Configuration Examples for NE and ME60 Routers in Typical Enterprise Scenarios 2.0

This document provides typical configuration examples for NE series routers.
Example for Configuring Common Web Authentication + DAA (Rate Limit)

This section describes how to configure common web authentication + DAA (rate limit).

Applicable Products and Versions

This configuration example applies to NE40E/ME60 series products running V800R008C00 or later.

Networking Requirements

The campus network shown in Figure 1-14 needs to meet the following requirements to allow students to access an extranet and implement rate limit and accounting:

  • Internet access: Students access BRASs over switches and access the portal server for user authentication.
  • Independent rate limit and accounting: Rate limit and accounting are required if a student wants to access an extranet (192.168.100.0/24). The RADIUS server delivers the DAA service to implement rate limit and accounting, with the bandwidth limited to 10 Mbit/s and the tariff level set to 1.
Figure 1-14  Networking for common web authentication + DAA (rate limit)

Configuration Roadmap

  1. Configure a AAA server.
  2. Configure a RADIUS server.
  3. Configure a web server.
  4. Configure an address pool.
  5. Enable the value-added service function.
  6. Configure a user group.
  7. Configure a DAA traffic policy and a common web authentication policy.
  8. Configure a QoS profile.
  9. Configure a DAA service policy.
  10. Configure an authentication domain.
  11. Configure a BAS interface.

Procedure

  1. Configure a AAA server.

    #
    aaa
     http-redirect enable
     authentication-scheme radius           //Configure a RADIUS authentication scheme.
     authentication-scheme none             //Configure an authentication scheme named none.
      authentication-mode none              //Set the authentication mode to none.
     #
     accounting-scheme radius               //Configure an accounting scheme.
     accounting-scheme none
      accounting-mode none
     #
    

  2. Configure a RADIUS server.

    #
    radius-server group radius
     radius-server authentication 192.168.8.249 1812 weight 0  //Configure a RADIUS authentication server.
     radius-server accounting 192.168.8.249 1813 weight 0      //Configure a RADIUS accounting server.
    #
    

  3. Configure a web server.

    #
    web-auth-server 192.168.8.251 port 50100 key simple huawei   //Configure the portal server IP address, port, and shared key (key simple stores the key in plain text).
    #
    

  4. Configure an address pool.

    #
    ip pool pool1 bas local
     gateway 10.100.100.1 255.255.255.0
     section 0 10.100.100.2 10.100.100.200
    #
    

  5. Enable the value-added service function.

    #
    value-added-service enable
    #
    

  6. Configure a user group.

    #
    user-group preweb                    //Configure a user group named preweb.
    user-group daa                       //Configure a user group named daa.
    #
    

  7. Configure a DAA traffic policy and a common web authentication policy.

    #     //Configure a UCL policy.
    acl number 6000
     rule 20 permit ip source user-group preweb destination ip-address 192.168.8.251 0
     rule 25 permit ip source ip-address 192.168.8.251 0 destination user-group preweb
    #
    acl number 6001
     rule 5 permit tcp source user-group preweb destination-port eq www
     rule 10 permit tcp source user-group preweb destination-port eq 8080
    #
    acl number 6002
     rule 5 permit ip source ip-address any destination user-group preweb
     rule 10 permit ip source user-group preweb destination ip-address any
    #
    acl number 6999
     rule 5 permit ip source user-group daa destination ip-address 192.168.100.0 0.0.0.255
     rule 10 permit ip source ip-address 192.168.100.0 0.0.0.255 destination user-group daa
    #       //Configure a traffic classifier.
    traffic classifier web-deny operator or    
     if-match acl 6002
    traffic classifier web-permit operator or
     if-match acl 6000
    traffic classifier daa operator or
     if-match acl 6999
    traffic classifier preweb operator or
     if-match acl 6001
    #                                      //Configure a traffic behavior.
    traffic behavior web-deny              //Configure a traffic behavior named web-deny.
     deny
    traffic behavior web-permit            //Configure a traffic behavior named web-permit.
    traffic behavior daa                   //Configure a traffic behavior named daa.
     traffic-statistic                     //Enable traffic statistics collection for the DAA service.
     car                                   //Enable traffic policing for the DAA service.
     tariff-level 1                        //Set the tariff level of the DAA service to 1.
    #
    traffic behavior preweb                //Configure a traffic behavior named preweb.
     http-redirect                         //Push web pages to the online PC user.
    #                                      //Configure a traffic policy and bind it to the traffic behavior and traffic classifier.
    traffic policy daa                     //Configure a traffic policy named daa.
     share-mode
     statistics enable
     classifier daa behavior daa
    traffic policy preweb                  //Configure a traffic policy named preweb.
     share-mode
     classifier web-permit behavior web-permit
     classifier preweb behavior preweb
     classifier web-deny behavior web-deny
    #                                      //Globally apply the traffic policy.
    accounting-service-policy daa          //Globally apply the traffic policy daa that distinguishes accounting based on destination addresses.
    traffic-policy preweb inbound          //Globally apply the traffic policy preweb.
    #
    

  8. Configure a QoS profile.

    #
    qos-profile 10M              
     car cir 10000 cbs 1870000 green pass red discard
    #
    

  9. Configure a DAA service policy.

    #
    value-added-service policy daa daa     //Configure a DAA service policy.
     accounting-scheme radius
     traffic-separate enable               //Exclude DAA service traffic from the user's overall accounting and rate limit.
     rate-limit-mode car outbound          //Configure CAR.
     tariff-level 1 qos-profile 10M        //Configure the tariff level and the corresponding QoS profile.
    #
    

  10. Configure an authentication domain.

    #
    aaa
     domain swjf                                         //Configure an authentication domain named swjf.
      authentication-scheme radius
      accounting-scheme radius
      radius-server group radius                         //Bind the domain to the RADIUS server group.
      ip-pool pool1
      value-added-service account-type radius radius     //Configure the DAA accounting mode as radius.
      value-added-service policy daa                     //Configure a DAA policy named daa.
      user-group daa                                     //Bind the domain to the user group daa.
     domain preweb                                       //Configure an authentication domain named preweb for DHCP and web authentication.
      authentication-scheme none
      accounting-scheme none
      ip-pool pool1
      user-group preweb                                  //Bind the domain to the user group preweb.
      web-server 192.168.8.251                           //Configure a web authentication server.
      web-server url http://192.168.8.251                //Configure the redirection URL for forcible web authentication in the domain.
    #
    

  11. Configure a BAS interface.

    #     //Configure a BAS interface.
    interface GigabitEthernet1/1/0
     bas
     #
      access-type layer2-subscriber default-domain pre-authentication preweb authentication swjf   //Configure the BAS interface as a common Layer 2 user interface. Configure a pre-authentication domain named preweb and an authentication domain named swjf.
      authentication-method web             //Configure the web authentication mode.
    #
    

  12. Verify the configuration.

    Run the display value-added-service user user-id command to view statistics about the value-added service for DAA users.
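
An offline check of the step 7 pre-authentication policy, added here as an example (not Huawei's code or a router feature): it parses ACLs 6000-6002 as shown on the page and reports which behavior of traffic policy preweb an upstream packet from a user group would hit. It assumes first-match evaluation in the listed classifier order and models only user-sourced rules; the function names and the 203.0.113.x addresses used to exercise it are constructed for illustration.

```python
import ipaddress
import re

# ACLs 6000-6002 copied from step 7 of the page.
CONFIG = """
acl number 6000
 rule 20 permit ip source user-group preweb destination ip-address 192.168.8.251 0
 rule 25 permit ip source ip-address 192.168.8.251 0 destination user-group preweb
acl number 6001
 rule 5 permit tcp source user-group preweb destination-port eq www
 rule 10 permit tcp source user-group preweb destination-port eq 8080
acl number 6002
 rule 5 permit ip source ip-address any destination user-group preweb
 rule 10 permit ip source user-group preweb destination ip-address any
"""
# Classifier order of "traffic policy preweb"; first match wins (assumption).
# web-permit = forward, preweb = http-redirect, web-deny = deny.
POLICY = [("6000", "web-permit"), ("6001", "preweb"), ("6002", "web-deny")]
# Only user-sourced (upstream) rules are modelled; the rest are skipped.
RULE = re.compile(r"rule \d+ permit (ip|tcp) source user-group (\S+)"
                  r"(?: destination ip-address (\S+)(?: (\S+))?)?"
                  r"(?: destination-port eq (\S+))?$")

def parse_acls(text):
    """Return {acl_number: [(proto, group, dst_net_or_None, port_or_None)]}."""
    acls, current = {}, None
    for line in map(str.strip, text.strip().splitlines()):
        if line.startswith("acl number"):
            current = acls.setdefault(line.split()[-1], [])
        elif (m := RULE.match(line)):
            proto, group, addr, wild, port = m.groups()
            net = None  # None = any destination
            if addr and addr != "any":
                wild = "0.0.0.0" if wild in (None, "0") else wild  # wildcard mask
                bits = 32 - bin(int(ipaddress.ip_address(wild))).count("1")
                net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
            port = (80 if port == "www" else int(port)) if port else None
            current.append((proto, group, net, port))
    return acls

def verdict(acls, group, dst_ip, proto="tcp", dport=None):
    """Behavior of the first matching classifier for an upstream packet."""
    dst = ipaddress.ip_address(dst_ip)
    for acl, behavior in POLICY:
        for r_proto, r_group, net, port in acls[acl]:
            hit = r_group == group and r_proto in ("ip", proto)
            if hit and (net is None or dst in net) and port in (None, dport):
                return behavior
    return "no-match"
```

With the page's rules, a preweb user's HTTPS or DNS traffic to any host other than 192.168.8.251 falls through to web-deny rather than being redirected, and a user in group daa matches none of the preweb classifiers.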

Updated: 2019-05-16

Document ID: EDOC1000120969
