Configuration Examples for NE and ME60 Routers in Typical Enterprise Scenarios 2.0

This document provides typical configuration examples for NE series routers.
Example for Configuring Integrated Wired and Wireless Access of Campus Users in BRAS Scenarios

This section provides an example of configuring IPoE and PPPoE access and MAC address authentication to implement integrated wired and wireless access of campus users in BRAS scenarios.

Applicable Products and Versions

The following table lists the applicable products and software versions of this solution.

Table 1-25  Applicable Products and Versions

Product Name | Software Version
S5700        | V200R011C10 or later
S7703        | V200R011C10 or later
S12708       | V200R011C10 or later
ME60         | V800R008C10 or later
USG6680      | V500R001C30 or later

Networking Requirements

NOTE:

The ME60 in this example functions as an authentication gateway to authenticate user access on a large campus network (over 20,000 users).

In Figure 1-27, the campus network requires integrated authentication of wired and wireless users in dormitories and teachers' offices. The networking requirements are as follows:

  • Access: Both wired and wireless networks are deployed, allowing users to choose their preferred access method.
  • Authentication: Both wired and wireless users need to be authenticated. PPPoE authentication, IPoE authentication, and MAC address authentication are performed for wired users, wireless users, and dumb terminals, respectively.
  • Extranet access: Private IP addresses are used on the campus intranet. Therefore, Network Address Translation (NAT) must be performed to allow user access to external networks ISP1 and ISP2 (such as the Internet and education networks). Extranet users can also access server resources on the intranet.
  • Network access rights: Teachers and students have different accounts and network access rights, as shown in Table 1-26.
  • Differentiated rate limiting: Students, teachers, commercial users, and dumb terminals access the campus intranet at different bandwidths. For example, the bandwidths for students, teachers, China Unicom subscribers, and dumb terminals may be 10 Mbit/s, 20 Mbit/s, 50 Mbit/s, and 20 Mbit/s, respectively. Destination Address Accounting (DAA) is used to implement bandwidth control for different users and destination addresses.
  • Differentiated accounting: Students and teachers are not charged for accessing the campus intranet, but are charged for accessing external carrier networks ISP1 and ISP2. DAA implements differentiated accounting for access to the campus intranet and external networks.
  • Security: Traffic entering and leaving the campus network needs to be identified and filtered to ensure network security.
Figure 1-27  Networking diagram for configuring integrated wired and wireless access of campus users in BRAS scenarios

Table 1-26  Planning authentication modes, network access rights, and bandwidth control for different user accounts

Account | Internet Access Mode | Authentication Mode | Network Access Right | Bandwidth Control | Remarks
Student account | Wired | PPPoE | Access the campus intranet. | 10 Mbit/s | -
Student account | Wireless | IPoE | Access the campus intranet. | 10 Mbit/s | -
Teacher account | Wired | PPPoE | Access the campus intranet and access ISP1 and ISP2 through the private line egress. | Campus intranet: 20 Mbit/s; campus extranet: 50 Mbit/s | -
Teacher account | Wireless | IPoE | Access the campus intranet and access ISP1 and ISP2 through the private line egress. | Campus intranet: 20 Mbit/s; campus extranet: 50 Mbit/s | -
Carrier account | Wired | PPPoE | Access the campus intranet and access ISP1 and ISP2 through a VPN. | Campus intranet: 10 Mbit/s for students and 20 Mbit/s for teachers; campus extranet: 50 Mbit/s | Bound to a teacher or student account
Service account | Wireless | IPoE | Access the campus intranet and access ISP1 and ISP2 through a VPN. | Campus intranet: 10 Mbit/s for students and 20 Mbit/s for teachers; campus extranet: 50 Mbit/s | Bound to a teacher or student account
Dumb terminal | Wired | MAC | Access the campus intranet. | 20 Mbit/s | Dumb terminals include printers and fax machines.

Configuration Roadmap

  • Users are connected to an S5700 or an AP with user VLANs configured. Upstream packets are aggregated to an S7703 which adds outer VLAN tags to the packets. QinQ implements user isolation.
  • All aggregation switches are connected to the core switch S12708 with built-in native ACs (no additional hardware AC is required, reducing network device investment). The native AC function is configured on the S12708 to manage APs on the entire network and implement wireless network access.
  • The S12708 transparently transmits QinQ packets to the ME60, and the ME60 terminates them.
  • As an authentication gateway, the ME60 provides a variety of authentication modes for wired and wireless users, including IPoE, PPPoE, and MAC address authentication. In addition, DAA can be configured on the ME60 to implement differentiated rate limiting and accounting for different users and destination addresses.
  • The egress firewall USG6680 functions as the outbound interface to the external networks, isolating them from the internal network. It implements inter-network service routes and NAT.
    • To improve link resource utilization and user experience, intelligent uplink selection is enabled on the firewall to dynamically select outbound interfaces based on the egress link bandwidth.
    • To allow users with private IP addresses to access the Internet, NAT is configured on the egress firewall.
    • Security policies are configured on the egress firewall to filter users' Internet access packets, block unauthorized websites, and monitor and track user network packets.

NOTE:

The following describes how to configure the ME60. For configuration details of other devices, see their product documentation.

Initial Configuration

Log in to a device for the first time.

For details, see "Logging In to a Device for the First Time" in "Common Features."

Configure device names.

Configure a specific name for each device to facilitate device identification after user login. For example, name a device "ME60".

#
sysname ME60
#
Assign IP addresses to devices' interfaces.
  • Overall planning

    IP addresses are planned for devices' interfaces as follows:

    Table 1-27  Interface IP address planning

    Device    | Interface  | Interface IP address
    ME60      | 10GE 1/0/1 | 172.16.11.6/30
    ME60      | 10GE 1/0/2 | 172.16.11.10/30
    ME60      | 10GE 1/0/3 | 172.16.11.13/30
    ME60      | Loopback0  | 172.16.10.3/32
    USG6680-A | 10GE 1/0/7 | 172.16.11.5/30
    USG6680-A | Loopback0  | 172.16.10.1/32
    USG6680-B | 10GE 1/0/8 | 172.16.11.9/30
    USG6680-B | Loopback0  | 172.16.10.2/32
    S12708    | Loopback0  | 172.16.10.4/32
    S12708    | XGE 5/0/7  | 172.16.10.14/30

  • Interface address configuration

    Set the IP address of GE 1/0/1 on the ME60 to 172.16.11.6/30.

    #
    interface GigabitEthernet1/0/1
     undo shutdown
     ip address 172.16.11.6 255.255.255.252      //Configure an IP address on the interface.
    #
    

    Other interface addresses are configured in a similar way and are not described here.

Configure remote login.

You can remotely log in to a device through Telnet or SSH. Telnet has security risks. SSH, which is more secure, is recommended.

For details, see "Using STelnet (SSH) to Remotely Log In to a Device" in "Common Features."

Configuring Static Routes

Overall planning

Routers use routing protocols to discover routes, generate routing tables, and guide packet forwarding. Unlike dynamic routing protocols, which learn routes automatically, static routing requires routes to be configured manually in the routing table.

The campus network in this example has a simple structure. To simplify maintenance, static routes are sufficient to meet the user requirements.

The static routes from the ME60 to each device are as follows:

Table 1-28  Static routes on the ME60

Device | Destination Address | Next-Hop IP Address
ME60   | 172.16.10.1/32      | 172.16.11.5/30
ME60   | 172.16.10.2/32      | 172.16.11.9/30
ME60   | 172.16.10.4/32      | 172.16.11.14/30

Static route configuration

To configure static routes from the ME60 to each device, run the following commands:

#
ip route-static 172.16.10.1 255.255.255.255 172.16.11.5      //Configure a static route from the ME60 to USG6680-A.
ip route-static 172.16.10.2 255.255.255.255 172.16.11.9      //Configure a static route from the ME60 to USG6680-B.
ip route-static 172.16.10.4 255.255.255.255 172.16.11.14     //Configure a static route from the ME60 to the S12708.
#
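Before these routes are committed, the plan in Table 1-28 can be cross-checked against the interface plan in Table 1-27. The following Python script is an added example, not part of the original Huawei configuration: it verifies that each next hop lies on a directly connected link of the ME60, is not one of the ME60's own addresses, and, where the destination is another device's loopback, is an interface address of that device. The device names, interface names and addresses are copied from the two tables; the three rules and the function name check_routes are assumptions about what a consistent plan looks like. Run against the tables as printed, it reports the routes to USG6680-A and USG6680-B as consistent and flags that the next hop 172.16.11.14 toward the S12708 does not appear as an address of the S12708 in Table 1-27, which lists XGE 5/0/7 as 172.16.10.14/30; a discrepancy of that kind between planning tables is worth resolving before the configuration is deployed.

```python
import ipaddress

# Interface plan copied from Table 1-27: (device, interface) -> address/prefix.
INTERFACES = {
    ("ME60", "10GE 1/0/1"): "172.16.11.6/30",
    ("ME60", "10GE 1/0/2"): "172.16.11.10/30",
    ("ME60", "10GE 1/0/3"): "172.16.11.13/30",
    ("ME60", "Loopback0"): "172.16.10.3/32",
    ("USG6680-A", "10GE 1/0/7"): "172.16.11.5/30",
    ("USG6680-A", "Loopback0"): "172.16.10.1/32",
    ("USG6680-B", "10GE 1/0/8"): "172.16.11.9/30",
    ("USG6680-B", "Loopback0"): "172.16.10.2/32",
    ("S12708", "Loopback0"): "172.16.10.4/32",
    ("S12708", "XGE 5/0/7"): "172.16.10.14/30",
}

# Static routes on the ME60 from Table 1-28: (destination prefix, next hop).
STATIC_ROUTES = [
    ("172.16.10.1/32", "172.16.11.5"),
    ("172.16.10.2/32", "172.16.11.9"),
    ("172.16.10.4/32", "172.16.11.14"),
]


def check_routes(local="ME60", interfaces=INTERFACES, routes=STATIC_ROUTES):
    """Return {destination: [problem, ...]}; an empty list means the route is consistent."""
    ifs = {key: ipaddress.ip_interface(addr) for key, addr in interfaces.items()}
    findings = {}
    for dest, nh in routes:
        dest_net = ipaddress.ip_network(dest)
        nh_ip = ipaddress.ip_address(nh)
        problems = []

        # 1. The next hop must be reachable over a directly connected, non-loopback link.
        on_link = [name for (dev, name), itf in ifs.items()
                   if dev == local and itf.network.prefixlen < 32 and nh_ip in itf.network]
        if not on_link:
            problems.append(f"next hop {nh} is not on any connected link of {local}")

        # 2. The next hop must not be one of the local router's own addresses.
        if any(dev == local and itf.ip == nh_ip for (dev, _), itf in ifs.items()):
            problems.append(f"next hop {nh} is an address of {local} itself")

        # 3. If the destination is a device's own address, the next hop should be
        #    an interface address of that device (the peer on the shared link).
        owners = {dev for (dev, _), itf in ifs.items() if itf.ip in dest_net}
        for dev in sorted(owners):
            if not any(d == dev and itf.ip == nh_ip for (d, _), itf in ifs.items()):
                problems.append(f"next hop {nh} is not an interface address of {dev}, "
                                f"which owns {dest}")
        findings[dest] = problems
    return findings


if __name__ == "__main__":
    for dest, problems in check_routes().items():
        print(dest, "OK" if not problems else "; ".join(problems))
```

The same three rules apply to any static-route plan: swap in another device's interface table and route list and the script reports per-destination findings.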

Configuring IPoE Access

Overall planning

Wireless student and teacher users access the campus network in IPoE mode. The ME60 functions as an authentication gateway. After authentication succeeds, the ME60 assigns private IP addresses to users and grants them access rights. The users can access the Internet only after passing web authentication.

Table 1-29  Planning of IPoE access parameters

Parameter

Planned Value

AAA schemes

  • Authentication schemes: authen and none (The authentication mode is none.)
  • Accounting schemes: acc and none (The accounting mode is none.)

RADIUS servers

  • Name of the RADIUS server: radius
  • IP address and port number of the authentication server: 192.168.10.55 and 1812
  • IP address and port number of the accounting server: 192.168.10.55 and 1813
  • IP addresses of the authorization servers: 192.168.10.55 and 192.168.10.241
  • Source interface of the RADIUS server: LoopBack0 (This interface is used by the ME60 to send packets to the RADIUS server.)
  • Shared key of the RADIUS server: Huawei@123

Web server

  • Source interface of the web server: LoopBack0 (This interface is used by the ME60 to send packets to the web server.)
  • IP address and port number of the web server: 192.168.10.53 and 50100

Address pools

  • Name of the IP address pool: xuesheng
    • Gateway address and subnet mask are 10.254.0.1 and 255.255.128.0, respectively.
    • Network segment: 10.254.0.2 to 10.254.127.254
    • IP addresses of the DNS servers: 192.168.10.2 and 10.255.57.5
    • Lease period: 12 hours
  • Name of the IP address pool: pre-pool
    • Gateway address and subnet mask are 10.253.0.1 and 255.255.128.0, respectively.
    • Network segment: 10.253.0.2 to 10.253.127.254
    • IP addresses of the DNS servers: 192.168.10.2 and 10.255.57.5
    • Lease period: 12 hours
  • Name of the IP address pool: jiaoshi
    • Gateway address and subnet mask are 10.254.128.1 and 255.255.128.0, respectively.
    • Network segment: 10.254.128.2 to 10.254.255.254
    • IP addresses of the DNS servers: 192.168.10.2 and 10.255.57.5
    • Lease period: 12 hours

User group

The user group pre-web denies user access to the network from the pre-authentication domain.

Pre-authentication domain

  • The pre-authentication domain pre-authen allows users to access only the web server.
  • The authentication scheme, accounting scheme, user group, and address pool bound to the domain are none, none, pre-web, and pre-pool, respectively.

UCL rules

The UCL rules for redirecting users in the pre-authentication domain to the web authentication page are:
  • UCL rule 6010 allows users to access the authentication server, authorization server, accounting server, web server, and DNS server.
  • UCL rule 6011 redirects users in the user group pre-web to the web authentication page.

Authentication domains

  • The name of the domain is xs. The authentication scheme, accounting scheme, RADIUS server, and address pool bound to the domain are authen, acc, radius, and xuesheng, respectively.
  • The name of the domain is jg. The authentication scheme, accounting scheme, RADIUS server, and address pool bound to the domain are authen, acc, radius, and jiaoshi, respectively.

BAS interfaces

  • The BAS interface GE 3/0/2.1001:
    • The access type is set to layer2-subscriber, the pre-authentication domain is pre-authen, and the authentication domain is xs.
    • The authentication method is web authentication.
  • The BAS interface GE 3/0/2.1003:
    • The access type is set to layer2-subscriber, the pre-authentication domain is pre-authen, and the authentication domain is jg.
    • The authentication method is web authentication.

NOTE:

All unauthenticated web authentication users are assigned to a default domain configured on an interface. This default domain is called the pre-authentication domain, or pre-authen. Unauthenticated web authentication users obtain IP addresses from the pre-authentication domain and access the web authentication server through the authorities granted to pre-authen for web authentication. After web authentication is complete, users are authenticated by the RADIUS server in the authentication domain xs.
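The pre-authentication walled garden described in the planning table and the note above, as an added, simplified Python model that is not part of the original Huawei example: it evaluates one packet at a time against the intent of traffic-policy-1 (classifier 6010 forwards traffic to the DNS, web and RADIUS servers; classifier 6011 sends TCP port 80 and 8080 traffic to HTTP redirection; every other packet from the user group pre-web is treated as blocked, which follows the stated purpose of the user group and the explicit deny rule of the PPPoE variant, ACL 6013, rather than reproducing the device's exact rule semantics). Traffic from users who are no longer in the pre-web group is not touched by the policy at all. The Packet class, the evaluate and walk functions, and the sample traffic are constructed for this illustration; the server addresses, ports and redirection URL are the page's own values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Destinations ACL 6010 permits for user group pre-web, taken from the configuration:
# DNS servers, the web authentication server and the RADIUS authentication/authorization servers.
WALLED_GARDEN = {"192.168.10.2", "10.255.57.5", "192.168.10.53",
                 "192.168.10.55", "192.168.10.241"}
REDIRECT_PORTS = {80, 8080}          # ACL 6011: destination-port eq www / eq 8080
REDIRECT_URL = "http://192.168.10.53/help/help.html"   # web-server url in domain pre-authen


@dataclass
class Packet:
    user_group: Optional[str]   # "pre-web" while unauthenticated; None once in domain xs or jg
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def evaluate(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Simplified first-match model of traffic-policy-1 for a single packet.

    Returns (decision, redirect_url) where decision is "forward", "redirect" or "drop".
    """
    if pkt.user_group != "pre-web":
        # Both classifiers match only "source user-group pre-web": authenticated users pass.
        return ("forward", None)
    if pkt.dst in WALLED_GARDEN:
        # classifier 6010 -> behavior 6010 (no action configured): forwarded as-is.
        return ("forward", None)
    if pkt.proto == "tcp" and pkt.dport in REDIRECT_PORTS:
        # classifier 6011 -> behavior 6011 (http-redirect): browser is sent to the portal.
        return ("redirect", REDIRECT_URL)
    # Assumption of this model: anything else from the pre-authentication group is blocked,
    # matching the stated purpose of user group pre-web and the "deny ip" rule in ACL 6013.
    return ("drop", None)


# Constructed sample traffic; 203.0.113.10 (documentation range) stands in for an Internet host.
SAMPLE = [
    Packet("pre-web", "192.168.10.2", "udp", 53),      # DNS lookup before login
    Packet("pre-web", "192.168.10.53", "tcp", 50100),  # the portal itself
    Packet("pre-web", "203.0.113.10", "tcp", 80),      # plain HTTP browsing -> redirected
    Packet("pre-web", "203.0.113.10", "tcp", 443),     # not on 80/8080, so blocked
    Packet(None, "203.0.113.10", "tcp", 443),          # the same flow after authentication
]


def walk(packets: List[Packet] = SAMPLE) -> List[Tuple[str, Optional[str]]]:
    """Evaluate a list of packets in order and return the decisions."""
    return [evaluate(p) for p in packets]


if __name__ == "__main__":
    for pkt, (decision, url) in zip(SAMPLE, walk()):
        print(f"{pkt.user_group or 'authenticated':14} {pkt.proto}/{pkt.dport} -> {pkt.dst}: "
              f"{decision}{' ' + url if url else ''}")
```

The fourth sample packet shows the practical limit of the pre-authentication redirect: only plain HTTP on the configured ports can be steered to the portal, so a user whose first request is HTTPS simply sees a blocked connection until they open an HTTP page.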

IPoE access configuration

To configure IPoE access, run the following commands:

#
aaa                                        //Configure AAA schemes.
 http-redirect enable                      //Enable HTTP packet redirection.
 authentication-scheme none                //Configure the authentication scheme none.
  authentication-mode none                 //Set the authentication mode to none.
 accounting-scheme none                    //Configure the accounting scheme none.
  accounting-mode none                     //Set the accounting mode to none.
 authentication-scheme authen              //Configure the authentication scheme authen.
 accounting-scheme acc                     //Configure the accounting scheme acc.
 accounting interim interval 15            //Set the interval for real-time accounting to 15 minutes.
#                                          //Configure RADIUS servers.
 radius-server source interface LoopBack0  //Configure the source interface of a RADIUS server.
radius-server group radius                 //Configure a RADIUS server group named radius.
 radius-server authentication 192.168.10.55 1812 weight 0
 radius-server accounting 192.168.10.55 1813 weight 0
 radius-server shared-key-cipher %$%$]&yT6A~x)JPlIv#3CKo2Vs\R%$%$
#   
radius-server authorization 192.168.10.55 shared-key-cipher %$%$/g"p5}]wvO1JPz$/gbc%R)=M%$%$      //Configure a RADIUS authorization server.
radius-server authorization 192.168.10.241 shared-key-cipher %$%$L(eNJFNKu1}D`&2JJbnRmh)R%$%$     //Configure another RADIUS authorization server.
#                                             //Configure a web server.
web-auth-server source interface LoopBack0    //Configure the source interface of the web server as Loopback0.
web-auth-server 192.168.10.53 port 50100 key cipher %$%$lj5k020t7.0:*p'fCdM4WL0`%$%$     //Configure the IP address and port number of the web server.
#                                             //Configure address pools.
ip pool xuesheng bas local                    //Configure an address pool named xuesheng.
 gateway 10.254.0.1 255.255.128.0             //Configure a gateway address.
 section 0 10.254.0.2 10.254.127.254          //Configure an address segment.
 dns-server 192.168.10.2 10.255.57.5          //Configure DNS servers.
 lease 0 12 0                                 //Set the lease period to 12 hours.        
ip pool pre-pool bas local                    //Configure an address pool named pre-pool.
 gateway 10.253.0.1 255.255.128.0
 section 0 10.253.0.2 10.253.127.254
 dns-server 192.168.10.2 10.255.57.5
 lease 0 12 0
ip pool jiaoshi bas local                      //Configure an address pool named jiaoshi.
 gateway 10.254.128.1 255.255.128.0
 section 0 10.254.128.2 10.254.255.254
 excluded-ip-address 10.254.128.2 10.254.129.254     //Set the range of IP addresses that cannot be assigned to users.
 dns-server 192.168.10.2 10.255.57.5
 lease 0 12 0
#
user-group pre-web                            //Configure a user group named pre-web.
#
aaa
 domain pre-authen                            //Configure a pre-authentication domain named pre-authen.
  authentication-scheme none                 //Bind the authentication scheme none to the domain.
  accounting-scheme none                     //Bind the accounting scheme none to the domain.
  ip-pool pre-pool                           //Bind the address pool pre-pool to the domain.
  user-group pre-web                         //Bind the user group pre-web to the domain.
  web-server 192.168.10.53                   //Configure a web authentication server.
  web-server url http://192.168.10.53/help/help.html  //Configure the redirection URL for mandatory web authentication. 
 #
#
acl number 6010                              //Configure the UCL rule 6010, which allows users to access the RADIUS, web, and DNS servers.
 rule 3 permit ip source user-group pre-web destination ip-address 192.168.10.2 0
 rule 6 permit ip source user-group pre-web destination ip-address 192.168.10.53 0
 rule 7 permit ip source user-group pre-web destination ip-address 192.168.10.55 0
 rule 10 permit ip source user-group pre-web destination ip-address 192.168.10.241 0
 rule 15 permit ip source user-group pre-web destination ip-address 10.255.57.5 0
#
acl number 6011                              //Configure the UCL rule 6011 which redirects users to the web authentication page.
 rule 5 permit tcp source user-group pre-web destination-port eq www
 rule 10 permit tcp source user-group pre-web destination-port eq 8080
 rule 20 permit ip source user-group pre-web
#
traffic classifier 6010 operator or         //Configure a traffic classifier named 6010.
 if-match acl 6010
traffic classifier 6011 operator or         //Configure a traffic classifier named 6011.
 if-match acl 6011
#
traffic behavior 6010                       //Configure a traffic behavior named 6010.
traffic behavior 6011                       //Configure a traffic behavior named 6011 to trigger HTTP redirection.
 http-redirect
#
traffic policy traffic-policy-1             //Configure a traffic policy named traffic-policy-1.
 share-mode                                 //Set the attributes of a traffic policy to shared.
 classifier 6010 behavior 6010
 classifier 6011 behavior 6011
#                                           //Apply traffic-policy-1 globally to filter BAS-side user packets.
 traffic-policy traffic-policy-1 inbound
 traffic-policy traffic-policy-1 outbound
# 
#
aaa
 domain xs                                 //Configure an authentication domain named xs.
  authentication-scheme authen             //Bind the authentication scheme authen to the domain.
  accounting-scheme acc                    //Bind the accounting scheme acc to the domain.
  ip-pool xuesheng                         //Bind the address pool xuesheng to the domain.
  value-added-service account-type none        //Set the accounting mode for DAA services to none.
  value-added-service policy 10m               //Configure a DAA service policy named 10m for the domain.
  radius-server group radius                   //Bind the RADIUS server group radius to the domain.
  quota-out online                             //Allow users to stay online upon quota exhaustion.
  #
 domain jg                                     //Configure an authentication domain named jg.
  authentication-scheme authen                 //Bind the authentication scheme authen to the domain.
  accounting-scheme acc                        //Bind the accounting scheme acc to the domain.
  ip-pool jiaoshi                              //Bind the address pool jiaoshi to the domain.
  value-added-service account-type none        //Set the accounting mode for DAA services to none.
  value-added-service policy 20m               //Configure a DAA service policy named 20m for the domain.
  radius-server group radius                   //Bind the RADIUS server group radius to the domain.
  quota-out online                             //Allow users to stay online upon quota exhaustion.
  #
#
interface GigabitEthernet3/0/2.1001            //Configure a BAS interface.
 description xuesheng-web
 user-vlan 3001 3500 qinq 1601 1800
 bas
 #                                              //Set the access type, pre-authentication domain, and authentication domain to layer2-subscriber, pre-authen, and xs, respectively.
  access-type layer2-subscriber default-domain pre-authentication pre-authen authentication xs
  authentication-method web                     //Set the authentication method to web authentication.
 #
#
interface GigabitEthernet3/0/2.1003             //Configure a BAS interface.
 description jiaoshi-web
 user-vlan 3001 3500 qinq 1801 2000
 bas
 #                                              //Set the access type, pre-authentication domain, and authentication domain to layer2-subscriber, pre-authen, and jg, respectively.
  access-type layer2-subscriber default-domain pre-authentication pre-authen authentication jg
  dhcp session-mismatch action offline
  authentication-method web                     //Set the authentication method to web authentication.
 #
#
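The address-pool plan shared by the IPoE, PPPoE and MAC authentication sections (Tables 1-29 to 1-31 and the ip pool ... bas local blocks) can be sanity-checked before it is typed into the device. The following Python script is an added example, not part of the original Huawei configuration: for each pool it verifies that the gateway is a valid host address of its subnet, that the assignable section lies inside that subnet and contains neither the gateway nor the network or broadcast address, that every excluded-ip-address range falls within the section, and that no DNS server address sits inside the pool, then reports how many addresses remain assignable; a second function reports pools whose subnets overlap, since two domains drawing from overlapping pools would hand out colliding addresses. The pool values are the page's; the check rules and the function names validate_pool and overlapping_pools are assumptions about what a consistent plan looks like.

```python
import ipaddress

# Pools as planned in Tables 1-29 to 1-31 and configured with "ip pool <name> bas local".
# "section" is the assignable range; "excluded" lists excluded-ip-address ranges.
POOLS = {
    "xuesheng": {"gateway": "10.254.0.1", "mask": "255.255.128.0",
                 "section": ("10.254.0.2", "10.254.127.254"), "excluded": [],
                 "dns": ["192.168.10.2", "10.255.57.5"]},
    "pre-pool": {"gateway": "10.253.0.1", "mask": "255.255.128.0",
                 "section": ("10.253.0.2", "10.253.127.254"), "excluded": [],
                 "dns": ["192.168.10.2", "10.255.57.5"]},
    "jiaoshi": {"gateway": "10.254.128.1", "mask": "255.255.128.0",
                "section": ("10.254.128.2", "10.254.255.254"),
                "excluded": [("10.254.128.2", "10.254.129.254")],
                "dns": ["192.168.10.2", "10.255.57.5"]},
    "pre-ppp": {"gateway": "10.253.128.1", "mask": "255.255.128.0",
                "section": ("10.253.128.2", "10.253.255.254"), "excluded": [],
                "dns": ["192.168.10.2", "10.255.57.5"]},
}


def pool_network(pool):
    """Subnet implied by the pool's gateway address and mask."""
    return ipaddress.ip_network(f"{pool['gateway']}/{pool['mask']}", strict=False)


def validate_pool(pool):
    """Return (assignable_address_count, [problem, ...]) for one pool definition."""
    net = pool_network(pool)
    gw = ipaddress.ip_address(pool["gateway"])
    start, end = (ipaddress.ip_address(a) for a in pool["section"])
    problems = []
    if gw in (net.network_address, net.broadcast_address):
        problems.append("gateway is the network or broadcast address")
    if start > end:
        problems.append("section start is after its end")
    if start not in net or end not in net:
        problems.append("section is not contained in the gateway's subnet")
    if start <= gw <= end:
        problems.append("gateway lies inside the assignable section")
    if start == net.network_address or end == net.broadcast_address:
        problems.append("section includes the network or broadcast address")
    assignable = int(end) - int(start) + 1
    for ex_start, ex_end in pool["excluded"]:
        es, ee = ipaddress.ip_address(ex_start), ipaddress.ip_address(ex_end)
        if not (start <= es <= ee <= end):
            problems.append(f"excluded range {ex_start}-{ex_end} is not inside the section")
        else:
            assignable -= int(ee) - int(es) + 1   # excluded addresses are never leased
    for dns in pool["dns"]:
        if ipaddress.ip_address(dns) in net:
            problems.append(f"DNS server {dns} falls inside the pool's subnet")
    return assignable, problems


def overlapping_pools(pools):
    """Pairs of pool names whose subnets overlap."""
    names = sorted(pools)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if pool_network(pools[a]).overlaps(pool_network(pools[b]))]


if __name__ == "__main__":
    for name, pool in POOLS.items():
        count, problems = validate_pool(pool)
        print(f"{name:9} {pool_network(pool)}  assignable={count}  "
              f"{'OK' if not problems else '; '.join(problems)}")
    print("overlaps:", overlapping_pools(POOLS) or "none")
```

For the four pools on this page every check passes; the jiaoshi pool ends up with 509 fewer assignable addresses than the others because of its excluded range, which the script makes visible.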

Configuring PPPoE Access

Overall planning

Wired users access the campus network in PPPoE mode. The ME60 functions as an authentication gateway, sending the user account and password to the RADIUS server for authentication. After authentication succeeds, the ME60 assigns an IP address to the user.

Table 1-30  Planning of PPPoE access parameters

Parameter

Planned Value

AAA schemes

Same as the AAA schemes planned for IPoE access

RADIUS servers

Same as the RADIUS servers planned for IPoE access

Address pools

  • Name of the address pool: pre-ppp
    • Gateway address and subnet mask are 10.253.128.1 and 255.255.128.0, respectively.
    • Network segment: 10.253.128.2 to 10.253.255.254
    • IP addresses of the DNS servers: 192.168.10.2 and 10.255.57.5
    • Lease period: 12 hours
  • Name of the address pool: xuesheng
    • Gateway address and subnet mask are 10.254.0.1 and 255.255.128.0, respectively.
    • Network segment: 10.254.0.2 to 10.254.127.254
    • IP address of the DNS server: 200.1.1.1
    • Lease period: 12 hours
  • Name of the address pool: jiaoshi
    • Gateway address and subnet mask are 10.254.128.1 and 255.255.128.0, respectively.
    • Network segment: 10.254.128.2 to 10.254.255.254
    • IP addresses of the DNS servers: 192.168.10.2 and 10.255.57.5
    • Lease period: 12 hours

User group

The user group pre-ppp denies user access to the network from the pre-authentication domain.

Pre-authentication domain

  • The pre-authentication domain pre-ppp allows users to access only the web server.
  • The authentication scheme, accounting scheme, user group, and address pool bound to the domain are none, none, pre-ppp, and pre-ppp, respectively.

UCL rules

The UCL rules for redirecting users in the pre-authentication domain to the web authentication page are:
  • UCL rule 6012 allows users to access the authentication server, authorization server, accounting server, and DNS server.
  • UCL rule 6013 redirects users in the user group pre-ppp to the web authentication page.

Authentication domains

Same as the authentication domains planned for IPoE access

Virtual template (VT) interface

The VT interface number is 1 and the user authentication mode is auto.

BAS interfaces

  • The BAS interface GE 3/0/2.1000:
    • The BAS interface is bound to VT interface 1.
    • User VLANs are configured on the BAS interface. Upon receipt of packets carrying double VLAN tags, the BAS interface removes those tags, then forwards the packets at Layer 3.
    • The access type of the BAS interface is set to layer2-subscriber, the pre-authentication domain is pre-ppp, and the authentication domain is xs.
    • The authentication mode of the BAS interface is PPP authentication and web authentication.
  • The BAS interface GE 3/0/2.1002:
    • The BAS interface is bound to VT interface 1.
    • User VLANs are configured on the BAS interface. Upon receipt of packets carrying double VLAN tags, the BAS interface removes those tags, then forwards the packets at Layer 3.
    • The access type of the BAS interface is set to layer2-subscriber, the pre-authentication domain is pre-ppp, and the authentication domain is jg.
    • The authentication mode of the BAS interface is PPP authentication and web authentication.

PPPoE access configuration

The following example describes configuration of PPPoE access for students. (Only the configuration related to PPPoE access is described here. For details about how to configure AAA schemes, RADIUS servers, and authentication domains, see the configuration of IPoE access.)

#
ip pool xuesheng bas local                               //Configure an address pool named xuesheng.
 gateway 10.254.0.1 255.255.128.0                        //Configure a gateway IP address.
 section 0 10.254.0.2 10.254.127.254                     //Configure an address segment.
 dns-server 192.168.10.2 10.255.57.5                     //Configure DNS servers.
 lease 0 12 0                                            //Set the lease period to 12 hours.        
ip pool pre-ppp bas local                                //Configure an address pool named pre-ppp.
 gateway 10.253.128.1 255.255.128.0
 section 0 10.253.128.2 10.253.255.254
 dns-server 192.168.10.2 10.255.57.5
 lease 0 12 0
#
user-group pre-ppp                                       //Configure a user group named pre-ppp.
#
aaa
 domain pre-ppp                                          //Configure a pre-authentication domain named pre-ppp.
  authentication-scheme none                             //Bind the authentication scheme none to the domain.
  accounting-scheme none                                 //Bind the accounting scheme none to the domain.
  ip-pool pre-ppp                                        //Bind the address pool pre-ppp to the domain.
  user-group pre-ppp                                     //Bind the user group pre-ppp to the domain.
  web-server 192.168.10.55                               //Configure a web authentication server.
  web-server url http://192.168.10.55/help/help.html     //Configure the redirection URL for mandatory web authentication. 
 #
#
acl number 6012                                          //Configure the UCL rule 6012 which allows users to access the RADIUS, web, and DNS servers.
 rule 5 permit ip source user-group pre-ppp destination ip-address 192.168.10.55 0
 rule 6 permit ip source user-group pre-ppp destination ip-address 192.168.10.53 0
 rule 15 permit ip source user-group pre-ppp destination ip-address 192.168.10.2 0
#
acl number 6013                                          //Configure the UCL rule 6013 which redirects users to the web authentication page.
 rule 5 permit tcp source user-group pre-ppp destination-port eq www
 rule 10 permit tcp source user-group pre-ppp destination-port eq 8080
 rule 20 deny ip source user-group pre-ppp
#
traffic classifier 6012 operator or                     //Configure a traffic classifier named 6012.
 if-match acl 6012
traffic classifier 6013 operator or                     //Configure a traffic classifier named 6013.
 if-match acl 6013
#
traffic behavior 6012                                  //Configure a traffic behavior named 6012.
traffic behavior 6013                                  //Configure a traffic behavior named 6013 to trigger HTTP redirection.
 http-redirect
#
traffic policy traffic-policy-1                        //Configure a traffic policy named traffic-policy-1.
 share-mode                                            //Set the attributes of a traffic policy to shared.
 classifier 6012 behavior 6012
 classifier 6013 behavior 6013
#                                                      //Apply traffic-policy-1 globally to filter BAS-side user packets.
 traffic-policy traffic-policy-1 inbound
 traffic-policy traffic-policy-1 outbound
#
interface Virtual-Template1                             //Create a virtual template numbered 1.
 ppp authentication-mode auto                          //Set the PPP authentication mode to auto (autonegotiation).
#
interface GigabitEthernet3/0/2.1000                    //Configure a BAS interface.
 pppoe-server bind Virtual-Template 1                  //Bind the virtual template numbered 1 to the interface.
 description xuesheng-ppp
 user-vlan 2001 3000 qinq 101 200                      //Configure user-side VLANs.
 bas
 #                                                     //Set the access type, pre-authentication domain, and authentication domain to layer2-subscriber, pre-ppp, and xs, respectively.
  access-type layer2-subscriber default-domain pre-authentication pre-ppp authentication xs
  authentication-method ppp web                        //Configure PPP authentication and web authentication.
 #
#

Configuring MAC Address Authentication

Overall planning

To simplify the web authentication process, MAC address authentication is performed for dumb terminals such as printers and fax machines on the campus network. If MAC address authentication is enabled, a web authentication user needs to enter the user name and password only for the first authentication, and the RADIUS server records the user's MAC address. For subsequent web authentication of the user, RADIUS server authentication uses the user's MAC address and does not require that the user input the user name and password again.

Table 1-31  Planning of MAC address authentication parameters

Parameter

Planned Value

AAA schemes

  • Authentication schemes: mac
  • Accounting schemes: acc

RADIUS servers

  • Names of the RADIUS servers: mac
  • IP address and port number of the authentication server: 192.168.10.55 and 1812
  • IP address and port number of the accounting server: 192.168.10.55 and 1813
  • IP addresses of the authorization servers: 192.168.10.55 and 192.168.10.241
  • Source interface of the RADIUS server: LoopBack0 (This interface is used by the ME60 to send packets to the RADIUS server)
  • Shared key of the RADIUS server: Huawei@123

Web server

Same as the web server planned for IPoE access

Address pools

  • Name of the IP address pool: pre-pool

    • Gateway address and subnet mask are 10.253.0.1 and 255.255.128.0, respectively.
    • Network segment: 10.253.0.2 to 10.253.127.254
    • IP addresses of the DNS servers: 192.168.10.2 and 10.255.57.5
    • Lease period: 12 hours
  • Name of the IP address pool: jiaoshi

    • Gateway address and subnet mask are 10.254.128.1 and 255.255.128.0, respectively
    • Network segment: 10.254.128.2 to 10.254.255.254
    • IP addresses of the DNS servers: 192.168.10.2 and 10.255.57.5
    • Lease period: 12 hours

User group

The user group pre-web denies user access to the network from the pre-authentication domain.

Authentication domain (domain to which users are redirected upon authentication failures)

  • The pre-authentication domain pre-authen allows users to access only the web server.
  • The authentication scheme, accounting scheme, user group, and address pool bound to the domain are none, none, pre-web, and pre-pool, respectively.

UCL rules

The UCL rules for redirecting users in the domain pre-authen to the web authentication page are:
  • UCL rule 6010 allows users to access the authentication server, authorization server, accounting server, web server, and DNS server.
  • UCL rule 6011 redirects users in the user group pre-web to the web authentication page.

Pre-authentication domain

The domain name is mac. The authentication scheme, accounting scheme, RADIUS server, and address pool bound to the domain are mac, acc, mac, and pre-pool, respectively.

Authentication domain

The domain name is jg. The authentication scheme, accounting scheme, RADIUS server, and address pool bound to the domain are authen, acc, radius, and jiaoshi, respectively.

BAS interfaces

  • The BAS interface GE 3/0/2.1101:

    • The access type is set to layer2-subscriber, the pre-authentication domain is mac, and the authentication domain is jg.
    • The authentication method is web authentication.

MAC address authentication configuration

The following describes how to configure MAC address authentication. Only the configuration related to MAC address authentication is described here. For details about how to configure AAA schemes, RADIUS servers, web servers, address pools, and UCL rules, see the configuration of IPoE and PPPoE access.

#
aaa
 default-user-name include mac-address -                          //Configure the system to use the MAC address carried in a user login request as the pure user name.
 default-password cipher %$%$MD{\.!~j'P#Jl%3cJBm6#QWv%$%$         //Set the user password.
 authentication-scheme mac                                        //Configure an authentication scheme named mac.
 authening authen-fail online authen-domain pre-authen            //Configure the system to switch users to the domain pre-authen for web authentication after user authentication fails.
#
radius-server group mac                                          //Configure a RADIUS server group named mac.
 radius-server authentication 192.168.10.55 1812 weight 0
 radius-server accounting 192.168.10.55 1813 weight 0
 radius-server shared-key-cipher %$%$wJ\~N5\D[,Zw-qP$[.=GR!A}%$%$
#
aaa
 domain mac                                                       //Configure an authentication domain named mac.
  authentication-scheme mac                                       //Bind the authentication scheme mac to the domain.
  accounting-scheme acc                                           //Bind the accounting scheme acc to the domain.
  ip-pool pre-pool                                                //Configure an address pool for the domain.
  mac-authentication enable                                       //Enable MAC address authentication.
  radius-server group mac                                         //Bind the RADIUS server group mac to the domain.
  #
#
interface GigabitEthernet3/0/2.1101                                //Configure the GE subinterface that serves as the BAS interface.
 description mac-web
 user-vlan 600
 bas
 #
 access-type layer2-subscriber default-domain pre-authentication mac authentication jg      //Set the access type, pre-authentication domain, and authentication domain to layer2-subscriber, mac, and jg, respectively.
 authentication-method web                                        //Set the authentication mode to web authentication.
 #
#

Configuring DAA

DAA implements rate limiting and accounting based on the destination addresses of user access traffic. DAA is configured on the ME60 so that user traffic can be managed differently by destination address, with accounting and bandwidth control applied at different tariff levels that are defined according to the destination address. Students, teachers, commercial users, and dumb terminals access the campus intranet at different bandwidths; for example, the bandwidths for students, teachers, commercial users, and dumb terminals may be 10 Mbit/s, 20 Mbit/s, 50 Mbit/s, and 20 Mbit/s, respectively. DAA therefore controls bandwidth per user type and per destination address.

Table 1-32  Planning of DAA Parameters

Parameter

Planned Value

DAA status

Enable DAA in the system view.

AAA schemes

Same as the AAA schemes planned for IPoE access.

RADIUS servers

Same as the RADIUS servers planned for IPoE access.

Web server

Same as the web server planned for IPoE access.

Address pools

Same as the address pools planned for IPoE access.

User groups

  • The user group pre-web denies user access to the network from the pre-authentication domain.
  • The user group xuesheng contains students.
  • The user group jiaoshi contains teachers.

Pre-authentication domain

Same as the pre-authentication domain planned for IPoE access.

UCL rules

The UCL rules for redirecting users in the pre-authentication domain to the web authentication page are:
  • UCL rule 6010 allows users to access the authentication server, authorization server, accounting server, web server, and DNS server.
  • UCL rule 6011 redirects users in the user group pre-web to the web authentication page.
  • UCL rule 6003 allows students to access the campus intranet, RADIUS server, web server, and DNS server.
  • UCL rule 6005 allows teachers to access the campus intranet, RADIUS server, web server, and DNS server.

QoS profiles

Names of the QoS profiles: 10M and 20M

DAA service policies

  • Names of DAA service policies: 10m and 20m
  • Accounting mode: none
  • Enable DAA service separation.
  • Tariff level 1 is used and bound to the QoS profiles 10M and 20M.

Authentication domains

  • The domain name is xs. The authentication scheme, accounting scheme, RADIUS server, address pool, accounting mode for DAA services, and DAA service policy bound to the domain are authen, acc, radius, xuesheng, none, and 10m, respectively.
  • The domain name is jg. The authentication scheme, accounting scheme, RADIUS server, address pool, accounting mode for DAA services, and DAA service policy bound to the domain are authen, acc, radius, jiaoshi, none, and 20m, respectively.

BAS interfaces

Same as the BAS interfaces planned for IPoE access

DAA configuration

The following describes only the configuration related to DAA. For details about how to configure AAA schemes, RADIUS servers, and web servers, see the configuration of IPoE access.

#
value-added-service enable                            //Enable the value-added service globally.
#
user-group xuesheng                                   //Configure a user group named xuesheng.
user-group jiaoshi                                    //Configure a user group named jiaoshi.
#
acl number 6003                                       //Configure the UCL rule 6003.
 rule 5 permit ip source user-group jiaoshi destination ip-address 10.0.0.0 0.255.255.255
 rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group jiaoshi
 rule 15 permit ip source user-group jiaoshi destination ip-address 172.16.0.0 0.15.255.255
 rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group jiaoshi
 rule 25 permit ip source user-group jiaoshi destination ip-address 192.168.0.0 0.0.255.255
 rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group jiaoshi
#
acl number 6005                                       //Configure the UCL rule 6005.
 rule 5 permit ip source user-group xuesheng destination ip-address 10.0.0.0 0.255.255.255
 rule 10 permit ip source ip-address 10.0.0.0 0.255.255.255 destination user-group xuesheng
 rule 15 permit ip source user-group xuesheng destination ip-address 172.16.0.0 0.15.255.255
 rule 20 permit ip source ip-address 172.16.0.0 0.15.255.255 destination user-group xuesheng
 rule 25 permit ip source user-group xuesheng destination ip-address 192.168.0.0 0.0.255.255
 rule 30 permit ip source ip-address 192.168.0.0 0.0.255.255 destination user-group xuesheng
#
traffic classifier 6003 operator or                  //Configure a traffic classifier named 6003.
 if-match acl 6003
traffic classifier 6005 operator or                  //Configure a traffic classifier named 6005.
 if-match acl 6005
#
traffic behavior 6003                                //Configure a traffic behavior named 6003.
 tariff-level 1                                      //Configure the tariff level 1 for DAA services.
 car                                                 //Configure the CAR function for DAA service packets.
 traffic-statistic                                   //Enable traffic statistics collection for DAA services.
traffic behavior 6005                                //Configure a traffic behavior named 6005.
 tariff-level 1
 car
 traffic-statistic
#
traffic policy traffic_policy_daa                     //Configure a DAA traffic policy named traffic_policy_daa.
 share-mode
 classifier 6003 behavior 6003                        //Bind the classifier 6003 to the behavior 6003.
 classifier 6005 behavior 6005                        //Bind the classifier 6005 to the behavior 6005.
#
accounting-service-policy traffic_policy_daa          //Apply traffic_policy_daa globally.
#
qos-profile 10M                                       //Configure a QoS profile named 10M.
 car cir 10000 cbs 1870000 green pass red discard inbound
 car cir 10000 cbs 1870000 green pass red discard outbound
qos-profile 20M                                       //Configure a QoS profile named 20M.
 car cir 20000 cbs 3740000 green pass red discard inbound
 car cir 20000 cbs 3740000 green pass red discard outbound
#
value-added-service policy 10m daa                    //Configure a DAA service policy named 10m.
 accounting-scheme none
 traffic-separate enable
 tariff-level 1 qos-profile 10M
#
value-added-service policy 20m daa                    //Configure a DAA service policy named 20m.
 accounting-scheme none
 traffic-separate enable
 tariff-level 1 qos-profile 20M
#
aaa
 domain xs                                            //Configure an authentication domain named xs.
  value-added-service account-type none               //Set the DAA service accounting mode to none.
  value-added-service policy 10m                      //Bind the DAA service policy named 10m to the domain.
  #
 domain jg                                            //Configure an authentication domain named jg.
  value-added-service account-type none               //Set the DAA service accounting mode to none.
  value-added-service policy 20m                      //Bind the DAA service policy named 20m to the domain.
  #
#
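As an added illustration that is not part of this Huawei example, the following Python models how the DAA bindings above resolve a user's traffic to a CAR rate: a UCL rule matching the user's group and destination marks the flow with tariff level 1 through the traffic behavior, and the domain's DAA service policy maps that tariff level to a QoS profile. Only the upstream (source user-group) rules are included, and the domain-to-user-group mapping (xs to xuesheng, jg to jiaoshi) is an assumption drawn from the planning table, not from the configuration.

```python
import ipaddress
import re

# Constructed for this example: the UCL rules below are copied from the page's
# DAA configuration (upstream rules only); the lookup logic is an added
# illustration of how the ME60 bindings resolve, not ME60 code.
UCL_RULES = """
acl number 6003
 rule 5 permit ip source user-group jiaoshi destination ip-address 10.0.0.0 0.255.255.255
 rule 15 permit ip source user-group jiaoshi destination ip-address 172.16.0.0 0.15.255.255
 rule 25 permit ip source user-group jiaoshi destination ip-address 192.168.0.0 0.0.255.255
acl number 6005
 rule 5 permit ip source user-group xuesheng destination ip-address 10.0.0.0 0.255.255.255
 rule 15 permit ip source user-group xuesheng destination ip-address 172.16.0.0 0.15.255.255
 rule 25 permit ip source user-group xuesheng destination ip-address 192.168.0.0 0.0.255.255
"""
# traffic behavior 6003 / 6005 both mark matching DAA traffic with tariff-level 1.
ACL_TARIFF = {"6003": 1, "6005": 1}
# qos-profile -> CIR in kbit/s; DAA service policy -> {tariff level: qos-profile}.
QOS_CIR = {"10M": 10000, "20M": 20000}
POLICY_TARIFF = {"10m": {1: "10M"}, "20m": {1: "20M"}}
# Domain -> (user group, DAA policy). The policy is from the config; the user
# group per domain is an assumption taken from the planning table.
DOMAIN = {"xs": ("xuesheng", "10m"), "jg": ("jiaoshi", "20m")}

RULE_RE = re.compile(
    r"rule \d+ permit ip source user-group (\S+) destination ip-address (\S+) (\S+)")

def parse_ucl(text):
    """Return {acl_number: [(user_group, dst_network), ...]} from acl/rule lines."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("acl number "):
            current = line.split()[-1]
            acls[current] = []
        elif current and (m := RULE_RE.match(line)):
            # The VRP wildcard mask is a hostmask, which ipaddress accepts directly.
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            acls[current].append((m.group(1), net))
    return acls

def daa_cir_kbps(domain, dst_ip, acls=None):
    """CIR applied to a user's upstream flow to dst_ip, or None if no UCL rule matches (not a DAA flow)."""
    acls = acls if acls is not None else parse_ucl(UCL_RULES)
    group, policy = DOMAIN[domain]
    dst = ipaddress.ip_address(dst_ip)
    for acl_no, rules in acls.items():
        if any(g == group and dst in net for g, net in rules):
            return QOS_CIR[POLICY_TARIFF[policy][ACL_TARIFF[acl_no]]]
    return None

if __name__ == "__main__":
    print(daa_cir_kbps("xs", "10.5.1.20"))      # student to campus intranet -> 10000
    print(daa_cir_kbps("jg", "192.168.10.55"))  # teacher to RADIUS server -> 20000
    print(daa_cir_kbps("xs", "8.8.8.8"))        # public address, no UCL match -> None
```

A flow that matches no UCL rule (the last call) is outside DAA entirely and falls back to the domain's ordinary accounting and bandwidth settings, which is the check to run when a destination unexpectedly escapes the tariff-level rate limit.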
Updated: 2019-05-16

Document ID: EDOC1000120969