The match access-context-profile action command configures the network access rights for specified users in each phase before authentication success based on user context profiles.
The undo match access-context-profile action command deletes the configured network access rights.
By default, no network access right is configured for specified users in each phase before authentication success.
match access-context-profile profile-name action { authen-fail service-scheme service-scheme-name | authen-server-down service-scheme service-scheme-name | authen-server-up re-authen | client-no-response service-scheme service-scheme-name | portal-server-down service-scheme service-scheme-name | portal-server-up re-authen | pre-authen service-scheme service-scheme-name } *
undo match access-context-profile profile-name action { authen-fail | authen-server-down | authen-server-up | client-no-response | portal-server-down | portal-server-up | pre-authen } *
Parameter | Description | Value
---|---|---
profile-name | Specifies the name of a user context profile. | The value must be the name of an existing user context profile.
authen-fail | Configures the device to assign network access rights to users when the authentication server sends authentication failure packets to the device. | -
authen-server-down | Configures the device to assign network access rights to users when the authentication server is unreachable and the users therefore fail to be authenticated. | -
authen-server-up | Re-authenticates users when the authentication server becomes reachable again. | -
client-no-response | Configures the device to assign network access rights to users when clients do not respond and the users therefore fail to be authenticated. | -
portal-server-down | Configures the device to assign network access rights to users when the Portal server is unreachable and the users therefore fail to be authenticated. | -
portal-server-up | Re-authenticates users when the Portal server becomes reachable again. | -
pre-authen | Configures the device to assign network access rights to users when the users establish pre-connections with the device. | -
re-authen | Re-initializes user rights. | -
service-scheme service-scheme-name | Specifies the name of the service scheme based on which network access rights are assigned to users. | The value must be the name of an existing service scheme on the device.
Usage Scenario
Users need basic network access rights before they are authenticated. For example, the users need to download 802.1X clients and update the antivirus database. A user authentication event authorization policy can be used to bind the network access rights of users in each phase before authentication success to a user context profile. When a user goes online after a user authentication event authorization policy is applied to the device, the device adds the user to the context profile based on the user context identification result, and assigns the network access rights to the user based on the user authentication result. The match access-context-profile action command can be used to configure the network access rights for users in each phase (including an authentication failure, an authentication server fault, and no response from the users) before authentication success.
Prerequisites
A service scheme has been created using the service-scheme command in the AAA view.
A user context profile has been created using the access-context profile name profile-name command in the system view.
Follow-up Procedure
In the global view, run the access-author policy global command to apply the user authentication event authorization policy.
Precautions
The priority of user authorization based on a user context profile is higher than that of user authorization in an authentication profile.
This function takes effect only for users who go online after this function is successfully configured.
# Match the user authentication event authorization policy a1 with the identification result of the user context profile p1, and use the service scheme s1 to authorize the users who fail to be authenticated.
<HUAWEI> system-view
[HUAWEI] access-context profile name p1
[HUAWEI-access-context-p1] quit
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme s1
[HUAWEI-aaa-service-s1] quit
[HUAWEI-aaa] quit
[HUAWEI] access-author policy name a1
[HUAWEI-access-author-a1] match access-context-profile p1 action authen-fail service-scheme s1
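The following is an added illustration, not an example from the original page: it walks the whole procedure (prerequisites, several pre-authentication phases in one policy, and the follow-up global apply step) and pairs authen-server-down with authen-server-up re-authen so that rights granted during a server outage are re-initialized once the server is reachable again. The names p1, pre-only, fallback and a1 are constructed, and the exact syntax of the global apply command (access-author policy policy-name global) is assumed from the Follow-up Procedure above.

```text
# Added example (not from the original page); all names are constructed.
<HUAWEI> system-view
# Prerequisite 1: the user context profile the policy will match.
[HUAWEI] access-context profile name p1
[HUAWEI-access-context-p1] quit
# Prerequisite 2: service schemes in the AAA view. Their contents are not
# shown on this page; it only requires that they exist.
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme pre-only
[HUAWEI-aaa-service-pre-only] quit
[HUAWEI-aaa] service-scheme fallback
[HUAWEI-aaa-service-fallback] quit
[HUAWEI-aaa] quit
# The authorization policy: several phases can be bound in one command.
[HUAWEI] access-author policy name a1
# Users that have only pre-connected, or whose client does not respond,
# are limited to the pre-only scheme.
[HUAWEI-access-author-a1] match access-context-profile p1 action pre-authen service-scheme pre-only client-no-response service-scheme pre-only
# While the authentication server is unreachable, users get the fallback
# scheme; as soon as the server is reachable again they are re-authenticated
# and their rights are re-initialized (re-authen).
[HUAWEI-access-author-a1] match access-context-profile p1 action authen-server-down service-scheme fallback authen-server-up re-authen
[HUAWEI-access-author-a1] quit
# Follow-up step: apply the policy globally (syntax assumed).
[HUAWEI] access-author policy a1 global
```

Per the Precautions above, the policy affects only users who go online after it is configured, and a user context profile match takes priority over authorization from an authentication profile.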