Login
- Table of Contents
-
- 09-Security Configuration Guide
- 00-Preface
- 01-AAA configuration
- 02-802.1X configuration
- 03-MAC authentication configuration
- 04-Portal configuration
- 05-Web authentication configuration
- 06-Triple authentication configuration
- 07-Port security configuration
- 08-User profile configuration
- 09-Password control configuration
- 10-Keychain configuration
- 11-Public key management
- 12-PKI configuration
- 13-IPsec configuration
- 14-SSH configuration
- 15-SSL configuration
- 16-Attack detection and prevention configuration
- 17-TCP attack prevention configuration
- 18-IP source guard configuration
- 19-ARP attack protection configuration
- 20-ND attack defense configuration
- 21-uRPF configuration
- 22-MFF configuration
- 23-Crypto engine configuration
- 24-FIPS configuration
- 25-MACsec configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 08-User profile configuration | 75.81 KB |
Configuration restrictions and guidelines
Displaying and maintaining user profiles
User profile configuration example
Configuring user profiles
Overview
A user profile saves a set of predefined parameters, such as a QoS policy.
The user profile application allows flexible traffic policing on a per-user basis. Each time a user passes authentication, the device automatically applies the parameters in the user profile to this user.
The user profile restricts authenticated user behavior as follows:
1. After the authentication server verifies a user, the server sends the device the name of the user profile specified for the user.
2. The device applies the parameters in the user profile to the user.
3. When the user logs out, the device automatically removes the user profile parameters.
Configuration restrictions and guidelines
When you configure user profiles, follow these restrictions and guidelines:
· Configure authentication parameters before you create a user profile. The user profile can work with 802.1X authentication, portal authentication, and MAC authentication.
· Specify a user profile for each user account:
¡ In remote authentication, specify a user profile on the authentication server.
¡ In local authentication, specify a user profile in the local user view. For information about local users, see "Configuring AAA."
Configuring a user profile
|
Command |
Remarks |
|
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a user profile and enter user profile view. |
user-profile profile-name |
By default, no user profiles exist. You can use the command to enter the view of an existing user profile. |
|
3. Apply a QoS policy. |
N/A |
For information about QoS policy configuration, see ACL and QoS Configuration Guide. |
Displaying and maintaining user profiles
Execute display commands in any view.
|
Task |
Command |
|
Display configuration and online user information for the specified user profile or all user profiles. |
display user-profile [ name profile-name ] [ slot slot-number ] |
User profile configuration example
Network requirements
As shown in Figure 1, the device performs local 802.1X authentication on the users in domain user for authentication and authorization efficiency.
Configure user profiles and QoS policies on the device to meet the following requirements:
· User A cannot access the Internet during 8: 30 and 12:00 every day even if User A passes 802.1X authentication.
· User B has an upload speed of 2 Mbps after passing 802.1X authentication.
· User C has a download speed of 4 Mbps after passing 802.1X authentication.
Configuration procedure
1. Configure a QoS policy for User A:
# Create a periodic time range from 8:30 to 12:00 every day.
<Device> system-view
[Device] time-range for_usera 8:30 to 12:00 daily
# Create IPv4 basic ACL 2000, and configure a rule to match all packets during the time range for_usera.
[Device] acl basic 2000
[Device-acl-basic-2000] rule permit time-range for_usera
[Device-acl-basic-2000] quit
# Create a traffic class named for_usera, and use ACL 2000 as the match criterion.
[Device] traffic classifier for_usera
[Device-classifier-for_usera] if-match acl 2000
[Device-classifier-for_usera] quit
# Create a traffic behavior named for_usera, and configure the deny action.
[Device] traffic behavior for_usera
[Device-behavior-for_usera] filter deny
[Device-behavior-for_usera] quit
# Create a QoS policy named for_usera, and associate traffic class for_usera and traffic behavior for_usera in the QoS policy.
[Device] qos policy for_usera
[Device-qospolicy-for_usera] classifier for_usera behavior for_usera
[Device-qospolicy-for_usera] quit
2. Create a user profile for User A and apply the QoS policy to the user profile:
# Create a user profile named usera.
[Device] user-profile usera
# Apply QoS policy for_usera to the inbound direction of user profile usera.
[[Device-user-profile-usera] qos apply policy for_usera inbound
[Device-user-profile-usera] quit
3. Configure a QoS policy for limiting the traffic rate for User B:
# Create a traffic class named class to match all packets.
[Device] traffic classifier class
[Device-classifier-class] if-match any
[Device-classifier-class] quit
# Create a traffic behavior named for_userb, and configure a traffic policing action (CIR 2000 kbps).
[Device] traffic behavior for_userb
[Device-behavior-for_userb] car cir 2000
[Device-behavior-for_userb] quit
# Create a QoS policy named for_userb, and associate traffic class class and traffic behavior for_userb in the QoS policy.
