
(Optional) Configuring the User Group Function

Context

In NAC applications, there are many access users, but the number of user types is limited. You can create user groups on the device and associate each user group with an ACL. In this way, users in the same group share the rules in the ACL.

After creating user groups, you can set priorities and VLANs for the user groups, so that users in different user groups have different priorities and network access rights. The administrator can then flexibly manage users.

When the user group function is enabled on models other than the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI, ACL rules are delivered to each user and the user group function cannot be used to save ACL resources.

The user group authorization information delivered by the authentication server has a higher priority than the user group authorization information applied in the AAA domain. If the information delivered by the authentication server cannot take effect, the information applied in the AAA domain is used. For example, suppose only user group B is configured on the device and its authorization information is applied in the AAA domain. If the authentication server delivers authorization information about user group A, that information cannot take effect and the authorization information about user group B is used. To make the user group authorization information delivered by the authentication server take effect, ensure that this user group is configured on the device.

If the authentication server authorizes multiple attributes to the device and the authorized attributes overlap the existing configurations on the device, the attributes take effect based on the minimum rule. For example, if the authentication server authorizes a VLAN and user group to the device and the VLAN parameters are configured in the user group on the device, the VLAN authorized by the authentication server takes effect.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run user-group group-name

    A user group is created and the user group view is displayed.

  3. Run acl-id acl-number

    An ACL is bound to the user group.

    By default, no ACL is bound to a user group.

    Before running this command, ensure that the ACL has been created using the acl or acl name command and ACL rules have been configured using the rule command.

  4. Run user-vlan vlan-id

    The user group VLAN is configured.

    By default, no user group VLAN is configured.

    Before running this command, ensure that the VLAN has been created using the vlan command.

  5. Run remark { 8021p 8021p-value | dscp dscp-value }*

    The user group priority is configured.

    By default, no user group priority is configured.

    Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI support this command.

  6. Run car { outbound | inbound } cir cir-value [ pir pir-value | cbs cbs-value | pbs pbs-value ] *

    The rate of traffic from users in the user group is limited.

    By default, the rate of traffic from users in the user group is not limited.

    Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI support this command, and the user group CAR can only be applied in the interface outbound direction (outbound) on the S5720-EI, S6720-EI, and S6720S-EI.

  7. Run quit

    Return to the system view.

  8. Run user-group group-name enable

    The user group function is enabled.

    The user group configuration takes effect only after the user group function is enabled.

    By default, the user group function is disabled.
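
A check for the prerequisites named in steps 3, 4 and 8, as an added example that is not part of the Huawei documentation: the Python function below reads a command list and reports user groups that reference an ACL or VLAN that was never created, an ACL without rules, or that were never enabled. The names `audit_user_groups` and `SAMPLE`, the constructed sample input, and the one-command-per-line input format are assumptions of this example; only numbered ACLs are tracked.

```python
import re

# Constructed sample: commands as an operator might type them for this procedure.
SAMPLE = """\
acl 3001
 rule 5 permit ip destination 10.1.1.0 0.0.0.255
vlan batch 100 to 102
user-group staff
 acl-id 3001
 user-vlan 101
 quit
user-group staff enable
user-group guest
 acl-id 3002
 user-vlan 200
"""

def audit_user_groups(text):
    """Map each user group to the unmet prerequisites found for it."""
    acl_rules, vlans, groups, enabled, view = {}, set(), {}, set(), None
    for t in filter(None, map(str.split, text.splitlines())):
        if t[0] in ("acl", "vlan", "user-group", "quit"):
            view = None                        # any of these leaves the current view
        if t[0] == "acl" and t[-1].isdigit():  # acl 3001 / acl number 3001
            view = ("acl", int(t[-1]))
            acl_rules.setdefault(view[1], 0)
        elif t[0] == "rule" and view and view[0] == "acl":
            acl_rules[view[1]] += 1            # count rules per ACL
        elif t[0] == "vlan":                   # vlan 10 / vlan batch 10 20 to 22
            for lo, hi in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", " ".join(t[1:])):
                vlans.update(range(int(lo), int(hi or lo) + 1))
        elif t[0] == "user-group" and len(t) == 3 and t[2] == "enable":
            enabled.add(t[1])
        elif t[0] == "user-group" and len(t) == 2:
            view = ("group", groups.setdefault(t[1], {}))
        elif t[0] in ("acl-id", "user-vlan") and view and view[0] == "group" and t[-1].isdigit():
            view[1][t[0]] = int(t[-1])
    report = {}
    for name, cfg in groups.items():
        acl, vlan, issues = cfg.get("acl-id"), cfg.get("user-vlan"), []
        if acl is not None and not acl_rules.get(acl):
            issues.append(f"ACL {acl} " + ("has no rules" if acl in acl_rules else "not created"))
        if vlan is not None and vlan not in vlans:
            issues.append(f"VLAN {vlan} not created")
        if name not in enabled:
            issues.append("user group function not enabled")
        report[name] = issues
    return report
```

An empty list for a group means every prerequisite the procedure names was found in the input; it does not confirm what is running on the device.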

Copyright © Huawei Technologies Co., Ltd.