CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Configuring Terminal Access in Which PPPoE Authentication Is Used

Networking Requirements

As shown in Figure 4-6, terminal users of an enterprise access the Internet through the Router (functioning as the egress gateway and access device). The Router needs to authenticate, charge, and manage users.

The enterprise requires that:

  • PPPoE authentication should be used for terminal users. The Router should allow only authenticated users to access the Internet.
  • The Router should not charge users for intranet (192.168.100.0/24) access, and should charge the users based on duration when they access external networks.
  • If an online user is identified as unauthorized, the administrator forces that user offline by specifying the user's IP address.
Figure 4-6  Configuring terminal access in which PPPoE authentication is used

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the AAA authentication and accounting schemes in RADIUS mode to ensure information exchange between the Router and RADIUS server.
  2. Configure the PPPoE server to perform PPP authentication on access users.
  3. Configure DAA. After that, the Router does not charge users for intranet access, and charges the users based on duration when they access external networks.
  4. Configure the device to force unauthorized users with the IP address 192.168.1.3/24 to go offline.

Procedure

  1. Create VLANs and add the interfaces to them so that the devices can communicate.

    # Create VLAN 10 and VLAN 20.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] vlan batch 10 20
    

    # On the Router, configure the interface connected to users as a trunk interface and add the interface to VLAN 10.

    [Router] interface ethernet 2/0/0
    [Router-Ethernet2/0/0] port link-type trunk
    [Router-Ethernet2/0/0] undo port trunk allow-pass vlan 1
    [Router-Ethernet2/0/0] port trunk allow-pass vlan 10
    [Router-Ethernet2/0/0] quit

    # On the Router, configure the interface connected to the RADIUS server as a trunk interface and add the interface to VLAN 20.

    [Router] interface ethernet 2/0/1
    [Router-Ethernet2/0/1] port link-type trunk
    [Router-Ethernet2/0/1] undo port trunk allow-pass vlan 1
    [Router-Ethernet2/0/1] port trunk allow-pass vlan 20
    [Router-Ethernet2/0/1] quit

    # Create VLANIF 10 and VLANIF 20, and assign an IP address to VLANIF 20 so that reachable routes exist between the terminals, the Router, and the enterprise internal servers.

    [Router] interface vlanif 10
    [Router-Vlanif10] quit
    [Router] interface vlanif 20
    [Router-Vlanif20] ip address 192.168.2.29 24
    [Router-Vlanif20] quit
    

  2. Create and configure a RADIUS server template, an AAA authentication scheme, an accounting scheme, and an authentication domain.

    NOTE:

    Ensure that the shared key in the RADIUS server template is the same as on the RADIUS server.

    # Create and configure the RADIUS server template rd1.

    [Router] radius-server template rd1
    [Router-radius-rd1] radius-server authentication 192.168.2.30 1812
    [Router-radius-rd1] radius-server accounting 192.168.2.30 1813
    [Router-radius-rd1] radius-server shared-key cipher Huawei@1234
    [Router-radius-rd1] quit

    # Create an AAA scheme, configure the authentication scheme auth, and set the authentication mode to RADIUS authentication.

    [Router] aaa
    [Router-aaa] authentication-scheme auth
    [Router-aaa-authen-auth] authentication-mode radius
    [Router-aaa-authen-auth] quit

    # Configure the accounting scheme abc in the AAA scheme and set the accounting mode to RADIUS accounting.

    [Router-aaa] accounting-scheme abc
    [Router-aaa-accounting-abc] accounting-mode radius
    [Router-aaa-accounting-abc] quit

    # Configure the AAA domain isp1, and apply the authentication scheme auth, accounting scheme abc, and RADIUS server template rd1 to the domain.

    [Router-aaa] domain isp1
    [Router-aaa-domain-isp1] authentication-scheme auth
    [Router-aaa-domain-isp1] accounting-scheme abc
    [Router-aaa-domain-isp1] radius-server rd1
    [Router-aaa-domain-isp1] quit
    [Router-aaa] quit

    # Configure isp1 as the global default domain. During access authentication, enter a user name in the format user@isp1 to perform AAA authentication in the domain isp1. If the user name does not contain a domain name or contains an invalid domain name, the user is authenticated in the default domain.

    [Router] domain isp1

  3. Configure the PPPoE server.

    # Configure a global address pool so that the PPPoE server can dynamically assign IP addresses to access users.

    [Router] ip pool pool1
    [Router-ip-pool-pool1] network 192.168.1.0 mask 255.255.255.0 
    [Router-ip-pool-pool1] gateway-list 192.168.1.1
    [Router-ip-pool-pool1] quit
    

    # Create and configure a virtual interface template.

    [Router] interface virtual-template 1
    [Router-Virtual-Template1] ppp authentication-mode chap domain isp1
    [Router-Virtual-Template1] ip address 192.168.1.1 255.255.255.0
    [Router-Virtual-Template1] remote address pool pool1
    [Router-Virtual-Template1] quit

    # Enable the PPPoE protocol on the VLANIF10 interface.

    [Router] interface vlanif10
    [Router-Vlanif10] pppoe-server bind virtual-template 1
    [Router-Vlanif10] quit

  4. Configure DAA.

    # Configure the traffic identification rule ACL 3000 to identify the traffic destined for the internal network segment 192.168.100.0/24.

    [Router] acl 3000
    [Router-acl-adv-3000] rule 5 permit ip destination 192.168.100.0 0.0.0.255
    [Router-acl-adv-3000] quit
    

    # Create the traffic group huawei, bind ACL 3000 to it with tariff level 1, and enable the traffic group.

    [Router] traffic-group huawei
    [Router-traffic-group-huawei] acl 3000 tariff-level 1
    [Router-traffic-group-huawei] quit
    [Router] traffic-group huawei enable
    
    # Configure accounting for all the traffic that does not match ACL 3000.
    • For traffic of tariff level 1, traffic statistics collection is disabled and accounting is not performed.
    • For other traffic, the device collects traffic statistics and sends the statistics to the RADIUS accounting server.

    [Router] aaa
    [Router-aaa] domain isp1
    [Router-aaa-domain-isp1] statistic enable
    [Router-aaa-domain-isp1] quit
    

  5. Force the access users with the IP address 192.168.1.3 to go offline.

    [Router-aaa] cut access-user ip-address 192.168.1.3
    [Router-aaa] quit
    [Router] quit
    

  6. Verify the configuration.

    # Run the display pppoe-server session all command to check the PPPoE session status and configuration. The command output shows that the PPPoE session status is Up and the session configuration is correct.

    # Run the display traffic-group name huawei command to check information about the traffic group huawei.

    <Router> display traffic-group name huawei
      ----------------------------------------------------------------------------
      Acl-id                Tariff-level
      ----------------------------------------------------------------------------
      3000                      1
      ----------------------------------------------------------------------------
      Total: 1

    # After the user goes online, run the display access-user command to check the IP address and traffic statistics of online users.

Configuration Files

Configuration files on Router

#
 sysname Router
#
vlan batch 10 20
#
domain isp1
#
radius-server template rd1
 radius-server shared-key cipher %#%#s@<60z+%'"EJI#4KOij5M)"m&9%"k:63Vl+xTc"K%#%#
 radius-server authentication 192.168.2.30 1812 weight 80
 radius-server accounting 192.168.2.30 1813 weight 80
#
acl number 3000
 rule 5 permit ip destination 192.168.100.0 0.0.0.255
#
ip pool pool1
 gateway-list 192.168.1.1
 network 192.168.1.0 mask 255.255.255.0
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme abc
  accounting-mode radius
 domain isp1
  authentication-scheme auth
  accounting-scheme abc
  radius-server rd1
  statistic enable
#
interface Vlanif10
 pppoe-server bind Virtual-Template 1
#
interface Vlanif20
 ip address 192.168.2.29 255.255.255.0
#
interface Ethernet2/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10
#
interface Ethernet2/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
#
interface Virtual-Template1
 ppp authentication-mode chap domain isp1
 remote address pool pool1
 ip address 192.168.1.1 255.255.255.0
#
traffic-group huawei
  acl 3000 tariff-level 1
traffic-group huawei enable
#
return
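As an added example that is not part of the Huawei document, the following Python script audits a saved configuration file for the settings this example depends on: the RADIUS shared key stored as cipher text, CHAP rather than PAP on the virtual template, an ACL rule that covers exactly the intranet segment 192.168.100.0/24, and the traffic group enabled. The embedded configuration is a constructed, trimmed copy of the file above with a placeholder in place of the encrypted key; the check names are this script's own.

```python
import re
from ipaddress import IPv4Network

# Constructed sample: a trimmed copy of the configuration file shown on this page,
# with the encrypted shared key replaced by a placeholder.
SAMPLE_CONFIG = """\
radius-server template rd1
 radius-server shared-key cipher %#%#PLACEHOLDER%#%#
 radius-server authentication 192.168.2.30 1812 weight 80
#
acl number 3000
 rule 5 permit ip destination 192.168.100.0 0.0.0.255
#
interface Virtual-Template1
 ppp authentication-mode chap domain isp1
#
traffic-group huawei
  acl 3000 tariff-level 1
traffic-group huawei enable
#
"""

ACL_RULE = re.compile(r"rule \d+ permit ip destination (\S+) (\S+)")

def wildcard_to_network(address, wildcard):
    """Turn an ACL 'address wildcard' pair into a network; the wildcard is an inverted mask."""
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return IPv4Network(f"{address}/{netmask}", strict=False)

def audit(config_text, intranet="192.168.100.0/24"):
    """Check the settings this example depends on; returns a dict of check name -> bool."""
    checks = {"shared_key_is_cipher": False, "ppp_uses_chap": False,
              "acl_covers_intranet": False, "traffic_group_enabled": False}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("radius-server shared-key"):
            # The key must be stored in cipher text, never as plain text
            checks["shared_key_is_cipher"] = line.split()[2] == "cipher"
        elif line.startswith("ppp authentication-mode"):
            # CHAP never sends the password over the link; PAP does
            checks["ppp_uses_chap"] = line.split()[2] == "chap"
        elif ACL_RULE.match(line):
            # The free-of-charge rule must cover exactly the intranet segment
            net = wildcard_to_network(*ACL_RULE.match(line).groups())
            checks["acl_covers_intranet"] = net == IPv4Network(intranet)
        elif line == "traffic-group huawei enable":
            checks["traffic_group_enabled"] = True
    return checks
```

Run audit() on the text of a real configuration file exported from the Router and treat any False entry as a finding to investigate.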
Updated: 2019-08-07

Document ID: EDOC1100034077
