V600R003C00
Issue 02
Date 2011-09-10
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Purpose
This document is a guide to configuring the user access service. It describes the basic principles,
configuration procedures, and configuration methods of AAA, user management, DHCPv4,
DHCPv6, .
NOTE
l This document takes interface numbers and link types of the NE40E-X8 as an example. In working
situations, the actual interface numbers and link types may be different from those used in this
document.
l On NE80E/40E series excluding NE80E/40E-X1 and NE80E/40E-X2, line processing boards are
called Line Processing Units (LPUs) and switching fabric boards are called Switching Fabric Units
(SFUs). On the NE80E/40E-X1 and NE80E/40E-X2, there are no LPUs and SFUs, and NPUs
implement the same functions of LPUs and SFUs to exchange and forward packets.
Related Versions
The following table lists the product versions related to this document.
Intended Audience
This document is intended for:
l Commissioning engineers
l Data configuration engineers
l Network monitoring engineers
l System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
&<1-n> The parameter before the & sign can be repeated 1 to n times.
Change History
Changes in Issue 02 (2011-09-10)
The second commercial release has the following updates.
l BRAS Access Configuration
As defined in 4.3.4 Configuring a BAS Interface, DHCP users can be filtered based
on the ACL rule configured on a BAS interface.
l DHCPv4 Configuration
As defined in 2.4.2 Creating a DHCPv4 Server Group, the polling mechanism can
be used to select a DHCPv4 server.
Contents
2 DHCPv4 Configuration
2.1 Introduction to DHCPv4
2.2 DHCPv4 Supported by the NE80E/40E
2.3 Configuring an IPv4 Address Pool
2.3.1 Establishing the Configuration Task
2.3.2 Creating an Address Pool
2.3.3 (Optional) Configuring Static IP Address Binding
2.3.4 (Optional) Configuring DNS Services for the DHCPv4 Client
2.3.5 (Optional) Configuring NetBIOS Services for the DHCPv4 Client
2.3.6 (Optional) Configuring SIP Services for the DHCPv4 Client
2.3.7 (Optional) Configuring DHCPv4 Self-Defined Options
3 DHCPv6 Configuration
3.1 Introduction to DHCPv6
3.1.1 DHCPv6 Overview
3.1.2 DHCPv6 Features Supported by the NE80E/40E
3.2 Configuring a DHCPv6 Relay Agent
3.2.1 Establishing the Configuration Task
3.2.2 Enabling DHCPv6 Relay
3.2.3 Enabling DHCPv6 on Network-side Interfaces
3.2.4 Checking the Configuration
A Glossary
B Acronyms and Abbreviations
1 AAA Configuration
This chapter describes how to configure authentication, authorization, and accounting (AAA)
to implement local or remote authentication, authorization, and accounting.
AAA
AAA provides security functions for user authentication, authorization, and accounting.
l Authentication: determines the users who can access the network.
l Authorization: authorizes users to use specific services.
l Accounting: records usage of network resources of users.
AAA adopts the client/server model. This model has good extensibility and facilitates
concentrated management over user information.
AAA supports three authentication modes: non-authentication, local authentication, and
remote authentication. Remote authentication is implemented through either the Remote
Authentication Dial In User Service (RADIUS) or the Huawei Terminal Access Controller Access
Control System (HWTACACS).
AAA supports four types of authorization modes: direct authorization, local authorization,
HWTACACS authorization, and if-authenticated authorization.
NOTE
To perform AAA for users, you need to configure authentication, authorization, and accounting
modes in the AAA view, and then apply the authentication, authorization, and accounting
schemes in the domain view.
The authorization configured in the domain view has a lower priority than the authorization
delivered by an AAA server. That is, the authorization delivered by an AAA server is preferred.
When the AAA server does not have or support the authorization, the authorization configured
in the domain view takes effect. In this manner, you can increase services flexibly by means of
domain management, regardless of the authorization by the AAA server.
The NE80E/40E supports the following authentication, authorization, and accounting schemes,
and manages users based on domains.
1. Authentication
The authentication modes supported by AAA include non-authentication, local
authentication, and remote authentication. Remote authentication can be performed
through either RADIUS or HWTACACS.
The authentication modes can be used in combination, which is configured through
commands. If the first authentication mode fails (including the situation where the remote
server does not respond), you can adopt another authentication mode according to the
configured sequence of authentication modes. For example, you can configure
authentication to be performed in the sequence of RADIUS authentication, local
authentication, and non-authentication.
2. Authorization
The authorization modes supported by AAA include direct authorization, local
authorization, HWTACACS authorization, and if-authenticated authorization.
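The fallback behaviour described under "Authentication" (try the modes in the configured order, moving on when a mode rejects the user or the remote server does not answer, with non-authentication admitting everyone) is illustrated by the following added example. It is not Huawei code and does not model the NE80E/40E implementation; the backends and the local user entry are constructed stand-ins, and `scheme_risks` is an added review check that flags a scheme ending in `none`.

```python
# Added example (not Huawei code): walks an ordered authentication-mode list
# such as "radius local none" the way the page describes (fall through when a
# mode rejects or the remote server does not answer) and flags schemes that
# end in non-authentication. The backends below are constructed stand-ins.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A backend answers "accept", "reject", or None when it does not respond.
Backend = Callable[[str, str], Optional[str]]


@dataclass
class AuthenticationScheme:
    name: str
    modes: List[str]                       # e.g. ["radius", "local", "none"]
    backends: Dict[str, Backend] = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> dict:
        """Try each mode in order. A mode counts as failed when it rejects
        or gives no response; "none" admits the user unconditionally."""
        trail: List[tuple] = []
        for mode in self.modes:
            if mode == "none":
                trail.append((mode, "accept"))
                return {"result": "accept", "mode": mode, "trail": trail}
            backend = self.backends.get(mode)
            if backend is None:
                raise ValueError(f"no backend configured for mode {mode}")
            outcome = backend(user, password)
            trail.append((mode, outcome if outcome else "no-response"))
            if outcome == "accept":
                return {"result": "accept", "mode": mode, "trail": trail}
        return {"result": "reject", "mode": None, "trail": trail}


def scheme_risks(scheme: AuthenticationScheme) -> List[str]:
    """Review-style check: which configurations admit users without a
    credential check once the preferred servers are unreachable."""
    risks = []
    if not scheme.modes:
        risks.append("empty mode list: nobody can authenticate")
    elif scheme.modes[-1] == "none":
        risks.append("ends in none: any user is admitted once the earlier "
                     "modes reject or stop responding")
    return risks


# Constructed backends standing in for a RADIUS server and the local user DB.
def radius_unreachable(user: str, password: str) -> Optional[str]:
    return None                            # no Access-Accept/Reject arrives


LOCAL_USERS = {"admin": "s3cret"}          # constructed sample entry


def local_db(user: str, password: str) -> Optional[str]:
    return "accept" if LOCAL_USERS.get(user) == password else "reject"


def demo() -> dict:
    backends = {"radius": radius_unreachable, "local": local_db}
    strict = AuthenticationScheme("strict", ["radius", "local"], backends)
    lenient = AuthenticationScheme("lenient", ["radius", "local", "none"], backends)
    return {
        "strict_bad_pw": strict.authenticate("admin", "wrong")["result"],
        "strict_good_pw": strict.authenticate("admin", "s3cret")["mode"],
        "lenient_bad_pw": lenient.authenticate("admin", "wrong")["result"],
        "lenient_risks": scheme_risks(lenient),
    }


if __name__ == "__main__":
    print(demo())
```

With the RADIUS server silent, the `strict` scheme rejects a wrong password at the local step, while the `lenient` scheme admits it through `none`; that is exactly the case the risk check reports.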
NOTE
User authentication, authorization, and accounting must be performed in the domain view.
The NE80E/40E supports two methods for users to change their passwords after they pass
HWTACACS authentication:
l The HWTACACS server enables users to modify passwords.
l Users actively modify their passwords through commands.
Applicable Environment
To provide access services for authorized users and protect sensitive network devices against
unauthorized access, configure AAA on the router.
Pre-configuration Tasks
Before configuring AAA schemes, complete the following tasks:
Configuring parameters of the link layer protocol and IP addresses for the interfaces, ensuring
that the status of the link layer protocol on the interfaces is Up
Data Preparation
To configure AAA schemes, you need the following data.
No. Data
3 Name of the accounting scheme, accounting mode, interval for real-time accounting,
accounting-start failure policy, real-time accounting failure policy, and number of
real-time accounting failures
4 (Optional) Name of the recording scheme, name of the HWTACACS server template
associated with the recording mode, and events to be recorded
5 Interface type and interface number of the server and client, ID and IP address range
of the address pool, and IP addresses to be allocated to users when no address pool
is used
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Step 2 Run:
aaa
Step 3 Run:
authentication-scheme scheme-name
Step 4 Run:
authentication-mode { hwtacacs | radius | local } * [ none ]
The authentication schemes named default, default0, and default1 are set by default on the
NE80E/40E. They can be modified but cannot be deleted.
l By default, the authentication mode of default0 is non-authentication.
l By default, the authentication mode of default1 is RADIUS authentication.
l By default, the authentication mode of default is local radius authentication.
The policy for handling the authentication failure refers to the policy used by the NE80E/40E
after the user fails the authentication. By default, if the authentication fails, the NE80E/40E
forces the user to log out. If you enable the secondary authentication function for the user (for
example, after the PPP authentication fails, the Web authentication is used), the NE80E/40E
keeps the user online when the first authentication fails. In this case, the user is added to a default
domain (default0 by default).
NOTE
The policy for handling the authentication failure cannot be configured on the X1 or X2 models of the
NE80E/40E.
If users want to change their administrative levels online, for example, a Telnet user of level 2
wants to change the administrative level to 3, the user must pass the authentication.
----End
Context
Do as follows on the router:
NOTE
l You can configure command-line authorization for users of a certain level only when HWTACACS is
adopted.
l Command-line authorization of HWTACACS is irrelevant to the authorization mode configured by
using the authorization-mode command.
Procedure
Step 1 Run:
system-view
The policy for authorization failures in the case where the HWTACACS server is unavailable
or no user is locally configured is set.
Step 7 Run:
quit
----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Step 2 Run:
aaa
Step 3 Run:
accounting-scheme scheme-name
The accounting schemes named default0 and default1 are set by default on the NE80E/40E.
They can be modified but cannot be deleted.
Step 4 Run:
accounting-mode { hwtacacs | none | radius }
Real-time accounting means that the NE80E/40E periodically generates accounting packets
and sends them to the remote accounting server while a user is online. Real-time accounting
minimizes the loss of accounting information when communication between the NE80E/40E
and the remote server is interrupted.
The interval for real-time accounting can be in minutes or seconds. By default, the unit of the
interval is minute.
If the NE80E/40E does not receive any response after sending an accounting start packet to the
remote accounting server, the NE80E/40E adopts the policy for the accounting start failure. This
policy may keep the user online or log the user out.
By default, the NE80E/40E logs the user out when the accounting fails to start.
If the NE80E/40E does not receive any response after retransmitting real-time accounting
packets to the remote accounting server a certain number of times, the NE80E/40E adopts the
policy for real-time accounting failure. This policy may keep the user online or log the user out.
By default, the number of retransmission times for real-time accounting packets is 3. When the
real-time accounting fails, the NE80E/40E keeps the user online.
The NE80E/40E is configured to send real-time accounting packets immediately after receiving
the accounting start response.
After receiving the accounting response, the NE80E/40E determines whether to send the real-
time accounting packet immediately according to the configuration.
By default, the NE80E/40E does not send any real-time accounting packet immediately after
receiving an accounting response.
----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Step 2 Run:
aaa
Step 3 Run:
recording-scheme recording-scheme-name
Step 4 Run:
recording-mode hwtacacs template-name
By default, the recording scheme is not associated with the HWTACACS template.
Step 5 Run:
quit
The commands that have been used on the router are recorded.
Step 7 (Optional) Run:
outbound recording-scheme recording-scheme-name
----End
Prerequisite
The configurations of the AAA schemes are complete.
Procedure
l Run the display aaa configuration command to check brief information about AAA.
l Run the display accounting-scheme [ accounting-scheme-name ] command to check the
configuration about the accounting scheme.
l Run the display authentication-scheme [ authentication-scheme-name ] command to
check the configuration about the authentication scheme.
l Run the display authorization-scheme [ authorization-scheme-name ] command to check
the configuration about the authorization scheme.
l Run the display recording-scheme [ recording-scheme-name ] command to check the
configuration about the recording scheme.
l Run the display ip pool { global | domain domain-name } command to check the usage of
the address pool.
----End
Example
Run the display aaa configuration command. If brief information about AAA is displayed, it
means that the configuration succeeds. For example:
<HUAWEI> display aaa configuration
---------------------------------------------------------------------------
AAA configuration information :
---------------------------------------------------------------------------
Domain : total: 255 used: 2
Authentication-scheme : total: 16 used: 2
Authorization-scheme : total: 16 used: 2
Accounting-scheme : total: 128 used: 2
Run the display accounting-scheme command. If information about the accounting scheme is
displayed, it means that the configuration succeeds. For example:
<HUAWEI> display accounting-scheme scheme0
---------------------------------------------------------------------------
Accounting-scheme-name : scheme0
Accounting-method : RADIUS accounting
Realtime-accounting-switch : Open
Realtime-accounting-interval(min) : 5
Start-accounting-fail-policy : Cut user
Realtime-accounting-fail-policy : Cut user
Realtime-accounting-failure-retries : 3
---------------------------------------------------------------------------
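The accounting behaviour described in the accounting-scheme section (Accounting-Start failure policy, real-time retransmission count and real-time failure policy) can be replayed from the fields shown in the display output above. The following is an added example, not Huawei code: it parses a constructed copy of the `display accounting-scheme` output in the page's format and applies the two policies. The value `Cut user` is taken from the page; any other policy value is treated as "keep the user online", which is this example's assumption about the display wording.

```python
# Added example (not Huawei code): parses the "display accounting-scheme"
# output format shown on this page into a scheme object and replays the
# start and real-time accounting decisions the page describes.
# SAMPLE_OUTPUT is constructed to match the page's format.
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_OUTPUT = """\
---------------------------------------------------------------------------
Accounting-scheme-name : scheme0
Accounting-method : RADIUS accounting
Realtime-accounting-switch : Open
Realtime-accounting-interval(min) : 5
Start-accounting-fail-policy : Cut user
Realtime-accounting-fail-policy : Cut user
Realtime-accounting-failure-retries : 3
---------------------------------------------------------------------------
"""


@dataclass
class AccountingScheme:
    name: str
    method: str
    realtime_enabled: bool
    realtime_interval_min: int
    start_fail_policy: str        # "Cut user" (from the page) or anything else = keep online
    realtime_fail_policy: str
    realtime_retries: int


def parse_display_output(text: str) -> AccountingScheme:
    """Turn 'Key : Value' lines into a scheme; separator lines are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        fields[key.strip()] = value.strip()
    return AccountingScheme(
        name=fields["Accounting-scheme-name"],
        method=fields["Accounting-method"],
        realtime_enabled=fields["Realtime-accounting-switch"] == "Open",
        realtime_interval_min=int(fields["Realtime-accounting-interval(min)"]),
        start_fail_policy=fields["Start-accounting-fail-policy"],
        realtime_fail_policy=fields["Realtime-accounting-fail-policy"],
        realtime_retries=int(fields["Realtime-accounting-failure-retries"]),
    )


def after_accounting_start(scheme: AccountingScheme, got_response: bool) -> str:
    """State of the user once the Accounting-Start exchange is over."""
    if got_response:
        return "online"
    return "offline" if scheme.start_fail_policy == "Cut user" else "online"


def after_realtime_round(scheme: AccountingScheme, responses: List[bool]) -> dict:
    """One real-time accounting round: the initial packet plus up to
    `realtime_retries` retransmissions, stopping at the first response.
    `responses` holds one boolean per attempt (True = server answered)."""
    attempts = 0
    for answered in responses[: 1 + scheme.realtime_retries]:
        attempts += 1
        if answered:
            return {"attempts": attempts, "state": "online", "failed": False}
    state = "offline" if scheme.realtime_fail_policy == "Cut user" else "online"
    return {"attempts": attempts, "state": state, "failed": True}


def demo() -> dict:
    scheme = parse_display_output(SAMPLE_OUTPUT)
    # Same scheme with the page's default real-time policy (keep the user
    # online); the word "Online" is an assumed display value.
    keep = parse_display_output(SAMPLE_OUTPUT.replace(
        "Realtime-accounting-fail-policy : Cut user",
        "Realtime-accounting-fail-policy : Online"))
    silent = [False] * 10                  # server never answers
    return {
        "retries": scheme.realtime_retries,
        "start_no_reply": after_accounting_start(scheme, False),
        "realtime_silent": after_realtime_round(scheme, silent),
        "realtime_silent_keep": after_realtime_round(keep, silent)["state"],
        "realtime_third_try": after_realtime_round(scheme, [False, False, True]),
    }


if __name__ == "__main__":
    print(demo())
```

With three retries a silent server costs four packets before the failure policy is applied; with `Cut user` the session ends, with the page's default the user stays online and the accounting record for that interval is lost.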
Run the display recording-scheme command. If information about the recording scheme is
displayed, it means that the configuration succeeds. For example:
<HUAWEI> display recording-scheme scheme0
---------------------------------------------------------------------------
Recording-scheme-name : scheme0
HWTACACAS-template-name : template0
---------------------------------------------------------------------------
Run the display ip pool global command. If brief information about usage of the address pool
is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display ip pool global
----------------------------------------------------------------------------
Pool-number Pool-start-addr Pool-end-addr Pool-length Used-addr-number
----------------------------------------------------------------------------
2 10.1.1.1 10.1.1.10 10 0
----------------------------------------------------------------------------
Total pool number: 1
Context
NOTE
The access-side RADIUS server cannot be configured on the X1 or X2 models of the NE80E/40E.
Applicable Environment
When the RADIUS protocol is used for implementing AAA, you need to configure a RADIUS
server.
The NE80E/40E uses RADIUS server groups to manage RADIUS servers. A RADIUS server
group is a set of RADIUS servers that have the same attributes (except IP addresses and port
numbers) and work in either primary/secondary or load balancing mode.
NOTE
l There are default values for all RADIUS configurations. You can configure RADIUS as required.
l The RADIUS server group can be modified or deleted regardless of whether it is in use. Modifying or
deleting a RADIUS server group does not affect existing users.
Pre-configuration Tasks
None.
Data Preparation
To configure a RADIUS server, you need the following data.
No. Data
No. Data
9 (Optional) Response timeout period for the RADIUS server and number of the
retransmission times for RADIUS packets
12 (Optional) Option of carrying the CAR value in the Class attribute of RADIUS
packets
15 (Optional) Number of extended source ports of the RADIUS server and number of
the start extended source port
Context
You can create up to 128 RADIUS server groups on the router.
Procedure
Step 1 Run:
system-view
Step 2 Run:
radius-server group group-name
After the RADIUS server group is created, the system displays the RADIUS server group view.
If a RADIUS server group already exists, you can enter the RADIUS server group view directly.
----End
Context
To configure RADIUS authentication and accounting servers, you need to set the following
parameters:
The RADIUS authentication and accounting servers can use the same IP address. This means that a server
can function as both an authentication server and an accounting server.
Procedure
Step 1 Run:
system-view
Step 2 Run:
radius-server group group-name
Step 3 Run:
radius-server authentication { ip-address [ vpn-instance instance-name ] | ipv6-address } port [ weight weight-value ]
Step 4 Run:
radius-server accounting { ip-address [ vpn-instance instance-name ] | ipv6-address } port [ weight weight-value ]
----End
Context
When multiple authentication or accounting servers are configured in the RADIUS server group,
you can configure the algorithm for selecting the RADIUS servers. The algorithm of selecting
the RADIUS server can be load balancing or master/backup.
l Load balancing: The NE80E/40E allocates the load according to the weight of each server.
l Master/backup: The first configured server functions as the master server, and the others
function as slave servers.
Procedure
Step 1 Run:
system-view
Step 2 Run:
radius-server group group-name
Step 3 Run:
radius-server algorithm { loading-share | master-backup }
----End
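The two server-selection algorithms named above can be made concrete with the following added example. It is not Huawei code and does not claim to reproduce the NE80E/40E scheduler: weighted load sharing is implemented here as smooth weighted round-robin (this example's choice), and master/backup as "first configured server that is Up". The server entries are constructed; the weights 50 and 20 echo the `Weight[..]` values shown in the display output later in this chapter.

```python
# Added example (not Huawei code): picks a RADIUS server from a group under
# the two algorithms the page names. Load sharing is done as smooth weighted
# round-robin, which is this example's choice, not a statement of how the
# NE80E/40E schedules requests. Server entries are constructed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RadiusServer:
    address: str
    port: int
    weight: int = 0
    up: bool = True


def key(s: RadiusServer) -> str:
    return f"{s.address}:{s.port}"


def master_backup(servers: List[RadiusServer]) -> RadiusServer:
    """First configured server is the master; later ones are used only
    when every earlier one is Down."""
    for s in servers:
        if s.up:
            return s
    raise RuntimeError("no RADIUS server in the group is Up")


def load_share_order(servers: List[RadiusServer], requests: int) -> List[str]:
    """Server chosen for each of `requests` consecutive requests, spread in
    proportion to weight among Up servers. Each server gains its weight as
    credit every round; the richest one is picked and pays the total back.
    If every weight is 0 the credits never change and the first Up server
    is picked each time, i.e. the group degenerates to master/backup."""
    up = [s for s in servers if s.up]
    if not up:
        raise RuntimeError("no RADIUS server in the group is Up")
    total = sum(s.weight for s in up)
    credit: Dict[str, int] = {key(s): 0 for s in up}
    order: List[str] = []
    for _ in range(requests):
        for s in up:
            credit[key(s)] += s.weight
        chosen = max(up, key=lambda s: credit[key(s)])   # ties: earlier server
        credit[key(chosen)] -= total
        order.append(key(chosen))
    return order


def share_counts(servers: List[RadiusServer], requests: int) -> Dict[str, int]:
    """How many of `requests` requests each server receives."""
    counts: Dict[str, int] = {}
    for k in load_share_order(servers, requests):
        counts[k] = counts.get(k, 0) + 1
    return counts


if __name__ == "__main__":
    group = [RadiusServer("10.1.1.1", 1812, weight=50),
             RadiusServer("10.1.1.2", 1812, weight=20)]
    print(share_counts(group, 14))
    print(key(master_backup([RadiusServer("10.1.1.1", 1812, up=False), group[1]])))
```

Over 14 requests the 50/20 group receives 10 and 4 requests respectively, and a Down master is skipped in favour of the next configured server.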
Context
The negotiated parameters specify the conventions of the RADIUS protocol and message format
used for communication between the RADIUS server and the NE80E/40E. The negotiated
parameters are as follows:
Procedure
Step 1 Run:
system-view
The format of the user name contained in the RADIUS packets is configured.
By default, the user name on the RADIUS server contains the domain name.
Step 6 Run:
radius-server traffic-unit { byte | gbyte | kbyte | mbyte }
The ID format of the circuit through which RADIUS packets are transmitted to the upstream
device is set.
By default, the packets that inform the upstream device of the link ID are in the cn format.
Step 10 Run:
radius-server calling-station-id include option82
----End
Context
This function is configured for a RADIUS server group and takes effect on only the RADIUS
servers in this group. You can disable up to 64 attributes in a RADIUS server group.
You can disable the RADIUS attributes of both the sender and receiver on the NE80E/40E.
Procedure
Step 1 Run:
system-view
Step 2 Run:
radius-server group group-name
Step 3 Run:
radius-server attribute translate
Step 4 Run:
radius-attribute disable attribute-name { { access-accept | access-request | account } * | { receive | send } * }
Or, run:
radius-attribute disable extend attribute-description { access-accept | { access-request | account } * }
----End
Context
RADIUS servers from various vendors support different RADIUS attributes, and the vendors
also define RADIUS attributes in different manners. This makes interconnection between the
NE80E/40E and RADIUS servers more difficult.
To address this problem, the NE80E/40E provides the attribute translation function. After the
attribute translation function is configured, the NE80E/40E can encapsulate or parse src-attribute
by using the format of dest-attribute when transmitting or receiving RADIUS packets.
By doing this, the NE80E/40E can communicate with different types of RADIUS servers.
This function is usually applied when one attribute has multiple formats. For example, the
nas-port-id attribute has a new format and an old format. The NE80E/40E uses the new format. If
the RADIUS server uses the old format, you can run the radius-attribute translate nas-port-id
nas-port-identify-old receive send command on the NE80E/40E. Do as follows on the
router:
Procedure
Step 1 Run:
system-view
Or, run:
radius-attribute translate extend src-attr-description dest-attr-description { access-accept | { access-request | account } * }
----End
Context
The RADIUS protocol specifies that the RADIUS server must deliver the tunnel password in
cipher text. Most RADIUS servers, however, do not conform to this specification. Therefore,
the NE80E/40E supports configuration of the tunnel password delivery mode so that the
NE80E/40E can communicate with various types of RADIUS servers.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Step 3 Run:
radius-attribute tunnel-password { cipher | simple }
The mode in which the RADIUS server delivers the tunnel password is configured.
By default, the NE80E/40E requires the RADIUS server to deliver the tunnel password in cipher
text.
----End
Context
As specified in the standard RADIUS protocol, the Class attribute carried in an access accept
packet sent from the RADIUS server to the client must be returned to the accounting server
without any change in an accounting request packet.
The NE80E/40E extends the standard RADIUS protocol by adding the CAR value to the Class
attribute (RADIUS attribute 25).
Procedure
Step 1 Run:
system-view
Step 2 Run:
radius-server group group-name
Step 3 Run:
radius-server class-as-car [ enable-pir ]
By default, the Class attribute does not carry any CAR value.
NOTE
To meet the requirements of various RADIUS servers, the NE80E/40E can use the RADIUS attribute 25
or RADIUS attribute 26 to send the CAR value to the RADIUS server. The preceding commands configure
how to use the RADIUS attribute 25 to send the CAR value to the RADIUS server.
----End
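The Class rule stated in this section (the attribute 25 value from the Access-Accept must reappear unchanged in the Accounting-Request) is shown with a minimal RADIUS attribute codec in the following added example. It is not Huawei code; the attribute numbers are the standard RADIUS ones (User-Name 1, Class 25, Acct-Status-Type 40, Acct-Session-Id 44), and the Access-Accept payload, including the opaque Class blob, is constructed. Because a server may place anything in Class (the CAR extension above is one such use), the client side treats it as bytes and never interprets it; the decoder also rejects the two classic malformed-length cases.

```python
# Added example (not Huawei code): a minimal RADIUS attribute (type, length,
# value) codec used to show the Class (attribute 25) rule: whatever the server
# sent in Access-Accept is copied byte-for-byte into the Accounting-Request.
from typing import List, Tuple

ATTR_USER_NAME = 1          # standard RADIUS attribute numbers
ATTR_CLASS = 25
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44

Attribute = Tuple[int, bytes]


def encode_attributes(attrs: List[Attribute]) -> bytes:
    """Serialize attributes; the length octet covers type, length and value."""
    out = bytearray()
    for atype, value in attrs:
        if not 0 <= atype <= 255 or len(value) > 253:
            raise ValueError("attribute type or value out of range")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def decode_attributes(data: bytes) -> List[Attribute]:
    """Parse a run of attributes. Rejects a length below the 2-octet header
    and a length that runs past the end of the buffer."""
    attrs: List[Attribute] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} for attribute {atype} at offset {pos}")
        attrs.append((atype, bytes(data[pos + 2:pos + length])))
        pos += length
    return attrs


def build_accounting_request(access_accept: bytes, session_id: bytes) -> bytes:
    """Copy every Class attribute from the Access-Accept unchanged, then add
    the accounting attributes (Acct-Status-Type 1 = Start)."""
    classes = [a for a in decode_attributes(access_accept) if a[0] == ATTR_CLASS]
    return encode_attributes(
        [(ATTR_ACCT_STATUS_TYPE, (1).to_bytes(4, "big")),
         (ATTR_ACCT_SESSION_ID, session_id)] + classes)


def class_echoed_unchanged(access_accept: bytes, acct_request: bytes) -> bool:
    """Check a client did what the page requires: same Class values, same order."""
    want = [v for t, v in decode_attributes(access_accept) if t == ATTR_CLASS]
    got = [v for t, v in decode_attributes(acct_request) if t == ATTR_CLASS]
    return want == got


# Constructed Access-Accept payload: User-Name plus an opaque Class blob.
# The blob content is made up; a NAS must not interpret or edit it.
SAMPLE_ACCEPT = encode_attributes([(ATTR_USER_NAME, b"alice"),
                                   (ATTR_CLASS, b"\x00\x01CAR:cir=1024")])


if __name__ == "__main__":
    req = build_accounting_request(SAMPLE_ACCEPT, b"0001")
    print(decode_attributes(req))
    print(class_echoed_unchanged(SAMPLE_ACCEPT, req))
```

A client that rewrote or dropped the blob would fail `class_echoed_unchanged`, and the accounting server would be unable to correlate the session with the authorization that produced it.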
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The format of the NAS-Port attribute and format of the NAS-Port-Id attribute are configured.
NOTE
When configuring the format of the NAS-Port-Id attribute, note the following:
l If the vendor ID is 2352, the NE80E/40E encapsulates the NAS-Port-Id attribute by using the default
format defined by Redback.
l If the vendor ID is 2636, the NE80E/40E encapsulates the NAS-Port-Id attribute by using the default
format defined by Juniper.
l If the vendor ID is 9, the NE80E/40E encapsulates the NAS-Port-Id attribute by using the default format
defined by Cisco.
l For other vendors, the NE80E/40E encapsulates the NAS-Port-Id attribute by using the original format.
----End
Context
On the NE80E/40E, you can configure the interface that connects to a RADIUS server as the
source interface of the RADIUS server. On the NE80E/40E, you can configure the source
interface in the system view or in the view of a RADIUS server group. Thus, the RADIUS servers
in the RADIUS server group use this source interface to interact with the NE80E/40E. If the
source interface of the RADIUS server group is not configured, the RADIUS servers use the
global source interface.
Procedure
l Configure the global source interface of all RADIUS servers in all RADIUS server groups.
1. Run:
system-view
----End
Context
You need to configure a RADIUS authorization server for a dynamic service so that the RADIUS
server can dynamically authorize a user when the user uses the dynamic service.
Procedure
Step 1 Run:
system-view
Step 2 Run:
radius-server authorization ip-address [ vpn-instance instance-name ] { shared-key key | server-group groupname } * [ ack-reserved-interval interval ]
To retain the RADIUS authorization response packet to respond to the retransmitted packets
from the RADIUS authorization server, you need to set the period of retaining the authorization
response when configuring the RADIUS authorization server.
----End
Context
The configuration is valid for all RADIUS servers.
Procedure
Step 1 Run:
system-view
Step 2 Run:
radius-server { dead-count times | dead-interval interval | dead-time time }
The parameters used to determine the status of the RADIUS server are set.
By default, the router considers the RADIUS server abnormal when the RADIUS server
fails to respond to 10 consecutive packets sent from the router within 5 seconds. The router waits
for 3 minutes before restoring the status of the RADIUS server.
If the NE80E/40E does not receive any response packets after sending RADIUS packets for the
number of times configured in this command, and the interval between the first packet and the
last packet (specified by dead-count) that the RADIUS server fails to respond to is longer than
dead-interval, the NE80E/40E determines that the RADIUS server works abnormally and
changes the status of the RADIUS server to Down.
After setting the status of the RADIUS server to Down, the NE80E/40E waits for a certain period
configured in this command before setting the status of the RADIUS server to Up. At the same
time, the NE80E/40E attempts to reestablish a connection with the RADIUS server. If the
connection cannot be established, the NE80E/40E sets the status of the RADIUS server to Down
again.
----End
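The dead-count, dead-interval and dead-time logic described above is written out as a small state machine in the following added example (not Huawei code). It follows the paragraph that defines the three parameters: a server goes Down after `dead-count` consecutive unanswered packets whose span exceeds `dead-interval`, and is set Up again once `dead-time` has passed so that it is retried. Defaults are the page's 10 packets, 5 seconds and 3 minutes; timestamps are plain seconds supplied by the caller, and the packet timings in `demo` are constructed.

```python
# Added example (not Huawei code): a state machine for the dead-count /
# dead-interval / dead-time logic, using the page's defaults (10 packets,
# 5 seconds, 3 minutes). Timestamps are seconds supplied by the caller.
from dataclasses import dataclass
from typing import Optional


@dataclass
class RadiusServerStatus:
    dead_count: int = 10           # unanswered packets before the server may go Down
    dead_interval: float = 5.0     # seconds the miss run must exceed
    dead_time: float = 180.0       # seconds a Down server is left alone (3 minutes)
    state: str = "Up"
    misses: int = 0
    first_miss_at: Optional[float] = None
    down_at: Optional[float] = None

    def on_response(self, now: float) -> str:
        """Any answer clears the miss window; an answered probe while Down
        means the connection was re-established."""
        self.misses = 0
        self.first_miss_at = None
        if self.state == "Down":
            self.state = "Up"
            self.down_at = None
        return self.state

    def on_no_response(self, now: float) -> str:
        """Count a packet the server did not answer."""
        if self.state == "Down":
            return self.state
        if self.misses == 0:
            self.first_miss_at = now
        self.misses += 1
        span = now - self.first_miss_at
        if self.misses >= self.dead_count and span > self.dead_interval:
            self.state = "Down"
            self.down_at = now
        return self.state

    def tick(self, now: float) -> str:
        """After dead-time the server is marked Up so traffic is retried;
        a fresh miss run will take it Down again."""
        if self.state == "Down" and now - self.down_at >= self.dead_time:
            self.state = "Up"
            self.misses = 0
            self.first_miss_at = None
            self.down_at = None
        return self.state


def demo() -> dict:
    slow = RadiusServerStatus()
    # ten unanswered packets 1 s apart: count reached and span 9 s > 5 s
    slow_states = [slow.on_no_response(float(t)) for t in range(10)]
    before_recovery = slow.tick(9.0 + 179.0)
    after_recovery = slow.tick(9.0 + 180.0)
    burst = RadiusServerStatus()
    # ten unanswered packets inside one second: count reached, span 0.9 s,
    # so the dead-interval condition is not met and the server stays Up
    burst_states = [burst.on_no_response(t * 0.1) for t in range(10)]
    recovered = RadiusServerStatus()
    for t in range(10):
        recovered.on_no_response(float(t))
    return {
        "slow_ninth": slow_states[-2],
        "slow_final": slow_states[-1],
        "before_recovery": before_recovery,
        "after_recovery": after_recovery,
        "burst_final": burst_states[-1],
        "answered_probe": recovered.on_response(20.0),
    }


if __name__ == "__main__":
    print(demo())
```

The `burst` case is the one worth noticing when tuning these values: a short spike of losses does not take the server Down, while a sustained outage does, and the server is not retried for the full `dead_time` afterwards.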
Context
After you configure extended source ports for the RADIUS server, the NE80E/40E can send more
packets to the RADIUS server in a given period of time.
After the configuration, the NE80E/40E sends RADIUS packets from the extended source ports.
The first half of the extended source ports are used to send and receive RADIUS authentication
packets, and the second half are used to send and receive RADIUS accounting packets. If an odd
number of extended source ports is configured, the authentication ports outnumber the
accounting ports by one.
Procedure
Step 1 Run:
system-view
Step 2 Run:
radius-server extended-source-ports [ start-port start-port-number ] port-number port-number
By default, no extended source ports are configured for the RADIUS server. In this case,
the NE80E/40E uses the default port 1812 to send and receive RADIUS authentication
packets and the default port 1813 to send and receive RADIUS accounting packets.
NOTE
If you do not specify the start port number when configuring the extended source ports, the system
assigns the configured number of valid extended source ports.
----End
Prerequisite
All the configurations of the RADIUS server are complete.
Procedure
l Run the display radius-server authorization configuration command to check the
configuration of the RADIUS authorization server.
l Run the display radius-server configuration [ group groupname ] command to check the
configuration of the RADIUS server group.
l Run the display radius-attribute [ name attribute-name | { type { 3gpp | dsl | huawei | microsoft | redback | standard } [ attribute-number ] } ] or display radius-attribute [ attribute-name ] command to check the RADIUS attributes supported by the system.
l Run the display radius-client configuration command to check the configuration of all
RADIUS clients.
l Run the display radius-server packet ip-address ip-address [ vpn-instance ]
{ accounting | authentication } command to check the statistics about the packets on the
RADIUS server of a specified IP address.
----End
Example
Run the display radius-server authorization configuration command, and you can view the
configuration of the RADIUS authorization server.
<HUAWEI> display radius-server authorization configuration
-----------------------------------------------------------------------------
IP-Address Secret-key Group Ack-r
Reserved-interval
-----------------------------------------------------------------------------
192.168.7.100 huawei rd1 20
Vpn : --
-----------------------------------------------------------------------------
1 Radius authorization server(s) in total
Run the display radius-server configuration command, and you can view the configuration
of the RADIUS server group.
<HUAWEI> display radius-server configuration
RADIUS source interface : LoopBack20
RADIUS no response packet count : 30
RADIUS auto recover time(Min) : 100
RADIUS authentication source ports :
IPv4: 1812
IPv6: 1812
RADIUS accounting source ports :
IPv4: 1813
IPv6: 1813
-------------------------------------------------------
Server-group-name : chen
Authentication-server: IP:1.3.4.144 Port:1812 Weight[0] [UP]
Vpn: -
Accounting-server : IP:1.3.4.144 Port:1814 Weight[0] [UP]
Vpn: -
Protocol-version : radius
Shared-secret-key : huawei
Retransmission : 3
Timeout-interval(s) : 5
Acct-Stop-Packet Resend : NO
Acct-Stop-Packet Resend-Times : 0
-------------------------------------------------------
Are you sure to display next (y/n)[y]:y
-------------------------------------------------------
Server-group-name : huawei
Authentication-server: IP:10.1.1.1 Port:1820 Weight[50] [UP]
Vpn: -
Accounting-server : IP:10.1.1.1 Port:1823 Weight[0] [UP]
Vpn: -
Accounting-server : IP:10.1.1.2 Port:20 Weight[20] [UP]
Vpn: -
share-key: huawei
Protocol-version : radius
Shared-secret-key : huawei
Retransmission : 2
Timeout-interval(s) : 8
Acct-Stop-Packet Resend : YES
Acct-Stop-Packet Resend-Times : 100
-------------------------------------------------------
Total 2,2 printed
Run the display radius-attribute [ name attribute-name | { type { 3gpp | dsl | huawei | microsoft | redback | standard } [ attribute-number ] } ] command, and you can view the
RADIUS attributes supported by the NE80E/40E of the current version.
<HUAWEI> display radius-attribute type standard 1
Radius Attribute Type : 1
Radius Attribute Name : User-Name
Radius Attribute Description : This Attribute indicates the name of the user to
be authenticated.
Supported Packets : Auth Request, Acct Request, Session Control, COA
Request, COA Ack
Run the display radius-client configuration command, and you can view the configuration of
all the RADIUS clients.
<HUAWEI> display radius-client configuration
--------------------------------------------------------------------------
IP-Address Secret-key Group
--------------------------------------------------------------------------
172.194.0.10 huawei sim3
172.194.0.20 huawei sim3
7.0.200.10 huawei sim3
1.1.1.1 1 xzn
Vpn : dsg
--------------------------------------------------------------------------
4 Radius client(s) in total
Run the display radius offline-sub-reason [ subcode subcode-number ] command to check the
user offline causes mapped to the numbers carried in the Accounting Stop packets sent to the
RADIUS server.
<HUAWEI> display radius offline-sub-reason subcode 1
------------------------------------------------------------------------------
Subcode description of offline sub reason
------------------------------------------------------------------------------
1 User request to offline
------------------------------------------------------------------------------
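The display commands above are the only place where the configured shared keys, server states and accounting-stop resend settings of every RADIUS server group are visible together, so they are a natural input for a configuration audit. The following script, which is an added example and not part of the Huawei documentation, parses the display radius-server configuration output reproduced above and reports the points a reviewer would check: a well-known or short shared key, a server that is not in the UP state, a non-standard port that should be confirmed against the server, and a group with accounting-stop retransmission disabled. The sample text is the page's own output except that the state of one accounting server was changed to DOWN to exercise the state check; the list of weak keys and the 8-character minimum are assumptions made for the example.

```python
"""Audit RADIUS server groups from 'display radius-server configuration' output.

Added example, not Huawei code. SAMPLE is copied from the page, with one
accounting server changed to [DOWN]; WEAK_KEYS and the length limit are
constructed for this example.
"""
import re

SAMPLE = """\
RADIUS source interface : LoopBack20
-------------------------------------------------------
Server-group-name : chen
Authentication-server: IP:1.3.4.144 Port:1812 Weight[0] [UP]
Vpn: -
Accounting-server : IP:1.3.4.144 Port:1814 Weight[0] [UP]
Vpn: -
Protocol-version : radius
Shared-secret-key : huawei
Retransmission : 3
Timeout-interval(s) : 5
Acct-Stop-Packet Resend : NO
Acct-Stop-Packet Resend-Times : 0
-------------------------------------------------------
Are you sure to display next (y/n)[y]:y
-------------------------------------------------------
Server-group-name : huawei
Authentication-server: IP:10.1.1.1 Port:1820 Weight[50] [UP]
Vpn: -
Accounting-server : IP:10.1.1.1 Port:1823 Weight[0] [UP]
Vpn: -
Accounting-server : IP:10.1.1.2 Port:20 Weight[20] [DOWN]
Vpn: -
Protocol-version : radius
Shared-secret-key : huawei
Retransmission : 2
Timeout-interval(s) : 8
Acct-Stop-Packet Resend : YES
Acct-Stop-Packet Resend-Times : 100
-------------------------------------------------------
Total 2,2 printed
"""

# Constructed list of keys that should never be used in production.
WEAK_KEYS = {"huawei", "radius", "secret", "123456", "1"}
MIN_KEY_LEN = 8  # assumption for this example
STANDARD_PORT = {"authentication": 1812, "accounting": 1813}

SERVER_RE = re.compile(
    r"^(Authentication|Accounting)-server\s*:\s*IP:(\S+)\s+Port:(\d+)\s+Weight\[(\d+)\]\s+\[(\w+)\]"
)
KV_RE = re.compile(r"^([A-Za-z][\w() -]*?)\s*:\s*(.*)$")


def parse_groups(text):
    """Return a list of dicts, one per Server-group-name block."""
    groups, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server-group-name"):
            cur = {"name": line.split(":", 1)[1].strip(), "servers": []}
            groups.append(cur)
            continue
        if cur is None:          # header lines before the first group
            continue
        m = SERVER_RE.match(line)
        if m:
            role, ip, port, weight, state = m.groups()
            cur["servers"].append({"role": role.lower(), "ip": ip,
                                   "port": int(port), "weight": int(weight),
                                   "state": state})
            continue
        m = KV_RE.match(line)
        if m and not line.startswith("Vpn"):
            cur[m.group(1).strip()] = m.group(2).strip()
    return groups


def audit_group(group):
    """Return a list of human-readable findings for one server group."""
    findings = []
    key = group.get("Shared-secret-key", "")
    if key.lower() in WEAK_KEYS or len(key) < MIN_KEY_LEN:
        findings.append("weak shared key (well-known default or shorter "
                        f"than {MIN_KEY_LEN} characters)")
    for s in group["servers"]:
        if s["state"] != "UP":
            findings.append(f"{s['role']} server {s['ip']}:{s['port']} "
                            f"is {s['state']}")
        if s["port"] != STANDARD_PORT[s["role"]]:
            findings.append(f"{s['role']} server {s['ip']}:{s['port']} uses "
                            "a non-standard port; confirm it matches the server")
    if group.get("Acct-Stop-Packet Resend", "NO") != "YES":
        findings.append("accounting-stop resend disabled; a lost stop packet "
                        "leaves the session open on the accounting server")
    return findings


def audit_all(text):
    """Map each group name to its findings (empty list means clean)."""
    return {g["name"]: audit_group(g) for g in parse_groups(text)}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, findings or "OK")
```

The parser keys on the field labels exactly as the router prints them, so it tolerates the paging prompt and separator lines between groups; a different software release that renames a label would simply leave that field absent, which the audit treats as "not configured".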
Context
NOTE
The access-side HWTACACS server cannot be configured on the X1 or X2 models of the NE80E/40E.
Applicable Environment
When the HWTACACS protocol is used for implementing AAA, you need to configure an
HWTACACS server.
NOTE
Pre-configuration Tasks
None.
Data Preparation
To configure an HWTACACS server, you need the following data.
No. Data
10 (Optional) Time for the primary HWTACACS server to restore to the active state
Context
Up to 128 HWTACACS server templates can be configured on the NE80E/40E.
Procedure
Step 1 Run:
system-view
Step 2 Run:
hwtacacs-server template template-name
An HWTACACS server template is created and the HWTACACS server template view is
displayed.
If the HWTACACS server template already exists, this command directly displays the
HWTACACS server template view.
----End
Context
Do as follows on the router:
Procedure
l Configure an HWTACACS authentication server.
1. Run:
system-view
4. Run:
hwtacacs-server authentication ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
----End
Context
The negotiated parameters specify the conventions of the HWTACACS protocol and message
format used for communication between the HWTACACS server and the NE80E/40E. The
negotiated parameters are as follows:
l Key
The key protects the communication between the NE80E/40E and the HWTACACS
server.
The key configured on the NE80E/40E must be identical to the key configured on the
HWTACACS server; otherwise, the two parties cannot authenticate each other.
The key is case sensitive.
l User name format
On the NE80E/40E, a user name is in the format of user@domain. When the HWTACACS
server does not identify the user name that contains the domain name, the NE80E/40E sends
the user name without the domain name to the HWTACACS server.
l Traffic unit
The NE80E/40E supports four traffic units of byte, Kbyte, Mbyte, and Gbyte to meet
requirements of various HWTACACS servers.
Do as follows on the router:
Procedure
l (Optional) Configure the key for the HWTACACS server.
1. Run:
system-view
NOTE
The router and the HWTACACS server must be configured with the same key; otherwise,
neither side can verify the identity of the other.
l (Optional) Configure the user name format for the HWTACACS server.
1. Run:
system-view
When the HWTACACS server does not identify the user name that contains the
domain name, you can configure the router to remove the domain name from the user
name before sending the user name to the HWTACACS server.
NOTE
Context
If the NE80E/40E sends a packet to the HWTACACS server but does not receive any response
within the specified time, the NE80E/40E considers the connection broken. The specified time
is the response timeout period of the HWTACACS server.
NOTE
HWTACACS is implemented based on TCP; therefore, the server response timeout or TCP timeout may
cause disconnection of the NE80E/40E from the HWTACACS server.
If the NE80E/40E determines that its connection with the primary HWTACACS server is
broken, the NE80E/40E waits for a period of time, and then re-connects to the primary server.
The specified time is the time for the primary HWTACACS server to restore to the active state.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Step 3 Run:
hwtacacs-server timer response-timeout value
Step 4 Run:
hwtacacs-server timer quiet value
The time for the primary HWTACACS server to restore to the active state is set.
By default, the time for the primary HWTACACS server to restore to the active state is 5 minutes.
----End
Context
If HWTACACS accounting is used, the NE80E/40E generates an accounting stop packet after
a user logs out and then sends the packet to the HWTACACS server. If the connectivity of the
network is less than satisfactory, you can enable retransmission of accounting stop packets to
prevent the loss of accounting information.
Procedure
Step 1 Run:
system-view
Step 2 Run:
hwtacacs-server accounting-stop-packet resend { disable | enable number }
You can enable or disable retransmission of accounting stop packets and set the number of
retransmission times. By default, retransmission of accounting stop packets is enabled on the
NE80E/40E and the number of retransmission times is set to 100.
An accounting stop packet is used to instruct the HWTACACS server to stop accounting. If the
accounting server fails to receive the packet, it continues accounting.
In this case, the NE80E/40E can retransmit the accounting stop packets until the server receives
the packets or until the number of retransmission times reaches the threshold.
----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
hwtacacs-user change-password hwtacacs-server template-name
NOTE
l Users can successfully log in to the device only when they pass HWTACACS authentication and also
the HWTACACS server template has been configured.
l Users can modify passwords only when the user names and passwords saved on the HWTACACS
server are still applicable.
l When the users with expired passwords log in to the device, the HWTACACS server returns an
authentication failure packet and these users cannot modify their passwords.
----End
Prerequisite
All the configurations of the server template are complete.
Procedure
l Run the display hwtacacs-server template [ template-name [ verbose ] ] command to
check the configuration of the HWTACACS server template.
l Run the display hwtacacs-server accounting-stop-packet { all | number | ip ip-address }
command to check information about the accounting stop packets on the HWTACACS
server.
----End
Example
Run the display hwtacacs-server template command, and you can view information about the
HWTACACS server.
<HUAWEI> display hwtacacs-server template
-----------------------------------------------------------
HWTACACS-server template name : 123
Primary-authentication-server : 0.0.0.0:0:-
Primary-authorization-server : 0.0.0.0:0:-
Primary-accounting-server : 0.0.0.0:0:-
Secondary-authentication-server : 0.0.0.0:0:-
Secondary-authorization-server : 0.0.0.0:0:-
Secondary-accounting-server : 0.0.0.0:0:-
Current-authentication-server : 0.0.0.0:0:-
Current-authorization-server : 0.0.0.0:0:-
Current-accounting-server : 0.0.0.0:0:-
Source-IP-address : 0.0.0.0
Shared-key : -
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : Yes
Traffic-unit : B
-------------------------------------------------------------
Are you sure to display more information (y/n)[y]:y
-------------------------------------------------------------
HWTACACS-server template name : test1
Primary-authentication-server : 1.1.11.1:49:vpna
Primary-authorization-server : 0.0.0.0:0:-
Primary-accounting-server : 1.1.1.1:49:vpna
Secondary-authentication-server : 0.0.0.0:0:-
Secondary-authorization-server : 1.1.1.1:12:vpna
Secondary-accounting-server : 0.0.0.0:0:-
Current-authentication-server : 1.1.11.1:49:vpna
Current-authorization-server : 1.1.1.1:12:vpna
Current-accounting-server : 1.1.1.1:49:vpna
Source-IP-address : 1.1.1.1
Shared-key : -
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : Yes
Traffic-unit : B
-------------------------------------------------------------
Total 2,2 printed
Context
NOTE
Applicable Environment
The accounting information on the NE80E/40E is a backup of the accounting information on
the remote server. When an error occurs on the remote server, the CDRs are stored on the
NE80E/40E. In this manner, the accounting information will not be lost.
After bill saving is configured on the local device, the NE80E/40E saves the generated CDRs
to the cache first. Then, the cached CDRs are saved to either the CF card or the bill server by
using TFTP. The CDRs saved in the CF card can also be backed up to the bill server.
On the NE80E/40E, you can create or delete local CDR pools by using commands. Bill saving
can be configured on the local device only after a local CDR pool is created. If the local CDR
pool does not exist, this function does not take effect, and CDRs will not be backed up.
Pre-configuration Tasks
None.
Data Preparation
To configure bill saving on the local device, you need the following data.
No. Data
2 (Optional) Alarm thresholds for CDRs in the CF card and the cache
3 (Optional) Intervals for automatic backup of CDRs in the CF card and the cache
Context
You can create or delete local CDR pools by running commands on the NE80E/40E. The local
CDRs can be saved only after a local CDR pool is created. When the local CDR pool is deleted,
the local CDRs in the pool are also deleted. Therefore, back up the local CDRs before deleting
the local CDR pool.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
----End
Context
The cached bills can be backed up to the CF card or the bill server by using TFTP, or not backed
up.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
----End
Context
NOTE
By default, the cached bills are automatically backed up to the CF card. Due to limited capacity of the CF
card, you must back up the bills in the CF card to the bill server.
Procedure
l Configure the bill server.
1. Run:
system-view
NOTE
You need to use TFTP to log in to the NE80E/40E, which functions as a bill server, to back up
bills. Hence, you must run the TFTP server program and specify a working directory on the
NE80E/40E.
l Set the alarm threshold for the CF card usage.
1. Run:
system-view
The bills in the CF card are backed up to the bill server manually.
l (Optional) Clear all the bills in the CF card.
1. Run:
system-view
1.5.5 (Optional) Backing up the Bills in the Cache to the Bill Server
The capacities of the cache and the CF card are small; therefore, it is recommended that you
back up bills in the cache to the bill server.
Context
You need to use TFTP to log in to the NE80E/40E, which functions as a bill server, to back up
bills. Hence, you must run the TFTP server program and specify a working directory on the
NE80E/40E.
Do as follows on the router:
Procedure
l Configure the bill server.
1. Run:
system-view
By default, the bills in the cache are backed up at intervals of 1440 minutes.
l Back up the bills in the cache to the bill server manually.
1. Run:
system-view
Procedure
l Run the display local-bill { cache start-no count | configuration | information } command
to check the configuration of bill saving.
----End
Example
Run the display local-bill { cache start-no count | configuration | information } command,
and you can view the configuration of bill saving.
<HUAWEI> display local-bill cache 0 2
Contents of Bill 1:
--------------------------------------------------------------
Bill-No : 1
Session-Id: NE80E/40E-1007002000000100ee7075000024
User-name : user1@huawei
Start-Time: 2007/11/24 18:04:42
Stop-Time : 2007/11/24 18:06:17 Elapse : 0:01:35
IP-Addr : 192.168.7.186 MAC : 0016-ecb7-a879
IPv6-Addr : ::
Auth-Type : PPP Access-Type: PPPoE
Port-No : 1/0/2 VLAN : 100
Status : 2(offline) Code : 6, Ref: 98
Acc Data before Tariff Switch,
1 Priority :
0 : User-received: Bytes=0 , Pkts=0
User-sent: Bytes=0 , Pkts=0
Acc Data after Tariff Switch,
1 Priority :
0 : User-received: Bytes=0 , Pkts=0
User-sent: Bytes=0 , Pkts=0
--------------------------------------------------------------
Total printed 1 bills from cache.
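Locally cached CDRs are the only accounting evidence left when the remote accounting server was unreachable, so a practitioner backing them up with TFTP typically wants to validate them before settlement. The following script is an added example, not part of the Huawei documentation: it parses the display local-bill cache output shown above into structured records, sums the per-priority byte and packet counters before and after the tariff switch, and checks that the Elapse field agrees with Stop-Time minus Start-Time and that the bill belongs to a session that is actually offline. The sample is the page's bill with the zero traffic counters replaced by constructed values; field names and their layout are taken from the page.

```python
"""Parse and sanity-check local CDRs from 'display local-bill cache' output.

Added example, not Huawei code. SAMPLE_BILLS is the page's bill with the
byte and packet counters changed from zero to constructed values.
"""
import re
from datetime import datetime

SAMPLE_BILLS = """\
Contents of Bill 1:
--------------------------------------------------------------
Bill-No : 1
Session-Id: NE80E/40E-1007002000000100ee7075000024
User-name : user1@huawei
Start-Time: 2007/11/24 18:04:42
Stop-Time : 2007/11/24 18:06:17 Elapse : 0:01:35
IP-Addr : 192.168.7.186 MAC : 0016-ecb7-a879
IPv6-Addr : ::
Auth-Type : PPP Access-Type: PPPoE
Port-No : 1/0/2 VLAN : 100
Status : 2(offline) Code : 6, Ref: 98
Acc Data before Tariff Switch,
1 Priority :
0 : User-received: Bytes=1200 , Pkts=10
User-sent: Bytes=300 , Pkts=5
Acc Data after Tariff Switch,
1 Priority :
0 : User-received: Bytes=800 , Pkts=8
User-sent: Bytes=200 , Pkts=4
--------------------------------------------------------------
Total printed 1 bills from cache.
"""

TIME_FMT = "%Y/%m/%d %H:%M:%S"
# Single-value fields; each pattern captures exactly one group.
FIELD_RE = {
    "bill_no": r"Bill-No\s*:\s*(\d+)",
    "session_id": r"Session-Id\s*:\s*(\S+)",
    "user": r"User-name\s*:\s*(\S+)",
    "start": r"Start-Time\s*:\s*(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)",
    "stop": r"Stop-Time\s*:\s*(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)",
    "elapse": r"Elapse\s*:\s*(\d+:\d\d:\d\d)",
    "ip": r"IP-Addr\s*:\s*(\S+)",
    "mac": r"MAC\s*:\s*(\S+)",
}
STATUS_RE = re.compile(r"Status\s*:\s*(\d+)\((\w+)\)")
COUNTER_RE = re.compile(r"User-(received|sent):\s*Bytes=(\d+)\s*,\s*Pkts=(\d+)")


def elapse_seconds(hms):
    """Convert the H:MM:SS Elapse field to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_bills(text):
    """Split the output on 'Contents of Bill N:' and parse each bill."""
    bills = []
    for chunk in re.split(r"Contents of Bill \d+:", text)[1:]:
        bill = {}
        for key, pat in FIELD_RE.items():
            m = re.search(pat, chunk)
            if m:
                bill[key] = m.group(1)
        m = STATUS_RE.search(chunk)
        if m:
            bill["status_code"] = int(m.group(1))
            bill["status"] = m.group(2)
        # Sum all priorities, before and after the tariff switch, per direction.
        bill["bytes"] = {"received": 0, "sent": 0}
        bill["pkts"] = {"received": 0, "sent": 0}
        for direction, b, p in COUNTER_RE.findall(chunk):
            bill["bytes"][direction] += int(b)
            bill["pkts"][direction] += int(p)
        bills.append(bill)
    return bills


def check_bill(bill):
    """Return a list of inconsistencies found in one parsed bill."""
    problems = []
    if "start" in bill and "stop" in bill:
        start = datetime.strptime(bill["start"], TIME_FMT)
        stop = datetime.strptime(bill["stop"], TIME_FMT)
        actual = int((stop - start).total_seconds())
        if actual < 0:
            problems.append("stop time precedes start time")
        elif "elapse" in bill and elapse_seconds(bill["elapse"]) != actual:
            problems.append(f"Elapse {bill['elapse']} disagrees with "
                            f"Stop-Start ({actual}s)")
    if bill.get("status") != "offline":
        problems.append("bill belongs to a session that is not offline")
    return problems


if __name__ == "__main__":
    for b in parse_bills(SAMPLE_BILLS):
        print(b["user"], b["bytes"], check_bill(b) or "consistent")
```

Because the counters are summed across every priority line, the same parser works for bills that carry more than one priority class, which the page's single-priority sample does not show.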
Context
NOTE
Applicable Environment
You need to configure a domain to perform AAA management on access users.
Pre-configuration Tasks
Before configuring a domain, complete the following tasks:
Data Preparation
To configure a domain, you need the following data.
No. Data
1 Domain name
5 (Optional) Maximum number of access users and maximum connection setup rate
NOTE
User attributes of the domain include the user priority, user group, idle-cut parameter, time-specific QoS
guarantee, QoS profile, queue profile, VAS policy, policy-based routing, multicast parameter, and
maximum re-authentication time period. A change to these attributes takes effect only for users that go
online after the change; users that are already online must log out and log in again for the new attributes to apply.
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Step 2 Run:
aaa
Step 3 Run:
domain domain-name
Up to 1024 domains can be created on the NE80E/40E. The NE80E/40E has three default
domains: default0, default1, and default_admin.
l default0 is the default domain to which unauthenticated users belong. When users have
accessed the NE80E/40E but have not been authenticated, the NE80E/40E does not know
which domain the users belong to and defaults the users to default0. The NE80E/40E then
performs the authentication scheme of default0 and the accounting scheme of default0 on
the users in this domain.
l default1 is the default domain to which the users being authenticated belong. If the user
name entered for authentication does not contain any domain name, the NE80E/40E defaults
the user to default1. The NE80E/40E performs the authentication scheme of default1 and
the accounting scheme of default1 on the users in this domain.
l default_admin is the default domain to which the administrator belongs. When the
administrator logs in to the NE80E/40E by using Telnet or SSH and the user name entered for
authentication does not contain any domain name, the NE80E/40E defaults the administrator
to default_admin. The NE80E/40E performs the authentication scheme of default and the
accounting scheme of default0 on the users in this domain.
----End
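The domain selection rules above, together with the user name format parameter of the HWTACACS server (whether the domain part of user@domain is sent to the server), decide which authentication and accounting schemes a login is subjected to, so they are worth modelling explicitly when reviewing an AAA design. The following function set is an added example, not Huawei code: it resolves a user name to (user, domain) according to the three default domains described above, returns the default scheme pair the page gives for each domain, and derives the name that would be sent to an HWTACACS server when the domain is stripped. It assumes that the last "@" in the name separates user and domain, and uses the string "admin" to mark a Telnet or SSH administrator login; both are conventions of this example.

```python
"""Model the default-domain and user-name-format rules described on the page.

Added example, not Huawei code. Assumptions: the last '@' separates user
and domain; access="admin" marks a Telnet/SSH administrator login.
"""

DEFAULT_DOMAINS = ("default0", "default1", "default_admin")

# Default (authentication scheme, accounting scheme) per domain, as the
# page states: default_admin uses "default" for authentication but
# default0 for accounting; user-defined domains behave like default1.
_DEFAULT_SCHEMES = {
    "default0": ("default0", "default0"),
    "default1": ("default1", "default1"),
    "default_admin": ("default", "default0"),
}


def split_user_name(name):
    """Split 'user@domain' into (user, domain); domain is None if absent."""
    if "@" not in name:
        return name, None
    user, domain = name.rsplit("@", 1)   # assumption: last '@' separates
    return user, (domain or None)


def resolve_domain(user_name, access="access", authenticated=True):
    """Return (user, domain) for a login attempt.

    authenticated=False models a user that has reached the device but not
    yet been authenticated: the device does not know its domain and uses
    default0. Otherwise a missing domain falls back to default1, or to
    default_admin for administrator (Telnet/SSH) logins.
    """
    if not authenticated:
        return user_name, "default0"
    user, domain = split_user_name(user_name)
    if domain is None:
        domain = "default_admin" if access == "admin" else "default1"
    return user, domain


def default_schemes(domain):
    """(authentication scheme, accounting scheme) applied when the domain
    does not override them; user-defined domains use the default1 pair."""
    return _DEFAULT_SCHEMES.get(domain, ("default1", "default1"))


def hwtacacs_user_name(user_name, domain_included=True):
    """Name sent to the HWTACACS server. With domain_included=False the
    router strips the domain because the server cannot parse user@domain."""
    if domain_included:
        return user_name
    return split_user_name(user_name)[0]


def describe_login(user_name, access="access"):
    """Convenience summary used by the demo below."""
    user, domain = resolve_domain(user_name, access)
    auth, acct = default_schemes(domain)
    return {"user": user, "domain": domain,
            "authentication_scheme": auth, "accounting_scheme": acct}


if __name__ == "__main__":
    for name, acc in (("user1@huawei", "access"), ("alice", "access"),
                      ("operator", "admin")):
        print(describe_login(name, acc))
```

Note that when the HWTACACS server is configured to receive names without the domain, two accounts "alice@isp1" and "alice@isp2" both arrive as "alice"; the server-side account namespace must then be unique across domains, which is a point to confirm before enabling that setting.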
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Step 2 Run:
aaa
Step 3 Run:
domain domain-name
Step 4 Run:
authentication-scheme scheme-name
By default, user-defined domains and the default1 domain use the default1 authentication
scheme, the default_admin domain uses the default authentication scheme, and the default0
domain uses the default0 authentication scheme. You can run the display authentication-scheme
command to view detailed information about the default authentication schemes.
Step 5 Run:
accounting-scheme scheme-name
By default, the default1 accounting scheme is used for user-defined domains and the default1
domain; the default0 accounting scheme is used for the default0 domain and default_admin
domain.
Step 6 (Optional) Run:
accounting dual-stack { separate | identical }
When separate is configured, traffic of IPv4 and IPv6 users is sent to the server separately;
when identical is configured, traffic of IPv4 and IPv6 users is sent to the server together.
By default, accounting is performed separately for IPv4 users and IPv6 users.
Step 7 Run:
authorization-scheme scheme-name
----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
NOTE
If a primary or secondary DNS server is also configured in an address pool, the DNS server configured
in the address pool takes precedence over the DNS server configured by using this command.
----End
Context
The IPv4 address pool for a domain can be a local or remote address pool.
A maximum of 1024 IPv4 address pools can be specified for a domain, and one IPv4 address
pool can be used for multiple domains. The order of the IPv4 address pools configured for a
domain can be changed by moving a pool to a new position. The positions to which a pool can
be moved depend on the number of address pools configured in the domain. For example, if 10
address pools are configured in the domain, a pool can be moved to any position from 1 to 10.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
----End
Context
To guarantee the processing capability of the NE80E/40E, you can limit the total number of
access users for a domain. If the number of users reaches the limit, additional access users are
denied.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
----End
Context
To guarantee the processing capability of the NE80E/40E, you can limit the maximum number
of sessions for an account. If the number of sessions reaches the limit, additional access users
are denied.
Procedure
Step 1 Run:
system-view
Step 2 Run:
aaa
Step 3 Run:
domain domain-name
Step 4 Run:
user-max-session max-session-number
----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Step 2 Run:
aaa
Step 3 Run:
user-priority { upstream | downstream } { priority | trust-8021p-inner |
trust-8021p-outer | trust-dscp | trust-dscp-inner | trust-dscp-outer |
unchangeable | trust-exp-inner | trust-exp-outer }
Currently, one domain can be configured with only one user priority.
By default, the priorities of the incoming and outgoing traffic of users are both 0.
----End
Context
NOTE
Additional functions for a domain cannot be configured on the X1 or X2 models of the NE80E/40E.
l Forced portal
Forced portal means that when a user accesses the Internet for the first time after passing
the authentication, the NE80E/40E forcibly redirects the user's access request to a certain
server, which is usually the portal server of a carrier. In this manner, the user needs to accept
a service at the carrier's portal immediately after accessing the Internet.
l Time-based control
Time-based control means that a domain is automatically blocked in a specified period.
During this period, the users of this domain cannot access the NE80E/40E and the online
users are disconnected. After the period, the domain is reactivated automatically, and the
domain users are allowed to log in again.
l Idle cut
When the traffic volume of a user keeps being lower than a threshold in a period, the
NE80E/40E considers the user idle and disconnects the user. To perform the idle cut function, you
need to set the idle time and the traffic threshold.
The idle cut function configured for a domain controls only the basic traffic of a user. The
multicast traffic and the VAS traffic that is not configured with the summary feature are
not included in the basic traffic. Therefore, the idle cut function is invalid for them.
l Mandatory PPP authentication
Generally, the authentication mode (PAP, CHAP, or MSCHAP) of a PPP user is negotiated
by the PPP client and the virtual template. After the mandatory authentication mode of a
PPP user is configured for a domain, the users in the domain are authenticated in the
configured mode.
l Policy-based routing
In packet forwarding, the NE80E/40E determines the forwarding egress according to the
destination addresses of the packets. With the policy-based routing function, however, the
NE80E/40E determines the forwarding egress according to the address specified in the user
domain.
l IP address usage alarm
After the alarm threshold for the usage (in percentage) of IP addresses is set in a domain,
the NE80E/40E sends a trap to the network management system (NMS) when the usage of
IP addresses exceeds the threshold. If no alarm threshold is set, the NE80E/40E does not
send any trap to the NMS, regardless of the usage of IP addresses.
l Traffic statistics
The traffic statistics function collects the total traffic of a domain and the upstream and
downstream traffic of users.
l Accounting packet copy
This function is used to send accounting packet copies to two RADIUS servers.
You can perform this function when multiple copies of original accounting information are
required (for example, multiple ISPs cooperate in the networking). In this case, accounting
packet copies need to be sent to two RADIUS servers at the same time, and will be used
as the original accounting information in future settlement.
l Re-authentication timeout
The re-authentication timeout is valid for Layer 3 pre-authentication users. If a Layer 3
pre-authentication user does not pass the authentication within the maximum re-authentication
time, the NE80E/40E disconnects this user.
l Policy used for online users when the quota is used up
The NE80E/40E uses a policy after the quota (traffic or session time) of an online user is
used up. The NE80E/40E may forcibly log out the user, keep the user online, or redirect
the user to a specified portal.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Step 2 Run:
aaa
Step 3 Run:
domain domain-name
Step 4 Run:
portal-server { ip-address | redirect-limit times | url url-string } and pppoe-url url-string
Step 5 Run:
time-range domain-block { range-name | enable }
You can configure up to four time ranges, which have equal priority.
Step 6 Run:
idle-cut idle-time-length idle-rate
By default, the idle time is 0. This means that the idle cut function is disabled.
Step 7 Run:
policy-route next-hop-ip-address
Step 8 Run:
ip-warning-threshold threshold
Step 9 Run:
flow-bill
The function of collecting the statistics about the total traffic is enabled.
Step 10 Run:
flow-statistic { down | up } *
The function of collecting the upstream or downstream traffic statistics of the domain users is
enabled.
By default, the function of collecting the upstream and downstream traffic statistics of the domain
users is enabled.
Step 11 Run:
accounting-copy radius-server radius-name
Step 12 Run:
max-ipuser-reauthtime time-value
Step 13 Run:
quota-out { offline | online | redirect url url-string }
The policy used for online users when the quota is used up is configured.
By default, the NE80E/40E disconnects the user when the quota of a user is used up.
If the RADIUS protocol type is set to non-standard, a real-time accounting packet is sent to
the RADIUS server to apply for a new quota when the user's quota is used up. If the RADIUS server
responds with a zero quota, the user is redirected according to the configured quota-out redirect
url url-string command.
If you want a user to be redirected directly when its quota is used up, you must first set the RADIUS
protocol type to standard and then configure quota-out redirect url url-string.
Step 14 Run:
radius-no-response lease-time time
The extended lease in case of no response from the RADIUS server is set for DHCP users.
By default, DHCP users will be logged out if there is no response from the RADIUS server.
----End
Context
NOTE
Procedure
Step 1 Run:
system-view
----End
Prerequisite
All the configurations of the domain are complete.
Procedure
Step 1 Run the display domain [ domain-name ] command to check the configuration of the domain.
----End
Example
Run the display domain command, and you can view the summaries of configurations of all
the domains.
<HUAWEI> display domain
------------------------------------------------------------------------------
Domain name State CAR Access-limit Online BODNum RptVSMNum
------------------------------------------------------------------------------
default0 Active 0 279552 0 0 0
default1 Active 0 279552 0 0 0
default_admin Active 0 279552 0 0 0
default Active 0 279552 0 0 0
isp1 Active 0 279552 0 0 0
------------------------------------------------------------------------------
Total 5,5 printed
<HUAWEI> display domain default
------------------------------------------------------------------------------
Domain-name : default
Domain-state : Active
Authentication-scheme-name : default1
Accounting-scheme-name : default1
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Web-server-URL-parameter : No
Portal-server-URL-parameter : No
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service :
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
mscg-name-portal-key : -
Portal-user-first-url-key : -
Ancp auto qos adapt : Disable
Service-type : STB
RADIUS-server-template : -
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled
Qos-profile-name inbound : -
Qos-profile-name outbound : -
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Quota-out : Offline
Context
CAUTION
Statistics cannot be restored after you clear them. Exercise caution when running the command.
Procedure
l Run the reset hwtacacs-server statistics { all | accounting | authentication |
authorization } command in the user view to clear the statistics about the HWTACACS
server.
l Run the reset hwtacacs-server accounting-stop-packet { all | ip ip-address } command
in the user view to clear the statistics about the accounting stop packets on the HWTACACS
server.
----End
Context
NOTE
Examples in this document use interface numbers and link types of the NE40E-X8. In real world situations,
interface numbers and link types may be different from those used in this document.
Networking Requirements
NOTE
As shown in Figure 1-1, the users access the network through Router A and the users belong to
the domain named huawei. Router B functions as the access server for the destination network.
To access the destination network, the users have to traverse the network where Router A and
Router B reside and pass remote authentication of the access server. After that, the users can
access the network through Router B. Remote authentication is implemented on the Router B
as follows:
l The RADIUS server performs authentication and accounting for access users.
l The RADIUS server at 129.7.66.66/24 functions as the primary authentication and
accounting server. The RADIUS server at 129.7.66.67/24 functions as the secondary
authentication and accounting server. The default port numbers for authentication and
accounting are 1812 and 1813 respectively.
Figure 1-1 Networking diagram of performing authentication and accounting for users by using
RADIUS (diagram not reproduced; labels: Domain huawei, Router A, Router B, Network,
Destination network, RADIUS servers 129.7.66.66/24 and 129.7.66.67/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server group, an authentication scheme, and an accounting scheme
on Router B.
2. Apply the RADIUS server group, authentication scheme, and accounting scheme on Router
B to the domain.
Data Preparation
To complete the configuration, you need the following data:
l IP address of the primary (secondary) RADIUS authentication server
l IP address of the primary (secondary) RADIUS accounting server
Procedure
Step 1 Configure a RADIUS server group, an authentication scheme, and an accounting scheme.
# Configure a RADIUS server group named shiva.
<HUAWEI> system-view
[HUAWEI] radius-server group shiva
# Configure the IP addresses and port numbers of the primary RADIUS authentication and
accounting servers.
[HUAWEI-radius-shiva] radius-server authentication 129.7.66.66 1812
# Configure the IP addresses and port numbers of the secondary RADIUS authentication
and accounting servers.
[HUAWEI-radius-shiva] radius-server authentication 129.7.66.67 1812
[HUAWEI-radius-shiva] radius-server accounting 129.7.66.67 1813
# Set the key and the number of retransmission attempts for the RADIUS server.
[HUAWEI-radius-shiva] radius-server shared-key it-is-my-secret
[HUAWEI-radius-shiva] radius-server retransmit 2
[HUAWEI-radius-shiva] quit
Step 2 Configure a domain named huawei and apply authentication scheme 1, accounting scheme 1,
and RADIUS server group shiva in the domain.
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] authentication-scheme 1
[HUAWEI-aaa-domain-huawei] accounting-scheme 1
[HUAWEI-aaa-domain-huawei] radius-server group shiva
Accounting-server : -
Protocol-version : radius
Shared-secret-key : it-is-my-secret
Retransmission : 2
Timeout-interval(s) : 5
Acct-Stop-Packet Resend : NO
Acct-Stop-Packet Resend-Times : 0
Traffic-unit : B
ClassAsCar : NO
User-name-format : Domain-included
Option82 parse mode : -
Attribute-translation: NO
Packet send algorithm: Master-Backup
Tunnel password : cipher
Run the display domain domain-name command on the router, and you can view the
configurations of the domain.
<HUAWEI> display domain huawei
------------------------------------------------------------------------------
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : 1
Accounting-scheme-name : 1
Authorization-scheme-name :
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
User-group-name : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count : 0
Report-VSM-User-Count : 0
Value-added-service : COPS
User-access-limit : 279552
Online-number : 0
Web-IP-address : -
Web-URL : -
Portal-server-IP : -
Portal-URL : -
Portal-force-times : 2
PPPoE-user-URL : Disable
IPUser-ReAuth-Time(second) : 300
Ancp auto qos adapt : Disable
Service-type : STB
RADIUS-server-template : shiva
Two-acct-template : -
HWTACACS-server-template : -
Bill Flow : Disable
Tunnel-acct-2867 : Disabled
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
Quota-out : Offline
------------------------------------------------------------------------------
----End
Configuration Files
#
sysname HUAWEI
#
aaa
authentication-scheme 1
authentication-mode radius
#
authorization-scheme default
#
accounting-scheme 1
accounting-mode radius
#
domain huawei
authentication-scheme 1
accounting-scheme 1
radius-server group shiva
#
radius-server group shiva
radius-server authentication 129.7.66.66 1812 weight 0
radius-server authentication 129.7.66.67 1812 weight 0
radius-server accounting 129.7.66.66 1813 weight 0
radius-server accounting 129.7.66.67 1813 weight 0
radius-server shared-key it-is-my-secret
radius-server retransmit 2
#
return
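A configuration file like the one above is what is usually kept under version control and reviewed, so it is worth being able to check mechanically that the pieces reference each other consistently: a domain's schemes exist, a scheme whose mode is radius or hwtacacs has a matching server group or template bound in the domain, the bound group exists, and the group carries a shared key plus at least one authentication and one accounting server. The following linter is an added example, not Huawei code; it parses the page's configuration file above (the sample is embedded verbatim, with the indentation that extraction already removed) by splitting on the # separator lines and reports the issues listed. The check names and messages are constructed for this example.

```python
"""Lint a NE80E/40E AAA configuration file for dangling references.

Added example, not Huawei code. SAMPLE_CONFIG is the page's configuration
file; the checks and messages are constructed for this example.
"""

SAMPLE_CONFIG = """\
#
sysname HUAWEI
#
aaa
authentication-scheme 1
authentication-mode radius
#
authorization-scheme default
#
accounting-scheme 1
accounting-mode radius
#
domain huawei
authentication-scheme 1
accounting-scheme 1
radius-server group shiva
#
radius-server group shiva
radius-server authentication 129.7.66.66 1812 weight 0
radius-server authentication 129.7.66.67 1812 weight 0
radius-server accounting 129.7.66.66 1813 weight 0
radius-server accounting 129.7.66.67 1813 weight 0
radius-server shared-key it-is-my-secret
radius-server retransmit 2
#
return
"""


def parse_config(text):
    """Return {'auth': {scheme: modes}, 'acct': {...}, 'domain': {...}, 'group': {...}}."""
    cfg = {"auth": {}, "acct": {}, "domain": {}, "group": {}}
    for stanza in text.split("\n#"):
        lines = [l.strip() for l in stanza.splitlines() if l.strip() and l.strip() != "#"]
        if lines and lines[0] == "aaa":   # 'aaa' opens the first scheme stanza
            lines = lines[1:]
        if not lines:
            continue
        head, body = lines[0].split(), lines[1:]
        if head[0] == "authentication-scheme":
            modes = [l.split()[1:] for l in body if l.startswith("authentication-mode")]
            cfg["auth"][head[1]] = modes[0] if modes else []
        elif head[0] == "accounting-scheme":
            modes = [l.split()[1:] for l in body if l.startswith("accounting-mode")]
            cfg["acct"][head[1]] = modes[0] if modes else []
        elif head[0] == "domain":
            d = {"auth": None, "acct": None, "radius_group": None, "hwtacacs": None}
            for l in body:
                t = l.split()
                if t[0] == "authentication-scheme":
                    d["auth"] = t[1]
                elif t[0] == "accounting-scheme":
                    d["acct"] = t[1]
                elif t[:2] == ["radius-server", "group"]:
                    d["radius_group"] = t[2]
                elif t[0] == "hwtacacs-server":
                    d["hwtacacs"] = t[1]
            cfg["domain"][head[1]] = d
        elif head[:2] == ["radius-server", "group"]:
            g = {"authentication": [], "accounting": [], "shared_key": None}
            for l in body:
                t = l.split()
                if t[0] != "radius-server":
                    continue
                if t[1] in ("authentication", "accounting"):
                    g[t[1]].append((t[2], int(t[3])))
                elif t[1] == "shared-key":
                    g["shared_key"] = t[2]
            cfg["group"][head[2]] = g
    return cfg


def lint(cfg):
    """Return a list of consistency problems; empty means the file is coherent."""
    issues = []
    for name, d in cfg["domain"].items():
        for kind, label in (("auth", "authentication"), ("acct", "accounting")):
            scheme = d[kind]
            if scheme is None:
                continue
            modes = cfg[kind].get(scheme)
            if modes is None:
                issues.append(f"domain {name}: {label} scheme '{scheme}' is not defined")
                continue
            if "radius" in modes and d["radius_group"] is None:
                issues.append(f"domain {name}: {label} uses RADIUS but no radius-server group is bound")
            if "hwtacacs" in modes and d["hwtacacs"] is None:
                issues.append(f"domain {name}: {label} uses HWTACACS but no hwtacacs-server template is bound")
        if d["radius_group"] is not None and d["radius_group"] not in cfg["group"]:
            issues.append(f"domain {name}: radius-server group '{d['radius_group']}' is not defined")
    for name, g in cfg["group"].items():
        if g["shared_key"] is None:
            issues.append(f"radius group {name}: no shared key configured")
        if not g["authentication"]:
            issues.append(f"radius group {name}: no authentication server")
        if not g["accounting"]:
            issues.append(f"radius group {name}: no accounting server")
    return issues


def lint_text(text):
    return lint(parse_config(text))


if __name__ == "__main__":
    print(lint_text(SAMPLE_CONFIG) or "configuration is consistent")
```

The stanza splitter relies on the # lines that the router emits between blocks, which survive even when indentation is lost, as in the copy above.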
Networking Requirements
As shown in Figure 1-2, users belong to the domain huawei and access the network through
Router A. Router B functions as the access server of the destination network. If users need to
access the destination network, they should first traverse the network between Router A and
Router B and then access the destination network through Router B after they pass remote
authentication. In such a case, you can configure the authentication mode on Router B as follows:
l Local authentication is first performed on access users. If local authentication fails,
HWTACACS authentication is performed.
l To upgrade the level of an access user, HWTACACS authentication is used first. If the
HWTACACS server does not respond, the local authentication is performed.
l HWTACACS authorization is performed on access users.
l Accounting is necessary for all users.
l The HWTACACS server at 129.7.66.66/24 functions as the primary server and its default
authentication port number, authorization port number, and accounting port number are all
49. The HWTACACS server at 129.7.66.67/24 functions as the secondary server and its
default authentication port number, authorization port number, and accounting port number
are all 49.
Figure 1-2 (diagram not reproduced; labels: Domain huawei, Router A, Router B, Network,
Destination network, HWTACACS servers 129.7.66.66/24 and 129.7.66.67/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an HWTACACS server template.
2. Configure authentication, authorization, and accounting schemes.
3. Apply the configured template and schemes to the domain.
Data Preparation
To complete the configuration, you need the following data:
l IP address of the primary (secondary) HWTACACS authentication server
l IP address of the primary (secondary) HWTACACS authorization server
l IP address of the primary (secondary) HWTACACS accounting server
Procedure
Step 1 Configure an HWTACACS server template.
# Create an HWTACACS server template named ht.
[RouterA] hwtacacs-server template ht
# Configure the IP addresses and port numbers of the primary HWTACACS authentication and
authorization servers.
[RouterA-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[RouterA-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
Step 2 Configure authentication, authorization, and accounting schemes.
# Enter the AAA view.
[RouterA] aaa
# Configure an authentication scheme named l-h with the authentication mode local hwtacacs
(local authentication first, HWTACACS if local authentication fails). For user level upgrade,
configure the super authentication mode as hwtacacs super (HWTACACS first, local super
password only if the HWTACACS server does not respond).
[RouterA-aaa] authentication-scheme l-h
[RouterA-aaa-authen-l-h] authentication-mode local hwtacacs
[RouterA-aaa-authen-l-h] authentication-super hwtacacs super
[RouterA-aaa-authen-l-h] quit
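The two modes configured above fail in different directions, and that is the point a practitioner should check before relying on the fallback: local hwtacacs hands the request to the server when the local check fails, whereas hwtacacs super falls back to the local super password only when the server gives no answer at all, never when it rejects. The following Python model is added here as an illustration; it is not code from the Huawei guide or from VRP. The HWTACACS server is stood in for by a callable that returns "accept", "reject" or None (no response within the timeout), and the local user table and super password are constructed sample data.

```python
"""Added example (not from the Huawei guide or VRP): model the ordering of
local and HWTACACS checks for 'authentication-mode local hwtacacs' and
'authentication-super hwtacacs super' as the guide describes them.

Assumptions: a HWTACACS server is a callable returning "accept", "reject"
or None (no response); the local database is a dict of constructed data."""
from typing import Callable, Dict, Optional, Tuple

# (user, password) -> "accept" | "reject" | None (no response)
Tacacs = Callable[[str, str], Optional[str]]

# Constructed sample data standing in for local-user entries and the super password.
LOCAL_USERS: Dict[str, str] = {"admin": "local-pw"}
LOCAL_SUPER_PASSWORD = "super-pw"


def local_auth(user: str, password: str) -> bool:
    return LOCAL_USERS.get(user) == password


def login_auth(user: str, password: str, tacacs: Tacacs) -> Tuple[str, str]:
    """authentication-mode local hwtacacs: local first; if local fails
    (unknown user or wrong password) the request goes to HWTACACS.
    Returns (result, deciding source)."""
    if local_auth(user, password):
        return "accept", "local"
    reply = tacacs(user, password)
    if reply == "accept":
        return "accept", "hwtacacs"
    if reply == "reject":
        return "reject", "hwtacacs"
    # Server silent and no local match: fail closed rather than admit the user.
    return "reject", "hwtacacs-timeout"


def super_auth(user: str, password: str, tacacs: Tacacs) -> Tuple[str, str]:
    """authentication-super hwtacacs super: HWTACACS decides first. Only a
    missing reply (server down or unreachable) falls back to the local super
    password; an explicit HWTACACS reject is final and never falls through."""
    reply = tacacs(user, password)
    if reply == "accept":
        return "accept", "hwtacacs"
    if reply == "reject":
        return "reject", "hwtacacs"
    if password == LOCAL_SUPER_PASSWORD:
        return "accept", "local-super"
    return "reject", "local-super"
```

Exercising the two functions with three stand-in servers (always accept, always reject, never reply) shows that the only route to the local super password is a server outage, so a privilege upgrade decided by "local-super" in the accounting records is worth alarming on.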
# Configure an authorization scheme named hwtacacs with the authorization mode being
HWTACACS.
[RouterA-aaa] authorization-scheme hwtacacs
[RouterA-aaa-author-hwtacacs] authorization-mode hwtacacs
[RouterA-aaa-author-hwtacacs] quit
# Configure an accounting scheme named hwtacacs with the accounting mode being
HWTACACS.
[RouterA-aaa] accounting-scheme hwtacacs
[RouterA-aaa-accounting-hwtacacs] accounting-mode hwtacacs
Step 3 Create a domain named huawei and apply the authentication scheme l-h, authorization scheme
hwtacacs, accounting scheme hwtacacs, and HWTACACS server template ht to the domain
huawei.
[RouterA-aaa] domain huawei
[RouterA-aaa-domain-huawei] authentication-scheme l-h
[RouterA-aaa-domain-huawei] authorization-scheme hwtacacs
[RouterA-aaa-domain-huawei] accounting-scheme hwtacacs
[RouterA-aaa-domain-huawei] hwtacacs-server ht
Current-accounting-server : 129.7.66.66:49
Source-IP-address : 0.0.0.0
Shared-key : it-is-my-secret
Quiet-interval (min) : 5
Response-timeout-Interval (sec) : 5
Domain-included : Yes
Traffic-unit : B
--------------------------------------------------------------------------
Run the display domain command on the router, and you can view information about the
domain.
<HUAWEI>display domain huawei
----End
Configuration Files
#
hwtacacs-server template ht
hwtacacs-server authentication 129.7.66.66 49
hwtacacs-server authentication 129.7.66.67 49 secondary
hwtacacs-server authorization 129.7.66.66 49
hwtacacs-server authorization 129.7.66.67 49 secondary
hwtacacs-server accounting 129.7.66.66 49
hwtacacs-server accounting 129.7.66.67 49 secondary
hwtacacs-server shared-key it-is-my-secret
#
aaa
authentication-scheme default
authentication-scheme l-h
authentication-mode local hwtacacs
authentication-super hwtacacs super
#
authorization-scheme default
authorization-scheme hwtacacs
authorization-mode hwtacacs
#
accounting-scheme default
accounting-scheme hwtacacs
accounting-mode hwtacacs
#
domain default
domain huawei
authentication-scheme l-h
authorization-scheme hwtacacs
accounting-scheme hwtacacs
hwtacacs-server ht
#
return
Networking Requirements
As shown in Figure 1-3, CE1 and CE2 both belong to VPN-A, whose VPN target attribute is
111:1. On the public network, the administrator logs in to PE2 through the console port or
from a PC, another router, or a Telnet client. After being authorized, the administrator
manages PE2, and system events and records of the administrator's operations on PE2 are sent
to the TACACS server. Because the TACACS server is deployed inside the VPN, PE2 must forward
HWTACACS packets based on the VPN instance.
[Figure 1-3: CE1 (AS65410, VPN-A) - PE1 - P - PE2 (AS100 backbone) - CE2 (AS65430, VPN-A); main and backup TACACS servers behind CE2; administrator attached to PE2]
Interface addresses in the figure:
l PE1: GE2/0/0 10.1.1.1/24, GE1/0/0 100.1.1.1/24
l P: Loopback1 3.3.3.9/32, GE1/0/0 100.1.1.2/24, GE2/0/0 200.1.1.1/24
l PE2: GE1/0/0 200.1.1.2/24, GE2/0/0 10.2.1.2/24
l CE2: GE1/0/1 160.1.1.1/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure BGP/MPLS IP VPN for interworking.
2. Configure a HWTACACS server template.
3. Configure the authentication scheme and authorization scheme.
4. Apply the HWTACACS server template, the authentication scheme, and the authorization
scheme.
Data Preparation
To complete the configuration, you need the following data:
l IP address of the primary (secondary) HWTACACS authentication server
l IP address of the primary (secondary) HWTACACS authorization server
l IP address of the primary (secondary) HWTACACS accounting server
Procedure
Step 1 Configure BGP/MPLS IP VPN.
Configure an IGP on the backbone network so that the PEs and P can communicate and the
loopback addresses used for LSR IDs and BGP peering are advertised.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitEthernet1/0/0
[PE1-GigabitEthernet1/0/0] ip address 100.1.1.1 24
[PE1-GigabitEthernet1/0/0] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 3.3.3.9 32
[P-LoopBack1] quit
[P] interface gigabitEthernet 1/0/0
[P-GigabitEthernet1/0/0] ip address 100.1.1.2 24
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitEthernet 2/0/0
[P-GigabitEthernet2/0/0] ip address 200.1.1.1 24
[P-GigabitEthernet2/0/0] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 200.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] interface gigabitEthernet 1/0/0
[PE2-GigabitEthernet1/0/0] ip address 200.1.1.2 24
[PE2-GigabitEthernet1/0/0] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 200.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] interface gigabitethernet 1/0/1
[CE1-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[CE1-GigabitEthernet1/0/1] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] ip address 10.2.1.1 24
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface gigabitethernet 1/0/1
[CE2-GigabitEthernet1/0/1] ip address 160.1.1.1 24
[CE2-GigabitEthernet1/0/1] quit
[CE2] ospf
[CE2-ospf-1] area 0
[CE2-ospf-1-area-0.0.0.0] network 160.1.1.0 0.0.0.255
[CE2-ospf-1-area-0.0.0.0] quit
[CE2-ospf-1] quit
After the configuration, OSPF neighbor relationships should be set up between PE1, P, and PE2.
Run the display ospf peer command, and you can view that the neighbor state is Full.
Run the display ip routing-table command, and you can view that the PEs have learned the routes
to the Loopback1 interfaces of their peers.
Take the display on PE1 as an example:
[PE1] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 9
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.9/32 Direct 0 0 D 127.0.0.1 InLoopBack0
2.2.2.9/32 OSPF 10 3125 D 100.1.1.2 GigabitEthernet1/0/0
3.3.3.9/32 OSPF 10 1563 D 100.1.1.2 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.1.1.0/24 Direct 0 0 D 100.1.1.1 GigabitEthernet1/0/0
100.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
Configure basic MPLS functions and MPLS LDP on the MPLS backbone network and set up
LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] lsp-trigger all
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitEthernet 1/0/0
[PE1-GigabitEthernet1/0/0] mpls
[PE1-GigabitEthernet1/0/0] mpls ldp
[PE1-GigabitEthernet1/0/0] quit
# Configure P.
[P] mpls lsr-id 3.3.3.9
[P] mpls
[P-mpls] lsp-trigger all
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface gigabitEthernet 1/0/0
[P-GigabitEthernet1/0/0] mpls
[P-GigabitEthernet1/0/0] mpls ldp
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitEthernet 2/0/0
[P-GigabitEthernet2/0/0] mpls
[P-GigabitEthernet2/0/0] mpls ldp
[P-GigabitEthernet2/0/0] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] lsp-trigger all
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitEthernet 1/0/0
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit
After the configuration, LDP sessions should be set up between PE1 and P, P and PE2. Run the
display mpls ldp session command, and you can view that the Status field displays
Operational. Run the display mpls ldp lsp command, and you can view whether LDP LSPs
are set up.
Take the display of PE1 as example:
[PE1] display mpls ldp session
LDP Session(s) in Public Network
-------------------------------------------------------------------------
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna] vpn-target 111:1 both
[PE2-vpn-instance-vpna] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[PE2-GigabitEthernet2/0/0] ip address 10.2.1.2 24
[PE2-GigabitEthernet2/0/0] quit
After the configuration, run the display ip vpn-instance verbose command on PEs, and you
can view the configurations of VPN instances. Each PE can ping its connected CE.
NOTE
When a PE has multiple interfaces bound to the same VPN, you must specify the source IP address
with the -a source-ip-address option when running the ping -vpn-instance vpn-instance-name -a
source-ip-address dest-ip-address command. Otherwise, the ping may fail.
Set up EBGP peer relationships between the PEs and CEs and import VPN routes.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.1 as-number 100
[CE1-bgp] import-route direct
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.2 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
NOTE
After the configuration, run the display bgp vpnv4 vpn-instance vpn-instance-name peer command
on a PE, and you can view that the BGP peer relationship between the PE and its connected CE is
in the Established state.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
After the configuration, run the display bgp peer or display bgp vpnv4 all peer command on
a PE, and you can view that the BGP peer relationship between PEs is in the Established state.
[PE1] display bgp peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 2 6 0 00:00:12 Established 0
[PE1] display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 12 18 0 00:09:38 Established 0
Peer of vpn instance:
vpn instance vpna :
10.1.1.2 4 65410 25 25 0 00:17:57 Established 1
Step 2 Configure an HWTACACS server template.
# Create an HWTACACS server template named ht.
[PE2] hwtacacs-server template ht
# Configure the IP address and port number of the primary HWTACACS authentication and
authorization server, and bind the server to the VPN instance vpna so that HWTACACS packets are
forwarded within the VPN.
[PE2-hwtacacs-ht] hwtacacs-server authentication 160.1.1.100 49 vpn-instance vpna
[PE2-hwtacacs-ht] hwtacacs-server authorization 160.1.1.100 49 vpn-instance vpna
Step 3 Configure the authentication scheme and the authorization scheme.
# Enter the AAA view.
[PE2] aaa
# Configure an authentication scheme named l-h with the authentication mode being HWTACACS.
[PE2-aaa] authentication-scheme l-h
[PE2-aaa-authen-l-h] authentication-mode hwtacacs
[PE2-aaa-authen-l-h] quit
Step 4 Configure the domain huawei. Apply the authentication scheme l-h, the authorization
scheme hwtacacs, and the HWTACACS server template ht to the domain.
[PE2-aaa] domain huawei
After running the display domain command on PE2, you can check whether the configuration of
the domain matches the requirements.
<PE2> display domain huawei
-------------------------------------------------------------------
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : l-h
Accounting-scheme-name : default
Authorization-scheme-name : hwtacacs
User-CAR : -
Web-IP-address : -
Next-hop : -
Primary-DNS-IP-address : -
Second-DNS-IP-address : -
Primary-NBNS-IP-address : -
Second-NBNS-IP-address : -
Acl-number : -
Idle-data-attribute (time,flow) : 0, 60
User-priority : -
User-access-limit : 384
Online-number : 0
RADIUS-server-template : -
HWTACACS-server-template : ht
-------------------------------------------------------------------
----End
Configuration Files
l Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
l Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
hwtacacs-server template ht
hwtacacs-server authentication 160.1.1.100 49 vpn-instance vpna
hwtacacs-server authentication 160.1.1.101 49 vpn-instance vpna secondary
hwtacacs-server authorization 160.1.1.100 49 vpn-instance vpna
hwtacacs-server authorization 160.1.1.101 49 vpn-instance vpna secondary
hwtacacs-server shared-key it-is-my-secret
#
mpls lsr-id 2.2.2.9
mpls
lsp-trigger all
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 200.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
peer 10.2.1.1 as-number 65430
import-route direct
#
aaa
authentication-scheme default
authentication-scheme l-h
authentication-mode hwtacacs
#
authorization-scheme default
authorization-scheme hwtacacs
authorization-mode hwtacacs
#
accounting-scheme default
#
domain default
domain huawei
authentication-scheme l-h
authorization-scheme hwtacacs
hwtacacs-server ht
#
ospf 1
area 0.0.0.0
network 200.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
2 DHCPv4 Configuration
On an IPv4 network, DHCPv4 must be enabled for users to dynamically obtain IP addresses.
Context
Applicable Environment
On a large network, PCs are often not directly connected to the routing device over Ethernet
interfaces but reach it through other devices. A network-side DHCPv4 server then needs to be
configured so that the PCs can dynamically obtain IP addresses from the routing device, as
shown in Figure 2-1.
Figure 2-1 IP address assignment for Ethernet users (without any relay agent in the networking)
[Figure: DHCP clients obtaining addresses directly from the DHCP server]
A network-side DHCPv4 server usually works with a DHCPv4 relay agent, as shown in Figure
2-2.
Figure 2-2 IP address assignment for Ethernet users (with a relay agent in the networking)
[Figure: DHCP clients - Router A (DHCP relay) - Router B (DHCP server); DNS server and NetBIOS server on the server side]
NOTE
The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.
A BAS-side address pool needs to be configured to assign IP addresses to access users. If the
NE80E/40E needs to allocate IP addresses to users, you must configure a local address pool on
the NE80E/40E, as shown in Figure 2-3; if a DHCPv4 or BOOTP server needs to allocate IP
addresses to users, you must configure a remote address pool on the NE80E/40E, as shown in
Figure 2-4.
Figure 2-3 Networking diagram for address assignment from the local address pool
[Figure: access users - NE80E/40E with local address pool - Internet; DNS server]
Figure 2-4 Networking diagram for address assignment from the remote address pool
[Figure: subscriber@isp2 - access network - NE80E/40E as DHCP relay - Internet; remote DHCP server]
Pre-configuration Tasks
Before configuring an IP address pool, complete the following task:
If two remote address pools are bound to the same DHCP server but the configuration of the DHCP
server is not consistent with both pools, one of the remote address pools becomes invalid.
Therefore, ensure that the configurations of the DHCP server and the two address pools are
consistent, or bind each remote address pool to its own DHCP server.
Data Preparation
To configure an IP address pool, you need the following data.
No. Data
2 Number of address segments and start and end addresses of each address segment
3 (Optional) Address lease of the address pool, IP address lease extension, and VPN instance
4 (Optional) IP addresses and the MAC addresses that need to be bound statically
5 (Optional) IP address of the DNS server, DNS suffix, IP address of the NetBIOS server, and IP address of the SIP server
Context
NOTE
The access-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ip pool pool-name [ bas { local | remote } | server ]
Up to 4096 address pools can be configured in the system. Address pool names must be unique.
Step 3 Run:
gateway ip-address mask
The subnet mask and gateway address are used to determine whether the IP addresses in the
address segments are in the same subnet with the gateway. Therefore, you must configure the
gateway address and mask before configuring the address segments.
Step 4 Run:
section section-num start-ip-address [ end-ip-address ]
Up to eight address segments can be configured in an address pool. An address segment contains
at most 65536 IP addresses. The address segments cannot overlap each other.
Step 5 (Optional) Run:
lease days [ hours [ minutes ] ]
The alarm threshold for the address usage of an address pool is set. If the address usage
exceeds the threshold, an alarm is generated on the router.
By default, the alarm threshold for the address usage of an address pool is 100.
----End
Context
NOTE
Based on the clients' needs, you can adopt either static address binding or dynamic address
assignment.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ip pool pool-name bas local
----End
Follow-up Procedure
Some clients may need fixed IP addresses that are bound to their MAC addresses. When the
client with a specific MAC address uses DHCPv4 to apply for an IP address, the DHCPv4 server
finds out the fixed IP address bound to the MAC address and assigns it to the client.
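The constraints stated in the address pool procedure above (gateway and mask before any section, at most eight sections of at most 65536 addresses each, sections inside the gateway's subnet and not overlapping) and the static MAC-to-IP binding just described are easy to check offline before a pool goes onto a BAS. The following Python class is an added illustration, not code from the Huawei guide or from VRP; it enforces those rules, serves static bindings first, and lets the caller supply a probe for the address-in-use check (standing in for the server's ping before assignment). The pool data is constructed for the example.

```python
"""Added example (not from the Huawei guide or VRP): validate an ip pool
definition against the constraints the guide states and hand out addresses,
honouring MAC-to-IP static bindings. Pool data is constructed for the example."""
import ipaddress
from typing import Callable, Dict, Optional, Tuple

MAX_SECTIONS = 8            # sections per pool
MAX_SECTION_SIZE = 65536    # addresses per section


class IpPool:
    def __init__(self, name: str, gateway: str, mask: str):
        # 'gateway ip-address mask' must be configured before any 'section'
        self.name = name
        self.gw = ipaddress.IPv4Address(gateway)
        self.net = ipaddress.IPv4Network(f"{gateway}/{mask}", strict=False)
        self.sections: Dict[int, Tuple[int, int]] = {}
        self.static: Dict[str, ipaddress.IPv4Address] = {}   # mac -> address
        self.leased: Dict[ipaddress.IPv4Address, str] = {}   # address -> mac

    def section(self, num: int, start: str, end: Optional[str] = None) -> None:
        """section section-num start-ip-address [ end-ip-address ]"""
        if len(self.sections) >= MAX_SECTIONS:
            raise ValueError("at most 8 sections per pool")
        s = int(ipaddress.IPv4Address(start))
        e = int(ipaddress.IPv4Address(end or start))
        if e < s or e - s + 1 > MAX_SECTION_SIZE:
            raise ValueError("bad range or more than 65536 addresses")
        for bound in (s, e):
            if ipaddress.IPv4Address(bound) not in self.net:
                raise ValueError("section lies outside the gateway subnet")
        for n, (s2, e2) in self.sections.items():
            if s <= e2 and s2 <= e:
                raise ValueError(f"overlaps section {n}")
        self.sections[num] = (s, e)

    def bind_static(self, mac: str, ip: str) -> None:
        """Fix an address for a client MAC; it must lie in a configured section."""
        a = ipaddress.IPv4Address(ip)
        if not any(s <= int(a) <= e for s, e in self.sections.values()):
            raise ValueError("static address must lie in a section")
        self.static[mac.lower()] = a

    def allocate(self, mac: str,
                 in_use: Callable[[str], bool] = lambda ip: False) -> Optional[ipaddress.IPv4Address]:
        """Return the address to offer to `mac`: its static binding if one exists,
        otherwise the first free address for which the conflict probe (the ping
        check's stand-in) reports nothing. None when the pool is exhausted."""
        mac = mac.lower()
        if mac in self.static:
            return self.static[mac]
        reserved = set(self.static.values())
        for _, (s, e) in sorted(self.sections.items()):
            for n in range(s, e + 1):
                a = ipaddress.IPv4Address(n)
                if a == self.gw or a in reserved or a in self.leased:
                    continue
                if in_use(str(a)):          # conflict detected: skip this address
                    continue
                self.leased[a] = mac
                return a
        return None
```

The checks raise on exactly the inputs the CLI would reject (an overlapping second section, a section outside the gateway's /24), and the probe parameter makes the conflict-detection path testable without sending ICMP.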
Context
NOTE
The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.
Do as follows on the DHCPv4 server that provides DNS services for the DHCPv4 clients:
Procedure
Step 1 Run:
system-view
NOTE
This command is valid for only the local address pool and server address pool.
Step 4 Run:
dns-server ip-address &<1-8>
----End
Follow-up Procedure
On the DHCPv4 server, designate a DNS suffix for each address pool used to assign IP addresses
to clients.
When a host accesses the Internet using a name completed with the DNS suffix, the DNS server
resolves that name into an IP address. Therefore, for the client to reach the Internet, the
DHCPv4 server must also deliver the DNS server address to the client when it assigns the IP
address.
To improve reliability, you can configure several DNS servers.
Context
NOTE
The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.
Do as follows on the router that provides NetBIOS services for the DHCPv4 clients:
Procedure
Step 1 Run:
system-view
Step 2 Run:
ip pool pool-name [ bas { local | remote } | server ]
Step 3 Run:
netbios-name-server ip-address &<1-8>
Step 4 Run:
netbios-type { b-node | h-node | m-node | p-node }
----End
Follow-up Procedure
For clients running Microsoft Windows, a Windows Internet Naming Service (WINS) server resolves
host names to IP addresses for hosts that communicate using NetBIOS. Most Windows clients need
to be configured with a WINS server.
When a DHCPv4 client communicates across a WAN using NetBIOS, a mapping between the host name
and the IP address must be established. The NetBIOS node types below differ in how they obtain
that mapping:
l Type b nodes (b-node): "b" stands for broadcast. Type b nodes obtain the mapping by
broadcasting on the local segment.
l Type p nodes (p-node): "p" stands for peer-to-peer. Type p nodes obtain the mapping by
querying a NetBIOS name server (such as a WINS server).
l Type m nodes (m-node): "m" stands for mixed. Type m nodes broadcast first and query the
NetBIOS name server only if the broadcast fails.
l Type h nodes (h-node): "h" stands for hybrid. Type h nodes query the NetBIOS name server
first and fall back to broadcast only if the query fails.
Context
Do as follows on the router that provides SIP services for the DHCPv4 clients:
Procedure
Step 1 Run:
system-view
----End
Context
NOTE
The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.
Procedure
Step 1 Run:
system-view
----End
Follow-up Procedure
The Option field in DHCPv4 packets carries control information and parameters that are not
defined in the fixed part of the protocol. If the DHCPv4 server is configured with an option,
the DHCPv4 client obtains the configuration information carried in the Option field of the
DHCPv4 response packets.
You need to add the options to the attribute list of the DHCPv4 servers. For example,
The common option codes 3, 6, 15, 44, 46, 50 to 54, and 57 to 59 (router, DNS server, domain
name, NetBIOS name server, NetBIOS node type, requested address, lease time, option overload,
message type, server identifier, maximum message size, and renewal and rebinding times) have
fixed meanings and are set by their dedicated commands such as the DNS and lease commands. If
you try to set one of them with the option command, the system prompts that re-setting the
value is not allowed.
The option command enables DHCPv4 response packets to carry specific options.
Before using this command, you need to know the function of each option. Option 77 identifies
the client type or application of a DHCPv4 client. Based on the User Class carried in this
option, the DHCPv4 server selects a proper address pool and configuration parameters. Option 77
is normally configured on the client.
Context
NOTE
The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.
Procedure
Step 1 Run:
system-view
NOTE
Or run:
recycle start-ip-address [ end-ip-address ]
----End
Prerequisite
All configurations of the IP address pool are complete.
Procedure
l Run the display ip pool [ name pool-name [ section-num [ start-ip-address [ end-ip-
address ] ] | all | used ] ] [ vpn-instance instance-name ] command to check the
configuration of the IP address pool.
----End
Example
Run the display ip pool command, and you can view information about all the address pools
configured in the system.
<HUAWEI> display ip pool
-----------------------------------------------------------------------
Pool-Name : test
Pool-No : 1
DNS1 : 10.10.10.1
Position : Local Status : Unlocked
Gateway : 10.10.10.2 Mask : 255.255.255.0
Vpn instance : --
Profile-Name : - Server-Name : -
Codes: CFLCT(conflicted)
-----------------------------------------------------------------------
ID start end total used idle CFLCT disable reserved static-bind
-----------------------------------------------------------------------
0 10.10.10.3 10.10.10.100 98 0 98 0 0 0 0
-----------------------------------------------------------------------
Context
Applicable Environment
The NE80E/40E can be used as a DHCPv4 server to assign IP addresses to users. A remote
DHCPv4 server can also be used with the NE80E/40E functioning as a DHCPv4 relay agent to
assign IP addresses to users.
When IP addresses are allocated by a remote DHCPv4 server, as shown in Figure 2-4, you need
to configure the IP address of the remote DHCPv4 server on the NE80E/40E. This allows the
NE80E/40E to communicate with the DHCPv4 server. The NE80E/40E manages DHCPv4
servers by using DHCPv4 server groups.
NOTE
A DHCPv4 server group is required only when the remote address pool is used to assign IP addresses to
BAS-side users.
Pre-configuration Tasks
None.
Data Preparation
To configure a DHCPv4 server group, you need the following data.
No. Data
2 IP addresses, VPN instances, and weights of the primary and secondary DHCPv4 servers
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
A DHCPv4 server group is created and the DHCPv4 server group view is displayed.
Step 3 Run:
dhcp-server ip-address [ vpn-instance vpn-instance ] [ weight weight-value ]
----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
----End
Prerequisite
The configurations of the DHCPv4 server groups are complete.
Procedure
l Run the display dhcp-server group [ group-name ] command to check the configuration
of the DHCPv4 server group.
----End
Example
Run the display dhcp-server group command, and you can view information about all DHCPv4
server groups.
<HUAWEI> display dhcp-server group
Group-Name : remote
Release-Agent : Support
Primary-Server : -
Vpn instance : --
Weight : 0
Status : -
Secondary-Server : -
Vpn instance : --
Weight : 0
Status : -
Algorithm : master-backup
Source : --
Giaddr : --
Group-Name : g1
Release-Agent : Support
Primary-Server : -
Vpn instance : --
Weight : 0
Status : -
Secondary-Server : -
Vpn instance : --
Weight : 0
Status : -
Algorithm : master-backup
Source : --
Giaddr : --
2 DHCP server group(s) in total
Applicable Environment
If no DHCPv4 server exists on the local network segment, the DHCPv4 relay function can be
enabled on a device on that segment. The relay agent then forwards DHCPv4 requests from
clients to the DHCPv4 server, as shown in Figure 2-2.
NOTE
There must be no more than four relay agents between the DHCPv4 server and the client;
otherwise, DHCPv4 packets are discarded.
Pre-configuration Tasks
Before configuring DHCPv4 relay, complete the following tasks:
l Configuring a DHCPv4 server
l Configuring the interface where DHCPv4 relay needs to be enabled
l Configuring the routes from the relay agent to the DHCPv4 server
Data Preparation
To configure DHCPv4 relay, you need the following data.
No. Data
Context
When a client and a DHCPv4 server reside on different network segments, you can configure an
interface to function as the DHCPv4 relay agent and specify the DHCPv4 server address to relay
to. The relay agent then forwards the request packets sent by the client to the DHCPv4 server,
and the client can be assigned an IP address.
You can configure relay in the interface view or in the system view.
NOTE
Because a DHCPv4 client may send broadcast packets during address configuration, the interface
on which DHCPv4 relay is enabled must be able to receive broadcast packets. The IP address of
the interface must be on the same network segment as the IP addresses in the address pool on the
DHCPv4 server, because the server selects the pool from the relay address (giaddr). Up to 20
DHCPv4 server addresses can be configured on an interface that relays packets to DHCPv4 servers.
Procedure
l Configure DHCPv4 relay in the interface view.
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
ip address ip-address { mask | mask-length }
The primary IP address of the interface is configured.
4. Run:
dhcp select relay
DHCPv4 relay is enabled on the interface.
5. Run:
ip relay address ip-address [ dhcp-option { 60 [ option-text ] | code } ]
The IP address of the DHCPv4 server for which the interface functions as the relay
agent is configured.
6. Run:
ip relay giaddr ip-address [ dhcp-option { 60 [ option-text ] | code } ]
The DHCP option is associated with the IP address of the relay agent. This allows the
DHCP server to assign the IP addresses on different network segments to the clients
of different types.
l Configure DHCPv4 relay in the system view.
1. Run:
system-view
The system view is displayed.
2. Run:
ip relay address ip-address { all | interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] | interface interface-type interface-number | vlan vlan-id }
The IP addresses of the DHCPv4 servers for which multiple interfaces function as the
relay agent are configured.
----End
Prerequisite
All configurations of the DHCPv4 relay are complete.
Procedure
l Run the display dhcp relay statistics command to check statistics on DHCPv4 relay.
l Run the display dhcp relay address { all | interface interface-type interface-number |
vlan vlan-id } command to check the DHCPv4 configuration of the interface enabled with
DHCPv4 relay.
----End
Example
Run the display dhcp relay address command, and you can view the DHCPv4 configurations
of all interfaces.
<HUAWEI> display dhcp relay address all
** GigabitEthernet0/0/0 DHCP Relay Address **
Dhcp Option Relay Agent IP Server IP
* - 10.10.1.2
Run the display dhcp relay statistics command. If statistics on DHCPv4 relay, such as the
number of incorrect DHCPv4 packets and the number of various DHCPv4 packets, are displayed,
it means that the configuration succeeds.
<HUAWEI> display dhcp relay statistics
Bad Packets received: 0
DHCPv4 packets received from clients: 2
DHCPv4 DISCOVER packets received: 1
DHCPv4 REQUEST packets received: 1
DHCPv4 INFORM packets received: 0
DHCPv4 DECLINE packets received: 0
DHCPv4 packets received from servers: 2
DHCPv4 OFFER packets received: 1
DHCPv4 ACK packets received: 1
DHCPv4 NAK packets received: 0
DHCPv4 packets sent to servers: 1
Applicable Environment
After configuring a DHCPv4 server, you need to configure the security function of the DHCPv4
service. This enhances security of the DHCPv4 service and prevents other unauthorized
DHCPv4 servers from assigning invalid IP addresses to clients. By viewing logs, the
administrator determines whether there are unauthorized DHCPv4 servers assigning invalid IP
addresses to clients.
Pre-configuration Tasks
Before adjusting DHCPv4 parameters, complete the following task:
Data Preparation
To adjust DHCPv4 parameters, you need the following data.
No. Data
1 Maximum number of DHCPv4 users that are allowed to access a specified board
5 Interval at which ping packets are sent and number of ping packets
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The maximum number of DHCPv4 access users allowed for a specified board is set.
By default, the maximum number of DHCPv4 access users allowed for a specified board is
determined by the license file.
Step 3 Run:
dhcp-server ip-address [ vpn-instance vpn-instance ] send-discover-speed packet-
number time
The limit on the packet transmission rate of a DHCPv4 server group is set.
By default, the packet transmission rate of a DHCPv4 server group is not limited.
----End
Context
When a user powers off a set-top box (STB) and immediately restarts it, the NE80E/40E cannot
detect that the user has gone offline and retains the user entry. On receiving the DHCPv4
Discover packet that the STB sends after restarting, the NE80E/40E forces the user offline and
then waits for the user to send another DHCPv4 Discover packet to obtain an address.
Some STBs, however, send only one DHCPv4 Discover packet after restarting. Such users cannot
go online again after powering off their STBs.
Configuring transparent transmission of DHCPv4 packets solves this problem. Do as follows on
the router:
Procedure
Step 1 Run:
system-view
----End
Context
If a private DHCPv4 server exists on the network, it interacts with DHCPv4 clients during
address application, so the clients cannot obtain correct IP addresses and thus cannot log in to
the network. Such a private DHCPv4 server is an unauthorized DHCPv4 server.
The logs contain IP addresses of all the DHCPv4 servers that allocate IP addresses to clients.
By viewing these logs, the administrator can determine whether an unauthorized DHCPv4 server
exists.
Do as follows on the NE80E/40E that functions as a DHCPv4 server:
Procedure
Step 1 Run:
system-view
NOTE
Step 3 Run:
dhcp invalid-server-detecting [ interval ]
NOTE
This function can be performed only on devices at the BAS side.
----End
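The guide states that the logs record the IP address of every DHCPv4 server that allocates an address to a client, and leaves it to the administrator to spot servers that should not be there. The following is an added example, not the NE80E/40E's own code or log format: it parses constructed assignment-log lines (the line layout is invented for this example), compares each server against an administrator-maintained allow-list, and separately flags assignments that fall outside the configured pool, which is the "invalid IP address" symptom the text describes.

```python
"""Added example (not from the Huawei guide): detect unauthorized DHCPv4
servers and out-of-pool assignments in address-assignment logs.

The log line format below is constructed for this example; it is NOT the
NE80E/40E's real log format."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample log: one line per address assignment, recording which
# server handed out which address to which client.
SAMPLE_LOG = """\
2011-09-10 10:01:02 DHCP/4/ASSIGN: server=10.1.1.1 client=00e0-fc12-3456 ip=10.10.10.5
2011-09-10 10:01:09 DHCP/4/ASSIGN: server=10.1.1.1 client=00e0-fc12-3457 ip=10.10.10.6
2011-09-10 10:02:15 DHCP/4/ASSIGN: server=192.168.0.1 client=00e0-fc12-3458 ip=192.168.0.50
2011-09-10 10:02:20 DHCP/4/ASSIGN: server=10.1.1.1 client=00e0-fc12-3459 ip=10.10.10.7
2011-09-10 10:03:01 DHCP/4/ASSIGN: server=192.168.0.1 client=00e0-fc12-3460 ip=192.168.0.51
"""

# Allow-list of authorized DHCPv4 servers.  10.1.1.1 is the DHCPv4 server
# address used in this guide's examples; 192.168.0.1 is a constructed intruder.
AUTHORIZED_SERVERS = {"10.1.1.1"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ server=(?P<server>\S+) client=(?P<client>\S+) ip=(?P<ip>\S+)$"
)


def parse_assignments(log_text):
    """Yield (timestamp, server, client, assigned_ip) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an assignment record; ignore
        yield m.group("ts"), m.group("server"), m.group("client"), m.group("ip")


def find_unauthorized_servers(log_text, authorized=AUTHORIZED_SERVERS):
    """Return {server_ip: {"count", "clients", "first_seen"}} for every server
    that allocated addresses but is not on the allow-list."""
    allow = {ip_address(a) for a in authorized}
    report = {}
    for ts, server, client, _ip in parse_assignments(log_text):
        if ip_address(server) in allow:
            continue
        entry = report.setdefault(server, {"count": 0, "clients": [], "first_seen": ts})
        entry["count"] += 1
        entry["clients"].append(client)
    return report


def find_out_of_pool_assignments(log_text, pool_cidr):
    """Return the assignment records whose address is not inside the
    configured address pool (pool_cidr is an assumed value such as 10.10.10.0/24)."""
    pool = ip_network(pool_cidr)
    return [rec for rec in parse_assignments(log_text) if ip_address(rec[3]) not in pool]


if __name__ == "__main__":
    for server, info in find_unauthorized_servers(SAMPLE_LOG).items():
        print(f"unauthorized server {server}: {info['count']} assignments, first seen {info['first_seen']}")
    for ts, server, client, ip in find_out_of_pool_assignments(SAMPLE_LOG, "10.10.10.0/24"):
        print(f"{ts} client {client} got out-of-pool address {ip} from {server}")
```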
Context
Before assigning an IP address to a client, the DHCPv4 server needs to detect whether the IP
address is used by another client. This prevents an IP address conflict.
NOTE
Procedure
Step 1 Run:
system-view
The longest time for the DHCPv4 server to wait for a ping response is configured.
Step 3 Run:
dhcp server ping packets number
The maximum number of ping packets sent by the DHCPv4 server is configured.
By default, a maximum of two ping packets are sent and the DHCPv4 server waits for at most
500 ms for a ping response.
----End
Follow-up Procedure
The ping command is used to check whether a ping response is received from the IP address to
be assigned to a client within a specific time. If there is no response after that time, the
DHCPv4 server resends a ping packet to this IP address until the allowed maximum number of
ping packets is sent. If there is still no response, the DHCPv4 server considers that the IP address
is not in use. This ensures that a unique IP address is assigned to the client.
Context
Do as follows on the NE80E/40E that functions as a DHCPv4 server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcp server database enable
By default, DHCPv4 data is not saved to the storage device. If the function is enabled, by default,
DHCPv4 data is saved to the storage device every 300s and the new data overwrites the previous
data.
----End
Follow-up Procedure
The NE80E/40E can save the current DHCPv4 data to the storage device and restore the data
from the storage device when the NE80E/40E fails.
DHCPv4 data is saved with a fixed file name on the storage device. Normally, the IP leasing
information is saved in the lease.txt file and the address conflict information is saved in the
conflict.txt file. Back up these two files to other directories because information in these files
is replaced regularly.
Context
Do as follows on the NE80E/40E that functions as a DHCPv4 server:
NOTE
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcp server database recover
----End
Prerequisite
All the configurations for the adjustment of DHCPv4 parameters are complete.
Procedure
l Run the display dhcp-server item ip-address [ vpn-instance vpn-instance ] command to
check information about a DHCPv4 server.
l Run the display dhcp server database command to check the storage path and file
information of the DHCPv4 data.
----End
Example
Run the display dhcp-server item ip-address command, and you can view information about
a DHCPv4 server.
<HUAWEI> display dhcp-server item 1.2.3.4
IPAddress : 1.2.3.4
State : UP
Speed Limit : 0 packets / 0 seconds
Run the display dhcp server database command, and you can view the saved path of the
DHCPv4 data.
<HUAWEI> display dhcp server database
Status: disable
Recover from files after reboot: disable
File saving lease items: cfcard:/dhcp/lease.txt
File saving conflict items: cfcard:/dhcp/conflict.txt
Save Interval: 300 (seconds)
Context
CAUTION
DHCPv4 statistics cannot be restored after you clear them. Exercise caution when running the
commands.
Procedure
l Run the reset dhcp relay statistics command in the user view to clear the DHCPv4 relay
statistics.
----End
Prerequisite
In routine maintenance, you can run the following command in any view to check the DHCPv4
operation status.
Procedure
l Run the display ip pool [ name pool-name [ section-num [ start-ip-address [ end-ip-address ] ] | all | used ] ] [ vpn-instance vpn-instance-name ] command to check the
configuration of the IP address pool.
l Run the display dhcp-server group [ group-name ] command to check the configuration
of the DHCPv4 server group.
l Run the display dhcp-server item ip-address [ vpn-instance vpn-instance ] command to
check information about a DHCPv4 server.
l Run the display dhcp-server statistics ip-address [ vpn-instance vpn-instance ] command
to check the statistics on a DHCPv4 server.
l Run the display dhcp server database command to check the path at which DHCPv4 data
is saved and file information.
l Run the display dhcp relay address { all | interface interface-type interface-number |
vlan vlan-id } [ | count ] [ | { begin | exclude | include } regular-expression ] command
to check configurations about interfaces where DHCPv4 relay is enabled.
----End
Context
NOTE
Examples in this document use interface numbers and link types of the NE40E-X8. In real world situations,
the interface numbers and link types may be different from those used in this document.
In actual networking, the license needs to be loaded. For details, see the HUAWEI NetEngine80E/40E
Router Configuration Guide - System Management.
Networking Requirements
NOTE
As shown in Figure 2-5, it is required that a local address pool be configured to assign IP
addresses to access users and the following requirements be met:
l The local address pool is used to assign IP addresses to users in the domain isp1.
l The IP addresses in the address pool range from 10.10.10.3 to 10.10.10.100, and the
gateway address is 10.10.10.2.
l The IP address of the DNS server is 10.10.10.1
l Non-authentication and non-accounting are adopted by the user.
Figure 2-5 Networking diagram for address assignment based on the local address pool
[Diagram not reproduced. Labels: subscriber@isp1, Switch, GE1/0/0.1, GE2/0/0, Internet, DNS Server 10.10.10.1, DHCP Server 10.1.1.1]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the local address pool, including its gateway address, address range, and the IP
address of the DNS server.
2. Configure the domain isp1 to which the users belong, including the authentication mode
and the accounting mode.
3. Configure the BAS interface, including the user access mode.
Data Preparation
To complete the configuration, you need the following data:
l Name of the address pool, range of the addresses in the pool, and IP addresses of the gateway
and the DNS server
l Name of the user domain
l Authentication mode and accounting mode
Procedure
Step 1 Configure the DHCPv4 server.
# Configure an address pool.
<HUAWEI> system-view
[HUAWEI] ip pool pool1 bas local
[HUAWEI-ip-pool-pool1] gateway 10.10.10.2 255.255.255.0
[HUAWEI-ip-pool-pool1] section 0 10.10.10.3 10.10.10.100
[HUAWEI-ip-pool-pool1] dns-server 10.10.10.1
[HUAWEI-ip-pool-pool1] quit
Pool-Name : pool1
Pool-No : 19
Lease : 3 Days 0 Hours 0 Minutes
NetBois Type : N-Node
DNS-Suffix : -,
DNS1 :10.10.10.1
Position : Local Status : Unlocked
Gateway : 10.10.10.2 Mask : 255.255.255.0
Vpn instance : --
Profile-Name : - Server-Name : -
Codes: CFLCT (conflicted)
---------------------------------------------------------------------------------------
ID  start         end            total  used  idle  CFLCT  disable  reserved  static-bind
---------------------------------------------------------------------------------------
0   10.10.10.3    10.10.10.100   98     0     98    0      0        0
---------------------------------------------------------------------------------------
----End
Configuration Files
Configuration file of HUAWEI
#
sysname HUAWEI
#
ip pool pool1 bas local
gateway 10.10.10.2 255.255.255.0
section 0 10.10.10.3 10.10.10.100
dns-server 10.10.10.1
#
aaa
authentication-scheme default0
#
accounting-scheme default0
#
domain isp1
authentication-scheme default0
accounting-scheme default0
ip-pool pool1
#
interface GigabitEthernet1/0/0.1
user-vlan 1
bas
#
access-type layer2-subscriber default-domain authentication isp1
authentication-method bind
#
return
Networking Requirements
NOTE
Address assignment based on the remote address pool cannot be configured on the X1 or X2 models of the
NE80E/40E.
As shown in Figure 2-6, it is required that a remote address pool be configured to assign IP
addresses to access users and the following requirements be met:
l The remote address pool is used to assign IP addresses to users in the domain isp2.
l The router, functioning as a relay agent, is connected to the DHCPv4 server through GE
3/0/0 whose IP address is 10.1.1.2/24.
l The IP address of the DHCPv4 server bound to the remote address pool is 10.1.1.1, and no
standby DHCPv4 server is deployed.
l Non-authentication and non-accounting are adopted by the user.
Figure 2-6 Networking diagram for address assignment based on the remote address pool
[Diagram not reproduced. Labels: subscriber@isp2, Access Network, Router with GE1/0/0.1, GE2/0/0 to Internet, GE3/0/0 10.1.1.2/24, DHCP Server 10.1.1.1]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a DHCPv4 server group and a remote address pool, and bind the address pool to the
DHCPv4 server group.
2. Configure the domain isp2 to which the user belongs, including the authentication mode
and the accounting mode.
3. Configure the BAS interface, including the user access mode.
Data Preparation
To complete the configuration, you need the following data:
l Name of the address pool
l IP address of the gateway
l Name of the user domain
l IP address of the interface that connects the router to the DHCPv4 server
l User access mode
Procedure
Step 1 Configure the router.
# Create a DHCPv4 server group.
<HUAWEI> system-view
[HUAWEI] dhcp-server group group1
[HUAWEI-dhcp-server-group-group1] dhcp-server 10.1.1.1
[HUAWEI-dhcp-server-group-group1] quit
# Create a remote address pool, and bind the pool to the DHCPv4 server group.
[HUAWEI] ip pool pool2 bas remote
[HUAWEI-ip-pool-pool2] gateway 10.10.10.1 24
[HUAWEI-ip-pool-pool2] dhcp-server group group1
[HUAWEI] quit
Group-Name : group1
Release-Agent : Support
Primary-Server : 10.1.1.1
Vpn instance : --
Weight : 0
Status : up
Secondary-Server : --
Vpn instance : --
Weight : 0
Status : up
Algorithm : master-backup
Source : --
Giaddr : --
Pool-Name : pool2
Pool-No : 0
DHCP-Group : group1
Position : Remote Status : Unlocked
Gateway : 10.10.10.1 Mask : 255.255.255.0
Vpn instance : --
Profile-Name : - Server-Name : -
Codes: CFLCT (conflicted)
---------------------------------------------------------------------------------------
ID  start         end            total  used  idle  CFLCT  disable  reserved  static-bind
---------------------------------------------------------------------------------------
0   10.10.10.0    10.10.10.255   256    0     256   0      0        0
---------------------------------------------------------------------------------------
Flow Statistic:
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Source-IP-route : Disable
IP-warning-threshold : -
Multicast Forwarding : Yes
Multicast Virtual : No
Max-multilist num : 4
Multicast-profile : -
IP-address-pool-name : pool2
Quota-out : Offline
------------------------------------------------------------------------------
----End
Configuration Files
Configuration file of router
#
sysname HUAWEI
#
dhcp-server group group1
dhcp-server 10.1.1.1
#
ip pool pool2 bas remote
gateway 10.10.10.1 255.255.255.0
dhcp-server group group1
#
aaa
authentication-scheme default0
#
accounting-scheme default0
#
domain isp2
authentication-scheme default0
accounting-scheme default0
ip-pool pool2
#
interface GigabitEthernet1/0/0.1
undo shutdown
user-vlan 1
bas
#
access-type layer2-subscriber default-domain authentication isp2
authentication-method bind
#
interface GigabitEthernet3/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
return
Networking Requirements
NOTE
Layer 3 DHCPv4 user access cannot be configured on the X1 or X2 models of the NE80E/40E.
Figure 2-7 Networking diagram for configuring Layer 3 DHCPv4 user access
[Diagram not reproduced. Labels: subscriber@isp4, Switch, RouterA (DHCP Relay) with GE1/0/0 1.1.1.1, RouterB, Internet, Radius Server 10.1.1.2, DHCP Server]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the address pool, including the IP address of the gateway and the range of IP
addresses in the pool.
2. Configure the authentication and accounting schemes.
3. Configure the RADIUS server group, including the IP address of the RADIUS server,
authentication port, and accounting port.
4. Configure the domain isp4 to which the user belongs, including the authentication mode
and the accounting mode.
5. Configure the BAS interface, including the user access mode.
Data Preparation
To complete the configuration, you need the following data:
l Name of the address pool, range of IP addresses in the pool, and IP address of the gateway
l Authentication scheme and accounting scheme
l IP address of the RADIUS server, authentication port, and accounting port
l Name of the user domain
Procedure
Step 1 Configure Router A.
# Configure GE 1/0/0.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface gigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 24
[RouterA-GigabitEthernet1/0/0] ip relay address 10.2.1.2
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 1.1.1.1 255.255.255.0
ip relay address 10.2.1.2
dhcp select relay
#
interface GigabitEthernet1/0/1.1
undo shutdown
vlan-type dot1q 1
Networking Requirements
On a large network, if the PCs cannot be directly connected to the routing device using Ethernet
interfaces, but have to be connected to the routing device through other devices, a network-side
DHCPv4 server needs to be configured. This allows the PCs to dynamically obtain IP addresses
from the routing device.
As shown in Figure 2-8, a DHCPv4 server assigns IP addresses to the clients on the same network
segment. The network segment of the address pool, 10.1.1.0/24, includes two subnet segments,
10.1.1.0/25 and 10.1.1.128/25. The IP addresses of the two GE interfaces on the DHCPv4 server
are 10.1.1.1/25 and 10.1.1.129/25.
The lease of the IP addresses on the network segment 10.1.1.0/25 is 10 days and 12 hours; the
domain name suffix of the DNS server is huawei.com; the IP address of the DNS server is
10.1.1.2; there is no NetBIOS address; the IP address of the gateway is 10.1.1.1.
The lease of the IP addresses on the network segment 10.1.1.128/25 is 5 days; the domain name
suffix of the DNS server is huawei.com; the IP address of the DNS server is 10.1.1.2; the
NetBIOS address is 10.1.1.4; the IP address of the gateway is 10.1.1.129.
Figure 2-8 Networking diagram for IP address assignment for Ethernet users (with no relay
agent)
[Diagram not reproduced. Labels: DHCP server with GE1/0/0 10.1.1.1/25 (Network 10.1.1.0/25) and GE1/0/1 10.1.1.129/25 (Network 10.1.1.128/25); DHCP clients, DNS server and NetBIOS server on the two segments]
Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to interfaces.
2. Configure the address pool, including the IP address of the gateway, range of IP addresses
in the pool, domain name suffix of the DNS server, allowed lease of IP addresses, and IP
addresses not automatically assigned, which include the IP addresses of the DNS server,
NetBIOS, and gateway.
In this example, it is required that two address pools be configured.
Data Preparation
To complete the configuration, you need the following data:
l IP address of each interface
l Numbers of address pools and range of IP addresses in the pools
l IP addresses not allowed for assignment
l Domain name suffix, IP address of the DNS server, and the address lease
Procedure
Step 1 Configure the DHCPv4 server.
# Assign an IP address to GE 1/0/0.
# Configure the attributes of DHCPv4 address pool 1, including the IP addresses of the gateway
and DNS server, range of IP addresses in the pool, domain name suffix of the DNS server, and
address lease.
[HUAWEI] ip pool 1 server
[HUAWEI-ip-pool-1] gateway 10.1.1.1 255.255.255.128
[HUAWEI-ip-pool-1] section 0 10.1.1.2 10.1.1.126
[HUAWEI-ip-pool-1] excluded-ip-address 10.1.1.2
[HUAWEI-ip-pool-1] excluded-ip-address 10.1.1.4
[HUAWEI-ip-pool-1] dns-suffix huawei.com
[HUAWEI-ip-pool-1] dns-server 10.1.1.2
[HUAWEI-ip-pool-1] lease 10 12
[HUAWEI-ip-pool-1] quit
# Configure the attributes of DHCPv4 address pool 2, including the range of IP addresses in the
pool, IP addresses of the gateway and NetBIOS, and the address lease.
[HUAWEI] ip pool 2 server
[HUAWEI-ip-pool-2] gateway 10.1.1.129 255.255.255.128
[HUAWEI-ip-pool-2] section 0 10.1.1.130 10.1.1.254
[HUAWEI-ip-pool-2] dns-suffix huawei.com
[HUAWEI-ip-pool-2] dns-server 10.1.1.2
[HUAWEI-ip-pool-2] lease 5
[HUAWEI-ip-pool-2] netbios-name-server 10.1.1.4
[HUAWEI-ip-pool-2] quit
-----------------------------------------------------------------------
Pool-Name : 2
Pool-No : 2
Position : Server Status : Unlocked
Gateway : 10.1.1.129 Mask : 255.255.255.128
Vpn instance : --
IP address Statistic
Total :152
Used :0 Free :152
Conflicted :0 Disable :0
Designated :0
----End
Configuration Files
Configuration file of the HUAWEI
#
sysname HUAWEI
#
ip pool 1 server
gateway 10.1.1.1 255.255.255.128
section 0 10.1.1.2 10.1.1.126
excluded-ip-address 10.1.1.2
excluded-ip-address 10.1.1.4
dns-server 10.1.1.2
dns-suffix huawei.com
lease 10 12
#
ip pool 2 server
gateway 10.1.1.129 255.255.255.128
section 0 10.1.1.130 10.1.1.254
dns-server 10.1.1.2
dns-suffix huawei.com
netbios-name-server 10.1.1.4
lease 5
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.128
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.1.129 255.255.255.128
#
return
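The two pools above reserve the gateway, DNS and NetBIOS addresses either by keeping them outside the section or by excluding them explicitly. The following is an added example, not code from the Huawei guide: it parses the pool blocks of the configuration file (copied above as a constructed sample, with the keyword spelled section as in the procedure), counts the allocatable addresses after exclusions, and warns when a section lies outside the gateway subnet or a reserved address sits inside a section without being excluded. A second, constructed pool block shows the warnings firing.

```python
"""Added example (not from the Huawei guide): audit 'ip pool ... server'
blocks from a configuration file for allocatable count and reserved-address
mistakes."""
from ipaddress import ip_address, ip_network

# Constructed copy of the two pool blocks from the configuration file above.
SAMPLE_CONFIG = """\
#
ip pool 1 server
 gateway 10.1.1.1 255.255.255.128
 section 0 10.1.1.2 10.1.1.126
 excluded-ip-address 10.1.1.2
 excluded-ip-address 10.1.1.4
 dns-server 10.1.1.2
 dns-suffix huawei.com
 lease 10 12
#
ip pool 2 server
 gateway 10.1.1.129 255.255.255.128
 section 0 10.1.1.130 10.1.1.254
 dns-server 10.1.1.2
 dns-suffix huawei.com
 netbios-name-server 10.1.1.4
 lease 5
#
"""

# Constructed misconfiguration, not from the guide: gateway and DNS server sit
# inside section 0 without exclusions, and section 1 is outside the subnet.
BAD_CONFIG = """\
#
ip pool 3 server
 gateway 10.1.1.1 255.255.255.128
 section 0 10.1.1.1 10.1.1.126
 section 1 10.1.1.130 10.1.1.140
 dns-server 10.1.1.2
#
"""


def parse_pools(config_text):
    """Parse every 'ip pool <name> server' block into a dict keyed by name."""
    pools, cur = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            cur = None  # '#' (or a blank line) ends the current block
            continue
        if words[:2] == ["ip", "pool"]:
            cur = pools[words[2]] = {"gateway": None, "network": None, "sections": [],
                                     "excluded": set(), "dns": [], "netbios": [], "lease": None}
        elif cur is None:
            continue  # line belongs to some other part of the config
        elif words[0] == "gateway":
            cur["gateway"] = ip_address(words[1])
            cur["network"] = ip_network(f"{words[1]}/{words[2]}", strict=False)
        elif words[0] == "section":
            cur["sections"].append((ip_address(words[2]), ip_address(words[3])))
        elif words[0] == "excluded-ip-address":
            cur["excluded"].add(ip_address(words[1]))
        elif words[0] == "dns-server":
            cur["dns"].append(ip_address(words[1]))
        elif words[0] == "netbios-name-server":
            cur["netbios"].append(ip_address(words[1]))
        elif words[0] == "lease":
            cur["lease"] = tuple(int(w) for w in words[1:])  # (days[, hours[, minutes]])
    return pools


def in_sections(ip, sections):
    return any(start <= ip <= end for start, end in sections)


def audit(pool):
    """Return (allocatable_count, warnings) for one parsed pool."""
    warnings = []
    total = sum(int(end) - int(start) + 1 for start, end in pool["sections"])
    total -= sum(1 for ip in pool["excluded"] if in_sections(ip, pool["sections"]))
    net = pool["network"]
    for start, end in pool["sections"]:
        if net is not None and (start not in net or end not in net):
            warnings.append(f"section {start}-{end} is outside gateway subnet {net}")
    reserved = [("gateway", pool["gateway"])]
    reserved += [("dns-server", ip) for ip in pool["dns"]]
    reserved += [("netbios-name-server", ip) for ip in pool["netbios"]]
    for role, ip in reserved:
        if ip is not None and in_sections(ip, pool["sections"]) and ip not in pool["excluded"]:
            warnings.append(f"{role} {ip} lies inside a section and is not excluded")
    return total, warnings


def audit_all(config_text):
    """Map pool name -> (allocatable_count, warnings) for a whole config."""
    return {name: audit(pool) for name, pool in parse_pools(config_text).items()}


if __name__ == "__main__":
    for name, (count, warns) in {**audit_all(SAMPLE_CONFIG), **audit_all(BAD_CONFIG)}.items():
        print(f"pool {name}: {count} allocatable addresses")
        for w in warns:
            print("  WARNING:", w)
```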
Networking Requirements
A network-side DHCPv4 server usually works with a DHCPv4 relay agent. As shown in Figure
2-9, DHCPv4 clients reside on the network segment 10.100.0.0/16; the DHCPv4 server resides
on the network segment 202.40.0.0/16. It is required that the DHCPv4 packet be relayed through
the device enabled with the DHCPv4 relay function. In this manner, the DHCPv4 client can
apply for an IP address from the DHCPv4 server.
The DHCPv4 server must be configured with a network-side IP address pool. The IP address of
the DNS server is 10.100.1.2/16; the IP address of the NetBIOS server is 10.100.1.3/16; the IP
address of the gateway is 10.100.1.1; there is a route from the DHCPv4 server to 10.100.0.0/16.
Figure 2-9 Networking diagram for IP address assignment for Ethernet users (with a relay agent
deployed)
[Diagram not reproduced. Labels: DHCP clients, DNS server 10.100.1.2/16, NetBIOS server 10.100.1.3/16, GE2/0/0 202.40.1.1/16 (Router A), GE1/0/0 202.40.1.2/16]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE 2/0/0, which implements the DHCPv4 relay function.
2. On GE 1/0/0, configure the address of the DHCPv4 server for which the interface functions
as the relay agent, and enable DHCPv4 relay on GE 1/0/0.
3. Configure a route from Router B to GE 1/0/0 on Router A.
4. Configure the clients connected to GE 1/0/0 on Router B to obtain IP addresses from the
address pool.
5. Configure the network-side address pool on Router B.
Data Preparation
To complete the configuration, you need the following data:
l IP address of the interface to be configured with DHCPv4 relay
l IP address of the DHCPv4 server
l Attributes of the DHCPv4 address pool, including the IP address of the gateway, range of
IP addresses in the address pool, IP addresses not allowed to be automatically assigned,
domain name suffix of the DNS server, IP address of the DNS server, and address lease
Procedure
Step 1 Configure the DHCPv4 relay agent.
# Assign an IP address to GE 2/0/0.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface GigabitEthernet 2/0/0
# Enter the view of the interface to be configured with DHCPv4 relay and configure the IP
address, subnet mask, and corresponding DHCPv4 server address on the interface.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 10.100.1.1 255.255.0.0
[RouterA-GigabitEthernet1/0/0] ip relay address 202.40.1.2
[RouterA-GigabitEthernet1/0/0] dhcp select relay
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit
# Configure the route from Router B to GE 1/0/0 on Router A that connects to the client.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ip route-static 10.100.0.0 255.255.0.0 202.40.1.1
# Configure the attributes of the DHCPv4 address pool pool 1, including the IP address of the
gateway, range of IP addresses in the address pool, IP addresses not allowed to be automatically
assigned, domain name suffix of the DNS server, IP address of the DNS server, and address
lease.
[RouterB] ip pool 1 server
[RouterB-ip-pool-1] gateway 10.100.1.1 255.255.0.0
[RouterB-ip-pool-1] section 0 10.100.1.5 10.100.1.100
[RouterB-ip-pool-1] dns-suffix huawei.com
[RouterB-ip-pool-1] dns-server 10.100.1.2
[RouterB-ip-pool-1] netbios-name-server 10.100.1.3
[RouterB-ip-pool-1] lease 10 12
[RouterB-ip-pool-1] quit
Run the display ip pool command on the DHCPv4 server, and you can view information about
the DHCPv4 address pool, including DNS, IP address lease, and Option parameters.
[RouterB] display ip pool
-----------------------------------------------------------------------
Pool-Name : 1
Pool-No : 1
Position : Server Status : Unlocked
Gateway : 10.100.1.1 Mask : 255.255.0.0
Vpn instance : --
-----------------------------------------------------------------------
IP address Statistic
Total :96
Used :0 Free :96
Conflicted :0 Disable :0
Designated :0
Run the display dhcp relay address command on the DHCPv4 relay agent, and you can view
the DHCPv4 configurations.
[RouterA] display dhcp relay address all
** GigabitEthernet1/0/0 DHCP Relay Address **
Dhcp Option Relay Agent IP Server IP
* - 202.40.1.2
----End
Configuration Files
l Configuration file of Router A
#
sysname RouterA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.100.1.1 255.255.0.0
ip relay address 202.40.1.2
dhcp select relay
#
interface GigabitEthernet 2/0/0
undo shutdown
ip address 202.40.1.1 255.255.0.0
#
return
3 DHCPv6 Configuration
On the IPv6 network, DHCPv6 must be enabled before users dynamically obtain IP addresses.
In an IPv6 network, two methods are available for a client to obtain an IPv6 address: stateless
address autoconfiguration and stateful configuration.
l With stateless address autoconfiguration, no DHCPv6 server is required. After being
connected to an IPv6 network, the client can automatically configure an IPv6 address for
itself using neighbor discovery (ND) messages.
l With stateful configuration, the Dynamic Host Configuration Protocol for IPv6
(DHCPv6) is used to configure IPv6 addresses for clients. This mechanism is similar to
how DHCPv4 functions in an IPv4 network.
This chapter mainly describes the stateful configuration of IPv6 addresses using DHCPv6. In
an IPv6 network, three roles are involved: client, relay agent, and server. A client interacts with
a relay agent or server to apply for an IPv6 address.
RFC 3633 defines a mechanism for automated delegation of IPv6 prefixes using DHCPv6
(DHCPv6-PD). In this mechanism, two roles, that is, a requesting router and a delegating router
are involved. A requesting router functions as a client, whereas a delegating router functions as
a server. The requesting router obtains IPv6 prefixes from the delegating router and delivers the
obtained IPv6 prefixes as its local resources to IPv6 clients.
In this scenario, a separate DHCPv6 server is required, which implements uniform address
management and dynamically assigns addresses to clients.
Applicable Environment
If a client is connected to the DHCPv6 server through a Layer 3 access device, the Layer 3 access
device is a DHCPv6 relay agent. The DHCPv6 relay agent receives packets from the client or
other relay agents, encapsulates the received packets, and then forwards the encapsulated packets
to the DHCPv6 server or another relay agent.
You can configure the NE80E/40E so that it can function as a relay agent.
Pre-configuration Tasks
Before configuring a DHCPv6 relay agent, complete the following tasks:
l Enabling the IPv6 function. For details, refer to the HUAWEI NetEngine80E/40E Router
Configuration Guide - IP Service
l Configuring the DHCPv6 server as required
Data Preparation
To configure a DHCPv6 relay agent, you need the following data.
No. Data
2 IP address of the destination DHCPv6 server, or the type and number of the network-side outbound interface
Context
Do as follows on the NE80E/40E:
Procedure
Step 1 Run:
system-view
NOTE
To ensure connectivity between the client and the relay agent, the IPv6 address prefix on the interface of the relay
agent that connects it to the client must be the same as the IPv6 address prefix in the address pool that is
configured on the DHCPv6 server.
Step 5 Run:
ipv6 address auto link-local
NOTE
This command is required only for the interface connecting to clients on the relay agent.
Step 7 Run:
ipv6 nd autoconfig managed-address-flag
The flag field indicating that routable IPv6 addresses can be obtained through the stateful
autoconfiguration is set.
NOTE
This command is required only for the interface connecting to clients on the relay agent.
Step 8 Run:
ipv6 nd autoconfig other-flag
The flag field indicating the other information about the stateful autoconfiguration is set.
NOTE
This command is required only for the interface connecting to clients on the relay agent.
Step 9 Run:
dhcpv6 relay { interface { interface-name | interface-type interface-number } |
destination ipv6-address }
The DHCPv6 relay function is enabled on an inbound interface and the IP address of the
outbound interface for DHCPv6 messages or the IP address of the destination DHCPv6 server
is specified.
----End
Context
Do as follows on the NE80E/40E:
NOTE
The inbound interface and the outbound interface of the relay agent are both network-side interfaces. You
need to configure DHCPv6 on both interfaces.
Procedure
Step 1 Run:
system-view
----End
Procedure
l Run the display this command in the interface view to check the current effective
configurations of the relay interface.
----End
Example
Run the display this command in the view of GE 2/0/1 to view the current effective
configurations on the interface. If the preceding DHCPv6 relay configurations are successful,
configurations of the relay interface are displayed.
[HUAWEI-GigabitEthernet2/0/1] display this
#
interface GigabitEthernet2/0/1
ipv6 enable
ipv6 address auto link-local
ipv6 address 2660:2321::101:112:2:201/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
dhcpv6 enable
dhcpv6 relay interface GigabitEthernet1/0/2
#
This chapter describes how to control and manage various types of access services by using
BRAS access.
NOTE
4.1 Introduction
In BRAS access, users are identified based on the protocol stack of user packets. Different
authentication modes are applicable to different users.
4.2 Configuring the Authentication Mode
You can use authentication technologies to exchange authentication packets, user names and
passwords between user terminals and the NE80E/40E. The NE80E/40E supports multiple
authentication technologies.
4.3 Configuring the IPoX Access Service
In IPoX access, users access the Internet by sending packets directly, without using client dial-in
software to dial in.
4.4 Configuring and Managing Users
The BRAS manages users either through the domain to which users belong or user accounts.
4.5 Maintaining BRAS Access
Maintaining BRAS access includes monitoring the operation status of the BRAS, clearing the
statistics about login and logout users, and debugging in the case of failures.
4.6 Configuration Examples
This section provides examples for configuring the BRAS access service, including networking
requirements, configuration notes, and configuration roadmap.
4.1 Introduction
In BRAS access, users are identified based on the protocol stack of user packets. Different
authentication modes are applicable to different users.
The differences in physical connections are obscured by access devices and are irrelevant to the
NE80E/40E. The NE80E/40E knows only the encapsulation formats of packets and
differentiates users by using the protocol stacks of packets.
l Web authentication: It refers to an interactive authentication mode in which the user opens
the authentication page on the Web authentication server, and enters the user name and
password to be authenticated.
l Fast authentication: It is a simplified Web authentication. The user opens the Web page
for authentication but does not need to enter the user name and password. The NE80E/40E
generates the user name and password (vlan) according to information about the
Broadband Access Server (BAS) interface from which the user logs in.
l Mandatory Web authentication: If the user that requires Web authentication or fast
authentication attempts to access an unauthorized address before authentication, the
NE80E/40E redirects the access request to the mandatory Web authentication server for
the user to be authenticated.
l Binding authentication: The NE80E/40E automatically generates the user name and
password based on the user's physical location.
The NE80E/40E allows individual users or leased line users to access the Internet by using any
access mode. For details about the access mode for individual users, see the HUAWEI
NetEngine80E/40E Router Feature Description - BRAS Services. The access protocols are
classified into the following types:
l IPoX, including Internet Protocol over Ethernet (IPoE), IP over Ethernet over Virtual Local
Area Network (IPoEoVLAN), and IP over Ethernet over QinQ (IPoEoQ)
l Web authentication
l Fast authentication
l Mandatory Web authentication
l Binding authentication
Applicable Environment
Web authentication is an interactive authentication mode in which the user opens the
authentication page on the web authentication server, and enters the user name and password to
be authenticated.
Fast authentication is the simplified web authentication. The user opens the web page for
authentication but does not need to enter the user name and password. The NE80E/40E generates
the user name and password (vlan) according to information about the BAS interface from which
the user logs in.
Binding authentication means that the NE80E/40E automatically generates the user name and
password based on the user's physical location.
Pre-configuration Tasks
Before configuring the authentication mode, complete the following tasks:
l Loading the BRAS license (For details, refer to the HUAWEI NetEngine80E/40E Router
Configuration Guide - System Management.)
l Configuring an ACL (applied in web authentication)
Data Preparation
To configure the authentication mode, you need the following data.
No. Data
1 IP address, port number, VPN instance, and shared key of the web authentication server
2 Portal protocol version, listen port number, and source interface of the NE80E/40E
Context
When configuring Web authentication or fast authentication, you need the following parameters:
l IP address and VPN instance of the server
l Port number of the server
l Shared key of the server
l Whether the NE80E/40E reports its own IP address to the server
l Portal protocol version, listening port number, and source interface sending portal packets
l Pages to which users are redirected
Do as follows on the NE80E/40E:
Procedure
l Configuring the Web Authentication Server
1. Run:
system-view
By default, the NE80E/40E uses port 2000 to listen to the messages sent from the Web
authentication server.
4. (Optional) run:
web-auth-server source interface interface-type interface-number
Or Run:
web-server url-parameter
The protocol adopted by Web authentication is set to the extension Portal protocol
supported by the ISP.
Or Run:
web-server ip-address
The format of the Universal Resource Locator (URL) to which access requests are
redirected in the mandatory Web authentication is http://www.isp.com/index.html.
The NE80E/40E supports two modes for accessing the Hypertext Transfer Protocol
(HTTP) page: get and post. The two modes define different formats of packets
exchanged between the NE80E/40E and the HTTP page.
4. Run:
quit
----End
Context
Do as follows on the NE80E/40E:
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
bas
Step 4 Run:
access-type layer2-subscriber
Step 5 Run:
default-domain pre-authentication domain-name
Step 6 Run:
default-domain authentication [ force | replace ] domain-name
Step 7 Run:
authentication-method { { ppp | dot1x } * | bind }
You can set the authentication mode for only Layer 2 users on the BAS interface. Multiple
authentication modes can be configured on an interface except for the following:
----End
Procedure
l Run the display web-auth-server configuration command to check the configuration of
the Web authentication server.
l Run the display domain [ domain-name ] command to check the configuration of the
domain.
----End
Example
After the configuration is complete, you can run the display web-auth-server configuration
command to view the configuration of the Web authentication server.
<HUAWEI> display web-auth-server configuration
Source interface : -
Listening port : 2000
Portal : version 1, version 2
Display reply message : enabled
------------------------------------------------------------------------
Server Share-Password Port NAS-IP Vpn-instance
------------------------------------------------------------------------
192.168.3.140 huawei 50100 NO
------------------------------------------------------------------------
1 Web authentication server(s) in total
After the configuration is complete, you can run the display domain domain-name command
to view information about the binding between the domain and user group.
<HUAWEI> display domain isp1
Domain-name : isp1
Domain-state : Active
Domain-type : Normal domain
Service-type : HSI
Authentication-scheme-name : default1
Accounting-scheme-name : default1
Authorization-scheme-name : -
RADIUS-server-group : -
Accounting-copy-RADIUS-group : -
Hwtacacs-server-template : -
Tunnel-acct-2867 : Disabled
User-group-name : -
Policy-route : Disabled
Policy-route-nexthop : -
AdminUser-priority : -
Web-server-IP-address : -
Web-URL : -
Web-server-work-mode : Get
Primary dns-IP-address : -
Secondary dns-IP-address : -
Queue-profile-name : -
User-priority-up : 0
User-priority-down : 0
PPPoe-URL : Disabled
Portal-server-URL : -
Portal-server-IP-Address : -
Portal-force-times : 2
Quota-out : Offline
Force-Auth-Type : -
Idle-data-attribute (time,rate) : 3 minute, 100 Kbyte/minute
User-access-limit : 147456
Online-user-total : 0
User-session-limit : -
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Time-range : Disabled
GRE-group-name : -
L2TP-group-name : -
L2TP-user RADIUS Force : Disabled
Dot1x-template-index : 1
Realloc-IP-address : Disabled
Applicable Environment
The IPoX access service is an access authentication service. In IPoX access, a user accesses the
Internet over Ethernet or an asymmetric digital subscriber line (ADSL). The user uses a
fixed IP address or obtains an IP address by using the Dynamic Host Configuration Protocol
(DHCP). The system then authenticates the user by using Web authentication, fast
authentication, or binding authentication.
Depending on the networking, the IPoX services are classified into the IPoE service, the
IPoEoVLAN service, and the IPoEoQ service.
NOTE
When an IPoEoQ user attempts to access the network, if the SMAC field in the Layer 2 header is different
from the CHADDR field in a DHCP request packet, the user cannot get online.
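The SMAC/CHADDR rule in the note above is a useful consistency check to reproduce on a capture when an IPoEoQ user fails to get online. The following is an added example and is not code from the Huawei document: it builds a constructed DHCP DISCOVER frame (single- or double-tagged), then walks Ethernet, 802.1Q tags, IPv4 and UDP to compare the Layer 2 source MAC with the DHCP CHADDR field. Frame layout follows the standard Ethernet, IPv4, UDP and BOOTP/DHCP headers; the MAC addresses and VLAN IDs are sample values.

```python
import struct
from typing import Optional, Sequence


def _mac(text: str) -> bytes:
    """'00:e0:fc:12:34:56' or '00-e0-fc-12-34-56' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in text.replace("-", ":").split(":"))


def build_dhcp_discover(src_mac: str, chaddr: str, vlans: Sequence[int] = ()) -> bytes:
    """Constructed sample frame: Ethernet [+ one 802.1Q tag per VLAN ID] / IPv4 / UDP /
    DHCP BOOTREQUEST (DHCPDISCOVER). IP and UDP checksums are left at zero; the
    check below does not depend on them."""
    dhcp = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s4s",
        1, 1, 6, 0,                                # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,                     # xid, secs, flags (broadcast bit)
        bytes(4), bytes(4), bytes(4), bytes(4),    # ciaddr, yiaddr, siaddr, giaddr
        _mac(chaddr).ljust(16, b"\0"), bytes(64), bytes(128),
        b"\x63\x82\x53\x63",                       # DHCP magic cookie
    ) + bytes([53, 1, 1, 255])                     # option 53 = DISCOVER, then End
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     bytes(4), b"\xff\xff\xff\xff") + udp
    tags = b"".join(struct.pack("!HH", 0x8100, vid) for vid in vlans)
    return _mac("ff:ff:ff:ff:ff:ff") + _mac(src_mac) + tags + struct.pack("!H", 0x0800) + ip


def dhcp_mac_consistent(frame: bytes) -> Optional[bool]:
    """None if the frame is not a DHCP client request; otherwise whether the Layer 2
    source MAC (SMAC) equals the DHCP CHADDR field. Any number of 802.1Q tags
    (IPoEoVLAN, IPoEoQ) between the MAC addresses and the EtherType is skipped."""
    src_mac = frame[6:12]
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    while ethertype in (0x8100, 0x88A8, 0x9100):   # TPID of a VLAN tag: skip TPID + TCI
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if ethertype != 0x0800:                        # not IPv4
        return None
    if frame[off + 9] != 17:                       # IPv4 protocol field: 17 = UDP
        return None
    off += (frame[off] & 0x0F) * 4                 # skip the IPv4 header (IHL words)
    if struct.unpack_from("!HH", frame, off) != (68, 67):   # client -> server ports
        return None
    off += 8                                       # UDP header
    op, htype, hlen = frame[off], frame[off + 1], frame[off + 2]
    if op != 1 or htype != 1 or hlen != 6:         # BOOTREQUEST with an Ethernet address
        return None
    chaddr = frame[off + 28:off + 34]              # CHADDR starts at offset 28 of the DHCP header
    return chaddr == src_mac


if __name__ == "__main__":
    good = build_dhcp_discover("00:e0:fc:12:34:56", "00:e0:fc:12:34:56", vlans=(100, 1))
    bad = build_dhcp_discover("00:e0:fc:12:34:56", "00:e0:fc:aa:bb:cc", vlans=(100, 1))
    print("consistent:", dhcp_mac_consistent(good), "mismatch:", dhcp_mac_consistent(bad))
```

A mismatch is the signature to look for in a packet capture on the BAS interface when an IPoEoQ client is rejected; relay agents, proxies, or hosts that spoof the source MAC are the usual causes.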
Pre-configuration Tasks
Before configuring the IPoX access service, complete the following tasks:
l Loading the BRAS license (For details, see the HUAWEI NetEngine80E/40E Router
Configuration Guide - System Management.)
l Configuring Authorization, Authentication, and Accounting (AAA) schemes
l Configuring a RADIUS server group or an HWTACACS server template
l Configuring an IPv4 address pool
l Configuring a domain
Data Preparation
To configure the IPoX access service, you need the following data.
No. Data
2 IP address, VPN instance (optional), MAC address (optional), and number of the access interface on the NE80E/40E (optional)
6 User domain
Configuration Procedures
To configure the IPoX access service, perform the following procedures.
NOTE
Configuring an AAA scheme, 1.3 Configuring a RADIUS Server, Configuring an IPv4 address
pool, and Configuring a domain are not provided here because all the procedures are described in other
chapters.
[Figure: flowchart of the IPoX access service configuration procedures (image not included). Legend: Mandatory procedure, Optional procedure. One node reads "Configuring a domain".]
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
When creating a static user, you can specify the IP address (including the VPN instance to which
the IP address belongs), interface (FE, GE, Eth-Trunk, or VE interface) through which the user
is connected to the NE80E/40E, domain, and MAC address.
If detect is configured, the NE80E/40E actively detects whether the static user
is online. If detect is not configured, the user can go online only after sending ARP packets.
The arp-trigger command must be configured on the BAS interface through which the static
user goes online.
----End
Context
If users access the network by using a sub-interface, the sub-interface needs to be bound to a
VLAN.
You can bind a sub-interface to a VLAN or configure QinQ on a sub-interface. When binding
a sub-interface to a VLAN, you need the following parameters:
l Sub-interface number
l VLAN ID
l QinQ ID
NOTE
l On each main interface, you can set the any-other parameter on only one sub-interface. On one
sub-interface, any-other cannot be set together with start-vlan or qinq.
l If dot1q termination, QinQ termination, QinQ stacking, or vlan-type dot1q has been configured on a
sub-interface, the user-vlan cannot be configured on this sub-interface.
l Different sub-interfaces cannot be configured with user-side VLANs with the same VLAN ID.
l If an interface on an LPUA, LPUF-10, LPUF-21, or LPUF-40 is bound to a VSI or configured with VLL
transparent transmission, users whose packets carry double VLAN tags cannot get online after the
user-vlan command is run on its sub-interfaces.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number.subinterface-number
----End
Context
When configuring a BAS interface, you need the following parameters:
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number [ .subinterface-number ]
Step 3 Run:
bas
You can configure an interface as the BAS interface by running the bas command in the interface
view. You can configure a Fast Ethernet (FE) interface or its sub-interface, a Gigabit Ethernet
(GE) interface or its sub-interface, a VE interface or its sub-interface, or an Eth-Trunk interface
The access type is set to Layer 2 subscriber access and the attributes of this access type are
configured.
Or run:
access-type layer3-subscriber [ default-domain { [ pre-authentication predname ]
authentication [ force | replace ] dname } ]
The access type is set to Layer 3 subscriber access and the attributes of this access type are
configured.
When setting the access type on the BAS interface, you can set the service attributes of the access
users at the same time. You can also set these attributes in later configurations.
The access type cannot be configured on the Ethernet interface that is added to an Eth-Trunk
interface. You can configure the access type of such an Ethernet interface only on the associated
Eth-Trunk interface.
Step 5 (Optional) Run:
access-limit number
The number of users that are allowed to access through the interface is configured.
By default, the number of users that are allowed to access through the BAS interface is not
limited.
Step 6 (Optional) Run:
default-domain pre-authentication domain-name
The default authentication domain is specified. By default, the authentication domain of the
BAS interface is default1.
l Or run:
permit-domain domain-name &<1-4>
The Option 82 field (for a DHCP user) reported by a client is trusted by the router.
Or run:
vbas
The function of locating a user through the virtual BAS (VBAS) is enabled. By default, the
function of locating a user through the VBAS is disabled.
Step 8 (Optional) Run:
client-option60
The function of filtering DHCP users that attempt to get online based on ACL rules on a BAS
interface is configured.
By default, ACL rules are not used to filter DHCP users that attempt to get online on a BAS
interface.
Step 15 Run:
authentication-method { { web | fast } | bind }
You can set the authentication mode for only Layer 2 users on the BAS interface. Multiple
authentication modes can be configured on an interface except for the following:
l Web authentication conflicts with fast authentication.
l Binding authentication conflicts with the other authentication modes.
----End
Procedure
l Run the display web-auth-server configuration command to check the configuration of
the Web authentication server.
l Run the display domain command to check the configuration of the domain.
l Run the display acl command to check the configuration of the ACL.
----End
Example
After the configuration is complete, you can run the display web-auth-server configuration
command to view the configuration of the Web authentication server.
<HUAWEI> display web-auth-server configuration
Source interface : -
Listening port : 2000
Portal : version 1, version 2
Display reply message : enabled
------------------------------------------------------------------------
Server Share-Password Port NAS-IP Vpn-instance
------------------------------------------------------------------------
192.168.3.140 huawei 50100 NO
------------------------------------------------------------------------
1 Web authentication server(s) in total
After the configuration is complete, you can run the display domain command to view
information about the binding between the domain and user group.
<HUAWEI> display domain isp1
Domain-name : isp1
Domain-state : Active
Domain-type : Normal domain
Service-type : HSI
Authentication-scheme-name : default1
Accounting-scheme-name : default1
Authorization-scheme-name : -
RADIUS-server-group : -
Accounting-copy-RADIUS-group : -
Hwtacacs-server-template : -
Tunnel-acct-2867 : Disabled
User-group-name : -
Policy-route : Disabled
Policy-route-nexthop : -
AdminUser-priority : -
Web-server-IP-address : -
Web-URL : -
Web-server-work-mode : Get
Primary dns-IP-address : -
Secondary dns-IP-address : -
Queue-profile-name : -
User-priority-up : 0
User-priority-down : 0
PPPoe-URL : Disabled
Portal-server-URL : -
Portal-server-IP-Address : -
Portal-force-times : 2
Quota-out : Offline
Force-Auth-Type : -
Idle-data-attribute (time,rate) : 3 minute, 100 Kbyte/minute
User-access-limit : 147456
Online-user-total : 0
User-session-limit : -
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Time-range : Disabled
GRE-group-name : -
L2TP-group-name : -
L2TP-user RADIUS Force : Disabled
Dot1x-template-index : 1
Realloc-IP-address : Disabled
Bill Flow : Disabled
Multicast flow statistic : Disabled
VPN-instance-name : --
Value-service-name : -
DPI-policy-group : -
Multicast-profile : -
IPUser-ReAuth-Time : 300 second
IP-Warning-Percent : -
Qos-profile-name : default
Zone-name : -
Ancp auto qos adapt : Disabled
TimeRange-Qos : Disabled
Val-added-srv-account : Default
Multicast Forwarding : Yes
Multicast Virtual : No
Multivirtual cir : -
Multivirtual pir : -
Max-multilist num : 4
L2TP-QosProfile-inbind : -
L2TP-QosProfile-outbind : -
After the configuration is complete, you can run the display acl command to view the
configuration of the ACL.
<HUAWEI> display acl 3100
Advanced ACL 3100, 3 rules,
rule 0 permit icmp (2 times matched)
rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 (0 times matched)
rule 2 permit tcp source 10.110.0.0 0.0.255.255 (0 times matched)
Applicable Environment
The NE80E/40E can parse the user name and domain name from a user account according to
the domain name delimiter and realm name delimiter. With this function, the NE80E/40E can
parse the user name and domain name as required.
The administrator can manage online users on the NE80E/40E, including viewing online users
and disconnecting users.
Pre-configuration Tasks
Before configuring and managing users, complete the following tasks:
l Loading the BRAS license (For details, see the HUAWEI NetEngine80E/40E Router
Configuration Guide - System Management.)
l Configuring the access method and authentication method for the BAS interface
Data Preparation
To configure and manage users, you need the following data.
No. Data
1 Domain name delimiter, location of the domain name, and parsing direction of
the domain name
2 (Optional) Realm name delimiter, location of the realm name, and parsing
direction of the realm name
3 Parsing priority
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Step 3 Run:
domain-name-delimiter delimiter
Step 4 Run:
domain-location { after-delimiter | before-delimiter }
By default, the domain name is placed behind the domain name delimiter.
Step 5 Run:
domainname-parse-direction { left-to-right | right-to-left }
By default, the realm name is placed before the realm name delimiter.
Step 9 Run:
parse-priority { domain-first | realm-first }
If the parsing priority is set to domain-first, the realm domain name is excluded from the user
account.
----End
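The delimiter, location, direction, and priority settings above together decide which part of an account string is the user name, which is the domain, and which is the realm. The following is an added example, not code from the Huawei document, that models that decision so an operator can predict how a given account will be split before changing the settings. Assumptions: the parse direction selects the first (left-to-right) or last (right-to-left) occurrence of the delimiter, and parse-priority decides which delimiter is applied to the full account first, with the other applied to what remains. An account with no domain delimiter yields domain None, which on the router falls through to the default domain of the BAS interface.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ParseConfig:
    """Mirror of the account-parsing commands; defaults follow the page's stated defaults."""
    domain_delimiter: str = "@"
    domain_location: str = "after-delimiter"      # or "before-delimiter"
    domain_direction: str = "left-to-right"       # or "right-to-left" (assumption: first/last occurrence)
    realm_delimiter: Optional[str] = None         # None: realm parsing not configured
    realm_location: str = "before-delimiter"      # page default: realm placed before its delimiter
    realm_direction: str = "left-to-right"
    parse_priority: str = "domain-first"          # or "realm-first"


def _split(account: str, delimiter: Optional[str], location: str, direction: str) -> Tuple[str, Optional[str]]:
    """Return (remaining account, extracted name); name is None if the delimiter is absent."""
    if not delimiter or delimiter not in account:
        return account, None
    if direction == "left-to-right":
        left, right = account.split(delimiter, 1)
    else:
        left, right = account.rsplit(delimiter, 1)
    if location == "after-delimiter":
        return left, right          # name is the part after the delimiter
    return right, left              # name is the part before the delimiter


def parse_account(account: str, cfg: ParseConfig) -> Tuple[str, Optional[str], Optional[str]]:
    """Split an account into (user name, domain name, realm name)."""
    domain = realm = None
    rest = account
    order = ("domain", "realm") if cfg.parse_priority == "domain-first" else ("realm", "domain")
    for which in order:
        if which == "domain":
            rest, domain = _split(rest, cfg.domain_delimiter, cfg.domain_location, cfg.domain_direction)
        else:
            rest, realm = _split(rest, cfg.realm_delimiter, cfg.realm_location, cfg.realm_direction)
    return rest, domain, realm


if __name__ == "__main__":
    cfg = ParseConfig(realm_delimiter="/")
    print(parse_account("realm1/user1@isp1", cfg))          # ('user1', 'isp1', 'realm1')
    print(parse_account("user@a@b", ParseConfig(domain_direction="right-to-left")))
```

Running the two direction variants on an account such as user@a@b shows why the direction matters for security: with left-to-right the domain becomes a@b, with right-to-left it becomes b, and a user who can choose where the delimiter appears in the login string can steer which domain (and therefore which authentication scheme and address pool) is applied.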
Context
If the user-security-policy enable command has been run, the following rules must be obeyed
during password configuration:
l A local user name must be longer than six characters.
l For passwords:
A password must be longer than eight characters.
A password must consist of digits, upper-case and lower-case letters, and special
characters (not including spaces or question marks).
A password cannot be the same as the user name, nor can it be the reverse of the user
name.
l A message indicating that the user name or password is incorrect is displayed if an
administrator does not enter the user name or password or enters an incorrect user name or
password.
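The rules listed above are easy to check before a local user is committed, for instance in a script that generates local accounts in bulk. The following is an added example, not code from the Huawei document: it returns every rule a user name and password pair violates, so the caller sees all problems at once. Assumptions: "special characters" is taken to mean ASCII punctuation (excluding the question mark, which the page forbids along with spaces), and all four character classes are required.

```python
import string
from typing import List

# Assumption: special characters = ASCII punctuation minus '?' (spaces and '?' are forbidden).
SPECIAL_CHARS = set(string.punctuation) - {"?"}


def check_local_user(username: str, password: str) -> List[str]:
    """Return the list of rules the pair violates; an empty list means it is acceptable."""
    problems = []
    if len(username) <= 6:
        problems.append("user name must be longer than six characters")
    if len(password) <= 8:
        problems.append("password must be longer than eight characters")
    has_digit = any(c.isdigit() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_special = any(c in SPECIAL_CHARS for c in password)
    if not (has_digit and has_upper and has_lower and has_special):
        problems.append("password must contain digits, upper-case letters, lower-case letters, and special characters")
    if any(c in " ?" for c in password):
        problems.append("password must not contain spaces or question marks")
    if password == username or password == username[::-1]:
        problems.append("password must not equal the user name or its reverse")
    return problems


if __name__ == "__main__":
    for user, pwd in [("operator1", "Str0ng#pass"), ("admin", "admin"), ("operator1", "1rotarepo")]:
        print(user, "->", check_local_user(user, pwd) or "OK")
```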
Procedure
l local AAA view
1. Run:
system-view
After a new user account is added, it adopts the following default attributes:
The access restriction is off and the access mode is A (all access modes).
The status is Active.
The idle cut function is disabled.
The group number for intergroup access is 0.
The maximum number of connections is 24.
The MAC restriction is disabled.
The password is "vlan".
The UCL group number is 0.
The flow control is disabled.
The user priority is 0.
l AAA view
1. Run:
system-view
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The router is configured to generate the IPoX user name according to information carried in the
user access request packet.
Or run:
vlanpvc-to-username { standard | turkey | version10 | version20 }
Or run:
vlanpvc-to-username standard trust { pevlan | cevlan }
The router is configured to generate the IPoX user name by using the original format.
By default, the original format of the IPoX user name is defined in version20.
Step 4 Run:
default-password { cipher cipher-password | simple simple-password }
----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
----End
Follow-up Procedure
The authentication request from a local user in the active or blocked state is processed in a
different manner.
l If the local user is in the active state, the authentication request from this user is allowed
for further processing.
l If the local user is in the blocked state, the authentication request from this user is denied.
Context
Do as follows on the router:
Procedure
l Restricting the access of local users
1. Run:
system-view
The alarm threshold for DHCP users allowed to access an LPU is configured. If the
percentage of DHCP users currently accessing the LPU exceeds the threshold, an
alarm is generated.
3. Run:
dhcp-user-warning-threshold
The alarm threshold for DHCP users allowed to access the entire NE80E/40E is
configured. If the percentage of DHCP users currently accessing the entire NE80E/
40E exceeds the threshold, an alarm is generated.
4. Run:
dhcp connection chasten request-sessions request-period blocking-period
You can view the number of users whose attempts to set up DHCP connections
are limited.
display dhcp chasten-user
You can view information about users whose attempts to set up DHCP connections
are limited.
display dhcp connection-chasten
You can view settings of the limit on attempts to set up a DHCP connection.
dhcp reset chasten-number
You can reset the statistics on user attempts to set up a DHCP connection.
l Restricting the access of users allowed to access an LPU
1. Run:
system-view
The alarm threshold for users allowed to access an LPU is configured. If the percentage
of users currently accessing the LPU exceeds the threshold, an alarm is generated on
the router.
----End
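The dhcp connection chasten command above limits how often one client may attempt to set up a DHCP connection, which protects the DHCP user table and the AAA servers from a flood of requests from a single port or MAC. The following is an added example, not code from the Huawei document, that models the limiter and the related display and reset commands. Assumption: a client that sends more than request-sessions requests within request-period seconds is blocked for blocking-period seconds; the router's exact counting rule is not stated on the page. The MAC addresses are constructed sample values.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List


class DhcpConnectionChasten:
    """Per-client limiter modelled on
    'dhcp connection chasten request-sessions request-period blocking-period'."""

    def __init__(self, request_sessions: int, request_period: int, blocking_period: int):
        self.request_sessions = request_sessions      # attempts allowed inside one period
        self.request_period = request_period          # seconds
        self.blocking_period = blocking_period        # seconds a client stays blocked
        self._attempts: Dict[str, Deque[float]] = defaultdict(deque)  # mac -> attempt times
        self._blocked_until: Dict[str, float] = {}    # mac -> time the block expires
        self.chasten_number = 0                       # counter that 'dhcp reset chasten-number' clears

    def admit(self, mac: str, now: float) -> bool:
        """Return True if the DHCP request from this client may be processed."""
        until = self._blocked_until.get(mac)
        if until is not None:
            if now < until:
                return False                          # still inside the blocking period
            del self._blocked_until[mac]              # block expired: start with a clean window
            self._attempts[mac].clear()
        window = self._attempts[mac]
        while window and now - window[0] >= self.request_period:
            window.popleft()                          # drop attempts older than the period
        window.append(now)
        if len(window) > self.request_sessions:       # assumption: "more than" the configured count
            self._blocked_until[mac] = now + self.blocking_period
            self.chasten_number += 1
            window.clear()
            return False
        return True

    def chasten_users(self, now: float) -> List[str]:
        """Clients currently blocked (what 'display dhcp chasten-user' would list)."""
        return sorted(mac for mac, until in self._blocked_until.items() if now < until)

    def reset_chasten_number(self) -> None:
        """Analogue of 'dhcp reset chasten-number'."""
        self.chasten_number = 0


if __name__ == "__main__":
    limiter = DhcpConnectionChasten(request_sessions=3, request_period=60, blocking_period=300)
    for t in (0, 1, 2, 3):                            # four requests in four seconds
        print(t, limiter.admit("00e0-fc00-0001", t))
    print("blocked:", limiter.chasten_users(10), "chasten number:", limiter.chasten_number)
```

Blocking per client rather than globally is what keeps one misbehaving host from affecting the other subscribers on the same BAS interface; the blocked list is the thing to inspect when a subscriber complains that DHCP stopped answering.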
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The online users using the IP addresses in the specified IP address pool are disconnected.
Or run:
cut access-user slot slot-id
----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
aaa offline-record
Step 3 Run:
aaa online-fail-record
Step 4 Run:
aaa abnormal-offline-record
----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
trace access-user object object-id { access-mode mode | user-name username |
interface interface-type interface-number | ip-address ip-address | mac-address
mac-address | ce-vlan ce-vlan-id | pe-vlan pe-vlan-id } * [ output [ file file-
name | syslog-server ip-address | vty ] | -t time ] *
By default, service tracing is enabled. Tracing information is output to the VTY terminal, and
the tracing time is 15 minutes.
Using the service tracing function decreases the performance of the NE80E/40E. Therefore, it is
recommended that you use this function only when you need to locate faults, and disable it
when the NE80E/40E runs normally. If the status of a great number of users changes, configure
the objects to be traced accurately when using the service tracing function. Otherwise, a great
number of resources are wasted and user services are affected.
----End
Procedure
l Run the display static-user command to check information about static users.
l Run the display aaa configuration command to check the configuration of the user account
parsing function.
l Run the display vlanpvc-to-username command to check the configuration of the format
of the IPoX user name.
l Run the display call rate command to check the put-through rate of all types of users.
----End
Example
After the configuration is complete, you can run the display static-user command to view
information about static users.
<HUAWEI> display static-user
---------------------------------------------------------------------------
Interface VLAN-ID/PVC IP-address MAC-address VPN
---------------------------------------------------------------------------
- - 10.10.10.2 - --
GE1/0/2 - 10.10.10.5 - --
---------------------------------------------------------------------------
Total 2 item(s) matched
After the configuration is complete, you can run the display aaa configuration command to
view the configuration of the user account parsing function.
<HUAWEI> display aaa configuration
---------------------------------------------------------------------------
AAA configuration information :
---------------------------------------------------------------------------
Parse Priority : Domain first
Domain Name Delimiter : @
Domainname parse direction : Left to right
Domainname location : After-delimiter
Realm name delimiter : -
Realmname parse direction : Left to right
Realmname location : Before-delimiter
Domain : total: 1024 used: 7
Authentication-scheme : total: 32 used: 4
Authorization-scheme : total: 16 used: 2
Accounting-scheme : total: 128 used: 4
Recording-scheme : total: 128 used: 1
AAA-access-user : total: 279552 used: 0
Access-user-state : authen: 0 author: 0 accounting: 0
Transition-step : -
Min-Delay-time : -
Max-Delay-time : -
Access speed : -
Account-session-id-version : Version1
---------------------------------------------------------------------------
After the configuration is complete, you can run the display vlanpvc-to-username command
to view the configuration of the format of the IPoX user name.
<HUAWEI> display vlanpvc-to-username
Version of vlan and pvc model in username : Version2.0
After the configuration is complete, you can run the display call rate command to view the
put-through rate of all types of users.
<HUAWEI> display call rate
User callrate:
--------------------------------------------------------
Usertype Calltime Callcompletion Rate
--------------------------------------------------------
PPP 127 127 100.00%
Context
After the preceding configurations, run the following display commands in any view to check
the BRAS configurations. For details, see the HUAWEI NetEngine80E/40E Router - Command
Reference.
Procedure
Step 1 Run the display web-auth-server configuration command to check the configuration of the
Web authentication server.
Step 2 Run the display bas-interface command to check the configuration of the BAS interface.
Step 3 Run the display aaa online-fail-record command to check the login failure records.
Step 4 Run the display aaa offline-record command to check the logout records.
Step 5 Run the display aaa abnormal-offline-record command to check the abnormal logout records.
Step 6 Run the display access-user command in any view to check information about online users.
----End
Context
CAUTION
BRAS access information cannot be restored after it is cleared. Exercise caution when running
the commands.
Procedure
Step 1 Run the reset aaa online-fail-record command in the user view to clear the login failure records.
Step 2 Run the reset aaa offline-record command in the user view to clear the logout records.
Step 3 Run the reset aaa abnormal offline-record command in the user view to clear the abnormal
logout records.
Step 4 Run the reset call rate command in the user view to clear the call rate statistics of users.
----End
4.6.1 Example for Configuring the IPoE Access Service for VPN
Users by Using Web Authentication
This section provides an example for configuring IPoE access to a VPN by using Web
authentication, including the networking requirements, configuration roadmap, configuration
procedure, and configuration files.
Networking Requirements
The networking is shown in Figure 4-2. The requirements are as follows:
l The user belongs to domain isp2 and accesses the Internet by using GE 1/0/2 on the
router in IPoE mode.
l The user adopts Web authentication, RADIUS authentication, and RADIUS accounting.
l The IP address of the RADIUS server is 192.168.8.249. The authentication port number is
1812 and the accounting port number is 1813. The standard RADIUS protocol is used. The
shared key is hello.
l The user is a VPN user and belongs to a VPN instance named vpn1.
l The IP address of the DNS server is 192.168.8.252.
l The IP address of the Web authentication server is 192.168.8.251 and the key is webvlan.
l The network-side interface is GE 1/0/1.
[Figure 4-2 (image not included): subscriber @isp2 -> Access Network -> GE1/0/2 Router GE1/0/1 (192.168.8.1) -> Internet]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure a VPN instance.
<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] route-distinguisher 100:1
[HUAWEI-vpn-instance-vpn1] vpn-target 100:1 both
[HUAWEI-vpn-instance-vpn1] quit
NOTE
The configuration of the upstream interface connected to the MPLS network is not described here. For
details, refer to the chapter BGP/MPLS IP VPN of the HUAWEI NetEngine80E/40E Router Configuration
Guide - VPN.
[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 192.168.8.1 255.255.255.0
----End
Configuration Files
#
sysname HUAWEI
#
user-group huawei
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
radius-server group rd2
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key hello
#
#
acl number 6000
#
acl number 6001
rule 5 permit ip source user-group huawei destination ip-address 192.168.8.251 0
rule 10 permit ip source user-group huawei destination ip-address 192.168.8.252 0
#
traffic classifier c2 operator and
if-match acl 6001
traffic classifier c1 operator and
if-match acl 6000
#
traffic behavior perm1
traffic behavior deny1
deny
#
traffic policy action1
classifier c2 behavior perm1
classifier c1 behavior deny1
traffic-policy action1 inbound
traffic-policy action1 outbound
#
interface GigabitEthernet1/0/2
bas
access-type layer2-subscriber default-domain authentication isp2
authentication-method web
#
interface GigabitEthernet1/0/1
ip address 192.168.8.1 255.255.255.0
#
ip pool pool2 bas local
vpn-instance vpn1
gateway 172.82.1.1 255.255.255.0
section 0 172.82.1.2 172.82.1.200
dns-server 192.168.8.252
#
aaa
authentication-scheme auth2
accounting-scheme acct2
domain default0
service-type hsi
web-server 192.168.8.251
web-server url http://192.168.8.251
user-group huawei
vpn-instance vpn1
ip-pool pool2
domain isp2
authentication-scheme auth2
accounting-scheme acct2
service-type hsi
radius-server group rd2
#
return
Networking Requirements
The networking is shown in Figure 4-3. The requirements are as follows:
l The user belongs to domain isp3 and accesses the Internet by using GE 1/0/2.1 on the
router in IPoEoVLAN mode. The LAN switch tags user packets with VLAN 1 and VLAN
2.
l The user adopts binding authentication, RADIUS authentication, and RADIUS accounting.
l The IP address of the RADIUS server is 192.168.8.249. The authentication port number is
1812 and the accounting port number is 1813. The standard RADIUS protocol is adopted.
The shared key is hello.
l The IP address of the DNS server is 192.168.8.252.
l The network-side interface is GE 1/0/1.
[Figure 4-3 (image not included): subscriber1 @isp3 and subscriber2 @isp3 -> Switch -> GE1/0/2.1 Router GE1/0/1 (192.168.8.1) -> Internet]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure AAA schemes.
NOTE
The configured address pool is used for the authentication domain. The pre-authentication domain is not
required because a user that adopts binding authentication can be authenticated automatically when the
user goes online.
NOTE
When a user obtains an IP address in binding authentication, the router authenticates the user automatically.
Therefore, you do not need to configure the ACL to control the network access rights of the user before
authentication. Instead, you need to configure the ACL to control the network access rights of the user after
authentication.
NOTE
l The user name for binding authentication is automatically generated based on the location where the
user accesses the NE80E/40E. Therefore, the user name on the RADIUS server must be configured
according to the name generation rule. The password is vlan.
l For details about the user name format used in binding authentication, see the description of the
vlanpvc-to-username command in the HUAWEI NetEngine80E/40E Router Command Reference.
----End
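In the binding-authentication example above the router, not the subscriber, supplies the credentials: the user name is derived from the access location and the password is the fixed string vlan, and the only secret in the exchange with the RADIUS server is the shared key (hello in this example). The following is an added example, not code from the Huawei document, showing what that shared key actually does on the wire: RFC 2865 User-Password hiding in an Access-Request, the server-side reversal, and verification of the Response Authenticator on the reply. The RADIUS server address, NAS IP, user name, and request authenticator are sample values.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type (1) + Length (1, includes header) + Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    n_blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * n_blocks, b"\0")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password (what the RADIUS server does); strips NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\0")


def build_access_request(username: bytes, password: bytes, secret: bytes, identifier: int,
                         nas_ip: str, request_auth: Optional[bytes] = None) -> bytes:
    """Access-Request with User-Name (1), User-Password (2) and NAS-IP-Address (4)."""
    request_auth = request_auth or os.urandom(16)     # must be unpredictable per request
    attrs = (_attr(1, username)
             + _attr(2, hide_user_password(password, secret, request_auth))
             + _attr(4, bytes(int(octet) for octet in nas_ip.split("."))))
    return struct.pack("!BBH16s", ACCESS_REQUEST, identifier, 20 + len(attrs), request_auth) + attrs


def build_response(code: int, identifier: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS must do before trusting an Access-Accept: recompute the authenticator."""
    if len(packet) < 20:
        return False
    length = struct.unpack_from("!H", packet, 2)[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret, auth = b"hello", os.urandom(16)
    req = build_access_request(b"user1@isp3", b"vlan", secret, 7, "192.168.8.1", auth)
    print("Access-Request bytes:", len(req), "hidden password:", req[16 + 20:16 + 20 + 16].hex())
    accept = build_response(ACCESS_ACCEPT, 7, b"", auth, secret)
    print("accept verifies:", verify_response(accept, auth, secret))
```

Two practical consequences follow from the construction: the hiding is only as strong as the shared key (a guessable key lets anyone on the path recover the password and forge accepts), and a NAS that skips the Response Authenticator check accepts any spoofed Access-Accept. Both are reasons to keep the RADIUS path on a management VPN and to use a long, unique shared key per NAS.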
Configuration Files
#
sysname HUAWEI
#
radius-server group rd3
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key hello
#
interface GigabitEthernet1/0/2.1
user-vlan 1 2
bas
access-type layer2-subscriber default-domain authentication isp3
authentication-method bind
#
interface GigabitEthernet1/0/1
ip address 192.168.8.1 255.255.255.0
#
ip pool pool3 bas local
gateway 172.82.2.1 255.255.255.0
section 0 172.82.2.2 172.82.2.200
dns-server 192.168.8.252
#
aaa
authentication-scheme auth3
accounting-scheme acct3
domain isp3
authentication-scheme auth3
accounting-scheme acct3
radius-server group rd3
ip-pool pool3
#
return
Networking Requirements
The networking is shown in Figure 4-4. The requirements are as follows:
l The user accesses the Internet by using GE 1/0/2.2 on the router in IPoEoQ mode. LAN
switch 1 tags user packets with VLAN 1 and VLAN 2. LAN switch 2 tags user packets
with QinQ 100 (outer VLAN 100).
l The user belongs to domain isp1 and adopts bind authentication and RADIUS accounting.
l The IP address of the RADIUS server is 192.168.7.249. The authentication port number is
1812 and the accounting port number is 1813. The standard RADIUS protocol is adopted.
The shared key is itellin.
l The IP address of the DNS server is 192.168.7.252.
[Figure 4-4 (image not included): user1@isp1 (VLAN1, QinQ100) -> GE1/0/2.2 Router GE1/0/1 (192.168.7.1) -> Internet]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
l Authentication template name and authentication mode
l Accounting template name and accounting mode
l RADIUS server group name, and IP addresses and port numbers of the RADIUS
authentication server and accounting server
l IP address pool name, gateway address, and DNS server address
l Domain name
l BAS interface parameters
Procedure
Step 1 Configure AAA schemes.
# Configure an authentication scheme.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme auth1
[HUAWEI-aaa-authen-auth1] authentication-mode radius
[HUAWEI-aaa-authen-auth1] quit
----End
Configuration Files
#
sysname HUAWEI
#
radius-server group rd1
radius-server authentication 192.168.7.249 1812 weight 0
radius-server accounting 192.168.7.249 1813 weight 0
radius-server shared-key itellin
#
interface GigabitEthernet1/0/2.2
user-vlan 1 2 qinq 100
bas
access-type layer2-subscriber default-domain authentication isp1
authentication-method bind
#
interface GigabitEthernet1/0/1
ip address 192.168.7.1 255.255.255.0
#
ip pool pool1 bas local
gateway 172.82.0.1 255.255.255.0
section 0 172.82.0.2 172.82.0.200
dns-server 192.168.7.252
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain default0
domain default1
domain default_admin
domain isp1
authentication-scheme auth1
accounting-scheme acct1
service-type hsi
Networking Requirements
The networking is shown in Figure 4-5. The requirements are as follows:
l Users user1@isp1 and user2@isp1 belong to the same domain isp1 and they access the
Internet by using GE 1/0/2.1 on the router as static users. The LAN switch labels user
packets with VLAN 1 and VLAN 2.
l The two users adopt Web authentication. The RADIUS authentication and RADIUS
accounting are used.
l The IP address of user1@isp1 is 172.82.1.100; the IP address of user2@isp1 is
172.82.2.200.
l The two static users are VPN users and belong to the same VPN instance named VPN1.
l The IP address of the RADIUS server is 192.168.7.249. The authentication port number is
1812 and the accounting port number is 1813. The standard RADIUS protocol is adopted.
The shared key is hello.
l The IP address of the Web authentication server is 192.168.8.251 and the key is webvlan.
Figure 4-5 Networking for configuring remote authentication for static users
[Image not included: user1@isp1 (VLAN1) and user2@isp1 (VLAN2) -> Switch -> GE1/0/2.1 Router GE1/0/1 (192.168.8.1) -> Internet; DNS server 192.168.8.252, WEB server 192.168.8.251, RADIUS server 192.168.8.249]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure a VPN instance.
<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] route-distinguisher 100:1
[HUAWEI-vpn-instance-vpn1] vpn-target 100:1 both
[HUAWEI-vpn-instance-vpn1] quit
Step 6 Configure an ACL to allow the user to access only the Web server before Web authentication is implemented.
# Configure a user group.
[HUAWEI] user-group Huawei
----End
Configuration Files
#
sysname HUAWEI
#
user-group huawei
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
radius-server group rd1
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key hello
#
acl number 6000 match-order auto
rule 5 permit ip source user-group huawei destination ip-address 192.168.8.0 0.0.0.255
rule 10 deny ip source user-group huawei destination ip-address any
#
traffic classifier c1 operator or
if-match acl 6000
#
traffic behavior b1
#
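As an added example (not code from the Huawei guide), the following Python script parses an ACL block written in the layout of the configuration file above and evaluates it the way Step 6 intends: it answers whether a user in user-group huawei may reach a given destination before Web authentication. SAMPLE_CONFIG is a constructed excerpt; the depth-first ordering of match-order auto is approximated by trying the rule with the narrower destination range first, and the wildcard semantics (0 bits must match, 1 bits are don't-care) are applied as on the router.

```python
import ipaddress
import re

# Constructed excerpt in the layout of the page's configuration file
# (blocks separated by "#" lines; the indentation was lost in extraction).
SAMPLE_CONFIG = """\
#
acl number 6000 match-order auto
rule 5 permit ip source user-group huawei destination ip-address 192.168.8.0 0.0.0.255
rule 10 deny ip source user-group huawei destination ip-address any
#
"""
RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip source user-group (\S+) "
                     r"destination ip-address (?:(any)|(\S+) (\S+))$")

def load_acl(text, number):
    """Return (match-order, rules) of ACL <number>; a rule is (num, action, group, dest)."""
    lines = [ln.strip() for ln in text.splitlines()]
    start = next(i for i, ln in enumerate(lines) if ln.split()[:3] == ["acl", "number", str(number)])
    head = lines[start].split()
    order = head[head.index("match-order") + 1] if "match-order" in head else "config"
    rules = []
    for ln in lines[start + 1:]:
        if ln == "#":  # "#" closes the block in a VRP configuration file
            break
        m = RULE_RE.match(ln)
        if m:
            n, act, grp, any_, addr, wc = m.groups()
            rules.append((int(n), act, grp, None if any_ else (addr, wc)))
    return order, rules

def fixed_bits(dest):
    """Zero bits of a Huawei wildcard must match; more of them means a narrower range."""
    return 0 if dest is None else 32 - bin(int(ipaddress.IPv4Address(dest[1]))).count("1")

def dest_permitted(text, number, group, dst):
    """True/False from the first rule of <group> matching dst; None if no rule matches."""
    order, rules = load_acl(text, number)
    # match-order auto approximated as depth-first (narrowest range first, ties by rule
    # number); match-order config sorts by rule number only.
    rules.sort(key=lambda r: ((-fixed_bits(r[3]), r[0]) if order == "auto" else (r[0],)))
    dst_i = int(ipaddress.IPv4Address(dst))
    for _num, action, rule_group, dest in rules:
        if dest is None:
            matches = True
        else:
            addr, wc = (int(ipaddress.IPv4Address(x)) for x in dest)
            matches = not ((dst_i ^ addr) & ~wc & 0xFFFFFFFF)  # every fixed bit equal
        if rule_group == group and matches:
            return action == "permit"
    return None
```

With the page's two rules, the Web server 192.168.8.251 is permitted while any other destination such as 203.0.113.10 is denied, which is the intended pre-authentication restriction.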
Networking Requirements
The networking is shown in Figure 4-6. The requirements are as follows:
- The user accesses the Internet by using GE 1/0/2.1 on the router as a static user and the IP address of the user is 172.192.0.8.
- The user adopts local authentication.
- The system uses the IP address carried in the user packet as the user name.
Figure 4-6 Networking for configuring local authentication for static users
[Figure: the static user connects to GE1/0/2.1 of the router (192.168.8.1); GE1/0/1 faces the Internet]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an authentication scheme.
2. Configure an address pool.
3. Configure an authentication domain.
4. Configure a BAS interface and an upstream interface.
5. Configure a static user.
Data Preparation
To complete the configuration, you need the following data:
- Authentication template name and authentication mode
- IP address pool name, gateway address, and DNS server address
- Domain name
- BAS interface parameters
Procedure
Step 1 Configure an authentication scheme.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme local
[HUAWEI-aaa-authen-local] authentication-mode local
[HUAWEI-aaa-authen-local] quit
[HUAWEI-ip-pool-pool1] quit
----End
Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.8.1 255.255.255.0
#
interface GigabitEthernet1/0/2.1
user-vlan 100
bas
access-type layer2-subscriber default-domain authentication isp1
ip-trigger
arp-trigger
authentication-method bind
#
ip pool pool1 bas local
A Glossary
Glossary Description
A
access service: A service providing the basic capability of network access.
B
BRAS: A functional component running on the NE80E/40E, which provides access services for broadband subscribers.
binding authentication: An authentication mode in which the NE80E/40E creates a user name and a password for the user according to the location of the user.
D
DHCP client: A program that obtains IP addresses from the DHCP/BOOTP server, and then allocates the IP addresses to PPP users.
DHCP proxy: A program that transparently transmits the DHCP request of a user to the DHCP/BOOTP server, which then allocates the IP address to the user.
DHCP server: A program that allocates the IP addresses of the local address pool to the users at the user side and allocates the IP addresses of the relay address pool to the users that pass through the DHCP proxy at the network side.
direct authorization: An authorization mode in which the user is fully trusted by the carrier and is authorized directly by the carrier.
domain: A group of users with the same service attributes. The NE80E/40E manages users through domains.
F
fast authentication: A simplified Web authentication, in which the user opens the web page for authentication but need not enter the user name and password.
H
HWTACACS: An enhanced security protocol of TACACS (RFC 1492), through which the NE80E/40E communicates with the HWTACACS server in the client/server mode.
HWTACACS accounting: An accounting mode in which the NE80E/40E sends the accounting packets to the HWTACACS server, which then performs accounting for the user.
HWTACACS authentication: An authentication mode in which the NE80E/40E sends the user name and the password to the HWTACACS server by using the HWTACACS protocol. The HWTACACS server authenticates the user, and then returns the result to the NE80E/40E.
HWTACACS authorization: An authorization mode in which the user is authorized by the HWTACACS server.
L
local address pool: An address pool configured on the NE80E/40E and managed by the NE80E/40E.
local authentication: An authentication mode in which the user information is configured on the NE80E/40E, and then the NE80E/40E authenticates the user.
local authorization: An authorization mode in which the user is authorized by the NE80E/40E based on the user attributes that are configured on the NE80E/40E.
M
mandatory web authentication: An authentication method in which the NE80E/40E redirects the access request of an unauthenticated user who uses the web authentication or the fast authentication to the web authentication server for authentication.
O
Option 60: A field carrying the domain information when a terminal device initiates a DHCP request. After receiving the DHCP request, the NE80E/40E allocates the IP address to the device according to the domain information contained in the Option 60 field.
Option 82: A field carrying the physical location information of the user when the NE80E/40E relays a DHCP packet of the user. Then the DHCP server allocates an IP address to the user according to the location information.
P
portal protocol: A protocol used to exchange information between web servers and other devices. The portal protocol is based on the client/server model and uses UDP to transfer data.
R
RADIUS accounting: An accounting mode in which the NE80E/40E sends the accounting packets to the RADIUS server. Then the RADIUS server performs accounting.
RADIUS authentication: An authentication mode in which the NE80E/40E sends the user name and the password to the RADIUS server by using the RADIUS protocol. The RADIUS server authenticates the user, and then returns the result to the NE80E/40E.
relay address pool: An address pool providing IP addresses for the users at the network side.
remote address pool: A mapping of the remote DHCP or BOOTP server, which does not provide real IP addresses.
S
static user: A user with a fixed IP address, which is configured by the user.
V
value-added service: A service selected by the user when the user logs in to the portal server of the carrier.
W
web authentication: An authentication mode in which the user enters the user name and password on the authentication page of the web authentication server for identity authentication.
This appendix lists the acronyms and abbreviations mentioned in this manual.
Item Description
A
AAA Authentication, Authorization and Accounting
ACL Access Control List
ADSL Asymmetric Digital Subscriber Line
AP Access Point
ARP Address Resolution Protocol
B
BAS Broadband Access Server
BOOTP Bootstrap Protocol
BRAS Broadband Remote Access Server
C
CAR Committed Access Rate
CF Compressed Flash
CHAP Challenge Handshake Authentication Protocol
CLI Command Line Interface
CMTS Cable Modem Terminal System
CoA Change of Authorization
COPS Common Open Policy Service
D
DHCP Dynamic Host Configuration Protocol
DNS Domain Name Server
DSLAM Digital Subscriber Line Access Multiplexer
E
EAP Extensible Authentication Protocol
EAPoL EAP over LAN
F
FE Fast Ethernet
G
GE Gigabit Ethernet
GRE Generic Routing Encapsulation
H
HDLC High level Data Link Control
HFC Hybrid Fiber-Coaxial
HWTACACS Huawei TACACS
I
IEEE Institute of Electrical and Electronics Engineers
IP Internet Protocol
IPCP Internet Protocol Control Protocol
IPoE IP over Ethernet
IPoEoVLAN IP over Ethernet over VLAN
IPoX IP over X
IPTN IP Telecommunication Network
ISP Internet Service Provider
L
LAN Local Area Network
LCP Link Control Protocol
L2TP Layer 2 Tunneling Protocol
LTS L2TP Tunnel Switch
M
MAC Media Access Control
MSCHAP Microsoft CHAP
N
NCP Network Control Protocol
ND Neighbor Discovery
NetBIOS Network Basic Input/Output System
P
PAP Password Authentication Protocol
PDP Policy Decision Point
PEP Policy Enforcement Point
PPP Point-to-Point Protocol
PPPoE Point-to-Point Protocol over Ethernet
PPPoEoVLAN PPPoE over VLAN
PPPoX PPP over X
PSTN Public Switched Telephone Network
Q
QinQ 802.1Q in 802.1Q
QoS Quality of Service
R
RADIUS Remote Authentication Dial in User Service
RFC Request for Comments
S
SIG Safe Immunity Gateway
SIM Subscriber Identity Module
DSG Dynamic Service Gateway
SSH Secure Shell
T
TACACS Terminal Access Controller Access Control System
TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol
U
UDP User Datagram Protocol
URL Universal Resource Locator
V
VLAN Virtual LAN
VoD Video On Demand
VPN Virtual Private Network