No relevant resource is found in the selected language.
MENU
Support Documentation
S7700 V200R019C10 Web-based Configuration Guide

This document describes how to configure and maintain devices through the web NMS client, including device status statistics, SVF, interface, Ethernet switching, IP service, IP routing, security, ACL, AAA, system management, QoS, WLAN, diagnosis service, and EasyDeploy.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
User Access Control

User Access Control

This node is only available in the NAC common mode.

Authentication Configuration

Context

Authentication configuration includes configurations of the local and RADIUS authentication modes. If the local authentication mode is used, you must create a user account on the switch and set a password. If the RADIUS authentication mode is used, you must configure the IP address, port number, and shared key of the RADIUS server. If the password configured in local user creation or modification is the same as the default password, security risk exists.

Procedure

  • Configuring local authentication

    1. Click Configuration to display the Configuration page.

    2. Choose Security Services > User Access Control in the navigation tree to display the User Access Control page.

    3. Click the Authentication Configuration tab to display the Authentication Configuration page.

    4. Select an option from the User domain name drop-down list box in the Authentication Configuration area.

    5. Select Local authentication for Authentication mode, as shown in Figure 5-195.

      Figure 5-195 Configuring local authentication

    6. Click Apply.

    7. Configure the user account information for local authentication in the Account Management area.

      • Create a user account.

        1. Click Create to display the Create User page, as shown in Figure 5-196.

          Figure 5-196 Create User

          Table 5-109 describes the parameters for creating a user.

          Table 5-109 Create User/Modify User

          Parameter

          Description

          User name

          Indicates the new user name.

          The user name cannot contain \ / : * ? " < > | ' or %, and cannot start with @.

          Password

          Indicates the user password.

          A secure password should contain at least two types of the following: lowercase letters, uppercase letters, numerals, special characters (such as ! $ # %). In addition, the password cannot contain spaces or single quotation marks (').

          Confirm password

          Indicates the confirm password. The format is the same as that of Password.

          Status

          Sets the user status.

          User status includes active and block. If the status is set to block, the device rejects the user's authentication requests, and the user cannot change the password.

          NOTE:

          This parameter is only displayed on the user modification page.

          Access type

          Sets the user access type.

          Forced offline

          Indicates whether a user is forcibly disconnected from the network.

          NOTE:

          This parameter is only displayed on the user modification page.

        2. Set the parameters. Click OK.

      • Modify a user account.

        1. Click Modify next to the AAA account to be modified to display the Modify User page, as shown in Figure 5-197.
          Figure 5-197 Modify User

          • For parameter description, see Table 5-109.

          • The user name is fixed and cannot be changed.

        2. Set the parameters. Click OK.

      • Delete a user account.

        1. You can delete a user account using either of the following methods:

          • Click Delete next to the AAA account to be deleted.

          • Select the records of the AAA accounts to be deleted, and click Delete next to Create to delete the AAA accounts in batches.

        2. After you click Delete, the system prompts you to confirm the deletion operation. Click OK.

  • Configuring RADIUS authentication

    1. Click Configuration to display the Configuration page.

    2. Choose Security Services > User Access Control in the navigation tree to display the User Access Control page.

    3. Click the Authentication Configuration tab to display the Authentication Configuration page.

    4. Select an option from the User domain name drop-down list box in the Authentication Configuration area.

    5. Select RADIUS authentication for Authentication mode, as shown in Figure 5-198.

      Figure 5-198 Configuring RADIUS authentication
      Table 5-110 describes the parameters for RADIUS authentication.
      Table 5-110 Parameters for configuring RADIUS authentication

      Parameter

      Description

      Server IP address

      Indicates the IP address of the RADIUS server, for example, 10.10.10.1.

      The server IP address must have reachable routes to the switch.

      Port number

      Indicates the UDP port number of the RADIUS server.

      Shared key

      Indicates the shared key used for communication between the switch and RADIUS server.

      When communicating with the RADIUS server, the switch uses the shared key to encrypt the user password to ensure password security during data transmission.

      The value is a string of 1 to 128 case-sensitive characters without spaces, single quotes ('), and question mask (?).

      Confirm shared key

      Indicates the confirm shared key.

      The format is the same as that of the shared key.

    6. Set the parameters.

    7. Click Apply.

Portal Server

Context

To ensure the communication between the switch and Portal server, you must configure the Portal server IP address and parameters (including the port number and shared key of the Portal server) about information exchange between the switch and Portal server, and bind interfaces to the Portal server.

After configuring Portal authentication, perform the Authentication Configuration. The two functions implement user authentication together.

Procedure

  • Configure a Portal server.
    1. Click Configuration. The Configuration page is displayed.
    2. Choose Security Services > User Access Control from the navigation tree. The User Access Control page is displayed.
    3. Click the Portal Server tab. The Portal Server tab page is displayed, as shown in Figure 5-199.

      Figure 5-199 Portal server configuration

    4. Click and select a server name.
    5. Click Apply.
  • Create a Portal authentication server.
    1. Click Configuration. The Configuration page is displayed.
    2. Choose Security Services > User Access Control from the navigation tree. The User Access Control page is displayed.
    3. Click the Portal Server tab. The Portal Server tab page is displayed.
    4. Click . The Portal Authentication Server List page is displayed.
    5. Click Create. The Portal Authentication Server List page is displayed, as shown in Figure 5-200.

      Figure 5-200 Creating a Portal authentication server

      Table 5-111 describes the parameters for creating a Portal authentication server

      Table 5-111 Parameters for creating a Portal authentication server

      Parameter

      Description

      Server name

      Indicates the name of a Portal authentication server.

      Server IP

      Indicates the IP address of the Portal server.

      Source IP

      Indicates the source IP address for the device to communicate with a Portal server.

