Disabling Access Control on Devices
If a large number of users cannot be authenticated (for example, while the authentication server is unreachable), you can temporarily disable access control on the access devices so that services are not affected.
When access control is disabled, every user, authenticated or not, can reach post-authentication domain resources. Evaluate this risk before disabling access control, and restore the original configuration as soon as authentication is working again.
Eudemon/USG Series Firewalls (SACG Earlier Versions)
The following table lists the product models and matching versions of Eudemon/USG series firewalls running earlier versions.
Product Model | Version
---|---
Eudemon 100E | V200R007C03SPC001
Eudemon 200S | V200R007C03SPC001
Eudemon 200 | V200R001C03SPC001
Eudemon 300/500/1000 | V200R006C02SPC001
USG2130 | V100R005C00SPC500
USG2200 | V100R005C00SPC500
USG5100 | V100R005C00SPC500
USG5500 | V200R001C00SPC600
ACL 3099, which holds the rules of the pre-authentication domain, is matched before the access control function on the firewall, and in these versions it can still be edited after association with the controller is enabled. To disable access control on the firewall, add rule 0 with the action permit to ACL 3099: rule 0 has the lowest rule ID, so it is matched before every other rule and permits all traffic.
- Check the ACL rules of role 0 (the pre-authentication domain). If rule 1000 permit ip is present, the emergency channel has already been enabled and end users can access the network without being authenticated; you do not need to disable access control on the firewall.
```
<USG> display right-manager role-id 0 rule
Advanced ACL 3099, 5 rules, not binding with vpn-instance
Acl's step is 1
 rule 1000 permit ip (1280 times matched)
 rule 1001 permit ip destination 172.18.11.221 0 (581 times matched)
 rule 1002 permit ip destination 172.18.11.223 0 (77 times matched)
 rule 1003 permit ip destination 172.19.0.0 0.0.255.255 (0 times matched)
 rule 1004 deny ip (507759 times matched)
```
- If the emergency channel is not enabled (no rule 1000 permit ip), add rule 0 permit ip to ACL 3099 to permit network access from all end users.
```
<USG> system-view
[USG] acl 3099
[USG-acl-adv-3099] rule 0 permit ip
```
Eudemon/USG Series Firewalls (SACG Later Versions)
The following table lists the product models and matching versions of Eudemon/USG series firewalls running later versions.
Product Model | Version
---|---
USG2130 | 
USG2200 | 
USG5500 | 
Different from earlier versions, ACL 3099 for the pre-authentication domain cannot be edited after association with the controller is enabled. In the interworking (right-manager) view, a policy takes precedence over the access control rules, so to disable access control on the firewall you configure a policy with the action permit in that view.
As in earlier versions, check whether the emergency channel has been enabled on the firewall before configuring the policy.
- Check the ACL rules of role 0 (the pre-authentication domain). If rule 1000 permit ip is present, the emergency channel has already been enabled and end users can access the network without being authenticated; you do not need to disable access control on the firewall.
```
<USG> display right-manager role-id 0 rule
Advanced ACL 3099, 5 rules, not binding with vpn-instance
Acl's step is 1
 rule 1000 permit ip (1280 times matched)
 rule 1001 permit ip destination 172.18.11.221 0 (581 times matched)
 rule 1002 permit ip destination 172.18.11.223 0 (77 times matched)
 rule 1003 permit ip destination 172.19.0.0 0.0.255.255 (0 times matched)
```
- If the emergency channel is not enabled, create a policy that permits network access from all end users (source any, destination any, action permit).
```
<USG> system-view
[USG] policy right-manager
[USG-policy-rightmanager] policy 999
[USG-policy-rightmanager-999] policy source any
[USG-policy-rightmanager-999] policy destination any
[USG-policy-rightmanager-999] action permit
```
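Both procedures above start with the same check on the role 0 ACL, and the matched counters in the display output are also the quickest way to confirm, after the incident, that the firewall is enforcing again. The following Python is an added example, not part of this page or of the device software: it parses the `display right-manager role-id 0 rule` output transcribed from the page (the sample text is constructed from it; the rule names and the three states the classifier returns are this example's own choices) and reports whether the pre-authentication domain is enforced, running on the emergency channel, or has a manually added permit-any rule. It relies on the ordering the page describes: rules are matched in ascending rule-ID order, so the first unqualified `ip` rule decides what an unauthenticated user can reach.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, transcribed from the page's "display right-manager role-id 0 rule"
# output (role 0 = pre-authentication domain).
SAMPLE_EMERGENCY = """\
Advanced ACL 3099, 5 rules, not binding with vpn-instance
Acl's step is 1
 rule 1000 permit ip (1280 times matched)
 rule 1001 permit ip destination 172.18.11.221 0 (581 times matched)
 rule 1002 permit ip destination 172.18.11.223 0 (77 times matched)
 rule 1003 permit ip destination 172.19.0.0 0.0.255.255 (0 times matched)
 rule 1004 deny ip (507759 times matched)
"""

# Same ACL without the emergency channel rule: access control is enforced.
SAMPLE_ENFORCED = SAMPLE_EMERGENCY.replace(" rule 1000 permit ip (1280 times matched)\n", "")

# Enforced ACL after an operator added "rule 0 permit ip" (earlier-version procedure).
SAMPLE_DISABLED = SAMPLE_ENFORCED + " rule 0 permit ip (0 times matched)\n"

# One rule line: "rule <id> <permit|deny> <proto> [qualifiers] [(<n> times matched)]"
RULE_RE = re.compile(
    r"^\s*rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"(?P<qual>.*?)\s*(?:\((?P<hits>\d+) times matched\))?\s*$"
)


@dataclass
class Rule:
    rule_id: int
    action: str
    protocol: str
    qualifiers: str  # e.g. "destination 172.19.0.0 0.0.255.255"; empty means any
    hits: int


def parse_rules(output: str) -> List[Rule]:
    """Extract the rule lines from the display output; header lines are ignored."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append(Rule(int(m["id"]), m["action"], m["proto"],
                          m["qual"].strip(), int(m["hits"] or 0)))
    return rules


def assess(rules: List[Rule]) -> str:
    """Classify the pre-authentication ACL by its first unqualified 'ip' rule.

    Rules are evaluated in ascending rule-ID order and the first match wins:
      'emergency-channel'  rule 1000 permit ip, set by the controller
      'access-control-off' a permit-any rule numbered below 1000 (manually added)
      'enforced'           a deny ip catch-all is reached first
      'no-catch-all'       no unqualified ip rule at all (inspect by hand)
    """
    for r in sorted(rules, key=lambda x: x.rule_id):
        if r.protocol != "ip" or r.qualifiers:
            continue
        if r.action == "deny":
            return "enforced"
        return "emergency-channel" if r.rule_id == 1000 else "access-control-off"
    return "no-catch-all"


def audit(output: str) -> str:
    return assess(parse_rules(output))


if __name__ == "__main__":
    for name, text in [("emergency", SAMPLE_EMERGENCY),
                       ("enforced", SAMPLE_ENFORCED),
                       ("disabled", SAMPLE_DISABLED)]:
        print(f"{name:10s} -> {audit(text)}")
```

Feed it the captured output of each firewall after the incident: any device still reporting `access-control-off` has a leftover `rule 0 permit ip` that must be removed by hand, and a rising hit counter on that rule shows unauthenticated traffic is still flowing through it.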
Wired Switches (802.1X and Portal)
When the wired 802.1X or Portal access control solution is used, you can either configure an authentication-free rule that permits all destinations or remove the authentication configuration from the authentication interfaces.
Method 1 (recommended): Configure an authentication-free rule profile. A free rule with destination any exempts every destination from authentication for all users on the interfaces that use this profile.
```
[HUAWEI] free-rule-template name default_free_rule
[HUAWEI-free-rule-default_free_rule] free-rule 0 destination any
```
Method 2: Delete the authentication configuration from the authentication interface. If authentication is enabled on multiple interfaces, run the following commands on each of them.
```
[HUAWEI] interface GigabitEthernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo authentication-profile
```
Wireless WAC (802.1X)
When the wireless 802.1X access control solution is used, the only option is to delete the authentication configuration from the corresponding VAP profile. Note that this also unbinds the security profile from the VAP, so the SSID falls back to the default security profile; check what that default provides before running the commands.
```
<WAC> system-view
[WAC] wlan
[WAC-wlan-view] vap-profile name xxx                 // xxx indicates the VAP profile name.
[WAC-wlan-vap-prof-xxx] undo authentication-profile
[WAC-wlan-vap-prof-xxx] undo security-profile
[WAC-wlan-vap-prof-xxx] quit
[WAC-wlan-view] commit                               // Required in V200R010 and earlier versions.
```
Wireless WAC (Portal)
When the wireless Portal access control solution is used, you can either configure an authentication-free rule that permits all destinations or remove the authentication configuration from the corresponding VAP profile.
If only one WAC on the network provides the Portal access control function, disable Portal access control on that WAC.
If multiple WACs on the network provide the Portal access control function, disable Portal access control on all of them. (In a multi-link solution, load-balance information is displayed in the output of the display current-configuration command.)
If two WACs work in dual-system hot standby (VRRP information is displayed in the output of the display current-configuration command), disable Portal access control on the master WAC, that is, the one whose status is master or active in the output of the display vrrp command.
Method 1 (recommended): Configure an authentication-free rule profile.
```
[HUAWEI] free-rule-template name xxx        // Create an authentication-free rule profile. xxx indicates the profile name.
[HUAWEI-free-rule-xxx] free-rule 0 destination any
```
Method 2: Delete the authentication configuration from the corresponding VAP profile.
```
<WAC> system-view
[WAC] wlan
[WAC-wlan-view] vap-profile name xxx                 // xxx indicates the VAP profile name.
[WAC-wlan-vap-prof-xxx] undo authentication-profile
[WAC-wlan-vap-prof-xxx] quit
[WAC-wlan-view] commit                               // Required in V200R010 and earlier versions.
```
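Each of the switch and WAC methods above leaves a distinct trace in the running configuration: a free rule with `destination any`, an access interface without an `authentication-profile`, or a VAP profile without one. The Python below is an added example, not code from this page or from the device software: it walks a `display current-configuration` style text (the fragment is constructed for the example and only approximates VRP layout; the profile and interface names are invented) and reports those three bypass patterns against an operator-supplied baseline of interfaces and VAP profiles that are supposed to enforce authentication. It serves both the wired and the wireless sections.

```python
import re
from typing import Dict, List

# Constructed configuration fragment in VRP style (not from a real device): a switch
# with 802.1X on one access port, and a WAC with two VAP profiles, one of which has
# already had "undo authentication-profile" applied.
SAMPLE_CONFIG = """\
#
free-rule-template name default_free_rule
 free-rule 0 destination any
#
interface GigabitEthernet0/0/1
 authentication-profile dot1x_access
#
interface GigabitEthernet0/0/2
#
wlan
 security-profile name employee_sec
 vap-profile name employee
  ssid-profile employee_ssid
  security-profile employee_sec
  authentication-profile dot1x_access
 vap-profile name guest
  ssid-profile guest_ssid
#
"""

# "free-rule <n> destination any": authentication exempted for every destination.
FREE_ALL_RE = re.compile(r"^free-rule\s+\d+\s+destination\s+any\b")


def audit_config(config: str, access_interfaces: List[str], vap_profiles: List[str]) -> List[str]:
    """Report where authentication is bypassed or missing.

    access_interfaces / vap_profiles are the baseline: the ports and VAP profiles that
    are supposed to enforce 802.1X or Portal authentication on this device.
    """
    findings: List[str] = []
    iface_auth: Dict[str, bool] = {}
    vap_auth: Dict[str, bool] = {}
    ctx = None  # ("free-rule" | "interface" | "vap", name) for the block being read

    for raw in config.splitlines():
        text = raw.strip()
        if not text:
            continue
        if text == "#":              # '#' closes the current configuration block
            ctx = None
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:              # top-level view header
            if text.startswith("free-rule-template name "):
                ctx = ("free-rule", text.split()[-1])
            elif text.startswith("interface "):
                ctx = ("interface", text.split(None, 1)[1])
                iface_auth.setdefault(ctx[1], False)
            else:
                ctx = None
            continue
        if text.startswith("vap-profile name "):   # sub-view one level under wlan
            ctx = ("vap", text.split()[-1])
            vap_auth.setdefault(ctx[1], False)
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "vap" and indent < 2:
            ctx = None               # back at wlan level: a sibling profile, not this VAP
            continue
        if kind == "free-rule" and FREE_ALL_RE.match(text):
            findings.append(f"free-rule-template {name}: '{text}' exempts every destination from authentication")
        elif kind in ("interface", "vap") and text.startswith("authentication-profile "):
            (iface_auth if kind == "interface" else vap_auth)[name] = True

    for iface in access_interfaces:
        if not iface_auth.get(iface):
            findings.append(f"interface {iface}: no authentication-profile bound")
    for vap in vap_profiles:
        if not vap_auth.get(vap):
            findings.append(f"vap-profile {vap}: no authentication-profile bound")
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG,
                          ["GigabitEthernet0/0/1", "GigabitEthernet0/0/2"],
                          ["employee", "guest"]):
        print(f)
```

The baseline matters: an uplink or a management VAP legitimately has no authentication profile, so only list the ports and SSIDs that carried 802.1X or Portal before the outage. Run the audit again after you restore the configuration; an empty result is the signal that the emergency bypass is fully removed.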