09-Security Configuration Guide

HomeSupportResource CenterSwitchesH3C S6300 Switch SeriesH3C S6300 Switch SeriesTechnical DocumentsConfigureConfiguration GuidesH3C S6300 Switch Series Configuration Guides-Release 243x-6W10009-Security Configuration Guide
17-User profile configuration
Title Size Download
17-User profile configuration 67.27 KB

Configuring user profiles

Overview

A user profile saves a set of predefined parameters, such as a QoS policy.

The user profile application allows flexible traffic policing on a per-user basis. Each time a user passes authentication, the device automatically applies the parameters in the user profile to this user.

The user profile restricts authenticated user behaviors as follows:

1.      After the authentication server verifies a user, the server sends the device the name of the user profile specified for the user.

2.      The device applies the parameters in the user profile to the user.

3.      When the user logs out, the device automatically removes the user profile parameters.

Configuration task list

Tasks at a glance

(Required.) Creating a user profile

(Required.) Configuring parameters for a user profile

 

Configuration restrictions and guidelines

Before creating a user profile, perform the following tasks:

1.      Plan the authentication method for your network. The user profile supports working with 802.1X authentication and MAC authentication.

¡  In remote authentication, specify a user profile for each user account on the authentication server.

¡  In local authentication, specify a user profile for each user account in the local user view. For more information, see "Configuring AAA."

2.      Configure the authentication parameters on the client, the device, and the authentication server. The parameters include username, password, authentication scheme, and authentication domain.

Creating a user profile

To create a user profile:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Create a user profile and enter user profile view.

user-profile profile-name

You can use the command to enter the view of an existing user profile.

 

Configuring parameters for a user profile

Configurations in user profile view take effect only after the device applies the user profile to the user.

Configuring QoS parameters for traffic management

To configure QoS parameters:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter user profile view.

user-profile profile-name

N/A

3.      Apply a QoS policy

qos apply policy policy-name { inbound | outbound }

The QoS policy must already exist.

For information about QoS policy configuration, see ACL and QoS Configuration Guide.

For information about the commands, see ACL and QoS Command Reference.

 

Displaying and maintaining user profiles

Execute display commands in any view.

 

Task

Command

Display configuration and online user information for the specified user profile or all user profiles.

display user-profile [ name profile-name ] [ slot slot-number ]

 

User profile configuration examples

Local 802.1X authentication/authorization with QoS policy configuration example

Network requirements

As shown in Figure 1, the access switch performs local 802.1X authentication and authorization for User A, User B, and User C.

Configure user profiles for the users and apply a QoS policy to each user to implement the following functions:

·           Deny User A's access to the network from 8:30 to 12:00 daily.

·           Limit the outgoing traffic rate to 2000 kbps for User B.

·           Limit the incoming traffic rate to 4000 kbps for User C.

Figure 1 Network diagram

 

