NE40E V800R010C10SPC500 Configuration Guide - User Access 01

Example for Configuring the Dual-Stack Access Service by Using Web Authentication

This section provides an example for configuring the dual-stack access service by using Web authentication, including the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

The networking is shown in Figure 6-12. The requirements are as follows:

  • The user belongs to the domain isp5 and accesses the Internet by using GE 1/0/2 on the NE40E in Web authentication mode.

  • RADIUS authentication and RADIUS accounting are used.

  • The IP address of the RADIUS server is 10.6.55.55. The authentication port number is 1645 and the accounting port number is 1646. The standard RADIUS protocol is adopted. The shared key is hello.

  • The IP addresses of the two DNS servers are 3001:0410::1:2 and 10.10.10.1, respectively.

  • The IP address of the Web authentication server is 10.6.55.56 and the key is it-is-my-secret1.

Figure 6-12 Networking for configuring the dual-stack access service by using Web authentication
NOTE:

Interfaces 1 and 2 in this example are GE 1/0/1 and GE 1/0/2, respectively.



Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure AAA schemes.

  2. Configure a Web authentication server.

  3. Configure a RADIUS server group.

  4. Configure an ACL to allow the user to access only the Web server before Web authentication is implemented.

  5. Configure a local IPv4 address pool.

  6. Configure a local IPv6 prefix pool.

  7. Configure a local IPv6 address pool and bind the address pool to the prefix pool.

  8. Configure a pre-authentication domain and an authentication domain for Web authentication.

  9. Configure interfaces.

Data Preparation

To complete the configuration, you need the following data:

  • Authentication template name and authentication mode

  • Accounting template name and accounting mode

  • RADIUS server group name, and IP addresses and port numbers of the RADIUS authentication server and accounting server

  • Local prefix pool name

  • Prefix length and assignable IPv6 prefixes

  • Local address pool name

  • Domain name

Procedure

  1. Configure AAA schemes.

    # Configure an authentication scheme.

    [*Device] aaa
    [*Device-aaa] authentication-scheme auth5
    [*Device-aaa-authen-auth5] authentication-mode radius
    [*Device-aaa-authen-auth5] commit
    [~Device-aaa-authen-auth5] quit

    # Configure an accounting scheme.

    [*Device-aaa] accounting-scheme acct5
    [*Device-aaa-accounting-acct5] accounting-mode radius
    [*Device-aaa-accounting-acct5] commit
    [~Device-aaa-accounting-acct5] quit
    [~Device-aaa] quit

  2. Configure a Web authentication server.

    [*Device] web-auth-server 10.6.55.56 key cipher it-is-my-secret1

  3. Configure a RADIUS server group.

    [*Device] radius-server group rd5
    [*Device-radius-rd5] radius-server authentication 10.6.55.55 1645
    [*Device-radius-rd5] radius-server accounting 10.6.55.55 1646
    [*Device-radius-rd5] radius-server type standard
    [*Device-radius-rd5] radius-server shared-key-cipher hello
    [*Device-radius-rd5] commit
    [~Device-radius-rd5] quit

  4. Configure an ACL to allow the user to access only the Web server before Web authentication is implemented.

    # Configure a user group.

    [*Device] user-group huawei

    # Configure ACL rules.

    [*Device] acl 6000 match-order auto
    [*Device-acl-ucl-6000] rule permit ip source user-group huawei destination ip-address 10.6.55.56 0.0.0.255
    [*Device-acl-ucl-6000] rule deny ip source user-group huawei destination ip-address any
    [*Device-acl-ucl-6000] commit
    [~Device-acl-ucl-6000] quit

    # Configure a traffic classifier.

    [*Device] traffic classifier c1
    [*Device-classifier-c1] if-match acl 6000
    [*Device-classifier-c1] commit
    [~Device-classifier-c1] quit

    # Configure a traffic behavior.

    [*Device] traffic behavior b1
    [*Device-behavior-b1] permit
    [*Device-behavior-b1] commit
    [~Device-behavior-b1] quit

    # Configure a traffic policy.

    [*Device] traffic policy policy
    [*Device-trafficpolicy-policy] classifier c1 behavior b1
    [*Device-trafficpolicy-policy] commit
    [~Device-trafficpolicy-policy] quit

    # Apply the traffic policy globally.

    [*Device] traffic-policy policy inbound
    [*Device] traffic-policy policy outbound

  5. Configure a user-side local IPv4 address pool.

    [*Device] ip pool pool2 bas local
    [*Device-ip-pool-pool2] gateway 10.10.10.2 255.255.255.0
    [*Device-ip-pool-pool2] section 0 10.10.10.3 10.10.10.100
    [*Device-ip-pool-pool2] dns-server 10.10.10.1
    [*Device-ip-pool-pool2] commit
    [~Device-ip-pool-pool2] quit

  6. Configure a local IPv6 prefix pool.

    [*Device] ipv6 prefix pre1 delegation
    [*Device-ipv6-prefix-pre1] prefix 2001:2421::/48
    [*Device-ipv6-prefix-pre1] slaac-unshare-only
    [*Device-ipv6-prefix-pre1] commit
    [~Device-ipv6-prefix-pre1] quit

  7. Configure a user-side local IPv6 address pool.

    [*Device] ipv6 pool pool1 bas delegation
    [*Device-ipv6-pool-pool1] prefix pre1
    [*Device-ipv6-pool-pool1] dns-server 3001:0410::1:2
    [*Device-ipv6-pool-pool1] commit
    [~Device-ipv6-pool-pool1] quit

  8. Configure domains.

    # Configure a pre-authentication domain named domain1.

    [*Device] aaa
    [*Device-aaa] domain domain1
    [*Device-aaa-domain-domain1] prefix-assign-mode unshared
    [*Device-aaa-domain-domain1] user-group huawei
    [*Device-aaa-domain-domain1] ipv6-pool pool1
    [*Device-aaa-domain-domain1] ip-pool pool2
    [*Device-aaa-domain-domain1] web-server 10.6.55.56 3001::3
    [*Device-aaa-domain-domain1] web-server url isp1.com
    [*Device-aaa-domain-domain1] commit
    [~Device-aaa-domain-domain1] quit

    # Configure an authentication domain named isp5.

    [*Device-aaa] domain isp5
    [*Device-aaa-domain-isp5] authentication-scheme auth5
    [*Device-aaa-domain-isp5] accounting-scheme acct5
    [*Device-aaa-domain-isp5] radius-server group rd5
    [*Device-aaa-domain-isp5] commit
    [~Device-aaa-domain-isp5] quit
    [~Device-aaa] quit

  9. Configure interfaces.

    # Configure a BAS interface.

    [*Device] interface GigabitEthernet 1/0/2
    [*Device-GigabitEthernet1/0/2] bas
    [*Device-GigabitEthernet1/0/2-bas] access-type layer2-subscriber default-domain pre-authentication domain1 authentication isp5
    [*Device-GigabitEthernet1/0/2-bas] authentication-method web
    [*Device-GigabitEthernet1/0/2-bas] authentication-method-ipv6 web
    [*Device-GigabitEthernet1/0/2-bas] commit
    [~Device-GigabitEthernet1/0/2-bas] quit

    # Enable IPv6 on GE 1/0/2.

    [*Device-GigabitEthernet1/0/2] ipv6 enable
    [*Device-GigabitEthernet1/0/2] ipv6 address auto link-local
    [*Device-GigabitEthernet1/0/2] commit
    [~Device-GigabitEthernet1/0/2] quit

    # Configure an upstream interface.

    [*Device] interface GigabitEthernet 1/0/1
    [*Device-GigabitEthernet1/0/1] ipv6 enable
    [*Device-GigabitEthernet1/0/1] ipv6 address auto link-local
    [*Device-GigabitEthernet1/0/1] ipv6 address 2001::/64 eui-64
    [*Device-GigabitEthernet1/0/1] commit

  10. Verify the configuration.

    # Check information about the address pool named pool2. You can see that the IP address of pool2's gateway is 10.10.10.2, the IP address of the DNS server is 10.10.10.1, and addresses in pool2 range from 10.10.10.3 to 10.10.10.100.

    <HUAWEI> display ip pool name pool2
    Pool-Name      : pool2
      Pool-No        : 0 
      Pool-constant-index :- 
      Lease          : 3 Days 0 Hours 0 Minutes
      NetBois Type   : N-Node
      DNS-Suffix     : -
    
      DNS1         :10.10.10.1
      Position       : Local           Status           : Unlocked
      Gateway        : 10.10.10.2      Mask             : 255.255.255.0
      Vpn instance   : --
      Profile-Name   : -               Server-Name      : -
      Codes: CFLCT(conflicted)
      ---------------------------------------------------------------------------
      ID           start             end total  used  idle CFLCT disable reserved
      ---------------------------------------------------------------------------
       0      10.10.10.3    10.10.10.100    98     0    98     0       0        0
      --------------------------------------------------------------------------- 

    # Check information about the prefix pool named pre1. You can see that the prefix pool is a local prefix pool and the prefix address is 2010:2021::/64.

    <HUAWEI> display ipv6 prefix pre1
     ------------------------------------------------------------------------------
     Prefix Name        : pre1                
     Prefix Index       : 3
     Prefix constant index: -
     Prefix Type        : DELEGATION          
     Prefix Address     : 2001:2421::                                       
     Prefix Length      : 48                  
     Reserved Type      : NONE  
     Valid Lifetime     : 3 Days 0 Hours 0 Minutes
     Preferred Lifetime : 2 Days 0 Hours 0 Minutes
     IfLocked           : Unlocked            
     Vpn instance       : -       
     PD Prefix Len      : 64
     PD Prefix/C-DUID   : -
     slaac-unshare-only : TRUE                
     pd-unshare-only    : FALSE               
     Free Prefix Count  : 65536
     Used Prefix Count  : 0
     Binded Prefix Count (Free): 0
     Binded Prefix Count (Used): 0
     Flexibly-Allocted Prefix Count: 0
     Reserved Prefix Count: 0
     Excluded Prefix Count: 0
     ------------------------------------------------------------------------------
    

    # Check information about the address pool named pool1. You can see that the address pool is a local address pool at the user side and the address pool is bound to the prefix pool named pre1.

    <HUAWEI> display ipv6 pool pool1
     ----------------------------------------------------------------------
     Pool name          : pool1                            
     Pool No            : 2     
     Pool-constant-index :- 
     Pool type          : BAS DELEGATION      
     Preference         : 255   
     Renew time         : 50    
     Rebind time        : 80    
     Status             : UNLOCKED  
     Refresh interval   : infinite
     Used by domain     : 0     
     Dhcpv6 Unicast     : disable
     Dhcpv6 rapid-commit: disable
     Dns list           : -
     Dns server master  : -
     Dns server slave   : -
     AFTR name          : - 
     ----------------------------------------------------------------------
     Prefix-Name                      Prefix-Type 
     ----------------------------------------------------------------------
     pre1                             DELEGATION
     ----------------------------------------------------------------------
    

    # Check information about the domain named isp5. You can see that the domain is bound to the IPv6 address pool named pool1 and the IPv4 address pool named pool2.

    <HUAWEI> display domain isp5
    ------------------------------------------------------------------------------
      Domain-name                     : isp5
      Domain-state                    : Active
      Authentication-scheme-name      : auth5
      Accounting-scheme-name          : acct5
      Authorization-scheme-name       :
      Primary-DNS-IP-address          : -
      Second-DNS-IP-address           : -
      Web-server-URL-parameter        : No
      Slave Web-IP-address            : -
      Slave Web-URL                   : -
      Slave Web-auth-server           : - 
      Slave Web-auth-state            : - 
      Portal-server-URL-parameter     : No
      Primary-NBNS-IP-address         : -
      Second-NBNS-IP-address          : -
      User-group-name                 : -
      Idle-data-attribute (time,flow) : 0, 60
      Install-BOD-Count               : 0
      Report-VSM-User-Count           : 0
      Value-added-service             : COPS
      User-access-limit               : 279552
      Online-number                   : 0
      Web-IP-address                  : -
      Web-URL                         : -
      Portal-server-IP                : -
      Portal-URL                      : -
      Portal-force-times              : 2
      PPPoE-user-URL                  : Disable
      IPUser-ReAuth-Time(second)      : 300
      mscg-name-portal-key            : -
      Portal-user-first-url-key       : -
      Ancp auto qos adapt             : Disable
      RADIUS-server-template          : rd5
      Two-acct-template               : -
      HWTACACS-server-template        : -
      Bill Flow                       : Disable
      Tunnel-acct-2867                : Disabled
    
      Flow Statistic:
      Flow-Statistic-Up               : Yes
      Flow-Statistic-Down             : Yes
      Source-IP-route                 : Disable
      IP-warning-threshold            : -
      IPv6-warning-threshold          : - 
      Multicast Forwarding            : Yes
      Multicast Virtual               : No
      Max-multilist num               : 4
      Multicast-profile               : -
      Multicast-profile ipv6          : -
      IP-address-pool-name            : pool2
      IPv6-Pool-name                  : pool1
       Quota-out                     : Offline
      Service-type                    : -
      User-basic-service-ip-type      : -/-/-
      PPP-ipv6-address-protocol       : Ndra
      IPv6-information-protocol       : Stateless dhcpv6
      IPv6-PPP-assign-interfaceid     : Disable
      Trigger-packet-wait-delay       : 60s
      Peer-backup                     : enable    
      ------------------------------------------------------------------------------
    

Configuration Files

  • Router configuration file

    #
     sysname Device
    #
     ipv6
    #
     user-group huawei
    
    #
    radius-server group rd5
     radius-server authentication 10.6.55.55 1645 weight 0
     radius-server accounting 10.6.55.55 1646 weight 0
     radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%
    #
    acl number 6000  match-order auto
     rule 5 permit ip source user-group huawei destination ip-address 10.6.55.0 0.0.0.255
     rule 10 deny ip source user-group huawei destination ip-address any
    #
    traffic classifier class1 operator or
    traffic classifier c1 operator or
     if-match acl 6000
    #
    traffic behavior database
    traffic behavior b1
    #
    traffic policy policy
     share-mode
     classifier c1 behavior b1
    #
    interface Virtual-Template1
     ppp authentication-mode chap
    #
    ip pool pool2 bas local
     gateway 10.10.10.2 255.255.255.0
     section 0 10.10.10.3 10.10.10.100
     dns-server 10.10.10.1
    #
    ipv6 prefix pre1 delegation
     prefix 2001:2421::/48
     slaac-unshare-only
    #
    ipv6 pool pool1 bas delegation
     dns-server 3001:410::1:2
     prefix pre1
    #
    aaa
     authentication-scheme default0
     authentication-scheme default1
     authentication-scheme default
     authentication-scheme auth5
      authentication-mode  radius
     #
     authorization-scheme default
     #
     accounting-scheme default0
     accounting-scheme default1
     accounting-scheme default
     accounting-scheme acct5
      accounting-mode radius
     #
    domain domain1
     prefix-assign-mode unshared
     ip-pool pool2
     ipv6-pool pool1
      user-group huawei
     web-server 10.6.55.56 3001::3
     web-server url isp1.com
    domain isp5
     authentication-scheme auth5
     accounting-scheme acct5
      radius-server group rd5
    #
    interface GigabitEthernet1/0/2
    undo shutdown
     ipv6 enable
     ipv6 address auto link-local
     bas
     #
      access-type layer2-subscriber default-domain pre-authentication domain1 authentication isp5
      authentication-method web
      authentication-method-ipv6 web
    #
    interface GigabitEthernet1/0/1
    undo shutdown
     ipv6 enable
     ipv6 address 2001::/64 eui-64
     ipv6 address auto link-local
    #
     traffic-policy policy inbound
     traffic-policy policy outbound
    #
     web-auth-server 10.6.55.56 port 50100 key cipher %^%#oNUw%i-|"WcBgt8=fSVID7F<=K_N+.(ip[H\:a{D%^%#
    #
    return
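
The ACL in step 4 is meant to let unauthenticated users reach only the Web server. The following added example, which is not part of Huawei's guide, parses the two UCL rules from the configuration file above and reports which of the page's servers they admit before authentication; the function names are hypothetical, and match-order auto is modelled as most-specific-first, which is a simplifying assumption.

```python
import ipaddress
import re

# Constructed sample: the two UCL rules as they appear in this page's configuration file.
CONFIG = """\
acl number 6000  match-order auto
 rule 5 permit ip source user-group huawei destination ip-address 10.6.55.0 0.0.0.255
 rule 10 deny ip source user-group huawei destination ip-address any
"""
# Server addresses from the Networking Requirements on this page.
WEB_SERVER = "10.6.55.56"
RADIUS_SERVER = "10.6.55.55"

RULE_RE = re.compile(r"\s*rule\s+(\d+)\s+(permit|deny)\s+ip\s+source\s+user-group\s+\S+"
                     r"\s+destination\s+ip-address\s+(any|\S+\s+\S+)\s*$")


def parse_rules(text):
    """Return (id, action, base, wildcard) tuples; 'any' becomes 0.0.0.0/255.255.255.255."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # not a UCL rule line (ACL header, blank line, ...)
        if m[3] == "any":
            base, wild = 0, 0xFFFFFFFF
        else:
            addr, mask = m[3].split()
            wild = int(ipaddress.IPv4Address(mask))
            # Wildcard bits set to 1 are "don't care", so clear them in the base address.
            base = int(ipaddress.IPv4Address(addr)) & ~wild & 0xFFFFFFFF
        rules.append((int(m[1]), m[2], base, wild))
    return rules


def decision(rules, dst):
    """First-match verdict for dst, trying the rule with the fewest wildcard bits first
    (assumption: a simplified stand-in for the device's match-order auto)."""
    addr = int(ipaddress.IPv4Address(dst))
    for _id, action, base, wild in sorted(rules, key=lambda r: (bin(r[3]).count("1"), r[0])):
        if (addr & ~wild & 0xFFFFFFFF) == base:
            return action
    return "no-match"


def overbroad_permits(rules, allowed_host):
    """IDs of permit rules whose destination is wider than the single allowed host."""
    host = int(ipaddress.IPv4Address(allowed_host))
    return [r[0] for r in rules if r[1] == "permit" and not (r[3] == 0 and r[2] == host)]


if __name__ == "__main__":
    rules = parse_rules(CONFIG)
    for ip in (WEB_SERVER, RADIUS_SERVER, "192.0.2.10"):
        print(ip, "->", decision(rules, ip))
    print("over-broad permit rules:", overbroad_permits(rules, WEB_SERVER))
```

On the rules as published, both 10.6.55.56 and the RADIUS server 10.6.55.55 are permitted before authentication, because the wildcard 0.0.0.255 covers all of 10.6.55.0/24. A wildcard of 0.0.0.0 on rule 5 restricts the permit to the Web server itself.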
    
Updated: 2019-01-03

Document ID: EDOC1100055031