No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
CloudCampus Solution V100R019C10 Deployment Guide for Large- and Medium-Sized Campus Networks (Virtualization Scenario)
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Admission Configuration

Admission Configuration

Authentication and Authorization Management

Configuration Guide in Typical Scenarios

Context

The admission configuration process and operations vary according to the networking type, access point, and authentication mode. Access points in different networking types may vary. You can select a suitable authentication mode and access points based on the actual networking type.

Table 5-85 Mapping between common networking types and access points

Networking Type

Access Point

Authentication Mode

Single AP

Routers and APs

Firewalls, routers, and APs

Firewalls, central APs, and RUs

AP

iMaster NCE-Campus as a portal server

iMaster NCE-Campus as a RADIUS server

iMaster NCE-Campus as a relay agent

Interconnection with a third-party portal server

Interconnection with a third-party RADIUS server

Switches, ARs, and firewalls

Switch

Single firewall

Firewall

Single router

Router

Switches and WACs

WAC

Configuring User Access Without Authentication

Context

If you do not want to authenticate access terminals, do not configure functions related to access control when configuring devices at a site.

Configuration Procedure

  1. Select a site.

    1. Choose Provision > Physical Network > Site Configuration from the main menu.
    2. In the displayed window, select a site from the Site drop-down list in the upper left corner.
    3. Choose the Site Configuration tab.

  2. Configure authentication points based on the device type.

    Authentication Point

    Configuration Procedure

    AP
    1. Choose AP > SSID from the navigation pane, click Create, and configure basic information about an SSID.
    2. On the Security Authentication page, set Authentication mode to Open network and Push pages to OFF.

    AR
    1. Choose AR > SSID from the navigation pane, click Create, and configure the basic information about an SSID.
    2. On the Security authentication page, set Authentication mode to OPEN and Push pages (Portal authentication) to OFF.

    Firewall
    1. Choose Firewall > SSID from the navigation pane, click Create, and configure basic information about an SSID.
    2. On the Security authentication page, set Authentication mode to OPEN.

    Switch or WAC

    N/A

Password Authentication

Configuring PSK Authentication

Context

If you do not want to deploy an authentication server but want to secure your network, you can choose PSK authentication. All users accessing the Internet use the same preconfigured password. Therefore, administrators are advised to change the password periodically.

Configuration Procedure
  1. Select a site.

    1. Choose Provision > Physical Network > Site Configuration from the main menu.
    2. In the displayed window, select a site from the Site drop-down list in the upper left corner.
    3. Choose the Site Configuration tab.

  2. Configure authentication points based on the device type.

    Authentication Point

    Configuration Procedure

    AP
    1. Choose AP > SSID from the navigation pane, click Create, and configure basic information about an SSID.
    2. On the Security Authentication page, set Authentication mode to Semi-open network, select PSK/PPSK, and set Key type to PSK. Then, set Encryption mode, Encryption algorithm and an SSID access password. The options of Encryption algorithm are as follows:
      • AES: Configures AES encryption.
      • AES-TKIP: Configures AES-TKIP encryption. After passing the authentication, user terminals can use the AES or TKIP algorithm for data encryption.
      • TKIP: Configures TKIP encryption.

    AR
    1. Choose AR > SSID from the navigation pane, click Create, and configure basic information about an SSID.
    2. On the Security authentication page, set Authentication mode to PSK, select Encryption mode, and click Set to set an access password for the SSID.
    3. On the Policy control page, configure traffic rate limiting policies as required.

    Firewall
    1. Choose Firewall > SSID from the navigation pane, click Create, and configure basic information about an SSID.
    2. On the Security authentication page, set Authentication mode to PSK, select Encryption mode, and click Set to set an access password for the SSID.

    Switch or WAC

    NA

Configuring PPSK Authentication

Context

If you do not want to deploy an authentication server but want to secure your network, you can choose PPSK authentication. Different Wi-Fi passwords can be set for different accounts.

Configuration Procedure
  1. Select a site.

    1. Choose Provision > Physical Network > Site Configuration from the main menu.
    2. In the displayed window, select a site from the Site drop-down list in the upper left corner.
    3. Choose the Site Configuration tab.

  2. Configure authentication points based on the device type.

    Authentication Point

    Configuration Procedure

    AP
    1. Choose AP > SSID from the navigation pane, click Create, and configure basic information about an SSID.
    2. On the Security Authentication page, set Authentication mode to Semi-open network, select PSK/PPSK/SAE/SAE-PSK, and set Key type to PPSK. Then, set Encryption mode, Encryption algorithm and Escape policy. If automatic MAC address binding is enabled, when a device accesses the SSID for the first time, the device's MAC address and PPSK account will be automatically bound.

      When a terminal accesses an SSID, if the PPSK account used by the terminal is bound to the MAC address of another terminal, the terminal cannot access the SSID.

    AR, Firewall, Switch, WAC

    NA

  3. Choose Admission > Admission Resources > User Management > User Management > PPSK from the main menu.

    • Click Create to create a PPSK account.

    • Click Import to import PPSK accounts in batches using an Excel template.

      On HUAWEI CLOUD, a maximum of 10,000 sites can be configured under a tenant, and a maximum of 16 SSIDs can be configured for a site because a maximum of 16 SSIDs can be configured for a single AP under a site. In PPSK authentication mode, one SSID can be associated with multiple PPSK accounts, and a maximum of 1024 PPSK accounts can be configured for a site.

Parameter Description
Table 5-86 Creating a PPSK user account

Parameter

Description

Account

Name of a PPSK user account.

Wi-Fi key

Password used by a PPSK user account to connect to a cloud-managed device.

Confirm the Wi-Fi key

Max. number of terminals

Maximum number of terminals that can use the same account to connect to the network simultaneously.

MAC Addresses

Terminal's MAC address bound to the PPSK user account if the account allows only one terminal to access the network. You can bind the terminal MAC address to the PPSK user account when creating the account, or enable automatic MAC address binding when configuring an AP SSID.

When a terminal accesses an SSID using a PPSK user account used which is bound to the MAC address of another terminal, the terminal cannot access the SSID.

VLAN

ID of the VLAN to which the PPSK user account belongs.

SSID

Name of an AP SSID.

Portal Authentication

Configuration Task Overview

Context

Portal authentication supports multiple authentication modes, and different authentication modes require different configurations. You need to choose an appropriate network authentication mode based on actual requirements. The following table lists the configuration tasks for each authentication mode.

If you want to authenticate access users but not to restrict their access permissions, you do not need to configure an authorization result or an authorization rule.

Table 5-87 Overview of portal authentication configuration tasks

Scenario

HACA-Related Task

Portal 2.0-Related Task

Anonymous authentication
  1. (Optional) Customizing a Portal Page Pushed to End Users
  2. (Optional) Configuring Portal Page Pushing Rules
  3. (Optional) Configuring an Online Duration or Data Allowance Policy
  4. Configuring Advanced Parameters
    NOTE:
    1. Choose Admission > Admission Policy > Admission Settings from the main menu. Click the Advanced Parameters tab, toggle Enable anonymous authentication on, and set the network areas in which anonymous authentication is allowed.
    2. The firewall does not support the accounting function.
  5. Configuring an Authentication Rule
  6. Configuring an Authorization Result
  7. Configuring an Authorization Rule
  8. Configuring an Authentication Point
  1. (Optional) Customizing a Portal Page Pushed to End Users
  2. (Optional) Configuring Portal Page Pushing Rules
  3. (Optional) Configuring an Online Duration or Data Allowance Policy
  4. Configuring Advanced Parameters
    NOTE:
    1. Choose Admission > Admission Policy > Admission Settings from the main menu. Click the Advanced Parameters tab, toggle Enable anonymous authentication on, and set the network areas in which anonymous authentication is allowed.
    2. The firewall does not support the accounting function.
  5. Configuring an Authentication Rule
  6. Configuring an Authorization Result
  7. Configuring an Authorization Rule
  8. Configuring a Portal Template
  9. Configuring a RADIUS Template
  10. Configuring an Authentication Point

User name and password authentication
  1. (Optional) Configuring an Account for an End User (User name and password are mandatory for users but not required for guests.)
  2. (Optional) Customizing a Portal Page Pushed to End Users
  3. Configuring a Portal Page Pushing Policy
  4. (Optional) Configuring an Online Duration or Data Allowance Policy
  5. Configuring an Authentication Rule
  6. Configuring an Authorization Result
  7. Configuring an Authorization Rule
  8. Configuring an Authentication Point
  1. (Optional) Configuring an Account for an End User (User name and password are mandatory for users but not required for guests.)
  2. Guest Management
  3. (Optional) Customizing a Portal Page Pushed to End Users
  4. Configuring a Portal Page Pushing Policy
  5. (Optional) Configuring an Online Duration or Data Allowance Policy
  6. Configuring an Authentication Rule
  7. Configuring an Authorization Result
  8. Configuring an Authorization Rule
  9. Configuring a Portal Template
  10. Configuring a RADIUS Template
  11. Configuring an Authentication Point

Passcode authentication
  1. (Optional) Configuring an Account for an End User
  2. (Optional) Customizing a Portal Page Pushed to End Users
  3. Configuring a Portal Page Pushing Policy
  4. (Optional) Configuring an Online Duration or Data Allowance Policy
  5. Configuring an Authentication Rule
  6. Configuring an Authorization Result
  7. Configuring an Authorization Rule
  8. Configuring an Authentication Point
  1. (Optional) Configuring an Account for an End User
  2. (Optional) Customizing a Portal Page Pushed to End Users
  3. Configuring a Portal Page Pushing Policy
  4. (Optional) Configuring an Online Duration or Data Allowance Policy
  5. Configuring an Authentication Rule
  6. Configuring an Authorization Result
  7. Configuring an Authorization Rule
  8. Configuring a Portal Template
  9. Configuring a RADIUS Template
  10. Configuring an Authentication Point

SMS authentication
  1. (Optional) Configuring a User Group
  2. (Optional) Configuring a Guest Account Policy
  3. (Optional) Customizing a Portal Page Pushed to End Users
  4. Configuring a Portal Page Pushing Policy
  5. (Optional) Configuring an Online Duration or Data Allowance Policy
  6. Configuring an SMS Server
  7. Configuring an Authentication Rule
  8. Configuring an Authorization Result
  9. Configuring an Authorization Rule
  10. Configuring an Authentication Point
  1. (Optional) Configuring a User Group
  2. (Optional) Configuring a Guest Account Policy
  3. (Optional) Customizing a Portal Page Pushed to End Users
  4. Configuring a Portal Page Pushing Policy
  5. (Optional) Configuring an Online Duration or Data Allowance Policy
  6. Configuring an SMS Server
  7. Configuring an Authentication Rule
  8. Configuring an Authorization Result
  9. Configuring an Authorization Rule
  10. Configuring a Portal Template
  11. Configuring a RADIUS Template
  12. Configuring an Authentication Point

Other guest authentication scenarios

(Optional) Configuring an Account for an End User

Configuring a User and User Group

Context

In the enterprise employee access scenario, user name, and password authentication can be used to implement end user access. During portal authentication or 802.1X authentication, end users need to enter the following account information.

Authentication Mode

Account Type

Description

User name and password authentication

User

A user name and the password are required for authentication, and need to be preconfigured by tenant administrators on iMaster NCE-Campus. Users need to obtain user names and passwords from tenant administrators.

NOTE:

iMaster NCE-Campus predefines the ~anonymous account (without a password) for anonymous authentication. This account cannot be deleted or modified.

In the guest access scenario, the following methods are recommended to implement portal authentication for end users.

Authentication Mode

Account Type

Description

User name and password authentication

Common guest

A user name and the password are required for authentication, need to be preconfigured by tenant administrators on iMaster NCE-Campus, or registered by end users on the pushed portal page.

Passcode authentication

Passcode

An access code, a string of 6 to 12 letters and digits, is required for authentication, need to be preconfigured by tenant administrators on iMaster NCE-Campus. Users need to obtain access codes from tenant administrators.

If tenant administrators have certain requirements on authentication security but do not want to configure 802.1X authentication, they are advised to use the following method to allow end users to access networks.

Authentication Mode

Account Type

Description

Password authentication

PPSK

An account and the Wi-Fi password are required for authentication, need to be preconfigured by tenant administrators on iMaster NCE-Campus. Users need to obtain accounts and Wi-Fi passwords from tenant administrators.

If dumb terminals such as printers and phones are connected to a network, MAC address authentication is recommended for end users.

Authentication Mode

Account Type

Description

MAC address authentication

MAC

The MAC address list is required and is provisioned by tenant administrators on iMaster NCE-Campus in advance.
Procedure
  1. Choose Admission > Admission Resources > User Management > User Management > User from the main menu.

    • Click to create a user. You can create users one by one.

    • Select a user group and click Create to create a user. You can create users one by one.

      When creating a user, you are advised to bind an email address or phone number to the user to facilitate password change.

    • Click to import users and user groups. You can use an Excel template to import users and user groups in batches.
    • Click to export users and user groups. After the export task is created, click OK and choose Maintenance > File Management > File Management > Download Task Management > Export File to view and download the task.

  2. (Optional) Choose Admission > Admission Policy > Online User Control > User Control Policy from the main menu.

    1. Click the Maximum Number Of Access Terminals tab, and then click Create to create a user control policy.

    2. After the parameters are set, click to apply the created user control policy to a specific user group or user.

      When creating a user, you can also set the maximum number of access terminals. The maximum number of access terminals configured on different pages takes effect in the following sequence in descending order: Maximum number of access terminals when a user is created > Number of access terminals allocated to the user > Number of access terminals allocated to the user group. If the Maximum number of terminals parameter is disabled when a user is created, the maximum number of access terminals is subject to the configuration in the user control policy. If the Maximum number of terminals parameter is enabled and no restrictions is selected, there will be no limit on the number of access terminals.

  3. Choose Admission > Admission Resources > User Management > User Management > PPSK from the main menu.

    • Click Create to create a PPSK account.

    • Click Import to import PPSK accounts in batches using an Excel template.

  4. Choose Admission > Admission Resources > User Management > User Management > MAC Account from the main menu.

    • Click Create to create a MAC account.

Parameter Description
Table 5-88 Creating a user

Parameter

Description

User name

Username and password used by an end user during authentication to connect to a cloud-managed device.

Password

Confirm password

Role

Role attached to the user.

Email

Email address and phone number of a user. When resetting passwords, a user receives a verification code via an email or an SMS message and sets a new password based on the verification code.

Phone number

Max. number of terminals

Maximum number of terminals that can use the same account to connect to the network simultaneously. This parameter does not take effect for HWTACACS authentication access users.

Expiration time

Time when the user account expires. If this parameter is left empty, the account is valid permanently.

Change password upon next login

Whether to change the account password upon next login. If this parameter is enabled, users need to change the initial passwords upon next login. This parameter is valid only for portal authentication. This parameter does not take effect for HWTACACS authentication access users.

Device administrator

Whether the device administrator can use the user name and password set when the account is created to remotely log in to devices for management. This parameter takes effect only for HWTACACS authentication.

Terminals Bound to an Access Device

Terminal IP address

Terminal IP address bound to the user account.

Terminal MAC address

Terminal MAC address bound to the user account. The value must be in the format **-**-**-**-**-**, such as 11-11-11-11-11-11.

Bound terminal ESN

Terminal ESN bound to the user account. The value is a string of 20 characters consisting of uppercase letters (A to Z) and digits, such as 2102310WYGG6EC914846.

SIM/USIM's IMSI

International mobile subscriber identity (IMSI) or SIM card number bound to the user account. The value is a string of 1 to 15 digits. IMSIs are sensitive data. Exercise caution when using IMSIs in case of data leakage.

Binding an Access Device

Access device IP address

IP address of the access device to which a user connects.

Port

Port number of the access device to which a user connects.

VLAN

VLAN of the access device to which a user connects.
Table 5-89 Creating a user group

Parameter

Description

User group name

Name of a user group. A user group contains multiple users. When configuring an access control policy, you can specify the user group to which the policy applies.
Table 5-90 Creating a PPSK user account

Parameter

Description

Account

Name of a PPSK user account.

Wi-Fi key

Password used by a PPSK user account to connect to a cloud-managed device.

Confirm the Wi-Fi key

Max. number of terminals

Maximum number of terminals that can use the same account to connect to the network simultaneously.

MAC Addresses

Terminal's MAC address bound to the PPSK user account if the account allows only one terminal to access the network. You can bind the terminal MAC address to the PPSK user account when creating the account, or enable automatic MAC address binding when configuring an AP SSID.

When a terminal accesses an SSID using a PPSK user account used which is bound to the MAC address of another terminal, the terminal cannot access the SSID.

VLAN

ID of the VLAN to which the PPSK user account belongs.

SSID

Name of an AP SSID.
Table 5-91 Creating a MAC account

Parameter

Description

MAC Account Name

MAC account name.

MAC address list

List of MAC addresses that can be accessed by end users.

User Group

User group to which the MAC account belongs.

Role

Role attached to the MAC account.

Terminals Bound to an Access Device

Terminal IP address

Terminal IP address bound to the user account.

Bound terminal ESN

Terminal ESN bound to the user account. The value is a string of 20 characters consisting of uppercase letters (A to Z) and digits, such as 2102310WYGG6EC914846.

SIM/USIM's IMSI

SIM card or IMSI bound to an account. The value is a string of 1 to 15 characters consisting of digits (0-9). IMSIs are sensitive data. Exercise caution when using IMSIs in case of data leakage.

Bind an access device

Access device IP address

IP address of the access device to which a user connects.

Port

Port number of the access device to which a user connects.

VLAN

VLAN of the access device to which a user connects.

(Optional) Attaching a Role to an Account

Context

In addition to user groups, accounts can be managed based on account roles. An account can belong to only one user group but can be attached to multiple roles. Accounts and roles are mapped in a one-to-many manner. Roles can be created manually by an administrator or created automatically during AD/LDAP account synchronization. Roles can be used for authentication, authorization, and security policy allocation.

Procedure
  1. Choose Admission > Admission Resources > User Management > Role Management from the main menu.

