The authentication event action authorize command configures authentication event authorization information.
The undo authentication event action authorize command restores the default setting.
By default, authentication event authorization information is not configured.
User authorization in the case of pre-connections:
authentication event pre-authen action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name }
undo authentication event pre-authen action authorize
User authorization when authentication fails:
authentication event authen-fail action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name } [ response-fail ]
undo authentication event authen-fail action authorize
User authorization when the authentication server is Down:
authentication event authen-server-down action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name } [ response-fail ]
authentication event authen-server-down action authorize keep [ no-response | response-fail ]
undo authentication event authen-server-down action authorize
User authorization when the authentication server does not respond:
authentication event authen-server-noreply action authorize keep [ no-response | response-fail ]
undo authentication event authen-server-noreply action authorize
Parameter | Description | Value
---|---|---
pre-authen | Configures the device to assign network access rights to users when the users establish pre-connections with the device. | -
authen-fail | Configures the device to assign network access rights to users when the authentication server sends authentication failure packets to the device. | -
authen-server-down | Configures the device to assign network access rights to users when the authentication server is Down or the server is in the forcible Up state. | -
authen-server-noreply | Configures the device to assign network access rights to users when the authentication server does not respond. | -
response-fail | Configures the device to send authentication failure packets to users after assigning network access rights to the users. If this parameter is not specified, the device by default sends authentication success packets to users, so the users cannot know that they have failed authentication. To solve this problem, specify this parameter so that the device sends authentication failure packets and the users learn their authentication results. | -
vlan vlan-id | Specifies a VLAN ID. When this parameter is specified, users can access only the resources in the VLAN. | The value is an integer that ranges from 1 to 4094.
service-scheme service-scheme-name | Specifies the name of the service scheme based on which network access rights are assigned to users. | The value must be an existing service scheme name on the device.
ucl-group ucl-group-name | Specifies the name of the UCL group based on which network access rights are assigned to users. | The value must be an existing UCL group name on the device.
keep | Configures online users to retain their original network access rights. | -
no-response | Configures the device not to send response packets to users after assigning network access rights to the users. If this parameter is not specified, the device sends an authentication success packet to users. | -
Usage Scenario
If users establish pre-connections with the device or fail to be authenticated, they have no network access rights.
To meet these users' basic network access requirements such as updating the antivirus database and downloading the client, configure authentication event authorization information. The device will assign network access rights to these users based on the authentication phase.
Precautions
Wireless 802.1X authentication only supports the keep parameter.
If no network access right is configured for users who fail authentication or for the case where the authentication server is Down, these users establish pre-connections with the device after the authentication fails and then receive the network access rights assigned to pre-connection users.
VLAN-based authorization does not apply to the authentication users who access through VLANIF interfaces.
To use VLAN-based authorization (excluding authentication of pre-connection users), run the undo authentication pre-authen-access enable command to disable the pre-connection function first.
An authorized VLAN cannot be delivered to online Portal users.
If a user uses Portal authentication, the keep parameter cannot be configured.
The configured vlan, service-scheme, or ucl-group parameter takes effect only for new online users.
For S5720-EI, S6720-EI, and S6720S-EI, if the user upstream rate limit is configured in the QoS profile bound to a service scheme, do not configure the device to use the service scheme to grant network access rights to users in the pre-connection phase. Otherwise, users go offline.
When the authentication server is in Down state, user authentication fails, or the user is in pre-connection state, the redirect ACL function is not supported. For details about this function, see redirect-acl.
In 802.1X authentication for wired users, when the RADIUS server is Down, some new clients do not have escape rights. For example, when a new Windows client receives a Success packet from the device but does not receive the authentication packets exchanged with the RADIUS server, the client fails the authentication and cannot go online. Currently, the following clients have escape rights when they go online for the first time: H3C iNode clients using EAP-MD5 or PEAP, and Cisco AnyConnect clients using EAP-FAST or PEAP. For Windows clients (for example, Windows 7), choose "Local Area Connection > Properties > Authentication > Fallback to unauthorized network access".
<HUAWEI> system-view
[HUAWEI] vlan batch 10
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication event pre-authen action authorize vlan 10
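As an added audit example (not part of this command reference and not a Huawei tool), the following Python script checks an authentication-profile section against the precautions above: it flags authen-fail and authen-server-down authorizations that lack response-fail (the user would receive a success packet despite failing), VLAN IDs outside 1 to 4094 or not created with vlan batch, and VLAN-based authorization for events other than pre-authen while the pre-connection function has not been disabled. The sample configuration is constructed and the line-matching logic is an assumption of the example.

```python
import re

# Constructed sample configuration (not from a real device); it uses only the command syntax on this page.
SAMPLE_CONFIG = """\
vlan batch 10
authentication-profile name authen1
 authentication event pre-authen action authorize vlan 10
 authentication event authen-fail action authorize vlan 20
 authentication event authen-server-down action authorize service-scheme guest
 authentication event authen-server-noreply action authorize keep no-response
"""

EVENT_RE = re.compile(
    r"^\s*authentication event (?P<event>pre-authen|authen-fail|"
    r"authen-server-down|authen-server-noreply) action authorize (?P<rest>.+)$"
)

def configured_vlans(config):
    """VLAN IDs created with 'vlan batch' (single IDs only; ranges are not parsed)."""
    vlans = set()
    for line in config.splitlines():
        m = re.match(r"^\s*vlan batch (.+)$", line)
        if m:
            vlans.update(int(t) for t in m.group(1).split() if t.isdigit())
    return vlans

def audit(config):
    """Return (event, finding) pairs for authorization lines that deserve review."""
    findings = []
    vlans = configured_vlans(config)
    pre_conn_disabled = "undo authentication pre-authen-access enable" in config
    for line in config.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        event, rest = m.group("event"), m.group("rest").split()
        # Without response-fail the device answers with a success packet, so the user never learns of the failure.
        if (event in ("authen-fail", "authen-server-down") and rest[0] != "keep"
                and "response-fail" not in rest):
            findings.append((event, "no response-fail: user sees success despite failure"))
        if rest[0] == "vlan":
            vid = int(rest[1])
            if not 1 <= vid <= 4094:
                findings.append((event, f"VLAN {vid} is outside 1-4094"))
            elif vid not in vlans:
                findings.append((event, f"VLAN {vid} not created with 'vlan batch'"))
            # VLAN authorization for non-pre-connection events requires the pre-connection function to be disabled.
            if event != "pre-authen" and not pre_conn_disabled:
                findings.append((event, "VLAN authorization needs 'undo authentication pre-authen-access enable'"))
    return findings
```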