Login
- Table of Contents
-
- 09-Security Configuration Guide
- 00-Preface
- 01-AAA configuration
- 02-802.1X configuration
- 03-MAC authentication configuration
- 04-Portal configuration
- 05-Port security configuration
- 06-Password control configuration
- 07-Public key management
- 08-PKI configuration
- 09-IPsec configuration
- 10-SSH configuration
- 11-SSL configuration
- 12-IP source guard configuration
- 13-ARP attack protection configuration
- 14-MFF configuration
- 15-Crypto engine configuration
- 16-FIPS configuration
- 17-User profile configuration
- 18-Attack detection and prevention configuration
- 19-ND attack defense configuration
- 20-Keychain configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 17-User profile configuration | 67.27 KB |
Configuration restrictions and guidelines
Configuring parameters for a user profile
Configuring QoS parameters for traffic management
Displaying and maintaining user profiles
User profile configuration examples
Local 802.1X authentication/authorization with QoS policy configuration example
Configuring user profiles
Overview
A user profile saves a set of predefined parameters, such as a QoS policy.
The user profile application allows flexible traffic policing on a per-user basis. Each time a user passes authentication, the device automatically applies the parameters in the user profile to this user.
The user profile restricts authenticated user behaviors as follows:
1. After the authentication server verifies a user, the server sends the device the name of the user profile specified for the user.
2. The device applies the parameters in the user profile to the user.
3. When the user logs out, the device automatically removes the user profile parameters.
Configuration task list
|
(Required.) Creating a user profile |
Configuration restrictions and guidelines
Before creating a user profile, perform the following tasks:
1. Plan the authentication method for your network. The user profile supports working with 802.1X authentication and MAC authentication.
¡ In remote authentication, specify a user profile for each user account on the authentication server.
¡ In local authentication, specify a user profile for each user account in the local user view. For more information, see "Configuring AAA."
2. Configure the authentication parameters on the client, the device, and the authentication server. The parameters include username, password, authentication scheme, and authentication domain.
Creating a user profile
To create a user profile:
|
2. Create a user profile and enter user profile view. |
You can use the command to enter the view of an existing user profile. |
Configuring parameters for a user profile
Configurations in user profile view take effect only after the device applies the user profile to the user.
Configuring QoS parameters for traffic management
To configure QoS parameters:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter user profile view. |
user-profile profile-name |
N/A |
|
3. Apply a QoS policy |
qos apply policy policy-name { inbound | outbound } |
The QoS policy must already exist. For information about QoS policy configuration, see ACL and QoS Configuration Guide. For information about the commands, see ACL and QoS Command Reference. |
Displaying and maintaining user profiles
Execute display commands in any view.
|
display user-profile [ name profile-name ] [ slot slot-number ] |
User profile configuration examples
Local 802.1X authentication/authorization with QoS policy configuration example
Network requirements
As shown in Figure 1, the access switch performs local 802.1X authentication and authorization for User A, User B, and User C.
Configure user profiles for the users and apply a QoS policy to each user to implement the following functions:
· Deny User A's access to the network from 8:30 to 12:00 daily.
· Limit the outgoing traffic rate to 2000 kbps for User B.
· Limit the incoming traffic rate to 4000 kbps for User C.
