03-Security Configuration Guide

09-User identification configuration

Configuring user identification

About user identification

The user identification feature works with other security features such as blacklist and object policy to control users' network access based on the users' IP addresses. This feature makes it easier for network administrators to deploy policies for security features and to collect per-user statistics and analysis of network attack behaviors and traffic flows. It also enables the network administrators to keep policy control in effect regardless of changes to the user IP addresses.

Identity-based user access control

The following shows the process for identity-based user access control:

1.     Identity authentication. A network access user passes identity authentication and comes online.

2.     User identification. The device obtains the username and IP address of the online user, and associates the information with the local identity user account and the local identity group. Then, the username-IP mapping for the network access user is created. The administrator can also add static username-IP mappings to permit network access without identity authentication.

3.     Identity-based access control. The device identifies the source IP address of the traffic destined for the network, and resolves the IP address to the username and user group based on the mapping. The device performs network access control for the user or user group based on other security feature settings such as blacklist and object policy.

Identity user management

All identity users are organized in a tree structure. Identity user, identity group, and identity domain are management units, and their hierarchy levels are in ascending order.

·     An identity user can belong to one or multiple identity groups.

·     An identity group can belong to one or multiple higher-layer identity groups.

·     An identity user or an identity group can belong to no or one identity domain.

The device uniquely identifies a managed object by the combination of identity domain and username or the combination of identity domain and identity group.

The tree structure facilitates user location and query. As shown in Figure 1, the network administrator creates identity groups and identity users for different departments and employees to implement identity-based network access control.

Figure 1 Identity user management architecture


Identity user accounts

Identity user accounts are used to record identification information of network access users from different sources. The identification information includes the username, user group name, and identity domain name of the users. The user identification module uniformly manages identity users from different sources.

The device supports the following methods to create identity user accounts:

·     Learning from the local user database—The user identification module learns network access user information from the local user database and saves the user information as identity user accounts. For more information about network access users, see "Configuring AAA."

·     Importing from a .csv file—The network administrator imports user information from a .csv file to the device and the device automatically creates identity user accounts based on the imported information.

·     Importing from remote servers—The device initiates user information requests to remote servers, imports network access user information, and then creates identity user accounts based on the imported information. This method enables the network administrator to manage identity user accounts when user information is on the remote servers. Supported remote servers include LDAP servers and H3C IMC RESTful servers.

Online identity users

Online identity users are online network access users (including portal, PPP, IPoE, and SSL VPN users) that are managed by the user identification module. The device records the username, identity domain name, IP address, and MAC address of online identity users.

Online identity users include dynamic online identity users and static online identity users.

Dynamic online identity users

Dynamic online identity users have the following sources:

·     Online network access users that access the network through the device—After a user passes local or remote authentication and comes online, the user identification module searches the local identity user accounts for the user's username and domain name. If a matching entry is found, the device creates an online identity user entry for the user.

·     Online network access users obtained from remote servers—After the device obtains information about an online user from a remote server, the user identification module searches the local identity user accounts for the user's username and domain name. If a matching entry is found, the device creates an online identity user entry for the user. The device can obtain information about all online users of remote servers (including online users on other devices) for unified management and monitoring.

Supported remote servers include security management servers and H3C IMC RESTful servers.

¡     The device obtains online network access user information pushed by security management servers.

¡     The device actively imports online network access user information from an H3C IMC RESTful server.

Static online identity users

Static online identity users originate from static identity users configured by the network administrator. Each static identity user contains the mapping between the username and the IP addresses of the user. After a static identity user is created, the user identification module searches the local identity user accounts for the user's username and domain name. If a matching entry is found, the device creates a static online identity user entry for the static identity user. Static online identity users can access the network without identity authentication, but their access to the network is still controlled by security features. The network administrator can configure static identity users when only a few people need to access the network temporarily.

Application of online identity users

Application modules can impose policies of security features on online identity users. When online identity user entries are deleted, the user identification module will instruct the application modules to stop processing services for the users.

Identity groups

Identity users can be added to different groups for batch configuration and hierarchical user management. The groups are called identity groups. The user identification module uniformly manages identity groups from different sources.

Creation of identity groups

The device supports the following methods to create identity groups:

·     Learning from the local user database—When a local user group is created, the device instructs the user identification module to create an identity group with the same group name. For more information about local user groups, see "Configuring AAA."

·     Importing from a .csv file—The device imports identity user account information from a .csv file and then automatically creates identity groups based on the imported information.

·     Importing from remote servers—The device can import identity user account information from an H3C IMC RESTful server or LDAP servers and then create identity groups based on the group information in the accounts. The device can also directly obtain user group information from LDAP servers and then create identity groups.

Application of identity groups

An identity group is activated when it is used by an application module, and all services based on the identity group will take effect. When the application module stops using the identity group, the identity group is inactive.

Restrictions and guidelines: User identification configuration

The user identification feature on the device can interact with the following remote servers to learn user information:

·     H3C IMC RESTful server—The device imports identity user accounts, identity groups, and online identity users from the H3C IMC RESTful server.

·     LDAP servers—The device imports identity user accounts and identity groups from LDAP servers.

·     Security management servers—The device obtains online identity users from security management servers.

To use the H3C IMC RESTful server, make sure the server is installed with the SSM E0503P04 component and runs on IMC PLAT 7.3 (E0605P04).

User identification is not applicable to portal users that perform MAC-based quick portal authentication. For more information about MAC-based quick portal authentication, see "Configuring portal authentication."

User identification tasks at a glance

To configure user identification, perform the following tasks:

1.     Enabling the user identification feature

2.     Configuring remote servers and an identity user import policy

Perform this task if the device needs to import user information from RESTful or LDAP servers.

a.     Configure remote server parameters

Configuring a RESTful server

Configuring an LDAP scheme

b.     Configuring an identity user import policy

3.     Configuring a security management server set

Perform this task if the device needs to obtain user information from security management servers.

4.     (Optional.) Managing identity user accounts

¡     Enabling automatic identity user account import

¡     Manually importing identity user accounts from remote servers

¡     Manually importing identity user accounts from a .csv file

¡     Manually exporting identity user accounts

¡     Deleting identity user accounts

5.     (Optional.) Managing online identity users

¡     Configuring static identity users

¡     Specifying the username match mode for user identification

¡     Importing online identity users from a remote server

¡     Deleting online identity users

6.     (Optional.) Deleting identity groups

Enabling the user identification feature

About this task

With the user identification feature, the device learns information about online users (such as PPP, portal, IPoE, and SSL VPN) from the user access modules. The device uses the obtained information for user identification and works with other security features for identity-based network access control.

Procedure

1.     Enter system view.

system-view

2.     Enable the user identification feature.

user-identity enable

By default, the user identification feature is disabled.

Configuring remote servers and an identity user import policy

Configuring a RESTful server

About this task

The RESTful server view defines the related parameter settings for the device to communicate with the RESTful server. The parameters include the login account and the URIs of the RESTful server. After establishing a connection with the RESTful server, the device can import identity user accounts, identity groups, and online identity users from the server.

Restrictions and guidelines

The system can have only one RESTful server.

Procedure

1.     Enter system view.

system-view

2.     Create a RESTful server and enter its view.

user-identity restful-server server-name

3.     Specify the username and password to log in to the RESTful server.

login-name user-name password { cipher | simple } string

By default, no username or password is specified for the device to log in to the RESTful server.

The specified username and password must exist on the RESTful server. Otherwise, the device cannot establish a connection with the RESTful server.

4.     Specify a URI for the RESTful server.

uri { get-online-user | get-user-database | get-user-group-database | put-offline-user | put-online-user } uri-string

By default, no URIs are specified for the RESTful server.

The specified URIs must be the same as those on the RESTful server. Otherwise, user information interaction will fail.

You can repeat this command to specify multiple URIs of the RESTful server.

5.     Specify an MPLS L3VPN instance for the RESTful server.

vpn-instance vpn-instance-name

By default, the RESTful server belongs to the public network.

6.     (Optional.) Configure RESTful server reachability detection:

a.     Enable RESTful server reachability detection.

connection-detect enable

By default, RESTful server reachability detection is disabled.

b.     Configure parameters for RESTful server reachability detection.

connection-detect { interval interval | maximum max-times }

By default, the reachability detection interval is 5 minutes and the maximum number of probes per detection is 3.

Configuring an LDAP scheme

About this task

An LDAP scheme includes the LDAP server that interacts with the device and the related parameter settings. After establishing a connection with the LDAP server, the device can import identity user accounts and identity groups from the server.

For more information about LDAP attribute maps, see "Configuring AAA."

Restrictions and guidelines

The device cannot import online identity users from the LDAP server.

When importing identity user accounts and identity groups from the LDAP server, the device does not carry parent groups to which the identity users or identity groups belong by default. To configure the device to carry the parent group information, you must configure an LDAP attribute map and specify the LDAP attribute map in the LDAP scheme.

Procedure

1.     Enter system view.

system-view

2.     Configure an LDAP server.

The LDAP server configuration includes the server IP address, the administrator DN and password for binding with the LDAP server, DN search policy, and user group filter. For more information, see "Configuring AAA."

3.     Create an LDAP attribute map and enter LDAP attribute map view.

ldap attribute-map map-name

4.     Configure an LDAP attribute mapping entry for the user group attribute.

map ldap-attribute ldap-attribute-name [ prefix prefix-value delimiter delimiter-value ] aaa-attribute user-group

5.     Create an LDAP scheme and enter LDAP scheme view.

ldap scheme ldap-scheme-name

6.     Specify the LDAP authentication server.

authentication-server server-name

By default, no LDAP authentication server is specified.

7.     Specify the LDAP attribute map.

attribute-map map-name

By default, no LDAP attribute map is specified.

After this command is executed, the device imports identity user accounts and identity groups with parent group information. However, the device does not create new identity groups based on the parent group information.

Configuring an identity user import policy

About this task

To import identity user accounts, online identity users, or identity groups from a RESTful server or LDAP servers, you must configure an identity user import policy. In this policy, you can set the parameters for the device to interact with the RESTful server or LDAP servers.

Restrictions and guidelines

The system can have only one identity user import policy. Before you configure a new identity user import policy, you must delete the existing one.

Procedure

1.     Enter system view.

system-view

2.     Create an identity user import policy and enter its view.

user-identity user-import-policy policy-name

3.     Specify a RESTful server.

restful-server server-name

By default, no RESTful server is specified.

You can specify only one RESTful server. Before you specify a new RESTful server, remove the currently specified one.

4.     Specify an LDAP scheme.

ldap-scheme ldap-scheme-name

By default, no LDAP schemes are specified.

You can specify a maximum of 16 LDAP schemes.

5.     (Optional.) Set the interval for automatic identity user account import.

account-update-interval interval

By default, the interval for automatic identity user account import is 24 hours.

6.     Specify the type of user information to be imported from LDAP servers.

import-type { all | group | user }

By default, the device imports both user information and user group information from LDAP servers.
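The three procedures above (RESTful server, LDAP scheme, identity user import policy) are shown end-to-end in the following configuration listing. It is an added example and not part of the H3C guide. The server name imc-rest, the LDAP server ldap1, the attribute map admap1, the scheme ldap1-scheme, the policy name imc-policy, the login password, the hostname imc.example.com and the URI paths are all constructed placeholders; the URIs must be replaced with the ones configured on the actual IMC server, and ldap1 is assumed to have been created under AAA as described in "Configuring AAA".

```text
# Added example (not from the H3C guide). Placeholder names and values throughout.
system-view
user-identity enable
#
# RESTful server: login account, the five URIs, and reachability detection.
# The login account must exist on the IMC server; the URIs must match the server's own.
user-identity restful-server imc-rest
 login-name imcadmin password simple ReplaceMe123
 uri get-online-user http://imc.example.com:8080/PLACEHOLDER/online-user
 uri get-user-database http://imc.example.com:8080/PLACEHOLDER/user-database
 uri get-user-group-database http://imc.example.com:8080/PLACEHOLDER/user-group-database
 uri put-online-user http://imc.example.com:8080/PLACEHOLDER/put-online-user
 uri put-offline-user http://imc.example.com:8080/PLACEHOLDER/put-offline-user
 connection-detect enable
 connection-detect interval 2
 connection-detect maximum 5
 quit
#
# LDAP: the server object ldap1 (address, bind DN and password, search base) is assumed
# to exist already (see "Configuring AAA"). The attribute map lets the import carry the
# parent group name taken from the memberOf attribute (prefix/delimiter values constructed).
ldap attribute-map admap1
 map ldap-attribute memberOf prefix CN= delimiter , aaa-attribute user-group
 quit
ldap scheme ldap1-scheme
 authentication-server ldap1
 attribute-map admap1
 quit
#
# The single identity user import policy ties both sources together.
# account-update-interval is assumed to be in hours, consistent with the 24-hour default.
user-identity user-import-policy imc-policy
 restful-server imc-rest
 ldap-scheme ldap1-scheme
 account-update-interval 12
 import-type all
 quit
#
# Check the result before enabling any automatic or manual import.
display user-identity restful-server imc-rest
display user-identity user-import-policy imc-policy
```

The listing is written in configuration-file style (indented view commands, `#` comment lines) rather than with interactive prompts, because the guide does not show the prompt strings for the RESTful server and import policy views. Note that `connection-detect { interval | maximum }` takes one keyword per command, so the interval and the probe count are set with two separate commands.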

Configuring a security management server set

About this task

The security management server set view defines the related parameters of the device to communicate with security management servers. The parameters include the IP addresses of the servers, the port number for listening to the servers, and the shared key to secure communication between the device and the servers.

When the device establishes connections with security management servers, it can receive user online and offline notifications that the servers push to the device.

·     Based on user online notifications, the device obtains online user information and creates online identity user entries for users that match identity user accounts.

·     Based on user offline notifications, the device obtains information about users that have gone offline and deletes the corresponding online identity user entries.

Restrictions and guidelines

The system can have only one security management server set.

Procedure

1.     Enter system view.

system-view

2.     Create a security management server set and enter its view.

user-identity security-manage-server server-set-name

3.     Specify IP addresses of security management servers.

ip ip-address&<1-10>

By default, no IP addresses of security management servers are specified.

4.     Configure the encryption algorithm and shared key for securing communication with security management servers.

encryption algorithm { 3des | aes128 } key { simple | cipher } string

By default, no encryption algorithm or shared key is configured for securing communication with security management servers.

5.     Set the port number for listening to security management servers.

listen-port port-num

By default, the device listens to security management servers on port 8001.
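The following listing applies the procedure above with concrete values. It is an added example, not part of the H3C guide; the set name sms-set, the two server addresses (from the 192.0.2.0/24 documentation range) and the shared key are constructed placeholders.

```text
# Added example (not from the H3C guide). Placeholder names and values throughout.
system-view
user-identity enable
#
# One security management server set: both server addresses go in a single ip command
# (the command accepts up to 10 addresses). The shared key must match the servers' setting.
# aes128 is chosen over 3des because 3DES is a legacy algorithm.
user-identity security-manage-server sms-set
 ip 192.0.2.10 192.0.2.11
 encryption algorithm aes128 key simple ReplaceMe456
 listen-port 8001
 quit
#
# Confirm the set and, once a server has pushed an online notification for a user that
# matches an identity user account, confirm the resulting online identity user entry.
display user-identity security-manage-server sms-set
display user-identity online-user null-domain name usera
```

Port 8001 is the default listening port; it is written out here so the listening port is visible in the configuration when a firewall rule for the server-to-device traffic is reviewed.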

Managing identity user accounts

Enabling automatic identity user account import

About this task

After this feature is enabled, the device first imports all identity user accounts and online identity user information from the servers specified in the identity user import policy. Then, the device periodically imports identity user accounts from the remote servers at the interval set by using the account-update-interval command.

Restrictions and guidelines

If automatic identity user account import is enabled but the user identification feature is disabled, the device can import only identity user accounts (not online identity users) from the remote servers specified in the policy.

If RESTful server reachability detection is enabled for the RESTful server in the specified policy, the device will automatically import online identity user information from that server when the state of that server changes from unreachable to reachable.

Procedure

1.     Enter system view.

system-view

2.     Enable automatic identity user account import.

user-identity user-account auto-import policy policy-name

By default, automatic identity user account import is disabled.
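As an added example (not from the H3C guide), the command below turns on automatic import against an existing policy and lists the commands used to confirm what was pulled. The policy name imc-policy is a placeholder and is assumed to have been created under "Configuring an identity user import policy".

```text
# Added example (not from the H3C guide). imc-policy is an assumed, pre-existing policy.
system-view
# The feature must be enabled; otherwise only accounts, not online users, are imported.
user-identity enable
user-identity user-account auto-import policy imc-policy
#
# First run imports all accounts and online users; later runs happen every
# account-update-interval hours (24 by default, set in the policy).
display user-identity all user
display user-identity all user-group
display user-identity online-user null-domain name usera
```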

Manually importing identity user accounts from remote servers

About this task

Perform this task to manually import identity user accounts from remote servers. The device initiates user information requests to the servers, imports network access user account information from the servers, and then creates corresponding identity user accounts. If the device fails to import an account, the device skips the account and continues to import the next account.

Prerequisites

Before you import identity user accounts from remote servers, make sure the following conditions are met:

·     An identity user import policy is configured.

·     The specified URIs of the RESTful server or the IP addresses of the LDAP servers in the policy must be valid.

Procedure

1.     Enter system view.

system-view

2.     Import identity user accounts from remote servers.

user-identity user-account import policy policy-name

Manually importing identity user accounts from a .csv file

About this task

Perform this task to manually import identity user accounts from a .csv file. If the device fails to import an account, it stops importing the remaining identity user accounts in the file.

Prerequisites

Before you import identity user accounts from a .csv file, make sure the .csv file is a standard .csv file. To see the format of a standard .csv file, use the user-identity user-account export url command to export a standard template.

Procedure

1.     Enter system view.

system-view

2.     Import identity user accounts from a .csv file.

user-identity user-account import url url-string [ vpn-instance vpn-instance-name ] [ auto-create-group | override | start-line line-number ] *

Manually exporting identity user accounts

About this task

Perform this task to export identity user accounts on the device to a .csv file. You can directly import identity user accounts in the exported file to other devices. Or, you can edit the exported file and then import identity user accounts in the file back to the device or to other devices.

If you specify the template keyword, the device exports a standard .csv file template. You can use this file template as a reference when you edit .csv files.

Procedure

1.     Enter system view.

system-view

2.     Export identity user accounts to a .csv file.

user-identity user-account export url url-string [ { domain domain-name | null-domain } [ user user-name ] | template ] [ vpn-instance vpn-instance-name ]
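The export, .csv import and remote import commands of the preceding three tasks are combined in the following listing. It is an added example and not part of the H3C guide. The file names, the TFTP server address 192.0.2.20, the domain corp and the policy name imc-policy are constructed placeholders; it is also assumed that a local flash:/ path is accepted as url-string and that the template's first line is a header counted as line 1.

```text
# Added example (not from the H3C guide). Placeholder paths, addresses and names throughout.
system-view
#
# 1. Export the standard template to use as the reference layout when editing .csv files
#    (local flash:/ path assumed to be a valid url-string).
user-identity user-account export url flash:/identity-template.csv template
#
# 2. Export the accounts of one domain to a TFTP server for editing or for import elsewhere.
user-identity user-account export url tftp://192.0.2.20/corp-users.csv domain corp
#
# 3. Import the edited file. start-line 2 assumes line 1 is the header; auto-create-group
#    creates identity groups named in the file; override replaces existing accounts.
#    A .csv import stops at the first account that fails, so check the result afterwards.
user-identity user-account import url tftp://192.0.2.20/corp-users.csv start-line 2 auto-create-group override
#
# 4. One-off pull from the remote servers named in the policy. Unlike the .csv import,
#    a failed account is skipped and the import continues with the next one.
user-identity user-account import policy imc-policy
#
# Verify the accounts and groups now present for the domain.
display user-identity domain corp user
display user-identity domain corp user-group
```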

Deleting identity user accounts

About this task

Identity user accounts can be deleted by using the following methods:

·     Manual deletion—The administrator uses a command to delete identity user accounts imported from remote servers or .csv files.

·     Dynamic deletion—Deletion of network access users in the local user database triggers the deletion of corresponding identity user accounts.

Manually deleting identity user accounts

To manually delete identity user accounts, execute the following command in user view:

reset user-identity user-account { all | { domain domain-name | null-domain } [ name user-name ] }

Managing online identity users

Configuring static identity users

Restrictions and guidelines

A username can be bound with multiple IP addresses or with multiple IP-MAC address combinations. However, an IP address or an IP-MAC address combination cannot be bound with multiple usernames.

Procedure

1.     Enter system view.

system-view

2.     Configure a static identity user.

user-identity static-user user-name [ domain domain-name ] bind { ipv4 ipv4-address | ipv6 ipv6-address } [ mac mac-address ]
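The binding rule above (one username may carry several IP or IP-MAC bindings, but one IP or IP-MAC combination may belong to only one username) is illustrated in the following listing. It is an added example, not part of the H3C guide, and goes beyond the guide's own single-binding examples by giving one user an IPv4, an IPv4-plus-MAC and an IPv6 binding. The addresses and the MAC address are constructed placeholders.

```text
# Added example (not from the H3C guide). Placeholder addresses throughout.
system-view
user-identity enable
# The static identity user only becomes an online identity user if a matching
# identity user account exists, so create the network access user first.
local-user usera class network
 quit
#
# Allowed: several bindings for the same username.
user-identity static-user usera bind ipv4 192.0.2.50
user-identity static-user usera bind ipv4 192.0.2.51 mac 0001-0001-0002
user-identity static-user usera bind ipv6 2001:db8::50
#
# Not allowed (would be rejected): the IP address 192.0.2.50 is already bound to usera,
# so it cannot also be bound to another username such as userb.
# user-identity static-user userb bind ipv4 192.0.2.50
#
# Verify the bindings and remove one of them without touching the others.
display user-identity online-user null-domain name usera
undo user-identity static-user bind ipv4 192.0.2.51 mac 0001-0001-0002
display user-identity online-user null-domain name usera
```

The usernames are created without a domain, so the display command uses null-domain, as in the guide's own configuration examples.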

Specifying the username match mode for user identification

About this task

Perform this task to specify the username match mode for user identification. The device creates online identity users only for online users whose usernames can match the usernames in the local identity user accounts.

Procedure

1.     Enter system view.

system-view

2.     Specify the username match mode for user identification.

user-identity online-user-name-match { keep-original | with-domain | without-domain }

By default, the username match mode for user identification is keep-original.

Importing online identity users from a remote server

About this task

Perform this task to import online identity user information from a remote server. The device initiates a real-time online user information request to the server and then imports all online user information.

Restrictions and guidelines

The device can import online identity users only from an H3C IMC RESTful server.

For the device to successfully import online identity users from a remote server, make sure the user identification feature is enabled.

Prerequisites

Before you import online identity users from a remote server, make sure the following conditions are met:

·     An identity user import policy is configured.

·     The specified URIs of the RESTful server in the policy must be valid.

Procedure

1.     Enter system view.

system-view

2.     Import online identity users.

user-identity online-user import policy policy-name

Deleting online identity users

About this task

Online identity users can be deleted by using the following methods:

·     Manual deletion—The administrator uses a command to delete dynamic online identity users imported from remote servers and static online identity users.

·     Dynamic deletion—Multiple events trigger the deletion of identity users.

¡     After a network access user goes offline, the access module instructs the user identification module to delete the associated online identity users.

¡     After the device reboots, all dynamic online identity users are deleted.

¡     After the user identification feature is disabled, all dynamic online identity users are deleted.

¡     After a user on a remote server goes offline, the remote server instructs the device to delete the associated online identity user.

Manually deleting dynamic online identity users

To manually delete dynamic online identity users, execute the following command in user view:

reset user-identity dynamic-online-user { all | { domain domain-name | null-domain } [ name user-name ] | { ip ipv4-address | ipv6 ipv6-address } [ mac mac-address ] }

Manually deleting static online identity users

1.     Enter system view.

system-view

2.     Delete static online identity users.

undo user-identity static-user [ domain domain-name ] [ bind { ipv4 ipv4-address | ipv6 ipv6-address } [ mac mac-address ] ]

Deleting identity groups

About this task

Identity groups can be deleted by using the following methods:

·     Manual deletion—The administrator uses a command to delete identity groups imported from remote servers or .csv files.

·     Dynamic deletion—Deletion of user groups in the local user database triggers the deletion of corresponding identity groups.

Manually deleting identity groups

To manually delete identity groups, execute the following command in user view:

reset user-identity user-group { all | { domain domain-name | null-domain } [ name group-name ] }

Display and maintenance commands for user identification

Execute display commands in any view.

Display information about identity users or identity groups:

display user-identity { domain domain-name | null-domain } { user [ user-name [ group ] ] | user-group [ group-name [ member { group | user } ] ] }

Display information about active identity groups:

display user-identity active-user-group { all | domain domain-name | null-domain }

Display information about all identity users or identity groups:

display user-identity all { user | user-group }

Display information about online identity users:

display user-identity online-user { domain domain-name | null-domain } name user-name

Display RESTful server configuration:

display user-identity restful-server [ server-name ]

Display configuration information for security management server sets:

display user-identity security-manage-server [ server-set-name ]

Display identity user import policy information:

display user-identity user-import-policy [ policy-name ]

User identification configuration examples

Example: Configuring static user identification based on an object policy

Network configuration

As shown in Figure 2, the administrator permits user usera with IP address 1.2.3.4 and MAC address 0001-0001-0001 to access the network without identity authentication. Configure an object policy for access control, which permits the user to access the network only from 8:00 to 18:00 in working days.

Figure 2 Network diagram

Procedure

1.     Assign IP addresses to interfaces and configure routes. Make sure the network connections are available. (Details not shown.)

2.     Configure user identification:

# Create a network access user named usera.

<Device> system-view

[Device] local-user usera class network

[Device-luser-network-usera] quit

# Configure a static identity user named usera with IP address 1.2.3.4 and MAC address 0001-0001-0001.

[Device] user-identity static-user usera bind ipv4 1.2.3.4 mac 0001-0001-0001

# Enable the user identification feature.

[Device] user-identity enable

3.     Configure the object policy and rules:

# Create a time range named work and specify the time range in working days.

[Device] time-range work 08:00 to 18:00 working-day

# Create an IPv4 address object group named ipgroup1, and specify the network access user usera as an object in the group.

[Device] object-group ip address ipgroup1

[Device-obj-grp-ip-ipgroup1] network user usera

[Device-obj-grp-ip-ipgroup1] quit

# Create an IPv4 object policy named ippolicy1 to allow the user to access the network in the time range defined by work.

[Device] object-policy ip ippolicy1

[Device-obj-policy-ip-ippolicy1] rule pass source-ip ipgroup1 time-range work

[Device-obj-policy-ip-ippolicy1] quit

4.     Configure a zone pair and apply the object policy to the zone pair:

# Create a security zone named trust and add GigabitEthernet 1/2/5/1 to the security zone.

[Device] security-zone name trust

[Device-security-zone-Trust] import interface gigabitethernet 1/2/5/1

[Device-security-zone-Trust] quit

# Create a security zone named untrust and add GigabitEthernet 1/2/5/2 to the security zone.

[Device] security-zone name untrust

[Device-security-zone-Untrust] import interface gigabitethernet 1/2/5/2

[Device-security-zone-Untrust] quit

# Create a zone pair with source security zone trust and destination security zone untrust.

[Device] zone-pair security source trust destination untrust

# Apply object policy ippolicy1 to the zone pair.

[Device-zone-pair-security-Trust-Untrust] object-policy apply ip ippolicy1

[Device-zone-pair-security-Trust-Untrust] quit

Verifying the configuration

# Display online identity user information for user usera.

[Device] display user-identity online-user null-domain name usera

User name: usera

  IP  : 1.2.3.4

  MAC : 0001-0001-0001

  Type: Static

 

Total 1 records matched.

# Verify that the user can access the network only from 8:00 to 18:00 in working days. (Details not shown.)

Example: Configuring static user identification based on a security policy

Network configuration

As shown in Figure 3, the administrator permits user usera with IP address 1.2.3.4 and MAC address 0001-0001-0001 to access the network without identity authentication. Configure a security policy for access control, which permits the user to access the network only from 8:00 to 18:00 in working days.

Figure 3 Network diagram

Procedure

1.     Assign IP addresses to interfaces and configure routes. Make sure the network connections are available. (Details not shown.)

2.     Configure user identification:

# Create a network access user named usera.

<Device> system-view

[Device] local-user usera class network

[Device-luser-network-usera] quit

# Configure a static identity user named usera with IP address 1.2.3.4 and MAC address 0001-0001-0001.

[Device] user-identity static-user usera bind ipv4 1.2.3.4 mac 0001-0001-0001

# Enable the user identification feature.

[Device] user-identity enable

3.     Configure a time range and an object group:

# Create a time range named work and specify the time range in working days.

[Device] time-range work 08:00 to 18:00 working-day

# Create an IPv4 address object group named ipgroup1, and specify the network access user usera as an object in the group.

[Device] object-group ip address ipgroup1

[Device-obj-grp-ip-ipgroup1] network user usera

[Device-obj-grp-ip-ipgroup1] quit

4.     Configure a security zone:

# Create a security zone named trust and add GigabitEthernet 1/2/5/1 to the security zone.

[Device] security-zone name trust

[Device-security-zone-Trust] import interface gigabitethernet 1/2/5/1

[Device-security-zone-Trust] quit

# Create a security zone named untrust and add GigabitEthernet 1/2/5/2 to the security zone.

[Device] security-zone name untrust

[Device-security-zone-Untrust] import interface gigabitethernet 1/2/5/2

[Device-security-zone-Untrust] quit

5.     Configure a security policy:

# Enter IPv4 security policy view.

[Device] security-policy ip

# Configure a security policy rule named ippolicy1 to permit user usera to access the network only from 8:00 to 18:00 on working days.

[Device-security-policy-ip] rule 1 name ippolicy1

[Device-security-policy-ip-1-ippolicy1] source-zone trust

[Device-security-policy-ip-1-ippolicy1] destination-zone untrust

[Device-security-policy-ip-1-ippolicy1] action pass

[Device-security-policy-ip-1-ippolicy1] source-ip ipgroup1

[Device-security-policy-ip-1-ippolicy1] time-range work

[Device-security-policy-ip-1-ippolicy1] quit

[Device-security-policy-ip] quit

Verifying the configuration

# Display online identity user information for user usera.

[Device] display user-identity online-user null-domain name usera

User name: usera

  IP  : 1.2.3.4

  MAC : 0001-0001-0001

  Type: Static

 

Total 1 records matched

# Verify that the user can access the network only from 8:00 to 18:00 on working days. (Details not shown.)

Example: Configuring portal user identification

Network configuration

As shown in Figure 4, hosts obtain public IP addresses through DHCP for portal authentication. The portal server provides portal authentication and Web services. The RADIUS server provides user authentication and accounting.

Configure the device to perform identity-based access control and permit portal users to access the network only from 8:00 to 18:00 on working days.

Figure 4 Network diagram

Procedure

1.     Assign IP addresses to interfaces and configure routes. Make sure the network connections are available. (Details not shown.)

2.     Configure portal authentication. Make sure users usera, userb, and userc can pass portal authentication on Host A, Host B, and Host C, respectively. (Details not shown.)

For more information about portal configuration, see "Configuring portal authentication."

3.     Configure user identification:

# Create network access users usera, userb, and userc.

<Device> system-view

[Device] local-user usera class network

[Device-luser-network-usera] quit

[Device] local-user userb class network

[Device-luser-network-userb] quit

[Device] local-user userc class network

[Device-luser-network-userc] quit

# Create a user group named group1.

[Device] user-group group1

# Add users usera, userb, and userc to user group group1 as identity members.

[Device-ugroup-group1] identity-member user usera

[Device-ugroup-group1] identity-member user userb

[Device-ugroup-group1] identity-member user userc

[Device-ugroup-group1] quit

# Enable the user identification feature.

[Device] user-identity enable

4.     Configure an object policy and rules:

# Create a time range named work and specify the time range in working days.

[Device] time-range work 08:00 to 18:00 working-day

# Create an IPv4 address object group named ipgroup1, and specify identity group group1 as an object in the object group.

[Device] object-group ip address ipgroup1

[Device-obj-grp-ip-ipgroup1] network user-group group1

[Device-obj-grp-ip-ipgroup1] quit

# Create an IPv4 object policy named ippolicy1 to allow users to access the network in the time range defined by work.

[Device] object-policy ip ippolicy1

[Device-obj-policy-ip-ippolicy1] rule pass source-ip ipgroup1 time-range work

[Device-obj-policy-ip-ippolicy1] quit

5.     Configure a zone pair and apply the object policy to the zone pair:

# Create a security zone named zone1 and add GigabitEthernet 1/2/5/1 to the security zone.

[Device] security-zone name zone1

[Device-security-zone-zone1] import interface gigabitethernet 1/2/5/1

[Device-security-zone-zone1] quit

# Create a security zone named zone2 and add GigabitEthernet 1/2/5/2 to the security zone.

[Device] security-zone name zone2

[Device-security-zone-zone2] import interface gigabitethernet 1/2/5/2

[Device-security-zone-zone2] quit

# Create a zone pair with source security zone zone1 and destination security zone zone2.

[Device] zone-pair security source zone1 destination zone2

# Apply object policy ippolicy1 to the zone pair.

[Device-zone-pair-security-zone1-zone2] object-policy apply ip ippolicy1

[Device-zone-pair-security-zone1-zone2] quit

Verifying the configuration

# Display all identity members in group group1.

[Device] display user-group name group1 identity-member all

Total 1 user groups matched.

 

User group: group1

  Identity groups: 0

  Identity users: 3

  User ID       Username

  0x1           usera

  0x2           userb

  0x3           userc

# Users usera, userb, and userc come online. (Details not shown.)

# Display online identity user information for the users. This example uses usera.

[Device] display user-identity online-user null-domain name usera

User name: usera

  IP  : 2.2.2.2

  MAC : 0001-0002-0003

  Type: Dynamic

 

Total 1 records matched

# Verify that users usera, userb, and userc can access the network only from 8:00 to 18:00 on working days. (Details not shown.)
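The following Python model is an added illustration, not device configuration and not part of the H3C guide. It covers the verification steps of both the static example and the portal example above: it parses constructed output shaped like the display user-identity online-user command into username-IP mappings, checks that a static binding came up with the intended IP and MAC, and then walks the control path the guide describes (source IP to user, user to object group, object group plus time range to rule action). The sample output, the group membership table, the working-day meaning (Monday to Friday), the exclusive end time and the default-drop result for unmatched traffic are assumptions of this model, not documented device behaviour.

```python
"""Added model of identity-based access control (not part of the H3C guide).

Assumptions: working-day means Monday..Friday, the time-range end is
exclusive, and traffic matching no rule is dropped.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional
import re

# Constructed sample, shaped like the guide's display output (not real output).
SAMPLE_DISPLAY = """\
User name: usera
  IP  : 1.2.3.4
  MAC : 0001-0001-0001
  Type: Static

User name: userb
  IP  : 2.2.2.3
  MAC : 0001-0002-0004
  Type: Dynamic

Total 2 records matched.
"""


@dataclass(frozen=True)
class OnlineUser:
    name: str
    ip: str
    mac: str
    kind: str  # "Static" or "Dynamic"


def parse_online_users(text):
    """Parse display output into OnlineUser records, one per 'User name:' block."""
    users, fields = [], {}
    for line in text.splitlines():
        head = re.match(r"User name:\s*(\S+)", line)
        if head:
            fields = {"name": head.group(1)}
            continue
        attr = re.match(r"\s*(IP|MAC|Type)\s*:\s*(\S+)", line)
        if attr and fields:
            fields[attr.group(1).lower()] = attr.group(2)
            if attr.group(1) == "Type":  # Type is the last line of a record
                users.append(OnlineUser(fields["name"], fields["ip"],
                                        fields["mac"], fields["type"]))
                fields = {}
    return users


def check_static_binding(users, name, ip, mac):
    """True when the user is online as a Static entry with the intended IP and MAC."""
    return any(u.name == name and u.ip == ip and u.mac == mac and u.kind == "Static"
               for u in users)


WORKING_DAY = frozenset(range(5))  # Monday..Friday (assumed meaning of working-day)


@dataclass(frozen=True)
class TimeRange:
    start: time
    end: time
    days: frozenset

    def contains(self, when):
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "pass" or "drop"
    source_users: frozenset  # usernames the source object group expands to
    time_range: Optional[TimeRange] = None


# Hypothetical identity membership, mirroring group1 in the portal example.
USER_GROUPS = {"group1": frozenset({"usera", "userb", "userc"})}


def expand_object_group(members, user_groups=USER_GROUPS):
    """Expand ('user', name) and ('user-group', name) objects into usernames."""
    names = set()
    for kind, name in members:
        names |= user_groups[name] if kind == "user-group" else {name}
    return frozenset(names)


def evaluate(users, rules, src_ip, when):
    """Resolve src_ip to a user and apply rules in order; unmatched traffic is dropped."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    user = next((u for u in users if u.ip == src_ip), None)
    for rule in rules:
        if user is None or user.name not in rule.source_users:
            continue
        if rule.time_range and not rule.time_range.contains(when):
            continue
        return rule.action, rule.name
    return "drop", None


WORK = TimeRange(time(8, 0), time(18, 0), WORKING_DAY)
IPPOLICY1 = [Rule("ippolicy1", "pass",
                  expand_object_group([("user-group", "group1")]), WORK)]

if __name__ == "__main__":
    online = parse_online_users(SAMPLE_DISPLAY)
    print(check_static_binding(online, "usera", "1.2.3.4", "0001-0001-0001"))
    print(evaluate(online, IPPOLICY1, "1.2.3.4", "2024-01-08T09:00"))  # Monday
    print(evaluate(online, IPPOLICY1, "1.2.3.4", "2024-01-06T09:00"))  # Saturday
```

Running the module shows the two failure modes the verification steps are meant to catch: a user whose source IP resolves to no mapping (or to a Dynamic entry where a Static one was intended) never matches the rule, and a matched user is still dropped outside the work time range.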
