S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Configuring a Portal Access Profile (for an External Portal Server-Portal Protocol)

Configuring a Portal Access Profile (for an External Portal Server-Portal Protocol)

The device supports external and built-in Portal servers. An external Portal server has independent hardware. A built-in Portal server is an embedded entity on an access device, that is, the access device functions as the Portal server. After receiving a Portal authentication request from a client, the Portal server initiates a Portal authentication request carrying the user name and password to the access device through the Portal protocol.

After configuring the Portal server, you must bind the Portal server profile to a Portal access profile. When users who use the Portal access profile attempt to access charged network resources, they are forcibly redirected to the authentication page of the Portal server for Portal authentication.

This section describes how to configure the Portal server and Portal access profile when using an external Portal server.

NOTE:

Huawei S series modular switches support only external Portal authentication, not built-in Portal authentication. Unless otherwise specified, Portal authentication and a Portal server mentioned in this document refer to external Portal authentication and an external Portal server, respectively.

Configuring a Portal Server

Context

To ensure proper communication between the device and a Portal server for authentication, configure the following information:
  • Portal server template: manages parameters of the Portal server, such as the IP address.
  • Parameters for information exchange with the Portal server: When the device connects to the Portal server, you need to configure information such as the Portal protocol version, to ensure proper communication and security.

Procedure

  • Configure a Portal server template.

    1. Run system-view

      The system view is displayed.

    2. Run web-auth-server server-name

      A Portal server template is created and the Portal server template view is displayed.

      By default, no Portal server template is created.

    3. Run protocol portal

      The protocol used in Portal authentication is set to Portal.

      By default, the Portal protocol is used in Portal authentication.

    4. Run server-ip server-ip-address &<1-10>

      An IP address is configured for the Portal server.

      By default, no IP address is configured for the Portal server.

    5. (Optional) Configure a source IP address for the device to communicate with the Portal server.

      • Run source-ip ip-address

        A source IP address is configured for the device to communicate with the Portal server.

      • Run source-interface interface-type interface-number

        An IP address of the specified interface is configured for the device to communicate with the Portal server.

        By default, no source IP address is configured for the device.

    6. (Optional) Run port port-number [ all ]

      A destination port number is configured for the device to send packets to the Portal server.

      By default, the device uses the destination port number 50100 to send packets to the Portal server.

    7. Run shared-key cipher key-string

      A shared key is configured for the device to exchange information with the Portal server.

      By default, no shared key is configured.

    8. Run vpn-instance vpn-instance-name

      A VPN instance is configured for the device to communicate with the Portal server.

      By default, no VPN instance is configured for the device to communicate with the Portal server.

    9. (Optional) Run web-redirection disable

      The Portal authentication redirection function is disabled.

      By default, the Portal authentication redirection function is enabled.

      The device redirects all unauthenticated users to the Portal authentication page when the users send access requests to external networks. If users are expected to enter the URL of the authentication page manually, run the web-redirection disable command so that unauthenticated users are not forcibly redirected to the Portal authentication page.

    10. Configure the URL of the Portal server.

      You can bind a URL or a URL template to a Portal server template. Compared with URL binding, URL template binding allows you to configure the redirection URL of the Portal server and configure the URL to carry parameters related to users or the access device. The Portal server then can obtain user terminal information based on parameters carried in the URL and provide different Portal authentication pages for different users. You can choose URL binding mode or URL template binding mode based on actual requirements.

      • URL binding mode

        Run url url-string

        A URL is configured for the Portal server.

        By default, no URL is configured for the Portal server.

      • URL template binding mode

        1. Create and configure a URL template.

          1. Run quit

            Return to the system view.

          2. Run url-template name template-name

            A URL template is created and the URL template view is displayed.

            By default, no URL template is created on the device.

          3. Run url [ redirect-only ] url-string [ ssid ssid ]

            A redirection URL is configured for the Portal server.

            By default, no redirection URL is configured for the Portal server.

          4. Run url-parameter { ac-ip ac-ip-value | ac-mac ac-mac-value | ap-ip ap-ip-value | ap-mac ap-mac-value | login-url url-key url | redirect-url redirect-url-value | ssid ssid-value | sysname sysname-value | user-ipaddress user-ipaddress-value | user-mac user-mac-value } *

            Parameters carried in the URL are configured.

            By default, a URL does not carry parameters.

          5. Run url-parameter mac-address format delimiter delimiter { normal | compact }

            The MAC address format in the URL is configured.

            By default, the MAC address format in a URL is XXXXXXXXXXXX.

          6. Run parameter { start-mark parameter-value | assignment-mark parameter-value | isolate-mark parameter-value } *

            Characters in the URL are configured.

            By default, the start character in a URL is a question mark (?), the assignment character is an equal sign (=), and the delimiter between parameters is an ampersand (&).

          7. Run quit

            Return to the system view.

        2. Run web-auth-server server-name

          The Portal server template view is displayed.

        3. Run url-template url-template [ ciphered-parameter-name ciphered-parameter-name iv-parameter-name iv-parameter-name key cipher key-string ]

          The URL template is bound to the Portal server template.

          By default, no URL template is bound to a Portal server template.

          NOTE:

          The device supports encryption of parameter information in the URL template only when it connects to the Huawei Agile Controller-Campus.

  • Configure parameters for information exchange with the Portal server.

    • Run system-view

      The system view is displayed.

    • Run web-auth-server version v2 [ v1 ]

      Portal protocol versions supported by the device are configured.

      By default, the device supports Portal protocol v1 and v2.

      NOTE:

      The default setting is recommended to ensure proper communication; that is, the device supports both versions.

    • Run web-auth-server listening-port port-number

      The number of the port on which the device listens for Portal packets is configured.

      By default, the device listens for Portal packets on port 2000.

    • Run web-auth-server reply-message

      The device is enabled to transparently transmit user authentication information received from the authentication server to the Portal server.

      By default, the device transparently transmits users' authentication responses sent by the authentication server to the Portal server.

    • Run portal https-redirect enable

      HTTPS redirection of Portal authentication is enabled.

      By default, HTTPS redirection is disabled for Portal authentication users.

      NOTE:
      • If Portal authentication is triggered when a user visits a website using HTTPS, the browser displays a security prompt. The user needs to click Continue to complete Portal authentication.
      • Redirection cannot be performed for browsers or websites using HTTP Strict Transport Security (HSTS).
      • If the destination port in HTTPS request packets sent by users is not the well-known port (443), redirection cannot be performed.
      • This function takes effect only for new Portal authentication users.
      • This function takes effect only after the Portal server template is created or the IP address of the built-in Portal server is configured.
    • Run portal logout resend times timeout period

      The number of times that the device retransmits offline packets of Portal authentication users and the retransmission interval are configured.

      By default, the device retransmits offline packets of Portal authentication users three times at an interval of five seconds.

    • Run portal logout different-server enable

      The device is enabled to process user logout requests sent by a Portal server other than the one from which users log in.

      By default, a device does not process user logout requests sent by Portal servers other than the one from which users log in.
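As an added example (not from the Huawei guide), the following Python model shows how the settings made in the URL template of step 10 (url, url-parameter, the mac-address format, and the start/assignment/isolate marks) shape the redirection URL a client receives. The two-digit (normal) and four-digit (compact) MAC groupings, the parameter names, and the percent-encoding of the original URL are assumptions about device behaviour, not something the page states.

```python
"""Model of how a Huawei URL template assembles a Portal redirection URL.

Added example, not device code. The parameter names, the normal/compact MAC
groupings and the percent-encoding of values are assumptions based on the
command syntax shown in the configuration guide.
"""
from dataclasses import dataclass, field
from urllib.parse import quote

MAC_KEYS = ("user-mac", "ac-mac", "ap-mac")


@dataclass
class UrlTemplate:
    url: str                                     # url url-string
    params: dict = field(default_factory=dict)   # url-parameter <key> <name>, in order
    start_mark: str = "?"                        # parameter start-mark (default ?)
    assignment_mark: str = "="                   # parameter assignment-mark (default =)
    isolate_mark: str = "&"                      # parameter isolate-mark (default &)
    mac_delimiter: str = ""                      # url-parameter mac-address format delimiter
    mac_style: str = "normal"                    # normal | compact (assumed 2- vs 4-digit groups)


def format_mac(raw: str, delimiter: str, style: str) -> str:
    """Render a MAC address the way the template's mac-address format asks for.

    With no delimiter the default XXXXXXXXXXXX form is kept. Otherwise 'normal'
    is assumed to group two hex digits and 'compact' four hex digits.
    """
    hexdigits = raw.replace(":", "").replace("-", "").replace(".", "").upper()
    if len(hexdigits) != 12 or any(c not in "0123456789ABCDEF" for c in hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    if not delimiter:
        return hexdigits
    width = 2 if style == "normal" else 4
    return delimiter.join(hexdigits[i:i + width] for i in range(0, 12, width))


def build_redirect_url(tpl: UrlTemplate, session: dict) -> str:
    """Build the URL the access device would redirect an unauthenticated user to.

    `session` holds the per-user / per-device values the template references
    (user-ipaddress, user-mac, ac-ip, redirect-url, ...). Every value is
    percent-encoded so that a user-controlled original URL carrying '&' or '='
    cannot inject or split parameters in the redirection URL.
    """
    parts = []
    for key, name in tpl.params.items():
        value = str(session[key])
        if key in MAC_KEYS:
            value = format_mac(value, tpl.mac_delimiter, tpl.mac_style)
        parts.append(f"{name}{tpl.assignment_mark}{quote(value, safe='')}")
    if not parts:
        return tpl.url          # no url-parameter configured: bare URL
    return tpl.url + tpl.start_mark + tpl.isolate_mark.join(parts)


# Constructed sample values (not from any real deployment).
SAMPLE_SESSION = {
    "user-ipaddress": "10.1.1.23",
    "user-mac": "00e0fc123456",
    "ac-ip": "10.1.1.1",
    "redirect-url": "http://example.com/a?x=1&y=2",
}

SAMPLE_TEMPLATE = UrlTemplate(
    url="http://portal.example.com/login",
    params={"user-ipaddress": "userip", "user-mac": "usermac", "redirect-url": "original"},
    mac_delimiter="-",
    mac_style="normal",
)

if __name__ == "__main__":
    print(build_redirect_url(SAMPLE_TEMPLATE, SAMPLE_SESSION))
```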

(Optional) Configuring the Portal Server Detection Function

Context

In a Portal authentication deployment, if communication between the device and the Portal server is interrupted by a network failure or a Portal server failure, new Portal authentication users cannot go online, and online Portal users cannot go offline normally.

The Portal server detection function enables the device to generate logs and alarms for network faults and Portal server faults.

When two Portal servers work in active/standby mode or the Portal escape function is configured, enable the Portal server detection function on the device.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run web-auth-server server-name

    The Portal server profile view is displayed.

  3. Run server-detect [ interval interval-period | max-times times | critical-num critical-num | action { log | trap } * ] *

    The Portal server detection function is enabled.

    By default, the Portal server detection function is disabled.

(Optional) Configuring Synchronization of Portal Authentication User Information

Context

In a Portal authentication deployment, if communication between the device and the Portal server is interrupted by a network failure or a Portal server failure, online Portal users cannot go offline normally. As a result, user information on the device may differ from that on the Portal server, causing inaccurate accounting.

The user information synchronization mechanism keeps user information consistent between the Portal server and the device, so that accounting can be performed accurately.

NOTE:

For Layer 3 Portal authentication, the device currently can synchronize user information with the Huawei Agile Controller-Campus server. If the device connects to other Portal servers, user information may fail to be synchronized and users cannot go offline in real time. You can run the cut access-user command or use the NMS or RADIUS DM to force users to go offline.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run web-auth-server server-name

    The Portal server profile view is displayed.

  3. Run user-sync [ interval interval-period | max-times times ] *

    User information synchronization is enabled.

    By default, user information synchronization is disabled.

Creating a Portal Access Profile

Context

The device uses Portal access profiles to uniformly manage the access configurations of all Portal users. Before configuring Portal authentication, you need to create a Portal access profile.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal-access-profile name access-profile-name

    A Portal access profile is created and the Portal access profile view is displayed.

    By default, the device has the built-in Portal access profile portal_access_profile.

    NOTE:
    • The compatibility profile converted after an upgrade is not counted in the configuration specification. The built-in portal access profile portal_access_profile can be modified and applied, but cannot be deleted.
    • Before deleting a portal access profile, ensure that this profile is not bound to any authentication profile.

Configuring a Portal Server for a Portal Access Profile

Context

To use Portal authentication, you need to configure the Portal server function and the Portal server used in the Portal access profile. When users who use the Portal access profile attempt to access charged network resources, they are forcibly redirected to the authentication page of the Portal server for Portal authentication.

A Portal server profile defines parameters of the Portal server. You need to configure a Portal server for the Portal access profile, that is, bind a Portal server profile to the Portal access profile.

To improve Portal authentication reliability, the backup Portal server profile can also be bound to the Portal access profile. When the primary Portal server is disconnected, the users are redirected to the backup Portal server for authentication. This function can take effect only when the Portal server detection function is enabled using the server-detect command and heartbeat detection is enabled on the Portal server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal-access-profile name access-profile-name

    A Portal access profile is created and the Portal access profile view is displayed.

  3. Run web-auth-server server-name [ bak-server-name ] { direct | layer3 }

    A Portal server profile is bound to the Portal access profile.

    By default, no Portal server profile is bound to a Portal access profile.

    The following Portal authentication modes are available:
    • direct: When there is no Layer 3 forwarding device between the device and a user, the device can learn the user's MAC address. You can configure the Layer 2 authentication mode so that the device can identify the user using the IP address and MAC address.
    • layer3: When there is a Layer 3 forwarding device between the device and a user, the device cannot learn the user's MAC address and can only identify the user using the IP address. You need to configure the Layer 3 authentication mode.

  4. Run portal auth-network network-address { mask-length | mask-address }

    The source subnet is set for Portal authentication.

    By default, the source authentication subnet is 0.0.0.0/0, indicating that users in all subnets must pass Portal authentication.

    The command takes effect only for Layer 3 Portal authentication. In Layer 2 Portal authentication, users on all subnets must be authenticated.

(Optional) Configuring the User Offline Detection Interval

Context

If a Portal authentication user goes offline because of a power failure or network interruption, the device and Portal server may still store the user's information, which leads to incorrect accounting. In addition, only a limited number of users can access the device. If a user goes offline improperly but the device still stores the user's information, other users cannot access the network.

After the offline detection interval is set for Portal authentication users, if a user does not respond within the interval, the device considers the user offline. The device and Portal server then delete the user information and release the occupied resources to ensure efficient resource use.

NOTE:

This function applies only to Layer 2 Portal authentication.

The heartbeat detection function of the authentication server can be used to ensure the normal online status of PC users for whom Layer 3 Portal authentication is used. If the authentication server detects that a user goes offline, it instructs the device to disconnect the user.

If the number of offline detection packets (ARP packets) exceeds the default CAR value, the detection fails and the users are logged out. You can run the display cpu-defend statistics command to check whether ARP request and response packets are being lost. To resolve the problem, the following methods are recommended:
  • Increase the detection interval based on the number of users. The default detection interval is recommended when there are fewer than 8000 users; the detection interval should be no less than 600 seconds when there are more than 8000 users.
  • Deploy the port attack defense function on the access device and limit the rate of packets sent to the CPU.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal-access-profile name access-profile-name

    The Portal access profile view is displayed.

  3. Run portal timer offline-detect time-length

    The interval for detecting Portal authentication user logout is set.

    By default, the interval for detecting Portal authentication user logout is 300s. The value 0 indicates that offline detection is not performed.

(Optional) Configuring the Portal Escape Function

Context

If the Portal server is Down, users cannot pass the authentication and thereby have no network access right. The Portal escape function allows the access device to grant specified network access rights to users when it detects that the Portal server is Down, meeting basic network access requirements.

NOTE:

If the device functions as an AC, the Portal escape function for wireless users takes effect only when Fit APs running V200R007C00 and later versions are used.

Only Portal authentication users whose authentication is triggered by HTTP messages support this function.

An authorized VLAN cannot be delivered to online Portal users.

The Portal escape function does not take effect when wired users perform Layer 3 Portal authentication.

Pre-configuration Tasks

Before configuring the Portal escape function, complete the following tasks:
  1. Enable the heartbeat detection function on the Portal server.
  2. Enable the Portal server detection function on the access device. For details about the configuration, see (Optional) Configuring the Portal Server Detection Function.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure authorization parameters.

    • UCL group

      1. Run ucl-group group-index [ name group-name ]

        A UCL group is created.

        By default, no UCL group is created.

      2. (Optional) Run ucl-group ip ip-address { mask-length | ip-mask } { group-index | name group-name }

        A static UCL group is created.

        By default, no static UCL group is configured.

      3. Configure a user ACL to filter packets based on the UCL group. For details, see "Configuring a User ACL" in "ACL Configuration" in the S12700 V200R011C10 Configuration Guide - Security.
      4. Use the following methods to process packets:

        • Run traffic-filter inbound acl { acl-number | name acl-name }

          ACL-based packet filtering is configured.

          By default, ACL-based packet filtering is not configured.

        • Run traffic-redirect inbound acl { acl-number | name acl-name } [ vpn-instance vpn-instance-name ] ip-nexthop nexthop-address

          ACL-based packet redirection is configured.

          By default, ACL-based packet redirection is not configured.

    • Service scheme

      1. Run aaa

        The AAA view is displayed.

      2. Run service-scheme service-scheme-name

        A service scheme is created and the service scheme view is displayed.

        By default, no service scheme is configured on the device.

      3. Run ucl-group { group-index | name group-name }

        A UCL group is bound to the service scheme.

        By default, no UCL group is bound to a service scheme.

        Before running this command, ensure that a UCL group that identifies the user category has been created and configured.

      4. Run user-vlan vlan-id

        A user VLAN is configured in the service scheme.

        By default, no user VLAN is configured in a service scheme.

        Before running this command, ensure that a VLAN has been created using the vlan command.

      5. Run voice-vlan

        The voice VLAN function is enabled in the service scheme.

        By default, the voice VLAN function is disabled in a service scheme.

        For this configuration to take effect, ensure that a VLAN has been specified as the voice VLAN using the voice-vlan enable command and the voice VLAN function has been enabled on the interface.

      6. Run qos-profile profile-name

        A QoS profile is bound to the service scheme.

        NOTE:

        The user-queue command is supported only by the X1E series cards.

        By default, no QoS profile is bound to a service scheme.

        Before running this command, ensure that a QoS profile has been configured. The procedure for configuring a QoS profile is as follows:
        1. In the system view, run qos-profile name profile-name

          A QoS profile is created and the QoS profile view is displayed.

        2. Configure traffic policing, packet processing priority, and user queue in the QoS profile view. (Of all parameters in the QoS profile bound to the service scheme, only those configured using the following commands take effect.)
          • Run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] { inbound | outbound }

            Traffic policing is configured in the QoS profile.

            By default, traffic policing is not configured in a QoS profile.

          • Run remark dscp dscp-value { inbound | outbound }

            The action of re-marking DSCP priorities of IP packets is configured in the QoS profile.

            By default, the action of re-marking DSCP priorities of IP packets is not configured in a QoS profile.

          • Run remark 8021p 8021p-value

            The action of re-marking 802.1p priorities of VLAN packets is configured in the QoS profile.

            By default, the action of re-marking 802.1p priorities of VLAN packets is not configured in a QoS profile.

          • Run user-queue pir pir-value [ flow-queue-profile flow-queue-profile-name ] [ flow-mapping-profile flow-mapping-profile-name ]

            A user queue is created in the QoS profile to implement HQoS scheduling.

            By default, no user queue is configured in a QoS profile.

      7. Run quit

        The AAA view is displayed.

      8. Run quit

        The system view is displayed.

  3. Run portal-access-profile name access-profile-name

    The Portal access profile view is displayed.

  4. Run authentication event portal-server-down action authorize { service-scheme service-scheme-name | ucl-group ucl-group-name }

    Network access rights are configured for users to use when the Portal server is Down.

    By default, no network access right is configured for users to use when the Portal server is Down.

  5. (Optional) Run authentication event portal-server-up action re-authen

    The device is enabled to re-authenticate users when the Portal server changes from Down to Up.

    By default, the device does not re-authenticate users when the Portal server changes from Down to Up.

    If you perform this step, the access device re-authenticates users when it detects that the Portal server changes from Down to Up. The access device sets the status of users displayed as web-server-down to pre-connection. The re-authentication process starts when these users visit any web page. If the authentication is successful, the access device grants normal network access rights to the users.

Verifying the Configuration

  • Run the display portal-access-profile configuration [ name access-profile-name ] command to check authorization information configured for the Portal escape function.

Verifying the Portal Server Profile and Portal Access Profile Configuration

Context

After configuring a Portal server profile and a Portal access profile, run the following commands to check the configuration.

Procedure

  • Run the display portal-access-profile configuration [ name access-profile-name ] command to check the configuration of the Portal access profile.
  • Run the display portal [ interface interface-type interface-number ] command to view information about Portal authentication.
  • Run the display portal user-logout [ ip-address ip-address [ vpn-instance vpn-instance-name ] ] command to check the temporary logout entries of Portal authentication users.
  • Run the display web-auth-server configuration command to check the configuration of the Portal server profile.
  • Run the display url-template { all | name template-name } command to check the configuration of the URL profile.
  • Run the display server-detect state [ web-auth-server server-name ] command to view the status of a Portal server.
Updated: 2019-10-21

Document ID: EDOC1000178117
