
Licensing Requirements and Limitations for NAC Common Mode

Involved Network Elements

Table 1 Components involved in NAC networking

Role: AAA server
Product model: Huawei server or third-party AAA server
Description: Performs authentication, accounting, and authorization for users.

Role: Portal server
Product model: Huawei server or third-party Portal server
Description: Receives authentication requests from Portal clients, provides free portal services and the web authentication page, and exchanges client authentication information with access devices. This component is required only in external Portal authentication mode.

When Huawei's Agile Controller-Campus functions as the server, its version must be V100R001, V100R002, or V100R003.

When a Huawei switch functions as a DHCP server and assigns IP addresses to terminals based on the static MAC-IP bindings delivered by the Agile Controller-Campus, the switch must run V200R009C00 or a later version, and the Agile Controller-Campus must run V100R002 or V100R003.

Licensing Requirements

NAC common mode is a basic feature of a switch and is not under license control.

Feature Support in V200R019C10

All models of S2720, S5700, and S6700 series switches support NAC common mode.

For details about software mappings, visit Hardware Query Tool and search for the desired product model.

Feature Limitations

Limitations related to NAC modes:
  • Compared with common mode, unified mode uses a modular configuration model that is clearer and easier to understand. Given these advantages, you are advised to deploy NAC in unified mode.
  • Starting from V200R005C00, the default NAC mode changes from common mode to unified mode. Therefore, when the system software of a switch is upgraded from a version earlier than V200R005C00 to V200R005C00 or later, the switch automatically runs the undo authentication unified-mode command so that it keeps running in common mode and the existing common-mode configuration remains valid.
  • In versions earlier than V200R007C00, after switching between common mode and unified mode you must save the configuration file and restart the device manually for the new mode to take effect. In V200R007C00 and later versions, the device saves the configuration file and restarts automatically after the mode is switched.
  • In V200R008C00, some NAC commands do not differentiate between common and unified mode: their formats and views remain unchanged when the mode is switched. When a device running V200R008C00 or later in common mode is switched to unified mode in V200R009C00 or later, these NAC commands are converted to their unified-mode form.
  • In unified mode, commands supported only in common mode are unavailable; in common mode, commands supported only in unified mode are unavailable. After the mode is switched, commands supported by both modes remain in effect.
  • NAC common mode does not apply to wireless users. To use NAC to control wireless user access, switch the NAC mode to unified mode.
Limitations related to authentication:
  • In the 802.1X authentication scenario, if a Layer 2 switch sits between the 802.1X-enabled device and the users, transparent transmission of 802.1X packets must be enabled on that Layer 2 switch. Otherwise, the EAPOL frames are not forwarded and users cannot be authenticated.
  • In the Portal authentication scenario, a user is identified by IP address, so a user may authenticate with a spoofed IP address, which is a security risk. Configure attack defense functions such as IPSG and DHCP snooping so that packets whose source IP address and MAC address do not match a legitimate binding are dropped.
  • If the S2720-EI (V200R009C00 and V200R010C00), S2750-EI, S5700-10P-LI-AC, or S5700-10P-PWR-LI-AC functions as a Layer 3 gateway and NAC is enabled on physical interfaces configured with Layer 3 services, you must run the assign forward-mode ipv4-hardware command to enable Layer 3 hardware forwarding for IPv4 packets.
  • NAC authentication and authentication-related parameters cannot be enabled on both a Layer 2 Ethernet interface and the VLANIF interface of the VLAN to which that Layer 2 Ethernet interface belongs.
  • The switch supports 802.1X authentication, MAC address authentication, and external Portal authentication for users in a VPN (HTTP/HTTPS-based Portal authentication is supported in V200R013C00 and later versions). Built-in Portal authentication is not supported, and users in different VPNs that share the same IP address cannot be authenticated.
  • In V200R005, when NAC is configured on a main interface, service functions on its sub-interfaces are affected.
  • Terminals using MAC address authentication cannot switch between IPv4 and IPv6 while online. To ensure that a terminal obtains an IP address normally after passing authentication, enable only one of IPv4 or IPv6 on the terminal.
  • If authentication triggered by any packet is not configured, ARP packets with source IP address 0.0.0.0 cannot trigger MAC address authentication.
  • When an authentication point is deployed on X series cards, only the X1E, X2E, X2H, X5H, and X6H cards support ACL authorization for IPv6 users; other X series cards do not.
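The first two authentication caveats above both require configuration on devices other than the authentication point itself. The following is an added example written for this page, not configuration taken from the Huawei documentation: the first part enables transparent transmission of 802.1X packets on an intermediate Layer 2 switch, and the second part enables DHCP snooping plus IPSG (with ARP checking against the same binding table) on the access switch so that a Portal user cannot authenticate with a spoofed source IP address. Interface numbers, VLAN 10, the static binding for a printer-type host with a fixed address, and the group MAC 0100-0000-0002 are assumptions; check every command against the command reference for your switch version.

```text
# Part 1: intermediate Layer 2 switch between the 802.1X authentication point and users.
# Tunnel EAPOL frames (destination MAC 0180-c200-0003) through the switch instead of
# dropping them as reserved bridge-group frames.
[L2Switch] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[L2Switch] interface gigabitethernet 0/0/1
[L2Switch-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1x enable
[L2Switch-GigabitEthernet0/0/1] quit
[L2Switch] interface gigabitethernet 0/0/24
[L2Switch-GigabitEthernet0/0/24] l2protocol-tunnel user-defined-protocol 802.1x enable
[L2Switch-GigabitEthernet0/0/24] quit

# Part 2: access switch running Portal authentication for VLAN 10.
# DHCP snooping builds the IP/MAC/VLAN/interface binding table; the uplink is the only trusted port.
[Access] dhcp enable
[Access] dhcp snooping enable
[Access] vlan 10
[Access-vlan10] dhcp snooping enable
[Access-vlan10] quit
[Access] interface gigabitethernet 0/0/24
[Access-GigabitEthernet0/0/24] dhcp snooping trusted
[Access-GigabitEthernet0/0/24] quit

# IPSG on the user-facing port: drop IP packets whose source IP and MAC do not match a binding,
# and check ARP against the same table so a host cannot poison ARP to hijack another user's session.
[Access] interface gigabitethernet 0/0/1
[Access-GigabitEthernet0/0/1] port link-type access
[Access-GigabitEthernet0/0/1] port default vlan 10
[Access-GigabitEthernet0/0/1] ip source check user-bind enable
[Access-GigabitEthernet0/0/1] ip source check user-bind check-item ip-address mac-address
[Access-GigabitEthernet0/0/1] arp anti-attack check user-bind enable
[Access-GigabitEthernet0/0/1] quit

# A host with a fixed (non-DHCP) address gets a static binding, otherwise IPSG drops its traffic.
[Access] user-bind static ip-address 10.1.10.50 mac-address 0001-0203-0405 interface gigabitethernet 0/0/2 vlan 10

# Verify that the bindings IPSG enforces are the ones you expect.
[Access] display dhcp snooping user-bind all
```

Lines starting with # are explanatory notes for the reader and are not entered on the switch. The order matters: enable DHCP snooping and mark the uplink trusted before enabling IPSG on user ports, otherwise existing DHCP clients have no binding entry and lose connectivity until they renew their lease.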
Limitations related to authorization:
  • In V200R012C00 and later versions, if the ACL assigned to users who go online through the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, or S6730S-S is not a user-defined ACL, the source IP address attribute in the ACL rule does not take effect. In all other cases, the source IP address in the ACL rule is replaced with the user's IP address. In versions earlier than V200R012C00, if an ACL bound to a service scheme defines a source IP address, only users whose IP address matches that source IP address can match the ACL in the service scheme.
  • An authorized VLAN cannot be delivered to online Portal users. For MAC address-prioritized Portal authentication, the Agile Controller-Campus V1 delivers the session timeout attribute after Portal authentication succeeds so that the user goes offline immediately, and then delivers the authorized VLAN after the user passes MAC address authentication.
  • If a terminal obtains an IP address using DHCP, the DHCP process must be triggered manually to request a new IP address after VLAN-based authorization succeeds or the authorized VLAN is changed through CoA packets. In V200R012C00 and later versions, the device can trigger STAs to re-apply for IP addresses by briefly bouncing the authentication interface. To enable this function, run the undo radius-server authorization hw-ext-specific command bounce-port disable command on the device, and set the RADIUS attribute HW-Ext-Specific (26-238) on the authentication server to user-command=2.
  • In versions earlier than V200R011C10, for the S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5710-C-LI, S5710-X-LI, S5700-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5720S-SI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI, if an ACL, an upstream rate limit, and a downstream rate limit are all authorized to a user, only the ACL takes effect. Starting from V200R011C10, the device also supports authorization of upstream and downstream DSCP values, and the authorized ACL, upstream and downstream rate limits, and upstream and downstream DSCP values can all take effect simultaneously.
  • Using the MEth management interface to communicate with an authentication or authorization server is not recommended. Starting from V200R013C00, on the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S, an authorization server cannot authorize users if the switch communicates with it through the MEth management interface.
  • After the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S, S5720-EI, S6720-EI, or S6720S-EI is upgraded to V200R019C00 or a later version, the DSCP and 802.1p values of user packets are re-marked according to the authorized DSCP and 802.1p values.
Limitations in a Layer 2 BNG scenario:
  • The RADIUS server assigns Huawei extended RADIUS attribute HW-Forwarding-VLAN to MAC address authentication users who go online through the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S X series cards. Then the switch replaces the two VLAN tags carried in users' unicast or broadcast packets with an ISP VLAN tag (it cannot be the same as the outer VLAN tag), and forwards these packets from the interfaces on the X series cards.
  • Do not create VLANIF interfaces for the two VLAN tags carried in original packets. Otherwise, packet forwarding may be abnormal.
  • The switch that has MAC address authentication enabled cannot have DHCP snooping and ND snooping configured and does not support MAC address flapping.
  • When working as a DHCPv6 client, the switch can only obtain an IPv6 address using DHCPv6. When working as a DHCPv6 server, the device can only allocate IPv6 addresses using DHCPv6 to ensure that IPv6 addresses can be managed. You need to set the M bit in RA packets sent by the device to 1, indicating stateful address allocation, that is, clients obtain IPv6 addresses through stateful protocols (for example, DHCPv6).
  • The device does not support the user VLAN authorization function. Before configuring other attributes except authorized VLANs for access users, run the authorization-modify mode modify command on the device to set the update mode of user authorization information delivered by the authorization server to modify. Otherwise, access users will go offline.
Other limitations:
  • The number of NAC users cannot exceed the maximum number of MAC address entries supported by the switch.
  • During LNP negotiation, NAC users cannot go online until the interface link type becomes stable. If the link type is renegotiated and the result changes, online NAC users are forced offline.
  • For the S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5700-SI, S5710-C-LI, S5710-X-LI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, ACL-based simplified traffic policies and traffic classification rules in MQC-based traffic policies have higher priority than rules defined by the NAC configuration. If an ACL-based simplified traffic policy or MQC-based traffic policy conflicts with the NAC function, the device processes packets according to the simplified traffic policy or the traffic behavior in the MQC-based traffic policy, not the NAC rule; check these policies when an authorized ACL appears not to take effect.
Copyright © Huawei Technologies Co., Ltd.