S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
(Optional) Configuring Authorization Information for Authentication-free Users

Context

Before being authenticated, users need to obtain some network access rights to meet basic network access requirements such as downloading the 802.1X client and updating antivirus database. The device uses an authentication-free rule profile to uniformly manage authorization information for authentication-free users. You can define some network access rules in the profile to determine network access rights that can be obtained by authentication-free users. You need to bind a configured authentication-free rule profile to an authentication profile. Users using the authentication profile then can obtain authentication-free authorization information.

An authentication-free rule can be a common authentication-free rule or defined by an ACL. A common authentication-free rule is determined by parameters such as IP address, MAC address, interface, and VLAN. An authentication-free rule defined by an ACL is determined by the ACL rule (configured using the rule command). The destination IP address that users can access without authentication can be specified in an authentication-free rule defined by either of the two methods. In addition, the destination domain name that users can access without authentication can be specified in an authentication-free rule defined by an ACL.

Compared with an authentication-free rule defined by IP address, one defined by domain name is sometimes simpler and more convenient. For example, some users who do not yet have an authentication account must first log in to the carrier's official website and apply for a member account, or log in using an account from a third party such as Twitter or Facebook. This requires that the users can access specified websites before successful authentication. A website's domain name is easier to remember than its IP address; therefore, an authentication-free rule defined by ACL can be configured to let users access the websites' domain names without authentication.

NOTE:
Pay attention to the following when you use common authentication-free rules:
  • When multiple authentication-free rules are configured simultaneously, the system matches the rules one by one.
  • In a wireless scenario or an SVF system, only the authentication-free rules with IDs in the range of 0 to 127 on the AP or AS can take effect. On the AC or parent, all configured authentication-free rules take effect.
  • In a wireless scenario, the VLAN ID and interface number cannot be specified in authentication-free rules configured on an AP. You are advised to set the authentication-free rule ID to 128 or a larger value when specifying the VLAN ID and interface number.
  • In an SVF system, interface information in an authentication-free rule is invalid.
  • If you specify both the VLAN ID and interface number in an authentication-free rule, the interface must belong to the VLAN. Otherwise, the rule is invalid.
  • If the destination port number is configured in an authentication-free rule, fragments cannot match the rule and packets cannot be forwarded.
  • Before user authentication, DHCP, CAPWAP, ARP, and HTTP packets can be forwarded directly and need no authentication-free rule. Other packets that need to be forwarded require authentication-free rules. When the packets need to be processed locally, authentication-free rules need to be configured only on the X series cards.
    • DHCP packet: If authentication and DHCP are enabled on an interface, authentication can be triggered by DHCP packets and the switch acts as the DHCP relay or DHCP server to forward or process DHCP packets. If only authentication is configured on the interface and the DHCP function is not configured, authentication can be triggered by DHCP packets and the switch broadcasts the DHCP packets.
    • CAPWAP packet: CAPWAP packets are classified into control packets and data packets. Generally, NAC is still effective for CAPWAP data packets after they are decapsulated, and the authentication-free rule takes effect (except for ARP and DHCP packets that are encapsulated in CAPWAP data packets). CAPWAP control packets are sent to the CPU for processing (such as in SVF and wireless scenarios). If authentication is enabled on the physical interface connected to an AP, you need to configure an authentication-free rule to transmit packets from the management VLAN. In this scenario, the server may be overloaded by repeated re-authentication. Therefore, this scenario is not recommended.
    • ARP packet: No authentication-free rule needs to be configured for ARP packets, which can be directly processed or forwarded.
    • HTTP packet: If Portal authentication is enabled on an interface and the destination URL of HTTP packets is not the URL of the Portal server, the switch redirects HTTP packets to the Portal server for authentication.
Pay attention to the following when you define authentication-free rules by ACL:
  • Authentication-free rules based on domain names are valid for only wireless users.
  • When SVF is enabled, authentication-free rules cannot be delivered to an AS.
  • When multiple authentication-free rules are configured at the same time, only the last one takes effect.
  • An authentication-free rule can be dynamically modified. The authentication-free rule does not differentiate the deny or permit action of the ACL rule (configured using the rule command) and uniformly performs the permit action. The ACL rule number ranges from 0 to 127.
  • If multiple domain names correspond to the same IP address and one matches the authentication-free rule, other domain names also match the authentication-free rule.

During Portal authentication configuration, you need to allow packets destined for the DNS server to pass through before Portal authentication succeeds. For example, if the IP address of the DNS server is 10.1.1.1, run the free-rule 1 destination ip 10.1.1.1 mask 32 command in the authentication-free rule profile view.

Prerequisites

  • To use the authentication-free rule defined by ACL: an ACL rule has been configured using the rule command. This ACL rule can be based on an IP address or a domain name. If the rule is defined by IP address, the source and destination parameters can be configured; if the rule is defined by domain name, only the destination parameter can be configured.
    NOTE:
    If the user ACL is created using a name (specified by acl-name), a name-based ACL has been created and the ACL number (6000-6031) has been specified using the acl name acl-name acl-number command.
  • When configuring authentication on a physical interface, you must run the authentication pre-authen-access enable command to enable the pre-connection function.

Procedure

  1. Configure an authentication-free rule profile.

    1. Run system-view

      The system view is displayed.

    2. Run free-rule-template name free-rule-template-name

      An authentication-free rule profile is created and the authentication-free rule profile view is displayed.

      By default, the device has a built-in authentication-free rule profile named default_free_rule.

      NOTE:

      Currently, the device supports only one authentication-free rule profile, that is, the built-in profile default_free_rule.

    3. Configure an authentication-free rule.

      • Run free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } [ tcp destination-port port | udp destination-port port ] | any } } | source { any | { interface interface-type interface-number | ip { ip-address mask { mask-length | ip-mask } | any } | vlan vlan-id } * } } *

        A common authentication-free rule is configured.

      • Run free-rule acl { acl-id | acl-name acl-name }

        An authentication-free rule defined by ACL is configured.

      By default, no authentication-free rule is configured for NAC authentication users.

    4. Run quit

      Return to the system view.

  2. Bind the authentication-free rule profile to the authentication profile.

    1. Run authentication-profile name authentication-profile-name

      The authentication profile view is displayed.

    2. Run free-rule-template free-rule-template-name

      Bind the authentication-free rule profile to the authentication profile.

      By default, no authentication-free rule profile is bound to an authentication profile.

    NOTE:

    For wireless users, the configured authentication-free rule in an authentication-free rule profile takes effect only after the profile is bound to an authentication profile using the free-rule-template (authentication profile view) command in the authentication profile view.

    For wired users, an authentication-free rule profile takes effect for all wired users after it is created in the system view. The authentication-free rule profile does not need to be bound to an authentication profile using the free-rule-template (authentication profile view) command in the authentication profile view.

Follow-up Procedure

The domain name specified in an ACL only supports dynamic DNS resolution. Therefore, when you define the authentication-free rule by domain name, configure dynamic DNS resolution on the device and enable users to access the DNS server without authentication. The steps are as follows:
  1. Run the dns resolve command in the system view to enable dynamic DNS resolution.
  2. Run the dns server ip-address command in the system view to specify an IP address for the DNS server.
  3. Run the free-rule rule-id destination ip ip-address mask { mask-length | ip-mask } command in the authentication-free rule profile to enable users to access the DNS server without authentication.
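As an added example (not from this guide or from Huawei), a Python script that parses free-rule lines in the syntax shown above and checks them against the notes in the Context section and the follow-up procedure: that each configured DNS server is reachable through an authentication-free rule, that no rule depends on a destination port (fragments would not match), that wireless rules carrying a VLAN or interface use an ID of 128 or higher, that an interface belongs to the VLAN it is combined with, and that only one ACL-based rule is present. The sample configuration and the VLAN membership table are constructed.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample, not from a real device: a free-rule profile plus the dns server lines it depends on.
SAMPLE_CONFIG = """\
dns server 10.1.1.1
dns server 10.1.1.2
free-rule-template name default_free_rule
 free-rule 1 destination ip 10.1.1.1 mask 32
 free-rule 2 destination ip 10.1.2.10 mask 255.255.255.255 tcp destination-port 8443
 free-rule 5 source interface GigabitEthernet1/0/1 vlan 20
 free-rule acl 6000
 free-rule acl 6001
"""
VLAN_MEMBERS = {20: {"GigabitEthernet1/0/2"}}  # constructed; on a device this comes from the port config

def parse(config):  # DNS server addresses and one dict per free-rule line
    dns, rules = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("dns server "):
            dns.append(line.split()[2])
        elif line.startswith("free-rule acl "):
            rules.append({"acl": line.split()[2]})
        elif line.startswith("free-rule "):
            rule = {"id": int(line.split()[1])}
            for key, pat in (("dst", r"destination ip (\S+ mask \S+)"), ("vlan", r"vlan (\d+)"),
                             ("port", r"(?:tcp|udp) destination-port (\d+)"), ("interface", r"interface (\S+)")):
                if m := re.search(pat, line):
                    rule[key] = m.group(1)
            rules.append(rule)
    return dns, rules

def review(config, wireless=False, vlan_members=VLAN_MEMBERS):  # findings from the notes above
    dns, rules = parse(config)
    findings = []
    nets = [ip_network(r["dst"].replace(" mask ", "/"), strict=False) for r in rules if "dst" in r]
    for server in dns:  # a domain-name rule is useless if DNS itself is blocked before authentication
        if not any(ip_address(server) in net for net in nets):
            findings.append(f"DNS server {server} has no authentication-free rule")
    for r in rules:
        if "port" in r:  # fragments carry no L4 header, so they cannot match a port-specific rule
            findings.append(f"rule {r['id']}: destination port set, fragments will not match")
        if wireless and r.get("id", 0) <= 127 and ("vlan" in r or "interface" in r):
            findings.append(f"rule {r['id']}: VLAN/interface is ignored on APs, use ID 128 or higher")
        if "vlan" in r and "interface" in r and r["interface"] not in vlan_members.get(int(r["vlan"]), set()):
            findings.append(f"rule {r['id']}: {r['interface']} is not in VLAN {r['vlan']}, rule is invalid")
    acls = [r["acl"] for r in rules if "acl" in r]
    if len(acls) > 1:  # only the last ACL-based rule takes effect
        findings.append(f"only free-rule acl {acls[-1]} takes effect; {', '.join(acls[:-1])} ignored")
    return findings
```

Passing wireless=True adds the AP-specific ID check; passing a corrected vlan_members table removes the interface/VLAN finding.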

(Optional) Configuring Voice Terminals to Go Online Without Authentication

Context

In a scenario in which both data terminals (such as PCs) and voice terminals (such as IP phones) connect to an access switch, the administrator only requires identity authentication for the data terminals and allows the voice terminals to connect to the network without identity authentication. The administrator can configure authentication-free authorization information for the voice terminals after completing the NAC configuration. The switch then performs identity authentication for only the data terminals and allows the voice terminals to go online without authentication.

NOTE:

If an 802.1X user initiates authentication through a voice terminal, a device preferentially processes the authentication request. If the authentication succeeds, the terminal obtains the corresponding network access rights. If the authentication fails, the device identifies the terminal type and enables the terminal to go online without authentication.

Pre-configuration Tasks

To enable the switches to identify the voice terminals, enable LLDP or configure OUI for the voice VLAN on the switches. For details, see "Configuring Basic LLDP Functions" in "LLDP Configuration" in the S12700 V200R011C10 Configuration Guide - Network Management and Monitoring or "Configuring a Voice VLAN Based on a MAC Address" in "Voice VLAN Configuration" in the S12700 V200R011C10 Configuration Guide - Ethernet Switching. If a voice device supports only CDP but does not support LLDP, configure CDP-compatible LLDP on the switch using the lldp compliance cdp receive command.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure authorization parameters.

    • Service scheme

      1. Run aaa

        The AAA view is displayed.

      2. Run service-scheme service-scheme-name

        A service scheme is created and the service scheme view is displayed.

        By default, no service scheme is configured on the device.

      3. Run ucl-group { group-index | name group-name }

        A UCL group is bound to the service scheme.

        By default, no UCL group is bound to a service scheme.

        Before running this command, ensure that a UCL group that identifies the user category has been created and configured.

      4. Run user-vlan vlan-id

        A user VLAN is configured in the service scheme.

        By default, no user VLAN is configured in a service scheme.

        Before running this command, ensure that a VLAN has been created using the vlan command.

      5. Run voice-vlan

        The voice VLAN function is enabled in the service scheme.

        By default, the voice VLAN function is disabled in a service scheme.

        For this configuration to take effect, ensure that a VLAN has been specified as the voice VLAN using the voice-vlan enable command and the voice VLAN function has been enabled on the interface.

      6. Run qos-profile profile-name

        A QoS profile is bound to the service scheme.

        NOTE:

        The user-queue command is supported only by the X1E series cards.

        By default, no QoS profile is bound to a service scheme.

        Before running this command, ensure that a QoS profile has been configured. The procedure for configuring a QoS profile is as follows:
        1. In the system view, run qos-profile name profile-name

          A QoS profile is created and the QoS profile view is displayed.

        2. Configure traffic policing, packet processing priority, and user queue in the QoS profile view. (Of all parameters in the QoS profile bound to the service scheme, only those configured using the following commands take effect.)
          • Run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] { inbound | outbound }

            Traffic policing is configured in the QoS profile.

            By default, traffic policing is not configured in a QoS profile.

          • Run remark dscp dscp-value { inbound | outbound }

            The action of re-marking DSCP priorities of IP packets is configured in the QoS profile.

            By default, the action of re-marking DSCP priorities of IP packets is not configured in a QoS profile.

          • Run remark 8021p 8021p-value

            The action of re-marking 802.1p priorities of VLAN packets is configured in the QoS profile.

            By default, the action of re-marking 802.1p priorities of VLAN packets is not configured in a QoS profile.

          • Run user-queue pir pir-value [ flow-queue-profile flow-queue-profile-name ] [ flow-mapping-profile flow-mapping-profile-name ]

            A user queue is created in the QoS profile to implement HQoS scheduling.

            By default, no user queue is configured in a QoS profile.

      7. Run quit

        The AAA view is displayed.

      8. Run quit

        The system view is displayed.

  3. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  4. Run authentication device-type voice authorize [ service-scheme scheme-name ]

    The device is configured to allow voice terminals to go online without authentication.

    By default, the device does not allow voice terminals to go online without authentication.

    NOTE:

    If you run this command repeatedly, the latest configuration overrides the previous ones.

Updated: 2019-10-21

Document ID: EDOC1000178117