AAA

1. Choose Configuration > Security Services > AAA and click the Authentication Profile tab, as shown in Figure 5-157.
   Figure 5-157 Authentication Profile
   
   

2. Click Create. The Create Authentication Profile page is displayed, as shown in Figure 5-158.
   Figure 5-158 Create Authentication Profile
   
   

3. Fill in the profile name.
4. Click OK. The parameter setting page of the new authentication profile is displayed, as shown in Figure 5-159.
   Figure 5-159 Authentication Profile
   
   
   Table 5-85 describes the parameters on the page.

   Table 5-85 Parameters for creating an authentication profile

   Parameter	Description
   Prevent new auth info from overwriting previous one	Whether the newly delivered authentication information overwrites all the original authentication information.
   Security string delimiter	Security character string separator.

5. Set parameters for authentication profile.
6. Click Apply. In the dialog box that is displayed, click OK.

1. Choose Configuration > Security Services > AAA and click the Authentication Profile tab.
2. Click the name of the authentication profile you want to modify on the Authentication Profile List page to open the authentication profile configuration page.
3. Set parameters for modifying the authentication profile. Table 5-85 describes the parameters for modifying an authentication profile.
4. Click Apply. In the dialog box that is displayed, click OK.

1. Choose Configuration > Security Services > AAA and click the Authentication Profile tab.
2. Select the name of the profile you want to delete on the Authentication Profile List page and click Delete. The system asks you whether to delete the record.
   • To select a record, click the checkbox of the record.
   • To delete records in batches, click the checkboxes of records.

3. Click OK.

1. Choose Configuration > Security Services > AAA and click the Authentication Profile tab.
2. Select the profile of which you want to display the reference relationship and click Display Reference Relationship. The system displays the types and names of the objects that reference the profile.

   Click Hide Reference Relationship. The system hides the displayed results.

The following profiles can be referenced in the authentication profile: 802.1X profile, Portal profile, MAC access profile, authentication-free rule profile, and domain profile.

1. Choose Configuration > Security Services > AAA and click the Authentication Profile tab.
2. Click on the left of Authentication Profile List. The system displays the authentication profile names. Click on the left of an authentication profile name. The profiles referenced by this profile are displayed in the navigation area.
3. Click any profile referenced by the authentication profile. The configuration page of the referenced profile is displayed on the right. You can select another profile from the drop-down list or click Create to create a profile, and set the profile parameters. For descriptions of the profile parameters, see its configuration page.
4. Click Apply. In the dialog box that is displayed, click OK.

• Create an authentication scheme.
  1. Choose Configuration > Security Services > AAA and click the Authentication/Authorization/Accounting Scheme tab, as shown in Figure 5-160.
     Figure 5-160 Authentication/Authorization/Accounting scheme
     
     
  2. Click Create in Authentication Scheme List to open the Create Authentication Scheme page, as shown in Figure 5-161.
     Figure 5-161 Create Authentication Scheme
     
     
     Table 5-86 describes the parameters on the page.

     Table 5-86 Parameters on the Create Authentication Scheme page

     Item	Description
     Authentication scheme name	Specifies the name of an authentication scheme.
     First authentication	The value can be RADIUS, HWTACACS, Local, or Non-authentication.
     Second authentication	The value can be a mode except the first authentication mode. When the authentication server of the first authentication mode does not respond, the second authentication mode is triggered. When the first authentication mode is no authentication, the second authentication mode cannot be configured.
     Third authentication	The value can be a mode except the first and second authentication modes. When the authentication servers of the first and second authentication modes do not respond, the third authentication mode is triggered. When the second authentication mode is no authentication or not configured, the third authentication mode cannot be configured.
     Fourth authentication	The value can be no authentication or not configured. When the authentication servers of the first, second, and third authentication modes do not respond, the fourth authentication mode is triggered. When the third authentication mode is no authentication or not configured, the fourth authentication mode cannot be configured.
     After authentication is switched to local	Specifies whether to configure the device to send accounting packets after an accounting server is configured but local authentication is triggered because the authentication server does not respond. Typically, a server functions as both the remote accounting server and the authentication server. If the authentication server does not respond, the accounting server also does not respond. When accounting and authentication + local authentication are configured on a device, a user is authenticated using the local authentication mode after the server does not respond to the user's authentication request. Because the accounting server also does not respond, after the user is authenticated using the local authentication mode, the device still sends accounting packets. As a result, the user goes offline because of accounting-start failures. To prevent this issue, the device does not send accounting packets by default when a user is authenticated using the local authentication mode after the server does not respond to the user's authentication request. This configuration item is supported only when local authentication mode is available.

