
CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Configuring Accounting for the Specified Network

Networking Requirements

As shown in Figure 2-3, a Portal user on the campus network can access resources on Network 1 (192.168.100.0/24) and Network 2 (10.102.64.0/24) through the Router. Resources on Network 1 are free and resources on Network 2 are not free. Users are charged based on traffic when they access resources on Network 2.

The DAA (destination address accounting) function needs to be configured on the Router so that the user is not charged when accessing Network 1 and is charged based on traffic when accessing Network 2.

Figure 2-3  Networking diagram of configuring accounting for the specified network

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create VLANs and add interfaces to VLANs to ensure network communication.
  2. Create and configure a RADIUS server template, an AAA scheme and a domain, and bind the RADIUS server template and AAA scheme to the domain, so that the device can exchange information with the RADIUS server.
  3. Configure Portal authentication so that the user can access networks in Portal authentication mode.
  4. Configure DAA to perform destination-based accounting.
    1. Configure the traffic identification rules for the two network segments so that the device can classify traffic going to different destination addresses.
    2. Configure different tariff levels for traffic destined for different network segments. The tariff level of traffic going to Network 1 is 1 and the tariff level of traffic going to Network 2 is 2.
    3. Configure accounting policies for tariff levels:
      • For tariff level 1, traffic statistics collection is enabled but accounting is not performed.
      • For tariff level 2, traffic statistics collection is enabled and accounting is performed.
NOTE:

Ensure that the RADIUS server IP address, port number, and shared key in the RADIUS server template are configured correctly and are the same as those on the RADIUS server.

Ensure that reachable routes exist between the Router and RADIUS server, and between the user and two network segments.

Procedure

  1. Configure Eth0/0/0 that is connected to users.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] interface ethernet 0/0/0
    [Router-Ethernet0/0/0] undo portswitch
    [Router-Ethernet0/0/0] ip address 192.168.10.1 24
    [Router-Ethernet0/0/0] quit
    

  2. Configure AAA.

    # Configure a RADIUS server template shiva. The IP address and port number of the RADIUS authentication server are 10.7.66.66 and 1812; the IP address and port number of the RADIUS accounting server are 10.7.66.66 and 1813. The shared key is Huawei@123.

    [Router] radius-server template shiva
    [Router-radius-shiva] radius-server authentication 10.7.66.66 1812
    [Router-radius-shiva] radius-server accounting 10.7.66.66 1813
    [Router-radius-shiva] radius-server shared-key cipher Huawei@123
    [Router-radius-shiva] quit

    # Configure the authentication scheme auth and set the authentication method to RADIUS authentication.

    [Router] aaa
    [Router-aaa] authentication-scheme auth
    [Router-aaa-authen-auth] authentication-mode radius
    [Router-aaa-authen-auth] quit

    # Configure the accounting scheme abc and set the accounting method to RADIUS accounting.

    [Router-aaa] accounting-scheme abc
    [Router-aaa-accounting-abc] accounting-mode radius
    [Router-aaa-accounting-abc] quit
    

    # Configure an AAA domain huawei, and apply the authentication scheme auth, accounting scheme abc, and RADIUS server template shiva to the domain.

    [Router-aaa] domain huawei
    [Router-aaa-domain-huawei] authentication-scheme auth
    [Router-aaa-domain-huawei] accounting-scheme abc
    [Router-aaa-domain-huawei] radius-server shiva
    [Router-aaa-domain-huawei] quit
    [Router-aaa] quit
    

  3. Configure DAA.

    # Configure ACL 3000 and ACL 3001, which are used as traffic identification rules.

    [Router] acl 3000
    [Router-acl-adv-3000] rule 1 permit ip destination 192.168.100.0 0.0.0.255
    [Router-acl-adv-3000] quit
    [Router] acl 3001
    [Router-acl-adv-3001] rule 1 permit ip destination 10.102.64.0 0.0.0.255
    [Router-acl-adv-3001] quit
    

    # Configure the tariff levels. The tariff level of traffic destined for 192.168.100.0/24 is 1 and the tariff level of traffic destined for 10.102.64.0/24 is 2.

    [Router] traffic-group huawei
    [Router-traffic-group-huawei] acl 3000 tariff-level 1
    [Router-traffic-group-huawei] acl 3001 tariff-level 2
    [Router-traffic-group-huawei] quit
    [Router] traffic-group huawei enable
    

    # Configure traffic-based accounting.

    [Router] qos-profile huawei
    [Router-qos-profile-huawei] statistics enable
    [Router-qos-profile-huawei] quit
    [Router] aaa
    [Router-aaa] domain huawei
    [Router-aaa-domain-huawei] tariff-level 1 qos-profile huawei
    [Router-aaa-domain-huawei] tariff-level 2 qos-profile huawei accounting-on 
    [Router-aaa-domain-huawei] quit
    [Router-aaa] quit
    
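    The following is an added host-side model of the DAA chain configured in this step (ACL destination match, traffic group mapping ACLs to tariff levels, and the per-level policy in the domain). It is not Huawei code and does not run on the Router; it reproduces the decision logic so the effect of the two tariff levels can be checked against sample flows. The ACL numbers, networks, wildcards and tariff levels are taken from the example above; the sample flows and the handling of traffic matched by no ACL (treated as outside the DAA policy) are assumptions.

```python
"""Model of the DAA classification and accounting policy from the example.
Added illustration, not Huawei device code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AclRule:
    number: int      # advanced ACL number, e.g. 3000
    network: str     # destination network as written in the ACL rule
    wildcard: str    # wildcard mask: bits set to 0 must match exactly


def acl_matches(rule: AclRule, dst_ip: str) -> bool:
    """Destination match of an advanced ACL: compare only the bits where the wildcard is 0."""
    net = int(ipaddress.IPv4Address(rule.network))
    wc = int(ipaddress.IPv4Address(rule.wildcard))
    dst = int(ipaddress.IPv4Address(dst_ip))
    mask = 0xFFFFFFFF ^ wc
    return (net & mask) == (dst & mask)


# traffic-group huawei: ACL -> tariff level (values from the example configuration)
TRAFFIC_GROUP = [
    (AclRule(3000, "192.168.100.0", "0.0.0.255"), 1),   # Network 1, free
    (AclRule(3001, "10.102.64.0", "0.0.0.255"), 2),     # Network 2, charged
]

# domain huawei: tariff level -> policy
# level 1: qos-profile huawei (statistics enable) without accounting-on
# level 2: qos-profile huawei (statistics enable) with accounting-on
TARIFF_POLICY = {
    1: {"statistics": True, "accounting": False},
    2: {"statistics": True, "accounting": True},
}


def tariff_level(dst_ip: str):
    """The first matching ACL in the traffic group decides the tariff level; None if unmatched."""
    for rule, level in TRAFFIC_GROUP:
        if acl_matches(rule, dst_ip):
            return level
    return None


@dataclass
class Counters:
    counted: dict = field(default_factory=dict)  # bytes per tariff level (traffic statistics)
    billed: int = 0                               # bytes reported to RADIUS accounting


def account_flows(flows):
    """flows: iterable of (destination IP, byte count) for one Portal user."""
    c = Counters()
    for dst, nbytes in flows:
        level = tariff_level(dst)
        if level is None:
            continue  # assumption: traffic outside both ACLs is not handled by DAA here
        policy = TARIFF_POLICY[level]
        if policy["statistics"]:
            c.counted[level] = c.counted.get(level, 0) + nbytes
        if policy["accounting"]:
            c.billed += nbytes
    return c


# Constructed sample flows (not from the page): free network, charged network, unmatched
SAMPLE_FLOWS = [
    ("192.168.100.25", 5000),
    ("10.102.64.7", 1200),
    ("10.102.64.200", 800),
    ("203.0.113.9", 300),
]

if __name__ == "__main__":
    result = account_flows(SAMPLE_FLOWS)
    print("counted per tariff level:", result.counted)
    print("billed bytes:", result.billed)
```

    With the sample flows, both networks are counted (5000 bytes at level 1, 2000 bytes at level 2) but only the 2000 bytes destined for Network 2 are billed, which is the behaviour the roadmap asks for. The wildcard comparison is the point worth checking when a rule covers more or less than intended: only bits where the wildcard is 0 are compared, so a rule with wildcard 0.0.0.255 cannot distinguish hosts within a /24.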

  4. Configure Portal authentication.

    # Configure the Portal server template abc.
    [Router] web-auth-server abc
    [Router-web-auth-server-abc] server-ip 10.7.66.66
    [Router-web-auth-server-abc] port 50200
    [Router-web-auth-server-abc] url http://10.7.66.66:8080/webagent
    [Router-web-auth-server-abc] shared-key cipher Huawei@123
    [Router-web-auth-server-abc] quit
    
    # Configure the Portal access profile web1.
    [Router] portal-access-profile name web1
    [Router-portal-acces-profile-web1] web-auth-server abc layer3
    [Router-portal-acces-profile-web1] quit
    # Configure the authentication-free rule profile default_free_rule to allow packets to the DNS server to pass through.
    [Router] free-rule-template name default_free_rule
    [Router-free-rule-default_free_rule] free-rule 1 destination ip 10.7.66.65 mask 32
    [Router-free-rule-default_free_rule] quit

    # Configure the authentication profile p1, bind the Portal access profile web1 and authentication-free rule profile default_free_rule to the authentication profile, and specify the domain huawei as the forcible authentication domain in the authentication profile.

    [Router] authentication-profile name p1
    [Router-authen-profile-p1] portal-access-profile web1
    [Router-authen-profile-p1] access-domain huawei force
    [Router-authen-profile-p1] free-rule-template default_free_rule
    [Router-authen-profile-p1] quit

    # Bind the authentication profile p1 to Eth0/0/0 and enable Portal authentication.

    [Router] interface ethernet 0/0/0
    [Router-Ethernet0/0/0] authentication-profile p1
    [Router-Ethernet0/0/0] quit
    

  5. Verify the configuration.

    # Run the display traffic-group name group-name command to check information about the traffic group huawei.

    [Router] display traffic-group name huawei
      ----------------------------------------------------------------------------
      Acl-id                Tariff-level                             
      ----------------------------------------------------------------------------
      3000                      1                          
      3001                      2                     
      ----------------------------------------------------------------------------
      Total: 2  

Configuration Files

Router configuration file

#
 sysname Router
#
authentication-profile name p1
 portal-access-profile web1
 free-rule-template default_free_rule
 access-domain huawei force
#
radius-server template shiva
 radius-server shared-key cipher %^%#}O.80;*E;-a|55;)dmDEL;b!0YmhAPafqkV{CMf;%^%# 
 radius-server authentication 10.7.66.66 1812 weight 80
 radius-server accounting 10.7.66.66 1813 weight 80
#
acl number 3000
 rule 1 permit ip destination 192.168.100.0 0.0.0.255
acl number 3001
 rule 1 permit ip destination 10.102.64.0 0.0.0.255
#
qos-profile huawei 
  statistics enable 
# 
free-rule-template name default_free_rule
 free-rule 1 destination ip 10.7.66.65 mask 255.255.255.255
#
web-auth-server abc
 server-ip 10.7.66.66
 port 50200
 shared-key cipher %^%#'=oP;*.KKUSPqB7M5Cf2G)!!!t/&,$!!!!!!!!!!%^%#
 url http://10.7.66.66:8080/webagent
#
portal-access-profile name web1
 web-auth-server abc layer3
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme abc
  accounting-mode radius
 domain huawei
  authentication-scheme auth
  accounting-scheme abc
  radius-server shiva
  tariff-level 1 qos-profile huawei
  tariff-level 2 qos-profile huawei accounting-on
  statistic enable
#
interface Ethernet0/0/0
 undo portswitch                                                                
 ip address 192.168.10.1 255.255.255.0
 authentication-profile p1 
#
traffic-group huawei
  acl 3000 tariff-level 1
  acl 3001 tariff-level 2
traffic-group huawei enable
#
return
Updated: 2019-08-07

Document ID: EDOC1100034077