manualshive.com logo in svg

H3C SR8800-F, Configuration Manual, Page: 313 / 502

Share
Download
H3C SR8800-F Configuration Manual Download Page 313

 

297 

websites. After passing authentication, the user can access other network resources. The process of 
direct authentication is simpler than that of re-DHCP authentication. 

Re-DHCP authentication 

Before a user passes authentication, DHCP allocates an IP address (a private IP address) to the 
user. The user can access only the portal Web server and predefined authentication-free websites. 
After the user passes authentication, DHCP reallocates an IP address (a public IP address) to the 
user. The user then can access other network resources. No public IP address is allocated to users 
who fail authentication. Re-DHCP authentication saves public IP addresses. For example, an ISP 
can allocate public IP addresses to broadband users only when they access networks beyond the 
residential community network. 

Only the H3C iNode client supports re-DHCP authentication. IPv6 portal authentication does not 
support the re-DHCP authentication mode. 

Cross-subnet authentication 

Cross-subnet authentication is similar to direct authentication, except it allows Layer 3 forwarding 
devices to exist between the authentication client and the access device. 

In direct authentication, re-DHCP authentication, and cross-subnet authentication, a user's IP 
address uniquely identifies the user. After a user passes authentication, the access device generates 
an ACL for the user based on the user's IP address to control forwarding of the packets from the user. 
Because no Layer 3 forwarding device exists between authentication clients and the access device 
in direct authentication and re-DHCP authentication, the access device can learn the user MAC 
addresses. The access device can enhance its capability of controlling packet forwarding by using 
the learned MAC addresses. 

Portal authentication process 

Direct authentication and cross-subnet authentication share the same authentication process. 
Re-DHCP authentication has a different process as it has two address allocation procedures. 

Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication) 

Figure 97 Direct authentication/cross-subnet authentication process 

 

 

The direct/cross-subnet authentication process is as follows: 

1. 

A portal user access the Internet through HTTP or HTTPS, and the HTTP or HTTPS packet 
arrives at the access device. 

{

 

If the packet matches a portal free rule, the access device allows the packet to pass. 

AAA server

Authentication 

client

Portal 

authentication 

server

Access 

device

1) Initiate a connection

3) CHAP authentication

  4) Authentication request

6) Authentication reply

5) RADIUS 

authentication

7) Notify login 

success

8) Authentication reply 

acknowledgment

Security 

policy server

10) Authorization

Timer

 9) Security check

Portal Web

server

2) User information

Summary of Contents for SR8800-F

Page 1: ...H3C SR8800 F Routers Comware 7 User Access Configuration Guide New H3C Technologies Co Ltd http www h3c com hk Software version SR8800FS CMW710 R7655P05 or later Document version 6W100 20170825...

Page 2: ...SecPath SecCenter SecBlade Comware ITCMM and HUASAN are trademarks of New H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective owners...

Page 3: ...words or arguments that are optional x y Braces enclose a set of required syntax choices separated by vertical bars from which you select one x y Square brackets enclose a set of optional syntax choic...

Page 4: ...Represents a generic network device such as a router switch or firewall Represents a routing capable device such as a router or Layer 3 switch Represents a generic switch such as a Layer 2 or Layer 3...

Page 5: ...cumentation To access the most up to date H3C product documentation go to the H3C website at http www h3c com hk To obtain information about installation configuration and maintenance click http www h...

Page 6: ...the maximum number of real time accounting attempts 28 Configuring RADIUS stop accounting packet buffering 28 Setting the maximum number of pending RADIUS requests 29 Setting the status of RADIUS serv...

Page 7: ...domain 60 Configuring accounting methods for an ISP domain 62 Display and maintenance commands for ISP domains 64 Setting the maximum number of concurrent login users 65 Configuring the local bill ca...

Page 8: ...g a DHCP address pool to a VPN instance 108 Applying an address pool on an interface 108 Configuring a DHCP policy for dynamic address assignment 109 Allocating different IP addresses to DHCP clients...

Page 9: ...nabling client offline detection on the DHCP relay agent 141 Configuring the DHCP relay agent to release an IP address 141 Configuring Option 82 141 Setting the DSCP value for DHCP packets sent by the...

Page 10: ...uration examples 169 Example Configuring BOOTP client 169 DHCPv6 overview 170 DHCPv6 address prefix assignment 170 Rapid assignment involving two messages 170 Assignment involving four messages 170 Ad...

Page 11: ...ction 200 Enabling the DHCPv6 relay agent to advertise IPv6 prefixes 201 Display and maintenance commands for DHCPv6 relay agent 201 DHCPv6 relay agent configuration examples 202 Example Configuring D...

Page 12: ...About PPP 230 PPP protocols 230 PPP link establishment process 230 PPP authentication 231 PPP for IPv4 231 PPP for IPv6 232 Protocols and standards 233 PPP tasks at a glance 233 Configuring a VT inte...

Page 13: ...iguring optional L2TP parameters 264 Configuring L2TP tunnel authentication 264 Setting the Hello interval 265 Setting the DSCP value of L2TP packets 265 Setting the TSA ID of the LTS 265 Enabling L2T...

Page 14: ...rule for URL redirection 304 Configuring a local portal Web service 304 Restrictions and guidelines for configuring a local portal Web service 304 Customizing authentication pages 304 Configuring par...

Page 15: ...ication 353 Example Configuring portal server detection and portal user synchronization 356 Example Configuring cross subnet portal authentication for MPLS L3VPNs 364 Example Configuring direct portal...

Page 16: ...user configuration tasks at a glance 404 Configuring interface leased users 405 Configuring subnet leased users 405 Configuring L2VPN leased users 406 Configuring ISP domains for leased users 406 Con...

Page 17: ...trols user access The server maintains user information centrally See Figure 1 Figure 1 AAA network diagram To access networks or resources beyond the NAS a user sends its identity information to the...

Page 18: ...ocess 1 Receives authentication authorization and accounting requests from RADIUS clients 2 Performs user authentication authorization or accounting 3 Returns user access control information for examp...

Page 19: ...password If the authentication succeeds the server sends back an Access Accept packet that contains the user s authorization information If the authentication fails the server returns an Access Rejec...

Page 20: ...cation fails and the server sends an Access Reject response 4 Accounting Reques t From the client to the server A packet of this type includes user information for the server to start or stop accounti...

Page 21: ...upports RADIUS subattributes with a vendor ID of 25506 For more information see Appendix C RADIUS subattributes vendor ID 25506 Figure 5 Format of attribute 26 HWTACACS HW Terminal Access Controller A...

Page 22: ...he authentication process Supports authorization of configuration commands Access to commands depends on both the user s roles and authorization A user can use only commands that are permitted by the...

Page 23: ...sponse to request the login password 8 Upon receipt of the response the HWTACACS client prompts the user for the login password 9 The user enters the password Host HWTACACS client HWTACACS server 1 Th...

Page 24: ...ot often change The protocol is used to store user information For example LDAP server software Active Directory Server is used in Microsoft Windows operating systems The software stores the user info...

Page 25: ...basic LDAP authentication process 1 A Telnet user initiates a connection request and sends the username and password to the LDAP client 2 After receiving the request the LDAP client establishes a TCP...

Page 26: ...8 Basic LDAP authorization process for a Telnet user The following shows the basic LDAP authorization process 1 A Telnet user initiates a connection request and sends the username and password to the...

Page 27: ...omain for a user by username AAA manages users in the same ISP domain based on the users access types The device supports the following user access types LAN LAN users must pass MAC authentication to...

Page 28: ...gin users is the root directory of the NAS However the users do not have permission to access the root directory Local authorization The NAS performs authorization according to the user attributes loc...

Page 29: ...LS backbone acts as a NAS The NAS transparently delivers the AAA packets of private users in VPN 1 and VPN 2 to the AAA servers in VPN 3 for centralized authentication Authentication packets of privat...

Page 30: ...domains 1 Required Creating an ISP domain 2 Optional Configuring ISP domain attributes 3 Required Perform a minimum one of the following tasks to configure AAA authentication authorization and accoun...

Page 31: ...ibutes of the group The attributes include the password control attributes and authorization attributes For more information about local user group see Configuring user group attributes Binding attrib...

Page 32: ...vice management user Step Command Remarks 1 Enter system view system view N A 2 Add a local user and enter device management user view local user user name class manage By default no local users exist...

Page 33: ...to take if there is a login failure password control login attempt login times exceed lock lock time time unlock By default the local user uses password control attributes of the user group to which t...

Page 34: ...te call number call number subcall number location interface interface type interface number mac mac address vlan vlan id By default no binding attributes are configured for a local user 8 Optional Co...

Page 35: ...onsor name is specified for a local guest 10 Specify the sponsor department for the local guest sponsor department department string By default no sponsor department is specified for a local guest 11...

Page 36: ...es subscriber id subscriber id url url string user profile user profile name vlan vlan id vpn instance vpn instance name work directory directory name By default no authorization attributes are config...

Page 37: ...al guests after the guest registration information is approved by a guest manager Email notification The device notifies the local guests guest sponsors or guest managers by email of the guest account...

Page 38: ...t local guest account information to a csv file in the specified path local user export class network guest url url string N A 10 Optional Enable the guest auto delete feature local guest auto delete...

Page 39: ...ional Configuring the RADIUS accounting on feature Optional Interpreting the RADIUS class attribute as CAR parameters Optional Configuring the Login Service attribute check method for SSH FTP and term...

Page 40: ...servers radius server test profile profile name username name interval interval By default no test profiles exist You can configure multiple test profiles in the system Creating a RADIUS scheme Creat...

Page 41: ...etect the server status Two authentication servers in a scheme primary or secondary cannot have the same combination of IP address port number and VPN instance The weight weight value option takes eff...

Page 42: ...se the same key for each type of communication A key configured in this task is for all servers of the same type accounting or authentication in the scheme The key has a lower priority than a key conf...

Page 43: ...he format for usernames sent to the RADIUS servers user name format keep original with domain without domain By default the ISP domain name is included in a username 4 Optional Set the data flow and p...

Page 44: ...ive a response for a stop accounting request in a single transmission Enable the device to buffer RADIUS stop accounting requests that have not received responses from the accounting server The device...

Page 45: ...nter decreases by 1 each time the device receives a respond from the server or the respond timeout timer for a request expires 3 The device buffers the subsequent requests when the counter reaches the...

Page 46: ...s status accordingly in all RADIUS schemes in which this server is specified When a RADIUS server is manually set to blocked server detection is disabled for the server regardless of whether a test pr...

Page 47: ...it then searches for the secondary servers in the order they are configured The first secondary server in active state is used for communication In this process the workload is always placed on the a...

Page 48: ...em view The IP address specified in RADIUS scheme view applies only to one RADIUS scheme The IP address specified in system view applies to all RADIUS schemes in which the RADIUS servers are in a VPN...

Page 49: ...uch as Telnet can time out When the client connections have a short timeout period a large number of secondary servers can cause the initial authentication or accounting attempt to fail In this case r...

Page 50: ...ting on packet to the RADIUS server after a card reboot The packet contains the card identifier Upon receiving the accounting on packet the RADIUS server logs out all online users that access the devi...

Page 51: ...Command Remarks 1 Enter system view system view N A 2 Enter RADIUS scheme view radius scheme radius scheme name N A 3 Configure the Login Service attribute check method for SSH FTP and terminal users...

Page 52: ...interface type delimiter port delimiter s vid delimiter slot delimiter string string delimiter subslot delimiter vendor vendor id By default no format is configured for RADIUS attribute 87 and the de...

Page 53: ...Attribute rejection Rejects RADIUS attributes based on RADIUS attribute rejection rules When the RADIUS attribute translation feature is enabled the device processes RADIUS packets as follows For the...

Page 54: ...sent By default no RADIUS attribute rejection rules exist Repeat this command to add multiple RADIUS attribute rejection rules Configuring the RADIUS attribute translation feature for a RADIUS DAS Ste...

Page 55: ...session control enable By default the session control feature is disabled 3 Specify a session control client radius session control client ip ipv4 address ipv6 ipv6 address key cipher simple string v...

Page 56: ...the DSCP priority is 0 for RADIUS packets Configuring the device to preferentially process RADIUS authentication requests About configuring the device to preferentially process RADIUS authentication r...

Page 57: ...you must also configure SNMP on the device For more information about SNMP configuration see Network Management and Monitoring Configuration Guide To enable SNMP notifications for RADIUS Step Command...

Page 58: ...es An HWTACACS scheme can be used by multiple ISP domains To create an HWTACACS scheme Step Command Remarks 1 Enter system view system view N A 2 Create an HWTACACS scheme and enter HWTACACS scheme vi...

Page 59: ...the secondary servers in the order they are configured The first secondary server in active state is used for communication If redundancy is not required specify only the primary server An HWTACACS se...

Page 60: ...ddress ipv6 ipv6 address port number key cipher simple string single connection vpn instance vpn instance name Specify a secondary HWTACACS accounting server secondary accounting ipv4 address ipv6 ipv...

Page 61: ...rmat where the isp name argument represents the user s ISP domain name By default the ISP domain name is included in a username If HWTACACS servers do not recognize usernames that contain ISP domain n...

Page 62: ...address for outgoing HWTACACS packets About source IP address for outgoing HWTACACS packets The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS configured...

Page 63: ...es the following timers to control communication with an HWTACACS server Server response timeout timer response timeout Defines the HWTACACS server response timeout timer The device starts this timer...

Page 64: ...en one or more servers are in active state the device tries to communicate with these servers only even if they are unavailable When an HWTACACS server s status changes automatically the device change...

Page 65: ...ance Configuring an LDAP server Required Creating an LDAP server Required Configuring the IP address of the LDAP server Optional Specifying the LDAP version Optional Setting the LDAP server timeout pe...

Page 66: ...d A Microsoft LDAP server supports only LDAPv3 Setting the LDAP server timeout period If the device sends a bind or search request to an LDAP server without receiving the server s response within the...

Page 67: ...user attributes of the LDAP client The LDAP user attributes include Search base DN Search scope Username attribute Username format User object class If the LDAP server contains many directory levels...

Page 68: ...s to include important LDAP attributes that should not be ignored An LDAP attribute can be mapped only to one AAA attribute Different LDAP attributes can be mapped to the same AAA attribute To configu...

Page 69: ...ion server is specified Specifying an LDAP attribute map for LDAP authorization Specify an LDAP attribute map for LDAP authorization to convert LDAP attributes obtained from the LDAP authorization ser...

Page 70: ...ort for the authentication domain configuration depends on the access module 2 The ISP domain in the username 3 The default ISP domain of the device If the chosen domain does not exist on the device t...

Page 71: ...fied direction in the domain at the idle timeout interval The device logs out an online user if the user s total traffic in the idle timeout period at the specified direction is less than the specifie...

Page 72: ...sers Portal users might have both the preauthentication IP address pool and the authorization IP address pool The two DHCP address pools must both have the export route keyword specified or not specif...

Page 73: ...ly the authorization user priority only to upstream packets of users The user profile attribute takes effect only on CSPEX cards The session group profile attribute does not take effect Including the...

Page 74: ...the ISP domain ita policy policy name By default no ITA policy is applied Configuring authentication methods for an ISP domain Restrictions and guidelines When configuring authentication methods foll...

Page 75: ...e ldap scheme name local none local radius scheme radius scheme name hwtacacs scheme hwtacacs scheme name none local ldap scheme ldap scheme name none none radius scheme radius scheme name hwtacacs sc...

Page 76: ...se a RADIUS scheme as the authorization method specify the name of the RADIUS scheme that is configured as the authentication method for the ISP domain If an invalid RADIUS scheme is specified as the...

Page 77: ...eme name local none By default the default authorization method is used for IPoE users This command takes effect only on CSPEX cards 6 Specify authorization methods for LAN users authorization lan acc...

Page 78: ...e uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons An exception occurs in the AAA process The user disconnects from the device The us...

Page 79: ...d takes effect only on CSPEX cards 6 Specify accounting methods for LAN users accounting lan access broadcast radius scheme radius scheme name1 radius scheme radius scheme name2 local none local radiu...

Page 80: ...iled all their accounting update attempts accounting update fail max times max times offline online By default the device allows users that have failed all their accounting update attempts to stay onl...

Page 81: ...mation Accounting traffic statistics Local accounting bills can be exported to a storage directory by using FTP or TFTP When an accounting server becomes available it can download the accounting bills...

Page 82: ...ID to set the NAS Identifier attribute of RADIUS packets so that the RADIUS server can identify the access location of users You can configure a NAS ID in NAS ID profile view in interface view or in...

Page 83: ...face the NAS and VLAN binding in the NAS ID profile has higher priority To set the NAS ID on an interface Step Command Remarks 1 Enter system view system view N A 2 Enter Layer 3 interface view interf...

Page 84: ...es Example Configuring authentication and authorization for SSH users by a RADIUS server Network configuration As shown in Figure 12 configure the router to meet the following requirements Use the RAD...

Page 85: ...Use the default values for other parameters and click OK The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the router The sou...

Page 86: ...line vty0 63 authentication mode scheme Router line vty0 63 quit Enable the default user role feature to assign authenticated SSH users the default user role network operator Router role default role...

Page 87: ...rk operator user role Details not shown Example Configuring local authentication and authorization for SSH users Network configuration As shown in Figure 15 configure the router to meet the following...

Page 88: ...fy that the user can use the commands permitted by the network admin user role Details not shown Example Configuring AAA for SSH users by an HWTACACS server Network configuration As shown in Figure 16...

Page 89: ...login hwtacacs scheme hwtac Router isp bbb authorization login hwtacacs scheme hwtac Router isp bbb accounting login hwtacacs scheme hwtac Router isp bbb quit Create local RSA and DSA key pairs Route...

Page 90: ...TE In this example the LDAP server runs Microsoft Windows 2003 Server Active Directory Add a user named aaa and set the password to ldap 123456 a On the LDAP server select Start Control Panel Administ...

Page 91: ...and click Next Figure 19 Setting the user s password g Click OK Add user aaa to group Users a From the navigation tree click Users under the ldap com node b In the right pane right click user aaa and...

Page 92: ...ser aaa is added to group Users Figure 21 Adding user aaa to group Users Set the administrator password to admin 123456 a In the right pane right click user Administrator and select Set Password b In...

Page 93: ...the administrator password Router ldap server ldap1 login password simple admin 123456 Configure the base DN for user search Router ldap server ldap1 search base dn dc ldap dc com Router ldap server l...

Page 94: ...tac Configure the primary HWTACACS server at 10 1 1 1 Set the authentication authorization and accounting ports to 49 Configure the router to establish only one TCP connection with the server RouterA...

Page 95: ...ion to userb and plaintext passb respectively RouterB Serial2 1 0 1 0 ppp pap local user userb password simple passb Verifying the configuration Use the display interface serial command to display inf...

Page 96: ...The link between the NAS and the RADIUS server works well at both the physical and data link layers The IP address of the RADIUS server is correctly configured on the NAS The authentication and accou...

Page 97: ...igured Some user attributes for example the username attribute configured on the NAS are not consistent with those configured on the server No user search base DN is specified for the LDAP scheme Solu...

Page 98: ...ing 54 unassigned 11 Filter ID 55 Event Timestamp 12 Framed MTU 56 59 unassigned 13 Framed Compression 60 CHAP Challenge 14 Login IP Host 61 NAS Port Type 15 Login Service 62 Port Limit 16 Login TCP P...

Page 99: ...sword for CHAP authentication only present in Access Request packets when CHAP authentication is used 4 NAS IP Address IP address for the server to use to identify the client Typically a client is ide...

Page 100: ...Generation Partnership Project 9 to 14 Reserved for tunnel accounting 15 Reserved for failed 45 Acct Authentic Authentication method used by the user Possible values include 1 RADIUS 2 Local 3 Remote...

Page 101: ...verage Rate Average rate in the direction from the NAS to the user in bps 6 Output Basic Rate Basic rate in the direction from the NAS to the user in bps 15 Remanent_Volume Total amount of data availa...

Page 102: ...that the user belongs to multiple multicast groups 101 MLD Access Limit Maximum number of MLD multicast groups that the user can join concurrently 102 local name L2TP local tunnel name 103 IGMP Acces...

Page 103: ...ther network resources the device redirects it to the URL specified by subattribute 250 2 The broadband lease of the subscriber expires The device redirects the subscriber to the URL specified by suba...

Page 104: ...or more information about the DHCP relay agent see Configuring the DHCP relay agent Figure 23 A typical DHCP application DHCP address allocation Allocation mechanisms DHCP supports the following alloc...

Page 105: ...cated to the client Returns a DHCP NAK message to deny the IP address allocation After receiving the DHCP ACK message the client verifies the following details before using the assigned IP address The...

Page 106: ...0 flags The leftmost bit is defined as the BROADCAST B flag If this flag is set to 0 the DHCP server sent a reply back by unicast If this flag is set to 1 the DHCP server sent a reply back by broadcas...

Page 107: ...tion It is used by a DHCP client to request specified configuration parameters The option includes values that correspond to the parameters requested by the client Option 60 Vendor class identifier op...

Page 108: ...at Figure 27 Option 43 format Network configuration parameters are carried in different sub options of Option 43 as shown in Figure 27 Sub option type The field value can be 0x01 ACS parameter sub opt...

Page 109: ...D interface number and interface type of the interface that receives the client s request Remote ID has the following padding modes String padding mode Includes a character string specified by the use...

Page 110: ...SIP user when both the primary and backup calling processors are unreachable Protocols and standards RFC 2131 Dynamic Host Configuration Protocol RFC 2132 DHCP Options and BOOTP Vendor Extensions RFC...

Page 111: ...ss in the address range of the user class for the client A user class can include multiple matching rules and a client matches the user class as long as it matches any of the rules In address pool vie...

Page 112: ...the address pool with the longest matching secondary subnet Client on a different subnet than the server The DHCP server compares the IP address in the giaddr field of the DHCP request with the primar...

Page 113: ...IP addresses can be assigned to other DHCP clients only after the addresses are in conflict for an hour DHCP server tasks at a glance Tasks at a glance Optional Creating a DHCP user class Required Co...

Page 114: ...umber hardware address hardware address mask hardware address mask option option code ascii ascii string offset offset partial hex hex string mask mask offset offset length length partial relay agent...

Page 115: ...ss pool If you execute the network or address range command multiple times for the same address pool the most recent configuration takes effect If you execute the forbidden ip command multiple times y...

Page 116: ...DHCP address pool If an address pool has a primary subnet and multiple secondary subnets the server assigns IP addresses on a secondary subnet when the primary subnet has no assignable IP addresses Fo...

Page 117: ...s pool When the client requests an IP address the DHCP server assigns the IP address in the static binding to the client Follow these guidelines when you configure a static binding One IP address can...

Page 118: ...ys in the DHCP address pool Step Command Remarks 1 Enter system view system view N A 2 Enter DHCP address pool view dhcp server ip pool pool name By default no DHCP address pool exists 3 Specify gatew...

Page 119: ...tion name in a unicast message to the WINS server The WINS server returns the destination IP address m mixed node An m node client broadcasts the destination name If it receives no response it unicast...

Page 120: ...ile name If the configuration file is on an HTTP server specify the configuration file URL The DHCP client uses the obtained parameters to contact the TFTP server or the HTTP server to get the configu...

Page 121: ...ep Command Remarks 1 Enter system view system view N A 2 Enter DHCP address pool view dhcp server ip pool pool name By default no DHCP address pool exists 3 Specify the IP address of the primary netwo...

Page 122: ...me domain name ascii 44 NetBIOS over TCP IP Name Server Option nbns list ip address 46 NetBIOS over TCP IP Node Type Option netbios type hex 66 TFTP server name tftp server ascii 67 Boot file name boo...

Page 123: ...user class whitelist The DHCP user class whitelist allows the DHCP server to process requests only from clients on the DHCP user class whitelist The whitelist does not take effect on clients who reque...

Page 124: ...in authentication modules such as IPoE The VPN information of the DHCP server s interface that receives DHCP packets from the client If both VPN instances can be obtained the VPN information from aut...

