
Licensing Requirements and Limitations for NAC Unified Mode

Involved Network Element

Table 1 Components involved in NAC networking

  • Role: AAA server
    Product model: Huawei server or third-party AAA server
    Description: Performs authentication, accounting, and authorization for users.
  • Role: Portal server
    Product model: Huawei server or third-party Portal server
    Description: Receives authentication requests from Portal clients, provides free portal services and the web authentication page, and exchanges client authentication information with access devices. This component is required only in external Portal authentication mode.

Version requirements for Huawei components:
  • When Huawei's Agile Controller-Campus functions as a server, its version must be V100R001, V100R002, or V100R003.
  • When Huawei's iMaster NCE-Campus functions as a server, its version must be V300R019C10.
  • When a Huawei switch functions as a DHCP server and assigns IP addresses to terminals based on the static MAC-IP bindings delivered by the Agile Controller-Campus, the switch must run V200R009C00 or a later version, and the Agile Controller-Campus must run V100R002 or V100R003.

Licensing Requirements

NAC unified mode is a basic feature of a switch and is not under license control.

Feature Support in V200R019C10

All models of S2720, S5700, and S6700 series switches support NAC unified mode.

For details about software mappings, visit Hardware Query Tool and search for the desired product model.

Feature Limitations

Limitations related to NAC modes:
  • Compared with the common mode, the unified mode uses a modular configuration, which makes the configuration clearer and the configuration model easier to understand. Given these advantages, you are advised to deploy NAC in unified mode.
  • Starting from V200R005C00, the default NAC mode changes from common mode to unified mode. Therefore, if the system software of a switch is upgraded from a version earlier than V200R005C00 to V200R005C00 or a later version, the switch automatically runs the undo authentication unified-mode command to configure the NAC mode to common mode.
  • For versions before V200R007C00, after the common mode and unified mode are switched, you must save the configuration file and restart the device manually to make the new configuration mode take effect. For V200R007C00 and later versions, after the common mode and unified mode are switched, the device will automatically save the configuration file and restart.
  • In V200R008C00, some NAC commands do not differentiate the common and unified modes. Their formats and views remain unchanged after being switched from one mode to the other. After devices are switched from the common mode in V200R008C00 or later versions to the unified mode in V200R009C00 or later versions, these NAC commands are switched to the unified mode.
  • In the unified mode, the commands supported only in the common mode are unavailable; in the common mode, the commands supported only in the unified mode are unavailable. After the configuration mode is switched, the commands supported by both modes still take effect.
  • The NAC common mode does not apply to wireless users. To use NAC to control wireless user access, switch the NAC mode to unified mode.
Limitations related to authentication:
  • In the 802.1X authentication scenario, if there is a Layer 2 switch between the 802.1X-enabled device and users, the function of transparently transmitting 802.1X authentication packets must be enabled on the Layer 2 switch. Otherwise, users cannot be authenticated.
  • In the Portal authentication scenario, users may use spoofed IP addresses for authentication, which brings security risks. It is recommended that you configure attack defense functions such as IPSG and DHCP snooping to avoid the security risks.
  • In versions earlier than V200R012C00, wired MAC address-prioritized Portal authentication was not supported.
  • In versions earlier than V200R012C00, Layer 2 Portal authentication was not supported on non-gateway devices.
  • If the S2720-EI (V200R009C00 and V200R010C00), S2750-EI, S5700-10P-LI-AC, or S5700-10P-PWR-LI-AC functions as a Layer 3 gateway and NAC is enabled on physical interfaces configured with Layer 3 services, you must run the command assign forward-mode ipv4-hardware to enable Layer 3 hardware forwarding for IPv4 packets.
  • The switch supports 802.1X authentication, MAC address authentication, and external Portal authentication for users in a VPN (HTTP/HTTPS-based Portal authentication is supported in V200R013C00 and later versions). Built-in Portal authentication is not supported, and users in different VPNs but with the same IP address cannot be authenticated.
  • NAC authentication cannot be enabled both on a Layer 2 Ethernet interface and the VLANIF interface of the VLAN to which the Layer 2 Ethernet interface belongs. In versions earlier than V200R009C00 (that is, before NAC unified mode modular configuration is supported), it is recommended that you do not configure authentication-related parameters on a Layer 2 Ethernet interface and the VLANIF interface of the VLAN to which the Layer 2 Ethernet interface belongs, respectively.
  • After a switch that originally runs a version earlier than V200R19C00SPC500 and works in cloud-based management mode is upgraded to V200R19C00SPC500 or a later version, the VLAN to which online users belong cannot be changed.
  • In V200R005, when NAC is configured on the main interface, service functions on its sub-interface are affected.
  • In versions earlier than V200R007C00, the switch can directly process protocol packets sent to it before a user is successfully authenticated, and no authentication-free rule is required. In versions ranging from V200R007C00 to V200R011C10, an authentication-free rule must be configured when DNS protocol packets are sent to the S5720-HI for processing.

  • Static MAC address entries have a higher priority than authentication. If a static MAC address entry is configured for a user, the user can obtain network access rights without authentication. In this case, you need to delete the static MAC address entry of the user.
  • To enable an unauthenticated user to manage the lower-layer devices of the authentication device, run the free-rule command to configure an authentication-free rule for the management VLAN.
  • When a switch has non-Huawei ACs and APs connected (APs and wireless users are associated with the AC) and wired Portal authentication is performed for wireless users, it is recommended that STAs go online on S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S, and the URL configured using the url-parameter command in template view cannot carry the AC's CAPWAP gateway address (ac-mac ac-mac-value), AC's MAC address (ac-ip ac-ip-value), AP's IP address (ap-ip ap-ip-value), AP's MAC address (ap-mac ap-mac-value), or SSID associated by STAs (ssid ssid-value).
  • In versions earlier than V200R010C00, the switch does not support the wired HTTPS redirection function. That is, when a wired Portal authentication user accesses a website using HTTPS, redirection cannot be triggered and Portal authentication cannot be performed. In V200R010C00 and later versions, the switch supports the wired HTTPS redirection function.
  • Terminals using MAC address authentication do not support switching between IPv4 and IPv6. To ensure that a terminal can normally obtain an IP address after passing the authentication, you are advised to enable either IPv4 or IPv6 on the terminal.
  • If a terminal has both IPv4 and IPv6 addresses, only the IPv4 address can be used for user detection and update of the user entry corresponding to the IPv6 address. The IPv6 address cannot be used for update of the user entry corresponding to the IPv4 address.
  • On the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S, you must configure a terminal with one MAC address and multiple IP addresses as a static user and enable the function of identifying static users through IP addresses so that the terminal can go online and obtain authorization information. Models excluding the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S do not support authentication for terminals with one MAC address and multiple IP addresses.
  • When a switch functions as an AC and a large number of APs and STAs are connected to the switch, you are advised to configure the interface (through which STAs are brought online) connecting the switch to APs as an Eth-Trunk and ensure that the Eth-Trunk has multiple member interfaces.
  • In V200R013 and earlier versions, authentication of IPv6 users is not supported in the policy association or SVF scenario.
  • If authentication triggered by any packet is not configured, the ARP packets with the source IP address being 0.0.0.0 cannot trigger MAC address authentication.
  • When an authentication point is deployed on the X series cards, only the X1E, X2E, X2H, X5H, and X6H cards support ACL authorization for IPv6 users, and other X series cards do not support ACL authorization for IPv6 users.
  • When the device connects to a ClearPass or ISE server for MAC address authentication, set service-type to 10 and calling-station-id to a value in the format XX-XX-XX-XX-XX-XX-XX in the RADIUS server template on the device.
  • In the centralized SVF scenario, in versions earlier than V200R019C10, user access profiles must be bound to the same authentication profile at any time. In V200R019C10 and later versions, user access profiles can be bound to different authentication profiles. However, if these user access profiles are bound to ASs on the same cascade port, the authentication profiles must be the same.
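As an added illustration of two of the restrictions above (NAC authentication enabled on both a Layer 2 interface and the VLANIF of its VLAN, and a static MAC address entry that lets a host bypass authentication), the following Python script lints a constructed VRP-style configuration for both conditions before it is deployed. It is not switch code or Huawei tooling; the command syntax it parses is an assumption modelled on common VRP configurations, and the sample configuration is constructed for this example.

```python
"""Lint a VRP-style switch configuration for two NAC pitfalls:
(1) an authentication profile bound both to a Layer 2 interface and to
    the VLANIF of that interface's VLAN;
(2) a static MAC address entry on an authentication-enabled interface,
    which grants the host network access without authentication.
The command syntax below is an assumption based on common Huawei VRP
configurations; adjust the patterns to match your device's output."""
import re
from typing import Dict, List

# Constructed sample configuration (not from the page) containing both pitfalls.
SAMPLE_CONFIG = """\
mac-address static 0001-0002-0003 GigabitEthernet0/0/1 vlan 10
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 authentication-profile p1
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
 authentication-profile p1
#
interface Vlanif10
 ip address 10.1.10.1 255.255.255.0
 authentication-profile p1
#
interface Vlanif20
 ip address 10.1.20.1 255.255.255.0
#
"""


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Return {interface_name: {"vlan": default VLAN or None, "auth": bool}}."""
    interfaces: Dict[str, dict] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"vlan": None, "auth": False}
        elif line.strip() == "#":          # block separator ends the interface view
            current = None
        elif current is not None:
            stripped = line.strip()
            m = re.match(r"port default vlan (\d+)$", stripped)
            if m:
                interfaces[current]["vlan"] = m.group(1)
            elif stripped.startswith("authentication-profile "):
                interfaces[current]["auth"] = True
    return interfaces


def find_nac_conflicts(config: str) -> List[str]:
    """Return a human-readable finding for each pitfall present in config."""
    findings: List[str] = []
    ifaces = parse_interfaces(config)
    # Pitfall 1: NAC on a Layer 2 interface and on the VLANIF of its VLAN.
    for name, info in ifaces.items():
        if name.startswith("Vlanif") or not info["auth"] or not info["vlan"]:
            continue
        vlanif = f"Vlanif{info['vlan']}"
        if ifaces.get(vlanif, {}).get("auth"):
            findings.append(f"{name} and {vlanif} both enable NAC authentication")
    # Pitfall 2: static MAC entry on an interface where authentication is enabled.
    for m in re.finditer(r"^mac-address static (\S+) (\S+) vlan (\d+)", config, re.M):
        mac, iface, vlan = m.groups()
        if ifaces.get(iface, {}).get("auth"):
            findings.append(f"static MAC {mac} on {iface} (VLAN {vlan}) bypasses authentication")
    return findings


if __name__ == "__main__":
    for finding in find_nac_conflicts(SAMPLE_CONFIG):
        print("WARNING:", finding)
```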

Limitations related to authorization:
  • In V200R012C00 and later versions, if the ACL assigned to users who go online through S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S is not a user-defined one, the attribute of the source IP address in the ACL rule does not take effect. In all other cases, the IP address in the ACL rule is replaced with the user's IP address. In versions earlier than V200R012C00, if an ACL bound to a service scheme has defined the source IP address, only users with the same IP address as the source IP address in the ACL can match the ACL in the service scheme.
  • Authorization by the authentication server takes precedence over authorization by an authentication domain. If an attribute authorized by the authentication server conflicts with one authorized by the authentication domain, the attribute authorized by the authentication server takes effect. If the two attributes do not conflict, both take effect.

    One example is that, when user VLAN 20 is configured in service scheme A on the switch and service scheme A is bound to a user authentication domain, but the authentication server assigns VLAN 10 to authenticated users, the authenticated users are added to VLAN 10.

    Another example is that, when traffic policing is configured in service scheme B on the switch and service scheme B is bound to a user authentication domain, but the authentication server assigns VLAN 10 to authenticated users, the authenticated users are added to VLAN 10 and traffic policing also takes effect for these users.

  • It is recommended that VLAN-based authorization be configured on access devices. If VLAN-based authorization is configured on the aggregation or core device, the lower-layer devices cannot dynamically detect the authorized VLAN change and grant permissions to users in the new VLAN.
  • VLAN-based authorization is not recommended for MAC address authentication because static users (such as dumb terminals) cannot obtain IP addresses after the authorized VLAN is changed.
  • An authorized VLAN cannot be delivered to online Portal users. For MAC address-prioritized Portal authentication, the Agile Controller-Campus V1 delivers the session timeout attribute after Portal authentication succeeds so that users go offline immediately, and then delivers an authorized VLAN to users after the users pass MAC address authentication.
  • If a terminal obtains an IP address using DHCP, you need to manually trigger the DHCP process to request an IP address after VLAN-based authorization is successful or the authorized VLAN is changed through CoA packets. In V200R012C00 and later versions, the device can trigger STAs to re-apply for IP addresses by disconnecting authentication interfaces intermittently. After this function is configured, you need to run the undo radius-server authorization hw-ext-specific command bounce-port disable command on the device to enable the function, and set the value of the RADIUS attribute HW-Ext-Specific (26-238) on the authentication server to user-command=2.
  • In versions earlier than V200R011C10, if the direct forwarding mode is used, the device does not support UCL group-based authorization for wireless users.
  • In versions earlier than V200R011C10, for the S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5710-C-LI, S5710-X-LI, S5700-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5720S-SI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI, if an ACL, an upstream rate limit, and a downstream rate limit are all authorized to users, only the ACL takes effect. Starting from V200R011C10, the device supports authorization based on the DSCP values of upstream packets and downstream packets. In addition, the authorized ACL, the rate limiting values of upstream and downstream packets, and the DSCP values of upstream and downstream packets can take effect simultaneously.
  • Access interfaces do not support dynamic authorization, and deleting a VLAN will delete online users in this VLAN. Hybrid interfaces support dynamic authorization, and deleting a VLAN will not delete online users in this VLAN.
  • In V200R011C10 and later versions, authorization VLANs are supported in SVF scenarios. When authorizing VLANs, you need to run the as service-vlan authorization command on the control device to create service VLANs on an access device.
  • When a VLAN is authorized in policy association scenarios:
    • The downlink interface on the authentication access device must be a hybrid interface. The uplink interface on the authentication access device connected to the authentication control device can be a trunk or hybrid interface, but must allow packets from the authorized VLAN to pass through. If a transparent transmission device exists between the authentication access device and the authentication control device, the transparent transmission device must also allow packets from the authorized VLAN to pass through.
    • In versions earlier than V200R011C10, the downlink interface on the authentication control device connected to the authentication access device must be a hybrid interface. In V200R011C10 and later versions, the downlink interface on the authentication control device connected to the authentication access device can be a trunk or hybrid interface.
    • The packets received by an authentication-enabled interface on the authentication control device must carry VLAN tags or the VLAN assigned for authorization must be set to the default VLAN (PVID) of the interface. Otherwise, the assigned VLAN does not take effect.
  • When a user packet arriving at an interface carries a VLAN tag, the VLAN ID must be the same as the PVID of the interface, so that the server can dynamically assign a VLAN to the user.
  • In V200R013, only IPv4 ACL or IPv6 ACL authorization is supported. After a user passes authentication and then updates or switches its IP address (between IPv4 and IPv6), authorization may fail if only IPv4 ACLs or only IPv6 ACLs are configured. You are therefore advised to configure both IPv4 and IPv6 ACLs so that ACL authorization succeeds for users.
  • It is not recommended to use the MEth management interface to communicate with an authentication or authorization server. Starting from V200R013C00, for the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S, an authorization server cannot be used to authorize users if a switch communicates with the authorization server through the MEth management interface.
  • If the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S, S5720-EI, S6720-EI, or S6720S-EI is upgraded to V200R019C00 or a later version, the DSCP and 802.1p values are modified based on the authorized DSCP and 802.1p values.
Limitations in a Layer 2 BNG scenario:
  • The RADIUS server assigns Huawei extended RADIUS attribute HW-Forwarding-VLAN to MAC address authentication users who go online through the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S X series cards. Then the switch replaces the two VLAN tags carried in users' unicast or broadcast packets with an ISP VLAN tag (it cannot be the same as the outer VLAN tag), and forwards these packets from the interfaces on the X series cards.
  • Do not create VLANIF interfaces for the two VLAN tags carried in original packets. Otherwise, packet forwarding may be abnormal.
  • The switch that has MAC address authentication enabled cannot have DHCP snooping and ND snooping configured, does not support MAC address flapping, and needs to have the pre-connection function disabled using the undo authentication pre-authen-access enable command.
  • When working as a DHCPv6 client, the switch can only obtain an IPv6 address using DHCPv6. When working as a DHCPv6 server, the device can only allocate IPv6 addresses using DHCPv6 to ensure that IPv6 addresses can be managed. You need to set the M bit in RA packets sent by the device to 1, indicating stateful address allocation, that is, clients obtain IPv6 addresses through stateful protocols (for example, DHCPv6).
  • The device does not support the user VLAN authorization function. Before configuring other attributes except authorized VLANs for access users, run the authorization-modify mode modify command on the device to set the update mode of user authorization information delivered by the authorization server to modify. Otherwise, access users will go offline.
  • In L2 BNG scenarios, the multi-share mode is not supported.
Deployment suggestions:
  • The number of NAC users cannot exceed the maximum number of MAC address entries supported by the switch.
  • When Portal authentication or MAC authentication is configured on a VLANIF interface, it is not recommended that the authentication server and the terminal be on the same network segment.
Limitations related to IPv6 authentication:
  • IPv6 MAC address authentication is supported.
  • IPv6 802.1X authentication is supported.
  • For the Portal protocol, external Layer 2 IPv6 Portal authentication and MAC address-prioritized IPv6 Portal authentication are supported, and external Layer 3 IPv6 Portal authentication is not supported.
  • HTTP and HTTPS do not support IPv6 Portal authentication.
  • Huawei Agile Cloud Authentication (HACA) supports Layer 2 IPv6 Portal authentication, Layer 2 MAC address-prioritized IPv6 Portal authentication, and IPv6 ACL authorization but does not support Layer 3 IPv6 Portal authentication.
  • Built-in IPv6 Portal authentication is not supported.
  • Intra-VPN IPv6 Portal authentication is supported.
  • Interconnection with a Cisco ISE server through Central Web Authentication (CWA) is not supported.
  • The IPv6 HTTP or HTTPS redirection function is supported.
  • The IPv6 forcible URL template or URL push function is supported. In case of HTTPS packets, the IPv6 forcible URL template or URL push function must be used together with redirect ACLs.
  • IPv6 authentication-free rules are supported.
  • An IPv6 address can be configured for the Portal server, and an IPv4 address must also be specified because the device cannot exchange IPv6 Portal packets with the Portal server.
  • The IPv6 traffic statistic collection function is supported. IPv6 traffic statistics and IPv4 traffic statistics can be collected separately or together.
  • The IPv6 rate limiting function is supported.
  • The IPv6 ND detection function is supported.
  • IPv6 static users are not supported.
  • IPv6 free mobility is not supported.

    S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5710-C-LI, S5710-X-LI, S5720-LI, S5720S-LI, S5700-SI, S5720-SI, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI do not support IPv6 Portal authentication.

Other limitations:
  • In an inter-AC roaming scenario, the NAC configurations of the two ACs must be the same.
  • For wireless users, you can configure attributes for APs when the device works as an AC. In versions earlier than V200R011C10, the configurations are not delivered to APs in real time, and are delivered to APs only after you run the commit command in the WLAN view. In V200R011C10 and later versions, the switch delivers the configurations to APs every 5 seconds.
  • During LNP negotiation, NAC users cannot go online before the interface link type becomes stable. If the interface link type is negotiated again and the negotiation result changes, the online NAC users are forced to go offline.
  • For the S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5700-SI, S5710-C-LI, S5710-X-LI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, ACL-based simplified traffic policy and traffic classification rules in MQC-based traffic policy have higher priorities than rules defined in NAC configuration. If configurations in ACL-based simplified traffic policy or MQC-based traffic policy conflict with the NAC function, the device processes packets based on configurations in ACL-based simplified traffic policy and traffic behaviors in MQC-based traffic policy.
  • When an inter-card Eth-Trunk user goes online or is re-authenticated or roaming, resetting one of the cards may cause the user to go offline.
  • When a switch connects to the Agile Controller-Campus V1, MAC address-prioritized Portal authentication can still be performed after the user clicks Deregister on the login page. The user goes offline after the MAC address expires on the Agile Controller-Campus V1.

    When a switch connects to the Agile Controller-Campus V3 and MAC address-prioritized Portal authentication is performed, a user logs out after clicking Deregister on the login page. If MAC address-prioritized Portal authentication needs to be performed again, the user needs to reconnect to the network through Portal authentication.

Copyright © Huawei Technologies Co., Ltd.