No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring Portal Authentication (Using the HTTPS Protocol)

Example for Configuring Portal Authentication (Using the HTTPS Protocol)

Networking Requirements

In Figure 4-24, terminals in a company's visitor area are connected to the company's intranet through the switch. Unauthorized access to the internal network can damage the company's service system and cause leakage of key information. Therefore, the administrator requires that the Switch should control users' network access rights to ensure internal network security.

Because visitors move frequently, Portal authentication is configured and the RADIUS server is used to authenticate user identities.

Figure 4-24  Networking diagram for configuring Portal authentication (using the HTTPS protocol)


  1. Configure AAA.

    # Create and configure the RADIUS server template rd1.

    [Switch] radius-server template rd1
    [Switch-radius-rd1] radius-server authentication 1812
    [Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
    [Switch-radius-rd1] quit

    # Create the AAA authentication scheme abc and set the authentication mode to RADIUS.

    [Switch] aaa
    [Switch-aaa] authentication-scheme abc
    [Switch-aaa-authen-abc] authentication-mode radius
    [Switch-aaa-authen-abc] quit

    # Create the authentication domain, and bind the AAA authentication scheme abc and RADIUS server template rd1 to the domain.

    [Switch-aaa] domain
    [] authentication-scheme abc
    [] radius-server rd1
    [] quit
    [Switch-aaa] quit

    # Check whether a user can pass RADIUS authentication. The test user test and password Huawei2012 have been configured on the RADIUS server.

    [Switch] test-aaa test Huawei2012 radius-template rd1
    Info: Account test succeed.

  2. Configure Portal authentication.

    # Set the NAC mode to unified.

    By default, the unified mode is enabled. After the NAC mode is changed, the device automatically restarts.

    [Switch] authentication unified-mode
    # Configure the SSL policy.
    [Switch] ssl policy abcd
    [Switch-ssl-policy-abcd] certificate load pem-cert cert_rsa_cert.pem key-pair rsa key-file cert_rsa_key.pem auth-code cipher huawei
    [Switch-ssl-policy-abcd] ssl minimum version tls1.0
    [Switch-ssl-policy-abcd] quit

    Before loading a certificate for the SSL policy, ensure that the certificate file and key pair file have been stored on the switch; otherwise, certificate loading will fail. In addition, the certificate file and key pair file must be saved in the subdirectory security under the system root directory. If the subdirectory security does not exist, create it.

    # Enable the Portal interconnection function of the HTTPS protocol.
    [Switch] portal web-authen-server https ssl-policy abcd
    # Configure the Portal server template abc.
    [Switch] web-auth-server abc
    [Switch-web-auth-server-abc] protocol http password-encrypt uam
    [Switch-web-auth-server-abc] http-method post cmd-key cmd1
    [Switch-web-auth-server-abc] url
    [Switch-web-auth-server-abc] quit

    In this example, only the cmd-key parameter in the http-method post command is configured, and other parameters for parsing POST request packets use the default values. However, the parameter values must be the same as those on the Portal server; otherwise, the device fails to communicate with the Portal server.

    # Configure the Portal access profile web1.
    [Switch] portal-access-profile name web1
    [Switch-portal-acces-profile-web1] web-auth-server abc direct
    [Switch-portal-acces-profile-web1] quit

    # Configure the authentication profile p1, bind the Portal access profile web1 to the authentication profile, specify the domain as the forcible authentication domain in the authentication profile, set the user access mode to multi-authen, and set the maximum number of access users to 100.

    [Switch] authentication-profile name p1
    [Switch-authen-profile-p1] portal-access-profile web1
    [Switch-authen-profile-p1] access-domain force
    [Switch-authen-profile-p1] authentication mode multi-authen max-user 100
    [Switch-authen-profile-p1] quit

    In this example, users use static IP addresses. If users obtain IP addresses using DHCP and the DHCP server is on the upstream network of the switch, configure an authentication-free rule to allow packets from the network segment of the DHCP server to pass through. For details on how to configure an authentication-free rule, see (Optional) Configuring Authorization Information for Authentication-free Users.

    In addition, if the URL to the Portal server needs to be resolved by the DNS server and the DNS server is on the upstream network of the Switch, configure an authentication-free rule to allow packets from the network segment of the DNS server to pass through.

    # Bind the authentication profile p1 to GE1/0/1 and enable Portal authentication on the interface.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] authentication-profile p1
    [Switch-GigabitEthernet1/0/1] quit

    # (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets. This function does not take effect for users who use Layer 3 Portal authentication.

    [Switch] access-user arp-detect vlan 10 ip-address mac-address 2222-1111-1234

  3. Verify the configuration.

    1. After a user opens the browser and enters any website address, the user will be redirected to the Portal authentication page. The user then can enter the user name and password for authentication.
    2. If the user name and password are correct, an authentication success message is displayed on the Portal authentication page. The user can access the network.
    3. After users go online, you can run the display access-user access-type portal command on the access device to view information about online Portal authentication users.

Updated: 2019-10-21

Document ID: EDOC1000178117

Views: 118408

Downloads: 55

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next