Configuring user profiles
About user profiles
A user profile defines a set of parameters, such as a QoS policy, for a user or a class of users. A user profile can be reused when the user connects to the network on a different interface.
The user profile application allows flexible traffic policing on a per-user basis. Each time a user passes authentication, the server sends the device the name of the user profile specified for the user. The device applies the parameters in the user profile to the user.
User profiles are typically used in the following scenarios:
· Resource allocation per user—Interface-based traffic policing limits the total amount of bandwidth available to a group of users. However, user-profile-based traffic policing can limit the amount of bandwidth available to a single user.
· User access control—When a user passes authentication but the account is overdue, only the resources defined by the ACL permit rules in the free rules are accessible for this user.
Prerequisites for user profile
A user profile works with authentication methods. You must configure authentication for a user profile. For information about supported authentication methods, see the configuration guides for the related authentication modules.
Configuring a user profile for a single user
1. Enter system view.
system-view
2. Create a user profile and enter user profile view.
user-profile profile-name
3. Configure the user profile. Choose the options to configure as needed:
- Apply an existing QoS policy to the user profile.
qos apply policy policy-name { inbound | outbound }
By default, no QoS policy is applied to a user profile.
- Configure a CAR policy for the user profile.
qos car { inbound | outbound } any cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ]
qos car { inbound | outbound } any cir committed-information-rate [ cbs committed-burst-size ] pir peak-information-rate [ ebs excess-burst-size ]
By default, no CAR policy is configured for a user profile.
- Configure GTS for the user profile.
qos gts cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ]
By default, GTS is not configured for a user profile.
- Configure a packet filter for the user profile.
packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound }
By default, no packet filter is configured for a user profile.
- Set the maximum number of user connections.
connection-limit amount amount
By default, the number of user connections is not limited for a user profile.
- Set the maximum connection establishment rate.
connection-limit rate rate
By default, the connection establishment rate is not limited for a user profile.
For information about QoS policies, CAR policies, and GTS, see ACL and QoS Configuration Guide.
For information about connection limits, see configuring connection limits in Security Configuration Guide.
Configuring a user profile for a user group
About this task
A session group profile is a particular type of user profile for a group of users. It implements QoS traffic control on a per-group basis. A user group can include multiple users and multiple services. For example, you can configure a session group profile to limit the total bandwidth for the user group in addition to configuring a user profile for each user.
After user profiles for user groups are deployed, the device identifies different user groups by sessions and associates each user group with a user profile.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Identify a session group on the interface.
qos session-group identify { customer-vlan | service-vlan | customer-service-vlan | subscriber-id }
By default, no session group is identified on the interface.
The interface identifies packets according to the specified method and classifies packets with the same characteristics to the same user group.
4. Return to system view.
quit
5. Create a session group profile and enter session group profile view.
user-profile profile-name type session-group
You can also use this command to enter the view of an existing session group profile.
6. Configure the session group profile. Choose the options to configure as needed:
- Configure a CAR policy for the session group profile.
qos car { inbound | outbound } any cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ]
qos car { inbound | outbound } any cir committed-information-rate [ cbs committed-burst-size ] pir peak-information-rate [ ebs excess-burst-size ]
By default, no CAR policy is configured for a session group profile.
- Configure GTS for the session group profile.
qos gts [ inbound ] { any | queue queue-id } cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ queue-length queue-length ]
qos gts [ inbound ] { any | queue queue-id } cir committed-information-rate [ cbs committed-burst-size ] pir peak-information-rate [ ebs excess-burst-size ] [ queue-length queue-length ]
By default, no GTS is configured for a session group profile.
For information about CAR policies and GTS, see ACL and QoS Configuration Guide.
Verifying and maintaining user profiles
To display configuration and online user information for the specified user profile or all user profiles, execute the following command in any view.
display user-profile [ session-group ] [ name profile-name ] [ slot slot-number ]
User profile configuration examples
Example: Configuring user profiles for a single user
Network configuration
As shown in Figure 1, the AAA server performs 802.1X authentication for User A accessing the network. The interface GigabitEthernet 0/0/1 implements MAC-based access control on 802.1X users.
Configure common user profiles and a session group profile to meet the following requirements:
· Limit the traffic rate to 4000 kbps for the STB service.
· Limit the traffic rate to 8000 kbps for the HSI service.
· Limit the traffic rate to 2000 kbps for the VoIP service.
· Limit the traffic rate to 10000 kbps for User A.
Procedure
1. Configure the AAA server:
a. Configure user accounts for the STB, HSI, and VoIP services. (Details not shown.)
b. Specify user profile upstb for the STB user account, user profile uphsi for the HSI user account, and user profile upvoip for the VoIP user account. (Details not shown.)
c. Specify session group profile sgp for each user account. (Details not shown.)
2. Configure the device:
a. Configure CAR for the STB service:
# Create user profile upstb.
<Device> system-view
[Device] user-profile upstb
# Set the CIR to 4000 kbps for incoming traffic sent by user profile upstb.
[Device-user-profile-upstb] qos car inbound any cir 4000
# Set the CIR to 4000 kbps for outgoing traffic received by user profile upstb.
[Device-user-profile-upstb] qos car outbound any cir 4000
[Device-user-profile-upstb] quit
b. Configure CAR for the HSI service:
# Create user profile uphsi.
[Device] user-profile uphsi
# Set the CIR to 8000 kbps for incoming traffic sent by user profile uphsi.
[Device-user-profile-uphsi] qos car inbound any cir 8000
# Set the CIR to 8000 kbps for outgoing traffic received by user profile uphsi.
[Device-user-profile-uphsi] qos car outbound any cir 8000
[Device-user-profile-uphsi] quit
c. Configure CAR for the VoIP service:
# Create user profile upvoip.
[Device] user-profile upvoip
# Set the CIR to 2000 kbps for incoming traffic sent by user profile upvoip.
[Device-user-profile-upvoip] qos car inbound any cir 2000
# Set the CIR to 2000 kbps for outgoing traffic received by user profile upvoip.
[Device-user-profile-upvoip] qos car outbound any cir 2000
[Device-user-profile-upvoip] quit
d. Configure session group profile:
# Create 4-queue scheduling profile qm.
[Device] qos qmprofile qm type four-queue
# Configure queue 0 to meet the following requirements:
- The WRR queuing is used.
- The WRR group is group 1.
- The scheduling weight is 5.
- The minimum guaranteed bandwidth is 200 kbps.
- The service type is VoIP.
[Device-qmprofile-four-queue-qm] queue 0 wrr group 1 weight 5 min-bandwidth 200 service-type voip
# Configure queue 1 to meet the following requirements:
- The WRR queuing is used.
- The WRR group is group 1.
- The scheduling weight is 1.
- The minimum guaranteed bandwidth is 2000 kbps.
- The service type is STB.
[Device-qmprofile-four-queue-qm] queue 1 wrr group 1 weight 1 min-bandwidth 2000 service-type stb
# Configure queue 2 to meet the following requirements:
- The WRR queuing is used.
- The WRR group is group 1.
- The scheduling weight is 1.
- The minimum guaranteed bandwidth is 4000 kbps.
- The service type is HSI.
[Device-qmprofile-four-queue-qm] queue 2 wrr group 1 weight 1 min-bandwidth 4000 service-type hsi
[Device-qmprofile-four-queue-qm] quit
# Identify a session group by SVLAN.
[Device] interface gigabitethernet 0/0/1
[Device-GigabitEthernet0/0/1] qos session-group identify service-vlan
[Device-GigabitEthernet0/0/1] quit
# Create session group profile sgp.
[Device] user-profile sgp type session-group
# Apply 4-queue scheduling profile qm to session group profile sgp.
[Device-session-group-profile-sgp] qos apply qmprofile four-queue qm
# Configure CAR to set the CIR to 10000 kbps for outgoing traffic received by session group profile sgp.
[Device-session-group-profile-sgp] qos car outbound any cir 10000
[Device-session-group-profile-sgp] quit
e. Configure 802.1X:
# Enable 802.1X globally.
[Device] dot1x
# Enable 802.1X on GigabitEthernet 0/0/1.
[Device] interface gigabitethernet 0/0/1
[Device-GigabitEthernet0/0/1] dot1x
# Configure GigabitEthernet 0/0/1 to implement MAC-based access control.
[Device-GigabitEthernet0/0/1] dot1x port-method macbased
[Device-GigabitEthernet0/0/1] quit
Verifying the configuration
# Verify that the user profiles are correctly configured and are effective on online users.
<Device> display user-profile
User-Profile: upstb
Inbound:
CIR 4000 (kbps), CBS 250000 (Bytes), EBS 0 (Bytes)
Outbound:
CIR 4000 (kbps), CBS 250000 (Bytes), EBS 0 (Bytes)
slot 1:
User user_1:
Authentication type: 802.1X
Network attributes:
Interface : GigabitEthernet0/0/1
MAC address : 0000-1111-2222
User-Profile: uphsi
Inbound:
CIR 8000 (kbps), CBS 500000 (Bytes), EBS 0 (Bytes)
Outbound:
CIR 8000 (kbps), CBS 500000 (Bytes), EBS 0 (Bytes)
slot 1:
User user_2:
Authentication type: 802.1X
Network attributes:
Interface : GigabitEthernet0/0/1
MAC address : 0000-1111-2223
User-Profile: upvoip
Inbound:
CIR 2000 (kbps), CBS 125000 (Bytes), EBS 0 (Bytes)
Outbound:
CIR 2000 (kbps), CBS 125000 (Bytes), EBS 0 (Bytes)
slot 1:
User user_3:
Authentication type: 802.1X
Network attributes:
Interface : GigabitEthernet0/0/1
MAC address : 0000-1111-2224
# Verify that the 4-queue scheduling profile qm is correctly configured and is active for users.
<Device> display user-profile session-group name sgp
Session-Group-Profile: sgp
Outbound:
CIR 10000 (kbps), CBS 625000 (Bytes), EBS 0 (Bytes)
QMProfile: qm
slot 1:
User user_1:
Authentication type: 802.1X
Network attributes:
Interface : GigabitEthernet0/0/1
MAC address : 0000-1111-2222
User user_2:
Authentication type: 802.1X
Network attributes:
Interface : GigabitEthernet0/0/1
MAC address : 0000-1111-2223
User user_3:
Authentication type: 802.1X
Network attributes:
Interface : GigabitEthernet0/0/1
MAC address : 0000-1111-2224
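The check above can be automated. The following Python sketch is an added example, not part of the vendor guide: it parses `display user-profile` output and reports every profile or direction whose CIR differs from the intended value, which matters because a profile with no CAR policy in one direction leaves that direction unpoliced for its online users. The names `parse_profiles`, `audit`, `SAMPLE` and `EXPECTED` are chosen here, and the sample text is constructed.

```python
import re

# Constructed sample modelled on this page's output; the Outbound limit of
# uphsi is deliberately left out to show a finding.
SAMPLE = """\
User-Profile: upstb
 Inbound:
  CIR 4000 (kbps), CBS 250000 (Bytes), EBS 0 (Bytes)
 Outbound:
  CIR 4000 (kbps), CBS 250000 (Bytes), EBS 0 (Bytes)
 slot 1:
  User user_1:
User-Profile: uphsi
 Inbound:
  CIR 8000 (kbps), CBS 500000 (Bytes), EBS 0 (Bytes)
 slot 1:
  User user_2:
"""
# Expected CIR (kbps) per profile and direction, from the example's requirements.
EXPECTED = {n: {"inbound": k, "outbound": k}
            for n, k in (("upstb", 4000), ("uphsi", 8000), ("upvoip", 2000))}

def parse_profiles(text):
    """Return {profile: {"cir": {direction: kbps}, "users": [names]}}."""
    profiles, cur, direction = {}, None, None
    for line in map(str.strip, text.splitlines()):  # indentation not relied on
        if m := re.match(r"(?:User|Session-Group)-Profile:\s*(\S+)", line):
            cur = profiles.setdefault(m.group(1), {"cir": {}, "users": []})
            direction = None
        elif cur is None:
            continue
        elif line in ("Inbound:", "Outbound:"):
            direction = line[:-1].lower()
        elif direction and (m := re.match(r"CIR (\d+) \(kbps\)", line)):
            cur["cir"][direction] = int(m.group(1))
        elif m := re.match(r"User (\S+):$", line):
            cur["users"].append(m.group(1))
    return profiles

def audit(profiles, expected):
    """Return (profile, direction, found_kbps, online_users) per deviation;
    found_kbps is None when the limit or the whole profile is absent."""
    findings = []
    for name, want in expected.items():
        got = profiles.get(name, {"cir": {}, "users": []})
        for d, kbps in want.items():
            if got["cir"].get(d) != kbps:
                findings.append((name, d, got["cir"].get(d), got["users"]))
    return findings
```

Calling `audit(parse_profiles(SAMPLE), EXPECTED)` flags the missing outbound limit on uphsi together with the affected online user, and reports upvoip as absent in both directions.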
Example: Configuring user profiles for multiple users
Network configuration
As shown in Figure 2, the AAA server performs 802.1X authentication for the user group (User A and User B) accessing the network. The interface GigabitEthernet 0/0/1 implements MAC-based access control on 802.1X users.
Configure common user profiles and a session group profile to meet the following requirements:
· Limit the traffic rate to 8000 kbps for User A.
· Limit the traffic rate to 4000 kbps for User B.
· Limit the traffic rate to 10000 kbps for the user group.
Procedure
1. Configure the AAA server:
a. Configure user accounts for User A and User B. (Details not shown.)
b. Specify user profile up1 for the User A user account, and user profile up2 for the User B user account. (Details not shown.)
c. Specify session group profile sgp for each user account. (Details not shown.)
2. Configure the device:
a. Configure CAR for User A:
# Create user profile up1.
<Device> system-view
[Device] user-profile up1
# Set the CIR to 8000 kbps for incoming traffic sent by user profile up1.
[Device-user-profile-up1] qos car inbound any cir 8000
# Set the CIR to 8000 kbps for outgoing traffic received by user profile up1.
[Device-user-profile-up1] qos car outbound any cir 8000
[Device-user-profile-up1] quit
b. Configure CAR for User B:
# Create user profile up2.
[Device] user-profile up2
# Set the CIR to 4000 kbps for incoming traffic sent by user profile up2.
[Device-user-profile-up2] qos car inbound any cir 4000
# Set the CIR to 4000 kbps for outgoing traffic received by user profile up2.
[Device-user-profile-up2] qos car outbound any cir 4000
[Device-user-profile-up2] quit
c. Configure session group profile:
# Create 4-queue scheduling profile qm.
[Device] qos qmprofile qm type four-queue
# Configure queue 1 and queue 2 to meet the following requirements:
- The WRR queuing is used.
- The WRR group is group 1.
- The scheduling weight is 5.
- The service type is HSI.
[Device-qmprofile-four-queue-qm] queue 1 wrr group 1 weight 5 service-type hsi
[Device-qmprofile-four-queue-qm] queue 2 wrr group 1 weight 5 service-type hsi
[Device-qmprofile-four-queue-qm] quit
# Identify a session group by SVLAN.
[Device] interface gigabitethernet 0/0/1
[Device-GigabitEthernet0/0/1] qos session-group identify service-vlan
[Device-GigabitEthernet0/0/1] quit
# Create session group profile sgp.
[Device] user-profile sgp type session-group
# Apply 4-queue scheduling profile qm to session group profile sgp.
[Device-session-group-profile-sgp] qos apply qmprofile four-queue qm
# Configure CAR to set the CIR to 10000 kbps for outgoing traffic received by session group profile sgp.
[Device-session-group-profile-sgp] qos car outbound any cir 10000
[Device-session-group-profile-sgp] quit
d. Configure 802.1X:
# Enable 802.1X globally.
[Device] dot1x
# Enable 802.1X on GigabitEthernet 0/0/1.
[Device] interface gigabitethernet 0/0/1
[Device-GigabitEthernet0/0/1] dot1x
# Configure GigabitEthernet 0/0/1 to implement MAC-based access control (the default).
[Device-GigabitEthernet0/0/1] dot1x port-method macbased
[Device-GigabitEthernet0/0/1] quit
Verifying the configuration
# Verify that the user profiles are correctly configured and are effective on online users.
<Device> display user-profile
User-Profile: up1
Inbound:
CIR 8000 (kbps), CBS 500000 (Bytes), EBS 0 (Bytes)
Outbound:
CIR 8000 (kbps), CBS 500000 (Bytes), EBS 0 (Bytes)
Queue Name: af1
slot 1:
User user_1:
Authentication type: 802.1X
Network attributes:
Interface : GigabitEthernet0/0/1
MAC address : 0000-1111-2222
User-Profile: up2
Inbound:
CIR 4000 (kbps), CBS 250000 (Bytes), EBS 0 (Bytes)
Outbound:
CIR 4000 (kbps), CBS 250000 (Bytes), EBS 0 (Bytes)
Queue Name: af2
slot 1:
User user_2:
Authentication type: 802.1X
Network attributes:
Interface : GigabitEthernet0/0/1
MAC address : 0000-1111-2223
# Verify that the 4-queue scheduling profile qm is correctly configured and is active for users.
<Device> display user-profile session-group name sgp
Session-Group-Profile: sgp
QMProfile: qm
slot 1:
User user_1:
Authentication type: 802.1X
Network attributes:
Interface : GigabitEthernet0/0/1
MAC address : 0000-1111-2222
User user_2:
Authentication type: 802.1X
Network attributes:
Interface : GigabitEthernet0/0/1
MAC address : 0000-1111-2223