
Licensing Requirements and Limitations for Policy Association

Involved Network Elements

Table 1 Components involved in NAC networking

Role: AAA server
Product Model: Huawei server or third-party AAA server
Description: Performs authentication, accounting, and authorization for users.

Role: Portal server
Product Model: Huawei server or third-party Portal server
Description: Receives authentication requests from Portal clients, provides free portal services and the web authentication page, and exchanges client authentication information with authentication access devices. This component is required only in external Portal authentication mode.

When Huawei's Agile Controller-Campus functions as the server, the version required is V100R001, V100R002, or V100R003.

When Huawei's iMaster NCE-Campus functions as the server, its version must be V300R019C10.

If a Huawei switch needs to function as a DHCP server and assign IP addresses to terminals based on the static MAC-IP binding relationship delivered by the Agile Controller-Campus, the switch must run V200R009C00 or a later version, and the Agile Controller-Campus must run V100R002 or V100R003.

Licensing Requirements

Policy Association is a basic feature of a switch and is not under license control.

Feature Support in V200R019C10

Prior to V200R011C10, the authentication control device and authentication access device must run the same version.

If the authentication control device and authentication access device both run V200R011C10 or later:
  • In non-SVF scenarios with policy association configured, the authentication control device and the authentication access device can run different versions. A switch can function as the authentication control or access device in this scenario if its model supports that role and it runs V200R011C10 or later. For example, if the authentication control device runs V200R011C10, the authentication access device can run V200R011C10, V200R012C00, or later. If the authentication access device runs V200R012C00, the authentication control device can run V200R011C10, V200R012C00, or later.
  • In SVF scenarios when policy association is configured, for the version mapping between switch models that can function as the authentication control and access devices, see Version Requirements in SVF Configuration of the Configuration Guide - Device Management for your version.
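
The version rule above for non-SVF scenarios can be checked before a deployment is rolled out. The following is an added example written for this page, not Huawei code: it parses VxxxRyyyCzz version strings into comparable tuples and applies the rule that devices must run the same version unless both run V200R011C10 or later. The function names and the sample site data are constructed for the example; SVF scenarios are not covered, since the page defers those to the SVF configuration guide.

```python
import re

# Added example, not Huawei code: checks the policy association version rule
# for non-SVF scenarios (same version required unless both run V200R011C10+).

_VERSION_RE = re.compile(r"^V(\d{3})R(\d{3})C(\d{2})$")
MIXED_VERSION_FLOOR = (200, 11, 10)   # V200R011C10: first version allowing mixed versions


def parse_version(text: str) -> tuple:
    """Turn a Huawei 'VxxxRyyyCzz' version string into a comparable (V, R, C) tuple."""
    m = _VERSION_RE.match(text.strip().upper())
    if m is None:
        raise ValueError(f"not a VxxxRyyyCzz version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def versions_compatible(control_version: str, access_version: str) -> tuple:
    """Return (ok, reason) for a control/access device pair in a non-SVF policy association setup."""
    control = parse_version(control_version)
    access = parse_version(access_version)
    if control == access:
        return (True, "both devices run the same version")
    if control >= MIXED_VERSION_FLOOR and access >= MIXED_VERSION_FLOOR:
        return (True, "both devices run V200R011C10 or later, so different versions are allowed")
    return (False, "versions differ and at least one device runs a version earlier than "
                   "V200R011C10; both devices must run the same version")


def check_site(control_version: str, access_versions: dict) -> list:
    """Check every access device against the control device; return the names that fail."""
    failing = []
    for name, version in access_versions.items():
        ok, _reason = versions_compatible(control_version, version)
        if not ok:
            failing.append(name)
    return failing


if __name__ == "__main__":
    # Constructed sample site: one control device, three access devices.
    site = {"as1": "V200R012C00", "as2": "V200R010C00", "as3": "V200R011C10"}
    for name, version in site.items():
        print(name, version, versions_compatible("V200R011C10", version))
    print("failing:", check_site("V200R011C10", site))
```

Feed it the inventory from your own asset database; any name returned by `check_site` needs an upgrade (or the control device must be brought to the same version) before policy association is enabled on that link.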
Table 2 Products and versions supporting policy association

Software Version

Models That Can Function as Authentication Control Devices

Models That Can Function as Authentication Access Devices

V200R011C10 and later

  • S12700E-4, S12700E-8, S12700E-12
  • S12704, S12708, S12710, S12712
  • S7703, S7706, S7712
  • S7703 PoE, S7706 PoE
  • S9703, S9706, S9712
  • S9303, S9306, S9310, S9312
  • S9303E, S9306E, S9312E
  • S9310X
  • S9300X-4, S9300X-8, S9300X-12
  • S5720-HI, S5730-HI, S5731-H, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H, S5731S-H, S5732-H, S6730-S, S6730S-S
  • S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5710-X-LI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI, S5720-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI, S5731-H, S6730-H, S6730S-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-S, S6730S-S, S5730-HI
  • S600-E

V200R011C00

  • S5720-HI, S6720-EI, S6720S-EI
  • S2750-EI, S5700-LI, S5700S-LI, S5710-X-LI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720-SI, S5720S-SI, S5720-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI
  • S600-E

V200R010C00

  • S12704, S12708, S12710, S12712
  • S7703, S7706, S7712
  • S9703, S9706, S9712
  • S5720-HI, S6720-EI, S6720S-EI
  • S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5710-X-LI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720-EI, S6720-EI, S6720S-EI
  • S600-E

V200R009C00

  • S12704, S12708, S12712
  • S7703, S7706, S7712
  • S9703, S9706, S9712
  • S5720-HI, S6720-EI, S6720S-EI
  • S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5710-X-LI, S5720-SI, S5720S-SI, S5720-EI, S6720-EI, S6720S-EI

V200R008C00

  • S12704, S12708, S12712
  • S7703, S7706, S7712
  • S9703, S9706, S9712
  • S5720-HI
  • S2750-EI, S5700-LI, S5700S-LI, S5710-X-LI, S5720-SI, S5720S-SI, S5720-EI

V200R007C00

  • S12708, S12712
  • S7703, S7706, S7712
  • S9703, S9706, S9712
  • S5720-HI
  • S2750-EI, S5700-LI, S5700S-LI, S5720-EI

For details about software mappings, visit Hardware Query Tool and search for the desired product model.

Feature Limitations

The information about the network is as follows:

  • An authentication control device and an authentication access device can be directly connected or connected across a pure Layer 2 network, and the user gateway must be located on the authentication control device or the upstream device of the authentication control device.
  • An authentication control device can be a single device or a cluster of two devices or a stack of multiple devices. An authentication access device can be a single device or a stack of multiple devices. The devices in a stack must have the same model and interface type.
  • By default, the S5730-HI, S5731-H, S5731S-H, S5732-H24S6Q, S5732-H48S6Q, S6730S-H, and S6730-H work in authentication control device mode, and the S5732-H24UM2CC, S5732-H48UM2CC, S6730-S, S6730S-S, S6720-SI, S6720S-SI, S6720-EI, and S6720S-EI work in authentication access device mode. All of these models can function as either the authentication control device or the authentication access device; run the [ undo ] as-mode disable command to change the working mode. For the models that support the WLAN function, the WLAN function becomes unavailable while they work in authentication access device mode.

The information about the basic function of Policy Association is as follows:
  • Only policy association between the authentication control device and authentication access devices is supported, and configuration association is not supported.

  • Policy association is applicable only to wired users. MAC address migration is not supported for online users: when a user switches from one authentication access device or access interface to another, the user may fail to go online. In this case, reduce the offline detection interval; 15 to 30 seconds is recommended if no hub is used, so that the system quickly detects that the user has gone offline from the original interface and lets the user go online through the new interface. Configuration example: run the link-down offline delay 0 command in the authentication profile of the authentication access device to set the user logout delay to zero when the interface link is faulty, and then run the user-detect interval 10 retry 2 command in the system view to enable online detection so that the user can go online quickly.

The information about the control point is as follows:
  • The control point can be configured on a Layer 2 physical interface or a VLANIF interface. When a VLANIF interface is configured as the NAC authentication interface, both the VLANIF interface and the physical interface mapped to it must be configured as control points, and NAC authentication cannot be configured on the physical interface.

The information about NAC authentication is as follows:
  • Policy association is supported only in the NAC unified mode.

  • Policy association is not supported on an IPv6 network in V200R013 and earlier versions, in which authentication cannot be triggered through DHCPv6 or ND packets.

  • Only the S7700, S9700, S12700, and S12700E series switches support PPPoE authentication. However, the switches do not support PPPoE authentication in the policy association solution.

  • Only the S600-E, S2700, S5700, and S6700 series switches support built-in Portal authentication. However, the switches do not support built-in Portal authentication in the policy association solution.

  • Policy association does not support Layer 3 Portal authentication or the multi-share access mode.

  • It is recommended that either all interfaces of the authentication access device have policy association configured or all the interfaces have local authentication configured.

  • In policy association, the user authentication method depends on the authentication method and sequence configured on the authentication control device.

  • In policy association, users cannot go online if NAC authentication is configured on the authentication control device but not on the authentication access device. It is recommended that authentication users and authentication-free users be placed in different VLANs and that authentication-free rules be configured based on those VLANs to allow access by authentication-free users.

  • In policy association, to enable users to obtain some network rights before authentication succeeds, perform the following operations: Run the free-rule rule-id destination any source any command on the authentication access device to enable all network access rights for the users. Then run the authentication event action authorize command on the authentication control device to configure the network access rights for the users before authentication succeeds.

  • When a VLAN is authorized in policy association scenarios:
    • The downlink interface on the authentication access device must be a hybrid interface. The uplink interface on the authentication access device connected to the authentication control device can be a trunk or hybrid interface, but must allow packets from the authorized VLAN to pass through. If a transparent transmission device exists between the authentication access device and the authentication control device, the transparent transmission device must also allow packets from the authorized VLAN to pass through.
    • In versions earlier than V200R011C10, the downlink interface on the authentication control device connected to the authentication access device must be a hybrid interface. In V200R011C10 and later versions, the downlink interface on the authentication control device connected to the authentication access device can be a trunk or hybrid interface.
    • The packets received by an authentication-enabled interface on the authentication control device must carry VLAN tags or the VLAN assigned for authorization must be set to the default VLAN (PVID) of the interface. Otherwise, the assigned VLAN does not take effect.
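
The interface requirements for VLAN authorization above are easy to get wrong on a multi-hop path, so they are worth checking against the planned configuration before users are migrated. The following is an added example written for this page, not Huawei code: a constructed topology model plus a checker that returns one finding per violated requirement, including the two version-dependent and tagging-dependent cases. The `Interface` class, the function name and the sample topology are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example, not Huawei code: pre-deployment check of the interface
# requirements this page lists for VLAN authorization in policy association.


@dataclass
class Interface:
    """Interface attributes relevant to VLAN authorization (constructed model)."""
    link_type: str                                  # "access", "trunk" or "hybrid"
    allowed_vlans: set = field(default_factory=set)  # VLANs the interface lets through
    pvid: Optional[int] = None                      # default VLAN (PVID) of the interface


def check_vlan_authorization(
    authorized_vlan: int,
    access_downlink: Interface,        # access device interface facing the user
    access_uplink: Interface,          # access device interface facing the control device
    control_downlink: Interface,       # control device interface facing the access device
    control_before_v200r011c10: bool,  # True if the control device runs a version earlier than V200R011C10
    transit_interfaces: Optional[dict] = None,  # name -> Interface of transparent devices in between
    packets_tagged: bool = True,       # whether frames reaching the control device carry VLAN tags
) -> list:
    """Return a list of findings; an empty list means the authorized VLAN can take effect."""
    findings = []

    # Access device: downlink must be hybrid; uplink trunk or hybrid and must carry the VLAN.
    if access_downlink.link_type != "hybrid":
        findings.append("access device downlink interface must be a hybrid interface")
    if access_uplink.link_type not in ("trunk", "hybrid"):
        findings.append("access device uplink interface must be a trunk or hybrid interface")
    if authorized_vlan not in access_uplink.allowed_vlans:
        findings.append(f"access device uplink interface does not allow VLAN {authorized_vlan}")

    # Any transparent transmission device on the path must also carry the VLAN.
    for name, intf in (transit_interfaces or {}).items():
        if authorized_vlan not in intf.allowed_vlans:
            findings.append(f"transparent transmission device {name} does not allow VLAN {authorized_vlan}")

    # Control device downlink: hybrid only before V200R011C10, trunk or hybrid from V200R011C10.
    if control_before_v200r011c10:
        if control_downlink.link_type != "hybrid":
            findings.append("control device downlink interface must be a hybrid interface "
                            "in versions earlier than V200R011C10")
    elif control_downlink.link_type not in ("trunk", "hybrid"):
        findings.append("control device downlink interface must be a trunk or hybrid interface")

    # Untagged frames only work if the authorized VLAN is the PVID of the authentication interface.
    if not packets_tagged and control_downlink.pvid != authorized_vlan:
        findings.append(f"frames reach the control device untagged but VLAN {authorized_vlan} is not "
                        "the PVID of its authentication interface; the assigned VLAN will not take effect")
    return findings


if __name__ == "__main__":
    # Constructed topology: authorized VLAN 100, one transparent switch in the path.
    report = check_vlan_authorization(
        100,
        access_downlink=Interface("hybrid", {100}),
        access_uplink=Interface("trunk", {100, 200}),
        control_downlink=Interface("trunk", {100, 200}),
        control_before_v200r011c10=False,
        transit_interfaces={"mid-sw": Interface("trunk", {100})},
    )
    print(report or "VLAN authorization prerequisites satisfied")
```

Run it once per authorized VLAN; a transparent device that was added to the path later is the case most often missed, and it shows up here as its own finding.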
The information about the name of an authentication access device is as follows:
  • The actual name of an authentication access device may differ from the name displayed on the authentication control device (using the display as all command). When an authentication access device goes online, its name is processed as follows:
    • If the authentication access device uses the default name, its name is changed to default name-MAC address of the authentication access device on the authentication control device.
    • If the authentication access device name contains spaces or double quotation marks ("), the spaces are changed to hyphens (-) and the double quotation marks (") are changed to single quotation marks (') on the authentication control device.
  • The name of an authentication access device is case-insensitive. The authentication access device names viewed on the authentication control device are in lowercase letters. If the name of an authentication access device is not changed on the authentication control device when the authentication access device attempts to go online, the authentication access device fails to go online and a name conflict alarm is generated. If the name of an authentication access device is set to be the same as the actual authentication access device name when the authentication access device is properly running, a name conflict alarm is generated and the authentication access device will not go offline.
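
The naming rules above determine which names collide once they are seen from the authentication control device, which matters when a fleet of access devices is named by script. The following is an added example written for this page, not Huawei code: it applies the default-name, space, quotation-mark and lowercase rules to produce the displayed name, and models the two conflict behaviours the page describes (a conflicting device cannot go online; a running device that is renamed into a conflict raises an alarm but stays online). The factory default name `HUAWEI`, the `xxxx-xxxx-xxxx` MAC notation, and the class and function names are assumptions made for the example.

```python
import re

# Added example, not Huawei code: models how the control device displays access
# device names and when it raises a name conflict alarm.

DEFAULT_NAME = "HUAWEI"   # assumed factory-default device name (assumption, not from this page)
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}$")  # assumed MAC notation


def displayed_name(actual_name: str, mac: str) -> str:
    """Name the control device shows for an access device with the given actual name and MAC."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"unexpected MAC format: {mac!r}")
    name = actual_name
    if name == DEFAULT_NAME:                          # default name -> "<default name>-<MAC>"
        name = f"{name}-{mac}"
    name = name.replace(" ", "-").replace('"', "'")   # spaces -> hyphens, double quotes -> single quotes
    return name.lower()                               # names are case-insensitive, shown in lowercase


class AccessDeviceTable:
    """Online access devices as seen from the control device, keyed by displayed name."""

    def __init__(self):
        self.online = {}   # displayed name -> MAC
        self.alarms = []   # name conflict alarms raised so far

    def go_online(self, actual_name: str, mac: str) -> bool:
        """Attempt to bring an access device online; returns False on a name conflict."""
        shown = displayed_name(actual_name, mac)
        owner = self.online.get(shown)
        if owner is not None and owner != mac:
            self.alarms.append(f"name conflict: {shown!r} already used by {owner}; {mac} cannot go online")
            return False
        self.online[shown] = mac
        return True

    def rename(self, mac: str, new_actual_name: str) -> bool:
        """Rename a running access device. Returns True if the new name was applied;
        on a conflict an alarm is raised, the old name is kept and the device stays online."""
        current = next((n for n, m in self.online.items() if m == mac), None)
        if current is None:
            raise KeyError(f"{mac} is not online")
        shown = displayed_name(new_actual_name, mac)
        owner = self.online.get(shown)
        if owner is not None and owner != mac:
            self.alarms.append(f"name conflict: {shown!r} already used by {owner}; {mac} stays online")
            return False
        del self.online[current]
        self.online[shown] = mac
        return True


if __name__ == "__main__":
    # Constructed sample: two devices whose names differ only in case collide.
    table = AccessDeviceTable()
    print(table.go_online("Access-1", "00e0-fc00-0001"))   # True
    print(table.go_online("ACCESS-1", "00e0-fc00-0002"))   # False, conflict alarm
    print(table.alarms)
```

Running the planned name list through `displayed_name` before deployment is the cheap way to find case-only and punctuation-only duplicates, which the control device would otherwise report as name conflict alarms at go-online time.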
Copyright © Huawei Technologies Co., Ltd.