Page 125: ...e order that they are configured If a matching user class is found and the bound address pool has assignable IP addresses the server assigns an IP address and other parameters from the address pool If...

Page 126: ...mation of the receiving interface To allocate different IP addresses to DHCP clients with the same MAC address Step Command Remarks 1 Enter system view system view N A 2 Enable allocation of different...

Page 127: ...a DHCP request that contains Option 82 the DHCP server adds Option 82 into the DHCP response If you disable the DHCP to handle Option 82 it does not add Option 82 into the response message You must en...

Page 128: ...packet from a client MAC address it creates a DHCP flood attack entry in check state If the number of DHCP packets from the same MAC address reaches the upper limit in the detection duration the serv...

Page 129: ...haddr field of a received DHCP request with the source MAC address in the frame header If they are the same the DHCP server verifies this request as legal and processes it If they are not the same the...

Page 130: ...e DHCP server to return DHCP NAK messages if the client notions of their IP addresses are incorrect After receiving the DHCP NAK message the DHCP client will request an IP address again Procedure To e...

Page 131: ...1048 By default the DHCP server directly copies the Vend field of such requests into the responses Setting the DSCP value for DHCP packets sent by the DHCP server The DSCP value of a packet specifies...

Page 132: ...immediately and runs auto backup 3 Optional Manually save the DHCP bindings to the backup file dhcp server database update now N A 4 Optional Set the waiting time after a DHCP binding change for the D...

Page 133: ...ature enables the route management module to advertise subnets assigned to DHCP clients This feature achieves symmetric routing for traffic of the same host As shown in Figure 31 Router A and Router B...

Page 134: ...etect By default client offline detection is disabled on the DHCP server Configuring SNMP notifications for the DHCP server Perform this task to configure the DHCP module to send SNMP notifications to...

Page 135: ...uration Guide As a best practice disable this feature if the log generation affects the device performance or reduces the address allocation efficiency For example this situation might occur when a la...

Page 136: ...n instance vpn instance name pool pool name Clear information about assigned IP addresses reset dhcp server ip in use ip ip address vpn instance vpn instance name pool pool name Clear DHCP server stat...

Page 137: ...1 2 RouterA dhcp pool 0 gateway list 10 1 1 126 RouterA dhcp pool 0 quit RouterA Verifying the configuration Verify that Router B can obtain IP address 10 1 1 5 and all other network parameters from...

Page 138: ...DHCP server on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 dhcp select server RouterA GigabitEthernet1 0 1 quit RouterA interfa...

Page 139: ...ned to the clients RouterA display dhcp server ip in use IP address Client identifier Lease expiration Type Hardware address 10 1 1 3 0031 3865 392e 6262 Jan 14 22 25 03 2015 Auto C 3363 2e30 3230 352...

Page 140: ...DHCP server on the interface GigabitEthernet1 0 1 RouterB interface gigabitethernet 1 0 1 RouterB GigabitEthernet1 0 1 dhcp select server RouterB GigabitEthernet1 0 1 quit Create DHCP user class tt a...

Page 141: ...address Client identifier Lease expiration Type Hardware address 10 10 1 2 0031 3865 392e 6262 Jan 14 22 25 03 2015 Auto C 3363 2e30 3230 352d 4745 302f 30 10 10 1 11 aabb aabb aab1 Jan 14 22 25 03 2...

Page 142: ...e clients RouterB display dhcp server ip in use IP address Client identifier Lease expiration Type Hardware address 10 1 1 2 aabb aabb ab01 Jan 14 22 25 03 2015 Auto C Example Configuring primary and...

Page 143: ...rA dhcp pool aa secondary quit RouterA dhcp pool aa quit Verifying the configuration Verify that the DHCP server assigns clients IP addresses and gateway address from the secondary subnet when no assi...

Page 144: ...erver Enable DHCP RouterA system view RouterA dhcp enable Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aa...

Page 145: ...Create an address pool specify the subnet 10 1 1 0 24 and configure the address lease duration as ten days Specify the gateway address and the DNS server address as 10 1 1 1 and 20 1 1 1 Configure Opt...

Page 146: ...subnet as 10 1 1 0 24 and the address lease duration as ten days Device dhcp pool 0 network 10 1 1 0 mask 255 255 255 0 Device dhcp pool 0 expired day 10 Specify the gateway address as 10 1 1 1 and th...

Page 147: ...dhcp server forbidden ip command on the DHCP server to exclude the IP address from dynamic allocation 3 Enable the network adapter or connect the network cable release the IP address and obtain anoth...

Page 148: ...ss of whether the relay agent exists For the interaction details see IP address allocation process The following only describes steps related to the DHCP relay agent 1 After receiving a DHCP DISCOVER...

Page 149: ...n 82 before forwarding the response to the client Table 7 Handling strategies of the DHCP relay agent If a DHCP request has Handling strategy The DHCP relay agent Option 82 Drop Drops the message Keep...

Page 150: ...guring forwarding DHCP replies based on Option 82 Enabling DHCP You must enable DHCP to validate other DHCP relay agent settings To enable DHCP Step Command Remarks 1 Enter system view system view N A...

Page 151: ...relay agent connects to clients of the same access type but classified into different types by their locations In this case the relay interface typically has no IP address configured You can use the...

Page 152: ...forwards the subsequent DHCP requests to a backup DHCP server If the backup DHCP server is not available the relay agent selects the next backup DHCP server and so on If no backup DHCP server is avai...

Page 153: ...selecting algorithm in DHCP address pool view Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Enable the DHCP relay age...

Page 154: ...running on synchronous asynchronous serial interfaces To enable the DHCP relay agent to record relay entries Step Command Remarks 1 Enter system view system view N A 2 Enable the relay agent to recor...

Page 155: ...es later the DHCP relay agent will create a flood attack entry and count the number of incoming DHCP packets for that client again Procedure To configure DHCP flood attack protection Step Command Rema...

Page 156: ...ntry To enable MAC address check Step Command Remarks 1 Enter system view system view N A 2 Set the aging time for MAC address check entries dhcp relay check mac address aging time time The default ag...

Page 157: ...nabled an interface operates in the DHCP server mode 5 Enable client offline detection dhcp client detect By default client offline detection is disabled on the DHCP relay agent Configuring the DHCP r...

Page 158: ...terface vlan interface format ascii hex By default the padding mode for Circuit ID sub option is normal and the padding format is hex The device name sysname must not include spaces if it is configure...

Page 159: ...ws you to specify the IP addresses to be encapsulated to the giaddr field of the DHCP requests If you do not specify any DHCP relay agent address the primary IP address of the DHCP relay interface is...

Page 160: ...r field in a common network Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Enable the DHCP relay agent dhcp select rela...

Page 161: ...ress on the same subnet as the specified IP address in the giaddr field As a result the client might not be on the same subnet as the DHCP relay interface the gateway To avoid this problem you must co...

Page 162: ...broadcast or unicast a response Configuring forwarding DHCP replies based on Option 82 Configure this feature if the DHCP relay agent is required to forward DHCP replies to DHCP clients based on Optio...

Page 163: ...padding mode to bas normal or verbose and specify the sub interface vlan keyword for this command 5 Configure the DHCP relay agent to forward DHCP replies based on Option 82 dhcp relay forward reply b...

Page 164: ...interfaces Details not shown Enable DHCP RouterA system view RouterA dhcp enable Enable the DHCP relay agent on GigabitEthernet 1 0 1 RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1...

Page 165: ...e Option 82 and perform Option 82 related configuration RouterA GigabitEthernet1 0 1 dhcp relay information enable RouterA GigabitEthernet1 0 1 dhcp relay information strategy replace RouterA GigabitE...

Page 166: ...thernet1 0 1 dhcp relay server address algorithm master backup Configure the DHCP relay agent to switch back to the master DHCP server 3 minutes after it switches to the backup DHCP server RouterA Gig...

Page 167: ...nt or server configuration To locate the problem enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information Check that D...

Page 168: ...s enabled with the DHCP client If the interface obtains an IP address on the same segment as another interface on the device the interface does not use the assigned address Instead it requests a new I...

Page 169: ...face generates the DHCP client ID based on its MAC address If the interface has no MAC address it uses the MAC address of the first Ethernet interface to generate its client ID Enabling duplicated add...

Page 170: ...tion The DHCP client s IP address resides on subnet 10 1 1 0 24 The DNS server address is 20 1 1 1 The next hop of the static route to subnet 20 1 1 0 24 is 10 1 1 2 The DHCP server uses Option 121 to...

Page 171: ...nterface gigabitethernet 1 0 1 RouterB GigabitEthernet1 0 1 ip address dhcp alloc RouterB GigabitEthernet1 0 1 quit Verifying the configuration Display the IP address and other network parameters assi...

Page 172: ...24 Static 70 0 10 1 1 2 GE1 0 1 10 1 1 255 32 Direct 0 0 10 1 1 3 GE1 0 1 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 1...

Page 173: ...ng entry includes the MAC and IP addresses of a client the port that connects to the DHCP client and the VLAN The following features need to use DHCP snooping entries ARP attack detection Uses DHCP sn...

Page 174: ...about Option 82 see Relay agent option Option 82 DHCP snooping uses the same strategies as the DHCP relay agent to handle Option 82 for DHCP request messages as shown in Table 8 If a response returned...

Page 175: ...authorized DHCP servers as trusted ports to make sure that DHCP clients can obtain valid IP addresses The trusted ports and the ports connected to DHCP clients must be in the same VLAN You can specify...

Page 176: ...gy is replace configure a padding mode and padding format for Option 82 If the handling strategy is keep or drop you do not need to configure any padding mode or padding format for Option 82 The setti...

Page 177: ...uto backup The auto backup feature saves DHCP snooping entries to a backup file and allows the DHCP snooping device to download the entries from the backup file at device reboot The entries on the DHC...

Page 178: ...s contain different sender MAC addresses use the mac address max mac count command to set the MAC learning limit on a Layer 2 port For more information about the command see Layer 2 LAN Switching Comm...

Page 179: ...terface interface type interface number N A 3 Enable DHCP REQUEST check dhcp snooping check request message By default DHCP REQUEST check is disabled Setting the maximum number of DHCP snooping entrie...

Page 180: ...d Display DHCP snooping entries display dhcp snooping binding ip ip address vlan vlan id verbose Display Option 82 configuration information on the DHCP snooping device display dhcp snooping informati...

Page 181: ...DHCP REQUEST messages Figure 47 Network diagram Procedure Enable DHCP snooping SwitchB system view SwitchB dhcp snooping enable Configure GigabitEthernet 1 0 1 as a trusted port SwitchB interface gig...

Page 182: ...a trusted port SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 dhcp snooping trust SwitchB GigabitEthernet1 0 1 quit Configure Option 82 on GigabitEthernet 1 0 2 SwitchB interface...

Page 183: ...167 Verifying the configuration Display Option 82 configuration information on GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 on the DHCP snooping device SwitchB display dhcp snooping information...

Page 184: ...s dynamically A BOOTP client dynamically obtains an IP address from a BOOTP server as follows 1 The BOOTP client broadcasts a BOOTP request which contains its own MAC address 2 Upon receiving the requ...

Page 185: ...wn in Figure 33 GigabitEthernet 1 0 1 of Router B connects to the LAN to obtain an IP address from the DHCP server by using BOOTP To make the BOOTP client obtain an IP address from the DHCP server per...

Page 186: ...ges Assignment involving four messages As shown in Figure 50 four message assignment operates using the following steps 1 The DHCPv6 client sends a Solicit message to request an IPv6 address prefix an...

Page 187: ...essage informing the client whether the lease is renewed Figure 52 Using the Rebind message for address prefix lease renewal As shown in Figure 52 If the DHCPv6 client does not receive a response from...

Page 188: ...equested configuration parameters 2 The DHCPv6 server returns to the client a Reply message containing the requested configuration parameters 3 The client checks the Reply message If the obtained conf...

Page 189: ...is used to identify the client The DHCPv6 snooping device adds Option 37 to the received DHCPv6 request message before forwarding it to the DHCPv6 server This option provides client information about...

Page 190: ...amic Host Configuration Protocol DHCP Service for IPv6 RFC 3315 Dynamic Host Configuration Protocol for IPv6 DHCPv6 RFC 2462 IPv6 Stateless Address Autoconfiguration RFC 3633 IPv6 Prefix Options for D...

Page 191: ...include the following types Temporary IPv6 addresses Frequently changed without lease renewal Non temporary IPv6 addresses Correctly used by DHCPv6 clients with lease renewal Figure 56 IPv6 address a...

Page 192: ...evice supports the hardware type of Ethernet with the value of 0x0001 Link layer address Takes the value of the bridge MAC address of the device IA Identified by an IAID an identity association IA pro...

Page 193: ...for a client 1 If there is an address pool where an IPv6 address is statically bound to the DUID or IAID of the client the DHCPv6 server selects this address pool It assigns the statically bound IPv6...

Page 194: ...a DHCPv6 policy for IPv6 address and prefix assignment Configuring the DHCPv6 server on an interface Optional Allocating different IPv6 addresses to DHCPv6 clients with the same MAC Optional Setting t...

Page 195: ...ixes in the prefix pool are excluded from dynamic assignment If the excluded IPv6 prefix is in a static binding the prefix still can be assigned to the client To exclude multiple IPv6 prefix ranges re...

Page 196: ...ed by the address range command If no non temporary address range is specified the server selects addresses on the subnet specified by the network command Temporary address assignment The server selec...

Page 197: ...range address range start ipv6 address end ipv6 address preferred lifetime preferred lifetime valid lifetime valid lifetime By default no non temporary IPv6 address range is specified and all unicast...

Page 198: ...erver ipv6 address By default no DNS server address is specified 5 Specify a domain name domain name domain name By default no domain name is specified 6 Specify an AFTR domain name aftr name aftr nam...

Page 199: ...ser classes in the order that they are configured If a match is found and the bound address pool has assignable IPv6 addresses or prefixes the server uses the address pool for assignment If the bound...

Page 200: ...to assign an IPv6 address prefix to a client Configure global address assignment on the interface The DHCPv6 server selects an IPv6 address prefix in the global DHCPv6 address pool that matches the s...

Page 201: ...e following methods to identify the DHCPv6 clients that have the same MAC address If a DHCPv6 snooping device or a DHCPv6 relay agent exist you must enable the DHCPv6 snooping device or the DHCPv6 rel...

Page 202: ...name filename url url username username password cipher simple string By default the DHCPv6 server does not back up the DHCPv6 bindings With this command executed the DHCPv6 server backs up its bindin...

Page 203: ...assigns IPv6 addresses in this address pool to clients in the VPN instance Addresses in this address pool will not be assigned to clients on the public network The DHCPv6 server can obtain the VPN ins...

Page 204: ...rver will create a flood attack entry and count the number of incoming DHCPv6 packets for that client again This feature is not applicable to a DHCPv6 server if a DHCPv6 relay agent exists in the netw...

Page 205: ...ter For information about the log destination and output rule configuration in the information center see Network Management and Monitoring Configuration Guide As a best practice disable this feature...

Page 206: ...vpn instance vpn instance name Clear information about expired IPv6 address bindings reset ipv6 dhcp server expired address ipv6 address vpn instance vpn instance name pool pool name Clear information...

Page 207: ...ix 2001 0410 32 with assigned prefix length 48 Router ipv6 dhcp prefix pool 1 prefix 2001 0410 32 assign len 48 Create address pool 1 Router ipv6 dhcp pool 1 In address pool 1 specify subnet 1 64 wher...

Page 208: ...on about address pool 1 Router GigabitEthernet1 0 1 display ipv6 dhcp pool 1 DHCPv6 pool 1 Network 1 64 Preferred lifetime 604800 valid lifetime 2592000 Prefix pool 1 Preferred lifetime 86400 valid li...

Page 209: ...0 0 2 96 The lease duration of the addresses on subnet 1 2 0 0 0 96 is 432000 seconds five days the valid time is 864000 seconds ten days the domain name is aabbcc com and the DNS server address is 1...

Page 210: ...rnet1 0 2 ipv6 dhcp select server RouterA GigabitEthernet1 0 2 quit Exclude the DNS server addresses from dynamic assignment RouterA ipv6 dhcp server forbidden address 1 1 0 0 2 RouterA ipv6 dhcp serv...

Page 211: ...a Solicit message containing the Rapid Commit option to the multicast address FF02 1 2 of all the DHCPv6 servers and relay agents After receiving the Solicit message the DHCPv6 relay agent encapsulate...

Page 212: ...an interface Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Enable DHCPv6 relay agent on the interface ipv6 dhcp selec...

Page 213: ...list command to specify the gateway addresses for clients matching the same DHCPv6 address pool Upon receiving a DHCPv6 Solicit or Request from a client that matches a DHCPv6 address pool the relay ag...

Page 214: ...y address on the relay agent for DHCPv6 clients The DHCPv6 relay agent uses the specified gateway address to fill the link address field of DHCPv6 Solicit and Request packets To specify a gateway addr...

Page 215: ...inding between a client s hardware address and IPv6 address or prefix Some security features such as IP source guard use DHCPv6 relay entries to check incoming packets and block packets that do not ma...

Page 216: ...es a DHCPv6 flood attack entry in check state If the number of DHCPv6 packets from the same MAC address reaches the upper limit in the detection duration the relay agent determines that the client is...

Page 217: ...id Display DHCPv6 relay entries that record clients IPv6 address information display ipv6 dhcp relay client information address interface interface type interface number ipv6 ipv6 address vpn instance...

Page 218: ...2 quit RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 ipv6 address 1 1 64 Disable RA message suppression on GigabitEthernet 1 0 1 RouterA GigabitEthernet1 0 1 undo ipv6 nd ra ha...

Page 219: ...y packet statistics on the DHCPv6 relay agent RouterA GigabitEthernet1 0 1 display ipv6 dhcp relay statistics Packets dropped 0 Packets received 14 Solicit 0 Request 0 Confirm 0 Renew 0 Rebind 0 Relea...

Page 220: ...HCPv6 snooping reads DHCP ACK messages received from trusted ports and DHCP REQUEST messages to create DHCPv6 snooping entries A DHCPv6 snooping entry includes the MAC and IP addresses of a client the...

Page 221: ...elines when you configure basic DHCPv6 snooping To make sure DHCPv6 clients can obtain valid IPv6 addresses specify the ports connected to authorized DHCPv6 servers as trusted ports The trusted ports...

Page 222: ...oping option remote id enable By default Option 37 is not supported 4 Optional Specify the content as the remote ID ipv6 dhcp snooping option remote id vlan vlan id string remote id By default the DHC...

Page 223: ...ified waiting period is reached All changed entries during the period will be saved to the backup file If no DHCPv6 snooping entry changes the backup file is not updated Setting the maximum number of...

Page 224: ...port Perform this task to configure a port as a DHCPv6 packet blocking port The DHCPv6 packet blocking port drops all incoming DHCP requests To configure a DHCPv6 packet blocking port Step Command Re...

Page 225: ...number slot slot number Clear DHCPv6 snooping entries reset ipv6 dhcp snooping binding all address ipv6 address vlan vlan id In standalone mode Clear DHCPv6 packet statistics for DHCPv6 snooping reset...

Page 226: ...Enable the recording of DHCPv6 snooping entries on GigabitEthernet 1 0 2 SwitchB interface gigabitethernet 1 0 2 SwitchB GigabitEthernet1 0 2 ipv6 dhcp snooping binding record SwitchB GigabitEthernet1...

Page 227: ...quiet time The quiet mechanism avoids repeated authentication during a short time User account policies MAC authentication supports the following user account policies One MAC based user account for...

Page 228: ...server for authentication VLAN assignment Authorization VLAN The device uses the authorization VLAN to control the access of a MAC authentication user to authorized network resources The device suppor...

Page 229: ...are server for downloading software and system patches A hybrid port is always assigned to a MAC authentication guest VLAN as an untagged member After the assignment do not reconfigure the port as a t...

Page 230: ...address of the user to the PVID of the access port ACL assignment You can specify an authorization ACL in the user account for a MAC authentication user to control the user s access to network resour...

Page 231: ...C authentication is exclusive with link aggregation group or service loopback group You cannot enable MAC authentication on a port already in a link aggregation group or a service loopback group You c...

Page 232: ...authentication By default MAC authentication is disabled globally 3 Enter interface view interface interface type interface number N A 4 Enable MAC authentication on the port mac authentication By de...

Page 233: ...address is in the hexadecimal notation without hyphens and letters are in lower case Configuring MAC authentication timers About MAC authentication timers MAC authentication uses the following timers...

Page 234: ...view N A 2 Enter Ethernet interface view interface interface type interface number N A 3 Enable MAC authentication offline detection mac authentication offline detect enable By default MAC authenticat...

Page 235: ...off and reauthenticates the user Configuring MAC authentication delay Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 En...

Page 236: ...4 Optional Set the authentication interval for users in the MAC authentication guest VLAN mac authentication guest vlan auth period period value The default setting is 30 seconds Configuring a MAC aut...

Page 237: ...one MAC authentication critical VLAN on a port Configuring the keep online feature By default the device logs off online MAC authentication users if no server is reachable for MAC reauthentication The...

Page 238: ...n of the user is valid The server will record the IP MAC combination of the user If the user IP address is changed at the next authentication the user cannot pass authentication Restrictions and guide...

Page 239: ...guest VLAN on a port reset mac authentication guest vlan interface interface type interface number mac address mac address MAC authentication configuration examples Example Configuring local MAC auth...

Page 240: ...in the hexadecimal notation with hyphens and letters are in lower case Device mac authentication user name format mac address with hyphen lowercase Enable MAC authentication globally Device mac authe...

Page 241: ...Ethernet 1 0 1 Configure the device to detect whether a user has gone offline every 180 seconds Configure the device to deny a user for 180 seconds if the user fails MAC authentication Configure all u...

Page 242: ...ication timer offline detect 180 Device mac authentication timer quiet 180 Specify username aaa and password 123456 in plain text for the account shared by MAC authentication users Device mac authenti...

Page 243: ...based user accounts for MAC authentication users Each MAC address is in the hexadecimal notation with hyphens and letters are in lower case Use an ACL to deny authenticated users to access the FTP ser...

Page 244: ...rnet 1 0 1 Device GigabitEthernet1 0 1 mac authentication Device GigabitEthernet1 0 1 quit Enable MAC authentication globally Device mac authentication 3 Configure the RADIUS servers Add a user accoun...

Page 245: ...users 1 MAC address Auth state 00e0 fc12 3456 Authenticated Verify that you cannot ping the FTP server from the host C ping 10 0 0 1 Pinging 10 0 0 1 with 32 bytes of data Request timed out Request t...

Page 246: ...Establishment phase the LCP negotiation is performed The LCP configuration options include Authentication Protocol Async Control Character Map ACCM Maximum Receive Unit MRU Magic Number Protocol Fiel...

Page 247: ...s the result calculated from the password and random packet ID by using the MD5 algorithm It is more secure than PAP The authenticator may or may not be configured with a username As a best practice c...

Page 248: ...s the server to assign the DNS server IP address to the host When the device is connected to an ISP access server configure the device as the client Then the device can obtain the DNS server IP addres...

Page 249: ...equired Configuring a VT interface Required Configuring PPP authentication Optional Configuring the polling feature Optional Enabling fast reply for keepalive packets Required Configuring PPP negotiat...

Page 250: ...ceeds If the response packet from the peer carries a recommended authentication mode the authenticator directly uses the authentication mode if it finds the mode configured Configuring PAP authenticat...

Page 251: ...ate the peer by using CHAP ppp authentication mode chap domain isp name default enable isp name By default PPP authentication is disabled 4 Configure a username for the CHAP authenticator ppp chap use...

Page 252: ...icator name is not configured To configure the authenticator Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Configure t...

Page 253: ...entication method for PPP users to none when MS CHAP V2 authentication is used Configuring MS CHAP or MS CHAP V2 authentication authenticator name is configured Step Command Remarks 1 Enter system vie...

Page 254: ...the polling feature The polling feature checks PPP link state On an interface that uses PPP encapsulation the link layer sends keepalives at keepalive intervals to detect the availability of the peer...