[Device] qos policy for_userb
[Device-qospolicy-for_userb] classifier class behavior for_userb
[Device-qospolicy-for_userb] quit
4. Create a user profile for User B and apply the QoS policy to the user profile:
# Create a user profile named userb.
[Device] user-profile userb
# Apply QoS policy for_userb to the inbound direction of user profile userb.
[Device-user-profile-userb] qos apply policy for_userb inbound
[Device-user-profile-userb] quit
5. Configure a QoS policy for limiting the traffic rate for User C:
# Create a traffic behavior named for_userc, and configure a traffic policing action (CIR 4000 kbps).
[Device] traffic behavior for_userc
[Device-behavior-for_userc] car cir 4000
[Device-behavior-for_userc] quit
# Create a QoS policy named for_userc, and associate traffic class class and traffic behavior for_userc in the QoS policy.
[Device] qos policy for_userc
[Device-qospolicy-for_userc] classifier class behavior for_userc
[Device-qospolicy-for_userc] quit
6. Create a user profile for User C and apply the QoS policy to the user profile:
# Create a user profile named userc.
[Device] user-profile userc
# Apply QoS policy for_userc to the outbound direction of user profile userc.
[Device-user-profile-userc] qos apply policy for_userc outbound
[Device-user-profile-userc] quit
7. Configure local users:
# Create a local user named usera.
[Device] local-user usera class network
New local user added.
# Set the password to a12345 for user usera.
[Device-luser-network-usera] password simple a12345
# Authorize user usera to use the LAN access service.
[Device-luser-network-usera] service-type lan-access
# Specify user profile usera as the authorization user profile for user usera.
[Device-luser-network-usera] authorization-attribute user-profile usera
[Device-luser-network-usera] quit
# Create a local user named userb.
[Device] local-user userb class network
New local user added.
# Set the password to b12345 for user userb.
[Device-luser-network-userb] password simple b12345
# Authorize user userb to use the LAN access service.
[Device-luser-network-userb] service-type lan-access
# Specify user profile userb as the authorization user profile for user userb.
[Device-luser-network-userb] authorization-attribute user-profile userb
[Device-luser-network-userb] quit
# Create a local user named userc.
[Device] local-user userc class network
New local user added.
# Set the password to c12345 for user userc.
[Device-luser-network-userc] password simple c12345
# Authorize user userc to use the LAN access service.
[Device-luser-network-userc] service-type lan-access
# Specify user profile userc as the authorization user profile for user userc.
[Device-luser-network-userc] authorization-attribute user-profile userc
[Device-luser-network-userc] quit
8. Configure the authentication, authorization, and accounting methods for local users:
[Device] domain user
[Device-isp-user] authentication lan-access local
[Device-isp-user] authorization lan-access local
[Device-isp-user] accounting login none
[Device-isp-user] quit
9. Configure 802.1X:
# Enable 802.1X on Ten-GigabitEthernet 1/0/1.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] dot1x
# Enable MAC-based access control on the port. By default, a port uses MAC-based access control.
[Device-Ten-GigabitEthernet1/0/1] dot1x port-method macbased
[Device-Ten-GigabitEthernet1/0/1] quit
# Enable 802.1X globally.
[Device] dot1x
Verifying the configuration
# Verify that the three users can pass 802.1X authentication and that QoS policies take effect on these users. (Details not shown.)
# Display user profile information.
<Device> display user-profile
User-Profile: usera
Inbound:
Policy: for_usera
slot 1:
User -:
Authentication type: 802.1X
Network attributes:
Interface : Ten-GigabitEthernet1/0/1
MAC address : 6805-ca06-557b
Service VLAN : 1
User-Profile: userb
Inbound:
Policy: for_userb
slot 1:
User -:
Authentication type: 802.1X
Network attributes:
Interface : Ten-GigabitEthernet1/0/1
MAC address : 80c1-6ee0-2664
Service VLAN : 1
User-Profile: userc
Outbound:
Policy: for_userc
slot 1:
User -:
Authentication type: 802.1X
Network attributes:
Interface : Ten-GigabitEthernet1/0/1
MAC address : 6805-ca05-3efa
Service VLAN : 1
