
Configuring Authentication Control Devices

Context

To enforce strong policies without increasing policy complexity on large campus networks, deploy policy association, which lets authentication control devices authenticate users and control access policies centrally. To implement policy association, configure the policy association function on the authentication control devices.

Procedure

  1. Establish CAPWAP tunnels.

    Authentication control devices and authentication access devices use CAPWAP tunnels to establish connections. In addition, authentication control devices and authentication access devices use CAPWAP tunnels to complete user association, transmit messages, deliver user authorization policies, and synchronize user information.

    1. Create a management VLAN.

      The management VLAN of the CAPWAP tunnel cannot be the same as the management VLAN or PnP VLAN of the switches managed by iMaster NCE-Campus.

      In policy association, the management VLAN of a CAPWAP tunnel connects authentication access devices to the network. Do not perform service configurations other than the basic ones on the management VLAN and its VLANIF interface; otherwise, authentication access devices may fail to connect to the network.

      1. Run the system-view command to enter the system view.

      2. Run the vlan batch vlan-id command to create a management VLAN.

      3. Run the interface vlanif vlan-id command to create a VLANIF interface and enter the VLANIF interface view.

      4. Run the ip address ip-address { mask | mask-length } command to configure an IP address for the VLANIF interface.

      5. Run the quit command to return to the system view.

    2. Specify the source interface of the CAPWAP tunnel.

      A VLANIF or loopback interface on the device can function as the source interface of the CAPWAP tunnel.
      • VLANIF interface: applies to the scenario where all the authentication access devices that associate with the authentication control device belong to the same management VLAN.
      • Loopback interface: applies to the scenario where all the authentication access devices that associate with the authentication control device belong to different management VLANs. When the authentication access devices belong to multiple management VLANs, the authentication control device must have multiple VLANIF interfaces configured. If one of the VLANIF interfaces is specified as the source interface, all the authentication access devices cannot work properly when the source interface fails. A loopback interface remains Up after being created. When a loopback interface is used as the source interface and a VLANIF interface becomes faulty, only the authentication access device that connects to the VLANIF interface cannot go online.

      If the SVF function is enabled, only one source interface can be configured.

      Multiple source interfaces can be configured. If the source interfaces are added to different VPN instances, the IP addresses of these interfaces cannot be the same.

      • Specify a VLANIF interface as the source interface of the CAPWAP tunnel.

        Run the capwap source interface vlanif vlan-id command to specify the source interface of the CAPWAP tunnel on the authentication control device.

        By default, no source interface of the CAPWAP tunnel is specified on the authentication control device.

        The VLAN ID mapping the source interface is the management VLAN ID.

      • Specify a loopback interface as the source interface of the CAPWAP tunnel.
        1. Run the interface loopback loopback-number command to create a loopback interface and enter the loopback interface view.

        2. Run the ip address ip-address { mask | mask-length } command to configure an IP address for the loopback interface.

        3. Run the quit command to return to the system view.

        4. Run the capwap source interface loopback loopback-number command to specify the source interface of the CAPWAP tunnel on the authentication control device.

          By default, no source interface of the CAPWAP tunnel is specified on the authentication control device.

      When the loopback interface functions as the source interface of the CAPWAP tunnel, you must specify the route from the VLANIF interface mapping the management VLAN to the loopback interface.

      If the authentication control device functions as the DHCP server that assigns IP addresses to authentication access devices, you also need to configure the DHCP server function on the VLANIF interface mapping the management VLAN. For details, see DHCP Configuration in the appropriate Configuration Guide - IP Service based on the authentication control device model.

  2. Configure an interface as the control point.

    The control point can be configured on a Layer 2 physical interface or a VLANIF interface. When a VLANIF interface is configured as the NAC authentication interface, both the VLANIF interface and its mapping physical interface must be configured as control points, and NAC authentication cannot be configured on the physical interface.

    1. Run the interface interface-type interface-number command to enter the interface view.
    2. Run the authentication control-point [ open ] command to configure the interface as the control point.

      By default, no interface is configured as the control point.

      If the open parameter is configured, the control point directly forwards user traffic. If the open parameter is not configured, the control point manages the forwarding rights for user traffic through NAC authentication.

      The open parameter cannot be configured for a VLANIF interface.

      When one of the following interfaces functions as the control point, it can only directly forward user traffic; that is, only the authentication control-point open command can be configured on it:
      • An interface on a card other than the LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, or X series cards
      • An Eth-Trunk interface containing interfaces on cards other than the LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, or X series cards
      • An interface on the S6720-SI, S6720S-SI, S6720-EI, or S6720S-EI
      • An Eth-Trunk interface containing interfaces on the S6720-SI, S6720S-SI, S6720-EI, or S6720S-EI
    3. (Optional) Run the authentication open ucl-policy enable command to configure a control point where the authentication control-point open command has been configured to filter user traffic based on a user ACL before forwarding the traffic.

      By default, a control point where authentication control-point open has been configured directly forwards user traffic.

      Only the S5720-HI, S5730-HI, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S5731-H, S5731S-H, LE1D2S04SEC0 card, LE1D2X32SEC0 card, LE1D2H02QEC0 card, and X series cards support this command.

    4. Run the quit command to return to the system view.

  3. Configure access authentication for authentication access devices.

    By default, authentication access devices can access an authentication control device only after passing authentication. The authentication control device authenticates access devices using a blacklist and a whitelist: authentication access devices in the blacklist cannot access the authentication control device, and authentication access devices in the whitelist can. The authentication control device does not authenticate authentication access devices that are in neither list, so you must manually specify the allowed authentication access devices. You can also disable authentication for authentication access devices; in that case, an authentication access device can connect to the authentication control device regardless of whether it is in the blacklist or whitelist.

    The configuration of this function is similar to the AS access authentication on the parent device in the SVF. For details, see "Configuring AS Access Authentication" in SVF Configuration of the appropriate Configuration Guide - Device Management based on the authentication control device model.

  4. Configure user authorization information to be delivered to authentication access devices and authentication control devices.

    1. Run aaa

      The AAA view is displayed.

    2. Run service-scheme service-scheme-name

      A service scheme is created and the service scheme view is displayed.

    3. Run remote-authorize { acl | car | ucl-group } *

      The user authorization information to be delivered to authentication access devices is specified.

      By default, no user authorization information is delivered to authentication access devices.

      When you authorize the ACL or UCL group, configure the corresponding ACL or UCL group on authentication access devices to ensure that the authorization information takes effect on the authentication access devices.

    4. Run local-authorize { none | { acl | car | priority | ucl-group | vlan } * }

      The user authorization information to be delivered to authentication control devices is specified.

      By default, all user authorization information can be delivered to authentication control devices.

      When you authorize the ACL or UCL group, configure the corresponding ACL or UCL group on authentication control devices to ensure that the authorization information takes effect on the authentication control devices.

    5. Run quit

      Return to the AAA view.

    6. Run quit

      Return to the system view.

  5. Configure extended functions and optional parameters.

    1. Run interface interface-type interface-number

      The interface view is displayed.

    2. Perform the following configurations based on network requirements:
      • Run user-sync { interval interval-value | retry retry-value } *

        The device is configured to periodically synchronize online user information to the authentication access device, and the synchronization interval and number of synchronization attempts are configured.

        By default, user synchronization is enabled, the synchronization interval is 60 seconds, and the number of synchronization attempts is 10.

        The user synchronization function must be enabled on both authentication access devices and authentication control devices for it to work properly. In addition, the user synchronization interval configured on authentication access devices must be shorter than or equal to that configured on authentication control devices, to prevent users from being disconnected by a synchronization mismatch.

      • Run control-down offline delay { delay-value | unlimited }

        The user logout delay after a CAPWAP tunnel fault is configured on the authentication control device.

        By default, the user logout delay after a CAPWAP tunnel fault is not configured on the authentication control device, indicating that the users on an authentication control device go offline immediately after a CAPWAP tunnel is faulty.

      • Run access-user arp-detect control-point mac-ip enable

        The source IP address and source MAC address of detection packets sent by an AS are configured to be the same as those used by an authentication control device for detection.

        By default, the source IP address and source MAC address of detection packets sent by an AS are not configured to be the same as those used by an authentication control device for detection.
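The following is an added configuration example, not part of the original page, that walks through steps 1, 2, 4 and 5 above on an authentication control device. VLAN 100, the IP addresses, Loopback0, GigabitEthernet1/0/1 and the scheme name policy-assoc are constructed sample values; step 3 (access-device whitelist) is configured as described in the referenced SVF guide and is not shown.

```text
# Added example, not from the original page. Sample values are constructed.
system-view
# Step 1.1: management VLAN for the CAPWAP tunnel. It must differ from the
# management VLAN and PnP VLAN of switches managed by iMaster NCE-Campus,
# and only basic configuration belongs on VLAN 100 and VLANIF 100.
vlan batch 100
interface vlanif 100
 ip address 10.1.100.1 255.255.255.0
 quit
# Step 1.2: loopback source interface. Chosen instead of VLANIF 100 so that
# a VLANIF fault only affects the access devices behind that VLANIF.
# The access devices must have a route to 10.1.255.1 via VLANIF 100.
interface loopback 0
 ip address 10.1.255.1 255.255.255.255
 quit
capwap source interface loopback 0
# Step 2: control point on the port facing the access devices. The "open"
# keyword is deliberately omitted, so user traffic is gated by NAC
# authentication instead of being forwarded directly.
interface gigabitethernet 1/0/1
 authentication control-point
 quit
# Step 4: authorization attributes sent to the access devices (remote) and
# those enforced on the control device itself (local). The referenced ACL
# and UCL group must also exist on the access devices.
aaa
 service-scheme policy-assoc
  remote-authorize acl ucl-group
  local-authorize acl car
  quit
 quit
# Step 5: user synchronization and a tunnel-fault logout delay on the
# control-point interface. The interval here (60 s) must be greater than
# or equal to the interval configured on the access devices.
interface gigabitethernet 1/0/1
 user-sync interval 60 retry 10
 control-down offline delay 300
 quit
```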

Copyright © Huawei Technologies Co., Ltd.