User Access Control
This node is only available in the NAC common mode.
Authentication Configuration
Context
Authentication configuration covers the local and RADIUS authentication modes. If the local authentication mode is used, you must create a user account on the switch and set a password. If the RADIUS authentication mode is used, you must configure the IP address, port number, and shared key of the RADIUS server. If the password configured when a local user is created or modified is the same as the default password, a security risk exists.
Procedure
- Configuring local authentication
Click Configuration to display the Configuration page.
Choose User Access Control in the navigation tree to display the User Access Control page.
Click the Authentication Configuration tab to display the Authentication Configuration page.
Select an option from the User domain name drop-down list box in the Authentication Configuration area.
Select Local authentication for Authentication mode, as shown in Figure 5-195.
Click Apply.
Configure the user account information for local authentication in the Account Management area.
Create a user account.
Click Create to display the Create User page, as shown in Figure 5-196.
Table 5-109 describes the parameters for creating a user.

Table 5-109 Create User/Modify User parameters

User name
    Indicates the new user name.
    The user name cannot contain \ / : * ? " < > | ' or %, and cannot start with @.

Password
    Indicates the user password.
    A secure password should contain at least two of the following character types: lowercase letters, uppercase letters, numerals, and special characters (such as ! $ # %). In addition, the password cannot contain spaces or single quotation marks (').

Confirm password
    Re-enter the password for confirmation. The format is the same as that of Password.

Status
    Sets the user status.
    User status includes active and block. If the status is set to block, the device rejects the user's authentication requests, and the user cannot change the password.
    NOTE: This parameter is displayed only on the user modification page.

Access type
    Sets the user access type.

Forced offline
    Indicates whether a user is forcibly disconnected from the network.
    NOTE: This parameter is displayed only on the user modification page.
Set the parameters. Click OK.
Modify a user account.
Click Modify next to the AAA account to be modified to display the Modify User page, as shown in Figure 5-197.
Set the parameters. Click OK.
Delete a user account.
You can delete a user account using either of the following methods:
Click Delete next to the AAA account to be deleted.
Select the records of the AAA accounts to be deleted, and click Delete next to Create to delete the AAA accounts in batches.
After you click Delete, the system prompts you to confirm the deletion operation. Click OK.
- Configuring RADIUS authentication
Click Configuration to display the Configuration page.
Choose User Access Control in the navigation tree to display the User Access Control page.
Click the Authentication Configuration tab to display the Authentication Configuration page.
Select an option from the User domain name drop-down list box in the Authentication Configuration area.
Select RADIUS authentication for Authentication mode, as shown in Figure 5-198.
Table 5-110 describes the parameters for RADIUS authentication.

Table 5-110 Parameters for configuring RADIUS authentication

Server IP address
    Indicates the IP address of the RADIUS server, for example, 10.10.10.1.
    The switch must have a reachable route to the server IP address.

Port number
    Indicates the UDP port number of the RADIUS server.

Shared key
    Indicates the shared key used for communication between the switch and the RADIUS server.
    When communicating with the RADIUS server, the switch uses the shared key to encrypt the user password so that the password is protected during transmission.
    The value is a string of 1 to 128 case-sensitive characters without spaces, single quotation marks ('), or question marks (?).

Confirm shared key
    Re-enter the shared key for confirmation. The format is the same as that of the shared key.
Set the parameters.
Click Apply.
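As an added example that is not part of the original documentation, the following Python checks a local user name and password against the rules of Table 5-109 and a RADIUS shared key against the rules of Table 5-110, so the same policy can be enforced in a provisioning script before the values reach the web UI. The default-password comparison takes an assumed caller-supplied value, because the page does not state the device's default password.

```python
import re
from typing import List, Optional

# Characters a user name may not contain (Table 5-109); it also may not start with "@".
USERNAME_FORBIDDEN = set('\\/:*?"<>|\'%')

# The four character classes of Table 5-109; a password must use at least two of them.
_CLASSES = (
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^a-zA-Z0-9]"),  # special characters such as ! $ # %
)


def validate_user_name(name: str) -> List[str]:
    """Return the Table 5-109 user-name rules that `name` violates (empty list = OK)."""
    problems = []
    if not name:
        problems.append("user name is empty")
    if name.startswith("@"):
        problems.append("user name starts with @")
    bad = sorted(set(name) & USERNAME_FORBIDDEN)
    if bad:
        problems.append("user name contains forbidden characters: " + " ".join(bad))
    return problems


def validate_password(password: str, default_password: Optional[str] = None) -> List[str]:
    """Return the Table 5-109 password rules that `password` violates (empty list = OK).

    `default_password` is an assumed value supplied by the caller (not given on the page);
    when provided, a password equal to it is reported, per the security note in Context.
    """
    problems = []
    if " " in password:
        problems.append("password contains a space")
    if "'" in password:
        problems.append("password contains a single quotation mark")
    classes = sum(1 for rx in _CLASSES if rx.search(password))
    if classes < 2:
        problems.append("password uses only %d character class(es); at least 2 required" % classes)
    if default_password is not None and password == default_password:
        problems.append("password equals the default password")
    return problems


def validate_shared_key(key: str) -> List[str]:
    """Return the Table 5-110 shared-key rules that `key` violates (empty list = OK)."""
    problems = []
    if not 1 <= len(key) <= 128:
        problems.append("shared key length %d outside 1..128" % len(key))
    for ch, label in ((" ", "space"), ("'", "single quotation mark"), ("?", "question mark")):
        if ch in key:
            problems.append("shared key contains a " + label)
    return problems
```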
Portal Server
Context
To ensure communication between the switch and the Portal server, you must configure the Portal server IP address, configure the parameters used for information exchange between the switch and the Portal server (including the Portal server port number and shared key), and bind interfaces to the Portal server.
After configuring Portal authentication, perform the Authentication Configuration. The two functions implement user authentication together.
Procedure
- Configure a Portal server.
- Create a Portal authentication server.
- Modify a Portal authentication server.
- Click Configuration. The Configuration page is displayed.
- Choose User Access Control from the navigation tree. The User Access Control page is displayed.
- Click the Portal Server tab. The Portal Server tab page is displayed.
- Click . The Portal Authentication Server List page is displayed.
- Click the name of the authentication server that you want to modify. The authentication server modification page is displayed.
- Modify parameters for the authentication server. Table 5-111 describes the parameters.
- Click OK.
- Delete a Portal authentication server.
Access Configuration
Context
The device supports two configuration modes. By default, the unified mode is used. You can run the undo authentication unified-mode command to switch the configuration mode to common mode.
In the common mode, access configuration includes no authentication, 802.1X authentication, MAC address authentication, and MAC address bypass authentication. The last mode is a combination of 802.1X authentication and MAC address authentication.
No-authentication: Users are allowed to access the network without authentication.
802.1X authentication: a Layer 2 authentication mode based on the 802.1X protocol. In this mode, the 802.1X client software must be installed on user terminals, and user identity authentication is performed between clients and servers using the Extensible Authentication Protocol (EAP).
MAC address authentication: uses MAC addresses of users as identity information. In this mode, the 802.1X client software does not need to be installed on user terminals.
MAC address bypass authentication: In this mode, 802.1X authentication is performed first and the delay timer for MAC address bypass authentication is enabled at the same time. If the 802.1X authentication still fails when the delay time expires, MAC address authentication is triggered.
When performing access configuration, you must enable the authentication function first, and then select the interface to which the access configuration applies and select an authentication mode.
In the unified mode, access configuration includes No-authentication, 802.1X authentication, MAC address authentication, and Portal authentication.
After performing access configuration, perform the Authentication Configuration. The two functions implement user authentication together.
If no authentication is configured, a user passes authentication with any user name or password. Therefore, to protect the device and the network, you are advised to enable authentication so that only authenticated users can access the device or network.