
NE40E V800R010C10SPC500 Configuration Guide - User Access 01

Example for Configuring Layer 3 IPoE Access with Web Authentication

This section provides an example of how to configure Layer 3 IPoE access with web authentication. The example provides the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

As shown in Figure 6-3, the networking requirements for configuring Layer 3 IPoE access are as follows:

  • A user belongs to the domain isp2. The user connects to GE 1/0/2.1 on Device B through Device A, a DHCP relay agent. The user then accesses the Internet in Layer 3 IPoE access mode.

  • The user adopts web authentication, Remote Authentication Dial In User Service (RADIUS) authentication, and RADIUS accounting.

  • The IP address of the RADIUS server is 192.168.8.249. The authentication port number is 1812, and the accounting port number is 1813. The standard RADIUS protocol is used. The shared key is it-is-my-secret1.

  • The IP address of the DNS server is 192.168.8.252.

  • The IP address of the WEB server is 192.168.8.251. The shared key is webvlan.

Figure 6-3 Networking for configuring Layer 3 IPoE access
NOTE:

Interfaces 1 through 4 in this example are GE 1/0/1, GE 1/0/2, GE 1/0/1.1, and GE 1/0/2.1, respectively.

Configuration Roadmap

The configuration roadmap is as follows (all functions, except DHCP relay, are configured on Device B):

  1. Configure DHCP relay on Device A.

  2. Configure authentication and accounting schemes.

  3. Configure a RADIUS server group.

  4. Configure an IP address pool.

  5. Configure a pre-authentication domain and a post-authentication domain for web authentication.

  6. Configure a WEB server.

  7. Configure user control list (UCL) rules and traffic management policies.

  8. Configure a BAS interface and an uplink interface.

Data Preparation

To complete the configuration, you need the following data:

  • Authentication scheme name and authentication mode

  • Accounting scheme name and accounting mode

  • Name of the RADIUS server group as well as IP addresses and port numbers of the RADIUS authentication server and accounting server

  • IP address pool name, gateway address, and DNS server address

  • Domain names

  • IP address of the WEB server

  • UCL rules

  • Traffic management policies

  • BAS interface parameters

Procedure

  1. Assign IP addresses to interfaces on Device A and Device B.

    # Assign IP addresses to the interfaces on Device A.

    <DeviceA> system-view
    [~DeviceA] interface GigabitEthernet1/0/2
    [*DeviceA-GigabitEthernet1/0/2] ip address 11.11.11.1 255.255.255.0
    [*DeviceA-GigabitEthernet1/0/2] quit
    [*DeviceA] interface GigabitEthernet1/0/1.1
    [*DeviceA-GigabitEthernet1/0/1.1] ip address 192.168.1.2 255.255.255.0
    [*DeviceA-GigabitEthernet1/0/1.1] vlan-type dot1q 1
    [*DeviceA-GigabitEthernet1/0/1.1] commit
    [~DeviceA-GigabitEthernet1/0/1.1] quit

    # Assign an IP address to the interface on Device B.

    [~DeviceB] interface GigabitEthernet1/0/2.1
    [*DeviceB-GigabitEthernet1/0/2.1] ip address 192.168.1.1 255.255.255.0
    [*DeviceB-GigabitEthernet1/0/2.1] vlan-type dot1q 1
    [*DeviceB-GigabitEthernet1/0/2.1] commit
    [~DeviceB-GigabitEthernet1/0/2.1] quit
    

  2. Configure DHCP relay on Device A.

    [~DeviceA] interface GigabitEthernet1/0/2
    [*DeviceA-GigabitEthernet1/0/2] dhcp select relay
    [*DeviceA-GigabitEthernet1/0/2] ip relay address 192.168.1.1
    [*DeviceA-GigabitEthernet1/0/2] commit
    [~DeviceA-GigabitEthernet1/0/2] quit
    

  3. Configure a network-side IP address pool on Device B. The gateway address of the IP address pool must be on the same network segment as the IP address of the inbound interface on Device A, the DHCP relay agent.

    <DeviceB> system-view
    [~DeviceB] ip pool huawei bas local
    [*DeviceB-ip-pool-huawei] gateway 11.11.11.1 24
    [*DeviceB-ip-pool-huawei] section 0 11.11.11.2 11.11.11.255
    [*DeviceB-ip-pool-huawei] dns-server 192.168.8.252
    [*DeviceB-ip-pool-huawei] commit
    [~DeviceB-ip-pool-huawei] quit
    

  4. Configure AAA schemes.

    # Configure an authentication scheme.

    [~DeviceB] aaa
    [*DeviceB-aaa] authentication-scheme auth2
    [*DeviceB-aaa-authen-auth2] authentication-mode radius
    [*DeviceB-aaa-authen-auth2] commit
    [~DeviceB-aaa-authen-auth2] quit

    # Configure an accounting scheme.

    [~DeviceB-aaa] accounting-scheme acct2
    [*DeviceB-aaa-accounting-acct2] accounting-mode radius
    [*DeviceB-aaa-accounting-acct2] commit
    [~DeviceB-aaa-accounting-acct2] quit
    [~DeviceB-aaa] quit

  5. Configure a RADIUS server group.

    [~DeviceB] radius-server group rd2
    [*DeviceB-radius-rd2] radius-server authentication 192.168.8.249 1812
    [*DeviceB-radius-rd2] radius-server accounting 192.168.8.249 1813
    [*DeviceB-radius-rd2] radius-server type standard
    [*DeviceB-radius-rd2] radius-server shared-key-cipher it-is-my-secret1
    [*DeviceB-radius-rd2] commit
    [~DeviceB-radius-rd2] quit

  6. Configure domains.

    # Configure a domain named default0 to be the pre-authentication domain for web authentication.

    [~DeviceB] user-group huawei
    [*DeviceB] aaa
    [*DeviceB-aaa] domain default0
    [*DeviceB-aaa-domain-default0] user-group huawei
    [*DeviceB-aaa-domain-default0] web-server 192.168.8.251
    [*DeviceB-aaa-domain-default0] web-server url http://192.168.8.251
    [*DeviceB-aaa-domain-default0] ip-pool huawei
    [*DeviceB-aaa-domain-default0] commit
    [~DeviceB-aaa-domain-default0] quit

    # Configure a domain named isp2 to be the post-authentication domain for web authentication.

    [~DeviceB-aaa] domain isp2
    [*DeviceB-aaa-domain-isp2] authentication-scheme auth2
    [*DeviceB-aaa-domain-isp2] accounting-scheme acct2
    [*DeviceB-aaa-domain-isp2] radius-server group rd2
    [*DeviceB-aaa-domain-isp2] portal-server 192.168.8.251
    [*DeviceB-aaa-domain-isp2] portal-server url http://192.168.8.251/portal/admin/
    [*DeviceB-aaa-domain-isp2] commit
    [~DeviceB-aaa-domain-isp2] quit
    [~DeviceB-aaa] quit

  7. Configure a WEB server.

    [~DeviceB] web-auth-server 192.168.8.251 key webvlan

  8. Configure UCL.

    # Configure UCL rules.

    [~DeviceB] acl 6000
    [*DeviceB-acl-ucl-6000] rule 10 permit ip source user-group huawei destination ip-address 127.0.0.1 0
    [*DeviceB-acl-ucl-6000] rule 15 permit ip source ip-address 127.0.0.1 0  destination user-group huawei
    NOTE:

    In this example, a UCL rule is configured to permit packets destined for 127.0.0.1 to be sent to the CPU of Device B.

    [*DeviceB-acl-ucl-6000] rule 20 permit ip source user-group huawei destination ip-address 192.168.8.252 0
    [*DeviceB-acl-ucl-6000] rule 25 permit ip source ip-address 192.168.8.252 0  destination user-group huawei
    [*DeviceB-acl-ucl-6000] rule 30 permit ip source user-group huawei destination ip-address 192.168.8.249 0
    [*DeviceB-acl-ucl-6000] rule 35 permit ip source ip-address 192.168.8.249 0  destination user-group huawei
    [*DeviceB-acl-ucl-6000] rule 40 permit ip source user-group huawei destination ip-address 192.168.8.251 0
    [*DeviceB-acl-ucl-6000] rule 45 permit ip source ip-address 192.168.8.251 0  destination user-group huawei
    [*DeviceB-acl-ucl-6000] commit
    [~DeviceB-acl-ucl-6000] quit
    [~DeviceB] acl 6001
    [*DeviceB-acl-ucl-6001] rule 10 permit tcp source user-group huawei destination-port eq www
    [*DeviceB-acl-ucl-6001] rule 15 permit tcp source user-group huawei destination-port eq 8080
    [*DeviceB-acl-ucl-6001] commit
    [~DeviceB-acl-ucl-6001] quit
    [~DeviceB] acl 6002
    [*DeviceB-acl-ucl-6002] rule 5 permit ip source ip-address any destination user-group huawei
    [*DeviceB-acl-ucl-6002] commit
    [~DeviceB-acl-ucl-6002] quit

    # Configure traffic management policies.

    [~DeviceB] traffic classifier web_permit
    [*DeviceB-classifier-web_permit] if-match acl 6000
    [*DeviceB-classifier-web_permit] commit
    [~DeviceB-classifier-web_permit] quit
    [~DeviceB] traffic behavior web_permit
    [*DeviceB-behavior-web_permit] permit
    [*DeviceB-behavior-web_permit] commit
    [~DeviceB-behavior-web_permit] quit
    [~DeviceB] traffic classifier web_deny
    [*DeviceB-classifier-web_deny] if-match acl 6001
    [*DeviceB-classifier-web_deny] commit
    [~DeviceB-classifier-web_deny] quit
    [~DeviceB] traffic behavior web_deny
    [*DeviceB-behavior-web_deny] http-redirect
    [*DeviceB-behavior-web_deny] commit
    [~DeviceB-behavior-web_deny] quit
    [~DeviceB] traffic classifier web_out
    [*DeviceB-classifier-web_out] if-match acl 6002
    [*DeviceB-classifier-web_out] commit
    [~DeviceB-classifier-web_out] quit
    [~DeviceB] traffic behavior web_out
    [*DeviceB-behavior-web_out] deny
    [*DeviceB-behavior-web_out] commit
    [~DeviceB-behavior-web_out] quit
    [~DeviceB] traffic policy web 
    [*DeviceB-policy-web] classifier web_permit behavior web_permit
    [*DeviceB-policy-web] classifier web_deny behavior web_deny
    [*DeviceB-policy-web] commit
    [~DeviceB-policy-web] quit
    [~DeviceB] traffic policy web_out 
    [*DeviceB-policy-web_out] classifier web_permit behavior web_permit
    [*DeviceB-policy-web_out] classifier web_out behavior web_out
    [*DeviceB-policy-web_out] commit
    [~DeviceB-policy-web_out] quit
    

    # Apply user-side traffic management policies globally.

    [~DeviceB] traffic-policy web inbound
    [*DeviceB] traffic-policy web_out outbound
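To see what acl 6000 to 6002 and the two policies actually enforce for a user still in the pre-authentication domain default0, the following Python model (an added illustration, not Huawei code) walks a request through policy web and the reply through policy web_out. It assumes that in a VRP traffic policy the first matching classifier decides and that packets matching no classifier are forwarded unchanged.

```python
# Added illustration, not part of the Huawei guide: a minimal model of the walled
# garden that acl 6000-6002 and the two traffic policies build around users who are
# still in the pre-authentication domain default0 (user-group huawei).
from dataclasses import dataclass
from typing import Optional

PORTAL, RADIUS, DNS, CPU = "192.168.8.251", "192.168.8.249", "192.168.8.252", "127.0.0.1"
ALLOWED = {PORTAL, RADIUS, DNS, CPU}          # destinations permitted by acl 6000
GROUP = "huawei"                              # stands for "matches user-group huawei"

@dataclass(frozen=True)
class Packet:
    src: str                  # IP address, or GROUP for a pre-authentication user
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

def acl6000(p: Packet) -> bool:   # rules 10-45: user-group <-> allowed servers
    return (p.src == GROUP and p.dst in ALLOWED) or (p.src in ALLOWED and p.dst == GROUP)

def acl6001(p: Packet) -> bool:   # rules 10/15: HTTP (80, 8080) from the user-group
    return p.src == GROUP and p.proto == "tcp" and p.dport in (80, 8080)

def acl6002(p: Packet) -> bool:   # rule 5: anything addressed to the user-group
    return p.dst == GROUP          # (procedure writes it as permit, the config file as
                                   #  deny; the bound behavior is deny either way)

# (classifier, behavior) pairs in the order they are bound. Assumption about VRP:
# the first matching classifier wins and unmatched packets are forwarded unchanged.
POLICY_WEB = [(acl6000, "permit"), (acl6001, "http-redirect")]   # traffic-policy web inbound
POLICY_WEB_OUT = [(acl6000, "permit"), (acl6002, "deny")]        # traffic-policy web_out outbound

def apply_policy(policy, p: Packet) -> str:
    for matches, behavior in policy:
        if matches(p):
            return behavior
    return "forward"

def pre_auth_flow(dst: str, proto: str, dport: Optional[int] = None) -> tuple:
    """Fate of a pre-auth user's request (inbound policy) and of the reply (outbound)."""
    request = apply_policy(POLICY_WEB, Packet(GROUP, dst, proto, dport))
    reply = apply_policy(POLICY_WEB_OUT, Packet(dst, GROUP, proto))
    return request, reply

if __name__ == "__main__":
    for case in [(DNS, "udp", 53), (PORTAL, "tcp", 80),
                 ("203.0.113.10", "tcp", 80), ("203.0.113.10", "tcp", 443)]:
        print(case, "->", pre_auth_flow(*case))
```

The last case is the one to keep in mind: a non-HTTP request from an unauthenticated user (TCP 443, for example) matches neither classifier of the inbound policy and is forwarded, so the walled garden holds only because web_out drops the reply; the outbound policy is as essential as the redirect. Binding web_permit before web_deny is equally deliberate, since HTTP to the portal itself must be permitted rather than redirected.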
    

  9. Configure interfaces.

    # Configure a BAS interface.

    [*DeviceB] interface GigabitEthernet 1/0/2.1
    [*DeviceB-GigabitEthernet1/0/2.1] vlan-type dot1q 1
    [*DeviceB-GigabitEthernet1/0/2.1] ip address 192.168.1.1 255.255.255.0 
    [*DeviceB-GigabitEthernet1/0/2.1] bas
    [*DeviceB-GigabitEthernet1/0/2.1-bas] access-type layer3-subscriber default-domain pre-authentication default0 authentication isp2
    NOTE:

    For Layer 3 users that do not obtain IP addresses from Device B, run the layer3-subscriber start-ip-address [ end-ip-address ] [ vpn-instance instance-name ] domain-name domain-name command in the system view to specify the IP address segment on which the Layer 3 users reside and the authentication domain name.

    [*DeviceB-GigabitEthernet1/0/2.1-bas] commit
    [~DeviceB-GigabitEthernet1/0/2.1-bas] quit
    [~DeviceB-GigabitEthernet1/0/2.1] quit

    # Configure an uplink interface.

    [~DeviceB] interface GigabitEthernet 1/0/1
    [*DeviceB-GigabitEthernet1/0/1] ip address 192.168.8.1 255.255.255.0
    [*DeviceB-GigabitEthernet1/0/1] commit
    [~DeviceB-GigabitEthernet1/0/1] quit

Configuration Files

  • Device A configuration file

    #
     sysname DeviceA
    #
    interface GigabitEthernet1/0/2
     undo shutdown
     ip address 11.11.11.1 255.255.255.0
     ip relay address 192.168.1.1
     dhcp select relay
    #
    interface GigabitEthernet1/0/1.1
     vlan-type dot1q 1
     ip address 192.168.1.2 255.255.255.0
    #
    return
  • Device B configuration file

    #
     sysname DeviceB
    #
    user-group huawei
    #
    radius-server group rd2
     radius-server authentication 192.168.8.249 1812 weight 0
     radius-server accounting 192.168.8.249 1813 weight 0
     radius-server shared-key-cipher %^%#vS%796FO7%C~pB%CR=q;j}gSCqR-X6+P!.DYI@)%^%       
    #
    acl number 6000
     rule 10 permit ip source user-group huawei destination ip-address 127.0.0.1 0
     rule 15 permit ip source ip-address 127.0.0.1 0 destination user-group huawei
     rule 20 permit ip source user-group huawei destination ip-address 192.168.8.252 0
     rule 25 permit ip source ip-address 192.168.8.252 0 destination user-group huawei
     rule 30 permit ip source user-group huawei destination ip-address 192.168.8.249 0
     rule 35 permit ip source ip-address 192.168.8.249 0 destination user-group huawei
     rule 40 permit ip source user-group huawei destination ip-address 192.168.8.251 0
     rule 45 permit ip source ip-address 192.168.8.251 0 destination user-group huawei
    #
    acl number 6001
     rule 10 permit tcp source user-group huawei destination-port eq www
     rule 15 permit tcp source user-group huawei destination-port eq 8080
    #
    acl number 6002
     rule 5 deny ip source ip-address any destination user-group huawei
    #
    traffic classifier web_permit operator or
     if-match acl 6000
    traffic classifier web_deny operator or
     if-match acl 6001
    traffic classifier web_out operator or
     if-match acl 6002
    #
    traffic behavior web_permit
    traffic behavior web_deny
     http-redirect
    traffic behavior web_out
     deny
    #
    traffic policy web
     share-mode
     classifier web_permit behavior web_permit
     classifier web_deny behavior web_deny
    traffic policy web_out
     share-mode
     classifier web_permit behavior web_permit
     classifier web_out behavior web_out
    #
    ip pool huawei bas local
     gateway 11.11.11.1 255.255.255.0
     section 0 11.11.11.2 11.11.11.255 
     dns-server 192.168.8.252
    #
    aaa
     authentication-scheme auth2
     #
     accounting-scheme acct2
     #
     domain default0
      user-group huawei
      web-server 192.168.8.251
      web-server url http://192.168.8.251
      ip-pool huawei
     domain isp2
      authentication-scheme auth2
      accounting-scheme acct2
      radius-server group rd2
      portal-server 192.168.8.251
      portal-server url http://192.168.8.251/portal/admin/
    #
    interface GigabitEthernet1/0/2
     undo shutdown
    #
    interface GigabitEthernet1/0/2.1
     vlan-type dot1q 1
     ip address 192.168.1.1 255.255.255.0
     bas
     #
      access-type layer3-subscriber default-domain pre-authentication default0 authentication isp2
    #
     traffic-policy web inbound
     traffic-policy web_out outbound
    #
     web-auth-server 192.168.8.251 key webvlan
    #
    return
Updated: 2019-01-03

Document ID: EDOC1100055031
