H3C SR8800-F Скачать руководство пользователя страница 276 | Manualshive

Страница: 276 / 502

H3C SR8800-F Скачать руководство пользователя страница 276

260

Step Command

Remarks

2.

Enter L2TP group view in
LAC mode.

l2tp-group

group-number

[

mode

lac

]

N/A

3.

Configure each L2TP user to
use an L2TP tunnel
exclusively.

tunnel-per-user

By default, an L2TP tunnel can be
used by multiple L2TP users.

Enabling transferring AVP data in hidden mode

L2TP uses Attribute Value Pairs (AVPs) to transmit tunnel negotiation parameters, session
negotiation parameters, and user authentication information. Transferring AVP data in hidden mode
can hide sensitive AVP data such as user passwords. This feature encrypts AVP data with the key
configured by using the

tunnel password

command before transmission.

This configuration takes effect only when the tunnel authentication feature is enabled. For more
information about configuring tunnel authentication, see "

Configuring L2TP tunnel authentication

."

To enable transferring AVP data in hidden mode:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enter L2TP group view in
LAC mode.

l2tp-group

group-number

[

mode

lac

]

N/A

3.

Enable transferring AVP data
in hidden mode.

tunnel avp-hidden

By default, AVP data is
transferred in plain text.

Configuring AAA authentication on an LAC

You can configure AAA authentication an LAC to authenticate the remote dialup users and initiate a
tunneling request only for qualified users. A tunnel will not be established for unqualified users.

The device supports both local AAA authentication and remote AAA authentication.

•

For local AAA authentication, create a local user and configure a password for each remote
user on the LAC. The LAC then authenticates a remote user by matching the provided
username and password with those configured locally.

•

For remote AAA authentication, configure the username and password of each user on the
RADIUS/HWTACACS server. The LAC then sends the remote user's username and password
to the server for authentication.

For more information, see "

Configuring AAA

."

To enable AAA authentication on an LAC, you also need to configure PAP or CHAP authentication for
PPP users on the user access interfaces. For information about configuring PAP or CHAP, see
"

Configuring PPP

Configuring an LAC to automatically establish an L2TP
tunnel

To configure an LAC to automatically establish an L2TP tunnel, perform the following tasks:

•

Create a virtual PPP interface and configure an IP address for the interface.

•

In virtual PPP interface view, use the

ppp

pap

or

ppp

chap

command to configure the side to

be authenticated by PPP as follows:

«
...
274
275
276
277
278
...
»

Содержание SR8800-F

Страница 1: ...H3C SR8800 F Routers Comware 7 User Access Configuration Guide New H3C Technologies Co Ltd http www h3c com hk Software version SR8800FS CMW710 R7655P05 or later Document version 6W100 20170825...

Страница 2: ...SecPath SecCenter SecBlade Comware ITCMM and HUASAN are trademarks of New H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective owners...

Страница 3: ...words or arguments that are optional x y Braces enclose a set of required syntax choices separated by vertical bars from which you select one x y Square brackets enclose a set of optional syntax choic...

Страница 4: ...Represents a generic network device such as a router switch or firewall Represents a routing capable device such as a router or Layer 3 switch Represents a generic switch such as a Layer 2 or Layer 3...

Страница 5: ...cumentation To access the most up to date H3C product documentation go to the H3C website at http www h3c com hk To obtain information about installation configuration and maintenance click http www h...

Страница 6: ...the maximum number of real time accounting attempts 28 Configuring RADIUS stop accounting packet buffering 28 Setting the maximum number of pending RADIUS requests 29 Setting the status of RADIUS serv...

Страница 7: ...domain 60 Configuring accounting methods for an ISP domain 62 Display and maintenance commands for ISP domains 64 Setting the maximum number of concurrent login users 65 Configuring the local bill ca...

Страница 8: ...g a DHCP address pool to a VPN instance 108 Applying an address pool on an interface 108 Configuring a DHCP policy for dynamic address assignment 109 Allocating different IP addresses to DHCP clients...

Страница 9: ...nabling client offline detection on the DHCP relay agent 141 Configuring the DHCP relay agent to release an IP address 141 Configuring Option 82 141 Setting the DSCP value for DHCP packets sent by the...

Страница 10: ...uration examples 169 Example Configuring BOOTP client 169 DHCPv6 overview 170 DHCPv6 address prefix assignment 170 Rapid assignment involving two messages 170 Assignment involving four messages 170 Ad...

Страница 11: ...ction 200 Enabling the DHCPv6 relay agent to advertise IPv6 prefixes 201 Display and maintenance commands for DHCPv6 relay agent 201 DHCPv6 relay agent configuration examples 202 Example Configuring D...

Страница 12: ...About PPP 230 PPP protocols 230 PPP link establishment process 230 PPP authentication 231 PPP for IPv4 231 PPP for IPv6 232 Protocols and standards 233 PPP tasks at a glance 233 Configuring a VT inte...

Страница 13: ...iguring optional L2TP parameters 264 Configuring L2TP tunnel authentication 264 Setting the Hello interval 265 Setting the DSCP value of L2TP packets 265 Setting the TSA ID of the LTS 265 Enabling L2T...

Страница 14: ...rule for URL redirection 304 Configuring a local portal Web service 304 Restrictions and guidelines for configuring a local portal Web service 304 Customizing authentication pages 304 Configuring par...

Страница 15: ...ication 353 Example Configuring portal server detection and portal user synchronization 356 Example Configuring cross subnet portal authentication for MPLS L3VPNs 364 Example Configuring direct portal...

Страница 16: ...user configuration tasks at a glance 404 Configuring interface leased users 405 Configuring subnet leased users 405 Configuring L2VPN leased users 406 Configuring ISP domains for leased users 406 Con...

Страница 17: ...trols user access The server maintains user information centrally See Figure 1 Figure 1 AAA network diagram To access networks or resources beyond the NAS a user sends its identity information to the...

Страница 18: ...ocess 1 Receives authentication authorization and accounting requests from RADIUS clients 2 Performs user authentication authorization or accounting 3 Returns user access control information for examp...

Страница 19: ...password If the authentication succeeds the server sends back an Access Accept packet that contains the user s authorization information If the authentication fails the server returns an Access Rejec...

Страница 20: ...cation fails and the server sends an Access Reject response 4 Accounting Reques t From the client to the server A packet of this type includes user information for the server to start or stop accounti...

Страница 21: ...upports RADIUS subattributes with a vendor ID of 25506 For more information see Appendix C RADIUS subattributes vendor ID 25506 Figure 5 Format of attribute 26 HWTACACS HW Terminal Access Controller A...

Страница 22: ...he authentication process Supports authorization of configuration commands Access to commands depends on both the user s roles and authorization A user can use only commands that are permitted by the...

Страница 23: ...sponse to request the login password 8 Upon receipt of the response the HWTACACS client prompts the user for the login password 9 The user enters the password Host HWTACACS client HWTACACS server 1 Th...

Страница 24: ...ot often change The protocol is used to store user information For example LDAP server software Active Directory Server is used in Microsoft Windows operating systems The software stores the user info...

Страница 25: ...basic LDAP authentication process 1 A Telnet user initiates a connection request and sends the username and password to the LDAP client 2 After receiving the request the LDAP client establishes a TCP...

Страница 26: ...8 Basic LDAP authorization process for a Telnet user The following shows the basic LDAP authorization process 1 A Telnet user initiates a connection request and sends the username and password to the...

Страница 27: ...omain for a user by username AAA manages users in the same ISP domain based on the users access types The device supports the following user access types LAN LAN users must pass MAC authentication to...

Страница 28: ...gin users is the root directory of the NAS However the users do not have permission to access the root directory Local authorization The NAS performs authorization according to the user attributes loc...

Страница 29: ...LS backbone acts as a NAS The NAS transparently delivers the AAA packets of private users in VPN 1 and VPN 2 to the AAA servers in VPN 3 for centralized authentication Authentication packets of privat...

Страница 30: ...domains 1 Required Creating an ISP domain 2 Optional Configuring ISP domain attributes 3 Required Perform a minimum one of the following tasks to configure AAA authentication authorization and accoun...

Страница 31: ...ibutes of the group The attributes include the password control attributes and authorization attributes For more information about local user group see Configuring user group attributes Binding attrib...

Страница 32: ...vice management user Step Command Remarks 1 Enter system view system view N A 2 Add a local user and enter device management user view local user user name class manage By default no local users exist...

Страница 33: ...to take if there is a login failure password control login attempt login times exceed lock lock time time unlock By default the local user uses password control attributes of the user group to which t...

Страница 34: ...te call number call number subcall number location interface interface type interface number mac mac address vlan vlan id By default no binding attributes are configured for a local user 8 Optional Co...

Страница 35: ...onsor name is specified for a local guest 10 Specify the sponsor department for the local guest sponsor department department string By default no sponsor department is specified for a local guest 11...

Страница 36: ...es subscriber id subscriber id url url string user profile user profile name vlan vlan id vpn instance vpn instance name work directory directory name By default no authorization attributes are config...

Страница 37: ...al guests after the guest registration information is approved by a guest manager Email notification The device notifies the local guests guest sponsors or guest managers by email of the guest account...

Страница 38: ...t local guest account information to a csv file in the specified path local user export class network guest url url string N A 10 Optional Enable the guest auto delete feature local guest auto delete...

Страница 39: ...ional Configuring the RADIUS accounting on feature Optional Interpreting the RADIUS class attribute as CAR parameters Optional Configuring the Login Service attribute check method for SSH FTP and term...

Страница 40: ...servers radius server test profile profile name username name interval interval By default no test profiles exist You can configure multiple test profiles in the system Creating a RADIUS scheme Creat...

Страница 41: ...etect the server status Two authentication servers in a scheme primary or secondary cannot have the same combination of IP address port number and VPN instance The weight weight value option takes eff...

Страница 42: ...se the same key for each type of communication A key configured in this task is for all servers of the same type accounting or authentication in the scheme The key has a lower priority than a key conf...

Страница 43: ...he format for usernames sent to the RADIUS servers user name format keep original with domain without domain By default the ISP domain name is included in a username 4 Optional Set the data flow and p...

Страница 44: ...ive a response for a stop accounting request in a single transmission Enable the device to buffer RADIUS stop accounting requests that have not received responses from the accounting server The device...

Страница 45: ...nter decreases by 1 each time the device receives a respond from the server or the respond timeout timer for a request expires 3 The device buffers the subsequent requests when the counter reaches the...

Страница 46: ...s status accordingly in all RADIUS schemes in which this server is specified When a RADIUS server is manually set to blocked server detection is disabled for the server regardless of whether a test pr...

Страница 47: ...it then searches for the secondary servers in the order they are configured The first secondary server in active state is used for communication In this process the workload is always placed on the a...

Страница 48: ...em view The IP address specified in RADIUS scheme view applies only to one RADIUS scheme The IP address specified in system view applies to all RADIUS schemes in which the RADIUS servers are in a VPN...

Страница 49: ...uch as Telnet can time out When the client connections have a short timeout period a large number of secondary servers can cause the initial authentication or accounting attempt to fail In this case r...

Страница 50: ...ting on packet to the RADIUS server after a card reboot The packet contains the card identifier Upon receiving the accounting on packet the RADIUS server logs out all online users that access the devi...

Страница 51: ...Command Remarks 1 Enter system view system view N A 2 Enter RADIUS scheme view radius scheme radius scheme name N A 3 Configure the Login Service attribute check method for SSH FTP and terminal users...

Страница 52: ...interface type delimiter port delimiter s vid delimiter slot delimiter string string delimiter subslot delimiter vendor vendor id By default no format is configured for RADIUS attribute 87 and the de...

Страница 53: ...Attribute rejection Rejects RADIUS attributes based on RADIUS attribute rejection rules When the RADIUS attribute translation feature is enabled the device processes RADIUS packets as follows For the...

Страница 54: ...sent By default no RADIUS attribute rejection rules exist Repeat this command to add multiple RADIUS attribute rejection rules Configuring the RADIUS attribute translation feature for a RADIUS DAS Ste...

Страница 55: ...session control enable By default the session control feature is disabled 3 Specify a session control client radius session control client ip ipv4 address ipv6 ipv6 address key cipher simple string v...

Страница 56: ...the DSCP priority is 0 for RADIUS packets Configuring the device to preferentially process RADIUS authentication requests About configuring the device to preferentially process RADIUS authentication r...

