HUAWEI NetEngine80E/40E Router V600R003C00

Configuration Guide - User Access

Issue 02

Date 2011-09-10

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
Huawei and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: [email protected]

Issue 02 (2011-09-10) Huawei Proprietary and Confidential. Copyright © Huawei Technologies Co., Ltd.


About This Document

Purpose
This document is a guide to configuring the user access service. It describes the basic principles, configuration procedures, and configuration methods of AAA, user management, DHCPv4, DHCPv6, and BRAS access.

NOTE

- This document takes the interface numbers and link types of the NE40E-X8 as an example. In working situations, the actual interface numbers and link types may differ from those used in this document.

- On NE80E/40E series models other than the NE80E/40E-X1 and NE80E/40E-X2, line processing boards are called Line Processing Units (LPUs) and switching fabric boards are called Switching Fabric Units (SFUs). The NE80E/40E-X1 and NE80E/40E-X2 have no LPUs or SFUs; their NPUs implement the same functions as LPUs and SFUs to switch and forward packets.

Related Versions
The following table lists the product versions related to this document.

Product Name: HUAWEI NetEngine80E/40E Router
Version: V600R003C00

Intended Audience
This document is intended for:

- Commissioning engineers

- Data configuration engineers

- Network monitoring engineers

- System maintenance engineers


Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol: Description

DANGER: Alerts you to a high risk hazard that could, if not avoided, result in serious injury or death.

WARNING: Alerts you to a medium or low risk hazard that could, if not avoided, result in moderate or minor injury.

CAUTION: Alerts you to a potentially hazardous situation that could, if not avoided, result in equipment damage, data loss, performance deterioration, or unanticipated results.

TIP: Provides a tip that may help you solve a problem or save time.

NOTE: Provides additional information to emphasize or supplement important points in the main text.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention: Description

Boldface: The keywords of a command line are in boldface.

Italic: Command arguments are in italics.

[ ]: Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.

[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

&<1-n>: The parameter before the & sign can be repeated 1 to n times.

#: A line starting with the # sign is a comment.


Change History

Changes in Issue 02 (2011-09-10)
The second commercial release has the following updates.

- BRAS Access Configuration
  - As defined in 4.3.4 Configuring a BAS Interface, DHCP users can be filtered based on the ACL rule configured on a BAS interface.

- DHCPv4 Configuration
  - As defined in 2.4.2 Creating a DHCPv4 Server Group, the polling mechanism can be used to select a DHCPv4 server.

Changes in Issue 01 (2011-06-30)
Initial commercial release.


Contents

About This Document .... ii

1 AAA Configuration .... 1
  1.1 AAA Overview .... 2
    1.1.1 Introduction to AAA .... 2
    1.1.2 AAA Supported by the NE80E/40E .... 3
  1.2 Configuring AAA Schemes .... 4
    1.2.1 Establishing the Configuration Task .... 4
    1.2.2 (Optional) Enabling RADIUS or HWTACACS .... 5
    1.2.3 Configuring an Authentication Scheme .... 5
    1.2.4 (Optional) Configuring an Authorization Scheme .... 7
    1.2.5 Configuring an Accounting Scheme .... 8
    1.2.6 (Optional) Configuring a Recording Scheme .... 10
    1.2.7 Checking the Configuration .... 11
  1.3 Configuring a RADIUS Server .... 13
    1.3.1 Establishing the Configuration Task .... 13
    1.3.2 Creating a RADIUS Server Group .... 14
    1.3.3 Configuring RADIUS Authentication and Accounting Servers .... 15
    1.3.4 (Optional) Configuring the Algorithm for Selecting a RADIUS Server .... 16
    1.3.5 (Optional) Configuring Negotiated Parameters of the RADIUS Server .... 16
    1.3.6 (Optional) Disabling RADIUS Attributes .... 18
    1.3.7 (Optional) Configuring RADIUS Attribute Translation .... 19
    1.3.8 (Optional) Configuring the Tunnel Password Delivery Mode .... 20
    1.3.9 (Optional) Configuring the Class Attribute to Carry the CAR Value .... 21
    1.3.10 (Optional) Configuring the Format of the NAS-Port Attribute .... 22
    1.3.11 (Optional) Configuring the Source Interface of a RADIUS Server .... 22
    1.3.12 (Optional) Configuring a RADIUS Authorization Server .... 23
    1.3.13 (Optional) Setting the Status Parameters of a RADIUS Server .... 24
    1.3.14 (Optional) Configuring the Extended Source Interfaces of a RADIUS Server .... 24
    1.3.15 Checking the Configuration .... 25
  1.4 Configuring an HWTACACS Server .... 27
    1.4.1 Establishing the Configuration Task .... 28
    1.4.2 Creating an HWTACACS Server Template .... 28
    1.4.3 Configuring HWTACACS Authentication/Authorization/Accounting Servers .... 29


    1.4.4 Configuring the Source IP Address of an HWTACACS Server .... 31
    1.4.5 (Optional) Setting the Negotiated Parameters of the HWTACACS Server .... 31
    1.4.6 (Optional) Configuring the Timers for the HWTACACS Server .... 33
    1.4.7 (Optional) Configuring Retransmission of Accounting Stop Packets .... 34
    1.4.8 (Optional) Configuring HWTACACS Users to Change Passwords .... 35
    1.4.9 Checking the Configuration .... 35
  1.5 Configuring Bill Saving .... 36
    1.5.1 Establishing the Configuration Task .... 36
    1.5.2 Creating a Local CDR Pool .... 37
    1.5.3 Configuring the Backup Mode of Cached Bills .... 38
    1.5.4 (Optional) Backing up Bills in the CF Card to the Bill Server .... 38
    1.5.5 (Optional) Backing up the Bills in the Cache to the Bill Server .... 40
    1.5.6 Checking the Configuration .... 42
  1.6 Configuring a Domain .... 42
    1.6.1 Establishing the Configuration Task .... 43
    1.6.2 Creating a Domain .... 44
    1.6.3 Configuring an AAA Scheme for a Domain .... 44
    1.6.4 Configuring Servers for a Domain .... 45
    1.6.5 Specifying an IPv4 Address Pool for a Domain .... 46
    1.6.6 (Optional) Setting the Maximum Number of Access Users for a Domain .... 47
    1.6.7 (Optional) Setting the Maximum Number of Sessions for an Account .... 48
    1.6.8 (Optional) Setting the Priority of a Domain User .... 48
    1.6.9 (Optional) Configuring Additional Functions for a Domain .... 49
    1.6.10 (Optional) Activating a Domain .... 52
    1.6.11 Checking the Configuration .... 53
  1.7 Maintaining AAA .... 54
    1.7.1 Clearing AAA Statistics .... 54
  1.8 Configuration Examples .... 55
    1.8.1 Example for Performing Authentication and Accounting for Users by Using RADIUS .... 55
    1.8.2 Example for Configuring HWTACACS Authentication, Authorization, and Accounting .... 59
    1.8.3 Example for Configuring HWTACACS Authentication and Authorization on the MPLS VPN .... 62

2 DHCPv4 Configuration .... 74
  2.1 Introduction to DHCPv4 .... 75
  2.2 DHCPv4 Supported by the NE80E/40E .... 75
  2.3 Configuring an IPv4 Address Pool .... 75
    2.3.1 Establishing the Configuration Task .... 75
    2.3.2 Creating an Address Pool .... 78
    2.3.3 (Optional) Configuring Static IP Address Binding .... 80
    2.3.4 (Optional) Configuring DNS Services for the DHCPv4 Client .... 80
    2.3.5 (Optional) Configuring NetBIOS Services for the DHCPv4 Client .... 81
    2.3.6 (Optional) Configuring SIP Services for the DHCPv4 Client .... 82
    2.3.7 (Optional) Configuring DHCPv4 Self-Defined Options .... 83


    2.3.8 (Optional) Configuring Address Protection .... 84
    2.3.9 Checking the Configuration .... 85
  2.4 Configuring a DHCPv4 Server Group .... 86
    2.4.1 Establishing the Configuration Task .... 86
    2.4.2 Creating a DHCPv4 Server Group .... 87
    2.4.3 Associating the IP Address Pool and the DHCPv4 Server Group .... 88
    2.4.4 Checking the Configuration .... 89
  2.5 Configuring DHCPv4 Relay .... 89
    2.5.1 Establishing the Configuration Task .... 90
    2.5.2 Configuring Relay .... 90
    2.5.3 Checking the Configuration .... 92
  2.6 Adjusting DHCPv4 Service Parameters .... 93
    2.6.1 Establishing the Configuration Task .... 93
    2.6.2 Configuring Global DHCPv4 Parameters .... 93
    2.6.3 Configuring Transparent Transmission of DHCPv4 Packets .... 94
    2.6.4 Enabling a DHCPv4 Server to Detect Unauthorized DHCPv4 Servers .... 95
    2.6.5 Enabling the Detection of an IP Address Conflict .... 95
    2.6.6 Saving DHCPv4 Data .... 96
    2.6.7 Restoring DHCPv4 Data .... 97
    2.6.8 Checking the Configuration .... 97
  2.7 Maintaining DHCPv4 .... 98
    2.7.1 Clearing DHCPv4 Statistics .... 98
    2.7.2 Monitoring DHCPv4 Operation Status .... 99
  2.8 Configuration Examples .... 99
    2.8.1 Example for Configuring Address Assignment Based on the Local Address Pool .... 100
    2.8.2 Example for Configuring Address Assignment Based on the Remote Address Pool .... 103
    2.8.3 Example for Configuring Layer 3 DHCPv4 User Access .... 107
    2.8.4 Example for Configuring IP Address Assignment for Ethernet Users (with No Relay Agent) .... 111
    2.8.5 Example for Configuring IP Address Assignment for Ethernet Users (with a Relay Agent Deployed) .... 114

3 DHCPv6 Configuration .... 118
  3.1 Introduction to DHCPv6 .... 119
    3.1.1 DHCPv6 Overview .... 119
    3.1.2 DHCPv6 Features Supported by the NE80E/40E .... 119
  3.2 Configuring a DHCPv6 Relay Agent .... 119
    3.2.1 Establishing the Configuration Task .... 120
    3.2.2 Enabling DHCPv6 Relay .... 120
    3.2.3 Enabling DHCPv6 on Network-side Interfaces .... 122
    3.2.4 Checking the Configuration .... 122

4 BRAS Access Configuration .... 124
  4.1 Introduction .... 125
    4.1.1 Overview of BRAS Authentication .... 125


    4.1.2 Access Authentication Supported by the NE80E/40E .... 125
  4.2 Configuring the Authentication Mode .... 126
    4.2.1 Establishing the Configuration Task .... 126
    4.2.2 Configuring Web Authentication or Fast Authentication .... 127
    4.2.3 Configuring Other Authentication Modes .... 129
    4.2.4 Checking the Configuration .... 130
  4.3 Configuring the IPoX Access Service .... 132
    4.3.1 Establishing the Configuration Task .... 132
    4.3.2 Creating a Static User .... 134
    4.3.3 Binding Sub-interfaces to a VLAN .... 135
    4.3.4 Configuring a BAS Interface .... 136
    4.3.5 Checking the Configuration .... 139
  4.4 Configuring and Managing Users .... 140
    4.4.1 Establishing the Configuration Task .... 140
    4.4.2 Configuring User Account Parsing .... 141
    4.4.3 Creating a Local User Account .... 142
    4.4.4 Configuring the User Name Format and Password .... 144
    4.4.5 Configuring the Local User Status .... 145
    4.4.6 Configuring the Limit on the Number of Access Users .... 146
    4.4.7 Disconnecting Online Users .... 147
    4.4.8 Generating Offline Records and Online Failure Records .... 148
    4.4.9 Tracing Services of Users .... 149
    4.4.10 Checking the Configuration .... 149
  4.5 Maintaining BRAS Access .... 151
    4.5.1 Displaying BRAS Access Information .... 151
    4.5.2 Clearing BRAS Access Information .... 151
  4.6 Configuration Examples .... 152
    4.6.1 Example for Configuring the IPoE Access Service for VPN Users by Using Web Authentication .... 152
    4.6.2 Example for Configuring the IPoEoVLAN Access Service .... 157
    4.6.3 Example for Configuring the IPoEoQ Access Service .... 160
    4.6.4 Example for Configuring Remote Authentication for Static Users .... 163
    4.6.5 Example for Configuring Local Authentication for Static Users .... 167

A Glossary .... 171

B Acronyms and Abbreviations .... 174


1 AAA Configuration

About This Chapter

This chapter describes how to configure authentication, authorization, and accounting (AAA) to implement local or remote authentication, authorization, and accounting.

1.1 AAA Overview
This section describes concepts related to AAA, including the AAA scheme, RADIUS server template, HWTACACS server template, and domain attributes.

1.2 Configuring AAA Schemes
By configuring AAA schemes, you determine the authentication, authorization, and accounting modes applied to a user.

1.3 Configuring a RADIUS Server
A RADIUS server must be configured to perform authentication and accounting by using RADIUS.

1.4 Configuring an HWTACACS Server
An HWTACACS server must be configured to perform authentication and accounting by using HWTACACS.

1.5 Configuring Bill Saving
Saving bills on the local device provides a backup of the bills held on the remote accounting server, so accounting information is still available if the remote server fails.

1.6 Configuring a Domain
The NE80E/40E supports domain-based management for local users and access users.

1.7 Maintaining AAA
This section describes how to maintain AAA by clearing AAA statistics and debugging RADIUS or HWTACACS.

1.8 Configuration Examples
This section provides configuration examples of AAA, including networking requirements, configuration notes, and configuration roadmaps.


1.1 AAA Overview
This section describes concepts related to AAA, including the AAA scheme, RADIUS server template, HWTACACS server template, and domain attributes.

1.1.1 Introduction to AAA
AAA can be performed for domain users by using a remote RADIUS or HWTACACS server.

AAA
AAA provides security functions for user authentication, authorization, and accounting.

- Authentication: determines which users can access the network.
- Authorization: authorizes users to use specific services.
- Accounting: records users' usage of network resources.

AAA adopts the client/server model. This model extends well and allows user information to be managed centrally.

AAA supports three authentication modes: non-authentication, local authentication, and remote authentication. Remote authentication is implemented through either the Remote Authentication Dial In User Service (RADIUS) or the Huawei Terminal Access Controller Access Control System (HWTACACS).

AAA supports four authorization modes: direct authorization, local authorization, HWTACACS authorization, and if-authenticated authorization.

NOTE

- RADIUS integrates authentication and authorization. RADIUS authorization is therefore performed together with RADIUS authentication and cannot be used on its own.

- Users that have passed HWTACACS authentication can actively change the passwords saved on the HWTACACS server.

AAA supports the following accounting modes: non-accounting and remote accounting.

All user authentication, authorization, and accounting are applied in the domain view.

Domain-based User Management
The network access server (NAS) can manage users in two ways.

- Managing users based on domains: you can configure the default authorization, the RADIUS/HWTACACS template, and the authentication and accounting schemes in the domain.

- Managing users based on user accounts.

In current AAA implementations, users are categorized into domains. The domain to which a user belongs is the character string that follows "@" in the user name. For example, the user "user@hua" belongs to the domain "hua". If there is no "@" in the user name, the user belongs to the default0 domain, the default1 domain, or the default_admin domain.

In the AAA view, you can create a maximum of 1021 domains in addition to the built-in default0, default1, and default_admin domains.


To perform AAA for users, you need to configure authentication, authorization, and accounting modes in the AAA view, and then apply the authentication, authorization, and accounting schemes in the domain view.

The authorization configured in the domain view has a lower priority than the authorization delivered by an AAA server. That is, the authorization delivered by an AAA server is preferred. When the AAA server does not have or support the authorization, the authorization configured in the domain view takes effect. In this manner, you can add services flexibly by means of domain management, regardless of the authorization by the AAA server.

1.1.2 AAA Supported by the NE80E/40E

The NE80E/40E supports AAA implemented through a local or remote server. HWTACACS users can change passwords on the NE80E/40E.

The NE80E/40E supports the following authentication, authorization, and accounting schemes, and manages users based on domains.

1. Authentication

The authentication modes supported by AAA include non-authentication, local authentication, and remote authentication. Remote authentication can be performed through either RADIUS or HWTACACS.

The authentication modes can be used in combination, which is configured through commands. If the first authentication mode fails (including the situation where the remote server does not respond), you can adopt another authentication mode according to the configured sequence of authentication modes. For example, you can configure authentication to be performed in the sequence of RADIUS authentication, local authentication, and non-authentication.

2. Authorization

The authorization modes supported by AAA include direct authorization, local authorization, HWTACACS authorization, and if-authenticated authorization.

NOTE

RADIUS integrates authorization and authentication. Therefore, RADIUS authorization accompanies RADIUS authentication.

The NE80E/40E supports Change of Authorization (CoA). Authorization information about online users can be dynamically changed. While maintaining the online status of users, the network administrator can modify the service attributes on the RADIUS server and then send CoA packets to dynamically change the services used by users. This authorization mode is referred to as dynamic authorization.

3. Accounting

The accounting modes supported by AAA include non-accounting and remote accounting.

After being authenticated and authorized, users successfully go online, and accounting starts with the access of services. Accounting is performed based on online time, user traffic, or both. The accounting process is as follows: The NE80E/40E collects statistics on the online time and the upstream and downstream traffic, and then sends the statistics to the RADIUS or HWTACACS server in the format specified by the RADIUS or HWTACACS protocol. At last, the server returns a message to the NE80E/40E indicating whether accounting succeeds.

NOTE

User authentication, authorization, and accounting must be performed in the domain view.


The NE80E/40E supports two methods of modifying passwords of users after they pass HWTACACS authentication:

- The HWTACACS server enables users to modify passwords.
- Users actively modify their passwords through commands.

HWTACACS supports VPN instance-based forwarding. When the HWTACACS server of an operator is deployed in a VPN and the NE80E/40E is deployed in the public network, the NE80E/40E communicates with the HWTACACS server by using VPN instances to implement authentication, authorization, and accounting for users.

1.2 Configuring AAA Schemes

By configuring AAA schemes, you can determine the authentication, authorization, and accounting modes for a user.

1.2.1 Establishing the Configuration Task

Before configuring AAA schemes, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

To provide access services for authorized users and protect sensitive network devices against unauthorized access, configure AAA on the router.

NOTE

AAA is always enabled on the NAS.

Addresses such as Class A addresses XXX.255.255.255 and XXX.0.0.0, Class B addresses XXX.XXX.255.255 and XXX.XXX.0.0, and Class C addresses XXX.XXX.XXX.255 and XXX.XXX.XXX.0 must not be configured as valid start or end addresses in an address pool. Such addresses in an address pool cannot be allocated.
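Checking pool endpoints against this rule, and skipping the same addresses when a pool is walked, as an added example that is not Huawei code; the helper names are hypothetical and every pool value is constructed.

```python
"""Address-pool endpoint check for the classful-boundary rule in the note
above. Added example, not Huawei code: helper names are hypothetical and all
pool values are constructed."""
import ipaddress
from typing import List, Optional


def classful_prefix(ip) -> Optional[int]:
    """Classful prefix length from the first octet (A=/8, B=/16, C=/24); None for
    Class D/E addresses, which the rule does not cover."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    return None


def is_classful_boundary(ip) -> bool:
    """True for XXX.0.0.0 / XXX.255.255.255 (Class A), XXX.XXX.0.0 /
    XXX.XXX.255.255 (Class B) and XXX.XXX.XXX.0 / XXX.XXX.XXX.255 (Class C):
    the classful network and directed-broadcast addresses."""
    addr = ipaddress.IPv4Address(ip)
    prefix = classful_prefix(addr)
    if prefix is None:
        return False
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return addr in (net.network_address, net.broadcast_address)


def validate_pool(start: str, end: str) -> List[str]:
    """Problems with a proposed start/end pair; an empty list means acceptable."""
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    problems = []
    if s > e:
        problems.append(f"start {s} is greater than end {e}")
    for label, addr in (("start", s), ("end", e)):
        if is_classful_boundary(addr):
            problems.append(f"{label} address {addr} is a classful network/broadcast address")
    return problems


def allocatable(start: str, end: str) -> List[str]:
    """Addresses the pool can actually hand out: the inclusive range minus any
    classful boundary address that falls inside it."""
    problems = validate_pool(start, end)
    if problems:
        raise ValueError("; ".join(problems))
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)
            if not is_classful_boundary(i)]


if __name__ == "__main__":
    print(validate_pool("10.1.1.1", "10.1.1.10"))           # [] -> acceptable
    print(validate_pool("192.168.1.250", "192.168.1.255"))  # end is a Class C broadcast address
    # 12 addresses in range, minus 172.16.255.255 and 172.17.0.0 -> 10
    print(len(allocatable("172.16.255.250", "172.17.0.5")))
```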

NOTE

IP address negotiation needs to be configured on the client and server respectively.

Pre-configuration Tasks

Before configuring AAA schemes, complete the following tasks:

Configuring parameters of the link layer protocol and IP addresses for the interfaces, ensuring that the status of the link layer protocol on the interfaces is Up

Data Preparation

To configure AAA schemes, you need the following data.

No.  Data

1    Name of the authentication scheme and authentication mode


2    (Optional) Name of the authorization scheme, authorization mode, level of the HWTACACS user to be authorized through command lines, and timeout period of command-line-based authorization

3    Name of the accounting scheme, accounting mode, interval for real-time accounting, accounting-start failure policy, real-time accounting failure policy, and number of real-time accounting failures

4    (Optional) Name of the recording scheme, name of the HWTACACS server template associated with the recording mode, and events to be recorded

5    Interface type and interface number of the server and client, ID and IP address range of the address pool, and IP addresses to be allocated to users when no address pool is used

1.2.2 (Optional) Enabling RADIUS or HWTACACS

After RADIUS or HWTACACS is enabled, AAA requests sent from users are forwarded. After RADIUS or HWTACACS is disabled, AAA requests sent from users are discarded.

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 (Optional) Run the following command as required.

- To enable RADIUS, run:
  radius enable

- To enable HWTACACS, run:
  hwtacacs enable

RADIUS or HWTACACS is enabled by default.

----End

1.2.3 Configuring an Authentication Scheme

After configuring an authentication mode, you need to configure relevant user information on the authentication server; if user information is not configured, users cannot pass the authentication.

Context

Do as follows on the router:


Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  aaa

The AAA view is displayed.

Step 3 Run:
  authentication-scheme scheme-name

An authentication scheme is created.

Step 4 Run:
  authentication-mode { hwtacacs | radius | local } * [ none ]

An authentication mode is set.

The NE80E/40E supports RADIUS authentication, HWTACACS authentication, local authentication, and non-authentication. In addition, the NE80E/40E supports secondary authentication. This means that if there is no response from the first authentication (the remote server does not respond or user information is not configured on the local device), the NE80E/40E performs authentication in another mode.

The authentication schemes named default, default0, and default1 are set by default on the NE80E/40E. They can be modified but cannot be deleted.

- By default, the authentication mode of default0 is non-authentication.
- By default, the authentication mode of default1 is RADIUS authentication.
- By default, the authentication mode of default is local radius authentication.

Step 5 (Optional) Run:
  authening authen-fail { offline | online authen-domain domain-name }

The policy for handling the authentication failure is configured.

The policy for handling the authentication failure refers to the policy used by the NE80E/40E after the user fails the authentication. By default, if the authentication fails, the NE80E/40E forces the user to log out. If you enable the secondary authentication function for the user (for example, after the PPP authentication fails, the Web authentication is used), the NE80E/40E keeps the user online when the first authentication fails. In this case, the user is added to a default domain (default0 by default).

NOTE

The policy for handling the authentication failure cannot be configured on the X1 or X2 models of the NE80E/40E.

Step 6 (Optional) Run:
  authentication-super { [ hwtacacs | super ] * | none } *

The method of changing the administrative level of an operator is configured.

If users want to change their administrative levels online, for example, a Telnet user of level 2 wants to change the administrative level to 3, the user must pass the authentication.


The NE80E/40E supports non-authentication, HWTACACS authentication, and super authentication for changing the administrative level of an operator. The NE80E/40E supports secondary authentication. If the super password is not configured for super authentication, or the HWTACACS server does not respond in HWTACACS authentication, you can adopt another authentication scheme according to the configuration.

Step 7 (Optional) Run:
  authening authen-redirect online authen-domain domain-name

The redirection domain is configured.

After you configure the redirection domain, the users that pass the authentication and the users that actually fail the authentication go online from different domains.

By configuring a private IP address pool, UCL-based access control, and a security domain in the redirection domain, you can differentiate address allocation (private addresses and public addresses) and access control for different user domains. In this manner, users in different domains are separated by differentiated configurations. This solution effectively saves Internet IP addresses and prevents unauthorized users from occupying many Internet IP addresses.

NOTE

The redirection domain cannot be configured on the X1 or X2 models of the NE80E/40E.

----End

1.2.4 (Optional) Configuring an Authorization Scheme

The default authorization mode is local authorization. RADIUS integrates authentication and authorization. HWTACACS separates authentication and authorization. HWTACACS allows user-based authorization and command-line authorization.

Context

Do as follows on the router:

NOTE

- You can configure command-line authorization for users of a certain level only when HWTACACS is adopted.

- Command-line authorization of HWTACACS is irrelevant to the authorization mode configured by using the authorization-mode command.

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  aaa

The AAA view is displayed.

Step 3 Run:
  authorization-scheme authorization-scheme-name


An authorization scheme is created and the authorization scheme view is displayed.

By default, an authorization scheme named default exists. This scheme can be modified but cannot be deleted.

Step 4 Run:
  authorization-mode { hwtacacs | if-authenticated | local } * [ none ]

The authorization mode is configured.

By default, the authorization mode is set to local.

If the authorization mode is set to HWTACACS, you must configure an HWTACACS server template and apply the template in the view of the domain to which the user belongs.

Step 5 Run:
  authorization-cmd privilege-level hwtacacs [ local ]

Command-line authorization is enabled.

By default, command-line authorization is disabled.

If command-line authorization is enabled, you must configure an HWTACACS template and apply the template in the view of the domain to which the user belongs.

Step 6 Run:
  authorization-cmd no-response-policy { online | offline [ max-times max-times-value ] }

The policy for authorization failures in the case where the HWTACACS server is unavailable or no user is locally configured is set.

Step 7 Run:
  quit

Return to the AAA view.

Step 8 Run:
  quit

Return to the system view.

Step 9 Run:
  hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 10 Run:
  hwtacacs-server timer response-timeout timeout-value

The timeout period of the authorization response is set.

----End

1.2.5 Configuring an Accounting Scheme

You need to configure an accounting scheme before implementing accounting for users.

Context

Do as follows on the router:


Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  aaa

The AAA view is displayed.

Step 3 Run:
  accounting-scheme scheme-name

An accounting scheme is created.

The accounting schemes named default0 and default1 are set by default on the NE80E/40E. They can be modified but cannot be deleted.

- By default, the accounting mode of default0 is non-accounting.
- By default, the accounting mode of default1, and of a user-defined accounting scheme, is RADIUS accounting.

Step 4 Run:
  accounting-mode { hwtacacs | none | radius }

An accounting mode is set.

The NE80E/40E supports RADIUS accounting, HWTACACS accounting, and non-accounting.

Step 5 (Optional) Run:
  accounting interim interval interval [ second ]

Real-time accounting is configured.

Real-time accounting indicates that the NE80E/40E periodically generates accounting packets and sends them to the remote accounting server while a user is online. Real-time accounting minimizes loss of accounting information when the communication between the NE80E/40E and the remote server is interrupted.

The interval for real-time accounting can be in minutes or seconds. By default, the unit of the interval is minute.

Step 6 (Optional) Run:
  accounting start-fail { offline | online }

The policy for handling the accounting start failure is configured.

If the NE80E/40E does not receive any response after sending an accounting start packet to the remote accounting server, the NE80E/40E adopts the policy for the accounting start failure. This policy may keep the user online or log the user out.

By default, the NE80E/40E logs the user out when the accounting fails to start.

Step 7 (Optional) Run:
  accounting interim-fail [ max-times times ] { offline | online }

The policy for the real-time accounting failure is configured.

The policy for the real-time accounting failure is configured.


If the NE80E/40E does not receive any response after re-sending the real-time accounting packets to the remote accounting server a certain number of times, the NE80E/40E adopts the policy for the real-time accounting failure. This policy may keep the user online or log the user out.

By default, the number of retransmission times for real-time accounting packets is 3. When the real-time accounting fails, the NE80E/40E keeps the user online.

Step 8 (Optional) Run:
  accounting send-update

The NE80E/40E is configured to send real-time accounting packets immediately after receiving the accounting start response.

After receiving the accounting response, the NE80E/40E determines whether to send the real-time accounting packet immediately according to the configuration.

By default, the NE80E/40E does not send any real-time accounting packet immediately after receiving an accounting response.

----End

1.2.6 (Optional) Configuring a Recording Scheme

The recording function is applicable only when HWTACACS is adopted. The commands that have been used, number of connection times, and system events can be recorded.

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  aaa

The AAA view is displayed.

Step 3 Run:
  recording-scheme recording-scheme-name

A recording scheme is created and the recording scheme view is displayed.

By default, no recording scheme exists.

Step 4 Run:
  recording-mode hwtacacs template-name

The recording mode is configured.

By default, the recording scheme is not associated with the HWTACACS template.

Step 5 Run:
  quit


Return to the AAA view.

Step 6 (Optional) Run:
  cmd recording-scheme recording-scheme-name

The commands that have been used on the router are recorded.

Step 7 (Optional) Run:
  outbound recording-scheme recording-scheme-name

Information about the connections is recorded.

Step 8 Run:
  system recording-scheme recording-scheme-name

The system events are recorded.

----End

1.2.7 Checking the Configuration

When an AAA scheme is configured, you can view the configuration of AAA, the recording scheme, and basic information about online users.

Prerequisite

The configurations of the AAA schemes are complete.

Procedure

- Run the display aaa configuration command to check brief information about AAA.
- Run the display accounting-scheme [ accounting-scheme-name ] command to check the configuration of the accounting scheme.
- Run the display authentication-scheme [ authentication-scheme-name ] command to check the configuration of the authentication scheme.
- Run the display authorization-scheme [ authorization-scheme-name ] command to check the configuration of the authorization scheme.
- Run the display recording-scheme [ recording-scheme-name ] command to check the configuration of the recording scheme.
- Run the display ip pool { global | domain domain-name } command to check the usage of the address pool.

----End

Example

Run the display aaa configuration command. If brief information about AAA is displayed, it means that the configuration succeeds. For example:

<HUAWEI> display aaa configuration
---------------------------------------------------------------------------
AAA configuration information :
---------------------------------------------------------------------------
Domain                : total: 255    used: 2
Authentication-scheme : total: 16     used: 2
Authorization-scheme  : total: 16     used: 2
Accounting-scheme     : total: 128    used: 2


Recording-scheme      : total: 128    used: 0
AAA-access-user       : total: 384    used: 0
Access-user-state     : authen: 0     author: 0     accounting: 0
---------------------------------------------------------------------------

Run the display authentication-scheme command. If information about the authentication scheme is displayed, it means that the configuration succeeds. For example:

<HUAWEI> display authentication-scheme scheme0
---------------------------------------------------------------------------
Authentication-scheme-name  : scheme0
Authentication-method       : Local authentication
Authentication-super method : Super authentication-super
---------------------------------------------------------------------------

Run the display authorization-scheme command. If information about the authorization scheme is displayed, it means that the configuration succeeds. For example:

<HUAWEI> display authorization-scheme scheme0
---------------------------------------------------------------------------
Authorization-scheme-name            : scheme0
Authorization-method                 : Local authorization
Authorization-cmd level 0            : disabled
Authorization-cmd level 1            : disabled
Authorization-cmd level 2            : enabled ( Hwtacacs )
Authorization-cmd level 3            : disabled
Authorization-cmd level 4            : disabled
Authorization-cmd level 5            : disabled
Authorization-cmd level 6            : disabled
Authorization-cmd level 7            : disabled
Authorization-cmd level 8            : disabled
Authorization-cmd level 9            : disabled
Authorization-cmd level 10           : disabled
Authorization-cmd level 11           : disabled
Authorization-cmd level 12           : disabled
Authorization-cmd level 13           : disabled
Authorization-cmd level 14           : disabled
Authorization-cmd level 15           : disabled
Authorization-cmd no-response-policy : Online
---------------------------------------------------------------------------

Run the display accounting-scheme command. If information about the accounting scheme is displayed, it means that the configuration succeeds. For example:

<HUAWEI> display accounting-scheme scheme0
---------------------------------------------------------------------------
Accounting-scheme-name              : scheme0
Accounting-method                   : RADIUS accounting
Realtime-accounting-switch          : Open
Realtime-accounting-interval(min)   : 5
Start-accounting-fail-policy        : Cut user
Realtime-accounting-fail-policy     : Cut user
Realtime-accounting-failure-retries : 3
---------------------------------------------------------------------------

Run the display recording-scheme command. If information about the recording scheme is displayed, it means that the configuration succeeds. For example:

<HUAWEI> display recording-scheme scheme0
---------------------------------------------------------------------------
Recording-scheme-name   : scheme0
HWTACACAS-template-name : template0
---------------------------------------------------------------------------

Run the display ip pool global command. If brief information about usage of the address pool is displayed, it means that the configuration succeeds. For example:

<HUAWEI> display ip pool global


----------------------------------------------------------------------------
Pool-number  Pool-start-addr  Pool-end-addr  Pool-length  Used-addr-number
----------------------------------------------------------------------------
2            10.1.1.1         10.1.1.10      10           0
----------------------------------------------------------------------------
Total pool number: 1

1.3 Configuring a RADIUS Server

A RADIUS server must be configured to perform authentication and accounting by using RADIUS.

Context

NOTE

The access-side RADIUS server cannot be configured on the X1 or X2 models of the NE80E/40E.

1.3.1 Establishing the Configuration Task

Before configuring a RADIUS server, you need to familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

When the RADIUS protocol is used for implementing AAA, you need to configure a RADIUS server.

The NE80E/40E uses RADIUS server groups to manage RADIUS servers. A RADIUS server group is a set of RADIUS servers that have the same attributes (except IP addresses and port numbers) and work in either primary/secondary or load balancing mode.

NOTE

- There are default values for all RADIUS configurations. You can configure RADIUS as required.

- The RADIUS server group can be modified or deleted regardless of whether it is in use. Modifying or deleting a RADIUS server group does not affect existing users.

Pre-configuration Tasks

None.

Data Preparation

To configure a RADIUS server, you need the following data.

No.  Data

1    Name of the RADIUS server group

2    (Optional) Algorithm for selecting a RADIUS server

3    IP address and port number of the RADIUS authentication server

4    IP address and port number of the RADIUS accounting server


5    (Optional) Protocol version of the RADIUS server

6    (Optional) Key of the RADIUS server

7    (Optional) User name format adopted by the RADIUS server

8    (Optional) Traffic unit of the RADIUS server

9    (Optional) Response timeout period for the RADIUS server and number of retransmission times for RADIUS packets

10   (Optional) RADIUS attributes to be disabled

11   (Optional) Source RADIUS attributes, target RADIUS attributes in translation, and option of enabling the RADIUS attribute translation function

12   (Optional) Option of carrying the CAR value in the Class attribute of RADIUS packets

13   (Optional) IP address of the RADIUS authorization server, VPN instance, shared key, RADIUS server group to which the RADIUS authorization server belongs, and time of retaining the authorization response

14   (Optional) Number of response failures used to determine whether the RADIUS server is abnormal and time before the RADIUS server is restored to the Up state

15   (Optional) Number of extended source ports of the RADIUS server and number of the start extended source port

1.3.2 Creating a RADIUS Server Group

A RADIUS server group is composed of RADIUS servers with the same attributes (excluding the IP addresses and port numbers). These RADIUS servers work in either master/slave or load balancing mode.

Context

You can create up to 128 RADIUS server groups on the router.

Do as follows on the router:

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  radius-server group group-name

A RADIUS server group is created.


After the RADIUS server group is created, the system displays the RADIUS server group view. If a RADIUS server group already exists, you can enter the RADIUS server group view directly.

----End

1.3.3 Configuring RADIUS Authentication and Accounting Servers

If one server is used for both authentication and accounting, different interfaces should be used for authentication and accounting.

Context

To configure RADIUS authentication and accounting servers, you need to set the following parameters:

- IP addresses of the authentication and accounting servers
- VPN instance to which the authentication and accounting servers belong (public being the default value for the VPN instance)
- Port numbers of the authentication and accounting servers (1812 and 1813 by default)
- Weights of the authentication and accounting servers (applicable only to the load balancing mode, with the default value being 0)

NOTE

The RADIUS authentication and accounting servers can use the same IP address. This means that a server can function as both an authentication server and an accounting server.

Do as follows on the router:

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Run:
  radius-server authentication { ip-address [ vpn-instance instance-name ] | ipv6-address } port [ weight weight-value ]

A RADIUS authentication server is configured.

Step 4 Run:
  radius-server accounting { ip-address [ vpn-instance instance-name ] | ipv6-address } port [ weight weight-value ]

A RADIUS accounting server is configured.

Step 5 (Optional) Run:
  radius-server accounting-stop-packet resend [ resend-times ]

The number of times the accounting-stop packet is retransmitted is configured.


By default, accounting-stop packets are not retransmitted.

----End

1.3.4 (Optional) Configuring the Algorithm for Selecting a RADIUS Server

When there is more than one authentication or accounting server in a RADIUS server group, you can specify either the load balancing or master/backup mode for these RADIUS servers.

Context

When multiple authentication or accounting servers are configured in the RADIUS server group, you can configure the algorithm for selecting the RADIUS servers. The algorithm for selecting the RADIUS server can be load balancing or master/backup.

- Load balancing: The NE80E/40E allocates the load according to the weight of each server.
- Master/backup: The first configured server functions as the master server, and the others function as slave servers.

Do as follows on the router:

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Run:
  radius-server algorithm { loading-share | master-backup }

The algorithm for selecting the RADIUS server is configured.

By default, the algorithm for selecting the RADIUS server is master/backup.

----End

1.3.5 (Optional) Configuring Negotiated Parameters of the RADIUS Server

A RADIUS server and the NE80E/40E must use the same RADIUS parameters and message format to communicate.

Context

The negotiated parameters specify the conventions of the RADIUS protocol and message format used for communication between the RADIUS server and the NE80E/40E. The negotiated parameters are as follows:


l RADIUS protocol version

The NE80E/40E supports the standard RADIUS protocol, RADIUS+1.0, and RADIUS+1.1.

– The IP Hotel server supports RADIUS+1.0.

– The Portal server supports RADIUS+1.1.

l Key

The key is used to encrypt user passwords and generate the response authenticator. The RADIUS server encrypts the user password into an authentication packet by using the MD5 algorithm before sending the packet. This ensures the security of authentication data over the network. The key on the NE80E/40E must be the same as that on the RADIUS server so that both parties of the authentication identify each other. The key is case sensitive.

l User name format

On the NE80E/40E, a user name is in the format of user@domain. Certain RADIUS servers do not support user names that contain domain names. Therefore, you must set the format of the user name that the NE80E/40E sends to the RADIUS server according to whether the RADIUS server supports user names containing the domain name.

l Traffic unit

The traffic units used by different RADIUS servers may be different. The NE80E/40E supports four traffic units, byte, Kbyte, Mbyte, and Gbyte, to meet the requirements of various RADIUS servers.

l Retransmission parameters

After sending a packet to the RADIUS server, if no response is returned within the specified time, the NE80E/40E resends the packet. In this manner, authentication or accounting information is not lost due to temporary congestion on the network. The retransmission parameters of the RADIUS server include the timeout period and the number of retransmission times.
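The two things the shared key does, as described under Key above, worked through in Python as an added example (not Huawei code): hiding the User-Password in an Access-Request and computing/checking the Response Authenticator, both as defined in RFC 2865 sections 5.2 and 3. The secret, Request Authenticator and attribute bytes are constructed for illustration; the default key "huawei" named in Step 4 is exactly the kind of value this key must not be left at, since anyone holding the key can reverse the password hiding and forge valid responses.

```python
"""RFC 2865 shared-key operations: User-Password hiding and the Response
Authenticator. Added example, not Huawei code; sample values are constructed."""
import hashlib
import hmac
import struct


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """Hide a user password the way a NAS does before sending an Access-Request.

    The password is NUL-padded to a multiple of 16 bytes; block i is XORed with
    MD5(secret + previous ciphertext block), the first block using the 16-byte
    Request Authenticator. This is keyed obfuscation, not authenticated
    encryption: whoever holds the key can reverse it, which is why a default or
    shared-everywhere key is a risk.
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes (RFC 2865)")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += block
        prev = block          # chaining: next block keyed on this ciphertext
    return bytes(out)


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Reverse hide_password (what the RADIUS server does on receipt)."""
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")   # strip the NUL padding


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3.

    Length covers the 20-byte header plus the attribute bytes.
    """
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def verify_response(code: int, ident: int, request_auth: bytes, attributes: bytes,
                    secret: bytes, received_auth: bytes) -> bool:
    """The check a NAS performs on an Access-Accept/Reject: a mismatch means the
    reply was not built with the expected key (wrong key, or a forged reply)
    and must be discarded. Constant-time compare avoids a timing side channel."""
    expected = response_authenticator(code, ident, request_auth, attributes, secret)
    return hmac.compare_digest(expected, received_auth)


if __name__ == "__main__":
    # Constructed demo values, not real traffic.
    secret = b"example-secret"
    req_auth = bytes(range(16))
    hidden = hide_password(secret, req_auth, b"p@ss")
    print("hidden User-Password:", hidden.hex())
    print("revealed:", reveal_password(secret, req_auth, hidden))
    attrs = bytes([18, 4, 0x41, 0x42])          # Reply-Message "AB"
    auth = response_authenticator(2, 7, req_auth, attrs, secret)
    print("Response Authenticator valid:", verify_response(2, 7, req_auth, attrs, secret, auth))
    print("with wrong key:", verify_response(2, 7, req_auth, attrs, b"huawei", auth))
```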

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Run: radius-server type { standard | plus10 | plus11 }

The protocol version of the RADIUS server is configured.

By default, the RADIUS server uses the standard RADIUS protocol.

Step 4 Run: radius-server shared-key key-string [ authentication | accounting ] ip-address [ vpn-instance instance-name ] port-number [ weight weight ]


The key of the RADIUS server is configured.

You can configure a key on the NE80E/40E for each RADIUS server.

By default, the key of the RADIUS server is huawei.

Step 5 Run: radius-server user-name { domain-included | original }

The format of the user name contained in the RADIUS packets is configured.

By default, the user name on the RADIUS server contains the domain name.

Step 6 Run: radius-server traffic-unit { byte | gbyte | kbyte | mbyte }

The traffic unit of the RADIUS packets is configured.

This command is invalid for RADIUS servers that do not measure traffic in bytes and for RADIUS servers that use the standard RADIUS protocol.

By default, the traffic unit used by the RADIUS server is byte.

Step 7 Run: radius-server timeout timeout-value

The response timeout period of the RADIUS server is set.

By default, the response timeout period is 5 seconds.

Step 8 Run: radius-server retransmit retry-times

The number of retransmission times for RADIUS packets is set.

By default, the number of retransmission times is 3.

Step 9 Run: radius-attribute agent-circuit-id format { cn | tr-101 }

The ID format of the circuit through which RADIUS packets are transmitted to the upstream device is set.

By default, the packets that inform the upstream device of the link ID are in the cn format.

Step 10 Run: radius-server calling-station-id include option82

The method of constructing the No. 31 RADIUS public attribute is set.

By default, no method of constructing the No. 31 RADIUS public attribute is configured.

----End

1.3.6 (Optional) Disabling RADIUS Attributes

You must enable RADIUS attribute translation before disabling RADIUS attributes.

Context

This function is configured for a RADIUS server group and takes effect only on the RADIUS servers in this group. You can disable up to 64 attributes in a RADIUS server group.


You can disable the RADIUS attributes of both the sender and receiver on the NE80E/40E.

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Run: radius-server attribute translate

RADIUS attribute translation is enabled.

Step 4 Run: radius-attribute disable attribute-name { { access-accept | access-request | account } * | { receive | send } * }

The RADIUS attributes are disabled.

Or, run:

radius-attribute disable extend attribute-description { access-accept | { access-request | account } * }

The extend RADIUS attributes are disabled.

----End

1.3.7 (Optional) Configuring RADIUS Attribute Translation

The NE80E/40E can communicate with RADIUS servers from different vendors through the RADIUS attribute translation function.

Context

RADIUS servers from various vendors support different RADIUS attributes, and the vendors also define RADIUS attributes in different manners. This makes interconnection between the NE80E/40E and RADIUS servers more difficult.

To address this problem, the NE80E/40E provides the attribute translation function. After the attribute translation function is configured, the NE80E/40E can encapsulate or parse src-attribute by using the format of dest-attribute when transmitting or receiving RADIUS packets. By doing this, the NE80E/40E can communicate with different types of RADIUS servers.

This function is usually applied when one attribute has multiple formats. For example, the nas-port-id attribute has a new format and an old format. The NE80E/40E uses the new format. If the RADIUS server uses the old format, you can run the radius-attribute translate nas-port-id nas-port-identify-old receive send command on the NE80E/40E.

Do as follows on the router:


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Run: radius-server attribute translate

RADIUS attribute translation is enabled.

Step 4 Run: radius-attribute translate src-attr-description dest-attr-description { { access-accept | access-request | account } * | { receive | send } * }

Or, run:

radius-attribute translate extend src-attr-description dest-attr-description { access-accept | { access-request | account } * }

RADIUS attribute translation is configured.

Using the radius-attribute translate extend command configures translation of private RADIUS attributes.

NOTE

You can configure translation of up to 64 attributes on the NE80E/40E.

----End

1.3.8 (Optional) Configuring the Tunnel Password Delivery Mode

The RADIUS server supports a tunnel password in cipher text or plain text.

Context

The RADIUS protocol specifies that the RADIUS server must deliver the tunnel password in cipher text. Most RADIUS servers, however, do not conform to this specification. Therefore, the NE80E/40E supports configuration of the tunnel password delivery mode so that the NE80E/40E can communicate with various types of RADIUS servers.

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server group group-name


The RADIUS server group view is displayed.

Step 3 Run: radius-attribute tunnel-password { cipher | simple }

The mode in which the RADIUS server delivers the tunnel password is configured.

By default, the NE80E/40E requires the RADIUS server to deliver the tunnel password in cipher text.

----End

1.3.9 (Optional) Configuring the Class Attribute to Carry the CAR Value

You can configure the Class attribute to carry or not to carry the committed access rate (CAR) value to ensure the communication between the NE80E/40E and RADIUS servers from different vendors.

Context

As specified in the standard RADIUS protocol, the Class attribute carried in an access accept packet sent from the RADIUS server to the client must be returned to the accounting server without any change in an accounting request packet.

The NE80E/40E extends the standard RADIUS protocol by adding the CAR value to the Class attribute (RADIUS attribute 25).

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Run: radius-server class-as-car [ enable-pir ]

The Class attribute is configured to carry the CAR value.

By default, the Class attribute does not carry any CAR value.

NOTE

To meet the requirements of various RADIUS servers, the NE80E/40E can use RADIUS attribute 25 or RADIUS attribute 26 to send the CAR value to the RADIUS server. The preceding commands configure how RADIUS attribute 25 is used to send the CAR value to the RADIUS server.

----End


1.3.10 (Optional) Configuring the Format of the NAS-Port Attribute

You can configure different formats of the NAS-Port attribute so that the NE80E/40E can communicate with RADIUS servers from different vendors.

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server group group-name

The RADIUS server group view is displayed.

Step 3 Run: radius-server format-attribute { nas-port format-string | nas-port-id vendor vendor-id }

The format of the NAS-Port attribute and format of the NAS-Port-Id attribute are configured.

NOTE

When configuring the format of the NAS-Port-Id attribute, note the following:

l If the vendor ID is 2352, the NE80E/40E encapsulates the NAS-Port-Id attribute by using the default format defined by Redback.

l If the vendor ID is 2636, the NE80E/40E encapsulates the NAS-Port-Id attribute by using the default format defined by Juniper.

l If the vendor ID is 9, the NE80E/40E encapsulates the NAS-Port-Id attribute by using the default format defined by Cisco.

l For other vendors, the NE80E/40E encapsulates the NAS-Port-Id attribute by using the original format.

----End

1.3.11 (Optional) Configuring the Source Interface of a RADIUS Server

When the NE80E/40E connects to multiple RADIUS servers, you can configure the source interface of each RADIUS server on the NE80E/40E to identify the route between the NE80E/40E and each RADIUS server.

Context

On the NE80E/40E, you can configure the interface that connects to a RADIUS server as the source interface of the RADIUS server. You can configure the source interface in the system view or in the view of a RADIUS server group. The RADIUS servers in the RADIUS server group then use this source interface to interact with the NE80E/40E. If the source interface of the RADIUS server group is not configured, the RADIUS servers use the global source interface.


Do as follows on the router:

Procedure

l Configure the global source interface of all RADIUS servers in all RADIUS server groups.

1. Run: system-view

The system view is displayed.

2. Run: radius-server source interface interface-type interface-number

The global source interface of all the RADIUS servers is configured.

l Configure the source interface of a specified RADIUS server group.

1. Run: system-view

The system view is displayed.

2. Run: radius-server group group-name

The RADIUS server group view is displayed.

3. Run: radius-server source interface interface-type interface-number

The source interface of the RADIUS server group is configured.

----End

1.3.12 (Optional) Configuring a RADIUS Authorization Server

You can configure multiple RADIUS authorization servers to authorize users who use dynamic services.

Context

You need to configure a RADIUS authorization server for a dynamic service so that the RADIUS server can dynamically authorize a user when the user uses the dynamic service.

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server authorization ip-address [ vpn-instance instance-name ] { shared-key key | server-group groupname } * [ ack-reserved-interval interval ]

The global RADIUS authorization server is configured.


To retain the RADIUS authorization response packet so that it can answer retransmitted packets from the RADIUS authorization server, set the period for retaining the authorization response when configuring the RADIUS authorization server.

----End

1.3.13 (Optional) Setting the Status Parameters of a RADIUS Server

You can configure the status parameters of a RADIUS server on the NE80E/40E to monitor the RADIUS server status.

Context

The configuration is valid for all RADIUS servers.

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server { dead-count times | dead-interval interval | dead-time time }

The parameters used to determine the status of the RADIUS server are set.

By default, the router considers that the RADIUS server is abnormal when the RADIUS server fails to respond to 10 consecutive packets sent from the router within 5 seconds. The router waits for 3 minutes before restoring the status of the RADIUS server.

If the NE80E/40E does not receive any response after sending RADIUS packets the number of times configured in this command (dead-count), and the interval between the first and the last of the packets that the RADIUS server fails to respond to is longer than dead-interval, the NE80E/40E determines that the RADIUS server works abnormally and changes the status of the RADIUS server to Down.

After setting the status of the RADIUS server to Down, the NE80E/40E waits for the period configured in this command (dead-time) before setting the status of the RADIUS server to Up. At the same time, the NE80E/40E attempts to reestablish a connection with the RADIUS server. If the connection cannot be established, the NE80E/40E sets the status of the RADIUS server to Down again.

----End
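The Down/Up decision described in this section, modelled in Python as an added example (not Huawei code). It follows the paragraphs above: the server goes Down once dead-count consecutive packets are unanswered and the span from the first to the last of them exceeds dead-interval, and after dead-time it is set to Up and the connection retried. The defaults (10 packets, 5 seconds, 3 minutes) are the guide's; the probe result passed to restore() is an assumption standing in for the real reconnect attempt.

```python
"""Model of the radius-server dead-count / dead-interval / dead-time rule.
Added example, not Huawei code; times are seconds on a monotonic clock."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RadiusServerStatus:
    """Tracks one RADIUS server's Up/Down state as the guide describes it."""
    dead_count: int = 10          # guide default: 10 unanswered packets
    dead_interval: float = 5.0    # guide default: 5 seconds
    dead_time: float = 180.0      # guide default: 3 minutes
    state: str = "UP"
    unanswered: List[float] = field(default_factory=list)  # send times with no reply
    down_since: Optional[float] = None

    def sent_without_response(self, t: float) -> str:
        """Record a packet sent at time t that got no response; return new state."""
        if self.state == "DOWN":          # already Down, nothing more to decide
            return self.state
        self.unanswered.append(t)
        if len(self.unanswered) >= self.dead_count:
            span = self.unanswered[-1] - self.unanswered[0]
            # Both conditions must hold: enough consecutive misses AND the
            # misses are spread over more than dead_interval seconds.
            if span > self.dead_interval:
                self.state = "DOWN"
                self.down_since = t
                self.unanswered.clear()
        return self.state

    def response_received(self) -> str:
        """Any answer breaks the run of consecutive failures."""
        self.unanswered.clear()
        return self.state

    def restore(self, now: float, probe_ok: bool) -> str:
        """After dead_time the server is set to Up and the connection retried.

        probe_ok is an assumption standing in for that reconnect: when it
        fails the server goes straight back to Down with a fresh dead_time
        window, as the guide describes.
        """
        if self.state == "DOWN" and now - self.down_since >= self.dead_time:
            if probe_ok:
                self.state = "UP"
                self.down_since = None
            else:
                self.down_since = now
        return self.state


if __name__ == "__main__":
    # Constructed timeline: 4 unanswered packets spread over 2.5 s with
    # dead-count 3 and dead-interval 2 s takes the server Down.
    s = RadiusServerStatus(dead_count=3, dead_interval=2.0, dead_time=10.0)
    for t in (0.0, 1.0, 1.5, 2.5):
        print(f"t={t:4.1f} no reply -> {s.sent_without_response(t)}")
    print("t=12.5 retry   ->", s.restore(12.5, probe_ok=True))
```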

1.3.14 (Optional) Configuring the Extended Source Interfaces of a RADIUS Server

If you do not want to use the default extended source interface to send and receive RADIUS packets, you can change the default extended source interface of the RADIUS server.


Context

After you configure the extended source interfaces of the RADIUS server, the NE80E/40E increases the number of packets sent to the RADIUS server in a certain period of time.

After the configuration, the NE80E/40E sends RADIUS packets by using the extended source interfaces. The former half of the extended source interfaces are used to send and receive RADIUS authentication packets, and the latter half are used to send and receive RADIUS accounting packets. If an odd number of extended source interfaces is configured, the authentication interfaces outnumber the accounting interfaces by one.

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server extended-source-ports [ start-port start-port-number ] port-number port-number

The extended source interfaces of the RADIUS server are configured.

By default, no extended source interfaces of the RADIUS server are configured. In this case, the NE80E/40E uses the default interface 1812 to send and receive RADIUS authentication packets and the default interface 1813 to send and receive RADIUS accounting packets.

NOTE

If you do not specify the start interface number when configuring the extended source interfaces, the system assigns the configured number of valid extended source interfaces.

----End

1.3.15 Checking the Configuration

After configuring a RADIUS server, you can view the server configurations, RADIUS attributes supported by the system, and statistics on RADIUS packets.

Prerequisite

All the configurations of the RADIUS server are complete.

Procedure

l Run the display radius-server authorization configuration command to check the configuration of the RADIUS authorization server.

l Run the display radius-server configuration [ group groupname ] command to check the configuration of the RADIUS server group.

l Run the display radius-attribute [ name attribute-name | { type { 3gpp | dsl | huawei | microsoft | redback | standard } [ attribute-number ] } ] or display radius-attribute [ attribute-name ] command to check the RADIUS attributes supported by the system.


l Run the display radius-client configuration command to check the configuration of all RADIUS clients.

l Run the display radius-server packet ip-address ip-address [ vpn-instance ] { accounting | authentication } command to check the statistics about the packets on the RADIUS server of a specified IP address.

----End

Example

Run the display radius-server authorization configuration command, and you can view the configuration of the RADIUS authorization server.

<HUAWEI> display radius-server authorization configuration
-----------------------------------------------------------------------------
  IP-Address       Secret-key     Group       Ack-rReserved-interval
-----------------------------------------------------------------------------
  192.168.7.100    huawei         rd1         20
  Vpn : --
-----------------------------------------------------------------------------
  1 Radius authorization server(s) in total

Run the display radius-server configuration command, and you can view the configuration of the RADIUS server group.

<HUAWEI> display radius-server configuration
  RADIUS source interface            : LoopBack20
  RADIUS no response packet count    : 30
  RADIUS auto recover time(Min)      : 100
  RADIUS authentication source ports : IPv4: 1812 IPv6: 1812
  RADIUS accounting source ports     : IPv4: 1813 IPv6: 1813
  -------------------------------------------------------
  Server-group-name     : chen
  Authentication-server : IP:1.3.4.144 Port:1812 Weight[0] [UP]
                          Vpn: -
  Accounting-server     : IP:1.3.4.144 Port:1814 Weight[0] [UP]
                          Vpn: -
  Protocol-version      : radius
  Shared-secret-key     : huawei
  Retransmission        : 3
  Timeout-interval(s)   : 5
  Acct-Stop-Packet Resend       : NO
  Acct-Stop-Packet Resend-Times : 0
  -------------------------------------------------------
  Are you sure to display next (y/n)[y]:y
  -------------------------------------------------------
  Server-group-name     : huawei
  Authentication-server : IP:10.1.1.1 Port:1820 Weight[50] [UP]
                          Vpn: -
  Accounting-server     : IP:10.1.1.1 Port:1823 Weight[0] [UP]
                          Vpn: -
  Accounting-server     : IP:10.1.1.2 Port:20 Weight[20] [UP]
                          Vpn: - share-key: huawei
  Protocol-version      : radius
  Shared-secret-key     : huawei
  Retransmission        : 2
  Timeout-interval(s)   : 8
  Acct-Stop-Packet Resend       : YES
  Acct-Stop-Packet Resend-Times : 100
  -------------------------------------------------------
  Total 2,2 printed


Run the display radius-attribute [ name attribute-name | { type { 3gpp | dsl | huawei | microsoft | redback | standard } [ attribute-number ] } ] command, and you can view the RADIUS attributes supported by the NE80E/40E of the current version.

<HUAWEI> display radius-attribute type standard 1
  Radius Attribute Type        : 1
  Radius Attribute Name        : User-Name
  Radius Attribute Description : This Attribute indicates the name of the user to be authenticated.
  Supported Packets            : Auth Request, Acct Request, Session Control, COA Request, COA Ack

Run the display radius-client configuration command, and you can view the configuration of all the RADIUS clients.

<HUAWEI> display radius-client configuration
--------------------------------------------------------------------------
  IP-Address       Secret-key     Group
--------------------------------------------------------------------------
  172.194.0.10     huawei         sim3
  172.194.0.20     huawei         sim3
  7.0.200.10       huawei         sim3
  1.1.1.1          1              xzn
  Vpn : dsg
--------------------------------------------------------------------------
  4 Radius client(s) in total

Run the display radius-server packet ip-address ip-address [ vpn-instance ] accounting command, and you can view the statistics about the accounting packets on the RADIUS server of a specified IP address.

<HUAWEI> display radius-server packet ip-address 74.1.1.2 accounting
  Account Requests            : 1
  Account Retransmissions     : 19
  Account Responses           : 0
  Malformed Account Responses : 0
  Bad Authenticators          : 0
  Pending Requests            : 0
  Timeouts                    : 20
  Unknown Types               : 0
  Packets Dropped             : 0
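A health check over this packet-statistics output, as an added example (not Huawei code): it parses the counter lines and turns them into findings an operator would act on, such as a server that never answers or replies that fail the authenticator check. The first sample is the guide's output above; the second is constructed to show the Bad Authenticators case. The counter names for the authentication view ("Access ...") are an assumption; only the accounting output appears in the guide.

```python
"""Parse 'display radius-server packet ... accounting' output and flag problems.
Added example, not Huawei code."""
import re
from typing import Dict, List

# One "Name : value" counter per line; prompt and separator lines do not match.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$")

# Copied from the guide's own example output above.
SAMPLE_FROM_GUIDE = """<HUAWEI>display radius-server packet ip-address 74.1.1.2 accounting
 Account Requests : 1
 Account Retransmissions : 19
 Account Responses : 0
 Malformed Account Responses : 0
 Bad Authenticators : 0
 Pending Requests : 0
 Timeouts : 20
 Unknown Types : 0
 Packets Dropped : 0
"""

# Constructed sample: the server answers, but some replies fail the
# Response Authenticator check (a shared-key mismatch looks like this).
SAMPLE_KEY_MISMATCH = """<HUAWEI>display radius-server packet ip-address 192.0.2.10 accounting
 Account Requests : 40
 Account Retransmissions : 2
 Account Responses : 37
 Malformed Account Responses : 0
 Bad Authenticators : 3
 Pending Requests : 0
 Timeouts : 2
 Unknown Types : 0
 Packets Dropped : 0
"""


def parse_packet_counters(output: str) -> Dict[str, int]:
    """Return {counter name: value} for every counter line in the output."""
    counters: Dict[str, int] = {}
    for line in output.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def assess(counters: Dict[str, int], kind: str = "Account") -> List[str]:
    """Derive findings from the counters.

    kind selects the counter prefix: "Account" as in the guide's output, or
    "Access" for the authentication view (assumed naming, not shown in the guide).
    """
    req = counters.get(f"{kind} Requests", 0)
    retx = counters.get(f"{kind} Retransmissions", 0)
    resp = counters.get(f"{kind} Responses", 0)
    bad_auth = counters.get("Bad Authenticators", 0)
    malformed = counters.get(f"Malformed {kind} Responses", 0)
    timeouts = counters.get("Timeouts", 0)
    findings: List[str] = []
    if req + retx > 0 and resp == 0:
        findings.append("no responses at all: server down or unreachable, or this "
                        "NAS is not a configured client on the server")
    if bad_auth > 0:
        findings.append(f"{bad_auth} bad authenticators: shared key mismatch or "
                        "forged replies, check radius-server shared-key on both sides")
    if malformed > 0:
        findings.append(f"{malformed} malformed responses: protocol or version "
                        "mismatch, check radius-server type")
    if req > 0 and retx / req > 1:
        findings.append(f"retransmission ratio {retx / req:.1f}: every request is "
                        "being resent, check timeout and the network path")
    if timeouts > 0 and resp > 0:
        findings.append(f"{timeouts} timeouts with replies still arriving: "
                        "partial loss or an overloaded server")
    return findings


if __name__ == "__main__":
    for name, sample in (("guide", SAMPLE_FROM_GUIDE), ("constructed", SAMPLE_KEY_MISMATCH)):
        print(f"== {name} sample ==")
        for finding in assess(parse_packet_counters(sample)):
            print(" -", finding)
```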

Run the display radius offline-sub-reason [ subcode subcode-number ] command to check the user offline causes mapped to the numbers carried in the Accounting Stop packets sent to the RADIUS server.

<HUAWEI> display radius offline-sub-reason subcode 1
------------------------------------------------------------------------------
Subcode    description of offline sub reason
------------------------------------------------------------------------------
1          User request to offline
------------------------------------------------------------------------------

1.4 Configuring an HWTACACS Server

An HWTACACS server must be configured to perform authentication and accounting by using HWTACACS.

Context

NOTE

The access-side HWTACACS server cannot be configured on the X1 or X2 models of the NE80E/40E.


1.4.1 Establishing the Configuration Task

Before configuring an HWTACACS server, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

When the HWTACACS protocol is used for implementing AAA, you need to configure an HWTACACS server.

NOTE

l The HWTACACS server template can be modified regardless of whether it is in use.

l By default, no authentication key is configured for an HWTACACS server.

Pre-configuration Tasks

None.

Data Preparation

To configure an HWTACACS server, you need the following data.

No.  Data

1    Name of the HWTACACS server template

2    IP address and interface number of the primary HWTACACS server for authentication, authorization, and accounting, and the VPN instance to be bound

3    IP address and interface number of the secondary HWTACACS server for authentication, authorization, and accounting

4    Number of retransmission attempts of accounting stop packets, or whether retransmission is disabled

5    Source IP address of the HWTACACS server

6    (Optional) Key of the HWTACACS server

7    (Optional) Format of the user name supported by the HWTACACS server

8    (Optional) Traffic unit of the HWTACACS server

9    (Optional) Response timeout period of the HWTACACS server

10   (Optional) Time for the primary HWTACACS server to restore to the active state

1.4.2 Creating an HWTACACS Server Template

You must create an HWTACACS server template before configuring an HWTACACS server.


Context

Up to 128 HWTACACS server templates can be configured on the NE80E/40E.

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: hwtacacs-server template template-name

An HWTACACS server template is created and the HWTACACS server template view is displayed.

If the HWTACACS server template already exists, this command directly displays the HWTACACS server template view.

----End

1.4.3 Configuring HWTACACS Authentication/Authorization/Accounting Servers

Either the IP address of the primary authentication server must be different from that of the secondary authentication server, or the VPN instance bound to the primary authentication server must be different from that bound to the secondary authentication server; otherwise, the configuration of the HWTACACS server fails.

Context

Do as follows on the router:

Procedure

l Configure an HWTACACS authentication server.

1. Run: system-view

The system view is displayed.

2. Run: hwtacacs-server template template-name

The HWTACACS server template view is displayed.

3. Run: hwtacacs-server authentication ip-address [ port ] [ vpn-instance vpn-instance-name ]

The primary HWTACACS authentication server is configured.

By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0, and no VPN instance is bound to the primary HWTACACS authentication server.


4. Run: hwtacacs-server authentication ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary

The secondary HWTACACS authentication server is configured.

By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0, and no VPN instance is bound to the secondary HWTACACS authentication server.

l Configure an HWTACACS authorization server.

1. Run: system-view

The system view is displayed.

2. Run: hwtacacs-server template template-name

The HWTACACS server template view is displayed.

3. Run: hwtacacs-server authorization ip-address [ port ] [ vpn-instance vpn-instance-name ]

The primary HWTACACS authorization server is configured.

By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0, and no VPN instance is bound to the primary HWTACACS authorization server.

4. Run: hwtacacs-server authorization ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary

The secondary HWTACACS authorization server is configured.

By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0, and no VPN instance is bound to the secondary HWTACACS authorization server.

l Configure an HWTACACS accounting server.

1. Run: system-view

The system view is displayed.

2. Run: hwtacacs-server template template-name

The HWTACACS server template view is displayed.

3. Run: hwtacacs-server accounting ip-address [ port ] [ vpn-instance vpn-instance-name ]

The primary HWTACACS accounting server is configured.

By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0, and no VPN instance is bound to the primary HWTACACS accounting server.

4. Run: hwtacacs-server accounting ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary


The secondary HWTACACS accounting server is configured.

By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0, and no VPN instance is bound to the secondary HWTACACS accounting server.

----End

1.4.4 Configuring the Source IP Address of an HWTACACS Server

The source IP address of an HWTACACS server is the source IP address of the packet sent by the NE80E/40E to the HWTACACS server.

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run: hwtacacs-server source-ip ip-address

The source IP address of the HWTACACS server is configured.

By default, the source IP address of the HWTACACS server is 0.0.0.0. In this case, the NE80E/40E uses the IP address of the outbound interface as the source IP address of HWTACACS packets.

After you specify a source IP address for HWTACACS packets, the specified address is used for the communication between the NE80E/40E and the HWTACACS server.

----End

1.4.5 (Optional) Setting the Negotiated Parameters of the HWTACACS Server

An HWTACACS server and the NE80E/40E must use the same HWTACACS parameters and message format to communicate.

Context

The negotiated parameters specify the conventions of the HWTACACS protocol and message format used for communication between the HWTACACS server and the NE80E/40E. The negotiated parameters are as follows:

l Key

The key improves security of communication between the NE80E/40E and the HWTACACS server.


The key on the NE80E/40E must be the same as that on the HWTACACS server so that both parties of the authentication identify each other. The key is case sensitive.

l User name format

On the NE80E/40E, a user name is in the format of user@domain. When the HWTACACS server does not identify user names that contain the domain name, the NE80E/40E sends the user name without the domain name to the HWTACACS server.

l Traffic unit

The NE80E/40E supports four traffic units, byte, Kbyte, Mbyte, and Gbyte, to meet the requirements of various HWTACACS servers.

Do as follows on the router:

Procedure

l (Optional) Configure the key for the HWTACACS server.

1. Run: system-view

The system view is displayed.

2. Run: hwtacacs-server template template-name

The HWTACACS server template view is displayed.

3. Run: hwtacacs-server shared-key key-string

The key is configured for the HWTACACS server.

By default, the key of the HWTACACS server is null.

Setting the key of the HWTACACS server improves the security of the communication between the NE80E/40E and the HWTACACS server.

NOTE

To guarantee the validity of the authenticator and the authenticated, the router and the HWTACACS server must be set with the same key.

l (Optional) Configure the user name format for the HWTACACS server.

1. Run: system-view

The system view is displayed.

2. Run: hwtacacs-server template template-name

The HWTACACS server template view is displayed.

3. Run: hwtacacs-server user-name domain-included

The user name format is configured for the HWTACACS server.

By default, the user name supported by the HWTACACS server contains the domain name.


When the HWTACACS server does not identify user names that contain the domain name, you can configure the router to remove the domain name from the user name before sending the user name to the HWTACACS server.

NOTE

The format of a user name is "user name@domain name."

l (Optional) Set the traffic unit for the HWTACACS server.1. Run:

system-view

The system view is displayed.2. Run:

hwtacacs-server templatetemplate-name

The HWTACACS server template view is displayed.3. Run:

hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit is set for the HWTACACS server.

By default, the traffic unit of the NE80E/40E is byte.

----End

1.4.6 (Optional) Configuring the Timers for the HWTACACS Server

You can configure the timers for the HWTACACS server to control how the NE80E/40E detects a server that is not responding and when it retries the primary server. This configuration is used for network optimization.

Context
If the NE80E/40E sends a packet to the HWTACACS server but does not receive any response within the specified time, the NE80E/40E considers the connection broken. The specified time is the response timeout period of the HWTACACS server.

NOTE
HWTACACS is implemented over TCP; therefore, either the server response timeout or a TCP timeout may cause the NE80E/40E to disconnect from the HWTACACS server.

If the NE80E/40E determines that its connection with the primary HWTACACS server is broken, it waits for a period of time and then reconnects to the primary server. This period is the time for the primary HWTACACS server to restore to the active state (the quiet interval).

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
  The system view is displayed.

Step 2 Run:
  hwtacacs-server template template-name
  The HWTACACS server template view is displayed.

Step 3 Run:
  hwtacacs-server timer response-timeout value
  The response timeout period of the HWTACACS server is set.
  By default, the response timeout period of the HWTACACS server is 5 seconds.

Step 4 Run:
  hwtacacs-server timer quiet value
  The time for the primary HWTACACS server to restore to the active state is set.
  By default, the time for the primary HWTACACS server to restore to the active state is 5 minutes.

----End

1.4.7 (Optional) Configuring Retransmission of Accounting Stop Packets

Retransmission of accounting stop packets needs to be configured only when the network quality is unsatisfactory.

Context

If HWTACACS accounting is used, the NE80E/40E generates an accounting stop packet after a user logs out and then sends the packet to the HWTACACS server. If network connectivity is less than satisfactory, you can enable retransmission of accounting stop packets to prevent the loss of accounting information.

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
  The system view is displayed.

Step 2 Run:
  hwtacacs-server accounting-stop-packet resend { disable | enable number }
  Retransmission of accounting stop packets is configured.

You can enable or disable retransmission of accounting stop packets and set the number of retransmission attempts. By default, retransmission of accounting stop packets is enabled on the NE80E/40E and the number of retransmission attempts is 100.

An accounting stop packet instructs the HWTACACS server to stop accounting for the session. If the accounting server does not receive the packet, it continues accounting, so a lost stop packet means the user keeps being billed for a session that has already ended.

In this case, the NE80E/40E retransmits the accounting stop packet until the server receives it or until the number of retransmission attempts reaches the configured limit.

----End
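Sections 1.4.5 to 1.4.7 show each optional setting as a separate procedure. The following consolidated configuration is an added example and is not taken from the Huawei guide: it creates one template, tac-core, and sets the key, user name format, traffic unit, timers and accounting-stop retransmission in one pass. The server addresses, port, key and template name are constructed values; the hwtacacs-server authentication / authorization / accounting commands that bind servers to the template, the secondary keyword and the undo form of the user-name command are assumed from standard VRP syntax and the display output in 1.4.9 rather than taken from this section, and the prompts are illustrative.

```text
# Added example, not from the Huawei guide. Lines starting with # are comments for the reader.
# Server addresses, port, key and names are constructed values.
<HUAWEI> system-view
[HUAWEI] hwtacacs-server template tac-core

# Bind the servers (assumed syntax; the ip:port:vpn-instance layout matches display hwtacacs-server template).
[HUAWEI-hwtacacs-tac-core] hwtacacs-server authentication 10.1.1.10 49
[HUAWEI-hwtacacs-tac-core] hwtacacs-server authentication 10.1.1.11 49 secondary
[HUAWEI-hwtacacs-tac-core] hwtacacs-server authorization 10.1.1.10 49
[HUAWEI-hwtacacs-tac-core] hwtacacs-server accounting 10.1.1.10 49

# Shared key: must match the server exactly (case sensitive). Never leave the null default.
[HUAWEI-hwtacacs-tac-core] hwtacacs-server shared-key Tac-C0re-Sh4red-Key

# Send user@domain unchanged (this is the default). If the server cannot parse the
# "@domain" suffix, use the undo form instead (assumed):
#   undo hwtacacs-server user-name domain-included
[HUAWEI-hwtacacs-tac-core] hwtacacs-server user-name domain-included

# Report traffic in kbytes (default is byte).
[HUAWEI-hwtacacs-tac-core] hwtacacs-server traffic-unit kbyte

# Treat the server as down after 3 s without a reply (default 5 s); retry the primary after 5 min.
[HUAWEI-hwtacacs-tac-core] hwtacacs-server timer response-timeout 3
[HUAWEI-hwtacacs-tac-core] hwtacacs-server timer quiet 5
[HUAWEI-hwtacacs-tac-core] quit

# Accounting stop packets are retried system-wide, not per template: cap retries at 20 (default 100).
[HUAWEI] hwtacacs-server accounting-stop-packet resend enable 20

# Verify: check the Shared-key line and that the Current-* servers are the intended ones.
[HUAWEI] display hwtacacs-server template tac-core
```

A shorter response timeout fails over to the secondary server sooner but also marks a slow primary down more readily; once the primary is marked down it is not retried until the quiet interval (5 minutes here) has elapsed, so the two timers should be chosen together.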


1.4.8 (Optional) Configuring HWTACACS Users to Change Passwords

You can authorize HWTACACS users to change their own passwords to simplify management.

Context
Do as follows on the router:

Procedure

Step 1 Run:
  hwtacacs-user change-password hwtacacs-server template-name
  The HWTACACS user is authorized to change the password.

NOTE
- Users can log in to the device successfully only when they pass HWTACACS authentication and the HWTACACS server template has been configured.
- Users can change passwords only while the user names and passwords saved on the HWTACACS server are still valid.
- When a user whose password has expired logs in to the device, the HWTACACS server returns an authentication failure packet and the user cannot change the password.

----End

1.4.9 Checking the Configuration
After configuring an HWTACACS server, you can view the configuration of the HWTACACS server.

Prerequisite
All the configurations of the server template are complete.

Procedure
- Run the display hwtacacs-server template [ template-name [ verbose ] ] command to check the configuration of the HWTACACS server template.
- Run the display hwtacacs-server accounting-stop-packet { all | number | ip ip-address } command to check information about the accounting stop packets on the HWTACACS server.

----End

Example
Run the display hwtacacs-server template command, and you can view information about the HWTACACS server.

<HUAWEI> display hwtacacs-server template
-----------------------------------------------------------
HWTACACS-server template name    : 123
Primary-authentication-server    : 0.0.0.0:0:-
Primary-authorization-server     : 0.0.0.0:0:-
Primary-accounting-server        : 0.0.0.0:0:-
Secondary-authentication-server  : 0.0.0.0:0:-
Secondary-authorization-server   : 0.0.0.0:0:-
Secondary-accounting-server      : 0.0.0.0:0:-
Current-authentication-server    : 0.0.0.0:0:-
Current-authorization-server     : 0.0.0.0:0:-
Current-accounting-server        : 0.0.0.0:0:-
Source-IP-address                : 0.0.0.0
Shared-key                       : -
Quiet-interval(min)              : 5
Response-timeout-Interval(sec)   : 5
Domain-included                  : Yes
Traffic-unit                     : B
-------------------------------------------------------------
Are you sure to display more information (y/n)[y]:y
-------------------------------------------------------------
HWTACACS-server template name    : test1
Primary-authentication-server    : 1.1.11.1:49:vpna
Primary-authorization-server     : 0.0.0.0:0:-
Primary-accounting-server        : 1.1.1.1:49:vpna
Secondary-authentication-server  : 0.0.0.0:0:-
Secondary-authorization-server   : 1.1.1.1:12:vpna
Secondary-accounting-server      : 0.0.0.0:0:-
Current-authentication-server    : 1.1.11.1:49:vpna
Current-authorization-server     : 1.1.1.1:12:vpna
Current-accounting-server        : 1.1.1.1:49:vpna
Source-IP-address                : 1.1.1.1
Shared-key                       : -
Quiet-interval(min)              : 5
Response-timeout-Interval(sec)   : 5
Domain-included                  : Yes
Traffic-unit                     : B
-------------------------------------------------------------
Total 2,2 printed

In this sample output both templates show Shared-key : -, consistent with the null default, and the Current-* entries of template test1 show which server the router is actually using for each of authentication, authorization, and accounting. When checking a production configuration, confirm that every template in use has a key set and that the current servers are the intended ones.

1.5 Configuring Bill Saving
Saving bills to the local device backs up the bills that are sent to the remote accounting server. When the remote server fails, accounting information is still available locally.

Context
NOTE
Bill saving cannot be configured on the X1 or X2 models of the NE80E/40E.

1.5.1 Establishing the Configuration Task
Before configuring bill saving on the local device, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

The accounting information on the NE80E/40E is a backup of the accounting information on the remote server. When an error occurs on the remote server, the CDRs are stored on the NE80E/40E, so the accounting information is not lost.

After bill saving is configured on the local device, the NE80E/40E first saves the generated CDRs to the cache. The cached CDRs are then saved either to the CF card or to the bill server by using TFTP. The CDRs saved on the CF card can also be backed up to the bill server.


On the NE80E/40E, you can create or delete local CDR pools by using commands. Bill saving can be configured on the local device only after a local CDR pool has been created. If the local CDR pool does not exist, this function does not take effect and CDRs are not backed up.

Pre-configuration Tasks
None.

Data Preparation
To configure bill saving on the local device, you need the following data.

No.  Data
1    IP address of the CDR server and name of the CDR file
2    (Optional) Alarm thresholds for CDRs on the CF card and in the cache
3    (Optional) Intervals for automatic backup of CDRs on the CF card and in the cache
4    (Optional) Mode of backing up the cached CDRs

1.5.2 Creating a Local CDR Pool
You must create a local CDR pool before saving the bills to the local device.

Context
You can create or delete local CDR pools by running commands on the NE80E/40E. Local CDRs can be saved only after a local CDR pool has been created. When the local CDR pool is deleted, the local CDRs in the pool are also deleted. Therefore, back up the local CDRs before deleting the local CDR pool.

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
  The system view is displayed.

Step 2 Run:
  local-aaa-server
  The local AAA server view is displayed.

Step 3 Run:
  local-bill-pool enable
  A local CDR pool is created.
  By default, no local CDR pool exists on the NE80E/40E.

----End


1.5.3 Configuring the Backup Mode of Cached Bills
By default, the cached bills are backed up to the CF card. Because the capacity of the CF card is limited, the system allows you to back up the cached bills to another location.

Context
The cached bills can be backed up to the CF card, backed up to the bill server by using TFTP, or not backed up at all.

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
  The system view is displayed.

Step 2 Run:
  local-aaa-server
  The local AAA server view is displayed.

Step 3 Run:
  local-bill cache backup-mode { cfcard | none | tftp }
  The backup mode of the cached bills is configured.
  By default, the cached bills are backed up to the CF card. When the number of cached bills exceeds the alarm threshold, the system automatically backs up the cached bills to the CF card and then clears the bills in the cache. Because the capacity of the CF card is limited, the bills on the CF card must in turn be backed up to the bill server after a period of time. Backing up the cached bills directly to the bill server is therefore recommended. Note that none means the cached bills are not backed up anywhere.

----End

1.5.4 (Optional) Backing up Bills on the CF Card to the Bill Server
Because the capacity of the CF card is limited, it is recommended that you back up the bills on the CF card to the bill server, so that the bills on the CF card do not exceed the alarm threshold and cause accounting information to be lost.

Context
NOTE
By default, the cached bills are automatically backed up to the CF card. Because the capacity of the CF card is limited, you must back up the bills on the CF card to the bill server.

Do as follows on the router:

Procedure
- Configure the bill server.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     local-aaa-server
     The local AAA server view is displayed.
  3. Run:
     bill-server ip-address filename file-name
     The bill server is configured.
     When configuring the bill server on the NE80E/40E, you need to specify the IP address of the bill server and the prefix of the bill file names. The bill file names are in the form "prefix-time-sequence number.lam". Assume that the prefix of the bill file names is "backupfile", the bills are backed up at 15:26 on 2005-03-15, and 10 bill files are generated. The name of the fifth bill file is then "backupfile-200503151526-5.lam".
     NOTE
     The NE80E/40E uses TFTP to upload the bill files to the bill server. Hence, a TFTP server program must be running on the bill server, with a working directory configured for the bill files. TFTP provides neither authentication nor encryption, and the bill files contain user names and user IP and MAC addresses, so restrict which hosts can reach the TFTP server and which source can write to it.

- Set the alarm threshold for the CF card usage.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     local-aaa-server
     The local AAA server view is displayed.
  3. Run:
     local-bill cfcard alarm-threshold threshold
     The alarm threshold of the CF card usage is set.
     The default alarm threshold of the CF card usage is 75%.
     When the CF card usage exceeds the alarm threshold, the bills on the CF card need to be backed up to the bill server, either automatically or manually. By default, the bills are backed up to the bill server automatically; that is, the system backs up the bills on the CF card to the bill server after the configured interval. If you intend to back up the bills manually, run the local-bill cfcard backup [ file-name ] command. After that, when the usage of the CF card exceeds the alarm threshold, the system sends an alarm to the NMS and the terminal instructing you to manually back up the bills to the bill server.

- Set the interval at which bills are backed up automatically.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     local-aaa-server
     The local AAA server view is displayed.
  3. Run:
     local-bill cfcard backup-interval interval
     The interval at which bills are backed up automatically is set.
     By default, the bills on the CF card are backed up at intervals of 1440 minutes.

- Back up the bills on the CF card to the bill server manually.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     local-aaa-server
     The local AAA server view is displayed.
  3. Run:
     local-bill cfcard backup [ file-name ]
     The bills on the CF card are backed up to the bill server manually.

- (Optional) Clear all the bills on the CF card.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     local-aaa-server
     The local AAA server view is displayed.
  3. Run:
     local-bill cfcard reset
     All the bills on the CF card are cleared.
     After this command is used, all the bills on the CF card are cleared and cannot be restored. Back up the CF card to the bill server first.

----End

1.5.5 (Optional) Backing up the Bills in the Cache to the Bill Server
The capacities of the cache and the CF card are small; therefore, it is recommended that you back up the bills in the cache to the bill server.

Context
The NE80E/40E uses TFTP to upload the bill files to the bill server. Hence, a TFTP server program must be running on the bill server, with a working directory configured for the bill files.

Do as follows on the router:

Procedure
- Configure the bill server.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     local-aaa-server
     The local AAA server view is displayed.
  3. Run:
     bill-server ip-address filename file-name
     The bill server is configured.
     When configuring the bill server on the NE80E/40E, you need to specify the IP address of the bill server and the prefix of the bill file names. On the NE80E/40E, the bill file names are in the form "prefix-time-sequence number.lam".
     Assume that the prefix of the bill file names is "backupfile", the bills are backed up at 15:26 on 2005-03-15, and 10 bill files are generated. The name of the fifth bill file is then "backupfile-200503151526-5.lam".

- Set the alarm threshold for the cache usage.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     local-aaa-server
     The local AAA server view is displayed.
  3. Run:
     local-bill cache alarm-threshold threshold
     The alarm threshold for the cache usage is set.
     The default alarm threshold for the cache usage is 75%.
     The capacity of the cache is limited. Hence, when the cache usage exceeds the alarm threshold, the bills in the cache need to be backed up to another location according to the configured backup mode, either automatically or manually. By default, the bills are backed up automatically; that is, the system automatically backs up the bills to the configured location after the configured interval. If you intend to back up the bills manually, run the local-bill cache backup command. After that, when the cache usage exceeds the alarm threshold, the system sends an alarm to the NMS and the terminal instructing you to manually back up the bills to the bill server or the CF card.

- Set the interval at which bills are backed up automatically.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     local-aaa-server
     The local AAA server view is displayed.
  3. Run:
     local-bill cache backup-interval interval
     The interval at which bills are backed up automatically is set.
     By default, the bills in the cache are backed up at intervals of 1440 minutes.

- Back up the bills in the cache to the bill server manually.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     local-aaa-server
     The local AAA server view is displayed.
  3. Run:
     local-bill cache backup
     The bills in the cache are backed up manually.

----End
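The procedures in 1.5.2 to 1.5.5 spread the bill-saving configuration across several optional tasks. The following is an added example, not taken from the Huawei guide, that puts them together: it creates the local CDR pool, points the router at a bill server, backs up the cache directly to the server over TFTP as 1.5.3 recommends, lowers both alarm thresholds, and finishes with a manual cache backup and a configuration check. The bill server address 10.2.2.20, the file prefix cdr-ne80e, the threshold and interval values, and the prompts are constructed.

```text
# Added example, not from the Huawei guide. Lines starting with # are comments for the reader.
# Address, file prefix, thresholds and intervals are constructed values.
<HUAWEI> system-view
[HUAWEI] local-aaa-server

# 1. The pool must exist first; without it none of the following takes effect and no CDR is backed up.
[HUAWEI-local-aaa] local-bill-pool enable

# 2. Bill server and file prefix. Files arrive as cdr-ne80e-<yyyymmddhhmm>-<n>.lam on the TFTP server.
#    TFTP has no authentication or encryption and the .lam files contain user names,
#    IP addresses and MAC addresses: keep this server on a management-only network.
[HUAWEI-local-aaa] bill-server 10.2.2.20 filename cdr-ne80e

# 3. Skip the CF card and send cached bills straight to the server (recommended in 1.5.3).
[HUAWEI-local-aaa] local-bill cache backup-mode tftp

# 4. Alarm earlier than the 75% default and back up the cache hourly instead of every 1440 min.
[HUAWEI-local-aaa] local-bill cache alarm-threshold 60
[HUAWEI-local-aaa] local-bill cache backup-interval 60

# 5. CF-card settings still apply to bills already written there: alarm at 60%, daily backup.
[HUAWEI-local-aaa] local-bill cfcard alarm-threshold 60
[HUAWEI-local-aaa] local-bill cfcard backup-interval 1440

# 6. Push whatever is in the cache now, then confirm the settings.
[HUAWEI-local-aaa] local-bill cache backup
[HUAWEI-local-aaa] quit
[HUAWEI] display local-bill configuration
```

Do not run local-bill cfcard reset until the bill server's directory confirms that the CF-card bills have arrived; the reset cannot be undone.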

1.5.6 Checking the Configuration
After bill saving is configured, you can view the configuration of this feature.

Procedure
- Run the display local-bill { cache start-no count | configuration | information } command to check the configuration of bill saving.

----End

Example
Run the display local-bill { cache start-no count | configuration | information } command, and you can view the configuration of bill saving. The following output requests two cached bills starting at number 0; only one is present.

<HUAWEI> display local-bill cache 0 2
Contents of Bill 1:
--------------------------------------------------------------
Bill-No    : 1
Session-Id : NE80E/40E-1007002000000100ee7075000024
User-name  : user1@huawei
Start-Time : 2007/11/24 18:04:42
Stop-Time  : 2007/11/24 18:06:17
Elapse     : 0:01:35
IP-Addr    : 192.168.7.186
MAC        : 0016-ecb7-a879
IPv6-Addr  : ::
Auth-Type  : PPP
Access-Type: PPPoE
Port-No    : 1/0/2
VLAN       : 100
Status     : 2(offline)
Code       : 6, Ref: 98
Acc Data before Tariff Switch, 1
  Priority : 0 :
  User-received: Bytes=0 , Pkts=0
  User-sent: Bytes=0 , Pkts=0
Acc Data after Tariff Switch, 1
  Priority : 0 :
  User-received: Bytes=0 , Pkts=0
  User-sent: Bytes=0 , Pkts=0
--------------------------------------------------------------
Total printed 1 bills from cache.

1.6 Configuring a Domain
The NE80E/40E supports domain-based management for local users and access users.


Context
NOTE
The access-side domain cannot be configured on the X1 or X2 models of the NE80E/40E.

1.6.1 Establishing the Configuration Task
Before configuring a domain, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

You need to configure a domain to perform AAA management on access users.

Pre-configuration Tasks

Before configuring a domain, complete the following tasks:

- Configuring authentication, authorization, and accounting schemes
- Configuring a RADIUS server group if RADIUS authentication and accounting are adopted
- Configuring an HWTACACS server template if HWTACACS authentication, authorization, and accounting are adopted
- Configuring an IPv4 address pool

Data Preparation

To configure a domain, you need the following data.

No.  Data
1    Domain name
2    Names of the authentication, authorization, and accounting schemes
3    Names of the RADIUS server group and HWTACACS server template, and IP address of the DNS server
4    Name of the IPv4 address pool
5    (Optional) Maximum number of access users and maximum connection setup rate

NOTE
User attributes of the domain include the user priority, user group, idle-cut parameter, time-specific QoS guarantee, QoS profile, queue profile, VAS policy, policy-based routing, multicast parameter, and maximum re-authentication period. These attributes take effect only for users that newly go online. Users that are already online must go offline and online again for the new attributes to take effect.


1.6.2 Creating a Domain
User management is implemented based on domains. It is recommended that a domain be named after an ISP or a service.

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
  The system view is displayed.

Step 2 Run:
  aaa
  The AAA view is displayed.

Step 3 Run:
  domain domain-name
  A domain is created and the domain view is displayed.

Up to 1024 domains can be created on the NE80E/40E. The NE80E/40E has three default domains: default0, default1, and default_admin.
- default0 is the default domain to which unauthenticated users belong. When users have accessed the NE80E/40E but have not yet been authenticated, the NE80E/40E does not know which domain the users belong to and places them in default0. The NE80E/40E then applies the authentication scheme and the accounting scheme of default0 to the users in this domain.
- default1 is the default domain to which users being authenticated belong. If the user name entered for authentication does not contain a domain name, the NE80E/40E places the user in default1. The NE80E/40E applies the authentication scheme and the accounting scheme of default1 to the users in this domain.
- default_admin is the default domain to which administrators belong. When an administrator logs in to the NE80E/40E by using Telnet or SSH and the user name entered for authentication does not contain a domain name, the NE80E/40E places the administrator in default_admin. The NE80E/40E applies the authentication scheme default and the accounting scheme default0 to the users in this domain.

Because the domain, and therefore the authentication scheme, is selected from the suffix of the user name that the user types, review the schemes bound to default1 and default_admin as carefully as those of any user-defined domain.

----End

1.6.3 Configuring an AAA Scheme for a Domain
You must configure an AAA scheme for a domain before you perform AAA on users in this domain.

Context

Do as follows on the router:


Procedure

Step 1 Run:
  system-view
  The system view is displayed.

Step 2 Run:
  aaa
  The AAA view is displayed.

Step 3 Run:
  domain domain-name
  The domain view is displayed.

Step 4 Run:
  authentication-scheme scheme-name
  An authentication scheme is specified for the domain.
  By default, the authentication scheme default1 is used for user-defined domains and for the default1 domain, the authentication scheme default is used for the default_admin domain, and the authentication scheme default0 is used for the default0 domain. You can run the display authentication-scheme command to view detailed information about the default authentication schemes.

Step 5 Run:
  accounting-scheme scheme-name
  An accounting scheme is specified for the domain.
  By default, the accounting scheme default1 is used for user-defined domains and for the default1 domain, and the accounting scheme default0 is used for the default0 domain and the default_admin domain.

Step 6 (Optional) Run:
  accounting dual-stack { separate | identical }
  The accounting mode for IPv4/IPv6 dual-stack users is configured.
  When separate is configured, the IPv4 and IPv6 traffic of a dual-stack user is reported to the server separately; when identical is configured, the IPv4 and IPv6 traffic of a dual-stack user is reported to the server together.
  By default, accounting is performed separately for IPv4 and IPv6 traffic.

Step 7 Run:
  authorization-scheme scheme-name
  An authorization scheme is specified for the domain.
  By default, no authorization scheme is specified for the domain.

----End

1.6.4 Configuring Servers for a Domain
You can configure a RADIUS server group, an HWTACACS server template, a forcible Web authentication server, and DNS servers for a domain as required.


Context
Do as follows on the router:

Procedure
Step 1 Run:
  system-view
  The system view is displayed.

Step 2 Run:
  aaa
  The AAA view is displayed.

Step 3 Run:
  domain domain-name
  The domain view is displayed.

Step 4 Run the following commands as required:
- To configure an HWTACACS server template for the domain, run:
  hwtacacs-server template-name
- To configure a RADIUS server group for the domain, run:
  radius-server group group-name
- To specify a forcible Web authentication server for the domain, run:
  web-server { ip-address | mode { get | post } | redirect-key { mscg-ip mscg-ip-key | user-ip-address user-ip-key | user-location user-location-key } | url url | user-first-url-key { key-name | default-name } }
- To specify a primary or secondary DNS server for the domain, run:
  dns { primary-ip | second-ip } ip-address

NOTE
If a primary or secondary DNS server is also configured in an address pool, the DNS server configured in the address pool takes precedence over the DNS server configured by using this command.

By default, no HWTACACS server template, RADIUS server group, Web authentication server, or DNS server is configured for a domain.

----End

1.6.5 Specifying an IPv4 Address Pool for a Domain
An IPv4 address pool configured for a domain is used to assign IPv4 addresses to all users in this domain.

Context
The IPv4 address pool for a domain can be a local or a remote address pool.

A maximum of 1024 IPv4 address pools can be specified for a domain, and one IPv4 address pool can be used by multiple domains. The IPv4 address pools configured for a domain can be reordered. The range of positions to which an address pool can be moved depends on the number of address pools configured in the domain. For example, if 10 address pools are configured in the domain, an address pool can be moved to any position between 1 and 10.

Do as follows on the router:


Procedure

Step 1 Run:
  system-view
  The system view is displayed.

Step 2 Run:
  aaa
  The AAA view is displayed.

Step 3 Run:
  domain domain-name
  The domain view is displayed.

Step 4 Run:
  ip-pool pool-name [ move-to position ]
  An IPv4 address pool is specified for the domain; move-to position sets its position among the address pools configured for the domain.

----End

1.6.6 (Optional) Setting the Maximum Number of Access Users for a Domain

You can set the maximum number of access users for a domain.

Context
To guarantee the processing capability of the NE80E/40E, you can limit the total number of access users for a domain. When the number of users reaches the limit, further access users are denied.

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
  The system view is displayed.

Step 2 Run:
  aaa
  The AAA view is displayed.

Step 3 Run:
  domain domain-name
  The domain view is displayed.

Step 4 Run:
  access-limit max-number
  The maximum number of access users is specified for the domain.
  The default maximum number of access users for a domain is 279552.

----End

1.6.7 (Optional) Setting the Maximum Number of Sessions for an Account

You can set the maximum number of sessions for an account, that is, limit the number of concurrent sessions allowed for users of the same user account. Users of the same user account share QoS resources.

Context

To guarantee the processing capability of the NE80E/40E, you can limit the maximum number of sessions for an account. When the number of sessions reaches the limit, further access users with that account are denied.

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
  The system view is displayed.

Step 2 Run:
  aaa
  The AAA view is displayed.

Step 3 Run:
  domain domain-name
  The domain view is displayed.

Step 4 Run:
  user-max-session max-session-number
  The maximum number of sessions for an account is set.
  By default, the number of sessions is not limited for an account.

----End

1.6.8 (Optional) Setting the Priority of a Domain User
You can set a priority for the users of each domain so that users or services of different priorities are offered different classes of service.

Context

Do as follows on the router:


Procedure

Step 1 Run:
  system-view
  The system view is displayed.

Step 2 Run:
  aaa
  The AAA view is displayed.

Step 3 Run:
  domain domain-name
  The domain view is displayed.

Step 4 Run:
  user-priority { upstream | downstream } { priority | trust-8021p-inner | trust-8021p-outer | trust-dscp | trust-dscp-inner | trust-dscp-outer | unchangeable | trust-exp-inner | trust-exp-outer }
  The priority of the domain user is set.
  Currently, one domain can be configured with only one user priority.
  - priority: user priority. The value ranges from 0 to 7.
  - trust-8021p-inner: The 802.1p priority in the inner tag of a Layer 2 user packet is used as the user priority.
  - trust-8021p-outer: The 802.1p priority in the outer tag of a Layer 2 user packet is used as the user priority.
  - trust-dscp: The DSCP value of a user packet is used as the user priority.
  - trust-dscp-inner: The DSCP value in the inner IP header of a user packet is used as the user priority.
  - trust-dscp-outer: The DSCP value in the outer IP header of a user packet is used as the user priority.
  - unchangeable: The user priority is fixed.
  - trust-exp-inner: The EXP value in the inner label of an MPLS packet is used as the user priority.
  - trust-exp-outer: The EXP value in the outer label of an MPLS packet is used as the user priority.
  By default, the priorities of the upstream and downstream traffic of users are both 0.

----End
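Sections 1.6.2 to 1.6.8 build up a domain one attribute per procedure. The following is an added example, not taken from the Huawei guide, that configures a complete user-defined domain: the three AAA schemes, the HWTACACS template, a DNS server, an address pool, the two per-domain limits, and the user priority. The domain name isp1, the scheme names auth-tac, author-tac and acct-tac, the template name tac-core, the pool name pool-isp1, the DNS address, the limit values and the prompts are constructed; the schemes, template and pool are assumed to have been created already, as the pre-configuration tasks in 1.6.1 require, and the closing display domain command is assumed from standard VRP syntax rather than taken from this section.

```text
# Added example, not from the Huawei guide. Lines starting with # are comments for the reader.
# Names, addresses and limits are constructed; the schemes, template and pool already exist.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain isp1

# AAA schemes: set all three explicitly instead of inheriting default1 (authentication and
# accounting) and "no authorization scheme", so the domain's behaviour does not depend on defaults.
[HUAWEI-aaa-domain-isp1] authentication-scheme auth-tac
[HUAWEI-aaa-domain-isp1] accounting-scheme acct-tac
[HUAWEI-aaa-domain-isp1] authorization-scheme author-tac

# Servers: the HWTACACS template used when the schemes above select HWTACACS, and a DNS server.
[HUAWEI-aaa-domain-isp1] hwtacacs-server tac-core
[HUAWEI-aaa-domain-isp1] dns primary-ip 10.3.3.53

# Address assignment for the domain's users.
[HUAWEI-aaa-domain-isp1] ip-pool pool-isp1

# Limits: cap the domain well below the 279552 default, and allow one session per account
# so that a single set of credentials cannot be shared across several concurrent logins.
[HUAWEI-aaa-domain-isp1] access-limit 20000
[HUAWEI-aaa-domain-isp1] user-max-session 1

# Downstream user priority 2 (range 0 to 7, default 0).
[HUAWEI-aaa-domain-isp1] user-priority downstream 2
[HUAWEI-aaa-domain-isp1] quit
[HUAWEI-aaa] quit

# Check the result (assumed command).
[HUAWEI] display domain isp1
```

A user who logs in as alice@isp1 lands in this domain; the same user typing only alice is placed in default1, or in default_admin for a Telnet or SSH administrator, as described in 1.6.2, so those default domains need the same scrutiny as isp1.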

1.6.9 (Optional) Configuring Additional Functions for a DomainA domain has additional functions such as captive portal, time-based control, policy-basedrouting, traffic statistics, or IP address usage alarm.

ContextNOTE

Additional functions for a domain cannot be configured on the X1 or X2 models of the NE80E/40E.

A domain has the following additional functions:

- Forced portal: When a user accesses the Internet for the first time after passing the authentication, the NE80E/40E forcibly redirects the user's access request to a certain server, which is usually the portal server of a carrier. In this manner, the user needs to accept a service at the carrier's portal immediately after accessing the Internet.

- Time-based control: A domain is automatically blocked in a specified period. During this period, the users of this domain cannot access the NE80E/40E and the online users are disconnected. After the period, the domain is reactivated automatically, and the domain users are allowed to log in again.

- Idle cut: When the traffic volume of a user stays below a threshold for a period, the NE80E/40E considers the user idle and disconnects the user. To perform the idle cut function, you need to set the idle time and the traffic threshold. The idle cut function configured for a domain controls only the basic traffic of a user. The multicast traffic and the VAS traffic that is not configured with the summary feature are not included in the basic traffic. Therefore, the idle cut function is invalid for them.

- Mandatory PPP authentication: Generally, the authentication mode (PAP, CHAP, or MSCHAP) of a PPP user is negotiated by the PPP client and the virtual template. After the mandatory authentication mode of a PPP user is configured for a domain, the users in the domain are authenticated in the configured mode.

- Policy-based routing: In packet forwarding, the NE80E/40E determines the forwarding egress according to the destination addresses of the packets. With the policy-based routing function, however, the NE80E/40E determines the forwarding egress according to the address specified in the user domain.

- IP address usage alarm: After the alarm threshold for the usage (in percentage) of IP addresses is set in a domain, the NE80E/40E sends a trap to the network management system (NMS) when the usage of IP addresses exceeds the threshold. If no alarm threshold is set, the NE80E/40E does not send any trap to the NMS, regardless of the usage of IP addresses.

- Traffic statistics: The traffic statistics function collects the total traffic of a domain and the upstream and downstream traffic of users.

- Accounting packet copy: This function is used to send accounting packet copies to two RADIUS servers. You can use this function when multiple copies of the original accounting information are required (for example, when multiple ISPs cooperate in the networking). In this case, accounting packet copies need to be sent to two RADIUS servers at the same time, and will be used as the original accounting information in future settlement.

- Re-authentication timeout: The re-authentication timeout is valid for Layer 3 pre-authentication users. If a Layer 3 pre-authentication user does not pass the authentication within the maximum re-authentication time, the NE80E/40E disconnects this user.

- Policy used for online users when the quota is used up: The NE80E/40E uses a policy after the quota (traffic or session time) of an online user is used up. The NE80E/40E may forcibly log out the user, keep the user online, or redirect the user to a specified portal.

Do as follows on the router:


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: aaa

The AAA view is displayed.

Step 3 Run: domain domain-name

The domain view is displayed.

Step 4 Run: portal-server { ip-address | redirect-limit times | url url-string } and pppoe-url url-string

Forced portal is configured.

By default, forced portal is disabled.

Step 5 Run: time-range domain-block { range-name | enable }

Time-based control is configured.

You can configure up to four time ranges, which have equal priority.

By default, time-based control is disabled.

Step 6 Run: idle-cut idle-time-length idle-rate

The idle cut function is configured.

By default, the idle time is 0. This means that the idle cut function is disabled.

Step 7 Run: policy-route next-hop-ip-address

Policy-based routing is configured.

By default, policy-based routing is disabled.

Step 8 Run: ip-warning-threshold threshold

The IP address usage alarm function is configured.

By default, the IP address usage alarm function is not configured.

Step 9 Run: flow-bill

The function of collecting the statistics about the total traffic is enabled.

By default, the function of collecting the total traffic statistics is disabled.


Step 10 Run: flow-statistic { down | up } *

The function of collecting the upstream or downstream traffic statistics of the domain users is enabled.

By default, the function of collecting the upstream and downstream traffic statistics of the domain users is enabled.

Step 11 Run: accounting-copy radius-server radius-name

The function of sending accounting packet copies is enabled.

By default, the function of sending accounting packet copies is disabled.

Step 12 Run: max-ipuser-reauthtime time-value

The re-authentication timeout is configured.

By default, the re-authentication timeout is 300 seconds.

Step 13 Run: quota-out { offline | online | redirect url url-string }

The policy used for online users when the quota is used up is configured.

By default, the NE80E/40E disconnects the user when the quota of a user is used up.

If the RADIUS protocol type is set to non-standard, a real-time accounting packet is sent to the RADIUS server to apply for a new quota when the user's quota is used up. If the RADIUS server responds with zero quota, the user is redirected based on the configured quota-out redirect url url-string command.

If you want a user to be directly redirected when its quota is used up, you must first set the RADIUS protocol type to standard and configure the quota-out redirect url url-string command.

Step 14 Run: radius-no-response lease-time time

The extended lease in case of no response from the RADIUS server is set for DHCP users.

By default, DHCP users will be logged out if there is no response from the RADIUS server.

----End

1.6.10 (Optional) Activating a Domain

Users cannot access a blocked domain. When a domain is not to be used, you can block the domain.

Context

NOTE

Activating a domain cannot be configured on the X1 or X2 models of the NE80E/40E.

Do as follows on the router:


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: aaa

The AAA view is displayed.

Step 3 Run: domain domain-name

The domain view is displayed.

Step 4 Run: block

The status of the domain is set to the blocked state.

By default, a domain is activated after being created.

----End

1.6.11 Checking the Configuration

After configuring a domain, you can view the domain configuration.

Prerequisite

All the configurations of the domain are complete.

Procedure

Step 1 Run the display domain [ domain-name ] command to check the configuration of the domain.

----End

Example

Run the display domain command, and you can view the summaries of the configurations of all the domains.

<HUAWEI> display domain
------------------------------------------------------------------------------
Domain name      State   CAR  Access-limit  Online  BODNum  RptVSMNum
------------------------------------------------------------------------------
default0         Active  0    279552        0       0       0
default1         Active  0    279552        0       0       0
default_admin    Active  0    279552        0       0       0
default          Active  0    279552        0       0       0
isp1             Active  0    279552        0       0       0
------------------------------------------------------------------------------
Total 5,5 printed
<HUAWEI> display domain default
------------------------------------------------------------------------------
Domain-name                     : default
Domain-state                    : Active
Authentication-scheme-name      : default1
Accounting-scheme-name          : default1
Authorization-scheme-name       :
Primary-DNS-IP-address          : -
Second-DNS-IP-address           : -
Web-server-URL-parameter        : No
Portal-server-URL-parameter     : No
Primary-NBNS-IP-address         : -
Second-NBNS-IP-address          : -
User-group-name                 : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count               : 0
Report-VSM-User-Count           : 0
Value-added-service             :
User-access-limit               : 279552
Online-number                   : 0
Web-IP-address                  : -
Web-URL                         : -
Portal-server-IP                : -
Portal-URL                      : -
Portal-force-times              : 2
PPPoE-user-URL                  : Disable
IPUser-ReAuth-Time(second)      : 300
mscg-name-portal-key            : -
Portal-user-first-url-key       : -
Ancp auto qos adapt             : Disable
Service-type                    : STB
RADIUS-server-template          : -
Two-acct-template               : -
HWTACACS-server-template        : -
Bill Flow                       : Disable
Tunnel-acct-2867                : Disabled
Qos-profile-name inbound        : -
Qos-profile-name outbound       : -
Flow Statistic:
Flow-Statistic-Up               : Yes
Flow-Statistic-Down             : Yes
Source-IP-route                 : Disable
IP-warning-threshold            : -
Multicast Forwarding            : Yes
Multicast Virtual               : No
Max-multilist num               : 4
Multicast-profile               : -
Quota-out                       : Offline

1.7 Maintaining AAA

This section describes how to maintain AAA by clearing HWTACACS statistics and debugging RADIUS or HWTACACS.

1.7.1 Clearing AAA Statistics

Clearing AAA statistics includes clearing statistics on the AAA server and accounting stop packets.

Context

CAUTION

Statistics cannot be restored after you clear them. Exercise caution when running the command.


Procedure

- Run the reset hwtacacs-server statistics { all | accounting | authentication | authorization } command in the user view to clear the statistics about the HWTACACS server.

- Run the reset hwtacacs-server accounting-stop-packet { all | ip ip-address } command in the user view to clear the statistics about the accounting stop packets on the HWTACACS server.

----End

1.8 Configuration Examples

This section provides configuration examples of AAA, including networking requirements, configuration notes, and configuration roadmap.

Context

NOTE

Examples in this document use interface numbers and link types of the NE40E-X8. In real-world situations, interface numbers and link types may be different from those used in this document.

1.8.1 Example for Performing Authentication and Accounting for Users by Using RADIUS

This section provides an example for performing authentication and accounting by using RADIUS, including networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

NOTE

This example is not supported on the X1 or X2 models of the NE80E/40E.

As shown in Figure 1-1, the users access the network through Router A and belong to the domain named huawei. Router B functions as the access server for the destination network. To access the destination network, the users have to traverse the network where Router A and Router B reside and pass remote authentication of the access server. After that, the users can access the network through Router B. Remote authentication is implemented on Router B as follows:

- The RADIUS server performs authentication and accounting for access users.
- The RADIUS server at 129.7.66.66/24 functions as the primary authentication and accounting server. The RADIUS server at 129.7.66.67/24 functions as the secondary authentication and accounting server. The default port numbers for authentication and accounting are 1812 and 1813 respectively.

Figure 1-1 Networking diagram of performing authentication and accounting for users by using RADIUS

(Figure: users in domain huawei reach the destination network through Router A and Router B; the RADIUS servers are at 129.7.66.66/24 and 129.7.66.67/24.)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a RADIUS server group, an authentication scheme, and an accounting scheme on Router B.

2. Apply the RADIUS server group, authentication scheme, and accounting scheme on Router B to the domain.

Data Preparation

To complete the configuration, you need the following data:

- IP address of the primary (secondary) RADIUS authentication server
- IP address of the primary (secondary) RADIUS accounting server

Procedure

Step 1 Configure a RADIUS server group, an authentication scheme, and an accounting scheme.

# Configure a RADIUS server group named shiva.

<HUAWEI> system-view
[HUAWEI] radius-server group shiva

# Configure the IP addresses and port numbers of the primary RADIUS authentication and accounting servers.

[HUAWEI-radius-shiva] radius-server authentication 129.7.66.66 1812


[HUAWEI-radius-shiva] radius-server accounting 129.7.66.66 1813

# Configure the IP addresses and port numbers of the secondary RADIUS authentication and accounting servers.

[HUAWEI-radius-shiva] radius-server authentication 129.7.66.67 1812
[HUAWEI-radius-shiva] radius-server accounting 129.7.66.67 1813

# Set the key and the number of retransmission attempts for the RADIUS server.

[HUAWEI-radius-shiva] radius-server shared-key it-is-my-secret
[HUAWEI-radius-shiva] radius-server retransmit 2
[HUAWEI-radius-shiva] quit

# Enter the AAA view.

[HUAWEI] aaa

# Configure authentication scheme 1, with the authentication mode being RADIUS.

[HUAWEI-aaa] authentication-scheme 1
[HUAWEI-aaa-authen-1] authentication-mode radius
[HUAWEI-aaa-authen-1] quit

# Configure accounting scheme 1, with the accounting mode being RADIUS.

[HUAWEI-aaa] accounting-scheme 1
[HUAWEI-aaa-accounting-1] accounting-mode radius
[HUAWEI-aaa-accounting-1] quit

Step 2 Configure a domain named huawei and apply authentication scheme 1, accounting scheme 1, and RADIUS server group shiva in the domain.

[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] authentication-scheme 1
[HUAWEI-aaa-domain-huawei] accounting-scheme 1
[HUAWEI-aaa-domain-huawei] radius-server group shiva

Step 3 Verify the configuration.

Generally, RADIUS authentication and accounting apply to BRAS access. If the access configuration is correct, users can pass authentication and go online properly. Then, user accounting can be performed normally.

Run the display radius-server configuration group shiva command on the router, and you can see that the configuration of the RADIUS server group meets the requirements.

<HUAWEI> display radius-server configuration group shiva
-------------------------------------------------------
Server-group-name    : shiva
Authentication-server: IP:129.7.66.66  Port:1812  Weight[0]  [UP]  Vpn: -
Authentication-server: IP:129.7.66.67  Port:1812  Weight[0]  [UP]  Vpn: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Authentication-server: -
Accounting-server    : IP:129.7.66.66  Port:1813  Weight[0]  [UP]  Vpn: -
Accounting-server    : IP:129.7.66.67  Port:1813  Weight[0]  [UP]  Vpn: -
Accounting-server    : -
Accounting-server    : -
Accounting-server    : -
Accounting-server    : -
Accounting-server    : -
Accounting-server    : -
Protocol-version     : radius
Shared-secret-key    : it-is-my-secret
Retransmission       : 2
Timeout-interval(s)  : 5
Acct-Stop-Packet Resend       : NO
Acct-Stop-Packet Resend-Times : 0
Traffic-unit         : B
ClassAsCar           : NO
User-name-format     : Domain-included
Option82 parse mode  : -
Attribute-translation: NO
Packet send algorithm: Master-Backup
Tunnel password      : cipher

Run the display domain domain-name command on the router, and you can view the configuration of the domain.

<HUAWEI> display domain huawei
------------------------------------------------------------------------------
Domain-name                     : huawei
Domain-state                    : Active
Authentication-scheme-name      : 1
Accounting-scheme-name          : 1
Authorization-scheme-name       :
Primary-DNS-IP-address          : -
Second-DNS-IP-address           : -
Primary-NBNS-IP-address         : -
Second-NBNS-IP-address          : -
User-group-name                 : -
Idle-data-attribute (time,flow) : 0, 60
Install-BOD-Count               : 0
Report-VSM-User-Count           : 0
Value-added-service             : COPS
User-access-limit               : 279552
Online-number                   : 0
Web-IP-address                  : -
Web-URL                         : -
Portal-server-IP                : -
Portal-URL                      : -
Portal-force-times              : 2
PPPoE-user-URL                  : Disable
IPUser-ReAuth-Time(second)      : 300
Ancp auto qos adapt             : Disable
Service-type                    : STB
RADIUS-server-template          : shiva
Two-acct-template               : -
HWTACACS-server-template        : -
Bill Flow                       : Disable
Tunnel-acct-2867                : Disabled
Flow Statistic:
Flow-Statistic-Up               : Yes
Flow-Statistic-Down             : Yes
Source-IP-route                 : Disable
IP-warning-threshold            : -
Multicast Forwarding            : Yes
Multicast Virtual               : No
Max-multilist num               : 4
Multicast-profile               : -
Quota-out                       : Offline
------------------------------------------------------------------------------

----End
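The key set with radius-server shared-key is what ties a RADIUS reply to the request that caused it: the NAS recomputes the Response Authenticator with its own copy of the key and silently discards any reply that does not match, so a key that differs between the router and the server shows up as dropped replies and retransmissions rather than as an Access-Reject. The following is an added example, not code from this guide or from Huawei: it implements the RFC 2865 Response Authenticator check and the User-Password hiding in Python, using the shared key and port numbers from the example above and a constructed user name and password.

```python
import hashlib
import hmac
import os
import struct

# Values from the page's RADIUS server group "shiva"; the key is reused here
# only so the computation matches the example shown above.
SHARED_SECRET = b"it-is-my-secret"
AUTH_PORT = 1812   # radius-server authentication ... 1812
ACCT_PORT = 1813   # radius-server accounting ... 1813

# RADIUS codes and attribute types used below (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; 16-byte Authenticator follows


def encode_attr(attr_type, value):
    """One attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def xor_chain(data, request_authenticator, secret, decrypt):
    """RFC 2865 section 5.2 User-Password transform, same loop in both directions.
    Block i is XORed with MD5(secret + c[i-1]), where c[-1] is the Request
    Authenticator and c[i] is the hidden (on-the-wire) block."""
    out, prev = b"", request_authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        out += result
        prev = block if decrypt else result
    return out


def hide_password(password, request_authenticator, secret):
    """NAS side: pad to a multiple of 16 bytes (at least one block) and hide."""
    if len(password) > 128:
        raise ValueError("User-Password longer than 128 bytes")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return xor_chain(padded, request_authenticator, secret, decrypt=False)


def reveal_password(hidden, request_authenticator, secret):
    """Server side: undo hide_password and strip the NUL padding."""
    return xor_chain(hidden, request_authenticator, secret, decrypt=True).rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attributes):
    return HEADER.pack(code, identifier, 20 + len(attributes)) + authenticator + attributes


def build_access_request(identifier, username, password, secret, request_authenticator=None):
    """NAS side. Returns (packet, request_authenticator); the NAS keeps the
    authenticator to validate the reply."""
    ra = request_authenticator or os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_password(password, ra, secret))
    return build_packet(ACCESS_REQUEST, identifier, ra, attrs), ra


def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = HEADER.pack(code, identifier, 20 + len(attributes))
    return hashlib.md5(head + request_authenticator + attributes + secret).digest()


def build_reply(code, identifier, request_authenticator, attributes, secret):
    """Server side: every reply is bound to the request and to the shared key."""
    auth = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return build_packet(code, identifier, auth, attributes)


def verify_reply(reply, expected_identifier, request_authenticator, secret):
    """NAS side. Returns the reply code when the reply is genuine, else None.
    A reply from a server holding a different key fails here and is discarded;
    it is never treated as an Access-Reject."""
    if len(reply) < 20:
        return None
    code, identifier, length = HEADER.unpack(reply[:4])
    if length != len(reply) or identifier != expected_identifier:
        return None
    expected = response_authenticator(code, identifier, reply[20:], request_authenticator, secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return None
    return code


def demo():
    """In-memory NAS/server exchange with constructed credentials, no sockets.
    Returns the password the server recovers and the codes the NAS accepts for a
    reply built with the correct key and for one built with a wrong key."""
    request, ra = build_access_request(7, b"user1@huawei", b"Pa55word", SHARED_SECRET)
    # Server side: User-Password is the second attribute, after User-Name.
    name_len = request[21]
    recovered = reveal_password(request[20 + name_len + 2:], ra, SHARED_SECRET)
    good = build_reply(ACCESS_ACCEPT, 7, ra, b"", SHARED_SECRET)
    bad = build_reply(ACCESS_ACCEPT, 7, ra, b"", b"wrong-key")   # key mismatch
    return recovered, verify_reply(good, 7, ra, SHARED_SECRET), verify_reply(bad, 7, ra, SHARED_SECRET)
```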

Configuration Files

#
 sysname HUAWEI
#
aaa
 authentication-scheme 1
  authentication-mode radius
 #
 authorization-scheme default
 #
 accounting-scheme 1
  accounting-mode radius
 #
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server group shiva
#
radius-server group shiva
 radius-server authentication 129.7.66.66 1812 weight 0
 radius-server authentication 129.7.66.67 1812 weight 0
 radius-server accounting 129.7.66.66 1813 weight 0
 radius-server accounting 129.7.66.67 1813 weight 0
 radius-server shared-key it-is-my-secret
 radius-server retransmit 2
#
return
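A configuration file of this shape is also what an auditor reads back from the device, and the bindings it contains (domain to scheme, scheme mode to server group, server group to servers and key) are easy to leave dangling after edits. As an added example that is not part of this guide, the following Python parses the indentation-based blocks of such a file and checks that every domain's authentication-scheme, authorization-scheme, accounting-scheme and radius-server group bindings resolve, that a scheme in RADIUS mode has a server group bound, and that each group defines authentication and accounting servers and a shared key; the embedded sample is the page's configuration file above, and the treatment of indentation and '#' separators is an assumption drawn from that sample.

```python
# Added example: audit the AAA bindings in a saved VRP configuration file.
# PAGE_CONFIG is the page's own RADIUS configuration file, indented one space
# per nesting level as the router writes it.
PAGE_CONFIG = """\
#
 sysname HUAWEI
#
aaa
 authentication-scheme 1
  authentication-mode radius
 #
 authorization-scheme default
 #
 accounting-scheme 1
  accounting-mode radius
 #
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server group shiva
#
radius-server group shiva
 radius-server authentication 129.7.66.66 1812 weight 0
 radius-server authentication 129.7.66.67 1812 weight 0
 radius-server accounting 129.7.66.66 1813 weight 0
 radius-server accounting 129.7.66.67 1813 weight 0
 radius-server shared-key it-is-my-secret
 radius-server retransmit 2
#
return
"""

SCHEME_KINDS = ("authentication-scheme", "authorization-scheme", "accounting-scheme")


def parse_tree(text):
    """Build a tree of (tokens, children) from indentation. Assumed from the
    sample: deeper indentation is a nested view and '#' lines are separators."""
    root = ([], [])
    stack = [(-1, root)]                         # (indent, node)
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        node = (stripped.split(), [])
        while stack[-1][0] >= indent:            # climb back to the parent view
            stack.pop()
        stack[-1][1][1].append(node)
        stack.append((indent, node))
    return root


def first(lines, *prefix):
    """Tokens of the first child line that starts with the given tokens."""
    for tokens, _ in lines:
        if tokens[:len(prefix)] == list(prefix):
            return tokens
    return None


def audit_aaa(text):
    """Return findings for dangling or inconsistent AAA bindings; an empty
    list means every check passed."""
    schemes = {kind: {} for kind in SCHEME_KINDS}
    domains, groups = {}, {}
    for tokens, children in parse_tree(text)[1]:
        if tokens == ["aaa"]:
            for t, c in children:
                if len(t) == 2 and t[0] in schemes:
                    schemes[t[0]][t[1]] = c
                elif len(t) == 2 and t[0] == "domain":
                    domains[t[1]] = c
        elif tokens[:2] == ["radius-server", "group"] and len(tokens) == 3:
            groups[tokens[2]] = children
    findings = []
    for name, lines in domains.items():
        group_line = first(lines, "radius-server", "group")
        group = group_line[2] if group_line and len(group_line) == 3 else None
        for kind in SCHEME_KINDS:
            ref = first(lines, kind)
            if ref is None or len(ref) != 2:
                continue                         # this scheme kind is not bound here
            if ref[1] not in schemes[kind]:
                findings.append(f"domain {name}: {kind} {ref[1]} is not defined")
                continue
            mode = first(schemes[kind][ref[1]], kind.replace("-scheme", "-mode"))
            if mode and mode[1:2] == ["radius"] and group is None:
                findings.append(f"domain {name}: {kind} {ref[1]} uses RADIUS "
                                "but no radius-server group is bound")
        if group is not None and group not in groups:
            findings.append(f"domain {name}: radius-server group {group} is not defined")
    for name, lines in groups.items():
        present = {t[1] for t, _ in lines if t[0] == "radius-server" and len(t) > 1}
        for needed in ("authentication", "accounting", "shared-key"):
            if needed not in present:
                findings.append(f"radius-server group {name}: missing radius-server {needed}")
    return findings
```

Running audit_aaa(PAGE_CONFIG) returns an empty list for the page's file; a domain that names an undefined scheme, or a RADIUS-mode scheme with no group bound, each produce one finding.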

1.8.2 Example for Configuring HWTACACS Authentication, Authorization, and Accounting

This section describes how to apply HWTACACS authentication, authorization, and accounting to a real network. HWTACACS authentication, authorization, and accounting are implemented on users in the domain named huawei.

Networking Requirements

As shown in Figure 1-2, users belong to the domain huawei and access the network through Router A. Router B functions as the access server of the destination network. If users need to access the destination network, they should first traverse the network between Router A and Router B and then access the destination network through Router B after they pass remote authentication. In such a case, you can configure the authentication mode on Router B as follows:

- Local authentication is first performed on access users. If local authentication fails, HWTACACS authentication is performed.
- To upgrade the level of an access user, HWTACACS authentication is used first. If the HWTACACS server does not respond, local authentication is performed.
- HWTACACS authorization is performed on access users.
- Accounting is necessary for all users.
- The HWTACACS server at 129.7.66.66/24 functions as the primary server and its default authentication port number, authorization port number, and accounting port number are all 49. The HWTACACS server at 129.7.66.67/24 functions as the secondary server and its default authentication port number, authorization port number, and accounting port number are all 49.

Figure 1-2 Networking diagram of local authentication and HWTACACS authentication, authorization, and accounting

(Figure: users in domain huawei reach the destination network through Router A and Router B; the HWTACACS servers are at 129.7.66.66/24 and 129.7.66.67/24.)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a HWTACACS server template.
2. Configure authentication, authorization, and accounting schemes.
3. Apply the configured template and schemes to the domain.

Data Preparation

To complete the configuration, you need the following data:

- IP address of the primary (secondary) HWTACACS authentication server
- IP address of the primary (secondary) HWTACACS authorization server
- IP address of the primary (secondary) HWTACACS accounting server

Procedure

Step 1 Configure an HWTACACS server template.

# Create an HWTACACS server template named ht.

[RouterA] hwtacacs-server template ht

# Configure the IP addresses and port numbers of the primary HWTACACS authentication, authorization, and accounting server.

[RouterA-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[RouterA-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49


[RouterA-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49

# Configure the IP addresses and port numbers of the secondary HWTACACS authentication, authorization, and accounting server.

[RouterA-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[RouterA-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[RouterA-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary

# Configure the shared key of the HWTACACS server.

[RouterA-hwtacacs-ht] hwtacacs-server shared-key it-is-my-secret
[RouterA-hwtacacs-ht] quit

Step 2 Configure AAA schemes.

# Enter the AAA view.

[RouterA] aaa

# Configure an authentication scheme named l-h with the authentication mode being local hwtacacs. To upgrade the user level, configure the authentication mode as hwtacacs super.

[RouterA-aaa] authentication-scheme l-h
[RouterA-aaa-authen-l-h] authentication-mode local hwtacacs
[RouterA-aaa-authen-l-h] authentication-super hwtacacs super
[RouterA-aaa-authen-l-h] quit

# Configure an authorization scheme named hwtacacs with the authorization mode being HWTACACS.

[RouterA-aaa] authorization-scheme hwtacacs
[RouterA-aaa-author-hwtacacs] authorization-mode hwtacacs

[RouterA-aaa-author-hwtacacs] quit

# Configure an accounting scheme named hwtacacs with the accounting mode being HWTACACS.

[RouterA-aaa] accounting-scheme hwtacacs
[RouterA-aaa-accounting-hwtacacs] accounting-mode hwtacacs
[RouterA-aaa-accounting-hwtacacs] quit

Step 3 Create a domain named huawei and apply the authentication scheme l-h, authorization scheme hwtacacs, accounting scheme hwtacacs, and HWTACACS server template ht to the domain huawei.

[RouterA-aaa] domain huawei
[RouterA-aaa-domain-huawei] authentication-scheme l-h
[RouterA-aaa-domain-huawei] authorization-scheme hwtacacs
[RouterA-aaa-domain-huawei] accounting-scheme hwtacacs
[RouterA-aaa-domain-huawei] hwtacacs-server ht

Step 4 Verify the configuration.

Run the display hwtacacs-server template command on the router, and you can view information about the HWTACACS server template.

<HUAWEI> display hwtacacs-server template ht
--------------------------------------------------------------------------
HWTACACS-server template name    : ht
Primary-authentication-server    : 129.7.66.66:49
Primary-authorization-server     : 129.7.66.66:49
Primary-accounting-server        : 129.7.66.66:49
Secondary-authentication-server  : 129.7.66.67:49
Secondary-authorization-server   : 129.7.66.67:49
Secondary-accounting-server      : 129.7.66.67:49
Current-authentication-server    : 129.7.66.66:49
Current-authorization-server     : 129.7.66.66:49
Current-accounting-server        : 129.7.66.66:49
Source-IP-address                : 0.0.0.0
Shared-key                       : it-is-my-secret
Quiet-interval (min)             : 5
Response-timeout-Interval (sec)  : 5
Domain-included                  : Yes
Traffic-unit                     : B
--------------------------------------------------------------------------

Run the display domain command on the router, and you can view information about the domain.

<HUAWEI> display domain huawei

----End

Configuration Files

#
hwtacacs-server template ht
 hwtacacs-server authentication 129.7.66.66 49
 hwtacacs-server authentication 129.7.66.67 49 secondary
 hwtacacs-server authorization 129.7.66.66 49
 hwtacacs-server authorization 129.7.66.67 49 secondary
 hwtacacs-server accounting 129.7.66.66 49
 hwtacacs-server accounting 129.7.66.67 49 secondary
 hwtacacs-server shared-key it-is-my-secret
#
aaa
 authentication-scheme default
 authentication-scheme l-h
  authentication-mode local hwtacacs
  authentication-super hwtacacs super
 #
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
 #
 accounting-scheme default
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
 #
 domain default
 domain huawei
  authentication-scheme l-h
  authorization-scheme hwtacacs
  accounting-scheme hwtacacs
  hwtacacs-server ht
#
return

1.8.3 Example for Configuring HWTACACS Authentication and Authorization on the MPLS VPN

This section describes how to enable HWTACACS authentication, authorization, and accounting packets to traverse a VPN. This enables an administrator on the Internet to perform authorization and accounting on a server on the VPN.

Networking Requirements

As shown in Figure 1-3, CE1 and CE2 both belong to VPN-A. The VPN target attribute used by VPN-A is 111:1. On the public network, the administrator logs in to PE2 through the console port or logs in to PE2 through a PC, another router, or a Telnet client. After the administrator is authorized, the administrator manages PE2, and the system events and records of administrator operations on PE2 are sent to the TACACS server. The TACACS server is deployed on the VPN. Thus, PE2 needs to forward HWTACACS packets based on VPN instances.

- PE2 authenticates administrators through HWTACACS.
- PE2 authorizes administrators through HWTACACS.
- The TACACS server 160.1.1.100/24 is the primary server, with authentication port 49, authorization port 49, and accounting port 49. The TACACS server 160.1.1.101/24 is the secondary server, with authentication port 49, authorization port 49, and accounting port 49 by default.

Figure 1-3 Diagram of configuring HWTACACS authentication and authorization of administrators

(Figure: VPN-A site CE1 (AS65410) and VPN-A site CE2 (AS65430) connect through PE1, P, and PE2 in the backbone AS100; the administrator reaches PE2 from the public network; the main and backup TACACS servers are in VPN-A behind CE2.)

Device                Interface   IP address
CE1                   GE1/0/1     10.1.1.2/24
PE1                   Loopback1   1.1.1.9/32
                      GE2/0/0     10.1.1.1/24
                      GE1/0/0     100.1.1.1/24
P                     Loopback1   3.3.3.9/32
                      GE1/0/0     100.1.1.2/24
                      GE2/0/0     200.1.1.1/24
PE2                   Loopback1   2.2.2.9/32
                      GE2/0/0     10.2.1.2/24
                      GE1/0/0     200.1.1.2/24
CE2                   GE1/0/0     10.2.1.1/24
                      GE1/0/1     160.1.1.1/24
Main TACACS server    -           160.1.1.100/24
Backup TACACS server  -           160.1.1.101/24

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure BGP/MPLS IP VPN for interworking.
2. Configure a HWTACACS server template.
3. Configure the authentication scheme and authorization scheme.
4. Apply the HWTACACS server template, the authentication scheme, and the authorization scheme.

Data Preparation

To complete the configuration, you need the following data:

- IP address of the primary (secondary) HWTACACS authentication server
- IP address of the primary (secondary) HWTACACS authorization server
- IP address of the primary (secondary) HWTACACS accounting server

Procedure

Step 1 Configure BGP/MPLS IP VPN.

Configure an IGP on the network to enable communication between the PEs and the P on the backbone network and to advertise the IP address of the CE.

# Configure PE1.

<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitEthernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip address 100.1.1.1 24
[PE1-GigabitEthernet1/0/0] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure P.

<HUAWEI> system-view
[HUAWEI] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 3.3.3.9 32
[P-LoopBack1] quit
[P] interface gigabitEthernet 1/0/0
[P-GigabitEthernet1/0/0] ip address 100.1.1.2 24
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitEthernet 2/0/0
[P-GigabitEthernet2/0/0] ip address 200.1.1.1 24
[P-GigabitEthernet2/0/0] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 200.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit

# Configure PE2.

<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] interface gigabitEthernet 1/0/0
[PE2-GigabitEthernet1/0/0] ip address 200.1.1.2 24
[PE2-GigabitEthernet1/0/0] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 200.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

# Configure CE1.

<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] interface gigabitethernet 1/0/1
[CE1-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[CE1-GigabitEthernet1/0/1] quit

# Configure CE2.

<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] ip address 10.2.1.1 24
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface gigabitethernet 1/0/1
[CE2-GigabitEthernet1/0/1] ip address 160.1.1.1 24
[CE2-GigabitEthernet1/0/1] quit
[CE2] ospf
[CE2-ospf-1] area 0
[CE2-ospf-1-area-0.0.0.0] network 160.1.1.0 0.0.0.255
[CE2-ospf-1-area-0.0.0.0] quit
[CE2-ospf-1] quit

After the configuration, OSPF neighbor relationship should be set up between PE1, P1, and PE2.Run the display ospf peer command, and you can view that the neighbor relationship is Full.Run the display ip routing-table command, and you can view that PEs learn the routes to theLoopback1 interfaces on their peers.

Take the display of PE1 as an example:

[PE1] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 9
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        1.1.1.9/32  Direct  0    0         D     127.0.0.1       InLoopBack0
        2.2.2.9/32  OSPF    10   3125      D     100.1.1.2       GigabitEthernet1/0/0
        3.3.3.9/32  OSPF    10   1563      D     100.1.1.2       GigabitEthernet1/0/0
      127.0.0.0/8   Direct  0    0         D     127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0         D     127.0.0.1       InLoopBack0
      100.1.1.0/24  Direct  0    0         D     100.1.1.1       GigabitEthernet1/0/0
      100.1.1.1/32  Direct  0    0         D     127.0.0.1       InLoopBack0
      100.1.1.2/32  Direct  0    0         D     100.1.1.2       GigabitEthernet1/0/0
      200.1.1.0/24  OSPF    10   3124      D     100.1.1.2       GigabitEthernet1/0/0
[PE1] display ospf peer
         OSPF Process 1 with Router ID 1.1.1.9
                 Neighbors
 Area 0.0.0.0 interface 100.1.1.1(GigabitEthernet1/0/0)'s neighbors
 Router ID: 3.3.3.9          Address: 100.1.1.2        GR State: Normal
   State: Full  Mode:Nbr is Master  Priority: 1
   DR: None   BDR: None   MTU: 1500
   Dead timer due in 38  sec
   Neighbor is up for 00:02:44
   Authentication Sequence: [ 0 ]

Configure basic MPLS functions and MPLS LDP on the MPLS backbone network and set up LDP LSPs.

# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] lsp-trigger all
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitEthernet 1/0/0
[PE1-GigabitEthernet1/0/0] mpls
[PE1-GigabitEthernet1/0/0] mpls ldp
[PE1-GigabitEthernet1/0/0] quit

# Configure P.
[P] mpls lsr-id 3.3.3.9
[P] mpls
[P-mpls] lsp-trigger all
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface gigabitEthernet 1/0/0
[P-GigabitEthernet1/0/0] mpls
[P-GigabitEthernet1/0/0] mpls ldp
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitEthernet 2/0/0
[P-GigabitEthernet2/0/0] mpls
[P-GigabitEthernet2/0/0] mpls ldp
[P-GigabitEthernet2/0/0] quit

# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] lsp-trigger all
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitEthernet 1/0/0
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit

After the configuration, LDP sessions should be set up between PE1 and P, and between P and PE2. Run the display mpls ldp session command, and you can view that the Status field displays Operational. Run the display mpls ldp lsp command, and you can view whether LDP LSPs are set up.

Take the display of PE1 as an example:
[PE1] display mpls ldp session
 LDP Session(s) in Public Network
 -------------------------------------------------------------------------
  Peer-ID            Status      LAM  SsnRole  SsnAge      KA-Sent/Rcv
 -------------------------------------------------------------------------
  3.3.3.9:0          Operational DU   Passive  000:00:01   7/7
 -------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.
  LAM : Label Advertisement Mode         SsnAge Unit : DDD:HH:MM
[PE1] display mpls ldp lsp
 LDP LSP Information
 ------------------------------------------------------------------
 SN  DestAddress/Mask   In/OutLabel   Next-Hop        In/Out-Interface
 ------------------------------------------------------------------
 1   1.1.1.9/32         3/NULL        127.0.0.1       GigabitEthernet1/0/0/InLoop0
 2   2.2.2.9/32         NULL/1027     100.1.1.2       -------/GigabitEthernet1/0/0
 3   3.3.3.9/32         NULL/3        100.1.1.2       -------/GigabitEthernet1/0/0
 ------------------------------------------------------------------
 TOTAL: 3 Normal LSP(s) Found.
 TOTAL: 0 Liberal LSP(s) Found.
 A '*' before an LSP means the LSP is not established
 A '*' before a Label means the USCB or DSCB is stale

Configure VPN instances on PEs so that CEs can access PEs.

# Configure PE1.

[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna] vpn-target 111:1 both
[PE1-vpn-instance-vpna] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[PE1-GigabitEthernet2/0/0] ip address 10.1.1.1 24
[PE1-GigabitEthernet2/0/0] quit

# Configure PE2.

[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna] vpn-target 111:1 both
[PE2-vpn-instance-vpna] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[PE2-GigabitEthernet2/0/0] ip address 10.2.1.2 24
[PE2-GigabitEthernet2/0/0] quit

After the configuration, run the display ip vpn-instance verbose command on the PEs, and you can view the configurations of the VPN instances. Each PE can ping its connected CE.

NOTE

When a PE has multiple interfaces that are bound to the same VPN, you must specify the source IP address, namely the -a source-ip-address parameter, when running the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command. Otherwise, the ping may fail.

Take PE1 and CE1 as an example:

[PE1] display ip vpn-instance verbose
 Total VPN-Instances configured : 1
 VPN-Instance Name and ID : vpna, 1
  Create date : 2008/09/27 15:24:40
  Up time : 0 days, 00 hours, 05 minutes and 19 seconds
  Route Distinguisher : 100:1
  Export VPN Targets : 111:1
  Import VPN Targets : 111:1
  Label policy: label per route
  The diffserv-mode Information is : uniform
  The ttl-mode Information is : pipe
  Interfaces : GigabitEthernet2/0/0
[PE1] ping -vpn-instance vpna 10.1.1.2
  PING 10.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=56 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=4 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=4 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=52 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=3 ms
  --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/23/56 ms

Set up an EBGP peer relationship between the PEs and CEs and import VPN routes.

# Configure CE1.

[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.1 as-number 100
[CE1-bgp] import-route direct

NOTE

The configuration of CE2 is similar to that of CE1. Thus, it is omitted.

# Configure PE1.

[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.2 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit

NOTE

The configuration of PE2 is similar to that of PE1. Thus, it is omitted.

After the configuration, run the display bgp vpnv4 vpn-instance peer command on a PE, and you can view that the BGP peer relationship between the PE and the connected CE is in the Established state.

Take the peer relationship between PE1 and CE1 as an example:

[PE1] display bgp vpnv4 vpn-instance vpna peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1
  Peer        V   AS      MsgRcvd  MsgSent  OutQ  Up/Down    State        PrefRcv
  10.1.1.2    4   65410   11       9        0     00:06:37   Established  1

Set up an MP-IBGP peer relationship between the PEs.

# Configure PE1.

[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.

[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit

After the configuration, run the display bgp peer or display bgp vpnv4 all peer command on a PE, and you can view that the BGP peer relationship between the PEs is in the Established state.

[PE1] display bgp peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1
  Peer        V   AS      MsgRcvd  MsgSent  OutQ  Up/Down    State        PrefRcv
  2.2.2.9     4   100     2        6        0     00:00:12   Established  0
[PE1] display bgp vpnv4 all peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 2                 Peers in established state : 2
  Peer        V   AS      MsgRcvd  MsgSent  OutQ  Up/Down    State        PrefRcv
  2.2.2.9     4   100     12       18       0     00:09:38   Established  0
  Peer of vpn instance:
  vpn instance vpna :
  10.1.1.2    4   65410   25       25       0     00:17:57   Established  1

Step 2 Configure a template of the HWTACACS server on PE2.

# Configure the HWTACACS server template ht.

<PE2> system-view
[PE2] hwtacacs-server template ht

# Configure the IP address and ports of the primary HWTACACS authentication, authorization, and accounting servers, and bind the VPN instances to these servers.

[PE2-hwtacacs-ht] hwtacacs-server authentication 160.1.1.100 49 vpn-instance vpna
[PE2-hwtacacs-ht] hwtacacs-server authorization 160.1.1.100 49 vpn-instance vpna

# Configure the IP address and ports of the secondary HWTACACS authentication, authorization, and accounting servers, and bind the VPN instances to these servers.

[PE2-hwtacacs-ht] hwtacacs-server authentication 160.1.1.101 49 vpn-instance vpna secondary
[PE2-hwtacacs-ht] hwtacacs-server authorization 160.1.1.101 49 vpn-instance vpna secondary

# Configure the shared key of the HWTACACS server.

[PE2-hwtacacs-ht] hwtacacs-server shared-key it-is-my-secret
[PE2-hwtacacs-ht] quit

Step 3 Configure the authentication scheme, the authorization scheme, and the accounting scheme.

# Enter the AAA view.

[PE2] aaa

# Configure the authentication scheme l-h and set its authentication mode to HWTACACS.

[PE2-aaa] authentication-scheme l-h
[PE2-aaa-authen-l-h] authentication-mode hwtacacs
[PE2-aaa-authen-l-h] quit

# Configure the authorization scheme hwtacacs and set its authorization mode to HWTACACS.

[PE2-aaa] authorization-scheme hwtacacs
[PE2-aaa-author-hwtacacs] authorization-mode hwtacacs
[PE2-aaa-author-hwtacacs] quit

Step 4 Configure the huawei domain. Use the l-h authentication scheme, the HWTACACS authorization scheme, the HWTACACS accounting scheme, and the ht HWTACACS template in the domain.

[PE2-aaa] domain huawei

[PE2-aaa-domain-huawei] authentication-scheme l-h
[PE2-aaa-domain-huawei] authorization-scheme hwtacacs
[PE2-aaa-domain-huawei] hwtacacs-server ht
[PE2-aaa-domain-huawei] quit
[PE2-aaa] quit

Step 5 Verify the configuration.

After running the display hwtacacs-server template command on the router, you can check whether the configuration of the HWTACACS server template matches the requirements.

<PE2> display hwtacacs-server template ht
  --------------------------------------------------------------------------
  HWTACACS-server template name   : ht
  Primary-authentication-server   : 160.1.1.100:49:vpna
  Primary-authorization-server    : 160.1.1.100:49:vpna
  Primary-accounting-server       : 0.0.0.0:0:-
  Secondary-authentication-server : 160.1.1.101:49:vpna
  Secondary-authorization-server  : 160.1.1.101:49:vpna
  Secondary-accounting-server     : 0.0.0.0:0:-
  Current-authentication-server   : 160.1.1.100:49:vpna
  Current-authorization-server    : 160.1.1.100:49:vpna
  Current-accounting-server       : 0.0.0.0:0:-
  Source-IP-address               : 0.0.0.0
  Shared-key                      : it-is-my-secret
  Quiet-interval(min)             : 5
  Response-timeout-Interval(sec)  : 5
  Domain-included                 : Yes
  Traffic-unit                    : B
  --------------------------------------------------------------------------

After running the display domain command on the router, you can check whether the configuration of the domain matches the requirements.

<PE2> display domain huawei
  -------------------------------------------------------------------
  Domain-name                     : huawei
  Domain-state                    : Active
  Authentication-scheme-name      : l-h
  Accounting-scheme-name          : default
  Authorization-scheme-name       : hwtacacs
  User-CAR                        : -
  Web-IP-address                  : -
  Next-hop                        : -
  Primary-DNS-IP-address          : -
  Second-DNS-IP-address           : -
  Primary-NBNS-IP-address         : -
  Second-NBNS-IP-address          : -
  Acl-number                      : -
  Idle-data-attribute (time,flow) : 0, 60
  User-priority                   : -
  User-access-limit               : 384
  Online-number                   : 0
  RADIUS-server-template          : -
  HWTACACS-server-template        : ht
  -------------------------------------------------------------------

----End

Configuration Files

l Configuration file of PE1

#
 sysname PE1
#
ip vpn-instance vpna
 route-distinguisher 100:1
 vpn-target 111:1 export-extcommunity
 vpn-target 111:1 import-extcommunity
#
 mpls lsr-id 1.1.1.9
 mpls
  lsp-trigger all
#
mpls ldp
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip binding vpn-instance vpna
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bgp 100
 peer 2.2.2.9 as-number 100
 peer 2.2.2.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.9 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
  peer 10.1.1.2 as-number 65410
#
ospf 1
 area 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 1.1.1.9 0.0.0.0
#
return

l Configuration file of P
#
 sysname P
#
 mpls lsr-id 3.3.3.9
 mpls
  lsp-trigger all
#
mpls ldp
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 200.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 200.1.1.0 0.0.0.255
  network 3.3.3.9 0.0.0.0
#
return

l Configuration file of PE2
#
 sysname PE2
#
ip vpn-instance vpna
 route-distinguisher 200:1
 vpn-target 111:1 export-extcommunity
 vpn-target 111:1 import-extcommunity
#
hwtacacs-server template ht
 hwtacacs-server authentication 160.1.1.100 49 vpn-instance vpna
 hwtacacs-server authentication 160.1.1.101 49 vpn-instance vpna secondary
 hwtacacs-server authorization 160.1.1.100 vpn-instance vpna
 hwtacacs-server authorization 160.1.1.101 vpn-instance vpna secondary
 hwtacacs-server shared-key it-is-my-secret
#
 mpls lsr-id 2.2.2.9
 mpls
  lsp-trigger all
#
mpls ldp
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip binding vpn-instance vpna
 ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 200.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpna
  peer 10.2.1.1 as-number 65430
  import-route direct
#
aaa
 authentication-scheme default
 authentication-scheme l-h
  authentication-mode hwtacacs
 #
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
 #
 accounting-scheme default
 #
 domain default
 domain huawei
  authentication-scheme l-h
  authorization-scheme hwtacacs
  hwtacacs-server ht
#
ospf 1
 area 0.0.0.0
  network 200.1.1.0 0.0.0.255
  network 2.2.2.9 0.0.0.0
#
return

l Configuration file of CE1
#
 sysname CE1
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
bgp 65410
 peer 10.1.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.1.1.1 enable
#
return

l Configuration file of CE2
#
 sysname CE2
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 160.1.1.1 255.255.255.0
#
bgp 65430
 peer 10.2.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.2.1.2 enable
#
ospf 1
 area 0.0.0.0
  network 160.1.1.0 0.0.0.255
#
return

2 DHCPv4 Configuration

About This Chapter

On an IPv4 network, DHCPv4 must be enabled for users to dynamically obtain IP addresses.

Context

NOTE

The access-side DHCPv4 cannot be configured on the X1 or X2 models of the NE80E/40E.

2.1 Introduction to DHCPv4
DHCPv4 enables a client to dynamically obtain a valid IPv4 address.

2.2 DHCPv4 Supported by the NE80E/40E
The NE80E/40E can be configured as a DHCP server to allocate IP addresses to users or as a DHCP relay agent to relay the IP addresses assigned by a remote DHCP server to users.

2.3 Configuring an IPv4 Address Pool
After an IPv4 address pool is configured, users can obtain IPv4 addresses from the IPv4 address pool.

2.4 Configuring a DHCPv4 Server Group
A DHCPv4 server group is required only when a remote address pool is used to assign IP addresses to users that use a BAS interface for access.

2.5 Configuring DHCPv4 Relay
When a client and a DHCPv4 server reside on different network segments, a DHCPv4 relay agent must be configured to relay the IP address assigned by the DHCPv4 server to the client.

2.6 Adjusting DHCPv4 Service Parameters
You can adjust DHCPv4 service parameters to enhance the security of the DHCPv4 service.

2.7 Maintaining DHCPv4
You can maintain DHCPv4 by clearing DHCPv4 statistics, monitoring DHCPv4 operation status, and debugging DHCPv4.

2.8 Configuration Examples
This section provides configuration examples of DHCPv4, including networking requirements, configuration notes, and configuration roadmap.

2.1 Introduction to DHCPv4

DHCPv4 enables a client to dynamically obtain a valid IPv4 address.

With the rapid growth in network scale and complexity, network configuration becomes more difficult. The location of hosts (such as laptops and wireless terminals) changes, and the number of hosts has exceeded the number of available IP addresses. The Dynamic Host Configuration Protocol Version 4 (DHCPv4) was developed to solve these problems.

2.2 DHCPv4 Supported by the NE80E/40E

The NE80E/40E can be configured as a DHCP server to allocate IP addresses to users or as a DHCP relay agent to relay the IP addresses assigned by a remote DHCP server to users.

The NE80E/40E supports the DHCPv4 application based on the global address pool, can be configured as a DHCPv4 relay agent or a DHCPv4 server, and provides measures to ensure the security of the DHCPv4 service. Users can obtain IP addresses from the NE80E/40E that functions as a DHCPv4 server, or from a remote DHCPv4 server through the NE80E/40E that functions as a DHCPv4 relay agent.

The NE80E/40E also supports extended DHCPv4 functions, including DHCPv4 options and DHCPv4 broadcast.

2.3 Configuring an IPv4 Address Pool

After an IPv4 address pool is configured, users can obtain IPv4 addresses from the IPv4 address pool.

2.3.1 Establishing the Configuration Task

Before configuring an IPv4 address pool, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

On a large network, if the PCs cannot be directly connected to the routing device through Ethernet interfaces but have to be connected to it through other devices, a network-side DHCPv4 server needs to be configured so that the PCs can dynamically obtain IP addresses from the routing device, as shown in Figure 2-1.

Figure 2-1 IP address assignment for Ethernet users (without any relay agent in the networking) [figure: several DHCP clients, a DHCP server, a DNS server, and a NetBIOS server on one network]

A network-side DHCPv4 server usually works with a DHCPv4 relay agent, as shown in Figure 2-2.

Figure 2-2 IP address assignment for Ethernet users (with a relay agent in the networking) [figure: DHCP clients reach RouterA (DHCP server) through RouterB (DHCP relay); a DNS server and a NetBIOS server sit beside the DHCP server]

NOTE

The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.

A BAS-side address pool needs to be configured to assign IP addresses to access users. If the NE80E/40E needs to allocate IP addresses to users, you must configure a local address pool on the NE80E/40E, as shown in Figure 2-3; if a DHCPv4 or BOOTP server needs to allocate IP addresses to users, you must configure a remote address pool on the NE80E/40E, as shown in Figure 2-4.

Figure 2-3 Networking diagram for address assignment from the local address pool [figure: subscriber@isp1 connects through a Switch to the NE80E/40E acting as DHCP Server, with a DNS Server and the Internet behind it]

Figure 2-4 Networking diagram for address assignment from the remote address pool [figure: subscriber@isp2 connects through the Access Network to the NE80E/40E acting as DHCP Relay, which forwards to a remote DHCP Server; the Internet lies beyond]

Pre-configuration Tasks

Before configuring an IP address pool, complete the following task:

l Configuring the DHCPv4 Server if a remote address pool is used

NOTE

If two remote address pools are bound to the same DHCP server but the configuration of the DHCP server is not consistent with both remote address pools, one of the remote address pools becomes invalid. Therefore, ensure that the configuration of the DHCP server is consistent with both address pools, or bind each remote address pool to its own DHCP server.

Data Preparation

To configure an IP address pool, you need the following data.

No.  Data
1    Name and gateway address of the address pool
2    Number of address segments and start and end addresses of each address segment
3    (Optional) Address lease of the address pool, IP address lease extension, and VPN instance
4    (Optional) IP addresses and the MAC addresses that need to be bound statically
5    (Optional) IP address of the DNS server, DNS suffix, IP address of the NetBIOS server, and IP address of the SIP server
6    (Optional) Self-defined DHCPv4 options
7    (Optional) Excluded or conflicted IP addresses in the address pool and IP addresses to be reclaimed

2.3.2 Creating an Address Pool

It is essential to configure the type, name, gateway, and address segment of an address pool.

Context

NOTE

The access-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip pool pool-name [ bas { local | remote } | server ]

An address pool is created and the address pool view is displayed.

Up to 4096 address pools can be configured in the system. The address pool names must be unique.

Step 3 Run:
gateway ip-address mask

The gateway address of the pool is configured.

The subnet mask and gateway address are used to determine whether the IP addresses in the address segments are in the same subnet as the gateway. Therefore, you must configure the gateway address and mask before configuring the address segments.

Step 4 Run:
section section-num start-ip-address [ end-ip-address ]

An address segment is configured.

Up to eight address segments can be configured in an address pool. An address segment contains at most 65536 IP addresses. The address segments cannot overlap each other.

Step 5 (Optional) Run:
lease days [ hours [ minutes ] ]

The lease of the address pool is configured.

By default, the lease of the IP addresses in an address pool is three days. If the lease is set to 0, the lease of the IP addresses is not limited.

Step 6 (Optional) Run:
rebinding-time days [ hours [ minutes ] ]

The rebinding time of IP addresses is set.

By default, the rebinding time of IP addresses is 87.5% of the lease of the address pool.

Step 7 (Optional) Run:
renewal-time days [ hours [ minutes ] ]

The renewal time of IP addresses is set.

By default, the renewal time of IP addresses is 50% of the lease of the address pool.

Step 8 (Optional) Run:
recycle start-ip-address [ end-ip-address ]

The status of these IP addresses is set to Idle.

When the user is not online, you can reclaim the occupied IP address manually by running this command.

Step 9 (Optional) Run:
reserved ip-address { lease | mac }

The reservation type of an IP address for a user is configured.

By default, IP addresses are not reserved. When a user goes offline, the IP address is reclaimed.

If a user is assigned a lease of four days during the first login, the user can still use the originally allocated IP address provided that the user goes online for the second time within four days. This is called lease-based IP address reservation.

If a user's MAC address and the allocated IP address are recorded during the first login, the user can still use the originally allocated IP address when going online for the second time. This is called MAC-address-based IP address reservation.

Step 10 (Optional) Run:
vpn-instance instance-name

A VPN instance is bound to the address pool.

Step 11 (Optional) Run:
warning-threshold threshold-value

The alarm threshold for the address usage of an address pool is set. If the address usage exceeds the threshold, an alarm is generated on the router.

By default, the alarm threshold for the address usage of an address pool is set to 100.

----End

2.3.3 (Optional) Configuring Static IP Address Binding

The IP address pool configured for static address bindings contains special IP addresses, which are generally assigned to servers in need of fixed IP addresses or users with particular requirements.

Context

NOTE

The BAS-side address pool cannot be configured on the X1 or X2 models of NE80E/40E.

Based on the clients' needs, you can adopt either static address binding or dynamic address assignment.

When dynamic address assignment is used, a range of IP addresses to be assigned needs to be specified; when static address binding is used, the binding can be considered a special DHCPv4 address pool with only one address.

Do as follows on the router that functions as a DHCPv4 server:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip pool pool-name bas local

An IP address pool is created and the IP address pool view is displayed.

Step 3 (Optional) Run:
excluded-ip-address start-ip-address [ end-ip-address ]

Some IP addresses are disabled so that they cannot be assigned to clients.

Step 4 (Optional) Run:
static-bind ip-address ip-address mac-address mac-address

Certain IP-MAC addresses are statically bound.

----End

Follow-up Procedure

Some clients may need fixed IP addresses that are bound to their MAC addresses. When the client with a specific MAC address uses DHCPv4 to apply for an IP address, the DHCPv4 server finds the fixed IP address bound to that MAC address and assigns it to the client.
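Added example, not Huawei code: a Python model of the address-pool rules that 2.3.2 and 2.3.3 state (gateway subnet membership, at most eight non-overlapping sections of at most 65536 addresses, excluded addresses, static IP-to-MAC bindings, and the default renewal and rebinding timers), so a pool definition can be checked before it is typed into the router. The pool name, addresses, MAC address, and the reading that a statically bound address must lie in a section and not be excluded are assumptions.

```python
"""Model of the NE80E/40E BAS-side IPv4 address-pool rules from 2.3.2 and 2.3.3.

Added example (not Huawei code): every check below mirrors a sentence of the guide;
the sample pool, addresses and MAC address are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

MAX_SECTIONS = 8           # "Up to eight address segments can be configured in an address pool"
MAX_SECTION_SIZE = 65536   # "An address segment contains at most 65536 IP addresses"
DEFAULT_LEASE_DAYS = 3     # "By default, the lease ... is three days"


def lease_seconds(days: int, hours: int = 0, minutes: int = 0) -> int:
    """Seconds for the 'lease days [ hours [ minutes ] ]' form; 0 means unlimited."""
    return (days * 24 + hours) * 3600 + minutes * 60


def default_timers(lease: int) -> tuple[int, int]:
    """(renewal-time, rebinding-time) defaults: 50% and 87.5% of the lease."""
    return lease // 2, lease * 7 // 8


@dataclass
class AddressPool:
    name: str
    gateway: IPv4Address
    mask: IPv4Address
    sections: dict[int, tuple[IPv4Address, IPv4Address]] = field(default_factory=dict)
    excluded: set[IPv4Address] = field(default_factory=set)
    static_bind: dict[str, IPv4Address] = field(default_factory=dict)  # MAC -> IP
    lease: int = lease_seconds(DEFAULT_LEASE_DAYS)

    @property
    def subnet(self) -> IPv4Network:
        # The gateway and mask define the subnet that every section must fall into.
        return IPv4Network((self.gateway, str(self.mask)), strict=False)

    def add_section(self, num: int, start: str, end: str | None = None) -> None:
        """Mirror 'section section-num start-ip-address [ end-ip-address ]' with its checks."""
        lo, hi = IPv4Address(start), IPv4Address(end or start)
        if num in self.sections:
            raise ValueError(f"section {num} already exists")
        if len(self.sections) >= MAX_SECTIONS:
            raise ValueError("at most 8 sections per pool")
        if hi < lo:
            raise ValueError("end address precedes start address")
        if int(hi) - int(lo) + 1 > MAX_SECTION_SIZE:
            raise ValueError("section holds more than 65536 addresses")
        if lo not in self.subnet or hi not in self.subnet:
            raise ValueError(f"section is not in the gateway subnet {self.subnet}")
        for other_lo, other_hi in self.sections.values():
            if lo <= other_hi and other_lo <= hi:
                raise ValueError("sections must not overlap")
        self.sections[num] = (lo, hi)

    def exclude(self, start: str, end: str | None = None) -> None:
        """Mirror 'excluded-ip-address start-ip-address [ end-ip-address ]'."""
        lo, hi = int(IPv4Address(start)), int(IPv4Address(end or start))
        self.excluded.update(IPv4Address(i) for i in range(lo, hi + 1))

    def is_assignable(self, ip: str) -> bool:
        """An address can be handed out if a section covers it and it is not excluded."""
        addr = IPv4Address(ip)
        if addr in self.excluded:
            return False
        return any(lo <= addr <= hi for lo, hi in self.sections.values())

    def bind_static(self, ip: str, mac: str) -> None:
        """Mirror 'static-bind ip-address ... mac-address ...' (assumption: IP must be assignable)."""
        if not self.is_assignable(ip):
            raise ValueError(f"{ip} is excluded or outside every section")
        self.static_bind[mac.lower()] = IPv4Address(ip)

    def lookup_static(self, mac: str) -> IPv4Address | None:
        """What the server does for a bound MAC: return its fixed IP, else None."""
        return self.static_bind.get(mac.lower())

    def capacity(self) -> int:
        """Assignable addresses: every section address that is not excluded."""
        return sum(1 for lo, hi in self.sections.values()
                   for i in range(int(lo), int(hi) + 1)
                   if IPv4Address(i) not in self.excluded)

    def usage_exceeds_threshold(self, assigned: int, threshold: int = 100) -> bool:
        """'warning-threshold' check: alarm when address usage in percent exceeds the threshold."""
        return assigned * 100 / self.capacity() > threshold


def build_example_pool() -> AddressPool:
    """Constructed sample: a local BAS pool with one section, one excluded address, one binding."""
    pool = AddressPool("pool1", IPv4Address("10.10.0.1"), IPv4Address("255.255.0.0"))
    pool.add_section(0, "10.10.1.2", "10.10.1.254")
    pool.exclude("10.10.1.100")
    pool.bind_static("10.10.1.50", "00e0-fc12-3456")  # constructed MAC in VRP H-H-H form
    return pool
```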

2.3.4 (Optional) Configuring DNS Services for the DHCPv4 Client

You can configure DNS server parameters for the DHCPv4 client. This allows the DHCPv4 client to obtain DNS services automatically. Then, users can use easy-to-memorize domain names that mean a lot to them rather than complicated IP addresses.

Context

NOTE

The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.

Do as follows on the DHCPv4 server that provides DNS services for the DHCPv4 clients:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip pool pool-name [ bas { local | remote } | server ]

An IP address pool is created and the IP address pool view is displayed.

Step 3 Run:
dns-suffix suffix-name

The DNS suffix of the IP address pool is configured.

NOTE

This command is valid for only the local address pool and server address pool.

Step 4 Run:
dns-server ip-address &<1-8>

The IP address of the DNS server of the address pool is configured.

----End

Follow-up Procedure

On the DHCPv4 server, designate a DNS suffix for each address pool used to assign IP addresses to clients.

When a host accesses the Internet by using the DNS suffix, the DNS server resolves the DNS suffix into an IP address. Therefore, to ensure that the client successfully accesses the Internet, the DHCPv4 server also needs to specify the DNS server address for the client when it assigns IP addresses.

To improve network reliability, you can configure several DNS servers.

2.3.5 (Optional) Configuring NetBIOS Services for the DHCPv4 Client

You can configure NetBIOS services for the DHCPv4 client to enable users to obtain NetBIOS services automatically. Then, users can use easy-to-memorize host names rather than complicated IP addresses.

Context

NOTE

The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.

Do as follows on the router that provides NetBIOS services for the DHCPv4 clients:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip pool pool-name [ bas { local | remote } | server ]

An address pool is created and the address pool view is displayed.

Step 3 Run:
netbios-name-server ip-address &<1-8>

The IP address of the NetBIOS server of the DHCPv4 client is configured.

Step 4 Run:netbios-type { b-node | h-node | m-node | p-node }

The NetBIOS node type of the DHCPv4 client is configured.

By default, the node type of the DHCPv4 client is not specified.

----End

Follow-up Procedure

For clients running Microsoft operating systems, a Windows Internet Naming Service (WINS) server resolves host names to IP addresses for hosts that communicate using the NetBIOS protocol. Most Windows clients need to be configured with a WINS server.

When a DHCPv4 client communicates across a WAN using the NetBIOS protocol, a mapping between the host name and the IP address must be set up. The NetBIOS node types, which differ in how they obtain this mapping, are as follows:

- b-node: "b" stands for broadcast. A b-node obtains the mapping by broadcasting a name query on the local segment.

- h-node: "h" stands for hybrid. An h-node queries the NetBIOS name server first and falls back to broadcast if the server does not answer.

- m-node: "m" stands for mixed. An m-node broadcasts first and falls back to the NetBIOS name server if the broadcast is not answered.

- p-node: "p" stands for peer-to-peer. A p-node obtains the mapping only by querying the NetBIOS name server.

2.3.6 (Optional) Configuring SIP Services for the DHCPv4 Client

You can configure SIP services for the DHCPv4 client to support multimedia communications such as multimedia conferences, Internet telephony, distance education, and remote medical treatment.


Context

NOTE

BAS-side address pools cannot be configured on the X1 or X2 models of the NE80E/40E.

Do as follows on the router that provides SIP services for the DHCPv4 clients:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip pool pool-name [ bas local | server ]

An address pool is created and the address pool view is displayed.

Step 3 (Optional) Run: sip-server { { ip-address ip-address } &<1~2> | { list server-name } &<1~2> }

The IP address or name of the SIP server is specified.

By default, no SIP server is specified.

----End

2.3.7 (Optional) Configuring DHCPv4 Self-Defined Options

You can configure DHCPv4 self-defined options to provide additional control information and parameters to the clients.

Context

NOTE

The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.

Do as follows on the router that functions as a DHCPv4 server:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip pool pool-name [ bas local | server ]

An IP address pool is created and the IP address pool view is displayed.

Step 3 Run: option code { ip ip-address | string string }

A DHCPv4 option is configured.

----End


Follow-up Procedure

The Option field in DHCPv4 packets carries control information and parameters beyond the fixed fields of the packet. If the DHCPv4 server is configured with an option, the DHCPv4 client obtains the configuration information carried in the Option field of the DHCPv4 response packets.

You need to add the options to the attribute list of the DHCPv4 server. For example:

- To set the IP address of a log server to 10.110.204.1, run the option 7 ip 10.110.204.1 command.

- To set the Option 129 field to the string "huawei", run the option 129 string huawei command.

NOTE

Common options, such as those for the gateway, DNS servers, DNS suffix, NetBIOS settings, and lease, are generated by the server from its own configuration and cannot be redefined with the option command. The reserved option codes are 3, 6, 15, 44, 46, 50 to 54, and 57 to 59. If you try to set one of these codes, the system reports that resetting the value is not allowed.

The option command makes DHCPv4 response packets carry the specified options.

Before using this command, you need to know the function of each option. Option 77 (User Class) identifies the type or application of a DHCPv4 client. Based on the User Class carried in the Option field, the DHCPv4 server selects a suitable address pool and configuration parameters. Option 77 is normally configured on the client, not on the server.
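The pool commands of sections 2.3.4 to 2.3.7 all end up as standard DHCPv4 option TLVs in the server's OFFER and ACK packets. The following Python is an added example, not Huawei code: it models those commands as methods on a pool object, refuses the reserved option codes listed in the note above, and returns the bytes the pool would advertise. The option 120 encoding used for sip-server (RFC 3361 encoding 1, an address list) and the option 46 node-type values (RFC 2132) are taken from the RFCs, not from this guide; all addresses and names are constructed for the example.

```python
"""Option payload of a DHCPv4 address pool (added example, not Huawei code).

Each PoolOptions method mirrors one pool-view command from sections
2.3.4 to 2.3.7; build() returns the RFC 2132 option bytes a server
would place in its OFFER/ACK for that pool.
"""
import ipaddress
import struct

# Codes the guide reserves for the server's own use (3 router, 6 DNS server,
# 15 DNS suffix, 44 NetBIOS name server, 46 NetBIOS node type, 50-54 and
# 57-59 lease/protocol options). `option code ...` must refuse them.
RESERVED_CODES = frozenset({3, 6, 15, 44, 46, *range(50, 55), *range(57, 60)})

# Option 46 values from RFC 2132, keyed by the netbios-type CLI keyword (assumed).
NETBIOS_NODE_TYPES = {"b-node": 1, "p-node": 2, "m-node": 4, "h-node": 8}


def _ips(addrs, limit):
    """Pack 1..limit IPv4 addresses, as the &<1-n> CLI syntax allows."""
    if not 1 <= len(addrs) <= limit:
        raise ValueError(f"expected 1..{limit} addresses, got {len(addrs)}")
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)


def tlv(code, payload):
    """One option as code, length, value."""
    if not 1 <= code <= 254 or len(payload) > 255:
        raise ValueError("option code or payload length out of range")
    return struct.pack("BB", code, len(payload)) + payload


class PoolOptions:
    """Option set of one address pool; each method mirrors a CLI command."""

    def __init__(self):
        self._opts = {}

    def dns_server(self, *addrs):           # dns-server ip-address &<1-8>
        self._opts[6] = _ips(addrs, 8)
        return self

    def dns_suffix(self, name):             # dns-suffix suffix-name
        self._opts[15] = name.encode("ascii")
        return self

    def netbios_name_server(self, *addrs):  # netbios-name-server ip-address &<1-8>
        self._opts[44] = _ips(addrs, 8)
        return self

    def netbios_type(self, keyword):        # netbios-type { b-node | h-node | m-node | p-node }
        self._opts[46] = bytes([NETBIOS_NODE_TYPES[keyword]])
        return self

    def sip_server(self, *addrs):           # sip-server ip-address ... &<1~2>
        # RFC 3361 option 120, encoding 1 = list of IPv4 addresses (assumed format)
        self._opts[120] = b"\x01" + _ips(addrs, 2)
        return self

    def option(self, code, ip=None, string=None):  # option code { ip ... | string ... }
        if code in RESERVED_CODES:
            raise ValueError(f"option {code} is set by a dedicated command; resetting it is not allowed")
        if (ip is None) == (string is None):
            raise ValueError("give exactly one of ip= or string=")
        self._opts[code] = _ips([ip], 1) if ip else string.encode("ascii")
        return self

    def get(self, code):
        """Raw payload configured for one option code, or None."""
        return self._opts.get(code)

    def build(self):
        """Options field as sent in an OFFER/ACK, terminated by option 255."""
        return b"".join(tlv(c, v) for c, v in sorted(self._opts.items())) + b"\xff"
```

Calling `PoolOptions().option(6, ip="10.1.1.1")` raises, which is the behaviour the note above describes for the reserved codes; the DNS server list has to go through `dns_server()` instead, exactly as it has to go through the dns-server command on the router.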

2.3.8 (Optional) Configuring Address Protection

Address protection is applied in special circumstances by locking an IP address pool, excluding an IP address or an IP address segment, setting a conflict flag, or reclaiming an IP address.

Context

NOTE

The BAS-side address pool cannot be configured on the X1 or X2 models of the NE80E/40E.

Methods of protecting addresses in an address pool are as follows:

- Locking the IP address pool

You can lock an IP address pool by running a command. When an IP address pool is locked, IP addresses in the pool are no longer assigned to users.

This method is usually used when the address pool needs to be deleted while users are still using IP addresses from it. If you lock the address pool, no more IP addresses are assigned. After all users log out and the occupied IP addresses are released, you can delete the address pool.

- Excluding IP addresses

You can use this method on a complex network to keep certain IP addresses, for example statically assigned ones, out of dynamic allocation.

- Reclaiming IP addresses

If an IP address in the address pool is in the Occupied state but no user is using it, you can reclaim the IP address by running the related command.

Do as follows on the router:


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip pool pool-name [ server ]

An IP address pool is created and the IP address pool view is displayed.

Step 3 Run: lock

The address pool is locked.

Or run:

excluded-ip-address start-ip-address [ end-ip-address ]

An IP address or an address segment is excluded.

NOTE

Exclude the addresses that you assign statically to hosts so that the pool does not lease them dynamically; this command is required when you configure static IP addresses.

Or run:

recycle start-ip-address [ end-ip-address ]

An IP address or an address segment is reclaimed.

----End

2.3.9 Checking the Configuration

After configuring IP address pools, you can view the configurations of all IP address pools or of a specified IP address pool.

Prerequisite

All configurations of the IP address pool are complete.

Procedure

- Run the display ip pool [ name pool-name [ section-num [ start-ip-address [ end-ip-address ] ] | all | used ] ] [ vpn-instance instance-name ] command to check the configuration of the IP address pool.

----End

Example

Run the display ip pool command to view information about all the address pools configured in the system.

<HUAWEI> display ip pool
-----------------------------------------------------------------------
  Pool-Name      : test
  Pool-No        : 1
  Position       : Local              Status         : Unlocked
  Gateway        : 89.0.0.1
  Mask           : 255.0.0.0
  Vpn instance   : --
-----------------------------------------------------------------------
  Pool-Name      : test1
  Pool-No        : 6
  Position       : Local              Status         : Unlocked
  Gateway        : 40.50.60.1
  Mask           : 255.255.255.0
  Vpn instance   : --
  IP address pool Statistic
    Local      :2         Remote     :0         Relay      :0
  IP address Statistic
    Total      :51695     Used       :0         Free       :51695
    Conflicted :0         Disable    :0

Run the display ip pool [ name pool-name [ section-num [ start-ip-address [ end-ip-address ] ] | all | used ] ] [ vpn-instance instance-name ] command to view detailed information about a specified address pool.

<HUAWEI> display ip pool name huawei
  Pool-Name      : huawei
  Pool-No        : 0
  Lease          : 3 Days 0 Hours 0 Minutes
  NetBois Type   : N-Node
  DNS-Suffix     : -
  DNS1           : 10.10.10.1
  Position       : Local              Status         : Unlocked
  Gateway        : 10.10.10.2
  Mask           : 255.255.255.0
  Vpn instance   : --
  Profile-Name   : -
  Server-Name    : -
  Codes: CFLCT(conflicted)
  ---------------------------------------------------------------------------------------
  ID   start          end            total   used   idle   CFLCT   disable   reserved   static-bind
  ---------------------------------------------------------------------------------------
  0    10.10.10.3     10.10.10.100   98      0      98     0       0         0          0
  ---------------------------------------------------------------------------------------

2.4 Configuring a DHCPv4 Server Group

A DHCPv4 server group is required only when a remote address pool is used to assign IP addresses to users that access through a BAS interface.

Context

NOTE

DHCPv4 server groups cannot be configured on the X1 or X2 models of the NE80E/40E.

2.4.1 Establishing the Configuration Task

Before configuring a DHCPv4 server group, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.


Applicable Environment

The NE80E/40E can be used as a DHCPv4 server to assign IP addresses to users. A remote DHCPv4 server can also be used, with the NE80E/40E functioning as a DHCPv4 relay agent, to assign IP addresses to users.

When IP addresses are allocated by a remote DHCPv4 server, as shown in Figure 2-4, you need to configure the IP address of the remote DHCPv4 server on the NE80E/40E so that the NE80E/40E can communicate with the DHCPv4 server. The NE80E/40E manages DHCPv4 servers by using DHCPv4 server groups.

NOTE

A DHCPv4 server group is required only when the remote address pool is used to assign IP addresses to BAS-side users.

Pre-configuration Tasks

None.

Data Preparation

To configure a DHCPv4 server group, you need the following data.

No. Data

1 Name of the DHCPv4 server group

2 IP addresses, VPN instances, and weights of the primary and secondary DHCPv4 servers

3 (Optional) Status of the DHCPv4 release agent function (enabled or disabled)

2.4.2 Creating a DHCPv4 Server Group

DHCPv4 servers in a group can work in load balancing, master/backup, or polling mode.

Context

Do as follows on the router:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:dhcp-server group group-name

A DHCPv4 server group is created and the DHCPv4 server group view is displayed.

Step 3 Run:dhcp-server ip-address [ vpn-instance vpn-instance ] [ weight weight-value ]


The DHCPv4 servers are configured.

A primary DHCPv4 server and a secondary DHCPv4 server can be configured in a DHCPv4 server group.

Step 4 (Optional) Run: dhcp-server algorithm { loading-share | master-backup | polling }

The algorithm for selecting DHCPv4 servers is set.

When there are two servers in a DHCPv4 server group, you can choose the load balancing, master/backup, or polling algorithm for selecting between them.

- Load balancing: The NE80E/40E distributes requests across the servers according to their configured weights.

- Master/backup: The NE80E/40E uses one server as the master and the other as the backup.

- Polling: The NE80E/40E sends request packets to all servers and selects the server whose reply arrives first. Subsequent packets for that client are sent only to the selected server, except for discover and select request packets, which continue to go to all servers.

By default, the algorithm for selecting DHCPv4 servers is master/backup.

Step 5 (Optional) Run:release-agent

The DHCPv4 release agent function is configured.

By default, the DHCPv4 release agent function is enabled.

With the DHCPv4 release agent function, the NE80E/40E, instead of the user, sends a DHCPv4 release packet to the DHCPv4 server when the user goes offline, so the lease is returned to the pool promptly.

----End
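The three selection algorithms and the release-agent behaviour described above are easier to reason about in code. The following Python is an added example, not Huawei code: it models a server group with a primary and a secondary server and returns, for each client message, the servers the message would be forwarded to. The server addresses and weights are constructed, and the client hash used to spread clients in load-balancing mode is my own choice (the guide only says distribution follows the weights).

```python
"""DHCPv4 server-group selection (added example, not Huawei code).

Models a dhcp-server group holding a primary and a secondary server and
the three `dhcp-server algorithm` modes: loading-share (by weight),
master-backup, and polling (first responder wins, then sticks).
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Server:
    ip: str
    weight: int = 0       # dhcp-server ip-address weight weight-value
    up: bool = True       # Status column of display dhcp-server group


@dataclass
class ServerGroup:
    name: str
    primary: Server
    secondary: Optional[Server] = None
    algorithm: str = "master-backup"   # default per the guide
    release_agent: bool = True         # enabled by default
    pinned: Dict[str, str] = field(default_factory=dict)  # polling: client -> server ip

    def alive(self) -> List[Server]:
        return [s for s in (self.primary, self.secondary) if s is not None and s.up]

    def targets(self, client_mac: str, msg_type: str) -> List[Server]:
        """Servers a client's message is forwarded to under the group's algorithm."""
        alive = self.alive()
        if not alive:
            return []
        if self.algorithm == "master-backup":
            return [alive[0]]                 # primary while up, otherwise secondary
        if self.algorithm == "loading-share":
            return [self._weighted(alive, client_mac)]
        if self.algorithm == "polling":
            if msg_type in ("DISCOVER", "REQUEST"):   # discover and select go to all
                return alive
            pinned = self.pinned.get(client_mac)
            return [s for s in alive if s.ip == pinned] or alive
        raise ValueError(f"unknown algorithm {self.algorithm}")

    def note_reply(self, client_mac: str, server_ip: str) -> None:
        """Polling: the first server to answer the DISCOVER keeps the client."""
        self.pinned.setdefault(client_mac, server_ip)

    def user_offline(self, client_mac: str, client_ip: str) -> List[str]:
        """With release-agent on, the router itself sends DHCPRELEASE for the user."""
        if not self.release_agent:
            return []
        return [s.ip for s in self.targets(client_mac, "RELEASE")]

    @staticmethod
    def _weighted(alive: List[Server], client_mac: str) -> Server:
        """Deterministic weighted pick so one client always lands on one server."""
        total = sum(s.weight for s in alive)
        if total == 0:
            return alive[0]
        h = int(hashlib.sha256(client_mac.lower().encode()).hexdigest(), 16) % total
        for s in alive:
            h -= s.weight
            if h < 0:
                return s
        return alive[-1]


def share(group: ServerGroup, n_clients: int) -> Dict[str, int]:
    """How n_clients constructed MACs spread over the group's servers."""
    counts: Dict[str, int] = {}
    for i in range(n_clients):
        mac = f"02:00:00:00:{i // 256:02x}:{i % 256:02x}"
        ip = group.targets(mac, "DISCOVER")[0].ip
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

With weights 3 and 1, `share(group, 400)` lands roughly 300 clients on the primary; with the primary marked down, master-backup mode falls through to the secondary without any reconfiguration.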

2.4.3 Associating the IP Address Pool and the DHCPv4 Server Group

Only the remote IP address pool needs to be associated with the DHCPv4 server group.

Context

Do as follows on the router:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:ip pool pool-name bas remote

The remote address pool view is displayed.

Step 3 Run:dhcp-server group group-name


The address pool is associated with a DHCPv4 server group.

----End

2.4.4 Checking the Configuration

After configuring DHCPv4 server groups, you can view the configurations of all DHCPv4 server groups.

Prerequisite

The configurations of the DHCPv4 server groups are complete.

Procedure

- Run the display dhcp-server group [ group-name ] command to check the configuration of the DHCPv4 server group.

----End

Example

Run the display dhcp-server group command to view information about all DHCPv4 server groups.

<HUAWEI> display dhcp-server group
  Group-Name       : remote
  Release-Agent    : Support
  Primary-Server   : -          Vpn instance : --     Weight : 0     Status : -
  Secondary-Server : -          Vpn instance : --     Weight : 0     Status : -
  Algorithm        : master-backup
  Source           : --
  Giaddr           : --
  Group-Name       : g1
  Release-Agent    : Support
  Primary-Server   : -          Vpn instance : --     Weight : 0     Status : -
  Secondary-Server : -          Vpn instance : --     Weight : 0     Status : -
  Algorithm        : master-backup
  Source           : --
  Giaddr           : --
  2 DHCP server group(s) in total

2.5 Configuring DHCPv4 Relay

When a client and a DHCPv4 server reside on different network segments, a DHCPv4 relay agent must be configured to carry the client's requests to the server and the assigned IP address back to the client.


2.5.1 Establishing the Configuration Task

Before configuring DHCPv4 relay, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

If no DHCPv4 server is configured on the local network, the DHCPv4 relay function can be enabled on another device on the same network segment. The DHCPv4 request from the client is then forwarded to the DHCPv4 server by the configured relay agent, as shown in Figure 2-2.

NOTE

There should be no more than four relay agents between the DHCPv4 server and the client; otherwise, DHCPv4 packets are discarded.

Pre-configuration Tasks

Before configuring DHCPv4 relay, complete the following tasks:

- Configuring a DHCPv4 server
- Configuring the interface where DHCPv4 relay needs to be enabled
- Configuring the routes from the relay agent to the DHCPv4 server

Data Preparation

To configure DHCPv4 relay, you need the following data.

No. Data

1 IP address of the DHCPv4 server

2 Number of the interface where DHCPv4 relay needs to be enabled

3 Number of the VLAN where DHCPv4 relay needs to be enabled

4 (Optional) IP address to be released and MAC address bound to the IP address

5 (Optional) Code of the DHCP option

6 IP address of the relay agent

2.5.2 Configuring Relay

You can configure DHCPv4 relay by enabling DHCPv4 relay, configuring the IP address of the DHCPv4 server, and enabling the DHCP server to assign IP addresses on different network segments to clients of different types.

Context

When a client and a DHCPv4 server reside on different network segments, you can configure an interface to function as the DHCPv4 relay agent and specify the DHCPv4 server address to which requests are relayed. The DHCPv4 relay agent then relays the request packet sent from the client to the DHCPv4 server, and the client can be assigned an IP address.

You can configure relay in the interface view or system view.

NOTE

Because the DHCPv4 client may send broadcast packets during DHCPv4 configuration, the interface where DHCPv4 relay is enabled must be able to transmit broadcast packets. The IP address of the interface must be on the same network segment as the IP addresses in the address pool on the DHCPv4 server, because the server selects the pool from the relay agent address (giaddr) it receives. Up to 20 DHCPv4 server addresses can be configured on an interface that relays packets to DHCPv4 servers.

Do as follows on the router that functions as the DHCPv4 relay agent:

Procedure

- Configure DHCPv4 relay in the interface view.

  1. Run: system-view

     The system view is displayed.

  2. Run: interface interface-type interface-number

     The interface view is displayed.

  3. Run: ip address ip-address { mask | mask-length }

     The primary IP address of the interface is configured.

  4. Run: dhcp select relay

     DHCPv4 relay is enabled on the interface.

  5. Run: ip relay address ip-address [ dhcp-option { 60 [ option-text ] | code } ]

     The IP address of the DHCPv4 server for which the interface functions as the relay agent is configured.

  6. Run: ip relay giaddr ip-address [ dhcp-option { 60 [ option-text ] | code } ]

     The DHCP option is associated with the IP address of the relay agent. This allows the DHCP server to assign IP addresses on different network segments to clients of different types.

- Configure DHCPv4 relay in the system view.

  1. Run: system-view

     The system view is displayed.

  2. Run: ip relay address ip-address { all | interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] | interface interface-type interface-number | vlan vlan-id }

     The IP addresses of the DHCPv4 servers for which multiple interfaces function as the relay agent are configured.

----End
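The interface-view procedure above configures three things on the relay: which servers receive a client's request, which relay agent address (giaddr) is stamped into it, and, through the dhcp-option 60 keyword, how the client's vendor class steers both choices. The following Python is an added example, not Huawei code, that models that forwarding logic for one interface, including the four-relay hop limit from the note in 2.5.1 and the return path for server replies. All packet bytes are constructed here; the check that drops replies from servers not configured on the interface is my own hardening and not a documented router function.

```python
"""DHCPv4 relay-agent forwarding (added example, not Huawei code).

Models one interface configured with `dhcp select relay`, several
`ip relay address ... [dhcp-option 60 option-text]` entries and
`ip relay giaddr ... [dhcp-option 60 option-text]`: the client's vendor
class (option 60) selects the server and the giaddr, the hop limit is
enforced, and server replies are returned to the client.
"""
import ipaddress
import struct

MAX_RELAY_HOPS = 4           # the guide: more than four relay agents -> packet discarded
MAX_SERVERS_PER_IFACE = 20   # the guide: up to 20 server addresses per relay interface
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # fixed 236-byte header
MAGIC = b"\x63\x82\x53\x63"
ZERO = b"\0\0\0\0"


def packed(addr):
    return ipaddress.IPv4Address(addr).packed


def build(op, xid, chaddr, opts, hops=0, flags=0, ciaddr="0.0.0.0",
          yiaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Assemble a BOOTP/DHCP packet; op 1 = request, 2 = reply."""
    hdr = BOOTP.pack(op, 1, 6, hops, xid, 0, flags, packed(ciaddr), packed(yiaddr),
                     ZERO, packed(giaddr), chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([c, len(v)]) + v for c, v in opts.items())
    return hdr + MAGIC + body + b"\xff"


def parse(pkt):
    """Return (header dict, {option code: value bytes})."""
    f = BOOTP.unpack_from(pkt)
    hdr = dict(op=f[0], hops=f[3], xid=f[4], flags=f[6], ciaddr=f[7],
               yiaddr=f[8], giaddr=f[10], chaddr=f[11][:6])
    opts, i = {}, BOOTP.size + len(MAGIC)
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                # pad
            i += 1
            continue
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return hdr, opts


class RelayInterface:
    def __init__(self, ip):
        self.ip = ip          # primary interface address; default giaddr
        self.servers = []     # (server ip, option-60 text or None)
        self.giaddrs = []     # (giaddr, option-60 text or None)

    def relay_address(self, server, option60=None):   # ip relay address ...
        if len(self.servers) >= MAX_SERVERS_PER_IFACE:
            raise ValueError("interface already has 20 relay addresses")
        self.servers.append((server, option60))

    def relay_giaddr(self, giaddr, option60=None):    # ip relay giaddr ...
        self.giaddrs.append((giaddr, option60))

    @staticmethod
    def _select(entries, vendor_class):
        """Entries whose option-60 text matches the client, else the untagged ones."""
        tagged = [ip for ip, m in entries if m is not None and vendor_class and m in vendor_class]
        return tagged or [ip for ip, m in entries if m is None]

    def from_client(self, pkt):
        """Forward a client request: list of (server ip, packet), or [] if dropped."""
        hdr, opts = parse(pkt)
        if hdr["op"] != 1 or hdr["hops"] >= MAX_RELAY_HOPS:
            return []
        vendor = opts.get(60, b"").decode("ascii", "replace")
        out = bytearray(pkt)
        out[3] = hdr["hops"] + 1
        if hdr["giaddr"] == ZERO:      # only the first relay sets giaddr
            giaddr = (self._select(self.giaddrs, vendor) or [self.ip])[0]
            out[24:28] = packed(giaddr)
        return [(s, bytes(out)) for s in self._select(self.servers, vendor)]

    def from_server(self, pkt, src_ip):
        """Return (destination, packet) for a server reply, or None to drop it."""
        hdr, _ = parse(pkt)
        if hdr["op"] != 2 or src_ip not in {s for s, _ in self.servers}:
            return None                # reply from an unconfigured server: drop (my hardening)
        known = {packed(g) for g, _ in self.giaddrs} | {packed(self.ip)}
        if hdr["giaddr"] not in known:
            return None                # not addressed to this relay
        if hdr["ciaddr"] != ZERO:
            dest = str(ipaddress.IPv4Address(hdr["ciaddr"]))
        elif hdr["flags"] & 0x8000:    # client asked for a broadcast reply
            dest = "255.255.255.255"
        else:
            dest = str(ipaddress.IPv4Address(hdr["yiaddr"]))
        return dest, pkt
```

A DISCOVER carrying option 60 "IPTV-STB" is steered to the server and giaddr tagged with that text, so the server picks the STB address pool; a DISCOVER without a vendor class uses the untagged entries and the interface's own address as giaddr, which is the behaviour the note in 2.5.2 relies on when it requires the interface address to match the server's pool.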

2.5.3 Checking the Configuration

After configuring DHCPv4 relay, you can view information about the DHCPv4 relay configuration and statistics.

Prerequisite

All configurations of DHCPv4 relay are complete.

Procedure

- Run the display dhcp relay statistics command to check statistics on DHCPv4 relay.

- Run the display dhcp relay address { all | interface interface-type interface-number | vlan vlan-id } command to check the DHCPv4 configuration of the interfaces enabled with DHCPv4 relay.

----End

Example

Run the display dhcp relay address command to view the DHCPv4 relay configuration of all interfaces.

<HUAWEI> display dhcp relay address all
 ** GigabitEthernet0/0/0 DHCP Relay Address **
  Dhcp Option     Relay Agent IP     Server IP
  *               -                  10.10.1.2

 ** GigabitEthernet2/0/0 DHCP Relay Address **
  Dhcp Option     Relay Agent IP     Server IP
  *               -                  10.10.1.2

 ** GigabitEthernet2/0/0.100 DHCP Relay Address **
  Dhcp Option     Relay Agent IP     Server IP
  *               -                  10.10.1.2

 ** GigabitEthernet2/0/1 DHCP Relay Address **
  Dhcp Option     Relay Agent IP     Server IP
  *               -                  10.10.1.2

Run the display dhcp relay statistics command. If DHCPv4 relay statistics are displayed, such as the number of malformed DHCPv4 packets and the counts of the various DHCPv4 packet types, the configuration has succeeded.

<HUAWEI> display dhcp relay statistics
  Bad Packets received:                   0
  DHCPv4 packets received from clients:   2
    DHCPv4 DISCOVER packets received:     1
    DHCPv4 REQUEST packets received:      1
    DHCPv4 INFORM packets received:       0
    DHCPv4 DECLINE packets received:      0
  DHCPv4 packets received from servers:   2
    DHCPv4 OFFER packets received:        1
    DHCPv4 ACK packets received:          1
    DHCPv4 NAK packets received:          0
  DHCPv4 packets sent to servers:         1
  DHCPv4 packets sent to clients:         1
    Unicast packets sent to clients:      0
    Broadcast packets sent to clients:    0

2.6 Adjusting DHCPv4 Service Parameters

You can adjust DHCPv4 service parameters to enhance the security of the DHCPv4 service.

2.6.1 Establishing the Configuration Task

Before adjusting DHCPv4 parameters, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

After configuring a DHCPv4 server, configure the security functions of the DHCPv4 service. This enhances the security of the DHCPv4 service and prevents unauthorized DHCPv4 servers from assigning invalid IP addresses to clients. By viewing the logs, the administrator can determine whether unauthorized DHCPv4 servers are assigning invalid IP addresses to clients.

Pre-configuration Tasks

Before adjusting DHCPv4 parameters, complete the following task:

l Configuring a DHCPv4 server

Data Preparation

To adjust DHCPv4 parameters, you need the following data.

No. Data

1 Maximum number of DHCPv4 users that are allowed to access a specified board

2 IP address of the DHCPv4 server

3 Number of packets that are allowed to be sent in a specified time period

4 Status of the function of detecting unauthorized DHCPv4 servers (enabled or disabled) and the detection interval if the function is enabled

5 Interval at which ping packets are sent and number of ping packets

6 Interval at which DHCPv4 data is saved

2.6.2 Configuring Global DHCPv4 Parameters

Global DHCPv4 parameters include the maximum number of DHCPv4 access users allowed for a specified board and the limit on the packet transmission rate towards a DHCPv4 server.


Context

Do as follows on the router:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:dhcp slot-id max-sessions user-number

The maximum number of DHCPv4 access users allowed for a specified board is set.

By default, the maximum number of DHCPv4 access users allowed for a specified board is determined by the license file.

Step 3 Run:dhcp-server ip-address [ vpn-instance vpn-instance ] send-discover-speed packet-number time

The limit on the packet transmission rate of a DHCPv4 server group is set.

By default, the packet transmission rate of a DHCPv4 server group is not limited.

----End

2.6.3 Configuring Transparent Transmission of DHCPv4 Packets

You need to configure transparent transmission of DHCPv4 packets when STB users send only one DHCPv4 Discover packet after they restart.

Context

When a user shuts down the STB and restarts it immediately, the NE80E/40E cannot detect that the user went offline and retains the user entry. When it receives the DHCPv4 Discover packet that the STB sends after the restart, the NE80E/40E forces the stale user entry offline and then waits for the user to send another DHCPv4 Discover packet to obtain an address through DHCPv4.

Some STBs, however, send only one DHCPv4 Discover packet after they restart. In this case, the users cannot go online again after shutting down their STBs.

You can configure the function of transparently transmitting DHCPv4 packets to solve this problem. Do as follows on the router:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:dhcp through-packet

The function of transparently transmitting DHCPv4 packets is configured.


By default, the device does not transparently transmit DHCPv4 packets.

----End

2.6.4 Enabling a DHCPv4 Server to Detect Unauthorized DHCPv4 Servers

Enabling a DHCPv4 server to detect unauthorized DHCPv4 servers helps prevent unauthorized DHCPv4 servers from allocating invalid IP addresses to clients.

Context

If a private DHCPv4 server exists on the network, it interacts with the DHCPv4 clients during address application, so clients may obtain incorrect IP addresses and fail to log in to the network. Such a private DHCPv4 server is an unauthorized (rogue) DHCPv4 server.

The logs record the IP addresses of all DHCPv4 servers that allocate IP addresses to clients. By viewing these logs, the administrator can determine whether an unauthorized DHCPv4 server exists.

Do as follows on the NE80E/40E that functions as a DHCPv4 server:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:dhcp server detect

The DHCPv4 server is enabled to detect unauthorized DHCPv4 servers.

By default, this function is disabled.

NOTE

This function can be configured on only network-side devices.

Step 3 Run:dhcp invalid-server-detecting [ interval ]

The interval at which unauthorized DHCPv4 servers are detected is configured.

If the interval at which unauthorized DHCPv4 servers are detected is 0, the NE80E/40E does not detect unauthorized DHCPv4 servers.

NOTE

You can perform this function on only the devices at the BAS side.

----End

2.6.5 Enabling the Detection of an IP Address Conflict

The DHCPv4 server sends ping packets to check whether an IP address is already in use before assigning it, to prevent an IP address conflict.


Context

Before assigning an IP address to a client, the DHCPv4 server needs to detect whether the IP address is already used by another host. This prevents an IP address conflict.

NOTE

Detection of an IP address conflict can be configured on only network-side devices.

Do as follows on the NE80E/40E that functions as a DHCPv4 server:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:dhcp server ping timeout milliseconds

The longest time for the DHCPv4 server to wait for a ping response is configured.

Step 3 Run:dhcp server ping packets number

The maximum number of ping packets sent by the DHCPv4 server is configured.

By default, a maximum of two ping packets are sent and the DHCPv4 server waits at most 500 ms for a ping response.

----End

Follow-up Procedure

Before assigning an address, the DHCPv4 server pings it and waits the configured time for a response. If there is no response within that time, the server re-sends a ping packet to the address until the maximum number of ping packets has been sent. If there is still no response, the DHCPv4 server considers the IP address unused and assigns it; if any ping is answered, the address is marked as conflicted and is not assigned. This ensures that a unique IP address is assigned to the client.
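The address-protection commands of section 2.3.8 (lock, excluded-ip-address, recycle) and the ping check above both act on the state of individual addresses in a pool. The following Python is an added example, not Huawei code, that models both in one allocator: excluded addresses are never leased, a locked pool hands out nothing while existing leases continue, recycle frees entries that are marked occupied without a lease, and every candidate address is probed the configured number of times before assignment. The probe function is injected so the example runs offline; the pool range and client identifiers are constructed.

```python
"""Address-pool protection and conflict probing (added example, not Huawei code).

One allocator that models the pool commands of section 2.3.8 (lock,
excluded-ip-address, recycle) together with the ping check of section
2.6.5 (dhcp server ping packets / timeout). The probe function is
injected so the example runs offline; addresses are constructed.
"""
import ipaddress

FREE, USED, CONFLICT, EXCLUDED = "free", "used", "conflicted", "excluded"


class AddressPool:
    def __init__(self, start, end, ping_packets=2, ping_timeout_ms=500, probe=None):
        first, last = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        self.state = {ipaddress.IPv4Address(i): FREE for i in range(first, last + 1)}
        self.leases = {}                        # ip -> client id
        self.locked = False
        self.ping_packets = ping_packets        # dhcp server ping packets number
        self.ping_timeout_ms = ping_timeout_ms  # dhcp server ping timeout milliseconds
        # probe(ip, timeout_ms) -> True when something answered; default: silence
        self.probe = probe or (lambda ip, timeout_ms: False)

    def _span(self, start, end=None):
        lo = ipaddress.IPv4Address(start)
        hi = ipaddress.IPv4Address(end) if end else lo
        return [ip for ip in self.state if lo <= ip <= hi]

    # section 2.3.8: lock / excluded-ip-address / recycle
    def lock(self):
        """Stop handing out addresses; running leases are untouched."""
        self.locked = True

    def unlock(self):
        self.locked = False

    def exclude(self, start, end=None):
        """Keep statically assigned addresses out of dynamic allocation."""
        for ip in self._span(start, end):
            if ip in self.leases:
                raise ValueError(f"{ip} is leased; release it before excluding")
            self.state[ip] = EXCLUDED

    def recycle(self, start, end=None):
        """Free addresses that show as occupied although no user holds them."""
        freed = []
        for ip in self._span(start, end):
            if self.state[ip] == USED and ip not in self.leases:
                self.state[ip] = FREE
                freed.append(ip)
        return freed

    # section 2.6.5: ping before assigning
    def _in_use(self, ip):
        """Probe up to ping_packets times; the first reply marks the address taken."""
        return any(self.probe(ip, self.ping_timeout_ms) for _ in range(self.ping_packets))

    def allocate(self, client_id):
        """Hand the first free, unanswered address to client_id, or None."""
        if self.locked:
            return None
        for ip, st in self.state.items():
            if st != FREE:
                continue
            if self._in_use(ip):
                self.state[ip] = CONFLICT     # appears under CFLCT in display ip pool
                continue
            self.state[ip] = USED
            self.leases[ip] = client_id
            return ip
        return None

    def release(self, client_id):
        for ip, cid in list(self.leases.items()):
            if cid == client_id:
                del self.leases[ip]
                self.state[ip] = FREE
                return ip
        return None

    def stats(self):
        """Counts matching the Total/Used/Free/Conflicted line of display ip pool."""
        counts = {FREE: 0, USED: 0, CONFLICT: 0, EXCLUDED: 0}
        for st in self.state.values():
            counts[st] += 1
        counts["total"] = len(self.state)
        return counts
```

An address that answers a probe is skipped and counted as conflicted rather than leased, which is what makes the subsequent display ip pool output show a non-zero CFLCT column; recycle is deliberately limited to occupied entries without a lease, so a conflicted address stays out of rotation until the operator clears it.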

2.6.6 Saving DHCPv4 Data

After DHCPv4 data is saved to the storage device, the data can be restored from the storage device when the NE80E/40E fails.

Context

Do as follows on the NE80E/40E that functions as a DHCPv4 server:

Procedure

Step 1 Run:system-view

The system view is displayed.


Step 2 Run:dhcp server database enable

Saving DHCPv4 data to the hard disk is enabled.

Step 3 (Optional) Run:dhcp server database write-delay seconds

The delay for saving the data is set.

By default, DHCPv4 data is not saved to the storage device. Once the function is enabled, DHCPv4 data is saved to the storage device every 300 seconds by default, and each save overwrites the previous data.

----End

Follow-up Procedure

The NE80E/40E can save the current DHCPv4 data to the storage device and restore the data from the storage device when the NE80E/40E fails.

DHCPv4 data is saved under fixed file names on the storage device. Normally, the IP lease information is saved in the lease.txt file and the address conflict information is saved in the conflict.txt file. Back up these two files to other directories because the information in them is overwritten at every save interval.

2.6.7 Restoring DHCPv4 Data

Information about the address lease and address conflict can be restored.

Context

Do as follows on the NE80E/40E that functions as a DHCPv4 server:

NOTE

Only the saved DHCP data can be restored.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:dhcp server database recover

DHCPv4 data is restored from the storage device.

----End

2.6.8 Checking the Configuration

After adjusting DHCPv4 parameters, you can view information about a DHCPv4 server and the storage path of the DHCPv4 data.


Prerequisite

All the configurations for the adjustment of DHCPv4 parameters are complete.

Procedure

- Run the display dhcp-server item ip-address [ vpn-instance vpn-instance ] command to check information about a DHCPv4 server.

- Run the display dhcp server database command to check the storage path and file information of the DHCPv4 data.

----End

Example

Run the display dhcp-server item ip-address command to view information about a DHCPv4 server.

<HUAWEI> display dhcp-server item 1.2.3.4
  IPAddress     : 1.2.3.4
  State         : UP
  Speed Limit   : 0 packets / 0 seconds

Run the display dhcp server database command to view the path at which the DHCPv4 data is saved.

<HUAWEI> display dhcp server database
  Status: disable
  Recover from files after reboot: disable
  File saving lease items: cfcard:/dhcp/lease.txt
  File saving conflict items: cfcard:/dhcp/conflict.txt
  Save Interval: 300 (seconds)

2.7 Maintaining DHCPv4

You can maintain DHCPv4 by clearing DHCPv4 statistics, monitoring DHCPv4 operation status, and debugging DHCPv4.

2.7.1 Clearing DHCPv4 Statistics

You can clear DHCPv4 statistics by clearing the DHCPv4 relay statistics.

Context

CAUTION

DHCPv4 statistics cannot be restored after you clear them. Exercise caution when running the commands.


Procedure

- Run the reset dhcp relay statistics command in the user view to clear the DHCPv4 relay statistics.

----End

2.7.2 Monitoring DHCPv4 Operation StatusYou can monitor the DHCPv4 operation status by checking the configurations of an IPv4 addresspool, a DHCPv4 server, and the path at which DHCPv4 data is saved and file information aboutthe data.

PrerequisiteIn routine maintenance, you can run the following command in any view to check the DHCPv4operation status.

Procedure

• Run the display ip pool [ name pool-name [ section-num [ start-ip-address [ end-ip-address ] ] | all | used ] ] [ vpn-instance vpn-instance-name ] command to check the configuration of the IP address pool.
• Run the display dhcp-server group [ group-name ] command to check the configuration of the DHCPv4 server group.
• Run the display dhcp-server item ip-address [ vpn-instance vpn-instance ] command to check information about a DHCPv4 server.
• Run the display dhcp-server statistics ip-address [ vpn-instance vpn-instance ] command to check the statistics on a DHCPv4 server.
• Run the display dhcp server database command to check the path at which DHCPv4 data is saved and file information.
• Run the display dhcp relay address { all | interface interface-type interface-number | vlan vlan-id } [ | count ] [ | { begin | exclude | include } regular-expression ] command to check configurations about interfaces where DHCPv4 relay is enabled.

----End

2.8 Configuration Examples

This section provides configuration examples of DHCPv4, including networking requirements, configuration notes, and configuration roadmap.

Context

NOTE
Examples in this document use interface numbers and link types of the NE40E-X8. In real-world situations, the interface numbers and link types may be different from those used in this document.
In actual networking, the license needs to be loaded. For details, see the HUAWEI NetEngine80E/40E Router Configuration Guide - System Management.


2.8.1 Example for Configuring Address Assignment Based on the Local Address Pool

This section provides an example for assigning IPv4 addresses from a local IP address pool, including the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

NOTE
Address assignment cannot be configured on the X1 or X2 models of the NE80E/40E.

As shown in Figure 2-5, it is required that a local address pool be configured to assign IP addresses to access users and the following requirements be met:

• The local address pool is used to assign IP addresses to users in the domain isp1.
• The IP addresses in the address pool range from 10.10.10.3 to 10.10.10.100, and the gateway address is 10.10.10.2.
• The IP address of the DNS server is 10.10.10.1.
• Non-authentication and non-accounting are adopted by the user.

Figure 2-5 Networking diagram for address assignment based on the local address pool
[Figure: subscriber@isp1 reaches the router (acting as DHCP server) through a switch on GE1/0/0.1; GE2/0/0 faces the Internet; DNS server 10.10.10.1. Other label in the figure: 10.1.1.1.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the local address pool, including its gateway address, address range, and the IP address of the DNS server.
2. Configure the domain isp1 to which the users belong, including the authentication mode and the accounting mode.
3. Configure the BAS interface, including the user access mode.

Data Preparation

To complete the configuration, you need the following data:


• Name of the address pool, range of the addresses in the pool, and IP addresses of the gateway and the DNS server
• Name of the user domain
• Authentication mode and accounting mode

Procedure

Step 1 Configure the DHCPv4 server.

# Configure an address pool.

<HUAWEI> system-view
[HUAWEI] ip pool pool1 bas local
[HUAWEI-ip-pool-pool1] gateway 10.10.10.2 255.255.255.0
[HUAWEI-ip-pool-pool1] section 0 10.10.10.3 10.10.10.100
[HUAWEI-ip-pool-pool1] dns-server 10.10.10.1
[HUAWEI-ip-pool-pool1] quit

# Configure a domain named isp1.

[HUAWEI] aaa
[HUAWEI-aaa] domain isp1
[HUAWEI-aaa-domain-isp1] authentication-scheme default0
[HUAWEI-aaa-domain-isp1] accounting-scheme default0
[HUAWEI-aaa-domain-isp1] ip-pool pool1
[HUAWEI-aaa-domain-isp1] quit
[HUAWEI-aaa] quit

# Configure a BAS interface.

[HUAWEI] interface gigabitEthernet 1/0/0.1
[HUAWEI-GigabitEthernet1/0/0.1] user-vlan 1
[HUAWEI-GigabitEthernet1/0/0.1-vlan-1-1] bas
[HUAWEI-GigabitEthernet1/0/0.1-bas] access-type layer2-subscriber
[HUAWEI-GigabitEthernet1/0/0.1-bas] authentication-method bind
[HUAWEI-GigabitEthernet1/0/0.1-bas] default-domain authentication isp1
[HUAWEI-GigabitEthernet1/0/0.1-bas] quit
[HUAWEI-GigabitEthernet1/0/0.1] quit

Step 2 Verify the configuration.

# Check the configuration of the local address pool pool1.

[HUAWEI] display ip pool name pool1

  Pool-Name     : pool1
  Pool-No       : 19
  Lease         : 3 Days 0 Hours 0 Minutes
  NetBois Type  : N-Node
  DNS-Suffix    : -
  DNS1          : 10.10.10.1
  Position      : Local
  Status        : Unlocked
  Gateway       : 10.10.10.2
  Mask          : 255.255.255.0
  Vpn instance  : --
  Profile-Name  : -
  Server-Name   : -
  Codes: CFLCT (conflicted)
  ---------------------------------------------------------------------------------------
  ID  start         end           total  used  idle  CFLCT  disable  reserved  static-bind
  ---------------------------------------------------------------------------------------
  0   10.10.10.3    10.10.10.100  98     0     98    0      0        0         0
  ---------------------------------------------------------------------------------------

# Check the configuration of the domain isp1.

[HUAWEI] display domain isp1
  ------------------------------------------------------------------------------
  Domain-name                        : isp1
  Domain-state                       : Active
  Authentication-scheme-name         : default0
  Accounting-scheme-name             : default0
  Authorization-scheme-name          :
  Primary-DNS-IP-address             : -
  Second-DNS-IP-address              : -
  Web-server-URL-parameter           : No
  Portal-server-URL-parameter        : No
  Primary-NBNS-IP-address            : -
  Second-NBNS-IP-address             : -
  User-group-name                    : -
  Idle-data-attribute (time, flow)   : 0,60
  Install-BOD-Count                  : 0
  Report-VSM-User-Count              : 0
  Value-added-service                :
  User-access-limit                  : 279552
  Online-number                      : 0
  Web-IP-address                     : -
  Web-URL                            : -
  Portal-server-IP                   : -
  Portal-URL                         : -
  Portal-force-times                 : 2
  PPPoE-user-URL                     : Disable
  IPUser-ReAuth-Time (second)        : 300
  mscg-name-portal-key               : -
  Portal-user-first-url-key          : -
  Ancp auto qos adapt                : Disable
  Service-type                       : STB
  RADIUS-server-template             : -
  Two-acct-template                  : -
  HWTACACS-server-template           : -
  Bill Flow                          : Disable
  Tunnel-acct-2867                   : Disabled
  Flow Statistic:
    Flow-Statistic-Up                : Yes
    Flow-Statistic-Down              : Yes
  Source-IP-route                    : Disable
  IP-warning-threshold               : -
  Multicast Forwarding               : Yes
  Multicast Virtual                  : No
  Max-multilist num                  : 4
  Multicast-profile                  : -
  IP-address-pool-name               : pool1
  Quota-out                          : Offline
  ------------------------------------------------------------------------------

----End

Configuration Files

Configuration file of HUAWEI
#
 sysname HUAWEI
#
ip pool pool1 bas local
 gateway 10.10.10.2 255.255.255.0
 section 0 10.10.10.3 10.10.10.100
 dns-server 10.10.10.1
#
aaa
 authentication-scheme default0
 #
 accounting-scheme default0
 #
 domain isp1
  authentication-scheme default0
  accounting-scheme default0
  ip-pool pool1
#
interface GigabitEthernet1/0/0.1
 user-vlan 1
 bas
 #
  access-type layer2-subscriber
  default-domain authentication isp1
  authentication-method bind
#
return

2.8.2 Example for Configuring Address Assignment Based on the Remote Address Pool

This section provides an example for assigning IPv4 addresses from a remote IP address pool, including the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

NOTE
Address assignment based on the remote address pool cannot be configured on the X1 or X2 models of the NE80E/40E.

As shown in Figure 2-6, it is required that a remote address pool be configured to assign IP addresses to access users and the following requirements be met:

• The remote address pool is used to assign IP addresses to users in the domain isp2.
• The router, functioning as a relay agent, is connected to the DHCPv4 server through GE 3/0/0, whose IP address is 10.1.1.2/24.
• The IP address of the DHCPv4 server bound to the remote address pool is 10.1.1.1, and no standby DHCPv4 server is deployed.
• Non-authentication and non-accounting are adopted by the user.


Figure 2-6 Networking diagram for address assignment based on the remote address pool
[Figure: subscriber@isp2 in the access network reaches GE1/0/0.1 of the Router; GE2/0/0 faces the Internet; GE3/0/0 (10.1.1.2/24) connects the Router to the DHCP server 10.1.1.1.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Create a DHCPv4 server group and a remote address pool, and bind the address pool to the DHCPv4 server group.
2. Configure the domain isp2 to which the user belongs, including the authentication mode and the accounting mode.
3. Configure the BAS interface, including the user access mode.

Data Preparation

To complete the configuration, you need the following data:

• Name of the address pool
• IP address of the gateway
• Name of the user domain
• IP address of the interface that connects the router to the DHCPv4 server
• User access mode

Procedure

Step 1 Configure the router.

# Create a DHCPv4 server group.

<HUAWEI> system-view
[HUAWEI] dhcp-server group group1
[HUAWEI-dhcp-server-group-group1] dhcp-server 10.1.1.1
[HUAWEI-dhcp-server-group-group1] quit

# Create a remote address pool, and bind the pool to the DHCPv4 server group.

[HUAWEI] ip pool pool2 bas remote
[HUAWEI-ip-pool-pool2] gateway 10.10.10.1 24
[HUAWEI-ip-pool-pool2] dhcp-server group group1
[HUAWEI-ip-pool-pool2] quit

# Configure a domain named isp2.

[HUAWEI] aaa
[HUAWEI-aaa] domain isp2
[HUAWEI-aaa-domain-isp2] authentication-scheme default0
[HUAWEI-aaa-domain-isp2] accounting-scheme default0
[HUAWEI-aaa-domain-isp2] ip-pool pool2
[HUAWEI-aaa-domain-isp2] quit
[HUAWEI-aaa] quit

# Configure the router interface for user access.

[HUAWEI] interface gigabitEthernet 1/0/0.1
[HUAWEI-GigabitEthernet1/0/0.1] user-vlan 1
[HUAWEI-GigabitEthernet1/0/0.1-vlan-1-1] bas
[HUAWEI-GigabitEthernet1/0/0.1-bas] access-type layer2-subscriber
[HUAWEI-GigabitEthernet1/0/0.1-bas] authentication-method bind
[HUAWEI-GigabitEthernet1/0/0.1-bas] default-domain authentication isp2
[HUAWEI-GigabitEthernet1/0/0.1-bas] quit
[HUAWEI-GigabitEthernet1/0/0.1] quit

# Configure the router interface to connect to the DHCPv4 server.

[HUAWEI] interface GigabitEthernet 3/0/0
[HUAWEI-GigabitEthernet3/0/0] ip address 10.1.1.2 255.255.255.0

Step 2 Verify the configuration.

# Check the configurations of the DHCPv4 server group group1.

[HUAWEI] display dhcp-server group group1

  Group-Name       : group1
  Release-Agent    : Support
  Primary-Server   : 10.1.1.1    Vpn instance : --    Weight : 0    Status : up
  Secondary-Server : --          Vpn instance : --    Weight : 0    Status : up
  Algorithm        : master-backup
  Source           : --
  Giaddr           : --

# Check the configurations of the remote address pool pool2.

[HUAWEI] display ip pool name pool2

  Pool-Name     : pool2
  Pool-No       : 0
  DHCP-Group    : group1
  Position      : Remote
  Status        : Unlocked
  Gateway       : 10.10.10.1
  Mask          : 255.255.255.0
  Vpn instance  : --
  Profile-Name  : -
  Server-Name   : -
  Codes: CFLCT (conflicted)
  ---------------------------------------------------------------------------------------
  ID  start         end           total  used  idle  CFLCT  disable  reserved  static-bind
  ---------------------------------------------------------------------------------------
  0   10.10.10.0    10.10.10.255  256    0     256   0      0        0         0
  ---------------------------------------------------------------------------------------

# Check the configurations of the domain isp2.

[HUAWEI] display domain isp2
  ------------------------------------------------------------------------------
  Domain-name                        : isp2
  Domain-state                       : Active
  Authentication-scheme-name         : default0
  Accounting-scheme-name             : default0
  Authorization-scheme-name          :
  Primary-DNS-IP-address             : -
  Second-DNS-IP-address              : -
  Primary-NBNS-IP-address            : -
  Second-NBNS-IP-address             : -
  User-group-name                    : -
  Idle-data-attribute (time,flow)    : 0, 60
  Install-BOD-Count                  : 0
  Report-VSM-User-Count              : 0
  Value-added-service                : COPS
  User-access-limit                  : 279552
  Online-number                      : 0
  Web-IP-address                     : -
  Web-URL                            : -
  Portal-server-IP                   : -
  Portal-URL                         : -
  Portal-force-times                 : 2
  PPPoE-user-URL                     : Disable
  IPUser-ReAuth-Time(second)         : 300
  Ancp auto qos adapt                : Disable
  Service-type                       : STB
  RADIUS-server-template             : -
  Two-acct-template                  : -
  HWTACACS-server-template           : -
  Bill Flow                          : Disable
  Tunnel-acct-2867                   : Disabled
  Flow Statistic:
    Flow-Statistic-Up                : Yes
    Flow-Statistic-Down              : Yes
  Source-IP-route                    : Disable
  IP-warning-threshold               : -
  Multicast Forwarding               : Yes
  Multicast Virtual                  : No
  Max-multilist num                  : 4
  Multicast-profile                  : -
  IP-address-pool-name               : pool2
  Quota-out                          : Offline
  ------------------------------------------------------------------------------

----End

Configuration Files

Configuration file of router
#
 sysname HUAWEI
#
dhcp-server group group1
 dhcp-server 10.1.1.1
#
ip pool pool2 bas remote
 gateway 10.10.10.1 255.255.255.0
 dhcp-server group group1
#
aaa
 authentication-scheme default0
 #
 accounting-scheme default0
 #
 domain isp2
  authentication-scheme default0
  accounting-scheme default0
  ip-pool pool2
#
interface GigabitEthernet1/0/0.1
 undo shutdown
 user-vlan 1
 bas
 #
  access-type layer2-subscriber
  default-domain authentication isp2
  authentication-method bind
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
return

2.8.3 Example for Configuring Layer 3 DHCPv4 User Access

This section provides an example for configuring Layer 3 DHCPv4 user access, including networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

NOTE
Layer 3 DHCPv4 user access cannot be configured on the X1 or X2 models of the NE80E/40E.

As shown in Figure 2-7, the networking requirements are as follows:

• The user belongs to the domain isp4 and accesses Router B through Router A by connecting to GE 1/0/0 on Router A.
• Router B, which functions as the DHCPv4 server, is connected to Router A through GE 3/0/0.1. The IP address of GE 3/0/0.1 is 10.2.1.2/24.
• The user adopts Web authentication, RADIUS authentication, and RADIUS accounting.
• The IP address of the RADIUS server is 10.1.1.2; ports 1812 and 1813 are used for authentication and accounting respectively; the standard RADIUS protocol is adopted and the shared key is hello. The value hello is an example only: the shared key hides the User-Password attribute and authenticates the server's replies, so a production deployment needs a long random key that is unique to this server.


Figure 2-7 Networking diagram for configuring Layer 3 DHCPv4 user access
[Figure: subscriber@isp4 reaches Router A (DHCP relay) through a switch on GE1/0/0 (1.1.1.1); Router A GE1/0/1.1 (10.2.1.1) connects to Router B (DHCP server) GE3/0/0.1 (10.2.1.2); Radius Server 10.1.1.2; Internet.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the address pool, including the IP address of the gateway and the range of IP addresses in the pool.
2. Configure the authentication and accounting schemes.
3. Configure the RADIUS server group, including the IP address of the RADIUS server, authentication port, and accounting port.
4. Configure the domain isp4 to which the user belongs, including the authentication mode and the accounting mode.
5. Configure the BAS interface, including the user access mode.

Data Preparation

To complete the configuration, you need the following data:

• Name of the address pool, range of IP addresses in the pool, and IP address of the gateway
• Authentication scheme and accounting scheme
• IP address of the RADIUS server, authentication port, and accounting port
• Name of the user domain

Procedure

Step 1 Configure Router A.

# Configure GE 1/0/0.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface gigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 24
[RouterA-GigabitEthernet1/0/0] ip relay address 10.2.1.2
[RouterA-GigabitEthernet1/0/0] dhcp select relay
[RouterA-GigabitEthernet1/0/0] quit

# Configure interface GE1/0/1.1.

[RouterA] interface gigabitEthernet 1/0/1.1
[RouterA-GigabitEthernet1/0/1.1] undo shutdown
[RouterA-GigabitEthernet1/0/1.1] vlan-type dot1q 1
[RouterA-GigabitEthernet1/0/1.1] ip address 10.2.1.1 24

Step 2 Configure Router B.

# Configure an address pool.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ip pool pool4 bas local
[RouterB-ip-pool-pool4] gateway 1.1.1.1 255.255.255.0
[RouterB-ip-pool-pool4] section 0 1.1.1.2 1.1.1.200
[RouterB-ip-pool-pool4] quit

# Configure an authentication scheme.

[RouterB] aaa
[RouterB-aaa] authentication-scheme auth4
[RouterB-aaa-authen-auth4] authentication-mode radius
[RouterB-aaa-authen-auth4] quit

# Configure an accounting scheme.

[RouterB-aaa] accounting-scheme acct4
[RouterB-aaa-accounting-acct4] accounting-mode radius
[RouterB-aaa-accounting-acct4] quit
[RouterB-aaa] quit

# Configure a RADIUS server group.

[RouterB] radius-server group rd4
[RouterB-radius-rd4] radius-server authentication 10.1.1.2 1812
[RouterB-radius-rd4] radius-server accounting 10.1.1.2 1813
[RouterB-radius-rd4] radius-server type standard
[RouterB-radius-rd4] radius-server shared-key hello
[RouterB-radius-rd4] quit

# Configure a domain named isp4.

[RouterB] aaa
[RouterB-aaa] domain isp4
[RouterB-aaa-domain-isp4] authentication-scheme auth4
[RouterB-aaa-domain-isp4] accounting-scheme acct4
[RouterB-aaa-domain-isp4] radius-server group rd4
[RouterB-aaa-domain-isp4] quit
[RouterB-aaa] quit

# Configure a BAS interface.

[RouterB] interface gigabitEthernet 3/0/0.1
[RouterB-GigabitEthernet3/0/0.1] undo shutdown
[RouterB-GigabitEthernet3/0/0.1] ip address 10.2.1.2 24
[RouterB-GigabitEthernet3/0/0.1] vlan-type dot1q 1
[RouterB-GigabitEthernet3/0/0.1] bas
[RouterB-GigabitEthernet3/0/0.1-bas] access-type layer3-subscriber
[RouterB-GigabitEthernet3/0/0.1-bas] default-domain authentication isp4
[RouterB-GigabitEthernet3/0/0.1-bas] quit
[RouterB-GigabitEthernet3/0/0.1] quit
[RouterB] ip route-static 1.1.1.1 255.255.255.255 10.2.1.1

The configuration file of Router B at the end of this example additionally shows authentication-method web ip-trigger under the BAS view; that command is what selects the Web authentication the networking requirements call for.

Step 3 Verify the configuration.

# Check the configurations of the local address pool pool4.


[RouterB] display ip pool name pool4
  Pool-Name     : pool4
  Pool-No       : 0
  Lease         : 3 Days 0 Hours 0 Minutes
  NetBois Type  : N-Node
  DNS-Suffix    : -
  Position      : Local
  Status        : Unlocked
  Gateway       : 1.1.1.1
  Mask          : 255.255.255.0
  Vpn instance  : --
  Profile-Name  : -
  Server-Name   : -
  Codes: CFLCT (conflicted)
  ---------------------------------------------------------------------------
  ID  start      end        total  used  idle  CFLCT  disable  reserved
  ---------------------------------------------------------------------------
  0   1.1.1.2    1.1.1.200  199    0     199   0      0        0
  ---------------------------------------------------------------------------

# Check the configurations of the domain isp4.

[RouterB] display domain isp4
  ------------------------------------------------------------------------------
  Domain-name                        : isp4
  Domain-state                       : Active
  Authentication-scheme-name         : auth4
  Accounting-scheme-name             : acct4
  Authorization-scheme-name          :
  Primary-DNS-IP-address             : -
  Second-DNS-IP-address              : -
  Primary-NBNS-IP-address            : -
  Second-NBNS-IP-address             : -
  User-group-name                    : -
  Idle-data-attribute (time,flow)    : 0, 60
  Install-BOD-Count                  : 0
  Report-VSM-User-Count              : 0
  Value-added-service                : COPS
  User-access-limit                  : 279552
  Online-number                      : 0
  Web-IP-address                     : -
  Web-URL                            : -
  Portal-server-IP                   : -
  Portal-URL                         : -
  Portal-force-times                 : 2
  PPPoE-user-URL                     : Disable
  IPUser-ReAuth-Time (second)        : 300
  Ancp auto qos adapt                : Disable
  RADIUS-server-template             : rd4
  Two-acct-template                  : -
  HWTACACS-server-template           : -
  IP-warning-threshold               : -
  Max-multilist num                  : 4
  Multicast-profile                  : -
  Quota-out                          : Offline
  ------------------------------------------------------------------------------

----End

Configuration Files

Configuration file of RouterA
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 ip relay address 10.2.1.2
 dhcp select relay
#
interface GigabitEthernet1/0/1.1
 undo shutdown
 vlan-type dot1q 1
 ip address 10.2.1.1 255.255.255.0
#

Configuration file of Router B
#
 sysname RouterB
#
radius-server group rd4
 radius-server authentication 10.1.1.2 1812 weight 0
 radius-server accounting 10.1.1.2 1813 weight 0
 radius-server shared-key hello
#
ip pool pool4 bas local
 gateway 1.1.1.1 255.255.255.0
 section 0 1.1.1.2 1.1.1.200
#
aaa
 authentication-scheme auth4
  authentication-mode radius
 #
 accounting-scheme acct4
  accounting-mode radius
 #
 domain isp4
  authentication-scheme auth4
  accounting-scheme acct4
  radius-server group rd4
#
interface GigabitEthernet3/0/0.1
 vlan-type dot1q 1
 ip address 10.2.1.2 255.255.255.0
 bas
 #
  access-type layer3-subscriber
  default-domain authentication isp4
  authentication-method web ip-trigger
#
ip route-static 1.1.1.1 255.255.255.255 10.2.1.1
#
return
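The shared key configured for rd4 (radius-server shared-key hello) is the only secret between Router B and the RADIUS server 10.1.1.2: it hides the User-Password attribute in every Access-Request and authenticates the server's replies. A word like hello is acceptable for a lab and nothing else. The following Python script is an added example, not Huawei code or device output: it builds the Access-Request a NAS such as Router B sends for a user of domain isp4, hides the password as RFC 2865 section 5.2 specifies, and then runs the offline dictionary attack that anyone who captured that single packet on the path to the RADIUS server could run against it. The user name, password, packet identifier, NAS address and the fixed 16-byte authenticator used in the demonstration are constructed values.

```python
"""Added example (not Huawei code): a RADIUS Access-Request and what the shared key protects."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types, RFC 2865 section 5


def tlv(attr_type, value):
    """One RADIUS attribute: type, length (header included), value."""
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the Request Authenticator seeds the first block."""
    pw = password.encode()
    pw = pw.ljust(-(-len(pw) // 16) * 16, b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the RADIUS server does); NUL padding is left in place."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out


def access_request(ident, user, password, secret, nas_ip, authenticator=None):
    """Code, identifier, length, 16-byte Request Authenticator, attributes (RFC 2865 section 3).
    The authenticator must be unpredictable; a fixed one is accepted here only for the demonstration."""
    auth = authenticator or os.urandom(16)
    attrs = (tlv(USER_NAME, user.encode())
             + tlv(USER_PASSWORD, hide_password(password, secret, auth))
             + tlv(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def attributes(packet):
    """Parse the attribute list of a RADIUS packet into {type: value}."""
    out, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        out[attr_type] = packet[i + 2:i + length]
        i += length
    return out


def guess_secret(packet, candidates):
    """Offline attack on one captured Access-Request. The authenticator and the hidden
    password travel in the clear, so each candidate key is tried until the recovered
    password is printable ASCII followed only by NUL padding. Returns the key or None."""
    auth = packet[4:20]
    hidden = attributes(packet)[USER_PASSWORD]
    for cand in candidates:
        body = reveal_password(hidden, cand.encode(), auth).rstrip(b"\0")
        if body and all(32 <= b < 127 for b in body):
            return cand
    return None


if __name__ == "__main__":
    # Constructed values; "hello" is the key configured in radius-server group rd4 above.
    pkt = access_request(7, "subscriber@isp4", "s3cret-pw", b"hello", "10.2.1.2")
    print("recovered shared key:", guess_secret(pkt, ["radius", "Passw0rd", "hello"]))
```

The attack needs no interaction with the router or the server, only one captured packet, so the cost of trying a key is one MD5 per candidate. A key that is long, random and unique per NAS/server pair keeps this search infeasible; restricting which hosts can reach UDP 1812/1813 on 10.1.1.2 limits who can capture or replay in the first place.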

2.8.4 Example for Configuring IP Address Assignment for Ethernet Users (with No Relay Agent)

This section provides an example for assigning IPv4 addresses to Ethernet users (with no relay agent), including the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

On a large network, if the PCs cannot be directly connected to the routing device using Ethernet interfaces, but have to be connected to the routing device through other devices, a network-side DHCPv4 server needs to be configured. This allows the PCs to dynamically obtain IP addresses from the routing device.

As shown in Figure 2-8, a DHCPv4 server assigns IP addresses to the clients on the same network segment. The network segment of the address pool, 10.1.1.0/24, includes two subnet segments, 10.1.1.0/25 and 10.1.1.128/25. The IP addresses of the two GE interfaces on the DHCPv4 server are 10.1.1.1/25 and 10.1.1.129/25.

The lease of the IP addresses on the network segment 10.1.1.0/25 is 10 days and 12 hours; the domain name suffix of the DNS server is huawei.com; the IP address of the DNS server is 10.1.1.2; there is no NetBIOS address; the IP address of the gateway is 10.1.1.1.


The lease of the IP addresses on the network segment 10.1.1.128/25 is 5 days; the domain name suffix of the DNS server is huawei.com; the IP address of the DNS server is 10.1.1.2; the NetBIOS address is 10.1.1.4; the IP address of the gateway is 10.1.1.129.

Figure 2-8 Networking diagram for IP address assignment for Ethernet users (with no relay agent)
[Figure: the DHCP server connects DHCP clients on network 10.1.1.0/25 through GE1/0/0 (10.1.1.1/25) and DHCP clients on network 10.1.1.128/25 through GE1/0/1 (10.1.1.129/25); a DNS server and a NetBIOS server sit on these segments.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Assign IP addresses to interfaces.
2. Configure the address pool, including the IP address of the gateway, range of IP addresses in the pool, domain name suffix of the DNS server, allowed lease of IP addresses, and IP addresses not automatically assigned, which include the IP addresses of the DNS server, NetBIOS, and gateway. In this example, it is required that two address pools be configured.

Data Preparation

To complete the configuration, you need the following data:

• IP address of each interface
• Numbers of address pools and range of IP addresses in the pools
• IP addresses not allowed for assignment
• Domain name suffix, IP address of the DNS server, and the address lease

Procedure

Step 1 Configure the DHCPv4 server.

# Assign an IP address to GE 1/0/0.


[HUAWEI] interface gigabitethernet 1/0/0
[HUAWEI-GigabitEthernet1/0/0] ip address 10.1.1.1 255.255.255.128
[HUAWEI-GigabitEthernet1/0/0] undo shutdown
[HUAWEI-GigabitEthernet1/0/0] quit

# Assign an IP address to GE 1/0/1.

[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 10.1.1.129 255.255.255.128
[HUAWEI-GigabitEthernet1/0/1] undo shutdown
[HUAWEI-GigabitEthernet1/0/1] quit

# Configure the attributes of DHCPv4 address pool 1, including the IP addresses of the gateway and DNS server, range of IP addresses in the pool, domain name suffix of the DNS server, and address lease.

[HUAWEI] ip pool 1 server
[HUAWEI-ip-pool-1] gateway 10.1.1.1 255.255.255.128
[HUAWEI-ip-pool-1] section 0 10.1.1.2 10.1.1.126
[HUAWEI-ip-pool-1] excluded-ip-address 10.1.1.2
[HUAWEI-ip-pool-1] excluded-ip-address 10.1.1.4
[HUAWEI-ip-pool-1] dns-suffix huawei.com
[HUAWEI-ip-pool-1] dns-server 10.1.1.2
[HUAWEI-ip-pool-1] lease 10 12
[HUAWEI-ip-pool-1] quit

# Configure the attributes of DHCPv4 address pool 2, including the range of IP addresses in the pool, IP addresses of the gateway and NetBIOS, and the address lease.

[HUAWEI] ip pool 2 server
[HUAWEI-ip-pool-2] gateway 10.1.1.129 255.255.255.128
[HUAWEI-ip-pool-2] section 0 10.1.1.130 10.1.1.254
[HUAWEI-ip-pool-2] dns-suffix huawei.com
[HUAWEI-ip-pool-2] dns-server 10.1.1.2
[HUAWEI-ip-pool-2] lease 5
[HUAWEI-ip-pool-2] netbios-name-server 10.1.1.4
[HUAWEI-ip-pool-2] quit

Step 2 Verify the configuration.

After the configuration is complete, run the display ip pool command on the DHCPv4 server to view information about the DHCPv4 address pools.

[HUAWEI] display ip pool
  -----------------------------------------------------------------------
  Pool-Name     : 1
  Pool-No       : 1
  Position      : Server
  Status        : Unlocked
  Gateway       : 10.1.1.1
  Mask          : 255.255.255.128
  Vpn instance  : --
  -----------------------------------------------------------------------
  Pool-Name     : 2
  Pool-No       : 2
  Position      : Server
  Status        : Unlocked
  Gateway       : 10.1.1.129
  Mask          : 255.255.255.128
  Vpn instance  : --
  IP address pool Statistic
    Local :0    Remote :0    Server :2
  IP address Statistic
    Total :152    Used :0    Free :152    Conflicted :0    Disable :0    Designated :0

----End


Configuration Files

Configuration file of the HUAWEI
#
 sysname HUAWEI
#
ip pool 1 server
 gateway 10.1.1.1 255.255.255.128
 section 0 10.1.1.2 10.1.1.126
 excluded-ip-address 10.1.1.2
 excluded-ip-address 10.1.1.4
 dns-server 10.1.1.2
 dns-suffix huawei.com
 lease 10 12
#
ip pool 2 server
 gateway 10.1.1.129 255.255.255.128
 section 0 10.1.1.130 10.1.1.254
 dns-server 10.1.1.2
 dns-suffix huawei.com
 netbios-name-server 10.1.1.4
 lease 5
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.255.128
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.129 255.255.255.128
#
return
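Before a pool such as the two above goes into service it is worth checking mechanically that every section lies inside the gateway subnet, that the gateway address itself is never handed out, and that each excluded-ip-address actually falls inside a section (an exclusion outside every section does nothing). The following Python script is an added example and not Huawei code: it parses the ip pool blocks of a VRP-style configuration file into a small data structure and applies those checks. The configuration text embedded in it is constructed; its first two pools copy the two server pools above, and the third is a deliberately broken pool whose section end lies outside the gateway's /24.

```python
"""Added example (not Huawei code): lint the ip pool blocks of a VRP-style configuration."""
import ipaddress
import re

# Constructed configuration text. Pools 1 and 2 copy the two server pools of this example;
# pool "bad" has a section whose end address lies outside the gateway subnet.
SAMPLE_CONFIG = """\
#
ip pool 1 server
 gateway 10.1.1.1 255.255.255.128
 section 0 10.1.1.2 10.1.1.126
 excluded-ip-address 10.1.1.2
 excluded-ip-address 10.1.1.4
 dns-server 10.1.1.2
 dns-suffix huawei.com
 lease 10 12
#
ip pool 2 server
 gateway 10.1.1.129 255.255.255.128
 section 0 10.1.1.130 10.1.1.254
 dns-server 10.1.1.2
 dns-suffix huawei.com
 netbios-name-server 10.1.1.4
 lease 5
#
ip pool bad server
 gateway 1.1.1.1 255.255.255.0
 section 0 1.1.1.2 10.1.1.200
#
"""

POOL_RE = re.compile(r"^ip pool (\S+) (local|remote|server)$")


def parse_pools(text):
    """Return {name: pool}; a pool holds gateway (IPv4Interface), sections [(start, end)],
    excluded [IPv4Address] and lease in seconds (None if the lease command is absent)."""
    pools, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":                      # '#' closes a configuration block
            cur = None
            continue
        m = POOL_RE.match(line)
        if m:
            cur = pools[m.group(1)] = {"kind": m.group(2), "gateway": None,
                                       "sections": [], "excluded": [], "lease": None}
            continue
        if cur is None or not line:
            continue
        tok = line.split()
        if tok[0] == "gateway":              # gateway address { mask | prefix-length }
            cur["gateway"] = ipaddress.ip_interface(f"{tok[1]}/{tok[2]}")
        elif tok[0] == "section":            # section id start end
            cur["sections"].append((ipaddress.ip_address(tok[2]), ipaddress.ip_address(tok[3])))
        elif tok[0] == "excluded-ip-address":
            cur["excluded"].append(ipaddress.ip_address(tok[1]))
        elif tok[0] == "lease":              # lease day [hour [minute]]
            day, hour, minute = (list(map(int, tok[1:])) + [0, 0])[:3]
            cur["lease"] = day * 86400 + hour * 3600 + minute * 60
    return pools


def in_section(pool, addr):
    return any(start <= addr <= end for start, end in pool["sections"])


def lint_pool(name, pool):
    """Return human-readable findings for one pool; an empty list means the pool is consistent."""
    findings = []
    gw = pool["gateway"]
    if gw is None:
        return [f"{name}: no gateway configured"]
    net = gw.network
    for idx, (start, end) in enumerate(pool["sections"]):
        if start > end:
            findings.append(f"{name}: section {idx} start {start} is above its end {end}")
        if start not in net or end not in net:
            findings.append(f"{name}: section {idx} {start}-{end} is not inside gateway subnet {net}")
        if start <= gw.ip <= end:
            findings.append(f"{name}: gateway {gw.ip} lies inside section {idx}; exclude it")
    for ex in pool["excluded"]:
        if not in_section(pool, ex):
            findings.append(f"{name}: excluded-ip-address {ex} is outside every section (no effect)")
    if pool["kind"] != "remote" and not pool["sections"]:
        findings.append(f"{name}: {pool['kind']} pool has no section, so it can assign nothing")
    return findings


def usable_addresses(pool):
    """Addresses the pool can hand out: section sizes minus exclusions that fall inside a section."""
    total = sum(int(end) - int(start) + 1 for start, end in pool["sections"])
    return total - sum(1 for ex in pool["excluded"] if in_section(pool, ex))


def lint_config(text):
    """Lint every pool in a configuration text; returns {pool_name: [findings]}."""
    return {name: lint_pool(name, pool) for name, pool in parse_pools(text).items()}


if __name__ == "__main__":
    for name, pool in parse_pools(SAMPLE_CONFIG).items():
        print(name, usable_addresses(pool), "usable addresses", lint_pool(name, pool))
```

The arithmetic the script performs is also a useful cross-check against display ip pool: pool 1 has 125 section addresses minus two exclusions, pool 2 has 125, so a server holding only these two pools should report 248 usable addresses. The Total of 152 in the sample output above does not correspond to the ranges configured in this example, whereas the Total of 96 in the output of section 2.8.5 matches its single section exactly.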

2.8.5 Example for Configuring IP Address Assignment for Ethernet Users (with a Relay Agent Deployed)

This section provides an example for assigning IPv4 addresses to Ethernet users (with a relay agent deployed), including the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

A network-side DHCPv4 server usually works with a DHCPv4 relay agent. As shown in Figure 2-9, DHCPv4 clients reside on the network segment 10.100.0.0/16; the DHCPv4 server resides on the network segment 202.40.0.0/16. It is required that the DHCPv4 packet be relayed through the device enabled with the DHCPv4 relay function. In this manner, the DHCPv4 client can apply for an IP address from the DHCPv4 server.

The DHCPv4 server must be configured with a network-side IP address pool. The IP address of the DNS server is 10.100.1.2/16; the IP address of the NetBIOS server is 10.100.1.3/16; the IP address of the gateway is 10.100.1.1; there is a route from the DHCPv4 server to 10.100.0.0/16.


Figure 2-9 Networking diagram for IP address assignment for Ethernet users (with a relay agent deployed)
[Figure: DHCP clients, the DNS server (10.100.1.2/16) and the NetBIOS server (10.100.1.3/16) sit behind GE1/0/0 (10.100.1.1/16) of Router A, the DHCP relay; Router A GE2/0/0 (202.40.1.1/16) connects to GE1/0/0 (202.40.1.2/16) of Router B, the DHCP server.]

Configuration Roadmap

The configuration roadmap is as follows:

1. On Router A, the relay agent, assign an IP address to GE 2/0/0, which faces the DHCPv4 server.
2. On Router A, assign an IP address to GE 1/0/0, which faces the clients, configure the address of the DHCPv4 server to which GE 1/0/0 relays, and enable DHCP relay on GE 1/0/0.
3. On Router B, the DHCPv4 server, configure a route to the client segment 10.100.0.0/16 behind GE 1/0/0 on Router A.
4. On Router B, assign an IP address to GE 1/0/0, which faces the relay agent.
5. On Router B, configure the network-side address pool from which the clients behind Router A obtain IP addresses.

Data Preparation

To complete the configuration, you need the following data:

• IP address of the interface to be configured with DHCPv4 relay
• IP address of the DHCPv4 server
• Attributes of the DHCPv4 address pool, including the IP address of the gateway, range of IP addresses in the address pool, IP addresses not allowed to be automatically assigned, domain name suffix of the DNS server, IP address of the DNS server, and address lease

Procedure

Step 1 Configure the DHCPv4 relay agent.

# Assign an IP address to GE 2/0/0.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface GigabitEthernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 202.40.1.1 255.255.0.0
[RouterA-GigabitEthernet2/0/0] undo shutdown
[RouterA-GigabitEthernet2/0/0] quit

# Enter the view of the interface to be configured with DHCPv4 relay and configure the IP address, subnet mask, and corresponding DHCPv4 server address on the interface.

[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 10.100.1.1 255.255.0.0
[RouterA-GigabitEthernet1/0/0] ip relay address 202.40.1.2
[RouterA-GigabitEthernet1/0/0] dhcp select relay
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit

Step 2 Configure the DHCPv4 server.

# Configure the route from Router B to GE 1/0/0 on Router A that connects to the client.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ip route-static 10.100.0.0 255.255.0.0 202.40.1.1

# Assign an IP address to GE 1/0/0.

[RouterB] interface GigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 202.40.1.2 255.255.0.0
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] quit

# Configure the attributes of the DHCPv4 address pool pool 1, including the IP address of the gateway, range of IP addresses in the address pool, IP addresses not allowed to be automatically assigned, domain name suffix of the DNS server, IP address of the DNS server, and address lease.

[RouterB] ip pool 1 server
[RouterB-ip-pool-1] gateway 10.100.1.1 255.255.0.0
[RouterB-ip-pool-1] section 0 10.100.1.5 10.100.1.100
[RouterB-ip-pool-1] dns-suffix huawei.com
[RouterB-ip-pool-1] dns-server 10.100.1.2
[RouterB-ip-pool-1] netbios-name-server 10.100.1.3
[RouterB-ip-pool-1] lease 10 12
[RouterB-ip-pool-1] quit

Step 3 Verify the configuration.

Run the display ip pool command on the DHCPv4 server, and you can view information about the DHCPv4 address pool, including DNS, IP address lease, and Option parameters.

[RouterB] display ip pool
-----------------------------------------------------------------------
  Pool-Name      : 1
  Pool-No        : 1
  Position       : Server          Status       : Unlocked
  Gateway        : 10.100.1.1
  Mask           : 255.255.0.0
  Vpn instance   : --
-----------------------------------------------------------------------
  IP address pool Statistic
    Local      :0      Remote     :0      Server     :1
  IP address Statistic
    Total      :96
    Used       :0      Free       :96
    Conflicted :0      Disable    :0      Designated :0

Run the display dhcp relay address command on the DHCPv4 relay agent, and you can view the DHCPv4 configurations.

[RouterA] display dhcp relay address all
 ** GigabitEthernet1/0/0 DHCP Relay Address **
 Dhcp Option    Relay Agent IP    Server IP
 *              -                 202.40.1.2

----End

Configuration Files
- Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.100.1.1 255.255.0.0
 ip relay address 202.40.1.2
 dhcp select relay
#
interface GigabitEthernet 2/0/0
 undo shutdown
 ip address 202.40.1.1 255.255.0.0
#
return

- Configuration file of Router B

#
 sysname RouterB
#
ip pool 1 server
 gateway 10.100.1.1 255.255.0.0
 section 0 10.100.1.5 10.100.1.100
 dns-server 10.100.1.2
 dns-suffix huawei.com
 netbios-name-server 10.100.1.3
 lease 10 12
#
interface GigabitEthernet 1/0/0
 undo shutdown
 ip address 202.40.1.2 255.255.0.0
#
ip route-static 10.100.0.0 255.255.0.0 202.40.1.1
#
return
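The following Python script is an added example, not part of the Huawei guide. It encodes the consistency rules the relay example above depends on (pool gateway equal to the relay's client-side address, section 0 inside the subnet and clear of the gateway, DNS and NetBIOS addresses, relay address equal to the server's interface address, and a return route on the server) and checks the example's own values against them; the class and function names are my own, and the misconfigured variant is constructed.

```python
"""Consistency checks for the DHCPv4 relay example above (Router A relays,
Router B serves). Added example, not part of the Huawei guide: the addresses
are the ones in the example, the check names and rules are my own."""
import ipaddress
from dataclasses import dataclass

IPv4If = ipaddress.IPv4Interface


@dataclass
class RelayAgent:
    client_if: IPv4If                     # GE 1/0/0 on Router A (dhcp select relay)
    server_if: IPv4If                     # GE 2/0/0 on Router A
    relay_address: ipaddress.IPv4Address  # 'ip relay address' on GE 1/0/0


@dataclass
class DhcpServer:
    uplink_if: IPv4If        # GE 1/0/0 on Router B
    gateway: IPv4If          # 'gateway <ip> <mask>' in the pool
    section: tuple           # (first, last) of 'section 0'
    dns: list                # 'dns-server' addresses
    netbios: list            # 'netbios-name-server' addresses
    static_routes: list      # [(prefix, next hop)] from 'ip route-static'


def example_relay():
    return RelayAgent(IPv4If("10.100.1.1/16"), IPv4If("202.40.1.1/16"),
                      ipaddress.IPv4Address("202.40.1.2"))


def example_server():
    return DhcpServer(
        uplink_if=IPv4If("202.40.1.2/16"),
        gateway=IPv4If("10.100.1.1/16"),
        section=(ipaddress.IPv4Address("10.100.1.5"),
                 ipaddress.IPv4Address("10.100.1.100")),
        dns=[ipaddress.IPv4Address("10.100.1.2")],
        netbios=[ipaddress.IPv4Address("10.100.1.3")],
        static_routes=[(ipaddress.IPv4Network("10.100.0.0/16"),
                        ipaddress.IPv4Address("202.40.1.1"))],
    )


def bad_server():
    """Constructed variant: section 0 starts at .1, so the gateway, DNS and
    NetBIOS addresses would be handed out to clients."""
    s = example_server()
    s.section = (ipaddress.IPv4Address("10.100.1.1"), s.section[1])
    return s


def pool_size(server):
    """Number of assignable addresses, the 'Total' shown by display ip pool."""
    first, last = server.section
    return int(last) - int(first) + 1


def check_example(relay, server):
    """Return a list of configuration problems; an empty list means the
    relay and the server describe one consistent network."""
    problems = []
    pool_net = server.gateway.network
    first, last = server.section
    # 1. Clients get the relay's client-side address as their gateway, so the
    #    pool gateway and subnet must match that interface.
    if relay.client_if.ip != server.gateway.ip:
        problems.append("pool gateway differs from the relay client-side address")
    if relay.client_if.network != pool_net:
        problems.append("relay client-side subnet differs from the pool subnet")
    # 2. The section must be a valid range inside the subnet and must not
    #    contain the gateway, DNS or NetBIOS addresses.
    if first > last or first not in pool_net or last not in pool_net:
        problems.append("section 0 is not a valid range inside the pool subnet")
    reserved = [("gateway", server.gateway.ip)]
    reserved += [("dns-server", a) for a in server.dns]
    reserved += [("netbios-name-server", a) for a in server.netbios]
    for name, addr in reserved:
        if first <= addr <= last:
            problems.append(f"{name} {addr} lies inside section 0")
    # 3. The relay must forward to the server's uplink address, which has to
    #    be on the relay's server-side subnet.
    if relay.relay_address != server.uplink_if.ip:
        problems.append("ip relay address does not match the server interface")
    if relay.relay_address not in relay.server_if.network:
        problems.append("relay address is not on the relay's server-side subnet")
    # 4. Replies go to the relay's client-side address, so the server needs a
    #    route to the client subnet via the relay's server-side interface.
    if not any(pool_net.subnet_of(pfx) and nh == relay.server_if.ip
               for pfx, nh in server.static_routes):
        problems.append("no route on the server to the client subnet via the relay")
    return problems


if __name__ == "__main__":
    print(pool_size(example_server()))                          # 96
    print(check_example(example_relay(), example_server()))     # []
    print(check_example(example_relay(), bad_server()))         # 3 problems
```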

3 DHCPv6 Configuration

About This Chapter

On the IPv6 network, DHCPv6 must be enabled before users dynamically obtain IP addresses.

3.1 Introduction to DHCPv6
DHCPv6 mainly describes the stateful configuration of IPv6 addresses on an IPv6 network.

3.2 Configuring a DHCPv6 Relay Agent
When the client and DHCPv6 server reside on different network segments, you need to configure a DHCPv6 relay agent.

3.1 Introduction to DHCPv6
DHCPv6 mainly describes the stateful configuration of IPv6 addresses on an IPv6 network.

3.1.1 DHCPv6 Overview
DHCPv6 is similar to DHCPv4 on the IPv4 network. The client can obtain IPv6 addresses from the DHCPv6 server.

In an IPv6 network, two methods are available for a client to obtain an IPv6 address: stateless address autoconfiguration and stateful configuration.

- With stateless address autoconfiguration, no DHCPv6 server is required. After being connected to an IPv6 network, the client can automatically configure an IPv6 address for itself using neighbor discovery (ND) messages.

- With stateful configuration, the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) is used to configure IPv6 addresses for clients. This mechanism is similar to how DHCPv4 functions in an IPv4 network.

DHCPv6 mainly describes the stateful configuration of IPv6 addresses in an IPv6 network. In an IPv6 network, three roles are involved: client, relay agent, and server. A client interacts with a relay agent or server to apply for an IPv6 address.

RFC 3633 defines a mechanism for automated delegation of IPv6 prefixes using DHCPv6 (DHCPv6-PD). In this mechanism, two roles are involved: a requesting router and a delegating router. A requesting router functions as a client, whereas a delegating router functions as a server. The requesting router obtains IPv6 prefixes from the delegating router and delivers the obtained IPv6 prefixes as its local resources to IPv6 clients.

3.1.2 DHCPv6 Features Supported by the NE80E/40E
The NE80E/40E can be a DHCPv6 relay agent.

NE80E/40E Functioning as the DHCPv6 Relay Agent

Three roles are involved in this networking mode: client, relay agent, and server. A client can be a network device such as a PC or a set-top box. One or more DHCPv6 servers are required for the entire network. The NE80E/40E functions as a relay agent to forward packets from a client to the server, which then implements AAA of the client.

In this scenario, a separate DHCPv6 server is required, which implements uniform address management and dynamically assigns addresses to clients.

3.2 Configuring a DHCPv6 Relay Agent
When the client and DHCPv6 server reside on different network segments, you need to configure a DHCPv6 relay agent.

3.2.1 Establishing the Configuration Task
Before configuring a DHCPv6 relay agent, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
If a client is connected to the DHCPv6 server through a Layer 3 access device, the Layer 3 access device is a DHCPv6 relay agent. The DHCPv6 relay agent receives packets from the client or other relay agents, encapsulates the received packets, and then forwards the encapsulated packets to the DHCPv6 server or another relay agent.

You can configure the NE80E/40E so that it can function as a relay agent.

Pre-configuration Tasks
Before configuring a DHCPv6 relay agent, complete the following tasks:

- Enabling the IPv6 function. For details, refer to the HUAWEI NetEngine80E/40E Router Configuration Guide - IP Service.

- Configuring the DHCPv6 server as required

Data Preparation
To configure a DHCPv6 relay agent, you need the following data.

No. Data

1 Type and number of the inbound interface

2 IP address of the destination DHCPv6 server, or the type and number of the network-side outbound interface

3.2.2 Enabling DHCPv6 Relay
You need to configure DHCPv6 relay before configuring DHCPv6.

Context
Do as follows on the NE80E/40E:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

The interface is the inbound interface on the relay agent.

Step 3 Run: ipv6 enable

IPv6 is enabled on the interface.

Step 4 Run: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

An IPv6 global unicast address is configured for the interface.

NOTE

To ensure connectivity between the client and the relay agent, the IPv6 address prefix on the interface of the relay agent that connects it to the client must be the same as the IPv6 address prefix in the address pool configured on the DHCPv6 server.

Step 5 Run: ipv6 address auto link-local

An automatically-generated link-local address is configured for the interface.

Step 6 Run: undo ipv6 nd ra halt

The advertising of RA packets is enabled.

By default, the network-side interface of the relay agent does not advertise RA packets. As a result, a client connected to the relay agent cannot receive RA packets with the M and O flags set to 1. Consequently, the client cannot send DHCPv6 packets and therefore cannot log in. This is why you need to run the undo ipv6 nd ra halt command to enable the advertising of RA packets.

NOTE
This command is required only for the interface connecting to clients on the relay agent.

Step 7 Run: ipv6 nd autoconfig managed-address-flag

The flag field indicating that routable IPv6 addresses can be obtained through stateful autoconfiguration is set.

NOTE
This command is required only for the interface connecting to clients on the relay agent.

Step 8 Run: ipv6 nd autoconfig other-flag

The flag field indicating the other information about the stateful autoconfiguration is set.

NOTE
This command is required only for the interface connecting to clients on the relay agent.

Step 9 Run: dhcpv6 relay { interface { interface-name | interface-type interface-number } | destination ipv6-address }

The DHCPv6 relay function is enabled on an inbound interface, and the IP address of the outbound interface for DHCPv6 messages or the IP address of the destination DHCPv6 server is specified.

By default, DHCPv6 relay is disabled on interfaces. Up to four IP addresses of outbound interfaces or destination DHCPv6 servers can be configured on an interface.

----End

3.2.3 Enabling DHCPv6 on Network-side Interfaces
After DHCPv6 is enabled on a network-side interface, only the requests from users on the interface can be responded to.

Context
Do as follows on the NE80E/40E:

NOTE

The inbound interface and the outbound interface of the relay agent are both network-side interfaces. You need to configure DHCPv6 on both interfaces.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

Step 3 Run: dhcpv6 enable

DHCPv6 is enabled on the network-side interfaces.

----End

3.2.4 Checking the Configuration
After configuring a DHCPv6 relay agent, you can view the configurations of the relay interface.

Procedure
- Run the display this command in the interface view to check the current effective configurations of the relay interface.

----End

Example
Run the display this command in the view of GE 2/0/1 to view the current effective configurations on the interface. If the preceding DHCPv6 relay configurations are successful, the configurations of the relay interface are displayed.

[HUAWEI-GigabitEthernet2/0/1] display this
#
interface GigabitEthernet2/0/1
 ipv6 enable
 ipv6 address auto link-local
 ipv6 address 2660:2321::101:112:2:201/64
 undo ipv6 nd ra halt
 ipv6 nd autoconfig managed-address-flag
 ipv6 nd autoconfig other-flag
 dhcpv6 enable
 dhcpv6 relay interface GigabitEthernet1/0/2
#
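As an added example (not from the Huawei guide), the following Python audit reads a relay interface's display this output such as the one above and checks it against the checklist of 3.2.2 and 3.2.3: IPv6 enabled, a link-local and a global address, RA advertising enabled with the M and O flags set, dhcpv6 enable, and no more than four relay targets. It also compares the interface prefix with the server's pool prefix as the NOTE under Step 4 requires; the pool prefix 2660:2321::/64 and the function names are assumptions.

```python
"""Audit a relay interface's 'display this' output against the DHCPv6 relay
checklist of 3.2.2 and 3.2.3. Added example, not from the Huawei guide; the
pool prefix passed in and the function names are assumptions."""
import ipaddress

# Output copied from the guide's example for GE 2/0/1.
SAMPLE = """\
#
interface GigabitEthernet2/0/1
 ipv6 enable
 ipv6 address auto link-local
 ipv6 address 2660:2321::101:112:2:201/64
 undo ipv6 nd ra halt
 ipv6 nd autoconfig managed-address-flag
 ipv6 nd autoconfig other-flag
 dhcpv6 enable
 dhcpv6 relay interface GigabitEthernet1/0/2
#
"""

# Lines every client-facing relay interface must carry (3.2.2 Steps 3 and
# 5 to 8, plus 'dhcpv6 enable' from 3.2.3).
REQUIRED = (
    "ipv6 enable",
    "ipv6 address auto link-local",
    "undo ipv6 nd ra halt",
    "ipv6 nd autoconfig managed-address-flag",
    "ipv6 nd autoconfig other-flag",
    "dhcpv6 enable",
)
MAX_RELAY_TARGETS = 4   # limit stated under 3.2.2 Step 9


def parse_interface(text):
    """Return (interface name, stripped config lines) for the first
    'interface' block of a 'display this' output."""
    name, lines = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line.split(maxsplit=1)[1]
        elif name and line and line != "#":
            lines.append(line)
    return name, lines


def audit_relay_interface(text, pool_prefix):
    """Return a list of findings; an empty list means the interface carries
    every line of the checklist and shares the server's pool prefix."""
    name, lines = parse_interface(text)
    if name is None:
        return ["no interface block found"]
    findings = []
    for req in REQUIRED:
        if req not in lines:
            findings.append(f"{name}: missing '{req}'")
    # Global addresses carry a prefix length; 'ipv6 address auto link-local'
    # does not, so it is filtered out here.
    globals_ = [ln.split()[2] for ln in lines
                if ln.startswith("ipv6 address ") and "/" in ln]
    if not globals_:
        findings.append(f"{name}: no global IPv6 address")
    else:
        net = ipaddress.IPv6Interface(globals_[0]).network
        if net != ipaddress.IPv6Network(pool_prefix):
            findings.append(f"{name}: prefix {net} differs from pool {pool_prefix}")
    relays = [ln for ln in lines if ln.startswith("dhcpv6 relay ")]
    if not relays:
        findings.append(f"{name}: dhcpv6 relay not configured")
    elif len(relays) > MAX_RELAY_TARGETS:
        findings.append(f"{name}: more than {MAX_RELAY_TARGETS} relay targets")
    return findings


if __name__ == "__main__":
    print(audit_relay_interface(SAMPLE, "2660:2321::/64"))   # []
    print(audit_relay_interface(SAMPLE, "2660:2322::/64"))   # prefix mismatch
```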


4 BRAS Access Configuration

About This Chapter

This chapter describes how to control and manage various types of access services by using BRAS access.

NOTE

BRAS access cannot be configured on the X1 or X2 models of the NE80E/40E.

4.1 Introduction
In BRAS access, users are identified based on the protocol stack of user packets. Different authentication modes are applicable to different users.

4.2 Configuring the Authentication Mode
You can use authentication technologies to exchange authentication packets, user names and passwords between user terminals and the NE80E/40E. The NE80E/40E supports multiple authentication technologies.

4.3 Configuring the IPoX Access Service
In IPoX access, users can access the Internet by sending packets without using the client dial-in software for dialing in.

4.4 Configuring and Managing Users
The BRAS manages users either through the domain to which users belong or through user accounts.

4.5 Maintaining BRAS Access
Maintaining BRAS access includes monitoring the operation status of the BRAS, clearing the statistics about login and logout users, and debugging in the case of failures.

4.6 Configuration Examples
This section provides examples for configuring the BRAS access service, including networking requirements, configuration notes, and configuration roadmap.


4.1 Introduction
In BRAS access, users are identified based on the protocol stack of user packets. Different authentication modes are applicable to different users.

4.1.1 Overview of BRAS Authentication
Before configuring BRAS access, familiarize yourself with basic concepts such as Web authentication, binding authentication, and fast authentication. This will help you complete the configuration task quickly and accurately.

The differences in physical connections are obscured by access devices and are irrelevant to the NE80E/40E. The NE80E/40E knows only the encapsulation formats of packets and differentiates users by using the protocol stacks of packets.

Currently, there are the following user authentication modes:

- Web authentication: It refers to an interactive authentication mode in which the user opens the authentication page on the Web authentication server, and enters the user name and password to be authenticated.

- Fast authentication: It is the simplified Web authentication. The user opens the Web page for authentication but does not need to enter the user name and password. The NE80E/40E generates the user name and password vlan according to information about the Broadband Access Server (BAS) interface from which the user logs in.

- Mandatory Web authentication: If the user that requires Web authentication or fast authentication attempts to access an unauthorized address before authentication, the NE80E/40E redirects the access request to the mandatory Web authentication server for the user to be authenticated.

- Binding authentication: The NE80E/40E automatically generates the user name and password based on the user's physical location.

4.1.2 Access Authentication Supported by the NE80E/40E
The NE80E/40E supports user access identification and user authentication modes.

The NE80E/40E allows individual users or leased line users to access the Internet by using any access mode. For details about the access mode for individual users, see the HUAWEI NetEngine80E/40E Router Feature Description - BRAS Services. The access protocols are classified into the following types:

- IPoX, including Internet Protocol over Ethernet (IPoE), IP over Ethernet over Virtual Local Area Network (IPoEoVLAN), and IP over Ethernet over QinQ (IPoEoQ)

The NE80E/40E supports the following authentication modes:

- Web authentication

- Fast authentication

- Mandatory Web authentication

- Binding authentication


4.2 Configuring the Authentication Mode
You can use authentication technologies to exchange authentication packets, user names and passwords between user terminals and the NE80E/40E. The NE80E/40E supports multiple authentication technologies.

4.2.1 Establishing the Configuration Task
Before configuring an authentication mode, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
Web authentication is an interactive authentication mode in which the user opens the authentication page on the web authentication server, and enters the user name and password to be authenticated.

Fast authentication is the simplified web authentication. The user opens the web page for authentication but does not need to enter the user name and password. The NE80E/40E generates the user name and password (vlan) according to information about the BAS interface from which the user logs in.

Binding authentication means that the NE80E/40E automatically generates the user name and password based on the user's physical location.

Pre-configuration Tasks
Before configuring the authentication mode, complete the following tasks:

- Loading the BRAS license (For details, refer to the HUAWEI NetEngine80E/40E Router Configuration Guide - System Management.)

- Configuring an ACL (applied in web authentication)

Data Preparation
To configure the authentication mode, you need the following data.

No. Data

1 IP address, port number, VPN instance, and shared key of the web authentication server

2 Portal protocol version, listen port number, and source interface of the NE80E/40E

3 Whether to transparently transmit RADIUS packets to the web authentication server

4 Default pre-authentication domain of the BAS interface

5 (Optional) Whether to use the mandatory web authentication


4.2.2 Configuring Web Authentication or Fast Authentication
Web authentication refers to an interactive authentication mode in which a user opens the authentication page on the Web authentication server, and enters the user name and password for authentication. Fast authentication refers to an authentication mode in which a user opens the authentication page on the Web authentication server for authentication, without entering the user name and password.

Context
When configuring Web authentication or fast authentication, you need the following parameters:

- IP address and VPN instance of the server
- Port number of the server
- Shared key of the server
- Whether the NE80E/40E reports its own IP address to the server
- Portal protocol version, listening port number, and source interface sending portal packets
- Pages to which users are redirected

Do as follows on the NE80E/40E:

Procedure
- Configuring the Web Authentication Server

1. Run: system-view

The system view is displayed.

2. Run:

web-auth-server ip-address [ vpn-instance instance-name ] [ port port-number ] [ key key-string ] [ nas-ip-address ]

The Web authentication server is configured.

By default, no Web authentication server is configured on the NE80E/40E. If the Web authentication server is configured, the default port number is 50100, the default shared key is null, and the NE80E/40E does not send its IP address to the Web authentication server.

- (Optional) Configuring the Portal Protocol

1. Run: system-view

The system view is displayed.

2. (Optional) Run: web-auth-server version v2

The portal protocol version is set.

By default, the NE80E/40E supports both V1 and V2.

3. (Optional) Run: web-auth-server listening-port port

web-auth-server listening-port port

The number of the listening port on the NE80E/40E is specified.

By default, the NE80E/40E uses port 2000 to listen to the messages sent from the Web authentication server.

4. (Optional) Run: web-auth-server source interface interface-type interface-number

The source interface for sending packets is configured on the NE80E/40E.

By default, the source interface for sending portal packets is not configured on the NE80E/40E. The NE80E/40E uses the IP address of the outbound interface for the packets as the source IP address.

5. (Optional) Run: web-auth-server reply-message

The NE80E/40E is configured to transparently transmit Remote Authentication Dial In User Service (RADIUS) packets.

By default, the NE80E/40E transparently transmits RADIUS packets to the Web authentication server.

- (Optional) Configuring Mandatory Web Authentication

Mandatory web authentication means that the NE80E/40E redirects the access request of a user to the specified web server for authentication if the user accesses a URL without permission before the authentication.

1. (Optional) Run:

aaa

The AAA view is displayed.

2. Run: domain domain-name

The view of the default pre-authentication domain is displayed.

3. (Optional) Run: web-server url url

The redirection URL address for forced web authentication is configured.

– Or Run: web-server url-parameter
The protocol adopted by Web authentication is set to the extension Portal protocol supported by the ISP.

– Or Run: web-server ip-address
The IP address of the web authentication server is configured.

– Or Run: web-server mode { get | post }
The HTTP mode of forced web authentication is configured.

– Or Run: web-server redirect-key { mscg-ip mscg-ip-key | mscg-name mscg-name-key | user-ip-address user-ip-key | user-location user-location-key }
The keyword for attributes of a customized portal is configured.

– Or Run: web-server user-first-url-key { key-name | default-name }
The keyword for tracing the main page is configured.

The mandatory Web authentication server is configured.

The format of the Universal Resource Locator (URL) to which access requests are redirected in the mandatory Web authentication is http://www.isp.com/index.html. The NE80E/40E supports two modes for accessing the Hypertext Transfer Protocol (HTTP) page: get and post. The two modes define different formats of packets exchanged between the NE80E/40E and the HTTP page.

4. Run: quit

The AAA view is displayed.

l Configuring the Authentication Domain and Authentication Method on the BAS Interface

1. Run: interface interface-type interface-number

The interface view is displayed.

2. Run: bas

The BAS interface view is displayed.

3. Run: access-type layer2-subscriber

The user access type is set to Layer 2 subscriber access.

4. Run: default-domain pre-authentication domain-name

The default pre-authentication domain is specified.

By default, the pre-authentication domain of the BAS interface is default0.

5. Run: default-domain authentication [ force | replace ] domain-name

The default authentication domain is specified.

By default, the authentication domain of the BAS interface is default1.

6. Run: authentication-method { web | fast }

The Web authentication or fast authentication is configured.

----End

4.2.3 Configuring Other Authentication Modes
In addition to Web authentication, users can also be authenticated using binding authentication.

Context

Do as follows on the NE80E/40E:


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

Step 3 Run: bas

The BAS interface view is displayed.

Step 4 Run: access-type layer2-subscriber

The user access type is set to Layer 2 subscriber access.

Step 5 Run: default-domain pre-authentication domain-name

The default pre-authentication domain is specified.

By default, the pre-authentication domain of the BAS interface is default0.

Step 6 Run: default-domain authentication [ force | replace ] domain-name

The default authentication domain is specified.

By default, the authentication domain of the BAS interface is default1.

Step 7 Run: authentication-method { { ppp | dot1x } * | bind }

Binding authentication is configured.

You can set the authentication mode only for Layer 2 users on the BAS interface. Multiple authentication modes can be configured on an interface, except for the following:

- Web authentication conflicts with fast authentication.
- Binding authentication conflicts with the other authentication modes.

----End

4.2.4 Checking the Configuration
After an authentication mode is configured, you can view the authentication mode by checking the domain configuration.

Procedure
- Run the display web-auth-server configuration command to check the configuration of the Web authentication server.


- Run the display domain [ domain-name ] command to check the configuration of the domain.

----End

Example
After the configuration is complete, you can run the display web-auth-server configuration command to view the configuration of the Web authentication server.

<HUAWEI> display web-auth-server configuration
  Source interface        : -
  Listening port          : 2000
  Portal                  : version 1, version 2
  Display reply message   : enabled
  ------------------------------------------------------------------------
  Server           Share-Password  Port   NAS-IP  Vpn-instance
  ------------------------------------------------------------------------
  192.168.3.140    huawei          50100  NO
  ------------------------------------------------------------------------
  1 Web authentication server(s) in total
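As an added example, not from the Huawei guide, the following Python parser reads the display web-auth-server configuration output above and flags any Portal server still using the null shared key that 4.2.2 names as the default, so an audit can catch a server added without key. The second sample block and the function names are constructed.

```python
"""Parse 'display web-auth-server configuration' output and flag Portal
servers left on the default (null) shared key. Added example, not from the
Huawei guide; SAMPLE_NO_KEY is constructed."""
import re

# Output copied from the guide's example.
ROW_OK = "  192.168.3.140    huawei          50100  NO"
SAMPLE = "\n".join([
    "  Source interface        : -",
    "  Listening port          : 2000",
    "  Portal                  : version 1, version 2",
    "  Display reply message   : enabled",
    "  ------------------------------------------------------------------------",
    "  Server           Share-Password  Port   NAS-IP  Vpn-instance",
    "  ------------------------------------------------------------------------",
    ROW_OK,
    "  ------------------------------------------------------------------------",
    "  1 Web authentication server(s) in total",
]) + "\n"

# Constructed: a second server configured without 'key', inside a VPN.
ROW_NO_KEY = "  192.168.3.141    -               50100  YES     vpn1"
SAMPLE_NO_KEY = (SAMPLE.replace(ROW_OK, ROW_OK + "\n" + ROW_NO_KEY)
                 .replace("1 Web authentication", "2 Web authentication"))

TOTAL_RE = re.compile(r"(\d+) Web authentication server\(s\) in total")
FIELD_RE = re.compile(r"(.+?)\s*:\s*(.*)$")


def parse_web_auth_servers(text):
    """Return (global settings dict, list of per-server dicts)."""
    settings, servers = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or line.startswith("Server"):
            continue                      # separators and the column header
        m = TOTAL_RE.match(line)
        if m:
            settings["total"] = int(m.group(1))
            continue
        m = FIELD_RE.match(line)
        if m:                             # 'Name : value' global settings
            settings[m.group(1)] = m.group(2)
            continue
        parts = line.split()              # a server row
        servers.append({
            "server": parts[0],
            "key": parts[1],              # '-' when no key is configured
            "port": int(parts[2]),
            "nas_ip": parts[3] == "YES",
            "vpn": parts[4] if len(parts) > 4 else None,
        })
    return settings, servers


def audit_web_auth_servers(text):
    """Return findings: servers on the null default key, and a summary line
    that does not match the rows actually listed."""
    settings, servers = parse_web_auth_servers(text)
    findings = []
    if settings.get("total") != len(servers):
        findings.append("server count does not match the summary line")
    for s in servers:
        if s["key"] in ("-", ""):
            findings.append(f"{s['server']}: shared key is null (default)")
    return findings


if __name__ == "__main__":
    print(audit_web_auth_servers(SAMPLE))         # []
    print(audit_web_auth_servers(SAMPLE_NO_KEY))  # one finding for .141
```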

After the configuration is complete, you can run the display domain domain-name command to view information about the binding between the domain and user group.

<HUAWEI> display domain isp1
  Domain-name                     : isp1
  Domain-state                    : Active
  Domain-type                     : Normal domain
  Service-type                    : HSI
  Authentication-scheme-name      : default1
  Accounting-scheme-name          : default1
  Authorization-scheme-name       : -
  RADIUS-server-group             : -
  Accounting-copy-RADIUS-group    : -
  Hwtacacs-server-template        : -
  Tunnel-acct-2867                : Disabled
  User-group-name                 : -
  Policy-route                    : Disabled
  Policy-route-nexthop            : -
  AdminUser-priority              : -
  Web-server-IP-address           : -
  Web-URL                         : -
  Web-server-work-mode            : Get
  Primary dns-IP-address          : -
  Secondary dns-IP-address        : -
  Queue-profile-name              : -
  User-priority-up                : 0
  User-priority-down              : 0
  PPPoe-URL                       : Disabled
  Portal-server-URL               : -
  Portal-server-IP-Address        : -
  Portal-force-times              : 2
  Quota-out                       : Offline
  Force-Auth-Type                 : -
  Idle-data-attribute (time,rate) : 3 minute, 100 Kbyte/minute
  User-access-limit               : 147456
  Online-user-total               : 0
  User-session-limit              : -
  Flow-Statistic-Up               : Yes
  Flow-Statistic-Down             : Yes
  Time-range                      : Disabled
  GRE-group-name                  : -
  L2TP-group-name                 : -
  L2TP-user RADIUS Force          : Disabled
  Dot1x-template-index            : 1
  Realloc-IP-address              : Disabled
  Bill Flow                       : Disabled
  Multicast flow statistic        : Disabled
  VPN-instance-name               : --
  Value-service-name              : -
  DPI-policy-group                : -
  Multicast-profile               : -
  IPUser-ReAuth-Time              : 300 second
  IP-Warning-Percent              : -
  Qos-profile-name                : default
  Zone-name                       : -
  Ancp auto qos adapt             : Disabled
  TimeRange-Qos                   : Disabled
  Val-added-srv-account           : Default
  Multicast Forwarding            : Yes
  Multicast Virtual               : No
  Multivirtual cir                : -
  Multivirtual pir                : -
  Max-multilist num               : 4
  L2TP-QosProfile-inbind          : -
  L2TP-QosProfile-outbind         : -

4.3 Configuring the IPoX Access Service
In IPoX access, users can access the Internet by sending packets without using the client dial-in software for dialing in.

4.3.1 Establishing the Configuration Task
Before configuring IPoX access, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

The IPoX access service is an access authentication service. In IPoX access, a user accesses the Internet by using the Ethernet or an asymmetric digital subscriber line (ADSL). The user uses a fixed IP address or obtains an IP address by using the Dynamic Host Configuration Protocol (DHCP). The system then authenticates the user by using Web authentication, fast authentication, or binding authentication.

Depending on the networking, the IPoX services are classified into the IPoE service, the IPoEoVLAN service, and the IPoEoQ service.

NOTE

When an IPoEoQ user attempts to access the network, if the SMAC field in the Layer 2 header is different from the CHADDR field in a DHCP request packet, the user cannot get online.

Pre-configuration Tasks

Before configuring the IPoX access service, complete the following tasks:

- Loading the BRAS license (For details, see the HUAWEI NetEngine80E/40E Router Configuration Guide - System Management.)

- Configuring Authentication, Authorization, and Accounting (AAA) schemes
- Configuring a RADIUS server group or an HWTACACS server template
- Configuring an IPv4 address pool
- Configuring a domain

Data Preparation
To configure the IPoX access service, you need the following data.

No. Data

1 (Optional) Domain name of the static user

2 IP address, VPN instance (optional), MAC address (optional), and number of the access interface on the NE80E/40E (optional)

3 Names of the authentication scheme, accounting scheme, and authorization scheme (applied in the HWTACACS authentication)

4 Name of the RADIUS server group or HWTACACS server template

5 Name of the IPv4 address pool

6 User domain

7 (Optional) Parameters of the Web authentication server

8 User VLAN ID (applied in IPoEoVLAN access and IPoEoQ access)

9 Parameters of the BAS interface

Configuration Procedures

To configure the IPoX access service, perform the following procedures.

NOTE

Configuring an AAA scheme, 1.3 Configuring a RADIUS Server, Configuring an IPv4 address pool, and Configuring a domain are not provided here because all the procedures are described in other chapters.


Figure 4-1 Configuration procedures for IPoX

[Figure: flowchart with three columns, IPoE, IPoEoVLAN, and IPoEoQ. Mandatory procedures: Configuring a server template, Configuring AAA schemes, Configuring an IPv4 address pool, Configuring a domain, Binding a sub-interface to a VLAN (for IPoEoVLAN and IPoEoQ access), and Configuring the BAS interface. Optional procedures: Configuring the Web authentication and Configuring the ACL.]

4.3.2 Creating a Static User

A user that requires a fixed IP address can be configured as a static user.

Context

Do as follows on the router:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

static-user start-ip-address [ end-ip-address ] gateway ip-address [ vpn-instance instance-name ] [ domain-name domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan ] | pvc vpi/vci ] | mac-address mac-address | detect ] *


A static user is created.

When creating a static user, you can specify the IP address (including the VPN instance to which the IP address belongs), interface (FE, GE, Eth-Trunk, or VE interface) through which the user is connected to the NE80E/40E, domain, and MAC address.

If detect is configured, it indicates that the NE80E/40E actively detects whether the static user is online. If detect is not configured, the user can go online only after sending ARP packets.

The arp-trigger command must be configured on the BAS interface through which the static user goes online.

By default, no static user is created on the NE80E/40E.

----End

4.3.3 Binding Sub-interfaces to a VLAN

The NE80E/40E processes received tagged user packets from different types of users in different manners to ensure that different types of packets are properly forwarded.

Context

If users access the network by using a sub-interface, the sub-interface needs to be bound to a VLAN.

You can bind a sub-interface to a VLAN or configure QinQ on a sub-interface. When binding a sub-interface to a VLAN, you need the following parameters:

l Sub-interface number

l VLAN ID

l QinQ ID

NOTE

l On each main interface, you can set the any-other parameter on only one sub-interface. On one sub-interface, any-other cannot be set together with start-vlan or qinq.

l If dot1q termination, QinQ termination, QinQ stacking, or vlan-type dot1q has been configured on a sub-interface, the user-vlan cannot be configured on this sub-interface.

l Different sub-interfaces cannot be configured with user-side VLANs with the same VLAN ID.

l If an interface on an LPUA, LPUF-10, LPUF-21, or LPUF-40 is bound to a VSI or configured with VLL transparent transmission, users whose packets carry double VLAN tags cannot get online after the user-vlan command is run on its sub-interfaces.

Do as follows on the NE80E/40E:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number.subinterface-number

A sub-interface is created and the sub-interface view is displayed.


Step 3 For Layer 2 subscriber access, run:

user-vlan { start-vlan [ end-vlan ] [ dot1q start-qinq-id [ end-qinq-id ] ] | any-other }

A user-side VLAN is created.

For Layer 3 subscriber access, run:

vlan-type dot1q vlan-id

A user-side VLAN is created.

----End

4.3.4 Configuring a BAS Interface

When an interface is used for broadband access, you need to configure it as a BAS interface, and then specify the user access type and attributes for the interface.

Context

When configuring a BAS interface, you need the following parameters:

l BAS interface number

l Access type and authentication scheme

l (Optional) Maximum number of users that are allowed to access through the BAS interface and maximum number of users that are allowed to access through a specified VLAN

l (Optional) Default domain, roaming domain, and domains that users are allowed to access

l (Optional) Whether to enable the functions of proxy ARP, DHCP broadcast, accounting packet copy, IP packet trigger-online, and user-based multicast replication

l (Optional) Whether to trust the DHCP Option 82 field, user detection parameters, VPN instances of non-PPP users, BAS interface name, and access device type

Do as follows on the NE80E/40E:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number [ .subinterface-number ]

The interface view is displayed.

Step 3 Run:

bas

A BAS interface is created and the BAS interface view is displayed.

You can configure an interface as the BAS interface by running the bas command in the interface view. You can configure a Fast Ethernet (FE) interface or its sub-interface, a Gigabit Ethernet (GE) interface or its sub-interface, a VE interface or its sub-interface, an Eth-Trunk interface or its sub-interface, or an ATM interface or its sub-interface as a BAS interface.

Step 4 Run:

access-type layer2-subscriber [ default-domain { [ authentication [ force | replace ] dname ] [ pre-authentication predname ] } ]

The access type is set to Layer 2 subscriber access and the attributes of this access type are configured.

Or run:

access-type layer3-subscriber [ default-domain { [ pre-authentication predname ] authentication [ force | replace ] dname } ]

The access type is set to Layer 3 subscriber access and the attributes of this access type are configured.

When setting the access type on the BAS interface, you can set the service attributes of the access users at the same time. You can also set these attributes in later configurations.

The access type cannot be configured on the Ethernet interface that is added to an Eth-Trunk interface. You can configure the access type of such an Ethernet interface only on the associated Eth-Trunk interface.

Step 5 (Optional) Run:

access-limit number

The number of users that are allowed to access through the interface is configured.

By default, the number of users that are allowed to access through the BAS interface is not limited.

Step 6 (Optional) Run:

default-domain pre-authentication domain-name

The pre-authentication domain is specified. By default, the pre-authentication domain of the BAS interface is default0.

l Or run:

default-domain authentication [ force | replace ] domain-name

The default authentication domain is specified. By default, the authentication domain of the BAS interface is default1.

l Or run:

permit-domain domain-name &<1-4>

The domain in which users are allowed to access is specified.

By default, no domain for user access is specified on a BAS interface. This means that users from all domains are allowed to access. The permit-domain-list, deny-domain-list, deny-domain, and permit-domain commands cannot be configured together on one BAS interface.

Step 7 (Optional) Run:

client-option82 [ basinfo-insert cn-telecom ]

The Option 82 field (for a DHCP user) reported by a client is trusted by the router.

Or run:

vbas


The function of locating a user through the virtual BAS (VBAS) is enabled. By default, the function of locating a user through the VBAS is disabled.

Step 8 (Optional) Run:

client-option60

The Option 60 field reported by a client is trusted by the router.

Step 9 (Optional) Run:

accounting-copy radius-server radius-name

The accounting packet copy function is enabled.

By default, the accounting packet copy function is disabled on a BAS interface.

Step 10 (Optional) Run:

ip-trigger

User access triggered by IP packets is enabled.

By default, this function is disabled on a BAS interface.

Or run:

arp-trigger

User access triggered by ARP packets is enabled.

By default, this function is disabled on a BAS interface.

Step 11 (Optional) Run:

user detect retransmit number interval time

The user detection parameters are configured.

By default, the number of detection times is 5 and the detection interval is 30 seconds.

Step 12 (Optional) Run:

block

The BAS interface is blocked.

Step 13 (Optional) Run:

dhcp-forcerenew

DHCPv4 forcerenew is enabled.

When the abnormal logoff of a user is not initiated by the user, enable DHCP Forcerenew so that the BRAS instructs the client to send a DHCP Request packet to apply for a new address.

Step 14 (Optional) Run:

filter-policy acl acl-number dhcp

Filtering of DHCP users that attempt to get online, based on ACL rules, is configured on the BAS interface.

By default, ACL rules are not used to filter DHCP users that attempt to get online on a BAS interface.

Step 15 Run:

authentication-method { { web | fast } | bind }

Web authentication, binding authentication, or fast authentication is configured.


You can set the authentication mode for only Layer 2 users on the BAS interface. Multiple authentication modes can be configured on an interface except for the following:

l Web authentication conflicts with fast authentication.

l Binding authentication conflicts with the other authentication modes.

----End

4.3.5 Checking the Configuration

After configuring IPoX access, you can view information about the IPoX access service.

Procedure

l Run the display web-auth-server configuration command to check the configuration of the Web authentication server.

l Run the display domain command to check the configuration of the domain.

l Run the display acl command to check the configuration of the ACL.

----End

Example

After the configuration is complete, you can run the display web-auth-server configuration command to view the configuration of the Web authentication server.

<HUAWEI> display web-auth-server configuration
  Source interface      : -
  Listening port        : 2000
  Portal                : version 1, version 2
  Display reply message : enabled
  ------------------------------------------------------------------------
  Server          Share-Password  Port   NAS-IP  Vpn-instance
  ------------------------------------------------------------------------
  192.168.3.140   huawei          50100  NO
  ------------------------------------------------------------------------
  1 Web authentication server(s) in total

After the configuration is complete, you can run the display domain command to view information about the binding between the domain and user group.

<HUAWEI> display domain isp1
  Domain-name                      : isp1
  Domain-state                     : Active
  Domain-type                      : Normal domain
  Service-type                     : HSI
  Authentication-scheme-name       : default1
  Accounting-scheme-name           : default1
  Authorization-scheme-name        : -
  RADIUS-server-group              : -
  Accounting-copy-RADIUS-group     : -
  Hwtacacs-server-template         : -
  Tunnel-acct-2867                 : Disabled
  User-group-name                  : -
  Policy-route                     : Disabled
  Policy-route-nexthop             : -
  AdminUser-priority               : -
  Web-server-IP-address            : -
  Web-URL                          : -
  Web-server-work-mode             : Get
  Primary dns-IP-address           : -
  Secondary dns-IP-address         : -
  Queue-profile-name               : -
  User-priority-up                 : 0
  User-priority-down               : 0
  PPPoe-URL                        : Disabled
  Portal-server-URL                : -
  Portal-server-IP-Address         : -
  Portal-force-times               : 2
  Quota-out                        : Offline
  Force-Auth-Type                  : -
  Idle-data-attribute (time,rate)  : 3 minute, 100 Kbyte/minute
  User-access-limit                : 147456
  Online-user-total                : 0
  User-session-limit               : -
  Flow-Statistic-Up                : Yes
  Flow-Statistic-Down              : Yes
  Time-range                       : Disabled
  GRE-group-name                   : -
  L2TP-group-name                  : -
  L2TP-user RADIUS Force           : Disabled
  Dot1x-template-index             : 1
  Realloc-IP-address               : Disabled
  Bill Flow                        : Disabled
  Multicast flow statistic         : Disabled
  VPN-instance-name                : --
  Value-service-name               : -
  DPI-policy-group                 : -
  Multicast-profile                : -
  IPUser-ReAuth-Time               : 300 second
  IP-Warning-Percent               : -
  Qos-profile-name                 : default
  Zone-name                        : -
  Ancp auto qos adapt              : Disabled
  TimeRange-Qos                    : Disabled
  Val-added-srv-account            : Default
  Multicast Forwarding             : Yes
  Multicast Virtual                : No
  Multivirtual cir                 : -
  Multivirtual pir                 : -
  Max-multilist num                : 4
  L2TP-QosProfile-inbind           : -
  L2TP-QosProfile-outbind          : -

After the configuration is complete, you can run the display acl command to view the configuration of the ACL.

<HUAWEI> display acl 3100
Advanced ACL 3100, 3 rules,
 rule 0 permit icmp (2 times matched)
 rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 (0 times matched)
 rule 2 permit tcp source 10.110.0.0 0.0.255.255 (0 times matched)

4.4 Configuring and Managing Users

The BRAS manages users either through the domain to which users belong or user accounts.

4.4.1 Establishing the Configuration Task

Before configuring and managing users, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.


Applicable Environment

The NE80E/40E can parse the user name and domain name from a user account according to the domain name delimiter and realm name delimiter. With this function, the NE80E/40E can parse the user name and domain name as required.

The administrator can manage online users on the NE80E/40E, including viewing online users and disconnecting users.

Pre-configuration Tasks

Before configuring and managing users, complete the following tasks:

l Loading the BRAS license (For details, see the HUAWEI NetEngine80E/40E Router Configuration Guide - System Management.)

l Configuring the access method and authentication method for the BAS interface

Data Preparation

To configure and manage users, you need the following data.

No. Data

1 Domain name delimiter, location of the domain name, and parsing direction of the domain name

2 (Optional) Realm name delimiter, location of the realm name, and parsing direction of the realm name

3 Parsing priority

4 User name, domain name, interface name or interface type/interface number, VLAN ID, IP address, IP address pool to which the IP address belongs, VPN instance, MAC address, user ID, and slot number of an online user

4.4.2 Configuring User Account Parsing

The sequence of a domain name and a user name can be flexibly configured to meet different requirements.

Context

Do as follows on the router:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

aaa


The AAA view is displayed.

Step 3 Run:

domain-name-delimiter delimiter

The domain name delimiter is configured.

By default, the domain name delimiter is @.

Step 4 Run:

domain-location { after-delimiter | before-delimiter }

The location of the domain name is configured.

By default, the domain name is placed behind the domain name delimiter.

Step 5 Run:

domainname-parse-direction { left-to-right | right-to-left }

The parsing direction of the domain name is configured.

By default, the domain name is parsed from left to right.

Step 6 (Optional) Run:

realm-name-delimiter delimiter

The realm name delimiter is configured.

By default, the realm name delimiter is not configured.

Step 7 (Optional) Run:

realm-location { after-delimiter | before-delimiter }

The location of the realm name is configured.

By default, the realm name is placed before the realm name delimiter.

Step 8 (Optional) Run:

realmname-parse-direction { left-to-right | right-to-left }

The parsing direction of the realm name is configured.

By default, the realm name is parsed from left to right.

Step 9 Run:

parse-priority { domain-first | realm-first }

The parsing priority is configured.

If the parsing priority is set to domain-first, the realm domain name is excluded from the user account.

By default, the parsing priority is domain-first.

----End
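As an added illustration of how the seven settings above split a user account (not NE80E/40E code), the following Python models the delimiter, location, direction, and priority options; the assumption that parse-priority simply decides which delimiter is searched first, with the other delimiter then applied to the remaining user part, is mine, as is returning None when no domain delimiter is present.

```python
"""Model of the AAA-view user-account parsing settings: domain-name-delimiter,
domain-location, domainname-parse-direction, realm-name-delimiter,
realm-location, realmname-parse-direction and parse-priority.

Added illustration, not router code. Assumption: parse-priority selects which
delimiter is searched first; the other delimiter is then searched in the part
of the account that remains as the user name.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AaaParseConfig:
    """Field defaults match the documented defaults of each command."""
    domain_delimiter: str = "@"                 # domain-name-delimiter
    domain_location: str = "after-delimiter"    # domain-location
    domain_direction: str = "left-to-right"     # domainname-parse-direction
    realm_delimiter: Optional[str] = None       # realm-name-delimiter (unset)
    realm_location: str = "before-delimiter"    # realm-location
    realm_direction: str = "left-to-right"      # realmname-parse-direction
    parse_priority: str = "domain-first"        # parse-priority


def _split_once(account: str, delimiter: str, location: str,
                direction: str) -> Tuple[str, Optional[str]]:
    """Split at the first delimiter met when scanning in `direction`.

    Returns (remaining user part, extracted name). The name is the text on
    the side given by `location`; it is None when the delimiter is absent.
    """
    if direction == "left-to-right":
        idx = account.find(delimiter)
    elif direction == "right-to-left":
        idx = account.rfind(delimiter)
    else:
        raise ValueError(f"unknown parse direction: {direction}")
    if idx < 0:
        return account, None
    left, right = account[:idx], account[idx + len(delimiter):]
    if location == "after-delimiter":
        return left, right
    if location == "before-delimiter":
        return right, left
    raise ValueError(f"unknown location: {location}")


def parse_account(account: str, cfg: AaaParseConfig
                  ) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (user_name, domain_name, realm_name).

    domain_name is None when the account carries no domain delimiter; the
    BAS interface's default authentication domain then applies (see 4.3.4).
    """
    if cfg.parse_priority == "domain-first":
        order = ("domain", "realm")
    elif cfg.parse_priority == "realm-first":
        order = ("realm", "domain")
    else:
        raise ValueError(f"unknown parse-priority: {cfg.parse_priority}")
    rest, domain, realm = account, None, None
    for step in order:
        if step == "domain":
            rest, domain = _split_once(rest, cfg.domain_delimiter,
                                       cfg.domain_location, cfg.domain_direction)
        elif cfg.realm_delimiter:  # realm parsing only once a delimiter is set
            rest, realm = _split_once(rest, cfg.realm_delimiter,
                                      cfg.realm_location, cfg.realm_direction)
    return rest, domain, realm


if __name__ == "__main__":
    # Constructed sample accounts. The direction setting only changes the
    # result when the account carries the delimiter more than once.
    for acct in ("alice@isp1", "alice", "alice@corp@isp1"):
        print(acct, "->", parse_account(acct, AaaParseConfig()))
    print("alice@corp@isp1 (right-to-left) ->",
          parse_account("alice@corp@isp1",
                        AaaParseConfig(domain_direction="right-to-left")))
    print("realmA/alice@isp1 (realm '/') ->",
          parse_account("realmA/alice@isp1",
                        AaaParseConfig(realm_delimiter="/")))
```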

4.4.3 Creating a Local User Account

You can create a user in the AAA view. The user can carry a domain name. If the user does not carry a domain name, the local user belongs to the default domain by default.


Context

If the user-security-policy enable command has been run, the following rules must be obeyed during password configuration:

l A local user name must be longer than six characters.

l For passwords:

– A password must be longer than eight characters.

– A password must consist of digits, upper-case and lower-case letters, and special characters (not including spaces or question marks).

– A password cannot be the same as the user name, nor can it be the reverse of the user name.

l A message indicating that the user name or password is incorrect is displayed if an administrator does not enter the user name or password or enters an incorrect user name or password.
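The following Python checker, added here as an illustration and not router code, applies the user-security-policy rules above to a proposed local account before it is configured; it assumes "must consist of digits, upper-case and lower-case letters, and special characters" means at least one character of each class.

```python
"""Checker for the user-security-policy rules on local user accounts.

Added illustration, not router code. Assumption: the password must contain
at least one digit, one upper-case letter, one lower-case letter and one
special character, where spaces and question marks do not count and are
not allowed at all.
"""
from typing import List

# Characters excluded from the allowed special characters (and from the password).
FORBIDDEN_CHARS = {" ", "?"}


def local_user_policy_violations(user_name: str, password: str) -> List[str]:
    """Return the rules the proposed account violates; empty means accepted."""
    problems: List[str] = []
    if len(user_name) <= 6:
        problems.append("user name must be longer than six characters")
    if len(password) <= 8:
        problems.append("password must be longer than eight characters")
    if not any(c.isdigit() for c in password):
        problems.append("password must contain a digit")
    if not any(c.isupper() for c in password):
        problems.append("password must contain an upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("password must contain a lower-case letter")
    if not any(not c.isalnum() and c not in FORBIDDEN_CHARS for c in password):
        problems.append("password must contain a special character")
    if any(c in FORBIDDEN_CHARS for c in password):
        problems.append("password must not contain spaces or question marks")
    if password == user_name or password == user_name[::-1]:
        problems.append("password must not equal the user name or its reverse")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts, one compliant and three that break a rule.
    for name, pwd in (("operator1", "Str0ng#Pass"), ("admin", "admin"),
                      ("operator1", "1rotarepo"), ("operator1", "Str0ng Pass?")):
        print(f"{name!r}/{pwd!r}:", local_user_policy_violations(name, pwd) or "OK")
```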

Do as follows on the router:

Procedure

l Local AAA view

1. Run:

system-view

The system view is displayed.

2. Run:

local-aaa-server

The local AAA view is displayed.

3. Run:

user username { password {simple simple-password | cipher cipher-password } | authentication-type type-mask | block [ fail-times fail-times-value interval interval-value ] | ftp-directory ftp-directory | ip-address ip-address [ vpn-instance instance-name ] | level level | callback-nocheck | callback-number callback-number | idle-cut | qos-profile qos-profile } *

A local user account is created.

After a new user account is added, it adopts the following default attributes:

– The access restriction is off and the access mode is A (all access modes).

– The status is Active.

– The idle cut function is disabled.

– The group number for intergroup access is 0.

– The maximum number of connections is 24.

– The MAC restriction is disabled.

– The password is "vlan".

– The UCL group number is 0.

– The flow control is disabled.

– The user priority is 0.


l AAA view

1. Run:

system-view

The system view is displayed.

2. Run:

aaa

The AAA view is displayed.

3. Run:

local-user user-name password { simple | cipher } password

A local user account is created.

If the user name contains @, the characters before @ are the user name and the characters after @ are the domain name. If the user name does not contain @, the whole character string represents the user name and the domain name is default.

4. (Optional) Run:

prompt last-info

Recording of the latest administrator login is enabled.

By default, recording of the latest administrator login is disabled.

If information about the latest administrator login, such as the last successful login time, IP address, and number of login failures, needs to be recorded, run the prompt last-info command to enable the system to record the information.

The prompt last-info command is valid for local users configured in the AAA view, but invalid for local users configured in the local AAA server view.

----End

4.4.4 Configuring the User Name Format and Password

The NE80E/40E supports the configuration of the user name format and password. No user name or password needs to be entered for users that attempt to get online through binding or fast authentication.

Context

Do as follows on the router:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

aaa

The AAA view is displayed.

Step 3 Run:

default-user-name [ template template-name ] include { gateway-address | ip-address | mac-address | option12 | option60 | option61 | option82 | sysname } *

The router is configured to generate the IPoX user name according to information carried in the user access request packet.

Or run:

vlanpvc-to-username { standard | turkey | version10 | version20 }

Or run:

vlanpvc-to-username standard trust { pevlan | cevlan }

The router is configured to generate the IPoX user name by using the original format.

By default, the original format of the IPoX user name is defined in version20.

Step 4 Run:

default-password { cipher cipher-password | simple simple-password }

The password of the IPoX user is configured.

The differences between cipher and simple are as follows:

l If cipher is configured, the password is displayed in cipher text in the configuration file, regardless of whether the entered password is encrypted or not.

l If simple is configured, the password is displayed in plain text in the configuration file.

----End

4.4.5 Configuring the Local User Status

The local user can be in the active or blocked state. An active user can be authenticated; a blocked user cannot be authenticated.

Context

Do as follows on the router:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

aaa

The AAA view is displayed.

Step 3 Run:

local-user user-name state { active | block }

The local user status is configured.

By default, the local user is in the active state.

----End


Follow-up Procedure

The authentication request from a local user in the active or blocked state is processed in a different manner.

l If the local user is in the active state, the authentication request from this user is allowed for further processing.

l If the local user is in the blocked state, the authentication request from this user is denied.

4.4.6 Configuring the Limit on the Number of Access Users

Limiting the number of access users can prevent unauthorized users from accessing the network.

Context

Do as follows on the router:

Procedure

l Restricting the access of local users

1. Run:

system-view

The system view is displayed.

2. Run:

aaa

The AAA view is displayed.

3. Run:

local-user user-name access-limit max-number

The local user access limit is configured.

By default, the number of access users with the same user name is not restricted.

l Restricting the access of DHCP users

1. Run:

system-view

The system view is displayed.

2. Run:

dhcp-user-slot-warning-threshold

The alarm threshold for DHCP users allowed to access an LPU is configured. If the percentage of DHCP users currently accessing the LPU exceeds the threshold, an alarm is generated.

3. Run:

dhcp-user-warning-threshold

The alarm threshold for DHCP users allowed to access the entire NE80E/40E is configured. If the percentage of DHCP users currently accessing the entire NE80E/40E exceeds the threshold, an alarm is generated.

4. Run:

dhcp connection chasten request-sessions request-period blocking-period


The number of DHCP access attempts is limited.

– display dhcp chasten-number

You can view the number of users whose attempts to set up DHCP connectionsare limited.

– display dhcp chasten-user

You can view information about users whose attempts to set up DHCP connectionsare limited.

– display dhcp connection-chasten

You can view settings of the limit on attempts to set up a DHCP connection.

– dhcp reset chasten-number

You can reset the statistics on user attempts to set up a DHCP connection.

l Restricting the access of users allowed to access an LPU

1. Run:

system-view

The system view is displayed.

2. Run:

slot-warning-threshold

The alarm threshold for users allowed to access an LPU is configured. If the percentage of users currently accessing the LPU exceeds the threshold, an alarm is generated on the router.

----End

4.4.7 Disconnecting Online Users

The NE80E/40E supports the disconnection of online users by the IP address, MAC address, access port, or domain.

Context

Do as follows on the router:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

aaa

The AAA view is displayed.

Step 3 Run:

cut access-user username user-name { all | hwtacacs | local | none | radius }

The online user with the specified user name is disconnected.

Or run:


cut access-user domain domain-name

The online users in the specified domain are disconnected.

Or run:

cut access-user mac-address mac-address

The online user with the specified MAC address is disconnected.

Or run:

cut access-user ipv6-address ipv6-address [ vpn-instance instance-name ]

The online user with the specified IPv6 address is disconnected.

Or run:

cut access-user ip-address ip-address [ vpn-instance instance-name ]

The online user with the specified IP address is disconnected.

Or run:

cut access-user interface interface-type interface-number [ pevlan vlan-id ] [ cevlan vlan-id ]

The online users on the specified interface are disconnected.

Or run:

cut access-user user-id start-no [ end-no ]

The online user with the specified user ID is disconnected.

Or run:

cut access-user ip-pool pool-name

The online users using the IP addresses in the specified IP address pool are disconnected.

Or run:

cut access-user slot slot-id

All users on the board in the specified slot are disconnected.

----End

4.4.8 Generating Offline Records and Online Failure Records

Context

Do as follows on the router:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

aaa offline-record

Offline records are generated.

By default, offline records are generated.

Step 3 Run:

aaa online-fail-record

Online failure records are generated.

By default, online failure records are generated.

Step 4 Run:

aaa abnormal-offline-record

The records of abnormal logout are generated.

By default, the system generates the records of abnormal logout.

----End

4.4.9 Tracing Services of Users

Context

Do as follows on the router:

Procedure

Step 1 Run:

trace access-user object object-id { access-mode mode | user-name username | interface interface-type interface-number | ip-address ip-address | mac-address mac-address | ce-vlan ce-vlan-id | pe-vlan pe-vlan-id } * [ output [ file file-name | syslog-server ip-address | vty ] | -t time ] *

Service tracing is enabled.

By default, service tracing is enabled. Tracing information is output to the VTY terminal, and the tracing time is 15 minutes.

Using the service tracing function decreases the performance of the NE80E/40E. Therefore, it is recommended that you use this function only when you need to locate faults. Disable this function when the NE80E/40E runs normally. If the status of a great number of users changes, you need to configure the objects to be traced accurately when using the service tracing function. Otherwise, a great number of resources are wasted and user services are affected.

----End

4.4.10 Checking the Configuration

After user management is configured, you can view the configuration of the user name format and user account parsing.

Procedure

l Run the display static-user command to check information about static users.


l Run the display aaa configuration command to check the configuration of the user account parsing function.

l Run the display vlanpvc-to-username command to check the configuration of the format of the IPoX user name.

l Run the display call rate command to check the put-through rate of all types of users.

----End

ExampleAfter the configuration is complete, you can run the display static-user command to viewinformation about static users.

<HUAWEI> display static-user --------------------------------------------------------------------------- Interface VLAN-ID/PVC IP-address MAC-address VPN --------------------------------------------------------------------------- - - 10.10.10.2 - -- GE1/0/2 - 10.10.10.5 - -- --------------------------------------------------------------------------- Total 2 item(s) matched

After the configuration is complete, you can run the display aaa configuration command toview the configuration of the user account parsing function.

<HUAWEI> display aaa configuration --------------------------------------------------------------------------- AAA configuration information : --------------------------------------------------------------------------- Parse Priority : Domain first Domain Name Delimiter : @ Domainname parse direction : Left to right Domainname location : After-delimiter Realm name delimiter : - Realmname parse direction : Left to right Realmname location : Before-delimiter Domain : total: 1024 used: 7 Authentication-scheme : total: 32 used: 4 Authorization-scheme : total: 16 used: 2 Accounting-scheme : total: 128 used: 4 Recording-scheme : total: 128 used: 1 AAA-access-user : total: 279552 used: 0 Access-user-state : authen: 0 author: 0 accounting: 0 Transition-step : - Min-Delay-time : - Max-Delay-time : - Access speed : - Account-session-id-version : Version1 ---------------------------------------------------------------------------

After the configuration is complete, you can run the display vlanpvc-to-username command to view the configuration of the format of the IPoX user name.

<HUAWEI> display vlanpvc-to-username
 Version of vlan and pvc model in username : Version2.0

After the configuration is complete, you can run the display call rate command to view the put-through rate of all types of users.

<HUAWEI> display call rate
User callrate:
--------------------------------------------------------
 Usertype     Calltime    Callcompletion    Rate
--------------------------------------------------------
 PPP          127         127               100.00%
 Dot1X        324         324               100.00%
 Web/Fast     7           7                 100.00%
 Bind         0           0                 0.00%
 Total        458         458               100.00%

4.5 Maintaining BRAS Access

Maintaining BRAS access includes monitoring the operation status of the BRAS, clearing the statistics about login and logout users, and debugging in the case of failures.

4.5.1 Displaying BRAS Access Information

You can view BRAS access information, including user login and logout records.

Context

After the preceding configurations, run the following display commands in any view to check the BRAS configurations. For details, see the HUAWEI NetEngine80E/40E Router - Command Reference.

Procedure

Step 1 Run the display web-auth-server configuration command to check the configuration of the Web authentication server.

Step 2 Run the display bas-interface command to check the configuration of the BAS interface.

Step 3 Run the display aaa online-fail-record command to check the login failure records.

Step 4 Run the display aaa offline-record command to check the logout records.

Step 5 Run the display aaa abnormal-offline-record command to check the abnormal logout records.

Step 6 Run the display access-user command in any view to check information about online users.

----End

4.5.2 Clearing BRAS Access Information

If there are too many login and logout records, you can delete the BRAS access authentication information.

Context

CAUTION

BRAS access information cannot be restored after it is cleared. Exercise caution when running the commands.

To clear BRAS access information, run the following reset commands.


Procedure

Step 1 Run the reset aaa online-fail-record command in the user view to clear the login failure records.

Step 2 Run the reset aaa offline-record command in the user view to clear the logout records.

Step 3 Run the reset aaa abnormal-offline-record command in the user view to clear the abnormal logout records.

Step 4 Run the reset call rate command in the user view to clear the call rate statistics of users.

----End

4.6 Configuration Examples

This section provides examples for configuring the BRAS access service, including networking requirements, configuration notes, and configuration roadmap.

4.6.1 Example for Configuring the IPoE Access Service for VPN Users by Using Web Authentication

This section provides an example for configuring IPoE access to a VPN by using Web authentication, including the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

The networking is shown in Figure 4-2. The requirements are as follows:

l The user belongs to domain isp2 and accesses the Internet by using GE 1/0/2 on the router in IPoE mode.

l The user adopts Web authentication, RADIUS authentication, and RADIUS accounting.

l The IP address of the RADIUS server is 192.168.8.249. The authentication port number is 1812 and the accounting port number is 1813. The standard RADIUS protocol is used. The shared key is hello.

l The user is a VPN user and belongs to a VPN instance named vpn1.

l The IP address of the DNS server is 192.168.8.252.

l The IP address of the Web authentication server is 192.168.8.251 and the key is webvlan.

l The network-side interface is GE 1/0/1.

Figure 4-2 Networking for configuring the IPoE access service (figure not reproduced: subscriber@isp2 reaches the router's GE1/0/2 through the access network; GE1/0/1 (192.168.8.1) connects toward the Internet, the DNS server 192.168.8.252, the RADIUS server 192.168.8.249 and the WEB server 192.168.8.251)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a VPN instance.

2. Configure authentication and accounting schemes.

3. Configure a RADIUS server group.

4. Configure an address pool.

5. Configure a pre-authentication domain and an authentication domain for Web authentication.

6. Configure the Web authentication server.

7. Configure ACL rules and traffic policies.

8. Configure a BAS interface and an upstream interface.

Data Preparation

To complete the configuration, you need the following data:

l VPN instance name, RD, and VPN target

l Authentication template name and authentication mode

l Accounting template name and accounting mode

l RADIUS server group name, and IP addresses and port numbers of the RADIUS authentication server and accounting server

l IP address pool name, gateway address, and DNS server address

l Domain name

l Web authentication server address

l ACL rules

l Traffic policy

l BAS interface parameters


Procedure

Step 1 Configure a VPN instance.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] route-distinguisher 100:1
[HUAWEI-vpn-instance-vpn1] vpn-target 100:1 both
[HUAWEI-vpn-instance-vpn1] quit

Step 2 Configure AAA schemes.

# Configure an authentication scheme.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme auth2
[HUAWEI-aaa-authen-auth2] authentication-mode radius
[HUAWEI-aaa-authen-auth2] quit

# Configure an accounting scheme.

[HUAWEI-aaa] accounting-scheme acct2
[HUAWEI-aaa-accounting-acct2] accounting-mode radius
[HUAWEI-aaa-accounting-acct2] quit
[HUAWEI-aaa] quit

Step 3 Configure a RADIUS server group.

[HUAWEI] radius-server group rd2
[HUAWEI-radius-rd2] radius-server authentication 192.168.8.249 1812
[HUAWEI-radius-rd2] radius-server accounting 192.168.8.249 1813
[HUAWEI-radius-rd2] radius-server type standard
[HUAWEI-radius-rd2] radius-server shared-key hello
[HUAWEI-radius-rd2] quit

Step 4 Configure an address pool.

[HUAWEI] ip pool pool2 bas local
[HUAWEI-ip-pool-pool2] gateway 172.82.1.1 255.255.255.0
[HUAWEI-ip-pool-pool2] section 0 172.82.1.2 172.82.1.200
[HUAWEI-ip-pool-pool2] dns-server 192.168.8.252
[HUAWEI-ip-pool-pool2] vpn-instance vpn1
[HUAWEI-ip-pool-pool2] quit

Step 5 Configure a domain.

# Configure domain default0 as the pre-authentication domain for Web authentication.

[HUAWEI] user-group huawei
[HUAWEI] aaa
[HUAWEI-aaa] domain default0
[HUAWEI-aaa-domain-default0] ip-pool pool2
[HUAWEI-aaa-domain-default0] user-group huawei
[HUAWEI-aaa-domain-default0] service-type hsi
[HUAWEI-aaa-domain-default0] web-server 192.168.8.251
[HUAWEI-aaa-domain-default0] web-server url http://192.168.8.251
[HUAWEI-aaa-domain-default0] vpn-instance vpn1
[HUAWEI-aaa-domain-default0] quit

# Configure domain isp2 as the authentication domain for Web authentication.

[HUAWEI-aaa] domain isp2
[HUAWEI-aaa-domain-isp2] authentication-scheme auth2
[HUAWEI-aaa-domain-isp2] accounting-scheme acct2
[HUAWEI-aaa-domain-isp2] radius-server group rd2
[HUAWEI-aaa-domain-isp2] service-type hsi
[HUAWEI-aaa-domain-isp2] vpn-instance vpn1
[HUAWEI-aaa-domain-isp2] quit
[HUAWEI-aaa] quit


Step 6 Configure the Web authentication server.

[HUAWEI] web-auth-server 192.168.8.251 key webvlan

Step 7 Configure an ACL.

# Configure ACL rules.

[HUAWEI] acl number 6000
[HUAWEI-acl-ucl-6000] rule deny ip source user-group huawei
[HUAWEI-acl-ucl-6000] acl number 6001
[HUAWEI-acl-ucl-6001] rule permit ip source user-group huawei destination ip-address 192.168.8.251 0
[HUAWEI-acl-ucl-6001] rule permit ip source user-group huawei destination ip-address 192.168.8.252 0
[HUAWEI-acl-ucl-6001] quit

# Configure a traffic policy.

[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 6000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic classifier c2
[HUAWEI-classifier-c2] if-match acl 6001
[HUAWEI-classifier-c2] quit
[HUAWEI] traffic behavior deny1
[HUAWEI-behavior-deny1] deny
[HUAWEI-behavior-deny1] quit
[HUAWEI] traffic behavior perm1
[HUAWEI-behavior-perm1] permit
[HUAWEI-behavior-perm1] quit
[HUAWEI] traffic policy action1
[HUAWEI-policy-action1] classifier c2 behavior perm1
[HUAWEI-policy-action1] classifier c1 behavior deny1
[HUAWEI-policy-action1] quit

# Apply the traffic policy globally.

[HUAWEI] traffic-policy action1 inbound
[HUAWEI] traffic-policy action1 outbound

Step 8 Configure interfaces.

# Configure a BAS interface.

[HUAWEI] interface GigabitEthernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] bas
[HUAWEI-GigabitEthernet1/0/2-bas] access-type layer2-subscriber
[HUAWEI-GigabitEthernet1/0/2-bas] authentication-method web
[HUAWEI-GigabitEthernet1/0/2-bas] default-domain authentication isp2
[HUAWEI-GigabitEthernet1/0/2-bas] quit
[HUAWEI-GigabitEthernet1/0/2] quit

# Configure an upstream interface.

NOTE

The upstream interface is connected to an MPLS network; its MPLS configuration is not described here. For details, refer to the chapter BGP/MPLS IP VPN of the HUAWEI NetEngine80E/40E Router Configuration Guide - VPN.

[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 192.168.8.1 255.255.255.0

----End

Configuration Files

#
 sysname HUAWEI
#
 user-group huawei
#
ip vpn-instance vpn1
 route-distinguisher 100:1
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
#
 radius-server group rd2
  radius-server authentication 192.168.8.249 1812 weight 0
  radius-server accounting 192.168.8.249 1813 weight 0
  radius-server shared-key hello
#
#
acl number 6000
#
acl number 6001
 rule 5 permit ip source user-group huawei destination ip-address 192.168.8.251 0
 rule 10 permit ip source user-group huawei destination ip-address 192.168.8.252 0
#
traffic classifier c2 operator and
 if-match acl 6001
traffic classifier c1 operator and
 if-match acl 6000
#
traffic behavior perm1
traffic behavior deny1
 deny
#
traffic policy action1
 classifier c2 behavior perm1
 classifier c1 behavior deny1
traffic-policy action1 inbound
traffic-policy action1 outbound
#
interface GigabitEthernet1/0/2
 bas
  access-type layer2-subscriber default-domain authentication isp2
  authentication-method web
#
interface GigabitEthernet1/0/1
 ip address 192.168.8.1 255.255.255.0
#
ip pool pool2 bas local
 vpn-instance vpn1
 gateway 172.82.1.1 255.255.255.0
 section 0 172.82.1.2 172.82.1.200
 dns-server 192.168.8.252
#
aaa
 authentication-scheme auth2
 accounting-scheme acct2
 domain default0
  service-type hsi
  web-server 192.168.8.251
  web-server url http://192.168.8.251
  user-group huawei
  vpn-instance vpn1
  ip-pool pool2
 domain isp2
  authentication-scheme auth2
  accounting-scheme acct2
  service-type hsi
  radius-server group rd2
#
return


4.6.2 Example for Configuring the IPoEoVLAN Access Service

This section provides an example for configuring the IPoEoVLAN access service, including the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

The networking is shown in Figure 4-3. The requirements are as follows:

l The user belongs to domain isp3 and accesses the Internet by using GE 1/0/2.1 on the router in IPoEoVLAN mode. The LAN switch tags user packets with VLAN 1 and VLAN 2.

l The user adopts binding authentication, RADIUS authentication, and RADIUS accounting.

l The IP address of the RADIUS server is 192.168.8.249. The authentication port number is 1812 and the accounting port number is 1813. The standard RADIUS protocol is adopted. The shared key is hello.

l The IP address of the DNS server is 192.168.8.252.

l The network-side interface is GE 1/0/1.

Figure 4-3 Networking for configuring the IPoEoVLAN access service (figure not reproduced: subscriber1@isp3 and subscriber2@isp3 connect through a switch to the router's GE1/0/2.1; GE1/0/1 (192.168.8.1) connects toward the Internet, the DNS server 192.168.8.252 and the RADIUS server 192.168.8.249)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure authentication and accounting schemes.

2. Configure a RADIUS server group.

3. Configure an address pool.

4. Configure an authentication domain.

5. Configure a BAS interface and an upstream interface.


Data Preparation

To complete the configuration, you need the following data:

l Authentication template name and authentication mode

l Accounting template name and accounting mode

l RADIUS server group name, and IP addresses and port numbers of the RADIUS authentication server and accounting server

l IP address pool, gateway address, and DNS server address

l Domain name

l BAS interface parameters

Procedure

Step 1 Configure AAA schemes.

# Configure an authentication scheme.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme auth3
[HUAWEI-aaa-authen-auth3] authentication-mode radius
[HUAWEI-aaa-authen-auth3] quit

# Configure an accounting scheme.

[HUAWEI-aaa] accounting-scheme acct3
[HUAWEI-aaa-accounting-acct3] accounting-mode radius
[HUAWEI-aaa-accounting-acct3] quit
[HUAWEI-aaa] quit

Step 2 Configure a RADIUS server group.

[HUAWEI] radius-server group rd3
[HUAWEI-radius-rd3] radius-server authentication 192.168.8.249 1812
[HUAWEI-radius-rd3] radius-server accounting 192.168.8.249 1813
[HUAWEI-radius-rd3] radius-server type standard
[HUAWEI-radius-rd3] radius-server shared-key hello
[HUAWEI-radius-rd3] quit

Step 3 Configure an address pool.

[HUAWEI] ip pool pool3 bas local
[HUAWEI-ip-pool-pool3] gateway 172.82.2.1 255.255.255.0
[HUAWEI-ip-pool-pool3] section 0 172.82.2.2 172.82.2.200
[HUAWEI-ip-pool-pool3] dns-server 192.168.8.252
[HUAWEI-ip-pool-pool3] quit

NOTE

The configured address pool is used for the authentication domain. The pre-authentication domain is not required because a user that adopts binding authentication can be authenticated automatically when the user goes online.

Step 4 Configure an authentication domain.

[HUAWEI] aaa
[HUAWEI-aaa] domain isp3
[HUAWEI-aaa-domain-isp3] authentication-scheme auth3
[HUAWEI-aaa-domain-isp3] accounting-scheme acct3
[HUAWEI-aaa-domain-isp3] radius-server group rd3
[HUAWEI-aaa-domain-isp3] ip-pool pool3
[HUAWEI-aaa-domain-isp3] quit
[HUAWEI-aaa] quit


NOTE

When a user obtains an IP address in binding authentication, the router authenticates the user automatically. Therefore, you do not need to configure the ACL to control the network access rights of the user before authentication. Instead, you need to configure the ACL to control the network access rights of the user after authentication.

Step 5 Configure interfaces.

# Configure a BAS interface.

[HUAWEI] interface GigabitEthernet 1/0/2.1
[HUAWEI-GigabitEthernet1/0/2.1] user-vlan 1 2
[HUAWEI-GigabitEthernet1/0/2.1-vlan-1-2] quit
[HUAWEI-GigabitEthernet1/0/2.1] bas
[HUAWEI-GigabitEthernet1/0/2.1-bas] access-type layer2-subscriber
[HUAWEI-GigabitEthernet1/0/2.1-bas] authentication-method bind
[HUAWEI-GigabitEthernet1/0/2.1-bas] default-domain authentication isp3
[HUAWEI-GigabitEthernet1/0/2.1-bas] quit
[HUAWEI-GigabitEthernet1/0/2.1] quit

NOTE

l The user name for binding authentication is automatically generated based on the location where the user accesses the NE80E/40E. Therefore, the user name on the RADIUS server must be configured according to the name generation rule. The password is vlan.

l For details about the user name format used in binding authentication, see the description of the vlanpvc-to-username command in the HUAWEI NetEngine80E/40E Router Command Reference.

# Configure an upstream interface.

[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 192.168.8.1 255.255.255.0

----End

Configuration Files

#
 sysname HUAWEI
#
radius-server group rd3
 radius-server authentication 192.168.8.249 1812 weight 0
 radius-server accounting 192.168.8.249 1813 weight 0
 radius-server shared-key hello
#
interface GigabitEthernet1/0/2.1
 user-vlan 1 2
 bas
  access-type layer2-subscriber default-domain authentication isp3
  authentication-method bind
#
interface GigabitEthernet1/0/1
 ip address 192.168.8.1 255.255.255.0
#
ip pool pool3 bas local
 gateway 172.82.2.1 255.255.255.0
 section 0 172.82.2.2 172.82.2.200
 dns-server 192.168.8.252
#
aaa
 authentication-scheme auth3
 accounting-scheme acct3
 domain isp3
  authentication-scheme auth3
  accounting-scheme acct3
  radius-server group rd3
  ip-pool pool3
#
return

4.6.3 Example for Configuring the IPoEoQ Access Service

This section provides an example for configuring the IPoEoQ access service, including the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

The networking is shown in Figure 4-4. The requirements are as follows:

l The user accesses the Internet by using GE 1/0/2.2 on the router in IPoEoQ mode. LAN switch 1 tags user packets with VLAN 1 and VLAN 2. LAN switch 2 tags user packets with QinQ 100 (outer VLAN 100).

l The user belongs to domain isp1 and adopts bind authentication and RADIUS accounting.

l The IP address of the RADIUS server is 192.168.7.249. The authentication port number is 1812 and the accounting port number is 1813. The standard RADIUS protocol is adopted. The shared key is itellin.

l The IP address of the DNS server is 192.168.7.252.

Figure 4-4 Networking for configuring the IPoEoQ access service (figure not reproduced: user1@isp1 and user2@isp1 connect through Lanswitch1 (VLAN 1, VLAN 2) and Lanswitch2 (QinQ 100) to the router's GE1/0/2.2; GE1/0/1 (192.168.7.1) connects toward the Internet, the DNS server and the RADIUS server, which the figure labels 192.168.8.252 and 192.168.8.249)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure authentication and accounting schemes.

2. Configure a RADIUS server group.

3. Configure an address pool.

4. Configure an authentication domain.

5. Configure a BAS interface and an upstream interface.


Data Preparation

To complete the configuration, you need the following data:

l Authentication template name and authentication mode

l Accounting template name and accounting mode

l RADIUS server group name, and IP addresses and port numbers of the RADIUS authentication server and accounting server

l IP address pool name, gateway address, and DNS server address

l Domain name

l BAS interface parameters

Procedure

Step 1 Configure AAA schemes.

# Configure an authentication scheme.

[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme auth1
[HUAWEI-aaa-authen-auth1] authentication-mode radius
[HUAWEI-aaa-authen-auth1] quit

# Configure an accounting scheme.

[HUAWEI-aaa] accounting-scheme acct1
[HUAWEI-aaa-accounting-acct1] accounting-mode radius
[HUAWEI-aaa-accounting-acct1] quit
[HUAWEI-aaa] quit

Step 2 Configure a RADIUS server group.

[HUAWEI] radius-server group rd1
[HUAWEI-radius-rd1] radius-server authentication 192.168.7.249 1812
[HUAWEI-radius-rd1] radius-server accounting 192.168.7.249 1813
[HUAWEI-radius-rd1] radius-server shared-key itellin
[HUAWEI-radius-rd1] quit

Step 3 Configure an address pool.

[HUAWEI] ip pool pool1 bas local
[HUAWEI-ip-pool-pool1] gateway 172.82.0.1 255.255.255.0
[HUAWEI-ip-pool-pool1] section 0 172.82.0.2 172.82.0.200
[HUAWEI-ip-pool-pool1] dns-server 192.168.7.252
[HUAWEI-ip-pool-pool1] quit

Step 4 Configure an authentication domain.

[HUAWEI] aaa
[HUAWEI-aaa] domain isp1
[HUAWEI-aaa-domain-isp1] authentication-scheme auth1
[HUAWEI-aaa-domain-isp1] accounting-scheme acct1
[HUAWEI-aaa-domain-isp1] radius-server group rd1
[HUAWEI-aaa-domain-isp1] ip-pool pool1
[HUAWEI-aaa-domain-isp1] service-type hsi
[HUAWEI-aaa-domain-isp1] quit
[HUAWEI-aaa] quit

Step 5 Configure Ethernet interfaces.

# Configure the user VLAN.

[HUAWEI] interface GigabitEthernet 1/0/2.2
[HUAWEI-GigabitEthernet1/0/2.2] user-vlan 1 2 qinq 100
[HUAWEI-GigabitEthernet1/0/2.2] quit


# Configure a BAS interface.

[HUAWEI] interface GigabitEthernet 1/0/2.2
[HUAWEI-GigabitEthernet1/0/2.2] bas
[HUAWEI-GigabitEthernet1/0/2.2-bas] access-type layer2-subscriber
[HUAWEI-GigabitEthernet1/0/2.2-bas] default-domain authentication isp1
[HUAWEI-GigabitEthernet1/0/2.2-bas] authentication-method bind
[HUAWEI-GigabitEthernet1/0/2.2-bas] quit
[HUAWEI-GigabitEthernet1/0/2.2] quit

# Configure an upstream interface.

[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 192.168.7.1 255.255.255.0

Step 6 Verify the configuration.

After the configuration is complete, you can run the display access-user domain command to view information about the online users in the domain.

<HUAWEI> display access-user domain isp1
------------------------------------------------------------------------------
 UserID  Username     Interface   IP address    MAC             IPv6 address
------------------------------------------------------------------------------
 20      user1@isp1   GE1/0/2.2   172.82.0.5    0002-0101-0101  -
 21      user2@isp1   GE1/0/2.2   172.82.0.6    0002-0101-0102  -
------------------------------------------------------------------------------
 Total users : 2

----End
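The verification step above only shows the table; whether each session is consistent with the configuration (pool1 section 0 is 172.82.0.2 to 172.82.0.200, the domain is isp1, the BAS interface is GE1/0/2.2, and no two sessions should share a MAC) still has to be checked by eye. The following Python script is an added example, not Huawei code or router output: it parses output in the shape of the display access-user domain table and reports any session that breaks those expectations. The sample text is constructed from the two rows above plus an invented third row (user3@isp1) that violates two of the checks; the row layout, the column names and the duplicate-MAC rule are assumptions of this example.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: the two rows from the table above plus an invented third
# row whose address lies outside pool1 and whose MAC duplicates user1's.
SAMPLE_OUTPUT = """\
<HUAWEI> display access-user domain isp1
------------------------------------------------------------------------------
 UserID  Username     Interface   IP address    MAC             IPv6 address
------------------------------------------------------------------------------
 20      user1@isp1   GE1/0/2.2   172.82.0.5    0002-0101-0101  -
 21      user2@isp1   GE1/0/2.2   172.82.0.6    0002-0101-0102  -
 22      user3@isp1   GE1/0/2.2   172.82.0.250  0002-0101-0101  -
------------------------------------------------------------------------------
 Total users : 3
"""

# One data row: numeric UserID, user name, interface, IPv4 address, Huawei-style
# MAC (xxxx-xxxx-xxxx) and the IPv6 column ("-" when unused). Assumed layout.
ROW = re.compile(
    r"^\s*(?P<uid>\d+)\s+(?P<user>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<ip6>\S+)\s*$"
)
TOTAL = re.compile(r"^\s*Total users\s*:\s*(\d+)")


def parse_access_users(text):
    """Return (rows, total): rows is a list of dicts keyed by column, total is the
    router's own 'Total users' count (None if the line is absent)."""
    rows, total = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(m.groupdict())
            continue
        t = TOTAL.match(line)
        if t:
            total = int(t.group(1))
    return rows, total


def audit_access_users(text, domain, interface, pool_first, pool_last):
    """Cross-check each online session against the expected domain suffix, BAS
    interface and address-pool section. Returns a sorted list of (UserID, finding);
    an empty list means every session looks as the configuration intends."""
    rows, total = parse_access_users(text)
    lo, hi = IPv4Address(pool_first), IPv4Address(pool_last)
    findings = []
    if total is not None and total != len(rows):
        findings.append(("-", f"row count {len(rows)} != Total users {total}"))
    seen_mac = {}                        # MAC -> first UserID seen with it
    for r in rows:
        if not r["user"].endswith("@" + domain):
            findings.append((r["uid"], "unexpected domain"))
        if r["iface"] != interface:
            findings.append((r["uid"], "unexpected interface"))
        if not lo <= IPv4Address(r["ip"]) <= hi:
            findings.append((r["uid"], "ip outside pool section"))
        if r["mac"] in seen_mac:
            findings.append((r["uid"], f"mac shared with UserID {seen_mac[r['mac']]}"))
        else:
            seen_mac[r["mac"]] = r["uid"]
    return sorted(findings)


if __name__ == "__main__":
    for uid, finding in audit_access_users(
            SAMPLE_OUTPUT, "isp1", "GE1/0/2.2", "172.82.0.2", "172.82.0.200"):
        print(uid, finding)
```

Run against the constructed sample it reports UserID 22 twice (address outside the pool section, MAC shared with UserID 20); against the two rows the router actually shows it reports nothing. The same parser can be pointed at saved output from a terminal session rather than the embedded sample.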

Configuration Files

#
 sysname HUAWEI
#
radius-server group rd1
 radius-server authentication 192.168.7.249 1812 weight 0
 radius-server accounting 192.168.7.249 1813 weight 0
 radius-server shared-key itellin
#
interface GigabitEthernet1/0/2.2
 user-vlan 1 2 qinq 100
 bas
  access-type layer2-subscriber default-domain authentication isp1
  authentication-method bind
#
interface GigabitEthernet1/0/1
 ip address 192.168.7.1 255.255.255.0
#
ip pool pool1 bas local
 gateway 172.82.0.1 255.255.255.0
 section 0 172.82.0.2 172.82.0.200
 dns-server 192.168.7.252
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain default0
 domain default1
 domain default_admin
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  service-type hsi
  radius-server group rd1
  ip-pool pool1
#
return

4.6.4 Example for Configuring Remote Authentication for Static Users

This section provides an example for configuring remote authentication for static users, including the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

The networking is shown in Figure 4-5. The requirements are as follows:

l Users user1@isp1 and user2@isp1 belong to the same domain isp1 and they access the Internet by using GE 1/0/2.1 on the router as static users. The LAN switch labels user packets with VLAN 1 and VLAN 2.

l The two users adopt Web authentication. The RADIUS authentication and RADIUS accounting are used.

l The IP address of user1@isp1 is 172.82.1.100; the IP address of user2@isp1 is 172.82.2.200.

l The two static users are VPN users and belong to the same VPN instance named VPN1.

l The IP address of the RADIUS server is 192.168.7.249. The authentication port number is 1812 and the accounting port number is 1813. The standard RADIUS protocol is adopted. The shared key is hello.

l The IP address of the Web authentication server is 192.168.8.251 and the key is webvlan.

Figure 4-5 Networking for configuring remote authentication for static users (figure not reproduced: user1@isp1 (VLAN 1) and user2@isp1 (VLAN 2) connect through a switch to the router's GE1/0/2.1; GE1/0/1 (192.168.8.1) connects toward the Internet, the DNS server 192.168.8.252, the RADIUS server 192.168.8.249 and the WEB server 192.168.8.251)

Configuration Roadmap

The configuration roadmap is as follows:


1. Configure a VPN instance.

2. Configure authentication and accounting schemes.

3. Configure a Web authentication server.

4. Configure a RADIUS server group.

5. Configure a DHCP server group.

6. Configure ACL rules and traffic policies.

7. Configure an address pool.

8. Configure an authentication domain.

9. Configure a BAS interface and an upstream interface.

10. Configure static users.

Data Preparation

To complete the configuration, you need the following data:

l VPN instance name, Route Distinguisher (RD), and VPN target

l Authentication template name and authentication mode

l Accounting template name and accounting mode

l Web authentication server address

l RADIUS server group name, and IP addresses and port numbers of the RADIUS authentication server and accounting server

l DHCP server address

l ACL rules

l Traffic policy

l IP address pool name, gateway address, and DNS server address

l Domain name

l BAS interface parameters

Procedure

Step 1 Configure a VPN instance.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] route-distinguisher 100:1
[HUAWEI-vpn-instance-vpn1] vpn-target 100:1 both
[HUAWEI-vpn-instance-vpn1] quit

Step 2 Configure an authentication scheme.

[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme auth1
[HUAWEI-aaa-authen-auth1] authentication-mode radius
[HUAWEI-aaa-authen-auth1] quit

Step 3 Configure an accounting scheme.

[HUAWEI-aaa] accounting-scheme acct1
[HUAWEI-aaa-accounting-acct1] accounting-mode radius
[HUAWEI-aaa-accounting-acct1] quit
[HUAWEI-aaa] quit

Step 4 Configure a Web authentication server.


[HUAWEI] web-auth-server 192.168.8.251 key webvlan

Step 5 Configure a RADIUS server group.

[HUAWEI] radius-server group rd1
[HUAWEI-radius-rd1] radius-server authentication 192.168.8.249 1812
[HUAWEI-radius-rd1] radius-server accounting 192.168.8.249 1813
[HUAWEI-radius-rd1] radius-server type standard
[HUAWEI-radius-rd1] radius-server shared-key hello
[HUAWEI-radius-rd1] quit

Step 6 Configure an ACL to allow the user to access only the Web server before Web authentication is implemented.

# Configure a user group.

[HUAWEI] user-group huawei

# Configure ACL rules.

[HUAWEI] acl 6000 match-order auto
[HUAWEI-acl-ucl-6000] rule deny ip source user-group huawei destination ip-address any
[HUAWEI-acl-ucl-6000] rule permit ip source user-group huawei destination ip-address 192.168.8.251 0.0.0.255
[HUAWEI-acl-ucl-6000] quit

# Configure a traffic classifier.

[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 6000
[HUAWEI-classifier-c1] quit

# Configure a traffic behavior.

[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] permit
[HUAWEI-behavior-b1] quit

# Configure a traffic policy.

[HUAWEI] traffic policy policy
[HUAWEI-trafficpolicy-policy] classifier c1 behavior b1
[HUAWEI-trafficpolicy-policy] quit

# Apply the traffic policy globally.

[HUAWEI] traffic-policy policy inbound
[HUAWEI] traffic-policy policy outbound

Step 7 Configure an address pool.

[HUAWEI] ip pool pool1 bas local
[HUAWEI-ip-pool-pool1] gateway 172.82.1.1 255.255.255.0
[HUAWEI-ip-pool-pool1] section 0 172.82.1.2 172.82.1.200
[HUAWEI-ip-pool-pool1] excluded-ip-address 172.82.1.100
[HUAWEI-ip-pool-pool1] vpn-instance vpn1
[HUAWEI-ip-pool-pool1] quit
[HUAWEI] ip pool pool2 bas local
[HUAWEI-ip-pool-pool2] gateway 172.82.2.1 255.255.255.0
[HUAWEI-ip-pool-pool2] section 0 172.82.2.2 172.82.2.200
[HUAWEI-ip-pool-pool2] vpn-instance vpn1
[HUAWEI-ip-pool-pool2] quit

Step 8 Configure a domain.

# Configure the pre-authentication domain default0.

[HUAWEI] aaa
[HUAWEI-aaa] domain default0
[HUAWEI-aaa-domain-default0] ip-pool pool1
[HUAWEI-aaa-domain-default0] ip-pool pool2
[HUAWEI-aaa-domain-default0] user-group huawei
[HUAWEI-aaa-domain-default0] vpn-instance vpn1
[HUAWEI-aaa-domain-default0] quit

# Configure the user domain isp1.

[HUAWEI-aaa] domain isp1
[HUAWEI-aaa-domain-isp1] authentication-scheme auth1
[HUAWEI-aaa-domain-isp1] accounting-scheme acct1
[HUAWEI-aaa-domain-isp1] radius-server group rd1
[HUAWEI-aaa-domain-isp1] vpn-instance vpn1
[HUAWEI-aaa-domain-isp1] quit
[HUAWEI-aaa] quit

Step 9 Configure a BAS interface.

[HUAWEI] interface GigabitEthernet 1/0/2.1
[HUAWEI-GigabitEthernet1/0/2.1] user-vlan 1 2
[HUAWEI-GigabitEthernet1/0/2.1-vlan-1-2] quit
[HUAWEI-GigabitEthernet1/0/2.1] bas
[HUAWEI-GigabitEthernet1/0/2.1-bas] access-type layer2-subscriber default-domain authentication isp1
[HUAWEI-GigabitEthernet1/0/2.1-bas] authentication-method web
[HUAWEI-GigabitEthernet1/0/2.1-bas] vpn-instance vpn1
[HUAWEI-GigabitEthernet1/0/2.1-bas] ip-trigger
[HUAWEI-GigabitEthernet1/0/2.1-bas] arp-trigger
[HUAWEI-GigabitEthernet1/0/2.1-bas] quit
[HUAWEI-GigabitEthernet1/0/2.1] quit

Step 10 Configure static users.

[HUAWEI] static-user 172.82.1.100 172.82.1.100 vpn-instance vpn1 interface GigabitEthernet1/0/2.1 vlan 1 detect domain-name isp1
[HUAWEI] static-user 172.82.2.200 172.82.2.200 vpn-instance vpn1 interface GigabitEthernet1/0/2.1 vlan 2 domain-name isp1

Step 11 Configure an upstream interface.

[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 192.168.8.1 255.255.255.0

----End
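Both pre-authentication "walled gardens" in this chapter rest on evaluation order: in 4.6.1 the policy action1 lists classifier c2 (permit to the Web and DNS servers) before classifier c1 (deny everything from user-group huawei), and in 4.6.4 a single ACL 6000 is created with match-order auto so that the more specific permit rule wins over the deny-any rule even though the deny was typed first. The following Python model is an added example, not Huawei code or router output: it reproduces just enough of the UCL ACL and traffic-policy matching to check offline which destinations an unauthenticated user in user-group huawei can reach, and what happens when the order is wrong. Its simplifying assumptions, repeated in the comments, are that the first classifier whose ACL matches decides, that a matched deny rule drops the packet, that traffic matching no rule is forwarded, and that match-order auto sorts rules by destination wildcard size (most specific first); 198.51.100.10 is a constructed Internet destination.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei-style wildcard mask: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    user_group: str                   # source user-group the rule is written for
    dst: str = "0.0.0.0"              # destination base; the default pair means "any"
    dst_wild: str = "255.255.255.255"

    def matches(self, group, dst_ip):
        return group == self.user_group and wildcard_match(dst_ip, self.dst, self.dst_wild)

    @property
    def wildcard_bits(self):
        # Fewer "do not care" bits means a more specific rule (depth-first sort key).
        return bin(int(IPv4Address(self.dst_wild))).count("1")


@dataclass
class Acl:
    number: int
    rules: list                       # in the order the rules were configured
    match_order: str = "config"       # "config" (rule order) or "auto" (assumed depth-first)

    def lookup(self, group, dst_ip):
        ordered = self.rules
        if self.match_order == "auto":
            ordered = sorted(self.rules, key=lambda r: r.wildcard_bits)
        for rule in ordered:
            if rule.matches(group, dst_ip):
                return rule.action
        return None                   # no rule of this ACL hit


def evaluate(policy, group, dst_ip):
    """policy: ordered (acl, behavior) pairs, i.e. 'classifier cX behavior bY' lines;
    behavior is "forward" (permit) or "drop" (deny). Assumed semantics as in the lead-in."""
    for acl, behavior in policy:
        hit = acl.lookup(group, dst_ip)
        if hit == "deny":
            return "drop"             # a deny rule discards regardless of the behavior
        if hit == "permit":
            return behavior
    return "forward"                  # traffic matching no classifier is forwarded


PORTAL, DNS, INTERNET = "192.168.8.251", "192.168.8.252", "198.51.100.10"


def policy_461(reversed_order=False):
    """ACLs 6000/6001 and traffic policy action1 from example 4.6.1."""
    acl6000 = Acl(6000, [Rule("deny", "huawei")])
    acl6001 = Acl(6001, [Rule("permit", "huawei", PORTAL, "0.0.0.0"),
                         Rule("permit", "huawei", DNS, "0.0.0.0")])
    policy = [(acl6001, "forward"), (acl6000, "drop")]   # c2/perm1 before c1/deny1
    return list(reversed(policy)) if reversed_order else policy


def policy_464(match_order="auto"):
    """ACL 6000 and traffic policy 'policy' from example 4.6.4, with the rules in the
    order they were typed in Step 6 (deny any first, then permit 192.168.8.0/24)."""
    acl6000 = Acl(6000, [Rule("deny", "huawei"),
                         Rule("permit", "huawei", "192.168.8.251", "0.0.0.255")],
                  match_order)
    return [(acl6000, "forward")]                        # classifier c1 behavior b1


def reachable(policy, group="huawei"):
    """Destinations a user in `group` may reach; an authenticated user (no longer in
    the pre-authentication user-group) is modelled with group=None."""
    return {d for d in (PORTAL, DNS, INTERNET) if evaluate(policy, group, d) == "forward"}


if __name__ == "__main__":
    print("4.6.1 pre-auth user :", sorted(reachable(policy_461())))
    print("4.6.1 c1 before c2  :", sorted(reachable(policy_461(reversed_order=True))))
    print("4.6.4 auto order    :", sorted(reachable(policy_464())))
    print("4.6.4 config order  :", sorted(reachable(policy_464("config"))))
    print("authenticated user  :", sorted(reachable(policy_461(), group=None)))
```

With the orders used in the examples an unauthenticated user reaches only the Web server and the DNS server, and an authenticated user (no user-group) reaches everything. Swapping the two classifiers in 4.6.1, or building ACL 6000 in 4.6.4 without match-order auto, leaves the user unable to reach even the portal, which is the failure mode to look for when Web redirection appears not to work.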

Configuration Files# sysname HUAWEI# user-group huawei#ip vpn-instance vpn1 route-distinguisher 100:1 vpn-target 100:1 export-extcommunity vpn-target 100:1 import-extcommunity#radius-server group rd1 radius-server authentication 192.168.8.249 1812 weight 0 radius-server accounting 192.168.8.249 1813 weight 0 radius-server shared-key hello#acl number 6000 match-order auto rule 5 permit ip source user-group huawei destination ip-address 192.168.8.0 0.0.0.255 rule 10 deny ip source user-group huawei destination ip-address any#traffic classifier c1 operator or if-match acl 6000#traffic behavior b1#


traffic policy policy
 classifier c1 behavior b1
traffic-policy policy inbound
traffic-policy policy outbound
#
interface GigabitEthernet1/0/2.1
 user-vlan 1 2
 bas
  access-type layer2-subscriber default-domain authentication isp1
  authentication-method web
  vpn-instance vpn1
  ip-trigger
  arp-trigger
#
interface GigabitEthernet1/0/1
 ip address 192.168.8.1 255.255.255.0
#
ip pool pool1 bas local
 vpn-instance vpn1
 gateway 172.82.1.1 255.255.255.0
 section 0 172.82.1.2 172.82.1.200
 excluded-ip-address 172.82.1.100
#
ip pool pool2 bas local
 vpn-instance vpn1
 gateway 172.82.2.1 255.255.255.0
 section 0 172.82.2.2 172.82.2.200
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain default0
  user-group huawei
  vpn-instance vpn1
  ip-pool pool1
  ip-pool pool2
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group rd1
  vpn-instance vpn1
#
 web-auth-server 192.168.8.251 port 50100 key webvlan
#
 static-user 172.82.1.100 172.82.1.100 vpn-instance vpn1 interface GigabitEthernet1/0/2.1 vlan 1 detect domain-name isp1
 static-user 172.82.2.200 172.82.2.200 vpn-instance vpn1 interface GigabitEthernet1/0/2.1 vlan 2 domain-name isp1
#
return
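In the configuration file above, ACL 6000 is matched by traffic classifier c1 and applied through traffic policy "policy" to the subscribers in user-group huawei, the group bound to domain default0 (the default pre-authentication domain). The two rules let those subscribers reach only 192.168.8.0/24, the subnet of the web authentication server 192.168.8.251 and the RADIUS server 192.168.8.249, and deny every other destination. The following Python script is an added example, not code from the Huawei guide: it parses a constructed copy of ACL 6000, models the router's depth-first evaluation for match-order auto (the rule that pins down more address bits wins, lower rule ID breaking ties) as well as the config order (ascending rule ID), and answers which destinations a subscriber in the group can reach. It is written to handle any ACL of this shape, not just the two rules on the page.

```python
"""Added example: evaluate a user-group ACL of the kind used in the web-authentication configuration."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed copy of ACL 6000 from the configuration file above.
ACL_TEXT = """\
acl number 6000 match-order auto
 rule 5 permit ip source user-group huawei destination ip-address 192.168.8.0 0.0.0.255
 rule 10 deny ip source user-group huawei destination ip-address any
"""

RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip source user-group (\S+) "
                     r"destination ip-address (?:(any)|(\S+) (\S+))")


@dataclass
class Rule:
    rule_id: int
    action: str
    user_group: str
    dst: int        # destination network address
    wildcard: int   # Huawei wildcard mask: a 1 bit means "don't care"

    def matches(self, user_group, dst_ip):
        if user_group != self.user_group:
            return False
        care = ~self.wildcard & 0xFFFFFFFF          # bits that must be equal
        return int(ipaddress.IPv4Address(dst_ip)) & care == self.dst & care

    @property
    def depth(self):
        """Number of destination bits the rule pins down; 'auto' order prefers deeper rules."""
        return 32 - bin(self.wildcard).count("1")


def parse_acl(text):
    """Return (match_order, [Rule, ...]) from the ACL text as it appears in a configuration file."""
    lines = text.strip().splitlines()
    order = re.match(r"acl number \d+ match-order (auto|config)", lines[0].strip())[1]
    rules = []
    for line in lines[1:]:
        m = RULE_RE.match(line.strip())
        if not m:
            continue                                 # not a user-group rule; ignored here
        if m[4]:                                     # 'any': every bit is don't-care
            dst, wild = 0, 0xFFFFFFFF
        else:
            dst, wild = int(ipaddress.IPv4Address(m[5])), int(ipaddress.IPv4Address(m[6]))
        rules.append(Rule(int(m[1]), m[2], m[3], dst, wild))
    return order, rules


def decide(acl, user_group, dst_ip):
    """Return 'permit', 'deny', or None when no rule of the ACL matches the flow."""
    order, rules = acl
    hits = [r for r in rules if r.matches(user_group, dst_ip)]
    if not hits:
        return None
    if order == "auto":     # depth-first: the most specific rule wins, lower ID breaks ties
        best = max(hits, key=lambda r: (r.depth, -r.rule_id))
    else:                   # config: rules are tried in ascending rule-ID order
        best = min(hits, key=lambda r: r.rule_id)
    return best.action


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for dst in ("192.168.8.251", "192.168.8.249", "8.8.8.8"):
        print(dst, decide(acl, "huawei", dst))
```

Running the script shows that a subscriber in user-group huawei reaches the web authentication server and the RADIUS server but nothing outside 192.168.8.0/24; a flow whose source is not in the group matches neither rule, so the ACL makes no decision for it and the rest of the policy applies.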

4.6.5 Example for Configuring Local Authentication for Static Users

This section provides an example for configuring local authentication for static users, including the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

The networking is shown in Figure 4-6. The requirements are as follows:

- The user accesses the Internet by using GE 1/0/2.1 on the router as a static user, and the IP address of the user is 172.192.0.8.

- The user adopts local authentication.


- The system uses the IP address carried in the user packet as the user name.

Figure 4-6 Networking for configuring local authentication for static users

[Figure: the user is connected to the Router on GE1/0/2.1; the Router is connected to the Internet through GE1/0/1 (192.168.8.1).]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure an authentication scheme.
2. Configure an address pool.
3. Configure an authentication domain.
4. Configure a BAS interface and an upstream interface.
5. Configure a static user.

Data Preparation

To complete the configuration, you need the following data:

- Authentication template name and authentication mode
- IP address pool name, gateway address, and DNS server address
- Domain name
- BAS interface parameters

Procedure

Step 1 Configure an authentication scheme.

[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme local
[HUAWEI-aaa-authen-local] authentication-mode local
[HUAWEI-aaa-authen-local] quit

Step 2 Configure the user name format and password.

[HUAWEI-aaa] default-user-name include ip-address.
[HUAWEI-aaa] default-password simple test
[HUAWEI-aaa] quit

Step 3 Configure a local account.

[HUAWEI] local-aaa-server
[HUAWEI-local-aaa-server] user 172.192.0.8@isp1 password simple test authentication-type b
[HUAWEI-local-aaa-server] quit

Step 4 Configure an address pool.

[HUAWEI] ip pool pool1 bas local
[HUAWEI-ip-pool-pool1] gateway 172.192.0.1 255.255.255.0
[HUAWEI-ip-pool-pool1] section 0 172.192.0.2 172.192.0.200
[HUAWEI-ip-pool-pool1] excluded-ip-address 172.192.0.8


[HUAWEI-ip-pool-pool1] quit

Step 5 Configure a domain.

[HUAWEI] aaa
[HUAWEI-aaa] domain isp1
[HUAWEI-aaa-domain-isp1] authentication-scheme local
[HUAWEI-aaa-domain-isp1] accounting-scheme default0
[HUAWEI-aaa-domain-isp1] ip-pool pool1
[HUAWEI-aaa-domain-isp1] quit
[HUAWEI-aaa] quit

Step 6 Configure a BAS interface.

[HUAWEI] interface GigabitEthernet 1/0/2.1
[HUAWEI-GigabitEthernet1/0/2.1] user-vlan 100
[HUAWEI-GigabitEthernet1/0/2.1-vlan-100] quit
[HUAWEI-GigabitEthernet1/0/2.1] bas
[HUAWEI-GigabitEthernet1/0/2.1-bas] access-type layer2-subscriber
[HUAWEI-GigabitEthernet1/0/2.1-bas] authentication-method bind
[HUAWEI-GigabitEthernet1/0/2.1-bas] default-domain authentication isp1
[HUAWEI-GigabitEthernet1/0/2.1-bas] ip-trigger
[HUAWEI-GigabitEthernet1/0/2.1-bas] arp-trigger
[HUAWEI-GigabitEthernet1/0/2.1-bas] quit
[HUAWEI-GigabitEthernet1/0/2.1] quit

Step 7 Configure a static user.

[HUAWEI] static-user 172.192.0.8 interface GigabitEthernet 1/0/2.1 vlan 100 detect

Step 8 Configure an upstream interface.

[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 192.168.8.1 255.255.255.0

Step 9 Verify the configuration.

After the configuration is complete, you can run the display access-user domain command to view information about the online users in the domain.

<HUAWEI> display access-user domain isp1
------------------------------------------------------------------------------
 UserID  Username            Interface   IP address    MAC             IPv6 address
------------------------------------------------------------------------------
 20      172.192.0.8@isp1    GE1/0/2.1   172.192.0.8   0002-0101-0101  -
------------------------------------------------------------------------------
 Total users : 1

----End

Configuration Files

#
 sysname HUAWEI
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.8.1 255.255.255.0
#
interface GigabitEthernet1/0/2.1
 user-vlan 100
 bas
  access-type layer2-subscriber default-domain authentication isp1
  ip-trigger
  arp-trigger
  authentication-method bind
#
ip pool pool1 bas local


 gateway 172.192.0.1 255.255.255.0
 section 0 172.192.0.2 172.192.0.200
 excluded-ip-address 172.192.0.8
#
aaa
 default-user-name include ip-address .
 default-password simple test
 authentication-scheme local
  authentication-mode local
 domain isp1
  authentication-scheme local
  accounting-scheme default0
  ip-pool pool1
#
local-aaa-server
 user 172.192.0.8@isp1 password simple test authentication-type B
#
 static-user 172.192.0.8 172.192.0.8 interface GigabitEthernet1/0/2.1 vlan 100 detect
#
return
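The procedure in this section ties four things together: the static user's address, the pool section that address sits in (with excluded-ip-address so the pool never leases it to a dynamic user), the domain the BAS interface assigns by default, and the local account named after the IP address (172.192.0.8@isp1 in the display output above). The following Python script is an added example, not code from the Huawei guide: it parses a constructed copy of the essential lines of the configuration file above and reports when any of those links is broken. It also flags every secret stored with the simple keyword, which the configuration file keeps in cleartext. The finding codes and the CONFIG text are constructed for this example; the checks themselves apply to any configuration of this shape.

```python
"""Added example: consistency checks for a static-user local-authentication configuration."""
import ipaddress
import re

# Constructed copy of the essential lines of the configuration file in section 4.6.5.
CONFIG = """\
interface GigabitEthernet1/0/2.1
 bas
  access-type layer2-subscriber default-domain authentication isp1
#
ip pool pool1 bas local
 section 0 172.192.0.2 172.192.0.200
 excluded-ip-address 172.192.0.8
#
aaa
 default-user-name include ip-address .
 default-password simple test
 authentication-scheme local
  authentication-mode local
 domain isp1
  authentication-scheme local
#
local-aaa-server
 user 172.192.0.8@isp1 password simple test authentication-type B
#
 static-user 172.192.0.8 172.192.0.8 interface GigabitEthernet1/0/2.1 vlan 100 detect
#
"""

STATIC_RE = re.compile(r"static-user (\S+) (\S+) (?:vpn-instance \S+ )?interface (\S+)"
                       r" vlan \d+(?: detect)?(?: domain-name (\S+))?")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse(cfg):
    """Collect pools, schemes, domains, BAS default domains, local accounts and static users."""
    st = {"pools": {}, "schemes": {}, "domains": {}, "bas_domain": {},
          "local_users": {}, "static_users": [], "cleartext": []}
    pool = iface = domain = scheme = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "#":                                     # a lone '#' closes the block
            pool = iface = domain = scheme = None
        elif m := re.match(r"ip pool (\S+) bas local", line):
            pool = st["pools"].setdefault(m[1], {"sections": [], "excluded": []})
        elif pool is not None and (m := re.match(r"section \d+ (\S+) (\S+)", line)):
            pool["sections"].append((_ip(m[1]), _ip(m[2])))
        elif pool is not None and (m := re.match(r"excluded-ip-address (\S+)(?: (\S+))?", line)):
            pool["excluded"].append((_ip(m[1]), _ip(m[2] or m[1])))
        elif m := re.match(r"interface (\S+)", line):
            iface = m[1]
        elif iface and (m := re.search(r"default-domain authentication (\S+)", line)):
            st["bas_domain"][iface] = m[1]
        elif m := re.match(r"domain (\S+)", line):          # occurs only under aaa
            domain = st["domains"].setdefault(m[1], {"scheme": None})
        elif m := re.match(r"authentication-scheme (\S+)", line):
            if domain is not None:                          # reference from inside a domain
                domain["scheme"] = m[1]
            else:                                           # the scheme definition itself
                scheme = st["schemes"].setdefault(m[1], {"mode": None})
        elif scheme is not None and (m := re.match(r"authentication-mode (\S+)", line)):
            scheme["mode"] = m[1]
        elif m := re.match(r"user (\S+) password (simple|cipher) ", line):
            st["local_users"][m[1]] = m[2]
        elif m := STATIC_RE.match(line):
            st["static_users"].append({"first": _ip(m[1]), "last": _ip(m[2]),
                                       "iface": m[3], "domain": m[4]})
        if re.search(r"password simple\b", line):           # 'simple' = cleartext secret
            st["cleartext"].append(line)
    return st

def check(cfg):
    """Return (code, message) findings; an empty list means the configuration is consistent."""
    st = parse(cfg)
    out = []
    for su in st["static_users"]:
        addrs = range(su["first"], su["last"] + 1)          # static ranges are small
        rng = f"{ipaddress.IPv4Address(su['first'])}-{ipaddress.IPv4Address(su['last'])}"
        # A static address inside a dynamic section must be excluded, or the pool can lease it.
        for name, pool in st["pools"].items():
            overlaps = any(su["first"] <= hi and su["last"] >= lo for lo, hi in pool["sections"])
            excluded = all(any(lo <= a <= hi for lo, hi in pool["excluded"]) for a in addrs)
            if overlaps and not excluded:
                out.append(("POOL_OVERLAP", f"{rng} overlaps pool {name} without excluded-ip-address"))
        # The user lands in the explicit domain-name, else the BAS interface's default domain.
        dom_name = su["domain"] or st["bas_domain"].get(su["iface"])
        dom = st["domains"].get(dom_name)
        if dom is None:
            out.append(("DOMAIN_MISSING", f"{rng}: domain {dom_name!r} is not configured"))
            continue
        mode = st["schemes"].get(dom["scheme"], {}).get("mode")
        # With 'default-user-name include ip-address' the local account is <ip>@<domain>.
        if mode == "local":
            for a in addrs:
                account = f"{ipaddress.IPv4Address(a)}@{dom_name}"
                if account not in st["local_users"]:
                    out.append(("LOCAL_ACCOUNT_MISSING", f"no local-aaa-server user {account}"))
    out += [("CLEARTEXT_PASSWORD", line) for line in st["cleartext"]]
    return out
```

On the configuration as given, the only findings are the two cleartext secrets (default-password and the local account password). Deleting the excluded-ip-address line produces a POOL_OVERLAP finding, because 172.192.0.8 then lies inside section 0 of pool1 and could be handed to a dynamic subscriber; deleting the local-aaa-server account produces LOCAL_ACCOUNT_MISSING, because the domain's scheme authenticates locally and no account named 172.192.0.8@isp1 exists.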


A Glossary

This appendix provides the glossary mentioned in this manual.

Glossary Description

A

access service A service providing the basic capability of network access.

B

BRAS A functional component running on the NE80E/40E, which provides access services for broadband subscribers.

binding authentication An authentication mode in which the NE80E/40E creates a user name and a password for the user according to the location of the user.

D

DHCP client A program that obtains IP addresses from the DHCP/BOOTP server, and then allocates the IP addresses to PPP users.

DHCP proxy A program that transparently transmits the DHCP request of a user to the DHCP/BOOTP server, which then allocates the IP address to the user.

DHCP server A program that allocates the IP addresses of the local address pool to the users at the user side and allocates the IP addresses of the relay address pool to the users that pass through the DHCP proxy at the network side.

direct authorization An authorization mode in which the user is fully trusted by the carrier and is authorized directly by the carrier.

domain A group of users with the same service attributes. The NE80E/40E manages users through domains.


F

fast authentication A simplified Web authentication, in which the user opens the web page for authentication but need not enter the user name and password.

H

HWTACACS An enhanced security protocol of TACACS (RFC 1492), through which the NE80E/40E communicates with the HWTACACS server in the client/server mode.

HWTACACS accounting An accounting mode in which the NE80E/40E sends the accounting packets to the HWTACACS server, which then performs accounting for the user.

HWTACACS authentication An authentication mode in which the NE80E/40E sends the user name and the password to the HWTACACS server by using the HWTACACS protocol. The HWTACACS server authenticates the user, and then returns the result to the NE80E/40E.

HWTACACS authorization An authorization mode in which the user is authorized by the HWTACACS server.

L

local address pool An address pool configured on the NE80E/40E and managed by the NE80E/40E.

local authentication An authentication mode in which the user information is configured on the NE80E/40E, and then the NE80E/40E authenticates the user.

local authorization An authorization mode in which the user is authorized by the NE80E/40E based on the user attributes that are configured on the NE80E/40E.

M

mandatory web authentication An authentication method in which the NE80E/40E redirects the access request of an unauthenticated user who uses the web authentication or the fast authentication to the web authentication server for authentication.

O


Option 60 A field carrying the domain information when a terminal device initiates a DHCP request. After receiving the DHCP request, the NE80E/40E allocates the IP address to the device according to the domain information contained in the Option 60 field.

Option 82 A field carrying the physical location information of the user when the NE80E/40E relays a DHCP packet of the user. Then the DHCP server allocates an IP address to the user according to the location information.

P

portal protocol A protocol used to exchange information between web servers and other devices. The portal protocol is based on the client/server model and uses UDP to transfer data.

R

RADIUS accounting An accounting mode in which the NE80E/40E sends the accounting packets to the RADIUS server. Then the RADIUS server performs accounting.

RADIUS authentication An authentication mode in which the NE80E/40E sends the user name and the password to the RADIUS server by using the RADIUS protocol. The RADIUS server authenticates the user, and then returns the result to the NE80E/40E.

relay address pool An address pool providing IP addresses for the users at the network side.

remote address pool A mapping of the remote DHCP or BOOTP server, which does not provide real IP addresses.

S

static user A user with a fixed IP address, which is configured by the user.

V

value-added service A service selected by the user when the user logs in to the portal server of the carrier.

W

web authentication An authentication mode in which the user enters the user name and password on the authentication page of the web authentication server for identity authentication.


B Acronyms and Abbreviations

This appendix lists the acronyms and abbreviations mentioned in this manual.

Item Description

A

AAA Authentication, Authorization and Accounting

ACL Access Control List

ADSL Asymmetric Digital Subscriber Line

AP Access Point

ARP Address Resolution Protocol

B

BAS Broadband Access Server

BOOTP Bootstrap Protocol

BRAS Broadband Remote Access Server

C

CAR Committed Access Rate

CF Compressed Flash

CHAP Challenge Handshake Authentication Protocol

CLI Command Line Interface

CMTS Cable Modem Terminal System

CoA Change of Authorization

COPS Common Open Policy Service


D

DHCP Dynamic Host Configuration Protocol

DNS Domain Name Server

DSLAM Digital Subscriber Line Access Multiplexer

E

EAP Extensible Authentication Protocol

EAPoL EAP over LAN

F

FE Fast Ethernet

G

GE Gigabit Ethernet

GRE Generic Routing Encapsulation

H

HDLC High level Data Link Control

HFC Hybrid Fiber-Coaxial

HWTACACS Huawei TACACS

I

IEEE Institute of Electrical and Electronics Engineers

IP Internet Protocol

IPCP Internet Protocol Control Protocol

IPoE IP over Ethernet

IPoEoVLAN IP over Ethernet over VLAN

IPoX IP over X

IPTN IP Telecommunication Network

ISP Internet Service Provider


L

LAN Local Area Network

LCP Link Control Protocol

L2TP Layer 2 Tunneling Protocol

LTS L2TP Tunnel Switch

M

MAC Media Access Control

MSCHAP Microsoft CHAP

N

NCP Network Control Protocol

ND Neighbor Discovery

NetBIOS Network Basic Input/Output System

P

PAP Password Authentication Protocol

PDP Policy Decision Point

PEP Policy Enforcement Point

PPP Point-to-Point Protocol

PPPoE Point-to-Point Protocol over Ethernet

PPPoEoVLAN PPPoE over VLAN

PPPoX PPP over X

PSTN Public Switched Telephone Network

Q

QinQ 802.1Q in 802.1Q

QoS Quality of Service

R

RADIUS Remote Authentication Dial in User Service


RFC Request for Comments

S

SIG Safe Immunity Gateway

SIM Subscriber Identity Module

DSG Dynamic Service Gateway

SSH Secure Shell

T

TACACS Terminal Access Controller Access Control System

TCP Transmission Control Protocol

TFTP Trivial File Transfer Protocol

U

UDP User Datagram Protocol

URL Universal Resource Locator

V

VLAN Virtual LAN

VoD Video On Demand

VPN Virtual Private Network
