Types of servers that the ISE can act as | - RADIUS authentication, accounting, and authorization servers
- HWTACACS authentication, accounting, and authorization servers
- Portal server
|
User authentication modes | - 802.1X authentication
- MAC address authentication
- HTTP/HTTPS-based Portal authentication
- Combined authentication
|
Authentication protocols that can be used by the 802.1X client | - PAP
- CHAP
- EAP-MD5
- EAP-TLS
- EAP-TTLS
- EAP-FAST
- EAP-PEAP
|
Attributes that can be assigned by the ISE to successfully authenticated users | All standard RADIUS attributes and Huawei extended RADIUS attributes. The common authorization attributes include the following:
- VLAN
- Static ACL: Only ACL ID is specified.
- Dynamic ACL: Both the ACL ID and rules contained in the ACL are specified.
- Rate limiting on user packets
- AAA service scheme
- UCL group
|
Authorization for users who have not passed authentication successfully, that is, the escape function | Users in the escape state can be assigned the following attributes:
- VLAN
- UCL group
- AAA service scheme: Service VLANs, voice VLANs, ACLs, UCL groups, and QoS profiles can be bound to an AAA service scheme.
|
Functions that can be implemented using RADIUS CoA/DM packets | - Using RADIUS CoA packets to reauthenticate users
- Using RADIUS CoA packets to intermittently disconnect the interface to which the authorized users are connected (supported only by switches running V200R012C00 and later versions)
- Using RADIUS CoA packets to shut down the interface to which the authorized users are connected (supported only by switches running V200R012C00 and later versions)
- Using RADIUS DM packets to forcibly log out users
|
Methods for identifying terminal types | - DHCP packet
- User Agent (UA) field in HTTP packets
- RADIUS attribute
- NMAP
- DNS packet
|
Posture Service | Terminal health check: This function ensures that terminals accessing a network satisfy specified conditions, such as running a specific program and updating the patch or antivirus database to the latest version. |
Guest management | - |
BYOD | Bring your own device (BYOD) technology allows employees to connect to enterprise networks using their own mobile terminals, identifies the terminal types, and implements authentication and authorization based on user information, device type, and device operating environment. |
Free mobility | - Single-gateway scenario: Huawei Agile Controller-Campus delivers UCL group policies to switches. The ISE delivers a UCL group to the successfully authenticated users.
- Multi-gateway scenario: Huawei Agile Controller-Campus delivers UCL group policies to switches. The ISE delivers a UCL group to the successfully authenticated users. Virtual Extensible LAN (VXLAN) is configured on switches to transmit UCL group information between multiple gateways.
|