Typical NAC Configuration (Unified Mode) (the Agile Controller-Campus as the Authentication Server) (V200R009C00 and Later Versions)

The following provides the configuration for SwitchA, the access switch connecting to the R&D department. The configuration for SwitchB, the access switch connecting to the marketing department, is similar to that for SwitchA.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1    //Interface connected to the R&D department
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2    //Interface connected to the aggregation switch
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit

1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.

   <HUAWEI> system-view
   [HUAWEI] sysname SwitchD
   [SwitchD] vlan batch 103 104
   [SwitchD] interface gigabitethernet 1/0/1    //Interface connected to the aggregation switch
   [SwitchD-GigabitEthernet1/0/1] port link-type trunk
   [SwitchD-GigabitEthernet1/0/1] port trunk allow-pass vlan 103
   [SwitchD-GigabitEthernet1/0/1] quit
   [SwitchD] interface vlanif 103
   [SwitchD-Vlanif103] ip address 172.16.2.2 255.255.255.0
   [SwitchD-Vlanif103] quit
   [SwitchD] interface gigabitethernet 1/0/2    //Interface connected to the server area
   [SwitchD-GigabitEthernet1/0/2] port link-type access
   [SwitchD-GigabitEthernet1/0/2] port default vlan 104
   [SwitchD-GigabitEthernet1/0/2] quit
   [SwitchD] interface vlanif 104
   [SwitchD-Vlanif104] ip address 172.16.1.254 255.255.255.0    //Configure the gateway address for the server area.
   [SwitchD-Vlanif104] quit
   [SwitchD] ip route-static 192.168.0.0 255.255.255.0 172.16.2.1    //Configure routes to the network segment assigned to the R&D department.
   [SwitchD] ip route-static 192.168.1.0 255.255.255.0 172.16.2.1    //Configure routes to the network segment assigned to the marketing department.

2. Configure network access rights for users after successful authentication.

   [SwitchD] acl 3001    //Configure the post-authentication domain for R&D employees.
   [SwitchD-acl-adv-3001] rule 1 permit ip    //Allow R&D employees to access all resources.
   [SwitchD-acl-adv-3001] quit
   [SwitchD] acl 3002    //Configure the post-authentication domain for marketing employees.
   [SwitchD-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0    //Prevent marketing employees from accessing the code library.
   [SwitchD-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0    //Prevent marketing employees from accessing the issue tracking system.
   [SwitchD-acl-adv-3002] rule 3 permit ip    //Allow marketing employees to access other resources.
   [SwitchD-acl-adv-3002] quit

3. Configure parameters for connecting to the RADIUS server.

   [SwitchD] radius-server template policy    //Create the RADIUS server template policy.
   [SwitchD-radius-policy] radius-server authentication 172.16.1.1 1812    //Configure the IP address and port number of the RADIUS authentication server.
   [SwitchD-radius-policy] radius-server accounting 172.16.1.1 1813    //Configure the IP address and port number of the RADIUS accounting server.
   [SwitchD-radius-policy] radius-server shared-key cipher YsHsjx_202206    //Set the authentication key and accounting key to YsHsjx_202206.
   [SwitchD-radius-policy] quit
   [SwitchD] aaa    //Enter the AAA view.
   [SwitchD-aaa] authentication-scheme auth    //Configure the authentication scheme auth.
   [SwitchD-aaa-authen-auth] authentication-mode radius    //Set the authentication mode to RADIUS.
   [SwitchD-aaa-authen-auth] quit
   [SwitchD-aaa] accounting-scheme acco    //Configure the accounting scheme acco.
   [SwitchD-aaa-accounting-acco] accounting-mode radius    //Set the accounting mode to RADIUS.
   [SwitchD-aaa-accounting-acco] accounting realtime 15    //Set the real-time accounting interval to 15 minutes.
   [SwitchD-aaa-accounting-acco] quit
   [SwitchD-aaa] domain portal    //Configure a domain.
   [SwitchD-aaa-domain-portal] authentication-scheme auth    //Bind the authentication scheme auth to the domain.
   [SwitchD-aaa-domain-portal] accounting-scheme acco    //Bind the accounting scheme acco to the domain.
   [SwitchD-aaa-domain-portal] radius-server policy    //Bind the RADIUS server template policy to the domain.
   [SwitchD-aaa-domain-portal] quit
   [SwitchD-aaa] quit
   [SwitchD] domain portal  //Configure portal as the global default domain.

4. Configure parameters for connecting to the Portal server.

   [SwitchD] web-auth-server portal_huawei    //In V200R020C10SPC100 and later versions, you must also run the web-auth-server server-source or server-source command to configure the local gateway address used to receive and respond to the packets sent by the Portal server, so as to implement Portal authentication.
   [SwitchD-web-auth-server-portal_huawei] server-ip 172.16.1.1    //Set the Portal server IP address.
   [SwitchD-web-auth-server-portal_huawei] source-ip 172.16.1.254    //Set the IP address that the switch uses to communicate with the Portal server.
   [SwitchD-web-auth-server-portal_huawei] port 50200    //Set the destination port number in the packets that the switch sends to the Portal server to 50200, which is the same as the port number that the Portal server uses to receive packets. The default destination port number on the switch is 50100, and you must change it to 50200 manually, so that it matches the port number on the Portal server.
   [SwitchD-web-auth-server-portal_huawei] shared-key cipher YsHsjx_202206    //Configure the shared key for communication with the Portal server, which must be the same as that configured on the Portal server.
   [SwitchD-web-auth-server-portal_huawei] url http://access.example.com:8080/portal    //Configure the URL for the Portal authentication page, in which access.example.com indicates the host name of the Portal server. The domain name is recommended in the URL so that the Portal authentication page can be pushed to users faster and more securely. To use the domain name in the URL, you must configure the mapping between this domain name access.example.com and Portal server IP address on the DNS server in advance.
   [SwitchD-web-auth-server-portal_huawei] quit
   [SwitchD] web-auth-server listening-port 2000    //Configure the port number that the switch uses to process Portal protocol packets. The default port number is 2000. If the port number is changed on the server, change it accordingly on the switch.
   [SwitchD] portal quiet-period    //Enable the quiet function for Portal authentication users. If the number of times that a Portal authentication user fails to be authenticated within 60 seconds exceeds the specified value, the device discards the user's Portal authentication request packets for a period to prevent impact of frequent authentication failures on the system.
   [SwitchD] portal quiet-times 5    //Configure the maximum number of authentication failures within 60 seconds before the device quiets a Portal authentication user.
   [SwitchD] portal timer quiet-period 240    //Set the quiet period to 240 seconds.

