CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Example for Configuring Accounting for the Specified Network

Networking Requirements

As shown in Figure 2-3, an 802.1x user on the campus network can access resources on Network 1 (192.168.100.0/24) and Network 2 (10.102.64.0/24) through the Router. Resources on Network 1 are free and resources on Network 2 are not free. Users are charged based on traffic when they access resources on Network 2.

The DAA function needs to be configured on the Router so that the user is not charged when accessing Network 1 and is charged based on traffic when accessing Network 2.

Figure 2-3  Networking diagram of configuring accounting for the specified network

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create VLANs and add interfaces to VLANs to ensure network communication.
  2. Create and configure a RADIUS server template, an AAA scheme and a domain, and bind the RADIUS server template and AAA scheme to the domain, so that the device can exchange information with the RADIUS server.
  3. Configure 802.1x authentication so that the user can access networks in 802.1x authentication mode.
  4. Configure DAA to perform destination-based accounting.
    1. Configure the traffic identification rules for the two network segments so that the device can classify traffic going to different destination addresses.
    2. Configure different tariff levels for traffic destined for different network segments. The tariff level of traffic going to Network 1 is 1 and the tariff level of traffic going to Network 2 is 2.
    3. Configure accounting policies for tariff levels:
      • For tariff level 1, traffic statistics collection is enabled but accounting is not performed.
      • For tariff level 2, traffic statistics collection is enabled and accounting is performed.
NOTE:

Ensure that the RADIUS server IP address, port number, and shared key in the RADIUS server template are configured correctly and are the same as those on the RADIUS server.

Ensure that reachable routes exist between the Router and RADIUS server, and between the user and two network segments.

Procedure

  1. Create a VLAN and add interfaces to the VLAN to ensure network communication.

    # Create VLAN 11 on the Router.

    <Huawei> system-view
    [Huawei] vlan batch 11

    # Add Ethernet2/0/0, which is connected to the user, to VLAN 11.

    [Huawei] interface ethernet 2/0/0
    [Huawei-Ethernet2/0/0] port link-type access
    [Huawei-Ethernet2/0/0] port default vlan 11
    [Huawei-Ethernet2/0/0] quit

    # Create VLANIF 11 and set its IP address to 192.168.10.1/24.

    [Huawei] interface vlanif 11
    [Huawei-Vlanif11] ip address 192.168.10.1 24
    [Huawei-Vlanif11] quit

  2. Configure AAA.

    # Configure a RADIUS server template shiva. The IP address and port number of the RADIUS authentication server are 10.7.66.66 and 1812; the IP address and port number of the RADIUS accounting server are 10.7.66.66 and 1813. The shared key is Huawei@123.

    [Huawei] radius-server template shiva
    [Huawei-radius-shiva] radius-server authentication 10.7.66.66 1812
    [Huawei-radius-shiva] radius-server accounting 10.7.66.66 1813
    [Huawei-radius-shiva] radius-server shared-key cipher Huawei@123
    [Huawei-radius-shiva] quit

    # Configure the authentication scheme auth and set the authentication method to RADIUS authentication.

    [Huawei] aaa
    [Huawei-aaa] authentication-scheme auth
    [Huawei-aaa-authen-auth] authentication-mode radius
    [Huawei-aaa-authen-auth] quit

    # Configure the accounting scheme abc and set the accounting method to RADIUS accounting.

    [Huawei-aaa] accounting-scheme abc
    [Huawei-aaa-accounting-abc] accounting-mode radius
    [Huawei-aaa-accounting-abc] quit

    # Configure an AAA domain huawei, and apply the authentication scheme auth, accounting scheme abc, and RADIUS server template shiva to the domain.

    [Huawei-aaa] domain huawei
    [Huawei-aaa-domain-huawei] authentication-scheme auth
    [Huawei-aaa-domain-huawei] accounting-scheme abc
    [Huawei-aaa-domain-huawei] radius-server shiva
    [Huawei-aaa-domain-huawei] quit
    [Huawei-aaa] quit

  3. Configure 802.1x.

    # Enable 802.1x authentication globally and on an interface.

    [Huawei] dot1x enable
    [Huawei] interface ethernet 2/0/0
    [Huawei-Ethernet2/0/0] dot1x enable

    # Configure MAC address bypass authentication.

    [Huawei-Ethernet2/0/0] dot1x mac-bypass

    # Set the maximum number of concurrent access users for 802.1x authentication on an interface to 200.

    [Huawei-Ethernet2/0/0] dot1x max-user 200
    [Huawei-Ethernet2/0/0] quit

    # Set the maximum number of times that an authentication request packet is sent to the user to 3.

    [Huawei] dot1x retry 3

  4. Configure DAA.

    # Configure ACL 3000 and ACL 3001, which are used as traffic identification rules.

    [Huawei] acl 3000
    [Huawei-acl-adv-3000] rule 1 permit ip destination 192.168.100.0 0.0.0.255
    [Huawei-acl-adv-3000] quit
    [Huawei] acl 3001
    [Huawei-acl-adv-3001] rule 1 permit ip destination 10.102.64.0 0.0.0.255
    [Huawei-acl-adv-3001] quit

    # Configure the tariff levels. The tariff level of traffic destined for 192.168.100.0/24 is 1 and the tariff level of traffic destined for 10.102.64.0/24 is 2.

    [Huawei] traffic-group huawei
    [Huawei-traffic-group-huawei] acl 3000 tariff-level 1
    [Huawei-traffic-group-huawei] acl 3001 tariff-level 2
    [Huawei-traffic-group-huawei] quit
    [Huawei] traffic-group huawei enable

    # Configure traffic-based accounting.

    [Huawei] qos-profile huawei
    [Huawei-qos-profile-huawei] statistics enable
    [Huawei-qos-profile-huawei] quit
    [Huawei] aaa
    [Huawei-aaa] domain huawei
    [Huawei-aaa-domain-huawei] tariff-level 1 qos-profile huawei
    [Huawei-aaa-domain-huawei] tariff-level 2 qos-profile huawei accounting-on 
    [Huawei-aaa-domain-huawei] quit
    [Huawei-aaa] quit

  5. Verify the configuration.

    # Run the display traffic-group name group-name command to check information about the traffic group huawei.

    [Huawei] display traffic-group name huawei
      ----------------------------------------------------------------------------
      Acl-id                Tariff-level                             
      ----------------------------------------------------------------------------
      3000                      1                          
      3001                      2                     
      ----------------------------------------------------------------------------
      Total: 2  

    # Run the display dot1x command to check the 802.1x configuration.

    [Huawei] display dot1x interface ethernet 2/0/0
     Ethernet2/0/0 status: UP  802.1x protocol is Enabled[mac-bypass] 
      Port control type is Auto                                                     
      Authentication method is MAC-based                                            
      Authentication method is CHAP 
      Reauthentication is disabled                                                  
      Maximum users: 200                                                            
      Current users: 0                                                              
      Guest VLAN is disabled                                                        
      Restrict VLAN is disabled     
                                                                                    
      Authentication Success: 0          Failure: 0                                 
      EAPOL Packets: TX     : 0          RX     : 0                                 
      Sent      EAPOL Request/Identity Packets  : 0                                 
                EAPOL Request/Challenge Packets : 0                                 
                Multicast Trigger Packets       : 0                                 
                EAPOL Success Packets           : 0                                 
                EAPOL Failure Packets           : 0                                 
      Received  EAPOL Start Packets             : 0                                 
                EAPOL Logoff Packets            : 0                                 
                EAPOL Response/Identity Packets : 0                                 
                EAPOL Response/Challenge Packets: 0    
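The following added example (not Huawei code and not from this document) models the DAA decision chain configured in steps 4 and 5: the ACL 3000/3001 wildcard-mask rules classify traffic by destination, traffic-group huawei maps each ACL to a tariff level, and the domain policy decides per tariff level whether bytes are only counted (level 1) or counted and billed (level 2). It runs over constructed flow records; the ascending-ACL-number match order and the handling of traffic that matches no rule are assumptions, not device behaviour documented here.

```python
import ipaddress
from collections import defaultdict

# Huawei advanced ACLs use wildcard masks: a 0 bit must match, a 1 bit is "don't care".
# Writing 255.255.255.0 instead of 0.0.0.255 would invert the match and misclassify traffic.
def acl_matches(dst_ip, rule_addr, wildcard):
    ip = int(ipaddress.IPv4Address(dst_ip))
    addr = int(ipaddress.IPv4Address(rule_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip & care) == (addr & care)

# Traffic identification rules from the page: ACL number -> (address, wildcard)
ACL_RULES = {
    3000: ("192.168.100.0", "0.0.0.255"),  # Network 1, free
    3001: ("10.102.64.0", "0.0.0.255"),    # Network 2, charged
}
# traffic-group huawei: ACL -> tariff level
TRAFFIC_GROUP = {3000: 1, 3001: 2}
# domain huawei: tariff level -> (statistics enabled, accounting-on)
TARIFF_POLICY = {
    1: {"statistics": True, "accounting": False},
    2: {"statistics": True, "accounting": True},
}

def tariff_level(dst_ip):
    """Return the tariff level of a destination, or None if no ACL matches.
    Assumption: ACLs are tried in ascending number order, first match wins."""
    for acl, (addr, wildcard) in sorted(ACL_RULES.items()):
        if acl_matches(dst_ip, addr, wildcard):
            return TRAFFIC_GROUP[acl]
    return None

def account(flows):
    """flows: (dst_ip, byte_count) pairs. Returns (counted bytes per tariff level,
    billable bytes, bytes that matched no traffic identification rule)."""
    counted, billable, unclassified = defaultdict(int), 0, 0
    for dst, nbytes in flows:
        level = tariff_level(dst)
        if level is None:
            unclassified += nbytes  # assumption: reported separately, not billed here
            continue
        if TARIFF_POLICY[level]["statistics"]:
            counted[level] += nbytes
        if TARIFF_POLICY[level]["accounting"]:
            billable += nbytes
    return dict(counted), billable, unclassified

# Constructed sample flows (not from the page)
SAMPLE_FLOWS = [("192.168.100.25", 5000), ("10.102.64.7", 3000),
                ("10.102.64.200", 1500), ("10.102.65.1", 800), ("8.8.8.8", 200)]
```

Calling account(SAMPLE_FLOWS) counts 5000 bytes at tariff level 1 and 4500 at level 2, bills only the 4500, and reports 1000 bytes that matched neither ACL.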

Configuration Files

Configuration file of the Router

#
vlan batch 11
#
dot1x enable 
dot1x retry 3
# 
radius-server template shiva
 radius-server shared-key cipher %^%#BS'$!w:u7H.lu:/&W9A5=pUt%^%#
 radius-server authentication 10.7.66.66 1812 weight 80
 radius-server accounting 10.7.66.66 1813 weight 80
#
acl number 3000
 rule 1 permit ip destination 192.168.100.0 0.0.0.255
acl number 3001
 rule 1 permit ip destination 10.102.64.0 0.0.0.255
#
qos-profile huawei 
  statistics enable 
# 
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme abc
  accounting-mode radius
 domain huawei
  authentication-scheme auth
  accounting-scheme abc
  radius-server shiva
  tariff-level 1 qos-profile huawei
  tariff-level 2 qos-profile huawei accounting-on
  statistic enable
#
interface vlanif11
 ip address 192.168.10.1 255.255.255.0
#
interface Ethernet2/0/0
 port link-type access
 port default vlan 11
 dot1x mac-bypass                                                               
 dot1x max-user 200                                                             
#
traffic-group huawei
  acl 3000 tariff-level 1
  acl 3001 tariff-level 2
traffic-group huawei enable
#
return
Updated: 2019-05-25

Document ID: EDOC1000097287