S600-E V200R013C00 Configuration Guide - User Access and Authentication

This document describes how to configure user access and authentication, including AAA, NAC, and Policy Association.
(Optional) Configuring a Service Scheme

Context

Users must obtain authorization information before going online. You can configure a service scheme to manage authorization information about users.

NOTE:

When the device is switched to the NAC common mode, only the administrator level, number of users who can access the network using the same user name, and redirection ACL can be configured in the service scheme.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run service-scheme service-scheme-name

    A service scheme is created and the service scheme view is displayed.

    By default, no service scheme is configured on the device.

  4. Run admin-user privilege level level

    The user is configured as the administrator and the administrator level for login is specified.

    The value range of level is from 0 to 15. By default, the user level is not specified.

  5. Configure server information.

    • Configure the IP address of the primary DNS server: dns ip-address

      By default, no primary DNS server is configured in a service scheme.

    • Configure the IP address of the secondary DNS server: dns ip-address secondary

      By default, no secondary DNS server is configured in a service scheme.

  6. Run redirect-acl { acl-number | name acl-name }

    The ACL used for redirection is configured in the service scheme.

    By default, no ACL used for redirection is configured in a service scheme.

  7. Run idle-cut idle-time flow-value [ inbound | outbound ]

    The idle-cut function is enabled for domain users and the idle-cut parameters are set.

    By default, the idle-cut function is disabled for domain users.

    NOTE:

    The idle-cut command in the service scheme view enables the idle-cut function only for common users (wireless users). To apply idle-cut to administrators, run the local-user idle-timeout command in the AAA view when local authentication is used, or use RADIUS attribute 28 (Idle-Timeout) when RADIUS authentication is used.

  8. Run access-limit user-name max-num number

    The maximum number of users who are allowed to access the network using the same user name is configured.

    By default, the number of users who are allowed to access the network using the same user name is not limited, and is determined by the maximum number of access users supported by the device.

    NOTE:

    The limit on the number of access users with the same user name applies only to users who are successfully authenticated; it does not apply to pre-connection users.

  9. Configure network access control parameters in the service scheme.

    • Run acl-id acl-number

      An ACL is bound to the service scheme.

      By default, no ACL is bound to a service scheme.

      NOTE:

      Before running this command, ensure that an ACL has been created using the acl (system view) or acl name command and ACL rules have been configured using the rule command.

      The priorities of the following access policies are in descending order:

      ACL number delivered by the RADIUS server > ACL number configured on the local device > ACL rule delivered by the RADIUS server through the attribute HW-Data-Filter numbered 26-82 > User group delivered by the RADIUS server > User group configured on the local device > UCL group delivered by the RADIUS server > UCL group configured on the local device

    • Run ucl-group { group-index | name group-name }

      A UCL group is bound to the service scheme.

      By default, no UCL group is bound to a service scheme.

      Before running this command, ensure that a UCL group that identifies the user category has been created and configured.

    • Run user-vlan vlan-id

      A user VLAN is configured in the service scheme.

      By default, no user VLAN is configured in a service scheme.

      Before running this command, ensure that a VLAN has been created using the vlan command.

    • Run voice-vlan

      The voice VLAN function is enabled in the service scheme.

      By default, the voice VLAN function is disabled in a service scheme.

      For this configuration to take effect, ensure that a VLAN has been specified as the voice VLAN using the voice-vlan enable command and the voice VLAN function has been enabled on the interface.
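
A reviewer's check of the procedure above, as an added example that is not part of the original guide: it reads service scheme blocks from configuration text and lists the settings left at the defaults described in steps 4 and 7 to 9. The sample configuration, the finding names, the REVIEW_LEVEL threshold and the assumption that commands under a scheme are indented deeper than the service-scheme line are all constructed for illustration.

```python
import re

REVIEW_LEVEL = 3  # example policy threshold for this audit, not a device default
# Constructed sample: two service schemes using the commands from the procedure
# (scheme names, addresses and ACL numbers are made up).
SAMPLE_CONFIG = """\
aaa
 service-scheme staff
  dns 192.0.2.53
  dns 192.0.2.54 secondary
  idle-cut 30 10 inbound
  access-limit user-name max-num 2
  acl-id 3001
 service-scheme helpdesk
  admin-user privilege level 15
  redirect-acl 3002
"""

def parse_service_schemes(text):
    """Return {scheme name: [commands]}; a block ends at a line indented no deeper than its header."""
    schemes, current, depth = {}, None, 0
    for line in filter(str.strip, text.splitlines()):
        indent = len(line) - len(line.lstrip())
        m = re.match(r"service-scheme\s+(\S+)$", line.strip())
        if m:
            current, depth = schemes.setdefault(m.group(1), []), indent
        elif current is not None and indent > depth:
            current.append(line.strip())
        else:
            current = None  # left the service scheme view
    return schemes

def audit_scheme(commands):
    """List the settings a reviewer should look at in one service scheme."""
    findings = []
    for cmd in commands:
        m = re.match(r"admin-user privilege level (\d+)$", cmd)
        if m and int(m.group(1)) >= REVIEW_LEVEL:
            findings.append(f"admin-level-{m.group(1)}")
            # Step 7 NOTE: idle-cut in this view does not cover administrators.
            findings.append("admin-idle-timeout-set-elsewhere")
    if not any(c.startswith("idle-cut ") for c in commands):
        findings.append("idle-cut-disabled")
    if not any(c.startswith("access-limit user-name max-num ") for c in commands):
        findings.append("same-name-logins-unlimited")
    if not any(c.startswith(("acl-id ", "ucl-group ", "user-vlan ")) for c in commands):
        findings.append("no-acl-ucl-or-vlan-bound")
    return findings

def audit_config(text):
    return {name: audit_scheme(cmds) for name, cmds in parse_service_schemes(text).items()}
```

Calling audit_config(SAMPLE_CONFIG) returns an empty list for the staff scheme and five findings for the helpdesk scheme.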

Updated: 2019-04-20

Document ID: EDOC1100066170