5. Enable Portal authentication.

   # Set the NAC mode to unified.

   [SwitchD] authentication unified-mode    //Set the NAC mode to unified. By default, the switch works in unified mode. After changing the NAC mode from common to unified, save the configuration and restart the switch to make the configuration take effect.

   # Configure a Portal access profile.

   [SwitchD] portal-access-profile name web1
   [SwitchD-portal-acces-profile-web1] web-auth-server portal_huawei layer3
   [SwitchD-portal-acces-profile-web1] quit

   # Configure an authentication-free rule profile and specify resources that users can access without authentication.

   In versions earlier than V200R012C00, if the URL of Portal server needs to be analyzed by DNS and the DNS server is on the upstream network of the NAS device, you also need to create authentication-free rules and ensure that the DNS server is included in the authentication-free rules. In V200R012C00 and later versions, the NAS device automatically allows DNS packets to pass through and no authentication-free rule is required in Portal authentication.

   [SwitchD] free-rule-template name default_free_rule
   [SwitchD-free-rule-default_free_rule] free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255    //Configure authentication-free rules for Portal authentication users, so that these users can access the DNS server before the authentication.
   [SwitchD-free-rule-default_free_rule] free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255    //Configure authentication-free rules for Portal authentication users, so that these users can access the web server before the authentication.
   [SwitchD-free-rule-default_free_rule] quit

   # Configure an authentication profile.

   [SwitchD] authentication-profile name p1
   [SwitchD-authen-profile-p1] portal-access-profile web1    //Bind the Portal access profile web1.
   [SwitchD-authen-profile-p1] quit

   # Enable Portal authentication.

   [SwitchD] interface vlanif 103
   [SwitchD-Vlanif103] authentication-profile p1
   [SwitchD-Vlanif103] quit

1. Log in to the Agile Controller-Campus.
   1. Open the Internet Explorer, enter the Agile Controller-Campus address in the address box, and press Enter.
      The following table provides two types of Agile Controller-Campus addresses.

      Address Format	Description
      https://Agile Controller-Campus-IP:8443	In the address, Agile Controller-Campus-IP indicates the Agile Controller-Campus IP address.
      Agile Controller-Campus IP address	If port 80 is enabled during installation, you can access the Agile Controller-Campus by simply entering its IP address without the port number. The Agile Controller-Campus address will automatically change to https://Agile Controller-Campus-IP:8443.

   2. Enter the administrator account and password.

2. Create departments and accounts. The following describes how to create the R&D department. Create the Marketing department similarly.
   1. Choose Resource > User > User Management.
   2. Click the Department tab in the operation area on the right. Then click Add under the Department tab, and add the department R&D.

   3. Click the User tab in the operation area on the right. Then click Add under the User tab, and add the user A.

   4. Click in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password YsHsjx_202207.

   5. On the User tab page, select user A and click Transfer to add user A to the R&D department.

3. Add a switch to the Agile Controller-Campus and configure related parameters to ensure normal communication between the Agile Controller-Campus and switch.
   1. Choose Resource > Device > Device Management.
   2. Click Add.
   3. Configure parameters for the switch.

      Parameter	Value	Description
      Name	SW	-
      IP Address	172.16.1.254	The interface must be able to communicate with the SC.
      Device series	Huawei Quidway Series	-
      Authentication Key	YsHsjx_202206	It must be the same as the shared key of the RADIUS authentication server configured on the switch.
      Charging Key	YsHsjx_202206	It must be the same as the shared key of the RADIUS accounting server configured on the switch.
      Real-time charging interval (minute)	15	It must be the same as the real-time accounting interval configured on the switch.
      Port	2000	This is the port that the switch uses to communicate with the Portal server. Retain the default value.
      Portal Key	YsHsjx_202206	It must be the same as the Portal shared key configured on the switch.
      Allowed IP Addresses	192.168.0.1/24; 192.168.1.1/24	-

   4. Click OK.

4. Configure employee authorization. This example describes how to configure R&D employee authorization. The configuration procedure for marketing employees is the same, except that the network resources the two types of employees can access are different.
   1. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and configure resources that R&D employees can access after authentication and authorization.

      Parameter	Value	Description
      Name	R&D employee post-authentication domain	-
      Service Type	Access Service	-
      ACL Number/AAA User Group	3001	The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.

   2. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule, and specify the authorization conditions for R&D employees.

      Parameter	Value	Description
      Name	R&D employee authorization rule	-
      Service Type	Access User	-
      Department	R&D	-
      Authorization Result	R&D employee post-authentication domain	-

The following provides the configuration for SwitchA, the access switch connecting to the R&D department. The configuration for SwitchB, the access switch connecting to the marketing department, is similar.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1    //Interface connected to the R&D department
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2    //Interface connected to the aggregation switch
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit

1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.

