S600-E V200R013C00 Configuration Guide - User Access and Authentication

This document describes the configurations of User Access and Authentication Configuration, including AAA, NAC, and Policy Association.
Configuring Authorization Rules

Context

Table 1-33 describes authorization parameters that can be set locally during local authorization configuration.

Table 1-33  Local authorization parameters

| Authorization Parameter | Usage Scenario | Description |
|---|---|---|
| VLAN | VLAN-based authorization is easy to deploy and maintenance costs are low. It applies to scenarios where employees in an office or a department have the same access rights. | In local authorization, you only need to configure VLANs and the corresponding network resources on the device. An authorized VLAN cannot be delivered to online Portal users. After a user is authorized based on a VLAN, the user needs to manually trigger an IP address request using DHCP. |
| Service scheme | A service scheme and the corresponding network resources need to be configured on the device. | In local authorization, you only need to configure a service scheme and the corresponding network resources on the device. A service scheme can be applied to a domain, and users in the domain can then obtain the authorization information in the service scheme. |
| User group (common mode) | A user group consists of users (terminals) with the same attributes, such as role and rights. For example, according to the enterprise department structure, you can divide users on a campus network into different groups, such as an R&D group, finance group, marketing group, and guest group, and apply different security policies to these groups. | In local authorization, you only need to configure user groups and the corresponding network resources on the device. A user group can be applied to a domain, and users in the domain can then obtain the authorization information in the user group. For details on how to configure a user group, see Configure an authorization user group. |
| UCL group (unified mode) | A UCL group identifies a user type. The administrator can add users that share the same network access policy to the same UCL group, and configure the network access policy for the group. | In local authorization, you only need to configure UCL groups and the corresponding network resources on the device. A UCL group can be applied to a domain, and users in the domain can then obtain the authorization information in the UCL group. For details on how to configure a UCL group, see Configure an authorization UCL group. |

Procedure

  • Configure an authorization VLAN.

    Configure a VLAN and the network resources in the VLAN on the device.

  • Configure a service scheme.

    For details on how to configure a service scheme, see (Optional) Configuring a Service Scheme.

  • Configure an authorization user group.

    | Step | Command | Description |
    |---|---|---|
    | Enter the system view. | system-view | - |
    | Create a user group and enter the user group view. | user-group group-name | When using a user group in a hot standby scenario or a dual-link backup scenario, specify the user group index, and ensure that the user group name and index specified on the active device are the same as those specified on the standby device. |
    | Bind an ACL to the user group. | acl-id acl-number | By default, no ACL is bound to a user group. NOTE: Before running this command, ensure that the ACL has been created using the acl (system view) or acl name command and that ACL rules have been configured using the rule command. |
    | Bind a VLAN to the user group. | user-vlan vlan-id | By default, no VLAN is specified for a user group. |
    | Return to the system view. | quit | - |
    | Enable the user group function. | user-group group-name enable | The settings for a user group take effect only when the user group function is enabled. By default, the user group function is disabled. |

  • Configure an authorization UCL group.

    | Step | Command | Description |
    |---|---|---|
    | Enter the system view. | system-view | - |
    | Create a UCL group. | ucl-group group-index [ name group-name ] | By default, no UCL group is created. |
    | Configure a user ACL. | - | For details, see Configuring a User ACL of "ACL Configuration" in the S600-E V200R013C00 Configuration Guide - Security. The ACL filters packets based on the UCL group. |
    | Configure ACL-based packet filtering. | traffic-filter inbound acl acl-number | By default, ACL-based packet filtering is not configured. |
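As an added example that is not part of this guide, the following session walks through both procedures above on one device: an advanced ACL bound to a user group (common mode), then a UCL group filtered by a user ACL (unified mode). The ACL numbers 3001 and 6000, the group names rd and guest, VLAN 100, the 10.10.0.0/16 server range, the user ACL rule syntax with source ucl-group, and the view prompts are assumed values, not taken from the page.

```text
<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule 5 permit ip destination 10.10.0.0 0.0.255.255
[HUAWEI-acl-adv-3001] rule 10 deny ip
[HUAWEI-acl-adv-3001] quit
[HUAWEI] user-group rd
[HUAWEI-user-group-rd] acl-id 3001
[HUAWEI-user-group-rd] user-vlan 100
[HUAWEI-user-group-rd] quit
[HUAWEI] user-group rd enable
[HUAWEI] ucl-group 10 name guest
[HUAWEI] acl 6000
[HUAWEI-acl-ucl-6000] rule 5 deny ip source ucl-group 10 destination 10.10.0.0 0.0.255.255
[HUAWEI-acl-ucl-6000] rule 10 permit ip source ucl-group 10
[HUAWEI-acl-ucl-6000] quit
[HUAWEI] traffic-filter inbound acl 6000
```

ACL 3001 is created and populated before acl-id references it, and the user group rd has no effect until user-group rd enable is run; both the user group and the UCL group still have to be applied to a domain, as Table 1-33 describes, before users obtain the authorization.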

Updated: 2019-04-20

Document ID: EDOC1100066170