S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Example for Configuring the Device as a PPPoE Server to Allow PPPoE Users on Campus Network to Access the Internet

Networking Requirements

As shown in Figure 7-8, many users on a campus network connect to the Internet through the Switch (the access device). To ensure network security, the administrator needs to centrally control and manage the network access rights of the users and isolate the users from each other.

The Switch is configured as a PPPoE server to control the network access rights of users. Only the users passing PPPoE authentication can access Internet resources.

Figure 7-8  Configuring the device as a PPPoE server to allow PPPoE users on campus network to access the Internet

Configuration Roadmap

To control the network access rights of users, configure PPPoE authentication on the Switch.

The configuration roadmap is as follows:

  1. Create VLANs and add interfaces to VLANs to ensure network communication.
  2. Create a local IP address pool to allocate IP addresses to PPPoE users.
  3. Create and configure a RADIUS server template, an AAA scheme, and an authentication domain on the Switch so that the RADIUS server can authenticate users.
  4. Configure PPPoE authentication on the Switch.
    1. Create a virtual template and configure PPP negotiation parameters in the virtual template, including authentication method, retransmission times of handshake packets, negotiation timeout interval, and MRU.
    2. Bind the virtual template to the interface and start the PPPoE server.

Procedure

  1. Create VLANs and add interfaces to VLANs to ensure network communication.

    # Create VLAN 10 and VLAN 20.

    <HUAWEI> system-view
    [HUAWEI] vlan batch 10 20
    

    # On the Switch, configure GE1/0/1 connected to users as a hybrid interface and add GE1/0/1 to VLAN 10.

    [HUAWEI] interface gigabitethernet 1/0/1
    [HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
    [HUAWEI-GigabitEthernet1/0/1] port hybrid tagged vlan 10
    [HUAWEI-GigabitEthernet1/0/1] quit

    NOTE:

    Configure the interface type and VLANs based on the site requirements. In this example, users are added to VLAN 10.

    # On the Switch, configure GE1/0/2 connected to the RADIUS server as an access interface and add GE1/0/2 to VLAN 20.

    [HUAWEI] interface gigabitethernet 1/0/2
    [HUAWEI-GigabitEthernet1/0/2] port link-type access
    [HUAWEI-GigabitEthernet1/0/2] port default vlan 20
    [HUAWEI-GigabitEthernet1/0/2] quit

    # Create VLANIF 10 and VLANIF 20, and assign an IP address to VLANIF 20 so that reachable routes can be set up between the terminals, Switch, and campus internal servers. In this example, the IP address of VLANIF 20 is 192.168.2.29/24.

    [HUAWEI] interface vlanif 10
    [HUAWEI-Vlanif10] quit
    [HUAWEI] interface vlanif 20
    [HUAWEI-Vlanif20] ip address 192.168.2.29 24
    [HUAWEI-Vlanif20] quit
    

  2. Create a local IP address pool.

    [HUAWEI] ip pool ippool1
    [HUAWEI-ip-pool-ippool1] network 192.168.1.0 mask 24
    [HUAWEI-ip-pool-ippool1] gateway-list 192.168.1.20
    [HUAWEI-ip-pool-ippool1] quit

  3. Create and configure a RADIUS server template, an AAA scheme, and an authentication domain.

    # Create and configure the RADIUS server template rd1.

    [HUAWEI] radius-server template rd1
    [HUAWEI-radius-rd1] radius-server authentication 192.168.2.30 1812
    [HUAWEI-radius-rd1] radius-server shared-key cipher Huawei@123
    [HUAWEI-radius-rd1] radius-server retransmit 2
    [HUAWEI-radius-rd1] quit

    # Create AAA scheme abc and set the authentication mode to RADIUS.

    [HUAWEI] aaa
    [HUAWEI-aaa] authentication-scheme abc
    [HUAWEI-aaa-authen-abc] authentication-mode radius
    [HUAWEI-aaa-authen-abc] quit

    # Configure the service scheme pppoe.

    [HUAWEI-aaa] service-scheme pppoe
    [HUAWEI-aaa-service-pppoe] ip-pool ippool1
    [HUAWEI-aaa-service-pppoe] quit

    # Create authentication domain isp1, and bind the AAA scheme abc, RADIUS server template rd1, and service scheme pppoe to the authentication domain.

    [HUAWEI-aaa] domain isp1
    [HUAWEI-aaa-domain-isp1] authentication-scheme abc
    [HUAWEI-aaa-domain-isp1] radius-server rd1
    [HUAWEI-aaa-domain-isp1] service-scheme pppoe
    [HUAWEI-aaa-domain-isp1] quit

    # Configure the global default domain isp1. During access authentication, if the user enters a user name in the format user@isp1, the user is authenticated in the domain isp1. If the user name does not contain a domain name or contains an invalid domain name, the user is authenticated in the default domain.

    [HUAWEI-aaa] quit
    [HUAWEI] domain isp1

  4. Configure PPPoE authentication on the Switch.

    # Configure a virtual template.

    [HUAWEI] interface virtual-template 1
    [HUAWEI-Virtual-Template1] ip address 192.168.1.20 24
    [HUAWEI-Virtual-Template1] ppp authentication-mode chap
    [HUAWEI-Virtual-Template1] ppp keepalive retransmit 4
    [HUAWEI-Virtual-Template1] ppp mru 1400
    [HUAWEI-Virtual-Template1] ppp timer negotiate 5
    [HUAWEI-Virtual-Template1] quit

    # Enable PPPoE server on the interface.

    [HUAWEI] interface vlanif 10
    [HUAWEI-Vlanif10] pppoe-server bind virtual-template 1
    [HUAWEI-Vlanif10] quit

  5. Check the PPPoE configuration.

    [HUAWEI] interface virtual-template 1
    [HUAWEI-Virtual-Template1] display this
    #
    interface Virtual-Template1
     ppp keepalive retransmit 4
     ppp mru 1400
     ppp timer negotiate 5
     ip address 192.168.1.20 255.255.255.0
    #
    return

Configuration Files

# Configuration file of the Switch

#
vlan batch 10 20
#
domain isp1
#
radius-server template rd1
 radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
 radius-server authentication 192.168.2.30 1812 weight 80
 radius-server retransmit 2
#
ip pool ippool1
 gateway-list 192.168.1.20
 network 192.168.1.0 mask 255.255.255.0
#
aaa
 authentication-scheme abc
  authentication-mode radius
 service-scheme pppoe
  ip-pool ippool1
 domain isp1
  authentication-scheme abc
  service-scheme pppoe
  radius-server rd1
#
interface Vlanif10
 pppoe-server bind virtual-template 1
#
interface Vlanif20
 ip address 192.168.2.29 255.255.255.0
#
interface Virtual-Template1
 ppp keepalive retransmit 4
 ppp mru 1400
 ppp timer negotiate 5
 ip address 192.168.1.20 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid tagged vlan 10
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 20
#
return
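
The configuration above chains named objects together: the default domain isp1 refers to scheme abc, template rd1 and service scheme pppoe, the service scheme refers to pool ippool1, and VLANIF 10 refers to virtual template 1. The following Python check is an added example, not part of the Huawei guide or of any Huawei tool; it reads a saved configuration file and reports every such reference that points to an object the file does not define. The function name audit and the tables TOP_DEFS and REF_KINDS are assumptions of this example, and the sample text is constructed from the configuration file above.

```python
import re

# Constructed sample: the Switch configuration file above, abridged to the
# lines that define or reference a named object.
SAMPLE = """\
domain isp1
radius-server template rd1
ip pool ippool1
aaa
 authentication-scheme abc
 service-scheme pppoe
  ip-pool ippool1
 domain isp1
  authentication-scheme abc
  service-scheme pppoe
  radius-server rd1
interface Vlanif10
 pppoe-server bind virtual-template 1
interface Virtual-Template1
 ip address 192.168.1.20 255.255.255.0
"""

# Top-level commands that define an object, and sub-commands that reference one.
TOP_DEFS = {r"interface Virtual-Template(\d+)$": "virtual-template",
            r"radius-server template (\S+)$": "radius-server",
            r"ip pool (\S+)$": "ip-pool"}
REF_KINDS = {"authentication-scheme", "service-scheme", "radius-server", "ip-pool"}

def audit(config):
    """Return (where, kind, name) for every reference to an undefined object."""
    defined, refs, stack = set(), [], []
    for raw in config.splitlines():
        line, words = raw.strip(), raw.split()
        depth = len(raw) - len(raw.lstrip(" "))  # one space per nesting level
        parent = stack[depth - 1] if 0 < depth <= len(stack) else ""
        stack = stack[:depth] + [line]
        if depth == 0:
            for pattern, kind in TOP_DEFS.items():
                m = re.match(pattern, line)
                if m:
                    defined.add((kind, m.group(1)))
            if len(words) == 2 and words[0] == "domain":  # global default domain
                refs.append(("global", "domain", words[1]))
        elif bind := re.match(r"pppoe-server bind virtual-template (\d+)$", line):
            refs.append((parent, "virtual-template", bind.group(1)))
        elif len(words) == 2 and depth == 1 and parent == "aaa":
            defined.add(tuple(words))  # schemes and domains created under aaa
        elif len(words) == 2 and depth == 2 and words[0] in REF_KINDS:
            refs.append((parent, *words))
    return [r for r in refs if r[1:] not in defined]
```

audit(SAMPLE) returns an empty list. If the domain's radius-server line names a template that was never created, for example rd2, the result is [('domain isp1', 'radius-server', 'rd2')].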
Updated: 2019-10-21

Document ID: EDOC1000178117
