No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA,NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense;Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, security risks.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).


Deploying AAA for Internet Access Users

Figure 1-18  AAA deployment for Internet access users

As shown in Figure 1-18, an enterprise network connects to the Router through LAN Switch. Users on the enterprise network need to connect to the Internet. To ensure network security, the administrator controls the Internet access rights of the users.

The administrator configures AAA on the Router to allow the Router to communicate with the AAA server. The AAA server then can manage users centrally. After a user enters the user name and password on the client, the Router forwards the authentication information including user name and password to the AAA server, and the AAA server authenticates the user. After being successfully authenticated, the user can access the Internet. The AAA server also records the network resource usage of the user.

Two AAA servers can be deployed in active/standby mode to improve reliability. When the active server fails, the standby one takes over the AAA services, ensuring uninterrupted services.

Deploying AAA for Management Users

As shown in Figure 1-19, the management user (Admin) connects to the Router to manage, configure, and maintain the Router.

After the management user logs in to the Router with AAA configured, the Router sends the user name and password of the user to the AAA server. The AAA server then authenticates the user and records the user operations.

Figure 1-19  AAA deployment for management users

Deploying AAA for VPN Users

AAA is also applicable to VPN users. For example, AAA can provide authentication, authorization, and accounting for PPP dial-up users in an L2TP VPN.

As shown in Figure 1-20, an enterprise has some branches located in other cities, and branches use Ethernet networks. Users in a branch need to establish VPDN connections with the headquarters. L2TP is deployed between the branch and the headquarters. The branch has no dial-up network, and its gateway functions as a PPPoE server to allow PPP dial-up data to be transmitted over the Ethernet. The branch gateway also functions as an L2TP access concentrator (LAC) to establish L2TP tunnels with the headquarters. The gateway at the enterprise headquarters is configured as an L2TP network server (LNS) to establish L2TP connections with the branch.

The LNS needs to manage access users, so LNS must have AAA authentication configured to communicate with the AAA server. When the LNS receives authentication information of dial-up users, the LNS sends the authentication information to the AAA server, and the AAA server centrally manages the users.

Figure 1-20  AAA deployment for VPN users

Updated: 2019-05-25

Document ID: EDOC1000097287

Views: 12899

Downloads: 38

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next