S1720&S2700&S5700&S6720 Series Ethernet Switches Configuration Guide - User Access and Authentication

S1720&S2700&S5700&S6720 Series Ethernet Switches
Configuration Guide - User Access and Authentication Contents
Contents
About This Document.....................................................................................................................ii

1 User Access and Authentication Features Supported in This Version............................... 1
2 AAA Configuration.......................................................................................................................2
2.1 Overview........................................................................................................................................................................ 3
2.2 Principles........................................................................................................................................................................ 3
2.2.1 Concepts...................................................................................................................................................................... 3
2.2.2 RADIUS Authentication, Authorization, Accounting.................................................................................................5
2.2.2.1 RADIUS Overview...................................................................................................................................................5
2.2.2.2 RADIUS Packet Overview....................................................................................................................................... 6
2.2.2.3 RADIUS Authentication, Authorization, Accounting Process................................................................................ 8
2.2.2.4 RADIUS Attributes.................................................................................................................................................11
2.2.3 HWTACACS Authentication, Authorization, Accounting....................................................................................... 32
2.2.3.1 HWTACACS Overview......................................................................................................................................... 32
2.2.3.2 HWTACACS Packet Overview..............................................................................................................................33
2.2.3.3 HWTACACS Authentication, Authorization, Accounting Process....................................................................... 41
2.2.3.4 HWTACACS Attributes......................................................................................................................................... 43
2.2.4 Domain-based User Management............................................................................................................................. 49
2.3 Use Scenario................................................................................................................................................................. 50
2.4 Configuration Notes..................................................................................................................................................... 51
2.5 Default Configuration...................................................................................................................................................53
2.6 Configuration Tasks......................................................................................................................................................54
2.7 Configuring Local Authentication and Authorization..................................................................................................55
2.7.1 Configuring a Local User.......................................................................................................................................... 56
2.7.2 Configuring Authorization Rules.............................................................................................................................. 62
2.7.3 Configuring AAA Schemes.......................................................................................................................................66
2.7.4 (Optional) Configuring a Service Scheme.................................................................................................................67
2.7.5 Applying AAA Schemes to a Domain...................................................................................................................... 70
2.7.6 Checking the Configuration.......................................................................................................................................74
2.8 Using RADIUS to Perform Authentication and Accounting....................................................................................... 74
2.8.1 Configuring a RADIUS Server..................................................................................................................................75
2.8.3 Configuring a RADIUS Server Template..................................................................................................................79
Issue 03 (2016-07-22) Huawei Proprietary and Confidential vi

Copyright © Huawei Technologies Co., Ltd.
2.8.4 (Optional) Configuring a Service Scheme.................................................................................................................88