Страница 57: ...you must also configure SNMP on the device For more information about SNMP configuration see Network Management and Monitoring Configuration Guide To enable SNMP notifications for RADIUS Step Command...

Страница 58: ...es An HWTACACS scheme can be used by multiple ISP domains To create an HWTACACS scheme Step Command Remarks 1 Enter system view system view N A 2 Create an HWTACACS scheme and enter HWTACACS scheme vi...

Страница 59: ...the secondary servers in the order they are configured The first secondary server in active state is used for communication If redundancy is not required specify only the primary server An HWTACACS se...

Страница 60: ...ddress ipv6 ipv6 address port number key cipher simple string single connection vpn instance vpn instance name Specify a secondary HWTACACS accounting server secondary accounting ipv4 address ipv6 ipv...

Страница 61: ...rmat where the isp name argument represents the user s ISP domain name By default the ISP domain name is included in a username If HWTACACS servers do not recognize usernames that contain ISP domain n...

Страница 62: ...address for outgoing HWTACACS packets About source IP address for outgoing HWTACACS packets The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS configured...

Страница 63: ...es the following timers to control communication with an HWTACACS server Server response timeout timer response timeout Defines the HWTACACS server response timeout timer The device starts this timer...

Страница 64: ...en one or more servers are in active state the device tries to communicate with these servers only even if they are unavailable When an HWTACACS server s status changes automatically the device change...

Страница 65: ...ance Configuring an LDAP server Required Creating an LDAP server Required Configuring the IP address of the LDAP server Optional Specifying the LDAP version Optional Setting the LDAP server timeout pe...

Страница 66: ...d A Microsoft LDAP server supports only LDAPv3 Setting the LDAP server timeout period If the device sends a bind or search request to an LDAP server without receiving the server s response within the...

Страница 67: ...user attributes of the LDAP client The LDAP user attributes include Search base DN Search scope Username attribute Username format User object class If the LDAP server contains many directory levels...

Страница 68: ...s to include important LDAP attributes that should not be ignored An LDAP attribute can be mapped only to one AAA attribute Different LDAP attributes can be mapped to the same AAA attribute To configu...

Страница 69: ...ion server is specified Specifying an LDAP attribute map for LDAP authorization Specify an LDAP attribute map for LDAP authorization to convert LDAP attributes obtained from the LDAP authorization ser...

Страница 70: ...ort for the authentication domain configuration depends on the access module 2 The ISP domain in the username 3 The default ISP domain of the device If the chosen domain does not exist on the device t...

Страница 71: ...fied direction in the domain at the idle timeout interval The device logs out an online user if the user s total traffic in the idle timeout period at the specified direction is less than the specifie...

Страница 72: ...sers Portal users might have both the preauthentication IP address pool and the authorization IP address pool The two DHCP address pools must both have the export route keyword specified or not specif...

Страница 73: ...ly the authorization user priority only to upstream packets of users The user profile attribute takes effect only on CSPEX cards The session group profile attribute does not take effect Including the...

Страница 74: ...the ISP domain ita policy policy name By default no ITA policy is applied Configuring authentication methods for an ISP domain Restrictions and guidelines When configuring authentication methods foll...

Страница 75: ...e ldap scheme name local none local radius scheme radius scheme name hwtacacs scheme hwtacacs scheme name none local ldap scheme ldap scheme name none none radius scheme radius scheme name hwtacacs sc...

Страница 76: ...se a RADIUS scheme as the authorization method specify the name of the RADIUS scheme that is configured as the authentication method for the ISP domain If an invalid RADIUS scheme is specified as the...

Страница 77: ...eme name local none By default the default authorization method is used for IPoE users This command takes effect only on CSPEX cards 6 Specify authorization methods for LAN users authorization lan acc...

Страница 78: ...e uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons An exception occurs in the AAA process The user disconnects from the device The us...

Страница 79: ...d takes effect only on CSPEX cards 6 Specify accounting methods for LAN users accounting lan access broadcast radius scheme radius scheme name1 radius scheme radius scheme name2 local none local radiu...

Страница 80: ...iled all their accounting update attempts accounting update fail max times max times offline online By default the device allows users that have failed all their accounting update attempts to stay onl...

Страница 81: ...mation Accounting traffic statistics Local accounting bills can be exported to a storage directory by using FTP or TFTP When an accounting server becomes available it can download the accounting bills...

Страница 82: ...ID to set the NAS Identifier attribute of RADIUS packets so that the RADIUS server can identify the access location of users You can configure a NAS ID in NAS ID profile view in interface view or in...

Страница 83: ...face the NAS and VLAN binding in the NAS ID profile has higher priority To set the NAS ID on an interface Step Command Remarks 1 Enter system view system view N A 2 Enter Layer 3 interface view interf...

Страница 84: ...es Example Configuring authentication and authorization for SSH users by a RADIUS server Network configuration As shown in Figure 12 configure the router to meet the following requirements Use the RAD...

Страница 85: ...Use the default values for other parameters and click OK The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the router The sou...

Страница 86: ...line vty0 63 authentication mode scheme Router line vty0 63 quit Enable the default user role feature to assign authenticated SSH users the default user role network operator Router role default role...

Страница 87: ...rk operator user role Details not shown Example Configuring local authentication and authorization for SSH users Network configuration As shown in Figure 15 configure the router to meet the following...

Страница 88: ...fy that the user can use the commands permitted by the network admin user role Details not shown Example Configuring AAA for SSH users by an HWTACACS server Network configuration As shown in Figure 16...

Страница 89: ...login hwtacacs scheme hwtac Router isp bbb authorization login hwtacacs scheme hwtac Router isp bbb accounting login hwtacacs scheme hwtac Router isp bbb quit Create local RSA and DSA key pairs Route...

Страница 90: ...TE In this example the LDAP server runs Microsoft Windows 2003 Server Active Directory Add a user named aaa and set the password to ldap 123456 a On the LDAP server select Start Control Panel Administ...

Страница 91: ...and click Next Figure 19 Setting the user s password g Click OK Add user aaa to group Users a From the navigation tree click Users under the ldap com node b In the right pane right click user aaa and...

Страница 92: ...ser aaa is added to group Users Figure 21 Adding user aaa to group Users Set the administrator password to admin 123456 a In the right pane right click user Administrator and select Set Password b In...

Страница 93: ...the administrator password Router ldap server ldap1 login password simple admin 123456 Configure the base DN for user search Router ldap server ldap1 search base dn dc ldap dc com Router ldap server l...

Страница 94: ...tac Configure the primary HWTACACS server at 10 1 1 1 Set the authentication authorization and accounting ports to 49 Configure the router to establish only one TCP connection with the server RouterA...

Страница 95: ...ion to userb and plaintext passb respectively RouterB Serial2 1 0 1 0 ppp pap local user userb password simple passb Verifying the configuration Use the display interface serial command to display inf...

Страница 96: ...The link between the NAS and the RADIUS server works well at both the physical and data link layers The IP address of the RADIUS server is correctly configured on the NAS The authentication and accou...

Страница 97: ...igured Some user attributes for example the username attribute configured on the NAS are not consistent with those configured on the server No user search base DN is specified for the LDAP scheme Solu...

Страница 98: ...ing 54 unassigned 11 Filter ID 55 Event Timestamp 12 Framed MTU 56 59 unassigned 13 Framed Compression 60 CHAP Challenge 14 Login IP Host 61 NAS Port Type 15 Login Service 62 Port Limit 16 Login TCP P...

Страница 99: ...sword for CHAP authentication only present in Access Request packets when CHAP authentication is used 4 NAS IP Address IP address for the server to use to identify the client Typically a client is ide...

Страница 100: ...Generation Partnership Project 9 to 14 Reserved for tunnel accounting 15 Reserved for failed 45 Acct Authentic Authentication method used by the user Possible values include 1 RADIUS 2 Local 3 Remote...

Страница 101: ...verage Rate Average rate in the direction from the NAS to the user in bps 6 Output Basic Rate Basic rate in the direction from the NAS to the user in bps 15 Remanent_Volume Total amount of data availa...

Страница 102: ...that the user belongs to multiple multicast groups 101 MLD Access Limit Maximum number of MLD multicast groups that the user can join concurrently 102 local name L2TP local tunnel name 103 IGMP Acces...

Страница 103: ...ther network resources the device redirects it to the URL specified by subattribute 250 2 The broadband lease of the subscriber expires The device redirects the subscriber to the URL specified by suba...

Страница 104: ...or more information about the DHCP relay agent see Configuring the DHCP relay agent Figure 23 A typical DHCP application DHCP address allocation Allocation mechanisms DHCP supports the following alloc...

Страница 105: ...cated to the client Returns a DHCP NAK message to deny the IP address allocation After receiving the DHCP ACK message the client verifies the following details before using the assigned IP address The...

Страница 106: ...0 flags The leftmost bit is defined as the BROADCAST B flag If this flag is set to 0 the DHCP server sent a reply back by unicast If this flag is set to 1 the DHCP server sent a reply back by broadcas...

Страница 107: ...tion It is used by a DHCP client to request specified configuration parameters The option includes values that correspond to the parameters requested by the client Option 60 Vendor class identifier op...

Страница 108: ...at Figure 27 Option 43 format Network configuration parameters are carried in different sub options of Option 43 as shown in Figure 27 Sub option type The field value can be 0x01 ACS parameter sub opt...

Страница 109: ...D interface number and interface type of the interface that receives the client s request Remote ID has the following padding modes String padding mode Includes a character string specified by the use...

Страница 110: ...SIP user when both the primary and backup calling processors are unreachable Protocols and standards RFC 2131 Dynamic Host Configuration Protocol RFC 2132 DHCP Options and BOOTP Vendor Extensions RFC...

Страница 111: ...ss in the address range of the user class for the client A user class can include multiple matching rules and a client matches the user class as long as it matches any of the rules In address pool vie...

Страница 112: ...the address pool with the longest matching secondary subnet Client on a different subnet than the server The DHCP server compares the IP address in the giaddr field of the DHCP request with the primar...

Страница 113: ...IP addresses can be assigned to other DHCP clients only after the addresses are in conflict for an hour DHCP server tasks at a glance Tasks at a glance Optional Creating a DHCP user class Required Co...

Страница 114: ...umber hardware address hardware address mask hardware address mask option option code ascii ascii string offset offset partial hex hex string mask mask offset offset length length partial relay agent...

Страница 115: ...ss pool If you execute the network or address range command multiple times for the same address pool the most recent configuration takes effect If you execute the forbidden ip command multiple times y...

Страница 116: ...DHCP address pool If an address pool has a primary subnet and multiple secondary subnets the server assigns IP addresses on a secondary subnet when the primary subnet has no assignable IP addresses Fo...

Страница 117: ...s pool When the client requests an IP address the DHCP server assigns the IP address in the static binding to the client Follow these guidelines when you configure a static binding One IP address can...

Страница 118: ...ys in the DHCP address pool Step Command Remarks 1 Enter system view system view N A 2 Enter DHCP address pool view dhcp server ip pool pool name By default no DHCP address pool exists 3 Specify gatew...

Страница 119: ...tion name in a unicast message to the WINS server The WINS server returns the destination IP address m mixed node An m node client broadcasts the destination name If it receives no response it unicast...

Страница 120: ...ile name If the configuration file is on an HTTP server specify the configuration file URL The DHCP client uses the obtained parameters to contact the TFTP server or the HTTP server to get the configu...

Страница 121: ...ep Command Remarks 1 Enter system view system view N A 2 Enter DHCP address pool view dhcp server ip pool pool name By default no DHCP address pool exists 3 Specify the IP address of the primary netwo...

Страница 122: ...me domain name ascii 44 NetBIOS over TCP IP Name Server Option nbns list ip address 46 NetBIOS over TCP IP Node Type Option netbios type hex 66 TFTP server name tftp server ascii 67 Boot file name boo...

Страница 123: ...user class whitelist The DHCP user class whitelist allows the DHCP server to process requests only from clients on the DHCP user class whitelist The whitelist does not take effect on clients who reque...

Страница 124: ...in authentication modules such as IPoE The VPN information of the DHCP server s interface that receives DHCP packets from the client If both VPN instances can be obtained the VPN information from aut...

