● Configuring parameters for the external Portal server (binding URL)
a. Run system-view
The system view is displayed.
b. Run web-auth-server server-name
A Portal server template is created and the Portal server template view is
displayed.
By default, no Portal server template is created.
c. Run server-ip { server-ip-address &<1-10> | ipv6 server-ipv6-address
&<1-3> }
An IP address is configured for the Portal server.
By default, no IP address is configured for the Portal server.
NOTE
The IP address for the Portal server is the IP address for the external Portal server.
d. Run url url-string
A URL is configured for the Portal server.
By default, a Portal server does not have a URL.
e. Run shared-key cipher key-string
The shared key that the device uses to exchange information with the
Portal server is configured.
By default, no shared key is configured.
● Setting parameters of the URL corresponding to an external Portal server
(binding URL template)
a. Configure the URL template.
i. Run the system-view command to enter the system view.
ii. Run the url-template name template-name command to create a
URL template and enter the URL template view.
By default, no URL template exists on the device.
iii. Run the url [ redirect-only ] url-string command to configure the
redirect URL corresponding to the Portal server.
By default, no redirect URL is configured for the Portal server.
iv. Run the url-parameter { redirect-url redirect-url-value | sysname
sysname-value | user-ipaddress user-ipaddress-value | user-mac
user-mac-value } * command to set the parameters carried in the
URL.
By default, a URL does not carry parameters.
v. Run the url-parameter mac-address format delimiter delimiter
{ normal | compact } command to set the MAC address format in
the URL.
By default, the MAC address format in a URL is XXXXXXXXXXXX.
Procedure
● Enable Portal authentication on the device.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
----End
Context
In Portal authentication network deployment, if the Portal server is an external
Portal server, you can configure parameters for information exchange between the
device and the Portal server to improve communication security.
Procedure
Step 1 Run system-view
NOTE
To ensure smooth communication, use the default setting so that the device uses both
versions.
The port number through which the device listens to Portal protocol packets is set.
By default, the device listens to the Portal protocol packets through port 2000.
The destination port number through which the device sends packets to the Portal
server is set.
By default, port 50100 is used as the destination port when the device sends
packets to the Portal server.
NOTE
Ensure that the port number configured on the device is the same as that used by the Portal
server.
The VPN instance used by the device to communicate with the Portal server is
configured.
Step 10 After disconnecting a Portal authentication user, the device sends a user logout
packet (NTF-LOGOUT) to instruct the Portal server to delete the user information.
If the network between the device and Portal server is not stable or packets are
lost, the Portal server may fail to receive the user logout packet from the device
after the Portal authentication user is disconnected. In this case, the user is
displayed as disconnected on the device but still as online on the Portal server. To
enable the Portal server to receive the user logout packet and ensure that the
online user information on the Portal server is correct, the administrator can
enable the user logout packet re-transmission function on the device and
configure the re-transmission times and interval.
The re-transmission times and interval for the Portal authentication user logout
packet are configured.
----End
Procedure
● Set access control parameters for Portal authentication users.
a. Run system-view
The system view is displayed.
b. Set the Portal authentication-free rule using the following command
syntax:
NOTE
The command takes effect for only Layer 3 Portal authentication. In Layer 2
Portal authentication, users on all subnets must be authenticated.
g. Run portal domain domain-name
A forcible Portal authentication domain name is set.
By default, no forcible Portal authentication domain name is set.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
The following source IP addresses used in offline detection packets are listed in descending
order of priority:
1. IP address and MAC address of the VLANIF interface corresponding to the VLAN that users
belong to and on the same network segment as users
2. Source IP address specified using the access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address command for offline detection packets in a specified VLAN
3. Source IP address calculated based on the IP address specified using the access-user arp-detect fallback ip-address { mask | mask-length } command
4. Default source IP address specified using the access-user arp-detect default ip-address ip-address command for offline detection packets.
----End
After the offline detection interval is set for Portal authentication users, if a user
does not respond within the interval, the device considers the user offline. The
device and Portal server then delete the user information and release the occupied
resources to ensure efficient resource use.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run portal timer offline-detect time-length
The period for detecting Portal authentication user logout is set.
By default, the interval for detecting Portal authentication user logout is 300s.
When the interval is set to 0, offline detection is not performed.
----End
Procedure
Step 1 Run system-view
----End
For Layer 3 Portal authentication, the device currently can synchronize user information
with the Huawei Agile Controller-Campus or iMaster NCE-Campus server. When the device
is connected to other Portal servers, user information may fail to be synchronized and users
cannot go offline in real time. In this case, you can run the cut access-user command or
use the NMS or RADIUS DM to log out users.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run web-auth-server server-name
The Portal server template view is displayed.
----End
NOTE
When the number of quiet entries reaches the maximum number, the device does not allow
new users who are not in the quiet table to access the network.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run portal quiet-period
The quiet timer is enabled.
By default, the quiet timer is enabled.
Step 3 Run portal quiet-times fail-times
The maximum number of authentication failures allowed within 60s before a Portal
authentication user enters the quiet state is set.
By default, a Portal authentication user enters the quiet state after ten
authentication failures within 60s.
Step 4 Run portal timer quiet-period quiet-period-value
The quiet period for Portal authentication is set.
By default, the quiet period for Portal authentication is 60s.
----End
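The quiet-table behaviour described in this procedure (failures counted within a 60s window, a quiet period once fail-times is reached, and the rule from the preceding note that a full quiet table refuses users not already in it), as an added Python model that is not Huawei code. The class and function names and the max_entries capacity are this example's own assumptions; the sample attempts are constructed.

```python
"""Added illustration (not Huawei code) of the Portal authentication quiet table.
Rules modelled from the text: failures are counted in a fixed 60 s window; reaching
fail-times puts the user in quiet state for quiet-period seconds; while the quiet
table is full, users not already in it are refused. max_entries is an assumed
capacity; the class and function names are this example's own."""
from collections import deque

FAILURE_WINDOW = 60  # seconds; the device counts failures within 60 s


class PortalQuietTable:
    def __init__(self, fail_times=10, quiet_period=60, max_entries=1024):
        self.fail_times = fail_times        # default 10 on the device
        self.quiet_period = quiet_period    # default 60 s on the device
        self.max_entries = max_entries      # assumed capacity of the quiet table
        self._failures = {}                 # user_ip -> deque of failure times
        self._quiet_until = {}              # user_ip -> time quiet state expires

    def _purge_expired(self, now):
        for ip in [ip for ip, t in self._quiet_until.items() if t <= now]:
            del self._quiet_until[ip]

    def deny_reason(self, user_ip, now):
        """None if an authentication attempt may proceed, else why it is refused."""
        self._purge_expired(now)
        if user_ip in self._quiet_until:
            return "quiet"
        if len(self._quiet_until) >= self.max_entries:
            return "table-full"  # users not already in the table are refused
        return None

    def record_failure(self, user_ip, now):
        """Count a failed attempt; return True if the user just entered quiet state."""
        window = self._failures.setdefault(user_ip, deque())
        window.append(now)
        while window and window[0] <= now - FAILURE_WINDOW:
            window.popleft()                # drop failures older than the window
        if len(window) >= self.fail_times:
            self._quiet_until[user_ip] = now + self.quiet_period
            window.clear()
            return True
        return False

    def record_success(self, user_ip):
        self._failures.pop(user_ip, None)


def simulate(attempts, **table_args):
    """attempts: list of (time_s, user_ip, credentials_ok) in time order.
    Returns (time_s, user_ip, outcome) per attempt."""
    table = PortalQuietTable(**table_args)
    outcomes = []
    for t, ip, ok in attempts:
        reason = table.deny_reason(ip, t)
        if reason:
            outcomes.append((t, ip, "refused:" + reason))
        elif ok:
            table.record_success(ip)
            outcomes.append((t, ip, "online"))
        elif table.record_failure(ip, t):
            outcomes.append((t, ip, "quieted"))
        else:
            outcomes.append((t, ip, "failed"))
    return outcomes


if __name__ == "__main__":
    # Constructed sample: three bad passwords in 2 s, a retry during the quiet
    # period, then a correct login after the quiet period has expired.
    sample = [(0, "192.168.1.10", False), (1, "192.168.1.10", False),
              (2, "192.168.1.10", False), (10, "192.168.1.10", True),
              (70, "192.168.1.10", True)]
    for line in simulate(sample, fail_times=3, quiet_period=60):
        print(line)
```

Setting quiet_period to 0 in this model never quiets anyone for longer than the current instant, which mirrors the page's statement that a quiet period of 0 disables the timer; on the real device the quiet table entries are what the display portal quiet-user command shows.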
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run static-user start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ] [ domain-name domain-name | interface interface-type interface-number [ detect ] | mac-address mac-address | vlan vlan-id | keep-online ] *
The static user is configured.
By default, no static user is configured.
NOTE
Only Layer 2 Ethernet interfaces and Layer 2 Eth-Trunk interfaces can be configured as static
user interfaces. If an interface is added to an Eth-Trunk or switched to a Layer 3 interface, the
static user function does not take effect.
When the interface (interface interface-type interface-number) to which static users are
mapped is specified, the VLAN (vlan vlan-id) that the interface belongs to must also be configured.
----End
Procedure
Step 1 Run system-view
Step 2 Configure network access rights for users in the system view, Layer 2 physical
interface view or VLANIF interface view.
View Step
Step 3 (Optional) Set the timeout period of the network access rights granted to users in
different authentication stages. The configuration can be performed in the system
view or interface view.
View Step
Step 4 (Optional) Configure the device to return an authentication failure packet when a
user fails in authentication or the authentication server does not respond. The
configuration can be performed in the system view or interface view.
View Step
----End
NOTE
The terminal type awareness function takes effect only when the authentication or
accounting mode in the AAA scheme is RADIUS.
The terminal type awareness function only gives the access device a way to learn user
terminal types; it does not itself assign network access policies to the terminals. The
administrator configures the network access policies for terminals of different types on
the RADIUS server.
Procedure
● In the DHCP option field mode
a. Run the system-view command to enter the system view.
b. Run the device-sensor dhcp option option-code &<1-6> command to
enable the terminal type awareness function based on the DHCP option
field.
By default, the terminal type awareness function based on the DHCP
option field is disabled.
Procedure
Step 1 Configure the URL template.
1. Run the system-view command to enter the system view.
2. Run the url-template name template-name command to create a URL
template and enter the URL template view.
By default, no URL template exists on the device.
3. Run the url [ push-only ] url-string command to configure the redirect URL
corresponding to the Portal server.
4. Run the url-parameter { redirect-url redirect-url-value | sysname sysname-value | user-ipaddress user-ipaddress-value | user-mac user-mac-value | login-url url-key url } * command to set the parameters carried in the URL.
NOTE
If web pages are pushed in URL mode, this step can be skipped.
----End
NOTE
When the user group function is enabled on models except the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI, ACL rules are delivered to each user and the user group function cannot be used to save ACL resources.
The priority of the user group authorization information delivered by the authentication
server is higher than that of the user group authorization information applied in the AAA
domain. If the user group authorization information delivered by the authentication server
cannot take effect, the user group authorization information applied in the AAA domain is
used. For example, if only user group B is configured on the device and the group
authorization information is applied in the AAA domain when the authentication server
delivers authorization information about user group A, the authorization information about
user group A cannot take effect and the authorization information about user group B is
used. To make the user group authorization information delivered by the authentication
server take effect, ensure that this user group is configured on the device.
If the authentication server authorizes multiple attributes to the device and the authorized
attributes overlap the existing configurations on the device, the attributes take effect based
on the minimum rule. For example, if the authentication server authorizes a VLAN and user
group to the device and the VLAN parameters are configured in the user group on the
device, the VLAN authorized by the authentication server takes effect.
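How the two precedence rules in the note above combine, as an added Python illustration that is not Huawei code: a server-delivered user group is used only if that group exists on the device, otherwise the group applied in the AAA domain is used; for the overlapping VLAN case the page gives, the VLAN authorized directly by the server wins over the VLAN inside the effective user group. The function names and the group dictionaries are this example's own; the sample groups are constructed.

```python
"""Added illustration (not Huawei code) of user group authorization precedence.
Models the note's two rules: server group only if configured on the device, else
the AAA domain's group; a server-authorized VLAN overrides the group's VLAN."""


def resolve_user_group(server_group, domain_group, configured_groups):
    """Return the user group that takes effect, or None if neither can."""
    if server_group is not None and server_group in configured_groups:
        return server_group            # server authorization has priority
    if domain_group is not None and domain_group in configured_groups:
        return domain_group            # fall back to the AAA domain's group
    return None


def resolve_vlan(server_vlan, group_vlan):
    """Overlapping attribute: the VLAN authorized by the server takes effect."""
    return server_vlan if server_vlan is not None else group_vlan


def effective_authorization(radius_attrs, domain_group, configured_groups):
    """radius_attrs: attributes the server delivered, e.g. {"user_group": "A", "vlan": 30}.
    domain_group: user group applied in the AAA domain, or None.
    configured_groups: user groups that exist on the device, name -> settings."""
    group = resolve_user_group(radius_attrs.get("user_group"),
                               domain_group, configured_groups)
    settings = configured_groups.get(group, {})
    return {
        "user_group": group,
        "vlan": resolve_vlan(radius_attrs.get("vlan"), settings.get("vlan")),
        "acl": settings.get("acl"),   # ACL comes from whichever group is effective
    }


if __name__ == "__main__":
    # Constructed sample matching the text: only group B exists on the device and
    # is applied in the domain; the server delivers group A plus VLAN 30.
    groups = {"B": {"vlan": 20, "acl": 3001}}
    print(effective_authorization({"user_group": "A", "vlan": 30}, "B", groups))
```

The practical check this encodes: before relying on a server-delivered group, confirm with display user-group that the group name exists on the device, otherwise the domain group silently applies.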
Procedure
Step 1 Run system-view
NOTE
Before running this command, ensure that the ACL has been created using the acl or acl
name command and ACL rules have been configured using the rule command.
NOTE
Only the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
S6730S-S, S6720-EI, and S6720S-EI support this command.
Step 5 Run car { outbound | inbound } cir cir-value [ pir pir-value | cbs cbs-value | pbs pbs-value ] *
The rate of traffic from users in the user group is limited.
By default, the rate of traffic from users in the user group is not limited.
NOTE
Only the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
S6730S-S, S6720-EI, and S6720S-EI support this command, and the user group CAR can
only be applied in the interface outbound direction (outbound) on the S6720-EI and
S6720S-EI.
The user group configuration takes effect only after the user group function is
enabled.
----End
Context
When both data terminals (such as PCs) and voice terminals (such as IP phones)
are connected to switches, NAC is configured on the switches to manage and
control the data terminals. The voice terminals, however, only need to connect to
the network without being managed and controlled. In this case, you can
configure the voice terminals to go online without authentication on the switches.
Then the voice terminals identified by the switches can go online without
authentication.
Pre-configuration Tasks
To enable the switches to identify the voice terminals, enable LLDP or configure an
OUI for the voice VLAN on the switches. For details, see "Configuring Basic LLDP
Functions" in "LLDP Configuration" in the S300, S500, S2700, S5700, and S6700
V200R020C10 Configuration Guide - Network Management and Monitoring or
"Configuring a Voice VLAN Based on a MAC Address" in "Voice VLAN
Configuration" in the S300, S500, S2700, S5700, and S6700 V200R020C10
Configuration Guide - Ethernet Switching. If a voice device supports only CDP and
not LLDP, configure CDP-compatible LLDP on the switch using the lldp
compliance cdp receive command.
Procedure
Step 1 Run system-view
By default, voice terminals are disabled from going online without authentication.
NOTE
When user-group group-name is not specified, voice terminals obtain the corresponding
network access rights after they pass authentication and go online. When user-group
group-name is specified, voice terminals obtain the network access rights defined by that
user group after they go online. To use a user group to define network access rights for voice
terminals, run the user-group group-name command to create the user group and configure
network authorization information for the users in the group. Note that the user group takes
effect only after it is enabled.
If you run this command repeatedly, the latest configuration overrides the previous ones.
----End
Context
To improve web application security, data from untrustworthy sources must be
encoded before being sent to clients. URL encoding is most commonly used in web
applications. After URL encoding and decoding are enabled, some special
characters in redirect URLs are converted to secure formats, preventing clients
from mistaking them for syntax signs or instructions and unexpectedly modifying
the original syntax. In this way, cross-site scripting attacks and injection attacks
are prevented.
Procedure
Step 1 Run system-view
----End
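The URL template parameters from the earlier URL-template procedure (redirect-url, sysname, user-ipaddress, user-mac) and the URL encoding this context describes, shown together as an added Python example that is not Huawei code. It appends the parameters to the Portal URL used in this chapter's Portal configuration example and contrasts the unencoded query with the percent-encoded one, as seen by the Portal server after decoding. build_redirect_url and parse_redirect_params are this example's own names; the intranet page address is constructed.

```python
"""Added illustration (not Huawei code) of why redirect URL parameters are
URL-encoded. Without encoding, delimiter characters inside a parameter value
(&, ?, =, #) are read by the receiving side as query syntax."""
from urllib.parse import urlencode, urlsplit, parse_qs

# Portal URL from this chapter's Portal configuration example
PORTAL_URL = "http://192.168.2.20:8080/webagent"


def build_redirect_url(portal_url, params, encode=True):
    """Append the URL-template parameters to the Portal URL.
    encode=False reproduces the unsafe, unencoded behaviour for comparison."""
    if encode:
        query = urlencode(params)       # percent-encodes every key and value
    else:
        query = "&".join(f"{k}={v}" for k, v in params.items())
    separator = "&" if urlsplit(portal_url).query else "?"
    return portal_url + separator + query


def parse_redirect_params(url):
    """What the Portal server sees after splitting and decoding the query string."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    # Constructed parameter values; the original page address deliberately
    # contains the delimiters ?, &, = and #.
    params = {
        "redirect-url": "http://intranet.example/page.html?a=1&b=2#top",
        "sysname": "Switch",
        "user-ipaddress": "192.168.1.10",
        "user-mac": "00e0-fc12-3456",
    }
    for encode in (False, True):
        url = build_redirect_url(PORTAL_URL, params, encode=encode)
        print("encoded" if encode else "unencoded", url)
        print("  server sees:", parse_redirect_params(url))
```

In the unencoded case the Portal server receives a truncated redirect-url plus a spurious parameter b, and everything after the # is lost as a fragment, so the user cannot be returned to the original page; with encoding all four parameters round-trip intact.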
NOTE
● Normally, enabling MAC address migration is not recommended. It should be enabled
only when users need to migrate while roaming. This prevents unauthorized users from
forging the MAC addresses of online users and sending ARP, 802.1X, or DHCP packets on
other authentication control interfaces to trigger MAC address migration and force
authorized users offline.
● Cascading migration through intermediate devices is not supported, because ARP and DHCP
packets are not sent after the cascading migration.
● MAC address migration is not supported for Layer 3 Portal authentication users.
● In the Layer 2 BNG scenario, the device does not support MAC address migration.
● A user is switched from an interface configured with NAC authentication to another
interface not configured with NAC authentication. In this case, the user can access the
network only after the original online entry is aged because the new interface cannot send
authentication packets to trigger MAC migration.
● In common mode, Portal authentication is triggered only after users who go online through
a VLANIF interface send ARP packets and go offline; otherwise, the users can go online again
only after the original user online entries age out. Portal authentication cannot be triggered
after users who go online through physical interfaces migrate. The users can go online again
only after the original user online entries age out.
● After a user who goes online from a VLANIF interface is quieted because of multiple MAC
address migrations, MAC address migration can be performed for the quieted user only after
the quiet period expires and the ARP entry is aged out.
● When an authorized VLAN is specified in the authentication mac-move enable vlan
command, you are advised to enable the function of detecting the user status before user
MAC address migration.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run authentication mac-move enable vlan { all | { vlan-id1 [ to vlan-id2 ] } &<1–10> }
The MAC address migration function is enabled.
By default, MAC address migration is disabled.
VLANs need to be specified for users in MAC address migration. The VLANs before
and after the migration can be specified for the users, and they can be the same
or different.
Step 3 (Optional) Configure the MAC address migration quiet function.
When users frequently switch access interfaces (especially frequent switching due
to loops), the device needs to process a large number of authentication packets
and entries, which results in high CPU usage. To solve this problem, configure the
MAC address migration quiet function. If the number of MAC address migration
times for a user within 60 seconds exceeds the upper limit after the MAC address
migration quiet function is enabled, the device quiets the user for a certain period.
During the quiet period, the device does not allow users to perform MAC address
migration.
In addition, the device can send logs and alarms about MAC address migration to
improve maintainability of the MAC address migration quiet function.
Step 4 (Optional) Enable a device to detect users' online status before user MAC address
migration.
To prevent unauthorized users from spoofing online users to attack a device, run
the authentication mac-move detect enable command to enable the device to
detect users' online status before user MAC address migration. If no users are
online, the device permits MAC address migration and allows users to go online
from a new access interface. If a user is online, the device terminates MAC address
migration and does not allow the user to go online from a new access interface.
By default, a device detects users' online status once. The detection interval is
3 seconds.
----End
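The pre-migration online check from Step 4, as an added Python model that is not Huawei code: an online table maps a MAC address to its interface and VLAN, a packet from the same MAC arriving on another interface is treated as a migration request, and the device probes the old interface before allowing the move. The probe callable stands in for the detection packet exchange and is this example's assumption, as are the class name and the rule that both the old and the new VLAN must be covered by the authentication mac-move enable vlan command; the sample MACs and interface names are constructed.

```python
"""Added illustration (not Huawei code) of MAC address migration with the
"detect users' online status before migration" check. probe(mac, old_iface)
is a caller-supplied function (assumption) that returns True if the user still
answers on the old interface. detect_times and detect_interval default to the
page's values (once, 3 seconds); sleep is injectable so the check can be simulated."""
import time


class MacMoveController:
    def __init__(self, enabled_vlans, detect_enabled=True,
                 detect_times=1, detect_interval=3.0, sleep=time.sleep):
        self.enabled_vlans = enabled_vlans    # set of VLAN ids, or "all"
        self.detect_enabled = detect_enabled  # authentication mac-move detect enable
        self.detect_times = detect_times
        self.detect_interval = detect_interval
        self._sleep = sleep
        self.online = {}                      # mac -> (interface, vlan)

    def _vlan_allowed(self, vlan):
        return self.enabled_vlans == "all" or vlan in self.enabled_vlans

    def login(self, mac, iface, vlan):
        """Record a user that has passed authentication on iface."""
        self.online[mac] = (iface, vlan)

    def request_migration(self, mac, new_iface, new_vlan, probe):
        """Handle an ARP/802.1X/DHCP packet from mac seen on new_iface.
        Returns an outcome string describing what the device would do."""
        if mac not in self.online:
            return "no-online-entry"          # an ordinary new login, not a move
        old_iface, old_vlan = self.online[mac]
        if old_iface == new_iface:
            return "same-interface"
        # Assumption: both the old and the new VLAN must be enabled for mac-move;
        # otherwise the user must wait for the original entry to age out.
        if not (self._vlan_allowed(old_vlan) and self._vlan_allowed(new_vlan)):
            return "denied:migration-not-enabled"
        if self.detect_enabled:
            for attempt in range(self.detect_times):
                if probe(mac, old_iface):
                    # The original user still answers: a second station claiming
                    # the same MAC must not be allowed to take over the session.
                    return "denied:user-still-online"
                if attempt + 1 < self.detect_times:
                    self._sleep(self.detect_interval)
        self.online[mac] = (new_iface, new_vlan)
        return "migrated"


if __name__ == "__main__":
    ctl = MacMoveController({10, 20}, sleep=lambda s: None)
    ctl.login("00e0-fc00-0001", "GE0/0/1", 10)        # constructed MAC/interface
    # Original station still online on GE0/0/1 -> move refused
    print(ctl.request_migration("00e0-fc00-0001", "GE0/0/2", 10, lambda m, i: True))
    # Original station silent -> move permitted
    print(ctl.request_migration("00e0-fc00-0001", "GE0/0/2", 10, lambda m, i: False))
    print(ctl.online)
```

With detect_enabled=False the controller accepts any migration request for an enabled VLAN, which is exactly the window the note about forged MAC addresses warns about; the detection step closes it at the cost of one probe round per migration.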
Context
When a user fails in authentication or goes offline, the device records a system
log. The system log contains the MAC addresses of the access device and the access
user, and the authentication time.
NOTE
"The same system logs" means system logs containing the same MAC addresses. For
example, after the device generates a system log for a user failing in authentication, the
device does not generate a new system log for this user within the suppression period if the
user fails in authentication again. System logs for users going offline are suppressed in the
same way.
Procedure
Step 1 Run system-view
----End
NOTE
The bandwidth share mode is supported by the S5731-H, S5731S-H, S5731-S, S5731S-S,
S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Enter a domain view.
1. Run aaa
The AAA view is displayed.
2. Run domain domain-name
A domain is displayed.
Step 3 Run band-width share-mode
The bandwidth share mode is enabled.
By default, the bandwidth share mode is disabled.
● If this command is run in the system view, it takes effect for all new online
users who connect to the device. If this command is run in the AAA domain
view, it takes effect only for new online users in that domain.
● If the local or remote RADIUS server does not assign CAR settings to users
who will go online or to online users, the share mode has no effect on those
users.
● If the bandwidth share mode is enabled and different users use the same
account for authentication, users already online with no CAR settings
assigned are not affected when CAR settings are assigned to users who go
online later.
----End
packets received per second if the CPU or memory usage is high. This function
reduces loads on the device CPU.
Procedure
Step 1 Run system-view
The device is enabled to dynamically adjust the rate at which it processes packets
from NAC users.
----End
Context
If a link is faulty, the interface is interrupted and users are directly logged out. To
solve this problem, you can configure the user logout delay function. When the
interface link is faulty, the users remain online within the delay. In this case, if the
link is restored, the users do not need to be re-authenticated. If the users are
disconnected after the delay and the link is restored, the users need to be re-authenticated.
NOTE
● This function takes effect only for wired users who go online on Layer 2 physical interfaces
that have been configured with NAC authentication.
● To make the function take effect, it is recommended that the configured interval be greater
than the time during which the interface is in Up state. If the link frequently flaps within a
short period, it is recommended that the interval be set to unlimited.
Procedure
Step 1 Run system-view
The default user logout delay is 10 seconds when an interface link is faulty.
If the delay is 0, users are logged out immediately when the interface link is faulty.
If the delay is unlimited, users are not logged out when the interface link is faulty.
----End
Procedure
● When a Portal server is used, run the following commands to check the
configuration.
– Run the display portal [ interface vlanif interface-number ] command to check the Portal authentication configuration on the VLANIF interface.
– Run the display web-auth-server configuration command to check the configuration of the Portal authentication server.
– Run the display server-detect state [ web-auth-server server-name ] command to check the status of a Portal server.
– Run the display user-group [ group-name ] command to check the user group configuration.
– Run the display access-user user-group group-name command to check summary information about online users in a user group.
– Run the display static-user [ domain-name domain-name | interface interface-type interface-number | ip-address start-ip-address [ end-ip-address ] | vpn-instance vpn-instance-name ] * command to check the static user information.
– Run the display portal quiet-user { all | server-ip ip-address | user-ip ip-address } command to check information about Portal authentication users in quiet state.
– Run the display portal user-logout [ ip-address ip-address [ vpn-instance vpn-instance-name ] ] command to check the temporary logout entries of Portal authentication users.
– Run the display aaa statistics access-type-authenreq command to display the number of authentication requests.
● Run the display portal free-rule [ rule-id ] command to check authentication-free rules for Portal authentication users.
● Run the display url-template { all | name template-name } command to check the configuration of the URL profile.
● Run the display port connection-type access all command to check all current downlink interfaces on the device.
----End
Procedure
● Configure MAC address authentication according to Configuring MAC
Address Authentication.
● Configure Portal authentication according to Configuring Portal
Authentication
----End
NOTICE
Statistics cannot be restored after being cleared. Exercise caution when you run
the following command.
Procedure
● Run the reset dot1x statistics [ interface { interface-type interface-number1
[ to interface-number2 ] } &<1-10> ] command in the user view to clear the
statistics for 802.1X authentication.
----End
Context
NOTICE
Statistics cannot be restored after being cleared. Exercise caution when you run
the following command.
Procedure
● Run the reset mac-authen statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command in the user view to clear the statistics for MAC address authentication.
----End
Context
NOTE
This function applies only to S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H,
S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI.
The cleared statistics cannot be restored. Exercise caution when clearing the statistics.
Procedure
● Run the reset access-user traffic-statistics { user-id begin-id [ end-id ] | mac-address mac-address | ip-address ip-address [ vpn-instance vpn-instance ] } command in the user view to clear statistics on traffic of users in a user group.
----End
Context
After a user goes online, if you want to modify the user's network access rights or
find that the user is unauthorized, run the following command to log out the user.
Procedure
● Run the cut access-user command in the AAA view to log out users.
----End
Context
When the number of successfully authenticated NAC users reaches a specified
percentage, the device generates an alarm. You can set the lower and upper alarm
thresholds for the percentage of successfully authenticated NAC users.
Procedure
Step 1 Run system-view
----End
Networking Requirements
On a company network shown in Figure 3-15, many internal users access the
network through GE0/0/1 of the Switch that functions as an access device. After
the network operates for a period of time, attacks are detected. The administrator
must control network access rights of user terminals to ensure network security.
The Switch allows user terminals to access Internet resources only after they are
authenticated.
Configuration Roadmap
To control the network access rights of users, the administrator can configure
802.1X authentication on the Switch when the server with the IP address
192.168.2.30 is used as the RADIUS server.
The configuration roadmap is as follows (configuration on the Switch):
1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain. The Switch can then exchange information with
the RADIUS server.
2. Configure 802.1X authentication.
a. Enable 802.1X authentication globally and on an interface.
b. Enable MAC address bypass authentication to authenticate terminals
(such as printers) that cannot install 802.1X authentication client
software.
NOTE
Before performing configuration in this example, ensure that devices can communicate with
each other on the network.
In this example, a LAN switch is deployed between the Switch and users. To ensure that
users can pass 802.1X authentication, you must configure the function of transparently
transmitting EAP packets on the LAN switch. Method 1: This method uses the S5720-LI as
an example. The procedure is as follows:
1. On the LAN switch, run the l2protocol-tunnel user-defined-protocol 802.1X protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 command in the system view to configure it to transparently transmit EAP packets.
2. On the LAN switch, run the l2protocol-tunnel user-defined-protocol 802.1X enable command on the downlink interface connected to users and the uplink interface connected to the Switch to enable the Layer 2 protocol tunneling function.
Method 2: This method is recommended when a large number of users exist or high
network performance is required. This method is applicable only on the S5731-H, S5731S-H,
S5731-S, S5731S-S, S6730S-H, S5732-H, S6730-H, S6730-S, S6730S-S, S6720-EI, and
S6720S-EI.
1. Run the following commands in the system view:
● undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
● bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
● bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
● bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
● bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
2. (This step is mandatory when you switch from method 1 to method 2.) Run the undo
l2protocol-tunnel user-defined-protocol 802.1X enable command in the interface
view to delete the configuration of transparent transmission of 802.1X protocol packets.
Procedure
Step 1 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Example@2012
[Switch-radius-rd1] quit
# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create authentication domain isp1, and bind AAA scheme abc and RADIUS
server template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit
# Configure the default domain isp1 in the system view. When a user enters the
user name in the format of user@isp1, the user is authenticated in the
authentication domain isp1. If the user name does not carry the domain name or
carries a nonexistent domain name, the user is authenticated in the default
domain.
[Switch] domain isp1
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
undo authentication unified-mode
#
domain isp1
#
dot1x enable
#
radius-server template rd1
radius-server shared-key cipher %^%#t67cDelRvAQg;*"4@P/3~q_31Sn{ST\V8'Ci633)%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet0/0/1
dot1x mac-bypass
#
return
Networking Requirements
On a company network shown in Figure 3-16, many printers are connected to the
network through GE0/0/1 of the Switch that functions as an access device. After
the network operates for a period of time, the administrator controls the network
access rights of the printers to improve network security. The Switch allows
printers to access network resources only after they are authenticated.
Configuration Roadmap
Printers cannot install and use the 802.1X client. The administrator can configure
MAC address authentication on the Switch to control the network access rights of
the printers.
NOTE
Before performing configuration in this example, ensure that devices can communicate with
each other on the network.
Procedure
Step 1 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create authentication domain isp1, and bind AAA scheme abc and RADIUS
server template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit
# Configure the default domain isp1 in the system view. When a user enters the
user name in the format of user@isp1, the user is authenticated in the
authentication domain isp1. If the user name does not carry the domain name or
carries a nonexistent domain name, the user is authenticated in the default
domain.
[Switch] domain isp1
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
undo authentication unified-mode
#
domain isp1
#
mac-authen
#
radius-server template rd1
radius-server shared-key cipher %^%#t67cDelRvAQg;*"4@P/3~q_31Sn{ST\V8'Ci633)%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet0/0/1
mac-authen
#
return
Configuration Roadmap
To control the network access rights of users, the administrator can configure
Portal authentication on the Switch when the server with the IP address
192.168.2.30 is used as the RADIUS server, and configure the IP address
192.168.2.20 as the IP address of the Portal server.
The configuration roadmap is as follows (configuration on the Switch):
1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain. The Switch can then exchange information with
the RADIUS server.
2. Configure Portal authentication.
a. Create and configure a Portal server template to ensure normal
information exchange between the device and the Portal server.
b. Enable Portal authentication to authenticate access users.
c. Configure a shared key that the device uses to exchange information with
the Portal server to improve communication security.
NOTE
Before performing configuration in this example, ensure that devices can communicate with
each other on the network.
Procedure
Step 1 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Example@2012
[Switch-radius-rd1] quit
# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create authentication domain isp1, and bind AAA scheme abc and RADIUS
server template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit
# Configure the default domain isp1 in the system view. When a user enters the
user name in the format of user@isp1, the user is authenticated in the
authentication domain isp1. If the user name does not carry the domain name or
carries a nonexistent domain name, the user is authenticated in the default
domain.
[Switch] domain isp1
Step 2 Create VLANs and configure the VLANs allowed by interfaces to ensure network
communication.
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.1 24
[Switch-Vlanif10] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 20
[Switch-GigabitEthernet0/0/2] quit
NOTE
Ensure that the port number configured on the device is the same as that used by the Portal
server.
# Set the shared key used by the device to exchange information with the Portal
server to Example@123, and display the key in ciphertext.
[Switch] web-auth-server abc
[Switch-web-auth-server-abc] shared-key cipher Example@123
[Switch-web-auth-server-abc] quit
NOTE
In this example, users use static IP addresses. If users obtain IP addresses using DHCP and the
DHCP server is on the upstream network of the Switch, run the portal free-rule command to
create authentication-free rules and ensure that the DHCP server is included in the
authentication-free rules.
4. After the user goes online, you can run the display access-user command on
the device to check the online Portal authentication user information.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
undo authentication unified-mode
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %^%#t67cDelRvAQg;*"4@P/3~q_31Sn{ST\V8'Ci633)%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.20
port 50200
shared-key cipher %^%#t:hJ@gD7<+G&,"Y}Y[VP4\foQ&og/Gg(,J4#\!gD%^%#
url http://192.168.2.20:8080/webagent
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
web-auth-server abc direct
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
return
Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain. The Switch can then exchange information with
the RADIUS server.
2. Configure MAC address authentication on a VLANIF interface.
3. Configure Portal authentication.
NOTE
Before performing configuration in this example, ensure that devices can communicate with
each other on the network.
Procedure
Step 1 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Example@2012
[Switch-radius-rd1] quit
# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create authentication domain isp1, and bind AAA scheme abc and RADIUS
server template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit
# Configure the default domain isp1 in the system view. When a user enters the
user name in the format of user@isp1, the user is authenticated in the
authentication domain isp1. If the user name does not carry the domain name or
carries a nonexistent domain name, the user is authenticated in the default
domain.
[Switch] domain isp1
Step 2 Create VLANs and configure the VLANs allowed by interfaces to ensure network
communication.
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.1 24
[Switch-Vlanif10] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 20
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 24
[Switch-Vlanif20] quit
# Enable MAC address authentication in the system and VLANIF interface views
<Switch> system-view
[Switch] mac-authen
[Switch] interface vlanif 10
[Switch-Vlanif10] mac-authen
[Switch-Vlanif10] quit
NOTE
Ensure that the port number configured on the device is the same as that used by the Portal
server.
# Set the shared key used by the device to exchange information with the Portal
server to Example@123, and display the key in ciphertext.
[Switch] web-auth-server abc
[Switch-web-auth-server-abc] shared-key cipher Example@123
[Switch-web-auth-server-abc] quit
# Set the offline detection interval for Portal authentication users to 500s.
[Switch] portal timer offline-detect 500
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
undo authentication unified-mode
#
domain isp1
#
mac-authen
#
radius-server template rd1
radius-server shared-key cipher %^%#t67cDelRvAQg;*"4@P/3~q_31Sn{ST\V8'Ci633)%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.20
port 50200
shared-key cipher %^%#t:hJ@gD7<+G&,"Y}Y[VP4\foQ&og/Gg(,J4#\!gD%^%#
url http://192.168.2.30:8080/webagent
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
web-auth-server abc direct
mac-authen
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
portal max-user 100
portal timer offline-detect 500
#
return
Networking Requirements
On a company network shown in Figure 3-19, many internal users access the
network through GE0/0/1 of the Switch that functions as an access device. To
effectively manage access users, the company requires that only authenticated
users can access the network. In addition, users from different departments have
limited network access rights:
● Users in the marketing department can only access network segment
172.16.104.0/24.
● Users in the administration department can only access network segment
172.16.105.0/24.
● Users in the R&D department can only access network segment
172.16.106.0/24.
Configuration Roadmap
The configuration roadmap is as follows:
NOTE
Before performing configuration in this example, ensure that devices can communicate with
each other on the network.
Procedure
Step 1 Create VLANs and configure the VLANs allowed by interfaces to ensure network
communication.
# Create VLAN 10, VLAN 20, VLAN 30, and VLAN 40.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 40
Step 2 Create and configure a RADIUS server template, an AAA scheme, and
authentication domains.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Example@2012
[Switch-radius-rd1] quit
# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create authentication domains abc11, abc22, and abc33, and bind the AAA
scheme abc and RADIUS server template rd1 to the authentication domains.
[Switch-aaa] domain abc11
[Switch-aaa-domain-abc11] authentication-scheme abc
[Switch-aaa-domain-abc11] radius-server rd1
[Switch-aaa-domain-abc11] quit
[Switch-aaa] domain abc22
[Switch-aaa-domain-abc22] authentication-scheme abc
[Switch-aaa-domain-abc22] radius-server rd1
[Switch-aaa-domain-abc22] quit
[Switch-aaa] domain abc33
[Switch-aaa-domain-abc33] authentication-scheme abc
[Switch-aaa-domain-abc33] radius-server rd1
[Switch-aaa-domain-abc33] quit
[Switch-aaa] quit
# Create ACLs.
<Switch> system-view
[Switch] acl 3001
[Switch-acl-adv-3001] rule permit ip source 10.164.1.0 0.0.0.255 destination 172.16.104.0 0.0.0.255
[Switch-acl-adv-3001] rule deny ip source 10.164.1.0 0.0.0.255 destination any
[Switch-acl-adv-3001] quit
[Switch] acl 3002
[Switch-acl-adv-3002] rule permit ip source 10.164.2.0 0.0.0.255 destination 172.16.105.0 0.0.0.255
[Switch-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination any
[Switch-acl-adv-3002] quit
[Switch] acl 3003
[Switch-acl-adv-3003] rule permit ip source 10.164.3.0 0.0.0.255 destination 172.16.106.0 0.0.0.255
[Switch-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination any
[Switch-acl-adv-3003] quit
# Create user groups and bind them to ACLs. Allocate users in the marketing
department to the user group abc1, users in the administration department to the
user group abc2, and users in the R&D department to the user group abc3.
[Switch] user-group abc1
[Switch-user-group-abc1] acl-id 3001
[Switch-user-group-abc1] quit
[Switch] user-group abc2
[Switch-user-group-abc2] acl-id 3002
[Switch-user-group-abc2] quit
[Switch] user-group abc3
[Switch-user-group-abc3] acl-id 3003
[Switch-user-group-abc3] quit
1. Run the display user-group, display domain name, and display dot1x
commands to check the configured user groups, authentication domains, and
802.1X authentication information.
2. When user A (user name userA@abc22) in the administration department
accesses the network, the Switch authenticates the user in the domain abc22
upon receipt of the authentication request. The authentication domain abc22
is bound to the user group abc2, so user A is granted the network access
rights of the user group abc2. After accessing the network, user A can only
access network segment 172.16.105.0/24. Users in the R&D department can
only access 172.16.106.0/24, and users in the marketing department can only
access 172.16.104.0/24.
----End
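The following script is an added example, not part of the Huawei guide: it models how the Switch in this example maps a login name to an authentication domain (the user-name rules given later on this page), from the domain to the bound user group and ACL, and then evaluates the page's ACL rules (wildcard masks, first match) against constructed sample flows. The domain and user-group bindings and the ACL rules are taken from the configuration file above; the global default domain being "default" and the "no-match"/"no-group" results are modelling assumptions.

```python
import ipaddress

DEFAULT_DOMAIN = "default"  # assumption: the global default domain is left at "default"
# domain -> user group and user group -> ACL bindings from the example configuration file
DOMAIN_TO_GROUP = {"abc11": "abc1", "abc22": "abc2", "abc33": "abc3"}
GROUP_TO_ACL = {"abc1": 3001, "abc2": 3002, "abc3": 3003}
# ACL rules as in the configuration file: (action, src, src-wildcard, dst, dst-wildcard);
# a rule written without a destination matches any destination
ACL_RULES = {
    3001: [("permit", "10.164.1.0", "0.0.0.255", "172.16.104.0", "0.0.0.255"),
           ("deny", "10.164.1.0", "0.0.0.255", None, None)],
    3002: [("permit", "10.164.2.0", "0.0.0.255", "172.16.105.0", "0.0.0.255"),
           ("deny", "10.164.2.0", "0.0.0.255", None, None)],
    3003: [("permit", "10.164.3.0", "0.0.0.255", "172.16.106.0", "0.0.0.255"),
           ("deny", "10.164.3.0", "0.0.0.255", None, None)],
}


def resolve_domain(user_name, known_domains, default=DEFAULT_DOMAIN):
    """Guide rule: user@domain selects that domain if it exists; a missing or
    nonexistent domain name falls back to the default domain."""
    if "@" in user_name:
        domain = user_name.rsplit("@", 1)[1]
        if domain in known_domains:
            return domain
    return default


def _wildcard_match(addr, network, wildcard):
    """Wildcard-mask compare: a 0 bit in the mask must match, a 1 bit is ignored."""
    if network is None:  # address field absent in the rule: matches anything
        return True
    care = ~int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def acl_action(acl_id, src, dst):
    """First matching rule wins, in the order of rule numbers 5 and 10 in the file.
    Returns "no-match" when no rule applies rather than assuming a default action."""
    for action, s_net, s_wc, d_net, d_wc in ACL_RULES[acl_id]:
        if _wildcard_match(src, s_net, s_wc) and _wildcard_match(dst, d_net, d_wc):
            return action
    return "no-match"


def check_access(user_name, src, dst):
    """Login name -> domain -> user group -> ACL -> verdict for one constructed flow."""
    group = DOMAIN_TO_GROUP.get(resolve_domain(user_name, DOMAIN_TO_GROUP))
    if group is None:  # the default domain binds no user group in this example
        return "no-group"
    return acl_action(GROUP_TO_ACL[group], src, dst)
```

Running `check_access("userA@abc22", "10.164.2.10", "172.16.105.7")` reproduces the verification step above (user A is permitted only towards 172.16.105.0/24), and a source outside every ACL's address range yields "no-match", which shows that the policy only constrains the three department segments listed in the ACLs.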
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30 40
undo authentication unified-mode
#
dot1x enable
#
radius-server template rd1
radius-server shared-key cipher %^%#t67cDelRvAQg;*"4@P/3~q_31Sn{ST\V8'Ci633)%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
acl number 3001
rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 172.16.104.0 0.0.0.255
rule 10 deny ip source 10.164.1.0 0.0.0.255
acl number 3002
rule 5 permit ip source 10.164.2.0 0.0.0.255 destination 172.16.105.0 0.0.0.255
rule 10 deny ip source 10.164.2.0 0.0.0.255
acl number 3003
rule 5 permit ip source 10.164.3.0 0.0.0.255 destination 172.16.106.0 0.0.0.255
rule 10 deny ip source 10.164.3.0 0.0.0.255
#
aaa
authentication-scheme abc
authentication-mode radius
domain abc11
authentication-scheme abc
radius-server rd1
user-group abc1
domain abc22
authentication-scheme abc
radius-server rd1
user-group abc2
domain abc33
authentication-scheme abc
radius-server rd1
user-group abc3
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30
dot1x mac-bypass
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 40
#
user-group abc1
acl-id 3001
user-group abc1 enable
#
user-group abc2
acl-id 3002
user-group abc2 enable
#
user-group abc3
acl-id 3003
user-group abc3 enable
#
return
The domain of a user is determined by the user name provided for login. The rules
are as follows:
● If the entered user name contains a domain name and the user name format
is user-name@domain-name, the user domain is domain-name.
● If the entered user name does not contain a domain and the user name
format is user-name, the user belongs to the default system domain. By
default, the global default domain is default.
For example, the user name is test and the user belongs to the domain example.
To ensure that the user is authenticated in the domain example, perform either of
the following operations:
● The user name entered in the client is test@example.
● Run the domain example command in the system view to configure the
global default domain to example.
● (Applicable to all versions) Limit the number of concurrent access users for
802.1X authentication on an interface to limit the number of MAC addresses
that can be learned through the interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dot1x max-user 3
To solve the problem, run the undo dot1x reauthenticate command on the
specified interface to disable periodic 802.1X re-authentication.