
Configuring a Service Scheme

Context

Users must obtain authorization information before going online. You can configure a service scheme to manage authorization information about users.

When the device is switched to the NAC common mode, only the administrator level, number of users who can access the network using the same user name, and redirection ACL can be configured in the service scheme.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run service-scheme service-scheme-name

    A service scheme is created and the service scheme view is displayed.

    By default, no service scheme is configured on the device.

  4. Run admin-user privilege level level

    The user is configured as the administrator and the administrator level for login is specified.

    The value range of level is from 0 to 15. By default, the user level is not specified.

  5. Configure server information.

    1. Run dns ip-address

      The IP address of the primary DNS server is configured.

      By default, no primary DNS server is configured in a service scheme.

    2. Run dns ip-address secondary

      The IP address of the secondary DNS server is configured.

      By default, no secondary DNS server is configured in a service scheme.

  6. Run redirect-acl [ ipv6 ] { acl-number | name acl-name }

    The ACL used for redirection is configured in the service scheme.

    By default, no ACL used for redirection is configured in a service scheme.

    S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S5731-H, S5731S-H, S5731-S, S5731S-S, S5730-HI, S2720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI do not support the ipv6 parameter.

    Only wired users support the authorization of the IPv6 ACL used for redirection.

  7. Run idle-cut idle-time flow-value [ inbound | outbound ]

    The idle-cut function is enabled for domain users and the idle-cut parameters are set.

    By default, the idle-cut function is disabled for domain users.

    The idle-cut command configured in the service scheme view takes effect for administrators. For common users, the function takes effect only for wireless users.

  8. Run access-limit user-name max-num number

    The maximum number of users who are allowed to access the network using the same user name is configured.

    By default, the number of users who are allowed to access the network using the same user name is not limited, and is determined by the maximum number of access users supported by the device.

    The limit on the number of access users sharing the same user name applies only to users who have been successfully authenticated; it does not apply to pre-connection users.

  9. Run priority priority-value

    The user priority is configured in the service scheme.

    By default, the user priority is 0.

  10. Configure network access control parameters in the service scheme.

    1. Run acl-id [ ipv6 ] acl-number

      An ACL is bound to the service scheme.

      By default, no ACL is bound to a service scheme.

      S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S5731-H, S5731S-H, S5731-S, S5731S-S, S5730-HI, S2720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI do not support the ipv6 parameter.

      Before running this command, ensure that an ACL has been created using the acl or acl name command and ACL rules have been configured using the rule command.

      The priorities of the following access policies are in descending order:

      ACL number delivered by the RADIUS server > ACL number configured on the local device > ACL rule or DACL group delivered by the RADIUS server through the attribute HW-Data-Filter numbered 26-82 > User group delivered by the RADIUS server > User group configured on the local device > UCL group delivered by the RADIUS server > UCL group configured on the local device

      IPv4 ACL authorization and IPv6 ACL authorization have the same priority, so the preceding order applies across both address families. For example, when the RADIUS server delivers an IPv4 ACL number, a locally configured IPv6 ACL number does not take effect.

    2. Run ucl-group { group-index | name group-name }

      A UCL group is bound to the service scheme.

      By default, no UCL group is bound to a service scheme.

      Before running this command, ensure that a UCL group that identifies the user category has been created and configured.

    3. Run user-vlan vlan-id

      A user VLAN is configured in the service scheme.

      By default, no user VLAN is configured in a service scheme.

      Before running this command, ensure that a VLAN has been created using the vlan command.

    4. Run voice-vlan

      The voice VLAN function is enabled in the service scheme.

      By default, the voice VLAN function is disabled in a service scheme.

      For this configuration to take effect, ensure that a VLAN has been specified as the voice VLAN using the voice-vlan enable command and the voice VLAN function has been enabled on the interface.

    5. Run qos-profile profile-name

      A QoS profile is bound to the service scheme.

      The QoS profile is supported only by the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI.

      By default, no QoS profile is bound to a service scheme.

      Before running this command, ensure that a QoS profile has been configured. The procedure for configuring a QoS profile is as follows:
      1. In the system view, run qos-profile name profile-name

        A QoS profile is created and the QoS profile view is displayed.

      2. Configure traffic policing, packet processing priority, and user queue in the QoS profile view. (Of all parameters in the QoS profile bound to the service scheme, only those configured using the following commands take effect.)
        • Run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] { inbound | outbound }

          Traffic policing is configured in the QoS profile.

          By default, traffic policing is not configured in a QoS profile.

        • Run remark dscp dscp-value { inbound | outbound }

          The action of re-marking DSCP priorities of IP packets is configured in the QoS profile.

          By default, the action of re-marking DSCP priorities of IP packets is not configured in a QoS profile.

        • Run remark 8021p 8021p-value

          The action of re-marking 802.1p priorities of VLAN packets is configured in the QoS profile.

          By default, the action of re-marking 802.1p priorities of VLAN packets is not configured in a QoS profile.

    6. Run sac-profile profile-name

      An SAC profile is bound to the service scheme.

      By default, no SAC profile is bound to a service scheme.

      For details about authorization HQoS configuration and guidelines, see Configuring a Subscriber Queue.

      Before running this command, ensure that an SAC profile has been configured. To configure an SAC profile, perform the following operations:

      1. Run sac-profile name profile-name

        An SAC profile is created and the SAC profile view is displayed; or the existing SAC profile view is displayed.

      2. Run acl { ucl-number | name acl-name } remark local-precedence local-precedence-value

        The internal priority used for user-ACL-based remarking is configured.

        By default, no internal priority is configured for user-ACL-based remarking in an SAC profile.

    7. Run quit

      The AAA view is displayed.

    8. Run quit

      The system view is displayed.
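The following is an added worked example, not taken from the original page, showing the configuration that the procedure above produces for a service scheme named employee, written in running-configuration form. The ACL numbers, ACL rule syntax, VLAN ID, DNS addresses, group and profile names, and parameter values are assumptions; the ucl-group creation command is also assumed, since the page only shows the command that binds an existing group.

```text
# Added example (assumed names and values), not the page's own configuration.
# Prerequisites that the service scheme references must exist first.
#
acl 3001
 rule 5 permit ip destination 10.10.0.0 0.0.255.255
#
acl 3002
 rule 5 permit tcp destination-port eq 80
#
vlan 100
#
ucl-group name employee-group
#
qos-profile name employee-qos
 car cir 20000 pir 30000 inbound
 remark dscp 26 outbound
 remark 8021p 3
#
aaa
 service-scheme employee
  admin-user privilege level 3
  dns 10.0.0.53
  dns 10.0.0.54 secondary
  redirect-acl 3002
  idle-cut 15 60 inbound
  access-limit user-name max-num 2
  priority 1
  acl-id 3001
  ucl-group name employee-group
  user-vlan 100
  voice-vlan
  qos-profile employee-qos
#
```

Because of the access policy precedence given in step 10, acl-id 3001 is applied only when the RADIUS server delivers no ACL number for the user, and the UCL group binding is applied only when neither a server-delivered nor a local ACL, and no user group, is in effect; verify the expected policy with the server profile before relying on the local fallback.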

Copyright © Huawei Technologies Co., Ltd.