Страница 125: ...e order that they are configured If a matching user class is found and the bound address pool has assignable IP addresses the server assigns an IP address and other parameters from the address pool If...

Страница 126: ...mation of the receiving interface To allocate different IP addresses to DHCP clients with the same MAC address Step Command Remarks 1 Enter system view system view N A 2 Enable allocation of different...

Страница 127: ...a DHCP request that contains Option 82 the DHCP server adds Option 82 into the DHCP response If you disable the DHCP to handle Option 82 it does not add Option 82 into the response message You must en...

Страница 128: ...packet from a client MAC address it creates a DHCP flood attack entry in check state If the number of DHCP packets from the same MAC address reaches the upper limit in the detection duration the serv...

Страница 129: ...haddr field of a received DHCP request with the source MAC address in the frame header If they are the same the DHCP server verifies this request as legal and processes it If they are not the same the...

Страница 130: ...e DHCP server to return DHCP NAK messages if the client notions of their IP addresses are incorrect After receiving the DHCP NAK message the DHCP client will request an IP address again Procedure To e...

Страница 131: ...1048 By default the DHCP server directly copies the Vend field of such requests into the responses Setting the DSCP value for DHCP packets sent by the DHCP server The DSCP value of a packet specifies...

Страница 132: ...immediately and runs auto backup 3 Optional Manually save the DHCP bindings to the backup file dhcp server database update now N A 4 Optional Set the waiting time after a DHCP binding change for the D...

Страница 133: ...ature enables the route management module to advertise subnets assigned to DHCP clients This feature achieves symmetric routing for traffic of the same host As shown in Figure 31 Router A and Router B...

Страница 134: ...etect By default client offline detection is disabled on the DHCP server Configuring SNMP notifications for the DHCP server Perform this task to configure the DHCP module to send SNMP notifications to...

Страница 135: ...uration Guide As a best practice disable this feature if the log generation affects the device performance or reduces the address allocation efficiency For example this situation might occur when a la...

Страница 136: ...n instance vpn instance name pool pool name Clear information about assigned IP addresses reset dhcp server ip in use ip ip address vpn instance vpn instance name pool pool name Clear DHCP server stat...

Страница 137: ...1 2 RouterA dhcp pool 0 gateway list 10 1 1 126 RouterA dhcp pool 0 quit RouterA Verifying the configuration Verify that Router B can obtain IP address 10 1 1 5 and all other network parameters from...

Страница 138: ...DHCP server on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 dhcp select server RouterA GigabitEthernet1 0 1 quit RouterA interfa...

Страница 139: ...ned to the clients RouterA display dhcp server ip in use IP address Client identifier Lease expiration Type Hardware address 10 1 1 3 0031 3865 392e 6262 Jan 14 22 25 03 2015 Auto C 3363 2e30 3230 352...

Страница 140: ...DHCP server on the interface GigabitEthernet1 0 1 RouterB interface gigabitethernet 1 0 1 RouterB GigabitEthernet1 0 1 dhcp select server RouterB GigabitEthernet1 0 1 quit Create DHCP user class tt a...

Страница 141: ...address Client identifier Lease expiration Type Hardware address 10 10 1 2 0031 3865 392e 6262 Jan 14 22 25 03 2015 Auto C 3363 2e30 3230 352d 4745 302f 30 10 10 1 11 aabb aabb aab1 Jan 14 22 25 03 2...

Страница 142: ...e clients RouterB display dhcp server ip in use IP address Client identifier Lease expiration Type Hardware address 10 1 1 2 aabb aabb ab01 Jan 14 22 25 03 2015 Auto C Example Configuring primary and...

Страница 143: ...rA dhcp pool aa secondary quit RouterA dhcp pool aa quit Verifying the configuration Verify that the DHCP server assigns clients IP addresses and gateway address from the secondary subnet when no assi...

Страница 144: ...erver Enable DHCP RouterA system view RouterA dhcp enable Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aa...

Страница 145: ...Create an address pool specify the subnet 10 1 1 0 24 and configure the address lease duration as ten days Specify the gateway address and the DNS server address as 10 1 1 1 and 20 1 1 1 Configure Opt...

Страница 146: ...subnet as 10 1 1 0 24 and the address lease duration as ten days Device dhcp pool 0 network 10 1 1 0 mask 255 255 255 0 Device dhcp pool 0 expired day 10 Specify the gateway address as 10 1 1 1 and th...

Страница 147: ...dhcp server forbidden ip command on the DHCP server to exclude the IP address from dynamic allocation 3 Enable the network adapter or connect the network cable release the IP address and obtain anoth...

Страница 148: ...ss of whether the relay agent exists For the interaction details see IP address allocation process The following only describes steps related to the DHCP relay agent 1 After receiving a DHCP DISCOVER...

Страница 149: ...n 82 before forwarding the response to the client Table 7 Handling strategies of the DHCP relay agent If a DHCP request has Handling strategy The DHCP relay agent Option 82 Drop Drops the message Keep...

Страница 150: ...guring forwarding DHCP replies based on Option 82 Enabling DHCP You must enable DHCP to validate other DHCP relay agent settings To enable DHCP Step Command Remarks 1 Enter system view system view N A...

Страница 151: ...relay agent connects to clients of the same access type but classified into different types by their locations In this case the relay interface typically has no IP address configured You can use the...

Страница 152: ...forwards the subsequent DHCP requests to a backup DHCP server If the backup DHCP server is not available the relay agent selects the next backup DHCP server and so on If no backup DHCP server is avai...

Страница 153: ...selecting algorithm in DHCP address pool view Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Enable the DHCP relay age...

Страница 154: ...running on synchronous asynchronous serial interfaces To enable the DHCP relay agent to record relay entries Step Command Remarks 1 Enter system view system view N A 2 Enable the relay agent to recor...

Страница 155: ...es later the DHCP relay agent will create a flood attack entry and count the number of incoming DHCP packets for that client again Procedure To configure DHCP flood attack protection Step Command Rema...

Страница 156: ...ntry To enable MAC address check Step Command Remarks 1 Enter system view system view N A 2 Set the aging time for MAC address check entries dhcp relay check mac address aging time time The default ag...

Страница 157: ...nabled an interface operates in the DHCP server mode 5 Enable client offline detection dhcp client detect By default client offline detection is disabled on the DHCP relay agent Configuring the DHCP r...

Страница 158: ...terface vlan interface format ascii hex By default the padding mode for Circuit ID sub option is normal and the padding format is hex The device name sysname must not include spaces if it is configure...

Страница 159: ...ws you to specify the IP addresses to be encapsulated to the giaddr field of the DHCP requests If you do not specify any DHCP relay agent address the primary IP address of the DHCP relay interface is...

Страница 160: ...r field in a common network Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Enable the DHCP relay agent dhcp select rela...

Страница 161: ...ress on the same subnet as the specified IP address in the giaddr field As a result the client might not be on the same subnet as the DHCP relay interface the gateway To avoid this problem you must co...

Страница 162: ...broadcast or unicast a response Configuring forwarding DHCP replies based on Option 82 Configure this feature if the DHCP relay agent is required to forward DHCP replies to DHCP clients based on Optio...

Страница 163: ...padding mode to bas normal or verbose and specify the sub interface vlan keyword for this command 5 Configure the DHCP relay agent to forward DHCP replies based on Option 82 dhcp relay forward reply b...

Страница 164: ...interfaces Details not shown Enable DHCP RouterA system view RouterA dhcp enable Enable the DHCP relay agent on GigabitEthernet 1 0 1 RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1...

Страница 165: ...e Option 82 and perform Option 82 related configuration RouterA GigabitEthernet1 0 1 dhcp relay information enable RouterA GigabitEthernet1 0 1 dhcp relay information strategy replace RouterA GigabitE...

Страница 166: ...thernet1 0 1 dhcp relay server address algorithm master backup Configure the DHCP relay agent to switch back to the master DHCP server 3 minutes after it switches to the backup DHCP server RouterA Gig...

Страница 167: ...nt or server configuration To locate the problem enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information Check that D...

Страница 168: ...s enabled with the DHCP client If the interface obtains an IP address on the same segment as another interface on the device the interface does not use the assigned address Instead it requests a new I...

Страница 169: ...face generates the DHCP client ID based on its MAC address If the interface has no MAC address it uses the MAC address of the first Ethernet interface to generate its client ID Enabling duplicated add...

Страница 170: ...tion The DHCP client s IP address resides on subnet 10 1 1 0 24 The DNS server address is 20 1 1 1 The next hop of the static route to subnet 20 1 1 0 24 is 10 1 1 2 The DHCP server uses Option 121 to...

Страница 171: ...nterface gigabitethernet 1 0 1 RouterB GigabitEthernet1 0 1 ip address dhcp alloc RouterB GigabitEthernet1 0 1 quit Verifying the configuration Display the IP address and other network parameters assi...

Страница 172: ...24 Static 70 0 10 1 1 2 GE1 0 1 10 1 1 255 32 Direct 0 0 10 1 1 3 GE1 0 1 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 1...

Страница 173: ...ng entry includes the MAC and IP addresses of a client the port that connects to the DHCP client and the VLAN The following features need to use DHCP snooping entries ARP attack detection Uses DHCP sn...

Страница 174: ...about Option 82 see Relay agent option Option 82 DHCP snooping uses the same strategies as the DHCP relay agent to handle Option 82 for DHCP request messages as shown in Table 8 If a response returned...

Страница 175: ...authorized DHCP servers as trusted ports to make sure that DHCP clients can obtain valid IP addresses The trusted ports and the ports connected to DHCP clients must be in the same VLAN You can specify...

Страница 176: ...gy is replace configure a padding mode and padding format for Option 82 If the handling strategy is keep or drop you do not need to configure any padding mode or padding format for Option 82 The setti...

Страница 177: ...uto backup The auto backup feature saves DHCP snooping entries to a backup file and allows the DHCP snooping device to download the entries from the backup file at device reboot The entries on the DHC...

Страница 178: ...s contain different sender MAC addresses use the mac address max mac count command to set the MAC learning limit on a Layer 2 port For more information about the command see Layer 2 LAN Switching Comm...

Страница 179: ...terface interface type interface number N A 3 Enable DHCP REQUEST check dhcp snooping check request message By default DHCP REQUEST check is disabled Setting the maximum number of DHCP snooping entrie...

Страница 180: ...d Display DHCP snooping entries display dhcp snooping binding ip ip address vlan vlan id verbose Display Option 82 configuration information on the DHCP snooping device display dhcp snooping informati...

Страница 181: ...DHCP REQUEST messages Figure 47 Network diagram Procedure Enable DHCP snooping SwitchB system view SwitchB dhcp snooping enable Configure GigabitEthernet 1 0 1 as a trusted port SwitchB interface gig...

Страница 182: ...a trusted port SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 dhcp snooping trust SwitchB GigabitEthernet1 0 1 quit Configure Option 82 on GigabitEthernet 1 0 2 SwitchB interface...

Страница 183: ...167 Verifying the configuration Display Option 82 configuration information on GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 on the DHCP snooping device SwitchB display dhcp snooping information...

Страница 184: ...s dynamically A BOOTP client dynamically obtains an IP address from a BOOTP server as follows 1 The BOOTP client broadcasts a BOOTP request which contains its own MAC address 2 Upon receiving the requ...

Страница 185: ...wn in Figure 33 GigabitEthernet 1 0 1 of Router B connects to the LAN to obtain an IP address from the DHCP server by using BOOTP To make the BOOTP client obtain an IP address from the DHCP server per...

Страница 186: ...ges Assignment involving four messages As shown in Figure 50 four message assignment operates using the following steps 1 The DHCPv6 client sends a Solicit message to request an IPv6 address prefix an...

Страница 187: ...essage informing the client whether the lease is renewed Figure 52 Using the Rebind message for address prefix lease renewal As shown in Figure 52 If the DHCPv6 client does not receive a response from...

Страница 188: ...equested configuration parameters 2 The DHCPv6 server returns to the client a Reply message containing the requested configuration parameters 3 The client checks the Reply message If the obtained conf...

Страница 189: ...is used to identify the client The DHCPv6 snooping device adds Option 37 to the received DHCPv6 request message before forwarding it to the DHCPv6 server This option provides client information about...

Страница 190: ...amic Host Configuration Protocol DHCP Service for IPv6 RFC 3315 Dynamic Host Configuration Protocol for IPv6 DHCPv6 RFC 2462 IPv6 Stateless Address Autoconfiguration RFC 3633 IPv6 Prefix Options for D...

Страница 191: ...include the following types Temporary IPv6 addresses Frequently changed without lease renewal Non temporary IPv6 addresses Correctly used by DHCPv6 clients with lease renewal Figure 56 IPv6 address a...

Страница 192: ...evice supports the hardware type of Ethernet with the value of 0x0001 Link layer address Takes the value of the bridge MAC address of the device IA Identified by an IAID an identity association IA pro...

Страница 193: ...for a client 1 If there is an address pool where an IPv6 address is statically bound to the DUID or IAID of the client the DHCPv6 server selects this address pool It assigns the statically bound IPv6...

Страница 194: ...a DHCPv6 policy for IPv6 address and prefix assignment Configuring the DHCPv6 server on an interface Optional Allocating different IPv6 addresses to DHCPv6 clients with the same MAC Optional Setting t...

Страница 195: ...ixes in the prefix pool are excluded from dynamic assignment If the excluded IPv6 prefix is in a static binding the prefix still can be assigned to the client To exclude multiple IPv6 prefix ranges re...

Страница 196: ...ed by the address range command If no non temporary address range is specified the server selects addresses on the subnet specified by the network command Temporary address assignment The server selec...

Страница 197: ...range address range start ipv6 address end ipv6 address preferred lifetime preferred lifetime valid lifetime valid lifetime By default no non temporary IPv6 address range is specified and all unicast...

Страница 198: ...erver ipv6 address By default no DNS server address is specified 5 Specify a domain name domain name domain name By default no domain name is specified 6 Specify an AFTR domain name aftr name aftr nam...

Страница 199: ...ser classes in the order that they are configured If a match is found and the bound address pool has assignable IPv6 addresses or prefixes the server uses the address pool for assignment If the bound...

Страница 200: ...to assign an IPv6 address prefix to a client Configure global address assignment on the interface The DHCPv6 server selects an IPv6 address prefix in the global DHCPv6 address pool that matches the s...

Страница 201: ...e following methods to identify the DHCPv6 clients that have the same MAC address If a DHCPv6 snooping device or a DHCPv6 relay agent exist you must enable the DHCPv6 snooping device or the DHCPv6 rel...

Страница 202: ...name filename url url username username password cipher simple string By default the DHCPv6 server does not back up the DHCPv6 bindings With this command executed the DHCPv6 server backs up its bindin...

Страница 203: ...assigns IPv6 addresses in this address pool to clients in the VPN instance Addresses in this address pool will not be assigned to clients on the public network The DHCPv6 server can obtain the VPN ins...

Страница 204: ...rver will create a flood attack entry and count the number of incoming DHCPv6 packets for that client again This feature is not applicable to a DHCPv6 server if a DHCPv6 relay agent exists in the netw...

Страница 205: ...ter For information about the log destination and output rule configuration in the information center see Network Management and Monitoring Configuration Guide As a best practice disable this feature...

Страница 206: ...vpn instance vpn instance name Clear information about expired IPv6 address bindings reset ipv6 dhcp server expired address ipv6 address vpn instance vpn instance name pool pool name Clear information...

Страница 207: ...ix 2001 0410 32 with assigned prefix length 48 Router ipv6 dhcp prefix pool 1 prefix 2001 0410 32 assign len 48 Create address pool 1 Router ipv6 dhcp pool 1 In address pool 1 specify subnet 1 64 wher...

Страница 208: ...on about address pool 1 Router GigabitEthernet1 0 1 display ipv6 dhcp pool 1 DHCPv6 pool 1 Network 1 64 Preferred lifetime 604800 valid lifetime 2592000 Prefix pool 1 Preferred lifetime 86400 valid li...

Страница 209: ...0 0 2 96 The lease duration of the addresses on subnet 1 2 0 0 0 96 is 432000 seconds five days the valid time is 864000 seconds ten days the domain name is aabbcc com and the DNS server address is 1...

Страница 210: ...rnet1 0 2 ipv6 dhcp select server RouterA GigabitEthernet1 0 2 quit Exclude the DNS server addresses from dynamic assignment RouterA ipv6 dhcp server forbidden address 1 1 0 0 2 RouterA ipv6 dhcp serv...

Страница 211: ...a Solicit message containing the Rapid Commit option to the multicast address FF02 1 2 of all the DHCPv6 servers and relay agents After receiving the Solicit message the DHCPv6 relay agent encapsulate...

Страница 212: ...an interface Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Enable DHCPv6 relay agent on the interface ipv6 dhcp selec...

Страница 213: ...list command to specify the gateway addresses for clients matching the same DHCPv6 address pool Upon receiving a DHCPv6 Solicit or Request from a client that matches a DHCPv6 address pool the relay ag...

Страница 214: ...y address on the relay agent for DHCPv6 clients The DHCPv6 relay agent uses the specified gateway address to fill the link address field of DHCPv6 Solicit and Request packets To specify a gateway addr...

Страница 215: ...inding between a client s hardware address and IPv6 address or prefix Some security features such as IP source guard use DHCPv6 relay entries to check incoming packets and block packets that do not ma...

Страница 216: ...es a DHCPv6 flood attack entry in check state If the number of DHCPv6 packets from the same MAC address reaches the upper limit in the detection duration the relay agent determines that the client is...

Страница 217: ...id Display DHCPv6 relay entries that record clients IPv6 address information display ipv6 dhcp relay client information address interface interface type interface number ipv6 ipv6 address vpn instance...

Страница 218: ...2 quit RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 ipv6 address 1 1 64 Disable RA message suppression on GigabitEthernet 1 0 1 RouterA GigabitEthernet1 0 1 undo ipv6 nd ra ha...

Страница 219: ...y packet statistics on the DHCPv6 relay agent RouterA GigabitEthernet1 0 1 display ipv6 dhcp relay statistics Packets dropped 0 Packets received 14 Solicit 0 Request 0 Confirm 0 Renew 0 Rebind 0 Relea...

Страница 220: ...HCPv6 snooping reads DHCP ACK messages received from trusted ports and DHCP REQUEST messages to create DHCPv6 snooping entries A DHCPv6 snooping entry includes the MAC and IP addresses of a client the...

Страница 221: ...elines when you configure basic DHCPv6 snooping To make sure DHCPv6 clients can obtain valid IPv6 addresses specify the ports connected to authorized DHCPv6 servers as trusted ports The trusted ports...

Страница 222: ...oping option remote id enable By default Option 37 is not supported 4 Optional Specify the content as the remote ID ipv6 dhcp snooping option remote id vlan vlan id string remote id By default the DHC...

Страница 223: ...ified waiting period is reached All changed entries during the period will be saved to the backup file If no DHCPv6 snooping entry changes the backup file is not updated Setting the maximum number of...

Страница 224: ...port Perform this task to configure a port as a DHCPv6 packet blocking port The DHCPv6 packet blocking port drops all incoming DHCP requests To configure a DHCPv6 packet blocking port Step Command Re...

Страница 225: ...number slot slot number Clear DHCPv6 snooping entries reset ipv6 dhcp snooping binding all address ipv6 address vlan vlan id In standalone mode Clear DHCPv6 packet statistics for DHCPv6 snooping reset...

Страница 226: ...Enable the recording of DHCPv6 snooping entries on GigabitEthernet 1 0 2 SwitchB interface gigabitethernet 1 0 2 SwitchB GigabitEthernet1 0 2 ipv6 dhcp snooping binding record SwitchB GigabitEthernet1...

Страница 227: ...quiet time The quiet mechanism avoids repeated authentication during a short time User account policies MAC authentication supports the following user account policies One MAC based user account for...

Страница 228: ...server for authentication VLAN assignment Authorization VLAN The device uses the authorization VLAN to control the access of a MAC authentication user to authorized network resources The device suppor...

Страница 229: ...are server for downloading software and system patches A hybrid port is always assigned to a MAC authentication guest VLAN as an untagged member After the assignment do not reconfigure the port as a t...

Страница 230: ...address of the user to the PVID of the access port ACL assignment You can specify an authorization ACL in the user account for a MAC authentication user to control the user s access to network resour...

Страница 231: ...C authentication is exclusive with link aggregation group or service loopback group You cannot enable MAC authentication on a port already in a link aggregation group or a service loopback group You c...

Страница 232: ...authentication By default MAC authentication is disabled globally 3 Enter interface view interface interface type interface number N A 4 Enable MAC authentication on the port mac authentication By de...

Страница 233: ...address is in the hexadecimal notation without hyphens and letters are in lower case Configuring MAC authentication timers About MAC authentication timers MAC authentication uses the following timers...

Страница 234: ...view N A 2 Enter Ethernet interface view interface interface type interface number N A 3 Enable MAC authentication offline detection mac authentication offline detect enable By default MAC authenticat...

Страница 235: ...off and reauthenticates the user Configuring MAC authentication delay Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 En...

Страница 236: ...4 Optional Set the authentication interval for users in the MAC authentication guest VLAN mac authentication guest vlan auth period period value The default setting is 30 seconds Configuring a MAC aut...

Страница 237: ...one MAC authentication critical VLAN on a port Configuring the keep online feature By default the device logs off online MAC authentication users if no server is reachable for MAC reauthentication The...

Страница 238: ...n of the user is valid The server will record the IP MAC combination of the user If the user IP address is changed at the next authentication the user cannot pass authentication Restrictions and guide...

Страница 239: ...guest VLAN on a port reset mac authentication guest vlan interface interface type interface number mac address mac address MAC authentication configuration examples Example Configuring local MAC auth...

Страница 240: ...in the hexadecimal notation with hyphens and letters are in lower case Device mac authentication user name format mac address with hyphen lowercase Enable MAC authentication globally Device mac authe...

Страница 241: ...Ethernet 1 0 1 Configure the device to detect whether a user has gone offline every 180 seconds Configure the device to deny a user for 180 seconds if the user fails MAC authentication Configure all u...

Страница 242: ...ication timer offline detect 180 Device mac authentication timer quiet 180 Specify username aaa and password 123456 in plain text for the account shared by MAC authentication users Device mac authenti...

Страница 243: ...based user accounts for MAC authentication users Each MAC address is in the hexadecimal notation with hyphens and letters are in lower case Use an ACL to deny authenticated users to access the FTP ser...

Страница 244: ...rnet 1 0 1 Device GigabitEthernet1 0 1 mac authentication Device GigabitEthernet1 0 1 quit Enable MAC authentication globally Device mac authentication 3 Configure the RADIUS servers Add a user accoun...

Страница 245: ...users 1 MAC address Auth state 00e0 fc12 3456 Authenticated Verify that you cannot ping the FTP server from the host C ping 10 0 0 1 Pinging 10 0 0 1 with 32 bytes of data Request timed out Request t...

Страница 246: ...Establishment phase the LCP negotiation is performed The LCP configuration options include Authentication Protocol Async Control Character Map ACCM Maximum Receive Unit MRU Magic Number Protocol Fiel...

Страница 247: ...s the result calculated from the password and random packet ID by using the MD5 algorithm It is more secure than PAP The authenticator may or may not be configured with a username As a best practice c...

Страница 248: ...s the server to assign the DNS server IP address to the host When the device is connected to an ISP access server configure the device as the client Then the device can obtain the DNS server IP addres...

Страница 249: ...equired Configuring a VT interface Required Configuring PPP authentication Optional Configuring the polling feature Optional Enabling fast reply for keepalive packets Required Configuring PPP negotiat...

Страница 250: ...ceeds If the response packet from the peer carries a recommended authentication mode the authenticator directly uses the authentication mode if it finds the mode configured Configuring PAP authenticat...

Страница 251: ...ate the peer by using CHAP ppp authentication mode chap domain isp name default enable isp name By default PPP authentication is disabled 4 Configure a username for the CHAP authenticator ppp chap use...

Страница 252: ...icator name is not configured To configure the authenticator Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Configure t...

Страница 253: ...entication method for PPP users to none when MS CHAP V2 authentication is used Configuring MS CHAP or MS CHAP V2 authentication authenticator name is configured Step Command Remarks 1 Enter system vie...

Страница 254: ...the polling feature The polling feature checks PPP link state On an interface that uses PPP encapsulation the link layer sends keepalives at keepalive intervals to detect the availability of the peer...

