
S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
Configuring a Portal Access Profile (for an External Portal Server-HTTP/HTTPS Protocol)

The device supports external and built-in Portal servers. An external Portal server has independent hardware. A built-in Portal server is an embedded entity on an access device, that is, the access device functions as the Portal server. After receiving a Portal authentication request from a client, the Portal server instructs the client to initiate a Portal authentication request to the access device through the HTTP or HTTPS protocol. The client then initiates a Portal authentication request carrying the user name and password to the access device through the HTTP or HTTPS protocol.

After configuring the Portal server, you must bind the Portal server profile to a Portal access profile. When users who use the Portal access profile attempt to access charged network resources, they are forcibly redirected to the authentication page of the Portal server for Portal authentication.

This section describes how to configure the Portal server and Portal access profile when using an external Portal server.

Configuring an External Portal Server

Context

If an external Portal server is used for authentication, you need to configure related parameters in the Portal server template, for example, the authentication protocol, to ensure that the device and Portal server can communicate.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal web-authen-server { http | https ssl-policy policy-name } [ port port-number ]

    The Portal interconnection function of the HTTP or HTTPS protocol is enabled.

    By default, the Portal interconnection function of the HTTP or HTTPS protocol is disabled.

  3. Run web-auth-server server-name

    A Portal server template is created and the Portal server template view is displayed.

    By default, no Portal server template is created.

  4. Run protocol http [ password-encrypt { none | uam } ]

    The protocol used in Portal authentication is set to HTTP or HTTPS.

    By default, the Portal protocol is used in Portal authentication.

  5. (Optional) Run http get-method enable

    The device is configured to allow users to submit user name and password information to the device in GET mode during Portal authentication.

    By default, the device does not allow users to submit user name and password information to the device in GET mode during Portal authentication.

  6. Run http-method post { cmd-key cmd-key [ login login-key | logout logout-key ] * | init-url-key init-url-key | login-fail response { err-msg { authenserve-reply-message | msg msg } | redirect-login-url | redirect-url redirect-url [ append-reply-message msgkey ] } | login-success response { msg msg | redirect-init-url | redirect-url redirect-url } | logout-fail response { msg msg | redirect-url redirect-url } | logout-success response { msg msg | redirect-url redirect-url } | password-key password-key | user-mac-key user-mac-key | userip-key userip-key | username-key username-key } *

    Parameters for parsing and replying to POST or GET request packets of the HTTP or HTTPS protocol are configured.

    By default, the system has configured parameters for parsing and replying to POST or GET request packets of the HTTP or HTTPS protocol. For details, see the "Parameters" table in the http-method post command.

  7. Configure a URL for the Portal server.

    You can bind a URL or a URL template to a Portal server template. Compared with URL binding, URL template binding allows you to configure the redirection URL of the Portal server and configure the URL to carry parameters related to users or the access device. The Portal server then can obtain user terminal information based on parameters carried in the URL and provide different Portal authentication pages for different users. You can choose URL binding mode or URL template binding mode based on actual requirements.

    • URL binding mode

      Run url url-string

      A URL is configured for the Portal server.

      By default, no URL is configured for the Portal server.

    • URL template binding mode

      1. Create and configure a URL template.

        1. Run quit

          Return to the system view.

        2. Run url-template name template-name

          A URL template is created and the URL template view is displayed.

          By default, no URL template is created on the device.

        3. Run url url-string

          A redirection URL is configured for the Portal server.

          By default, no redirection URL is configured for the Portal server.

        4. Run url-parameter { redirect-url redirect-url-value | sysname sysname-value | user-ipaddress user-ipaddress-value | user-mac user-mac-value } *

          Parameters carried in the URL are configured.

          By default, a URL does not carry parameters.

        5. Run url-parameter mac-address format delimiter delimiter { normal | compact }

          The MAC address format in the URL is configured.

          By default, the MAC address format in a URL is XXXXXXXXXXXX.

        6. Run parameter { start-mark parameter-value | assignment-mark parameter-value | isolate-mark parameter-value } *

          Characters in the URL are configured.

          By default, the start character in a URL is a question mark (?), the assignment character is an equal sign (=), and the delimiter between parameters is an ampersand (&).

        7. Run quit

          Return to the system view.

      2. Run web-auth-server server-name

        The Portal server template view is displayed.

      3. Run url-template url-template

        The URL template is bound to the Portal server template.

        By default, no URL template is bound to a Portal server template.

      4. Run quit

        Return to the system view.
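The following CLI session is an added worked example of the procedure above (it is not taken from the Huawei guide). It creates an external Portal server template in HTTPS mode, so that the user name and password posted by the client do not cross the network in cleartext, and binds a URL template that carries the user's IP address, MAC address, the original URL and the device name. The SSL policy name portal-ssl, the template names ext-portal and portal-url, the Portal server URL, the form field names (username, password) and the URL parameter names (url, userip, usermac, nas) are all assumptions; replace them with the values your Portal server expects. Prompts are shown for orientation only.

```text
<HUAWEI> system-view
[HUAWEI] portal web-authen-server https ssl-policy portal-ssl
[HUAWEI] web-auth-server ext-portal
[HUAWEI-web-auth-server-ext-portal] protocol http
[HUAWEI-web-auth-server-ext-portal] http-method post username-key username password-key password
[HUAWEI-web-auth-server-ext-portal] quit
[HUAWEI] url-template name portal-url
[HUAWEI-url-template-portal-url] url https://portal.example.com/login
[HUAWEI-url-template-portal-url] url-parameter redirect-url url user-ipaddress userip user-mac usermac sysname nas
[HUAWEI-url-template-portal-url] url-parameter mac-address format delimiter - normal
[HUAWEI-url-template-portal-url] quit
[HUAWEI] web-auth-server ext-portal
[HUAWEI-web-auth-server-ext-portal] url-template portal-url
[HUAWEI-web-auth-server-ext-portal] quit
```

The parameter command is left at its defaults, so parameters are appended with ? as the start character, = as the assignment character and & as the delimiter; the redirection URL the client receives therefore takes a form such as https://portal.example.com/login?url=...&userip=...&usermac=...&nas=... (parameter order and exact encoding depend on the device and are not specified on this page). The SSL policy portal-ssl must already exist; its creation is outside the scope of this section. Run display web-auth-server configuration and display url-template name portal-url to confirm the result.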

Creating a Portal Access Profile

Context

The device uses Portal access profiles to uniformly manage all Portal users' access configurations. Before configuring Portal authentication, you need to create a Portal access profile.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal-access-profile name access-profile-name

    A Portal access profile is created and the Portal access profile view is displayed.

    By default, the device has the built-in Portal access profile portal_access_profile.

    NOTE:
    • The compatibility profile converted after an upgrade is not counted in the configuration specification. The built-in portal access profile portal_access_profile can be modified and applied, but cannot be deleted.
    • Before deleting a portal access profile, ensure that this profile is not bound to any authentication profile.

Configuring an External Portal Server for a Portal Access Profile

Context

To use Portal authentication, you must configure Portal server parameters on the device. The device supports external and built-in Portal servers. To use an external Portal server for authentication, you need to configure an external Portal server, and configure a Portal access profile to use the external Portal server. When users who use the Portal access profile attempt to access charged network resources, they are forcibly redirected to the authentication page of the Portal server for Portal authentication.

A Portal server profile defines parameters of the Portal server. You need to configure an external Portal server for the Portal access profile, that is, bind a Portal server profile to the Portal access profile.

To improve Portal authentication reliability, the backup Portal server profile can also be bound to the Portal access profile. When the primary Portal server is disconnected, the users are redirected to the backup Portal server for authentication. This function can take effect only when the Portal server detection function is enabled using the server-detect command and heartbeat detection is enabled on the Portal server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal-access-profile name access-profile-name

    A Portal access profile is created and the Portal access profile view is displayed.

  3. Run web-auth-server server-name [ bak-server-name ] { direct | layer3 }

    A Portal server profile is bound to the Portal access profile.

    By default, no Portal server profile is bound to a Portal access profile.

    The following Portal authentication modes are available:
    • direct: When there is no Layer 3 forwarding device between the device and a user, the device can learn the user's MAC address. You can configure the Layer 2 authentication mode so that the device can identify the user using the IP address and MAC address.
    • layer3: When there is a Layer 3 forwarding device between the device and a user, the device cannot learn the user's MAC address and can only identify the user using the IP address. You need to configure the Layer 3 authentication mode.

  4. Run portal auth-network network-address { mask-length | mask-address }

    The source subnet is set for Portal authentication.

    By default, the source authentication subnet is 0.0.0.0/0, indicating that users in all subnets must pass Portal authentication.

    The command takes effect only for Layer 3 Portal authentication. In Layer 2 Portal authentication, users on all subnets must be authenticated.

(Optional) Configuring the User Offline Detection Interval

Context

If a Portal authentication user goes offline due to a power failure or network interruption, the device and Portal server may still store the user's information, which leads to incorrect accounting. In addition, only a limited number of users can access the device. If a user goes offline improperly but the device still stores the user's information, other users cannot access the network.

After the offline detection interval is set for Portal authentication users, if a user does not respond within the interval, the device considers the user offline. The device and Portal server then delete the user information and release the occupied resources to ensure efficient resource use.

NOTE:

This function applies only to Layer 2 Portal authentication.

The heartbeat detection function of the authentication server can be used to ensure the normal online status of PC users for whom Layer 3 Portal authentication is used. If the authentication server detects that a user goes offline, it instructs the device to disconnect the user.

If the number of offline detection packets (ARP packets) exceeds the default CAR value, the detection fails and the users are logged out. To resolve the problem, the following methods are recommended:
  • Increase the detection interval based on the number of users. The default detection interval is recommended when there are fewer than 8000 users; the detection interval should be no less than 600 seconds when there are more than 8000 users.
  • Deploy the port attack defense function on the access device and limit the rate of packets sent to the CPU.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal-access-profile name access-profile-name

    The Portal access profile view is displayed.

  3. Run portal timer offline-detect time-length

    The interval for detecting Portal authentication user logout is set.

    By default, the interval for detecting Portal authentication user logout is 300s. The value 0 indicates that offline detection is not performed.

Verifying the Portal Server Profile and Portal Access Profile Configuration

Context

After configuring a Portal server profile and a Portal access profile, run the following commands to check the configuration.

Procedure

  • Run the display portal-access-profile configuration [ name access-profile-name ] command to check the configuration of the Portal access profile.
  • Run the display portal [ interface interface-type interface-number ] command to view information about Portal authentication.
  • Run the display portal user-logout [ ip-address ip-address ] command to check the temporary logout entries of Portal authentication users.
  • Run the display web-auth-server configuration command to check the configuration of the Portal server profile.
  • Run the display url-template { all | name template-name } command to check the configuration of the URL profile.
  • Run the display server-detect state [ web-auth-server server-name ] command to view the status of a Portal server.
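The following CLI session is an added worked example covering the Portal access profile procedures above (creating the profile, binding primary and backup Portal server profiles, setting the authentication subnet and the offline detection interval) together with the verification commands; it is not taken from the Huawei guide. Two profiles are shown because the two options behave differently: offline detection applies only to Layer 2 (direct) Portal authentication, while portal auth-network takes effect only for Layer 3 Portal authentication. The profile names portal-l2 and portal-l3, the server profile names ext-portal and ext-portal-bak, and the subnet 10.10.0.0/16 are assumptions; the two server profiles are assumed to have been created already, and the backup server only takes over if server-detect and heartbeat detection are enabled, as the context above notes.

```text
<HUAWEI> system-view
[HUAWEI] portal-access-profile name portal-l2
[HUAWEI-portal-access-profile-portal-l2] web-auth-server ext-portal ext-portal-bak direct
[HUAWEI-portal-access-profile-portal-l2] portal timer offline-detect 600
[HUAWEI-portal-access-profile-portal-l2] quit
[HUAWEI] portal-access-profile name portal-l3
[HUAWEI-portal-access-profile-portal-l3] web-auth-server ext-portal ext-portal-bak layer3
[HUAWEI-portal-access-profile-portal-l3] portal auth-network 10.10.0.0 16
[HUAWEI-portal-access-profile-portal-l3] quit
[HUAWEI] display portal-access-profile configuration name portal-l2
[HUAWEI] display portal-access-profile configuration name portal-l3
[HUAWEI] display server-detect state web-auth-server ext-portal
```

The offline detection interval of 600 seconds follows the recommendation above for deployments with more than 8000 users; with the default of 300 seconds and a large user base, the ARP detection packets can exceed the CPU CAR limit and users are logged out. In portal-l3, users outside 10.10.0.0/16 are not redirected to the Portal server, so the subnet must cover every network from which Portal users connect.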
Updated: 2019-08-21

Document ID: EDOC1000141885