Configuration Examples for NE and ME60 Routers in Typical Enterprise Scenarios 2.0

This document provides typical configuration examples for NE series routers.
Example for Configuring Layer 2 IPoE Access (Web Authentication)

This section provides an example for configuring Layer 2 IPoE access (web authentication).

Applicable Products and Versions

This configuration example applies to ME60 series products running V800R010C00 or later.

Networking Requirements

In web authentication mode, users must enter user names and passwords on a portal page before accessing the Internet.

Figure 1-17  Networking for configuring Layer 2 IPoE access (web authentication)

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create a pre-authentication domain named pre-web and an authentication domain named after-auth.

  2. Configure AAA schemes.

  3. Create a RADIUS server group.

  4. Configure forcible redirection to a specified web server in the pre-authentication domain pre-web, and bind a user group that can access only limited resources, authentication scheme (non-authentication), and accounting scheme (non-accounting) to the domain.

  5. Bind an authentication scheme (RADIUS authentication) and accounting scheme (RADIUS accounting) to the authentication domain after-auth.

  6. Configure a pre-authentication domain and authentication domain on a BAS interface.

Procedure

  1. Create a pre-authentication domain and an authentication domain.

    # Create a pre-authentication domain named pre-web and an authentication domain named after-auth.

    <HUAWEI> system-view
    [~HUAWEI] aaa
    [*HUAWEI-aaa] domain pre-web
    [*HUAWEI-aaa-domain-pre-web] commit
    [~HUAWEI-aaa-domain-pre-web] quit
    [*HUAWEI-aaa] domain after-auth
    [*HUAWEI-aaa-domain-after-auth] commit
    [~HUAWEI-aaa-domain-after-auth] quit
    [~HUAWEI] quit

  2. Configure AAA schemes and a RADIUS server group.

    # Configure a RADIUS server group named rd2.

    [~HUAWEI] radius-server group rd2
    [*HUAWEI-radius-rd2] radius-server authentication 192.168.8.249 1812
    [*HUAWEI-radius-rd2] radius-server accounting 192.168.8.249 1813
    [*HUAWEI-radius-rd2] radius-server type standard
    [*HUAWEI-radius-rd2] radius-server shared-key-cipher Root@1234
    [*HUAWEI-radius-rd2] commit
    [~HUAWEI-radius-rd2] quit

    # Configure an authentication scheme named auth2, with RADIUS authentication specified.

    [~HUAWEI] aaa
    [*HUAWEI-aaa] authentication-scheme auth2
    [*HUAWEI-aaa-authen-auth2] authentication-mode radius
    [*HUAWEI-aaa-authen-auth2] commit
    [~HUAWEI-aaa-authen-auth2] quit

    # Configure an accounting scheme named acct2, with RADIUS accounting specified.

    [*HUAWEI-aaa] accounting-scheme acct2
    [*HUAWEI-aaa-accounting-acct2] accounting-mode radius
    [*HUAWEI-aaa-accounting-acct2] commit
    [~HUAWEI-aaa-accounting-acct2] quit
    [~HUAWEI-aaa] quit

    # Configure an authentication scheme named auth3, with none authentication specified.

    [~HUAWEI] aaa
    [*HUAWEI-aaa] authentication-scheme auth3
    [*HUAWEI-aaa-authen-auth3] authentication-mode none
    [*HUAWEI-aaa-authen-auth3] commit
    [~HUAWEI-aaa-authen-auth3] quit

    # Configure an accounting scheme named acct3, with none accounting specified.

    [*HUAWEI-aaa] accounting-scheme acct3
    [*HUAWEI-aaa-accounting-acct3] accounting-mode none
    [*HUAWEI-aaa-accounting-acct3] commit
    [~HUAWEI-aaa-accounting-acct3] quit
    [~HUAWEI-aaa] quit

  3. Configure an address pool.

    [~HUAWEI] ip pool pool2 bas local
    [*HUAWEI-ip-pool-pool2] gateway 172.16.1.1 255.255.255.0
    [*HUAWEI-ip-pool-pool2] section 0 172.16.1.2 172.16.1.200
    [*HUAWEI-ip-pool-pool2] dns-server 192.168.8.252
    [*HUAWEI-ip-pool-pool2] commit
    [~HUAWEI-ip-pool-pool2] quit

  4. Configure forcible redirection to a specified web server in the pre-authentication domain pre-web, and bind to the domain a user group that can access only limited resources.
    1. Enable HTTP redirection in the pre-authentication domain and bind the authentication scheme (none authentication) and accounting scheme (none accounting) to the domain.

      [~HUAWEI] user-group web-before
      [*HUAWEI] aaa
      [*HUAWEI-aaa] http-redirect enable
      [*HUAWEI-aaa] domain pre-web
      [*HUAWEI-aaa-domain-pre-web] authentication-scheme auth3
      [*HUAWEI-aaa-domain-pre-web] accounting-scheme acct3
      [*HUAWEI-aaa-domain-pre-web] ip-pool pool2
      [*HUAWEI-aaa-domain-pre-web] user-group web-before
      [*HUAWEI-aaa-domain-pre-web] web-server 192.168.8.251
      [*HUAWEI-aaa-domain-pre-web] web-server url http://192.168.8.251

    2. Configure a web authentication server.

      [*HUAWEI] web-auth-server 192.168.8.251 key webvlan

    3. Configure ACL rules.

      # Configure an ACL numbered 6004 and create ACL rules to match all traffic from the user group web-before, so that the traffic can be denied access to the network.

      [~HUAWEI] acl number 6004
      [*HUAWEI-acl-ucl-6004] rule 3 permit ip source user-group web-before destination user-group web-before
      [*HUAWEI-acl-ucl-6004] rule 5 permit ip source user-group web-before destination ip-address any
      [*HUAWEI-acl-ucl-6004] commit
      [~HUAWEI-acl-ucl-6004] quit

      # Configure an ACL numbered 6005 and create ACL rules to match traffic between the user group web-before and the web authentication server, the DNS server, and the loopback address (127.0.0.1), so that this traffic can pass through.

      [~HUAWEI] acl number 6005
      [*HUAWEI-acl-ucl-6005] rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
      [*HUAWEI-acl-ucl-6005] rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
      [*HUAWEI-acl-ucl-6005] rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
      [*HUAWEI-acl-ucl-6005] rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
      [*HUAWEI-acl-ucl-6005] rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
      [*HUAWEI-acl-ucl-6005] rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
      [*HUAWEI-acl-ucl-6005] commit
      [~HUAWEI-acl-ucl-6005] quit

      # Configure an ACL numbered 6006 and create an ACL rule to match all traffic destined for the user group web-before, so that the traffic can be denied access to the network.

      [~HUAWEI] acl number 6006
      [*HUAWEI-acl-ucl-6006] rule 5 permit ip destination user-group web-before
      [*HUAWEI-acl-ucl-6006] commit
      [~HUAWEI-acl-ucl-6006] quit

      # Configure an ACL numbered 6008 and create ACL rules to match TCP packets from the user group web-before and with a destination port of www or 8080, so that the packets can be redirected to an authentication web page.

      [~HUAWEI] acl number 6008
      [*HUAWEI-acl-ucl-6008] rule 5 permit tcp source user-group web-before destination-port eq www
      [*HUAWEI-acl-ucl-6008] rule 10 permit tcp source user-group web-before destination-port eq 8080
      [*HUAWEI-acl-ucl-6008] commit
      [~HUAWEI-acl-ucl-6008] quit

    4. Configure traffic policies.

      # Configure traffic classifiers.

      [~HUAWEI] traffic classifier web-out
      [*HUAWEI-classifier-web-out] if-match acl 6006
      [*HUAWEI-classifier-web-out] commit
      [~HUAWEI-classifier-web-out] quit
      [~HUAWEI] traffic classifier web-be-permit
      [*HUAWEI-classifier-web-be-permit] if-match acl 6005
      [*HUAWEI-classifier-web-be-permit] commit
      [~HUAWEI-classifier-web-be-permit] quit
      [~HUAWEI] traffic classifier web-be-deny
      [*HUAWEI-classifier-web-be-deny] if-match acl 6004
      [*HUAWEI-classifier-web-be-deny] commit
      [~HUAWEI-classifier-web-be-deny] quit
      [~HUAWEI] traffic classifier redirect
      [*HUAWEI-classifier-redirect] if-match acl 6008
      [*HUAWEI-classifier-redirect] commit
      [~HUAWEI-classifier-redirect] quit

      # Configure traffic behaviors.

      [~HUAWEI] traffic behavior web-out
      [*HUAWEI-behavior-web-out] deny
      [*HUAWEI-behavior-web-out] commit
      [~HUAWEI-behavior-web-out] quit
      [~HUAWEI] traffic behavior perm1
      [*HUAWEI-behavior-perm1] permit
      [*HUAWEI-behavior-perm1] commit
      [~HUAWEI-behavior-perm1] quit
      [~HUAWEI] traffic behavior deny1
      [*HUAWEI-behavior-deny1] deny
      [*HUAWEI-behavior-deny1] commit
      [~HUAWEI-behavior-deny1] quit
      [~HUAWEI] traffic behavior redirect
      [*HUAWEI-behavior-redirect] http-redirect plus
      [*HUAWEI-behavior-redirect] commit
      [~HUAWEI-behavior-redirect] quit

      # Configure traffic policies.

      [~HUAWEI] traffic policy web-out
      [*HUAWEI-policy-web-out] share-mode
      [*HUAWEI-policy-web-out] classifier web-be-permit behavior perm1
      [*HUAWEI-policy-web-out] classifier web-out behavior web-out
      [*HUAWEI-policy-web-out] commit
      [~HUAWEI-policy-web-out] quit
      [~HUAWEI] traffic policy web
      [*HUAWEI-policy-web] share-mode
      [*HUAWEI-policy-web] classifier web-be-permit behavior perm1
      [*HUAWEI-policy-web] classifier redirect behavior redirect
      [*HUAWEI-policy-web] classifier web-be-deny behavior deny1
      [*HUAWEI-policy-web] commit
      [~HUAWEI-policy-web] quit

      # Apply the traffic policy globally.

      [*HUAWEI] traffic-policy web inbound
      [*HUAWEI] traffic-policy web-out outbound

  5. Configure the authentication domain after-auth.

    [*HUAWEI] aaa
    [*HUAWEI-aaa] domain after-auth
    [*HUAWEI-aaa-domain-after-auth] authentication-scheme auth2
    [*HUAWEI-aaa-domain-after-auth] accounting-scheme acct2
    [*HUAWEI-aaa-domain-after-auth] radius-server group rd2
    [*HUAWEI-aaa-domain-after-auth] commit
    [~HUAWEI-aaa-domain-after-auth] quit
    [~HUAWEI-aaa] quit

  6. Configure a pre-authentication domain, authentication domain, and authentication method on a BAS interface.

    [~HUAWEI] license
    [*HUAWEI-license] active bas slot 1
    [*HUAWEI-license] commit
    [~HUAWEI-license] quit
    [~HUAWEI] interface GigabitEthernet0/1/0
    [*HUAWEI-GigabitEthernet0/1/0] bas
    [*HUAWEI-GigabitEthernet0/1/0-bas] access-type layer2-subscriber default-domain pre-authentication pre-web authentication after-auth
    [*HUAWEI-GigabitEthernet0/1/0-bas] authentication-method web
    [*HUAWEI-GigabitEthernet0/1/0-bas] commit
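As an added check that is not part of the Huawei document, the following Python model evaluates the four UCL ACLs and the two traffic policies configured above against constructed sample flows. It assumes that classifier/behavior pairs in a traffic policy are evaluated in the order they were bound and that the first match decides the flow, and it approximates membership in user-group web-before by "address leased from pool2". It shows why web-be-permit must precede redirect in policy web: HTTP to the portal itself is permitted, not redirected again.

```python
from ipaddress import ip_address, ip_network

# Addresses from the example. The /24 stands in for pool2 (172.16.1.2-172.16.1.200):
# this model assumes every address leased from it belongs to user-group
# web-before until the user passes web authentication.
WEB_SERVER, DNS_SERVER, LOOPBACK = "192.168.8.251", "192.168.8.252", "127.0.0.1"
PRE_AUTH_POOL = ip_network("172.16.1.0/24")
INFRA = {WEB_SERVER, DNS_SERVER, LOOPBACK}

def in_web_before(ip):
    """True if the address belongs to a not-yet-authenticated user."""
    return ip_address(ip) in PRE_AUTH_POOL

# UCL ACLs 6004/6005/6006/6008 as predicates over a flow dict with keys
# src, dst, proto and dport. "permit ip" rules ignore protocol and port.
def acl_6005(f):  # web-before <-> portal, DNS server and loopback
    return (in_web_before(f["src"]) and f["dst"] in INFRA) or \
           (f["src"] in INFRA and in_web_before(f["dst"]))

def acl_6008(f):  # TCP from web-before to port www (80) or 8080
    return f["proto"] == "tcp" and in_web_before(f["src"]) and f["dport"] in (80, 8080)

def acl_6004(f):  # anything else sourced from web-before (rules 3 and 5)
    return in_web_before(f["src"])

def acl_6006(f):  # anything destined to web-before
    return in_web_before(f["dst"])

# Policy "web" (inbound) and "web-out" (outbound): classifier/behavior pairs in
# the order they were bound; the first matching classifier decides the flow.
POLICY_WEB = [(acl_6005, "permit"), (acl_6008, "http-redirect"), (acl_6004, "deny")]
POLICY_WEB_OUT = [(acl_6005, "permit"), (acl_6006, "deny")]

def decide(policy, flow):
    """Return the behavior applied to flow, or 'forward' if no classifier matches."""
    for matches, behavior in policy:
        if matches(flow):
            return behavior
    return "forward"

def flow(src, dst, proto="tcp", dport=0):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

if __name__ == "__main__":
    # Constructed sample flows from a pre-authentication user at 172.16.1.10.
    print(decide(POLICY_WEB, flow("172.16.1.10", DNS_SERVER, "udp", 53)))        # permit
    print(decide(POLICY_WEB, flow("172.16.1.10", WEB_SERVER, dport=80)))         # permit
    print(decide(POLICY_WEB, flow("172.16.1.10", "203.0.113.5", dport=80)))      # http-redirect
    print(decide(POLICY_WEB, flow("172.16.1.10", "203.0.113.5", dport=443)))     # deny
    print(decide(POLICY_WEB_OUT, flow("203.0.113.5", "172.16.1.10", dport=80)))  # deny
```

Swapping the first two entries of POLICY_WEB in the model reproduces the redirect loop that the documented classifier order avoids.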

Configuration Files

#
 sysname HUAWEI
#
 license
  active bas slot 1
 #
 user-group web-before
 #
 radius-server group rd2
  radius-server authentication 192.168.8.249 1812 weight 0
  radius-server accounting 192.168.8.249 1813 weight 0 
  radius-server shared-key-cipher Root@1234
 #
 acl number 6004
  rule 3 permit ip source user-group web-before destination user-group web-before
  rule 5 permit ip source user-group web-before destination ip-address any
 #
 acl number 6005
  rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
  rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
  rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
  rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
  rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
  rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
 #
 acl number 6006
  rule 5 permit ip destination user-group web-before
 #
 acl number 6008
  rule 5 permit tcp source user-group web-before destination-port eq www
  rule 10 permit tcp source user-group web-before destination-port eq 8080
 #
 traffic classifier web-out operator or
  if-match acl 6006
 traffic classifier web-be-permit operator or
  if-match acl 6005
 traffic classifier web-be-deny operator or
  if-match acl 6004
 traffic classifier redirect operator or
  if-match acl 6008
 #
 traffic behavior web-out
  deny
 traffic behavior perm1
 traffic behavior deny1
  deny
 traffic behavior redirect
  http-redirect
 #
 traffic policy web-out
  share-mode
  classifier web-be-permit behavior perm1
  classifier web-out behavior web-out
 traffic policy web
  share-mode
  classifier web-be-permit behavior perm1
  classifier redirect behavior redirect
  classifier web-be-deny behavior deny1
 #
 ip pool pool2 bas local
  gateway 172.16.1.1 255.255.255.0
  section 0 172.16.1.2 172.16.1.200
  dns-server 192.168.8.252
 #
 aaa
  http-redirect enable
  authentication-scheme auth2
  authentication-scheme auth3
   authentication-mode none
  #
  accounting-scheme acct2
  accounting-scheme acct3
   accounting-mode none
  #
  domain pre-web
   authentication-scheme auth3
   accounting-scheme acct3
   ip-pool pool2
   user-group web-before
   web-server 192.168.8.251
   web-server url http://192.168.8.251
   web-server url-parameter
  domain after-auth
   authentication-scheme auth2
   accounting-scheme acct2
   radius-server group rd2
 #
 interface GigabitEthernet0/1/0
  bas
  #
   access-type layer2-subscriber default-domain pre-authentication pre-web authentication after-auth
   authentication-method web
 #
  traffic-policy web inbound
  traffic-policy web-out outbound
Updated: 2019-05-16

Document ID: EDOC1000120969