    • Click Create to create a role.

    • After the role is created, click next to the role, and click Add to attach the role to a user account, guest account, or MAC account.

    • Click Import to import roles in batches using an Excel template.
    • Click Export All to export information about all roles.

Setting Basic Parameters

Context

Validity periods can be set for user accounts, and expired user accounts can be cleaned up automatically.

You can configure a password policy for user accounts.

Procedure
  1. Choose Admission > Admission Policy > Admission Settings from the main menu.
  2. Click the User Password Policy Configuration tab and modify the password policy for user accounts.

    The password policy allows you to properly set the complexity of your account password, password updating period, and character limitations to prevent your password from being stolen. iMaster NCE-Campus provides a default password policy which you can modify as required.

  3. Click the SMS Verification Code tab, and set SMS verification code length and SMS verification template.

  4. Click the Advanced Parameter tab, and set advanced parameters. The following figure only shows some parameters. For details about other parameters, see Parameter Description at the end of this section.

Parameter Description
Table 5-92 Password policy settings

Parameter

Description

Complexity rule

Password complexity and password length of a user account.

Length range

Validity period

Password validity period of a user account.

  • After the password of an account expires, the account cannot be used to access cloud-managed devices.
  • If the password of an account is about to expire, the system displays a prompt when an end user uses the account to connect to a cloud-managed device. It is recommended that users change the passwords in a timely manner.

Days of notifications before password expiration

Password repetition not allowed (number of times)

Number of recent historical passwords that a user is not allowed to reuse. When changing the password, users cannot reuse previous passwords specified by Password repetition not allowed.

User lockout

Whether to lock user accounts for a specific period. With this function enabled, if a terminal uses an account and password to connect to a cloud-managed device, but the number of consecutive login failures reaches the value of Login failure count in specified times within the period specified by Specified time period, the terminal's account is locked for a period, which is specified by Lockout duration.

Specified time period

Login failure count in specified times

Lockout duration

IP/MAC address binding

Whether to bind an IP address or a MAC address to a user account.
Table 5-93 SMS verification code settings

Parameter

Description

SMS Verification Code Generation Policy

Character types in an SMS verification code sent to users. The options are as follows:

  • Digits
  • Letters
  • Digits + letters
  • Digits + letters + special

SMS verification code length

Length of an SMS verification code sent to a user.

SMS verification template

Template of an SMS verification code sent to a user. After the configuration, the system sends an SMS message based on the settings. All languages supported by the system share a configuration result.
Table 5-94 Advanced parameters

Parameter

Description

Account Validity Allocation

Account validity period extension

Whether to extend the validity period of an account. With this function enabled, after portal authentication-free is configured to implement MAC address-prioritized authentication, if a self-registered user logs in to iMaster NCE-Campus within the account validity period, the validity period of the user account will be extended for a further period from the user login time.

For example, if the validity period of a self-registered user account is set to 1 day, when the user logs in to iMaster NCE-Campus at 8:00 a.m. on 1st September, the account is valid till 8:00 a.m. on 2nd September. If the user logs in to the system again at 12:00 p.m. on 1st September, the account is valid till 12:00 p.m. on 2nd September.

Portal authentication-free

NOTE:

If this function is enabled on the current page, you need to enable the portal authentication-free function in SSID settings of APs or routers, and authentication settings of switches.

Inter-site portal authentication-free

After a terminal connects to an SSID of a site, the terminal can preferentially use the MAC address for authentication. If this function is enabled, the terminal is allowed to connect to the same SSID of other sites and preferentially use the MAC address for authentication.

Portal authentication-free for MAC accounts

Whether to enable MAC address-prioritized portal authentication. If a user uses a MAC account that has passed portal authentication to log in to the controller within the authentication-free validity period, or uses a MAC address that has been recorded on the user management page of the controller, the user can log in to the controller successfully without authentication.

Portal authentication-free extension

After a user passes MAC address authentication and logs in to iMaster NCE-Campus within the validity period, the validity period of the user account will be extended for a further period from the user login time.

Configuration for Expired Accounts

Automatically clear expired users

The Automatically clear expired users parameter indicates whether to automatically delete expired accounts. If this function is enabled, accounts that have expired for specified days are deleted automatically.

Retaining expired users

Timeout Interval of an Offline Device

Timeout period

Device offline duration. When the device offline time exceeds the value of this parameter, the system logs out the online users on the device.

Sensitive data

IMSI export in plaintext

Whether to export IMSIs in clear text.

RADIUS Username Identification Policy

RADIUS username identification rule

Whether to enable RADIUS username identification. If this function is enabled, specified parameters will be carried in RADIUS usernames based on user identification rules. In such cases, the controller can learn the parameter values from RADIUS usernames automatically when RADIUS users go online. Currently, only an IMSI or an ESN can be carried in a RADIUS username. Therefore, if IMSIs or ESNs are specified in authentication rules, you need to enable this function. Currently, the following user identification rules are supported:

ACCOUNT

IMSI@ACCOUNT

IMSI@ESN@ACCOUNT

ESN@ACCOUNT

RADIUS Authentication Transmission Protocol

SSL

SSL for RADIUS authentication. TLSv1.2 is used by default. To set the RADIUS authentication transmission protocol to TLSv1 or TLSv1.1, perform the following operations:

  1. Run the cd /opt/oss/envs/Product-CampusAccountService/20191115134736825/controller/configuration/tlsconfig/ command as the system administrator to access the specified directory. In the preceding command, 20191115134736825 indicates the directory timestamp. Change it based on the site requirements.
  2. Run the vi tlsConfig.properties command as the system administrator to open the tlsConfig.properties file and change enable_tls_config=false to enable_tls_config=true.
  3. If the minimum cluster deployment solution is adopted, the tlsonfig.properties file on each node needs to be modified.
  4. The tenant administrator enables this function on the iMaster NCE-Campus page, select TLSv1 or TLSv1.1, and click OK.

TLSv1 and TLSv1.1 may pose data leakage risks. For security purposes, TLSv1.2 is recommended because it is more secure than TLSv1 and TLSv1.1.

Default self-registration user policy

Subscriber validity period

If third-party devices function as authentication devices, this policy takes effect only when no guest account policy is bound to the portal page specified in the desired portal page push policy. If cloud-managed devices function as authentication devices, this policy takes effect only when no guest account policy is bound to the portal page specified in the desired portal page push policy and the user self-registration function is disabled in the site configuration.

Password validity period

User group

Anonymous authentication

Anonymous authentication

Whether to enable anonymous authentication. If this function is enabled, you need to set network areas where anonymous authentication is allowed.

(Optional) Connecting to Third-Party Platforms

Configuring an Email Server

Context

If iMaster NCE-Campus needs to send emails to users, you need to configure an email server first.

iMaster NCE-Campus needs to send emails in the following scenarios:

  • The MSP administrator or tenant administrator forgets the password: iMaster NCE-Campus sends a reset password to the administrator through an email.
  • The tenant administrator performs alarm settings on iMaster NCE-Campus: iMaster NCE-Campus sends emails to notify users of reported alarms.
  • The tenant administrator wants to use the email-based deployment function: iMaster NCE-Campus needs to send deployment emails to related personnel.
  • Tenants want to register accounts by themselves: iMaster NCE-Campus sends an email containing an activation link to the tenants.
  • The MSP administrator inspects tenant devices: iMaster NCE-Campus sends the inspection report to the administrator's mailbox, if needed.
  • The MSP administrator deletes ESNs or devices: iMaster NCE-Campus sends a notification email to the tenant administrator, if needed.
  • A tenant license is about to expire: iMaster NCE-Campus sends a notification email to a tenant.
  • When portal authentication is configured for guest access, you need to set the approver notification mode or guest notification mode to email notification.

The system administrator has configured an email server for sending emails. If the MSP administrator wants to use another email server, the MSP administrator needs to configure an email server separately.

If both the system administrator and MSP administrator have configured an email server, the email server configured by the MSP administrator is used preferentially. If the email server configured by the MSP administrator is not found, the email server configured by the system administrator is used.

Procedure
  1. Upload an email server certificate.

    1. Contact the SMS server provider to obtain a certificate file.
    2. Choose System > System Management > Certificate Management from the main menu.
    3. Choose Service Certificate Management from the navigation pane. On the Services page, click CampusBaseServiceServerConfigMoudle.
    4. Click the Trust Certificate tab and click Import. On the displayed page, enter the certificate information, select the desired email server certificate, and click Submit to upload the certificate to iMaster NCE-Campus.

  2. Choose System > System Management > Third-Party Service from the main menu.
  3. Set parameters for connecting to the email server.

    If the email server uses a third-party CA certificate, you are advised to disable Validate server certificate.

  4. Click Test to verify the email sending function.

    • If the message "The test succeeds" is displayed and the mailbox receives the test email, the configuration is successful. Click Save.
    • If the message "The test succeeds" is displayed but the mailbox does not receive the test email, check whether the email function of the SMTP server is normal.
    • If the message "Failed to connect to the email server" is displayed, check whether the above parameters are correctly configured.
      • Affected by the network quality and performance of the SMTP server, the time of receiving emails will be delayed within two minutes.
      • Some SMTP providers set the right control for third-party application access. If the test fails, check whether the function of controlling third-party application access is enabled on the SMTP server and set password to the authentication password of the SMTP server.
      • Limited by security policies of email service providers, administrators may fail to receive emails in some scenarios. If no email is received, log in to the email service website or contact the email service provider to check whether the email is returned or other exceptions occur. Alternatively, replace the email server and try again.

Parameter Description
Table 5-95 Parameters on the Email Server tab page

Parameter

Description

SMTP address

SMTP address of the mailbox from which emails are sent. The address must be an IP address or in the smtp.mail.com format.

NOTE:

SMTP is short for Simple Mail Transfer Protocol. SMTP is mainly used to transfer system emails and provide email notifications.

Port

Port number of the SMTP service provided by the email server. You can obtain the port number from the email service provider. By default, the port number is 25.

Secure connection

Whether secure connection is enabled.

Encryption connection type

Protocol for establishing an encrypted communication link between iMaster NCE-Campus and the SMTP server. This parameter is available only when Secure connection is selected.

NOTE:

Secure protocol TLSv1.2 is recommended. TLSv1.0 and TLSv1.1 are insecure protocols; therefore, exercise caution when using them.

Validate server certificate

For security purposes, select Secure connection and Validate server certificate. Select certificate.

Certificate File

Certificate file of the email server. This certificate ensures communication security between iMaster NCE-Campus and the email server.

Authentication

Whether to enable the email account and password authentication.

Account

The two parameters are valid only when Authentication is selected.

User name and password for logging in to the SMTP server.

Password

Sender Email

Sender email address, which must have been registered on the email server. During the email test, this address is used as a recipient email address. After the connectivity test is successfully performed and the configurations are saved, this address is used as the sender email address.

Customized email subject

Email subject. An administrator can customize the prefix and suffix of the email subject. When an email is sent, the prefix and suffix are automatically added before and after the email subject.

Customized email signature

Email signature. An administrator can customize the email signature, and the signature is automatically attached to emails.

Configuring an SMS Server

Context

You need to configure the SMS service if SMS authentication is required. iMaster NCE-Campus needs to send SMS messages in the following scenarios:

  • Two-factor authentication is performed when the system administrator, an MSP administrator, or a tenant administrator logs in to iMaster NCE-Campus
  • An end user attempts to access the network using a verification code received in an SMS message.
  • When a guest attempts to access the network using SMS authentication, iMaster NCE-Campus needs to send an SMS message to notify administrators of guest access. After the guest passes authentication, iMaster NCE-Campus needs to send another SMS message to notify the administrators of the guest authentication result.

Before configuring the SMS service, you need to configure an SMS platform to specify the SMS gateway and configure an account based on the SMS platform to send SMS messages.

  • SMS platform: You need to set parameters about a third-party SMS platform on iMaster NCE-Campus according to the information provided by the SMS platform. For details, see the interface document of the third-party SMS platform.
  • SMS server: You need to set parameters for interconnection between iMaster NCE-Campus and a third-party SMS platform. After the interconnection is successful, iMaster NCE-Campus can send SMS messages.

By default, the system is pre-configured with the following SMS server connection parameters:

  • fungo: http://qxt.fungo.cn/Recv_center. This is the SMS platform of fungo.cn (Beijing, China).
  • twilio: https://api.twilio.com:8443/2010-04-01/Accounts/{USERNAME}/Messages.json. To use this SMS server, access www.twilio.com and apply for an account.
  • If the system administrator has configured an SMS server and enabled Tenant heritable, tenant administrators can use the SMS server configured by the system administrator. Otherwise, they cannot use the SMS server configured by the system administrator and need to configure an SMS server on their own. For details about how a system administrator configures an SMS server, see Configuring an SMS Server.

    If you do not want to use the SMS server configured by the system administrator, you can configure an SMS server as needed.

Prerequisites

If a tenant administrator wants to configure an SMS server, the tenant administrator needs to contact the system administrator to configure the SMS platform information. Only the system administrator can configure the SMS platform information.

Procedure
  1. Import an SMS server certificate.

    1. Contact the SMS server provider to obtain a certificate file.
    2. Log in to iMaster NCE-Campus as a system administrator and choose System > System Management > Certificate Management from the main menu.
    3. Choose Service Certificate Management from the navigation pane. On the Services page, click CampusBaseServiceServerConfigMoudle.
    4. Click the Trust Certificate tab and click Import. On the displayed page, enter the certificate information, select the desired SMS server certificate, and click Submit to upload the certificate to iMaster NCE-Campus.

  2. Choose System > System Settings > Third-Party Service from the main menu and click the SMS Server tab.
  3. Select an SMS platform, and set required parameters.

    HTTPS is recommended because it is more secure than HTTP.

    • Set SMS service type to HTTP SMS Service and select fungo from the SMS platform drop-down list box.

    • Set SMS service type to HTTP SMS Service and select twilio from the SMS platform drop-down list box.

    • Set SMS service type to SMPP SMS Service and select the created SMS platform template from the SMS platform drop-down list box.

  4. Click Test to verify validity of the SMS message sending function.

    • If the test succeeds, the message "The test succeeds" is displayed, and you can receive the test SMS message from iMaster NCE-Campus.
    • If the test fails, the message "Failed to test the SMS serve" is displayed. Perform operations according to the scenarios:
      • If an error code is displayed in the dialog box, check the product documentation of the SMS service provider for the cause of the error, and obtain the troubleshooting method.
      • If no error code is displayed in the dialog box, contact the system administrator to check the URL specified in the SMS server template to see whether the SMS server is reachable.

  5. After the test is successful, click Save.
Parameter Description
Table 5-96 HTTP SMS server

Parameter

Description

SMS platform

SMS template. Administrators can configure an SMS server template to specify an SMS gateway.

By default, the following SMS server connection parameters are pre-configured on iMaster NCE-Campus:

  • fungo: http://qxt.fungo.cn/Recv_center. This is the SMS platform of fungo.cn (Beijing, China).
  • twilio: https://api.twilio.com:8443/2010-04-01/Accounts/{USERNAME}/Messages.json. To use the SMS service provided by twilio, access www.twilio.com and apply for an account.

To use the SMS service provided by another carrier, you can create an SMS platform template as needed.

Account

Account obtained during SMS service application.

Token

Password obtained during SMS service application.

NOTE:

For system and user security purposes, it is recommended that the password provided by a third party meet the complexity requirements.

SMS message signature

Signature of SMS messages.

Send number

Number obtained from the SMS service provider, used to check whether the number for sending SMS messages is correct. This parameter is configurable only when the twilio template is selected.

Inheritance

When this function is enabled and neither the MSP administrator nor the tenant administrator configures an SMS server, the SMS server configured by the system administrator is used. When this function is disabled, MSPs and tenants cannot use the SMS server configured by the system administrator.

Test number

Number for sending a test SMS message. The value can be any available mobile number.

Test SMS message

Content in a test SMS message.
Table 5-97 SMPP SMS server

Parameter

Description

SMS platform

SMS platform template. Administrators can configure an SMS platform template to specify an SMS gateway.

System id

SMS server ID obtained during SMS service application.

Password

Password obtained during SMS service application.

Source number

Number obtained from the SMS service provider, used to check whether the number for sending SMS messages is correct.

Inheritance

When this function is enabled and neither the MSP administrator nor the tenant administrator configures an SMS server, the SMS server configured by the system administrator is used. When this function is disabled, MSPs and tenants cannot use the SMS server configured by the system administrator.

Test number

Number for sending a test SMS message. The value can be any available mobile number.

Test SMS message

Content in a test SMS message.

(Optional) Enabling the HTTP Port

Context

By default, iMaster NCE-Campus supports only the HTTPS protocol. The HTTP protocol may pose security risks and is disabled by default. If you need to configure HTTP for pushing portal pages to end users, enable HTTP ports on the management plane.

For iMaster NCE-Campus V300R019C10SPC205, enable port 8445 on the node in advance. For details, see How Do I Enable Port 8445 When HTTP Is Used for Portal Authentication (iMaster NCE-Campus V300R019C10SPC205)?. Then perform this step to enable the port on the management plane.

Procedure
  1. Log in to the management plane.
  2. Choose Product > Software Management > Deploy Product Software from the main menu, click More > Modify Configurations, set ENABLE_8445(enable ACANginx 8445 Virtual Server or not) to true, and click OK.
  3. Click in the upper right corner to check whether the configuration is successful.

  4. Wait for about 10 minutes, choose Product > System Monitoring from the main menu, click the Service tab, and search for CampusAccesscfgService and SouthboundService. Check whether CampusAccesscfgService and SouthboundService are successfully restarted. If the services are running properly, configure other parameters for pushing portal pages to end users.

(Optional) Enabling the Port for Outdated Device Certificates

Context

During HACA-based Portal authentication, an HTTP/2 channel needs to be established for a device to report its data to iMaster NCE-Campus. When establishing an HTTP/2 channel with a device, iMaster NCE-Campus will check whether the actual device certificate is the same as that on itself. If a switch running V200R008C00 or an earlier version is managed, ensure that the port for legacy device certificates is enabled on the management plane.