   <HUAWEI> system-view
   [HUAWEI] sysname SwitchC
   [SwitchC] dhcp enable    //Enable the DHCP service.
   [SwitchC] vlan batch 101 to 103
   [SwitchC] interface gigabitethernet 1/0/1    //Interface of the access switch connected to the R&D department
   [SwitchC-GigabitEthernet1/0/1] port link-type trunk
   [SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 101
   [SwitchC-GigabitEthernet1/0/1] quit
   [SwitchC] interface vlanif 101
   [SwitchC-Vlanif101] ip address 192.168.0.1 255.255.255.0    //IP address segment assigned to R&D employees
   [SwitchC-Vlanif101] dhcp select interface
   [SwitchC-Vlanif101] dhcp server dns-list 172.16.1.2
   [SwitchC-Vlanif101] quit
   [SwitchC] interface gigabitethernet 1/0/2    //Interface of the access switch connected to the marketing department
   [SwitchC-GigabitEthernet1/0/2] port link-type trunk
   [SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
   [SwitchC-GigabitEthernet1/0/2] quit
   [SwitchC] interface vlanif 102
   [SwitchC-Vlanif102] ip address 192.168.1.1 255.255.255.0    //IP address segment assigned to marketing employees.
   [SwitchC-Vlanif102] dhcp select interface
   [SwitchC-Vlanif102] dhcp server dns-list 172.16.1.2
   [SwitchC-Vlanif102] quit
   [SwitchC] interface gigabitethernet 1/0/3    //Interface connected to the server area
   [SwitchC-GigabitEthernet1/0/3] port link-type access
   [SwitchC-GigabitEthernet1/0/3] port default vlan 103
   [SwitchC-GigabitEthernet1/0/3] quit
   [SwitchC] interface vlanif 103
   [SwitchC-Vlanif103] ip address 172.16.1.254 255.255.255.0    //Configure the gateway address for the server area.
   [SwitchC-Vlanif103] quit

2. Configure network access rights for users after successful authentication.

   [SwitchC] acl 3001    //Configure the post-authentication domain for R&D employees.
   [SwitchC-acl-adv-3001] rule 1 permit ip    //Allow R&D employees to access all resources.
   [SwitchC-acl-adv-3001] quit
   [SwitchC] acl 3002    //Configure the post-authentication domain for marketing employees.
   [SwitchC-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0    //Prevent marketing employees from accessing the code library.
   [SwitchC-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0    //Prevent marketing employees from accessing the issue tracking system.
   [SwitchC-acl-adv-3002] rule 3 permit ip    //Allow marketing employees to access other resources.
   [SwitchC-acl-adv-3002] quit

3. Configure parameters for connecting to the RADIUS server.

   [SwitchC] radius-server template policy    //Create the RADIUS server template policy.
   [SwitchC-radius-policy] radius-server authentication 172.16.1.1 1812 source ip-address 172.16.1.254    //Configure the IP address and port number of the RADIUS authentication server.
   [SwitchC-radius-policy] radius-server accounting 172.16.1.1 1813 source ip-address 172.16.1.254    //Configure the IP address and port number of the RADIUS accounting server.
   [SwitchC-radius-policy] radius-server shared-key cipher YsHsjx_202206    //Set the authentication key and accounting key to YsHsjx_202206.
   [SwitchC-radius-policy] quit
   [SwitchC] aaa    //Enter the AAA view.
   [SwitchC-aaa] authentication-scheme auth    //Configure the authentication scheme auth.
   [SwitchC-aaa-authen-auth] authentication-mode radius    //Set the authentication mode to RADIUS.
   [SwitchC-aaa-authen-auth] quit
   [SwitchC-aaa] accounting-scheme acco    //Configure the accounting scheme acco.
   [SwitchC-aaa-accounting-acco] accounting-mode radius    //Set the accounting mode to RADIUS.
   [SwitchC-aaa-accounting-acco] accounting realtime 15    //Set the real-time accounting interval to 15 minutes.
   [SwitchC-aaa-accounting-acco] quit
   [SwitchC-aaa] domain portal    //Configure a domain.
   [SwitchC-aaa-domain-portal] authentication-scheme auth    //Bind the authentication scheme auth to the domain.
   [SwitchC-aaa-domain-portal] accounting-scheme acco    //Bind the accounting scheme acco to the domain.
   [SwitchC-aaa-domain-portal] radius-server policy    //Bind the RADIUS server template policy to the domain.
   [SwitchC-aaa-domain-portal] quit
   [SwitchC-aaa] quit
   [SwitchC] domain portal  //Configure portal as the global default domain.

