Mac Address Authentication - Huawei AR1200-S Configuration Manual


Huawei AR1200-S Series Enterprise Routers
Configuration Guide - Security
controls access devices connected to an interface of an access control device on a LAN. User
devices connected to the interface can access resources on the LAN only after being
authenticated.
802.1x authentication is classified into:
• Interface-based authentication: As long as the first user on an interface is authenticated,
  all the other access users can use network resources and do not need to be authenticated.
  After the first user goes offline, other users cannot use network resources.
• MAC address-based authentication: All access users on an interface need to be
  authenticated.
Authentication mode
• Extensible Authentication Protocol (EAP) termination authentication: The AR1200-S
  terminates EAP packets from users, parses user names and passwords, encrypts the
  passwords, and then sends them to the AAA server for authentication. EAP termination
  authentication includes Password Authentication Protocol (PAP) and Challenge
  Handshake Authentication Protocol (CHAP).
  – PAP is a two-way handshake authentication protocol and transmits passwords in plain
    text. It has low security.
  – CHAP is a three-way handshake authentication protocol and transmits passwords in
    cipher text. It has higher security than PAP.
• EAP relay authentication: The AR1200-S encapsulates authentication information about
  802.1x users and EAP packets in the attribute fields in RADIUS packets or HWTACACS
  packets and sends the packets to the AAA server.
Guest VLAN
If a user who fails authentication needs to access some network resources, for example, to
download the 802.1x client program and update the virus library, add the user to a guest VLAN
so that the user can access resources in the guest VLAN.
MAC address bypass authentication
If the 802.1x client software cannot be installed or used on some terminals such as printers,
enable MAC address bypass authentication. After MAC address bypass authentication is
enabled, when the AR1200-S initiates 802.1x authentication but does not receive a response
from the terminal, the AR1200-S sends the MAC address of the user terminal as the user name
and password to the authentication server.

MAC Address Authentication

MAC address authentication controls network access permissions of a user based on the access
interface and MAC address of the user. The user does not need to install any client software.
The user name and password are the MAC address of the user device. After detecting the MAC
address of a user for the first time, the AR1200-S starts authenticating the user.
NAC Applications
All LAN-side Ethernet and GE interfaces of the AR1220 support 802.1x authentication and
MAC address authentication. LAN-side Ethernet and GE interfaces of the SRU on the AR1220
support only 802.1x authentication.
Issue 02 (2012-03-30)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
5 NAC Configuration
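
The sketch below is an added example, not code from Huawei or from this manual. It models the check made when an access device submits a terminal's MAC address as both user name and password, carried once as PAP and once as CHAP (RFC 1994 response). The `AaaServer` class, the 12-hex-digit lowercase credential format, the sample MAC, and the use of PAP or CHAP for MAC-derived credentials are assumptions.

```python
import hashlib
import hmac
import os
import re

def mac_credential(mac: str) -> str:
    """Normalise a MAC to 12 lowercase hex digits (credential format is an assumption)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()

def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

class AaaServer:
    """Hypothetical AAA server: one account per terminal, password equal to its MAC."""
    def __init__(self, allowed_macs):
        self.accounts = {m: m for m in map(mac_credential, allowed_macs)}

    def pap(self, user: str, password: str) -> bool:
        # PAP, two-way: request carrying (user, password), then accept or reject.
        expected = self.accounts.get(user)
        return expected is not None and hmac.compare_digest(expected, password)

    def chap(self, user: str, ident: int, challenge: bytes, response: bytes) -> bool:
        # CHAP, three-way: challenge, digest response, then accept or reject.
        expected = self.accounts.get(user)
        if expected is None:
            return False
        return hmac.compare_digest(chap_response(ident, expected, challenge), response)

def mac_authenticate(server: AaaServer, observed_mac: str, method: str = "chap") -> bool:
    """Access-device side: the terminal runs no client, so the device builds the
    credentials itself from the source MAC it observed on the interface."""
    cred = mac_credential(observed_mac)  # user name == password == MAC
    if method == "pap":
        return server.pap(cred, cred)
    ident, challenge = 1, os.urandom(16)
    return server.chap(cred, ident, challenge, chap_response(ident, cred, challenge))

# Constructed sample data: a single printer registered on the AAA server.
SERVER = AaaServer(["00-E0-FC-12-34-56"])
```

Under either method the credential is derived entirely from the observed source MAC; CHAP only changes how it is carried to the AAA server.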