Procedure
  1. Log in to the management plane.
  2. Choose Product > Software Management > Deploy Product Software from the main menu, click More > Modify Configurations, set DEVICE_OLD_CERT_ENABLE(enable device old cert or not) to true, and click OK.

  3. Click in the upper right corner to check whether the configuration is successful.

  4. Wait for about 10 minutes, choose Product > System Monitoring from the main menu, click the Service tab, and search for PortalServerService . Check whether PortalServerService is successfully restarted. If the service is running properly, configure other parameters for pushing portal pages to end users.

(Optional) Customizing a Portal Page Pushed to End Users

Context

If iMaster NCE-Campus is used as a portal server and you do not want to use the default push pages, you can customize a portal page. iMaster NCE-Campus provides a set of default portal pages for each authentication mode.

When a tenant administrator creates an SSID, the administrator can decide whether to push an authentication page to end users, set the page push mode, and set the end user login mode. In addition, a tenant administrator can configure a portal page pushing policy to determine which portal page is pushed to end users when the users log in via different modes.

The privacy statement for end users is displayed on the user notice page pushed to end users. Customize portal pages based on actual usage and purpose.

If default portal pages do not satisfy your requirements, you can customize a push page in either of the following ways as a tenant administrator:

  • Customization based on a built-in template:

    In this mode, you need to download a built-in template, customize a portal page, and upload the page. For example, you can modify the content displayed on the pages, supported languages, push protocols, and background images.

    The language of a portal page customized based on a built-in template can be Chinese or English. If you want to support more languages, customize portal pages based on a user-defined template.

  • Customization based on a user-defined template:

    By this way, you can have more space to play. For example, you can customize portal pages in more languages, design the page layout, and configure the content and text layout.

    The language that a push page uses can be Chinese, English, German, or Spanish. On the Language Template tab page, you can choose to configure a portal page in one language, and then configure the content to be displayed on different pages.

Importing a Customized Page Using a Template

Procedure
  1. Choose Admission > Admission Resources > Page Management > Page Customization from the main menu.
  2. Click on the left of the page. In the displayed window, download the template set.

  3. Select the template of the target type from the template set, customize a page using the selected template, and upload the new page.

    When customizing the page content, select a proper template according to Preferred page type and Language. When you upload a template, ensure that the values of Preferred page type and Language are the same as those of the selected template.

    For details about the files in the template set, functions of the files, and customization methods, see the Help information in the downloaded .zip package.

Manually Customizing a Page

Context

After a user-defined template is created, you can add, modify, or delete a control to customize the page style.

There are many limitations when you customize a portal page based on a built-in template, for example, the portal page layout cannot be modified. Therefore, if the page layout needs to be customized or a large number of multimedia elements and images need to be used, portal pages customized based on a built-in template cannot meet users' requirements.

However, when customizing a portal page based on a user-defined template, you can configure these elements using multiple page controls embedded in iMaster NCE-Campus. You can customize the content and style of the page controls. If some controls cannot meet requirements, administrators can edit the controls through the HTML customized editing function provided by iMaster NCE-Campus.

Procedure
  1. Choose Admission > Admission Resources > Page Management > Page Customization from the main menu.
  2. On the Page Customization tab page, click to create a user-defined template.

  3. When customizing a portal page, you can add or delete controls, and drag controls vertically to change the positions of the controls on the page. The height of a control can be modified.

  4. Configure the control style. For each control, you can set the background image, background color, text alignment mode, border thickness, border radius, border color, and margins (padding and margin).

  5. You can customize controls in HTML customized editing mode. The <script></script> tag is not supported in HTML customized editing.

  6. After a page is customized, click Save and Release.
Common Control

After a user-defined portal page template is created, you can adjust the controls displayed on portal pages, for example, add, modify, or delete a control, to adjust the page style.

iMaster NCE-Campus provides 25 controls in total, which are classified into common controls and page controls based on application scenarios. Common controls can be used on all portal pages, and there is no limit on the number of common controls used on each page. Page controls can only be used on the page to which each page control belongs. Only one control of a control type can be configured on each page.

Generally, each time you select a control in Component area, the control is automatically displayed in the page preview, locating at the bottom of the previously configured controls. The control will not display in the page preview only if the page does not support the selected control, or a control of the same type as the selected control has been added on the page (for example, the page background control).

  • Title control

    Generally, a page title is located at the top of the page, and describes the page function. It is defined by a title control. The text content, font, font size, font weight, italic or not, background, hyperlinks, and alignment mode can be customized. A title can contain a maximum of 65535 characters.

    If the font color is set to white, the texts previewed in the text editor are invisible against the white background of the text editor. In this case, select all characters in the text editor and change the front color to make the texts visible.

  • Image control

    An image control is used to add images to pages. You can upload new images and use the images that have been uploaded. A maximum of 20 images can be uploaded on a single portal page. The size of an image cannot exceed 1 MB and the size of all images cannot exceed 4 MB. Images in JPG, PNG, JPEG, BMP, and GIF formats can be uploaded. You can set image links, set the width and height of an image in percentage, and delete an image that has been uploaded.

  • Text control

    A text control is used to provide information that guide users to perform operations. This control can be edited in a similar way as a title control.

  • Background control

    A background control is used to set the background of a portal page. You can set a background color or background image. If both a background image and color are configured, the background image applies. When setting a background image, the checkbox for enabling the background image needs to be selected. Otherwise, the configured background image will not take effect. The background style cannot be customized through a background control.

  • Language control

    A language control is used to change the language in which a portal page is displayed. Using this control, you can customize the language link text, and the portal page to be redirected. You can set a maximum of five language links using one language control.

    The language links specified in a language control must be the portal pages that have been launched. For details about how to customize and launch a portal page, see Example for Portal Page Customization.

  • Boarding control

    A boarding control is used to customize the boarding function on a pushed portal page. It allows users to click the link available on the page to download the boarding client.

Page Control

Eight types of portal pages are supported on iMaster NCE-Campus: user authentication page, authentication success page, user notice page, user registration page, registration success page, password change page, user name verification page, and password reset page. The pages have different controls because they provide different functions. The following controls are supported on these portal pages:

  • Controls on a user authentication page

    A user enters information on the authentication page and sends an authentication request to the authentication server. iMaster NCE-Campus provides ten types of authentication controls based on the supported authentication modes:

    • User name and password authentication control: You can customize whether to add the links for user notice, user registration and password retrieval on the user authentication page. The button labels, control style and placeholders of text boxes can be customized as well.
    • SMS authentication control: You can customize whether to add the link for user notice on the user authentication page. The button labels and placeholders of text boxes can be customized as well.
    • WeChat authentication control: The text, style and image of the authentication button can be customized.
    • Anonymous authentication control: The text, style and image of the authentication button can be customized.
    • Social media authentication control: You can customize whether to display the user notice during social media authentication.
    • Passcode authentication control: You can customize whether to display the user notice during passcode authentication. The text, style and image of the authentication button can be customized as well.
    • Multi-mode authentication control: In this authentication mode, multiple authentication methods can be used together. For example, the user name and password authentication, SMS authentication, passcode authentication, and Facebook authentication can be used together.

      Facebook authentication supports only the HTTPS protocol. When configuring multi-mode authentication, check whether the protocol of the portal page can be supported by Facebook. The placeholders of text boxes and button style can be customized.

    • Username and SMS authentication control: You can customize whether to add the link for user notice on the user authentication page.
    • 2FA authentication control: You can customize whether to add the link for user notice on the user authentication page.
    • 2FA (AD + RSA) authentication control: You can customize whether to add the link for user notice on the user authentication page.
  • Controls on an authentication success page

    Users will be redirected to an authentication success page after successful authentication. The page displays the authentication result and allows users to log out or change their passwords. There are two controls available on this page: authentication success information and authentication success message.

    • Authentication success information: On an authentication success page, information including the user name, remaining data volume, remaining online duration and expiration time along with the password change button and logout button can be customized.
    • Authentication success message: This control defines a message that indicates that user authentication succeeds.
  • Controls on a user notice page

    On the user notice page, rules and information that users need to be aware of when they attempt to connect to the Wi-Fi network are displayed.

    • User notice control: allows you to edit a user notice.
    • Agree button: After a user clicks the agree button, the login page is displayed. The content and style of the button can be customized.
  • Control on a user registration page

    On a user registration page, a user can register an account for authentication. User account registration is available only when the username and password authentication is used.

    • User registration control: The button labels, control style, and placeholders of text boxes can be customized.
  • Control on a registration success page
    • Registration success control: You can customize the style of the buttons and controls that are used to redirect users to the user authentication page.
  • Control on a password change page
    • Password change control: The button labels, control style, and placeholders of text boxes can be customized.
  • Control on a user name verification page
    • User name verification control: The button labels, control style, and placeholders of text boxes can be customized.
  • Control on a password reset page
    • Password reset control: The button labels, control style, and placeholders of text boxes can be customized.

Configuring a Language Template

Context

You can customize the title, button labels, and text boxes on a portal page using a language template, and customize portal pages in different languages using different language templates. By default, iMaster NCE-Campus provides four language templates: Chinese, English, German, and Spanish. If the default language templates do not satisfy your requirements, you can create a language template as needed.

Procedure
  1. Choose Admission > Admission Resources > Page Management > Page Customization from the main menu.
  2. Click the Language Template tab, and click Create. When creating a language template, you can either manually create one or import one.

    • Manual creation: On the web UI of iMaster NCE-Campus, customize the content displayed in all areas on each page.
    • Import: Download a sample Excel template from iMaster NCE-Campus. Then, edit the template, and upload the edited template to iMaster NCE-Campus.

    The following figure uses an authentication page as an example. It shows the mapping between controls on the authentication page and fields specified in a language template.

Example for Portal Page Customization

This section describes how to customize a portal page for user name and password authentication.

Procedure
  1. Choose Admission > Admission Resources > Page Management > Page Customization from the main menu.
  2. On the Page Customization tab page, click to customize a portal page for user name and password authentication.
  3. Set the page name, language template, access protocol, and system template.

    For example, set the page name to username, System template to User Name and Password Template, Language template to English default template, and Access protocol to HTTPS.

    • A default template for authentication page customization is provided for each authentication method, including the user name and password authentication, generic authentication, anonymous authentication, SMS authentication, social media authentication, WeChat portal one key authentication, passcode authentication, one key authentication, and WeChat link authentication.
    • The language template defines the default language of the portal page. For example, if you select an English template, the texts of all controls are displayed in English.

  4. Access the editing page of the created portal page.

  5. Select a page, for example, a user authentication page, and edit controls one by one.
  6. During the editing, you can click Save to save the settings temporarily.

    The settings will be saved to the server. In this step, the page is still a draft and cannot be used as an official user authentication page.

  7. After customizing the portal page for mobile phones, click Customize PC Page on the upper part of the page to customize a portal page for PCs.

    You can customize different portal pages for PCs and mobile phones on iMaster NCE-Campus.

    The authentication modes configured on portal pages for PCs and for mobile phones must be the same. Otherwise, the authentication on one page will fail.

  8. After customizing portal pages for PCs and for mobile phones, click Release in the upper right corner.

    After the pages are successfully launched, the portal page list is displayed.

    After a page is launched, if the page is not configured as a user authentication page or is configured with a portal page push policy, you can still modify the page.

    However, if the page is configured as a user authentication page or is configured with a portal page push policy, you can still modify the page but cannot change the authentication mode.

  9. Select a page from the portal page list to preview the selected page. Both the portal pages for PCs and for mobile phones can be previewed.

    The following figure is the preview of a portal page for mobile phones.

    The following figure is the preview of a portal page for PCs.

    If the pages meet your requirements, you can then set the pages as user authentication pages, configure portal page push policies, and bind an SSID and a portal page push policy to each page.

Configuring a Portal Page Pushing Policy

If iMaster NCE-Campus is used as a portal server, you need to configure portal page pushing policies. iMaster NCE-Campus pushes a specified portal page to end users based on portal page pushing policies.

Context

iMaster NCE-Campus provides default pages of various authentication modes, such as the authentication page and authentication success page. Tenant administrators can configure portal page pushing rules to determine the portal pages to be pushed to end users. If the default pages do not meet the requirements, you can customize pages as needed.

If multiple portal page pushing rules are configured, the portal page pushing policy with the smallest priority value has the highest priority. If the high-priority portal page pushing rule is matched, other policies are not matched.

Procedure
  1. Choose Admission > Admission Resources > Page Management > Portal Page Push Policy from the main menu.
  2. Click Create to create a portal page pushing policy.
Parameter Description
Table 5-98 Portal page pushing policy

Parameter

Description

Push Rule

Push condition. A specified page is pushed for the portal authentication request that meets the pushing condition.

If all the pushing conditions are not set, a portal page is pushed to all devices at the selected site. If multiple conditions are set, portal authentication requests match portal page pushing rules when they met all the conditions.

Authentication mode

Authentication mode. The portal page to be pushed is selected based on the authentication mode. During page customization, different login modes require different page elements.

Push page

Portal page to be pushed. The portal page to be pushed is selected based on the authentication mode. When the default pushed page of the system cannot meet the requirement, you can customize a portal page as prompted.

Each set of portal pages to be pushed contains an authentication page, user notice page, and registration page. A tenant administrator can specify one of them as the first page to be pushed.

First page to push

Portal page to be pushed to users upon first login. The options are as follows:

  • Authentication page.
  • User notice page. This page is unavailable when anonymous authentication is used.
  • Registration page. This page is available only when username and password authentication is used.

Page displayed after successful authentication

Page displayed after a user is authenticated.

  • Page with a specified URL: A user is redirected to the URL specified by a tenant administrator.
NOTE:

In the UC browser of the HD type, the redirected URL can only be an HTTP URL.

If Push mode is set to Fast for the desired portal page when you configure an authentication point, end users cannot be redirected to a specified URL.

  • Do not switch to another page: A user remains on the authentication success page.
  • Continue to access the desired page: When an unauthenticated user attempts to access a website, the user is first redirected to a portal page for authentication and then redirected to the desired website after being authenticated.

(Optional) Configuring an Online Duration or Data Allowance Policy

You can configure a policy to limit the online duration or data allowance of end users. In this case, end users will be forced offline when they reach the online duration or data limit. Such policies are required if end users need to be charged.

Context

In some public areas, the online duration or data allowance of guests needs to be limited. For example, each user can be online for at most one hour a day or is allowed to consume a maximum of 500 MB data. If any of the limits is reached, the user is forced offline.

The policies for limiting the online duration or data allowance take effect only when iMaster NCE-Campus functions as a portal server or RADIUS server. These policies take effect in HACA authentication, Portal2.0 authentication, 802.1X authentication, and MAC address authentication. However, such policies do not take effect in the following scenarios: without authentication, username and password authentication, third-party portal server authentication, or third-party RADIUS server authentication.

This configuration is not required if firewalls function as authentication points.

End users who go online through the terminal identification and automatic terminal admission functions are not added to any user group. Therefore, such policies cannot be configured for these users based on user groups.

Procedure
  1. Choose Admission > Admission Policy > Online User Control > User Control Policy from the main menu.
  2. Click the Traffic and Duration Policy tab. Then, click Create and configure a policy for limiting the online duration or data allowance of users.

  3. (Optional) Choose Admission > Admission Policy > Online User Control > User Control Policy from the main menu.

    1. Click the Maximum Number Of Access Terminals tab, and then click Create to create a user control policy.

    2. After the parameters are set, click to apply the created user control policy to a specific user group or user.

      When creating a user, you can also set the maximum number of access terminals. The maximum number of access terminals configured on different pages takes effect in the following sequence in descending order: Maximum number of access terminals when a user is created > Number of access terminals allocated to the user > Number of access terminals allocated to the user group. If the Maximum number of terminals parameter is disabled when a user is created, the maximum number of access terminals is subject to the configuration in the user control policy. If the Maximum number of terminals parameter is enabled and no restrictions is selected, there will be no limit on the number of access terminals.

Follow-Up Procedure
  1. Choose Admission > Admission Policy > Online User Control > Online User from the main menu to view online users. Tenant administrators can forcibly log out users and export online user data.

    When you click Log Out, selected users are forced offline. If you click Log Out And Disable The Port, selected users are forced offline and the authentication ports to which the users are connected are disabled. When performing this operation, ensure that only one online user is connected to each authentication port. Otherwise, other irrelevant users will be forced offline as well.

    For wireless access users, in policy association scenarios with Eth-Trunk interfaces, when you click Log Out And Disable The Port, users will be forced offline but the Eth-Trunk interfaces will not be disabled.

  2. Choose Admission > Admission Policy > Online User Control > Traffic Duration from the main menu to view the online duration or data allowance of users or terminals. You can reset the allowances as needed. By default, the username, terminal IP address, and terminal MAC address are masked. If you need to view the information, disable terminal data masking on the Configuring a Terminal Privacy Policy page.
Parameter Description
Table 5-99 Online user control policy

Parameter

Description

site

Site where the online user control policy takes effect. If Site Information Matching is disabled in an online user control policy, this policy takes effect at all sites under the tenant. In such cases, user's traffic usage or online duration is controlled on a per-site basis.

User Level/Terminal Level

Whether to configure an online user control policy on a per-user basis or on a per-terminal basis. The following two types of policies are available on each basis.

  • Traffic limit: Limits the total Internet access traffic of users or terminals within a specified period.

    After this policy is enabled, you can set a traffic usage limit for users or terminals within a specified period (every day, every week, every month, or every year) to limit the total Internet access traffic within this period.

  • Duration limit: Limits the total user or terminal online duration within a specified period.

    After this policy is enabled, you can set an online duration limit for users or terminals within a specified period (every day, every week, every month, or every year) to limit the total user online duration within this period.

    When configuring an online duration limit for terminals, you can set a one-time online duration limit. The value is in the range from 5 to 44640, in minutes. This function is disabled by default. After this function is enabled, if the online duration of a terminal exceeds the specified one-time online duration limit, the terminal is forced offline.

NOTE:

The amount of available user traffic and online duration are restricted based on the accounting request packets sent by devices. Since devices send accounting request packets periodically, there may be differences between the configured amount of available user traffic or online duration and that in actual situations.

Assume that:

1. The interval for sending accounting request packets is set to 5 minutes in SSID configuration whereas the interval is set to 10 minutes in online duration control policy configuration.

2. A user or terminal initiates portal authentication at the beginning of the fourth minute in an accounting period.

In this scenario, when a device sends accounting request packets for the first time and the second time, the available online duration of the user is not used up. Therefore, the user or terminal can continue to access the network. When the device sends an accounting request packet for the third time, the system determines that the online duration of the user or terminal exceeds the upper limit, and then restricts the network access of the user or terminal. In this case, the actual online duration of the user or terminal is 12 minutes, rather than 10 minutes specified in the online control policy.

If both traffic-based control and duration-based control are enabled, re-authentication is triggered when either of the conditions is met.

Reset traffic usage and duration:

  • When this function is enabled, after the available traffic and online duration are used up, users can be granted with extra traffic or online duration as configured after re-authentication.
  • When this function is disabled, the user cannot access the network after the granted traffic and minutes are used up.

Allocate User Group

Click and select a user group. The traffic- or duration-based control policies take effect only for users in this user group.

(Optional) Configuring a Portal Template

Context

To simplify the configuration roadmap and facilitate unified management, iMaster NCE-Campus encapsulate authentication parameters into a template. When configuring related services, you can import a template and deliver the parameter values in this template to the configuration object.

When the portal protocol type of the authentication device is set to Portal 2.0, you need to configure a portal template and use the built-in portal server.

Procedure
  1. Choose Design > Basic Network Design > Template Management > Policy Template from the main menu, and select Portal Server.
  2. Click Create, set parameters, and click OK.

Parameter Description
Table 5-100 Policy template (portal server)

Parameter

Description

Name

Unique identifier of the portal server template.

Using Built-in Server

Specify iMaster NCE-Campus as the portal server. If this function is enabled, you can configure either the service manager (SM) or a remote server as the primary or secondary authentication component. The SM is the controller deployed at the headquarters. The default protocol for pushing portal pages is HTTPS. To use HTTP, enable the HTTP port.

IP address

IP address of a third-party portal server. Use commas (,) to separate multiple IP addresses.

Port

Port of a third-party portal server.

URL

Interface URL of a third-party portal server.

Portal user synchronization

Whether to synchronize user information between devices and iMaster NCE-Campus. You can enable this function when Portal 2.0 authentication is configured. The synchronization interval and maximum allowable number of synchronization failures can be set. The synchronization interval is in the range from 20 to 65535, in seconds, and its default value is 300. The maximum allowable number of synchronization failures is in the range from 2 to 255 and its default value is 3.

The synchronization interval multiplied by the maximum allowable number of synchronization failures must be greater than the interval at which the portal server sends synchronization packets to devices. Otherwise, devices will log out users if they do not receive any synchronization packet from the portal server after the maximum allowable number of synchronization failures is reached. The built-in portal server of iMaster NCE-Campus sends synchronization packets at an interval of 3600 seconds.

Key

Shared key of a portal server.

URL parameter profile

URL template (with related parameters specified) associated with a portal server. If an SSID is associated with a Portal server template, the SSID is also associated with this URL template.

(Optional) Configuring a RADIUS Template

Context

To simplify the configuration roadmap and facilitate unified management, iMaster NCE-Campus encapsulate authentication parameters into a template. When configuring related services, you can import a template and deliver the parameter values in this template to the configuration object.

When the portal protocol type of the authentication device is set to Portal 2.0, you need to configure a portal template and use the built-in portal server.

Procedure
  1. Choose Design > Basic Network Design > Template Management > Policy Template from the main menu, and select RADIUS Server.
  2. Click Create, set parameters, and click OK.

    • When configuring an SSID for authentication based on a RADIUS server, you can select this template to specify the RADIUS server associated with the SSID. For details, see Configuring an SSID.
    • Only APs running V200R008C10 and later versions support the Disable RADIUS attributes parameter. The RADIUS attributes supported vary with the AP model. If this parameter is configured in the selected RADIUS template, ensure that the model and version of the target AP meet requirements. Otherwise, the SSID-related service configuration will fail to be delivered. To view RADIUS attributes supported by a device, run the display radius-attribute command in the system view of the device.
    • Only APs running V200R009C00 and later versions support the Set called-station-id attribute value parameter.
    • Only APs running V200R008C00 and later versions support the Real-time accounting parameter.

Parameter Description
Table 5-101 Policy template (RADIUS server)

Parameter

Description

Name

Unique identifier of a RADIUS server template.

Using Built-in Server

Whether to configure iMaster NCE-Campus as a RADIUS server. If this function is enabled, you can configure either the service manager (SM) or a remote server as the primary or secondary authentication component. The SM is the controller deployed at the headquarters.

Primary authentication server address/Port

IP address and port number of the active and standby authentication servers.

Secondary authentication server address/Port

Primary accounting server address/Port

IP address and port number of the active and standby accounting servers.

Secondary accounting server address/Port

Real-time accounting

Whether to enable real-time accounting. After this function is enabled, you can configure a real-time accounting interval. By default, this function is disabled.

Billing reporting cycle

Real-time accounting interval.

Key

Shared key of the RADIUS server. You are advised to periodically change the shared key.

Disable RADIUS attributes

Whether to filter specific attributes in the packets exchanged between the device and the RADIUS server. The default value is OFF, indicating that specific attributes are not filtered.

Disable attributes

-

Click Create and configure a filtering policy.

Attribute name

Click ... and select the names of attributes to be filtered in the displayed dialog box.

Prohibit Sending

The device is disabled from sending packets containing specified RADIUS attributes to the RADIUS server.

Prohibit Receiving

The device is disabled from receiving packets containing specified RADIUS attributes from the RADIUS server.

Service-Type

-

The value of the same RADIUS attribute may vary on RADIUS servers from different vendors. Therefore, RADIUS attribute values need to be modified, so that a Huawei device can successfully communicate with a third-party RADIUS server.

Attribute value

Specifies the value of service-type attribute to be modified.

Option

Sets the user authentication mode to MAC address authentication.

called-station-id

-

After this function is enabled, you can set the called-station-id attribute value, which specifies content encapsulated in the called-station-id attribute of RADIUS packets. Currently, only APs support this function. By default, this function is disabled.

Attribute separator

Content encapsulated in the called-station-id attribute. The value can be ap-mac or ap-location.

Carry SSID attribute

After this function is enabled, the content encapsulated in the called-station-id attribute contains the SSID. By default, this function is disabled.

Attribute delimiter

Delimiter before the SSID when the content encapsulated in the called-station-id attribute contains the SSID.

The value is of enumerated type, and can be \, /, :, <, &gt;, |, @, ', %, *, +, -, &, !, #, ^, and ~. The default value is :.

MAC address format setting

MAC address format in RADIUS packets. The following formats are supported:

  • Mac address case

    MAC address separator

  • Mac address format

Configuring an Authentication Point

Context

After authentication and authorization rules are configured, you need to configure an authentication mode on authentication points. For example, when configuring an SSID on an AP, you need to specify an authentication mode to implement access control on wireless access users. Only one authentication mode can be specified for each SSID. Therefore, the authentication mode for an access user is determined by the SSID selected when the user accesses the Internet. However, multiple SSIDs can be deployed on one AP. Employees and guests access the Internet using different SSIDs and different authentication modes.

Procedure
  1. Select a site.

    1. Choose Provision > Physical Network > Site Configuration from the main menu.
    2. In the displayed window, select a site from the Site drop-down list in the upper left corner.
    3. Choose the Site Configuration tab.

  2. Configure authentication points based on the device type.

    Authentication Point

    Configuration Procedure

    AP
    1. Choose AP > SSID from the navigation pane, click Create, and configure basic information about an SSID.
    2. On the Security Authentication page, set Authentication mode to Open network, Push pages to ON, Page pusher to Built-in authentication by cloud platform, and Push mode to Advanced. Set Login mode to the actual login mode configured on the network. Currently, iMaster NCE-Campus supports ten authentication modes: anonymous authentication, user name and password authentication, SMS authentication, URL-based WeChat authentication, Facebook authentication, twitter authentication, Sina WEIBO authentication, QQ authentication, passcode authentication, and one key authentication.
    3. Set the portal protocol. Currently, HACA and Portal 2.0 are supported. If you set the protocol to Portal 2.0, enable the built-in portal server and RADIUS server in the portal template and RADIUS template, respectively. The Portal 2.0 protocol is a Huawei proprietary protocol. Currently, only CHAP is supported in Portal 2.0. Portal 2.0 is not supported in Huawei public cloud scenarios.
    4. (Optional) If HACA is used, configure the protocol for pushing portal pages to end users. By default, HTTPS is used. If HTTP is required, enable the HTTP port. For details, see (Optional) Enabling the HTTP Port.
    5. (Optional) Configure a survival policy to ensure basic network access when a network fault occurs or the HUAWEI CLOUD platform is being upgraded. Currently, the following survival solutions are supported:
      • Permit access from authenticated users and reject access from new users.
      • Permit user access without authentication.
      • Permit user access without authentication based on a user-defined escape policy. In this solution, you need to configure an escape policy profile.

    AR
    1. Choose AR > SSID from the navigation pane, click Create, and configure basic information about an SSID.
    2. On the Security authentication page, set Authentication mode to OPEN, Push pages (Portal authentication) to ON, Push mode to Advanced. Set Login mode to the actual login mode configured on the network. Currently, iMaster NCE-Campus supports seven authentication modes: user name and password authentication, SMS authentication, anonymous authentication, URL-based WeChat authentication, Facebook authentication, passcode authentication, and one key authentication.
    3. (Optional) If HACA is used, configure the protocol for pushing portal pages to end users. By default, HTTPS is used. If HTTP is required, enable the HTTP port. For details, see (Optional) Enabling the HTTP Port.
    4. (Optional) Configure a survival policy to ensure basic network access when a network fault occurs or the HUAWEI CLOUD platform is being upgraded. Currently, the following survival solutions are supported:
      • Permit access from authenticated users and reject access from new users.
      • Permit user access without authentication.
      • Permit user access without authentication based on a user-defined escape policy. In this solution, you need to configure an escape policy profile.

    Firewall
    1. Choose Firewall > SSID from the navigation pane, click Create, and configure basic information about an SSID.
    2. Set the Page pusher to Authentication built in controller, and select the actual login mode configured on the network. Currently, iMaster NCE-Campus supports nine authentication modes: anonymous authentication, user name and password authentication, SMS authentication, Facebook authentication, twitter authentication, Sina WEIBO authentication, QQ authentication, passcode authentication, and one key authentication.

      If Push page based on source IP address is configured, iMaster NCE-Campus pushes portal pages to the terminals whose IP addresses are in the source IP address list, but not other terminals.

    3. Set the portal protocol. Currently, HACA and Portal 2.0 are supported. If you set the protocol to Portal 2.0, enable the built-in portal server and RADIUS server in the portal template and RADIUS template, respectively. The Portal 2.0 protocol is a Huawei proprietary protocol. Currently, only CHAP is supported in Portal 2.0. Portal 2.0 is not supported in Huawei public cloud scenarios.
    4. (Optional) If HACA is used, configure the protocol for pushing portal pages to end users. By default, HTTPS is used. If HTTP is required, enable the HTTP port. For details, see (Optional) Enabling the HTTP Port.
    5. (Optional) Configure a survival policy to ensure basic network access when a network fault occurs or the HUAWEI CLOUD platform is being upgraded. Currently, the following survival solutions are supported:
      • Permit access from authenticated users and reject access from new users.
      • Permit user access without authentication.
      NOTE:

      A firewall also supports built-in portal anonymous authentication. To use this function, set Page pusher to Authentication built in firewall, and set Redirection page after successful authentication and Idle timeout period.

    Switch
    1. Choose Switch > Authentication from the navigation pane. On the Wired Authentication or Wireless Authentication tab page, click Create.
    2. Set Authentication mode to Open network, Page pusher to Built-in authentication by cloud platform, Push mode to Advanced, and Authentication Policy to the actual login mode configured on the network. Currently, iMaster NCE-Campus supports ten authentication modes: anonymous authentication, user name and password authentication, SMS authentication, URL-based WeChat authentication, Facebook authentication, twitter authentication, Sina WEIBO authentication, QQ authentication, passcode authentication, and one key authentication.
    3. Set the portal protocol. Currently, HACA and Portal 2.0 are supported. If you set the protocol to Portal 2.0, enable the built-in portal server and RADIUS server in the portal template and RADIUS template, respectively. The Portal 2.0 protocol is a Huawei proprietary protocol. Currently, only CHAP is supported in Portal 2.0. Portal 2.0 is not supported in Huawei public cloud scenarios.
    4. (Optional) If HACA is used, configure the protocol for pushing portal pages to end users. By default, HTTPS is used. If HTTP is required, enable the HTTP port. For details, see (Optional) Enabling the HTTP Port.
    5. (Optional) In wired authentication scenarios, if you want APs connected to the switch not to be authenticated, toggle on Enable AP authentication-free on the interface and enable LLDP and automatic AP identification on the Provision > Physical Network > Site Configuration > Site Configuration > Site > Service Parameters.
    6. (Optional) If the terminal to be authenticated uses the IPv6 protocol, enable IPv6 terminal authentication and set an IPv6 URL for the page pushed by the portal server. In such cases, IPv4 URLs are not supported.
    7. (Optional) Configure a survival policy to ensure basic network access when a network fault occurs or the HUAWEI CLOUD platform is being upgraded. Currently, the following survival solutions are supported:
      • Permit access from authenticated users and reject access from new users.
      • Permit user access without authentication.
      • Permit user access without authentication based on a user-defined escape policy. In this solution, you need to configure an escape policy profile.
    NOTE:

    Wireless authentication needs to be configured in the web network management system (NMS). For details, see Configuration &gt; Web-based Configuration in the Wireless Access Controller (AC and Fit AP) Product Document.

    WAC
    1. Choose WAC(Fit AP) > Authentication from the navigation pane. Click add and configure authentication.
    2. Set Authentication mode to Open network, Page pusher to Built-in authentication by cloud platform, Push mode to Advanced, and Authentication Policy to the actual login mode configured on the network. Currently, iMaster NCE-Campus supports ten authentication modes: anonymous authentication, user name and password authentication, SMS authentication, URL-based WeChat authentication, Facebook authentication, twitter authentication, Sina WEIBO authentication, QQ authentication, passcode authentication, and one key authentication.
    3. Set the portal protocol. Currently, HACA and Portal 2.0 are supported. If you set the protocol to Portal 2.0, enable the built-in portal server and RADIUS server in the portal template and RADIUS template, respectively. The Portal 2.0 protocol is a Huawei proprietary protocol. Currently, only CHAP is supported in Portal 2.0. Portal 2.0 is not supported in Huawei public cloud scenarios.
    4. (Optional) If HACA is used, configure the protocol for pushing portal pages to end users. By default, HTTPS is used. If HTTP is required, enable the HTTP port. For details, see (Optional) Enabling the HTTP Port.
    NOTE:

    Configurations of WACs need to be performed in the web system. For details, see Configuration > Web-based Configuration > Authentication Configuration Examples in the Wireless Access Controller (AC and Fit AP) Product Document. When configuring a WAC using the CLI, you need to configure an AAA scheme, an HACA server template, a service scheme, an access profile, and an authentication profile. For details, see Using RADIUS to Perform Authentication, Authorization, and Accounting, Configuring HACA Authentication (Cloud AC), Configuring an Access Profile, and Configuring an Authentication Profile.

    When iMaster NCE-Campus functions as a portal server, you can select an existing portal page and set parameters based on the authentication mode on the page if Push mode is set to Fast.

Configuring an Authentication Rule

Context

Currently, iMaster NCE-Campus supports two portal protocols: HACA and Portal 2.0. The Portal 2.0 protocol is a Huawei proprietary protocol and is supported only in non-NAT private cloud scenarios.

Currently, only Challenge-Handshake Authentication Protocol (CHAP) is supported in the Portal 2.0 protocol. If CHAP is used, passwords are stored in the Chap-Password attribute, and an index value instead of a password is transmitted over the network, which improves security. However, the RADIUS server must know user passwords so that it can calculate password index values and compare them with those carried in authentication requests. The algorithm for password encryption in the Chap-Password attribute is MD5 (chapId + password + chapChallenge).

If the HACA protocol is used, set the authentication mode to User Access Authentication and enable the Portal-HACA protocol. If the Portal 2.0 protocol is used, set the authentication mode to User Access Authentication.

iMaster NCE-Campus provides a default authentication rule default that uses a local data source for authentication. The default template can be modified to use a third-party data source for authentication.

Procedure
  1. Choose Admission > Admission Policy > Authentication And Authorization > Authentication Rules from the main menu.
  2. Click Create to configure an authentication rule. Set the authentication mode to user access authentication. When iMaster NCE-Campus interworks with a third-party device to authenticate users, users will fail to match the authentication rule if the authentication rule defines user authentication based on sites, access device types, or devices.

Parameter Description
Table 5-102 Authentication rule (user access authentication&enable the Portal-HACA protocol)

Parameter

Description

Matching

Condition

User Information

User group

User authentication based on user groups.

Account

User authentication based on user accounts.

Role

User authentication based on user roles.

Location Information

Site

User authentication based on sites.

Admission device group

User authentication based on access device groups.

Access device type

User authentication based on access device types. Currently, the following device types are supported: LSW, AP, WAC, AR, and firewall.

Device

User authentication based on devices.

SSID

User authentication based on SSIDs. This parameter is configurable only when the wireless access mode is configured.

Device type

User authentication based on terminal types.

Operating system

User authentication based on the OS of terminals.

Terminal IP range

User authentication based on terminal IP addresses. This parameter is configurable only when the wired access mode is configured.

Other Information

Time information

User authentication based on time ranges.