Page 255: ...match DNS server IP address negotiation ACCM negotiation ACFC negotiation PFC negotiation Configuring the PPP negotiation timeout time The device starts the PPP negotiation timeout timer after sending...

Page 256: ...ts requiring no authentication you can use either method 1 or method 2 When both method 1 and method 2 are configured the most recent configuration takes effect For clients requiring authentication yo...

Page 257: ...ter interface view interface interface type interface number N A 7 Configure the interface to assign an IP address from the configured PPP address pool to the peer remote address pool pool name By def...

Page 258: ...ble new IP address allocation ip pool pool name allocate new ip enable By default new IP address allocation is disabled 4 Optional Configure a gateway address for the PPP address pool ip pool pool nam...

Page 259: ...e AAA commands in User Access Command Reference 5 Return to system view quit N A 6 Enter interface view interface interface type interface number N A 7 Configure an IP address for the interface ip add...

Page 260: ...to accept the DNS server IP addresses assigned by the peer even though it does not request the peer for the DNS server IP addresses ppp ipcp dns admit any By default a device does not accept the DNS s...

Page 261: ...ep Command Remarks 1 Enter system view system view N A 2 Enable logging for PPP users ppp access user log enable successful login failed login normal logout abnormal logout By default logging is disab...

Page 262: ...tem view N A 2 Enable PPP user blocking ppp authentication chasten auth failure auth period blocking period By default PPP user blocking is disabled Configuring the NAS Port Type attribute The NAS Por...

Page 263: ...e suppress By default this feature is disabled Configuring the traffic accounting frequency mode for online PPP users The device supports the following frequency modes fast This mode can be configured...

Page 264: ...er In IRF mode Display PPP chasten statistics display ppp chasten user auth failed blocked username user name chassis chassis number slot slot number In standalone mode Display blocking information ab...

Page 265: ...um username user name user type lac lns pppoe vpn instance vpn name chassis chassis number slot slot number In standalone mode Clear offline reason statistics about PPP users reset ppp offline reason...

Page 266: ...s to access the private network LAC An L2TP access concentrator LAC is both PPP and L2TP capable It is usually a network access server NAS located at a local ISP which provides access services mainly...

Page 267: ...oint to point connection between an LAC and an LNS Multiple L2TP tunnels can be established between an LNS and an LAC An L2TP tunnel can carry one or more L2TP sessions Each L2TP session corresponds t...

Page 268: ...ing to the username or the ISP domain to which the user belongs 7 If tunnel authentication is needed the LAC and LNS send CHAP challenge messages to authenticate each other before successfully establi...

Page 269: ...er security because it is established between a remote system and the LNS The remote system must support L2TP and be able to communicate with the LNS This causes poor expandability As shown in Figure...

Page 270: ...unnel is similar to that for establishing a NAS initiated tunnel Details not shown Figure 81 Establishment process for LAC auto initiated tunnels L2TP features Flexible identity authentication mechani...

Page 271: ...unnel attributes Table 15 Tunnel attributes that can be issued by the RADIUS server Attribute number Attribute name Description 64 Tunnel Type Tunnel type which can only be L2TP 65 Tunnel Medium Type...

Page 272: ...nds the IP address of the CAMS IMC server to the iNode client The server IP address is permitted by the isolation ACLs 3 The CAMS IMC server authenticates the iNode client and performs security check...

Page 273: ...ish an L2TP tunnel The first and fifth tasks are required for NAS initiated mode and unnecessary for LAC auto initiated mode The last task is required for LAC auto initiated mode and unnecessary for N...

Page 274: ...view l2tp group group number mode lac lns By default no L2TP group exists Specify the mode as lac on the LAC side and as lns on the LNS side 4 Specify the local tunnel name tunnel name name Optional...

Page 275: ...as the source IP address of L2TP tunnel packets on the LAC If equal cost routing paths exist between the LAC and LNS you must use the IP address of a loopback interface as the source IP address of L2...

Page 276: ...authentication on an LAC You can configure AAA authentication an LAC to authenticate the remote dialup users and initiate a tunneling request only for qualified users A tunnel will not be established...

Page 277: ...number By default an LAC does not establish an L2TP tunnel An L2TP tunnel automatically established in LAC auto initiated mode exists until you remove the tunnel by using the undo l2tp auto client or...

Page 278: ...from an LAC and specify the VT interface to be used for tunnel setup If the L2TP group number is 1 allow l2tp virtual template virtual template number remote remote name If the L2TP group number is no...

Page 279: ...tp group group number mode lns N A 3 Configure mandatory CHAP authentication mandatory chap By default CHAP authentication is not performed on an LNS This command is effective only on NAS initiated L2...

Page 280: ...NS can process per second Step Command Remarks 1 Enter system view system view N A 2 Set the maximum number of ICRQ packets that the LNS can process per second l2tp icrq limit number By default the ma...

Page 281: ...system view system view N A 2 Enter L2TP group view l2tp group group number mode lac lns N A 3 Set the Hello interval tunnel timer hello hello interval The default setting is 60 seconds Setting the DS...

Page 282: ...AAA RADIUS L2TP firewalls and PPP are configured as required before you enable L2TP based EAD For more information about portal see Configuring portal authentication For more information about AAA and...

Page 283: ...and maintenance commands for L2TP Execute display commands in any view and reset commands in user view Task Command Display L2TP tunnel information display l2tp tunnel statistics Display L2TP session...

Page 284: ...it Enable the PPPoE server on GigabitEthernet 3 1 1 and bind the interface to Virtual Template 1 LAC interface gigabitethernet 3 1 1 LAC GigabitEthernet3 1 1 pppoe server bind virtual template 1 LAC G...

Page 285: ...l template 1 remote LAC Enable tunnel authentication and specify the tunnel authentication key as aabbcc LNS l2tp1 tunnel authentication LNS l2tp1 tunnel password simple aabbcc LNS l2tp1 quit 3 On the...

Page 286: ...for PPP users in ISP domain system LNS domain system LNS isp system authentication ppp local LNS isp system quit Enable L2TP LNS l2tp enable Create a PPP address pool LNS ip pool aaa 192 168 0 10 192...

Page 287: ...C address IP address IPv6 address IPv6 PDPrefix BAS0 vpdnuser 192 168 0 10 On the remote host initiate the L2TP connection After the connection is established verify that the remote host can obtain th...

Page 288: ...1 for receiving tunneling requests from an LAC LNS l2tp1 tunnel name LNS LNS l2tp1 allow l2tp virtual template 1 remote LAC Enable tunnel authentication and configure the authentication key as aabbcc...

Page 289: ...524 Established 1 3 3 3 1 1701 LAC On the LNS verify that you can ping 10 2 0 1 a private network address on the LAC side This indicates that hosts on 10 2 0 0 16 and those on 10 1 0 0 16 can communi...

Page 290: ...ice versa If no route is available configure a static route or a dynamic routing protocol 2 Increase the link bandwidth to enhance the link availability Internet backbone congestion and high packet lo...

Page 291: ...etworks For more information about PPPoE see RFC 2516 PPPoE network structure PPPoE uses the client server model The PPPoE client initiates a connection request to the PPPoE server After session negot...

Page 292: ...erfaces subinterfaces L3VE interfaces subinterfaces Restrictions and guidelines PPPoE configuration The device can only act as a PPPoE server Make sure the statistics polling interval is 300 seconds w...

Page 293: ...ticator 4 Return to system view quit N A 5 Enter interface view interface interface type interface number N A 6 Enable the PPPoE server on the interface and bind this interface to the specified VT int...

Page 294: ...PPoE sessions for a VLAN on an interface pppoe server session limit per vlan number By default the number of PPPoE sessions for a VLAN on an interface is not limited 5 Set the maximum number of PPPoE...

Page 295: ...tes To limit the PPPoE access rate Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number The PPPoE server is enabled on the interfac...

Page 296: ...ault format is a string of characters Enabling PPPoE users to come online despite the PPPoE NAT444 collaboration failure If a card that supports NAT444 collaboration fails the PPPoE NAT444 collaborati...

Page 297: ...te limit MPU model PADI packet receiving rate limit CSR07SRPUD3 500 Other MPUs 200 Configuring PPPoE user blocking About PPPoE user blocking You can use this feature to prevent multiple PPPoE users fr...

Page 298: ...end them to the information center Logs are generated when the following requirements are met The number of PPPoE sessions reaches the upper limit for an interface user VLAN or the system New users re...

Page 299: ...nterface type interface number In standalone mode Display packet statistics for PPPoE sessions display pppoe server session packet slot slot number interface interface type interface number In IRF mod...

Page 300: ...able IP addresses and configure a gateway address for the PPP address pool Router ip pool 1 1 1 1 2 1 1 1 10 Router ip pool 1 gateway 1 1 1 1 Enable the PPPoE server on GigabitEthernet 3 1 1 and bind...

Page 301: ...pool1 dns list 8 8 8 8 Exclude the IP address 1 1 1 1 from dynamic allocation in DHCP address pool pool1 Router dhcp pool pool1 forbidden ip 1 1 1 1 Router dhcp pool pool1 quit Create a PPPoE user Ro...

Page 302: ...the relay agent RouterA dhcp relay client information record Create DHCP relay address pool pool1 RouterA dhcp server ip pool pool1 Specify a gateway address for the clients in pool1 RouterA dhcp poo...

Page 303: ...hcp relay client information Total number of client information items 1 Total number of dynamic items 1 Total number of temporary items 0 IP address MAC address Type Interface VPN name 2 2 2 3 00e0 00...

Page 304: ...1 1 pppoe server bind virtual template 10 Router GigabitEthernet3 1 1 quit Create a DHCPv6 address pool named pool1 and specify DNS server IPv6 address 2 2 3 Router ipv6 dhcp pool pool1 Router dhcp6...

Page 305: ...autoconfig managed address flag Enable the DHCPv6 server feature Router Virtual Template10 ipv6 dhcp select server Router Virtual Template10 quit Enable the PPPoE sever on GigabitEthernet 3 1 1 and b...

Page 306: ...tem Configure an IPv6 address for Virtual Template 10 RouterB Virtual Template10 ipv6 address 2001 1 64 Enable Virtual Template 10 to advertise RA messages RouterB Virtual Template10 undo ipv6 nd ra h...

Page 307: ...n Router A can assign the prefix 4001 1 42 to the host who uses the prefix to generate an IPv6 global unicast address Example Configuring PPPoE server RADIUS based IP address assignment Network config...

Page 308: ...uthentication and use ISP domain dm1 as the authentication domain RouterA system view RouterA interface virtual template 1 RouterA Virtual Template1 ppp authentication mode chap domain dm1 RouterA Vir...

Page 309: ...ounting for users based on scheme rs1 RouterA isp dm1 authentication ppp radius scheme rs1 RouterA isp dm1 authorization ppp radius scheme rs1 RouterA isp dm1 accounting ppp radius scheme rs1 RouterA...

Page 310: ...ish information on the authentication page Supports multiple authentication modes For example re DHCP authentication implements a flexible address assignment scheme and saves public IP addresses Cross...

Page 311: ...r receives authentication requests from authentication clients and interacts with the access device to authenticate users The portal Web server is typically integrated with the portal authentication s...

Page 312: ...local portal Web service for the authentication client The authentication client can only be a Web browser and it cannot be a user host that runs a portal client Therefore extended portal functions a...

Page 313: ...r a user passes authentication the access device generates an ACL for the user based on the user s IP address to control forwarding of the packets from the user Because no Layer 3 forwarding device ex...

Page 314: ...the portal authentication server to notify authentication success or failure 7 The portal authentication server sends an authentication success or failure packet to the client 8 If the authentication...

Page 315: ...of portal filtering rules First category The rule permits user packets that are destined for the portal Web server and packets that match the portal free rules to pass through Second category For an a...

Page 316: ...rm normal portal authentication for the user If the user fails portal authentication an authentication failure message is returned to the user The whole process is finished If the user passes portal a...

Page 317: ...permit feature N A Optional Configuring portal detection features Configuring online detection of portal users Configuring portal authentication server detection Configuring portal Web server detectio...

Page 318: ...portal authentication server Configure this feature when user authentication uses a remote portal authentication server With portal authentication enabled the device searches for a portal authenticat...

