CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

Configuring an Authentication Profile

Creating an Authentication Profile

Context

NAC implements access control on users. To facilitate NAC function configuration, the device uses authentication profiles to uniformly manage NAC configuration. You can configure parameters in an authentication profile to provide different access control modes for users. For example, you can configure the access profile bound to the authentication profile to determine the authentication mode for the authentication profile. The device then uses the authentication mode to authenticate users on the interface or VAP profile to which the authentication profile is applied.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    An authentication profile is created and the authentication profile view is displayed.

    By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.

    NOTE:
    • The device supports a maximum of 8 authentication profiles. The built-in authentication profile default_authen_profile and the compatibility profile converted after an upgrade are not counted in the configuration specification. The six built-in authentication profiles (default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile) can be modified and applied, but cannot be deleted.
    • Before deleting an authentication profile, ensure that the profile is not bound to any interface or VAP profile. Run the display authentication-profile configuration command to check whether the authentication profile is bound to an interface or a VAP profile.

Configuring a User Authentication Mode

Context

The device supports 802.1X, MAC address, and Portal authentication modes in NAC deployment. The access profile bound to the authentication profile determines the user authentication mode on the interface or in the VAP profile to which the authentication profile is applied. For example, if you want to use MAC address authentication to control and manage users who go online using a VAP profile, bind a MAC access profile to the authentication profile applied to the VAP profile.

The device allows multiple authentication modes (multi-mode authentication) to be deployed simultaneously in a VAP profile to meet various authentication requirements on the network. In this case, you need to bind multiple access profiles to an authentication profile.

Prerequisites
Access profiles have been configured.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  3. Configure the user authentication mode.

    • 802.1X authentication

      Run dot1x-access-profile access-profile-name

      An 802.1X access profile is bound to the authentication profile.

      By default, no 802.1X access profile is bound to an authentication profile.

    • MAC address authentication

      Run mac-access-profile access-profile-name

      A MAC access profile is bound to the authentication profile.

      By default, no MAC access profile is bound to an authentication profile.

    • Portal authentication

      Run portal-access-profile access-profile-name

      A Portal access profile is bound to the authentication profile.

      By default, no Portal access profile is bound to an authentication profile.

    • Multi-mode authentication

      To concurrently configure several authentication modes, you only need to bind corresponding access profiles to an authentication profile. Access profiles can be bound to the authentication profile in any sequence. The device triggers the corresponding authentication based on received authentication packets.

      You can configure MAC address bypass authentication to authenticate terminals such as printers that cannot have the 802.1X client installed. The device performs 802.1X authentication for users. If the authentication fails, the device performs MAC address authentication for these users.

      The following uses MAC address bypass authentication as an example. The configuration procedure is as follows:
      1. Run mac-access-profile access-profile-name

        A MAC access profile is bound to the authentication profile.

        By default, no MAC access profile is bound to an authentication profile.

      2. Run dot1x-access-profile access-profile-name

        An 802.1X access profile is bound to the authentication profile.

        By default, no 802.1X access profile is bound to an authentication profile.

      3. Run authentication dot1x-mac-bypass

        MAC address bypass authentication is enabled.

        By default, MAC address bypass authentication is disabled.

    NOTE:

    When configuring multi-mode authentication, pay attention to the following points:

    • An authentication profile can be bound to at most one 802.1X access profile, one MAC access profile, and one Portal access profile.

    • After multi-mode authentication is configured, the device by default allows a user to pass more than one authentication mode. For example, a user who has passed MAC address authentication is not redirected to the Portal authentication page when accessing a web page, but if the user enters the Portal authentication website in the browser directly, Portal authentication is performed and, on success, the user obtains the network access rights of a Portal authentication user. To allow each user to pass only one access authentication, run the authentication single-access command.

  4. (Optional) Run authentication ip-address in-accounting-start

    The function of carrying users' IP addresses in Accounting-Start packets is enabled.

    By default, the function of carrying users' IP addresses in Accounting-Start packets is disabled.

    This command takes effect only for 802.1X authentication and MAC address authentication users. By default, Accounting-Start packets for Portal authentication carry users' IP addresses.

  5. (Optional) Run authentication roam pre-authen mac-authen enable

    MAC address authentication is enabled for roaming STAs.

    By default, MAC address authentication is disabled for roaming STAs.
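The following is an added example, not taken from this guide, that walks the procedure above end to end for a wired interface carrying both 802.1X-capable PCs and printers that need MAC address bypass. The profile name p1, the access profile names d1 and m1, the interface GigabitEthernet0/0/1 and the prompts are illustrative assumptions; the two access profiles are assumed to exist already (see Prerequisites), and binding the profile to the interface is covered in a later section of this guide, so that step is shown only to indicate where the profile is consumed. Lines beginning with # are annotations, not commands.

```text
# Added example; names, interface and prompts are assumptions.
<Huawei> system-view
[Huawei] authentication-profile name p1
# Bind both access profiles. Order does not matter; the device selects the
# method from the authentication packets it receives.
[Huawei-authen-profile-p1] dot1x-access-profile d1
[Huawei-authen-profile-p1] mac-access-profile m1
# Printers have no 802.1X supplicant: after 802.1X authentication fails,
# fall back to MAC address authentication for that terminal.
[Huawei-authen-profile-p1] authentication dot1x-mac-bypass
# Caveat from the NOTE above: with several modes bound, a user that passed
# the weakest one (MAC) could still complete another mode and collect its
# rights. Restrict each user to a single successful access authentication.
[Huawei-authen-profile-p1] authentication single-access
[Huawei-authen-profile-p1] quit
# Apply the profile to the access interface (command documented in a later section).
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] authentication-profile p1
[Huawei-GigabitEthernet0/0/1] quit
# Verify the bindings before relying on them.
[Huawei] display authentication-profile configuration name p1
```

Check the display output for both access profiles and the dot1x-mac-bypass and single-access lines; a profile bound to only one access profile silently degrades to single-mode authentication, and one without single-access keeps the multi-mode behaviour described in the NOTE.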

(Optional) Configuring the User Access Mode

Context

After enabling NAC authentication, you can configure a user access mode based on the user access on the interface. The user access modes include:
  • single-terminal: applies to the scenario in which only one data terminal is connected to the network through the interface.
  • single-voice-with-data: applies to the scenario in which only one data terminal is connected to the network on the device interface through a voice terminal (such as an IP phone).
  • multi-share: applies to the scenario that does not require high security and in which multiple data terminals are connected to the network on the device interface.
  • multi-authen: applies to the scenario that requires high security and in which multiple data terminals are connected to the network on the device interface. In this access mode, you can configure the maximum number of access users based on the actual user quantity on the interface. This prevents malicious users from occupying a large amount of device resources and ensures that the users on other device interfaces can normally go online.
NOTE:

AR500, AR530, and AR550 series do not support binding a VLAN in MAC-based mode.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  3. Run authentication mode { single-terminal | single-voice-with-data | multi-share | multi-authen [ max-user max-user-number [ dot1x | mac-authen | portal | none ] * ] }

    The user access mode is configured. When the mode is multi-authen, max-user sets the maximum number of access users allowed on the interface.

    By default, the access authentication mode is multi-authen.

    NOTE:
    • VLANIF interfaces do not support this function.
    • The authentication mode multi-authen max-user max-user-number command only indicates the maximum number of access users allowed by the interface in multi-authen mode, not the access mode of the specified interface. The interface access mode needs to be modified to multi-authen using the authentication mode multi-authen command.

    • If multi-share mode is configured on a physical interface and the first access user fails authentication and sets up a pre-connection, subsequent access users on that interface also fail authentication. Therefore, where the first access user may fail authentication after multi-share mode is configured on a physical interface, the following is recommended:
      • Do not use the multi-share mode with Portal authentication.

(Optional) Configuring Authentication Event Authorization Information

Context

If users establish pre-connections with the device or fail to be authenticated, they have no network access rights.

To meet these users' basic network access requirements such as updating the antivirus database and downloading the client, configure authentication event authorization information. The device will assign network access rights to these users based on the authentication phase.

NOTE:

An authorized VLAN cannot be delivered to online Portal users.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure authorization parameters.

    If users are in the pre-connection phase or fail to be authenticated, or the authentication server is Down, the device can use the VLAN and service scheme to grant network access rights to the users.

    • VLAN

      Configure a VLAN and network resources in the VLAN on the device.

    • Service scheme

      Configure a service scheme on the device. For configuration details, see (Optional) Configuring a Service Scheme.

  3. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  4. Configure authorization information.

    • Run authentication event pre-authen action authorize { vlan vlan-id | service-scheme service-scheme-name }

      Network access rights are configured for users who are in the pre-connection phase.

    • Run authentication event authen-fail action authorize { vlan vlan-id | service-scheme service-scheme-name } [ response-fail ]

      Network access rights are configured for users who fail to be authenticated.

    • Run authentication event authen-server-down action authorize { vlan vlan-id | service-scheme service-scheme-name } [ response-fail ]

      Network access rights are configured for users when the authentication server is Down.

    By default, no authentication event authorization information is configured.

    NOTE:

    If no network access right is configured for users who fail authentication or for the case in which the authentication server is Down, such users establish pre-connections with the device after the authentication fails and receive the network access rights granted to pre-connection users.

    VLAN-based authorization does not apply to the authentication users who access through VLANIF interfaces.

    If authorization upon an authentication server Down event is configured and the device detects that the authentication server is Down, the device grants the corresponding network access rights to users who fail to be authenticated and adds them to the entries of users who fail to be authenticated upon an authentication server Down event. If such authorization is not configured and the device detects that the server is Down, the device instead grants the network access rights configured for users who fail authentication and adds the users to the entries of users who fail to be authenticated.

    The device assigns network access rights based on the priorities of the configured rights in a network status as follows:

    • If the authentication server is Down: network access right upon an authentication server Down event > network access right for users who fail authentication > network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled
    • If users fail authentication: network access right for users who fail authentication > network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled
    • If users are in the pre-connection state: network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled
    • If an 802.1X client does not respond: network access right if an 802.1X client does not respond > network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled

  5. (Optional) Configure the aging time of user entries.

    • Run authentication timer pre-authen-aging aging-time

      The aging time is configured for entries of pre-connection users.

      By default, the aging time is 23 hours for entries of pre-connection users.

    • Run authentication timer authen-fail-aging aging-time

      The aging time is configured for entries of users who fail to be authenticated.

      By default, the aging time is 23 hours for entries of users who fail to be authenticated.

      NOTE:
      The authentication timer authen-fail-aging aging-time command sets the aging time for both the entries of users who fail to be authenticated upon an authentication server Down event and the entries of users who fail to be authenticated.
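As an added illustration of steps 2 to 5 (not part of the original guide), the configuration below grants a remediation VLAN to pre-connection users, a more restricted VLAN to users whose authentication failed, the remediation VLAN again while the RADIUS server is Down, and shortens the aging of failed-user entries. VLAN IDs 10 and 20, the profile name p1 and the prompts are assumptions, as is the reading of response-fail as "tell the client it failed even though restricted access was granted" (check the command reference); the aging value is assumed to be in hours, matching the 23-hour default stated above. Lines beginning with # are annotations, not commands.

```text
# Added example; VLAN IDs, profile name and prompts are assumptions.
<Huawei> system-view
# VLAN 10 is the remediation VLAN: only the antivirus update server and the
# client download site should be reachable from it. VLAN 20 is for failed
# users and should be even more restricted.
[Huawei] vlan batch 10 20
[Huawei] authentication-profile name p1
# Users that have not yet authenticated (pre-connection) land in VLAN 10.
[Huawei-authen-profile-p1] authentication event pre-authen action authorize vlan 10
# Users whose authentication failed land in VLAN 20. response-fail keeps the
# failure visible to the client instead of reporting success (assumption).
[Huawei-authen-profile-p1] authentication event authen-fail action authorize vlan 20 response-fail
# While the RADIUS server is unreachable, give users the remediation VLAN
# rather than full access. Per the priority list above, this right wins over
# the authen-fail and pre-authen rights for as long as the server is Down.
[Huawei-authen-profile-p1] authentication event authen-server-down action authorize vlan 10
# Expire failed-user entries sooner than the 23-hour default so fallback
# rights are not held longer than needed (value in hours, assumed).
[Huawei-authen-profile-p1] authentication timer authen-fail-aging 2
[Huawei-authen-profile-p1] quit
[Huawei] display authentication-profile configuration name p1
```

The fallback VLANs are where an attacker who cannot authenticate ends up, so keep them free of anything but the remediation resources and treat the server-Down right as a deliberate availability trade-off: without it, users who fail while the server is Down simply receive the authen-fail right, and without that, the pre-connection right.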

(Optional) Configuring Authorization Information for Authentication-free Users

Context

Before being authenticated, users need to obtain some network access rights to meet basic network access requirements such as downloading the 802.1X client and updating antivirus database. The device uses an authentication-free rule profile to uniformly manage authorization information for authentication-free users. You can define some network access rules in the profile to determine network access rights that can be obtained by authentication-free users. You need to bind a configured authentication-free rule profile to an authentication profile. Users using the authentication profile then can obtain authentication-free authorization information.

NOTE:

Authentication-free rules take effect immediately after they are configured in the authentication-free rule profile; binding the profile to an authentication profile is not required for them to take effect.

Procedure

  1. Configure an authentication-free rule profile.

    1. Run system-view

      The system view is displayed.

    2. Run free-rule-template name free-rule-template-name

      An authentication-free rule profile is created and the authentication-free rule profile view is displayed.

      By default, the device has a built-in authentication-free rule profile named default_free_rule.

      NOTE:

      Currently, the device supports only one authentication-free rule profile, that is, the built-in profile default_free_rule.

    3. Run free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } | any } } | source { any | ip { ip-address mask { mask-length | ip-mask } | any } } } *

      Or run free-rule acl acl-id

      An authentication-free rule is configured.

      By default, no authentication-free rule is configured for NAC authentication users.

    4. Run quit

      Return to the system view.

  2. Bind the authentication-free rule profile to the authentication profile.

    1. Run authentication-profile name authentication-profile-name

      The authentication profile view is displayed.

    2. Run free-rule-template free-rule-template-name

      Bind the authentication-free rule profile to the authentication profile.

      By default, no authentication-free rule profile is bound to an authentication profile.
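An added example for the two-part procedure above (not from the original guide). It populates the built-in default_free_rule profile with the smallest set of pre-authentication destinations a client needs, then binds it to the authentication profile. The addresses 10.1.1.20 (antivirus update server) and 10.1.1.21 (802.1X client download server), the profile name p1 and the prompts are assumptions. Lines beginning with # are annotations, not commands.

```text
# Added example; addresses, profile name and prompts are assumptions.
<Huawei> system-view
# Only the built-in profile exists on this platform (see the NOTE above).
[Huawei] free-rule-template name default_free_rule
# Reach the antivirus update server before authentication. A /32 mask keeps
# the hole to a single host; "destination any" would exempt every host
# on the interface from NAC entirely.
[Huawei-free-rule-default_free_rule] free-rule 1 destination ip 10.1.1.20 mask 32
# Reach the 802.1X client download server before authentication.
[Huawei-free-rule-default_free_rule] free-rule 2 destination ip 10.1.1.21 mask 32
[Huawei-free-rule-default_free_rule] quit
[Huawei] authentication-profile name p1
[Huawei-authen-profile-p1] free-rule-template default_free_rule
[Huawei-authen-profile-p1] quit
# Confirm exactly which destinations are exempt.
[Huawei] display free-rule-template configuration name default_free_rule
```

Where the exemption must be limited to a port or protocol rather than a whole host, use the free-rule acl acl-id form with an advanced ACL instead of the destination ip form; either way, review the display output periodically, because every rule here is reachable by any unauthenticated device on the interface.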

(Optional) Configuring Re-authentication for Users

Context

The device records entries for pre-connection users and users who fail to be authenticated, and grants corresponding network access rights to the users. For details, see (Optional) Configuring Authentication Event Authorization Information. To ensure that users are successfully authenticated in a timely manner and obtain normal network access rights, you can configure the device to re-authenticate users who fail to be authenticated based on user entries.

If a user fails to be re-authenticated before the aging time expires, the device deletes the corresponding user entry and reclaims the granted network access rights. If a user is successfully re-authenticated, the device adds the user to entries of authenticated users and grants corresponding network access rights to the user.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  3. Run authentication timer re-authen { pre-authen re-authen-time | authen-fail re-authen-time }

    A re-authentication interval is configured for pre-connection users and users who fail to be authenticated.

    By default, the device re-authenticates pre-connection users and users who fail to be authenticated at an interval of 60 seconds.

    NOTE:

    The device adds users granted authen-fail authorization and pre-connection users to the entries of users who fail to be authenticated and of pre-connection users respectively. By default, the device re-authenticates the users in these entries; the preceding step changes only the re-authentication interval.

    To reduce the impact on the device performance when many users exist, the user re-authentication interval may be longer than the configured re-authentication interval.

  4. Run authentication event authen-server-up action re-authen

    The device is enabled to re-authenticate users in the survival state when the authentication server changes from Down or forcible Up to Up.

    By default, the device does not re-authenticate users in the survival state when the authentication server changes from Down or forcible Up to Up.

    NOTE:

    After the status of the RADIUS server is set to Down, you can run the radius-server dead-time dead-time command to set the interval for the RADIUS server to return to the active state. When the value of dead-time expires, the status of the RADIUS server is set to forcible Up. When the server successfully transmits and receives packets, the status is set to Up. The device can re-authenticate users when the server changes from Down or forcible Up to Up.

(Optional) Configuring the Handshake Function to Enable the Device to Clear User Entries Immediately

Context

The device creates entries for pre-connection users, users who fail to be authenticated and are assigned network access rights, and users who are authenticated. After users go offline in normal situations, the system immediately deletes the corresponding user entries. However, if some users go offline due to exceptions such as network disconnections, the system cannot immediately delete the corresponding user entries. If there are too many such invalid user entries, other users may fail to access the network.

To solve this problem, configure the handshake function to enable the device to clear user entries immediately. Then, if a user does not respond to the handshake request from the device within the handshake interval, the device deletes the user entry.

NOTE:

All pre-connection users support this function. Among users who fail authentication or pass authentication, only MAC address authentication users and 802.1X authentication users support it. Offline detection for Portal authentication users is configured using the portal timer offline-detect command.

This function takes effect only for the wired users who obtain IP addresses.

If the number of ARP probe packets exceeds the default CAR value, the probe fails and the users are logged out. (Run the display cpu-defend statistics command to check whether ARP request and response packets are being dropped.) To resolve the problem, the following methods are recommended:
  • Increase the handshake interval based on the number of users. The default handshake interval is adequate for fewer than 8000 users; with more than 8000 users, set the handshake interval to no less than 600 seconds.
  • Deploy the port attack defense function on the access device and limit the rate of packets sent to the CPU.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  3. Run authentication handshake

    The handshake with pre-connection users and authorized users is enabled.

    By default, the handshake with pre-connection users and authorized users is enabled.

  4. (Optional) Run authentication timer handshake-period handshake-period

    The handshake interval of the device with pre-connection users and authorized users is set.

    By default, the handshake interval of the device with pre-connection users and authorized users is 300 seconds.

(Optional) Configuring a User Authentication Domain

Context

The device manages users in domains. For example, AAA schemes and authorization information are bound to domains. During user authentication, the device assigns users to specified domains based on the domain names contained in user names. However, user names entered by many users on actual networks do not contain domain names. In this case, you can configure a default domain in an authentication profile. If users using this profile enter user names that do not contain domain names, the device manages the users in the default domain.

On actual networks, user names entered by some users contain domain names and those entered by other users do not. The device uses different domains to manage the users. Because authentication, authorization and accounting (AAA) information in the domains are different, users use different AAA information. To ensure that users using the same authentication profile use the same AAA information, you can configure a forcible domain in the authentication profile for the users. The device then manages the users in the forcible domain regardless of whether entered user names contain domain names or not.

Prerequisites

A domain has been configured using the domain (AAA view) command in the AAA view.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  3. Run access-domain domain-name [ dot1x | mac-authen | portal ] * [ force ]

    A default or forcible domain is configured for users.

    By default, no default or forcible domain is configured in an authentication profile, and the global default domain default is used.

    NOTE:
    • If force is not specified, a default domain is configured. If force is specified, a forcible domain is configured. If both a default domain and a forcible domain are configured, the device authenticates users in the forcible domain.

    • If dot1x, mac-authen, or portal is not specified, the configured domain takes effect for all access authentication users using the authentication profile. If dot1x, mac-authen, or portal is specified, the configured domain takes effect only for specified users using the authentication profile.

    • To configure the authentication domain for MAC address authentication users, you can also run the mac-authen domain isp-name mac-address mac-address mask mask command in the system view. When both access-domain mac-authen and mac-authen domain are configured, access-domain mac-authen takes precedence.

(Optional) Configuring the User Logout Delay Function When an Interface Link Is Faulty

Context

If a link is faulty, the interface goes Down and users are logged out immediately. To avoid this, you can configure the user logout delay function: when the interface link is faulty, users remain online for the duration of the delay. If the link is restored within the delay, the users do not need to be re-authenticated. If the users are logged out after the delay expires and the link is then restored, the users must be re-authenticated.

NOTE:
  • This function takes effect only for wired users who go online on Layer 2 physical interfaces that have been configured with NAC authentication.

  • To make the function take effect, it is recommended that the configured interval be greater than the time during which the interface is in Up state.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  3. Run link-down offline delay { delay-value | unlimited }

    The user logout delay is configured when an interface link is faulty.

    The default user logout delay is 10 seconds when an interface link is faulty.

    If the delay is 0, users are logged out immediately when the interface link is faulty. If the delay is unlimited, users are not logged out when the interface link is faulty.

(Optional) Reauthenticating Users When the Time Exceeds the Value of Session-Timeout

Context

The RADIUS server uses the Session-Timeout attribute to control the remaining online time of a user, and uses the Termination-Action attribute to determine whether to reauthenticate the user when the timeout interval expires. By default, if the RADIUS server delivers Session-Timeout but no Termination-Action, the device disconnects users when the time exceeds the value of Session-Timeout. To reauthenticate users without modifying the server configuration, configure the device to reauthenticate users when the timeout interval expires, as described below.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  3. Run authentication termination-action reauthenticate

    The device is configured to reauthenticate users when the time exceeds the value of Session-Timeout delivered by the RADIUS server.

    By default, the device is not configured to reauthenticate users when the time exceeds the value of Session-Timeout delivered by the RADIUS server.
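The optional settings in the preceding sections (re-authentication, handshake, authentication domain, link-down delay, and Session-Timeout handling) are small enough that they are best seen together. The block below is an added example, not from the original guide, that puts all of them into one profile: a forcible domain so the domain suffix a user types cannot steer authentication into a different AAA configuration, re-authentication when the RADIUS server recovers, the handshake with a longer interval, a short link-down grace period, and re-authentication instead of disconnection at Session-Timeout. The domain name corp, the profile name p1, the timer values and the prompts are assumptions; timer values are in seconds, matching the defaults stated in those sections. Lines beginning with # are annotations, not commands.

```text
# Added example; domain name, profile name, timer values and prompts are assumptions.
<Huawei> system-view
# Prerequisite: the authentication domain must exist in the AAA view.
[Huawei] aaa
[Huawei-aaa] domain corp
[Huawei-aaa-domain-corp] quit
[Huawei-aaa] quit
[Huawei] authentication-profile name p1
# force: every user of this profile is handled in "corp" regardless of any
# domain suffix in the user name, so one AAA policy governs the interface.
[Huawei-authen-profile-p1] access-domain corp force
# Retry failed users every 120 s instead of the 60 s default.
[Huawei-authen-profile-p1] authentication timer re-authen authen-fail 120
# When the server returns to Up, re-authenticate users that were granted
# fallback rights during the outage instead of leaving them on those rights.
[Huawei-authen-profile-p1] authentication event authen-server-up action re-authen
# Keep the handshake (enabled by default) but probe every 600 s, the value
# recommended above for interfaces carrying many users.
[Huawei-authen-profile-p1] authentication handshake
[Huawei-authen-profile-p1] authentication timer handshake-period 600
# Tolerate a 30 s link flap without forcing users through authentication again.
[Huawei-authen-profile-p1] link-down offline delay 30
# At RADIUS Session-Timeout with no Termination-Action, re-authenticate
# rather than drop the session.
[Huawei-authen-profile-p1] authentication termination-action reauthenticate
[Huawei-authen-profile-p1] quit
[Huawei] display authentication-profile configuration name p1
```

The two settings with the most security weight are access-domain ... force and authen-server-up action re-authen: the first removes a user-controlled input (the domain suffix) from domain selection, and the second closes the window in which users keep server-Down fallback rights after the server is reachable again. A long link-down delay, by contrast, lets a session survive a cable swap, so keep it to a few tens of seconds on ports where that matters.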

Verifying the Authentication Profile Configuration

Context

After configuring an authentication profile, run the following commands to verify the configuration.

Procedure

  • Run the display authentication-profile configuration [ name authentication-profile-name ] command to check the configuration of the authentication profile.
  • Run the display free-rule-template configuration [ name free-rule-name ] command to check the configuration of the authentication-free rule profile.

Adjusting the Matching Order of ACL Rules

Context

By default, for NAC users, packets are matched with ACL rules in descending order by rule ID. That is, a larger rule ID indicates a higher priority of an ACL rule. You can adjust the matching order of ACL rules so that an ACL rule with a smaller rule ID has a higher priority.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run access-user acl-priviledge-revert

    The device is configured to match packets with ACL rules in ascending order by rule ID. That is, a smaller rule ID indicates a higher priority of an ACL rule.

    By default, the device matches packets with ACL rules in descending order by rule ID. That is, a larger rule ID indicates a higher priority of a rule.

    The configuration takes effect only after the device is restarted.

Configuring User Isolation

Context

To block mutual access between users of a group or between users of two groups, configure user isolation.

Procedure

  1. Run the system-view command to enter the system view.
  2. Run the user-group group-name command to create a user group and enter the user group view.
  3. Run the user-isolated { inter-group | inner-group } * command to configure intra-group and inter-group isolation.

    By default, inter-group or intra-group isolation is not configured in a user group.

    After users are authenticated and go online, the RADIUS server dynamically delivers user group information. In this situation, the inter-group or intra-group isolation configuration cannot be modified or deleted.

Updated: 2019-05-20

Document ID: EDOC1100034236