06-User Profile Configuration
This chapter includes these sections:
· User profile configuration task list
· Displaying and maintaining user profiles
NOTE:
· The term "switch" or "device" in this chapter refers to the switching engine on a WX3000E wireless switch.
· The WX3000E series comprises WX3024E and WX3010E wireless switches.
· The port numbers in this chapter are for illustration only.
User profile overview
A user profile provides a configuration template to save predefined configurations, such as a Quality of Service (QoS) policy. Different user profiles are applicable to different application scenarios.
User profiles work with 802.1X authentication and can restrict the behavior of authenticated users. After the authentication server verifies a user, it sends the device the name of the user profile that is associated with the user. The device then applies the configurations in the user profile if the profile is enabled, and allows user access based on all valid configurations. If the user profile is not enabled, the device denies the user access. After the user logs out, the device automatically disables the configurations in the user profile, and the restrictions on the user are removed.
Without user profiles, service policies are applied per interface, per VLAN, or globally, and a policy applies to any user that accesses the interface, VLAN, or device. If a user moves between ports to access a device, then to keep restricting the user's behavior you must remove the policy from the previous port and configure the same policy on the port that the user now uses. This configuration task is tedious and error prone.
User profiles provide flexible user-based service applications because a user profile is associated with a target user. Every time the user accesses the device, the device automatically applies the configurations in the associated user profile.
User profile configuration task list
Complete the following tasks to configure a user profile:
Task | Remarks |
---|---|
Creating a user profile | Required |
Configuring a user profile | Required |
Enabling a user profile | Required |
Creating a user profile
Configuration prerequisites
Before you create a user profile, complete the following tasks:
· Configure authentication parameters on the device.
· Perform configurations on the client, the device, and the authentication server, for example, username, password, authentication scheme, domain, and binding a user profile with a user.
Creating a user profile
Follow these steps to create a user profile:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Create a user profile, and enter its view | user-profile profile-name | Required. You can use the command to enter the view of an existing user profile. |
Configuring a user profile
After a user profile is created, apply a QoS policy in user profile view to restrict online users. The QoS policy takes effect when the user profile is enabled and a user that uses the user profile goes online.
Follow these steps to configure a user profile:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter user profile view | user-profile profile-name | Required |
Apply the QoS policy | qos apply policy policy-name inbound | Required |

NOTE:
· If a user profile is enabled but not used by any online user, you can edit only the content of the ACL that is referenced by the QoS policy in the profile. If the user profile is being used by online users, you cannot edit any configuration in the QoS policy.
· The QoS policies that can be applied to user profiles support only the remark and filter actions.
· Do not apply an empty policy in user profile view because a user profile with an empty policy applied cannot be enabled.
· For information about QoS policy configurations, see the ACL and QoS Configuration Guide.
Enabling a user profile
Enable a user profile so that the device can apply the configurations in the profile to restrict user behaviors. If the device detects that the user profile is disabled, the device denies the associated user access even if the user has been verified by the authentication server.
Follow these steps to enable a user profile:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enable a user profile | user-profile profile-name enable | Required. A user profile is disabled by default. |

NOTE:
· You can only edit or remove the configurations in a disabled user profile.
· Disabling a user profile logs out the users that are using the user profile.
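The create, configure, and enable steps above imply three conditions under which authenticated users are denied or a profile cannot be enabled: no QoS policy applied, an empty policy applied, or the profile left disabled. The following Python check is an added example, not part of the vendor guide; it assumes a saved configuration given as plain command lines in the forms shown in this chapter, assumes QoS policy contents appear as "qos policy" and "classifier ... behavior ..." lines, and uses constructed profile and policy names.

```python
import re

# Constructed sample input. The "qos policy" / "classifier ... behavior ..."
# lines are an assumed form of the QoS policy definition; all names are made up.
SAMPLE = """\
qos policy limit-guest
 classifier c-guest behavior b-deny
qos policy empty-pol
user-profile guest
 qos apply policy limit-guest inbound
user-profile staff
 qos apply policy empty-pol inbound
user-profile lab
user-profile guest enable
"""

def audit_user_profiles(config):
    """Return {profile: [findings]} for profiles whose users would be denied."""
    # entries: policy -> classifier-behavior count; applied: profile -> policy
    entries, applied, enabled = {}, {}, set()
    view = None  # (kind, name) of the view that indented lines belong to
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"user-profile (\S+) enable", line):
            enabled.add(m.group(1))
        elif m := re.fullmatch(r"user-profile (\S+)", line):
            view = ("profile", m.group(1))
            applied.setdefault(m.group(1), None)
        elif m := re.fullmatch(r"qos policy (\S+)", line):
            view = ("policy", m.group(1))
            entries.setdefault(m.group(1), 0)
        elif not raw[:1].isspace():
            view = None  # any other top-level command leaves the view
        elif view and view[0] == "policy" and line.startswith("classifier "):
            entries[view[1]] += 1
        elif view and view[0] == "profile" and (
                m := re.fullmatch(r"qos apply policy (\S+) inbound", line)):
            applied[view[1]] = m.group(1)
    report = {}
    for name, policy in applied.items():
        issues = []
        if policy is None:
            issues.append("no QoS policy applied")
        elif entries.get(policy, 0) == 0:
            issues.append(f"policy {policy} is empty or undefined; profile cannot be enabled")
        if name not in enabled:
            issues.append("not enabled; authenticated users are denied")
        if issues:
            report[name] = issues
    return report
```

Calling audit_user_profiles(SAMPLE) reports the staff and lab profiles and leaves guest out, because guest has a non-empty policy applied and is enabled.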
Displaying and maintaining user profiles
To do… | Use the command… | Remarks |
---|---|---|
Display information about all the created user profiles | display user-profile [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |