S1720GFR, S2700, S5700, and S6720 V200R010C00 Web-based Configuration Guide

This document describes how to configure and maintain the device through the web network management system. The web network management system provides functions for viewing device information and managing the entire system, interfaces, services, ACL, QoS, routes, security, and tools.
Security Services

Security services include ACL Config, ACL Reference, AAA, AAA Service App, and AAA Profile Manage.

NOTE:

Only the S5720HI supports security service management.

This node is only available in the NAC unified mode.

ACL Config

This section describes ACL configurations.

ACL Config

An ACL defines rules based on source IPv4 addresses, destination IPv4 addresses, IPv4 protocol types, ICMP types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges.

Procedure

  • Query an ACL.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
    2. Set the search criteria.
    3. Click to display all matching records.
  • Create an ACL.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
    2. Click Create to open the Create ACL page, as shown in Figure 1-145.

      Figure 1-145  Create ACL

      Table 1-94 describes the parameters on the page.

      Table 1-94  Create ACL

      Parameter

      Description

      ACL name

      Indicates the name of an ACL. The ACL name must be unique.
      NOTE:
      • The value is a string starting with a letter, without spaces.
      • Either an ACL number or an ACL name is required to identify an ACL.
      • When you modify an ACL, the ACL name cannot be changed.

      ACL number

      Indicates the number of an ACL. It identifies an ACL. The value is an integer that ranges from 3000 to 3999.
      NOTE:
      • When you modify an ACL, the ACL number cannot be changed.
      • Either an ACL number or an ACL name is required to identify an ACL.

      ACL description

      Indicates the description of an ACL. It is optional.

    3. Click OK.
  • Modify an ACL.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
    2. Select an ACL and click Modify.

      NOTE:
      • Table 1-94 describes the parameters on the page.
      • The ACL name and number cannot be changed.

  • Delete an ACL.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
    2. Select an ACL and click Delete. If the ACL contains rules, the system prompts you that the rules in the ACL will be deleted and asks you whether to delete the ACL.
    3. Click OK. If the operation succeeds, the system returns to the ACL Config page; otherwise, an error message is displayed.
  • Add rules.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
    2. Select an ACL and click Add Rule.

      Figure 1-146 shows the Add Rule page.

      Figure 1-146  Add Rule

      Table 1-95 describes the parameters for adding rules.

      Table 1-95  Add Rule

      Parameter

      Description

      Action

      Indicates whether to permit or deny packets. The default action is permit.

      Protocol type

      Indicates the type of the protocol. It is mandatory. The protocol types include:
      • GRE(47)
      • ICMP(1)
      • IGMP(2)
      • IP
      • IPINIP(4)
      • OSPF(89)
      • TCP(6)
      • UDP(17)
      • Customized type
        NOTE:

        The text box is valid only when the protocol type is customized.

      Match IP

      Source IP/Wildcard

      Indicates the IP address and wildcard. By default, all source IP addresses are specified.

      Destination IP/Wildcard

      Indicates the IP address and wildcard. By default, all destination IP addresses are specified.

      Match Packet Priority

      IP precedence

      Indicates that the packets are filtered according to the precedence field.

      TOS

      Indicates that packets are filtered according to the Type of Service (ToS).

      DSCP

      Specifies the Differentiated Services Code Point (DSCP).

      NOTE:
      • If you set the IP precedence or TOS, the DSCP priority cannot be set.
      • If you set the DSCP priority, the IP precedence or TOS cannot be set.

      Matching Interface

      Source port number

      This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched.

      Dest port number

      This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched.

      Set Time

      Time range

      Indicates the time range when the ACL takes effect.
      NOTE:

      The time range name is displayed on the configuration result page.

    3. Click OK.
  • Modify a rule.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
    2. Select an ACL and click to expand the ACL rules.
    3. Click the modify icon of a rule to modify the rule. Table 1-95 describes the parameters on the page.

    NOTE:

    Click the move icons to change the order of the rule, and click Apply to make the new order take effect.

  • Delete a rule.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > ACL Config to open the ACL Config page.
    2. Select an ACL and click to expand the ACL rules.
    3. Click the delete icon of a rule to delete the rule. In the dialog box that is displayed, click OK.
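
The rule fields in Table 1-95 and the identity constraints in Table 1-94 can be checked offline before they are typed into the page. The following is an added example, not code from the guide or from the device. It assumes the usual wildcard convention (a 0 bit is compared, a 1 bit is ignored), that the first matching rule in the configured order decides, and that a port field holds a single port. The packet and rule values are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Protocol numbers as listed in Table 1-95; "ip" matches every IPv4 protocol.
PROTOCOLS = {"gre": 47, "icmp": 1, "igmp": 2, "ipinip": 4, "ospf": 89, "tcp": 6, "udp": 17}
# Number ranges from Table 1-94 (ACL Config) and Table 1-96 (UCL Config).
ACL_NUMBER_RANGES = {"acl": range(3000, 4000), "ucl": range(6000, 10000)}


def check_acl_identity(kind: str, name: Optional[str] = None, number: Optional[int] = None) -> list:
    """Apply the naming and numbering constraints from Tables 1-94 and 1-96."""
    problems = []
    if name is None and number is None:
        problems.append("either an ACL number or an ACL name is required")
    if name is not None and not re.fullmatch(r"[A-Za-z]\S*", name):
        problems.append("name must start with a letter and contain no spaces")
    if number is not None and number not in ACL_NUMBER_RANGES[kind]:
        problems.append(f"number {number} is outside the {kind} range")
    return problems


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Assumed convention: wildcard bits set to 0 are compared, bits set to 1 are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def looks_like_subnet_mask(wildcard: str) -> bool:
    """Flag values such as 255.255.255.0 that were probably meant as 0.0.0.255."""
    value = to_int(wildcard)
    if value in (0, 0xFFFFFFFF):              # valid wildcards in their own right
        return False
    inverted = ~value & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0   # value is a run of ones followed by zeros


@dataclass
class Rule:
    action: str = "permit"                    # Table 1-95: the default action is permit
    protocol: Union[str, int] = "ip"          # a PROTOCOLS name, "ip", or a customized number
    src: Optional[Tuple[str, str]] = None     # (address, wildcard); None matches any source
    dst: Optional[Tuple[str, str]] = None     # (address, wildcard); None matches any destination
    sport: Optional[int] = None               # None matches any source port
    dport: Optional[int] = None               # None matches any destination port

    def __post_init__(self):
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if (self.sport, self.dport) != (None, None) and self.protocol not in ("tcp", "udp", 6, 17):
            raise ValueError("port numbers are valid only for TCP or UDP")

    def matches(self, pkt: dict) -> bool:
        number = PROTOCOLS.get(self.protocol, self.protocol)
        if number != "ip" and number != pkt["proto"]:
            return False
        for selector, key in ((self.src, "src"), (self.dst, "dst")):
            if selector is not None and not wildcard_match(pkt[key], *selector):
                return False
        for wanted, key in ((self.sport, "sport"), (self.dport, "dport")):
            if wanted is not None and pkt.get(key) != wanted:
                return False
        return True


def evaluate(rules: list, pkt: dict):
    """Return (action, rule index) of the first matching rule, or (None, None) if none matches."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return None, None


# Constructed sample data (not from the guide).
TELNET_FROM_LAN = {"proto": 6, "src": "10.1.1.7", "dst": "10.9.9.1", "sport": 40000, "dport": 23}
INTENDED = [Rule("deny", "tcp", src=("10.1.1.0", "0.0.0.255"), dport=23), Rule("permit", "ip")]
# Same rule with a subnet mask typed into the wildcard field.
MISTYPED = [Rule("deny", "tcp", src=("10.1.1.0", "255.255.255.0"), dport=23), Rule("permit", "ip")]

if __name__ == "__main__":
    print("intended:", evaluate(INTENDED, TELNET_FROM_LAN))
    print("mistyped:", evaluate(MISTYPED, TELNET_FROM_LAN))
    print("reordered:", evaluate(list(reversed(INTENDED)), TELNET_FROM_LAN))
    for rule in MISTYPED:
        if rule.src and looks_like_subnet_mask(rule.src[1]):
            print("review wildcard:", rule.src)
```

With the mistyped wildcard the deny rule no longer matches the intended host and the packet falls through to the permit rule, which is why the mask check is worth running before a rule is applied.
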
UCL Config

A UCL matches packets based on source IP addresses or source UCL groups, destination IP addresses or destination UCL groups, IP protocol type, ICMP type, TCP source/destination ports, and UDP source/destination ports.

Procedure

  • Query ACLs.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
    2. Set the search criteria.
    3. Click to display all matching records.
  • Create an ACL.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
    2. Click Create to open the Create ACL page, as shown in Figure 1-147.

      Figure 1-147  Create ACL

      Table 1-96 describes the parameters on the page.

      Table 1-96  Create ACL

      Parameter

      Description

      ACL name

      Indicates the name of an ACL. The ACL name must be unique.
      NOTE:
      • The value is a string starting with a letter, without spaces.
      • Either an ACL number or an ACL name is required to identify an ACL.
      • When you modify an ACL, the ACL name cannot be changed.

      ACL number

      Indicates the number of an ACL. It identifies an ACL. The value is an integer that ranges from 6000 to 9999.
      NOTE:
      • When you modify an ACL, the ACL number cannot be changed.
      • Either an ACL number or an ACL name is required to identify an ACL.

      ACL description

      Indicates the description of an ACL. It is optional.

    3. Click OK.
  • Modify an ACL.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
    2. Select an ACL and click Modify.

      NOTE:
      • Table 1-96 describes the parameters on the page.
      • The ACL name and number cannot be changed.

  • Delete an ACL.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
    2. Select an ACL and click Delete. If the ACL contains rules, the system prompts you that the rules in the ACL will be deleted and asks you whether to delete the ACL.
    3. Click OK. If the operation succeeds, the system returns to the UCL Config page; otherwise, an error message is displayed.
  • Add a rule.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
    2. Click Add Rule of an ACL.

      If the ACL is a UCL, the rule page is displayed as shown in Figure 1-148.

      Figure 1-148  Add Rule

      Table 1-97 describes the parameters for adding rules.

      Table 1-97  Add Rule

      Parameter

      Description

      Action

      Indicates whether to permit or deny packets. The default action is permit.

      Protocol type

      Indicates the type of the protocol. It is mandatory. The protocol types include:
      • GRE(47)
      • ICMP(1)
      • IGMP(2)
      • IP
      • IPINIP(4)
      • OSPF(89)
      • TCP(6)
      • UDP(17)
      • Customized type
        NOTE:

        The text box is valid only when the protocol type is customized.

      Source

      Source IP/Wildcard

      Indicates the IP address and wildcard. The source IP address and wildcard are in dotted decimal format.

      NOTE:

      If the source IP address and wildcard are not specified, any source IP address is matched.

      Source user group

      Indicates the source user group of packets. Select the following operations:
      • To specify the source UCL group, click the corresponding icon.
      • To create a source UCL group, click the corresponding icon.
      • To modify the source UCL group, click the corresponding icon.
      • To delete the source UCL group, click the corresponding icon.

      Destination

      Destination IP/Wildcard

      Indicates the destination IP address and wildcard in packets.

      The destination IP address and wildcard are in dotted decimal format.

      NOTE:

      If the destination IP address and wildcard are not specified, any destination IP address is matched.

      Dest user group

      Indicates the destination user group of packets. Select the following operations:
      • To specify the destination UCL group, click the corresponding icon.
      • To create a destination UCL group, click the corresponding icon.
      • To modify the destination UCL group, click the corresponding icon.
      • To delete the destination UCL group, click the corresponding icon.

      Matching Interface

      Source port number

      This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched.

      Destination port number

      This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched.

      Set Time

      Time range

      Indicates the time range when the ACL takes effect.
      NOTE:

      The time range name is displayed on the configuration result page.

    3. Click OK.
  • Modify a rule.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
    2. Select an ACL and click to expand the ACL rules.
    3. Click the modify icon of a rule to modify the rule. Table 1-97 describes the parameters on the page.

    NOTE:

    Click the move icons to change the order of the rule, and click Apply to make the new order take effect.

  • Delete a rule.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > UCL Config to open the UCL Config page.
    2. Select an ACL and click to expand the ACL rules.
    3. Click the delete icon of a rule to delete the rule. In the dialog box that is displayed, click OK.
Validity Time Range

By configuring the effective period, you can apply an ACL in a certain period of time.

Context

  • A time range specifies a period of time. In practice, users may want certain ACL rules to be valid during a certain period but be invalid out of the period. That is, the ACL rules are used to filter packets based on the time range. In this case, you can set one or multiple time ranges, and apply the time ranges to a created ACL. Then, packets can be filtered based on the set time ranges.
  • An effective period can contain periodic time ranges and validity periods. A periodic time range takes effect on a certain day in a week. A validity period contains the start time and the end time.

Procedure

  • Create a time range.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > Validity Time Range to open the Validity Time Range page.
    2. Click Create to open the Create Time Range page, as shown in Figure 1-149.

      Figure 1-149  Create Time Range

      Table 1-98 describes the parameters on the page.

      Table 1-98  Create Time Range

      Parameter

      Description

      Time range name

      Indicates the name of the created time range. It is mandatory.

      Time Range

      Indicates a validity period.

      A validity period contains the start time and the end time. You can configure multiple validity periods by clicking the add icon. To delete validity periods, select the records you want to delete and click the delete icon.
      NOTE:

      If only one validity period is created, the validity period takes effect when the current time is within it.

      Validity Time

      Indicates the periodic time range.

      A periodic time range takes effect on a certain day in a week. You can configure multiple periodic time ranges by clicking the add icon. To delete time ranges, select the records you want to delete and click the delete icon.
      NOTE:

      If only one periodic time range is created, the time range takes effect when the current time is within the periodic time range.

    3. Set the required parameters.

      NOTE:
      • If an effective period contains both time range and validity time, the effective period takes effect only when the current time is within the time range and validity time.
      • The start time and end time of the time range can be earlier than the current time.
      • Either the time range or validity time must be set.

    4. Click OK.
  • Modify a time range.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > Validity Time Range to open the Validity Time Range page.
    2. Click a time range name to open the Modify Time Range page, as shown in Figure 1-150.

      Figure 1-150  Modify Time Range

      NOTE:
      • Table 1-98 describes the parameters on the page.
      • The time range name cannot be modified.
      • The time range and validity time can only be deleted, but cannot be modified.

    3. Set the required parameters.
    4. Click OK.
  • Delete a time range.
    1. Click Configuration in the function area. Choose Security Services > ACL Config > Validity Time Range to open the Validity Time Range page.
    2. Select a record that you want to delete and click Delete. The system asks you whether to delete the record.

      NOTE:
      • To select a record, click the checkbox of the record.
      • To delete records in batches, click the checkboxes of records.

    3. Click OK.
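
The combination rule in the NOTE of step 3 (both the time range and the validity time must hold when both are set) decides when a time-bound ACL rule is actually in force. The following is an added example, not code from the guide or the device. It assumes that several entries of the same kind are alternatives (any one may hold) and that the end time is inclusive. The class names and the sample periods are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Periodic:
    """Periodic time range ("Validity Time" in Table 1-98): weekdays plus a daily window."""
    weekdays: FrozenSet[int]          # 0 = Monday ... 6 = Sunday
    start: time
    end: time

    def contains(self, now: datetime) -> bool:
        return now.weekday() in self.weekdays and self.start <= now.time() <= self.end


@dataclass
class EffectivePeriod:
    name: str
    # "Time Range" in Table 1-98: validity periods as (start, end) pairs.
    validity_periods: List[Tuple[datetime, datetime]] = field(default_factory=list)
    # "Validity Time" in Table 1-98: periodic time ranges.
    periodic_ranges: List[Periodic] = field(default_factory=list)

    def __post_init__(self):
        if not self.name:
            raise ValueError("the time range name is mandatory")
        if not self.validity_periods and not self.periodic_ranges:
            raise ValueError("either the time range or the validity time must be set")

    def active(self, now: datetime) -> bool:
        # Assumption: entries of the same kind are alternatives.
        in_validity = any(start <= now <= end for start, end in self.validity_periods)
        in_periodic = any(p.contains(now) for p in self.periodic_ranges)
        if self.validity_periods and self.periodic_ranges:
            return in_validity and in_periodic   # both kinds set: both must hold
        return in_validity or in_periodic        # only one kind set


def inactive_hours(period: EffectivePeriod, day: datetime) -> List[int]:
    """Hours of the given day, sampled on the hour, in which a rule bound to the period is not in force."""
    midnight = day.replace(hour=0, minute=0, second=0, microsecond=0)
    return [h for h in range(24) if not period.active(midnight + timedelta(hours=h))]


# Constructed sample: weekdays 08:00-18:00, valid for March 2024 only.
WORK_HOURS = Periodic(frozenset(range(5)), time(8, 0), time(18, 0))
MARCH = (datetime(2024, 3, 1, 0, 0), datetime(2024, 3, 31, 23, 59))
BOTH = EffectivePeriod("work-march", [MARCH], [WORK_HOURS])
PERIODIC_ONLY = EffectivePeriod("work", periodic_ranges=[WORK_HOURS])

if __name__ == "__main__":
    monday = datetime(2024, 3, 4)
    print("Monday, hours without the rule:", inactive_hours(BOTH, monday))
    print("Saturday, hours without the rule:", inactive_hours(BOTH, datetime(2024, 3, 9)))
    print("After the validity period:", BOTH.active(datetime(2024, 4, 1, 10, 0)))
```

A deny rule bound to such a period filters nothing during the listed hours, so the gaps should be reviewed against what the other rules in the ACL allow.
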

ACL Reference

This section describes how to reference ACLs.

Interface ACL

Context

After creating an ACL, apply it to an interface to filter packets based on interfaces.

Procedure

  1. Choose Configuration > Security Services > ACL Reference and click the Interface ACL tab, as shown in Figure 1-151.

    Figure 1-151  Interface ACL

  2. Select a port to be configured. Perform the following operations as required in the port area:

    • Click a port icon. To deselect the port, click the port icon again.
    • Drag the cursor to select consecutive ports in a batch.
    • Click multiple port icons to select these ports, and click a port icon again to deselect the port.
    • Select a slot where a panel is located. All ports on the panel are selected.

  3. Configure the inbound and outbound ACL numbers.
    1. Click New.
    2. In the dialog box that is displayed, select an ACL number and click OK, as shown in Figure 1-152.

      Figure 1-152  Select ACL

  4. After setting the parameters, click Apply.
VLAN ACL

Context

After creating an ACL, apply it to a VLAN to filter packets based on VLANs.

Procedure

  1. Choose Configuration > Security Services > ACL Reference and click the VLAN ACL tab, as shown in Figure 1-153.

    Figure 1-153  VLAN ACL

  2. Select a VLAN ID.
  3. Configure the inbound and outbound VLAN ACL numbers.
    1. Click the icon to open the ACL selection dialog box.
    2. In the dialog box that is displayed, select an ACL number and click OK, as shown in Figure 1-154.

      Figure 1-154  Select ACL

    3. Click to apply the ACL to a VLAN.
  4. After setting the parameters, click Apply.
WLAN ACL

Context

An ACL applied on a traffic profile allows you to control packets from STAs associated with an AP. An ACL applied on a wired port profile allows you to control packets from wired users associated with an AP.

Procedure

  1. Choose Configuration > Security Services > ACL Reference > WLAN ACL. The WLAN ACL page is displayed.

  2. Set Profile type.
  3. Set Profile name.
  4. Click the icon below IPv4 Packet Filtering to select an egress or ingress ACL.
  5. Click Apply.

AAA

This section describes the AAA configurations.

Authentication Profile

Procedure

  • Create an authentication profile.
    1. Choose Configuration > Security Services > AAA and click the Authentication Profile tab, as shown in Figure 1-155.

      Figure 1-155  Authentication Profile

    2. Click Create. The Create Authentication Profile page is displayed, as shown in Figure 1-156.

      Figure 1-156  Create Authentication Profile

    3. Fill in the profile name.
    4. Click OK. The parameter setting page of the new authentication profile is displayed, as shown in Figure 1-157.

      Figure 1-157  Authentication Profile

      Table 1-99 describes the parameters on the page.
      Table 1-99  Parameters for creating an authentication profile

      Parameter

      Description

      Prevent new auth info from overwriting previous one

      Whether the newly delivered authentication information overwrites all the original authentication information.

      Security string delimiter

      Security character string separator.

    5. Set parameters for the authentication profile.
    6. Click Apply. In the dialog box that is displayed, click OK.
  • Modify an authentication profile.
    1. Choose Configuration > Security Services > AAA and click the Authentication Profile tab.
    2. Click the name of the authentication profile you want to modify on the Authentication Profile List page to open the authentication profile configuration page.
    3. Set parameters for modifying the authentication profile. Table 1-99 describes the parameters for modifying an authentication profile.
    4. Click Apply. In the dialog box that is displayed, click OK.
  • Delete an authentication profile.
    1. Choose Configuration > Security Services > AAA and click the Authentication Profile tab.
    2. Select the name of the profile you want to delete on the Authentication Profile List page and click Delete. The system asks you whether to delete the record.

      NOTE:
      • To select a record, click the checkbox of the record.
      • To delete records in batches, click the checkboxes of records.

    3. Click OK.
  • Display the profile reference relationship.
    1. Choose Configuration > Security Services > AAA and click the Authentication Profile tab.
    2. Select the profile of which you want to display the reference relationship and click Display Reference Relationship. The system displays the types and names of the objects that reference the profile.

      NOTE:

      Click Hide Reference Relationship. The system hides the displayed results.

  • Configure a profile referenced in the authentication profile.

    The following profiles can be referenced in the authentication profile: 802.1X profile, Portal profile, MAC access profile, authentication-free rule profile, and domain profile.

    1. Choose Configuration > Security Services > AAA and click the Authentication Profile tab.
    2. Click the icon on the left of Authentication Profile List. The system displays the authentication profile names. Click the icon on the left of an authentication profile name. The profiles referenced by this profile are displayed in the navigation area.
    3. Click any profile referenced by the authentication profile. The configuration page of the referenced profile is displayed on the right. You can select another profile from the drop-down list or click Create to create a profile, and set the profile parameters. For descriptions of the profile parameters, see its configuration page.
    4. Click Apply. In the dialog box that is displayed, click OK.
Authentication/Authorization/Accounting Scheme

Procedure

  • Configure an authentication scheme.

    • Create an authentication scheme.
      1. Choose Configuration > Security Services > AAA and click the Authentication/Authorization/Accounting Scheme tab, as shown in Figure 1-158.
        Figure 1-158  Authentication/Authorization/Accounting scheme

      2. Click Create in Authentication Scheme List to open the Create Authentication Scheme page, as shown in Figure 1-159.
        Figure 1-159  Create Authentication Scheme

        Table 1-100 describes the parameters on the page.
        Table 1-100  Parameters on the Create Authentication Scheme page

        Item

        Description

        Authentication scheme name

        Specifies the name of an authentication scheme.

        First authentication

        The value can be RADIUS, HWTACACS, Local, or Non-authentication.

        Second authentication

        The value can be a mode except the first authentication mode. When the authentication server of the first authentication mode does not respond, the second authentication mode is triggered.

        When the first authentication mode is no authentication, the second authentication mode cannot be configured.

        Third authentication

        The value can be a mode except the first and second authentication modes. When the authentication servers of the first and second authentication modes do not respond, the third authentication mode is triggered.

        When the second authentication mode is no authentication or not configured, the third authentication mode cannot be configured.

        Fourth authentication

        The value can be no authentication or not configured. When the authentication servers of the first, second, and third authentication modes do not respond, the fourth authentication mode is triggered.

        When the third authentication mode is no authentication or not configured, the fourth authentication mode cannot be configured.

        NOTE:

        If non-authentication is configured, a user passes the authentication using any user name or password. Therefore, to protect the device or network security, you are advised to enable authentication, allowing only the authenticated users to access the device or network.

      3. Set parameters for the authentication scheme.
      4. Click OK.
    • Modify the authentication scheme.
      1. Choose Configuration > Security Services > AAA and click the Authentication/Authorization/Accounting Scheme tab.
      2. Click the authentication scheme that you want to modify in Authentication Scheme List.
      3. Set parameters for the authentication scheme. Table 1-100 describes the parameters on the page.
      4. Click OK.

  • Configure an authorization scheme.

    • Create an authorization scheme.
      1. Choose Configuration > Security Services > AAA and click the Authentication/Authorization/Accounting Scheme tab.
      2. Click Create in Authorization Scheme List to open the Create Authorization Scheme page, as shown in Figure 1-160.
        Figure 1-160  Create Authorization Scheme

        Table 1-101 describes the parameters on the page.
        Table 1-101  Parameters on the Create Authorization Scheme page

        Item

        Description

        Authorization scheme name

        Specifies the name of an authorization scheme.

        First authorization

        The value can be HWTACACS, If-authenticated, Local, or Non-authorization.

        Second authorization

        The value can be a mode except the first authorization mode. When the authorization server of the first authorization mode does not respond, the second authorization mode is triggered.

        When the first authorization mode is no authorization, the second authorization mode cannot be configured.

        Third authorization

        The value can be a mode except the first and second authorization modes. When the authorization servers of the first and second authorization modes do not respond, the third authorization mode is triggered.

        When the second authorization mode is no authorization or not configured, the third authorization mode cannot be configured.

        Fourth authorization

        The value can be no authorization or not configured. When the authorization servers of the first, second, and third authorization modes do not respond, the fourth authorization mode is triggered.

        When the third authorization mode is no authorization or not configured, the fourth authorization mode cannot be configured.

      3. Set parameters for the authorization scheme.
      4. Click OK.
    • Modify the authorization scheme.
      1. Choose Configuration > Security Services > AAA and click the Authentication/Authorization/Accounting Scheme tab.
      2. Click the authorization scheme that you want to modify in Authorization Scheme List.
      3. Modify parameters for the authorization scheme. Table 1-101 describes the parameters on the page.
      4. Click OK.

  • Configure the accounting scheme.

    • Create an accounting scheme.
      1. Choose Configuration > Security Services > AAA and click the Authentication/Authorization/Accounting Scheme tab.
      2. Click Create in Accounting Scheme List to open the Create Accounting Scheme page, as shown in Figure 1-161.
        Figure 1-161  Create Accounting Scheme

        Table 1-102 describes the parameters on the page.
        Table 1-102  Parameters on the Create Accounting Scheme page

        Item

        Description

        Accounting scheme name

        Specifies the name of an accounting scheme.

        Accounting mode

        Indicates the accounting mode.
        • Non-accounting
        • RADIUS accounting
        • HWTACACS accounting
      3. Set parameters for the accounting scheme.
      4. Click OK.
    • Modify the accounting scheme.
      1. Choose Configuration > Security Services > AAA and click the Authentication/Authorization/Accounting Scheme tab.
      2. Click the accounting scheme that you want to modify in Accounting Scheme List.
      3. Modify parameters for the accounting scheme. Table 1-102 describes the parameters on the page.
      4. Click OK.
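
The ordering constraints in Tables 1-100 and 1-101, and the NOTE about non-authentication, can be turned into a review check for a planned scheme. The following is an added example, not code from the guide or the device. It models a scheme as an ordered list of configured modes, assumes at least one mode is configured, and treats a mode as skipped only when its server does not respond, as the tables describe. The function names and sample chains are constructed.

```python
from typing import Iterable, List, Optional, Sequence, Tuple

# Mode lists from Tables 1-100 and 1-101; the last entry is the mode that performs no check.
AUTHENTICATION_MODES = ("RADIUS", "HWTACACS", "Local", "Non-authentication")
AUTHORIZATION_MODES = ("HWTACACS", "If-authenticated", "Local", "Non-authorization")


def validate_chain(chain: Sequence[str], allowed: Sequence[str]) -> List[str]:
    """Check a first/second/third/fourth mode list against the table constraints."""
    none_mode = allowed[-1]
    errors = []
    if not 1 <= len(chain) <= 4:
        errors.append("a scheme has between one and four modes")
    for pos, mode in enumerate(chain, start=1):
        earlier = chain[:pos - 1]
        if mode not in allowed:
            errors.append(f"position {pos}: {mode!r} is not an available mode")
        if mode in earlier:
            errors.append(f"position {pos}: {mode} is already used earlier")
        if earlier and earlier[-1] == none_mode:
            errors.append(f"position {pos}: nothing can follow {none_mode}")
        if pos == 4 and mode != none_mode:
            errors.append(f"position 4: only {none_mode} can be configured")
    return errors


def handling_mode(chain: Sequence[str], unresponsive: Iterable[str]) -> Optional[str]:
    """Mode that decides a request when the servers of the listed modes do not respond."""
    down = set(unresponsive)
    for mode in chain:
        if mode not in down:
            return mode
    return None


def fail_open_condition(chain: Sequence[str], allowed: Sequence[str]) -> Optional[Tuple[str, ...]]:
    """Modes that must all be unresponsive before the no-check mode decides.

    Returns None when the chain never reaches a no-check mode, and an empty
    tuple when the no-check mode is first and therefore always applies.
    """
    none_mode = allowed[-1]
    if none_mode not in chain:
        return None
    return tuple(chain[:list(chain).index(none_mode)])


# Constructed sample schemes (not from the guide).
SERVER_THEN_LOCAL = ["RADIUS", "Local"]
SERVER_THEN_NONE = ["RADIUS", "HWTACACS", "Non-authentication"]

if __name__ == "__main__":
    for chain in (SERVER_THEN_LOCAL, SERVER_THEN_NONE, ["Non-authentication", "Local"]):
        print(chain)
        print("  errors:", validate_chain(chain, AUTHENTICATION_MODES))
        print("  no check applies when unresponsive:", fail_open_condition(chain, AUTHENTICATION_MODES))
    print(handling_mode(SERVER_THEN_NONE, {"RADIUS", "HWTACACS"}))
```

A scheme for which `fail_open_condition` returns a tuple admits any user name and password whenever the listed servers stop responding, which is the case the NOTE under Table 1-100 advises against.
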

Service Scheme

Context

Access users must obtain authorization information before they can go online. Authorization information about users can be managed by configuring a service scheme.

Procedure

  • Create a service scheme profile.
    1. Choose Configuration > Security Services > AAA and click the Service Scheme tab, as shown in Figure 1-162.

      Figure 1-162  Service Scheme

    2. Click Create to open the Create Service Scheme page, as shown in Figure 1-163.

      Figure 1-163  Create Service Scheme

      Table 1-103 describes the parameters on the page.
      Table 1-103  Service Scheme Creation

      Parameter

      Description

      Server scheme name

      Indicates the name of the service scheme.

      Administrator priority

      Indicates the administrator level.

      Primary DNS server

      Indicates the IP address of the primary DNS server.

      Secondary DNS server

      Indicates the IP address of the secondary DNS server.

      User VLAN

      Specifies the user VLAN.

      UCL group

      Select a UCL group to be bound.

      QoS profile

      Indicates the QoS profile. Select the following operations:
      • To select a QoS profile, click the corresponding icon.
      • To set parameters for the QoS profile, click the corresponding icon. After the configuration is complete, click OK.
      • To modify a QoS profile, click the corresponding icon.
      • To delete a QoS profile, click the corresponding icon.

      Idle user disconnection

      Specifies the action taken on a user when the user does not perform any operation within a period of time.
      • Based on uplink traffic: indicates that the action takes effect for only upstream traffic of the user.
      • Based on downlink traffic: indicates that the action takes effect for only downstream traffic of the user.
      • Based on uplink and downlink traffic: indicates that the action takes effect for both upstream and downstream traffic of the user.
      • Close: indicates that the idle-cut function is disabled.

    3. Set parameters for the service scheme profile.
    4. Click OK.
  • Modify a service scheme profile.
    1. Choose Configuration > Security Services > AAA and click the Service Scheme tab.
    2. Click the service scheme profile that you want to modify. The settings of the service scheme profile are displayed.
    3. Set parameters for the service scheme profile. Table 1-103 describes the parameters for modifying a service scheme profile.
    4. Click OK.
  • Delete a service scheme profile.
    1. Choose Configuration > Security Services > AAA and click the Service Scheme tab.
    2. Select the profile that you want to delete and click Delete. The system asks you whether to delete the record.

      NOTE:
      • To select a record, click the checkbox of the record.
      • To delete records in batches, click the checkboxes of records.

    3. Click OK.
External Portal Server

Procedure

  • Set the maximum number of Portal authentication users.
    1. Choose Configuration > Security Services > AAA and click the External Portal Server tab, as shown in Figure 1-164.

      Figure 1-164  External Portal Server

    2. Set the maximum number of concurrent Portal authentication users in Maximum number of STAs.
    3. Click Apply. In the dialog box that is displayed, click OK.
  • Create a Portal authentication server.
    1. Choose Configuration > Security Services > AAA and click the External Portal Server tab.
    2. Click Create. The Create Authentication Server page is displayed, as shown in Figure 1-165.

      Figure 1-165  Create Authentication Server

      Table 1-104 describes the parameters on the page.
      Table 1-104  Parameters for creating a Portal authentication server

      Parameter

      Description

      Server name

      Indicates the name of a Portal authentication server.

      Server IP

      Indicates the IP address of the Portal server.

      Shared key

      Indicates the shared key that the device uses to exchange information with the Portal server.

      Confirm shared key

      Enter the shared key again.

      Packet port number

      Indicates the port number that the device uses to listen on Portal protocol packets.

      URL

      Indicates the URL of the Portal server.

      URL profile

      The following parameters are valid when URL profile is selected.

      URL

      Indicates the redirection URL or pushed URL.

      LSW-IP

      Indicates the IP address of the switch carried in the URL.

      LSW-MAC

      Indicates the MAC address of the switch carried in the URL.

      User access URL

      Indicates the original URL that a user accesses carried in the URL.

      User MAC

      Indicates the user MAC address carried in the URL.

      User IP

      Indicates the user IP address carried in the URL.

      System name

      Indicates the device system name carried in the URL.

      AP-IP

      Indicates the AP IP address carried in the URL.

      AP-MAC

      Indicates the AP MAC address carried in the URL.

      SSID

      Indicates the SSID that users associate with.

      MAC address format

      • No separator
      • normal: sets the MAC address format to XXXX-XXXX-XXXX. You can specify a character as the delimiter.
      • compact: sets the MAC address format to XX-XX-XX-XX-XX-XX. You can specify a character as the delimiter.

      Separator

      Indicates the separator, which contains one character.

    3. Set parameters for the authentication server.
    4. Click OK.
  • Modify a Portal authentication server.
    1. Choose Configuration > Security Services > AAA and click the External Portal Server tab.
    2. Click the name of the authentication server that you want to modify. The authentication server modification page is displayed.
    3. Modify parameters for the authentication server. Table 1-104 describes the parameters for modifying an authentication server.
    4. Click OK.
  • Delete an authentication server.
    1. Choose Configuration > Security Services > AAA and click the External Portal Server tab.
    2. Select the authentication server name and click Delete. The system asks you whether to delete the record.

      NOTE:
      • To select a record, click the checkbox of the record.
      • To delete records in batches, click the checkboxes of records.

    3. Click OK.
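
The URL profile parameters in Table 1-104 arrive at the Portal server inside a query string, so the server should accept the MAC address only in the format that was configured. The Python code below is an added example, not Huawei code: it renders and strictly validates the three MAC address formats from the table. The query key `usermac`, the sample URL, the lowercase output and the rule that a separator must not be a letter or digit are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hex digits per group for the formats listed under "MAC address format".
GROUP_DIGITS = {"none": 12, "normal": 4, "compact": 2}


def _group_size(style: str, sep: str) -> int:
    if style not in GROUP_DIGITS:
        raise ValueError("unknown MAC address format %r" % style)
    # The guide says the separator is one character. Rejecting letters and
    # digits is this example's own rule: a hex digit would be ambiguous.
    if style != "none" and (len(sep) != 1 or sep.isalnum()):
        raise ValueError("separator must be one non-alphanumeric character")
    return GROUP_DIGITS[style]


def format_mac(raw: bytes, style: str = "none", sep: str = "-") -> str:
    """Render a 6-byte MAC as 'none', 'normal' (XXXX-XXXX-XXXX) or 'compact'."""
    if len(raw) != 6:
        raise ValueError("a MAC address is exactly 6 bytes")
    n = _group_size(style, sep)
    digits = raw.hex()
    return sep.join(digits[i:i + n] for i in range(0, 12, n))


def parse_mac(text: str, style: str = "none", sep: str = "-") -> bytes:
    """Accept only the configured format; anything else raises ValueError."""
    n = _group_size(style, sep)
    group = r"[0-9A-Fa-f]{%d}" % n
    pattern = group + (re.escape(sep) + group) * (12 // n - 1)
    # fullmatch rejects trailing newlines and any extra characters.
    if not re.fullmatch(pattern, text):
        raise ValueError("value does not match the %r MAC format" % style)
    hex_only = text if style == "none" else text.replace(sep, "")
    return bytes.fromhex(hex_only)


def user_mac_from_redirect(url: str, key: str, style: str, sep: str = "-") -> bytes:
    """Pull one MAC parameter out of a redirect URL and validate it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = query.get(key, [])
    if len(values) != 1:  # missing or repeated parameter
        raise ValueError("expected exactly one %r parameter" % key)
    return parse_mac(values[0], style, sep)


# Constructed sample: a redirect as a Portal server might receive it.
SAMPLE_URL = "https://portal.example.com/login?usermac=00e0-fc12-3456&userip=10.1.1.5"

if __name__ == "__main__":
    mac = user_mac_from_redirect(SAMPLE_URL, "usermac", "normal")
    print(format_mac(mac, "compact", ":"))
```
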
Built-In Portal Server

Procedure

  • Create a built-in Portal server.
    1. Choose Configuration > Security Services > AAA and click the Built-In Portal Server tab, as shown in Figure 1-166.

      Figure 1-166  Built-In Portal Server

      Table 1-105 describes the parameters on the page.
      Table 1-105  Built-in Portal server

      | Parameter | Description |
      |---|---|
      | Server IP | Indicates the IP address of the Portal server. Users are then redirected to the Portal server if they enter URLs that are not located in the free IP subnet. NOTE: The IP address assigned to the built-in Portal server must have a reachable route to the user. The built-in Portal server cannot use the gateway IP address of the device interface connected to clients. It is recommended that a loopback interface address be assigned to the built-in Portal server because the loopback interface is stable. Additionally, packets destined for loopback interfaces are not sent to other interfaces on the network; therefore, system performance does not deteriorate even if many users request to go online. |
      | SSL policy | SSL policy used by a built-in Portal server. Click and select an SSL policy. Click to delete the selected SSL policy. |
      | Port number | Indicates the port that provides the authentication service on the Portal server. |
      | Authentication mode | Indicates the authentication mode, which can be PAP or CHAP. You are advised to use CHAP, which provides higher security. |
      | Page file package | Indicates the file in .zip format. The file contains web pages that users access during authentication. |

    2. Set parameters for the authentication server.
    3. Click Apply.
    4. Click OK in the displayed dialog box.
RADIUS

Context

RADIUS protects a network from unauthorized access. It is often used on the networks that require high security and remote user access control.

Procedure

  • Configure a RADIUS server profile.

    • Create a RADIUS server profile.
      1. Choose Configuration > Security Services > AAA and click the RADIUS tab, as shown in Figure 1-167.
        Figure 1-167  RADIUS configuration

      2. Click Create in RADIUS Server Profile to open the Create RADIUS Server Profile page, as shown in Figure 1-168.
        Figure 1-168  Create RADIUS Server Profile

        Table 1-106 describes the parameters on the page.
        Table 1-106  Create RADIUS server profile

        | Parameter | Description |
        |---|---|
        | Profile name | Indicates the name of a RADIUS server profile. |
        | Key | Indicates the shared key for the RADIUS server. |
        | Confirm key | Indicates the confirmed shared key of the RADIUS server. |
        | User name | Indicates whether the device encapsulates the domain name in the user name when sending RADIUS packets to a RADIUS server. Original user name configures the device not to modify the user name entered by the user in the packets sent to the RADIUS server. |
        | Mode | Active/Standby mode: The server with the largest weight value functions as the active server, and the other servers function as standby servers. A standby server with a larger weight value has a higher priority. Load balancing mode: Authentication or accounting requests are distributed to the configured authentication or accounting servers according to the weights of the servers. |
      3. Set parameters for the RADIUS server.
      4. Click OK.
    • Modify a RADIUS server profile.
      1. Choose Configuration > Security Services > AAA and click the RADIUS tab.
      2. Select a RADIUS server profile in RADIUS Server Profile to open the RADIUS server profile modification page.
      3. Modify the parameters of the RADIUS server profile. Table 1-106 describes the parameters for modifying a RADIUS server profile.
      4. Click OK.

  • Configure an authentication/accounting server.

    • Create an authentication/accounting server.
      1. Choose Configuration > Security Services > AAA and click the RADIUS tab.
      2. Click Create in Authentication/Accounting Server to open the Create Authentication/Accounting Server page, as shown in Figure 1-169.
        Figure 1-169  Create Authentication/Accounting Server

        Table 1-107 describes the parameters on the page.
        Table 1-107  Create Authentication/Accounting Server

        | Parameter | Description |
        |---|---|
        | Profile name | Indicates the name of the created RADIUS server profile. |
        | Server type | Indicates the RADIUS server type: Authentication Server or Accounting Server. |
        | IP address/port number | Indicates the IP address and port number of the authentication or accounting server. |
        | Source IP address | Indicates the source IP address of the authentication/accounting server. |
        | Weight | Indicates the weight of the authentication or accounting server. |

      3. Set parameters for the authentication/accounting server.
      4. Click OK.
    • Modify an authentication/accounting server.
      1. Choose Configuration > Security Services > AAA and click the RADIUS tab.
      2. Select the authentication/accounting server in Authentication/Accounting Server.
      3. Modify parameters for the authentication/accounting server. Table 1-107 describes the parameters for modifying an authentication/accounting server.
      4. Click OK.

  • Configure an authorization server.

    • Create an authorization server.
      1. Choose Configuration > Security Services > AAA and click the RADIUS tab.
      2. Click Create in Authorization Server to open the Create Authorization Server page, as shown in Figure 1-170.
        Figure 1-170  Create Authorization Server

        Table 1-108 describes the parameters on the page.
        Table 1-108  Create authorization server

        | Parameter | Description |
        |---|---|
        | Authorization server IP address | Indicates the IP address of an authorization server. |
        | Profile name | Indicates the name of the created RADIUS server profile. |
        | key | Indicates the shared key of the RADIUS authorization server. |
        | Confirm key | Indicates the confirmed shared key of the RADIUS authorization server. |

      3. Set parameters for the authorization server.
      4. Click OK.
    • Modify an authorization server.
      1. Choose Configuration > Security Services > AAA and click the RADIUS tab.
      2. Select the authorization server in Authorization Server.
      3. Modify parameters for the authorization server. Table 1-108 describes the parameters for modifying an authorization server.
      4. Click OK.
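
The two values of Mode in Table 1-106, applied to the Weight of each server in Table 1-107, shown as an added Python example rather than the switch's implementation. The server list and weights are constructed, and two behaviours are assumptions because the guide only says that requests are distributed according to weights: equal weights keep configuration order, and load balancing uses smooth weighted round-robin.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RadiusServer:
    ip: str
    weight: int
    up: bool = True


# Constructed sample values; not taken from the guide.
SAMPLE_SERVERS = [
    RadiusServer("10.1.1.10", 80),
    RadiusServer("10.1.1.11", 40),
    RadiusServer("10.1.1.12", 40),
]


def mark_down(servers, ip):
    """Return a copy of the list with one server flagged as unreachable."""
    return [replace(s, up=False) if s.ip == ip else s for s in servers]


def failover_order(servers):
    """Active/Standby mode: largest weight first, then standbys by weight."""
    # sorted() is stable, so equal weights keep configuration order (assumption).
    return sorted(servers, key=lambda s: -s.weight)


def select_active_standby(servers):
    """Return the server that receives requests, or None if all are down."""
    for server in failover_order(servers):
        if server.up:
            return server
    return None


def load_balance(servers, requests):
    """Load balancing mode: share `requests` among reachable servers by weight.

    Smooth weighted round-robin (assumption): every round each server earns
    its weight as credit, the server with the most credit is chosen and pays
    back the total weight.
    """
    live = [s for s in servers if s.up and s.weight > 0]
    counts = {s.ip: 0 for s in live}
    if not live:
        return counts
    total = sum(s.weight for s in live)
    credit = {s.ip: 0 for s in live}
    for _ in range(requests):
        for s in live:
            credit[s.ip] += s.weight
        chosen = max(live, key=lambda s: credit[s.ip])
        credit[chosen.ip] -= total
        counts[chosen.ip] += 1
    return counts


if __name__ == "__main__":
    print("active:", select_active_standby(SAMPLE_SERVERS).ip)
    print("shares:", load_balance(SAMPLE_SERVERS, 8))
```

Running the same functions with a server marked down shows which server starts receiving credentials and where the authentication logs will appear after a failover.
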

HWTACACS

Context

HWTACACS prevents unauthorized users from attacking a network and supports command-line authorization. Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is more suitable for security control.

Procedure

  • Enable or disable HWTACACS.
    1. Choose Configuration > Security Services > AAA and click the HWTACACS tab, as shown in Figure 1-171.

      Figure 1-171  HWTACACS configuration

    2. Set the HWTACACS function status to ON or OFF.
    3. Click Apply. In the dialog box that is displayed, click OK.
  • Configure an HWTACACS server profile.

    • Create an HWTACACS server profile.
      1. Choose Configuration > Security Services > AAA and click the HWTACACS tab.
      2. Click Create in HWTACACS Server Profile to open the Create HWTACACS server profile page, as shown in Figure 1-172.
        Figure 1-172  Create HWTACACS server profile

        Table 1-109 describes the parameters on the page.
        Table 1-109  Create HWTACACS server profile

        | Parameter | Description |
        |---|---|
        | Profile name | Indicates the name of an HWTACACS server profile. |
        | key | Indicates the shared key for the HWTACACS server. |
        | Confirm key | Indicates the confirmed shared key of the HWTACACS server. |
        | User name | Indicates whether the device encapsulates the domain name in the user name when sending HWTACACS packets to an HWTACACS server. Original user name configures the device not to modify the user name entered by the user in the packets sent to the HWTACACS server. |

      3. Set parameters for the HWTACACS server.
      4. Click OK.
    • Modify an HWTACACS server profile.
      1. Choose Configuration > Security Services > AAA and click the HWTACACS tab.
      2. Select an HWTACACS server profile in HWTACACS Server Profile to open the HWTACACS server profile modification page.
      3. Modify parameters for the HWTACACS server. Table 1-109 describes the parameters for modifying an HWTACACS server profile.
      4. Click OK.

  • Configure an authentication/authorization/accounting server.

    • Create an authentication/authorization/accounting server.
      1. Choose Configuration > Security Services > AAA and click the HWTACACS tab.
      2. Click Create in Authentication/Authorization/Accounting Server to open the Create Authentication/Authorization/Accounting Server page, as shown in Figure 1-173.
        Figure 1-173  Create Authentication/Authorization/Accounting Server

        Table 1-110 describes the parameters on the page.
        Table 1-110  Parameters for creating an authentication/authorization/accounting server

        | Parameter | Description |
        |---|---|
        | Profile name | Indicates the name of the created HWTACACS server profile. |
        | Server type | Indicates the HWTACACS server type: Authentication/Authorization/Accounting server. |
        | Primary server IP address | Indicates the IP address of the primary authentication/authorization/accounting server. |
        | Primary server port number | Indicates the port number of the primary authentication/authorization/accounting server. |
        | Secondary server IP address | Indicates the IP address of the secondary authentication/authorization/accounting server. |
        | Secondary server port number | Indicates the port number of the secondary authentication/authorization/accounting server. |

      3. Set parameters for the authentication/authorization/accounting server.
      4. Click OK.
    • Modify an authentication/authorization/accounting server.
      1. Choose Configuration > Security Services > AAA and click the HWTACACS tab.
      2. Select the authentication/authorization/accounting server in Authentication/Authorization/Accounting Server.
      3. Modify parameters for the authentication/authorization/accounting server. Table 1-110 describes the parameters for modifying an authentication/authorization/accounting server.
      4. Click OK.

Local User

Procedure

  • Create a local user.
    1. Choose Configuration > Security Services > AAA and click the Local User tab, as shown in Figure 1-174.

      Figure 1-174  Local user

    2. Click Create to open the Create User page, as shown in Figure 1-175.

      Figure 1-175  Create User

      Table 1-111 describes the parameters on the page.
      Table 1-111  Create user

      | Parameter | Description |
      |---|---|
      | User name | Indicates a new user name. |
      | Password | Indicates a new password. |
      | Confirm password | Confirms the password. The format of this parameter is the same as that of Password. |
      | User type | Indicates the user level. Users at different levels have different access rights. |
      | User status | Indicates the state of a local user. Activate: the device accepts and processes the authentication request from the user. Block: the device rejects the authentication request from the user. NOTE: If a user who has already established a connection with the device is set to the blocking state, the existing connection remains in effect, but the device rejects subsequent authentication requests from the user. |
      | Forcible logout | Indicates whether to forcibly disconnect users. NOTE: This option is available when you modify a user. |
      | Access mode | Indicates the access type. After you specify the access type of a user, only the users of the specified access type can log in. |

    3. Set parameters for the local user.
    4. Click OK.
  • Modify a local user.
    1. Choose Configuration > Security Services > AAA and click the Local User tab.
    2. Click the name of the user that you want to modify.
    3. Set parameters for modifying the user. Table 1-111 describes the parameters for modifying a local user.
    4. Click OK.
  • Delete a local user.
    1. Choose Configuration > Security Services > AAA and click the Local User tab.
    2. Select a record that you want to delete and click Delete. The system asks you whether to delete the record.

      NOTE:
      • To select a record, click the checkbox of the record.
      • To delete records in batches, click the checkboxes of records.

    3. Click OK.
Advanced Settings

Procedure

  • Configure 802.1X authentication globally.
    1. Choose Configuration > Security Services > AAA and click the Advanced Settings tab, as shown in Figure 1-176.

      Figure 1-176  Advanced Settings

    2. Set parameters in 802.1X Authentication Global Settings. Table 1-112 describes the parameters on this page.

      Table 1-112  Parameters for configuring 802.1X authentication globally

      | Parameter | Description |
      |---|---|
      | Quiet timer | Indicates whether to start the quiet timer. |
      | Maximum authentication failures before the switch quiets a user | Indicates the maximum number of times that a user fails authentication before the quiet function is enabled. When the number of times that a user fails 802.1X authentication within 60s reaches the value set in Maximum authentication failures before the switch quiets a user, the device keeps the user quiet for a period of time. |
      | Quiet timer value (s) | Indicates the quiet period. During the quiet period of an 802.1X authentication user, the device discards the 802.1X authentication request packets from the user. |

    3. Click Apply.
    4. In the dialog box that is displayed, click OK.
  • Configure Portal authentication globally.
    1. Choose Configuration > Security Services > AAA and click the Advanced Settings tab, as shown in Figure 1-176.
    2. Set parameters in Portal Authentication Global Settings. Table 1-113 describes the parameters on this page.

      Table 1-113  Parameters for configuring Portal authentication globally

      | Parameter | Description |
      |---|---|
      | Quiet timer | Indicates whether to start the quiet timer. |
      | Maximum authentication failures before the switch quiets a user | Indicates the maximum number of times that a user fails authentication before the quiet function is enabled. When the number of times that a user fails Portal authentication within 60s reaches the value set in Maximum authentication failures before the switch quiets a user, the device keeps the user quiet for a period of time. |
      | Quiet timer value (s) | Indicates the quiet period. During the quiet period of a Portal authentication user, the device discards the Portal authentication request packets from the user. |
      | Port number in Portal packets | Indicates the port number on which the device listens for Portal protocol packets. |
      | Transparent transmission of authentication information | Indicates whether to enable transparent transmission of authentication information. |
      | Portal version | Indicates the version of the Portal protocol. |
      | Upper alarm threshold percentage (%) | Indicates the upper alarm threshold percentage of Portal authentication user quantity, which must be greater than or equal to Lower alarm threshold percentage. |
      | Lower alarm threshold percentage (%) | Indicates the lower alarm threshold percentage of Portal authentication user quantity. |

    3. Click Apply.
    4. In the dialog box that is displayed, click OK.
  • Configure MAC address authentication globally.
    1. Choose Configuration > Security Services > AAA and click the Advanced Settings tab, as shown in Figure 1-176.
    2. Set parameters in MAC Address Authentication Global Settings. Table 1-114 describes the parameters on this page.

      Table 1-114  Parameters for configuring MAC address authentication globally

      | Parameter | Description |
      |---|---|
      | Maximum authentication failures before the switch quiets a user | Indicates the maximum number of times that a user fails authentication before the quiet function is enabled. When the number of times that a user fails MAC address authentication within 60s reaches the value set in Maximum authentication failures before the switch quiets a user, the device keeps the user quiet for a period of time. |
      | Quiet timer value (s) | Indicates the value of the quiet timer. When a user fails authentication, the device keeps the user quiet for a period before processing the authentication request from the user. During the quiet period, the device does not process authentication requests from the user. |

    3. Click Apply.
    4. In the dialog box that is displayed, click OK.
  • Enable the CNA bypass function for iOS terminals.
    1. Choose Configuration > Security Services > AAA and click the Advanced Settings tab, as shown in Figure 1-176.
    2. Set Enable the CNA bypass function for iOS terminals in Others to ON.
    3. Click Apply.
    4. In the dialog box that is displayed, click OK.
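
How the quiet settings in Tables 1-112 to 1-114 interact, as an added Python model that replays constructed authentication events; it is not the switch's code. Assumptions of this example: the failure counter is cleared by a successful authentication and when the quiet period starts, and the event list, the user identifiers and the values 3 and 60 are sample values.

```python
from collections import Counter, defaultdict, deque

FAILURE_WINDOW = 60  # seconds; the guide counts failures "within 60s"


class QuietTable:
    """Model of 'Maximum authentication failures' plus 'Quiet timer value (s)'."""

    def __init__(self, max_failures: int, quiet_seconds: int):
        if max_failures < 1 or quiet_seconds < 1:
            raise ValueError("both settings must be positive")
        self.max_failures = max_failures
        self.quiet_seconds = quiet_seconds
        self._failures = defaultdict(deque)  # user -> recent failure times
        self._quiet_until = {}               # user -> end of quiet period

    def handle(self, ts: int, user: str, credentials_ok: bool) -> str:
        """Return accepted, rejected, quieted or discarded for one request."""
        until = self._quiet_until.get(user)
        if until is not None:
            if ts < until:
                # Requests are dropped during the quiet period, even valid ones.
                return "discarded"
            del self._quiet_until[user]
        if credentials_ok:
            self._failures.pop(user, None)  # assumption: success resets the count
            return "accepted"
        recent = self._failures[user]
        recent.append(ts)
        while ts - recent[0] >= FAILURE_WINDOW:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._quiet_until[user] = ts + self.quiet_seconds
            recent.clear()
            return "quieted"
        return "rejected"


def replay(events, max_failures: int, quiet_seconds: int):
    """Run (timestamp, user, credentials_ok) tuples through a fresh table."""
    table = QuietTable(max_failures, quiet_seconds)
    return [table.handle(ts, user, ok) for ts, user, ok in sorted(events)]


# Constructed events: (seconds since start, user identifier, credentials valid?)
SAMPLE_EVENTS = [
    (0, "00e0-fc12-3456", False),
    (2, "alice", False),
    (5, "00e0-fc12-3456", False),
    (10, "00e0-fc12-3456", False),   # third failure within 60s
    (20, "00e0-fc12-3456", False),
    (30, "alice", False),
    (35, "alice", True),
    (40, "00e0-fc12-3456", True),    # valid, but still inside the quiet period
    (70, "00e0-fc12-3456", False),   # quiet period over, processed again
    (100, "alice", False),
]

if __name__ == "__main__":
    outcomes = replay(SAMPLE_EVENTS, max_failures=3, quiet_seconds=60)
    for (ts, user, _), outcome in zip(sorted(SAMPLE_EVENTS), outcomes):
        print(f"{ts:>4}s  {user:<16} {outcome}")
    print(Counter(outcomes))
```

Replaying real authentication logs through the same model with candidate values shows how many legitimate users a setting would quiet before it is applied on the switch.
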
Free Mobility

Procedure

  1. Choose Configuration > Security Services > AAA and click the Free Mobility tab.
  2. Set Free mobility status to ON to open the Free Mobility page, as shown in Figure 1-177.

    Figure 1-177  Enable Free Mobility

    Table 1-115 describes the parameters on the page.
    Table 1-115  Parameters for enabling Free Mobility

    | Item | Description |
    |---|---|
    | Free mobility status | Enables Free mobility: ON or OFF. |
    | Controller server IP | Configures an IP address for the primary controller. |
    | Backup controller server IP | Configures an IP address for the backup controller. |
    | Connection password | Configures the password used by the device to set up a connection with the controller. The value is a string of 8 to 32 characters. |
    | Confirm connection password | Confirms the password used by the device to set up a connection with the controller. |
    | Source IP address | Specifies the source IP address for the communication between the switch and the controller. |

  3. Configure the parameters.
  4. Click Apply.
  5. In the dialog box that is displayed, click OK.

AAA Service App

This section describes the AAA configurations.

Wired Interface Authentication

This section describes how to apply an authentication profile to interfaces.

Procedure

  • Physical Interface Authentication
    1. Choose Configuration > Security Services > AAA Service App and click the Wired Interface Authentication tab, as shown in Figure 1-178.

      Figure 1-178  Wired Interface Authentication

    2. Select an interface.
    3. Select an authentication profile from Authentication profile to bind to an interface.
    4. Click Apply.
  • VLAN Authentication
    1. Choose Configuration > Security Services > AAA Service App and click the Wired Interface Authentication tab, as shown in Figure 1-178.
    2. Click to select VLAN ID.
    3. Select an authentication profile from Authentication profile to bind to a VLAN.
    4. Click Apply.
Wireless Interface Authentication

Procedure

  1. Choose Configuration > Security Services > AAA Service App. Click the Wireless Interface Authentication tab, as shown in Figure 1-179.

    Figure 1-179  Wireless Interface Authentication tab

  2. Select an AP group.
  3. Select a VAP.
  4. Select an authentication profile.
  5. Click Apply.

AAA Profile Mgmt

802.1X Profile

Context

You can configure 802.1X authentication to implement interface-based network access control, that is, to authenticate and control users connected to an interface of an access control device.

Procedure

  • Create an 802.1X profile.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > 802.1X Profile. The 802.1X Profile List page is displayed.
    2. Click Create. The Create 802.1X Profile page is displayed.
    3. Enter the name of the new 802.1X profile in Profile name.
    4. Click OK. The parameter setting page for creating an 802.1X profile is displayed, as shown in Figure 1-180.

      Figure 1-180  The parameter setting page for creating an 802.1X profile

    5. Set parameters for creating an 802.1X profile. Table 1-116 describes the parameters for creating an 802.1X profile.

      Table 1-116  802.1X profile parameters

      | Parameter | Description |
      |---|---|
      | 802.1X Profile | Name of the new 802.1X profile, which cannot be modified. |
      | User authentication mode | User authentication mode. The options are as follows: CHAP: Challenge Handshake Authentication Protocol; PAP: Password Authentication Protocol; EAP: Extensible Authentication Protocol. |
      | Reauthentication | Whether to enable the periodic re-authentication function. |
      | Reauthentication interval (s) | 802.1X re-authentication interval. This option is available when Reauthentication is enabled. |
      | Maximum authentication requests | Maximum number of 802.1X authentication requests. The default value is recommended. |
      | Authentication timeout interval (s) | 802.1X authentication timeout interval. |
      | Authentication request interval (s) | Interval for sending 802.1X authentication requests. |
      | EAP packet code number | Code number in EAP packets sent in response to user requests. |
      | EAP packet data type | Data type in EAP packets sent in response to user requests. |

    6. Click Apply. In the Info dialog box that is displayed, click OK.
  • Modify an 802.1X profile.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > 802.1X Profile. The 802.1X Profile List page is displayed.
    2. Click the 802.1X profile to modify. The 802.1X profile configuration page is displayed.
    3. Set parameters for modifying an 802.1X profile. Table 1-116 describes the parameters for modifying an 802.1X profile.
    4. Click Apply. In the Info dialog box that is displayed, click OK.
  • Delete an 802.1X profile.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > 802.1X Profile. The 802.1X Profile List page is displayed.
    2. Select the profile that you want to delete and click Delete. In the Confirm dialog box that is displayed, click OK.
  • Display the profile reference relationship.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > 802.1X Profile. The 802.1X Profile List page is displayed.
    2. Select the profile of which you want to display the reference relationship and click Display Reference Relationship. The system displays the types and names of the objects that reference the profile.

      NOTE:

      Click Hide Reference Relationship. The system hides the displayed results.

Portal Profile

Context

In Portal authentication, users do not need a specific client. The Portal server provides users with free Portal services and a Portal authentication page.

Procedure

  • Create a Portal profile.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > Portal Profile. The Portal Profile List page is displayed.
    2. Click Create. The Create Portal Profile page is displayed.
    3. Enter the name of the new Portal profile in Profile name.
    4. Click OK. The parameter setting page for creating a Portal profile is displayed, as shown in Figure 1-181.

      Figure 1-181  The parameter setting page for creating a Portal profile

    5. Set parameters for creating a Portal profile. Table 1-117 describes the parameters for creating a Portal profile.

      Table 1-117  Portal profile parameters

      | Parameter | Description |
      |---|---|
      | Portal Profile | Name of the Portal profile, which cannot be modified. |
      | Portal authentication | Portal authentication mode. |
      | Built-in portal server anonymous login | Whether to enable the anonymous login function for users authenticated through the built-in Portal server. |
      | Built-in portal server | Whether to enable the built-in Portal server. |
      | Active server | External active Portal server. |
      | Standby server | External standby Portal server. |
      | Authentication mode | Authentication mode of the external Portal server. |
      | Source authentication network segment/mask | Enter the source authentication network segment and mask of the external Portal server and click . To delete the source authentication network segment and mask, select the source authentication network segment and mask that you want to delete and click . This parameter is available when Authentication mode is set to Layer 3 authentication. |
      | User reauth when Portal server goes Up | Whether to reauthenticate, after the Portal server recovers, the users who went online while the external Portal server was Down. After the reauthentication function is enabled, the device assigns normal network access rights to users who pass reauthentication. |

    6. Click Apply. In the Info dialog box that is displayed, click OK.
  • Modify a Portal profile.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > Portal Profile. The Portal Profile List page is displayed.
    2. Click the Portal profile to modify. The Portal profile configuration page is displayed.
    3. Set parameters for modifying a Portal profile. Table 1-117 describes the parameters for modifying a Portal profile.
    4. Click Apply. In the Info dialog box that is displayed, click OK.
  • Delete a Portal profile.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > Portal Profile. The Portal Profile List page is displayed.
    2. Select the profile that you want to delete and click Delete. In the Confirm dialog box that is displayed, click OK.
  • Display the profile reference relationship.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > Portal Profile. The Portal Profile List page is displayed.
    2. Select the profile of which you want to display the reference relationship and click Display Reference Relationship. The system displays the types and names of the objects that reference the profile.

      NOTE:

      Click Hide Reference Relationship. The system hides the displayed results.

MAC Authentication Profile

Context

MAC address authentication controls network access permissions of a user based on the access interface and MAC address of the user. The user does not need to install any client software. The user name and password are the MAC address of the user device. After detecting the MAC address of a user for the first time, a network device starts authenticating the user.

Procedure

  • Create a MAC authentication profile.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > MAC Authentication Profile. The MAC Authentication Profile List page is displayed.
    2. Click Create. The Create MAC Authentication Profile page is displayed.
    3. Enter the name of the new MAC authentication profile in Profile name.
    4. Click OK. The parameter setting page for creating a MAC authentication profile is displayed, as shown in Figure 1-182.

      Figure 1-182  The parameter setting page for creating a MAC authentication profile

    5. Set parameters for creating a MAC authentication profile. Table 1-118 describes the parameters for creating a MAC authentication profile.

      Table 1-118  MAC authentication profile parameters

      | Parameter | Description |
      |---|---|
      | MAC Authentication Profile | Name of the MAC authentication profile, which cannot be modified. |
      | Reauthentication | Whether to enable reauthentication. |
      | Reauthentication interval (s) | Interval of MAC address reauthentication. This option is available when Reauthentication is enabled. |
      | User name mode | The MAC address or fixed user name is used for authentication. |
      | MAC address | Whether the MAC address contains the hyphen (-). This option is available when User name mode is set to MAC address. |
      | User name | User name for MAC address authentication. This option is available when User name mode is set to Fixed user name. |
      | Configure password | Password in MAC address authentication. |
      | Confirm password | Confirm password in MAC address authentication. |

    6. Click Apply. In the Info dialog box that is displayed, click OK.
  • Modify a MAC authentication profile.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > MAC Authentication Profile. The MAC Authentication Profile List page is displayed.
    2. Click the MAC authentication profile to modify. The MAC authentication profile page is displayed.
    3. Set parameters for modifying a MAC authentication profile. Table 1-118 describes the parameters for modifying a MAC authentication profile.
    4. Click Apply. In the Info dialog box that is displayed, click OK.
  • Delete a MAC authentication profile.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > MAC Authentication Profile. The MAC Authentication Profile List page is displayed.
    2. Select the profile that you want to delete and click Delete. In the Confirm dialog box that is displayed, click OK.
  • Display the profile reference relationship.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > MAC Authentication Profile. The MAC Authentication Profile List page is displayed.
    2. Select the profile of which you want to display the reference relationship and click Display Reference Relationship. The system displays the types and names of the objects that reference the profile.

      NOTE:

      Click Hide Reference Relationship. The system hides the displayed results.

Authentication-free Rule Profile

Procedure

  • Create an authentication-free rule profile.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication-free Rule Profile. The Authentication-free Rule Profile List page is displayed.
    2. Click the authentication-free rule profile default_free_rule. The Authentication-free Rule page is displayed.
    3. Click Create. The Create Authentication-free Rule page is displayed, as shown in Figure 1-183.

      Figure 1-183  The Create Authentication-free Rule page

    4. Set parameters for creating an authentication-free rule profile. Table 1-119 describes the parameters for creating an authentication-free rule profile.

      Table 1-119  Authentication-free rule profile parameters

      | Parameter | Description |
      |---|---|
      | Rule ID | ID of the authentication-free rule. |
      | Source IP | If packets from Portal authentication users match the following parameters under Source IP, Portal authentication users do not need to pass authentication, and can access network resources configured under Destination IP. |
      | Authentication-free (under Source IP) | Whether authentication-free is performed for the source IP address. If this parameter is selected, any condition is matched. |
      | IP address (under Source IP) | Source IP address in the authentication-free rule. If Specified is selected, the IP address and mask need to be configured. |
      | Mask (under Source IP) | The mask and IP address specify a network segment. |
      | Destination IP | Network resource range that authentication-free users can access. |
      | Authentication-free (under Destination IP) | Whether authentication-free is performed for the destination IP address. If this parameter is selected, any condition is matched. |
      | IP address (under Destination IP) | Destination IP address in the authentication-free rule. If Specified is selected, the IP address and mask need to be configured. |
      | Mask (under Destination IP) | The mask and IP address specify a network segment. |
      | Protocol type | Type of the protocol that users are allowed to access. |
      | Destination port number | Destination port number that users are allowed to access. |

    5. Click OK.
  • Delete an authentication-free rule profile.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication-free Rule Profile > default_free_rule. The Authentication-free Rule List page is displayed.
    2. Select the profile that you want to delete and click Delete. In the Confirm dialog box that is displayed, click OK.
  • Display the profile reference relationship.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication-free Rule Profile. The Authentication-free Rule Profile List page is displayed.
    2. Select the profile whose reference relationship you want to display and click Display Reference Relationship. The system displays the types and names of the objects that reference the profile.

      NOTE:

      To hide the displayed results, click Hide Reference Relationship.
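
Because every authentication-free rule lets unauthenticated Portal users reach part of the network, it helps to review a rule set offline before applying it. The following Python code is an added example, not Huawei code or the device's own matching logic; the FreeRule field names, the None-means-any convention, the protocol strings, the max_hosts threshold and the sample rules are assumptions mapped from Table 1-119.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Illustrative model only: field names are assumptions mapped from Table 1-119.
@dataclass(frozen=True)
class FreeRule:
    rule_id: int
    src: Optional[str] = None       # "IP/mask" segment, None = any source
    dst: Optional[str] = None       # "IP/mask" segment, None = any destination
    protocol: Optional[str] = None  # e.g. "tcp" or "udp", None = any protocol
    dst_port: Optional[int] = None  # None = any destination port


def _in_net(addr: str, net: Optional[str]) -> bool:
    # strict=False tolerates host bits set in the configured address
    if net is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule: FreeRule, src: str, dst: str, protocol: str, dst_port: int) -> bool:
    """True if this packet would be exempt from authentication under the rule."""
    return (_in_net(src, rule.src) and _in_net(dst, rule.dst)
            and rule.protocol in (None, protocol)
            and rule.dst_port in (None, dst_port))


def audit(rule: FreeRule, max_hosts: int = 256) -> list:
    """Return findings for rules that exempt more traffic than intended."""
    findings = []
    if rule.dst is None:
        findings.append("destination is any: unauthenticated users reach every network")
    elif ipaddress.ip_network(rule.dst, strict=False).num_addresses > max_hosts:
        findings.append("destination range larger than %d addresses" % max_hosts)
    if rule.protocol is None or rule.dst_port is None:
        findings.append("protocol or destination port not restricted")
    return findings


# Constructed sample rules (documentation and private address ranges).
RULES = [
    FreeRule(1, dst="192.0.2.53/255.255.255.255", protocol="udp", dst_port=53),
    FreeRule(2, src="10.10.0.0/255.255.0.0"),  # any destination, any port
]

if __name__ == "__main__":
    for r in RULES:
        print(r.rule_id, audit(r) or "ok")
```

Rule 1 passes the audit because it exempts a single host on one protocol and port, while rule 2 is reported twice because both its destination and its protocol and port are left open.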

Domain Profile

Context

The created authentication and authorization schemes take effect only after being applied to a domain.

Procedure

  • Create a domain profile.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > Domain Profile. The Domain Profile List page is displayed.
    2. Click Create. The Create Domain Profile page is displayed.
    3. Enter the name of the new domain profile in Profile name.
    4. Click OK. The parameter setting page for creating a domain profile is displayed, as shown in Figure 1-184.

      Figure 1-184  The parameter setting page for creating a domain profile

    5. Set parameters for creating a domain profile. Table 1-120 describes the parameters for creating a domain profile.

      Table 1-120  Domain profile parameters

      | Parameter | Description |
      |---|---|
      | Authentication scheme | Selects a created authentication scheme. |
      | Authorization scheme | Selects a created authorization scheme. |
      | Accounting scheme | Selects a created accounting scheme. |
      | Service scheme | Selects a created service scheme. |
      | RADIUS server profile | Selects a created RADIUS profile. |
      | HWTACACS server profile | Selects a created HWTACACS profile. |

    6. Click Apply. In the Info dialog box that is displayed, click OK.
  • Modify a domain profile.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > Domain Profile. The Domain Profile List page is displayed.
    2. Click the domain profile to modify. The domain profile page is displayed.
    3. Set parameters for modifying a domain profile. Table 1-120 describes the parameters for modifying a domain profile.
    4. Click Apply. In the Info dialog box that is displayed, click OK.
  • Delete a domain profile.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > Domain Profile. The Domain Profile List page is displayed.
    2. Select the profile that you want to delete and click Delete. In the Confirm dialog box that is displayed, click OK.
  • Display the profile reference relationship.
    1. Choose Configuration > Security Services > AAA Profile Mgmt > Domain Profile. The Domain Profile List page is displayed.
    2. Select the profile whose reference relationship you want to display and click Display Reference Relationship. The system displays the types and names of the objects that reference the profile.

      NOTE:

      To hide the displayed results, click Hide Reference Relationship.

Updated: 2019-04-18

Document ID: EDOC1000114003
