Configuration Examples for NE and ME60 Routers in Typical Enterprise Scenarios 2.0

This document provides typical configuration examples for NE series routers.

Example for Configuring Web Authentication (HTTPS Address Input) and Rate Limiting

This section provides an example for configuring web authentication (HTTPS address input) and rate limiting.

Applicable Products and Versions

This configuration example applies to NE40E/ME60 series products running V600R008C10 or later.

Networking Requirements

On the network shown in Figure 1-13, configure web authentication (HTTPS address input) and rate limiting. The configurations include:
  • Configure a user group, an IP address pool, pre-authentication and authentication domains, and a BAS interface.
  • Configure AAA authentication and accounting schemes: Configure a RADIUS server group. Configure none authentication and none accounting schemes for the pre-authentication domain. Configure RADIUS authentication and accounting schemes for the authentication domain.
  • Configure ACLs to implement the functions shown in Figure 1-12.
    • Configure an ACL to allow users to access only a web server address and a DNS server address when they are in the pre-authentication domain and to redirect them to the web server address if they access other web pages.
    • Configure an ACL to redirect DNS response packets for users in the pre-authentication domain to the preceding web server address.
      Figure 1-12  DNS redirection process

  • Configure a QoS profile to limit the traffic rate to 10 Mbit/s and apply the profile to the authentication domain.
Figure 1-13  Configuring web authentication (HTTPS address input) and rate limiting

Table 1-24  Data Preparation

Device    Item                          Data
Router    IP address of a web server    10.1.1.2
Router    IP address of a DNS server    172.16.0.2

Configuration Roadmap

  1. Configure AAA accounting and authentication schemes.

  2. Configure a RADIUS server group.

  3. Configure a domain.

  4. Configure ACLs.

  5. Configure traffic classification and a traffic management policy.

  6. Configure a QoS profile to limit the rates of incoming and outgoing traffic.

Procedure

  1. Configure the Device.

    //Configure AAA authentication schemes.
    #
    aaa
     authentication-scheme none
     authentication-mode none
    #
    aaa
     authentication-scheme radius
     authentication-mode radius
    //Configure AAA accounting schemes.
    #
    aaa
     accounting-scheme none
     accounting-mode none
    #
    aaa
     accounting-scheme radius
     accounting-mode radius
    //Configure a RADIUS server group.
    #
    radius-server group 13
     radius-server authentication 10.9.7.13 1812
     radius-server accounting 10.9.7.13 1813
    //Configure an IP address pool.
    #
    ip pool pool1 bas local
     gateway 172.20.0.1 255.255.255.0
     section 0 172.20.0.2 172.20.0.10 
    //Configure a user group.
    #
    user-group web-before
    //Configure ACLs.
    #
    //Configure an ACL numbered 6000 and create ACL rules to match traffic from the user group web-before to the web server address and DNS server address, so that the traffic can pass through.
    acl number 6000                             
     rule 5 permit ip source user-group web-before destination ip-address 10.1.1.2 0
     rule 10 permit ip source user-group web-before destination ip-address 172.16.0.2 0
    #
    //Configure an ACL numbered 6001 and create ACL rules to match all traffic from the user group web-before, so that the traffic can be denied access to the network.
    acl number 6001                            
     rule 5 permit ip source user-group web-before
    #
    //Configure an ACL numbered 6002 and create an ACL rule to match DNS response packets for the user group web-before, so that the packets can be redirected to the web server address.
    acl number 6002                           
     rule 5 permit udp source-port eq dns destination user-group web-before
    //Configure traffic classifiers.
    #
    traffic classifier c1
     if-match acl 6000
    traffic classifier c2
     if-match acl 6001
    traffic classifier c3
     if-match acl 6002
    //Configure traffic behaviors.
    #
    traffic behavior b1
     permit
    traffic behavior b2
     deny
    traffic behavior b3
     dns-redirect
    //Configure traffic policies.
    #
    traffic policy p1
     classifier c1 behavior b1                   //Allow traffic from the user group web-before to the web server address and DNS server address to pass through.
     classifier c2 behavior b2                  //Deny other traffic of the user group web-before.
    traffic policy dns
     share-mode
     classifier c3 behavior b3 precedence 1    //Redirect DNS response packets to the web server address. 
    //Apply the traffic policies globally.
    #
    traffic-policy p1 inbound
    traffic-policy dns outbound
    //Configure a QoS profile.
    #
    qos-profile 10M
     car cir 10000 inbound
     car cir 10000 outbound
    #
    //Configure a domain named domain1.
    #
    aaa 
     domain domain1 
      authentication-scheme none 
      accounting-scheme none 
      ip-pool pool1 
      user-group web-before 
      dns-redirect web-server 10.1.1.2  
      web-server url http://10.1.1.2:85/portal 
      max-ipuser-reauthtime 0 
    //Configure a domain named isp1.
    #
    aaa
     domain isp1 
      authentication-scheme radius 
      accounting-scheme radius 
      radius-server group 13 
      qos-profile 10M inbound  
      qos-profile 10M outbound
    //Configure a BAS interface.
    #
    interface GigabitEthernet 0/1/2.1
     vlan-type dot1q 1
     ip address 192.168.1.1 255.255.255.0
     bas
     #
      access-type layer3-subscriber default-domain pre-authentication domain1
    //Configure an upstream interface. 
    #
    interface GigabitEthernet 0/1/1
     ip address 172.16.0.1 255.255.255.0
    #

  2. Verify the configuration.

    Run the display access-user domain isp1 command to check information about online users of the specified domain.
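
The pre-authentication restriction built by ACL 6000/6001 and traffic policy p1 can be checked offline before deployment. The following Python script is an added example, not part of the Huawei document: it parses those configuration lines and evaluates a destination for a user group under an assumed first-match model of classifier ordering; `to_int`, `parse` and `decide` are hypothetical helper names.

```python
import ipaddress

# Constructed input: ACL 6000/6001 and traffic policy p1, copied from the procedure above.
CONFIG = """\
acl number 6000
 rule 5 permit ip source user-group web-before destination ip-address 10.1.1.2 0
 rule 10 permit ip source user-group web-before destination ip-address 172.16.0.2 0
acl number 6001
 rule 5 permit ip source user-group web-before
traffic classifier c1
 if-match acl 6000
traffic classifier c2
 if-match acl 6001
traffic behavior b1
 permit
traffic behavior b2
 deny
traffic policy p1
 classifier c1 behavior b1
 classifier c2 behavior b2
"""

def to_int(s):
    """Dotted quad, or a bare integer such as the wildcard 0, as a 32-bit int."""
    return int(ipaddress.IPv4Address(s if "." in s else int(s)))

def parse(text):
    """Return {policy: [(behavior, [(group, addr, wildcard), ...]), ...]} in configured order."""
    acls, cls, beh, pol, kind, name = {}, {}, {}, {}, None, None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] in ("acl", "traffic"):               # section header
            kind, name = w[-2], w[-1]
        elif kind == "number" and w[0] == "rule":    # no destination clause = any destination
            dst = w[w.index("destination") + 2:] if "destination" in w else ["0", "255.255.255.255"]
            acls.setdefault(name, []).append((w[w.index("user-group") + 1], *map(to_int, dst)))
        elif kind == "classifier" and w[0] == "if-match":
            cls[name] = w[-1]
        elif kind == "behavior":
            beh[name] = w[0]
        elif kind == "policy" and w[0] == "classifier":
            pol.setdefault(name, []).append((beh[w[3]], acls[cls[w[1]]]))
    return pol

def decide(policies, policy, group, dst_ip):
    """Behavior of the first classifier whose ACL matches (assumed first-match model)."""
    ip = to_int(dst_ip)
    for action, rules in policies[policy]:
        if any(g == group and ((ip ^ a) & ~w & 0xFFFFFFFF) == 0 for g, a, w in rules):
            return action
    return "unmatched"   # traffic the policy does not classify
```

Calling `decide(parse(CONFIG), "p1", "web-before", "203.0.113.7")` returns `deny`, while the web server and DNS server addresses return `permit`. Widening a rule's wildcard mask or placing classifier c2 before c1 changes these results, which is what a pre-deployment check of the configuration should catch.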

Updated: 2019-05-16

Document ID: EDOC1000120969
