S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
Assigning Network Access Rights to Users Based on User Context Profiles

Context

User context is the association information of a user, such as the user name, user VLAN, and access interface.

To simplify the authentication server configuration, the administrator can, based on the user context, add users that should receive the same network access rights to the same user context profile, and then configure network access rights per profile rather than per user. When the user context identification function is enabled and a user goes online, the device identifies the user's context information and, according to the identification result, adds the user to the matching context profile.
  • If the user is authenticated successfully, the authentication server can assign the user the network access rights mapped to the user context profile, based on the user context that the device reports.
  • If the user is not authenticated successfully, the device itself assigns the network access rights configured for each phase before authentication success (for example pre-authentication, authentication failure, or authentication server down); the user authentication event authorization policy binds these rights to the context profile.

For example, on some enterprise networks VLANs divide the network into areas with different security levels, and the administrator requires a user to obtain different network access rights depending on the area from which the user connects. In this case, the user context identification function is enabled on the access devices, the VLANs that belong to one area are added to the same user context profile, and network access rights are mapped to each user context profile according to the security level of its area. A user connecting from different areas is then added to the user context profile matching the access VLAN and obtains the corresponding network access rights.

NOTE:

The device identifies user context by VLAN only.

During 802.1X authentication, if the client does not respond, 802.1X authentication is not triggered even when a user context profile is matched, so the configured user context profile does not take effect in that case.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run access-context profile enable

    The user context identification function is enabled.

    By default, the user context identification function is disabled.

  3. Create a user context profile and configure an identification policy.

    1. Run access-context profile name profile-name

      The user context profile is created and the user context profile view is displayed.

      By default, no user context profile is created.

    2. Run if-match vlan-id { start-vlan-id [ to end-vlan-id ] } &<1-10>

      The VLAN ID-based user identification policy is configured.

      By default, no VLAN ID-based user identification policy is configured.

    3. Run quit

      Return to the system view.

  4. Assign network access rights to users based on user context profiles.

    1. Run access-author policy name policy-name

      The user authentication event authorization policy is created and the user authentication event authorization policy view is displayed.

      By default, no user authentication event authorization policy is created.

    2. Run match access-context-profile profile-name action { authen-fail service-scheme service-scheme-name | authen-server-down service-scheme service-scheme-name | authen-server-up re-authen | client-no-response service-scheme service-scheme-name | portal-server-down service-scheme service-scheme-name | portal-server-up re-authen | pre-authen service-scheme service-scheme-name } *

      Network access rights are configured, based on the user context profile, for matching users in each phase before authentication success (pre-authentication, authentication failure, authentication server down, client no response, and Portal server down). The authen-server-up re-authen and portal-server-up re-authen actions re-authenticate matching users when the corresponding server becomes reachable again.

      By default, no network access rights are configured for these phases based on a user context profile.

      NOTE:

      The network access rights for each phase before authentication success are assigned through a service scheme, so before performing this step run the service-scheme command in the AAA view to create the service scheme.

    3. Run match access-context-profile profile-name action access-domain domain-name [ dot1x | mac-authen | portal ] * [ force ]

      An access user's authentication domain is configured based on the user context profile.

      By default, no authentication domain is configured for access users based on the user context profile.

      NOTE:

      Before performing this operation, run the domain (AAA view) command in the AAA view to create a domain.

    4. Run quit

      Return to the system view.

    5. Run access-author policy policy-name global

      The user authentication event authorization policy is applied globally.

      By default, no user authentication event authorization policy is applied.
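The complete CLI sequence for the VLAN-area scenario described in the Context section, as an added worked example and not a configuration taken from this guide. Two areas are identified by VLAN range: users arriving from the office VLANs get a dedicated pre-authentication scheme, a restrictive fallback scheme on authentication failure or server outage, and the dot1x domain office; users arriving from the lab VLANs get only the restrictive scheme before authentication and are placed in the domain guest for 802.1X and MAC address authentication. The profile names (area-office, area-lab), policy name (ctx-policy), VLAN ranges (10 to 19, 100 to 109), service-scheme names (ss-pre-office, ss-restricted) and domain names (office, guest) are assumptions chosen for illustration. The service-scheme and domain commands are the AAA-view commands that the notes above reference; what each service scheme actually grants is configured inside the scheme and is not shown. The prompts are shown only to indicate the current view.

```text
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme ss-restricted
[HUAWEI-aaa-service-ss-restricted] quit
[HUAWEI-aaa] service-scheme ss-pre-office
[HUAWEI-aaa-service-ss-pre-office] quit
[HUAWEI-aaa] domain office
[HUAWEI-aaa-domain-office] quit
[HUAWEI-aaa] domain guest
[HUAWEI-aaa-domain-guest] quit
[HUAWEI-aaa] quit
[HUAWEI] access-context profile enable
[HUAWEI] access-context profile name area-office
[HUAWEI-access-context-profile-area-office] if-match vlan-id 10 to 19
[HUAWEI-access-context-profile-area-office] quit
[HUAWEI] access-context profile name area-lab
[HUAWEI-access-context-profile-area-lab] if-match vlan-id 100 to 109
[HUAWEI-access-context-profile-area-lab] quit
[HUAWEI] access-author policy name ctx-policy
[HUAWEI-access-author-policy-ctx-policy] match access-context-profile area-office action pre-authen service-scheme ss-pre-office authen-fail service-scheme ss-restricted authen-server-down service-scheme ss-restricted authen-server-up re-authen
[HUAWEI-access-author-policy-ctx-policy] match access-context-profile area-office action access-domain office dot1x
[HUAWEI-access-author-policy-ctx-policy] match access-context-profile area-lab action pre-authen service-scheme ss-restricted authen-fail service-scheme ss-restricted client-no-response service-scheme ss-restricted
[HUAWEI-access-author-policy-ctx-policy] match access-context-profile area-lab action access-domain guest dot1x mac-authen
[HUAWEI-access-author-policy-ctx-policy] quit
[HUAWEI] access-author policy ctx-policy global
```

Two points to keep in mind when adapting this. The rights granted through pre-authen, authen-fail, authen-server-down, client-no-response and portal-server-down apply to users who have not (or not yet) proved their identity, so the service schemes bound to these actions should grant no more than the minimum needed to reach the authentication infrastructure, and the fallback for a higher-security area should be at least as restrictive as that for a lower-security one. Because the device identifies user context by VLAN only, the mapping from context profile to rights is only as trustworthy as the port-to-VLAN binding on the access device: a user moved to a different access VLAN is treated as a user of that area.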

Updated: 2019-08-21

Document ID: EDOC1000141885