Страница 255: ...match DNS server IP address negotiation ACCM negotiation ACFC negotiation PFC negotiation Configuring the PPP negotiation timeout time The device starts the PPP negotiation timeout timer after sending...

Страница 256: ...ts requiring no authentication you can use either method 1 or method 2 When both method 1 and method 2 are configured the most recent configuration takes effect For clients requiring authentication yo...

Страница 257: ...ter interface view interface interface type interface number N A 7 Configure the interface to assign an IP address from the configured PPP address pool to the peer remote address pool pool name By def...

Страница 258: ...ble new IP address allocation ip pool pool name allocate new ip enable By default new IP address allocation is disabled 4 Optional Configure a gateway address for the PPP address pool ip pool pool nam...

Страница 259: ...e AAA commands in User Access Command Reference 5 Return to system view quit N A 6 Enter interface view interface interface type interface number N A 7 Configure an IP address for the interface ip add...

Страница 260: ...to accept the DNS server IP addresses assigned by the peer even though it does not request the peer for the DNS server IP addresses ppp ipcp dns admit any By default a device does not accept the DNS s...

Страница 261: ...ep Command Remarks 1 Enter system view system view N A 2 Enable logging for PPP users ppp access user log enable successful login failed login normal logout abnormal logout By default logging is disab...

Страница 262: ...tem view N A 2 Enable PPP user blocking ppp authentication chasten auth failure auth period blocking period By default PPP user blocking is disabled Configuring the NAS Port Type attribute The NAS Por...

Страница 263: ...e suppress By default this feature is disabled Configuring the traffic accounting frequency mode for online PPP users The device supports the following frequency modes fast This mode can be configured...

Страница 264: ...er In IRF mode Display PPP chasten statistics display ppp chasten user auth failed blocked username user name chassis chassis number slot slot number In standalone mode Display blocking information ab...

Страница 265: ...um username user name user type lac lns pppoe vpn instance vpn name chassis chassis number slot slot number In standalone mode Clear offline reason statistics about PPP users reset ppp offline reason...

Страница 266: ...s to access the private network LAC An L2TP access concentrator LAC is both PPP and L2TP capable It is usually a network access server NAS located at a local ISP which provides access services mainly...

Страница 267: ...oint to point connection between an LAC and an LNS Multiple L2TP tunnels can be established between an LNS and an LAC An L2TP tunnel can carry one or more L2TP sessions Each L2TP session corresponds t...

Страница 268: ...ing to the username or the ISP domain to which the user belongs 7 If tunnel authentication is needed the LAC and LNS send CHAP challenge messages to authenticate each other before successfully establi...

Страница 269: ...er security because it is established between a remote system and the LNS The remote system must support L2TP and be able to communicate with the LNS This causes poor expandability As shown in Figure...

Страница 270: ...unnel is similar to that for establishing a NAS initiated tunnel Details not shown Figure 81 Establishment process for LAC auto initiated tunnels L2TP features Flexible identity authentication mechani...

Страница 271: ...unnel attributes Table 15 Tunnel attributes that can be issued by the RADIUS server Attribute number Attribute name Description 64 Tunnel Type Tunnel type which can only be L2TP 65 Tunnel Medium Type...

Страница 272: ...nds the IP address of the CAMS IMC server to the iNode client The server IP address is permitted by the isolation ACLs 3 The CAMS IMC server authenticates the iNode client and performs security check...

Страница 273: ...ish an L2TP tunnel The first and fifth tasks are required for NAS initiated mode and unnecessary for LAC auto initiated mode The last task is required for LAC auto initiated mode and unnecessary for N...

Страница 274: ...view l2tp group group number mode lac lns By default no L2TP group exists Specify the mode as lac on the LAC side and as lns on the LNS side 4 Specify the local tunnel name tunnel name name Optional...

Страница 275: ...as the source IP address of L2TP tunnel packets on the LAC If equal cost routing paths exist between the LAC and LNS you must use the IP address of a loopback interface as the source IP address of L2...

Страница 276: ...authentication on an LAC You can configure AAA authentication an LAC to authenticate the remote dialup users and initiate a tunneling request only for qualified users A tunnel will not be established...

Страница 277: ...number By default an LAC does not establish an L2TP tunnel An L2TP tunnel automatically established in LAC auto initiated mode exists until you remove the tunnel by using the undo l2tp auto client or...

Страница 278: ...from an LAC and specify the VT interface to be used for tunnel setup If the L2TP group number is 1 allow l2tp virtual template virtual template number remote remote name If the L2TP group number is no...

Страница 279: ...tp group group number mode lns N A 3 Configure mandatory CHAP authentication mandatory chap By default CHAP authentication is not performed on an LNS This command is effective only on NAS initiated L2...

Страница 280: ...NS can process per second Step Command Remarks 1 Enter system view system view N A 2 Set the maximum number of ICRQ packets that the LNS can process per second l2tp icrq limit number By default the ma...

Страница 281: ...system view system view N A 2 Enter L2TP group view l2tp group group number mode lac lns N A 3 Set the Hello interval tunnel timer hello hello interval The default setting is 60 seconds Setting the DS...

Страница 282: ...AAA RADIUS L2TP firewalls and PPP are configured as required before you enable L2TP based EAD For more information about portal see Configuring portal authentication For more information about AAA and...

Страница 283: ...and maintenance commands for L2TP Execute display commands in any view and reset commands in user view Task Command Display L2TP tunnel information display l2tp tunnel statistics Display L2TP session...

Страница 284: ...it Enable the PPPoE server on GigabitEthernet 3 1 1 and bind the interface to Virtual Template 1 LAC interface gigabitethernet 3 1 1 LAC GigabitEthernet3 1 1 pppoe server bind virtual template 1 LAC G...

Страница 285: ...l template 1 remote LAC Enable tunnel authentication and specify the tunnel authentication key as aabbcc LNS l2tp1 tunnel authentication LNS l2tp1 tunnel password simple aabbcc LNS l2tp1 quit 3 On the...

Страница 286: ...for PPP users in ISP domain system LNS domain system LNS isp system authentication ppp local LNS isp system quit Enable L2TP LNS l2tp enable Create a PPP address pool LNS ip pool aaa 192 168 0 10 192...

Страница 287: ...C address IP address IPv6 address IPv6 PDPrefix BAS0 vpdnuser 192 168 0 10 On the remote host initiate the L2TP connection After the connection is established verify that the remote host can obtain th...

Страница 288: ...1 for receiving tunneling requests from an LAC LNS l2tp1 tunnel name LNS LNS l2tp1 allow l2tp virtual template 1 remote LAC Enable tunnel authentication and configure the authentication key as aabbcc...

Страница 289: ...524 Established 1 3 3 3 1 1701 LAC On the LNS verify that you can ping 10 2 0 1 a private network address on the LAC side This indicates that hosts on 10 2 0 0 16 and those on 10 1 0 0 16 can communi...

Страница 290: ...ice versa If no route is available configure a static route or a dynamic routing protocol 2 Increase the link bandwidth to enhance the link availability Internet backbone congestion and high packet lo...

Страница 291: ...etworks For more information about PPPoE see RFC 2516 PPPoE network structure PPPoE uses the client server model The PPPoE client initiates a connection request to the PPPoE server After session negot...

Страница 292: ...erfaces subinterfaces L3VE interfaces subinterfaces Restrictions and guidelines PPPoE configuration The device can only act as a PPPoE server Make sure the statistics polling interval is 300 seconds w...

Страница 293: ...ticator 4 Return to system view quit N A 5 Enter interface view interface interface type interface number N A 6 Enable the PPPoE server on the interface and bind this interface to the specified VT int...

Страница 294: ...PPoE sessions for a VLAN on an interface pppoe server session limit per vlan number By default the number of PPPoE sessions for a VLAN on an interface is not limited 5 Set the maximum number of PPPoE...

Страница 295: ...tes To limit the PPPoE access rate Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number The PPPoE server is enabled on the interfac...

Страница 296: ...ault format is a string of characters Enabling PPPoE users to come online despite the PPPoE NAT444 collaboration failure If a card that supports NAT444 collaboration fails the PPPoE NAT444 collaborati...

Страница 297: ...te limit MPU model PADI packet receiving rate limit CSR07SRPUD3 500 Other MPUs 200 Configuring PPPoE user blocking About PPPoE user blocking You can use this feature to prevent multiple PPPoE users fr...

Страница 298: ...end them to the information center Logs are generated when the following requirements are met The number of PPPoE sessions reaches the upper limit for an interface user VLAN or the system New users re...

Страница 299: ...nterface type interface number In standalone mode Display packet statistics for PPPoE sessions display pppoe server session packet slot slot number interface interface type interface number In IRF mod...

Страница 300: ...able IP addresses and configure a gateway address for the PPP address pool Router ip pool 1 1 1 1 2 1 1 1 10 Router ip pool 1 gateway 1 1 1 1 Enable the PPPoE server on GigabitEthernet 3 1 1 and bind...

Страница 301: ...pool1 dns list 8 8 8 8 Exclude the IP address 1 1 1 1 from dynamic allocation in DHCP address pool pool1 Router dhcp pool pool1 forbidden ip 1 1 1 1 Router dhcp pool pool1 quit Create a PPPoE user Ro...

Страница 302: ...the relay agent RouterA dhcp relay client information record Create DHCP relay address pool pool1 RouterA dhcp server ip pool pool1 Specify a gateway address for the clients in pool1 RouterA dhcp poo...

Страница 303: ...hcp relay client information Total number of client information items 1 Total number of dynamic items 1 Total number of temporary items 0 IP address MAC address Type Interface VPN name 2 2 2 3 00e0 00...

Страница 304: ...1 1 pppoe server bind virtual template 10 Router GigabitEthernet3 1 1 quit Create a DHCPv6 address pool named pool1 and specify DNS server IPv6 address 2 2 3 Router ipv6 dhcp pool pool1 Router dhcp6...

Страница 305: ...autoconfig managed address flag Enable the DHCPv6 server feature Router Virtual Template10 ipv6 dhcp select server Router Virtual Template10 quit Enable the PPPoE sever on GigabitEthernet 3 1 1 and b...

Страница 306: ...tem Configure an IPv6 address for Virtual Template 10 RouterB Virtual Template10 ipv6 address 2001 1 64 Enable Virtual Template 10 to advertise RA messages RouterB Virtual Template10 undo ipv6 nd ra h...

Страница 307: ...n Router A can assign the prefix 4001 1 42 to the host who uses the prefix to generate an IPv6 global unicast address Example Configuring PPPoE server RADIUS based IP address assignment Network config...

Страница 308: ...uthentication and use ISP domain dm1 as the authentication domain RouterA system view RouterA interface virtual template 1 RouterA Virtual Template1 ppp authentication mode chap domain dm1 RouterA Vir...

Страница 309: ...ounting for users based on scheme rs1 RouterA isp dm1 authentication ppp radius scheme rs1 RouterA isp dm1 authorization ppp radius scheme rs1 RouterA isp dm1 accounting ppp radius scheme rs1 RouterA...

Страница 310: ...ish information on the authentication page Supports multiple authentication modes For example re DHCP authentication implements a flexible address assignment scheme and saves public IP addresses Cross...

Страница 311: ...r receives authentication requests from authentication clients and interacts with the access device to authenticate users The portal Web server is typically integrated with the portal authentication s...

Страница 312: ...local portal Web service for the authentication client The authentication client can only be a Web browser and it cannot be a user host that runs a portal client Therefore extended portal functions a...

Страница 313: ...r a user passes authentication the access device generates an ACL for the user based on the user s IP address to control forwarding of the packets from the user Because no Layer 3 forwarding device ex...

Страница 314: ...the portal authentication server to notify authentication success or failure 7 The portal authentication server sends an authentication success or failure packet to the client 8 If the authentication...

Страница 315: ...of portal filtering rules First category The rule permits user packets that are destined for the portal Web server and packets that match the portal free rules to pass through Second category For an a...

Страница 316: ...rm normal portal authentication for the user If the user fails portal authentication an authentication failure message is returned to the user The whole process is finished If the user passes portal a...

Страница 317: ...permit feature N A Optional Configuring portal detection features Configuring online detection of portal users Configuring portal authentication server detection Configuring portal Web server detectio...

Страница 318: ...portal authentication server Configure this feature when user authentication uses a remote portal authentication server With portal authentication enabled the device searches for a portal authenticat...

