
ip-static-user enable

Function

The ip-static-user enable command enables the function of identifying static users through IP addresses.

The undo ip-static-user enable command restores the default setting.

By default, the function of identifying static users through IP addresses is disabled, and the device identifies static users through MAC addresses.

This command is only supported by the S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, and S5720-HI.

Format

ip-static-user enable

undo ip-static-user enable

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the device identifies static users through MAC addresses. However, a terminal may have one MAC address and multiple IP addresses; for example, a firewall has multiple valid IP addresses that correspond to only one MAC address. Such a terminal goes online only after all of its IP addresses pass authentication. If the device identifies terminals through MAC addresses, the entry for each IP address that is authenticated later overwrites the entry for the IP address that was authenticated earlier, and this repeats for every IP address. As a result, the terminal cannot go online. You can run the ip-static-user enable command to enable the function of identifying static users through IP addresses so that terminals with one MAC address and multiple IP addresses can go online.

Prerequisites

A static user has been configured before this function is enabled.
  1. A static user has been configured using the static-user start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ] [ ip-user ] [ domain-name domain-name | interface interface-type interface-number [ detect ] | mac-address mac-address | vlan vlan-id ] * command.
  2. The authentication user name has been configured for the static user using the static-user username format-include { ip-address | mac-address | system-name } command.
  3. The authentication password has been configured for the static user using the static-user password cipher password command.

Precautions

  • For a terminal with one MAC address and multiple IP addresses, you must configure the terminal as a static user and enable the function of identifying static users through IP addresses so that the terminal can pass authentication and go online. If ip-user is not specified when you configure static users, all static users are processed by assuming they have one MAC address and multiple IP addresses. To precisely identify and process static users with one MAC address and multiple IP addresses, specify ip-user when configuring these static users.
  • The device does not support traffic statistics collection for a terminal with one MAC address and multiple IP addresses.
  • Configure wired users before enabling this function.

  • This function takes effect only for users who go online after it is configured. After the configuration on an interface is modified, online users on the interface go offline.

  • The device supports this function only when the user access mode is multi-authen. For details on how to configure the user access mode, see authentication mode.
  • Static users who are identified through IP addresses directly go offline after they fail to pass authentication, and are not kept in the pre-connection state.
  • Static users identified through IP addresses do not support right control during Layer 2 forwarding.

  • Static users identified through IP addresses support only IP address-based upstream authorization services (such as authorization UCL, isolation between Layer 3 groups, CAR, and priority for upstream traffic), and do not support downstream authorization services (such as CAR, re-marking action, dynamic authorization VLAN, and HQoS for downstream traffic).

  • In the policy association scenario, if the control point mode is set to open using the authentication control-point open command, the device does not support the function of identifying static users through IP addresses.

  • For a terminal with one MAC address and multiple IP addresses, only ARP packets can be used to trigger authentication. Therefore, ensure that the device can perform authentication triggered by ARP packets; for example, the types of packets that can trigger authentication must include ARP.
  • For the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S, when the ip-static-user enable and authentication trigger-condition any-l2-packet commands are both configured, user authentication cannot be triggered by any Layer 2 packets.
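The precautions above can be checked offline against an exported configuration. The following is an added example, not Huawei code: the sample configuration, its layout (one leading space for profile sub-commands), the finding texts and the function names are constructed for illustration, and only an explicitly configured access mode is judged.

```python
import re

# Constructed sample in the style of a saved configuration (not from the page).
SAMPLE = """\
static-user 10.1.1.10 10.1.1.12 mac-address 00e0-fc12-3456
static-user 10.1.2.20 ip-user
authentication-profile name p1
 authentication mode multi-share
 authentication trigger-condition any-l2-packet
 ip-static-user enable
authentication-profile name p2
 authentication mode multi-authen
 ip-static-user enable
"""

def profiles(config):
    """Map each authentication profile name to its indented sub-commands."""
    out, current = {}, None
    for line in config.splitlines():
        m = re.match(r"authentication-profile name (\S+)", line)
        if m:
            current = out.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level line closes the profile block
    return out

def audit(config):
    """Return (scope, finding) pairs for the precautions listed on this page."""
    findings, enabled = [], []
    for name, cmds in profiles(config).items():
        if "ip-static-user enable" not in cmds:
            continue
        enabled.append(name)
        for c in cmds:
            # Assumption: only an explicitly configured mode is judged.
            if c.startswith("authentication mode ") and c.split()[2] != "multi-authen":
                findings.append((name, "access mode is not multi-authen"))
        if "authentication trigger-condition any-l2-packet" in cmds:
            findings.append((name, "any-l2-packet cannot trigger authentication"))
    if not enabled:
        return findings
    for line in config.splitlines():
        if line.strip() == "authentication control-point open":
            findings.append(("policy-association", "control point mode is open"))
        if re.match(r"static-user \d", line) and "ip-user" not in line.split():
            findings.append((line.split()[1], "static user configured without ip-user"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(f"{scope}: {finding}")
```
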

Example

# Enable the function of identifying static users through IP addresses in the authentication profile p1.

<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] ip-static-user enable
Copyright © Huawei Technologies Co., Ltd.