No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
(Optional) Configuring Authentication Event Authorization Information

(Optional) Configuring Authentication Event Authorization Information

Context

If users establish pre-connections with the device or fail to be authenticated, they have no network access rights.

To meet these users' basic network access requirements such as updating the antivirus database and downloading the client, configure authentication event authorization information. The device will assign network access rights to these users based on the authentication phase.

NOTE:

An authorized VLAN cannot be delivered to online Portal users.

During user authorization, if the switch card does not support the authorization mode, the user is online and the authorization information is ignored or the user cannot go online. For CAR, DSCP, Remark, and pushed authorization, if the switch card does not support the authorization mode, the user can go online normally and the authorization information is ignored. For ACL, redirected ACL, VLAN, ISP VLAN, MAC address limiting rules, no right granted in the pre-connection state, and specified access right for MAC address users that have great impact on basic forwarding rights of users, if the switch card does not support the authorization mode, the user cannot go online.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure authorization parameters.

    If users are in the pre-connection phase or fail to be authenticated, or the authentication server is Down, the device can use the VLAN, UCL group, and service scheme to grant network access rights to the users.

    • VLAN

      Configure a VLAN and network resources in the VLAN on the device.

    • UCL group

      1. Run ucl-group group-index [ name group-name ]

        A UCL group is created.

        By default, no UCL group is created.

      2. (Optional) Run ucl-group ip ip-address { mask-length | ip-mask } { group-index | name group-name }

        A static UCL group is created.

        By default, no static UCL group is configured.

      3. Configure a user ACL to filter packets based on the UCL group. For details, see "Configuring a User ACL" in "ACL Configuration" in the S12700 V200R011C10 Configuration Guide - Security.
      4. Use the following methods to process packets:

        • Run traffic-filter inbound acl { acl-number | name acl-name }

          ACL-based packet filtering is configured.

          By default, ACL-based packet filtering is not configured.

        • Run traffic-redirect inbound acl { acl-number | name acl-name } [ vpn-instance vpn-instance-name ] ip-nexthop nexthop-address

          ACL-based packet redirection is configured.

          By default, ACL-based packet redirection is not configured.

    • Service scheme

      1. Run aaa

        The AAA view is displayed.

      2. Run service-scheme service-scheme-name

        A service scheme is created and the service scheme view is displayed.

        By default, no service scheme is configured on the device.

      3. Run ucl-group { group-index | name group-name }

        A UCL group is bound to the service scheme.

        By default, no UCL group is bound to a service scheme.

        Before running this command, ensure that a UCL group that identifies the user category has been created and configured.

      4. Run user-vlan vlan-id

        A user VLAN is configured in the service scheme.

        By default, no user VLAN is configured in a service scheme.

        Before running this command, ensure that a VLAN has been created using the vlan command.

      5. Run voice-vlan

        The voice VLAN function is enabled in the service scheme.

        By default, the voice VLAN function is disabled in a service scheme.

        For this configuration to take effect, ensure that a VLAN has been specified as the voice VLAN using the voice-vlan enable command and the voice VLAN function has been enabled on the interface.

      6. Run qos-profile profile-name

        A QoS profile is bound to the service scheme.

        NOTE:

        The user-queue command is supported only by the X1E series cards.

        By default, no QoS profile is bound to a service scheme.

        Before running this command, ensure that a QoS profile has been configured. The procedure for configuring a QoS profile is as follows:
        1. In the system view, run qos-profile name profile-name

          A QoS profile is created and the QoS profile view is displayed.

        2. Configure traffic policing, packet processing priority, and user queue in the QoS profile view. (Of all parameters in the QoS profile bound to the service scheme, only those configured using the following commands take effect.)
          • Run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] { inbound | outbound }

            Traffic policing is configured in the QoS profile.

            By default, traffic policing is not configured in a QoS profile.

          • Run remark dscp dscp-value { inbound | outbound }

            The action of re-marking DSCP priorities of IP packets is configured in the QoS profile.

            By default, the action of re-marking DSCP priorities of IP packets is not configured in a QoS profile.

          • Run remark 8021p 8021p-value

            The action of re-marking 802.1p priorities of VLAN packets is configured in the QoS profile.

            By default, the action of re-marking 802.1p priorities of VLAN packets is not configured in a QoS profile.

          • Run user-queue pir pir-value [ flow-queue-profile flow-queue-profile-name ] [ flow-mapping-profile flow-mapping-profile-name ]

            A user queue is created in the QoS profile to implement HQoS scheduling.

            By default, no user queue is configured in a QoS profile.

      7. Run quit

        The AAA view is displayed.

      8. Run quit

        The system view is displayed.

  3. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  4. Configure authorization information.

    • Run authentication event pre-authen action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name }

      Network access rights are configured for users who are in the pre-connection phase.

    • Run authentication event authen-fail action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name } [ response-fail ]

      Network access rights are configured for users who fail to be authenticated.

    • Run authentication event authen-server-down action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name } [ response-fail ]

      Network access rights are configured for users when the authentication server is Down.

    By default, no authentication event authorization information is configured.

    NOTE:

    If no network access right is configured for users who fail authentication or when the authentication server is Down, the users establish pre-connections with the device after the authentication fails and then have the network access rights mapping pre-connection users.

    VLAN-based authorization does not apply to the authentication users who access through VLANIF interfaces.

    In 802.1X authentication for wired users, when the RADIUS server is Down, some new clients do not have escape rights. For example, when a new Windows client receives a Success packet from the device but does not receive the authentication packets exchanged with the RADIUS server, the client will fail the authentication and cannot go online. Currently, the following clients have escape rights when they go online for the first time: H3C iNode clients using EAP-MD5 or PEAP and Cisco AnyConnect clients using EAP-FAST or PEAP.

    If authorization upon an authentication server Down event is configured and the device detects that the authentication server is Down, the device grants corresponding network access rights to users who fail to be authenticated, and add the users to entries of users who fail to be authenticated upon an authentication server Down event. If authorization upon an authentication server Down event is not configured and the device detects that the authentication server is Down, the device grants corresponding network access rights to users who fail to be authenticated, and add the users to entries of users who fail to be authenticated.

    The device assigns network access rights based on the priorities of the configured rights in a network status as follows:

    • If the authentication server is Down: network access right upon an authentication server Down event > network access right for users who fail authentication > network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled
    • If users fail authentication: network access right for users who fail authentication > network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled
    • If users are in the pre-connection state: network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled
    • If an 802.1X client does not respond: network access right if an 802.1X client does not respond > network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled

  5. (Optional) Configure the aging time of user entries.

    • Run authentication timer pre-authen-aging aging-time

      The aging time is configured for entries of pre-connection users.

      By default, the aging time is 23 hours for entries of pre-connection users.

    • Run authentication timer authen-fail-aging aging-time

      The aging time is configured for entries of users who fail to be authenticated.

      By default, the aging time is 23 hours for entries of users who fail to be authenticated.

      NOTE:
      You can run the authentication timer authen-fail-aging aging-time command to configure the aging time for entries of users who fail to be authenticated upon an authentication server Down event and entries of users who fail to be authenticated.

Translation
Download
Updated: 2019-10-21

Document ID: EDOC1000178117

Views: 123049

Downloads: 58

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next