2.8.5 Applying AAA Schemes to a Domain...................................................................................................................... 90
2.8.6 Checking the Configuration.......................................................................................................................................95
2.9 Using HWTACACS to Perform Authentication, Authorization and Accounting........................................................ 96
2.9.1 Configuring an HWTACACS Server........................................................................................................................ 96
2.9.3 Configuring an HWTACACS Server Template.......................................................................................................101
2.9.4 (Optional) Configuring a Service Scheme...............................................................................................................104
2.9.5 Applying AAA Schemes to a Domain.................................................................................................................... 107
2.9.6 Checking the Configuration.....................................................................................................................................111
2.10 Maintaining AAA..................................................................................................................................................... 112
2.10.1 Forcing Users to Go Offline.................................................................................................................................. 112
2.10.2 Testing Whether a User Can Pass RADIUS Authentication................................................................................. 112
2.10.3 Clearing AAA Statistics.........................................................................................................................................113
2.11 Configuration Examples........................................................................................................................................... 114
2.11.1 Example for Configuring Authentication for Telnet Login Users (AAA Local Authentication)..........................114
2.11.2 Example for Configuring Authentication for Telnet Login Users (RADIUS Authentication)..............................116
2.11.3 Example for Configuring RADIUS Authentication and Accounting.................................................................... 119
2.11.4 Example for Configuring HWTACACS Authentication, Accounting, and Authorization................................... 122
2.11.5 Example for Configuring Domain-based User Management................................................................................ 126
2.12 Common Configuration Errors................................................................................................................................. 131
2.12.1 A User Cannot Log In to the Device Through Telnet When AAA Local Authentication Is Used....................... 131
2.12.2 A User Cannot Enter the System View After Logging In to the Device Through Telnet When AAA Local
Authentication Is Used..................................................................................................................................................... 132
2.12.3 A User Fails to Pass RADIUS Authentication When Entered User Name Does Not Contain Domain Name.....133
2.13 FAQ...........................................................................................................................................................................134
2.13.1 What Should Be Noticed When the Device Connects to an H3C iMC RADIUS Server?....................................134
2.13.2 What Should Be Noticed When the Device Connects to a Ruijie RADIUS Server?............................................134
2.13.3 What Should Be Noticed When the Device Connects to a Leagsoft RADIUS Server?........................................135
2.13.4 What Should Be Noticed When the Device Connects to a Symantec RADIUS Server?......................................135
2.13.5 When a Device Connects to the Agile Controller or Policy Center Server, Users Are Forced to Go Offline or
Online User Information Cannot Be Displayed. Why?.................................................................................................... 135
2.13.6 Does RADIUS Support Traffic-based Accounting?..............................................................................................135
2.13.7 If Both RADIUS Authentication and Local Authentication Are Configured, In Which Situation Does the Device
Perform Local Authentication?........................................................................................................................................ 135
2.13.8 When Both RADIUS Authentication and Local Authentication Are Configured, Why a User Is Disconnected
After More than 10 Seconds?........................................................................................................................................... 136
2.13.9 Why Cannot Local Users Be Deleted?.................................................................................................................. 137
2.13.10 How Can I Restrict Local User Access Type to Telnet?......................................................................................137
2.13.11 Is HWTACACS Compatible with TACACS+?................................................................................................... 137
2.13.12 What Are the Functions of Domain and Global Default Domain?..................................................................... 137
2.13.13 Can I Set a Validity Period for User Passwords?.................................................................................................138
2.13.14 How Can I Change Rights for Online Users?......................................................................................................138
Issue 03 (2016-07-22) Huawei Proprietary and Confidential vii

2.13.15 How Can I Dynamically Assign VLANs or ACLs to Users Through RADIUS?...............................................138
2.13.16 Why the idle-timeout Parameter Configured in the User Interface View Does Not Take Effect?...................... 139
2.13.17 Why a Level-1 User Can Use the Configuration-Level Commands?................................................................. 139
2.14 References................................................................................................................................................................ 139
3 NAC Configuration (Common Mode)...................................................................................141

3.1 Overview.................................................................................................................................................................... 143
3.2 Principles.................................................................................................................................................................... 144
3.2.1 802.1x Authentication............................................................................................................................................. 144
3.2.2 MAC Address Authentication................................................................................................................................. 151
3.2.3 Portal Authentication............................................................................................................................................... 152
3.2.4 Combined Authentication........................................................................................................................................155
3.3 Applications................................................................................................................................................................155
3.3.4 Combined Authentication........................................................................................................................................157
3.4 Configuration Notes................................................................................................................................................... 158
3.5 Default Configuration.................................................................................................................................................162
3.6 Configuring the NAC Common Mode....................................................................................................................... 163
3.7 Configuring 802.1x Authentication............................................................................................................................ 163
3.7.1 Enabling 802.1x Authentication.............................................................................................................................. 164
3.7.2 (Optional) Configuring the Authorization State of an Interface..............................................................................165
3.7.3 (Optional) Configuring the Access Control Mode of an Interface.......................................................................... 166
3.7.4 (Optional) Configuring Methods Used to Process Authentication Packets............................................................ 167
3.7.5 (Optional) Enabling MAC Address Bypass Authentication....................................................................................167
3.7.6 (Optional) Setting the Maximum Number of Concurrent Access Users for 802.1x Authentication on an Interface
.......................................................................................................................................................................................... 169
3.7.7 (Optional) Configuring the Forcible Domain for 802.1x Authentication Users..................................................... 170
3.7.8 (Optional) Setting the Source Address of Offline Detection Packets......................................................................171
3.7.9 (Optional) Configuring Timers for 802.1x Authentication..................................................................................... 172
3.7.10 (Optional) Configuring the Quiet Function in 802.1x Authentication.................................................................. 172
3.7.11 (Optional) Configuring Re-authentication for 802.1x Authentication Users........................................................ 173
3.7.12 (Optional) Configuring the Handshake Function for 802.1x Online Users.......................................................... 175
3.7.13 (Optional) Configuring the Guest VLAN Function.............................................................................................. 176
3.7.14 (Optional) Configuring the Restrict VLAN Function........................................................................................... 177
3.7.15 (Optional) Configuring the Critical VLAN Function............................................................................................178
3.7.16 (Optional) Configuring Network Access Rights for Users in Different Authentication Stages............................180
3.7.17 (Optional) Configuring Terminal Type Awareness................................................................................................182
3.7.18 (Optional) Configuring the NAC Open Function in 802.1x Authentication......................................................... 183
3.7.19 (Optional) Configuring 802.1x Authentication Triggered by a DHCP Packet......................................................184
3.7.20 (Optional) Enabling 802.1x Authentication Triggered by Unicast Packets.......................................................... 184
3.7.21 (Optional) Configuring 802.1x-based Fast Deployment....................................................................................... 185
Issue 03 (2016-07-22) Huawei Proprietary and Confidential viii

