No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

NE40E-M2 V800R010C10SPC500 Feature Description - User Access 01

This is NE40E-M2 V800R010C10SPC500 Feature Description - User Access
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
BRAS User Management

BRAS User Management

BRASs manage users in either of the following modes:

  • Based on domains

    In this mode, each user belongs to a domain. By default, if the user name used by a user to access a BRAS does not contain a domain name, the user is added to the default domain. Service attributes can be configured for a domain. Then all users in the domain have the same service attributes. This implementation allows the BRAS to manage users.

  • Based on user accounts

    User accounts and service attributes are configured on an AAA server, such as a RADIUS or HWTACACS server. The configured user accounts and service attributes are then delivered to users when they go online or dynamically delivered to users after the users go online.

    In actual applications (except in non-authentication and non-accounting scenarios), all user accounts must be configured on an AAA server, and all the domains to which the user accounts belong must be configured on the BRAS. The BRAS allows local user accounts to be configured and managed.

Generally, the service attributes configured in a domain have a lower priority than the service attributes delivered by an AAA server. Therefore, when service attributes configured in a domain and those delivered by an AAA server both exist on the BRAS, the BRAS prefers the service attributes delivered by the AAA server. The service attributes configured in a domain take effect only when no AAA server is available or the configured service attributes are not delivered by the AAA server.

Domain-based User Management

A domain is a collection of service management features. User management functions, such as AAA and traffic control, are implemented based on domains on a BRAS. Therefore, user groups can be differentiated by domains to have specific services.

The user name format can be username@domain or domain@username on a BRAS, where @ is a domain name delimiter. A domain name can precede or follow a user name, which can be configured. If a user name does not contain @, the user belongs to the default domain. Any user belongs to a specific domain.

Domain-based Access Management

In a domain, you can specify authentication, authorization, and accounting schemes and servers for user access, the authentication mode used in user authentication, the DNS server and IP address pool assignable to users, a limit on the number of access users, the address pool for allocating IPv6 addresses, NDRA prefixes, and PD prefixes, and DNS server's IPv6 address.

This section mainly describes the following attributes:

  • Time range control

    Domain-based time range control allows a domain to be automatically blocked in the specified time range. During this time range, users in this domain are denied access, and online users are forced offline. After this time range elapses, the domain becomes activated again, and the users in this domain are allowed access again. Four time ranges can be set for a domain, and all of them take effect, independent of each other.

  • Mandatory PPP authentication

    In normal situations, the PPP client and VT interface negotiate the PPP authentication mode, such as PAP, CHAP, or MSCHAP. If a mandatory PPP authentication mode is configured for a domain, this authentication mode is used.

  • IP address usage alarm

    After an IP address usage alarm threshold (in percentage) is configured, if the IP address usage in a domain exceeds the alarm threshold, the BRAS reports an alarm to the NMS. If no such alarm threshold is configured, the BRAS does not generate any alarm, irrespective of the IP address usage.

  • IPv6 address and prefix usage alarm functions

    After an IPv6 address and prefix usage alarm threshold (in percentage) is configured, if the usage of IPv6 addresses, NDRA prefixes, or PD prefixes in a domain exceeds the alarm threshold, the BRAS reports an alarm to the NMS. If no such alarm threshold is configured, the BRAS does not generate any alarm, irrespective of the usage of IPv6 addresses, NDRA prefixes, or PD prefixes.

  • Mandatory Portal

    If unauthorized users attempt to access addresses that they are not authorized to, the BRAS forcibly redirects their access requests to the mandatory web server.

Domain-based Service Management

After a user goes online, the user can be managed through a domain in terms of basic access services (such as the access to the Internet) or the authorities, bandwidth, and QoS of value-added services. The involved service attributes include QoS profile, user priority, captive portal, multicast group, time range, traffic statistics, accounting packet copy, and idle-cut. This section mainly describes the following attributes:

  • Captive portal

    When a user accesses an external network for the first time after being authenticated, the BRAS forcibly redirects the access request to a specific server, which is usually the portal server of a carrier. This implementation allows the user to access a carrier service immediately after the user accesses the Internet.

  • Idle-cut

    When a user's traffic volume goes below the lower threshold in a specified period of time, the BRAS considers the user idle, and therefore cuts off the connection with the user. When idle-cut is configured, you must also specify the time period and traffic.

    NOTE:
    • For Layer 2 DHCPv4 and DHCPv6 users whose IP addresses are not assigned by the BRAS (for example, they are assigned by a remote DHCP server), configuring idle-cut is not recommended. If idle-cut is configured and the users are logged out, the DHCP server will reclaim the IP addresses so that the users can no longer be triggered to go online.

    • For Layer 2 DHCPv4 and DHCPv6 users whose IP addresses are assigned by the BRAS, idle-cut can be configured.
      • If Layer 2 DHCPv4 users are logged out and need to be triggered to go online again, they must send ARP or IP packets to go online. Some STBs cannot send ARP packets to go online. By default, the device does not allow users to send ARP or IP packets to go online. In addition, IP address reservation based on leases or MAC addresses must be configured. If this function is not configured, the IP addresses used by users to go online may be allocated to other users, so that the users will fail to go online again.

      • If Layer 2 DHCPv6 users are logged out and need to be triggered to go online again, they must send NS/NA or IPv6 packets to go online. By default, the device does not allow users to send NS/NA or IPv6 packets to go online. In addition, IPv6 address reservation based on DUIDs or MAC addresses must be configured. If PD prefixes must be allocated, you must also configure prefix reservation. If these functions are not configured, the IPv6 addresses and prefixes used by users to go online may be allocated to other users, so that the users will fail to go online again.

    • Do not configure idle-cut for Layer 3 DHCPv4 and DHCPv6 users because they cannot be triggered to go online.

    • Idle-cut cannot be configured or leased lines or leased line users.

    • Idle-cut takes effect only for users who go online after idle-cut is configured.

  • Traffic statistics

    Traffic statistics cover the total traffic in a domain and the upstream and downstream traffic of each user.

  • Time range-based QoS control

    QoS control is performed for domain users in a specified time range. After the time range elapses, QoS control is no longer performed for domain users.

Download
Updated: 2019-01-02

Document ID: EDOC1100058415

Views: 14911

Downloads: 9

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next