Configuration Examples for NE and ME60 Routers in Typical Enterprise Scenarios 2.0

This document provides typical configuration examples for NE series routers.
Example for Configuring WLAN User Access Based on RADIUS Proxy Authentication

This section provides an example for configuring WLAN user access based on RADIUS proxy authentication.

Applicable Products and Versions

This configuration example applies to NE40E/ME60 series products running V800R010C00 or later.

Networking Requirements

On the network shown in Figure 1-21, when WLAN users access the Internet, EAP packets are used for RADIUS authentication on the AC. The router is then used for RADIUS accounting. The user access process is as follows:
  1. A WLAN user sends an EAP packet to the AC. The AC terminates the EAP packet and sends a RADIUS packet to the router.
  2. The router functions as a RADIUS proxy. The router listens to authentication packets sent from the AC to the RADIUS server and forwards them to the RADIUS server, and listens to authentication response packets sent by the RADIUS server and forwards them to the AC. In the proxy process, the router saves the authorization information delivered by the RADIUS server to the user account.
  3. After authentication succeeds, the user sends a DHCP packet to the router to obtain an IP address. During address allocation, the router uses the user's MAC address to look up the authorization information saved for the user account during the proxy process. If that information exists, the router assigns an idle IP address to the user, authorizes the user with the saved information, and sends an accounting start packet to the RADIUS server to start accounting.
  4. The router directly responds to accounting packets sent by the AC without sending them to the RADIUS server.
Figure 1-21  Networking for configuring WLAN user access based on RADIUS proxy authentication
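The four-step proxy flow above, modelled as an added Python example that is not Huawei's code or the router's implementation. The server-group shared key, packet identifiers, MAC addresses and attribute values are assumed sample values constructed for the example; the point it shows is that the proxy only saves authorization from a server reply whose Response Authenticator verifies under the server key, and only a MAC with saved authorization gets an address at the DHCP stage.

```python
import hashlib, hmac, struct
ACCESS_REQUEST, ACCESS_ACCEPT, FILTER_ID, CALLING_STATION_ID = 1, 2, 11, 31

def build(code, ident, authenticator, attrs):
    # RADIUS header: code, id, length, 16-byte authenticator; then type/length/value attributes
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse(pkt):
    # Validate framing (RFC 2865) before any attribute is trusted
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs

def response_authenticator(code, ident, req_auth, attrs, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(build(code, ident, req_auth, attrs) + secret).digest()
class RadiusProxy:
    def __init__(self, server_secret):
        self.server_secret = server_secret  # key shared with server group shiva (assumed sample value)
        self.pending = {}                   # request id -> (request authenticator, user MAC)
        self.authz = {}                     # user MAC -> attributes saved from Access-Accept
    def from_ac(self, pkt):
        # Step 2: remember the outstanding request and forward it to the server unchanged
        code, ident, auth, attrs = parse(pkt)
        if code != ACCESS_REQUEST:
            return None                     # step 4: AC accounting is answered locally, never proxied
        self.pending[ident] = (auth, dict(attrs)[CALLING_STATION_ID].decode())
        return pkt
    def from_server(self, pkt):
        # Step 2: keep the reply only if its authenticator proves knowledge of the server key
        code, ident, auth, attrs = parse(pkt)
        req_auth, mac = self.pending.pop(ident)
        expected = response_authenticator(code, ident, req_auth, attrs, self.server_secret)
        if not hmac.compare_digest(auth, expected):
            raise ValueError("response authenticator mismatch: reply dropped")
        if code == ACCESS_ACCEPT:
            self.authz[mac] = attrs         # kept under the user's MAC for the DHCP stage
        return pkt
    def on_dhcp(self, mac, free_ips):
        # Step 3: only a MAC with saved authorization is given an address plus its attributes
        return (free_ips.pop(0), self.authz[mac]) if mac in self.authz else None
```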

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a RADIUS server group, an authentication scheme, an accounting scheme, and an address pool.
  2. Bind the RADIUS server group, authentication scheme, accounting scheme, and address pool to the domain.
  3. Configure the RADIUS proxy function.
  4. Configure BAS access on an interface.
  5. Configure an IP address for AC access on an interface.
NOTE:

By default, the router can listen to RADIUS packets through ports 1812, 1813, 1645, 1646, and 3799. To use another port to listen to RADIUS packets, run the radius-server extended-source-ports port-number port-number command in the system view to specify a listening port.

Data Preparation

To complete the configuration, you need the following data:
  • IP address of the RADIUS authentication server
  • IP address of the RADIUS accounting server
  • Interface IP address for the AC to send RADIUS packets

Procedure

  1. Configure a RADIUS server group, an authentication scheme, an accounting scheme, and an address pool.

    # Configure a RADIUS server group named shiva.

    <HUAWEI> system-view
    [~HUAWEI] radius-server group shiva
    [*HUAWEI-radius-shiva] radius-server authentication 10.1.123.151 1812
    [*HUAWEI-radius-shiva] radius-server accounting 10.1.123.151 1813
    [*HUAWEI-radius-shiva] commit
    [~HUAWEI-radius-shiva] quit

    # Configure a local IP address pool named a.

    [~HUAWEI] ip pool a bas local
    [*HUAWEI-ip-pool-a] gateway 172.30.0.1 24
    [*HUAWEI-ip-pool-a] section 0 172.30.0.2 172.30.0.254
    [*HUAWEI-ip-pool-a] commit
    [~HUAWEI-ip-pool-a] quit
    

    # Configure an authentication scheme named rdp, with RADIUS proxy authentication specified.

    [~HUAWEI] aaa
    [*HUAWEI-aaa] authentication-scheme rdp
    [*HUAWEI-aaa-authen-rdp] authentication-mode radius-proxy
    [*HUAWEI-aaa-authen-rdp] commit
    [~HUAWEI-aaa-authen-rdp] quit
    

    # Configure an accounting scheme named rds, with RADIUS accounting specified.

    [~HUAWEI-aaa] accounting-scheme rds
    [*HUAWEI-aaa-accounting-rds] accounting-mode radius
    [*HUAWEI-aaa-accounting-rds] commit
    [~HUAWEI-aaa-accounting-rds] quit
    

  2. Configure a domain named radiusproxy, and bind the authentication scheme rdp, accounting scheme rds, and RADIUS server group shiva to the domain.

    [~HUAWEI-aaa] domain radiusproxy
    [*HUAWEI-aaa-domain-radiusproxy] authentication-scheme rdp
    [*HUAWEI-aaa-domain-radiusproxy] accounting-scheme rds
    [*HUAWEI-aaa-domain-radiusproxy] radius-server group shiva
    [*HUAWEI-aaa-domain-radiusproxy] ip-pool a
    [*HUAWEI-aaa-domain-radiusproxy] commit
    [~HUAWEI-aaa-domain-radiusproxy] quit
    [~HUAWEI-aaa] quit
    

  3. Configure RADIUS proxy.

    [~HUAWEI] radius-client 10.1.0.201 server-group shiva shared-key-cipher !QAZ2wsx
    [*HUAWEI] commit
    NOTE:

    The IP address configured after radius-client is the interface IP address for the AC to send RADIUS packets. In this example, the RADIUS server group bound to the domain is the same as that for RADIUS proxy. In practice, the RADIUS server group bound to a domain may be different from that for RADIUS proxy.

  4. Configure an IP address for AC access.

    [~HUAWEI] interface GigabitEthernet 0/1/2
    [*HUAWEI-GigabitEthernet0/1/2] ip address 10.1.0.197 8
    [*HUAWEI-GigabitEthernet0/1/2] commit
    [~HUAWEI-GigabitEthernet0/1/2] quit
    
    NOTE:

    This IP address is used for AC access: the AC must send its RADIUS authentication packets to this address. If the router already has another IP address that the AC can reach, this address does not need to be configured.

  5. Configure BAS access on an interface.

    [~HUAWEI] license
    [*HUAWEI-license] active bas slot 1
    [*HUAWEI-license] commit
    [~HUAWEI-license] quit
    [~HUAWEI] interface GigabitEthernet 0/1/1
    [*HUAWEI-GigabitEthernet0/1/1] bas
    [*HUAWEI-GigabitEthernet0/1/1-bas] access-type layer2-subscriber default-domain authentication radiusproxy
    [*HUAWEI-GigabitEthernet0/1/1-bas] authentication-method bind
    [*HUAWEI-GigabitEthernet0/1/1-bas] commit
    [~HUAWEI-GigabitEthernet0/1/1-bas] quit
    [~HUAWEI-GigabitEthernet0/1/1] quit
    NOTE:

    The BAS access configuration on an interface in RADIUS proxy scenarios is the same as that in IPoE access scenarios. RADIUS proxy applies only to IPoE users and not PPPoE users.

  6. Verify the configuration.

    Run the display radius-server configuration group shiva command on the router to check RADIUS server group configurations.

    [~HUAWEI] display radius-server configuration group shiva
      -------------------------------------------------------
      Server-group-name    :  shiva
      Authentication-server:  IP:10.1.123.151 Port:1812 Weight[0] [UP]
                              Vpn: -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Authentication-server:  -
      Accounting-server    :  IP:10.1.123.151 Port:1813 Weight[0] [UP]
                              Vpn: -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Accounting-server    :  -
      Protocol-version     :  radius
      Shared-secret-key    :  ******
      Retransmission       :  3
      Timeout-interval(s)  :  5
      Acct-Stop-Packet Resend  :  NO
      Acct-Stop-Packet Resend-Times  :  0
      Traffic-unit         :  B
      ClassAsCar           :  NO
      User-name-format     :  Domain-included
      Option82 parse mode  :  -
      Attribute-translation:  NO
      Packet send algorithm:  Master-Backup
      Tunnel password      :  cipher 
    

    Run the display domain command on the router to check domain configurations.

    [~HUAWEI] display domain radiusproxy
      ------------------------------------------------------------------------------
      Domain-name                     : radiusproxy
      Domain-state                    : Active
      Authentication-scheme-name      : rdp
      Accounting-scheme-name          : rds
      Authorization-scheme-name       : -
      Primary-DNS-IP-address          : -
      Second-DNS-IP-address           : -
      Primary-DNS-IPV6-address        : -
      Second-DNS-IPV6-address         : -
      Web-server-URL-parameter        : No
      Portal-server-URL-parameter     : No
      Primary-NBNS-IP-address         : -
      Second-NBNS-IP-address          : -
      Time-range                      : Disable
      Idle-cut direction              : Both
      Idle-data-attribute (time,flow) : 0, 60
      User detect interval            : 0s
      User detect retransmit times    : 0
      Install-BOD-Count               : 0
      Report-VSM-User-Count           : 0
      Value-added-service             : default
      User-access-limit               : 283648
      Online-number                   : 0
      Web-IP-address                  : -
      Web-URL                         : -
      Web-auth-server                 : -
      Web-auth-state                  : -
      Web-server-mode                 : get
      Slave Web-IP-address            : -
      Slave Web-URL                   : -
      Slave Web-auth-server           : -
      Slave Web-auth-state            : -
      Portal-server-IP                : -
      Portal-URL                      : -
      Portal-force-times              : 2
      Service-policy(Portal)          : -
      PPPoE-user-URL                  : Disable
      AdminUser-priority              : 16
      IPUser-ReAuth-Time              : 300s
      mscg-name-portal-key            : -
      Portal-user-first-url-key       : -
      User-session-limit              : 4294967295
      Ancp auto qos adapt             : Disable
      L2TP-group-name                 : -
      User-lease-time-no-response     : 0s
      RADIUS-server-template          : shiva
      Two-acct-template               : -
      RADIUS-server-pre-template      : -
                                        -
                                        -
      HWTACACS-server-template        : -
      Bill Flow                       : Disable
      Tunnel-acct-2867                : Disable
      Qos-profile-name inbound        : -
      Qos-profile-name outbound       : -
    
      Flow Statistic:
      Flow-Statistic-Up               : Yes
      Flow-Statistic-Down             : Yes
      Source-IP-route                 : Disable
      IP-warning-threshold            : -
      IP-warning-threshold(Low)       : -
      IPv6-warning-threshold          : -
      IPv6-warning-threshold(Low)     : -
      Multicast Forwarding            : Yes
      Multicast Virtual               : No
      Max-multilist num               : 4
      Multicast-profile               : -
      Multicast-profile ipv6          : -
      IP-address-pool-name            : a
      Quota-out                       : Offline
      Service-type                    : -
      User-basic-service-ip-type      : -/-/-
      PPP-ipv6-address-protocol       : Ndra
      IPv6-information-protocol       : Stateless dhcpv6
      IPv6-PPP-assign-interfaceid     : Disable
      IPv6-PPP-NDRA-halt              : Disable
      IPv6-PPP-NDRA-unicast           : Disable
      Trigger-packet-wait-delay       : 60s
      Peer-backup                     : Enable
      Reallocate-ip-address           : Disable
      Cui  enable                     : Disable
      Igmp enable                     : Enable
      L2tp-user radius-force          : Disable
      Accounting dual-stack           : Separate
      Radius server domain-annex      : -
      Dhcp-option64-service           : Disable
      Parse-separator                 : -
      Parse-segment-value             : -
      Dhcp-receive-server-packet      : -
      Http-hostcar                    : Disable
      Public-address assign-first     : Disable
      Public-address nat              : Enable
      Dhcp-user auto-save             : Disable
      IP-pool usage-status threshold  : 255 , 255
      Select-Pool-Rule                : gateway + local priority
      AFTR name                       : -
      Traffic-rate-mode               : Separate
      Traffic-statistic-mode          : Separate
      Rate-limit-mode-inbound         : Car
      Rate-limit-mode-outbound        : Car
      Service-change-mode             : Stop-start
      DAA Direction                   : both
      ------------------------------------------------------------------------------
    

    Run the display radius-client configuration command on the router to check RADIUS proxy configurations.

    [~HUAWEI] display radius-client configuration
      -----------------------------------------------------------------------------
      IP-Address      VPN-instance         Shared-key         Group
      Domain-authorization   Roam-domain
      -----------------------------------------------------------------------------
      10.1.0.201       --                   ******            shiva
      NO                     --
    
      -----------------------------------------------------------------------------
      1 Radius client(s) in total   
    

Configuration Files

#
sysname HUAWEI
#
license
 active bas slot 5
#
radius-server group shiva
 radius-server authentication 10.1.123.151 1812 weight 0
 radius-server accounting 10.1.123.151 1813 weight 0
#
radius-client 10.1.0.201 server-group shiva shared-key-cipher <encrypted-key-as-stored-by-the-router>
#
aaa
 authentication-scheme rdp
  authentication-mode radius-proxy
 #
 accounting-scheme rds
  accounting-mode radius
 #
 domain radiusproxy
  authentication-scheme rdp
  accounting-scheme rds
  radius-server group shiva
  ip-pool a
#
interface GigabitEthernet 0/1/2
 undo shutdown
 ip address 10.1.0.197 255.0.0.0
#
interface GigabitEthernet 0/1/1
 undo shutdown
 bas
 #
  access-type layer2-subscriber default-domain authentication radiusproxy
  authentication-method bind
 #
#
ip pool a bas local
 gateway 172.30.0.1 255.255.255.0
 section 0 172.30.0.2 172.30.0.254
#
return
Updated: 2019-05-16

Document ID: EDOC1000120969