Authentication Information

Access Parameters

Access attributes specified for accounts. When Accounts that are not bound to access parameters are not allowed to access the network is enabled, if the access attributes of an account are inconsistent with the ones specified on the controller, the account fails to be authenticated. If Self-learning access parameters is enabled, after an account is authenticated successfully, the access attributes are learned automatically and bound to the user account. If Self-learning access parameters is disabled, you need to bind the user's access attributes to the user account manually on the Admission > Admission Resources > User Management > User Management page.

Currently, the following access attributes are supported:

Device IP address, access VLAN, access port, user MAC address, user IP address, user IMSI, and terminal ESN.

Data sources

Data source used for authentication. You can select either the local data source or an external data source.

Two-Factor Authentication

Two-factor authentication type

Type of the desired two-factor authentication method.

Second data source type

Second authentication source for two-factor authentication. You can specify dynamic SMS verification codes or RADIUS tokens.

Authentication timeout interval in phase 2 (s)

Timeout period for the second phase in two-factor authentication. The value ranges from 60 to 100, in seconds. The default value is 60.
Table 5-103 Authentication rule (user access authentication&disable the Portal-HACA protocol)

Parameter

Description

Matching

Condition

User Information

User group

User authentication based on user groups.

Account

User authentication based on user accounts.

Role

User authentication based on user roles.

Location Information

Site

User authentication based on sites.

Admission device group

User authentication based on access device groups.

Access device type

User authentication based on access device types. Currently, the following device types are supported: LSW, firewall, AP, and WAC.

Device

User authentication based on devices.

SSID

User authentication based on SSIDs. This parameter is configurable only when the wireless access mode is configured.

Device type

User authentication based on terminal types.

Operating system

User authentication based on the OS of terminals.

Terminal IP range

User authentication based on terminal IP addresses. This parameter is configurable only when the wired access mode is configured.

Other Information

Time

User authentication based on time ranges.

Customization Condition

User authentication based on customized conditions. You can select either preset RADIUS attributes or customized RADIUS attributes to match those carried in user accounts.

Authentication Information

Enable RADIUS relay

User authentication based on specified relay server templates.

Access Parameters

Access attributes specified for accounts. When Accounts that are not bound to access parameters are not allowed to access the network is enabled, if the access attributes of an account are inconsistent with the ones specified on the controller, the account fails to be authenticated. If Self-learning access parameters is enabled, after an account is authenticated successfully, the access attributes are learned automatically and bound to the user account. If Self-learning access parameters is disabled, you need to bind the user's access attributes to the user account manually on the Admission > Admission Resources > User Management > User Management page.

Currently, the following access attributes are supported:

Device IP address, access VLAN, access port, user MAC address, user IP address, user IMSI, and terminal ESN.

Data sources

Data source used for authentication. You can select either the local data source or an external data source. This parameter is not supported when the RADIUS relay function is enabled.

Two-Factor Authentication

Two-factor authentication type

Type of the desired two-factor authentication method. Currently, two methods are available: two-factor authentication using accounts and SMS verification code or RADIUS tokens, and two-factor authentication using SSL VPN-enabled firewalls.

Second data source type

Second authentication source for two-factor authentication. You can specify dynamic SMS verification codes or RADIUS tokens. The RADIUS token factor is supported only when the two-factor authentication method is used.

Authentication timeout interval in phase 2 (s)

Timeout period for the second phase in two-factor authentication. The value ranges from 60 to 100, in seconds. The default value is 60.

Authentication protocol

Protocol used for authentication. The options are as follows:

  • PAP
  • CHAP
  • EAP-MD5
  • EAP-PEAP-MSCHAPv2
  • EAP-TLS
  • EAP-PEAP-GTC
  • EAP-TTLS-PAP

PAP must be enabled when LDAP accounts are used for Portal 2.0 authentication, FW SSL VPN authentication, and MAC address authentication. In addition, CHAP must be enabled for Portal 2.0 authentication. If iMaster NCE-Campus functions as an authentication server in other services, enable the required protocol.

One of the EAP-MD5, EAP-PEAP-MSCHAPv2, EAP-TLS, EAP-PEAP-GTC, and EAP-TTLS-PAP protocols can be specified as the preferential protocol used for authentication.

If EAP-PEAP-GTC is used, configure the EAP-GTC plug-in. For details, see EAP-GTC Plug-In.

This parameter is not supported when the RADIUS relay function is enabled.

Advanced options

The Account Does Not Exist

Authentication action performed when an account does not exist. The options are as follows:

  • Continue Processing: The authentication server continues to match the authorization rule and sends a response packet to the authentication device. EAP-PEAP-MSCHAPV2 is not supported in this scenario.
    NOTE:
    • When iMaster NCE-Campus interworks with an AD/LDAP server (without account synchronization), an HTTPS server, or a database, if a user matches an authentication rule but the corresponding user account cannot be found locally, you need to set this parameter to Continue Processing. Otherwise, the authentication fails.
    • When iMaster NCE-Campus interworks with an AD/LDAP server to synchronize user accounts, if a user matches an authentication rule but the corresponding local account does not match an account on the AD/LDAP server (for example, the account on the AD/LADP server contains a domain name but the local account does not), you need to set this parameter to Continue Processing. Otherwise, the authentication fails.
  • No Response Packet Is Sent: The authentication server does not send any response packet to the authentication device.
  • Deny Access: The authentication server sends a response packet to the authentication device, indicating that the access request is denied.

Identity Authentication Failed

Authentication process performed when the use identify fails to be authenticated. The options are as follows:

  • Continue Processing: The authentication server continues to match the authorization rule and sends a response packet to the authentication device. EAP-PEAP-MSCHAPV2 is not supported in this scenario.
  • No Response Packet Is Sent: The authentication server does not send any response packet to the authentication device.
  • Deny Access: The authentication server sends a response packet to the authentication device, indicating that the access request is denied.
Table 5-104 Authentication rule (MAC address authentication)

Parameter

Description

Matching

Condition

User Information

MAC account mapping user group

User authentication based on user groups to which MAC accounts are mapped.

MAC account

User authentication based on MAC accounts.

Role

User authentication based on user roles.

Location Information

Site

User authentication based on sites.

Admission device group

User authentication based on access device groups.

Access device type

User authentication based on access device types. Currently, the following device types are supported: LSW, AP, and WAC.

Device

User authentication based on devices.

SSID

User authentication based on SSIDs. This parameter is configurable only when the wireless access mode is configured.

Device type

User authentication based on terminal types.

Operating system

User authentication based on the OS of terminals.

Terminal IP range

User authentication based on terminal IP addresses. This parameter is configurable only when the wired access mode is configured.

Other Information

Time

User authentication based on time ranges.

Customization Condition

User authentication based on customized conditions. You can select either preset RADIUS attributes or customized RADIUS attributes to match those carried in user accounts.

Authentication Information

Enable RADIUS relay

User authentication based on specified relay server templates.

Access Parameters

Access attributes specified for accounts. When Accounts that are not bound to access parameters are not allowed to access the network is enabled, if the access attributes of an account are inconsistent with the ones specified on the controller, the account fails to be authenticated. If Self-learning access parameters is enabled, after an account is authenticated successfully, the access attributes are learned automatically and bound to the user account. If Self-learning access parameters is disabled, you need to bind the user's access attributes to the user account manually on the Admission > Admission Resources > User Management > User Management page.

Currently, the following access attributes are supported:

Device IP address, access VLAN, access port, user MAC address, user IP address, user IMSI, and terminal ESN.

Advanced options

The Account Does Not Exist

Authentication action performed when an account does not exist. The options are as follows:

  • Continue Processing: The authentication server continues to match the authorization rule and sends a response packet to the authentication device. EAP-PEAP-MSCHAPV2 is not supported in this scenario.
  • No Response Packet Is Sent: The authentication server does not send any response packet to the authentication device.
  • Deny Access: The authentication server sends a response packet to the authentication device, indicating that the access request is denied.

Identity Authentication Failed

Authentication process performed when the use identify fails to be authenticated. The options are as follows:

  • Continue Processing: The authentication server continues to match the authorization rule and sends a response packet to the authentication device. EAP-PEAP-MSCHAPV2 is not supported in this scenario.
  • No Response Packet Is Sent: The authentication server does not send any response packet to the authentication device.
  • Deny Access: The authentication server sends a response packet to the authentication device, indicating that the access request is denied.
Table 5-105 Authentication rule (device administrator authentication)

Parameter

Description

Matching

Condition

User Information

User group

User authentication based on user groups.

Account

User authentication based on user accounts.

Role

User authentication based on user roles.

Location Information

Admission device group

User authentication based on access device groups.

Terminal IP range

User authentication based on terminal IP addresses.

Other Information

Time

User authentication based on time ranges.

Customization Condition

User authentication based on customized conditions. You can select either preset RADIUS attributes or customized RADIUS attributes to match those carried in user accounts.

Authentication Information

Enable RADIUS relay

User authentication based on specified relay server templates.

Access Parameters

Access attributes specified for accounts. When Accounts that are not bound to access parameters are not allowed to access the network is enabled, if the access attributes of an account are inconsistent with the ones specified on the controller, the account fails to be authenticated. If Self-learning access parameters is enabled, after an account is authenticated successfully, the access attributes are learned automatically and bound to the user account. If Self-learning access parameters is disabled, you need to bind the user's access attributes to the user account manually on the Admission > Admission Resources > User Management > User Management page.

Currently, the following access attributes are supported:

Device IP address, access VLAN, access port, user MAC address, user IP address, user IMSI, and terminal ESN.

Data sources

Data source used for authentication. You can select either the local data source or an external data source. This parameter is not supported when the RADIUS relay function is enabled.

Authentication protocol

Protocol used for authentication. The options are as follows:

  • PAP
  • CHAP

This parameter is not supported when the RADIUS relay function is enabled.

Advanced options

The Account Does Not Exist

Authentication action performed when an account does not exist. The options are as follows:

  • Continue Processing: The authentication server continues to match the authorization rule and sends a response packet to the authentication device. EAP-PEAP-MSCHAPV2 is not supported in this scenario.
  • No Response Packet Is Sent: The authentication server does not send any response packet to the authentication device.
  • Deny Access: The authentication server sends a response packet to the authentication device, indicating that the access request is denied.

Identity Authentication Failed

Authentication process performed when the use identify fails to be authenticated. The options are as follows:

  • Continue Processing: The authentication server continues to match the authorization rule and sends a response packet to the authentication device. EAP-PEAP-MSCHAPV2 is not supported in this scenario.
  • No Response Packet Is Sent: The authentication server does not send any response packet to the authentication device.
  • Deny Access: The authentication server sends a response packet to the authentication device, indicating that the access request is denied.

Configuring an Authorization Result

Context

When you configure portal authentication, 802.1X authentication, and MAC address authentication, an authorization result defines the rights assigned to authenticated end users and traffic rate limiting and filtering policies for them. This configuration applies to the scenario where a FW, an AR, an AP, an LSW, or a WAC functions as an authentication point. An authorization result can be configured for a specific user group.

When you configure device administrator authentication, an authorization result defines the rights assigned to authenticated end users and traffic rate limiting and filtering policies for them. This configuration applies to the scenario where a FW, an AR, an AP, an LSW, or a WAC functions as an authentication point. An authorization result can be configured for a specific user group.

iMaster NCE-Campus provides two default authorization results: Permit Access and Deny Access. The two results are bound to all sites to form default templates, which cannot be modified or deleted.

The rights assigned to an authenticated end user are specified by an authorization result. The permissions involve the destination IP address, protocol, and port defined by an ACL, URL permitted or rejected, and uplink or downlink bandwidth of terminals.

SSID-based policy control indicates that the STA connected to an SSID has the corresponding rights. The set of rights specified in an authorization result is dynamically authorized according to the matching policy after an end user is authenticated. The rights assigned to an end user include those specified both in an SSID and an authorization result.

Procedure
  1. Choose Admission > Admission Policy > Authentication And Authorization > Authorization Result from the main menu.
  2. Click Create to create an authorization result. Parameters in an authorization result vary with the device type. For details about the parameters, see Parameter Description at the end of this section.

  3. Click OK to bind the authorization result to sites. You can also select an authorization result, click , and select desired sites to bind them to the result.

Parameter Description
Table 5-106 Authorization result

Parameter

Description

Device management service

Whether to enable device administrator authentication.

NMS login privilege: indicates the login privilege of users who match an authorization rule. The value is in the range from 0 to 15. Only Huawei authentication devices support this parameter.

Custom authorization parameter: indicates the custom authorization parameters for end users who match an authorization rule. The following custom authorization parameters are supported: attribute ID, attribute type, attribute value, and vendor. You can set RADIUS attribute values as needed. For details about the supported RADIUS attributes, see descriptions on the Authorization Results page of the controller web UI.

The following parameters are not supported if Device management service is enabled.

VIP

Whether to ensure preferential access for VIP users. After this function is enabled, you can set Access threshold policy on the AP > Radio page and AP > SSID page, ensuring preferential access for VIP users.

For switches, you can also set the guaranteed bandwidth for VIP users in an application scheduling template on the Design > Basic Network Design > Template Management > Policy Template.

ACL/Dynamic ACL

ACL or dynamic ACL that permits or prevents STAs to access or from accessing specified resources.

  • ACL: ACLs are configured on authentication points. When authorizing users, iMaster NCE-Campus delivers ACL numbers to authentication control devices. The authentication points then match users against ACLs based on the delivered ACL numbers to implement access control.
    NOTE:

    For APs, LSWs, and ARs only. Only ACLs with a specified number are supported. ACLs with a number range are not supported. Wireless users are 3001 to 3031, and wired users are 3001 to 3988.

  • Dynamic ACL: ACLs are configured on iMaster NCE-Campus. When authorizing users, iMaster NCE-Campus dynamically delivers ACLs to authentication points. The authentication points then match users against the delivered ACLs to implement access control.
    NOTE:

    Only Huawei switches support dynamic ACLs. Huawei WLAN devices and devices from other vendors do not support this function.

IPV6 ACL

ACL6 that permits or prevents STAs to access or from accessing specified resources. Only some switch models support ACL6. For details, see the section "acl-id (service scheme view)" in the product documentation of switches.

NOTE:

For LSWs only. Only IPv6 ACLs with a specified number are supported. ACLs with a number range are not supported. Wireless users are 3001 to 3031, and wired users are 3001 to 3999.

Security group

Security group to which STAs matching an authorization rule are dynamically assigned.

URL Filtering

URL filtering mode:

  • Blacklist: User cannot access the websites specified in the URL list.
  • Whitelist: Users can access only the websites specified in the URL list.
NOTE:

This parameter is supported only on APs, excluding central APs.

VLAN

ID of the VLAN to which an end user that matches the authorization rule is assigned. Different control policies can be bound to different VLAN IDs or the same VLAN ID. The value can be a VLAN ID or a VLAN pool. The interfaces that join the VLANs authorized to end users must be hybrid interfaces. To configure interfaces as hybrid interfaces, choose Provision > Physical Network > Site Configuration from the main menu and choose Switch > Interface > Physical Interface from the navigation pane.

Downlink rate (Mbit/s)/Uplink rate (Mbit/s)

Uplink or downlink bandwidth limit for STAs.

Forcible redirection

ACL or URL to which users are forcibly redirected to. This function is available in common authentication, boarding, and CWA authentication services.

  • Forcible redirect ACL: Users are redirected to a specified URL when matching an ACL. The ACL can be either a numbered ACL or a named ACL. A named ACL must start with a character. For a numbered ACL, the number range of IPv4 is from 3000 to 3988 for wired users and from 3000 to 3031 for wireless users, the number range of IPv6 is from 3000 to 3999 for wired users and from 3000 to 3031 for wireless users. Only Huawei devices support this function. The RADIUS attribute name and number corresponding to this function is HW-Redirect-ACL and 173, respectively.
  • Redirect URL: If the forcible redirect URL delivered by the RADIUS server matches the URL template configured on a device, the URL configured in the URL template applies. Otherwise, the URL delivered by the RADIUS server applies. Only Huawei devices support this function. The RADIUS attribute name and number corresponding to this function is HW-Portal-URL and 156, respectively.

DSCP

DSCP for a STA that matches an authorization rule. The differentiated services code point (DSCP) is used to classify the traffic QoS of STAs.

Custom Authorization Parameters

Authorization parameters customized for end users that matches an authorization rule.

The following custom authorization parameters are supported: attribute ID, attribute type, attribute value, and vendor. You can set RADIUS attribute values as needed. For details about the supported RADIUS attributes, see descriptions on the authorization result page of the controller web UI.

Configuring an Authorization Rule

When iMaster NCE-Campus authorizes authenticated users, it grants specific permissions only to the users who hit the specified authorization rules.

iMaster NCE-Campus provides a default authorization rule default with the authorization result Deny Access. You can modify the authorization result in this default template as required.

Context

Authorization results define the rights assigned to authenticated end users. Each authentication rule corresponds to an authentication result. If an authenticated end user matches an authentication rule, the corresponding authorization result applies to the user. If no authorization rule is set, an authorization result is applicable to all authenticated terminals.

Procedure
  1. Choose Admission > Admission Policy > Authentication And Authorization > Authorization Rules from the main menu.
  2. Click Create to create an authorization rule. Set the authentication method to user access authentication. When iMaster NCE-Campus interworks with a third-party device to authenticate users, users will fail to match the authorization rule if the authorization rule defines user authorization based on sites, access device types, or devices.

Parameter Description
Table 5-107 Authorization rule (user access authentication&enable the Portal-HACA protocol)

Parameter

Description

Matching Condition

User Information

User Group

Authenticated users are authorized based on user groups.

Account

Authenticated users are authorized based on accounts.

Role Information

Authenticated users are authorized based on roles.

Location Information

site

Authenticated users are authorized based on sites.

Admission Device Group

Authenticated users are authorized based on access device groups.

Access Device Type

Authenticated users are authorized based on access device types. The following device types are supported: LSW, AP, WAC, AR, and firewall.

Device

Authenticated users are authorized based on devices.

SSID

Authenticated users are authorized based on SSIDs. This parameter is configurable only when the wireless access mode is configured.

Device type

Authenticated users are authorized based on terminal types.

