
CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
(Optional) Configuring NAC Extended Functions

Configuring Extended Functions Related to 802.1X Authentication

Configuring the Interval for Sending 802.1X Authentication Requests

Context

The device starts the tx-period timer (specifying the interval for sending 802.1X authentication requests) in either of the following situations:
  • When a client initiates authentication, the device sends a unicast Request/Identity packet to the client and starts the tx-period timer. If the client does not respond within the period set by the timer, the device retransmits the authentication request.
  • To authenticate the 802.1X clients that cannot initiate authentication, the device periodically sends multicast Request/Identity packets through the 802.1X-enabled interface to the clients at the interval set by the tx-period timer.
If a request packet has been sent for the maximum number of times (configured using the dot1x retry max-retry-value command) and no response is received from the client, the device stops sending the request packet.

Generally, if the client fails to be authenticated, the device starts a backup mechanism (Portal authentication or granting specified access permission), so that the client can continue to access the network. If MAC address bypass authentication is disabled, the value of the timeout timer for EAP-Request/Identity packets is calculated as follows:

Timer value = (max-retry-value + 1) x tx-period-value

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dot1x timer tx-period tx-period-value

    The interval for sending 802.1X authentication requests is configured.

    By default, the device sends 802.1X authentication requests at an interval of 30 seconds.

Configuring 802.1X-based Fast Deployment

Context

On an 802.1X network, the administrator faces a heavy workload downloading and upgrading 802.1X client software for each client. The authentication-free network access and URL redirection functions can be configured to deploy 802.1X clients quickly.

Before an 802.1X authentication is successful, the client is allowed to access authentication-free resources. After URL redirection is configured and the server providing URL redirection belongs to the authentication-free resources, the device changes the URL address entered by a user to the specified URL (for example, the URL address of the 802.1X client download page). Therefore, the 802.1X client can be quickly configured.

Prerequisite

The server providing the URL redirection service has been configured as an authentication-free resource by following (Optional) Configuring Authentication Event Authorization Information or (Optional) Configuring Authorization Information for Authentication-free Users.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dot1x url url-string

    The URL redirection for 802.1X authentication is configured.

    By default, URL redirection for 802.1X authentication is not configured.

Configuring Extended Functions Related to Portal Authentication

Configuring CNA Bypass for iOS Terminals

Context

The iOS operating system provides the Captive Network Assistant (CNA) function. With the CNA function, iOS terminals (including iPhone, iPad, and iMac) automatically detect network connectivity after associating with a wireless network. If the network connection cannot be set up, the iOS terminals ask users to enter user names and passwords. If users do not enter the user names and passwords, the iOS terminals automatically disconnect from the wireless network.

However, Portal authentication allows users to access certain resources before authentication is successful. If the iOS terminals are disconnected, users cannot access the specified resources. The CNA bypass function addresses this problem. If the users do not enter user names and passwords immediately, the CNA bypass function keeps the iOS terminals online before the Portal authentication is successful. Therefore, the iOS users are allowed to access authentication-free resources.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal captive-bypass enable

    The CNA bypass function is enabled for iOS terminals.

    By default, the CNA bypass function is disabled for iOS terminals.

Configuring the CNA Adaptive Function for iOS Terminals

Context

Now that WLANs are widely available, users want quick and convenient authentication through applications on mobile terminals, without entering user names and passwords. In this authentication mode, mobile terminals need to automatically display the application-based Portal authentication page, and the applications need to communicate with the background server. Therefore, the mobile terminals must stay connected to the WLAN during authentication.

iOS terminals such as iPhones, iPads, and iMac computers provide the Captive Network Assistant (CNA) function. This function automatically detects the network connection status after iOS terminals connect to WLANs. If the network is disconnected, the iOS terminals display a page prompting users to enter user names and passwords. If users do not enter the user names and passwords, the iOS terminals automatically disconnect from the WLANs. As a result, users cannot use applications on iOS terminals for authentication.

To solve the problem, enable the CNA adaptive function so that iOS terminals are redirected to the application-based Portal authentication page when they connect to WLANs. Users can click the link on the page to start specified applications to perform Portal authentication. If users do not start applications to perform authentication, they can still access authentication-free resources on the WLANs.

NOTE:

Authentication-free resources accessed by users cannot contain the URL captive.apple.com; otherwise, terminals cannot automatically display the Portal authentication page.

If the Portal authentication page is of the HTTPS type, terminals can automatically display the Portal authentication page only when an HTTPS URL is used and the domain name certificate is valid.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal captive-adaptive enable

    The CNA adaptive function is enabled for iOS terminals.

    By default, the CNA adaptive function is disabled for iOS terminals.

    If you run both the portal captive-adaptive enable and portal captive-bypass enable commands, the command executed later takes effect.

Configuring the Maximum Number of Portal Authentication Users Allowed on the Device

Context

You can perform the following configurations to restrict the maximum number of Portal authentication users allowed on the device.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal max-user user-number

    The maximum number of Portal authentication users allowed on the device is configured.

    By default, the maximum number of Portal authentication users allowed on the device is not restricted; it is limited only by the device's capacity.

  3. (Optional) Run portal user-alarm percentage percent-lower-value percent-upper-value

    The alarm thresholds for the Portal authentication user count percentage are configured.

    By default, the lower alarm threshold for the Portal authentication user count percentage is 50, and the upper alarm threshold for the Portal authentication user count percentage is 100.

    When the percentage of online Portal authentication users against the maximum number of users allowed on the device exceeds the upper alarm threshold, the device generates an alarm. When the percentage reaches or falls below the lower alarm threshold, the device clears the alarm.

(Optional) Forcing Portal Authentication Users Offline When a 3G/LTE Link Is Disconnected

Context

When the router functioning as a mobile Internet gateway is deployed on a bus or metro, only the users who pass Portal authentication can connect to the vehicle-mounted Wi-Fi network and access external networks through the 3G/LTE interface. After the 3G/LTE link is disconnected, the users are not logged out in real time, yet they can no longer access any web page. This degrades user experience.

After you configure Portal authentication users to be forcibly disconnected on a 3G/LTE interface, the device forces the Portal authentication users offline when the 3G/LTE link is disconnected. The disconnected users can still access internal network resources of the router, which improves user experience.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface cellular interface-number

    The cellular interface view is displayed.

  3. Run cut web-authentication-user [ domain domain-name | ssid ssid ]

    The device is configured to force Portal authentication users offline when the 3G/LTE link is disconnected.

    By default, the Portal authentication users are still online when the 3G/LTE link is disconnected.

(Optional) Configuring Redirecting Portal Authentication Users to the Built-in Portal Server After 3G/LTE Links Are Disconnected

Context

When routers are deployed as mobile Internet gateways on buses and subways, users can connect to the vehicle-mounted Wi-Fi network and access the Internet through the 3G/LTE interfaces after they pass Portal authentication. If the 3G/LTE links are disconnected, users cannot access any page, degrading user experience.

You can configure 3G/LTE interfaces to redirect Portal authentication users to the built-in Portal server after 3G/LTE links are disconnected. In this way, users can access server resources, improving user experience.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface cellular interface-number

    The cellular interface view is displayed.

  3. Run redirect web-authentication-user url url-string

    The device is configured to redirect Portal authentication users to the built-in Portal server after 3G/LTE links are disconnected.

    By default, the device does not redirect Portal authentication users to the built-in Portal server after 3G/LTE links are disconnected.

Configuring the Quiet Function

Context

If a user frequently fails NAC authentication within a short period, system performance will be affected, and brute force attacks on the user name and password may occur.

After the quiet function is enabled, if the number of times that a user fails to be authenticated within 60 seconds exceeds the upper limit, the device discards the user's authentication request packets for a period to avoid frequent authentication failures.

NOTE:

When the number of quiet entries reaches the maximum number, the device does not allow new users who are not in the quiet table to access the network.

Procedure

  • Configure the quiet function for 802.1X authentication users.

    1. Run system-view

      The system view is displayed.

    2. Run dot1x quiet-period

      The quiet function is enabled for 802.1X authentication users.

      By default, the quiet function is enabled for 802.1X authentication users.

    3. (Optional) Run dot1x quiet-times fail-times

      The maximum number of authentication failures within 60 seconds before the device quiets an 802.1X authentication user is configured.

      By default, the maximum number of authentication failures is 10.

    4. (Optional) Run dot1x timer quiet-period quiet-period-value

      The quiet period is configured for 802.1X authentication users who fail to be authenticated.

      By default, the quiet period is 60 seconds for 802.1X authentication users who fail to be authenticated.

  • Configure the quiet function for MAC address authentication users.

    NOTE:

    The quiet function for MAC address authentication users takes effect only after the undo authentication event action authorize command has been run to stop the device from assigning network access rights to users in the phases before authentication succeeds. In multi-mode authentication of MAC address authentication users, the quiet function for MAC address authentication users does not take effect.

    1. Run system-view

      The system view is displayed.

    2. (Optional) Run mac-authen quiet-times fail-times

      The maximum number of authentication failures within 60 seconds before the device quiets a MAC address authentication user is configured.

      By default, the maximum number of authentication failures is 10.

    3. Run mac-authen timer quiet-period quiet-period-value

      The quiet period is configured for MAC address authentication users who fail to be authenticated.

      By default, the quiet period is 60 seconds for MAC address authentication users who fail to be authenticated. If the value of quiet-period-value is 0, the quiet function is disabled for MAC address authentication users.

  • Configure the quiet function for Portal authentication users.

    1. Run system-view

      The system view is displayed.

    2. Run portal quiet-period

      The quiet function is enabled.

      By default, the quiet function is enabled for Portal authentication users.

    3. (Optional) Run portal quiet-times fail-times

      The maximum number of authentication failures within 60 seconds before the device quiets a Portal authentication user is configured.

      By default, the maximum number of authentication failures is 10.

    4. (Optional) Run portal timer quiet-period quiet-period-value

      The quiet period is configured for Portal authentication users who fail to be authenticated.

      By default, the quiet period is 60 seconds for Portal authentication users who fail to be authenticated.
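The three quiet-function procedures above share one mechanism: a sliding 60-second failure counter per user, a quiet entry that expires after quiet-period-value seconds, and a quiet table whose exhaustion also refuses users who are not in it. The following model is an added illustration of that behaviour, written for this page; it is not Huawei code, and the table size of 64 entries is an assumed value because the page states the full-table behaviour but not the number.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 60  # the failure-counting window stated on the page


class QuietTable:
    """Model of the NAC quiet function (802.1X, MAC address, and Portal users alike).

    A user whose authentication fails more than `fail_times` times within 60 s is
    added to the quiet table for `quiet_period` seconds; while quieted, the device
    discards that user's authentication requests. `max_entries` models the page's
    note that once the table is full, users not already in it are refused as well;
    the page gives no number, so 64 here is an assumed value.
    """

    def __init__(self, fail_times: int = 10, quiet_period: int = 60, max_entries: int = 64):
        self.fail_times = fail_times          # dot1x/mac-authen/portal quiet-times
        self.quiet_period = quiet_period      # ... timer quiet-period
        self.max_entries = max_entries
        self._failures: Dict[str, Deque[float]] = {}   # user -> timestamps of recent failures
        self._quiet_until: Dict[str, float] = {}       # user -> expiry of the quiet entry

    def _expire(self, now: float) -> None:
        # Quiet entries age out after quiet_period seconds.
        for user in [u for u, until in self._quiet_until.items() if until <= now]:
            del self._quiet_until[user]

    def allow_request(self, user: str, now: float) -> bool:
        """Would an authentication request from `user` at time `now` be processed?"""
        self._expire(now)
        if user in self._quiet_until:
            return False                      # quieted: the request is discarded
        if len(self._quiet_until) >= self.max_entries:
            return False                      # table full: users not in it are refused too
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed attempt; return True if `user` has just been quieted."""
        window = self._failures.setdefault(user, deque())
        window.append(now)
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                  # drop failures older than the 60 s window
        if len(window) > self.fail_times:     # "exceeds the upper limit"
            self._quiet_until[user] = now + self.quiet_period
            window.clear()
            return True
        return False


def run_scenario(events: List[Tuple[float, str, str]], **settings) -> List[bool]:
    """Replay (time, user, kind) events on a fresh table. kind 'fail' records a
    failure and yields whether that failure quieted the user; kind 'req' yields
    whether a request at that time would be processed. Results are in event order."""
    table = QuietTable(**settings)
    out = []
    for when, user, kind in events:
        if kind == "fail":
            out.append(table.record_failure(user, when))
        else:
            out.append(table.allow_request(user, when))
    return out


if __name__ == "__main__":
    # Page defaults: the 11th failure inside 60 s quiets the user for 60 s.
    events = [(t, "alice", "fail") for t in range(11)] + [(30, "alice", "req"), (70, "alice", "req")]
    print(run_scenario(events))   # [False]*10 + [True, False, True]
```

The window check matters for tuning: ten failures spread across more than a minute never trip the default threshold, so a lower quiet-times value is what actually slows a slow password-guessing client, while quiet-period-value controls how long a legitimate user with a mistyped password is locked out.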

Configuring the Web Push Function

Context

After a user is successfully authenticated, the device forcibly redirects the user to a web page when it receives the first HTTP or HTTPS packet from that user. In addition to pushing advertisement pages, the device can obtain user terminal information from the HTTP or HTTPS packets sent by users and apply the information to other services. There are two ways to push web pages:
  1. URL: pushes the URL corresponding to the web page.
  2. URL template: pushes the URL template. A URL template must be created. The URL template contains the URL of the pushed web page and URL parameters.

If an application program that actively sends HTTP or HTTPS packets is installed on the user terminal, the terminal has sent the HTTP or HTTPS packet before the user accesses a web page. Therefore, the user is unaware of the web page push process.

For HTTPS packets, the forcible push function takes effect only when a redirection ACL is used. If the user entry carries a redirection ACL, a web page is forcibly pushed when HTTPS packets from the user match the redirection ACL rules. Usually, you configure the RADIUS server to authorize the Huawei extended RADIUS attribute HW-Redirect-ACL to users so that the redirection ACL is applied.

NOTE:
Built-in Portal authentication does not support the web page push function.

When an AR router is connected to Fit APs, the user group priority configuration does not take effect for users who go online from the Fit APs.

Procedure

  • URL mode

    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run domain domain-name

      An AAA domain is created and the AAA domain view is displayed.

      The device has two default domains: default and default_admin. Common access users use the default domain and the administrator uses the default_admin domain.

    4. Run force-push url url-address

      The URL push function is enabled.

      By default, the URL push function is disabled.

  • URL template mode

    1. Create and configure a URL template.
      1. Run system-view

        The system view is displayed.

      2. Run url-template name template-name

        A URL template is created and the URL template view is displayed.

        By default, no URL template is created on the device.

      3. Run url [ push-only ] url-string [ ssid ssid ]

        A pushed URL is configured.

        By default, no pushed URL is configured.

        The SSID that users associate with must be the same as that configured on the device; otherwise, the device cannot push URLs to users.

      4. Run url-parameter { ac-ip ac-ip-value | ac-mac ac-mac-value | ap-ip ap-ip-value | ap-mac ap-mac-value | redirect-url redirect-url-value | ssid ssid-value | sysname sysname-value | user-ipaddress user-ipaddress-value | user-mac user-mac-value | user-vlan user-vlan-value | esn esn-value } *

        Parameters carried in the URL are configured.

        By default, a URL does not carry parameters.

      5. Run url-parameter mac-address format delimiter delimiter { normal | compact }

        The MAC address format in the URL is configured.

        By default, the MAC address format in a URL is XXXXXXXXXXXX.

      6. Run parameter { start-mark parameter-value | assignment-mark parameter-value | isolate-mark parameter-value } *

        Characters in the URL are configured.

        By default, the start character in a URL is a question mark (?), the assignment character is an equal sign (=), and the delimiter between parameters is an ampersand (&).

      7. Run quit

        Return to the system view.

    2. Run aaa

      The AAA view is displayed.

    3. Run domain domain-name

      An AAA domain is created and the AAA domain view is displayed.

      The device has two default domains: default and default_admin. Common access users use the default domain and the administrator uses the default_admin domain.

    4. Run force-push url-template template-name

      The URL template push function is enabled.

      By default, the URL template push function is disabled.
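To make the URL template procedure concrete, here is an added model (written for this page, not Huawei code) of how the url, url-parameter, mac-address format and parameter marks combine into the URL pushed to one user. The parameter names, base URL and session values are constructed; the meaning of the normal and compact keywords (two-digit versus four-digit groups) is an assumption, since the page only states the default XXXXXXXXXXXX form.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


def format_mac(mac: str, delimiter: Optional[str] = None, style: str = "normal") -> str:
    """Render a MAC address as 'url-parameter mac-address format delimiter' would.
    With no delimiter the page's default XXXXXXXXXXXX form is produced. The meaning
    of the normal/compact keywords is assumed here: normal groups two hex digits
    (XX-XX-XX-XX-XX-XX), compact groups four (XXXX-XXXX-XXXX)."""
    digits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if delimiter is None:
        return digits
    size = 2 if style == "normal" else 4
    return delimiter.join(digits[i:i + size] for i in range(0, 12, size))


@dataclass
class UrlTemplate:
    """One 'url-template' view. `params` maps the device field named in
    'url-parameter' (ssid, user-mac, ap-ip, ...) to the parameter name that
    appears in the pushed URL, in configuration order."""
    url: str
    params: Dict[str, str] = field(default_factory=dict)
    start_mark: str = "?"        # 'parameter start-mark', page default ?
    assignment_mark: str = "="   # 'parameter assignment-mark', page default =
    isolate_mark: str = "&"      # 'parameter isolate-mark', page default &
    mac_delimiter: Optional[str] = None   # 'url-parameter mac-address format delimiter'
    mac_style: str = "normal"

    def render(self, session: Dict[str, str]) -> str:
        """Build the URL pushed to one user from that user's session values."""
        pairs = []
        for field_name, param_name in self.params.items():
            value = session[field_name]
            if field_name.endswith("-mac"):
                value = format_mac(value, self.mac_delimiter, self.mac_style)
            pairs.append(f"{param_name}{self.assignment_mark}{value}")
        if not pairs:
            return self.url
        return self.url + self.start_mark + self.isolate_mark.join(pairs)


if __name__ == "__main__":
    # Constructed template: url-parameter ssid wlan user-mac usermac user-ipaddress userip
    tpl = UrlTemplate("http://ad.example.com/welcome",
                      {"ssid": "wlan", "user-mac": "usermac", "user-ipaddress": "userip"},
                      mac_delimiter=":")
    print(tpl.render({"ssid": "guest", "user-mac": "00e0fc123456", "user-ipaddress": "10.0.0.5"}))
```

The rendered URL carries the user's MAC and IP address to the pushed page in clear text, which is why the page's note that the SSID must match matters for operators: the same template should only be applied to domains whose pushed server is trusted with that terminal information.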

(Optional) Configuring HTTP-based Authentication and Accounting Functions

Context

In traditional NAC scenarios, Portal and RADIUS authentication modes are often used for carriers and enterprises that require a complete authentication solution. In Internet access scenarios, access control devices need to connect to Internet or cloud servers. Therefore, they need to provide HTTP-based authentication and obtain user authorization information, including online duration, traffic usage, and bandwidth. After users access the Internet, the access control device periodically sends accounting packets to the authentication and accounting server. The server performs accounting for the users based on user traffic statistics. When the online duration or traffic usage exceeds authorization, the device forcibly disconnects the user and sends the disconnection message of the user to the authentication and accounting server.

NOTE:

Only the AR121W, AR129W, AR129CVW, AR121GW-L, AR129GW-L, AR129CGVW-L, AR109W, AR109GW-L, AR151W-P, AR156W, AR157W, AR157VW, AR158EVW, AR161W, AR161EW, AR161EW-M1, AR161FGW-L, AR161FGW-Lc, AR169W, AR161FW, AR161FW-P-M5, AR161FGW-La, AR169FVW, AR169FVW-8S, AR169JFVW-4B4S, AR169JFVW-2S, AR169CVW-4B4S, AR169EGW-L, AR169EW, AR169CVW, AR169FGVW-L, AR169FGW-L, AR169W-P-M9, AR169RW-P-M9, AR201VW-P, AR207VW, AR1220W, AR1220EVW, and AR1220VW that can work as a WLAN Fat AP support this configuration.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface wlan-bss wlan-bss-number

    A WLAN-BSS interface is created and the WLAN-BSS interface view is displayed.

  3. Run web-authentication first-mac

    MAC address-prioritized Portal authentication is enabled.

    By default, MAC address-prioritized Portal authentication is disabled.

  4. Run web-service access enable

    Authentication and accounting functions are enabled on the WLAN-BSS interface.

    By default, authentication and accounting functions are disabled on a WLAN-BSS interface.

  5. Run quit

    Return to the system view.

  6. Run web-service aaa server url authorize-enable

    A URL is configured for the authentication and accounting server.

    By default, no URL is configured for the authentication and accounting server.

  7. (Optional) Run web-service accounting enable

    The device is enabled to send accounting packets to the authentication and accounting server.

    By default, the device does not send accounting packets to the authentication and accounting server.

    To perform accounting for users based on the volume of traffic destined for the Internet, use this command.

  8. (Optional) Run web-service accounting interval interval

    The interval at which the device sends accounting packets to the authentication and accounting server is configured.

    By default, the device sends accounting packets to the authentication and accounting server at an interval of 30 seconds.

    To enable the device to periodically send accounting packets to the authentication and accounting server, use this command.

    NOTE:

    Before running the preceding command, run the web-service accounting enable command to enable the device to send accounting packets to the authentication and accounting server.

Configuring the Maximum Number of Consecutive Authentication Failures

Context

You can perform the following operations to configure the maximum number of consecutive authentication failures allowed on the device.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication authen-fail fail-times fail-times

    The maximum number of consecutive authentication failures is configured.

    By default, the maximum number of consecutive authentication failures is 1.

Adjusting the Matching Order of ACL Rules

Context

By default, for NAC users, packets are matched with ACL rules in descending order by rule ID. That is, a larger rule ID indicates a higher priority of an ACL rule. You can adjust the matching order of ACL rules so that an ACL rule with a smaller rule ID has a higher priority.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run access-user acl-priviledge-revert

    The device is configured to match packets with ACL rules in ascending order by rule ID. That is, a smaller rule ID indicates a higher priority of an ACL rule.

    By default, the device matches packets with ACL rules in descending order by rule ID. That is, a larger rule ID indicates a higher priority of a rule.

    The configuration takes effect only after the device is restarted.
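Because the revert command only takes effect after a restart, it is worth knowing in advance which flows change verdict when the matching order flips. The following added example (written for this page, not Huawei code) models first-match lookup in both orders over a constructed two-rule ACL and lists the packets whose outcome differs. The sample rule IDs, addresses and the (None, None) result for an unmatched packet are assumptions; what the device does with unmatched packets is not modelled.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, str]
Rule = Tuple[int, str, Callable[[Packet], bool]]   # (rule ID, action, match predicate)


def dst_in(cidr: str) -> Callable[[Packet], bool]:
    """Predicate: the packet's destination address lies in `cidr`."""
    net = ipaddress.ip_network(cidr)
    return lambda pkt: ipaddress.ip_address(pkt["dst"]) in net


def match_acl(rules: List[Rule], packet: Packet,
              ascending: bool = False) -> Tuple[Optional[int], Optional[str]]:
    """First-match lookup. ascending=False is the page's NAC default (the larger
    rule ID is tried first); ascending=True models the order after
    'access-user acl-priviledge-revert'. (None, None) means no rule matched."""
    for rule_id, action, pred in sorted(rules, key=lambda r: r[0], reverse=not ascending):
        if pred(packet):
            return rule_id, action
    return None, None


def order_sensitive(rules: List[Rule], packets: List[Packet]) -> List[Packet]:
    """Packets whose verdict changes between the two orders: the flows to review
    before enabling the revert command and restarting."""
    return [p for p in packets
            if match_acl(rules, p)[1] != match_acl(rules, p, ascending=True)[1]]


# Constructed sample ACL: a broad permit with the lower rule ID and a narrow deny
# with the higher one. Under the default order the deny wins for 10.1.2.0/24;
# after the revert the permit is tried first and the deny is never reached.
SAMPLE_RULES: List[Rule] = [
    (5, "permit", dst_in("10.1.0.0/16")),
    (10, "deny", dst_in("10.1.2.0/24")),
]

if __name__ == "__main__":
    flows = [{"dst": "10.1.2.7"}, {"dst": "10.1.3.1"}, {"dst": "192.0.2.1"}]
    for pkt in flows:
        print(pkt["dst"], match_acl(SAMPLE_RULES, pkt), match_acl(SAMPLE_RULES, pkt, ascending=True))
    print("order-sensitive:", order_sensitive(SAMPLE_RULES, flows))
```

The deny that silently stops applying after the restart is the security-relevant case: any ACL authorized to NAC users that relies on a higher-numbered deny overriding a lower-numbered permit must be renumbered before the revert command is enabled.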

Configuring User Isolation

Context

To block mutual access between users of a group or between users of two groups, configure user isolation.

Procedure

  1. Run the system-view command to enter the system view.
  2. Run the user-group group-name command to create a user group and enter the user group view.
  3. Run the user-isolated { inter-group | inner-group } * command to configure intra-group and inter-group isolation.

    By default, inter-group or intra-group isolation is not configured in a user group.

    If the RADIUS server dynamically delivers user group information to users who are authenticated and online, the inter-group or intra-group isolation configuration of that group cannot be modified or deleted.

Setting the Source Address of Offline Detection Packets

Context

The device sends an ARP probe packet to check the user online status. If the user does not respond within a detection period, the device considers that the user is offline.

NOTE:
  • This function does not take effect for users who use Layer 3 Portal authentication.

  • Normally, after the device sends an ARP probe packet with the default source IP address, online clients immediately respond with ARP reply packets. If some online clients do not respond, the device logs them out unexpectedly. To resolve this problem, use either of the following methods:
    • Run the access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address command to specify a VLAN ID, source IP address, and source MAC address for ARP probe packets.
    • Run the authentication timer handshake-period handshake-period command to increase the handshake period so that the device can detect gratuitous ARP packets that these clients send at an irregular period. Once the device detects such packets, it does not log them out.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Set the source address of offline detection packets.

    • Run access-user arp-detect default ip-address ip-address

      The default source IP address of offline detection packets is set.

      By default, the default source IP address of offline detection packets is 0.0.0.0.

    • Run access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address

      The source IP address and source MAC address are specified for offline detection packets in a VLAN.

      By default, the source IP address and source MAC address are not specified for offline detection packets in a VLAN.

      You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets.

    NOTE:
    The following source IP addresses used in offline detection packets are listed in descending order of priority:
    1. IP address of the VLANIF interface corresponding to the VLAN that users belong to and on the same network segment as users
    2. Source IP address specified using the access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address command for offline detection packets in a specified VLAN
    3. Default source IP address specified using the access-user arp-detect default ip-address ip-address command for offline detection packets
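The priority list above decides which source address each user's ARP probe carries, and the note earlier in this section explains why it matters: a probe from an address the client will not answer (the 0.0.0.0 default in particular) gets that client logged out. The following added example (written for this page, not Huawei code) applies the three-level priority to constructed VLANIF addresses and per-VLAN settings and reports which users would still be probed from the default address.

```python
import ipaddress
from typing import Dict, List, Tuple


def probe_source(user_ip: str, user_vlan: int,
                 vlanif_addrs: Dict[int, List[str]],
                 vlan_overrides: Dict[int, Tuple[str, str]],
                 default_ip: str = "0.0.0.0") -> Tuple[str, str]:
    """Pick the source IP of the offline-detection ARP probe for one user, in the
    page's priority order:
    1. a VLANIF address on the user's VLAN that shares the user's subnet;
    2. the per-VLAN address from 'access-user arp-detect vlan ... ip-address ... mac-address ...';
    3. the address from 'access-user arp-detect default ip-address' (page default 0.0.0.0).
    Returns (ip, rule_used). vlanif_addrs values are 'ip/prefix' strings and
    vlan_overrides values are (ip, mac) pairs; all inputs are constructed."""
    addr = ipaddress.ip_address(user_ip)
    for cidr in vlanif_addrs.get(user_vlan, []):
        iface = ipaddress.ip_interface(cidr)
        if addr in iface.network:            # same network segment as the user
            return str(iface.ip), "vlanif"
    if user_vlan in vlan_overrides:
        return vlan_overrides[user_vlan][0], "vlan-override"
    return default_ip, "default"


def users_probed_from_default(users: List[Tuple[str, int]],
                              vlanif_addrs: Dict[int, List[str]],
                              vlan_overrides: Dict[int, Tuple[str, str]],
                              default_ip: str = "0.0.0.0") -> List[str]:
    """Users whose probes fall through to the default source address. With the
    page default of 0.0.0.0 these are the users most likely to be logged out
    because their clients never answer the probe."""
    return [ip for ip, vlan in users
            if probe_source(ip, vlan, vlanif_addrs, vlan_overrides, default_ip)[1] == "default"]


# Constructed sample configuration.
SAMPLE_VLANIF = {10: ["10.1.1.1/24"], 20: ["10.2.2.1/24"]}
SAMPLE_OVERRIDES = {20: ("192.168.5.1", "00e0-fc00-0001"), 30: ("172.16.0.1", "00e0-fc00-0002")}

if __name__ == "__main__":
    users = [("10.1.1.20", 10), ("192.168.5.9", 20), ("10.2.2.9", 20), ("10.9.9.9", 40)]
    for ip, vlan in users:
        print(ip, vlan, probe_source(ip, vlan, SAMPLE_VLANIF, SAMPLE_OVERRIDES))
    print("probed from default:", users_probed_from_default(users, SAMPLE_VLANIF, SAMPLE_OVERRIDES))
```

Running the second function over the real user VLAN plan before deployment tells you which VLANs need an access-user arp-detect vlan entry (the page advises the user gateway's IP and MAC) so that no production user is probed from 0.0.0.0.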

Enabling the Device to Dynamically Adjust the Rate at Which It Processes Packets from NAC Users

Context

When many NAC users send authentication or logout requests at the same time, the device CPU may be overloaded, especially when CPU or memory usage is already high (for example, above 80%). After the device is enabled to dynamically adjust the rate of packets from NAC users, it limits the number of NAC packets received per second whenever CPU or memory usage is high. This function reduces the load on the device CPU.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication speed-limit auto

    The device is enabled to dynamically adjust the rate at which it processes packets from NAC users.

Enabling URL Encoding and Decoding

Context

To improve web application security, data from untrusted sources must be encoded before being sent to clients. URL encoding is the most common encoding in web applications. After URL encoding and decoding are enabled, special characters in redirected URLs are converted to a safe form, so that clients cannot mistake them for syntax characters or instructions and unexpectedly alter the meaning of the original URL. In this way, cross-site scripting attacks and injection attacks are prevented.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal url-encode enable

    URL encoding and decoding are enabled.

    By default, URL encoding and decoding are enabled.

Check the Configuration

Run the display portal url-encode configuration command to check the configuration of URL encoding and decoding.
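The following added example (written for this page, not Huawei code) shows what the encoding protects: a redirect URL built from the user's original request without encoding, beside its percent-encoded form, parsed the way a Portal server would parse it. The portal address, the original request URL and the redirect-url parameter name are constructed.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

PORTAL = "http://portal.example.com/login"                        # constructed Portal server URL
ORIGINAL = "http://intranet.example.com/app?page=2&lang=en"       # constructed original request

# Only unreserved characters and %XX escapes may appear in a safely encoded value.
_SAFE_VALUE = re.compile(r"^(?:[A-Za-z0-9._~-]|%[0-9A-Fa-f]{2})*$")


def build_redirect_unencoded(original: str) -> str:
    """Weak form: the original URL is pasted into the query string as-is."""
    return f"{PORTAL}?redirect-url={original}"


def build_redirect_encoded(original: str) -> str:
    """Hardened form: every reserved character in the value is percent-encoded."""
    return f"{PORTAL}?redirect-url={quote(original, safe='')}"


def recover_redirect(url: str):
    """What the Portal server sees: the redirect-url value it decodes, and the
    full set of parameter names it believes the query string contains."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("redirect-url", [None])[0], sorted(qs)


def is_safely_encoded(value: str) -> bool:
    """Check that a parameter value carries no raw reserved or markup characters."""
    return bool(_SAFE_VALUE.match(value))


if __name__ == "__main__":
    for label, url in (("unencoded", build_redirect_unencoded(ORIGINAL)),
                       ("encoded", build_redirect_encoded(ORIGINAL))):
        print(label, url)
        print("  server sees:", recover_redirect(url))
```

In the unencoded form the ampersand inside the original URL splits it into two parameters, so the server receives a truncated redirect target and a stray lang parameter; in the encoded form the value survives intact and the only parameter present is the one the device intended. The same encoding turns quotes and angle brackets into %XX escapes, which is the cross-site scripting case the section refers to, and is_safely_encoded is a quick check to apply to redirect URLs seen in logs when verifying that the default portal url-encode enable setting has not been turned off.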

Verifying the NAC Extended Functions Configuration

Context

After configuring extended functions, run the following commands to check the configuration.

Procedure

  • Run the display portal quiet-user { all | user-ip ip-address | server-ip ip-address } command to check information about Portal authentication users who are quieted.
  • Run the display mac-authen quiet-user { all | mac-address mac-address } command to check information about MAC address authentication users who are quieted.
  • Run the display dot1x quiet-user { all | mac-address mac-address } command to check information about 802.1X authentication users who are quieted.
Updated: 2019-08-07

Document ID: EDOC1100034077