Страница 319: ...ortal Web server Step Command Remarks 1 Enter system view system view N A 2 Create a portal Web server and enter its view portal web server server name By default no portal Web servers exist You can c...

Страница 320: ...em view N A 2 Create a portal Web server and enter its view portal web server server name By default no portal Web servers exist 3 Configure a match rule for URL redirection if match original url url...

Страница 321: ...if file Logon htm includes contents that perform Get action on file ca htm file ca htm cannot include any reference to file Logon htm Post requests Used when users submit username and password pairs...

Страница 322: ...53 44 ssid4 zip 2540 KB total 1319 KB free Redirecting authenticated users to a specific webpage To make the device automatically redirect authenticated users to a specific webpage do the following in...

Страница 323: ...ort number By default the HTTP service listening port number is 80 and the HTTPS service listening port number is 443 Specifying a portal authentication domain About portal authentication domains An a...

Страница 324: ...ributes such as ACL user profile and CAR After the users pass portal authentication they are assigned new attributes by the AAA server After the users go offline they are re assigned user attributes i...

Страница 325: ...ser uses the following IP address If the client is configured to obtain an IP address automatically through DHCP the user obtains an address from the specified IP address pool If the client is configu...

Страница 326: ...rface enabled with portal authentication to an aggregation group Otherwise portal authentication does not take effect As a best practice do not apply a QoS policy to an interface enabled with portal a...

Страница 327: ...6 attribute use the portal bas ip bas ipv6 command An IPv6 portal server does not support re DHCP portal authentication Procedure To enable portal authentication on an interface Step Command Remarks 1...

Страница 328: ...s for configuring a portal free rule When you configure a portal free rule follow these restrictions and guidelines If you specify both a VLAN and an interface the interface must belong to the VLAN If...

Страница 329: ...tcp tcp port number udp udp port number interface interface type interface number By default no IPv6 based portal free rule exists Configuring a source based portal free rule Step Command Remarks 1 En...

Страница 330: ...IPv4 portal authentication source subnet portal layer3 source ipv4 network address mask length mask By default no IPv4 portal authentication source subnet is configured and users from any subnets must...

Страница 331: ...s temporarily when an active standby MPU switchover finishes and it resumes after user information synchronization completes between the global active MPU and service modules You can use the display d...

Страница 332: ...y IPv6 addresses to access the IPv6 network and will fail portal authentication This configuration does not affect the online portal users Procedure To allow only users with DHCP assigned IP addresses...

Страница 333: ...s within the failure detection period All authentication requests from the user are dropped by the device till the blocking times out The blocked portal user can perform portal authentication again wh...

Страница 334: ...rtal authentication server or portal Web server is unreachable it allows users on the interface to have network access without portal authentication If you enable fail permit for both a portal authent...

Страница 335: ...refreshed within the maximum number of detection attempts the device considers that the user is online and stops detecting the user s ARP or ND entry Then the device resets the idle timer and repeats...

Страница 336: ...on feature takes effect only when the device has a portal enabled interface Only the IMC portal authentication server supports sending heartbeat packets To test server reachability by detecting heartb...

Страница 337: ...n configure the device to take one or more of the following actions when the server reachability status changes Sending a trap message to the NMS The trap message contains the name and current state o...

Страница 338: ...ent the portal user synchronization feature you also need to configure the user heartbeat function on the portal authentication server Make sure the user heartbeat interval configured on the portal au...

Страница 339: ...A 2 Enter interface view interface interface type interface number N A 3 Configure the BAS IP attribute portal bas ip ipv4 address By default The BAS IP attribute of an IPv4 portal reply packet sent t...

Страница 340: ...ace By default the device sends its device name in the NAS Identifier attribute of all RADIUS requests A NAS ID profile enables you to send different NAS Identifier attribute strings in RADIUS request...

Страница 341: ...m view system view N A 2 Create a MAC binding server and enter its view portal mac trigger server server name By default no MAC binder servers exist 3 Specify the IP address of the MAC binding server...

Страница 342: ...r interface view interface interface type interface number The interface must be a Layer 3 interface 3 Specify a MAC binding server on the interface portal apply mac trigger server server name By defa...

Страница 343: ...nting processes Set a proper threshold to balance between service performance and traffic backup accuracy Procedure To set the user traffic backup threshold Step Command Remarks 1 Enter system view sy...

Страница 344: ...cation but is directly redirected to the specified URL on the first Web access attempt in a browser After the specified redirect interval the user is redirected from the visiting website to the specif...

Страница 345: ...tack defense display portal http defense monitored ip slot slot number In IRF mode Display statistics for monitored destination IP addresses in portal HTTP attack defense display portal http defense m...

Страница 346: ...web redirect rule interface interface type interface number chassis chassis number slot slot number Portal configuration examples Example Configuring direct portal authentication Network configuration...

Страница 347: ...example uses the default values d Click OK Figure 100 Portal authentication server configuration 2 Configure the IP address group a Select Access Service Portal Service Management IP Group from the na...

Страница 348: ...cation This example uses direct portal authentication and therefore select No from the Reallocate IP list g Set whether to support the portal server heartbeat and user heartbeat functions In this exam...

Страница 349: ...alidate the configurations Configuring the portal authentication server on IMC PLAT 5 0 In this example the portal server runs on IMC PLAT 5 0 E0101 and IMC UAM 5 0 E0101 1 Configure the portal authen...

Страница 350: ...group configuration page b Click Add to open the page as shown in Figure 106 c Enter the IP group name d Enter the start IP address and end IP address of the IP group Make sure the host IP address is...

Страница 351: ...st g Select whether to support server heartbeat and user heartbeat functions In this example select No for both Support Server Heartbeat and Support User Heartbeat h Click OK Figure 107 Adding a porta...

Страница 352: ...counting simple radius Exclude the ISP domain name from the username sent to the RADIUS server Router radius rs1 user name format without domain Router radius rs1 quit Enable RADIUS session control Ro...

Страница 353: ...hernet 1 0 2 to the portal authentication server Router GigabitEthernet1 0 2 portal bas ip 2 2 2 1 Router GigabitEthernet1 0 2 quit Verifying the configuration Verify that the portal configuration has...

Страница 354: ...e following command to display information about the portal user Router display portal user interface gigabitethernet 1 0 2 Total portal users 1 Username abc Portal server newpt State Online VPN insta...

Страница 355: ...portal server is the public IP address 20 20 20 1 of the router s interface connecting the host The private IP address range for the IP address group associated with the portal device is the private...

Страница 356: ...t1 0 2 dhcp relay server address 192 168 0 112 Enable authorized ARP Router GigabitEthernet1 0 2 arp authorized enable Router GigabitEthernet1 0 2 quit 4 Configure portal authentication Configure a po...

Страница 357: ...method Disabled Portal web server Not configured Authentication domain Not configured Pre auth policy Not configured User dhcp only Disabled Pre auth IP pool Not configured Max Portal users Not confi...

Страница 358: ...rtal Web server A RADIUS server acts as the authentication accounting server Configure Router A for cross subnet portal authentication Before passing the authentication the host can access only the po...

Страница 359: ...us scheme rs1 RouterA isp dm1 accounting portal radius scheme rs1 RouterA isp dm1 quit Configure domain dm1 as the default ISP domain If a user enters the username without the ISP domain name at login...

Страница 360: ...ed Pre auth policy Not configured User dhcp only Disabled Pre auth IP pool Not configured Max Portal users Not configured Bas ip 20 20 20 1 User detection Not configured Action for server detection Se...

Страница 361: ...IP VLAN Interface 0015 e9a6 7cfe 8 8 8 2 GigabitEthernet1 0 2 Authorization information DHCP IP pool N A User profile N A Session group profile N A ACL N A Inbound CAR N A Outbound CAR N A Inbound pri...

Страница 362: ...s rs1 user name format without domain Enable RADIUS session control Router radius session control enable Specify a session control client with IP address 192 168 0 113 and shared key 12345 in plain te...

Страница 363: ...vr newpt url http 192 168 0 111 8080 portal Router portal websvr newpt quit Enable direct portal authentication on GigabitEthernet 1 0 2 Router interface gigabitethernet 1 0 2 Router GigabitEthernet1...

Страница 364: ...Destination authenticate subnet IP address Prefix length Before passing portal authentication a user that uses the H3C iNode client can access only the authentication page http 192 168 0 111 8080 por...

Страница 365: ...accepts security check If the host fails the security check it can access only subnet 192 168 0 0 24 After passing the security check the host can access other network resources Figure 113 Network dia...

Страница 366: ...ify a session control client with IP address 192 168 0 114 and shared key 12345 in plain text Router radius session control client ip 192 168 0 114 key simple 12345 2 Configure an authentication domai...

Страница 367: ...outer portal websvr newpt quit Enable re DHCP portal authentication on GigabitEthernet 1 0 2 Router interface gigabitethernet 1 0 2 Router GigabitEthernet1 0 2 portal enable method redhcp Reference th...

Страница 368: ...x length Before passing portal authentication a user that uses the H3C iNode client can access only the authentication page http 192 168 0 111 8080 portal All Web requests from the user will be redire...

Страница 369: ...check the host can access other network resources Figure 114 Network diagram Configuration prerequisites and guidelines Configure IP addresses for the router and servers as shown in Figure 114 and ma...

Страница 370: ...1 as the default ISP domain If a user enters the username without the ISP domain name at login the authentication and accounting methods of the default domain are used for the user RouterA domain defa...

Страница 371: ...itEthernet 1 0 2 NAS ID profile Not configured Authorization Strict checking ACL Disabled User profile Disabled IPv4 Portal status Enabled Portal authentication method Layer3 Portal web server newpt A...

Страница 372: ...r newpt State Online VPN instance N A MAC IP VLAN Interface 0015 e9a6 7cfe 8 8 8 2 GigabitEthernet1 0 2 Authorization information DHCP IP pool N A User profile N A Session group profile N A ACL 3001 I...

Страница 373: ...e portal authentication server a Log in to IMC and click the Service tab b Select Access Service Portal Service Management Server from the navigation tree to open the portal server configuration page...

Страница 374: ...ice configuration page b Click Add to open the page as shown in Figure 118 c Enter the device name NAS d Enter the IP address of the router s interface connected to the host e Enter the key which must...

Страница 375: ...values for other parameters f Click OK 5 Select Access Service Service Parameters Validate System Configuration from the navigation tree to validate the configurations Configuring the portal authentic...

Страница 376: ...address group configuration page b Click Add to open the page as shown in Figure 122 c Enter the IP group name d Enter the start IP address and end IP address of the IP group Make sure the host IP add...

Страница 377: ...st g Select whether to support server heartbeat and user heartbeat functions In this example select Yes for both Support Server Heartbeat and Support User Heartbeat h Click OK Figure 123 Adding a port...

Страница 378: ...counting simple radius Exclude the ISP domain name from the username sent to the RADIUS server Router radius rs1 user name format without domain Router radius rs1 quit Enable RADIUS session control Ro...

Страница 379: ...thentication on GigabitEthernet 1 0 2 Router interface gigabitethernet 1 0 2 Router GigabitEthernet1 0 2 portal enable method direct Enable portal fail permit for the portal authentication server newp...

Страница 380: ...on the user side PE For information about MPLS L3VPN configurations see MPLS Configuration Guide Configure the RADIUS server correctly to provide authentication and accounting functions Procedure Per...

Страница 381: ...l server newpt RouterA portal server newpt ip 192 168 0 111 vpn instance vpn3 key simple portal RouterA portal server newpt port 50100 RouterA portal server newpt quit Configure a portal Web server Ro...

Страница 382: ...re direct portal authentication so the host can access only subnet 192 168 0 0 24 before passing the authentication and access other network resources after passing the authentication Figure 127 Netwo...

Страница 383: ...authentication Configure a portal authentication server Router portal server newpt Router portal server newpt ip 192 168 0 111 key simple portal Router portal server newpt port 50100 Router portal ser...

Страница 384: ...he authentication the host gets a public IP address and can access other network resources Figure 128 Network diagram Configuration prerequisites and guidelines Configure IP addresses for the router a...

Страница 385: ...3010 Router pre auth abc quit In ACL 3010 configure a rule to permit access to the subnet 192 168 0 0 24 Router acl advanced 3010 Router acl ipv4 adv 3010 rule 1 permit ip destination 192 168 0 0 24...