Operating system

Authenticated users are authorized based on OS types of terminals.

Terminal IP Range

Authenticated users are authorized based on terminal IP addresses.

Region

Authenticated users are authorized based on regions.

Other Information

Time

Authenticated users are authorized based on time ranges.

Authentication result

Authorization result that takes effect after successful authentication.
Table 5-108 Authorization rule (user access authentication&disable the Portal-HACA protocol)

Parameter

Description

Matching Condition

User Information

User Group

Authenticated users are authorized based on user groups.

Account

Authenticated users are authorized based on user accounts.

Role Information

Authenticated users are authorized based on user roles.

Location Information

site

Authenticated users are authorized based on sites.

Admission Device Group

Authenticated users are authorized based on access device groups.

Access Device Type

Authenticated users are authorized based on access device types. The following device types are supported: LSW, AP, WAC, and FW.

Device

Authenticated users are authorized based on devices.

SSID

Authenticated users are authorized based on SSIDs. This parameter is configurable only when the wireless access mode is configured.

Device type

Authenticated users are authorized based on terminal types.

Operating system

Authenticated users are authorized based on OS types of terminals.

Terminal IP Range

Authenticated users are authorized based on regions.

Region

Authenticated users are authorized based on terminal IP addresses. This parameter is configurable only when the wired access mode is configured.

Protocol Information

Enable protocol information matching

Authenticated users are authorized based on protocols. Currently, the following protocols are supported:

EEAP-MD5 protocol (Local account)

EAP-PEAP-MSCHAPv2 protocol (Local account, AD, and LDAP)

EAP-TLS protocol (Local account, AD, LDAP)

EAP-PEAP-GTC protocol (Local account, AD, LDAP, and RADIUS Token)

EAP-TTLS-PAP protocol (Local account, AD, and LDAP)

Other Information

Time

Authenticated users are authorized based on time ranges.

Customization Condition

User authorization based on customized conditions. You can select either preset RADIUS attributes or customized RADIUS attributes to match those carried in user accounts.

The Authentication Terminal Has Been Added to the AD Domain

Whether authenticated users using terminals that have been added to AD domains have been authorized.

Authentication result

Authorization result that takes effect after successful authentication.
Table 5-109 Authorization rule (MAC address authentication)

Parameter

Description

Matching Condition

User Information

MAC account mapping user group

Authenticated users are authorized based on user groups.

MAC account

Authenticated users are authorized based on user accounts.

Role Information

Authenticated users are authorized based on user roles.

Location Information

site

Authenticated users are authorized based on sites.

Admission Device Group

Authenticated users are authorized based on access device groups.

Access Device Type

Authenticated users are authorized based on access device types. The following device types are supported: LSW, AP, and WAC.

Device

Authenticated users are authorized based on devices.

SSID

Authenticated users are authorized based on SSIDs. This parameter is configurable only when the wireless access mode is configured.

Device type

Authenticated users are authorized based on terminal types.

Operating system

Authenticated users are authorized based on OS types of terminals.

Terminal IP Range

Authenticated users are authorized based on terminal IP addresses. This parameter is configurable only when the wired access mode is configured.

Region

Authenticated users are authorized based on regions.

Other Information

Time

Authenticated users are authorized based on time ranges.

Customization Condition

User authorization based on customized conditions. You can select either preset RADIUS attributes or customized RADIUS attributes to match those carried in user accounts.

Authentication result

Authorization result that takes effect after successful authentication.
Table 5-110 Authorization rule (device administrator authentication)

Parameter

Description

Matching Condition

User Information

MAC account mapping user group

Authenticated users are authorized based on user groups.

MAC account

Authenticated users are authorized based on user accounts.

Role Information

Authenticated users are authorized based on user roles.

Location Information

Admission Device Group

Authenticated users are authorized based on access device groups.

Region

Authenticated users are authorized based on regions.

Terminal IP Range

Authenticated users are authorized based on terminal IP addresses. This parameter is configurable only when the wired access mode is configured.

Other Information

Time

Authenticated users are authorized based on time ranges.

Customization Condition

User authorization based on customized conditions. You can select either preset RADIUS attributes or customized RADIUS attributes to match those carried in user accounts.

Authentication result

Authorization result that takes effect after successful authentication.

802.1X Authentication

Configuring a User Group and User

Context

In the enterprise employee access scenario, user name, and password authentication can be used to implement end user access. During portal authentication or 802.1X authentication, end users need to enter the following account information.

Authentication Mode

Account Type

Description

User name and password authentication

User

A user name and the password are required for authentication, and need to be preconfigured by tenant administrators on iMaster NCE-Campus. Users need to obtain user names and passwords from tenant administrators.

NOTE:

iMaster NCE-Campus predefines the ~anonymous account (without a password) for anonymous authentication. This account cannot be deleted or modified.
Procedure
  1. Choose Admission > Admission Resources > User Management > User Management > User from the main menu.

    • Click to create a user. You can create users one by one.

    • Select a user group and click Create to create a user. You can create users one by one.

      When creating a user, you are advised to bind an email address or phone number to the user to facilitate password change.

    • Click to import users and user groups. You can use an Excel template to import users and user groups in batches.
    • Click to export users and user groups. After the export task is created, click OK and choose Maintenance > File Management > File Management > Download Task Management > Export File to view and download the task.

Parameter Description
Table 5-111 Creating a user

Parameter

Description

User name

Username and password used by an end user during authentication to connect to a cloud-managed device.

Password

Confirm password

Role

Role attached to the user.

Email

Email address and phone number of a user. When resetting passwords, a user receives a verification code via an email or an SMS message and sets a new password based on the verification code.

Phone number

Max. number of terminals

Maximum number of terminals that can use the same account to connect to the network simultaneously. This parameter does not take effect for HWTACACS authentication access users.

Expiration time

Time when the user account expires. If this parameter is left empty, the account is valid permanently.

Change password upon next login

Whether to change the account password upon next login. If this parameter is enabled, users need to change the initial passwords upon next login. This parameter is valid only for portal authentication. This parameter does not take effect for HWTACACS authentication access users.

Device administrator

Whether the device administrator can use the user name and password set when the account is created to remotely log in to devices for management. This parameter takes effect only for HWTACACS authentication.

Terminals Bound to an Access Device

Terminal IP address

Terminal IP address bound to the user account.

Terminal MAC address

Terminal MAC address bound to the user account. The value must be in the format **-**-**-**-**-**, such as 11-11-11-11-11-11.

Bound terminal ESN

Terminal ESN bound to the user account. The value is a string of 20 characters consisting of uppercase letters (A to Z) and digits, such as 2102310WYGG6EC914846.

SIM/USIM's IMSI

International mobile subscriber identity (IMSI) or SIM card number bound to the user account. The value is a string of 1 to 15 digits. IMSIs are sensitive data. Exercise caution when using IMSIs in case of data leakage.

Binding an Access Device

Access device IP address

IP address of the access device to which a user connects.

Port

Port number of the access device to which a user connects.

VLAN

VLAN of the access device to which a user connects.
Table 5-112 Creating a user group

Parameter

Description

User group name

Name of a user group. A user group contains multiple users. When configuring an access control policy, you can specify the user group to which the policy applies.

(Optional) Attaching a Role to an Account

Context

In addition to user groups, accounts can be managed based on account roles. An account can belong to only one user group but can be attached to multiple roles. Accounts and roles are mapped in a one-to-many manner. Roles can be created manually by an administrator or created automatically during AD/LDAP account synchronization. Roles can be used for authentication, authorization, and security policy allocation.

Procedure
  1. Choose Admission > Admission Resources > User Management > Role Management from the main menu.

    • Click Create to create a role.

    • After the role is created, click next to the role, and click Add to attach the role to a user account, guest account, or MAC account.

    • Click Import to import roles in batches using an Excel template.
    • Click Export All to export information about all roles.

Setting Basic Parameters

Context

Validity periods can be set for user accounts, and expired user accounts can be cleaned up automatically.

You can configure a password policy for user accounts.

Procedure
  1. Choose Admission > Admission Policy > Admission Settings from the main menu.
  2. Click the User Password Policy Configuration tab and modify the password policy for user accounts.

    The password policy allows you to properly set the complexity of your account password, password updating period, and character limitations to prevent your password from being stolen. iMaster NCE-Campus provides a default password policy which you can modify as required.

  3. Click the SMS Verification Code tab, and set SMS verification code length and SMS verification template.

  4. Click the Advanced Parameter tab, and set advanced parameters. The following figure only shows some parameters. For details about other parameters, see Parameter Description at the end of this section.

Parameter Description
Table 5-113 Password policy settings

Parameter

Description

Complexity rule

Password complexity and password length of a user account.

Length range

Validity period

Password validity period of a user account.

  • After the password of an account expires, the account cannot be used to access cloud-managed devices.
  • If the password of an account is about to expire, the system displays a prompt when an end user uses the account to connect to a cloud-managed device. It is recommended that users change the passwords in a timely manner.

Days of notifications before password expiration

Password repetition not allowed (number of times)

Number of recent historical passwords that a user is not allowed to reuse. When changing the password, users cannot reuse previous passwords specified by Password repetition not allowed.

User lockout

Whether to lock user accounts for a specific period. With this function enabled, if a terminal uses an account and password to connect to a cloud-managed device, but the number of consecutive login failures reaches the value of Login failure count in specified times within the period specified by Specified time period, the terminal's account is locked for a period, which is specified by Lockout duration.

Specified time period

Login failure count in specified times

Lockout duration

IP/MAC address binding

Whether to bind an IP address or a MAC address to a user account.
Table 5-114 SMS verification code settings

Parameter

Description

SMS Verification Code Generation Policy

Character types in an SMS verification code sent to users. The options are as follows:

  • Digits
  • Letters
  • Digits + letters
  • Digits + letters + special

SMS verification code length

Length of an SMS verification code sent to a user.

SMS verification template

Template of an SMS verification code sent to a user. After the configuration, the system sends an SMS message based on the settings. All languages supported by the system share a configuration result.
Table 5-115 Advanced parameters

Parameter

Description

Account Validity Allocation

Account validity period extension

Whether to extend the validity period of an account. With this function enabled, after portal authentication-free is configured to implement MAC address-prioritized authentication, if a self-registered user logs in to iMaster NCE-Campus within the account validity period, the validity period of the user account will be extended for a further period from the user login time.

For example, if the validity period of a self-registered user account is set to 1 day, when the user logs in to iMaster NCE-Campus at 8:00 a.m. on 1st September, the account is valid till 8:00 a.m. on 2nd September. If the user logs in to the system again at 12:00 p.m. on 1st September, the account is valid till 12:00 p.m. on 2nd September.

Portal authentication-free

NOTE:

If this function is enabled on the current page, you need to enable the portal authentication-free function in SSID settings of APs or routers, and authentication settings of switches.

Inter-site portal authentication-free

After a terminal connects to an SSID of a site, the terminal can preferentially use the MAC address for authentication. If this function is enabled, the terminal is allowed to connect to the same SSID of other sites and preferentially use the MAC address for authentication.

Portal authentication-free for MAC accounts

Whether to enable MAC address-prioritized portal authentication. If a user uses a MAC account that has passed portal authentication to log in to the controller within the authentication-free validity period, or uses a MAC address that has been recorded on the user management page of the controller, the user can log in to the controller successfully without authentication.

Portal authentication-free extension

After a user passes MAC address authentication and logs in to iMaster NCE-Campus within the validity period, the validity period of the user account will be extended for a further period from the user login time.

Configuration for Expired Accounts

Automatically clear expired users

The Automatically clear expired users parameter indicates whether to automatically delete expired accounts. If this function is enabled, accounts that have expired for specified days are deleted automatically.

Retaining expired users

Timeout Interval of an Offline Device

Timeout period

Device offline duration. When the device offline time exceeds the value of this parameter, the system logs out the online users on the device.

Sensitive data

IMSI export in plaintext

Whether to export IMSIs in clear text.

RADIUS Username Identification Policy

RADIUS username identification rule

Whether to enable RADIUS username identification. If this function is enabled, specified parameters will be carried in RADIUS usernames based on user identification rules. In such cases, the controller can learn the parameter values from RADIUS usernames automatically when RADIUS users go online. Currently, only an IMSI or an ESN can be carried in a RADIUS username. Therefore, if IMSIs or ESNs are specified in authentication rules, you need to enable this function. Currently, the following user identification rules are supported:

ACCOUNT

IMSI@ACCOUNT

IMSI@ESN@ACCOUNT

ESN@ACCOUNT

RADIUS Authentication Transmission Protocol

SSL

SSL for RADIUS authentication. TLSv1.2 is used by default. To set the RADIUS authentication transmission protocol to TLSv1 or TLSv1.1, perform the following operations:

  1. Run the cd /opt/oss/envs/Product-CampusAccountService/20191115134736825/controller/configuration/tlsconfig/ command as the system administrator to access the specified directory. In the preceding command, 20191115134736825 indicates the directory timestamp. Change it based on the site requirements.
  2. Run the vi tlsConfig.properties command as the system administrator to open the tlsConfig.properties file and change enable_tls_config=false to enable_tls_config=true.
  3. If the minimum cluster deployment solution is adopted, the tlsonfig.properties file on each node needs to be modified.
  4. The tenant administrator enables this function on the iMaster NCE-Campus page, select TLSv1 or TLSv1.1, and click OK.

TLSv1 and TLSv1.1 may pose data leakage risks. For security purposes, TLSv1.2 is recommended because it is more secure than TLSv1 and TLSv1.1.

Default self-registration user policy

Subscriber validity period

If third-party devices function as authentication devices, this policy takes effect only when no guest account policy is bound to the portal page specified in the desired portal page push policy. If cloud-managed devices function as authentication devices, this policy takes effect only when no guest account policy is bound to the portal page specified in the desired portal page push policy and the user self-registration function is disabled in the site configuration.

Password validity period

User group

Anonymous authentication

Anonymous authentication

Whether to enable anonymous authentication. If this function is enabled, you need to set network areas where anonymous authentication is allowed.

(Optional) Configuring an Online Duration or Data Allowance Policy

You can configure a policy to limit the online duration or data allowance of end users. In this case, end users will be forced offline when they reach the online duration or data limit. Such policies are required if end users need to be charged.

Context

In some public areas, the online duration or data allowance of guests needs to be limited. For example, each user can be online for at most one hour a day or is allowed to consume a maximum of 500 MB data. If any of the limits is reached, the user is forced offline.

The policies for limiting the online duration or data allowance take effect only when iMaster NCE-Campus functions as a portal server or RADIUS server. These policies take effect in HACA authentication, Portal2.0 authentication, 802.1X authentication, and MAC address authentication. However, such policies do not take effect in the following scenarios: without authentication, username and password authentication, third-party portal server authentication, or third-party RADIUS server authentication.

This configuration is not required if firewalls function as authentication points.

End users who go online through the terminal identification and automatic terminal admission functions are not added to any user group. Therefore, such policies cannot be configured for these users based on user groups.

Procedure
  1. Choose Admission > Admission Policy > Online User Control > User Control Policy from the main menu.
  2. Click the Traffic and Duration Policy tab. Then, click Create and configure a policy for limiting the online duration or data allowance of users.

  3. (Optional) Choose Admission > Admission Policy > Online User Control > User Control Policy from the main menu.

    1. Click the Maximum Number Of Access Terminals tab, and then click Create to create a user control policy.

    2. After the parameters are set, click to apply the created user control policy to a specific user group or user.

      When creating a user, you can also set the maximum number of access terminals. The maximum number of access terminals configured on different pages takes effect in the following sequence in descending order: Maximum number of access terminals when a user is created > Number of access terminals allocated to the user > Number of access terminals allocated to the user group. If the Maximum number of terminals parameter is disabled when a user is created, the maximum number of access terminals is subject to the configuration in the user control policy. If the Maximum number of terminals parameter is enabled and no restrictions is selected, there will be no limit on the number of access terminals.

Follow-Up Procedure
  1. Choose Admission > Admission Policy > Online User Control > Online User from the main menu to view online users. Tenant administrators can forcibly log out users and export online user data.

    When you click Log Out, selected users are forced offline. If you click Log Out And Disable The Port, selected users are forced offline and the authentication ports to which the users are connected are disabled. When performing this operation, ensure that only one online user is connected to each authentication port. Otherwise, other irrelevant users will be forced offline as well.

    For wireless access users, in policy association scenarios with Eth-Trunk interfaces, when you click Log Out And Disable The Port, users will be forced offline but the Eth-Trunk interfaces will not be disabled.

  2. Choose Admission > Admission Policy > Online User Control > Traffic Duration from the main menu to view the online duration or data allowance of users or terminals. You can reset the allowances as needed. By default, the username, terminal IP address, and terminal MAC address are masked. If you need to view the information, disable terminal data masking on the Configuring a Terminal Privacy Policy page.
Parameter Description
Table 5-116 Online user control policy

Parameter

Description

site

Site where the online user control policy takes effect. If Site Information Matching is disabled in an online user control policy, this policy takes effect at all sites under the tenant. In such cases, user's traffic usage or online duration is controlled on a per-site basis.

User Level/Terminal Level

Whether to configure an online user control policy on a per-user basis or on a per-terminal basis. The following two types of policies are available on each basis.

  • Traffic limit: Limits the total Internet access traffic of users or terminals within a specified period.

    After this policy is enabled, you can set a traffic usage limit for users or terminals within a specified period (every day, every week, every month, or every year) to limit the total Internet access traffic within this period.

  • Duration limit: Limits the total user or terminal online duration within a specified period.

    After this policy is enabled, you can set an online duration limit for users or terminals within a specified period (every day, every week, every month, or every year) to limit the total user online duration within this period.

    When configuring an online duration limit for terminals, you can set a one-time online duration limit. The value is in the range from 5 to 44640, in minutes. This function is disabled by default. After this function is enabled, if the online duration of a terminal exceeds the specified one-time online duration limit, the terminal is forced offline.

NOTE:

The amount of available user traffic and online duration are restricted based on the accounting request packets sent by devices. Since devices send accounting request packets periodically, there may be differences between the configured amount of available user traffic or online duration and that in actual situations.

