Example: Configuring user profiles and QoS policies
Network requirements
As shown in Figure 97, the device performs local 802.1X authentication on the users in domain user for authentication and authorization efficiency.
Configure user profiles and QoS policies on the device to meet the following requirements:
User A cannot access the Internet during 8: 30 and 12:00 every day even if User A passes 802.1X authentication.
User B has an upload speed of 2 Mbps after passing 802.1X authentication.
User C has a download speed of 4 Mbps after passing 802.1X authentication.
Figure 97: Network diagram
Configuration procedure
Configure a QoS policy for User A:
# Create a periodic time range from 8:30 to 12:00 every day.
<Device> system-view [Device] time-range for_usera 8:30 to 12:00 daily
# Create IPv4 basic ACL 2000, and configure a rule to match all packets during the time range for_usera.
[Device] acl basic 2000 [Device-acl-basic-2000] rule permit time-range for_usera [Device-acl-basic-2000] quit
# Create a traffic class named for_usera, and use ACL 2000 as the match criterion.
[Device] traffic classifier for_usera [Device-classifier-for_usera] if-match acl 2000 [Device-classifier-for_usera] quit
# Create a traffic behavior named for_usera, and configure the deny action.
[Device] traffic behavior for_usera [Device-behavior-for_usera] filter deny [Device-behavior-for_usera] quit
# Create a QoS policy named for_usera, and associate traffic class for_usera and traffic behavior for_usera in the QoS policy.
[Device] qos policy for_usera [Device-qospolicy-for_usera] classifier for_usera behavior for_usera [Device-qospolicy-for_usera] quit
Create a user profile for User A and apply the QoS policy to the user profile:
# Create a user profile named usera.
[Device] user-profile usera
# Apply QoS policy for_usera to the inbound direction of user profile usera.
[[Device-user-profile-usera] qos apply policy for_usera inbound [Device-user-profile-usera] quit
Configure a QoS policy for limiting the traffic rate for User B:
# Create a traffic class named class to match all packets.
[Device] traffic classifier class [Device-classifier-class] if-match any [Device-classifier-class] quit
# Create a traffic behavior named for_userb, and configure a traffic policing action (CIR 2000 kbps).
[Device] traffic behavior for_userb [Device-behavior-for_userb] car cir 2000 [Device-behavior-for_userb] quit
# Create a QoS policy named for_userb, and associate traffic class class and traffic behavior for_userb in the QoS policy.
[Device] qos policy for_userb [Device-qospolicy-for_userb] classifier class behavior for_userb [Device-qospolicy-for_userb] quit
Create a user profile for User B and apply the QoS policy to the user profile:
# Create a user profile named userb.
[Device] user-profile userb
# Apply QoS policy for_userb to the inbound direction of user profile userb.
[Device-user-profile-userb] qos apply policy for_userb inbound [Device-user-profile-userb] quit
Configure a QoS policy for limiting the traffic rate for User C:
# Create a traffic behavior named for_userc, and configure a traffic policing action (CIR 4000 kbps).
[Device] traffic behavior for_userc [Device-behavior-for_userc] car cir 4000 [Device-behavior-for_userc] quit
# Create a QoS policy named for_userc, and associate traffic class class and traffic behavior for_userc in the QoS policy.
[Device] qos policy for_userc [Device-qospolicy-for_userc] classifier class behavior for_userc [Device-qospolicy-for_userc] quit
Create a user profile for User C and apply the QoS policy to the user profile:
# Create a user profile named userc.
[Device] user-profile userc
# Apply QoS policy for_userc to the outbound direction of user profile userc.
[Device-user-profile-userc] qos apply policy for_userc outbound [Device-user-profile-userc] quit
Configure local users:
# Create a local user named usera.
[Device] local-user usera class network New local user added.
# Set the password to a12345 for user usera.
[Device-luser-network-usera] password simple a12345
# Authorize user usera to use the LAN access service.
[Device-luser-network-usera] service-type lan-access
# Specify user profile usera as the authorization user profile for user usera.
[Device-luser-network-usera] authorization-attribute user-profile usera [Device-luser-network-usera] quit
# Create a local user named userb.
[Device] local-user userb class network New local user added.
# Set the password to b12345 for user userb.
[Device-luser-network-userb] password simple b12345
# Authorize user userb to use the LAN access service.
[Device-luser-network-userb] service-type lan-access
# Specify user profile userb as the authorization user profile for user userb.
[Device-luser-network-userb] authorization-attribute user-profile userb [Device-luser-network-userb] quit
# Create a local user named userc.
[Device] local-user userc class network New local user added.
# Set the password to c12345 for user userc.
[Device-luser-network-userc] password simple c12345
# Authorize user userc to use the LAN access service.
[Device-luser-network-userc] service-type lan-access
# Specify user profile userc as the authorization user profile for user userc.
[Device-luser-network-userc] authorization-attribute user-profile userc [Device-luser-network-userc] quit
Configure the authentication, authorization, and accounting methods for local users:
[Device] domain user [Device-isp-user] authentication lan-access local [Device-isp-user] authorization lan-access local [Device-isp-user] accounting login none [Device-isp-user] quit
Configure 802.1X:
# Enable 802.1X on HundredGigE 1/0/1.
[Device] interface hundredgige 1/0/1 [Device-HundredGigE1/0/1] dot1x
# Enable MAC-based access control on the port. By default, a port uses MAC-based access control.
[Device-HundredGigE1/0/1] dot1x port-method macbased [Device-HundredGigE1/0/1] quit
# Enable 802.1X globally.
[Device] dot1x
Verifying the configuration
# Verify that the three users can pass 802.1X authentication and that QoS policies take effect on these users. (Details not shown.)
# Display user profile information.
<Device> display user-profile User-Profile: usera Inbound: Policy: for_usera slot 1: User -: Authentication type: 802.1X Network attributes: Interface : HundredGigE1/0/1 MAC address : 6805-ca06-557b Service VLAN : 1 User-Profile: userb Inbound: Policy: for_userb slot 1: User -: Authentication type: 802.1X Network attributes: Interface : HundredGigE1/0/1 MAC address : 80c1-6ee0-2664 Service VLAN : 1 User-Profile: userc Outbound: Policy: for_userc slot 1: User -: Authentication type: 802.1X Network attributes: Interface : HundredGigE1/0/1 MAC address : 6805-ca05-3efa Service VLAN : 1