S600-E V200R013C00 Configuration Guide - User Access and Authentication

This document describes the configurations of User Access and Authentication Configuration, including AAA, NAC, and Policy Association.
(Optional) Configuring Authentication Event Authorization Information

Context

If users establish pre-connections with the device or fail to be authenticated, they have no network access rights.

To meet these users' basic network access requirements such as updating the antivirus database and downloading the client, configure authentication event authorization information. The device will assign network access rights to these users based on the authentication phase.

NOTE:

If a user uses Portal authentication or multi-mode authentication that includes Portal authentication, the device cannot authorize a VLAN to the user. After a user is authorized with a VLAN, DHCP must be triggered manually so that the user applies for an IP address in the new VLAN.

If a user uses Portal authentication, the function that allows online users to retain the original network access rights is not supported.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure authorization parameters.

    If users are in the pre-connection phase or fail to be authenticated, or the authentication server is Down, the device can use the VLAN, UCL group, and service scheme to grant network access rights to the users.

    • VLAN

      Configure a VLAN and network resources in the VLAN on the device.

    • UCL group

      1. Run ucl-group group-index [ name group-name ]

        A UCL group is created.

        By default, no UCL group is created.

      2. Configure a user ACL to filter packets based on the UCL group. For details, see Configuring a User ACL in "ACL Configuration" in the S600-E V200R013C00 Configuration Guide - Security.
      3. Apply the user ACL to incoming packets:

        • Run traffic-filter inbound acl { acl-number | name acl-name }

          ACL-based packet filtering is configured.

          By default, ACL-based packet filtering is not configured.

    • Service scheme

      1. Run aaa

        The AAA view is displayed.

      2. Run service-scheme service-scheme-name

        A service scheme is created and the service scheme view is displayed.

        By default, no service scheme is configured on the device.

      3. Configure network access control parameters in the service scheme. The administrator can configure the parameters based on actual network requirements.

        • Run acl-id acl-number

          An ACL is bound to the service scheme.

          By default, no ACL is bound to a service scheme.

          NOTE:

          Before running this command, ensure that an ACL has been created using the acl (system view) or acl name command and ACL rules have been configured using the rule command.

          The priorities of the following access policies are in descending order:

          ACL number delivered by the RADIUS server > ACL number configured on the local device > ACL rule delivered by the RADIUS server through the attribute HW-Data-Filter numbered 26-82 > User group delivered by the RADIUS server > User group configured on the local device > UCL group delivered by the RADIUS server > UCL group configured on the local device

        • Run ucl-group { group-index | name group-name }

          A UCL group is bound to the service scheme.

          By default, no UCL group is bound to a service scheme.

          Before running this command, ensure that a UCL group that identifies the user category has been created and configured.

        • Run user-vlan vlan-id

          A user VLAN is configured in the service scheme.

          By default, no user VLAN is configured in a service scheme.

          Before running this command, ensure that a VLAN has been created using the vlan command.

        • Run voice-vlan

          The voice VLAN function is enabled in the service scheme.

          By default, the voice VLAN function is disabled in a service scheme.

          For this configuration to take effect, ensure that a VLAN has been specified as the voice VLAN using the voice-vlan enable command and the voice VLAN function has been enabled on the interface.

      4. Run quit

        The AAA view is displayed.

      5. Run quit

        The system view is displayed.

  3. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  4. Configure authorization information.

    • Run authentication event pre-authen action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name }

      Network access rights are configured for users who are in the pre-connection phase.

    • Run authentication event authen-fail action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name } [ response-fail ]

      Network access rights are configured for users who fail to be authenticated.

    • Run authentication event authen-server-down action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name } [ response-fail ]

      Network access rights are configured for users when the authentication server is Down.

    • Run authentication event authen-server-down action authorize keep [ no-response | response-fail ]

      Users are configured to retain the original network access rights when the authentication server is Down.

    • Run authentication event authen-server-noreply action authorize keep [ no-response | response-fail ]

      Users are configured to retain the original network access rights when the authentication server does not respond.

    By default, no authentication event authorization information is configured.

    NOTE:

    If no network access right is configured for users who fail authentication or for the case where the authentication server is Down, these users establish pre-connections with the device after the authentication fails and then receive the network access rights assigned to pre-connection users.

    VLAN-based authorization does not apply to the authentication users who access through VLANIF interfaces.

    If authorization upon an authentication server Down event is configured and the device detects that the authentication server is Down, the device grants the corresponding network access rights to users who fail to be authenticated and adds them to the entries of users who fail to be authenticated upon an authentication server Down event. If authorization upon an authentication server Down event is not configured and the device detects that the authentication server is Down, the device grants the corresponding network access rights to users who fail to be authenticated and adds them to the ordinary entries of users who fail to be authenticated.

    The device assigns network access rights based on the priorities of the configured rights in a network status as follows:

    • If the authentication server is Down: network access right upon an authentication server Down event > network access right for users who fail authentication > network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled
    • If users fail authentication: network access right for users who fail authentication > network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled
    • If users are in the pre-connection state: network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled
    • If an 802.1X client does not respond: network access right if an 802.1X client does not respond > network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled

  5. (Optional) Configure the aging time of user entries.

    • Run authentication timer pre-authen-aging aging-time

      The aging time is configured for entries of pre-connection users.

      By default, the aging time is 23 hours for entries of pre-connection users.

    • Run authentication timer authen-fail-aging aging-time

      The aging time is configured for entries of users who fail to be authenticated.

      By default, the aging time is 23 hours for entries of users who fail to be authenticated.

      NOTE:

      You can run the authentication timer authen-fail-aging aging-time command to configure the aging time both for entries of users who fail to be authenticated upon an authentication server Down event and for entries of users who fail to be authenticated.

    • Run authentication timer authorize-keep-aging aging-time

      The aging time is configured for entries of online users who retain the original network access rights.

      By default, the aging time is 0 for entries of online users who retain the original network access rights. That is, these entries are not aged out by default.
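The following is a complete configuration sequence that walks through steps 1 to 5 above. It is an added example, not a configuration taken from the guide, and all names and values in it are assumptions: VLAN 100 as the remediation VLAN, UCL group 1 named fix-group, advanced ACL 3001, service scheme fix-svc, authentication profile dot1x-profile, and 10.1.1.10 as the antivirus update server. The user ACL rule syntax in the ACL 6000 section comes from the separate Security guide referenced in step 2 and is likewise assumed here. Pre-connection users get the service scheme (ACL plus user VLAN), users who fail authentication get only the UCL group, and users already online keep their rights if the server goes Down or stops replying.

```text
# Added example; not from the original guide. All names and addresses are assumed.
<HUAWEI> system-view

# Step 2, VLAN option: create the remediation VLAN that the service scheme will assign.
[HUAWEI] vlan 100
[HUAWEI-vlan100] quit

# Step 2, UCL group option: a group for users who failed authentication, plus a
# user ACL that lets group members reach only the update server (rule syntax per
# "Configuring a User ACL" in the Security guide; assumed here).
[HUAWEI] ucl-group 1 name fix-group
[HUAWEI] acl 6000
[HUAWEI-acl-ucl-6000] rule 5 permit ip source ucl-group name fix-group destination 10.1.1.10 0
[HUAWEI-acl-ucl-6000] rule 10 deny ip source ucl-group name fix-group
[HUAWEI-acl-ucl-6000] quit
[HUAWEI] traffic-filter inbound acl 6000

# Advanced ACL to be bound to the service scheme: update server only, everything
# else denied. Create and populate it before running acl-id (see the NOTE in step 2).
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule 5 permit ip destination 10.1.1.10 0
[HUAWEI-acl-adv-3001] rule 10 deny ip
[HUAWEI-acl-adv-3001] quit

# Step 2, service scheme option: bind the ACL and the user VLAN to one scheme.
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme fix-svc
[HUAWEI-aaa-service-fix-svc] acl-id 3001
[HUAWEI-aaa-service-fix-svc] user-vlan 100
[HUAWEI-aaa-service-fix-svc] quit
[HUAWEI-aaa] quit

# Steps 3 and 4: authentication event authorization in the authentication profile.
[HUAWEI] authentication-profile name dot1x-profile
[HUAWEI-authen-profile-dot1x-profile] authentication event pre-authen action authorize service-scheme fix-svc
[HUAWEI-authen-profile-dot1x-profile] authentication event authen-fail action authorize ucl-group fix-group
[HUAWEI-authen-profile-dot1x-profile] authentication event authen-server-down action authorize keep
[HUAWEI-authen-profile-dot1x-profile] authentication event authen-server-noreply action authorize keep

# Step 5: shorten the entry aging so stale remediation entries are dropped sooner than
# the 23-hour default (value in seconds is assumed; check the command reference).
[HUAWEI-authen-profile-dot1x-profile] authentication timer pre-authen-aging 3600
[HUAWEI-authen-profile-dot1x-profile] authentication timer authen-fail-aging 3600
[HUAWEI-authen-profile-dot1x-profile] quit
```

Two points follow from the notes above. Because user-vlan 100 is assigned through the service scheme, a pre-connection user lands in VLAN 100 but keeps its old IP address until DHCP is triggered again, and the assignment does not apply at all to users accessing through a VLANIF interface or through Portal. Because the authen-server-down action is keep rather than a VLAN or scheme, a user who is already online loses nothing while the RADIUS server is unreachable, whereas a new user who fails in that state falls through the priority list to the authen-fail right, that is, the fix-group UCL group.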

Updated: 2019-04-20

Document ID: EDOC1100066170