3.7.22 (Optional) Configuring Static Users......................................................................................................................187

3.7.23 (Optional) Configuring Web Push......................................................................................................................... 188
3.7.24 (Optional) Configuring the User Group Function................................................................................................. 189
3.7.25 (Optional) Configuring the Device to Automatically Generate the DHCP Snooping Binding Table for Static IP
Users................................................................................................................................................................................. 190
3.7.26 (Optional) Configuring Voice Terminals to Go Online Without Authentication.................................................. 192
3.7.27 Checking the Configuration...................................................................................................................................193
3.8 Configuring MAC Address Authentication................................................................................................................193
3.8.1 Enabling MAC Address Authentication..................................................................................................................194
3.8.2 (Optional) Configuring the User Name Format...................................................................................................... 194
3.8.3 (Optional) Configuring the User Authentication Domain....................................................................................... 195
3.8.4 (Optional) Configure Packet Types That Can Trigger MAC Address Authentication............................................196
3.8.5 (Optional) Setting the Maximum Number of Access Users for MAC Address Authentication on an Interface.... 200
3.8.6 (Optional) Specifying the MAC Address Segment Allowed by MAC Address Authentication............................ 201
3.8.8 (Optional) Configuring Timers of MAC Address Authentication...........................................................................202
3.8.9 (Optional) Configuring Re-authentication for MAC Address Authentication Users..............................................203
3.8.10 (Optional) Configuring the Guest VLAN Function.............................................................................................. 205
3.8.11 (Optional) Configuring the Critical VLAN Function............................................................................................ 206
3.8.12 (Optional) Configuring the Quiet Function for MAC Address Authentication.................................................... 208
3.9 Configuring Portal Authentication............................................................................................................................. 217
3.9.1 Configuring Portal Server Parameters..................................................................................................................... 217
3.9.2 Enabling Portal Authentication............................................................................................................................... 219
3.9.3 (Optional) Configuring Parameters for Information Exchange with the Portal server........................................... 222
3.9.4 (Optional) Setting Access Control Parameters for Portal Authentication Users.....................................................224
3.9.6 (Optional) Setting the Offline Detection Interval for Portal Authentication Users.................................................227
3.9.7 (Optional) Configuring the Detection Function for Portal Authentication............................................................. 227
3.9.8 (Optional) Configuring User Information Synchronization.................................................................................... 228
3.9.9 (Optional) Configuring the Quiet Timer..................................................................................................................229
3.9.15 (Optional) Enabling Anonymous Login for Users in Built-in Portal Authentication........................................... 237
Issue 03 (2016-07-22) Huawei Proprietary and Confidential ix

