Login
- Table of Contents
-
- 09-Security Configuration Guide
- 00-Preface
- 01-AAA configuration
- 02-802.1X configuration
- 03-MAC authentication configuration
- 04-Portal configuration
- 05-Web authentication configuration
- 06-Triple authentication configuration
- 07-Port security configuration
- 08-User profile configuration
- 09-Password control configuration
- 10-Public key management
- 11-PKI configuration
- 12-IPsec configuration
- 13-SSH configuration
- 14-SSL configuration
- 15-Attack detection and prevention configuration
- 16-TCP attack prevention configuration
- 17-IP source guard configuration
- 18-ARP attack protection configuration
- 19-ND attack defense configuration
- 20-SAVI configuration
- 21-MFF configuration
- 22-Crypto engine configuration
- 23-FIPS configuration
- 24-802.1X client configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 08-User profile configuration | 71.29 KB |
Prerequisites for user profile
Display and maintenance commands for user profiles
User profile configuration examples
Example: Configuring user profiles and QoS policies
Configuring user profiles
About user profiles
A user profile defines a set of parameters, such as a QoS policy, for a user or a class of users. A user profile can be reused when a user connected to the network on a different interface.
The user profile application allows flexible traffic policing on a per-user basis. Each time a user passes authentication, the server sends the device the name of the user profile specified for the user. The device applies the parameters in the user profile to the user.
User profiles are typically used for resource allocation per user. For example, the interface-based traffic policing limits the total amount of bandwidth available to a group of users. However, user-profile-based traffic policing can limit the amount of bandwidth available to a single user.
Prerequisites for user profile
A user profile works with authentication methods. You must configure authentication for a user profile. For information about supported authentication methods, see the configuration guides for the related authentication modules.
Configuring a user profile
1. Enter system view.
system-view
2. Create a user profile and enter user profile view.
user-profile profile-name
3. Apply an existing QoS policy to the user profile.
qos apply policy policy-name { inbound | outbound }
By default, no QoS policy is applied to a user profile.
For information about QoS policies, see ACL and QoS Configuration Guide.
Display and maintenance commands for user profiles
Execute display commands in any view.
|
Task |
Command |
|
Display configuration and online user information for the specified user profile or all user profiles. |
display user-profile [ name profile-name ] [ slot slot-number ] |
User profile configuration examples
Example: Configuring user profiles and QoS policies
Network requirements
As shown in Figure 1, the device performs local 802.1X authentication on the users in domain user for authentication and authorization efficiency.
Configure user profiles and QoS policies on the device to meet the following requirements:
· User A cannot access the Internet during 8: 30 and 12:00 every day even if User A passes 802.1X authentication.
· User B has an upload speed of 2 Mbps after passing 802.1X authentication.
· User C has a download speed of 4 Mbps after passing 802.1X authentication.
Configuration procedure
1. Configure a QoS policy for User A:
# Create a periodic time range from 8:30 to 12:00 every day.
<Device> system-view
[Device] time-range for_usera 8:30 to 12:00 daily
# Create IPv4 basic ACL 2000, and configure a rule to match all packets during the time range for_usera.
[Device] acl basic 2000
[Device-acl-basic-2000] rule permit time-range for_usera
[Device-acl-basic-2000] quit
# Create a traffic class named for_usera, and use ACL 2000 as the match criterion.
[Device] traffic classifier for_usera
[Device-classifier-for_usera] if-match acl 2000
[Device-classifier-for_usera] quit
# Create a traffic behavior named for_usera, and configure the deny action.
[Device] traffic behavior for_usera
[Device-behavior-for_usera] filter deny
[Device-behavior-for_usera] quit
# Create a QoS policy named for_usera, and associate traffic class for_usera and traffic behavior for_usera in the QoS policy.
[Device] qos policy for_usera
[Device-qospolicy-for_usera] classifier for_usera behavior for_usera
[Device-qospolicy-for_usera] quit
2. Create a user profile for User A and apply the QoS policy to the user profile:
# Create a user profile named usera.
[Device] user-profile usera
# Apply QoS policy for_usera to the inbound direction of user profile usera.
[[Device-user-profile-usera] qos apply policy for_usera inbound
[Device-user-profile-usera] quit
3. Configure a QoS policy for limiting the traffic rate for User B:
# Create a traffic class named class to match all packets.
[Device] traffic classifier class
[Device-classifier-class] if-match any
[Device-classifier-class] quit
# Create a traffic behavior named for_userb, and configure a traffic policing action (CIR 2000 kbps).
[Device] traffic behavior for_userb
[Device-behavior-for_userb] car cir 2000
[Device-behavior-for_userb] quit
# Create a QoS policy named for_userb, and associate traffic class class and traffic behavior for_userb in the QoS policy.
