NE40E V800R010C10SPC500 Configuration Guide - User Access 01

Configuring an Authentication Mode for IPoE Access

You can use authentication technologies to exchange authentication packets, user names and passwords between user terminals and the NE40E. The NE40E supports multiple authentication technologies.

Applicable Environment

Web authentication is an interactive authentication mode in which the user opens the authentication page on the web authentication server, and enters the user name and password to be authenticated.

Fast authentication is the simplified web authentication. The user opens the web page for authentication but does not need to enter the user name and password. The NE40E generates the user name and password according to information about the BAS interface from which the user logs in.

Binding authentication means that the NE40E automatically generates the user name and password based on the user's physical location.

Configuring Web Authentication or Fast Authentication

Web authentication refers to an interactive authentication mode in which a user opens the authentication page on the Web authentication server, and enters the user name and password for authentication. Fast authentication refers to an authentication mode in which a user opens the authentication page on the Web authentication server for authentication, without entering the user name and password.

Context

When configuring Web authentication or fast authentication, you need the following parameters:

  • IP address and VPN instance of the server

  • Port number of the server

  • Shared key of the server

  • Whether the NE40E reports its own IP address to the server

  • Portal protocol version, listening port number, and source interface sending portal packets

  • Pages to which users are redirected

Perform the following steps on the NE40E:

NOTE:
  • The password must be at least eight characters long and contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters.
  • When configuring an authentication password or shared key, select the ciphertext (cipher) mode. In simple-text mode the password is written to the configuration file in plain text, which is a high security risk. To keep the device secure, change the password periodically.

Procedure

  1. Configuring the Web Authentication Server
    1. Run system-view

      The system view is displayed.

    2. Run web-auth-server ip-address [ vpn-instance instance-name ] [ port port-number ] [ key { simple simple-key | cipher cipher-key } ] [ nas-ip-address ][ detect-time detect-time ] [ user-query exclude pre-domain ]

      The Web authentication server is configured.

  2. (Optional) Configuring the Portal Protocol
    1. Run system-view

      The system view is displayed.

    2. (Optional) Run web-auth-server version { v2 [ v1 ] | v3 }

      The portal protocol version is set.

    3. (Optional) Run web-auth-server listening-port port

      The number of the listening port on the NE40E is specified.

    4. (Optional) Run web-auth-server source interface interface-type interface-number

      The source interface for sending portal packets is configured on the NE40E.

    5. (Optional) Run web-auth-server reply-message

      The NE40E is configured to transparently transmit Remote Authentication Dial In User Service (RADIUS) packets.

    6. Run web response-error-id enable

      The NE40E is enabled to send an Access-Reject packet carrying an error code to the Portal server.

  3. (Optional) Configuring Mandatory Web Authentication

    Mandatory web authentication means that the NE40E redirects the access request of a user to the specified web server for authentication if the user accesses a URL without permission before the authentication.

    1. Run aaa

      The AAA view is displayed.

    2. (Optional) Run http-redirect enable

      The HTTP packet redirection function is enabled.

    3. Run domain domain-name

      The view of the default pre-authentication domain is displayed.

    4. (Optional) Run one or more of the following commands:

      • Run web-server url url

        The redirection URL address for forced web authentication is configured.

      • Run web-server url-parameter

        The protocol adopted by Web authentication is set to the extension Portal protocol supported by the ISP.

      • Run web-server ip-address [ ipv6-address ] [ slave ]

        The IP address of the web authentication server is configured.

        The IPv6 address of the web authentication server must be configured for a web dual-stack user.

      • Run web-server mode { get | post }

        The HTTP mode of forced web authentication is configured.

      • Run web-server redirect-key { mscg-ip mscg-ip-key | mscg-name mscg-name-key | user-ip-address user-ip-key | user-location user-location-key | nas-logic-sysname nas-logic-sysname-key | user-mac-address { user-mac-key [ simple ] [ type1 ] | cipher aes128 } }, web-server redirect-key ap-mac-address ap-mac-key [ simple [ type1 ] | cipher aes128 ], web-server redirect-key ssid ssid-key, or web-server redirect-key agent-remote-id agent-remote-id-key

        The keyword for attributes of a customized portal is configured.

      • (Optional) Run web-server url-parameter { shared-key shared-key | shared-key-cipher shared-key-cipher }

        The key used to generate the ciphertext user MAC address or AP MAC address to be displayed is specified. After the web-server redirect-key command has been run with cipher aes128, this command supplies the key used to generate that ciphertext.

      • Run web-server user-first-url-key { key-name | default-name }

        The keywords for tracing the main page are configured.

      NOTE:

      The redirection URL must be configured in the pre-authentication domain for a web dual-stack user. Otherwise, mandatory web authentication may fail.

    5. (Optional) Run web-server { ip-address | url url } bind web-auth-server ip-address [ vpn-instance vpn-instance ]

      The Web authentication server bound to the mandatory Web authentication server is configured.

    6. (Optional) Run web-server { ip-address | url url } bind web-auth-server ip-address [ vpn-instance vpn-instance ] slave

      The Web authentication server bound to the standby mandatory Web authentication server is configured.

    7. (Optional) Run mac-authentication enable

      The MAC address authentication is enabled.

      NOTE:

      MAC address authentication simplifies Web authentication. If MAC address authentication is enabled, a Web authentication user needs to enter the user name and password only the first time; the RADIUS server records the user's MAC address. When the user attempts Web authentication again, the RADIUS server authenticates the user based on the MAC address, and the user does not need to enter the user name and password again.

      On live networks, this command is usually used together with the authening authen-fail online authen-domain domain-name command. If MAC authentication fails, the user can still perform Web authentication by entering the user name and password in the redirection domain, and then enter the authentication domain and access network resources.

    8. (Optional) Run http-hostcar enable

      The hostcar function is enabled for HTTP packets of forcible web authentication users.

    9. Run quit

      The AAA view is displayed.

    10. Run quit

      The system view is displayed.

  4. (Optional) Configuring for Optimizing the Web Performance
    1. Run system-view

      The system view is displayed.

    2. Run http-url deny urlstring

      The URLs for which web authentication or portal redirection will be performed forcibly (blacklist) are configured.

    3. Run http-url count enable slot [ interval interval-value ] [ aging aging-value ]

      Statistics on URLs are collected based on the host field.

    4. Run slot slotid

      The slot view is displayed.

    5. Run http-hostcar cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ]

      Bandwidth limitations are configured for HTTP packets sent by users for authentication.

    6. Run quit

      The system view is displayed.

    7. Run aaa

      The AAA view is displayed.

    8. Run domain domain-name

      The domain view is displayed.

    9. Run http-hostcar enable [ no-fast-reply ]

      Hostcar and quick reply are configured for HTTP packets of users on which web authentication is performed forcibly.

    10. Run quit

      The AAA view is displayed.

    11. Run quit

      The system view is displayed.

  5. (Optional) Configuring IP address reallocation
    1. Run domain domain-name

      The view of the authentication domain is displayed.

    2. Run reallocate-ip-address

      IP address reallocation is enabled in a domain.

      Many PCs connect to the network without being authenticated. If public IP addresses are allocated to these PCs as soon as they start, public addresses are wasted. With IP address reallocation, the NE40E allocates a private address to a user who has not yet been authenticated and a public address only after the user is authenticated. This relieves the shortage of public addresses and improves their utilization.

      The reallocate-ip-address command is used only for Web users.

    3. Run quit

      The AAA view is displayed.

    4. Run quit

      The system view is displayed.

  6. Configuring the Authentication Domain and Authentication Method on the BAS Interface

    Web authentication users are considered unauthorized users before they are authenticated. Therefore, they cannot obtain IP addresses or access the web authentication server.

    This means web authentication cannot be performed on web authentication users. To resolve this problem, all unauthenticated web authentication users are assigned to a default domain configured on an interface. This default domain is called the pre-authentication default domain. Unauthenticated web authentication users can obtain IP addresses through the pre-authentication default domain and access the web authentication server through the authorities granted to the pre-authentication default domain for web authentication.

    1. Run interface interface-type interface-number

      The interface view is displayed.

    2. Run bas

      The BAS interface view is displayed.

    3. Run access-type layer2-subscriber

      The user access type is set to Layer 2 subscriber access.

    4. Run default-domain pre-authentication domain-name

      The default pre-authentication domain is specified.

    5. Run default-domain authentication [ force | replace ] domain-name

      The default authentication domain is specified.

    6. Run authentication-method { web | fast } or authentication-method-ipv6 { web | fast }

      Web authentication or fast authentication is configured (for IPv4 or IPv6 users, respectively).

  7. Run commit

    The configuration is committed.
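The following end-to-end configuration is an added example assembled from the steps above; it is not taken from the original guide. The server address (192.168.3.140) and port (50100) match the display output in the verification section below, while the shared key, domain names (pre_web, isp1), portal URL, loopback interface and BAS sub-interface are placeholders chosen for illustration and must be replaced with site values.

```text
# Added example, not from the original guide. Placeholders: shared key, domain
# names, portal URL, LoopBack0 and GigabitEthernet0/1/0.1.
system-view

# Step 1: Web authentication server. The key is entered in cipher mode so it is
# stored encrypted in the configuration file rather than in plain text.
# The key meets the stated policy: 8+ characters, at least two character types.
web-auth-server 192.168.3.140 port 50100 key cipher Ex@mple-Key-2019 nas-ip-address

# Step 2 (optional): portal protocol version, listening port and source interface
web-auth-server version v2 v1
web-auth-server listening-port 2000
web-auth-server source interface LoopBack0
web-auth-server reply-message
web response-error-id enable

# Step 3: mandatory web authentication in the pre-authentication domain
aaa
 http-redirect enable
 domain pre_web
  web-server url http://192.168.3.140/portal
  web-server 192.168.3.140
  web-server mode get
  web-server 192.168.3.140 bind web-auth-server 192.168.3.140
  quit
 quit

# Step 6: BAS interface. Unauthenticated users land in pre_web (address
# assignment and reachability to the portal only); authenticated users
# move to the isp1 authentication domain.
interface GigabitEthernet0/1/0.1
 bas
  access-type layer2-subscriber
  default-domain pre-authentication pre_web
  default-domain authentication isp1
  authentication-method web
  quit
 quit

# Step 7
commit
```

After committing, display web-auth-server configuration should list the server with the Share-Password column masked (******), confirming the key was stored in ciphertext; if the key appears in clear in display current-configuration, it was entered in simple mode and should be reconfigured with cipher.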

Configuring Binding Authentication

In addition to Web authentication, users can also be authenticated using binding authentication.

Context

Perform the following steps on the NE40E:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run bas

    The BAS interface view is displayed.

  4. Run access-type layer2-subscriber

    The user access type is set to Layer 2 subscriber access.

  5. Run default-domain pre-authentication domain-name

    The default pre-authentication domain is specified.

  6. Run default-domain authentication [ force | replace ] domain-name

    The default authentication domain is specified.

  7. Run authentication-method { { ppp | dot1x } * | bind }

    PPP authentication, 802.1X authentication, or binding authentication is configured.

    You can set the authentication mode for only Layer 2 users on the BAS interface. Multiple authentication modes can be configured on an interface except for the following:

    • Web authentication conflicts with fast authentication.
    • Binding authentication conflicts with the other authentication modes.

  8. Run commit

    The configuration is committed.
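The following is an added example of the binding authentication procedure above; it is not from the original guide, and the domain names (pre_bind, isp1) and BAS sub-interface are placeholders. Because binding authentication conflicts with every other authentication mode, it is the only method configured on the interface.

```text
# Added example, not from the original guide. Placeholders: domain names and
# GigabitEthernet0/1/1.1.
system-view
interface GigabitEthernet0/1/1.1
 bas
  access-type layer2-subscriber
  default-domain pre-authentication pre_bind
  default-domain authentication isp1
  # bind cannot be combined with web, fast, ppp or dot1x on this interface;
  # the user name and password are derived from the user's physical location
  authentication-method bind
  quit
 quit
commit
```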

Verifying the Authentication Mode Configuration for IPoE Access

After an authentication mode is configured, you can view the authentication mode by checking the domain configuration.

Procedure

  • Run the display web-auth-server configuration command to check the configuration of the Web authentication server.
  • Run the display domain [ domain-name ] command to check the configuration of the domain.
  • Run the display aaa default-user-name [ template template-name | global ] command to check the mode in which pure IPoE user names are generated.
  • Run the display aaa default-password [ template template-name | global ] command to check the IPoE user password or the password generation mode.

Example

After the configuration is complete, you can run the display web-auth-server configuration command to view the configuration of the Web authentication server.

<HUAWEI> display web-auth-server configuration
  Source interface      : -
  Listening port        : 2000
  Portal                : version 1, version 2, version 3
  Display reply message : enabled
  ------------------------------------------------------------------------
           Server  Share-Password     Port  NAS-IP  Vpn-instance
  ------------------------------------------------------------------------
    192.168.3.140  ******            50100   NO
  ------------------------------------------------------------------------
  1 Web authentication server(s) in total

After the configuration is complete, you can run the display domain [ domain-name ] command to view the configuration of the domain. For example:

<HUAWEI> display domain
  ------------------------------------------------------------------------------
  Domain name           State        CAR Access-limit   Online  BODNum RptVSMNum
  ------------------------------------------------------------------------------
  default0              Active         0       279552        0       0         0
  default1              Active         0       279552        0       0         0
  default_admin         Active         0       279552        0       0         0
  default               Active         0       279552        0       0         0
  isp1                  Active         0       279552        0       0         0
  ------------------------------------------------------------------------------
  Total 5,5 printed

After the configuration is complete, you can run the display aaa default-user-name command to view the mode in which IPoE user names are generated. For example:

<HUAWEI> display aaa default-user-name global
Global user name format:enable
Sysname:yes, separator :"-"
Gateway-address:-, separator :no
IP address:-, separator :no
MAC address:-, separator :no
Access-line-id: -, separator :no
Access-line-id circuit-id:-, separator :no, offset: -, parse-mode:%s
Access-line-id remote-id:-, separator :no,offset: -, parse-mode:%s
Vendor-class: -, separator: no,cn-format:-, sub-option:-, offset:-, length:-
Client-id:-, separator :no
DHCPv4 option12:-,separator :no
PE VLAN: -, separator :no
CE VLAN:-, separator :no
Port:-, separator :no
Slot:-, separator :no
Subslot:-, separator :no

After the configuration is complete, you can run the display aaa default-password command to view the IPoE user password or the mode in which IPoE user passwords are generated. For example:

<HUAWEI> display aaa default-password global
Global password:the default is ******
Updated: 2019-01-03

Document ID: EDOC1100055031