
(Optional) Configuring Authentication Event Authorization Information

Context

If users establish pre-connections with the device or fail to be authenticated, they have no network access rights.

To meet these users' basic network access requirements such as updating the antivirus database and downloading the client, configure authentication event authorization information. The device will assign network access rights to these users based on the authentication phase.

An authorized VLAN cannot be delivered to online Portal users.

If a user uses Portal authentication, the function that allows online users to retain the original network access rights is not supported.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure authorization parameters.

    If users are in the pre-connection phase or fail to be authenticated, or the authentication server is Down, the device can use VLANs, UCL groups, and service schemes to grant network access rights to users.

    • VLAN

      Configure a VLAN and network resources in the VLAN on the device.

    • UCL group

      1. Run ucl-group group-index [ name group-name ]

        A UCL group is created.

        By default, no UCL group is created.

      2. (Optional) Run ucl-group ip ip-address { mask-length | ip-mask } { group-index | name group-name } [ escape ]

        An IP address is configured in the static UCL group.

        By default, no IP address is configured in a static UCL group.

        IP addresses in static UCL groups are only supported by S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI.

      3. (Optional) Run ucl-group domain domain-name domain-name { group-index | name group-name }

        A domain name is configured in the static UCL group.

        By default, no domain name is configured in a static UCL group.

        You also need to perform the following steps:

        Run the dns snooping enable command in the interface view or port group view to enable DNS snooping. After this function is enabled, the device parses the received DNS response packets to obtain IP addresses and generates mappings between the IP addresses and domain names.

        Run the dns snooping ttl delay-time delay-time command in the system view to set the delay in aging DNS snooping IP address and domain name entries. The default delay is 5760 minutes.

        Run the dns snooping server-ip-address server-ip-address command in the system view to configure the IP address of a DNS server.

        After configuration, the device then processes only the DNS response packets with the configured DNS server IP address as the source IP address.

        Only the S5720-HI, S5730-HI, S5731-H, S5731S-H, S6720-HI, S5732-H, S6730-H, S6730S-H, and S6730S-HI support domain names in static UCL groups.

      4. Configure a user ACL or ACL6 to filter packets based on the UCL group. For details, see "Configuring a User ACL" or "Configuring a User ACL6" in "ACL Configuration" in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security.
      5. Use the following methods to process packets:

        • Run traffic-filter inbound acl [ ipv6 ] { acl-number | name acl-name }

          ACL-based packet filtering is configured.

          By default, ACL-based packet filtering is not configured.

        • Run traffic-redirect inbound acl { acl-number | name acl-name } [ vpn-instance vpn-instance-name ] ip-nexthop nexthop-address

          Or run traffic-redirect inbound acl { acl-number | name acl-name } vpn-instance vpn-instance-name

          ACL-based packet redirection is configured.

          By default, ACL-based packet redirection is not configured.

          The traffic-redirect command is supported only by the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI.

          Only the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S support the traffic-redirect inbound acl { acl-number | name acl-name } vpn-instance vpn-instance-name command.

    • Service scheme

      1. Run aaa

        The AAA view is displayed.

      2. Run service-scheme service-scheme-name

        A service scheme is created and the service scheme view is displayed.

        By default, no service scheme is configured on the device.

      3. Run acl-id [ ipv6 ] acl-number

        An ACL is bound to the service scheme.

        By default, no ACL is bound to a service scheme.

        S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S5731-H, S5731S-H, S5731-S, S5731S-S, S5730-HI, S2720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI do not support the ipv6 parameter.

        Before running this command, ensure that an ACL has been created using the acl or acl name command, and ACL rules have been configured using the rule command.

        The priorities of the following access policies are in descending order:

        ACL number delivered by the RADIUS server > ACL number configured on the local device > ACL rule or DACL group delivered by the RADIUS server through the attribute HW-Data-Filter numbered 26-82 > User group delivered by the RADIUS server > User group configured on the local device > UCL group delivered by the RADIUS server > UCL group configured on the local device

      4. Run ucl-group { group-index | name group-name }

        A UCL group is bound to the service scheme.

        By default, no UCL group is bound to a service scheme.

        Before running this command, ensure that a UCL group that identifies the user category has been created and configured.

      5. Run user-vlan vlan-id

        A user VLAN is configured in the service scheme.

        By default, no user VLAN is configured in a service scheme.

        Before running this command, ensure that a VLAN has been created using the vlan command.

      6. Run voice-vlan

        The voice VLAN function is enabled in the service scheme.

        By default, the voice VLAN function is disabled in a service scheme.

        To make this configuration take effect, ensure that a VLAN has been specified as the voice VLAN using the voice-vlan enable command and the voice VLAN function has been enabled on the interface.

      7. Run sac-profile profile-name

        The SAC profile is bound to the service scheme.

        By default, no SAC profile is bound to a service scheme.

        Layer 3 Portal authentication does not support this command.

        The device supports only local authorization based on an SA profile. In wireless scenarios, the direct forwarding mode does not support local authorization based on an SAC profile.

        When a static UCL group having an IP address with a non-32-bit mask is also configured, this static UCL group does not take effect.

        When the sac-profile profile-name and traffic-remark inbound acl command are configured together, the traffic-remark inbound acl command takes effect.

        Only the S5731-S, S5731S-S, S5731-H, and S5731S-H support this command.

      8. Run qos-profile profile-name

        A QoS profile is bound to the service scheme.

        By default, no QoS profile is bound to a service scheme.

        The QoS profile is supported only by the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI, and the user-queue command is supported only by the S5720-HI.

        Before running this command, ensure that a QoS profile has been configured. The procedure for configuring a QoS profile is as follows:
        1. In the system view, run qos-profile name profile-name

          A QoS profile is created and the QoS profile view is displayed.

        2. Configure traffic policing, packet processing priority, and user queue in the QoS profile view. (Among all parameters in the QoS profile bound to the service scheme, only the parameters configured using the following commands take effect.)
          • Run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] { inbound | outbound }

            Traffic policing is configured in the QoS profile.

            By default, traffic policing is not configured in a QoS profile.

          • Run remark dscp dscp-value { inbound | outbound }

            The action of re-marking DSCP priorities of IP packets is configured in the QoS profile.

            By default, the action of re-marking DSCP priorities of IP packets is not configured in a QoS profile.

          • Run remark 8021p 8021p-value

            The action of re-marking 802.1p priorities of VLAN packets is configured in the QoS profile.

            By default, the action of re-marking 802.1p priorities of VLAN packets is not configured in a QoS profile.

      9. Run quit

        Return to the AAA view.

      10. Run quit

        Return to the system view.

      11. Run traffic-remark inbound acl ucl-acl local-precedence local-precedence-value

        The device is configured to re-mark packets based on a user ACL.

  3. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  4. Configure authorization information.

    • Run authentication event pre-authen action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name }

      Network access rights are configured for users who are in the pre-connection phase.

    • Run authentication event authen-fail action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name } [ response-fail ]

      Network access rights are configured for users who fail to be authenticated.

    • Run authentication event authen-server-down action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name } [ response-fail ]

      Network access rights are configured for users when the authentication server is Down.

    • Run authentication event authen-server-down action authorize keep [ no-response | response-fail ]

      Users are configured to retain the original network access rights when the authentication server is Down.

    • Run authentication event authen-server-noreply action authorize keep [ no-response | response-fail ]

      Users are configured to retain the original network access rights when the authentication server does not respond.

    By default, no authentication event authorization information is configured.

    If no network access right is configured for users who fail authentication or for the case when the authentication server is Down, these users establish pre-connections with the device after the authentication fails and are then granted the network access rights assigned to pre-connection users.

    VLAN-based authorization does not apply to the authentication users who access through VLANIF interfaces.

    In 802.1X authentication for wired users, when the RADIUS server is Down, some new clients do not obtain escape rights. For example, when a new Windows client receives a Success packet from the device but does not receive the authentication packets exchanged with the RADIUS server, the client fails the authentication and cannot go online. Currently, the following clients obtain escape rights when they go online for the first time: H3C iNode clients using EAP-MD5 or PEAP and Cisco AnyConnect clients using EAP-FAST or PEAP. For Windows clients, for example Windows 7, choose "Local Area Connection > Properties > Authentication > Fallback to unauthorized network access".

    If authorization upon an authentication server Down event is configured and the device detects that the authentication server is Down, the device grants the corresponding network access rights to users who fail to be authenticated and adds the users to the entries of users who fail to be authenticated upon an authentication server Down event. If authorization upon an authentication server Down event is not configured and the device detects that the authentication server is Down, the device grants the corresponding network access rights to users who fail to be authenticated and adds the users to the entries of users who fail to be authenticated.

    The device assigns network access rights based on the priorities of the configured rights in a network status as follows:

    • If the authentication server is Down: network access right upon an authentication server Down event > network access right for users who fail authentication > network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled
    • If users fail authentication: network access right for users who fail authentication > network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled
    • If users are in the pre-connection state: network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled
    • If an 802.1X client does not respond: network access right if an 802.1X client does not respond > network access right for users in the pre-connection state > user authorization based on whether the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state is enabled

  5. (Optional) Configure the aging time of user entries.

    • Run authentication timer pre-authen-aging aging-time

      The aging time is configured for pre-connection user entries.

      By default, the aging time for pre-connection user entries is 23 hours.

    • Run authentication timer authen-fail-aging aging-time

      The aging time is configured for entries of users who fail to be authenticated.

      By default, the aging time for entries of users who fail to be authenticated is 23 hours.

      You can run the authentication timer authen-fail-aging aging-time command to configure the aging time for entries of users who fail to be authenticated upon an authentication server Down event and entries of users who fail to be authenticated.

    • Run authentication timer authorize-keep-aging aging-time

      The aging time is configured for entries of online users who retain the original network access rights.

      By default, the aging time for entries of online users who retain the original network access rights is 0. That is, these entries are not aged out by default.
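The following is a worked configuration that ties steps 1 through 5 together; it is an added example, not configuration taken from the original guide. It assumes an authentication profile named p1, a UCL group named pre-auth-users, a constructed antivirus update server address 10.1.1.10, VLAN 20 already created with the vlan command, that the user ACL rule syntax (source ucl-group ...) and the view prompts shown are available on the switch, and that the aging-time parameter is given in hours as the 23-hour default above suggests. The point of the example is that the escape path stays narrow: pre-connection and server-Down users reach only the update server, and the explicit deny rule keeps the authorization from becoming a bypass of authentication.

```text
# Added example configuration (assumed names and addresses, see lead-in)
<HUAWEI> system-view

# Step 2, UCL group: one group identifies users who are not yet authenticated
[HUAWEI] ucl-group 1 name pre-auth-users

# Step 2, user ACL: permit only the antivirus update server (constructed address
# 10.1.1.10), then deny everything else sourced from the group
[HUAWEI] acl 6000
[HUAWEI-acl-ucl-6000] rule 5 permit ip source ucl-group name pre-auth-users destination 10.1.1.10 0
[HUAWEI-acl-ucl-6000] rule 10 deny ip source ucl-group name pre-auth-users
[HUAWEI-acl-ucl-6000] quit

# Step 2, packet processing: filter inbound traffic against the user ACL
[HUAWEI] traffic-filter inbound acl 6000

# Step 2, service scheme: bind the UCL group so it can be authorized by name
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme guest-scheme
[HUAWEI-aaa-service-guest-scheme] ucl-group name pre-auth-users
[HUAWEI-aaa-service-guest-scheme] quit
[HUAWEI-aaa] quit

# Steps 3 and 4: authorization per authentication event
[HUAWEI] authentication-profile name p1
# pre-connection users and users hit by a server Down event get the restricted scheme
[HUAWEI-authentication-profile-p1] authentication event pre-authen action authorize service-scheme guest-scheme
[HUAWEI-authentication-profile-p1] authentication event authen-server-down action authorize service-scheme guest-scheme
# users who actually fail authentication are isolated in VLAN 20 instead
[HUAWEI-authentication-profile-p1] authentication event authen-fail action authorize vlan 20

# Step 5: age out pre-connection and failed-authentication entries sooner than
# the 23-hour default so stale escape-right entries do not linger (assumed hours)
[HUAWEI-authentication-profile-p1] authentication timer pre-authen-aging 4
[HUAWEI-authentication-profile-p1] authentication timer authen-fail-aging 4
[HUAWEI-authentication-profile-p1] quit
```

Because the server-Down right outranks the auth-fail right in the priority order above, a user who fails while the server is Down lands in guest-scheme, not VLAN 20; keep that in mind when deciding which of the two is the more restrictive escape path.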

Copyright © Huawei Technologies Co., Ltd.