     If non-authentication is configured, a user passes the authentication using any user name or password. Therefore, to protect the device or network security, you are advised to enable authentication, allowing only the authenticated users to access the device or network.

  3. Set parameters for the authentication scheme.
  4. Click OK.
• Modify the authentication scheme.
  1. Choose Configuration > Security Services > AAA and click the Authentication/Authorization/Accounting Scheme tab.
  2. Click the authentication scheme that you want to modify in Authentication Scheme List.
  3. Set parameters for the authentication scheme. Table 5-86 describes the parameters on the page.
  4. Click OK.

• Create an authorization scheme.
  1. Choose Configuration > Security Services > AAA and click the Authentication/Authorization/Accounting Scheme tab.
  2. Click Create in Authorization Scheme List to open the Create Authorization Scheme page, as shown in Figure 5-162.
     Figure 5-162 Create Authorization Scheme
     
     
     Table 5-87 describes the parameters on the page.

     Table 5-87 Parameters on the Create Authorization Scheme page

     Item	Description
     Authorization scheme name	Specifies the name of an authorization scheme.
     First authorization	The value can be HWTACACS, If-authenticated, Local, or Non-authorization.
     Second authorization	The value can be a mode except the first authorization mode. When the authorization server of the first authorization mode does not respond, the second authorization mode is triggered. When the first authorization mode is no authorization, the second authorization mode cannot be configured.
     Third authorization	The value can be a mode except the first and second authorization modes. When the authorization servers of the first and second authorization modes do not respond, the third authorization mode is triggered. When the second authorization mode is no authorization or not configured, the third authorization mode cannot be configured.
     Fourth authorization	The value can be no authorization or not configured. When the authorization servers of the first, second, and third authorization modes do not respond, the fourth authorization mode is triggered. When the third authorization mode is no authorization or not configured, the fourth authorization mode cannot be configured.

  3. Set parameters for the authorization scheme.
  4. Click OK.
• Modify the authorization scheme.
  1. Choose Configuration > Security Services > AAA and click the Authentication/Authorization/Accounting Scheme tab.
  2. Click the authorization scheme that you want to modify in Authorization Scheme List.
  3. Modify parameters for the authorization scheme. Table 5-87 describes the parameters on the page.
  4. Click OK.

• Create an accounting scheme.
  1. Choose Configuration > Security Services > AAA and click the Authentication/Authorization/Accounting Scheme tab.
  2. Click Create in Accounting Scheme List to open the Create Accounting Scheme page, as shown in Figure 5-163.
     Figure 5-163 Create Accounting Scheme
     
     
     Table 5-88 describes the parameters on the page.

     Table 5-88 Parameters on the Create Accounting Scheme page

     Item	Description
     Accounting scheme name	Specifies the name of an accounting scheme.
     Accounting mode	Indicates the accounting mode. Non-accounting RADIUS accounting HWTACACS accounting

  3. Set parameters for the accounting scheme.
  4. Click OK.
• Modify the accounting scheme.
  1. Choose Configuration > Security Services > AAA and click the Authentication/Authorization/Accounting Scheme tab.
  2. Click the accounting scheme that you want to modify in Accounting Scheme List.
  3. Modify parameters for the accounting scheme. Table 5-88 describes the parameters on the page.
  4. Click OK.

1. Choose Configuration > Security Services > AAA and click the Service Scheme tab, as shown in Figure 5-164.
   Figure 5-164 Service Scheme
   
   

2. Click Create to open the Create Service Scheme page, as shown in Figure 5-165.
   Figure 5-165 Create Service Scheme
   
   
   Table 5-89 describes the parameters on the page.

   Table 5-89 Service Scheme Creation

   Parameter	Description
   Server scheme name	Indicates the name of the service scheme.
   Administrator priority	Indicates the administrator level.
   Primary DNS server	Indicates the IP address of the primary DNS server.
   Secondary DNS server	Indicates the IP address of the secondary DNS server.
   User VLAN	Specifies the user VLAN.
   UCL group	Select a UCL group to be bound.
   QoS profile	Indicates the QoS profile. Select the following operations: To select a QoS profile, click . To set parameters for the QoS profile, click . After the configuration is complete, click OK. To modify a QoS profile, click . To delete a QoS profile, click .
   Idle user disconnection	Specifies the action taken on a user when the user does not perform any operation within a period of time. Based on uplink traffic: indicates that the action takes effect for only upstream traffic of the user. Based on downlink traffic: indicates that the action takes effect for only downstream traffic of the user. Based on uplink and downlink traffic: indicates that the action takes effect for both upstream and downstream traffic of the user. Close: indicates that the idle-cut function is disabled.

3. Set parameters for the service scheme profile.
4. Click OK.

1. Choose Configuration > Security Services > AAA and click the Service Scheme tab.
2. Click the service scheme profile that you want to modify. The settings of the service scheme profile are displayed.
3. Set parameters for the service scheme profile. Table 5-89 describes the parameters for modifying a service scheme profile.
4. Click OK.

1. Choose Configuration > Security Services > AAA and click the Service Scheme tab.
2. Select the profile that you want to delete and click Delete. The system asks you whether to delete the record.
   • To select a record, click the checkbox of the record.
   • To delete records in batches, click the checkboxes of records.

3. Click OK.

1. Choose Configuration > Security Services > AAA > Portal Server Global Configuration and click the External Portal tab, as shown in Figure 5-166.
   Figure 5-166 External Portal
   
   

   Table 5-90 describes the parameters on the page.

   Table 5-90 Global settings for the external Portal server

   Parameter	Description
   Maximum number of STAs	Maximum number of Portal authentication users allowed on the device. The value is in the range from 1 to 10000.
   Huawei Portal protocol
   Portal protocol version	Portal protocol version supported by the device. NOTE: The version V2.0 is widely used currently. To ensure smooth communication, use the default setting (V1 and V2) so that the device uses both versions.
   Port number for listening to Portal packets	Port number used by the device to listen to Portal protocol packets. The value is in the range from 1024 to 55535.
   HTTP protocol The following parameters are available only when HTTP protocol is selected.
   HTTP interoperation mode	HTTP or HTTPS protocol for Portal authentication.
   SSL policy	Name of an SSL policy. This parameter can be configured only when HTTP interoperation mode is set to HTTPS-based.
   Port number for listening to HTTP packets	Port number used by the device to listen to HTTP protocol packets. The value is in the range from 1025 to 65535.

2. Click Apply. In the dialog box that is displayed, click OK.

1. Choose Configuration > Security Services > AAA > Portal Server Global Configuration and click the External Portal tab.
2. Click Create under Portal Authentication Server List. The Create Authentication Server page is displayed, as shown in Figure 5-167.
   Figure 5-167 Create Authentication Server
   
   
   Table 5-91 describes the parameters on the page.

   Table 5-91 Parameters for creating a Portal authentication server

   Parameter	Description
   Server name	Portal server name to identify a Portal server.
   Server IP	IP address for the Portal server.
   Shared key	Shared key that the device uses to exchange information with the Portal server.
   Packet port number	Port number that the device uses to listen on Portal protocol packets.
   URL	URL of the Portal server.
   URL Option Settings
   LSW IP address keyword/LSW IP address	IP address of the device carried in the URL, name of the parameter displayed in the URL, and redirection parameter value.
   LSW MAC address keyword	MAC address of the device carried in the URL and the name of the parameter displayed in the URL.
   User MAC address keyword	Access user's MAC address carried in the URL and the name of the parameter displayed in the URL.
   User IP address keyword	Access user's IP address carried in the URL and the name of the parameter displayed in the URL.
   User access URL keyword	Original access URL carried in the URL and the name of the parameter displayed in the URL.
   AP IP address keyword	AP IP address carried in the URL and the name of the parameter displayed in the URL.
   AP MAC address keyword	AP MAC address carried in the URL and the name of the parameter displayed in the URL.
   SSID keyword	SSID with which a user is associated in the URL and the name of the parameter displayed in the URL.
   System name keyword	System name of the access device carried in the URL and the name of the parameter displayed in the URL.
   Login URL keyword/Login URL	Login URL keyword and login URL.
   MAC address format	No separator Normal: sets the MAC address format to XXXX-XXXX-XXXX. You can specify a character as the delimiter. Compact: sets the MAC address format to XX-XX-XX-XX-XX-XX. You can specify a character as the delimiter.
   Separator	Separator, which contains one character.
   Encrypted parameter name	Name of an encrypted parameter in the URL.
   Encryption vector name	Name of an encryption vector.
   Encryption key	Encryption key.
   Server Detection Configuration
   Portal server detection	Whether to enable the Portal server detection function.
   Detection interval	Portal server detection interval.
   Maximum number of detection failures	Maximum number of Portal server detection failures.
   Minimum number of Portal servers in up state	Minimum number of Portal servers in Up state.
   Action after the number of detection failures exceeds the maximum	Action taken when the maximum number of detection failures on the Portal server is exceeded.
   Parameter Parsing Configuration
   Protocol type	Protocol type.
   Password encryption mode	Password encryption mode.
   User name keyword	User name keyword.
   Password keyword	Password keyword.
   Original URL keyword	Original URL keyword.
   Login success response	Login success response mode.
   Login failure response	Login failure response mode.
   Command keyword	Command keyword.
   String identifying the user login command	String for identifying the user login command.
   String identifying the user logout command	String for identifying the user logout command.
   User MAC address keyword	User MAC address keyword.
   User IP address keyword	User IP address keyword.
   Logout success response	Logout success response mode.
   Logout failure response	Logout failure response mode.

3. Set parameters for authentication server.
4. Click OK.

1. Choose Configuration > Security Services > AAA > Portal Server Global Configuration and click the External Portal tab.
2. Click the name of the authentication server that you want to modify. The authentication server modification page is displayed.
3. Modify parameters for authentication server. Table 5-91 describes the parameters for modifying an authentication server.
4. Click OK.

1. Choose Configuration > Security Services > AAA > Portal Server Global Configuration and click the External Portal tab.
2. Select the authentication server name and click Delete. The system asks you whether to delete the record.
3. Click OK.

• Create a RADIUS server profile.
  1. Choose Configuration > Security Services > AAA and click the RADIUS tab, as shown in Figure 5-168.
     Figure 5-168 RADIUS configuration
     
     
  2. Click Create in RADIUS Server Profile to open the Create RADIUS Server Profile page, as shown in Figure 5-169.
     Figure 5-169 Create RADIUS Server Profile page
     
     
     Table 5-92 describes the parameters on the page.

     Table 5-92 Parameters for creating a RADIUS server profile

     Parameter	Description
     Profile name	Name of a RADIUS server profile.
     STA HT Mode	Active/Standby mode: When multiple RADIUS authentication or accounting servers are configured, the server with the highest weight becomes the active server, and the other servers are backup servers. Among the backup servers, the servers with a higher weight have a higher priority. Load balancing mode: When multiple RADIUS authentication or accounting servers are configured, user authentication or accounting requests are sent to the servers based on the weight proportion of each server.
     NAS IP address	NAS-IP-Address attribute of RADIUS packets sent by the device.
     Profile default shared key	RADIUS shared key.
     NAS Identifier mode	Encapsulation format of the NAS-Identifier attribute. Device Host Name: Sets the encapsulation format of NAS-Identifier to a user's host name. User VLAN ID: Sets the encapsulation format of NAS-Identifier to a user's VLAN ID. AP MAC: Sets the encapsulation format of NAS-Identifier to the AP's MAC address.
     User name format in packets	User name format in packets sent from the device to the RADIUS server. Original user name: The device does not modify the user name entered by the user in the packets sent to the RADIUS server. With domain name: The device encapsulates the domain name in the user name when sending RADIUS packets to the RADIUS server. Without domain name: The device does not encapsulate the domain name in the user name when sending RADIUS packets to the RADIUS server.
     MAC address format in Calling-Station-Id	Encapsulation format of the MAC address in the Calling-Station-ID attribute of RADIUS packets.
     Called-Station-ID format	Content encapsulated in the Called-Station-ID attribute of RADIUS packets.
     Separator	Separator before the SSID encapsulated in the Called-Station-ID attribute. This parameter is supported only when Containing the SSID is selected.
     MAC address format in Called-Station-Id	Encapsulation format of the MAC address in the Called-Station-ID attribute of RADIUS packets. This parameter is supported only when Called-Station-ID format is set to AP MAC or AC MAC.