4. Configure parameters for connecting to the Portal server.

   [SwitchC] web-auth-server portal_huawei    //Configure the Portal server template portal_huawei.In V200R020C10SPC100 and later versions, you must also run the web-auth-server server-source or server-source command to configure the local gateway address used to receive and respond to the packets sent by the Portal server, so as to implement Portal authenticatio
   [SwitchC-web-auth-server-portal_huawei] server-ip 172.16.1.1    //Set the Portal server IP address.
   [SwitchC-web-auth-server-portal_huawei] source-ip 172.16.1.254    //Set the IP address that the switch uses to communicate with the Portal server.
   [SwitchC-web-auth-server-portal_huawei] port 50200    //Set the destination port number in the packets that the switch sends to the Portal server to 50200, which is the same as the port number that the Portal server uses to receive packets. The default destination port number on the switch is 50100, and you must change it to 50200 manually, so that it matches the port number on the Portal server.
   [SwitchC-web-auth-server-portal_huawei] shared-key cipher YsHsjx_202206    //Configure the shared key for communication with the Portal server, which must be the same as that configured on the Portal server.
   [SwitchC-web-auth-server-portal_huawei] url http://access.example.com:8080/portal    //Configure the URL for the Portal authentication page, in which access.example.com indicates the host name of the Portal server. The domain name is recommended in the URL so that the Portal authentication page can be pushed to users faster and more securely. To use the domain name in the URL, you must configure the mapping between this domain name access.example.com and Portal server IP address on the DNS server in advance.
   [SwitchC-web-auth-server-portal_huawei] quit
   [SwitchC] web-auth-server listening-port 2000    //Configure the port number that the switch uses to process Portal protocol packets. The default port number is 2000. If the port number is changed on the server, change it accordingly on the switch.
   [SwitchC] portal quiet-period    //Enable the quiet function for Portal authentication users. If the number of times that a Portal authentication user fails to be authenticated within 60 seconds exceeds the specified value, the device discards the user's Portal authentication request packets for a period to prevent impact of frequent authentication failures on the system.
   [SwitchC] portal quiet-times 5    //Configure the maximum number of authentication failures within 60 seconds before the device quiets a Portal authentication user.
   [SwitchC] portal timer quiet-period 240    //Set the quiet period to 240 seconds.

5. Enable Portal authentication and configure network access rights for users in the pre-authentication domain and post-authentication domain.

   # Set the NAC mode to unified.

   [SwitchC] authentication unified-mode    //Set the NAC mode to unified. By default, the switch works in unified mode. After changing the NAC mode from common to unified, save the configuration and restart the switch to make the configuration take effect.

   # Configure a Portal access profile.

   [SwitchC] portal-access-profile name web1
   [SwitchC-portal-acces-profile-web1] web-auth-server portal_huawei direct
   [SwitchC-portal-acces-profile-web1] quit

   # Configure an authentication-free rule profile and specify resources that users can access without authentication.

   In versions earlier than V200R012C00, if the URL of Portal server needs to be analyzed by DNS and the DNS server is on the upstream network of the NAS device, you also need to create authentication-free rules and ensure that the DNS server is included in the authentication-free rules. In V200R012C00 and later versions, the NAS device automatically allows DNS packets to pass through and no authentication-free rule is required in Portal authentication.

   [SwitchC] free-rule-template name default_free_rule
   [SwitchC-free-rule-default_free_rule] free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255    //Configure authentication-free rules for Portal authentication users, so that these users can access the DNS server before the authentication.
   [SwitchC-free-rule-default_free_rule] free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255    //Configure authentication-free rules for Portal authentication users, so that these users can access the web server before the authentication.
   [SwitchC-free-rule-default_free_rule] quit

   # Configure an authentication profile.

   [SwitchC] authentication-profile name p1
   [SwitchC-authen-profile-p1] portal-access-profile web1    ///Bind the Portal access profile web1.
   [SwitchC-authen-profile-p1] quit

   # Enable Portal authentication.

   [SwitchC] interface vlanif 101
   [SwitchC-Vlanif101] authentication-profile p1   //Enable Portal authentication on the interface connecting to the R&D department.
   [SwitchC-Vlanif101] quit
   [SwitchC] interface vlanif 102
   [SwitchC-Vlanif102] authentication-profile p1   //Enable Portal authentication on the interface connecting to the marketing department.
   [SwitchC-Vlanif102] quit

   # (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets. This function does not take effect for users who use Layer 3 Portal authentication.

   [SwitchC] access-user arp-detect vlan 101 ip-address 192.168.0.1 mac-address 00e0-fc12-3456
   [SwitchC] access-user arp-detect vlan 102 ip-address 192.168.1.1 mac-address 00e0-fc12-3456

1. Log in to the Agile Controller-Campus.
   1. Open the Internet Explorer, enter the Agile Controller-Campus address in the address box, and press Enter.
      The following table provides two types of Agile Controller-Campus addresses.

      Address Format	Description
      https://Agile Controller-Campus-IP:8443	In the address, Agile Controller-Campus-IP indicates the Agile Controller-Campus IP address.
      Agile Controller-Campus IP address	If port 80 is enabled during installation, you can access the Agile Controller-Campus by simply entering its IP address without the port number. The Agile Controller-Campus address will automatically change to https://Agile Controller-Campus-IP:8443.

   2. Enter the administrator account and password.

2. Create departments and accounts. The following describes how to create the R&D department. Create the Marketing department similarly.
   1. Choose Resource > User > User Management.
   2. Click the Department tab in the operation area on the right. Then click Add under the Department tab, and add the department R&D.

   3. Click the User tab in the operation area on the right. Then click Add under the User tab, and add the user A.

   4. Click in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password YsHsjx_202207.

   5. On the User tab page, select user A and click Transfer to add user A to the R&D department.

3. Add a switch to the Agile Controller-Campus and configure related parameters to ensure normal communication between the Agile Controller-Campus and switch.
   1. Choose Resource > Device > Device Management.
   2. Click Add.
   3. Configure parameters for the switch.

      Parameter	Value	Description
      Name	SW	-
      IP Address	172.16.1.254	The interface must be able to communicate with the SC.
      Device series	Huawei Quidway Series	-
      Authentication Key	YsHsjx_202206	It must be the same as the shared key of the RADIUS authentication server configured on the switch.
      Charging Key	YsHsjx_202206	It must be the same as the shared key of the RADIUS accounting server configured on the switch.
      Real-time charging interval (minute)	15	It must be the same as the real-time accounting interval configured on the switch.
      Port	2000	This is the port that the switch uses to communicate with the Portal server. Retain the default value.
      Portal Key	YsHsjx_202206	It must be the same as the Portal shared key configured on the switch.
      Allowed IP Addresses	192.168.0.1/24; 192.168.1.1/24	-

   4. Click OK.

4. Configure employee authorization. This example describes how to configure R&D employee authorization. The configuration procedure for marketing employees is the same, except that the network resources the two types of employees can access are different.
   1. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and configure resources that R&D employees can access after authentication and authorization.

