
(Optional) Configuring Authentication-Free Authorization Information for Users

Context

Before authentication, users need limited network access for basic tasks such as downloading the 802.1X client and updating the antivirus database. The device uses an authentication-free rule profile to manage the authorization information for these authentication-free users in one place. You define network access rules in the profile to determine which network access rights authentication-free users can obtain, and then bind the configured profile to an authentication profile. Users who use that authentication profile then obtain the authentication-free authorization information.

An authentication-free rule can be a common authentication-free rule or an authentication-free rule defined by an ACL. A common authentication-free rule is determined by parameters such as IP address, MAC address, interface, and VLAN. An authentication-free rule defined by an ACL is determined by the ACL rule (configured using the rule command). The destination IP address that users can access without authentication can be specified in both a common authentication-free rule and an authentication-free rule defined by an ACL. In addition, the destination domain name that users can access without authentication can be specified in an authentication-free rule defined by an ACL.

Compared with an authentication-free rule defined by IP address, one defined by domain name is often simpler and more convenient. For example, a user who does not yet have an authentication account must first log in to the carrier's official website and apply for a member account, or log in using the account of a third party such as Twitter or Facebook. This requires that the user can access the specified websites before successful authentication. A website's domain name is easier to remember than its IP address, so an authentication-free rule defined by an ACL can be configured to allow access to those domain names without authentication.

Pay attention to the following when you use common authentication-free rules:
  • When multiple authentication-free rules are configured, the system checks the rules one by one; a packet that matches any rule is permitted.
  • In a wireless scenario or an SVF system, only the authentication-free rules with IDs in the range of 0 to 127 on the AP or AS can take effect. On the AC or parent, all configured authentication-free rules take effect.
  • In a wireless scenario, the VLAN ID and interface number cannot be specified in authentication-free rules configured on an AP. You are advised to set the authentication-free rule ID to 128 or a larger value when specifying the VLAN ID and interface number. If the ID of an authentication-free rule is less than 128, Portal redirection cannot be performed.
  • In an SVF system, interface information in an authentication-free rule is invalid.
  • If you specify both the VLAN ID and interface number in an authentication-free rule, the interface must belong to the VLAN. Otherwise, the rule is invalid.
  • If a destination port number is configured in an authentication-free rule, fragmented packets cannot match the rule, because non-first fragments carry no TCP/UDP header, and such packets are therefore not forwarded.
  • No authentication-free rule needs to be configured for DHCP, CAPWAP, ARP, and HTTP packets, because these packets can be processed or forwarded before user authentication. Authentication-free rules must be configured for other protocol packets that need to be forwarded. When the packets need to be processed locally, authentication-free rules need to be configured on only the S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, and S5720-HI. Authentication-free rules are not required for DNS if the portal pass dns enable command has been run to allow DNS packets to pass during Portal authentication. However, this mode is not recommended: the command allows all DNS packets to pass, to any resolver, which gives unauthenticated hosts a channel to tunnel traffic over DNS. Prefer an authentication-free rule that permits UDP port 53 only to the resolver you operate.
    • DHCP packet: If authentication and DHCP are enabled on an interface, authentication can be triggered by DHCP packets and the device acts as the DHCP relay or DHCP server to forward or process DHCP packets. If only authentication is configured on the interface and the DHCP function is not configured, authentication can be triggered by DHCP packets and the device broadcasts the DHCP packets.
    • CAPWAP packet: CAPWAP packets are classified into control packets and data packets. Generally, NAC still applies to CAPWAP data packets after they are decapsulated, and the authentication-free rule takes effect (except for ARP and DHCP packets that are encapsulated in CAPWAP data packets). CAPWAP control packets are sent to the CPU for processing, as in SVF and wireless scenarios. If authentication is enabled on the physical interface connected to an AP, you need to configure an authentication-free rule to transmit packets from the management VLAN. In this scenario, the server may be overloaded by repeated re-authentication, so this scenario is not recommended.
    • ARP packet: No authentication-free rule needs to be configured for ARP packets, which can be directly processed or forwarded.
    • HTTP packet: If Portal authentication is enabled on an interface and the destination URL of HTTP packets is not the URL of the Portal server, the device redirects HTTP packets to the Portal server for authentication. When both an authentication-free rule and an ACL are configured for authorization, only the authentication-free rule takes effect.
Pay attention to the following when you use authentication-free rules defined by ACLs:
  • Authentication-free rules based on domain names are valid for only wireless users.
  • When SVF is enabled, authentication-free rules defined by ACL cannot be delivered to an AS.
  • The ACL referenced by an authentication-free rule can be modified while the rule is in use. The authentication-free rule always permits matching traffic, regardless of whether the action in the ACL rule (configured using the rule command) is permit or deny; a deny rule in the ACL therefore does not block anything before authentication and must not be relied on as a restriction. The ACL rule number ranges from 0 to 127.
  • If multiple domain names resolve to the same IP address (for example, sites on shared hosting or behind the same CDN address) and one of them matches the authentication-free rule, the other domain names also match the authentication-free rule.

Pre-configuration Tasks

  • To use the authentication-free rule defined by ACL: An ACL rule has been configured using the rule command. This ACL rule can be based on an IP address or a domain name. If the rule is defined by IP address, the source and destination parameters can be configured; if the rule is defined by domain name, only the destination parameter can be configured.

    If the user ACL is created using a name (specified by acl-name), a named ACL has been created and the ACL number (6000-6031) has been specified using the acl name acl-name acl-number command.

  • When configuring authentication on a physical interface, you must run the authentication pre-authen-access enable command to enable the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state.

Procedure

  1. Configure an authentication-free rule profile.

    1. Run system-view

      The system view is displayed.

    2. Run free-rule-template name free-rule-template-name

      An authentication-free rule profile is created and the authentication-free rule profile view is displayed.

      By default, the device has a built-in authentication-free rule profile named default_free_rule. Currently, the device supports only this one profile, so free-rule-template-name must be default_free_rule; the command enters the view of the built-in profile.

    3. Configure an authentication-free rule.

      • Run free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } [ tcp destination-port port | udp destination-port port ] | any } } | source { any | { interface interface-type interface-number | ip { ip-address mask { mask-length | ip-mask } | any } | vlan vlan-id } * } } *

        A common authentication-free rule is configured.

      • Run free-rule acl { acl-id | acl-name acl-name | ipv6 ipv6-acl-id }

        An authentication-free rule defined by ACL is configured.

      By default, no authentication-free rule is configured for NAC authentication users.

    4. Run quit

      Return to the system view.

  2. Bind the authentication-free rule profile to an authentication profile.

    1. Run authentication-profile name authentication-profile-name

      The authentication profile view is displayed.

    2. Run free-rule-template free-rule-template-name

      The authentication-free rule profile is bound to the authentication profile.

      By default, no authentication-free rule profile is bound to an authentication profile.

    For wireless users, the configured authentication-free rule in an authentication-free rule profile takes effect only after the profile is bound to an authentication profile using the free-rule-template command in the authentication profile view.

    For wired users, an authentication-free rule profile takes effect for all wired users after it is created in the system view. The authentication-free rule profile does not need to be bound to an authentication profile using the free-rule-template command in the authentication profile view.

Follow-up Procedure

The domain name specified in an ACL only supports dynamic DNS resolution. Therefore, when you define the authentication-free rule by domain name, configure dynamic DNS resolution on the device. The procedure is as follows:
  1. Run the dns resolve command in the system view to enable dynamic DNS resolution.
  2. Run the dns server ip-address command in the system view to specify an IP address for the DNS server.
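The following is an added example that puts the pre-configuration task, the procedure, and the follow-up DNS steps together into one configuration. It is written in the device's configuration-file style and is not taken from this page. The addresses (10.10.10.10, 10.10.10.20, 10.10.10.53), the ACL name pre-auth-acl, the authentication profile name wlan-portal, and the domain login.example.com are constructed for illustration; the body syntax of the rule command (permit ip destination ... and destination domain-name ...) is assumed and should be checked against the command reference for the software version in use.

```text
#
acl name pre-auth-acl 6000
 rule 5 permit ip destination 10.10.10.20 0
 rule 10 permit ip destination domain-name login.example.com
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 10.10.10.10 mask 32 tcp destination-port 8080 source any
 free-rule 2 destination ip 10.10.10.53 mask 32 udp destination-port 53 source any
 free-rule acl acl-name pre-auth-acl
#
authentication-profile name wlan-portal
 free-rule-template default_free_rule
#
dns resolve
dns server 10.10.10.53
#
```

Rule 1 allows unauthenticated users to reach the 802.1X client download server on TCP port 8080 and rule 2 allows them to reach only the internal resolver on UDP port 53; this is the narrower alternative to portal pass dns enable, which would let every DNS packet through. Both IDs are below 128, so the rules also take effect on an AP in a wireless scenario. Because both rules carry a destination port, fragmented packets do not match them. The ACL rules are written as permit; a deny rule in this ACL would still be treated as permit once the ACL is referenced by free-rule acl. The binding in the authentication profile is what makes the rules effective for wireless users; wired users obtain the profile as soon as it exists in the system view. The dns resolve and dns server commands are required for rule 10, because the domain name is resolved dynamically on the device. If authentication is configured on a physical interface, also run authentication pre-authen-access enable as described under Pre-configuration Tasks.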
Copyright © Huawei Technologies Co., Ltd.