Authentication points should generally be placed on access devices close to the terminals. For wireless users, the AP or WLAN access device is the natural admission point because it directly controls the station’s wireless association and service access. For wired users, the access switch directly connects the endpoint and can enforce 802.1X, MAC-address authentication, VLAN authorization, ACLs, and security-group policies.
Huawei recommends access devices as authentication points for employees and specifically recommends access switches as authentication points for wired dumb terminals using MAC-address authentication. Deploying enforcement close to endpoints prevents unauthenticated or unauthorized traffic from traversing deeper into the campus network. It also improves fault isolation, policy granularity, and scalability because admission processing is distributed across access devices.
Option A is incorrect. A centralized authentication point can simplify configuration and policy management, but it does not inherently provide higher performance. It can create concentrated processing pressure, enlarge the Layer 2 scope, and allow unauthenticated traffic to travel farther before being evaluated. Therefore, the recommended principles are represented by B, C, and D.
==================
Submit