      Parameter	Value	Description
      Name	R&D employee post-authentication domain	-
      Service Type	Access Service	-
      ACL Number/AAA User Group	3001	The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.

   2. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule, and specify the authorization conditions for R&D employees.

      Parameter	Value	Description
      Name	R&D employee authorization rule	-
      Service Type	Access User	-
      Department	R&D	-
      Authorization Result	R&D employee post-authentication domain	-

1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded. This example uses SwitchC to describe the configuration. The configuration on SwitchD is the same as that on SwitchC.
   # Create VLAN 200.

   <HUAWEI> system-view
   [HUAWEI] sysname SwitchC
   [SwitchC] vlan batch 200

   # Configure the interface connected to users as an access interface and add the interface to VLAN 200.

   [SwitchC] interface gigabitethernet 0/0/1
   [SwitchC-GigabitEthernet0/0/1] port link-type access
   [SwitchC-GigabitEthernet0/0/1] port default vlan 200 
   [SwitchC-GigabitEthernet0/0/1] quit
   [SwitchC] interface gigabitethernet 0/0/2
   [SwitchC-GigabitEthernet0/0/2] port link-type access
   [SwitchC-GigabitEthernet0/0/2] port default vlan 200
   [SwitchC-GigabitEthernet0/0/2] quit

   # Configure the interface connected to the upstream network as a trunk interface and configure the interface to allow VLAN 200.

   [SwitchC] interface gigabitethernet 0/0/3
   [SwitchC-GigabitEthernet0/0/3] port link-type trunk
   [SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 200
   [SwitchC-GigabitEthernet0/0/3] quit

2. Configure the device to transparently transmit 802.1X packets. This example uses SwitchC to describe the configuration. The configuration on SwitchD is the same as that on SwitchC.

   In this example, SwitchC and SwitchD are deployed between the authentication switch SwitchA and users. 802.1X packet transparent transmission needs to be configured on SwitchC and SwitchD so that SwitchA can perform 802.1X authentication for users.

   • Method 1:

     [SwitchC] l2protocol-tunnel user-defined-protocol 802.1X protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
     [SwitchC] interface gigabitethernet 0/0/1
     [SwitchC-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1X enable
     [SwitchC-GigabitEthernet0/0/1] bpdu enable
     [SwitchC-GigabitEthernet0/0/1] quit
     [SwitchC] interface gigabitethernet 0/0/2
     [SwitchC-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol 802.1X enable
     [SwitchC-GigabitEthernet0/0/2] bpdu enable
     [SwitchC-GigabitEthernet0/0/2] quit
     [SwitchC] interface gigabitethernet 0/0/3
     [SwitchC-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1X enable
     [SwitchC-GigabitEthernet0/0/3] bpdu enable
     [SwitchC-GigabitEthernet0/0/3] quit

   • Method 2: This method is recommended when a large number of users exist or high network performance is required. Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-EI, S6720-HI, S6720S-EI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S support this method.

     [SwitchC] undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
     [SwitchC] bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
     [SwitchC] bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
     [SwitchC] bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
     [SwitchC] bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8

     This following step is mandatory when you switch from method 1 to method 2.

     [SwitchC] interface gigabitethernet 0/0/1
     [SwitchC-GigabitEthernet0/0/1] undo l2protocol-tunnel user-defined-protocol 802.1X enable
     [SwitchC-GigabitEthernet0/0/1] quit
     [SwitchC] interface gigabitethernet 0/0/2
     [SwitchC-GigabitEthernet0/0/2] undo l2protocol-tunnel user-defined-protocol 802.1X enable
     [SwitchC-GigabitEthernet0/0/2] quit
     [SwitchC] interface gigabitethernet 0/0/3
     [SwitchC-GigabitEthernet0/0/3] undo l2protocol-tunnel user-defined-protocol 802.1X enable
     [SwitchC-GigabitEthernet0/0/3] quit

1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.

   <HUAWEI> system-view
   [HUAWEI] sysname SwitchA
   [SwitchA] vlan batch 100 200
   [SwitchA] interface gigabitethernet 0/0/1    //Configure the interface connected to SwitchC.
   [SwitchA-GigabitEthernet0/0/1] port link-type trunk
   [SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
   [SwitchA-GigabitEthernet0/0/1] quit
   [SwitchA] interface gigabitethernet 0/0/2    //Configure the interface connected to SwitchD.
   [SwitchA-GigabitEthernet0/0/2] port link-type trunk
   [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
   [SwitchA-GigabitEthernet0/0/2] quit
   [SwitchA] interface gigabitethernet 0/0/6    //Configure the interface connected to the server.
   [SwitchA-GigabitEthernet0/0/6] port link-type trunk
   [SwitchA-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
   [SwitchA-GigabitEthernet0/0/6] quit
   [SwitchA] interface vlanif 100
   [SwitchA-Vlanif100] ip address 192.168.10.10 24    //Configure the management IP address for SwitchA. This IP address is used when SwitchA is added to Agile Controller-Campus.
   [SwitchA-Vlanif100] quit
   [SwitchA] interface vlanif 200
   [SwitchA-Vlanif200] ip address 192.168.200.1 24    //Configure the gateway address for terminal users.
   [SwitchA-Vlanif200] quit
   [SwitchA] ip route-static 192.168.100.0 255.255.255.0 192.168.100.100    //Configure a route to the network segment where the pre-authentication domain resides.
   [SwitchA] ip route-static 192.168.102.0 255.255.255.0 192.168.102.100    //Configure a route to the network segment where the post-authentication domain resides.