      Shared key

      Indicates the shared key that the device uses to exchange information with the Portal server.

      Confirm shared key

      Enter the shared key again.

      Packet port number

      Indicates the port number that the device uses to listen on Portal protocol packets.

      URL

      Indicates the URL of the Portal server.

      URL profile

      The following parameters are valid when URL profile is selected.

      URL

      Indicates the redirection URL or pushed URL

      User access URL

      Indicates the original URL that a user accesses carried in the URL.

      User MAC

      Indicates the user MAC address carried in the URL.

      User IP

      Indicates the user IP address carried in the URL.

      System name

      Indicates the device system name carried in the URL.

      MAC address format
      • No separator
      • normal: sets the MAC address format to XXXX-XXXX-XXXX. You can specify a character as the delimiter.
      • compact: sets the MAC address format to XX-XX-XX-XX-XX-XX. You can specify a character as the delimiter.

      Separator

      Indicates the separator, which contains one character.

    6. Click OK.
  • Modifying a Portal authentication server.
    1. Click Configuration. The Configuration page is displayed.
    2. Choose Security Services > User Access Control from the navigation tree. The User Access Control page is displayed.
    3. Click the Portal Server tab. The Portal Server tab page is displayed.
    4. Click . The Portal Authentication Server List page is displayed.
    5. Click the name of the authentication server that you want to modify. The authentication server modification page is displayed.
    6. Modify parameters for the authentication server. Table 5-111 describes the parameters.
    7. Click OK.
  • Delete a Portal authentication server.
    1. Click Configuration. The Configuration page is displayed.
    2. Choose Security Services > User Access Control from the navigation tree. The User Access Control page is displayed.
    3. Click the Portal Server tab. The Portal Server tab page is displayed.
    4. Click . The Portal Authentication Server List page is displayed.
    5. Select the authentication server name and click Delete. The system asks you whether to delete the record.

      • To select a record, click the check box of the record.
      • To delete records in batches, click the check boxes of records.

    6. Click OK.

Access Configuration

Context

The device supports two configuration modes. By default, the unified mode is used. You can run the undo authentication unified-mode command to switch the configuration mode to common mode.

  • In the common mode, access configuration includes No-authentication, 802.1X authentication, MAC address authentication, MAC address bypass authentication. The last authentication mode is combinations of 802.1X authentication and MAC address authentication.

    • No-authentication: Users are allowed to access the network without authentication.

    • 802.1X authentication: a Layer 2 authentication mode based on the 802.1X protocol. In this mode, the 802.1X client software must be installed on user terminals, and user identity authentication is performed between clients and servers using the Extensible Authentication Protocol (EAP).

    • MAC address authentication: uses MAC addresses of users as identity information. In this mode, the 802.1X client software does not need to be installed on user terminals.

    • MAC address bypass authentication: In this mode, 802.1X authentication is performed first and the delay timer for MAC address bypass authentication is enabled at the same time. If the 802.1X authentication still fails when the delay time expires, MAC address authentication is triggered.

    When performing access configuration, you must enable the authentication function first, and then select the interface to which the access configuration applies and select an authentication mode.

  • In the unified mode, access configuration includes No-authentication, 802.1X authentication, MAC address authentication, and Portal authentication.

After performing access configuration, perform the Authentication Configuration. The two functions implement user authentication together.

If non-authentication is configured, a user passes the authentication using any user name or password. Therefore, to protect the device or network security, you are advised to enable authentication, allowing only the authenticated users to access the device or network.

Procedure

  • Common mode:
    1. Click Configuration to display the Configuration page.
    2. Choose Security Services > User Access Control in the navigation tree to display the User Access Control page.
    3. Click the Access Configuration tab to display the Access Configuration page, as shown in Figure 5-201.

      Figure 5-201 Access configuration

    4. Set Authentication function to ON and click OK.
    5. Select interfaces for which the authentication function needs to be enabled. You can perform the following operations as required:

      • Click the icon of a single interface or icons of multiple interfaces.
      • Drag the mouse to select multiple neighboring interfaces.
      • Click an LPU name and select all interfaces on the LPU.

    6. Select an interface authentication method, as shown in Figure 5-202.

      Figure 5-202 Interface authentication mode

    7. Click Apply.

      If authentication on any interface fails, an error page is displayed, as shown in Figure 5-203.

      Figure 5-203 Interface authentication enabling result

      In the dialog box, Execution succeeded indicates the number of interfaces for which the interface authentication function is successfully applied; Execution failed indicates the number of interfaces for which the interface authentication function fails to be applied.

  • Unified mode.
    1. Click Configuration to display the Configuration page.
    2. Choose Security Services > User Access Control in the navigation tree to display the User Access Control page.
    3. Click the Access Configuration tab to display the Access Configuration page, as shown in Figure 5-204.

      Figure 5-204 Access configuration

    4. Select interfaces for which the authentication function needs to be enabled. You can perform the following operations as required:

      • Click the icon of a single interface or icons of multiple interfaces.
      • Drag the mouse to select multiple neighboring interfaces.
      • Click an LPU name and select all interfaces on the LPU.

    5. Select interface authentication modes, including MAC address authentication, 802.1X authentication, and Portal authentication. Click Apply.

      If 802.1X authentication is configured as authentication mode 1 and MAC address authentication as authentication mode 2, the MAC address bypass authentication function is enabled.

      If MAC address authentication is configured as authentication mode 1 and 802.1X authentication as authentication mode 2, the MAC address authentication is performed first during MAC address bypass authentication.

    6. In the VLAN Authentication area, click to add interfaces, select interface authentication modes, and click Apply.
Translation
简体中文
Download
Updated: 2021-03-03

Document ID: EDOC1100126882

Views: 32250

Downloads: 76

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next
Enterprise APP

Copyright © 2021 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :