Typical User Access and Authentication Configuration

If NAC authentication is enabled on an interface, the following commands cannot be used on the same interface. If the following commands are configured on an interface, NAC authentication cannot be used on the same interface.

Command	Function
mac-limit	Sets the maximum number of MAC addresses that can be learned by an interface.
mac-address learning disable	Disables MAC address learning on an interface.
port link-type dot1q-tunnel	Sets the link type of an interface to QinQ.
port vlan-mapping vlan map-vlan port vlan-mapping vlan inner-vlan	Configures VLAN mapping on an interface.
port vlan-stacking	Configures selective QinQ.
port-security enable NOTE: The restriction applies only to devices of versions earlier than V200R012C00. For devices running V200R012C00 or a later version, you can run this command on an interface even if NAC authentication is enabled on the interface, or enable NAC authentication on an interface even if this command is run.	Enables interface security.
mac-vlan enable	Enables MAC address-based VLAN assignment on an interface.
ip-subnet-vlan enable	Enables IP subnet-based VLAN assignment on an interface.
user-bind ip sticky-mac NOTE: This command conflicts with only 802.1X authentication and MAC address authentication.	Enables the device to generate snooping MAC entries.

Typical AAA Configuration

Typical NAC Configuration (Unified Mode) (the Agile Controller-Campus as the Authentication Server) (V200R009C00 and Later Versions)

Typical NAC Configuration (Unified Mode) (V200R009C00 and Later Versions)

Typical NAC Configuration (Unified Mode) (the Agile Controller-Campus as the Authentication Server) (V200R005C00 to V200R008C00)

Typical NAC Configuration (Unified Mode) (V200R005C00 to V200R008C00)

Typical NAC Configuration (Common Mode)

Parent Topic: Typical Configuration Examples

Copyright © Huawei Technologies Co., Ltd.

Copyright © Huawei Technologies Co., Ltd.

< Previous topic Next topic >