
authentication trigger-condition (MAC address authentication)

Function

The authentication trigger-condition command configures the packet types that can trigger MAC address authentication.

The undo authentication trigger-condition command restores the default configuration.

By default, DHCP/ARP/DHCPv6/ND packets can trigger MAC address authentication.

Format

authentication trigger-condition { dhcp | arp | dhcpv6 | nd | any-l2-packet } *

undo authentication trigger-condition [ dhcp | arp | dhcpv6 | nd | any-l2-packet ] *

Parameters

Parameter      Description                                                        Value

dhcp           Triggers MAC address authentication through DHCP packets.          -

arp            Triggers MAC address authentication through ARP packets.           -

dhcpv6         Triggers MAC address authentication through DHCPv6 packets.        -

nd             Triggers MAC address authentication through ND packets.            -

any-l2-packet  Triggers MAC address authentication through any packets. For       -
               multicast packets, the corresponding protocol must be enabled;
               otherwise, MAC address authentication cannot be triggered.

Views

MAC access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After MAC address authentication is enabled, the device by default triggers MAC address authentication for a user when it receives DHCP/ARP/DHCPv6/ND packets from that user. Based on the user information on the actual network, the administrator can adjust the packet types that trigger MAC address authentication. For example, if all users on a network obtain IPv4 addresses dynamically, the device can be configured to trigger MAC address authentication only through DHCP packets. This prevents the device from continuously processing ARP packets as authentication triggers when unauthorized users on the network have static IPv4 addresses configured, and reduces CPU usage on the device.

If a static IPv4 address is configured for a client, MAC address authentication cannot be triggered, because the client does not exchange DHCP or ARP packets with the device. You can run the authentication trigger-condition any-l2-packet command to trigger MAC address authentication through any packets. To prevent unauthorized users from maliciously occupying user entries on the device, you are advised to configure triggering of MAC address authentication through any packets on the access device, and to run the authentication mode max-user max-user-number command in the authentication profile view to limit the number of access users allowed on an interface. The recommended value is 10.
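The configuration the usage scenario recommends, as an added example that is not part of the original page: a MAC access profile that accepts any Layer 2 packet as the trigger, combined with the per-interface user cap so that a single port cannot be filled with user entries by unauthenticated hosts. The authentication trigger-condition and authentication mode max-user commands are used as this page documents them; the profile names m2 and p1, the authentication-profile name command, the step that binds the MAC access profile into the authentication profile, and the prompt strings are assumptions about the device's configuration model rather than text from this page.

```text
# Added example (not from the original page). Profile names, the binding step
# and the prompts are assumptions; the two authentication commands are as documented above.
<HUAWEI> system-view

# MAC access profile: any Layer 2 packet from a client may trigger authentication,
# so clients with static IPv4 addresses are still authenticated.
[HUAWEI] mac-access-profile name m2
[HUAWEI-mac-access-profile-m2] authentication trigger-condition any-l2-packet
[HUAWEI-mac-access-profile-m2] quit

# Authentication profile: reference the MAC access profile (binding step assumed)
# and cap the number of access users per interface at the recommended value of 10.
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] mac-access-profile m2
[HUAWEI-authen-profile-p1] authentication mode max-user 10
[HUAWEI-authen-profile-p1] quit
```

The cap is what makes the any-l2-packet trigger safe to deploy: without it, every MAC address seen on the port, authorized or not, can consume a user entry. Where all clients obtain addresses dynamically, the narrower authentication trigger-condition dhcp setting described above is the lower-load alternative.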

Precautions

  • MAC address authentication configured on a VLANIF interface can be triggered by ARP or ND packets.

  • This function takes effect only for users who go online after it is successfully configured.

  • Note the following situation. A device is configured to trigger MAC address authentication through DHCP packets, and DHCP options are used as the user names for MAC address authentication (for the configuration of user names in MAC address authentication, see mac-authen username). If the authentication server delivers the Huawei extended RADIUS attribute HW-Forwarding-VLAN (No. 26-161) to the device, the user packet must carry double VLAN tags and the outer VLAN ID cannot be the same as the ID of HW-Forwarding-VLAN; otherwise, the delivered attribute cannot take effect.

  • Only wired users support MAC address authentication triggered by DHCP/ARP/DHCPv6/ND/any packets. For wireless users, MAC address authentication is triggered by association packets.

  • After the authentication trigger-condition { dhcp | dhcpv6 | nd } * command is run, static users cannot go online.

  • To allow BPDUs to trigger MAC address authentication, you must globally enable the function corresponding to the BPDUs. For example, to allow LLDPDUs to trigger MAC address authentication, run the lldp enable command to enable LLDP globally.

  • In a policy association scenario, MAC address authentication can be triggered only by DHCP, ARP, DHCPv6, or ND packets.

  • When MAC address authentication is performed for IP phones and the voice VLAN service is deployed, if the authentication trigger-condition any-l2-packet command is run to configure the device to trigger MAC address authentication through any packets, you need to run the authentication mac-move enable command to configure MAC address migration and the authentication mac-move detect enable command to configure the device to detect users' online status before MAC address migration.

  • When any-l2-packet is configured and 802.1X authentication is enabled on an interface, EAP packets sent from a client trigger 802.1X authentication first.

  • When MAC address authentication and 802.1X authentication are both enabled on an interface, the packets that can trigger authentication are the union of the packet types that can trigger authentication in the MAC access profile and in the 802.1X access profile. For example, assume that ARP packets cannot trigger authentication in the MAC access profile but can trigger authentication in the 802.1X access profile. If MAC address authentication and 802.1X authentication are both enabled on an interface, ARP packets can trigger MAC address authentication.

  • For the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S, when the ip-static-user enable and authentication trigger-condition any-l2-packet commands are both configured, user authentication cannot be triggered by any packets.

Example

# In the MAC access profile m1, configure the device to trigger MAC address authentication only through ARP packets.

<HUAWEI> system-view
[HUAWEI] mac-access-profile name m1
[HUAWEI-mac-access-profile-m1] authentication trigger-condition arp
Copyright © Huawei Technologies Co., Ltd.