Assume that:

1. The interval for sending accounting request packets is set to 5 minutes in SSID configuration whereas the interval is set to 10 minutes in online duration control policy configuration.

2. A user or terminal initiates portal authentication at the beginning of the fourth minute in an accounting period.

In this scenario, when a device sends accounting request packets for the first time and the second time, the available online duration of the user is not used up. Therefore, the user or terminal can continue to access the network. When the device sends an accounting request packet for the third time, the system determines that the online duration of the user or terminal exceeds the upper limit, and then restricts the network access of the user or terminal. In this case, the actual online duration of the user or terminal is 12 minutes, rather than 10 minutes specified in the online control policy.

If both traffic-based control and duration-based control are enabled, re-authentication is triggered when either of the conditions is met.

Reset traffic usage and duration:

  • When this function is enabled, after the available traffic and online duration are used up, users can be granted with extra traffic or online duration as configured after re-authentication.
  • When this function is disabled, the user cannot access the network after the granted traffic and minutes are used up.

Allocate User Group

Click and select a user group. The traffic- or duration-based control policies take effect only for users in this user group.

(Optional) Configuring a Customization Condition

Context

RADIUS attributes, that is the Attribute field in RADIUS packets carry authentication, authorization, and accounting information. iMaster NCE-Campus supports Huawei, Cisco, and IETF standard RADIUS attributes and also user-defined RADIUS attributes. You can define the logical relationships among multiple user-defined attributes and use them as the customization condition in authentication and authorization rules.

Procedure
  1. Choose Admission > Admission Policy > Authentication And Authorization > Policy Element from the main menu.
  2. (Optional) To use your own RADIUS attributes, click the RADIUS Attribute tab and click Create.

  3. Click the Customization Condition tab and create a custom condition.

Follow-Up Procedure

After a custom condition is configured, you can reference it in an authentication or authorization rule.

Parameter Description
Table 5-117 RADIUS attribute parameters

Parameter

Description

Vendor ID

ID of the RADIUS attribute.

Vendor

Vendor of the RADIUS attribute.

Attribute ID

ID of the RADIUS attribute.

Attribute Nam

Name of the RADIUS attribute.

Attribute Type

Type of the RADIUS attribute. The options are as follows:

  • Integer
  • Character string
  • Hexadecimal
  • IP address
Table 5-118 Customization condition parameters

Parameter

Description

Name

Name of a customization condition.

Logical Relationship

Logical relationships among multiple attributes. The options are as follows:

  • Or
  • And

Attribute List

List of configured attributes. The list contains the following fields:

  • Name
  • Attribute Type
  • Operator
  • Attribute Value

Configuring a RADIUS Template

Context

When configuring related services, you can set required parameters for configuration objects using templates.

To use iMaster NCE-Campus as a RADIUS server, you need to configure a RADIUS template and enable Using Built-in Server in the template.

Procedure
  1. Choose Design > Basic Network Design > Template Management > Policy Template from the main menu, and select RADIUS Server.
  2. Click Create, set parameters, and click OK.

    • When configuring an SSID for authentication based on a RADIUS server, you can select this template to specify the RADIUS server associated with the SSID. For details, see Configuring an SSID.
    • Only APs running V200R008C10 and later versions support the Disable RADIUS attributes parameter. The RADIUS attributes supported vary with the AP model. If this parameter is configured in the selected RADIUS template, ensure that the model and version of the target AP meet requirements. Otherwise, the SSID-related service configuration will fail to be delivered. To view RADIUS attributes supported by a device, run the display radius-attribute command in the system view of the device.
    • Only APs running V200R009C00 and later versions support the Set called-station-id attribute value parameter.
    • Only APs running V200R008C00 and later versions support the Real-time accounting parameter.

Parameter Description
Table 5-119 Policy template (RADIUS server)

Parameter

Description

Name

Unique identifier of a RADIUS server template.

Using Built-in Server

Whether to configure iMaster NCE-Campus as a RADIUS server. If this function is enabled, you can configure either the service manager (SM) or a remote server as the primary or secondary authentication component. The SM is the controller deployed at the headquarters.

Primary authentication server address/Port

IP address and port number of the active and standby authentication servers.

Secondary authentication server address/Port

Primary accounting server address/Port

IP address and port number of the active and standby accounting servers.

Secondary accounting server address/Port

Real-time accounting

Whether to enable real-time accounting. After this function is enabled, you can configure a real-time accounting interval. By default, this function is disabled.

Billing reporting cycle

Real-time accounting interval.

Key

Shared key of the RADIUS server. You are advised to periodically change the shared key.

Disable RADIUS attributes

Whether to filter specific attributes in the packets exchanged between the device and the RADIUS server. The default value is OFF, indicating that specific attributes are not filtered.

Disable attributes

-

Click Create and configure a filtering policy.

Attribute name

Click ... and select the names of attributes to be filtered in the displayed dialog box.

Prohibit Sending

The device is disabled from sending packets containing specified RADIUS attributes to the RADIUS server.

Prohibit Receiving

The device is disabled from receiving packets containing specified RADIUS attributes from the RADIUS server.

Service-Type

-

The value of the same RADIUS attribute may vary on RADIUS servers from different vendors. Therefore, RADIUS attribute values need to be modified, so that a Huawei device can successfully communicate with a third-party RADIUS server.

Attribute value

Specifies the value of service-type attribute to be modified.

Option

Sets the user authentication mode to MAC address authentication.

called-station-id

-

After this function is enabled, you can set the called-station-id attribute value, which specifies content encapsulated in the called-station-id attribute of RADIUS packets. Currently, only APs support this function. By default, this function is disabled.

Attribute separator

Content encapsulated in the called-station-id attribute. The value can be ap-mac or ap-location.

Carry SSID attribute

After this function is enabled, the content encapsulated in the called-station-id attribute contains the SSID. By default, this function is disabled.

Attribute delimiter

Delimiter before the SSID when the content encapsulated in the called-station-id attribute contains the SSID.

The value is of enumerated type, and can be \, /, :, <, &gt;, |, @, ', %, *, +, -, &, !, #, ^, and ~. The default value is :.

MAC address format setting

MAC address format in RADIUS packets. The following formats are supported:

  • Mac address case

    MAC address separator

  • Mac address format

Configuring an Authentication Point

Context

After the authentication and authorization rules are configured, you need to configure the authentication mode on the authentication point. For example, when configuring an SSID on an AP, you need to specify an authentication mode to implement access control on wireless access users. Only one authentication mode can be specified for each SSID. Therefore, the authentication mode for an access user is determined by the SSID selected when the user accesses the Internet. However, multiple SSIDs can be deployed on one AP. Employees and guests access the Internet using different SSIDs and different authentication modes.

When iMaster NCE-Campus is used as a RADIUS server, the value-added features of the RADIUS service must be installed.

Procedure
  1. Select a site.

    1. Choose Provision > Physical Network > Site Configuration from the main menu.
    2. In the displayed window, select a site from the Site drop-down list in the upper left corner.
    3. Choose the Site Configuration tab.

  2. Configure authentication points based on the device type.

    Authentication Point

    Configuration Procedure

    AP
    1. Choose AP > SSID from the navigation pane, click Create, and configure basic information about an SSID.
    2. On the Security Authentication page, set Authentication mode to Secure network, select an encryption mode, and specify a RADIUS server using a RADIUS template.
    3. (Optional) Configure a survival policy to ensure basic network access when a network fault occurs or the HUAWEI CLOUD platform is being upgraded. Currently, the following survival solutions are supported:
      • Permit access from authenticated users and reject access from new users.
      • Permit user access without authentication.
      • Permit user access without authentication based on a user-defined escape policy. In this solution, you need to configure an escape policy profile.

    Switch
    1. Choose Switch > Authentication from the navigation pane. On the Wired Authentication or Wireless Authentication tab page, click Create.
    2. Set Authentication mode to Secure network and specify a RADIUS server using a RADIUS template.
    3. Set Interface access mode and Terminal access mode. Currently, the following access modes are supported:
      • Allow multi-terminal access under interface and Multi-terminal authenticated access: An interface allows multiple users to go online. In this mode, the device authenticates each user. If the authentication succeeds, the device grants independent network access rights to the user. That is, if a user goes offline, other users are not affected.

        Allow multi-terminal access under interface and Only the first terminal needs authentication access: An interface allows multiple users to go online. In this mode, the device authenticates only the first go-online user. If the authentication succeeds, subsequent users share the network access permission of the first user. If the first user goes offline, other users go offline accordingly.

      • Allow single-terminal access under interface and Single-terminal access: An interface allows only one user to go online.

        Allow single-terminal access under interface and Single common terminal accesses through voice terminal: An interface allows only one data user and one voice user to go online. This mode applies to the scenario where a data user accesses the network through a voice terminal.

    4. (Optional) Configure MAC authentication bypass.

      If dumb terminals such as PCs, printers, and fax machines are connected to the interfaces of an access device and only 802.1X authentication is configured, printers and fax machines will fail to be authenticated. In this scenario, you can configure MAC authentication bypass, so dumb terminals that do not support 802.1X authentication can access the Internet using MAC address authentication.

    5. (Optional) Configure a survival policy to ensure basic network access when a network fault occurs or the HUAWEI CLOUD platform is being upgraded. Currently, the following survival solutions are supported:
      • Permit access from authenticated users and reject access from new users.
      • Permit user access without authentication.
      • Permit user access without authentication based on a user-defined escape policy. In this solution, you need to configure an escape policy profile.
    NOTE:

    Wireless authentication needs to be configured in the web system. For details, see Configuration > Web-based Configuration in the Wireless Access Controller (AC and Fit AP) Product Document.

    WAC
    1. Choose WAC(Fit AP) > Authentication from the navigation pane. Click add and configure authentication.
    2. Set Authentication mode to Secure network, and specify a RADIUS server using a RADIUS template.
      NOTE:

      WAC configuration needs to be performed in the web system. For details, see Configuration > Web-based Configuration in the Wireless Access Controller (AC and Fit AP) Product Document.

Configuring an Authentication Rule

Authentication rules can be configured to authenticate clients and users on the network to ensure network security.

iMaster NCE-Campus provides a default authentication rule default that uses a local data source for authentication. The default template can be modified to use a third-party data source for authentication.

When configuring 802.1X authentication, set the authentication mode to User Access Authentication. When configuring MAC address authentication, set the authentication mode to MAC Address Authentication.

Authentication Rule Matching

Administrators can configure authentication rules based on network requirements. End users who access the network can be authenticated successfully after matching authentication rules. One or more parameters can be configured in an authentication rule, and the relationship between the parameters is AND. For example, configure an authentication rule named test and specify site1 and group1 in the rule. When an end user attempts to access the network, if the user belongs to group1 and accesses the network through the authentication point at site1, the user will be authenticated successfully. Otherwise, the user fails the authentication. The following figure shows the authentication procedure.

Figure 5-11 Authentication procedure

Neither the device MAC address nor the flag indicating wired or wireless access is carried in test-aaa packets. Currently, the system uses the access type (wired or wireless) to match authentication rules. By default, such test-aaa packets match authentication rules that allow wired and wireless access.

Context

You can configure multiple authentication rules to generate an authentication scheme. The authentication scheme defines the authentication rules used for user authentication. If multiple authentication schemes are configured, the authentication scheme with the smallest priority value has the highest priority. If the high-priority authentication scheme is matched, other schemes are not matched.

Procedure
  1. Choose Admission > Admission Policy > Authentication And Authorization > Authentication Rules from the main menu.
  2. Click Create to configure an authentication rule. When iMaster NCE-Campus interworks with a third-party device to authenticate users, users will fail to match the authentication rule if the authentication rule defines user authentication based on sites, access device types, or devices.

Parameter Description
Table 5-120 Authentication rule (user access authentication&enable the Portal-HACA protocol)

Parameter

Description

Matching

Condition

User Information

User group

User authentication based on user groups.

Account

User authentication based on user accounts.

Role

User authentication based on user roles.

Location Information

Site

User authentication based on sites.

Admission device group

User authentication based on access device groups.

Access device type

User authentication based on access device types. Currently, the following device types are supported: LSW, AP, WAC, AR, and firewall.

Device

User authentication based on devices.

SSID

User authentication based on SSIDs. This parameter is configurable only when the wireless access mode is configured.

Device type

User authentication based on terminal types.

Operating system

User authentication based on the OS of terminals.

Terminal IP range

User authentication based on terminal IP addresses. This parameter is configurable only when the wired access mode is configured.

Other Information

Time information

User authentication based on time ranges.

Authentication Information

Access Parameters

Access attributes specified for accounts. When Accounts that are not bound to access parameters are not allowed to access the network is enabled, if the access attributes of an account are inconsistent with the ones specified on the controller, the account fails to be authenticated. If Self-learning access parameters is enabled, after an account is authenticated successfully, the access attributes are learned automatically and bound to the user account. If Self-learning access parameters is disabled, you need to bind the user's access attributes to the user account manually on the Admission > Admission Resources > User Management > User Management page.

Currently, the following access attributes are supported:

Device IP address, access VLAN, access port, user MAC address, user IP address, user IMSI, and terminal ESN.

Data sources

Data source used for authentication. You can select either the local data source or an external data source.

Two-Factor Authentication

Two-factor authentication type

Type of the desired two-factor authentication method.

Second data source type

Second authentication source for two-factor authentication. You can specify dynamic SMS verification codes or RADIUS tokens.

Authentication timeout interval in phase 2 (s)

Timeout period for the second phase in two-factor authentication. The value ranges from 60 to 100, in seconds. The default value is 60.
Table 5-121 Authentication rule (user access authentication&disable the Portal-HACA protocol)

Parameter

Description

Matching

Condition

User Information

User group

User authentication based on user groups.

Account

User authentication based on user accounts.

Role

User authentication based on user roles.

Location Information

Site

User authentication based on sites.

Admission device group

User authentication based on access device groups.

Access device type

User authentication based on access device types. Currently, the following device types are supported: LSW, firewall, AP, and WAC.

Device

User authentication based on devices.

SSID

User authentication based on SSIDs. This parameter is configurable only when the wireless access mode is configured.

Device type

User authentication based on terminal types.

Operating system

User authentication based on the OS of terminals.

Terminal IP range

User authentication based on terminal IP addresses. This parameter is configurable only when the wired access mode is configured.

Other Information

Time

User authentication based on time ranges.

Customization Condition

User authentication based on customized conditions. You can select either preset RADIUS attributes or customized RADIUS attributes to match those carried in user accounts.

Authentication Information

Enable RADIUS relay

User authentication based on specified relay server templates.

Access Parameters

Access attributes specified for accounts. When Accounts that are not bound to access parameters are not allowed to access the network is enabled, if the access attributes of an account are inconsistent with the ones specified on the controller, the account fails to be authenticated. If Self-learning access parameters is enabled, after an account is authenticated successfully, the access attributes are learned automatically and bound to the user account. If Self-learning access parameters is disabled, you need to bind the user's access attributes to the user account manually on the Admission > Admission Resources > User Management > User Management page.

Currently, the following access attributes are supported:

Device IP address, access VLAN, access port, user MAC address, user IP address, user IMSI, and terminal ESN.

Data sources

Data source used for authentication. You can select either the local data source or an external data source. This parameter is not supported when the RADIUS relay function is enabled.

Two-Factor Authentication

Two-factor authentication type

Type of the desired two-factor authentication method. Currently, two methods are available: two-factor authentication using accounts and SMS verification code or RADIUS tokens, and two-factor authentication using SSL VPN-enabled firewalls.

Second data source type

Second authentication source for two-factor authentication. You can specify dynamic SMS verification codes or RADIUS tokens. The RADIUS token factor is supported only when the two-factor authentication method is used.

Authentication timeout interval in phase 2 (s)

Timeout period for the second phase in two-factor authentication. The value ranges from 60 to 100, in seconds. The default value is 60.

Authentication protocol

Protocol used for authentication. The options are as follows:

  • PAP
  • CHAP
  • EAP-MD5
  • EAP-PEAP-MSCHAPv2
  • EAP-TLS
  • EAP-PEAP-GTC
  • EAP-TTLS-PAP

PAP must be enabled when LDAP accounts are used for Portal 2.0 authentication, FW SSL VPN authentication, and MAC address authentication. In addition, CHAP must be enabled for Portal 2.0 authentication. If iMaster NCE-Campus functions as an authentication server in other services, enable the required protocol.

One of the EAP-MD5, EAP-PEAP-MSCHAPv2, EAP-TLS, EAP-PEAP-GTC, and EAP-TTLS-PAP protocols can be specified as the preferential protocol used for authentication.

If EAP-PEAP-GTC is used, configure the EAP-GTC plug-in. For details, see EAP-GTC Plug-In.

This parameter is not supported when the RADIUS relay function is enabled.

Advanced options

The Account Does Not Exist

Authentication action performed when an account does not exist. The options are as follows:

  • Continue Processing: The authentication server continues to match the authorization rule and sends a response packet to the authentication device. EAP-PEAP-MSCHAPV2 is not supported in this scenario.
    NOTE:
    • When iMaster NCE-Campus interworks with an AD/LDAP server (without account synchronization), an HTTPS server, or a database, if a user matches an authentication rule but the corresponding user account cannot be found locally, you need to set this parameter to Continue Processing. Otherwise, the authentication fails.
    • When iMaster NCE-Campus interworks with an AD/LDAP server to synchronize user accounts, if a user matches an authentication rule but the corresponding local account does not match an account on the AD/LDAP server (for example, the account on the AD/LADP server contains a domain name but the local account does not), you need to set this parameter to Continue Processing. Otherwise, the authentication fails.
  • No Response Packet Is Sent: The authentication server does not send any response packet to the authentication device.
  • Deny Access: The authentication server sends a response packet to the authentication device, indicating that the access request is denied.

