CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Configuring Portal Authentication

In Portal authentication, users do not need a specific client. The Portal server provides users with free portal services and a Portal authentication page. Portal authentication can use either an external Portal server or the built-in Portal server of the device.

Prerequisites

Portal authentication only provides a user authentication solution. To implement this solution, the AAA function must also be configured. Therefore, the following tasks must be completed before you configure Portal authentication:

  • Configuring the authentication domain and AAA scheme on the AAA client.
  • Configuring the user name and password on the RADIUS or HWTACACS server if RADIUS or HWTACACS authentication is used.
  • Configuring the user name and password manually on the network access device if local authentication is used.

For the configuration of AAA client, see AAA Configuration in the Huawei AR Series IOT Gateway Configuration Guide - Security.

Configuring Portal Server Parameters

Context

During Portal authentication, you must configure parameters for the Portal server (for example, the IP address for the Portal server) to ensure smooth communication between the device and the Portal server.

The Portal server is classified as either the external Portal server or the built-in Portal server. The external Portal server has independent hardware, while the built-in Portal server is an entity embedded in the access device (that is, functions of the Portal server are implemented by the access device).

Procedure

  • Configuring parameters for the external Portal server (binding URL)
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      web-auth-server server-name

      A Portal server template is created and the Portal server template view is displayed.

      By default, no Portal server template is created.

    3. Run:

      server-ip server-ip-address &<1-4>

      An IP address is configured for the Portal server.

      By default, no IP address is configured for the Portal server.

      NOTE:

      The IP address for the Portal server is the IP address for the external Portal server.

    4. Run:

      url url-string

      A URL is configured for the portal server.

      By default, a Portal server does not have a URL.

    5. Run:

      shared-key cipher key-string

      The shared key that the device uses to exchange information with the Portal server is configured.

      By default, no shared key is configured.

  • Setting parameters of the URL corresponding to an external Portal server (binding URL template)
    1. Configure the URL template.

      1. Run the system-view command to enter the system view.
      2. Run the url-template name template-name command to create a URL template and enter the URL template view.

        By default, no URL template exists on the device.

      3. Run the url [ redirect-only ] url-string [ ssid ssid ] command to configure the redirection URL corresponding to the Portal server.

        By default, no redirection URL is configured for a Portal server.

      4. Run the url-parameter { ac-ip ac-ip-value | ac-mac ac-mac-value | ap-ip ap-ip-value | ap-mac ap-mac-value | redirect-url redirect-url-value | ssid ssid-value | sysname sysname-value | user-ipaddress user-ipaddress-value | user-mac user-mac-value | user-vlan user-vlan-value } * command to set the parameters carried in the URL.

        By default, a URL does not carry parameters.

      5. Run the url-parameter mac-address format delimiter delimiter { normal | compact } command to set the MAC address format in the URL.

        By default, the MAC address format in the URL is XXXXXXXXXXXX.

      6. Run the parameter { start-mark parameter-value | assignment-mark parameter-value | isolate-mark parameter-value } * command to set the characters in the URL.

        By default, the start character is ?, assignment character is =, and delimiter is &.

      7. Run the quit command to return to the system view.

    2. Set parameters for the external Portal server.

      1. Run the web-auth-server server-name command to create a Portal server template and enter the Portal server template view.

        By default, no Portal server template is created.

      2. Run the server-ip server-ip-address &<1-4> command to set the IP address corresponding to the Portal server.

        By default, no IP address is configured for the Portal server.

      3. Run the url-template url-template command to bind a URL template to the Portal server template.

        By default, no URL template is bound to a Portal server template.

      4. Run the shared-key cipher key-string command to configure the shared key that the device uses to exchange information with the Portal server.

        By default, no shared key is configured.

  • Configuring parameters for the built-in Portal server
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      portal local-server ip ip-address

      The IP address is configured for the built-in Portal server.

      By default, no IP address is configured for a built-in Portal server.

      NOTE:

      The IP address for the built-in Portal server is an IP address of a Layer 3 interface that can be reached by a route between the device and the client.
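The steps above for the external Portal server with a bound URL template, assembled into one configuration sequence. This is an added example, not a configuration from the Huawei guide: the template names, addresses, the shared key and the URL are constructed values, and the redirect URL shown in the closing comment is an illustration of the format the configured parameters produce.

```text
# Added example (not from the Huawei guide). All names and values are constructed.
system-view
# 1. URL template: where an unauthenticated user is redirected and what the URL carries
url-template name portal_tpl
 url http://10.10.10.10:8080/portal
 # carry the client IP, client MAC and the originally requested URL so the Portal
 # server can identify the session and send the user back after authentication;
 # the second word of each pair is the parameter name that appears in the URL
 url-parameter user-ipaddress userip user-mac usermac redirect-url url
 # write the MAC with a "-" delimiter instead of the default XXXXXXXXXXXX
 url-parameter mac-address format delimiter - normal
 quit
# 2. Portal server template: server address, bound URL template, shared key
web-auth-server portal_srv
 server-ip 10.10.10.10
 url-template portal_tpl
 # the shared key must match the one configured on the Portal server
 shared-key cipher Huawei@2024
 quit
# Illustrative redirect built from the template above (default ? = & separators):
# http://10.10.10.10:8080/portal?userip=192.168.100.23&usermac=00-e0-fc-12-34-56&url=http://www.example.com/
```

The redirect-only keyword of the url command is omitted here so that the same template could also be used for web push; add it when the template is meant for redirection only.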

Enabling Portal Authentication

Context

The device can communicate with the Portal server after the parameters of the Portal server are configured. To enable Portal authentication for access users, you must enable Portal authentication of the device.

To enable Portal authentication with an external Portal server, you only need to bind the configured Portal server template to an interface. To enable Portal authentication with the built-in Portal server, you must enable the built-in Portal server and enable Portal authentication on a Layer 2 interface of the device.

Procedure

  • Enable Portal authentication on the device if the authentication server is an external Portal server.
    1. Run:

      system-view

      The system view is displayed.

    2. Enable the Nginx server.

      1. (Optional) Run:

        nginx load { default | file-name }

        The device is configured to load the Nginx configuration file to the Nginx server when the Nginx server is enabled.

      2. Run:

        nginx enable

        The Nginx server is enabled.

        By default, the Nginx server is disabled.

      3. Run:

        nginx proxy port

        The port number of the Nginx proxy server is configured.

        By default, the port number is 81.

      NOTE:

      Only the AR511GW-L-B3, AR511GW-LAV2M3, AR511GW-LM7, AR511CGW-LAV2M3, AR503GW-LcM7, and AR503GW-LM7 support the Nginx server.

    3. Run:

      interface interface-type interface-number

      The interface view is displayed.

    4. Run:

      web-auth-server server-name [ bak-server-name ] { direct | layer3 }

      The Portal server template is bound to the interface.

      By default, no Portal server template is bound to an interface.

      NOTE:

      This command does not support the parameter direct and the parameter bak-server-name in the WAN interface view.

      For wireless users, the Portal server template can be bound to only the VLANIF interface.

      It is not recommended that you bind a Portal server template to the interface connected to a Portal server.

  • Enable Portal authentication on the device if the authentication server is a built-in Portal server.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      portal local-server https ssl-policy policy-name [ port port-num ]

      The built-in Portal server is enabled on the device.

      By default, the built-in Portal server is disabled on the device.

      NOTE:

      The SSL policy must be configured and the digital certificate must be loaded.

    3. Enable Portal authentication on the interface in the system or interface view.

      NOTE:

      It is recommended that you enable built-in Portal authentication on a VLANIF interface. The VLANIF interface of a super-VLAN does not support built-in Portal authentication.

      Built-in Portal authentication of Layer 3 interfaces cannot be configured using this command in the system view. To enable Portal authentication on VLANIF interfaces, WAN interfaces, or port groups, you can only use the command format in the interface view.

      • In the system view:
        • portal local-server enable interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

          Portal authentication is enabled on the interface.

      • In the interface view:

        1. Run:
          interface interface-type interface-number

          The interface view is displayed.

        2. Run:
          portal local-server enable

          Portal authentication is enabled on the interface.

        3. Run the quit command to return to the system view.

      By default, Portal authentication is disabled on an interface.

    4. (Optional) Customize built-in Portal server login page.

      • Run:
        portal local-server logo load logo-file

        The logo file is loaded to the built-in Portal server login page.

        By default, no logo file is loaded to the built-in Portal server login page.

      • Run:
        portal local-server ad-image load ad-image-file

        The advertisement image file is loaded to the built-in Portal server login page.

        By default, no advertisement image file is loaded to the built-in Portal server login page.

      • Run:
        portal local-server page-text load string

        The advertisement page file is loaded to the built-in Portal server.

        By default, no advertisement page file is loaded to the built-in Portal server.

      • Run:
        portal local-server policy-text load string

        The disclaimer page file is loaded to the built-in Portal server.

        By default, no disclaimer page file is loaded to the built-in Portal server.

      • Run:
        portal local-server background-image load { background-image-file | default-image1 }

        The background image of the built-in Portal server login page is configured.

        By default, the device has two background images default-image0 and default-image1. The built-in Portal server uses default-image0 as the background image by default.

      • Run:
        portal local-server background-color background-color-value

        The background color of the built-in Portal server login page is configured.

        By default, no background color of the built-in Portal server login page is configured.

    5. (Optional) Run:

      portal local-server keep-alive interval interval-value [ auto ]

      The heartbeat detection interval and mode of the built-in Portal server are configured.

      By default, the heartbeat detection function of the built-in Portal server is not configured.
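Enabling Portal authentication in both forms described above, as an added example that is not part of the Huawei guide. It assumes the Portal server template portal_srv from the parameter configuration already exists; the interface numbers, the SSL policy name ssl_policy1, the interface address and the keep-alive interval are constructed values.

```text
# Added example (not from the Huawei guide). Names and values are constructed.
system-view
# --- External Portal server: bind the template to the user-facing VLANIF ---
interface vlanif 100
 # direct = Layer 2 Portal authentication; use layer3 when users are behind a router
 web-auth-server portal_srv direct
 quit
# --- Built-in Portal server on a second user VLAN ---
# address of a Layer 3 interface that clients can reach by route
portal local-server ip 192.168.200.1
# HTTPS listener; ssl_policy1 must already exist and have its certificate loaded
portal local-server https ssl-policy ssl_policy1
# a VLANIF (not a super-VLAN VLANIF) is enabled from its interface view
interface vlanif 200
 portal local-server enable
 quit
# heartbeat detection from the built-in server (interval value constructed)
portal local-server keep-alive interval 30
```

Keeping the external and built-in servers on separate VLANIF interfaces avoids binding a Portal server template to the interface that faces the Portal server itself, which the note above advises against.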

(Optional) Configuring Parameters for Information Exchange with the Portal server

Context

In Portal authentication network deployment, if the Portal server is an external Portal server, you can configure parameters for information exchange between the device and the Portal server to improve communication security.

NOTE:

This function applies only to external Portal servers.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    web-auth-server version v2 [ v1 ]

    Portal protocol versions supported by the device are configured.

    By default, the device uses Portal of v1 and v2.

    NOTE:

    To ensure smooth communication, use the default setting so that the device uses both versions.

  3. Run:

    web-auth-server listening-port port-number

    The port number through which the device listens to Portal protocol packets is set.

    By default, the device listens to the Portal protocol packets through port 2000.

  4. Run:

    web-auth-server reply-message

    The device is enabled to transparently transmit the authentication responses sent by the authentication server to the Portal server.

    By default, the device transparently transmits the authentication responses sent by the authentication server to the Portal server.

  5. Run:

    web-auth-server server-name

    The Portal server template view is displayed.

  6. Run:

    source-ip ip-address

    The source IP address for communication with a Portal server is configured.

    By default, no source IP address is configured on the device.

  7. Run:

    port port-number [ all ]

    The destination port number through which the device sends packets to the Portal server is set.

    By default, port 50100 is used as the destination port when the device sends packets to the Portal server.

    NOTE:

    Ensure that the port number configured on the device is the same as that used by the Portal server.

  8. Run:

    vpn-instance vpn-instance-name

    The VPN instance used by the device to communicate with the portal server is configured.

    By default, no VPN instance is configured for communication between the device and Portal server.
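The exchange parameters above applied to one Portal server template, as an added example rather than a configuration from the Huawei guide. It assumes the template portal_srv exists; the source address, the VPN instance name mgmt_vpn and the port values are constructed.

```text
# Added example (not from the Huawei guide). Names and values are constructed.
system-view
# keep both protocol versions (the default) unless the Portal server is v2-only
web-auth-server version v2 v1
# port on which the device accepts Portal protocol packets from the server
web-auth-server listening-port 2000
# pass the authentication server's reply text through to the Portal server
web-auth-server reply-message
web-auth-server portal_srv
 # fixed source address, so the Portal server sees one consistent device address
 # regardless of which interface the route to it leaves from
 source-ip 192.168.1.1
 # must equal the port the Portal server listens on (50100 is the device default)
 port 50100
 # reach the Portal server through a dedicated VPN instance
 vpn-instance mgmt_vpn
 quit
```

A fixed source-ip matters when the Portal server restricts which device addresses it accepts packets from, or ties the shared key to a device address: a change of route would otherwise change the source address and break the exchange.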

(Optional) Setting Access Control Parameters for Portal Authentication Users

Context

During deployment of the Portal authentication network, you can set access control parameters for Portal authentication users to flexibly control the user access. For example, you can set authentication-free rules for Portal authentication users so that the users can access specified network resources without being authenticated or when the users fail authentication. You can configure the source authentication subnet to allow the device to authenticate only users in the source authentication subnet, while users in other subnets cannot pass Portal authentication.

Procedure

  • Set access control parameters for Portal authentication users when an external Portal server is used.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      portal free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } | any } } | source { any | ip { ip-address mask { mask-length | ip-mask } | any } } } * or portal free-rule acl acl-id

      An authentication-free rule is configured for Portal authentication users.

      By default, no authentication-free rule is configured for Portal authentication users.

      NOTE:
      An authentication-free rule defined by rule-id and an authentication-free rule defined by ACL cannot be configured at the same time.

    3. Set the maximum number of Portal authentication users.

      1. Run:

        portal max-user user-number

        The maximum number of Portal authentication users is set.

        By default, the number of Portal authentication users is the maximum number of Portal authentication users supported by the device.

      2. Run:

        portal user-alarm percentage percent-lower-value percent-upper-value

        The alarm threshold for the Portal authentication user count percentage is set.

        By default, the lower alarm threshold for the Portal authentication user count percentage is 50, and the upper alarm threshold for the Portal authentication user count percentage is 100.

    4. Run:

      interface vlanif vlan-id

      The VLANIF interface view is displayed.

    5. Run:

      portal auth-network network-address { mask-length | mask-address }

      The source subnet is set for Portal authentication.

      By default, the source authentication subnet is 0.0.0.0/0, indicating that users in all subnets must pass Portal authentication.

      NOTE:

      The command takes effect for only Layer 3 Portal authentication. In Layer 2 Portal authentication, users on all subnets must be authenticated.

    6. Run:

      portal domain domain-name

      A forcible Portal authentication domain name is set.

      By default, no forcible Portal authentication domain name is set.

  • Set access control parameters for Portal authentication users when a built-in Portal server is used.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      portal local-server authentication-method { chap | pap }

      The authentication mode of the built-in Portal server is set.

      By default, the built-in Portal server uses CHAP to authenticate Portal users.
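Access control parameters from both procedures above in one sequence, as an added example not taken from the Huawei guide. It assumes an external Portal server at 10.10.10.10 and a DNS resolver at 192.168.100.53 (both constructed addresses), a user subnet of 192.168.100.0/24 and an AAA domain portal_users; the user cap and alarm thresholds are constructed values.

```text
# Added example (not from the Huawei guide). Addresses and values are constructed.
system-view
# authentication-free rules: before authentication, users may reach only the
# Portal server (rule 1) and the DNS resolver (rule 2); everything else is blocked
portal free-rule 1 destination ip 10.10.10.10 mask 32 source any
portal free-rule 2 destination ip 192.168.100.53 mask 32 source any
# cap concurrent Portal users and raise an alarm at 80% (clear at 100%) of the cap
portal max-user 200
portal user-alarm percentage 80 100
interface vlanif 100
 # only this subnet is authenticated; takes effect for Layer 3 Portal authentication
 portal auth-network 192.168.100.0 24
 # force every Portal user on this interface into one AAA domain
 portal domain portal_users
 quit
# built-in Portal server: chap is the default; pap is needed only when the
# back-end authentication server cannot verify CHAP
portal local-server authentication-method chap
```

Rule-id free rules and an ACL-based free rule (portal free-rule acl) cannot coexist, so pick one style for the whole device; the rule-id form above is enough for the small allow-list a Portal deployment usually needs.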

(Optional) Configuring the Session Timeout Interval for Built-in Portal Authentication Users

Context

When built-in Portal authentication is used for users and the device functions as a built-in Portal server, you can configure the session timeout interval for the users. The users are disconnected after the specified session timeout interval. To connect to the network again, the users need to be re-authenticated.

The session timeout interval for built-in Portal authentication users is calculated based on the device time. For example, if the session timeout interval is 6 hours and the device time is 2014-09-01 02:00:00 when a user was connected, the user should be disconnected at 2014-09-01 08:00:00. Therefore, ensure that the device time is correct after the session timeout interval is configured for users. If the device time is incorrect, users may fail to be connected or disconnected properly. You can run the display clock command to check the device time and the clock datetime HH:MM:SS YYYY-MM-DD command to configure the time.

NOTE:

This function applies only to built-in Portal servers.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    portal local-server timer session-timeout interval

    The session timeout interval is configured for built-in Portal authentication users.

    The default session timeout interval is 8 hours for built-in Portal authentication users.

(Optional) Setting the Offline Detection Interval for Portal Authentication Users

Context

If a Portal authentication user goes offline due to a power failure or network interruption, the device and Portal server may still store the user information, which leads to incorrect accounting. In addition, only a limited number of users can access the device. If a user goes offline improperly but the device still stores the user information, other users cannot access the network.

After the offline detection interval is set for Portal authentication users, if a user does not respond within the interval, the device considers the user offline. The device and Portal server then delete the user information and release the occupied resources to ensure efficient resource use.

NOTE:

This function applies only to Layer 2 Portal authentication.

The heartbeat detection function of the authentication server can be used to ensure the normal online status of PC users for whom Layer 3 Portal authentication is used. If the authentication server detects that a user goes offline, it instructs the device to disconnect the user.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    portal timer offline-detect time-length

    The period for detecting Portal authentication user logout is set.

    By default, the interval for detecting Portal authentication user logout is 300s.

(Optional) Configuring the Detection Function for Portal Authentication

Context

In practical networking applications of Portal authentication, if communication is interrupted due to a network failure between the device and the Portal server or because the Portal server fails, new Portal authentication users cannot go online, and online Portal users cannot go offline normally.

With the Portal authentication detection function, when the network fails or the Portal server stops working properly, the device either keeps allowing users to use the network with certain access rights or forces all online users offline. The device reports the failure using logs and traps.

NOTE:

This function applies only to external Portal servers.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    web-auth-server server-name

    The Portal server template view is displayed.

  3. Run:

    server-detect { interval interval-period | max-times times | critical-num critical-num | action { log | trap | { permit-all | offline } } * } *

    The detection function of the Portal server is enabled.

    By default, the detection function of the Portal server is disabled.

(Optional) Configuring User Information Synchronization

Context

If communication is interrupted because the network between the device and Portal server is disconnected or the Portal server is faulty, online Portal authentication users cannot go offline. Therefore, user information on the device and on the Portal server may be inconsistent and accounting may be inaccurate.

The user information synchronization function ensures that user information on the Portal server is the same as that on the device, ensuring accurate accounting.

NOTE:

This function is valid for only external Portal servers.

For Layer 3 Portal authentication, the device currently can synchronize user information with the Huawei Agile Controller-Campus server. When the device is connected to other Portal servers, user information may fail to be synchronized and users cannot go offline in real time. In this case, you can run the cut access-user command or use the NMS or RADIUS DM to force users to go offline.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    web-auth-server server-name

    The Portal server template view is displayed.

  3. Run:

    user-sync [ interval interval-period | max-times times ] *

    User information synchronization is enabled.

    By default, user information synchronization is disabled.

(Optional) Configuring CNA Bypass for IOS Terminals

Context

The IOS operating system provides the Captive Network Assistant (CNA) function. With the CNA function, IOS terminals (including the iPhone, iPad, and iMac) automatically detect wireless network connectivity after associating with a wireless network. If the network connection cannot be set up, the IOS terminals ask users to enter user names and passwords. If users do not enter the user names and passwords, the IOS terminals automatically disconnect from the wireless network.

However, Portal authentication allows users to access certain resources before authentication is successful. If the IOS terminals are disconnected, users cannot access the specified resources. The CNA bypass function addresses this problem. If the users do not enter user names and passwords immediately, the CNA bypass function keeps the IOS terminals online before the Portal authentication is successful. Therefore, the IOS users are allowed to access authentication-free resources.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    portal captive-bypass enable

    The CNA bypass function is enabled for IOS terminals.

    By default, the CNA bypass function is disabled for IOS terminals.

(Optional) Configuring the Quiet Timer

Context

After the quiet timer is enabled, if the number of Portal authentication failures exceeds the specified value within 60s, the device keeps the Portal authentication user in quiet state for a period of time. During the quiet period, the device discards Portal authentication requests from the user. This prevents the impact of frequent authentications on the system.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    portal quiet-period

    The quiet timer is enabled.

    By default, the quiet timer is disabled.

  3. Run:

    portal quiet-times fail-times

    The maximum number of authentication failures within 60s before a Portal authentication user enters the quiet state is set.

    By default, the device allows a maximum of three authentication failures within 60s before a Portal authentication user is kept in quiet state.

  4. Run:

    portal timer quiet-period quiet-period-value

    The quiet period for Portal authentication is set.

    By default, the quiet period for Portal authentication is 60s.
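The four optional functions above (server detection, user information synchronization, CNA bypass and the quiet timer) configured together for an external Portal server, as an added example that is not from the Huawei guide. It assumes the template portal_srv exists; the interval, retry and threshold values are constructed.

```text
# Added example (not from the Huawei guide). Interval and threshold values are constructed.
system-view
web-auth-server portal_srv
 # probe the Portal server every 60 s; three missed probes mean it is down.
 # action offline fails closed: online users are cut when the server is unreachable.
 # action permit-all would fail open: users keep network access without a working
 # Portal server. Only one of the two can be chosen; log and trap report either way.
 server-detect interval 60 max-times 3 action log trap offline
 # resynchronise the online-user table with the Portal server every 300 s;
 # after three unanswered requests the device treats the tables as out of sync
 user-sync interval 300 max-times 3
 quit
# keep CNA-capable IOS terminals associated while they are still unauthenticated
portal captive-bypass enable
# quiet timer: three failures within 60 s put the user in quiet state for 120 s,
# during which further authentication requests from that user are discarded
portal quiet-period
portal quiet-times 3
portal timer quiet-period 120
```

The choice between offline and permit-all is the security decision in this block: offline preserves the authentication requirement at the cost of availability during a Portal outage, permit-all does the opposite. The user-sync function is only known to work against the Huawei Agile Controller-Campus server for Layer 3 Portal authentication, as the note above states.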

(Optional) Configuring Web Push

Context

After a user is successfully authenticated, the device forcibly redirects the user to a web page when it receives the first HTTP packet from the user. In addition to pushing advertisement pages, the device can obtain user terminal information from the HTTP packets sent by users and apply that information to other services. There are two ways to push web pages:
  1. URL: pushes the URL corresponding to the web page.
  2. URL template: pushes the URL template. A URL template must be created. The URL template contains the URL of the pushed web page and URL parameters.

Procedure

  1. Configure the URL template.

    1. Run the system-view command to enter the system view.
    2. Run the url-template name template-name command to create a URL template and enter the URL template view.

      By default, no URL template exists on the device.

    3. Run the url [ push-only ] url-string [ ssid ssid ] command to configure the redirection URL corresponding to the Portal server.

      By default, no pushed URL is configured.

    4. Run the url-parameter { ac-ip ac-ip-value | ac-mac ac-mac-value | ap-ip ap-ip-value | ap-mac ap-mac-value | redirect-url redirect-url-value | ssid ssid-value | sysname sysname-value | user-ipaddress user-ipaddress-value | user-mac user-mac-value | user-vlan user-vlan-value} * command to set the parameters carried in the URL.

      By default, a URL does not carry parameters.

    5. Run the url-parameter mac-address format delimiter delimiter { normal | compact } command to set the MAC address format in the URL.

      By default, the MAC address format in the URL is XXXXXXXXXXXX.

    6. Run the parameter { start-mark parameter-value | assignment-mark parameter-value | isolate-mark parameter-value } * command to set the characters in the URL.

      By default, the start character is ?, assignment character is =, and delimiter is &.

    7. Run the quit command to return to the system view.
    NOTE:

    If web pages are pushed in URL mode, this step can be skipped.

  2. Configure the Web push function.

    1. Run the aaa command to enter the AAA view.
    2. Run the domain domain-name command to create an AAA domain and enter the AAA domain view.

      The device has two default domains: default and default_admin. The default domain is used by common access users and the default_admin domain is used by administrators.

    3. Run the force-push { url-template template-name | url url-address } command to enable the forcible URL template or URL push function.

(Optional) Configuring the Interval for Pushing Web Pages

Context

When a user requests to access the Internet, the router preferentially uses the MAC address for user authentication and allows the access of the user only after the user is authenticated. After the interval for pushing web pages is configured, a user who is accessing the Internet is forcibly redirected to the specified web page at a fixed interval. The user must manually close the web page to resume Internet access. This function can be used for advertisement.

NOTE:
  • Only the AR510 series and AR503GW-LcM7 support this function.

  • When the HTTPS mode is used, no web page will be pushed.

  • This configuration is supported only when the AAA local authentication mode is none.

Procedure

  • Configure MAC address-prioritized Portal authentication.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface wlan-bss wlan-bss-number

      A WLAN-BSS interface is created and the WLAN-BSS interface view is displayed.

    3. Run:

      port hybrid tagged vlan vlan-id

      The VLAN to which the hybrid interface is added is specified. The frames from this VLAN pass the interface in tagged mode.

      By default, a hybrid interface is added to VLAN1 in untagged mode.

    4. Run:

      web-authentication first-mac

      MAC address-prioritized Portal authentication is enabled.

      By default, MAC address-prioritized Portal authentication is disabled.

    5. Run:

      quit

      Return to the system view.

    6. Run:

      web-service aaa server url authorize-enable

      The URL address of the authentication server is configured and the function of receiving user authority information is enabled.

      By default, no URL is configured for the authentication server and the function of receiving user authority information is disabled.

  • Configure the interval for pushing web pages.
    1. Run:

      interface vlanif vlan-id

      The VLANIF interface view is displayed.

      The VLAN ID of a VLANIF interface must correspond to a created VLAN.

    2. Run:

      web-auth-server server-name [ bak-server-name ] direct

      A Portal server profile is bound to an interface and Layer 2 authentication is configured.

      By default, no Portal server profile is bound to an interface.

    3. Run:

      url-template template-name [ interval time ]

      The interval for pushing web pages is set.

      By default, the interval for pushing web pages is 20 minutes.
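Web push configured in URL template mode, both as a one-time push after login (the AAA domain procedure above) and as a periodic push on the interface (the interval procedure above, AR510 series and AR503GW-LcM7 only). This is an added example, not a configuration from the Huawei guide; it assumes the Portal server template portal_srv and the AAA domain portal_users exist, and the template name welcome_tpl, the URL and the interval are constructed values.

```text
# Added example (not from the Huawei guide). Names and values are constructed.
system-view
# a template marked push-only is used for pushing pages, not for pre-auth redirection
url-template name welcome_tpl
 url push-only http://10.10.10.20/welcome
 # let the page know which user and VLAN it is being shown to
 url-parameter user-ipaddress userip user-vlan vlan
 quit
# one-time push: the first HTTP request after login goes to the welcome page
aaa
 domain portal_users
  force-push url-template welcome_tpl
  # alternative without a template: force-push url http://10.10.10.20/welcome
  quit
 quit
# periodic push on the Layer 2 Portal interface (AR510 series / AR503GW-LcM7 only):
# the user is redirected to the page every 60 minutes and must close it to continue
interface vlanif 100
 web-auth-server portal_srv direct
 url-template welcome_tpl interval 60
 quit
```

The interval is taken to be in minutes, matching the 20-minute default stated above. Remember that with HTTPS in use no page is pushed, and that the periodic push requires the AAA local authentication mode to be none.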

(Optional) Configuring HTTP-based Authentication and Accounting Functions

Context

In traditional NAC scenarios, Portal and RADIUS authentication modes are often used for carriers and enterprises that require a complete authentication solution. In Internet access scenarios, access control devices need to connect to Internet or cloud servers. Therefore, they need to provide HTTP-based authentication and obtain user authorization information, including online duration, traffic usage, and bandwidth. After users access the Internet, the access control device periodically sends accounting packets to the authentication and accounting server. The server performs accounting for the users based on user traffic statistics. When the online duration or traffic usage exceeds authorization, the device forcibly disconnects the user and sends the disconnection message of the user to the authentication and accounting server.

NOTE:

Only the AR510 series, AR509GW-L-D-H, AR503GW-LM7, and AR503GW-LcM7, which can work as a WLAN Fat AP, support this configuration.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface wlan-bss wlan-bss-number

    A WLAN-BSS interface is created and the WLAN-BSS interface view is displayed.

  3. Run:

    web-authentication first-mac

    MAC address-prioritized Portal authentication is enabled.

    By default, MAC address-prioritized Portal authentication is disabled.

  4. Run:

    web-service access enable

    Authentication and accounting functions are enabled on the WLAN-BSS interface.

    By default, authentication and accounting functions are disabled on a WLAN-BSS interface.

  5. Run:

    quit

    Return to the system view.

  6. Run:

    web-service aaa server url authorize-enable

    A URL is configured for the authentication and accounting server.

    By default, no URL is configured for the authentication and accounting server.

  7. (Optional) Run:

    web-service accounting enable

    The device is enabled to send accounting packets to the authentication and accounting server.

    By default, the device does not send accounting packets to the authentication and accounting server.

    To perform accounting for users based on the volume of traffic destined for the Internet, use this command.

  8. (Optional) Run:

    web-service accounting interval interval

    The interval at which the device sends accounting packets to the authentication and accounting server is configured.

    By default, the device sends accounting packets to the authentication and accounting server at an interval of 30 seconds.

    To enable the device to periodically send accounting packets to the authentication and accounting server, use this command.

    NOTE:

    Before running the preceding command, run the web-service accounting enable command to enable the device to send accounting packets to the authentication and accounting server.

  9. (Optional) Run:

    web-service access auto-logon

    The device is configured to automatically send an authentication request to the authentication server after a user associates with the device.

    By default, the device does not automatically send an authentication request to the authentication server.

  10. (Optional) Run:

    web-service access listening-port port-number

    The port on which the device listens for user login requests is configured.

    By default, the listening port number for user login requests is 2000.
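The following configuration assembles steps 1 to 10 above into one fragment. It is an added example, not taken from this Huawei document; the WLAN-BSS interface number, the server URL, and the timer values are constructed placeholders, and the comment lines are annotations rather than configuration.

```text
# Added example (not from the Huawei document): HTTP-based authentication
# and accounting on a WLAN-BSS interface, following steps 1-10 above.
# Interface number, server URL and timer values are constructed.
system-view
 interface wlan-bss 1
  # MAC address-prioritized Portal authentication (step 3)
  web-authentication first-mac
  # Enable authentication and accounting on this interface (step 4)
  web-service access enable
  quit
 # Authentication and accounting server URL (constructed placeholder).
 # An HTTPS URL keeps the authentication exchange from crossing the
 # network in clear text.
 web-service aaa server https://aaa.example.com/auth authorize-enable
 # Traffic-based accounting, reported every 60 seconds instead of the
 # default 30 seconds (steps 7 and 8; 'enable' must precede 'interval')
 web-service accounting enable
 web-service accounting interval 60
 # Send the authentication request as soon as a user associates (step 9)
 web-service access auto-logon
 # Listening port for user login requests; 2000 is the default (step 10)
 web-service access listening-port 2000
```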

(Optional) Configuring the User Group Function

Context

In NAC applications, there are many access users, but user types are limited. You can create user groups on the device and associate each user group to an ACL. In this way, users in the same group share rules in the ACL.

After creating user groups, you can set priorities and VLANs for the user groups, so that users in different user groups have different priorities and network access rights. The administrator can then flexibly manage users.

NOTE:

The user group authorization information delivered by the authentication server takes precedence over the user group authorization information applied in the AAA domain. If the user group authorization information delivered by the authentication server cannot take effect, the user group authorization information applied in the AAA domain cannot be used either. For example, if only user group B is configured on the device and its group authorization information is applied in the AAA domain, but the authentication server delivers authorization information for user group A, then neither the authorization information for user group A nor that for user group B takes effect. To make the user group authorization information delivered by the authentication server take effect, ensure that this user group is configured on the device. To make the user group authorization information applied in the AAA domain take effect, ensure that the authentication server does not deliver any user group attribute.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    user-group group-name

    A user group is created and the user group view is displayed.

  3. Run:

    acl-id acl-number

    An ACL is bound to the user group.

    By default, no ACL is bound to a user group.

    NOTE:
    • Before running this command, ensure that the ACL has been created using the acl (system view) or acl name command and ACL rules have been configured using the rule command.

    • If a user group contains online users, the ACL bound to the user group cannot be modified or deleted in the system view.

  4. Run:

    remark { 8021p 8021p-value | dscp dscp-value | exp exp-value | lp lp-value }*

    The user group priority is configured.

    By default, no user group priority is configured.
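The following fragment applies steps 1 to 4 above to a constructed user group. It is an added example, not taken from this Huawei document; the group name, ACL number, ACL rules, and priority values are assumptions, and the comment lines are annotations rather than configuration.

```text
# Added example (not from the Huawei document): user group "guest" bound
# to ACL 3001 with a DSCP and 802.1p priority, following steps 1-4 above.
# Group name, ACL number, rule contents and priority values are constructed.
system-view
 # The ACL and its rules must exist before the user group references it
 # (see the note under step 3). Only the 10.10.0.0/16 range is reachable;
 # everything else from this group is dropped.
 acl 3001
  rule 5 permit ip destination 10.10.0.0 0.0.255.255
  rule 10 deny ip
  quit
 # Create the group (step 2), bind the ACL (step 3), set priority (step 4).
 # While members of the group are online, ACL 3001 cannot be modified or
 # deleted in the system view.
 user-group guest
  acl-id 3001
  remark dscp 10 8021p 1
  quit
```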

(Optional) Configuring the User Logout Delay Function When an Interface Link Is Faulty

Context

If a link is faulty, the interface is interrupted and users are directly logged out. To solve this problem, you can configure the user logout delay function. When the interface link is faulty, the users remain online within the delay. In this case, if the link is restored, the users do not need to be re-authenticated. If the users are disconnected after the delay and the link is restored, the users need to be re-authenticated.

NOTE:
  • This function takes effect only for wired users who go online on Layer 2 physical interfaces that have been configured with NAC authentication.

  • To make the function take effect, it is recommended that the configured interval be greater than the time during which the interface is in Up state.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. Run:

    link-down offline delay { delay-value | unlimited }

    The user logout delay that applies when an interface link is faulty is configured.

    The default user logout delay is 10 seconds when an interface link is faulty.

    If the delay is 0, users are logged out immediately when the interface link is faulty. If the delay is unlimited, users are not logged out when the interface link is faulty.

Checking the Configuration

Context

You can run the commands to check the configured parameters after completing the Portal authentication configuration.

Procedure

  • When an external Portal server is used, run the following commands to check the configuration.

    • Run the display portal [ interface interface-type interface-number ] command to check the Portal authentication configuration.
    • Run the display web-auth-server configuration command to check the configuration of the Portal authentication server.
    • Run the display server-detect state [ web-auth-server server-name ] command to check the status of a Portal server.
    • Run the display user-group [ group-name ] command to check the user group configuration.
    • Run the display access-user user-group group-name command to check summary information about online users in a user group.
    • Run the display portal quiet-user { all | server-ip ip-address | user-ip ip-address } command to check information about Portal authentication users in quiet state.

  • When a built-in Portal server is used, run the following commands to check the configuration.

    • Run the display portal local-server command to check the configuration of a built-in Portal server.
    • Run the display portal local-server connect [ user-ip ip-address ] command to check the connection status of Portal authentication users on the built-in Portal server.
    • Run the display portal quiet-user { all | server-ip ip-address | user-ip ip-address } command to check information about Portal authentication users in quiet state.

Updated: 2019-05-25

Document ID: EDOC1000097287