  3. On the Create RADIUS Server Profile page, click Create Server. The Create Server Configuration page is displayed, as shown in Figure 5-170.
     Figure 5-170 Create Server Configuration page
     
     
     Table 5-93 describes the parameters on the page.

     Table 5-93 Parameters for creating a server

     Parameter	Description
     IP address	IP address of a RADIUS server.
     Shared key	Shared key of the RADIUS server.
     Server Settings The following parameters are valid only when Authentication is selected.
     Port number	Port number of the authentication server.
     Weight	Weight of the authentication server.
     Source address of outgoing packets	Source IP address of the RADIUS authentication server.
     Server Settings The following parameters are valid only when Accounting is selected.
     Port number	Port number of the accounting server.
     Weight	Weight of the accounting server.
     Source address of outgoing packets	Source IP address of the accounting server.

  4. Set parameters for the RADIUS server.
  5. Click OK.
• Modify a RADIUS server profile.
  1. Choose Configuration > Security Services > AAA and click the RADIUS tab.
  2. Select a RADIUS server profile in RADIUS Server Profile to open the RADIUS server profile modification page.
  3. Modify the parameters of the RADIUS server profile. Table 5-92 describes the parameters for modifying a spectrum profile.
  4. Click OK.

• Create an authorization server.
  1. Choose Configuration > Security Services > AAA and click the RADIUS tab.
  2. Click Create in Authorization Server to open the Create Authorization Server page, as shown in Figure 5-171.
     Figure 5-171 Create Authorization Server page
     
     
     Table 5-94 describes the parameters on the page.

     Table 5-94 Parameters for creating an authorization server

     Parameter	Description
     Authorization server IP address	IP address of an authorization server.
     Profile name	Name of the created RADIUS server profile.
     Key	Shared key of the RADIUS authorization server.

  3. Set parameters for authorization server.
  4. Click OK.
• Modify an authorization server.
  1. Choose Configuration > Security Services > AAA and click the RADIUS tab.
  2. Select the authentication server in Authorization Server.
  3. Modify parameters for authorization server. Table 5-94 describes the parameters for modifying an authorization server.
  4. Click OK.

1. Choose Configuration > Security Services > AAA and click the HWTACACS tab, as shown in Figure 5-172.
   Figure 5-172 HWTACACS configuration
   

2. Set the HWTACACS function status to ON or OFF.
3. Click Apply. In the dialog box that is displayed, click OK.

• Create an HWTACACS server profile.
  1. Choose Configuration > Security Services > AAA and click the HWTACACS tab.
  2. Click Create in HWTACACS Server Profile to open the Create HWTACACS server profile page, as shown in Figure 5-173.
     Figure 5-173 Create HWTACACS server profile page
     
     
     Table 5-95 describes the parameters on the page.

     Table 5-95 Parameters for creating an HWTACACS server profile

     Parameter	Description
     Profile name	Name of an HWTACACS server profile.
     Key	Shared key for the HWTACACS server.
     User name	User name format in packets sent from the device to the HWTACACS server. Original user name: The device does not modify the user name entered by the user in the packets sent to the HWTACACS server. With domain name: The device encapsulates the domain name in the user name when sending RADIUS packets to the HWTACACS server. Without domain name: The device does not encapsulate the domain name in the user name when sending RADIUS packets to the HWTACACS server.
     Source address of outgoing packets	Source IP address used by a device to communicate with an HWTACACS server.