2. Configure network access rights for users after successful authentication.

   [SwitchA] acl 3002
   [SwitchA-acl-adv-3002] rule 1 permit ip destination 192.168.102.100 0
   [SwitchA-acl-adv-3002] rule 2 deny ip destination any
   [SwitchA-acl-adv-3002] quit

3. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.
   # Create and configure the RADIUS server template rd1.

   [SwitchA] radius-server template rd1
   [SwitchA-radius-rd1] radius-server authentication 192.168.100.100 1812
   [SwitchA-radius-rd1] radius-server accounting 192.168.100.100 1813
   [SwitchA-radius-rd1] radius-server shared-key cipher YsHsjx_202206
   [SwitchA-radius-rd1] quit

   # Create an AAA authentication scheme abc and set the authentication mode to RADIUS.

   [SwitchA] aaa
   [SwitchA-aaa] authentication-scheme abc
   [SwitchA-aaa-authen-abc] authentication-mode radius
   [SwitchA-aaa-authen-abc] quit

   # Configure an accounting scheme acco1. Set the accounting mode to RADIUS so that the RADIUS server can maintain account status, such as login, log-off and forced log-off.

   [SwitchA-aaa] accounting-scheme acco1
   [SwitchA-aaa-accounting-acco1] accounting-mode radius
   [SwitchA-aaa-accounting-acco1] accounting realtime 15    //Set the real-time accounting interval to 15 minutes.
   [SwitchA-aaa-accounting-acco1] quit

   # Create an authentication domain isp, and bind the AAA authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.

   [SwitchA-aaa] domain isp
   [SwitchA-aaa-domain-isp] authentication-scheme abc
   [SwitchA-aaa-domain-isp] accounting-scheme acco1
   [SwitchA-aaa-domain-isp] radius-server rd1
   [SwitchA-aaa-domain-isp] quit
   [SwitchA-aaa] quit

   # Configure the global default domain isp. During access authentication, enter a user name in the format user@isp to perform AAA authentication in the domain isp. If the user name does not contain a domain name or contains an invalid domain name, the user is authenticated in the default domain.

   [SwitchA] domain isp

4. Enable 802.1X and MAC address authentication.
   # Set the NAC mode to unified.

   [SwitchA] authentication unified-mode

   By default, the unified mode is enabled. After the NAC mode is changed, the device automatically restarts.

   # Configure an 802.1X access profile.

   By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.

   [SwitchA] dot1x-access-profile name d1
   [SwitchA-dot1x-access-profile-d1] dot1x authentication-method eap
   [SwitchA-dot1x-access-profile-d1] dot1x timer client-timeout 30
   [SwitchA-dot1x-access-profile-d1] quit

   # Configure a MAC access profile.

   [SwitchA] mac-access-profile name m1
   [SwitchA-mac-access-profile-m1] mac-authen username fixed A-123 password cipher Huawei123    //Set the user name mode for MAC address authentication to fixed user name. Set the user name to A-123 and password to Huawei123.
   [SwitchA-mac-access-profile-m1] quit

   # Configure an authentication profile.

   [SwitchA] authentication-profile name p1
   [SwitchA-authen-profile-p1] mac-access-profile m1    //Bind the MAC access profile m1.
   [SwitchA-authen-profile-p1] dot1x-access-profile d1    //Bind the 802.1X access profile d1.
   [SwitchA-authen-profile-p1] quit

   # Enable 802.1X authentication and MAC address authentication on GE0/0/1 and GE0/0/2.

   [SwitchA] interface gigabitethernet 0/0/1
   [SwitchA-Gigabitethernet0/0/1] authentication-profile p1    //Bind the authentication profile p1 and enable 802.1X + MAC address combined authentication.
   [SwitchA-Gigabitethernet0/0/1] quit
   [SwitchA] interface gigabitethernet 0/0/2
   [SwitchA-Gigabitethernet0/0/2] authentication-profile p1    //Bind the authentication profile p1 and enable 802.1X + MAC address combined authentication.
   [SwitchA-Gigabitethernet0/0/2] quit

   # (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets.

   [SwitchA] access-user arp-detect vlan 200 ip-address 192.168.200.1 mac-address 00e0-fc12-3456

1. Log in to the Agile Controller-Campus.
   1. Open the Internet Explorer, enter the Agile Controller-Campus address in the address box, and press Enter.
      The following table provides two types of Agile Controller-Campus addresses.

      Address Format	Description
      https://Agile Controller-Campus-IP:8443	In the address, Agile Controller-Campus-IP indicates the Agile Controller-Campus IP address.
      Agile Controller-Campus IP address	If port 80 is enabled during installation, you can access the Agile Controller-Campus by simply entering its IP address without the port number. The Agile Controller-Campus address will automatically change to https://Agile Controller-Campus-IP:8443.

   2. Enter the administrator account and password.

2. Create a department and an account.
   1. Choose Resource > User > User Management.
   2. Click the Department tab in the operation area on the right. Then click Add under the Department tab, and add the department R&D.

   3. Click the User tab in the operation area on the right. Then click Add under the User tab, and add the user A.

   4. Click in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password YsHsjx_202207.

   5. On the User tab page, select user A and click Transfer to add user A to the R&D department.

3. Add switches to the Agile Controller-Campus so that the switches can communicate with the Agile Controller-Campus.

   1. Choose Resource > Device > Device Management.

   2. Click Permission Control Device Group in the navigation tree, and click and Add SubGroup to create a device group Switch.

