MAC Authorization
Authentication checks whether the identity of the user who attempts to access the network is valid. Authorization specifies the network access rights that an authorized user can have, that is, the resources that the authorized user can access. VLANs, ACLs, and UCLs are often used for authorization. RADIUS authorization is used as an example. For details about other authorization methods and more authorization parameters, see Authorization Scheme.
VLAN
To prevent unauthenticated users from accessing restricted network resources, the restricted network resources and unauthenticated users are allocated to different VLANs. After a user is authenticated, the authentication server returns an authorized VLAN for the user, and the access device moves the user into that authorized VLAN while leaving the interface configuration unchanged. The authorized VLAN takes precedence over the VLAN configured on the interface: the authorized VLAN takes effect after the authentication succeeds, and the configured VLAN takes effect again after the user goes offline. When the RADIUS server assigns an authorized VLAN, the following standard RADIUS attributes must be used together:
- Tunnel-Type: This attribute must be set to VLAN (value 13).
- Tunnel-Medium-Type: This attribute must be set to 802 (value 6).
- Tunnel-Private-Group-ID: The value can be a VLAN ID or a VLAN description.
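The following is an added example, not code from this documentation or from Huawei: it models the check an access device performs on an Access-Accept, accepting a VLAN assignment only when Tunnel-Type (VLAN, 13), Tunnel-Medium-Type (802, 6) and Tunnel-Private-Group-ID arrive together in one tag group, and returning either the VLAN ID or the VLAN description. Attribute numbers and the leading tag octet follow RFC 2868; the VLAN ID range 1 to 4094 and the helper names (`authorized_vlan`, `vlan_attrs`) are assumptions of the example.

```python
"""Check the VLAN-authorization attributes of a RADIUS Access-Accept.

Constructed example, not Huawei's code: it models the access device's
check that Tunnel-Type (VLAN, 13), Tunnel-Medium-Type (802, 6) and
Tunnel-Private-Group-ID arrive together, and returns the VLAN ID or the
VLAN description the server assigned. Attribute numbers and the tag-octet
encoding follow RFC 2868.
"""
from typing import Dict, Iterable, List, Tuple, Union

TUNNEL_TYPE = 64                 # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6            # Tunnel-Medium-Type value "802"

Attribute = Tuple[int, bytes]    # (attribute type, raw value octets)


def _tagged_integer(raw: bytes) -> Tuple[int, int]:
    """Tunnel integer attributes are one tag octet plus a 3-octet value."""
    if len(raw) != 4:
        raise ValueError("tunnel integer attribute must be 4 octets")
    return raw[0], int.from_bytes(raw[1:], "big")


def _tagged_string(raw: bytes) -> Tuple[int, str]:
    """A leading octet in 0x00..0x1F is a tag; otherwise the string is untagged."""
    if raw and raw[0] <= 0x1F:
        return raw[0], raw[1:].decode("ascii")
    return 0, raw.decode("ascii")


def authorized_vlan(attrs: Iterable[Attribute]) -> Union[int, str]:
    """Return the assigned VLAN ID (int) or VLAN description (str).

    Raises ValueError unless one tag group carries all three attributes with
    Tunnel-Type=13 and Tunnel-Medium-Type=6, as the access device requires.
    """
    groups: Dict[int, Dict[int, Union[int, str]]] = {}
    for attr_type, raw in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, value = _tagged_integer(raw)
            groups.setdefault(tag, {})[attr_type] = value
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, text = _tagged_string(raw)
            groups.setdefault(tag, {})[attr_type] = text

    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            gid = str(group[TUNNEL_PRIVATE_GROUP_ID])
            # A numeric value in 1..4094 is a VLAN ID; anything else is a VLAN description.
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
            return gid
    raise ValueError("incomplete VLAN authorization: need Tunnel-Type=13, "
                     "Tunnel-Medium-Type=6 and Tunnel-Private-Group-ID together")


def has_vlan_authorization(attrs: Iterable[Attribute]) -> bool:
    """Convenience wrapper: True if the attribute set is a valid VLAN assignment."""
    try:
        authorized_vlan(list(attrs))
        return True
    except ValueError:
        return False


def vlan_attrs(vlan: Union[int, str], tag: int = 1) -> List[Attribute]:
    """Build the three attributes a RADIUS server sends to assign a VLAN."""
    return [
        (TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode("ascii")),
    ]


if __name__ == "__main__":
    print(authorized_vlan(vlan_attrs(100)))          # 100
    print(authorized_vlan(vlan_attrs("guest-net")))  # guest-net
```

Dropping any one of the three attributes, or sending Tunnel-Type with a value other than 13, makes `authorized_vlan` reject the assignment, which is the behaviour to verify first when a user is authenticated but lands in the interface VLAN instead of the authorized one.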
ACL
After a user is authenticated, the authentication server assigns an ACL to the user. Then, the access device controls the user packets according to the ACL.
- If the user packets match a permit rule in the ACL, the packets are allowed to pass through.
- If the user packets match a deny rule in the ACL, the packets are discarded.
The RADIUS server can assign an ACL to a user in either of the following modes:
- Static ACL assignment: The RADIUS server uses the standard RADIUS attribute Filter-Id to assign an ACL ID to the user. In this mode, the ACL and corresponding rules are configured on the access device in advance.
- Dynamic ACL assignment: The RADIUS server uses the RADIUS attribute HW-Data-Filter extended by Huawei to assign an ACL ID and corresponding rules to the user. In this mode, the ACL ID and ACL rules are configured on the RADIUS server.
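The example below is added here and is not Huawei's code; it models the two assignment modes on an access device. Static assignment binds a user to an ACL ID that the administrator configured in advance, so an unknown ID cannot be bound; dynamic assignment installs the ID and rules the server delivered before binding. The `Rule` layout (action, destination prefix, optional protocol) and first-match evaluation are assumptions for illustration, not the on-the-wire encoding of Filter-Id or HW-Data-Filter, and the page does not define what happens when no rule matches, so that case returns `None`.

```python
"""Model ACL authorization on an access device after RADIUS authentication.

Constructed example, not Huawei's code. Static assignment (Filter-Id) names
an ACL the administrator configured on the device in advance; dynamic
assignment (HW-Data-Filter) carries the ACL ID and its rules from the
server. The Rule layout used here (action, destination prefix, optional
protocol) is an assumption for illustration, not the attribute's on-the-wire
encoding, and first-match evaluation is assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    dst: str                         # destination prefix, e.g. "10.1.1.0/24"
    protocol: Optional[str] = None   # None matches any protocol

    def matches(self, dst_ip: str, protocol: str) -> bool:
        if self.protocol is not None and self.protocol != protocol:
            return False
        return ip_address(dst_ip) in ip_network(self.dst, strict=False)


class AccessDevice:
    def __init__(self, preconfigured: Dict[int, List[Rule]]) -> None:
        self.acls: Dict[int, List[Rule]] = dict(preconfigured)  # configured by the administrator
        self.user_acl: Dict[str, int] = {}                      # user -> bound ACL ID

    def authorize_static(self, user: str, acl_id: int) -> bool:
        """Filter-Id carries only the ACL ID, so the ACL must already exist."""
        if acl_id not in self.acls:
            return False   # unknown ACL ID: nothing to bind
        self.user_acl[user] = acl_id
        return True

    def authorize_dynamic(self, user: str, acl_id: int, rules: Iterable[Rule]) -> bool:
        """HW-Data-Filter carries the ID and the rules; install them, then bind."""
        self.acls[acl_id] = list(rules)
        self.user_acl[user] = acl_id
        return True

    def filter_packet(self, user: str, dst_ip: str, protocol: str = "ip") -> Optional[str]:
        """First matching rule decides: "permit" passes, "deny" discards.

        Returns None when no ACL is bound or no rule matches; the page does
        not define that case, so it is left to the caller.
        """
        acl_id = self.user_acl.get(user)
        if acl_id is None:
            return None
        for rule in self.acls[acl_id]:
            if rule.matches(dst_ip, protocol):
                return rule.action
        return None


if __name__ == "__main__":
    device = AccessDevice({3001: [Rule("permit", "10.1.1.0/24"), Rule("deny", "10.0.0.0/8")]})
    device.authorize_static("user-a", 3001)
    print(device.filter_packet("user-a", "10.1.1.5"))   # permit
    print(device.filter_packet("user-a", "10.2.3.4"))   # deny
```

The `authorize_static` failure path is the practical difference between the modes: with Filter-Id, a mismatch between the ACL IDs on the RADIUS server and those configured on the device leaves the user without the intended filter, whereas with dynamic assignment the rules travel with the ID.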
UCL
A User Control List (UCL) is a collection of network terminals such as PCs and smartphones. The administrator can add users having the same network access requirements to a UCL, and configure a network access policy for the UCL, greatly reducing the administrator's workload. The RADIUS server assigns a UCL to a specified user in either of the following modes:
- Assigns the UCL name through the standard RADIUS attribute Filter-Id.
- Assigns the UCL ID through the RADIUS attribute HW-UCL-Group extended by Huawei.
You must configure the UCL and its network access policy on the access device in advance regardless of the UCL authorization mode used.
Free Rule
A free rule allows users to obtain certain network access rights before they are authenticated, to meet basic network access requirements.
You can configure either a common free rule or an ACL-defined free rule. A common free rule is determined by parameters such as the IP address, MAC address, interface, and VLAN, while an ACL-defined free rule is determined by ACL rules. Both types of rule can specify the destination IP address that users can access before being authenticated. An ACL-defined free rule can also specify the name of a destination domain that users can access before being authenticated.
Sometimes, defining a free rule by domain name is simpler and more convenient than defining a free rule by IP address. This is because a domain name is easier to remember. For example, some users who do not have an authentication account must first log in to the official website of a carrier and apply for a member account, or log in using a third-party account such as a Twitter or Facebook account. In this case, you can configure ACL-defined free rules to specify domain names of the websites that users can access before they are authenticated.
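As an added example (not Huawei's code), the following models how the two kinds of free rule decide whether an unauthenticated user may reach a destination: a common free rule matches on the user's IP address, MAC address, interface and VLAN plus a destination IP address, and an ACL-defined free rule matches on a destination IP address or a destination domain name. The `learned_hosts` mapping from domain name to addresses is an assumption (the device is assumed to have learned it from DNS answers); how a real device resolves the domain is not modelled, and all addresses and interface names are constructed.

```python
"""Evaluate free rules for a user who has not yet been authenticated.

Constructed example, not Huawei's code. A common free rule is matched on
the user's IP address, MAC address, interface and VLAN plus a destination
IP address; an ACL-defined free rule is matched on a destination IP address
or a destination domain name. The domain-to-address mapping (learned)
is assumed to be learned by the device from DNS answers; how a real device
resolves the name is not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Sequence, Set

LearnedHosts = Dict[str, Set[str]]   # domain name -> addresses learned for it


@dataclass(frozen=True)
class User:
    ip: str
    mac: str
    interface: str
    vlan: int


@dataclass(frozen=True)
class CommonFreeRule:
    """Any field left as None is a wildcard."""
    dst_ip: Optional[str] = None       # destination prefix reachable before authentication
    src_ip: Optional[str] = None
    src_mac: Optional[str] = None
    interface: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, user: User, dst_ip: str, learned: LearnedHosts) -> bool:
        if self.src_ip and ip_address(user.ip) not in ip_network(self.src_ip, strict=False):
            return False
        if self.src_mac and self.src_mac.lower() != user.mac.lower():
            return False
        if self.interface and self.interface != user.interface:
            return False
        if self.vlan is not None and self.vlan != user.vlan:
            return False
        return self.dst_ip is None or ip_address(dst_ip) in ip_network(self.dst_ip, strict=False)


@dataclass(frozen=True)
class AclFreeRule:
    dst_ip: Optional[str] = None
    dst_domain: Optional[str] = None   # e.g. the carrier's portal or a third-party login site

    def matches(self, user: User, dst_ip: str, learned: LearnedHosts) -> bool:
        if self.dst_ip and ip_address(dst_ip) in ip_network(self.dst_ip, strict=False):
            return True
        if self.dst_domain:
            # Only addresses the device has learned for that name are reachable.
            addresses = learned.get(self.dst_domain.lower().rstrip("."), set())
            return str(ip_address(dst_ip)) in addresses
        return False


def pre_auth_allowed(user: User, dst_ip: str, rules: Sequence, learned: LearnedHosts) -> bool:
    """True if any free rule lets this unauthenticated user reach dst_ip."""
    return any(rule.matches(user, dst_ip, learned) for rule in rules)


if __name__ == "__main__":
    # Constructed sample: a portal name and two users on different VLANs.
    learned = {"portal.example.com": {"203.0.113.10"}}
    rules = [CommonFreeRule(dst_ip="192.0.2.53/32", vlan=10),
             AclFreeRule(dst_domain="portal.example.com")]
    guest = User("10.20.0.5", "00:11:22:33:44:66", "GE0/0/2", 20)
    print(pre_auth_allowed(guest, "203.0.113.10", rules, learned))  # True
    print(pre_auth_allowed(guest, "192.0.2.53", rules, learned))    # False
```

A domain-based rule is only as good as the address mapping the device holds for that name: if the mapping is empty, `pre_auth_allowed` returns `False` for the portal even though the rule exists, which is the first thing to check when users report they cannot reach a login page that is supposedly exempt.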