  3. Set parameters for the HWTACACS server.
  4. Click OK.
• Modify an HWTACACS server profile.
  1. Choose Configuration > Security Services > AAA and click the HWTACACS tab.
  2. Select an HWTACACS server profile in HWTACACS Server Profile to open the HWTACACS server profile modification page.
  3. Modify parameters for the HWTACACS server. Table 5-95 describes the parameters for modifying an HWTACACS server profile.
  4. Click OK.

• Create an Authentication/Accounting server.
  1. Choose Configuration > Security Services > AAA and click the HWTACACS tab.
  2. Click Create in Authentication/Authorization/Accounting Server to open the Create Authentication/Authorization/Accounting Server page, as shown in Figure 5-174.
     Figure 5-174 Create Authentication/Authorization/Accounting Server page
     
     Table 5-96 describes the parameters on the page.

     Table 5-96 Parameters for creating an Authentication/Authorization/Accounting server

     Parameter	Description
     Profile name	Name of an HWTACACS server profile.
     Server type	Server type, which can be an authentication, authorization, or accounting server.
     Primary Server Configuration
     Primary server IPv4 address	IPv4 address of the primary server.
     Primary server IPv4 port number	IPv4 port number of the primary server.
     IPV4 VPN instance name	IPV4 VPN instance of the primary server. Click , create and select a VPN instance.
     Primary server IPv6 address	IPv6 address of the primary server.
     Primary server IPv6 port number	IPv6 port number of the primary server.
     IPV6 VPN instance name	IPV6 VPN instance of the primary server. Click , create and select a VPN instance.
     Secondary Server Configuration
     Secondary server IPv4 address	IPv4 address of the secondary server.
     Secondary server IPv4 port number	IPv4 port number of the secondary server.
     IPV4 VPN instance name	IPV4 VPN instance of the secondary server. Click , create and select a VPN instance.
     Secondary server IPv6 address	IPv6 address of the secondary server.
     Secondary server IPv6 port number	IPv6 port number of the secondary server.
     IPV6 VPN instance name	IPV6 VPN instance of the secondary server. Click , create and select a VPN instance.
     Third Server Configuration
     Third server IPv4 address	IPv4 address of the third server.
     Third server IPv4 port number	IPv4 port number of the third server.
     IPV4 VPN instance name	IPV4 VPN instance of the third server. Click , create and select a VPN instance.
     Third server IPv6 address	IPv6 address of the third server.
     Third server IPv6 port number	IPv6 port number of the third server.
     IPV6 VPN instance name	IPV6 VPN instance of the third server. Click , create and select a VPN instance.
     Fourth Server Configuration
     Fourth server IPv4 address	IPv4 address of the fourth server.
     Fourth server IPv4 port number	IPv4 port number of the fourth server.
     IPV4 VPN instance name	IPV4 VPN instance of the fourth server. Click , create and select a VPN instance.
     Fourth server IPv6 address	IPv6 address of the fourth server.
     Fourth server IPv6 port number	IPv6 port number of the fourth server.
     IPV6 VPN instance name	IPV6 VPN instance of the fourth server. Click , create and select a VPN instance.

  3. Set parameters for the Authentication/Authorization/Accounting server.
  4. Click OK.
• Modify an Authentication/Authorization/Accounting server.
  1. Choose Configuration > Security Services > AAA and click the HWTACACS tab.
  2. Click the profile to modify in Authentication/Authorization/Accounting Server. The page for modifying an Authentication/Authorization/Accounting server is displayed.
  3. Modify parameters of the Authentication/Authorization/Accounting server. For description of the parameters, see Table 5-96.
  4. Click OK.

1. Choose Configuration > Security Services > AAA and click the Local User tab, as shown in Figure 5-175.
   Figure 5-175 Local user
   
   

2. Click Create to open the Create User page, as shown in Figure 5-176.
   Figure 5-176 Create User page
   
   
   Table 5-97 describes the parameters on the page.

   Table 5-97 Parameters for creating a user

   Parameter	Description
   User name	Local user name.
   Password	User password.
   Expiration time	Password validity period.
   User type	User type. Users at different levels have different access rights.
   User status	State of a local user. Activate: The device accepts and processes the authentication request from the user. Block: The device rejects the authentication request from the user. NOTE: If a user has established a connection with the device, when the user is set in blocking state, the connection still takes effect but the device rejects subsequent authentication requests from the user.
   Access mode	Access type. After you specify the access type of a user, only the users of the specified access type can log in.