Configuration procedure

1.      Configure a QoS policy to control the access time for User A:

# Create periodic time range for_usera, setting it to be active from 8:30 to 12:00 daily.

[Switch] time-range for_usera 8:30 to 12:00 daily

# Configure IPv4 basic ACL 2000 to identify packets in time range for_usera.

[Switch] acl number 2000

[Switch-acl-basic-2000] rule permit time-range for_usera

[Switch-acl-basic-2000] quit

# Create traffic class for_usera, and define a match criterion to match ACL 2000.

[Switch] traffic classifier for_usera

[Switch-classifier-for_usera] if-match acl 2000

[Switch-classifier-for_usera] quit

# Create traffic behavior for_usera, and configure a traffic filtering action as deny.

[Switch] traffic behavior for_usera

[Switch-behavior-for_usera] filter deny

[Switch-behavior-for_usera] quit

# Create QoS policy for_usera, and associate traffic class for_usera with traffic behavior for_usera.

[Switch] qos policy for_usera

[Switch-qospolicy-for_usera] classifier for_usera behavior for_usera

[Switch-qospolicy-for_usera] quit

2.      Configure a user profile for User A, and apply the QoS policy:

# Create user profile usera.

[Switch] user-profile usera

# Apply the QoS policy to the incoming traffic of the switch.

[Switch-user-profile-usera] qos apply policy for_usera inbound

[Switch-user-profile-usera] quit

3.      Configure a QoS policy to limit the outgoing traffic rate of User B:

# Create traffic class class, and define a match criterion to match all packets.

[Switch] traffic classifier class

[Switch-classifier-class] if-match any

[Switch-classifier-class] quit

# Create traffic behavior for_userb, and configure a CAR action in traffic behavior database. Set the CIR to 2000 kbps.

[Switch] traffic behavior for_userb

[Switch-behavior-for_userb] car cir 2000

[Switch-behavior-for_userb] quit

# Create QoS policy for_userb, and associate traffic class class with traffic behavior for_userb.

[Switch] qos policy for_userb

[Switch-qospolicy-for_userb] classifier class behavior for_userb

[Switch-qospolicy-for_userb] quit

4.      Configure a user profile for User B, and apply the QoS policy:

# Create user profile userb.

[Switch] user-profile userb

# Apply the QoS policy to the incoming traffic of the switch.

[Switch-user-profile-userb] qos apply policy for_userb inbound

[Switch-user-profile-userb] quit

5.      Configure a QoS policy to limit the incoming traffic rate on User C:

# Create traffic behavior for_userc, and configure a CAR action in traffic behavior database. Set the CIR to 4000 kbps.

[Switch] traffic behavior for_userc

[Switch-behavior-for_userc] car cir 4000

[Switch-behavior-for_userc] quit

# Create QoS policy for_userc, and associate traffic class class with traffic behavior for_userc.

[Switch] qos policy for_userc

[Switch-qospolicy-for_userc] classifier class behavior for_userc

[Switch-qospolicy-for_userc] quit

6.      Configure a user profile for User C, and apply the QoS policy:

# Create user profile userc.

[Switch] user-profile userc

# Apply the QoS policy to the outgoing traffic of the switch.

[Switch-user-profile-userc] qos apply policy for_userc outbound

[Switch-user-profile-userc] quit

7.      Add local users:

# Add local user usera.

[Switch] local-user usera class network

New local user added.

# Set the password of local user usera to a12345 in plain text.

[Switch-luser-network-usera] password simple a12345

# Specify the service type as lan-access for usera.

[Switch-luser-network-usera] service-type lan-access

# Configure the authorization user profile as usera.

[Switch-luser-network-usera] authorization-attribute user-profile usera

[Switch-luser-network-usera] quit

# Add local user userb.

[Switch] local-user userb class network

New local user added.

# Set the password of local user userb to b12345 in plain text.

[Switch-luser-network-userb] password simple b12345

# Specify the service type as lan-access for userb.

[Switch-luser-network-userb] service-type lan-access

# Configure the authorization user profile as userb.

[Switch -luser-network-userb] authorization-attribute user-profile userb

[Switch -luser-network-userb] quit

# Add local user userc.

[Switch] local-user userc class network

New local user added.

# Set the password of local user userc to c12345 in plain text.

[Switch-luser-network-userc] password simple c12345

# Specify the service type as lan-access for userc.

[Switch-luser-network-userc] service-type lan-access

# Configure the authorization user profile as userc.

[Switch-luser-network-userc] authorization-attribute user-profile userc

[Switch-luser-network-userc] quit

8.      Configure the authentication, authorization, and accounting method for local users:

# Configure ISP domain user to use local authentication and authorization without accounting for local users.

[Switch] domain user

[Switch-isp-user] authentication lan-access local

[Switch-isp-user] authorization lan-access local

[Switch-isp-user] accounting login none

[Switch-isp-user] quit

9.      Configure 802.1X:

# Enable 802.1X on Ten-GigabitEthernet 1/0/1.

[Switch] interface ten-gigabitethernet 1/0/1

[SwitchA-Ten-GigabitEthernet1/0/1] dot1x

# Configure Ten-GigabitEthernet 1/0/1 to implement MAC-based access control (the default).

[Switch-Ten-GigabitEthernet1/0/1] dot1x port-method macbased

[Switch-Ten-GigabitEthernet1/0/1] quit

# Enable 802.1X globally.

[Switch] dot1x

Verifying the configuration

# Use the correct usernames and passwords to access the network from User A, User B, and User C. A username must include the ISP domain name. For example, enter username usera@user and password a12345 for User A.

# Verify that the user profiles are active for User A, User B, and User C.

<Switch> display user-profile

  User-Profile: usera

    Inbound:

      Policy: for_usera

 

    slot 1:

      User -:

        Authentication type: 802.1X

        Network attributes:

          Interface    : Ten-GigabitEthernet1/0/1

          MAC address  : 6805-ca06-557b

          Service VLAN : 1

 

  User-Profile: userb

    Inbound:

      Policy: for_userb

 

    slot 1:

      User -:

        Authentication type: 802.1X

        Network attributes:

          Interface    : Ten-GigabitEthernet1/0/1

          MAC address  : 80c1-6ee0-2664

          Service VLAN : 1

 

  User-Profile: userc

    Outbound:

      Policy: for_userc

 

    slot 1:

      User -:

        Authentication type: 802.1X

        Network attributes:

          Interface    : Ten-GigabitEthernet1/0/1

          MAC address  : 6805-ca05-3efa

          Service VLAN : 1