Example: Configuring user profiles and QoS policies

Network requirements

As shown in Figure 97, the device performs local 802.1X authentication for the users in ISP domain user, so that authentication and authorization are handled on the device itself without a round trip to a remote AAA server.

Configure user profiles and QoS policies on the device to meet the following requirements (as implemented in the configuration procedure below): deny all inbound traffic from User A every day from 8:30 to 12:00; limit the inbound traffic of User B to a CIR of 2000 kbps; limit the outbound traffic of User C to a CIR of 4000 kbps. Each requirement is enforced by a QoS policy applied to a user profile, and the device assigns the user profile to the user as an authorization attribute after successful 802.1X authentication.

Figure 97: Network diagram

Configuration procedure

  1. Configure a QoS policy that denies traffic from User A during the time range:

    # Create a periodic time range from 8:30 to 12:00 every day.

    <Device> system-view
    [Device] time-range for_usera 8:30 to 12:00 daily
    

    # Create IPv4 basic ACL 2000, and configure a rule that matches all packets while time range for_usera is active. The rule's permit action only selects traffic for the classifier; the packets are dropped by the deny action of the traffic behavior configured below. Outside the time range the rule is inactive, so the classifier matches nothing and the policy has no effect.

    [Device] acl basic 2000
    [Device-acl-basic-2000] rule permit time-range for_usera
    [Device-acl-basic-2000] quit
    

    # Create a traffic class named for_usera, and use ACL 2000 as the match criterion.

    [Device] traffic classifier for_usera
    [Device-classifier-for_usera] if-match acl 2000
    [Device-classifier-for_usera] quit
    

    # Create a traffic behavior named for_usera, and configure the deny action.

    [Device] traffic behavior for_usera
    [Device-behavior-for_usera] filter deny
    [Device-behavior-for_usera] quit
    

    # Create a QoS policy named for_usera, and associate traffic class for_usera and traffic behavior for_usera in the QoS policy.

    [Device] qos policy for_usera
    [Device-qospolicy-for_usera] classifier for_usera behavior for_usera
    [Device-qospolicy-for_usera] quit
    
  2. Create a user profile for User A and apply the QoS policy to the user profile:

    # Create a user profile named usera.

    [Device] user-profile usera
    

    # Apply QoS policy for_usera to the inbound direction of user profile usera.

    [Device-user-profile-usera] qos apply policy for_usera inbound
    [Device-user-profile-usera] quit
    
  3. Configure a QoS policy for limiting the traffic rate for User B:

    # Create a traffic class named class to match all packets.

    [Device] traffic classifier class
    [Device-classifier-class] if-match any
    [Device-classifier-class] quit
    

    # Create a traffic behavior named for_userb, and configure a traffic policing action (CIR 2000 kbps).

    [Device] traffic behavior for_userb
    [Device-behavior-for_userb] car cir 2000
    [Device-behavior-for_userb] quit
    

    # Create a QoS policy named for_userb, and associate traffic class class and traffic behavior for_userb in the QoS policy.

    [Device] qos policy for_userb
    [Device-qospolicy-for_userb] classifier class behavior for_userb
    [Device-qospolicy-for_userb] quit
    
  4. Create a user profile for User B and apply the QoS policy to the user profile:

    # Create a user profile named userb.

    [Device] user-profile userb
    

    # Apply QoS policy for_userb to the inbound direction of user profile userb.

    [Device-user-profile-userb] qos apply policy for_userb inbound
    [Device-user-profile-userb] quit
    
  5. Configure a QoS policy for limiting the traffic rate for User C:

    # Create a traffic behavior named for_userc, and configure a traffic policing action (CIR 4000 kbps).

    [Device] traffic behavior for_userc
    [Device-behavior-for_userc] car cir 4000
    [Device-behavior-for_userc] quit
    

    # Create a QoS policy named for_userc, and associate traffic class class and traffic behavior for_userc in the QoS policy.

    [Device] qos policy for_userc
    [Device-qospolicy-for_userc] classifier class behavior for_userc
    [Device-qospolicy-for_userc] quit
    
  6. Create a user profile for User C and apply the QoS policy to the user profile:

    # Create a user profile named userc.

    [Device] user-profile userc
    

    # Apply QoS policy for_userc to the outbound direction of user profile userc.

    [Device-user-profile-userc] qos apply policy for_userc outbound
    [Device-user-profile-userc] quit
    
  7. Configure local users:

    # Create a local user named usera.

    [Device] local-user usera class network
    New local user added.
    

    # Set the password to a12345 for user usera.

    [Device-luser-network-usera] password simple a12345
    

    # Authorize user usera to use the LAN access service.

    [Device-luser-network-usera] service-type lan-access
    

    # Specify user profile usera as the authorization user profile for user usera.

    [Device-luser-network-usera] authorization-attribute user-profile usera
    [Device-luser-network-usera] quit
    

    # Create a local user named userb.

    [Device] local-user userb class network
    New local user added.
    

    # Set the password to b12345 for user userb.

    [Device-luser-network-userb] password simple b12345
    

    # Authorize user userb to use the LAN access service.

    [Device-luser-network-userb] service-type lan-access
    

    # Specify user profile userb as the authorization user profile for user userb.

    [Device-luser-network-userb] authorization-attribute user-profile userb
    [Device-luser-network-userb] quit
    

    # Create a local user named userc.

    [Device] local-user userc class network
    New local user added.
    

    # Set the password to c12345 for user userc.

    [Device-luser-network-userc] password simple c12345
    

    # Authorize user userc to use the LAN access service.

    [Device-luser-network-userc] service-type lan-access
    

    # Specify user profile userc as the authorization user profile for user userc.

    [Device-luser-network-userc] authorization-attribute user-profile userc
    [Device-luser-network-userc] quit
    
  8. Configure ISP domain user to authenticate and authorize LAN access users locally, with no accounting. All three methods must be set for the lan-access service type; a method set for the login service type applies only to CLI login users and leaves the 802.1X users on the domain default.

    [Device] domain user
    [Device-isp-user] authentication lan-access local
    [Device-isp-user] authorization lan-access local
    [Device-isp-user] accounting lan-access none
    [Device-isp-user] quit
    
  9. Configure 802.1X:

    # Enable 802.1X on HundredGigE 1/0/1.

    [Device] interface hundredgige 1/0/1
    [Device-HundredGigE1/0/1] dot1x
    

    # Set the access control method of the port to MAC-based, so that each user attached to the port is authenticated separately and receives its own authorization user profile. With port-based access control, the port would open for every attached device after the first successful authentication and per-user QoS policies could not be enforced. MAC-based access control is the default, so this command only makes the setting explicit.

    [Device-HundredGigE1/0/1] dot1x port-method macbased
    [Device-HundredGigE1/0/1] quit
    

    # Enable 802.1X globally.

    [Device] dot1x
    
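The procedure above builds a chain of references by name: time range, ACL, traffic classifier and behavior, QoS policy, user profile, local user, and ISP domain. A mistyped name anywhere in that chain leaves the user authenticated but without the intended policy. The following script is an added example, not code from the configuration guide or from the device; it parses a Comware-style configuration text (for instance the saved output of display current-configuration) and reports dangling references and domains that lack an explicit lan-access method. The parser understands only the commands used on this page, the SAMPLE_CONFIG is constructed from this procedure with two defects introduced deliberately, and the domain check encodes an assumption about operator intent (a domain without an explicit lan-access method falls back to its default method rather than failing).

```python
# Constructed sample (not captured from a device) built from the procedure above,
# with two defects added on purpose: user-profile userc applies a QoS policy that
# was never created, and domain "user" sets accounting for login users instead
# of lan-access users.  User B is omitted to keep the sample short.
SAMPLE_CONFIG = """\
time-range for_usera 8:30 to 12:00 daily
acl basic 2000
 rule 0 permit time-range for_usera
traffic classifier for_usera operator and
 if-match acl 2000
traffic classifier class operator and
 if-match any
traffic behavior for_usera
 filter deny
traffic behavior for_userc
 car cir 4000
qos policy for_usera
 classifier for_usera behavior for_usera
qos policy for_userc
 classifier class behavior for_userc
user-profile usera
 qos apply policy for_usera inbound
user-profile userc
 qos apply policy for_userc_typo outbound
domain user
 authentication lan-access local
 authorization lan-access local
 accounting login none
local-user usera class network
 service-type lan-access
 authorization-attribute user-profile usera
local-user userc class network
 service-type lan-access
 authorization-attribute user-profile userc
"""

# View-opening command (first word, or first two words) -> (object kind, index of its name).
VIEWS = {
    "time-range": ("time-range", 1), "acl": ("acl", 2),
    "traffic classifier": ("classifier", 2), "traffic behavior": ("behavior", 2),
    "qos policy": ("policy", 2), "user-profile": ("user-profile", 1),
    "local-user": ("local-user", 1), "domain": ("domain", 1),
}


def parse_config(text):
    """Return ({kind: {name: [(referenced kind, referenced name), ...]}},
    {domain: {method: {service types}}}).  Unindented lines open a view;
    indented lines belong to the view opened last, as in Comware output."""
    cfg = {k: {} for k, _ in VIEWS.values()}
    domains, kind, name = {}, None, None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "#":
            continue
        if not raw.startswith(" "):
            key = " ".join(w[:2]) if " ".join(w[:2]) in VIEWS else w[0]
            kind, pos = VIEWS.get(key, (None, 0))   # untracked views (interface ...) -> None
            if kind:
                name = w[pos]
                cfg[kind][name] = []
                if kind == "domain":
                    domains[name] = {}
        elif kind == "acl" and "time-range" in w:
            cfg[kind][name].append(("time-range", w[w.index("time-range") + 1]))
        elif kind == "classifier" and w[:2] == ["if-match", "acl"]:
            cfg[kind][name].append(("acl", w[2]))
        elif kind == "policy" and w[0] == "classifier":
            cfg[kind][name] += [("classifier", w[1]), ("behavior", w[3])]
        elif kind == "user-profile" and w[:3] == ["qos", "apply", "policy"]:
            cfg[kind][name].append(("policy", w[3]))
        elif kind == "local-user" and w[:2] == ["authorization-attribute", "user-profile"]:
            cfg[kind][name].append(("user-profile", w[2]))
        elif kind == "domain" and w[0] in ("authentication", "authorization", "accounting"):
            domains[name].setdefault(w[0], set()).add(w[1])
    return cfg, domains


def check_config(cfg, domains):
    """Findings for dangling references and for domains without explicit lan-access methods."""
    out = []
    for kind, objs in cfg.items():
        for name, refs in objs.items():
            for tkind, tname in refs:
                if tname not in cfg[tkind]:
                    out.append(f"{kind} {name}: references undefined {tkind} {tname}")
    for user, refs in cfg["local-user"].items():
        if not any(t == "user-profile" for t, _ in refs):
            out.append(f"local-user {user}: no authorization user-profile, so no per-user QoS applies")
    for dom, methods in domains.items():
        for m in ("authentication", "authorization", "accounting"):
            if "lan-access" not in methods.get(m, ()):
                out.append(f"domain {dom}: no explicit lan-access {m} method (domain default applies)")
    return out


if __name__ == "__main__":
    for finding in check_config(*parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the embedded sample it reports the two planted defects; run against a saved configuration file it returns nothing when every name the configuration refers to is defined. The reference table is generic, so adding another view kind (for example a second ACL type) means one more entry in VIEWS and one more elif in the parser.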

Verifying the configuration

# Verify that the three users can pass 802.1X authentication and that QoS policies take effect on these users. (Details not shown.)

# Display user profile information.

<Device> display user-profile
  User-Profile: usera
    Inbound:
      Policy: for_usera

    slot 1:
      User -:
        Authentication type: 802.1X
        Network attributes:
          Interface    : HundredGigE1/0/1
          MAC address  : 6805-ca06-557b
          Service VLAN : 1

  User-Profile: userb
    Inbound:
      Policy: for_userb

    slot 1:
      User -:
        Authentication type: 802.1X
        Network attributes:
          Interface    : HundredGigE1/0/1
          MAC address  : 80c1-6ee0-2664
          Service VLAN : 1

  User-Profile: userc
    Outbound:
      Policy: for_userc

    slot 1:
      User -:
        Authentication type: 802.1X
        Network attributes:
          Interface    : HundredGigE1/0/1
          MAC address  : 6805-ca05-3efa
          Service VLAN : 1