NE40E V800R010C10SPC500 Configuration Guide - User Access 01

Example for Configuring MAC Authentication

This section provides an example for configuring MAC authentication.

Networking Requirements

On the network shown in Figure 6-9, a user in domain a enters a user name and password for web authentication when going online for the first time. The RADIUS server automatically records the MAC address of the user terminal and associates the user name and password with that MAC address. In subsequent network access, the user goes online automatically without entering the user name and password. If the user fails authentication, the user is redirected to domain b. Users in domain b can access only limited network addresses, such as the web server address. If a user in domain b accesses an address outside that limited set, the user is forcibly redirected to a specified web server where the user must re-enter the user name and password. After being authenticated, the user belongs to domain c and is able to access network resources.

Figure 6-9 MAC authentication networking

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create a MAC authentication domain named a, a pre-authentication domain named b, and an authentication domain named c.

  2. Configure AAA schemes.

  3. Create a RADIUS server group named d; in the RADIUS server group view, include the hw-auth-type attribute in authentication request packets and translate it into the Huawei proprietary attribute No. 109 (vendor ID 2011).

  4. Create an authentication template named e and configure the redirection domain for authentication failures in the authentication template.

  5. Enable MAC authentication in the MAC authentication domain a and bind the MAC authentication domain a to the RADIUS server group d and authentication template e.

  6. Bind non-authentication and non-accounting schemes to the pre-authentication domain named b to allow users to have access only to limited resources and be redirected to a specified web server.

  7. Bind the RADIUS authentication and accounting schemes to the authentication domain c.

  8. Configure the device to use the MAC address carried in the access request packets as the pure user name.

  9. Configure a pre-authentication domain and an authentication domain on the BAS interface.

Procedure

  1. Create a MAC authentication domain named a, a pre-authentication domain named b, and an authentication domain named c.

    # Create a MAC authentication domain named a, a pre-authentication domain named b, and an authentication domain named c.

    <HUAWEI> system-view
    [*Device] aaa
    [*Device-aaa] domain a
    [*Device-aaa-domain-a] quit
    [*Device-aaa] domain b
    [*Device-aaa-domain-b] quit
    [*Device-aaa] domain c
    [*Device-aaa-domain-c] commit
    [~Device-aaa-domain-c] quit
    [~Device-aaa] quit

  2. Configure AAA schemes and RADIUS server groups.

    # Create a RADIUS server group named d; in the RADIUS server group view, include the hw-auth-type attribute in authentication request packets and translate it into the Huawei proprietary attribute No. 109 (vendor ID 2011).

    [*Device] radius-server group d
    [*Device-radius-d] radius-server authentication 192.168.7.249 1812
    [*Device-radius-d] radius-server accounting 192.168.7.249 1813
    [*Device-radius-d] radius-server type standard
    [*Device-radius-d] radius-server shared-key-cipher it-is-my-secret1
    [*Device-radius-d] radius-attribute include hw-auth-type
    [*Device-radius-d] radius-server attribute translate
    [*Device-radius-d] radius-attribute translate extend hw-auth-type vendor-specific 2011 109 access-request account
    [*Device-radius-d] commit
    [~Device-radius-d] quit

    # Create a RADIUS server group named rd2.

    [*Device] radius-server group rd2
    [*Device-radius-rd2] radius-server authentication 192.168.8.249 1812
    [*Device-radius-rd2] radius-server accounting 192.168.8.249 1813
    [*Device-radius-rd2] radius-server type standard
    [*Device-radius-rd2] radius-server shared-key-cipher it-is-my-secret1
    [*Device-radius-rd2] commit
    [~Device-radius-rd2] quit

    # Create an authentication template named e and configure the pre-authentication domain b as the redirection domain for authentication failures in the authentication template e.

    [*Device] aaa
    [*Device-aaa] authentication-scheme e
    [*Device-aaa-authen-e] authening authen-fail online authen-domain b
    [*Device-aaa-authen-e] commit
    [~Device-aaa-authen-e] quit

    # Configure an authentication scheme named auth2 with RADIUS authentication and an accounting scheme named acct2 with RADIUS accounting.

    [*Device-aaa] authentication-scheme auth2
    [*Device-aaa-authen-auth2] authentication-mode radius
    [*Device-aaa-authen-auth2] commit
    [~Device-aaa-authen-auth2] quit
    [*Device-aaa] accounting-scheme acct2
    [*Device-aaa-accounting-acct2] accounting-mode radius
    [*Device-aaa-accounting-acct2] commit
    [~Device-aaa-accounting-acct2] quit

    # Configure an authentication scheme named auth3, with non-authentication.

    [*Device-aaa] authentication-scheme auth3
    [*Device-aaa-authen-auth3] authentication-mode none
    [*Device-aaa-authen-auth3] commit
    [~Device-aaa-authen-auth3] quit

    # Configure an accounting scheme named acct3, with non-accounting.

    [*Device-aaa] accounting-scheme acct3
    [*Device-aaa-accounting-acct3] accounting-mode none
    [*Device-aaa-accounting-acct3] commit
    [~Device-aaa-accounting-acct3] quit
    [~Device-aaa] quit

  3. Configure an address pool.

    [*Device] ip pool pool2 bas local
    [*Device-ip-pool-pool2] gateway 172.16.1.1 255.255.255.0
    [*Device-ip-pool-pool2] section 0 172.16.1.2 172.16.1.200
    [*Device-ip-pool-pool2] dns-server 192.168.8.252
    [*Device-ip-pool-pool2] commit
    [~Device-ip-pool-pool2] quit

  4. Enable MAC authentication in the MAC authentication domain a and bind the MAC authentication domain a to the RADIUS server group d and authentication template e.

    [*Device] aaa
    [*Device-aaa] domain a
    [*Device-aaa-domain-a] radius-server group d
    [*Device-aaa-domain-a] authentication-scheme e
    [*Device-aaa-domain-a] accounting-scheme acct2
    [*Device-aaa-domain-a] ip-pool pool2
    [*Device-aaa-domain-a] mac-authentication enable
    [*Device-aaa-domain-a] commit
    [~Device-aaa-domain-a] quit

  5. Bind non-authentication and non-accounting schemes to the pre-authentication domain named b to allow users to have access only to limited resources and be redirected to a specified web server.

    [*Device] user-group web-before
    [*Device] aaa
    [*Device-aaa] http-redirect enable
    [*Device-aaa] domain b
    [*Device-aaa-domain-b] authentication-scheme auth3
    [*Device-aaa-domain-b] accounting-scheme acct3
    [*Device-aaa-domain-b] ip-pool pool2
    [*Device-aaa-domain-b] user-group web-before
    [*Device-aaa-domain-b] web-server 192.168.8.251
    [*Device-aaa-domain-b] web-server url http://192.168.8.251
    [*Device-aaa-domain-b] commit
    [~Device-aaa-domain-b] quit
    [~Device-aaa] quit

    # Configure a web authentication server.

    [*Device] web-auth-server 192.168.8.251 key webvlan

    # Configure ACL rules.

    [*Device] acl number 6004
    [*Device-acl-ucl-6004] rule 3 permit ip source user-group web-before destination user-group web-before
    [*Device-acl-ucl-6004] rule 5 permit ip source user-group web-before destination ip-address any
    [*Device-acl-ucl-6004] commit
    [~Device-acl-ucl-6004] quit
    [*Device] acl number 6005
    [*Device-acl-ucl-6005] rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
    [*Device-acl-ucl-6005] rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
    [*Device-acl-ucl-6005] rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
    [*Device-acl-ucl-6005] rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
    [*Device-acl-ucl-6005] rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
    [*Device-acl-ucl-6005] rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
    [*Device-acl-ucl-6005] commit
    [~Device-acl-ucl-6005] quit
    [*Device] acl number 6006
    [*Device-acl-ucl-6006] rule 5 permit ip destination user-group web-before
    [*Device-acl-ucl-6006] commit
    [~Device-acl-ucl-6006] quit
    [*Device] acl number 6008
    [*Device-acl-ucl-6008] rule 5 permit tcp source user-group web-before destination-port eq www
    [*Device-acl-ucl-6008] rule 10 permit tcp source user-group web-before destination-port eq 8080
    [*Device-acl-ucl-6008] commit
    [~Device-acl-ucl-6008] quit
    [*Device] acl number 6010
    [*Device-acl-ucl-6010] commit
    [~Device-acl-ucl-6010] quit

    # Configure traffic policies.

    [*Device] traffic classifier web-out
    [*Device-classifier-web-out] if-match acl 6006
    [*Device-classifier-web-out] commit
    [~Device-classifier-web-out] quit
    [*Device] traffic classifier web-be-permit
    [*Device-classifier-web-be-permit] if-match acl 6005
    [*Device-classifier-web-be-permit] commit
    [~Device-classifier-web-be-permit] quit
    [*Device] traffic classifier http-before
    [*Device-classifier-http-before] if-match acl 6010
    [*Device-classifier-http-before] commit
    [~Device-classifier-http-before] quit
    [*Device] traffic classifier web-be-deny
    [*Device-classifier-web-be-deny] if-match acl 6004
    [*Device-classifier-web-be-deny] commit
    [~Device-classifier-web-be-deny] quit
    [*Device] traffic classifier redirect
    [*Device-classifier-redirect] if-match acl 6008
    [*Device-classifier-redirect] commit
    [~Device-classifier-redirect] quit
    [*Device] traffic behavior http-discard
    [*Device-behavior-http-discard] car cir 0 cbs 0 green pass red discard
    [*Device-behavior-http-discard] commit
    [~Device-behavior-http-discard] quit
    [*Device] traffic behavior web-out
    [*Device-behavior-web-out] deny
    [*Device-behavior-web-out] commit
    [~Device-behavior-web-out] quit
    [*Device] traffic behavior perm1
    [*Device-behavior-perm1] permit
    [*Device-behavior-perm1] commit
    [~Device-behavior-perm1] quit
    [*Device] traffic behavior deny1
    [*Device-behavior-deny1] deny
    [*Device-behavior-deny1] commit
    [~Device-behavior-deny1] quit
    [*Device] traffic behavior redirect
    [*Device-behavior-redirect] http-redirect plus
    [*Device-behavior-redirect] commit
    [~Device-behavior-redirect] quit
    [*Device] traffic policy web-out
    [*Device-policy-web-out] share-mode
    [*Device-policy-web-out] classifier web-be-permit behavior perm1
    [*Device-policy-web-out] classifier web-out behavior web-out
    [*Device-policy-web-out] commit
    [~Device-policy-web-out] quit
    [*Device] traffic policy web
    [*Device-policy-web] share-mode
    [*Device-policy-web] classifier web-be-permit behavior perm1
    [*Device-policy-web] classifier http-before behavior http-discard
    [*Device-policy-web] classifier redirect behavior redirect
    [*Device-policy-web] classifier web-be-deny behavior deny1
    [*Device-policy-web] commit
    [~Device-policy-web] quit

    # Apply the traffic policies in the system view.

    [*Device] traffic-policy web inbound
    [*Device] traffic-policy web-out outbound
    [*Device] commit

  6. Bind the RADIUS authentication and accounting schemes to the authentication domain c.

    [*Device] aaa
    [*Device-aaa] domain c
    [*Device-aaa-domain-c] authentication-scheme auth2
    [*Device-aaa-domain-c] accounting-scheme acct2
    [*Device-aaa-domain-c] radius-server group rd2
    [*Device-aaa-domain-c] commit
    [~Device-aaa-domain-c] quit
    [~Device-aaa] quit

  7. Configure the device to use the MAC address carried in the access request packets as the pure user name.

    [*Device] aaa
    [*Device-aaa] default-user-name include mac-address -
    [*Device-aaa] default-password cipher Root@123
    [*Device-aaa] commit
    [~Device-aaa] quit

  8. Configure a pre-authentication domain, an authentication domain, and an authentication method on the BAS interface.

    [*Device] interface GigabitEthernet1/0/2
    [*Device-GigabitEthernet1/0/2] bas
    [*Device-GigabitEthernet1/0/2-bas] access-type layer2-subscriber default-domain pre-authentication a authentication c
    [*Device-GigabitEthernet1/0/2-bas] authentication-method web

  9. Run the commit command.

    The configuration is committed.
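To make the effect of steps 2 and 7 concrete, the following is an added Python example (not Huawei code and not part of this guide) that builds and decodes the RADIUS Access-Request domain a sends for a MAC user: the dash-separated MAC alone becomes User-Name as `default-user-name include mac-address -` specifies, User-Password is hidden with the group's shared key per RFC 2865, and hw-auth-type is carried as Huawei vendor 2011 sub-attribute 109. The MAC, the Request Authenticator and the 4-byte HW-Auth-Type value are constructed placeholders; the guide does not state the attribute's encoding.

```python
import hashlib, struct

HUAWEI_VENDOR_ID = 2011   # Huawei enterprise number from "vendor-specific 2011 109"
HW_AUTH_TYPE = 109        # vendor sub-attribute that hw-auth-type is translated into
ACCESS_REQUEST = 1        # RADIUS packet code

def mac_user_name(mac: bytes, separator: str = "-") -> str:
    """'default-user-name include mac-address -': the MAC alone, dash-separated, is the user name."""
    return separator.join(f"{b:02x}" for b in mac)

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse; the chaining value is the previous *hidden* block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, 2 + len(value)) + value
def huawei_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): 4-byte vendor ID, then one type/length/value sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return attribute(26, struct.pack("!I", HUAWEI_VENDOR_ID) + sub)

def build_access_request(mac, password, secret, authenticator, auth_type, ident=1):
    """Access-Request as domain a would send it: User-Name(1), User-Password(2), VSA(26)."""
    attrs = (attribute(1, mac_user_name(mac).encode())
             + attribute(2, hide_password(password, secret, authenticator))
             + huawei_vsa(HW_AUTH_TYPE, auth_type))   # auth_type value is a constructed placeholder
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute TLVs after the 20-byte header; returns {code: value}."""
    out, pos = {}, 20
    while pos < len(packet):
        code, length = struct.unpack_from("!BB", packet, pos)
        out[code] = packet[pos + 2:pos + length]
        pos += length
    return out
```

On the RADIUS server side, the user name the MAC-binding record must match is exactly the value parsed from attribute 1, so the separator chosen in `default-user-name` has to agree with the server's stored format.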

Configuration Files

#
 sysname Device
#
user-group web-before
#
radius-server group rd2
 radius-server authentication 192.168.8.249 1812 weight 0
 radius-server accounting 192.168.8.249 1813 weight 0
 radius-server shared-key-cipher %$%$8;fLT*OW4VX|#9Dr(Gl!}M%4%$%$
#
radius-server group d
 radius-server authentication 192.168.7.249 1812 weight 0
 radius-server accounting 192.168.7.249 1813 weight 0
 radius-server shared-key-cipher %$%$8;fLT*OW4VX|#9Dr(Gl!}M%4%$%$
 radius-server attribute translate
 radius-attribute include HW-Auth-Type
 radius-attribute translate extend HW-Auth-Type vendor-specific 2011 109 access-request account
#
acl number 6004
 rule 3 permit ip source user-group web-before destination user-group web-before
 rule 5 permit ip source user-group web-before destination ip-address any
#
acl number 6005
 rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
 rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
 rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
 rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
 rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
 rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
#
acl number 6006
 rule 5 permit ip destination user-group web-before
#
acl number 6008
 rule 5 permit tcp source user-group web-before destination-port eq www
 rule 10 permit tcp source user-group web-before destination-port eq 8080
#
acl number 6010
#
traffic classifier web-out operator or
 if-match acl 6006
traffic classifier web-be-permit operator or
 if-match acl 6005
traffic classifier http-before operator or
 if-match acl 6010
traffic classifier web-be-deny operator or
 if-match acl 6004
traffic classifier redirect operator or
 if-match acl 6008
#
traffic behavior http-discard
 car cir 0 cbs 0 green pass red discard
traffic behavior web-out
 deny
traffic behavior perm1
traffic behavior deny1
 deny
traffic behavior redirect
 http-redirect
#
traffic policy web-out
 share-mode
 classifier web-be-permit behavior perm1
 classifier web-out behavior web-out
traffic policy web
 share-mode
 classifier web-be-permit behavior perm1
 classifier http-before behavior http-discard
 classifier redirect behavior redirect
 classifier web-be-deny behavior deny1
#
ip pool pool2 bas local
 gateway 172.16.1.1 255.255.255.0
 section 0 172.16.1.2 172.16.1.200
 dns-server 192.168.8.252
#
aaa
 http-redirect enable
 default-user-name include mac-address -
 default-password cipher %^%#oNUw%i-|"WcBgt8=fSVID7F<=K_N+.(ip[H\:a{D%^%#
 authentication-scheme auth2
 authentication-scheme auth3
  authentication-mode none
 authentication-scheme e
  authening authen-fail online authen-domain b
#
 accounting-scheme acct2
 accounting-scheme acct3
  accounting-mode none
 #
 domain a
  authentication-scheme e
  accounting-scheme acct2
  radius-server group d
  ip-pool pool2
  mac-authentication enable
 domain b
  authentication-scheme auth3
  accounting-scheme acct3
  ip-pool pool2
  user-group web-before
  web-server 192.168.8.251
  web-server url http://192.168.8.251
  web-server url-parameter
 domain c
  authentication-scheme auth2
  accounting-scheme acct2
  radius-server group rd2
#
interface GigabitEthernet1/0/2
 bas
 #
  access-type layer2-subscriber default-domain pre-authentication a authentication c
  authentication-method web
#
 traffic-policy web inbound
 traffic-policy web-out outbound
Updated: 2019-01-03

Document ID: EDOC1100055031