< Home

(Optional) Configuring Voice Terminals to Go Online Without Authentication

Context

In a scenario in which both data terminals (such as PCs) and voice terminals (such as IP phones) connect to an access switch, the administrator only requires identity authentication for the data terminals and allows the voice terminals to connect to the network without identity authentication. The administrator can configure authentication-free authorization information for the voice terminals after completing the NAC configuration. The switch then performs identity authentication for only the data terminals and allows the voice terminals to go online without authentication.

If an 802.1X user initiates authentication through a voice terminal, a device preferentially processes the authentication request. If the authentication succeeds, the terminal obtains the corresponding network access rights. If the authentication fails, the device identifies the terminal type and enables the terminal to go online without authentication.

Pre-configuration Tasks

To enable the switches to identify the voice terminals, enable LLDP or configure OUI for the voice VLAN on the switches. For details, see "Configuring Basic LLDP Functions" in "LLDP Configuration" in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Network Management and Monitoring or "Configuring a Voice VLAN Based on a MAC Address" in "Voice VLAN Configuration" in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Ethernet Switching. If a voice device supports only CDP but does not support LLDP, configure CDP-compatible LLDP on the switch using lldp compliance cdp receive command.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure authorization parameters.

    • Service scheme

      1. Run aaa

        The AAA view is displayed.

      2. Run service-scheme service-scheme-name

        A service scheme is created and the service scheme view is displayed.

        By default, no service scheme is configured on the device.

      3. Run acl-id [ ipv6 ] acl-number

        An ACL is bound to the service scheme.

        By default, no ACL is bound to a service scheme.

        S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S5731-H, S5731S-H, S5731-S, S5731S-S, S5730-HI, S2720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI do not support the ipv6 parameter.

        Before running this command, ensure that an ACL has been created using the acl or acl name command, and ACL rules have been configured using the rule command.

        The priorities of the following access policies are in descending order:

        ACL number delivered by the RADIUS server > ACL number configured on the local device > ACL rule or DACL group delivered by the RADIUS server through the attribute HW-Data-Filter numbered 26-82 > User group delivered by the RADIUS server > User group configured on the local device > UCL group delivered by the RADIUS server > UCL group configured on the local device

      4. Run ucl-group { group-index | name group-name }

        A UCL group is bound to the service scheme.

        By default, no UCL group is bound to a service scheme.

        Before running this command, ensure that a UCL group that identifies the user category has been created and configured.

      5. Run user-vlan vlan-id

        A user VLAN is configured in the service scheme.

        By default, no user VLAN is configured in a service scheme.

        Before running this command, ensure that a VLAN has been created using the vlan command.

      6. Run voice-vlan

        The voice VLAN function is enabled in the service scheme.

        By default, the voice VLAN function is disabled in a service scheme.

        To make this configuration take effect, ensure that a VLAN has been specified as the voice VLAN using the voice-vlan enable command and the voice VLAN function has been enabled on the interface.

      7. Run sac-profile profile-name

        The SAC profile is bound to the service scheme.

        By default, no SAC profile is bound to a service scheme.

        Layer 3 Portal authentication does not support this command.

        The device supports only local authorization based on an SA profile. In wireless scenarios, the direct forwarding mode does not support local authorization based on an SAC profile.

        When a static UCL group having an IP address with a non-32-bit mask is also configured, this static UCL group does not take effect.

        When the sac-profile profile-name and traffic-remark inbound acl command are configured together, the traffic-remark inbound acl command takes effect.

        Only the S5731-S, S5731S-S, S5731-H, and S5731S-Hsupports this command.

      8. Run qos-profile profile-name

        A QoS profile is bound to the service scheme.

        By default, no QoS profile is bound to a service scheme.

        The QoS profile is supported only by the S5720-EI, S5720-HI, S5730-HI, S5731-H,?S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI, and the user-queue command is supported only by the S5720-HI.

        Before running this command, ensure that a QoS profile has been configured. The procedure for configuring a QoS profile is as follows:

        1. In the system view, run qos-profile name profile-name

          A QoS profile is created and the QoS profile view is displayed.

        2. Configure traffic policing, packet processing priority, and user queue in the QoS profile view. (Among all parameters in the QoS profile bound to the service scheme, only the parameters configured using the following commands take effect.)
          • Run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] { inbound | outbound }

            Traffic policing is configured in the QoS profile.

            By default, traffic policing is not configured in a QoS profile.

          • Run remark dscp dscp-value { inbound | outbound }

            The action of re-marking DSCP priorities of IP packets is configured in the QoS profile.

            By default, the action of re-marking DSCP priorities of IP packets is not configured in a QoS profile.

          • Run remark 8021p 8021p-value

            The action of re-marking 802.1p priorities of VLAN packets is configured in the QoS profile.

            By default, the action of re-marking 802.1p priorities of VLAN packets is not configured in a QoS profile.

      9. Run quit

        Return to the AAA view.

      10. Run quit

        Return to the system view.

      11. Run traffic-remark inbound acl ucl-acl local-precedence local-precedence-value

        The device is configured to re-mark packets based on a user ACL.

  3. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  4. Run authentication device-type voice authorize [ service-scheme scheme-name ]

    The device is configured to allow voice terminals to go online without authentication.

    By default, the device does not allow voice terminals to go online without authentication.

    If you run this command repeatedly, the latest configuration overrides the previous ones.

Parent Topic: Configuring an Authentication Profile
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >