
CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Configuring Terminal access in Which Portal Authentication Is Used

Networking Requirements

As shown in Figure 4-5, terminal users of an enterprise access the Internet through the Router (functioning as the egress gateway and access device). The Router needs to authenticate, charge, and manage users.

The enterprise requires that:

  • Portal authentication should be used for terminal users. The Router should allow only authenticated users to access the Internet.
  • The Router should not charge users for intranet (192.168.100.0/24) access, and should charge the users based on duration when they access external networks.
  • If an online user is identified as unauthorized, the administrator must be able to force that user offline by specifying the user's IP address.
Figure 4-5  Configuring terminal access in which Portal authentication is used

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the AAA authentication and accounting schemes in RADIUS mode so that the Router and the RADIUS server can exchange authentication and accounting information.
  2. Configure Portal authentication to authenticate access users.
  3. Configure destination address accounting (DAA) so that the Router does not charge users for intranet (192.168.100.0/24) access and charges them based on duration when they access external networks.
  4. Force the unauthorized user with the IP address 192.168.1.3 to go offline.

Procedure

  1. Create VLANs and configure interfaces to allow the VLANs to ensure network communication.

    # Create VLAN 10 and VLAN 20.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] vlan batch 10 20
    

    # On the Router, configure the interface connected to users as a trunk interface and add the interface to VLAN 10.

    [Router] interface ethernet 2/0/0
    [Router-Ethernet2/0/0] port link-type trunk
    [Router-Ethernet2/0/0] undo port trunk allow-pass vlan 1
    [Router-Ethernet2/0/0] port trunk allow-pass vlan 10
    [Router-Ethernet2/0/0] quit

    # On the Router, configure the interface connected to the RADIUS server as a trunk interface and add the interface to VLAN 20.

    [Router] interface ethernet 2/0/1
    [Router-Ethernet2/0/1] port link-type trunk
    [Router-Ethernet2/0/1] undo port trunk allow-pass vlan 1
    [Router-Ethernet2/0/1] port trunk allow-pass vlan 20
    [Router-Ethernet2/0/1] quit

    # Create VLANIF 10 and VLANIF 20, and assign IP addresses to the VLANIF interfaces so that reachable routes can be set up between the terminals, Router, and enterprise internal servers.

    [Router] interface vlanif 10
    [Router-Vlanif10] ip address 192.168.1.20 24
    [Router-Vlanif10] quit
    [Router] interface vlanif 20
    [Router-Vlanif20] ip address 192.168.2.29 24
    [Router-Vlanif20] quit
    

  2. Create and configure a RADIUS server template, AAA authentication and accounting schemes, and an authentication domain.

    NOTE:

    Ensure that the shared key in the RADIUS server template is the same as on the RADIUS server. The shared key authenticates RADIUS packets between the Router and the server and protects the user password carried in Access-Request packets; Huawei@1234 is a sample value only, so use a long random key in production.

    # Create and configure the RADIUS server template rd1.

    [Router] radius-server template rd1
    [Router-radius-rd1] radius-server authentication 192.168.2.30 1812
    [Router-radius-rd1] radius-server accounting 192.168.2.30 1813
    [Router-radius-rd1] radius-server shared-key cipher Huawei@1234
    [Router-radius-rd1] quit

    # Create an AAA scheme, configure the authentication scheme auth, and set the authentication mode to RADIUS authentication.

    [Router] aaa
    [Router-aaa] authentication-scheme auth
    [Router-aaa-authen-auth] authentication-mode radius
    [Router-aaa-authen-auth] quit

    # Configure the accounting scheme abc in the AAA scheme and set the accounting mode to RADIUS accounting.

    [Router-aaa] accounting-scheme abc
    [Router-aaa-accounting-abc] accounting-mode radius
    [Router-aaa-accounting-abc] quit

    # Configure the AAA domain isp1, and apply the authentication scheme auth, accounting scheme abc, and RADIUS server template rd1 to the domain.

    [Router-aaa] domain isp1
    [Router-aaa-domain-isp1] authentication-scheme auth
    [Router-aaa-domain-isp1] accounting-scheme abc
    [Router-aaa-domain-isp1] radius-server rd1
    [Router-aaa-domain-isp1] quit
    [Router-aaa] quit

    # Configure isp1 as the global default domain. During access authentication, enter a user name in the format user@isp1 to perform AAA authentication in the domain isp1. If the user name does not contain a domain name or contains an invalid domain name, the user is authenticated in the default domain.

    [Router] domain isp1

  3. Configure Portal authentication.

    # Create and configure a Portal server template abc.

    [Router] web-auth-server abc
    [Router-web-auth-server-abc] server-ip 192.168.2.20
    [Router-web-auth-server-abc] port 50200
    [Router-web-auth-server-abc] url http://192.168.2.20:8080/webagent
    

    # Set the shared key that the device uses to exchange information with the Portal server to Huawei@1234 in cipher text. The same key must be configured on the Portal server.

    [Router-web-auth-server-abc] shared-key cipher Huawei@1234
    
    # Enable Portal server detection (the Router logs an event when the server stops responding) and user information synchronization between the Router and the Portal server.
    [Router-web-auth-server-abc] server-detect action log
    [Router-web-auth-server-abc] user-sync
    [Router-web-auth-server-abc] quit
    

    # Enable Portal authentication on VLANIF 10, the interface facing terminal users, in direct (Layer 2) mode. Unauthenticated users on this interface are redirected to the Portal server URL configured above.

    [Router] interface vlanif 10 
    [Router-Vlanif10] web-auth-server abc direct
    [Router-Vlanif10] quit
    

  4. Configure DAA.

    # Configure the traffic identification rule ACL 3000 to identify the traffic destined for the internal network segment 192.168.100.0/24.

    [Router] acl 3000
    [Router-acl-adv-3000] rule 5 permit ip destination 192.168.100.0 0.0.0.255
    [Router-acl-adv-3000] quit
    

    # Create the traffic group huawei, bind ACL 3000 (internal network access) to tariff level 1, and enable the traffic group.

    [Router] traffic-group huawei
    [Router-traffic-group-huawei] acl 3000 tariff-level 1
    [Router-traffic-group-huawei] quit
    [Router] traffic-group huawei enable
    
    # Enable traffic statistics in domain isp1 so that traffic not matching ACL 3000 is accounted:
    • For traffic of tariff level 1 (intranet access), traffic statistics are not collected and no accounting is performed.
    • For all other traffic, the device collects traffic statistics and reports them to the RADIUS accounting server.
    [Router] aaa
    [Router-aaa] domain isp1
    [Router-aaa-domain-isp1] statistic enable
    [Router-aaa-domain-isp1] quit
    

  5. Force the access user with the IP address 192.168.1.3 to go offline. This is an operational command run in the AAA view; it takes effect immediately and is not saved in the configuration file.

    [Router-aaa] cut access-user ip-address 192.168.1.3
    [Router-aaa] quit
    [Router] quit
    

  6. Verify the configuration.

    # Run the display web-auth-server configuration command to check the configuration of the Portal server.

    <Router> display web-auth-server configuration
      Listening port        : 2000                                                  
      Portal                : version 1, version 2                                  
      Include reply message : enabled                                               
                                                                                    
    ------------------------------------------------------------------------------- 
      Web-auth-server Name : abc                                                    
      IP-address           : 192.168.2.20                                           
      Shared-key           : %^%#s@<60z+%'"EJI#4KOij5M)"m&9%"k:63Vl+xTc"K%^%#                       
      Source-IP            : -                                                      
      Port / PortFlag      : 50200 / NO                                             
      URL                  : http://192.168.2.20:8080/webagent                      
      URL Template         :                                                        
      Redirection          : Enable                                                 
      Sync                 : Enable                                                 
      Sync Seconds         : 300                                                    
      Sync Max-times       : 3                                                      
      Detect               : Enable                                                 
      Detect Seconds       : 60                                                     
      Detect Max-times     : 3                                                      
      Detect Critical-num  : 0                                                      
      Detect Action        : log                                                    
      Bound Vlanif         : 10                                                     
      VPN Instance         :                                                        
      Bound Interface      :                                                        
                                                                                    
                                                                                    
    ------------------------------------------------------------------------------- 
      1 Web authentication server(s) in total                                       

    # Run the display traffic-group name command to check information about the traffic group huawei.

    <Router> display traffic-group name huawei
      ----------------------------------------------------------------------------  
      Acl-id                Tariff-level                                            
      ----------------------------------------------------------------------------  
      3000                      1                                                   
      ----------------------------------------------------------------------------  
      Total: 1                                                                   

    # After the user goes online, run the display access-user command to check traffic statistics at each tariff level.
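The tariff decision in step 4 depends on ACL wildcard semantics, which the page does not spell out. The following Python script is an added example, not Huawei code: it replays first-match ACL evaluation and the traffic-group lookup for a few constructed destination addresses, and adds a constructed ACL 3001 that mistakenly uses a subnet mask (255.255.255.0) where a wildcard belongs, to show how that silently changes which traffic is free of charge. The rule-ordering and wildcard semantics are stated as assumptions in the code.

```python
"""Added example, not Huawei code: replay the DAA tariff decision of step 4 offline.

ACL semantics assumed here (not stated on the page): rules are evaluated in
ascending rule-ID order, the first match wins, and the address argument is a
wildcard mask in which a 1 bit means 'do not compare'. Traffic that matches no
tariff ACL is accounted as ordinary external traffic. ACL 3001 and the flows in
main() are constructed sample data.
"""
import ipaddress
import re

RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip destination (\S+) (\S+)")

# Traffic group as configured in step 4: ACL number -> tariff level.
TRAFFIC_GROUP = {3000: 1}

# ACL bodies in the page's CLI syntax. 3000 is the page's rule; 3001 is a
# constructed variant that writes a subnet mask where a wildcard belongs.
ACLS = {
    3000: ["rule 5 permit ip destination 192.168.100.0 0.0.0.255"],
    3001: ["rule 5 permit ip destination 192.168.100.0 255.255.255.0"],
}


def wildcard_match(ip, base, wildcard):
    """Compare only the address bits that are 0 in the wildcard mask."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(ip)) & care == int(ipaddress.IPv4Address(base)) & care


def parse_rule(line):
    """'rule <id> <permit|deny> ip destination <addr> <wildcard>' -> tuple."""
    m = RULE_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    rule_id, action, base, wildcard = m.groups()
    return int(rule_id), action, base, wildcard


def acl_permits(rules, dst_ip):
    """First match in rule-ID order: True/False, or None if no rule matches."""
    for _, action, base, wildcard in sorted(parse_rule(r) for r in rules):
        if wildcard_match(dst_ip, base, wildcard):
            return action == "permit"
    return None


def tariff_level(dst_ip, traffic_group=TRAFFIC_GROUP, acls=ACLS):
    """Tariff level for traffic to dst_ip, or None for ordinary accounted traffic."""
    for acl_no, level in traffic_group.items():
        if acl_permits(acls[acl_no], dst_ip):
            return level
    return None


if __name__ == "__main__":
    flows = ["192.168.100.7", "192.168.1.3", "203.0.113.5", "10.20.30.0"]
    for name, group in (("page ACL 3000", {3000: 1}), ("mask-as-wildcard ACL 3001", {3001: 1})):
        print(name, {ip: tariff_level(ip, group) for ip in flows})
```

With the page's ACL 3000, only 192.168.100.0/24 is assigned tariff level 1 and everything else is accounted. With the mask-as-wildcard variant, 192.168.100.7 is charged while any address ending in .0 anywhere on the Internet becomes free, which is the kind of silent accounting gap the display traffic-group output in step 6 will not reveal.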

Configuration Files

Configuration files on Router

#                                                                               
 sysname Router
# 
vlan batch 10 20  
#                                                                               
domain isp1
#                                                                                             
radius-server template rd1                                                      
 radius-server shared-key cipher %^%#s@<60z+%'"EJI#4KOij5M)"m&9%"k:63Vl+xTc"K%^%#               
 radius-server authentication 192.168.2.30 1812 weight 80                       
 radius-server accounting 192.168.2.30 1813 weight 80                           
#
acl number 3000                                                                 
 rule 5 permit ip destination 192.168.100.0 0.0.0.255                           
#
web-auth-server abc                                                             
 server-ip 192.168.2.20                                                         
 port 50200                                                                     
 shared-key cipher %^%#s@<60z+%'"EJI#4KOij5M)"m&9%"k:63Vl+xTc"K%^%#                             
 url http://192.168.2.20:8080/webagent
 server-detect action log
 user-sync
#                               
aaa                                                                             
 authentication-scheme auth                                                     
  authentication-mode radius                                                    
 accounting-scheme abc                                                          
  accounting-mode radius                                                        
 domain isp1                                                                    
  authentication-scheme auth                                                    
  accounting-scheme abc                                                         
  radius-server rd1                                                             
  statistic enable                                                              
#
interface Vlanif10                                                              
 ip address 192.168.1.20 255.255.255.0 
 web-auth-server abc direct  
#                                                                               
interface Vlanif20                                                              
 ip address 192.168.2.29 255.255.255.0 
#
interface Ethernet2/0/0
 port link-type trunk                                                           
 undo port trunk allow-pass vlan 1                                              
 port trunk allow-pass vlan 10 
#                                                                              
interface Ethernet2/0/1            
 port link-type trunk                                                           
 undo port trunk allow-pass vlan 1                                              
 port trunk allow-pass vlan 20
# 
traffic-group huawei                                                            
  acl 3000 tariff-level 1                                                       
traffic-group huawei enable                                                     
# 
return
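To catch a drifted or hand-edited configuration before terminals are placed behind it, the following Python script (an added example, not Huawei code) parses a configuration file in the layout shown above and checks the properties this example relies on: cipher-text shared keys in the RADIUS and Portal templates, domain isp1 wired to its schemes and template and set as the global default domain, Portal authentication bound to every user-facing VLANIF, VLAN 1 pruned from trunk interfaces, and the traffic group enabled. The block structure it assumes, the USER_VLANIFS list, and the trimmed SAMPLE_CONFIG with placeholder cipher text are assumptions, not taken from the device.

```python
"""Added example, not Huawei code: audit the configuration file above for the
properties this example depends on. Assumptions not from the page: blocks are
separated by '#' lines, indentation shows nesting, USER_VLANIFS lists the
interfaces carrying portal users, and cipher keys are placeholders."""
import re

USER_VLANIFS = ("Vlanif10",)  # assumption: VLANIFs on which portal must be enforced

# Constructed sample: the page's configuration file trimmed to the checked blocks.
SAMPLE_CONFIG = """\
domain isp1
#
radius-server template rd1
 radius-server shared-key cipher %^%#CIPHERTEXT%^%#
 radius-server authentication 192.168.2.30 1812 weight 80
 radius-server accounting 192.168.2.30 1813 weight 80
#
web-auth-server abc
 shared-key cipher %^%#CIPHERTEXT%^%#
#
aaa
 authentication-scheme auth
  authentication-mode radius
 domain isp1
  authentication-scheme auth
  accounting-scheme abc
  radius-server rd1
  statistic enable
#
interface Vlanif10
 web-auth-server abc direct
#
interface Ethernet2/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10
#
traffic-group huawei
  acl 3000 tariff-level 1
traffic-group huawei enable
"""

def parse_blocks(text):
    """Split a configuration into (header, [(indent, command), ...]) blocks."""
    blocks, current = [], None
    for raw in text.splitlines():
        cmd, indent = raw.strip(), len(raw) - len(raw.lstrip(" "))
        if cmd in ("", "#"):
            current = None
        elif current is None or indent == 0:
            current = (cmd, [])
            blocks.append(current)
        else:
            current[1].append((indent, cmd))
    return blocks

def commands(blocks, header, sub=None):
    """Commands of block `header`; with `sub`, only those nested under that line."""
    for h, lines in blocks:
        if h != header:
            continue
        out, depth = [], (-1 if sub is None else None)
        for indent, cmd in lines:
            if depth is not None:
                if indent <= depth:
                    break
                out.append(cmd)
            elif cmd == sub:
                depth = indent
        return out
    return None

def audit(text, user_vlanifs=USER_VLANIFS):
    """Findings as strings; an empty list means the config matches the example."""
    blocks, found = parse_blocks(text), []
    headers = [h for h, _ in blocks]
    rad = commands(blocks, "radius-server template rd1") or []
    portal = commands(blocks, "web-auth-server abc") or []
    for name, cmds, prefix in (("rd1", rad, "radius-server "), ("abc", portal, "")):
        if not any(c.startswith(prefix + "shared-key cipher ") for c in cmds):
            found.append(f"{name}: shared key missing or not stored as cipher text")
    dom = commands(blocks, "aaa", "domain isp1") or []
    for need in ("authentication-scheme auth", "accounting-scheme abc",
                 "radius-server rd1", "statistic enable"):
        if need not in dom:
            found.append(f"domain isp1: missing '{need}'")
    if "domain isp1" not in headers:
        found.append("isp1 is not the global default domain")
    for vlanif in user_vlanifs:
        cmds = commands(blocks, f"interface {vlanif}") or []
        if not any(c.startswith("web-auth-server ") for c in cmds):
            found.append(f"{vlanif}: no portal binding, users bypass authentication")
    for h, lines in blocks:
        cmds = [c for _, c in lines]
        if "port link-type trunk" in cmds and "undo port trunk allow-pass vlan 1" not in cmds:
            found.append(f"{h}: VLAN 1 still allowed on the trunk")
    if "traffic-group huawei enable" not in headers:
        found.append("traffic group huawei is defined but not enabled")
    return found

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "no findings")
```

Run it against the output of display current-configuration saved to a file; the check that matters most is the VLANIF one, since a user-facing interface without the web-auth-server binding lets terminals reach the Internet without ever seeing the Portal page.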
Updated: 2019-08-07

Document ID: EDOC1100034077

Views: 137328

Downloads: 244

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next