< Home

(Optional) Configuring Network Access Rights for Users When the 802.1X Client Does Not Respond

Context

If the 802.1X client does not respond, users cannot pass authentication and thereby have no network access right. Before being successfully authenticated, some users may need certain basic network access rights to download client software and update the antivirus database. The network access rights can be configured for the users when the 802.1X client does not respond, so that the users can access specified network resources.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure authorization parameters.

    • VLAN

      Configure a VLAN and network resources in the VLAN on the device.

    • UCL group

      1. Run ucl-group group-index [ name group-name ]

        A UCL group is created.

        By default, no UCL group is created.

      2. (Optional) Run ucl-group ip ip-address { mask-length | ip-mask } { group-index | name group-name } [ escape ]

        An IP address is configured in the static UCL group.

        By default, no IP address is configured in a static UCL group.

        IP addresses in static UCL groups are only supported by S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI.

      3. (Optional) Run ucl-group domain domain-name domain-name { group-index | name group-name }

        A domain name is configured in the static UCL group.

        By default, no domain name is configured in a static UCL group.

        You also need to perform the following steps:

        Run the dns snooping enable command in the interface view or port group view to enable DNS snooping. After this function is enabled, the device parses the received DNS response packets to obtain IP addresses and generates mappings between the IP addresses and domain names.

        Run the dns snooping ttl delay-time delay-time command in the system view to set the delay in aging DNS snooping IP address and domain name entries. The default delay is 5760 minutes.

        Run the dns snooping server-ip-address server-ip-address command in the system view to configure the IP address of a DNS server.

        After configuration, the device then processes only the DNS response packets with the configured DNS server IP address as the source IP address.

        Only the S5720-HI, S5730-HI, S5731-H, S5731S-H, S6720-HI, S5732-H, S6730-H, S6730S-H, and S6730S-HI support domain names in static UCL groups.

      4. Configure a user ACL or ACL6 to filter packets based on the UCL group. For details, see "Configuring a User ACL" or "Configuring a User ACL6" in "ACL Configuration" in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security.

      5. Use the following methods to process packets:

        • Run traffic-filter inbound acl [ ipv6 ] { acl-number | name acl-name }

          ACL-based packet filtering is configured.

          By default, ACL-based packet filtering is not configured.

        • Run traffic-redirect inbound acl { acl-number | name acl-name } [ vpn-instance vpn-instance-name ] ip-nexthop nexthop-address

          Or run traffic-redirect inbound acl { acl-number | name acl-name } vpn-instance vpn-instance-name

          ACL-based packet redirection is configured.

          By default, ACL-based packet redirection is not configured.

          The traffic-redirect command is supported only by the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI.

          Only S5720-HI, S5730-HI, S5731-H S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S support the traffic-redirect inbound acl { acl-number | name acl-name } vpn-instance vpn-instance-name command.

    • Service scheme

      1. Run aaa

        The AAA view is displayed.

      2. Run service-scheme service-scheme-name

        A service scheme is created and the service scheme view is displayed.

        By default, no service scheme is configured on the device.

      3. Run acl-id [ ipv6 ] acl-number

        An ACL is bound to the service scheme.

        By default, no ACL is bound to a service scheme.

        S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S5731-H, S5731S-H, S5731-S, S5731S-S, S5730-HI, S2720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI do not support the ipv6 parameter.

        Before running this command, ensure that an ACL has been created using the acl or acl name command, and ACL rules have been configured using the rule command.

        The priorities of the following access policies are in descending order:

        ACL number delivered by the RADIUS server > ACL number configured on the local device > ACL rule or DACL group delivered by the RADIUS server through the attribute HW-Data-Filter numbered 26-82 > User group delivered by the RADIUS server > User group configured on the local device > UCL group delivered by the RADIUS server > UCL group configured on the local device

      4. Run ucl-group { group-index | name group-name }

        A UCL group is bound to the service scheme.

        By default, no UCL group is bound to a service scheme.

        Before running this command, ensure that a UCL group that identifies the user category has been created and configured.

      5. Run user-vlan vlan-id

        A user VLAN is configured in the service scheme.

        By default, no user VLAN is configured in a service scheme.

        Before running this command, ensure that a VLAN has been created using the vlan command.

      6. Run voice-vlan

        The voice VLAN function is enabled in the service scheme.

        By default, the voice VLAN function is disabled in a service scheme.

        To make this configuration take effect, ensure that a VLAN has been specified as the voice VLAN using the voice-vlan enable command and the voice VLAN function has been enabled on the interface.

      7. Run sac-profile profile-name

        The SAC profile is bound to the service scheme.

        By default, no SAC profile is bound to a service scheme.

        Layer 3 Portal authentication does not support this command.

        The device supports only local authorization based on an SA profile. In wireless scenarios, the direct forwarding mode does not support local authorization based on an SAC profile.

        When a static UCL group having an IP address with a non-32-bit mask is also configured, this static UCL group does not take effect.

        When the sac-profile profile-name and traffic-remark inbound acl command are configured together, the traffic-remark inbound acl command takes effect.

        Only the S5731-S, S5731S-S, S5731-H, and S5731S-Hsupports this command.

      8. Run qos-profile profile-name

        A QoS profile is bound to the service scheme.

        By default, no QoS profile is bound to a service scheme.

        The QoS profile is supported only by the S5720-EI, S5720-HI, S5730-HI, S5731-H,?S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI, and the user-queue command is supported only by the S5720-HI.

        Before running this command, ensure that a QoS profile has been configured. The procedure for configuring a QoS profile is as follows:

        1. In the system view, run qos-profile name profile-name

          A QoS profile is created and the QoS profile view is displayed.

        2. Configure traffic policing, packet processing priority, and user queue in the QoS profile view. (Among all parameters in the QoS profile bound to the service scheme, only the parameters configured using the following commands take effect.)
          • Run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] { inbound | outbound }

            Traffic policing is configured in the QoS profile.

            By default, traffic policing is not configured in a QoS profile.

          • Run remark dscp dscp-value { inbound | outbound }

            The action of re-marking DSCP priorities of IP packets is configured in the QoS profile.

            By default, the action of re-marking DSCP priorities of IP packets is not configured in a QoS profile.

          • Run remark 8021p 8021p-value

            The action of re-marking 802.1p priorities of VLAN packets is configured in the QoS profile.

            By default, the action of re-marking 802.1p priorities of VLAN packets is not configured in a QoS profile.

      9. Run quit

        Return to the AAA view.

      10. Run quit

        Return to the system view.

      11. Run traffic-remark inbound acl ucl-acl local-precedence local-precedence-value

        The device is configured to re-mark packets based on a user ACL.

  3. Run dot1x-access-profile name access-profile-name

    The 802.1X access profile view is displayed.

  4. Run authentication event client-no-response action authorize { service-scheme service-scheme-name | ucl-group ucl-group-name | vlan vlan-id }

    Network access rights are configured for users when the 802.1X client does not respond.

    By default, no network access right is configured for users when the 802.1X client does not respond.

Parent Topic: Configuring an 802.1X Access Profile
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >