
free-rule

Function

The free-rule command configures authentication-free rules for NAC authentication users.

The undo free-rule command restores the default settings.

By default, no authentication-free rule is configured for NAC authentication users.

Format

Common authentication-free rule:

free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } [ tcp destination-port port | udp destination-port port ] | any } } | source { any | { interface interface-type interface-number | ip { ip-address mask { mask-length | ip-mask } | any } | vlan vlan-id } * } } *

undo free-rule { rule-id | all }

Authentication-free rule defined by ACL:

free-rule acl { acl-id | acl-name acl-name | ipv6 ipv6-acl-id }

undo free-rule { acl { acl-id | acl-name acl-name | ipv6 ipv6-acl-id } | all }

free-rule acl acl-id

On the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S, S5720-EI, S6720-EI, S6720S-EI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, and S5735-S-I, authentication-free rules can be defined by IPv6 ACLs.

Parameters

Parameter / Description / Value (a dash means the parameter takes no value)

rule-id

Specifies the number of an authentication-free rule for NAC authentication users.

The value is an integer.

S2720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720I-SI, S5720S-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, and S5735-S-I: The value range is 0 to 31.

S5720-HI, S5730-HI, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S, S5720-EI, S6720-EI, and S6720S-EI: The value range is 0 to 511.

destination

Specifies the destination network resource that NAC authentication users can access without authentication.

-

source

Specifies source information for NAC authentication users without authentication.

-

any

Matches any value. Its meaning depends on the keyword it follows: destination any matches any destination, source any matches any source, and ip any matches any IP address.

-

interface interface-type interface-number

Specifies a source interface in the rule.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

ip ip-address

Specifies the source or destination IP address depending on the keyword.

The value is in dotted decimal notation.

mask mask-length

Specifies the mask length of the source or destination IP address depending on the keyword.

The value is an integer that ranges from 1 to 32.

mask ip-mask

Specifies the mask of the source or destination IP address depending on the keyword.

The value is in dotted decimal notation.

tcp destination-port port

Specifies a TCP destination port number.

The value is an integer that ranges from 1 to 65535.

udp destination-port port

Specifies a UDP destination port number.

The value is an integer that ranges from 1 to 65535.

vlan vlan-id

Specifies the VLAN ID of source packets.

The value is an integer that ranges from 1 to 4094.

acl

Specifies an authentication-free rule defined by ACL.

-

acl-id

Specifies the number of an IPv4 ACL.

The value is an integer that ranges from 6000 to 6031.

acl-name acl-name

Specifies the name of an IPv4 ACL.

The value must be the name of an existing IPv4 ACL with a number in the range from 6000 to 6031.

ipv6 ipv6-acl-id

Specifies the number of an IPv6 ACL.

The value is an integer that ranges from 3000 to 3031.

all

Specifies all rules.

-

Views

Authentication-free rule profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Before being authenticated, users need some network access rights to meet basic requirements such as downloading the 802.1X client and updating the antivirus database. After running the free-rule-template command in the system view to create an authentication-free rule profile, run the free-rule command to configure authentication-free rules in the profile. Users can then obtain these network access rights without authentication.

An authentication-free rule can be a common authentication-free rule or an authentication-free rule defined by an ACL. A common authentication-free rule is determined by parameters such as IP address, MAC address, interface, and VLAN. An authentication-free rule defined by an ACL is determined by the ACL rule (configured using the rule command). The destination IP address that users can access without authentication can be specified in both a common authentication-free rule and an authentication-free rule defined by an ACL. In addition, the destination domain name that users can access without authentication can be specified in an authentication-free rule defined by an ACL.

Compared with an authentication-free rule defined by IP address, one defined by domain name is simpler and more convenient in some cases. For example, users who do not yet have an authentication account may first have to log in to a carrier's official website and apply for a member account, or log in using a third-party account such as Twitter or Facebook. This requires that the users can reach specific websites before authentication succeeds. Because a website's domain name is easier to remember than its IP address, an authentication-free rule defined by ACL can be configured so that users can access those domain names without authentication.

Prerequisites

To use the authentication-free rule defined by ACL: An ACL rule has been configured using the rule command. This ACL rule can be based on an IP address or a domain name. If the rule is defined by IP address, the source and destination parameters can be configured; if the rule is defined by domain name, only the destination parameter can be configured.

If the user ACL is created using a name (specified by acl-name), a named ACL has been created and the ACL number (6000-6031) has been specified using the acl name acl-name acl-number command.

Follow-up Procedure

The domain name specified in an ACL only supports dynamic DNS resolution. Therefore, when you define the authentication-free rule by domain name, configure dynamic DNS resolution on the device. The procedure is as follows:
  1. Run the dns resolve command in the system view to enable dynamic DNS resolution.
  2. Run the dns server ip-address command in the system view to specify an IP address for the DNS server.

Precautions

Wireless 802.1X authentication does not support this function.

When 802.1X authentication or MAC address authentication is configured on a physical interface, the free-rule configuration will not take effect after the undo authentication pre-authen-access enable command is configured to disable the pre-connection function.

Pay attention to the following when you use common authentication-free rules:
  • When multiple authentication-free rules are configured simultaneously, the system matches the rules one by one.
  • In a wireless scenario or an SVF system, only the authentication-free rules with IDs in the range of 0 to 127 on the AP or AS can take effect. On the AC or parent, all configured authentication-free rules take effect.
  • In a wireless scenario, the VLAN ID and interface number cannot be specified in authentication-free rules configured on an AP. You are advised to set the authentication-free rule ID to 128 or a larger value when specifying the VLAN ID and interface number. If the ID of an authentication-free rule is less than 128, Portal redirection cannot be performed.
  • In an SVF system, interface information in an authentication-free rule is invalid.
  • If you specify both the VLAN ID and interface number in an authentication-free rule, the interface must belong to the VLAN. Otherwise, the rule is invalid.
  • If the destination port number is configured in an authentication-free rule, fragments cannot match the rule and packets cannot be forwarded.
  • No authentication-free rule needs to be configured for DHCP, CAPWAP, ARP, and HTTP packets, because these packets can be processed or forwarded before user authentication. Authentication-free rules must be configured for other protocol packets that need to be forwarded. When the packets need to be processed locally, authentication-free rules need to be configured on only the S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, and S5720-HI. Authentication-free rules are not required if the portal pass dns enable command has been run to allow DNS packets to pass during Portal authentication. However, this mode is not recommended because the command allows all DNS packets to pass.
    • DHCP packet: If authentication and DHCP are enabled on an interface, authentication can be triggered by DHCP packets and the device acts as the DHCP relay or DHCP server to forward or process DHCP packets. If only authentication is configured on the interface and the DHCP function is not configured, authentication can be triggered by DHCP packets and the device broadcasts the DHCP packets.
    • CAPWAP packet: CAPWAP packets are classified into control packets and data packets. Generally, NAC is still effective for CAPWAP data packets after they are decapsulated, and the authentication-free rule takes effect (except for ARP and DHCP packets that are encapsulated in CAPWAP data packets). CAPWAP control packets are sent to the CPU for processing (as in SVF and wireless scenarios). If authentication is enabled on the physical interface connected to an AP, you need to configure an authentication-free rule to transmit packets from the management VLAN. In this scenario, the server may be overloaded by repeated re-authentication; therefore, this scenario is not recommended.
    • ARP packet: No authentication-free rule needs to be configured for ARP packets, which can be directly processed or forwarded.
    • HTTP packet: If Portal authentication is enabled on an interface and the destination URL of HTTP packets is not the URL of the Portal server, the device redirects HTTP packets to the Portal server for authentication. When both an authentication-free rule and an ACL are configured for authorization, only the authentication-free rule takes effect.
Pay attention to the following when you use authentication-free rules defined by ACLs:
  • Authentication-free rules based on domain names are valid for only wireless users.
  • When SVF is enabled, authentication-free rules defined by ACL cannot be delivered to an AS.
  • An authentication-free rule can be dynamically modified. The authentication-free rule performs the permit action no matter whether the action in an ACL rule (configured using the rule command) is set to deny or permit. The ACL rule number ranges from 0 to 127.
  • If multiple domain names correspond to the same IP address and one matches the authentication-free rule, other domain names also match the authentication-free rule.
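The following Python model, added here and not part of the Huawei documentation, encodes the matching behaviour stated in the precautions above for common authentication-free rules: rules are tried one by one, a rule with a destination port never matches IP fragments, and a rule naming both a VLAN and an interface is valid only when the interface belongs to that VLAN. The interface-to-VLAN table, sample rules and packets are constructed, and evaluation in rule-ID order is an assumption, since the page does not state the order.

```python
# Added illustration (not Huawei code): models the behaviour the precautions above describe
# for common authentication-free rules. Evaluation in rule-ID order is an assumption.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple
INTF_VLAN = {"GigabitEthernet0/0/1": 10, "GigabitEthernet0/0/2": 20}  # constructed topology

@dataclass
class FreeRule:
    rule_id: int
    dst: Optional[str] = None                 # destination network; None means "destination any"
    dst_l4: Optional[Tuple[str, int]] = None  # ("tcp" | "udp", destination-port) qualifier
    src_vlan: Optional[int] = None
    src_intf: Optional[str] = None
@dataclass
class Packet:
    dst_ip: str
    vlan: int
    intf: str
    l4: Optional[Tuple[str, int]] = None      # None for a non-first fragment: no transport header
def rule_valid(rule: FreeRule) -> bool:
    # Both VLAN and interface given: the rule is valid only if the interface is in that VLAN.
    if rule.src_vlan is not None and rule.src_intf is not None:
        return INTF_VLAN.get(rule.src_intf) == rule.src_vlan
    return True

def rule_matches(rule: FreeRule, pkt: Packet) -> bool:
    if not rule_valid(rule):
        return False
    if rule.dst and ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    # A fragment carries no port, so a port-qualified rule cannot match it and it is not forwarded.
    if rule.dst_l4 is not None and pkt.l4 != rule.dst_l4:
        return False
    if rule.src_vlan is not None and pkt.vlan != rule.src_vlan:
        return False
    return rule.src_intf is None or pkt.intf == rule.src_intf
def first_match(rules, pkt: Packet) -> Optional[int]:
    # Rules are checked one by one in ID order; the first hit permits the packet before auth.
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, pkt):
            return rule.rule_id
    return None

RULES = [  # constructed sample: rule 1 mirrors the page's example, rule 3 is deliberately invalid
    FreeRule(1, dst="10.1.1.0/24"),
    FreeRule(2, dst="10.2.2.2/32", dst_l4=("tcp", 443)),
    FreeRule(3, dst="10.3.3.0/24", src_vlan=20, src_intf="GigabitEthernet0/0/1"),
]
```

Running first_match over a packet list is a quick way to audit which pre-authentication traffic a profile actually permits, including the fragment and invalid-rule cases.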

The free-rule command configures a rule that specifies the resources accessible to users before authentication. It does not exempt users matching the rule from authentication. To free specified users from authentication, run the access-context profile enable command to enable the user context identification function, run the if-match vlan-id { start-vlan-id [ to end-vlan-id ] } &<1-10> command in the user context profile to configure the VLAN ID-based user identification policy, and run the authentication-mode none command in the authentication scheme bound to the authentication domain of those users so that no authentication is performed for them.

Example

# In the authentication-free rule profile default_free_rule, allow all NAC authentication users to access the network with the IP address 10.1.1.1/24 without authentication.
<HUAWEI> system-view
[HUAWEI] free-rule-template name default_free_rule
[HUAWEI-free-rule-default_free_rule] free-rule 1 destination ip 10.1.1.1 mask 24 source ip any
Copyright © Huawei Technologies Co., Ltd.