
Configuring Authentication Access Devices

Context

To enforce strong policies on large campus networks without making the policies more complex, deploy policy association, in which authentication access devices only implement user access policies. To implement policy association, configure the policy association function on the authentication access devices.

Procedure

  1. Establish CAPWAP tunnels.

    Authentication control devices and authentication access devices connect to each other over CAPWAP tunnels. They also use these tunnels to complete user association, transmit messages, deliver user authorization policies, and synchronize user information.

    1. Run system-view

      The system view is displayed.

    2. Create the management VLAN of the CAPWAP tunnels and configure the IP address of the mapping VLANIF interface.

      The management VLAN of the CAPWAP tunnel cannot be the same as the management VLAN or PnP VLAN of the switches managed by iMaster NCE-Campus.

      In policy association, the management VLAN of a CAPWAP tunnel connects authentication access devices to the network. Perform only basic configurations in the management VLAN and its VLANIF interface; other service configurations there may prevent authentication access devices from connecting to the network.

      1. Run vlan batch vlan-id

        A management VLAN is created.

      2. Run interface vlanif vlan-id

        A VLANIF interface is created and the VLANIF interface view is displayed.

      3. Run ip address ip-address { mask | mask-length } or ip address dhcp-alloc

        The IP address of the VLANIF interface is statically configured or the DHCP client function is enabled on the VLANIF interface.

      4. Run quit

        Return to the system view.

    3. Run as access interface vlanif vlan-id

      The source interface for a CAPWAP tunnel is specified on the authentication access device.

      By default, the source interface is not specified for a CAPWAP tunnel on an authentication access device.

      The management VLAN ID is the VLAN ID of the VLANIF interface specified as the source interface.

    4. Run as access controller ip-address ip-address

      The IP address of the authentication control device is specified on the authentication access device.

      By default, the IP address of the authentication control device is not specified on an authentication access device.

      This step is mandatory when an IP address is statically configured for the VLANIF interface mapping the management VLAN. When a DHCP server assigns an IP address to the VLANIF interface mapping the management VLAN, configure Option 43 to notify the authentication access device of the authentication control device's IP address. For details, see DHCP Configuration in the appropriate Configuration Guide - IP Service based on the authentication access device model.

  2. Configure an interface as the access point.

    1. Run interface interface-type interface-number

      The interface view is displayed.

    2. Run authentication access-point [ open ]

      The remote access control function is enabled on the interface of the authentication access device.

      By default, the remote access control function is disabled on an interface of an authentication access device.

      To have the authentication control device, rather than the authentication access device, perform right control, disable right control on the access point of the authentication access device by specifying the open parameter.

      The authentication access-point open command must be run together with the authentication access-point command; otherwise, the authentication access-point open command does not take effect.

    3. (Optional) Run authentication access-point max-user max-user-number

      The maximum number of access users allowed on the interface of the authentication access device is set.

      By default, an authentication access device does not limit the maximum number of users who are allowed to log in through its interfaces.

    4. Run quit

      Return to the system view.

  3. If the AS is a stack, run stack timer mac-address switch-delay 0

    The stack is configured not to change the system MAC address.

    If the AS is a stack and changes its system MAC address under some abnormal circumstances, the MAC address in the AS authentication entries on the parent no longer matches the new system MAC address. As a result, users connected to the AS cannot be authenticated and fail to go online. In addition, if the stack is configured to change the system MAC address, the AS may go offline and then online again upon an active/standby switchover in the stack, and the services of users connected to the AS are unavailable until the AS is online again. Therefore, you are advised to run this command to configure the stack not to change the system MAC address.

  4. Configure extended functions and optional parameters.

    • Run authentication speed-limit max-num max-num-value interval interval-value

      The rate limit is configured for user association and disassociation request messages sent from the authentication access device.

      By default, an authentication access device sends a maximum of 60 user association and disassociation request messages within 30 seconds.

    • Run user-detect { interval interval-value | retry retry-value } *

      The online user detection function is enabled, and the detection interval and number of packet retransmission attempts are configured.

      By default, the online user detection function is enabled, the detection interval is 15 seconds, and the number of packet retransmission attempts is 3.

    • Run user-sync interval interval-value

      The device is configured to periodically synchronize online user information to the authentication control device.

      By default, user synchronization is enabled and the synchronization interval is 60 seconds.

      The user synchronization function must be enabled on both the authentication access devices and the authentication control devices for it to work properly. In addition, the synchronization interval configured on the authentication access devices must be shorter than or equal to the interval configured on the authentication control devices; otherwise, users may be disconnected because of synchronization mismatches.

    • Run control-down offline delay { delay-value | unlimited }

      The user logout delay after a CAPWAP tunnel fault is configured on the authentication access device.

      By default, no user logout delay is configured on the authentication access device, so users on the device go offline immediately when the CAPWAP tunnel becomes faulty.

    • Configure the alarm function for the access limit on associated users.

      • Run authentication associate alarm-restrain enable

        The authentication access device is enabled to suppress alarms that are generated due to excess associated users.

        By default, an authentication access device is enabled to suppress alarms that are generated due to excess associated users.

      • Run authentication associate alarm-restrain period period-value

        A suppression period is set for alarms that an authentication access device generates due to excess associated users.

        By default, an authentication access device suppresses such alarms for 300 seconds.
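The whole procedure above, collected into one configuration sequence as an added example that is not from the product documentation. The VLAN ID (100), the addresses (10.10.100.2/24 for the VLANIF interface, 10.10.100.1 for the authentication control device), the user-facing interface (GigabitEthernet0/0/1) and all tuning values are constructed; the example assumes VLAN 100 differs from the switch's own management and PnP VLANs, that the VLANIF address is static (so Option 43 is not used), and that the control device's user-sync interval is 60 seconds.

```text
# Added example with constructed values; not the documentation's own configuration.
system-view
# Step 1: management VLAN and VLANIF interface for the CAPWAP tunnel.
# Keep this VLAN free of other service configuration.
vlan batch 100
interface vlanif 100
 ip address 10.10.100.2 24
 quit
# Step 1 (continued): CAPWAP source interface, and the control device address
# (mandatory here because the VLANIF address is static rather than DHCP-assigned).
as access interface vlanif 100
as access controller ip-address 10.10.100.1
# Step 2: user-facing interface as the access point. "open" moves right control
# to the authentication control device and only takes effect together with
# the plain "authentication access-point" command.
interface gigabitethernet 0/0/1
 authentication access-point
 authentication access-point open
 authentication access-point max-user 64
 quit
# Step 3: only if the AS is a stack; keeps the system MAC address stable so the
# parent's AS authentication entries stay valid across a switchover.
stack timer mac-address switch-delay 0
# Step 4: optional tuning. The user-sync interval (30 s) is kept below the
# assumed 60 s interval on the control device, as the procedure requires.
authentication speed-limit max-num 60 interval 30
user-detect interval 15 retry 3
user-sync interval 30
control-down offline delay 300
authentication associate alarm-restrain enable
authentication associate alarm-restrain period 300
```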

Copyright © Huawei Technologies Co., Ltd.