NE40E V800R010C00 Configuration Guide - User Access 01

Example for Configuring MAC Authentication

This section gives an example of a MAC authentication scheme and walks through the service configuration against the networking diagram. The example covers the networking requirements, configuration roadmap, procedure, and configuration file.

Networking Requirements

As shown in Figure 6-9, users belong to domain a when they go online. On first access they must enter a user name and password for web authentication; the RADIUS server automatically records the terminal's MAC address and associates it with that user name and password, so that on later access the user is admitted to the network automatically without logging in again. A user whose authentication fails is redirected to domain b. Users in domain b can reach only restricted network addresses, such as the web server; when a domain b user tries to reach an address it is not allowed to access, it is forcibly redirected to the specified web server to re-enter the correct user name and password. After passing authentication the user moves to domain c and can access network resources normally.

Figure 6-9 MAC authentication networking diagram

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create three domains: MAC authentication domain a, pre-authentication domain b, and post-authentication domain c.

  2. Configure an AAA scheme.

  3. Create RADIUS server group d. In the group, configure the hw-auth-type attribute for authentication request packets and configure attribute translation so that hw-auth-type is converted into Huawei proprietary attribute 109.

  4. Create authentication scheme e and, in the scheme, configure the domain to which users are redirected when authentication fails.

  5. In MAC authentication domain a, enable MAC authentication and bind RADIUS server group d and authentication scheme e.

  6. In pre-authentication domain b, configure forced redirection to the specified web server, bind a user group that can access only limited resources, and bind the non-authentication and non-accounting schemes.

  7. In post-authentication domain c, bind the RADIUS authentication scheme and the accounting scheme.

  8. In the AAA view, run default-user-name include mac-address so that the MAC address carried in the user's connection request is used directly as the pure user name.

  9. Configure the pre-authentication and post-authentication domains on the BAS interface.

Procedure

  1. Create three domains: MAC authentication domain a, pre-authentication domain b, and post-authentication domain c.

    # Configure MAC authentication domain a, pre-authentication domain b, and post-authentication domain c.

    <Device> system-view
    [*Device] aaa
    [*Device-aaa] domain a
    [*Device-aaa-domain-a] quit
    [*Device-aaa] domain b
    [*Device-aaa-domain-b] quit
    [*Device-aaa] domain c
    [*Device-aaa-domain-c] commit
    [~Device-aaa-domain-c] quit
    [~Device-aaa] quit

  2. Configure an AAA scheme and the RADIUS server groups.

    # Create RADIUS server group d. In the group, configure the hw-auth-type attribute for authentication request packets and configure attribute translation so that hw-auth-type is converted into Huawei proprietary attribute 109.

    [*Device] radius-server group d
    [*Device-radius-d] radius-server authentication 192.168.7.249 1812
    [*Device-radius-d] radius-server accounting 192.168.7.249 1813
    [*Device-radius-d] radius-server type standard
    [*Device-radius-d] radius-server shared-key-cipher it-is-my-secret1
    [*Device-radius-d] radius-attribute include hw-auth-type
    [*Device-radius-d] radius-server attribute translate
    [*Device-radius-d] radius-attribute translate extend hw-auth-type vendor-specific 2011 109 access-request account
    [*Device-radius-d] commit
    [~Device-radius-d] quit

    # Configure RADIUS server group rd2.

    [*Device] radius-server group rd2
    [*Device-radius-rd2] radius-server authentication 192.168.8.249 1812
    [*Device-radius-rd2] radius-server accounting 192.168.8.249 1813
    [*Device-radius-rd2] radius-server type standard
    [*Device-radius-rd2] radius-server shared-key-cipher it-is-my-secret1
    [*Device-radius-rd2] commit
    [~Device-radius-rd2] quit

    # Create authentication scheme e and configure redirection to pre-authentication domain b when authentication fails.

    [*Device] aaa
    [*Device-aaa] authentication-scheme e
    [*Device-aaa-authen-e] authening authen-fail online authen-domain b
    [*Device-aaa-authen-e] commit
    [~Device-aaa-authen-e] quit

    # Configure authentication scheme auth2 as RADIUS authentication (the preceding quit left the CLI in the AAA view).

    [*Device-aaa] authentication-scheme auth2
    [*Device-aaa-authen-auth2] authentication-mode radius
    [*Device-aaa-authen-auth2] commit
    [~Device-aaa-authen-auth2] quit

    # Configure accounting scheme acct2 as RADIUS accounting.

    [*Device-aaa] accounting-scheme acct2
    [*Device-aaa-accounting-acct2] accounting-mode radius
    [*Device-aaa-accounting-acct2] commit
    [~Device-aaa-accounting-acct2] quit
    [~Device-aaa] quit

    # Configure authentication scheme auth3 as non-authentication.

    [*Device] aaa
    [*Device-aaa] authentication-scheme auth3
    [*Device-aaa-authen-auth3] authentication-mode none
    [*Device-aaa-authen-auth3] commit
    [~Device-aaa-authen-auth3] quit

    # Configure accounting scheme acct3 as non-accounting.

    [*Device-aaa] accounting-scheme acct3
    [*Device-aaa-accounting-acct3] accounting-mode none
    [*Device-aaa-accounting-acct3] commit
    [~Device-aaa-accounting-acct3] quit
    [~Device-aaa] quit

  3. Configure an address pool.

    [*Device] ip pool pool2 bas local
    [*Device-ip-pool-pool2] gateway 172.16.1.1 255.255.255.0
    [*Device-ip-pool-pool2] section 0 172.16.1.2 172.16.1.200
    [*Device-ip-pool-pool2] dns-server 192.168.8.252
    [*Device-ip-pool-pool2] commit
    [~Device-ip-pool-pool2] quit

  4. In MAC authentication domain a, enable MAC authentication and bind RADIUS server group d and authentication scheme e.

    [*Device] aaa
    [*Device-aaa] domain a
    [*Device-aaa-domain-a] radius-server group d
    [*Device-aaa-domain-a] authentication-scheme e
    [*Device-aaa-domain-a] accounting-scheme acct2
    [*Device-aaa-domain-a] ip-pool pool2
    [*Device-aaa-domain-a] mac-authentication enable
    [*Device-aaa-domain-a] commit
    [~Device-aaa-domain-a] quit

  5. Configure pre-authentication domain b. Users in the pre-authentication domain have restricted access only; bind the non-authentication and non-accounting schemes.

    [*Device] user-group web-before
    [*Device] aaa
    [*Device-aaa] http-redirect enable
    [*Device-aaa] domain b
    [*Device-aaa-domain-b] authentication-scheme auth3
    [*Device-aaa-domain-b] accounting-scheme acct3
    [*Device-aaa-domain-b] ip-pool pool2
    [*Device-aaa-domain-b] user-group web-before
    [*Device-aaa-domain-b] web-server 192.168.8.251
    [*Device-aaa-domain-b] web-server url http://192.168.8.251
    [*Device-aaa-domain-b] commit
    [~Device-aaa-domain-b] quit
    [~Device-aaa] quit

    # Configure the web authentication server.

    [*Device] web-auth-server 192.168.8.251 key webvlan

    # Configure ACL rules.

    [*Device] acl number 6004
    [*Device-acl-ucl-6004] rule 3 permit ip source user-group web-before destination user-group web-before
    [*Device-acl-ucl-6004] rule 5 permit ip source user-group web-before destination ip-address any
    [*Device-acl-ucl-6004] commit
    [~Device-acl-ucl-6004] quit
    [*Device] acl number 6005
    [*Device-acl-ucl-6005] rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
    [*Device-acl-ucl-6005] rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
    [*Device-acl-ucl-6005] rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
    [*Device-acl-ucl-6005] rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
    [*Device-acl-ucl-6005] rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
    [*Device-acl-ucl-6005] rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
    [*Device-acl-ucl-6005] commit
    [~Device-acl-ucl-6005] quit
    [*Device] acl number 6006
    [*Device-acl-ucl-6006] rule 5 permit ip destination user-group web-before
    [*Device-acl-ucl-6006] commit
    [~Device-acl-ucl-6006] quit
    [*Device] acl number 6008
    [*Device-acl-ucl-6008] rule 5 permit tcp source user-group web-before destination-port eq www
    [*Device-acl-ucl-6008] rule 10 permit tcp source user-group web-before destination-port eq 8080
    [*Device-acl-ucl-6008] commit
    [~Device-acl-ucl-6008] quit
    [*Device] acl number 6010
    [*Device-acl-ucl-6010] commit
    [~Device-acl-ucl-6010] quit

    # Configure traffic management policies.

    [*Device] traffic classifier web-out
    [*Device-classifier-web-out] if-match acl 6006
    [*Device-classifier-web-out] commit
    [~Device-classifier-web-out] quit
    [*Device] traffic classifier web-be-permit
    [*Device-classifier-web-be-permit] if-match acl 6005
    [*Device-classifier-web-be-permit] commit
    [~Device-classifier-web-be-permit] quit
    [*Device] traffic classifier http-before
    [*Device-classifier-http-before] if-match acl 6010
    [*Device-classifier-http-before] commit
    [~Device-classifier-http-before] quit
    [*Device] traffic classifier web-be-deny
    [*Device-classifier-web-be-deny] if-match acl 6004
    [*Device-classifier-web-be-deny] commit
    [~Device-classifier-web-be-deny] quit
    [*Device] traffic classifier redirect
    [*Device-classifier-redirect] if-match acl 6008
    [*Device-classifier-redirect] commit
    [~Device-classifier-redirect] quit
    [*Device] traffic behavior http-discard
    [*Device-behavior-http-discard] car cir 0 cbs 0 green pass red discard
    [*Device-behavior-http-discard] commit
    [~Device-behavior-http-discard] quit
    [*Device] traffic behavior web-out
    [*Device-behavior-web-out] deny
    [*Device-behavior-web-out] commit
    [~Device-behavior-web-out] quit
    [*Device] traffic behavior perm1
    [*Device-behavior-perm1] permit
    [*Device-behavior-perm1] commit
    [~Device-behavior-perm1] quit
    [*Device] traffic behavior deny1
    [*Device-behavior-deny1] deny
    [*Device-behavior-deny1] commit
    [~Device-behavior-deny1] quit
    [*Device] traffic behavior redirect
    [*Device-behavior-redirect] http-redirect plus
    [*Device-behavior-redirect] commit
    [~Device-behavior-redirect] quit
    [*Device] traffic policy web-out
    [*Device-policy-web-out] share-mode
    [*Device-policy-web-out] classifier web-be-permit behavior perm1
    [*Device-policy-web-out] classifier web-out behavior web-out
    [*Device-policy-web-out] commit
    [~Device-policy-web-out] quit
    [*Device] traffic policy web
    [*Device-policy-web] share-mode
    [*Device-policy-web] classifier web-be-permit behavior perm1
    [*Device-policy-web] classifier http-before behavior http-discard
    [*Device-policy-web] classifier redirect behavior redirect
    [*Device-policy-web] classifier web-be-deny behavior deny1
    [*Device-policy-web] commit
    [~Device-policy-web] quit

    # Apply the policies globally.

    [*Device] traffic-policy web inbound
    [*Device] traffic-policy web-out outbound

  6. Configure post-authentication domain c.

    [*Device] aaa
    [*Device-aaa] domain c
    [*Device-aaa-domain-c] authentication-scheme auth2
    [*Device-aaa-domain-c] accounting-scheme acct2
    [*Device-aaa-domain-c] radius-server group rd2
    [*Device-aaa-domain-c] commit
    [~Device-aaa-domain-c] quit
    [~Device-aaa] quit

  7. In the AAA view, configure the device to use the MAC address carried in the user's connection request directly as the pure user name.

    [*Device] aaa
    [*Device-aaa] default-user-name include mac-address -
    [*Device-aaa] default-password cipher Root@123
    [*Device-aaa] commit
    [~Device-aaa] quit

  8. Configure the pre-authentication domain, the post-authentication domain, and the authentication method on the BAS interface.

    [*Device] interface GigabitEthernet1/0/2
    [*Device-GigabitEthernet1/0/2] bas
    [*Device-GigabitEthernet1/0/2-bas] access-type layer2-subscriber default-domain pre-authentication a authentication c
    [*Device-GigabitEthernet1/0/2-bas] authentication-method web

  9. Run the commit command to commit the configuration.

Configuration File

#
 sysname Device
#
user-group web-before
#
radius-server group rd2
 radius-server authentication 192.168.8.249 1812 weight 0
 radius-server accounting 192.168.8.249 1813 weight 0 
 radius-server shared-key-cipher %$%$8;fLT*OW4VX|#9Dr(Gl!}M%4%$%$
#
radius-server group d
 radius-server authentication 192.168.7.249 1812 weight 0
 radius-server accounting 192.168.7.249 1813 weight 0 
 radius-server shared-key-cipher %$%$8;fLT*OW4VX|#9Dr(Gl!}M%4%$%$
 radius-server attribute translate
 radius-attribute include HW-Auth-Type
 radius-attribute translate extend HW-Auth-Type vendor-specific 2011 109 access-request account
#
acl number 6004
 rule 3 permit ip source user-group web-before destination user-group web-before
 rule 5 permit ip source user-group web-before destination ip-address any
#
acl number 6005
 rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
 rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
 rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
 rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
 rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
 rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
#
acl number 6006
 rule 5 permit ip destination user-group web-before
#
acl number 6008
 rule 5 permit tcp source user-group web-before destination-port eq www
 rule 10 permit tcp source user-group web-before destination-port eq 8080
#
acl number 6010
#
traffic classifier web-out operator or
 if-match acl 6006
traffic classifier web-be-permit operator or
 if-match acl 6005
traffic classifier http-before operator or
 if-match acl 6010
traffic classifier web-be-deny operator or
 if-match acl 6004
traffic classifier redirect operator or
 if-match acl 6008
#
traffic behavior http-discard
 car cir 0 cbs 0 green pass red discard
traffic behavior web-out
 deny
traffic behavior perm1
traffic behavior deny1
 deny
traffic behavior redirect
 http-redirect
#
traffic policy web-out
 share-mode
 classifier web-be-permit behavior perm1
 classifier web-out behavior web-out
traffic policy web
 share-mode
 classifier web-be-permit behavior perm1
 classifier http-before behavior http-discard
 classifier redirect behavior redirect    
 classifier web-be-deny behavior deny1
#
ip pool pool2 bas local
 gateway 172.16.1.1 255.255.255.0
 section 0 172.16.1.2 172.16.1.200
 dns-server  192.168.8.252
#
aaa
 http-redirect enable
 default-user-name include mac-address -
 default-password cipher %^%#oNUw%i-|"WcBgt8=fSVID7F<=K_N+.(ip[H\:a{D%^%#
 authentication-scheme auth2
 authentication-scheme auth3
  authentication-mode none
 authentication-scheme e
  authening authen-fail online authen-domain b
#
 accounting-scheme acct2
 accounting-scheme acct3
  accounting-mode none
 #
 domain a
  authentication-scheme e
  accounting-scheme acct2
  radius-server group d
  ip-pool pool2
  mac-authentication enable
 domain b
  authentication-scheme auth3
  accounting-scheme acct3
  ip-pool pool2
  user-group web-before
  web-server 192.168.8.251
  web-server url http://192.168.8.251
  web-server url-parameter
  
 domain c
  authentication-scheme auth2
  accounting-scheme acct2
  radius-server group rd2
#
interface GigabitEthernet1/0/2
 bas
 #
  access-type layer2-subscriber default-domain pre-authentication a authentication c
  authentication-method web
#
 traffic-policy web inbound
 traffic-policy web-out outbound
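As an added check that is not part of this guide, the Python script below reads a configuration file in the layout shown above and reports every domain, classifier or policy binding whose target scheme, user group, ACL, address pool or RADIUS group is never defined, which is the kind of mismatch that silently leaves a domain without its intended authentication or accounting. The sample configuration embedded in it is constructed and deliberately contains two dangling references.

```python
import re
DEFS = [  # (kind, regex): top-level objects, plus the schemes one level under "aaa"
    ("user-group", r"^user-group (\S+)$"), ("radius-group", r"^radius-server group (\S+)$"),
    ("acl", r"^acl number (\d+)$"), ("ip-pool", r"^ip pool (\S+)"),
    ("classifier", r"^traffic classifier (\S+)"), ("behavior", r"^traffic behavior (\S+)$"),
    ("authentication-scheme", r"^ authentication-scheme (\S+)$"),
    ("accounting-scheme", r"^ accounting-scheme (\S+)$"),
]
REFS = [  # (kind, regex): domain bindings (two-space indent) and classifier/policy bindings
    ("authentication-scheme", r"^  authentication-scheme (\S+)$"),
    ("accounting-scheme", r"^  accounting-scheme (\S+)$"),
    ("radius-group", r"^  radius-server group (\S+)$"), ("ip-pool", r"^  ip-pool (\S+)$"),
    ("user-group", r"^  user-group (\S+)$"), ("acl", r"^ if-match acl (\d+)$"),
    ("classifier", r"^ classifier (\S+) behavior \S+$"),
    ("behavior", r"^ classifier \S+ behavior (\S+)$"),
]

# Constructed sample in the layout of the configuration file above (not the page's own
# file); two dangling references are planted on purpose.
SAMPLE_CONFIG = """\
user-group web-before
acl number 6004
 rule 3 permit ip source user-group web-before destination user-group wlan
traffic classifier web-be-deny operator or
 if-match acl 6004
ip pool pool2 bas local
aaa
 authentication-scheme e
 accounting-scheme acct2
 domain a
  authentication-scheme e
  accounting-scheme e
  ip-pool pool2
"""

def check_config(text):
    """Return (kind, name, line_no) for every binding whose target is never defined."""
    defined = {kind: set() for kind, _ in DEFS}
    refs = []
    for no, line in enumerate(map(str.rstrip, text.splitlines()), 1):
        for kind, pat in DEFS:
            if m := re.match(pat, line):
                defined[kind].add(m.group(1))
        for kind, pat in REFS:
            if m := re.match(pat, line):
                refs.append((kind, m.group(1), no))
        if line.startswith(" rule "):  # UCL rules can name a user-group on either side
            refs += [("user-group", n, no) for n in re.findall(r"user-group (\S+)", line)]
    return [r for r in refs if r[1] not in defined[r[0]]]
```

Run it against the device's saved configuration before committing; an empty result means every binding resolves.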
Updated: 2018-07-12

Document ID: EDOC1100028564