3.9.16 (Optional) Configuring the Session Timeout Interval for Built-in Portal Authentication Users...........................238
3.9.18 (Optional) Enabling URL Encoding and Decoding.............................................................................................. 239
3.10 Configuring Combined Authentication.................................................................................................................... 241
3.11 Maintaining NAC..................................................................................................................................................... 242
3.11.1 Clearing 802.1x Authentication Statistics............................................................................................................. 242
3.11.2 Clearing MAC Address Authentication Statistics................................................................................................. 242
3.11.3 Clearing Statistics on Traffic of Users in a User Group........................................................................................ 243
3.11.4 Forcing Users Offline............................................................................................................................................ 243
3.12.1 Example for Configuring 802.1x Authentication to Control Internal User Access.............................................. 243
3.12.2 Example for Configuring MAC Address Authentication to Control Internal User Access.................................. 248
3.12.3 Example for Configuring Built-in Portal Authentication to Control Internal User Access.................................. 251
3.12.4 Example for Configuring External Portal Authentication to Control Internal User Access................................. 254
3.12.5 Example for Configuring Combined Authentication on a Layer 2 Interface........................................................ 258
3.12.6 Example for Configuring Combined Authentication on VLANIF Interface.........................................................262
3.12.7 Example for Configuring User Group................................................................................................................... 266
3.13 FAQ...........................................................................................................................................................................270
3.13.1 Why Users Fail Authentication When the Access Device and AAA Server Configurations Are Correct?..........270
3.13.2 Why 802.1x Authentication Users Cannot Pass Authentication When a Layer 2 Switch Exists Between the
802.1x-Enabled Device and Users?..................................................................................................................................270
3.13.3 How Can I Select 802.1x User Authentication Modes for Different 802.1x Client Software?............................ 271
3.13.4 Why There Are a Large Number of 802.1x Authentication Logs?....................................................................... 271
3.13.5 Why an 802.1x User Is Automatically Disconnected After Passing Authentication?.......................................... 271
3.13.6 Why an 802.1x User Cannot Obtain an IP Address After Passing Authentication?............................................. 271
3.13.7 How Are Dumb Terminals such as Printers Authenticated in an 802.1x Network?............................................. 272
3.13.8 Why an 802.1x User Still Fails MAC Address Bypass Authentication After an Authentication Failure?........... 272
3.13.9 Does a Portal Authentication User Need to Obtain an IP Address Before Passing Authentication?....................272
3.14 References................................................................................................................................................................ 272
4 NAC Configuration (Unified Mode)..................................................................................... 273

4.1 Overview.................................................................................................................................................................... 275
4.2 Principles.................................................................................................................................................................... 276
4.2.1 Basic NAC Principles.............................................................................................................................................. 276
4.2.5 Terminal Type Identification................................................................................................................................... 285
4.3 Applications................................................................................................................................................................287
4.3.1 Using NAC to Control Network Access of Enterprise Intranet Users.................................................................... 287
4.5 Default Configuration.................................................................................................................................................292
Issue 03 (2016-07-22) Huawei Proprietary and Confidential x

4.6 Configuration Process.................................................................................................................................................294