[Device] qos policy for_userb
[Device-qospolicy-for_userb] classifier class behavior for_userb
[Device-qospolicy-for_userb] quit
4. Create a user profile for User B and apply the QoS policy to the user profile:
# Create a user profile named userb.
[Device] user-profile userb
# Apply QoS policy for_userb to the inbound direction of user profile userb.
[Device-user-profile-userb] qos apply policy for_userb inbound
[Device-user-profile-userb] quit
5. Configure a QoS policy for limiting the traffic rate for User C:
# Create a traffic behavior named for_userc, and configure a traffic policing action (CIR 4000 kbps).
[Device] traffic behavior for_userc
[Device-behavior-for_userc] car cir 4000
[Device-behavior-for_userc] quit
# Create a QoS policy named for_userc, and associate traffic class class and traffic behavior for_userc in the QoS policy.
[Device] qos policy for_userc
[Device-qospolicy-for_userc] classifier class behavior for_userc
[Device-qospolicy-for_userc] quit
6. Create a user profile for User C and apply the QoS policy to the user profile:
# Create a user profile named userc.
[Device] user-profile userc
# Apply QoS policy for_userc to the outbound direction of user profile userc.
[Device-user-profile-userc] qos apply policy for_userc outbound
[Device-user-profile-userc] quit
7. Configure local users:
# Create a local user named usera.
[Device] local-user usera class network
New local user added.
# Set the password to a12345 for user usera.
[Device-luser-network-usera] password simple a12345
# Authorize user usera to use the LAN access service.
[Device-luser-network-usera] service-type lan-access
# Specify user profile usera as the authorization user profile for user usera.
[Device-luser-network-usera] authorization-attribute user-profile usera
[Device-luser-network-usera] quit
# Create a local user named userb.
[Device] local-user userb class network
New local user added.
# Set the password to b12345 for user userb.
[Device-luser-network-userb] password simple b12345
# Authorize user userb to use the LAN access service.
[Device-luser-network-userb] service-type lan-access
# Specify user profile userb as the authorization user profile for user userb.
[Device-luser-network-userb] authorization-attribute user-profile userb
[Device-luser-network-userb] quit
# Create a local user named userc.
[Device] local-user userc class network
New local user added.
# Set the password to c12345 for user userc.
[Device-luser-network-userc] password simple c12345
# Authorize user userc to use the LAN access service.
[Device-luser-network-userc] service-type lan-access
# Specify user profile userc as the authorization user profile for user userc.
[Device-luser-network-userc] authorization-attribute user-profile userc
[Device-luser-network-userc] quit
8. Configure the authentication, authorization, and accounting methods for local users:
[Device] domain user
[Device-isp-user] authentication lan-access local
[Device-isp-user] authorization lan-access local
[Device-isp-user] accounting login none
[Device-isp-user] quit
9. Configure 802.1X:
# Enable 802.1X on GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x
# Enable MAC-based access control on the port. By default, a port uses MAC-based access control.
[Device-GigabitEthernet1/0/1] dot1x port-method macbased
[Device-GigabitEthernet1/0/1] quit
# Enable 802.1X globally.
[Device] dot1x
Verifying the configuration
# Verify that the three users can pass 802.1X authentication and that QoS policies take effect on these users. (Details not shown.)
# Display user profile information.
<Device> display user-profile
User-Profile: usera
Inbound:
Policy: for_usera
slot 1:
User -:
Authentication type: 802.1X
Network attributes:
Interface : GigabitEthernet1/0/1
MAC address : 6805-ca06-557b
Service VLAN : 1
User-Profile: userb
Inbound:
Policy: for_userb
slot 1:
User -:
Authentication type: 802.1X
Network attributes:
Interface : GigabitEthernet1/0/1
MAC address : 80c1-6ee0-2664
Service VLAN : 1
User-Profile: userc
Outbound:
Policy: for_userc
slot 1:
User -:
Authentication type: 802.1X
Network attributes:
Interface : GigabitEthernet1/0/1
MAC address : 6805-ca05-3efa
Service VLAN : 1
