
CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Configuring Terminal Access

Access User Authentication

Authentication determines whether users can access a network.

As shown in Figure 4-2, the physical access mode of a user is shielded by the access device, and the Router identifies the encapsulation format of user packets. That is, terminal access distinguishes users by the protocol stack of their packets and can apply a different authentication method to each type of user.

Terminal access supports two authentication modes: PPPoE authentication and Portal authentication.

Figure 4-2  Connecting to the Router using different broadband access modes
  • PPPoE authentication

    In Figure 4-3, PPPoE users connect to the Internet through PPPoE dial-up (in Ethernet or ADSL access mode). When a PPPoE user dials up with client software on the terminal, the Router functions as the PPPoE server and performs PPP authentication for the user, and user information such as the user name and password is authenticated on the AAA server. After a PPPoE user is authenticated, the Router assigns the user an IP address so that the user can access the Internet.

    Figure 4-3  PPPoE authentication process

    For details on PPPoE server configuration, see Configuring the Device as a PPPoE Server in the Huawei AR Series Access Routers Configuration Guide - WAN.

    NOTE:

    In addition to allocating IP addresses to PPPoE clients through the global address pool, the device can also allocate IP addresses to users through domains. That is, an IP address pool is bound to an AAA scheme and the AAA scheme is bound to a domain. When the users in the domain go online, the device allocates IP addresses to the users. The priority of IP addresses allocated through domains is higher than the priority of IP addresses allocated through the global address pool.

    #
    ip pool pool1
     gateway-list 192.168.1.1
     network 192.168.1.0 mask 255.255.255.0  
    #
    aaa
     service-scheme sch1
      ip-pool pool1 
     domain huawei
      service-scheme sch1
    #
  • Portal authentication

    Portal authentication (web authentication): When a user attempts to access an address before being authenticated, the Router forcibly redirects the access request to the Portal server. The user enters a user name and password on the authentication page. After the Router exchanges information with the remote terminal, user information such as the user name and password is authenticated on the AAA server.

    In Figure 4-4, web users log in to the authentication page of the Portal server to access the Internet (in Ethernet or WLAN access mode). After a web user obtains a static IP address or uses DHCP to obtain an IP address, the Portal authentication website is pushed to the user for Portal authentication. The web user can access the Internet only after the authentication succeeds.

    Figure 4-4  Portal authentication process

    For details on Portal authentication configuration, see Configuring NAC in the Huawei AR Series Access Routers Configuration Guide - Security.

NOTE:

The preceding two authentication modes require AAA authentication schemes to complete user authentication. AAA is configured on the Router so that the Router can work with the AAA server. After users enter their user names and passwords, the Router receives the user authentication information and sends it to the AAA server for authentication. If the authentication succeeds, the users can access the Internet.

In Terminal access configuration, you can configure local or RADIUS authentication in an AAA authentication scheme on the Terminal access. For details on AAA authentication scheme configuration, see AAA Configuration in the Huawei AR Series Access Routers Configuration Guide - Security.

Bandwidth limits for access users are delivered to the Router by the AAA server, so you should understand the RADIUS attributes that the Router supports. For details, see RADIUS Attributes in the Huawei AR Series Access Routers Configuration Guide - Security.

In PPPoE authentication, the PPPoE server assigns IP addresses to users using the address negotiation function of the PPP protocol. In Portal authentication, static IP addresses or DHCP must be configured for users before the authentication.

  • For details on how to configure static IP addresses, see IP Address Configuration in the Huawei AR Series Access Routers Configuration Guide - IP Service.
  • For details on how to obtain IP addresses using DHCP, see DHCP Configuration in the Huawei AR Series Access Routers Configuration Guide - IP Service.

User Access Management

After access users go online, the Router uses AAA to manage the users. For example, the Router charges users for the network resources they use, controls bandwidth of online users, and forces users to go offline.

  • Managing access users based on domains

    In addition to authentication, AAA provides two further security functions: authorization and accounting. AAA manages users based on domains, and user authentication, authorization, and accounting are all implemented per domain. All authentication, authorization, and accounting schemes for access users are created in the AAA view, and the corresponding schemes are referenced in the domain view.

    For example, users in the same domain can access the same websites, share the same accounting policies, and share the same bandwidth.

    NOTE:

    Authorization information configured in a domain has a lower priority than authorization information delivered by an AAA server; that is, the authorization information delivered by the AAA server is used preferentially. When the AAA server does not have or does not support authorization, the authorization attributes configured in the domain take effect. In this way, you can extend services flexibly through domain management, regardless of the authorization attributes the AAA server provides.

  • Charging access users based on their network resource usage

    • The Router performs remote accounting based on traffic or online duration through a RADIUS server.

      For the AAA accounting scheme configuration, see Using RADIUS to Perform Authentication, Authorization, and Accounting in the Huawei AR Series Access Routers Configuration Guide - Security.

    • Destination address accounting (DAA)

      In traffic-based accounting, if DAA is configured, users can access specified destination addresses (for example, internal network resources) for free. When users access external networks, the Router charges the users based on the access traffic.

      For the DAA configuration, see Configuring DAA in the Huawei AR Series Access Routers Configuration Guide - Security.

  • Controlling access user bandwidth

    • When selecting an AAA authentication scheme in local mode:

      Create a QoS profile on the Router to specify the uplink and downlink traffic limits for each user and bind the QoS profile to the AAA service scheme. After that, access users in different domains have different bandwidths.

      1. Create a QoS profile to specify the uplink and downlink traffic limits.

        <Huawei> system-view
        [Huawei] qos-profile profile1
        [Huawei-qos-profile-profile1] car cir 200 pir 300 cbs 1500 pbs 3500 outbound
        [Huawei-qos-profile-profile1] car cir 200 pir 300 cbs 1500 pbs 3500 inbound
        [Huawei-qos-profile-profile1] quit
      2. Create an AAA service scheme and bind the QoS profile to the scheme.

        [Huawei] aaa
        [Huawei-aaa] service-scheme scheme1
        [Huawei-aaa-service-scheme1] qos-profile profile1
        [Huawei-aaa-service-scheme1] quit
      3. Create an AAA domain and bind the AAA service scheme to the domain.

        [Huawei-aaa] domain huawei
        [Huawei-aaa-domain-huawei] service-scheme scheme1
        
    • When selecting an AAA authentication scheme in RADIUS mode:

      The AAA server delivers bandwidth limits to the corresponding domains so that access users in different domains have different bandwidths.
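The IP pool note earlier in this section and the three bandwidth-control steps above rely on the same binding chain: a domain references a service scheme, and the service scheme references an IP pool and a QoS profile. A domain whose chain is broken silently falls back to the global address pool or gets no per-domain CAR limit. The following Python script is an added example, not Huawei code or part of this guide: it parses a VRP-style configuration assembled from the snippets in this section (with two constructed, deliberately misconfigured domains, `guest` and `orphan`, added for illustration), follows the chain for each domain, and reports dangling references. The function names `parse_config` and `resolve_domains`, the report layout and the sample configuration are this example's own assumptions.

```python
"""Added example (not Huawei's code): follow domain -> service-scheme ->
ip-pool / qos-profile in a VRP-style configuration and report what each
AAA domain actually binds, including dangling references."""
import re

# Constructed sample: the snippets from this section, plus two deliberately
# misconfigured domains ('guest', 'orphan') so the checks have something to find.
SAMPLE_CONFIG = """\
#
ip pool pool1
 gateway-list 192.168.1.1
 network 192.168.1.0 mask 255.255.255.0
#
qos-profile profile1
 car cir 200 pir 300 cbs 1500 pbs 3500 outbound
 car cir 200 pir 300 cbs 1500 pbs 3500 inbound
#
aaa
 service-scheme sch1
  ip-pool pool1
  qos-profile profile1
 service-scheme sch2
  ip-pool pool9
 domain huawei
  service-scheme sch1
 domain guest
  service-scheme sch2
 domain orphan
#
"""

CAR_RE = re.compile(r"car cir (?P<cir>\d+) pir (?P<pir>\d+) cbs (?P<cbs>\d+) "
                    r"pbs (?P<pbs>\d+) (?P<direction>inbound|outbound)$")


def parse_config(text):
    """Split the config into pools, QoS profiles, service schemes and domains.
    VRP indents one space per nesting level and separates blocks with '#'."""
    cfg = {"ip_pools": {}, "qos_profiles": {}, "service_schemes": {}, "domains": {}}
    block = None  # current top-level block: ("ip_pool" | "qos" | "aaa", name)
    sub = None    # current sub-block inside aaa: ("service_schemes" | "domains", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            block = sub = None
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        words = line.split()
        if indent == 0:
            sub = None
            if words[:2] == ["ip", "pool"]:
                block, cfg["ip_pools"][words[2]] = ("ip_pool", words[2]), {}
            elif words[0] == "qos-profile":
                block, cfg["qos_profiles"][words[1]] = ("qos", words[1]), {}
            elif words[0] == "aaa":
                block = ("aaa", None)
            else:
                block = None  # a block this example does not model
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "ip_pool" and words[0] == "gateway-list":
            cfg["ip_pools"][name]["gateway"] = words[1]
        elif kind == "ip_pool" and words[0] == "network":
            cfg["ip_pools"][name]["network"] = words[1] + "/" + words[3]
        elif kind == "qos" and (m := CAR_RE.match(line)):
            # keep cir/pir/cbs/pbs per direction as integers
            cfg["qos_profiles"][name][m["direction"]] = {
                k: int(v) for k, v in m.groupdict().items() if k != "direction"}
        elif kind == "aaa" and indent == 1:
            if words[0] in ("service-scheme", "domain") and len(words) > 1:
                key = "service_schemes" if words[0] == "service-scheme" else "domains"
                sub, cfg[key][words[1]] = (key, words[1]), {}
            else:
                sub = None  # e.g. authentication-scheme, not modelled here
        elif kind == "aaa" and sub is not None and len(words) > 1:
            cfg[sub[0]][sub[1]][words[0]] = words[1]  # e.g. ip-pool -> pool1
    return cfg


def resolve_domains(cfg):
    """Per domain: the bound scheme, the pool and QoS profile it yields, and problems."""
    report = {}
    for dom, attrs in cfg["domains"].items():
        entry = report[dom] = {"service_scheme": None, "ip_pool": None,
                               "qos_profile": None, "problems": []}
        scheme = attrs.get("service-scheme")
        if scheme is None:
            entry["problems"].append("no service-scheme: users get global-pool "
                                     "addresses and no per-domain CAR")
            continue
        entry["service_scheme"] = scheme
        sdef = cfg["service_schemes"].get(scheme)
        if sdef is None:
            entry["problems"].append(f"service-scheme {scheme} is not defined")
            continue
        # (config keyword, report field, table of defined objects)
        for key, field, table in (("ip-pool", "ip_pool", "ip_pools"),
                                  ("qos-profile", "qos_profile", "qos_profiles")):
            ref = sdef.get(key)
            if ref is None:
                continue
            if ref in cfg[table]:
                entry[field] = {"name": ref, **cfg[table][ref]}
            else:
                entry["problems"].append(f"{key} {ref} is referenced but not defined")
    return report
```

To review a live device, save the output of `display current-configuration` to a file and pass its contents to `parse_config` instead of `SAMPLE_CONFIG`; on the sample, `huawei` resolves cleanly to `pool1` and `profile1`, `guest` is flagged because `pool9` is never defined, and `orphan` is flagged because it binds no service scheme at all.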

Updated: 2019-08-07

Document ID: EDOC1100034077