H3C SecPath Series Скачать руководство пользователя

Страница: 7 / 41

Operation Manual – User Access
H3C SecPath Series Security Products

Chapter 1 PPP Configuration

1-5

If a received username includes a domain name, this domain name is used for

authentication (if the name does not exist, authentication is denied). Otherwise, the

domain name configured for PPP authentication applies.

II. Configuring the local to authenticate the peer using CHAP

Table 1-4

Configure the local to authenticate the peer with the CHAP approach

Operation

Command

Configure the local to authenticate the
peer in CHAP mode (in interface view)

ppp

authentication-mode

chap

[ [

call-in

]

domain isp-name

]

Disable the configured PPP
authentication, i.e. performing no PPP
authentication (in interface view)

undo ppp authentication-mode

Configure the local username (in
interface view)

ppp

chap

user

username

Delete the configured local username (in
interface view)

undo ppp chap user

Create a local user and enter the
corresponding view (in system view)

local-user

username

Configure the password for the local
user (in local user view)

password

{

simple

cipher

}

password

Cancel the password of the local user (in
local user view)

undo password

Set the callback and caller number
attributes of the PPP user (in local user
view)

service-type ppp

[

callback-nocheck

callback-number callback-number

call-number call-number

[

:subcall-number

] ]

Restore the default callback and caller
number attributes of the PPP user (in
local user view)

undo service-type ppp

[

callback-nocheck

callback-number

call-number

]

Create an ISP domain or enter the view
of a created domain (in system view)

domain

{

isp-name

default

{

disable

enable isp-name

} }

Configure the user in the domain to use
the local authentication scheme (in
domain view)

scheme local

By default, PPP authentication is disabled.

For authentication on a dial interface, you are recommended to configure

authentication on both the physical interface and the dialer interface. When the

physical interface receives a DCC call request, it first initiates PPP negotiation and

authenticates the dial-in user, and then it passes the call to the upper layer protocol.

Содержание SecPath Series

Страница 1: ...ging PPP Link Efficiency Mechanism 1 16 1 4 Typical PPP Configuration Example 1 17 1 4 1 PAP Authentication 1 17 1 4 2 CHAP Authentication 1 18 1 5 Troubleshooting PPP 1 19 Chapter 2 PPPoE Server Configuration 2 1 2 1 Introduction to PPPoE 2 1 2 2 PPPoE Server Configuration 2 1 2 2 1 Creating a Virtual Template 2 1 2 2 2 Enabling Disabling PPPoE Server 2 2 2 2 3 Configuring PPPoE Server Parameters...

Страница 2: ...ts Table of Contents ii 3 4 2 Connecting a LAN to the Internet Through an ADSL Modem 3 7 Chapter 4 VLAN Configuration 4 1 4 1 Introduction to VLAN 4 1 4 2 Basic VLAN Configuration 4 3 4 3 Displaying and Debugging VLAN 4 3 4 4 Typical VLAN Configuration Example 4 4 ...

Страница 3: ...word to the authenticating party z The authenticator will check if the username and password are correct according to local user list and then return different responses Acknowledge or Not Acknowledge 2 CHAP authentication CHAP Challenge Handshake Authentication Protocol is a 3 way handshake authentication protocol and the password is sent encrypted The process of CHAP authentication is as follows...

Страница 4: ...red it enters the Authenticate phase and starts the CHAP PAP authentication 4 If the authentication fails it will enter the Terminate phase to remove the link and the LCP will go down If the authentication succeeds it will proceed to start the network negotiation NCP In this case the LCP state is still Opened while the state of IP control protocol IPCP is changed from Initial to Request 5 NCP nego...

Страница 5: ...w Table 1 1 Configure PPP encapsulation on the interface Operation Command Configure PPP encapsulation on the interface link protocol ppp The link layer protocol encapsulated on the dialer and virtual template interfaces defaults to PPP 1 2 2 Configuring the Polling Interval Data link protocols such as PPP FR and HDLC use a timer to monitor the status of the link periodically The polling interval ...

Страница 6: ...ter the corresponding view in system view local user username Configure the password for the local user in local user view password simple cipher password Cancel the password of the local user in local user view undo password Set the callback and caller number attributes of the PPP user in local user view service type ppp callback nocheck callback number callback number call number call number sub...

Страница 7: ...em view local user username Configure the password for the local user in local user view password simple cipher password Cancel the password of the local user in local user view undo password Set the callback and caller number attributes of the PPP user in local user view service type ppp callback nocheck callback number callback number call number call number subcall number Restore the default ca...

Страница 8: ...l firewall are null IV Configuring the local to be authenticated by the peer using CHAP Table 1 6 Configure the local to be authenticated by the peer with the CHAP approach Operation Command Create a local user and enter the local user view system view local user username Set a password for the local user in local user view password simple cipher password Cancel the password for the local user in ...

Страница 9: ...ameters of NCP such as the configuration of local IP address and the IP address assigned to the peer refer to the Network Protocol Configuration part in this manual For example the ip address ppp negotiate command can be used to ask the peer to assign IP address for the local while the remote address command can be used to designate the local to assign IP address for the peer Perform the following...

Страница 10: ...on the interface When PPP is disabled the negotiated IP address will be deleted z If the interface has an IP address the original IP address is deleted after you configure the interface to negotiate IP addresses z After you configure the interface to negotiate IP addresses you are not allowed to assign an IP address for the interface The negotiation can generate an IP address z After you configure...

Страница 11: ...igh ip address Remove the configuration undo ip pool pool number Use the global address pool to assign an IP address for the PPP user remote address pool pool number Remove the configuration undo remote address By default if the remote address pool command and the domain address pool are not configured the IP address is not assigned for the peer When you configure the remote address pool command b...

Страница 12: ...ered IP address is used z If the server delivers an IP address pool instead of an IP address the system searches for the IP address pool in turn in domain view and assigns an IP address for the PPP user z If the system assigns no IP address using the above two methods or the local authentication is adopted the system searches for the address pool in turn in domain view and assigns an IP address fo...

Страница 13: ...ialup for example the firewall should allocate a DNS server address to the PC so that the PC can use its domain name to access the Internet When connected using PPP to the network access server NAS of the service provider the firewall should be able to request the NAS for a DNS server address or accept the unsolicited DNS server address for revolving domain names Perform the following configuratio...

Страница 14: ...terface the PPP interface sends link quality reports LQRs instead for monitoring the link When the quality of the link is normal the system calculates link quality based on each LQR and shuts down the link if the results of two consecutive calculations are below the forbidden percentage After shutting down the link the system calculates link quality every ten LQRs and brings the link up again if t...

Страница 15: ...nd link fragmentation and interleaving LFI I IP header compression IPHC is a host to host protocol that applies to transmit multimedia services such as voice and video over IP networks To decrease the bandwidth consumed by headers you may enable IP header compression on PP links to compress RTP including IP UDP and RTP headers or TCP headers The following describes how compression operates taking ...

Страница 16: ... long each The information in some fields of these headers however is unchanged through the lifetime of the connection and needs sending only once while the information in some other fields changes but regularly and within a definite range Based on this idea VJ TCP header compression may compress a 40 byte TCP IP header to 3 to 5 bytes It can significantly improve the transmission speed of some ap...

Страница 17: ...s sion enabled TCP connections ppp compression iphc tcp connections number Restore the default undo ppp compression iphc tcp connections The parameter number indicates the maximum connection number from 3 to 256 of TCP compression mode on the interface It is 16 by default III Configuring maximum number of compression enabled RTP connections You can configure maximum number of compression enabled R...

Страница 18: ...pression on the PPP interface ip tcp vjcompress Disable VJ TCP header compression on the PPP interface undo ip tcp vjcompress By default VJ TCP header compression is disabled on the PPP interface 1 3 4 Displaying and Debugging PPP Link Efficiency Mechanism Table 1 21 Display and debug PPP link efficiency mechanism Operation Command Display statistics about TCP header compression display ppp compre...

Страница 19: ...h the PAP approach II Network diagram SecPath1 SecPath 2 Ethernet1 0 0 Ethernet1 0 0 Figure 1 3 Network diagram of PAP and CHAP authentication III Configuration procedure 1 Configure SecPath1 Add a PPPoE user H3C local user secpath2 H3C luser secpath2 password simple pwd H3C luser secpath2 service type ppp Configure virtual template parameters on SecPath1 H3C interface virtual template 1 H3C Virtu...

Страница 20: ...a PPPoE user H3C local user secpath2 H3C luser secpath2 password simple pwd Configure virtual template parameters on SecPath1 H3C interface virtual template 1 H3C Virtual Template1 ppp authentication mode chap H3C Virtual Template1 ppp chap user secpath1 H3C Virtual Template1 ip address 1 1 1 1 255 0 0 0 H3C Virtual Template1 remote address 1 1 1 2 Configure the PPPoE parameter on SecPath1 H3C int...

Страница 21: ... up state Problem solving This problem may arise from the PPP authentication failure due to the incorrect configuration of PPP authentication parameters Enable the debugging of PPP and you will see the information describing that LCP went up with a successful LCP negotiation but went down after the PAP or CHAP negotiation Fault 2 The physical link fails to go up Problem solving Execute the display...

Страница 22: ...PPPoE This is the very purpose of the Discovery phase After entering the Session phase of PPPoE the system can encapsulate the PPP packet as the payload of PPPoE frame into an Ethernet frame and then send the Ethernet frame to the peer In the frame the SESSION ID must be the one determined at the Discovery phase MAC address must be the address of the peer and the PPP packet section begins with the...

Страница 23: ...erface view The commands in the following table concern Ethernet interfaces and are only valid for corresponding Ethernet interfaces More specifically While PPPoE is enabled on an Ethernet interface it is not accordingly enabled on other Ethernet interfaces Likewise when PPPoE is disabled on an Ethernet interface it is not necessarily disabled on other Ethernet interfaces Note Before beginning the...

Страница 24: ...current system is allowed to set up pppoe server max sessions total number Restore the default maximum number of PPPoE sessions that the current system is allowed to set up undo pppoe server max sessions total 2 2 4 Enabling Disabling the PPPoE Server to Output PPP Related Log To avoid decreased device performance due to excessive log output you can disable the PPPoE server to output log informati...

Страница 25: ...Configuration Example I Network requirements In Figure 2 1 the hosts access the Internet through the firewall SecPath by making use of PPPoE II Network diagram Firewall SecPath is connected to the Ethernet through the interface Ethernet 1 0 0 and the Internet through Serial3 0 0 Internet Host Host SecPath Ethernet 1 0 0 Ethernet 3 0 0 Figure 2 1 PPPoE network diagram III Configuration procedure Ad...

Страница 26: ...ain to use the local authentication scheme H3C domain system H3C isp system scheme local Add a local IP address pool containing nine IP addresses H3C isp system ip pool 1 1 1 1 2 1 1 1 10 When installed with PPPoE client software and configured with user name and password every host on the Ethernet can access the Internet through the firewall with PPPoE If radius scheme or hwtacacs scheme is confi...

Страница 27: ...eate a PPPoE Session ID Whereas PPP establishes a peer correlation PPPoE however establishes a client server correlation in the Discovery phase During the Discovery phase a host client can discover an access concentrator server After the Discovery phase the host and the concentrator can establish PPPoE session via the MAC address and session ID z PPP Session phase At the beginning of the PPP Sessi...

Страница 28: ...nally installing PPPoE client dialing software by the user 3 2 Configuring the PPPoE Client Fundamental PPPoE configuration tasks include z Configure a dialer interface z Configure a PPPoE session Advanced PPP configuration task includes z Terminate a PPPoE session 3 2 1 Configuring a Dialer Interface Before configuring PPPoE session you should first configure a dialer interface and configure a di...

Страница 29: ...e refer to the chapter discussing DDD configurations in the Dial up part of this manual 3 2 2 Configuring a PPPoE Session PPPoE session can be configured on a physical Ethernet interface or a virtual Ethernet VE interface created on an ADSL interface When a firewall is to be linked to the Internet through an ADSL interface it is necessary to configure PPPoE session on the virtual Ethernet interfac...

Страница 30: ... Only when there is data transmission requirement will the firewall initiate PPPoE call to create a PPPoE session If the free time of a PPPoE link exceeds the value set by user the firewall will automatically terminate the PPPoE session 3 2 3 Resetting Deleting a PPPoE Session Execute the reset pppoe client command and the reset pppoe server command in user view and the undo pppoe client command i...

Страница 31: ...ure it 3 3 Displaying and Debugging the PPPoE Client Execute the display command in all views and the debugging command in user view Table 3 5 Displaying and Debugging the PPPoE client Operation Command Display the status and statistics of a PPPoE session display pppoe client session summary packet dial bundle number number Enable the PPPoE client debugging debugging pppoe client all data error ev...

