
Assigning Network Access Rights to Users Based on User Context Profiles

Context

User context refers to association information of a user, such as the user name, user VLAN, and access interface.

To simplify the authentication server configuration, the administrator can add the users with the same network access rights to the same user context profile based on the user context, and configure the network access rights for the users based on the user context profile. When a user goes online after the user context identification function is enabled, the device can identify the user context information and add the user to the corresponding context profile based on the identification result.
  • If the user is authenticated successfully, the authentication server can assign the network access rights that map to the user context profile, based on the user context reported by the device.
  • If the user is not yet authenticated or fails authentication, the device assigns the network access rights that the user authentication event authorization policy binds to the matched context profile for each phase before authentication succeeds.

For example, on some enterprise networks, VLANs are used to divide the entire network into different areas with various security levels. The administrator requires that a user should obtain different network access rights when the user connects to the network from different areas. In this case, the user context identification function can be enabled on access devices, and a group of VLANs that belong to the same area are added to the same user context profile. The administrator then assigns the mapping network access rights to different user context profiles based on the security level of each area. When a user connects to the network from different areas, the user is added to different user context profiles matching their access VLANs and therefore obtains different network access rights.

Only the user VLAN can be used as an identification criterion; the device cannot match users on the other context attributes (user name or access interface).

During 802.1X authentication, if the client does not respond to the device's requests, authentication is not triggered even when a user context profile is matched, so the configured user context profile does not take effect in that case.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run access-context profile enable

    The user context identification function is enabled.

    By default, the user context identification function is disabled.

  3. Create a user context profile and configure an identification policy.

    1. Run access-context profile name profile-name

      The user context profile is created and the user context profile view is displayed.

      By default, no user context profile is created.

    2. Run if-match vlan-id { start-vlan-id [ to end-vlan-id ] } &<1-10>

      The VLAN ID-based user identification policy is configured.

      By default, no VLAN ID-based user identification policy is configured.

    3. Run quit

      Return to the system view.

  4. Assign network access rights to users based on user context profiles.

    1. Run access-author policy name policy-name

      The user authentication event authorization policy is created and the user authentication event authorization policy view is displayed.

      By default, no user authentication event authorization policy is created.

    2. Run match access-context-profile profile-name action { authen-fail service-scheme service-scheme-name | authen-server-down service-scheme service-scheme-name | authen-server-up re-authen | client-no-response service-scheme service-scheme-name | portal-server-down service-scheme service-scheme-name | portal-server-up re-authen | pre-authen service-scheme service-scheme-name } *

      The network access rights are configured based on the user context profile for specified users in each phase before authentication success.

      By default, no network access right is configured for specified users in each phase before authentication success.

      The network access rights for users in each phase before authentication success are assigned using a service scheme. Therefore, before performing this operation, run the service-scheme command in the AAA view to create a service scheme.

    3. Run match access-context-profile profile-name action access-domain domain-name [ dot1x | mac-authen | portal ] * [ force ]

      An access user's authentication domain is configured based on the user context profile.

      By default, no access user's authentication domain is configured based on the user context profile.

      Before performing this operation, run the domain command in the AAA view to create a domain.

    4. Run quit

      Return to the system view.

    5. Run access-author policy policy-name global

      The user authentication event authorization policy is applied.

      By default, no user authentication event authorization policy is applied.
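As an added example, not taken from the original page, the following configuration walks the procedure above end to end for the VLAN-area scenario described in the Context section. The VLAN ranges (10 to 19 for an office area, 100 to 109 for a guest area), the profile, policy, service-scheme and domain names are all constructed values, and the contents of the service schemes and domains (the rights they actually grant) are site-specific and left out.

```text
system-view
# Step 2: enable user context identification (disabled by default)
access-context profile enable
#
# Step 3: one user context profile per network area (constructed VLAN ranges)
access-context profile name office_area
 if-match vlan-id 10 to 19
 quit
access-context profile name guest_area
 if-match vlan-id 100 to 109
 quit
#
# Prerequisite for step 4: the service schemes and domains referenced below
# must already exist in the AAA view (their contents are omitted here)
aaa
 service-scheme office_preauth
  quit
 service-scheme guest_preauth
  quit
 domain office_dom
  quit
 domain guest_dom
  quit
 quit
#
# Step 4: bind each profile to the rights used in the phases before
# authentication succeeds, and to the authentication domain for 802.1X
# and MAC authentication users
access-author policy name area_policy
 match access-context-profile office_area action pre-authen service-scheme office_preauth authen-fail service-scheme office_preauth
 match access-context-profile office_area action access-domain office_dom dot1x mac-authen
 match access-context-profile guest_area action pre-authen service-scheme guest_preauth client-no-response service-scheme guest_preauth
 match access-context-profile guest_area action access-domain guest_dom dot1x mac-authen
 quit
#
# Apply the policy globally; until this is done none of the mappings take effect
access-author policy area_policy global
```

A user arriving on VLAN 105 is placed in guest_area and, before authentication completes, receives only what guest_preauth grants, while a user on VLAN 12 is handled by the office_area mappings.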

Copyright © Huawei Technologies Co., Ltd.