Configuration Examples for NE and ME60 Routers in Typical Enterprise Scenarios 2.0

This document provides NE series routers typical configuration examples.
Example for Configuring User Access (Web+MAC Authentication) in a Dual-Device Hot Backup Scenario

This section provides an example for configuring user access (web+MAC authentication) in a dual-device hot backup scenario, so that users can access the network again without re-entering usernames and passwords within a specified period after their first login.

Applicable Products and Versions

This configuration example applies to NE40E/ME60/NE20E-S series products running V800R010C00 or later.

Networking Requirements

On the network shown in Figure 1-25, users access BRAS1 and BRAS2 through SW1. When a user accesses the network for the first time, the user is required to enter the username and password on the portal page. The RADIUS server automatically records the MAC address of the user terminal and associates the MAC address with the username. Later, the user can access the network again without re-entering the username and password within a specified period after the first login.

The networking requirements are as follows:

  • RADIUS authentication and accounting are used.

  • The IP address of the RADIUS server is 192.168.7.249. The authentication port number is 1812, and the accounting port number is 1813. The standard RADIUS protocol is adopted, and the key is Root@1234.

  • The IP address of the DNS server is 192.168.8.252.

  • The IP address of the web server is 192.168.8.251.

Figure 1-25  User access (web+MAC authentication) in a dual-device hot backup scenario
NOTE:

Interfaces 1 through 3 in this example are GE 0/3/1, GE 0/3/6, and GE 0/3/2, respectively.



Device   Interface    IP Address      Description
-------  -----------  --------------  -----------------------------------------------------------------------
BRAS1    GE0/3/1      10.32.1.1/24    BRAS1's interface for establishing a remote backup service (RBS) channel
         GE0/3/6.1    10.24.0.1/24    Interface running VRRP
         Loopback 1   10.1.1.1/32     Protection tunnel interface
BRAS2    GE0/3/2      10.32.1.2/24    BRAS2's interface for establishing an RBS channel
         GE0/3/6.1    10.24.0.2/24    Interface running VRRP
         Loopback 1   10.1.1.2/32     Protection tunnel interface

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure basic user access functions and ensure that the two BRASs have the same configuration.

  2. Configure VRRP on the access side of the master and backup BRASs. BRAS1 is the master, and BRAS2 is the backup.

  3. Configure an RBS and a remote backup profile (RBP) for backing up BRAS user information.

  4. Configure Layer 2 IPoE access (web+MAC authentication).

  5. Specify the source IP address of portal packets to be sent to the web authentication server.

Data Preparation

To complete the configuration, you need the following data:

  • VRRP parameters (VRRP group ID and preemption delay)

  • IP address of each interface on BRAS1 and BRAS2

  • Backup ID, which works together with an RBS to identify an RBP to which users belong

Procedure

  1. Configure VRRP on the access side of the master and backup BRASs. BRAS1 is the master, and BRAS2 is the backup.

    The configurations on BRAS1 are as follows:

    # Configure a VRRP group on an interface (GE 0/3/6.1 is used in this example).

    <HUAWEI> system-view
     [~HUAWEI] sysname BRAS1
     [*BRAS1] commit
     [~BRAS1] interface GigabitEthernet 0/3/6.1               
     [*BRAS1-GigabitEthernet0/3/6.1] vlan-type dot1q 400                           
     [*BRAS1-GigabitEthernet0/3/6.1] ip address 10.24.0.1 255.255.255.0            
     [*BRAS1-GigabitEthernet0/3/6.1] vrrp vrid 1 virtual-ip 10.24.0.100            
     [*BRAS1-GigabitEthernet0/3/6.1] admin-vrrp vrid 1                             
     [*BRAS1-GigabitEthernet0/3/6.1] vrrp vrid 1 priority 120                      
     [*BRAS1-GigabitEthernet0/3/6.1] commit
     [~BRAS1-GigabitEthernet0/3/6.1] quit

    The configurations on BRAS2 are as follows:

    # Configure a VRRP group on an interface (GE 0/3/6.1 is used in this example).

    <HUAWEI> system-view
     [~HUAWEI] sysname BRAS2
     [*BRAS2] commit
     [~BRAS2] interface GigabitEthernet 0/3/6.1               
     [*BRAS2-GigabitEthernet0/3/6.1] vlan-type dot1q 400                           
     [*BRAS2-GigabitEthernet0/3/6.1] ip address 10.24.0.2 255.255.255.0            
     [*BRAS2-GigabitEthernet0/3/6.1] vrrp vrid 1 virtual-ip 10.24.0.100            
     [*BRAS2-GigabitEthernet0/3/6.1] admin-vrrp vrid 1                             
     [*BRAS2-GigabitEthernet0/3/6.1] vrrp vrid 1 priority 110                      
     [*BRAS2-GigabitEthernet0/3/6.1] commit
     [~BRAS2-GigabitEthernet0/3/6.1] quit

  2. Configure an RBS and an RBP.

    The configurations on BRAS1 are as follows:

    # Configure an IP address for the protection tunnel.

    [~BRAS1] interface loopback1
     [*BRAS1-loopback1] ip address 10.1.1.1 32
     [*BRAS1-loopback1] commit
     [~BRAS1-loopback1] quit

    # Configure an interface for establishing an RBS channel.

    [~BRAS1] interface gigabitethernet 0/3/1
     [*BRAS1-GigabitEthernet0/3/1] undo shutdown
     [*BRAS1-GigabitEthernet0/3/1] ip address 10.32.1.1 24
     [*BRAS1-GigabitEthernet0/3/1] mpls
     [*BRAS1-GigabitEthernet0/3/1-mpls] mpls ldp
     [*BRAS1-GigabitEthernet0/3/1-mpls-ldp] commit
     [~BRAS1-GigabitEthernet0/3/1] quit

    # Configure an RBS.

    [~BRAS1] remote-backup-service s1
     [*BRAS1-rm-backup-srv-s1] peer 10.32.1.2 source 10.32.1.1 port 11000
     [*BRAS1-rm-backup-srv-s1] protect lsp-tunnel for-all-instance peer-ip 10.1.1.2
     [*BRAS1-rm-backup-srv-s1] commit
     [~BRAS1-rm-backup-srv-s1] quit

    # Configure an RBP.

    [~BRAS1] remote-backup-profile p1
     [*BRAS1-rm-backup-prf-p1] service-type bras
     [*BRAS1-rm-backup-prf-p1] backup-id 1 remote-backup-service s1
     [*BRAS1-rm-backup-prf-p1] peer-backup hot
     [*BRAS1-rm-backup-prf-p1] vrrp-id 1 interface gigabitethernet 0/3/6.1
     [*BRAS1-rm-backup-prf-p1] commit
     [~BRAS1-rm-backup-prf-p1] quit

    # Bind the RBP to the user access interface.

    [~BRAS1] interface gigabitethernet 0/3/6.2
     [*BRAS1-GigabitEthernet0/3/6.2] remote-backup-profile p1
     [*BRAS1-GigabitEthernet0/3/6.2] commit
     [~BRAS1-GigabitEthernet0/3/6.2] quit
     [~BRAS1] quit

    The configurations on BRAS2 are as follows:

    # Configure an IP address for the protection tunnel.

    [~BRAS2] interface loopback1
     [*BRAS2-loopback1] ip address 10.1.1.2 32
     [*BRAS2-loopback1] commit
     [~BRAS2-loopback1] quit

    # Configure an interface for establishing an RBS channel.

    [~BRAS2] interface gigabitethernet 0/3/2
     [*BRAS2-GigabitEthernet0/3/2] undo shutdown
     [*BRAS2-GigabitEthernet0/3/2] ip address 10.32.1.2 24
     [*BRAS2-GigabitEthernet0/3/2] mpls
     [*BRAS2-GigabitEthernet0/3/2-mpls] mpls ldp
     [*BRAS2-GigabitEthernet0/3/2-mpls-ldp] commit
     [~BRAS2-GigabitEthernet0/3/2] quit

    # Configure an RBS.

    [~BRAS2] remote-backup-service s1
     [*BRAS2-rm-backup-srv-s1] peer 10.32.1.1 source 10.32.1.2 port 11000
     [*BRAS2-rm-backup-srv-s1] protect lsp-tunnel for-all-instance peer-ip 10.1.1.1
     [*BRAS2-rm-backup-srv-s1] commit
     [~BRAS2-rm-backup-srv-s1] quit

    # Configure an RBP.

    [~BRAS2] remote-backup-profile p1
     [*BRAS2-rm-backup-prf-p1] service-type bras
     [*BRAS2-rm-backup-prf-p1] backup-id 1 remote-backup-service s1
     [*BRAS2-rm-backup-prf-p1] peer-backup hot
     [*BRAS2-rm-backup-prf-p1] vrrp-id 1 interface gigabitethernet 0/3/6.1
     [*BRAS2-rm-backup-prf-p1] commit
     [~BRAS2-rm-backup-prf-p1] quit

    # Bind the RBP to the user access interface.

    [~BRAS2] interface gigabitethernet 0/3/6.2
     [*BRAS2-GigabitEthernet0/3/6.2] remote-backup-profile p1
     [*BRAS2-GigabitEthernet0/3/6.2] commit
     [~BRAS2-GigabitEthernet0/3/6.2] quit
     [~BRAS2] quit

  3. Configure MPLS.

    The configurations on BRAS1 are as follows:

    [~BRAS1] mpls lsr-id 10.1.1.1
     [~BRAS1] mpls
     [*BRAS1-mpls] commit
     [~BRAS1-mpls] mpls ldp
     [*BRAS1-mpls-ldp] commit
     [~BRAS1-mpls] quit

    The configurations on BRAS2 are as follows:

    [~BRAS2] mpls lsr-id 10.1.1.2
     [~BRAS2] mpls
     [*BRAS2-mpls] commit
     [~BRAS2-mpls] mpls ldp
     [*BRAS2-mpls-ldp] commit
     [~BRAS2-mpls] quit

  4. Configure OSPF.

    The configurations on BRAS1 are as follows:

    [~BRAS1] ospf 1
     [*BRAS1-ospf-1] default cost inherit-metric
     [*BRAS1-ospf-1] import-route unr
     [*BRAS1-ospf-1] area 0
     [*BRAS1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.0
     [*BRAS1-ospf-1-area-0.0.0.0] network 10.32.1.1 0.0.0.255
     [*BRAS1-ospf-1-area-0.0.0.0] commit
     [~BRAS1-ospf-1-area-0.0.0.0] quit
     [~BRAS1-ospf-1] quit

    The configurations on BRAS2 are as follows:

    [~BRAS2] ospf 1
     [*BRAS2-ospf-1] default cost inherit-metric
     [*BRAS2-ospf-1] import-route unr
     [*BRAS2-ospf-1] area 0
     [*BRAS2-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.0
     [*BRAS2-ospf-1-area-0.0.0.0] network 10.32.1.2 0.0.0.255
     [*BRAS2-ospf-1-area-0.0.0.0] commit
     [~BRAS2-ospf-1-area-0.0.0.0] quit
     [~BRAS2-ospf-1] quit

  5. Configure Layer 2 IPoE access (web+MAC authentication).

    NOTE:

    The configurations on BRAS2 are similar to those on BRAS1. For details about configurations on BRAS2, see the configuration file of BRAS2.

    1. Configure a MAC authentication domain named mac-auth, a web pre-authentication domain named web-auth, and a web authentication domain named after-auth.

      <HUAWEI> system-view
      [~BRAS1] aaa
      [*BRAS1-aaa] domain mac-auth
      [*BRAS1-aaa-domain-mac-auth] commit
      [~BRAS1-aaa-domain-mac-auth] quit
      [~BRAS1-aaa] domain web-auth
      [*BRAS1-aaa-domain-web-auth] commit
      [~BRAS1-aaa-domain-web-auth] quit
      [~BRAS1-aaa] domain after-auth
      [*BRAS1-aaa-domain-after-auth] commit
      [~BRAS1-aaa-domain-after-auth] quit
      [~BRAS1-aaa] quit
    2. Configure AAA schemes and a RADIUS server group.

      # Create a RADIUS server group named rd1. In the view of the RADIUS server group rd1, configure the device to carry the HW-Auth-Type attribute in Access-Request packets to be sent to the RADIUS server and translate the HW-Auth-Type attribute into Huawei proprietary attribute 109 if the RADIUS server does not support the HW-Auth-Type attribute.

      [~BRAS1] radius-server group rd1
      [*BRAS1-radius-rd1] radius-server authentication 192.168.7.249 1812 weight 0
      [*BRAS1-radius-rd1] radius-server accounting 192.168.7.249 1813 weight 0
      [*BRAS1-radius-rd1] radius-server type standard
      [*BRAS1-radius-rd1] radius-server shared-key-cipher Root@1234
      [*BRAS1-radius-rd1] radius-attribute include hw-auth-type
      [*BRAS1-radius-rd1] radius-server attribute translate
      [*BRAS1-radius-rd1] radius-attribute translate extend hw-auth-type vendor-specific 2011 109 access-request account
      [*BRAS1-radius-rd1] commit
      [~BRAS1-radius-rd1] quit

      # Configure a RADIUS server group named rd2.

      [~BRAS1] radius-server group rd2
      [*BRAS1-radius-rd2] radius-server authentication 192.168.8.249 1812 weight 0
      [*BRAS1-radius-rd2] radius-server accounting 192.168.8.249 1813 weight 0
      [*BRAS1-radius-rd2] radius-server type standard
      [*BRAS1-radius-rd2] radius-server shared-key-cipher Root@1234
      [*BRAS1-radius-rd2] commit
      [~BRAS1-radius-rd2] quit

      # Create an authentication scheme named mac-auth, and configure the device to redirect users to the web pre-authentication domain web-auth upon authentication failures.

      [~BRAS1] aaa
      [*BRAS1-aaa] authentication-scheme mac-auth
      [*BRAS1-aaa-authen-mac-auth] authening authen-fail online authen-domain web-auth
      [*BRAS1-aaa-authen-mac-auth] commit
      [~BRAS1-aaa-authen-mac-auth] quit

      # Set the authentication mode of the authentication scheme auth2 to RADIUS authentication so that the authentication scheme can be bound to the authentication domain after-auth for user authentication.

      [~BRAS1] aaa
      [*BRAS1-aaa] authentication-scheme auth2
      [*BRAS1-aaa-authen-auth2] authentication-mode radius
      [*BRAS1-aaa-authen-auth2] commit
      [~BRAS1-aaa-authen-auth2] quit

      # Set the accounting mode of the accounting scheme acct2 to RADIUS accounting so that the accounting scheme can be bound to the authentication domain after-auth for user accounting.

      [~BRAS1-aaa] accounting-scheme acct2
      [*BRAS1-aaa-accounting-acct2] accounting-mode radius
      [*BRAS1-aaa-accounting-acct2] commit
      [~BRAS1-aaa-accounting-acct2] quit
      [~BRAS1-aaa] quit

      # Set the authentication mode of the authentication scheme auth3 to none authentication so that the authentication scheme can be bound to the web pre-authentication domain web-auth. Users in this domain can access only the web authentication page.

      [~BRAS1] aaa
      [*BRAS1-aaa] authentication-scheme auth3
      [*BRAS1-aaa-authen-auth3] authentication-mode none
      [*BRAS1-aaa-authen-auth3] commit
      [~BRAS1-aaa-authen-auth3] quit

      # Set the accounting mode of the accounting scheme acct3 to none accounting so that the accounting scheme can be bound to the web pre-authentication domain web-auth. No accounting is performed for users in this domain.

      [~BRAS1-aaa] accounting-scheme acct3
      [*BRAS1-aaa-accounting-acct3] accounting-mode none
      [*BRAS1-aaa-accounting-acct3] commit
      [~BRAS1-aaa-accounting-acct3] quit
      [~BRAS1-aaa] quit
    3. Configure an address pool.

      [~BRAS1] ip pool pool2 bas local
      [*BRAS1-ip-pool-pool2] gateway 172.16.1.1 255.255.255.0
      [*BRAS1-ip-pool-pool2] section 0 172.16.1.2 172.16.1.200
      [*BRAS1-ip-pool-pool2] dns-server 192.168.8.252
      [*BRAS1-ip-pool-pool2] commit
      [~BRAS1-ip-pool-pool2] quit
    4. Enable MAC authentication in the MAC authentication domain mac-auth, and bind the RADIUS server group rd1 and authentication scheme mac-auth to the domain.

      [~BRAS1] aaa
      [~BRAS1-aaa] domain mac-auth
      [*BRAS1-aaa-domain-mac-auth] radius-server group rd1
      [*BRAS1-aaa-domain-mac-auth] authentication-scheme mac-auth
      [*BRAS1-aaa-domain-mac-auth] accounting-scheme acct2
      [*BRAS1-aaa-domain-mac-auth] ip-pool pool2
      [*BRAS1-aaa-domain-mac-auth] mac-authentication enable
      [*BRAS1-aaa-domain-mac-auth] commit
      [~BRAS1-aaa-domain-mac-auth] quit
    5. Configure a web pre-authentication domain named web-auth to allow users in this domain to have access only to the web authentication page. Then, bind the authentication scheme auth3 (none authentication) and accounting scheme acct3 (none accounting) to this domain.

      # Configure a web pre-authentication domain named web-auth.

      [~BRAS1] user-group web-before
      [~BRAS1] aaa
      [*BRAS1-aaa] http-redirect enable
      [~BRAS1-aaa] domain web-auth
      [*BRAS1-aaa-domain-web-auth] authentication-scheme auth3
      [*BRAS1-aaa-domain-web-auth] accounting-scheme acct3
      [*BRAS1-aaa-domain-web-auth] ip-pool pool2
      [*BRAS1-aaa-domain-web-auth] user-group web-before
      [*BRAS1-aaa-domain-web-auth] web-server 192.168.8.251
      [*BRAS1-aaa-domain-web-auth] web-server url http://192.168.8.251
      [*BRAS1-aaa-domain-web-auth] commit

      # Configure keywords of customized portal attributes.

      [~BRAS1-aaa-domain-web-auth] web-server redirect-key mscg-ip mscgip
      [*BRAS1-aaa-domain-web-auth] web-server redirect-key mscg-name mscgname
      [*BRAS1-aaa-domain-web-auth] web-server redirect-key user-ip-address userip
      [*BRAS1-aaa-domain-web-auth] web-server redirect-key nas-logic-sysname nasname
      [*BRAS1-aaa-domain-web-auth] web-server redirect-key user-mac-address usermac
      [*BRAS1-aaa-domain-web-auth] web-server redirect-key ssid wlan
      [*BRAS1-aaa-domain-web-auth] commit
      [~BRAS1-aaa-domain-web-auth] quit
      [~BRAS1-aaa] quit

      # Configure a web authentication server.

      [~BRAS1] web-auth-server 192.168.8.251 key simple webvlan
      [*BRAS1] commit
    6. Configure an authentication domain named after-auth.

      [~BRAS1] aaa
      [~BRAS1-aaa] domain after-auth
      [*BRAS1-aaa-domain-after-auth] authentication-scheme auth2
      [*BRAS1-aaa-domain-after-auth] accounting-scheme acct2
      [*BRAS1-aaa-domain-after-auth] radius-server group rd2
      [*BRAS1-aaa-domain-after-auth] commit
      [~BRAS1-aaa-domain-after-auth] quit
      [~BRAS1-aaa] quit
    7. Configure ACL rules.

      # Configure an ACL numbered 6004 and create ACL rules to match all traffic from the user group web-before, so that the traffic can be denied access to the network.

      [~BRAS1] acl number 6004
      [*BRAS1-acl-ucl-6004] rule 3 permit ip source user-group web-before destination user-group web-before
      [*BRAS1-acl-ucl-6004] rule 5 permit ip source user-group web-before destination ip-address any
      [~BRAS1-acl-ucl-6004] quit

      # Configure an ACL numbered 6005 and create ACL rules to match traffic between the user group web-before and the web authentication and DNS servers, so that the traffic can pass through.

      [~BRAS1] acl number 6005
      [*BRAS1-acl-ucl-6005] rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
      [*BRAS1-acl-ucl-6005] rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
      [*BRAS1-acl-ucl-6005] rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
      [*BRAS1-acl-ucl-6005] rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
      [*BRAS1-acl-ucl-6005] rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
      [*BRAS1-acl-ucl-6005] rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
      [~BRAS1-acl-ucl-6005] quit

      # Configure an ACL numbered 6006 and create an ACL rule to match all traffic destined for the user group web-before, so that the traffic can be denied access to the network.

      [~BRAS1] acl number 6006
      [*BRAS1-acl-ucl-6006] rule 5 permit ip destination user-group web-before
      [~BRAS1-acl-ucl-6006] quit

      # Configure an ACL numbered 6008 and create ACL rules to match TCP packets from the user group web-before and with a destination port of www or 8080, so that the packets can be redirected to a web authentication server address.

      [~BRAS1] acl number 6008
      [*BRAS1-acl-ucl-6008] rule 5 permit tcp source user-group web-before destination-port eq www
      [*BRAS1-acl-ucl-6008] rule 10 permit tcp source user-group web-before destination-port eq 8080
      [~BRAS1-acl-ucl-6008] quit
    8. Configure traffic classifiers.

      [~BRAS1] traffic classifier web-out
      [*BRAS1-classifier-web-out] if-match acl 6006
      [*BRAS1-classifier-web-out] quit
      [*BRAS1] traffic classifier web-be-permit
      [*BRAS1-classifier-web-be-permit] if-match acl 6005
      [*BRAS1-classifier-web-be-permit] quit
      [*BRAS1] traffic classifier http-before
      [*BRAS1-classifier-http-before] if-match acl 6010
      [*BRAS1-classifier-http-before] quit
      [*BRAS1] traffic classifier web-be-deny
      [*BRAS1-classifier-web-be-deny] if-match acl 6004
      [*BRAS1-classifier-web-be-deny] quit
      [*BRAS1] traffic classifier redirect
      [*BRAS1-classifier-redirect] if-match acl 6008
      [*BRAS1-classifier-redirect] quit
    9. Configure traffic behaviors.

      [*BRAS1] traffic behavior http-discard
      [*BRAS1-behavior-http-discard] car cir 0 cbs 0 green pass red discard
      [*BRAS1-behavior-http-discard] quit
      [*BRAS1] traffic behavior web-out
      [*BRAS1-behavior-web-out] deny
      [*BRAS1-behavior-web-out] quit
      [*BRAS1] traffic behavior perm1
      [*BRAS1-behavior-perm1] permit
      [*BRAS1-behavior-perm1] quit
      [*BRAS1] traffic behavior deny1
      [*BRAS1-behavior-deny1] deny
      [*BRAS1-behavior-deny1] quit
      [*BRAS1] traffic behavior redirect
      [*BRAS1-behavior-redirect] http-redirect plus
      [*BRAS1-behavior-redirect] quit
    10. Configure and apply traffic policies.

      # Configure traffic policies.

      [*BRAS1] traffic policy web-out
      [*BRAS1-policy-web-out] share-mode
      [*BRAS1-policy-web-out] classifier web-be-permit behavior perm1
      [*BRAS1-policy-web-out] classifier web-out behavior web-out
      [*BRAS1-policy-web-out] quit
      [*BRAS1] traffic policy web
      [*BRAS1-policy-web] share-mode
      [*BRAS1-policy-web] classifier web-be-permit behavior perm1
      [*BRAS1-policy-web] classifier http-before behavior http-discard
      [*BRAS1-policy-web] classifier redirect behavior redirect
      [*BRAS1-policy-web] classifier web-be-deny behavior deny1
      [*BRAS1-policy-web] commit
      [~BRAS1-policy-web] quit

      # Apply the traffic policies globally.

      [~BRAS1] traffic-policy web inbound
      [*BRAS1] traffic-policy web-out outbound
      [*BRAS1] commit
    11. In the AAA view, configure the device to use the MAC address carried in Access-Request packets as the pure username.

      [~BRAS1] aaa
      [~BRAS1-aaa] default-user-name include mac-address -
      [*BRAS1-aaa] default-password cipher Root@123
      [*BRAS1-aaa] commit
      [~BRAS1-aaa] quit
    12. Configure the access type of the BAS interface.

      [~BRAS1] license
      [*BRAS1-license] active bas slot 1
      [*BRAS1-license] commit
      [~BRAS1-license] quit
      [~BRAS1] interface GigabitEthernet0/3/6.2
      [~BRAS1-GigabitEthernet0/3/6.2] user-vlan 5
      [*BRAS1-GigabitEthernet0/3/6.2] bas
      [*BRAS1-GigabitEthernet0/3/6.2-bas] access-type layer2-subscriber default-domain pre-authentication mac-auth authentication after-auth
      [*BRAS1-GigabitEthernet0/3/6.2-bas] authentication-method web
      [*BRAS1-GigabitEthernet0/3/6.2-bas] commit
      [~BRAS1-GigabitEthernet0/3/6.2-bas] quit
      [~BRAS1-GigabitEthernet0/3/6.2] quit

  6. Specify the source IP address of portal packets to be sent to the web authentication server.

    NOTE:

    The configurations on BRAS2 are similar to those on BRAS1. For details about configurations on BRAS2, see the configuration file of BRAS2.

    # In the view of the RBS s1, configure the source IP address of portal packets to be sent to the web authentication server as 192.168.8.252.

    [~BRAS1] remote-backup-service s1
     [*BRAS1-rm-backup-srv-s1] web-auth-server source 192.168.8.252
     [*BRAS1-rm-backup-srv-s1] commit
     [~BRAS1-rm-backup-srv-s1] quit

  7. Verify the configuration.

    # Check the RBS configuration on BRAS1. The command output shows that the TCP connection state (TCP-State) of the RBS is Connected.

    <BRAS1> display remote-backup-service s1
    ----------------------------------------------------------
      Service-Index    : 1
      Service-Name     : s1
      TCP-State        : Connected
      Peer-ip          : 10.32.1.2
      Source-ip        : 10.32.1.1
      TCP-Port         : 11000
      Track-BFD        : -
      SSL-Policy-Name  : --
      SSL-State        : --
      Last up time     : 2019-03-06 09:03:59
      Last down time   : 2019-03-06 06:28:37
      Last down reason : TCP closed for echo time out
      Uplink state     : 2 (1:DOWN 2:UP)
      Domain-map-list  : --
     ----------------------------------------------------------
      ip pool:  
      ipv6 pool:  
      NULL0 Static route tag:
      Failure ratio    : 100%
      Failure duration : 0 min
     ----------------------------------------------------------
      Rbs-ID         : 0
      Peer-ip        : 10.1.1.2
      Vrfid          : 0
      Tunnel-state   : UP
      Tunnel-OperFlag: NORMAL
      Spec-interface : Null
      Total users    : 1
      Path 1:
          Tunnel-index   : 0x4c4b42
          Tunnel-index-v6: 0x4c4b42
          Out-interface  : GigabitEthernet3/0/1
          Vc-lable       : 48210
          Vc-lable-v6    : 48211
          User-number    : --
          Public-Lsp-Load: TRUE
     ----------------------------------------------------------
      Rbs-ID         : 0
      Protect-type   : public(LSP)
      Peer-ip        : 10.1.1.2
      Vrfid          : 4294967295
      Tunnel-state   : UP
      Tunnel-OperFlag: NORMAL
      Spec-interface : Null
      Total users    : 0
      Path 1:
          Tunnel-index   : 0x4c4b42
          Tunnel-index-v6: 0x0
          Out-interface  : GigabitEthernet3/0/1
          Vc-lable       : 4294967295
          Vc-lable-v6    : 4294967295
          User-number    : --
          Public-Lsp-Load: TRUE

    # Check the RBP configuration on BRAS1. The command output shows that the state of the local end is Master and that of the peer end is Slave.

    <BRAS1> display remote-backup-profile p1
    ----------------------------------------------------------
      Profile-Index        : 0x1000
      Profile-Name         : p1
      Service              : bras 
      Remote-backup-service: s1
      Backup-ID            : 1
      track protocol       : VRRP
      VRRP-ID              : 1
      VRRP-Interface       : GigabitEthernet0/3/6.1
      Access-Control       : --
      State                : Master
      Peer State           : Slave
      Interface            :
                             GigabitEthernet0/3/6.2
      Backup mode          : hot
      Slot-Number          : 3
      Card-Number          : 0
      Port-Number          : 6
      Traffic threshold       : 50(MB)
      Traffic interval       : 10(minutes)
      Forwarding Configured: Slave Forwarding 
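The following Python script is an added example and not Huawei's code. It parses configuration files in the format shown under Configuration files and checks the settings that the two devices of a hot-backup pair must mirror: RBS peer/source addresses and port, the protection-tunnel peer-ip against the other device's LoopBack1, backup-id, hot mode, the tracked VRRP group and virtual IP, and distinct VRRP priorities. The embedded excerpts are constructed from this page; BRAS2's protect-tunnel peer-ip is deliberately left at its own LoopBack1 address so that the check fires, and device_facts and check_pair are hypothetical names.

```python
"""Consistency checks for the BRAS1/BRAS2 hot-backup pair configured on this page."""
import re

# Constructed excerpts in the configuration-file format shown on this page.
# BRAS2 is derived from BRAS1 by swapping the mirrored values; its protect-tunnel
# peer-ip is deliberately left at 10.1.1.2 (its own LoopBack1) so a check fires.
BRAS1_CFG = """\
#
 sysname BRAS1
#
 remote-backup-service s1
  peer 10.32.1.2 source 10.32.1.1 port 11000
  protect lsp-tunnel for-all-instance peer-ip 10.1.1.2
#
 remote-backup-profile p1
  backup-id 1 remote-backup-service s1
  peer-backup hot
  vrrp-id 1 interface GigabitEthernet0/3/6.1
#
 interface GigabitEthernet0/3/6.1
  ip address 10.24.0.1 255.255.255.0
  vrrp vrid 1 virtual-ip 10.24.0.100
  vrrp vrid 1 priority 120
#
 interface LoopBack1
  ip address 10.1.1.1 255.255.255.255
#
 return
"""
BRAS2_CFG = (BRAS1_CFG.replace("BRAS1", "BRAS2")
             .replace("peer 10.32.1.2 source 10.32.1.1", "peer 10.32.1.1 source 10.32.1.2")
             .replace("10.24.0.1 ", "10.24.0.2 ").replace("priority 120", "priority 110")
             .replace("ip address 10.1.1.1 ", "ip address 10.1.1.2 "))
BRAS2_CFG_FIXED = BRAS2_CFG.replace("peer-ip 10.1.1.2", "peer-ip 10.1.1.1")   # corrected form


def parse_sections(cfg: str) -> dict[str, list[str]]:
    """Map each top-level block (one leading space) to its indented child lines."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in cfg.splitlines():
        text = raw.strip()
        if text in ("", "#", "return"):
            continue
        if len(raw) - len(raw.lstrip()) <= 1:          # block header line
            current, sections[text] = text, []
        elif current is not None:
            sections[current].append(text)
    return sections


def _grab(lines, pattern):
    """First line matching the pattern, as a match object (None if absent)."""
    return next((m for m in (re.match(pattern, ln) for ln in lines) if m), None)


def device_facts(cfg: str) -> dict:
    """Collect the settings that the two devices of the pair must agree on."""
    s = parse_sections(cfg)
    block = lambda prefix: next((v for k, v in s.items() if k.startswith(prefix)), [])
    f = {"sysname": next(k for k in s if k.startswith("sysname ")).split()[1]}
    rbs, rbp = block("remote-backup-service "), block("remote-backup-profile ")
    m = _grab(rbs, r"peer (\S+) source (\S+) port (\d+)")
    f["peer"], f["source"], f["port"] = m.group(1), m.group(2), int(m.group(3))
    m = _grab(rbs, r"protect lsp-tunnel for-all-instance peer-ip (\S+)")
    f["protect_peer"] = m.group(1) if m else None
    f["backup_id"] = int(_grab(rbp, r"backup-id (\d+)").group(1))
    f["backup_mode"] = _grab(rbp, r"peer-backup (\S+)").group(1)
    m = _grab(rbp, r"vrrp-id (\d+) interface (\S+)")
    f["vrrp_id"], vrrp_if = int(m.group(1)), m.group(2)
    f["loopback"] = _grab(block("interface LoopBack1"), r"ip address (\S+)").group(1)
    ifc = s.get("interface " + vrrp_if, [])
    m = _grab(ifc, rf"vrrp vrid {f['vrrp_id']} virtual-ip (\S+)")
    f["vip"] = m.group(1) if m else None
    m = _grab(ifc, rf"vrrp vrid {f['vrrp_id']} priority (\d+)")
    f["priority"] = int(m.group(1)) if m else 100      # VRRP default priority
    return f


def check_pair(cfg_a: str, cfg_b: str) -> list[str]:
    """Return findings; an empty list means the pair mirrors correctly."""
    a, b = device_facts(cfg_a), device_facts(cfg_b)
    findings: list[str] = []
    # RBS channel: each end's peer must be the other's source, on the same TCP port
    if not (a["peer"] == b["source"] and b["peer"] == a["source"]):
        findings.append(f"RBS peer/source not mirrored between {a['sysname']} and {b['sysname']}")
    if a["port"] != b["port"]:
        findings.append(f"RBS port mismatch: {a['port']} vs {b['port']}")
    # The protection tunnel must terminate on the OTHER device's LoopBack1
    for x, y in ((a, b), (b, a)):
        if x["protect_peer"] != y["loopback"]:
            findings.append(f"{x['sysname']}: protect lsp-tunnel peer-ip {x['protect_peer']} "
                            f"should be {y['sysname']} LoopBack1 {y['loopback']}")
    # RBP: same backup-id, same tracked VRRP group and virtual IP, hot mode on both
    for key in ("backup_id", "vrrp_id", "vip"):
        if a[key] != b[key] or a[key] is None:
            findings.append(f"{key} differs: {a[key]} vs {b[key]}")
    if not (a["backup_mode"] == b["backup_mode"] == "hot"):
        findings.append("peer-backup must be hot on both devices for user entries to be synchronised")
    if a["priority"] == b["priority"]:
        findings.append("VRRP priorities equal: master election would fall back to IP address comparison")
    return findings
```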
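As an added example (not Huawei's or any RADIUS library's code), the following Python encodes the Access-Request that step 5 configures the BRAS to send to server group rd1 and the Access-Accept that comes back: User-Name is the terminal MAC address with the "-" separator, User-Password carries the default password hidden with the RFC 2865 method under the shared key Root@1234, and HW-Auth-Type is carried as a Vendor-Specific attribute with vendor-id 2011 and vendor-type 109. The octet-by-octet MAC grouping, the HW-Auth-Type value b"\x01", the NAS-IP-Address and all function names are assumptions.

```python
"""RADIUS Access-Request/Access-Accept round trip for the MAC-authentication domain on this page."""
import hashlib
import hmac
import os
import struct

SHARED_KEY = b"Root@1234"        # shared key of server group rd1 on this page
DEFAULT_PASSWORD = b"Root@123"   # default-password from the AAA view on this page
HUAWEI_VENDOR_ID = 2011
HW_AUTH_TYPE_VSA = 109           # vendor-type that rd1 translates HW-Auth-Type into
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26


def mac_username(mac: bytes, separator: str = "-") -> str:
    """Pure username built from the MAC; '-' is the separator configured on this page.
    Octet-by-octet grouping is an assumption about how the device renders it."""
    return separator.join(f"{b:02x}" for b in mac)


def hide_password(password: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def huawei_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): Vendor-Id 2011, then vendor-type, vendor-length, value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", HUAWEI_VENDOR_ID) + inner)


def build_access_request(ident: int, authenticator: bytes, mac: bytes,
                         nas_ip: str, hw_auth_type: bytes) -> bytes:
    """BRAS side: the packet sent to the rd1 authentication server on port 1812."""
    attrs = attr(USER_NAME, mac_username(mac).encode())
    attrs += attr(USER_PASSWORD, hide_password(DEFAULT_PASSWORD, authenticator, SHARED_KEY))
    attrs += attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += huawei_vsa(HW_AUTH_TYPE_VSA, hw_auth_type)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(packet: bytes) -> dict:
    """Return {type: value} after the 20-byte header; a VSA becomes (vendor_id, vendor_type, data)."""
    out, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        value = packet[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            value = (vendor_id, value[4], value[6:4 + value[5]])
        out[atype] = value
        i += alen
    return out


def build_access_accept(ident: int, request_authenticator: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    digest = hashlib.md5(head + request_authenticator + attrs + SHARED_KEY).digest()
    return head + digest + attrs


def verify_response(packet: bytes, request_authenticator: bytes) -> bool:
    """BRAS side: a reply under another key, or not bound to our request, fails this check."""
    head, given, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_authenticator + attrs + SHARED_KEY).digest()
    return hmac.compare_digest(expected, given)


def demo(mac: bytes = bytes.fromhex("0011223344aa"), ident: int = 7) -> dict:
    """Constructed round trip: BRAS request, server decode, server accept, BRAS verify."""
    req_auth = os.urandom(16)                        # Request Authenticator, fresh per request
    # 10.1.1.1 (BRAS1 LoopBack1) as NAS-IP-Address and b"\x01" as HW-Auth-Type are assumptions
    request = build_access_request(ident, req_auth, mac, "10.1.1.1", b"\x01")
    attrs = parse_attrs(request)
    server_view = {"user": attrs[USER_NAME].decode(),
                   "password": reveal_password(attrs[USER_PASSWORD], req_auth, SHARED_KEY),
                   "hw_auth_type": attrs[VENDOR_SPECIFIC]}
    accept = build_access_accept(ident, req_auth)
    forged = build_access_accept(ident, os.urandom(16))   # not bound to our Request Authenticator
    return {"server_view": server_view, "accept_ok": verify_response(accept, req_auth),
            "forged_ok": verify_response(forged, req_auth)}
```

Note that in this scheme the MAC address is both the username and, via the shared default password, the whole credential, so the Access-Accept check in verify_response is the only integrity the BRAS gets on the reply.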

Configuration files

  • BRAS1 configuration file

    #
     sysname BRAS1
     #
     vlan batch 5 400
     #
     user-group web-before
     #
     radius-server group rd2
      radius-server shared-key-cipher %^%#0Iy%9Gu1),kLlP/jw;X-AOiZD%{YoCH<RC(P*>^5%^%#    
      radius-server authentication 192.168.8.249 1812 weight 0
      radius-server accounting 192.168.8.249 1813 weight 0
     #               
     radius-server group rd1
      radius-server shared-key-cipher %^%#)';d7xr::-'Nq3)5BO|-:WVZ7$|Tt,7rbP&tz\()%^%#    
      radius-server authentication 192.168.7.249 1812 weight 0
      radius-server accounting 192.168.7.249 1813 weight 0
      radius-attribute include HW-Auth-Type
      radius-server attribute translate
      radius-server attribute translate extend HW-Auth-Type vendor-specific 2011 109 access-request account
     #
     soc
     #
     ip dcn vpn-instance __dcn_vpn__
      ipv4-family
     #
     mpls lsr-id 10.1.1.1
     #
     mpls
     #
     mpls ldp
     #
     ipv4-family
     #               
     ip pool pool2 bas local
      gateway 172.16.1.1 255.255.255.0
      dns-server 192.168.8.252
     #
     remote-backup-service s1
      peer 10.32.1.2 source 10.32.1.1 port 11000
      protect lsp-tunnel for-all-instance peer-ip 10.1.1.2
      web-auth-server source 192.168.8.252
     #
     remote-backup-profile p1
      service-type bras
      backup-id 1 remote-backup-service s1
      peer-backup hot
      vrrp-id 1 interface GigabitEthernet0/3/6.1
     #
     acl number 6004
      rule 3 permit ip source user-group web-before destination user-group web-before
      rule 5 permit ip source user-group web-before destination ip-address any
     #
     acl number 6005
      rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
      rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
      rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
      rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
      rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
      rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
     #
     acl number 6006
      rule 5 permit ip destination user-group web-before
     #
     acl number 6008
      rule 5 permit tcp source user-group web-before destination-port eq www
      rule 10 permit tcp source user-group web-before destination-port eq 8080
     #
     traffic classifier redirect operator or
      if-match acl 6008
     #
     traffic classifier web-be-deny operator or
      if-match acl 6004
     #
     traffic classifier web-be-permit operator or
      if-match acl 6005
     #
     traffic classifier web-out operator or
      if-match acl 6006
     #
     traffic behavior deny1
      deny
     #
     traffic behavior http-discard
      car cir 0 cbs 0 green pass red discard
     #
     traffic behavior perm1
     #
     traffic behavior redirect
      http-redirect
     #
     traffic behavior web-out
      deny
     #               
     traffic policy web
      share-mode
      classifier web-be-permit behavior perm1 precedence 1
      classifier http-before behavior http-discard precedence 2
      classifier redirect behavior redirect precedence 3
      classifier web-be-deny behavior deny1 precedence 4
     #
     traffic policy web-out
      share-mode
      classifier web-be-permit behavior perm1 precedence 1
      classifier web-out behavior web-out precedence 2
     #
     aaa
      http-redirect enable
      default-user-name include mac-address - 
      #
      authentication-scheme mac-auth
       authening authen-fail online authen-domain web-auth
      #
      authentication-scheme auth2
      #
      authentication-scheme auth3
       authentication-mode none
      #
      accounting-scheme acct2
      #
      accounting-scheme acct3
       accounting-mode none
      #
      domain mac-auth
       authentication-scheme mac-auth
       accounting-scheme acct2
       radius-server group rd1
       ip-pool pool2
       mac-authentication enable
      #
      domain web-auth
       authentication-scheme auth3
       accounting-scheme acct3
       ip-pool pool2 
       user-group web-before
       web-server 192.168.8.251
       web-server url http://192.168.8.251
       web-server redirect-key mscg-ip mscgip
       web-server redirect-key mscg-name mscgname
       web-server redirect-key user-ip-address userip
       web-server redirect-key nas-logic-sysname nasname
       web-server redirect-key user-mac-address usermac
       web-server redirect-key ssid wlan
      #
      domain after-auth
       authentication-scheme auth2
       accounting-scheme acct2
       radius-server group rd2
     #
     interface GigabitEthernet0/3/6.1
      vlan-type dot1q 400
      ip address 10.24.0.1 255.255.255.0
      vrrp vrid 1 virtual-ip 10.24.0.100
      vrrp vrid 1 priority 120
     #               
     interface GigabitEthernet0/3/6.2
      statistic enable
      user-vlan 5
      remote-backup-profile p1
      bas
      #
       access-type layer2-subscriber default-domain pre-authentication mac-auth authentication after-auth
       authentication-method web
      #
     #
     interface GigabitEthernet0/3/1
      undo shutdown
      ip address 10.32.1.1 255.255.255.0
      mpls
      mpls ldp
      dcn
     #
     interface LoopBack1
      ip address 10.1.1.1 255.255.255.255
     #
     ospf 1
      default cost inherit-metric
      import-route unr
      area 0.0.0.0
       network 10.1.1.1 0.0.0.0
       network 10.32.1.1 0.0.0.255
     #
     ospf 65534 vpn-instance __dcn_vpn__
      description DCN ospf create by default
      opaque-capability enable
      hostname
      vpn-instance-capability simple
      area 0.0.0.0
       network 0.0.0.0 255.255.255.255
     #
     route-policy rui permit node 1
      if-match ip-prefix 192
      apply cost 10
     #
     ip ip-prefix 192 index 10 permit 192.87.1.0 24
     #
     traffic-policy web inbound
     traffic-policy web-out outbound
     #
     return
  • BRAS2 configuration file

    #
     sysname BRAS2
     #
     vlan batch 5 400
     #
     user-group web-before
     #
     radius-server group rd2
      radius-server shared-key-cipher %^%#EQ0X4:387-4{QP9I,j.Dbx1rRedx2PO.j]HJZW1Y%^%#    
      radius-server authentication 192.168.8.249 1812 weight 0
      radius-server accounting 192.168.8.249 1813 weight 0
     #               
     radius-server group rd1
      radius-server shared-key-cipher %^%#3~8T2}\sbBuWA|)^$>07yX78&.Q(W3DG$p"|h`NH%^%#    
      radius-server authentication 192.168.7.249 1812 weight 0
      radius-server accounting 192.168.7.249 1813 weight 0
      radius-attribute include HW-Auth-Type
      radius-server attribute translate
      radius-server attribute translate extend HW-Auth-Type vendor-specific 2011 109 access-request account
     #
     soc
     #
     ip dcn vpn-instance __dcn_vpn__
      ipv4-family
     #
     mpls lsr-id 10.1.1.2
     #
     mpls
     #
     mpls ldp
     #
     ipv4-family
     #
     ip pool pool2 bas local rui-slave
      gateway 172.16.1.1 255.255.255.0
      # LOCAL        
       section 0 172.16.1.2 172.16.1.200 
       dns-server 192.168.8.252
      # REMOTE 
     #
     remote-backup-service s1
      peer 10.32.1.1 source 10.32.1.2 port 11000
       protect lsp-tunnel for-all-instance peer-ip 10.1.1.1
      web-auth-server source 192.168.8.252
     #
     remote-backup-profile p1
      service-type bras
      backup-id 1 remote-backup-service s1
      peer-backup hot
      vrrp-id 1 interface GigabitEthernet0/3/6.1
     #
     acl number 6004
      rule 3 permit ip source user-group web-before destination user-group web-before
      rule 5 permit ip source user-group web-before destination ip-address any
     #
     acl number 6005
      rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
      rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
      rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
      rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
      rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
      rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
     #
     acl number 6006
      rule 5 permit ip destination user-group web-before
     #
     acl number 6008
      rule 5 permit tcp source user-group web-before destination-port eq www
      rule 10 permit tcp source user-group web-before destination-port eq 8080
     #
     traffic classifier redirect operator or
      if-match acl 6008
     #
     traffic classifier web-be-deny operator or
      if-match acl 6004
     #
     traffic classifier web-be-permit operator or
      if-match acl 6005
     #
     traffic classifier web-out operator or
      if-match acl 6006
     #
     traffic behavior deny1
      deny
     #
     traffic behavior http-discard
      car cir 0 cbs 0 green pass red discard
     #
     traffic behavior perm1
     #
     traffic behavior redirect
      http-redirect
     #
     traffic behavior web-out
      deny
     #
     traffic policy web
      share-mode
      classifier web-be-permit behavior perm1 precedence 1
      classifier http-before behavior http-discard precedence 2
      classifier redirect behavior redirect precedence 3
      classifier web-be-deny behavior deny1 precedence 4
     #               
     traffic policy web-out
      share-mode
      classifier web-be-permit behavior perm1 precedence 1
      classifier web-out behavior web-out precedence 2
     #
     aaa
      http-redirect enable
      default-user-name include mac-address - 
      #
      authentication-scheme auth2
      #
      authentication-scheme auth3
       authentication-mode none
      #
      authentication-scheme mac-auth
       authening authen-fail online authen-domain web-auth
      #
      accounting-scheme acct2
      #
      accounting-scheme acct3
       accounting-mode none
      #
      domain mac-auth
       authentication-scheme mac-auth
       accounting-scheme acct2
       radius-server group rd1
       ip-pool pool2
       mac-authentication enable
      #
      domain web-auth
       authentication-scheme auth3
       accounting-scheme acct3
       ip-pool pool2
       user-group web-before
       web-server 192.168.8.251
       web-server url http://192.168.8.251
       web-server redirect-key mscg-ip mscgip
       web-server redirect-key mscg-name mscgname
       web-server redirect-key user-ip-address userip
       web-server redirect-key nas-logic-sysname nasname
       web-server redirect-key user-mac-address usermac
       web-server redirect-key ssid wlan
      #
      domain after-auth
       authentication-scheme auth2
       accounting-scheme acct2
       radius-server group rd2
     #
     interface LoopBack1
      ip address 10.1.1.2 255.255.255.255
     #
     #
     interface GigabitEthernet0/3/2
      undo shutdown  
      ip address 10.32.1.2 255.255.255.0
      mpls
      mpls ldp
      dcn
     #
     interface GigabitEthernet0/3/6.1
      vlan-type dot1q 400
      ip address 10.24.0.2 255.255.255.0
      vrrp vrid 1 virtual-ip 10.24.0.100
      vrrp vrid 1 priority 110
     #
     interface GigabitEthernet0/3/6.2
      statistic enable
      user-vlan 5
      remote-backup-profile p1
      bas
      #
       access-type layer2-subscriber default-domain pre-authentication mac-auth authentication after-auth
       authentication-method web
      #
     #
     ospf 1
      default cost inherit-metric
      import-route unr
      area 0.0.0.0
       network 10.1.1.2 0.0.0.0
       network 10.32.1.2 0.0.0.255
     #
     ospf 65534 vpn-instance __dcn_vpn__
      description DCN ospf create by default
      opaque-capability enable
      hostname
      vpn-instance-capability simple
      area 0.0.0.0
       network 0.0.0.0 255.255.255.255
     #
     ip ip-prefix 192 index 10 permit 192.87.1.0 24
     #
     web-auth-server 192.168.8.251 port 50100 key cipher %^%#aQL6,Ua<|@sxPQK/1f'4/GBJ6,6)q>$Z^7*,!2yR%^%# 
     #
     traffic-policy web inbound
     traffic-policy web-out outbound
     #
     return
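The pre-authentication walled garden in the two configuration files is built from four pieces that only make sense together: the ACLs that name user-group web-before, the traffic classifiers that wrap them, the behaviors (permit, redirect, discard, deny) and the precedence order inside traffic policy web and web-out. The script below is an added example, not part of the Huawei document: it copies the BRAS2 ACL rules verbatim and parses them, transcribes the classifier, behavior and policy bindings from the same file, and evaluates what a subscriber still in web-before can send and receive. It shows why precedence matters (HTTP to the portal 192.168.8.251 is permitted at precedence 1, so the http-redirect at precedence 3 never catches the portal itself), that HTTP to any other host is redirected, that everything else from web-before is denied, and that only the portal and DNS server may send traffic back to web-before. It also reports that policy web references a classifier http-before which this configuration file does not define, rather than guessing what it matched. Assumptions: addresses 172.16.1.50 and 172.16.1.51 are constructed sample subscribers from pool2, 203.0.113.10 is a constructed external host, the car cir 0 behavior is modelled as a plain discard, and only the rule syntax that appears on this page is handled.

```python
"""Pre-authentication walled-garden check. Added example, not part of the Huawei document:
the ACL rules are copied verbatim from the BRAS2 configuration above and parsed; the classifier,
behavior and policy bindings are transcribed by hand from the same file, in precedence order."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed input: ACL rules copied from the BRAS2 configuration file above.
ACL_CONFIG = """\
acl number 6004
 rule 3 permit ip source user-group web-before destination user-group web-before
 rule 5 permit ip source user-group web-before destination ip-address any
acl number 6005
 rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
 rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
 rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
 rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
 rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
 rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
acl number 6006
 rule 5 permit ip destination user-group web-before
acl number 6008
 rule 5 permit tcp source user-group web-before destination-port eq www
 rule 10 permit tcp source user-group web-before destination-port eq 8080
"""
# traffic classifier -> ACL, traffic behavior -> effect ('car cir 0 ... red discard' drops everything),
# traffic policy -> (classifier, behavior) steps in precedence order, all transcribed from the file above.
CLASSIFIERS = {"redirect": "6008", "web-be-deny": "6004", "web-be-permit": "6005", "web-out": "6006"}
BEHAVIORS = {"perm1": "permit", "http-discard": "discard", "redirect": "redirect", "deny1": "deny", "web-out": "deny"}
POLICIES = {
    "web": [("web-be-permit", "perm1"), ("http-before", "http-discard"), ("redirect", "redirect"), ("web-be-deny", "deny1")],
    "web-out": [("web-be-permit", "perm1"), ("web-out", "web-out")],
}
PORT_NAMES = {"www": 80}
RULE_RE = re.compile(
    r"rule \d+ permit (?P<proto>\w+)"
    r"(?: source (?P<src>user-group \S+|ip-address \S+ \S+))?"
    r"(?: destination (?P<dst>user-group \S+|ip-address any|ip-address \S+ \S+))?"
    r"(?: destination-port eq (?P<port>\S+))?$")

def _spec(text):
    """Address clause -> ('group', name) | ('any',) | ('addr', ip_int, wildcard_int); None if absent."""
    if text is None:
        return None
    kind, value, *wild = text.split()
    if kind == "user-group":
        return ("group", value)
    if value == "any":
        return ("any",)
    w = int(ipaddress.ip_address(wild[0])) if "." in wild[0] else int(wild[0])  # wildcard: "0" or dotted
    return ("addr", int(ipaddress.ip_address(value)), w)

def parse_acls(text):
    """{'6005': [(proto, src_spec, dst_spec, dport_or_None), ...], ...}"""
    acls, cur = {}, None
    for line in text.splitlines():
        if line.startswith("acl number "):
            cur = acls.setdefault(line.split()[2], [])
            continue
        m = RULE_RE.match(line.strip())
        assert m, f"unsupported rule syntax: {line}"
        port = None if m["port"] is None else PORT_NAMES.get(m["port"]) or int(m["port"])
        cur.append((m["proto"], _spec(m["src"]), _spec(m["dst"]), port))
    return acls

ACLS = parse_acls(ACL_CONFIG)

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str = "ip"     # "tcp" or "udp"
    dport: int = 0
    src_group: str = ""   # user-group of the sending subscriber ("" = in no group, e.g. already authenticated)
    dst_group: str = ""

def _addr_ok(spec, ip, group):
    if spec is None or spec[0] == "any":
        return True
    if spec[0] == "group":
        return group == spec[1]
    mask = ~spec[2] & 0xFFFFFFFF   # a set wildcard bit means "do not care"
    return (int(ipaddress.ip_address(ip)) & mask) == (spec[1] & mask)

def rule_matches(rule, pkt):
    proto, src, dst, port = rule
    return (proto in ("ip", pkt.proto) and (port is None or port == pkt.dport)
            and _addr_ok(src, pkt.src_ip, pkt.src_group) and _addr_ok(dst, pkt.dst_ip, pkt.dst_group))

def evaluate(policy, pkt):
    """Effect of a traffic policy on pkt: the first classifier (by precedence) whose ACL matches wins."""
    for cls, beh in POLICIES[policy]:
        acl = CLASSIFIERS.get(cls)   # None: the policy references a classifier that was never defined
        if acl and any(rule_matches(r, pkt) for r in ACLS[acl]):
            return BEHAVIORS[beh]
    return "permit"                  # unclassified traffic is not touched by the policy

def undefined_classifiers(policy):
    """Classifier names a policy references without a 'traffic classifier' block; those steps never match."""
    return [cls for cls, _ in POLICIES[policy] if cls not in CLASSIFIERS]
```

Call evaluate("web", Packet("172.16.1.50", "203.0.113.10", "tcp", 80, src_group="web-before")) to see the redirect, change the port to 443 to see the deny, and drop src_group to see that an authenticated subscriber (no longer in web-before) is untouched by the policy. If the walled garden ever needs another destination (a second portal, an OCSP responder), add it to ACL 6005 rather than to ACL 6008: a rule in 6008 would only redirect it, and a rule in 6004 would sit behind the redirect at precedence 4.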
Updated: 2019-05-16

Document ID: EDOC1000120969