
S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
AAA Scheme

During AAA implementation, you can define a set of AAA configuration policies using an AAA scheme. An AAA scheme contains a collection of authentication, authorization, and accounting methods defined on an NAS. Such methods can be used in combination depending on access features of users and security requirements.

Authentication Scheme

An authentication scheme is used to define methods for user authentication and the order in which authentication methods take effect. An authentication scheme is applied to a domain. It is combined with the authorization scheme, accounting scheme, and server template in the domain for user authentication, authorization, and accounting.

Authentication Methods Supported by a Device
  • RADIUS authentication: User information is configured on the RADIUS server through which user authentication is performed.
  • HWTACACS authentication: User information is configured on the HWTACACS server through which user authentication is performed.
  • Local authentication: The device functions as an authentication server and user information is configured on the device. This mode features fast processing and low operation costs. However, the information storage capacity is subject to the device hardware.
  • Non-authentication: Users are completely trusted without validity check. This mode is rarely used.
Order in Which Authentication Methods Take Effect
An authentication scheme enables you to designate one or more authentication methods to be used for authentication, thus ensuring a backup system for authentication in case the initial method does not respond. An NAS uses the first method listed in the scheme to authenticate users; if that method does not respond, the NAS selects the next authentication method in the authentication scheme. This process continues until there is successful communication with a listed authentication method or the authentication method list is exhausted, in which case authentication fails.
NOTE:

The NAS attempts authentication with the next listed authentication method only when there is no response from the previous method. If authentication fails at any point in this cycle — meaning that the AAA server responds by denying the user access — the authentication process stops and no other authentication methods are attempted.

Authorization Scheme

An authorization scheme is used to define methods for user authorization and the order in which authorization methods take effect. An authorization scheme is applied to a domain. It is combined with the authentication scheme, accounting scheme, and server template in the domain for user authentication, authorization, and accounting.

Authorization Methods Supported by a Device
  • HWTACACS authorization: An HWTACACS server is used to authorize users.
  • Local authorization: The device functions as an authorization server to authorize users based on user information configured on the device.
  • Non-authorization: Authenticated users have unrestricted access rights on a network.
  • if-authenticated authorization: A user who passes authentication also passes authorization; otherwise, the user fails authorization. This mode applies to scenarios where users must be authenticated and the authentication process can be separated from the authorization process.
NOTE:

RADIUS authentication is combined with authorization and cannot be separated. If authentication succeeds, authorization also succeeds. When RADIUS authentication is used, you do not need to configure an authorization scheme.

In addition, the "authentication + rights level" method is typically used to control access of the administrators (login users) to the device, improving the device operation security. Authentication restricts the administrators' access to the device and the rights level defines commands that the administrators can enter after logging in to the device. For details about the method, see CLI Login Configuration in S600-E V200R010C00 CLI-based configuration - Basic Configuration Guide.

Order in Which Authorization Methods Take Effect

An authorization scheme enables you to designate one or more authorization methods to be used for authorization, thus ensuring a backup system for authorization in case the initial method does not respond. The first method listed in the scheme is used to authorize users; if that method does not respond, the next authorization method in the authorization scheme is selected. If the initial method responds with an authorization failure message, the AAA server refuses to provide services for the user. In this case, authorization ends and the next listed method is not used.
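The fallback rule described for authentication schemes above and repeated here for authorization schemes is the same: a later method in the list is consulted only when the previous one gives no response, while an explicit denial from any responding method is final. The following Python model is an added example, not code from this guide or from Huawei; the method names, the Result enumeration and the stand-in RADIUS and local checks are constructed for illustration.

```python
from enum import Enum
from typing import Callable, Sequence, Tuple

class Result(Enum):
    """Outcome of consulting one AAA method (constructed model, not a Huawei API)."""
    ACCEPT = "accept"
    REJECT = "reject"            # the method answered and denied the user
    NO_RESPONSE = "no-response"  # timeout or unreachable: the only case that triggers fallback

# An ordered scheme entry: the method's name and a callable that checks a user.
Method = Tuple[str, Callable[[str], Result]]

def run_scheme(methods: Sequence[Method], user: str) -> Tuple[Result, str]:
    """Evaluate an ordered method list the way the NAS does.

    A later method is consulted only when the previous one does not respond.
    An explicit REJECT from any responding method is final. If every method is
    silent, the list is exhausted and the user fails (source reported as 'none').
    """
    for name, query in methods:
        outcome = query(user)
        if outcome is Result.NO_RESPONSE:
            continue               # try the next listed method
        return outcome, name       # ACCEPT or REJECT: stop here
    return Result.REJECT, "none"   # no method answered: fail closed

# Constructed stand-ins for a RADIUS server and the local user database.
def radius_unreachable(user: str) -> Result:
    return Result.NO_RESPONSE

def radius_denies_bob(user: str) -> Result:
    return Result.REJECT if user == "bob" else Result.ACCEPT

LOCAL_USERS = {"alice", "bob"}      # users configured locally on the device
def local_db(user: str) -> Result:
    return Result.ACCEPT if user in LOCAL_USERS else Result.REJECT

def no_auth(user: str) -> Result:
    return Result.ACCEPT           # non-authentication: every user is trusted

def demo() -> dict:
    """Scheme/user combinations that show the fallback rule."""
    fallback = [("radius", radius_unreachable), ("local", local_db)]
    strict = [("radius", radius_denies_bob), ("local", local_db)]
    return {
        # RADIUS is silent, so local answers: bob is accepted locally.
        "bob_fallback": run_scheme(fallback, "bob"),
        # RADIUS answers with a denial: local is never consulted.
        "bob_strict": run_scheme(strict, "bob"),
        # RADIUS silent, local answers REJECT for an unknown user.
        "eve_fallback": run_scheme(fallback, "eve"),
        # Only a silent method is listed: list exhausted, fail closed.
        "nobody_answers": run_scheme([("radius", radius_unreachable)], "alice"),
        # A trailing non-authentication method turns a silent RADIUS into an accept for anyone.
        "eve_open": run_scheme([("radius", radius_unreachable), ("none", no_auth)], "eve"),
    }

if __name__ == "__main__":
    for case, (result, source) in demo().items():
        print(f"{case:15s} -> {result.value} (by {source})")
```

The last case is the one to watch when reviewing a scheme: listing non-authentication as the final fallback means that an unreachable server turns into an accept for every user, so the backup method should be one that still checks credentials (local) rather than one that trusts everyone.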

Authorization Information
Authorization information can be delivered by a server or configured in a domain. Whether a user obtains authorization information delivered by a server or in a domain depends on the authorization method configured in the authorization scheme. For details, see Figure 1-5.
  • If local authorization is used, the user obtains authorization information from the domain.
  • If server-based authorization is used, the user obtains authorization information from the server or the domain. Authorization information configured in a domain has lower priority than that delivered by a server. If the two types of authorization information conflict, the information delivered by the server takes effect. If no conflict occurs, the two types of authorization information take effect simultaneously. In this manner, you can increase authorization flexibility by means of domain management, regardless of the authorization attributes provided by the AAA server.
Figure 1-5  Two types of authorization information
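To make the precedence rule concrete, the following Python function merges domain-configured and server-delivered authorization information under the two modes just described: local authorization uses the domain only, server-based authorization lets a server value override a conflicting domain value and applies the rest of both sides together. It is an added example, not code from this guide or from Huawei; the attribute names and sample values are constructed (they follow Table 1-3 and Table 1-4 loosely), and the function also records where each effective attribute came from so that an operator can audit the result.

```python
from typing import Dict, Optional, Tuple

Attrs = Dict[str, object]

def effective_authorization(mode: str, domain: Attrs,
                            server: Optional[Attrs]) -> Tuple[Attrs, Dict[str, str]]:
    """Return (effective attributes, source of each attribute).

    mode "local":  the user gets only the domain's information; anything a
                   server might hold is ignored.
    mode "server": domain information is the base, server-delivered
                   information overrides a conflicting domain value, and
                   attributes present on only one side apply together.
    """
    if mode == "local":
        return dict(domain), {k: "domain" for k in domain}
    if mode != "server":
        raise ValueError(f"unknown authorization mode: {mode}")
    effective: Attrs = dict(domain)
    source = {k: "domain" for k in domain}
    for key, value in (server or {}).items():
        effective[key] = value      # server value wins whether or not the domain set it
        source[key] = "server"
    return effective, source

# Constructed sample data: what the domain holds and what a server delivered.
DOMAIN_CONFIG: Attrs = {"vlan": 100, "user-group": "staff", "idle-cut": 30}
SERVER_REPLY: Attrs = {"vlan": 200, "acl-number": 3001}

def demo() -> Dict[str, Tuple[Attrs, Dict[str, str]]]:
    return {
        # local authorization: the server's attributes are never applied
        "local": effective_authorization("local", DOMAIN_CONFIG, SERVER_REPLY),
        # server-based: vlan 200 replaces vlan 100, acl-number is added, the rest stays
        "server": effective_authorization("server", DOMAIN_CONFIG, SERVER_REPLY),
        # server-based but the server delivered nothing: domain values apply
        "server_empty": effective_authorization("server", DOMAIN_CONFIG, None),
    }

if __name__ == "__main__":
    for name, (attrs, src) in demo().items():
        print(name, {k: (attrs[k], src[k]) for k in attrs})
```

The source map is the useful part for troubleshooting: when a user ends up in an unexpected VLAN or with an unexpected ACL, it shows at a glance whether the value came from the domain configuration on the NAS or from the server's reply.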

Table 1-3 shows authorization information typically used by a server. Table 1-4 shows authorization information that can be configured in a domain.

Table 1-3  Common authorization information of a RADIUS server (authorization information: description)
  • ACL number: The server delivers an ACL number. You need to configure the rules of that ACL on the NAS.
  • ACL rule: The server delivers the ACL rule itself. Users can access all network resources defined in the rule, and you do not need to configure the corresponding ACL on the NAS.
  • VLAN: If dynamic VLAN delivery is configured on the server, the authorization information sent to the NAS includes the VLAN attribute. After the NAS receives the authorization information, it moves the user to the delivered VLAN. The delivered VLAN does not change or affect the interface configuration, but it takes precedence over the user-configured VLAN: the delivered VLAN takes effect after authentication succeeds, and the user-configured VLAN takes effect again after the user goes offline.
  • User group/UCL group: The server delivers the user group name, UCL group name, or UCL group ID to the NAS. You need to configure the corresponding group and the network resources in the group on the NAS.
  • CAR: The server delivers authorization that controls the committed information rate (CIR), peak information rate (PIR), committed burst size (CBS), and peak burst size (PBS) for traffic between the user and the NAS.
  • Administrator level: Priority of an administrator (such as a Telnet user) delivered by the server. The priority ranges from 0 to 15; a value greater than or equal to 16 is invalid.
  • Service scheme: Name of a service scheme delivered by the server. You need to configure the corresponding service scheme, and the network authorization and policy in that scheme, on the NAS.
  • Idle-cut: Idle-cut time delivered by the server. After a user goes online, the user is disconnected if the consecutive idle period, or the period during which traffic stays below a specified value, exceeds the idle-cut time.
  • Reauthentication or forcible logout: Remaining service availability period delivered by the server. When the period expires, the user is reauthenticated or forced offline, according to the action delivered by the server.
Table 1-4  Authorization information that can be configured in a domain (authorization parameter: description)
  • VLAN: VLAN-based authorization is easy to deploy and has low maintenance costs. It applies to scenarios where employees in an office or a department have the same access rights. In local authorization, you only need to configure the VLANs and the corresponding network resources in each VLAN on the NAS. An authorized VLAN cannot be delivered to online Portal users. For MAC address-prioritized Portal authentication, the Agile Controller-Campus V1 delivers the session timeout attribute after Portal authentication succeeds so that the user goes offline immediately, and then delivers an authorized VLAN after the user passes MAC address authentication. After a user obtains VLAN-based authorization, the user needs to manually request an IP address using DHCP.
  • Service scheme: A service scheme and the corresponding network resources in the scheme need to be configured on the NAS.
  • User group (common mode): A user group consists of users (terminals) with the same attributes, such as role and rights. For example, you can divide users on a campus network into the R&D, finance, marketing, and guest groups based on the enterprise department structure, and apply different security policies to each department. You need to configure the user group and the corresponding network resources in the group on the NAS.

Accounting Scheme

An accounting scheme is used to define a user accounting method. An accounting scheme is applied to a domain. It is combined with the authentication scheme, authorization scheme, and server template in the domain for user authentication, authorization, and accounting.

Accounting Methods Supported by a Device
  • RADIUS accounting: A RADIUS server is used to perform user accounting.
  • HWTACACS accounting: An HWTACACS server is used to perform user accounting.
  • Non-accounting: Users can access a network without being charged.
Order in Which Accounting Methods Take Effect

You can only specify an accounting method at one time in an accounting scheme.

As described in RADIUS Packets, RADIUS accounting packets are divided into Accounting-Request and Accounting-Response packets. Accounting succeeds if the server answers each Accounting-Request packet sent by the device with an Accounting-Response packet. If no Accounting-Response packet is received from the server, accounting fails.

After the accounting function is enabled, the device sends Accounting-Request packets recording user activities to the AAA server. The AAA server then performs user accounting and auditing based on information in the packets. Take RADIUS accounting as an example. Accounting-Request packets are divided into three types:
  • Accounting-Request (Start) packet: When a user is successfully authenticated and begins to access network resources, the device sends an Accounting-Request (Start) packet to the RADIUS server.
  • Accounting-Request (Stop) packet: When a user is disconnected proactively (or forcibly by the NAS), the device sends an Accounting-Request (Stop) packet to the server.
  • Accounting-Request (Interim-update) packet: To reduce accounting deviation and ensure that the accounting server can receive Accounting-Request (Stop) packets and stop user accounting, you can configure the real-time accounting function on the device. In this case, the device periodically sends an Accounting-Request (Interim-update) packet to the RADIUS server.
Typically, the server answers each Accounting-Request packet sent by a device with an Accounting-Response packet. If the device does not receive the corresponding Accounting-Response packet, for example because of a network fault, accounting fails. In this case, the device determines whether the user can stay online depending on the type of the Accounting-Request packet, as follows:
  • Accounting-start failure: The user goes offline by default.
  • Real-time accounting failure: The user is allowed to be online by default.
  • Accounting-stop failure: The device retransmits the Accounting-Request (Stop) packet.
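The three default policies above (start failure takes the user offline, interim-update failure leaves the user online, stop failure retransmits) can be modelled as a small state machine. The following Python block is an added example, not code from this guide or from Huawei: the FlakyServer class is a constructed stand-in for a RADIUS accounting server that drops a given number of requests, and the retransmission bound for Stop packets is an assumption, since the page states only that the packet is retransmitted.

```python
from enum import Enum
from typing import Dict

class AcctType(Enum):
    START = "Accounting-Request (Start)"
    INTERIM = "Accounting-Request (Interim-update)"
    STOP = "Accounting-Request (Stop)"

class FlakyServer:
    """Constructed stand-in for a RADIUS accounting server: the first `drop`
    requests get no Accounting-Response, every later one is answered."""
    def __init__(self, drop: int) -> None:
        self.drop = drop
        self.requests = 0

    def send(self) -> bool:
        self.requests += 1
        return self.requests > self.drop

def handle_accounting(kind: AcctType, server: FlakyServer,
                      stop_retransmits: int = 3) -> Dict[str, object]:
    """Send one accounting request and apply the device's default failure policy.

    Returns whether the user is still online, whether the record reached the
    server, and how many requests were sent. `stop_retransmits` is an assumed
    bound (the page only says the Stop packet is retransmitted).
    """
    delivered = server.send()
    sent = 1
    if kind is AcctType.STOP:
        # The user is already leaving; the concern is delivering the Stop record.
        while not delivered and sent <= stop_retransmits:
            delivered = server.send()
            sent += 1
        return {"user_online": False, "record_delivered": delivered, "requests_sent": sent}
    if delivered:
        return {"user_online": True, "record_delivered": True, "requests_sent": 1}
    # No Accounting-Response: Start failure -> offline; Interim failure -> stays online.
    return {"user_online": kind is AcctType.INTERIM, "record_delivered": False, "requests_sent": 1}

def demo() -> Dict[str, Dict[str, object]]:
    return {
        "start_ok": handle_accounting(AcctType.START, FlakyServer(drop=0)),
        "start_fail": handle_accounting(AcctType.START, FlakyServer(drop=1)),
        "interim_fail": handle_accounting(AcctType.INTERIM, FlakyServer(drop=1)),
        "stop_retry_ok": handle_accounting(AcctType.STOP, FlakyServer(drop=2)),
        "stop_retry_exhausted": handle_accounting(AcctType.STOP, FlakyServer(drop=10)),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} {outcome}")
```

The interim-update default is fail-open: a lost path to the accounting server does not knock users offline, but it does leave gaps in the accounting and audit trail, so an accounting server that stops answering should be alarmed on rather than discovered later from missing records.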
Updated: 2019-08-21

Document ID: EDOC1000141885