
S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Example for Configuring Accounting for External Network and No Accounting for Internal Network

Networking Requirements

As shown in Figure 2-3, a PPPoE user on the campus network can access resources on the campus network and external network through the Switch. The campus network built by the university provides a large number of learning materials. The external network is leased from the ISP. The user needs to be charged when accessing the external network resources.

The DAA function needs to be configured on the Switch so that the user is not charged when accessing the campus network and charged based on traffic when accessing the external network.

Figure 2-3  Networking diagram of configuring accounting for external network and no accounting for internal network

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create VLANs and add interfaces to VLANs to ensure network communication.
  2. Create and configure a RADIUS server template, an AAA scheme and a domain, and bind the RADIUS server template and AAA scheme to the domain, so that the device can exchange information with the RADIUS server.
  3. Configure PPPoE authentication so that the user can access networks in PPPoE authentication mode.
  4. Configure DAA to perform destination-based accounting.
    1. Configure a traffic identification rule to identify the traffic destined for the internal network.
    2. Set the tariff level corresponding to the traffic destined for the internal network segments to 1.
    3. Configure the following accounting policy:
      • For tariff level 1, traffic statistics collection is enabled and accounting is not performed.
      • For other traffic, the device collects traffic statistics and sends the statistics to the RADIUS accounting server.
NOTE:

Ensure that the RADIUS server IP address, port number, and shared key in the RADIUS server template are configured correctly and are the same as those on the RADIUS server.

Procedure

  1. Create a VLAN and add interfaces to the VLAN to ensure network communication.

    # Create VLAN 11 on the Switch.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 11

    # Add GE1/0/1 connected to the user to VLAN 11.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] port link-type access
    [Switch-GigabitEthernet1/0/1] port default vlan 11
    [Switch-GigabitEthernet1/0/1] quit

  2. Configure AAA.

    # Configure a RADIUS server template shiva. The IP address and port number of the RADIUS authentication server are 10.7.66.66 and 1812; the IP address and port number of the RADIUS accounting server are 10.7.66.66 and 1813. The shared key is Huawei@123.

    [Switch] radius-server template shiva
    [Switch-radius-shiva] radius-server authentication 10.7.66.66 1812
    [Switch-radius-shiva] radius-server accounting 10.7.66.66 1813
    [Switch-radius-shiva] radius-server shared-key cipher Huawei@123
    [Switch-radius-shiva] quit

    # Configure the authentication scheme auth and set the authentication method to RADIUS authentication.

    [Switch] aaa
    [Switch-aaa] authentication-scheme auth
    [Switch-aaa-authen-auth] authentication-mode radius
    [Switch-aaa-authen-auth] quit

    # Configure the accounting scheme abc and set the accounting method to RADIUS accounting.

    [Switch-aaa] accounting-scheme abc
    [Switch-aaa-accounting-abc] accounting-mode radius
    [Switch-aaa-accounting-abc] quit

    # Configure an AAA domain huawei, and apply the authentication scheme auth, accounting scheme abc, and RADIUS server template shiva to the domain.

    [Switch-aaa] domain huawei
    [Switch-aaa-domain-huawei] authentication-scheme auth
    [Switch-aaa-domain-huawei] accounting-scheme abc
    [Switch-aaa-domain-huawei] radius-server shiva
    [Switch-aaa-domain-huawei] quit
    [Switch-aaa] quit

  3. Configure PPPoE.

    # Configure the device as a PPPoE server to assign IP addresses to hosts.

    [Switch] ip pool test
    [Switch-ip-pool-test] network 192.168.10.0 mask 255.255.255.0 
    [Switch-ip-pool-test] gateway-list 192.168.10.1
    [Switch-ip-pool-test] quit
    [Switch] aaa
    [Switch-aaa] service-scheme test
    [Switch-aaa-service-test] ip-pool test
    [Switch-aaa-service-test] quit
    [Switch-aaa] domain huawei
    [Switch-aaa-domain-huawei] service-scheme test 
    [Switch-aaa-domain-huawei] quit
    [Switch-aaa] quit

    # Create virtual template 1 to which default PPPoE settings are applied.

    [Switch] interface virtual-template 1
    [Switch-Virtual-Template1] ip address 192.168.10.1 24
    [Switch-Virtual-Template1] quit

    # Bind the virtual template to VLANIF 11.

    [Switch] interface vlanif 11
    [Switch-Vlanif11] pppoe-server bind virtual-template 1
    [Switch-Vlanif11] quit

  4. Configure DAA.

    # Configure the traffic identification rule ACL 3000 to identify the traffic destined for internal network segment 192.168.100.0/24.

    [Switch] acl 3000
    [Switch-acl-adv-3000] rule 1 permit ip destination 192.168.100.0 0.0.0.255
    [Switch-acl-adv-3000] quit

    # Set the tariff level to 1.

    [Switch] traffic-group huawei
    [Switch-traffic-group-huawei] acl 3000 tariff-level 1
    [Switch-traffic-group-huawei] quit

    # Apply the traffic group to the device globally.

    NOTE:

    If you modify the source address or destination address in a traffic identification rule or the tariff level in a traffic group, you must run the traffic-group group-name enable command to make the modification effective.

    [Switch] traffic-group huawei enable

    # Configure accounting for all the traffic that does not match ACL 3000.

    [Switch] qos-profile name huawei
    [Switch-qos-huawei] statistic enable
    [Switch-qos-huawei] quit
    [Switch] aaa
    [Switch-aaa] domain huawei
    [Switch-aaa-domain-huawei] tariff-level 1 qos-profile huawei
    [Switch-aaa-domain-huawei] statistic enable
    [Switch-aaa-domain-huawei] quit
    [Switch-aaa] quit
    [Switch] quit
    

  5. Verify the configuration.

    Run the display traffic-group name group-name command to check information about the traffic group huawei.

    <Switch> display traffic-group name huawei
      ----------------------------------------------------------------------------
      Acl-id                Tariff-level                             
      ----------------------------------------------------------------------------
      3000                      1                          
      ----------------------------------------------------------------------------
      Total: 1  

    Run the display traffic-group state command. The command output shows that the traffic group is in the success state.

    <Switch> display traffic-group state
      ----------------------------------------------------------------------------
      Slot-id                        State                        
      ----------------------------------------------------------------------------
      10                             success                 
      ----------------------------------------------------------------------------
      Total: 1 

    After the user goes online, run the display access-user command to check traffic statistics at each tariff level.
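To make the accounting policy concrete, the following added Python model (not Huawei code and not part of this guide) reproduces how the DAA rules above classify a user's traffic: it applies the ACL 3000 wildcard match, maps the match to tariff level 1 as traffic-group huawei does, and splits the byte counts into statistics-only traffic and traffic that would be reported to the RADIUS accounting server. The sample flows and all function names are constructed for this illustration.

```python
import ipaddress

# Constructed model of the DAA policy on this page (not Huawei code):
# ACL 3000 matches destination 192.168.100.0 with wildcard 0.0.0.255,
# traffic-group huawei maps ACL 3000 to tariff level 1, and tariff level 1
# is bound to a statistics-only qos-profile, so only unmatched traffic is
# reported to the RADIUS accounting server.

def wildcard_match(addr, network, wildcard):
    """Huawei ACL wildcard semantics: a wildcard bit of 1 means 'don't care',
    a bit of 0 must match (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

# traffic-group huawei: ((network, wildcard), tariff level), as in 'acl 3000 tariff-level 1'
TRAFFIC_GROUP = [(("192.168.100.0", "0.0.0.255"), 1)]
# domain huawei: tariff levels bound to a statistics-only qos-profile (no RADIUS accounting)
STATISTICS_ONLY_LEVELS = {1}

def tariff_level(dst_ip):
    """Return the tariff level for a destination, or None if no rule matches."""
    for (network, wildcard), level in TRAFFIC_GROUP:
        if wildcard_match(dst_ip, network, wildcard):
            return level
    return None

def account_flows(flows):
    """Split (dst_ip, bytes) flows into per-level statistics and the total
    bytes that would be sent to the RADIUS accounting server."""
    stats = {}
    billed = 0
    for dst_ip, nbytes in flows:
        level = tariff_level(dst_ip)
        key = level if level is not None else "other"
        stats[key] = stats.get(key, 0) + nbytes
        if level not in STATISTICS_ONLY_LEVELS:
            billed += nbytes
    return stats, billed

# Constructed sample flows: (destination IP, bytes)
SAMPLE_FLOWS = [
    ("192.168.100.25", 5000),   # campus server: tariff level 1, statistics only
    ("192.168.100.200", 3000),  # campus server: tariff level 1, statistics only
    ("8.8.8.8", 12000),         # external network: accounted via RADIUS
    ("192.168.101.5", 700),     # outside the /24, so not tariff level 1: accounted
]

if __name__ == "__main__":
    print(account_flows(SAMPLE_FLOWS))
```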

Configuration Files

Configuration file of the Switch

#
sysname Switch
#
vlan batch 11
#
radius-server template shiva
 radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
 radius-server authentication 10.7.66.66 1812 weight 80
 radius-server accounting 10.7.66.66 1813 weight 80
#
acl number 3000
 rule 1 permit ip destination 192.168.100.0 0.0.0.255
#
qos-profile name huawei
 statistic enable 
#
ip pool test
 gateway-list 192.168.10.1  
 network 192.168.10.0 mask 255.255.255.0  
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme abc
  accounting-mode radius
 service-scheme test
  ip-pool test 
 domain huawei
  authentication-scheme auth
  accounting-scheme abc
  service-scheme test 
  radius-server shiva
  tariff-level 1 qos-profile huawei  
  statistic enable 
#
interface Vlanif11
 pppoe-server bind virtual-template 1
#
interface Virtual-Template1
 ip address 192.168.10.1 255.255.255.0 
# 
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 11
#
traffic-group huawei
  acl 3000 tariff-level 1
traffic-group huawei enable
#
return
Updated: 2019-10-21

Document ID: EDOC1000178117
