
authentication control-direction

Function

The authentication control-direction command configures the direction of traffic controlled by the device.

By default, the device only controls the upstream traffic.

Format

authentication control-direction { all | inbound }

Parameters

Parameter | Description                               | Value
--------- | ----------------------------------------- | -----
all       | Configures bidirectional traffic control. | -
inbound   | Controls only the upstream traffic.       | -

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the access authentication device discards all the traffic sent from users who fail 802.1x authentication or MAC address authentication. However, these users can still receive packets that network devices broadcast to successfully authenticated users in the same VLAN. To prevent users who fail authentication from receiving these broadcast packets, run the authentication control-direction all command to configure bidirectional traffic control. To restore the default setting, run the authentication control-direction inbound command so that the device only controls the traffic sent from users who fail authentication.

Precaution

  • This function applies only to 802.1x authentication and MAC address authentication.

  • This function takes effect only when an access switch functions as the authentication device and an interface of the switch is connected to only one IP phone or PC.

  • This function does not take effect when users have pre-connection entries or authentication event entries. You are advised to run the undo authentication pre-authen-access enable command to disable the function of keeping users who fail to be authenticated and have no network access rights in the pre-connection state, and not to run the authentication event command to configure the device to assign network access rights to users in each phase before authentication succeeds.

  • When there are both successfully authenticated users and users who fail to be authenticated on the same interface in the same VLAN, bidirectional traffic control does not take effect on this interface.

  • Layer 3 interfaces do not support bidirectional traffic control.

  • You are advised to run the stp edged-port enable command to configure the interface on which the function is applied as an edge port. The interface can be added to a maximum of four VLANs.

  • The SVF and policy association scenarios do not support this function.

  • WLAN scenarios do not support this function.

  • When this function is configured, the recommended STP mode is VBST. If the STP mode is changed after users go online, traffic will be interrupted for a short time. If the STP mode is set to MSTP or STP, run the instance command to map VLANs to different spanning tree instances (MSTIs).

  • A user VLAN cannot be specified as an RRPP or ERPS control VLAN.

  • For the S5720-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S5730-HI, and S6720-HI, after bidirectional traffic control is configured using the authentication control-direction all command, authentication can still be triggered even if a loop occurs on the downstream interface.
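The following Python model is an added illustration of the forwarding rules described in the Usage Scenario and in the precaution about mixed authenticated and failed users on one interface; it is not Huawei code and does not model pre-connection or authentication event entries. The Port class, MAC addresses and the "upstream"/"downstream" labels are constructed for this example; "downstream" here means the VLAN broadcast traffic the page discusses.

```python
from dataclasses import dataclass

# Constructed model of the behaviour this page describes; not device code.
# Direction is seen from the switch: "upstream" is traffic the user sends,
# "downstream" is VLAN broadcast traffic the network sends towards the user.

@dataclass(frozen=True)
class Port:
    control_direction: str          # "inbound" (default) or "all"
    authenticated_users: frozenset  # MACs that passed 802.1x / MAC auth
    failed_users: frozenset         # MACs that failed authentication
    vlan: int

def bidirectional_control_active(port: Port) -> bool:
    """Precaution: when both authenticated and failed users sit on the same
    interface in the same VLAN, bidirectional control does not take effect."""
    if port.control_direction != "all":
        return False
    return not (port.authenticated_users and port.failed_users)

def forward(port: Port, mac: str, direction: str) -> bool:
    """Return True if traffic from/to `mac` in `direction` is forwarded."""
    if mac in port.authenticated_users:
        return True                      # authenticated users are unrestricted
    if mac not in port.failed_users:
        raise ValueError(f"unknown user {mac}")  # pre-connection etc. not modelled
    if direction == "upstream":
        return False                     # failed users' own traffic is always dropped
    if direction == "downstream":
        # default (inbound): failed users still receive VLAN broadcast;
        # with "all" in effect, downstream broadcast is blocked as well
        return not bidirectional_control_active(port)
    raise ValueError(f"unknown direction {direction}")

def failed_users_receiving_broadcast(port: Port) -> set:
    """Defender's check: failed users on this port that still see VLAN broadcast."""
    return {mac for mac in port.failed_users if forward(port, mac, "downstream")}
```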

Example

# Configure bidirectional traffic control in the authentication profile authen1.

<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication control-direction all
Copyright © Huawei Technologies Co., Ltd.