Страница 386: ...e auth interface gigabitethernet 1 0 2 MAC IP VLAN Interface 0015 e9a6 7cfe 10 10 10 4 GigabitEthernet1 0 2 State Online VPN instance N A DHCP IP pool N A User profile N A Session group profile N A AC...

Страница 387: ...gure an authentication domain Create an ISP domain named dm1 and enter its view Router domain dm1 Configure AAA methods for the ISP domain Router isp dm1 authentication portal radius scheme rs1 Router...

Страница 388: ...rization Strict checking ACL Disabled User profile Disabled IPv4 Portal status Enabled Portal authentication method Direct Portal web server newpt Authentication domain Not configured Pre auth policy...

Страница 389: ...State Online VPN instance N A MAC IP VLAN Interface 0015 e9a6 7cfe 2 2 2 2 GigabitEthernet1 0 2 Authorization information IP pool N A User profile N A Session group profile N A ACL N A Inbound CAR N...

Страница 390: ...n this example the portal server runs on IMC PLAT 7 1 E0303 IMC EIA 7 1 F0303 and IMC EIP 7 1 F0303 1 Configure the portal authentication server a Log in to IMC and click the User tab b Select User Ac...

Страница 391: ...list g Click OK Figure 132 Adding an IP address group 3 Add a portal device a Select User Access Policy Portal Service Device from the navigation tree to open the portal device configuration page b Cl...

Страница 392: ...o open the port group configuration page b Click Add to open the page as shown in Figure 135 c Enter the port group name d Select the configured IP address group The IP address used by the user to acc...

Страница 393: ...he MAC binding server runs on IMC PLAT 7 1 E0303 IMC EIA 7 1 F0303 and IMC EIP 7 1 F0303 1 Add an access policy a Select User Access Policy Access Policy from the navigation tree to open the access po...

Страница 394: ...ree to open the access user page b Click Add to open the page as shown in Figure 138 c Select an access user d Set the password e Select a value from the Max Transparent Portal Bindings list f Click O...

Страница 395: ...1 Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers Router radius rs1 primary authentication 192 168 0 112 Router radius...

Страница 396: ...n GigabitEthernet 1 0 2 Router GigabitEthernet1 0 2 portal apply web server newpt Configure the BAS IP as 2 2 2 1 for portal packets sent from GigabitEthernet 1 0 2 to the portal authentication server...

Страница 397: ...interface gigabitethernet 1 0 2 Total portal users 1 Username Client1 Portal server newpt State Online VPN instance N A MAC IP VLAN Interface 0015 e9a6 7cfe 2 2 2 2 GigabitEthernet1 0 2 Authorization...

Страница 398: ...vice uses the source port in the logout request as the destination port in the logout ACK message As a result the portal authentication server can definitely receive the logout ACK message and log out...

Страница 399: ...The device performs re DHCP portal authentication for users A user enters the correct username and password and the client successfully obtains the private and public IP addresses However the authent...

Страница 400: ...rough Layer 2 devices The BRAS uses MAC addresses to identify the hosts Layer 3 access mode Hosts use routing to access the BRAS The hosts connect to the BRAS directly or through Layer 3 devices When...

Страница 401: ...mic IPoE sessions The BRAS disconnects a dynamic IPoE session in one of the following cases The AAA authorized service expires The AAA server logs out the user The user traffic is less than the author...

Страница 402: ...Bind authentication Authenticates users by the usernames and passwords that the BRAS automatically generates based on user location information Web authentication Authenticates users by the usernames...

Страница 403: ...ilure and discards the DHCP DISCOVER message 6 The DHCP server sends a DHCP OFFER message to the BRAS 7 The BRAS forwards the DHCP OFFER message to the DHCP client 8 The DHCP client sends a DHCP REQUE...

Страница 404: ...r information such as the source MAC address 3 The AAA server returns an access accept that contains authorization information to the BRAS if the authentication succeeds If the authentication fails th...

Страница 405: ...e 5 The BRAS assigns a user profile and marks the IPoE session state as online 6 The BRAS sends the AAA server a message to start the service accounting Access procedure for static and leased users Th...

Страница 406: ...3 aggregate interfaces subinterfaces Layer 3 Ethernet interfaces subinterfaces L3VE interfaces subinterfaces Restrictions and guidelines IPoE configuration IPoE and IP source guard are mutually exclu...

Страница 407: ...ation about how to configure a local user account see Configuring AAA Make sure the hosts BRAS and servers can reach each other Enabling IPoE and setting the IPoE access mode You must enable IPoE for...

Страница 408: ...e the IPoE NAT collaboration failure Enabling dynamic individual users Dynamic individual users include the unclassified IP user IPv6 ND RS user and DHCP user After IPoE is enabled on an interface the...

Страница 409: ...e By default no dynamic individual users are enabled Configuring authentication user naming conventions for dynamic individual users Usernames configured for dynamic individual users must be the same...

Страница 410: ...ator vlan separator separator Configure an authentication user naming convention for unclassified IP users ip subscriber unclassified ip username include nas port id separator separator port separator...

Страница 411: ...riber ndrs username include nas port id separator separator port separator separator second vlan separator separator slot separator separator source mac address separator address separator separator s...

Страница 412: ...ring as the password for DHCP users Specify a string from DHCPv4 packet information as the password for IPv4 dynamic individual users ip subscriber dhcp password circuit id mac option60 offset offset...

Страница 413: ...er dhcp unclassified ip domain domain name Configure an ISP domain for IPv6 dynamic individual users ipv6 subscriber dhcp ndrs unclassified ip domain domain name By default dynamic individual users us...

Страница 414: ...tion Circuit ID DHCPv6 Option 18 DSL_AGENT_REMOTE_ID DHCPv4 Option 82 Suboption Remote ID DHCPv6 Option 37 If the BRAS trusts DHCPv4 Option 60 and DHCPv6 Option 16 or Option 17 IPoE can use the ISP do...

Страница 415: ...gured Configuring trusted source IP addresses for unclassified IP users If the unclassified IP user is enabled and portal authentication is configured IPoE authentication is available only for unclass...

Страница 416: ...al users Static individual user configuration tasks at a glance Tasks at a glance Required Enabling static individual users Required Perform one of the following tasks at minimum Configuring static IP...

Страница 417: ...sion for the user On one interface a maximum of one static IPoE session can be configured for one IP address Per interface static IPoE sessions take precedence over global static IPoE sessions To conf...

Страница 418: ...nterface interface type interface number vlan vlan id second vlan vlan id request online Configure a global static IPv6 IPoE session ipv6 subscriber session static ipv6 start ipv6 address end ipv6 add...

Страница 419: ...or Configure an authentication user naming convention for IPv6 static individual users ipv6 subscriber unclassified ip username include nas port id separator separator port separator separator second...

Страница 420: ...fic ISP domains For more information about how to configure the default system domain see Configuring AAA To configure an interface specific ISP domain for static individual users Step Command Remarks...

Страница 421: ...ce leased username name password ciphertext plaintext string domain domain name Configure an IPv6 interface leased user ipv6 subscriber interface leased username name password ciphertext plaintext str...

Страница 422: ...d user Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Configure an L2VPN leased user ip subscriber l2vpn leased usernam...

Страница 423: ...e a service identifier ip subscriber service identify 8021p second vlan vlan dscp second vlan vlan By default no service identifier is configured for DHCPv4 users IPv4 unclassified IP users static ind...

Страница 424: ...ts when number of consecutive authentication failures of a user reaches the limit in the specified period During the quiet timer period packets from the user are discarded After the quiet timer expire...

Страница 425: ...r IPv6 dynamic individual users ipv6 subscriber user detect icmpv6 nd retry retries interval interval By default The BRAS uses the ARP request packet and ND NS request packet to detect IPv4 and IPv6 d...

Страница 426: ...rsion2 0 Configure the NAS Port ID format for IPv6 users ipv6 subscriber nas port id format cn telecom version1 0 version2 0 The default format is version1 0 4 Optional Configure trusted DHCP options...

Страница 427: ...traffic By default the traffic statistics update timer for IPoE sessions is 180000 milliseconds Enabling logging for IPoE users The IPoE logging feature enables the device to generate IPoE logs and s...

Страница 428: ...c mac address user type dhcp unclassified ip static verbose chassis chassis number slot slot number For IPv6 individual users display ipv6 subscriber chasten user interface interface type interface nu...

Страница 429: ...r slot slot number For IPv6 interface leased users display ipv6 subscriber interface leased interface interface type interface number chassis chassis number slot slot number In standalone mode Display...

Страница 430: ...subnet leased user interface interface type interface number ipv6 ipv6 address prefix length ipv6 address chassis chassis number slot slot number verbose In standalone mode Display IPoE session inform...

Страница 431: ...slot slot number In IRF mode Display IPoE session statistics for subnet leased users For IPv4 subnet leased users display ip subscriber subnet leased statistics interface interface type interface num...

Страница 432: ...ress mask length ip address For IPv6 subnet leased users reset ipv6 subscriber subnet leased user interface interface type interface number ipv6 ipv6 address prefix length ipv6 address Delete dynamic...

Страница 433: ...ation and accounting Device radius rs1 primary authentication 4 4 4 1 Device radius rs1 primary accounting 4 4 4 1 Device radius rs1 key authentication simple radius Device radius rs1 key accounting s...

Страница 434: ...0c 29a6 b656 U Online Example Configuring a DHCP user Network configuration As shown in Figure 146 the host accesses the BRAS as a DHCP user It obtains configuration information from the DHCP server T...

Страница 435: ...ISP domain This example assumes that the DHCP packets do not contain option 60 Create an ISP domain named dm1 and enter its view Device domain dm1 Configure dm1 to use RADIUS scheme rs1 Device isp dm...

Страница 436: ...e client 4 4 4 2 32 ipaddr 4 4 4 2 netmask 32 secret radius Add the username password and authorized IPv6 prefix to the users user information file The username is the host MAC address the password is...

Страница 437: ...ted enable Enable the IPv6 ND RS user Device GigabitEthernet3 1 2 ipv6 subscriber initiator ndrs enable Specify dm1 as the ISP domain Device GigabitEthernet3 1 2 ipv6 subscriber ndrs domain dm1 Config...

Страница 438: ...ame from the username sent to the RADIUS server Device radius rs1 user name format without domain Device radius rs1 quit c Configure the ISP domain Create an ISP domain named dm1 and enter its view De...

Страница 439: ...en ip 3 3 3 2 Device dhcp pool test quit Verifying the configuration Display IPoE session information to verify that the host has come online Device display ip subscriber session Type D DHCP S Static...

Страница 440: ...med dm1 and enter its view Device domain dm1 Configure dm1 to use RADIUS scheme rs1 Device isp dm1 authentication ipoe radius scheme rs1 Device isp dm1 authorization ipoe radius scheme rs1 Device isp...

Страница 441: ...il action Online Acct quota out action Offline Max multicast addresses 4 Multicast address list N A QoS User profile N A Session group profile N A User group acl N A Inbound CAR N A Outbound CAR N A I...

Страница 442: ...group acl N A Inbound CAR N A Outbound CAR N A Inbound user priority N A Outbound user priority N A Flow statistic Uplink packets bytes 223423 28598144 Downlink packets bytes 5802626 742736000 Basic A...

Страница 443: ...626 742736000 Example Configuring an interface leased user Network configuration As shown in Figure 150 three hosts access the BRAS as one interface leased user The BRAS performs AAA for the hosts thr...

Страница 444: ...IUS scheme rs1 Device isp dm1 authentication ipoe radius scheme rs1 Device isp dm1 authorization ipoe radius scheme rs1 Device isp dm1 accounting ipoe radius scheme rs1 Device isp dm1 quit d Configure...

Страница 445: ...y N A Flow statistic Uplink packets bytes 16734145 2141970560 Downlink packets bytes 22314327 2856233728 Example Configuring an L2VPN leased user Network configuration As shown in Figure 150 an L2VPN...

Страница 446: ...et 3 1 2 the interface connected to PE 1 and enable LDP on the interface PE2 interface gigabitethernet 3 1 2 PE2 GigabitEthernet3 1 2 ip address 20 1 1 2 24 PE2 GigabitEthernet3 1 2 mpls enable PE2 Gi...

Страница 447: ...pf 1 area 0 0 0 0 network 20 1 1 0 0 0 0 255 PE1 ospf 1 area 0 0 0 0 network 1 1 1 9 0 0 0 0 PE1 ospf 1 area 0 0 0 0 quit PE1 ospf 1 quit Create a VSI and configure the peer PE PE1 vsi svc PE1 vsi svc...

Страница 448: ...r 3 access mode on GigabitEthernet 3 1 1 PE1 interface gigabitethernet 3 1 1 PE1 GigabitEthernet3 1 1 ip subscriber routed enable Configure the L2VPN leased user and specify the username password and...

Страница 449: ...ation As shown in Figure 152 the host in a VPN accesses the BRAS as a DHCP user The BRAS performs AAA for the host through the RADIUS server Figure 152 Network diagram Procedure 1 Configure the RADIUS...

Страница 450: ...d accounting Device radius rs1 primary authentication 4 4 4 1 Device radius rs1 primary accounting 4 4 4 1 Device radius rs1 key authentication simple radius Device radius rs1 key accounting simple ra...

Страница 451: ...et3 1 2 proxy arp enable Device GigabitEthernet3 1 2 quit g Configure a static route to direct the DHCP request from vpn1 to the DHCP server Device ip route static vpn instance vpn1 4 4 4 0 24 4 4 4 3...

Страница 452: ...e Acct update fail action Online Acct quota out action Offline Max multicast addresses 4 Multicast address list N A Accounting start time Sep 14 18 09 28 2014 QoS User profile N A Session group profil...

Страница 453: ...a RADIUS scheme Create a RADIUS scheme named rs1 and enter its view Device system view Device radius scheme rs1 Configure primary servers and keys for authentication and accounting Device radius rs1 p...

Страница 454: ...ry 2 interval 30 Device GigabitEthernet3 1 2 quit Verifying the configuration Use the display ip subscriber session command to verify that the BRAS deletes the IPoE session after the user goes offline...

Страница 455: ...ain creation 54 ISP domain creation restrictions 54 ISP domain display 64 ISP domain idle timeout period include in user online duration 57 ISP domain method 54 ISP domain user address type 57 ISP dom...

Страница 456: ...et portal authentication configuration 342 direct portal authentication configuration 330 direct portal authentication configuration local portal Web service 370 extended cross subnet portal authentic...

Страница 457: ...addresses allocation to clients with same MAC 185 DHCPv6 dynamic address allocation 177 DHCPv6 dynamic prefix allocation 177 DHCPv6 IPv6 address prefix allocation sequence 177 DHCPv6 static address al...

Страница 458: ...online detection configuration 436 IPoE static user configuration ARP based 421 IPoE subnet leased user configuration 423 IPoE unclassified IP user configuration 416 IPoE VPN DHCP user configuration 4...

Страница 459: ...16 IPoE VPN DHCP user configuration 433 broadcast DHCP relay agent broadcast response 146 DHCP server broadcast response 113 buffering AAA HWTACACS stop accounting packet buffering 46 AAA RADIUS stop...

Страница 460: ...user attributes 17 AAA RADIUS 23 AAA RADIUS accounting on 34 AAA RADIUS attribute 31 MAC address format 35 AAA RADIUS attribute 87 format 36 AAA RADIUS attribute translation 37 AAA RADIUS attribute t...

Страница 461: ...ortal authentication local portal Web service 370 direct portal authentication preauthentication policy 366 extended cross subnet portal authentication 353 extended direct portal authentication 345 ex...

Страница 462: ...356 portal authentication source subnet 313 portal authentication user online detection 319 portal authentication user online detection IPv4 319 portal authentication user online detection IPv6 319 p...

Страница 463: ...304 304 304 D DAE AAA RADIUS attribute translation DAS 38 AAA RADIUS DAS 39 data L2TP AVP data transfer in hidden mode 260 L2TP data message type 250 delaying MAC authentication delay 219 destination...

Страница 464: ...30 direct portal authentication configuration local portal Web service 370 direct portal authentication preauthentication policy configuration 366 extended cross subnet portal authentication configura...

Страница 465: ...91 Option 53 Option 053 91 Option 55 Option 055 91 Option 6 Option 006 91 Option 60 encapsulation Option 060 encapsulation 111 Option 60 Option 060 91 Option 66 Option 066 91 Option 67 Option 067 91...

Страница 466: ...oting IPoE client authentication failure 438 troubleshooting portal authentication users cannot log in re DHCP 383 user class creation 98 user class whitelist configuration 107 voice client Option 184...

Страница 467: ...b redirect 328 directory AAA LDAP directory service 8 disabling DHCP Option 60 encapsulation 111 displaying AAA HWTACACS 48 AAA ISP domain 64 AAA LDAP 53 AAA local bill cache 66 AAA local users user g...

Страница 468: ...t duplicated address detection 153 DHCP different IP addresses allocation to clients with the same MAC 110 DHCP Option 82 handling 111 DHCP random IP address allocation 110 DHCP relay agent 134 DHCP r...

Страница 469: ...IPoE IPv6 ND RS user configuration 420 IPoE L2VPN leased user configuration 429 IPoE online detection configuration 436 IPoE static user configuration ARP based 421 IPoE subnet leased user configurati...

Страница 470: ...ng ISP domain 67 AAA NAS ID profile configuration 66 DHCPv6 relay agent Interface ID option padding mode 199 L2TP LTS TSA ID setting 265 identity association See IA association ID See IAID ignoring DH...

Страница 471: ...DHCPv6 client subnet advertisement 186 DHCPv6 different IPv6 addresses allocation to clients with same MAC 185 DHCPv6 overview 170 DHCPv6 server configuration 172 175 190 DHCPv6 server configuration o...

Страница 472: ...DHCP relay agent Option 82 configuration 141 149 DHCP relay agent Option 82 support 133 DHCP relay agent relay entry recording 138 DHCP relay agent security features 138 DHCP relay agent server 135 DH...

Страница 473: ...183 DHCPv6 server IPv6 prefix assignment 178 DHCPv6 server logging 189 DHCPv6 server maintain 189 DHCPv6 server security features 188 DHCPv6 snooping basics 205 DHCPv6 snooping configuration 204 209...

Страница 474: ...server interface 311 PPP IPCP negotiation 231 PPPoE NAT444 collaboration failure user enable 280 IPv6 DHCPv6 See DHCPv6 IPoE IPv6 ND RS user configuration 420 IPoE IPv6 ND RS users access procedure 38...

Страница 475: ...g mode NAS initiated 251 LAC L2TP automatic tunnel establishment 260 L2TP LAC AAA authentication 260 L2TP LAC configuration 258 L2TP LAC tunnel exclusive use 259 L2TP LAC tunnel request initiation 258...

Страница 476: ...ing method 11 AAA local authentication 11 AAA local authentication configuration 14 AAA local authorization method 11 AAA local user 15 AAA SSH user authentication authorization 71 local portal Web se...

Страница 477: ...ing AAA local guests 21 manual AAA local bill cache 65 matching PPP IPCP IP segment match enable 243 MCE relay agent support 133 message DHCP format 90 DHCP REQUEST message attack protection 162 DHCPv...

Страница 478: ...7 AAA network access user 15 AAA RADIUS configuration 23 AAA RADIUS implementation 2 AAA RADIUS server SSH user authentication authorization 68 allowing only DHCP users to pass portal authorization 31...

Страница 479: ...206 DHCPv6 snooping entry max 207 DHCPv6 snooping Option 18 support 206 DHCPv6 snooping Option 37 support 206 DHCPv6 snooping packet blocking port 208 DHCPv6 REQUEST check 207 direct portal authentic...

Страница 480: ...erver 302 portal authentication server detection 320 portal authentication source subnet 313 portal authentication system 294 portal authentication system component interaction 295 portal authenticati...

Страница 481: ...le 218 online IPoE online detection configuration 436 IPoE user online detection 408 MAC authentication keep online 221 portal authentication user online detection 319 option DHCP field 91 DHCP option...

Страница 482: ...MAC authentication user account policies 211 portal authentication extended functions 294 portal authentication policy server 295 portal preauthentication policy 308 polling PPP polling 238 pool DHCP...

Страница 483: ...des 296 NAS Port Id attribute format 324 online user logout 327 packet filtering rules 299 page customization 304 page file compression saving rules 306 page request rules 305 policy configuration 308...

Страница 484: ...access rate limit 278 configuration 275 283 configuration restrictions 276 display 282 logging enable 282 maintain 282 NAT444 collaboration failure user enable 280 network structure 275 network struct...

Страница 485: ...ocal user 15 configuring AAA NAS ID 66 configuring AAA network access user attributes 17 configuring AAA RADIUS 23 configuring AAA RADIUS accounting on 34 configuring AAA RADIUS attribute 31 MAC addre...

Страница 486: ...server IPv6 prefix assignment 178 configuring DHCPv6 server network parameters address pool 182 configuring DHCPv6 server network parameters option group 182 configuring DHCPv6 server network paramet...

Страница 487: ...cation 266 configuring L2TP LNS LAC tunneling request acceptance 262 configuring L2TP LNS LCP renegotiation 263 configuring L2TP LNS mandatory CHAP authentication 263 configuring L2TP LNS user authent...

Страница 488: ...g PPPoE server IP address assignment local DHCP server 284 configuring PPPoE server IP address assignment RADIUS based 291 configuring PPPoE server IP address assignment remote DHCP server 285 configu...

Страница 489: ...tification 199 enabling DHCPv6 relay agent on interface 196 enabling DHCPv6 relay agent to record relay entries 199 enabling DHCPv6 server flood attack protection 188 enabling DHCPv6 server logging 18...

Страница 490: ...ax 218 setting PADI packets max 281 setting portal authentication users max 314 setting portal authentication users max global 314 setting portal authentication users max interface 315 setting PPPoE s...

Страница 491: ...IUS authentication failure 79 troubleshooting AAA RADIUS packet delivery failure 80 troubleshooting DHCP address conflict 130 troubleshooting L2TP data transmission failure 274 troubleshooting L2TP re...

Страница 492: ...rocessing RADIUS authentication requests 40 protocols and standards 13 real time accounting attempts max 28 Remanent_Volume attribute data measurement unit 36 request transmission attempts max 27 sche...

Страница 493: ...uration parameters 151 releasing DHCP relay agent IP address release 141 remote AAA remote accounting method 11 AAA remote authentication 11 AAA remote authentication configuration 14 AAA remote autho...

Страница 494: ...n 13 AAA protocols and standards 13 AAA RADIUS attribute translation 37 AAA RADIUS configuration 23 AAA RADIUS DAS 39 AAA RADIUS implementation 2 AAA RADIUS information exchange security mechanism 2 A...

Страница 495: ...thentication user account format 217 MAC authentication user account policies 211 MAC authentication user profile assignment 214 MAC authentication VLAN assignment 212 MAC based quick portal authentic...

Страница 496: ...ent gateway specification 102 DHCP client NetBIOS node type 103 DHCP client offline detection 118 DHCP client server specification 105 DHCP client WINS server 103 DHCP compatibility configuration 113...

Страница 497: ...measurement unit 36 AAA RADIUS request transmission attempts max 27 AAA RADIUS server status 29 AAA RADIUS timer 33 AAA RADIUS traffic statistics unit 27 AAA RADIUS username format 27 DHCP client pack...

Страница 498: ...03 DHCP relay agent address 143 DHCP relay agent server 135 DHCP relay agent server selection algorithm 136 DHCP relay agent source IP address 145 DHCP server address pool IP address range 99 DHCPv6 c...

Страница 499: ...175 terminal AAA RADIUS Login Service attribute check method 35 testing AAA RADIUS server status detection test profile 23 timeout MAC authentication server timeout 217 PPP negotiation 239 PPP negoti...

Страница 500: ...surement unit 36 untrusted DHCP snooping untrusted port 157 DHCPv6 snooping port 204 updating IPoE traffic statistics update timer 411 user AAA concurrent login user max 65 AAA local user 15 AAA manag...

Страница 501: ...ver IP address dynamic assignment 121 DHCP server IP address static assignment 120 DHCP server option customization 127 DHCP server user class configuration 123 DHCP snooping basic configuration 165 D...

Страница 502: ...route table 247 troubleshooting L2TP 273 troubleshooting L2TP data transmission failure 274 troubleshooting L2TP remote system network access failure 273 troubleshooting L2TP user offline 274 Web cros...

Отзывы:

Нет отзывов