NE40E V800R010C10SPC500 Configuration Guide - User Access 01

Example for Configuring the IPoE Access Service for VPN Users by Using Web Authentication

This section provides an example for configuring IPoE access to a VPN by using Web authentication, including the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

The networking is shown in Figure 6-5. The requirements are as follows:

  • The user belongs to domain isp2 and accesses the Internet by using GE 1/0/2 on the router in IPoE mode.

  • The user adopts Web authentication, RADIUS authentication, and RADIUS accounting.

  • The IP address of the RADIUS server is 192.168.8.249. The authentication port number is 1812 and the accounting port number is 1813. The standard RADIUS protocol is used. The shared key is it-is-my-secret1.

  • The user is a VPN user and belongs to a VPN instance named vpn1.

  • The IP address of the DNS server is 192.168.8.252.

  • The IP address of the Web authentication server is 192.168.8.251 and the key is webvlan.

  • The network-side interface is GE 1/0/1.

Figure 6-5 Networking for configuring the IPoE access service
NOTE:

Interfaces 1 and 2 in this example are GE 1/0/1 and GE 1/0/2, respectively.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a VPN instance.

  2. Configure authentication and accounting schemes.

  3. Configure a RADIUS server group.

  4. Configure an address pool.

  5. Configure a pre-authentication domain and an authentication domain for Web authentication.

  6. Configure the Web authentication server.

  7. Configure ACL rules and traffic policies.

  8. Configure a BAS interface and an upstream interface.

Data Preparation

To complete the configuration, you need the following data:

  • VPN instance name, RD, and VPN target

  • Authentication template name and authentication mode

  • Accounting template name and accounting mode

  • RADIUS server group name, and IP addresses and port numbers of the RADIUS authentication server and accounting server

  • IP address pool name, gateway address, and DNS server address

  • Domain name

  • Web authentication server address

  • ACL rules

  • Traffic policy

  • BAS interface parameters

Procedure

  1. Configure a VPN instance.

    <HUAWEI> system-view
    [~HUAWEI] ip vpn-instance vpn1
    [*HUAWEI-vpn-instance-vpn1] ipv4-family
    [*HUAWEI-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
    [*HUAWEI-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both
    [*HUAWEI-vpn-instance-vpn1-af-ipv4] commit
    [~HUAWEI-vpn-instance-vpn1-af-ipv4] quit
    [~HUAWEI-vpn-instance-vpn1] quit

  2. Configure AAA schemes.

    # Configure an authentication scheme.

    <HUAWEI> system-view
    [~HUAWEI] aaa
    [*HUAWEI-aaa] authentication-scheme auth2
    [*HUAWEI-aaa-authen-auth2] authentication-mode radius
    [*HUAWEI-aaa-authen-auth2] commit
    [~HUAWEI-aaa-authen-auth2] quit

    # Configure an accounting scheme.

    [~HUAWEI-aaa] accounting-scheme acct2
    [*HUAWEI-aaa-accounting-acct2] accounting-mode radius
    [*HUAWEI-aaa-accounting-acct2] commit
    [~HUAWEI-aaa-accounting-acct2] quit
    [~HUAWEI-aaa] quit

  3. Configure a RADIUS server group.

    [~HUAWEI] radius-server group rd2
    [*HUAWEI-radius-rd2] radius-server authentication 192.168.8.249 1812
    [*HUAWEI-radius-rd2] radius-server accounting 192.168.8.249 1813
    [*HUAWEI-radius-rd2] radius-server type standard
    [*HUAWEI-radius-rd2] radius-server shared-key-cipher it-is-my-secret1
    [*HUAWEI-radius-rd2] commit
    [~HUAWEI-radius-rd2] quit

  4. Configure an address pool.

    [~HUAWEI] ip pool pool2 bas local
    [*HUAWEI-ip-pool-pool2] gateway 10.82.1.1 255.255.255.0
    [*HUAWEI-ip-pool-pool2] section 0 10.82.1.2 10.82.1.200
    [*HUAWEI-ip-pool-pool2] dns-server 192.168.8.252
    [*HUAWEI-ip-pool-pool2] vpn-instance vpn1
    [*HUAWEI-ip-pool-pool2] commit
    [~HUAWEI-ip-pool-pool2] quit

  5. Configure a domain.

    # Configure domain default0 as the pre-authentication domain for Web authentication.

    [~HUAWEI] user-group web-before
    [*HUAWEI] aaa
    [*HUAWEI-aaa] http-redirect enable
    [*HUAWEI-aaa] domain default0
    [*HUAWEI-aaa-domain-default0] ip-pool pool2
    [*HUAWEI-aaa-domain-default0] user-group web-before
    [*HUAWEI-aaa-domain-default0] web-server 192.168.8.251
    [*HUAWEI-aaa-domain-default0] web-server url http://192.168.8.251
    [*HUAWEI-aaa-domain-default0] vpn-instance vpn1
    [*HUAWEI-aaa-domain-default0] http-hostcar enable
    [*HUAWEI-aaa-domain-default0] commit
    [~HUAWEI-aaa-domain-default0] quit

    # Configure domain isp2 as the authentication domain for Web authentication.

    [~HUAWEI-aaa] domain isp2
    [*HUAWEI-aaa-domain-isp2] authentication-scheme auth2
    [*HUAWEI-aaa-domain-isp2] accounting-scheme acct2
    [*HUAWEI-aaa-domain-isp2] radius-server group rd2
    [*HUAWEI-aaa-domain-isp2] vpn-instance vpn1
    [*HUAWEI-aaa-domain-isp2] commit
    [~HUAWEI-aaa-domain-isp2] quit
    [~HUAWEI-aaa] quit
    NOTE:

    If the reallocate-ip-address command has been run in the Web authentication domain isp2 to enable secondary address allocation, domain isp2 must be bound to an address pool. Secondary address allocation is optional. Normally, a private network address is allocated in the pre-authentication domain before authentication, and a public network address is allocated in the authentication domain after authentication; this alleviates the shortage of public network addresses and increases their utilization.

    However, secondary address allocation requires the Web server to implement the Huawei proprietary protocol for secondary address allocation, and the client must download the plug-in from the Web server.

  6. Configure the Web authentication server.

    [~HUAWEI] web-auth-server 192.168.8.251 key webvlan

  7. Configure an ACL.

    # Configure ACL rules.

    [~HUAWEI] acl number 6000
    [*HUAWEI-acl-ucl-6000] rule 20 permit tcp source user-group web-before destination-port eq www
    [*HUAWEI-acl-ucl-6000] commit
    [~HUAWEI-acl-ucl-6000] quit
    [~HUAWEI] acl number 6001
    [*HUAWEI-acl-ucl-6001] rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
    [*HUAWEI-acl-ucl-6001] rule 10 permit ip source user-group web-before destination ip-address 192.168.8.252 0
    [*HUAWEI-acl-ucl-6001] rule 15 permit ip source user-group web-before destination ip-address 127.0.0.1 0
    [*HUAWEI-acl-ucl-6001] commit
    [~HUAWEI-acl-ucl-6001] quit
    [~HUAWEI] acl number 6002
    [*HUAWEI-acl-ucl-6002] rule 30 permit ip source user-group web-before destination ip-address any
    [*HUAWEI-acl-ucl-6002] rule 35 permit ip source ip-address any destination user-group web-before
    [*HUAWEI-acl-ucl-6002] commit
    [~HUAWEI-acl-ucl-6002] quit

    # Configure a traffic policy.

    [~HUAWEI] traffic classifier c1
    [*HUAWEI-classifier-c1] if-match acl 6000
    [*HUAWEI-classifier-c1] commit
    [~HUAWEI-classifier-c1] quit
    [~HUAWEI] traffic classifier c2
    [*HUAWEI-classifier-c2] if-match acl 6001
    [*HUAWEI-classifier-c2] commit
    [~HUAWEI-classifier-c2] quit
    [~HUAWEI] traffic classifier c3
    [*HUAWEI-classifier-c3] if-match acl 6002
    [*HUAWEI-classifier-c3] commit
    [~HUAWEI-classifier-c3] quit
    [~HUAWEI] traffic behavior deny1
    [*HUAWEI-behavior-deny1] http-redirect plus
    [*HUAWEI-behavior-deny1] commit
    [~HUAWEI-behavior-deny1] quit
    [~HUAWEI] traffic behavior perm1
    [*HUAWEI-behavior-perm1] permit
    [*HUAWEI-behavior-perm1] commit
    [~HUAWEI-behavior-perm1] quit
    [~HUAWEI] traffic behavior deny2
    [*HUAWEI-behavior-deny2] deny
    [*HUAWEI-behavior-deny2] commit
    [~HUAWEI-behavior-deny2] quit
    [~HUAWEI] traffic policy action1
    [*HUAWEI-policy-action1] share-mode
    [*HUAWEI-policy-action1] classifier c2 behavior perm1
    [*HUAWEI-policy-action1] classifier c1 behavior deny1
    [*HUAWEI-policy-action1] classifier c3 behavior deny2
    [*HUAWEI-policy-action1] commit
    [~HUAWEI-policy-action1] quit

    # Apply the traffic policy globally.

    [~HUAWEI] traffic-policy action1 inbound
    [*HUAWEI] traffic-policy action1 outbound
    [*HUAWEI] commit

  8. Configure interfaces.

    # Configure a BAS interface.

    [~HUAWEI] interface gigabitethernet1/0/2
    [*HUAWEI-GigabitEthernet1/0/2] bas
    [*HUAWEI-GigabitEthernet1/0/2-bas] access-type layer2-subscriber
    [*HUAWEI-GigabitEthernet1/0/2-bas] authentication-method web
    [*HUAWEI-GigabitEthernet1/0/2-bas] default-domain authentication isp2
    [*HUAWEI-GigabitEthernet1/0/2-bas] commit
    [~HUAWEI-GigabitEthernet1/0/2-bas] quit
    [~HUAWEI-GigabitEthernet1/0/2] quit

    # Configure an upstream interface.

    NOTE:

    The upstream interface is connected to the MPLS network; its configuration is not covered here. For details, see the chapter "BGP/MPLS IP VPN" in the HUAWEI NetEngine40E Universal Service Router Configuration Guide - VPN.

    [~HUAWEI] interface GigabitEthernet 1/0/1
    [*HUAWEI-GigabitEthernet1/0/1] ip address 192.168.8.1 255.255.255.0
    [*HUAWEI-GigabitEthernet1/0/1] commit
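The pre-authentication policy in step 7 only isolates unauthenticated users correctly because classifier c2 (permit to the portal and DNS server) is bound before c1 (redirect all other HTTP) and c3 (deny everything else). The following Python model is added here and is not part of Huawei's documentation or the router's software; it walks constructed packets from a subscriber in user-group web-before through the three ACLs in policy order, and also shows what happens if c1 were bound ahead of c2 (a hypothetical ordering, not the page's). It models the inbound direction only and treats a subscriber with no user group as already authenticated.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    """Constructed packet seen inbound on the BAS interface."""
    proto: str                 # "tcp", "udp" or "icmp"
    src_group: Optional[str]   # user group of the sender; None once authenticated
    dst: str                   # destination IPv4 address
    dst_port: Optional[int] = None

# ACL 6000, rule 20: TCP from user-group web-before to destination-port www (80)
def acl_6000(p: Packet) -> bool:
    return p.proto == "tcp" and p.src_group == "web-before" and p.dst_port == 80

# ACL 6001, rules 5/10/15: any IP from web-before to portal, DNS server or loopback
PRE_AUTH_DESTINATIONS = {"192.168.8.251", "192.168.8.252", "127.0.0.1"}

def acl_6001(p: Packet) -> bool:
    return p.src_group == "web-before" and p.dst in PRE_AUTH_DESTINATIONS

# ACL 6002, rule 30: any IP from web-before to any destination
def acl_6002(p: Packet) -> bool:
    return p.src_group == "web-before"

Classifier = Tuple[str, Callable[[Packet], bool], str]

# traffic policy action1 as bound on the page: (classifier, ACL, behavior action)
ACTION1: List[Classifier] = [
    ("c2", acl_6001, "permit"),          # behavior perm1
    ("c1", acl_6000, "http-redirect"),   # behavior deny1 (http-redirect plus)
    ("c3", acl_6002, "deny"),            # behavior deny2
]

# Hypothetical mis-ordering, used only to show why c2 must precede c1
MISORDERED: List[Classifier] = [ACTION1[1], ACTION1[0], ACTION1[2]]

def classify(p: Packet, policy: List[Classifier] = ACTION1) -> str:
    """Return the behavior action of the first classifier whose ACL matches."""
    for _name, matches, action in policy:
        if matches(p):
            return action
    # Nothing matched: the sender is not in web-before (already authenticated),
    # so the pre-authentication policy does not restrict it
    return "permit"

if __name__ == "__main__":
    portal_http = Packet("tcp", "web-before", "192.168.8.251", 80)
    print("portal HTTP, page order:", classify(portal_http))
    print("portal HTTP, c1 first:  ", classify(portal_http, MISORDERED))
```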

Configuration Files

#
 sysname HUAWEI
#
 user-group web-before
#
ip vpn-instance vpn1
 ipv4-family
 route-distinguisher 100:1
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
#
 radius-server group rd2
 radius-server authentication 192.168.8.249 1812 weight 0
 radius-server accounting 192.168.8.249 1813 weight 0
 radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
#
acl number 6000
#
acl number 6001
 rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
 rule 10 permit ip source user-group web-before destination ip-address 192.168.8.252 0
#
acl number 6002
 rule 30 permit ip source user-group web-before destination ip-address any 
 rule 35 permit ip source ip-address any destination user-group web-before
#
traffic classifier c2 operator and
 if-match acl 6001
traffic classifier c1 operator and
 if-match acl 6000
traffic classifier c3 operator and
 if-match acl 6002
#
traffic behavior perm1
traffic behavior deny1
traffic behavior deny2
 deny
#
traffic policy action1
 classifier c2 behavior perm1
 classifier c1 behavior deny1
 classifier c3 behavior deny2
traffic-policy action1 inbound
traffic-policy action1 outbound
#
interface GigabitEthernet1/0/2
 bas
  access-type layer2-subscriber  default-domain  authentication isp2
  authentication-method  web
#
interface GigabitEthernet1/0/1
 ip address 192.168.8.1 255.255.255.0
#
ip pool pool2 bas local
 vpn-instance vpn1
 gateway 10.82.1.1 255.255.255.0
 section 0 10.82.1.2 10.82.1.200
 dns-server  192.168.8.252
#
aaa
 authentication-scheme  auth2
 accounting-scheme  acct2
 domain  default0
  web-server  192.168.8.251
  web-server url  http://192.168.8.251
  user-group   web-before
  vpn-instance  vpn1
  ip-pool   pool2
  http-hostcar enable 
 domain  isp2
  authentication-scheme   auth2
  accounting-scheme   acct2
  vpn-instance vpn1
  radius-server group  rd2
#
return
Updated: 2019-01-03

Document ID: EDOC1100055031