Страница 32: ...H3C Dialer1 dialer group 1 H3C Dialer1 dialer bundle 1 H3C Dialer1 ip address ppp negotiate H3C Dialer1 ppp pap local user secpath2 password simple pwd Configure a PPPoE session H3C interface ethernet 1 0 0 H3C Ethernet1 0 0 pppoe client dial bundle number 1 When CHAP authentication applies configure the firewalls as follows 1 Configure SecPath1 Add a PPPoE user H3C local user secpath2 H3C luser s...

Страница 33: ...ber 1 3 4 2 Connecting a LAN to the Internet Through an ADSL Modem I Network requirements The PCs in the LAN access the Internet through SecPath A which connects to the DSLAM using an ADSL line in always on mode The ADSL account has a username of adsluser and a password of 123456 As the PPPoE server SecPath B connects to DSLAM through the Eth2 0 0 interface and provides RADIUS authentication and a...

Страница 34: ...1 If the IP addresses of the PCs in the LAN are private addresses it is necessary to configure NAT Network Address Translation on the firewall The NAT configuration will not be elaborated here For details refer to the part about NAT configuration in the Security module of this manual 2 Configure SecPath B Add a PPPoE user H3C local user adsluser H3C luser adsluser password simple 123456 H3C luser ...

Страница 35: ...e RADIUS scheme H3C radius scheme cams H3C radius cams primary authentication 10 110 91 146 1812 H3C radius cams primary accounting 10 110 91 146 1813 H3C radius cams key authentication expert H3C radius cams key accounting expert H3C radius cams server type extended H3C radius cams user name format with domain H3C radius cams quit See related materials for detailed configuration of RADIUS server ...

Страница 36: ...AC addresses in the mapping table If it can find a match it will only send the frames to the corresponding ports if not it will forward them to all ports except for the receiving port In this way the collision domains are separated in their own ports and will not extend to other ports The switch as a kind of transparent device does not change the source and destination addresses of the Ethernet fr...

Страница 37: ...d frames from one VLAN to another except that it is a layer 3 switch z It can enhance the security of LAN VLANs cannot directly communicate with one another that is the users in one VLAN cannot directly access those in other VLANs They need help of such layer 3 devices as routers or Layer 3 switches to fulfill the access z It provides virtual workgroups VLAN can be used to group different users to...

Страница 38: ...figuration Operation Command Create an Ethernet subinterface and enter its view in system view interface subinterface type interface number Set the IP address of an Ethernet subinterface in interface view ip address ip address ip mask Set the encapsulation type of an Ethernet subinterface or a gigabit Ethernet subinterface and related VLAN ID in interface view vlan type dot1q vid vid Set the maxim...

Страница 39: ... via subinterfaces As shown in the following figure the VLAN attributes of ports are specified on Switch 1 and Switch 2 thus the workstations A B C and D connected to these Switches belong to VLAN 10 or VLAN 20 The following is required z The addresses of subinterfaces Ethernet 3 0 0 1 Ethernet3 0 0 2 Ethernet4 0 0 1 and Ethernet4 0 0 2 are 1 0 0 1 2 0 0 1 3 0 0 1 and 4 0 0 1 respectively z Commun...

Страница 40: ...P addresses Set the encapsulation type of each subinterface The encapsulation type of the Ethernet subinterface must keep consistent with what configured on the switch port and the associated VLAN ID Note After configuring the encapsulation type of the Ethernet subinterface the subinterface is set as permitted trunk H3C system view H3C interface ethernet 3 0 0 1 H3C Ethernet3 0 0 1 ip address 1 0 ...

Страница 41: ... Security Products Chapter 4 VLAN Configuration 4 6 Set the maximum number of packets that VLAN10 can process into 100000 per second and that VLAN20 can process into 200000 per second H3C max packet process 100000 10 H3C max packet process 200000 20 ...

Результаты поиска

Содержание SecPath Series

Отзывы:

Похожие инструкции для SecPath Series

Бренды по названию

Популярные бренды

H3C SecPath Series, Руководство по эксплуатации

Результаты поиска

Содержание SecPath Series

Отзывы:

Похожие инструкции для SecPath Series

Бренды по названию

Популярные бренды