No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
(Optional) Configuring Authentication Event Authorization Information

(Optional) Configuring Authentication Event Authorization Information

Context

If users establish pre-connections with the device or fail to be authenticated, they have no network access rights.

To meet these users' basic network access requirements such as updating the antivirus database and downloading the client, configure authentication event authorization information. The device will assign network access rights to these users based on the authentication phase.

NOTE:

An authorized VLAN cannot be delivered to online Portal users.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure authorization parameters.

    If users are in the pre-connection phase or fail to be authenticated, or the authentication server is Down, the device can use the VLAN, and service scheme to grant network access rights to the users.

    • VLAN

      Configure a VLAN and network resources in the VLAN on the device.

    • Service scheme

      1. Run aaa

        The AAA view is displayed.

      2. Run service-scheme service-scheme-name

        A service scheme is created and the service scheme view is displayed.

        By default, no service scheme is configured on the device.

      3. Run user-vlan vlan-id

        A user VLAN is configured in the service scheme.

        By default, no user VLAN is configured in a service scheme.

        Before running this command, ensure that a VLAN has been created using the vlan command.

      4. Run voice-vlan

        The voice VLAN function is enabled in the service scheme.

        By default, the voice VLAN function is disabled in a service scheme.

        For this configuration to take effect, ensure that a VLAN has been specified as the voice VLAN using the voice-vlan enable command and the voice VLAN function has been enabled on the interface.

      5. Run quit

        The AAA view is displayed.

      6. Run quit

        The system view is displayed.

  3. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  4. Configure authorization information.

    • Run authentication event pre-authen action authorize { vlan vlan-id | service-scheme service-scheme-name }

      Network access rights are configured for users who are in the pre-connection phase.

    • Run authentication event authen-fail action authorize { vlan vlan-id | service-scheme service-scheme-name } [ response-fail ]

      Network access rights are configured for users who fail to be authenticated.

    • Run authentication event authen-server-down action authorize { vlan vlan-id | service-scheme service-scheme-name } [ response-fail ]

      Network access rights are configured for users when the authentication server is Down.

    By default, no authentication event authorization information is configured.

    NOTE:

    If no network access right is configured for users who fail authentication or when the authentication server is Down, the users establish pre-connections with the device after the authentication fails and then have the network access rights mapping pre-connection users.

    VLAN-based authorization does not apply to the authentication users who access through VLANIF interfaces.

    In 802.1X authentication for wired users, when the RADIUS server is Down, some new clients do not have escape rights. For example, when a new Windows client receives a Success packet from the device but does not receive the authentication packets exchanged with the RADIUS server, the client will fail the authentication and cannot go online. Currently, the following clients have escape rights when they go online for the first time: H3C iNode clients using EAP-MD5 or PEAP and Cisco AnyConnect clients using EAP-FAST or PEAP.

    If authorization upon an authentication server Down event is configured and the device detects that the authentication server is Down, the device grants corresponding network access rights to users who fail to be authenticated, and add the users to entries of users who fail to be authenticated upon an authentication server Down event. If authorization upon an authentication server Down event is not configured and the device detects that the authentication server is Down, the device grants corresponding network access rights to users who fail to be authenticated, and add the users to entries of users who fail to be authenticated.

    The device assigns network access rights based on the priorities of the configured rights in a network status as follows:

    • If the authentication server is Down: network access right upon an authentication server Down event > network access right for users who fail authentication > network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled
    • If users fail authentication: network access right for users who fail authentication > network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled
    • If users are in the pre-connection state: network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled
    • If an 802.1X client does not respond: network access right if an 802.1X client does not respond > network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled

  5. (Optional) Configure the aging time of user entries.

    • Run authentication timer pre-authen-aging aging-time

      The aging time is configured for entries of pre-connection users.

      By default, the aging time is 23 hours for entries of pre-connection users.

    • Run authentication timer authen-fail-aging aging-time

      The aging time is configured for entries of users who fail to be authenticated.

      By default, the aging time is 23 hours for entries of users who fail to be authenticated.

      NOTE:
      You can run the authentication timer authen-fail-aging aging-time command to configure the aging time for entries of users who fail to be authenticated upon an authentication server Down event and entries of users who fail to be authenticated.

Translation
Download
Updated: 2019-08-21

Document ID: EDOC1000141885

Views: 58486

Downloads: 10

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next