
Configuring an Authentication Profile

Context

The device supports 802.1X, MAC address, and Portal authentication modes in NAC deployment. The access profile bound to the authentication profile determines the user authentication mode in an interface or VAP profile. For example, if you want to use MAC address authentication to control and manage users who go online using a VAP profile, bind a MAC access profile to the authentication profile applied to the VAP profile.

The device allows multiple authentication modes (multi-mode authentication) to be deployed simultaneously in an interface or VAP profile to meet various authentication requirements on the network. In this case, you need to bind multiple access profiles to an authentication profile.

Prerequisites

Access profiles have been configured.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  3. Configure the user authentication mode.

    • 802.1X authentication

      Run dot1x-access-profile access-profile-name

      An 802.1X access profile is bound to the authentication profile.

      By default, no 802.1X access profile is bound to an authentication profile.

    • MAC address authentication

      Run mac-access-profile access-profile-name

      A MAC access profile is bound to the authentication profile.

      By default, no MAC access profile is bound to an authentication profile.

    • Portal authentication

      Run portal-access-profile access-profile-name

      A Portal access profile is bound to the authentication profile.

      By default, no Portal access profile is bound to an authentication profile.

    • Multi-mode authentication

      To concurrently configure several authentication modes, you only need to bind corresponding access profiles to an authentication profile. Access profiles can be bound to the authentication profile in any sequence. The device triggers the corresponding authentication based on received authentication packets.

      You can configure MAC address bypass authentication to authenticate terminals such as printers that cannot have the 802.1X client installed. The device performs 802.1X authentication for users. If the user name request times out, the device performs MAC address authentication for these users.

      The following uses MAC address bypass authentication as an example. The configuration procedure is as follows:

      1. Run mac-access-profile access-profile-name

        A MAC access profile is bound to the authentication profile.

        By default, no MAC access profile is bound to an authentication profile.

      2. Run dot1x-access-profile access-profile-name

        An 802.1X access profile is bound to the authentication profile.

        By default, no 802.1X access profile is bound to an authentication profile.

      3. Run authentication dot1x-mac-bypass

        MAC address bypass authentication is enabled.

        By default, MAC address bypass authentication is disabled.

    When configuring multi-mode authentication, pay attention to the following points:

    • An authentication profile can be bound to at most one 802.1X access profile, one MAC access profile, and one Portal access profile.

    • After multi-mode authentication is configured, the device by default allows users to use multiple authentication modes. For example, if a user passes MAC address authentication, the user will not be redirected to the Portal authentication page when accessing a web page. However, if the user directly enters the Portal authentication website in the browser, Portal authentication can still be performed, and after it succeeds the user obtains the network access rights of a Portal authentication user. To authenticate users using only one authentication mode, run the authentication single-access command to configure the device to allow users to pass only one access authentication.

    • MAC address authentication and Portal authentication cannot be performed after 802.1X authentication succeeds.

    • 802.1X + MAC address hybrid authentication is mainly applied to scenarios where dumb terminals exist. When a gateway functions as an authentication device, 802.1X + MAC address hybrid authentication is not recommended because ARP packets sent by terminals trigger MAC address authentication first. This degrades the performance of 802.1X authentication and ARP attacks may occur. In a scenario where dumb terminals exist and a gateway functions as an authentication device, you are advised to use the following configuration mode:

      1. Ensure that dumb terminals use fixed IP addresses. You can manually configure IP addresses or bind IP addresses statically using DHCP snooping.

      2. Do not configure hybrid authentication on the gateway. Configure 802.1X authentication for users who do not use dumb terminals and configure IP address-based authentication-free rules for users who use dumb terminals.

    • In wireless access scenarios, 802.1X + Portal authentication is not supported.

  4. (Optional) Run authentication mode { single-terminal | single-voice-with-data | multi-share | multi-authen [ max-user max-user-number [ dot1x | mac-authen | portal | none ] * ] }

    The user access mode is configured, or the maximum number of access users allowed on the interface is configured when the user access mode is multi-authen.

    By default, the user access mode is multi-authen.

  5. (Optional) Run authentication ip-address in-accounting-start

    The function of carrying users' IP addresses in Accounting-Start packets is enabled.

    By default, the function of carrying users' IP addresses in Accounting-Start packets is disabled.

    This command takes effect only for 802.1X authentication and MAC address authentication users. By default, Accounting-Start packets for Portal authentication carry users' IP addresses.

  6. (Optional) Run authentication ipv6-control enable

    The network admission control function is enabled for IPv6 users.

    By default, the network admission control function is disabled for IPv6 users.

  7. (Optional) Run authentication single-stack-control { ipv4 | ipv6 } enable

    The single-stack authentication function is enabled.

    By default, the single-stack authentication function is disabled.

  8. (Optional) Run authentication mac-authen-first force

    The device is configured to forcibly perform MAC address authentication before 802.1X authentication.

    By default, the device does not forcibly perform MAC address authentication before 802.1X authentication.

  9. (Optional) Run authentication no-ip-check

    The device is disabled from creating an IP hash table for client IP addresses.

    By default, the device creates an IP hash table for client IP addresses.

  10. (Optional) Run authentication ip-conflict-check enable

    The client IP address conflict detection function is enabled.

    By default, the device detects whether client IP addresses conflict with each other.

  11. (Optional) Run authentication roam pre-authen mac-authen enable

    MAC address authentication is enabled for roaming STAs.

    By default, MAC address authentication is disabled for roaming STAs.

  12. (Optional) Run authentication no-replace dot1x [ device-type voice ]

    The device is configured not to respond to the EAP start packets sent from users who have successfully passed MAC address authentication or Portal authentication.

    By default, the device responds to the EAP start packets sent from users who have successfully passed MAC address authentication or Portal authentication.

  13. (Optional) Configure the device to handshake with users in pre-connection state and authorized users.

    1. Run authentication handshake

      The handshake function for users in pre-connection state and authorized users is enabled.

      By default, the device handshakes with users in pre-connection state and authorized users.

    2. Run authentication timer handshake-period handshake-period

      The interval at which the device handshakes with users in pre-connection state and authorized users is configured.

      By default, the interval for sending handshake packets to users in pre-connection state and authorized users is 300 seconds.

  14. (Optional) Run access-domain domain-name [ dot1x | mac-authen | portal ] * [ force ]

    A default or forcible domain is configured for users.

    By default, no default or forcible domain is configured in an authentication profile, and the global default domain (named default) is used.

    • If force is not specified, a default domain is configured. If force is specified, a forcible domain is configured. If both a default domain and a forcible domain are configured, the device authenticates users in the forcible domain.

    • If dot1x, mac-authen, or portal is not specified, the configured domain takes effect for all access authentication users using the authentication profile. If dot1x, mac-authen, or portal is specified, the configured domain takes effect only for specified users using the authentication profile.

  15. (Optional) Run link-down offline delay { delay-value | unlimited }

    The delay before users are logged out when an interface link fails is configured.

    By default, users are logged out 10 seconds after an interface link fails.

    When the user logout delay is set to 0, users are logged out immediately upon an interface link fault. When the user logout delay is set to unlimited, users are not logged out when an interface link is faulty.

  16. (Optional) Run authentication termination-action reauthenticate

    The device is configured to re-authenticate users when the Session-Timeout value delivered by the RADIUS server expires.

    By default, the device does not re-authenticate users when the Session-Timeout value delivered by the RADIUS server expires.

  17. (Optional) Run authentication control-direction { all | inbound }

    The direction of traffic controlled by the device is configured.

    By default, the device controls only the upstream traffic.

  18. (Optional) Run authentication order mac dot1x

    MAC address authentication is configured to take precedence over 802.1X authentication when the device receives EAP-Start packets.

    By default, the sequence of authentication modes triggered by EAP-Start packets is not configured.

  19. (Optional) Run authentication arp-reply trigger

    The function of triggering authentication by ARP response packets is enabled.

    By default, the function of triggering authentication by ARP response packets is enabled.

  20. (Optional) Run authentication { update-info-accounting | update-ip-accounting } * enable

    The device is configured to send accounting packets when terminal information or IP addresses are updated.

    By default, the device sends accounting packets when terminal information or IP addresses are updated.
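The following is an added worked example that strings the steps above together; it is not taken from the original page. It builds one authentication profile for MAC address bypass authentication (802.1X first, MAC address authentication as the fallback when the user name request times out), restricts each user to a single access authentication, and sets a forcible domain, the handshake interval, and the link-down logout delay. The profile and domain names (auth-p1, d1x-p1, mac-p1, corp.example), the numeric values, and the prompt strings are assumed placeholders; the two access profiles are assumed to exist already, as the prerequisites require.

```text
<HUAWEI> system-view
[HUAWEI] authentication-profile name auth-p1
# Bind the access profiles; binding order does not matter (step 3, multi-mode authentication).
[HUAWEI-authen-profile-auth-p1] mac-access-profile mac-p1
[HUAWEI-authen-profile-auth-p1] dot1x-access-profile d1x-p1
# 802.1X runs first; MAC address authentication is used only if the user name request times out.
[HUAWEI-authen-profile-auth-p1] authentication dot1x-mac-bypass
# A user may pass only one access authentication (no MAC-then-Portal escalation).
[HUAWEI-authen-profile-auth-p1] authentication single-access
# Step 4: allow several authenticated users on the interface, capped at 20 (assumed value).
[HUAWEI-authen-profile-auth-p1] authentication mode multi-authen max-user 20
# Step 14: authenticate every user of this profile in the forcible domain corp.example (assumed name).
[HUAWEI-authen-profile-auth-p1] access-domain corp.example force
# Step 13: keep the default handshake on, but shorten the interval from 300 s to 120 s (assumed value).
[HUAWEI-authen-profile-auth-p1] authentication handshake
[HUAWEI-authen-profile-auth-p1] authentication timer handshake-period 120
# Step 15: wait 30 s (assumed value) before logging users out after a link fault.
[HUAWEI-authen-profile-auth-p1] link-down offline delay 30
# Step 16: re-authenticate instead of dropping users when the RADIUS Session-Timeout expires.
[HUAWEI-authen-profile-auth-p1] authentication termination-action reauthenticate
[HUAWEI-authen-profile-auth-p1] quit
```

The profile still has to be applied to an interface or VAP profile before it takes effect; that binding step is outside this procedure. With authentication single-access in place, a printer that passed MAC address authentication cannot additionally pass Portal authentication and acquire a Portal user's access rights, which is the behaviour the multi-mode notes above describe as the default when single-access is absent.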

Copyright © Huawei Technologies Co., Ltd.