S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Example for Configuring Accounting for the Specified Network

Networking Requirements

As shown in Figure 2-4, an 802.1X user on the campus network can access resources on Network 1 (192.168.100.0/24) and Network 2 (10.102.64.0/24) through the Switch. Network 1 stores national resources and Network 2 stores international resources.

The DAA function can be configured on the Switch to perform accounting on the traffic destined for Network 1 and Network 2 separately. When users access Network 1, they are charged at a low charge rate; when users access Network 2, they are charged at a high charge rate.

Figure 2-4  Networking diagram of configuring accounting for the specified network

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create VLANs and add interfaces to VLANs to ensure network communication.
  2. Create and configure a RADIUS server template, an AAA scheme and a domain, and bind the RADIUS server template and AAA scheme to the domain, so that the device can exchange information with the RADIUS server.
  3. Configure 802.1X authentication so that the user can access networks in 802.1X authentication mode.
  4. Configure DAA to perform destination-based accounting.
    1. Configure the traffic identification rules for the two network segments so that the device can classify traffic going to different destination addresses.
    2. Configure different tariff levels for traffic destined for different network segments. The tariff level of traffic going to Network 1 is 1 and the tariff level of traffic going to Network 2 is 2.
    3. Configure accounting policies for tariff levels:
      • For tariff level 1, traffic statistics collection is enabled but accounting is not performed.
      • For tariff level 2, traffic statistics collection is enabled and accounting is performed.
NOTE:

Ensure that the RADIUS server IP address, port number, and shared key in the RADIUS server template are configured correctly and are the same as those on the RADIUS server.

Ensure that reachable routes exist between the Switch and RADIUS server, and between the user and two network segments.

Procedure

  1. Create a VLAN and add interfaces to the VLAN to ensure network communication.

    # Create VLAN 11 on the Switch.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 11
    

    # Add GE1/0/1 connected to the user to VLAN 11.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] port link-type access
    [Switch-GigabitEthernet1/0/1] port default vlan 11
    [Switch-GigabitEthernet1/0/1] quit

    # Create VLANIF 11 and set its IP address to 192.168.10.1/24.

    [Switch] interface vlanif 11
    [Switch-Vlanif11] ip address 192.168.10.1 24
    [Switch-Vlanif11] quit
    

  2. Configure AAA.

    # Configure a RADIUS server template shiva. The IP address and port number of the RADIUS authentication server are 10.7.66.66 and 1812; the IP address and port number of the RADIUS accounting server are 10.7.66.66 and 1813. The shared key is Huawei@123.

    [Switch] radius-server template shiva
    [Switch-radius-shiva] radius-server authentication 10.7.66.66 1812
    [Switch-radius-shiva] radius-server accounting 10.7.66.66 1813
    [Switch-radius-shiva] radius-server shared-key cipher Huawei@123
    [Switch-radius-shiva] quit

    # Configure the authentication scheme auth and set the authentication method to RADIUS authentication.

    [Switch] aaa
    [Switch-aaa] authentication-scheme auth
    [Switch-aaa-authen-auth] authentication-mode radius
    [Switch-aaa-authen-auth] quit

    # Configure the accounting scheme abc and set the accounting method to RADIUS accounting.

    [Switch-aaa] accounting-scheme abc
    [Switch-aaa-accounting-abc] accounting-mode radius
    [Switch-aaa-accounting-abc] quit
    

    # Configure an AAA domain huawei, and apply the authentication scheme auth, accounting scheme abc, and RADIUS server template shiva to the domain.

    [Switch-aaa] domain huawei
    [Switch-aaa-domain-huawei] authentication-scheme auth
    [Switch-aaa-domain-huawei] accounting-scheme abc
    [Switch-aaa-domain-huawei] radius-server shiva
    [Switch-aaa-domain-huawei] quit
    [Switch-aaa] quit
    

    # Configure the global default domain huawei. During access authentication, enter a user name in the format user@huawei to perform AAA authentication in the domain huawei. If the user name does not contain a domain name or contains an invalid domain name, the user is authenticated in the default domain.

    [Switch] domain huawei

  3. Configure 802.1X authentication.

    # Set the NAC mode to unified.
    NOTE:

    By default, the unified mode is enabled. After the NAC mode is changed, the device automatically restarts.

    [Switch] authentication unified-mode
    # Configure the 802.1X access profile d1.
    NOTE:

    By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.

    [Switch] dot1x-access-profile name d1
    [Switch-dot1x-access-profile-d1] quit

    # Configure the authentication profile p1, bind the 802.1X access profile d1, set the user access mode to multi-authen, and set the maximum number of access users to 100.

    [Switch] authentication-profile name p1
    [Switch-authen-profile-p1] dot1x-access-profile d1
    [Switch-authen-profile-p1] authentication mode multi-authen max-user 100
    [Switch-authen-profile-p1] quit

    # Bind the authentication profile p1 to GE1/0/1 and enable 802.1X authentication on the interface.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] authentication-profile p1
    [Switch-GigabitEthernet1/0/1] quit
    

  4. Configure DAA.

    # Configure ACL 3000 and ACL 3001, which are used as traffic identification rules.

    [Switch] acl 3000
    [Switch-acl-adv-3000] rule 1 permit ip destination 192.168.100.0 0.0.0.255
    [Switch-acl-adv-3000] quit
    [Switch] acl 3001
    [Switch-acl-adv-3001] rule 1 permit ip destination 10.102.64.0 0.0.0.255
    [Switch-acl-adv-3001] quit
    

    # Configure the tariff levels. The tariff level of traffic destined for 192.168.100.0/24 is 1 and the tariff level of traffic destined for 10.102.64.0/24 is 2.

    [Switch] traffic-group huawei
    [Switch-traffic-group-huawei] acl 3000 tariff-level 1
    [Switch-traffic-group-huawei] acl 3001 tariff-level 2
    [Switch-traffic-group-huawei] quit
    [Switch] traffic-group huawei enable
    

    # Configure traffic-based accounting.

    [Switch] qos-profile name huawei
    [Switch-qos-huawei] statistic enable
    [Switch-qos-huawei] quit
    [Switch] aaa
    [Switch-aaa] domain huawei
    [Switch-aaa-domain-huawei] tariff-level 1 qos-profile huawei accounting-on
    [Switch-aaa-domain-huawei] tariff-level 2 qos-profile huawei accounting-on 
    [Switch-aaa-domain-huawei] quit
    [Switch-aaa] quit
    [Switch] quit
    

  5. Verify the configuration.

    Run the display traffic-group name group-name command to check information about the traffic group huawei.

    <Switch> display traffic-group name huawei
      ----------------------------------------------------------------------------
      Acl-id                Tariff-level                             
      ----------------------------------------------------------------------------
      3000                      1                          
      3001                      2                     
      ----------------------------------------------------------------------------
      Total: 2  

    Run the display traffic-group state command. The state of the traffic group is success.

    <Switch> display traffic-group state
      ----------------------------------------------------------------------------
      Slot-id                        State                        
      ----------------------------------------------------------------------------
      1                              success                 
      ----------------------------------------------------------------------------
      Total: 1 
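The destination-based classification that the ACLs, traffic group and tariff levels in the procedure above implement, written out as an added Python example (this is not Huawei code or output from the guide). Each ACL rule is a network plus a Huawei wildcard mask, the traffic group maps an ACL to a tariff level (first match wins, which is an assumption of this example), and the per-level policy decides whether bytes are only counted or also accounted. The policy table follows the roadmap (statistics for both levels, accounting only for tariff level 2); the flows are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    """One 'rule permit ip destination <network> <wildcard>' line of an advanced ACL."""
    acl_id: int
    network: str
    wildcard: str  # Huawei wildcard mask: a 0 bit must match, a 1 bit is ignored

    def matches(self, dst: str) -> bool:
        net = int(ipaddress.IPv4Address(self.network))
        wc = int(ipaddress.IPv4Address(self.wildcard))
        ip = int(ipaddress.IPv4Address(dst))
        care = ~wc & 0xFFFFFFFF  # bits that must be equal
        return (net & care) == (ip & care)


@dataclass(frozen=True)
class TariffPolicy:
    """Effect of 'tariff-level N qos-profile P [accounting-on]' plus the profile's 'statistic enable'."""
    statistic: bool
    accounting_on: bool


# traffic-group huawei: ACL -> tariff level, in the configured order
TRAFFIC_GROUP: List[Tuple[AclRule, int]] = [
    (AclRule(3000, "192.168.100.0", "0.0.0.255"), 1),  # Network 1, national resources
    (AclRule(3001, "10.102.64.0", "0.0.0.255"), 2),    # Network 2, international resources
]

# Per-level policy following the roadmap: count both levels, account only level 2
POLICIES: Dict[int, TariffPolicy] = {
    1: TariffPolicy(statistic=True, accounting_on=False),
    2: TariffPolicy(statistic=True, accounting_on=True),
}


def tariff_level(dst: str, group=TRAFFIC_GROUP) -> Optional[int]:
    """Tariff level of the first ACL whose rule matches dst; None if no ACL matches.
    First-match ordering is an assumption of this example."""
    for rule, level in group:
        if rule.matches(dst):
            return level
    return None


def account_flows(flows, group=TRAFFIC_GROUP, policies=POLICIES) -> Dict[str, object]:
    """Split flows (dst, bytes) by tariff level and apply each level's policy."""
    stats = {level: 0 for level in policies}
    accounted = {level: 0 for level, pol in policies.items() if pol.accounting_on}
    unclassified = 0  # bytes that matched no ACL in the group
    for dst, nbytes in flows:
        level = tariff_level(dst, group)
        if level is None or level not in policies:
            unclassified += nbytes
            continue
        pol = policies[level]
        if pol.statistic:
            stats[level] += nbytes
        if pol.accounting_on:
            accounted[level] += nbytes
    return {"stats": stats, "accounted": accounted, "unclassified": unclassified}


# Constructed sample flows: (destination address, bytes sent by the 802.1X user)
SAMPLE_FLOWS = [
    ("192.168.100.7", 1000),  # Network 1 -> tariff level 1
    ("10.102.64.200", 5000),  # Network 2 -> tariff level 2
    ("10.102.64.9", 2500),    # Network 2 -> tariff level 2
    ("203.0.113.5", 300),     # matches neither ACL
]

if __name__ == "__main__":
    print(account_flows(SAMPLE_FLOWS))
```

Running the block prints the per-level byte counters and the accounted bytes. The wildcard arithmetic is where such a configuration most often goes wrong in practice: a mask of 0.0.255.255 instead of 0.0.0.255 on ACL 3000 would match far more than Network 1 and silently move traffic into the cheaper level, so the `matches` check is worth running against a few addresses just outside each segment (for example 192.168.101.1) before the traffic group is enabled.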

Configuration Files

Configuration file of the Switch

#
sysname Switch
#
vlan batch 11
#
authentication-profile name p1
 dot1x-access-profile d1
 authentication mode multi-authen max-user 100
#
domain huawei 
#
radius-server template shiva
 radius-server shared-key cipher %^%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%^%#
 radius-server authentication 10.7.66.66 1812 weight 80
 radius-server accounting 10.7.66.66 1813 weight 80
#
dot1x-access-profile name d1
#
acl number 3000
 rule 1 permit ip destination 192.168.100.0 0.0.0.255
acl number 3001
 rule 1 permit ip destination 10.102.64.0 0.0.0.255
#
qos-profile name huawei
 statistic enable 
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme abc
  accounting-mode radius
 domain huawei
  authentication-scheme auth
  accounting-scheme abc
  radius-server shiva
  tariff-level 1 qos-profile huawei accounting-on
  tariff-level 2 qos-profile huawei accounting-on
#
interface Vlanif11
 ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 11
 authentication-profile p1
#
traffic-group huawei
  acl 3000 tariff-level 1
  acl 3001 tariff-level 2
traffic-group huawei enable
#
return
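A cross-reference check over the configuration file above, as an added Python example (not Huawei code or a tool from the guide). It parses the indentation-structured display output into command paths and verifies that every name one block refers to (schemes, RADIUS template, ACLs, tariff levels, qos-profile with statistics, default domain) is actually defined, and that the RADIUS template carries both an authentication and an accounting server as the NOTE requires. The embedded text is an excerpt of the configuration file (the sysname, VLAN, interface, access-profile and cipher shared-key lines are omitted); which references count as required is this example's own assumption.

```python
import re
from typing import List, Set, Tuple

# Excerpt of the Switch configuration file from the guide
CONFIG = """
#
domain huawei
#
radius-server template shiva
 radius-server authentication 10.7.66.66 1812 weight 80
 radius-server accounting 10.7.66.66 1813 weight 80
#
acl number 3000
 rule 1 permit ip destination 192.168.100.0 0.0.0.255
acl number 3001
 rule 1 permit ip destination 10.102.64.0 0.0.0.255
#
qos-profile name huawei
 statistic enable
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme abc
  accounting-mode radius
 domain huawei
  authentication-scheme auth
  accounting-scheme abc
  radius-server shiva
  tariff-level 1 qos-profile huawei accounting-on
  tariff-level 2 qos-profile huawei accounting-on
#
traffic-group huawei
  acl 3000 tariff-level 1
  acl 3001 tariff-level 2
traffic-group huawei enable
"""


def parse_vrp(text: str) -> List[Tuple[str, ...]]:
    """Turn the indented config into paths such as ('aaa', 'domain huawei', 'radius-server shiva');
    a bare '#' line ends the current block."""
    paths: List[Tuple[str, ...]] = []
    stack: List[Tuple[int, str]] = []  # (indent, command) of the enclosing lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            stack = []
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, line))
        paths.append(tuple(cmd for _, cmd in stack))
    return paths


def check_config(text: str) -> List[str]:
    """Return dangling references between blocks; an empty list means every reference resolves."""
    paths = parse_vrp(text)

    def defined(pattern: str, depth: int = 1, parent: str = "") -> Set[str]:
        out: Set[str] = set()  # names captured by pattern at the given depth under parent
        for p in paths:
            if len(p) == depth and p[0].startswith(parent):
                m = re.fullmatch(pattern, p[-1])
                if m:
                    out.add(m.group(1))
        return out

    acls = defined(r"acl number (\d+)")
    radius = defined(r"radius-server template (\S+)")
    groups = defined(r"traffic-group (\S+)")
    auth_schemes = defined(r"authentication-scheme (\S+)", 2, "aaa")
    acct_schemes = defined(r"accounting-scheme (\S+)", 2, "aaa")
    domains = defined(r"domain (\S+)", 2, "aaa")
    levels = defined(r"acl \d+ tariff-level (\d+)", 2, "traffic-group ")
    stats_on = {p[0].split()[-1] for p in paths  # qos-profiles that really collect statistics
                if len(p) == 2 and p[0].startswith("qos-profile name ") and p[1] == "statistic enable"}

    rules = [  # (depth, parent prefix, pattern with one capture, defined names, description)
        (1, "", r"domain (\S+)", domains, "default domain"),
        (1, "", r"traffic-group (\S+) enable", groups, "traffic group"),
        (2, "traffic-group ", r"acl (\d+) tariff-level \d+", acls, "ACL"),
        (3, "aaa", r"authentication-scheme (\S+)", auth_schemes, "authentication scheme"),
        (3, "aaa", r"accounting-scheme (\S+)", acct_schemes, "accounting scheme"),
        (3, "aaa", r"radius-server (\S+)", radius, "RADIUS server template"),
        (3, "aaa", r"tariff-level (\d+) qos-profile \S+.*", levels, "tariff level"),
        (3, "aaa", r"tariff-level \d+ qos-profile (\S+).*", stats_on, "qos-profile with statistics"),
    ]
    problems: List[str] = []
    for p in paths:
        for depth, parent, pattern, known, what in rules:
            if len(p) == depth and p[0].startswith(parent):
                m = re.fullmatch(pattern, p[-1])
                if m and m.group(1) not in known:
                    problems.append(f"{' > '.join(p)}: {what} '{m.group(1)}' is not defined")
    for t in radius:  # accounting needs both servers in the template (assumption)
        roles = {p[1].split()[1] for p in paths if len(p) == 2 and p[0] == f"radius-server template {t}"}
        for role in ("authentication", "accounting"):
            if role not in roles:
                problems.append(f"radius-server template {t}: no {role} server configured")
    return problems
```

`check_config(CONFIG)` returns an empty list for the excerpt above; a tariff-level line under the domain that names a level the traffic group never defines, an `acl N tariff-level L` line pointing at a missing ACL, or a template with only an authentication server each produce one entry naming the offending path.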
Updated: 2019-10-21

Document ID: EDOC1000178117
