NE40E V800R010C10SPC500 Configuration Guide - User Access 01
Example for Configuring IPv4/IPv6 Dual-Stack Access Based on Web+MAC Authentication

This section provides an example for configuring IPv4/IPv6 dual-stack access based on web+MAC authentication.

Networking Requirements

In this example, wired users, wireless users, and dumb terminals in faculty dormitory areas, student dormitory areas, and office areas implement IPv4/IPv6 dual-stack access based on web authentication. When a user accesses the Internet for the first time, the user enters the MAC authentication domain. During web authentication, the user must enter the user name and password. The RADIUS server automatically records the terminal's MAC address and associates it with the user name and password. The user automatically accesses the Internet when going online again. This authentication mode is called MAC authentication. If the user fails authentication, the user is redirected to the web authentication domain. A user in the web authentication domain can access only limited network addresses, such as the web server's address. When a user in the domain accesses an authorized address, the user is redirected to a specified web server. The user must enter the correct user name and password. After the authentication is successful, the user enters the authentication domain and can access network resources properly. When the user logs in next time, the router authenticates the user based on the terminal's MAC address.
  • RADIUS authentication and RADIUS accounting are used.

  • The IP address of the RADIUS server is 10.1.2.10. The authentication and accounting ports are 1812 and 1813, respectively. The standard RADIUS protocol is adopted, with the key being Root@1234.

  • The IP addresses of the two DNS servers are 3001:DA8:20D:30::30 and 10.1.6.2, respectively.

  • The IP address of the web server is 10.1.1.10, and the key is Root@123.

Figure 7-11 Networking for configuring IPv4/IPv6 dual-stack access based on web+MAC authentication

NOTE:
Interface1 in this example is GE1/0/0.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Enable IPv6 packet forwarding.

  2. Create a MAC authentication domain named mac-domain, a web authentication domain named web-domain, and an authentication domain named after-domain.

  3. Configure AAA schemes. Create a RADIUS server group named group1, configure the hw-auth-type attribute for authentication request packets in the RADIUS server group, and configure attribute translation to translate the hw-auth-type attribute into the Huawei proprietary attribute No. 109.

  4. Configure address pools.

  5. Enable MAC authentication in the MAC authentication domain mac-domain, and bind the RADIUS server group group1 and authentication scheme portal-mac-auth to the domain.

  6. Configure forcible redirection to a specified web server in the web authentication domain web-domain, and bind a user group that can access only limited resources, authentication scheme (non-authentication), and accounting scheme (non-accounting) to the domain.

  7. Configure ACL rules for the web authentication domain web-domain.

  8. Configure the authentication domain after-domain.

  9. Run the default-user-name include mac-address command in the AAA view to directly use the MAC address carried in a user connection request packet as the user name.

  10. Configure a DUID for the DHCPv6 server.

  11. Enable IPv6 and configure the MAC authentication domain, authentication domain, and authentication method on a BAS interface.

Procedure

  1. Enable IPv6 packet forwarding.

    <HUAWEI> system-view
    [~HUAWEI] ipv6

  2. Create a MAC authentication domain, a web authentication domain, and an authentication domain.

    [~HUAWEI] aaa
    [*HUAWEI-aaa] domain mac-domain
    [~HUAWEI-aaa-domain-mac-domain] quit
    [*HUAWEI-aaa] domain web-domain
    [~HUAWEI-aaa-domain-web-domain] quit
    [*HUAWEI-aaa] domain after-domain
    [*HUAWEI-aaa-domain-after-domain] commit
    [~HUAWEI-aaa-domain-after-domain] quit
    [~HUAWEI-aaa] quit

  3. Configure AAA schemes and a RADIUS server group.

    # Create a RADIUS server group named group1, configure the hw-auth-type attribute for authentication request packets in the RADIUS server group, and configure attribute translation to translate the hw-auth-type attribute into the Huawei proprietary attribute No. 109.

    [~HUAWEI] radius-server group group1
    [*HUAWEI-radius-group1] radius-server authentication 10.1.2.10 1812
    [*HUAWEI-radius-group1] radius-server accounting 10.1.2.10 1813
    [*HUAWEI-radius-group1] radius-server shared-key-cipher Root@1234
    [*HUAWEI-radius-group1] radius-attribute include hw-auth-type
    [*HUAWEI-radius-group1] radius-server attribute translate
    [*HUAWEI-radius-group1] radius-attribute translate extend hw-auth-type vendor-specific 2011 109 access-request account
    [*HUAWEI-radius-group1] commit
    [~HUAWEI-radius-group1] quit

    # Create an authentication scheme named portal-mac-auth, and configure the user to be redirected to the web authentication domain web-domain when authentication fails in the authentication scheme.

    [~HUAWEI] aaa
    [*HUAWEI-aaa] authentication-scheme portal-mac-auth
    [*HUAWEI-aaa-authen-portal-mac-auth] authening authen-fail online authen-domain web-domain
    [*HUAWEI-aaa-authen-portal-mac-auth] commit
    [~HUAWEI-aaa-authen-portal-mac-auth] quit

    # Configure an authentication scheme named radius, with RADIUS authentication specified.

    [*HUAWEI-aaa] authentication-scheme radius
    [*HUAWEI-aaa-authen-radius] authentication-mode radius local
    [*HUAWEI-aaa-authen-radius] commit
    [~HUAWEI-aaa-authen-radius] quit

    # Configure an authentication scheme named none, with non-authentication specified.

    [*HUAWEI-aaa] authentication-scheme none
    [*HUAWEI-aaa-authen-none] authentication-mode none
    [*HUAWEI-aaa-authen-none] commit
    [~HUAWEI-aaa-authen-none] quit

    # Configure an accounting scheme named radius, with RADIUS accounting specified.

    [*HUAWEI-aaa] accounting-scheme radius
    [*HUAWEI-aaa-accounting-radius] accounting interim interval 10 hash
    [*HUAWEI-aaa-accounting-radius] commit
    [~HUAWEI-aaa-accounting-radius] quit

    # Configure an accounting scheme named none, with non-accounting specified.

    [*HUAWEI-aaa] accounting-scheme none
    [*HUAWEI-aaa-accounting-none] accounting-mode none
    [*HUAWEI-aaa-accounting-none] commit
    [~HUAWEI-aaa-accounting-none] quit
    [~HUAWEI-aaa] quit

  4. Configure address pools.

    • # Configure an IPv4 address pool.

      [~HUAWEI] ip pool pool1 bas local
      [*HUAWEI-ip-pool-pool1] gateway 10.10.17.1 255.255.240.0
      [*HUAWEI-ip-pool-pool1] section 0 10.10.17.2 10.10.19.254
      [*HUAWEI-ip-pool-pool1] dns-server 10.1.6.2
      [*HUAWEI-ip-pool-pool1] commit
      [~HUAWEI-ip-pool-pool1] quit
    • # Configure an IPv6 prefix pool.

      [~HUAWEI] ipv6 prefix prefix1 local
      [*HUAWEI-ipv6-prefix-prefix1] prefix 3001:DA8:801D:2005::/64
      [*HUAWEI-ipv6-prefix-prefix1] commit
      [~HUAWEI-ipv6-prefix-prefix1] quit
    • # Configure an IPv6 address pool.

      [~HUAWEI] ipv6 pool pool1 bas local
      [*HUAWEI-ip-pool-pool1] prefix prefix1
      [*HUAWEI-ip-pool-pool1] dns-server 3001:DA8:20D:30::30
      [*HUAWEI-ip-pool-pool1] commit
      [~HUAWEI-ip-pool-pool1] quit

  5. Enable MAC authentication in the MAC authentication domain mac-domain, and bind the RADIUS server group group1 and authentication scheme portal-mac-auth to the domain.

    [~HUAWEI] user-group mac-group
    [~HUAWEI] aaa
    [*HUAWEI-aaa] domain mac-domain
    [*HUAWEI-aaa-domain-mac-domain] radius-server group group1
    [*HUAWEI-aaa-domain-mac-domain] authentication-scheme portal-mac-auth
    [*HUAWEI-aaa-domain-mac-domain] accounting-scheme radius
    [*HUAWEI-aaa-domain-mac-domain] ip-pool pool1
    [*HUAWEI-aaa-domain-mac-domain] ipv6-pool pool1
    [*HUAWEI-aaa-domain-mac-domain] mac-authentication enable
    [*HUAWEI-aaa-domain-mac-domain] user-group mac-group
    [*HUAWEI-aaa-domain-mac-domain] commit
    [~HUAWEI-aaa-domain-mac-domain] quit
    [~HUAWEI-aaa] quit

  6. Configure forcible redirection to a specified web server in the web authentication domain web-domain, and bind a user group that can access only limited resources, authentication scheme (non-authentication), and accounting scheme (non-accounting) to the domain.

    [~HUAWEI] user-group web-group
    [~HUAWEI] aaa
    [*HUAWEI-aaa] http-redirect enable
    [*HUAWEI-aaa] domain web-domain
    [*HUAWEI-aaa-domain-web-domain] authentication-scheme none
    [*HUAWEI-aaa-domain-web-domain] accounting-scheme none
    [*HUAWEI-aaa-domain-web-domain] ip-pool pool1
    [*HUAWEI-aaa-domain-web-domain] ipv6-pool pool1
    [*HUAWEI-aaa-domain-web-domain] user-group web-group
    [*HUAWEI-aaa-domain-web-domain] web-server 10.1.1.10
    [*HUAWEI-aaa-domain-web-domain] web-server url http://10.1.1.10
    [*HUAWEI-aaa-domain-web-domain] commit
    [~HUAWEI-aaa-domain-web-domain] quit
    [~HUAWEI-aaa] quit

    # Configure a web authentication server.

    [*HUAWEI] web-auth-server 10.1.1.10 key cipher Root@123

    # Enable HTTP fast reply.

    [*HUAWEI] slot 1
    [*HUAWEI-slot-1] http-reply enable
    [*HUAWEI-slot-1] commit
    [~HUAWEI-slot-1] quit

  7. Configure ACL rules for the web authentication domain web-domain.

    • # Configure IPv4 ACL rules.

      [~HUAWEI] acl number 6000
      [*HUAWEI-acl-ucl-6000] rule 5 permit ip source ip-address 10.1.1.10 0 destination user-group web-group
      [*HUAWEI-acl-ucl-6000] rule 10 permit ip source user-group web-group destination ip-address 10.1.1.10 0
      [*HUAWEI-acl-ucl-6000] rule 15 permit ip source ip-address 10.1.6.2 0 destination user-group web-group
      [*HUAWEI-acl-ucl-6000] rule 20 permit ip source user-group web-group destination ip-address 10.1.6.2 0
      [~HUAWEI-acl-ucl-6000] quit
      [~HUAWEI] acl number 6001
      [*HUAWEI-acl-ucl-6001] rule 5 permit tcp source user-group web-group destination-port eq www
      [*HUAWEI-acl-ucl-6001] rule 10 permit tcp source user-group web-group destination-port eq 8080
      [*HUAWEI-acl-ucl-6001] rule 15 permit ip source user-group web-group
      [~HUAWEI-acl-ucl-6001] quit
      [~HUAWEI] acl number 6002
      [*HUAWEI-acl-ucl-6002] rule 5 permit ip source user-group web-group destination user-group web-group
      [*HUAWEI-acl-ucl-6002] rule 10 permit ip source user-group web-group destination ip-address any
      [~HUAWEI-acl-ucl-6002] quit
      [~HUAWEI] acl number 6003
      [*HUAWEI-acl-ucl-6003] rule 5 permit ip destination user-group web-group
      [~HUAWEI-acl-ucl-6003] quit
    • # Configure IPv6 ACL rules.

      [~HUAWEI] acl ipv6 number 6000
      [*HUAWEI-acl6-ucl-6000] rule 5 deny ipv6 source user-group web-group destination ipv6-address 3001:DA8:20D:30::30/128
      [*HUAWEI-acl6-ucl-6000] rule 10 deny ipv6 source ipv6-address 3001:DA8:20D:30::30/128 destination user-group web-group
      [~HUAWEI-acl6-ucl-6000] quit
      [~HUAWEI] acl ipv6 number 6001
      [*HUAWEI-acl6-ucl-6001] rule 5 permit tcp source user-group web-group destination-port eq www
      [*HUAWEI-acl6-ucl-6001] rule 10 permit tcp source user-group web-group destination-port eq 8080
      [*HUAWEI-acl6-ucl-6001] rule 15 permit ipv6 source user-group web-group
      [~HUAWEI-acl6-ucl-6001] quit
    • # Configure a traffic policy.

      [~HUAWEI] traffic classifier 6000
      [*HUAWEI-classifier-6000] if-match acl 6000
      [*HUAWEI-classifier-6000] if-match ipv6 acl 6000
      [~HUAWEI-classifier-6000] quit
      [~HUAWEI] traffic classifier 6001
      [*HUAWEI-classifier-6001] if-match acl 6001
      [*HUAWEI-classifier-6001] if-match ipv6 acl 6001
      [~HUAWEI-classifier-6001] quit
      [~HUAWEI] traffic classifier 6002
      [*HUAWEI-classifier-6002] if-match acl 6002
      [~HUAWEI-classifier-6002] quit
      [~HUAWEI] traffic classifier 6003
      [*HUAWEI-classifier-6003] if-match acl 6003
      [~HUAWEI-classifier-6003] quit
      [~HUAWEI] traffic behavior permit
      [*HUAWEI-behavior-permit] permit
      [~HUAWEI-behavior-permit] quit
      [~HUAWEI] traffic behavior in-deny
      [*HUAWEI-behavior-in-deny] deny
      [~HUAWEI-behavior-in-deny] quit
      [~HUAWEI] traffic behavior out-deny
      [*HUAWEI-behavior-out-deny] deny
      [~HUAWEI-behavior-out-deny] quit
      [~HUAWEI] traffic behavior redirect
      [*HUAWEI-behavior-redirect] http-redirect
      [~HUAWEI-behavior-redirect] quit
      [~HUAWEI] traffic policy before-auth-in
      [*HUAWEI-policy-before-auth-in] share-mode
      [*HUAWEI-policy-before-auth-in] classifier 6000 behavior permit
      [*HUAWEI-policy-before-auth-in] classifier 6001 behavior redirect
      [*HUAWEI-policy-before-auth-in] classifier 6002 behavior in-deny
      [~HUAWEI-policy-before-auth-in] quit
      [~HUAWEI] traffic policy before-auth-out
      [*HUAWEI-policy-before-auth-out] share-mode
      [*HUAWEI-policy-before-auth-out] classifier 6000 behavior permit
      [*HUAWEI-policy-before-auth-out] classifier 6003 behavior out-deny
      [~HUAWEI-policy-before-auth-out] quit

      # Apply the traffic policy globally.

      [*HUAWEI] traffic-policy before-auth-in inbound
      [*HUAWEI] traffic-policy before-auth-out outbound

  8. Configure the authentication domain after-domain.

    [~HUAWEI] aaa
    [*HUAWEI-aaa] domain after-domain
    [*HUAWEI-aaa-domain-after-domain] authentication-scheme radius
    [*HUAWEI-aaa-domain-after-domain] accounting-scheme radius
    [*HUAWEI-aaa-domain-after-domain] radius-server group group1
    [*HUAWEI-aaa-domain-after-domain] commit
    [~HUAWEI-aaa-domain-after-domain] quit

  9. Run the default-user-name include mac-address command in the AAA view to directly use the MAC address carried in a user connection request packet as the user name.

    [*HUAWEI-aaa] default-user-name include mac-address -
    [*HUAWEI-aaa] commit
    [~HUAWEI-aaa] quit

  10. Configure a DUID for the DHCPv6 server.

    [*HUAWEI] dhcpv6 duid 12345678

  11. Enable IPv6 and configure the MAC authentication domain, authentication domain, and authentication method on a BAS interface.

    [~HUAWEI] license
    [*HUAWEI-license] active bas slot 1
    [~HUAWEI-license] quit
    [~HUAWEI] interface gigabitethernet1/0/0
    [*HUAWEI-GigabitEthernet1/0/0] ipv6 enable
    [*HUAWEI-GigabitEthernet1/0/0] ipv6 nd autoconfig managed-address-flag
    [*HUAWEI-GigabitEthernet1/0/0] ipv6 nd autoconfig other-flag
    [*HUAWEI-GigabitEthernet1/0/0] bas
    [*HUAWEI-GigabitEthernet1/0/0-bas] access-type layer2-subscriber default-domain pre-authentication mac-domain authentication after-domain
    [*HUAWEI-GigabitEthernet1/0/0-bas] authentication-method web
    [*HUAWEI-GigabitEthernet1/0/0-bas] authentication-method-ipv6 web
    [*HUAWEI-GigabitEthernet1/0/0-bas] commit

  12. Verify the configuration.

    1. A user logs in to the PC and obtains an IP address.

    2. Run the display access-user domain web-domain command on the router to check information about online users.

    3. The user enters another website in the address bar and is automatically redirected to the address of the web server.

    4. The user enters the user name and password, and accesses the Internet after the authentication succeeds.

    5. Run the display domain mac-domain command to check that the IPv4 and IPv6 address pools are bound to the domain mac-domain.

Configuration Files

#
 sysname HUAWEI
#
license
 active bas slot 1
#
ipv6
#
 user-group mac-group
 user-group web-group
#
 dhcpv6 duid 12345678
#
slot 1
 http-reply enable
#
radius-server group group1
 radius-server shared-key-cipher Root@1234
 radius-server authentication 10.1.2.10 1812 weight 0
 radius-server accounting 10.1.2.10 1813 weight 0 
 radius-server attribute translate
 radius-attribute include HW-Auth-Type
 radius-attribute translate extend HW-Auth-Type vendor-specific 2011 109 access-request account
#
acl ipv6 number 6000
 rule 5 deny ipv6 source user-group web-group destination ipv6-address 3001:DA8:20D:30::30/128
 rule 10 deny ipv6 source ipv6-address 3001:DA8:20D:30::30/128 destination user-group web-group
#
acl ipv6 number 6001
 rule 5 permit tcp source user-group web-group destination-port eq www
 rule 10 permit tcp source user-group web-group destination-port eq 8080
 rule 15 permit ipv6 source user-group web-group
#
acl number 6000
 rule 5 permit ip source ip-address 10.1.1.10 0 destination user-group web-group
 rule 10 permit ip source user-group web-group destination ip-address 10.1.1.10 0
 rule 15 permit ip source ip-address 10.1.6.2 0 destination user-group web-group
 rule 20 permit ip source user-group web-group destination ip-address 10.1.6.2 0
#
acl number 6001
 rule 5 permit tcp source user-group web-group destination-port eq www
 rule 10 permit tcp source user-group web-group destination-port eq 8080
 rule 15 permit ip source user-group web-group
#
acl number 6002
 rule 5 permit ip source user-group web-group destination user-group web-group
 rule 10 permit ip source user-group web-group destination ip-address any
#
acl number 6003
 rule 5 permit ip destination user-group web-group
#
traffic classifier 6000 operator or
 if-match acl 6000
 if-match ipv6 acl 6000
traffic classifier 6001 operator or
 if-match acl 6001
 if-match ipv6 acl 6001
traffic classifier 6002 operator or
 if-match acl 6002
traffic classifier 6003 operator or
 if-match acl 6003
#
traffic behavior in-deny
 deny
traffic behavior out-deny
 deny
traffic behavior permit
 permit
traffic behavior redirect
 http-redirect
#
traffic policy before-auth-in
 share-mode
 classifier 6000 behavior permit
 classifier 6001 behavior redirect
 classifier 6002 behavior in-deny
traffic policy before-auth-out
 share-mode
 classifier 6000 behavior permit
 classifier 6003 behavior out-deny
#
ip pool pool1 bas local
 gateway 10.10.17.1 255.255.240.0
 section 0 10.10.17.2 10.10.19.254
 dns-server 10.1.6.2
#
ipv6 prefix prefix1 local
 prefix 3001:DA8:801D:2005::/64
#
ipv6 pool pool1 bas local
 prefix prefix1
 dns-server 3001:DA8:20D:30::30
#
aaa
 http-redirect enable
 default-user-name include mac-address -
 authentication-scheme portal-mac-auth
  authening authen-fail online authen-domain web-domain
 authentication-scheme radius
  authentication-mode radius local
 authentication-scheme none
  authentication-mode none
#
 accounting-scheme radius
  accounting interim interval 10 hash
 accounting-scheme none
  accounting-mode none
 #
 domain mac-domain
  authentication-scheme portal-mac-auth
  accounting-scheme radius
  ip-pool pool1
  ipv6-pool pool1
  mac-authentication enable
  radius-server group group1
  user-group mac-group
 domain web-domain
  authentication-scheme none
  accounting-scheme none
  ip-pool pool1
  ipv6-pool pool1
  user-group web-group
  web-server 10.1.1.10
  web-server url http://10.1.1.10
 domain after-domain
  authentication-scheme radius
  accounting-scheme radius
  radius-server group group1
#
interface GigabitEthernet1/0/0
 ipv6 enable
 ipv6 nd autoconfig managed-address-flag
 ipv6 nd autoconfig other-flag
 bas
 #
  access-type layer2-subscriber default-domain pre-authentication mac-domain authentication after-domain
  authentication-method web
  authentication-method-ipv6 web
#
 traffic-policy before-auth-in inbound
 traffic-policy before-auth-out outbound
#
 web-auth-server 10.1.1.10 key cipher Root@123
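The configuration file above is what ends up under review, and small slips in a pasted file (an ACL number used twice, a user group whose name differs from the one a domain binds) silently leave the pre-authentication policy incomplete. The checker below is an added example, not Huawei's code or tooling: it parses only the subset of VRP config syntax used in this example and reports duplicate blocks, dangling references (classifier to ACL, policy to classifier and behavior, domain to user group, global apply to policy) and defined-but-unused objects; the sample config is constructed.

```python
import re
# (kind, regex) pairs for the block headers of the VRP config-file subset handled here.
HEADERS = [("acl6", r"acl ipv6 number (\d+)"), ("acl", r"acl number (\d+)"),
           ("classifier", r"traffic classifier (\S+)"), ("behavior", r"traffic behavior (\S+)"),
           ("policy", r"traffic policy (\S+)"), ("domain", r"domain (\S+)"),
           ("user-group", r"user-group (\S+)$")]  # at top level, user-group is a definition

def check_config(text):
    """Return findings: duplicate blocks, dangling references and unused objects."""
    defined, refs, used, findings, cur = {}, [], {}, [], ("global", "view")
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#"):                  # '#' separates blocks in a VRP config file
            cur = ("global", "view")
            continue
        if cur[0] == "domain" and (m := re.match(r"user-group (\S+)", line)):
            refs.append((cur, "user-group", m.group(1)))   # a domain binds a user group
        elif hit := next(((k, m.group(1)) for k, rx in HEADERS if (m := re.match(rx, line))), None):
            kind, name = hit
            if name in defined.setdefault(kind, set()):
                findings.append(f"duplicate {kind} {name}")
            defined[kind].add(name)
            cur = (kind, name)
        elif m := re.match(r"if-match (ipv6 )?acl (\d+)", line):
            refs.append((cur, "acl6" if m.group(1) else "acl", m.group(2)))
        elif m := re.match(r"classifier (\S+) behavior (\S+)", line):
            refs += [(cur, "classifier", m.group(1)), (cur, "behavior", m.group(2))]
        elif m := re.match(r"traffic-policy (\S+) (inbound|outbound)", line):
            refs.append((cur, "policy", m.group(1)))       # global application of a policy
    for blk, kind, name in refs:
        used.setdefault(kind, set()).add(name)
        if name not in defined.get(kind, set()):
            findings.append(f"{blk[0]} {blk[1]} references undefined {kind} {name}")
    for kind in ("acl", "acl6", "classifier", "behavior", "policy", "user-group"):
        for name in sorted(defined.get(kind, set()) - used.get(kind, set())):
            findings.append(f"unused {kind} {name}")
    return findings

# Constructed sample reproducing two slips of the kind a pasted config file can contain:
# the second IPv6 ACL re-uses number 6000, and the defined user group is not the bound one.
SAMPLE = """\
 user-group web-domain
#
acl ipv6 number 6000
#
acl ipv6 number 6000
#
traffic classifier 6001 operator or
 if-match ipv6 acl 6001
traffic behavior redirect
 http-redirect
traffic policy before-auth-in
 classifier 6001 behavior redirect
#
 domain web-domain
  user-group web-group
#
 traffic-policy before-auth-in inbound
"""
```

Running `check_config` over the saved configuration of a BRAS after the procedure above is a quick way to confirm that every classifier, behavior and user group the pre-authentication policy depends on actually exists and is applied.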
Updated: 2019-01-03

Document ID: EDOC1100055031