Authentication; Mac Address Authentication; Mac Address Bypass Authentication - Huawei Quidway S3700 Series Configuration Manual

Quidway S3700 Series Ethernet Switches
Configuration Guide - Security
The Portal protocol enables Web servers to communicate with other devices. The portal protocol
is based on a client/server model and uses the User Datagram Protocol (UDP) as the transmission
protocol. In Web authentication, the Web authentication server and the S3700 communicate
with each other through the portal protocol. In this case, the S3700 functions as the client. When
obtaining the user name and password entered by the user on the authentication page, the Web
authentication server transfers them to the S3700 through the portal protocol.
2.1.2 802.1x Authentication
The IEEE 802.1x standard (hereinafter referred to as 802.1x) is an interface-based network
access control protocol. Interface-based network access control is used to authenticate and
control access devices on an interface of a LAN access control device. User devices connected
to the interface can access the resources on the LAN only after they pass the authentication.
802.1x focuses on the status of the access interface only. When an authorized user accesses the
network by sending the user name and password, the interface is open. When an unauthorized
user or no user accesses the network, the interface is closed. The authentication result is reflected
by the status of the interface. The IP address negotiation and allocation that are considered in
common authentication technologies are not involved. Therefore, 802.1x authentication is the
simplest implementation scheme among the authentication technologies.
802.1x supports the authentication mode based on the access interface and the MAC address.
- Authentication mode based on the access interface: Other users can access network
  resources without authentication when the first user under the interface is successfully
  authenticated. But other users are disconnected when the first user goes offline.
- Authentication mode based on the MAC address: Each access user under this interface needs
  to be authenticated.
802.1x supports the following authentication modes:
- EAP termination mode: The network access device terminates EAP packets, obtains the
  user name and password from the packets, encrypts the password, and sends the user name
  and password to the RADIUS server for authentication.
- EAP transparent transmission authentication: Also called EAP relay authentication. The
  network access device directly encapsulates authentication information about 802.1x users
  and EAP packets into the attribute field of RADIUS packets and sends them to the RADIUS
  server. Therefore, the EAP packets do not need to be converted to the RADIUS packets
  before they are sent to the RADIUS server.

2.1.3 MAC Address Authentication

MAC address authentication is an authentication method that controls the network access
authority of a user based on the interface and MAC address. No client software needs to be
installed. The user name and password are the MAC address of the user device. After detecting
the MAC address of a user for the first time, the device starts authenticating the user.

2.1.4 MAC Address Bypass Authentication

MAC address bypass authentication: The S3700 triggers 802.1X authentication for a user. If the
user does not respond within 30 seconds, the S3700 sends the MAC address of the user to the
RADIUS server, and then the RADIUS server uses the MAC address as the user name and
password to authenticate the user.

Issue 01 (2011-07-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2 NAC Configuration
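The following is an added example, not code from the Huawei manual: it sorts RADIUS Access-Requests into the EAP relay, EAP termination and MAC-credential paths described in 2.1.2 to 2.1.4 and flags MAC-credential logins worth reviewing. It assumes the switch puts the client MAC in Calling-Station-Id; the request records, the MAC user-name formats and the APPROVED_MAC_ONLY inventory are constructed for illustration.

```python
import re

# Constructed sample: Access-Request attributes as a RADIUS server might log them.
# Attribute names are standard RADIUS; values and MAC user-name formats are assumptions.
SAMPLE_REQUESTS = [
    {"User-Name": "alice", "Calling-Station-Id": "00-11-22-33-44-55", "EAP-Message": "(eap)"},
    {"User-Name": "bob", "Calling-Station-Id": "00-11-22-33-44-66", "CHAP-Password": "(chap)"},
    {"User-Name": "0011-2233-4477", "Calling-Station-Id": "00-11-22-33-44-77", "User-Password": "(enc)"},
    {"User-Name": "001122334455", "Calling-Station-Id": "00-11-22-33-44-55", "User-Password": "(enc)"},
    {"User-Name": "001122334488", "Calling-Station-Id": "00-11-22-33-44-88", "User-Password": "(enc)"},
]
APPROVED_MAC_ONLY = {"001122334477"}  # hypothetical inventory of supplicant-less devices


def norm_mac(value):
    """Return 12 lowercase hex digits if value looks like a MAC address, else None."""
    digits = re.sub(r"[-:.]", "", value or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def classify(req):
    """Map one Access-Request to an authentication path named in the text."""
    if "EAP-Message" in req:
        return "eap-relay"  # EAP packet carried inside a RADIUS attribute
    user_mac = norm_mac(req.get("User-Name"))
    if user_mac and user_mac == norm_mac(req.get("Calling-Station-Id")):
        return "mac"  # MAC authentication or MAC bypass: the MAC is the credential
    return "eap-termination"  # the switch extracted the user name and password itself


def audit(requests, approved=APPROVED_MAC_ONLY):
    """Return (mac, reason) findings for MAC-credential logins that deserve review."""
    seen_dot1x, findings = set(), []
    for req in requests:
        kind, mac = classify(req), norm_mac(req.get("Calling-Station-Id"))
        if kind != "mac":
            seen_dot1x.add(mac)
        elif mac in seen_dot1x:
            findings.append((mac, "fell back from 802.1x to MAC credential"))
        elif mac not in approved:
            findings.append((mac, "MAC credential, not in approved inventory"))
    return findings


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify(req), req["User-Name"])
    print(audit(SAMPLE_REQUESTS))
```

MAC authentication and MAC bypass look the same to the RADIUS server, so the classifier reports both as `mac`; telling them apart needs the switch-side record of whether 802.1X was attempted first.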
