authentication-profile (user access profile view)

Function

The authentication-profile command binds an authentication profile to a user access profile.

The undo authentication-profile command deletes the authentication profile bound to a user access profile.

By default, no authentication profile is bound to a user access profile.

This command can only be executed on a parent switch.

Format

authentication-profile authentication-profile-name

undo authentication-profile

Parameters

Parameter: authentication-profile-name

Description: Specifies the name of an authentication profile.

Value: The value is a string of 1-31 case-sensitive characters and cannot be set to - or --. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.

Views

User access profile view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After creating a user access profile, you can bind an authentication profile to the user access profile. When the user access profile is bound to an AS port, the user access authentication mode specified in the authentication profile is automatically configured on the AS port.

NAC provides three user authentication modes: 802.1X authentication, MAC address authentication, and Portal authentication. To implement user access authentication, run the dot1x-access-profile name access-profile-name, mac-access-profile name access-profile-name, and portal-access-profile name access-profile-name commands in the system view to create an access profile, bind one or more of the three user authentication modes to the authentication profile, and then bind the authentication profile to the user access profile in an SVF system.

Precautions

  • If Portal authentication is deployed in an SVF system, you must run the web-auth-server server-name command to specify the Portal server template used in Portal authentication in the Portal access profile view. Additionally, only one Portal server template can be configured in a Portal access profile.

  • If the Portal authentication mode has been set to layer3 in the portal-access-profile bound to the authentication profile, this authentication profile cannot be bound to the user access profile. If an authentication profile has been bound to the user access profile, the Portal authentication mode cannot be set to layer3.

  • In versions earlier than V200R019C10, user access profiles must be bound to the same authentication profile at any time. In V200R019C10 and later versions, user access profiles can be bound to different authentication profiles. However, if these user access profiles are bound to ASs on the same cascade port, the authentication profiles must be the same.

  • The authentication-profile command is mutually exclusive with the mac-limit maximum max-num command and with the traffic-limit inbound { arp | dhcp } cir cir-value command. They cannot be configured together in a user access profile.

  • If many users are connected to the port to which a user access profile is bound, the authentication configuration in the profile may take some time to complete.

  • Before changing the authentication profile on the parent, run the undo authentication-profile command to delete the existing authentication profile and then run the commit as { name as-name | all } command to commit the configuration. You can then create a new authentication profile on the parent.

  • After bidirectional flow control is configured in an authentication profile using the authentication control-direction all command, this authentication profile cannot be bound to a user access profile.
  • In SVF of a version earlier than V200R019, access authentication is not supported for IPv6 users. In SVF of V200R019 or a later version, access authentication is supported for IPv6 users.
  • In V200R019 and later versions, the authentication ipv6-control enable command configured in an authentication profile can be delivered to ASs. This command can take effect only in the following situations:
    • The parent is S6720-EI, S6720S-EI, S6720-SI, or S6720S-SI, and ASs are S2720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5730-SI, S5730S-EI, S6720-EI, S6720S-EI, S6720-LI, S6720S-LI, S6720-SI, or S6720S-SI.
    • The parent is a modular switch and the parent's port to which the authentication profile is bound is not located on the ES0D0G24SA00, ES0D0G24CA00, LE0MG24CA, LE0MG24SA, LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, or X series cards, and ASs are S2720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5730-SI, S5730S-EI, S6720-EI, S6720S-EI, S6720-LI, S6720S-LI, S6720-SI, or S6720S-SI.
  • In V200R019 and later versions, the authentication single-stack-control enable command configured in an authentication profile can be delivered to ASs. This command can take effect only in the following situations:
    • The parent is S5720-HI, S5730-HI, S5731-H, S5731S-H, S5732-H, S6730-S, S6730S-S, S6720-HI, S6730S-H, or S6730-H, and ASs are S5730-HI, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6730-S, S6730S-S, S6730S-H, or S6730-H.
    • The parent is a modular switch and the parent's port to which the authentication profile is bound is located on the LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, or X series cards, and ASs are S5730-HI, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6730-S, S6730S-S, S6730S-H, or S6730-H.
  • If an interface needs to be unbound from an authentication profile and there are many users on the interface, it takes a long time to unbind the interface from the authentication profile. To shorten the time, run the authentication speed-limit max-num command to increase the rate at which a specified AS sends user disassociation request messages.

Example

# Bind an authentication profile to the user access profile.

<HUAWEI> system-view
[HUAWEI] mac-access-profile name 1
[HUAWEI-mac-access-profile-1] quit
[HUAWEI] authentication-profile name test
[HUAWEI-authen-profile-test] mac-access-profile 1
[HUAWEI-authen-profile-test] quit
[HUAWEI] uni-mng
[HUAWEI-um] user-access-profile name huawei
[HUAWEI-um-user-access-huawei] authentication-profile test
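
A pre-deployment check for three of the rules stated under Parameters and Precautions (the naming rule, the mutual exclusion with mac-limit and traffic-limit, and the ban on binding a profile that uses authentication control-direction all). This is an added example, not Huawei code: the function names are hypothetical, and the sample configuration and its indented layout are constructed for illustration.

```python
import re

FORBIDDEN = set('/\\:*?"<>|@\'%')  # symbols the page forbids in the name

def name_problem(name):
    """Return why a profile name breaks the page's naming rule, else None."""
    if not 1 <= len(name) <= 31:
        return "length must be 1-31 characters"
    if name in ("-", "--"):
        return "cannot be - or --"
    if any(c.isspace() or c in FORBIDDEN for c in name):
        return "contains a space or forbidden symbol"
    return None

def lint(config):
    """Return findings for precautions that can be checked from config text."""
    auth, uaps, current = {}, {}, None  # profile name -> list of its lines
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"authentication-profile name (.+)$", line):
            current = auth.setdefault(m.group(1), [])
        elif m := re.match(r"user-access-profile name (.+)$", line):
            current = uaps.setdefault(m.group(1), [])
        elif line in ("", "#"):
            current = None          # stanza separator
        elif current is not None:
            current.append(line)
    findings = [f"authentication-profile {n!r}: {p}"
                for n in auth if (p := name_problem(n))]
    for uap, lines in uaps.items():
        # Names of authentication profiles bound inside this user access profile.
        bound = [l.split()[1] for l in lines if l.startswith("authentication-profile ")]
        for l in (lines if bound else []):
            if re.match(r"mac-limit maximum |traffic-limit inbound (arp|dhcp) cir ", l):
                findings.append(f"{uap}: '{l}' conflicts with authentication-profile")
        for ap in bound:
            if "authentication control-direction all" in auth.get(ap, []):
                findings.append(f"{uap}: bound profile {ap} uses control-direction all")
    return findings

# Constructed sample; the indented layout is an assumption, not device output.
SAMPLE = """\
authentication-profile name test
 mac-access-profile 1
 authentication control-direction all
#
uni-mng
 user-access-profile name huawei
  authentication-profile test
  mac-limit maximum 10
"""
```

Calling lint(SAMPLE) reports both problems in the huawei profile; the other precautions depend on device models, software versions, or port topology and are not covered.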
Copyright © Huawei Technologies Co., Ltd.