3. Set parameters for the local user.
4. Click OK.

1. Choose Configuration > Security Services > AAA and click the Local User tab.
2. Click the name of the user that you want to modify.
3. Set parameters for modifying the user. Indicates whether a user is forcibly disconnected from the network. Table 5-97 describes the parameters for modifying a local user.
4. Click OK.

1. Choose Configuration > Security Services > AAA and click the Local User tab.
2. Select a record that you want to delete and click Delete. The system asks you whether to delete the record.
   • To select a record, click the checkbox of the record.
   • To delete records in batches, click the checkboxes of records.

3. Click OK.

1. Choose Configuration > Security Services > AAA and click the Advanced Settings tab, as shown in Figure 5-177.
   Figure 5-177 Advanced Settings
   
   

2. Set parameters in 802.1X Authentication Global Settings. Table 5-98 describes the parameters on this page.
   Table 5-98 Parameters for configuring 802.1X authentication globally

   Parameter	Description
   Quiet timer	Indicates whether to start the quiet timer.
   Maximum authentication failures before the switch quiets a user	Indicates the maximum number of times that a user fails authentication before the quiet function is enabled. When the number of times that a user fails 802.1X authentication within 60s reaches the value set in Maximum authentication failures before the switch quiets a user, the device keeps the user quiet for a period of time.
   Quiet timer value (s)	Indicates the quiet period. During the quiet period of an 802.1X authentication user, the device discards the 802.1X authentication request packets from the user.

3. Click Apply.
4. In the dialog box that is displayed, click OK.

1. Choose Configuration > Security Services > AAA and click the Advanced Settings tab, as shown in Figure 5-177.
2. Set parameters in Portal Authentication Global Settings. Table 5-99 describes the parameters on this page.
   Table 5-99 Parameters for configuring Portal authentication globally

   Parameter	Description
   Quiet timer	Indicates whether to start the quiet timer.
   Maximum authentication failures before the switch quiets a user	Indicates the maximum number of times that a user fails authentication before the quiet function is enabled. When the number of times that a user fails Portal authentication within 60s reaches the value set in Maximum authentication failures before the switch quiets a user, the device keeps the user quiet for a period of time.
   Quiet timer value (s)	Indicates the quiet period. During the quiet period of a Portal authentication user, the device discards the Portal authentication request packets from the user.
   Port number in Portal packets	Indicates the port number used by the device to listen on Portal protocol packets.
   Transparent transmission of authentication information	Indicates whether to enable transparent transmission of authentication information.
   Portal version	Indicates the version of the Portal protocol.
   Upper alarm threshold percentage (%)	Indicates the upper alarm threshold percentage of Portal authentication user quantity, which must be greater than or equal to Lower alarm threshold percentage.
   Lower alarm threshold percentage (%)	Indicates the lower alarm threshold percentage of Portal authentication user quantity.

3. Click Apply.
4. In the dialog box that is displayed, click OK.

1. Choose Configuration > Security Services > AAA and click the Advanced Settings tab, as shown in Figure 5-177.
2. Set parameters in MAC Address Authentication Global Settings. Table 5-100 describes the parameters on this page.
   Table 5-100 Parameters for configuring MAC address authentication globally

   Parameter	Description
   Maximum authentication failures before the switch quiets a user	Indicates the maximum number of times that a user fails authentication before the quiet function is enabled. When the number of times that a user fails MAC address authentication within 60s reaches the value set in Maximum authentication failures before the switch quiets a user, the device keeps the user quiet for a period of time.
   Quiet timer value (s)	Indicates the value of the quiet timer. When a user fails authentication, the device keeps the user quiet for a period before processing the authentication request from the user. During the quiet period, the device does not process authentication requests from the user.

3. Click Apply.
4. In the dialog box that is displayed, click OK.

1. Choose Configuration > Security Services > AAA and click the Advanced Settings tab, as shown in Figure 5-177.
2. Set Enable the CNA bypass function for iOS terminals in Others to ON.
3. Click Apply.
4. In the dialog box that is displayed, click OK.