< Home

FAQ About User and User Authentication

This section provides FAQs on user management and authentication.

What Are the Requirements on the Browser for Portal Authentication?

Internet Explorers are recommended. If users and MAC addresses are bound on the FW, the Internet Explorer must be used, and ActiveX must be enabled. Otherwise, user MAC addresses cannot be obtained.

Can the FW Interwork with an External Portal Server?

The FW provides an embedded Portal authentication page through port 8887. Users can proactively access the authentication page (https://interface IP address:8887) or be directed to the page through the HTTP direction function.

In addition, the FW allows you to set the address of an external Portal server as the address of the authentication page. The external Portal server must interwork with the FW to complete authentication. Currently, the Portal servers that can interwork with the FW include Huawei Agile Controller and Policy Center. For details, see CLI: Example for Configuring Agile Controller SSO for Internet Access Users (Users' HTTP Services Are Redirected to the Controller). The commands for specifying a Portal authentication page are as follows:

<sysname> system-view
[sysname] user-manage portal-template test
[sysname-portal-template-test] portal-url http://10.2.0.50:8080/portal

Does the FW Store User Information in Server Authentication?

  • Users on the local device: If the information on a user who has passed server authentication exists on the FW, the FW checks the attributes of the user, including the user status, account expiration time, IP address bound to the user, and whether the account can be used by multiple users for simultaneous login. The user can go online only after the attribute check succeeds. The group to which the user belongs after login is a local group.
  • Users not on the local device: The FW determines whether to allow a user who has passed server authentication to go online based on 16 and the group from which the user goes online.
    • The FW does not allow the user to go online.
    • The FW considers the user as a temporary group and allows the user to go online from a local group and use the permission of the group.

What Is the Relationship Between Network Access User Authentication and VPN Access User Authentication?

  • Network access user authentication and VPN access user authentication share user data. The FW also checks user attributes (such as user status and account expiration time) during VPN access user authentication.
  • The local authentication and server authentication processes are the same. Users are authenticated based on the authentication domain. However, the authentication triggering modes are different.
    • Network access user authentication: determines the data flows to be authenticated based on an authentication policy. The FW implements Portal authentication for the data flows matching the authentication policy.
    • VPN user: The existing mode for triggering VPN access authentication is used. For example, SSL VPN uses the virtual gateway page to authenticate users.

  • To configure user-specific security policies and bandwidth policies for VPN access users, specify access control types using the service-type command, VPN access authentication, and online behavior management. In addition, you need to configure authentication policies for private IP addresses after VPN decapsulation.

    After passing authentication, VPN access users exist in the online user list. User-specific policy control can be implemented only for the users in the online user list.

Parent Topic: User and User Authentication
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic