The terminal that fails MAC authentication can access the Internet

Latest reply: Nov 24, 2021 07:11:08

Hi everyone,

The traffic policy configured on the device should not conflict with the NAC configuration. Otherwise, faults may occur. The following is a case for your reference.

Problem Description

When an S5730-48C-SI uses the Agile Controller-Campus as its RADIUS server for MAC address authentication, terminals that fail MAC authentication can still access the Internet.

Key configurations:

#
authentication-profile name p1
 mac-access-profile mac
 authentication mode multi-authen max-user 100
 access-domain default force
#
radius-server template radius_shichuang
 radius-server shared-key cipher %^%#;=LW0)Z24"[fM=*Kx.g!,X+[Lhs($5$QHV78jK%^%#
 radius-server authentication 192.168.xx.245 1812 weight 80
 radius-server accounting 192.168.xx.245 1813 weight 80
radius-server authorization 192.168.xx.245 shared-key cipher %^%#ie7TOH!@X8F:jk2Zc|CY-DE-{#4h]>P1zOX2%^%#
#
acl number 3001
 rule 5 deny ip source 192.168.xx.0 0.0.0.255 destination 192.168.103.0 0.0.0.255
 rule 10 deny ip source 192.168.x.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
 rule 15 deny ip source 192.168.xx.0 0.0.0.255 destination 192.168.210.0 0.0.0.255
 rule 20 permit ip
#
traffic classifier c_200 operator and
 if-match acl 3001
#
traffic behavior b_200
 permit
#
traffic policy p_200
 classifier c_200 behavior b_200
#
vlan 103
 traffic-policy p_200 inbound
#
aaa
 authentication-scheme radius
  authentication-mode radius
 authentication-scheme auth_shichuang
  authentication-mode radius
 accounting-scheme acco_shichuang
  accounting-mode radius
  accounting realtime 3
 domain default
  authentication-scheme auth_shichuang
  accounting-scheme acco_shichuang
  radius-server radius_shichuang
#
interface Vlanif103
 ip address 192.168.xx.254 255.255.255.0
#
interface XGigabitEthernet0/0/7
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 authentication-profile p1
#
mac-access-profile name mac
#

Process

1. Check the user status. The user authentication type is No authentication.

<HUAWEI> display access-user mac-address 047d-XXXX-6b54
Basic:
  User ID: 34
  User name: 047dXXXX6b54
  Domain-name: -
  User MAC: 047d-XXXX-6b54
  User IP address: 172.16.xx.248
  User vpn-instance: -
  User IPv6 address: -
  User access Interface: XGigabitEthernet0/0/7
  User vlan event: Pre-authen
  QinQVlan/UserVlan: 0/98
  User vlan source: user request
  User access time: 2020/09/08 13:59:05
  Option82 information: -
  User access type: None
  Terminal Device Type: Data Terminal

AAA:
  User authentication type: No authentication
  Current authentication method: None
  Current authorization method: Local
  Current accounting method: None

2. The customer requires that users be allowed to access the Internet but cannot access some intranet resources after being authenticated. Therefore, a traffic policy is configured on the device, and the last rule in the ACL is configured to allow all traffic.

#
acl number 3001
 rule 5 deny ip source 192.168.xx.0 0.0.0.255 destination 192.168.yy.0 0.0.0.255
 rule 10 deny ip source 192.168.xx.0 0.0.0.255 destination 192.168.zz.0 0.0.0.255
 rule 15 deny ip source 192.168.xx.0 0.0.0.255 destination 192.168.kk.0 0.0.0.255
 rule 20 permit ip
#

3. Check the product documentation: For the S2720EI, S2750EI, S5700LI, S5700S-LI, S5710-C-LI, S5710-X-LI, S5700SI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5720I-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI, ACL-based simplified traffic policy and traffic classification rules in MQC-based traffic policy have higher priorities than rules defined in NAC configuration. If configurations in ACL-based simplified traffic policy or MQC-based traffic policy conflict with the NAC function, the device processes packets based on configurations in ACL-based simplified traffic policy and traffic behaviors in MQC-based traffic policy.

Therefore, even if the user fails to be authenticated, the user can still access the Internet according to the ACL rules in the traffic policy.

 

4. To restrict access rules for authenticated users and prevent users from accessing the Internet after authentication failures, delete the traffic policy configuration on the switch and configure the Agile Controller-Campus to deliver the ACL number in the authorization parameter. Then the switch will control access rules for authenticated users based on the ACL number.

[Screenshot: Agile Controller-Campus authorization configuration]

Root Cause

The traffic policy configuration conflicts with the NAC configuration. The switch preferentially processes packets based on the traffic behavior in the traffic policy.

Solution

Delete the traffic policy configuration on the switch and configure the Agile Controller-Campus to deliver the ACL number in the authorization parameter. Then the switch will control access rules for authenticated users based on the ACL number.
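The precedence rule above is easy to miss in a large running-config, so the following Python script (an added example, not part of the original post and not a Huawei tool) audits a VRP-style configuration for exactly this pattern: an MQC traffic policy whose ACL ends in a permit-all rule, bound inbound on a VLAN or interface, on a switch that also binds an authentication-profile to an interface. It only understands the commands that appear in this case; the SAMPLE_CONFIG and FIXED_CONFIG strings are constructed for the demonstration, with VRP indentation and placeholder addresses, and FIXED_CONFIG reflects the solution (traffic policy binding removed, ACL to be delivered by the Agile Controller-Campus instead).

```python
"""Audit a VRP-style switch config for a traffic policy that overrides NAC.

Added example, not Huawei's or the original poster's code. Only the commands
shown in the case are parsed; SAMPLE_CONFIG is constructed for this demo.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
#
authentication-profile name p1
 mac-access-profile mac
 authentication mode multi-authen max-user 100
#
acl number 3001
 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.103.0 0.0.0.255
 rule 20 permit ip
#
traffic classifier c_200 operator and
 if-match acl 3001
#
traffic behavior b_200
 permit
#
traffic policy p_200
 classifier c_200 behavior b_200
#
vlan 103
 traffic-policy p_200 inbound
#
interface XGigabitEthernet0/0/7
 port link-type trunk
 authentication-profile p1
#
"""
# The case's fix: drop the policy binding; the controller delivers the ACL.
FIXED_CONFIG = SAMPLE_CONFIG.replace(" traffic-policy p_200 inbound\n", "")


def parse_sections(text):
    """Split a VRP config into (header, [sub-commands]) pairs.
    A non-indented line opens a section, indented lines belong to it,
    and '#' separators and blank lines are skipped."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def find_conflicts(config_text):
    """Return findings for permit-all traffic policies applied while NAC is bound."""
    acl_last_action = {}                # acl number -> action of its last rule
    classifier_acls = defaultdict(set)  # classifier -> ACL numbers it matches
    behavior_action = {}                # behavior -> 'permit' or 'deny'
    policy_pairs = defaultdict(list)    # policy -> [(classifier, behavior)]
    policy_bindings = []                # (policy, scope, direction)
    nac_bindings = []                   # (scope, authentication-profile)

    for header, body in parse_sections(config_text):
        w = header.split()
        if w[:2] == ["acl", "number"]:
            rules = [l for l in body if l.startswith("rule ")]
            if rules:                   # 'rule 20 permit ip' -> 'permit'
                acl_last_action[w[2]] = rules[-1].split()[2]
        elif w[:2] == ["traffic", "classifier"]:
            for l in body:
                m = re.match(r"if-match acl (\S+)", l)
                if m:
                    classifier_acls[w[2]].add(m.group(1))
        elif w[:2] == ["traffic", "behavior"]:
            behavior_action[w[2]] = "deny" if "deny" in body else "permit"
        elif w[:2] == ["traffic", "policy"]:
            for l in body:
                m = re.match(r"classifier (\S+) behavior (\S+)", l)
                if m:
                    policy_pairs[w[2]].append(m.groups())
        elif w[0] in ("vlan", "interface") and len(w) > 1:
            scope = f"{w[0]} {w[1]}"
            for l in body:
                m = re.match(r"traffic-policy (\S+) (inbound|outbound)", l)
                if m:
                    policy_bindings.append((m.group(1), scope, m.group(2)))
                m = re.match(r"authentication-profile (\S+)", l)
                if m:
                    nac_bindings.append((scope, m.group(1)))

    findings = []
    if not nac_bindings:                # no NAC on the box: nothing to override
        return findings
    for policy, scope, direction in policy_bindings:
        for classifier, behavior in policy_pairs.get(policy, []):
            if behavior_action.get(behavior, "permit") != "permit":
                continue
            for acl in classifier_acls.get(classifier, ()):
                if acl_last_action.get(acl) == "permit":
                    findings.append({"policy": policy, "scope": scope,
                                     "direction": direction, "acl": acl,
                                     "behavior": behavior,
                                     "nac": [f"{s} ({p})" for s, p in nac_bindings]})
    return findings


if __name__ == "__main__":
    for f in find_conflicts(SAMPLE_CONFIG):
        print(f"traffic policy {f['policy']} {f['direction']} on {f['scope']}: "
              f"ACL {f['acl']} ends in 'permit' with permit behavior {f['behavior']}; "
              f"on the affected models this overrides NAC on {', '.join(f['nac'])}")
    print("after fix:", find_conflicts(FIXED_CONFIG))
```

Run it against a saved `display current-configuration` from each switch of the models listed in step 3; a finding means the NAC result for users on that VLAN or interface is not what decides forwarding, which is the situation in this case.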

Good thanks

Very well explained

Excellent share! Keep up the good work!

AL_93
Moderator Created Nov 16, 2021 05:09:11

Helpful post! Thank you for sharing!

Thanks for sharing this useful post!