Page 319: ...ortal Web server Step Command Remarks 1 Enter system view system view N A 2 Create a portal Web server and enter its view portal web server server name By default no portal Web servers exist You can c...

Page 320: ...em view N A 2 Create a portal Web server and enter its view portal web server server name By default no portal Web servers exist 3 Configure a match rule for URL redirection if match original url url...

Page 321: ...if file Logon htm includes contents that perform Get action on file ca htm file ca htm cannot include any reference to file Logon htm Post requests Used when users submit username and password pairs...

Page 322: ...53 44 ssid4 zip 2540 KB total 1319 KB free Redirecting authenticated users to a specific webpage To make the device automatically redirect authenticated users to a specific webpage do the following in...

Page 323: ...ort number By default the HTTP service listening port number is 80 and the HTTPS service listening port number is 443 Specifying a portal authentication domain About portal authentication domains An a...

Page 324: ...ributes such as ACL user profile and CAR After the users pass portal authentication they are assigned new attributes by the AAA server After the users go offline they are re assigned user attributes i...

Page 325: ...ser uses the following IP address If the client is configured to obtain an IP address automatically through DHCP the user obtains an address from the specified IP address pool If the client is configu...

Page 326: ...rface enabled with portal authentication to an aggregation group Otherwise portal authentication does not take effect As a best practice do not apply a QoS policy to an interface enabled with portal a...

Page 327: ...6 attribute use the portal bas ip bas ipv6 command An IPv6 portal server does not support re DHCP portal authentication Procedure To enable portal authentication on an interface Step Command Remarks 1...

Page 328: ...s for configuring a portal free rule When you configure a portal free rule follow these restrictions and guidelines If you specify both a VLAN and an interface the interface must belong to the VLAN If...

Page 329: ...tcp tcp port number udp udp port number interface interface type interface number By default no IPv6 based portal free rule exists Configuring a source based portal free rule Step Command Remarks 1 En...

Page 330: ...IPv4 portal authentication source subnet portal layer3 source ipv4 network address mask length mask By default no IPv4 portal authentication source subnet is configured and users from any subnets must...

Page 331: ...s temporarily when an active standby MPU switchover finishes and it resumes after user information synchronization completes between the global active MPU and service modules You can use the display d...

Page 332: ...y IPv6 addresses to access the IPv6 network and will fail portal authentication This configuration does not affect the online portal users Procedure To allow only users with DHCP assigned IP addresses...

Page 333: ...s within the failure detection period All authentication requests from the user are dropped by the device till the blocking times out The blocked portal user can perform portal authentication again wh...

Page 334: ...rtal authentication server or portal Web server is unreachable it allows users on the interface to have network access without portal authentication If you enable fail permit for both a portal authent...

Page 335: ...refreshed within the maximum number of detection attempts the device considers that the user is online and stops detecting the user s ARP or ND entry Then the device resets the idle timer and repeats...

Page 336: ...on feature takes effect only when the device has a portal enabled interface Only the IMC portal authentication server supports sending heartbeat packets To test server reachability by detecting heartb...

Page 337: ...n configure the device to take one or more of the following actions when the server reachability status changes Sending a trap message to the NMS The trap message contains the name and current state o...

Page 338: ...ent the portal user synchronization feature you also need to configure the user heartbeat function on the portal authentication server Make sure the user heartbeat interval configured on the portal au...

Page 339: ...A 2 Enter interface view interface interface type interface number N A 3 Configure the BAS IP attribute portal bas ip ipv4 address By default The BAS IP attribute of an IPv4 portal reply packet sent t...

Page 340: ...ace By default the device sends its device name in the NAS Identifier attribute of all RADIUS requests A NAS ID profile enables you to send different NAS Identifier attribute strings in RADIUS request...

Page 341: ...m view system view N A 2 Create a MAC binding server and enter its view portal mac trigger server server name By default no MAC binder servers exist 3 Specify the IP address of the MAC binding server...

Page 342: ...r interface view interface interface type interface number The interface must be a Layer 3 interface 3 Specify a MAC binding server on the interface portal apply mac trigger server server name By defa...

Page 343: ...nting processes Set a proper threshold to balance between service performance and traffic backup accuracy Procedure To set the user traffic backup threshold Step Command Remarks 1 Enter system view sy...

Page 344: ...cation but is directly redirected to the specified URL on the first Web access attempt in a browser After the specified redirect interval the user is redirected from the visiting website to the specif...

Page 345: ...tack defense display portal http defense monitored ip slot slot number In IRF mode Display statistics for monitored destination IP addresses in portal HTTP attack defense display portal http defense m...

Page 346: ...web redirect rule interface interface type interface number chassis chassis number slot slot number Portal configuration examples Example Configuring direct portal authentication Network configuration...

Page 347: ...example uses the default values d Click OK Figure 100 Portal authentication server configuration 2 Configure the IP address group a Select Access Service Portal Service Management IP Group from the na...

Page 348: ...cation This example uses direct portal authentication and therefore select No from the Reallocate IP list g Set whether to support the portal server heartbeat and user heartbeat functions In this exam...

Page 349: ...alidate the configurations Configuring the portal authentication server on IMC PLAT 5 0 In this example the portal server runs on IMC PLAT 5 0 E0101 and IMC UAM 5 0 E0101 1 Configure the portal authen...

Page 350: ...group configuration page b Click Add to open the page as shown in Figure 106 c Enter the IP group name d Enter the start IP address and end IP address of the IP group Make sure the host IP address is...

Page 351: ...st g Select whether to support server heartbeat and user heartbeat functions In this example select No for both Support Server Heartbeat and Support User Heartbeat h Click OK Figure 107 Adding a porta...

Page 352: ...counting simple radius Exclude the ISP domain name from the username sent to the RADIUS server Router radius rs1 user name format without domain Router radius rs1 quit Enable RADIUS session control Ro...

Page 353: ...hernet 1 0 2 to the portal authentication server Router GigabitEthernet1 0 2 portal bas ip 2 2 2 1 Router GigabitEthernet1 0 2 quit Verifying the configuration Verify that the portal configuration has...

Page 354: ...e following command to display information about the portal user Router display portal user interface gigabitethernet 1 0 2 Total portal users 1 Username abc Portal server newpt State Online VPN insta...

Page 355: ...portal server is the public IP address 20 20 20 1 of the router s interface connecting the host The private IP address range for the IP address group associated with the portal device is the private...

Page 356: ...t1 0 2 dhcp relay server address 192 168 0 112 Enable authorized ARP Router GigabitEthernet1 0 2 arp authorized enable Router GigabitEthernet1 0 2 quit 4 Configure portal authentication Configure a po...

Page 357: ...method Disabled Portal web server Not configured Authentication domain Not configured Pre auth policy Not configured User dhcp only Disabled Pre auth IP pool Not configured Max Portal users Not confi...

Page 358: ...rtal Web server A RADIUS server acts as the authentication accounting server Configure Router A for cross subnet portal authentication Before passing the authentication the host can access only the po...

Page 359: ...us scheme rs1 RouterA isp dm1 accounting portal radius scheme rs1 RouterA isp dm1 quit Configure domain dm1 as the default ISP domain If a user enters the username without the ISP domain name at login...

Page 360: ...ed Pre auth policy Not configured User dhcp only Disabled Pre auth IP pool Not configured Max Portal users Not configured Bas ip 20 20 20 1 User detection Not configured Action for server detection Se...

Page 361: ...IP VLAN Interface 0015 e9a6 7cfe 8 8 8 2 GigabitEthernet1 0 2 Authorization information DHCP IP pool N A User profile N A Session group profile N A ACL N A Inbound CAR N A Outbound CAR N A Inbound pri...

Page 362: ...s rs1 user name format without domain Enable RADIUS session control Router radius session control enable Specify a session control client with IP address 192 168 0 113 and shared key 12345 in plain te...

Page 363: ...vr newpt url http 192 168 0 111 8080 portal Router portal websvr newpt quit Enable direct portal authentication on GigabitEthernet 1 0 2 Router interface gigabitethernet 1 0 2 Router GigabitEthernet1...

Page 364: ...Destination authenticate subnet IP address Prefix length Before passing portal authentication a user that uses the H3C iNode client can access only the authentication page http 192 168 0 111 8080 por...

Page 365: ...accepts security check If the host fails the security check it can access only subnet 192 168 0 0 24 After passing the security check the host can access other network resources Figure 113 Network dia...

Page 366: ...ify a session control client with IP address 192 168 0 114 and shared key 12345 in plain text Router radius session control client ip 192 168 0 114 key simple 12345 2 Configure an authentication domai...

Page 367: ...outer portal websvr newpt quit Enable re DHCP portal authentication on GigabitEthernet 1 0 2 Router interface gigabitethernet 1 0 2 Router GigabitEthernet1 0 2 portal enable method redhcp Reference th...

Page 368: ...x length Before passing portal authentication a user that uses the H3C iNode client can access only the authentication page http 192 168 0 111 8080 portal All Web requests from the user will be redire...

Page 369: ...check the host can access other network resources Figure 114 Network diagram Configuration prerequisites and guidelines Configure IP addresses for the router and servers as shown in Figure 114 and ma...

Page 370: ...1 as the default ISP domain If a user enters the username without the ISP domain name at login the authentication and accounting methods of the default domain are used for the user RouterA domain defa...

Page 371: ...itEthernet 1 0 2 NAS ID profile Not configured Authorization Strict checking ACL Disabled User profile Disabled IPv4 Portal status Enabled Portal authentication method Layer3 Portal web server newpt A...

Page 372: ...r newpt State Online VPN instance N A MAC IP VLAN Interface 0015 e9a6 7cfe 8 8 8 2 GigabitEthernet1 0 2 Authorization information DHCP IP pool N A User profile N A Session group profile N A ACL 3001 I...

Page 373: ...e portal authentication server a Log in to IMC and click the Service tab b Select Access Service Portal Service Management Server from the navigation tree to open the portal server configuration page...

Page 374: ...ice configuration page b Click Add to open the page as shown in Figure 118 c Enter the device name NAS d Enter the IP address of the router s interface connected to the host e Enter the key which must...

Page 375: ...values for other parameters f Click OK 5 Select Access Service Service Parameters Validate System Configuration from the navigation tree to validate the configurations Configuring the portal authentic...

Page 376: ...address group configuration page b Click Add to open the page as shown in Figure 122 c Enter the IP group name d Enter the start IP address and end IP address of the IP group Make sure the host IP add...

Page 377: ...st g Select whether to support server heartbeat and user heartbeat functions In this example select Yes for both Support Server Heartbeat and Support User Heartbeat h Click OK Figure 123 Adding a port...

Page 378: ...counting simple radius Exclude the ISP domain name from the username sent to the RADIUS server Router radius rs1 user name format without domain Router radius rs1 quit Enable RADIUS session control Ro...

Page 379: ...thentication on GigabitEthernet 1 0 2 Router interface gigabitethernet 1 0 2 Router GigabitEthernet1 0 2 portal enable method direct Enable portal fail permit for the portal authentication server newp...

Page 380: ...on the user side PE For information about MPLS L3VPN configurations see MPLS Configuration Guide Configure the RADIUS server correctly to provide authentication and accounting functions Procedure Per...

Page 381: ...l server newpt RouterA portal server newpt ip 192 168 0 111 vpn instance vpn3 key simple portal RouterA portal server newpt port 50100 RouterA portal server newpt quit Configure a portal Web server Ro...

Page 382: ...re direct portal authentication so the host can access only subnet 192 168 0 0 24 before passing the authentication and access other network resources after passing the authentication Figure 127 Netwo...

Page 383: ...authentication Configure a portal authentication server Router portal server newpt Router portal server newpt ip 192 168 0 111 key simple portal Router portal server newpt port 50100 Router portal ser...

Page 384: ...he authentication the host gets a public IP address and can access other network resources Figure 128 Network diagram Configuration prerequisites and guidelines Configure IP addresses for the router a...

Page 385: ...3010 Router pre auth abc quit In ACL 3010 configure a rule to permit access to the subnet 192 168 0 0 24 Router acl advanced 3010 Router acl ipv4 adv 3010 rule 1 permit ip destination 192 168 0 0 24...

