
access-context profile enable

Function

The access-context profile enable command enables the user context identification function.

The undo access-context profile enable command disables the user context identification function.

By default, the user context identification function is disabled.

Format

access-context profile enable

undo access-context profile enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

User context refers to association information of a user, such as the user name, user VLAN, and access interface.

To simplify the authentication server configuration, the administrator can add the users with the same network access rights to the same user context profile based on the user context, and configure the network access rights for the users based on the user context profile. When a user goes online after the user context identification function is enabled, the device can identify the user context information and add the user to the corresponding context profile based on the identification result.
  • If the user is authenticated successfully, the authentication server can assign the network access rights mapping the user context profile to the user based on the user context reported by the device.
  • If the user fails to be authenticated, the device assigns the user the network access rights of each pre-authentication phase, which are bound to the context profile in the user authentication event authorization policy.

For example, on some enterprise networks, VLANs are used to divide the entire network into different areas with various security levels. The administrator requires that a user should obtain different network access rights when the user connects to the network from different areas. In this case, the user context identification function can be enabled on access devices, and a group of VLANs that belong to the same area are added to the same user context profile. The administrator then assigns the mapping network access rights to different user context profiles based on the security level of each area. When a user connects to the network from different areas, the user is added to different user context profiles matching their access VLANs and therefore obtains different network access rights.

Follow-up Procedure

  1. In the system view, run the access-context profile name profile-name command to create a user context profile.

  2. In the user context profile view, run the if-match vlan-id { start-vlan-id [ to end-vlan-id ] } &<1-10> command to configure the user identification policy based on VLAN IDs.
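The following Python model, added here as an illustration and not Huawei code, shows what the identification logic in the usage scenario and follow-up procedure amounts to: it parses `if-match vlan-id { start-vlan-id [ to end-vlan-id ] } &<1-10>` entries for each `access-context profile name` block, resolves a user's access VLAN to a profile, and looks up the profile-bound rights for the authenticated and pre-authentication phases. The configuration snippet, the rights tables and the rule that overlapping VLAN ranges across profiles are rejected are constructed assumptions; the page does not state how the device resolves a VLAN that matches more than one profile.

```python
"""Model of VLAN-based user context identification (constructed example, not Huawei code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_MATCH_ENTRIES = 10               # the &<1-10> in the if-match vlan-id syntax
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094   # valid 802.1Q VLAN IDs


@dataclass
class ContextProfile:
    """A user context profile holding the VLAN ranges configured with if-match vlan-id."""
    name: str
    vlan_ranges: List[Tuple[int, int]] = field(default_factory=list)

    def matches(self, vlan_id: int) -> bool:
        return any(lo <= vlan_id <= hi for lo, hi in self.vlan_ranges)


def parse_if_match_vlan(line: str) -> List[Tuple[int, int]]:
    """Parse 'if-match vlan-id 10 to 20 30' into [(10, 20), (30, 30)] with range checks."""
    tokens = line.split()
    if tokens[:2] != ["if-match", "vlan-id"]:
        raise ValueError(f"not an if-match vlan-id line: {line!r}")
    rest, ranges, i = tokens[2:], [], 0
    while i < len(rest):
        start = int(rest[i])
        end = start
        if i + 2 < len(rest) and rest[i + 1] == "to":   # 'start to end' form
            end = int(rest[i + 2])
            i += 3
        else:                                            # single VLAN ID form
            i += 1
        if not (VLAN_ID_MIN <= start <= end <= VLAN_ID_MAX):
            raise ValueError(f"invalid VLAN range {start}-{end}")
        ranges.append((start, end))
    if not 1 <= len(ranges) <= MAX_MATCH_ENTRIES:
        raise ValueError(f"if-match vlan-id accepts 1 to {MAX_MATCH_ENTRIES} entries")
    return ranges


def build_profiles(config: str) -> Dict[str, ContextProfile]:
    """Read a minimal config: profile name lines followed by their if-match vlan-id lines.

    Assumption: several if-match lines in one profile accumulate, still capped at 10 entries.
    """
    profiles: Dict[str, ContextProfile] = {}
    current: Optional[ContextProfile] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access-context profile name "):
            name = line.split()[-1]
            current = profiles.setdefault(name, ContextProfile(name))
        elif line.startswith("if-match vlan-id "):
            if current is None:
                raise ValueError("if-match vlan-id used outside a user context profile view")
            entries = parse_if_match_vlan(line)
            if len(current.vlan_ranges) + len(entries) > MAX_MATCH_ENTRIES:
                raise ValueError(f"profile {current.name} exceeds {MAX_MATCH_ENTRIES} entries")
            current.vlan_ranges.extend(entries)
        else:
            raise ValueError(f"unsupported line in this model: {line!r}")
    return profiles


def identify_context(profiles: Dict[str, ContextProfile], vlan_id: int) -> Optional[str]:
    """Return the profile a user's access VLAN belongs to, or None if no profile matches."""
    hits = [p.name for p in profiles.values() if p.matches(vlan_id)]
    if len(hits) > 1:   # assumption: ambiguity is a configuration error; keep ranges disjoint
        raise ValueError(f"VLAN {vlan_id} matches several profiles {hits}")
    return hits[0] if hits else None


# Constructed rights tables: what the server authorizes per profile after success, and the
# pre-authentication rights bound to the profile in the authentication event policy.
POST_AUTH_RIGHTS = {"office": "acl-office", "guest": "acl-guest"}
PRE_AUTH_RIGHTS = {"office": "acl-preauth-internal", "guest": "acl-preauth-guest"}


def rights_for_user(profiles: Dict[str, ContextProfile], vlan_id: int,
                    authenticated: bool) -> Optional[str]:
    """Rights a user receives given the access VLAN and authentication outcome."""
    profile = identify_context(profiles, vlan_id)
    if profile is None:
        return None   # no context identified, so no profile-bound rights apply
    table = POST_AUTH_RIGHTS if authenticated else PRE_AUTH_RIGHTS
    return table.get(profile)


# Constructed configuration: two areas with different security levels, one profile each.
SAMPLE_CONFIG = """
access-context profile name office
 if-match vlan-id 10 to 20 30
access-context profile name guest
 if-match vlan-id 100 to 110
"""

if __name__ == "__main__":
    profiles = build_profiles(SAMPLE_CONFIG)
    for vlan, ok in [(15, True), (15, False), (105, True), (50, True)]:
        print(vlan, ok, identify_context(profiles, vlan), rights_for_user(profiles, vlan, ok))
```

Running the block shows that VLAN 15 and VLAN 30 both land in the `office` profile, VLAN 105 lands in `guest`, and VLAN 50 matches nothing, so the device has no profile to bind rights to; checking a planned VLAN plan against `identify_context` before deployment is a cheap way to catch gaps and overlaps between areas.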

Precautions

  • The device can only identify user VLANs.

Example

# Enable the user context identification function.

<HUAWEI> system-view
[HUAWEI] access-context profile enable
Copyright © Huawei Technologies Co., Ltd.