Identity Authentication Failed

Authentication process performed when the use identify fails to be authenticated. The options are as follows:

  • Continue Processing: The authentication server continues to match the authorization rule and sends a response packet to the authentication device. EAP-PEAP-MSCHAPV2 is not supported in this scenario.
  • No Response Packet Is Sent: The authentication server does not send any response packet to the authentication device.
  • Deny Access: The authentication server sends a response packet to the authentication device, indicating that the access request is denied.
Table 5-122 Authentication rule (MAC address authentication)

Parameter

Description

Matching

Condition

User Information

MAC account mapping user group

User authentication based on user groups to which MAC accounts are mapped.

MAC account

User authentication based on MAC accounts.

Role

User authentication based on user roles.

Location Information

Site

User authentication based on sites.

Admission device group

User authentication based on access device groups.

Access device type

User authentication based on access device types. Currently, the following device types are supported: LSW, AP, and WAC.

Device

User authentication based on devices.

SSID

User authentication based on SSIDs. This parameter is configurable only when the wireless access mode is configured.

Device type

User authentication based on terminal types.

Operating system

User authentication based on the OS of terminals.

Terminal IP range

User authentication based on terminal IP addresses. This parameter is configurable only when the wired access mode is configured.

Other Information

Time

User authentication based on time ranges.

Customization Condition

User authentication based on customized conditions. You can select either preset RADIUS attributes or customized RADIUS attributes to match those carried in user accounts.

Authentication Information

Enable RADIUS relay

User authentication based on specified relay server templates.

Access Parameters

Access attributes specified for accounts. When Accounts that are not bound to access parameters are not allowed to access the network is enabled, if the access attributes of an account are inconsistent with the ones specified on the controller, the account fails to be authenticated. If Self-learning access parameters is enabled, after an account is authenticated successfully, the access attributes are learned automatically and bound to the user account. If Self-learning access parameters is disabled, you need to bind the user's access attributes to the user account manually on the Admission > Admission Resources > User Management > User Management page.

Currently, the following access attributes are supported:

Device IP address, access VLAN, access port, user MAC address, user IP address, user IMSI, and terminal ESN.

Advanced options

The Account Does Not Exist

Authentication action performed when an account does not exist. The options are as follows:

  • Continue Processing: The authentication server continues to match the authorization rule and sends a response packet to the authentication device. EAP-PEAP-MSCHAPV2 is not supported in this scenario.
  • No Response Packet Is Sent: The authentication server does not send any response packet to the authentication device.
  • Deny Access: The authentication server sends a response packet to the authentication device, indicating that the access request is denied.

Identity Authentication Failed

Authentication process performed when the use identify fails to be authenticated. The options are as follows:

  • Continue Processing: The authentication server continues to match the authorization rule and sends a response packet to the authentication device. EAP-PEAP-MSCHAPV2 is not supported in this scenario.
  • No Response Packet Is Sent: The authentication server does not send any response packet to the authentication device.
  • Deny Access: The authentication server sends a response packet to the authentication device, indicating that the access request is denied.
Table 5-123 Authentication rule (device administrator authentication)

Parameter

Description

Matching

Condition

User Information

User group

User authentication based on user groups.

Account

User authentication based on user accounts.

Role

User authentication based on user roles.

Location Information

Admission device group

User authentication based on access device groups.

Terminal IP range

User authentication based on terminal IP addresses.

Other Information

Time

User authentication based on time ranges.

Customization Condition

User authentication based on customized conditions. You can select either preset RADIUS attributes or customized RADIUS attributes to match those carried in user accounts.

Authentication Information

Enable RADIUS relay

User authentication based on specified relay server templates.

Access Parameters

Access attributes specified for accounts. When Accounts that are not bound to access parameters are not allowed to access the network is enabled, if the access attributes of an account are inconsistent with the ones specified on the controller, the account fails to be authenticated. If Self-learning access parameters is enabled, after an account is authenticated successfully, the access attributes are learned automatically and bound to the user account. If Self-learning access parameters is disabled, you need to bind the user's access attributes to the user account manually on the Admission > Admission Resources > User Management > User Management page.

Currently, the following access attributes are supported:

Device IP address, access VLAN, access port, user MAC address, user IP address, user IMSI, and terminal ESN.

Data sources

Data source used for authentication. You can select either the local data source or an external data source. This parameter is not supported when the RADIUS relay function is enabled.

Authentication protocol

Protocol used for authentication. The options are as follows:

  • PAP
  • CHAP

This parameter is not supported when the RADIUS relay function is enabled.

Advanced options

The Account Does Not Exist

Authentication action performed when an account does not exist. The options are as follows:

  • Continue Processing: The authentication server continues to match the authorization rule and sends a response packet to the authentication device. EAP-PEAP-MSCHAPV2 is not supported in this scenario.
  • No Response Packet Is Sent: The authentication server does not send any response packet to the authentication device.
  • Deny Access: The authentication server sends a response packet to the authentication device, indicating that the access request is denied.

Identity Authentication Failed

Authentication process performed when the use identify fails to be authenticated. The options are as follows:

  • Continue Processing: The authentication server continues to match the authorization rule and sends a response packet to the authentication device. EAP-PEAP-MSCHAPV2 is not supported in this scenario.
  • No Response Packet Is Sent: The authentication server does not send any response packet to the authentication device.
  • Deny Access: The authentication server sends a response packet to the authentication device, indicating that the access request is denied.

Configuring an Authorization Result

Context

When you configure portal authentication, 802.1X authentication, and MAC address authentication, an authorization result defines the rights assigned to authenticated end users and traffic rate limiting and filtering policies for them. This configuration applies to the scenario where a FW, an AR, an AP, an LSW, or a WAC functions as an authentication point. An authorization result can be configured for a specific user group.

When you configure device administrator authentication, an authorization result defines the rights assigned to authenticated end users and traffic rate limiting and filtering policies for them. This configuration applies to the scenario where a FW, an AR, an AP, an LSW, or a WAC functions as an authentication point. An authorization result can be configured for a specific user group.

iMaster NCE-Campus provides two default authorization results: Permit Access and Deny Access. The two results are bound to all sites to form default templates, which cannot be modified or deleted.

The rights assigned to an authenticated end user are specified by an authorization result. The permissions involve the destination IP address, protocol, and port defined by an ACL, URL permitted or rejected, and uplink or downlink bandwidth of terminals.

SSID-based policy control indicates that the STA connected to an SSID has the corresponding rights. The set of rights specified in an authorization result is dynamically authorized according to the matching policy after an end user is authenticated. The rights assigned to an end user include those specified both in an SSID and an authorization result.

Procedure
  1. Choose Admission > Admission Policy > Authentication And Authorization > Authorization Result from the main menu.
  2. Click Create to create an authorization result. Parameters in an authorization result vary with the device type. For details about the parameters, see Parameter Description at the end of this section.

  3. Click OK to bind the authorization result to sites. You can also select an authorization result, click , and select desired sites to bind them to the result.

Parameter Description
Table 5-124 Authorization result

Parameter

Description

Device management service

Whether to enable device administrator authentication.

NMS login privilege: indicates the login privilege of users who match an authorization rule. The value is in the range from 0 to 15. Only Huawei authentication devices support this parameter.

Custom authorization parameter: indicates the custom authorization parameters for end users who match an authorization rule. The following custom authorization parameters are supported: attribute ID, attribute type, attribute value, and vendor. You can set RADIUS attribute values as needed. For details about the supported RADIUS attributes, see descriptions on the Authorization Results page of the controller web UI.

The following parameters are not supported if Device management service is enabled.

VIP

Whether to ensure preferential access for VIP users. After this function is enabled, you can set Access threshold policy on the AP > Radio page and AP > SSID page, ensuring preferential access for VIP users.

For switches, you can also set the guaranteed bandwidth for VIP users in an application scheduling template on the Design > Basic Network Design > Template Management > Policy Template.

ACL/Dynamic ACL

ACL or dynamic ACL that permits or prevents STAs to access or from accessing specified resources.

  • ACL: ACLs are configured on authentication points. When authorizing users, iMaster NCE-Campus delivers ACL numbers to authentication control devices. The authentication points then match users against ACLs based on the delivered ACL numbers to implement access control.
    NOTE:

    For APs, LSWs, and ARs only. Only ACLs with a specified number are supported. ACLs with a number range are not supported. Wireless users are 3001 to 3031, and wired users are 3001 to 3988.

  • Dynamic ACL: ACLs are configured on iMaster NCE-Campus. When authorizing users, iMaster NCE-Campus dynamically delivers ACLs to authentication points. The authentication points then match users against the delivered ACLs to implement access control.
    NOTE:

    Only Huawei switches support dynamic ACLs. Huawei WLAN devices and devices from other vendors do not support this function.

IPV6 ACL

ACL6 that permits or prevents STAs to access or from accessing specified resources. Only some switch models support ACL6. For details, see the section "acl-id (service scheme view)" in the product documentation of switches.

NOTE:

For LSWs only. Only IPv6 ACLs with a specified number are supported. ACLs with a number range are not supported. Wireless users are 3001 to 3031, and wired users are 3001 to 3999.

Security group

Security group to which STAs matching an authorization rule are dynamically assigned.

URL Filtering

URL filtering mode:

  • Blacklist: User cannot access the websites specified in the URL list.
  • Whitelist: Users can access only the websites specified in the URL list.
NOTE:

This parameter is supported only on APs, excluding central APs.

VLAN

ID of the VLAN to which an end user that matches the authorization rule is assigned. Different control policies can be bound to different VLAN IDs or the same VLAN ID. The value can be a VLAN ID or a VLAN pool. The interfaces that join the VLANs authorized to end users must be hybrid interfaces. To configure interfaces as hybrid interfaces, choose Provision > Physical Network > Site Configuration from the main menu and choose Switch > Interface > Physical Interface from the navigation pane.

Downlink rate (Mbit/s)/Uplink rate (Mbit/s)

Uplink or downlink bandwidth limit for STAs.

Forcible redirection

ACL or URL to which users are forcibly redirected to. This function is available in common authentication, boarding, and CWA authentication services.

  • Forcible redirect ACL: Users are redirected to a specified URL when matching an ACL. The ACL can be either a numbered ACL or a named ACL. A named ACL must start with a character. For a numbered ACL, the number range of IPv4 is from 3000 to 3988 for wired users and from 3000 to 3031 for wireless users, the number range of IPv6 is from 3000 to 3999 for wired users and from 3000 to 3031 for wireless users. Only Huawei devices support this function. The RADIUS attribute name and number corresponding to this function is HW-Redirect-ACL and 173, respectively.
  • Redirect URL: If the forcible redirect URL delivered by the RADIUS server matches the URL template configured on a device, the URL configured in the URL template applies. Otherwise, the URL delivered by the RADIUS server applies. Only Huawei devices support this function. The RADIUS attribute name and number corresponding to this function is HW-Portal-URL and 156, respectively.

DSCP

DSCP for a STA that matches an authorization rule. The differentiated services code point (DSCP) is used to classify the traffic QoS of STAs.

Custom Authorization Parameters

Authorization parameters customized for end users that matches an authorization rule.

The following custom authorization parameters are supported: attribute ID, attribute type, attribute value, and vendor. You can set RADIUS attribute values as needed. For details about the supported RADIUS attributes, see descriptions on the authorization result page of the controller web UI.

Configuring an Authorization Rule

When iMaster NCE-Campus authorizes authenticated users, it grants specific permissions only to the users who hit the specified authorization rules.

iMaster NCE-Campus provides a default authorization rule default with the authorization result Deny Access. You can modify the authorization result in this default template as required.

Context

Authorization results define the rights assigned to authenticated end users. Each authentication rule corresponds to an authentication result. If an authenticated end user matches an authentication rule, the corresponding authorization result applies to the user. If no authorization rule is set, an authorization result is applicable to all authenticated terminals.

Procedure
  1. Choose Admission > Admission Policy > Authentication And Authorization > Authorization Rules from the main menu.
  2. Click Create to create an authorization rule. Set the authentication method to user access authentication. When iMaster NCE-Campus interworks with a third-party device to authenticate users, users will fail to match the authorization rule if the authorization rule defines user authorization based on sites, access device types, or devices.

Parameter Description
Table 5-125 Authorization rule (user access authentication&enable the Portal-HACA protocol)

Parameter

Description

Matching Condition

User Information

User Group

Authenticated users are authorized based on user groups.

Account

Authenticated users are authorized based on accounts.

Role Information

Authenticated users are authorized based on roles.

Location Information

site

Authenticated users are authorized based on sites.

Admission Device Group

Authenticated users are authorized based on access device groups.

Access Device Type

Authenticated users are authorized based on access device types. The following device types are supported: LSW, AP, WAC, AR, and firewall.

Device

Authenticated users are authorized based on devices.

SSID

Authenticated users are authorized based on SSIDs. This parameter is configurable only when the wireless access mode is configured.

Device type

Authenticated users are authorized based on terminal types.

Operating system

Authenticated users are authorized based on OS types of terminals.

Terminal IP Range

Authenticated users are authorized based on terminal IP addresses.

Region

Authenticated users are authorized based on regions.

Other Information

Time

Authenticated users are authorized based on time ranges.

Authentication result

Authorization result that takes effect after successful authentication.
Table 5-126 Authorization rule (user access authentication&disable the Portal-HACA protocol)

Parameter

Description

Matching Condition

User Information

User Group

Authenticated users are authorized based on user groups.

Account

Authenticated users are authorized based on user accounts.

Role Information

Authenticated users are authorized based on user roles.

Location Information

site

Authenticated users are authorized based on sites.

Admission Device Group

Authenticated users are authorized based on access device groups.

Access Device Type

Authenticated users are authorized based on access device types. The following device types are supported: LSW, AP, WAC, and FW.

Device

Authenticated users are authorized based on devices.

SSID

Authenticated users are authorized based on SSIDs. This parameter is configurable only when the wireless access mode is configured.

Device type

Authenticated users are authorized based on terminal types.

Operating system

Authenticated users are authorized based on OS types of terminals.

Terminal IP Range

Authenticated users are authorized based on regions.

Region

Authenticated users are authorized based on terminal IP addresses. This parameter is configurable only when the wired access mode is configured.

Protocol Information

Enable protocol information matching

Authenticated users are authorized based on protocols. Currently, the following protocols are supported:

EEAP-MD5 protocol (Local account)

EAP-PEAP-MSCHAPv2 protocol (Local account, AD, and LDAP)

EAP-TLS protocol (Local account, AD, LDAP)

EAP-PEAP-GTC protocol (Local account, AD, LDAP, and RADIUS Token)

EAP-TTLS-PAP protocol (Local account, AD, and LDAP)

Other Information

Time

Authenticated users are authorized based on time ranges.

Customization Condition

User authorization based on customized conditions. You can select either preset RADIUS attributes or customized RADIUS attributes to match those carried in user accounts.

The Authentication Terminal Has Been Added to the AD Domain

Whether authenticated users using terminals that have been added to AD domains have been authorized.

Authentication result

Authorization result that takes effect after successful authentication.
Table 5-127 Authorization rule (MAC address authentication)

Parameter

Description

Matching Condition

User Information

MAC account mapping user group

Authenticated users are authorized based on user groups.

MAC account

Authenticated users are authorized based on user accounts.

Role Information

Authenticated users are authorized based on user roles.

Location Information

site

Authenticated users are authorized based on sites.

Admission Device Group

Authenticated users are authorized based on access device groups.

Access Device Type

Authenticated users are authorized based on access device types. The following device types are supported: LSW, AP, and WAC.

Device

Authenticated users are authorized based on devices.

SSID

Authenticated users are authorized based on SSIDs. This parameter is configurable only when the wireless access mode is configured.

Device type

Authenticated users are authorized based on terminal types.

Operating system

Authenticated users are authorized based on OS types of terminals.

Terminal IP Range

Authenticated users are authorized based on terminal IP addresses. This parameter is configurable only when the wired access mode is configured.

Region

Authenticated users are authorized based on regions.

Other Information

Time

Authenticated users are authorized based on time ranges.

Customization Condition

User authorization based on customized conditions. You can select either preset RADIUS attributes or customized RADIUS attributes to match those carried in user accounts.

Authentication result

Authorization result that takes effect after successful authentication.
Table 5-128 Authorization rule (device administrator authentication)

Parameter

Description

Matching Condition

User Information

MAC account mapping user group

Authenticated users are authorized based on user groups.

MAC account

Authenticated users are authorized based on user accounts.

Role Information

Authenticated users are authorized based on user roles.

Location Information

Admission Device Group

Authenticated users are authorized based on access device groups.

Region

Authenticated users are authorized based on regions.

Terminal IP Range

Authenticated users are authorized based on terminal IP addresses. This parameter is configurable only when the wired access mode is configured.

Other Information

Time

Authenticated users are authorized based on time ranges.

Customization Condition

User authorization based on customized conditions. You can select either preset RADIUS attributes or customized RADIUS attributes to match those carried in user accounts.

Authentication result

Authorization result that takes effect after successful authentication.

MAC Address Authentication

Creating a MAC Account

Context

If dumb terminals such as printers and phones are connected to a network, you are advised to use the following methods to implement MAC address authentication:

Authentication Mode

Account Type

Description

MAC address authentication

MAC

The MAC address list is provisioned by a tenant administrator on iMaster NCE-Campus in advance.
Procedure
  1. Choose Admission > Admission Resources > User Management > User Management > MAC Account from the main menu.

    • Click Create to create a MAC account.

Parameter Description
Table 5-129 Creating a MAC account

Parameter

Description

MAC Account Name

MAC account name.

MAC address list

List of MAC addresses that can be accessed by end users.

User Group

User group to which the MAC account belongs.

Role

Role attached to the MAC account.

Terminals Bound to an Access Device

Terminal IP address

Terminal IP address bound to the user account.

Bound terminal ESN

Terminal ESN bound to the user account. The value is a string of 20 characters consisting of uppercase letters (A to Z) and digits, such as 2102310WYGG6EC914846.

SIM/USIM's IMSI

SIM card or IMSI bound to an account. The value is a string of 1 to 15 characters consisting of digits (0-9). IMSIs are sensitive data. Exercise caution when using IMSIs in case of data leakage.

Bind an access device

Access device IP address

IP address of the access device to which a user connects.