Page 386: ...e auth interface gigabitethernet 1 0 2 MAC IP VLAN Interface 0015 e9a6 7cfe 10 10 10 4 GigabitEthernet1 0 2 State Online VPN instance N A DHCP IP pool N A User profile N A Session group profile N A AC...

Page 387: ...gure an authentication domain Create an ISP domain named dm1 and enter its view Router domain dm1 Configure AAA methods for the ISP domain Router isp dm1 authentication portal radius scheme rs1 Router...

Page 388: ...rization Strict checking ACL Disabled User profile Disabled IPv4 Portal status Enabled Portal authentication method Direct Portal web server newpt Authentication domain Not configured Pre auth policy...

Page 389: ...State Online VPN instance N A MAC IP VLAN Interface 0015 e9a6 7cfe 2 2 2 2 GigabitEthernet1 0 2 Authorization information IP pool N A User profile N A Session group profile N A ACL N A Inbound CAR N...

Page 390: ...n this example the portal server runs on IMC PLAT 7 1 E0303 IMC EIA 7 1 F0303 and IMC EIP 7 1 F0303 1 Configure the portal authentication server a Log in to IMC and click the User tab b Select User Ac...

Page 391: ...list g Click OK Figure 132 Adding an IP address group 3 Add a portal device a Select User Access Policy Portal Service Device from the navigation tree to open the portal device configuration page b Cl...

Page 392: ...o open the port group configuration page b Click Add to open the page as shown in Figure 135 c Enter the port group name d Select the configured IP address group The IP address used by the user to acc...

Page 393: ...he MAC binding server runs on IMC PLAT 7 1 E0303 IMC EIA 7 1 F0303 and IMC EIP 7 1 F0303 1 Add an access policy a Select User Access Policy Access Policy from the navigation tree to open the access po...

Page 394: ...ree to open the access user page b Click Add to open the page as shown in Figure 138 c Select an access user d Set the password e Select a value from the Max Transparent Portal Bindings list f Click O...

Page 395: ...1 Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers Router radius rs1 primary authentication 192 168 0 112 Router radius...

Page 396: ...n GigabitEthernet 1 0 2 Router GigabitEthernet1 0 2 portal apply web server newpt Configure the BAS IP as 2 2 2 1 for portal packets sent from GigabitEthernet 1 0 2 to the portal authentication server...

Page 397: ...interface gigabitethernet 1 0 2 Total portal users 1 Username Client1 Portal server newpt State Online VPN instance N A MAC IP VLAN Interface 0015 e9a6 7cfe 2 2 2 2 GigabitEthernet1 0 2 Authorization...

Page 398: ...vice uses the source port in the logout request as the destination port in the logout ACK message As a result the portal authentication server can definitely receive the logout ACK message and log out...

Page 399: ...The device performs re DHCP portal authentication for users A user enters the correct username and password and the client successfully obtains the private and public IP addresses However the authent...

Page 400: ...rough Layer 2 devices The BRAS uses MAC addresses to identify the hosts Layer 3 access mode Hosts use routing to access the BRAS The hosts connect to the BRAS directly or through Layer 3 devices When...

Page 401: ...mic IPoE sessions The BRAS disconnects a dynamic IPoE session in one of the following cases The AAA authorized service expires The AAA server logs out the user The user traffic is less than the author...

Page 402: ...Bind authentication Authenticates users by the usernames and passwords that the BRAS automatically generates based on user location information Web authentication Authenticates users by the usernames...

Page 403: ...ilure and discards the DHCP DISCOVER message 6 The DHCP server sends a DHCP OFFER message to the BRAS 7 The BRAS forwards the DHCP OFFER message to the DHCP client 8 The DHCP client sends a DHCP REQUE...

Page 404: ...r information such as the source MAC address 3 The AAA server returns an access accept that contains authorization information to the BRAS if the authentication succeeds If the authentication fails th...

Page 405: ...e 5 The BRAS assigns a user profile and marks the IPoE session state as online 6 The BRAS sends the AAA server a message to start the service accounting Access procedure for static and leased users Th...

Page 406: ...3 aggregate interfaces subinterfaces Layer 3 Ethernet interfaces subinterfaces L3VE interfaces subinterfaces Restrictions and guidelines IPoE configuration IPoE and IP source guard are mutually exclu...

Page 407: ...ation about how to configure a local user account see Configuring AAA Make sure the hosts BRAS and servers can reach each other Enabling IPoE and setting the IPoE access mode You must enable IPoE for...

Page 408: ...e the IPoE NAT collaboration failure Enabling dynamic individual users Dynamic individual users include the unclassified IP user IPv6 ND RS user and DHCP user After IPoE is enabled on an interface the...

Page 409: ...e By default no dynamic individual users are enabled Configuring authentication user naming conventions for dynamic individual users Usernames configured for dynamic individual users must be the same...

Page 410: ...ator vlan separator separator Configure an authentication user naming convention for unclassified IP users ip subscriber unclassified ip username include nas port id separator separator port separator...

Page 411: ...riber ndrs username include nas port id separator separator port separator separator second vlan separator separator slot separator separator source mac address separator address separator separator s...

Page 412: ...ring as the password for DHCP users Specify a string from DHCPv4 packet information as the password for IPv4 dynamic individual users ip subscriber dhcp password circuit id mac option60 offset offset...

Page 413: ...er dhcp unclassified ip domain domain name Configure an ISP domain for IPv6 dynamic individual users ipv6 subscriber dhcp ndrs unclassified ip domain domain name By default dynamic individual users us...

Page 414: ...tion Circuit ID DHCPv6 Option 18 DSL_AGENT_REMOTE_ID DHCPv4 Option 82 Suboption Remote ID DHCPv6 Option 37 If the BRAS trusts DHCPv4 Option 60 and DHCPv6 Option 16 or Option 17 IPoE can use the ISP do...

Page 415: ...gured Configuring trusted source IP addresses for unclassified IP users If the unclassified IP user is enabled and portal authentication is configured IPoE authentication is available only for unclass...

Page 416: ...al users Static individual user configuration tasks at a glance Tasks at a glance Required Enabling static individual users Required Perform one of the following tasks at minimum Configuring static IP...

Page 417: ...sion for the user On one interface a maximum of one static IPoE session can be configured for one IP address Per interface static IPoE sessions take precedence over global static IPoE sessions To conf...

Page 418: ...nterface interface type interface number vlan vlan id second vlan vlan id request online Configure a global static IPv6 IPoE session ipv6 subscriber session static ipv6 start ipv6 address end ipv6 add...

Page 419: ...or Configure an authentication user naming convention for IPv6 static individual users ipv6 subscriber unclassified ip username include nas port id separator separator port separator separator second...

Page 420: ...fic ISP domains For more information about how to configure the default system domain see Configuring AAA To configure an interface specific ISP domain for static individual users Step Command Remarks...

Page 421: ...ce leased username name password ciphertext plaintext string domain domain name Configure an IPv6 interface leased user ipv6 subscriber interface leased username name password ciphertext plaintext str...

Page 422: ...d user Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Configure an L2VPN leased user ip subscriber l2vpn leased usernam...

Page 423: ...e a service identifier ip subscriber service identify 8021p second vlan vlan dscp second vlan vlan By default no service identifier is configured for DHCPv4 users IPv4 unclassified IP users static ind...

Page 424: ...ts when number of consecutive authentication failures of a user reaches the limit in the specified period During the quiet timer period packets from the user are discarded After the quiet timer expire...

Page 425: ...r IPv6 dynamic individual users ipv6 subscriber user detect icmpv6 nd retry retries interval interval By default The BRAS uses the ARP request packet and ND NS request packet to detect IPv4 and IPv6 d...

Page 426: ...rsion2 0 Configure the NAS Port ID format for IPv6 users ipv6 subscriber nas port id format cn telecom version1 0 version2 0 The default format is version1 0 4 Optional Configure trusted DHCP options...

Page 427: ...traffic By default the traffic statistics update timer for IPoE sessions is 180000 milliseconds Enabling logging for IPoE users The IPoE logging feature enables the device to generate IPoE logs and s...

Page 428: ...c mac address user type dhcp unclassified ip static verbose chassis chassis number slot slot number For IPv6 individual users display ipv6 subscriber chasten user interface interface type interface nu...

Page 429: ...r slot slot number For IPv6 interface leased users display ipv6 subscriber interface leased interface interface type interface number chassis chassis number slot slot number In standalone mode Display...

Page 430: ...subnet leased user interface interface type interface number ipv6 ipv6 address prefix length ipv6 address chassis chassis number slot slot number verbose In standalone mode Display IPoE session inform...

Page 431: ...slot slot number In IRF mode Display IPoE session statistics for subnet leased users For IPv4 subnet leased users display ip subscriber subnet leased statistics interface interface type interface num...

Page 432: ...ress mask length ip address For IPv6 subnet leased users reset ipv6 subscriber subnet leased user interface interface type interface number ipv6 ipv6 address prefix length ipv6 address Delete dynamic...

Page 433: ...ation and accounting Device radius rs1 primary authentication 4 4 4 1 Device radius rs1 primary accounting 4 4 4 1 Device radius rs1 key authentication simple radius Device radius rs1 key accounting s...

Page 434: ...0c 29a6 b656 U Online Example Configuring a DHCP user Network configuration As shown in Figure 146 the host accesses the BRAS as a DHCP user It obtains configuration information from the DHCP server T...

Page 435: ...ISP domain This example assumes that the DHCP packets do not contain option 60 Create an ISP domain named dm1 and enter its view Device domain dm1 Configure dm1 to use RADIUS scheme rs1 Device isp dm...

Page 436: ...e client 4 4 4 2 32 ipaddr 4 4 4 2 netmask 32 secret radius Add the username password and authorized IPv6 prefix to the users user information file The username is the host MAC address the password is...

Page 437: ...ted enable Enable the IPv6 ND RS user Device GigabitEthernet3 1 2 ipv6 subscriber initiator ndrs enable Specify dm1 as the ISP domain Device GigabitEthernet3 1 2 ipv6 subscriber ndrs domain dm1 Config...

Page 438: ...ame from the username sent to the RADIUS server Device radius rs1 user name format without domain Device radius rs1 quit c Configure the ISP domain Create an ISP domain named dm1 and enter its view De...

Page 439: ...en ip 3 3 3 2 Device dhcp pool test quit Verifying the configuration Display IPoE session information to verify that the host has come online Device display ip subscriber session Type D DHCP S Static...

Page 440: ...med dm1 and enter its view Device domain dm1 Configure dm1 to use RADIUS scheme rs1 Device isp dm1 authentication ipoe radius scheme rs1 Device isp dm1 authorization ipoe radius scheme rs1 Device isp...

Page 441: ...il action Online Acct quota out action Offline Max multicast addresses 4 Multicast address list N A QoS User profile N A Session group profile N A User group acl N A Inbound CAR N A Outbound CAR N A I...

Page 442: ...group acl N A Inbound CAR N A Outbound CAR N A Inbound user priority N A Outbound user priority N A Flow statistic Uplink packets bytes 223423 28598144 Downlink packets bytes 5802626 742736000 Basic A...

Page 443: ...626 742736000 Example Configuring an interface leased user Network configuration As shown in Figure 150 three hosts access the BRAS as one interface leased user The BRAS performs AAA for the hosts thr...

Page 444: ...IUS scheme rs1 Device isp dm1 authentication ipoe radius scheme rs1 Device isp dm1 authorization ipoe radius scheme rs1 Device isp dm1 accounting ipoe radius scheme rs1 Device isp dm1 quit d Configure...

Page 445: ...y N A Flow statistic Uplink packets bytes 16734145 2141970560 Downlink packets bytes 22314327 2856233728 Example Configuring an L2VPN leased user Network configuration As shown in Figure 150 an L2VPN...

Page 446: ...et 3 1 2 the interface connected to PE 1 and enable LDP on the interface PE2 interface gigabitethernet 3 1 2 PE2 GigabitEthernet3 1 2 ip address 20 1 1 2 24 PE2 GigabitEthernet3 1 2 mpls enable PE2 Gi...

