Configuration Examples for NE and ME60 Routers in Typical Enterprise Scenarios 2.0

This document provides typical configuration examples for NE series routers.
Example for Configuring Layer 2 IPoE Access (Web+MAC Authentication)

This section provides an example for configuring Layer 2 IPoE access (web+MAC authentication).

Applicable Products and Versions

This configuration example applies to NE40E/ME60 series products running V800R010C00 or later.

Networking Requirements

Web+MAC authentication is the most common authentication mode for Layer 2 IPoE access. In this mode, a user must enter a user name and password on a portal page when accessing the Internet for the first time. The RADIUS server automatically records the terminal's MAC address and associates it with the user name, so that when the user accesses the Internet again within a certain period, no user name or password needs to be entered.

The authentication process is shown in Figure 1-18. By default, a user is placed in the MAC authentication domain. On the user's first access, the RADIUS server has no record of the terminal's MAC address, so MAC authentication fails; the user is forcibly switched to the web authentication domain, where only the web authentication page is reachable. The user enters the user name and password on that page. After this authentication succeeds, the user is moved to the authentication domain after-auth and can access the Internet normally. On subsequent accesses, the MAC address is found on the RADIUS server, MAC authentication succeeds, and the user is placed directly in the after-auth domain. Commonly used third-party servers are Srun Server and City Hots.

Figure 1-18  Flow diagram for configuring Layer 2 IPoE access (web+MAC authentication)

Figure 1-19  Networking for configuring Layer 2 IPoE access (web+MAC authentication)

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create a MAC authentication domain named mac-auth, a web authentication domain named web-auth, and an authentication domain named after-auth.

  2. Configure AAA schemes.

  3. Create a RADIUS server group named d, configure the hw-auth-type attribute for authentication request packets in the RADIUS server group, and configure attribute translation to translate the hw-auth-type attribute into Huawei proprietary attribute No. 109.

  4. Create an authentication scheme named mac-auth, and configure the user to be redirected to the web authentication domain web-auth when authentication fails in the authentication scheme.

  5. Enable MAC authentication in the MAC authentication domain mac-auth, and bind the RADIUS server group d and authentication scheme mac-auth to the domain.

  6. Configure forcible redirection to a specified web server in the web authentication domain web-auth, and bind a user group that can access only limited resources, authentication scheme (non-authentication), and accounting scheme (non-accounting) to the domain.

  7. Bind an authentication scheme (RADIUS authentication) and accounting scheme (RADIUS accounting) to the authentication domain after-auth.

  8. Run the default-user-name include mac-address command in the AAA view to directly use the MAC address carried in a user connection request packet as the user name.

  9. Configure a MAC authentication domain (mac-auth) and authentication domain (after-auth) on a BAS interface.

Procedure

  1. Create a MAC authentication domain, a web authentication domain, and an authentication domain.

    # Create a MAC authentication domain named mac-auth, a web authentication domain named web-auth, and an authentication domain named after-auth.

    <HUAWEI> system-view
    [*HUAWEI] aaa
    [*HUAWEI-aaa] domain mac-auth
    [*HUAWEI-aaa-domain-mac-auth] quit
    [*HUAWEI-aaa] domain web-auth
    [*HUAWEI-aaa-domain-web-auth] quit
    [*HUAWEI-aaa] domain after-auth
    [*HUAWEI-aaa-domain-after-auth] commit
    [~HUAWEI-aaa-domain-after-auth] quit
    [~HUAWEI-aaa] quit

  2. Configure AAA schemes and a RADIUS server group.

    # Create a RADIUS server group named d, configure the hw-auth-type attribute for authentication request packets in the RADIUS server group, and configure attribute translation to translate the hw-auth-type attribute into Huawei proprietary attribute No. 109.

    [~HUAWEI] radius-server group d
    [*HUAWEI-radius-d] radius-server authentication 192.168.7.249 1812
    [*HUAWEI-radius-d] radius-server accounting 192.168.7.249 1813
    [*HUAWEI-radius-d] radius-server type standard
    [*HUAWEI-radius-d] radius-server shared-key-cipher Root@1234
    [*HUAWEI-radius-d] radius-attribute include hw-auth-type
    [*HUAWEI-radius-d] radius-server attribute translate
    [*HUAWEI-radius-d] radius-attribute translate extend hw-auth-type vendor-specific 2011 109 access-request account
    [*HUAWEI-radius-d] commit
    [~HUAWEI-radius-d] quit

    # Configure a RADIUS server group named rd2.

    [*HUAWEI] radius-server group rd2
    [*HUAWEI-radius-rd2] radius-server authentication 192.168.8.249 1812
    [*HUAWEI-radius-rd2] radius-server accounting 192.168.8.249 1813
    [*HUAWEI-radius-rd2] radius-server type standard
    [*HUAWEI-radius-rd2] radius-server shared-key-cipher Root@1234
    [*HUAWEI-radius-rd2] commit
    [~HUAWEI-radius-rd2] quit

    # Create an authentication scheme named mac-auth, and configure the user to be redirected to the web authentication domain web-auth when authentication fails in the authentication scheme.

    [~HUAWEI] aaa
    [*HUAWEI-aaa] authentication-scheme mac-auth
    [*HUAWEI-aaa-authen-mac-auth] authening authen-fail online authen-domain web-auth
    [*HUAWEI-aaa-authen-mac-auth] commit
    [~HUAWEI-aaa-authen-mac-auth] quit

    # Configure an authentication scheme named auth2, with RADIUS authentication specified.

    [~HUAWEI] aaa
    [*HUAWEI-aaa] authentication-scheme auth2
    [*HUAWEI-aaa-authen-auth2] authentication-mode radius
    [*HUAWEI-aaa-authen-auth2] commit
    [~HUAWEI-aaa-authen-auth2] quit

    # Configure an accounting scheme named acct2, with RADIUS accounting specified.

    [*HUAWEI-aaa] accounting-scheme acct2
    [*HUAWEI-aaa-accounting-acct2] accounting-mode radius
    [*HUAWEI-aaa-accounting-acct2] commit
    [~HUAWEI-aaa-accounting-acct2] quit
    [~HUAWEI-aaa] quit

    # Configure an authentication scheme named auth3, with non-authentication specified.

    [~HUAWEI] aaa
    [*HUAWEI-aaa] authentication-scheme auth3
    [*HUAWEI-aaa-authen-auth3] authentication-mode none
    [*HUAWEI-aaa-authen-auth3] commit
    [~HUAWEI-aaa-authen-auth3] quit

    # Configure an accounting scheme named acct3, with non-accounting specified.

    [*HUAWEI-aaa] accounting-scheme acct3
    [*HUAWEI-aaa-accounting-acct3] accounting-mode none
    [*HUAWEI-aaa-accounting-acct3] commit
    [~HUAWEI-aaa-accounting-acct3] quit
    [~HUAWEI-aaa] quit

  3. Configure an address pool.

    [*HUAWEI] ip pool pool2 bas local
    [*HUAWEI-ip-pool-pool2] gateway 172.16.1.1 255.255.255.0
    [*HUAWEI-ip-pool-pool2] section 0 172.16.1.2 172.16.1.200
    [*HUAWEI-ip-pool-pool2] dns-server 192.168.8.252
    [*HUAWEI-ip-pool-pool2] commit
    [~HUAWEI-ip-pool-pool2] quit

  4. Enable MAC authentication in the MAC authentication domain mac-auth, and bind the RADIUS server group d and authentication scheme mac-auth to the domain.

    [~HUAWEI] aaa
    [~HUAWEI-aaa] domain mac-auth
    [*HUAWEI-aaa-domain-mac-auth] radius-server group d
    [*HUAWEI-aaa-domain-mac-auth] authentication-scheme mac-auth
    [*HUAWEI-aaa-domain-mac-auth] accounting-scheme acct2
    [*HUAWEI-aaa-domain-mac-auth] ip-pool pool2
    [*HUAWEI-aaa-domain-mac-auth] mac-authentication enable
    [*HUAWEI-aaa-domain-mac-auth] commit
    [~HUAWEI-aaa-domain-mac-auth] quit

  5. Configure forcible redirection to a specified web server in the web authentication domain web-auth, and bind a user group that can access only limited resources, authentication scheme (non-authentication), and accounting scheme (non-accounting) to the domain.

    [*HUAWEI] user-group web-before
    [*HUAWEI] aaa
    [*HUAWEI-aaa] http-redirect enable
    [*HUAWEI-aaa] domain web-auth
    [*HUAWEI-aaa-domain-web-auth] authentication-scheme auth3
    [*HUAWEI-aaa-domain-web-auth] accounting-scheme acct3
    [*HUAWEI-aaa-domain-web-auth] ip-pool pool2
    [*HUAWEI-aaa-domain-web-auth] user-group web-before
    [*HUAWEI-aaa-domain-web-auth] web-server 192.168.8.251
    [*HUAWEI-aaa-domain-web-auth] web-server url http://192.168.8.251
    [*HUAWEI-aaa-domain-web-auth] commit
    [~HUAWEI-aaa-domain-web-auth] quit
    [~HUAWEI-aaa] quit

    # Configure a web authentication server.

    [*HUAWEI] web-auth-server 192.168.8.251 key webvlan

    # Configure web fast reply.

    [*HUAWEI] slot 1
    [*HUAWEI-slot-1] http-reply enable
    [*HUAWEI-slot-1] commit
    [~HUAWEI-slot-1] quit

    # Configure ACL rules.

    [~HUAWEI] acl number 6004
    [*HUAWEI-acl-ucl-6004] rule 3 permit ip source user-group web-before destination user-group web-before
    [*HUAWEI-acl-ucl-6004] rule 5 permit ip source user-group web-before destination ip-address any
    [~HUAWEI-acl-ucl-6004] quit
    [~HUAWEI] acl number 6005
    [*HUAWEI-acl-ucl-6005] rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
    [*HUAWEI-acl-ucl-6005] rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
    [*HUAWEI-acl-ucl-6005] rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
    [*HUAWEI-acl-ucl-6005] rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
    [*HUAWEI-acl-ucl-6005] rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
    [*HUAWEI-acl-ucl-6005] rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
    [~HUAWEI-acl-ucl-6005] quit
    [~HUAWEI] acl number 6006
    [*HUAWEI-acl-ucl-6006] rule 5 permit ip destination user-group web-before
    [~HUAWEI-acl-ucl-6006] quit
    [~HUAWEI] acl number 6008
    [*HUAWEI-acl-ucl-6008] rule 5 permit tcp source user-group web-before destination-port eq www
    [*HUAWEI-acl-ucl-6008] rule 10 permit tcp source user-group web-before destination-port eq 8080
    [~HUAWEI-acl-ucl-6008] quit
    [~HUAWEI] acl number 6010
    [*HUAWEI-acl-ucl-6010] commit
    [~HUAWEI-acl-ucl-6010] quit

    # Configure a traffic policy.

    [*HUAWEI] traffic classifier web-out
    [*HUAWEI-classifier-web-out] if-match acl 6006
    [~HUAWEI-classifier-web-out] quit
    [*HUAWEI] traffic classifier web-be-permit
    [*HUAWEI-classifier-web-be-permit] if-match acl 6005
    [~HUAWEI-classifier-web-be-permit] quit
    [*HUAWEI] traffic classifier http-before
    [*HUAWEI-classifier-http-before] if-match acl 6010
    [~HUAWEI-classifier-http-before] quit
    [*HUAWEI] traffic classifier web-be-deny
    [*HUAWEI-classifier-web-be-deny] if-match acl 6004
    [~HUAWEI-classifier-web-be-deny] quit
    [*HUAWEI] traffic classifier redirect
    [*HUAWEI-classifier-redirect] if-match acl 6008
    [~HUAWEI-classifier-redirect] quit
    [*HUAWEI] traffic behavior http-discard
    [*HUAWEI-behavior-http-discard] car cir 0 cbs 0 green pass red discard
    [~HUAWEI-behavior-http-discard] quit
    [*HUAWEI] traffic behavior web-out
    [*HUAWEI-behavior-web-out] deny
    [~HUAWEI-behavior-web-out] quit
    [*HUAWEI] traffic behavior perm1
    [*HUAWEI-behavior-perm1] permit
    [~HUAWEI-behavior-perm1] quit
    [*HUAWEI] traffic behavior deny1
    [*HUAWEI-behavior-deny1] deny
    [~HUAWEI-behavior-deny1] quit
    [*HUAWEI] traffic behavior redirect
    [*HUAWEI-behavior-redirect] http-redirect plus
    [~HUAWEI-behavior-redirect] quit
    [*HUAWEI] traffic policy web-out
    [*HUAWEI-policy-web-out] share-mode
    [*HUAWEI-policy-web-out] classifier web-be-permit behavior perm1
    [*HUAWEI-policy-web-out] classifier web-out behavior web-out
    [~HUAWEI-policy-web-out] quit
    [*HUAWEI] traffic policy web
    [*HUAWEI-policy-web] share-mode
    [*HUAWEI-policy-web] classifier web-be-permit behavior perm1
    [*HUAWEI-policy-web] classifier http-before behavior http-discard
    [*HUAWEI-policy-web] classifier redirect behavior redirect
    [*HUAWEI-policy-web] classifier web-be-deny behavior deny1
    [*HUAWEI-policy-web] commit
    [~HUAWEI-policy-web] quit

    # Apply the traffic policy globally.

    [*HUAWEI] traffic-policy web inbound
    [*HUAWEI] traffic-policy web-out outbound
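The ACLs and the two traffic policies above are what keep a user in domain web-auth inside a walled garden until the portal login succeeds. The following is an added example, not Huawei's code: a plain-Python model of policy web (inbound) and web-out (outbound) built from ACLs 6004/6005/6006/6008/6010 exactly as listed on this page, so the intended behaviour can be checked offline. It assumes that classifier/behavior pairs are evaluated in configured order with the first match deciding, that unmatched traffic is forwarded normally, and that ACL 6010 (no rules on the page) never matches; the user-group membership and sample flows are constructed.

```python
"""Model of the pre-authentication traffic policies 'web' and 'web-out'."""

PORTAL, DNS, LOOPBACK = "192.168.8.251", "192.168.8.252", "127.0.0.1"
WALLED_GARDEN = {PORTAL, DNS, LOOPBACK}   # the only destinations ACL 6005 permits

# Constructed: hosts currently in user-group web-before (bound to domain web-auth).
WEB_BEFORE = {"172.16.1.10", "172.16.1.11"}


def acl_6004(src, dst, proto, dport):    # rule 3: group -> group; rule 5: group -> any
    return src in WEB_BEFORE


def acl_6005(src, dst, proto, dport):    # rules 5-30: group <-> portal, DNS, loopback
    return (src in WEB_BEFORE and dst in WALLED_GARDEN) or \
           (src in WALLED_GARDEN and dst in WEB_BEFORE)


def acl_6006(src, dst, proto, dport):    # rule 5: anything -> group
    return dst in WEB_BEFORE


def acl_6008(src, dst, proto, dport):    # rules 5/10: group -> tcp/www or tcp/8080
    return src in WEB_BEFORE and proto == "tcp" and dport in (80, 8080)


def acl_6010(src, dst, proto, dport):    # no rules configured on the page
    return False


# (classifier ACL, behavior) in the order each policy lists them.
POLICY_WEB = [(acl_6005, "permit"),          # web-be-permit -> perm1
              (acl_6010, "discard"),         # http-before   -> http-discard (car cir 0)
              (acl_6008, "http-redirect"),   # redirect      -> redirect
              (acl_6004, "deny")]            # web-be-deny   -> deny1
POLICY_WEB_OUT = [(acl_6005, "permit"),      # web-be-permit -> perm1
                  (acl_6006, "deny")]        # web-out       -> web-out


def apply_policy(policy, src, dst, proto="tcp", dport=0):
    """Behavior of the first matching classifier; 'forward' when nothing matches."""
    for acl, behavior in policy:
        if acl(src, dst, proto, dport):
            return behavior
    return "forward"   # assumption: unmatched traffic is forwarded normally


def inbound(src, dst, proto="tcp", dport=0):
    return apply_policy(POLICY_WEB, src, dst, proto, dport)


def outbound(src, dst, proto="tcp", dport=0):
    return apply_policy(POLICY_WEB_OUT, src, dst, proto, dport)
```

Running the model over a few constructed flows shows the intended result: a web-before user reaches only the portal and the configured DNS server, plain HTTP elsewhere is redirected, everything else (including traffic to other pre-authentication users) is dropped, and users outside the group are untouched.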

  6. Configure the authentication domain after-auth.

    [*HUAWEI] aaa
    [*HUAWEI-aaa] domain after-auth
    [*HUAWEI-aaa-domain-after-auth] authentication-scheme auth2
    [*HUAWEI-aaa-domain-after-auth] accounting-scheme acct2
    [*HUAWEI-aaa-domain-after-auth] radius-server group rd2
    [*HUAWEI-aaa-domain-after-auth] commit
    [~HUAWEI-aaa-domain-after-auth] quit
    [~HUAWEI-aaa] quit

  7. Run the default-user-name include mac-address command in the AAA view to directly use the MAC address carried in a user connection request packet as the user name.

    [~HUAWEI] aaa
    [~HUAWEI-aaa] default-user-name include mac-address -
    [*HUAWEI-aaa] default-password simple Root@123
    [*HUAWEI-aaa] commit
    [~HUAWEI-aaa] quit

  8. Configure a MAC authentication domain, authentication domain, and authentication method on a BAS interface.

    [~HUAWEI] license
    [*HUAWEI-license] active bas slot 1
    [*HUAWEI-license] commit
    [~HUAWEI-license] quit
    [~HUAWEI] interface GigabitEthernet0/1/0
    [~HUAWEI-GigabitEthernet0/1/0] bas
    [*HUAWEI-GigabitEthernet0/1/0-bas] access-type layer2-subscriber default-domain pre-authentication mac-auth authentication after-auth
    [*HUAWEI-GigabitEthernet0/1/0-bas] authentication-method web
    [*HUAWEI-GigabitEthernet0/1/0-bas] commit
    [~HUAWEI-GigabitEthernet0/1/0-bas] quit
    [~HUAWEI-GigabitEthernet0/1/0] quit

  9. Verify the configuration.

    • A user logs in to the PC and obtains an IP address.

    • Run the display access-user domain web-auth command on the router to check information about online users.

    • The user enters another website in the address bar and is automatically redirected to the address of the web server.

    • The user enters the user name and password, and accesses the Internet after the authentication succeeds.

Configuration Files

#
 sysname HUAWEI
#
license
 active bas slot 1
#
user-group web-before
#
slot 1
 http-reply enable
#
radius-server group rd2
 radius-server authentication 192.168.8.249 1812 weight 0
 radius-server accounting 192.168.8.249 1813 weight 0 
 radius-server shared-key-cipher Root@1234
#
radius-server group d
 radius-server authentication 192.168.7.249 1812 weight 0
 radius-server accounting 192.168.7.249 1813 weight 0 
 radius-server shared-key-cipher Root@1234
 radius-server attribute translate
 radius-attribute include HW-Auth-Type
 radius-attribute translate extend HW-Auth-Type vendor-specific 2011 109 access-request account
#
acl number 6004
 rule 3 permit ip source user-group web-before destination user-group web-before
 rule 5 permit ip source user-group web-before destination ip-address any
#
acl number 6005
 rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
 rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
 rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
 rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
 rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
 rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
#
acl number 6006
 rule 5 permit ip destination user-group web-before
#
acl number 6008
 rule 5 permit tcp source user-group web-before destination-port eq www
 rule 10 permit tcp source user-group web-before destination-port eq 8080
#
acl number 6010
#
traffic classifier web-out operator or
 if-match acl 6006
traffic classifier web-be-permit operator or
 if-match acl 6005
traffic classifier http-before operator or
 if-match acl 6010
traffic classifier web-be-deny operator or
 if-match acl 6004
traffic classifier redirect operator or
 if-match acl 6008
#
traffic behavior http-discard
 car cir 0 cbs 0 green pass red discard
traffic behavior web-out
 deny
traffic behavior perm1
traffic behavior deny1
 deny
traffic behavior redirect
 http-redirect
#
traffic policy web-out
 share-mode
 classifier web-be-permit behavior perm1
 classifier web-out behavior web-out
traffic policy web
 share-mode
 classifier web-be-permit behavior perm1
 classifier http-before behavior http-discard
 classifier redirect behavior redirect    
 classifier web-be-deny behavior deny1
#
ip pool pool2 bas local
 gateway 172.16.1.1 255.255.255.0
 section 0 172.16.1.2 172.16.1.200
 dns-server 192.168.8.252
#
aaa
 http-redirect enable
 default-user-name include mac-address -
 authentication-scheme auth2
 authentication-scheme auth3
  authentication-mode none
 authentication-scheme mac-auth
  authening authen-fail online authen-domain web-auth
#
 accounting-scheme acct2
 accounting-scheme acct3
  accounting-mode none
 #
 domain mac-auth
  authentication-scheme mac-auth
  accounting-scheme acct2
  ip-pool pool2
  mac-authentication enable
  radius-server group d
 domain web-auth
  authentication-scheme auth3
  accounting-scheme acct3
  ip-pool pool2
  user-group web-before
  web-server 192.168.8.251
  web-server url http://192.168.8.251
  web-server url-parameter
 domain after-auth
  authentication-scheme auth2
  accounting-scheme acct2
  radius-server group rd2
#
interface GigabitEthernet0/1/0
 bas
 #
  access-type layer2-subscriber default-domain pre-authentication mac-auth authentication after-auth
  authentication-method web
#
 traffic-policy web inbound
 traffic-policy web-out outbound

Updated: 2019-05-16

Document ID: EDOC1000120969

Views: 25942

Downloads: 872

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next