   3. Click the device group in the navigation tree and select ALL Device. Click Add to add network access devices.

   4. Set connection parameters on the Add Device page.

      Parameter	Value	Description
      Name	SwitchA	-
      IP Address	192.168.10.10	The interface on the switch must communicate with the Agile Controller-Campus.
      Device Series	Huawei Quidway series switch	-
      Authentication Key	YsHsjx_202206	It must be the same as the shared key of the RADIUS authentication server configured on the switch.
      Charging Key	YsHsjx_202206	It must be the same as the shared key of the RADIUS accounting server configured on the switch.
      Real-time charging interval (minute)	15	It must be the same as the real-time accounting interval configured on the switch.

   5. Click Permission Control Device Group in the navigation tree, select SwitchC, and click Move to move SwitchA to the Switch group. The configuration on SwitchD is the same as that on SwitchC.

4. Add an authentication rule.

   1. Choose Policy > Permission Control > Authentication and Authorization > Authentication Rule and click Add to create an authentication rule.

   2. Configure basic information for the authentication rule.

      Parameter	Value	Description
      Name	Access authentication rule	-
      Service Type	Access service	-
      Authentication Condition	Device group Switch	Customize authentication rules based on the requirements of your network.
      Please select the allowed authentication protocol	PAP CHAP EAP-MD5 EAP-PEAP-MSCHAPv2 EAP-TLS EAP-PEAP-GTC EAP-TTLS-PAP	-

5. Add an authorization result.

   1. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result and click Add to create an authorization result.

   2. Configure basic information for the authorization result.

      Parameter	Value	Description
      Name	Post-authentication domain	-
      Service Type	Access service	-
      ACL Number/AAA User Group	3002	The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.

6. Add an authorization rule.

   After a user passes the authentication, authorization phase starts. The Agile Controller-Campus grants the user access rights based on the authorization rule.

   1. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule and click Add to create an authorization rule.

   2. Configure basic information for the authorization rule.

      Parameter	Value	Description
      Name	Authorization rule for R&D employees	-
      Service Type	Access service	-
      Access Device Group	Switch	-
      Authorization Result	Post-authentication domain	-

1. Create VLANs and configure the allowed VLANs on interfaces to ensure network connectivity.

   <HUAWEI> system-view
   [HUAWEI] sysname SwitchA
   [SwitchA] vlan batch 10 20
   [SwitchA] interface gigabitethernet 0/0/1    //Configure the interface connecting to employees' terminals.
   [SwitchA-GigabitEthernet0/0/1] port link-type hybrid
   [SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
   [SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
   [SwitchA-GigabitEthernet0/0/1] quit
   [SwitchA] interface gigabitethernet 0/0/2    //Configure the interface connecting to the laboratory.
   [SwitchA-GigabitEthernet0/0/2] port link-type hybrid
   [SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 20
   [SwitchA-GigabitEthernet0/0/2] quit
   [SwitchA] interface gigabitethernet 0/0/3    //Configure the interface connecting to SwitchB.
   [SwitchA-GigabitEthernet0/0/3] port link-type trunk
   [SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 20
   [SwitchA-GigabitEthernet0/0/3] quit
   [SwitchA] interface loopback 1
   [SwitchA-LoopBack1] ip address 10.10.10.1 24    //Configure an IP address for communication with the Agile Controller-Campus.
   [SwitchA-LoopBack1] quit
   [SwitchA] interface vlanif 10
   [SwitchA-Vlanif10] ip address 192.168.1.10 24
   [SwitchA-Vlanif10] quit

2. Configure network access rights for users after successful authentication.

   In dynamic ACL mode, this step does not need to be configured on the device.

   [SwitchA] acl 3002
   [SwitchA-acl-adv-3002] rule 1 permit ip destination 192.168.30.1 0
   [SwitchA-acl-adv-3002] rule 2 permit ip destination 192.168.50.1 0
   [SwitchA-acl-adv-3002] rule 3 deny ip destination any
   [SwitchA-acl-adv-3002] quit

3. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.
   # Create and configure the RADIUS server template rd1.

   [SwitchA] radius-server template rd1
   [SwitchA-radius-rd1] radius-server authentication 192.168.30.1 1812
   [SwitchA-radius-rd1] radius-server accounting 192.168.30.1 1813
   [SwitchA-radius-rd1] radius-server shared-key cipher YsHsjx_202206
   [SwitchA-radius-rd1] quit

   # Create the AAA authentication scheme abc and set the authentication mode to RADIUS.

   [SwitchA] aaa
   [SwitchA-aaa] authentication-scheme abc
   [SwitchA-aaa-authen-abc] authentication-mode radius
   [SwitchA-aaa-authen-abc] quit

   # Configure the accounting scheme acco1 and set the accounting mode to RADIUS.

   [SwitchA-aaa] accounting-scheme acco1
   [SwitchA-aaa-accounting-acco1] accounting-mode radius
   [SwitchA-aaa-accounting-acco1] accounting realtime 15
   [SwitchA-aaa-accounting-acco1] quit

   # Create the authentication domain huawei, and bind the AAA authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.

   [SwitchA-aaa] domain huawei
   [SwitchA-aaa-domain-huawei] authentication-scheme abc
   [SwitchA-aaa-domain-huawei] accounting-scheme acco1
   [SwitchA-aaa-domain-huawei] radius-server rd1
   [SwitchA-aaa-domain-huawei] quit
   [SwitchA-aaa] quit

4. Enable 802.1X authentication.

   # Set the NAC mode to unified.

   [SwitchA] authentication unified-mode

   By default, the unified mode is enabled. Before changing the NAC mode, you must save the configuration. After the mode is changed and the device is restarted, functions of the newly configured mode take effect.