4.7 Configuring the NAC Unified Mode..........................................................................................................................297
4.8 Configuring an Access Profile....................................................................................................................................298
4.8.1 Configuring an 802.1x Access Profile.....................................................................................................................298
4.8.1.1 Creating an 802.1x Access Profile....................................................................................................................... 298
4.8.1.2 (Optional) Configuring an Authentication Mode for 802.1x Users..................................................................... 299
4.8.1.3 (Optional) Configuring the Packet Types That Can Trigger 802.1x Authentication............................................300
4.8.1.4 (Optional) Configuring the Device to Send EAP Packets with a Code Number to 802.1x Users....................... 301
4.8.1.5 (Optional) Configuring Re-authentication for Online 802.1x Authentication Users........................................... 302
4.8.1.6 (Optional) Configuring the Online User Handshake Function.............................................................................303
4.8.1.7 (Optional) Configuring Network Access Rights for Users When the 802.1x Client Does Not Respond............ 304
4.8.1.8 (Optional) Configuring the Device to Automatically Generate the DHCP Snooping Binding Table for Static IP
Users................................................................................................................................................................................. 307
4.8.1.9 (Optional) Configuring the Maximum Number of Retransmissions of Authentication Request Packets............309
4.8.1.10 (Optional) Configuring the Authentication Timeout Timer for 802.1x Clients................................................. 309
4.8.1.11 (Optional) Configuring the Authorization State of an Interface.........................................................................310
4.8.1.12 Checking the Configuration................................................................................................................................311
4.8.2 Configuring a MAC Access Profile.........................................................................................................................311
4.8.2.1 Creating a MAC Access Profile............................................................................................................................311
4.8.2.2 Configuring the User Name Format for MAC Address Authentication.............................................................. 312
4.8.2.3 (Optional) Configuring the Packet Types That Can Trigger MAC Address Authentication............................... 313
4.8.2.4 (Optional) Configuring a Source MAC Address Segment Allowed by MAC Address Authentication.............. 314
4.8.2.5 (Optional) Configuring Re-authentication for Online MAC Address Authentication Users............................... 315
4.8.2.6 Checking the Configuration..................................................................................................................................317
4.8.3 Configuring a Portal Access Profile (for an External Portal Server).......................................................................317
4.8.3.1 Configuring an External Portal Server................................................................................................................. 317
4.8.3.2 (Optional) Configuring the Portal Server Detection Function............................................................................. 322
4.8.3.3 (Optional) Configuring Synchronization of Portal Authentication User Information..........................................322
4.8.3.4 Creating a Portal Access Profile........................................................................................................................... 323
4.8.3.5 Configuring an External Portal Server for a Portal Access Profile...................................................................... 324
4.8.3.6 (Optional) Configuring the User Offline Detection Interval................................................................................ 325
4.8.3.7 (Optional) Configuring the Portal Escape Function............................................................................................. 326
4.8.4 Configuring a Portal Access Profile (for a Built-in Portal Server)..........................................................................330
4.8.4.1 Configuring a Built-in Portal Server.................................................................................................................... 330
4.8.4.2 (Optional) Customizing the Login Page of the Built-in Portal Server................................................................. 331
4.8.4.3 (Optional) Configuring the Heartbeat Detection Function for the Built-in Portal Server....................................332
4.8.4.4 (Optional) Configuring the Session Timeout Interval for Users Authenticated Through the Built-in Portal Server
.......................................................................................................................................................................................... 333
4.8.4.5 Creating a Portal Access Profile........................................................................................................................... 334
4.8.4.6 Configuring a Built-in Portal Server for a Portal Access Profile......................................................................... 334
4.9 Configuring an Authentication Profile....................................................................................................................... 336
Issue 03 (2016-07-22) Huawei Proprietary and Confidential xi

4.9.1 Creating an Authentication Profile.......................................................................................................................... 336

4.9.2 Configuring a User Authentication Mode............................................................................................................... 336
4.9.3 (Optional) Configuring the User Access Mode....................................................................................................... 339
4.9.4 (Optional) Configuring Authorization Information for Unauthenticated Users......................................................340
4.9.4.1 (Optional) Configuring Authorization Information for Authentication-free Users..............................................344
4.9.4.2 (Optional) Configuring Voice Terminals to Go Online Without Authentication................................................. 347
4.9.5 (Optional) Configuring Re-authentication for Users...............................................................................................350
4.9.6 (Optional) Configuring the Maximum Number of Access Users Allowed on the Device......................................351
4.9.7 (Optional) Configuring the Handshake Function to Enable the Device to Clear User Entries Immediately..........352
4.9.8 (Optional) Configuring a User Authentication Domain.......................................................................................... 353
4.9.9 (Optional) Configuring the Function of Identifying Static Users Through IP Addresses.......................................354
4.9.10 (Optional) Configuring the User Logout Delay Function When an Interface Link Is Faulty............................... 356
4.10 NAC Application...................................................................................................................................................... 357
4.11 (Optional) Configuring NAC Extended Functions...................................................................................................359
4.11.1 Configuring Extended Functions Related to 802.1x Authentication.....................................................................359
4.11.1.1 Configuring the Interval for Sending 802.1x Authentication Request Packets..................................................359
4.11.1.2 Configuring 802.1x-based Fast Deployment...................................................................................................... 360
4.11.1.3 Disabling the Pre-connection Function...............................................................................................................360
4.11.2 Configuring Extended Functions Related to MAC Address Authentication.........................................................361
4.11.2.1 Disabling the Pre-connection Function...............................................................................................................361
4.11.3 Configuring Extended Functions Related to Portal Authentication...................................................................... 362
4.11.3.1 Configuring the CNA Adaptive Function for iOS Terminals.............................................................................362
4.11.3.2 Configuring CNA Bypass for iOS Terminals..................................................................................................... 363
4.11.3.3 Configuring the Maximum Number of Portal Authentication Users Allowed on the Device........................... 363
4.11.4 Configuring Static Users........................................................................................................................................364
4.11.5 Configuring the Quiet Function.............................................................................................................................365
4.11.6 Configuring the Web Push Function......................................................................................................................367
4.11.7 Assigning Network Access Rights to Users Based on User Context Profiles.......................................................369
4.11.8 Configuring Terminal Type Identification............................................................................................................. 371
4.11.9 Configuring Terminal Type Awareness................................................................................................................. 372
4.11.10 Setting the Source Address of Offline Detection Packets................................................................................... 373
4.11.11 Enabling the Device to Dynamically Adjust the Rate at Which It Processes Packets from NAC Users............ 375
4.11.12 Enabling URL Encoding and Decoding.............................................................................................................. 375
4.11.13 Checking the Configuration.................................................................................................................................376
4.12 Maintaining NAC..................................................................................................................................................... 376
4.12.1 Clearing NAC Statistics.........................................................................................................................................376
4.12.2 Monitoring NAC Operation...................................................................................................................................377
4.13.1 Example for Configuring MAC Address Authentication (AAA RADIUS Authentication Is Used)....................377
4.13.2 Example for Configuring MAC Address Authentication (AAA Local Authentication Is Used)..........................381
4.13.3 Example for Configuring 802.1x Authentication.................................................................................................. 385
Issue 03 (2016-07-22) Huawei Proprietary and Confidential xii

