Table 1 describes authorization parameters that can be set locally during local authorization configuration.
| Authorization Parameter | Usage Scenario | Description |
|---|---|---|
| VLAN | VLAN-based authorization is easy to deploy and maintenance costs are low. It applies to scenarios where employees in an office or a department have the same access rights. | In local authorization, you only need to configure VLANs and corresponding network resources on the device. An authorized VLAN cannot be delivered to online Portal users. After a user is authorized based on a VLAN, the user needs to manually trigger an IP address request using DHCP. |
| Service scheme | A service scheme and corresponding network resources need to be configured on the device. | You need to configure a service scheme and corresponding network resources on the device. A service scheme can be applied to a domain, and users in the domain can then obtain authorization information in the service scheme. |
| User group (common mode) | A user group consists of users (terminals) with the same attributes, such as the role and rights. For example, according to the enterprise department structure, you can divide users on a campus network into different groups, such as an R&D group, finance group, marketing group, and guest group, and apply different security policies to these groups. | In local authorization, all you need to do is configure user groups and corresponding network resources on the device. A user group can be applied to a domain, and users in the domain can then obtain authorization information in the user group. For details on how to configure a user group, see Configure an authorization user group. |
| UCL group (unified mode) | A UCL group identifies a user type. The administrator can add users that share the same network access policy to the same UCL group, and configure the network access policy for the group. | In local authorization, you can configure UCL groups and corresponding network resources on the device. A UCL group can be applied to a domain, and users in the domain can obtain authorization information in the UCL group. For details on how to configure a UCL group, see Configure an authorization UCL group. |
Configure a VLAN and the network resources in the VLAN on the device.
For details on how to configure a service scheme, see Configuring a Service Scheme.
| Procedure | Command | Description |
|---|---|---|
| Enter the system view. | `system-view` | – |
| Create a user group and enter the user group view. | `user-group group-name` | When using a user group in a hot standby scenario or a dual-link backup scenario, specify the user group index, and ensure that the user group name and index specified on the active device are the same as those specified on the standby device. |
| Bind an ACL to the user group. | `acl-id acl-number` | By default, no ACL is bound to a user group. NOTE: Before running this command, ensure that the ACL has been created using the `acl` or `acl name` command and ACL rules have been configured using the `rule` command. |
| Bind a VLAN to the user group. | `user-vlan vlan-id` | By default, no VLAN is specified for a user group. |
| Set the priority for the user group. | `remark { 8021p 8021p-value \| dscp dscp-value }*` | By default, the user group priority is not specified. NOTE: Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI support this command. |
| Limit the rate of traffic from users in the user group. | `car { outbound \| inbound } cir cir-value [ pir pir-value \| cbs cbs-value \| pbs pbs-value ] *` | By default, the rate of traffic from users in the user group is not limited. NOTE: Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI support this command, and the user group CAR can only be applied in the interface outbound direction (outbound) on the S5720-EI, S6720-EI, and S6720S-EI. |
| Return to the system view. | `quit` | – |
| Enable the user group function. | `user-group group-name enable` | The settings for a user group are in effect only when the user group function is enabled. By default, the user group function is disabled. |
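Two steps in the user group procedure above fail silently if they are skipped: `acl-id` must point at an ACL that was already created, and the group's settings take effect only after `user-group group-name enable`. The following added script (not part of this guide or of the device software) parses a constructed configuration dump written in the command syntax shown above and reports groups whose authorization will not take effect; the config text and group names are sample data.

```python
import re

# Constructed configuration dump in the device's CLI syntax (sample data, not a real device).
# "finance" references an ACL that was never created, and only "rd" is enabled.
SAMPLE_CONFIG = """\
acl number 3001
 rule 5 permit ip destination 10.1.0.0 0.0.255.255
#
user-group rd
 acl-id 3001
 user-vlan 10
#
user-group guest
 user-vlan 20
#
user-group finance
 acl-id 3002
#
user-group rd enable
"""

def parse_config(text):
    """Collect created ACLs, user groups with their bound ACL/VLAN, and enabled groups."""
    acls, groups, enabled = set(), {}, set()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "#":
            current = None  # "#" closes the current view in a config dump
        elif m := re.match(r"acl (?:number |name )?(\S+)$", line):
            acls.add(m.group(1))  # "acl number 3001" or "acl name <name>"
        elif m := re.match(r"user-group (\S+) enable$", line):
            enabled.add(m.group(1))  # system-view command, checked before the plain form
        elif m := re.match(r"user-group (\S+)$", line):
            current = m.group(1)
            groups.setdefault(current, {})
        elif current and (m := re.match(r" (acl-id|user-vlan) (\S+)$", line)):
            groups[current][m.group(1)] = m.group(2)  # indented user-group view commands
    return acls, groups, enabled

def audit_user_groups(text):
    """Return (group, problem) pairs for groups whose authorization will not take effect."""
    acls, groups, enabled = parse_config(text)
    findings = []
    for name, attrs in groups.items():
        acl = attrs.get("acl-id")
        if acl is not None and acl not in acls:
            findings.append((name, f"acl-id {acl} refers to an ACL that has not been created"))
        if name not in enabled:
            findings.append((name, "user group is not enabled, so its settings are not in effect"))
    return findings

if __name__ == "__main__":
    for group, problem in audit_user_groups(SAMPLE_CONFIG):
        print(f"{group}: {problem}")
```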
| Procedure | Command | Description |
|---|---|---|
| Enter the system view. | `system-view` | – |
| Create a UCL group. | `ucl-group group-index [ name group-name ]` | By default, no UCL group is created. |
| (Optional) Configure an IP address for the static UCL group. | `ucl-group ip ip-address { mask-length \| ip-mask } { group-index \| name group-name } [ escape ]` | By default, no IP address is configured for a static UCL group. NOTE: IP addresses in static UCL groups are only supported by the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI. |
| (Optional) Configure a domain name for the static UCL group. | `ucl-group domain domain-name domain-name { group-index \| name group-name }` | By default, no domain name is configured for a static UCL group. NOTE: Only the S5720-HI, S5730-HI, S5731-H, S5731S-H, S6720-HI, S5732-H, S6730-H, S6730S-H, and S6730S-HI support domain names in static UCL groups. |
| Configure a user ACL or user ACL6. | For details, see Configuring a User ACL or User ACL6 under "ACL Configuration" in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security. | The ACL filters packets based on the UCL group. |
| Configure ACL-based packet filtering. | `traffic-filter inbound acl [ ipv6 ] acl-number` | By default, ACL-based packet filtering is not configured. |