Configuration procedure
1. Configure a QoS policy to control the access time for User A:
# Create periodic time range for_usera, setting it to be active from 8:30 to 12:00 daily.
[Switch] time-range for_usera 8:30 to 12:00 daily
# Configure IPv4 basic ACL 2000 to identify packets in time range for_usera.
[Switch-acl-basic-2000] rule permit time-range for_usera
[Switch-acl-basic-2000] quit
# Create traffic class for_usera, and define a match criterion to match ACL 2000.
[Switch] traffic classifier for_usera
[Switch-classifier-for_usera] if-match acl 2000
[Switch-classifier-for_usera] quit
# Create traffic behavior for_usera, and configure a traffic filtering action as deny.
[Switch] traffic behavior for_usera
[Switch-behavior-for_usera] filter deny
[Switch-behavior-for_usera] quit
# Create QoS policy for_usera, and associate traffic class for_usera with traffic behavior for_usera.
[Switch-qospolicy-for_usera] classifier for_usera behavior for_usera
[Switch-qospolicy-for_usera] quit
2. Configure a user profile for User A, and apply the QoS policy:
# Create user profile usera.
# Apply the QoS policy to the incoming traffic of the switch.
[Switch-user-profile-usera] qos apply policy for_usera inbound
[Switch-user-profile-usera] quit
3. Configure a QoS policy to limit the outgoing traffic rate of User B:
# Create traffic class class, and define a match criterion to match all packets.
[Switch] traffic classifier class
[Switch-classifier-class] if-match any
[Switch-classifier-class] quit
# Create traffic behavior for_userb, and configure a CAR action in traffic behavior database. Set the CIR to 2000 kbps.
[Switch] traffic behavior for_userb
[Switch-behavior-for_userb] car cir 2000
[Switch-behavior-for_userb] quit
# Create QoS policy for_userb, and associate traffic class class with traffic behavior for_userb.
[Switch-qospolicy-for_userb] classifier class behavior for_userb
[Switch-qospolicy-for_userb] quit
4. Configure a user profile for User B, and apply the QoS policy:
# Create user profile userb.
# Apply the QoS policy to the incoming traffic of the switch.
[Switch-user-profile-userb] qos apply policy for_userb inbound
[Switch-user-profile-userb] quit
5. Configure a QoS policy to limit the incoming traffic rate on User C:
# Create traffic behavior for_userc, and configure a CAR action in traffic behavior database. Set the CIR to 4000 kbps.
[Switch] traffic behavior for_userc
[Switch-behavior-for_userc] car cir 4000
[Switch-behavior-for_userc] quit
# Create QoS policy for_userc, and associate traffic class class with traffic behavior for_userc.
[Switch-qospolicy-for_userc] classifier class behavior for_userc
[Switch-qospolicy-for_userc] quit
6. Configure a user profile for User C, and apply the QoS policy:
# Create user profile userc.
# Apply the QoS policy to the outgoing traffic of the switch.
[Switch-user-profile-userc] qos apply policy for_userc outbound
[Switch-user-profile-userc] quit
# Add local user usera.
[Switch] local-user usera class network
New local user added.
# Set the password of local user usera to a12345 in plain text.
[Switch-luser-network-usera] password simple a12345
# Specify the service type as lan-access for usera.
[Switch-luser-network-usera] service-type lan-access
# Configure the authorization user profile as usera.
[Switch-luser-network-usera] authorization-attribute user-profile usera
[Switch-luser-network-usera] quit
# Add local user userb.
[Switch] local-user userb class network
New local user added.
# Set the password of local user userb to b12345 in plain text.
[Switch-luser-network-userb] password simple b12345
# Specify the service type as lan-access for userb.
[Switch-luser-network-userb] service-type lan-access
# Configure the authorization user profile as userb.
[Switch -luser-network-userb] authorization-attribute user-profile userb
[Switch -luser-network-userb] quit
# Add local user userc.
[Switch] local-user userc class network
New local user added.
# Set the password of local user userc to c12345 in plain text.
[Switch-luser-network-userc] password simple c12345
# Specify the service type as lan-access for userc.
[Switch-luser-network-userc] service-type lan-access
# Configure the authorization user profile as userc.
[Switch-luser-network-userc] authorization-attribute user-profile userc
[Switch-luser-network-userc] quit
8. Configure the authentication, authorization, and accounting method for local users:
# Configure ISP domain user to use local authentication and authorization without accounting for local users.
[Switch-isp-user] authentication lan-access local
[Switch-isp-user] authorization lan-access local
[Switch-isp-user] accounting login none
[Switch-isp-user] quit
# Enable 802.1X on Ten-GigabitEthernet 1/0/1.
[Switch] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] dot1x
# Configure Ten-GigabitEthernet 1/0/1 to implement MAC-based access control (the default).
[Switch-Ten-GigabitEthernet1/0/1] dot1x port-method macbased
[Switch-Ten-GigabitEthernet1/0/1] quit
# Enable 802.1X globally.
Verifying the configuration
# Verify that the user profiles are active for User A, User B, and User C.
User-Profile: usera
Inbound:
Policy: for_usera
slot 1:
User -:
Authentication type: 802.1X
Network attributes:
Interface : Ten-GigabitEthernet1/0/1
MAC address : 6805-ca06-557b
Service VLAN : 1
User-Profile: userb
Inbound:
Policy: for_userb
slot 1:
User -:
Authentication type: 802.1X
Network attributes:
Interface : Ten-GigabitEthernet1/0/1
MAC address : 80c1-6ee0-2664
Service VLAN : 1
User-Profile: userc
Outbound:
Policy: for_userc
slot 1:
User -:
Authentication type: 802.1X
Network attributes:
Interface : Ten-GigabitEthernet1/0/1
MAC address : 6805-ca05-3efa
Service VLAN : 1
