Authentication verifies the identity of a user who attempts to access the network. Authorization specifies the network access rights granted to an authenticated user, that is, the resources that the user can access. ACLs and UCL groups are often used for authorization. RADIUS authorization is used as an example here. For details about other authorization methods and more authorization parameters, see AAA Authorization Scheme.
After a user is authenticated, the authentication server assigns an ACL to the user. Then, the access device controls the user packets according to the ACL.
A free rule allows users to obtain certain network access rights before they are authenticated, to meet basic network access requirements.
You can configure either a common free rule or an ACL-defined free rule. A common free rule is determined by parameters such as the IP address, MAC address, interface, and VLAN, while an ACL-defined free rule is determined by ACL rules. Both types of rule can specify the destination IP address that users can access before being authenticated. An ACL-defined free rule can also specify the name of a destination domain that users can access before being authenticated.
Sometimes, defining a free rule by domain name is simpler and more convenient than defining a free rule by IP address. This is because a domain name is easier to remember. For example, some users who do not have an authentication account must first log in to the official website of a carrier and apply for a member account, or log in using a third-party account such as a Twitter or Facebook account. In this case, you can configure ACL-defined free rules to specify domain names of the websites that users can access before they are authenticated.
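The following added example (not code from the device or from this documentation) models how a common free rule and an ACL-defined free rule with a domain name decide what an unauthenticated user can reach. The class names, the `resolved` name-to-address table, the addresses and the domain `signup.example.com` are constructed for illustration, and the model assumes a domain rule covers exactly the addresses the name resolved to.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_mac: str
    interface: str
    vlan: int
    dst_ip: str

@dataclass(frozen=True)
class CommonFreeRule:
    """Common free rule: every field that is set must match; None matches anything."""
    dst_net: Optional[str] = None
    src_mac: Optional[str] = None
    interface: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, pkt, resolved):
        return ((self.dst_net is None or ip_address(pkt.dst_ip) in ip_network(self.dst_net))
                and (self.src_mac is None or pkt.src_mac.lower() == self.src_mac.lower())
                and (self.interface is None or pkt.interface == self.interface)
                and (self.vlan is None or pkt.vlan == self.vlan))

@dataclass(frozen=True)
class AclFreeRule:
    """ACL-defined free rule: destination network or destination domain name."""
    dst_net: Optional[str] = None
    dst_domain: Optional[str] = None

    def matches(self, pkt, resolved):
        if self.dst_net is not None and ip_address(pkt.dst_ip) in ip_network(self.dst_net):
            return True
        # Assumption: a domain rule covers exactly the addresses the name resolved to.
        learned = resolved.get(self.dst_domain.lower(), set()) if self.dst_domain else set()
        return pkt.dst_ip in learned

def pre_auth_decision(pkt, rules, resolved):
    """Return 'permit' if any free rule matches the unauthenticated packet, else 'require-auth'."""
    return "permit" if any(r.matches(pkt, resolved) for r in rules) else "require-auth"

# Constructed sample data: documentation address ranges and a placeholder domain.
RULES = [
    CommonFreeRule(dst_net="192.0.2.10/32", vlan=100),  # one server, reachable from VLAN 100 only
    AclFreeRule(dst_domain="signup.example.com"),       # registration site reachable pre-auth
]
RESOLVED = {"signup.example.com": {"198.51.100.7", "198.51.100.8"}}
```

When reviewing free rules, note that every destination a rule matches is reachable without any identity check, so each rule should be scoped as narrowly as the pre-authentication use case allows.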