
authentication open ucl-policy enable

Function

The authentication open ucl-policy enable command configures a control point on which the authentication control-point open command has been configured to filter user traffic based on a user ACL before forwarding the traffic.

The undo authentication open ucl-policy enable command restores a control point on which authentication control-point open has been configured to directly forwarding user traffic, which is the default behavior.

By default, a control point where authentication control-point open has been configured directly forwards user traffic.

Only the S5720-HI, S5730-HI, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S5731-H, S5731S-H, LE1D2S04SEC0 card, LE1D2X32SEC0 card, LE1D2H02QEC0 card, and X series cards support this command.

Format

authentication open ucl-policy enable

undo authentication open ucl-policy enable

Parameters

None

Views

GE interface view, MultiGE interface view, XGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

This command is applicable to the following scenarios:

  • When only independent policy association is used, the authentication control-point open command has been configured on a control point.
  • When policy association is used in an SVF system, the authentication control-point open command is configured on a control point by default.

A control point directly forwards the following traffic: traffic from wired users who go online on an interface of the access device without authentication, traffic from users who pass NAC authentication but do not obtain the authority granted to the UCL group, and traffic from wireless users in direct forwarding mode. To enable the control point to filter this user traffic based on a user ACL, run the authentication open ucl-policy enable command.

Precautions

This command can be executed only on the control device.

  • In versions earlier than V200R012, run the traffic-filter inbound acl { acl-number | name acl-name } command on the control device to configure user ACL-based packet filtering before running the authentication open ucl-policy enable command.
  • In V200R012 and later versions, the authentication open ucl-policy enable command is optional if the traffic-filter inbound acl { acl-number | name acl-name } command has been configured on the control device to configure user ACL-based packet filtering.

    To disable user ACL-based packet filtering, run the undo traffic-filter inbound acl { acl-number | name acl-name } and undo authentication open ucl-policy enable commands.

Example

# Configure the control point GE1/0/1 where the authentication control-point open command has been configured to filter user traffic based on a user ACL before forwarding the traffic.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] authentication control-point open
[HUAWEI-GigabitEthernet1/0/1] authentication open ucl-policy enable
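
The following audit script is an added example, not part of the Huawei documentation. It scans a saved configuration for control points that have authentication control-point open configured but would still forward user traffic directly, applying the version rules from Precautions. Assumptions: the function names and the sample configuration are constructed, the configuration uses a one-space indent under each view, traffic-filter inbound acl may appear in the interface view or the system view, and in V200R012 and later either command counts as enabling filtering.

```python
import re

OPEN_CP = "authentication control-point open"
UCL_ENABLE = "authentication open ucl-policy enable"
FILTER_RE = re.compile(r"traffic-filter inbound acl (\d+|name \S+)")

# Constructed sample config (assumed layout: one-space indent under each view).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication control-point open
 authentication open ucl-policy enable
 traffic-filter inbound acl 6001
#
interface GigabitEthernet1/0/2
 authentication control-point open
#
interface GigabitEthernet1/0/3
 authentication control-point open
 traffic-filter inbound acl name ucl-guest
#
"""

def parse_views(config_text):
    """Map each interface name to its commands; '' holds system-view commands."""
    views, current = {"": []}, ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = ""                      # '#' closes the current view
        elif raw.startswith("interface "):
            current = line.split(None, 1)[1]
            views.setdefault(current, [])
        else:
            views[current if raw[0].isspace() else ""].append(line)
    return views

def audit_open_control_points(config_text, pre_v200r012=False):
    """Return open control points that still forward user traffic unfiltered."""
    views = parse_views(config_text)
    global_filter = any(FILTER_RE.match(c) for c in views.pop(""))
    findings = []
    for name, cmds in views.items():
        has_ucl = UCL_ENABLE in cmds
        has_filter = global_filter or any(FILTER_RE.match(c) for c in cmds)
        # Earlier than V200R012 both commands are needed; later, either one.
        ok = (has_ucl and has_filter) if pre_v200r012 else (has_ucl or has_filter)
        if OPEN_CP in cmds and not ok:
            findings.append((name, has_ucl, has_filter))
    return findings
```

Each finding is a tuple of interface name, whether authentication open ucl-policy enable is present, and whether a traffic-filter inbound acl applies.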
Copyright © Huawei Technologies Co., Ltd.