9.2.3.13. Huawei
9.2.3.13.1. S5700 Series
Firmware: Version 5.170 (V200R011C10SPC600) (V200R022C00SPC500)
Administration Portal > ON CMDB > Network Devices Brand/Model: Huawei/S5720 or Huawei/Generic depending on the model
9.2.3.13.1.1. AAA Configuration
9.2.3.13.1.1.1. AAA Scheme
Define the AAA Configuration:
aaa
authentication-scheme opennac
authentication-mode radius
accounting-scheme opennac
accounting-mode radius
9.2.3.13.1.1.2. RADIUS Server
Define the RADIUS server template used for authentication and accounting, and the format of the attributes it sends. The shared key must be identical to the one configured for this switch on the OpenNAC side:
radius-server template opennac
radius-server shared-key cipher <SharedKey>
radius-server authentication <OpenNAC IP> 1812 weight 80
radius-server accounting <OpenNAC IP> 1813 weight 80
radius-server nas-port-id-format vendor 9
radius-server retransmit 3 timeout 5
undo radius-server user-name domain-included
retransmit 3 timeout 5 means each request is sent up to three times, waiting five seconds for an answer each time. The last line strips the domain suffix from the User-Name before it is sent, so the user name received by OpenNAC matches what the terminal supplied.
RADIUS server status detection, so that the switch notices when OpenNAC is unreachable (and can apply the critical VLAN below). The first two commands are global (system view); the remaining ones belong to the template:
radius-server dead-interval 5
radius-server dead-count 2
radius-server template opennac
radius-server testuser username <user-name> password cipher <password>
radius-server detect-server interval <interval (seconds)>
radius-server dead-time <dead-time (minutes, default 5)>
dead-interval and dead-count decide how many unanswered requests within how many seconds mark a server as Down; dead-time is how long (in minutes) it stays Down before being retried, and the test user is used to probe the server every interval seconds. The probe credentials are stored in the switch configuration and sent on every probe, so use a dedicated test account that grants no network access, never a real user.
9.2.3.13.1.1.3. Configuring a Domain
Define the Domain Configuration:
aaa
domain opennac
authentication-scheme opennac
accounting-scheme opennac
radius-server opennac
9.2.3.13.1.1.4. CoA
To let OpenNAC re-evaluate a session without waiting for the next re-authentication (policy change, quarantine, manual disconnect), the switch must accept RADIUS Change of Authorization (CoA) and Disconnect messages (RFC 5176) from the OpenNAC server. Declare the server as an authorization server together with the shared key; if the key does not match, the switch silently discards the messages and the re-evaluation never happens:
radius-server authorization <Radius_Server_IP> server-group <group-name> shared-key cipher <Radius_Shared_Key>
radius-server authorization port <port-id>
Verify configuration:
display radius-server configuration
display radius-server authorization configuration
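As an added example (not OpenNAC's or Huawei's code), the exchange that the radius-server authorization lines above enable, built from the Python standard library only: a RFC 5176 Disconnect-Request with its Request Authenticator, the ACK or NAK a switch would return, and the authenticator check the sending side should apply before trusting a reply. Assumptions: the session is identified by Calling-Station-Id in the MAC format the switch reported in accounting, the switch listens on the RFC 5176 default port 3799 unless radius-server authorization port changed it, and the key, MAC and addresses are constructed values.

```python
import hashlib
import hmac
import socket
import struct

# RFC 5176 packet codes
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# RFC 2865 / RFC 5176 attribute types used here
ATTR_NAS_IP_ADDRESS, ATTR_CALLING_STATION_ID, ATTR_ERROR_CAUSE = 4, 31, 101
COA_PORT = 3799  # RFC 5176 default; "radius-server authorization port" changes it on the switch


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets (RFC 2865 section 5)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(payload: bytes) -> list:
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[pos + 2:pos + length]))
        pos += length
    return attrs


def build_request(code: int, identifier: int, secret: bytes, attrs: bytes) -> bytes:
    """Disconnect-Request / CoA-Request. Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier & 0xFF, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What the switch (NAS) sends back. Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Accept a reply only if it carries our Identifier and a valid authenticator under the
    shared key; without the key, a host on the path cannot forge an ACK."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK, COA_ACK, COA_NAK):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def disconnect_by_mac(mac: str, identifier: int, secret: bytes, nas_ip: str) -> bytes:
    """Ask the switch to drop the session whose Calling-Station-Id is this MAC.
    Assumption: the MAC is written exactly as the switch reported it in accounting."""
    attrs = encode_attr(ATTR_CALLING_STATION_ID, mac.encode())
    attrs += encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    return build_request(DISCONNECT_REQUEST, identifier, secret, attrs)


def error_cause(response: bytes):
    """Error-Cause (101) from a NAK, e.g. 503 = Session Context Not Found (RFC 5176 3.5)."""
    for attr_type, value in decode_attrs(response[20:]):
        if attr_type == ATTR_ERROR_CAUSE and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


def send_disconnect(switch_ip: str, secret: bytes, mac: str, nas_ip: str, timeout: float = 3.0):
    """Send the request over UDP to the switch's CoA port and validate the reply (network use)."""
    request = disconnect_by_mac(mac, 1, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (switch_ip, COA_PORT))
        response, _ = sock.recvfrom(4096)
    if not verify_response(response, request, secret):
        raise ValueError("reply failed the authenticator check (wrong key or spoofed reply)")
    return response[0], error_cause(response)


if __name__ == "__main__":
    # Offline walk-through of both sides of the exchange with a constructed key.
    key = b"constructed-shared-key"
    req = disconnect_by_mac("aabb-ccdd-eeff", 7, key, "10.0.0.5")
    nak = build_response(DISCONNECT_NAK, req, key, encode_attr(ATTR_ERROR_CAUSE, struct.pack("!I", 503)))
    print(len(req), verify_response(nak, req, key), error_cause(nak))
```

Only send_disconnect touches the network; everything else runs offline, which is also how to confirm that the key on both sides agrees before blaming the switch: a request with the wrong key produces no reply at all, while a NAK with Error-Cause 503 means the key is right but the switch has no session matching the identifiers you sent.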
9.2.3.13.1.2. NAC Configuration
The NAC section can be configured in either unified or common mode. Unified mode is recommended because its profile-based configuration is simpler and easier to read; if you run into problems with it, use common mode. The two modes use different command sets, and changing the mode (authentication unified-mode / undo authentication unified-mode) only takes effect after the configuration is saved and the switch restarted, so settle on one mode before configuring the interfaces.
9.2.3.13.1.2.1. Unified MODE
Auth Mode (check the current mode first, then enable unified mode):
display authentication mode
authentication unified-mode
802.1x - Access Profile
dot1x-access-profile name opennac
dot1x authentication-method eap
dot1x reauthenticate
dot1x timer reauthenticate-period <reauth-period (seconds, default 3600)>
MAC-Auth - Access Profile
mac-access-profile name opennac
mac-authen reauthenticate
mac-authen timer reauthenticate-period <reauth-period (seconds, default 1800)>
Authentication Profile
authentication-profile name opennac
dot1x-access-profile opennac
mac-access-profile opennac
authentication dot1x-mac-bypass
authentication update-ip-accounting enable
access-domain opennac
link-down offline delay 0
quit
undo authentication pre-authen-access enable
link-down offline delay 0 (available on newer firmware) logs a user off as soon as the link goes down, so a port is not left authorized for a device that has been unplugged and replaced. undo authentication pre-authen-access enable is run in system view and removes the pre-connection network access that terminals would otherwise receive before (or after failing) authentication.
802.1X + MAC address authentication is intended for scenarios with dumb terminals (devices without an 802.1X supplicant). When a gateway functions as the authentication device, 802.1X + MAC address authentication is not recommended, because the ARP packets sent by terminals trigger MAC address authentication first; this degrades the performance of 802.1X authentication and opens the door to ARP attacks.
Authentication Mode (optional)
authentication mode { single-terminal | single-voice-with-data | multi-share | multi-authen [ max-user max-user-number [ dot1x | mac-authen | portal ] * ] }
single-terminal: applies to the scenario in which only one data terminal is connected to the network through the interface.
single-voice-with-data: applies to the scenario in which only one data terminal is connected to the network on the device interface through a voice terminal.
multi-share: applies to the scenario that does not require high security and in which multiple data terminals are connected to the network on the device interface.
multi-authen: applies to the scenario that requires high security and in which multiple data terminals are connected to the network on the device interface. In this access mode, you can configure the maximum number of access users based on the actual user quantity on the interface.
Critical VLAN (applied when every RADIUS server in the template is Down):
authentication-profile name opennac
authentication event authen-server-down action authorize vlan <vlan-id>
authentication timer re-authen authen-fail <re-authen-time>
authentication event authen-server-up action re-authen
Users are placed in the critical VLAN without any identity check, so it must be a restricted VLAN (local services only), never a production VLAN. The authen-server-up action re-authenticates those users as soon as a server is reachable again, which is what moves them back to their policy-assigned VLAN.
Control Direction:
authentication-profile name opennac
authentication control-direction { all | inbound }
By default (inbound) the device only blocks traffic coming from an unauthenticated terminal; traffic towards it is still forwarded. Use all if unauthenticated ports must not receive any frames either.
802.1x - Timers
dot1x timer tx-period 5 (default 30 seconds)
dot1x timer mac-bypass-delay 15 (default 30 seconds)
undo authentication pre-authen-access enable
tx-period is the interval at which the switch resends EAP-Request/Identity while no supplicant answers; mac-bypass-delay is how long a port waits for an 802.1X reply before falling back to MAC authentication. Lowering both shortens the time a dumb terminal spends without network access, at the cost of more EAP traffic.
Interface Configuration:
interface GigabitEthernet x/y/z
port link-type hybrid
port hybrid pvid vlan <Default-VLAN>
port hybrid untagged vlan <Default-VLAN>
undo port hybrid vlan 1
authentication-profile opennac
The port must be of type hybrid so that the VLAN returned by OpenNAC can be applied dynamically. <Default-VLAN> is the VLAN the port sits in before any VLAN is assigned, and VLAN 1 is removed so that an unauthenticated terminal is not a member of the default VLAN.
Verify configuration:
display dot1x-access-profile configuration name opennac
display mac-access-profile configuration name opennac
display authentication-profile configuration name opennac
display authentication interface GigabitEthernet x/y/z
9.2.3.13.1.2.2. Common MODE
Auth Mode
system-view
undo authentication unified-mode
802.1X + MAB
Global Configuration:
dot1x enable
dot1x timer tx-period 5
mac-authen
Interface Configuration:
interface GigabitEthernet x/y/z
port link-type hybrid
port hybrid pvid vlan <Default-VLAN>
port hybrid untagged vlan <Default-VLAN>
undo port hybrid vlan 1
dot1x mac-bypass
dot1x reauthenticate
dot1x authentication-method eap
dot1x domain opennac
mac-authen domain opennac
link-down offline delay 0
As in unified mode, the port is hybrid so that the VLAN returned by OpenNAC can be applied dynamically, and VLAN 1 is removed so that an unauthenticated terminal is not a member of the default VLAN.
802.1X Re-authentication
interface Gigabitethernet x/y/z
dot1x reauthenticate
dot1x timer reauthenticate-period <period-value>
By default, the device re-authenticates online 802.1X authentication users at the interval of 3600 seconds.
MAC-Auth Re-authentication
interface GigabitEthernet x/y/z
mac-authen reauthenticate
mac-authen timer reauthenticate-period <period-value>
By default, the device re-authenticates online MAC authentication users at the interval of 1800 seconds (the same default as the unified-mode profile above); the value in effect is shown by display mac-authen.
9.2.3.13.1.3. Security Profiles (ACLs)
Static
[switch] acl name acl-name [ advance | acl-number ]
[switch-acl-acl_name] description acl-name
[switch-acl-acl_name] rule [ rule-id ] { deny | permit } tcp [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | fragment | logging | precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | tcp-flag { ack | fin | psh | rst | syn | urg }* | time-range time-name | tos tos ]*
Dynamic (rules pushed by OpenNAC at authentication time in the HW-Data-Filter RADIUS attribute, one rule per attribute value)
Example ACL format on OpenNAC Enterprise:
$1 permit dst 10.0.239.192/26
$2 permit udp src any 8080
$3 permit icmp echo dst 10.1.1.1/24
$5 deny
The fields are described as follows:
$: Start character of each ACL rule.
number: Last three digits in an ACL rule number, ranging from 0 to 999. The first two digits of an ACL rule number are fixed to 10. For example, if the value of this field is 12, the ACL rule number is 10012.
permit/deny: ACL action. permit indicates that the user access is allowed. deny indicates that the user access is denied.
protocol: Protocol type. The value can be tcp, udp, icmp or igmp. ICMP is classified into echo and echo-reply.
direction: IP address type. The value can be dst or src. dst indicates a destination IP address and src indicates a source IP address.
ip-address: IP address. The value can be any, IPv4 address/mask or IPv6 address/mask.
port: Port number. Currently, only one port is supported.
For more information check the “HW-Data-Filter” attribute on Huawei official documentation <https://support.huawei.com/enterprise/en/doc/EDOC1100276761/35071f9a/radius-aaa>.
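As an added example (not OpenNAC's or Huawei's code), here is a Python checker for the HW-Data-Filter rule format described above. It parses each rule against the field list, rejects anything outside it, and renders the equivalent line in the static advanced-ACL rule syntax from the previous subsection, so a rule set can be validated and reviewed before it is pushed from OpenNAC. The sample rules are the four from this page; treating the single port as a destination port, allowing a port only with tcp/udp, and rendering IPv6 addresses as prefixes are my assumptions, not documented behaviour.

```python
import ipaddress

PROTOCOLS = ("tcp", "udp", "icmp", "igmp")
ICMP_TYPES = ("echo", "echo-reply")
ACTIONS = ("permit", "deny")

# The four rules shown on the page, used as sample input.
EXAMPLE_RULES = [
    "$1 permit dst 10.0.239.192/26",
    "$2 permit udp src any 8080",
    "$3 permit icmp echo dst 10.1.1.1/24",
    "$5 deny",
]


def parse_address(token: str):
    """'any' or an IPv4/IPv6 network; strict=False tolerates host bits, as in 10.1.1.1/24 above."""
    if token == "any":
        return "any"
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError as exc:
        raise ValueError(f"bad address {token!r}: {exc}") from None


def parse_rule(text: str) -> dict:
    """Parse '$<0-999> (permit|deny) [proto [icmp-type]] [(dst|src) addr] [port]' into a dict.
    Every field is checked against the constraints listed on the page; anything else is
    rejected so that a malformed rule never reaches the switch."""
    tokens = text.split()
    if len(tokens) < 2 or not tokens[0].startswith("$"):
        raise ValueError(f"rule must look like '$<n> permit|deny ...': {text!r}")
    number = tokens[0][1:]
    if not number.isdigit() or int(number) > 999:
        raise ValueError(f"rule number must be 0..999: {text!r}")
    if tokens[1] not in ACTIONS:
        raise ValueError(f"action must be permit or deny: {text!r}")
    rule = {"id": 10000 + int(number), "action": tokens[1], "protocol": None,
            "icmp_type": None, "direction": None, "address": None, "port": None}
    i = 2
    if i < len(tokens) and tokens[i] in PROTOCOLS:
        rule["protocol"] = tokens[i]
        i += 1
        if rule["protocol"] == "icmp" and i < len(tokens) and tokens[i] in ICMP_TYPES:
            rule["icmp_type"] = tokens[i]
            i += 1
    if i < len(tokens) and tokens[i] in ("dst", "src"):
        if i + 1 >= len(tokens):
            raise ValueError(f"{tokens[i]} needs an address: {text!r}")
        rule["direction"], rule["address"] = tokens[i], parse_address(tokens[i + 1])
        i += 2
    if i < len(tokens):
        # Added check, not stated on the page: a port only makes sense for tcp/udp.
        if rule["protocol"] not in ("tcp", "udp") or not tokens[i].isdigit() or int(tokens[i]) > 65535:
            raise ValueError(f"expected a single tcp/udp port 0..65535, got {tokens[i]!r}: {text!r}")
        rule["port"] = int(tokens[i])
        i += 1
    if i != len(tokens):
        raise ValueError(f"unexpected token {tokens[i]!r} (only one port is supported): {text!r}")
    return rule


def to_static_rule(rule: dict) -> str:
    """Render the same rule in the static advanced-ACL 'rule' syntax (IPv4 wildcard masks;
    IPv6 keeps its prefix, since VRP IPv6 ACLs take prefixes and belong in an 'acl ipv6').
    Assumption, not stated on the page: the single port is a destination port."""
    parts = ["rule", str(rule["id"]), rule["action"], rule["protocol"] or "ip"]
    if rule["icmp_type"]:
        parts += ["icmp-type", rule["icmp_type"]]
    if rule["direction"]:
        parts.append("destination" if rule["direction"] == "dst" else "source")
        addr = rule["address"]
        if addr == "any":
            parts.append("any")
        elif addr.version == 4:
            parts += [str(addr.network_address), str(addr.hostmask)]
        else:
            parts.append(str(addr))
    if rule["port"] is not None:
        parts += ["destination-port", "eq", str(rule["port"])]
    return " ".join(parts)


def validate_ruleset(lines) -> list:
    """Parse a whole HW-Data-Filter set, rejecting duplicate rule numbers."""
    rules, seen = [], set()
    for line in lines:
        rule = parse_rule(line)
        if rule["id"] in seen:
            raise ValueError(f"duplicate rule number in {line!r}")
        seen.add(rule["id"])
        rules.append(rule)
    return rules


def ends_with_explicit_deny(rules) -> bool:
    """True when the last rule is a bare deny, as in the page's example. The page does not
    say what happens to traffic matching no rule, so do not rely on an implicit default."""
    last = rules[-1] if rules else None
    return bool(last) and last["action"] == "deny" and last["protocol"] is None and last["direction"] is None


if __name__ == "__main__":
    for parsed in validate_ruleset(EXAMPLE_RULES):
        print(to_static_rule(parsed))
```

Running it on the page's four rules prints the static equivalents (for example rule 10001 permit ip destination 10.0.239.192 0.0.0.63), which makes it easy to compare a dynamic policy with an ACL already present on the switch via display acl.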
9.2.3.13.1.4. SNMP
To perform the policy re-evaluation through SNMP, the SNMP agent must be enabled and the read and write communities defined. A v2c write community is a cleartext credential that grants full write access to the switch: use a long random value (never public/private), restrict it to the OpenNAC address with the acl option of the same command, and prefer SNMPv3 with authentication and privacy (below) where the firmware allows it.
SNMP-v2c:
snmp-agent
snmp-agent sys-info version v2c
snmp-agent community read cipher <community-name>
snmp-agent community write cipher <community-name>
SNMP-v3 (authPriv user: SHA for authentication, AES-128 for privacy; use two different secrets):
snmp-agent mib-view included isoview iso
snmp-agent group v3 <SNMPGROUP> privacy read-view isoview write-view isoview notify-view isoview
snmp-agent usm-user v3 <SNMPUSER>
snmp-agent usm-user v3 <SNMPUSER> group <SNMPGROUP>
snmp-agent usm-user v3 <SNMPUSER> authentication-mode sha cipher <AUTH-SECRET>
snmp-agent usm-user v3 <SNMPUSER> privacy-mode aes128 cipher <PRIV-SECRET>
SNMP Trap Host
snmp-agent trap enable
snmp-agent target-host trap address udp-domain <opennacIP> params securityname <community-name> v2c
This defines OpenNAC as the trap host; traps are sent to UDP port 162 by default. securityname is the community carried in the trap, so use the read community configured above rather than public.
9.2.3.13.1.5. Troubleshooting & Monitoring
RADIUS Debug (user view; debugging is CPU-intensive on a production switch, so enable it only while reproducing a problem and disable it afterwards):
<switch> terminal monitor
<switch> terminal debugging
<switch> debugging radius packet
Monitoring NAC:
display access-user -> information about NAC access users.
display dot1x -> information about 802.1X authentication.
display mac-authen -> information about MAC address authentication.
display server-detect state -> the status of a Portal server.
display mac-address authen -> MAC address entries of the authen type in the system.
display mac-address pre-authen -> MAC address entries of the Pre-authen type in the system.