Hi everyone,
A traffic policy configured on a switch must not conflict with its NAC configuration; if it does, access control will not behave as intended. The following case shows one such conflict for your reference.
Problem Description
When an S5730-48C-SI works with the Agile Controller-Campus for MAC address authentication, terminals that fail MAC authentication can still access the Internet.
Key configurations:
#
authentication-profile name p1
mac-access-profile mac
authentication mode multi-authen max-user 100
access-domain default force
#
radius-server template radius_shichuang
radius-server shared-key cipher %^%#;=LW0)Z24"[fM=*Kx.g!,X+[Lhs($5$QHV78jK%^%#
radius-server authentication 192.168.xx.245 1812 weight 80
radius-server accounting 192.168.xx.245 1813 weight 80
radius-server authorization 192.168.xx.245 shared-key cipher %^%#ie7TOH!@X8F:jk2Zc|CY-DE-{#4h]>P1zOX2%^%#
#
acl number 3001
rule 5 deny ip source 192.168.xx.0 0.0.0.255 destination 192.168.103.0 0.0.0.255
rule 10 deny ip source 192.168.x.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
rule 15 deny ip source 192.168.xx.0 0.0.0.255 destination 192.168.210.0 0.0.0.255
rule 20 permit ip
#
traffic classifier c_200 operator and
if-match acl 3001
#
traffic behavior b_200
permit
#
traffic policy p_200
classifier c_200 behavior b_200
#
vlan 103
traffic-policy p_200 inbound
#
aaa
authentication-scheme radius
authentication-mode radius
authentication-scheme auth_shichuang
authentication-mode radius
accounting-scheme acco_shichuang
accounting-mode radius
accounting realtime 3
domain default
authentication-scheme auth_shichuang
accounting-scheme acco_shichuang
radius-server radius_shichuang
#
interface Vlanif103
ip address 192.168.xx.254 255.255.255.0
#
interface XGigabitEthernet0/0/7
port link-type trunk
port trunk allow-pass vlan 2 to 4094
authentication-profile p1
#
mac-access-profile name mac
#
Process
1. Check the user status. The terminal has an access-user entry on the switch, but its authentication type is "No authentication" and its VLAN event is "Pre-authen": it has not passed MAC authentication and is still in the pre-authentication state.
<HUAWEI> display access-user mac-address 047d-XXXX-6b54
Basic:
User ID: 34
User name: 047dXXXX6b54
Domain-name: -
User MAC: 047d-XXXX-6b54
User IP address: 172.16.xx.248
User vpn-instance: -
User IPv6 address: -
User access Interface: XGigabitEthernet0/0/7
User vlan event: Pre-authen
QinQVlan/UserVlan: 0/98
User vlan source: user request
User access time : 2020/09/08 13:59:05
Option82 information: -
User access type: None
Terminal Device Type: Data Terminal
AAA:
User authentication type: No authentication
Current authentication method: None
Current authorization method: Local
Current accounting method: None
2. The customer's requirement is that authenticated users can reach the Internet but not certain intranet subnets. To implement this, a traffic policy was configured on the switch, with the last rule of its ACL permitting all other traffic.
#
acl number 3001
rule 5 deny ip source 192.168.xx.0 0.0.0.255 destination 192.168.yy.0 0.0.0.255
rule 10 deny ip source 192.168.xx.0 0.0.0.255 destination 192.168.zz.0 0.0.0.255
rule 15 deny ip source 192.168.xx.0 0.0.0.255 destination 192.168.kk.0 0.0.0.255
rule 20 permit ip
#
3. Check the product documentation: For the S2720EI, S2750EI, S5700LI, S5700S-LI, S5710-C-LI, S5710-X-LI, S5700SI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5720I-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI, an ACL-based simplified traffic policy and the traffic classification rules of an MQC-based traffic policy take precedence over the rules defined by the NAC configuration. If an ACL-based simplified traffic policy or an MQC-based traffic policy conflicts with the NAC function, the device processes packets according to the simplified traffic policy or the traffic behavior of the MQC-based traffic policy.
In this case, classifier c_200 references ACL 3001, whose final rule "permit ip" matches every packet not explicitly denied, and behavior b_200 is "permit". Because policy p_200 is applied inbound on VLAN 103, every packet from a terminal in that VLAN (other than those to the three denied subnets) is forwarded by the traffic policy, and NAC never gets to block it. Therefore, even a user who fails authentication can still access the Internet according to the ACL rules in the traffic policy.
4. To restrict the access rules of authenticated users and prevent users from accessing the Internet after authentication failures, delete the traffic policy from the switch and configure the Agile Controller-Campus to deliver the ACL number as an authorization parameter. The switch then controls access for each authenticated user based on the delivered ACL number, while terminals that have not passed authentication are subject only to the NAC pre-authentication controls. Note that the server delivers only the ACL number: the ACL itself (including the deny rules for the intranet subnets) must still be configured on the switch, otherwise the authorization cannot take effect.
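To make the check in step 3 repeatable before a change window, here is an added example (my own Python, not from the original post, from Huawei, or from the Agile Controller) that parses the relevant part of a VRP configuration and reports inbound traffic policies whose permit behavior would forward a flow regardless of NAC state. The configuration excerpt and the flows are constructed: the 192.168.10.0/24 source subnet stands in for the anonymised 192.168.xx.0 on the page, the AAA/RADIUS blocks are omitted, and only the ACL rule syntax used on this page is parsed.

```python
import ipaddress
import re

# Constructed excerpt of the switch configuration in this case. Assumption: the
# anonymised 192.168.xx.0 source subnet is replaced with 192.168.10.0/24 so the
# example runs; AAA/RADIUS blocks are omitted since they play no part here.
SAMPLE_CONFIG = """\
acl number 3001
 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.103.0 0.0.0.255
 rule 20 permit ip
#
traffic classifier c_200 operator and
 if-match acl 3001
#
traffic behavior b_200
 permit
#
traffic policy p_200
 classifier c_200 behavior b_200
#
vlan 103
 traffic-policy p_200 inbound
#
interface XGigabitEthernet0/0/7
 authentication-profile p1
#
"""
# The fix from the post: the traffic policy is no longer bound to VLAN 103.
FIXED_CONFIG = SAMPLE_CONFIG.replace(" traffic-policy p_200 inbound\n", "")
# Constructed flows from one terminal: to the Internet and to a denied intranet subnet.
SAMPLE_FLOWS = [("192.168.10.20", "8.8.8.8"), ("192.168.10.20", "192.168.103.7")]

# Only the rule form on this page: "rule <id> permit|deny ip" with optional
# "source <addr> <wildcard>" and "destination <addr> <wildcard>".
RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+ip(?:\s+source\s+(\S+)\s+(\S+))?"
                     r"(?:\s+destination\s+(\S+)\s+(\S+))?$")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _endpoint(addr, wild):
    # (network, wildcard) as ints; None when the rule does not constrain this side.
    # A wildcard written as "0" means a single host.
    return None if addr is None else (_ip(addr), _ip(wild) if "." in wild else int(wild))

def _matches(ip, endpoint):
    # Huawei wildcard semantics: a 1 bit in the wildcard means "do not care".
    if endpoint is None:
        return True
    net, wild = endpoint
    return ((_ip(ip) ^ net) & ~wild & 0xFFFFFFFF) == 0

def acl_action(rules, src_ip, dst_ip):
    """First matching rule in rule-ID order wins (the default 'config' match order)."""
    for r in rules:
        if _matches(src_ip, r["src"]) and _matches(dst_ip, r["dst"]):
            return r["action"]
    return None  # no rule matched, so a classifier using this ACL does not match

def parse_config(text):
    """Pull ACLs, MQC objects, policy bindings and NAC profile bindings out of VRP config."""
    cfg = {"acls": {}, "classifiers": {}, "behaviors": {}, "policies": {}, "bindings": [], "nac": False}
    for block in text.split("#"):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        head, body, w = lines[0], lines[1:], lines[0].split()
        if w[:2] == ["acl", "number"]:
            rules = [{"id": int(m.group(1)), "action": m.group(2),
                      "src": _endpoint(m.group(3), m.group(4)),
                      "dst": _endpoint(m.group(5), m.group(6))}
                     for m in map(RULE_RE.match, body) if m]
            cfg["acls"][int(w[2])] = sorted(rules, key=lambda r: r["id"])
        elif w[:2] == ["traffic", "classifier"]:
            cfg["classifiers"][w[2]] = [int(l.split()[2]) for l in body if l.startswith("if-match acl ")]
        elif w[:2] == ["traffic", "behavior"]:
            cfg["behaviors"][w[2]] = "deny" if "deny" in body else "permit"
        elif w[:2] == ["traffic", "policy"]:
            cfg["policies"][w[2]] = [(l.split()[1], l.split()[3]) for l in body if l.startswith("classifier ")]
        else:  # vlan / interface views: policy bindings and authentication profiles
            for lw in map(str.split, body):
                if lw[0] == "traffic-policy":
                    cfg["bindings"].append((head, lw[1], lw[2]))
                elif lw[0] == "authentication-profile":
                    cfg["nac"] = True
    return cfg

def find_nac_bypass(cfg, flows):
    """Flows that an inbound traffic policy with a 'permit' behaviour forwards on a
    NAC-enabled device; per the quoted documentation they pass even from unauthenticated terminals."""
    findings = []
    for view, policy, direction in cfg["bindings"] if cfg["nac"] else []:
        for cls, beh in cfg["policies"].get(policy, []):
            if direction != "inbound" or cfg["behaviors"].get(beh, "permit") != "permit":
                continue
            for acl_id in cfg["classifiers"].get(cls, []):
                for src, dst in flows:
                    if acl_action(cfg["acls"].get(acl_id, []), src, dst) == "permit":
                        findings.append(f"{view}: {policy} (acl {acl_id} -> {beh}) forwards {src}->{dst} regardless of NAC state")
    return findings

if __name__ == "__main__":
    print(*find_nac_bypass(parse_config(SAMPLE_CONFIG), SAMPLE_FLOWS), sep="\n")
    print("after fix:", find_nac_bypass(parse_config(FIXED_CONFIG), SAMPLE_FLOWS))
```

Run against the case's configuration, the script reports the Internet flow from VLAN 103 as forwarded by p_200 regardless of NAC state, while the flow to the denied intranet subnet is not reported because the ACL drops it. Against the configuration with traffic-policy p_200 inbound removed from VLAN 103 it reports nothing, which is the state step 4 leaves the switch in. The same script can be pointed at a full display current-configuration dump, since the parser only looks at the acl, traffic classifier/behavior/policy, vlan and interface views.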

Root Cause
The traffic policy configuration conflicts with the NAC configuration. The switch processes packets according to the traffic behavior in the traffic policy in preference to the NAC access control, so the "permit" behavior forwards traffic from terminals that have not passed authentication.
Solution
Delete the traffic policy from the switch and configure the Agile Controller-Campus to deliver the ACL number as an authorization parameter. The switch then controls access for authenticated users based on the delivered ACL number, and the ACL with that number must exist on the switch.