   # Configure the 802.1X access profile d1.

   [SwitchA] dot1x-access-profile name d1
   [SwitchA-dot1x-access-profile-d1] dot1x timer client-timeout 30
   [SwitchA-dot1x-access-profile-d1] quit

   # Configure an authentication-free rule profile.

   [SwitchA] free-rule-template name default_free_rule
   [SwitchA-free-rule-default_free_rule] free-rule 10 destination ip 192.168.40.0 mask 24
   [SwitchA-free-rule-default_free_rule] quit

   # Configure the authentication profile p1, bind the 802.1X access profile d1 and authentication-free rule profile default_free_rule to the authentication profile, specify the domain huawei as the forcible authentication domain in the authentication profile, and set the user access mode to multi-authen.

   [SwitchA] authentication-profile name p1
   [SwitchA-authen-profile-p1] dot1x-access-profile d1
   [SwitchA-authen-profile-p1] free-rule-template default_free_rule
   [SwitchA-authen-profile-p1] access-domain huawei force
   [SwitchA-authen-profile-p1] authentication mode multi-authen
   [SwitchA-authen-profile-p1] quit

   # Bind the authentication profile p1 to GE0/0/1 and enable 802.1X authentication on the interface.

   [SwitchA] interface gigabitethernet 0/0/1
   [SwitchA-GigabitEthernet0/0/1] authentication-profile p1
   [SwitchA-GigabitEthernet0/0/1] quit

   # (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets.

   [SwitchA] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456

1. Log in to the Agile Controller-Campus.
   1. Open the Internet Explorer, enter the Agile Controller-Campus access address in the address bar, and press Enter.
      The following table describes addresses for accessing the Agile Controller-Campus.

      Access Mode	Description
      https://Agile Controller-Campus-IP:8443	Agile Controller-Campus-IP specifies the IP address of the Agile Controller-Campus.
      IP address of the Agile Controller-Campus	If port 80 is enabled during installation, you can access the Agile Controller-Campus by entering its IP address without the port number. The Agile Controller-Campus URL will automatically change to https://Agile Controller-Campus-IP:8443.

   2. Enter the administrator user name and password.

2. Create a department and an account.
   1. Choose Resource > User > User Management.
   2. Click the Department tab in the operation area on the right, and then click Add under the Department tab to add a department R&D.

   3. Click the User tab in the operation area on the right, and then click Add under the User tab to add a user A.

   4. Click next to user A in Operation to access Account Management. Click Add. Create a common account A-123 and set the password to YsHsjx_202207.

   5. In the User tab, select user A. Click Transfer to add user A to the department R&D.

3. Add switches to the Agile Controller-Campus so that the switches can communicate with the Agile Controller-Campus.

   Choose Resource > Device > Device Management. Click Add in the operation area on the right. Set connection parameters on the Add Device page.

4. Add an authorization result.

   Perform this step for ACL number and VLAN delivery.

   1. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and click Add to create an authorization result.

   2. Configure basic information for the authorization result.

      Parameter	Value	Description
      Name	Authorization info for authenticated users	-
      Service type	Access service	-
      VLAN	20	The VLAN must be the same as the VLAN configured for R&D employees on the switch.
      ACL number/AAA user group	3002	The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.

5. Add an authorization result.

   Perform this step for dynamic ACL and VLAN delivery.

   1. Add a dynamic ACL.
      1. Choose Policy > Permission Control > Policy Element > Dynamic ACL.
      2. Click Add.
      3. Configure basic information for the dynamic ACL and click Add in Rule List.
      4. Configure attributes contained in the dynamic ACL.

   2. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and click Add to create an authorization result.

   3. Configure basic information for the authorization result.

      Parameter	Value	Description
      Name	Authorization information for users who pass authentication	-
      Service type	Access service	-
      VLAN	20	The VLAN ID must be the same as the VLAN ID configured for R&D employees on the switch.
      Dynamic ACL	3002	-

6. Add an authorization rule.

   After a user passes authentication, authorization phase starts. The Agile Controller-Campus grants the user access rights based on the authorization rule.

   1. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule and click Add to create an authorization rule.

   2. Configure basic information for the authorization rule.

      Parameter	Value	Description
      Name	Authorization rule for authenticated users	-
      Service type	Access service	-
      Department	R&D department	-
      Authorization result	Authorization info for authenticated users	-

# Configure the core switch to send DHCP option and UA information to the Agile Controller-Campus, which then uses the information as original information to identify terminals.

<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] dhcp enable
[SwitchD] dhcp snooping enable
[SwitchD] device-sensor dhcp option 12 55 60
[SwitchD] http parse user-agent enable

For wireless users, you can configure attributes for APs when the switch works as an AC. In versions earlier than V200R011C10, the configurations are not delivered to APs in real time, and are delivered to APs only after you run the commit command in the WLAN view. In V200R011C10 and later versions, the commit command is deleted, the switch delivers the configurations to APs every 5 seconds.

1. Log in to the Agile Controller-Campus client, AnyOffice Agent, enter the administrator user name and password to open the system homepage.
2. Enable the terminal type identification function.
   1. Choose Resource > Terminal > Parameter Setting.

   2. In Terminal Identification, select Enable. The system automatically identifies terminals based on the probe messages. In Manual Terminal Registration, select Enable. The system allows manual registration of terminals. Retain default values for other parameters, and then click OK.

      Figure 3-214 Enabling the terminal type identification function
      

3. Identify terminals based on the DHCP option and UA information.

   The following uses a terminal, a local account, and Portal authentication as an example (based on UA information).

   1. Open a web browser to access a web server in the post-authentication domain.
   2. Enter the user name and password requested from the administrator.
      Figure 3-215 Entering the user name and password
      

Check terminal type identification results.

1. Choose Resource > Terminal > Registered Device List.

2. Check whether the terminal is in the device list.

   If the terminal is in the device list, its terminal type has been identified.