
Configuring Combined Authentication

Context

On a network with diversified clients, different clients support different access authentication modes. Some clients (such as printers) support only MAC address authentication. Some hosts support 802.1X authentication because they have 802.1X client software installed. Some hosts require Portal authentication using web browsers. If all the preceding authentication modes are used on a network, they all must be configured on user access interfaces so that users can use a proper authentication mode to connect to the network.

Combined authentication can be configured using either of the following methods:
  • Enable MAC address authentication and built-in Portal authentication on a Layer 2 interface. To use 802.1X authentication and MAC address authentication together, run the dot1x mac-bypass command to enable MAC address bypass authentication on an interface.
  • Enable MAC address authentication and external Portal authentication on a VLANIF interface.
If MAC address authentication and external Portal authentication are configured simultaneously on a VLANIF interface, a user is authorized in the following way:
  1. MAC address authentication is performed first. If the user passes MAC address authentication, the user is granted the network access rights for MAC address authentication users.
  2. If Portal authentication is triggered and succeeds after a successful MAC address authentication, the user is granted the network access rights for Portal authentication users. If Portal access is terminated by the user or the device, the user's network access rights are restored to those for MAC address authentication users.

    If Portal authentication is performed for a user after a successful MAC address authentication, the user is not redirected to the authentication page and needs to enter the authentication page address.

    If MAC address-prioritized Portal authentication is used, a malicious user may use a bogus MAC address to access the network after an authorized user passes Portal authentication.
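
The authorization order on a VLANIF interface and the bogus-MAC risk noted above can be checked against session events. The following is an added example, not Huawei code or device output: the event names, tuple layout, interface names and MAC address are assumptions constructed for illustration. It replays events, tracks which rights each MAC address holds, and flags a MAC address that authenticates on a second interface while its Portal session is active.

```python
from dataclasses import dataclass

MAC_RIGHTS, PORTAL_RIGHTS = "mac", "portal"

@dataclass
class Session:
    interface: str
    rights: str

def process(events):
    """Replay (event, mac, interface) tuples; return (sessions, alerts)."""
    sessions, alerts = {}, []
    for event, mac, interface in events:
        mac = mac.lower()  # compare MAC addresses case-insensitively
        s = sessions.get(mac)
        if event == "mac_auth_ok":
            if s is None:
                sessions[mac] = Session(interface, MAC_RIGHTS)
            elif s.interface != interface and s.rights == PORTAL_RIGHTS:
                # Same MAC on another interface during an active Portal
                # session: the bogus-MAC case. Record it, keep the session.
                alerts.append((mac, s.interface, interface))
            elif s.interface != interface:
                s.interface = interface  # MAC-only session moved ports
        elif event == "portal_auth_ok":
            # Only the path described above is modelled: Portal succeeds
            # after a successful MAC address authentication.
            if s and s.rights == MAC_RIGHTS and s.interface == interface:
                s.rights = PORTAL_RIGHTS
        elif event == "portal_offline":
            # Terminated by the user or the device: restore MAC rights.
            if s and s.rights == PORTAL_RIGHTS:
                s.rights = MAC_RIGHTS
        elif event == "mac_offline":
            sessions.pop(mac, None)
    return sessions, alerts

# Constructed sample events (hypothetical names, not real device logs).
SAMPLE = [
    ("mac_auth_ok", "00E0-FC12-3456", "GE0/0/1"),
    ("portal_auth_ok", "00E0-FC12-3456", "GE0/0/1"),
    ("mac_auth_ok", "00e0-fc12-3456", "GE0/0/7"),  # same MAC, other port
    ("portal_offline", "00E0-FC12-3456", "GE0/0/1"),
]

if __name__ == "__main__":
    final_sessions, raised = process(SAMPLE)
    print(final_sessions, raised)
```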

Procedure

  • Configure 802.1X authentication according to Configuring 802.1X Authentication.

    • You must configure the MAC address-based access control mode on the interface.
    • If local Portal authentication is used in combined authentication, you cannot configure the guest VLAN, restrict VLAN, or critical VLAN in 802.1X authentication.

  • Configure MAC address authentication according to Configuring MAC Address Authentication.

    • If local Portal authentication is used in combined authentication, you cannot configure the guest VLAN in MAC address authentication.
    • After MAC address authentication is configured in combined authentication, 802.1X-based fast deployment is not supported.

  • Configure Portal authentication according to Configuring Portal Authentication.
Copyright © Huawei Technologies Co., Ltd.