
authentication-profile (Interface view or VAP profile view)

Function

The authentication-profile command applies an authentication profile to the interface or VAP profile.

The undo authentication-profile command restores the default setting.

By default, no authentication profile is applied to the interface or VAP profile.

Format

authentication-profile authentication-profile-name

undo authentication-profile

Parameters

Parameter: authentication-profile-name
Description: Specifies the name of an authentication profile.
Value: The value must be an existing authentication profile name.

Views

Interface view or VAP profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An authentication profile uniformly manages NAC configuration. Binding the authentication profile to an interface or VAP profile enables NAC there, implementing access control on the users of that interface or VAP profile. The authentication type of those users is determined by the access profile bound to the authentication profile.

Prerequisites

An authentication profile has been created using the authentication-profile command in the system view.

Precautions

When configuring NAC, pay attention to the following points:
  • VLANIF interfaces, Ethernet interfaces, GE interfaces, MultiGE interfaces, XGE interfaces, 25GE interfaces, 40GE interfaces, 100GE interfaces, Eth-Trunks, port groups, and VAP profiles support NAC. The support for NAC on different interfaces is as follows:
    • 802.1X authentication does not take effect on a VLANIF interface.
    • Layer 2 interfaces and VLANIF interfaces support MAC address authentication. (Only S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S6720-LI, S6720S-LI, S6720S-SI, S6720-SI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI support configuration of MAC address authentication on VLANIF interfaces.)
    • Support for Portal authentication varies by interface type: routed main interfaces (only S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI) support only Layer 3 Portal authentication; Layer 2 interfaces support only Layer 2 Portal authentication; VLANIF interfaces support both Layer 2 and Layer 3 Portal authentication.
    • The VLANIF interface corresponding to a super VLAN does not support Portal authentication.
  • In NETCONF management mode, the VLAN from which users go online cannot be changed while the users are online.
  • When wireless users access the network through APs, ensure that the APs themselves can be authenticated (for example, by adding the APs as static users) when NAC authentication is deployed for users. Otherwise, the wireless users cannot be authenticated.
  • For S6720-SI, S6720S-SI, S6720-LI, S6720S-LI, S5731-S, S5731S-S, S5720-SI, S5720S-SI, S5720I-SI, S5720-LI, S5720S-LI, and S5720SV2-LI, the priority of a traffic policy is higher than that of an authentication policy. As a result, users may be able to access the network before being authenticated.
  • NAC authentication cannot be enabled both on a Layer 2 Ethernet interface and the VLANIF interface mapping the VLAN of the Ethernet interface. Otherwise, the users have no network access rights after connecting to the network. In wireless scenarios, NAC authentication cannot be enabled both in VAP profiles and on VLANIF interfaces. In direct forwarding mode, NAC authentication cannot be enabled on VLANIF interfaces.
  • After enabling NAC on an interface, you cannot run the following commands on the interface. Similarly, after running any of the following commands on an interface, you cannot enable NAC on the interface.

    Command: mac-limit
    Function: Sets the maximum number of MAC addresses that can be learned by an interface.

    Command: mac-address learning disable
    Function: Disables MAC address learning on an interface.

    Command: port link-type dot1q-tunnel
    Function: Sets the link type of an interface to QinQ.

    Command: port vlan-mapping vlan map-vlan; port vlan-mapping vlan inner-vlan
    Function: Configures VLAN mapping on an interface.

    Command: port vlan-stacking
    Function: Configures selective QinQ.

    Command: mac-vlan enable
    Function: Enables MAC address-based VLAN assignment on an interface.

    Command: ip-subnet-vlan enable
    Function: Enables IP subnet-based VLAN assignment on an interface.

    Command: user-bind ip sticky-mac
    Function: Enables the device to generate snooping MAC entries.
    NOTE: This command conflicts with only 802.1X authentication and MAC address authentication.

  • After the encapsulation mode of packets allowed to pass through a Layer 2 sub-interface is set to default using the encapsulation command, NAC cannot be configured on the main interface of that Layer 2 sub-interface.
  • After NAC is configured on a main interface, the bridge-domain (Layer 2 sub-interface view) command cannot be executed on its Layer 2 sub-interface to associate it with a BD. Similarly, NAC cannot be configured on the main interface if the bridge-domain (Layer 2 sub-interface view) command has already been configured on its Layer 2 sub-interface to associate it with a BD.
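As an added configuration audit (example code, not a Huawei tool), the script below checks a saved VRP-style configuration against two of the precautions above: an interface that has an authentication profile applied must not also carry one of the commands in the conflict table, and NAC must not be enabled both on a Layer 2 interface and on the VLANIF interface of that interface's VLAN. It assumes the Layer 2 interface is an access port whose VLAN is given by `port default vlan`, and the sample configuration is constructed, not captured from a device.

```python
import re

# Commands the reference lists as mutually exclusive with NAC (prefix match).
NAC_CONFLICTS = ("mac-limit", "mac-address learning disable",
                 "port link-type dot1q-tunnel", "port vlan-mapping vlan",
                 "port vlan-stacking", "mac-vlan enable",
                 "ip-subnet-vlan enable", "user-bind ip sticky-mac")

def parse_interfaces(config):
    """Map interface name -> its commands, from a VRP-style config dump."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":            # block separator in VRP configs
            current = None
        elif m := re.match(r"interface\s+(\S+)$", line, re.IGNORECASE):
            current = m.group(1)
        elif line and current:
            interfaces.setdefault(current, []).append(line)
    return interfaces

def audit_nac(config):
    """Return sorted findings for the two precautions named above."""
    findings, nac_vlanifs, access_vlans = [], set(), {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("authentication-profile") for c in cmds):
            continue               # NAC not applied here; nothing to check
        for c in cmds:
            if c.startswith(NAC_CONFLICTS):
                findings.append(f"{name}: '{c}' cannot coexist with NAC")
            if pm := re.match(r"port default vlan (\d+)$", c):
                access_vlans[name] = int(pm.group(1))  # assumed access port
        if vm := re.match(r"vlanif\s*(\d+)$", name, re.IGNORECASE):
            nac_vlanifs.add(int(vm.group(1)))
    for name, vlan in access_vlans.items():
        if vlan in nac_vlanifs:
            findings.append(f"{name}: NAC is also enabled on Vlanif{vlan}; users get no access")
    return sorted(findings)

# Constructed sample configuration (not captured from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 port default vlan 10
 mac-limit maximum 20
 authentication-profile m1
#
interface Vlanif10
 authentication-profile m1
"""
print("\n".join(audit_nac(SAMPLE_CONFIG)))
```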

Example

# Apply the authentication profile m1 to VLANIF10.

<HUAWEI> system-view
[HUAWEI] authentication-profile name m1
[HUAWEI-authen-profile-m1] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] authentication-profile m1
Copyright © Huawei Technologies Co., Ltd.