
HUAWEI NetEngine80E/40E Router

V600R003C00

Configuration Guide - User Access

Issue 02
Date 2011-09-10

HUAWEI TECHNOLOGIES CO., LTD.


Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com
Email: support@huawei.com

Issue 02 (2011-09-10) Huawei Proprietary and Confidential i


Copyright Huawei Technologies Co., Ltd.
HUAWEI NetEngine80E/40E Router
Configuration Guide - User Access About This Document

About This Document

Purpose
This document is a guide to configuring the user access service. It describes the basic principles,
configuration procedures, and configuration methods of AAA, user management, DHCPv4,
DHCPv6, .

NOTE

• This document takes interface numbers and link types of the NE40E-X8 as an example. In working situations, the actual interface numbers and link types may be different from those used in this document.
• On NE80E/40E series excluding NE80E/40E-X1 and NE80E/40E-X2, line processing boards are called Line Processing Units (LPUs) and switching fabric boards are called Switching Fabric Units (SFUs). On the NE80E/40E-X1 and NE80E/40E-X2, there are no LPUs and SFUs, and NPUs implement the same functions of LPUs and SFUs to exchange and forward packets.

Related Versions
The following table lists the product versions related to this document.

Product Name                      Version
HUAWEI NetEngine80E/40E Router    V600R003C00

Intended Audience
This document is intended for:

• Commissioning engineers
• Data configuration engineers
• Network monitoring engineers
• System maintenance engineers


Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol     Description

DANGER     Alerts you to a high risk hazard that could, if not avoided, result in serious injury or death.

WARNING    Alerts you to a medium or low risk hazard that could, if not avoided, result in moderate or minor injury.

CAUTION    Alerts you to a potentially hazardous situation that could, if not avoided, result in equipment damage, data loss, performance deterioration, or unanticipated results.

TIP        Provides a tip that may help you solve a problem or save time.

NOTE       Provides additional information to emphasize or supplement important points in the main text.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention         Description

Boldface           The keywords of a command line are in boldface.

Italic             Command arguments are in italics.

[ ]                Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... }    Optional items are grouped in braces and separated by vertical bars. One item is selected.

[ x | y | ... ]    Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... }*   Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ]*   Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

&<1-n>             The parameter before the & sign can be repeated 1 to n times.

#                  A line starting with the # sign is a comment.


Change History
Changes in Issue 02 (2011-09-10)
The second commercial release has the following updates.
• BRAS Access Configuration
  As defined in 4.3.4 Configuring a BAS Interface, DHCP users can be filtered based on the ACL rule configured on a BAS interface.
• DHCPv4 Configuration
  As defined in 2.4.2 Creating a DHCPv4 Server Group, the polling mechanism can be used to select a DHCPv4 server.

Changes in Issue 01 (2011-06-30)
Initial commercial release.


Contents

About This Document.....................................................................................................................ii


1 AAA Configuration.......................................................................................................................1
1.1 AAA Overview...................................................................................................................................................2
1.1.1 Introduction to AAA..................................................................................................................................2
1.1.2 AAA Supported by the NE80E/40E..........................................................................................................3
1.2 Configuring AAA Schemes................................................................................................................................4
1.2.1 Establishing the Configuration Task.........................................................................................................4
1.2.2 (Optional) Enabling RADIUS or HWTACACS.......................................................................................5
1.2.3 Configuring an Authentication Scheme....................................................................................................5
1.2.4 (Optional) Configuring an Authorization Scheme....................................................................................7
1.2.5 Configuring an Accounting Scheme..........................................................................................................8
1.2.6 (Optional) Configuring a Recording Scheme..........................................................................................10
1.2.7 Checking the Configuration.....................................................................................................................11
1.3 Configuring a RADIUS Server.........................................................................................................................13
1.3.1 Establishing the Configuration Task.......................................................................................................13
1.3.2 Creating a RADIUS Server Group..........................................................................................................14
1.3.3 Configuring RADIUS Authentication and Accounting Servers..............................................................15
1.3.4 (Optional) Configuring the Algorithm for Selecting a RADIUS Server.................................................16
1.3.5 (Optional) Configuring Negotiated Parameters of the RADIUS Server.................................................16
1.3.6 (Optional) Disabling RADIUS Attributes...............................................................................................18
1.3.7 (Optional) Configuring RADIUS Attribute Translation.........................................................................19
1.3.8 (Optional) Configuring the Tunnel Password Delivery Mode................................................................20
1.3.9 (Optional) Configuring the Class Attribute to Carry the CAR Value.....................................................21
1.3.10 (Optional) Configuring the Format of the NAS-Port Attribute.............................................................22
1.3.11 (Optional) Configuring the Source Interface of a RADIUS Server......................................................22
1.3.12 (Optional) Configuring a RADIUS Authorization Server.....................................................................23
1.3.13 (Optional) Setting the Status Parameters of a RADIUS Server............................................................24
1.3.14 (Optional) Configuring the Extended Source Interfaces of a RADIUS Server.....................................24
1.3.15 Checking the Configuration...................................................................................................................25
1.4 Configuring an HWTACACS Server...............................................................................................................27
1.4.1 Establishing the Configuration Task.......................................................................................................28
1.4.2 Creating an HWTACACS Server Template............................................................................................28
1.4.3 Configuring HWTACACS Authentication/Authorization/Accounting Servers.....................................29


1.4.4 Configuring the Source IP Address of an HWTACACS Server.............................................................31


1.4.5 (Optional) Setting the Negotiated Parameters of the HWTACACS Server............................................31
1.4.6 (Optional) Configuring the Timers for the HWTACACS Server...........................................................33
1.4.7 (Optional) Configuring Retransmission of Accounting Stop Packets.....................................................34
1.4.8 (Optional) Configuring HWTACACS Users to Change Passwords.......................................................35
1.4.9 Checking the Configuration.....................................................................................................................35
1.5 Configuring Bill Saving....................................................................................................................................36
1.5.1 Establishing the Configuration Task.......................................................................................................36
1.5.2 Creating a Local CDR Pool.....................................................................................................................37
1.5.3 Configuring the Backup Mode of Cached Bills......................................................................................38
1.5.4 (Optional) Backing up Bills in the CF Card to the Bill Server................................................................38
1.5.5 (Optional) Backing up the Bills in the Cache to the Bill Server.............................................................40
1.5.6 Checking the Configuration.....................................................................................................................42
1.6 Configuring a Domain......................................................................................................................................42
1.6.1 Establishing the Configuration Task.......................................................................................................43
1.6.2 Creating a Domain...................................................................................................................................44
1.6.3 Configuring an AAA Scheme for a Domain...........................................................................................44
1.6.4 Configuring Servers for a Domain..........................................................................................................45
1.6.5 Specifying an IPv4 Address Pool for a Domain......................................................................................46
1.6.6 (Optional) Setting the Maximum Number of Access Users for a Domain..............................................47
1.6.7 (Optional) Setting the Maximum Number of Sessions for an Account..................................................48
1.6.8 (Optional) Setting the Priority of a Domain User....................................................................................48
1.6.9 (Optional) Configuring Additional Functions for a Domain...................................................................49
1.6.10 (Optional) Activating a Domain............................................................................................................52
1.6.11 Checking the Configuration...................................................................................................................53
1.7 Maintaining AAA.............................................................................................................................................54
1.7.1 Clearing AAA Statistics..........................................................................................................................54
1.8 Configuration Examples...................................................................................................................................55
1.8.1 Example for Performing Authentication and Accounting for Users by Using RADIUS........................55
1.8.2 Example for Configuring HWTACACS Authentication, Authorization, and Accounting.....................59
1.8.3 Example for Configuring HWTACACS Authentication and Authorization on the MPLS VPN...........62

2 DHCPv4 Configuration..............................................................................................................74
2.1 Introduction to DHCPv4...................................................................................................................................75
2.2 DHCPv4 Supported by the NE80E/40E...........................................................................................................75
2.3 Configuring an IPv4 Address Pool...................................................................................................................75
2.3.1 Establishing the Configuration Task.......................................................................................................75
2.3.2 Creating an Address Pool........................................................................................................................78
2.3.3 (Optional) Configuring Static IP Address Binding.................................................................................80
2.3.4 (Optional) Configuring DNS Services for the DHCPv4 Client..............................................................80
2.3.5 (Optional) Configuring NetBIOS Services for the DHCPv4 Client........................................................81
2.3.6 (Optional) Configuring SIP Services for the DHCPv4 Client.................................................................82
2.3.7 (Optional) Configuring DHCPv4 Self-Defined Options.........................................................................83


2.3.8 (Optional) Configuring Address Protection............................................................................................84


2.3.9 Checking the Configuration.....................................................................................................................85
2.4 Configuring a DHCPv4 Server Group..............................................................................................................86
2.4.1 Establishing the Configuration Task.......................................................................................................86
2.4.2 Creating a DHCPv4 Server Group..........................................................................................................87
2.4.3 Associating the IP Address Pool and the DHCPv4 Server Group..........................................................88
2.4.4 Checking the Configuration.....................................................................................................................89
2.5 Configuring DHCPv4 Relay.............................................................................................................................89
2.5.1 Establishing the Configuration Task.......................................................................................................90
2.5.2 Configuring Relay...................................................................................................................................90
2.5.3 Checking the Configuration.....................................................................................................................92
2.6 Adjusting DHCPv4 Service Parameters...........................................................................................................93
2.6.1 Establishing the Configuration Task.......................................................................................................93
2.6.2 Configuring Global DHCPv4 Parameters...............................................................................................93
2.6.3 Configuring Transparent Transmission of DHCPv4 Packets..................................................................94
2.6.4 Enabling a DHCPv4 Server to Detect Unauthorized DHCPv4 Servers..................................................95
2.6.5 Enabling the Detection of an IP Address Conflict..................................................................................95
2.6.6 Saving DHCPv4 Data..............................................................................................................................96
2.6.7 Restoring DHCPv4 Data.........................................................................................................................97
2.6.8 Checking the Configuration.....................................................................................................................97
2.7 Maintaining DHCPv4.......................................................................................................................................98
2.7.1 Clearing DHCPv4 Statistics....................................................................................................................98
2.7.2 Monitoring DHCPv4 Operation Status....................................................................................................99
2.8 Configuration Examples...................................................................................................................................99
2.8.1 Example for Configuring Address Assignment Based on the Local Address Pool..............................100
2.8.2 Example for Configuring Address Assignment Based on the Remote Address Pool...........................103
2.8.3 Example for Configuring Layer 3 DHCPv4 User Access.....................................................................107
2.8.4 Example for Configuring IP Address Assignment for Ethernet Users (with No Relay Agent)............111
2.8.5 Example for Configuring IP Address Assignment for Ethernet Users (with a Relay Agent Deployed)......114

3 DHCPv6 Configuration............................................................................................................118
3.1 Introduction to DHCPv6.................................................................................................................................119
3.1.1 DHCPv6 Overview................................................................................................................................119
3.1.2 DHCPv6 Features Supported by the NE80E/40E.................................................................................119
3.2 Configuring a DHCPv6 Relay Agent.............................................................................................................119
3.2.1 Establishing the Configuration Task.....................................................................................................120
3.2.2 Enabling DHCPv6 Relay.......................................................................................................................120
3.2.3 Enabling DHCPv6 on Network-side Interfaces.....................................................................................122
3.2.4 Checking the Configuration...................................................................................................................122

4 BRAS Access Configuration....................................................................................................124


4.1 Introduction....................................................................................................................................................125
4.1.1 Overview of BRAS Authentication.......................................................................................................125


4.1.2 Access Authentication Supported by the NE80E/40E..........................................................................125


4.2 Configuring the Authentication Mode............................................................................................................126
4.2.1 Establishing the Configuration Task.....................................................................................................126
4.2.2 Configuring Web Authentication or Fast Authentication......................................................................127
4.2.3 Configuring Other Authentication Modes.............................................................................................129
4.2.4 Checking the Configuration...................................................................................................................130
4.3 Configuring the IPoX Access Service............................................................................................................132
4.3.1 Establishing the Configuration Task.....................................................................................................132
4.3.2 Creating a Static User............................................................................................................................134
4.3.3 Binding Sub-interfaces to a VLAN.......................................................................................................135
4.3.4 Configuring a BAS Interface.................................................................................................................136
4.3.5 Checking the Configuration...................................................................................................................139
4.4 Configuring and Managing Users...................................................................................................................140
4.4.1 Establishing the Configuration Task.....................................................................................................140
4.4.2 Configuring User Account Parsing........................................................................................................141
4.4.3 Creating a Local User Account.............................................................................................................142
4.4.4 Configuring the User Name Format and Password...............................................................................144
4.4.5 Configuring the Local User Status........................................................................................................145
4.4.6 Configuring the Limit on the Number of Access Users........................................................................146
4.4.7 Disconnecting Online Users..................................................................................................................147
4.4.8 Generating Offline Records and Online Failure Records......................................................................148
4.4.9 Tracing Services of Users......................................................................................................................149
4.4.10 Checking the Configuration.................................................................................................................149
4.5 Maintaining BRAS Access.............................................................................................................................151
4.5.1 Displaying BRAS Access Information..................................................................................................151
4.5.2 Clearing BRAS Access Information......................................................................................................151
4.6 Configuration Examples.................................................................................................................................152
4.6.1 Example for Configuring the IPoE Access Service for VPN Users by Using Web Authentication......152
4.6.2 Example for Configuring the IPoEoVLAN Access Service..................................................................157
4.6.3 Example for Configuring the IPoEoQ Access Service..........................................................................160
4.6.4 Example for Configuring Remote Authentication for Static Users.......................................................163
4.6.5 Example for Configuring Local Authentication for Static Users..........................................................167

A Glossary......................................................................................................................................171
B Acronyms and Abbreviations.................................................................................................174


1 AAA Configuration

About This Chapter

This chapter describes how to configure authentication, authorization, and accounting (AAA)
to implement local or remote authentication, authorization, and accounting.

1.1 AAA Overview
This section describes concepts related to AAA, including the AAA scheme, RADIUS server
template, HWTACACS server template, and domain attribute.
1.2 Configuring AAA Schemes
By configuring AAA schemes, you can determine the authentication, authorization, and
accounting modes for a user.
1.3 Configuring a RADIUS Server
A RADIUS server must be configured to perform authentication and accounting by using
RADIUS.
1.4 Configuring an HWTACACS Server
An HWTACACS server must be configured to perform authentication and accounting by using
HWTACACS.
1.5 Configuring Bill Saving
Saving bills to the local device keeps a backup of the bills held on the remote accounting server,
so that accounting information is still available when the remote server fails.
1.6 Configuring a Domain
The NE80E/40E supports domain-based management for local users and access users.
1.7 Maintaining AAA
This section describes how to maintain AAA by clearing HWTACACS statistics and debugging
RADIUS or HWTACACS.
1.8 Configuration Examples
This section provides configuration examples of AAA, including networking requirements,
configuration notes, and configuration roadmap.


1.1 AAA Overview


This section describes concepts related to AAA, including the AAA scheme, RADIUS server
template, HWTACACS server template, and domain attribute.

1.1.1 Introduction to AAA


AAA can be performed for domain users by using a remote RADIUS or HWTACACS server.

AAA
AAA provides security functions for user authentication, authorization, and accounting.
• Authentication: determines the users who can access the network.
• Authorization: authorizes users to use specific services.
• Accounting: records usage of network resources of users.
AAA adopts the client/server model. This model has good extensibility and facilitates
concentrated management over user information.
AAA supports three types of authentication modes: non-authentication, local authentication, and
remote authentication. Remote authentication is implemented through either the Remote
Authentication Dial In User Service (RADIUS) or the Huawei Terminal Access Controller Access
Control System (HWTACACS).
AAA supports four types of authorization modes: direct authorization, local authorization,
HWTACACS authorization, and if-authenticated authorization.

NOTE

• RADIUS integrates authentication and authorization. Therefore, RADIUS authorization accompanies
  RADIUS authentication.
• Users that have passed HWTACACS authentication can actively modify the passwords saved on the
  HWTACACS server.

AAA supports the following accounting modes: non-accounting and remote accounting.


All user authentication, authorization, and accounting should be performed in the domain view.

Domain-based User Management


The network access server (NAS) can manage users in two ways.
• Managing users based on domains: You can configure the default authorization, RADIUS/
  HWTACACS template, and authentication and accounting schemes in the domain.
• Managing users based on user accounts.
In current AAA implementations, users are categorized into different domains. The domain to
which a user belongs depends on the character string that follows "@" in the user name. For
example, the user "user@hua" belongs to the domain "hua". If there is no "@" in the user name,
the user belongs to the default0 domain, default1 domain or default_admin domain.
In the AAA view, users can create a maximum of 1021 domains in addition to the default0 domain,
default1 domain, and default_admin domain.


To perform AAA for users, you need to configure authentication, authorization, and accounting
modes in the AAA view, and then apply the authentication, authorization, and accounting
schemes in the domain view.

The authorization configured in the domain view has a lower priority than the authorization
delivered by an AAA server. That is, the authorization delivered by an AAA server is preferred.
When the AAA server does not have or support the authorization, the authorization configured
in the domain view takes effect. In this manner, you can add services flexibly through
domain management without depending on authorization from the AAA server.

1.1.2 AAA Supported by the NE80E/40E


The NE80E/40E supports AAA implemented through a local or remote server. HWTACACS
users can change passwords on the NE80E/40E.

The NE80E/40E supports the following authentication, authorization, and accounting schemes,
and manages users based on domains.

1. Authentication
The authentication modes supported by AAA include non-authentication, local
authentication, and remote authentication. Remote authentication can be performed
through either RADIUS or HWTACACS.
Authentication modes can be combined, and the combination is configured through
commands. If the first authentication mode fails (including the case where the remote
server does not respond), the NE80E/40E tries the next mode in the configured sequence
of authentication modes. For example, you can configure authentication to be performed
in the sequence RADIUS authentication, local authentication, and then non-authentication.
2. Authorization
The authorization modes supported by AAA include direct authorization, local
authorization, HWTACACS authorization, and if-authenticated authorization.
NOTE

RADIUS integrates authorization and authentication. Therefore, RADIUS authorization
accompanies RADIUS authentication.
The NE80E/40E supports Change of Authorization (CoA). Authorization information about online
users can be dynamically changed. While maintaining the online status of users, the network
administrator can modify the service attributes on the RADIUS server and then send CoA packets
to dynamically change the services used by users. This authorization mode is referred to as dynamic
authorization.
3. Accounting
The accounting modes supported by AAA include non-accounting and remote accounting.
After being authenticated and authorized, users successfully go online, and accounting
starts with the access of services. Accounting is performed based on online time, user traffic,
or both. The accounting process is as follows: The NE80E/40E collects statistics on the
online time and the upstream and downstream traffic, and then sends the statistics to the
RADIUS or HWTACACS server in the format specified by the RADIUS or HWTACACS
protocol. Finally, the server returns a message to the NE80E/40E indicating whether
accounting succeeds.
NOTE

User authentication, authorization, and accounting must be performed in the domain view.
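The domain lookup and the ordered authentication fallback described above, modelled in Python as an added example (not Huawei's code). It assumes, following the wording of the authentication-mode step later in this chapter, that only a missing response (silent remote server, or user not configured locally) moves on to the next mode, that users without "@" land in default0, and that the remote backends are stubs.

```python
"""Model of domain-based user lookup and ordered authentication fallback.
Added example, not Huawei code; backends are stub callables (assumption)."""
from enum import Enum
from typing import Callable

class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"            # explicit failure: credentials were wrong
    NO_RESPONSE = "no-response"  # remote server silent, or user unknown locally

DEFAULT_DOMAIN = "default0"  # assumption: the default domain used when '@' is absent

# Default authentication schemes named on the page:
# default0 = non-authentication, default1 = RADIUS, default = local then RADIUS.
DEFAULT_SCHEMES = {
    "default0": ["none"],
    "default1": ["radius"],
    "default": ["local", "radius"],
}

def split_user_name(user_name: str) -> tuple[str, str]:
    """'user@hua' -> ('user', 'hua'); a name without '@' belongs to the default domain."""
    if "@" not in user_name:
        return user_name, DEFAULT_DOMAIN
    user, domain = user_name.split("@", 1)  # the string after '@' is the domain
    return user, domain

Backend = Callable[[str, str], Result]

def authenticate(modes: list[str], user_name: str, password: str,
                 local_users: dict[str, str],
                 remote: dict[str, Backend]) -> tuple[Result, str]:
    """Try the configured modes in order and return (result, deciding mode).

    Only NO_RESPONSE moves on to the next mode. An explicit REJECT ends the
    attempt, so a wrong password never falls through to a later, weaker mode.
    """
    for mode in modes:
        if mode == "none":
            return Result.ACCEPT, mode          # non-authentication admits anyone
        if mode == "local":
            stored = local_users.get(user_name)  # toy store: plaintext, for the model only
            if stored is None:
                result = Result.NO_RESPONSE      # user info not configured locally
            else:
                result = Result.ACCEPT if stored == password else Result.REJECT
        elif mode in ("radius", "hwtacacs"):
            result = remote[mode](user_name, password)
        else:
            raise ValueError(f"unknown authentication mode {mode!r}")
        if result is not Result.NO_RESPONSE:
            return result, mode
    return Result.REJECT, "exhausted"            # every mode stayed silent

def unauthenticated_fallback(modes: list[str]) -> bool:
    """True when a scheme ends in 'none': a silent server then admits unknown users."""
    return bool(modes) and modes[-1] == "none"

if __name__ == "__main__":
    silent: Backend = lambda u, p: Result.NO_RESPONSE   # constructed: RADIUS never answers
    local = {"alice": "s3cret"}                          # constructed local user
    print(split_user_name("user@hua"))
    print(authenticate(["radius", "local", "none"], "mallory", "x", local, {"radius": silent}))
    print(unauthenticated_fallback(["radius", "local", "none"]))
```

With a silent RADIUS server, the scheme ending in none admits a user who is unknown locally, while the default scheme (local radius) rejects that user once every mode has been exhausted.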


The NE80E/40E supports two methods of modifying passwords of users after they pass through
HWTACACS authentication:
l The HWTACACS server enables users to modify passwords.
l Users actively modify their passwords through commands.

HWTACACS supports VPN instance-based forwarding. When the HWTACACS server of an
operator is deployed in a VPN and the NE80E/40E is deployed in the public network, the NE80E/
40E communicates with the HWTACACS server through the VPN instance to implement
authentication, authorization, and accounting for users.

1.2 Configuring AAA Schemes


By configuring AAA schemes, you can determine the authentication, authorization, and
accounting modes for a user.

1.2.1 Establishing the Configuration Task


Before configuring AAA schemes, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
To provide access services for authorized users and protect sensitive network devices against
unauthorized access, configure AAA on the router.

NOTE

AAA is always enabled on the NAS.

Addresses, such as Class A addresses XXX.255.255.255 and XXX.0.0.0, Class B addresses
XXX.XXX.255.255 and XXX.XXX.0.0, and Class C addresses XXX.XXX.XXX.255 and
XXX.XXX.XXX.0, must not be configured as valid start or end addresses in an address pool.
Such addresses in an address pool cannot be allocated.

NOTE

IP address negotiation needs to be configured on the client and server respectively.

Pre-configuration Tasks
Before configuring AAA schemes, complete the following tasks:

Configuring parameters of the link layer protocol and IP addresses for the interfaces, ensuring
that the status of the link layer protocol on the interfaces is Up

Data Preparation
To configure AAA schemes, you need the following data.

No. Data

1 Name of the authentication scheme and authentication mode


2 (Optional) Name of the authorization scheme, authorization mode, level of the
HWTACACS user to be authorized through command lines, and timeout period of
command-line-based authorization

3 Name of the accounting scheme, accounting mode, interval for real-time accounting,
accounting-start failure policy, real-time accounting failure policy, and number of
real-time accounting failures

4 (Optional) Name of the recording scheme, name of the HWTACACS server template
associated with the recording mode, and events to be recorded

5 Interface type and interface number of the server and client, ID and IP address range
of the address pool, and IP addresses to be allocated to users when no address pool
is used

1.2.2 (Optional) Enabling RADIUS or HWTACACS


After RADIUS or HWTACACS is enabled, AAA requests sent from users are forwarded. After
RADIUS or HWTACACS is disabled, AAA requests sent from users are discarded.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 (Optional) Run the following command as required.

l To enable RADIUS, run:
radius enable

l To enable HWTACACS, run:
hwtacacs enable

RADIUS or HWTACACS is enabled by default.

----End

1.2.3 Configuring an Authentication Scheme


After configuring an authentication mode, you need to configure relevant user information on
the authentication server; if user information is not configured, users cannot pass the
authentication.

Context
Do as follows on the router:


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
authentication-scheme scheme-name

An authentication scheme is created.

Step 4 Run:
authentication-mode { hwtacacs | radius | local } * [ none ]

An authentication mode is set.

The NE80E/40E supports RADIUS authentication, HWTACACS authentication, local
authentication, and non-authentication. In addition, the NE80E/40E supports secondary
authentication. This means that if there is no response from the first authentication (the remote
server does not respond or user information is not configured on the local device), the NE80E/
40E performs authentication in another mode.

The authentication schemes named default, default0, and default1 are set by default on the
NE80E/40E. They can be modified but cannot be deleted.
l By default, the authentication mode of default0 is non-authentication.
l By default, the authentication mode of default1 is RADIUS authentication.
l By default, the authentication mode of default is local radius, that is, local authentication
followed by RADIUS authentication.

Step 5 (Optional) Run:
authening authen-fail { offline | online authen-domain domain-name }

The policy for handling the authentication failure is configured.

The policy for handling the authentication failure refers to the policy used by the NE80E/40E
after the user fails the authentication. By default, if the authentication fails, the NE80E/40E
forces the user to log out. If you enable the secondary authentication function for the user (for
example, after the PPP authentication fails, the Web authentication is used), the NE80E/40E
keeps the user online when the first authentication fails. In this case, the user is added to a default
domain (default0 by default).

NOTE

The policy for handling the authentication failure cannot be configured on the X1 or X2 models of the
NE80E/40E.

Step 6 (Optional) Run:
authentication-super { [ hwtacacs | super ] * | none } *

The method of changing the administrative level of an operator is configured.

If users want to change their administrative levels online, for example, a Telnet user of level 2
wants to change the administrative level to 3, the user must pass the authentication.


The NE80E/40E supports non-authentication, HWTACACS authentication, and super
authentication for changing the administrative level of an operator. The NE80E/40E supports
secondary authentication. If the super password is not configured for super authentication, or
the HWTACACS server does not respond in HWTACACS authentication, you can adopt another
authentication scheme according to the configuration.
Step 7 (Optional) Run:
authening authen-redirect online authen-domain domain-name

The redirection domain is configured.


After you configure the redirection domain, users that pass the authentication and users
that fail the authentication go online from different domains.
By configuring a private IP address pool, UCL-based access control, and a security domain in the
redirection domain, you can differentiate address allocation (private addresses or public
addresses) and access control for different user domains. In this manner, users in
different domains are separated by differentiated configurations. This solution effectively saves
Internet IP addresses and prevents unauthorized users from occupying many Internet IP
addresses.

NOTE

The redirection domain cannot be configured on the X1 or X2 models of the NE80E/40E.

----End

1.2.4 (Optional) Configuring an Authorization Scheme


The default authorization mode is local authorization. RADIUS integrates authentication and
authorization. HWTACACS separates authentication and authorization. HWTACACS allows
user-based authorization and command-line authorization.

Context
Do as follows on the router:

NOTE

l You can configure command-line authorization for users of a certain level only when HWTACACS is
adopted.
l Command-line authorization of HWTACACS is irrelevant to the authorization mode configured by
using the authorization-mode command.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
authorization-scheme authorization-scheme-name


An authorization scheme is created and the authorization scheme view is displayed.


By default, an authorization scheme named default exists. This scheme can be modified but
cannot be deleted.
Step 4 Run:
authorization-mode { hwtacacs | if-authenticated | local } * [ none ]

The authorization mode is configured.


By default, the authorization mode is set to local.
If the authorization mode is set to HWTACACS, you must configure an HWTACACS server
template and apply the template in the view of the domain to which the user belongs.
Step 5 Run:
authorization-cmd privilege-level hwtacacs [ local ]

Command-line authorization is enabled.


By default, command-line authorization is disabled.
If command-line authorization is enabled, you must configure an HWTACACS template and
apply the template in the view of the domain to which the user belongs.
Step 6 Run:
authorization-cmd no-response-policy { online | offline [ max-times max-times-value ] }

The policy for authorization failures in the case where the HWTACACS server is unavailable
or no user is locally configured is set.
Step 7 Run:
quit

Return to the AAA view.


Step 8 Run:
quit

Return to the system view.


Step 9 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.


Step 10 Run:
hwtacacs-server timer response-timeout timeout-value

The timeout period of the authorization response is set.

----End

1.2.5 Configuring an Accounting Scheme


You need to configure an accounting scheme before implementing accounting for users.

Context
Do as follows on the router:


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
accounting-scheme scheme-name

An accounting scheme is created.

The accounting schemes named default0 and default1 are set by default on the NE80E/
40E. They can be modified but cannot be deleted.

l By default, the accounting mode of default0 is non-accounting.
l By default, the accounting mode of default1 and of a user-defined accounting scheme is
RADIUS accounting.

Step 4 Run:
accounting-mode { hwtacacs | none | radius }

An accounting mode is set.

The NE80E/40E supports RADIUS accounting, HWTACACS accounting, and non-accounting.

Step 5 (Optional) Run:
accounting interim interval interval [ second ]

Real-time accounting is configured.

Real-time accounting means that the NE80E/40E periodically generates accounting packets
and sends them to the remote accounting server while a user is online. Real-time accounting
minimizes the loss of accounting information when the communication between the NE80E/40E
and the remote server is interrupted.

The interval for real-time accounting can be in minutes or seconds. By default, the unit of the
interval is minute.

Step 6 (Optional) Run:
accounting start-fail { offline | online }

The policy for handling the accounting start failure is configured.

If the NE80E/40E does not receive any response after sending an accounting start packet to the
remote accounting server, the NE80E/40E adopts the policy for the accounting start failure. This
policy may keep the user online or log the user out.

By default, the NE80E/40E logs the user out when the accounting fails to start.

Step 7 (Optional) Run:
accounting interim-fail [ max-times times ] { offline | online }

The policy for the real-time accounting failure is configured.


If the NE80E/40E does not receive any response after re-sending the real-time accounting
packets to the remote accounting server a certain number of times, the NE80E/40E adopts the
policy for the real-time accounting failure. This policy may keep the user online or log the user out.

By default, the number of retransmission times for real-time accounting packets is 3. When the
real-time accounting fails, the NE80E/40E keeps the user online.

Step 8 (Optional) Run:
accounting send-update

The NE80E/40E is configured to send real-time accounting packets immediately after receiving
the accounting start response.

After receiving the accounting response, the NE80E/40E determines whether to send the real-
time accounting packet immediately according to the configuration.

By default, the NE80E/40E does not send any real-time accounting packet immediately after
receiving an accounting response.

----End

1.2.6 (Optional) Configuring a Recording Scheme


The recording function is applicable only when HWTACACS is adopted. The commands that
have been used, number of connection times, and system events can be recorded.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
recording-scheme recording-scheme-name

A recording scheme is created and the recording scheme view is displayed.

By default, no recording scheme exists.

Step 4 Run:
recording-mode hwtacacs template-name

The recording mode is configured.

By default, the recording scheme is not associated with the HWTACACS template.

Step 5 Run:
quit


Return to the AAA view.


Step 6 (Optional) Run:
cmd recording-scheme recording-scheme-name

The commands that have been used on the router are recorded.
Step 7 (Optional) Run:
outbound recording-scheme recording-scheme-name

Information about the connections is recorded.


Step 8 Run:
system recording-scheme recording-scheme-name

The system events are recorded.

----End

1.2.7 Checking the Configuration


When an AAA scheme is configured, you can view the configuration of AAA, the recording
scheme, and basic information about online users.

Prerequisite
The configurations of the AAA schemes are complete.

Procedure
l Run the display aaa configuration command to check brief information about AAA.
l Run the display accounting-scheme [ accounting-scheme-name ] command to check the
configuration about the accounting scheme.
l Run the display authentication-scheme [ authentication-scheme-name ] command to
check the configuration about the authentication scheme.
l Run the display authorization-scheme [ authorization-scheme-name ] command to check
the configuration about the authorization scheme.
l Run the display recording-scheme [ recording-scheme-name ] command to check the
configuration about the recording scheme.
l Run the display ip pool { global | domain domain-name } command to check the usage of
the address pool.
----End

Example
Run the display aaa configuration command. If brief information about AAA is displayed, it
means that the configuration succeeds. For example:
<HUAWEI> display aaa configuration
---------------------------------------------------------------------------
AAA configuration information :
---------------------------------------------------------------------------
Domain : total: 255 used: 2
Authentication-scheme : total: 16 used: 2
Authorization-scheme : total: 16 used: 2
Accounting-scheme : total: 128 used: 2
Recording-scheme : total: 128 used: 0
AAA-access-user : total: 384 used: 0
Access-user-state : authen: 0 author: 0 accounting: 0
---------------------------------------------------------------------------

Run the display authentication-scheme command. If information about the authentication
scheme is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display authentication-scheme scheme0
---------------------------------------------------------------------------
Authentication-scheme-name : scheme0
Authentication-method : Local authentication
Authentication-super method : Super authentication-super
---------------------------------------------------------------------------

Run the display authorization-scheme command. If information about the authorization
scheme is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display authorization-scheme scheme0
---------------------------------------------------------------------------
Authorization-scheme-name : scheme0
Authorization-method : Local authorization
Authorization-cmd level 0 : disabled
Authorization-cmd level 1 : disabled
Authorization-cmd level 2 : enabled ( Hwtacacs )
Authorization-cmd level 3 : disabled
Authorization-cmd level 4 : disabled
Authorization-cmd level 5 : disabled
Authorization-cmd level 6 : disabled
Authorization-cmd level 7 : disabled
Authorization-cmd level 8 : disabled
Authorization-cmd level 9 : disabled
Authorization-cmd level 10 : disabled
Authorization-cmd level 11 : disabled
Authorization-cmd level 12 : disabled
Authorization-cmd level 13 : disabled
Authorization-cmd level 14 : disabled
Authorization-cmd level 15 : disabled
Authorization-cmd no-response-policy : Online
---------------------------------------------------------------------------

Run the display accounting-scheme command. If information about the accounting scheme is
displayed, it means that the configuration succeeds. For example:
<HUAWEI> display accounting-scheme scheme0
---------------------------------------------------------------------------
Accounting-scheme-name : scheme0
Accounting-method : RADIUS accounting
Realtime-accounting-switch : Open
Realtime-accounting-interval(min) : 5
Start-accounting-fail-policy : Cut user
Realtime-accounting-fail-policy : Cut user
Realtime-accounting-failure-retries : 3
---------------------------------------------------------------------------

Run the display recording-scheme command. If information about the recording scheme is
displayed, it means that the configuration succeeds. For example:
<HUAWEI> display recording-scheme scheme0
---------------------------------------------------------------------------
Recording-scheme-name : scheme0
HWTACACAS-template-name : template0
---------------------------------------------------------------------------

Run the display ip pool global command. If brief information about usage of the address pool
is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display ip pool global

----------------------------------------------------------------------------
Pool-number Pool-start-addr Pool-end-addr Pool-length Used-addr-number
----------------------------------------------------------------------------
2 10.1.1.1 10.1.1.10 10 0
----------------------------------------------------------------------------
Total pool number: 1

1.3 Configuring a RADIUS Server


A RADIUS server must be configured to perform authentication and accounting by using
RADIUS.

Context
NOTE

The access-side RADIUS server cannot be configured on the X1 or X2 models of the NE80E/40E.

1.3.1 Establishing the Configuration Task


Before configuring a RADIUS server, you need to familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
When the RADIUS protocol is used for implementing AAA, you need to configure a RADIUS
server.

The NE80E/40E uses RADIUS server groups to manage RADIUS servers. A RADIUS server
group is a set of RADIUS servers that have the same attributes (except IP addresses and port
numbers) and work in either primary/secondary or load balancing mode.

NOTE

l There are default values for all RADIUS configurations. You can configure RADIUS as required.
l The RADIUS server group can be modified or deleted regardless of whether it is in use. Modifying or
deleting a RADIUS server group does not affect existing users.

Pre-configuration Tasks
None.

Data Preparation
To configure a RADIUS server, you need the following data.

No. Data

1 Name of the RADIUS server group

2 (Optional) Algorithm for selecting a RADIUS server

3 IP address and port number of the RADIUS authentication server

4 IP address and port number of the RADIUS accounting server


5 (Optional) Protocol version of the RADIUS server

6 (Optional) Key of the RADIUS server

7 (Optional) User name format adopted by the RADIUS server

8 (Optional) Traffic unit of the RADIUS server

9 (Optional) Response timeout period for the RADIUS server and number of the
retransmission times for RADIUS packets

10 (Optional) RADIUS attributes to be disabled

11 (Optional) Source RADIUS attributes, target RADIUS attributes in translation, and
option of enabling the RADIUS attribute translation function

12 (Optional) Option of carrying the CAR value in the Class attribute of RADIUS
packets

13 (Optional) IP address of the RADIUS authorization server, VPN instance, shared
key, RADIUS server group to which the RADIUS authorization server belongs, and
time of retaining the authorization response

14 (Optional) Number of response failures used to determine whether the RADIUS
server is abnormal and time before the RADIUS server is restored to the Up state

15 (Optional) Number of extended source ports of the RADIUS server and number of
the start extended source port

1.3.2 Creating a RADIUS Server Group


A RADIUS server group is composed of RADIUS servers with the same attributes (excluding
the IP addresses and port numbers). These RADIUS servers work in either master/slave or load
balancing mode.

Context
You can create up to 128 RADIUS server groups on the router.

Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server group group-name

A RADIUS server group is created.


After the RADIUS server group is created, the system displays the RADIUS server group view.
If a RADIUS server group already exists, you can enter the RADIUS server group view directly.

----End

1.3.3 Configuring RADIUS Authentication and Accounting Servers


If one server is used for both authentication and accounting, different interfaces should be used
for authentication and accounting.

Context
To configure RADIUS authentication and accounting servers, you need to set the following
parameters:

l IP addresses of the authentication and accounting servers


l VPN instance to which the authentication and accounting servers belong (public being the
default value for the VPN instance)
l Port numbers of the authentication and accounting servers (1812 and 1813 by default)
l Weights of the authentication and accounting servers (applicable only to the load balancing
mode with the default value being 0)
NOTE

The RADIUS authentication and accounting servers can use the same IP address. This means that a server
can function as both an authentication server and an accounting server.

Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Run:
radius-server authentication { ip-address [ vpn-instance instance-name ] | ipv6-address } port [ weight weight-value ]

A RADIUS authentication server is configured.

Step 4 Run:
radius-server accounting { ip-address [ vpn-instance instance-name ] | ipv6-address } port [ weight weight-value ]

A RADIUS accounting server is configured.

Step 5 (Optional) Run:
radius-server accounting-stop-packet resend [ resend-times ]

The number of times the accounting-stop packet is retransmitted is configured.


By default, accounting-stop packets are not retransmitted.

----End

1.3.4 (Optional) Configuring the Algorithm for Selecting a RADIUS Server

When there is more than one authentication or accounting server in a RADIUS server group,
you can specify either the load balancing or master/backup mode for these RADIUS servers.

Context
When multiple authentication or accounting servers are configured in the RADIUS server group,
you can configure the algorithm for selecting the RADIUS servers. The algorithm of selecting
the RADIUS server can be load balancing or master/backup.

l Load balancing: The NE80E/40E allocates the load according to the weight of each server.
l Master/backup: The first configured server functions as the master server, and the others
function as slave servers.
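A model of how a RADIUS server group picks a server under the two algorithms described above, added here as an example and not Huawei's code. Huawei's exact scheduling is not on the page; loading-share is modelled as a smooth weighted round-robin (assumption) and master/backup as "first configured server that is Up", with Down servers skipped by both.

```python
"""Model of RADIUS server selection in a server group. Added example, not Huawei code;
the weighted round-robin used for loading-share is an assumption."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class RadiusServer:
    ip: str
    port: int = 1812   # default authentication port on the page (1813 for accounting)
    weight: int = 0    # page default; only meaningful for loading-share
    up: bool = True    # a server marked Down is skipped by both algorithms
    credit: int = 0    # scheduling state for the weighted round-robin


class RadiusServerGroup:
    ALGORITHMS = ("loading-share", "master-backup")

    def __init__(self, name: str, algorithm: str = "master-backup"):
        # master-backup is the default algorithm named on the page
        if algorithm not in self.ALGORITHMS:
            raise ValueError(f"algorithm must be one of {self.ALGORITHMS}")
        self.name = name
        self.algorithm = algorithm
        self.servers: list[RadiusServer] = []  # configuration order = priority

    def add(self, server: RadiusServer) -> None:
        self.servers.append(server)

    def select(self) -> Optional[RadiusServer]:
        """Pick the server for the next request, or None if no server is Up."""
        candidates = [s for s in self.servers if s.up]
        if not candidates:
            return None
        if self.algorithm == "master-backup":
            return candidates[0]  # first configured Up server; the rest are backups
        return self._weighted_round_robin(candidates)

    @staticmethod
    def _weighted_round_robin(candidates: list[RadiusServer]) -> RadiusServer:
        # Smooth weighted round-robin: every pick credits each server its weight,
        # the highest credit wins and is debited the total weight.
        weighted = [s for s in candidates if s.weight > 0]
        if not weighted:
            return candidates[0]  # all weights left at the default 0: nothing to share
        total = sum(s.weight for s in weighted)
        for s in weighted:
            s.credit += s.weight
        best = max(weighted, key=lambda s: s.credit)
        best.credit -= total
        return best


def distribution(group: RadiusServerGroup, requests: int) -> Counter:
    """Count how many of `requests` picks land on each server IP ('none' if no server)."""
    counts: Counter = Counter()
    for _ in range(requests):
        server = group.select()
        counts[server.ip if server else "none"] += 1
    return counts


if __name__ == "__main__":
    # Constructed group: two authentication servers with weights 3 and 1.
    group = RadiusServerGroup("grp1", "loading-share")
    group.add(RadiusServer("10.0.0.1", weight=3))
    group.add(RadiusServer("10.0.0.2", weight=1))
    print(distribution(group, 8))
    group.servers[0].up = False            # first server marked Down
    print(distribution(group, 4))
```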

Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Run:
radius-server algorithm { loading-share | master-backup }

The algorithm for selecting the RADIUS server is configured.

By default, the algorithm for selecting the RADIUS server is master/backup.

----End

1.3.5 (Optional) Configuring Negotiated Parameters of the RADIUS Server

A RADIUS server and the NE80E/40E must use the same RADIUS parameters and message
format to communicate.

Context
The negotiated parameters specify the conventions of the RADIUS protocol and message format
used for communication between the RADIUS server and the NE80E/40E. The negotiated
parameters are as follows:


l RADIUS protocol version
The NE80E/40E supports the standard RADIUS protocol, RADIUS+1.0, and RADIUS+1.1.
The IP Hotel server supports RADIUS+1.0.
The Portal server supports RADIUS+1.1.
l Key
The key is used to encrypt user passwords and generate the response authenticator. The
RADIUS server encrypts the user password into an authentication packet by using the MD5
algorithm before sending the packet. This ensures the security of authentication data over
the network.
The key on the NE80E/40E must be the same as that on the RADIUS server so that both
parties of the authentication identify each other. The key is case sensitive.
l User name format
On the NE80E/40E, a user name is in the format of user@domain. Certain RADIUS servers
do not support the user names that contain domain names. Therefore, you must set the
format of the user name that the NE80E/40E sends to the RADIUS server according to
whether the user name containing the domain name is supported on the RADIUS server.
l Traffic unit
The traffic units used by different RADIUS servers may be different. The NE80E/40E
supports four traffic units of byte, Kbyte, Mbyte, and Gbyte to meet requirements of various
RADIUS servers.
l Retransmission parameters
After sending a packet to the RADIUS server, if no response is returned within the specified
time, the NE80E/40E resends the packet. In this manner, authentication or accounting
information will not be lost due to temporary congestion on the network.
Retransmission parameters of the RADIUS server include the timeout period and the
number of retransmission times.
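The role of the shared key described above, worked through in Python as an added example (not Huawei's code): the standard RADIUS (RFC 2865) MD5-based User-Password hiding and Response Authenticator, which is why the key must match on both sides and is case sensitive. The packet builders, the password and the request authenticator here are constructed for the example.

```python
"""Standard RADIUS (RFC 2865) shared-key operations: User-Password hiding and the
Response Authenticator. Added example, not Huawei code."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS packet codes (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20                        # code(1) id(1) length(2) authenticator(16)


def hide_password(password: bytes, shared_key: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(key + previous ciphertext block); the first "previous block" is the
    Request Authenticator. Passwords longer than 128 bytes are not allowed."""
    if len(request_authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("bad request authenticator or password length")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(shared_key + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, shared_key: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the server does); trailing NUL padding is removed,
    so passwords ending in NUL bytes are not supported by this model."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(shared_key + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def _tlv(attr_type: int, value: bytes) -> bytes:
    # RADIUS attribute: type(1) length(1, includes the 2 header bytes) value
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, user_name: bytes, password: bytes,
                         shared_key: bytes, request_authenticator: bytes) -> bytes:
    """Access-Request carrying User-Name (e.g. user@domain) and a hidden User-Password."""
    attrs = _tlv(ATTR_USER_NAME, user_name) + \
        _tlv(ATTR_USER_PASSWORD, hide_password(password, shared_key, request_authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_authenticator + attrs


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_authenticator: bytes, shared_key: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + shared_key).digest()


def build_response(code: int, identifier: int, attributes: bytes,
                   request_authenticator: bytes, shared_key: bytes) -> bytes:
    """What the server sends back, e.g. an Access-Accept."""
    auth = response_authenticator(code, identifier, attributes, request_authenticator, shared_key)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes)) + auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, shared_key: bytes) -> bool:
    """NAS-side check: a response is accepted only if its authenticator was computed
    with the same key over the same request authenticator."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[HEADER_LEN:],
                                      request_authenticator, shared_key)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


if __name__ == "__main__":
    # Constructed values: a fixed request authenticator and the page's default key.
    req_auth = bytes(range(16))
    key = b"huawei"
    req = build_access_request(7, b"user@hua", b"p@ssw0rd-longer-than-16b", key, req_auth)
    resp = build_response(ACCESS_ACCEPT, 7, b"", req_auth, key)
    print(len(req), verify_response(resp, req_auth, key), verify_response(resp, req_auth, b"Huawei"))
```

A response signed with a key differing only in case fails verification, which is the practical meaning of "the key is case sensitive" above.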
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
radius-server group group-name

The RADIUS server group view is displayed.


Step 3 Run:
radius-server type { standard | plus10 | plus11 }

The protocol version of the RADIUS server is configured.


By default, the RADIUS server uses the standard RADIUS protocol.
Step 4 Run:
radius-server shared-key key-string [ authentication | accounting ] ip-address
[ vpn-instance instance-name ] port-number [ weight weight ]


The key of the RADIUS server is configured.


You can configure a key on the NE80E/40E for each RADIUS server.
By default, the key of the RADIUS server is huawei. This default is publicly documented, so replace it with a long, site-specific key on both the NE80E/40E and the RADIUS server before the server is put into service.
Step 5 Run:
radius-server user-name { domain-included | original }

The format of the user name contained in the RADIUS packets is configured.
By default, the user name on the RADIUS server contains the domain name.
Step 6 Run:
radius-server traffic-unit { byte | gbyte | kbyte | mbyte }

The traffic unit of the RADIUS packets is configured.


This command is invalid for the RADIUS servers that do not measure traffic by bytes and the
RADIUS servers that use the standard RADIUS protocol.
By default, the traffic unit used by the RADIUS server is byte.
Step 7 Run:
radius-server timeout timeout-value

The response timeout period for RADIUS packets is set.


By default, the response timeout period is 5 seconds.
Step 8 Run:
radius-server retransmit retry-times

The number of times a RADIUS packet is retransmitted after the timeout period expires is set.


By default, the number of retransmission times is 3.
Step 9 Run:
radius-attribute agent-circuit-id format { cn | tr-101 }

The format of the Agent-Circuit-Id attribute carried in RADIUS packets sent to the upstream device is set, either the cn format or the DSL Forum TR-101 format.
By default, the Agent-Circuit-Id attribute is sent in the cn format.
Step 10 Run:
radius-server calling-station-id include option82

The method of constructing standard RADIUS attribute 31 (Calling-Station-Id) is set: the DHCP option 82 information is included in the attribute.


By default, no method of constructing RADIUS attribute 31 is configured.

----End

1.3.6 (Optional) Disabling RADIUS Attributes


You must enable RADIUS attribute translation before disabling RADIUS attributes.

Context
This function is configured for a RADIUS server group and takes effect on only the RADIUS
servers in this group. You can disable up to 64 attributes in a RADIUS server group.


You can disable the RADIUS attributes of both the sender and receiver on the NE80E/40E.

Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Run:
radius-server attribute translate

RADIUS attribute translation is enabled.

Step 4 Run:
radius-attribute disable attribute-name { { access-accept | access-request | account } * | { receive | send } * }

The RADIUS attributes are disabled.

Or, run:
radius-attribute disable extend attribute-description { access-accept | { access-request | account } * }

The extend RADIUS attributes are disabled.

----End

1.3.7 (Optional) Configuring RADIUS Attribute Translation


The NE80E/40E can communicate with RADIUS servers from different vendors through the
RADIUS attribute translation function.

Context
RADIUS servers from various vendors support different RADIUS attributes, and the vendors
also define RADIUS attributes in different manners. This makes interconnection between the
NE80E/40E and RADIUS servers more difficult.

To address this problem, the NE80E/40E provides the attribute translation function. After the
attribute translation function is configured, the NE80E/40E can encapsulate or parse src-
attribute by using the format of dest-attribute when transmitting or receiving RADIUS packets.
By doing this, the NE80E/40E can communicate with different types of RADIUS servers.

This function is usually applied when one attribute has multiple formats. For example, the nas-port-id attribute has a new format and an old format. The NE80E/40E uses the new format. If the RADIUS server uses the old format, you can run the radius-attribute translate nas-port-id nas-port-identify-old receive send command on the NE80E/40E. Do as follows on the router:


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
radius-server group group-name

The RADIUS server group view is displayed.


Step 3 Run:
radius-server attribute translate

RADIUS attribute translation is enabled.


Step 4 Run:
radius-attribute translate src-attr-description dest-attr-description { { access-accept | access-request | account } * | { receive | send } * }

Or, run:
radius-attribute translate extend src-attr-description dest-attr-description { access-accept | { access-request | account } * }

RADIUS attribute translation is configured.


Using the radius-attribute translate extend command configures translation of private
RADIUS attributes.

NOTE

You can configure translation of up to 64 attributes on the NE80E/40E.

----End

1.3.8 (Optional) Configuring the Tunnel Password Delivery Mode


The RADIUS server supports a tunnel password in cipher text or plain text.

Context
The RADIUS protocol specifies that the RADIUS server must deliver the tunnel password in
cipher text. Most RADIUS servers, however, do not conform to this specification. Therefore,
the NE80E/40E supports configuration of the tunnel password delivery mode so that the NE80E/
40E can communicate with various types of RADIUS servers.
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
radius-server group group-name


The RADIUS server group view is displayed.

Step 3 Run:
radius-attribute tunnel-password { cipher | simple }

The mode in which the RADIUS server delivers the tunnel password is configured.

By default, the NE80E/40E requires the RADIUS server to deliver the tunnel password in cipher
text.

----End
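The following is an added example and is not code from the Huawei guide or from the NE80E/40E. It is a Python model of what the RADIUS key described under "Key" in 1.3.5 and the cipher-text tunnel password of 1.3.8 do to the bytes on the wire: the User-Password hiding and Response Authenticator of RFC 2865, and the Tunnel-Password encryption of RFC 2868. It shows that a key mismatch surfaces as a failed Response Authenticator check on the NE80E/40E side and as garbage recovered from the hidden password on the server side. All function names, the sample user name, passwords, salt and the fixed Request Authenticator are constructed for the example; the key huawei is the page's documented default and is used only as sample input.

```python
# Added example, not from the Huawei guide: what the RADIUS shared key does on the
# wire. Implements RFC 2865 User-Password hiding and the Response Authenticator
# (the "Key" item of 1.3.5) and RFC 2868 Tunnel-Password encryption (1.3.8).
# All inputs are constructed; "huawei" is the page's documented default key.
import hashlib
import hmac
import os
import struct

SECRET = b"huawei"  # constructed sample key (the page's default); never keep it in production

def md5_chain(data: bytes, secret: bytes, seed: bytes, decrypt: bool) -> bytes:
    """Chained MD5 keystream shared by RFC 2865 5.2 and RFC 2868 3.5.
    Block i is XORed with MD5(secret + previous *ciphertext* block); block 1 uses seed."""
    out, prev = bytearray(), seed
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        xored = bytes(x ^ y for x, y in zip(block, pad))
        out += xored
        prev = block if decrypt else xored  # the ciphertext block in both directions
    return bytes(out)

def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: NUL-pad to a multiple of 16 bytes, seed = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    return md5_chain(padded, secret, request_auth, decrypt=False)

def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same chain in reverse, then strip the NUL padding."""
    return md5_chain(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")

def encrypt_tunnel_password(password: bytes, secret: bytes, request_auth: bytes, salt: bytes) -> bytes:
    """Server side: 2-byte salt (high bit set) + chain over (length byte + password)."""
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    return salt + md5_chain(plain, secret, request_auth + salt, decrypt=False)

def decrypt_tunnel_password(field: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: the first recovered byte is the password length."""
    salt, body = field[:2], field[2:]
    plain = md5_chain(body, secret, request_auth + salt, decrypt=True)
    return plain[1:1 + plain[0]]

def encode_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(raw: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(raw):
        attr_type, length = raw[i], raw[i + 1]
        attrs[attr_type] = raw[i + 2:i + length]
        i += length
    return attrs

def response_auth(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_request(ident, username, password, secret, request_auth=None):
    request_auth = request_auth or os.urandom(16)  # fresh random bytes for every request
    attrs = encode_attr(1, username) + encode_attr(2, hide_user_password(password, secret, request_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs

def server_decode_request(pkt, secret):
    """Server side: (ident, request_auth, user_name, password) using the server's copy of the key."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 1 or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    request_auth = pkt[4:20]
    attrs = parse_attrs(pkt[20:length])
    return ident, request_auth, attrs[1], reveal_user_password(attrs[2], secret, request_auth)

def build_access_accept(ident, request_auth, secret, attrs=b""):
    auth = response_auth(2, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", 2, ident, 20 + len(attrs)) + auth + attrs

def verify_response(resp, request_auth, secret) -> bool:
    """NAS side: fails when either end has a different key, which is how a key mismatch shows up."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    expected = response_auth(code, ident, resp[20:length], request_auth, secret)
    return hmac.compare_digest(resp[4:20], expected)
```

A captured Access-Request plus a guessable key is all an attacker needs to run reveal_user_password offline, which is why the key must be long and random and why the default should never survive into production. The Tunnel-Password attribute (type 69) carries a one-byte Tag before the salt and encrypted string; the tag byte is outside the encryption and is skipped before calling decrypt_tunnel_password.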

1.3.9 (Optional) Configuring the Class Attribute to Carry the CAR Value

You can configure the Class attribute to carry or not to carry the committed access rate (CAR)
value to ensure the communication between the NE80E/40E and RADIUS servers from different
vendors.

Context
As specified in the standard RADIUS protocol, the Class attribute carried in an access accept
packet sent from the RADIUS server to the client must be returned to the accounting server
without any change in an accounting request packet.

The NE80E/40E extends the standard RADIUS protocol by adding the CAR value to the Class
attribute (RADIUS attribute 25).

Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Run:
radius-server class-as-car [ enable-pir ]

The Class attribute is configured to carry the CAR value.

By default, the Class attribute does not carry any CAR value.

NOTE

To meet the requirements of various RADIUS servers, the NE80E/40E can use either RADIUS attribute 25 (Class) or RADIUS attribute 26 (Vendor-Specific) to send the CAR value to the RADIUS server. The preceding command configures how RADIUS attribute 25 is used to send the CAR value.

----End


1.3.10 (Optional) Configuring the Format of the NAS-Port Attribute


You can configure different formats of the NAS-Port attribute so that the NE80E/40E can
communicate with RADIUS servers from different vendors.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
radius-server group group-name

The RADIUS server group view is displayed.


Step 3 Run:
radius-server format-attribute { nas-port format-string | nas-port-id vendor vendor-id }

The format of the NAS-Port attribute and format of the NAS-Port-Id attribute are configured.

NOTE

When configuring the format of the NAS-Port-Id attribute, note the following:
l If the vendor ID is 2352, the NE80E/40E encapsulates the NAS-Port-Id attribute by using the default
format defined by Redback.
l If the vendor ID is 2636, the NE80E/40E encapsulates the NAS-Port-Id attribute by using the default
format defined by Juniper.
l If the vendor ID is 9, the NE80E/40E encapsulates the NAS-Port-Id attribute by using the default format
defined by Cisco.
l For other vendors, the NE80E/40E encapsulates the NAS-Port-Id attribute by using the original format.

----End

1.3.11 (Optional) Configuring the Source Interface of a RADIUS Server


When the NE80E/40E connects to multiple RADIUS servers, you can configure a source interface for the RADIUS servers on the NE80E/40E so that the packets sent to each server carry a fixed, predictable source address. A RADIUS server identifies its client by that source address, so the address of the source interface must match the client entry configured on the server.

Context
On the NE80E/40E, you can configure the interface that connects to a RADIUS server as the
source interface of the RADIUS server. On the NE80E/40E, you can configure the source
interface in the system view or in the view of a RADIUS server group. Thus, the RADIUS servers
in the RADIUS server group use this source interface to interact with the NE80E/40E. If the
source interface of the RADIUS server group is not configured, the RADIUS servers use the
global source interface.


Do as follows on the router:

Procedure
l Configure the global source interface of all RADIUS servers in all RADIUS server groups.
1. Run:
system-view

The system view is displayed.


2. Run:
radius-server source interface interface-type interface-number

The global source interface of all the RADIUS servers is configured.


l Configure the source interface of a specified RADIUS server group.
1. Run:
system-view

The system view is displayed.


2. Run:
radius-server group group-name

The RADIUS server group view is displayed.


3. Run:
radius-server source interface interface-type interface-number

The source interface of the RADIUS server group is configured.

----End

1.3.12 (Optional) Configuring a RADIUS Authorization Server


You can configure multiple RADIUS authorization servers to authorize users who use dynamic
services.

Context
You need to configure a RADIUS authorization server for a dynamic service so that the RADIUS
server can dynamically authorize a user when the user uses the dynamic service.

Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server authorization ip-address [ vpn-instance instance-name ] { shared-key key | server-group groupname } * [ ack-reserved-interval interval ]

The global RADIUS authorization server is configured.


To answer a retransmitted request from the RADIUS authorization server with the retained response instead of processing the request a second time, set ack-reserved-interval, the period for which the NE80E/40E retains an authorization response, when configuring the RADIUS authorization server.

----End

1.3.13 (Optional) Setting the Status Parameters of a RADIUS Server


You can configure the status parameters of a RADIUS server on the NE80E/40E to monitor the
RADIUS server status.

Context
The configuration is valid for all RADIUS servers.

Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server { dead-count times | dead-interval interval | dead-time time }

The parameters used to determine the status of the RADIUS server are set.

By default, the NE80E/40E considers a RADIUS server abnormal when the server fails to respond to 10 consecutive packets (dead-count) and these unanswered packets span more than 5 seconds (dead-interval). The NE80E/40E then waits for 3 minutes (dead-time) before restoring the status of the RADIUS server.

Specifically, if the NE80E/40E receives no response to the number of consecutive packets specified by dead-count, and the interval between the first and the last of these unanswered packets is longer than dead-interval, the NE80E/40E determines that the RADIUS server works abnormally and changes the status of the RADIUS server to Down. Both conditions must hold, so a short burst of lost packets does not by itself mark the server Down.

After setting the status of the RADIUS server to Down, the NE80E/40E waits for the period specified by dead-time before setting the status of the RADIUS server back to Up and attempting to re-establish communication with the server. If the server still does not respond, the NE80E/40E sets the status of the RADIUS server to Down again.

----End
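The following is an added example and is not code from the Huawei guide or from the NE80E/40E. It is a Python model of the per-server timers the page describes: the response timeout and retransmission count of 1.3.5 (steps 7 and 8) and the dead-count, dead-interval and dead-time status parameters of this section, driven by a caller-supplied clock so the behaviour can be checked offline. The class and method names are constructed for the example, and one modelling choice is an assumption the page does not settle: every transmission (first send or retransmission) that receives no reply is counted towards dead-count.

```python
# Added example, not from the Huawei guide: a model of the per-server timers the
# page describes, namely radius-server timeout / retransmit (1.3.5, steps 7-8) and
# radius-server dead-count / dead-interval / dead-time (1.3.13). Times are seconds
# on a caller-supplied clock. Whether the real device counts retransmissions or
# whole requests towards dead-count is not stated on the page; this model counts
# every transmission that gets no reply (an assumption).

class RadiusServerMonitor:
    """Tracks one RADIUS server from the client's (NAS's) point of view."""

    def __init__(self, timeout=5.0, retransmit=3, dead_count=10,
                 dead_interval=5.0, dead_time=180.0):   # the page's defaults
        self.timeout, self.retransmit = timeout, retransmit
        self.dead_count, self.dead_interval, self.dead_time = dead_count, dead_interval, dead_time
        self.pending = {}       # ident -> [time of last transmission, transmissions so far]
        self.unanswered = []    # transmission times of the current run of unanswered packets
        self.down_since = None  # time at which the server was declared Down, or None

    def send(self, ident, now):
        """First transmission of a request (Access-Request or Accounting-Request)."""
        self.pending[ident] = [now, 1]

    def on_response(self, ident, now):
        """Any valid reply clears the pending request and ends the unanswered run."""
        self.pending.pop(ident, None)
        self.unanswered.clear()

    def tick(self, now):
        """Drive the timers. Returns [(ident, 'resend' | 'give-up'), ...]."""
        actions = []
        for ident, rec in list(self.pending.items()):
            last_sent, sends = rec
            if now - last_sent < self.timeout:
                continue
            self._record_unanswered(last_sent, now)
            if sends <= self.retransmit:        # retransmit N means 1 + N transmissions in total
                rec[0], rec[1] = now, sends + 1
                actions.append((ident, "resend"))
            else:
                del self.pending[ident]
                actions.append((ident, "give-up"))
        return actions

    def _record_unanswered(self, sent_at, now):
        self.unanswered.append(sent_at)
        # Down only when dead-count consecutive packets went unanswered AND they span
        # more than dead-interval: a short burst of losses is not a dead server.
        if (len(self.unanswered) >= self.dead_count
                and self.unanswered[-1] - self.unanswered[0] > self.dead_interval):
            self.down_since = now
            self.unanswered.clear()

    def status(self, now):
        if self.down_since is None:
            return "UP"
        if now - self.down_since >= self.dead_time:
            self.down_since = None   # dead-time elapsed: the server is tried again
            return "UP"
        return "DOWN"
```

With the defaults, one request that is never answered costs 1 + 3 transmissions and 20 seconds before the NE80E/40E gives up on it, and it takes ten such unanswered transmissions spread over more than 5 seconds before the server is marked Down; tune dead-count and dead-interval together, since either condition alone is not enough.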

1.3.14 (Optional) Configuring the Extended Source Ports of a RADIUS Server


If you do not want to use only the default UDP source ports to send and receive RADIUS packets, you can configure extended source ports for the RADIUS server.


Context
After you configure extended source ports, the NE80E/40E can send more RADIUS packets to the server in a given period of time: each UDP source port has its own 8-bit Identifier space, so every additional source port allows another 256 outstanding requests towards the server.

After the configuration, the NE80E/40E sends RADIUS packets from the extended source ports. The first half of the extended source ports are used to send and receive RADIUS authentication packets, and the second half are used to send and receive RADIUS accounting packets. If an odd number of extended source ports is configured, the authentication ports outnumber the accounting ports by one. Make sure the RADIUS server and any firewall in the path accept requests from the whole port range.

Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server extended-source-ports [ start-port start-port-number ] port-number port-number

The extended source ports of the RADIUS server are configured.

By default, no extended source ports are configured. In this case, the NE80E/40E uses UDP port 1812 as the source port for RADIUS authentication packets and UDP port 1813 as the source port for RADIUS accounting packets.

NOTE

If you do not specify the start port number when configuring the extended source ports, the system automatically assigns the configured number of valid source ports.

----End

1.3.15 Checking the Configuration


After configuring a RADIUS server, you can view the server configurations, RADIUS attributes
supported by the system, and statistics on RADIUS packets.

Prerequisite
All the configurations of the RADIUS server are complete.

Procedure
l Run the display radius-server authorization configuration command to check the
configuration of the RADIUS authorization server.
l Run the display radius-server configuration [ group groupname ] command to check the
configuration of the RADIUS server group.
l Run the display radius-attribute [ name attribute-name | { type { 3gpp | dsl | huawei |
microsoft | redback | standard } [ attribute-number] } ] or display radius-attribute
[ attribute-name ] command to check the RADIUS attributes supported by the system.


l Run the display radius-client configuration command to check the configuration of all
RADIUS clients.
l Run the display radius-server packet ip-address ip-address [ vpn-instance ]
{ accounting | authentication } command to check the statistics about the packets on the
RADIUS server of a specified IP address.
----End

Example
Run the display radius-server authorization configuration command, and you can view the
configuration of the RADIUS authorization server.
<HUAWEI> display radius-server authorization configuration
-----------------------------------------------------------------------------
IP-Address Secret-key Group Ack-r
Reserved-interval
-----------------------------------------------------------------------------
192.168.7.100 huawei rd1 20
Vpn : --
-----------------------------------------------------------------------------
1 Radius authorization server(s) in total

Run the display radius-server configuration command, and you can view the configuration
of the RADIUS server group.
<HUAWEI> display radius-server configuration
RADIUS source interface : LoopBack20
RADIUS no response packet count : 30
RADIUS auto recover time(Min) : 100
RADIUS authentication source ports :
IPv4: 1812
IPv6: 1812
RADIUS accounting source ports :
IPv4: 1813
IPv6: 1813
-------------------------------------------------------
Server-group-name : chen
Authentication-server: IP:1.3.4.144 Port:1812 Weight[0] [UP]
Vpn: -
Accounting-server : IP:1.3.4.144 Port:1814 Weight[0] [UP]
Vpn: -
Protocol-version : radius
Shared-secret-key : huawei
Retransmission : 3
Timeout-interval(s) : 5
Acct-Stop-Packet Resend : NO
Acct-Stop-Packet Resend-Times : 0
-------------------------------------------------------
Are you sure to display next (y/n)[y]:y
-------------------------------------------------------
Server-group-name : huawei
Authentication-server: IP:10.1.1.1 Port:1820 Weight[50] [UP]
Vpn: -
Accounting-server : IP:10.1.1.1 Port:1823 Weight[0] [UP]
Vpn: -
Accounting-server : IP:10.1.1.2 Port:20 Weight[20] [UP]
Vpn: -
share-key: huawei
Protocol-version : radius
Shared-secret-key : huawei
Retransmission : 2
Timeout-interval(s) : 8
Acct-Stop-Packet Resend : YES
Acct-Stop-Packet Resend-Times : 100
-------------------------------------------------------
Total 2,2 printed


Run the display radius-attribute [ name attribute-name | { type { 3gpp | dsl | huawei |
microsoft | redback | standard } [ attribute-number ] } ]command, and you can view the
RADIUS attributes supported by the NE80E/40E of the current version.
<HUAWEI> display radius-attribute type standard 1
Radius Attribute Type : 1
Radius Attribute Name : User-Name
Radius Attribute Description : This Attribute indicates the name of the user to
be authenticated.
Supported Packets : Auth Request, Acct Request, Session Control, COA
Request, COA Ack

Run the display radius-client configuration command, and you can view the configuration of
all the RADIUS clients.
<HUAWEI> display radius-client configuration
--------------------------------------------------------------------------
IP-Address Secret-key Group
--------------------------------------------------------------------------
172.194.0.10 huawei sim3
172.194.0.20 huawei sim3
7.0.200.10 huawei sim3
1.1.1.1 1 xzn
Vpn : dsg
--------------------------------------------------------------------------
4 Radius client(s) in total

Run the display radius-server packet ip-address ip-address [ vpn-instance ] accounting command, and you can view the statistics about the accounting packets on the RADIUS server of a specified IP address.
<HUAWEI>display radius-server packet ip-address 74.1.1.2 accounting
Account Requests : 1 Account Retransmissions : 19
Account Responses : 0 Malformed Account Responses : 0
Bad Authenticators : 0 Pending Requests : 0
Timeouts : 20 Unknown Types : 0
Packets Dropped : 0

Run the display radius offline-sub-reason [ subcode subcode-number ] command to check the
user offline causes mapped to the numbers carried in the Accounting Stop packets sent to the
RADIUS server.
<HUAWEI> display radius offline-sub-reason subcode 1
------------------------------------------------------------------------------
Subcode description of offline sub reason
------------------------------------------------------------------------------
1 User request to offline
------------------------------------------------------------------------------

1.4 Configuring an HWTACACS Server


An HWTACACS server must be configured to perform authentication and accounting by using HWTACACS.

Context
NOTE

The access-side HWTACACS server cannot be configured on the X1 or X2 models of the NE80E/40E.


1.4.1 Establishing the Configuration Task


Before configuring an HWTACACS server, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
When the HWTACACS protocol is used for implementing AAA, you need to configure an
HWTACACS server.

NOTE

l The HWTACACS server template can be modified regardless of whether it is in use.


l By default, no authentication key is configured for an HWTACACS server.

Pre-configuration Tasks
None.

Data Preparation
To configure an HWTACACS server, you need the following data.

No. Data

1 Name of the HWTACACS server template

2 IP address and port number of the primary HWTACACS server for authentication, authorization, and accounting, and the VPN instance to be bound

3 IP address and port number of the secondary HWTACACS server for authentication, authorization, and accounting

4 Number of retransmission attempts of accounting stop packets, or whether retransmission is disabled

5 Source IP address of the HWTACACS server

6 (Optional) Key of the HWTACACS server

7 (Optional) Format of the user name supported by the HWTACACS server

8 (Optional) Traffic unit of the HWTACACS server

9 (Optional) Response timeout period of the HWTACACS server

10 (Optional) Time for the primary HWTACACS server to restore to the active state

1.4.2 Creating an HWTACACS Server Template


You must create an HWTACACS server template before configuring an HWTACACS server.


Context
Up to 128 HWTACACS server templates can be configured on the NE80E/40E.

Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

An HWTACACS server template is created and the HWTACACS server template view is
displayed.

If the HWTACACS server template already exists, this command directly displays the
HWTACACS server template view.

----End

1.4.3 Configuring HWTACACS Authentication/Authorization/Accounting Servers

Either the IP address of the primary authentication server must be different from that of the
secondary authentication server or the VPN instance bound to the primary authentication server
must be different from that bound to the secondary authentication server; otherwise, the
configuration of the HWTACACS server fails.

Context
Do as follows on the router:

Procedure
l Configure an HWTACACS authentication server.
1. Run:
system-view

The system view is displayed.


2. Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.


3. Run:
hwtacacs-server authentication ip-address [ port ] [ vpn-instance vpn-instance-name ]

The primary HWTACACS authentication server is configured.

By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0, and no VPN instance is bound to the primary HWTACACS authentication server.


4. Run:
hwtacacs-server authentication ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary

The secondary HWTACACS authentication server is configured.

By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0, and no VPN instance is bound to the secondary HWTACACS authentication server.
l Configure an HWTACACS authorization server.
1. Run:
system-view

The system view is displayed.


2. Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.


3. Run:
hwtacacs-server authorization ip-address [ port ] [ vpn-instance vpn-instance-name ]

The primary HWTACACS authorization server is configured.

By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0, and no VPN instance is bound to the primary HWTACACS authorization server.
4. Run:
hwtacacs-server authorization ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary

The secondary HWTACACS authorization server is configured.

By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0, and no VPN instance is bound to the secondary HWTACACS authorization server.
l Configure an HWTACACS accounting server.
1. Run:
system-view

The system view is displayed.


2. Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.


3. Run:
hwtacacs-server accounting ip-address [ port ] [ vpn-instance vpn-instance-name ]

The primary HWTACACS accounting server is configured.

By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0, and no VPN instance is bound to the primary HWTACACS accounting server.
4. Run:
hwtacacs-server accounting ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary


The secondary HWTACACS accounting server is configured.


By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0,
and no VPN instance is bound to the secondary HWTACACS accounting server.
----End

1.4.4 Configuring the Source IP Address of an HWTACACS Server


The source IP address of an HWTACACS server is the source IP address of the packet sent by
the NE80E/40E to the HWTACACS server.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.


Step 3 Run:
hwtacacs-server source-ip ip-address

The source IP address of the HWTACACS server is configured.


By default, the source IP address of the HWTACACS server is 0.0.0.0. In this case, the NE80E/
40E uses the IP address of the outbound interface as the source IP address of HWTACACS
packets.
After you specify a source IP address of HWTACACS packets, the specified address is used for
the communication between the NE80E/40E and the HWTACACS server.

----End

1.4.5 (Optional) Setting the Negotiated Parameters of the HWTACACS Server

An HWTACACS server and the NE80E/40E must use the same HWTACACS parameters and
message format to communicate.

Context
The negotiated parameters specify the conventions of the HWTACACS protocol and message
format used for communication between the HWTACACS server and the NE80E/40E. The
negotiated parameters are as follows:
l Key
The key improves security of communication between the NE80E/40E and the
HWTACACS server.


The key on the NE80E/40E must be the same as that on the HWTACACS server so that
both parties of the authentication identify each other.
The key is case sensitive.
l User name format
On the NE80E/40E, a user name is in the format of user@domain. When the HWTACACS
server does not identify the user name that contains the domain name, the NE80E/40E sends
the user name without the domain name to the HWTACACS server.
l Traffic unit
The NE80E/40E supports four traffic units of byte, Kbyte, Mbyte, and Gbyte to meet
requirements of various HWTACACS servers.
Do as follows on the router:

Procedure
l (Optional) Configure the key for the HWTACACS server.
1. Run:
system-view

The system view is displayed.


2. Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.


3. Run:
hwtacacs-server shared-key key-string

The key is configured for the HWTACACS server.


By default, the key of the HWTACACS server is null, so until a key is configured the packets exchanged with the server carry no key-based protection at all.
Setting the key of the HWTACACS server improves the security of the communication between the NE80E/40E and the HWTACACS server; configure a key before putting the server into service.

NOTE

To guarantee the validity of the authenticator and the authenticated, the router and the
HWTACACS server must be set with the same key.
l (Optional) Configure the user name format for the HWTACACS server.
1. Run:
system-view

The system view is displayed.


2. Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.


3. Run:
hwtacacs-server user-name domain-included

The user name format is configured for the HWTACACS server.


By default, the user name supported by the HWTACACS server contains the domain
name.


When the HWTACACS server does not identify the user name that contains the
domain name, you can configure the router to remove the domain name from the user
name before sending the user name to the HWTACACS server.

NOTE

The format of a user name is "user name@domain name."


l (Optional) Set the traffic unit for the HWTACACS server.
1. Run:
system-view

The system view is displayed.


2. Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.


3. Run:
hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit is set for the HWTACACS server.


By default, the traffic unit of the NE80E/40E is byte.
----End
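The following is an added example and is not code from the Huawei guide or from the NE80E/40E. It is a Python model of two of the negotiated parameters above: what the key does to an HWTACACS packet body, and what the user name format does to the name the NE80E/40E sends. It assumes that HWTACACS protects packet bodies the way TACACS+ does (the MD5 pseudo-pad XOR of RFC 8907 section 4.5); the page itself only states that the key improves security, so that assumption and all function names, the session ID, the sample user name, port and key are constructed for the example. The example also shows the consequence of the null default key: the body is sent as is.

```python
# Added example, not from the Huawei guide. Assumption: HWTACACS obfuscates the
# packet body like TACACS+ (RFC 8907 4.5), XORing it with a pseudo-pad of chained
# MD5 digests over session_id + key + version + seq_no. Inputs are constructed.
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01
VERSION = 0xC0          # TACACS+ major version 0xC, minor 0
TYPE_AUTHEN = 0x01

def tacacs_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Pseudo-pad: MD5(session_id | key | version | seq_no | previous digest), repeated."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: bytes, key: bytes, version=VERSION, seq_no=1) -> bytes:
    """XOR with the pad; the same call obfuscates and de-obfuscates. Empty key => body unchanged."""
    if not key:
        return body
    return bytes(b ^ p for b, p in zip(body, tacacs_pad(session_id, key, version, seq_no, len(body))))

def format_user_name(name: str, domain_included: bool) -> str:
    """The NE80E/40E stores user@domain; with the domain excluded only the user part is sent."""
    return name if domain_included else name.split("@", 1)[0]

def authen_start_body(user: bytes, port=b"Vlanif100", rem_addr=b"10.0.0.5", data=b"") -> bytes:
    """TACACS+ authentication START body: action=LOGIN(1), priv_lvl=0, authen_type=PAP(2), service=PPP(3)."""
    header = struct.pack("!BBBBBBBB", 1, 0, 2, 3, len(user), len(port), len(rem_addr), len(data))
    return header + user + port + rem_addr + data

def build_packet(body: bytes, session_id: bytes, key: bytes, version=VERSION, seq_no=1) -> bytes:
    """12-byte header + body; with no key the unencrypted flag is set and the body goes in clear."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if not key else 0x00
    header = struct.pack("!BBBBII", version, TYPE_AUTHEN, seq_no, flags,
                         int.from_bytes(session_id, "big"), len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)

def parse_packet(pkt: bytes, key: bytes) -> bytes:
    """Receiver side: recover the body with the receiver's copy of the key."""
    version, _ptype, seq_no, flags, sid, length = struct.unpack("!BBBBII", pkt[:12])
    body = pkt[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, sid.to_bytes(4, "big"), key, version, seq_no)
```

A wrong key on either side does not produce an error in the protocol itself; the receiver simply decodes garbage, which is why the page insists that both ends carry the same key. With the default null key the user name and the rest of the START body are readable by anyone on the path between the NE80E/40E and the server.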

1.4.6 (Optional) Configuring the Timers for the HWTACACS Server

You can configure the timers for the HWTACACS server to check whether the server works
properly. This configuration is required for network optimization.

Context
If the NE80E/40E sends a packet to the HWTACACS server but does not receive any response
within the specified time, the NE80E/40E considers the connection broken. The specified time
is the response timeout period of the HWTACACS server.

NOTE

HWTACACS is implemented based on TCP; therefore, the server response timeout or TCP timeout may
cause disconnection of the NE80E/40E from the HWTACACS server.

If the NE80E/40E determines that its connection with the primary HWTACACS server is
broken, the NE80E/40E waits for a period of time, and then re-connects to the primary server.
The specified time is the time for the primary HWTACACS server to restore to the active state.
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
hwtacacs-server template template-name


The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server timer response-timeout value

The response timeout period of the HWTACACS server is set.

By default, the response timeout period of the HWTACACS server is 5 seconds.

Step 4 Run:
hwtacacs-server timer quiet value

The time for the primary HWTACACS server to restore to the active state is set.

By default, the time for the primary HWTACACS server to restore to the active state is 5 minutes.

----End

1.4.7 (Optional) Configuring Retransmission of Accounting Stop Packets

Retransmission of accounting stop packets needs to be configured only when the network quality
is unsatisfactory.

Context
If HWTACACS accounting is used, the NE80E/40E generates an accounting stop packet after
a user logs out and then sends the packet to the HWTACACS server. If the connectivity of the
network is less than satisfactory, you can enable retransmission of accounting stop packets to
prevent the loss of accounting information.

Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server accounting-stop-packet resend { disable | enable number }

Retransmission of accounting stop packets is configured.

You can enable or disable retransmission of accounting stop packets and set the number of
retransmission times. By default, retransmission of accounting stop packets is enabled on the
NE80E/40E and the number of retransmission times is set to 100.

An accounting stop packet is used to instruct the HWTACACS server to stop accounting. If the
accounting server fails to receive the packet, it continues accounting.

In this case, the NE80E/40E can retransmit the accounting stop packets until the server receives
the packets or until the number of retransmission times reaches the threshold.

----End


1.4.8 (Optional) Configuring HWTACACS Users to Change Passwords

You can authorize HWTACACS users to change their passwords to simplify management.

Context
Do as follows on the router:

Procedure
Step 1 Run:
hwtacacs-user change-password hwtacacs-server template-name

The HWTACACS user is authorized to change the password.

NOTE

l Users can successfully log in to the device only when they pass HWTACACS authentication and also
the HWTACACS server template has been configured.
l Users can modify passwords only when the user names and passwords saved on the HWTACACS
server are still applicable.
l When the users with expired passwords log in to the device, the HWTACACS server returns an
authentication failure packet and these users cannot modify their passwords.

----End

1.4.9 Checking the Configuration


After configuring an HWTACACS server, you can view the configurations of the HWTACACS
server.

Prerequisite
All the configurations of the server template are complete.

Procedure
l Run the display hwtacacs-server template [ template-name [ verbose ] ] command to
check the configuration of the HWTACACS server template.
l Run the display hwtacacs-server accounting-stop-packet { all | number | ip ip-
address } command to check information about the accounting stop packets on the
HWTACACS server.
----End

Example
Run the display hwtacacs-server template command, and you can view information about the
HWTACACS server.
<HUAWEI> display hwtacacs-server template
-----------------------------------------------------------
HWTACACS-server template name : 123
Primary-authentication-server : 0.0.0.0:0:-
Primary-authorization-server : 0.0.0.0:0:-
Primary-accounting-server : 0.0.0.0:0:-
Secondary-authentication-server : 0.0.0.0:0:-
Secondary-authorization-server : 0.0.0.0:0:-
Secondary-accounting-server : 0.0.0.0:0:-
Current-authentication-server : 0.0.0.0:0:-
Current-authorization-server : 0.0.0.0:0:-
Current-accounting-server : 0.0.0.0:0:-
Source-IP-address : 0.0.0.0
Shared-key : -
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : Yes
Traffic-unit : B
-------------------------------------------------------------
Are you sure to display more information (y/n)[y]:y
-------------------------------------------------------------
HWTACACS-server template name : test1
Primary-authentication-server : 1.1.11.1:49:vpna
Primary-authorization-server : 0.0.0.0:0:-
Primary-accounting-server : 1.1.1.1:49:vpna
Secondary-authentication-server : 0.0.0.0:0:-
Secondary-authorization-server : 1.1.1.1:12:vpna
Secondary-accounting-server : 0.0.0.0:0:-
Current-authentication-server : 1.1.11.1:49:vpna
Current-authorization-server : 1.1.1.1:12:vpna
Current-accounting-server : 1.1.1.1:49:vpna
Source-IP-address : 1.1.1.1
Shared-key : -
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : Yes
Traffic-unit : B
-------------------------------------------------------------
Total 2,2 printed
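The following Python script is an added example; it is not part of this guide or of the NE80E/40E software. It parses output in the format of the display hwtacacs-server template command shown above (the embedded sample is an abridged, constructed copy of that output) and lists the settings an operator should review before binding a template to a domain: a role with no server configured, a server on a port other than the standard HWTACACS/TACACS+ TCP port 49, a template with no shared key, and a template with no source IP address. Treating "-" in the Shared-key field as "no key configured", and the wording of the findings, are the script's own assumptions.

```python
from dataclasses import dataclass

TACACS_PORT = 49  # standard TCP port for TACACS+/HWTACACS

# Constructed, abridged copy of the display hwtacacs-server template output above.
SAMPLE_OUTPUT = """\
HWTACACS-server template name : 123
Primary-authentication-server : 0.0.0.0:0:-
Primary-authorization-server : 0.0.0.0:0:-
Primary-accounting-server : 0.0.0.0:0:-
Secondary-authentication-server : 0.0.0.0:0:-
Secondary-authorization-server : 0.0.0.0:0:-
Secondary-accounting-server : 0.0.0.0:0:-
Source-IP-address : 0.0.0.0
Shared-key : -
-------------------------------------------------------------
HWTACACS-server template name : test1
Primary-authentication-server : 1.1.11.1:49:vpna
Primary-authorization-server : 0.0.0.0:0:-
Primary-accounting-server : 1.1.1.1:49:vpna
Secondary-authentication-server : 0.0.0.0:0:-
Secondary-authorization-server : 1.1.1.1:12:vpna
Secondary-accounting-server : 0.0.0.0:0:-
Source-IP-address : 1.1.1.1
Shared-key : -
-------------------------------------------------------------
Total 2,2 printed
"""


@dataclass
class Server:
    ip: str
    port: int
    vpn: str

    @property
    def configured(self) -> bool:
        # The router prints 0.0.0.0:0:- for a server entry that is not set.
        return self.ip != "0.0.0.0" and self.port != 0


def parse_server(value: str) -> Server:
    ip, port, vpn = value.split(":")  # ip:port:vpn-instance, IPv4 as printed above
    return Server(ip, int(port), vpn)


def parse_templates(text: str) -> list:
    """Split the display output into one dict per template."""
    templates = []
    current = None
    for line in text.splitlines():
        if " : " not in line:
            continue  # dashed separators, prompts and the Total footer
        key, _, value = line.partition(" : ")
        key, value = key.strip(), value.strip()
        if key == "HWTACACS-server template name":
            current = {"name": value, "servers": {}}
            templates.append(current)
        elif current is None:
            continue
        elif key.endswith("-server"):
            current["servers"][key] = parse_server(value)
        else:
            current[key] = value
    return templates


def audit_template(tpl: dict) -> list:
    """Return the review findings for one parsed template."""
    findings = []
    servers = tpl["servers"]
    for role in ("authentication", "authorization", "accounting"):
        primary = servers.get(f"Primary-{role}-server")
        secondary = servers.get(f"Secondary-{role}-server")
        if not any(s is not None and s.configured for s in (primary, secondary)):
            findings.append(f"no {role} server configured")
        for label, srv in (("primary", primary), ("secondary", secondary)):
            if srv is not None and srv.configured and srv.port != TACACS_PORT:
                findings.append(
                    f"{label} {role} server {srv.ip} uses non-standard port {srv.port}")
    # Assumption: '-' in Shared-key means no key is set. The shared key is what
    # protects the HWTACACS packet body between the router and the server.
    if tpl.get("Shared-key", "-") == "-":
        findings.append("no shared key configured")
    if tpl.get("Source-IP-address", "0.0.0.0") == "0.0.0.0":
        findings.append("no source IP address bound to the template")
    return findings


def audit_output(text: str) -> dict:
    """Map template name -> findings for a whole display output."""
    return {tpl["name"]: audit_template(tpl) for tpl in parse_templates(text)}
```

Calling audit_output on the sample reports every check for template 123, which has nothing configured, and two findings for test1: its secondary authorization server listens on port 12 rather than 49, and no shared key is set. The same function can be fed the command output captured from a device.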

1.5 Configuring Bill Saving


Saving bills on the local device provides a backup of the accounting records held by the remote
accounting server, so that accounting information is still available if the remote server fails.

Context
NOTE

Bill saving cannot be configured on the X1 or X2 models of the NE80E/40E.

1.5.1 Establishing the Configuration Task


Before configuring bill saving on the local device, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
The accounting information on the NE80E/40E is a backup of the accounting information on
the remote server. When an error occurs on the remote server, the CDRs are stored on the NE80E/
40E. In this manner, the accounting information will not be lost.

After bill saving is configured on the local device, the NE80E/40E saves the generated CDRs
to the cache first. Then, the cached CDRs are saved to either the CF card or the bill server by
using TFTP. The CDRs saved in the CF card can also be backed up to the bill server.


On the NE80E/40E, you can create or delete local CDR pools by using commands. Bill saving
can be configured on the local device only after a local CDR pool is created. If the local CDR
pool does not exist, this function does not take effect, and CDRs will not be backed up.

Pre-configuration Tasks
None.

Data Preparation
To configure bill saving on the local device, you need the following data.

No. Data

1 IP address of the CDR server and name of the CDR file

2 (Optional) Alarm thresholds for CDRs in the CF card and the cache

3 (Optional) Intervals for automatic backup of CDRs in the CF card and the cache

4 (Optional) Mode of backing up the cached CDRs

1.5.2 Creating a Local CDR Pool


You must create a local CDR pool before saving the bills to the local device.

Context
You can create or delete local CDR pools by running commands on the NE80E/40E. The local
CDRs can be saved only after a local CDR pool is created. When the local CDR pool is deleted,
the local CDRs in the pool are also deleted. Therefore, back up the local CDRs before deleting
the local CDR pool.
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
local-aaa-server

The local AAA server view is displayed.


Step 3 Run:
local-bill-pool enable

A local CDR pool is created.


By default, no local CDR pool exists on the NE80E/40E.

----End


1.5.3 Configuring the Backup Mode of Cached Bills


By default, the cached bills are backed up to the CF card. Due to limited capacity of the CF card,
the system allows you to back up the cached bills to another path.

Context
The cached bills can be backed up to the CF card or the bill server by using TFTP, or not backed
up.
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
local-aaa-server

The local AAA server view is displayed.


Step 3 Run:
local-bill cache backup-mode { cfcard | none | tftp }

The backup mode of the cached bills is configured.


By default, the cached bills are backed up to the CF card. When the number of cached bills
exceeds the alarm threshold, the system automatically backs up the cached bills to the CF card
and then clears the bills in the cache. Due to the limited capacity of the CF card, the system has
to back up the bills in the CF card to the bill server after a period of time. Directly backing up
cached bills to the bill server is recommended.

----End

1.5.4 (Optional) Backing up Bills in the CF Card to the Bill Server


Due to limited capacity of the CF card, it is recommended that you back up bills in the CF card
to the bill server to prevent the bills in the CF card from exceeding the alarm threshold and thus
causing accounting information loss.

Context
NOTE

By default, the cached bills are automatically backed up to the CF card. Due to limited capacity of the CF
card, you must back up the bills in the CF card to the bill server.

Do as follows on the router:

Procedure
l Configure the bill server.
1. Run:
system-view

The system view is displayed.


2. Run:
local-aaa-server

The local AAA server view is displayed.


3. Run:
bill-server ip-address filename file-name

The bill server is configured.


When configuring the bill server on the NE80E/40E, you need to specify the IP address
of the bill server and the prefix of the bill file names. The bill file names are in the
form of "prefix-time-sequence number.lam." Assume that the prefix of the bill file
names is "backupfile", the bills are backed up at 15:26 on 2005-03-15, and 10 bill files
are generated. The name of the fifth bill file is then
"backupfile-200503151526-5.lam."

NOTE

The NE80E/40E uses TFTP to upload the bills to the bill server. Therefore, a TFTP server program must
be running on the bill server, with a working directory specified to receive the bill files. TFTP provides
neither authentication nor encryption, so the bill server should be reachable only over a protected
management network.
l Set the alarm threshold for the CF card usage.
1. Run:
system-view

The system view is displayed.


2. Run:
local-aaa-server

The local AAA server view is displayed.


3. Run:
local-bill cfcard alarm-threshold threshold

The alarm threshold of the CF card usage is set.


The default alarm threshold of the CF card usage is 75%.
When the CF card usage exceeds the alarm threshold, the bills in the CF card need to be
backed up to the bill server either automatically or manually. By default, the bills are backed
up to the bill server automatically. This means that the system backs up the bills in the CF
card to the bill server automatically after a certain interval. If you intend to back up the
bills manually, run the local-bill cfcard backup [ file-name ] command. After that, when
the usage of the CF card exceeds the alarm threshold, the system sends an alarm to the
NMS and the terminal instructing you to manually back up the bills to the bill server.
l Set the intervals at which bills are backed up automatically.
1. Run:
system-view

The system view is displayed.


2. Run:
local-aaa-server

The local AAA server view is displayed.


3. Run:
local-bill cfcard backup-interval interval

The intervals at which bills are backed up automatically are set.


By default, the bills in the CF card are backed up at intervals of 1440 minutes.
l Back up the bills in the CF card to the bill server manually.
1. Run:
system-view

The system view is displayed.


2. Run:
local-aaa-server

The local AAA server view is displayed.


3. Run:
local-bill cfcard backup [ file-name ]

The bills in the CF card are backed up to the bill server manually
l (Optional) Clear all the bills in the CF card.
1. Run:
system-view

The system view is displayed.


2. Run:
local-aaa-server

The local AAA server view is displayed.


3. Run:
local-bill cfcard reset

All the bills in the CF card are cleared.


After this command is used, all the bills in the CF card are cleared and cannot be
restored.
----End

1.5.5 (Optional) Backing up the Bills in the Cache to the Bill Server
The capacities of the cache and the CF card are small; therefore, it is recommended that you
back up bills in the cache to the bill server.

Context
The NE80E/40E uses TFTP to upload the bills to the bill server. Therefore, a TFTP server program must
be running on the bill server, with a working directory specified to receive the bill files. Because TFTP
carries no authentication or encryption, expose the bill server only on a protected management network.
Do as follows on the router:

Procedure
l Configure the bill server.
1. Run:
system-view

The system view is displayed.


2. Run:
local-aaa-server

The local AAA server view is displayed.


3. Run:
bill-server ip-address filename file-name

The bill server is configured.


When configuring the bill server on the NE80E/40E, you need to specify the IP address
of the bill server and the prefix of the bill file names. On the NE80E/40E, the bill file
names are in the form of "prefix-time-sequence number.lam."
Assume that the prefix of the bill file names is "backupfile", the bills are backed up
at 15:26 on 2005-03-15, and 10 bill files are generated. The name of the fifth bill file
is then "backupfile-200503151526-5.lam."
l Set the alarm threshold for the cache usage.
1. Run:
system-view

The system view is displayed.


2. Run:
local-aaa-server

The local AAA server view is displayed.


3. Run:
local-bill cache alarm-threshold threshold

The alarm threshold for the cache usage is set.


The default alarm threshold for the cache usage is 75%.
The capacity of the cache is limited. Hence, when the cache usage exceeds the alarm
threshold, the bills in the cache need to be backed up to another location according to the
configured backup mode either automatically or manually. By default, the bills are backed
up automatically. This means that the system automatically backs up the bills to a specific
location after a certain period. If you intend to back up the bills manually, run the
local-bill cache backup command. After that, when the cache usage exceeds the alarm threshold,
the system sends an alarm to the NMS and the terminal instructing you to manually back
up the bills to the bill server or CF card.
l Set the intervals at which bills are backed up automatically.
1. Run:
system-view

The system view is displayed.


2. Run:
local-aaa-server

The local AAA server view is displayed.


3. Run:
local-bill cache backup-interval interval

The intervals at which bills are backed up automatically are set.


By default, the bills in the cache are backed up at intervals of 1440 minutes.
l Back up the bills in the cache to the bill server manually.
1. Run:
system-view

The system view is displayed.


2. Run:
local-aaa-server

The local AAA server view is displayed.


3. Run:
local-bill cache backup

The bills in the cache are manually backed up.


----End
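The following Python code is an added example and not part of this guide; it applies to the bill file names described in 1.5.4 and 1.5.5. It builds and parses names of the form prefix-time-sequence number.lam and, given a directory listing from the bill server, groups the files by backup run and reports sequence numbers that are absent, which is one way to notice that a file never arrived over TFTP. The directory listing is constructed for the example; that sequence numbers start at 1 within a run is an assumption drawn from the guide's example of the fifth of ten files being numbered 5.

```python
import re
from datetime import datetime

# File name layout from the guide: prefix-time-sequence number.lam, for example
# backupfile-200503151526-5.lam for the fifth file written at 15:26 on 2005-03-15.
TIME_FMT = "%Y%m%d%H%M"
FILE_RE = re.compile(r"^(?P<prefix>.+)-(?P<time>\d{12})-(?P<seq>\d+)\.lam$")


def bill_file_name(prefix, when, seq):
    """Build the name the router gives to bill file number `seq` of one backup run."""
    return f"{prefix}-{when.strftime(TIME_FMT)}-{seq}.lam"


def parse_bill_file_name(name):
    """Split a bill file name into (prefix, backup time, sequence number).

    The prefix itself may contain '-': the regex backtracks to the last
    '-<12 digits>-<number>.lam' so 'ne40e-bills-200503151526-12.lam' parses.
    """
    m = FILE_RE.match(name)
    if m is None:
        raise ValueError(f"not a bill file name: {name!r}")
    return m["prefix"], datetime.strptime(m["time"], TIME_FMT), int(m["seq"])


def find_missing(names):
    """Group bill files by backup run and report gaps in their sequence numbers.

    Assumption: numbering starts at 1 within a run. A gap means a file never
    reached the server or was removed afterwards; files missing after the
    highest number present cannot be detected this way.
    """
    runs = {}
    for name in names:
        prefix, when, seq = parse_bill_file_name(name)
        runs.setdefault((prefix, when), set()).add(seq)
    missing = {}
    for run, seqs in runs.items():
        gaps = sorted(set(range(1, max(seqs) + 1)) - seqs)
        if gaps:
            missing[run] = gaps
    return missing


def missing_in_listing(names):
    """Drop files that are not bill files, then run the gap check."""
    bill_files = []
    for name in names:
        try:
            parse_bill_file_name(name)
        except ValueError:
            continue  # e.g. a readme left in the TFTP working directory
        bill_files.append(name)
    return find_missing(bill_files)


# Constructed TFTP working-directory listing: one run of six files with number 4
# absent, plus an unrelated file that must be ignored.
SAMPLE_LISTING = [
    "backupfile-200503151526-1.lam",
    "backupfile-200503151526-2.lam",
    "backupfile-200503151526-3.lam",
    "backupfile-200503151526-5.lam",
    "backupfile-200503151526-6.lam",
    "readme.txt",
]
```

Run missing_in_listing over the names in the TFTP working directory after each automatic or manual backup; an empty result means every numbered file of each run is present.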

1.5.6 Checking the Configuration


After bill saving is configured, you can view the configurations of this feature.

Procedure
l Run the display local-bill { cache start-no count | configuration | information } command
to check the configuration of bill saving.
----End

Example
Run the display local-bill { cache start-no count | configuration | information } command,
and you can view the configuration of bill saving.
<HUAWEI> display local-bill cache 0 2
Contents of Bill 1:
--------------------------------------------------------------
Bill-No : 1
Session-Id: NE80E/40E-1007002000000100ee7075000024
User-name : user1@huawei
Start-Time: 2007/11/24 18:04:42
Stop-Time : 2007/11/24 18:06:17 Elapse : 0:01:35
IP-Addr : 192.168.7.186 MAC : 0016-ecb7-a879
IPv6-Addr : ::
Auth-Type : PPP Access-Type: PPPoE
Port-No : 1/0/2 VLAN : 100
Status : 2(offline) Code : 6, Ref: 98
Acc Data before Tariff Switch,
1 Priority :
0 : User-received: Bytes=0 , Pkts=0
User-sent: Bytes=0 , Pkts=0
Acc Data after Tariff Switch,
1 Priority :
0 : User-received: Bytes=0 , Pkts=0
User-sent: Bytes=0 , Pkts=0
--------------------------------------------------------------
Total printed 1 bills from cache.
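The following Python code is an added example, not part of this guide. It parses a CDR in the format printed by display local-bill cache, shown above (the embedded record is a constructed copy of that output), and applies the consistency checks a billing-reconciliation job would run on each record: that Elapse equals Stop-Time minus Start-Time, that the record is an offline (stop) bill, that the user name carries a domain, and that an address was assigned to the session. The choice of checks is the example's own.

```python
import re
from datetime import datetime

# Constructed copy of the CDR shown in the display local-bill cache output above.
SAMPLE_BILL = """\
Contents of Bill 1:
--------------------------------------------------------------
Bill-No : 1
Session-Id: NE80E/40E-1007002000000100ee7075000024
User-name : user1@huawei
Start-Time: 2007/11/24 18:04:42
Stop-Time : 2007/11/24 18:06:17 Elapse : 0:01:35
IP-Addr : 192.168.7.186 MAC : 0016-ecb7-a879
IPv6-Addr : ::
Auth-Type : PPP Access-Type: PPPoE
Port-No : 1/0/2 VLAN : 100
Status : 2(offline) Code : 6, Ref: 98
Acc Data before Tariff Switch,
1 Priority :
0 : User-received: Bytes=0 , Pkts=0
User-sent: Bytes=0 , Pkts=0
Acc Data after Tariff Switch,
1 Priority :
0 : User-received: Bytes=0 , Pkts=0
User-sent: Bytes=0 , Pkts=0
--------------------------------------------------------------
Total printed 1 bills from cache.
"""

# One 'Key : value' pair. Several pairs share a line, so a value runs until the
# next key (a word starting with a letter, followed by a colon) or the line end.
FIELD_RE = re.compile(
    r"([A-Za-z][A-Za-z0-9-]*)\s*:\s*(\S+(?: \S+)*?)(?=\s+[A-Za-z][A-Za-z0-9-]*\s*:|$)")
TRAFFIC_RE = re.compile(r"(User-received|User-sent):\s*Bytes=(\d+)\s*,\s*Pkts=(\d+)")
TIME_FMT = "%Y/%m/%d %H:%M:%S"


def parse_bill(text):
    """Return (fields, traffic): scalar fields, and [bytes, packets] per direction."""
    fields = {}
    for line in text.splitlines():
        if "Bytes=" in line:
            continue  # accounting lines are handled by TRAFFIC_RE below
        for key, value in FIELD_RE.findall(line):
            fields[key] = value.rstrip(",")  # 'Code : 6,' -> '6'
    traffic = {"User-received": [0, 0], "User-sent": [0, 0]}
    for direction, nbytes, pkts in TRAFFIC_RE.findall(text):
        traffic[direction][0] += int(nbytes)  # summed over both tariff-switch sections
        traffic[direction][1] += int(pkts)
    return fields, traffic


def elapse_seconds(value):
    """Convert the Elapse field (h:mm:ss) to seconds."""
    h, m, s = (int(x) for x in value.split(":"))
    return h * 3600 + m * 60 + s


def check_bill(fields):
    """Consistency checks applied to one parsed CDR; returns a list of problems."""
    problems = []
    start = datetime.strptime(fields["Start-Time"], TIME_FMT)
    stop = datetime.strptime(fields["Stop-Time"], TIME_FMT)
    if int((stop - start).total_seconds()) != elapse_seconds(fields["Elapse"]):
        problems.append("Elapse disagrees with Stop-Time minus Start-Time")
    if not fields.get("Status", "").endswith("(offline)"):
        problems.append("record is not a stop (offline) bill")
    if "@" not in fields.get("User-name", ""):
        problems.append("user name carries no domain")
    if fields.get("IP-Addr") in (None, "0.0.0.0") and fields.get("IPv6-Addr") in (None, "::"):
        problems.append("no address assigned to the session")
    return problems
```

For the record above, parse_bill yields the session's identity fields and zero traffic in both directions, and check_bill returns no problems: the 95-second Elapse matches the two timestamps and the status is 2(offline).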

1.6 Configuring a Domain


The NE80E/40E supports domain-based management for local users and access users.


Context
NOTE

The access-side domain cannot be configured on the X1 or X2 models of the NE80E/40E.

1.6.1 Establishing the Configuration Task


Before configuring a domain, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the data required for the configuration. This will help
you complete the configuration task quickly and accurately.

Applicable Environment
You need to configure a domain to perform AAA management on access users.

Pre-configuration Tasks
Before configuring a domain, complete the following tasks:

l Configuring authentication, authorization, and accounting schemes


l Configuring a RADIUS server group if RADIUS authentication and accounting are adopted
l Configuring an HWTACACS server template if HWTACACS authentication, authorization,
or accounting is adopted
l Configuring an IPv4 address pool

Data Preparation
To configure a domain, you need the following data.

No. Data

1 Domain name

2 Names of authentication, authorization, and accounting schemes

3 Names of the RADIUS server group and HWTACACS server template, and IP address
of the DNS server

4 Name of the IPv4 address pool

5 (Optional) Maximum number of access users and maximum connection setup rate

NOTE

User attributes of the domain include the user priority, user group, idle-cut parameter, time-specific QoS
guarantee, QoS profile, queue profile, VAS policy, policy-based routing, multicast parameter, and
maximum re-authentication time period. These attributes take effect only for users who go online after
the attributes are configured; users who are already online must log in again for the attributes to apply.


1.6.2 Creating a Domain


User management is implemented based on domains. It is recommended that a domain be named
after an ISP or a service.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

A domain is created and the domain view is displayed.

Up to 1024 domains can be created on the NE80E/40E. The NE80E/40E has three default
domains: default0, default1, and default_admin.
l default0 is the default domain for unauthenticated users. When users have accessed the
NE80E/40E but have not yet been authenticated, the NE80E/40E does not know which domain
they belong to and places them in default0. The authentication scheme and accounting
scheme of default0 then apply to these users.
l default1 is the default domain for users being authenticated. If the user name entered for
authentication does not contain a domain name, the NE80E/40E places the user in default1.
The authentication scheme and accounting scheme of default1 then apply to these users.
l default_admin is the default domain for administrators. When an administrator logs in to the
NE80E/40E through Telnet or SSH with a user name that does not contain a domain name, the
NE80E/40E places the administrator in default_admin. The authentication scheme named
default and the accounting scheme default0 then apply to these users.

----End
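The following Python functions are an added example, not part of this guide. They express the domain-selection rules stated above (default0 for unauthenticated users, the named domain when the user name carries one, default_admin for Telnet or SSH administrators without a domain, default1 for other users without a domain) together with the domain-name stripping described for the HWTACACS server template earlier in this chapter, and count where a set of constructed login records would land. Splitting at the last "@" when a name contains several is the example's assumption; the guide only gives the format "user name@domain name".

```python
DEFAULT_DOMAINS = ("default0", "default1", "default_admin")
DELIMITER = "@"  # the guide gives the user name format as "user name@domain name"


def split_user_name(user_name):
    """Return (user, domain); domain is None when the name carries no domain.

    Assumption: the split is made at the last '@', so the user part may itself
    contain '@'. The guide does not say how names with several '@' are treated.
    A trailing '@' with nothing after it is treated as no domain.
    """
    user, sep, domain = user_name.rpartition(DELIMITER)
    if not sep:
        return user_name, None
    return user, (domain or None)


def resolve_domain(user_name, admin_login=False, authenticated=True):
    """Select the domain whose schemes apply to a user, as described above.

    default0       users that reached the router but are not yet authenticated
    <domain>       the domain carried in the user name
    default_admin  Telnet/SSH administrators whose name carries no domain
    default1       any other user whose name carries no domain
    """
    if not authenticated:
        return "default0"
    _, domain = split_user_name(user_name)
    if domain is not None:
        return domain
    return "default_admin" if admin_login else "default1"


def name_sent_to_hwtacacs(user_name, domain_included=True):
    """Apply the template's Domain-included setting before the name leaves the router."""
    if domain_included:
        return user_name
    return split_user_name(user_name)[0]


def domains_used(logins, configured_domains):
    """Count the domain each login lands in and list names whose domain is not
    configured on the router. `logins` is a list of (user_name, admin_login)."""
    counts = {}
    unknown = []
    for user_name, admin_login in logins:
        domain = resolve_domain(user_name, admin_login)
        counts[domain] = counts.get(domain, 0) + 1
        if domain not in configured_domains and domain not in DEFAULT_DOMAINS:
            unknown.append(user_name)
    return counts, unknown


# Constructed login records: (user name as typed, logged in via Telnet/SSH as admin?)
SAMPLE_LOGINS = [
    ("user1@huawei", False),  # access user with a domain
    ("bob", False),           # access user without a domain -> default1
    ("admin", True),          # administrator without a domain -> default_admin
    ("eve@nosuch", False),    # names a domain the router does not have
]
CONFIGURED_DOMAINS = {"huawei"}  # constructed: domains created with the domain command
```

Running domains_used over real login records shows how many users fall back to default1 or default_admin, and therefore which authentication and accounting schemes those default domains must be given.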

1.6.3 Configuring an AAA Scheme for a Domain


You must configure an AAA scheme for a domain before you perform AAA on users in this
domain.

Context
Do as follows on the router:


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
authentication-scheme scheme-name

An authentication scheme is specified for the domain.

By default, the default1 authentication scheme is used for user-defined domains and the default1
domain, the default authentication scheme is used for the default_admin domain, and the default0
authentication scheme is used for the default0 domain. You can run the display
authentication-scheme command to view detailed information about the default authentication schemes.

Step 5 Run:
accounting-scheme scheme-name

An accounting scheme is specified for the domain.

By default, the default1 accounting scheme is used for user-defined domains and the default1
domain; the default0 accounting scheme is used for the default0 domain and default_admin
domain.

Step 6 (Optional) Run:
accounting dual-stack { separate | identical }

The accounting mode for IPv4/IPv6 dual-stack users is configured.

When separate is configured, traffic of IPv4 and IPv6 users is sent to the server separately;
when identical is configured, traffic of IPv4 and IPv6 users is sent to the server together.

By default, accounting is performed separately for IPv4 users and IPv6 users.

Step 7 Run:
authorization-scheme scheme-name

An authorization scheme is specified for the domain.

By default, no authorization scheme is specified for the domain.

----End

1.6.4 Configuring Servers for a Domain


You can configure an HWTACACS server template, a RADIUS server group, a forcible Web
authentication server, or DNS servers for a domain as required.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
domain domain-name

The domain view is displayed.


Step 4 Run the following command as required:
l To configure an HWTACACS server template for the domain, run:
hwtacacs-server template-name

l To configure a RADIUS server group for the domain, run:


radius-server group group-name

l To specify a forcible Web authentication server for the domain, run:


web-server { ip-address | mode { get | post } | redirect-key { mscg-ip mscg-ip-
key | user-ip-address user-ip-key | user-location user-location-key } | url url
| user-first-url-key { key-name | default-name } }

l To specify a primary or secondary DNS server for the domain, run:


dns { primary-ip |second-ip } ip-address

NOTE

If a primary or secondary DNS server is also configured in an address pool, the DNS server configured
in the address pool takes precedence over the DNS server configured by using this command.

By default, no HWTACACS server template, RADIUS server group, Web authentication server, or DNS
server is configured for a domain.

----End

1.6.5 Specifying an IPv4 Address Pool for a Domain


An IPv4 address pool configured for a domain is used to assign IPv4 addresses to all users in
this domain.

Context
The IPv4 address pool for a domain can be a local or remote address pool.
A maximum of 1024 IPv4 address pools can be specified for a domain, and one IPv4 address
pool can be used for multiple domains. The position of an address pool in the domain's list of
pools can be changed. The valid positions range from 1 to the number of address pools
configured in the domain; for example, if 10 address pools are configured in the domain, a pool
can be moved to any position between 1 and 10.
Do as follows on the router:


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
domain domain-name

The domain view is displayed.


Step 4 Run:
ip-pool pool-name [ move-to position ]

IPv4 address pools are specified for the domain.

----End

1.6.6 (Optional) Setting the Maximum Number of Access Users for a Domain

You can set the maximum number of access users for a domain.

Context
To guarantee the processing capability of the NE80E/40E, you can limit the total number of
access users for a domain. If the number of users reaches the limit, additional access users are
denied.
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
domain domain-name

The domain view is displayed.


Step 4 Run:
access-limit max-number

The maximum number of access users is specified for the domain.


The default maximum number of access users for a domain is 279552.

----End

1.6.7 (Optional) Setting the Maximum Number of Sessions for an Account

You can set the maximum number of sessions for an account. This means that you can limit the
number of sessions allowed for users of the same user account. Users of the same user account
share QoS resources.

Context
To guarantee the processing capability of the NE80E/40E, you can limit the maximum number
of sessions for an account. If the number of sessions reaches the limit, additional access users
are denied.

Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
user-max-session max-session-number

The maximum number of sessions for an account is set.

By default, the number of sessions is not limited for an account.

----End

1.6.8 (Optional) Setting the Priority of a Domain User


You can set a priority for each domain user so that users or services of different priorities are
offered with different classes of services.

Context
Do as follows on the router:


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
user-priority { upstream | downstream } { priority | trust-8021p-inner |
trust-8021p-outer | trust-dscp | trust-dscp-inner | trust-dscp-outer |
unchangeable | trust-exp-inner | trust-exp-outer }

The priority of the domain user is set.

Currently, one domain can be configured with only one user priority.

l priority: user priority. The value ranges from 0 to 7.


l trust-8021p-inner: The 802.1p priority in the inner tag of a Layer 2 user packet is used as
the user priority.
l trust-8021p-outer: The 802.1p priority in the outer tag of a Layer 2 user packet is used as
the user priority.
l trust-dscp: The DSCP value of a user packet is used as the user priority.
l trust-dscp-inner: The DSCP value in the inner tag of a user packet is used as the user priority.
l trust-dscp-outer: The DSCP value in the outer tag of a user packet is used as the user priority.
l unchangeable: The user priority is fixed.
l trust-exp-inner: The EXP value in the inner tag of an MPLS packet is used as the user
priority.
l trust-exp-outer: The EXP value in the outer tag of an MPLS packet is used as the user
priority.

By default, the priorities of the incoming and outgoing traffic of users are both 0.

----End

1.6.9 (Optional) Configuring Additional Functions for a Domain


A domain has additional functions such as captive portal, time-based control, policy-based
routing, traffic statistics, or IP address usage alarm.

Context
NOTE

Additional functions for a domain cannot be configured on the X1 or X2 models of the NE80E/40E.

A domain has the following additional functions:

l Forced portal
Forced portal means that when a user accesses the Internet for the first time after passing
the authentication, the NE80E/40E forcibly redirects the user's access request to a certain
server, which is usually the portal server of a carrier. In this manner, the user needs to accept
a service at the carrier's portal immediately after accessing the Internet.
l Time-based control
Time-based control means that a domain is automatically blocked in a specified period.
During this period, the users of this domain cannot access the NE80E/40E and the online
users are disconnected. After the period, the domain is reactivated automatically, and the
domain users are allowed to log in again.
l Idle cut
When the traffic volume of a user keeps being lower than a threshold in a period, the NE80E/
40E considers the user idle and disconnects the user. To perform the idle cut function, you
need to set the idle time and the traffic threshold.
The idle cut function configured for a domain considers only the basic traffic of a user. Multicast
traffic and VAS traffic that is not configured with the summary feature are not counted as basic
traffic, so they do not keep a user from being cut as idle.
l Mandatory PPP authentication
Generally, the authentication mode (PAP, CHAP, or MSCHAP) of a PPP user is negotiated
by the PPP client and the virtual template. After the mandatory authentication mode of a
PPP user is configured for a domain, the users in the domain are authenticated in the
configured mode.
l Policy-based routing
In packet forwarding, the NE80E/40E determines the forwarding egress according to the
destination addresses of the packets. With the policy-based routing function, however, the
NE80E/40E determines the forwarding egress according to the address specified in the user
domain.
l IP address usage alarm
After the alarm threshold for the usage (in percentage) of IP addresses is set in a domain,
the NE80E/40E sends a trap to the network management system (NMS) when the usage of
IP addresses exceeds the threshold. If no alarm threshold is set, the NE80E/40E does not
send any trap to the NMS, regardless of the usage of IP addresses.
l Traffic statistics
The traffic statistics function collects the total traffic of a domain and the upstream and
downstream traffic of users.
l Accounting packet copy
This function sends copies of accounting packets to two RADIUS servers.
Use it when multiple copies of the original accounting information are required (for example,
when multiple ISPs cooperate in the networking). In this case, accounting packet copies are
sent to two RADIUS servers at the same time and serve as the original accounting information
in later settlement.
l Re-authentication timeout
The re-authentication timeout is valid for Layer 3 pre-authentication users. If a Layer 3 pre-
authentication user does not pass the authentication within the maximum re-authentication
time, the NE80E/40E disconnects this user.
l Policy used for online users when the quota is used up
The NE80E/40E uses a policy after the quota (traffic or session time) of an online user is
used up. The NE80E/40E may forcibly log out the user, keep the user online, or redirect
the user to a specified portal.
Do as follows on the router:


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
portal-server { ip-address | redirect-limit times | url url-string } and pppoe-url url-string

Forced portal is configured.

By default, forced portal is disabled.

Step 5 Run:
time-range domain-block { range-name | enable }

Time-based control is configured.

You can configure up to four time ranges, which have equal priority.

By default, time-based control is disabled.

Step 6 Run:
idle-cut idle-time-length idle-rate

The idle cut function is configured.

By default, the idle time is 0. This means that the idle cut function is disabled.

Step 7 Run:
policy-route next-hop-ip-address

Policy-based routing is configured.

By default, policy-based routing is disabled.

Step 8 Run:
ip-warning-threshold threshold

The IP address usage alarm function is configured.

By default, the IP address usage alarm function is not configured.

Step 9 Run:
flow-bill

The function of collecting the statistics about the total traffic is enabled.

By default, the function of collecting the total traffic statistics is disabled.


Step 10 Run:
flow-statistic { down | up } *

The function of collecting the upstream or downstream traffic statistics of the domain users is
enabled.

By default, the function of collecting the upstream and downstream traffic statistics of the domain
users is enabled.

Step 11 Run:
accounting-copy radius-server radius-name

The function of sending accounting packet copies is enabled.

By default, the function of sending accounting packet copies is disabled.

Step 12 Run:
max-ipuser-reauthtime time-value

The re-authentication timeout is configured.

By default, the re-authentication timeout is 300 seconds.

Step 13 Run:
quota-out { offline | online | redirect url url-string }

The policy used for online users when the quota is used up is configured.

By default, the NE80E/40E disconnects the user when the quota of a user is used up.

If the RADIUS protocol type is set to non-standard, a real-time accounting packet is sent to
the RADIUS server to request a new quota when a user's quota is used up. If the RADIUS server
responds with a zero quota, the user is redirected as configured by the quota-out redirect
url url-string command.

If you want a user to be redirected directly when its quota is used up, you must first set the
RADIUS protocol type to standard and configure quota-out redirect url url-string.

Step 14 Run:
radius-no-response lease-time time

The extended lease in case of no response from the RADIUS server is set for DHCP users.

By default, DHCP users will be logged out if there is no response from the RADIUS server.

----End

1.6.10 (Optional) Activating a Domain


Users cannot access a blocked domain. When a domain is not to be used, you can block the
domain.

Context
NOTE

Activating a domain cannot be configured on the X1 or X2 models of the NE80E/40E.

Do as follows on the router:


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
domain domain-name

The domain view is displayed.


Step 4 Run:
block

The status of the domain is set to the blocked state.


By default, a domain is activated after being created.

----End

1.6.11 Checking the Configuration


After configuring a domain, you can view the domain configuration.

Prerequisite
All the configurations of the domain are complete.

Procedure
Step 1 Run the display domain [ domain-name ] command to check the configuration of the domain.

----End

Example
Run the display domain command, and you can view the summaries of configurations of all
the domains.
<HUAWEI> display domain
------------------------------------------------------------------------------
Domain name State CAR Access-limit Online BODNum RptVSMNum
------------------------------------------------------------------------------
default0 Active 0 279552 0 0 0
default1 Active 0 279552 0 0 0
default_admin Active 0 279552 0 0 0
default Active 0 279552 0 0 0
isp1 Active 0 279552 0 0 0
------------------------------------------------------------------------------
Total 5,5 printed
<HUAWEI> display domain default
------------------------------------------------------------------------------
Domain-name : default
Domain-state : Active
Authentication-scheme-name : default1
Accounting-scheme-name : default1
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Web-server-URL-parameter : No
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service :
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
mscg-name-portal-key : -
Portal-user-first-url-key : -
Ancp auto qos adapt : Disable
Service-type : STB
RADIUS-server-template : -
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled
Qos-profile-name inbound : -
Qos-profile-name outbound : -

Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Quota-out : Offline

1.7 Maintaining AAA


This section describes how to maintain AAA by clearing HWTACACS statistics and debugging
RADIUS or HWTACACS.

1.7.1 Clearing AAA Statistics


Clearing AAA statistics includes clearing statistics on the AAA server and accounting stop
packets.

Context

CAUTION
Statistics cannot be restored after you clear them. Exercise caution when running the command.


Procedure
l Run the reset hwtacacs-server statistics { all | accounting | authentication |
authorization } command in the user view to clear the statistics about the HWTACACS
server.
l Run the reset hwtacacs-server accounting-stop-packet { all | ip ip-address } command
in the user view to clear the statistics about the accounting stop packets on the HWTACACS
server.
----End

1.8 Configuration Examples


This section provides configuration examples of AAA, including networking requirements,
configuration notes, and configuration roadmap.

Context
NOTE

Examples in this document use interface numbers and link types of the NE40E-X8. In real world situations,
interface numbers and link types may be different from those used in this document.

1.8.1 Example for Performing Authentication and Accounting for Users by Using RADIUS
This section provides an example for performing authentication and accounting by using
RADIUS, including networking requirements, configuration roadmap, configuration procedure,
and configuration files.

Networking Requirements
NOTE

This example is not supported on the X1 or X2 models of the NE80E/40E.

As shown in Figure 1-1, the users access the network through Router A and belong to the
domain named huawei. Router B functions as the access server for the destination network.
To access the destination network, the users have to traverse the network where Router A and
Router B reside and pass remote authentication on the access server. After that, the users can
access the network through Router B. Remote authentication is implemented on Router B
as follows:
l The RADIUS server performs authentication and accounting for access users.
l The RADIUS server at 129.7.66.66/24 functions as the primary authentication and
accounting server. The RADIUS server at 129.7.66.67/24 functions as the secondary
authentication and accounting server. The default port numbers for authentication and
accounting are 1812 and 1813 respectively.


Figure 1-1 Networking diagram of performing authentication and accounting for users by using
RADIUS

(Figure: Domain huawei, RouterA, RouterB, Network, destination network; RADIUS servers
129.7.66.66/24 and 129.7.66.67/24.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server group, an authentication scheme, and an accounting scheme
on Router B.
2. Apply the RADIUS server group, authentication scheme, and accounting scheme on Router
B to the domain.

Data Preparation
To complete the configuration, you need the following data:
l IP address of the primary (secondary) RADIUS authentication server
l IP address of the primary (secondary) RADIUS accounting server

Procedure
Step 1 Configure a RADIUS server group, an authentication scheme, and an accounting scheme.
# Configure a RADIUS server group named shiva.
<HUAWEI> system-view
[HUAWEI] radius-server group shiva

# Configure the IP addresses and port numbers of the primary RADIUS authentication and
accounting servers.
[HUAWEI-radius-shiva] radius-server authentication 129.7.66.66 1812
[HUAWEI-radius-shiva] radius-server accounting 129.7.66.66 1813

# Configure the IP addresses and port numbers of the secondary RADIUS authentication
and accounting servers.
[HUAWEI-radius-shiva] radius-server authentication 129.7.66.67 1812
[HUAWEI-radius-shiva] radius-server accounting 129.7.66.67 1813

# Set the key and the number of retransmission attempts for the RADIUS server.
[HUAWEI-radius-shiva] radius-server shared-key it-is-my-secret
[HUAWEI-radius-shiva] radius-server retransmit 2
[HUAWEI-radius-shiva] quit

# Enter the AAA view.
[HUAWEI] aaa

# Configure authentication scheme 1, with the authentication mode being RADIUS.
[HUAWEI-aaa] authentication-scheme 1
[HUAWEI-aaa-authen-1] authentication-mode radius
[HUAWEI-aaa-authen-1] quit

# Configure accounting scheme 1, with the accounting mode being RADIUS.
[HUAWEI-aaa] accounting-scheme 1
[HUAWEI-aaa-accounting-1] accounting-mode radius
[HUAWEI-aaa-accounting-1] quit

Step 2 Configure a domain named huawei and apply authentication scheme 1, accounting scheme 1,
and RADIUS server group shiva in the domain.
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] authentication-scheme 1
[HUAWEI-aaa-domain-huawei] accounting-scheme 1
[HUAWEI-aaa-domain-huawei] radius-server group shiva

Step 3 Verify the configuration.

Generally, RADIUS authentication and accounting apply to BRAS access. If the access
configuration is correct, users pass authentication and go online, and user accounting then
proceeds normally.
Run the display radius-server configuration group shiva command on the router to check that
the configuration of the RADIUS server group meets the requirements.
<HUAWEI> display radius-server configuration group shiva
-------------------------------------------------------
Server-group-name : shiva
Authentication-server: IP:129.7.66.66 Port:1812 Weight[0] [UP]
Vpn: -
Authentication-server: IP:129.7.66.67 Port:1812 Weight[0] [UP]
Vpn: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Accounting-server : IP:129.7.66.66 Port:1813 Weight[0] [UP]
Vpn: -
Accounting-server : IP:129.7.66.67 Port:1813 Weight[0] [UP]
Vpn: -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Accounting-server : -
Protocol-version : radius
Shared-secret-key : it-is-my-secret
Retransmission : 2
Timeout-interval(s) : 5
Acct-Stop-Packet Resend : NO
Acct-Stop-Packet Resend-Times : 0
Traffic-unit : B
ClassAsCar : NO
User-name-format : Domain-included
Option82 parse mode : -
Attribute-translation: NO
Packet send algorithm: Master-Backup
Tunnel password : cipher

Run the display domain domain-name command on the router, and you can view the
configurations of the domain.
<HUAWEI> display domain huawei
------------------------------------------------------------------------------
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : 1
Accounting-scheme-name : 1
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
Ancp auto qos adapt : Disable
Service-type : STB
RADIUS-server-template : shiva
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled

Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Quota-out : Offline
------------------------------------------------------------------------------

----End

Configuration Files
#
sysname HUAWEI
#
aaa
authentication-scheme 1
authentication-mode radius
#
authorization-scheme default
#
accounting-scheme 1
accounting-mode radius
#
domain huawei
authentication-scheme 1
accounting-scheme 1
radius-server group shiva
#
radius-server group shiva
radius-server authentication 129.7.66.66 1812 weight 0
radius-server authentication 129.7.66.67 1812 weight 0
radius-server accounting 129.7.66.66 1813 weight 0
radius-server accounting 129.7.66.67 1813 weight 0
radius-server shared-key it-is-my-secret
radius-server retransmit 2
#
return

1.8.2 Example for Configuring HWTACACS Authentication, Authorization, and Accounting

This section describes how to apply HWTACACS authentication, authorization, and accounting
to a real network. HWTACACS authentication, authorization, and accounting are implemented
for users in the domain named huawei.

Networking Requirements
As shown in Figure 1-2, users belong to the domain huawei and access the network through
Router A. Router B functions as the access server of the destination network. If users need to
access the destination network, they should first traverse the network between Router A and
Router B and then access the destination network through Router B after they pass remote
authentication. In such a case, you can configure the authentication mode on Router B as follows:
l Local authentication is first performed on access users. If local authentication fails,
HWTACACS authentication is performed.
l To upgrade the level of an access user, HWTACACS authentication is used first. If the
HWTACACS server does not respond, local authentication is performed.
l HWTACACS authorization is performed on access users.
l Accounting is necessary for all users.
l The HWTACACS server at 129.7.66.66/24 functions as the primary server and its default
authentication port number, authorization port number, and accounting port number are all
49. The HWTACACS server at 129.7.66.67/24 functions as the secondary server and its
default authentication port number, authorization port number, and accounting port number
are all 49.


Figure 1-2 Networking diagram of local authentication and HWTACACS authentication,
authorization, and accounting

(Figure: Domain huawei, RouterA, RouterB, Network, destination network; HWTACACS servers
129.7.66.66/24 and 129.7.66.67/24.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an HWTACACS server template.
2. Configure authentication, authorization, and accounting schemes.
3. Apply the configured template and schemes to the domain.

Data Preparation
To complete the configuration, you need the following data:
l IP address of the primary (secondary) HWTACACS authentication server
l IP address of the primary (secondary) HWTACACS authorization server
l IP address of the primary (secondary) HWTACACS accounting server

Procedure
Step 1 Configure an HWTACACS server template.
# Create an HWTACACS server template named ht.
[RouterA] hwtacacs-server template ht

# Configure the IP addresses and port numbers of the primary HWTACACS authentication,
authorization, and accounting servers.
[RouterA-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[RouterA-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[RouterA-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49

# Configure the IP addresses and port numbers of the secondary HWTACACS authentication,
authorization, and accounting servers.
[RouterA-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[RouterA-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[RouterA-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary

# Configure the shared key of the HWTACACS server.
[RouterA-hwtacacs-ht] hwtacacs-server shared-key it-is-my-secret
[RouterA-hwtacacs-ht] quit

Step 2 Configure AAA schemes.

# Enter the AAA view.
[RouterA] aaa

# Configure an authentication scheme named l-h with the authentication mode being local
hwtacacs. To upgrade the user level, configure the authentication mode as hwtacacs super.
[RouterA-aaa] authentication-scheme l-h
[RouterA-aaa-authen-l-h] authentication-mode local hwtacacs
[RouterA-aaa-authen-l-h] authentication-super hwtacacs super
[RouterA-aaa-authen-l-h] quit

# Configure an authorization scheme named hwtacacs with the authorization mode being
HWTACACS.
[RouterA-aaa] authorization-scheme hwtacacs
[RouterA-aaa-author-hwtacacs] authorization-mode hwtacacs
[RouterA-aaa-author-hwtacacs] quit

# Configure an accounting scheme named hwtacacs with the accounting mode being
HWTACACS.
[RouterA-aaa] accounting-scheme hwtacacs
[RouterA-aaa-accounting-hwtacacs] accounting-mode hwtacacs

Step 3 Create a domain named huawei and apply the authentication scheme l-h, authorization scheme
hwtacacs, accounting scheme hwtacacs, and HWTACACS server template ht to the domain
huawei.
[RouterA-aaa] domain huawei
[RouterA-aaa-domain-huawei] authentication-scheme l-h
[RouterA-aaa-domain-huawei] authorization-scheme hwtacacs
[RouterA-aaa-domain-huawei] accounting-scheme hwtacacs
[RouterA-aaa-domain-huawei] hwtacacs-server ht

Step 4 Verify the configuration.

Run the display hwtacacs-server template command on the router to view information about
the HWTACACS server template.
<HUAWEI> display hwtacacs-server template ht
--------------------------------------------------------------------------
HWTACACS-server template name : ht
Primary-authentication-server : 129.7.66.66:49
Primary-authorization-server : 129.7.66.66:49
Primary-accounting-server : 129.7.66.66:49
Secondary-authentication-server : 129.7.66.67:49
Secondary-authorization-server : 129.7.66.67:49
Secondary-accounting-server : 129.7.66.67:49
Current-authentication-server : 129.7.66.66:49
Current-authorization-server : 129.7.66.66:49
Current-accounting-server : 129.7.66.66:49
Source-IP-address : 0.0.0.0
Shared-key : it-is-my-secret
Quiet-interval (min) : 5
Response-timeout-Interval (sec) : 5
Domain-included : Yes
Traffic-unit : B
--------------------------------------------------------------------------

Run the display domain command on the router, and you can view information about the
domain.
<HUAWEI> display domain huawei

----End

Configuration Files
#
hwtacacs-server template ht
hwtacacs-server authentication 129.7.66.66 49
hwtacacs-server authentication 129.7.66.67 49 secondary
hwtacacs-server authorization 129.7.66.66 49
hwtacacs-server authorization 129.7.66.67 49 secondary
hwtacacs-server accounting 129.7.66.66 49
hwtacacs-server accounting 129.7.66.67 49 secondary
hwtacacs-server shared-key it-is-my-secret
#
aaa
authentication-scheme default
authentication-scheme l-h
authentication-mode local hwtacacs
authentication-super hwtacacs super
#
authorization-scheme default
authorization-scheme hwtacacs
authorization-mode hwtacacs
#
accounting-scheme default
accounting-scheme hwtacacs
accounting-mode hwtacacs
#
domain default
domain huawei
authentication-scheme l-h
authorization-scheme hwtacacs
accounting-scheme hwtacacs
hwtacacs-server ht
#
return
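The RADIUS and HWTACACS configuration files above share one shape: scheme definitions, server groups or templates, and domains that reference both by name. The following Python script is an added example, not Huawei code: it parses that shape and audits it for unresolved references, a missing shared key, and a service with no secondary server. The sample text is transcribed from the HWTACACS configuration file; the weakened variant and the scheme name acct-x are constructed.

```python
"""Audit the AAA blocks of a Huawei-style configuration file (added example, not from the
Huawei guide): do domain references resolve, and does each server set have a key and a backup?"""
import re

# Constructed sample, transcribed from the guide's HWTACACS configuration file.
HWTACACS_CONFIG = """\
#
hwtacacs-server template ht
hwtacacs-server authentication 129.7.66.66 49
hwtacacs-server authentication 129.7.66.67 49 secondary
hwtacacs-server authorization 129.7.66.66 49
hwtacacs-server authorization 129.7.66.67 49 secondary
hwtacacs-server accounting 129.7.66.66 49
hwtacacs-server accounting 129.7.66.67 49 secondary
hwtacacs-server shared-key it-is-my-secret
#
aaa
authentication-scheme l-h
authentication-mode local hwtacacs
authentication-super hwtacacs super
#
authorization-scheme hwtacacs
authorization-mode hwtacacs
#
accounting-scheme hwtacacs
accounting-mode hwtacacs
#
domain default
domain huawei
authentication-scheme l-h
authorization-scheme hwtacacs
accounting-scheme hwtacacs
hwtacacs-server ht
#
"""
# Constructed weak variant: no secondary accounting server, no shared key, undefined scheme.
WEAK_CONFIG = (HWTACACS_CONFIG
               .replace("hwtacacs-server accounting 129.7.66.67 49 secondary\n", "")
               .replace("hwtacacs-server shared-key it-is-my-secret\n", "")
               .replace("accounting-scheme hwtacacs\nhwtacacs-server ht",
                        "accounting-scheme acct-x\nhwtacacs-server ht"))

SCHEMES = ("authentication-scheme", "authorization-scheme", "accounting-scheme")

def parse_config(text: str) -> dict:
    """Split on '#' lines; the grammar also covers 'radius-server group NAME' blocks."""
    cfg = {"schemes": {s: set() for s in SCHEMES}, "servers": {}, "domains": {}}
    for block in re.split(r"(?m)^#\s*$", text):
        lines = [ln.split() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        head = lines[0]
        if head[0] == "aaa" or head[0] in SCHEMES:
            # Scheme definitions live in the 'aaa' block and the per-scheme blocks.
            for tok in lines:
                if tok[0] in SCHEMES:
                    cfg["schemes"][tok[0]].add(tok[1])
        elif head[0] == "domain":
            # Each 'domain NAME' opens a new domain; the lines after it bind to it.
            for tok in lines:
                if tok[0] == "domain":
                    cur = cfg["domains"].setdefault(tok[1], {"servers": []})
                elif tok[0] in SCHEMES:
                    cur[tok[0]] = tok[1]
                elif tok[:2] == ["radius-server", "group"]:
                    cur["servers"].append(tok[2])
                elif tok[0] == "hwtacacs-server":
                    cur["servers"].append(tok[1])
        elif head[0] in ("radius-server", "hwtacacs-server") and len(head) == 3:
            # 'radius-server group NAME' or 'hwtacacs-server template NAME'.
            srv = cfg["servers"].setdefault(head[2], {"shared-key": None, "hosts": {}})
            for tok in lines[1:]:
                if tok[1] in ("authentication", "authorization", "accounting"):
                    srv["hosts"].setdefault(tok[1], []).append((tok[2], int(tok[3])))
                elif tok[1] == "shared-key":
                    srv["shared-key"] = tok[2]
    return cfg

def audit(cfg: dict) -> list:
    """Return findings as plain strings; an empty list means every check passed."""
    findings = []
    for name, dom in cfg["domains"].items():
        if "authentication-scheme" not in dom:
            findings.append(f"domain {name}: no authentication-scheme bound explicitly")
        for kind in SCHEMES:
            ref = dom.get(kind)
            if ref is not None and ref not in cfg["schemes"][kind]:
                findings.append(f"domain {name}: {kind} {ref} is not defined")
        for srv in dom["servers"]:
            if srv not in cfg["servers"]:
                findings.append(f"domain {name}: server set {srv} is not defined")
    for name, srv in cfg["servers"].items():
        if not srv["shared-key"]:
            findings.append(f"server set {name}: no shared key configured")
        for service, hosts in srv["hosts"].items():
            if len(hosts) < 2:
                findings.append(f"server set {name}: only one {service} server, no secondary")
    return findings
```

Running audit(parse_config(WEAK_CONFIG)) reports the undefined scheme, the missing key and the single accounting server; the transcribed file passes apart from the default domain binding no scheme explicitly.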

1.8.3 Example for Configuring HWTACACS Authentication and Authorization on the MPLS VPN

This section describes how to enable HWTACACS authentication, authorization, and
accounting packets to traverse a VPN, so that an administrator on the public network can be
authorized and accounted by a server located in the VPN.

Networking Requirements
As shown in Figure 1-3, CE1 and CE2 both belong to VPN-A. The VPN target attribute used by
VPN-A is 111:1. On the public network, the administrator logs in to PE2 through the console
port or through a PC, another router, or a Telnet client. After the administrator is
authorized, the administrator manages PE2, and the system events and records of administrator
operations on PE2 are sent to the TACACS server. The TACACS server is deployed on the
VPN. Thus, PE2 needs to forward HWTACACS packets based on VPN instances.

l PE2 authenticates administrators through HWTACACS.
l PE2 authorizes administrators through HWTACACS.
l The TACACS server 160.1.1.100/24 is the primary server, with authentication port 49,
authorization port 49, and accounting port 49. The TACACS server 160.1.1.101/24 is the
secondary server, with authentication port 49, authorization port 49, and accounting port
49 by default.

Figure 1-3 Diagram of configuring HWTACACS authentication and authorization of
administrators

(Figure: CE1 in AS65410/VPNA connects to PE1; PE1, P, and PE2 form the AS100 backbone; PE2
connects to CE2 in AS65430/VPNA, behind which the main and backup TACACS servers sit. The
administrator connects to PE2.)

Device               Interface   IP address
CE1                  GE1/0/1     10.1.1.2/24
PE1                  Loopback1   1.1.1.9/32
PE1                  GE2/0/0     10.1.1.1/24
PE1                  GE1/0/0     100.1.1.1/24
P                    Loopback1   3.3.3.9/32
P                    GE1/0/0     100.1.1.2/24
P                    GE2/0/0     200.1.1.1/24
PE2                  Loopback1   2.2.2.9/32
PE2                  GE2/0/0     10.2.1.2/24
PE2                  GE1/0/0     200.1.1.2/24
CE2                  GE1/0/0     10.2.1.1/24
CE2                  GE1/0/1     160.1.1.1/24
Main TACACS server   -           160.1.1.100/24
Backup TACACS server -           160.1.1.101/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure BGP/MPLS IP VPN for interworking.
2. Configure an HWTACACS server template.
3. Configure the authentication scheme and authorization scheme.
4. Apply the HWTACACS server template, the authentication scheme, and the authorization
scheme.

Data Preparation
To complete the configuration, you need the following data:
l IP address of the primary (secondary) HWTACACS authentication server
l IP address of the primary (secondary) HWTACACS authorization server
l IP address of the primary (secondary) HWTACACS accounting server

Procedure
Step 1 Configure BGP/MPLS IP VPN.
Configure an IGP so that the PEs and the P on the backbone network can communicate and the
CE addresses are advertised.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitEthernet1/0/0
[PE1-GigabitEthernet1/0/0] ip address 100.1.1.1 24
[PE1-GigabitEthernet1/0/0] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 3.3.3.9 32
[P-LoopBack1] quit
[P] interface gigabitEthernet 1/0/0
[P-GigabitEthernet1/0/0] ip address 100.1.1.2 24
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitEthernet 2/0/0
[P-GigabitEthernet2/0/0] ip address 200.1.1.1 24
[P-GigabitEthernet2/0/0] quit

[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 200.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] interface gigabitEthernet 1/0/0
[PE2-GigabitEthernet1/0/0] ip address 200.1.1.2 24
[PE2-GigabitEthernet1/0/0] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 200.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] interface gigabitethernet 1/0/1
[CE1-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[CE1-GigabitEthernet1/0/1] quit

# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] ip address 10.2.1.1 24
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface gigabitethernet 1/0/1
[CE2-GigabitEthernet1/0/1] ip address 160.1.1.1 24
[CE2-GigabitEthernet1/0/1] quit
[CE2] ospf
[CE2-ospf-1] area 0
[CE2-ospf-1-area-0.0.0.0] network 160.1.1.0 0.0.0.255
[CE2-ospf-1-area-0.0.0.0] quit
[CE2-ospf-1] quit

After the configuration, OSPF neighbor relationships should be set up between PE1, P, and PE2.
Run the display ospf peer command to check that the neighbor state is Full. Run the display ip
routing-table command to check that each PE has learned the routes to the Loopback1 interfaces
of its peers.
Take the display on PE1 as an example:
[PE1] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 9
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.9/32 Direct 0 0 D 127.0.0.1 InLoopBack0
2.2.2.9/32 OSPF 10 3125 D 100.1.1.2 GigabitEthernet1/0/0
3.3.3.9/32 OSPF 10 1563 D 100.1.1.2 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.1.1.0/24 Direct 0 0 D 100.1.1.1 GigabitEthernet1/0/0
100.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.1.1.2/32 Direct 0 0 D 100.1.1.2 GigabitEthernet1/0/0
200.1.1.0/24 OSPF 10 3124 D 100.1.1.2 GigabitEthernet1/0/0
[PE1] display ospf peer
OSPF Process 1 with Router ID 1.1.1.9
Neighbors
Area 0.0.0.0 interface 100.1.1.1(GigabitEthernet1/0/0)'s neighbors
Router ID: 3.3.3.9 Address: 100.1.1.2 GR State: Normal
State: Full Mode:Nbr is Master Priority: 1
DR: None BDR: None MTU: 1500
Dead timer due in 38 sec
Neighbor is up for 00:02:44
Authentication Sequence: [ 0 ]

Configure basic MPLS functions and MPLS LDP on the MPLS backbone network and set up
LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] lsp-trigger all
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitEthernet 1/0/0
[PE1-GigabitEthernet1/0/0] mpls
[PE1-GigabitEthernet1/0/0] mpls ldp
[PE1-GigabitEthernet1/0/0] quit

# Configure P.
[P] mpls lsr-id 3.3.3.9
[P] mpls
[P-mpls] lsp-trigger all
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface gigabitEthernet 1/0/0
[P-GigabitEthernet1/0/0] mpls
[P-GigabitEthernet1/0/0] mpls ldp
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitEthernet 2/0/0
[P-GigabitEthernet2/0/0] mpls
[P-GigabitEthernet2/0/0] mpls ldp
[P-GigabitEthernet2/0/0] quit

# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] lsp-trigger all
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitEthernet 1/0/0
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit

After the configuration, LDP sessions should be set up between PE1 and P and between P and
PE2. Run the display mpls ldp session command to check that the Status field displays
Operational. Run the display mpls ldp lsp command to check whether LDP LSPs have been set
up.
Take the display on PE1 as an example:
[PE1] display mpls ldp session
LDP Session(s) in Public Network
-------------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv
-------------------------------------------------------------------------
3.3.3.9:0 Operational DU Passive 000:00:01 7/7
-------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM
[PE1] display mpls ldp lsp
LDP LSP Information
------------------------------------------------------------------
SN DestAddress/Mask In/OutLabel Next-Hop In/Out-Interface
------------------------------------------------------------------
1 1.1.1.9/32 3/NULL 127.0.0.1 GigabitEthernet1/0/0/InLoop0
2 2.2.2.9/32 NULL/1027 100.1.1.2 -------/GigabitEthernet1/0/0
3 3.3.3.9/32 NULL/3 100.1.1.2 -------/GigabitEthernet1/0/0
------------------------------------------------------------------
TOTAL: 3 Normal LSP(s) Found.
TOTAL: 0 Liberal LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale

Configure VPN instances on PEs so that CEs can access PEs.


# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna] vpn-target 111:1 both
[PE1-vpn-instance-vpna] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[PE1-GigabitEthernet2/0/0] ip address 10.1.1.1 24
[PE1-GigabitEthernet2/0/0] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna] vpn-target 111:1 both
[PE2-vpn-instance-vpna] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[PE2-GigabitEthernet2/0/0] ip address 10.2.1.2 24
[PE2-GigabitEthernet2/0/0] quit

After the configuration, run the display ip vpn-instance verbose command on the PEs to view
the configurations of the VPN instances. Each PE can ping its connected CE.

NOTE

When a PE has multiple interfaces bound to the same VPN, you must specify the source IP address
(the -a source-ip-address parameter) when running the ping -vpn-instance vpn-instance-name -a
source-ip-address dest-ip-address command. Otherwise, the ping may fail.

Take PE1 and CE1 as an example:


[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpna, 1
Create date : 2008/09/27 15:24:40
Up time : 0 days, 00 hours, 05 minutes and 19 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label policy: label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
Interfaces : GigabitEthernet1/0/0
[PE1] ping -vpn-instance vpna 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=56 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=4 ms
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=52 ms
Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=3 ms
--- 10.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/23/56 ms

Set up EBGP peer relationships between the PEs and CEs and import VPN routes.

# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.1 as-number 100
[CE1-bgp] import-route direct

NOTE

The configuration of CE2 is similar to that of CE1 and is therefore omitted.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.2 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit

NOTE

The configuration of PE2 is similar to that of PE1 and is therefore omitted.

After the configuration, run the display bgp vpnv4 vpn-instance peer command on a PE; the
BGP peer relationship between the PE and its connected CE should be in the Established
state.

Take the peer relationship between PE1 and CE1 as an example:


[PE1] display bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.2 4 65410 11 9 0 00:06:37 Established 1

Set up MP-IBGP peer relationship between PEs.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit

After the configuration, run the display bgp peer or display bgp vpnv4 all peer command on
a PE; the BGP peer relationship between the PEs should be in the Established state.
[PE1] display bgp peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 2 6 0 00:00:12 Established 0
[PE1] display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 12 18 0 00:09:38 Established 0
Peer of vpn instance:
vpn instance vpna :
10.1.1.2 4 65410 25 25 0 00:17:57 Established 1

Step 2 Configure an HWTACACS server template on PE2.

# Configure the HWTACACS server template ht.
<PE2> system-view
[PE2] hwtacacs-server template ht

# Configure the IP address and ports of the primary HWTACACS authentication, authorization,
and accounting servers, and bind the VPN instances to these servers.
[PE2-hwtacacs-ht] hwtacacs-server authentication 160.1.1.100 49 vpn-instance vpna
[PE2-hwtacacs-ht] hwtacacs-server authorization 160.1.1.100 49 vpn-instance vpna

# Configure the IP address and ports of the secondary HWTACACS authentication,
authorization, and accounting servers, and bind the VPN instances to these servers.
[PE2-hwtacacs-ht] hwtacacs-server authentication 160.1.1.101 49 vpn-instance vpna secondary
[PE2-hwtacacs-ht] hwtacacs-server authorization 160.1.1.101 49 vpn-instance vpna secondary

# Configure the shared key of the HWTACACS server.
[PE2-hwtacacs-ht] hwtacacs-server shared-key it-is-my-secret
[PE2-hwtacacs-ht] quit

Step 3 Configure the authentication scheme, the authorization scheme, and the accounting scheme.
# Enter the AAA view.
[PE2] aaa

# Configure the authentication scheme l-h and set its authentication mode to HWTACACS.
[PE2-aaa] authentication-scheme l-h
[PE2-aaa-authen-l-h] authentication-mode hwtacacs
[PE2-aaa-authen-l-h] quit

# Configure the authorization scheme hwtacacs and set its authorization mode to HWTACACS.
[PE2-aaa] authorization-scheme hwtacacs
[PE2-aaa-author-hwtacacs] authorization-mode hwtacacs
[PE2-aaa-author-hwtacacs] quit

Step 4 Configure the huawei domain. Use the l-h authentication scheme, the HWTACACS
authorization scheme, the HWTACACS accounting scheme, and the ht HWTACACS template
in the domain.
[PE2-aaa] domain huawei
[PE2-aaa-domain-huawei] authentication-scheme l-h
[PE2-aaa-domain-huawei] authorization-scheme hwtacacs
[PE2-aaa-domain-huawei] hwtacacs-server ht
[PE2-aaa-domain-huawei] quit
[PE2-aaa] quit

Step 5 Verify the configuration.

Run the display hwtacacs-server template command on the router to check whether the
configuration of the HWTACACS server template meets the requirements.
<PE2> display hwtacacs-server template ht
--------------------------------------------------------------------------
HWTACACS-server template name : ht
Primary-authentication-server : 160.1.1.100:49:vpna
Primary-authorization-server : 160.1.1.100:49:vpna
Primary-accounting-server : 0.0.0.0:0:-
Secondary-authentication-server : 160.1.1.101:49:vpna
Secondary-authorization-server : 160.1.1.101:49:vpna
Secondary-accounting-server : 0.0.0.0:0:-
Current-authentication-server : 160.1.1.100:49:vpna
Current-authorization-server : 160.1.1.100:49:vpna
Current-accounting-server : 0.0.0.0:0:-
Source-IP-address : 0.0.0.0
Shared-key : it-is-my-secret
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : Yes
Traffic-unit : B
--------------------------------------------------------------------------

Run the display domain command on the router to check whether the configuration of the
domain meets the requirements.
<PE2> display domain huawei
-------------------------------------------------------------------
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : l-h
Accounting-scheme-name : default
Authorization-scheme-name : hwtacacs
User-CAR : -
Web-IP-address : -
Next-hop : -
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
Acl-number : -
Idle-data-attribute (time,flow) : 0, 60
User-priority : -
User-access-limit : 384
Online-number : 0
RADIUS-server-template : -
HWTACACS-server-template : ht
-------------------------------------------------------------------

----End
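As an added example (not Huawei code and not part of this guide), the following Python parses the AAA part of a configuration file in the format shown under Configuration Files and flags the mistakes that are easiest to make in Steps 2 to 4: a domain that binds a scheme or template that was never defined, and an HWTACACS scheme in a domain that binds no template to send requests to. It also notes when a template has no accounting server and that the shared key is readable in the configuration text. The sample configuration is constructed from PE2's configuration in this example plus a deliberately broken domain; the parser recognises only the commands used in this chapter, which is an assumption, not a full VRP grammar.

```python
# Added example, not Huawei code: audit an NE80E/40E-style AAA configuration
# for dangling references and weak HWTACACS template settings. The parser
# understands only the commands used in this chapter (an assumption, not a
# full VRP grammar).

# Constructed sample: the AAA part of PE2's configuration file in this example,
# plus a deliberately broken domain that binds a scheme that is never defined.
SAMPLE_CONFIG = """\
hwtacacs-server template ht
 hwtacacs-server authentication 160.1.1.100 49 vpn-instance vpna
 hwtacacs-server authentication 160.1.1.101 49 vpn-instance vpna secondary
 hwtacacs-server authorization 160.1.1.100 vpn-instance vpna
 hwtacacs-server authorization 160.1.1.101 vpn-instance vpna secondary
 hwtacacs-server shared-key it-is-my-secret
#
aaa
 authentication-scheme default
 authentication-scheme l-h
  authentication-mode hwtacacs
 #
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
 #
 domain huawei
  authentication-scheme l-h
  authorization-scheme hwtacacs
  hwtacacs-server ht
 domain broken
  authentication-scheme missing
"""

SCHEME_TABLES = {"authentication-scheme": "authen",
                 "authorization-scheme": "author",
                 "accounting-scheme": "acct"}
DOMAIN_REFS = tuple(SCHEME_TABLES) + ("hwtacacs-server", "radius-server")
SERVER_KINDS = ("authentication", "authorization", "accounting")


def parse_aaa_config(text):
    """Return HWTACACS templates, scheme modes and domain bindings found in text."""
    cfg = {"templates": {}, "authen": {}, "author": {}, "acct": {}, "domains": {}}
    section = name = None            # block the current line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":              # block separator
            section = name = None
            continue
        w = line.split()
        if w[:2] == ["hwtacacs-server", "template"]:
            section, name = "template", w[2]
            cfg["templates"][name] = {k: [] for k in SERVER_KINDS}
            cfg["templates"][name]["shared-key"] = None
        elif w[0] == "domain":
            section, name = "domain", w[1]
            cfg["domains"][name] = {}
        elif section == "domain" and w[0] in DOMAIN_REFS:
            cfg["domains"][name][w[0]] = w[1]          # reference, not a definition
        elif section == "template" and w[0] == "hwtacacs-server":
            if w[1] == "shared-key":
                cfg["templates"][name]["shared-key"] = w[2]
            elif w[1] in SERVER_KINDS:
                cfg["templates"][name][w[1]].append(w[2])   # server address
        elif w[0] in SCHEME_TABLES:
            section, name = SCHEME_TABLES[w[0]], w[1]
            cfg[section].setdefault(name, None)        # mode unknown until *-mode is seen
        elif section in ("authen", "author", "acct") and w[0].endswith("-mode"):
            cfg[section][name] = w[1]
    return cfg


def audit_aaa(cfg):
    """Findings as 'LEVEL subject: message' strings; an empty list means consistent."""
    out = []
    for tname, t in cfg["templates"].items():
        if not t["authentication"]:
            out.append(f"ERROR template {tname}: no authentication server")
        if not t["accounting"]:
            out.append(f"WARN template {tname}: no accounting server, logins are not recorded centrally")
        if t["shared-key"]:
            out.append(f"WARN template {tname}: shared key is readable in the configuration text")
    for dname, d in cfg["domains"].items():
        tpl = d.get("hwtacacs-server")
        if tpl and tpl not in cfg["templates"]:
            out.append(f"ERROR domain {dname}: hwtacacs-server template '{tpl}' is not defined")
        for ref, table in SCHEME_TABLES.items():
            scheme = d.get(ref)
            if scheme is None:                      # domain falls back to the default scheme
                continue
            if scheme not in cfg[table]:
                out.append(f"ERROR domain {dname}: {ref} '{scheme}' is not defined")
            elif cfg[table][scheme] == "hwtacacs" and not tpl:
                out.append(f"ERROR domain {dname}: {ref} '{scheme}' uses HWTACACS but no template is bound")
    return out
```

Running audit_aaa(parse_aaa_config(SAMPLE_CONFIG)) reports one error for the domain broken and two warnings for the template ht; the domain huawei configured in this example comes back clean.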

Configuration Files
l Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
lsp-trigger all
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.2 as-number 65410
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
l Configuration file of P
#
sysname P
#
mpls lsr-id 3.3.3.9
mpls
lsp-trigger all
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 200.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.255
network 200.1.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
l Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
hwtacacs-server template ht
hwtacacs-server authentication 160.1.1.100 49 vpn-instance vpna
hwtacacs-server authentication 160.1.1.101 49 vpn-instance vpna secondary
hwtacacs-server authorization 160.1.1.100 vpn-instance vpna
hwtacacs-server authorization 160.1.1.101 vpn-instance vpna secondary
hwtacacs-server shared-key it-is-my-secret
#
mpls lsr-id 2.2.2.9
mpls
lsp-trigger all
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 200.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
peer 10.2.1.1 as-number 65430
import-route direct
#
aaa
authentication-scheme default
authentication-scheme l-h
authentication-mode hwtacacs
#
authorization-scheme default
authorization-scheme hwtacacs
authorization-mode hwtacacs
#
accounting-scheme default
#
domain default
domain huawei
authentication-scheme l-h
authorization-scheme hwtacacs
hwtacacs-server ht
#
ospf 1
area 0.0.0.0
network 200.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return

l Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
bgp 65410
peer 10.1.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.1 enable
#
return

l Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 160.1.1.1 255.255.255.0
#
bgp 65430
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
ospf 1
area 0.0.0.0
network 160.1.1.0 0.0.0.255
#
return

2 DHCPv4 Configuration

About This Chapter

On an IPv4 network, DHCPv4 must be enabled for users to dynamically obtain IP addresses.

Context
NOTE

The access-side DHCPv4 cannot be configured on the X1 or X2 models of the NE80E/40E.

2.1 Introduction to DHCPv4


DHCPv4 enables a client to dynamically obtain a valid IPv4 address.
2.2 DHCPv4 Supported by the NE80E/40E
The NE80E/40E can be configured as a DHCP server to allocate IP addresses to users or as a
DHCP relay agent to relay the IP addresses assigned by a remote DHCP server to users.
2.3 Configuring an IPv4 Address Pool
After an IPv4 address pool is configured, users can obtain IPv4 addresses from the IPv4 address
pool.
2.4 Configuring a DHCPv4 Server Group
A DHCPv4 server group is required only when a remote address pool is used to assign IP
addresses to users that use a BAS interface for access.
2.5 Configuring DHCPv4 Relay
When a client and a DHCPv4 server reside on different network segments, a DHCPv4 relay
agent must be configured to relay the IP address assigned by the DHCPv4 server to the client.
2.6 Adjusting DHCPv4 Service Parameters
You can adjust DHCPv4 service parameters to enhance the security of the DHCPv4 service.
2.7 Maintaining DHCPv4
You can maintain DHCPv4 by clearing DHCPv4 statistics, monitoring DHCPv4 operation
status, and debugging DHCPv4.
2.8 Configuration Examples
This section provides configuration examples of DHCPv4, including networking requirements,
configuration notes, and configuration roadmap.

2.1 Introduction to DHCPv4


DHCPv4 enables a client to dynamically obtain a valid IPv4 address.
With the rapid growth in network scale and complexity, network configuration is becoming more
difficult. The locations of hosts (such as laptops and wireless terminals) change, and the number
of hosts has exceeded the number of available IP addresses. The Dynamic Host Configuration
Protocol version 4 (DHCPv4) was developed to solve these problems.

2.2 DHCPv4 Supported by the NE80E/40E


The NE80E/40E can be configured as a DHCP server to allocate IP addresses to users or as a
DHCP relay agent to relay the IP addresses assigned by a remote DHCP server to users.
The NE80E/40E supports DHCPv4 based on the global address pool, can be configured as a
DHCPv4 relay agent or a DHCPv4 server, and provides measures to secure the DHCPv4 service.
Users can obtain IP addresses either from the NE80E/40E functioning as a DHCPv4 server or from
a remote DHCPv4 server through the NE80E/40E functioning as a DHCPv4 relay agent.
The NE80E/40E also supports extended DHCPv4 functions, including DHCPv4 options and
DHCPv4 broadcast.

2.3 Configuring an IPv4 Address Pool


After an IPv4 address pool is configured, users can obtain IPv4 addresses from the IPv4 address
pool.

2.3.1 Establishing the Configuration Task


Before configuring an IPv4 address pool, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
On a large network, if PCs cannot be connected directly to the routing device through Ethernet
interfaces but must be connected to the routing device through other devices, a network-side
DHCPv4 server needs to be configured so that the PCs can dynamically obtain IP addresses from
the routing device, as shown in Figure 2-1.

Figure 2-1 IP address assignment for Ethernet users (without any relay agent in the networking)

[Figure: DHCP server, DNS server, and NetBIOS server on the same network as the DHCP clients]

A network-side DHCPv4 server usually works with a DHCPv4 relay agent, as shown in Figure
2-2.

Figure 2-2 IP address assignment for Ethernet users (with a relay agent in the networking)

[Figure: DHCP clients, RouterA functioning as DHCP relay, RouterB functioning as DHCP server, DNS server, NetBIOS server]

NOTE

The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.

A BAS-side address pool needs to be configured to assign IP addresses to access users. If the
NE80E/40E needs to allocate IP addresses to users, you must configure a local address pool on
the NE80E/40E, as shown in Figure 2-3; if a DHCPv4 or BOOTP server needs to allocate IP
addresses to users, you must configure a remote address pool on the NE80E/40E, as shown in
Figure 2-4.

Figure 2-3 Networking diagram for address assignment from the local address pool

[Figure: subscriber@isp1, Switch, DHCP Server, DNS Server, Internet]

Figure 2-4 Networking diagram for address assignment from the remote address pool

[Figure: subscriber@isp2, Access Network, DHCP Relay, DHCP Server, Internet]

Pre-configuration Tasks
Before configuring an IP address pool, complete the following task:

l Configuring the DHCPv4 Server if a remote address pool is used


NOTE

If two remote address pools are bound to the same DHCP server but the configuration of the DHCP
server is not consistent with both remote address pools, one of the remote address pools becomes invalid.
Therefore, ensure that the configuration of the DHCP server is consistent with both address pools, or bind
each remote address pool to a separate DHCP server.

Data Preparation
To configure an IP address pool, you need the following data.

No. Data

1 Name and gateway address of the address pool

2 Number of address segments and start and end addresses of each address segment

3 (Optional) Address lease of the address pool, IP address lease extension, and VPN instance

4 (Optional) IP addresses and MAC addresses that need to be bound statically

5 (Optional) IP address of the DNS server, DNS suffix, IP address of the NetBIOS server, and IP address of the SIP server

6 (Optional) Self-defined DHCPv4 options

7 (Optional) Excluded or conflicting IP addresses in the address pool and IP addresses to be reclaimed

2.3.2 Creating an Address Pool


It is essential to configure the type, name, gateway, and address segment of an address pool.

Context
NOTE

The access-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.

Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip pool pool-name [ bas { local | remote } | server ]

An address pool is created and the address pool view is displayed.

Up to 4096 address pools can be configured in the system. Address pool names must be
unique.

Step 3 Run:
gateway ip-address mask

The gateway address of the pool is configured.

The gateway address and subnet mask are used to determine whether the IP addresses in the
address segments belong to the same subnet as the gateway. Therefore, you must configure the
gateway address and mask before configuring the address segments.

Step 4 Run:
section section-num start-ip-address [ end-ip-address ]

An address segment is configured.

Up to eight address segments can be configured in an address pool. An address segment contains
at most 65536 IP addresses. The address segments cannot overlap each other.

Step 5 (Optional) Run:
lease days [ hours [ minutes ] ]

The lease of the address pool is configured.


By default, the lease of the IP addresses in an address pool is three days. If the lease is set to 0,
the lease of the IP addresses is not limited.
Step 6 (Optional) Run:
rebinding-time days [ hours [ minutes ] ]

The rebinding time of IP addresses is set.


By default, the rebinding time of IP addresses is 87.5% of the lease of the address pool.
Step 7 (Optional) Run:
renewal-time days [ hours [ minutes ] ]

The renewal time of IP addresses is set.


By default, the renewal time of IP addresses is 50% of the lease of the address pool.
Step 8 (Optional) Run:
recycle start-ip-address [ end-ip-address ]

The status of these IP addresses is set to Idle.


When the user is offline, you can reclaim the occupied IP address manually by running this
command.
Step 9 (Optional) Run:
reserved ip-address { lease | mac }

The reservation type of an IP address for a user is configured.


By default, IP addresses are not reserved: when a user goes offline, the IP address is reclaimed.
If a user is assigned a lease of four days at the first login, the user can still use the originally
allocated IP address provided that the user goes online again within those four days. This is
called lease-based IP address reservation.
If a user's MAC address and the allocated IP address are recorded at the first login, the user
can still use the originally allocated IP address at the second login. This is called
MAC-address-based IP address reservation.
Step 10 (Optional) Run:
vpn-instance instance-name

A VPN instance is bound to the address pool.


Step 11 (Optional) Run:
warning-threshold threshold-value

The alarm threshold for the address usage of an address pool is set. If the address usage exceeds
the threshold, an alarm is generated on the router.
By default, the alarm threshold for the address usage of an address pool is 100.

----End
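As an added example (not Huawei code and not the router's own implementation), the following Python checks an address pool definition against the rules this procedure states (at most eight segments, at most 65536 addresses per segment, no overlap, every segment inside the gateway's subnet) and derives the lease, renewal and rebinding timers from the defaults given in Steps 5 to 7. The function names are the example's own, and it goes slightly beyond the text by also reporting a segment whose end address precedes its start.

```python
# Added example, not Huawei code: validate an IPv4 address pool against the
# rules in this procedure and derive the default lease timers.
import ipaddress

MAX_SECTIONS = 8                       # segments per pool (from the guide)
MAX_ADDRESSES_PER_SECTION = 65536      # addresses per segment (from the guide)


def check_pool(gateway, mask, sections):
    """sections: list of (start, end) as in 'section <n> start [end]'; end may be None.
    Returns a list of rule violations; an empty list means the pool is acceptable."""
    problems = []
    subnet = ipaddress.IPv4Network((gateway, mask), strict=False)
    if len(sections) > MAX_SECTIONS:
        problems.append(f"{len(sections)} sections configured, at most {MAX_SECTIONS} allowed")
    ranges = []
    for num, (start, end) in enumerate(sections, 1):
        lo = ipaddress.IPv4Address(start)
        hi = ipaddress.IPv4Address(end) if end else lo
        if hi < lo:
            problems.append(f"section {num}: end {hi} precedes start {lo}")
            lo, hi = hi, lo
        if lo not in subnet or hi not in subnet:
            problems.append(f"section {num}: {lo}-{hi} is outside the gateway subnet {subnet}")
        if int(hi) - int(lo) + 1 > MAX_ADDRESSES_PER_SECTION:
            problems.append(f"section {num}: more than {MAX_ADDRESSES_PER_SECTION} addresses")
        ranges.append((int(lo), int(hi), num))
    ranges.sort()                                      # neighbours in address order
    for (_, hi_a, num_a), (lo_b, _, num_b) in zip(ranges, ranges[1:]):
        if lo_b <= hi_a:
            problems.append(f"sections {num_a} and {num_b} overlap")
    return problems


def lease_timers(days=3, hours=0, minutes=0, renewal=None, rebinding=None):
    """Lease, renewal (T1) and rebinding (T2) in seconds, the values a client sees in
    DHCP options 51, 58 and 59. Defaults: 3-day lease, T1 = 50 %, T2 = 87.5 % of it.
    A lease of 0 means unlimited, so no timers apply."""
    lease = (days * 24 + hours) * 3600 + minutes * 60
    if lease == 0:
        return (0, None, None)
    t1 = lease // 2 if renewal is None else renewal
    t2 = lease * 7 // 8 if rebinding is None else rebinding
    if not 0 < t1 < t2 < lease:
        raise ValueError(f"need 0 < renewal ({t1}) < rebinding ({t2}) < lease ({lease})")
    return (lease, t1, t2)
```

check_pool("10.1.1.1", 24, [("10.1.1.2", "10.1.1.100"), ("10.1.1.101", "10.1.1.254")]) returns an empty list, while a second segment starting at 10.1.1.50 or a segment in 10.1.2.0/24 is reported; lease_timers() with the defaults returns the 3-day lease with T1 at 1.5 days and T2 at 2 days 15 hours.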

2.3.3 (Optional) Configuring Static IP Address Binding


The IP address pool configured for static address bindings contains special IP addresses, which
are generally assigned to servers that need fixed IP addresses or to users with particular
requirements.

Context
NOTE

The BAS-side address pool cannot be configured on the X1 or X2 models of NE80E/40E.

Depending on the clients' needs, you can adopt either static address binding or dynamic address
assignment.

When dynamic address assignment is used, a range of IP addresses to be assigned needs to be
specified. Static address binding can be regarded as a special DHCPv4 address pool with only
one address.

Do as follows on the router that functions as a DHCPv4 server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip pool pool-name bas local

An IP address pool is created and the IP address pool view is displayed.

Step 3 (Optional) Run:
excluded-ip-address start-ip-address [ end-ip-address ]

Some IP addresses are disabled so that they cannot be assigned to clients.

Step 4 (Optional) Run:
static-bind ip-address ip-address mac-address mac-address

Certain IP-MAC addresses are statically bound.

----End

Follow-up Procedure
Some clients need fixed IP addresses bound to their MAC addresses. When a client with such a
MAC address uses DHCPv4 to apply for an IP address, the DHCPv4 server looks up the fixed IP
address bound to that MAC address and assigns it to the client.
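As an added example (not Huawei code), the following Python models how a local address pool resolves a request once excluded addresses and static IP-MAC bindings exist: the static binding wins, a client that is still online keeps its address, and dynamic assignment never hands out an excluded or statically bound address. The class, its first-fit allocation order and its MAC normalisation are assumptions made for the example, not the router's algorithm.

```python
# Added example, not Huawei code: precedence of excluded addresses and
# static IP-MAC bindings over dynamic assignment in a local address pool.
import ipaddress


def _addr_range(start, end=None):
    """Inclusive range of integer addresses, like 'section <n> <start> [<end>]'."""
    lo = int(ipaddress.IPv4Address(start))
    hi = int(ipaddress.IPv4Address(end)) if end else lo
    return range(lo, hi + 1)


class LocalPool:
    def __init__(self, sections):
        self.sections = [_addr_range(s, e) for s, e in sections]
        self.excluded = set()     # addresses removed with excluded-ip-address
        self.static = {}          # static-bind: mac -> int address
        self.leases = {}          # dynamic addresses of online clients: mac -> int address

    def _in_pool(self, addr):
        return any(addr in r for r in self.sections)

    def exclude(self, start, end=None):
        self.excluded.update(_addr_range(start, end))

    def static_bind(self, ip, mac):
        addr = int(ipaddress.IPv4Address(ip))
        if not self._in_pool(addr):
            raise ValueError(f"{ip} is not in any section of the pool")
        if addr in self.excluded:
            raise ValueError(f"{ip} is excluded from assignment")
        if addr in self.static.values() or addr in self.leases.values():
            raise ValueError(f"{ip} is already bound or leased")
        self.static[mac.lower()] = addr

    def request(self, mac):
        """Address offered to the client, or None when nothing is free."""
        mac = mac.lower()
        if mac in self.static:                     # fixed address always wins
            return str(ipaddress.IPv4Address(self.static[mac]))
        if mac in self.leases:                     # client is still online: same address
            return str(ipaddress.IPv4Address(self.leases[mac]))
        unavailable = self.excluded | set(self.static.values()) | set(self.leases.values())
        for section in self.sections:              # first-fit (assumption for the example)
            for addr in section:
                if addr not in unavailable:
                    self.leases[mac] = addr
                    return str(ipaddress.IPv4Address(addr))
        return None

    def release(self, mac):
        """Client goes offline; its dynamic address returns to the pool."""
        self.leases.pop(mac.lower(), None)
```

With a four-address section, one excluded address and one static binding, only two addresses remain for dynamic clients; a third dynamic client gets None until one of the first two goes offline.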

2.3.4 (Optional) Configuring DNS Services for the DHCPv4 Client


You can configure DNS server parameters for the DHCPv4 client so that the client obtains DNS
services automatically. Users can then use easy-to-remember domain names rather than
complicated IP addresses.

Context
NOTE

The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.

Do as follows on the DHCPv4 server that provides DNS services for the DHCPv4 clients:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip pool pool-name [ bas { local | remote } | server ]

An IP address pool is created and the IP address pool view is displayed.


Step 3 Run:
dns-suffix suffix-name

The DNS suffix of the IP address pool is configured.

NOTE

This command is valid for only the local address pool and server address pool.

Step 4 Run:
dns-server ip-address &<1-8>

The IP address of the DNS server of the address pool is configured.

----End

Follow-up Procedure
On the DHCPv4 server, designate a DNS suffix for each address pool used to assign IP addresses
to clients.
When a host accesses the Internet using a name with that DNS suffix, the DNS server resolves the
name into an IP address. Therefore, to ensure that the client can access the Internet, the DHCPv4
server also needs to give the client the DNS server address when it assigns IP addresses.
To improve network reliability, you can configure several DNS servers.

2.3.5 (Optional) Configuring NetBIOS Services for the DHCPv4 Client

You can configure NetBIOS services for the DHCPv4 client to enable users to obtain NetBIOS
services automatically. Then, users can use easy-to-memorize host names rather than
complicated IP addresses.

Context
NOTE

The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.

Do as follows on the router that provides NetBIOS services for the DHCPv4 clients:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip pool pool-name [ bas { local | remote } | server ]

An address pool is created and the address pool view is displayed.

Step 3 Run:
netbios-name-server ip-address &<1-8>

The IP address of the NetBIOS server of the DHCPv4 client is configured.

Step 4 Run:
netbios-type { b-node | h-node | m-node | p-node }

The NetBIOS node type of the DHCPv4 client is configured.

By default, the node type of the DHCPv4 client is not specified.

----End

Follow-up Procedure
For clients running a Microsoft operating system, a Windows Internet Naming Service (WINS)
server resolves host names to IP addresses for hosts that communicate using the NetBIOS
protocol. Most Windows clients need to be configured with a WINS server.

When a DHCPv4 client communicates across a WAN using the NetBIOS protocol, a mapping
between the host name and the IP address must be set up. The types of NetBIOS nodes, which
differ in how they obtain mappings, are as follows:

l Type b nodes (b-node): "b" stands for broadcast. Type b nodes obtain the mapping by
broadcasting.
l Type h nodes (h-node): "h" stands for hybrid. Type h nodes are type b nodes that also have
the peer-to-peer communication mechanism.
l Type m nodes (m-node): "m" stands for mixed. Type m nodes are type p nodes that also have
some of the broadcast features.
l Type p nodes (p-node): "p" stands for peer-to-peer. Type p nodes obtain the mapping by
communicating with NetBIOS name servers.

2.3.6 (Optional) Configuring SIP Services for the DHCPv4 Client


You can configure SIP services for the DHCPv4 client to implement multimedia
communications such as multimedia conferences, Internet telephony, distance education, and
remote medical treatment.

Context
NOTE

BAS-side address pools cannot be configured on the X1 or X2 models of the NE80E/40E.

Do as follows on the router that provides SIP services for the DHCPv4 clients:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip pool pool-name [ bas local | server ]

An address pool is created and the address pool view is displayed.


Step 3 (Optional) Run:
sip-server { { ip-address ip-address } &<1~2> | { list server-name } &<1~2> }

The IP address or name of the SIP server is specified.


By default, no SIP server is specified.

----End

2.3.7 (Optional) Configuring DHCPv4 Self-Defined Options


You can configure DHCPv4 self-defined options to provide more control information and
parameters for the clients.

Context
NOTE

The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.

Do as follows on the router that functions as a DHCPv4 server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip pool pool-name [ bas local | server ]

An IP address pool is created and the IP address pool view is displayed.


Step 3 Run:
option code { ip ip-address | string string }

A DHCPv4 option is configured.

----End

Follow-up Procedure
The Option field in DHCPv4 packets carries control information and parameters that are not
defined in common protocols. If the DHCPv4 server is configured with an option, the DHCPv4
client obtains the configuration information carried in the Option field of DHCPv4 response
packets.

You need to add the options to the attribute list of the DHCPv4 server. For example:

l To set the IP address of a log server to 10.110.204.1, run the option 7 ip 10.110.204.1
command.
l To set the Option 129 field to the string "huawei", run the option 129 string huawei
command.
NOTE

The values of common options, such as those for the DNS server or the lease, are fixed. The common
option codes include 3, 6, 15, 44, 46, 50 to 54, and 57 to 59. If you try to reset one of these values, the
system prompts that resetting the value is not allowed.
The option command enables DHCPv4 response packets to carry specific options.
Before using this command, you need to know the function of each option. Option 77 identifies the client
type or application of a DHCPv4 client. Based on the User Class carried in the Option field, the DHCPv4
server selects a proper address pool and configuration parameters. Option 77 is usually configured on the
client.

2.3.8 (Optional) Configuring Address Protection


Address protection is implemented in special circumstances by locking an IP address pool,
excluding an IP address or an IP address segment, setting a conflict flag, or reclaiming an IP
address.

Context
NOTE

The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.

Methods of protecting addresses in an address pool are as follows:

l Locking the IP address pool


You can lock an IP address pool by running commands. When an IP address pool is locked,
IP addresses in the address pool cannot be assigned to users.
This method is usually used when the address pool needs to be deleted but there are users
using IP addresses in the address pool. If you lock the address pool, no more IP addresses
will be assigned. After all users log out and the occupied IP addresses are released, you can
delete the address pool.
l Excluding IP addresses
You can use this method on a network where some addresses in the pool range are assigned statically, so that the DHCPv4 server never offers them.
l Reclaiming IP addresses
If an IP address in the address pool is in the Occupied state but no user is actually using it, you can reclaim the IP address by running the related command.

Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip pool pool-name [ server ]

An IP address pool is created and the IP address pool view is displayed.


Step 3 Run:
lock

The address pool is locked.


Or run:
excluded-ip-address start-ip-address [ end-ip-address ]

An IP address or an address segment is excluded.

NOTE

This command is required when you configure static IP addresses.

Or run:
recycle start-ip-address [ end-ip-address ]

An IP address or an address segment is reclaimed.

----End

2.3.9 Checking the Configuration


After configuring IP address pools, you can view the configurations of all IP address pools or a
specified IP address pool.

Prerequisite
All configurations of the IP address pool are complete.

Procedure
l Run the display ip pool [ name pool-name [ section-num [ start-ip-address [ end-ip-address ] ] | all | used ] ] [ vpn-instance instance-name ] command to check the configuration of the IP address pool.
----End

Example
Run the display ip pool command, and you can view information about all the address pools
configured in the system.
<HUAWEI> display ip pool
-----------------------------------------------------------------------
Pool-Name : test
Pool-No : 1
Position : Local Status : Unlocked
Gateway : 89.0.0.1 Mask : 255.0.0.0
Vpn instance : --
-----------------------------------------------------------------------
Pool-Name : test1
Pool-No : 6
Position : Local Status : Unlocked
Gateway : 40.50.60.1 Mask : 255.255.255.0
Vpn instance : --
IP address pool Statistic
Local :2 Remote :0 Relay :0
IP address Statistic
Total :51695
Used :0 Free :51695
Conflicted :0 Disable :0

Run the display ip pool [ name pool-name [ section-num [ start-ip-address [ end-ip-address ] ] | all | used ] ] [ vpn-instance instance-name ] command, and you can view detailed information about the specified address pool.
<HUAWEI> display ip pool name huawei
Pool-Name : huawei
Pool-No : 0
Lease : 3 Days 0 Hours 0 Minutes
NetBois Type : N-Node
DNS-Suffix : -
DNS1 :10.10.10.1
Position : Local Status : Unlocked
Gateway : 10.10.10.2 Mask : 255.255.255.0
Vpn instance : --
Profile-Name : - Server-Name : -
Codes: CFLCT(conflicted)
---------------------------------------------------------------------------------------
ID start end total used idle CFLCT disable reserved static-bind
---------------------------------------------------------------------------------------
0 10.10.10.3 10.10.10.100 98 0 98 0 0 0 0
---------------------------------------------------------------------------------------

2.4 Configuring a DHCPv4 Server Group


A DHCPv4 server group is required only when a remote address pool is used to assign IP
addresses to users that use a BAS interface for access.

Context
NOTE

DHCPv4 server groups cannot be configured on the X1 or X2 models of the NE80E/40E.

2.4.1 Establishing the Configuration Task


Before configuring a DHCPv4 server group, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
The NE80E/40E can be used as a DHCPv4 server to assign IP addresses to users. A remote
DHCPv4 server can also be used with the NE80E/40E functioning as a DHCPv4 relay agent to
assign IP addresses to users.
When IP addresses are allocated by a remote DHCPv4 server, as shown in Figure 2-4, you need
to configure the IP address of the remote DHCPv4 server on the NE80E/40E. This allows the
NE80E/40E to communicate with the DHCPv4 server. The NE80E/40E manages DHCPv4
servers by using DHCPv4 server groups.

NOTE

A DHCPv4 server group is required only when the remote address pool is used to assign IP addresses to
BAS-side users.

Pre-configuration Tasks
None.

Data Preparation
To configure a DHCPv4 server group, you need the following data.

No. Data

1 Name of the DHCPv4 server group

2 IP addresses, VPN instances, and weights of the primary and secondary DHCPv4 servers

3 (Optional) Status of the DHCPv4 release agent function (enabled or disabled)

2.4.2 Creating a DHCPv4 Server Group


DHCPv4 servers can work in either load balancing or master/backup mode.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp-server group group-name

A DHCPv4 server group is created and the DHCPv4 server group view is displayed.
Step 3 Run:
dhcp-server ip-address [ vpn-instance vpn-instance ] [ weight weight-value ]

The DHCPv4 servers are configured.


A primary DHCPv4 server and a secondary DHCPv4 server can be configured in a DHCPv4
server group.
Step 4 (Optional) Run:
dhcp-server algorithm { loading-share | master-backup | polling }

The algorithm for selecting DHCPv4 servers is set.


When there are two servers in a DHCPv4 server group, you can choose one of the following algorithms for selecting the DHCPv4 server: load balancing, master/backup, or polling.
l Load balancing: The NE80E/40E distributes requests across the servers according to their weights.
l Master/backup: The NE80E/40E uses one server as the master server and the other as the backup server.
l Polling: The NE80E/40E sends request packets to all servers and selects the server whose reply arrives first. Subsequent packets are sent only to the selected server, except the Discover and Select packets.
By default, the algorithm for selecting DHCPv4 servers is master/backup.
Step 5 (Optional) Run:
release-agent

The DHCPv4 release agent function is configured.


By default, the DHCPv4 release agent function is enabled.
With the DHCPv4 release agent function, the NE80E/40E, instead of the user, sends a DHCPv4
release packet to the DHCPv4 server when the user goes offline.

----End
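
The three selection algorithms described above, modelled as an added example (not code from the Huawei guide or the NE80E/40E software): a group holding a primary and a secondary server, with the weighted distribution of load balancing, the failover of master/backup, and the first-reply selection of polling. The server addresses, weights and up/down states are constructed.

```python
"""Added example, not from the Huawei guide: the server selection that
`dhcp-server algorithm { loading-share | master-backup | polling }` describes
for a group holding a primary and a secondary server. Addresses, weights and
the up/down states are constructed."""


class DhcpServerGroup:
    """A DHCPv4 server group with one primary and one secondary server."""

    def __init__(self, primary, secondary, algorithm="master-backup"):
        # servers are (ip, weight) pairs; master-backup is the guide's default
        self.servers = [primary, secondary]
        self.up = {primary[0]: True, secondary[0]: True}
        self.algorithm = algorithm
        self.selected = None      # polling: the server whose reply arrived first
        self._turn = 0            # loading-share: position in the weighted cycle

    def mark(self, ip, up):
        """Record a server state change; losing the polling winner forces a re-poll."""
        self.up[ip] = up
        if not up and self.selected == ip:
            self.selected = None

    def _live(self):
        return [(ip, w) for ip, w in self.servers if self.up[ip]]

    def targets_for_discover(self):
        """Servers that a Discover (or Select) packet is sent to."""
        live = self._live()
        if not live:
            return []
        if self.algorithm == "polling":
            return [ip for ip, _ in live]                # send to all; first reply wins
        if self.algorithm == "master-backup":
            return [live[0][0]]                          # primary while it is up, else secondary
        if self.algorithm == "loading-share":
            weights = [max(w, 1) for _, w in live]       # weight 0 still gets one slot
            slot = self._turn % sum(weights)             # deterministic weighted round robin
            self._turn += 1
            for (ip, _), w in zip(live, weights):
                if slot < w:
                    return [ip]
                slot -= w
        raise ValueError(f"unknown algorithm {self.algorithm!r}")

    def record_first_reply(self, ip):
        """Polling: remember which server answered first."""
        if self.algorithm == "polling" and self.selected is None and self.up.get(ip):
            self.selected = ip

    def target_for_follow_up(self):
        """Server for the later packets of the exchange (Request, Renew, Release)."""
        if self.algorithm == "polling" and self.selected:
            return self.selected
        targets = self.targets_for_discover()
        return targets[0] if targets else None


if __name__ == "__main__":
    group = DhcpServerGroup(("10.1.1.1", 3), ("10.1.1.2", 1), "loading-share")
    print([group.targets_for_discover()[0] for _ in range(8)])
```

With weights 3 and 1 the loading-share cycle sends six of every eight Discover packets to the primary; the master/backup group only moves to the secondary when the primary is marked down, and a polling group falls back to re-polling both servers once its chosen server fails.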

2.4.3 Associating the IP Address Pool and the DHCPv4 Server Group


Only the remote IP address pool needs to be associated with the DHCPv4 server group.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip pool pool-name bas remote

The remote address pool view is displayed.


Step 3 Run:
dhcp-server group group-name

The address pool is associated with a DHCPv4 server group.

----End

2.4.4 Checking the Configuration


After configuring DHCPv4 server groups, you can view the configurations of all DHCPv4 server
groups.

Prerequisite
The configurations of the DHCPv4 server groups are complete.

Procedure
l Run the display dhcp-server group [ group-name ] command to check the configuration
of the DHCPv4 server group.

----End

Example
Run the display dhcp-server group command, and you can view information about all DHCPv4
server groups.
<HUAWEI> display dhcp-server group
Group-Name : remote
Release-Agent : Support
Primary-Server : -
Vpn instance : --
Weight : 0
Status : -
Secondary-Server : -
Vpn instance : --
Weight : 0
Status : -
Algorithm : master-backup
Source : --
Giaddr : --
Group-Name : g1
Release-Agent : Support
Primary-Server : -
Vpn instance : --
Weight : 0
Status : -
Secondary-Server : -
Vpn instance : --
Weight : 0
Status : -
Algorithm : master-backup
Source : --
Giaddr : --
2 DHCP server group(s) in total

2.5 Configuring DHCPv4 Relay


When a client and a DHCPv4 server reside on different network segments, a DHCPv4 relay agent must be configured to forward DHCPv4 packets between the client and the server so that the client can obtain the address the server assigns.

2.5.1 Establishing the Configuration Task


Before configuring DHCPv4 relay, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
If no DHCPv4 server is available on the network segment of the clients, DHCPv4 relay can be enabled on a device on that segment. The relay agent then forwards the DHCPv4 requests from the clients to the DHCPv4 server, as shown in Figure 2-2.
NOTE

There must be no more than four relay agents between the DHCPv4 server and the client; otherwise, DHCPv4 packets are discarded.

Pre-configuration Tasks
Before configuring DHCPv4 relay, complete the following tasks:
l Configuring a DHCPv4 server
l Configuring the interface where DHCPv4 relay needs to be enabled
l Configuring the routes from the relay agent to the DHCPv4 server

Data Preparation
To configure DHCPv4 relay, you need the following data.

No. Data

1 IP address of the DHCPv4 server

2 Number of the interface where DHCPv4 relay needs to be enabled

3 Number of the VLAN where DHCPv4 relay needs to be enabled

4 (Optional) IP address to be released and MAC address bound to the IP address

5 (Optional) Code of the DHCP option

6 IP address of the relay agent

2.5.2 Configuring Relay


You can configure DHCPv4 relay by enabling DHCPv4 relay, configuring the IP address of the
DHCPv4 server, and enabling the DHCP server to assign IP addresses on different network
segments to clients of different types.

Context
When a client and a DHCPv4 server reside on different network segments, you can configure an interface to function as the DHCPv4 relay agent and specify the address of the DHCPv4 server to relay to. The relay agent then forwards the request packets from the client to the DHCPv4 server, and the client can be assigned an IP address.
You can configure relay in the interface view or system view.

NOTE

Because the DHCPv4 client may send broadcast packets during DHCPv4 configuration, the interface where DHCPv4 relay is enabled must be able to transmit broadcast packets. The IP address of the interface must be on the same network segment as the IP addresses in the address pool on the DHCPv4 server. Up to 20 DHCPv4 server addresses can be configured on an interface that relays packets to the DHCPv4 servers.

Do as follows on the router that functions as the DHCPv4 relay agent:

Procedure
l Configure DHCPv4 relay in the interface view.
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
ip address ip-address { mask | mask-length }
The primary IP address of the interface is configured.
4. Run:
dhcp select relay
DHCPv4 relay is enabled on the interface.
5. Run:
ip relay address ip-address [ dhcp-option { 60 [ option-text ] | code } ]
The IP address of the DHCPv4 server for which the interface functions as the relay
agent is configured.
6. Run:
ip relay giaddr ip-address [ dhcp-option { 60 [ option-text ] | code } ]
The DHCP option is associated with the IP address of the relay agent. This allows the
DHCP server to assign the IP addresses on different network segments to the clients
of different types.
l Configure DHCPv4 relay in the system view.
1. Run:
system-view
The system view is displayed.
2. Run:
ip relay address ip-address { all | interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] | interface interface-type interface-number | vlan vlan-id }

The IP addresses of the DHCPv4 servers for which multiple interfaces function as the relay agent are configured.
----End
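
An added example, not from the Huawei guide, covering two of the passages above: the option TLVs that the option code { ip ip-address | string string } command in 2.3.7 adds to server responses (rejecting the fixed codes listed in that section's NOTE), and what a relay agent does with the hops field, giaddr and Option 60 on a client's Discover packet before forwarding it, as 2.5.2 describes. The MAC address, the IP addresses and the Option 60 to giaddr mapping are constructed; the limit of four relay agents follows the NOTE in 2.5.1.

```python
"""Added example, not from the Huawei guide: the option TLVs that
`option code { ip ip-address | string string }` (2.3.7) produces, with the
fixed codes the guide lists rejected, and the relay-agent handling of hops,
giaddr and Option 60 described in 2.5.2. Addresses, MACs and the Option 60 to
giaddr mapping are constructed for the example."""
import ipaddress
import struct

# Codes the guide says are fixed and cannot be re-set with `option`.
RESERVED_CODES = {3, 6, 15, 44, 46, *range(50, 55), *range(57, 60)}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
MAX_RELAY_AGENTS = 4            # the guide: at most four relay agents on the path

# Constructed equivalent of two `ip relay giaddr <addr> dhcp-option 60 <text>`
# lines: the vendor class the client sends selects the giaddr the server sees.
GIADDR_BY_VENDOR_CLASS = {b"STB": "10.2.0.1", b"PC": "10.1.0.1"}
RELAY_INTERFACE_ADDR = "10.1.0.1"   # fallback: the relay interface's own address


def encode_option(code, kind, value):
    """TLV-encode one option; `kind` is "ip" or "string", like the CLI keywords."""
    if not 1 <= code <= 254:
        raise ValueError("option code must be between 1 and 254")
    if code in RESERVED_CODES:
        raise ValueError(f"option {code} is a fixed option; re-setting it is not allowed")
    if kind == "ip":
        payload = ipaddress.IPv4Address(value).packed
    elif kind == "string":
        payload = value.encode("ascii")
    else:
        raise ValueError("kind must be 'ip' or 'string'")
    if len(payload) > 255:
        raise ValueError("option payload exceeds 255 bytes")
    return bytes([code, len(payload)]) + payload


def decode_options(area):
    """Parse an options area (the bytes after the magic cookie) into {code: bytes}."""
    opts, i = {}, 0
    while i < len(area):
        code = area[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = area[i + 1]
        opts[code] = bytes(area[i + 2:i + 2 + length])
        i += 2 + length
    return opts


def build_discover(xid, mac, vendor_class=None, hops=0):
    """Construct a minimal client DHCPDISCOVER (constructed test input, not a capture)."""
    zero4 = b"\x00" * 4
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, hops, xid, 0, 0x8000,        # BOOTREQUEST, Ethernet, broadcast flag
                         zero4, zero4, zero4, zero4,           # ciaddr, yiaddr, siaddr, giaddr
                         mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = bytes([53, 1, 1])                                # message type: DISCOVER
    if vendor_class is not None:
        options += encode_option(60, "string", vendor_class)
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def relay_request(packet, giaddr_map=GIADDR_BY_VENDOR_CLASS, own_addr=RELAY_INTERFACE_ADDR):
    """Return the packet as this relay agent forwards it to the server, or None if dropped."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        return None                                            # not a DHCPv4 packet
    hops = packet[3]
    if hops >= MAX_RELAY_AGENTS:
        return None                                            # too many relay agents: discard
    giaddr = packet[24:28]
    if giaddr == b"\x00" * 4:                                  # only the first relay sets giaddr
        vendor_class = decode_options(packet[240:]).get(60)
        giaddr = ipaddress.IPv4Address(giaddr_map.get(vendor_class, own_addr)).packed
    return packet[:3] + bytes([hops + 1]) + packet[4:24] + giaddr + packet[28:]


if __name__ == "__main__":
    print(decode_options(encode_option(7, "ip", "10.110.204.1")
                         + encode_option(129, "string", "huawei") + bytes([OPT_END])))
    relayed = relay_request(build_discover(0x1234, bytes.fromhex("001122334455"), "STB"))
    print(relayed[3], ipaddress.IPv4Address(relayed[24:28]))
```

relay_request sets giaddr only while it is still zero, so on a path with several relay agents the server sees the first agent's address and chooses the pool for that segment; this is the behaviour the ip relay giaddr ... dhcp-option 60 step relies on. A Discover that already carries the maximum hop count is discarded rather than forwarded.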

2.5.3 Checking the Configuration


After configuring DHCPv4 relay, you can view information about the DHCPv4 relay
configurations and statistics.

Prerequisite
All configurations of the DHCPv4 relay are complete.

Procedure
l Run the display dhcp relay statistics command to check statistics on DHCPv4 relay.
l Run the display dhcp relay address { all | interface interface-type interface-number |
vlan vlan-id } command to check the DHCPv4 configuration of the interface enabled with
DHCPv4 relay.
----End

Example
Run the display dhcp relay address command, and you can view the DHCPv4 configurations
of all interfaces.
<HUAWEI> display dhcp relay address all
** GigabitEthernet0/0/0 DHCP Relay Address **
Dhcp Option Relay Agent IP Server IP
* - 10.10.1.2

** GigabitEthernet2/0/0 DHCP Relay Address **
Dhcp Option Relay Agent IP Server IP
* - 10.10.1.2

** GigabitEthernet2/0/0.100 DHCP Relay Address **
Dhcp Option Relay Agent IP Server IP
* - 10.10.1.2

** GigabitEthernet2/0/1 DHCP Relay Address **
Dhcp Option Relay Agent IP Server IP
* - 10.10.1.2

Run the display dhcp relay statistics command. If statistics on DHCPv4 relay, such as the
number of incorrect DHCPv4 packets and the number of various DHCPv4 packets, are displayed,
it means that the configuration succeeds.
<HUAWEI> display dhcp relay statistics
Bad Packets received: 0
DHCPv4 packets received from clients: 2
DHCPv4 DISCOVER packets received: 1
DHCPv4 REQUEST packets received: 1
DHCPv4 INFORM packets received: 0
DHCPv4 DECLINE packets received: 0
DHCPv4 packets received from servers: 2
DHCPv4 OFFER packets received: 1
DHCPv4 ACK packets received: 1
DHCPv4 NAK packets received: 0
DHCPv4 packets sent to servers: 1
DHCPv4 packets sent to clients: 1
Unicast packets sent to clients: 0
Broadcast packets sent to clients: 0

2.6 Adjusting DHCPv4 Service Parameters


You can adjust DHCPv4 service parameters to enhance the security of the DHCPv4 service.

2.6.1 Establishing the Configuration Task


Before adjusting DHCPv4 parameters, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
After configuring a DHCPv4 server, you need to configure the security function of the DHCPv4
service. This enhances security of the DHCPv4 service and prevents other unauthorized
DHCPv4 servers from assigning invalid IP addresses to clients. By viewing logs, the
administrator determines whether there are unauthorized DHCPv4 servers assigning invalid IP
addresses to clients.

Pre-configuration Tasks
Before adjusting DHCPv4 parameters, complete the following task:

l Configuring a DHCPv4 server

Data Preparation
To adjust DHCPv4 parameters, you need the following data.

No. Data

1 Maximum number of DHCPv4 users that are allowed to access a specified board

2 IP address of the DHCPv4 server

3 Number of packets that are allowed to be sent in a specified time period

4 Status of the function of detecting unauthorized DHCPv4 servers (enabled or disabled) and the detection interval if the function is enabled

5 Interval at which ping packets are sent and number of ping packets

6 Interval at which DHCPv4 data is saved

2.6.2 Configuring Global DHCPv4 Parameters


Global DHCPv4 parameters include the maximum number of DHCPv4 access users allowed for
a specified board and the limit on the packet transmission rate of a DHCPv4 server group.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp slot-id max-sessions user-number

The maximum number of DHCPv4 access users allowed for a specified board is set.
By default, the maximum number of DHCPv4 access users allowed for a specified board is
determined by the license file.
Step 3 Run:
dhcp-server ip-address [ vpn-instance vpn-instance ] send-discover-speed packet-number time

The limit on the packet transmission rate of a DHCPv4 server group is set.
By default, the packet transmission rate of a DHCPv4 server group is not limited.

----End

2.6.3 Configuring Transparent Transmission of DHCPv4 Packets


You need to configure transparent transmission of DHCPv4 packets when STB users send only
one DHCPv4 Discover packet after they restart.

Context
When a user shuts down the STB and then restarts it immediately, the NE80E/40E cannot detect
that the user goes offline and retains the user entry. When receiving the DHCPv4 Discover packet
that the STB sends after restart, the NE80E/40E forces the user to go offline and waits until the
user sends a DHCPv4 Discover packet to obtain the address through DHCPv4.
Some STBs, however, send only one DHCPv4 Discover packet after they restart. In this case,
the users cannot go online after shutting down their STBs.
You can configure the function of transparently transmitting DHCPv4 packets to solve this
problem. Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp through-packet

The function of transparently transmitting DHCPv4 packets is configured.

By default, the device does not transparently transmit DHCPv4 packets.

----End

2.6.4 Enabling a DHCPv4 Server to Detect Unauthorized DHCPv4 Servers


Enabling a DHCPv4 server to detect unauthorized DHCPv4 servers helps prevent unauthorized DHCPv4 servers from allocating invalid IP addresses to clients.

Context
If a private DHCPv4 server exists on the network, clients cannot obtain correct IP addresses and
thus cannot log in to the network because this private DHCPv4 server will interact with the
DHCPv4 clients during address application. Such a private DHCPv4 server is an unauthorized
DHCPv4 server.
The logs contain IP addresses of all the DHCPv4 servers that allocate IP addresses to clients.
By viewing these logs, the administrator can determine whether an unauthorized DHCPv4 server
exists.
Do as follows on the NE80E/40E that functions as a DHCPv4 server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp server detect

The DHCPv4 server is enabled to detect unauthorized DHCPv4 servers.


By default, this function is disabled.

NOTE

This function can be configured on only network-side devices.

Step 3 Run:
dhcp invalid-server-detecting [ interval ]

The interval at which unauthorized DHCPv4 servers are detected is configured.


If the interval at which unauthorized DHCPv4 servers are detected is 0, the NE80E/40E does
not detect unauthorized DHCPv4 servers.

NOTE

You can perform this function on only the devices at the BAS side.

----End
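
The section above leaves the review of the logs to the administrator. The following added example (not the router's own log format or code) performs that review as a script over constructed log records: an assignment is flagged when the server that made it is not in the configured server set, or when the assigned address lies outside the configured pool section. The log line format, the authorized server set and the pool range are assumptions made for the example.

```python
"""Added example, not from the Huawei guide: the review the guide leaves to the
administrator after `dhcp server detect`, done over log records. The log format,
the authorized server set and the pool range below are constructed for the
example; the router's real log format is not reproduced here."""
import re
from ipaddress import IPv4Address

# Constructed records: one per address assignment, naming the server that made it.
SAMPLE_LOG = """\
2011-09-10 10:00:01 DHCP: client 0011-2233-4455 assigned 10.10.10.7 by server 10.10.10.2
2011-09-10 10:00:03 DHCP: client 0011-2233-4466 assigned 10.10.10.8 by server 10.10.10.2
2011-09-10 10:00:09 DHCP: client 0011-2233-4477 assigned 192.168.1.50 by server 10.10.10.250
2011-09-10 10:00:12 DHCP: client 0011-2233-4488 assigned 10.10.10.200 by server 10.10.10.2
"""
RECORD = re.compile(
    r"client (?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}) assigned "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) by server (?P<server>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed: the NE80E/40E's own pool gateway plus one configured remote server.
AUTHORIZED_SERVERS = {"10.10.10.2", "192.168.100.5"}
POOL_SECTIONS = [("10.10.10.3", "10.10.10.100")]   # as `section 0 10.10.10.3 10.10.10.100`


def in_pool(ip, sections=POOL_SECTIONS):
    """True if `ip` falls inside one of the configured pool sections."""
    addr = IPv4Address(ip)
    return any(IPv4Address(lo) <= addr <= IPv4Address(hi) for lo, hi in sections)


def audit_assignments(log_text, authorized=AUTHORIZED_SERVERS, sections=POOL_SECTIONS):
    """Return one finding per assignment that an authorized server would not have made."""
    findings = []
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue                      # unrelated log line
        reasons = []
        if m["server"] not in authorized:
            reasons.append("server not in the configured server set")
        if not in_pool(m["ip"], sections):
            reasons.append("address outside the configured pool sections")
        if reasons:
            findings.append({"mac": m["mac"], "ip": m["ip"],
                             "server": m["server"], "reasons": reasons})
    return findings


def unauthorized_servers(findings, authorized=AUTHORIZED_SERVERS):
    """Distinct server addresses in the findings that are not authorized."""
    return sorted({f["server"] for f in findings} - set(authorized))


if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE_LOG):
        print(finding)
    print("unauthorized servers:", unauthorized_servers(audit_assignments(SAMPLE_LOG)))
```

The second check matters even when the server address looks right: an address outside every configured section, apparently assigned by the legitimate server, points at a device spoofing that server's address rather than at a misconfigured pool.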

2.6.5 Enabling the Detection of an IP Address Conflict


The DHCPv4 server sends ping packets to detect the usage of an IP address to prevent an IP
address conflict.

Context
Before assigning an IP address to a client, the DHCPv4 server needs to detect whether the IP
address is used by another client. This prevents an IP address conflict.

NOTE

Detection of an IP address conflict can be configured on only network-side devices.

Do as follows on the NE80E/40E that functions as a DHCPv4 server:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp server ping timeout milliseconds

The longest time for the DHCPv4 server to wait for a ping response is configured.
Step 3 Run:
dhcp server ping packets number

The maximum number of ping packets sent by the DHCPv4 server is configured.
By default, a maximum of two ping packets are sent and the DHCPv4 server waits for at most
500 ms for a ping response.

----End

Follow-up Procedure
The ping check verifies whether the IP address about to be assigned to a client answers within the configured time. If there is no response within that time, the DHCPv4 server re-sends a ping packet to the IP address until the allowed maximum number of ping packets is sent. If there is still no response, the DHCPv4 server considers the IP address unused and assigns it. This ensures that the address assigned to the client is not already in use.
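
An added example, not from the Huawei guide, covering 2.3.8 and 2.6.5 together: a model of one pool section with the lock, excluded-ip-address and recycle operations, and an allocator that probes each candidate address up to the configured number of ping packets before assigning it, marking any address that answers as conflicted (the CFLCT column of display ip pool). The probe function is injected so the example runs offline; the pool range and client identifiers are constructed.

```python
"""Added example, not from the Huawei guide: a model of a local address pool
with the protection operations of 2.3.8 (lock, excluded-ip-address, recycle)
and the ping-based conflict check of 2.6.5 (`dhcp server ping packets` and
`dhcp server ping timeout`, defaults 2 and 500 ms). The probe is injected so
the example runs offline; the pool range and client identifiers are constructed."""
from ipaddress import IPv4Address


class AddressPool:
    """One section of a local pool plus the counters `display ip pool` reports."""

    def __init__(self, start, end, gateway, ping_packets=2, ping_timeout_ms=500):
        self.start, self.end = int(IPv4Address(start)), int(IPv4Address(end))
        self.gateway = IPv4Address(gateway)
        self.locked = False
        self.excluded = set()            # excluded-ip-address: the "disable" column
        self.used = {}                   # ip -> client id: the "used" column
        self.conflicted = set()          # a probe answered: the "CFLCT" column
        self.ping_packets, self.ping_timeout_ms = ping_packets, ping_timeout_ms
        if self.start <= int(self.gateway) <= self.end:
            self.excluded.add(self.gateway)   # never hand out the gateway itself

    @staticmethod
    def _range(start, end=None):
        lo, hi = int(IPv4Address(start)), int(IPv4Address(end or start))
        return (IPv4Address(i) for i in range(lo, hi + 1))

    def lock(self):
        """`lock`: stop assigning so the pool can be deleted once users log out."""
        self.locked = True

    def exclude(self, start, end=None):
        """`excluded-ip-address`: keep statically configured addresses out of assignment."""
        self.excluded.update(self._range(start, end))

    def recycle(self, start, end=None):
        """`recycle`: return Occupied (or conflicted) addresses nobody uses to Free."""
        for ip in self._range(start, end):
            self.used.pop(ip, None)
            self.conflicted.discard(ip)

    def _answers_ping(self, ip, probe):
        """Send up to ping_packets probes; any reply means the address is in use."""
        return any(probe(str(ip), self.ping_timeout_ms) for _ in range(self.ping_packets))

    def allocate(self, client, probe=lambda ip, timeout_ms: False):
        """Assign the lowest free address that nothing else answers for, or None."""
        if self.locked:
            return None
        for i in range(self.start, self.end + 1):
            ip = IPv4Address(i)
            if ip in self.excluded or ip in self.used or ip in self.conflicted:
                continue
            if self._answers_ping(ip, probe):
                self.conflicted.add(ip)      # someone else has it: mark CFLCT, try the next
                continue
            self.used[ip] = client
            return str(ip)
        return None

    def release(self, client):
        """The user logs out (or the release agent sends DHCPRELEASE on its behalf)."""
        for ip, owner in list(self.used.items()):
            if owner == client:
                del self.used[ip]

    def stats(self):
        """The total/used/idle/CFLCT/disable counters of `display ip pool`."""
        total = self.end - self.start + 1
        used, cflct, disable = len(self.used), len(self.conflicted), len(self.excluded)
        return {"total": total, "used": used, "idle": total - used - cflct - disable,
                "CFLCT": cflct, "disable": disable}


if __name__ == "__main__":
    pool = AddressPool("10.10.10.3", "10.10.10.100", "10.10.10.2")
    pool.exclude("10.10.10.3", "10.10.10.4")
    print(pool.allocate("client-a", probe=lambda ip, t: ip == "10.10.10.5"), pool.stats())
```

A conflicted address stays out of assignment until it is explicitly recycled, which is why the Conflicted counter in display ip pool does not fall on its own; recycle also frees an Occupied address whose user has vanished without a release.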

2.6.6 Saving DHCPv4 Data


After DHCPv4 data is saved to the storage device, the data can be restored from the storage
device when the NE80E/40E fails.

Context
Do as follows on the NE80E/40E that functions as a DHCPv4 server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp server database enable

Saving DHCPv4 data to the hard disk is enabled.

Step 3 (Optional) Run:
dhcp server database write-delay seconds

The delay for saving the data is set.

By default, DHCPv4 data is not saved to the storage device. If the function is enabled, by default,
DHCPv4 data is saved to the storage device every 300s and the new data overwrites the previous
data.

----End

Follow-up Procedure
The NE80E/40E can save the current DHCPv4 data to the storage device and restore the data
from the storage device when the NE80E/40E fails.

DHCPv4 data is saved with a fixed file name on the storage device. Normally, the IP leasing
information is saved in the lease.txt file and the address conflict information is saved in the
conflict.txt file. Back up these two files to other directories because information in these files
is replaced regularly.

2.6.7 Restoring DHCPv4 Data


Information about the address lease and address conflict can be restored.

Context
Do as follows on the NE80E/40E that functions as a DHCPv4 server:

NOTE

Only the saved DHCP data can be restored.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp server database recover

DHCPv4 data is restored from the storage device.

----End

2.6.8 Checking the Configuration


After adjusting DHCPv4 parameters, you can view information about a DHCPv4 server and the
storage path of the DHCPv4 data.

Prerequisite
All the configurations for the adjustment of DHCPv4 parameters are complete.

Procedure
l Run the display dhcp-server item ip-address [ vpn-instance vpn-instance ] command to
check information about a DHCPv4 server.
l Run the display dhcp server database command to check the storage path and file
information of the DHCPv4 data.

----End

Example
Run the display dhcp-server item ip-address command, and you can view information about
a DHCPv4 server.
<HUAWEI> display dhcp-server item 1.2.3.4
IPAddress : 1.2.3.4
State : UP
Speed Limit : 0 packets / 0 seconds

Run the display dhcp server database command, and you can view the saved path of the
DHCPv4 data.
<HUAWEI> display dhcp server database
Status: disable
Recover from files after reboot: disable
File saving lease items: cfcard:/dhcp/lease.txt
File saving conflict items: cfcard:/dhcp/conflict.txt
Save Interval: 300 (seconds)

2.7 Maintaining DHCPv4


You can maintain DHCPv4 by clearing DHCPv4 statistics, monitoring DHCPv4 operation
status, and debugging DHCPv4.

2.7.1 Clearing DHCPv4 Statistics


You can clear DHCPv4 statistics by clearing the DHCPv4 relay statistics.

Context

CAUTION
DHCPv4 statistics cannot be restored after you clear them. Exercise caution when running the
commands.

Procedure
l Run the reset dhcp relay statistics command in the user view to clear the DHCPv4 relay
statistics.

----End

2.7.2 Monitoring DHCPv4 Operation Status


You can monitor the DHCPv4 operation status by checking the configurations of an IPv4 address
pool, a DHCPv4 server, and the path at which DHCPv4 data is saved and file information about
the data.

Prerequisite
In routine maintenance, you can run the following command in any view to check the DHCPv4
operation status.

Procedure
l Run the display ip pool [ name pool-name [ section-num [ start-ip-address [ end-ip-
address ] ] | all | used ] ] [ vpn-instance vpn-instance-name ] command to check the
configuration of the IP address pool.
l Run the display dhcp-server group [ group-name ] command to check the configuration
of the DHCPv4 server group.
l Run the display dhcp-server item ip-address [ vpn-instance vpn-instance ] command to
check information about a DHCPv4 server.
l Run the display dhcp-server statistics ip-address [ vpn-instance vpn-instance ] command
to check the statistics on a DHCPv4 server.
l Run the display dhcp server database command to check the path at which DHCPv4 data
is saved and file information.
l Run the display dhcp relay address { all | interface interface-type interface-number |
vlan vlan-id } [ | count ] [ | { begin | exclude | include } regular-expression ] command
to check configurations about interfaces where DHCPv4 relay is enabled.

----End

2.8 Configuration Examples


This section provides configuration examples of DHCPv4, including networking requirements,
configuration notes, and configuration roadmap.

Context
NOTE

Examples in this document use interface numbers and link types of the NE40E-X8. In real world situations,
the interface numbers and link types may be different from those used in this document.
In actual networking, the license needs to be loaded. For details, see the HUAWEI NetEngine80E/40E
Router Configuration Guide - System Management.

2.8.1 Example for Configuring Address Assignment Based on the Local Address Pool


This section provides an example for assigning IPv4 addresses from a local IP address pool,
including the networking requirements, configuration roadmap, configuration procedure, and
configuration files.

Networking Requirements
NOTE

Address assignment cannot be configured on the X1 or X2 models of the NE80E/40E.

As shown in Figure 2-5, it is required that a local address pool be configured to assign IP
addresses to access users and the following requirements be met:

l The local address pool is used to assign IP addresses to users in the domain isp1.
l The IP addresses in the address pool range from 10.10.10.3 to 10.10.10.100, and the
gateway address is 10.10.10.2.
l The IP address of the DNS server is 10.10.10.1
l Non-authentication and non-accounting are adopted by the user.

Figure 2-5 Networking diagram for address assignment based on the local address pool
(Figure not reproduced. Labels in the figure: subscriber@isp1, Switch, DHCP Server with interfaces GE1/0/0.1 and GE2/0/0, 10.1.1.1, Internet, DNS Server 10.10.10.1.)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the local address pool, including its gateway address, address range, and the IP
address of the DNS server.
2. Configure the domain isp1 to which the users belong, including the authentication mode
and the accounting mode.
3. Configure the BAS interface, including the user access mode.

Data Preparation
To complete the configuration, you need the following data:

l Name of the address pool, range of the addresses in the pool, and IP addresses of the gateway
and the DNS server
l Name of the user domain
l Authentication mode and accounting mode

Procedure
Step 1 Configure the DHCPv4 server.
# Configure an address pool.
<HUAWEI> system-view
[HUAWEI] ip pool pool1 bas local
[HUAWEI-ip-pool-pool1] gateway 10.10.10.2 255.255.255.0
[HUAWEI-ip-pool-pool1] section 0 10.10.10.3 10.10.10.100
[HUAWEI-ip-pool-pool1] dns-server 10.10.10.1
[HUAWEI-ip-pool-pool1] quit

# Configure a domain named isp1.


[HUAWEI] aaa
[HUAWEI-aaa] domain isp1
[HUAWEI-aaa-domain-isp1] authentication-scheme default0
[HUAWEI-aaa-domain-isp1] accounting-scheme default0
[HUAWEI-aaa-domain-isp1] ip-pool pool1
[HUAWEI-aaa-domain-isp1] quit
[HUAWEI-aaa] quit

# Configure a BAS interface.


[HUAWEI] interface gigabitEthernet 1/0/0.1
[HUAWEI-GigabitEthernet1/0/0.1] user-vlan 1
[HUAWEI-GigabitEthernet1/0/0.1-vlan-1-1] bas
[HUAWEI-GigabitEthernet1/0/0.1-bas] access-type layer2-subscriber
[HUAWEI-GigabitEthernet1/0/0.1-bas] authentication-method bind
[HUAWEI-GigabitEthernet1/0/0.1-bas] default-domain authentication isp1
[HUAWEI-GigabitEthernet1/0/0.1-bas] quit
[HUAWEI-GigabitEthernet1/0/0.1] quit

Step 2 Verify the configuration.


# Check the configuration of the local address pool pool1.
[HUAWEI] display ip pool name pool1

Pool-Name : pool1
Pool-No : 19
Lease : 3 Days 0 Hours 0 Minutes
NetBois Type : N-Node
DNS-Suffix : -,
DNS1 :10.10.10.1
Position : Local Status : Unlocked
Gateway : 10.10.10.2 Mask : 255.255.255.0
Vpn instance : --
Profile-Name : - Server-Name : -
Codes: CFLCT (conflicted)

----------------------------------------------------------------------------------
-----
ID start end total used idle CFLCT disable reserved static-
bind

----------------------------------------------------------------------------------
-----
0 10.10.10.3 10.10.10.100 98 0 98 0 0 0

----------------------------------------------------------------------------------
-----

# Check the configuration of the domain isp1.


[HUAWEI] display domain isp1
------------------------------------------------------------------------------
Domain-name : isp1
Domain-state : Active
Authentication-scheme-name : default0
Accounting-scheme-name : default0
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Web-server-URL-parameter : No
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time, flow) : 0,60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service :
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time (second) : 300
mscg-name-portal-key : -
Portal-user-first-url-key : -
Ancp auto qos adapt : Disable
Service-type : STB
RADIUS-server-template : -
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
IP-address-pool-name : pool1
Quota-out : Offline
------------------------------------------------------------------------------

----End

Configuration Files
Configuration file of HUAWEI
#
sysname HUAWEI
#
ip pool pool1 bas local
gateway 10.10.10.2 255.255.255.0
section 0 10.10.10.3 10.10.10.100
dns-server 10.10.10.1

#
aaa
authentication-scheme default0
#
accounting-scheme default0
#
domain isp1
authentication-scheme default0
accounting-scheme default0
ip-pool pool1
#
interface GigabitEthernet1/0/0.1
user-vlan 1
bas
#
access-type layer2-subscriber default-domain authentication isp1
authentication-method bind
#
return

2.8.2 Example for Configuring Address Assignment Based on the Remote Address Pool
This section provides an example for assigning IPv4 addresses from a remote IP address pool,
including the networking requirements, configuration roadmap, configuration procedure, and
configuration files.

Networking Requirements
NOTE

Address assignment based on the remote address pool cannot be configured on the X1 or X2 models of the
NE80E/40E.

As shown in Figure 2-6, it is required that a remote address pool be configured to assign IP
addresses to access users and the following requirements be met:
l The remote address pool is used to assign IP addresses to users in the domain isp2.
l The router, functioning as a relay agent, is connected to the DHCPv4 server through GE
3/0/0 whose IP address is 10.1.1.2/24.
l The IP address of the DHCPv4 server bound to the remote address pool is 10.1.1.1, and no
standby DHCPv4 server is deployed.
l Non-authentication and non-accounting are adopted by the user.

Figure 2-6 Networking diagram for address assignment based on the remote address pool
(Figure content: subscriber@isp2 - Access Network - Router with GE1/0/0.1, GE2/0/0 and GE3/0/0 10.1.1.2/24 - Internet; DHCP Server 10.1.1.1 reached through GE3/0/0)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a DHCPv4 server group and a remote address pool, and bind the address pool to the
DHCPv4 server group.
2. Configure the domain isp2 to which the user belongs, including the authentication mode
and the accounting mode.
3. Configure the BAS interface, including the user access mode.

Data Preparation
To complete the configuration, you need the following data:
l Name of the address pool
l IP address of the gateway
l Name of the user domain
l IP address of the interface that connects the router to the DHCPv4 server
l User access mode

Procedure
Step 1 Configure the router.
# Create a DHCPv4 server group.
<HUAWEI> system-view
[HUAWEI] dhcp-server group group1
[HUAWEI-dhcp-server-group-group1] dhcp-server 10.1.1.1
[HUAWEI-dhcp-server-group-group1] quit

# Create a remote address pool, and bind the pool to the DHCPv4 server group.
[HUAWEI] ip pool pool2 bas remote
[HUAWEI-ip-pool-pool2] gateway 10.10.10.1 24
[HUAWEI-ip-pool-pool2] dhcp-server group group1

[HUAWEI-ip-pool-pool2] quit

# Configure a domain named isp2.


[HUAWEI] aaa
[HUAWEI-aaa] domain isp2
[HUAWEI-aaa-domain-isp2] authentication-scheme default0
[HUAWEI-aaa-domain-isp2] accounting-scheme default0
[HUAWEI-aaa-domain-isp2] ip-pool pool2
[HUAWEI-aaa-domain-isp2] quit
[HUAWEI-aaa] quit

# Configure the router interface for user access.


[HUAWEI] interface gigabitEthernet1/0/0.1
[HUAWEI-GigabitEthernet1/0/0.1] user-vlan 1
[HUAWEI-GigabitEthernet1/0/0.1-vlan-1-1] bas
[HUAWEI-GigabitEthernet1/0/0.1-bas] access-type layer2-subscriber
[HUAWEI-GigabitEthernet1/0/0.1-bas] authentication-method bind
[HUAWEI-GigabitEthernet1/0/0.1-bas] default-domain authentication isp2
[HUAWEI-GigabitEthernet1/0/0.1-bas] quit
[HUAWEI-GigabitEthernet1/0/0.1] quit

# Configure the router interface to connect to the DHCPv4 server.


[HUAWEI] interface GigabitEthernet 3/0/0
[HUAWEI-GigabitEthernet3/0/0] ip address 10.1.1.2 255.255.255.0

Step 2 Verify the configuration.


# Check the configurations of the DHCPv4 server group group1.
[HUAWEI] display dhcp-server group group1

Group-Name : group1
Release-Agent : Support
Primary-Server : 10.1.1.1
Vpn instance : --
Weight : 0
Status : up
Secondary-Server : --
Vpn instance : --
Weight : 0
Status : up
Algorithm : master-backup
Source : --
Giaddr : --

# Check the configurations of the remote address pool pool2.


[HUAWEI] display ip pool name pool2

Pool-Name : pool2
Pool-No : 0
DHCP-Group : group1
Position : Remote Status : Unlocked
Gateway : 10.10.10.1 Mask : 255.255.255.0
Vpn instance : --
Profile-Name : - Server-Name : -
Codes: CFLCT (conflicted)

----------------------------------------------------------------------------------
-----
ID start end total used idle CFLCT disable reserved static-
bind

----------------------------------------------------------------------------------
-----
0 10.10.10.0 10.10.10.255 256 0 256 0 0 0

----------------------------------------------------------------------------------
-----

# Check the configurations of the domain isp2.


[HUAWEI] display domain isp2
------------------------------------------------------------------------------
Domain-name : isp2
Domain-state : Active
Authentication-scheme-name : default0
Accounting-scheme-name : default0
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
Ancp auto qos adapt : Disable
Service-type : STB
RADIUS-server-template : -
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled

Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
IP-address-pool-name : pool2
Quota-out : Offline
------------------------------------------------------------------------------

----End

Configuration Files
Configuration file of router
#
sysname HUAWEI
#
dhcp-server group group1
dhcp-server 10.1.1.1
#
ip pool pool2 bas remote
gateway 10.10.10.1 255.255.255.0
dhcp-server group group1
#

aaa
authentication-scheme default0
#
accounting-scheme default0
#
domain isp2
authentication-scheme default0
accounting-scheme default0
ip-pool pool2
#
interface GigabitEthernet1/0/0.1
undo shutdown
user-vlan 1
bas
#
access-type layer2-subscriber default-domain authentication isp2
authentication-method bind
#
interface GigabitEthernet3/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
return

2.8.3 Example for Configuring Layer 3 DHCPv4 User Access


This section provides an example for configuring Layer 3 DHCPv4 user access, including
networking requirements, configuration roadmap, configuration procedure, and configuration
files.

Networking Requirements
NOTE

Layer 3 DHCPv4 user access cannot be configured on the X1 or X2 models of the NE80E/40E.

As shown in Figure 2-7, the networking requirements are as follows:


l The user belongs to the domain isp4 and accesses Router B through Router A by connecting
to GE 1/0/0 on Router A.
l Router B, which functions as a DHCPv4 server, is connected to Router A through GE 3/0/0.1.
The IP address of GE 3/0/0.1 is 10.2.1.2/24.
l The user adopts Web authentication, RADIUS authentication, and RADIUS accounting.
l The IP address of the RADIUS server is 10.1.1.2; ports 1812 and 1813 are used for
authentication and accounting respectively; the standard RADIUS protocol is adopted and
the shared key is hello (an example value only; use a strong key in a real deployment).

Figure 2-7 Networking diagram for configuring Layer 3 DHCPv4 user access
(Figure content: subscriber@isp4 - Switch - RouterA (DHCP Relay) with GE1/0/0 1.1.1.1 and GE1/0/1.1 10.2.1.1 - RouterB (DHCP Server) with GE3/0/0.1 10.2.1.2 - Internet; Radius Server 10.1.1.2)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the address pool, including the IP address of the gateway and the range of IP
addresses in the pool.
2. Configure the authentication and accounting schemes.
3. Configure the RADIUS server group, including the IP address of the RADIUS server,
authentication port, and accounting port.
4. Configure the domain isp4 to which the user belongs, including the authentication mode
and the accounting mode.
5. Configure the BAS interface, including the user access mode.

Data Preparation
To complete the configuration, you need the following data:
l Name of the address pool, range of IP addresses in the pool, and IP address of the gateway
l Authentication scheme and accounting scheme
l IP address of the RADIUS server, authentication port, and accounting port
l Name of the user domain

Procedure
Step 1 Configure Router A.
# Configure GE 1/0/0.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface gigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 24
[RouterA-GigabitEthernet1/0/0] ip relay address 10.2.1.2

[RouterA-GigabitEthernet1/0/0] dhcp select relay
[RouterA-GigabitEthernet1/0/0] quit

# Configure interface GE1/0/1.1.


[RouterA] interface gigabitEthernet 1/0/1.1
[RouterA-GigabitEthernet1/0/1.1] undo shutdown
[RouterA-GigabitEthernet1/0/1.1] vlan-type dot1q 1
[RouterA-GigabitEthernet1/0/1.1] ip address 10.2.1.1 24

Step 2 Configure Router B.


# Configure an address pool.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ip pool pool4 bas local
[RouterB-ip-pool-pool4] gateway 1.1.1.1 255.255.255.0
[RouterB-ip-pool-pool4] section 0 1.1.1.2 1.1.1.200
[RouterB-ip-pool-pool4] quit

# Configure an authentication scheme.


[RouterB] aaa
[RouterB-aaa] authentication-scheme auth4
[RouterB-aaa-authen-auth4] authentication-mode radius
[RouterB-aaa-authen-auth4] quit

# Configure an accounting scheme.


[RouterB-aaa] accounting-scheme acct4
[RouterB-aaa-accounting-acct4] accounting-mode radius
[RouterB-aaa-accounting-acct4] quit
[RouterB-aaa] quit

# Configure a RADIUS server group.


[RouterB] radius-server group rd4
[RouterB-radius-rd4] radius-server authentication 10.1.1.2 1812
[RouterB-radius-rd4] radius-server accounting 10.1.1.2 1813
[RouterB-radius-rd4] radius-server type standard
[RouterB-radius-rd4] radius-server shared-key hello
[RouterB-radius-rd4] quit

# Configure a domain named isp4.


[RouterB] aaa
[RouterB-aaa] domain isp4
[RouterB-aaa-domain-isp4] authentication-scheme auth4
[RouterB-aaa-domain-isp4] accounting-scheme acct4
[RouterB-aaa-domain-isp4] radius-server group rd4
[RouterB-aaa-domain-isp4] quit
[RouterB-aaa] quit

# Configure a BAS interface.


[RouterB] interface gigabitEthernet 3/0/0.1
[RouterB-GigabitEthernet3/0/0.1] undo shutdown
[RouterB-GigabitEthernet3/0/0.1] ip address 10.2.1.2 24
[RouterB-GigabitEthernet3/0/0.1] vlan-type dot1q 1
[RouterB-GigabitEthernet3/0/0.1] bas
[RouterB-GigabitEthernet3/0/0.1-bas] access-type layer3-subscriber
[RouterB-GigabitEthernet3/0/0.1-bas] default-domain authentication isp4
[RouterB-GigabitEthernet3/0/0.1-bas] authentication-method web
[RouterB-GigabitEthernet3/0/0.1-bas] ip-trigger
[RouterB-GigabitEthernet3/0/0.1-bas] quit
[RouterB-GigabitEthernet3/0/0.1] quit

# Configure a static route to GE 1/0/0 on Router A (1.1.1.1), the relay agent address to which
Router B sends its DHCPv4 replies.
[RouterB] ip route-static 1.1.1.1 255.255.255.255 10.2.1.1

Step 3 Verify the configuration.


# Check the configurations of the local address pool pool4.

[RouterB] display ip pool name pool4
Pool-Name : pool4
Pool-No : 0
Lease : 3 Days 0 Hours 0 Minutes
NetBois Type : N-Node
DNS-Suffix : -
Position : Local Status : Unlocked
Gateway : 1.1.1.1 Mask : 255.255.255.0
Vpn instance : --
Profile-Name : - Server-Name : -
Codes: CFLCT (conflicted)
---------------------------------------------------------------------------
ID start end total used idle CFLCT disable reserved
---------------------------------------------------------------------------
0 1.1.1.2 1.1.1.200 199 0 199 0 0 0
---------------------------------------------------------------------------
[RouterB] display domain isp4
------------------------------------------------------------------------------
Domain-name : isp4
Domain-state : Active
Authentication-scheme-name : auth4
Accounting-scheme-name : acct4
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time (second) : 300
Ancp auto qos adapt : Disable
RADIUS-server-template : rd4
Two-acct-template : -
HWTACACS-server-template : -
IP-warning-threshold : -
Max-multilist num : 4
Multicast-profile : -
Quota-out : Offline
------------------------------------------------------------------------------

----End

Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 1.1.1.1 255.255.255.0
ip relay address 10.2.1.2
dhcp select relay
#
interface GigabitEthernet1/0/1.1
undo shutdown
vlan-type dot1q 1

ip address 10.2.1.1 255.255.255.0
#
return
Configuration file of Router B


#
sysname RouterB
#
radius-server group rd4
radius-server authentication 10.1.1.2 1812 weight 0
radius-server accounting 10.1.1.2 1813 weight 0
radius-server shared-key hello
#
ip pool pool4 bas local
gateway 1.1.1.1 255.255.255.0
section 0 1.1.1.2 1.1.1.200
#
aaa
authentication-scheme auth4
authentication-mode radius
#
accounting-scheme acct4
accounting-mode radius
#
domain isp4
authentication-scheme auth4
accounting-scheme acct4
radius-server group rd4
#
interface GigabitEthernet3/0/0.1
vlan-type dot1q 1
ip address 10.2.1.2 255.255.255.0
bas
#
access-type layer3-subscriber default-domain authentication isp4
authentication-method web
ip-trigger
#
ip route-static 1.1.1.1 255.255.255.255 10.2.1.1
#
return

2.8.4 Example for Configuring IP Address Assignment for Ethernet Users (with No Relay Agent)
This section provides an example for assigning IPv4 addresses to Ethernet users (with no relay
agent), including the networking requirements, configuration roadmap, configuration procedure,
and configuration files.

Networking Requirements
On a large network, the PCs often cannot be connected directly to the Ethernet interfaces of the
routing device and instead reach it through other devices. In this case, a network-side DHCPv4
server is configured on the routing device so that the PCs can dynamically obtain IP addresses
from it.
As shown in Figure 2-8, a DHCPv4 server assigns IP addresses to the clients on the same network
segment. The network segment of the address pool, 10.1.1.0/24, includes two subnet segments,
10.1.1.0/25 and 10.1.1.128/25. The IP addresses of the two GE interfaces on the DHCPv4 server
are 10.1.1.1/25 and 10.1.1.129/25.
The lease of the IP addresses on the network segment 10.1.1.0/25 is 10 days and 12 hours; the
domain name suffix of the DNS server is huawei.com; the IP address of the DNS server is
10.1.1.2; there is no NetBIOS address; the IP address of the gateway is 10.1.1.1.

The lease of the IP addresses on the network segment 10.1.1.128/25 is 5 days; the domain name
suffix of the DNS server is huawei.com; the IP address of the DNS server is 10.1.1.2; the
NetBIOS address is 10.1.1.4; the IP address of the gateway is 10.1.1.129.

Figure 2-8 Networking diagram for IP address assignment for Ethernet users (with no relay agent)
(Figure content: DHCP server with GE1/0/0 10.1.1.1/25 on Network 10.1.1.0/25 and GE1/0/1 10.1.1.129/25 on Network 10.1.1.128/25; DHCP clients, a DNS server and a NetBIOS server attached to the two segments)

Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to interfaces.
2. Configure the address pool, including the IP address of the gateway, range of IP addresses
in the pool, domain name suffix of the DNS server, allowed lease of IP addresses, and IP
addresses not automatically assigned, which include the IP addresses of the DNS server,
NetBIOS, and gateway.
In this example, it is required that two address pools be configured.

Data Preparation
To complete the configuration, you need the following data:
l IP address of each interface
l Numbers of address pools and range of IP addresses in the pools
l IP addresses not allowed for assignment
l Domain name suffix, IP address of the DNS server, and the address lease

Procedure
Step 1 Configure the DHCPv4 server.
# Assign an IP address to GE 1/0/0.

[HUAWEI] interface gigabitethernet 1/0/0
[HUAWEI-GigabitEthernet1/0/0] ip address 10.1.1.1 255.255.255.128
[HUAWEI-GigabitEthernet1/0/0] undo shutdown
[HUAWEI-GigabitEthernet1/0/0] quit

# Assign an IP address to GE 1/0/1.


[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 10.1.1.129 255.255.255.128
[HUAWEI-GigabitEthernet1/0/1] undo shutdown
[HUAWEI-GigabitEthernet1/0/1] quit

# Configure the attributes of DHCPv4 address pool 1, including the IP addresses of the gateway
and DNS server, range of IP addresses in the pool, domain name suffix of the DNS server, and
address lease.
[HUAWEI] ip pool 1 server
[HUAWEI-ip-pool-1] gateway 10.1.1.1 255.255.255.128
[HUAWEI-ip-pool-1] section 0 10.1.1.2 10.1.1.126
[HUAWEI-ip-pool-1] excluded-ip-address 10.1.1.2
[HUAWEI-ip-pool-1] excluded-ip-address 10.1.1.4
[HUAWEI-ip-pool-1] dns-suffix huawei.com
[HUAWEI-ip-pool-1] dns-server 10.1.1.2
[HUAWEI-ip-pool-1] lease 10 12
[HUAWEI-ip-pool-1] quit

# Configure the attributes of DHCPv4 address pool 2, including the range of IP addresses in the
pool, IP addresses of the gateway and NetBIOS, and the address lease.
[HUAWEI] ip pool 2 server
[HUAWEI-ip-pool-2] gateway 10.1.1.129 255.255.255.128
[HUAWEI-ip-pool-2] section 0 10.1.1.130 10.1.1.254
[HUAWEI-ip-pool-2] dns-suffix huawei.com
[HUAWEI-ip-pool-2] dns-server 10.1.1.2
[HUAWEI-ip-pool-2] lease 5
[HUAWEI-ip-pool-2] netbios-name-server 10.1.1.4
[HUAWEI-ip-pool-2] quit

Step 2 Verify the configuration.


After the configuration is complete, run the display ip pool command on the DHCPv4 server
to view information about the DHCPv4 address pools.
[HUAWEI] display ip pool
-----------------------------------------------------------------------
Pool-Name : 1
Pool-No : 1
Position : Server Status : Unlocked
Gateway : 10.1.1.1 Mask : 255.255.255.128
Vpn instance : --

-----------------------------------------------------------------------
Pool-Name : 2
Pool-No : 2
Position : Server Status : Unlocked
Gateway : 10.1.1.129 Mask : 255.255.255.128
Vpn instance : --

IP address pool Statistic


Local :0 Remote :0 Server :2

IP address Statistic
Total :152
Used :0 Free :152
Conflicted :0 Disable :0
Designated :0

----End

Configuration Files
Configuration file of the HUAWEI
#
sysname HUAWEI
#
ip pool 1 server
gateway 10.1.1.1 255.255.255.128
section 0 10.1.1.2 10.1.1.126
excluded-ip-address 10.1.1.2
excluded-ip-address 10.1.1.4
dns-server 10.1.1.2
dns-suffix huawei.com
lease 10 12
#
ip pool 2 server
gateway 10.1.1.129 255.255.255.128
section 0 10.1.1.130 10.1.1.254
dns-server 10.1.1.2
dns-suffix huawei.com
netbios-name-server 10.1.1.4
lease 5
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.128
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.1.129 255.255.255.128
#
return

2.8.5 Example for Configuring IP Address Assignment for Ethernet Users (with a Relay Agent Deployed)
This section provides an example for assigning IPv4 addresses to Ethernet users (with a relay
agent deployed), including the networking requirements, configuration roadmap, configuration
procedure, and configuration files.

Networking Requirements
A network-side DHCPv4 server usually works with a DHCPv4 relay agent. As shown in Figure
2-9, DHCPv4 clients reside on the network segment 10.100.0.0/16; the DHCPv4 server resides
on the network segment 202.40.0.0/16. It is required that the DHCPv4 packet be relayed through
the device enabled with the DHCPv4 relay function. In this manner, the DHCPv4 client can
apply for an IP address from the DHCPv4 server.
The DHCPv4 server must be configured with a network-side IP address pool. The IP address of
the DNS server is 10.100.1.2/16; the IP address of the NetBIOS server is 10.100.1.3/16; the IP
address of the gateway is 10.100.1.1; there is a route from the DHCPv4 server to 10.100.0.0/16.

Figure 2-9 Networking diagram for IP address assignment for Ethernet users (with a relay agent deployed)
(Figure content: DHCP clients, DNS server 10.100.1.2/16 and NetBIOS server 10.100.1.3/16 on the segment behind GE1/0/0 10.100.1.1/16 of RouterA (DHCP Relay); RouterA GE2/0/0 202.40.1.1/16 connects to GE1/0/0 202.40.1.2/16 of RouterB (DHCP server))

Configuration Roadmap
The configuration roadmap is as follows:
1. Assign an IP address to GE 2/0/0 on Router A, which connects to the DHCPv4 server.
2. On GE 1/0/0 of Router A, configure the IP address of the DHCPv4 server for which the
interface functions as the relay agent, and enable DHCPv4 relay on the interface.
3. Configure a route from Router B to the network segment of GE 1/0/0 on Router A.
4. Assign an IP address to GE 1/0/0 on Router B, which connects to the relay agent.
5. Configure the network-side address pool on Router B from which the clients connected to
GE 1/0/0 on Router A obtain IP addresses.

Data Preparation
To complete the configuration, you need the following data:
l IP address of the interface to be configured with DHCPv4 relay
l IP address of the DHCPv4 server
l Attributes of the DHCPv4 address pool, including the IP address of the gateway, range of
IP addresses in the address pool, IP addresses not allowed to be automatically assigned,
domain name suffix of the DNS server, IP address of the DNS server, and address lease

Procedure
Step 1 Configure the DHCPv4 relay agent.
# Assign an IP address to GE 2/0/0.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface GigabitEthernet 2/0/0

[RouterA-GigabitEthernet2/0/0] ip address 202.40.1.1 255.255.0.0
[RouterA-GigabitEthernet2/0/0] undo shutdown
[RouterA-GigabitEthernet2/0/0] quit

# Enter the view of the interface to be configured with DHCPv4 relay and configure the IP
address, subnet mask, and corresponding DHCPv4 server address on the interface.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 10.100.1.1 255.255.0.0
[RouterA-GigabitEthernet1/0/0] ip relay address 202.40.1.2
[RouterA-GigabitEthernet1/0/0] dhcp select relay
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit

Step 2 Configure the DHCPv4 server.

# Configure the route from Router B to GE 1/0/0 on Router A that connects to the client.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ip route-static 10.100.0.0 255.255.0.0 202.40.1.1

# Assign an IP address to GE 1/0/0.


[RouterB] interface GigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 202.40.1.2 255.255.0.0
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] quit

# Configure the attributes of the DHCPv4 address pool pool 1, including the IP address of the
gateway, range of IP addresses in the address pool, IP addresses not allowed to be automatically
assigned, domain name suffix of the DNS server, IP address of the DNS server, and address
lease.
[RouterB] ip pool 1 server
[RouterB-ip-pool-1] gateway 10.100.1.1 255.255.0.0
[RouterB-ip-pool-1] section 0 10.100.1.5 10.100.1.100
[RouterB-ip-pool-1] dns-suffix huawei.com
[RouterB-ip-pool-1] dns-server 10.100.1.2
[RouterB-ip-pool-1] netbios-name-server 10.100.1.3
[RouterB-ip-pool-1] lease 10 12
[RouterB-ip-pool-1] quit

Step 3 Verify the configuration.

Run the display ip pool command on the DHCPv4 server, and you can view information about
the DHCPv4 address pool, including DNS, IP address lease, and Option parameters.
[RouterB] display ip pool
-----------------------------------------------------------------------
Pool-Name : 1
Pool-No : 1
Position : Server Status : Unlocked
Gateway : 10.100.1.1 Mask : 255.255.0.0
Vpn instance : --

-----------------------------------------------------------------------

IP address pool Statistic


Local :0 Remote :0 Server :1

IP address Statistic
Total :96
Used :0 Free :96
Conflicted :0 Disable :0
Designated :0

Run the display dhcp relay address command on the DHCPv4 relay agent, and you can view the
DHCPv4 server address configured on each relay interface.
[RouterA] display dhcp relay address all
** GigabitEthernet1/0/0 DHCP Relay Address **
Dhcp Option Relay Agent IP Server IP
* - 202.40.1.2

----End

Configuration Files
l Configuration file of Router A
#
sysname RouterA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.100.1.1 255.255.0.0
ip relay address 202.40.1.2
dhcp select relay
#
interface GigabitEthernet 2/0/0
undo shutdown
ip address 202.40.1.1 255.255.0.0
#
return

l Configuration file of Router B


#
sysname RouterB
#
ip pool 1 server
gateway 10.100.1.1 255.255.0.0
section 0 10.100.1.5 10.100.1.100
dns-server 10.100.1.2
dns-suffix huawei.com
netbios-name-server 10.100.1.3
lease 10 12
#
interface GigabitEthernet 1/0/0
undo shutdown
ip address 202.40.1.2 255.255.0.0
#
ip route-static 10.100.0.0 255.255.0.0 202.40.1.1
#
return
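The following Python script is an added illustration, not part of the Huawei guide, of the exchange that sections 2.8.3 to 2.8.5 configure: a DHCPDISCOVER leaves the client with giaddr zero, the relay agent (Router A, with ip relay address on GE 1/0/0) fills giaddr with the address of the receiving interface and forwards the packet to the server, and the server chooses the address pool whose gateway subnet contains giaddr and replies to that address, which is why Router B needs the static route back to the relay. It also contains the pre-commit checks that would catch a section range lying outside the gateway subnet. The packet layout follows RFC 2131 and the pool values are the guide's; the hop threshold, the Pool class, select_pool and demo are simplifications written for this example and do not describe the router's implementation.

```python
import ipaddress
import struct

BOOTREQUEST = 1
# RFC 2131 fixed header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HDR = "!BBBBIHH4s4s4s4s16s64s128s"
HDR_LEN = struct.calcsize(HDR)        # 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"
ZERO4 = b"\x00" * 4


def build_discover(mac: bytes, xid: int) -> bytes:
    """DHCPDISCOVER as the client broadcasts it: hops and giaddr are zero."""
    hdr = struct.pack(HDR, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                      ZERO4, ZERO4, ZERO4, ZERO4, mac.ljust(16, b"\x00"),
                      b"\x00" * 64, b"\x00" * 128)
    return hdr + MAGIC_COOKIE + b"\x35\x01\x01\xff"   # option 53 = DISCOVER, end


def hops(packet: bytes) -> int:
    return struct.unpack(HDR, packet[:HDR_LEN])[3]


def giaddr(packet: bytes) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(struct.unpack(HDR, packet[:HDR_LEN])[10])


def relay(packet: bytes, ingress_ip: str, server_ip: str, max_hops: int = 4):
    """Model of what 'dhcp select relay' plus 'ip relay address <server>' does.

    Returns (next_hop, packet), or None if the packet is dropped.  giaddr is
    filled in only when still zero (first relay on the path); hops is
    incremented, and a request that already reached max_hops is discarded
    (the threshold is local policy; RFC 1542 section 4.1.1 describes it).
    """
    if len(packet) < HDR_LEN + 4 or packet[HDR_LEN:HDR_LEN + 4] != MAGIC_COOKIE:
        return None
    fields = list(struct.unpack(HDR, packet[:HDR_LEN]))
    if fields[0] != BOOTREQUEST or fields[3] >= max_hops:
        return None
    fields[3] += 1
    if fields[10] == ZERO4:
        fields[10] = ipaddress.IPv4Address(ingress_ip).packed
    return server_ip, struct.pack(HDR, *fields) + packet[HDR_LEN:]


class Pool:
    """One 'ip pool <name> server' block: gateway/mask, one section, exclusions (assumed model)."""

    def __init__(self, name, gateway, mask, start, end, excluded=()):
        self.name = name
        self.net = ipaddress.IPv4Network(f"{gateway}/{mask}", strict=False)
        self.gateway = ipaddress.IPv4Address(gateway)
        self.start = ipaddress.IPv4Address(start)
        self.end = ipaddress.IPv4Address(end)
        self.excluded = {ipaddress.IPv4Address(a) for a in excluded}
        self.leased = set()

    def validate(self):
        """Pre-commit checks: the section must stay inside the gateway subnet
        (a slip such as 'section 0 1.1.1.2 10.1.1.200' under gateway 1.1.1.1/24
        is caught here) and the gateway must never be handed out."""
        errors = []
        if self.start > self.end:
            errors.append(f"{self.name}: section start {self.start} is after end {self.end}")
        for bound in (self.start, self.end):
            if bound not in self.net:
                errors.append(f"{self.name}: {bound} is outside gateway subnet {self.net}")
        if self.start <= self.gateway <= self.end and self.gateway not in self.excluded:
            errors.append(f"{self.name}: gateway {self.gateway} lies in the section and is not excluded")
        return errors

    def allocate(self):
        """First free address that is neither the gateway nor an excluded-ip-address."""
        addr = self.start
        while addr <= self.end:
            if addr != self.gateway and addr not in self.excluded and addr not in self.leased:
                self.leased.add(addr)
                return addr
            addr += 1
        return None


def select_pool(pools, packet: bytes):
    """Server side: a relayed request goes to the pool whose gateway subnet
    contains giaddr.  A request with giaddr zero arrived directly and would be
    matched against the receiving interface's subnet instead (not modelled)."""
    g = giaddr(packet)
    if g == ipaddress.IPv4Address("0.0.0.0"):
        return None
    return next((p for p in pools if g in p.net), None)


def demo():
    """The 2.8.5 exchange: client -> Router A (relay) -> Router B (server)."""
    pool1 = Pool("1", "10.100.1.1", "255.255.0.0", "10.100.1.5", "10.100.1.100")
    discover = build_discover(b"\x00\x11\x22\x33\x44\x55", xid=0x1234)   # constructed client
    next_hop, relayed = relay(discover, ingress_ip="10.100.1.1", server_ip="202.40.1.2")
    pool = select_pool([pool1], relayed)
    offered = pool.allocate() if pool else None
    return next_hop, str(giaddr(relayed)), pool.name if pool else None, str(offered)
```

Because the server picks the pool from giaddr alone, anything that can send a unicast DHCPv4 packet to the server with a chosen giaddr can ask for a lease from any pool; a server reachable from untrusted networks should therefore accept relayed requests only from the relay addresses it expects, and the route back to the relay (step 3 of the roadmap) should cover only the relay's segment.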

3 DHCPv6 Configuration

About This Chapter

On an IPv6 network, DHCPv6 must be enabled before users can dynamically obtain IPv6 addresses.

3.1 Introduction to DHCPv6


DHCPv6 mainly describes the stateful configuration of IPv6 addresses on an IPv6 network.
3.2 Configuring a DHCPv6 Relay Agent
When the client and DHCPv6 server reside on different network segments, you need to configure
a DHCPv6 relay agent.

3.1 Introduction to DHCPv6


DHCPv6 mainly describes the stateful configuration of IPv6 addresses on an IPv6 network.

3.1.1 DHCPv6 Overview


DHCPv6 is similar to DHCPv4 on the IPv4 network. The client can obtain IPv6 addresses from
the DHCPv6 server.

In an IPv6 network, two methods are available for a client to obtain an IPv6 address: stateless
address autoconfiguration and stateful configuration.

l With stateless address autoconfiguration, no DHCPv6 server is required. After being
connected to an IPv6 network, the client configures an IPv6 address for itself using
Neighbor Discovery (ND) messages.
l With the stateful configuration, the Dynamic Host Configuration Protocol for IPv6
(DHCPv6) is used to configure IPv6 addresses for clients. This mechanism is similar to
how DHCPv4 functions in an IPv4 network.

DHCPv6 mainly describes the stateful configuration of IPv6 addresses in an IPv6 network. In
an IPv6 network, three roles are involved: client, relay agent, and server. A client interacts with
a relay agent or server to apply for an IPv6 address.

RFC 3633 defines a mechanism for automated delegation of IPv6 prefixes using DHCPv6
(DHCPv6-PD). In this mechanism, two roles, that is, a requesting router and a delegating router
are involved. A requesting router functions as a client, whereas a delegating router functions as
a server. The requesting router obtains IPv6 prefixes from the delegating router and delivers the
obtained IPv6 prefixes as its local resources to IPv6 clients.

3.1.2 DHCPv6 Features Supported by the NE80E/40E


The NE80E/40E can be a DHCPv6 relay agent.

NE80E/40E Functioning as the DHCPv6 Relay Agent


Three roles are involved in this networking mode: client, relay agent, and server. A client can
be a network device such as a PC or a set-top box. One or more DHCPv6 servers are required
for the entire network. The NE80E/40E functions as a relay agent to forward packets from a
client to the server, which then performs AAA for the client.

In this scenario, a separate DHCPv6 server is required, which implements uniform address
management and dynamically assigns addresses to clients.

3.2 Configuring a DHCPv6 Relay Agent


When the client and DHCPv6 server reside on different network segments, you need to configure
a DHCPv6 relay agent.


3.2.1 Establishing the Configuration Task


Before configuring a DHCPv6 relay agent, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
If a client is connected to the DHCPv6 server through a Layer 3 access device, the Layer 3 access
device is a DHCPv6 relay agent. The DHCPv6 relay agent receives packets from the client or
other relay agents, encapsulates the received packets, and then forwards the encapsulated packets
to the DHCPv6 server or another relay agent.
You can configure the NE80E/40E so that it can function as a relay agent.

Pre-configuration Tasks
Before configuring a DHCPv6 relay agent, complete the following tasks:
l Enabling the IPv6 function. For details, refer to the HUAWEI NetEngine80E/40E Router
Configuration Guide - IP Service.
l Configuring the DHCPv6 server as required

Data Preparation
To configure a DHCPv6 relay agent, you need the following data.

No. Data

1 Type and number of the inbound interface

2 IP address of the destination DHCPv6 server, or the type and number of the network-side outbound interface

3.2.2 Enabling DHCPv6 Relay


You need to configure DHCPv6 relay before configuring DHCPv6.

Context
Do as follows on the NE80E/40E:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface is the inbound interface on the relay agent.


Step 3 Run:
ipv6 enable

IPv6 is enabled on the interface.


Step 4 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

An IPv6 global unicast address is configured for the interface.

NOTE

To ensure connectivity between the client and the relay agent, the IPv6 address prefix on the interface of the relay
agent that connects it to the client must be the same as the IPv6 address prefix in the address pool that is
configured on the DHCPv6 server.

Step 5 Run:
ipv6 address auto link-local

An automatically generated link-local address is configured for the interface.


Step 6 Run:
undo ipv6 nd ra halt

The advertising of RA packets is enabled.


By default, the network-side interface of the relay agent does not advertise RA packets. As a
result, a client connected to the relay agent cannot receive RA packets with the M and O flags
set to 1. Consequently, the client does not send DHCPv6 packets and therefore cannot log
in. This is why you need to run the undo ipv6 nd ra halt command to enable the advertising of
RA packets.

NOTE
This command is required only for the interface connecting to clients on the relay agent.

Step 7 Run:
ipv6 nd autoconfig managed-address-flag

The flag field indicating that routable IPv6 addresses can be obtained through the stateful
autoconfiguration is set.

NOTE
This command is required only for the interface connecting to clients on the relay agent.

Step 8 Run:
ipv6 nd autoconfig other-flag

The flag field (O flag) indicating that other configuration information is obtained through stateful autoconfiguration is set.

NOTE
This command is required only for the interface connecting to clients on the relay agent.

Step 9 Run:
dhcpv6 relay { interface { interface-name | interface-type interface-number } |
destination ipv6-address }

The DHCPv6 relay function is enabled on an inbound interface and the IP address of the
outbound interface for DHCPv6 messages or the IP address of the destination DHCPv6 server
is specified.


By default, DHCPv6 relay is disabled on interfaces. Up to four IP addresses of outbound
interfaces or destination DHCPv6 servers can be configured on an interface.

----End
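The procedure above makes the NE80E/40E a DHCPv6 relay agent. The following added example (not Huawei code or part of this guide) models that role as defined in RFC 3315: an RA must carry the M and O flags set by Steps 7 and 8 before a client sends DHCPv6 messages, each message received on the inbound interface is wrapped in a Relay-Forward toward the server or the next relay, and the server's Relay-Reply is unwrapped on the way back. The addresses, interface names and the hop-count limit of 32 used here are constructed or taken from the RFC, not from the guide.

```python
"""DHCPv6 relay agent behaviour per RFC 3315 (constructed example, not Huawei code).

Models the relay role described in the guide: the client-facing interface advertises
RAs with M and O set so clients send DHCPv6 messages; each message received on the
inbound interface is wrapped in a Relay-Forward; the Relay-Reply is unwrapped on return.
"""
import ipaddress
import struct

RELAY_FORW = 12
RELAY_REPL = 13
OPTION_RELAY_MSG = 9
OPTION_INTERFACE_ID = 18
HOP_COUNT_LIMIT = 32            # RFC 3315: drop a Relay-Forward whose hop-count is >= 32
UNSPECIFIED = ipaddress.IPv6Address("::")
ICMPV6_ROUTER_ADVERTISEMENT = 134
RA_FLAG_MANAGED, RA_FLAG_OTHER = 0x80, 0x40


def ra_flags(icmpv6_msg):
    """Return (M, O) of a Router Advertisement: the bits that the
    'ipv6 nd autoconfig managed-address-flag' and 'other-flag' commands set."""
    if len(icmpv6_msg) < 16 or icmpv6_msg[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    flags = icmpv6_msg[5]       # type(1) code(1) checksum(2) cur-hop-limit(1) flags(1)
    return bool(flags & RA_FLAG_MANAGED), bool(flags & RA_FLAG_OTHER)


def encode_options(options):
    """Serialise (code, data) pairs as DHCPv6 TLV options."""
    return b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)


def decode_options(buf):
    """Parse TLV options, rejecting truncated data instead of guessing."""
    options, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if len(buf) - pos < length:
            raise ValueError("option length exceeds message")
        options.append((code, bytes(buf[pos:pos + length])))
        pos += length
    return options


def build_relay(msg_type, hop_count, link_addr, peer_addr, options):
    """Relay message layout: msg-type, hop-count, link-address, peer-address, options."""
    return (struct.pack("!BB", msg_type, hop_count)
            + ipaddress.IPv6Address(link_addr).packed
            + ipaddress.IPv6Address(peer_addr).packed
            + encode_options(options))


def parse_relay(data):
    """Inverse of build_relay; returns (msg_type, hop_count, link, peer, options)."""
    if len(data) < 34:
        raise ValueError("relay message too short")
    link_addr = ipaddress.IPv6Address(bytes(data[2:18]))
    peer_addr = ipaddress.IPv6Address(bytes(data[18:34]))
    return data[0], data[1], link_addr, peer_addr, decode_options(data[34:])


def relay_toward_server(received, src_addr, link_global_addr, interface_id):
    """Wrap a message received on the inbound interface into a Relay-Forward.

    received: a client message, or a Relay-Forward from another relay (assumed
    to arrive from a global source, so link-address becomes '::');
    src_addr: its IPv6 source address; link_global_addr: the global unicast
    address on the receiving interface, which is why the guide requires one.
    Returns the Relay-Forward bytes, or None when the message must be dropped.
    """
    if received[0] == RELAY_FORW:
        if received[1] >= HOP_COUNT_LIMIT:
            return None                                 # relay loop protection
        hop_count, link_addr = received[1] + 1, UNSPECIFIED
    else:
        hop_count, link_addr = 0, link_global_addr
    options = [(OPTION_RELAY_MSG, received), (OPTION_INTERFACE_ID, interface_id)]
    return build_relay(RELAY_FORW, hop_count, link_addr, src_addr, options)


def relay_toward_client(relay_reply):
    """Unwrap a Relay-Reply from the server; returns (next_hop, inner_message).
    The inner message is sent to peer-address: the client, or the previous relay
    when the inner message is itself a Relay-Reply."""
    msg_type, _hop, _link, peer_addr, options = parse_relay(relay_reply)
    if msg_type != RELAY_REPL:
        raise ValueError("expected Relay-Reply")
    inner = [data for code, data in options if code == OPTION_RELAY_MSG]
    if len(inner) != 1:
        raise ValueError("Relay-Reply must carry exactly one Relay Message option")
    return peer_addr, inner[0]
```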

3.2.3 Enabling DHCPv6 on Network-side Interfaces


After DHCPv6 is enabled on a network-side interface, only requests from users on that
interface are responded to.

Context
Do as follows on the NE80E/40E:

NOTE

The inbound interface and the outbound interface of the relay agent are both network-side interfaces. You
need to configure DHCPv6 on both interfaces.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
dhcpv6 enable

DHCPv6 is enabled on the network-side interfaces.

----End

3.2.4 Checking the Configuration


After configuring a DHCPv6 relay agent, you can view the configurations of the relay interface.

Procedure
l Run the display this command in the interface view to check the current effective
configurations of the relay interface.
----End

Example
Run the display this command in the view of GE 2/0/1 to view the current effective
configurations on the interface. If the preceding DHCPv6 relay configurations are successful,
configurations of the relay interface are displayed.
[HUAWEI-GigabitEthernet2/0/1] display this
#
interface GigabitEthernet2/0/1


ipv6 enable
ipv6 address auto link-local
ipv6 address 2660:2321::101:112:2:201/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
dhcpv6 enable
dhcpv6 relay interface GigabitEthernet1/0/2
#


4 BRAS Access Configuration

About This Chapter

This chapter describes how to control and manage various types of access services by using
BRAS access.

NOTE

BRAS access cannot be configured on the X1 or X2 models of the NE80E/40E.

4.1 Introduction
In BRAS access, users are identified based on the protocol stack of user packets. Different
authentication modes are applicable to different users.
4.2 Configuring the Authentication Mode
You can use authentication technologies to exchange authentication packets, user names and
passwords between user terminals and the NE80E/40E. The NE80E/40E supports multiple
authentication technologies.
4.3 Configuring the IPoX Access Service
In IPoX access, users access the Internet by sending packets directly, without using dial-in
client software.
4.4 Configuring and Managing Users
The BRAS manages users either through the domain to which users belong or user accounts.
4.5 Maintaining BRAS Access
Maintaining BRAS access includes monitoring the operation status of the BRAS, clearing the
statistics about login and logout users, and debugging in the case of failures.
4.6 Configuration Examples
This section provides examples for configuring the BRAS access service, including networking
requirements, configuration notes, and configuration roadmap.


4.1 Introduction
In BRAS access, users are identified based on the protocol stack of user packets. Different
authentication modes are applicable to different users.

4.1.1 Overview of BRAS Authentication


Before configuring BRAS access, familiarize yourself with basic concepts such as Web
authentication, binding authentication, and fast authentication. This will help you complete the
configuration task quickly and accurately.

The differences in physical connections are obscured by access devices and are irrelevant to the
NE80E/40E. The NE80E/40E knows only the encapsulation formats of packets and
differentiates users by using the protocol stacks of packets.

Currently, there are the following user authentication modes:

l Web authentication: It refers to an interactive authentication mode in which the user opens
the authentication page on the Web authentication server, and enters the user name and
password to be authenticated.
l Fast authentication: It is a simplified form of Web authentication. The user opens the Web page
for authentication but does not need to enter the user name and password. The NE80E/
40E generates the user name and password (vlan) according to information about the
Broadband Access Server (BAS) interface from which the user logs in.
l Mandatory Web authentication: If the user that requires Web authentication or fast
authentication attempts to access an unauthorized address before authentication, the
NE80E/40E redirects the access request to the mandatory Web authentication server for
the user to be authenticated.
l Binding authentication: The NE80E/40E automatically generates the user name and
password based on the user's physical location.

4.1.2 Access Authentication Supported by the NE80E/40E


The NE80E/40E supports user access identification and user authentication modes.

The NE80E/40E allows individual users or leased line users to access the Internet by using any
access mode. For details about the access mode for individual users, see the HUAWEI
NetEngine80E/40E Router Feature Description - BRAS Services. The access protocols are
classified into the following types:
l IPoX, including Internet Protocol over Ethernet (IPoE), IP over Ethernet over Virtual Local
Area Network (IPoEoVLAN), and IP over Ethernet over QinQ (IPoEoQ)

The NE80E/40E supports the following authentication modes:

l Web authentication
l Fast authentication
l Mandatory Web authentication
l Binding authentication


4.2 Configuring the Authentication Mode


You can use authentication technologies to exchange authentication packets, user names and
passwords between user terminals and the NE80E/40E. The NE80E/40E supports multiple
authentication technologies.

4.2.1 Establishing the Configuration Task


Before configuring an authentication mode, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
Web authentication is an interactive authentication mode in which the user opens the
authentication page on the web authentication server, and enters the user name and password to
be authenticated.

Fast authentication is the simplified web authentication. The user opens the web page for
authentication but does not need to enter the user name and password. The NE80E/40E generates
the user name and password (vlan) according to information about the BAS interface from which
the user logs in.

Binding authentication means that the NE80E/40E automatically generates the user name and
password based on the user's physical location.

Pre-configuration Tasks
Before configuring the authentication mode, complete the following tasks:

l Loading the BRAS license (For details, refer to the HUAWEI NetEngine80E/40E Router
Configuration Guide - System Management.)
l Configuring an ACL (applied in web authentication)

Data Preparation
To configure the authentication mode, you need the following data.

No. Data

1 IP address, port number, VPN instance, and shared key of the web authentication server

2 Portal protocol version, listening port number, and source interface of the NE80E/40E

3 Whether to transparently transmit RADIUS packets to the web authentication server

4 Default pre-authentication domain of the BAS interface

5 (Optional) Whether to use mandatory web authentication


4.2.2 Configuring Web Authentication or Fast Authentication


Web authentication refers to an interactive authentication mode in which a user opens the
authentication page on the Web authentication server, and enters the user name and password
for authentication. Fast authentication refers to an authentication mode in which a user opens
the authentication page on the Web authentication server for authentication, without entering
the user name and password.

Context
When configuring Web authentication or fast authentication, you need the following parameters:
l IP address and VPN instance of the server
l Port number of the server
l Shared key of the server
l Whether the NE80E/40E reports its own IP address to the server
l Portal protocol version, listening port number, and source interface sending portal packets
l Pages to which users are redirected
Do as follows on the NE80E/40E:

Procedure
l Configuring the Web Authentication Server
1. Run:
system-view

The system view is displayed.


2. Run:
web-auth-server ip-address [ vpn-instance instance-name ] [ port port-number ] [ key key-string ] [ nas-ip-address ]

The Web authentication server is configured.


By default, no Web authentication server is configured on the NE80E/40E. If the Web
authentication server is configured, the default port number is 50100, the default
shared key is null, and the NE80E/40E does not send its IP address to the Web
authentication server.
l (Optional) Configuring the Portal Protocol
1. Run:
system-view

The system view is displayed.


2. (Optional) Run:
web-auth-server version v2

The portal protocol version is set.


By default, the NE80E/40E supports both V1 and V2.
3. (Optional) Run:
web-auth-server listening-port port

The number of the listening port on the NE80E/40E is specified.


By default, the NE80E/40E uses port 2000 to listen to the messages sent from the Web
authentication server.
4. (Optional) Run:
web-auth-server source interface interface-type interface-number

The source interface for sending packets is configured on the NE80E/40E.


By default, the source interface for sending portal packets is not configured on the
NE80E/40E. The NE80E/40E uses the IP address of the outbound interface for the
packets as the source IP address.
5. (Optional) Run:
web-auth-server reply-message

The NE80E/40E is configured to transparently transmit Remote Authentication Dial
In User Service (RADIUS) packets.

By default, the NE80E/40E transparently transmits RADIUS packets to the Web
authentication server.
l (Optional) Configuring Mandatory Web Authentication
Mandatory web authentication means that the NE80E/40E redirects the access request of
a user to the specified web server for authentication if the user accesses a URL without
permission before the authentication.
1. (Optional) Run:
aaa

The AAA view is displayed.


2. Run:
domain domain-name

The view of the default pre-authentication domain is displayed.


3. (Optional) Run:
web-server url url

The redirection URL address for forced web authentication is configured.

Or Run:
web-server url-parameter

The protocol adopted by Web authentication is set to the extension Portal protocol
supported by the ISP.
Or Run:
web-server ip-address

The IP address of web authentication server is configured.


Or Run:
web-server mode { get | post }

The HTTP mode of forced web authentication is configured.


Or Run:
web-server redirect-key { mscg-ip mscg-ip-key | mscg-name mscg-name-key | user-ip-address user-ip-key | user-location user-location-key }

The keyword for attributes of a customized portal is configured.


Or Run:
web-server user-first-url-key { key-name | default-name }


The keyword for tracing the main page is configured.

The mandatory Web authentication server is configured.

The format of the Uniform Resource Locator (URL) to which access requests are
redirected in mandatory Web authentication is http://www.isp.com/index.html.
The NE80E/40E supports two modes for accessing the Hypertext Transfer Protocol
(HTTP) page: get and post. The two modes define different formats for the packets
exchanged between the NE80E/40E and the HTTP page.
4. Run:
quit

The AAA view is displayed.


l Configuring the Authentication Domain and Authentication Method on the BAS Interface
1. Run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
bas

The BAS interface view is displayed.


3. Run:
access-type layer2-subscriber

The user access type is set to Layer 2 subscriber access.


4. Run:
default-domain pre-authentication domain-name

The default pre-authentication domain is specified.

By default, the pre-authentication domain of the BAS interface is default0.


5. Run:
default-domain authentication [ force | replace ] domain-name

The default authentication domain is specified.

By default, the authentication domain of the BAS interface is default1.


6. Run:
authentication-method { web | fast }

The Web authentication or fast authentication is configured.

----End

4.2.3 Configuring Other Authentication Modes


In addition to Web authentication, users can also be authenticated using binding authentication.

Context
Do as follows on the NE80E/40E:


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
bas

The BAS interface view is displayed.

Step 4 Run:
access-type layer2-subscriber

The user access type is set to Layer 2 subscriber access.

Step 5 Run:
default-domain pre-authentication domain-name

The default pre-authentication domain is specified.

By default, the pre-authentication domain of the BAS interface is default0.

Step 6 Run:
default-domain authentication [ force | replace ] domain-name

The default authentication domain is specified.

By default, the authentication domain of the BAS interface is default1.

Step 7 Run:
authentication-method { { ppp | dot1x } * | bind }

Binding authentication is configured.

You can set the authentication mode for only Layer 2 users on the BAS interface. Multiple
authentication modes can be configured on an interface, with the following exceptions:

l Web authentication conflicts with fast authentication.
l Binding authentication conflicts with the other authentication modes.

----End

4.2.4 Checking the Configuration


After an authentication mode is configured, you can view the authentication mode by checking
the domain configuration.

Procedure
l Run the display web-auth-server configuration command to check the configuration of
the Web authentication server.


l Run the display domain [ domain-name ] command to check the configuration of the
domain.

----End

Example
After the configuration is complete, you can run the display web-auth-server configuration
command to view the configuration of the Web authentication server.
<HUAWEI> display web-auth-server configuration
Source interface : -
Listening port : 2000
Portal : version 1, version 2
Display reply message : enabled
------------------------------------------------------------------------
Server Share-Password Port NAS-IP Vpn-instance
------------------------------------------------------------------------
192.168.3.140 huawei 50100 NO
------------------------------------------------------------------------
1 Web authentication server(s) in total

After the configuration is complete, you can run the display domain domain-name command
to view information about the binding between the domain and user group.
<HUAWEI> display domain isp1
Domain-name : isp1
Domain-state : Active
Domain-type : Normal domain
Service-type : HSI
Authentication-scheme-name : default1
Accounting-scheme-name : default1
Authorization-scheme-name : -
RADIUS-server-group : -
Accounting-copy-RADIUS-group : -
Hwtacacs-server-template : -
Tunnel-acct-2867 : Disabled
User-group-name : -
Policy-route : Disabled
Policy-route-nexthop : -
AdminUser-priority : -
Web-server-IP-address : -
Web-URL : -
Web-server-work-mode : Get
Primary dns-IP-address : -
Secondary dns-IP-address : -
Queue-profile-name : -
User-priority-up : 0
User-priority-down : 0
PPPoe-URL : Disabled
Portal-server-URL : -
Portal-server-IP-Address : -
Portal-force-times : 2
Quota-out : Offline
Force-Auth-Type : -
Idle-data-attribute (time,rate) : 3 minute, 100 Kbyte/minute
User-access-limit : 147456
Online-user-total : 0
User-session-limit : -
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Time-range : Disabled
GRE-group-name : -
L2TP-group-name : -
L2TP-user RADIUS Force : Disabled
Dot1x-template-index : 1
Realloc-IP-address : Disabled


Bill Flow : Disabled
Multicast flow statistic : Disabled
VPN-instance-name : --
Value-service-name : -
DPI-policy-group : -
Multicast-profile : -
IPUser-ReAuth-Time : 300 second
IP-Warning-Percent : -
Qos-profile-name : default
Zone-name : -
Ancp auto qos adapt : Disabled
TimeRange-Qos : Disabled
Val-added-srv-account : Default
Multicast Forwarding : Yes
Multicast Virtual : No
Multivirtual cir : -
Multivirtual pir : -
Max-multilist num : 4
L2TP-QosProfile-inbind : -
L2TP-QosProfile-outbind : -

4.3 Configuring the IPoX Access Service


In IPoX access, users access the Internet by sending packets directly, without using dial-in
client software.

4.3.1 Establishing the Configuration Task


Before configuring IPoX access, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the data required for the configuration. This will help
you complete the configuration task quickly and accurately.

Applicable Environment
The IPoX access service is an access authentication service. In IPoX access, a user accesses the
Internet by using the Ethernet or asymmetric digital subscriber line (ADSL). The user uses a
fixed IP address or obtains an IP address by using the Dynamic Host Configuration Protocol
(DHCP). The system then authenticates the user by using Web authentication, fast
authentication, or binding authentication.

IPoX services are classified into IPoE, IPoEoVLAN, and IPoEoQ services, depending on the
networking.

NOTE

When an IPoEoQ user attempts to access the network, if the SMAC field in the Layer 2 header is different
from the CHADDR field in a DHCP request packet, the user cannot get online.
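The note above describes a consistency check between the Layer 2 source MAC and the DHCP CHADDR. The following added example (not Huawei code or part of this guide) models that check on a QinQ-encapsulated DHCP request; the frame layout (two 802.1Q tags, IPv4, UDP/67, BOOTP/DHCP) and the constructed sample frame are assumptions, not details from the guide.

```python
"""Consistency check between Ethernet SMAC and DHCP CHADDR (constructed example, not Huawei code).

Models the IPoEoQ condition noted in the guide: if the Layer 2 source MAC differs
from the CHADDR in the DHCP request, the user does not get online. Assumed frame
layout: Ethernet, up to two 802.1Q tags (QinQ), IPv4, UDP to port 67, DHCP.
"""
import struct

ETH_P_8021Q = 0x8100
ETH_P_8021AD = 0x88A8
ETH_P_IP = 0x0800
DHCP_SERVER_PORT = 67


def strip_vlan_tags(frame):
    """Return (dst_mac, src_mac, vlan_ids, ethertype, payload) for a frame with 0 to 2 tags."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src, pos, vlan_ids = bytes(frame[0:6]), bytes(frame[6:12]), 12, []
    ethertype = struct.unpack_from("!H", frame, pos)[0]
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < pos + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, pos + 2)[0]
        vlan_ids.append(tci & 0x0FFF)                  # low 12 bits carry the VLAN ID
        pos += 4
        ethertype = struct.unpack_from("!H", frame, pos)[0]
    return dst, src, vlan_ids, ethertype, frame[pos + 2:]


def dhcp_chaddr(ip_payload):
    """Return CHADDR (hlen bytes) from an IPv4/UDP/DHCP request, or None if not one."""
    if len(ip_payload) < 20 or ip_payload[0] >> 4 != 4 or ip_payload[9] != 17:
        return None                                    # not IPv4 or not UDP
    udp = ip_payload[(ip_payload[0] & 0x0F) * 4:]
    if len(udp) < 8 or struct.unpack_from("!H", udp, 2)[0] != DHCP_SERVER_PORT:
        return None
    dhcp = udp[8:]
    if len(dhcp) < 44 or dhcp[0] != 1:                 # op 1 = BOOTREQUEST
        return None
    hlen = dhcp[2]
    if hlen > 16:
        return None
    return bytes(dhcp[28:28 + hlen])                   # chaddr starts at offset 28


def client_mac_consistent(frame):
    """True if CHADDR equals the Ethernet SMAC, False if they differ,
    None when the frame carries no DHCP request to compare against."""
    _dst, src, _vlans, ethertype, payload = strip_vlan_tags(frame)
    if ethertype != ETH_P_IP:
        return None
    chaddr = dhcp_chaddr(payload)
    if chaddr is None:
        return None
    return chaddr == src


def build_qinq_dhcp_discover(src_mac, chaddr, outer_vlan, inner_vlan):
    """Constructed QinQ DHCP Discover frame (checksums left zero; enough for parsing)."""
    dhcp = struct.pack("!BBBBIHH", 1, 1, len(chaddr), 0, 0x3903F326, 0, 0x8000)
    dhcp += bytes(16)                                  # ciaddr, yiaddr, siaddr, giaddr
    dhcp += chaddr + bytes(16 - len(chaddr))           # chaddr padded to 16 bytes
    dhcp += bytes(192)                                 # sname and file
    dhcp += b"\x63\x82\x53\x63\x35\x01\x01\xff"        # magic cookie, DHCPDISCOVER, end
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff\xff\xff\xff") + udp
    return (b"\xff" * 6 + src_mac
            + struct.pack("!HH", ETH_P_8021AD, outer_vlan)
            + struct.pack("!HH", ETH_P_8021Q, inner_vlan)
            + struct.pack("!H", ETH_P_IP) + ip)
```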

Pre-configuration Tasks
Before configuring the IPoX access service, complete the following tasks:

l Loading the BRAS license (For details, see the HUAWEI NetEngine80E/40E Router
Configuration Guide - System Management.)
l Configuring Authentication, Authorization, and Accounting (AAA) schemes
l Configuring a RADIUS server group or an HWTACACS server template
l Configuring an IPv4 address pool


l Configuring a domain

Data Preparation
To configure the IPoX access service, you need the following data.

No. Data

1 (Optional) Domain name of the static user

2 IP address, VPN instance (optional), MAC address (optional), and number of the access interface on the NE80E/40E (optional)

3 Names of the authentication scheme, accounting scheme, and authorization scheme (applied in HWTACACS authentication)

4 Name of the RADIUS server group or HWTACACS server template

5 Name of the IPv4 address pool

6 User domain

7 (Optional) Parameters of the Web authentication server

8 User VLAN ID (applied in IPoEoVLAN access and IPoEoQ access)

9 Parameters of the BAS interface

Configuration Procedures
To configure the IPoX access service, perform the following procedures.

NOTE

Configuring an AAA scheme, 1.3 Configuring a RADIUS Server, Configuring an IPv4 address
pool, and Configuring a domain are not provided here because all the procedures are described in other
chapters.


Figure 4-1 Configuration procedures for IPoX

[Flowchart with two parallel columns: IPoE on the left, IPoEoVLAN / IPoEoQ on the right. Both columns run through Configuring AAA schemes, Configuring a server template, Configuring an IPv4 address pool, Configuring a domain, Configuring the web authentication, and Configuring the ACL. The IPoE column then ends with Configuring the BAS interface; the IPoEoVLAN / IPoEoQ column adds Binding a sub-interface to a VLAN before Configuring the BAS interface. The legend distinguishes mandatory procedures from optional procedures.]

4.3.2 Creating a Static User


A user that requires a fixed IP address can be configured as a static user.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
static-user start-ip-address [ end-ip-address ] gateway ip-address [ vpn-instance
instance-name ] [ domain-name domain-name | interface interface-type interface-
number [ vlan vlan-id [ qinq qinq-vlan ] | pvc vpi/vci ] | mac-address mac-address
| detect ] *


A static user is created.

When creating a static user, you can specify the IP address (including the VPN instance to which
the IP address belongs), interface (FE, GE, Eth-Trunk, or VE interface) through which the user
is connected to the NE80E/40E, domain, and MAC address.

If detect is configured, it indicates that the NE80E/40E actively detects whether the static user
is online. If detect is not configured, the user can go online only after sending ARP packets.

The arp-trigger command must be configured on the BAS interface through which the static
user goes online.

By default, no static user is created on the NE80E/40E.

----End

4.3.3 Binding Sub-interfaces to a VLAN


The NE80E/40E processes received tagged user packets from different types of users in different
manners to ensure that different types of packets are properly forwarded.

Context
If users access the network by using a sub-interface, the sub-interface needs to be bound to a
VLAN.

You can bind a sub-interface to a VLAN or configure QinQ on a sub-interface. When binding
a sub-interface to a VLAN, you need the following parameters:

l Sub-interface number
l VLAN ID
l QinQ ID
NOTE

l On each main interface, you can set the any-other parameter on only one sub-interface. On one sub-
interface, any-other cannot be set together with start-vlan or qinq.
l If dot1q termination, QinQ termination, QinQ stacking, or vlan-type dot1q has been configured on a
sub-interface, the user-vlan cannot be configured on this sub-interface.
l Different sub-interfaces cannot be configured with user-side VLANs with the same VLAN ID.
l If an interface on an LPUA, LPUF-10, LPUF-21, LPUF-40 is bound to a VSI or configured with VLL
transparent transmission, users whose packets carry double VLAN tags cannot get online after the
user-vlan command is run on its sub-interfaces.

Do as follows on the NE80E/40E:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number.subinterface-number

A sub-interface is created and the sub-interface view is displayed.


Step 3 For Layer 2 subscriber access, run:
user-vlan { start-vlan [ end-vlan ] [ dot1q start-qinq-id [ end-qinq-id ] ] | any-other }

A user-side VLAN is created.

For Layer 3 subscriber access, run:
vlan-type dot1q vlan-id

A user-side VLAN is created.

----End

4.3.4 Configuring a BAS Interface


When an interface is used for broadband access, you need to configure it as a BAS interface,
and then specify the user access type and attributes for the interface.

Context
When configuring a BAS interface, you need the following parameters:

l BAS interface number
l Access type and authentication scheme
l (Optional) Maximum number of users that are allowed to access through the BAS interface
and maximum number of users that are allowed to access through a specified VLAN
l (Optional) Default domain, roaming domain, and domains that users are allowed to access
l (Optional) Whether to enable the functions of proxy ARP, DHCP broadcast, accounting
packet copy, IP packet trigger-online, user-based multicast replication
l (Optional) Whether to trust the DHCP Option 82 field, user detection parameters, VPN
instances of non-PPP users, BAS interface name, and access device type

Do as follows on the NE80E/40E:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number [ .subinterface-number ]

The interface view is displayed.

Step 3 Run:
bas

A BAS interface is created and the BAS interface view is displayed.

You can configure an interface as the BAS interface by running the bas command in the interface
view. You can configure a Fast Ethernet (FE) interface or its sub-interface, a Gigabit Ethernet
(GE) interface or its sub-interface, a VE interface or its sub-interface, an Eth-Trunk interface
or its sub-interface, or an ATM interface or its sub-interface as a BAS interface.
Step 4 Run:
access-type layer2-subscriber [ default-domain { [ authentication [ force | replace ] dname ] [ pre-authentication predname ] } ]

The access type is set to Layer 2 subscriber access and the attributes of this access type are
configured.
Or run:
access-type layer3-subscriber [ default-domain { [ pre-authentication predname ] authentication [ force | replace ] dname } ]

The access type is set to Layer 3 subscriber access and the attributes of this access type are
configured.
When setting the access type on the BAS interface, you can set the service attributes of the access
users at the same time. You can also set these attributes in later configurations.
The access type cannot be configured on the Ethernet interface that is added to an Eth-Trunk
interface. You can configure the access type of such an Ethernet interface only on the associated
Eth-Trunk interface.
Step 5 (Optional) Run:
access-limit number

The number of users that are allowed to access through the interface is configured.
By default, the number of users that are allowed to access through the BAS interface is not
limited.
Step 6 (Optional) Run:
default-domain pre-authentication domain-name

The pre-authentication domain is specified. By default, the pre-authentication domain of the


BAS interface is default0.
l Or run:
default-domain authentication [ force | replace ] domain-name

The default authentication domain is specified. By default, the authentication domain of the
BAS interface is default1.
l Or run:
permit-domain domain-name &<1-4>

The domain in which users are allowed to access is specified.


By default, no domain for user access is specified on a BAS interface. This means that users
from all domains are allowed to access.
The permit-domain-list, deny-domain-list, deny-domain, and permit-domain commands are
mutually exclusive: only one of them can be configured on a given BAS interface.
Step 7 (Optional) Run:
client-option82 [ basinfo-insert cn-telecom ]

The Option 82 field (for a DHCP user) reported by a client is trusted by the router. Option 82 is
the relay agent information option (RFC 3046) that an access node inserts on the subscriber's
behalf. Enable this only where the access node inserts the field and discards any Option 82 that
subscribers send themselves, because the router then uses the field to identify the user (for
example, when default-user-name include option82 is configured).
Or run:
vbas

Issue 02 (2011-09-10) Huawei Proprietary and Confidential 137



The function of locating a user through the virtual BAS (VBAS) is enabled. By default, the
function of locating a user through the VBAS is disabled.
Step 8 (Optional) Run:
client-option60

The Option 60 field reported by a client is trusted by the router.


Step 9 (Optional) Run:
accounting-copy radius-server radius-name

The accounting packet copy function is enabled.


By default, the accounting packet copy function is disabled on a BAS interface.
Step 10 (Optional) Run:
ip-trigger

User access triggered by IP packets is enabled.


By default, this function is disabled on a BAS interface.
Or run:
arp-trigger

User access triggered by ARP packets is enabled.


By default, this function is disabled on a BAS interface.
Step 11 (Optional) Run:
user detect retransmit number interval time

The user detection parameters are configured.


By default, the number of detection times is 5 and the detection interval is 30 seconds.
Step 12 (Optional) Run:
block

The BAS interface is blocked.


Step 13 (Optional) Run:
dhcp-forcerenew

DHCPv4 forcerenew is enabled.


If a user goes offline abnormally (that is, not because the user requested it), DHCP Forcerenew
lets the BRAS instruct the client to send a DHCP Request packet to apply for a new address.
Step 14 (Optional) Run:
filter-policy acl acl-number dhcp

The router is configured to filter, based on the ACL rules, DHCP users that attempt to get online
through the BAS interface.
By default, ACL rules are not used to filter DHCP users that attempt to get online on a BAS
interface.
Step 15 Run:
authentication-method { { web | fast } | bind }

Web authentication, fast authentication, or bind authentication is configured.


You can set the authentication mode only for Layer 2 users on the BAS interface. Multiple
authentication modes can be configured on an interface, with the following exceptions:
l Web authentication conflicts with fast authentication.
l Bind authentication conflicts with the other authentication modes.

----End

4.3.5 Checking the Configuration


After configuring IPoX access, you can view information about the IPoX access service.

Procedure
l Run the display web-auth-server configuration command to check the configuration of
the Web authentication server.
l Run the display domain command to check the configuration of the domain.
l Run the display acl command to check the configuration of the ACL.
----End

Example
After the configuration is complete, you can run the display web-auth-server configuration
command to view the configuration of the Web authentication server.
<HUAWEI> display web-auth-server configuration
Source interface : -
Listening port : 2000
Portal : version 1, version 2
Display reply message : enabled
------------------------------------------------------------------------
Server Share-Password Port NAS-IP Vpn-instance
------------------------------------------------------------------------
192.168.3.140 huawei 50100 NO
------------------------------------------------------------------------
1 Web authentication server(s) in total

After the configuration is complete, you can run the display domain command to view
information about the binding between the domain and user group.
<HUAWEI> display domain isp1
Domain-name : isp1
Domain-state : Active
Domain-type : Normal domain
Service-type : HSI
Authentication-scheme-name : default1
Accounting-scheme-name : default1
Authorization-scheme-name : -
RADIUS-server-group : -
Accounting-copy-RADIUS-group : -
Hwtacacs-server-template : -
Tunnel-acct-2867 : Disabled
User-group-name : -
Policy-route : Disabled
Policy-route-nexthop : -
AdminUser-priority : -
Web-server-IP-address : -
Web-URL : -
Web-server-work-mode : Get
Primary dns-IP-address : -
Secondary dns-IP-address : -


Queue-profile-name : -
User-priority-up : 0
User-priority-down : 0
PPPoe-URL : Disabled
Portal-server-URL : -
Portal-server-IP-Address : -
Portal-force-times : 2
Quota-out : Offline
Force-Auth-Type : -
Idle-data-attribute (time,rate) : 3 minute, 100 Kbyte/minute
User-access-limit : 147456
Online-user-total : 0
User-session-limit : -
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Time-range : Disabled
GRE-group-name : -
L2TP-group-name : -
L2TP-user RADIUS Force : Disabled
Dot1x-template-index : 1
Realloc-IP-address : Disabled
Bill Flow : Disabled
Multicast flow statistic : Disabled
VPN-instance-name : --
Value-service-name : -
DPI-policy-group : -
Multicast-profile : -
IPUser-ReAuth-Time : 300 second
IP-Warning-Percent : -
Qos-profile-name : default
Zone-name : -
Ancp auto qos adapt : Disabled
TimeRange-Qos : Disabled
Val-added-srv-account : Default
Multicast Forwarding : Yes
Multicast Virtual : No
Multivirtual cir : -
Multivirtual pir : -
Max-multilist num : 4
L2TP-QosProfile-inbind : -
L2TP-QosProfile-outbind : -

After the configuration is complete, you can run the display acl command to view the
configuration of the ACL.
<HUAWEI> display acl 3100
Advanced ACL 3100, 3 rules,
rule 0 permit icmp (2 times matched)
rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 (0 times matched)
rule 2 permit tcp source 10.110.0.0 0.0.255.255 (0 times matched)

4.4 Configuring and Managing Users


The BRAS manages users either through the domain to which users belong or user accounts.

4.4.1 Establishing the Configuration Task


Before configuring and managing users, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.


Applicable Environment
The NE80E/40E parses the user name and domain name from a user account according to the
configured domain name delimiter and realm name delimiter, so the account format can be
adapted to the operator's requirements.
The administrator can manage online users on the NE80E/40E, including viewing online users
and disconnecting users.

Pre-configuration Tasks
Before configuring and managing users, complete the following tasks:
l Loading the BRAS license (For details, see the HUAWEI NetEngine80E/40E Router
Configuration Guide - System Management.)
l Configuring the access method and authentication method for the BAS interface

Data Preparation
To configure and manage users, you need the following data.

No. Data

1 Domain name delimiter, location of the domain name, and parsing direction of
the domain name

2 (Optional) Realm name delimiter, location of the realm name, and parsing
direction of the realm name

3 Parsing priority

4 User name, domain name, interface name or interface type/interface number,
VLAN ID, IP address, IP address pool to which the IP address belongs, VPN
instance, MAC address, user ID, and slot number of an online user

4.4.2 Configuring User Account Parsing


The sequence of a domain name and a user name can be flexibly configured to meet different
requirements.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa


The AAA view is displayed.

Step 3 Run:
domain-name-delimiter delimiter

The domain name delimiter is configured.

By default, the domain name delimiter is @.

Step 4 Run:
domain-location { after-delimiter | before-delimiter }

The location of the domain name is configured.

By default, the domain name is placed after the domain name delimiter.

Step 5 Run:
domainname-parse-direction { left-to-right | right-to-left }

The parsing direction of the domain name is configured.

By default, the domain name is parsed from left to right.

Step 6 (Optional) Run:


realm-name-delimiter delimiter

The realm name delimiter is configured.

By default, the realm name delimiter is not configured.

Step 7 (Optional) Run:


realm-location { after-delimiter | before-delimiter }

The location of the realm name is configured.

By default, the realm name is placed before the realm name delimiter.

Step 8 (Optional) Run:


realmname-parse-direction { left-to-right | right-to-left }

The parsing direction of the realm name is configured.

By default, the realm name is parsed from left to right.

Step 9 Run:
parse-priority { domain-first | realm-first }

The parsing priority is configured.

If the parsing priority is set to domain-first, the domain name is parsed first and the realm
name is excluded from the user account.

By default, the parsing priority is domain-first.

----End
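The parsing rules in Steps 3 through 5 can be modelled to check what user name and domain an account string will resolve to before the matching domain is created. The following Python function is an added example written for this guide, not code from the Huawei product. It covers only the domain delimiter (not the optional realm delimiter of Steps 6 through 8), and it assumes that left-to-right means the first delimiter found from the left is used, that right-to-left means the last one, and that an account without a delimiter falls into the domain named default, as section 4.4.3 describes for local users.

```python
# Added example (not from the Huawei guide): a model of how the BRAS splits a
# user account into user name and domain name using domain-name-delimiter,
# domain-location and domainname-parse-direction.
# Assumptions: "left-to-right" uses the first delimiter found scanning from
# the left, "right-to-left" the first one found scanning from the right;
# accounts with no delimiter (or an empty domain part) fall into "default".
from typing import Tuple


def parse_account(account: str, delimiter: str = "@",
                  location: str = "after-delimiter",
                  direction: str = "left-to-right",
                  default_domain: str = "default") -> Tuple[str, str]:
    """Return (user_name, domain_name) for an account string."""
    if location not in ("after-delimiter", "before-delimiter"):
        raise ValueError("location must be after-delimiter or before-delimiter")
    if direction not in ("left-to-right", "right-to-left"):
        raise ValueError("direction must be left-to-right or right-to-left")
    if len(delimiter) != 1:
        raise ValueError("delimiter must be a single character")

    if direction == "left-to-right":
        pos = account.find(delimiter)
    else:
        pos = account.rfind(delimiter)
    if pos == -1:
        # No delimiter at all: the whole string is the user name.
        return account, default_domain

    left, right = account[:pos], account[pos + 1:]
    if location == "after-delimiter":
        user, domain = left, right
    else:
        user, domain = right, left
    if not domain:
        # "alice@" has an empty domain part; treat it like a missing one.
        domain = default_domain
    return user, domain


if __name__ == "__main__":
    # Same account, both parsing directions: the domain differs.
    print(parse_account("alice@corp@isp1"))                              # ('alice', 'corp@isp1')
    print(parse_account("alice@corp@isp1", direction="right-to-left"))  # ('alice@corp', 'isp1')
    print(parse_account("isp1/alice", delimiter="/", location="before-delimiter"))
```

The two-delimiter case is the one worth testing against the router: with the default left-to-right direction, everything after the first @ becomes the domain name, so an account such as alice@corp@isp1 is looked up in a domain called corp@isp1 rather than isp1.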

4.4.3 Creating a Local User Account


You can create a user in the AAA view. The user can carry a domain name. If the user does not
carry a domain name, the local user belongs to the default domain by default.


Context
If the user-security-policy enable command has been run, the following rules must be obeyed
when configuring user names and passwords:
l A local user name must be longer than six characters.
l A password must be longer than eight characters.
l A password must contain digits, upper-case letters, lower-case letters, and special
characters (spaces and question marks are not allowed).
l A password cannot be the same as the user name, nor can it be the reverse of the user
name.
l A message indicating that the user name or password is incorrect is displayed if an
administrator does not enter the user name or password or enters an incorrect user name or
password.

Do as follows on the router:

Procedure
l local AAA view
1. Run:
system-view

The system view is displayed.


2. Run:
local-aaa-server

The local AAA view is displayed.


3. Run:
user username { password { simple simple-password | cipher cipher-password } |
authentication-type type-mask | block [ fail-times fail-times-value interval interval-value ] |
ftp-directory ftp-directory | ip-address ip-address [ vpn-instance instance-name ] |
level level | callback-nocheck | callback-number callback-number | idle-cut |
qos-profile qos-profile } *

A local user account is created.

After a new user account is added, it adopts the following default attributes:

The access restriction is off and the access mode is A (all access modes).
The status is Active.
The idle cut function is disabled.
The group number for intergroup access is 0.
The maximum number of connections is 24.
The MAC restriction is disabled.
The password is "vlan". Because this default is a fixed, publicly documented string, always
set the password explicitly (password cipher cipher-password) when creating the account.
The UCL group number is 0.
The flow control is disabled.
The user priority is 0.


l AAA view
1. Run:
system-view

The system view is displayed.


2. Run:
aaa

The AAA view is displayed.


3. Run:
local-user user-name password { simple | cipher } password

A local user account is created.


If the user name contains @, the character before @ is the user name and the character
after @ is the domain name. If the user name does not contain @, the whole character
string represents the user name and the domain name is default.
4. (Optional) Run:
prompt last-info

Recording of the latest administrator login is enabled.


By default, recording the latest administrator login is disabled.
If information about the latest administrator login, such as the last successful login
time, IP address, and number of login failures, needs to be recorded, run the prompt
last-info command to enable the system to record the information.
The prompt last-info command is valid to local users configured in the AAA view,
but invalid to local users configured in the local AAA server view.
----End

4.4.4 Configuring the User Name Format and Password


The NE80E/40E supports the configuration of the user name format and password. No user name
or password needs to be entered for users that attempt to get online through binding or fast
authentication.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:


default-user-name [ template template-name ] include { gateway-address | ip-address | mac-address | option12 | option60 | option61 | option82 | sysname } *

The router is configured to generate the IPoX user name according to information carried in the
user access request packet.
Or run:
vlanpvc-to-username { standard | turkey | version10 | version20 }

Or run:
vlanpvc-to-username standard trust { pevlan | cevlan }

The router is configured to generate the IPoX user name by using the original format.
By default, the original format of the IPoX user name is defined in version20.
Step 4 Run:
default-password { cipher cipher-password | simple simple-password }

The password of the IPoX user is configured.


The differences between cipher and simple are as follows:
l If cipher is configured, the password is stored in cipher text in the configuration file,
regardless of whether it was entered in plain text or cipher text.
l If simple is configured, the password is stored in plain text in the configuration file, so
anyone who can read the configuration file (or a backup of it) can read the password. Use
cipher.

----End
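Step 7 of section 4.3.4 (client-option82) and Step 3 above both depend on fields carried in the subscriber's DHCP request. The following Python code is an added example, not part of the Huawei guide: it parses the option list of a DHCPv4 packet according to RFC 2132 (options 12, 60 and 61) and RFC 3046 (option 82 with its circuit-id and remote-id sub-options), and joins the selected fields into a user name in the order given, the way default-user-name include selects them. The sample packet bytes, the "#" and "/" join characters, the trust_option82 guard (which refuses to use Option 82 unless the equivalent of client-option82 is enabled) and the function names are assumptions of this example, not the router's actual user name format.

```python
# Added example (not from the Huawei guide): parse DHCPv4 options and build an
# IPoX user name from the fields that "default-user-name include" can select.
# Option layout per RFC 2132; option 82 sub-options per RFC 3046.
# The join format ("#" between fields, "/" between circuit-id and remote-id)
# and the trust_option82 guard are assumptions of this example.
from typing import Dict, List

MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Parse the TLV option list that follows the magic cookie."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    out: Dict[int, bytes] = {}
    i = len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        # A repeated code is concatenated (RFC 3396 long options).
        out[code] = out.get(code, b"") + value
        i += 2 + length
    return out


def parse_option82(value: bytes) -> Dict[int, bytes]:
    """Split the relay agent information option into its sub-options."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i + 1 < len(value):
        sub, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option 82 sub-option truncated")
        subs[sub] = data
        i += 2 + length
    return subs


def build_user_name(options: Dict[int, bytes], include: List[str],
                    client_mac: bytes, sysname: str = "HUAWEI",
                    trust_option82: bool = False) -> str:
    """Join the selected fields, in the order of 'include', into a user name."""
    parts = []
    for item in include:
        if item == "mac-address":
            parts.append(client_mac.hex("-"))      # from chaddr, not an option
        elif item == "sysname":
            parts.append(sysname)
        elif item == "option12":
            parts.append(options.get(12, b"").decode("ascii", "replace"))
        elif item == "option60":
            parts.append(options.get(60, b"").decode("ascii", "replace"))
        elif item == "option61":
            # First byte is the hardware type; the rest is the identifier.
            parts.append(options.get(61, b"")[1:].hex("-"))
        elif item == "option82":
            if not trust_option82:
                # Untrusted Option 82 must never feed identification.
                raise ValueError("option82 requested but client-option82 is not enabled")
            subs = parse_option82(options.get(82, b""))
            circuit = subs.get(1, b"").decode("ascii", "replace")
            remote = subs.get(2, b"").decode("ascii", "replace")
            parts.append(circuit + "/" + remote)
        else:
            raise ValueError("unsupported include keyword " + item)
    return "#".join(parts)


# Constructed sample (not a captured packet): DISCOVER with host name, vendor
# class, client identifier and an Option 82 inserted by an access node.
SAMPLE_MAC = bytes.fromhex("0011223344aa")
SAMPLE_OPTIONS = (
    MAGIC_COOKIE
    + b"\x35\x01\x01"                   # option 53: DHCPDISCOVER
    + b"\x0c\x06cpe-01"                 # option 12: host name
    + b"\x3c\x08MSFT 5.0"               # option 60: vendor class identifier
    + b"\x3d\x07\x01" + SAMPLE_MAC      # option 61: hardware type 1 + MAC
    + b"\x52\x16"                       # option 82, 22 bytes of sub-options
    + b"\x01\x0deth 0/1/3:101"          # sub-option 1: circuit-id
    + b"\x02\x05OLT-7"                  # sub-option 2: remote-id
    + b"\xff"                           # end
)

if __name__ == "__main__":
    opts = parse_dhcp_options(SAMPLE_OPTIONS)
    print(build_user_name(opts, ["option82", "mac-address"], SAMPLE_MAC,
                          trust_option82=True))
```

The point of the guard is the one made at client-option82: a user name derived from Option 82 is only as trustworthy as the device that inserted the option, so the field is used for identification only after the access side has been declared trusted.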

4.4.5 Configuring the Local User Status


The local user can be in the active or blocked state. An active user can be authenticated; a blocked
user cannot be authenticated.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
local-user user-name state { active | block }

The local user status is configured.


By default, the local user is in the active state.

----End


Follow-up Procedure
The authentication request from a local user in the active or blocked state is processed in a
different manner.

l If the local user is in the active state, the authentication request from this user is allowed
for further processing.
l If the local user is in the blocked state, the authentication request from this user is denied.

4.4.6 Configuring the Limit on the Number of Access Users


Limiting the number of access users can prevent unauthorized users from accessing the network.

Context
Do as follows on the router:

Procedure
l Restricting the access of local users
1. Run:
system-view

The system view is displayed.


2. Run:
aaa

The AAA view is displayed.


3. Run:
local-user user-name access-limit max-number

The local user access limit is configured.


By default, the number of access users with the same user name is not restricted.
l Restricting the access of DHCP users
1. Run:
system-view

The system view is displayed.


2. Run:
dhcp-user-slot-warning-threshold

The alarm threshold for DHCP users allowed to access an LPU is configured. If the
percentage of DHCP users currently accessing the LPU exceeds the threshold, an
alarm is generated.
3. Run:
dhcp-user-warning-threshold

The alarm threshold for DHCP users allowed to access the entire NE80E/40E is
configured. If the percentage of DHCP users currently accessing the entire NE80E/
40E exceeds the threshold, an alarm is generated.
4. Run:
dhcp connection chasten request-sessions request-period blocking-period


The number of DHCP access attempts is limited.

display dhcp chasten-number

You can view the number of users whose attempts to set up DHCP connections
are limited.
display dhcp chasten-user

You can view information about users whose attempts to set up DHCP connections
are limited.
display dhcp connection-chasten

You can view settings of the limit on attempts to set up a DHCP connection.
dhcp reset chasten-number

You can reset the statistics on user attempts to set up a DHCP connection.
l Restricting the access of users allowed to access an LPU
1. Run:
system-view

The system view is displayed.


2. Run:
slot-warning-threshold

The alarm threshold for users allowed to access an LPU is configured. If the percentage
of users currently accessing the LPU exceeds the threshold, an alarm is generated on
the router.
----End
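The limit in step 4 of the DHCP procedure (dhcp connection chasten) is a window-and-penalty rule, as is the block fail-times interval option for local users in section 4.4.3. The following Python class is an added example and not Huawei code. Its assumed semantics are that more than request_sessions attempts from one MAC address within request_period seconds block that address for blocking_period seconds; the router's real counting rules and the output format of display dhcp chasten-number are not reproduced.

```python
# Added example (not from the Huawei guide): a model of
# "dhcp connection chasten request-sessions request-period blocking-period".
# Assumed semantics: more than request_sessions attempts from one client
# (keyed by MAC address) within request_period seconds block that client for
# blocking_period seconds. Timestamps are passed in explicitly so the
# behaviour can be reproduced without a clock.
from collections import deque
from typing import Deque, Dict


class ConnectionChasten:
    def __init__(self, request_sessions: int, request_period: float,
                 blocking_period: float):
        if request_sessions < 1 or request_period <= 0 or blocking_period <= 0:
            raise ValueError("all parameters must be positive")
        self.request_sessions = request_sessions
        self.request_period = request_period
        self.blocking_period = blocking_period
        self._attempts: Dict[str, Deque[float]] = {}   # mac -> attempt times
        self._blocked_until: Dict[str, float] = {}      # mac -> end of penalty

    def allow(self, mac: str, now: float) -> bool:
        """Record one DHCP attempt at time 'now'; return False if it is refused."""
        until = self._blocked_until.get(mac)
        if until is not None:
            if now < until:
                return False                  # still inside the blocking period
            del self._blocked_until[mac]      # penalty expired, start afresh
            self._attempts.pop(mac, None)
        window = self._attempts.setdefault(mac, deque())
        window.append(now)
        # Drop attempts that fell out of the request period.
        while window and now - window[0] > self.request_period:
            window.popleft()
        if len(window) > self.request_sessions:
            self._blocked_until[mac] = now + self.blocking_period
            del self._attempts[mac]
            return False
        return True

    def chasten_number(self, now: float) -> int:
        """Clients currently blocked (cf. display dhcp chasten-number)."""
        return sum(1 for t in self._blocked_until.values() if now < t)

    def reset(self) -> None:
        """Clear all statistics (cf. dhcp reset chasten-number)."""
        self._attempts.clear()
        self._blocked_until.clear()


if __name__ == "__main__":
    limiter = ConnectionChasten(request_sessions=3, request_period=10.0,
                                blocking_period=60.0)
    for t in (0.0, 1.0, 2.0, 3.0, 30.0, 70.0):
        print(t, limiter.allow("00-11-22-33-44-aa", t))
```

Keyed on the MAC address, the limiter contains a flood of DISCOVERs from one port without touching other subscribers, which is the property to verify after enabling the command: a misbehaving CPE should show up in display dhcp chasten-user while its neighbours keep getting addresses.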

4.4.7 Disconnecting Online Users


The NE80E/40E supports the disconnection of online users by the IP address, MAC address,
access port, or domain.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
cut access-user username user-name { all | hwtacacs | local | none | radius }

The online user with the specified user name is disconnected.


Or run:


cut access-user domain domain-name

The online users in the specified domain are disconnected.


Or run:
cut access-user mac-address mac-address

The online user with the specified MAC address is disconnected.


Or run:
cut access-user ipv6-address ipv6-address [ vpn-instance instance-name ]

The online user with the specified IPv6 address is disconnected.


Or run:
cut access-user ip-address ip-address [ vpn-instance instance-name ]

The online user with the specified IP address is disconnected.


Or run:
cut access-user interface interface-type interface-number [ pevlan vlan-id ]
[ cevlan vlan-id ]

The online users on the specified interface are disconnected.


Or run:
cut access-user user-id start-no [ end-no ]

The online user with the specified user ID is disconnected.


Or run:
cut access-user ip-pool pool-name

The online users using the IP addresses in the specified IP address pool are disconnected.
Or run:
cut access-user slot slot-id

All users on the board in the specified slot are disconnected.

----End

4.4.8 Generating Offline Records and Online Failure Records

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:


aaa offline-record

Offline records are generated.

By default, offline records are generated.

Step 3 Run:
aaa online-fail-record

Online failure records are generated.

By default, online failure records are generated.

Step 4 Run:
aaa abnormal-offline-record

The records of abnormal logout are generated.

By default, the system generates the records of abnormal logout.

----End

4.4.9 Tracing Services of Users

Context
Do as follows on the router:

Procedure
Step 1 Run:
trace access-user object object-id { access-mode mode | user-name username |
interface interface-type interface-number | ip-address ip-address | mac-address mac-address |
ce-vlan ce-vlan-id | pe-vlan pe-vlan-id } * [ output [ file file-name | syslog-server ip-address | vty ] | -t time ] *

Service tracing is enabled.

By default, service tracing is enabled. Tracing information is output to the VTY terminal, and
the tracing time is 15 minutes.

Service tracing decreases the performance of the NE80E/40E. Therefore, use it only when you
need to locate faults, and disable it when the NE80E/40E runs normally. If the status of a great
number of users changes, specify the objects to be traced precisely; otherwise, a great number
of resources are wasted and user services are affected.

----End

4.4.10 Checking the Configuration


After user management is configured, you can view configuration of the user name format and
user account parsing.

Procedure
l Run the display static-user command to check information about static users.


l Run the display aaa configuration command to check the configuration of the user account
parsing function.
l Run the display vlanpvc-to-username command to check the configuration of the format
of the IPoX user name.
l Run the display call rate command to check the call completion (put-through) rate of all types of users.
----End

Example
After the configuration is complete, you can run the display static-user command to view
information about static users.
<HUAWEI> display static-user
---------------------------------------------------------------------------
Interface VLAN-ID/PVC IP-address MAC-address VPN
---------------------------------------------------------------------------
- - 10.10.10.2 - --
GE1/0/2 - 10.10.10.5 - --
---------------------------------------------------------------------------
Total 2 item(s) matched

After the configuration is complete, you can run the display aaa configuration command to
view the configuration of the user account parsing function.
<HUAWEI> display aaa configuration
---------------------------------------------------------------------------
AAA configuration information :
---------------------------------------------------------------------------
Parse Priority : Domain first
Domain Name Delimiter : @
Domainname parse direction : Left to right
Domainname location : After-delimiter
Realm name delimiter : -
Realmname parse direction : Left to right
Realmname location : Before-delimiter
Domain : total: 1024 used: 7
Authentication-scheme : total: 32 used: 4
Authorization-scheme : total: 16 used: 2
Accounting-scheme : total: 128 used: 4
Recording-scheme : total: 128 used: 1
AAA-access-user : total: 279552 used: 0
Access-user-state : authen: 0 author: 0 accounting: 0
Transition-step : -
Min-Delay-time : -
Max-Delay-time : -
Access speed : -
Account-session-id-version : Version1
---------------------------------------------------------------------------

After the configuration is complete, you can run the display vlanpvc-to-username command
to view the configuration of the format of the IPoX user name.
<HUAWEI> display vlanpvc-to-username
Version of vlan and pvc model in username : Version2.0

After the configuration is complete, you can run the display call rate command to view the call
completion (put-through) rate of all types of users.
<HUAWEI> display call rate
User callrate:
--------------------------------------------------------
Usertype Calltime Callcompletion Rate
--------------------------------------------------------
PPP 127 127 100.00%


Dot1X 324 324 100.00%


Web/Fast 7 7 100.00%
Bind 0 0 0.00%
Total 458 458 100.00%

4.5 Maintaining BRAS Access


Maintaining BRAS access includes monitoring the operation status of the BRAS, clearing the
statistics about login and logout users, and debugging in the case of failures.

4.5.1 Displaying BRAS Access Information


You can view BRAS access information, including user login and logout records.

Context
After the preceding configurations, run the following display commands in any view to check
the BRAS configurations. For details, see the HUAWEI NetEngine80E/40E Router - Command
Reference.

Procedure
Step 1 Run the display web-auth-server configuration command to check the configuration of the
Web authentication server.

Step 2 Run the display bas-interface command to check the configuration of the BAS interface.

Step 3 Run the display aaa online-fail-record command to check the login failure records.

Step 4 Run the display aaa offline-record command to check the logout records.

Step 5 Run the display aaa abnormal-offline-record command to check the abnormal logout records.

Step 6 Run the display access-user command in any view to check information about online users.

----End

4.5.2 Clearing BRAS Access Information


If there are too many login and logout records, you can delete the BRAS access authentication
information.

Context

CAUTION
BRAS access information cannot be restored after it is cleared. Exercise caution when running
the commands.

To clear BRAS access information, run the following reset commands.


Procedure
Step 1 Run the reset aaa online-fail-record command in the user view to clear the login failure records.
Step 2 Run the reset aaa offline-record command in the user view to clear the logout records.
Step 3 Run the reset aaa abnormal offline-record command in the user view to clear the abnormal
logout records.
Step 4 Run the reset call rate command in the user view to clear the call rate statistics of users.

----End

4.6 Configuration Examples


This section provides examples for configuring the BRAS access service, including networking
requirements, configuration notes, and configuration roadmap.

4.6.1 Example for Configuring the IPoE Access Service for VPN
Users by Using Web Authentication
This section provides an example for configuring IPoE access to a VPN by using Web
authentication, including the networking requirements, configuration roadmap, configuration
procedure, and configuration files.

Networking Requirements
The networking is shown in Figure 4-2. The requirements are as follows:
l The user belongs to domain isp2 and accesses the Internet by using GE 1/0/2 on the
router in IPoE mode.
l The user adopts Web authentication, RADIUS authentication, and RADIUS accounting.
l The IP address of the RADIUS server is 192.168.8.249. The authentication port number is
1812 and the accounting port number is 1813. The standard RADIUS protocol is used. The
shared key is hello.
l The user is a VPN user and belongs to a VPN instance named vpn1.
l The IP address of the DNS server is 192.168.8.252.
l The IP address of the Web authentication server is 192.168.8.251 and the key is webvlan.
l The network-side interface is GE 1/0/1.


Figure 4-2 Networking for configuring the IPoE access service (figure not reproduced): the
subscriber (@isp2) reaches the router through the access network on GE1/0/2; GE1/0/1 faces the
Internet. The DNS server (192.168.8.252), WEB server (192.168.8.251), and RADIUS server
(192.168.8.249) sit behind the router, which is labelled 192.168.8.1.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a VPN instance.


2. Configure authentication and accounting schemes.
3. Configure a RADIUS server group.
4. Configure an address pool.
5. Configure a pre-authentication domain and an authentication domain for Web
authentication.
6. Configure the Web authentication server.
7. Configure ACL rules and traffic policies.
8. Configure a BAS interface and an upstream interface.

Data Preparation
To complete the configuration, you need the following data:

l VPN instance name, RD, and VPN target


l Authentication template name and authentication mode
l Accounting template name and accounting mode
l RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server
l IP address pool name, gateway address, and DNS sever address
l Domain name
l Web authentication server address
l ACL rules
l Traffic policy
l BAS interface parameters


Procedure
Step 1 Configure a VPN instance.
<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] route-distinguisher 100:1
[HUAWEI-vpn-instance-vpn1] vpn-target 100:1 both
[HUAWEI-vpn-instance-vpn1] quit

Step 2 Configure AAA schemes.

# Configure an authentication scheme.


<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme auth2
[HUAWEI-aaa-authen-auth2] authentication-mode radius
[HUAWEI-aaa-authen-auth2] quit

# Configure an accounting scheme.


[HUAWEI-aaa] accounting-scheme acct2
[HUAWEI-aaa-accounting-acct2] accounting-mode radius
[HUAWEI-aaa-accounting-acct2] quit
[HUAWEI-aaa] quit

Step 3 Configure a RADIUS server group.


[HUAWEI] radius-server group rd2
[HUAWEI-radius-rd2] radius-server authentication 192.168.8.249 1812
[HUAWEI-radius-rd2] radius-server accounting 192.168.8.249 1813
[HUAWEI-radius-rd2] radius-server type standard
[HUAWEI-radius-rd2] radius-server shared-key hello
[HUAWEI-radius-rd2] quit
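
The RADIUS server group above only names the server addresses, ports and the shared key; what that key actually protects is worth seeing on the wire. The following Python script is an added example, not part of the Huawei guide or of any Huawei software: it builds the Access-Request a BRAS sends for a PAP login, answers it as the RADIUS server would, and verifies the reply on the BRAS side. It uses the shared key hello and the NAS address 192.168.8.1 from this section; the user name user1@isp1, the password and the server's user table are constructed for illustration.

```python
"""RADIUS PAP exchange between a BRAS and a RADIUS server (RFC 2865).

Added example, not from the Huawei guide. The shared key "hello" and the NAS
address 192.168.8.1 come from the configuration example; the user name,
password and server-side user table are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

SHARED_KEY = b"hello"                 # radius-server shared-key hello
NAS_IP = bytes([192, 168, 8, 1])      # GE1/0/1 address in the example


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * ((-len(password)) % 16) if password else b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is removed."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(pkt: bytes) -> dict:
    attrs, pos = {}, 20
    while pos + 2 <= len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2:          # malformed attribute; stop rather than loop
            break
        attrs[t] = pkt[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(username: str, password: str, secret: bytes,
                         ident: int, request_auth: bytes = None) -> bytes:
    """BRAS side: Access-Request carrying a PAP User-Password."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, NAS_IP))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, length, request_auth, attrs, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + attrs + secret).digest()


def handle_access_request(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, decide, and sign the reply with the key."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request)
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if users.get(username) == password else ACCESS_REJECT
    resp_auth = response_authenticator(code, ident, 20, request_auth, b"", secret)
    return packet(code, ident, resp_auth, b"")


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """BRAS side: accept a reply only if its Identifier matches the outstanding
    request and its Response Authenticator was computed with our shared key."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, length, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    users = {"user1@isp1": b"vlan"}   # constructed server-side credential store
    req = build_access_request("user1@isp1", "vlan", SHARED_KEY, ident=7)
    resp = handle_access_request(req, SHARED_KEY, users)
    print("code", resp[0], "verified", verify_response(req, resp, SHARED_KEY))
```

Two things this makes concrete. The user password is only XOR-masked with MD5(shared key || Request Authenticator), and the Access-Accept is authenticated solely by an MD5 over the packet and that same key, so a short dictionary word such as hello (acceptable in a lab example) lets anyone who captures a single exchange recover the key offline and then read passwords or forge accepts. Also, a BRAS must discard replies whose Identifier does not match an outstanding request, which verify_response checks before anything else.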

Step 4 Configure an address pool.


[HUAWEI] ip pool pool2 bas local
[HUAWEI-ip-pool-pool2] gateway 172.82.1.1 255.255.255.0
[HUAWEI-ip-pool-pool2] section 0 172.82.1.2 172.82.1.200
[HUAWEI-ip-pool-pool2] dns-server 192.168.8.252
[HUAWEI-ip-pool-pool2] vpn-instance vpn1
[HUAWEI-ip-pool-pool2] quit

Step 5 Configure a domain.

# Configure domain default0 as the pre-authentication domain for Web authentication.


[HUAWEI] user-group huawei
[HUAWEI] aaa
[HUAWEI-aaa] domain default0
[HUAWEI-aaa-domain-default0] ip-pool pool2
[HUAWEI-aaa-domain-default0] user-group huawei
[HUAWEI-aaa-domain-default0] service-type hsi
[HUAWEI-aaa-domain-default0] web-server 192.168.8.251
[HUAWEI-aaa-domain-default0] web-server url http://192.168.8.251
[HUAWEI-aaa-domain-default0] vpn-instance vpn1
[HUAWEI-aaa-domain-default0] quit

# Configure domain isp2 as the authentication domain for Web authentication.


[HUAWEI-aaa] domain isp2
[HUAWEI-aaa-domain-isp2] authentication-scheme auth2
[HUAWEI-aaa-domain-isp2] accounting-scheme acct2
[HUAWEI-aaa-domain-isp2] radius-server group rd2
[HUAWEI-aaa-domain-isp2] service-type hsi
[HUAWEI-aaa-domain-isp2] vpn-instance vpn1
[HUAWEI-aaa-domain-isp2] quit
[HUAWEI-aaa] quit


Step 6 Configure the Web authentication server.


[HUAWEI] web-auth-server 192.168.8.251 key webvlan

Step 7 Configure an ACL.


# Configure ACL rules.
[HUAWEI] acl number 6000
[HUAWEI-acl-ucl-6000] rule deny ip source user-group huawei
[HUAWEI-acl-ucl-6000] quit
[HUAWEI] acl number 6001
[HUAWEI-acl-ucl-6001] rule permit ip source user-group huawei destination ip-address 192.168.8.251 0
[HUAWEI-acl-ucl-6001] rule permit ip source user-group huawei destination ip-address 192.168.8.252 0
[HUAWEI-acl-ucl-6001] quit

# Configure a traffic policy.


[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 6000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic classifier c2
[HUAWEI-classifier-c2] if-match acl 6001
[HUAWEI-classifier-c2] quit
[HUAWEI] traffic behavior deny1
[HUAWEI-behavior-deny1] deny
[HUAWEI-behavior-deny1] quit
[HUAWEI] traffic behavior perm1
[HUAWEI-behavior-perm1] permit
[HUAWEI-behavior-perm1] quit
[HUAWEI] traffic policy action1
[HUAWEI-policy-action1] classifier c2 behavior perm1
[HUAWEI-policy-action1] classifier c1 behavior deny1
[HUAWEI-policy-action1] quit

# Apply the traffic policy globally.


[HUAWEI] traffic-policy action1 inbound
[HUAWEI] traffic-policy action1 outbound

Step 8 Configure interfaces.


# Configure a BAS interface.
[HUAWEI] interface GigabitEthernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] bas
[HUAWEI-GigabitEthernet1/0/2-bas] access-type layer2-subscriber
[HUAWEI-GigabitEthernet1/0/2-bas] authentication-method web
[HUAWEI-GigabitEthernet1/0/2-bas] default-domain authentication isp2
[HUAWEI-GigabitEthernet1/0/2-bas] quit
[HUAWEI-GigabitEthernet1/0/2] quit

# Configure an upstream interface.

NOTE

The upstream interface connects to the MPLS network; its MPLS and VPN configuration is not covered here. For details, see the chapter BGP/MPLS IP VPN in the HUAWEI NetEngine80E/40E Router Configuration Guide - VPN.
[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 192.168.8.1 255.255.255.0

----End

Configuration Files
#
sysname HUAWEI
#
user-group huawei


#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
radius-server group rd2
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key hello
#
#
acl number 6000
rule 5 deny ip source user-group huawei
#
acl number 6001
rule 5 permit ip source user-group huawei destination ip-address 192.168.8.251 0
rule 10 permit ip source user-group huawei destination ip-address 192.168.8.252 0
#
traffic classifier c2 operator and
if-match acl 6001
traffic classifier c1 operator and
if-match acl 6000
#
traffic behavior perm1
traffic behavior deny1
deny
#
traffic policy action1
classifier c2 behavior perm1
classifier c1 behavior deny1
traffic-policy action1 inbound
traffic-policy action1 outbound
#
interface GigabitEthernet1/0/2
bas
access-type layer2-subscriber default-domain authentication isp2
authentication-method web
#
interface GigabitEthernet1/0/1
ip address 192.168.8.1 255.255.255.0
#
ip pool pool2 bas local
vpn-instance vpn1
gateway 172.82.1.1 255.255.255.0
section 0 172.82.1.2 172.82.1.200
dns-server 192.168.8.252
#
aaa
authentication-scheme auth2
accounting-scheme acct2
domain default0
service-type hsi
web-server 192.168.8.251
web-server url http://192.168.8.251
user-group huawei
vpn-instance vpn1
ip-pool pool2
domain isp2
authentication-scheme auth2
accounting-scheme acct2
service-type hsi
radius-server group rd2
#
return


4.6.2 Example for Configuring the IPoEoVLAN Access Service


This section provides an example for configuring the IPoEoVLAN access service, including the
networking requirements, configuration roadmap, configuration procedure, and configuration
files.

Networking Requirements
The networking is shown in Figure 4-3. The requirements are as follows:

l The user belongs to domain isp3 and accesses the Internet by using GE 1/0/2.1 on the
router in IPoEoVLAN mode. The LAN switch tags user packets with VLAN 1 and VLAN
2.
l The user adopts binding authentication, RADIUS authentication, and RADIUS accounting.
l The IP address of the RADIUS server is 192.168.8.249. The authentication port number is
1812 and the accounting port number is 1813. The standard RADIUS protocol is adopted.
The shared key is hello.
l The IP address of the DNS server is 192.168.8.252.
l The network-side interface is GE 1/0/1.

Figure 4-3 Networking for configuring the IPoEoVLAN access service
[Figure: subscriber1@isp3 and subscriber2@isp3 -- Switch -- Router (GE1/0/2.1 user side; GE1/0/1 network side, 192.168.8.1) -- Internet; DNS server 192.168.8.252, RADIUS server 192.168.8.249]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure authentication and accounting schemes.
2. Configure a RADIUS server group.
3. Configure an address pool.
4. Configure an authentication domain.
5. Configure a BAS interface and an upstream interface.


Data Preparation
To complete the configuration, you need the following data:

l Authentication template name and authentication mode
l Accounting template name and accounting mode
l RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server
l IP address pool, gateway address, and DNS server address
l Domain name
l BAS interface parameters

Procedure
Step 1 Configure AAA schemes.

# Configure an authentication scheme.


<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme auth3
[HUAWEI-aaa-authen-auth3] authentication-mode radius
[HUAWEI-aaa-authen-auth3] quit

# Configure an accounting scheme.


[HUAWEI-aaa] accounting-scheme acct3
[HUAWEI-aaa-accounting-acct3] accounting-mode radius
[HUAWEI-aaa-accounting-acct3] quit
[HUAWEI-aaa] quit

Step 2 Configure a RADIUS server group.


[HUAWEI] radius-server group rd3
[HUAWEI-radius-rd3] radius-server authentication 192.168.8.249 1812
[HUAWEI-radius-rd3] radius-server accounting 192.168.8.249 1813
[HUAWEI-radius-rd3] radius-server type standard
[HUAWEI-radius-rd3] radius-server shared-key hello
[HUAWEI-radius-rd3] quit

Step 3 Configure an address pool.


[HUAWEI] ip pool pool3 bas local
[HUAWEI-ip-pool-pool3] gateway 172.82.2.1 255.255.255.0
[HUAWEI-ip-pool-pool3] section 0 172.82.2.2 172.82.2.200
[HUAWEI-ip-pool-pool3] dns-server 192.168.8.252
[HUAWEI-ip-pool-pool3] quit

NOTE

The configured address pool is used for the authentication domain. The pre-authentication domain is not
required because a user that adopts binding authentication can be authenticated automatically when the
user goes online.

Step 4 Configure an authentication domain.


[HUAWEI] aaa
[HUAWEI-aaa] domain isp3
[HUAWEI-aaa-domain-isp3] authentication-scheme auth3
[HUAWEI-aaa-domain-isp3] accounting-scheme acct3
[HUAWEI-aaa-domain-isp3] radius-server group rd3
[HUAWEI-aaa-domain-isp3] ip-pool pool3
[HUAWEI-aaa-domain-isp3] quit
[HUAWEI-aaa] quit


NOTE

When a user obtains an IP address in binding authentication, the router authenticates the user automatically.
Therefore, you do not need to configure the ACL to control the network access rights of the user before
authentication. Instead, you need to configure the ACL to control the network access rights of the user after
authentication.

Step 5 Configure interfaces.


# Configure a BAS interface.
[HUAWEI] interface GigabitEthernet 1/0/2.1
[HUAWEI-GigabitEthernet1/0/2.1] user-vlan 1 2
[HUAWEI-GigabitEthernet1/0/2.1-vlan-1-2] quit
[HUAWEI-GigabitEthernet1/0/2.1] bas
[HUAWEI-GigabitEthernet1/0/2.1-bas] access-type layer2-subscriber
[HUAWEI-GigabitEthernet1/0/2.1-bas] authentication-method bind
[HUAWEI-GigabitEthernet1/0/2.1-bas] default-domain authentication isp3
[HUAWEI-GigabitEthernet1/0/2.1-bas] quit
[HUAWEI-GigabitEthernet1/0/2.1] quit

NOTE

l The user name for binding authentication is automatically generated based on the location where the
user accesses the NE80E/40E. Therefore, the user name on the RADIUS server must be configured
according to the name generation rule. The password is vlan.
l For details about the user name format used in binding authentication, see the description of the
vlanpvc-to-username command in the HUAWEI NetEngine80E/40E Router Command Reference.

# Configure an upstream interface.


[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 192.168.8.1 255.255.255.0

----End

Configuration Files
#
sysname HUAWEI
#
radius-server group rd3
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key hello
#
interface GigabitEthernet1/0/2.1
user-vlan 1 2
bas
access-type layer2-subscriber default-domain authentication isp3
authentication-method bind
#
interface GigabitEthernet1/0/1
ip address 192.168.8.1 255.255.255.0
#
ip pool pool3 bas local
gateway 172.82.2.1 255.255.255.0
section 0 172.82.2.2 172.82.2.200
dns-server 192.168.8.252
#
aaa
authentication-scheme auth3
accounting-scheme acct3
domain isp3
authentication-scheme auth3
accounting-scheme acct3
radius-server group rd3
ip-pool pool3


#
return

4.6.3 Example for Configuring the IPoEoQ Access Service


This section provides an example for configuring the IPoEoQ access service, including the
networking requirements, configuration roadmap, configuration procedure, and configuration
files.

Networking Requirements
The networking is shown in Figure 4-4. The requirements are as follows:

l The user accesses the Internet by using GE 1/0/2.2 on the router in IPoEoQ mode. LAN
switch 1 tags user packets with VLAN 1 and VLAN 2. LAN switch 2 tags user packets
with QinQ 100 (outer VLAN 100).
l The user belongs to domain isp1 and adopts binding authentication, RADIUS
authentication, and RADIUS accounting.
l The IP address of the RADIUS server is 192.168.7.249. The authentication port number is
1812 and the accounting port number is 1813. The standard RADIUS protocol is adopted.
The shared key is itellin.
l The IP address of the DNS server is 192.168.7.252.

Figure 4-4 Networking for configuring the IPoEoQ access service
[Figure: user1@isp1 (VLAN1) and user2@isp1 (VLAN2) -- Lanswitch1 -- Lanswitch2 (QinQ100) -- Router (GE1/0/2.2 user side; GE1/0/1 network side, 192.168.7.1) -- Internet; DNS server 192.168.7.252, RADIUS server 192.168.7.249]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure authentication and accounting schemes.
2. Configure a RADIUS server group.
3. Configure an address pool.
4. Configure an authentication domain.
5. Configure a BAS interface and an upstream interface.


Data Preparation
To complete the configuration, you need the following data:
l Authentication template name and authentication mode
l Accounting template name and accounting mode
l RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server
l IP address pool name, gateway address, and DNS server address
l Domain name
l BAS interface parameters

Procedure
Step 1 Configure AAA schemes.
# Configure an authentication scheme.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme auth1
[HUAWEI-aaa-authen-auth1] authentication-mode radius
[HUAWEI-aaa-authen-auth1] quit

# Configure an accounting scheme.


[HUAWEI-aaa] accounting-scheme acct1
[HUAWEI-aaa-accounting-acct1] accounting-mode radius
[HUAWEI-aaa-accounting-acct1] quit
[HUAWEI-aaa] quit

Step 2 Configure a RADIUS server group.


[HUAWEI] radius-server group rd1
[HUAWEI-radius-rd1] radius-server authentication 192.168.7.249 1812
[HUAWEI-radius-rd1] radius-server accounting 192.168.7.249 1813
[HUAWEI-radius-rd1] radius-server shared-key itellin
[HUAWEI-radius-rd1] quit

Step 3 Configure an address pool.


[HUAWEI] ip pool pool1 bas local
[HUAWEI-ip-pool-pool1] gateway 172.82.0.1 255.255.255.0
[HUAWEI-ip-pool-pool1] section 0 172.82.0.2 172.82.0.200
[HUAWEI-ip-pool-pool1] dns-server 192.168.7.252
[HUAWEI-ip-pool-pool1] quit

Step 4 Configure an authentication domain.


[HUAWEI] aaa
[HUAWEI-aaa] domain isp1
[HUAWEI-aaa-domain-isp1] authentication-scheme auth1
[HUAWEI-aaa-domain-isp1] accounting-scheme acct1
[HUAWEI-aaa-domain-isp1] radius-server group rd1
[HUAWEI-aaa-domain-isp1] ip-pool pool1
[HUAWEI-aaa-domain-isp1] service-type hsi
[HUAWEI-aaa-domain-isp1] quit
[HUAWEI-aaa] quit

Step 5 Configure Ethernet interfaces.


# Configure the user VLAN.
[HUAWEI] interface GigabitEthernet 1/0/2.2
[HUAWEI-GigabitEthernet1/0/2.2] user-vlan 1 2 qinq 100
[HUAWEI-GigabitEthernet1/0/2.2] quit


# Configure a BAS interface.


[HUAWEI-GigabitEthernet1/0/2.2] bas
[HUAWEI-GigabitEthernet1/0/2.2-bas] access-type layer2-subscriber
[HUAWEI-GigabitEthernet1/0/2.2-bas] default-domain authentication isp1
[HUAWEI-GigabitEthernet1/0/2.2-bas] authentication-method bind
[HUAWEI-GigabitEthernet1/0/2.2-bas] quit
[HUAWEI-GigabitEthernet1/0/2.2] quit

# Configure an upstream interface.


[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 192.168.7.1 255.255.255.0

Step 6 Verify the configuration.


After the configuration is complete, run the display access-user domain command to view
information about the online users in the domain.
<HUAWEI> display access-user domain isp1
------------------------------------------------------------------------------
UserID  Username     Interface  IP address  MAC             IPv6 address
------------------------------------------------------------------------------
20      user1@isp1   GE1/0/2.2  172.82.0.5  0002-0101-0101  -
21      user2@isp1   GE1/0/2.2  172.82.0.6  0002-0101-0102  -
------------------------------------------------------------------------------
Total users : 2

----End

Configuration Files
#
sysname HUAWEI
#
radius-server group rd1
radius-server authentication 192.168.7.249 1812 weight 0
radius-server accounting 192.168.7.249 1813 weight 0
radius-server shared-key itellin
#
interface GigabitEthernet1/0/2.2
user-vlan 1 2 qinq 100
bas
access-type layer2-subscriber default-domain authentication isp1
authentication-method bind
#
interface GigabitEthernet1/0/1
ip address 192.168.7.1 255.255.255.0
#
ip pool pool1 bas local
gateway 172.82.0.1 255.255.255.0
section 0 172.82.0.2 172.82.0.200
dns-server 192.168.7.252
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain default0
domain default1
domain default_admin
domain isp1
authentication-scheme auth1
accounting-scheme acct1
service-type hsi


radius-server group rd1


ip-pool pool1
#
return

4.6.4 Example for Configuring Remote Authentication for Static Users
This section provides an example for configuring remote authentication for static users,
including the networking requirements, configuration roadmap, configuration procedure, and
configuration files.

Networking Requirements
The networking is shown in Figure 4-5. The requirements are as follows:

l Users user1@isp1 and user2@isp1 belong to the same domain isp1 and access the
Internet by using GE 1/0/2.1 on the router as static users. The LAN switch tags user
packets with VLAN 1 and VLAN 2.
l The two users adopt Web authentication. RADIUS authentication and RADIUS
accounting are used.
l The IP address of user1@isp1 is 172.82.1.100; the IP address of user2@isp1 is
172.82.2.200.
l The two static users are VPN users and belong to the same VPN instance named vpn1.
l The IP address of the RADIUS server is 192.168.7.249. The authentication port number is
1812 and the accounting port number is 1813. The standard RADIUS protocol is adopted.
The shared key is hello.
l The IP address of the Web authentication server is 192.168.8.251 and the key is webvlan.

Figure 4-5 Networking for configuring remote authentication for static users
[Figure: user1@isp1 (VLAN1) and user2@isp1 (VLAN2) -- Switch -- Router (GE1/0/2.1 user side; GE1/0/1 network side, 192.168.8.1) -- Internet; DNS server 192.168.8.252, WEB server 192.168.8.251, RADIUS server 192.168.8.249]

Configuration Roadmap
The configuration roadmap is as follows:


1. Configure a VPN instance.
2. Configure authentication and accounting schemes.
3. Configure a Web authentication server.
4. Configure a RADIUS server group.
5. Configure a DHCP server group.
6. Configure ACL rules and traffic policies.
7. Configure an address pool.
8. Configure an authentication domain.
9. Configure a BAS interface and an upstream interface.
10. Configure static users.

Data Preparation
To complete the configuration, you need the following data:

l VPN instance name, Route Distinguisher (RD), and VPN target
l Authentication template name and authentication mode
l Accounting template name and accounting mode
l Web authentication server address
l RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server
l DHCP server address
l ACL rules
l Traffic policy
l IP address pool name, gateway address, and DNS server address
l Domain name
l BAS interface parameters

Procedure
Step 1 Configure a VPN instance.
<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] route-distinguisher 100:1
[HUAWEI-vpn-instance-vpn1] vpn-target 100:1 both
[HUAWEI-vpn-instance-vpn1] quit

Step 2 Configure an authentication scheme.


[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme auth1
[HUAWEI-aaa-authen-auth1] authentication-mode radius
[HUAWEI-aaa-authen-auth1] quit

Step 3 Configure an accounting scheme.


[HUAWEI-aaa] accounting-scheme acct1
[HUAWEI-aaa-accounting-acct1] accounting-mode radius
[HUAWEI-aaa-accounting-acct1] quit
[HUAWEI-aaa] quit

Step 4 Configure a Web authentication server.


[HUAWEI] web-auth-server 192.168.8.251 key webvlan

Step 5 Configure a RADIUS server group.


[HUAWEI] radius-server group rd1
[HUAWEI-radius-rd1] radius-server authentication 192.168.8.249 1812
[HUAWEI-radius-rd1] radius-server accounting 192.168.8.249 1813
[HUAWEI-radius-rd1] radius-server type standard
[HUAWEI-radius-rd1] radius-server shared-key hello
[HUAWEI-radius-rd1] quit

Step 6 Configure an ACL so that, before Web authentication, the user can reach only the server
subnet (Web server and DNS server).
# Configure a user group.
[HUAWEI] user-group huawei

# Configure ACL rules.
[HUAWEI] acl 6000 match-order auto
[HUAWEI-acl-ucl-6000] rule deny ip source user-group huawei destination ip-address any
[HUAWEI-acl-ucl-6000] rule permit ip source user-group huawei destination ip-address 192.168.8.0 0.0.0.255
[HUAWEI-acl-ucl-6000] quit

NOTE

With match-order auto, the more specific permit rule is checked before the deny-any rule even though it is entered second (the configuration file of this example shows it as rule 5 and the deny rule as rule 10). With the default config order, the deny-any rule entered first would also block access to the Web server.

# Configure a traffic classifier.


[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 6000
[HUAWEI-classifier-c1] quit

# Configure a traffic behavior.


[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] permit
[HUAWEI-behavior-b1] quit

# Configure a traffic policy.


[HUAWEI] traffic policy policy
[HUAWEI-trafficpolicy-policy] classifier c1 behavior b1
[HUAWEI-trafficpolicy-policy] quit

# Apply the traffic policy globally.


[HUAWEI] traffic-policy policy inbound
[HUAWEI] traffic-policy policy outbound
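
Both this step and Step 7 of 4.6.1 build a pre-authentication walled garden from user-group ACLs and a traffic policy, and in both the order in which rules and classifiers are evaluated decides whether the unauthenticated user can reach the portal at all. The following Python model is an added example, not Huawei code, and not an emulator of the NE80E/40E forwarding path. It assumes that a hit on a deny rule drops the packet whatever the bound behavior says, that a hit on a permit rule applies the behavior, that the first classifier with a hit decides, and that match-order auto checks rules with more fixed destination bits first. The probe destinations (Web server, DNS server, an outside address) are constructed. It reproduces the ACLs of 4.6.1 and 4.6.4 and shows what changes with config order versus auto order, and with the classifier binding order.

```python
"""Evaluate a BRAS pre-authentication walled garden (user-group ACL + traffic policy).

Added example, not from the Huawei guide. It models the user-group ACLs of
sections 4.6.1 (Step 7) and 4.6.4 (Step 6) to show two ordering pitfalls.
Model assumptions (not a statement about NE80E/40E internals):
  - a hit on a deny rule drops the packet regardless of the bound behavior;
  - a hit on a permit rule applies the bound behavior;
  - the first classifier in the policy with a hit decides;
  - match-order auto checks the rule with the most fixed destination bits first.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


def ip_int(text: str) -> int:
    """Dotted quad to int; the CLI accepts a bare "0" wildcard for 0.0.0.0."""
    return int(IPv4Address(int(text) if text.isdigit() else text))


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    user_group: str
    dest: str = "any"
    wildcard: str = "0.0.0.0"   # Huawei wildcard: 1 bits are "don't care"

    def specificity(self) -> int:
        """Number of fixed destination bits; 'any' is the least specific."""
        return 0 if self.dest == "any" else 32 - bin(ip_int(self.wildcard)).count("1")

    def matches(self, group: str, dst: str) -> bool:
        if group != self.user_group:
            return False
        if self.dest == "any":
            return True
        w = ip_int(self.wildcard)
        return (ip_int(dst) | w) == (ip_int(self.dest) | w)


@dataclass
class Acl:
    number: int
    rules: list
    match_order: str = "config"   # "config" (entry order) or "auto"

    def ordered(self) -> list:
        if self.match_order == "auto":
            # sorted() is stable, so rules of equal specificity keep entry order
            return sorted(self.rules, key=lambda r: -r.specificity())
        return list(self.rules)

    def lookup(self, group: str, dst: str):
        for rule in self.ordered():
            if rule.matches(group, dst):
                return rule
        return None


def evaluate_policy(policy, group: str, dst: str) -> str:
    """policy: list of (acl, behavior) in classifier binding order."""
    for acl, behavior in policy:
        hit = acl.lookup(group, dst)
        if hit is None:
            continue
        if hit.action == "deny":
            return "drop"
        return "forward" if behavior == "permit" else "drop"
    return "forward"   # no classifier matched; the policy does not apply


# Section 4.6.1: separate deny and permit ACLs; classifier c2 (permit) is bound before c1 (deny).
ACL_6000_461 = Acl(6000, [Rule("deny", "huawei")])
ACL_6001_461 = Acl(6001, [Rule("permit", "huawei", "192.168.8.251", "0"),
                          Rule("permit", "huawei", "192.168.8.252", "0")])
POLICY_461 = [(ACL_6001_461, "permit"), (ACL_6000_461, "deny")]


def acl_464(match_order: str) -> Acl:
    """Section 4.6.4: one ACL entered deny-any first, permit server subnet second."""
    return Acl(6000, [Rule("deny", "huawei", "any"),
                      Rule("permit", "huawei", "192.168.8.0", "0.0.0.255")], match_order)


DESTS = ("192.168.8.251", "192.168.8.252", "8.8.8.8")   # constructed: Web, DNS, outside


def walled_garden(policy, group: str = "huawei") -> dict:
    """Destination -> action for a user in the given user group."""
    return {dst: evaluate_policy(policy, group, dst) for dst in DESTS}


if __name__ == "__main__":
    print("4.6.1:", walled_garden(POLICY_461))
    print("4.6.4 config order:", walled_garden([(acl_464("config"), "permit")]))
    print("4.6.4 auto order:  ", walled_garden([(acl_464("auto"), "permit")]))
    print("authenticated user (left the group):", walled_garden(POLICY_461, group=""))
```

Run as a script it prints a destination-to-action map for each variant: the 4.6.4 ACL in config order drops everything, including the portal, while auto order (what the device did, as the configuration file shows) lets only the server subnet through. Reversing the classifier binding order in 4.6.1 black-holes the user the same way. The last case shows why the policy can stay applied globally: once authentication succeeds the user leaves user-group huawei, no rule matches, and the policy no longer applies.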

Step 7 Configure an address pool.


[HUAWEI] ip pool pool1 bas local
[HUAWEI-ip-pool-pool1] gateway 172.82.1.1 255.255.255.0
[HUAWEI-ip-pool-pool1] section 0 172.82.1.2 172.82.1.200
[HUAWEI-ip-pool-pool1] excluded-ip-address 172.82.1.100
[HUAWEI-ip-pool-pool1] vpn-instance vpn1
[HUAWEI-ip-pool-pool1] quit
[HUAWEI] ip pool pool2 bas local
[HUAWEI-ip-pool-pool2] gateway 172.82.2.1 255.255.255.0
[HUAWEI-ip-pool-pool2] section 0 172.82.2.2 172.82.2.200
[HUAWEI-ip-pool-pool2] vpn-instance vpn1
[HUAWEI-ip-pool-pool2] quit

Step 8 Configure a domain.


# Configure the pre-authentication domain default0.
[HUAWEI] aaa
[HUAWEI-aaa] domain default0
[HUAWEI-aaa-domain-default0] ip-pool pool1


[HUAWEI-aaa-domain-default0] ip-pool pool2


[HUAWEI-aaa-domain-default0] user-group huawei
[HUAWEI-aaa-domain-default0] vpn-instance vpn1
[HUAWEI-aaa-domain-default0] quit

# Configure the user domain isp1.


[HUAWEI-aaa] domain isp1
[HUAWEI-aaa-domain-isp1] authentication-scheme auth1
[HUAWEI-aaa-domain-isp1] accounting-scheme acct1
[HUAWEI-aaa-domain-isp1] radius-server group rd1
[HUAWEI-aaa-domain-isp1] vpn-instance vpn1
[HUAWEI-aaa-domain-isp1] quit
[HUAWEI-aaa] quit

Step 9 Configure a BAS interface.


[HUAWEI] interface GigabitEthernet 1/0/2.1
[HUAWEI-GigabitEthernet1/0/2.1] user-vlan 1 2
[HUAWEI-GigabitEthernet1/0/2.1-vlan-1-2] quit
[HUAWEI-GigabitEthernet1/0/2.1] bas
[HUAWEI-GigabitEthernet1/0/2.1-bas] access-type layer2-subscriber default-domain authentication isp1
[HUAWEI-GigabitEthernet1/0/2.1-bas] authentication-method web
[HUAWEI-GigabitEthernet1/0/2.1-bas] vpn-instance vpn1
[HUAWEI-GigabitEthernet1/0/2.1-bas] ip-trigger
[HUAWEI-GigabitEthernet1/0/2.1-bas] arp-trigger
[HUAWEI-GigabitEthernet1/0/2.1-bas] quit
[HUAWEI-GigabitEthernet1/0/2.1] quit

Step 10 Configure static users.


[HUAWEI] static-user 172.82.1.100 172.82.1.100 vpn-instance vpn1 interface GigabitEthernet1/0/2.1 vlan 1 detect domain-name isp1
[HUAWEI] static-user 172.82.2.200 172.82.2.200 vpn-instance vpn1 interface GigabitEthernet1/0/2.1 vlan 2 domain-name isp1

Step 11 Configure an upstream interface.


[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 192.168.8.1 255.255.255.0

----End

Configuration Files
#
sysname HUAWEI
#
user-group huawei
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
radius-server group rd1
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key hello
#
acl number 6000 match-order auto
rule 5 permit ip source user-group huawei destination ip-address 192.168.8.0 0.0.0.255
rule 10 deny ip source user-group huawei destination ip-address any
#
traffic classifier c1 operator or
if-match acl 6000
#
traffic behavior b1
#


traffic policy policy


classifier c1 behavior b1
traffic-policy policy inbound
traffic-policy policy outbound
#
interface GigabitEthernet1/0/2.1
user-vlan 1 2
bas
access-type layer2-subscriber default-domain authentication isp1
authentication-method web
vpn-instance vpn1
ip-trigger
arp-trigger
#
interface GigabitEthernet1/0/1
ip address 192.168.8.1 255.255.255.0
#
ip pool pool1 bas local
vpn-instance vpn1
gateway 172.82.1.1 255.255.255.0
section 0 172.82.1.2 172.82.1.200
excluded-ip-address 172.82.1.100
#
ip pool pool2 bas local
vpn-instance vpn1
gateway 172.82.2.1 255.255.255.0
section 0 172.82.2.2 172.82.2.200
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain default0
user-group huawei
vpn-instance vpn1
ip-pool pool1
ip-pool pool2
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
vpn-instance vpn1
#
web-auth-server 192.168.8.251 port 50100 key webvlan
#
static-user 172.82.1.100 172.82.1.100 vpn-instance vpn1 interface GigabitEthernet1/0/2.1 vlan 1 detect domain-name isp1
static-user 172.82.2.200 172.82.2.200 vpn-instance vpn1 interface GigabitEthernet1/0/2.1 vlan 2 domain-name isp1
#
return

4.6.5 Example for Configuring Local Authentication for Static Users


This section provides an example for configuring local authentication for static users, including
the networking requirements, configuration roadmap, configuration procedure, and
configuration files.

Networking Requirements
The networking is shown in Figure 4-6. The requirements are as follows:

l The user accesses the Internet by using GE 1/0/2.1 on the router as a static user and the IP
address of the user is 172.192.0.8.
l The user adopts local authentication.


l The system uses the IP address carried in the user packet as the user name.

Figure 4-6 Networking for configuring local authentication for static users
[Figure: static user -- Router (GE1/0/2.1 user side; GE1/0/1 network side, 192.168.8.1) -- Internet]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an authentication scheme.
2. Configure the user name format, the default password, and a local account.
3. Configure an address pool.
4. Configure an authentication domain.
5. Configure a BAS interface and an upstream interface.
6. Configure a static user.

Data Preparation
To complete the configuration, you need the following data:
l Authentication template name and authentication mode
l IP address pool name, gateway address, and DNS server address
l Domain name
l BAS interface parameters

Procedure
Step 1 Configure an authentication scheme.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme local
[HUAWEI-aaa-authen-local] authentication-mode local
[HUAWEI-aaa-authen-local] quit

Step 2 Configure the user name format and the default password.
[HUAWEI-aaa] default-user-name include ip-address .
[HUAWEI-aaa] default-password simple test
[HUAWEI-aaa] quit

NOTE

The simple keyword stores the password in plain text in the configuration file (see the Configuration Files section of this example), so anyone who can read or export the configuration learns it.

Step 3 Configure a local account.


[HUAWEI] local-aaa-server
[HUAWEI-local-aaa-server] user 172.192.0.8@isp1 password simple test authentication-type b
[HUAWEI-local-aaa-server] quit

Step 4 Configure an address pool.


[HUAWEI] ip pool pool1 bas local
[HUAWEI-ip-pool-pool1] gateway 172.192.0.1 255.255.255.0
[HUAWEI-ip-pool-pool1] section 0 172.192.0.2 172.192.0.200
[HUAWEI-ip-pool-pool1] excluded-ip-address 172.192.0.8


[HUAWEI-ip-pool-pool1] quit

Step 5 Configure a domain.


[HUAWEI] aaa
[HUAWEI-aaa] domain isp1
[HUAWEI-aaa-domain-isp1] authentication-scheme local
[HUAWEI-aaa-domain-isp1] accounting-scheme default0
[HUAWEI-aaa-domain-isp1] ip-pool pool1
[HUAWEI-aaa-domain-isp1] quit
[HUAWEI-aaa] quit

Step 6 Configure a BAS interface.


[HUAWEI] interface GigabitEthernet 1/0/2.1
[HUAWEI-GigabitEthernet1/0/2.1] user-vlan 100
[HUAWEI-GigabitEthernet1/0/2.1-vlan-100] quit
[HUAWEI-GigabitEthernet1/0/2.1] bas
[HUAWEI-GigabitEthernet1/0/2.1-bas] access-type layer2-subscriber
[HUAWEI-GigabitEthernet1/0/2.1-bas] authentication-method bind
[HUAWEI-GigabitEthernet1/0/2.1-bas] default-domain authentication isp1
[HUAWEI-GigabitEthernet1/0/2.1-bas] ip-trigger
[HUAWEI-GigabitEthernet1/0/2.1-bas] arp-trigger
[HUAWEI-GigabitEthernet1/0/2.1-bas] quit
[HUAWEI-GigabitEthernet1/0/2.1] quit

Step 7 Configure a static user.


[HUAWEI] static-user 172.192.0.8 172.192.0.8 interface GigabitEthernet 1/0/2.1 vlan 100 detect

Step 8 Configure an upstream interface.


[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 192.168.8.1 255.255.255.0

Step 9 Verify the configuration.


After the configuration is complete, run the display access-user domain command to view
information about the online users in the domain.
<HUAWEI> display access-user domain isp1
------------------------------------------------------------------------------
UserID  Username           Interface  IP address   MAC             IPv6 address
------------------------------------------------------------------------------
20      172.192.0.8@isp1   GE1/0/2.1  172.192.0.8  0002-0101-0101  -
------------------------------------------------------------------------------
Total users : 1

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.8.1 255.255.255.0
#
interface GigabitEthernet1/0/2.1
user-vlan 100
bas
access-type layer2-subscriber default-domain authentication isp1
ip-trigger
arp-trigger
authentication-method bind
#
ip pool pool1 bas local


gateway 172.192.0.1 255.255.255.0


section 0 172.192.0.2 172.192.0.200
excluded-ip-address 172.192.0.8
#
aaa
default-user-name include ip-address .
default-password simple test
authentication-scheme local
authentication-mode local
domain isp1
authentication-scheme local
accounting-scheme default0
ip-pool pool1
#
local-aaa-server
user 172.192.0.8@isp1 password simple test authentication-type B
#
static-user 172.192.0.8 172.192.0.8 interface GigabitEthernet1/0/2.1 vlan 100 detect
#
return


A Glossary

This appendix provides the glossary mentioned in this manual.

Glossary                  Description

A
access service            A service providing the basic capability of network access.

B
BRAS                      A functional component running on the NE80E/40E, which provides access services for broadband subscribers.
binding authentication    An authentication mode in which the NE80E/40E creates a user name and a password for the user according to the location of the user.

D
DHCP client               A program that obtains IP addresses from the DHCP/BOOTP server, and then allocates the IP addresses to PPP users.
DHCP proxy                A program that transparently transmits the DHCP request of a user to the DHCP/BOOTP server, which then allocates the IP address to the user.
DHCP server               A program that allocates the IP addresses of the local address pool to the users at the user side and allocates the IP addresses of the relay address pool to the users that pass through the DHCP proxy at the network side.
direct authorization      An authorization mode in which the user is fully trusted by the carrier and is authorized directly by the carrier.
domain                    A group of users with the same service attributes. The NE80E/40E manages users through domains.

F
fast authentication       A simplified Web authentication, in which the user opens the web page for authentication but need not enter the user name and password.

H
HWTACACS                  An enhanced security protocol of TACACS (RFC 1492), through which the NE80E/40E communicates with the HWTACACS server in the client/server mode.
HWTACACS accounting       An accounting mode in which the NE80E/40E sends the accounting packets to the HWTACACS server, which then performs accounting for the user.
HWTACACS authentication   An authentication mode in which the NE80E/40E sends the user name and the password to the HWTACACS server by using the HWTACACS protocol. The HWTACACS server authenticates the user, and then returns the result to the NE80E/40E.
HWTACACS authorization    An authorization mode in which the user is authorized by the HWTACACS server.

L
local address pool        An address pool configured on the NE80E/40E and managed by the NE80E/40E.
local authentication      An authentication mode in which the user information is configured on the NE80E/40E, and then the NE80E/40E authenticates the user.
local authorization       An authorization mode in which the user is authorized by the NE80E/40E based on the user attributes that are configured on the NE80E/40E.

M
mandatory web authentication  An authentication method in which the NE80E/40E redirects the access request of an unauthenticated user who uses the web authentication or the fast authentication to the web authentication server for authentication.

O
Option 60                 A field carrying the domain information when a terminal device initiates a DHCP request. After receiving the DHCP request, the NE80E/40E allocates the IP address to the device according to the domain information contained in the Option 60 field.
Option 82                 A field carrying the physical location information of the user when the NE80E/40E relays a DHCP packet of the user. Then the DHCP server allocates an IP address to the user according to the location information.

P
portal protocol           A protocol used to exchange information between web servers and other devices. The portal protocol is based on the client/server model and uses UDP to transfer data.

R
RADIUS accounting         An accounting mode in which the NE80E/40E sends the accounting packets to the RADIUS server. Then the RADIUS server performs accounting.
RADIUS authentication     An authentication mode in which the NE80E/40E sends the user name and the password to the RADIUS server by using the RADIUS protocol. The RADIUS server authenticates the user, and then returns the result to the NE80E/40E.
relay address pool        An address pool providing IP addresses for the users at the network side.
remote address pool       A mapping of the remote DHCP or BOOTP server, which does not provide real IP addresses.

S
static user               A user with a fixed IP address, which is configured by the user.

V
value-added service       A service selected by the user when the user logs in to the portal server of the carrier.

W
web authentication        An authentication mode in which the user enters user name and password on the authentication page of the web authentication server for identity authentication.


B Acronyms and Abbreviations

This appendix lists the acronyms and abbreviations mentioned in this manual.

Item Description
A
AAA Authentication, Authorization and Accounting
ACL Access Control List
ADSL Asymmetric Digital Subscriber Line
AP Access Point
ARP Address Resolution Protocol

B
BAS Broadband Access Server
BOOTP Bootstrap Protocol
BRAS Broadband Remote Access Server

C
CAR Committed Access Rate
CF Compressed Flash
CHAP Challenge Handshake Authentication Protocol
CLI Command Line Interface
CMTS Cable Modem Terminal System
CoA Change of Authorization
COPS Common Open Policy Service

D
DHCP Dynamic Host Configuration Protocol
DNS Domain Name Server
DSLAM Digital Subscriber Line Access Multiplexer

E
EAP Extensible Authentication Protocol
EAPoL EAP over LAN

F
FE Fast Ethernet

G
GE Gigabit Ethernet
GRE Generic Routing Encapsulation

H
HDLC High-level Data Link Control
HFC Hybrid Fiber-Coaxial
HWTACACS Huawei TACACS

I
IEEE Institute of Electrical and Electronics Engineers
IP Internet Protocol
IPCP Internet Protocol Control Protocol
IPoE IP over Ethernet
IPoEoVLAN IP over Ethernet over VLAN
IPoX IP over X
IPTN IP Telecommunication Network
ISP Internet Service Provider

L
LAN Local Area Network
LCP Link Control Protocol
L2TP Layer 2 Tunneling Protocol
LTS L2TP Tunnel Switch

M
MAC Media Access Control
MSCHAP Microsoft CHAP

N
NCP Network Control Protocol
ND Neighbor Discovery
NetBIOS Network Basic Input/Output System

P
PAP Password Authentication Protocol
PDP Policy Decision Point
PEP Policy Enforcement Point
PPP Point-to-Point Protocol
PPPoE Point-to-Point Protocol over Ethernet
PPPoEoVLAN PPPoE over VLAN
PPPoX PPP over X
PSTN Public Switched Telephone Network

Q
QinQ 802.1Q in 802.1Q
QoS Quality of Service

R
RADIUS Remote Authentication Dial in User Service

RFC Requirement for Comments

S
SIG Safe Immunity Gateway
SIM Subscriber Identity Module
DSG Dynamic Service Gateway
SSH Secure Shell

T
TACACS Terminal Access Controller Access Control System
TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol

U
UDP User Datagram Protocol
URL Universal Resource Locator

V
VLAN Virtual LAN
VoD Video On Demand
VPN Virtual Private Network
