No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


S600-E V200R013C00 Configuration Guide - User Access and Authentication

This document describes the configurations of User Access and Authentication Configuration, including AAA, NAC, and Policy Association.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring External Portal Authentication (Using the HTTPS Protocol)

Example for Configuring External Portal Authentication (Using the HTTPS Protocol)

Networking Requirements

In Figure 2-57, terminals in a company's visitor area are connected to the company's intranet through the switch. Unauthorized access to the internal network can damage the company's service system and cause leakage of key information. Therefore, the administrator requires that the Switch should control users' network access rights to ensure internal network security.

Because visitors move frequently, Portal authentication is configured and the RADIUS server is used to authenticate user identities.

Figure 2-57  Networking diagram for configuring external Portal authentication (using the HTTPS protocol)


  1. Configure AAA.

    # Create and configure the RADIUS server template rd1.

    [Switch] radius-server template rd1
    [Switch-radius-rd1] radius-server authentication 1812
    [Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
    [Switch-radius-rd1] quit

    # Create the AAA authentication scheme abc and set the authentication mode to RADIUS.

    [Switch] aaa
    [Switch-aaa] authentication-scheme abc
    [Switch-aaa-authen-abc] authentication-mode radius
    [Switch-aaa-authen-abc] quit

    # Create the authentication domain, and bind the AAA authentication scheme abc and RADIUS server template rd1 to the domain.

    [Switch-aaa] domain
    [] authentication-scheme abc
    [] radius-server rd1
    [] quit
    [Switch-aaa] quit

    # Check whether a user can pass RADIUS authentication. The test user test and password Huawei2012 have been configured on the RADIUS server.

    [Switch] test-aaa test Huawei2012 radius-template rd1
    Info: Account test succeed.

  2. Configure Portal authentication.

    # Set the NAC mode to unified.

    By default, the unified mode is enabled. After the NAC mode is changed, the device automatically restarts.

    [Switch] authentication unified-mode
    # Enable the Portal interconnection function of the HTTPS protocol.
    [Switch] portal web-authen-server https ssl-policy abcd

    The SSL policy configuration is not mentioned here. For details, see Web System Login Configuration in the S600-E V200R013C00 Configuration Guide - Basic Configuration.

    # Configure the Portal server template abc.
    [Switch] web-auth-server abc
    [Switch-web-auth-server-abc] protocol http password-encrypt uam
    [Switch-web-auth-server-abc] http-method post cmd-key cmd1
    [Switch-web-auth-server-abc] url
    [Switch-web-auth-server-abc] quit

    In this example, only the cmd-key parameter in the http-method post command is configured, and other parameters for parsing POST request packets use the default values. However, the parameter values must be the same as those on the Portal server; otherwise, the device fails to communicate with the Portal server.

    # Configure the Portal access profile web1.
    [Switch] portal-access-profile name web1
    [Switch-portal-acces-profile-web1] web-auth-server abc direct
    [Switch-portal-acces-profile-web1] quit

    # Configure the authentication profile p1, bind the Portal access profile web1 to the authentication profile, specify the domain as the forcible authentication domain in the authentication profile, set the user access mode to multi-authen, and set the maximum number of access users to 100.

    [Switch] authentication-profile name p1
    [Switch-authen-profile-p1] portal-access-profile web1
    [Switch-authen-profile-p1] access-domain force
    [Switch-authen-profile-p1] authentication mode multi-authen max-user 100
    [Switch-authen-profile-p1] quit

    In this example, users use static IP addresses. If users obtain IP addresses using DHCP and the DHCP server is on the upstream network of the switch, configure an authentication-free rule to allow packets from the network segment of the DHCP server to pass through. For details on how to configure an authentication-free rule, see (Optional) Configuring Authorization Information for Authentication-free Users.

    # Bind the authentication profile p1 to GE0/0/1 and enable Portal authentication on the interface.

    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] authentication-profile p1
    [Switch-GigabitEthernet0/0/1] quit

    # (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets. This function does not take effect for users who use Layer 3 Portal authentication.

    [Switch] access-user arp-detect vlan 10 ip-address mac-address 2222-1111-1234

  3. Verify the configuration.

    1. After a user opens the browser and enters any website address, the user will be redirected to the Portal authentication page. The user then can enter the user name and password for authentication.
    2. If the user name and password are correct, an authentication success message is displayed on the Portal authentication page. The user can access the network.
    3. After users go online, you can run the display access-user access-type portal command on the access device to view information about online Portal authentication users.

Updated: 2019-04-20

Document ID: EDOC1100066170

Views: 20812

Downloads: 6

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next