
authentication mode

Function

The authentication mode command configures the user access mode.

The undo authentication mode command restores the default user access mode.

By default, the user access mode is multi-authen.

Format

authentication mode { single-terminal | single-voice-with-data | multi-share | multi-authen [ max-user max-user-number [ dot1x | mac-authen | portal | none ] * ] }

undo authentication mode [ multi-authen max-user [ dot1x | mac-authen | portal | none ] * ]

Parameters

Parameter: single-terminal
Description: Configures an interface to allow only one user to go online.
Value: -

Parameter: single-voice-with-data
Description: Configures an interface to allow only one data user and one voice user to go online. This mode applies when a data user connects to a network through a voice terminal.
Value: -

Parameter: multi-share
Description: Configures an interface to allow multiple users to go online. In this mode, the device authenticates only the first access user. If the first user passes authentication, subsequent users share the same network access rights with the first user. If the first user goes offline, other users also go offline.
Value: -

Parameter: multi-authen
Description: Configures an interface to allow multiple users to go online. In this mode, the device authenticates each access user. If users pass authentication, the users are given individual network access rights. If a user goes offline, other users will not be affected.
Value: -

Parameter: max-user max-user-number
Description: Specifies the maximum number of access users on the interface in multi-authen mode.
Value: The value is an integer and the value range varies depending on devices.

Parameter: dot1x
Description: Specifies the maximum number of 802.1X authenticated users allowed to connect to the interface in multi-authen mode.
Value: -

Parameter: mac-authen
Description: Specifies the maximum number of MAC authenticated users allowed to connect to the interface in multi-authen mode.
Value: -

Parameter: portal
Description: Specifies the maximum number of Portal authenticated users allowed to connect to the interface in multi-authen mode.
Value: -

Parameter: none
Description: Specifies the maximum number of pre-connection users allowed to connect to the interface in multi-authen mode.
Value: -

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After NAC authentication is enabled, you can configure the user access mode on an interface based on how users access the network through that interface.
  • single-terminal: applies when only one data terminal is connected to the network through the interface.
  • single-voice-with-data: applies when only one data terminal is connected to the network on the interface through a voice terminal.
  • multi-share: applies when multiple data terminals are connected to the network on the interface and high security is not required.
  • multi-authen: applies when multiple data terminals are connected to the network on the interface and high security is required. In this access mode, you can configure the maximum number of access users based on the actual user quantity on the interface. This prevents malicious users from occupying a large amount of device resources and ensures that the users on other interfaces can normally go online.
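The access modes above differ in how much the device verifies (multi-share authenticates only the first user) and in whether a per-interface user cap is configured (max-user in multi-authen mode). The following Python script is an added example, not Huawei code or output from a real device: it parses the authentication-profile sections of a constructed configuration snippet written in the command syntax documented above and reports profiles that use multi-share or that run multi-authen without a max-user cap. The profile names, the sample configuration text, and the block-separator handling are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample configuration, modelled on the "authentication-profile name"
# and "authentication mode" syntax on this page (not captured from a device).
SAMPLE_CONFIG = """\
#
authentication-profile name p1
 authentication mode multi-authen max-user 8 dot1x mac-authen
#
authentication-profile name p2
 authentication mode multi-share
#
authentication-profile name p3
 authentication mode multi-authen
#
authentication-profile name p4
 authentication mode single-terminal
#
authentication-profile name p5
#
"""

PROFILE_RE = re.compile(r"^\s*authentication-profile name (\S+)\s*$")
MODE_RE = re.compile(
    r"^\s*authentication mode\s+"
    r"(?P<mode>single-terminal|single-voice-with-data|multi-share|multi-authen)"
    r"(?:\s+max-user\s+(?P<max>\d+)"
    r"(?P<methods>(?:\s+(?:dot1x|mac-authen|portal|none))*))?\s*$"
)


def parse_profiles(config: str) -> Dict[str, dict]:
    """Map each authentication profile to its access mode settings.

    A profile with no "authentication mode" line keeps the documented default,
    multi-authen, with no max-user value configured.
    """
    profiles: Dict[str, dict] = {}
    current = None
    for line in config.splitlines():
        if line.strip() == "#":          # assumed section separator
            current = None
            continue
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            profiles[current] = {"mode": "multi-authen", "max_user": None, "methods": []}
            continue
        if current is None:
            continue
        m = MODE_RE.match(line)
        if m:
            profiles[current]["mode"] = m.group("mode")
            profiles[current]["max_user"] = int(m.group("max")) if m.group("max") else None
            profiles[current]["methods"] = m.group("methods").split() if m.group("methods") else []
    return profiles


def audit(profiles: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Return (profile, finding) pairs for the weaker settings described on this page."""
    findings = []
    for name, p in sorted(profiles.items()):
        if p["mode"] == "multi-share":
            findings.append((name, "multi-share: only the first user is authenticated; "
                                   "later users inherit its access rights"))
        elif p["mode"] == "multi-authen" and p["max_user"] is None:
            findings.append((name, "multi-authen without max-user: no per-interface cap "
                                   "on the number of access users"))
    return findings


if __name__ == "__main__":
    for profile, finding in audit(parse_profiles(SAMPLE_CONFIG)):
        print(f"{profile}: {finding}")
```

Profile p5 is flagged even though it contains no authentication mode line, because the page states that multi-authen is the default and no cap applies until max-user is configured. Run the script against the text of display current-configuration to check every profile on a device at once.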

Precautions

  • VLANIF interfaces do not support this function.
  • This function takes effect only for wired users.
  • If the multi-share mode is configured on an Eth-Trunk of the S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, and S5720-HI, the upstream rate limit cannot be delivered to users who go online through this Eth-Trunk.
  • If, after the multi-share mode is configured on a physical interface, the first access user fails authentication and sets up a pre-connection, new access users will also fail authentication on that interface. Therefore, if the first access user may fail authentication after the multi-share mode is configured on a physical interface, the following operations are recommended:
    • Disable the pre-connection function using the undo authentication pre-authen-access enable command when 802.1X or MAC authentication is used.
    • Do not use the multi-share mode with Portal authentication.
  • In policy association scenarios, the authentication mode multi-authen max-user max-user-number command configured on an AS does not take effect. To set the maximum number of access users on an AS, run the authentication access-point max-user max-user-number command to set the maximum number of access users allowed on the interface of the access device.
  • When authentication mode is set to multi-authen in the authentication profile, to configure authorized VLANs, set the interface type to hybrid or trunk in policy association scenarios, and to hybrid in other scenarios.
  • When the user access mode is set to multi-share on the S5720-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S5730-HI, and S6720-HI, the following situation may occur before MAC address learning is triggered by user packets: The display access-user command output contains user entries but the display mac-address command output does not contain user MAC address entries. The display mac-address command displays MAC address entries only after MAC address learning is triggered by user packets.
  • If the user access mode is multi-share, authorization redirection ACLs or authorized voice VLANs are not supported.
  • If the user access mode is set to multi-share, authorization based on an ISP VLAN is not supported.
  • If the user access mode is set to multi-share, authorization based on the HW-Forwarding-Interface attribute is not supported.

Example

# In the authentication profile p1, set the user access mode to multi-authen.

<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication mode multi-authen
Copyright © Huawei Technologies Co., Ltd.