Configuring Terminal Type Identification
Context
As an increasing number of smart terminals are used, Bring Your Own Device (BYOD), a new working style for enterprises, has become a trend. When an enterprise uses the BYOD solution, the administrator must determine the users and terminals that can connect to the enterprise network, where users can connect to the enterprise network, and access rights of different terminals. All these require terminal type identification.
If the server does not support the terminal type identification function, you can configure the function on the device. The device then sends identified terminal types to the server and the server can deliver corresponding rights based on the terminal types.
After the terminal type identification function is configured, an AC can determine terminal types by analyzing mDNS, MAC addresses, DHCP option information, and user agent (UA) information of terminals. The AC then can control terminal access and grant access rights to terminals accordingly.
Procedure
- Authentication-irrelevant terminal type identification
- Run system-view
The system view is displayed.
- Use any one or more commands to configure terminal type identification as required:
- UA-based terminal type identification
- On the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S, run http parse user-agent enable
The UA function is enabled.
By default, the UA function is disabled.
- On other models, the UA function is enabled by default.
- On the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S, run http parse user-agent enable
- mDNS-based terminal type identification
Run interface interface-type interface-number
The interface view is displayed.
Or:
Run vlan vlan-id
The VLAN view is displayed.
Run mdns snooping enable
mDNS snooping is enabled.
By default, mDNS snooping is disabled.
- DHCP option-based terminal type identification
Run interfaceinterface-typeinterface-number
The interface view is displayed.
Run dhcp snooping enable
DHCP snooping is enabled.
By default, DHCP snooping is disabled.
- UA-based terminal type identification
- Run system-view
- Terminal type identification during authentication
- Run system-view
The system view is displayed.
- Run device-profileprofile-nameprofile-name
A terminal type identification profile is created and the terminal type identification profile view is displayed.
- Run device-typedevice-name
A terminal type identifier is configured.
By default, no terminal type identifier is configured in the system.
- Use any one or more commands to configure terminal type identification rules as required:
MAC address-based terminal type identification rule
Run rulerule-idmacmac-addressmask { mask-length | mask }
A MAC address-based terminal type identification rule is configured.
By default, no MAC address-based terminal identification rule is configured.
UA-based terminal type identification rule
Run rulerule-iduser-agent { sub-match | all-match } user-agent-text
A UA-based terminal type identification rule is configured.
By default, no UA-based terminal identification rule is configured.
If user-agent is specified in a terminal type identification rule, run the http parse user-agent enable command to enable the UA function.
DHCP option-based terminal type identification rule
Run rulerule-iddhcp-optionoption-id { sub-match | all-match } { asciioption-text | hexoption-hex-string }
A DHCP option-based terminal type identification rule is configured.
By default, no DHCP option-based terminal identification rule is configured.
- Run if-matchrulerule-id [ { and | or } rulerule-id ] &<1-7>
A matching mode is configured for terminal type identification rules.
By default, no matching mode is configured for terminal type identification rules.
- Run enableThe terminal type identification function is enabled.
By default, terminal type identification is disabled.
This function is supported only by the S5730-HI, S5731-H, S5731S-H, S6730-H, S6730S-H, S5732-H, S6720-HI, and S5720-HI and takes effect only for wireless access users.
The AP3010DN-AGN does not support terminal type identification.
- Run system-view
Verifying the Configuration
- Run the display device-profile { all | profile-name profile-name } command to check the configuration of the terminal type identification profile.
Follow-up Procedure
Configure authentication, authorization, and accounting policies so that the device can determine whether an identified terminal type is authorized and deliver rights to the terminal to secure the network. For details about the configuration, see AAA Configuration.
When RADIUS authentication or accounting is used, the terminal type identified by the device is carried by Huawei proprietary attribute 157 HW-Terminal-Type and sent to the RADIUS server. The RADIUS server must identify this attribute so that it can deliver authorization information based on the user terminal type.