4.13.4 Example for Configuring External Portal Authentication..................................................................................... 390

4.13.5 Example for Configuring Built-in Portal Authentication...................................................................................... 394
4.13.6 Example for Configuring Terminal Type Identification in 802.1x + RADIUS Authentication............................ 398
4.14 References................................................................................................................................................................ 408
5 Policy Association Configuration.......................................................................................... 409

5.1 Overview.................................................................................................................................................................... 410
5.2 Principles.................................................................................................................................................................... 410
5.3 Applications................................................................................................................................................................412
5.5 Configuring Policy Association..................................................................................................................................417
5.5.1 Configuring Access Devices................................................................................................................................... 417
5.5.2 Configuring Control Devices...................................................................................................................................420
5.5.3 Checking the Configuration.....................................................................................................................................424
5.6 Configuration Example...............................................................................................................................................424
5.6.1 Example for Configuring Policy Association..........................................................................................................425
Issue 03 (2016-07-22) Huawei Proprietary and Confidential xiii


S1720&S2700&S5700&S6720 Series Ethernet Switches Configuration Guide - User Access and Authentication

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

S1720&S2700&S5700&S6720 Series Ethernet Switches Configuration Guide - User Access and Authentication

Uploaded by

Copyright:

Available Formats

S1720&S2700&S5700&S6720 Series Ethernet Switches

Configuration Guide - User Access and Authentication Contents

About This Document.....................................................................................................................ii

Issue 03 (2016-07-22) Huawei Proprietary and Confidential vi

2.8.4 (Optional) Configuring a Service Scheme.................................................................................................................88

Issue 03 (2016-07-22) Huawei Proprietary and Confidential vii

3 NAC Configuration (Common Mode)...................................................................................141

Issue 03 (2016-07-22) Huawei Proprietary and Confidential viii

3.7.22 (Optional) Configuring Static Users......................................................................................................................187

Issue 03 (2016-07-22) Huawei Proprietary and Confidential ix

4 NAC Configuration (Unified Mode)..................................................................................... 273

Issue 03 (2016-07-22) Huawei Proprietary and Confidential x

4.6 Configuration Process.................................................................................................................................................294

Issue 03 (2016-07-22) Huawei Proprietary and Confidential xi

4.9.1 Creating an Authentication Profile.......................................................................................................................... 336

Issue 03 (2016-07-22) Huawei Proprietary and Confidential xii

4.13.4 Example for Configuring External Portal Authentication..................................................................................... 390

5 Policy Association Configuration.......................................................................................... 409

Issue 03 (2016-07-22) Huawei Proprietary and Confidential xiii

You might also like