Page 447: ...pf 1 area 0 0 0 0 network 20 1 1 0 0 0 0 255 PE1 ospf 1 area 0 0 0 0 network 1 1 1 9 0 0 0 0 PE1 ospf 1 area 0 0 0 0 quit PE1 ospf 1 quit Create a VSI and configure the peer PE PE1 vsi svc PE1 vsi svc...

Page 448: ...r 3 access mode on GigabitEthernet 3 1 1 PE1 interface gigabitethernet 3 1 1 PE1 GigabitEthernet3 1 1 ip subscriber routed enable Configure the L2VPN leased user and specify the username password and...

Page 449: ...ation As shown in Figure 152 the host in a VPN accesses the BRAS as a DHCP user The BRAS performs AAA for the host through the RADIUS server Figure 152 Network diagram Procedure 1 Configure the RADIUS...

Page 450: ...d accounting Device radius rs1 primary authentication 4 4 4 1 Device radius rs1 primary accounting 4 4 4 1 Device radius rs1 key authentication simple radius Device radius rs1 key accounting simple ra...

Page 451: ...et3 1 2 proxy arp enable Device GigabitEthernet3 1 2 quit g Configure a static route to direct the DHCP request from vpn1 to the DHCP server Device ip route static vpn instance vpn1 4 4 4 0 24 4 4 4 3...

Page 452: ...e Acct update fail action Online Acct quota out action Offline Max multicast addresses 4 Multicast address list N A Accounting start time Sep 14 18 09 28 2014 QoS User profile N A Session group profil...

Page 453: ...a RADIUS scheme Create a RADIUS scheme named rs1 and enter its view Device system view Device radius scheme rs1 Configure primary servers and keys for authentication and accounting Device radius rs1 p...

Page 454: ...ry 2 interval 30 Device GigabitEthernet3 1 2 quit Verifying the configuration Use the display ip subscriber session command to verify that the BRAS deletes the IPoE session after the user goes offline...

Page 455: ...ain creation 54 ISP domain creation restrictions 54 ISP domain display 64 ISP domain idle timeout period include in user online duration 57 ISP domain method 54 ISP domain user address type 57 ISP dom...

Page 456: ...et portal authentication configuration 342 direct portal authentication configuration 330 direct portal authentication configuration local portal Web service 370 extended cross subnet portal authentic...

Page 457: ...addresses allocation to clients with same MAC 185 DHCPv6 dynamic address allocation 177 DHCPv6 dynamic prefix allocation 177 DHCPv6 IPv6 address prefix allocation sequence 177 DHCPv6 static address al...

Page 458: ...online detection configuration 436 IPoE static user configuration ARP based 421 IPoE subnet leased user configuration 423 IPoE unclassified IP user configuration 416 IPoE VPN DHCP user configuration 4...

Page 459: ...16 IPoE VPN DHCP user configuration 433 broadcast DHCP relay agent broadcast response 146 DHCP server broadcast response 113 buffering AAA HWTACACS stop accounting packet buffering 46 AAA RADIUS stop...

Page 460: ...user attributes 17 AAA RADIUS 23 AAA RADIUS accounting on 34 AAA RADIUS attribute 31 MAC address format 35 AAA RADIUS attribute 87 format 36 AAA RADIUS attribute translation 37 AAA RADIUS attribute t...

Page 461: ...ortal authentication local portal Web service 370 direct portal authentication preauthentication policy 366 extended cross subnet portal authentication 353 extended direct portal authentication 345 ex...

Page 462: ...356 portal authentication source subnet 313 portal authentication user online detection 319 portal authentication user online detection IPv4 319 portal authentication user online detection IPv6 319 p...

Page 463: ...304 304 304 D DAE AAA RADIUS attribute translation DAS 38 AAA RADIUS DAS 39 data L2TP AVP data transfer in hidden mode 260 L2TP data message type 250 delaying MAC authentication delay 219 destination...

Page 464: ...30 direct portal authentication configuration local portal Web service 370 direct portal authentication preauthentication policy configuration 366 extended cross subnet portal authentication configura...

Page 465: ...91 Option 53 Option 053 91 Option 55 Option 055 91 Option 6 Option 006 91 Option 60 encapsulation Option 060 encapsulation 111 Option 60 Option 060 91 Option 66 Option 066 91 Option 67 Option 067 91...

Page 466: ...oting IPoE client authentication failure 438 troubleshooting portal authentication users cannot log in re DHCP 383 user class creation 98 user class whitelist configuration 107 voice client Option 184...

Page 467: ...b redirect 328 directory AAA LDAP directory service 8 disabling DHCP Option 60 encapsulation 111 displaying AAA HWTACACS 48 AAA ISP domain 64 AAA LDAP 53 AAA local bill cache 66 AAA local users user g...

Page 468: ...t duplicated address detection 153 DHCP different IP addresses allocation to clients with the same MAC 110 DHCP Option 82 handling 111 DHCP random IP address allocation 110 DHCP relay agent 134 DHCP r...

Page 469: ...IPoE IPv6 ND RS user configuration 420 IPoE L2VPN leased user configuration 429 IPoE online detection configuration 436 IPoE static user configuration ARP based 421 IPoE subnet leased user configurati...

Page 470: ...ng ISP domain 67 AAA NAS ID profile configuration 66 DHCPv6 relay agent Interface ID option padding mode 199 L2TP LTS TSA ID setting 265 identity association See IA association ID See IAID ignoring DH...

Page 471: ...DHCPv6 client subnet advertisement 186 DHCPv6 different IPv6 addresses allocation to clients with same MAC 185 DHCPv6 overview 170 DHCPv6 server configuration 172 175 190 DHCPv6 server configuration o...

Page 472: ...DHCP relay agent Option 82 configuration 141 149 DHCP relay agent Option 82 support 133 DHCP relay agent relay entry recording 138 DHCP relay agent security features 138 DHCP relay agent server 135 DH...

Page 473: ...183 DHCPv6 server IPv6 prefix assignment 178 DHCPv6 server logging 189 DHCPv6 server maintain 189 DHCPv6 server security features 188 DHCPv6 snooping basics 205 DHCPv6 snooping configuration 204 209...

Page 474: ...server interface 311 PPP IPCP negotiation 231 PPPoE NAT444 collaboration failure user enable 280 IPv6 DHCPv6 See DHCPv6 IPoE IPv6 ND RS user configuration 420 IPoE IPv6 ND RS users access procedure 38...

Page 475: ...g mode NAS initiated 251 LAC L2TP automatic tunnel establishment 260 L2TP LAC AAA authentication 260 L2TP LAC configuration 258 L2TP LAC tunnel exclusive use 259 L2TP LAC tunnel request initiation 258...

Page 476: ...ing method 11 AAA local authentication 11 AAA local authentication configuration 14 AAA local authorization method 11 AAA local user 15 AAA SSH user authentication authorization 71 local portal Web se...

Page 477: ...ing AAA local guests 21 manual AAA local bill cache 65 matching PPP IPCP IP segment match enable 243 MCE relay agent support 133 message DHCP format 90 DHCP REQUEST message attack protection 162 DHCPv...

Page 478: ...7 AAA network access user 15 AAA RADIUS configuration 23 AAA RADIUS implementation 2 AAA RADIUS server SSH user authentication authorization 68 allowing only DHCP users to pass portal authorization 31...

Page 479: ...206 DHCPv6 snooping entry max 207 DHCPv6 snooping Option 18 support 206 DHCPv6 snooping Option 37 support 206 DHCPv6 snooping packet blocking port 208 DHCPv6 REQUEST check 207 direct portal authentic...

Page 480: ...erver 302 portal authentication server detection 320 portal authentication source subnet 313 portal authentication system 294 portal authentication system component interaction 295 portal authenticati...

Page 481: ...le 218 online IPoE online detection configuration 436 IPoE user online detection 408 MAC authentication keep online 221 portal authentication user online detection 319 option DHCP field 91 DHCP option...

Page 482: ...MAC authentication user account policies 211 portal authentication extended functions 294 portal authentication policy server 295 portal preauthentication policy 308 polling PPP polling 238 pool DHCP...

Page 483: ...des 296 NAS Port Id attribute format 324 online user logout 327 packet filtering rules 299 page customization 304 page file compression saving rules 306 page request rules 305 policy configuration 308...

Page 484: ...access rate limit 278 configuration 275 283 configuration restrictions 276 display 282 logging enable 282 maintain 282 NAT444 collaboration failure user enable 280 network structure 275 network struct...

Page 485: ...ocal user 15 configuring AAA NAS ID 66 configuring AAA network access user attributes 17 configuring AAA RADIUS 23 configuring AAA RADIUS accounting on 34 configuring AAA RADIUS attribute 31 MAC addre...

Page 486: ...server IPv6 prefix assignment 178 configuring DHCPv6 server network parameters address pool 182 configuring DHCPv6 server network parameters option group 182 configuring DHCPv6 server network paramet...

Page 487: ...cation 266 configuring L2TP LNS LAC tunneling request acceptance 262 configuring L2TP LNS LCP renegotiation 263 configuring L2TP LNS mandatory CHAP authentication 263 configuring L2TP LNS user authent...

Page 488: ...g PPPoE server IP address assignment local DHCP server 284 configuring PPPoE server IP address assignment RADIUS based 291 configuring PPPoE server IP address assignment remote DHCP server 285 configu...

Page 489: ...tification 199 enabling DHCPv6 relay agent on interface 196 enabling DHCPv6 relay agent to record relay entries 199 enabling DHCPv6 server flood attack protection 188 enabling DHCPv6 server logging 18...

Page 490: ...ax 218 setting PADI packets max 281 setting portal authentication users max 314 setting portal authentication users max global 314 setting portal authentication users max interface 315 setting PPPoE s...

Page 491: ...IUS authentication failure 79 troubleshooting AAA RADIUS packet delivery failure 80 troubleshooting DHCP address conflict 130 troubleshooting L2TP data transmission failure 274 troubleshooting L2TP re...

Page 492: ...rocessing RADIUS authentication requests 40 protocols and standards 13 real time accounting attempts max 28 Remanent_Volume attribute data measurement unit 36 request transmission attempts max 27 sche...

Page 493: ...uration parameters 151 releasing DHCP relay agent IP address release 141 remote AAA remote accounting method 11 AAA remote authentication 11 AAA remote authentication configuration 14 AAA remote autho...

Page 494: ...n 13 AAA protocols and standards 13 AAA RADIUS attribute translation 37 AAA RADIUS configuration 23 AAA RADIUS DAS 39 AAA RADIUS implementation 2 AAA RADIUS information exchange security mechanism 2 A...

Page 495: ...thentication user account format 217 MAC authentication user account policies 211 MAC authentication user profile assignment 214 MAC authentication VLAN assignment 212 MAC based quick portal authentic...

Page 496: ...ent gateway specification 102 DHCP client NetBIOS node type 103 DHCP client offline detection 118 DHCP client server specification 105 DHCP client WINS server 103 DHCP compatibility configuration 113...

Page 497: ...measurement unit 36 AAA RADIUS request transmission attempts max 27 AAA RADIUS server status 29 AAA RADIUS timer 33 AAA RADIUS traffic statistics unit 27 AAA RADIUS username format 27 DHCP client pack...

Page 498: ...03 DHCP relay agent address 143 DHCP relay agent server 135 DHCP relay agent server selection algorithm 136 DHCP relay agent source IP address 145 DHCP server address pool IP address range 99 DHCPv6 c...

Page 499: ...175 terminal AAA RADIUS Login Service attribute check method 35 testing AAA RADIUS server status detection test profile 23 timeout MAC authentication server timeout 217 PPP negotiation 239 PPP negoti...

Page 500: ...surement unit 36 untrusted DHCP snooping untrusted port 157 DHCPv6 snooping port 204 updating IPoE traffic statistics update timer 411 user AAA concurrent login user max 65 AAA local user 15 AAA manag...

Page 501: ...ver IP address dynamic assignment 121 DHCP server IP address static assignment 120 DHCP server option customization 127 DHCP server user class configuration 123 DHCP snooping basic configuration 165 D...

Page 502: ...route table 247 troubleshooting L2TP 273 troubleshooting L2TP data transmission failure 274 troubleshooting L2TP remote system network access failure 273 troubleshooting L2TP user offline 274 Web cros...

Reviews:

No comments