
S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
Configuring a Portal Access Profile (for an External Portal Server-Portal Protocol)

The device supports external and built-in Portal servers. An external Portal server has independent hardware. A built-in Portal server is an embedded entity on an access device, that is, the access device functions as the Portal server. After receiving a Portal authentication request from a client, the Portal server initiates a Portal authentication request carrying the user name and password to the access device through the Portal protocol.

After configuring the Portal server, you must bind the Portal server profile to a Portal access profile. When users who use the Portal access profile attempt to access network resources that require authentication, they are forcibly redirected to the authentication page of the Portal server for Portal authentication.

This section describes how to configure the Portal server and Portal access profile when using an external Portal server.

Configuring an External Portal Server

Context

To ensure proper communication between the device and an external Portal server for authentication, configure the following information:
  • Portal server template: manages parameters of the Portal server, such as the IP address.
  • Parameters for information exchange with the Portal server: When the device connects to the Portal server, you need to configure information such as the Portal protocol version, to ensure proper communication and security.

Procedure

  • Configure a Portal server template.

    1. Run system-view

      The system view is displayed.

    2. Run web-auth-server server-name

      A Portal server template is created and the Portal server template view is displayed.

      By default, no Portal server template is created.

    3. Run protocol portal

      The protocol used in Portal authentication is set to Portal.

      By default, the Portal protocol is used in Portal authentication.

    4. Run server-ip server-ip-address &<1-10>

      An IP address is configured for the Portal server.

      By default, no IP address is configured for the Portal server.

    5. (Optional) Run source-ip ip-address

      A source IP address is configured for the device to communicate with the Portal server.

      By default, no source IP address is configured for the device.

    6. (Optional) Run port port-number [ all ]

      A destination port number is configured for the device to send packets to the Portal server.

      By default, the device uses the destination port number 50100 to send packets to the Portal server.

    7. Run shared-key cipher key-string

      A shared key is configured for the device to exchange information with the Portal server.

      By default, no shared key is configured.

    8. (Optional) Run web-redirection disable

      The Portal authentication redirection function is disabled.

      By default, the Portal authentication redirection function is enabled.

      By default, the device redirects unauthenticated users to the Portal authentication page when they send access requests to external networks. If users are expected to enter the URL of the authentication page manually, run the web-redirection disable command so that unauthenticated users are not forcibly redirected to the Portal authentication page.

    9. Configure the URL of the Portal server.

      You can bind either a URL or a URL template to a Portal server template. Compared with binding a plain URL, binding a URL template lets you configure the redirection URL of the Portal server and have that URL carry parameters related to the user or the access device. The Portal server can then obtain user terminal information from the parameters carried in the URL and present different Portal authentication pages to different users. Choose the binding mode based on actual requirements.

      • URL binding mode

        Run url url-string

        A URL is configured for the Portal server.

        By default, no URL is configured for the Portal server.

      • URL template binding mode

        1. Create and configure a URL template.

          1. Run quit

            Return to the system view.

          2. Run url-template name template-name

            A URL template is created and the URL template view is displayed.

            By default, no URL template is created on the device.

          3. Run url url-string

            A redirection URL is configured for the Portal server.

            By default, no redirection URL is configured for the Portal server.

          4. Run url-parameter { redirect-url redirect-url-value | sysname sysname-value | user-ipaddress user-ipaddress-value | user-mac user-mac-value } *

            Parameters carried in the URL are configured.

            By default, a URL does not carry parameters.

          5. Run url-parameter mac-address format delimiter delimiter { normal | compact }

            The MAC address format in the URL is configured.

            By default, the MAC address format in a URL is XXXXXXXXXXXX.

          6. Run parameter { start-mark parameter-value | assignment-mark parameter-value | isolate-mark parameter-value } *

            Characters in the URL are configured.

            By default, the start character in a URL is a question mark (?), the assignment character is an equal sign (=), and the delimiter between parameters is an ampersand (&).

          7. Run quit

            Return to the system view.

        2. Run web-auth-server server-name

          The Portal server template view is displayed.

        3. Run url-template url-template [ ciphered-parameter-name ciphered-parameter-name iv-parameter-name iv-parameter-name key cipher key-string ]

          The URL template is bound to the Portal server template.

          By default, no URL template is bound to a Portal server template.

          NOTE:

          The device supports encryption of parameter information in the URL template only when it connects to the Huawei Agile Controller-Campus.

  • Configure parameters for information exchange with the Portal server.

    • Run system-view

      The system view is displayed.

    • Run web-auth-server version v2 [ v1 ]

      Portal protocol versions supported by the device are configured.

      By default, the device supports Portal protocol v1 and v2.

      NOTE:

      The default setting is recommended to ensure proper communication; that is, the device supports both versions.

    • Run web-auth-server listening-port port-number

      The number of the port through which the device listens to Portal packets is configured.

      By default, the device listens to Portal packets through port 2000.

    • Run web-auth-server reply-message

      The device is enabled to transparently transmit user authentication information received from the authentication server to the Portal server.

      By default, the device transparently transmits users' authentication responses sent by the authentication server to the Portal server.

    • Run portal https-redirect enable

      HTTPS redirection of Portal authentication is enabled.

      By default, HTTPS redirection is disabled for Portal authentication users.

      NOTE:
      • If Portal authentication is triggered when a user visits a website using HTTPS, the browser displays a security warning, because the redirect response comes from the access device rather than from the site the user requested. The user needs to click Continue to complete Portal authentication.
      • Redirection cannot be performed for browsers or websites using HTTP Strict Transport Security (HSTS).
      • If the destination port in HTTPS request packets sent by users is not the well-known port (443), redirection cannot be performed.
      • To enable HTTPS redirection of Portal authentication, run the portal https-redirect enable command, and then run the portal https-redirect wired enable command.
      • This function takes effect only for new Portal authentication users.
    • Run portal logout resend times timeout period

      The number of times that the device retransmits offline packets of Portal authentication users and the retransmission interval are configured.

      By default, the device retransmits offline packets of Portal authentication users for three times at an interval of five seconds.

    • Run portal logout different-server enable

      The device is enabled to process user logout requests sent by a Portal server other than the one from which users log in.

      By default, a device does not process user logout requests sent by Portal servers other than the one from which users log in.
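The following consolidated example is added here as an illustration of the procedure above; it is not taken from the original page or from a Huawei example. The template name portal1, the URL template name portal_tpl, the device name SW1, the addresses 10.10.10.1 (Portal server) and 10.1.1.1 (device source address), the host name portal.example.com, the parameter names url, nas, userip and usermac, and the shared key are all placeholders chosen for this example.

```text
<HUAWEI> system-view
[HUAWEI] sysname SW1
[SW1] web-auth-server portal1
[SW1-web-auth-server-portal1] protocol portal
[SW1-web-auth-server-portal1] server-ip 10.10.10.1
[SW1-web-auth-server-portal1] source-ip 10.1.1.1
[SW1-web-auth-server-portal1] port 50100
[SW1-web-auth-server-portal1] shared-key cipher Portal-K3y-2019!
[SW1-web-auth-server-portal1] quit
[SW1] url-template name portal_tpl
[SW1-url-template-portal_tpl] url http://portal.example.com/portal
[SW1-url-template-portal_tpl] url-parameter redirect-url url sysname nas user-ipaddress userip user-mac usermac
[SW1-url-template-portal_tpl] url-parameter mac-address format delimiter - normal
[SW1-url-template-portal_tpl] parameter start-mark ? assignment-mark = isolate-mark &
[SW1-url-template-portal_tpl] quit
[SW1] web-auth-server portal1
[SW1-web-auth-server-portal1] url-template portal_tpl
[SW1-web-auth-server-portal1] quit
[SW1] web-auth-server version v2 v1
[SW1] web-auth-server listening-port 2000
[SW1] portal https-redirect enable
[SW1] portal https-redirect wired enable
[SW1] portal logout resend 3 5
[SW1] display web-auth-server configuration
[SW1] display url-template name portal_tpl
```

Points worth checking in this example: the value given after each url-parameter keyword is the parameter name that will appear in the redirection URL, so an unauthenticated user is sent to a URL of the form http://portal.example.com/portal?url=...&nas=SW1&userip=...&usermac=... (illustrative shape, not device output); with the delimiter - and the normal format the MAC address is assumed here to appear as XX-XX-XX-XX-XX-XX, with compact giving XXXX-XXXX-XXXX, which should be confirmed against the command reference. Because URL parameter encryption is only available with the Agile Controller-Campus, the user's IP and MAC address travel in clear text in the redirect URL with any other Portal server. The shared key is not optional: it is what lets the device and server check each other's Portal packets, so use a long random value and set the same key on the server. The source-ip setting gives the Portal server a fixed device address to filter on, and the device's own listening port (2000 by default) should only be reachable from the Portal server addresses. The portal logout different-server enable command from the procedure is deliberately left at its default (disabled) here, since enabling it allows a Portal server other than the one a user logged in through to log that user out.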

(Optional) Configuring the Portal Server Detection Function

Context

In Portal authentication application, if communication between the device and Portal server is interrupted due to a network failure or Portal server failure, new Portal authentication users cannot go online, and online Portal users cannot go offline normally.

The Portal server detection function enables the device to generate logs and alarms for network faults and Portal server faults.

When two Portal servers work in active/standby mode or the Portal escape function is configured, enable the Portal server detection function on the device.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run web-auth-server server-name

    The Portal server profile view is displayed.

  3. Run server-detect [ interval interval-period | max-times times | critical-num critical-num | action { log | trap } * ] *

    The Portal server detection function is enabled.

    By default, the Portal server detection function is disabled.

(Optional) Configuring Synchronization of Portal Authentication User Information

Context

In Portal authentication application, if communication between the device and Portal server is interrupted due to a network failure or Portal server failure, online Portal users cannot go offline normally. As a result, user information on the device may be different from that on the Portal server, causing inaccurate accounting.

The user information synchronization mechanism ensures user information consistency between the Portal server and the device, so that accounting can be performed accurately.
NOTE:

For Layer 3 Portal authentication, the device currently can synchronize user information with the Huawei Agile Controller-Campus server. If the device connects to other Portal servers, user information may fail to be synchronized and users cannot go offline in real time. You can run the cut access-user command or use the NMS or RADIUS DM to force users to go offline.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run web-auth-server server-name

    The Portal server profile view is displayed.

  3. Run user-sync [ interval interval-period | max-times times ] *

    User information synchronization is enabled.

    By default, user information synchronization is disabled.
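As an added example (not from the original page) covering both optional procedures above, the following enables Portal server detection and user information synchronization on the template portal1 configured earlier and then checks the server state. The template name and the interval, retry and threshold values are assumptions for the example; the defaults for these parameters are not stated on this page, so they are set explicitly.

```text
<SW1> system-view
[SW1] web-auth-server portal1
[SW1-web-auth-server-portal1] server-detect interval 30 max-times 3 critical-num 0 action log trap
[SW1-web-auth-server-portal1] user-sync interval 300 max-times 3
[SW1-web-auth-server-portal1] quit
[SW1] display server-detect state web-auth-server portal1
```

With action log trap the device both logs the fault and sends an SNMP trap, so a Portal server outage shows up in the NMS rather than only in the local log. The critical-num value is understood here as the number of reachable servers in the template at or below which the device declares the fault (0 means only when every server is unreachable); treat that reading as an assumption and confirm it in the command reference. Detection is a prerequisite for the backup server and Portal escape functions described later, and it only works if heartbeat detection is also enabled on the Portal server itself. User synchronization is only documented to work with the Agile Controller-Campus for Layer 3 Portal authentication; with other servers, stale online entries must be cleared with cut access-user, the NMS or RADIUS DM.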

Creating a Portal Access Profile

Context

The device uses Portal access profiles to manage all Portal user access configurations in one place. Before configuring Portal authentication, you need to create a Portal access profile.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal-access-profile name access-profile-name

    A Portal access profile is created and the Portal access profile view is displayed.

    By default, the device has the built-in Portal access profile portal_access_profile.

    NOTE:
    • The compatibility profile converted after an upgrade is not counted in the configuration specification. The built-in portal access profile portal_access_profile can be modified and applied, but cannot be deleted.
    • Before deleting a portal access profile, ensure that this profile is not bound to any authentication profile.

Configuring an External Portal Server for a Portal Access Profile

Context

To use Portal authentication, you must configure Portal server parameters on the device. The device supports external and built-in Portal servers. To use an external Portal server for authentication, you need to configure an external Portal server and configure a Portal access profile to use it. When users who use the Portal access profile attempt to access network resources that require authentication, they are forcibly redirected to the authentication page of the Portal server for Portal authentication.

A Portal server profile defines parameters of the Portal server. You need to configure an external Portal server for the Portal access profile, that is, bind a Portal server profile to the Portal access profile.

To improve Portal authentication reliability, the backup Portal server profile can also be bound to the Portal access profile. When the primary Portal server is disconnected, the users are redirected to the backup Portal server for authentication. This function can take effect only when the Portal server detection function is enabled using the server-detect command and heartbeat detection is enabled on the Portal server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal-access-profile name access-profile-name

    A Portal access profile is created and the Portal access profile view is displayed.

  3. Run web-auth-server server-name [ bak-server-name ] { direct | layer3 }

    A Portal server profile is bound to the Portal access profile.

    By default, no Portal server profile is bound to a Portal access profile.

    The following Portal authentication modes are available:
    • direct: When there is no Layer 3 forwarding device between the device and a user, the device can learn the user's MAC address. You can configure the Layer 2 authentication mode so that the device can identify the user using the IP address and MAC address.
    • layer3: When there is a Layer 3 forwarding device between the device and a user, the device cannot learn the user's MAC address and can only identify the user using the IP address. You need to configure the Layer 3 authentication mode.

  4. Run portal auth-network network-address { mask-length | mask-address }

    The source subnet is set for Portal authentication.

    By default, the source authentication subnet is 0.0.0.0/0, indicating that users in all subnets must pass Portal authentication.

    The command takes effect only for Layer 3 Portal authentication. In Layer 2 Portal authentication, users on all subnets must be authenticated.

(Optional) Configuring the User Offline Detection Interval

Context

If a Portal authentication user goes offline due to a power failure or network interruption, the device and Portal server may still store the user's information, which leads to incorrect accounting. In addition, only a limited number of users can access the device. If a user goes offline improperly but the device still stores the user's entry, that entry continues to count against the limit and other users may be unable to access the network.

After the offline detection interval is set for Portal authentication users, if a user does not respond within the interval, the device considers the user offline. The device and Portal server then delete the user information and release the occupied resources to ensure efficient resource use.

NOTE:

This function applies only to Layer 2 Portal authentication.

The heartbeat detection function of the authentication server can be used to ensure the normal online status of PC users for whom Layer 3 Portal authentication is used. If the authentication server detects that a user goes offline, it instructs the device to disconnect the user.

If the number of offline detection packets (ARP packets) exceeds the default CAR value, the detection fails and the users are logged out. To resolve the problem, the following methods are recommended:
  • Increase the detection interval based on the number of users. The default detection interval is recommended when there are fewer than 8000 users; the detection interval should be no less than 600 seconds when there are more than 8000 users.
  • Deploy the port attack defense function on the access device and limit the rate of packets sent to the CPU.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal-access-profile name access-profile-name

    The Portal access profile view is displayed.

  3. Run portal timer offline-detect time-length

    The interval for detecting Portal authentication user logout is set.

    By default, the interval for detecting Portal authentication user logout is 300s. The value 0 indicates that offline detection is not performed.

(Optional) Configuring the Portal Escape Function

Context

If the Portal server is Down, users cannot pass authentication and therefore have no network access rights. The Portal escape function allows the access device to grant specified network access rights to users when it detects that the Portal server is Down, so that basic network access requirements are met.

NOTE:

Only users whose Portal authentication is triggered by HTTP packets support this function.

An authorized VLAN cannot be delivered to online Portal users.

The Portal escape function does not take effect when users perform Layer 3 Portal authentication.

Pre-configuration Tasks
Before configuring the Portal escape function, complete the following tasks:
  1. Enable the heartbeat detection function on the Portal server.
  2. Enable the Portal server detection function on the access device. For details about the configuration, see (Optional) Configuring the Portal Server Detection Function.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure authorization parameters.

    • Service scheme

      1. Run aaa

        The AAA view is displayed.

      2. Run service-scheme service-scheme-name

        A service scheme is created and the service scheme view is displayed.

        By default, no service scheme is configured on the device.

      3. Run user-vlan vlan-id

        A user VLAN is configured in the service scheme.

        By default, no user VLAN is configured in a service scheme.

        Before running this command, ensure that a VLAN has been created using the vlan command.

      4. Run voice-vlan

        The voice VLAN function is enabled in the service scheme.

        By default, the voice VLAN function is disabled in a service scheme.

        For this configuration to take effect, ensure that a VLAN has been specified as the voice VLAN using the voice-vlan enable command and the voice VLAN function has been enabled on the interface.

      5. Run quit

        The AAA view is displayed.

      6. Run quit

        The system view is displayed.

  3. Run portal-access-profile name access-profile-name

    The Portal access profile view is displayed.

  4. Run authentication event portal-server-down action authorize service-scheme service-scheme-name

    Network access rights are configured for users to use when the Portal server is Down.

    By default, no network access right is configured for users to use when the Portal server is Down.

  5. (Optional) Run authentication event portal-server-up action re-authen

    The device is enabled to re-authenticate users when the Portal server changes from Down to Up.

    By default, the device does not re-authenticate users when the Portal server changes from Down to Up.

    If you perform this step, the access device re-authenticates users when it detects that the Portal server changes from Down to Up. The access device sets users whose status is displayed as web-server-down to the pre-connection state. Re-authentication starts when such a user visits any web page. If the authentication is successful, the access device grants normal network access rights to the user.

Verifying the Configuration
  • Run the display portal-access-profile configuration [ name access-profile-name ] command to check authorization information configured for the Portal escape function.
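The following added example (not part of the original page) brings together the Portal access profile procedures above: binding a primary and a backup Portal server profile, setting the authentication subnet for a Layer 3 profile, changing the offline detection interval, and configuring Portal escape with re-authentication after recovery. The profile names portal_direct and portal_l3, the service scheme name portal_escape, VLAN 100, the subnet 10.20.0.0/16 and the server templates portal1 and portal2 are assumptions; portal1 and portal2 are taken to be two Portal server templates configured as in the earlier sections, each with server-detect enabled.

```text
<SW1> system-view
[SW1] vlan 100
[SW1-vlan100] quit
[SW1] aaa
[SW1-aaa] service-scheme portal_escape
[SW1-aaa-service-portal_escape] user-vlan 100
[SW1-aaa-service-portal_escape] quit
[SW1-aaa] quit
[SW1] portal-access-profile name portal_direct
[SW1-portal-access-profile-portal_direct] web-auth-server portal1 portal2 direct
[SW1-portal-access-profile-portal_direct] portal timer offline-detect 600
[SW1-portal-access-profile-portal_direct] authentication event portal-server-down action authorize service-scheme portal_escape
[SW1-portal-access-profile-portal_direct] authentication event portal-server-up action re-authen
[SW1-portal-access-profile-portal_direct] quit
[SW1] portal-access-profile name portal_l3
[SW1-portal-access-profile-portal_l3] web-auth-server portal1 layer3
[SW1-portal-access-profile-portal_l3] portal auth-network 10.20.0.0 16
[SW1-portal-access-profile-portal_l3] quit
[SW1] display portal-access-profile configuration name portal_direct
[SW1] display portal-access-profile configuration name portal_l3
```

Two profiles are shown because the options are not interchangeable between authentication modes: offline detection and Portal escape apply only to the direct (Layer 2) profile, while portal auth-network is honoured only by the layer3 profile and is ignored for direct mode, where users on every subnet are authenticated. The 600 second offline-detect value follows the sizing guidance above for more than 8000 users; for smaller deployments the default is fine. The backup server portal2 is used only when portal1 is detected as Down, so without server-detect on the templates and heartbeat detection on the servers the second name has no effect. VLAN 100 is the network an unauthenticated user lands in while the Portal server is unreachable, so it should carry only the minimum needed for basic access, and the portal-server-up re-authen step is what returns those users to pre-connection and forces a real authentication once the server recovers rather than letting escape rights persist.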

Verifying the Portal Server Profile and Portal Access Profile Configuration

Context

After configuring a Portal server profile and a Portal access profile, run the following commands to check the configuration.

Procedure

  • Run the display portal-access-profile configuration [ name access-profile-name ] command to check the configuration of the Portal access profile.
  • Run the display portal [ interface interface-type interface-number ] command to view information about Portal authentication.
  • Run the display portal user-logout [ ip-address ip-address ] command to check the temporary logout entries of Portal authentication users.
  • Run the display web-auth-server configuration command to check the configuration of the Portal server profile.
  • Run the display url-template { all | name template-name } command to check the configuration of the URL profile.
  • Run the display server-detect state [ web-auth-server server-name ] command to view the status of a Portal server.
Updated: 2019-08-21

Document ID: EDOC1000141885