
Configuring an Authentication Policy

This section describes how to configure authentication policies to specify the data flows requiring authentication.

Context

An authentication policy is an ordered set of authentication rules. The FW matches a packet against the rules from top to bottom. If the attributes of the packet satisfy all the conditions of a rule, that rule is matched and the FW does not evaluate any further rules. If no rule is matched, the FW applies the default authentication policy to the packet.

The FW has a built-in default authentication policy with all matching conditions set to any and the action set to none. Run the default action command to change the action of the default authentication policy.

Procedure

  1. Access the authentication policy view.

    auth-policy

  2. In the authentication policy view, create an authentication policy rule and access the authentication policy rule view.

    rule name rule-name

    You can run the rule rename old-name new-name command to rename an authentication policy rule.

  3. Optional: Configure the description of the authentication policy rule.

    description description

    Write a description that makes the purpose of the authentication policy rule clear to whoever reads the configuration later.

  4. Optional: Configure a label for the policy.

    add tag tag-name

    Once labels are attached to policies, you can query policies by label and then delete, move, enable, or disable the matching policies in batches. For the label description and configuration, see Tag.

  5. Configure matching conditions in the authentication policy.

    Matching conditions of an authentication rule are logically ANDed. A packet matches an authentication rule only after the packet attributes match all matching conditions. Items of a matching condition are logically ORed. A packet attribute matches a matching condition if the packet attribute matches any item of the matching condition.

    You must configure authentication rules in order from the most specific to the least specific.

    The following table lists each matching condition (function) and the command that configures it.

    Function: Configure a source security zone.
    Command: source-zone { zone-name &<1-6> | any }

    Function: Configure a destination security zone.
    Command: destination-zone { zone-name &<1-6> | any }

    Function: Configure a source address.
    Command:
    • source-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] | ipv6-address ipv6-prefix-length [ description description ] | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } [ description description ] | geo-location geo-location-name &<1-6> | geo-location-set geo-location-set-name &<1-6> | mac-address &<1-6> | domain-set domain-set-name &<1-6> | any }
    • source-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } } [ description description ]

    Function: Configure a destination address.
    Command:
    • destination-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] | ipv6-address ipv6-prefix-length [ description description ] | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } [ description description ] | geo-location geo-location-name &<1-6> | geo-location-set geo-location-set-name &<1-6> | mac-address &<1-6> | domain-set domain-set-name &<1-6> | any }
    • destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } } [ description description ]

    Function: Configure a service (by referencing a service or service group).

    Function: Configure a service (by referencing a TCP/UDP/SCTP port or IP-layer protocol).
    Command:
    • service protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *
    • service protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]
    • service protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]
    • service protocol protocol-number
    • service-exclude protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *
    • service-exclude protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]
    • service-exclude protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]
    • service-exclude protocol protocol-number

    Matching on a MAC address configured in the policy relies on either the across-Layer-3 MAC identification function or the ARP entries learned by the firewall:
    • If the FW works at Layer 2 and directly connects to an intranet or to a Layer-2 switch, MAC addresses can serve as matching conditions directly.
    • If the FW works at Layer 3 and directly connects to an intranet or to a Layer-2 switch, MAC addresses can serve as matching conditions through ARP learning.
    • If the FW connects to an intranet through a Layer-3 network device, configure across-Layer-3 MAC identification on the FW before using MAC addresses as matching conditions. For the description of across-Layer-3 MAC identification, see Across-Layer-3 MAC Identification.

  6. Configure an action in the authentication policy rule.

    action { auth [ portal-template template-name ] | exempt-auth | none | anonymous-auth }
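The matching semantics of steps 5 and 6 (conditions ANDed, items within a condition ORed, exclude lists honoured, top-to-bottom first match, and the default policy with action none as the fallback) as a small Python model. This is an added illustration, not Huawei code; the policy, zone names and addresses are constructed, and a service is simplified to a (protocol, destination port) pair.

```python
from ipaddress import ip_address, ip_network

ANY = "any"
DEFAULT_ACTION = "none"   # default policy: all conditions any, action none

def item_hit(item, value):
    """One item of a condition checked against one packet attribute."""
    if hasattr(item, "prefixlen"):            # ip_network: subnet membership
        return value in item
    if isinstance(item, tuple):               # service: (proto, dport or None)
        return item[0] == value[0] and item[1] in (None, value[1])
    return item == value                      # zone name

def cond_hit(items, value, exclude=()):
    """Items of one condition are ORed; anything in the exclude list never matches."""
    if any(item_hit(x, value) for x in exclude):
        return False
    return items == ANY or any(item_hit(x, value) for x in items)

def rule_hit(rule, pkt):
    """All conditions of one rule are ANDed; a missing condition means any."""
    return (cond_hit(rule.get("source-zone", ANY), pkt["src_zone"])
            and cond_hit(rule.get("destination-zone", ANY), pkt["dst_zone"])
            and cond_hit(rule.get("source-address", ANY), pkt["src"],
                         rule.get("source-address-exclude", ()))
            and cond_hit(rule.get("destination-address", ANY), pkt["dst"],
                         rule.get("destination-address-exclude", ()))
            and cond_hit(rule.get("service", ANY), pkt["service"],
                         rule.get("service-exclude", ())))

def evaluate(policy, pkt):
    """Top-to-bottom first match; falls back to the default policy."""
    for rule in policy:
        if rule_hit(rule, pkt):
            return rule["name"], rule["action"]
    return "default", DEFAULT_ACTION

def packet(src_zone, dst_zone, src, dst, service):
    return {"src_zone": src_zone, "dst_zone": dst_zone,
            "src": ip_address(src), "dst": ip_address(dst), "service": service}

# Constructed policy, ordered most specific first: a server subnet is exempt
# from portal authentication except one host, everything else from trust to
# untrust on HTTP/HTTPS must authenticate.
POLICY = [
    {"name": "exempt_servers", "source-zone": {"trust"},
     "source-address": [ip_network("10.1.1.0/24")],
     "source-address-exclude": [ip_network("10.1.1.100/32")],
     "action": "exempt-auth"},
    {"name": "auth_intranet", "source-zone": {"trust"},
     "destination-zone": {"untrust"},
     "service": [("tcp", 80), ("tcp", 443)], "action": "auth"},
]
```

Reversing POLICY shows why rule order matters: the broader auth_intranet rule would then capture the server traffic before the exempt rule is reached.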

Follow-up Procedure

After configuring authentication policy rules, you can perform the following operations to modify the configuration if needed:

  • Run the rule move rule-name1 { { after | before } rule-name2 | up | down | top | bottom } command in the authentication policy rule view to move authentication policy rules.
  • Run the rule copy rule-name new-rule-name command in the authentication policy rule view to clone authentication policy rules.
  • Run the enable or disable command in the authentication policy rule view to enable or disable an authentication policy rule.
Copyright © Huawei Technologies Co., Ltd.