08 WLAN Network Admission Control (NAC).pptx

VannakSovannroth 117 views 87 slides Sep 17, 2024

WLAN Network Admission Control (NAC)

The Network Admission Control (NAC) solution integrates terminal security with access control and takes check, isolation, hardening, and audit measures to improve the proactive protection capabilities of terminals, thereby ensuring the security of each terminal and of the entire enterprise network. This document describes the Authentication, Authorization, and Accounting (AAA) mechanism and related technologies used in NAC. It also details the commonly used authentication modes (802.1X authentication, MAC address authentication, Portal authentication, and multimode authentication), explains user authorization modes, introduces Huawei's NAC solution, and provides an example of configuring NAC.

On completion of this course, you will be able to:
- Describe basic concepts in NAC.
- Describe basic concepts and the technical implementation of AAA.
- Describe commonly used authentication solutions and their working mechanisms.
- Describe the Huawei NAC solution and related features.
- Configure NAC.

Course outline:
1. Overview of NAC
2. Commonly Used NAC Methods and Their Working Mechanism
3. Huawei NAC Solution
4. Typical NAC Configuration

Overview of NAC

NAC is an end-to-end security control technology that authenticates users and terminals that attempt to access the network, ensuring network security.

[Figure: NAC system architecture. User terminals connect through admission devices to admission servers, which provide authentication, authorization, and accounting.]

- User terminals: various terminals, such as PCs, mobile phones, printers, and cameras, that access the network.
- Admission devices: an admission device is an authentication control point that authenticates access users and executes enterprise security policies to implement access control (for example, allowing or denying user access). Admission devices can be switches, routers, WLAN access controllers (WACs), WLAN access points (APs), or other network devices.
- Admission servers: perform authentication, authorization, and accounting on users.

Overview of AAA

AAA provides authentication, authorization, and accounting functions to ensure network security.
- Authentication: verifies whether users are permitted to access the network.
- Authorization: authorizes users to use specified services.
- Accounting: records the network resources used by users.

AAA uses the client/server model. An AAA client authenticates user identities and manages user access. An AAA server centrally manages user information.

[Figure: terminals connect through an AP to a WAC acting as the AAA client, which communicates with the AAA server; the network connects onward to the Internet.]

AAA User Management

A network access server (NAS) manages users based on domains. A domain is a group of users, and each user belongs to a domain. The AAA schemes, server templates, and authorization information are centrally managed by domain.

[Figure: a domain contains AAA schemes, server templates, and authorization information.]

- AAA schemes: define how authentication (local or server authentication), authorization (local or server authorization), and accounting (server accounting) are performed.
- Server templates: used to configure authentication, authorization, and accounting servers; they hold the IP address, port number, and shared key of each server.
- Authorization information configured in a domain: when a server is configured for authorization, users obtain authorization information from both the server and the domain.

Common Technical Solutions Used in AAA

Currently, Huawei devices can use RADIUS, HWTACACS, HACA, LDAP, or AD to implement AAA. Among these solutions, RADIUS is the most widely used one.

Technical Solution                       Interaction Protocol   Authentication   Authorization   Accounting
RADIUS                                   UDP                    √                √               √
HWTACACS                                 TCP                    √                √               √
HACA                                     HTTP/2                 √                √               √
LDAP                                     TCP                    √                √               ×
AD                                       TCP                    √                √               ×
Local authentication and authorization   /                      √                √               ×

Overview of RADIUS

AAA can be implemented using different protocols. RADIUS is the most widely used one in actual applications.

RADIUS is a protocol that uses the client/server model in distributed mode and protects a network from unauthorized access. It is typically used on networks that require high security and control remote user access. RADIUS defines the UDP-based RADIUS packet format and transmission mechanism, and specifies UDP ports 1812 and 1813 as the default authentication and accounting ports respectively.

RADIUS has the following characteristics:
- Client/server model
- Secure message exchange mechanism
- Good scalability

[Figure: terminals connect through an AP to a WAC acting as the RADIUS client; the WAC exchanges RADIUS packets with the RADIUS server to implement AAA for users.]

RADIUS Architecture

RADIUS server: typically runs on a central computer or workstation and needs to maintain three databases.
- Users: stores user information such as user names, passwords, protocols, and IP addresses.
- Clients: stores RADIUS client information, such as shared keys and IP addresses.
- Dictionary: stores RADIUS attributes and their value descriptions.

RADIUS client: typically runs on an NAS. As a RADIUS client, a device supports:
- The standard RADIUS protocol and its extensions, including RFC 2865 and RFC 2866
- Extended RADIUS attributes defined by different vendors
- RADIUS server status detection
- Retransmission of Accounting-Request(Stop) packets from the local buffer
- Primary/secondary and load balancing functions between RADIUS servers

RADIUS Authentication, Authorization, and Accounting Process

[Figure: message exchange between the user terminal, RADIUS client, and RADIUS server.]
1. A user enters the user name and password.
2. The RADIUS client sends an Access-Request to the RADIUS server.
3. The RADIUS server returns an Access-Accept or Access-Reject.
4. The RADIUS client notifies the user of the authentication result.
5. Accounting-Request(Start)
6. Accounting-Response(Start)
7. Successful authentication.
8. (Optional) Accounting-Request(Interim-update)
9. (Optional) Accounting-Response(Interim-update)
10. The user requests disconnection.
11. Accounting-Request(Stop)
12. Accounting-Response(Stop)
13. The RADIUS client notifies the user that access has ended.
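The following is an added example, not code from the slides or from Huawei. It encodes steps 2 and 3 of the flow above at the byte level: an Access-Request with the RFC 2865 header, the User-Password attribute hidden with the shared key (the only part of a RADIUS packet the key protects, which is the contrast the later HWTACACS comparison draws), and the Response Authenticator that lets the client check that an Access-Accept really came from a server holding the key. The shared key, user database, NAS address and in-memory server are all constructed for illustration; nothing is sent on the wire (a real client would send the request to UDP port 1812).

```python
"""Added example (not from the slides): RFC 2865 Access-Request encoding,
User-Password hiding with the shared key, and Response Authenticator checking.
The shared key, credentials and the in-memory "server" are constructed here;
no packets are put on the wire (a real client would send them to UDP 1812)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4       # attribute types used here


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request
    Authenticator. Only this attribute is protected by the shared key."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same scheme; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(ident, secret, username, password, nas_ip):
    request_auth = os.urandom(16)      # must be unpredictable for every request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code_id_len, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(code_id_len + request_auth + attrs + secret).digest()


def server_handle(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Constructed RADIUS server: reveals the password, answers Accept or Reject."""
    request_auth, attrs = request[4:20], parse_attributes(request[20:])
    name = attrs[USER_NAME].decode()
    pw = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    ok = name in user_db and hmac.compare_digest(pw, user_db[name].encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, request[1], 20)
    return header + response_authenticator(header, request_auth, b"", secret)


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client check that the reply was produced with the shared key for our request."""
    expected = response_authenticator(response[:4], request_auth, response[20:], secret)
    return hmac.compare_digest(response[4:20], expected)


def authenticate(username, password, secret=b"constructed-shared-key",
                 server_secret=None, user_db=None):
    """Steps 2-3 of the slide's flow; server_secret lets the caller simulate a key mismatch."""
    user_db = user_db if user_db is not None else {"alice": "Huawei@123"}
    request, request_auth = build_access_request(7, secret, username, password, "192.0.2.10")
    response = server_handle(request, server_secret or secret, user_db)
    if not verify_response(response, request_auth, secret):
        return "invalid-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}[response[0]]
```

A mismatched shared key shows up as `invalid-authenticator` rather than a plain reject, which is the check a client should make before trusting an Access-Accept; the password hiding is reversible by anyone holding the key and protects nothing else in the packet, so the key's strength and the transport path still matter.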

RADIUS Server Status Detection

A device can mark the RADIUS server status as Up, Down, or Force-up.

- Up: the RADIUS server is available. This status occurs when the device initially marks the RADIUS server status as Up, or when the device receives packets from the RADIUS server.
- Down: the RADIUS server is unavailable. This status occurs when the conditions for marking the RADIUS server status as Down are met.
- Force-up: when all RADIUS servers are faulty, the device selects the RADIUS server in Force-up state. This status occurs when the timer specified by dead-time expires.

The automatic detection function tests RADIUS server reachability. Whether it is supported, and when a detection packet is sent, depends on the server status:
- Up: automatic detection can be enabled using the radius-server detect-server up-server interval command; the detection packet is sent when the automatic detection period expires.
- Down: automatic detection is supported by default; the detection packet is sent when the automatic detection period expires.
- Force-up: automatic detection is supported by default; the detection packet is sent immediately.

Follow-up Processing After the RADIUS Server Status Is Marked as Down

[Figure: flowchart for marking a RADIUS server as Down. M indicates the number of detection cycles.]

Starting with the server status Up:
1. The device sends an Access-Request packet to the server.
2. If a response is received from the server, the device clears the communication interruption records and the server stays Up.
3. If no response is received, the device checks whether the number of unacknowledged packets in the current detection interval has reached the maximum. If not, it keeps sending.
4. If the maximum is reached, the device records a communication interruption for this detection interval.
5. The device checks whether M consecutive communication interruptions have occurred (one per detection interval, from the first to the Nth). If not, the server stays Up and the next detection interval begins.
6. If M consecutive communication interruptions have occurred, the device marks the server status as Down and starts server status detection.

RADIUS Packet Retransmission

Packet retransmission: during user authentication, a device sends an Access-Request packet to the RADIUS server. If the device does not receive any packet from the server due to a network fault or delay, RADIUS packet retransmission is triggered.

The device stops packet retransmission if any of the following conditions is met:
- The device receives a response packet from the RADIUS server.
- The device detects that the RADIUS server status is Down.
- The number of retransmission times reaches the maximum.

[Figure: retransmission process between the 802.1X client, RADIUS client, and RADIUS server. The 802.1X client sends EAPoL-Start, the RADIUS client sends EAP-Request/Identity, and the RADIUS client then sends the RADIUS Access-Request packet for the first time, the second time, ..., the nth time, until retransmission stops.]
- Retransmission interval: radius-server timeout time-value
- Number of retransmission times: radius-server retransmit retry-times

RADIUS Server Selection

Typically, multiple RADIUS servers are deployed on a large-scale enterprise network, so that if one server is faulty, user access is not disrupted. In addition, load balancing is performed between these servers, preventing the resources of a single server from being exhausted when a large number of users access the network.

If multiple servers are configured in a RADIUS server template and a device needs to send a packet to a server, the device selects a RADIUS server based on the configured server selection algorithm.
- Primary/secondary algorithm: the device is configured with a primary RADIUS server and a secondary RADIUS server (both Up in the figure).
- Load balancing algorithm: the device distributes requests between RADIUS server 1 and RADIUS server 2 (both Up in the figure, with an 80%/20% split).
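The following is an added example, not code from the slides or from Huawei, that ties the last four slides together as one simulation: unanswered Access-Requests are counted per detection interval, M consecutive interrupted intervals mark the server Down, the retransmission loop stops on a response, on the Down transition, or at the retry limit, dead-time promotes a Down server to Force-up, and the primary/secondary and load-balancing algorithms choose a server. The class and parameter names (`max_unacked`, `cycles_m`, `dead_time`, `retry_times`) and the simulated responder are assumptions for illustration; the slides name the corresponding commands but not the exact internal bookkeeping.

```python
"""Added example (not from the slides): simulation of RADIUS server status
tracking, retransmission and server selection. Names and the responder
callback are constructed for illustration."""
import random
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class RadiusServer:
    name: str
    role: str = "primary"      # "primary" or "secondary"
    weight: int = 100          # share used by the load-balancing algorithm
    status: str = "Up"         # Up, Down or Force-up
    unacked: int = 0           # unanswered packets in the current detection interval
    interruptions: int = 0     # consecutive detection intervals recorded as interrupted
    down_since: Optional[float] = None


class RadiusMonitor:
    def __init__(self, servers: List[RadiusServer], max_unacked=3, cycles_m=2,
                 dead_time=60.0, seed=0):
        self.servers, self.max_unacked, self.cycles_m = servers, max_unacked, cycles_m
        self.dead_time, self.clock = dead_time, 0.0
        self.rng = random.Random(seed)      # seeded so the demo is reproducible

    def on_response(self, server: RadiusServer) -> None:
        """Any packet from the server clears the interruption records and marks it Up."""
        server.unacked, server.interruptions, server.status = 0, 0, "Up"
        server.down_since = None

    def on_timeout(self, server: RadiusServer) -> None:
        """One unanswered packet. Reaching max_unacked closes the detection interval
        with a recorded interruption; M consecutive interruptions mark the server Down."""
        server.unacked += 1
        if server.unacked >= self.max_unacked:
            server.unacked = 0
            server.interruptions += 1
            if server.interruptions >= self.cycles_m and server.status != "Down":
                server.status, server.down_since = "Down", self.clock

    def tick(self, seconds: float) -> None:
        """Advance time; a Down server whose dead-time has expired becomes Force-up."""
        self.clock += seconds
        for s in self.servers:
            if s.status == "Down" and self.clock - s.down_since >= self.dead_time:
                s.status = "Force-up"

    def send_with_retransmit(self, server: RadiusServer,
                             responder: Callable[[int], bool], retry_times=3):
        """Access-Request with `radius-server retransmit retry-times` retries. Stops on
        a response, when the server is marked Down, or when the retry limit is hit."""
        for attempt in range(1, retry_times + 2):        # first send + retry_times retries
            if responder(attempt):
                self.on_response(server)
                return "answered", attempt
            self.on_timeout(server)
            if server.status == "Down":
                return "server-down", attempt
        return "retry-limit", retry_times + 1

    def select(self, algorithm="primary-secondary") -> Optional[RadiusServer]:
        candidates = [s for s in self.servers if s.status == "Up"]
        if not candidates:    # all servers faulty: fall back to those in Force-up state
            candidates = [s for s in self.servers if s.status == "Force-up"]
        if not candidates:
            return None
        if algorithm == "primary-secondary":
            return sorted(candidates, key=lambda s: s.role != "primary")[0]
        return self.rng.choices(candidates, weights=[s.weight for s in candidates])[0]
```

With `max_unacked=3` and `cycles_m=2`, a request that exhausts three retries records one interruption, and the second unanswered request in a row flips the server to Down after its second packet; the retransmission loop notices the transition and stops early instead of burning the remaining retries.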

RADIUS Dynamic Authorization

The device supports the RADIUS Change of Authorization (CoA) and Disconnect Message (DM) functions. CoA allows the administrator to modify the rights of an online user or perform reauthentication for the user through RADIUS after the user passes authentication. The RADIUS server sends a DM packet to the device when a user needs to be logged out.

CoA interaction process (the user is online):
1. The RADIUS server sends a CoA-Request packet to the RADIUS client.
2. The RADIUS client modifies the user rights.
3. The RADIUS client returns a CoA-ACK or CoA-NAK packet.

DM interaction process:
1. The RADIUS server sends a DM-Request packet to the RADIUS client.
2. The RADIUS client logs out the user.
3. The RADIUS client returns a DM-ACK or DM-NAK packet.

Overview of HWTACACS

Introduction: Huawei Terminal Access Controller Access Control System (HWTACACS) is a security protocol with enhanced functions on the basis of TACACS (RFC 1492). It is an information exchange protocol that uses the client/server model to provide centralized validation of users and uses TCP port 49 to transmit data. HWTACACS provides independent authentication, authorization, and accounting, which can be implemented on different servers. HWTACACS is applicable to users who access the Internet through the Point-to-Point Protocol (PPP) or a Virtual Private Dial-up Network (VPDN) and to administrators who log in to devices.

[Figure: HWTACACS exchange between the user terminal, TACACS client, and TACACS server.]
1. The user logs in.
2. The TACACS client sends Authentication Start.
3. The server returns Authentication Reply, requesting the user name.
4. The client requests the user name; the user enters it.
5. The client sends Authentication Continue, carrying the user name.
6. The server returns Authentication Reply, requesting the password.
7. The client requests the password; the user enters it.
8. The client sends Authentication Continue, carrying the password.
9. The server returns Authentication Reply, indicating successful authentication.
10. The client sends Authorization Request; the server returns Authorization Response, indicating successful authorization.
11. The client sends Accounting Request(Start); the server returns Accounting Response(Start). Login succeeds.
12. On user logout, the client sends Accounting Request(Stop); the server returns Accounting Response(Stop).

Comparison Between HWTACACS and RADIUS

- Data transmission: HWTACACS uses TCP, which is more reliable. RADIUS uses UDP, which is more efficient.
- Encryption: HWTACACS uses a shared key to encrypt the entire body of the packet except the standard HWTACACS header. RADIUS uses a shared key to encrypt only the password in a packet.
- Authentication and authorization: HWTACACS separates authentication from authorization so that they can be implemented on different security servers. RADIUS combines authentication and authorization.
- Command line authorization: supported by HWTACACS; not supported by RADIUS.
- Application: HWTACACS typically applies to device authentication as it supports command line authorization. RADIUS applies to both terminal authentication and device authentication.

Overview of HACA

Introduction: HACA supports only MAC address-prioritized Portal authentication. iMaster NCE-Campus deployed on the cloud acts as an external Portal server and an HACA server to provide authentication and accounting services. Currently, only iMaster NCE-Campus can function as an HACA server.

Application scenario: in the CloudCampus scenario, when Portal authentication is used, NAT traversal may be required between the device and server because the authentication server is deployed on the Internet. However, Portal protocol packets cannot traverse a NAT device. To address this issue, Huawei Agile Cloud Authentication (HACA) is introduced to allow the device and server to establish a connection for Portal authentication.

[Figure: HACA exchange between the user terminal, cloud WAC, and HACA server.]
1. Set up an HACA connection.
2. Set up a preconnection.
3. Initiate authentication and perform redirection.
4. Exchange authentication packets.
5. Grant network access rights.
6. Send an accounting-start request packet.
7. Send an accounting-start response packet.
8. (Optional) Send a real-time accounting request packet.
9. (Optional) Send a real-time accounting response packet.
10. The user sends a logout request.
11. Send a logout request packet.
12. Send a logout response packet.
13. Send an accounting-stop request packet.
14. Send an accounting-stop response packet.

Overview of LDAP

Introduction: the Lightweight Directory Access Protocol (LDAP) uses the client/server model to bind and search directory information. All directory information is stored on an LDAP server. LDAP defines multiple operations to implement various functions. For example, the bind and search operations can be used for user authentication and authorization.

Application scenario: network access devices connect to an LDAP server to implement user authentication and authorization through the bind and search operations of LDAP.

[Figure: LDAP directory tree. The Base DN is DC=HUAWEI, DC=COM; below it are the OUs People and Equipment, each containing the OUs R&D and HR, with User1 to User4 as leaf entries.]
- CN: common name, which indicates the name of an object.
- DC: domain component, for example, huawei and com in huawei.com.
- DN: distinguished name, which indicates the location of an object. It starts from the object and goes through its upper layers up to the root node. For example, the DN of User1 is "CN=User1, OU=R&D, OU=People, DC=HUAWEI, DC=COM".
- Base DN: DN of the root node.
- OU: organizational unit, which indicates the organization to which an object belongs.

LDAP Authentication and Authorization Process

[Figure: exchange between the user terminal, LDAP client, and LDAP server.]
1. The user enters the user name and password.
2. Administrator bind request message
3. Administrator bind response message
4. User DN search request message
5. User DN search response message
6. User bind request message
7. User bind response message
8. Authentication response message

LDAP search/bind: the bind operation is used to establish a session between an LDAP client and an LDAP server. Through the search and bind operations, an LDAP client connects to an LDAP server anonymously or using a fixed account, and searches for the distinguished name of the user to be authenticated. If the distinguished name is found, the LDAP client binds again as that user using the user's password.

User DN search: after receiving a user DN search request message, the LDAP server searches for the DN based on the Base DN, search range, and filter criterion. One or more DNs may be found. For example, if the Base DN is "dc=HUAWEI, dc=COM", two DNs will be returned: "CN=User2, Departments=R&D, OU=People, dc=HUAWEI, dc=COM" and "CN=User2, Departments=R&D, OU=Equipment, dc=HUAWEI, dc=COM".
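The following is an added example, not code from the slides or from Huawei. It stands in for the LDAP server with a tiny in-memory directory so that steps 2 to 7 (administrator bind, user DN search under a Base DN with a filter, user bind) can be run offline, including the case the slide points out where the search returns two DNs for the same CN. The entries, passwords and admin account are constructed from the slide's example names (using OU=R&D in place of the slide's "Departments=R&D" so the DNs match the definition on the previous slide); trying each returned DN in turn is an assumption of this example, not behaviour the slides specify. A real server stores hashed passwords and speaks LDAP over TLS.

```python
"""Added example (not from the slides): in-memory LDAP stand-in demonstrating
admin bind, user DN search and user bind. Entries and credentials are
constructed; multiple-DN handling (try each) is an assumption."""
import hmac
import re


def parse_dn(dn: str):
    """'CN=User1, OU=R&D, DC=HUAWEI, DC=COM' -> ((cn,user1), (ou,r&d), ...), case-folded
    so that comparisons ignore case and spacing, as LDAP DN matching does."""
    return tuple((a.strip().lower(), v.strip().lower())
                 for a, v in (rdn.split("=", 1) for rdn in dn.split(",")))


class TinyDirectory:
    def __init__(self, entries: dict):
        # normalized DN -> (original DN string, attributes)
        self.entries = {parse_dn(dn): (dn, attrs) for dn, attrs in entries.items()}

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: succeeds only if the entry exists and the password matches."""
        entry = self.entries.get(parse_dn(dn))
        return entry is not None and hmac.compare_digest(
            entry[1].get("userPassword", ""), password)

    def search(self, base_dn: str, scope: str, ldap_filter: str):
        """Subtree or one-level search with a '(attr=value)' equality filter;
        returns the DNs of matching entries (possibly more than one)."""
        m = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter)
        if not m:
            raise ValueError("unsupported filter")
        attr, value = m.group(1).lower(), m.group(2).lower()
        base = parse_dn(base_dn)
        hits = []
        for dn, (original, attrs) in self.entries.items():
            in_scope = len(dn) > len(base) and dn[-len(base):] == base
            if scope == "one":
                in_scope = in_scope and len(dn) == len(base) + 1
            if in_scope and str(attrs.get(attr, "")).lower() == value:
                hits.append(original)
        return hits


def ldap_authenticate(directory, admin_dn, admin_pw, base_dn, username, password):
    """Steps 2-7 of the slide: admin bind, user DN search, user bind."""
    if not directory.bind(admin_dn, admin_pw):                          # steps 2-3
        return "admin-bind-failed"
    dns = directory.search(base_dn, "subtree", f"(cn={username})")      # steps 4-5
    if not dns:
        return "user-not-found"
    for dn in dns:   # assumption: try each candidate DN until one bind succeeds
        if directory.bind(dn, password):                                # steps 6-7
            return "authenticated"
    return "user-bind-failed"


ENTRIES = {   # constructed directory matching the slide's tree
    "CN=admin, DC=HUAWEI, DC=COM": {"cn": "admin", "userPassword": "Admin@123"},
    "CN=User1, OU=R&D, OU=People, DC=HUAWEI, DC=COM": {"cn": "User1", "userPassword": "U1pass"},
    "CN=User2, OU=R&D, OU=People, DC=HUAWEI, DC=COM": {"cn": "User2", "userPassword": "U2pass"},
    "CN=User2, OU=R&D, OU=Equipment, DC=HUAWEI, DC=COM": {"cn": "User2", "userPassword": "U2other"},
    "CN=User3, OU=HR, OU=Equipment, DC=HUAWEI, DC=COM": {"cn": "User3", "userPassword": "U3pass"},
}
DIRECTORY = TinyDirectory(ENTRIES)
```

Narrowing the Base DN (for example to OU=People) is what makes the User2 search unambiguous; with the root as Base DN the search returns both entries, and whichever one the access device binds as decides which password and authorization attributes apply.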

Overview of AD

Introduction: Kerberos is a network authentication protocol that securely transmits data on an open network using a cipher key system. It does not require that all devices on a network be secure and assumes that all data may be read and modified during transmission. Kerberos runs over TCP and uses port 88. The Kerberos protocol provides a symmetric-key mechanism to improve password transmission security. Therefore, integrating Kerberos into LDAP authentication can prevent password leaks. Such authentication is known as Active Directory (AD) authentication.

Application scenario: an access device connects to an AD server to implement authentication. [Figure: terminals connect through a Fit AP to the AD client, which communicates with the AD server; the AD server comprises the KDC (AS and TGS) and the LDAP server.]
- LDAP server: stores all directory information.
- Key Distribution Center (KDC): the Kerberos server, which stores all password and account information of clients. The KDC consists of the following:
  - Authentication Server (AS): provides the tickets used to access the TGS.
  - Ticket Granting Server (TGS): provides the tickets used to access the AD server.

AD Authentication and Authorization Process

[Figure: exchange between the user terminal, AD client, and AD server (Kerberos server).]
1. The user enters the user name and password.
2. AS-REQ
3. AS-REP
4. TGS-REQ
5. TGS-REP
6. Administrator bind request message
7. Administrator bind response message
8. User DN search request message
9. User DN search response message
10. User bind request message
11. User bind response message
12. Authentication response packet

Compared with the LDAP authentication and authorization process, the AD authentication and authorization process adds encryption and decryption steps 2 to 5:
- The AD client sends an AS-REQ message carrying the user name in plain text to the Kerberos server.
- The AS returns an AS-REP message carrying a ticket to the client. The ticket is encrypted using the shared key between the AS and TGS, and the encrypted ticket and session key are then encrypted using the client's password.
- The AD client uses its own password to decrypt the AS-REP message to obtain the session key and the encrypted ticket.
- The Kerberos server decrypts the ticket using the shared key between the AS and TGS to obtain the session key, and then decrypts the authenticator using the session key. If the Kerberos server verifies that the client name and time in the authenticator are the same as those in the ticket, it considers that the client has passed authentication and sends a TGS-REP message to the client.

Local Authentication and Authorization

A device functioning as an AAA server is known as a local AAA server, which performs user authentication and authorization but not user accounting.

Take local Extensible Authentication Protocol (EAP) authentication as an example. If mobile phones do not support the Password Authentication Protocol (PAP) or the Challenge-Handshake Authentication Protocol (CHAP), they do not support the combination of 802.1X authentication and local authentication. In this case, local EAP authentication can be configured for the mobile phones, so that the device functions as the authentication server and user information database to authenticate STAs locally. Local EAP authentication supports EAP-PEAP, EAP-TLS, and EAP-TTLS, all of which require the use of certificates.

[Figure: two deployments. Left: STAs connect through a Fit AP to a WAC that uses local EAP authentication to implement 802.1X authentication. Right: STAs connect through a Fit AP to a WAC that combines local EAP authentication with an external authentication server.]

Course outline:
1. Overview of NAC
2. Commonly Used NAC Methods and Their Working Mechanism
   - 802.1X Authentication
   - Portal Authentication
   - MAC Address Authentication
   - Multimode Authentication
   - User Authorization
3. Huawei NAC Solution
4. Typical NAC Configuration

Overview of 802.1X Authentication

Introduction: 802.1X authentication is a port-based network access control technology. User identities are verified and network access rights are controlled on ports of access devices. 802.1X authentication uses the Extensible Authentication Protocol over LAN (EAPoL) to exchange authentication information between the client, access device, and authentication server.

Networking mode: [Figure: 802.1X client, Fit AP, access device, and authentication server.]
- 802.1X clients are usually user terminals. A user triggers 802.1X authentication using client software.
- An access device is usually an 802.1X-capable network device that provides physical or logical interfaces for clients to access LANs.
- An authentication server, which is typically a RADIUS server, carries out authentication, authorization, and accounting on users.

Application scenario: 802.1X authentication applies to office users who have high security requirements.

802.1X Authentication Protocol

In the 802.1X authentication system, the client, access device, and authentication server exchange information using EAP.

[Figure: packet formats.]
- EAP packet: Code, ID, Length, Data. For Code=1 (Request) or Code=2 (Response), the Data field consists of Type and Type Data; for Code=3 (Success) or Code=4 (Failure), there is no Data field.
- EAPoL frame (between client and access device): PAE Ethernet Type, Protocol Version, Type, Length, Packet Body.
- EAPoR (EAP over RADIUS, between access device and authentication server): a RADIUS header of Code, ID, Length, and Authenticator, followed by Attributes, each encoded as Type, Length, Value.

802.1X Authentication Modes

An access device can process EAP packets sent by 802.1X clients in EAP relay or EAP termination mode.

- EAP relay mode (EAPoL between the client and access device, EAPoR between the access device and authentication server): the access device directly encapsulates EAP packets sent from the 802.1X client into RADIUS packets without processing the data in the EAP packets. This mode poses high requirements on the authentication server.
- EAP termination mode (EAPoL between the client and access device, RADIUS between the access device and authentication server): the access device extracts information from EAP packets, encapsulates RADIUS packets with the information, and sends the RADIUS packets to the authentication server. This mode poses high requirements on access devices.

802.1X Authentication Process

EAP-MD5 authentication in EAP relay mode is used as an example.

Triggering authentication:
- Triggered by a client: when a user starts the client and enters the user name and password, the client sends an EAP packet to the access device to initiate authentication.
- Triggered by an access device: when receiving a DHCP or ARP packet from a user terminal, the access device enables the user terminal to display the client page and prompts the user to enter the user name and password. After the user name and password are entered, authentication is started.

802.1X access control:
- Port-based access control: allows subsequent users on a port to access the network once a user has been authenticated on the port. When the first user goes offline, all the other users cannot use network resources.
- MAC address-based access control: requires each user on a port to be authenticated separately before granting them access to the network. When a user goes offline, other users are not affected.

[Figure: exchange between the user terminal, access device, and authentication server.]
1. EAPoL-Start: the user initiates authentication.
2. EAP-Request/Identity: "What is your user name?"
3. EAP-Response/Identity: "My user name is Hello."
4. RADIUS Access-Request
5. RADIUS Access-Challenge: the server generates a random number.
6. EAP-Request/MD5-Challenge
7. EAP-Response/MD5-Challenge: cipher text calculated using the password and the random number
8. RADIUS Access-Request
9. RADIUS Access-Accept
10. EAP-Success: the port enters the authorized state.
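The following is an added example, not code from the slides or from Huawei. It runs steps 2 to 10 of the EAP-MD5 exchange above in EAP relay mode with three constructed parties: a supplicant that answers the Identity and MD5-Challenge requests, an access device that copies each EAP packet into a RADIUS EAP-Message attribute without inspecting it, and an authentication server that issues the random challenge and checks the hash. The EAP layout follows RFC 3748 and the MD5-Challenge value is MD5(Identifier || password || challenge) as that RFC specifies via RFC 1994; the user database, identifiers and class names are assumptions for illustration. EAP-MD5 gives no mutual authentication and derives no keys, which is why the earlier slide on local EAP lists the certificate-based methods (EAP-PEAP, EAP-TLS, EAP-TTLS) for real deployments.

```python
"""Added example (not from the slides): EAP-MD5 in EAP relay mode with
constructed supplicant, access device and authentication server. The user
database and identifiers are illustrative; packet layout follows RFC 3748."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # EAP codes
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4                   # EAP types
RADIUS_EAP_MESSAGE = 79                                            # RADIUS attribute type


def eap_packet(code, ident, eap_type=None, type_data=b""):
    """Code(1) ID(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP length mismatch")
    if length == 4:
        return code, ident, None, b""
    return code, ident, packet[4], packet[5:]


def md5_challenge_value(ident, password, challenge):
    """RFC 3748 section 5.4 (via RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class Supplicant:
    """802.1X client: answers the Identity and MD5-Challenge requests."""
    def __init__(self, username, password):
        self.username, self.password = username.encode(), password.encode()

    def handle(self, request):
        _, ident, eap_type, data = parse_eap(request)
        if eap_type == EAP_TYPE_IDENTITY:
            return eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.username)
        if eap_type == EAP_TYPE_MD5_CHALLENGE:
            challenge = data[1:1 + data[0]]            # Value-Size, Value, Name
            value = md5_challenge_value(ident, self.password, challenge)
            return eap_packet(EAP_RESPONSE, ident, EAP_TYPE_MD5_CHALLENGE,
                              bytes([len(value)]) + value + self.username)
        raise ValueError("unsupported EAP type")


class AuthServer:
    """Authentication server: issues the random challenge and checks the response."""
    def __init__(self, users):
        self.users, self.pending = users, {}   # pending: ident -> (username, challenge)

    def handle(self, response):
        _, ident, eap_type, data = parse_eap(response)
        if eap_type == EAP_TYPE_IDENTITY:
            challenge = os.urandom(16)          # step 5: the server's random number
            self.pending[ident + 1] = (data.decode(), challenge)
            return eap_packet(EAP_REQUEST, ident + 1, EAP_TYPE_MD5_CHALLENGE,
                              bytes([16]) + challenge)
        username, challenge = self.pending.pop(ident)
        expected = md5_challenge_value(ident, self.users.get(username, "").encode(), challenge)
        ok = username in self.users and hmac.compare_digest(expected, data[1:1 + data[0]])
        return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, ident)


class AccessDevice:
    """EAP relay mode: the EAP packet is copied into a RADIUS EAP-Message attribute
    unchanged; the device only acts on the final Success/Failure code."""
    def __init__(self, server):
        self.server, self.port_authorized = server, False

    def relay(self, eap_from_client):
        eap_message = (struct.pack("!BB", RADIUS_EAP_MESSAGE, len(eap_from_client) + 2)
                       + eap_from_client)
        reply = self.server.handle(eap_message[2:])    # server unwraps the attribute
        self.port_authorized = reply[0] == EAP_SUCCESS
        return reply


def run_eap_md5(username, password, users):
    """Drive the exchange; returns the port state and the sequence of EAP codes seen."""
    client, device = Supplicant(username, password), AccessDevice(AuthServer(users))
    request = eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)   # sent after EAPoL-Start
    codes = [EAP_REQUEST]
    while request[0] not in (EAP_SUCCESS, EAP_FAILURE):
        response = client.handle(request)
        request = device.relay(response)
        codes += [EAP_RESPONSE, request[0]]
    return ("authorized" if device.port_authorized else "unauthorized"), codes
```

The access device never sees the password or the hash logic; everything it forwards between client and server is opaque EAP, which is what "high requirements on the authentication server" means in practice for relay mode.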

802.1X Reauthentication

Reauthentication configuration by user authentication status:
- Successful authentication, configured on the access device: enable periodic reauthentication for authenticated users (triggered periodically), or manually reauthenticate a user with a specified MAC address once (triggered manually).
- Successful authentication, configured on the RADIUS server: enable the RADIUS server to deliver standard RADIUS attributes for users (triggered if certain conditions are met).
- Abnormal authentication (RADIUS server in Down state), configured on the access device: enable the access device to perform user reauthentication when the RADIUS server status transitions to Up (triggered if certain conditions are met).

Online user reauthentication (purpose: ensure the validity of online users): while a user is online, user reauthentication is triggered and the user authentication information is sent to the server. The server compares the authentication information: if it is the same, the user remains authorized; if it is different, the user is logged out.

Reauthentication of users in abnormal states (purpose: reauthenticate users who are in preconnection state or fail authentication): for such a user, the device checks the user entry and whether the user entry aging time has expired. If it has expired, the device revokes the rights and deletes the user entry. Otherwise the device performs reauthentication: on success the user is authorized; on failure the user is not authorized.

Logout of 802.1X-Authenticated Users

A client can log out proactively; the access device and server can also log out a user.

[Figure: logout exchanges between the user terminal, RADIUS client, and RADIUS server.]
- The client logs out: the client sends a logout request; the RADIUS client sends an accounting stop request to the RADIUS server, receives the accounting stop response, and notifies the user that access has ended.
- The access device logs out the user: the access device executes the cut access-user command and instructs the user to log out.
- The server logs out the user, in either of two ways: the RADIUS server sends a DM-Request message, and the RADIUS client instructs the user to log out and returns a DM-ACK or DM-NAK message; or the RADIUS server authorizes the RADIUS attributes Session-Timeout and Termination-Action, and the user is instructed to log out accordingly.

Commonly Used NAC Methods and Their Working Mechanism: Portal Authentication

Overview of Portal Authentication

Introduction: Portal authentication is also known as web authentication. Users enter their user names and passwords on the web authentication page for identity authentication. Users can access the authentication page in either of the following ways:
- Proactive authentication: users proactively access the Portal authentication website through browsers.
- Redirect authentication: when the access address entered by a user is not the address of the Portal authentication website, the access device redirects the user to the Portal authentication website.

Application scenario: Portal authentication does not require dedicated client software. Therefore, it is primarily used in access scenarios without client software or in guest access scenarios.

[Figure: client, Fit AP, access device, Portal server, and authentication server.]

Portal Authentication Modes

Two Portal authentication modes are available based on the network layer where it is used:
- Layer 2 authentication: when the client and access device are either directly connected or have only Layer 2 devices between them, configure Layer 2 authentication. In this mode, the device can learn users' MAC addresses and identify the users based on their MAC addresses and IP addresses.
- Layer 3 authentication: when the device is deployed at the aggregation or core layer and there are Layer 3 forwarding devices between the client and device, configure Layer 3 authentication. In this mode, the device cannot obtain the MAC address of a client and uses only the IP address of the client to identify the user.

The Layer 3 authentication process is similar to the Layer 2 authentication process, except that no preconnection is established between the client and access device in Layer 3 authentication.

Built-in Portal authentication is also supported. That is, the Portal authentication server is deployed on the access device. [Figure: client, access device with built-in Portal server, and authentication server. 1. Establish a preconnection. 2. Initiate authentication.]

Portal Authentication Protocols

[Figure: exchange between the client, access device, Portal server, and authentication server.]
1. Establish a preconnection (required only for Layer 2 networking).
2. The client sends an HTTP connection request.
3. The access device returns the redirect URL of the Portal server.
4. The client sends an HTTP connection request to the Portal server.
5. The Portal server returns the Portal page.
6. The client sends a Portal authentication request.
7. Authentication is performed using either protocol: Portal-based Portal authentication or HTTP/HTTPS-based Portal authentication.

Portal authentication protocols:
- Portal protocol: used between the Portal server and access device.
- HTTP/HTTPS protocol: used between the client and access device.

Portal Authentication Process: Using the Portal Protocol

The Portal protocol adopts the client/server model and runs over UDP. CHAP authentication (more secure) and PAP authentication are supported. Packets are encapsulated in TLV format with attribute information such as the user name, password, and MAC address. If the built-in Portal server function of an access device is used for Portal authentication, only the Portal protocol is supported. Generally, the Portal protocol is recommended for transmitting parameters such as the user name and password.

Authentication protocol: Portal. [Figure: continuation of the exchange between the client, Portal server, access device, and authentication server.]
6. The client sends a Portal authentication request to the Portal server.
7. The Portal server sends a Portal challenge request to the access device.
8. The access device returns a Portal challenge response.
9. The Portal server sends a Portal authentication request to the access device.
10. The access device and authentication server exchange RADIUS authentication and accounting information.
11. The access device sends the Portal authentication result to the Portal server.
12. The Portal server notifies the user of the authentication result.
13. The Portal server acknowledges the authentication result to the access device.

Portal Authentication Process: Using the HTTP Protocol

If the Portal server does not support the Portal protocol, use HTTP/HTTPS as the authentication protocol. The client directly sends user information to the access device in an HTTP request. Currently, the POST and GET request methods are supported.
- POST (supported by default): the requested data is stored in the body of an HTTP request packet and is not part of the URL. As such, the data is not easy to intercept and has high security.
- GET: the requested data is appended to the URL and separated from it by a question mark (?). The data is part of the URL and is visible to all users. As such, the data is easy to intercept and has poor security.

Authentication protocol: HTTP/HTTPS. [Figure: continuation of the exchange between the client, Portal server, access device, and authentication server.]
6. The client sends a Portal authentication request to the Portal server.
7. The Portal server instructs the client to send an authentication request to the access device.
8. The client sends an HTTP or HTTPS authentication request to the access device, for example (GET form): https://Portal.example.com/login?userName=test&password=Huawei@123
9. The access device and authentication server exchange RADIUS authentication and accounting information.
10. The access device returns the Portal authentication result.

Logout of Portal Authentication Users: A Client Logs Out

A user proactively initiates logout. For example, when the user clicks the logout button, the client sends a logout request to the Portal server. The logout process in Portal authentication using the Portal protocol is different from that using the HTTP/HTTPS protocol.

Portal-based user logout process: the client sends a user logout request to the Portal server; the Portal server sends a user logout notification to the access device; the access device sends an accounting stop request to the RADIUS server and receives the accounting stop response; the access device returns a user logout response to the Portal server, which returns a user logout response to the client.

HTTP/HTTPS-based user logout process: the client sends a user logout request to the Portal server; the Portal server instructs the client to send a user logout request to the access device; the client sends the user logout request to the access device; the access device sends a user logout notification to the Portal server and receives a user logout response; the access device sends an accounting stop request to the RADIUS server and receives the accounting stop response; the access device returns a user logout response.

Logout of Portal Authentication Users: The Server Logs Out a User

Portal authentication involves two types of servers: the authentication server and the Portal server. Both types of servers can log out users.

Diagram, the authentication server logs out a user (user terminal, access device, Portal server, RADIUS server): the RADIUS server sends a user logout request to the access device; the access device returns a user logout response and an accounting stop request, and the RADIUS server returns an accounting stop response; the user logout notification and user logout response exchanged between the access device and the Portal server are not required if HTTP/HTTPS is used.

Diagram, the Portal server logs out a user: the Portal server sends a user logout notification to the access device and receives a user logout response; the access device exchanges an accounting stop request and accounting stop response with the RADIUS server; the exchange with the Portal server is not required if HTTP/HTTPS is used.

Portal Authentication Timer: Quiet Timer

During Portal authentication, if the number of a user's authentication failures within 60 seconds reaches the specified value, the access device waits for a period of time controlled by the quiet timer. During this period, the access device discards the Portal authentication requests sent by the user.

Diagram (client, Portal server, access device, authentication server): Portal authentication request; RADIUS authentication request; RADIUS authentication response (RADIUS Access-Reject, repeated); number of authentication failures within 60s = fail-times (mac-authen quiet-times fail-times); quiet period = quiet-period (mac-authen timer quiet-period quiet-period); a further Portal authentication request received during the quiet period is discarded.

Portal Authentication Timer: Portal Server Detection Timer

The Portal server detection timer controls the interval at which the Portal server status is detected. There are two Portal server detection modes: Portal-based and HTTP-based.

Diagram, Portal-based Portal server detection process (Portal server, access device): the detection interval is set by server-detect interval interval-period; the Portal server sends heartbeat packets at interval Ts, and the recommendation is interval-period > Ts. Receiving Portal heartbeat packets means detection success. After the first, second, and third detection failures (max-times, set by server-detect max-times max-times), the Portal server status is changed to Down.

Diagram, HTTP-based Portal server detection process: the access device sends an HTTP detection request every interval-period; an HTTP response means detection success. After max-times detection failures (first, second, and third in the figure), the Portal server status is changed to Down.

Portal Authentication Timer: User Logout Retransmission Timer

When a Portal authentication user goes offline, the access device sends an NTF-LOGOUT message to instruct the Portal server to delete the user information. The access device then waits for the period defined by the user logout retransmission timer and sends another NTF-LOGOUT message if no response is received from the Portal server. The timer and the number of times the NTF-LOGOUT message is retransmitted are configured using the portal logout resend times timeout period command.

Diagram (Portal server, access device): the timer starts upon user logout; NTF-LOGOUT is sent; the first, second, and third retransmissions are sent due to no response (times), each after period; retransmission then stops.

Portal Authentication Timer: User Heartbeat Detection Timer

After a user is authenticated, the Portal server pushes a connection-holding page with an embedded heartbeat program to the user. The client then periodically sends heartbeat packets to the access device, indicating that the user is online. If the access device does not receive any heartbeat or authentication packet from the client before the user heartbeat detection timer expires, it considers the user offline and logs the user out.

Diagram (access device with a built-in Portal server, user terminal): the timer starts when user authentication succeeds (portal local-server keep-alive interval interval-value); each heartbeat packet is answered with a response packet and resets the timer; if no packet is received before the timer expires, the user is considered offline.

Contents: Overview of NAC; Commonly Used NAC Methods and Their Working Mechanism (802.1X Authentication, Portal Authentication, MAC Address Authentication, Multimode Authentication, User Authorization); Huawei NAC Solution; Typical NAC Configuration

Overview of MAC Address Authentication

Introduction: MAC address authentication controls the network access rights of users based on interfaces and user MAC addresses. User terminals are authenticated by the authentication server based on their MAC addresses and do not require any client software, so MAC address authentication applies to dumb terminals such as IP phones and printers. By default, the device triggers MAC address authentication on a user after receiving DHCP, ARP, DHCPv6, or ND packets. You can also configure the device to trigger MAC address authentication after receiving any data frame.

MAC address authentication involves the following roles:
Terminal: a terminal that attempts to access the network.
Access device: the network access control point that enforces security policies. It allows, rejects, isolates, or restricts network access of users based on the security policies customized for the customer network.
Authentication server: checks whether the identities of users who attempt to access the network are valid and assigns network access rights to users with valid identities.

Diagram, application scenario: user terminal, fit AP, access device, authentication server.

MAC Address Authentication Process

The access device and RADIUS server exchange RADIUS packets. Passwords of MAC address authentication users can be processed using PAP or CHAP.
PAP: the device uses a randomly generated MD5 challenge to encrypt the password of a MAC address authentication user once.
CHAP: the device uses a randomly generated MD5 challenge to encrypt the password of a MAC address authentication user twice.

Diagram, MAC address authentication process using PAP (dumb terminal, access device, authentication server; port in authorized state):
1. ARP/DHCP/ND/DHCPv6 packet, triggering MAC address authentication.
2. RADIUS Access-Request.
3. RADIUS Access-Accept.

Diagram, MAC address authentication process using CHAP:
1. ARP/DHCP/ND/DHCPv6 packet, triggering MAC address authentication.
2. RADIUS Access-Request (carrying the password encrypted twice and the MD5 challenge).
3. RADIUS Access-Accept.

MAC Address Reauthentication

Reauthentication ensures the validity of online users.

Online user reauthentication (flowchart): a user is online. The access device checks the user entry and whether the user entry aging time has expired. If not, the entry is checked again later; if yes, user reauthentication is triggered and the user authentication information is sent to the server, which compares it. If the authentication information is the same, the user stays authorized; if it is different, the user is logged out.

Reauthentication of users in abnormal states (flowchart): a user in preconnection state or a user who fails authentication is reauthenticated. On success, the user is authorized; on failure, the user's rights are revoked and the user entry is deleted.

User Authentication Status | Configuration Point | Configuration | Trigger Mode
Successful authentication | Access device | Enable periodic reauthentication for authenticated users. | Triggered periodically
Successful authentication | Access device | Manually reauthenticate a user with a specified MAC address once. | Triggered manually
Successful authentication | RADIUS server | Enable the RADIUS server to deliver standard RADIUS attributes for users. | Triggered if certain conditions are met
Abnormal authentication (RADIUS server in Down state) | Access device | Enable the access device to perform user reauthentication when the RADIUS server status transitions to Up. | Triggered if certain conditions are met

Logout of MAC Address Authentication Users

Both the access device and the server can log out a MAC address authentication user.
Method 1: the access device logs out the user. The access device runs a command, notifies the user that access ends, and instructs the user to log out.
Method 2: the server logs out the user. Either the server sends a DM-Request message to the access device, which answers with a DM-ACK/NAK message, or the server authorizes the RADIUS attributes Session-Timeout and Termination-Action; the access device then instructs the user to log out.

Diagram: user terminal (client), access device, server.

MAC Address Authentication Timer: Quiet Timer

During MAC address authentication, if the number of a user's authentication failures within 60 seconds reaches the specified value, the access device waits for a period of time controlled by the quiet timer. During this period, the access device discards the MAC address authentication requests sent by the user.

Diagram (user terminal, access device, RADIUS server): trigger MAC address authentication; MAC address authentication request; MAC address authentication result (RADIUS Access-Reject, repeated); number of authentication failures within 60s = fail-times (mac-authen quiet-times fail-times); quiet period = quiet-period (mac-authen timer quiet-period quiet-period).
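The quiet timer described above for Portal and MAC address authentication, as an added simulation (not Huawei code): failures are counted per user in a 60-second window, and once they reach fail-times the access device discards that user's requests for quiet-period seconds. The credential table and MAC addresses are constructed, and the RADIUS server is replaced by an in-memory lookup.

```python
"""Quiet-timer simulation (added example, not Huawei code).

Once a user's authentication failures within 60 seconds reach fail-times,
the access device discards that user's authentication requests for
quiet-period seconds.  Credentials are checked against a constructed
in-memory table that stands in for the RADIUS server."""
from collections import defaultdict, deque

FAIL_WINDOW_SECONDS = 60   # failures are counted within a 60-second window


class QuietTimerGate:
    """Tracks recent failures per user (keyed by MAC) and the quiet period."""

    def __init__(self, fail_times, quiet_period):
        self.fail_times = fail_times          # mac-authen quiet-times fail-times
        self.quiet_period = quiet_period      # mac-authen timer quiet-period quiet-period
        self._failures = defaultdict(deque)   # mac -> timestamps of recent failures
        self._quiet_until = {}                # mac -> time when the quiet period ends

    def is_quiet(self, mac, now):
        return now < self._quiet_until.get(mac, 0)

    def _recent_failures(self, mac, now):
        window = self._failures[mac]
        while window and now - window[0] >= FAIL_WINDOW_SECONDS:
            window.popleft()                  # drop failures older than the window
        return window

    def handle_request(self, mac, credential_ok, now):
        """Outcome of one authentication request: 'discarded', 'accept' or 'reject'."""
        if self.is_quiet(mac, now):
            return "discarded"                # dropped without contacting the server
        if credential_ok:
            self._failures[mac].clear()
            return "accept"
        window = self._recent_failures(mac, now)
        window.append(now)
        if len(window) >= self.fail_times:
            # Threshold reached: start the quiet period and reset the counter.
            self._quiet_until[mac] = now + self.quiet_period
            window.clear()
        return "reject"


# Constructed credential table standing in for the RADIUS server's user database
# (the MAC is locally administered, i.e. not a real assignment).
CREDENTIALS = {"02-AA-00-00-00-01": "Huawei@123"}


def run_scenario(fail_times=3, quiet_period=60):
    """Constructed scenario: three failures within 20 s, then a correct login
    during the quiet period, then another after the quiet period has expired."""
    gate = QuietTimerGate(fail_times, quiet_period)
    mac = "02-AA-00-00-00-01"

    def attempt(password, now):
        return gate.handle_request(mac, CREDENTIALS.get(mac) == password, now)

    results = [attempt("wrong", t) for t in (0, 10, 20)]   # 3 rejects, quiet until t=80
    results.append(attempt("Huawei@123", 30))              # discarded: quiet period
    results.append(attempt("Huawei@123", 85))              # accepted: quiet period over
    return results
```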


MAC Address-Prioritized Portal Authentication

Background: if a user who has passed Portal authentication disconnects from the network, the user must enter the user name and password again to reconnect, which results in a poor user experience. MAC address-prioritized Portal authentication is introduced to resolve this problem. With this function, users no longer need to enter their user names and passwords again to reconnect to the network within the validity period of their terminal MAC addresses. To use this function, configure MAC address authentication and Portal authentication on the access device, and enable MAC address-prioritized Portal authentication and set the MAC address validity period on the authentication server.

Diagram, MAC address-prioritized Portal authentication (terminal, access device, Portal server, RADIUS server):
1. Send HTTP traffic when a user browses a web page.
2. Perform MAC address authentication, which fails.
3. Redirect the user's HTTP request to the Portal authentication page.
4. Perform Portal authentication, which succeeds.
5. The user logs out.
6. The user continues to access the network within the validity period of the MAC address.
7. Perform MAC address authentication, which succeeds because the user's MAC address has been cached on the RADIUS server.
8. The user accesses the network without the need for reauthentication.
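The eight-step flow above, as an added simulation that is not Huawei's or the RADIUS server's code: the server caches the terminal MAC for a validity period after a successful Portal login, and the access device tries MAC address authentication before redirecting to the Portal. The user table, MAC address and one-hour validity period are constructed.

```python
"""MAC address-prioritized Portal authentication (added example, not Huawei code).
The authentication server is modelled as an in-memory object with a constructed
user table and a MAC cache with a validity period; the access-device logic tries
MAC address authentication first and redirects to the Portal only if it fails."""
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    portal_users: dict               # constructed user name -> password table
    mac_validity_seconds: int        # MAC address validity period (server setting)
    mac_cache: dict = field(default_factory=dict)   # mac -> cache expiry time

    def mac_auth(self, mac, now):
        """Steps 2 and 7: succeed only if the MAC is cached and still valid."""
        expiry = self.mac_cache.get(mac)
        if expiry is None or now >= expiry:
            self.mac_cache.pop(mac, None)      # expired entries are removed
            return False
        return True

    def portal_auth(self, mac, username, password, now):
        """Step 4: on success, cache the terminal MAC for the validity period."""
        if self.portal_users.get(username) != password:
            return False
        self.mac_cache[mac] = now + self.mac_validity_seconds
        return True


def handle_http_traffic(server, mac, credentials, now):
    """Access-device behaviour when HTTP traffic from an unauthenticated terminal
    arrives.  `credentials` is the (username, password) pair submitted on the
    Portal page, or None if the user has not submitted any yet."""
    if server.mac_auth(mac, now):
        return "online (MAC address authentication)"
    if credentials is None:
        return "redirected to Portal page"      # step 3
    if server.portal_auth(mac, *credentials, now):
        return "online (Portal authentication)"
    return "Portal authentication failed"


def run_scenario():
    """The slide's steps with a constructed one-hour validity period."""
    server = AuthServer({"test": "Huawei@123"}, mac_validity_seconds=3600)
    mac = "02-AA-00-00-00-10"   # constructed, locally administered MAC
    return [
        handle_http_traffic(server, mac, None, 0),                    # steps 1-3
        handle_http_traffic(server, mac, ("test", "Huawei@123"), 5),  # step 4
        # step 5: the user logs out; steps 6-8: reconnects within the validity period
        handle_http_traffic(server, mac, None, 1800),
        # after the validity period the user is redirected to the Portal again
        handle_http_traffic(server, mac, None, 3700),
    ]
```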

MAC Address Bypass Authentication

802.1X authentication, MAC address authentication, and Portal authentication each have their own characteristics. You can use multimode authentication to meet authentication requirements in different scenarios.

Dumb terminals such as printers and fax machines do not support 802.1X authentication. When both PCs and dumb terminals are connected to an interface of an access device, you can configure MAC address bypass authentication to allow the dumb terminals to access the network using MAC address authentication. MAC address bypass authentication takes longer than MAC address authentication because it has an additional 802.1X authentication stage.

Diagram (terminals, access device, authentication server): 1. Send traffic. 2. Trigger 802.1X authentication. 3. Perform 802.1X authentication; 802.1X authentication times out, and MAC address authentication is triggered. 4. Perform MAC address authentication.


User Authorization

Using RADIUS server authorization as an example, typical authorization information includes:
VLAN: to prevent unauthenticated users from accessing restricted network resources, the restricted network resources and unauthenticated users are placed in different VLANs. After a user is authenticated, the RADIUS server delivers an authorized VLAN to the user.
ACL: after a user is authenticated, the RADIUS server assigns an authorized ACL to the user. The access device then controls the user's packets according to the ACL.
UCL group: a User Control List (UCL) group is a collection of network terminals such as PCs and mobile phones. The administrator can add users who have the same network access requirements to one UCL group and configure network access policies for the UCL group. Compared with deploying access control policies for each user, UCL group-based access control greatly reduces the administrator's workload.

Authorization Mode | 802.1X Authentication | MAC Address Authentication | Portal Authentication | MAC Address-Prioritized Portal Authentication
Dynamic VLAN | √ | √ | × | ×
Dynamic ACL | √ | √ | √ | √
UCL | √ | √ | √ | √

Authentication Exemption and Authentication Event Authorization

Authentication-free (free-rule): before being authenticated, users need some network access rights to meet basic requirements such as downloading the 802.1X client and updating the virus signature database. For example, users are allowed to access 192.168.1.1 to download client software before being authenticated. An authentication-free rule profile (free-rule-template) can be defined in two ways:
Method 1: ordinary authentication-free rule, specified by configuring parameters such as IP address, MAC address, source interface, and VLAN.
Method 2: ACL-defined authentication-free rule, specified based on ACL rules.

Authentication event authorization: users require certain rights when encountering different events (such as pre-authentication, authentication failure, and authentication server failure) during authentication. For example, users are allowed to access 192.168.1.1 to update the virus signature database even when authentication fails. Authorization parameters:
Service scheme: parameters such as the UCL group, VLAN, and QoS profile can be bound to a service scheme.
VLAN: users are granted the permission to access resources in a specified VLAN.
User group (UCL group): network access rights are assigned to a user group whose members have the same network access requirements.

Diagrams: user terminal, access device, software server 192.168.1.1 (able to access 192.168.1.1 without authentication); user terminal, access device, virus signature database server 192.168.1.1 (able to access 192.168.1.1 when authentication fails).

Security Group

A security group is a collection of users or resources that have the same network access policy. Security groups are related only to user identities and are completely decoupled from network information such as user VLANs and IP addresses. Security groups can be authorized to users based on 5W1H conditions in one of the following modes:
Dynamic security group: users meeting certain 5W1H conditions are bound to a specified security group.
Static security group: user IP addresses are statically bound to a security group.

You can bind the static IP addresses of servers to security groups. However, service resources with overlapping IP addresses cannot be differentiated using security groups. Resource groups are introduced to address this problem: IP addresses specified in resource groups can overlap, and resource groups can be configured as destination groups of inter-group access control policies.

Diagram (campus network): Host1 (802.1X), Host2 (MAC), and Host3 (Portal) in the Sales security group and Guest security group; servers in the Server resource group.

Policy Control After security groups and resource groups are defined, administrators can define inter-group policies on the entire network. A policy matrix is used to configure inter-group policies to control access from source groups to destination groups.

Security Group-based Policy Control

Security group-based policy control ensures that users obtain consistent network access rights and that the corresponding user policies are enforced, regardless of the users' locations and IP addresses.
1. Permission control policies are defined based on security groups and are delivered to network devices (deliver security groups and policies).
2. Users obtain authorized security groups after they are successfully authenticated.
3. After user traffic enters the network, network devices enforce policies based on the source and destination security groups of the traffic.

Diagram (campus network): User A, User B, and User C authenticated through NAC; Sales security group, R&D security group, Server resource group.

Security Group-based Permission Control

User permission control based on security groups:
Mutual access permission control for users: control mutual access between users authenticated at the same point, and between users authenticated at different points.
Resource access permission control: control access to intranet and extranet resources.
User permission control with free mobility: User A remains in the R&D security group after moving to another location.

Diagram: User A (Security group R&D) moves; free mobility.

Contents: Overview of NAC; Commonly Used NAC Methods and Their Working Mechanism; Huawei NAC Solution; Typical NAC Configuration

Huawei NAC Solution

Diagram: user terminals (wired users: PC, network management personnel; wireless users: laptop, mobile terminal, printer, camera; guests; VPN remote users) connect through the network infrastructure (switch, WLAN, router, firewall, VPN gateway, Internet), which acts as the policy enforcement devices. An authentication and policy controller applies access policies (permission/application/bandwidth/QoS/security). Intranet service resources (R&D data, office data, marketing data, DHCP, DNS, patch server) are divided into a pre-authentication domain (access before authentication) and a post-authentication domain (access after authentication).

Huawei NAC Solution Architecture

Authentication modes:
Portal authentication: user name and password authentication, anonymous authentication, SMS authentication, Facebook authentication, Twitter authentication, and passcode authentication.
MAC address authentication.
802.1X authentication.
Transmission protocols: HTTP/2 and RADIUS for authentication data transmission; NETCONF for configuration data transmission.
Open authentication: interconnection with third-party Portal servers; interconnection with social media such as WeChat, Facebook, and Twitter.

Diagram: user terminals and authentication devices; NETCONF configuration, HTTP/2 authentication, and RADIUS authentication between the authentication devices and the controller's Portal server and RADIUS server (user management, Portal page customization); social media authentication (QQ, Weibo, WeChat, Facebook, Twitter); third-party RADIUS server; third-party Portal server.

Policy Control in Huawei NAC Solution

Condition: 5W1H-based policy, evaluated by the intelligent policy engine of iMaster NCE-Campus.
Who: user/user group/role.
Where: site, region, device group, device type, device, SSID, IP address.
When: day/hour.
What: PC/iOS/Android, etc.
Whose: company-issued/BYOD terminal.
How: wired/wireless; Portal/MAC address/802.1X authentication.

Result: fine-grained permission control over rights, bandwidth, QoS, application, and security, with values such as VLAN/ACL/security group and VIP user, uplink/downlink bandwidth and DSCP value, high/medium/low priority, traffic duration control (only for Portal authentication), application group/application, and URL filtering.

User Authentication Configuration Procedure

Automatic configuration delivery by iMaster NCE-Campus: device onboarding and management, then automated network deployment. User authentication configuration: configure authentication rules, configure authorization rules, configure authorization results, and configure online control policies.

Multiple User Authentication Sources, Meeting Unified User Management Requirements

User Identity Source | Description | Usage
Locally created accounts | User name/password, MAC address, and guest self-registered account | Enterprise employees, guests, and O&M personnel
Interconnection with social media | WeChat, QQ, Sina Weibo, Facebook, Twitter | Guests
Interconnection with an AD or LDAP server | Microsoft AD, Novell eDirectory, IBM Tivoli, Sun ONE, JIT Galaxy, OpenLDAP | Enterprise employees and guests
Interconnection with third-party databases | SQL Server database, Oracle database | Enterprise employees and guests
Interconnection with a third-party HTTP server | Configuring authentication URLs | Enterprise employees and guests
Interconnection with a third-party RADIUS server | RADIUS relay agent | Enterprise employees
Interconnection with a token server | RSA SecurID, DaVinci password-based dynamic identity authentication system, etc. | Enterprise employees
Certificate authentication | Interconnection with a certificate server (X.509 certificates are supported) | Enterprise employees

Terminal Identification and Policy Automation

Requirements and challenges:
Example, an enterprise: bogus terminals are difficult to locate; 10+ authentication faults are reported per day.
Example, a higher education institution: 50+ types of smart terminals; smart terminal data is collected by level-2 departments; MAC address collection is difficult and error-prone.

Introduction to terminal identification and policy automation: terminals are matched against a terminal fingerprint database fed by information reporting and proactive scanning, and policies are applied by terminal type:
Automatic authentication: a terminal identified as a printer gets automatic MAC address authentication, without the need to manually enter MAC addresses.
Automatic authorization: a terminal identified as a camera is automatically added to a video surveillance group, and can be configured as a VIP user.
Bogus terminal detection: a terminal identified as an IP phone first and then as a PC triggers a bogus terminal alarm.

Terminal Identification: Proactive and Passive Detection

Terminal visibility: collects terminal type statistics (by vendor and OS), displays the relationship between terminals and access ports, queries access policies (covering VLAN, QoS, and authentication mode), and exports reports.
Terminal policy automation: supports automatic terminal access based on terminal types, thereby achieving automatic MAC address authentication of dumb terminals; authorizes policies (covering VLAN, security group, access permission, and QoS) on a per-terminal-group basis; supports IPv4/IPv6 dual-stack terminals.

Diagram, passive detection: the terminal sends traffic; the network device collects fingerprints and reports them; the identification result is displayed to the administrator; configurations and policies are delivered.
Diagram, proactive detection: scan-and-detect; feedback; the identification result is displayed to the administrator; configurations and policies are delivered.

Terminal Identification: Numerous Identification Methods

Type | Identification Method | Description | Application Scenario
Information reporting | MAC OUI | The first three bytes of a MAC address indicate the manufacturer. | Identifies the device manufacturer only
Information reporting | HTTP User-Agent | A browser's User-Agent string contains the manufacturer, terminal type, operating system, browser type, and other information. | Mobile phones, tablets, PCs, workstations, intelligent voice and video terminals
Information reporting | DHCP option | Some options in a terminal's DHCP packets can be used to classify terminals, for example, DHCP options 55, 60, and 12. | Mobile phones, tablets, PCs, workstations, IP cameras, IP phones, printers, etc.
Information reporting | LLDP | LLDPDUs carry device model information. | IP phones, IP cameras, network devices, etc.
Information reporting | mDNS | mDNS packets contain terminal model and service information. | Apple devices, printers, IP cameras, etc.
Proactive scanning | SNMP query | Identification information is obtained by querying device information-related SNMP MIB objects. | Network devices, printers, etc.
Proactive scanning | Nmap | The OS and services of terminals are scanned to obtain the terminal model and OS information. | PCs, workstations, printers, phones, IP cameras, etc.
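Fingerprint matching over the information-reporting fields in the table (MAC OUI, DHCP options 55 and 60, HTTP User-Agent), together with the bogus-terminal alarm from the earlier slide, as an added example that is not iMaster NCE-Campus code. The fingerprint database, the OUI table (locally administered 02-xx-xx prefixes, not real IEEE assignments), the policy names and the reported fingerprints are all constructed.

```python
"""Terminal fingerprint matching and bogus-terminal detection (added example,
not iMaster NCE-Campus code).  The fingerprint database, OUI table, policy
names and reported fingerprints are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Fingerprint:
    """Information-reporting fields collected by the network device."""
    mac: str
    dhcp_option60: Optional[str] = None   # vendor class identifier
    dhcp_option55: tuple = ()             # parameter request list
    user_agent: Optional[str] = None      # HTTP User-Agent header


# Constructed OUI table; 02-xx-xx prefixes are locally administered, not IEEE-assigned.
OUI_VENDORS = {"02-AA-01": "ExampleVoIP", "02-AA-02": "ExamplePrint"}


def vendor_from_oui(mac):
    return OUI_VENDORS.get(mac.upper()[:8], "unknown")


# Constructed fingerprint database: (terminal type, predicate).  First match wins.
# DHCP/User-Agent signals come first; the OUI identifies only the manufacturer,
# so it is the weakest signal and is consulted last.
FINGERPRINT_DB = [
    ("IP phone", lambda f: (f.dhcp_option60 or "").startswith("ExampleVoIP")),
    ("Printer", lambda f: (f.dhcp_option60 or "") == "ExamplePrint-Printer"),
    ("PC", lambda f: f.dhcp_option55[:4] == (1, 3, 6, 15)          # constructed list
                     and "Windows NT" in (f.user_agent or "")),
    ("Mobile phone", lambda f: re.search(r"Android|iPhone", f.user_agent or "") is not None),
    ("Printer", lambda f: vendor_from_oui(f.mac) == "ExamplePrint"),
]

# Terminal type-based policies (constructed names for the slide's examples).
POLICIES = {"Printer": "automatic MAC address authentication",
            "IP phone": "add to group voice",
            "IP camera": "add to group video-surveillance"}


def identify(fp):
    for ttype, matches in FINGERPRINT_DB:
        if matches(fp):
            return ttype
    return "unknown"


@dataclass
class TerminalIdentifier:
    """Keeps the last identified type per MAC and raises an alarm when a terminal
    identified as one type later looks like another (the slide's 'identified as
    an IP phone first and then a PC' case)."""
    known: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)

    def report(self, fp):
        """Return (terminal type, policy to deliver) for one reported fingerprint."""
        ttype = identify(fp)
        previous = self.known.get(fp.mac)
        if ttype != "unknown":
            if previous and previous != ttype:
                self.alarms.append(f"bogus terminal: {fp.mac} was {previous}, now {ttype}")
            self.known[fp.mac] = ttype
        return ttype, POLICIES.get(ttype, "default policy")
```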

Terminal Identification: Automatic Policy Delivery Process Based on Terminal Types

1. On the iMaster NCE-Campus web UI, an administrator enables the terminal identification function, selects terminal types, and specifies the corresponding policies.
2. iMaster NCE-Campus delivers terminal identification configurations to network devices.
3. When terminals access the network, network devices collect the fingerprint information of the terminals and report it to iMaster NCE-Campus.
4. iMaster NCE-Campus matches the terminals' fingerprint information against the fingerprint database and identifies the terminal types.
5. iMaster NCE-Campus delivers admission and authorization policies for the terminals to the network devices, based on the policies defined by the administrator.

Portal Page Templates

Multiple Portal templates (for mobile phones and PCs): flexible selection based on scenarios.
Multiple languages: Simplified Chinese, English, German, Spanish, and other languages.
Templates for PCs and for mobile phones: user name and password authentication template, anonymous authentication template, SMS authentication template, Facebook authentication template, WeChat authentication template, passcode authentication template.

Portal Page Customization

Complete set of pages: authentication page, authentication success page, user notice page, registration page, registration success page, password change page, user name verification page, and password reset page.
Various controls: title, image, text, background, and language link (set parameters, add controls).
Flexible style editing:
Drag-and-drop operations: you can adjust the sequence of rows and modify the row height and column width.
Area style settings: background image, background color, border size and color, border radius, and inner and outer margins.

Free Mobility

1. Define a security group policy and deliver it to network-wide devices.
2. User access authentication is triggered.
3. Map users to security groups based on 5W1H conditions and deliver the mappings to devices.
4. Implement policy control, covering permission, bandwidth, priority, application, and security.

Diagram: campus network connected to DC/Internet and WAN/Internet.

User Name | User Group | Access Mode | Access Location | Access Time | Permission | Bandwidth | Priority
Mark | Department of physics | Wired | Dormitory | 08:00-22:00 | Scientific research, Internet, and material sharing | 2 Mbps | Medium
Joy | Department of economic research | Wired | Office | Any time | Scientific research, Internet, OA, management, and documentation | 4 Mbps | Relatively high
Terry | Student from another university | Wired/Wireless | Any place | 08:00-18:00 | Public documentation sharing | 500 kbps | Low
Jim | Principal | Wired/Wireless | Administrative building | Any time | All resources | 4 Mbps | Highest

Implementation of Free Mobility (1)

Diagram: Core (policy enforcement point), Firewall, User1 192.168.1.1/24, User2 192.168.2.1/24, Server 10.1.1.1/24.

Create security groups, bind the server IP address to the security group Server, configure authorization rules and results, and bind User1 and User2 to security groups Group1 and Group2 respectively.

Security group information:
Group Name | Group ID | Address Segment
Group1 | 1 | Dynamic
Group2 | 2 | Dynamic
Server | 3 | 10.1.1.1/32

Define permission control policies (inter-group communication policies). Rows are source groups and columns are destination groups:
Source group \ Destination group | Group1 | Group2 | Server
Group1 | √ | × | √
Group2 | × | √ | √
Server | √ | √ | √

Push the security group information and policies to the policy enforcement point.

Implementation of Free Mobility (2)

Diagram: Core (authentication point and policy enforcement point), Firewall, User1 192.168.1.1/24 with MAC-X, User2 192.168.2.1/24, Server 10.1.1.1/24; traffic from User1.

Access from User1 is used as an example.
1. The device Core functions as the authentication point and exchanges user authentication information with iMaster NCE-Campus. Core establishes policy association with the access switches.
2. iMaster NCE-Campus verifies the user's login information and associates the user with the security group Group1 bound in the authorization policy.
3. When User1 is successfully authenticated, iMaster NCE-Campus notifies the authentication point of the security group to which User1 belongs (authorization result: security group Group1).
4. iMaster NCE-Campus associates the IP address of the terminal with Group1 and records the association in the IP-security group table. Additionally, the authentication point (Core) generates an online user entry; the online user table on Core contains user information such as UserID and Username.

IP-security group table:
MAC | IP | Security Group
MAC-X | 192.168.1.1 | Group1
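The two implementation slides above, as an added simulation that is not Huawei code: the policy enforcement point holds the IP-security group table filled by authentication events plus the static binding of the Server group, and decides each flow from the inter-group policy matrix. MAC-Y, the new address after User1 moves, and the default-deny for endpoints in no group are assumptions of this example.

```python
"""Free mobility policy enforcement (added example, not Huawei code).
Uses the security groups and the inter-group policy matrix from the slides; the
IP-security group table is written by authentication events, so the policy
follows the user rather than the IP address.  Default-deny for traffic whose
source or destination belongs to no group is an assumption of this example."""
import ipaddress

SECURITY_GROUPS = {"Group1": 1, "Group2": 2, "Server": 3}   # name -> group ID
STATIC_BINDINGS = {"10.1.1.1/32": "Server"}                  # static address segment

# Inter-group policy matrix from the slide: POLICY[source][destination]
POLICY = {
    "Group1": {"Group1": True,  "Group2": False, "Server": True},
    "Group2": {"Group1": False, "Group2": True,  "Server": True},
    "Server": {"Group1": True,  "Group2": True,  "Server": True},
}


class PolicyEnforcementPoint:
    """Models the Core device: holds the IP-security group table and decides
    whether a flow is permitted by the policy matrix."""

    def __init__(self):
        self.static = [(ipaddress.ip_network(seg), grp)
                       for seg, grp in STATIC_BINDINGS.items()]
        self.ip_group_table = {}   # IP -> (MAC, security group), written on authentication

    def on_authenticated(self, mac, ip, group):
        """Authorization result pushed by the controller after a successful login."""
        if group not in SECURITY_GROUPS:
            raise ValueError(f"unknown security group {group}")
        self.ip_group_table[ip] = (mac, group)

    def on_logout(self, ip):
        self.ip_group_table.pop(ip, None)

    def group_of(self, ip):
        if ip in self.ip_group_table:
            return self.ip_group_table[ip][1]          # dynamic group
        addr = ipaddress.ip_address(ip)
        for net, grp in self.static:
            if addr in net:
                return grp                             # static group
        return None

    def decide(self, src_ip, dst_ip):
        src, dst = self.group_of(src_ip), self.group_of(dst_ip)
        if src is None or dst is None:
            return "deny"   # unauthenticated or unclassified endpoint (assumption)
        return "permit" if POLICY[src][dst] else "deny"


def run_scenario():
    """User1 authenticates, then moves to a new IP address (free mobility)."""
    pep = PolicyEnforcementPoint()
    before = pep.decide("192.168.1.1", "10.1.1.1")          # not yet authenticated
    pep.on_authenticated("MAC-X", "192.168.1.1", "Group1")
    pep.on_authenticated("MAC-Y", "192.168.2.1", "Group2")   # MAC-Y is constructed
    to_server = pep.decide("192.168.1.1", "10.1.1.1")
    to_user2 = pep.decide("192.168.1.1", "192.168.2.1")
    # User1 re-authenticates from another address: same group, same rights.
    pep.on_logout("192.168.1.1")
    pep.on_authenticated("MAC-X", "192.168.3.1", "Group1")
    after_move = pep.decide("192.168.3.1", "10.1.1.1")
    return before, to_server, to_user2, after_move
```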

NAC Escape Mechanism

Authentication Mode | Trigger Mode | Escape Solution | Configuration Command
Portal authentication | The Portal server is Down. | New users can access the network without authentication. | authentication event portal-server-down action authorize
Portal authentication | The authentication server is Down. | | authentication event authen-server-down action authorize
Portal authentication | Authentication fails. | | authentication event authen-fail action authorize
Portal authentication | Users are in preconnection state. | | authentication event pre-authen action authorize
MAC address authentication and 802.1X authentication | The authentication server is Down. | For new users: 802.1X authentication: authenticated using the locally configured user names and passwords, or authenticated using pre-shared keys (PSKs). MAC address authentication: authenticated using the locally configured MAC addresses, or authentication-free access. | authentication event authen-server-down action authorize
MAC address authentication and 802.1X authentication | Authentication fails. | | authentication event authen-fail action authorize
MAC address authentication and 802.1X authentication | Users are in preconnection state. | | authentication event pre-authen action authorize


NAC Configuration Example: Configuring MAC Address-Prioritized Portal Authentication

Configuration roadmap:
Configure WLAN service parameters for STAs to access the WLAN.
Configure basic WLAN services so that the WAC can communicate with upstream and downstream devices and APs can go online.
Configure RADIUS authentication parameters.
Configure a Portal server template.
Configure a Portal access profile to manage access control parameters for Portal authentication users.
Configure a MAC access profile for MAC address-prioritized Portal authentication.
Configure an authentication-free rule profile so that the AC permits packets destined for the DNS server.
Configure an ACL to allow authenticated users to access the issue tracking system.
Configure an authentication profile to manage NAC configurations.

Diagram (used by all configuration slides that follow): WAC, SW1, SW2, Router, server zone (Portal, RADIUS, DNS, etc.), AP 1 to AP 4.

MAC Address-Prioritized Portal Authentication: Configuring RADIUS (1)

Configure a RADIUS server template.
[WAC] radius-server template radius_huawei
[WAC-radius-radius_huawei] radius-server authentication 172.16.1.1 1812
[WAC-radius-radius_huawei] radius-server accounting 172.16.1.1 1813
[WAC-radius-radius_huawei] radius-server shared-key cipher Huawei@123
[WAC-radius-radius_huawei] quit

MAC Address-Prioritized Portal Authentication: Configuring RADIUS (1)

Configure a RADIUS authentication scheme.
[WAC] aaa
[WAC-aaa] authentication-scheme radius_huawei
[WAC-aaa-authen-radius_huawei] authentication-mode radius
[WAC-aaa-authen-radius_huawei] quit
[WAC-aaa] quit

Configure a RADIUS accounting scheme (entering the AAA view again, since the previous step left it).
[WAC] aaa
[WAC-aaa] accounting-scheme scheme1
[WAC-aaa-accounting-scheme1] accounting-mode radius
[WAC-aaa-accounting-scheme1] accounting realtime 15
[WAC-aaa-accounting-scheme1] quit
[WAC-aaa] quit

MAC Address-Prioritized Portal Authentication: Portal Configuration

Configure a Portal server template.
[WAC] web-auth-server abc
[WAC-web-auth-server-abc] server-ip 172.16.1.1
[WAC-web-auth-server-abc] shared-key cipher Admin@123
[WAC-web-auth-server-abc] port 50200
[WAC-web-auth-server-abc] url https://172.16.1.1:8445/portal
[WAC-web-auth-server-abc] server-detect
[WAC-web-auth-server-abc] quit

MAC Address-Prioritized Portal Authentication: Configuring Access Profiles (1)

Configure a Portal access profile named portal1.
  [WAC] portal-access-profile name portal1
  [WAC-portal-access-profile-portal1] web-auth-server abc direct
  [WAC-portal-access-profile-portal1] quit

Configure a MAC access profile for MAC address-prioritized Portal authentication.
  [WAC] mac-access-profile name mac1
  [WAC-mac-access-profile-mac1] quit

MAC Address-Prioritized Portal Authentication: Configuring Access Profiles (2)

Configure an authentication profile named p1 and enable MAC address-prioritized Portal authentication by binding both the Portal access profile and the MAC access profile to it.
  [WAC] authentication-profile name p1
  [WAC-authentication-profile-p1] portal-access-profile portal1
  [WAC-authentication-profile-p1] mac-access-profile mac1
  [WAC-authentication-profile-p1] free-rule-template default_free_rule
  [WAC-authentication-profile-p1] authentication-scheme radius_huawei
  [WAC-authentication-profile-p1] radius-server radius_huawei
  [WAC-authentication-profile-p1] quit

MAC Address-Prioritized Portal Authentication: Binding the Authentication Profile to a VAP Profile

Create a VAP profile named guest, configure the data forwarding mode and service VLAN, bind the security profile and SSID profile to the VAP profile, and bind the authentication profile p1.
  [WAC] wlan
  [WAC-wlan-view] vap-profile name guest
  [WAC-wlan-vap-prof-guest] forward-mode tunnel
  Warning: This action may cause service interruption. Continue?[Y/N] y
  [WAC-wlan-vap-prof-guest] service-vlan vlan-pool sta-pool
  [WAC-wlan-vap-prof-guest] security-profile wlan-security
  [WAC-wlan-vap-prof-guest] ssid-profile guest
  [WAC-wlan-vap-prof-guest] authentication-profile p1
  [WAC-wlan-vap-prof-guest] quit

Create an AP group, bind the VAP profile to the AP group, and apply the VAP profile to radios 0 and 1 of the APs.
  [WAC-wlan-view] ap-group name guest
  [WAC-wlan-ap-group-guest] vap-profile guest wlan 1 radio all
  [WAC-wlan-ap-group-guest] quit
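As an added example (not part of the course and not Huawei code), the following Python script checks the kind of configuration walked through above before it is pasted into the WAC: it parses lines in the slides' "[prompt] command" form, confirms that every template or profile bound in the authentication profile, Portal access profile and VAP profile was actually created, reports definitions that were never bound (such as accounting-scheme scheme1, which authentication-profile p1 does not reference), and flags a Portal URL that is not HTTPS. The sample configuration inside the script is constructed from the slides, and the view-name prefixes it relies on are assumptions about the prompt format.

```python
import re
from collections import defaultdict

# Constructed sample in the slides' "[prompt] command" form; the prompt tells us
# the view a command runs in. accounting-scheme scheme1 is defined but never
# bound to authentication-profile p1, so the check reports it as unbound.
SAMPLE = """
[WAC] radius-server template radius_huawei
[WAC-radius-radius_huawei] radius-server shared-key cipher Huawei@123
[WAC-aaa] authentication-scheme radius_huawei
[WAC-aaa] accounting-scheme scheme1
[WAC] web-auth-server abc
[WAC-web-auth-server-abc] url https://172.16.1.1:8445/portal
[WAC] portal-access-profile name portal1
[WAC-portal-access-profile-portal1] web-auth-server abc direct
[WAC] mac-access-profile name mac1
[WAC] authentication-profile name p1
[WAC-authentication-profile-p1] portal-access-profile portal1
[WAC-authentication-profile-p1] mac-access-profile mac1
[WAC-authentication-profile-p1] authentication-scheme radius_huawei
[WAC-authentication-profile-p1] radius-server radius_huawei
[WAC-wlan-vap-prof-guest] authentication-profile p1
"""

LINE = re.compile(r"^\[(?P<view>[^\]]+)\]\s+(?P<cmd>\S.*)$", re.M)
BASE_VIEWS = {"WAC", "WAC-aaa"}  # views in which the objects are created
REF_VIEWS = ("WAC-authentication-profile-", "WAC-portal-access-profile-",
             "WAC-wlan-vap-prof-")  # assumed prompt prefixes of binding views
LINKABLE = {"radius-server", "authentication-scheme", "accounting-scheme",
            "web-auth-server", "portal-access-profile", "mac-access-profile",
            "authentication-profile"}

def check_nac_config(text):
    """Return dangling references, definitions never bound, and weak settings."""
    defined, referenced, warnings = defaultdict(set), set(), []
    for m in LINE.finditer(text):
        view, words = m["view"], m["cmd"].split()
        kw = words[0]
        if view in BASE_VIEWS and kw in LINKABLE:
            # "<kw> name X", "radius-server template X" or plain "<kw> X"
            name = words[2] if words[1] in ("name", "template") else words[1]
            defined[kw].add(name)
        elif view.startswith(REF_VIEWS) and kw in LINKABLE:
            referenced.add((kw, words[1]))  # e.g. "radius-server radius_huawei"
        elif kw == "url" and not words[1].startswith("https://"):
            warnings.append(f"{view}: Portal URL is not HTTPS ({words[1]})")
    missing = sorted(r for r in referenced if r[1] not in defined[r[0]])
    unbound = sorted((k, n) for k, ns in defined.items() for n in ns
                     if (k, n) not in referenced)
    return {"missing": missing, "unbound": unbound, "warnings": warnings}
```

Running check_nac_config(SAMPLE) returns no missing references and no warnings, but lists ("accounting-scheme", "scheme1") as unbound; the same check over a copy with the URL changed to http:// or the MAC access profile renamed reports the weak URL and the dangling reference.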

Common NAC Maintenance Commands

To view information about NAC users, run: display access-user
To view the roaming table of roaming users, run: display access-user roam-table
To view 802.1X authentication information, run: display dot1x
To view MAC address authentication information, run: display mac-authen
To view Portal authentication information, run: display portal
To view the connection status of Portal authentication users on the built-in Portal server, run: display portal local-server connect
To view the Portal server status, run: display server-detect state
To view information about Portal authentication users in quiet state, run: display portal quiet-user { all | user-ip { ip-address | ipv6-address } | server-ip ip-address }
To view information about MAC address authentication users in quiet state, run: display mac-authen quiet-user { all | mac-address mac-address }
To view the number of online users on a VAP, run: display access-user-num [ interface wlan-dbss wlan-dbss-interface-id ]

If server authorization is used, users obtain authorization information from both the server and the domain. If the two types of authorization information conflict, then ( ).
A. Authorization information obtained from the server takes effect.
B. Authorization information obtained from the domain takes effect.
C. All the authorization information obtained from the server and the domain takes effect.
D. An error message is displayed, indicating that neither type of authorization information takes effect.

This course has illustrated NAC principles, Huawei's NAC solution, and typical NAC configuration.

H12-35X WLAN V200R020C10 1.0 Wang Bo/00584288 2020.09.17 New WLAN Team New Yao Xianbin/wx1033643 2021.03.20 New WLAN Team Update