
S300, S500, S2700, S5700, and S6700 Series Ethernet Switches
Configuration Guide - User Access and Authentication

3 NAC Configuration (Common Mode)

Context
NOTE

● The device supports NAC. NAC controls users' network access permissions, which
involves collecting or storing personal communication information. Huawei does not
collect or save user communication information itself. You must use these features
in compliance with applicable laws and regulations and protect your customers'
privacy when collecting or saving communication information.

3.1 Overview of NAC


3.2 Understanding NAC
3.3 Application Scenarios for NAC
3.4 Licensing Requirements and Limitations for NAC Common Mode
3.5 Default Settings for NAC
3.6 Configuring the NAC Common Mode
3.7 Configuring 802.1X Authentication
3.8 Configuring MAC Address Authentication
3.9 Configuring Portal Authentication
3.10 Configuring Combined Authentication
3.11 Maintaining NAC
3.12 Configuration Examples for NAC
3.13 FAQ About NAC

3.1 Overview of NAC


Definition
Network Access Control (NAC) is an end-to-end access security framework and
includes 802.1X authentication, MAC address authentication, and Portal
authentication.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 546


As enterprise networks have grown, threats such as viruses, Trojan horses, spyware,
and targeted network attacks have become more common. On a traditional enterprise
network the intranet is treated as trusted and threats are assumed to come from the
extranet. In practice, however, around 80% of security threats originate on the
intranet, where they can cause serious and wide-ranging damage, up to system and
network outages. In addition, when intranet users browse external websites, spyware
and Trojan horses may be installed on their computers without the users noticing,
and the malware can then spread across the internal network.
Perimeter-only defenses cannot keep up with these challenges. The security model
must shift to an active one that addresses problems at their root, the terminals,
raising the information security level of the whole enterprise.
The NAC solution combines terminal security with access control and applies check,
audit, protect, and isolate measures to improve the proactive protection of
terminals. This secures each terminal and, through it, the entire enterprise network.
As shown in Figure 3-1, NAC has three components: the NAC terminal, the network
access device, and the access server.
As shown in Figure 3-1, NAC includes three components: NAC terminal, network
access device, and access server.

Figure 3-1 Typical NAC networking diagram

● NAC terminal: functions as the NAC client and interacts with the network access
device to authenticate the user. If 802.1X authentication is used, client software
must be installed on the terminal.
● Network access device: functions as the network access control point that
enforces enterprise security policies. It allows, rejects, isolates, or restricts
users according to the security policies defined for the enterprise network.
● Access server: includes the access control server, management server, antivirus
server, and patch server. It authenticates users, checks terminal security,
repairs and upgrades systems, and monitors and audits user actions.

Purpose
Traditional network security technologies focus on threats from external computers
and typically neglect threats from internal ones. In addition, conventional network
devices cannot prevent attacks launched by devices on the internal network.
The NAC security framework was developed to secure network communication services.
It improves internal network security by focusing on user terminals and enforcing
security control over access users, providing end-to-end security.

3.2 Understanding NAC

3.2.1 802.1X Authentication


Overview
The IEEE 802.1 working group developed 802.1X as a port-based network access control
standard. It is now widely used as a common access control mechanism on LAN
interfaces, providing authentication and security on both wired Ethernet and
wireless networks.
802.1X is an interface-based network access control protocol: it controls users'
access to network resources by authenticating them on the access interface before
any service traffic is forwarded.
As shown in Figure 3-2, an 802.1X system uses a standard client/server
architecture with three components: client, device, and server.

Figure 3-2 Diagram of 802.1X authentication system

● The client is the entity at an end of the LAN segment and is authenticated by
a device at the other end of the link. The client is usually a user terminal. The
user initiates 802.1X authentication using client software. The client must
support Extensible Authentication Protocol over LAN (EAPoL).
● The device is the entity at an end of the LAN segment, which authenticates
the connected client. The device is usually a network device that supports the
802.1X protocol. The device provides an interface, either physical or logical,
for the client to access the LAN.
● The authentication server is the entity that provides authentication service for
the device. The authentication server carries out authentication, authorization,
and accounting on users, and is usually a RADIUS server.

Basic Concepts
1. Controlled and uncontrolled interfaces
The device provides an interface for LAN access. Logically, this interface is split
into two interfaces: the controlled interface and the uncontrolled interface.
● The uncontrolled interface transmits EAPoL frames in both directions regardless of
the authentication state, so that the client can always send and receive
authentication packets.
● The controlled interface transmits service packets in both directions only in the
Authorized state; in the Unauthorized state it does not accept packets from the
client, so no service traffic enters the network until authentication succeeds.

2. Authorized and Unauthorized states
The device uses the authentication server to authenticate clients that request LAN
access and sets the authorization state (Authorized or Unauthorized) of the
controlled interface according to the authentication result (Accept or Reject).
Figure 3-3 shows how the authorization state of a controlled interface determines
which packets can pass through the port, using two 802.1X authentication systems:
the controlled interface in system 1 is in the Unauthorized state, and the
controlled interface in system 2 is in the Authorized state.

Figure 3-3 Impact of a controlled interface's authorization state in two 802.1X
authentication systems

Authentication Triggering Modes


802.1X authentication can be initiated by either the client or the device. The
device supports the following triggering modes:
1. Client trigger: The client sends an EAPoL-Start packet to the device to initiate
authentication.
2. Device trigger: The device sends EAP-Request/Identity packets to the client to
initiate authentication. This mode is used when the client does not send an
EAPoL-Start packet, for example, the built-in 802.1X client of the Windows
operating system.

Authentication Modes
The 802.1X authentication system exchanges authentication information among the
client, device, and authentication server using the Extensible Authentication
Protocol (EAP). The EAP packets are exchanged among the components as follows:
1. The EAP packets transmitted between the client and device are encapsulated in
EAPoL format and transmitted across the LAN.
2. The device and RADIUS server exchange EAP packets in one of the following modes:
– EAP relay: The device relays EAP packets. It encapsulates each EAP packet in
EAP over RADIUS (EAPoR) format, that is, in RADIUS EAP-Message attributes, and
sends it to the RADIUS server for authentication. This mode keeps device
processing simple and supports many EAP methods, such as MD5-Challenge, EAP-TLS,
and PEAP, because the device never interprets the method-specific payload.
However, the RADIUS server must support the EAP methods in use.
– EAP termination: The device terminates EAP packets. It extracts the client's
authentication information and places it in standard RADIUS attributes, and the
RADIUS server authenticates the user using the Password Authentication Protocol
(PAP) or Challenge Handshake Authentication Protocol (CHAP). This mode works with
almost any RADIUS server, since PAP and CHAP are universally supported and no
server upgrade is needed. However, device processing is more complex, and the
device supports only the MD5-Challenge EAP method in this mode.

NOTE

The device supports the following EAP protocols: EAP-CHAP (EAP-MD5), EAP-PAP, EAP-TLS,
EAP-TTLS, and EAP-PEAP.
MD5-Challenge does not authenticate the server to the client and derives no keying
material, and a captured challenge/response pair can be attacked offline with a
dictionary. Prefer a TLS-based method (EAP-TLS, EAP-TTLS, or PEAP) in EAP relay mode
wherever the clients support it.

The 802.1X authentication system can complete authentication by exchanging
information with the RADIUS server in EAP relay mode or in EAP termination mode.
Figure 3-4 and Figure 3-5 show both modes, in each case with the client triggering
authentication.
1. EAP relay authentication

Figure 3-4 Service process in EAP relay mode

The EAP relay authentication process is as follows:

1. When a user needs to access the external network, the user starts the 802.1X
client program, enters the user name and password registered for the account, and
initiates a connection request. The client sends an authentication request frame
(EAPoL-Start) to the device to start the authentication process.
2. After receiving the EAPoL-Start frame, the device returns an identity request
frame (EAP-Request/Identity), asking the client for the user name.
3. The client replies with an identity response frame (EAP-Response/Identity)
containing the user name.
4. The device encapsulates the EAP packet from the client's response frame in a
RADIUS packet (RADIUS Access-Request) and sends it to the authentication server.
5. After receiving the user name, the RADIUS server looks up the corresponding
password in its database, generates a random MD5 challenge value, and sends the
challenge to the device in a RADIUS Access-Challenge packet (as an
EAP-Request/MD5-Challenge).
6. The device forwards the MD5 challenge from the RADIUS server to the client.
7. The client computes the MD5 hash of the EAP identifier, its password, and the
challenge value (the password itself is never sent), builds an
EAP-Response/MD5-Challenge packet containing the hash, and sends it to the device.
8. The device encapsulates the EAP-Response/MD5-Challenge packet in a RADIUS
packet (RADIUS Access-Request) and sends it to the RADIUS server.
9. The RADIUS server computes the same hash from the stored password and the
challenge it issued, and compares it with the received value. If the two match, the
user is considered authorized and the server sends a RADIUS Access-Accept packet to
the device.
10. After receiving the RADIUS Access-Accept packet, the device sends an EAP-Success
frame to the client, changes the interface state to Authorized, and allows the user
to access the network through the interface.
11. While the user is online, the device periodically sends a handshake packet to
the client to monitor the online user. For details, see the dot1x timer arp-detect
command.
12. After receiving the handshake packet, the client sends a response packet to the
device, indicating that the user is still online. By default, the device logs the
user off if it receives no response after sending two handshake packets. The
handshake mechanism lets the device detect unexpected user disconnections. For
details, see the dot1x timer arp-detect command.
13. When the user wants to go offline, the client sends an EAPoL-Logoff frame to
the device.
14. The device changes the interface state from Authorized to Unauthorized and
sends an EAP-Failure packet to the client.
2. EAP termination authentication

Figure 3-5 Service process in EAP termination mode

Compared with EAP relay mode, in EAP termination mode the device itself generates the
random MD5 challenge value in step 4 (instead of the RADIUS server in step 5), and
after the client answers, the device sends the user name, the MD5 challenge, and the
client's MD5 response in standard RADIUS attributes (CHAP) to the RADIUS server for
authentication. The RADIUS server therefore never sees an EAP packet in this mode.
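The MD5-Challenge exchange in steps 5 to 9 of the relay process, and the way the device repackages it for the RADIUS server in relay mode versus termination mode, as an added example written for this page (it is not Huawei code and does not model the switch's implementation). It assumes the EAP MD5-Challenge layout from RFC 3748 and the RADIUS attribute numbers from RFC 2865 (User-Name 1, CHAP-Password 3, CHAP-Challenge 60, EAP-Message 79); the user name "alice" and the passwords are constructed sample data. The last function shows why the caveat about MD5-Challenge matters: one captured exchange is enough for an offline dictionary attack.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2          # EAP Code field (RFC 3748)
EAP_TYPE_MD5 = 4                          # EAP Type: MD5-Challenge
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE, EAP_MESSAGE = 1, 3, 60, 79   # RADIUS attribute types


def md5_challenge_response(identifier, password, challenge):
    """RFC 3748 s5.4 / RFC 1994: MD5(Identifier || password || challenge). No key is derived."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap_md5(code, identifier, value, name=b""):
    """EAP header (Code, Identifier, Length) + Type 4 + Value-Size + Value + optional Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap_md5(packet):
    """Returns (code, identifier, value, name); rejects truncated or non-MD5 packets."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 6 or packet[4] != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("Value-Size exceeds packet length")
    return code, identifier, packet[6:6 + size], packet[6 + size:length]


def issue_challenge(identifier):
    """Step 5 (relay: RADIUS server) or step 4 (termination: the device): a fresh random challenge."""
    challenge = os.urandom(16)
    return challenge, build_eap_md5(EAP_REQUEST, identifier, challenge)


def client_response(request, password, username):
    """Step 7: the client hashes its password with the challenge; the password never leaves the host."""
    code, identifier, challenge, _ = parse_eap_md5(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    digest = md5_challenge_response(identifier, password, challenge)
    return build_eap_md5(EAP_RESPONSE, identifier, digest, username)


def verify_response(response, identifier, challenge, stored_password):
    """Step 9: recompute with the stored password; the identifier must match the challenge issued."""
    code, rid, value, _ = parse_eap_md5(response)
    expected = md5_challenge_response(identifier, stored_password, challenge)
    return code == EAP_RESPONSE and rid == identifier and hmac.compare_digest(value, expected)


def radius_attr(attr_type, value):
    """One RADIUS attribute: Type, Length (including the 2 header bytes), Value (max 253 bytes)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def relay_attributes(eap_packet):
    """EAP relay (EAPoR): the EAP packet is carried unchanged, split into EAP-Message attributes."""
    return b"".join(radius_attr(EAP_MESSAGE, eap_packet[i:i + 253])
                    for i in range(0, len(eap_packet), 253))


def termination_attributes(response, challenge):
    """EAP termination: the device strips EAP and sends plain RADIUS CHAP attributes instead.
    The EAP identifier doubles as the CHAP Ident byte because the hash was computed over it."""
    _, identifier, value, name = parse_eap_md5(response)
    return (radius_attr(USER_NAME, name)
            + radius_attr(CHAP_PASSWORD, bytes([identifier]) + value)
            + radius_attr(CHAP_CHALLENGE, challenge))


def dictionary_attack(response, challenge, wordlist):
    """Why MD5-Challenge belongs inside a TLS tunnel: a sniffed exchange is an offline oracle."""
    _, identifier, value, _ = parse_eap_md5(response)
    for guess in wordlist:
        if md5_challenge_response(identifier, guess, challenge) == value:
            return guess
    return None


if __name__ == "__main__":
    challenge, request = issue_challenge(identifier=7)
    response = client_response(request, b"correct horse", b"alice")     # constructed sample credentials
    print("server verdict:", verify_response(response, 7, challenge, b"correct horse"))
    print("relay attrs:      ", relay_attributes(response).hex())
    print("termination attrs:", termination_attributes(response, challenge).hex())
    print("cracked:", dictionary_attack(response, challenge, [b"password", b"correct horse"]))
```

In relay mode the RADIUS server needs EAP support but the device stays method-agnostic; in termination mode the device must understand MD5-Challenge itself, which is why it is the only method it supports there. Either way the server compares hashes, so a RADIUS Access-Accept never carries the password back.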

MAC Address Bypass Authentication

MAC address bypass authentication authenticates a terminal using its MAC address as
both the user name and the password. It exists because some terminals in an 802.1X
authentication system, such as printers, cannot run 802.1X client software.
During 802.1X authentication the device first prompts the terminal to perform 802.1X
authentication. If the terminal does not respond within a predefined period, the
device uses the terminal's MAC address as the user name and password and sends it to
the authentication server for authentication.
As shown in Figure 3-6, if the device receives no response after sending multiple
authentication requests, it falls back to MAC address bypass authentication. Because
a MAC address can be spoofed by any host on the segment, enable bypass only on the
interfaces that connect such terminals.

Figure 3-6 Diagram of MAC address bypass authentication

802.1X Authentication Supports Dynamic VLAN Authorization

1. Guest VLAN
When the Guest VLAN function is enabled and a user does not respond to the 802.1X
request, for example because no 802.1X client software is installed, the device adds
the interface where the user resides to the Guest VLAN. The user can then access only
the resources in the Guest VLAN, which lets unauthenticated users download or update
the client software or run upgrade programs.
2. Restrict VLAN
When the Restrict VLAN function is enabled and a user fails authentication, for
example because of an incorrect user name or password, the device adds the interface
where the user resides to the Restrict VLAN. Like the Guest VLAN, the Restrict VLAN
gives users limited network access before they are authenticated; it typically
restricts unauthenticated users more tightly than the Guest VLAN, because a failed
authentication, unlike a missing client, may indicate a credential-guessing attempt.
3. Critical VLAN
When the Critical VLAN function is enabled and the authentication server does not
respond, for example because the network between the device and the server is down
or the server itself is faulty, the device adds the interface where the user resides
to the Critical VLAN so that the user can still reach the resources in the Critical
VLAN.
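How the controlled interface, MAC address bypass, and the Guest, Restrict, and Critical VLANs fit together, as an added example written for this page (it is not Huawei code and does not reproduce the switch's own state machine). The decision rules follow the descriptions above; the precedence between MAC bypass and the Guest VLAN when both are enabled, the `authorized_vlan` parameter standing in for a server-delivered VLAN, and the sample MAC addresses are assumptions for illustration. Frames are identified only by EtherType (0x888E for EAPoL).

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

EAPOL_ETHERTYPE = 0x888E   # EtherType of EAPoL frames (IEEE 802.1X)


class PortState(Enum):
    UNAUTHORIZED = "Unauthorized"
    AUTHORIZED = "Authorized"


class ServerResult(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    NO_RESPONSE = "no response"   # authentication server down or unreachable


@dataclass
class Dot1xPort:
    """One 802.1X access interface. Every event handler returns (state, VLAN, reason)."""
    default_vlan: int
    guest_vlan: Optional[int] = None
    restrict_vlan: Optional[int] = None
    critical_vlan: Optional[int] = None
    mac_bypass: bool = False
    state: PortState = PortState.UNAUTHORIZED
    vlan: int = 0
    fallback: Optional[str] = None   # "guest", "restrict" or "critical" while parked in that VLAN
    reason: str = "initial"

    def __post_init__(self):
        self.vlan = self.default_vlan

    def _set(self, state, vlan, fallback, reason):
        self.state, self.vlan, self.fallback, self.reason = state, vlan, fallback, reason
        return state, vlan, reason

    def forward_vlan(self, ethertype):
        """VLAN in which a received frame is switched, or None if the controlled port drops it.
        The uncontrolled port passes EAPoL in either state; service traffic passes only when
        Authorized, or with limited reach while parked in a guest/restrict/critical VLAN."""
        if ethertype == EAPOL_ETHERTYPE:
            return self.vlan
        if self.state is PortState.AUTHORIZED or self.fallback is not None:
            return self.vlan
        return None

    def on_server_result(self, result, authorized_vlan=None):
        """Accept -> Authorized; Reject -> restrict VLAN; no server reply -> critical VLAN.
        authorized_vlan is a hypothetical server-delivered VLAN; without it the default VLAN is used."""
        if result is ServerResult.ACCEPT:
            return self._set(PortState.AUTHORIZED, authorized_vlan or self.default_vlan, None, "Access-Accept")
        if result is ServerResult.REJECT:
            if self.restrict_vlan is not None:
                return self._set(PortState.UNAUTHORIZED, self.restrict_vlan, "restrict", "Access-Reject: restrict VLAN")
            return self._set(PortState.UNAUTHORIZED, self.default_vlan, None, "Access-Reject: blocked")
        if self.critical_vlan is not None:
            return self._set(PortState.UNAUTHORIZED, self.critical_vlan, "critical", "server unreachable: critical VLAN")
        return self._set(PortState.UNAUTHORIZED, self.default_vlan, None, "server unreachable: blocked")

    def on_client_silent(self, mac, radius):
        """No EAP-Response/Identity after the retries (a printer without a supplicant, say).
        Assumed precedence for illustration: MAC bypass first, otherwise the guest VLAN."""
        if self.mac_bypass:
            return self.on_server_result(radius(mac, mac))   # MAC is both user name and password
        if self.guest_vlan is not None:
            return self._set(PortState.UNAUTHORIZED, self.guest_vlan, "guest", "no supplicant: guest VLAN")
        return self._set(PortState.UNAUTHORIZED, self.default_vlan, None, "no supplicant: blocked")

    def on_logoff(self):
        """EAPoL-Logoff, or two missed handshakes (dot1x timer arp-detect): back to Unauthorized."""
        return self._set(PortState.UNAUTHORIZED, self.default_vlan, None, "logoff")


if __name__ == "__main__":
    port = Dot1xPort(default_vlan=10, guest_vlan=20, restrict_vlan=30, critical_vlan=40)
    print(port.forward_vlan(0x888E), port.forward_vlan(0x0800))       # EAPoL passes, IP is dropped
    for result in (ServerResult.ACCEPT, ServerResult.REJECT, ServerResult.NO_RESPONSE):
        print(port.on_server_result(result), "IP forwarded in VLAN", port.forward_vlan(0x0800))
    printer = Dot1xPort(default_vlan=10, mac_bypass=True, restrict_vlan=30)
    known = {"0011-2233-4455"}                                          # constructed MAC allow-list
    print(printer.on_client_silent("0011-2233-4455",
          lambda user, pw: ServerResult.ACCEPT if user in known else ServerResult.REJECT))
```

The point to notice is that every fallback VLAN leaves the port in the Unauthorized state: the user gets reachability inside that VLAN only, so the resources placed there (client download servers, patch servers, a DHCP server) define the blast radius if the fallback is reached by an attacker rather than by a legitimate terminal.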

802.1X-based Fast Deployment


The NAC solution improves a network's overall defense capabilities, but deploying
802.1X clients can be difficult. 802.1X-based fast deployment can expedite the
process. This feature redirects users to the authentication page. The users then can
download the client software and install it. To support 802.1X-based fast
deployment, 802.1X provides the following two mechanisms:
1. Limit on accessible network resources
Before 802.1X authentication, an access control list (ACL) is used to allow
users to access only a specific IP segment or server. Users can download and
upgrade client software or obtain dynamic IP addresses from the specified
server.
2. URL redirection
Before 802.1X authentication, a user using a web browser to access the
network is automatically redirected to a specified URL, for example, the client
software download page.

User Group Authorization


The device can authorize users based on the user group. After users are
authenticated, the authentication server groups users together. Each user group is
bound to an ACL so that users in the same user group share an ACL.

3.2.2 MAC Address Authentication


Overview
MAC address authentication controls a user's network access rights based on the
user's interface and MAC address. The user does not need to install any client
software. After detecting the user's MAC address for the first time on an interface
where MAC address authentication is running, the device begins authenticating
the user. During the authentication, the user does not need to enter a user name
or password.
MAC authentication user names can take the following forms, depending on the format
and content the access device uses to identify the user:
● MAC address: The device uses the user's MAC address as the user name. The password
is either the MAC address itself or a user-defined character string.
● Fixed user name: Regardless of their MAC addresses, all users authenticate with a
single fixed user name and password designated on the access device. Because
multiple users can be authenticated on the same interface, every user requiring MAC
address authentication on that interface uses the same fixed user name, and the
server needs only one account to serve them all. This applies only to environments
where the connected clients are trusted, since the account cannot distinguish one
terminal from another.
● DHCP option: Instead of the user's MAC address, the device uses a DHCP option
obtained from the user's DHCP packets, together with a fixed password, as the
identity information for authentication. In this mode, the device must support
triggering MAC authentication from DHCP packets.
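The identity the access device derives from a MAC address, and the RADIUS Access-Request it then sends, as an added example written for this page (not Huawei code; the exact attribute set the switch sends is not described here). It assumes PAP-style User-Password hiding from RFC 2865 section 5.2, three MAC spellings and the "mac-address"/"fixed" mode names as stand-ins for the formats above, a Calling-Station-Id attribute carrying the MAC, and constructed MAC addresses and shared secret. `reveal_password` is the server side, included to show that the hiding is reversible with the shared secret alone; and since in the default mode the credential is the MAC address itself, which any host can spoof, MAC authentication identifies a device class rather than an authenticated principal.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1                                        # RADIUS Code
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31   # RADIUS attribute types (RFC 2865)


def format_mac(mac, style):
    """Normalise any usual MAC spelling, then render it the way the user-name policy requires."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address")
    if style == "without-hyphen":        # 001122334455
        return digits
    if style == "with-hyphen":           # 0011-2233-4455, the notation used in this guide
        return "-".join(digits[i:i + 4] for i in range(0, 12, 4))
    if style == "colon":                 # 00:11:22:33:44:55
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    raise ValueError("unknown MAC style")


def mac_authen_identity(mac, mode="mac-address", style="without-hyphen",
                        fixed_user=None, fixed_password=None):
    """(User-Name, password) for the two user-name modes described above.
    In mac-address mode the password is the MAC itself unless a fixed string is configured."""
    if mode == "mac-address":
        name = format_mac(mac, style)
        return name, (fixed_password if fixed_password is not None else name)
    if mode == "fixed":
        if not fixed_user or fixed_password is None:
            raise ValueError("fixed mode needs a user name and a password")
        return fixed_user, fixed_password
    raise ValueError("unknown user-name mode")


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2 User-Password hiding: pad to 16-byte blocks and XOR each block with
    MD5(shared secret || previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS passwords are limited to 128 bytes")
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of the same transform; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def radius_attr(attr_type, value):
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(mac, secret, identifier, authenticator=None, **policy):
    """The Access-Request the access device sends when it first sees a MAC on the interface.
    Calling-Station-Id carrying the MAC is an assumption for illustration, not from the guide."""
    authenticator = authenticator or os.urandom(16)
    user_name, password = mac_authen_identity(mac, **policy)
    attrs = (radius_attr(USER_NAME, user_name.encode())
             + radius_attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + radius_attr(CALLING_STATION_ID, format_mac(mac, "with-hyphen").encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet):
    """Attribute type -> value for a RADIUS packet; rejects inconsistent lengths."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad RADIUS attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    packet = build_access_request("00:11:22:33:44:55", secret, 9, style="with-hyphen")
    attrs = parse_attributes(packet)
    print(attrs[USER_NAME], reveal_password(attrs[USER_PASSWORD], secret, packet[4:20]))
```

The user name format matters operationally: the RADIUS server's account (or the MAC list it consults) must use exactly the spelling the device sends, so a mismatch between "0011-2233-4455" and "001122334455" is a silent Access-Reject for every terminal on that interface.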

Guest VLAN
When the guest VLAN function is enabled, if the user does not respond to the
MAC address authentication request, the device adds the interface where the user
resides into the guest VLAN, so that the user can access resources in the guest
VLAN. In this manner, the user can access some network resources without being
authenticated.

User Group Authorization


The device can authorize users based on the user group. After users are
authenticated, the authentication server groups users together. Each user group is
bound to an ACL so that users in the same user group share an ACL.

3.2.3 Portal Authentication

Introduction to Portal Authentication


Portal authentication is also called web authentication. Generally, Portal
authentication websites are also called Portal websites.

When an unauthenticated user accesses the Internet, the device forcibly redirects the
user to a specific site, whose resources the user can access free of charge. To reach
resources outside that site, the user must first pass authentication on the Portal
authentication website.

A user can open a known Portal authentication website and enter a user name and
password; this is called active authentication. If a user instead tries to reach
another external network over HTTP, the device forcibly redirects the user to the
Portal authentication website for Portal authentication; this is called forcible
authentication.

NOTE

The device uses Huawei proprietary Portal protocol to perform Portal authentication.
Huawei proprietary Portal protocol is compatible with the Portal 2.0 protocol of China
Mobile Communications Corporation (CMCC), and supports basic functions of the Portal 2.0
protocol.

System Architecture
As shown in Figure 3-7, a typical Portal authentication system consists of four
entities: the authentication client, the access device, the Portal server, and the
authentication/accounting server.

Figure 3-7 Portal authentication system

1. Authentication client: a client system on the user terminal, either a web browser
speaking HTTP/HTTPS or a host running Portal client software.
2. Access device: a broadband access device such as a switch or router. It provides
the following functions:
– Redirects all HTTP requests from users on the authentication subnets to the
Portal server before authentication.
– Interacts with the Portal server and the authentication/accounting server to
implement identity authentication and accounting during authentication.
– Allows users to access the authorized Internet resources after authentication
succeeds.
3. Portal server: receives authentication requests from the Portal client, provides
free Portal services and a web-based authentication interface, and exchanges the
client's authentication information with the access device.
4. Authentication/accounting server: interacts with the access device to implement
user authentication and accounting.

Authentication Modes
Different Portal authentication modes can be used in different networking modes.
Portal authentication is classified into Layer 2 and Layer 3 authentication
according to the network layer on which it is implemented.
● Layer 2 authentication
The authentication client and access device are directly connected, or only Layer 2
devices sit between them. The device can learn the user's MAC address and identifies
the user by the combination of IP address and MAC address. Portal authentication is
then configured as Layer 2 authentication.
Layer 2 authentication is simple and identifies users more reliably than Layer 3
authentication, because an attacker would have to spoof both the IP and the MAC
address of an authenticated user. However, it requires the user to be on the same
subnet as the access device, which makes the networking inflexible.

Figure 3-8 shows the packet exchange when a user goes online with Layer 2
authentication.

Figure 3-8 Layer 2 authentication flowchart

1. A Portal user initiates an authentication request through HTTP. The access
device lets HTTP packets destined for the Portal server, or for the configured
authentication-free network resources, pass, and redirects HTTP packets for any
other address to the Portal server. The Portal server presents a web page where the
user enters a user name and password.
2. If CHAP authentication is used, the Portal server exchanges challenge information
with the access device. If PAP authentication is used, the Portal server skips this
exchange and goes directly to step 3.
3. The Portal server sends the user name and password entered by the user to the
access device in an authentication request packet and starts a timer to wait for the
authentication reply.
4. The access device authenticates the user with the RADIUS server using RADIUS
protocol packets.
5. The access device sends an authentication reply packet to the Portal server.
6. The Portal server notifies the client that authentication succeeded.
7. The Portal server sends an authentication reply acknowledgment to the access
device.
● Layer 3 authentication
When the device is deployed at the aggregation or core layer, Layer 3 forwarding
devices sit between the authentication client and the device, so the device may not
be able to obtain the client's MAC address and identifies the user by IP address
alone. Portal authentication is then configured as Layer 3 authentication.
The Layer 3 authentication process is the same as the Layer 2 process. Layer 3
networking is flexible and suits centralized control of remote sites. However,
because a user is identified only by an IP address, which another host can take over
or spoof once the user is authenticated, Layer 3 authentication is weaker than Layer
2 authentication.

NOTE

The device does not support Layer 3 authentication of the built-in Portal server.

Detection and Survival


If the Portal server fails or communication is interrupted due to a network failure
between the device and Portal server, new Portal authentication users cannot go
online, and online Portal users cannot go offline normally. User information on the
Portal server and the device may be different, resulting in accounting errors.
With the Portal detection and survival function, even if the network fails or the
Portal server cannot function properly, the device still allows users with certain
access rights to use the network normally, and reports failures using logs and
traps. Meanwhile, the user information synchronization mechanism ensures that
user information on the Portal server matches that on the device, preventing
accounting errors.

User Group Authorization


The device can authorize users based on the user group. After users are
authenticated, the authentication server groups users together. Each user group is
bound to an ACL so that users in the same user group share an ACL.

3.3 Application Scenarios for NAC

3.3.1 802.1X Authentication


As shown in Figure 3-9, users' network access needs to be controlled to ensure
network security. Only authenticated users are allowed to access network
resources authorized by the administrator.

Figure 3-9 Typical application of 802.1X authentication

The user terminal is a PC with 802.1X client software installed. The user initiates
an authentication request to the access device from the 802.1X client. After
exchanging information with the terminal, the access device sends the user's
information to the authentication server for authentication. If authentication
succeeds, the access device sets the controlled interface connected to the user to
the Authorized state and allows the user to access the network. If authentication
fails, the access device rejects the user's access request.
NOTE

802.1X authentication results in the change of the interface state, but does not involve IP
address negotiation or assignment. 802.1X authentication is the simplest authentication
solution. However, the 802.1X client software must be installed on the user terminal.

3.3.2 MAC Address Authentication


As shown in Figure 3-10, user terminals' network access needs to be controlled to
ensure network security. Only authenticated users are allowed to access network
resources authorized by the administrator.

Figure 3-10 Typical application of MAC address authentication

802.1X client software cannot be installed on printers. In this case, enable MAC
address authentication on interface 1, which connects to the printer. The access
device then uses the printer's MAC address as the user name and password and sends it
to the authentication server for authentication. If authentication succeeds, the
access device sets the interface connected to the printer to the Authorized state and
allows the printer to access the network. If authentication fails, the access device
rejects the printer's access request.

NOTE

Apart from MAC address authentication, terminals with simple functions that cannot install
the 802.1X client software and do not require high security (such as printers) can also be
authenticated using 802.1X MAC address bypass authentication.

3.3.3 Portal Authentication


As shown in Figure 3-11, user terminals' network access needs to be controlled to
ensure network security. Only authenticated users are allowed to access network
resources authorized by the administrator.

Figure 3-11 Typical application of Portal authentication

If users only need to authenticate through a web browser, enable Portal
authentication on the access device.

When an unauthenticated user accesses the Internet, the access device redirects the
user to the Portal authentication website to start Portal authentication. If
authentication succeeds, the access device allows the user's traffic through and the
user can access the network. If authentication fails, the access device rejects the
user's access request.

3.4 Licensing Requirements and Limitations for NAC Common Mode

Involved Network Elements

Table 3-1 Components involved in NAC networking

Role           Product Model                               Description
AAA server     Huawei server or third-party AAA server     Performs authentication, accounting, and authorization for users.
Portal server  Huawei server or third-party Portal server  Receives authentication requests from Portal clients, provides free Portal services and the web authentication page, and exchanges client authentication information with access devices. Required only in external Portal authentication mode.

NOTE

When Huawei's Agile Controller-Campus functions as the server, its version must be
V100R001, V100R002, or V100R003.
When a Huawei switch functions as a DHCP server and assigns IP addresses to terminals
based on the static MAC-IP bindings delivered by the Agile Controller-Campus, the
switch must run V200R009C00 or a later version, and the Agile Controller-Campus must
run V100R002 or V100R003.

Licensing Requirements
NAC common mode is a basic feature of a switch and is not under license control.

Feature Support in V200R020C10

All models of S300, S500, S2700, S5700, and S6700 series switches support NAC common mode.

NOTE

For details about software mappings, visit Info-Finder and search for the desired product
model.

Feature Limitations
Limitations related to NAC modes:
● Compared with the common mode, the unified mode uses modular configuration, which makes the configuration clearer and the configuration model easier to understand. Because of these advantages, you are advised to deploy NAC in unified mode.
● Starting from V200R005C00, the default NAC mode changes from common
mode to unified mode. Therefore, if the system software of a switch is
upgraded from a version earlier than V200R005C00 to V200R005C00 or a
later version, the switch automatically runs the undo authentication unified-
mode command to configure the NAC mode to common mode.
● For versions before V200R007C00, after the common mode and unified mode
are switched, you must save the configuration file and restart the device
manually to make the new configuration mode take effect. For V200R007C00
and later versions, after the common mode and unified mode are switched,
the device will automatically save the configuration file and restart.
● In V200R008C00, some NAC commands do not differentiate the common and
unified modes. Their formats and views remain unchanged after being
switched from one mode to the other. After devices are switched from the
common mode in V200R008C00 or later versions to the unified mode in
V200R009C00 or later versions, these NAC commands are switched to the
unified mode.
● In the unified mode, the commands supported only in the common mode are
unavailable; in the common mode, the commands supported only in the
unified mode are unavailable. After the configuration mode is switched, the
commands supported by both modes still take effect.
● The NAC common mode does not apply to wireless users. To use NAC to
control wireless user access, switch the NAC mode to unified mode.

Limitations related to authentication:

● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled device and users, the function of transparently transmitting
802.1X authentication packets must be enabled on the Layer 2 switch.
Otherwise, users cannot be authenticated.
● In the Portal authentication scenario, users may use spoofed IP addresses for
authentication, which brings security risks. It is recommended that you
configure attack defense functions such as IPSG and DHCP snooping to avoid
the security risks.
● If the S2720-EI (V200R009C00 and V200R010C00), S2750-EI, S5700-10P-LI-AC, or S5700-10P-PWR-LI-AC functions as a Layer 3 gateway and NAC is enabled on physical interfaces configured with Layer 3 services, you must run the assign forward-mode ipv4-hardware command to enable Layer 3 hardware forwarding for IPv4 packets.
● NAC authentication and authentication-related parameters cannot be enabled
both on a Layer 2 Ethernet interface and the VLANIF interface of the VLAN to
which the Layer 2 Ethernet interface belongs.
● The switch supports 802.1X authentication, MAC address authentication, and
external Portal authentication for users in a VPN (HTTP/HTTPS-based Portal
authentication is supported in V200R013C00 and later versions). Built-in
Portal authentication is not supported, and users in different VPNs but with
the same IP address cannot be authenticated.
● In V200R005, when NAC is configured on the main interface, service functions
on its sub-interface are affected.
● Terminals using MAC address authentication do not support switching
between IPv4 and IPv6. To ensure that a terminal can normally obtain an IP
address after passing the authentication, you are advised to enable either IPv4
or IPv6 on the terminal.
● In versions earlier than V200R013, if authentication triggered by any packet is
not configured, the ARP packets with the source IP address being 0.0.0.0
cannot trigger MAC address authentication. In V200R013 and later versions, if
authentication triggered by any packet is not configured, the ARP packets
with the source IP address being 0.0.0.0 can trigger MAC address
authentication. However, the IP addresses of online users are empty in the
display access-user command output. If the device receives an ARP packet
with the source IP address not being 0.0.0.0 from an online user, it updates
the user's IP address in the user entry to this source IP address. If an online
user has an IP address and sends an ARP packet with the source IP address
being 0.0.0.0, the device does not update the user's IP address in the user
entry.
● When an authentication point is deployed on the X series cards, only the X1E,
X2E, X2H, X5H, and X6H cards support ACL authorization for IPv6 users, and
other X series cards do not support ACL authorization for IPv6 users.
● In V200R020C00 and later versions, the device does not support built-in Portal
authentication. In versions earlier than V200R020C00, built-in Portal
authentication is only a test feature and does not support commercial use.
Limitations related to authorization:
● In V200R012C00 and later versions, if the ACL assigned to users who go
online through S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S,
S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S is not a user-
defined one, the attribute of the source IP address in the ACL rule does not
take effect. In all other cases, the IP address in the ACL rule is replaced with
the user's IP address. In versions earlier than V200R012C00, if an ACL bound
to a service scheme has defined the source IP address, only users with the
same IP address as the source IP address in the ACL can match the ACL in the
service scheme.
● An authorized VLAN cannot be delivered to online Portal users. For MAC
address-prioritized Portal authentication, the Agile Controller-Campus V1
delivers the session timeout attribute after Portal authentication succeeds so
that users go offline immediately, and then delivers an authorized VLAN to
users after the users pass MAC address authentication.

● If a terminal obtains an IP address using DHCP, you need to manually trigger the DHCP process to request an IP address after VLAN-based authorization is successful or the authorized VLAN is changed through CoA packets. In V200R012C00 and later versions, the device can trigger STAs to re-apply for IP addresses by disconnecting authentication interfaces intermittently. After this function is configured, you need to run the undo radius-server authorization hw-ext-specific command bounce-port disable command on the device to enable the function, and set the value of the RADIUS attribute HW-Ext-Specific (26-238) on the authentication server to user-command=2.
● In versions earlier than V200R011C10, for the S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5710-C-LI, S5710-X-LI, S5700-SI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI, if an ACL, an upstream rate limiting value, and a downstream rate limiting value are all authorized to a user, only the ACL takes effect. Starting from V200R011C10, the device supports authorization based on the DSCP values of upstream and downstream packets, and the authorized ACL, the upstream and downstream rate limiting values, and the upstream and downstream DSCP values can all take effect simultaneously.
● It is not recommended to use the MEth management interface to
communicate with an authentication or authorization server. Starting from
V200R013C00, for the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S,
S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S, an
authorization server cannot be used to authorize users if a switch
communicates with the authorization server through the MEth management
interface.
● If the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H,
S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S, S5720-EI, S6720-EI, or
S6720S-EI is upgraded to V200R019C00 or a later version, the DSCP and
802.1p values are modified based on the authorized DSCP and 802.1p values.
Limitations in a Layer 2 BNG scenario:
● The RADIUS server assigns Huawei extended RADIUS attribute HW-
Forwarding-VLAN to MAC address authentication users who go online
through the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S,
S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S X series
cards. Then the switch replaces the two VLAN tags carried in users' unicast or
broadcast packets with an ISP VLAN tag (it cannot be the same as the outer
VLAN tag).
● Do not create VLANIF interfaces for the two VLAN tags carried in original
packets. Otherwise, packet forwarding may be abnormal.
● The switch that has MAC address authentication enabled cannot have DHCP
snooping and ND snooping configured and does not support MAC address
flapping.
● When working as a DHCPv6 client, the switch can only obtain an IPv6 address
using DHCPv6. When working as a DHCPv6 server, the device can only
allocate IPv6 addresses using DHCPv6 to ensure that IPv6 addresses can be
managed. You need to set the M bit in RA packets sent by the device to 1,
indicating stateful address allocation, that is, clients obtain IPv6 addresses
through stateful protocols (for example, DHCPv6).


● The device does not support the user VLAN authorization function. Before
configuring other attributes except authorized VLANs for access users, run the
authorization-modify mode modify command on the device to set the
update mode of user authorization information delivered by the authorization
server to modify. Otherwise, access users will go offline.

Other limitations:
● The number of NAC users cannot exceed the maximum number of MAC
address entries supported by the switch.
● During LNP negotiation, NAC users cannot go online before the interface link
type becomes stable. If the interface link type is negotiated again and the
negotiation result changes, the online NAC users are logged out.
● For the S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5700-SI, S5710-C-LI, S5710-X-LI, S5720I-SI, S5720-LI, S2730S-S, S5735-L1, S5735S-L1, S300, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S500, S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S5735S-H, S5736-S, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, ACL-based simplified traffic policy and traffic classification rules in MQC-based traffic policy have higher priorities than rules defined in NAC configuration. If configurations in ACL-based simplified traffic policy or MQC-based traffic policy conflict with the NAC function, the device processes packets based on configurations in ACL-based simplified traffic policy and traffic behaviors in MQC-based traffic policy.

3.5 Default Settings for NAC

Table 3-2 describes the default settings for 802.1X authentication.

Table 3-2 Default settings for 802.1X authentication

Parameter | Default Setting
802.1X authentication | Disabled
Interface authorization status | Auto
Access control mode on the interface | MAC address-based
User authentication mode | CHAP authentication

Table 3-3 describes the default settings for MAC address authentication.

Table 3-3 Default settings for MAC address authentication

Parameter | Default Setting
MAC address authentication | Disabled
User name format | User names and passwords in MAC address authentication are MAC addresses without hyphens (-).
User authentication domain | Default

Table 3-4 describes the default settings for Portal authentication.

Table 3-4 Default settings for Portal authentication

Parameter | Default Setting
Portal authentication | Disabled
Portal protocol versions supported by the device | v2, v1
Number of the destination port that the device uses to send packets to the Portal server | 50100
Number of the port that the device uses to listen to Portal protocol packets | 2000
Source subnet for Portal authentication | 0.0.0.0/0
Offline detection period | 300 seconds

3.6 Configuring the NAC Common Mode

Context
NAC supports the common configuration mode and unified configuration mode.
Before configuring NAC functions in the common mode, you must switch the NAC
configuration mode to common mode.

NOTE

● After the common mode and unified mode are switched, you must restart the device to make each function in the new configuration mode take effect.
● In the unified mode, the commands supported only in the common mode are unavailable; in the common mode, the commands supported only in the unified mode are unavailable. After the configuration mode is switched, the commands supported by both the common mode and unified mode still take effect.

Procedure
Step 1 Run system-view

The system view is displayed.


Step 2 Run undo authentication unified-mode

The NAC mode is switched to common mode.

By default, the unified NAC configuration mode is used.

NOTE

After SVF is enabled in unified mode, the device cannot switch to common mode.

----End

Verifying the Configuration

● Run the display authentication mode command to check the current NAC configuration mode and the mode after restart.

3.7 Configuring 802.1X Authentication


You can configure 802.1X authentication to implement interface-based network
access control. This means you can authenticate and control access users
connected to an access control device interface.

Pre-configuration Tasks
802.1X only provides a user authentication solution. To implement this solution,
the AAA function must also be configured. Therefore, complete the following tasks
before you configure 802.1X authentication:

● Configure the authentication domain and AAA scheme on the AAA client.
● Configure the user name and password on the RADIUS or HWTACACS server
if RADIUS or HWTACACS authentication is used.
● Configure the user name and password manually on the network access
device if local authentication is used.

For the configuration of the AAA client, see 1 AAA Configuration.

3.7.1 Enabling 802.1X Authentication

Context
The 802.1X configuration takes effect on an interface only after 802.1X authentication is enabled both globally and on the interface.

802.1X authentication cannot be disabled on an interface while users who logged in through 802.1X authentication on that interface are online.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run dot1x enable

Global 802.1X authentication is enabled.

By default, global 802.1X authentication is disabled.

Step 3 Enable 802.1X authentication on the interface in the system or interface view.
● In the system view:
1. Run dot1x enable interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
802.1X authentication of the interface is enabled.
● In the interface view:
1. Run interface interface-type interface-number
The interface view is displayed.
2. Run dot1x enable
802.1X authentication of the interface is enabled.

By default, 802.1X authentication of an interface is disabled.

----End

3.7.2 (Optional) Configuring the Authorization State of an Interface

Context
You can configure the authorization state of an interface to control whether an access user must be authenticated before accessing network resources. The interface supports the following authorization states:
● Auto mode: The interface is initially in Unauthorized state and sends and
receives authentication packets only. Users cannot access network resources.
After a user passes the authentication, the interface turns to Authorized state.
Users are allowed to access network resources in this state.
● Authorized-force mode: The interface is always in Authorized state and allows
users to access network resources without authentication.
● Unauthorized-force mode: The interface is always in Unauthorized state and
does not allow users to access network resources.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Configure the authorization state of an interface in the system or interface view.
● In the system view:
1. Run dot1x port-control { auto | authorized-force | unauthorized-force }
interface { interface-type interface-number1 [ to interface-number2 ] }
&<1-10>

The authorization state of the interface is configured.

● In the interface view:
1. Run interface interface-type interface-number
The interface view is displayed.
2. Run dot1x port-control { auto | authorized-force | unauthorized-force }
The authorization state of the interface is configured.

By default, the authorization state of an interface is auto.

----End

3.7.3 (Optional) Configuring the Access Control Mode of an Interface

Context
Context
After 802.1X authentication is enabled, the device supports two access control
modes of an interface:
● Interface-based mode: After the first user of the interface passes the
authentication, other access users can access the network without being
authenticated. However, when the authenticated user goes offline, other users
can no longer access the network. The authentication scheme is applicable to
group users.
● MAC address-based mode: All users of the interface must be authenticated.
When a user goes offline, other users can still access the network. The
authentication mode is applicable to individual users.
NOTE

When 802.1X authentication users are online, you cannot change the access control mode
of an interface.
When MAC address-based access control is used in 802.1X authentication, ensure that the
interface type is hybrid when you configure the authorization VLAN.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure the access control mode of an interface in the system or interface view.
● In the system view:
1. Run dot1x port-method { mac | port } interface { interface-type interface-
number1 [ to interface-number2 ] } &<1-10>
The access control mode of the interface is configured.
● In the interface view:
1. Run interface interface-type interface-number
The interface view is displayed.
2. Run dot1x port-method { mac | port }
The access control mode of the interface is configured.

By default, an interface uses the MAC address-based mode.

----End

3.7.4 (Optional) Configuring Methods Used to Process Authentication Packets

Context
Context
In 802.1X authentication, EAP authentication packets can be processed in EAP termination or EAP relay mode. In EAP termination mode, either PAP or CHAP can be used. CHAP is more secure than PAP.

If the authentication server has a high processing capability and can parse a large number of EAP packets, EAP relay mode is recommended. If the authentication server has a low processing capability and cannot parse a large number of EAP packets, EAP termination mode is recommended: the device parses the EAP packets on behalf of the authentication server.

When the authentication packet processing method is configured, ensure that the client and server both support this method; otherwise, users cannot pass authentication.

NOTE

● The authentication mode can be set to EAP relay for 802.1X authentication users only
when the RADIUS authentication is used.
● If the 802.1X client uses the MD5 encryption mode, the user authentication mode on
the device can be set to EAP or CHAP; if the 802.1X client uses the PEAP authentication
mode, the authentication mode on the device can be set to EAP.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure the authentication mode for 802.1X users in the system view or interface view.
● In the system view:
Run the dot1x authentication-method { chap | eap | pap } command to set
the authentication mode for 802.1X users.
● In the interface view:
a. Run the interface interface-type interface-number command to enter the
interface view.
b. Run the dot1x authentication-method { chap | eap | pap } command to
set the authentication mode for 802.1X users.
By default, the global 802.1X user authentication mode is CHAP authentication
and the 802.1X user authentication mode on interfaces is the same as the mode
globally configured.

----End
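The following Python model, added here as an illustration and not part of Huawei's implementation, shows what an EAP-terminating access device hands to the AAA server in CHAP mode versus PAP mode: the CHAP case carries only an MD5 challenge/response (RFC 1994, RFC 3748), while the PAP case carries the password itself, hidden only by the RFC 2865 shared-secret scheme. The user name, password, shared secret, challenge and Request Authenticator values are constructed, and how the device obtains the plaintext password in PAP mode is an assumption, since the page does not detail that step.

```python
"""Added example (not Huawei code): what an EAP-terminating access device hands to
the AAA server in CHAP mode versus PAP mode. All credential values are constructed."""
import hashlib
import secrets


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5-Challenge / CHAP response value (RFC 3748 5.4, RFC 1994):
    MD5(Identifier || password || Challenge). The password itself never leaves the client."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def server_verify_chap(identifier: int, stored_password: bytes,
                       challenge: bytes, response: bytes) -> bool:
    """AAA server side of CHAP: recompute the response from the stored password and
    compare in constant time. The server can verify the password but never sees it."""
    expected = eap_md5_response(identifier, stored_password, challenge)
    return secrets.compare_digest(expected, response)


def hide_user_password(password: bytes, shared_secret: bytes,
                       request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding used for PAP: each 16-octet block of the
    NUL-padded password is XORed with MD5(shared_secret || previous block), where the
    first 'previous block' is the 16-octet Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def unhide_user_password(hidden: bytes, shared_secret: bytes,
                         request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password: anyone holding the shared secret recovers the
    password (NUL padding stripped), which is why PAP is the weaker choice."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return plain.rstrip(b"\x00")


def terminate_eap(username: str, password: bytes, method: str, *, challenge: bytes,
                  identifier: int = 1, shared_secret: bytes = b"radius-secret-CONSTRUCTED",
                  request_authenticator: bytes = bytes(16)) -> dict:
    """Model of the access device in EAP termination mode: it completes the EAP exchange
    with the client itself and builds the RADIUS Access-Request attributes.
    'challenge' is the 16-octet MD5 challenge the device sent to the client."""
    if method == "chap":
        # The client computes this value and returns it in EAP-Response/MD5-Challenge.
        response = eap_md5_response(identifier, password, challenge)
        return {
            "User-Name": username,
            # RFC 2865 5.3: CHAP identifier followed by the 16-octet response
            "CHAP-Password": bytes([identifier]) + response,
            "CHAP-Challenge": challenge,
        }
    if method == "pap":
        # Assumption: in PAP mode the device holds the client's plaintext password after
        # terminating EAP (the page does not detail this step).
        return {
            "User-Name": username,
            "User-Password": hide_user_password(password, shared_secret,
                                                request_authenticator),
        }
    raise ValueError("method must be 'chap' or 'pap'")


if __name__ == "__main__":
    ch = secrets.token_bytes(16)  # constructed challenge
    chap = terminate_eap("user1", b"Huawei@123", "chap", challenge=ch, identifier=7)
    pap = terminate_eap("user1", b"Huawei@123", "pap", challenge=ch)
    show = lambda d: {k: v.hex() if isinstance(v, bytes) else v for k, v in d.items()}
    print("CHAP attributes:", show(chap))
    print("PAP attributes:", show(pap))
    print("server verifies CHAP:",
          server_verify_chap(7, b"Huawei@123", ch, chap["CHAP-Password"][1:]))
```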


3.7.5 (Optional) Enabling MAC Address Bypass Authentication

Context
You can enable MAC address bypass authentication for terminals (such as printers) on which the 802.1X client software cannot be installed or used. After MAC address bypass authentication is configured, the device performs 802.1X authentication and starts the delay timer for MAC address bypass authentication. If 802.1X authentication has failed by the time the delay timer expires, the device starts the MAC address authentication process for the user.

If such terminals require fast authentication, you can configure MAC address authentication to be performed first on an interface where MAC address bypass authentication is enabled. The device then starts the MAC address authentication process first and triggers 802.1X authentication only if MAC address authentication fails.

NOTE

After MAC address bypass authentication is configured on the interface where 802.1X
authentication is not enabled, 802.1X authentication is enabled on the interface.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Enable MAC address bypass authentication on the interface in the system view or
interface view.
● In the system view:
1. Run dot1x mac-bypass interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10>
MAC address bypass authentication is enabled on the interface.
By default, MAC address bypass authentication is disabled on an interface.

NOTE

You can run the dot1x mac-bypass access-port all command to enable MAC address
bypass authentication on all downlink interfaces of the device.
2. (Optional) Run dot1x mac-bypass mac-auth-first interface { interface-type
interface-number1 [ to interface-number2 ] } &<1-10>
MAC address authentication is performed first during MAC address bypass
authentication.
By default, MAC address authentication is not performed first during MAC
address bypass authentication.
● In the interface view:
1. Run interface interface-type interface-number
The interface view is displayed.

2. Run dot1x mac-bypass
MAC address bypass authentication is enabled on the interface.
By default, MAC address bypass authentication is disabled on an interface.
3. (Optional) Run dot1x mac-bypass mac-auth-first
MAC address authentication is performed first during MAC address bypass authentication.
By default, MAC address authentication is not performed first during MAC address bypass authentication.
4. Run quit
The system view is displayed.

NOTE

802.1X authentication is disabled on the interface when MAC address bypass authentication is disabled on the interface using the undo dot1x mac-bypass command.

Step 3 Run dot1x timer mac-bypass-delay delay-time-value

The value of the delay timer for MAC address bypass authentication is set.

By default, the value of the delay timer for MAC address bypass authentication is
30s.

NOTE

If MAC address authentication is performed first during MAC address bypass authentication,
the delay timer does not take effect.

----End
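The sequence described in this section, as an added Python model rather than device code: a terminal without an 802.1X client is authenticated by MAC address only after the mac-bypass-delay timer (30 s by default) expires, unless mac-auth-first is configured, in which case MAC address authentication runs immediately and 802.1X is tried only on failure. The Terminal and PortConfig classes, the AAA outcomes and the MAC addresses are constructed for the example.

```python
"""Added example (not Huawei code): order of 802.1X and MAC address authentication
under MAC address bypass, with and without mac-auth-first."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Terminal:
    mac: str
    has_dot1x_client: bool          # can the terminal answer EAP-Request/Identity at all?
    dot1x_credentials_ok: bool = False
    mac_registered: bool = False    # MAC known to the AAA server for MAC address authentication


@dataclass
class PortConfig:
    mac_bypass: bool = True         # dot1x mac-bypass
    mac_auth_first: bool = False    # dot1x mac-bypass mac-auth-first
    mac_bypass_delay: int = 30      # dot1x timer mac-bypass-delay, default 30 s


def try_dot1x(term: Terminal) -> Optional[bool]:
    """None: no EAP response at all (no client); True/False: 802.1X result (constructed)."""
    if not term.has_dot1x_client:
        return None
    return term.dot1x_credentials_ok


def try_mac_auth(term: Terminal) -> bool:
    """Constructed AAA answer to a MAC address authentication request."""
    return term.mac_registered


def authenticate(port: PortConfig, term: Terminal) -> Tuple[Optional[str], List[str]]:
    """Return (method that granted access or None, event log in seconds since link-up)."""
    log: List[str] = []
    if port.mac_bypass and port.mac_auth_first:
        # mac-auth-first: MAC address authentication runs first; the delay timer is not used.
        if try_mac_auth(term):
            log.append(f"t=0 MAC address authentication succeeded for {term.mac}")
            return "mac", log
        log.append(f"t=0 MAC address authentication failed for {term.mac}, triggering 802.1X")
        if try_dot1x(term):
            log.append("t=0 802.1X authentication succeeded")
            return "dot1x", log
        log.append("t=0 802.1X authentication did not succeed, access denied")
        return None, log

    # Default order: 802.1X first while the MAC bypass delay timer runs.
    result = try_dot1x(term)
    if result:
        log.append("t=0 802.1X authentication succeeded")
        return "dot1x", log
    log.append("t=0 " + ("802.1X authentication failed" if result is False
                         else "no response to EAP-Request/Identity"))
    if not port.mac_bypass:
        log.append("t=0 MAC address bypass not enabled, access denied")
        return None, log
    t = port.mac_bypass_delay
    log.append(f"t={t} delay timer expired, starting MAC address authentication")
    if try_mac_auth(term):
        log.append(f"t={t} MAC address authentication succeeded for {term.mac}")
        return "mac", log
    log.append(f"t={t} MAC address authentication failed, access denied")
    return None, log


if __name__ == "__main__":
    printer = Terminal("0011-2233-4455", has_dot1x_client=False, mac_registered=True)
    for cfg in (PortConfig(), PortConfig(mac_auth_first=True)):
        method, events = authenticate(cfg, printer)
        print(f"mac_auth_first={cfg.mac_auth_first}: result={method}")
        for line in events:
            print("  ", line)
```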

3.7.6 (Optional) Setting the Maximum Number of Concurrent Access Users for 802.1X Authentication on an Interface

Context
The administrator can set the maximum number of concurrent access users for
802.1X authentication on the interface. When the number of access users reaches
the maximum number allowed, new users for 802.1X authentication cannot access
networks through the interface.
NOTE

● If the number of current online users on an interface has exceeded the maximum
number, online users are not affected but new access users are limited.
● This function is effective only when the MAC address-based access mode is configured
on the interface. When the interface-based access mode is configured on the interface,
the maximum number of concurrent access users on the interface is automatically set
to 1. In this case, after one user is authenticated on the interface, other users can go
online without being authenticated.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Set the maximum number of concurrent access users on an interface in the
system or interface view.
● In the system view:
1. Run dot1x max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
The maximum number of concurrent access users is set for 802.1X authentication on the interface.
● In the interface view:
1. Run interface interface-type interface-number
The interface view is displayed.
2. Run dot1x max-user user-number
The maximum number of concurrent access users is set for 802.1X authentication on the interface.

By default, the number of 802.1X authentication users is the maximum number of 802.1X authentication users supported by the device.

----End
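The interaction between dot1x port-control (3.7.2), dot1x port-method (3.7.3) and dot1x max-user (3.7.6), as an added Python model rather than device code: it decides whether a user may go online and whether a frame from a given MAC passes the interface. The Dot1xInterface class and the MAC labels are constructed, and max_user defaults to a small constructed value so that the limit is visible.

```python
"""Added example (not Huawei code): access decisions on one 802.1X interface as a
function of port-control, port-method and max-user."""
from dataclasses import dataclass, field
from typing import Set


@dataclass
class Dot1xInterface:
    port_control: str = "auto"   # dot1x port-control: auto | authorized-force | unauthorized-force
    port_method: str = "mac"     # dot1x port-method: mac | port
    max_user: int = 8            # dot1x max-user; constructed value (device default is its maximum)
    authenticated: Set[str] = field(default_factory=set)  # MACs that passed 802.1X here

    def effective_max_user(self) -> int:
        # Interface-based (port) mode forces the limit to 1 (note in 3.7.6).
        return 1 if self.port_method == "port" else self.max_user

    def authenticate(self, mac: str, credentials_ok: bool) -> bool:
        """A user attempts 802.1X on this interface. True if the user is online afterwards."""
        if self.port_control == "authorized-force":
            return True                  # always Authorized: no authentication needed
        if self.port_control == "unauthorized-force":
            return False                 # always Unauthorized: nobody gets in
        if mac in self.authenticated:
            return True                  # already online
        if len(self.authenticated) >= self.effective_max_user():
            return False                 # limit reached: new users rejected, online users unaffected
        if credentials_ok:
            self.authenticated.add(mac)
            return True
        return False

    def forwards(self, mac: str) -> bool:
        """Does a data frame from this MAC pass the interface right now?"""
        if self.port_control == "authorized-force":
            return True
        if self.port_control == "unauthorized-force":
            return False
        if self.port_method == "port":
            # Interface-based: one authenticated user opens the interface for everyone,
            # and it closes again for everyone when that user goes offline.
            return bool(self.authenticated)
        return mac in self.authenticated  # MAC-based: each user is judged on its own

    def go_offline(self, mac: str) -> None:
        self.authenticated.discard(mac)


if __name__ == "__main__":
    for method in ("mac", "port"):
        itf = Dot1xInterface(port_method=method)
        itf.authenticate("A", True)
        print(f"port-method {method}: B forwards without auth -> {itf.forwards('B')}")
        itf.go_offline("A")
        print(f"port-method {method}: after A goes offline, B forwards -> {itf.forwards('B')}")
```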

3.7.7 (Optional) Configuring the Forcible Domain for 802.1X Authentication Users

Prerequisites
A domain has been created using the domain command.

Context
During authentication, if the user name entered by a user does not contain a
domain name, the user will be authenticated in the default domain; if the user
name contains a domain name, the user will be authenticated in the specified
domain.

If the user names entered by many users do not contain domain names, all of these users are authenticated in the default domain, which makes the authentication scheme inflexible. Similarly, if all users on an interface need to use the same AAA scheme but some of them enter user names with domain names and others do not, the device cannot meet this requirement. To address these issues, you can configure a forcible domain. All users on the interface are then authenticated in the forcible domain, regardless of whether their user names contain domain names.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The interface view is displayed.

Step 3 Run dot1x domain domain-name

The forcible domain for 802.1X authentication users is configured.

By default, no forcible domain is configured for 802.1X authentication users.

----End

3.7.8 (Optional) Setting the Source Address of Offline Detection Packets

Context
The device sends an ARP probe packet to check the user online status. If the user
does not respond within a detection period, the device considers that the user is
offline.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Set the source address of offline detection packets.
● Run access-user arp-detect default ip-address ip-address
The default source IP address of offline detection packets is set.
By default, the default source IP address of offline detection packets is 0.0.0.0.
● Run access-user arp-detect vlan vlan-id ip-address ip-address mac-address
mac-address
The source IP address and source MAC address are specified for offline
detection packets in a VLAN.
By default, the source IP address and source MAC address are not specified for
offline detection packets in a VLAN.
You are advised to set the user gateway IP address and its corresponding MAC
address as the source IP address and source MAC address of offline detection
packets.
● Run access-user arp-detect fallback ip-address { mask | mask-length }
The IP address required for calculating the source address of offline detection
packets is configured.
By default, no IP address is configured for the device to calculate the source
address of offline detection packets.

NOTE

The following source IP addresses used in offline detection packets are listed in descending
order of priority:
1. IP address and MAC address of the VLANIF interface corresponding to the VLAN that users
belong to and on the same network segment as users
2. Source IP address specified using the access-user arp-detect vlan vlan-id ip-address ip-
address mac-address mac-address command for offline detection packets in a specified
VLAN
3. Source IP address calculated based on the IP address specified using the access-user arp-
detect fallback ip-address { mask | mask-length } command
4. Default source IP address specified using the access-user arp-detect default ip-address ip-
address command for offline detection packets.

Step 3 Run access-user arp-detect delay delay

The delay for sending offline detection packets is configured.

By default, the delay in sending offline detection packets is 10 seconds.

----End

3.7.9 (Optional) Configuring Timers for 802.1X Authentication

Context
During 802.1X authentication, multiple timers implement systematic interactions between access users, access devices, and the authentication server. You can change the values of the timers by running the dot1x timer command to adjust the interaction process. This is necessary only in special network environments; it is recommended that you retain the default settings of the timers. You can configure the following types of timers in 802.1X authentication:
● Client timeout timer (client-timeout): After sending an EAP-Request/MD5-
Challenge request packet to the client, the device starts this timer. If the client
does not respond within the period set by the timer, the device retransmits
the packet.
● Authentication request timeout timer (tx-period): This timer defines two
intervals. After sending an EAP-Request/Identity request packet to the client,
the device starts the timer. If the client does not respond within the first
interval set by the timer, the device retransmits the authentication request
packet. The device multicasts the EAP-Request/Identity request packet at the
second interval to detect the client that does not actively send the EAPoL-
Start connection request packet for compatibility. The timer defines the
interval for sending the multicast packet.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dot1x timer { client-timeout client-timeout-value | tx-period tx-period-
value }
The 802.1X timers are configured.

By default, client-timeout is set to 5 seconds; tx-period is set to 30 seconds.

NOTE

The client timeout timer and the authentication request timeout timer are enabled by
default.

----End

3.7.10 (Optional) Configuring the Quiet Function in 802.1X Authentication

Context
After the quiet function is enabled, when the number of times that a user fails
802.1X authentication reaches the configured maximum, the device quiets the
user: during the quiet period, the device discards the 802.1X authentication
requests from that user. This prevents frequent authentication attempts from a
single user from affecting the system.

NOTE

When the number of quiet entries reaches the maximum number, the device does not allow
new users who are not in the quiet table to access the network.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run dot1x quiet-period

The quiet function is enabled.

By default, the quiet function is enabled.

Step 3 (Optional) Run dot1x quiet-times fail-times

The maximum number of authentication failures within 60 seconds before the
device quiets the 802.1X authentication user is configured.

By default, an 802.1X user enters the quiet state after ten authentication failures
within 60 seconds.

Step 4 (Optional) Run dot1x timer quiet-period quiet-period-value

The quiet timer is set.

By default, the quiet timer is 60 seconds.

----End
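The quiet-function behaviour described above (failures counted within a 60-second window, a quiet entry that expires after the quiet timer, and the full-table restriction from the NOTE), modelled as an added Python illustration rather than switch code; the quiet-table capacity (max_entries) is an assumed parameter because the page does not give the platform limit, and the MAC address and timestamps are constructed.

```python
from collections import defaultdict, deque


class QuietFunction:
    """Per-MAC model of dot1x quiet-period / dot1x quiet-times / dot1x timer quiet-period."""

    def __init__(self, fail_times=10, window=60, quiet_period=60, max_entries=None):
        # Defaults mirror the page: 10 failures within 60 seconds, 60-second quiet timer.
        # max_entries is an assumed stand-in for the platform's quiet-table capacity.
        self.fail_times = fail_times
        self.window = window
        self.quiet_period = quiet_period
        self.max_entries = max_entries
        self._failures = defaultdict(deque)   # mac -> timestamps of recent failures
        self._quiet_until = {}                # mac -> time at which its quiet entry expires

    def _expire(self, now):
        for mac in [m for m, t in self._quiet_until.items() if t <= now]:
            del self._quiet_until[mac]

    def accepts_request(self, mac, now):
        """True if an 802.1X authentication request from mac is processed at time now."""
        self._expire(now)
        if mac in self._quiet_until:
            return False   # quiet period running: the request is discarded
        if self.max_entries is not None and len(self._quiet_until) >= self.max_entries:
            return False   # quiet table full: users not in the table are not admitted
        return True

    def record_failure(self, mac, now):
        """Record an authentication failure; return True if mac has just been quieted."""
        self._expire(now)
        recent = self._failures[mac]
        recent.append(now)
        while recent and recent[0] <= now - self.window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.fail_times:
            self._quiet_until[mac] = now + self.quiet_period
            recent.clear()
            return True
        return False

    def quiet_entries(self):
        return dict(self._quiet_until)


def replay(events, **kwargs):
    """Replay constructed (time, mac, event) tuples and return the device's decisions.

    event is "request" (client sends an authentication request) or "fail"
    (the authentication server rejects the attempt)."""
    q = QuietFunction(**kwargs)
    decisions = []
    for t, mac, event in events:
        if event == "request":
            decisions.append((t, mac, "processed" if q.accepts_request(mac, t) else "discarded"))
        else:
            decisions.append((t, mac, "quieted" if q.record_failure(mac, t) else "failed"))
    return decisions


# Constructed sample: one client fails ten times within a minute, then retries twice.
SAMPLE_EVENTS = [(i * 3, "00:50:56:3a:1b:2c", "fail") for i in range(10)] + [
    (40, "00:50:56:3a:1b:2c", "request"),   # inside the quiet period -> discarded
    (100, "00:50:56:3a:1b:2c", "request"),  # quiet entry expired -> processed again
]

if __name__ == "__main__":
    for row in replay(SAMPLE_EVENTS):
        print(row)
```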

3.7.11 (Optional) Configuring Re-authentication for 802.1X Authentication Users

Context
If the administrator modifies user information on the authentication server,
parameters such as the user access permission and authorization attribute are
changed. If a user has passed 802.1X authentication, you must re-authenticate the
user to ensure user validity.

After the user goes online, the device saves user authentication information. After
re-authentication is enabled for 802.1X authentication users, the device sends the
saved authentication information of the online user to the authentication server
for re-authentication. If the user's authentication information does not change on
the authentication server, the user is kept online. If the authentication information
has been changed, the user is logged out, and then re-authenticated according to
the changed authentication information.

You can configure re-authentication for 802.1X authentication users using either
of the following methods:
● Re-authenticate all online 802.1X authentication users on a specified interface
periodically.
● Re-authenticate an online 802.1X authentication user once with a specified
MAC address.

NOTE

If periodic 802.1X re-authentication is enabled, a large number of 802.1X authentication logs are
generated.

Procedure
● Configure periodic re-authentication for all online 802.1X authentication users
on a specified interface.
a. Run system-view
The system view is displayed.
b. Enable periodic re-authentication for all online 802.1X authentication
users on the specified interface in the system or interface view.
▪ In the system view:
i. Run dot1x reauthenticate interface { interface-type interface-
number1 [ to interface-number2 ] } &<1-10>
Periodic 802.1X re-authentication is enabled on the interface.
▪ In the interface view:
i. Run interface interface-type interface-number
The interface view is displayed.
ii. Run dot1x reauthenticate
Periodic 802.1X re-authentication is enabled on the interface.

iii. Run quit
The system view is displayed.
By default, periodic 802.1X re-authentication is disabled on an interface.
c. (Optional) Set the re-authentication interval for online 802.1X
authentication users in the system or interface view.
NOTE
Generally, the default re-authentication interval is recommended. If many ACL rules
need to be delivered during user authorization, disable re-authentication or increase
the re-authentication interval to improve device processing performance. When remote
authentication and authorization are used together with a short re-authentication
interval, the CPU usage may become high.
▪ In the system view:
i. Run the dot1x timer reauthenticate-period reauthenticate-period-
value command to set the re-authentication interval for online
802.1X authentication users.
▪ In the interface view:
i. Run the interface interface-type interface-number command to
enter the interface view.
ii. Run the dot1x timer reauthenticate-period reauthenticate-period-
value command to set the re-authentication interval for online
802.1X authentication users.
iii. Run the quit command to return to the system view.
By default, the device re-authenticates online 802.1X authentication users
at an interval of 3600 seconds.
● Configure re-authentication for an online 802.1X authentication user with a
specified MAC address.
a. Run system-view
The system view is displayed.
b. Run dot1x reauthenticate mac-address mac-address
Re-authentication is enabled for the online 802.1X authentication user
with the specified MAC address.
By default, re-authentication for the online 802.1X authentication user
with a specified MAC address is disabled.
----End

3.7.12 (Optional) Configuring the Handshake Function for 802.1X Online Users
Context
You can configure the handshake function for online users so that the device can
verify in real time that the users are still online. The device sends a handshake
request packet at intervals to online users who have passed authentication. If a
user does not respond to the handshake packet after the maximum number of
retransmissions, the device disconnects the user.
If the 802.1X client cannot exchange handshake packets with the device, the
device receives no handshake response packet within the handshake period. In
that case, disable the handshake function for online users to prevent the device
from incorrectly disconnecting them.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dot1x handshake
The handshake function is enabled for 802.1X online users.
By default, the handshake function is disabled for 802.1X online users.
Step 3 (Optional) Run dot1x handshake packet-type { request-identity | srp-sha1-
part2 }
The type of 802.1X authentication handshake packets is set.
By default, the type of 802.1X authentication handshake packets is request-
identity.
Step 4 (Optional) Configure the interval at which the device handshakes with 802.1X
online users.
● Run dot1x timer handshake-period handshake-period-value
The interval at which the device handshakes with 802.1X online users on non-
Eth-Trunk interfaces is set.
By default, the interval for sending handshake packets is 15 seconds.
● Run dot1x timer eth-trunk-access handshake-period handshake-period-
value
The interval at which the device handshakes with 802.1X online users on Eth-
Trunk interfaces is set.
By default, the interval for sending handshake packets is 120 seconds.
Step 5 (Optional) Run dot1x retry max-retry-value
The number of times for resending a handshake packet is configured.
By default, a handshake packet can be resent twice.

----End

3.7.13 (Optional) Configuring the Device to Send EAP Packets with a Code Number to 802.1X Users
Context
When a non-Huawei device used as the RADIUS server sends the device RADIUS
packets carrying attribute 61 with EAP packet code number 0xa (hexadecimal
notation, 10 in decimal notation) and data type 0x19 (hexadecimal notation, 25 in
decimal notation), run the dot1x eap-notify-packet command on the device so
that the device can send EAP packets with code number 0xa and data type 0x19
to users. If the dot1x eap-notify-packet command is not executed, the device
does not process EAP packets of this type and users may be disconnected.
Perform this configuration if the device connects to an H3C iMC RADIUS server.
For other precautions about interoperability between the device and an H3C iMC
RADIUS server, see 1.14.1 What Should I Be Aware of When Connecting the
Device to an H3C iMC RADIUS Server?.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dot1x eap-notify-packet eap-code code-number data-type type-number
The device is configured to send EAP packets with a code number to 802.1X users.
By default, the device does not send EAP packets with a code number to 802.1X
users.

NOTE

If an H3C iMC functions as the RADIUS server, run the dot1x eap-notify-packet eap-code 10
data-type 25 command on the device.

----End

3.7.14 (Optional) Configuring the Guest VLAN Function


Context
After the guest VLAN function is enabled, the device allows users to access
resources in the Guest VLAN without 802.1X authentication. For example, the
users can obtain the client software, upgrade the client, or run other upgrade
programs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure the guest VLAN function in the system or interface view.
● In the system view:
1. Run authentication guest-vlan vlan-id interface { interface-type interface-
number1 [ to interface-number2 ] } &<1-10>
The guest VLAN to which the interface is added is configured.
● In the interface view:
1. Run interface interface-type interface-number
The interface view is displayed.

2. Run authentication guest-vlan vlan-id
The guest VLAN to which the interface is added is configured.
By default, an interface is not added to the guest VLAN.

NOTE

● The guest VLAN function can take effect only in 802.1X and MAC address
authentication.
● A super VLAN cannot be configured as a guest VLAN.
● When free IP subnets are configured, the guest VLAN function becomes invalid
immediately.
● The guest VLAN function takes effect only when a user sends untagged packets to the
device.
● Different interfaces can be configured with different guest VLANs. After a guest VLAN is
configured on an interface, the guest VLAN cannot be deleted.
● To make the VLAN authorization function take effect, the link type and access control
mode of the authentication interface must meet the following requirements:
– When the link type is hybrid in untagged mode, the access control mode can be
based on the MAC address or interface.
– When the link type is access or trunk, the access control mode can only be based
on the interface.

----End

3.7.15 (Optional) Configuring the Restrict VLAN Function


Context
You can configure the restrict VLAN function on a device interface so that users
who fail authentication can still access some network resources (for example, to
update the virus library). Users are added to the restrict VLAN when they fail
authentication and can then access resources in that VLAN. Failure in this
instance means that the authentication server rejected the user for some reason
(for example, the user entered an incorrect password), not that the authentication
timed out or the network was disconnected.
Similar to the guest VLAN, the restrict VLAN allows users to access limited
network resources before passing 802.1X authentication. Generally, fewer network
resources are deployed in the restrict VLAN than in the guest VLAN; therefore, the
restrict VLAN limits access to network resources from unauthenticated users more
strictly.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure the restrict VLAN function in the system or interface view.
● In the system view:
1. Run authentication restrict-vlan vlan-id interface { interface-type interface-
number1 [ to interface-number2 ] } &<1-10>

A restrict VLAN to which the interface is added is configured.
● In the interface view:
1. Run interface interface-type interface-number
The interface view is displayed.
2. Run authentication restrict-vlan vlan-id
A restrict VLAN where the interface is added is configured.
By default, an interface is not added to the restrict VLAN.

NOTE

● A super VLAN cannot be configured as a restrict VLAN.
● When free IP subnets are configured, the restrict VLAN function becomes invalid
immediately.
● The restrict VLAN function takes effect only when a user sends untagged packets to the
device.
● To make the VLAN authorization function take effect, the link type and access control
mode of the authentication interface must meet the following requirements:
– When the link type is hybrid in untagged mode, the access control mode can be
based on the MAC address or interface.
– When the link type is access or trunk, the access control mode can only be based
on the interface.

----End

3.7.16 (Optional) Configuring the Critical VLAN Function


Context
During 802.1X authentication, when the access device is disconnected from the
authentication server or the authentication server fails, the authentication process
in the network is interrupted. In this case, the user fails authentication.
Meanwhile, the user cannot be added to and access resources in the guest and
restrict VLANs. After the critical VLAN function is configured, when the access
device is disconnected from the authentication server or the authentication server
fails, the 802.1X authentication users are added to the critical VLAN, and can then
access resources in the critical VLAN.
NOTE

If a free-ip function is configured, the critical VLAN in 802.1X authentication expires
immediately.
The critical VLAN function can take effect only on hybrid or access interfaces that are
added to VLANs in untagged mode. The critical VLAN function cannot take effect on the
interfaces of other types.

You can configure the critical VLAN function of 802.1X authentication in the
system or interface view.

Procedure
● In the system view:
a. Run system-view
The system view is displayed.
b. Run authentication critical-vlan vlan-id interface { interface-type
interface-number1 [ to interface-number2 ] } &<1-10>
The critical VLAN to which the interface is added is configured.
By default, an interface is not added to the critical VLAN.
c. Run authentication critical eapol-success interface { interface-type
interface-number1 [ to interface-number2 ] } &<1-10>
The function of replying an EAPoL-Success packet to the user after the
user is added to the critical VLAN is configured.
By default, an EAPoL-Fail packet is sent to a user after the user is added
to the critical VLAN.
d. Run authentication max-reauth-req times interface { interface-type
interface-number1 [ to interface-number2 ] } &<1-10>
The maximum number of re-authentication attempts for users in the
critical VLAN is set.
By default, the maximum number of re-authentication attempts for users
in the critical VLAN is 20.
● In the interface view:
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run authentication critical-vlan vlan-id
The critical VLAN to which the interface is added is configured.
By default, an interface is not added to the critical VLAN.
d. Run authentication critical eapol-success
The function of replying an EAPoL-Success packet to the user after the
user is added to the critical VLAN is configured.
By default, an EAPoL-Fail packet is sent to a user after the user is added
to the critical VLAN.
e. Run authentication max-reauth-req times
The maximum number of re-authentication attempts for users in the
critical VLAN is set.
By default, the maximum number of re-authentication attempts for users
in the critical VLAN is 20.

----End

3.7.17 (Optional) Configuring Network Access Rights for Users in Different Authentication Stages

Context
To grant users rights to access certain network resources during access
authentication, you can configure network access rights for users.

● pre-authen: specifies the network access rights granted to users before
authentication starts.
● authen-fail: specifies the network access rights granted to users when
authentication fails.
● authen-server-down: specifies the network access rights granted to users
when the authentication server does not respond.
● client-no-response: specifies the network access rights granted to users when
the 802.1X client does not respond.
NOTE
The priority of authentication event on the interface is higher than the priority of
authentication event in the system view, and higher than the priority of guest VLAN, restrict
VLAN, or critical VLAN.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Configure network access rights for users in the system view or interface view.

● In the system view:
Run the authentication event { pre-authen | authen-fail | authen-server-down |
client-no-response } { vlan vlan-id | user-group group-name } command to
configure the network access rights in different authentication stages.
By default, no network access right is granted to users in different
authentication stages.
● In the interface view:
1. Run the interface interface-type interface-number command to enter the
interface view.
2. Run the authentication event { pre-authen | authen-fail | authen-server-down |
client-no-response } { vlan vlan-id | user-group group-name } command to
configure the network access rights in different authentication stages.
3. Run the quit command to return to the system view.
By default, no network access right is granted to users in different
authentication stages.

Step 3 (Optional) Set the timeout period of the network access rights granted to users in
different authentication stages. The configuration can be performed in the system
view or interface view.
● In the system view:
Run the authentication event { pre-authen | authen-fail | authen-server-down |
client-no-response } session-timeout session-time command to set the timeout
period of the network access rights granted to users in different authentication
stages.
By default, the timeout period of the network access rights granted to users is
15 minutes.
● In the interface view:
1. Run the interface interface-type interface-number command to enter the
Layer 2 physical interface view.
2. Run the authentication event { pre-authen | authen-fail | authen-server-down |
client-no-response } session-timeout session-time command to set the timeout
period of the network access rights granted to users in different authentication
stages.
By default, the timeout period of the network access rights granted to users is
15 minutes.
3. Run the quit command to return to the system view.

Step 4 (Optional) Configure the device to return an authentication failure packet when a
user fails in authentication or the authentication server does not respond. The
configuration can be performed in the system view or interface view.
● In the system view:
Run the authentication event { authen-fail | authen-server-down } response-fail
command to configure the device to return an authentication failure packet when
a user fails in authentication or the authentication server does not respond.
By default, the device returns an authentication success packet when a user fails
in authentication or the authentication server does not respond.
● In the interface view:
1. Run the interface interface-type interface-number command to enter the
Layer 2 physical interface view.
2. Run the authentication event { authen-fail | authen-server-down } response-fail
command to configure the device to return an authentication failure packet when
a user fails in authentication or the authentication server does not respond.
By default, the device returns an authentication success packet when a user fails
in authentication or the authentication server does not respond.

Step 5 (Optional) Configure the interval for re-authenticating users before the
authentication succeeds.

The device periodically re-authenticates the pre-connection users and the users
who fail to be authenticated so that the users can be authenticated in a timely
manner. You can configure the re-authentication interval according to the actual
networking.

● Pre-connection users: Run the authentication timer re-authen pre-authen
reauth-time command to configure the interval for re-authenticating pre-
connection users.
By default, pre-connection users are re-authenticated at an interval of 60
seconds.
● Users who fail authentication: Run the authentication timer re-authen
authen-fail reauth-time command to configure the interval for re-authenticating
users who fail to be authenticated.
By default, users who fail to be authenticated are re-authenticated at an interval
of 60 seconds.

----End

3.7.18 (Optional) Configuring Terminal Type Awareness


Context
A device usually connects to many types of terminals. You may need to assign
different network access rights or packet processing priorities to the terminals of
different types. For example, the voice devices, such as IP phones, should be
assigned a high packet processing priority because voice signals require low delay
and jitter.
Using the terminal type awareness function, the device can obtain terminal types
and send them to the authentication server. The authentication server then
controls network access rights and policies, such as packet processing priorities,
based on the user terminal types.
After enabling any NAC authentication mode, the device can obtain user terminal
types in either of the following modes:
● DHCP option field mode: The device parses the required option field
containing terminal type information from the received DHCP request
packets. The device then sends the option field information to the RADIUS
server through a RADIUS accounting packet. Before selecting the DHCP option
field mode, you must enable the DHCP snooping function on the device. For
details, see Enabling DHCP Snooping in "DHCP Snooping Configuration" in
the S300, S500, S2700, S5700, and S6700 V200R020C10 Configuration Guide -
Security.
● LLDP TLV type mode: The device parses the required TLV type containing
terminal type information from the received LLDPDUs. The device
encapsulates the TLV type information into the Huawei proprietary attribute
163 HW-LLDP in RADIUS accounting packets and sends the packets to the
RADIUS server. Before selecting the LLDP TLV type mode, you must enable the
LLDP function on the device and the connected peer device. For details, see
"Enabling LLDP" in "LLDP Configuration" in the S300, S500, S2700, S5700,
and S6700 V200R020C10 Configuration Guide - Network Management
Configuration.

NOTE

The terminal type awareness function takes effect only when the authentication or
accounting mode in the AAA scheme is RADIUS.
The terminal type awareness function only provides the access device with a method of
obtaining user terminal types; it does not itself assign network access policies to the
terminals. The administrator configures the network access policies for terminals of
different types on the RADIUS server.

Procedure
● In the DHCP option field mode
a. Run the system-view command to enter the system view.
b. Run the device-sensor dhcp option option-code &<1-6> command to
enable the terminal type awareness function based on the DHCP option
field.
By default, the terminal type awareness function based on the DHCP
option field is disabled.
● In the LLDP TLV type mode
a. Run the system-view command to enter the system view.
b. Run the device-sensor lldp tlv tlv-type &<1-4> command to enable the
LLDP-based terminal type awareness function.
By default, the LLDP-based terminal type awareness function is disabled.

----End
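As an added illustration of the two sources above (example code, not Huawei's implementation), the following Python parses a DHCP request and an LLDPDU the way the device-sensor commands select fields: only the configured DHCP option codes or LLDP TLV types are kept for reporting. Both packets are constructed samples, and the chosen option codes (60 and 55) and TLV types (5 and 6) are assumptions for the demonstration.

```python
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
LLDP_ETHERTYPE = 0x88CC


def parse_dhcp_options(packet):
    """Return {option_code: value} from a BOOTP/DHCP packet (RFC 2132 option layout)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                      # pad option, single byte
            i += 1
            continue
        if code == 255:                    # end option
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return options


def parse_lldp_tlvs(frame):
    """Return [(tlv_type, value)] from an Ethernet frame carrying an LLDPDU."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    tlvs, i = [], 14
    while i + 2 <= len(frame):
        header = struct.unpack("!H", frame[i:i + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF   # 7-bit type, 9-bit length
        if tlv_type == 0:                  # End of LLDPDU TLV
            break
        value = frame[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV type %d" % tlv_type)
        tlvs.append((tlv_type, value))
        i += 2 + length
    return tlvs


def dhcp_sensor(packet, option_codes):
    """Keep only the option codes a 'device-sensor dhcp option ...' line would select."""
    found = parse_dhcp_options(packet)
    return {c: found[c] for c in option_codes if c in found}


def lldp_sensor(frame, tlv_types):
    """Keep only the TLV types a 'device-sensor lldp tlv ...' line would select."""
    return {t: v for t, v in parse_lldp_tlvs(frame) if t in tlv_types}


# ---- constructed sample packets (not captures) ----
PHONE_MAC = bytes.fromhex("0050563a1b2c")

SAMPLE_DHCP = (
    bytes([1, 1, 6, 0])                     # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
    + b"\x12\x34\x56\x78"                   # xid
    + b"\x00" * 20                          # secs, flags, ciaddr, yiaddr, siaddr, giaddr
    + PHONE_MAC + b"\x00" * 10              # chaddr (16 bytes)
    + b"\x00" * 192                         # sname (64) + file (128)
    + DHCP_MAGIC_COOKIE
    + bytes([53, 1, 1])                     # option 53: DHCP Discover
    + bytes([60, 15]) + b"IPPhone-Example"  # option 60: vendor class identifier
    + bytes([55, 3, 1, 3, 6])               # option 55: parameter request list
    + b"\x00"                               # pad
    + bytes([255])                          # end
)


def _tlv(tlv_type, value):
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


SAMPLE_LLDP = (
    bytes.fromhex("0180c200000e") + PHONE_MAC + struct.pack("!H", LLDP_ETHERTYPE)
    + _tlv(1, b"\x04" + PHONE_MAC)          # Chassis ID, subtype 4 (MAC address)
    + _tlv(2, b"\x03" + PHONE_MAC)          # Port ID, subtype 3 (MAC address)
    + _tlv(3, struct.pack("!H", 120))       # Time To Live
    + _tlv(5, b"phone-3a1b2c")              # System Name
    + _tlv(6, b"Example IP phone")          # System Description
    + _tlv(0, b"")                          # End of LLDPDU
)

if __name__ == "__main__":
    print(dhcp_sensor(SAMPLE_DHCP, (60, 55)))
    print(lldp_sensor(SAMPLE_LLDP, (5, 6)))
```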

3.7.19 (Optional) Configuring the NAC Open Function in 802.1X Authentication
Context
When a new NAC network is set up, the network administrator needs to know the
number of potential access users and their authentication methods, so that user
names, passwords, and authorization information can be configured on the
authentication server, but does not yet need to control user access. However,
once 802.1X or MAC address authentication is configured on the access device,
only authenticated users can access the network, so the administrator cannot
obtain information about the users who do not yet have user names and
passwords on the authentication server.

The NAC open function allows users who fail authentication to access the
network.

Procedure
Step 1 Run system-view
The system view is displayed.


Step 2 Enable the NAC open function in the system view or in the interface view.
● In the system view:
1. Run authentication open interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10>
The NAC open function is enabled.
● In the interface view:
1. Run interface interface-type interface-number
The interface view is displayed.
2. Run authentication open
The NAC open function is enabled.
By default, the NAC open function is disabled on an interface.

----End

3.7.20 (Optional) Configuring 802.1X Authentication Triggered by a DHCP Packet
Context
In the 802.1X authentication network, if a user uses a built-in 802.1X client of a PC
operating system (such as Windows), the user cannot enter the user name and
password proactively to trigger authentication.
For such users, the administrator configures 802.1X authentication triggered by a
DHCP packet. After 802.1X authentication triggered by a DHCP packet is enabled,
the device triggers 802.1X authentication for a user upon receiving a DHCP packet
from the user. A built-in 802.1X authentication page of the operating system is
automatically displayed on the user terminal. The user enters the user name and
password for authentication.
802.1X authentication triggered by a DHCP packet also lets the user authenticate
with the operating system's built-in 802.1X client first. After being authenticated,
the user can access an 802.1X client download web page to download and install
the 802.1X client software, which facilitates fast network deployment.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dot1x dhcp-trigger
802.1X authentication triggered by a DHCP packet is enabled.
By default, 802.1X authentication triggered by a DHCP packet is disabled.

----End

3.7.21 (Optional) Enabling 802.1X Authentication Triggered by Unicast Packets
Context
On a network where 802.1X authentication is used, if a user uses a built-in 802.1X
client of a PC operating system (such as Windows XP), the user cannot enter the
user name and password to trigger authentication.
To solve the problem, enable 802.1X authentication triggered by unicast packets.
This function enables the device to send a unicast packet to respond to the
received ARP or DHCP Request packet. After the user PC receives the unicast
packet from the device, the built-in 802.1X authentication page is displayed. The
user then can enter the user name and password for authentication.
After 802.1X authentication triggered by unicast packets is enabled, users can use
built-in 802.1X clients for authentication. After being authenticated, users can
access the 802.1X client download web page to download and install 802.1X
client software, which facilitates fast network deployment.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Enable 802.1X authentication triggered by unicast packets in the system or
interface view.
● In the system view:
1. Run dot1x unicast-trigger interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10>
802.1X authentication triggered by unicast packets is enabled.
● In the interface view:
1. Run interface interface-type interface-number
The interface view is displayed.
2. Run dot1x unicast-trigger
802.1X authentication triggered by unicast packets is enabled.
By default, 802.1X authentication triggered by unicast packets is disabled.

----End

3.7.22 (Optional) Configuring 802.1X-based Fast Deployment


Context
On an 802.1X network, the administrator has a large amount of workload in
downloading and upgrading 802.1X client software for each client. The
authentication-free network access and URL redirection functions can be
configured to implement fast deployment of 802.1X clients.


Before a client passes 802.1X authentication, the client can access the network
resources in an authentication-free subnet if the subnet is configured. If a redirect
URL is configured for the 802.1X authentication user and the user accesses a
network with a browser, the device redirects the URL that the user attempts to
access to the configured URL (for example, to the 802.1X client download web
page). In this way, the web page preset by the administrator is displayed when the
user starts the browser. The server that provides the redirect URL must be in the
authentication-free IP subnet of the user.

NOTE

● The 802.1X-based fast deployment function needs to be configured only when the third-
party 802.1X client software is used.
● 802.1X authentication has been enabled globally and on an interface using the dot1x
enable command.
● To ensure that pre-connection users can be aged out normally, you need to run the dot1x
timer free-ip-timeout command to set the aging time of authentication-free user entries.
● After the free-ip function is configured, the guest VLAN, critical VLAN, and restrict VLAN are
no longer effective.
● The free IP subnet takes effect only when the interface authorization state is auto.
● If a user who does not pass 802.1X authentication wants to obtain an IP address dynamically
through the DHCP server, the network segment of the DHCP server needs to be configured
to a free IP subnet so that the user can access the DHCP server.
● After 802.1X users go offline, they are not allowed to access network resources on free IP
subnets within a specified period to prevent malicious attacks.
● After users succeed in 802.1X-based fast deployment, they can only access resources in the IP
free subnets and some resources on the device.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run dot1x free-ip ip-address { mask-length | mask-address }

An authentication-free IP subnet is configured.

By default, no authentication-free IP subnet is configured.

Step 3 Run dot1x timer free-ip-timeout free-ip-time-value

The aging time of authentication-free user entries is configured.

By default, the value of the aging time for authentication-free user entries is 1380
minutes.

Step 4 Run dot1x url url-string

The redirect URL in 802.1X authentication is configured.

By default, no redirect URL is configured in 802.1X authentication.

----End


3.7.23 (Optional) Configuring Static Users

Context
In network deployment, static IP addresses are assigned to dumb terminals such
as printers and servers. These users can be configured as static users for flexible
authentication.

After static users are configured, the device can use static user information such as
their IP addresses as the user names to authenticate the users only if one of the
802.1X authentication, MAC address authentication, and Portal authentication
modes is enabled on the interfaces connected to the static users.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run static-user start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ] [ domain-name domain-name | interface interface-type interface-number [ detect ] | mac-address mac-address | vlan vlan-id | keep-online ] *
The static user is configured.

By default, no static user is configured.

NOTE

Only Layer 2 Ethernet interfaces and Layer 2 Eth-Trunk interfaces can be configured as static
user interfaces. If an interface is added to an Eth-Trunk or switched to a Layer 3 interface, the
static user function does not take effect.
When the interface (interface interface-type interface-number) mapping static users is
specified, the VLAN (vlan vlan-id) that the interface belongs to must be configured.

Step 3 Run static-user username macaddress format { with-hyphen [ normal ] [ colon ] | without-hyphen } [ uppercase ] [ password-with-macaddress ]

The user name for authenticating a static user is set to a MAC address.

By default, the user name for authenticating a static user is not set to a MAC
address.

This command takes priority over the static-user username format-include { ip-
address | mac-address | system-name } command and static-user password
cipher password command.

Step 4 Run static-user username format-include { ip-address | mac-address | system-name }

The static user name for authentication is set.

By default, the name of a static user consists of system-name and ip-address.

Step 5 Run static-user password cipher password

The static user password for authentication is set.


By default, the password for a static user in authentication is not set.

----End

3.7.24 (Optional) Configuring Web Push


Context
When a user sends an HTTP/HTTPS packet to access a web page for the first time
after the user is successfully authenticated, the device forcibly redirects the user to
a specified web page. In addition to pushing advertisement pages, the device
obtains user terminal information through the HTTP/HTTPS packets sent by users,
and applies the information to other services. There are two ways to push web
pages:
1. URL: pushes the URL of the specified web page.
2. URL template: pushes a URL template. The URL template must have been
created and contains the URL of the pushed web page and URL parameters.
For the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H,
S6730-S, and S6730S-S, the forcible web page push function takes effect only for
the first HTTP or HTTPS packet sent from users. If an application that actively
sends HTTP or HTTPS packets is installed on a user terminal and the terminal has
sent HTTP or HTTPS packets before the user accesses a web page, the user is
unaware of the web page push process.
For switches except the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-
H, S6730S-H, S6730-S, and S6730S-S: The forcible web page push function takes
effect only when it is used together with a redirect ACL. If a redirect ACL exists in
the user table, a web page is forcibly pushed when HTTP or HTTPS packets from
users match the redirect ACL rule. Usually, you can configure the RADIUS server to
authorize the Huawei extended RADIUS attribute HW-Redirect-ACL or HW-IPv6-
Redirect-ACL to users for redirect ACL implementation, or run the redirect-acl
command to configure a redirect ACL.

Procedure
Step 1 Configure the URL template.
1. Run the system-view command to enter the system view.
2. Run the url-template name template-name command to create a URL
template and enter the URL template view.
By default, no URL template exists on the device.
3. Run the url [ push-only ] url-string command to configure the redirect URL
corresponding to the Portal server.
4. Run the url-parameter { redirect-url redirect-url-value | sysname sysname-
value | user-ipaddress user-ipaddress-value | user-mac user-mac-value |
login-url url-key url } * command to set the parameters carried in the URL.
By default, a URL does not carry parameters.
5. Run the url-parameter mac-address format delimiter delimiter { normal |
compact } command to set the MAC address format in the URL.
By default, the MAC address format in a URL is XXXXXXXXXXXX.


6. Run the parameter { start-mark parameter-value | assignment-mark parameter-value | isolate-mark parameter-value } * command to set the characters in the URL.
By default, the start character is ?, assignment character is =, and delimiter is
&.
7. Run the quit command to return to the system view.

NOTE

If web pages are pushed in URL mode, this step can be skipped.

Step 2 Configure the Web push function.


1. Run the aaa command to enter the AAA view.
2. Run the domain domain-name command to create an AAA domain and enter
the AAA domain view.
The device has two default domains: default and default_admin. The default
domain is used by common access users and the default_admin domain is
used by administrators.
3. Run the force-push { url-template template-name | url url-address }
command to enable the forcible URL template or URL push function.

----End
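As an added example (not part of this guide or the switch software), the following Python model shows how the settings made in the url-template view in Step 1 combine into the URL that is pushed to a user: the base URL, the url-parameter keys, the MAC address format and the start, assignment and delimiter characters. The percent-encoding of parameter values and the exact shapes of the normal and compact MAC formats are assumptions.

```python
"""Worked model of how the url-template view shapes a pushed URL.

Added example, not Huawei code: it reproduces the effect of the `url`,
`url-parameter`, `url-parameter mac-address format` and `parameter`
commands on the final string so an administrator can see what a user's
browser will receive. Percent-encoding of values and the meaning of the
normal/compact MAC styles are assumptions noted in the comments.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import quote


def format_mac(mac: str, delimiter: str = "", style: str = "compact") -> str:
    """Render a MAC as selected by `url-parameter mac-address format`.

    Without that command the device uses XXXXXXXXXXXX (documented default).
    With a delimiter, "normal" is taken to mean XX-XX-XX-XX-XX-XX and
    "compact" XXXX-XXXX-XXXX (assumed meanings of the two keywords).
    """
    digits = "".join(c for c in mac.lower() if c not in "-:.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    if not delimiter:
        return digits
    group = 2 if style == "normal" else 4
    return delimiter.join(digits[i:i + group] for i in range(0, 12, group))


@dataclass
class UrlTemplate:
    """Everything configured in one `url-template name <name>` view."""
    url: str                                    # url [ push-only ] url-string
    params: dict = field(default_factory=dict)  # url-parameter: attribute -> key
    login_url: Optional[tuple] = None           # login-url url-key url (optional)
    start_mark: str = "?"                       # parameter start-mark (default ?)
    assignment_mark: str = "="                  # parameter assignment-mark (default =)
    isolate_mark: str = "&"                     # parameter isolate-mark (default &)
    mac_delimiter: str = ""                     # url-parameter mac-address format
    mac_style: str = "compact"                  # normal | compact

    def render(self, user_ip: str, user_mac: str, sysname: str,
               redirect_url: str) -> str:
        """Build the URL pushed to a user whose first HTTP request was redirect_url."""
        values = {
            "user-ipaddress": user_ip,
            "user-mac": format_mac(user_mac, self.mac_delimiter, self.mac_style),
            "sysname": sysname,
            "redirect-url": redirect_url,
        }
        pairs = []
        for attribute, key in self.params.items():
            if attribute not in values:
                raise ValueError(f"unknown url-parameter attribute {attribute!r}")
            # Values are percent-encoded so the user's original URL cannot add
            # extra key=value pairs to the query (assumption about the device).
            pairs.append(f"{key}{self.assignment_mark}{quote(values[attribute], safe='')}")
        if self.login_url:
            key, fixed_url = self.login_url
            pairs.append(f"{key}{self.assignment_mark}{quote(fixed_url, safe='')}")
        if not pairs:
            return self.url                     # by default a URL carries no parameters
        return self.url + self.start_mark + self.isolate_mark.join(pairs)


if __name__ == "__main__":
    # Constructed sample: Portal server 10.1.1.5, user 192.168.10.20 opening example.com
    template = UrlTemplate(
        url="http://10.1.1.5/portal",
        params={"user-ipaddress": "userip", "user-mac": "usermac", "redirect-url": "url"},
        mac_delimiter="-", mac_style="normal")
    print(template.render("192.168.10.20", "00e0-fc12-3456", "SwitchA",
                          "http://www.example.com/index.html"))
```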

3.7.25 (Optional) Configuring the User Group Function


Context
In NAC applications, there are many access users, but user types are limited. You
can create user groups on the device and associate each user group to an ACL. In
this way, users in the same group share rules in the ACL.
After creating user groups, you can set priorities and VLANs for the user groups, so
that users in different user groups have different priorities and network access
rights. The administrator can then flexibly manage users.


NOTE

When the user group function is enabled on models except the S5731-H, S5731S-H, S5731-
S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI,
ACL rules are delivered to each user and the user group function cannot be used to save
ACL resources.
The priority of the user group authorization information delivered by the authentication
server is higher than that of the user group authorization information applied in the AAA
domain. If the user group authorization information delivered by the authentication server
cannot take effect, the user group authorization information applied in the AAA domain is
used. For example, if only user group B is configured on the device and the group
authorization information is applied in the AAA domain when the authentication server
delivers authorization information about user group A, the authorization information about
user group A cannot take effect and the authorization information about user group B is
used. To make the user group authorization information delivered by the authentication
server take effect, ensure that this user group is configured on the device.
If the authentication server authorizes multiple attributes to the device and the authorized
attributes overlap the existing configurations on the device, the attributes take effect based
on the minimum rule. For example, if the authentication server authorizes a VLAN and user
group to the device and the VLAN parameters are configured in the user group on the
device, the VLAN authorized by the authentication server takes effect.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run user-group group-name

A user group is created and the user group view is displayed.

Step 3 Run acl-id acl-number

An ACL is bound to the user group.

By default, no ACL is bound to a user group.

NOTE

Before running this command, ensure that the ACL has been created using the acl or acl
name command and ACL rules have been configured using the rule command.

Step 4 Run user-vlan vlan-id

The user group VLAN is configured.

By default, no user group VLAN is configured.

NOTE

Before running this command, ensure that the VLAN has been created using the vlan
command.

Step 5 Run remark { 8021p 8021p-value | dscp dscp-value }*

The user group priority is configured.

By default, no user group priority is configured.


NOTE

Only the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
S6730S-S, S6720-EI, and S6720S-EI support this command.

Step 6 Run car { outbound | inbound } cir cir-value [ pir pir-value | cbs cbs-value | pbs
pbs-value ] *
The rate of traffic from users in the user group is limited.
By default, the rate of traffic from users in the user group is not limited.

NOTE

Only the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
S6730S-S, S6720-EI, and S6720S-EI support this command, and the user group CAR can
only be applied in the interface outbound direction (outbound) on the S6720-EI and
S6720S-EI.

Step 7 Run quit
Return to the system view.
Step 8 Run user-group group-name enable
The user group function is enabled.
The user group configuration takes effect only after the user group function is
enabled.
By default, the user group function is disabled.

----End

3.7.26 (Optional) Configuring the Device to Automatically Generate the DHCP Snooping Binding Table for Static IP Users
Context
There are unauthorized users who modify their MAC addresses to those of
authorized users. After authorized users are connected through 802.1X
authentication, the unauthorized users can obtain the same identities as the
authorized users and connect to the network without authentication. This results
in security risks of authentication and accounting. After accessing the network,
unauthorized users can also initiate ARP spoofing attacks by sending bogus ARP
packets. In this case, the device records incorrect ARP entries, greatly affecting
normal communication between authorized users. To prevent the previous attacks,
configure IPSG and DAI. These two functions are implemented based on binding
tables. For static IP users, you can run the user-bind static command to configure
the static binding table. However, if there are many static IP users, it takes more
time to configure static binding entries one by one.
To reduce the workload, you can configure the device to automatically generate
the DHCP snooping binding table for static IP users. After the static IP users who
pass 802.1X authentication send EAP packets to trigger generation of the user
information table, the device automatically generates the DHCP snooping binding
table based on the MAC address, IP address, and interface recorded in the table.


Before configuring the device to generate the DHCP snooping binding table for
static IP users, you must have enabled 802.1X authentication and DHCP snooping
globally and on interfaces using the dot1x enable and dhcp snooping enable
commands.

NOTE

● The EAP protocol does not specify a standard attribute to carry IP address information.
Therefore, if the EAP request packet sent by a static IP user does not contain an IP address,
the IP address information in the DHCP snooping binding table is obtained from the user's
first ARP request packet with the same MAC address as the user information table after the
user passes authentication. On a network, unauthorized users may forge authorized users'
MAC addresses to initiate ARP spoofing attacks on devices, and the DHCP snooping binding
table generated accordingly may be unreliable. Therefore, the dot1x trigger dhcp-binding
command is not recommended and you are advised to run the user-bind static command to
configure the static binding table.
● For users who are assigned IP addresses using DHCP, you do not need to run the dot1x
trigger dhcp-binding command on the device. The DHCP snooping binding table is
generated through the DHCP snooping function.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The interface view is displayed.

Step 3 Run dot1x trigger dhcp-binding

The device is configured to automatically generate the DHCP snooping binding
table after static IP users pass 802.1X authentication.

By default, the device does not automatically generate the DHCP snooping
binding table after static IP users pass 802.1X authentication.

----End

Verifying the Configuration
You can run the display dhcp snooping user-bind command to check the DHCP
snooping binding table that is generated by the device for static IP users who pass
802.1X authentication. The DHCP snooping binding table generated using this
function will be deleted after the users are disconnected.

Follow-up Procedure
Configure IPSG and DAI after the DHCP snooping binding table is generated to
prevent attacks from unauthorized users.
● In the interface view, run the ip source check user-bind enable command to
enable IPSG.
● In the interface view, run the arp anti-attack check user-bind enable
command to enable DAI.


3.7.27 (Optional) Configuring Voice Terminals to Go Online Without Authentication
Context
When both data terminals (such as PCs) and voice terminals (such as IP phones)
are connected to switches, NAC is configured on the switches to manage and
control the data terminals. The voice terminals, however, only need to connect to
the network without being managed and controlled. In this case, you can
configure the voice terminals to go online without authentication on the switches.
Then the voice terminals identified by the switches can go online without
authentication.

NOTE

If an 802.1X user initiates authentication through a voice terminal, a switch preferentially
processes the authentication request. If the authentication succeeds, the terminal obtains the
corresponding network access rights. If the authentication fails, the switch identifies the
terminal type and enables the terminal to go online without authentication.

Pre-configuration Tasks
To enable the switches to identify the voice terminals, enable LLDP or configure
OUI for the voice VLAN on the switches. For details, see "Configuring Basic LLDP
Functions" in "LLDP Configuration" in the S300, S500, S2700, S5700, and S6700
V200R020C10 Configuration Guide - Network Management and Monitoring or
"Configuring a Voice VLAN Based on a MAC Address" in "Voice VLAN
Configuration" in the S300, S500, S2700, S5700, and S6700 V200R020C10
Configuration Guide - Ethernet Switching. If a voice device supports only CDP but
does not support LLDP, configure CDP-compatible LLDP on the switch using lldp
compliance cdp receive command.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run authentication device-type voice authorize [ user-group group-name ]
The voice terminals are enabled to go online without authentication.
By default, voice terminals are disabled from going online without authentication.

NOTE

Voice terminals can obtain the corresponding network access rights after they pass
authentication and go online, when user-group group-name is not specified. When user-group
group-name is specified, voice terminals can obtain the network access rights specified by the
user group after they go online. To use a user group to define network access rights for voice
terminals, run the user-group group-name command to create a user group and configure
network authorization information for the users in the group. Note that the user group takes
effect only after it is enabled.
If you run this command repeatedly, the latest configuration overrides the previous ones.

----End


3.7.28 (Optional) Configuring the MAC Address Migration Function
Context
The access locations of enterprise users' terminals change frequently. For example,
employees move to other offices to work or give presentations using laptops. By
default, a user cannot immediately initiate authentication and access the network
after being switched to a new interface. The user can initiate authentication on
the current interface only after the user offline detection interval expires or the
authentication interface is manually shut down and enabled to clear the user online
entries. To improve user experience, MAC address migration is enabled so that the
user can immediately initiate authentication and access the network after being
switched to another access interface.
MAC address migration allows online NAC authentication users to immediately
initiate authentication and access the network after they are switched to other
access interfaces. If the user is authenticated successfully on the new interface, the
online user entry on the original interface is deleted immediately to ensure that
only one interface records the online user entry.
There are two typical MAC address migration scenarios, as shown in Figure 3-12.
Scenario one: The authentication point is deployed on an access switch, and the
user terminal is migrated from one authentication control point to another on the
same switch. Scenario two: The authentication point is deployed on an
aggregation switch. The authentication control point of the user terminal remains
unchanged, and the user terminal is migrated between different interfaces on the
same access switch or different access switches connected to the aggregation
switch.

Figure 3-12 Typical MAC address migration scenarios


NOTE

● In normal cases, enabling MAC address migration is not recommended. It should be enabled
only when users have migration requirements during roaming. This prevents unauthorized
users from forging MAC addresses of online users and sending ARP, 802.1X, or DHCP packets
on other authentication control interfaces to trigger the MAC address migration function and
force authorized users offline.
● Cascading migration through intermediate devices is not supported, because ARP and DHCP
packets are not sent after the cascading migration.
● MAC address migration is not supported for Layer 3 Portal authentication users.
● In the Layer 2 BNG scenario, the device does not support MAC address migration.
● A user is switched from an interface configured with NAC authentication to another
interface not configured with NAC authentication. In this case, the user can access the
network only after the original online entry is aged because the new interface cannot send
authentication packets to trigger MAC migration.
● In common mode, Portal authentication is triggered only after users who go online through
a VLANIF interface send ARP packets and go offline; otherwise, the users can go online again
only after the original user online entries age out. Portal authentication cannot be triggered
after users who go online through physical interfaces migrate. The users can go online again
only after the original user online entries age out.
● After a user who goes online from a VLANIF interface is quieted because of multiple MAC
address migrations, MAC address migration can be performed for the quieted user only after
the quiet period expires and the ARP entry is aged out.
● When an authorized VLAN is specified in the authentication mac-move enable vlan
command, you are advised to enable the function of detecting the user status before user
MAC address migration.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run authentication mac-move enable vlan { all | { vlan-id1 [ to vlan-id2 ] } &<1-10> }
The MAC address migration function is enabled.
By default, MAC address migration is disabled.
VLANs need to be specified for users in MAC address migration. The VLANs before
and after the migration can be specified for the users, and they can be the same
or different.
Step 3 (Optional) Configure the MAC address migration quiet function.
When users frequently switch access interfaces (especially frequent switching due
to loops), the device needs to process a large number of authentication packets
and entries, which results in high CPU usage. To solve this problem, configure the
MAC address migration quiet function. If the number of MAC address migration
times for a user within 60 seconds exceeds the upper limit after the MAC address
migration quiet function is enabled, the device quiets the user for a certain period.
During the quiet period, the device does not allow users to perform MAC address
migration.
In addition, the device can send logs and alarms about MAC address migration to
improve maintainability of the MAC address migration quiet function.


1. Run authentication mac-move { quiet-times times | quiet-period quiet-value } *
The quiet period and the maximum number of MAC address migration times
within 60 seconds before users enter the quiet state are configured.
The default quiet period is 0 seconds and the maximum number of MAC
address migration times within 60 seconds before users enter the quiet state
is 3.
2. Run authentication mac-move quiet-log enable
The device is enabled to record logs about MAC address migration quiet.
By default, the device is enabled to record logs about MAC address migration
quiet.
After this function is enabled, the device records logs when adding or deleting
MAC address migration quiet entries.
3. Run authentication mac-move quiet-user-alarm percentage lower-
threshold upper-threshold
The upper and lower alarm thresholds for the percentage of MAC address
migration users in quiet state are configured.
By default, the lower alarm threshold is 50 and upper alarm threshold is 100.
4. Run authentication mac-move quiet-user-alarm enable
The device is enabled to send alarms about MAC address migration quiet.
By default, the device is disabled from sending alarms about MAC address
migration quiet.
After this function is enabled, the device sends alarms when the percentage
of the actual user amount in the MAC address migration quiet table against
the maximum number of users exceeds the upper alarm threshold configured.
If the percentage decreases to be equal to or smaller than the lower alarm
threshold, the device sends a clear alarm.

Step 4 (Optional) Enable a device to detect users' online status before user MAC address
migration.

To prevent unauthorized users from spoofing online users to attack a device, run
the authentication mac-move detect enable command to enable the device to
detect users' online status before user MAC address migration. If no users are
online, the device permits MAC address migration and allows users to go online
from a new access interface. If a user is online, the device terminates MAC address
migration and does not allow the user to go online from a new access interface.

1. Run authentication mac-move detect enable
A device is enabled to detect users' online status before user MAC address
migration.
By default, a device is disabled from detecting users' online status before user
MAC address migration.
2. Run authentication mac-move detect { retry-interval interval | retry-time
times } *
The detection interval and maximum number of detections are set.


By default, a device detects users' online status once. The detection interval is
3 seconds.

----End

Verifying the Configuration
● Run the display authentication mac-move configuration command to view
configurations about the MAC address migration function.
● Run the display authentication mac-move quiet-user { all | mac-address
mac-address } command to view information about MAC address migration
users in quiet state.
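As an added example (not part of this guide or the switch software), the following Python model shows how the quiet-times and quiet-period window, the quiet logs and the percentage-based alarm thresholds described in Step 3 interact over a sequence of migration attempts. The capacity of the quiet table, the meaning of the 0-second default quiet period and which migration attempt is refused are assumptions.

```python
"""Model of the MAC address migration quiet function and its alarms.

Added example, not Huawei code. It follows the documented behaviour of
`authentication mac-move quiet-times / quiet-period`, `quiet-log enable`
and `quiet-user-alarm percentage lower upper` so that threshold choices
can be reasoned about offline. The quiet-table capacity and the exact
attempt that is refused are assumptions marked in the comments.
"""
from collections import deque
from dataclasses import dataclass, field

MAC_MOVE_WINDOW = 60  # seconds; the guide counts migrations within 60 seconds


@dataclass
class MacMoveQuiet:
    quiet_times: int = 3          # default: more than 3 moves per 60 s is too many
    quiet_period: int = 0         # default 0 s (assumed to mean: users are never quieted)
    max_quiet_users: int = 1024   # assumed capacity of the quiet table
    lower_threshold: int = 50     # default lower alarm threshold, percent
    upper_threshold: int = 100    # default upper alarm threshold, percent
    log_enabled: bool = True      # quiet-log enable is on by default
    alarm_enabled: bool = False   # quiet-user-alarm enable is off by default
    alarm_active: bool = False
    events: list = field(default_factory=list)
    _history: dict = field(default_factory=dict)      # mac -> deque of move times
    _quiet_until: dict = field(default_factory=dict)  # mac -> quiet expiry time

    def quiet_percentage(self) -> float:
        """Quiet-table occupancy, the percentage the alarm thresholds refer to."""
        return 100.0 * len(self._quiet_until) / self.max_quiet_users

    def _log(self, message: str) -> None:
        if self.log_enabled:
            self.events.append(message)

    def _update_alarm(self) -> None:
        """Raise above the upper threshold, clear at or below the lower one."""
        if not self.alarm_enabled:
            return
        pct = self.quiet_percentage()
        if not self.alarm_active and pct > self.upper_threshold:
            self.alarm_active = True
            self.events.append(f"ALARM: {pct:.0f}% of quiet table in use")
        elif self.alarm_active and pct <= self.lower_threshold:
            self.alarm_active = False
            self.events.append(f"CLEAR: {pct:.0f}% of quiet table in use")

    def _expire(self, now: float) -> None:
        """Drop quiet entries whose period has elapsed (logged like deletions)."""
        for mac in [m for m, until in self._quiet_until.items() if until <= now]:
            del self._quiet_until[mac]
            self._log(f"quiet entry deleted: {mac}")
        self._update_alarm()

    def migrate(self, mac: str, now: float) -> bool:
        """Return True if a MAC move by `mac` at time `now` is permitted."""
        self._expire(now)
        if mac in self._quiet_until:
            return False                      # quiet users may not migrate
        moves = self._history.setdefault(mac, deque())
        while moves and now - moves[0] >= MAC_MOVE_WINDOW:
            moves.popleft()                   # keep only the last 60 s of moves
        moves.append(now)
        if self.quiet_period > 0 and len(moves) > self.quiet_times:
            # Assumption: the move that exceeds the limit is refused and
            # starts the quiet period rather than going through.
            self._quiet_until[mac] = now + self.quiet_period
            moves.clear()
            self._log(f"quiet entry added: {mac}")
            self._update_alarm()
            return False
        return True


if __name__ == "__main__":
    # Constructed scenario: a looped port makes one MAC flap every 10 seconds.
    device = MacMoveQuiet(quiet_period=120, max_quiet_users=4,
                          lower_threshold=20, upper_threshold=60, alarm_enabled=True)
    for t in (0, 10, 20, 30, 100, 151):
        print(t, device.migrate("00e0-fc00-0001", t))
    print("\n".join(device.events))
```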

3.7.29 (Optional) Enabling System Log Suppression

Context
When a user fails in authentication or goes offline, the device records a system
log. The system log contains the MAC addresses of access device and access user
and the authentication time.

If a user repeatedly attempts to go online after authentication failures or
frequently goes online and offline in a short period, a lot of system logs are
generated, which waste system resources and degrade system performance.
System log suppression can address this problem. After the device generates a
system log, it will not generate the same log within the suppression period.

NOTE

The same system logs refer to the system logs containing the same MAC addresses. For
example, after the device generates a system log for a user failing in authentication, the
device will not generate new system log for this user in the suppression period if the user
fails in authentication again. The system logs for users logging offline are generated in the
same way.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run access-user syslog-restrain enable

The system log suppression is enabled.

By default, system log suppression is enabled.

Step 3 Run access-user syslog-restrain period period

A period for system log suppression is set.

By default, the period of system log suppression is 300s.

----End


3.7.30 Configuring the Bandwidth Share Mode


Context
On a home network, all family members go online using the same account. To
improve service experience of family members, you can configure the bandwidth
share mode so that all members can share the bandwidth.

NOTE

The bandwidth share mode is supported by the S5731-H, S5731S-H, S5731-S, S5731S-S,
S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Enter a domain view.
1. Run aaa
The AAA view is displayed.
2. Run domain domain-name
The AAA domain view is displayed.
Step 3 Run band-width share-mode
The bandwidth share mode is enabled.
By default, the bandwidth share mode is disabled.
● If this command is run in the system view, it takes effect for all new online
users who connect to the device. If this command is run in the AAA domain
view, it takes effect only for new online users in the domain.
● If the local or remote RADIUS server does not assign CAR settings to the users
who will go online and the online users, the share mode is invalid to the
users.
● If the bandwidth share mode is enabled and different users use the same
account for authentication, the users going online with no CAR settings
assigned will not be affected when CAR settings are assigned to the users
who go online later.

----End

3.7.31 Enabling the Device to Dynamically Adjust the Rate at Which It Processes Packets from NAC Users
Context
When many NAC users send authentication or logoff requests to the device, the CPU may become overloaded, especially when the CPU or memory usage is already high (for example, above 80%). After the device is enabled to dynamically adjust the rate of packets from NAC users, the device limits the number of NAC packets received per second whenever the CPU or memory usage is high. This function reduces the load on the device CPU.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run authentication speed-limit auto

The device is enabled to dynamically adjust the rate at which it processes packets
from NAC users.

----End

3.7.32 (Optional) Configuring the Function of Triggering 802.1X Authentication Through Multicast Packets Immediately After an Interface Goes Up

Context
By default, the device periodically multicasts EAP-Request/Identity packets to
clients so that the clients are triggered to send EAPoL-Start packets for 802.1X
authentication. If the device interface connecting to a client changes from Down
to Up, the client needs to send EAPoL-Start packets again for 802.1X
authentication, which takes a long time. You can enable the function of triggering
802.1X authentication through multicast packets immediately after the device
interface goes Up, shortening the re-authentication time.

NOTE

When the access control mode on the device interface is based on the MAC address, the
dot1x mc-trigger port-up-send enable command does not take effect.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run dot1x mc-trigger

The function of triggering 802.1X authentication through multicast packets is enabled.

By default, the function of triggering 802.1X authentication through multicast packets is enabled.

Step 3 Run dot1x mc-trigger port-up-send enable

The function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up is enabled.

By default, the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up is disabled.

----End

3.7.33 Configuring the Function of Keeping Users Online When the Port Type or VLAN Is Changed

Context
After user access authentication succeeds, you can change the VLAN that users are allowed to access or the access interface type through the RADIUS server. For example, you can assign VLANs to clients through the server for network planning and deployment. After the deployment is complete, to reduce the impact of link faults and device restarts on the network and to restore the network quickly, you can change the user access VLAN to the authorized VLAN. To modify interface or VLAN configurations without disconnecting users in this case, enable the function of keeping users online when the port type or VLAN is changed.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run authentication port-vlan-modify user-online
The function of keeping users online when the port type or VLAN is changed is
enabled.
By default, the function of keeping users online when the port type or VLAN is
changed is disabled.
Step 3 Run display webmng configuration
The configuration of the WEBMNG module is displayed.

----End

3.7.34 (Optional) Configuring the Rate Limit of Identity Packets for 802.1X Authentication to Be Sent to the CPU

Context
If a large number of Identity packets for 802.1X authentication are sent to the
CPU of a switch, the CPU usage is high and other services are affected. To prevent
this problem, run the access-user dot1x-identity speed-limit command to
configure the rate limit of Identity packets for 802.1X authentication to be sent to
the CPU, so that the switch discards excess Identity packets.

Procedure
Step 1 Run system-view
The system view is displayed.


Step 2 Run access-user dot1x-identity speed-limit value

The rate limit of Identity packets for 802.1X authentication to be sent to the CPU is configured.
By default, the maximum number of Identity packets for 802.1X authentication that can be sent to the CPU per second depends on the device.

----End

3.7.35 (Optional) Configuring the User Logout Delay Function When an Interface Link Is Faulty

Context
If a link is faulty, the interface goes down and users are logged out immediately. To avoid this, you can configure the user logout delay function. When the interface link is faulty, the users remain online during the delay; if the link is restored within the delay, the users do not need to be re-authenticated. If the users are logged out after the delay expires and the link is restored later, the users need to be re-authenticated.

NOTE

● This function takes effect only for wired users who go online on Layer 2 physical interfaces
that have been configured with NAC authentication.
● To make the function take effect, it is recommended that the configured interval be greater
than the time during which the interface is in Up state. If the link frequently flaps within a
short period, it is recommended that the interval be set to unlimited.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run link-down offline delay { delay-value | unlimited }
The user logout delay is configured when an interface link is faulty.
The default user logout delay is 10 seconds when an interface link is faulty.
If the delay is 0, users are logged out immediately when the interface link is faulty.
If the delay is unlimited, users are not logged out when the interface link is faulty.

----End

3.7.36 Verifying the 802.1X Authentication Configuration

Context
You can run the commands to check the configured parameters after completing
the 802.1X authentication configuration.


Procedure
● Run the display dot1x [ statistics ] [ interface { interface-type interface-
number1 [ to interface-number2 ] } &<1-10> ] command to check the 802.1X
authentication configuration.
● Run the display mac-address authen [ interface-type interface-number |
vlan vlan-id ] * [ verbose ] command to check the current authen MAC
address entries in the system.
● Run the display user-group [ group-name ] command to check the user
group configuration.
● Run the display access-user command to check information about online
NAC users.
● Run the display aaa statistics access-type-authenreq command to verify the
number of authentication requests.
● Run the display port connection-type access all command to check all
current downlink interfaces on the device.
● Run the display dot1x quiet-user { all | mac-address mac-address }
command to check information about 802.1X authentication users who are
quieted.
● Run the display access-user dot1x-identity statistics command to display
statistics about Identity packets for 802.1X authentication on a switch.
----End

3.8 Configuring MAC Address Authentication


MAC address authentication controls a user's network access rights based on the user's interface and MAC address. The user does not need to install any client software. The user device's MAC address is used as the user name and password. When the network access device detects the user's MAC address for the first time, it starts authenticating the user.

Pre-configuration Tasks
MAC address authentication only provides a user authentication solution. To
implement this solution, the AAA function must also be configured. Therefore,
complete the following tasks before you configure MAC address authentication:
● Configure the authentication domain and AAA scheme on the AAA client.
● Configure the user name and password on the RADIUS or HWTACACS server
if RADIUS or HWTACACS authentication is used.
● Configure the user name and password manually on the network access
device if local authentication is used.
For the configuration of AAA client, see 1 AAA Configuration.


3.8.1 Enabling MAC Address Authentication

Context
The MAC address authentication configuration takes effect on an interface only after MAC address authentication is enabled both globally and on the interface.

After MAC address authentication is enabled, it cannot be disabled on an interface while users who logged in through MAC address authentication on that interface are online.

For MAC address authentication, ensure that the interface type is hybrid when you configure the authorization VLAN.

NOTE

Only S5720I-SI, S500, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S5731-H, S5731S-
H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and
S6720S-EI support configuration of MAC address authentication on VLANIF interfaces.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run mac-authen

Global MAC address authentication is enabled.

By default, global MAC address authentication is disabled.

Step 3 Enable MAC address authentication on an interface in the system or interface view.

In the system view:

1. Run mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

MAC address authentication is enabled on the interface.

In the interface view:

1. Run interface interface-type interface-number

The interface view is displayed.


2. Run mac-authen

MAC address authentication is enabled on the interface.

By default, MAC address authentication is disabled on an interface.

----End


3.8.2 (Optional) Configuring the User Name Format

Context
MAC address authentication uses the following user name formats:
● MAC address: When the MAC address is used as the user name for MAC
address authentication, the password can be the MAC address or a self-
defined character string.
● Fixed user name: Regardless of users' MAC addresses, all users are authenticated with one fixed user name and password specified by the administrator. Many users may be authenticated on the same interface. In this case, all users requiring MAC address authentication on the interface use the same fixed user name, and only one user account needs to be configured on the server to authenticate all of them. This is applicable to a network environment with reliable access clients.
● DHCP option: The device uses the DHCP option field specified by the user and
a fixed password rather than the MAC address of the user as an identity for
authentication.

NOTE

If fixed user names are configured in the VLANIF interface view, Eth-Trunk interface view or
port group view, the password must be set.
If a MAC address is configured as the user name in the port group view, the password
cannot be set.
If configured in the system view, the user name format is valid for commands on all
interfaces; if configured in the interface view, the user name format is valid for commands
on this interface only. If configured in the interface view and system view at the same time,
the user name format configured in the interface view has higher priority.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Configure the user name format in the system or interface view.
1. Run interface interface-type interface-number

The interface view is displayed. Alternatively, perform the configuration directly in the system view.
2. Run mac-authen username { fixed username [ password cipher password ]
| macaddress [ format { with-hyphen [ normal ] [ colon ] | without-
hyphen } [ uppercase ] [ password cipher password ] ] | dhcp-option
option-code { circuit-id | remote-id } * [ separate separate ] [ format-hex ]
password cipher password }

The user name format is set for MAC address authentication.

By default, a MAC address without hyphens (-) or colons (:) is used as the
user name and password for MAC address authentication.


NOTE

When the user name format in MAC address authentication is configured, ensure that the
authentication server supports this format.

----End
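To pre-provision the accounts an authentication server must hold for each mac-authen username macaddress format option above, the following is an added Python example (not from this guide and not Huawei software). It assumes the rendered shapes with-hyphen = xxxx-xxxx-xxxx, with-hyphen normal = xx-xx-xx-xx-xx-xx, with-hyphen colon = xx:xx:xx:xx:xx:xx and without-hyphen = xxxxxxxxxxxx, lowercase unless uppercase is given, and that colon wins when both normal and colon are given; the endpoint MAC addresses are constructed.

```python
import re

# Added example (not from the guide). Renders the user name and password the
# switch presents for MAC address authentication under each
# "mac-authen username macaddress format" option, so that the matching
# accounts can be created on the authentication server beforehand.
# Assumed shapes (not spelled out on the page): with-hyphen -> xxxx-xxxx-xxxx,
# with-hyphen normal -> xx-xx-xx-xx-xx-xx, with-hyphen colon -> xx:xx:xx:xx:xx:xx,
# without-hyphen -> xxxxxxxxxxxx. Lowercase unless "uppercase" is set; colon is
# assumed to take precedence when both normal and colon are given.


def normalize_mac(mac: str) -> str:
    """Strip any separators and return the 12 hex digits in lowercase."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.lower()


def mac_authen_username(mac: str, with_hyphen: bool = False, normal: bool = False,
                        colon: bool = False, uppercase: bool = False) -> str:
    """User name the switch sends for this MAC under the given format options.
    With no options this is the page's default: no hyphens or colons."""
    digits = normalize_mac(mac)
    if not with_hyphen:
        name = digits
    elif colon:
        name = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    elif normal:
        name = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    else:
        name = "-".join(digits[i:i + 4] for i in range(0, 12, 4))
    return name.upper() if uppercase else name


def radius_accounts(macs, password=None, **fmt) -> dict:
    """Map user name -> password for every endpoint MAC. Without a
    'password cipher' value the page's default applies: the password is the
    same formatted MAC address as the user name."""
    accounts = {}
    for mac in macs:
        user = mac_authen_username(mac, **fmt)
        accounts[user] = password if password is not None else user
    return accounts


# Constructed endpoint MAC addresses for the demonstration.
ENDPOINTS = ["00:1A:2B:3C:4D:5E", "001a-2b3c-4d5f", "001A2B3C4D60"]

if __name__ == "__main__":
    for user, pw in radius_accounts(ENDPOINTS, with_hyphen=True, normal=True,
                                    uppercase=True).items():
        print(user, pw)
```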

3.8.3 (Optional) Configuring the User Authentication Domain

Context
When the MAC address or a fixed user name without a domain name is used as the user name in MAC address authentication, the user is authenticated in the default domain if the administrator does not configure an authentication domain. In this case, many users are authenticated in the default domain, which makes the authentication scheme inflexible.
The authentication domain for MAC address authentication users can be configured globally or on an interface.
● When configured globally, the authentication domain is valid for all interfaces.
● When configured on an interface, the authentication domain is valid for this interface only. The authentication domain configured on the interface takes precedence over the one configured globally. If no authentication domain is configured on the interface, the globally configured authentication domain is used.

NOTE

● When the fixed user name is used for MAC address authentication and the
authentication domain is specified in the user name, the user is authenticated in the
specified authentication domain.
● Before configuring an authentication domain for the MAC address authentication user,
ensure that the authentication domain has been created.

Procedure
● In the system view:
a. Run system-view
The system view is displayed.
b. Run mac-authen domain isp-name [ mac-address mac-address mask
mask ]
The authentication domain is configured for the MAC address
authentication user.
By default, MAC address authentication uses the global default domain.
● In the interface view:
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.


c. Run mac-authen domain isp-name

The authentication domain is configured for the MAC address authentication user.

By default, MAC address authentication uses the global default domain.

----End

3.8.4 (Optional) Configuring Packet Types That Can Trigger MAC Address Authentication

Context
After MAC address authentication is enabled, the device can trigger MAC address
authentication on users by default when receiving DHCP/ARP/DHCPv6/ND
packets. Based on user information on the actual network, the administrator can
adjust the packet types that can trigger MAC address authentication. For example,
if all users on a network dynamically obtain IPv4 addresses, the device can be
configured to trigger MAC address authentication only through DHCP packets.
This prevents the device from continuously sending ARP packets to trigger MAC
address authentication when static IPv4 addresses are configured for unauthorized
users on the network, and reduces device CPU occupation.

When the function of triggering MAC address authentication through DHCP packets is supported, the device can use the DHCP packets to re-authenticate users, clear the MAC address authentication user entries in time, and send user terminal information to the authentication server.

NOTE

Note the following situation. A device is configured to trigger MAC address authentication through DHCP packets, and DHCP options are used as the user names for MAC address authentication (for the configuration of user names in MAC address authentication, see 3.8.2 (Optional) Configuring the User Name Format). If the authentication server delivers the Huawei extended RADIUS attribute HW-Forwarding-VLAN (No. 26-161) to the device, the user packet must carry double VLAN tags and the outer VLAN ID cannot be the same as the ID of HW-Forwarding-VLAN; otherwise, the delivered attribute cannot take effect.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Configure the packet types that can trigger MAC address authentication.

You can configure this function globally or on interfaces. If the function is configured globally, the configuration takes effect on multiple interfaces. If the function is configured on interfaces, the configuration only takes effect on the specified interfaces. If the function is configured globally and on interfaces, the configuration on the interfaces takes precedence.

By default, DHCP/ARP/DHCPv6/ND packets can trigger MAC address authentication.


● In the system view:
Run the mac-authen { dhcp-trigger | arp-trigger | dhcpv6-trigger | nd-trigger } * [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to configure the packet types that can trigger MAC address authentication.
● In the interface view:
1. Run the interface interface-type interface-number command to enter the interface view.
2. Run the mac-authen { dhcp-trigger | arp-trigger | dhcpv6-trigger | nd-trigger } * command to configure the packet types that can trigger MAC address authentication.

Step 3 (Optional) Enable the device to send DHCP option information to the
authentication server when triggering MAC address authentication through DHCP
packets.

You can enable this function globally or on interfaces. If the function is enabled
globally, it can be enabled on multiple interfaces. If the function is enabled on
interfaces, it only takes effect on the specified interfaces. If the function is enabled
globally and on interfaces, the function enabled on the interfaces takes
precedence.

By default, the device does not send DHCP option information to the
authentication server when triggering MAC address authentication through DHCP
packets.

● In the system view:
Run the mac-authen dhcp-trigger dhcp-option option-code [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to enable the device to send DHCP option information to the authentication server when triggering MAC address authentication through DHCP packets.
● In the interface view:
1. Run the interface interface-type interface-number command to enter the interface view.
2. Run the mac-authen dhcp-trigger dhcp-option option-code command to enable the device to send DHCP option information to the authentication server when triggering MAC address authentication through DHCP packets.

Scenario: Option 82 records information about DHCP user locations and services (voice and data services). After this command is run, the device sends Option 82 information to the authentication server when triggering MAC address authentication through DHCP packets. Based on the user information recorded in Option 82, the authentication server grants different network access rights to users with different services in different locations. This implements accurate control of each user's network access rights.

Step 4 (Optional) Enable the device to re-authenticate the users when receiving DHCP
lease renewal packets from MAC address authentication users.

You can enable this function globally or on interfaces. If the function is enabled
globally, it can be enabled on multiple interfaces. If the function is enabled on
interfaces, it only takes effect on the specified interfaces.

By default, the device does not re-authenticate the users when receiving DHCP
lease renewal packets from MAC address authentication users.

● In the system view:
Run the mac-authen reauthenticate dhcp-renew interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> command to enable the device to re-authenticate the users when receiving DHCP lease renewal packets from MAC address authentication users.
● In the interface view:
1. Run the interface interface-type interface-number command to enter the interface view.
2. Run the mac-authen reauthenticate dhcp-renew command to enable the device to re-authenticate the users when receiving DHCP lease renewal packets from MAC address authentication users.

Scenario: After users go online, the administrator may modify the users' authentication parameters or network access rights on the authentication server. To ensure user validity or update the users' network access rights in real time, you can run this command to enable the device to re-authenticate the users when receiving DHCP lease renewal packets from MAC address authentication users.

Step 5 (Optional) Enable the device to clear user entries when receiving DHCP Release
packets from MAC address authentication users.

You can enable this function globally or on interfaces. If the function is enabled
globally, it can be enabled on multiple interfaces. If the function is enabled on
interfaces, it only takes effect on the specified interfaces.

By default, the device does not clear user entries when receiving DHCP Release
packets from MAC address authentication users.

● In the system view:
Run the mac-authen offline dhcp-release interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> command to enable the device to clear user entries when receiving DHCP Release packets from MAC address authentication users.
● In the interface view:
1. Run the interface interface-type interface-number command to enter the interface view.
2. Run the mac-authen offline dhcp-release command to enable the device to clear user entries when receiving DHCP Release packets from MAC address authentication users.

Scenario: After MAC address authentication users who send DHCP Release packets go offline, the corresponding user entries on the device cannot be deleted immediately. This occupies device resources and may prevent other users from going online. You can run this command to enable the device to clear the user entries in real time when MAC address authentication users go offline.

----End
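To see how the enabling rule in 3.8.1 (global and interface together) and the trigger-type precedence rule above combine, the following added Python example (not from this guide and not Huawei software) reads a constructed running-configuration extract and computes, per interface, whether MAC address authentication is actually effective and which packet types trigger it. It assumes the running-configuration layout of '#'-separated sections with interface commands indented by one space, that a system-view command carrying an interface list counts as interface-specific configuration with the interface view taking precedence when both exist, and that only the last number of an interface range varies.

```python
import re
from collections import defaultdict

ALL_TRIGGERS = ("dhcp-trigger", "arp-trigger", "dhcpv6-trigger", "nd-trigger")

# Constructed sample in the layout of a running configuration ('#'-separated
# sections, interface commands indented by one space). Only commands from this
# section of the guide appear in it; the interface names are made up.
SAMPLE_CONFIG = """\
#
mac-authen
mac-authen arp-trigger
mac-authen dhcp-trigger interface GigabitEthernet0/0/1 to 0/0/2
mac-authen interface GigabitEthernet0/0/2
mac-authen offline dhcp-release interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/1
 mac-authen
 mac-authen dhcpv6-trigger nd-trigger
#
interface GigabitEthernet0/0/2
 description access-port-printer
#
interface GigabitEthernet0/0/3
 mac-authen
#
interface GigabitEthernet0/0/4
 port link-type access
#
"""


def parse_running_config(text):
    """Split the text into system-view commands and per-interface command lists."""
    system, interfaces, current = [], defaultdict(list), None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "#":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current]  # register the interface even if it has no commands
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            system.append(line.strip())
    return system, dict(interfaces)


def expand_interfaces(tokens):
    """Expand 'GigabitEthernet0/0/1 to 0/0/3 GigabitEthernet0/0/7' into names.
    Assumption: only the last number of a 'to' range varies."""
    names, i = [], 0
    while i < len(tokens):
        start, i = tokens[i], i + 1
        if i + 1 < len(tokens) and tokens[i] == "to":
            m = re.match(r"([A-Za-z-]+)(\d+(?:/\d+)*)$", start)
            head, lo = m.group(2).rsplit("/", 1)
            hi = tokens[i + 1].rsplit("/", 1)[1]
            names += [f"{m.group(1)}{head}/{n}" for n in range(int(lo), int(hi) + 1)]
            i += 2
        else:
            names.append(start)
    return names


def effective_mac_authen(text):
    """Return {interface: {"enabled": bool, "triggers": [...]}}: enabled only when
    mac-authen is on globally and on the interface; trigger types set for the
    interface override the global list; default is all four packet types."""
    system, interfaces = parse_running_config(text)
    global_on = "mac-authen" in system
    sys_enabled, if_triggers, global_triggers = set(), {}, None
    for cmd in system:
        tok = cmd.split()
        if tok[0] != "mac-authen" or len(tok) == 1 or "dhcp-option" in tok:
            continue
        if tok[1] == "interface":                   # system-view enable form (3.8.1)
            sys_enabled |= set(expand_interfaces(tok[2:]))
            continue
        trig = {t for t in tok if t in ALL_TRIGGERS}
        if not trig:                                # e.g. offline dhcp-release
            continue
        if "interface" in tok:
            for name in expand_interfaces(tok[tok.index("interface") + 1:]):
                if_triggers[name] = trig
        else:
            global_triggers = trig
    for name, cmds in interfaces.items():           # interface view wins (assumption)
        for cmd in cmds:
            tok = cmd.split()
            if tok[0] == "mac-authen" and "dhcp-option" not in tok:
                trig = {t for t in tok if t in ALL_TRIGGERS}
                if trig:
                    if_triggers[name] = trig
    result = {}
    for name in sorted(set(interfaces) | sys_enabled | set(if_triggers)):
        on_interface = name in sys_enabled or "mac-authen" in interfaces.get(name, [])
        triggers = if_triggers.get(name) or global_triggers or set(ALL_TRIGGERS)
        result[name] = {"enabled": global_on and on_interface,
                        "triggers": sorted(triggers)}
    return result


if __name__ == "__main__":
    for name, state in effective_mac_authen(SAMPLE_CONFIG).items():
        print(f"{name:<22} enabled={state['enabled']!s:<5} triggers={state['triggers']}")
```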

3.8.5 (Optional) Setting the Maximum Number of Access Users for MAC Address Authentication on an Interface

Context
To limit the number of access users for MAC address authentication on an
interface, the administrator can set the maximum number of access users. When
the number of access users reaches the limit, new users cannot access the
network through the interface.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Set the maximum number of concurrent access users on an interface in the
system or interface view.
● In the system view:
1. Run mac-authen max-user user-number interface { interface-type interface-
number1 [ to interface-number2 ] } &<1-10>
The maximum number of access users for MAC address authentication is set
on the interface.
● In the interface view:
1. Run interface interface-type interface-number
The interface view is displayed.
2. Run mac-authen max-user user-number
The maximum number of access users for MAC address authentication is set
on the interface.

By default, the maximum number of MAC address authentication users on an interface is the maximum number of MAC address authentication users supported by the device.

----End

3.8.6 (Optional) Specifying the MAC Address Segment Allowed by MAC Address Authentication

Context
After MAC address authentication is configured on a VLANIF interface, MAC
address authentication will be performed for every new MAC address entry
generated on the device. To restrict the users for whom MAC address
authentication can be performed on the VLANIF interface, you can specify a MAC
address segment allowed by MAC address authentication.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The interface view is displayed.

Step 3 Run mac-authen permit mac-address mac-address mask { mask | mask-length }

The MAC address segment allowed by MAC address authentication is specified.

By default, no MAC address range is specified for MAC address authentication.

----End

3.8.7 (Optional) Setting the Source Address of Offline Detection Packets

Context
The device sends an ARP probe packet to check the user online status. If the user
does not respond within a detection period, the device considers that the user is
offline.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Set the source address of offline detection packets.

● Run access-user arp-detect default ip-address ip-address
The default source IP address of offline detection packets is set.
By default, the default source IP address of offline detection packets is 0.0.0.0.


● Run access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address
The source IP address and source MAC address are specified for offline
detection packets in a VLAN.
By default, the source IP address and source MAC address are not specified for
offline detection packets in a VLAN.
You are advised to set the user gateway IP address and its corresponding MAC
address as the source IP address and source MAC address of offline detection
packets.
● Run access-user arp-detect fallback ip-address { mask | mask-length }
The IP address required for calculating the source address of offline detection
packets is configured.
By default, no IP address is configured for the device to calculate the source
address of offline detection packets.
NOTE

The following source IP addresses used in offline detection packets are listed in descending
order of priority:
1. IP address and MAC address of the VLANIF interface corresponding to the VLAN that users
belong to and on the same network segment as users
2. Source IP address specified using the access-user arp-detect vlan vlan-id ip-address ip-
address mac-address mac-address command for offline detection packets in a specified
VLAN
3. Source IP address calculated based on the IP address specified using the access-user arp-
detect fallback ip-address { mask | mask-length } command
4. Default source IP address specified using the access-user arp-detect default ip-address ip-
address command for offline detection packets.

Step 3 Run access-user arp-detect delay delay

The delay for sending offline detection packets is configured.
By default, the delay in sending offline detection packets is 10 seconds.
----End

3.8.8 (Optional) Configuring Timers of MAC Address Authentication

Context
During MAC address authentication, multiple timers implement systematic
interactions between access users or devices and the authentication server. You
can configure the following types of timers in MAC address authentication:
● Re-authentication timer for users in the guest VLAN (guest-vlan
reauthenticate-period): After a user is added to the guest VLAN, the device
initiates re-authentication for the user at an interval set by this timer. If re-
authentication is successful, the user exits the guest VLAN.
● Offline detection timer (offline-detect): To make sure that a user is online,
the device sends a detection packet to the user. If the user does not respond
within a detection period, the device considers the user offline. The timer
takes effect for both MAC address authentication users and static users.


NOTE

If the number of offline detection packets (ARP packets) exceeds the default CAR value,
the detection fails and the users are logged out. (The display cpu-defend statistics
command can be run to check whether ARP request and response packets are lost.) To
resolve the problem, the following methods are recommended:
● Increase the detection interval based on the number of users. The default detection
interval is recommended when there are less than 8000 users; the detection interval
should be no less than 600 seconds when there are more than 8000 users.
● Deploy the port attack defense function on the access device and limit the rate of
packets sent to the CPU.
● Quiet timer (quiet-period): The device enters a quiet period after a user fails authentication. During the quiet period, the device does not process authentication requests from that user.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run mac-authen timer { guest-vlan reauthenticate-period interval | offline-detect offline-detect-value | quiet-period quiet-value }

The timer parameters are set for MAC address authentication.

By default, guest-vlan reauthenticate-period is set to 60 seconds, offline-detect is set to 300 seconds, and quiet-period is set to 60 seconds.

NOTE

The guest-vlan reauthenticate-period, offline-detect, and quiet-period timers are enabled by default.
When the quiet-period timer is set to 0, the quiet function is disabled.

----End

3.8.9 (Optional) Configuring Re-authentication for MAC Address Authentication Users

Context
If the administrator modifies user information on the authentication server,
parameters such as the user access permission and authorization attribute are
changed. If a user has passed MAC address authentication, you must re-
authenticate the user to ensure user validity.

After the user goes online, the device saves user authentication information. After
re-authentication is enabled for MAC address authentication users, the device
sends the saved authentication information of the online user to the
authentication server for re-authentication. If the user's authentication
information does not change on the authentication server, the user is kept online.
If the authentication information has been changed, the user is logged out, and
then re-authenticated according to the changed authentication information.


You can configure re-authentication for MAC address authentication users using
either of the following methods:
● Re-authenticate all online MAC address authentication users on a specified
interface at an interval.
● Re-authenticate the online user once with a specified MAC address.

Procedure
● Re-authenticate all online MAC address authentication users on a specified interface at an interval.
a. Run system-view
The system view is displayed.
b. Enable periodic re-authentication for all online MAC address authentication users on the specified interface in the system or interface view.
▪ In the system view:
i. Run mac-authen reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
Periodic re-authentication is enabled for all online MAC address authentication users on the specified interface.
▪ In the interface view:
i. Run interface interface-type interface-number
The interface view is displayed.
ii. Run mac-authen reauthenticate
Periodic re-authentication is enabled for all online MAC address authentication users on the specified interface.
iii. Run quit
Return to the system view.
By default, periodic re-authentication is enabled for all online MAC address authentication users on the specified interface.
c. (Optional) Set the re-authentication interval for online MAC address authentication users in the system or interface view.
NOTE

Generally, the default re-authentication interval is recommended. If many ACL rules need to be delivered during user authorization, disable re-authentication or increase the re-authentication interval to reduce the load on the device. When remote authentication and authorization are used together with a short re-authentication interval, CPU usage may become high.

▪ In the system view:
i. Run the mac-authen timer reauthenticate-period reauthenticate-period-value command to set the re-authentication interval for online MAC address authentication users.
▪ In the interface view:
i. Run the interface interface-type interface-number command to enter the interface view.
ii. Run the mac-authen timer reauthenticate-period reauthenticate-period-value command to set the re-authentication interval for online MAC address authentication users.
The default re-authentication interval for MAC address authentication users in the system view is 1800 seconds. The interval in the interface view defaults to the interval configured in the system view.
● Configure re-authentication for an online MAC address authentication user
with a specified MAC address.
a. Run system-view
The system view is displayed.
b. Run mac-authen reauthenticate mac-address mac-address
Re-authentication is enabled for the online MAC address authentication
user with the specified MAC address.
By default, re-authentication for an online MAC address authentication
user with a specified MAC address is disabled.
----End

3.8.10 (Optional) Configuring the Guest VLAN Function

Context
You can configure a guest VLAN on a device interface so that users can access
some network resources without being authenticated. The user is added to the
guest VLAN before being authenticated to access resources in the guest VLAN.
However, the users still must be authenticated before accessing network resources
outside the guest VLAN.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure the guest VLAN function in the system or interface view.
● In the system view:
1. Run authentication guest-vlan vlan-id interface { interface-type interface-
number1 [ to interface-number2 ] } &<1-10>
The guest VLAN to which the interface is added is configured.
● In the interface view:
1. Run interface interface-type interface-number
The interface view is displayed.
2. Run authentication guest-vlan vlan-id
The guest VLAN to which the interface is added is configured.


By default, an interface is not added to the guest VLAN.

NOTE

● The guest VLAN function can take effect only in 802.1X and MAC address
authentication.
● A super VLAN cannot be configured as a guest VLAN.
● When free IP subnets are configured, the guest VLAN function becomes invalid
immediately.
● The guest VLAN function takes effect only when a user sends untagged packets to the
device.
● Different interfaces can be configured with different guest VLANs. After a guest VLAN is
configured on an interface, the guest VLAN cannot be deleted.
● To make the VLAN authorization function take effect, the link type and access control
mode of the authentication interface must meet the following requirements:
– When the link type is hybrid in untagged mode, the access control mode can be
based on the MAC address or interface.
– When the link type is access or trunk, the access control mode can only be based
on the interface.

----End

3.8.11 (Optional) Configuring the Critical VLAN Function

Context
During MAC address authentication, when the access device is disconnected from
the authentication server or the authentication server fails, the authentication
process in the network is interrupted. In this case, the user fails authentication.
Meanwhile, the user cannot be added to and access resources in the guest and
restrict VLANs. After the critical VLAN function is configured, when the access
device is disconnected from the authentication server or the authentication server
fails, the MAC address authentication users are added to the critical VLAN, and
can then access resources in the critical VLAN.
NOTE

If the free IP subnet (free-ip) function is configured, the critical VLAN in MAC address authentication becomes invalid immediately.
The critical VLAN function takes effect only on hybrid interfaces that are added to VLANs in untagged mode. It does not take effect on interfaces of other types.

You can configure the critical VLAN function of MAC address authentication in the
system or interface view.

Procedure
● In the system view:
a. Run system-view
The system view is displayed.
b. Run authentication critical-vlan vlan-id interface { interface-type
interface-number1 [ to interface-number2 ] } &<1-10>
The critical VLAN to which the interface is added is configured.


By default, an interface is not added to the critical VLAN.
c. Run authentication critical eapol-success interface { interface-type
interface-number1 [ to interface-number2 ] } &<1-10>
The function of replying an EAPoL-Success packet to the user after the
user is added to the critical VLAN is configured.
By default, an EAPoL-Fail packet is sent to a user after the user is added
to the critical VLAN.
d. Run authentication max-reauth-req times interface { interface-type
interface-number1 [ to interface-number2 ] } &<1-10>
The maximum number of re-authentication attempts for users in the
critical VLAN is set.
By default, the maximum number of re-authentication attempts for users
in the critical VLAN is 20.
● In the interface view:
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run authentication critical-vlan vlan-id
The critical VLAN to which the interface is added is configured.
By default, an interface is not added to the critical VLAN.
d. Run authentication critical eapol-success
The function of replying an EAPoL-Success packet to the user after the
user is added to the critical VLAN is configured.
By default, an EAPoL-Fail packet is sent to a user after the user is added
to the critical VLAN.
e. Run authentication max-reauth-req times
The maximum number of re-authentication attempts for users in the
critical VLAN is set.
By default, the maximum number of re-authentication attempts for users
in the critical VLAN is 20.
----End

3.8.12 (Optional) Configuring the Quiet Function for MAC Address Authentication

Context
The quiet function for MAC address authentication is enabled on a device by default. When a MAC address authentication user fails authentication the configured maximum number of times (10 by default) within 60 seconds, the device quiets the user and does not process authentication requests from that user during the quiet period. This limits the load that repeated failed attempts from an attacker place on the device and the authentication server.


NOTE

For MAC address authentication users, the quiet function takes effect only when the users are not added to user entries. In the common mode, no user entry is generated when a MAC address authentication user fails authentication, so the quiet function takes effect and a quiet entry is generated. If network access rights for user pre-connections or authentication failures are configured, the user enters the pre-connection state with those rights, a user entry is generated, and the quiet function does not take effect.
When the number of quiet entries reaches the maximum, the device does not allow new users that are not in the quiet table to access the network. An attacker who generates failed authentications from many source MAC addresses can therefore fill the quiet table and lock out new legitimate users; monitor the number of quiet entries and deploy port attack defense and CPU rate limiting on the access device as well.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run mac-authen quiet-times fail-times

The maximum number of authentication failures within 60 seconds before the device quiets the MAC authentication user is configured.

By default, the maximum number of authentication failures is 10.

----End
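The following Python model is an added example written for this section, not code from the switch or from Huawei. It models the documented quiet behaviour (failures counted within 60 seconds, a quiet entry that expires after quiet-period, quiet-period 0 disabling the function, and a full quiet table refusing MAC addresses that are not in it) so that fail-times, quiet-period and the quiet-table size can be reasoned about before deployment. The sliding window, the "reaches fail-times" threshold and the max_entries value are assumptions, not values taken from this guide.

```python
"""Model of the MAC address authentication quiet function (added example).

Assumptions not stated in the guide: failures are counted in a sliding
60-second window, the MAC is quieted when the count reaches fail-times,
and the quiet-table capacity (max_entries) is a free parameter.
"""
from collections import deque


class MacAuthQuietTable:
    def __init__(self, fail_times=10, quiet_period=60, window=60, max_entries=1024):
        self.fail_times = fail_times        # mac-authen quiet-times fail-times
        self.quiet_period = quiet_period    # mac-authen timer quiet-period; 0 disables
        self.window = window                # seconds over which failures are counted
        self.max_entries = max_entries      # assumed quiet-table capacity
        self._failures = {}                 # mac -> deque of failure timestamps
        self._quiet = {}                    # mac -> expiry time of the quiet entry

    def _expire(self, now):
        for mac, until in list(self._quiet.items()):
            if now >= until:
                del self._quiet[mac]

    def accepts_request(self, mac, now):
        """Would the device process an authentication request from mac at time now?"""
        self._expire(now)
        if mac in self._quiet:
            return False                    # quieted: the request is dropped
        if len(self._quiet) >= self.max_entries:
            return False                    # table full: unknown MACs are refused too
        return True

    def record_failure(self, mac, now):
        """Register a failed authentication; return True if mac is now quieted."""
        if self.quiet_period == 0:
            return False                    # quiet function disabled
        stamps = self._failures.setdefault(mac, deque())
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()                # drop failures older than the window
        if len(stamps) >= self.fail_times:
            self._quiet[mac] = now + self.quiet_period
            stamps.clear()
            return True
        return False

    def quiet_entries(self, now):
        """MACs currently in the quiet table."""
        self._expire(now)
        return sorted(self._quiet)


def brute_force_is_quieted():
    """10 failures in 10 s -> quieted until the quiet period has elapsed."""
    t = MacAuthQuietTable()
    mac = "00e0-fc00-0001"                  # constructed MAC address
    last = [t.record_failure(mac, sec) for sec in range(10)][-1]
    return last and not t.accepts_request(mac, 11) and t.accepts_request(mac, 9 + 60)


def slow_failures_are_not_quieted():
    """10 failures spread over 63 s never reach 10 inside one 60 s window."""
    t = MacAuthQuietTable()
    return not any(t.record_failure("00e0-fc00-0002", sec * 7) for sec in range(10))


def full_quiet_table_locks_out_newcomers():
    """The caveat from the NOTE: a full quiet table refuses MACs that are not in it."""
    t = MacAuthQuietTable(max_entries=2)
    for mac in ("00e0-fc00-0003", "00e0-fc00-0004"):
        for sec in range(10):
            t.record_failure(mac, sec)
    newcomer = "00e0-fc00-0005"
    return not t.accepts_request(newcomer, 10) and t.accepts_request(newcomer, 9 + 60)


def quiet_period_zero_disables():
    """mac-authen timer quiet-period 0 turns the function off."""
    t = MacAuthQuietTable(quiet_period=0)
    return not any(t.record_failure("00e0-fc00-0006", sec) for sec in range(20))


if __name__ == "__main__":
    for check in (brute_force_is_quieted, slow_failures_are_not_quieted,
                  full_quiet_table_locks_out_newcomers, quiet_period_zero_disables):
        print(f"{check.__name__}: {check()}")
```

The third check is the one to keep in mind when sizing quiet-period: a longer quiet period makes each forged MAC occupy the table for longer, so an attacker needs fewer addresses to reach the point where legitimate newcomers are refused.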

3.8.13 (Optional) Configuring Static Users

Context
In network deployment, static IP addresses are assigned to dumb terminals such
as printers and servers. These users can be configured as static users for flexible
authentication.

After static users are configured, the device can use static user information such as
their IP addresses as the user names to authenticate the users only if one of the
802.1X authentication, MAC address authentication, and Portal authentication
modes is enabled on the interfaces connected to the static users.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run static-user start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ] [ domain-name domain-name | interface interface-type interface-number [ detect ] | mac-address mac-address | vlan vlan-id | keep-online ] *

The static user is configured.

By default, no static user is configured.


NOTE

Only Layer 2 Ethernet interfaces and Layer 2 Eth-Trunk interfaces can be configured as static
user interfaces. If an interface is added to an Eth-Trunk or switched to a Layer 3 interface, the
static user function does not take effect.
When the interface (interface interface-type interface-number) mapping static users is
specified, the VLAN (vlan vlan-id) that the interface belongs to must be configured.

Step 3 Run static-user username macaddress format { with-hyphen [ normal ] [ colon ] | without-hyphen } [ uppercase ] [ password-with-macaddress ]

The user name for authenticating a static user is set to a MAC address.

By default, the user name for authenticating a static user is not set to a MAC address.

This command takes priority over the static-user username format-include { ip-address | mac-address | system-name } command and the static-user password cipher password command.

Step 4 Run static-user username format-include { ip-address | mac-address | system-name }

The static user name for authentication is set.

By default, the name of a static user consists of system-name and ip-address.

Step 5 Run static-user password cipher password

The static user password for authentication is set.

By default, no password is set for static user authentication.

----End
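The Python function below is an added example, not the switch's code, showing the user name and password a static user is authenticated with under the precedence stated in Steps 3 to 5 (static-user username macaddress format overrides both format-include and the configured password). The guide gives the command keywords but not the resulting strings, so the MAC layouts are assumptions derived from the keywords (with-hyphen XXXX-XXXX-XXXX, with-hyphen normal XX-XX-XX-XX-XX-XX, colon substituting ":" for "-", without-hyphen XXXXXXXXXXXX, uppercase upper-casing the hex digits), and the "_" separator joining format-include fields is an assumption as well. Use it to check what the RADIUS server must expect before provisioning accounts for printers and servers.

```python
"""User name and password the switch submits for a static user (added example).

Assumed layouts, from the command keywords: with-hyphen -> XXXX-XXXX-XXXX,
with-hyphen normal -> XX-XX-XX-XX-XX-XX, colon -> ':' instead of '-',
without-hyphen -> XXXXXXXXXXXX, uppercase -> hex digits in upper case.
The separator joining format-include fields ("_" below) is also assumed.
"""
import re

FORMAT_INCLUDE_FIELDS = ("ip-address", "mac-address", "system-name")


def normalize_mac(mac):
    """Strip separators and validate; returns 12 lower-case hex digits."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits.lower()


def mac_username(mac, with_hyphen=True, normal=False, colon=False, uppercase=False):
    """static-user username macaddress format { with-hyphen [ normal ] [ colon ] | without-hyphen } [ uppercase ]"""
    h = normalize_mac(mac)
    if not with_hyphen:
        name = h
    else:
        sep = ":" if colon else "-"
        step = 2 if normal else 4
        name = sep.join(h[i:i + step] for i in range(0, 12, step))
    return name.upper() if uppercase else name


def static_user_credentials(ip, mac, system_name, *, macaddress_format=None,
                            format_include=("system-name", "ip-address"),
                            password=None, separator="_"):
    """Return (username, password) following the precedence stated in the guide.

    macaddress_format: None, or a dict of keyword arguments for mac_username
    plus an optional 'password_with_macaddress' flag. When present it overrides
    both format-include and the configured password (Step 3 priority rule).
    """
    if macaddress_format is not None:
        opts = dict(macaddress_format)
        use_mac_as_password = opts.pop("password_with_macaddress", False)
        name = mac_username(mac, **opts)
        return name, (name if use_mac_as_password else password)
    unknown = set(format_include) - set(FORMAT_INCLUDE_FIELDS)
    if unknown:
        raise ValueError(f"unsupported format-include field(s): {sorted(unknown)}")
    fields = {"ip-address": ip, "mac-address": normalize_mac(mac),
              "system-name": system_name}
    return separator.join(fields[f] for f in format_include), password


if __name__ == "__main__":
    # Constructed values for a printer with a fixed address.
    print(static_user_credentials("10.1.1.20", "00e0-fc12-3456", "SW1", password="s3cret"))
    print(static_user_credentials("10.1.1.20", "00e0-fc12-3456", "SW1",
                                  macaddress_format={"with_hyphen": False,
                                                     "password_with_macaddress": True}))
```

With password-with-macaddress the "secret" is the terminal's MAC address, which anyone on the same segment can read from the wire, so treat such accounts on the authentication server as identification rather than authentication and keep the VLAN or ACL they are authorized to correspondingly narrow.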

3.8.14 (Optional) Configuring Network Access Rights for Users in Different Authentication Stages

Context
To grant users rights to access certain network resources during access
authentication, you can configure network access rights for users.

● pre-authen: specifies the network access rights granted to users before authentication starts.
● authen-fail: specifies the network access rights granted to users when authentication fails.
● authen-server-down: specifies the network access rights granted to users when the authentication server does not respond.
NOTE
An authentication event configured in the interface view takes precedence over one configured in the system view, and both take precedence over the guest VLAN, restrict VLAN, and critical VLAN.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure network access rights for users in the system view or interface view.
● In the system view:
Run the authentication event { pre-authen | authen-fail | authen-server-down } { vlan vlan-id | user-group group-name } command to configure the network access rights in different authentication stages.
By default, no network access right is granted to users in different authentication stages.
● In the interface view:
1. Run the interface interface-type interface-number command to enter the interface view.
2. Configure the network access rights granted to users in different authentication stages. The command syntax differs between the Layer 2 physical interface view and the VLANIF interface view.
– Layer 2 physical interface view: authentication event { pre-authen | authen-fail | authen-server-down } { vlan vlan-id | user-group group-name }
– VLANIF interface view: authentication event { authen-fail | authen-server-down } user-group group-name
3. Run the quit command to return to the system view.
By default, no network access right is granted to users in different authentication stages.

Step 3 (Optional) Set the timeout period of the network access rights granted to users in different authentication stages. The configuration can be performed in the system view or interface view.
● In the system view:
Run the authentication event { pre-authen | authen-fail | authen-server-down } session-timeout session-time command to set the timeout period of the network access rights granted to users in different authentication stages.
By default, the timeout period of the network access rights granted to users is 15 minutes.
● In the interface view:
1. Run the interface interface-type interface-number command to enter the interface view.
2. Run the authentication event { pre-authen | authen-fail | authen-server-down } session-timeout session-time command to set the timeout period of the network access rights granted to users in different authentication stages.
By default, the timeout period of the network access rights granted to users is 15 minutes.
3. Run the quit command to return to the system view.

Step 4 (Optional) Configure the interval for re-authenticating users before the
authentication succeeds.
The device periodically re-authenticates the pre-connection users and the users
who fail to be authenticated so that the users can be authenticated in a timely
manner. You can configure the re-authentication interval according to the actual
networking.

● Pre-connection users: Run the authentication timer re-authen pre-authen reauth-time command to configure the interval for re-authenticating pre-connection users. By default, pre-connection users are re-authenticated at an interval of 60 seconds.
● Users who fail authentication: Run the authentication timer re-authen authen-fail reauth-time command to configure the interval for re-authenticating users who fail to be authenticated. By default, users who fail to be authenticated are re-authenticated at an interval of 60 seconds.

----End

3.8.15 (Optional) Configuring Terminal Type Awareness

Context
A device usually connects to many types of terminals. You may need to assign
different network access rights or packet processing priorities to the terminals of
different types. For example, the voice devices, such as IP phones, should be
assigned a high packet processing priority because voice signals require low delay
and jitter.
Using the terminal type awareness function, the device obtains terminal types and sends them to the authentication server. The authentication server then controls network access rights and policies, such as packet processing priorities, based on the terminal types.


After enabling any NAC authentication mode, the device can obtain user terminal
types in either of the following modes:
● DHCP option field mode: The device parses the required option field
containing terminal type information from the received DHCP request
packets. The device then sends the option field information to the RADIUS
server through a RADIUS accounting packet. Before selecting the DHCP option
field mode, you must enable the DHCP snooping function on the device. For
details, see Enabling DHCP Snooping in "DHCP Snooping Configuration" in
the S300, S500, S2700, S5700, and S6700 V200R020C10 Configuration Guide -
Security.
● LLDP TLV type mode: The device parses the required TLV type containing terminal type information from received LLDPDUs, encapsulates the TLV type information into the Huawei proprietary RADIUS attribute 163 HW-LLDP in RADIUS accounting packets, and sends the packets to the RADIUS server. Before selecting the LLDP TLV type mode, you must enable LLDP on the device and on the connected peer device. For details, see "Enabling LLDP" in "LLDP Configuration" in the S300, S500, S2700, S5700, and S6700 V200R020C10 Configuration Guide - Network Management Configuration.

NOTE

The terminal type awareness function takes effect only when the authentication or accounting mode in the AAA scheme is RADIUS.
The terminal type awareness function only provides the access device with a method of obtaining user terminal types; it does not itself assign network access policies to the terminals. The administrator configures the network access policies for terminals of different types on the RADIUS server.
In both modes the terminal type information is supplied by the terminal itself: DHCP option fields and LLDP TLVs are sent by the client and are not authenticated, so they identify a terminal without proving what it is. Use the terminal type to select policies such as priorities, and base access decisions on authenticated credentials.

Procedure
● In the DHCP option field mode
a. Run the system-view command to enter the system view.
b. Run the device-sensor dhcp option option-code &<1-6> command to
enable the terminal type awareness function based on the DHCP option
field.
By default, the terminal type awareness function based on the DHCP
option field is disabled.
● In the LLDP TLV type mode
a. Run the system-view command to enter the system view.
b. Run the device-sensor lldp tlv tlv-type &<1-4> command to enable the
LLDP-based terminal type awareness function.
By default, the LLDP-based terminal type awareness function is disabled.
----End
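The Python parser below is an added example for the DHCP option field mode and is not the switch's implementation. It walks the options area of a DHCP message (the RFC 2132 code/length/value layout that follows the magic cookie) and keeps the option codes that a device-sensor dhcp option configuration would select, which is the information the guide says the device forwards to the RADIUS server in accounting packets. The sample message is constructed here; option 60 (vendor class identifier) and option 55 (parameter request list) are common choices for terminal classification but are assumptions, as the guide does not name particular codes.

```python
"""Extraction of DHCP option fields for terminal type awareness (added example).

Parses the DHCP options area (RFC 2132 TLV layout after the magic cookie) and
keeps the codes given to 'device-sensor dhcp option'. The sample packet and the
vendor-class rules are constructed for this example.
"""
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255


def parse_dhcp_options(options_area):
    """Return {code: value} for a DHCP options area; stops at END (255)."""
    if not options_area.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i = len(MAGIC_COOKIE)
    found = {}
    while i < len(options_area):
        code = options_area[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options_area):
            raise ValueError("truncated option header")
        length = options_area[i + 1]
        value = options_area[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        found[code] = found.get(code, b"") + value   # repeated codes concatenate (RFC 3396)
        i += 2 + length
    return found


def device_sensor_dhcp(options_area, option_codes):
    """Keep only the codes configured with 'device-sensor dhcp option option-code &<1-6>'."""
    if not 1 <= len(option_codes) <= 6:
        raise ValueError("device-sensor dhcp option accepts 1 to 6 option codes")
    options = parse_dhcp_options(options_area)
    return {code: options[code] for code in option_codes if code in options}


def classify_terminal(options_area, vendor_rules):
    """Map the vendor class identifier (option 60) to a terminal type.

    The value is chosen by the client and is not authenticated, so this
    identifies a terminal without proving what it is.
    """
    vendor = parse_dhcp_options(options_area).get(60, b"")
    for prefix, kind in vendor_rules.items():
        if vendor.startswith(prefix):
            return kind
    return "unknown"


def build_options(*items):
    """Construct an options area from (code, value) pairs (used for the sample)."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in items)
    return MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed DHCPDISCOVER options from a hypothetical IP phone.
SAMPLE_OPTIONS = build_options(
    (53, b"\x01"),                        # DHCP message type: DISCOVER
    (60, b"Vendor-Phone/1.0"),            # vendor class identifier (made up)
    (55, bytes([1, 3, 6, 15, 42, 66])),   # parameter request list
    (12, b"phone-0042"),                  # host name
)
VENDOR_RULES = {b"Vendor-Phone": "voice", b"MSFT": "pc"}   # hypothetical mapping

if __name__ == "__main__":
    print(device_sensor_dhcp(SAMPLE_OPTIONS, [60, 55]))
    print(classify_terminal(SAMPLE_OPTIONS, VENDOR_RULES))
```

The length check on each option matters on the device side as well: DHCP snooping must be enabled before this mode is selected precisely because the options arrive from untrusted ports, and a malformed options area should be rejected rather than partially parsed.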

3.8.16 (Optional) Configuring Web Push

Context
When a user sends an HTTP/HTTPS packet to access a web page for the first time after the user is successfully authenticated, the device forcibly redirects the user to a specified web page. In addition to pushing advertisement pages, the device obtains user terminal information through the HTTP/HTTPS packets sent by users and applies the information to other services. There are two ways to push web pages:
1. URL: pushes the URL of the specified web page.
2. URL template: pushes a URL template. The URL template must have been
created and contains the URL of the pushed web page and URL parameters.
For the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H,
S6730-S, and S6730S-S, the forcible web page push function takes effect only for
the first HTTP or HTTPS packet sent from users. If an application that actively
sends HTTP or HTTPS packets is installed on a user terminal and the terminal has
sent HTTP or HTTPS packets before the user accesses a web page, the user is
unaware of the web page push process.
For switches except the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-
H, S6730S-H, S6730-S, and S6730S-S: The forcible web page push function takes
effect only when it is used together with a redirect ACL. If a redirect ACL exists in
the user table, a web page is forcibly pushed when HTTP or HTTPS packets from
users match the redirect ACL rule. Usually, you can configure the RADIUS server to
authorize the Huawei extended RADIUS attribute HW-Redirect-ACL or HW-IPv6-
Redirect-ACL to users for redirect ACL implementation, or run the redirect-acl
command to configure a redirect ACL.

Procedure
Step 1 Configure the URL template.
1. Run the system-view command to enter the system view.
2. Run the url-template name template-name command to create a URL
template and enter the URL template view.
By default, no URL template exists on the device.
3. Run the url [ push-only ] url-string command to configure the redirect URL
corresponding to the Portal server.
4. Run the url-parameter { redirect-url redirect-url-value | sysname sysname-
value | user-ipaddress user-ipaddress-value | user-mac user-mac-value |
login-url url-key url } * command to set the parameters carried in the URL.
By default, a URL does not carry parameters.
5. Run the url-parameter mac-address format delimiter delimiter { normal |
compact } command to set the MAC address format in the URL.
By default, the MAC address format in a URL is XXXXXXXXXXXX.
6. Run the parameter { start-mark parameter-value | assignment-mark
parameter-value | isolate-mark parameter-value } * command to set the
characters in the URL.
By default, the start character is ?, assignment character is =, and delimiter is
&.
7. Run the quit command to return to the system view.

NOTE

If web pages are pushed in URL mode, this step can be skipped.


Step 2 Configure the Web push function.
1. Run the aaa command to enter the AAA view.
2. Run the domain domain-name command to create an AAA domain and enter
the AAA domain view.
The device has two default domains: default and default_admin. The default
domain is used by common access users and the default_admin domain is
used by administrators.
3. Run the force-push { url-template template-name | url url-address }
command to enable the forcible URL template or URL push function.

----End
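The following Python class is an added example, not the switch's code, that renders the URL a force-push url-template would redirect a user to, following the Step 1 commands: url, url-parameter (the redirect-url-value, sysname-value, user-ipaddress-value and user-mac-value keywords become the query parameter names), url-parameter login-url, url-parameter mac-address format, and parameter start-mark, assignment-mark and isolate-mark. It assumes that "delimiter d normal" means six two-digit groups joined by d and "delimiter d compact" three four-digit groups, and that the default keeps the 12 hex digits as given. It percent-encodes every value before insertion, a step the guide does not describe, so that a user-chosen original URL cannot inject further query parameters into the pushed URL.

```python
"""Rendering of the URL a 'force-push url-template' redirects to (added example).

Parameter names, marks and MAC layouts follow the Step 1 commands; the
'normal'/'compact' layouts and the percent-encoding are assumptions.
"""
import re
from urllib.parse import quote

PARAMETER_KEYWORDS = ("redirect-url", "sysname", "user-ipaddress", "user-mac")


class UrlTemplate:
    def __init__(self, url):
        self.url = url                    # url [ push-only ] url-string
        self.start_mark = "?"             # parameter start-mark (default ?)
        self.assignment_mark = "="        # parameter assignment-mark (default =)
        self.isolate_mark = "&"           # parameter isolate-mark (default &)
        self.params = []                  # (keyword, query parameter name)
        self.login_url = None             # (url-key, url)
        self.mac_delimiter = None         # None -> XXXXXXXXXXXX (default)
        self.mac_layout = None            # 'normal' or 'compact'

    def url_parameter(self, keyword, name):
        """url-parameter { redirect-url | sysname | user-ipaddress | user-mac } name"""
        if keyword not in PARAMETER_KEYWORDS:
            raise ValueError(f"unknown url-parameter keyword {keyword!r}")
        self.params.append((keyword, name))

    def url_parameter_login_url(self, url_key, url):
        """url-parameter login-url url-key url"""
        self.login_url = (url_key, url)

    def mac_address_format(self, delimiter, layout):
        """url-parameter mac-address format delimiter delimiter { normal | compact }"""
        if layout not in ("normal", "compact"):
            raise ValueError("layout must be 'normal' or 'compact'")
        self.mac_delimiter, self.mac_layout = delimiter, layout

    def parameter(self, start_mark=None, assignment_mark=None, isolate_mark=None):
        """parameter { start-mark | assignment-mark | isolate-mark } value"""
        if start_mark is not None:
            self.start_mark = start_mark
        if assignment_mark is not None:
            self.assignment_mark = assignment_mark
        if isolate_mark is not None:
            self.isolate_mark = isolate_mark

    def format_mac(self, mac):
        digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
        if len(digits) != 12:
            raise ValueError(f"not a MAC address: {mac!r}")
        if self.mac_delimiter is None:
            return digits                 # default XXXXXXXXXXXX
        step = 2 if self.mac_layout == "normal" else 4
        return self.mac_delimiter.join(digits[i:i + step] for i in range(0, 12, step))

    def render(self, *, original_url, sysname, user_ip, user_mac):
        """Build the pushed URL; every name and value is percent-encoded."""
        values = {"redirect-url": original_url, "sysname": sysname,
                  "user-ipaddress": user_ip, "user-mac": self.format_mac(user_mac)}
        pairs = [(name, values[kw]) for kw, name in self.params]
        if self.login_url:
            pairs.append(self.login_url)
        if not pairs:
            return self.url
        query = self.isolate_mark.join(
            f"{quote(n, safe='')}{self.assignment_mark}{quote(v, safe='')}" for n, v in pairs)
        return f"{self.url}{self.start_mark}{query}"


def pushed_url(original_url="http://intranet.example/?a=1&b=2"):
    """Constructed template: hypothetical portal, constructed user values."""
    t = UrlTemplate("https://portal.example.com/push")
    t.url_parameter("user-ipaddress", "ip")
    t.url_parameter("user-mac", "mac")
    t.url_parameter("redirect-url", "orig")
    t.mac_address_format("-", "normal")
    return t.render(original_url=original_url, sysname="SW1",
                    user_ip="10.1.1.20", user_mac="00e0-fc12-3456")


if __name__ == "__main__":
    print(pushed_url())
    print(pushed_url("x&mac=evil"))   # the injected '&mac=' stays inside the orig value
```

The user's original URL is the only attacker-influenced value in the query string, and the second call shows why encoding it matters: without encoding, a crafted first request could overwrite the mac or ip parameter that the pushed page uses to identify the terminal.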

3.8.17 (Optional) Configuring the User Group Function

Context
In NAC applications, there are many access users, but user types are limited. You
can create user groups on the device and associate each user group to an ACL. In
this way, users in the same group share rules in the ACL.

After creating user groups, you can set priorities and VLANs for the user groups, so
that users in different user groups have different priorities and network access
rights. The administrator can then flexibly manage users.

NOTE

● When the user group function is enabled on models other than the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI, ACL rules are delivered to each user, so on those models the user group function cannot be used to save ACL resources.
● User group authorization information delivered by the authentication server takes precedence over user group authorization information applied in the AAA domain. If the server-delivered user group authorization cannot take effect, the user group applied in the AAA domain is used. For example, if only user group B exists on the device and is applied in the AAA domain, and the authentication server delivers authorization for user group A, the authorization for user group A cannot take effect and user group B is used. To make the user group authorization delivered by the authentication server take effect, ensure that this user group is configured on the device.
● If the authentication server authorizes multiple attributes and an authorized attribute overlaps an existing configuration on the device, the attributes take effect according to the minimum rule. For example, if the authentication server authorizes both a VLAN and a user group, and the user group on the device also has a VLAN configured, the VLAN authorized by the authentication server takes effect.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run user-group group-name

A user group is created and the user group view is displayed.


Step 3 Run acl-id acl-number

An ACL is bound to the user group.

By default, no ACL is bound to a user group.

NOTE

Before running this command, ensure that the ACL has been created using the acl or acl
name command and ACL rules have been configured using the rule command.

Step 4 Run user-vlan vlan-id

The user group VLAN is configured.

By default, no user group VLAN is configured.

NOTE

Before running this command, ensure that the VLAN has been created using the vlan
command.

Step 5 Run remark { 8021p 8021p-value | dscp dscp-value }*

The user group priority is configured.

By default, no user group priority is configured.

NOTE

Only the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
S6730S-S, S6720-EI, and S6720S-EI support this command.

Step 6 Run car { outbound | inbound } cir cir-value [ pir pir-value | cbs cbs-value | pbs
pbs-value ] *
The rate of traffic from users in the user group is limited.

By default, the rate of traffic from users in the user group is not limited.

NOTE

Only the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
S6730S-S, S6720-EI, and S6720S-EI support this command, and the user group CAR can
only be applied in the interface outbound direction (outbound) on the S6720-EI and
S6720S-EI.

Step 7 Run quit

Return to the system view.

Step 8 Run user-group group-name enable

The user group function is enabled.

The user group configuration takes effect only after the user group function is
enabled.

By default, the user group function is disabled.

----End


3.8.18 (Optional) Configuring Voice Terminals to Go Online Without Authentication

Context
When both data terminals (such as PCs) and voice terminals (such as IP phones)
are connected to switches, NAC is configured on the switches to manage and
control the data terminals. The voice terminals, however, only need to connect to
the network without being managed and controlled. In this case, you can
configure the voice terminals to go online without authentication on the switches.
Then the voice terminals identified by the switches can go online without
authentication.

NOTE

If an 802.1X user initiates authentication through a voice terminal, the switch processes the authentication request first. If the authentication succeeds, the terminal obtains the corresponding network access rights. If the authentication fails, the switch identifies the terminal type and allows the terminal to go online without authentication.

Pre-configuration Tasks
To enable the switches to identify the voice terminals, enable LLDP or configure
OUI for the voice VLAN on the switches. For details, see "Configuring Basic LLDP
Functions" in "LLDP Configuration" in the S300, S500, S2700, S5700, and S6700
V200R020C10 Configuration Guide - Network Management and Monitoring or
"Configuring a Voice VLAN Based on a MAC Address" in "Voice VLAN
Configuration" in the S300, S500, S2700, S5700, and S6700 V200R020C10
Configuration Guide - Ethernet Switching. If a voice device supports only CDP and not LLDP, configure CDP-compatible LLDP on the switch using the lldp compliance cdp receive command.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run authentication device-type voice authorize [ user-group group-name ]
The voice terminals are enabled to go online without authentication.
By default, voice terminals are disabled from going online without authentication.

NOTE

When user-group group-name is not specified, voice terminals obtain the corresponding network access rights after they pass authentication and go online. When user-group group-name is specified, voice terminals obtain the network access rights defined by the user group after they go online. To use a user group to define network access rights for voice terminals, run the user-group group-name command to create the user group and configure the network authorization information for users in the group. Note that the user group takes effect only after it is enabled.
If you run this command repeatedly, the latest configuration overrides the previous ones.

----End


3.8.19 (Optional) Configuring the MAC Address Migration Function

Context
The access locations of enterprise users' terminals change frequently. For example, employees take laptops to other offices for work or presentations. By default, a user cannot immediately initiate authentication and access the network after being switched to a new interface. The user can initiate authentication on the new interface only after the user offline detection interval expires, or after the authentication interface is manually shut down and re-enabled to clear the online user entry. To improve user experience, MAC address migration can be enabled so that the user can immediately initiate authentication and access the network after being switched to another access interface.
MAC address migration allows online NAC authentication users to immediately
initiate authentication and access the network after they are switched to other
access interfaces. If the user is authenticated successfully on the new interface, the
online user entry on the original interface is deleted immediately to ensure that
only one interface records the online user entry.
There are two typical MAC address migration scenarios, as shown in Figure 3-13.
Scenario one: The authentication point is deployed on an access switch, and the
user terminal is migrated from one authentication control point to another on the
same switch. Scenario two: The authentication point is deployed on an
aggregation switch. The authentication control point of the user terminal remains
unchanged, and the user terminal is migrated between different interfaces on the
same access switch or different access switches connected to the aggregation
switch.

Figure 3-13 Typical MAC address migration scenarios


NOTE

● In normal cases, enabling MAC address migration is not recommended. Enable it only when
users need to migrate while roaming. Keeping it disabled prevents unauthorized users from
forging the MAC addresses of online users and sending ARP, 802.1X, or DHCP packets on other
authentication control interfaces to trigger MAC address migration and force authorized
users offline.
● Cascading migration through intermediate devices is not supported, because ARP and DHCP
packets are not sent after the cascading migration.
● MAC address migration is not supported for Layer 3 Portal authentication users.
● In the Layer 2 BNG scenario, the device does not support MAC address migration.
● If a user is switched from an interface configured with NAC authentication to another
interface that is not configured with NAC authentication, the user can access the network
only after the original online entry ages, because the new interface cannot send
authentication packets to trigger MAC address migration.
● In common mode, Portal authentication is triggered only after users who go online through
a VLANIF interface send ARP packets and go offline; otherwise, the users can go online again
only after the original user online entries age out. Portal authentication cannot be triggered
after users who go online through physical interfaces migrate. The users can go online again
only after the original user online entries age out.
● After a user who goes online from a VLANIF interface is quieted because of multiple MAC
address migrations, MAC address migration can be performed for the quieted user only after
the quiet period expires and the ARP entry is aged out.
● When an authorized VLAN is specified in the authentication mac-move enable vlan
command, you are advised to enable the function of detecting the user status before user
MAC address migration.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run authentication mac-move enable vlan { all | { vlan-id1 [ to vlan-id2 ] } &<1-10> }
The MAC address migration function is enabled.
By default, MAC address migration is disabled.
VLANs need to be specified for users in MAC address migration. The VLANs before
and after the migration can be specified for the users, and they can be the same
or different.
Step 3 (Optional) Configure the MAC address migration quiet function.
When users frequently switch access interfaces (especially frequent switching due
to loops), the device needs to process a large number of authentication packets
and entries, which results in high CPU usage. To solve this problem, configure the
MAC address migration quiet function. If the number of MAC address migration
times for a user within 60 seconds exceeds the upper limit after the MAC address
migration quiet function is enabled, the device quiets the user for a certain period.
During the quiet period, the device does not allow users to perform MAC address
migration.
In addition, the device can send logs and alarms about MAC address migration to
improve maintainability of the MAC address migration quiet function.


1. Run authentication mac-move { quiet-times times | quiet-period quiet-value } *
The quiet period and the maximum number of MAC address migration times
within 60 seconds before users enter the quiet state are configured.
The default quiet period is 0 seconds and the maximum number of MAC
address migration times within 60 seconds before users enter the quiet state
is 3.
2. Run authentication mac-move quiet-log enable
The device is enabled to record logs about MAC address migration quiet.
By default, the device is enabled to record logs about MAC address migration
quiet.
After this function is enabled, the device records logs when adding or deleting
MAC address migration quiet entries.
3. Run authentication mac-move quiet-user-alarm percentage lower-threshold upper-threshold
The upper and lower alarm thresholds for the percentage of MAC address
migration users in quiet state are configured.
By default, the lower alarm threshold is 50 and upper alarm threshold is 100.
4. Run authentication mac-move quiet-user-alarm enable
The device is enabled to send alarms about MAC address migration quiet.
By default, the device is disabled from sending alarms about MAC address
migration quiet.
After this function is enabled, the device sends an alarm when the percentage of
users in the MAC address migration quiet table against the maximum number of
users exceeds the configured upper alarm threshold. If the percentage decreases to
be equal to or smaller than the lower alarm threshold, the device sends a clear
alarm.

Step 4 (Optional) Enable a device to detect users' online status before user MAC address
migration.

To prevent unauthorized users from spoofing online users to attack a device, run
the authentication mac-move detect enable command to enable the device to
detect users' online status before user MAC address migration. If no users are
online, the device permits MAC address migration and allows users to go online
from a new access interface. If a user is online, the device terminates MAC address
migration and does not allow the user to go online from a new access interface.

1. Run authentication mac-move detect enable
A device is enabled to detect users' online status before user MAC address
migration.
By default, a device is disabled from detecting users' online status before user
MAC address migration.
2. Run authentication mac-move detect { retry-interval interval | retry-time times } *
The detection interval and maximum number of detections are set.


By default, a device detects users' online status once. The detection interval is
3 seconds.

----End
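The four steps above interact: the VLAN list decides whether a migration is even considered, the quiet function rate-limits migrations per MAC, the detect step rejects a migration when the user still answers on the original interface (the spoofing case from the note above), and the alarm thresholds report how many users are quieted. The following is an added example that models those checks as a small policy object; it is constructed for this page and is not Huawei code. The sliding 60-second window, the defaults (quiet-times 3, quiet-period 0, thresholds 50/100) and the evaluation order are taken from the text; the order of the checks, the meaning of quiet-period 0 as "quiet disabled" and the interface names are assumptions.

```python
from collections import deque

MAC_MOVE_WINDOW = 60  # the page counts a user's migrations within a 60-second window


class MacMovePolicy:
    """Constructed model of the MAC address migration checks (not Huawei code).

    enable_vlans: VLAN ids given to 'authentication mac-move enable vlan' (None = all)
    quiet_times:  migrations allowed within 60 s before the user is quieted (default 3)
    quiet_period: seconds a quieted user stays quieted (default 0, assumed = disabled)
    detect:       'authentication mac-move detect enable' (probe the old interface first)
    """

    def __init__(self, enable_vlans=None, quiet_times=3, quiet_period=0, detect=False):
        self.enable_vlans = set(enable_vlans) if enable_vlans is not None else None
        self.quiet_times = quiet_times
        self.quiet_period = quiet_period
        self.detect = detect
        self.online = {}       # mac -> (interface, vlan) of the current online entry
        self.moves = {}        # mac -> deque of recent migration timestamps
        self.quiet_until = {}  # mac -> time at which the quiet period ends
        self.alarm_raised = False

    def login(self, mac, iface, vlan):
        """Record a user that passed authentication on iface."""
        self.online[mac] = (iface, vlan)

    def request_move(self, mac, new_iface, new_vlan, now, old_iface_alive=False):
        """Decide whether an authentication packet seen on new_iface may migrate the user.

        old_iface_alive models the detect step: True means the user still answered the
        probe on the original interface, so the packet on new_iface is treated as spoofing.
        Returns (allowed, reason).
        """
        if mac not in self.online:
            return True, "no online entry; normal authentication"
        old_iface, old_vlan = self.online[mac]
        if old_iface == new_iface:
            return True, "same interface"
        if self.enable_vlans is not None and not {old_vlan, new_vlan} <= self.enable_vlans:
            return False, "VLAN not enabled for mac-move; wait for the old entry to age"
        if now < self.quiet_until.get(mac, 0):
            return False, "user is quieted"
        if self.detect and old_iface_alive:
            return False, "user still online on the old interface; migration rejected"
        # Sliding 60-second window of migrations for this MAC.
        recent = self.moves.setdefault(mac, deque())
        while recent and now - recent[0] >= MAC_MOVE_WINDOW:
            recent.popleft()
        recent.append(now)
        if self.quiet_period > 0 and len(recent) > self.quiet_times:
            self.quiet_until[mac] = now + self.quiet_period
            recent.clear()
            return False, "too many migrations in 60 s; user quieted"
        # Successful migration: the old entry is replaced, so only one interface holds it.
        self.online[mac] = (new_iface, new_vlan)
        return True, "migrated"

    def quiet_user_count(self, now):
        return sum(1 for t in self.quiet_until.values() if t > now)

    def alarm_event(self, now, max_users, lower=50, upper=100):
        """Hysteresis alarm from 'quiet-user-alarm percentage lower upper'.

        Returns 'alarm' when the quieted share rises above upper, 'clear' when it falls
        back to lower or below, otherwise None.
        """
        pct = 100 * self.quiet_user_count(now) / max_users
        if pct > upper and not self.alarm_raised:
            self.alarm_raised = True
            return "alarm"
        if pct <= lower and self.alarm_raised:
            self.alarm_raised = False
            return "clear"
        return None
```

With the defaults, a fourth migration inside one minute quiets the user, and a MAC that is seen on a new interface while the original interface still answers the probe is refused rather than migrated, which is the behaviour the detect step exists for.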

Verifying the Configuration


● Run the display authentication mac-move configuration command to view
configurations about the MAC address migration function.
● Run the display authentication mac-move quiet-user { all | mac-address
mac-address } command to view information about MAC address migration
users in quiet state.

3.8.20 (Optional) Enabling System Log Suppression

Context
When a user fails in authentication or goes offline, the device records a system
log. The system log contains the MAC addresses of access device and access user
and the authentication time.

If a user repeatedly attempts to go online after authentication failures or
frequently goes online and offline in a short period, a lot of system logs are
generated, which waste system resources and degrade system performance.
System log suppression can address this problem. After the device generates a
system log, it will not generate the same log within the suppression period.

NOTE

The same system logs refer to system logs containing the same MAC addresses. For
example, after the device generates a system log for a user who fails authentication, the
device does not generate a new system log for this user within the suppression period if the
user fails authentication again. System logs for users going offline are suppressed in the
same way.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run access-user syslog-restrain enable

The system log suppression is enabled.

By default, system log suppression is enabled.

Step 3 Run access-user syslog-restrain period period

A period for system log suppression is set.

By default, the period of system log suppression is 300s.

----End
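To make the suppression rule concrete, here is an added example (constructed for this page, not Huawei code) that applies the logic described above to a handful of constructed NAC events: a log is dropped when a log with the same event type and the same user MAC was generated less than the suppression period (default 300 s) earlier. Keying on the event type as well as the MAC is an assumption drawn from the note that failure and logout logs are handled separately; the MAC addresses and timestamps are made up.

```python
class SyslogRestrain:
    """Constructed model of 'access-user syslog-restrain' (not Huawei code).

    A log is suppressed when a log with the same event type and user MAC was already
    generated less than `period` seconds ago (defaults: enabled, 300 s).
    """

    def __init__(self, enabled=True, period=300):
        self.enabled = enabled
        self.period = period
        self._last = {}  # (event, mac) -> timestamp of the last log that was generated

    def should_log(self, event, mac, now):
        if not self.enabled:
            return True
        key = (event, mac.lower())
        last = self._last.get(key)
        if last is not None and now - last < self.period:
            return False  # same log within the suppression period: drop it
        self._last[key] = now
        return True


def generated_logs(events, restrain):
    """Return the events that would actually produce a system log, in order."""
    return [e for e in events if restrain.should_log(e["event"], e["mac"], e["t"])]


# Constructed sample: one user failing repeatedly, a logout, and a second user.
SAMPLE_EVENTS = [
    {"t": 0,   "event": "auth-fail", "mac": "00e0-fc12-3456"},
    {"t": 5,   "event": "auth-fail", "mac": "00e0-fc00-0001"},
    {"t": 10,  "event": "auth-fail", "mac": "00e0-fc12-3456"},  # suppressed
    {"t": 50,  "event": "logout",    "mac": "00e0-fc12-3456"},  # different event: logged
    {"t": 120, "event": "auth-fail", "mac": "00e0-fc12-3456"},  # suppressed
    {"t": 310, "event": "auth-fail", "mac": "00e0-fc12-3456"},  # period expired: logged
]


def sample_log_times(enabled=True, period=300):
    """Timestamps of the sample events that survive suppression with the given settings."""
    return [e["t"] for e in generated_logs(SAMPLE_EVENTS, SyslogRestrain(enabled, period))]
```

One consequence worth knowing when reading logs during an incident: with suppression on, a burst of failures from one MAC shows up as a single line every 300 s, so the count of log lines is not the count of attempts.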


3.8.21 Configuring the Bandwidth Share Mode

Context
On a home network, all family members go online using the same account. To
improve service experience of family members, you can configure the bandwidth
share mode so that all members can share the bandwidth.

NOTE

The bandwidth share mode is supported by the S5731-H, S5731S-H, S5731-S, S5731S-S,
S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Enter a domain view.
1. Run aaa
The AAA view is displayed.
2. Run domain domain-name
The domain view is displayed.
Step 3 Run band-width share-mode
The bandwidth share mode is enabled.
By default, the bandwidth share mode is disabled.
● If this command is run in the system view, it takes effect for all new online
users who connect to the device. If this command is run in the AAA domain
view, it takes effect only for new online users in the domain.
● If the local or remote RADIUS server does not assign CAR settings to the users
who will go online and the online users, the share mode is invalid to the
users.
● If the bandwidth share mode is enabled and different users use the same
account for authentication, the users going online with no CAR settings
assigned will not be affected when CAR settings are assigned to the users
who go online later.

----End

3.8.22 Enabling the Device to Dynamically Adjust the Rate at Which It Processes Packets from NAC Users

Context
When a lot of NAC users send authentication or log off requests to the device, the
CPU usage may be overloaded especially when the CPU or memory usage is
already high (for example, above 80%). After the device is enabled to dynamically
adjust the rate of packets from NAC users, the device limits the number of NAC
packets received per second if the CPU or memory usage is high. This function
reduces loads on the device CPU.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run authentication speed-limit auto
The device is enabled to dynamically adjust the rate at which it processes packets
from NAC users.

----End

3.8.23 Configuring the Function of Keeping Users Online When the Port Type or VLAN Is Changed

Context
After user access authentication succeeds, you can change the VLAN allowed to
access or the access interface type through the RADIUS server. For example, you
can assign VLANs to clients through the server for network planning and
deployment. After the deployment is complete, to reduce the impact of link faults
and device restart on the network and implement rapid network restoration, you
can change the user access VLAN to the authorized VLAN. In this case, you can
enable the function of keeping users online when the port type or VLAN is
changed to modify interface or VLAN configurations.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run authentication port-vlan-modify user-online
The function of keeping users online when the port type or VLAN is changed is
enabled.
By default, the function of keeping users online when the port type or VLAN is
changed is disabled.
Step 3 Run display webmng configuration
The configuration of the WEBMNG module is displayed.

----End


3.8.24 (Optional) Configuring the User Logout Delay Function When an Interface Link Is Faulty

Context
If a link is faulty, the interface is interrupted and users are directly logged out. To
solve this problem, you can configure the user logout delay function. When the
interface link is faulty, the users remain online within the delay. In this case, if the
link is restored, the users do not need to be re-authenticated. If the users are
disconnected after the delay and the link is restored, the users need to be re-
authenticated.

NOTE

● This function takes effect only for wired users who go online on Layer 2 physical interfaces
that have been configured with NAC authentication.
● To make the function take effect, it is recommended that the configured interval be greater
than the time during which the interface is in Up state. If the link frequently flaps within a
short period, it is recommended that the interval be set to unlimited.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The interface view is displayed.

Step 3 Run link-down offline delay { delay-value | unlimited }

The user logout delay is configured when an interface link is faulty.

The default user logout delay is 10 seconds when an interface link is faulty.

If the delay is 0, users are logged out immediately when the interface link is faulty.
If the delay is unlimited, users are not logged out when the interface link is faulty.

----End

3.8.25 Verifying the MAC Address Authentication Configuration

Context
You can run the commands to check the configured parameters after completing
the MAC address authentication configuration.

Procedure
● Run the display mac-authen [ interface { interface-type interface-number1
[ to interface-number2 ] } &<1-10> ] command to check the configuration of
MAC address authentication.


● Run the display mac-address authen [ interface-type interface-number |
vlan vlan-id ] * [ verbose ] command to check the current authen MAC
address entries in the system.
● Run the display user-group [ group-name ] command to check the user
group configuration.
● Run the display access-user command to check information about online
NAC users.
● Run the display aaa statistics access-type-authenreq command to verify the
number of authentication requests.
● Run the display mac-authen quiet-user { all | mac-address mac-address }
command to view information about MAC address authentication users who
are quieted.
● Run the display mac-address pre-authen [ interface-type interface-number |
vlan vlan-id ] * [ verbose ] command to view the current pre-authen MAC
address entries in the system.
● Run the display port connection-type access all command to check all
current downlink interfaces on the device.

----End

3.9 Configuring Portal Authentication

In Portal authentication, users do not need a dedicated client. The Portal server
provides users with free portal services and a Portal authentication page. Portal
authentication supports both an external Portal server and the built-in Portal server.

Pre-configuration Tasks
Portal authentication only provides a user authentication solution. To implement
this solution, the AAA function must also be configured. Therefore, complete the
following tasks before you configure Portal authentication:

● Configure the authentication domain and AAA scheme on the AAA client.
● Configure the user name and password on the RADIUS or HWTACACS server
if RADIUS or HWTACACS authentication is used.
● Configure the user name and password manually on the network access
device if local authentication is used.

For the configuration of AAA client, see 1 AAA Configuration.

3.9.1 Configuring Portal Server Parameters

Context
During Portal authentication, you must configure parameters for the Portal server
(for example, the IP address for the Portal server) to ensure smooth
communication between the device and the Portal server.


Procedure
● Configuring parameters for the external Portal server (binding URL)
a. Run system-view
The system view is displayed.
b. Run web-auth-server server-name
A Portal server template is created and the Portal server template view is
displayed.
By default, no Portal server template is created.
c. Run server-ip { server-ip-address &<1-10> | ipv6 server-ipv6-address
&<1-3> }
An IP address is configured for the Portal server.
By default, no IP address is configured for the Portal server.

NOTE

The IP address for the Portal server is the IP address for the external Portal server.
d. Run url url-string
A URL is configured for the Portal server.
By default, a Portal server does not have a URL.
e. Run shared-key cipher key-string
The shared key that the device uses to exchange information with the
Portal server is configured.
By default, no shared key is configured.
● Setting parameters of the URL corresponding to an external Portal server
(binding URL template)
a. Configure the URL template.
i. Run the system-view command to enter the system view.
ii. Run the url-template name template-name command to create a
URL template and enter the URL template view.
By default, no URL template exists on the device.
iii. Run the url [ redirect-only ] url-string command to configure the
redirect URL corresponding to the Portal server.
By default, no redirect URL is configured for the Portal server.
iv. Run the url-parameter { redirect-url redirect-url-value | sysname
sysname-value | user-ipaddress user-ipaddress-value | user-mac
user-mac-value } * command to set the parameters carried in the
URL.
By default, a URL does not carry parameters.
v. Run the url-parameter mac-address format delimiter delimiter
{ normal | compact } command to set the MAC address format in
the URL.
By default, the MAC address format in a URL is XXXXXXXXXXXX.


vi. Run the parameter { start-mark parameter-value | assignment-mark parameter-value | isolate-mark parameter-value } * command
to set the characters in the URL.
By default, the start character is ?, assignment character is =, and
delimiter is &.
vii. Run the quit command to return to the system view.
b. Set parameters for the external Portal server.
i. Run the web-auth-server server-name command to create a Portal
server template and enter the Portal server template view.
By default, no Portal server template is created.
ii. Run the server-ip { server-ip-address &<1-10> | ipv6 server-ipv6-
address &<1-3> } command to set the IP address corresponding to
the Portal server.
By default, no IP address is configured for the Portal server.
iii. Run the url-template url-template [ ciphered-parameter-name
ciphered-parameter-name iv-parameter-name iv-parameter-name
key cipher key-string ] command to bind a URL template to the
Portal server template.
By default, no URL template is bound to a Portal server template.
NOTE

The device supports encryption of parameter information in the URL template
only when it connects to the Huawei Agile Controller-Campus or iMaster NCE-
Campus.
iv. Run the shared-key cipher key-string command to configure the
shared key that the device uses to exchange information with the
Portal server.
By default, no shared key is configured.
----End
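The URL template steps above describe how the device composes the redirect URL: the base URL from url, the parameters chosen with url-parameter, the MAC format from url-parameter mac-address format, and the start, assignment and isolate characters from parameter. The following added example (constructed for this page, not Huawei code or the device's actual implementation) builds such a URL from a dictionary that mirrors the template view. Two points it makes explicit: the redirect-url value is the user's original request URL and must be percent-encoded so that a ? or & inside it cannot break the parameter list, and the two MAC styles are interpreted here as "normal" = six two-digit groups and "compact" = three four-digit groups, which is an assumption since the page only states the default XXXXXXXXXXXX. The template values, host names and addresses are placeholders.

```python
from urllib.parse import quote


def format_mac(mac, delimiter="", style=None):
    """Render a MAC as 'url-parameter mac-address format delimiter <d> { normal | compact }' would.

    Assumed meanings (the page only gives the default XXXXXXXXXXXX): normal = six
    two-digit groups, compact = three four-digit groups, style None = the default.
    """
    digits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if style is None:
        return digits
    group = 2 if style == "normal" else 4
    return delimiter.join(digits[i:i + group] for i in range(0, 12, group))


def build_url(base, params, start_mark="?", assignment_mark="=", isolate_mark="&"):
    """Append (name, value) pairs using the characters set with 'parameter start-mark ...'."""
    if not params:
        return base
    # safe='' percent-encodes '/', '?', '=', '&' too, so a value cannot inject parameters.
    pairs = [f"{name}{assignment_mark}{quote(str(value), safe='')}" for name, value in params]
    return base + start_mark + isolate_mark.join(pairs)


def portal_redirect_url(template, user_ip, user_mac, sysname, original_url):
    """Compose the redirect URL for one user from a dict that mirrors a URL template.

    template keys (constructed): url, url_parameter (option -> parameter name carried
    in the URL), mac_delimiter, mac_style, start_mark, assignment_mark, isolate_mark.
    """
    names = template["url_parameter"]
    values = {
        "redirect-url": original_url,
        "sysname": sysname,
        "user-ipaddress": user_ip,
        "user-mac": format_mac(user_mac, template.get("mac_delimiter", ""),
                               template.get("mac_style")),
    }
    # Only the options configured with url-parameter are carried; the order is assumed.
    params = [(names[opt], values[opt]) for opt in
              ("redirect-url", "sysname", "user-ipaddress", "user-mac") if opt in names]
    return build_url(template["url"], params,
                     template.get("start_mark", "?"),
                     template.get("assignment_mark", "="),
                     template.get("isolate_mark", "&"))


# Constructed template: placeholder values, not a real deployment.
EXAMPLE_TEMPLATE = {
    "url": "https://portal.example.com/login",
    "url_parameter": {"redirect-url": "url", "sysname": "nasname",
                      "user-ipaddress": "userip", "user-mac": "usermac"},
    "mac_delimiter": "-",
    "mac_style": "normal",
}
```

When the Portal server later reads these parameters back, it should treat them as untrusted input from the client's HTTP request, since anything between the user and the device can alter the original URL before the redirect is issued.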

3.9.2 Enabling Portal Authentication

Context
The device can communicate with the Portal server after the parameters of the
Portal server are configured. To enable Portal authentication for access users, you
must enable Portal authentication on the device.
To enable Portal authentication, you only need to bind the configured Portal
server template to an interface.

Procedure
● Enable Portal authentication on the device.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.


NOTE

In common mode, Layer 2 Ethernet interfaces do not support Portal authentication.


c. (Optional) On an Ethernet interface, run undo portswitch

The interface is switched to Layer 3 mode.

By default, an Ethernet interface works in Layer 2 mode.

NOTE

Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S, and S6730S-S support switching between Layer 2
and Layer 3 modes.
d. Run web-auth-server server-name [ bak-server-name ] { direct | layer3 }

The Portal server template is bound to the interface.

By default, no Portal server template is bound to an interface.

----End

3.9.3 (Optional) Configuring Parameters for Information Exchange with the Portal Server

Context
Context
In Portal authentication network deployment, if the Portal server is an external
Portal server, you can configure parameters for information exchange between the
device and the Portal server to improve communication security.
NOTE

This function applies only to external Portal servers.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run web-auth-server version v2 [ v1 ]

Portal protocol versions supported by the device are configured.

By default, the device supports Portal protocol versions v1 and v2.

NOTE

To ensure smooth communication, use the default setting so that the device uses both
versions.

Step 3 Run web-auth-server listening-port port-number

The port number through which the device listens to Portal protocol packets is set.

By default, the device listens to the Portal protocol packets through port 2000.


Step 4 Run web-auth-server reply-message

The device is enabled to transparently transmit the authentication responses sent
by the authentication server to the Portal server.

By default, the device transparently transmits the authentication responses sent by
the authentication server to the Portal server.

Step 5 Run web-auth-server server-name

The Portal server template view is displayed.

Step 6 Run source-ip ip-address

The source IP address for communication with a Portal server is configured.

By default, no source IP address is configured for the device.

Step 7 Run port port-number [ all ]

The destination port number through which the device sends packets to the Portal
server is set.

By default, port 50100 is used as the destination port when the device sends
packets to the Portal server.

NOTE

Ensure that the port number configured on the device is the same as that used by the Portal
server.

Step 8 Run vpn-instance vpn-instance-name

The VPN instance used by the device to communicate with the Portal server is
configured.

By default, no VPN instance is configured for communication between the device
and Portal server.

Step 9 Run the quit command to return to the system view.

Step 10 After disconnecting a Portal authentication user, the device sends a user logout
packet (NTF-LOGOUT) to instruct the Portal server to delete the user information.
If the network between the device and Portal server is not stable or packets are
lost, the Portal server may fail to receive the user logout packet from the device
after the Portal authentication user is disconnected. In this case, the user is
displayed as disconnected on the device but still as online on the Portal server. To
enable the Portal server to receive the user logout packet and ensure that the
online user information on the Portal server is correct, the administrator can
enable the user logout packet re-transmission function on the device and
configure the re-transmission times and interval.

Run portal logout resend times timeout period

The re-transmission times and interval for the Portal authentication user logout
packet are configured.

By default, the Portal authentication user logout packet can be re-transmitted
three times within five seconds.


Step 11 Run portal logout different-server enable

The device is enabled to process user logout requests sent by a Portal server other
than the one from which users log in.

By default, a device does not process user logout requests sent by Portal servers
other than the one from which users log in.

----End

3.9.4 (Optional) Setting Access Control Parameters for Portal Authentication Users

Context
During deployment of the Portal authentication network, you can set access
control parameters for Portal authentication users to flexibly control the user
access. For example, you can set authentication-free rules for Portal
authentication users so that the users can access specified network resources
without being authenticated or when the users fail authentication. You can
configure the source authentication subnet to allow the device to authenticate
only users in the source authentication subnet, while users in other subnets cannot
pass Portal authentication.

Procedure
● Set access control parameters for Portal authentication users.
a. Run system-view
The system view is displayed.
b. Set the Portal authentication-free rule using the following command
syntax:

▪ Run portal free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } [ tcp destination-port port | udp destination-port port ] | any } } | source { any | { interface interface-type interface-number | ip { ip-address mask { mask-length | ip-mask } | any } | vlan vlan-id }* } }*
The Portal authentication-free rule is set.

▪ Run portal free-rule rule-id source ip ip-address mask { mask-length | ip-mask } [ mac mac-address ] [ interface interface-type interface-number ] destination user-group group-name
The Portal authentication-free rule is set.
By default, no Portal authentication-free rule is set.
c. Set the maximum number of Portal authentication users.
i. Run portal max-user user-number
The maximum number of Portal authentication users is set.
By default, the number of Portal authentication users is the
maximum number of Portal authentication users supported by the
device.


ii. Run portal user-alarm percentage percent-lower-value percent-upper-value
The alarm threshold for the Portal authentication user count
percentage is set.
By default, the lower alarm threshold for the Portal authentication
user count percentage is 50, and the upper alarm threshold for the
Portal authentication user count percentage is 100.
d. Run interface interface-type interface-number
The interface view is displayed.
e. (Optional) On an Ethernet interface, run undo portswitch
The interface is switched to Layer 3 mode.
By default, an Ethernet interface works in Layer 2 mode.

NOTE

Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S, and S6730S-S support switching between Layer 2
and Layer 3 modes.
f. Run portal auth-network network-address { mask-length | mask-
address }
The source subnet is set for Portal authentication.
By default, the source authentication subnet is 0.0.0.0/0, indicating that
users in all subnets must pass Portal authentication.

NOTE

The command takes effect for only Layer 3 Portal authentication. In Layer 2
Portal authentication, users on all subnets must be authenticated.
g. Run portal domain domain-name
A forcible Portal authentication domain name is set.
By default, no forcible Portal authentication domain name is set.
----End
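Authentication-free rules punch holes in the pre-authentication isolation that Portal relies on, so it is worth being precise about what a rule matches. The following added example (constructed for this page, not Huawei code) evaluates constructed packets against a small rule set modelled on the portal free-rule syntax above: every field that a rule configures must match, an omitted field behaves like any, and the first matching rule wins. Evaluating rules in ascending rule-id order is an assumption, as are the sample addresses (documentation ranges) and the interpretation of the user-group form, which the model leaves out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class FreeRule:
    """One 'portal free-rule' (constructed model, not Huawei code). None means 'any'."""
    rule_id: int
    src_ip: Optional[str] = None         # "address/prefix" from 'source ip ... mask ...'
    src_vlan: Optional[int] = None       # 'source vlan vlan-id'
    src_interface: Optional[str] = None  # 'source interface ...'
    dst_ip: Optional[str] = None         # "address/prefix" from 'destination ip ... mask ...'
    dst_proto: Optional[str] = None      # 'tcp' or 'udp', together with dst_port
    dst_port: Optional[int] = None


def _in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule, pkt):
    """Every configured field must match; unset fields match anything."""
    if rule.src_ip is not None and not _in_net(pkt["src_ip"], rule.src_ip):
        return False
    if rule.src_vlan is not None and pkt.get("vlan") != rule.src_vlan:
        return False
    if rule.src_interface is not None and pkt.get("interface") != rule.src_interface:
        return False
    if rule.dst_ip is not None and not _in_net(pkt["dst_ip"], rule.dst_ip):
        return False
    if rule.dst_proto is not None and (pkt.get("proto") != rule.dst_proto
                                       or pkt.get("dst_port") != rule.dst_port):
        return False
    return True


def authentication_free_rule(rules, pkt):
    """Return the id of the first matching rule (lowest id first, an assumption), or None.

    None means the packet gets the normal pre-authentication treatment (redirect to Portal).
    """
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, pkt):
            return rule.rule_id
    return None


# Constructed rule set: DNS and the Portal server are reachable before authentication,
# and everything from VLAN 100 is exempt. Rule 3 is deliberately broad to show the
# difference between a narrow destination/port rule and a whole-VLAN exemption.
SAMPLE_RULES = [
    FreeRule(1, dst_ip="10.0.0.53/32", dst_proto="udp", dst_port=53),
    FreeRule(2, dst_ip="10.0.0.80/32", dst_proto="tcp", dst_port=443),
    FreeRule(3, src_vlan=100),
]
```

Rules 1 and 2 exempt exactly one service each; rule 3 exempts every destination for a whole VLAN, which is the kind of rule to review periodically, since any host that lands in that VLAN bypasses Portal authentication entirely.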

3.9.5 (Optional) Setting the Source Address of Offline Detection Packets

Context
The device sends an ARP probe packet to check the user online status. If the user
does not respond within a detection period, the device considers that the user is
offline.

Procedure
Step 1 Run system-view
The system view is displayed.


Step 2 Set the source address of offline detection packets.

● Run access-user arp-detect default ip-address ip-address
The default source IP address of offline detection packets is set.
By default, the default source IP address of offline detection packets is 0.0.0.0.
● Run access-user arp-detect vlan vlan-id ip-address ip-address mac-address
mac-address
The source IP address and source MAC address are specified for offline
detection packets in a VLAN.
By default, the source IP address and source MAC address are not specified for
offline detection packets in a VLAN.
You are advised to set the user gateway IP address and its corresponding MAC
address as the source IP address and source MAC address of offline detection
packets.
● Run access-user arp-detect fallback ip-address { mask | mask-length }
The IP address required for calculating the source address of offline detection
packets is configured.
By default, no IP address is configured for the device to calculate the source
address of offline detection packets.
NOTE

The following source IP addresses used in offline detection packets are listed in descending
order of priority:
1. IP address and MAC address of the VLANIF interface corresponding to the VLAN that users
belong to and on the same network segment as users
2. Source IP address specified using the access-user arp-detect vlan vlan-id ip-address ip-
address mac-address mac-address command for offline detection packets in a specified
VLAN
3. Source IP address calculated based on the IP address specified using the access-user arp-
detect fallback ip-address { mask | mask-length } command
4. Default source IP address specified using the access-user arp-detect default ip-address ip-
address command for offline detection packets.

Step 3 Run access-user arp-detect delay delay

The delay for sending offline detection packets is configured.

By default, the delay in sending offline detection packets is 10 seconds.

----End
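The note above gives the priority order for the source address of the ARP probe but not how the device chooses in practice, so here is an added example (constructed for this page, not Huawei code) that applies that order to a constructed topology: a VLANIF address on the user's segment wins, then the per-VLAN address, then an address derived from the fallback setting, and finally the default address. The page does not state how the fallback address is "calculated"; this model assumes that the user's network bits are combined with the host bits of the configured fallback address so that the probe is sourced from the user's own subnet, which is why the page recommends the gateway's IP and MAC. That formula, the VLAN numbers, addresses and MACs are assumptions.

```python
import ipaddress


def arp_probe_source(user_ip, user_vlan, vlanif_addrs, per_vlan, fallback=None,
                     default_ip="0.0.0.0"):
    """Pick the source of the offline-detection ARP probe in the page's priority order.

    Constructed model, not Huawei code.
    vlanif_addrs: vlan -> list of ("ip/prefix", mac) configured on that VLANIF
    per_vlan:     vlan -> (ip, mac) from 'access-user arp-detect vlan ... ip-address ... mac-address ...'
    fallback:     "ip/prefix" from 'access-user arp-detect fallback ip-address ...'
    default_ip:   from 'access-user arp-detect default ip-address ...' (0.0.0.0 by default)
    Returns (source_ip, source_mac, reason); mac None stands for the device's own MAC (assumed).
    """
    uip = ipaddress.ip_address(user_ip)
    # 1. VLANIF address on the user's own segment.
    for addr, mac in vlanif_addrs.get(user_vlan, []):
        vif = ipaddress.ip_interface(addr)
        if uip in vif.network:
            return str(vif.ip), mac, "vlanif on user segment"
    # 2. Address configured for the user's VLAN.
    if user_vlan in per_vlan:
        ip, mac = per_vlan[user_vlan]
        return ip, mac, "per-vlan configured"
    # 3. Address derived from the fallback setting. The page does not state the formula;
    #    here (assumption) the user's network bits are combined with the host bits of the
    #    configured fallback address, giving an address on the user's own subnet.
    if fallback is not None:
        fb = ipaddress.ip_interface(fallback)
        net = ipaddress.ip_network(f"{user_ip}/{fb.network.prefixlen}", strict=False)
        host_bits = int(fb.ip) & int(fb.network.hostmask)
        derived = ipaddress.ip_address(int(net.network_address) | host_bits)
        return str(derived), None, "fallback-derived"
    # 4. Default source address.
    return default_ip, None, "default"


# Constructed topology used by the checks below.
VLANIF = {10: [("10.1.10.1/24", "00e0-fc00-0001")]}
PER_VLAN = {20: ("10.1.20.254", "00e0-fc00-0002")}
FALLBACK = "192.0.2.254/24"
```

A probe that falls all the way through to 0.0.0.0 is the case to watch for when users are being logged out unexpectedly: a client that ignores ARP requests from an off-subnet or unspecified source never answers, and the device treats the silence as the user having gone offline.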

3.9.6 (Optional) Setting the Offline Detection Interval for Portal Authentication Users

Context
If a Portal authentication user goes offline due to power failure or network
interruption, the device and Portal server may still store user information, which
leads to incorrect accounting. In addition, only a limited number of users can access
the device. If a user goes offline improperly but the device still stores user
information, other users cannot access the network.


After the offline detection interval is set for Portal authentication users, if a user
does not respond within the interval, the device considers the user offline. The
device and Portal server then delete the user information and release the occupied
resources to ensure efficient resource use.

NOTE

This function applies only to Layer 2 Portal authentication.


The heartbeat detection function of the authentication server can be used to ensure the
normal online status of PC users for whom Layer 3 Portal authentication is used. If the
authentication server detects that a user goes offline, it instructs the device to disconnect
the user.
If the number of offline detection packets (ARP packets) exceeds the default CAR value, the
detection fails and the users are logged out. (The display cpu-defend statistics command
can be run to check whether ARP request and response packets are lost.) To resolve the
problem, the following methods are recommended:
● Increase the detection interval based on the number of users. The default detection
interval is recommended when there are fewer than 8000 users; the detection interval
should be no less than 600 seconds when there are more than 8000 users.
● Deploy the port attack defense function on the access device and limit the rate of
packets sent to the CPU.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run portal timer offline-detect time-length
The period for detecting Portal authentication user logout is set.
By default, the interval for detecting Portal authentication user logout is 300s.
When the interval is set to 0, offline detection is not performed.

----End

3.9.7 (Optional) Configuring the Detection Function for Portal Authentication
Context
In practical networking applications of Portal authentication, if communication is
interrupted due to a network failure between the device and the Portal server or
because the Portal server fails, new Portal authentication users cannot go online,
and online Portal users cannot go offline normally.
With the Portal authentication detection function, even if the network fails or the
Portal server cannot work properly, the device still allows the user to use the
network and have certain network access rights. The device reports failures using
logs and traps.

Procedure
Step 1 Run system-view


The system view is displayed.


Step 2 Run web-auth-server server-name
The Portal server template view is displayed.
Step 3 Run server-detect type { portal | http }
The Portal server detection mode is configured.
By default, the Portal-based Portal server detection mode is configured.
Step 4 Run server-detect [ interval interval-period | max-times times | critical-num
critical-num | action { log | trap | permit-all } * ] *
The detection function of the Portal server is enabled.
By default, the detection function of the Portal server is disabled.

----End

3.9.8 (Optional) Configuring User Information Synchronization
Context
If communication is interrupted because the network between the device and
Portal server is disconnected or the Portal server is faulty, online Portal
authentication users cannot go offline. Therefore, user information on the device
and on the Portal server may be inconsistent and accounting may be inaccurate.
The user information synchronization function ensures that user information on
the Portal server is the same as that on the device, ensuring accurate accounting.
NOTE

For Layer 3 Portal authentication, the device currently can synchronize user information
with the Huawei Agile Controller-Campus or iMaster NCE-Campus server. When the device
is connected to other Portal servers, user information may fail to be synchronized and users
cannot go offline in real time. In this case, you can run the cut access-user command or
use the NMS or RADIUS DM to log out users.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run web-auth-server server-name
The Portal server template view is displayed.

Step 3 Run user-sync [ interval interval-period | max-times times ] *

User information synchronization is enabled.


By default, user information synchronization is disabled.

----End


3.9.9 (Optional) Configuring the Quiet Function in Portal Authentication
Context
After the quiet timer is enabled, if the number of Portal authentication failures
exceeds the specified value within 60s, the device keeps the Portal authentication
user in quiet state for a period of time. During the quiet period, the device
discards Portal authentication requests from the user. This prevents the impact of
frequent authentications on the system.

NOTE

When the number of quiet entries reaches the maximum number, the device does not allow
new users who are not in the quiet table to access the network.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run portal quiet-period
The quiet timer is enabled.
By default, the quiet timer is enabled.
Step 3 Run portal quiet-times fail-times
The maximum number of authentication failures within 60s before a Portal
authentication user enters the quiet state is set.
By default, the device allows a maximum of ten authentication failures within 60s
before a Portal authentication user is kept in quiet state.
Step 4 Run portal timer quiet-period quiet-period-value
The quiet period for Portal authentication is set.
By default, the quiet period for Portal authentication is 60s.

----End
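A simulation of the quiet function described in this section, added here as an example; it is not part of the configuration guide or the device software. It applies the defaults stated above (ten failures within 60s, 60s quiet period) and the NOTE's rule that a full quiet table refuses users not already in it; the user identifiers, timestamps and the table capacity are constructed values.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List

# Fixed by the device: failures are counted within a 60 s window (page text).
WINDOW_SECONDS = 60
# Defaults stated on this page for portal quiet-times and portal timer quiet-period.
DEFAULT_QUIET_TIMES = 10
DEFAULT_QUIET_PERIOD = 60


@dataclass
class PortalQuietTable:
    """Simulated quiet table for Portal authentication (added example, not device code)."""
    quiet_times: int = DEFAULT_QUIET_TIMES      # portal quiet-times fail-times
    quiet_period: int = DEFAULT_QUIET_PERIOD    # portal timer quiet-period quiet-period-value
    max_entries: int = 1024                     # constructed capacity; the page gives no number
    # Per-user failure timestamps inside the sliding 60 s window.
    failures: Dict[str, Deque[float]] = field(default_factory=dict)
    # Per-user time at which the quiet state ends.
    quiet_until: Dict[str, float] = field(default_factory=dict)

    def _expire_quiet_entries(self, now: float) -> None:
        """Drop quiet entries whose quiet period has elapsed."""
        for user in [u for u, until in self.quiet_until.items() if now >= until]:
            del self.quiet_until[user]

    def handle_request(self, user: str, now: float, success: bool) -> str:
        """Process one Portal authentication attempt at time `now` (seconds).

        Returns one of:
          'discarded' - user is in quiet state, the request is dropped
          'refused'   - quiet table is full and the user is not in it (page NOTE)
          'accepted'  - authentication succeeded
          'failed'    - authentication failed, count still within the limit
          'quieted'   - this failure exceeded quiet_times within 60 s
        """
        self._expire_quiet_entries(now)
        if user in self.quiet_until:
            return "discarded"
        if len(self.quiet_until) >= self.max_entries:
            return "refused"
        if success:
            self.failures.pop(user, None)
            return "accepted"
        window = self.failures.setdefault(user, deque())
        window.append(now)
        # Keep only failures that fall inside the last 60 s.
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > self.quiet_times:
            # The (quiet_times + 1)-th failure within the window triggers the quiet state.
            self.quiet_until[user] = now + self.quiet_period
            del self.failures[user]
            return "quieted"
        return "failed"


def brute_force_scenario() -> List[str]:
    """Constructed scenario: one client fails 11 times in 11 s, then retries twice."""
    table = PortalQuietTable()
    outcomes = [table.handle_request("10.1.1.5", t, success=False) for t in range(11)]
    outcomes.append(table.handle_request("10.1.1.5", 30, success=True))   # still quiet
    outcomes.append(table.handle_request("10.1.1.5", 70, success=True))   # quiet expired
    return outcomes


if __name__ == "__main__":
    print(brute_force_scenario())
```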

3.9.10 (Optional) Configuring Static Users


Context
In network deployment, static IP addresses are assigned to dumb terminals such
as printers and servers. These users can be configured as static users for flexible
authentication.
After static users are configured, the device can use static user information such as
their IP addresses as the user names to authenticate the users only if one of the
802.1X authentication, MAC address authentication, and Portal authentication
modes is enabled on the interfaces connected to the static users.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run static-user start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ] [ domain-name domain-name | interface interface-type interface-number [ detect ] | mac-address mac-address | vlan vlan-id | keep-online ] *
The static user is configured.
By default, no static user is configured.

NOTE

Only Layer 2 Ethernet interfaces and Layer 2 Eth-Trunk interfaces can be configured as static
user interfaces. If an interface is added to an Eth-Trunk or switched to a Layer 3 interface, the
static user function does not take effect.
When the interface (interface interface-type interface-number) mapping static users is
specified, the VLAN (vlan vlan-id) that the interface belongs to must be configured.

Step 3 Run static-user username macaddress format { with-hyphen [ normal ] [ colon ] | without-hyphen } [ uppercase ] [ password-with-macaddress ]
The user name for authenticating a static user is set to a MAC address.
By default, the user name for authenticating a static user is not set to a MAC
address.
This command takes priority over the static-user username format-include { ip-address | mac-address | system-name } command and the static-user password cipher password command.
Step 4 Run static-user username format-include { ip-address | mac-address | system-name }
The static user name for authentication is set.
By default, the name of a static user consists of system-name and ip-address.
Step 5 Run static-user password cipher password
The static user password for authentication is set.
By default, the password for a static user in authentication is not set.

----End

3.9.11 (Optional) Configuring Network Access Rights for Users in Different Authentication Stages
Context
To grant users rights to access certain network resources during access
authentication, you can configure network access rights for users.
● pre-authen: specifies the network access rights granted to users before
authentication starts.


● authen-fail: specifies the network access rights granted to users when
authentication fails.
● authen-server-down: specifies the network access rights granted to users
when the authentication server does not respond.
NOTE
The priority of authentication event on the interface is higher than the priority of
authentication event in the system view, and higher than the priority of guest VLAN, restrict
VLAN, or critical VLAN.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Configure network access rights for users in the system view, Layer 2 physical
interface view or VLANIF interface view.

View             Step
System view      Run the authentication event { pre-authen | authen-fail | authen-server-down } { vlan vlan-id | user-group group-name } command to configure the network access rights in different authentication stages.
                 By default, no network access right is granted to users in different authentication stages.
                 NOTE
                 The VLAN parameter is valid for built-in Portal authentication.
Interface view   1. Run the interface interface-type interface-number command to enter the interface view.
                 2. Configure the network access rights granted to users in different authentication stages. The command has different syntax when it is executed in the Layer 2 physical interface view and VLANIF interface view.
                    – Layer 2 physical interface view: Run the authentication event { pre-authen | authen-fail | authen-server-down } { vlan vlan-id | user-group group-name } command to configure the network access rights in different authentication stages.
                    – VLANIF interface view: Run the authentication event { authen-fail | authen-server-down } user-group group-name command.
                 3. Run the quit command to return to the system view.
                 By default, no network access right is granted to users in different authentication stages.

Step 3 (Optional) Set the timeout period of the network access rights granted to users in
different authentication stages. The configuration can be performed in the system
view or interface view.


View             Step
System view      Run the authentication event { pre-authen | authen-fail | authen-server-down } session-timeout session-time command to set the timeout period of the network access rights granted to users in different authentication stages.
                 By default, the timeout period of the network access rights granted to users is 15 minutes.
Interface view   1. Run the interface interface-type interface-number command to enter the interface view.
                 2. Run the authentication event { pre-authen | authen-fail | authen-server-down } session-timeout session-time command to set the timeout period of the network access rights granted to users in different authentication stages.
                    By default, the timeout period of the network access rights granted to users is 15 minutes.
                 3. Run the quit command to return to the system view.

Step 4 (Optional) Configure the device to return an authentication failure packet when a
user fails in authentication or the authentication server does not respond. The
configuration can be performed in the system view or interface view.
View             Step
System view      Run the authentication event { authen-fail | authen-server-down } response-fail command to configure the device to return an authentication failure packet when a user fails in authentication or the authentication server does not respond.
                 By default, the device returns an authentication success packet when a user fails in authentication or the authentication server does not respond.
Interface view   1. Run the interface interface-type interface-number command to enter the interface view.
                 2. Run the authentication event { authen-fail | authen-server-down } response-fail command to configure the device to return an authentication failure packet when a user fails in authentication or the authentication server does not respond.
                    By default, the device returns an authentication success packet when a user fails in authentication or the authentication server does not respond.

----End


3.9.12 (Optional) Configuring Terminal Type Awareness


Context
A device usually connects to many types of terminals. You may need to assign
different network access rights or packet processing priorities to the terminals of
different types. For example, the voice devices, such as IP phones, should be
assigned a high packet processing priority because voice signals require low delay
and jitter.
Using the terminal type awareness function, the device can obtain terminal types
and send them to the authentication server. The authentication server then
controls network access rights and policies such as packet processing priorities
based on the user terminal types.
After enabling any NAC authentication mode, the device can obtain user terminal
types in either of the following modes:
● DHCP option field mode: The device parses the required option field
containing terminal type information from the received DHCP request
packets. The device then sends the option field information to the RADIUS
server through a RADIUS accounting packet. Before selecting the DHCP option
field mode, you must enable the DHCP snooping function on the device. For
details, see Enabling DHCP Snooping in "DHCP Snooping Configuration" in
the S300, S500, S2700, S5700, and S6700 V200R020C10 Configuration Guide -
Security.
● LLDP TLV type mode: The device parses the required TLV type containing
terminal type information from the received LLDPDUs. The device
encapsulates the TLV type information into the Huawei proprietary attribute
163 HW-LLDP in RADIUS accounting packets, and sends the packets to the
RADIUS server. Before selecting the LLDP TLV type mode, you must enable the
LLDP function on the device and the connected peer device. For details, see
"Enabling LLDP" in "LLDP Configuration" in the S300, S500, S2700, S5700,
and S6700 V200R020C10 Configuration Guide - Network Management
Configuration.

NOTE

The terminal type awareness function takes effect only when the authentication or
accounting mode in the AAA scheme is RADIUS.
The terminal type awareness function only provides a method for the access device to obtain
user terminal types; it does not itself assign network access policies to the
terminals. The administrator configures the network access policies for terminals of
different types on the RADIUS server.

Procedure
● In the DHCP option field mode
a. Run the system-view command to enter the system view.
b. Run the device-sensor dhcp option option-code &<1-6> command to
enable the terminal type awareness function based on the DHCP option
field.
By default, the terminal type awareness function based on the DHCP
option field is disabled.


● In the LLDP TLV type mode
a. Run the system-view command to enter the system view.
b. Run the device-sensor lldp tlv tlv-type &<1-4> command to enable the
LLDP-based terminal type awareness function.
By default, the LLDP-based terminal type awareness function is disabled.
----End

3.9.13 (Optional) Configuring Web Push


Context
When a user sends an HTTP/HTTPS packet to access a web page for the first time
after the user is successfully authenticated, the device forcibly redirects the user to
a specified web page. In addition to pushing advertisement pages, the device
obtains user terminal information through the HTTP/HTTPS packets sent by users,
and applies the information to other services. There are two ways to push web
pages:
1. URL: pushes the URL of the specified web page.
2. URL template: pushes a URL template. The URL template must have been
created and contains the URL of the pushed web page and URL parameters.
For the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H,
S6730-S, and S6730S-S, the forcible web page push function takes effect only for
the first HTTP or HTTPS packet sent from users. If an application that actively
sends HTTP or HTTPS packets is installed on a user terminal and the terminal has
sent HTTP or HTTPS packets before the user accesses a web page, the user is
unaware of the web page push process.
For switches except the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-
H, S6730S-H, S6730-S, and S6730S-S: The forcible web page push function takes
effect only when it is used together with a redirect ACL. If a redirect ACL exists in
the user table, a web page is forcibly pushed when HTTP or HTTPS packets from
users match the redirect ACL rule. Usually, you can configure the RADIUS server to
authorize the Huawei extended RADIUS attribute HW-Redirect-ACL or HW-IPv6-
Redirect-ACL to users for redirect ACL implementation, or run the redirect-acl
command to configure a redirect ACL.

Procedure
Step 1 Configure the URL template.
1. Run the system-view command to enter the system view.
2. Run the url-template name template-name command to create a URL
template and enter the URL template view.
By default, no URL template exists on the device.
3. Run the url [ push-only ] url-string command to configure the redirect URL
corresponding to the Portal server.
4. Run the url-parameter { redirect-url redirect-url-value | sysname sysname-
value | user-ipaddress user-ipaddress-value | user-mac user-mac-value |
login-url url-key url } * command to set the parameters carried in the URL.


By default, a URL does not carry parameters.


5. Run the url-parameter mac-address format delimiter delimiter { normal |
compact } command to set the MAC address format in the URL.
By default, the MAC address format in a URL is XXXXXXXXXXXX.
6. Run the parameter { start-mark parameter-value | assignment-mark
parameter-value | isolate-mark parameter-value } * command to set the
characters in the URL.
By default, the start character is ?, assignment character is =, and delimiter is
&.
7. Run the quit command to return to the system view.

NOTE

If web pages are pushed in URL mode, this step can be skipped.

Step 2 Configure the Web push function.


1. Run the aaa command to enter the AAA view.
2. Run the domain domain-name command to create an AAA domain and enter
the AAA domain view.
The device has two default domains: default and default_admin. The default
domain is used by common access users and the default_admin domain is
used by administrators.
3. Run the force-push { url-template template-name | url url-address }
command to enable the forcible URL template or URL push function.

----End
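How the URL template settings of Step 1 combine into the pushed URL, as an added example rather than code from the guide or the switch software: it renders the url, the url-parameter key names, the MAC address format and the start/assignment/isolate marks, and percent-encodes parameter values as the URL encoding described in 3.9.16 does. Assumptions: "normal" groups the MAC in pairs of hex digits and "compact" in groups of four; the key names, switch name and client addresses are constructed; urllib.parse.quote stands in for the device's encoder.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import quote


def format_mac(mac: str, delimiter: Optional[str] = None, style: str = "normal",
               uppercase: bool = False) -> str:
    """Format a MAC address as url-parameter mac-address format would.

    delimiter=None  -> XXXXXXXXXXXX, the default stated on the page.
    style="normal"  -> delimiter after every 2 hex digits (assumed meaning).
    style="compact" -> delimiter after every 4 hex digits (assumed meaning).
    """
    digits = "".join(ch for ch in mac if ch.isalnum())
    if len(digits) != 12 or any(ch not in "0123456789abcdefABCDEF" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if uppercase else digits.lower()
    if delimiter is None:
        return digits
    group = 2 if style == "normal" else 4
    return delimiter.join(digits[i:i + group] for i in range(0, 12, group))


@dataclass
class UrlTemplate:
    """One url-template: the settings from steps 3 to 6 of the procedure above."""
    url: str                                   # url [ push-only ] url-string
    # url-parameter: maps the parameter kind to the key name carried in the URL,
    # e.g. {"sysname": "devname"} renders "...?devname=<switch name>".
    params: Dict[str, str] = field(default_factory=dict)
    mac_delimiter: Optional[str] = None        # url-parameter mac-address format delimiter
    mac_style: str = "normal"                  # { normal | compact }
    start_mark: str = "?"                      # parameter start-mark (default ?)
    assignment_mark: str = "="                 # parameter assignment-mark (default =)
    isolate_mark: str = "&"                    # parameter isolate-mark (default &)
    url_encode: bool = True                    # portal url-encode enable (default enabled)

    def render(self, sysname: str, user_ip: str, user_mac: str,
               redirect_url: Optional[str] = None) -> str:
        """Build the URL pushed to a user, in the order the url-parameter kinds were configured."""
        values = {
            "sysname": sysname,
            "user-ipaddress": user_ip,
            "user-mac": format_mac(user_mac, self.mac_delimiter, self.mac_style),
            "redirect-url": redirect_url,   # page the user originally requested (assumed)
        }
        pairs = []
        for kind, key in self.params.items():
            value = values.get(kind)
            if value is None:
                continue
            if self.url_encode:
                # Percent-encode everything that is not unreserved, so a value such as
                # "http://a/b?c=1&d=2" cannot introduce extra '?', '=' or '&' separators.
                value = quote(value, safe="")
            pairs.append(f"{key}{self.assignment_mark}{value}")
        if not pairs:
            return self.url
        return self.url + self.start_mark + self.isolate_mark.join(pairs)


def example_push_url() -> str:
    """Constructed template: http://portal.example.com/welcome with three parameters."""
    template = UrlTemplate(
        url="http://portal.example.com/welcome",
        params={"sysname": "devname", "user-ipaddress": "userip", "user-mac": "usermac"},
        mac_delimiter="-", mac_style="normal",
    )
    return template.render("SW1", "10.1.1.5", "00e0-fc12-3456")


if __name__ == "__main__":
    print(example_push_url())
```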

3.9.14 (Optional) Configuring the User Group Function


Context
In NAC applications, there are many access users, but user types are limited. You
can create user groups on the device and associate each user group to an ACL. In
this way, users in the same group share rules in the ACL.
After creating user groups, you can set priorities and VLANs for the user groups, so
that users in different user groups have different priorities and network access
rights. The administrator can then flexibly manage users.


NOTE

When the user group function is enabled on models except the S5731-H, S5731S-H, S5731-
S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI,
ACL rules are delivered to each user and the user group function cannot be used to save
ACL resources.
The priority of the user group authorization information delivered by the authentication
server is higher than that of the user group authorization information applied in the AAA
domain. If the user group authorization information delivered by the authentication server
cannot take effect, the user group authorization information applied in the AAA domain is
used. For example, if only user group B is configured on the device and the group
authorization information is applied in the AAA domain when the authentication server
delivers authorization information about user group A, the authorization information about
user group A cannot take effect and the authorization information about user group B is
used. To make the user group authorization information delivered by the authentication
server take effect, ensure that this user group is configured on the device.
If the authentication server authorizes multiple attributes to the device and the authorized
attributes overlap the existing configurations on the device, the attributes take effect based
on the minimum rule. For example, if the authentication server authorizes a VLAN and user
group to the device and the VLAN parameters are configured in the user group on the
device, the VLAN authorized by the authentication server takes effect.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run user-group group-name

A user group is created and the user group view is displayed.

Step 3 Run acl-id acl-number

An ACL is bound to the user group.

By default, no ACL is bound to a user group.

NOTE

Before running this command, ensure that the ACL has been created using the acl or acl
name command and ACL rules have been configured using the rule command.

Step 4 Run remark { 8021p 8021p-value | dscp dscp-value }*

The user group priority is configured.

By default, no user group priority is configured.

NOTE

Only the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
S6730S-S, S6720-EI, and S6720S-EI support this command.

Step 5 Run car { outbound | inbound } cir cir-value [ pir pir-value | cbs cbs-value | pbs
pbs-value ] *
The rate of traffic from users in the user group is limited.

By default, the rate of traffic from users in the user group is not limited.


NOTE

Only the S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
S6730S-S, S6720-EI, and S6720S-EI support this command, and the user group CAR can
only be applied in the interface outbound direction (outbound) on the S6720-EI and
S6720S-EI.

Step 6 Run quit

Return to the system view.

Step 7 Run user-group group-name enable

The user group function is enabled.

The user group configuration takes effect only after the user group function is
enabled.

By default, the user group function is disabled.

----End

3.9.15 (Optional) Configuring Voice Terminals to Go Online Without Authentication

Context
When both data terminals (such as PCs) and voice terminals (such as IP phones)
are connected to switches, NAC is configured on the switches to manage and
control the data terminals. The voice terminals, however, only need to connect to
the network without being managed and controlled. In this case, you can
configure the voice terminals to go online without authentication on the switches.
Then the voice terminals identified by the switches can go online without
authentication.

NOTE

If an 802.1X user initiates authentication through a voice terminal, a switch preferentially
processes the authentication request. If the authentication succeeds, the terminal obtains the
corresponding network access rights. If the authentication fails, the switch identifies the
terminal type and enables the terminal to go online without authentication.

Pre-configuration Tasks
To enable the switches to identify the voice terminals, enable LLDP or configure
OUI for the voice VLAN on the switches. For details, see "Configuring Basic LLDP
Functions" in "LLDP Configuration" in the S300, S500, S2700, S5700, and S6700
V200R020C10 Configuration Guide - Network Management and Monitoring or
"Configuring a Voice VLAN Based on a MAC Address" in "Voice VLAN
Configuration" in the S300, S500, S2700, S5700, and S6700 V200R020C10
Configuration Guide - Ethernet Switching. If a voice device supports only CDP but
does not support LLDP, configure CDP-compatible LLDP on the switch using the lldp
compliance cdp receive command.


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run authentication device-type voice authorize [ user-group group-name ]

The voice terminals are enabled to go online without authentication.

By default, voice terminals are disabled from going online without authentication.

NOTE

When user-group group-name is not specified, voice terminals obtain the corresponding
network access rights after they pass authentication and go online. When user-group
group-name is specified, voice terminals obtain the network access rights specified by the
user group after they go online. To use a user group to define network access rights for voice
terminals, run the user-group group-name command to create a user group and configure
network authorization information for the users in the group. Note that the user group takes
effect only after it is enabled.
If you run this command repeatedly, the latest configuration overrides the previous ones.

----End

3.9.16 (Optional) Enabling URL Encoding and Decoding

Context
To improve web application security, data from untrustworthy sources must be
encoded before being sent to clients. URL encoding is most commonly used in web
applications. After URL encoding and decoding are enabled, some special
characters in redirect URLs are converted to secure formats, preventing clients
from mistaking them for syntax signs or instructions and unexpectedly modifying
the original syntax. In this way, cross-site scripting attacks and injection attacks
are prevented.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run portal url-encode enable

URL encoding and decoding are enabled.

By default, URL encoding and decoding are enabled.

----End

Check the Configuration


Run the display portal url-encode configuration command to check the
configuration of URL encoding and decoding.


3.9.17 (Optional) Configuring the MAC Address Migration Function
Context
The access locations of enterprise users' terminals often change. For example,
employees move to other offices to work or give presentations using laptops. By
default, a user cannot immediately initiate authentication and access the network
after being switched to a new interface. The user can initiate authentication on
the current interface only after the user offline detection interval expires or the
authentication interface is manually enabled and shut down to clear the user online
entry. To improve user experience, MAC address migration is enabled so that the
user can immediately initiate authentication and access the network after being
switched to another access interface.
MAC address migration allows online NAC authentication users to immediately
initiate authentication and access the network after they are switched to other
access interfaces. If the user is authenticated successfully on the new interface, the
online user entry on the original interface is deleted immediately to ensure that
only one interface records the online user entry.
There are two typical MAC address migration scenarios, as shown in Figure 3-14.
Scenario one: The authentication point is deployed on an access switch, and the
user terminal is migrated from one authentication control point to another on the
same switch. Scenario two: The authentication point is deployed on an
aggregation switch. The authentication control point of the user terminal remains
unchanged, and the user terminal is migrated between different interfaces on the
same access switch or different access switches connected to the aggregation
switch.

Figure 3-14 Typical MAC address migration scenarios


NOTE

● In normal cases, enabling MAC address migration is not recommended. It should be enabled
only when users have migration requirements during roaming. This prevents unauthorized
users from forging MAC addresses of online users and sending ARP, 802.1X, or DHCP packets
on other authentication control interfaces to trigger the MAC address migration function and
force authorized users offline.
● Cascading migration through intermediate devices is not supported, because ARP and DHCP
packets are not sent after the cascading migration.
● MAC address migration is not supported for Layer 3 Portal authentication users.
● In the Layer 2 BNG scenario, the device does not support MAC address migration.
● A user is switched from an interface configured with NAC authentication to another
interface not configured with NAC authentication. In this case, the user can access the
network only after the original online entry is aged because the new interface cannot send
authentication packets to trigger MAC migration.
● In common mode, Portal authentication is triggered only after users who go online through
a VLANIF interface send ARP packets and go offline; otherwise, the users can go online again
only after the original user online entries age out. Portal authentication cannot be triggered
after users who go online through physical interfaces migrate. The users can go online again
only after the original user online entries age out.
● After a user who goes online from a VLANIF interface is quieted because of multiple MAC
address migrations, MAC address migration can be performed for the quieted user only after
the quiet period expires and the ARP entry is aged out.
● When an authorized VLAN is specified in the authentication mac-move enable vlan
command, you are advised to enable the function of detecting the user status before user
MAC address migration.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run authentication mac-move enable vlan { all | { vlan-id1 [ to vlan-id2 ] } &
<1–10> }
The MAC address migration function is enabled.
By default, MAC address migration is disabled.
VLANs need to be specified for users in MAC address migration. The VLANs before
and after the migration can be specified for the users, and they can be the same
or different.
Step 3 (Optional) Configure the MAC address migration quiet function.
When users frequently switch access interfaces (especially frequent switching due
to loops), the device needs to process a large number of authentication packets
and entries, which results in high CPU usage. To solve this problem, configure the
MAC address migration quiet function. If the number of MAC address migration
times for a user within 60 seconds exceeds the upper limit after the MAC address
migration quiet function is enabled, the device quiets the user for a certain period.
During the quiet period, the device does not allow users to perform MAC address
migration.
In addition, the device can send logs and alarms about MAC address migration to
improve maintainability of the MAC address migration quiet function.

1. Run authentication mac-move { quiet-times times | quiet-period quiet-value } *
The quiet period and the maximum number of MAC address migration times
within 60 seconds before users enter the quiet state are configured.
The default quiet period is 0 seconds and the maximum number of MAC
address migration times within 60 seconds before users enter the quiet state
is 3.
2. Run authentication mac-move quiet-log enable
The device is enabled to record logs about MAC address migration quiet.
By default, the device is enabled to record logs about MAC address migration
quiet.
After this function is enabled, the device records logs when adding or deleting
MAC address migration quiet entries.
3. Run authentication mac-move quiet-user-alarm percentage lower-threshold upper-threshold
The upper and lower alarm thresholds for the percentage of MAC address
migration users in quiet state are configured.
By default, the lower alarm threshold is 50 and upper alarm threshold is 100.
4. Run authentication mac-move quiet-user-alarm enable
The device is enabled to send alarms about MAC address migration quiet.
By default, the device is disabled from sending alarms about MAC address
migration quiet.
After this function is enabled, the device sends alarms when the percentage
of the actual user amount in the MAC address migration quiet table against
the maximum number of users exceeds the upper alarm threshold configured.
If the percentage decreases to be equal to or smaller than the lower alarm
threshold, the device sends a clear alarm.

Step 4 (Optional) Enable a device to detect users' online status before user MAC address
migration.

To prevent unauthorized users from spoofing online users to attack a device, run
the authentication mac-move detect enable command to enable the device to
detect users' online status before user MAC address migration. If no users are
online, the device permits MAC address migration and allows users to go online
from a new access interface. If a user is online, the device terminates MAC address
migration and does not allow the user to go online from a new access interface.

1. Run authentication mac-move detect enable
A device is enabled to detect users' online status before user MAC address
migration.
By default, a device is disabled from detecting users' online status before user
MAC address migration.
2. Run authentication mac-move detect { retry-interval interval | retry-time
times } *
The detection interval and maximum number of detections are set.

By default, a device detects users' online status once. The detection interval is
3 seconds.

----End

Verifying the Configuration

● Run the display authentication mac-move configuration command to view
configurations about the MAC address migration function.
● Run the display authentication mac-move quiet-user { all | mac-address
mac-address } command to view information about MAC address migration
users in quiet state.
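To make the quiet and detection logic above concrete, here is an added Python model (not Huawei code and not the switch's implementation) of the MAC address migration quiet function: a sliding 60-second migration counter, the quiet period, the pre-migration online-status check, and the alarm thresholds with their clear condition. It assumes that a quiet period of 0 disables quieting, that the migration which exceeds the limit is itself rejected, and that the table capacity and the MAC addresses are constructed values.

```python
# Added example (not Huawei code): a model of the MAC address migration quiet
# function and the pre-migration online-status check described in this section.
# Assumptions: a quiet period of 0 (the default) means users are never quieted,
# migrations are counted in a sliding 60-second window, the migration that
# exceeds the limit is itself rejected, and the "is this user online" check is
# supplied by the caller. Table capacity and the MAC addresses are constructed.
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional

WINDOW_SECONDS = 60          # the guide counts migrations "within 60 seconds"
ALLOWED = "allowed"
QUIETED = "rejected: migration limit exceeded, user quieted"
REJECTED_QUIET = "rejected: user is in quiet state"
REJECTED_ONLINE = "rejected: user is still online on the old interface"


class MacMoveController:
    def __init__(self, quiet_times: int = 3, quiet_period: int = 0,
                 max_users: int = 100, alarm_lower: int = 50, alarm_upper: int = 100,
                 detect_online: bool = False,
                 is_online: Optional[Callable[[str], bool]] = None) -> None:
        self.quiet_times = quiet_times        # authentication mac-move quiet-times (default 3)
        self.quiet_period = quiet_period      # authentication mac-move quiet-period (default 0 s)
        self.max_users = max_users            # capacity of the quiet table (assumed value)
        self.alarm_lower = alarm_lower        # quiet-user-alarm percentage lower (default 50)
        self.alarm_upper = alarm_upper        # quiet-user-alarm percentage upper (default 100)
        self.detect_online = detect_online    # authentication mac-move detect enable
        self.is_online = is_online or (lambda mac: False)
        self.history: Dict[str, Deque[float]] = defaultdict(deque)
        self.quiet_until: Dict[str, float] = {}
        self.alarm_raised = False
        self.events: List[str] = []           # what quiet-log / quiet-user-alarm would emit

    def _expire(self, now: float) -> None:
        # Quiet entries are deleted when the quiet period ends (logged per quiet-log enable).
        for mac in [m for m, t in self.quiet_until.items() if t <= now]:
            del self.quiet_until[mac]
            self.events.append(f"log: quiet entry deleted mac={mac}")
        self._update_alarm()

    def _update_alarm(self) -> None:
        # Alarm when quiet users exceed the upper percentage; clear at or below the lower one.
        pct = 100 * len(self.quiet_until) // self.max_users
        if not self.alarm_raised and pct > self.alarm_upper:
            self.alarm_raised = True
            self.events.append(f"alarm: quiet users at {pct}% of table")
        elif self.alarm_raised and pct <= self.alarm_lower:
            self.alarm_raised = False
            self.events.append(f"clear alarm: quiet users at {pct}% of table")

    def migrate(self, mac: str, now: float) -> str:
        """Decide whether a user seen on a new interface at time `now` may migrate."""
        self._expire(now)
        if mac in self.quiet_until:
            return REJECTED_QUIET
        if self.detect_online and self.is_online(mac):
            return REJECTED_ONLINE
        hist = self.history[mac]
        while hist and now - hist[0] >= WINDOW_SECONDS:   # drop migrations older than 60 s
            hist.popleft()
        hist.append(now)
        if self.quiet_period > 0 and len(hist) > self.quiet_times:
            self.quiet_until[mac] = now + self.quiet_period
            hist.clear()
            self.events.append(f"log: quiet entry added mac={mac} until t={now + self.quiet_period}")
            self._update_alarm()
            return QUIETED
        return ALLOWED

    def quiet_user_count(self) -> int:
        return len(self.quiet_until)


if __name__ == "__main__":
    # Constructed scenario: a looped port flaps one MAC between interfaces every 10 s.
    ctl = MacMoveController(quiet_times=3, quiet_period=30, max_users=10,
                            alarm_lower=30, alarm_upper=60)
    for t in (0, 10, 20, 30, 40, 61):
        print(f"t={t:>3}s 0001-0001-0001 -> {ctl.migrate('0001-0001-0001', t)}")
    for line in ctl.events:
        print(line)
```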

3.9.18 (Optional) Enabling System Log Suppression

Context
When a user fails authentication or goes offline, the device records a system
log. The system log contains the MAC addresses of the access device and the access
user, and the authentication time.

If a user repeatedly attempts to go online after authentication failures or
frequently goes online and offline in a short period, a large number of system logs are
generated, which wastes system resources and degrades system performance.
System log suppression addresses this problem: after the device generates a
system log, it does not generate the same log again within the suppression period.

NOTE

The same system logs refer to system logs containing the same MAC addresses. For
example, after the device generates a system log for a user who fails authentication, the
device does not generate a new system log for this user within the suppression period if the user
fails authentication again. System logs for users going offline are generated in the
same way.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run access-user syslog-restrain enable

The system log suppression is enabled.

By default, system log suppression is enabled.

Step 3 Run access-user syslog-restrain period period

A period for system log suppression is set.

By default, the period of system log suppression is 300s.

----End

3.9.19 Configuring the Bandwidth Share Mode

Context
On a home network, all family members go online using the same account. To
improve service experience of family members, you can configure the bandwidth
share mode so that all members can share the bandwidth.

NOTE

The bandwidth share mode is supported by the S5731-H, S5731S-H, S5731-S, S5731S-S,
S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Enter a domain view.
1. Run aaa
The AAA view is displayed.
2. Run domain domain-name
The domain view is displayed.
Step 3 Run band-width share-mode
The bandwidth share mode is enabled.
By default, the bandwidth share mode is disabled.
● If this command is run in the system view, it takes effect for all users who
subsequently go online on the device. If this command is run in the AAA domain
view, it takes effect only for users who subsequently go online in the domain.
● If the local or remote RADIUS server does not assign CAR settings to users
who will go online or to online users, the share mode does not take effect for those
users.
● If the bandwidth share mode is enabled and different users use the same
account for authentication, the users who went online with no CAR settings
assigned are not affected when CAR settings are assigned to users
who go online later.

----End

3.9.20 Enabling the Device to Dynamically Adjust the Rate at Which It Processes Packets from NAC Users
Context
When a large number of NAC users send authentication or logout requests to the device, the
CPU may be overloaded, especially when the CPU or memory usage is
already high (for example, above 80%). After the device is enabled to dynamically
adjust the rate of packets from NAC users, the device limits the number of NAC
packets received per second if the CPU or memory usage is high. This function
reduces the load on the device CPU.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run authentication speed-limit auto

The device is enabled to dynamically adjust the rate at which it processes packets
from NAC users.

----End

3.9.21 (Optional) Configuring the User Logout Delay Function When an Interface Link Is Faulty

Context
If a link is faulty, the interface goes down and users are logged out immediately. To
solve this problem, you can configure the user logout delay function. When the
interface link is faulty, the users remain online during the delay. If the
link is restored within the delay, the users do not need to be re-authenticated. If the users are
disconnected after the delay expires and the link is then restored, the users need to be
re-authenticated.

NOTE

● This function takes effect only for wired users who go online on Layer 2 physical interfaces
that have been configured with NAC authentication.
● To make the function take effect, it is recommended that the configured interval be greater
than the time during which the interface is in Up state. If the link frequently flaps within a
short period, it is recommended that the interval be set to unlimited.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The interface view is displayed.

Step 3 Run link-down offline delay { delay-value | unlimited }

The user logout delay is configured when an interface link is faulty.

The default user logout delay is 10 seconds when an interface link is faulty.

If the delay is 0, users are logged out immediately when the interface link is faulty.
If the delay is unlimited, users are not logged out when the interface link is faulty.

----End

3.9.22 Verifying the Portal Authentication Configuration

Context
You can run the commands to check the configured parameters after completing
the Portal authentication configuration.

Procedure
● When a Portal server is used, run the following commands to check the
configuration.
– Run the display portal [ interface vlanif interface-number ] command
to check the Portal authentication configuration on the VLANIF interface.
– Run the display web-auth-server configuration command to check the
configuration of the Portal authentication server.
– Run the display server-detect state [ web-auth-server server-name ]
command to check the status of a Portal server.
– Run the display user-group [ group-name ] command to check the user
group configuration.
– Run the display access-user user-group group-name command to check
summary information about online users in a user group.
– Run the display static-user [ domain-name domain-name | interface
interface-type interface-number | ip-address start-ip-address [ end-ip-
address ] | vpn-instance vpn-instance-name ] * command to check the
static user information.
– Run the display portal quiet-user { all | server-ip ip-address | user-ip ip-
address } command to check information about Portal authentication
users in quiet state.
– Run the display portal user-logout [ ip-address ip-address [ vpn-
instance vpn-instance-name ] ] command to check the temporary logout
entries of Portal authentication users.
– Run the display aaa statistics access-type-authenreq command to
display the number of authentication requests.
● Run the display portal free-rule [ rule-id ] command to check
authentication-free rules for Portal authentication users.
● Run the display url-template { all | name template-name } command to
check the configuration of the URL profile.
● Run the display port connection-type access all command to check all
current downlink interfaces on the device.
----End

3.10 Configuring Combined Authentication

Context
On a network with diversified clients, different clients support different access
authentication modes. Some clients (such as printers) support only MAC address
authentication. Some hosts support 802.1X authentication because they have
802.1X client software installed. Some hosts require Portal authentication using
web browsers. If all the preceding authentication modes are used on a network,
they all must be configured on user access interfaces so that users can use a
proper authentication mode to connect to the network.
If MAC address authentication and Portal authentication are configured
simultaneously on a VLANIF interface, a user is authorized in the following way:
1. MAC address authentication is performed first. If the user passes MAC address
authentication, the user is granted the network access rights for MAC address
authentication users.
2. If Portal authentication is triggered and succeeds after a successful MAC
address authentication, the user is granted the network access rights for
Portal authentication users. If Portal access is terminated by the user or the
device, the user's network access rights are restored to those for MAC address
authentication users.
NOTE

If Portal authentication is performed for a user after a successful MAC address
authentication, the user is not redirected to the authentication page and needs to enter the
authentication page address.
If MAC address-prioritized Portal authentication is used, a malicious user may use a bogus
MAC address to access the network after an authorized user passes Portal authentication.

Procedure
● Configure MAC address authentication according to Configuring MAC
Address Authentication.
● Configure Portal authentication according to Configuring Portal
Authentication.
----End

3.11 Maintaining NAC

3.11.1 Clearing 802.1X Authentication Statistics

Context

NOTICE

Statistics cannot be restored after being cleared. Exercise caution when you run
the following command.

Procedure
● Run the reset dot1x statistics [ interface { interface-type interface-number1
[ to interface-number2 ] } &<1-10> ] command in the user view to clear the
statistics for 802.1X authentication.

● Run the reset access-user dot1x-identity statistics command in the system
view to clear statistics about Identity packets for 802.1X authentication on a
switch.

----End

3.11.2 Clearing MAC Address Authentication Statistics

Context

NOTICE

Statistics cannot be restored after being cleared. Exercise caution when you run
the following command.

Procedure
● Run the reset mac-authen statistics [ interface { interface-type interface-
number1 [ to interface-number2 ] } &<1-10> ] command in the user view to
clear the statistics for MAC address authentication.

----End

3.11.3 Clearing Statistics on Traffic of Users in a User Group

Context
NOTE

This function applies only to S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H,
S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI.
The cleared statistics cannot be restored. Exercise caution when clearing the statistics.

Procedure
● Run the reset access-user traffic-statistics { user-id begin-id [ end-id ] |
mac-address mac-address | ip-address ip-address [ vpn-instance vpn-
instance ] } command in the user view to clear statistics on traffic of users in
a user group.

----End

3.11.4 Forcing Users Offline

Context
After a user goes online, if you want to modify the user's network access rights or
detect that the user is unauthorized, run the command to log out the user.

Procedure
● Run the cut access-user command in the AAA view to log out users.

----End

3.11.5 (Optional) Setting the Alarm Thresholds for the Percentage of Successfully Authenticated NAC Users

Context
When the number of successfully authenticated NAC users reaches a specified
percentage, the device generates an alarm. You can set the lower and upper alarm
thresholds for the percentage of successfully authenticated NAC users.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run authentication user-alarm percentage percent-lower-value percent-upper-value
The alarm thresholds for the percentage of successfully authenticated NAC users
are configured.

By default, the lower alarm threshold for the percentage of successfully
authenticated NAC users is 50, and the upper alarm threshold is 100.

----End

Verifying the Configuration
Run the display authentication user-alarm configuration command to check
the alarm thresholds for the percentage of successfully authenticated NAC users.

3.12 Configuration Examples for NAC

3.12.1 Example for Configuring 802.1X Authentication to Control Internal User Access

Networking Requirements
On a company network shown in Figure 3-15, many internal users access the
network through GE0/0/1 of the Switch that functions as an access device. After
the network operates for a period of time, attacks are detected. The administrator
must control network access rights of user terminals to ensure network security.
The Switch allows user terminals to access Internet resources only after they are
authenticated.

Figure 3-15 Networking diagram for configuring 802.1X authentication

Configuration Roadmap
To control the network access rights of users, the administrator can configure
802.1X authentication on the Switch when the server with the IP address
192.168.2.30 is used as the RADIUS server.
The configuration roadmap is as follows (configuration on the Switch):
1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain. The Switch can then exchange information with
the RADIUS server.
2. Configure 802.1X authentication.
a. Enable 802.1X authentication globally and on an interface.
b. Enable MAC address bypass authentication to authenticate terminals
(such as printers) that cannot install 802.1X authentication client
software.

NOTE

Before performing configuration in this example, ensure that devices can communicate with
each other on the network.
In this example, a LAN switch is deployed between the Switch and users. To ensure that
users can pass 802.1X authentication, you must configure the function of transparently
transmitting EAP packets on the LAN switch. Method 1: This method uses the S5720-LI as
an example. The procedure is as follows:
1. On the LAN switch, run the l2protocol-tunnel user-defined-protocol 802.1X protocol-
mac 0180-c200-0003 group-mac 0100-0000-0002 command in the system view to
configure it to transparently transmit EAP packets.
2. On the LAN switch, run the l2protocol-tunnel user-defined-protocol 802.1X enable
command on the downlink interface connected to users and the uplink interface
connected to the Switch to enable the Layer 2 protocol tunneling function.
Method 2: This method is recommended when a large number of users exist or high
network performance is required. This method is applicable only on the S5731-H, S5731S-H,
S5731-S, S5731S-S, S6730S-H, S5732-H, S6730-H, S6730-S, S6730S-S, S6720-EI, and
S6720S-EI.
1. Run the following commands in the system view:
● undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
● bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
● bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
● bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
● bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
2. (This step is mandatory when you switch from method 1 to method 2.) Run the undo
l2protocol-tunnel user-defined-protocol 802.1X enable command in the interface
view to delete the configuration of transparent transmission of 802.1X protocol packets.

Procedure
Step 1 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Example@2012
[Switch-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create authentication domain isp1, and bind AAA scheme abc and RADIUS
server template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit

# Configure the default domain isp1 in the system view. When a user enters the
user name in the format of user@isp1, the user is authenticated in the
authentication domain isp1. If the user name does not carry the domain name or
carries a nonexistent domain name, the user is authenticated in the default
domain.
[Switch] domain isp1

# Check whether a user can be authenticated through RADIUS authentication.
(The test user test@example.com and password Example2012 have been
configured on the RADIUS server.)
[Switch] test-aaa test@example.com Example2012 radius-template rd1
Info: Account test succeeded.
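The test-aaa command exercises the RADIUS exchange between the Switch and the server at 192.168.2.30. The following added Python example (not Huawei code) encodes that exchange as RFC 2865 specifies: the PAP Access-Request with User-Password obfuscated under the shared key Example@2012, a minimal server-side check, and the Response Authenticator check that keeps the NAS from trusting a forged reply. The request identifier, the Request Authenticator and the NAS-IP-Address 192.168.2.1 are constructed values.

```python
# Added example (not Huawei code): the RADIUS exchange behind
# "test-aaa test@example.com Example2012 radius-template rd1", encoded as in
# RFC 2865. The NAS side builds a PAP Access-Request for 192.168.2.30:1812 using
# the shared key from this example and verifies the Response Authenticator of the
# reply; a minimal server side decrypts User-Password and answers Accept/Reject.
# Constructed values: the request identifier, the Request Authenticator (a real
# NAS uses a fresh random value per request) and the NAS-IP-Address 192.168.2.1.
import hashlib
import struct
from typing import Dict

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
SHARED_SECRET = b"Example@2012"          # radius-server shared-key cipher Example@2012


def encrypt_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # RFC 2865 5.2: pad to a 16-byte multiple; each block is XORed with
    # MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_user_password(cipher: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, req_auth: bytes, secret: bytes,
                         username: str, password: str, nas_ip: str) -> bytes:
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, encrypt_user_password(password.encode(), secret, req_auth))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def server_handle(request: bytes, secret: bytes, users: Dict[str, str]) -> bytes:
    # Simplified RADIUS server (the real one sits at 192.168.2.30): PAP check only.
    attrs = parse_attrs(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pwd = decrypt_user_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    ok = request[0] == ACCESS_REQUEST and users.get(user) == pwd.decode(errors="replace")
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    # NAS side: the reply must carry the request's identifier and a valid authenticator,
    # otherwise a spoofed Access-Accept from a third party would be trusted.
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


if __name__ == "__main__":
    req_auth = bytes(range(16))   # constructed; must be random in a real NAS
    req = build_access_request(7, req_auth, SHARED_SECRET, "test@example.com",
                               "Example2012", "192.168.2.1")
    resp = server_handle(req, SHARED_SECRET, {"test@example.com": "Example2012"})
    accepted = resp[0] == ACCESS_ACCEPT and verify_response(resp, req, SHARED_SECRET)
    print("Info: Account test succeeded." if accepted else "Error: Account test failed.")
```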

Step 2 Configure 802.1X authentication.
# Change the NAC mode to common.
[Switch] undo authentication unified-mode
Warning: Switching the authentication mode will take effect after system restart
. Some configurations are invalid after the mode is switched. For the invalid co
mmands, see the user manual. Save the configuration file and reboot now? [Y/N] y

NOTE

● By default, the NAC unified mode is used.
● After the NAC unified mode is changed to common mode, you must save the configuration
and restart the device to make each function in the new configuration mode take effect.

# Enable 802.1X authentication globally and on an interface.
<Switch> system-view
[Switch] dot1x enable
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] dot1x enable

NOTE

By default, 802.1X authentication can be triggered by ARP packets. To allow 802.1X
authentication to be triggered by DHCP packets, run the dot1x dhcp-trigger command in the
system view.

# Configure MAC address bypass authentication.
[Switch-GigabitEthernet0/0/1] dot1x mac-bypass

Step 3 Verify the configuration.
1. Run the display dot1x command to check the 802.1X authentication
configuration. The command output (802.1X protocol is Enabled) shows that
802.1X authentication has been enabled on the interface GE0/0/1.
2. The user starts the 802.1X client on the terminal, and enters the user name
and password for authentication.
3. If the user name and password are correct, an authentication success
message is displayed on the client page. The user can access the network.
4. After the user goes online, you can run the display access-user command on
the device to check the online 802.1X user information.

----End

Configuration Files
Switch configuration file

#
sysname Switch
#
undo authentication unified-mode
#
domain isp1
#
dot1x enable
#
radius-server template rd1
radius-server shared-key cipher %^%#t67cDelRvAQg;*"4@P/3~q_31Sn{ST\V8'Ci633)%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet0/0/1
dot1x mac-bypass
#
return

3.12.2 Example for Configuring MAC Address Authentication to Control Dumb Terminal Access

Networking Requirements
On a company network shown in Figure 3-16, many printers are connected to the
network through GE0/0/1 of the Switch that functions as an access device. After
the network operates for a period of time, the administrator controls the network
access rights of the printers to improve network security. The Switch allows
printers to access network resources only after they are authenticated.

Figure 3-16 Networking diagram for configuring MAC address authentication

Configuration Roadmap
Printers cannot install and use the 802.1X client. The administrator can configure
MAC address authentication on the Switch to control the network access rights of
the printers.

The configuration roadmap is as follows (configuration on the Switch):

1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain. The Switch can then exchange information with
the RADIUS server.
2. Enable MAC address authentication so that the Switch can control network
access rights of the dumb terminals in the physical access control department.

NOTE

Before performing configuration in this example, ensure that devices can communicate with
each other on the network.

Procedure
Step 1 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.

# Create and configure the RADIUS server template rd1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Example@2012
[Switch-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create authentication domain isp1, and bind AAA scheme abc and RADIUS
server template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit

# Configure the default domain isp1 in the system view. When a user enters the
user name in the format of user@isp1, the user is authenticated in the
authentication domain isp1. If the user name does not carry the domain name or
carries a nonexistent domain name, the user is authenticated in the default
domain.
[Switch] domain isp1

# Check whether a user can be authenticated through RADIUS authentication.
(The test user test@example.com and password Example2012 have been
configured on the RADIUS server.)
[Switch] test-aaa test@example.com Example2012 radius-template rd1
Info: Account test succeeded.

Step 2 Configure MAC address authentication.
# Change the NAC mode to common.
[Switch] undo authentication unified-mode
Warning: Switching the authentication mode will take effect after system restart
. Some configurations are invalid after the mode is switched. For the invalid co
mmands, see the user manual. Save the configuration file and reboot now? [Y/N] y

NOTE

● By default, the NAC unified mode is used.
● After the NAC unified mode is changed to common mode, you must save the configuration
and restart the device to make each function in the new configuration mode take effect.

# Enable MAC address authentication globally and on an interface.
<Switch> system-view
[Switch] mac-authen
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] mac-authen
[Switch-GigabitEthernet0/0/1] quit

Step 3 Verify the configuration.
1. Run the display mac-authen command to check the MAC address
authentication configuration. The command output (MAC address
authentication is enabled) shows that MAC address authentication has been
enabled on the interface GE0/0/1.
2. After the user starts the terminal, the device automatically obtains the
terminal MAC address and uses it as the user name and password for
authentication.
3. The terminal can access the network after the authentication succeeds.
4. After the terminal goes online, you can run the display access-user command
on the device to check the online MAC address authentication user
information.

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
undo authentication unified-mode
#
domain isp1
#
mac-authen
#
radius-server template rd1
radius-server shared-key cipher %^%#t67cDelRvAQg;*"4@P/3~q_31Sn{ST\V8'Ci633)%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet0/0/1
mac-authen
#
return

3.12.3 Example for Configuring External Portal Authentication to Control Internal User Access
Networking Requirements
On a company network shown in Figure 3-17, many internal users access the
network through GE0/0/1 of the Switch that functions as an access device. After the network
operates for a period of time, attacks are detected. The administrator must control
network access rights of user terminals to ensure network security. The Switch
allows user terminals to access Internet resources only after they are
authenticated.

Figure 3-17 Networking diagram for configuring Portal authentication

Configuration Roadmap
To control the network access rights of users, the administrator can configure
Portal authentication on the Switch when the server with the IP address
192.168.2.30 is used as the RADIUS server, and configure the IP address
192.168.2.20 as the IP address of the Portal server.
The configuration roadmap is as follows (configuration on the Switch):
1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain. The Switch can then exchange information with
the RADIUS server.
2. Configure Portal authentication.
a. Create and configure a Portal server template to ensure normal
information exchange between the device and the Portal server.
b. Enable Portal authentication to authenticate access users.
c. Configure a shared key that the device uses to exchange information with
the Portal server to improve communication security.

NOTE

Before performing configuration in this example, ensure that devices can communicate with
each other on the network.

Procedure
Step 1 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Example@2012
[Switch-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create authentication domain isp1, and bind AAA scheme abc and RADIUS
server template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit

# Configure the default domain isp1 in the system view. When a user enters the
user name in the format of user@isp1, the user is authenticated in the
authentication domain isp1. If the user name does not carry the domain name or
carries a nonexistent domain name, the user is authenticated in the default
domain.
[Switch] domain isp1

# Check whether a user can be authenticated through RADIUS authentication.
(The test user test@example.com and password Example2012 have been
configured on the RADIUS server.)
[Switch] test-aaa test@example.com Example2012 radius-template rd1
Info: Account test succeeded.

Step 2 Create VLANs and configure the VLANs allowed by interfaces to ensure network
communication.
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.1 24
[Switch-Vlanif10] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 20
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 24
[Switch-Vlanif20] quit

Step 3 Configure Portal authentication.
# Change the NAC mode to common.
[Switch] undo authentication unified-mode
Warning: Switching the authentication mode will take effect after system restart. Some
configurations are invalid after the mode is switched. For the invalid commands, see the
user manual. Save the configuration file and reboot now? [Y/N] y

NOTE

● By default, the NAC unified mode is used.
● After the NAC unified mode is changed to common mode, you must save the configuration
and restart the device to make each function in the new configuration mode take effect.

# Create and configure Portal server template abc.
<Switch> system-view
[Switch] web-auth-server abc
[Switch-web-auth-server-abc] server-ip 192.168.2.20
[Switch-web-auth-server-abc] port 50200
[Switch-web-auth-server-abc] url http://192.168.2.20:8080/webagent
[Switch-web-auth-server-abc] quit

NOTE

Ensure that the port number configured on the device is the same as that used by the Portal
server.

# Enable Portal authentication.
[Switch] interface vlanif 10
[Switch-Vlanif10] web-auth-server abc direct
[Switch-Vlanif10] quit

# Set the shared key used by the device to exchange information with the Portal
server to Example@123, and display the key in ciphertext.
[Switch] web-auth-server abc
[Switch-web-auth-server-abc] shared-key cipher Example@123
[Switch-web-auth-server-abc] quit

NOTE

In this example, users use static IP addresses. If users obtain IP addresses using DHCP and the
DHCP server is on the upstream network of the Switch, run the portal free-rule command to
create authentication-free rules and ensure that the DHCP server is included in the
authentication-free rules.

Step 4 Verify the configuration.
1. Run the display portal and display web-auth-server configuration
commands to check the external Portal authentication configuration. The
command output (web-auth-server layer2(direct)) shows that the Portal
server template has been bound to the interface VLANIF 10.
2. After a user opens a browser and enters any website address, the user is
redirected to the Portal authentication page. The user then enters the user
name and password for authentication.
3. If the user name and password are correct, an authentication success
message is displayed on the Portal authentication page. The user can access
the network.
4. After the user goes online, you can run the display access-user command on
the device to check the online Portal authentication user information.

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
undo authentication unified-mode
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %^%#t67cDelRvAQg;*"4@P/3~q_31Sn{ST\V8'Ci633)%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.20
port 50200
shared-key cipher %^%#t:hJ@gD7<+G&,"Y}Y[VP4\foQ&og/Gg(,J4#\!gD%^%#
url http://192.168.2.20:8080/webagent
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
web-auth-server abc direct
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
return

3.12.4 Example for Configuring Multi-mode Authentication on a VLANIF Interface

Networking Requirements
On a company network shown in Figure 3-18, many internal users access the
network through GE0/0/1 of the Switch that functions as an access device. To
effectively manage access users, the company requires that only authenticated
users can access the network. Considering that access users use various types of
terminals and some terminals do not have authentication clients installed, the
administrator needs to configure multi-mode authentication on a VLANIF
interface.

Figure 3-18 Networking diagram for configuring multi-mode authentication

Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain. The Switch can then exchange information with
the RADIUS server.
2. Configure MAC address authentication on a VLANIF interface.
3. Configure Portal authentication.

NOTE

Before performing configuration in this example, ensure that devices can communicate with
each other on the network.

Procedure
Step 1 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Example@2012
[Switch-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create authentication domain isp1, and bind AAA scheme abc and RADIUS
server template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit

# Configure the default domain isp1 in the system view. When a user enters the
user name in the format of user@isp1, the user is authenticated in the
authentication domain isp1. If the user name does not carry the domain name or
carries a nonexistent domain name, the user is authenticated in the default
domain.
[Switch] domain isp1

# Check whether a user can be authenticated through RADIUS authentication.
(The test user test@example.com and password Example2012 have been
configured on the RADIUS server.)
[Switch] test-aaa test@example.com Example2012 radius-template rd1
Info: Account test succeeded.

Step 2 Create VLANs and configure the VLANs allowed by interfaces to ensure network
communication.
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.1 24
[Switch-Vlanif10] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 20
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 24
[Switch-Vlanif20] quit

Step 3 Configure MAC address authentication.
# Change the NAC mode to common.
[Switch] undo authentication unified-mode
Warning: Switching the authentication mode will take effect after system restart. Some
configurations are invalid after the mode is switched. For the invalid commands, see the
user manual. Save the configuration file and reboot now? [Y/N] y

NOTE

● By default, the NAC unified mode is used.
● After the NAC unified mode is changed to common mode, you must save the configuration
and restart the device to make each function in the new configuration mode take effect.

# Enable MAC address authentication in the system view and in the VLANIF interface view.
<Switch> system-view
[Switch] mac-authen
[Switch] interface vlanif 10
[Switch-Vlanif10] mac-authen
[Switch-Vlanif10] quit

Step 4 Configure Portal authentication.
# Create and configure Portal server template abc.
[Switch] web-auth-server abc
[Switch-web-auth-server-abc] server-ip 192.168.2.20
[Switch-web-auth-server-abc] port 50200
[Switch-web-auth-server-abc] url http://192.168.2.20:8080/webagent
[Switch-web-auth-server-abc] quit

NOTE

Ensure that the port number configured on the device is the same as that used by the Portal
server.

# Enable Portal authentication.
[Switch] interface vlanif 10
[Switch-Vlanif10] web-auth-server abc direct
[Switch-Vlanif10] quit

# Set the shared key used by the device to exchange information with the Portal
server to Example@123, and display the key in ciphertext.
[Switch] web-auth-server abc
[Switch-web-auth-server-abc] shared-key cipher Example@123
[Switch-web-auth-server-abc] quit

# Set the maximum number of concurrent Portal authentication users to 100.
[Switch] portal max-user 100

# Set the offline detection interval for Portal authentication users to 500s.
[Switch] portal timer offline-detect 500

Step 5 Verify the configuration.
1. Run the display mac-authen, display portal, and display web-auth-server
configuration commands. The command outputs show that MAC address
authentication and Portal authentication have been enabled on the interface
VLANIF 10.
2. The user can access the network after passing MAC address authentication or
Portal authentication.
3. After the user goes online, you can run the display access-user command on
the device to check all online user information.

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
undo authentication unified-mode
#
domain isp1
#
mac-authen
#
radius-server template rd1
radius-server shared-key cipher %^%#t67cDelRvAQg;*"4@P/3~q_31Sn{ST\V8'Ci633)%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.20
port 50200
shared-key cipher %^%#t:hJ@gD7<+G&,"Y}Y[VP4\foQ&og/Gg(,J4#\!gD%^%#
url http://192.168.2.20:8080/webagent
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
web-auth-server abc direct
mac-authen
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
portal max-user 100
portal timer offline-detect 500
#
return
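
The following audit script is an added example, not Huawei's code. It reads a configuration file in the format shown in 3.12.3 and 3.12.4 above and flags the mistakes that most often keep Portal redirection from working: the NAC common-mode switch missing, a default domain not defined under aaa, an incomplete web-auth-server template, a VLANIF interface bound to an undefined template, and a url whose host differs from server-ip. It assumes, as these examples do, that the redirect URL is served from the Portal server's own IP address; the sample configuration is constructed and its shared-key ciphertext is a placeholder.

```python
"""Audit the external Portal authentication settings of a Huawei VRP-style
configuration file like the ones in examples 3.12.3 and 3.12.4 (constructed
example, not Huawei code): parses the '#'-separated configuration-file
format shown on the page and reports inconsistencies before users are redirected."""
import re
from urllib.parse import urlsplit

# Constructed sample in the page's configuration-file format; the url host
# deliberately differs from server-ip so that the audit has something to flag.
SAMPLE_CONFIG = """\
#
vlan batch 10 20
undo authentication unified-mode
#
domain isp1
#
web-auth-server abc
 server-ip 192.168.2.20
 port 50200
 shared-key cipher %^%#CIPHERTEXT-PLACEHOLDER%^%#
 url http://192.168.2.30:8080/webagent
#
aaa
 domain isp1
  authentication-scheme abc
  radius-server rd1
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
 web-auth-server abc direct
#
return
"""


def parse_blocks(config):
    """Split the configuration into '#'-delimited blocks of stripped lines."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            blocks.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    blocks.append(current)
    return [b for b in blocks if b]


def parse_portal_config(config):
    """Collect Portal server templates, interface bindings and AAA domains."""
    cfg = {"templates": {}, "bindings": {}, "aaa_domains": set(),
           "common_mode": False, "default_domain": None}
    for block in parse_blocks(config):
        head = block[0]
        if head.startswith("web-auth-server "):
            # "shared-key cipher X" becomes key "shared-key", value "cipher X"
            cfg["templates"][head.split()[1]] = dict(
                line.partition(" ")[::2] for line in block[1:])
        elif head.startswith("interface "):
            for line in block[1:]:
                m = re.match(r"web-auth-server (\S+) (direct|layer3)$", line)
                if m:
                    cfg["bindings"][head.split()[1]] = m.group(1)
        elif head == "aaa":
            cfg["aaa_domains"].update(
                line.split()[1] for line in block if line.startswith("domain "))
        else:  # system-view lines: NAC mode and the global default domain
            for line in block:
                if line == "undo authentication unified-mode":
                    cfg["common_mode"] = True
                elif line.startswith("domain "):
                    cfg["default_domain"] = line.split()[1]
    return cfg


def audit_portal_config(config):
    """Return a list of findings; an empty list means the setup is consistent."""
    cfg = parse_portal_config(config)
    findings = []
    if not cfg["common_mode"]:
        findings.append("NAC common mode not set: 'undo authentication unified-mode' missing")
    if cfg["default_domain"] not in cfg["aaa_domains"]:
        findings.append(f"default domain {cfg['default_domain']!r} is not defined under aaa")
    for name, tpl in cfg["templates"].items():
        for key in ("server-ip", "port", "shared-key", "url"):
            if key not in tpl:
                findings.append(f"web-auth-server {name}: '{key}' not configured")
        host = urlsplit(tpl.get("url", "")).hostname
        # Assumption: the redirect URL points at the Portal server's own IP address
        if "server-ip" in tpl and host and host != tpl["server-ip"]:
            findings.append(f"web-auth-server {name}: url host {host} "
                            f"differs from server-ip {tpl['server-ip']}")
    for intf, name in cfg["bindings"].items():
        if name not in cfg["templates"]:
            findings.append(f"{intf}: references undefined web-auth-server {name}")
    return findings
```

Running audit_portal_config on the output of display current-configuration gives the same checks against a live device; a template whose url uses a DNS name instead of an IP address will be reported as a mismatch and needs a manual look.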

3.12.5 Example for Configuring User Groups

Networking Requirements
On a company network shown in Figure 3-19, many internal users access the
network through GE0/0/1 of the Switch that functions as an access device. To
effectively manage access users, the company requires that only authenticated
users can access the network. In addition, users from different departments have
limited network access rights:
● Users in the marketing department can only access network segment
172.16.104.0/24.
● Users in the administration department can only access network segment
172.16.105.0/24.
● Users in the R&D department can only access network segment
172.16.106.0/24.

Figure 3-19 Networking diagram for configuring user groups

Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and
authentication domains. Bind the RADIUS server template and AAA scheme to
the authentication domains. The Switch can then exchange information with
the RADIUS server.
2. Configure user groups to differentially manage the network access rights of
users.
a. Create ACLs.
b. Create user groups and bind them to ACLs.
c. Enable the user group function.
3. Configure 802.1X authentication for users. Only authenticated users can
access the network.
a. Enable 802.1X authentication globally and on an interface.
b. Enable MAC address bypass authentication to authenticate the terminals
(such as printers) that cannot install 802.1X authentication client
software.

NOTE

Before performing configuration in this example, ensure that devices can communicate with
each other on the network.

Procedure
Step 1 Create VLANs and configure the VLANs allowed by interfaces to ensure network
communication.

# Create VLAN 10, VLAN 20, VLAN 30, and VLAN 40.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 40

# On the Switch, configure GE0/0/1 connected to users as a trunk interface, and
add this interface to VLANs 10, 20, and 30.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20 30
[Switch-GigabitEthernet0/0/1] quit

# On the Switch, configure GE0/0/2 connected to the RADIUS server as an access
interface, and add this interface to VLAN 40.
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 40
[Switch-GigabitEthernet0/0/2] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and
authentication domains.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Example@2012
[Switch-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create authentication domains abc11, abc22, and abc33, and bind the AAA
scheme abc and RADIUS server template rd1 to the authentication domains.
[Switch-aaa] domain abc11
[Switch-aaa-domain-abc11] authentication-scheme abc
[Switch-aaa-domain-abc11] radius-server rd1
[Switch-aaa-domain-abc11] quit
[Switch-aaa] domain abc22
[Switch-aaa-domain-abc22] authentication-scheme abc
[Switch-aaa-domain-abc22] radius-server rd1
[Switch-aaa-domain-abc22] quit
[Switch-aaa] domain abc33
[Switch-aaa-domain-abc33] authentication-scheme abc
[Switch-aaa-domain-abc33] radius-server rd1
[Switch-aaa-domain-abc33] quit
[Switch-aaa] quit

Step 3 Configure user groups.
# Change the NAC mode to common.
[Switch] undo authentication unified-mode
Warning: Switching the authentication mode will take effect after system restart. Some
configurations are invalid after the mode is switched. For the invalid commands, see the
user manual. Save the configuration file and reboot now? [Y/N] y

NOTE

● By default, the NAC unified mode is used.
● After the NAC unified mode is changed to common mode, you must save the configuration
and restart the device to make each function in the new configuration mode take effect.

# Create ACLs.
<Switch> system-view
[Switch] acl 3001
[Switch-acl-adv-3001] rule permit ip source 10.164.1.0 0.0.0.255 destination 172.16.104.0 0.0.0.255
[Switch-acl-adv-3001] rule deny ip source 10.164.1.0 0.0.0.255 destination any
[Switch-acl-adv-3001] quit
[Switch] acl 3002
[Switch-acl-adv-3002] rule permit ip source 10.164.2.0 0.0.0.255 destination 172.16.105.0 0.0.0.255
[Switch-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination any
[Switch-acl-adv-3002] quit
[Switch] acl 3003
[Switch-acl-adv-3003] rule permit ip source 10.164.3.0 0.0.0.255 destination 172.16.106.0 0.0.0.255
[Switch-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination any
[Switch-acl-adv-3003] quit

# Create user groups and bind them to ACLs. Allocate users in the marketing
department to the user group abc1, users in the administration department to the
user group abc2, and users in the R&D department to the user group abc3.
[Switch] user-group abc1
[Switch-user-group-abc1] acl-id 3001
[Switch-user-group-abc1] quit
[Switch] user-group abc2
[Switch-user-group-abc2] acl-id 3002
[Switch-user-group-abc2] quit
[Switch] user-group abc3
[Switch-user-group-abc3] acl-id 3003
[Switch-user-group-abc3] quit

# Enable the user group function.
[Switch] user-group abc1 enable
[Switch] user-group abc2 enable
[Switch] user-group abc3 enable

# Bind user groups to authentication domains. Users in the marketing department
are authenticated in the authentication domain abc11, users in the administration
department in the authentication domain abc22, and users in the R&D
department in the authentication domain abc33.
[Switch] aaa
[Switch-aaa] domain abc11
[Switch-aaa-domain-abc11] user-group abc1
[Switch-aaa-domain-abc11] quit
[Switch-aaa] domain abc22
[Switch-aaa-domain-abc22] user-group abc2
[Switch-aaa-domain-abc22] quit
[Switch-aaa] domain abc33
[Switch-aaa-domain-abc33] user-group abc3
[Switch-aaa-domain-abc33] quit
[Switch-aaa] quit

Step 4 Configure 802.1X authentication.
# Enable 802.1X authentication globally and on an interface.
[Switch] dot1x enable
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] dot1x enable

# Enable MAC address bypass authentication.
[Switch-GigabitEthernet0/0/1] dot1x mac-bypass
[Switch-GigabitEthernet0/0/1] quit
[Switch] quit

Step 5 Verify the configuration.
1. Run the display user-group, display domain name, and display dot1x
commands to check the configured user groups, authentication domains, and
802.1X authentication information.
2. When user A (user name userA@abc22) in the administration department
accesses the network, the Switch authenticates the user in the domain abc22
upon receipt of the authentication request. The authentication domain abc22
is bound to the user group abc2, so user A is granted the network access
rights of the user group abc2. After accessing the network, user A can only
access network segment 172.16.105.0/24. Users in the R&D department can
only access 172.16.106.0/24, and users in the marketing department can only
access 172.16.104.0/24.

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30 40
undo authentication unified-mode
#
dot1x enable
#
radius-server template rd1
radius-server shared-key cipher %^%#t67cDelRvAQg;*"4@P/3~q_31Sn{ST\V8'Ci633)%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
acl number 3001
rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 172.16.104.0 0.0.0.255
rule 10 deny ip source 10.164.1.0 0.0.0.255
acl number 3002
rule 5 permit ip source 10.164.2.0 0.0.0.255 destination 172.16.105.0 0.0.0.255
rule 10 deny ip source 10.164.2.0 0.0.0.255
acl number 3003
rule 5 permit ip source 10.164.3.0 0.0.0.255 destination 172.16.106.0 0.0.0.255
rule 10 deny ip source 10.164.3.0 0.0.0.255
#
aaa
authentication-scheme abc
authentication-mode radius
domain abc11
authentication-scheme abc
radius-server rd1
user-group abc1
domain abc22
authentication-scheme abc
radius-server rd1
user-group abc2
domain abc33
authentication-scheme abc
radius-server rd1
user-group abc3
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30
dot1x mac-bypass
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 40
#
user-group abc1
acl-id 3001
user-group abc1 enable
#
user-group abc2
acl-id 3002
user-group abc2 enable
#
user-group abc3
acl-id 3003
user-group abc3 enable
#
return
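
To check that the user-group ACLs above yield the access rights described in the verification step, here is an added example (not Huawei code) that parses the acl, user-group and aaa lines of the configuration file, resolves a login name to its domain by the user@domain rule that 3.13.1 below explains, and evaluates a flow against the group's ACL with Huawei wildcard masks and first-match semantics. It assumes that rules are matched in ascending rule-number order and that a flow matching no rule, or a user whose domain has no group ACL, is left unrestricted; the sample configuration and the source and destination addresses are constructed.

```python
"""Evaluate the per-department ACLs from example 3.12.5 against sample flows.

Constructed example, not Huawei code: parses the acl, user-group and aaa domain
lines in the page's configuration-file format, resolves a login name to its
domain (the rule 3.13.1 describes), user group and ACL, then evaluates a flow
with a first-match lookup and Huawei wildcard masks."""
import ipaddress
import re

# Constructed copy of the relevant lines of the 3.12.5 configuration file.
SAMPLE_CONFIG = """\
acl number 3001
 rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 172.16.104.0 0.0.0.255
 rule 10 deny ip source 10.164.1.0 0.0.0.255
acl number 3002
 rule 5 permit ip source 10.164.2.0 0.0.0.255 destination 172.16.105.0 0.0.0.255
 rule 10 deny ip source 10.164.2.0 0.0.0.255
acl number 3003
 rule 5 permit ip source 10.164.3.0 0.0.0.255 destination 172.16.106.0 0.0.0.255
 rule 10 deny ip source 10.164.3.0 0.0.0.255
#
aaa
 domain abc11
  user-group abc1
 domain abc22
  user-group abc2
 domain abc33
  user-group abc3
#
user-group abc1
 acl-id 3001
user-group abc2
 acl-id 3002
user-group abc3
 acl-id 3003
"""

RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip source (\S+) (\S+)"
                     r"(?: destination (\S+) (\S+))?$")


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard mask: a 0 bit must match, a 1 bit is a don't-care."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def parse_config(config):
    """Collect ACL rules, user-group ACL ids and domain-to-group bindings."""
    cfg = {"acls": {}, "groups": {}, "domains": {}, "default_domain": "default"}
    in_aaa, current = False, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "#":
            in_aaa, current = False, None
        elif words[0] == "aaa":
            in_aaa = True
        elif words[:2] == ["acl", "number"]:
            current = cfg["acls"].setdefault(int(words[2]), [])
        elif words[0] == "rule":
            current.append(RULE_RE.match(raw.strip()).groups())
        elif words[0] == "domain" and in_aaa:
            current = words[1]
            cfg["domains"].setdefault(current, None)
        elif words[0] == "domain":
            cfg["default_domain"] = words[1]
        elif words[0] == "user-group" and in_aaa:
            cfg["domains"][current] = words[1]
        elif words[0] == "user-group":
            current = words[1]
        elif words[0] == "acl-id":
            cfg["groups"][current] = int(words[1])
    return cfg


def resolve_domain(username, cfg):
    """user@domain selects that domain; no domain, or an unknown one, falls back to the default."""
    domain = username.partition("@")[2]
    return domain if domain in cfg["domains"] else cfg["default_domain"]


def flow_allowed(username, src_ip, dst_ip, cfg):
    """The first matching rule of the user's group ACL decides the flow."""
    group = cfg["domains"].get(resolve_domain(username, cfg))
    acl_id = cfg["groups"].get(group)
    if acl_id is None:
        return True  # assumption: a domain without a group ACL imposes no restriction
    for _, action, src, src_wc, dst, dst_wc in sorted(cfg["acls"][acl_id],
                                                      key=lambda r: int(r[0])):
        if wildcard_match(src_ip, src, src_wc) and (
                dst is None or wildcard_match(dst_ip, dst, dst_wc)):
            return action == "permit"
    return True  # assumption: a flow matching no rule is left unfiltered
```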

3.13 FAQ About NAC

3.13.1 Why Users Fail Authentication When the Access Device and AAA Server Configurations Are Correct?
The access device manages users based on domains. A user must belong to a
domain. During user access authentication, the device sends user information to
the specified AAA server for authentication according to the parameters such as
authentication mode and authentication server IP address configured in the user
domain. When the domain name provided for user login is different from the
actual user domain, the users cannot pass authentication even if the access device
and AAA server configurations are correct.

The domain of a user is determined by the user name provided for login. The rules
are as follows:
● If the entered user name contains a domain name and the user name format
is user-name@domain-name, the user domain is domain-name.
● If the entered user name does not contain a domain and the user name
format is user-name, the user belongs to the default system domain. By
default, the global default domain is default.

For example, the user name is test and the user belongs to the domain example.
To ensure that the user is authenticated in the domain example, perform the
following operations:
● Enter the user name test@example on the client.
● Run the domain example command in the system view to set the global default
domain to example.

3.13.2 How to Limit the Number of MAC Addresses That Can Be Learned Through an 802.1X Authentication Interface
The 802.1X authentication function conflicts with the mac-limit command
(configuring the maximum number of MAC addresses that can be learned through
an interface) and the mac-address learning disable command (disabling MAC
address learning on an interface). Therefore, after 802.1X authentication is
enabled on an interface, you cannot run the mac-limit and mac-address learning
disable commands to limit the number of MAC addresses that can be learned
through the interface. The following describes some alternative methods.

● (Applicable to all versions) Limit the number of concurrent access users for
802.1X authentication on an interface to limit the number of MAC addresses
that can be learned through the interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dot1x max-user 3

● (Applicable to V200R012 and later versions) Configure port security on an
interface and limit the number of MAC addresses that can be learned through
the interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 3

3.13.3 Why 802.1X Authentication Users Cannot Pass Authentication When a Layer 2 Switch Exists Between the 802.1X-Enabled Device and Users?
The EAP packet in 802.1X authentication is a bridge protocol data unit (BPDU). By
default, Huawei switches do not perform Layer 2 forwarding for BPDUs. If a Layer 2
switch exists between the 802.1X-enabled device and a user, Layer 2 transparent
transmission must be configured on that switch. Otherwise, the EAP packets sent by
the user cannot reach the authentication device and the user cannot pass
authentication.

To configure Layer 2 transparent transmission of 802.1X authentication packets,
perform the following operations:
1. Run the l2protocol-tunnel user-defined-protocol dot1x protocol-mac
0180-c200-0003 group-mac 0100-0000-0002 command in the global view of
the Layer 2 switch.
2. Run the l2protocol-tunnel user-defined-protocol dot1x enable and bpdu
enable commands on the interface connecting the Layer 2 switch to the
uplink network and all downlink interfaces connected to users.

3.13.4 How Can I Select 802.1X User Authentication Modes for Different 802.1X Client Software?
If the 802.1X client uses the MD5 encryption mode, the user authentication mode
on the device can be set to EAP or CHAP; if the 802.1X client uses the PEAP
authentication mode, the authentication mode on the device can be set to EAP.

3.13.5 Why There Are a Large Number of 802.1X Authentication Logs?
If periodic 802.1X re-authentication is enabled, a large number of 802.1X
authentication logs are generated.

To solve the problem, run the undo dot1x reauthenticate command on the
specified interface to disable periodic 802.1X re-authentication.

3.13.6 Why an 802.1X User Is Automatically Disconnected After Passing Authentication?
If the handshake function for online users is enabled on the device and the 802.1X
client cannot exchange handshake packets with the device, the device will not
receive the handshake response packets within the handshake period and then
disconnect the users.
To solve the problem, run the undo dot1x reauthenticate command to disable
periodic 802.1X re-authentication.

3.13.7 Why an 802.1X User Cannot Obtain an IP Address After Passing Authentication?
If VLAN authorization is configured on the authentication server and the VLAN
that the DHCP server belongs to is an authorization VLAN, the type of the
interface that the 802.1X user connects to must be hybrid. Otherwise, the user
cannot obtain an IP address after passing the authentication.
To modify the interface type to hybrid, perform the following configurations
(using GE0/0/1 as an example):
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port link-type
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid

3.13.8 How Are Dumb Terminals such as Printers Authenticated in an 802.1X Network?
Enable MAC address bypass authentication.
You can enable MAC address bypass authentication for terminals (such as
printers) on which the 802.1X client software cannot be installed or used. After
MAC address bypass authentication is configured on the interface, the device
performs 802.1X authentication and starts the delay timer for MAC address bypass
authentication. If 802.1X authentication still fails after the delay of MAC address
bypass authentication, the device performs MAC address authentication.

3.13.9 Why an 802.1X User Still Fails MAC Address Bypass Authentication After an Authentication Failure?
After MAC address bypass authentication is enabled, the device performs MAC
address bypass authentication on the user who fails 802.1X authentication. In this
case, the access device actually starts the MAC address authentication process for
the user, and the user name is determined by the mac-authen username
command. To ensure that the user can pass MAC address bypass authentication,
configure a MAC address authentication account for the user on the
authentication server, and ensure that the account name format is the same as
that configured in the mac-authen username command.

3.13.10 Does a Portal Authentication User Need to Obtain an IP Address Before Passing Authentication?
Yes.
In 802.1X authentication and MAC address authentication, a user is authenticated
and then obtains an IP address after passing the authentication. In Portal
authentication, the user first obtains an IP address and then is authenticated.
