H3C SR8800-F Routers Comware 7 User Access Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: SR8800FS-CMW710-R7655P05 or later Document version: 6W100-20170825...
H3CS, H3CIE, H3CNE, Aolynk, Care, IRF, NetPilot, Netflow, SecEngine, SecPath, SecCenter, SecBlade, Comware, ITCMM and HUASAN are trademarks of New H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice.
Preface
This configuration guide describes fundamentals and configuration of user access features.
This preface includes the following topics about the documentation:
• Audience
• Conventions
• Obtaining documentation
• Technical support
• Documentation feedback
Audience
This documentation is intended for:
•...
Convention: Folder.
Symbols
WARNING! An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
Obtaining documentation To access the most up-to-date H3C product documentation, go to the H3C website at http://www.h3c.com.hk To obtain information about installation, configuration, and maintenance, click http://www.h3c.com.hk/Technical_Documents...
Contents
Configuring AAA  1
  About AAA  1
    AAA implementation  1
    AAA network diagram  1
    RADIUS  2
    HWTACACS  5
    LDAP  8
    User management based on ISP domains and user access types  11
  ...
    Specifying the HWTACACS accounting servers  44
    Specifying the shared keys for secure HWTACACS communication  44
    Specifying an MPLS L3VPN instance for the scheme  45
    Setting the username format and traffic statistics units  45
  ...
    IP address allocation process  89
    IP address lease extension  89
  DHCP message format  90
  DHCP options  91
  Common DHCP options  91
  Custom DHCP options  91
    Vendor-specific option (Option 43)  92
  ...
    Example: Configuring static IP address assignment  120
    Example: Configuring dynamic IP address assignment  121
    Example: Configuring DHCP user class  123
    Example: Configuring DHCP user class whitelist  125
    Example: Configuring primary and secondary subnets  126
  ...
Configuring DHCP snooping  157
  About DHCP snooping  157
    Application of trusted and untrusted ports  157
    DHCP snooping support for Option 82  158
  Restrictions and guidelines: DHCP snooping configuration  159
  DHCP snooping tasks at a glance  ...
    Configuring DHCPv6 flood attack protection  188
  Enabling the DHCPv6 server to advertise IPv6 prefixes  189
  Enabling DHCPv6 logging on the DHCPv6 server  189
  Display and maintenance commands for DHCPv6 server  189
  DHCPv6 server configuration examples  ...
  Configuring the user account format  217
  Configuring MAC authentication timers  217
    About MAC authentication timers  217
    Procedure  217
  Enabling MAC authentication offline detection  218
  Setting the maximum number of concurrent MAC authentication users on a port  218
  ...
Configuring L2TP  250
  About L2TP  250
    Typical L2TP networking  250
    L2TP message types and encapsulation structure  250
    L2TP tunnel and session  251
    L2TP tunneling modes and tunnel establishment process  251
  ...
    Enabling PPPoE logging  282
  Display and maintenance commands for PPPoE  282
  PPPoE configuration examples  283
    Example: Configuring the PPPoE server  283
    Example: Assigning the PPPoE server IP address through the local DHCP server  284
  ...
    Configuring portal authentication server detection  320
    Configuring portal Web server detection  321
    Configuring portal user synchronization  321
  Configuring portal packet attributes  322
    Configuring the BAS-IP or BAS-IPv6 attribute  322
    Specifying the device ID  ...
    Configuring passwords for dynamic individual users  396
    Configuring ISP domains for dynamic individual users  396
    Configuring the maximum number of dynamic IPoE sessions  397
    Configuring trusted DHCP options for DHCP users  398
  ...
Configuring AAA
About AAA
AAA implementation
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. The framework provides the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights, and controls the users' access to resources and services.
The device performs dynamic password authentication.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS operates in the following workflow:
1. The host sends a connection request that includes the user's username and password to the RADIUS client.
RADIUS packet format
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure smooth packet exchange between the RADIUS server and the client. These mechanisms include the timer mechanism, the retransmission mechanism, and the backup server mechanism.
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
•...
• The Attributes field (variable in length) includes authentication, authorization, and accounting information. This field can contain multiple attributes, each with the following subfields:
  Type—Type of the attribute.
  Length—Length of the attribute in bytes, including the Type, Length, and Value subfields.
  Value—Value of the attribute.
HWTACACS compared with RADIUS:
• Encryption: HWTACACS encrypts the entire packet except for the HWTACACS header. RADIUS encrypts only the user password field in an authentication packet.
• Protocol and authorization: HWTACACS protocol packets are complicated, and authorization is independent of authentication, so authentication and authorization can be deployed on different servers. RADIUS protocol packets are simple, and the authorization process is combined with the authentication process.
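The following is an added example and not code from the H3C guide. It builds a RADIUS Access-Request with the header and Type/Length/Value attributes described under "RADIUS packet format", hides the User-Password the way RFC 2865 section 5.2 specifies, and checks a server's Response Authenticator. It makes the comparison above concrete: only User-Password is hidden, every other attribute (User-Name, NAS-IP-Address) is sent in the clear, and the shared secret is all that ties the reply to the request. The shared secret, user name, password and NAS address are constructed test values.

```python
# Added example, not code from the H3C guide: RADIUS Access-Request per
# RFC 2865 with User-Password hiding and Response Authenticator checking.
# Secret, username, password and NAS address below are constructed values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def attr(atype: int, value: bytes) -> bytes:
    """One Type/Length/Value attribute; Length includes the 2 header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR block i with
    MD5(secret + previous output block), seeded with the Request Authenticator.
    Anyone holding the secret can reverse it and nothing checks integrity, so
    this is obfuscation keyed by the secret, not authenticated encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password length out of range")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password (trailing NUL padding stripped)."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier, username, password, nas_ip, secret, request_auth=None):
    """Code, Identifier, Length, Request Authenticator, then the attributes."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per request
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(response, request_auth, secret):
    """True only if the reply matches this request and was made with the secret."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


def demo(secret=b"expert"):
    """Build a request and a constructed Access-Accept for it; returns both."""
    request_auth = bytes(range(16))  # fixed here only so the output is reproducible
    req = build_access_request(7, b"hello@bbb", b"aabbcc", "10.1.1.2", secret, request_auth)
    accept_attrs = attr(ATTR_USER_NAME, b"hello@bbb")
    reply = (struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(accept_attrs))
             + response_authenticator(ACCESS_ACCEPT, 7, accept_attrs, request_auth, secret)
             + accept_attrs)
    return req, reply


if __name__ == "__main__":
    req, reply = demo()
    print("User-Name readable in request:", b"hello@bbb" in req)
    print("reply verifies:", verify_response(reply, bytes(range(16)), b"expert"))
    print("reply verifies with wrong secret:", verify_response(reply, bytes(range(16)), b"wrong"))
```

The practical consequence for the shared key configured in a RADIUS scheme: it is the only thing standing between an on-path attacker and a forged Access-Accept, and MD5 over a short dictionary word is cheap to brute-force from one captured request/response pair, so use a long random key and keep the NAS-to-server path on a protected network or inside a VPN instance.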
Figure 6 Basic HWTACACS packet exchange process for a Telnet user (host, HWTACACS client, HWTACACS server)
1) The user tries to log in.
2) Start-authentication packet.
3) Authentication response requesting the username.
4) Request for username.
5) The user enters the username.
6) Continue-authentication packet with the username.
7) Authentication response requesting the password.
8) Request for password...
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password.
11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
12.
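The following is an added example and not code from the H3C guide. It shows the body obfuscation that TACACS+ applies to everything after the 12-byte header (RFC 8907 section 4.5), the mechanism behind the statement that HWTACACS "encrypts the entire packet except for the header". It is an assumption of this example, not something the page states, that HWTACACS uses the TACACS+ header layout and MD5 keystream. The shared key, session ID and the authentication START packet (step 2 of Figure 6, sent before the username is known) are constructed.

```python
# Added example, not code from the H3C guide: TACACS+ body obfuscation
# (RFC 8907 section 4.5). Assumed, not stated on this page: HWTACACS uses
# the same header and keystream. Key, session ID and packet are constructed.
import hashlib
import struct

VERSION = (0xC << 4) | 0x0          # major version 0xC, minor version 0
TYPE_AUTHEN = 1
FLAG_UNENCRYPTED = 0x01
SEQ_START = 1                       # the client's START is always seq_no 1
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def keystream(session_id, key, version, seq_no, length):
    """pad_1 = MD5(session_id | key | version | seq_no);
    pad_n = MD5(session_id | key | version | seq_no | pad_{n-1}); repeat to cover length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = hashlib.md5(seed).digest()
    out = pad
    while len(out) < length:
        pad = hashlib.md5(seed + pad).digest()
        out += pad
    return out[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the keystream; applying it twice restores the body."""
    ks = keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ k for b, k in zip(body, ks))


def authen_start_body(user, port, rem_addr, data=b""):
    """Authentication START for an ASCII login: action=LOGIN(1), priv_lvl=1,
    authen_type=ASCII(1), authen_service=LOGIN(1), then four length bytes."""
    fixed = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(ptype, seq_no, session_id, body, key):
    """Header travels in the clear; the body is obfuscated when a key is set."""
    flags = 0 if key else FLAG_UNENCRYPTED
    payload = obfuscate(body, session_id, key, VERSION, seq_no) if key else body
    return HEADER.pack(VERSION, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_packet(packet, key, allow_cleartext=False):
    """Recover (session_id, seq_no, body). Cleartext bodies are refused unless
    explicitly allowed: a peer clearing the flag to skip obfuscation must not
    be accepted silently."""
    if len(packet) < 12:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if flags & FLAG_UNENCRYPTED:
        if not allow_cleartext:
            raise ValueError("unencrypted body rejected")
        return session_id, seq_no, body
    return session_id, seq_no, obfuscate(body, session_id, key, version, seq_no)


def accepts(packet, key, allow_cleartext=False):
    """True if parse_packet accepts the packet under the given policy."""
    try:
        parse_packet(packet, key, allow_cleartext)
        return True
    except ValueError:
        return False


def flip_body_byte(packet, offset, mask):
    """Flip bits of one obfuscated body byte. The scheme is a plain XOR stream
    with no integrity check, so the same bits flip in the recovered body: the
    key hides the content but does not protect it from modification."""
    p = bytearray(packet)
    p[12 + offset] ^= mask
    return bytes(p)


def demo(key=b"expert"):
    """START packet for a Telnet user on vty0; user is empty because Figure 6
    has the server ask for the username after START. Returns (packet, body)."""
    body = authen_start_body(b"", b"vty0", b"192.168.1.100")
    return build_packet(TYPE_AUTHEN, SEQ_START, 0x1234ABCD, body, key), body
```

Two things a practitioner should take from this: the session ID, sequence number and length are always readable on the wire, and because the keystream depends only on those header fields plus the key, the shared key is the entire security of the exchange, which is why the guide marks the key as required for HWTACACS and why the link to the server should be protected independently.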
• Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search.
• Constructs search conditions by using the username in the authentication information of a user. The specified root directory of the server is searched and a user DN list is generated.
The LDAP server processes the request, and sends a response to notify the LDAP client of the bind operation result. If the bind operation fails, the LDAP client uses another obtained user DN as the parameter to send a user DN bind request to the LDAP server. This process continues until a DN is bound successfully or all DNs fail to be bound.
The LDAP client sends an authorization search request with the username of the Telnet user to the LDAP server. If the user uses the same LDAP server for authentication and authorization, the client sends the request with the saved user DN of the Telnet user to the LDAP server. After receiving the request, the LDAP server searches for the user information by the base DN, search scope, filtering conditions, and LDAP attributes.
AAA also supports configuring a set of default methods for an ISP domain. These default methods are applied to users for which no AAA methods are configured.
Authentication methods
The device supports the following authentication methods:
• No authentication—This method trusts all users and does not perform authentication. For security purposes, do not use this method.
• Command accounting—When command authorization is disabled, command accounting enables the accounting server to record all valid commands executed on the device. When command authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see Fundamentals Configuration Guide.
• RFC 2251, Lightweight Directory Access Protocol (v3)
AAA tasks at a glance
To configure AAA, complete the following tasks on the NAS:
1. Configure the required AAA schemes:
   • If local authentication is used, configure local users and the related attributes.
   • If remote authentication is used, configure the required RADIUS, HWTACACS, or LDAP schemes.
(Optional.) Configuring the device ID
Configuring local users
About local users
To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device.
Local user configuration tasks at a glance
(Required.) Configure local user attributes based on the user type:
• Configuring attributes for device management users
• Configuring attributes for network access users
• Configuring local guest attributes
(Optional.) Configuring user group attributes
(Optional.)
• (Optional.) Configure authorization attributes.
  Command: authorization-attribute { idle-cut minutes | user-role role-name | work-directory ...
  Remarks: The following default settings apply:
  • The working directory for FTP, SFTP, and SCP users is the root directory of the NAS. However, the users do not have permission to access the root directory.
• Enter system view.
  Command: system-view
• Add a local user and enter network access user view.
  Command: local-user user-name [ class network ]
  Remarks: By default, no local users exist.
• (Optional.) Configure a password for the local user.
  Command: password { cipher | simple } ...
  Remarks: By default, no password is configured for a local user. A local user can pass authentication after entering the...
To configure local guest attributes:
• Enter system view.
  Command: system-view
• Create a local guest and enter local guest view.
  Command: local-user user-name class network guest
  Remarks: By default, no local guests exist.
• Configure a password for the local guest.
  Command: password { cipher | simple } ...
  Remarks: By default, no password is ...
By default, every new local user belongs to the default user group system and has all attributes of the group. To assign a local user to a different user group, use the group command in local user view. To configure user group attributes: Step Command Remarks...
Managing local guests
About local guest management
The local guest management features are for registration, approval, maintenance, and access control of local guests. The registration and approval processes are as follows:
1. The device pushes the portal user registration page to a user that wants to access the network as a local guest.
• Configure the guest manager's email address.
  Command: local-guest manager-email email-address
  Remarks: By default, the guest manager's email address is not configured.
• (Optional.) Set the waiting-approval timeout timer for guest registration requests.
  Command: local-guest timer waiting-approval time-value
  Remarks: The default is 24 hours.
Configuring RADIUS
RADIUS tasks at a glance
(Optional.) Configuring a test profile for RADIUS server status detection
(Required.) Creating a RADIUS scheme
(Required.) Specifying the RADIUS authentication servers
(Optional.) Specifying the RADIUS accounting servers
(Optional.) Specifying the shared keys for secure RADIUS communication
(Optional.) Specifying an MPLS L3VPN instance for the scheme
(Optional.)
With the test profile specified, the device sends a detection packet to the RADIUS server within each detection interval. The detection packet is a simulated authentication request that includes the specified user name in the test profile. • If the device receives a response from the server within the interval, it sets the server to the active state.
When RADIUS server load sharing is enabled, the device distributes the workload over all servers without considering the primary and secondary server roles. The device checks the weight value and number of currently served users for each active server, and then determines the most appropriate server in performance to receive an authentication request.
• Specify the primary RADIUS accounting server.
  Command: primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] ...
  Remarks: By default, no accounting servers are specified. Two accounting servers in a scheme, primary or secondary, cannot have the same combination of IP...
• Specify a VPN instance for the RADIUS scheme.
  Command: vpn-instance vpn-instance-name
  Remarks: By default, a RADIUS scheme belongs to the public network.
Setting the username format and traffic statistics units
A username is in the userid@isp-name format, where the isp-name argument represents the user's ISP domain name.
• Set the maximum number of RADIUS request transmission attempts.
  Command: retry retries
  Remarks: The default setting is 3.
Setting the maximum number of real-time accounting attempts
If you specify a maximum number of real-time accounting attempts, the device will disconnect users from which no accounting responses are received within the permitted attempts.
Setting the maximum number of pending RADIUS requests About the maximum number of pending RADIUS requests This feature controls the rate of RADIUS requests that are sent to the RADIUS server. Use this feature if the RADIUS server has a limited performance and cannot concurrently process too many RADIUS requests.
• If the secondary server is unreachable, the device performs the following operations: Changes the server status to blocked. Starts a quiet timer for the server. Tries to communicate with the next secondary server in active state that has the highest priority.
• Set the status of the primary RADIUS authentication server.
  Command: state primary authentication { active | block }
• Set the status of the primary RADIUS accounting server.
  Command: state primary accounting { active | block }
  Remarks: By default, a RADIUS server is in active state.
Specifying the source IP address for outgoing RADIUS packets About source IP address for outgoing RADIUS packets The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.
Setting RADIUS timers About RADIUS timers The device uses the following types of timers to control communication with a RADIUS server: • Server response timeout timer (response-timeout)—Defines the RADIUS request retransmission interval. The timer starts immediately after a RADIUS request is sent. If the device does not receive a response from the RADIUS server before the timer expires, it resends the request.
Configuring the RADIUS accounting-on feature
About RADIUS accounting-on
When the accounting-on feature is enabled, the device automatically sends an accounting-on packet to the RADIUS server after the entire device reboots. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device. Without this feature, users cannot log in again after the reboot, because the RADIUS server still considers them to be online.
Configuring the Login-Service attribute check method for SSH, FTP, and terminal users About Login-Service attribute check methods The device supports the following check methods for the Login-Service attribute (RADIUS attribute 15) of SSH, FTP, and terminal users: • Strict—Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.
Setting the data measurement unit for the Remanent_Volume attribute The Remanent_Volume attribute is H3C proprietary. The RADIUS server uses this attribute in authentication or real-time accounting responses to notify the device of the current amount of data available for online users.
Specifying a server version for interoperating with servers with a vendor ID of 2011 For the device to correctly interpret RADIUS attributes from the servers with a vendor ID of 2011, specify a server version that is the same as the version of the RADIUS servers. To specify a server version for interoperating with servers with a vendor ID of 2011: Step Commands...
Configuring the RADIUS attribute translation feature for a RADIUS scheme
• Enter system view.
  Command: system-view
• (Optional.) Define an extended RADIUS attribute.
  Command: radius attribute extended attribute-name [ vendor vendor-id ] code attribute-code type { binary | ...
  Remarks: By default, no user-defined extended RADIUS attributes exist. Repeat this command to define ... attribute.
Configuring the RADIUS session-control feature About RADIUS session-control Enable this feature for the RADIUS server to dynamically change the user authorization information or forcibly disconnect users by using session-control packets. This task enables the device to receive RADIUS session-control packets on UDP port 1812. To verify the session-control packets sent from a RADIUS server, specify the RADIUS server as a session-control client to the device.
• Change the authorization information of specific online users.
• Shut down and then bring up the access interfaces of users.
Procedure
To configure the RADIUS DAS feature:
• Enter system view.
  Command: system-view
• Enable the RADIUS DAS feature and enter RADIUS DAS view.
  Command: radius dynamic-author server
  Remarks: By default, the RADIUS DAS feature is disabled.
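The following is an added example and not code from the H3C guide. It shows, in Python rather than on the router, what a NAS that acts as a RADIUS Dynamic Authorization Server (RFC 5176) has to check before it tears down a session on request: the packet must come from a configured DAS client, its length fields must be consistent, its Request Authenticator must verify against that client's shared secret (a keyed MD5 over the packet with a zeroed authenticator field, unlike the random authenticator of an Access-Request), and only then are attributes parsed and acted on. Packets that fail authentication are dropped without any reply, as RFC 5176 requires, so an unauthorized host learns nothing. The client table, secret, session IDs and packets are constructed; the H3C DAS configuration commands are not involved.

```python
# Added example, not code from the H3C guide: NAS-side validation and
# handling of a RADIUS Disconnect-Request (RFC 5176). The DAS client table,
# shared secret, session IDs and packets are constructed test values.
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK, COA_REQUEST = 40, 41, 42, 43
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 1, 44, 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503
MAX_PACKET = 4096

# Constructed: DAS clients the device trusts (source IP -> shared secret)
DAS_CLIENTS = {"10.1.1.1": b"expert"}


def tlv(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(raw):
    """Strict TLV walk: every Length must be >= 2 and stay inside the packet."""
    attrs, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("dangling attribute header")
        atype, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, raw[i + 2:i + length]))
        i += length
    return attrs


def request_authenticator(code, identifier, attrs, secret):
    """RFC 5176 section 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    Keyed by the secret, so a forged request from a host without it fails here."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def response_authenticator(code, identifier, attrs, request_auth, secret):
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build(code, identifier, attrs, authenticator):
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def validate_request(src_ip, packet):
    """(None, reason) for anything that must be silently dropped, else (fields, "ok").
    Order: source check, size and length checks, constant-time authenticator
    comparison, and only then attribute parsing."""
    secret = DAS_CLIENTS.get(src_ip)
    if secret is None:
        return None, "source is not a configured DAS client"
    if not 20 <= len(packet) <= MAX_PACKET:
        return None, "bad packet size"
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None, "length field does not match packet"
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return None, "not a DAS request"
    attrs_raw = packet[20:]
    expected = request_authenticator(code, identifier, attrs_raw, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None, "authenticator mismatch"
    try:
        attrs = parse_attributes(attrs_raw)
    except ValueError as exc:
        return None, str(exc)
    return {"code": code, "id": identifier, "auth": packet[4:20],
            "attrs": attrs, "secret": secret}, "ok"


def handle_disconnect(src_ip, packet, online_sessions):
    """Disconnect the session named by Acct-Session-ID. Returns (reply_or_None, reason).
    CoA-Requests are accepted by validate_request but not handled here."""
    fields, reason = validate_request(src_ip, packet)
    if fields is None:
        return None, reason
    if fields["code"] != DISCONNECT_REQUEST:
        return None, "not a Disconnect-Request"
    session = next((v for t, v in fields["attrs"] if t == ATTR_ACCT_SESSION_ID), None)
    if session in online_sessions:
        online_sessions.discard(session)
        auth = response_authenticator(DISCONNECT_ACK, fields["id"], b"", fields["auth"], fields["secret"])
        return build(DISCONNECT_ACK, fields["id"], b"", auth), "disconnected"
    err = tlv(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))
    auth = response_authenticator(DISCONNECT_NAK, fields["id"], err, fields["auth"], fields["secret"])
    return build(DISCONNECT_NAK, fields["id"], err, auth), "session not found"


def make_disconnect_request(identifier, session, secret, user=b"hello@bbb"):
    """What a legitimate DAS client sends (constructed)."""
    attrs = tlv(ATTR_USER_NAME, user) + tlv(ATTR_ACCT_SESSION_ID, session)
    return build(DISCONNECT_REQUEST, identifier, attrs,
                 request_authenticator(DISCONNECT_REQUEST, identifier, attrs, secret))
```

The source-address check comes first deliberately: the device's DAS listener is a way for a remote party to drop users, so it should never touch a secret or parse attributes for a host that is not a configured client, and the constant-time comparison keeps timing from leaking how many authenticator bytes matched.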
• Enter system view.
  Command: system-view
• Configure the device to preferentially process RADIUS authentication requests.
  Command: radius authentication-request first
  Remarks: By default, the device processes RADIUS requests in the sequence that the requests are initiated.
Enabling SNMP notifications for RADIUS
When SNMP notifications are enabled for RADIUS, the SNMP agent supports the following notifications generated by RADIUS:
•...
Configuring HWTACACS
HWTACACS tasks at a glance
(Required.) Creating an HWTACACS scheme
(Required.) Specifying the HWTACACS authentication servers
(Optional.) Specifying the HWTACACS authorization servers
(Optional.) Specifying the HWTACACS accounting servers
(Required.) Specifying the shared keys for secure HWTACACS communication
(Optional.) Specifying an MPLS L3VPN instance for the scheme
(Optional.)
Specifying the HWTACACS accounting servers You can specify one primary accounting server and a maximum of 16 secondary accounting servers for an HWTACACS scheme. When the primary server is not available, the device searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.
• Specify a shared key for secure HWTACACS authentication, authorization, or accounting communication.
  Command: key { accounting | authentication | authorization } { cipher | simple } string
  Remarks: By default, no shared key is specified for secure HWTACACS communication. The shared key configured on the device must be the same as the ...
Configuring HWTACACS stop-accounting packet buffering The device sends HWTACACS stop-accounting requests when it receives connection teardown requests from hosts or connection teardown commands from an administrator. However, the device might fail to receive a response for a stop-accounting request in a single transmission. Enable the device to buffer HWTACACS stop-accounting requests that have not received responses from the accounting server.
Before sending an HWTACACS packet, the NAS selects a source IP address in the following order: The source IP address specified for the HWTACACS scheme. The source IP address specified in system view for the VPN or public network, depending on where the HWTACACS server resides.
Tries to communicate with a secondary server in active state that has the highest priority. • If the secondary server is unreachable, the device performs the following operations: Changes the server status to blocked. Starts a quiet timer for the server. Tries to communicate with the next secondary server in active state that has the highest priority.
• Display the configuration or server statistics of HWTACACS schemes.
  Command: display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]
• Display information about buffered HWTACACS stop-accounting requests to which no responses have been received.
  Command: display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
• Clear HWTACACS statistics.
  Command: reset hwtacacs statistics { accounting | all | authentication | ...
• Enter LDAP server view.
  Command: ldap server server-name
• Configure the IP address of the LDAP server.
  Command: { ip ip-address | ipv6 ipv6-address } [ port ...
  Remarks: By default, an LDAP server does not have an IP address. You can configure either an IPv4 ...
• Specify the administrator DN.
  Command: login-dn dn-string
  Remarks: By default, no administrator DN is specified. The administrator DN specified on the device must be the same as the administrator DN configured on the LDAP server.
• Configure the administrator password.
  Command: login-password { cipher | ...
  Remarks: By default, no administrator ...
• (Optional.) Specify the user object class.
  Command: user-object-class object-class-name
  Remarks: By default, no user object class is specified, and the default user object class on the LDAP server is used. The default user object class for this command varies by LDAP server model.
Specifying the LDAP authentication server
• Enter system view.
  Command: system-view
• Enter LDAP scheme view.
  Command: ldap scheme ldap-scheme-name
• Specify the LDAP authentication server.
  Command: authentication-server server-name
  Remarks: By default, no LDAP authentication server is specified.
Specifying the LDAP authorization server
• Enter system view.
  Command: system-view
Configuring AAA methods for ISP domains Creating an ISP domain About ISP domains In a networking scenario with multiple ISPs, the device can connect to users of different ISPs. These users can have different user attributes, such as different username and password structures, different service types, and different rights.
Configuring ISP domain attributes
Setting ISP domain status
By placing the ISP domain in active or blocked state, you allow or deny network service requests from users in the domain.
To set ISP domain status:
• Enter system view.
  Command: system-view
• Enter ISP domain view.
• Authorization VPN instance—The device allows authenticated PPP and IPoE users in the domain to access network resources in the authorization VPN. • Maximum number of multicast groups—The attribute restricts the maximum number of multicast groups that an authenticated IPoE, portal, or PPP user can join concurrently. •...
• Configure authorization attributes for the ISP domain.
  Command: authorization-attribute { acl acl-number | car inbound cir committed-information-rate [ pir peak-information-rate ] outbound cir committed-information-rate [ pir peak-information-rate ] | ...
  Remarks: The default settings are as follows:
  • The idle cut feature is disabled.
  • An IPv4 user can concurrently join a maximum of four IGMP multicast groups.
• Specify the user address type in the ISP domain.
  Command: user-address-type { ds-lite | ipv6 | nat64 | private-ds | private-ipv4 | public-ds | public-ipv4 }
  Remarks: By default, no user address type is specified.
Specifying the service type for users in an ISP domain
The user account is not configured on the device or the user is not allowed to use the access service. • The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user. Prerequisites Before configuring authentication methods, complete the following tasks: Determine the access type or service type to be configured.
• Specify authentication methods for portal users.
  Command: authentication portal { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ ldap-scheme ldap-scheme-name | radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme ...
  Remarks: By default, the default authentication method is used for portal users. This command takes effect only on CSPEX...
• Enter system view.
  Command: system-view
• Enter ISP domain view.
  Command: domain isp-name
• Specify default authorization methods for the ISP domain.
  Command: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme ...
  Remarks: By default, the authorization method is local.
Setting the maximum number of concurrent login users Perform this task to set the maximum number of concurrent users that can log on to the device through a specific protocol, regardless of their authentication methods. The authentication methods include no authentication, local authentication, and remote authentication. To set the maximum number of concurrent login users: Step Command...
• Specify the destination URL for exporting accounting bills.
  Command: local-bill export-url url
  Remarks: By default, no URL is specified.
• Set an interval at which accounting bills are exported automatically.
  Command: local-bill export-interval interval
  Remarks: By default, the interval is 1440 minutes.
• (Optional.) Enable SNMP notification for automatic ...
  Remarks: By default, SNMP notification is ...
• Enter system view.
  Command: system-view
• Create a NAS-ID profile and enter NAS-ID profile view.
  Command: aaa nas-id profile profile-name
  Remarks: By default, no NAS-ID profiles exist.
• Configure a NAS-ID and VLAN binding.
  Command: nas-id nas-identifier bind { { c-vid ...
  Remarks: By default, no NAS-ID and VLAN bindings exist. In a QinQ network, specify an inner VLAN ID, outer VLAN ID, or ...
• Set the NAS-ID in the ISP domain.
  Command: nas-id nas-identifier
  Remarks: By default, no NAS-ID is set in an ISP domain.
Configuring the device ID
RADIUS uses the value of the Acct-Session-ID attribute as the accounting ID for a user. The device generates an Acct-Session-ID value for each online user based on the system time, random digits, and device ID.
Set the ports for authentication and accounting to 1812 and 1813, respectively. c. Select Device Management Service from the Service Type list. d. Select H3C from the Access Device Type list. e. Select an access device from the device list or manually add an access device. In this example, the device IP address is 10.1.1.2.
Figure 14 Adding an account for device management
Configure the router:
# Configure the IP addresses for interfaces. (Details not shown.)
# Create local RSA and DSA key pairs.
<Router> system-view
[Router] public-key local create rsa
[Router] public-key local create dsa
# Enable the SSH service.
[Router-radius-rad] quit
# Create an ISP domain named bbb and configure authentication, authorization, and accounting methods for login users. Because RADIUS user authorization information is piggybacked in authentication responses, the authentication and authorization methods must use the same RADIUS scheme.
[Router] domain bbb
[Router-isp-bbb] authentication login radius-scheme rad
[Router-isp-bbb] authorization login radius-scheme rad...
# Set the password to 123456TESTplat&! in plaintext form for the local user.
[Router-luser-manage-ssh] password simple 123456TESTplat&!
# Specify the user role for the user as network-admin.
[Router-luser-manage-ssh] authorization-attribute user-role network-admin
[Router-luser-manage-ssh] quit
# Create an ISP domain named bbb and configure the domain to use local authentication and authorization for login users.
<Router> system-view
[Router] hwtacacs scheme hwtac
# Specify the primary authentication server.
[Router-hwtacacs-hwtac] primary authentication 10.1.1.1 49
# Specify the primary authorization server.
[Router-hwtacacs-hwtac] primary authorization 10.1.1.1 49
# Specify the primary accounting server.
[Router-hwtacacs-hwtac] primary accounting 10.1.1.1 49
# Set the shared keys to expert in plaintext form for secure HWTACACS communication.
[Router-hwtacacs-hwtac] key authentication simple expert
[Router-hwtacacs-hwtac] key authorization simple expert
[Router-hwtacacs-hwtac] key accounting simple expert...
• Use the LDAP server to authenticate SSH users. • Assign the default user role network-operator to SSH users after they pass authentication. On the LDAP server, set the administrator password to admin!123456, add a user named aaa, and set the user's password to ldap!123456. Figure 17 Network diagram Procedure Configure the LDAP server:...
f. In the dialog box, enter password ldap!123456, select options as needed, and click Next. Figure 19 Setting the user's password g. Click OK. # Add user aaa to group Users: a. From the navigation tree, click Users under the ldap.com node. b.
Figure 20 Modifying user properties d. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users. Figure 21 Adding user aaa to group Users # Set the administrator password to admin!123456: a.
# Create the local DSA and RSA key pairs.
<Router> system-view
[Router] public-key local create dsa
[Router] public-key local create rsa
# Enable the SSH service.
[Router] ssh server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Router] line vty 0 63
[Router-line-vty0-63] authentication-mode scheme
[Router-line-vty0-63] quit...
Example: Configuring AAA for PPP users by an HWTACACS server Network configuration As shown in Figure • Router A uses the HWTACACS server to perform PAP authentication for users from Router B. • The HWTACACS server is also the authorization server and accounting server of Router B. •...
[RouterA] domain bbb
[RouterA-isp-bbb] authentication ppp hwtacacs-scheme hwtac
[RouterA-isp-bbb] authorization ppp hwtacacs-scheme hwtac
[RouterA-isp-bbb] accounting ppp hwtacacs-scheme hwtac
[RouterA-isp-bbb] quit
# Enable PPP encapsulation on Serial 2/1/0/1:0.
[RouterA] interface serial 2/1/0/1:0
[RouterA-Serial2/1/0/1:0] link-protocol ppp
# Configure Serial 2/1/0/1:0 to authenticate the peer by using PAP in authentication domain bbb.
The user is configured on the RADIUS server. The correct password is entered. The same shared key is configured on both the RADIUS server and the NAS. If the problem persists, contact H3C Support. RADIUS packet delivery failure Symptom RADIUS packets cannot reach the RADIUS server.
The accounting server IP address is correctly configured on the NAS. If the problem persists, contact H3C Support. Troubleshooting HWTACACS Similar to RADIUS troubleshooting. See "Troubleshooting RADIUS." Troubleshooting LDAP LDAP authentication failure Symptom User authentication fails. Analysis Possible reasons include: •...
Attribute:
NAS-Identifier
Proxy-State
Login-LAT-Service
Login-LAT-Node
Login-LAT-Group
Framed-AppleTalk-Link
Framed-AppleTalk-Network
Framed-AppleTalk-Zone
Acct-Status-Type
Acct-Delay-Time
Acct-Input-Octets
Acct-Output-Octets
Acct-Session-Id
EAP-Message
Message-Authenticator
Tunnel-Private-Group-ID
Tunnel-Assignment-id
Tunnel-Preference
ARAP-Challenge-Response
Acct-Interim-Interval
Acct-Tunnel-Packets-Lost
NAS-Port-Id
Framed-Pool
(unassigned)
Tunnel-Client-Auth-id
Tunnel-Server-Auth-id
Appendix B Descriptions for commonly used standard RADIUS attributes
User-Name: Name of the user to be authenticated.
Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an H3C device, this attribute includes the MAC address of the user.
NAS-Identifier: Identification that the NAS uses to identify itself to the RADIUS server.
Message-Authenticator: Used for authentication and verification of authentication packets to prevent spoofing Access-Requests. This attribute is present when EAP authentication is used.
Tunnel-Private-Group-ID: Group ID for a tunnel session. To assign VLANs, the NAS conveys VLAN IDs by using this attribute.
NAS-Port-Id: String for describing the port of the NAS that is authenticating the user.
NAT-End-Port: End port number of the port range assigned to the user when the source IP address and port are translated.
NAS_Startup_Timestamp: Startup time of the NAS in seconds, which is represented by the time elapsed after 00:00:00 on Jan. 1, 1970 (UTC).
Ip_Host_Addr: User IP address and MAC address included in authentication and accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh.
Acct_IPv6_Output_Gigawords: Bytes of IPv6 packets in the outbound direction. The measurement unit is 4G bytes.
User-Roles: List of space-separated user roles.
Av-Pair: User-defined attribute pair. Available attribute pairs include:
• Server-assigned dynamic WEP key in the format of leap:session-key=xxx.
• ...
DHCP overview DHCP network model The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. Figure 23 shows a typical DHCP application scenario where the DHCP clients and the DHCP server reside on the same subnet. The DHCP clients can also obtain configuration parameters from a DHCP server on another subnet through a DHCP relay agent.
IP address allocation process Figure 24 IP address allocation process As shown in Figure 24, a DHCP server assigns an IP address to a DHCP client in the following process: The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message.
If the client receives no reply, it broadcasts another DHCP-REQUEST message for lease extension when about seven-eighths of the lease duration elapses. Again, depending on the availability of the IP address, the DHCP server returns either a DHCP-ACK unicast or a DHCP-NAK unicast. DHCP message format Figure 25 shows the DHCP message format.
DHCP options DHCP extends the message format as an extension to BOOTP for compatibility. DHCP uses the options field to carry information for dynamic address allocation and provide additional configuration information for clients. Figure 26 DHCP option format Common DHCP options The following are common DHCP options: •...
Vendor-specific option (Option 43) Option 43 function DHCP servers and clients use Option 43 to exchange vendor-specific configuration information. The DHCP client can obtain the following information through Option 43: • ACS parameters, including the ACS URL, username, and password. •...
Figure 29 PXE server address sub-option value field Relay agent option (Option 82) Option 82 is the relay agent option. It records the location information about the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request and sends it to the server.
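As an added illustration (not code from the H3C guide), the following Python parses an options field laid out as code, length and value, as described above, and decodes the Option 82 sub-options a relay agent inserts; the sample request bytes and the Circuit ID and Remote ID values are constructed here.

```python
"""DHCP option TLV parsing with Option 82 (relay agent information) decoding.
Constructed example, not the router's own code."""
from __future__ import annotations

import ipaddress

OPT_PAD, OPT_END = 0, 255
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_RELAY_AGENT = 50, 53, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2  # RFC 3046 sub-option codes
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_options(data: bytes) -> dict[int, bytes]:
    """Walk the options field: each option is code, length, value.
    Option 0 is a one-byte pad and option 255 ends the list.
    Raises ValueError when a length runs past the end of the data."""
    opts: dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} length {length} exceeds data")
        # RFC 3396: a repeated option code continues the previous value.
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def parse_suboptions(value: bytes) -> dict[int, bytes]:
    """Option 82 (like Option 43) carries its own code/length/value list."""
    subs: dict[int, bytes] = {}
    i = 0
    while i + 1 < len(value):
        code, length = value[i], value[i + 1]
        body = value[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError(f"sub-option {code} truncated")
        subs[code] = body
        i += 2 + length
    return subs


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Pad a fresh Option 82 the way a relay agent's replace strategy would."""
    body = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPT_RELAY_AGENT, len(body)]) + body


def describe(options_field: bytes) -> dict:
    """Summarise the fields a DHCP server or snooping device acts on."""
    opts = parse_options(options_field)
    msg_type = opts.get(OPT_MSG_TYPE) or b"\x00"
    out = {"type": MSG_TYPES.get(msg_type[0], "unknown")}
    if OPT_REQUESTED_IP in opts:
        out["requested_ip"] = str(ipaddress.IPv4Address(opts[OPT_REQUESTED_IP]))
    if OPT_RELAY_AGENT in opts:
        subs = parse_suboptions(opts[OPT_RELAY_AGENT])
        out["circuit_id"] = subs.get(SUB_CIRCUIT_ID, b"").decode("ascii", "replace")
        out["remote_id"] = subs.get(SUB_REMOTE_ID, b"").decode("ascii", "replace")
    return out


# Constructed DHCP-REQUEST options field (BOOTP header omitted), as a relay
# agent would forward it after inserting Option 82 with constructed IDs.
SAMPLE_REQUEST = (
    bytes([OPT_MSG_TYPE, 1, 3])                       # message type 3: DHCP-REQUEST
    + bytes([OPT_REQUESTED_IP, 4]) + ipaddress.IPv4Address("10.1.1.5").packed
    + build_option82(b"company001", b"device001")
    + bytes([OPT_PAD, OPT_END])
)

if __name__ == "__main__":
    print(describe(SAMPLE_REQUEST))
```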
• Sub-option 4—Specifies the failover route that includes the IP address and the number of the target user. A SIP VoIP user uses this IP address and number to directly establish a connection to the target SIP user when both the primary and backup calling processors are unreachable. Protocols and standards •...
Configuring the DHCP server About DHCP server A DHCP server manages a pool of IP addresses and client configuration parameters. It selects an IP address and configuration parameters from the address pool and allocates them to a requesting DHCP client. DHCP address assignment mechanisms Configure the following address assignment mechanisms as needed: •...
Principles for selecting an address pool The DHCP server observes the following principles to select an address pool for a client: If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server selects this address pool and assigns the statically bound IP address and other configuration parameters to the client.
IP address allocation sequence The DHCP server selects an IP address for a client in the following sequence: IP address statically bound to the client's MAC address or ID. IP address that was ever assigned to the client. IP address designated by the Option 50 field in the DHCP-DISCOVER message sent by the client.
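The selection order above, carried through in Python as an added example (not Comware code). The pool contents are constructed, and the final fallback to the first free address in the pool is an assumption made here, since the guide's list is cut off after Option 50.

```python
"""DHCP server address selection in the sequence the guide lists: static
binding, previously assigned address, then the Option 50 requested address.
Added illustration, not Comware code; the fallback to the first free address
after those steps is an assumption made here."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class AddressPool:
    network: ipaddress.IPv4Network
    static: dict[str, str] = field(default_factory=dict)    # client MAC/ID -> bound IP
    history: dict[str, str] = field(default_factory=dict)   # client MAC/ID -> last IP
    forbidden: set[str] = field(default_factory=set)        # excluded from allocation
    in_use: dict[str, str] = field(default_factory=dict)    # IP -> client holding it

    def assignable(self, ip: str, client: str) -> bool:
        """Usable if inside the subnet, not excluded, not statically reserved
        for another client, and not currently held by another client."""
        addr = ipaddress.IPv4Address(ip)
        if addr not in self.network or addr in (self.network.network_address,
                                                self.network.broadcast_address):
            return False
        if ip in self.forbidden:
            return False
        if ip in self.static.values() and self.static.get(client) != ip:
            return False
        return self.in_use.get(ip, client) == client

    def select(self, client: str, requested: str | None = None) -> tuple[str, str]:
        """Return (ip, reason), trying the documented sources in order."""
        candidates = [
            ("static binding", self.static.get(client)),
            ("previously assigned", self.history.get(client)),
            ("Option 50 request", requested),
        ]
        for reason, ip in candidates:
            if ip and self.assignable(ip, client):
                return self._commit(client, ip, reason)
        for host in self.network.hosts():          # assumed fallback: first free address
            ip = str(host)
            if self.assignable(ip, client):
                return self._commit(client, ip, "first free address")
        raise RuntimeError("address pool exhausted")

    def _commit(self, client: str, ip: str, reason: str) -> tuple[str, str]:
        self.in_use[ip] = client
        self.history[client] = ip       # remembered for the client's next request
        return ip, reason


def demo_pool() -> AddressPool:
    """Constructed pool: one static binding, one remembered client, one excluded IP."""
    return AddressPool(ipaddress.IPv4Network("10.1.1.0/25"),
                       static={"000f-e2aa-0001": "10.1.1.10"},
                       history={"000f-e2bb-0002": "10.1.1.20"},
                       forbidden={"10.1.1.1"})


if __name__ == "__main__":
    pool = demo_pool()
    for client in ("000f-e2aa-0001", "000f-e2bb-0002", "000f-e2cc-0003", "000f-e2dd-0004"):
        print(client, pool.select(client, requested="10.1.1.50"))
```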
Tasks at a glance (Optional.) Enabling client offline detection on the DHCP server (Optional.) Configuring SNMP notifications for the DHCP server (Optional.) Enabling DHCP logging on the DHCP server Creating a DHCP user class The DHCP server classifies DHCP users into different user classes according to the hardware address, option information, or the giaddr field in the received DHCP requests.
Creating a DHCP address pool
Step: Enter system view.
Command: system-view
Step: Create a DHCP address pool and enter its view.
Command: dhcp server ip-pool pool-name
Remarks: By default, no DHCP address pool exists.
Specifying IP address ranges for a DHCP address pool
You can configure both static and dynamic address allocation mechanisms in a DHCP address pool.
Step: (Optional.) Specify an IP address range for a DHCP user class.
Command: class class-name range start-ip-address end-ip-address
Remarks: By default, no IP address range is specified for a user class. The DHCP user class must already exist. To specify address ranges for multiple DHCP user classes, repeat this step.
Step: (Optional.) Set the address lease duration.
Command: expired { allow-hint | { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited } [ allow-hint ] }
Remarks: The default setting is 1 day.
By default, all the IP addresses in the DHCP address pool can be...
Step: (Optional.) Set the lease duration for the IP address.
Command: expired { allow-hint | { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited } [ allow-hint ] }
Remarks: The default setting is 1 day.
Specifying gateways for DHCP clients
DHCP clients send packets destined for other networks to a gateway.
Specifying DNS servers for DHCP clients To access hosts on the Internet through domain names, a DHCP client must contact a DNS server to resolve names. You can specify up to eight DNS servers in a DHCP address pool. To specify DNS servers in a DHCP address pool: Step Command Remarks...
Step: Enter system view.
Command: system-view
Step: Enter DHCP address pool view.
Command: dhcp server ip-pool pool-name
Remarks: By default, no DHCP address pool exists.
Step: Specify the BIMS server IP address, port number, and shared key.
Command: bims-server ip ip-address [ port port-number ] sharekey { cipher | ...
Remarks: By default, no BIMS server information is specified.
Specifying a server for DHCP clients Some DHCP clients need to obtain configuration information from a server, such as a TFTP server. You can specify the IP address of that server. The DHCP server sends the server's IP address to DHCP clients along with other configuration information.
• Add newly released options. • Add options for which the vendor defines the contents, for example, Option 43. • Add options for which the CLI does not provide a dedicated configuration command. For example, you can use the option 4 ip-address 1.1.1.1 command to define the time server address 1.1.1.1 for DHCP clients.
Step: Create a DHCP option group and enter DHCP option group view.
Command: dhcp option group option-group-number
Remarks: By default, no DHCP option group exists.
Step: Customize a DHCP option.
Command: option code { ascii ascii-string | hex hex-string | ip-address ...
Remarks: By default, no DHCP option is customized in a DHCP option group. DHCP options specified in DHCP...
Enabling the DHCP server on an interface Perform this task to enable the DHCP server on an interface. Upon receiving a DHCP request on the interface, the DHCP server assigns the client an IP address and other configuration parameters from a DHCP address pool.
• If a static binding is found for the client, the server assigns the static IP address and configuration parameters from the address pool that contains the static binding. • If no static binding is found for the client, the server uses the address pool applied to the interface for address and configuration parameter allocation.
Allocating different IP addresses to DHCP clients with the same MAC Traditionally, the DHCP server identifies DHCP clients based on their MAC addresses. Each MAC address can be bound to only one IP address. However, DHCP clients that have the same MAC address exist in the network, and each client requires an IP address.
• If the server receives a response within the specified period, it selects and pings another IP address. • If it receives no response, the server continues to ping the IP address until the maximum number of ping packets are sent. If still no response is received, the server assigns the IP address to the requesting client.
Step: Disable the DHCP server from encapsulating Option 60 in DHCP replies.
Command: dhcp server reply-exclude-option60
Remarks: By default, the DHCP server can encapsulate Option 60 in DHCP replies.
Configuring the DHCP server security features
Restrictions and guidelines
The DHCP server security features are not applicable if a DHCP relay agent exists in the network. This is because the MAC address of the DHCP relay agent is encapsulated as the source MAC address in the DHCP request received by the DHCP server.
Configuring DHCP starvation attack protection About DHCP starvation attack protection A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses.
Step: Enter system view.
Command: system-view
Step: Enable the DHCP server to broadcast responses.
Command: dhcp server always-broadcast
Remarks: By default, the DHCP server reads the broadcast flag to decide whether to broadcast or unicast a response.
Enabling the DHCP server to return a DHCP-NAK message upon client notions of incorrect IP addresses
About returning a DHCP-NAK message upon client notions of incorrect IP addresses
A DHCP client can send a DHCP-REQUEST message directly or upon receiving a DHCP-OFFER...
Configuring the DHCP server to send BOOTP responses in RFC 1048 format Not all BOOTP clients can send requests that are compatible with RFC 1048. By default, the DHCP server does not process the Vend field of RFC 1048-incompliant requests but copies the Vend field into responses.
Configuring DHCP binding auto backup The auto backup feature saves bindings to a backup file and allows the DHCP server to download the bindings from the backup file at the server reboot. The bindings include the lease bindings and conflicted IP addresses. They cannot survive a reboot on the DHCP server. The DHCP server does not provide services during the download process.
Figure 30 Network diagram
If the address pool is applied to a VPN instance, the VPN instance must exist.
To bind the gateways to the DHCP server's MAC address:
Step: Enter system view.
Command: system-view
Step: Enter DHCP address pool view.
Command: dhcp server ip-pool pool-name
Remarks: By default, no DHCP address pool exists.
Step: Enter system view.
Command: system-view
Step: Create a DHCP address pool and enter its view.
Command: dhcp server ip-pool pool-name
Remarks: By default, no DHCP address pool exists.
Step: Advertise subnets assigned to DHCP clients.
Command: network network-address [ mask-length | mask mask ]
Remarks: By default, the subnets assigned to DHCP clients are...
Step: Enable SNMP notifications for the DHCP server.
Command: snmp-agent trap enable dhcp server [ address-exhaust | allocated-ip | ip-in-use ]
Remarks: By default, SNMP notifications are enabled for the DHCP server.
Step: (Optional.) Set the IP address allocation success rate...
Command: dhcp server allocated-ip ...
Remarks: By default, no SNMP notification is sent for an IP...
Task: Display information about assignable IP addresses.
Command: display dhcp server free-ip [ pool pool-name | vpn-instance vpn-instance-name ]
Task: Display information about assigned IP addresses.
Command: display dhcp server ip-in-use [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]
[RouterA-GigabitEthernet1/0/1] ip address 10.1.1.1 25
[RouterA-GigabitEthernet1/0/1] quit
Configure the DHCP server:
# Enable DHCP.
[RouterA] dhcp enable
# Enable the DHCP server on GigabitEthernet 1/0/1.
[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] dhcp select server
[RouterA-GigabitEthernet1/0/1] quit
# Create DHCP address pool 0.
[RouterA] dhcp server ip-pool 0
# Configure a static binding for Router B.
Table 6 Assignment scheme
DHCP clients: Clients connected to GigabitEthernet 1/0/1
IP address: IP addresses on subnet 10.1.1.0/25
Lease: 10 days and 12 hours
Other configuration parameters:
• Gateway: 10.1.1.126/25
• DNS server: 10.1.1.2/25
• Domain name: aabbcc.com
• WINS server: 10.1.1.4/25
• ...
[RouterA-dhcp-pool-1] domain-name aabbcc.com
[RouterA-dhcp-pool-1] dns-list 10.1.1.2
[RouterA-dhcp-pool-1] gateway-list 10.1.1.126
[RouterA-dhcp-pool-1] nbns-list 10.1.1.4
[RouterA-dhcp-pool-1] quit
# Configure DHCP address pool 2 to assign IP addresses and other configuration parameters to clients on subnet 10.1.1.128/25.
[RouterA] dhcp server ip-pool 2
[RouterA-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128
[RouterA-dhcp-pool-2] expired day 5
[RouterA-dhcp-pool-2] domain-name aabbcc.com
[RouterA-dhcp-pool-2] dns-list 10.1.1.2...
Assign IP addresses: 10.10.1.2 to 10.10.1.10
To clients: The DHCP request contains Option 82.
Assign IP addresses: 10.10.1.11 to 10.10.1.26
To clients: The hardware address in the request is six bytes long and begins with aabb-aabb-aab.
Router B assigns the DNS server address 10.10.1.20/24 and the gateway address 10.10.1.254/24 to clients on subnet 10.10.1.0/24.
# Specify the address range for dynamic allocation.
[RouterB-dhcp-pool-aa] address range 10.10.1.2 10.10.1.100
# Specify the address range for user class tt.
[RouterB-dhcp-pool-aa] class tt range 10.10.1.2 10.10.1.10
# Specify the address range for user class ss.
[RouterB-dhcp-pool-aa] class ss range 10.10.1.11 10.10.1.26
# Specify the gateway address and the DNS server address.
[RouterB-dhcp-class-ss] if-match rule 1 hardware-address aabb-aabb-0000 mask ffff-ffff-0000
[RouterB-dhcp-class-ss] quit
# Create DHCP address pool aa.
[RouterB] dhcp server ip-pool aa
# Specify the subnet for dynamic allocation.
[RouterB-dhcp-pool-aa] network 10.1.1.0 mask 255.255.255.0
# Enable the DHCP user class whitelist.
[RouterB-dhcp-pool-aa] verify class
# Add DHCP user class ss to the DHCP user class whitelist.
Procedure
# Enable DHCP.
<RouterA> system-view
[RouterA] dhcp enable
# Configure the primary and secondary IP addresses of GigabitEthernet 1/0/1, and enable the DHCP server on GigabitEthernet 1/0/1.
[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[RouterA-GigabitEthernet1/0/1] ip address 10.1.2.1 24 sub
[RouterA-GigabitEthernet1/0/1] dhcp select server
[RouterA-GigabitEthernet1/0/1] quit
# Create DHCP address pool aa.
Assign PXE addresses: 1.2.3.4 and 2.2.2.2
To clients: Other clients.
The DHCP server assigns PXE server addresses to DHCP clients through Option 43, a custom option. The formats of Option 43 and the PXE server address sub-option are shown in Figure 27 and Figure 29.
[RouterA-dhcp-pool-0] quit
Verifying the configuration
# Verify that Router B can obtain an IP address on subnet 10.1.1.0/24 and the corresponding PXE server addresses from Router A. (Details not shown.)
# On the DHCP server, display the IP addresses assigned to the clients.
[RouterA] display dhcp server ip-in-use
IP address Client identifier/...
Procedure
Specify an IP address for GigabitEthernet 1/0/1 on the device.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[Device-GigabitEthernet1/0/1] quit
Configure the DHCP server:
# Enable DHCP.
[Device] dhcp enable
# Enable the DHCP server on GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dhcp select server
[Device-GigabitEthernet1/0/1] quit...
Disable the client's network adapter or disconnect the client's network cable. Ping the IP address of the client from another host to check whether there is a host using the same IP address. If a ping response is received, the IP address has been manually configured on a host. Execute the dhcp server forbidden-ip command on the DHCP server to exclude the IP address from dynamic allocation.
Configuring the DHCP relay agent About DHCP relay agent The DHCP relay agent enables clients to get IP addresses and configuration parameters from a DHCP server on another subnet. Figure 39 shows a typical application of the DHCP relay agent. Figure 39 DHCP relay agent application DHCP relay agent operation The DHCP server and client interact with each other in the same way regardless of whether the relay...
Figure 40 DHCP relay agent operation DHCP relay agent support for Option 82 Option 82 records the location information about the DHCP client. It enables the administrator to perform the following tasks: • Locate the DHCP client for security and accounting purposes. •...
DHCP relay agent tasks at a glance Tasks at a glance (Required.) Enabling DHCP (Required.) Enabling the DHCP relay agent on an interface (Required.) Specifying DHCP servers (Optional.) Configuring the DHCP relay agent security features (Optional.) Configuring the DHCP relay agent to release an IP address (Optional.) Configuring Option 82 (Optional.)
Specifying DHCP servers Specifying DHCP servers on a relay agent To improve availability, you can specify several DHCP servers on the DHCP relay agent. When the interface receives request messages from clients, the relay agent forwards them to all DHCP servers.
Procedure
To configure a DHCP address pool on the DHCP relay agent:
Step: Enter system view.
Command: system-view
Step: Create a DHCP address pool and enter its view.
Command: dhcp server ip-pool pool-name
Remarks: By default, no DHCP address pools exist.
Step: Specify gateway addresses...
Command: gateway-list ip-address&<1-64>...
Specifying the DHCP server selecting algorithm in interface view
Step: Enter system view.
Command: system-view
Step: Enter interface view.
Command: interface interface-type interface-number
Step: Enable the DHCP relay agent.
Command: dhcp select relay
Remarks: By default, an interface operates in the DHCP server mode when DHCP is enabled.
Step 10: (Optional.) Enable the switchback to the master DHCP server and set the delay time.
Command: master-server switch-delay delay-time
Remarks: By default, the DHCP relay agent does not switch back to the master DHCP server.
Configuring the DHCP relay agent security features
Restrictions and guidelines
If you execute both the dhcp flood-protection enable and dhcp server check mac-address...
Step: Enter system view.
Command: system-view
Step: Enable periodic refresh of dynamic relay entries.
Command: dhcp relay client-information refresh enable
Remarks: By default, periodic refresh of dynamic relay entries is enabled.
Step: Set the refresh interval.
Command: dhcp relay client-information refresh ...
Remarks: By default, the refresh interval is auto, which is...
Limit the number of ARP entries that a Layer 3 interface can learn. Set the MAC learning limit for a Layer 2 port, and disable unknown frame forwarding when the MAC learning limit is reached. • To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP relay agent.
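An added Python illustration (not the relay agent's own code) of the two starvation defences above: the MAC address check is implemented here as a comparison between the chaddr field and the frame's source MAC, and a small detector flags a source MAC that cycles through many chaddr values. The request records, window and threshold are constructed.

```python
"""Two defensive checks against DHCP starvation, written as an added
illustration (not Comware code): the chaddr-vs-source-MAC comparison that
the relay agent's MAC address check performs, and a detector that counts
distinct chaddr values per source MAC within a sliding time window."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpRequest:
    ts: float        # arrival time in seconds
    src_mac: str     # Ethernet source MAC of the frame
    chaddr: str      # client hardware address inside the DHCP message


def normalize_mac(mac: str) -> str:
    """Accept aabb-ccdd-eeff (Comware style) or aa:bb:cc:dd:ee:ff."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC {mac!r}")
    return digits


def mac_check(req: DhcpRequest) -> bool:
    """MAC address check: forward only when chaddr equals the frame source MAC."""
    return normalize_mac(req.src_mac) == normalize_mac(req.chaddr)


class StarvationDetector:
    """Flags a source MAC that presents more than max_chaddr distinct chaddr
    values within window seconds (both thresholds are assumed values)."""

    def __init__(self, window: float = 10.0, max_chaddr: int = 5) -> None:
        self.window = window
        self.max_chaddr = max_chaddr
        self._seen: dict[str, deque[tuple[float, str]]] = defaultdict(deque)

    def observe(self, req: DhcpRequest) -> bool:
        """Record one request; return True if its source MAC is now suspicious."""
        key = normalize_mac(req.src_mac)
        q = self._seen[key]
        q.append((req.ts, normalize_mac(req.chaddr)))
        while q and req.ts - q[0][0] > self.window:   # expire old observations
            q.popleft()
        return len({chaddr for _, chaddr in q}) > self.max_chaddr


def triage(requests: list[DhcpRequest]) -> dict[str, list[str]]:
    """Apply the MAC check to each request and list suspicious source MACs."""
    det = StarvationDetector()
    result: dict[str, list[str]] = {"forwarded": [], "discarded": [], "suspicious": []}
    for req in requests:
        bucket = "forwarded" if mac_check(req) else "discarded"
        result[bucket].append(req.chaddr)
        if det.observe(req) and req.src_mac not in result["suspicious"]:
            result["suspicious"].append(req.src_mac)
    return result


# Constructed sample: one legitimate client, then one source MAC cycling
# through forged chaddr values 100 ms apart.
SAMPLE = [DhcpRequest(0.0, "0001-0001-0001", "0001-0001-0001")] + [
    DhcpRequest(1.0 + i * 0.1, "00aa-00aa-00aa", f"00aa-00aa-{i:04x}")
    for i in range(8)
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```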
Enabling client offline detection on the DHCP relay agent The client offline detection on the DHCP relay agent detects the user online status based on the ARP entry aging. When an ARP entry ages out, the DHCP client offline detection feature deletes the relay entry for the IP address and sends a RELEASE message to the DHCP server.
Step: Enter interface view.
Command: interface interface-type interface-number
Step: Enable the relay agent to handle Option 82.
Command: dhcp relay information enable
Remarks: By default, handling of Option 82 is disabled.
Step: (Optional.) Configure the strategy...
Remarks: By default, the handling strategy is replace. If the handling strategy is replace, configure a padding mode and a...
Configuring DHCP packet rate limit on a DHCP relay interface IMPORTANT: The feature is available only on the CSPEX cards. This feature enables the DHCP relay interface to discard DHCP packets that exceed the maximum rate. To configure DHCP packet rate limit: Step Command Remarks...
The relay agent initially encapsulates its primary IP address to the giaddr field before forwarding a request to the DHCP server. If no DHCP-OFFER is received, the relay agent allows the client to send a maximum of two requests to the DHCP server by using the primary IP address. If no DHCP-OFFER is returned after two retries, the relay agent switches to a secondary IP address.
Step: Specify DHCP servers for the DHCP address pool.
Command: remote-server ...
Remarks: By default, the DHCP address pool does not have any DHCP server IP addresses. You can specify a maximum of eight DHCP servers for one DHCP address pool for high availability.
Step: Specify the source IP address...
Command: dhcp relay source-address { ip-address [ option { 60 ...
Remarks: By default, the DHCP relay agent uses the primary IP address of the interface that connects to the DHCP server as the source IP address for DHCP requests. If this interface does not have an IP address, the DHCP relay agent uses an IP...
secondary gateway. Then, when the secondary gateway receives a DHCP reply, it resolves Option 82, records the VLAN ID of the L2VE subinterface, and forwards the reply to the PW. To configure forwarding DHCP replies based on Option 82: Step Command Remarks Enter system view.
DHCP relay agent configuration examples Example: Configuring basic DHCP relay agent Network configuration As shown in Figure 41, configure the DHCP relay agent on Router A. The DHCP relay agent enables DHCP clients to obtain IP addresses and other configuration parameters from the DHCP server on another subnet.
Example: Configuring Option 82 Network configuration As shown in Figure 41, the DHCP relay agent (Router A) replaces Option 82 in DHCP requests before forwarding them to the DHCP server (Router B). • The Circuit ID sub-option is company001. • The Remote ID sub-option is device001.
Figure 42 Network diagram
Procedure
Assign IP addresses to interfaces on the routers. (Details not shown.)
Configure Router B and Router C as DHCP servers. (Details not shown.)
Configure the DHCP relay agent on Router A:
# Enable DHCP.
<RouterA> system-view
[RouterA] dhcp enable
# Enable the DHCP relay agent on GigabitEthernet 1/0/1.
Troubleshooting DHCP relay agent configuration Failure of DHCP clients to obtain configuration parameters through the DHCP relay agent Symptom DHCP clients cannot obtain configuration parameters through the DHCP relay agent. Solution Some problems might occur with the DHCP relay agent or server configuration. To locate the problem, enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information.
Configuring the DHCP client About DHCP client With DHCP client enabled, an interface uses DHCP to obtain configuration parameters from the DHCP server, for example, an IP address. Restrictions and guidelines: DHCP client configuration The DHCP client configuration is supported only on the Layer 3 Ethernet interfaces (or subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces on CSPEX (except CSPEX-1204) cards.
• Use an ASCII string as the client ID. If an ASCII string is used, the type value is 00. • Use a hexadecimal number as the client ID. If a hexadecimal number is used, the type value is the first two characters in the number. •...
Step: Set the DSCP value for DHCP packets sent by the DHCP client.
Command: dhcp client dscp dscp-value
Remarks: By default, the DSCP value in DHCP packets sent by the DHCP client is 56.
Display and maintenance commands for DHCP client
Execute display commands in any view.
Procedure
Configure Router A:
# Specify an IP address for GigabitEthernet 1/0/1.
<RouterA> system-view
[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[RouterA-GigabitEthernet1/0/1] quit
# Enable DHCP.
[RouterA] dhcp enable
# Exclude an IP address from dynamic allocation.
[RouterA] dhcp server forbidden-ip 10.1.1.2
# Configure DHCP address pool 0.
Destinations : 11        Routes : 11
Destination/Mask    Proto   Cost   NextHop     Interface
10.1.1.0/24         Direct  0      10.1.1.3    GE1/0/1
10.1.1.3/32         Direct  0      127.0.0.1   InLoop0
20.1.1.0/24         Static  70     10.1.1.2    GE1/0/1
10.1.1.255/32       Direct  0      10.1.1.3    GE1/0/1
127.0.0.0/8         Direct  0      127.0.0.1   InLoop0
127.0.0.0/32        Direct  0      127.0.0.1   InLoop0
127.0.0.1/32        Direct  0      ...
Configuring DHCP snooping About DHCP snooping DHCP snooping is a security feature for DHCP. DHCP snooping works between the DHCP client and server, or between the DHCP client and DHCP relay agent. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes.
Figure 45 Trusted and untrusted ports
In a cascaded network as shown in Figure 46, configure the DHCP snooping devices' ports facing the DHCP server as trusted ports. To save system resources, you can enable only the untrusted ports directly connected to the DHCP clients to record DHCP snooping entries.
Figure 46 Trusted and untrusted ports in a cascaded network
Table 8 Handling strategies
If a DHCP request has Option 82, DHCP snooping handles it according to the configured strategy:
Drop: Drops the message.
Keep: Forwards the message without changing Option 82.
Replace: Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format, padding content, and code type.
Step: Enable DHCP snooping.
Command: dhcp snooping enable
Remarks: By default, DHCP snooping is disabled.
Step: Enter interface view.
Command: interface interface-type interface-number
Remarks: This interface must connect to the DHCP server.
Step: Specify the port as a trusted port.
Command: dhcp snooping trust
Remarks: By default, all ports are untrusted ports after DHCP snooping is...
Step: Enable DHCP snooping to support Option 82.
  Command: dhcp snooping information enable
  Remarks: By default, DHCP snooping does not support Option 82.
Step: (Optional.) Configure a handling strategy for DHCP requests that contain Option 82.
  Command: dhcp snooping information strategy { drop | keep | replace }
  Remarks: By default, the handling strategy is replace.
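The three handling strategies from Table 8 applied to the option area of a DHCP request, as an added Python example (not code from the guide). The sample option bytes are constructed; the replacement Option 82 written here uses plain circuit-id and remote-id sub-options, a simplification of the configurable padding format, and requests without Option 82 are passed through unchanged as an assumption.

```python
# Added example (not from the H3C guide): applying the drop/keep/replace
# strategy to the Option 82 field of a DHCP request's option area.
OPTION_PAD, OPTION_END, OPTION_82 = 0, 255, 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2    # RFC 3046 sub-options


def parse_options(data: bytes) -> list:
    """Parse the DHCP option area (RFC 2132 code/length/value) into (code, value) pairs."""
    opts, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            break
        length = data[i + 1]
        opts.append((code, bytes(data[i + 2:i + 2 + length])))
        i += 2 + length
    return opts


def build_options(opts: list) -> bytes:
    out = bytearray()
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    out.append(OPTION_END)
    return bytes(out)


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Pad a fresh Option 82 value. The real padding format is configurable;
    this constructed version just writes the two standard sub-options."""
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)


def apply_strategy(options: bytes, strategy: str,
                   circuit_id: bytes, remote_id: bytes):
    """Return the option area to forward, or None when the request must be dropped.
    Assumption: requests that carry no Option 82 are passed through unchanged."""
    opts = parse_options(options)
    if not any(code == OPTION_82 for code, _ in opts):
        return options
    if strategy == "drop":
        return None
    if strategy == "keep":
        return options
    if strategy == "replace":
        fresh = build_option82(circuit_id, remote_id)
        return build_options([(OPTION_82, fresh) if c == OPTION_82 else (c, v)
                              for c, v in opts])
    raise ValueError(f"unknown strategy {strategy!r}")


# Constructed request option area: message type = DHCPREQUEST (3) plus an
# Option 82 inserted by some upstream device (circuit-id AA BB).
SAMPLE = bytes([53, 1, 3, 82, 4, 1, 2, 0xAA, 0xBB, 255])

if __name__ == "__main__":
    for s in ("drop", "keep", "replace"):
        print(s, apply_strategy(SAMPLE, s, b"\x00\x01", b"\x00\xe0"))
```

With `replace` (the default on the page) the relay information a client or upstream device could have forged is discarded and the snooping device's own view of where the request entered is written instead.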
Step: (Optional.) Set the waiting time after a DHCP snooping entry change for the DHCP database update.
  Command: dhcp snooping binding database update interval
  Remarks: The default waiting time is 300 seconds. When a DHCP snooping entry is learned, updated, or removed, the waiting period starts. The DHCP snooping device updates the backup file when the specified...
Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for legitimate DHCP clients that still need the IP addresses. To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP snooping entries to check incoming DHCP-REQUEST messages. •...
Step: Configure the port to block DHCP requests.
  Command: dhcp snooping deny
  Remarks: By default, the port does not block DHCP requests.

Enabling DHCP snooping logging

The DHCP snooping logging feature enables the DHCP snooping device to generate DHCP snooping logs and send them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.
DHCP snooping configuration examples

Example: Configuring basic DHCP snooping

Network configuration

As shown in Figure 47, Switch B is connected to the authorized DHCP server through GigabitEthernet 1/0/1, to the unauthorized DHCP server through GigabitEthernet 1/0/3, and to the DHCP client through GigabitEthernet 1/0/2. Configure only the port connected to the authorized DHCP server to forward the responses from the DHCP server.
Example: Configuring DHCP snooping support for Option 82

Network configuration

As shown in Figure 48, enable DHCP snooping and configure Option 82 on Switch B as follows:
• Configure the handling strategy for DHCP requests that contain Option 82 as replace.
•...
Verifying the configuration

# Display Option 82 configuration information on GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 on the DHCP snooping device.
[SwitchB] display dhcp snooping information...
Configuring the BOOTP client

About BOOTP client

BOOTP application

An interface that acts as a BOOTP client can use BOOTP to obtain information (such as IP address) from the BOOTP server. To use BOOTP, an administrator must configure a BOOTP parameter file for each BOOTP client on the BOOTP server.
Step: Configure an interface to use BOOTP for IP address acquisition.
  Command: ip address bootp-alloc
  Remarks: By default, an interface does not use BOOTP for IP address acquisition.

Display and maintenance commands for BOOTP client

Execute display commands in any view.

Task / Command:
  display bootp client [ interface interface-type...
DHCPv6 overview

DHCPv6 provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts.

DHCPv6 address/prefix assignment

An address/prefix assignment process involves two or four messages.

Rapid assignment involving two messages

As shown in Figure 49, rapid assignment operates in the following steps:
The DHCPv6 client sends to the DHCPv6 server a Solicit message that contains a Rapid Commit option to prefer rapid assignment.
Figure 50 Assignment involving four messages

Address/prefix lease renewal

An IPv6 address/prefix assigned by a DHCPv6 server has a valid lifetime. After the valid lifetime expires, the DHCPv6 client cannot use the IPv6 address/prefix. To use the IPv6 address/prefix, the DHCPv6 client must renew the lease time.
Stateless DHCPv6

Stateless DHCPv6 enables a device that has obtained an IPv6 address/prefix to get other configuration parameters from a DHCPv6 server. The device performs stateless DHCPv6 if an RA message with the following flags is received from the router during stateless address autoconfiguration:
•...
Figure 54 Option 18 format

Figure 54 shows the Option 18 format, which includes the following fields:
• Option code—Option code. The value is 18.
• Option length—Size of the option data.
• Port index—Port that receives the DHCPv6 request from the client.
•...
Configuring the DHCPv6 server

About DHCPv6 server

A DHCPv6 server can assign IPv6 addresses, IPv6 prefixes, and other configuration parameters to DHCPv6 clients.

IPv6 address assignment

As shown in Figure 56, the DHCPv6 server assigns IPv6 addresses, domain name suffixes, DNS server addresses, and other configuration parameters to DHCPv6 clients.
Concepts

Multicast addresses used by DHCPv6

DHCPv6 uses the multicast address FF05::1:3 to identify all site-local DHCPv6 servers. It uses the multicast address FF02::1:2 to identify all link-local DHCPv6 servers and relay agents.

DUID

A DHCP unique identifier (DUID) uniquely identifies a DHCPv6 device (DHCPv6 client, server, or relay agent).
Address allocation mechanisms

DHCPv6 supports the following address allocation mechanisms:
• Static address allocation—To implement static address allocation for a client, create a DHCPv6 address pool, and manually bind the DUID and IAID of the client to an IPv6 address in the DHCPv6 address pool.
• IPv6 address/prefix statically bound to the client's DUID and IAID.
• IPv6 address/prefix statically bound to the client's DUID and expected by the client.
• IPv6 address/prefix statically bound to the client's DUID.
• IPv6 address/prefix that was ever assigned to the client.
• Assignable IPv6 address/prefix in the address pool/prefix pool expected by the client.
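The selection order listed above, carried through as an added Python example (not code from the guide or from the DHCPv6 server implementation). The DUIDs, IAIDs, bindings and pool contents are constructed; the list on the page continues past the five items shown here, and what follows them is not modelled.

```python
# Added example (not from the H3C guide): the address/prefix selection order
# listed above, implemented over constructed bindings and a constructed pool.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class StaticBinding:
    duid: bytes
    address: str
    iaid: Optional[int] = None      # None: bound to the DUID only


@dataclass
class Dhcpv6Pool:
    static: list = field(default_factory=list)
    history: dict = field(default_factory=dict)   # duid -> address assigned before
    free: set = field(default_factory=set)        # assignable and unused

    def select(self, duid: bytes, iaid: int, hint: Optional[str] = None) -> Optional[str]:
        """Pick the address/prefix for a client, highest priority first."""
        mine = [b for b in self.static if b.duid == duid]
        for b in mine:                                  # 1. DUID + IAID binding
            if b.iaid == iaid:
                return b.address
        for b in mine:                                  # 2. DUID binding the client asked for
            if b.iaid is None and b.address == hint:
                return b.address
        for b in mine:                                  # 3. any DUID-only binding
            if b.iaid is None:
                return b.address
        if duid in self.history:                        # 4. previously assigned to the client
            return self.history[duid]
        if hint in self.free:                           # 5. free address the client asked for
            return hint
        return None   # the page's list continues beyond these five; not modelled


def demo_pool() -> Dhcpv6Pool:
    """Constructed pool with one DUID+IAID binding, two DUID-only bindings,
    one historical assignment and two free addresses."""
    return Dhcpv6Pool(
        static=[StaticBinding(b"duid-1", "2001:db8::10", iaid=1),
                StaticBinding(b"duid-1", "2001:db8::20"),
                StaticBinding(b"duid-1", "2001:db8::30")],
        history={b"duid-2": "2001:db8::40"},
        free={"2001:db8::50", "2001:db8::60"},
    )


if __name__ == "__main__":
    pool = demo_pool()
    print(pool.select(b"duid-1", 1), pool.select(b"duid-1", 2, hint="2001:db8::30"))
```

Note that a client's hint only wins when it points at something the server would already give that client (a DUID-only binding or a free address); it never overrides a static binding or the client's own history.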
Restrictions and guidelines

When you configure IPv6 prefix assignment, follow these restrictions and guidelines:
• An IPv6 prefix can be bound to only one DHCPv6 client. You cannot modify bindings that have been created. To change the binding for a DHCPv6 client, you must delete the existing binding first.
Step: Enter system view.
  Command: system-view
Step: (Optional.) Specify the IPv6 addresses excluded from dynamic assignment.
  Command: ipv6 dhcp server forbidden-address start-ipv6-address [ end-ipv6-address ]
  Remarks: By default, all IPv6 addresses except for the DHCPv6 server's IP address in a DHCPv6 address pool are assignable. If the excluded IPv6 address is in...
• Configure network parameters in a DHCPv6 option group, and specify the option group for a DHCPv6 address pool.
Network parameters configured in a DHCPv6 address pool take precedence over those configured in a DHCPv6 option group.

Configuring network parameters in a DHCPv6 address pool

Step Command Remarks...
Step: Specify a SIP server address or domain name.
  Command: sip-server { address ipv6-address | domain-name domain-name }
  Remarks: By default, no SIP server address or domain name is specified.
Step: Configure a self-defined DHCPv6 option.
  Command: option code hex hex-string
  Remarks: By default, no self-defined DHCPv6 option is configured.
Step: Return to system view.
  Command: quit
Step: Create a DHCPv6 policy and enter DHCPv6 policy view.
  Command: ipv6 dhcp policy policy-name
  Remarks: By default, no DHCPv6 policies exist.
Step: Specify a DHCPv6 address pool for a DHCPv6 user class.
  Command: class class-name pool pool-name
  Remarks: By default, no address pool is...
Step: Enable the DHCPv6 server on the interface.
  Command: ipv6 dhcp select server
  Remarks: By default, the interface discards DHCPv6 packets from DHCPv6 clients.
Step: Configure an address/prefix assignment and...
  Command:
  • Configure global address assignment: ipv6 dhcp server { allow-hint | preference preference-value | rapid-commit } *
  Remarks: By default, desired...
To set the DSCP value for DHCPv6 packets sent by the DHCPv6 server:

Step: Enter system view.
  Command: system-view
Step: Set the DSCP value for DHCPv6 packets sent by the DHCPv6 server.
  Command: ipv6 dhcp dscp dscp-value
  Remarks: By default, the DSCP value in DHCPv6 packets sent by the DHCPv6 server is...
Figure 59 Network diagram

If the address pool is applied to a VPN instance, the VPN instance must exist.

To configure the subnet advertisement feature:

Step: Enter system view.
  Command: system-view
Step: Create an address pool and enter its view.
  Command: ipv6 dhcp pool pool-name
  Remarks: By default, no DHCPv6 address pools exist.
Step: Enter system view.
  Command: system-view
Step: Create an address pool and enter its view.
  Command: ipv6 dhcp pool pool-name
  Remarks: By default, no DHCPv6 address pools exist.
Step: Apply the address pool to a VPN instance.
  Command: vpn-instance vpn-instance-name
  Remarks: By default, the address pool is not applied to any VPN instance.
Enabling the DHCPv6 server to advertise IPv6 prefixes

A DHCPv6 client can obtain an IPv6 prefix through DHCPv6 and use this IPv6 prefix to assign IPv6 addresses for clients in a downstream network. If the IPv6 prefix is in a different subnet than the IPv6 address of the DHCPv6 client's upstream interface, the clients in the downstream network cannot access the external network.
Task: Display DHCPv6 server information on an interface.
  Command: display ipv6 dhcp server [ interface interface-type interface-number ]
Task: Display information about IPv6 address conflicts.
  Command: display ipv6 dhcp server conflict [ address ipv6-address ] [ vpn-instance vpn-instance-name ]
Task: Display information about DHCPv6 binding auto backup.
  Command: display ipv6 dhcp server database
Task: Display information about expired IPv6...
Figure 60 Network diagram

Procedure

# Specify an IPv6 address for GigabitEthernet 1/0/1.
<Router> system-view
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ipv6 address 1::1/64
# Disable RA message suppression on GigabitEthernet 1/0/1.
[Router-GigabitEthernet1/0/1] undo ipv6 nd ra halt
# Set the M flag to 1 in RA advertisements to be sent on GigabitEthernet 1/0/1. Hosts that receive the advertisements will obtain IPv6 addresses through DHCPv6.
[Router-dhcp6-pool-1] sip-server domain-name bbb.com
[Router-dhcp6-pool-1] quit
# Enable the DHCPv6 server on GigabitEthernet 1/0/1, enable desired prefix assignment and rapid prefix assignment, and set the preference to the highest.
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ipv6 dhcp select server
[Router-GigabitEthernet1/0/1] ipv6 dhcp server allow-hint preference 255 rapid-commit

Verifying the configuration

# Display the DHCPv6 server configuration on GigabitEthernet 1/0/1.
2001:410:201::/48        Static(C)    Jul 10 19:45:01 2009
# After the other client obtains an IPv6 prefix, display the binding information on the DHCPv6 server.
[Router-GigabitEthernet1/0/1] display ipv6 dhcp server pd-in-use
Pool: 1
  IPv6 prefix              Type         Lease expiration
  2001:410:201::/48        Static(C)    Jul 10 19:45:01 2009
  2001:410::/48            Auto(C)      Jul 10 20:44:05 2009...
# Specify an IPv6 address for GigabitEthernet 1/0/2.
[RouterA] interface gigabitethernet 1/0/2
[RouterA-GigabitEthernet1/0/2] ipv6 address 1::2:0:0:1/96
# Disable RA message suppression on GigabitEthernet 1/0/2.
[RouterA-GigabitEthernet1/0/2] undo ipv6 nd ra halt
# Set the M flag to 1 in RA advertisements to be sent on GigabitEthernet 1/0/2. Hosts that receive the advertisements will obtain IPv6 addresses through DHCPv6.
Configuring the DHCPv6 relay agent

About DHCPv6 relay agent

Typical application

A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 62, if the DHCPv6 server resides on another subnet, the DHCPv6 clients need a DHCPv6 relay agent to contact the...
Figure 63 Operating process of a DHCPv6 relay agent (DHCPv6 client, DHCPv6 relay agent, DHCPv6 server: Solicit (contains a Rapid Commit option), (2) Relay-forward, (3) Relay-reply, (4) Reply)

DHCPv6 relay agent tasks at a glance

Tasks at a glance
(Required.) Enabling the DHCPv6 relay agent on an interface
(Required.) Specifying DHCPv6 servers on the relay agent...
To specify a DHCPv6 server on a relay agent:

Step: Enter system view.
  Command: system-view
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Specify a DHCPv6 server.
  Command: ipv6 dhcp relay server-address
  Remarks: By default, no DHCPv6 server is specified. If a DHCPv6 server address is a link-local address or multicast...
Step: Specify gateway addresses for the clients matching the DHCPv6 address pool.
  Command: gateway-list ipv6-address&<1-8>
  Remarks: By default, no gateway address is specified.
Step: Specify DHCPv6 servers for the DHCPv6 address pool.
  Command: remote-server ipv6-address [ interface interface-type...
  Remarks: By default, no DHCPv6 server is specified for the DHCPv6 address pool. You can specify a maximum of eight...
Specifying a padding mode for the Interface-ID option

This feature enables the relay agent to fill the Interface-ID option in the specified mode. When receiving a DHCPv6 packet from a client, the relay agent fills the Interface-ID option in the mode and then forwards the packet to the DHCPv6 server.
Step: Enter system view.
  Command: system-view
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Enable IPv6 release notification.
  Command: ipv6 dhcp relay release-agent
  Remarks: By default, IPv6 release notification is disabled.

Enabling client offline detection

This feature enables the DHCPv6 relay agent to detect the status of ND entries. After an ND entry ages out, the DHCPv6 relay agent considers the client offline and deletes the relay entry for the client.
Enabling the DHCPv6 relay agent to advertise IPv6 prefixes

A DHCPv6 client can obtain an IPv6 prefix through DHCPv6 and use this IPv6 prefix to assign IPv6 addresses to clients in a downstream network. If the IPv6 prefix is in a different subnet than the IPv6 address of the DHCPv6 client's upstream interface, the clients in the downstream network cannot access the external network.
DHCPv6 relay agent configuration examples

Example: Configuring DHCPv6 relay agent

Network configuration

As shown in Figure 64, configure the DHCPv6 relay agent on Router A to relay DHCPv6 packets between DHCPv6 clients and the DHCPv6 server. Router A acts as the gateway of network 1::/64. It sends RA messages to notify the hosts to obtain IPv6 addresses and other configuration parameters through DHCPv6.
Configuring DHCPv6 snooping

About DHCPv6 snooping

It guarantees that DHCPv6 clients obtain IP addresses from authorized DHCPv6 servers. Also, it records IP-to-MAC bindings of DHCPv6 clients (called DHCPv6 snooping entries) for security purposes. DHCPv6 snooping defines trusted and untrusted ports to make sure that clients obtain IPv6 addresses only from authorized DHCPv6 servers.
Restrictions and guidelines: DHCPv6 snooping configuration

DHCPv6 snooping works between the DHCPv6 client and server, or between the DHCPv6 client and DHCPv6 relay agent. DHCPv6 snooping does not work between the DHCPv6 server and DHCPv6 relay agent.

DHCPv6 snooping tasks at a glance

Tasks at a glance
(Required.) Configuring basic DHCPv6 snooping...
Step: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: This interface must connect to the DHCPv6 client.
Step: (Optional.) Enable recording of client information in DHCPv6 snooping entries.
  Command: ipv6 dhcp snooping binding record
  Remarks: By default, DHCPv6 snooping does not record client information.

Configuring support for Option 18

Step Command...
Step: Enter system view.
  Command: system-view
Step: Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries.
  Command: ipv6 dhcp snooping binding database filename { filename | url url [ username username...
  Remarks: By default, the DHCPv6 snooping device does not back up the DHCPv6 snooping entries. With this command executed, the DHCPv6 snooping device backs up DHCPv6 snooping...
The DHCPv6-REQUEST check feature enables the DHCPv6 snooping device to check every received DHCPv6-RENEW, DHCPv6-DECLINE, or DHCPv6-RELEASE message against DHCPv6 snooping entries. • If any criterion in an entry is matched, the device compares the entry with the message information. If they are consistent, the device considers the message valid and forwards it to the DHCPv6 server.
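The check described here, and the DHCP-REQUEST check for forged DHCP-DECLINE and DHCP-RELEASE messages described in the DHCP snooping chapter above, share one rule: find the snooping entry that matches a criterion of the message, then accept the message only if every field agrees with the entry. The added Python example below (not code from the guide) models that rule over constructed entries and messages for both DHCPv4 and DHCPv6 message types. The behaviour when no entry matches at all is not shown on the page, so it is an explicit parameter here.

```python
# Added example (not from the H3C guide): the DHCP-REQUEST / DHCPv6-REQUEST
# check modelled over constructed snooping entries and messages.
from dataclasses import dataclass

# Message types whose acceptance changes or ends a lease and are therefore checked
CHECKED_TYPES = {"REQUEST", "DECLINE", "RELEASE",        # DHCPv4
                 "RENEW"}                                 # DHCPv6 adds RENEW


@dataclass(frozen=True)
class BindingEntry:
    mac: str
    ip: str       # IPv4 or IPv6 address as text
    vlan: int
    port: str


def check_request(msg: dict, entries: list, unknown_action: str = "forward") -> str:
    """Return 'forward' or 'drop' for one lease-affecting message."""
    if msg["type"] not in CHECKED_TYPES:
        return "forward"
    # Candidate entries: any criterion (here the MAC or the address) matches.
    candidates = [e for e in entries if e.mac == msg["mac"] or e.ip == msg["ip"]]
    if not candidates:
        # No entry at all: the page does not show this branch, so it is a
        # parameter here (assumption: forward by default).
        return unknown_action
    for e in candidates:
        if (e.mac, e.ip, e.vlan, e.port) == (msg["mac"], msg["ip"], msg["vlan"], msg["in_port"]):
            return "forward"          # entry and message are consistent
    return "drop"                     # entry found, but the message disagrees with it


# Constructed snooping entries: one IPv4 client and one IPv6 client on GE1/0/2.
ENTRIES = [
    BindingEntry("00e0-fc12-3456", "10.1.1.5", 1, "GE1/0/2"),
    BindingEntry("00e0-fc12-3457", "2001:db8::5", 1, "GE1/0/2"),
]


def demo() -> list:
    legit = {"type": "RELEASE", "mac": "00e0-fc12-3456", "ip": "10.1.1.5",
             "vlan": 1, "in_port": "GE1/0/2"}
    # Same address, but a different MAC on a different port: a forged release.
    forged = {"type": "RELEASE", "mac": "00e0-fc99-9999", "ip": "10.1.1.5",
              "vlan": 1, "in_port": "GE1/0/3"}
    forged6 = {"type": "RENEW", "mac": "00e0-fc12-3457", "ip": "2001:db8::5",
               "vlan": 1, "in_port": "GE1/0/3"}
    discover = {"type": "DISCOVER", "mac": "00e0-fc99-9999", "ip": "0.0.0.0",
                "vlan": 1, "in_port": "GE1/0/3"}
    return [check_request(m, ENTRIES) for m in (legit, forged, forged6, discover)]


if __name__ == "__main__":
    print(demo())
```

The forged release is refused because the entry keyed by the address says that lease belongs to another MAC on another port; the client's own release, arriving where the entry was learned, passes.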
Display and maintenance commands for DHCPv6 snooping

Execute display commands in any view, and reset commands in user view.

Task: Display information about trusted ports.
  Command: display ipv6 dhcp snooping trust
Task: Display DHCPv6 snooping entries.
  Command: display ipv6 dhcp snooping binding [ address ipv6-address [ vlan vlan-id ] ]
Task: Display information about the file that stores DHCPv6...
  Command: display ipv6 dhcp snooping binding database...
Configuring MAC authentication

About MAC authentication

MAC authentication controls network access by authenticating source MAC addresses on a port. The feature does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port.
Authentication methods

You can perform MAC authentication on the access device (local authentication) or through a RADIUS server. For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA."

Local authentication

If MAC-based accounts are used, the access device uses the source MAC address of the packet as the username and password to search the local account database for a match.
Table 9 VLAN manipulation

Port type / VLAN manipulation:
• If the port is assigned to the authorization VLAN as an untagged member, the device assigns the port to the first authenticated user's authorization VLAN. The authorization VLAN becomes the PVID. All MAC authentication users on the port must be assigned the same authorization VLAN.
is not assigned to the critical VLAN. For more information about the authentication methods, see "Configuring AAA."

Table 11 shows the way that the network access device handles critical VLANs for MAC authentication users.

Table 11 VLAN manipulation

Authentication status / VLAN manipulation:
The device maps the MAC address of the user to the MAC authentication critical VLAN.
For more information about user profiles, see BRAS Services Configuration Guide.

Periodic MAC reauthentication

Periodic MAC reauthentication tracks the connection status of online users, and updates the authorization attributes assigned by the RADIUS server. The attributes include the ACL and VLAN. The device reauthenticates an online MAC authentication user periodically only after it receives the termination action Radius-request from the authentication server for this user.
Prerequisites for MAC authentication

Before you configure MAC authentication, configure an ISP domain and specify an AAA method. For more information, see "Configuring AAA."
• For local authentication, you must also create local user accounts (including usernames and passwords) and specify the lan-access service for local users.
•...
Step: Specify an authentication domain for MAC authentication users.
  Command:
  • In system view: mac-authentication domain domain-name
  • In interface view:
    a. interface interface-type interface-number
    b. mac-authentication domain domain-name
  Remarks: By default, the system default authentication domain is used for MAC authentication users.

Configuring the user account format

Step...
Step: Enter system view.
  Command: system-view
Step: Configure MAC authentication timers.
  Command: mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
  Remarks: By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.
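Local MAC authentication with MAC-based accounts (described under "Authentication methods" above) together with the offline-detect and quiet timers from this table, as an added Python model that is not code from the guide or from Comware. The account name format follows the `00-e0-fc-12-34-56` style used in the local-user example later in this chapter; the MAC addresses, timestamps and the 300/60-second timer values (the page defaults) are constructed inputs, and the server-timeout timer is carried but unused because no RADIUS server is modelled.

```python
# Added example (not from the H3C guide): local MAC authentication with
# MAC-based accounts and the offline-detect / quiet timers; account names,
# MAC addresses and timestamps are constructed.
from dataclasses import dataclass, field


@dataclass
class MacAuthTimers:
    offline_detect: int = 300   # seconds; page defaults
    quiet: int = 60
    server_timeout: int = 100   # only used with a RADIUS server, unused here


def account_name(raw_mac: str) -> str:
    """Normalize '00e0-fc12-3456' or '00:E0:FC:12:34:56' to the
    'xx-xx-xx-xx-xx-xx' form used for MAC-based local user accounts."""
    digits = "".join(ch for ch in raw_mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw_mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MacAuthPort:
    local_users: dict                 # account name -> (password, set of services)
    timers: MacAuthTimers = field(default_factory=MacAuthTimers)
    online: dict = field(default_factory=dict)   # account -> time of last traffic
    silent: dict = field(default_factory=dict)   # account -> quiet timer expiry

    def packet(self, src_mac: str, now: float) -> str:
        """Process one frame with source MAC src_mac seen at time now."""
        name = account_name(src_mac)
        if name in self.online:
            self.online[name] = now               # refresh the offline-detect timer
            return "forward"
        if self.silent.get(name, float("-inf")) > now:
            return "drop"                         # silent MAC: no re-attempt yet
        self.silent.pop(name, None)
        acct = self.local_users.get(name)
        # MAC-based account: username and password are both the MAC address,
        # and the account must carry the lan-access service.
        if acct and acct[0] == name and "lan-access" in acct[1]:
            self.online[name] = now
            return "authenticated"
        self.silent[name] = now + self.timers.quiet
        return "failed"

    def offline_check(self, now: float) -> list:
        """Log off users whose traffic has been absent for the offline-detect time."""
        gone = [n for n, last in self.online.items()
                if now - last >= self.timers.offline_detect]
        for n in gone:
            del self.online[n]
        return gone


def demo():
    port = MacAuthPort({"00-e0-fc-12-34-56": ("00-e0-fc-12-34-56", {"lan-access"})})
    events = [
        port.packet("00e0-fc12-3456", 0),    # Host A, account exists
        port.packet("00e0-fc12-3457", 0),    # Host B, no account -> silent MAC
        port.packet("00e0-fc12-3457", 30),   # still within the quiet timer
        port.packet("00e0-fc12-3457", 61),   # quiet timer expired, re-tried
        port.packet("00e0-fc12-3456", 100),  # Host A traffic keeps it online
    ]
    return events, port.offline_check(399), port.offline_check(400)


if __name__ == "__main__":
    print(demo())
```

The quiet timer is what keeps a failed MAC from re-triggering authentication on every frame, and the offline-detect timer is what finally removes a user that simply went silent.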
nor reauthenticates the user. The device creates a new MAC-VLAN mapping for the user, and traffic transmission is not interrupted. The original MAC-VLAN mapping for the user remains on the device until it dynamically ages out. As a best practice, configure this feature on hybrid or trunk ports. This feature improves transmission of data that is vulnerable to delay and interference.
Prerequisites

Before you configure the MAC authentication guest VLAN on a port, complete the following tasks:
• Create the VLAN to be specified as the MAC authentication guest VLAN.
• Configure the port as a hybrid port, and configure the VLAN as an untagged member on the port.
Prerequisites

Before you configure the MAC authentication critical VLAN on a port, complete the following tasks:
• Create the VLAN to be specified as the MAC authentication critical VLAN.
• Configure the port as a hybrid port, and configure the VLAN as an untagged member on the port.
Including user IP addresses in MAC authentication requests

About the feature of including user IP addresses in MAC authentication requests

This feature enables the device to add user IP addresses to the MAC authentication requests that are sent to an IMC server. Upon receiving an authentication request, the IMC server compares the user IP and MAC addresses in the request with its local IP-MAC mapping of the user.
# Specify the LAN access service for the user.
[Device-luser-network-00-e0-fc-12-34-56] service-type lan-access
[Device-luser-network-00-e0-fc-12-34-56] quit
# Configure ISP domain bbb to perform local authentication for LAN users.
[Device] domain bbb
[Device-isp-bbb] authentication lan-access local
[Device-isp-bbb] quit
# Enable MAC authentication on GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] mac-authentication
[Device-GigabitEthernet1/0/1] quit...
Host mode                 : Single VLAN
Offline detection         : Enabled
Max online users          : 4294967295
Authentication attempts   : successful 1, failed 0
Current online users
  MAC address      Auth state
  00e0-fc12-3456   Authenticated

The output shows that Host A has passed MAC authentication and has come online. Host B failed MAC authentication and its MAC address is marked as a silent MAC address.
[Device-radius-2000] key accounting simple abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Apply the RADIUS scheme to ISP domain bbb for authentication, authorization, and accounting.
[Device] domain bbb
[Device-isp-bbb] authentication default radius-scheme 2000
[Device-isp-bbb] authorization default radius-scheme 2000
[Device-isp-bbb] accounting default radius-scheme 2000
[Device-isp-bbb] quit
# Enable MAC authentication on GigabitEthernet 1/0/1.
Configuring PPP

About PPP

Point-to-Point Protocol (PPP) is a point-to-point link layer protocol. It provides user authentication, supports synchronous/asynchronous communication, and allows for easy extension.

PPP protocols

PPP includes the following protocols:
• Link control protocol (LCP)—Establishes, tears down, and monitors data links.
•...
If a network layer protocol is configured, the PPP link enters the Network-Layer Protocol phase for NCP negotiation, such as IPCP negotiation and IPv6CP negotiation. If the NCP negotiation succeeds, the link goes up and becomes ready to carry negotiated network-layer protocol packets.
IP address negotiation

IP address negotiation enables one end to assign an IP address to the other. An interface can act as a client or a server during IP address negotiation:
• Client—Obtains an IP address from the server. Use the client mode when the device accesses the Internet through an ISP.
The device can assign a host an IPv6 address in either of the following ways: • When the host connects to the device directly or through a bridge device, the device can use method 1 or method 2. • When the host accesses the device through a router, the device can use method 3 to assign an IPv6 prefix to the router.
Step: Create a VT interface and enter its view, or enter the view of an existing VT interface.
  Command: interface virtual-template number
Step: (Optional.) Configure the description of the interface.
  Command: description text
  Remarks: By default, the description for a VT interface is interface name Interface (for example, Virtual-Template1 Interface).
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Configure the PAP username and password sent from the peer to the authenticator.
  Command: ppp pap local-user username
  Remarks: By default, when being authenticated by the authenticator by using PAP, the peer sends a null username and password to the authenticator.
Step: Configure a username for the CHAP peer.
  Command: ppp chap user username
  Remarks: The default setting is null. The username you configure for the peer here must be the same as the local username you configure for the peer on the authenticator. For local AAA authentication, the username and password of the authenticator must be configured...
Step: Configure a username for the CHAP peer.
  Command: ppp chap user username
  Remarks: The default setting is null. The username you configure on the peer must be the same as the local username you configure for the peer on the authenticator.
The default setting is null.
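Why the username set with `ppp chap user` on the peer must match a local username on the authenticator: the authenticator uses the name in the CHAP Response to look up the secret it recomputes the response with. The added Python example below (not code from the guide or from Comware) walks through one CHAP exchange as defined in RFC 1994, with MD5 over identifier, secret and challenge; the usernames, passwords and the fixed challenge used in the demonstration are constructed.

```python
# Added example (not from the H3C guide): a CHAP exchange (RFC 1994) showing why
# the username set with "ppp chap user" on the peer must match a local username on
# the authenticator. Usernames, passwords and the challenge are constructed.
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP/MD5 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapPeer:
    """The side being authenticated (configured with ppp chap user <name>)."""
    def __init__(self, username: str, password: bytes):
        self.username, self.password = username, password

    def answer(self, identifier: int, challenge: bytes) -> dict:
        return {"id": identifier, "name": self.username,
                "value": chap_response(identifier, self.password, challenge)}


class ChapAuthenticator:
    """The side running CHAP authentication against local AAA users."""
    def __init__(self, local_users: dict):
        self.local_users = local_users          # local username -> password bytes
        self.identifier, self.challenge = 0, b""

    def issue_challenge(self, rng=os.urandom) -> tuple:
        self.identifier = (self.identifier + 1) & 0xFF
        self.challenge = rng(16)                # 16 random octets
        return self.identifier, self.challenge

    def verify(self, response: dict) -> bool:
        if response["id"] != self.identifier:
            return False                        # stale or replayed response
        secret = self.local_users.get(response["name"])
        if secret is None:
            return False                        # no local user with that name
        expected = chap_response(self.identifier, secret, self.challenge)
        return hmac.compare_digest(expected, response["value"])


def run_exchange(peer: ChapPeer, auth: ChapAuthenticator, rng=os.urandom) -> bool:
    """Challenge -> Response -> Success/Failure, collapsed to a boolean."""
    identifier, challenge = auth.issue_challenge(rng)
    return auth.verify(peer.answer(identifier, challenge))


if __name__ == "__main__":
    auth = ChapAuthenticator({"userb": b"pass-b"})
    print(run_exchange(ChapPeer("userb", b"pass-b"), auth))
    print(run_exchange(ChapPeer("usera", b"pass-b"), auth))   # name mismatch
```

The second exchange fails even though the password is right: the name in the Response selects which local secret the authenticator uses, so a peer whose `ppp chap user` name is not a local user on the authenticator can never pass.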
Configuring MS-CHAP or MS-CHAP-V2 authentication (authenticator name is not configured)

Step: Enter system view.
  Command: system-view
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Configure the authenticator to authenticate the peer by using MS-CHAP or MS-CHAP-V2.
  Command: ppp authentication-mode { ms-chap | ms-chap-v2 } [ domain { isp-name | ...
  Remarks: By default, PPP authentication is disabled.
Enabling fast reply for keepalive packets

This feature allows the hardware to automatically identify and reply to incoming keepalive requests, which can prevent DDoS attacks. This feature is only supported by CSPEX cards (except CSPEX-1204).

To enable fast reply for keepalive packets:

Step Command Remarks...
Step: (Optional.) Set the LCP negotiation delay timer.
  Command: ppp lcp delay milliseconds
  Remarks: By default, PPP starts LCP negotiation immediately after the physical layer comes up.

Configuring IP address negotiation on the client

Step: Enter system view.
  Command: system-view
Step: Enter interface view.
  Command: interface interface-type interface-number
Specifying a PPP address pool on the server interface

Step: Enter system view.
  Command: system-view
Step: Configure a PPP address pool.
  Command: ip pool pool-name start-ip-address [ end-ip-address ] [ group group-name ]
  Remarks: By default, no PPP address pool is configured.
Step: (Optional.) Enable new IP...
  Command: ip pool pool-name...
  Remarks: By default, new IP address...
Step: Configure the interface to assign an IP address from the configured DHCP address pool to the peer.
  Command: remote address pool pool-name
  Remarks: By default, an interface does not assign an IP address to the peer.
Step: Configure an IP address for the interface.
  Command: ip address ip-address
  Remarks: By default, no IP address is...
Step Command Remarks
• If the server acts as a DHCP server, perform the following tasks:
  Configure the DHCP server.
  Configure a DHCP address pool on the server.
• If the server acts as a DHCP relay agent, perform the...
  For information, see "Configuring the DHCP server"...
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Enable IP segment match.
  Command: ppp ipcp remote-address match
  Remarks: By default, this feature is disabled.

Configuring DNS server IP address negotiation on the client

During PPP negotiation, the server will assign a DNS server IP address only for a client configured with the ppp ipcp dns request command.
Step: Enter system view.
  Command: system-view
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Enable PPP accounting.
  Command: ppp account-statistics enable [ acl { acl-number | name acl-name } ]
  Remarks: By default, PPP accounting is disabled.

Enabling logging for PPP users

The PPP user logging feature enables the device to generate PPP logs and send them to the information center.
Enabling PPP user blocking

About PPP user blocking

This feature blocks a PPP user for a period if the user fails authentication consecutively for the specified number of times within the detection period. This feature helps prevent illegal users from using the method of exhaustion to obtain the password, and reduces authentication packets sent to the authentication server.
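The blocking rule above as an added Python model (not code from the guide or from Comware): consecutive failures are counted inside a sliding detection window, reaching the limit blocks the user for the block period, and a blocked user is refused before any credential check so that no request is sent on to the authentication server. The limits (3 failures, 60-second window, 300-second block), user names and timestamps are constructed values, not the page's defaults, which it does not state.

```python
# Added example (not from the H3C guide): the PPP user blocking rule as a
# sliding-window failure counter. The limits and timestamps are constructed.
from collections import deque


class PppUserBlocker:
    def __init__(self, max_failures: int = 3, detection_period: int = 60,
                 block_period: int = 300):
        self.max_failures = max_failures
        self.detection_period = detection_period
        self.block_period = block_period
        self.failures = {}          # user -> deque of failure timestamps
        self.blocked_until = {}     # user -> time the block expires

    def is_blocked(self, user: str, now: float) -> bool:
        until = self.blocked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[user]   # block period over
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Register one authentication failure; return True if the user is now blocked."""
        window = self.failures.setdefault(user, deque())
        window.append(now)
        # Only failures inside the detection period count as consecutive.
        while window and now - window[0] > self.detection_period:
            window.popleft()
        if len(window) >= self.max_failures:
            self.blocked_until[user] = now + self.block_period
            window.clear()
            return True
        return False

    def authenticate(self, user: str, password: str, now: float, users: dict) -> str:
        """Return 'blocked', 'ok' or 'failed'. Blocked users are refused before any
        credential check, so nothing is sent to the authentication server."""
        if self.is_blocked(user, now):
            return "blocked"
        if users.get(user) == password:
            self.failures.pop(user, None)   # a success ends the consecutive run
            return "ok"
        self.record_failure(user, now)
        return "failed"


if __name__ == "__main__":
    blocker, users = PppUserBlocker(), {"alice": "s3cret"}
    for t in (0, 10, 20, 100, 321):
        print(t, blocker.authenticate("alice", "s3cret" if t > 50 else "x", t, users))
```

Because the window slides, three failures spread over more than the detection period do not block; three within it do, and even the correct password is refused until the block expires.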
Suppressing adding PPP peer host routes to the local direct route table

By default, PPP automatically adds the peer host routes to the local direct route table after the PPP link negotiation succeeds. The PPP links do not strictly require that the peer routes and local routes are on the same network segment.
Configuring L2TP

About L2TP

The Layer 2 Tunneling Protocol (L2TP) is a Virtual Private Dialup Network (VPDN) tunneling protocol. L2TP sets up point-to-point tunnels across a public network (for example, the Internet) and transmits encapsulated PPP frames (L2TP packets) over the tunnels. With L2TP, remote users can access the private networks through L2TP tunnels after connecting to a public network by using PPP.
• Control messages—Used to establish, maintain, and delete L2TP tunnels and sessions. Control messages are transmitted over a reliable control channel, which supports flow control and congestion control. • Data messages—Used to encapsulate PPP frames, as shown in Figure 74. Data messages are transmitted over an unreliable data channel and are not retransmitted when packet loss occurs.
• The remote system only needs to support PPP, and it does not need to support L2TP.
• Authentication and accounting of the remote system can be implemented on the LAC or LNS.

Figure 77 NAS-initiated tunnel establishment process
In steps 12 and 13, the LAC forwards packets for the remote system and LNS. Host A and LAC exchange PPP frames, and the LAC and LNS exchange L2TP packets.

Client-initiated tunneling mode

As shown in Figure 78, a remote system running L2TP (LAC client) has a public IP address to communicate with the LNS through the Internet.
Figure 80 LAC-auto-initiated tunneling mode

An LAC-auto-initiated tunnel has the following characteristics:
• The connection between a remote system and the LAC is not confined to a dial-up connection and can be any IP-based connection.
• Private address allocation—An LNS can dynamically allocate private addresses to remote users. This facilitates address allocation for private internets (RFC 1918) and improves security. • Flexible accounting—Accounting can be simultaneously performed on the LAC and LNS. This allows bills to be generated on the ISP side and charging and auditing to be processed on the enterprise gateway.
• L2TP tunnel sharing—Different users can share the same L2TP tunnel between the LAC and the LTS. The LTS distributes data of different users to different LNSs.

Figure 82 L2TP tunnel switching network diagram

L2TP-based EAD

EAD authenticates PPP users that pass the access authentication. PPP users that pass EAD authentication can access network resources.
L2TP tasks at a glance

When you configure L2TP, perform the following tasks:
Determine the network devices needed according to the networking environment. For NAS-initiated mode and LAC-auto-initiated mode, configure both the LAC and the LNS. For client-initiated mode, you only need to configure the LNS.
Configure the devices based on the intended role (LAC or LNS) on the network.
Configuring basic L2TP capabilities

Basic L2TP capability configuration includes the following tasks:
• Enabling L2TP—L2TP must be enabled for L2TP configurations to take effect.
• Creating an L2TP group—An L2TP group is intended to represent a group of parameters. This enables not only flexible L2TP configuration on devices, but also one-to-one and one-to-many networking applications for LACs and LNSs.
Step: Configure the LAC to initiate tunneling requests for a user.
  Command: user { domain domain-name | fullusername user-name }
  Remarks: By default, an LAC does not initiate tunneling requests for any users.

Specifying LNS IP addresses

You can specify up to five LNS IP addresses. The LAC initiates an L2TP tunneling request to its specified LNSs consecutively in their configuration order until it receives an acknowledgment from an LNS.
Step: Enter L2TP group view in LAC mode.
  Command: l2tp-group group-number [ mode lac ]
Step: Configure each L2TP user to use an L2TP tunnel exclusively.
  Command: tunnel-per-user
  Remarks: By default, an L2TP tunnel can be used by multiple L2TP users.

Enabling transferring AVP data in hidden mode

L2TP uses Attribute Value Pairs (AVPs) to transmit tunnel negotiation parameters, session negotiation parameters, and user authentication information.
Specify the PPP authentication method for the PPP user.
Configure the username and password of the PPP user. The LNS then authenticates the PPP user. For more information, see "Configuring PPP."
• Trigger the LAC to automatically establish an L2TP tunnel.
To configure an LAC to automatically establish an L2TP tunnel:
Step Command...
Creating a VT interface
After an L2TP session is established, a PPP session is needed for data exchange with the peer. The system will dynamically create PPP sessions based on the parameters of the virtual template (VT) interface. To configure an LNS, first create a VT interface and configure the following parameters for •...
• LCP renegotiation—The LNS ignores the LAC proxy authentication information and performs a new round of LCP negotiation with the user. The LNS chooses an authentication method depending on your configuration.
• If you configure both LCP renegotiation and mandatory CHAP authentication, the LNS uses LCP renegotiation.
Configuring AAA authentication on an LNS
After you configure AAA authentication on an LNS, the LNS can authenticate the usernames and passwords of remote access users. If a user passes AAA authentication, the user can communicate with the LNS to access the private network. Configure AAA authentication on the LNS in one of the following cases:
•...
Step: Enter system view.
  Command: system-view
Step: Enter L2TP group view.
  Command: l2tp-group group-number [ mode { lac | lns } ]
Step: Enable L2TP tunnel authentication.
  Command: tunnel authentication
  Remarks: By default, L2TP tunnel authentication is enabled.
Step: Set the tunnel ...
  Command: tunnel password { cipher | simple } ...
  Remarks: By default, no key is set.
Sends the packet to the next hop LTS.
To avoid loop detection errors, make sure the TSA ID of each LTS is unique.
To set the TSA ID of the LTS:
Step: Enter system view.
  Command: system-view
Step: Set the TSA ID of the LTS and enable L2TP loop ...
  Command: l2tp tsa-id tsa-id...
  Remarks: By default, the TSA ID of the LTS ...
To configure IMSI/SN binding authentication on the LNS:
Step: Enter system view.
  Command: system-view
Step: Create a VT interface and enter its view.
  Command: interface virtual-template interface-number
Step: Enable the LNS to initiate ...
  Command: • Enable the LNS to initiate IMSI/SN binding authentication requests: ppp lcp imsi request ...
  Remarks: By default, the LNS does not initiate IMSI/SN binding ...
Figure 83 Network diagram
Procedure
Configure the LAC:
# Configure IP addresses for the interfaces. (Details not shown.)
# Create a local user named vpdnuser, set the password, and enable the PPP service.
<LAC> system-view
[LAC] local-user vpdnuser class network
[LAC-luser-network-vpdnuser] password simple Hello
[LAC-luser-network-vpdnuser] service-type ppp
[LAC-luser-network-vpdnuser] quit...
[LNS] local-user vpdnuser class network
[LNS-luser-network-vpdnuser] password simple Hello
[LNS-luser-network-vpdnuser] service-type ppp
[LNS-luser-network-vpdnuser] quit
# Configure local authentication for PPP users in ISP domain system.
[LNS] domain system
[LNS-isp-system] authentication ppp local
[LNS-isp-system] quit
# Enable L2TP.
[LNS] l2tp enable
# Create a PPP address pool.
Example: Configuring a client-initiated L2TP tunnel
Network configuration
As shown in Figure 84, a PPP user directly initiates a tunneling request to the LNS to access the corporate network.
Figure 84 Network diagram
Procedure
Configure the LNS:
# Configure IP addresses for the interfaces. (Details not shown.)
# Configure the route between the LNS and the remote host.
# Configure the IP address of the remote host as 2.1.1.1, and configure a route to the LNS (1.1.2.2).
# Create a virtual private network connection by using the Windows system, or install the L2TP LAC client software, such as WinVPN Client.
# Complete the following configuration procedure (the procedure depends on the client software):
Specify the PPP username as vpdnuser and the password as Hello.
[LNS] local-user vpdnuser class network
[LNS-luser-network-vpdnuser] password simple Hello
[LNS-luser-network-vpdnuser] service-type ppp
[LNS-luser-network-vpdnuser] quit
# Create a PPP address pool.
[LNS] ip pool aaa 192.168.0.10 192.168.0.20
[LNS] ip pool aaa gateway 192.168.0.1
# Create Virtual-Template 1, specify its PPP authentication mode as PAP, and use address pool aaa to assign IP addresses to the PPP users.
[LAC-Virtual-PPP1] ip address ppp-negotiate
[LAC-Virtual-PPP1] ppp pap local-user vpdnuser password simple Hello
[LAC-Virtual-PPP1] quit
# Configure a static route so that packets destined for the corporate network will be forwarded through the L2TP tunnel.
[LAC] ip route-static 10.1.0.0 16 virtual-ppp 1
# Trigger the LAC to establish an L2TP tunnel with the LNS.
L2TP data transmission is based on UDP, which does not provide the packet error control feature. If the line is unstable, the LAC and LNS might be unable to ping each other. If the problem persists, contact H3C Support.
L2TP user offline
Symptom
An L2TP user goes offline when sending a large L2TP packet.
Configuring PPPoE
About PPPoE
Point-to-Point Protocol over Ethernet (PPPoE) extends PPP by transporting PPP frames encapsulated in Ethernet over point-to-point links. PPPoE specifies the methods for establishing PPPoE sessions and encapsulating PPP frames over Ethernet. PPPoE requires a point-to-point relationship between peers instead of a point-to-multipoint relationship as in multi-access environments such as Ethernet.
Host-initiated network structure
As shown in Figure 87, a PPPoE session is established between each host (PPPoE client) and the carrier router (PPPoE server). The service provider assigns an account to each host for billing and control. The host must be installed with PPPoE client software.
Figure 87 Host-initiated network structure
Step: ... (AC) name for the PPPoE server.
  Command: pppoe-server tag ac-name name
  Remarks: ... PPPoE server according to the AC name. The PPPoE client on H3C devices does not support this feature.
Step: (Optional.) Enable the PPPoE server to support the ...
  Command: pppoe-server tag...
Step: 10. (Optional.) Set the response delay time for user access.
  Command: pppoe-server access-delay delay-time
  Remarks: By default, no response delay time is set.
Step: 11. Return to system view.
  Command: quit
Step: 12. Configure the PPPoE server to perform authentication, authorization, and accounting for PPP users.
  Remarks: See "Configuring AAA."
The device uses a monitoring table and a blocking table to control PPP access rates: • Monitoring table—Stores a maximum of 8000 monitoring entries. Each entry records the number of PPPoE sessions created by a user within the monitoring time. When the monitoring entries reach the maximum, the system stops monitoring and blocking session requests from new users.
Step: Configure the content of the NAS-Port-ID attribute.
  Command: pppoe-server access-line-id content { all [ separator ] | circuit-id | remote-id }
  Remarks: By default, the NAS-Port-ID attribute contains only the circuit-id.
Step: Configure the NAS-Port-ID attribute to include the BAS ...
  Command: pppoe-server access-line-id bas-info [ cn-163 ]...
  Remarks: By default, the NAS-Port-ID attribute does not include the BAS ...
Setting the maximum number of PADI packets that the device can receive per second
When the device reboots or a version update is performed, the burst of online requests might affect device performance. To avoid performance degradation and make sure the device can process PADI packets correctly, use this feature to adjust the PADI packet receiving rate limit.
Enabling MAC-based user blocking in system view
Step: Enter system view.
  Command: system-view
Step: Enable MAC-based user blocking.
  Command: pppoe-server connection chasten [ quickoffline ] [ multi-sessions-permac ] requests request-period blocking-period
  Remarks: By default, MAC-based user blocking is disabled.
Enabling MAC-based user blocking in interface view
Step Command Remarks...
Procedure
# Create a PPPoE user.
<Router> system-view
[Router] local-user user1 class network
[Router-luser-network-user1] password simple pass1
[Router-luser-network-user1] service-type ppp
[Router-luser-network-user1] quit
# Configure Virtual-Template 1 to use CHAP for authentication and use a PPP address pool for IP address assignment. Set the DNS server IP address for the peer.
[Router] interface virtual-template 1
[Router-Virtual-Template1] ppp authentication-mode chap domain system
[Router-Virtual-Template1] ppp chap user user1...
Procedure
# Configure Virtual-Template 10 to use PAP for authentication and use a DHCP address pool to allocate IP addresses and DNS server IP addresses for users.
<Router> system-view
[Router] interface virtual-template 10
[Router-Virtual-Template10] ppp authentication-mode pap
[Router-Virtual-Template10] remote address pool pool1
[Router-Virtual-Template10] quit
# Enable the PPPoE server on GigabitEthernet 3/1/1, and bind the interface to Virtual-Template 10.
Figure 90 Network diagram
Procedure
Configure Router A as the PPPoE server:
# Configure Virtual-Template 10 to use PAP for authentication and use a DHCP address pool to allocate IP addresses and DNS server IP addresses for users.
<RouterA> system-view
[RouterA] interface virtual-template 10
[RouterA-Virtual-Template10] ppp authentication-mode pap
[RouterA-Virtual-Template10] remote address pool pool1...
[RouterB-dhcp-pool-pool1] network 2.2.2.0 24
[RouterB-dhcp-pool-pool1] gateway-list 2.2.2.1
[RouterB-dhcp-pool-pool1] dns-list 8.8.8.8
# Exclude the IP address 2.2.2.1 from dynamic allocation in DHCP address pool pool1.
[RouterB-dhcp-pool-pool1] forbidden-ip 2.2.2.1
[RouterB-dhcp-pool-pool1] quit
# Specify an IP address for GigabitEthernet 3/1/1.
[RouterB] interface gigabitethernet 3/1/1
[RouterB-GigabitEthernet3/1/1] ip address 10.1.1.1 24
[RouterB-GigabitEthernet3/1/1] quit
# Configure a static route to the PPPoE server.
Procedure
# Create Virtual-Template 10.
<Router> system-view
[Router] interface virtual-template 10
# Configure Virtual-Template 10 to use PAP to authenticate the peer.
[Router-Virtual-Template10] ppp authentication-mode pap domain system
# Configure Virtual-Template 10 to automatically generate an IPv6 link-local address.
[Router-Virtual-Template10] ipv6 address auto link-local
# Enable Virtual-Template 10 to advertise RA messages.
Example: Assigning the PPPoE server IPv6 address through DHCPv6
Network configuration
As shown in Figure 92, configure the PPPoE server to assign an IPv6 address to the host through DHCPv6.
Figure 92 Network diagram
Procedure
# Create Virtual-Template 10.
<Router> system-view
[Router] interface virtual-template 10
# Configure Virtual-Template 10 to use PAP to authenticate the peer.
[Router-isp-system] quit
Verifying the configuration
# Display PPP user information on GigabitEthernet 3/1/1.
[Router] display ppp access-user interface gigabitethernet 3/1/1
Interface  Username  MAC address     IP address  IPv6 address  IPv6 PDPrefix
BAS0       user1     0000-5e08-9d00              3001::2
Example: Assigning the PPPoE server IPv6 address through prefix delegation by DHCPv6
Network configuration
As shown in...
[Router-dhcp6-pool-pool1] quit
# Configure a PPPoE user.
[RouterB] local-user user1 class network
[RouterB-luser-network-user1] password simple pass1
[RouterB-luser-network-user1] service-type ppp
[RouterB-luser-network-user1] quit
# Configure an IPv6 pool attribute authorized to the user in the ISP domain.
[RouterB] domain system
[RouterB-isp-system] authorization-attribute ipv6-pool pool1
Verifying the configuration
# Verify that Router B has assigned a prefix to Router A.
Auth-Type == CHAP,User-Password := pass1
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IPv6-Pool = "pool1",
H3C-VPN-Instance = "vpn1",
Configure Router A:
a. Configure the PPPoE server:
# Configure Virtual-Template 1 to use CHAP for authentication and use ISP domain dm1 as the authentication domain.
[RouterA-radius-rs1] key accounting simple radius
# Exclude domain names in the usernames sent to the RADIUS server.
[RouterA-radius-rs1] user-name-format without-domain
[RouterA-radius-rs1] quit
c. Configure an authentication domain:
# Create an ISP domain named dm1.
[RouterA] domain dm1
# In ISP domain dm1, perform RADIUS authentication, authorization, and accounting for users based on scheme rs1.
Users can access more network resources after passing security check. Security check must cooperate with the H3C IMC security policy server and the iNode client.
Portal system
A typical portal system consists of these basic components: authentication client, access device,...
An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client. Security check for the user host is implemented through the interaction between the portal client and the security policy server. Only the H3C iNode client is supported.
Access device
An access device provides access services.
Web authentication page provided by the portal Web server. The user can also visit the authentication website to log in. The user must log in through the H3C iNode client for extended portal functions. The user enters the authentication information on the authentication page/dialog box and submits the information.
Re-DHCP authentication saves public IP addresses. For example, an ISP can allocate public IP addresses to broadband users only when they access networks beyond the residential community network. Only the H3C iNode client supports re-DHCP authentication. IPv6 portal authentication does not support the re-DHCP authentication mode.
Cross-subnet authentication
Cross-subnet authentication is similar to direct authentication, except that it allows Layer 3 forwarding devices to exist between the authentication client and the access device.
If the packet does not match any portal-free rule, the access device redirects the packet to the portal Web server. The portal Web server pushes the Web authentication page to the user for the user to enter a username and password. The portal Web server submits the user authentication information to the portal authentication server.
Steps 1 through 7 are the same as those in the direct authentication/cross-subnet authentication process.
After receiving the authentication success packet, the client obtains a public IP address through DHCP. The client then notifies the portal authentication server that it has a public IP address.
The portal authentication server notifies the access device that the client has obtained a public IP address.
H3C iNode client.
• Portal authentication supports NAT traversal whether it is initiated by a Web client or an H3C iNode client. NAT traversal must be configured when the portal client is on a private network and the portal server is on a public network.
Tasks at a glance
(Optional.) Configuring a local portal Web service
(Optional.) Specifying a portal authentication domain
(Optional.) Configuring a portal preauthentication policy
(Optional.) Specifying a preauthentication IP address pool
(Required.) Enabling portal authentication on an interface
(Required.) Specifying a portal Web server on an interface
(Optional.) Controlling portal user access
•...
Prerequisites for portal
The portal feature provides a solution for user identity authentication and security check. To complete user identity authentication, portal must cooperate with RADIUS. The prerequisites for portal authentication configuration are as follows:
• The portal authentication server, portal Web server, and RADIUS server have been installed and configured correctly.
Step: (Optional.) Set the destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server.
  Command: port port-number
  Remarks: By default, the UDP port number is 50100. This port number must be the same as the listening port number specified on the portal authentication server.
Configuring a match rule for URL redirection
A URL redirection match rule matches HTTP or HTTPS requests by user-requested URL or User-Agent information, and redirects the matching HTTP or HTTPS requests to the specified redirection URL. For a user to successfully access a redirection URL, configure a portal-free rule to allow HTTP or HTTPS requests destined for the redirection URL to pass.
• System busy page
• Logoff success page
You must customize the authentication pages, including the page elements that the authentication pages will use, for example, back.jpg for authentication page Logon.htm. Follow the authentication page customization rules when you edit the authentication page files.
File name rules
The names of the main authentication page files are fixed (see Table...
</form>
Authentication pages logonSuccess.htm and online.htm must contain the logoff Post request. The following example shows part of the script in page online.htm.
<form action="logon.cgi" method="post">
<p><input type="submit" value="Logoff" name="PtButton" style="width:60px;">
</form>
Page file compression and saving rules
You must compress the authentication pages and their page elements into a standard zip file.
name of the policy must be https_redirect. For more information about SSL server policy configuration, see SSL configuration in Security Configuration Guide.
Procedure
To configure the parameters for a local portal Web service:
Step: Enter system view.
  Command: system-view
Step: Create an HTTP- or HTTPS-based local portal...
  Command: portal local-web-server { http | ...
Specifying a portal authentication domain on an interface
Step: Enter system view.
  Command: system-view
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Specify a portal authentication domain on the ...
  Command: portal [ ipv6 ] domain domain-name...
  Remarks: By default, no portal authentication domain is specified on an interface. You can specify both an IPv4 ...
Step: Configure a user attribute in the portal preauthentication policy.
  Command: user-attribute { acl acl-number | car { inbound | outbound } cir committed-information-rate [ pir peak-information-rate ] | ...
  Remarks: By default, no user attributes are configured for a portal preauthentication policy.
Procedure
To specify a preauthentication IP address pool:
Step: Enter system view.
  Command: system-view
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Specify a preauthentication IP address pool on the interface.
  Command: portal [ ipv6 ] pre-auth ip-pool pool-name
  Remarks: By default, no preauthentication IP address pool is specified on an interface.
Restrictions and guidelines for enabling re-DHCP portal authentication
When you configure re-DHCP portal authentication (re-dhcp) on an interface, follow these restrictions and guidelines:
• Make sure the interface has a valid IP address before you enable re-DHCP portal authentication on the interface. For re-DHCP portal authentication to take effect after the IP address of the interface changes, you must disable portal authentication and then enable re-DHCP portal authentication.
• If a portal-enabled interface is enabled with the DHCP users feature of IPoE, you must specify the source IP address in the portal-free rule. Make sure the specified source IP address is not the same as any of the IP addresses that the DHCP server assigns to IPoE users. For more information about enabling the DHCP users feature, see "Configuring IPoE."...
Restrictions and guidelines for configuring an authentication source subnet
When you configure a portal authentication source subnet, follow these restrictions and guidelines:
• Authentication source subnets apply only to cross-subnet portal authentication.
• In direct or re-DHCP portal authentication mode, a portal user and its access interface (portal-enabled) are on the same subnet.
To set the global maximum number of portal users:
Step: Enter system view.
  Command: system-view
Step: Set the global maximum number of portal users.
  Command: portal max-user max-number
  Remarks: By default, no limit is set on the global number of portal users.
Setting the maximum number of portal users on an interface
If you set the maximum number smaller than the current number of portal users on an interface, this configuration still takes effect.
Step: Enable strict checking on portal authorization information.
  Command: portal authorization { acl | user-profile } strict-checking
  Remarks: By default, strict checking on portal authentication information is disabled on an interface. In this case, the portal users stay online even when the authorized ACLs or user profiles do not exist or fail to be deployed.
• Configure portal-free rules to allow user packets destined for the WPAD server to pass without authentication. If portal users enable Web proxy in their browsers, the users must add the IP address of the portal authentication server as a proxy exception in their browsers. Thus, HTTP packets that the users send to the portal authentication server will not be sent to Web proxy servers.
If portal roaming is disabled, to access external network resources from a Layer 2 port different from the current access port in the VLAN, the user must do the following:
1. Log out from the current port.
2. Re-authenticate on the new Layer 2 port.
Restrictions and guidelines
When you enable portal roaming, follow these restrictions and guidelines:
•...
Configuring portal detection features
Configuring online detection of portal users
About online detection for portal users
Configure online detection to quickly detect abnormal logouts of portal users.
• Configure ARP or ICMP detection for IPv4 portal users.
• Configure ND or ICMPv6 detection for IPv6 portal users.
If the device receives no packets from a portal user within the idle time, the device detects the user's online status as follows:
•...
Configuring portal authentication server detection
About portal authentication server detection
During portal authentication, if the communication between the access device and portal authentication server is broken, new portal users are not able to log in. Online portal users are not able to log out normally.
Configuring portal Web server detection
About portal Web server detection
A portal authentication process cannot complete if the communication between the access device and the portal Web server is broken. To address this problem, you can enable portal Web server detection on the access device.
synchronization feature. This feature is implemented by sending and detecting portal synchronization packets, as follows:
1. The portal authentication server sends the online user information to the access device in a synchronization packet at the user heartbeat interval. The user heartbeat interval is set on the portal authentication server.
2. Upon receiving the synchronization packet, the access device compares the users carried in the packet with its own user list and performs the following operations:
  • If a user contained in the packet does not exist on the access device, the access device...
You must configure the BAS-IP or BAS-IPv6 attribute on a portal authentication-enabled interface if the following conditions are met:
• The portal authentication server is an H3C IMC server.
• The portal device IP address specified on the portal authentication server is not the IP address of the portal packet output interface.
Step: Specify the device ID.
  Command: portal device-id device-id
  Remarks: By default, a device is not configured with a device ID.
Configuring attributes for RADIUS packets
Specifying a format for the NAS-Port-Id attribute
RADIUS servers from different vendors might require different formats of the NAS-Port-Id attribute in the RADIUS packets.
Step: Return to system view.
  Command: quit
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Specify the NAS-ID profile on the interface.
  Command: portal nas-id-profile profile-name
  Remarks: By default, no NAS-ID profile is specified on the interface.
Configuring MAC-based quick portal authentication
Restrictions and guidelines for configuring MAC-based quick portal authentication
Only IPv4 direct authentication supports MAC-based quick portal authentication.
Step: (Optional.) Specify the type of the MAC binding server.
  Command: server-type { cmcc | imc }
  Remarks: By default, the type of a MAC binding server is IMC.
Step: (Optional.) Specify the version of the portal protocol.
  Command: version version-number
  Remarks: By default, the version of the ...
Step: Set the portal HTTP attack defense parameters.
  Command: portal http-defense { block-timeout minutes | statistics-interval value | threshold number } *
  Remarks: By default, the blocking timer is 10 minutes, the statistical interval for counting redirected HTTP packets is 5 minutes, and the blocking threshold is 6000 packets.
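The portal HTTP attack defense above and the PPPoE MAC-based user blocking described earlier (a monitoring table of at most 8000 entries counting requests per user within a period, and a blocking table that holds blocked users for a blocking period) share one mechanism: count events per key inside a statistics window, block the key once the threshold is reached, lift the block after the timeout, and stop tracking new keys when the monitoring table is full. The Python below is an added example that models that mechanism; it is not Comware code and not from H3C. The guide does not say how the device windows its counts, so a fixed-length window that restarts on the first event after it expires, and a block that starts when the count reaches the threshold, are assumptions here. The defaults mirror the portal http-defense defaults (5-minute interval, 6000 packets, 10-minute block) and the PPPoE monitoring-table capacity; run_sample() replays a small constructed event stream through a deliberately tiny table so every decision branch is visible.

```python
"""Rate-based blocking table: a model of the monitoring/blocking scheme the
guide describes for PPPoE MAC-based user blocking and portal HTTP attack
defense. Added example, not Comware code; windowing semantics are assumed."""
from dataclasses import dataclass, field


@dataclass
class _Counter:
    window_start: float  # start time of the current statistics interval
    count: int = 0       # events recorded in that interval


@dataclass
class BlockingTable:
    """Count events per key inside a statistics interval; once the count
    reaches the threshold, block the key for block_timeout seconds."""
    threshold: int = 6000                # portal http-defense default (packets)
    statistics_interval: float = 300.0   # portal http-defense default (5 minutes)
    block_timeout: float = 600.0         # portal http-defense default (10 minutes)
    max_entries: int = 8000              # monitoring-table capacity (PPPoE section)
    monitoring: dict = field(default_factory=dict)
    blocked_until: dict = field(default_factory=dict)

    def observe(self, now: float, key: str) -> str:
        """Record one event (a redirected HTTP packet, a PPPoE session request)
        for key at time now and return the decision:
          'blocked'     - key is inside its blocking period
          'block'       - this event reached the threshold; blocking starts
          'unmonitored' - monitoring table is full, new keys are not tracked
          'allow'       - counted, below threshold"""
        until = self.blocked_until.get(key)
        if until is not None:
            if now < until:
                return "blocked"
            del self.blocked_until[key]          # blocking period expired

        entry = self.monitoring.get(key)
        if entry is None:
            if len(self.monitoring) >= self.max_entries:
                return "unmonitored"
            entry = self.monitoring[key] = _Counter(window_start=now)
        elif now - entry.window_start >= self.statistics_interval:
            # ASSUMPTION: fixed-length window that restarts on the first event
            # after it expires; counts do not carry over.
            entry.window_start, entry.count = now, 0

        entry.count += 1
        if entry.count >= self.threshold:
            self.blocked_until[key] = now + self.block_timeout
            del self.monitoring[key]             # free the slot; recount after the block
            return "block"
        return "allow"


# Constructed sample: (seconds, destination IP) of redirected HTTP packets.
SAMPLE_EVENTS = [
    (0, "10.0.0.5"), (10, "10.0.0.5"), (20, "10.0.0.5"),      # third hit reaches threshold
    (30, "10.0.0.5"),                                         # still blocked
    (30, "10.0.0.6"), (31, "10.0.0.7"), (32, "10.0.0.8"),     # fill the 3-entry table
    (33, "10.0.0.9"),                                         # table full: not monitored
    (100, "10.0.0.6"), (101, "10.0.0.6"), (102, "10.0.0.6"),  # window restarted at t=100
    (140, "10.0.0.5"),                                        # block expired, counted again
]


def run_sample() -> list:
    """Replay SAMPLE_EVENTS through a small table (threshold 3, 60 s window,
    120 s block, 3 monitoring entries) and return the decision per event."""
    table = BlockingTable(threshold=3, statistics_interval=60.0,
                          block_timeout=120.0, max_entries=3)
    return [table.observe(t, ip) for t, ip in SAMPLE_EVENTS]


if __name__ == "__main__":
    for (t, ip), decision in zip(SAMPLE_EVENTS, run_sample()):
        print(f"t={t:>4}s {ip:<10} {decision}")
```

The "unmonitored" branch is the operationally interesting one: as the guide notes for the PPPoE tables, once the monitoring table is full the device neither counts nor blocks new keys, so the capacity itself is part of the defense's failure mode and worth watching alongside the blocked-IP statistics.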
Enabling portal user login/logout logging This feature logs information about user login and logout events, including the username, user IP address and MAC address, user access interface, VLAN, and login result. The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device.
Display and maintenance commands for portal
Execute display commands in any view and the reset command in user view.
Task: (In standalone mode.) Display statistics for attacked destination IP addresses in portal HTTP attack defense.
  Command: display portal http-defense attacked-ip [ slot slot-number ]
Task: (In IRF mode.) Clear statistics for attacked destination IP addresses in portal HTTP attack defense.
  Command: reset portal http-defense attacked-ip [ chassis chassis-number slot slot-number ]
Task: (In standalone mode.) Clear statistics for blocked destination IP addresses in portal HTTP attack defense.
  Command: reset portal http-defense blocked-ip [ ip ipv4-address | ipv6 ipv6-address ] [ slot ...
Configuring the portal authentication server on IMC PLAT 3.20
In this example, the portal server runs on IMC PLAT 3.20-R2602P13 and IMC UAM 3.60-E6301.
Configure the portal authentication server:
a. Log in to IMC and click the Service tab.
b. Select Access Service > Portal Service Management > Server from the navigation tree to open the portal server configuration page, as shown in Figure 100.
a. Select Access Service > Portal Service Management > Device from the navigation tree to open the portal device configuration page.
b. Click Add to open the page as shown in Figure 102.
c. Enter the device name NAS.
d. Enter the IP address of the router's interface connected to the host.
e.
Figure 104 Port group configuration
c. Enter the port group name.
d. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
e. Click OK.
Select Access Service > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
Figure 105 Portal server configuration
Configure the IP address group:
a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to open the portal IP address group configuration page.
b. Click Add to open the page as shown in Figure 106.
a. Select User Access Manager > Portal Service Management > Device from the navigation tree to open the portal device configuration page.
b. Click Add to open the page as shown in Figure 107.
c. Enter the device name NAS.
d.
Figure 109 Adding a port group
Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
Configuring the router
Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<Router>...
# Configure a portal authentication server.
[Router] portal server newpt
[Router-portal-server-newpt] ip 192.168.0.111 key simple portal
[Router-portal-server-newpt] port 50100
[Router-portal-server-newpt] quit
# Configure a portal Web server.
[Router] portal web-server newpt
[Router-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Router-portal-websvr-newpt] quit
# Enable direct portal authentication on GigabitEthernet 1/0/2.
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] portal enable method direct
# Reference the portal Web server newpt on GigabitEthernet 1/0/2.
  IP address  Prefix length
A user can perform portal authentication by using the H3C iNode client or through a Web browser. Before passing the authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
Figure 110 Network diagram
Configuration prerequisites and guidelines
• Configure IP addresses for the router and servers as shown in Figure 110 and make sure the host, router, and servers can reach each other.
• Configure the RADIUS server correctly to provide authentication and accounting functions.
•...
[Router] radius session-control enable
Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Router] domain dm1
# Configure AAA methods for the ISP domain.
[Router-isp-dm1] authentication portal radius-scheme rs1
[Router-isp-dm1] authorization portal radius-scheme rs1
[Router-isp-dm1] accounting portal radius-scheme rs1
[Router-isp-dm1] quit
# Configure domain dm1 as the default ISP domain.
  IP address  Prefix length
Before passing the authentication, a user that uses the H3C iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. After passing the authentication, the user can access other network resources.
[Router] display portal user interface gigabitethernet 1/0/2
Total portal users: 1
Username: abc
  Portal server: newpt
  State: Online
  VPN instance: N/A
                                VLAN  Interface
  0015-e9a6-7cfe  20.20.20.2          GigabitEthernet1/0/2
  Authorization information:
    DHCP IP pool: N/A
    User profile: N/A
    Session group profile: N/A
    ACL: N/A
    Inbound CAR: N/A
    Outbound CAR: N/A
    Inbound priority: N/A...
Procedure
Perform the following tasks on Router A.
Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<RouterA> system-view
[RouterA] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[RouterA-GigabitEthernet1/0/2] quit
On Router B, configure a default route to subnet 192.168.0.0/24, specifying the next hop address as 20.20.20.1. (Details not shown.)
Verifying the configuration
# Verify that the portal configuration has taken effect.
[RouterA] display portal interface gigabitethernet 1/0/2
Portal information of GigabitEthernet1/0/2
  NAS-ID profile: Not configured
  Authorization : Strict checking...
  IP address  Prefix length
A user can perform portal authentication by using the H3C iNode client or through a Web browser. Before passing the authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
Figure 112 Network diagram (portal server 192.168.0.111/24, RADIUS server 192.168.0.112/24, security policy server 192.168.0.113/24; router GE1/0/1 192.168.0.100/24 and GE1/0/2 2.2.2.1/24; host 2.2.2.2/24 with gateway 2.2.2.1/24)
Configuration prerequisites
• Configure IP addresses for the host, router, and servers as shown in Figure 112 and make sure they can reach each other.
[Router] domain default enable dm1
Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
[Router] acl advanced 3000
[Router-acl-ipv4-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Router-acl-ipv4-adv-3000] rule deny ip
[Router-acl-ipv4-adv-3000] quit
[Router] acl advanced 3001
[Router-acl-ipv4-adv-3001] rule permit ip
[Router-acl-ipv4-adv-3001] quit
NOTE:...
Destination authenticate subnet:
  IP address  Prefix length
Before passing portal authentication, a user that uses the H3C iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
•...
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL: 3001
Inbound CAR: N/A
Outbound CAR: N/A
Inbound priority: N/A
Outbound priority: N/A
Example: Configuring extended re-DHCP portal authentication
Network configuration
As shown in Figure 113, the host is directly connected to the router (the access device). The host obtains an IP address through the DHCP server.
• Make sure the IP address of the portal device added on the portal server is the public IP address (20.20.20.1) of the router's interface connecting the host. The private IP address range for the IP address group associated with the portal device is the private subnet 10.0.0.0/24 where the host resides.
Destination authenticate subnet:
IP address Prefix length
Before passing portal authentication, a user that uses the H3C iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
•...
Session group profile: N/A
ACL: 3001
Inbound CAR: N/A
Outbound CAR: N/A
Inbound priority: N/A
Outbound priority: N/A
Example: Configuring extended cross-subnet portal authentication
Network configuration
As shown in Figure 114, Router A supports portal authentication. The host accesses Router A through Router B.
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[RouterA-radius-rs1] primary authentication 192.168.0.112
[RouterA-radius-rs1] primary accounting 192.168.0.112
[RouterA-radius-rs1] key authentication simple radius
[RouterA-radius-rs1] key accounting simple radius
[RouterA-radius-rs1] user-name-format without-domain
# Enable RADIUS session control.
[RouterA-GigabitEthernet1/0/2] portal enable method layer3
# Reference the portal Web server newpt on GigabitEthernet 1/0/2.
[RouterA-GigabitEthernet1/0/2] portal apply web-server newpt
# Configure the BAS-IP as 20.20.20.1 for portal packets sent from GigabitEthernet 1/0/2 to the portal authentication server.
[RouterA-GigabitEthernet1/0/2] portal bas-ip 20.20.20.1
[RouterA-GigabitEthernet1/0/2] quit
On Router B, configure a route (a default route will do) that reaches subnet 192.168.0.0/24 through next hop 20.20.20.1.
Prefix length
Destination authenticate subnet:
IP address Prefix length
Before passing portal authentication, a user that uses the H3C iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user are redirected to the authentication page.
•...
• Disable portal authentication when the authentication server is unreachable.
• Synchronize portal user information with the portal server periodically.
Figure 115 Network diagram: Host 2.2.2.2/24 (gateway 2.2.2.1/24); Router interfaces GE1/0/1 and GE1/0/2, with 2.2.2.1/24 on the host side and 192.168.0.100/24 on the server side; Portal server 192.168.0.111/24; RADIUS server 192.168.0.112/24.
Configuration prerequisites and guidelines
•...
d. Enter the start IP address and end IP address of the IP group. Make sure the host IP address (2.2.2.2) is in the IP group.
e. Select a service group. This example uses the default group Ungrouped.
f. Select Normal from the Action list.
g.
Associate the portal device with the IP address group:
a. As shown in Figure 119, click the icon in the Port Group Information Management column of device NAS to open the port group configuration page.
Figure 119 Device list
b. Click Add to open the page as shown in Figure 120.
Figure 121 Portal authentication server configuration
Configure the IP address group:
a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to open the portal IP address group configuration page.
b. Click Add to open the page as shown in Figure 122.
a. Select User Access Manager > Portal Service Management > Device from the navigation tree to open the portal device configuration page.
b. Click Add to open the page as shown in Figure 123.
c. Enter the device name NAS.
d.
Figure 125 Adding a port group
Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
Configuring the router
Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<Router>...
# Configure a portal authentication server.
[Router] portal server newpt
[Router-portal-server-newpt] ip 192.168.0.111 key simple portal
[Router-portal-server-newpt] port 50100
# Configure reachability detection of the portal authentication server: set the server detection timeout to 40 seconds, and send log messages upon reachability status changes.
[Router-portal-server-newpt] server-detect timeout 40 log
NOTE:
The value of timeout must be greater than or equal to the portal server heartbeat interval.
unreachable log "Portal server newpt turns down from up." and disables portal authentication on the access interface, so the host can access the external network without authentication. This fail-permit behavior is fail-open by design: until the server becomes reachable again, users on that interface are not authenticated at all, so enable it only where temporary unauthenticated access is acceptable.
Example: Configuring cross-subnet portal authentication for MPLS L3VPNs
Network configuration
As shown in Figure 126, the PE device Router A provides portal authentication for the host in VPN 1.
# Specify the source IP address for RADIUS packets to be sent as 3.3.0.3. This address must be the same as the portal device IP address specified on the portal authentication server; otherwise authentication fails.
[RouterA-radius-rs1] nas-ip 3.3.0.3
[RouterA-radius-rs1] quit
# Enable RADIUS session control.
State: Online
VPN instance: N/A
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL: 3010
Inbound CAR: N/A
Outbound CAR: N/A
Inbound priority: N/A
Outbound priority: N/A
Example: Configuring re-DHCP portal authentication with a preauthentication policy
Network configuration
As shown in Figure...
For information about DHCP relay agent configuration, see "Configuring DHCP."
• Make sure the IP address of the portal device added on the portal server is the public IP address (20.20.20.1) of the router's interface connecting the host. The private IP address range for the IP address group associated with the portal device is the private subnet 10.0.0.0/24 where the host resides.
[Router-portal-websvr-newpt] quit
# Enable re-DHCP portal authentication on GigabitEthernet 1/0/2.
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] portal enable method redhcp
# Reference the portal Web server newpt on GigabitEthernet 1/0/2.
[Router-GigabitEthernet1/0/2] portal apply web-server newpt
# Configure the BAS-IP as 20.20.20.1 for portal packets sent from GigabitEthernet 1/0/2 to the portal authentication server.
Configuration prerequisites and guidelines
• Configure IP addresses for the host, router, and server as shown in Figure 129 and make sure they can reach each other.
• Configure the RADIUS server correctly to provide authentication and accounting functions.
• Customize the authentication pages, compress them to a file, and upload the file to the root directory of the storage medium of the router.
# Create an HTTP-based local portal Web service and enter its view.
[Router] portal local-web-server http
# Specify file abc.zip as the default authentication page file for the local portal Web service. (Make sure the file exists in the root directory of the router's storage medium.)
[Router-portal-local-websvr-http] default-logon-page abc.zip
# Set the HTTP listening port number to 2331 for the local portal Web service.
Layer3 source network:
IP address Prefix length
Destination authenticate subnet:
IP address Prefix length
A user can perform portal authentication through a Web page. Before passing the authentication, the user can access only the authentication page http://2.2.2.1:2331/portal, and all Web requests will be redirected to the authentication page.
Figure 130 Network diagram
Configuration prerequisites
• Configure IP addresses for the host, router, and servers as shown in Figure 130 and make sure they can reach each other.
• Configure the RADIUS server correctly to provide authentication and accounting functions.
Configuring the portal server on IMC PLAT 7.1
In this example, the portal server runs on IMC PLAT 7.1(E0303), IMC EIA 7.1(F0303), and IMC EIP 7.1(F0303).
a. Select User Access Policy > Portal Service > IP Group from the navigation tree to open the portal IP address group configuration page.
b. Click Add to open the page as shown in Figure 132.
c. Enter the IP group name.
d.
Figure 133 Adding a portal device
Associate the portal device with the IP address group:
a. As shown in Figure 134, click the Port Group Information Management icon for device NAS to open the port group configuration page.
b. Click Add to open the page as shown in Figure 135.
Figure 135 Adding a port group
Select User Access Policy > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
Configuring the MAC binding server on IMC PLAT 7.1
In this example, the MAC binding server runs on IMC PLAT 7.1(E0303), IMC EIA 7.1(F0303), and IMC EIP 7.1(F0303).
a. Select User Access Policy > Access Service from the navigation tree to open the access service page.
b. Click Add to open the page as shown in Figure 137.
c. Enter the service name.
d. Select the Transparent Authentication on Portal Endpoints option.
e.
d. Click OK.
e. Click the Configure icon for Endpoint Aging Time to open the page as shown in Figure 140.
f. Set the endpoint aging time as needed. This example uses the default value.
Figure 139 Configuring user endpoint settings
Figure 140 Setting the endpoint aging time
Select User Access Policy >...
[Router-isp-dm1] authorization portal radius-scheme rs1
[Router-isp-dm1] accounting portal radius-scheme rs1
[Router-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
Authentication timeout : 3 minutes
A user can perform portal authentication by using the H3C iNode client or through a Web browser. Before passing the authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
Cannot log out portal users on the RADIUS server
Symptom
The access device uses the H3C IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server.
Analysis
When you execute the portal delete-user command on the access device to log out a user, the access device sends an unsolicited logout notification to the portal authentication server. If the BAS-IP or BAS-IPv6 address carried in the logout notification is different from the portal device IP address specified on the portal authentication server, the portal authentication server discards the logout notification.
Configuring IPoE
About IPoE
IP over Ethernet (IPoE) enables a BRAS to connect and authenticate users over IPoE connections. As shown in Figure 141, a BRAS connects hosts over IPoE connections, and provides AAA, security, and DHCP services for the hosts. This solution does not require the hosts to install any client software.
For interface-leased users, subnet-leased users, and L2VPN-leased users, the BRAS creates a static IPoE session based on configured information after you enable IPoE on an interface. The BRAS initiates user authentication based on the configured username and password.
IPoE addressing
IPoE addressing varies with user types.
Figure 142 Access procedure for a DHCPv4 user (DHCP client, BRAS acting as DHCP relay, DHCP server, AAA server)
(1) DHCP-DISCOVER
(2) Inserts Option82 and initiates an IPoE session.
(3) Access Request
(4) Access Accept
(5) Updates the IPoE session as an authorized session.
(6) DHCP-DISCOVER
(7) DHCP-OFFER
(8) DHCP-REQUEST...
e. Marks the session state as online.
If the authentication fails, the BRAS marks the session as failure and discards the DHCP-DISCOVER message.
12. The DHCP client obtains configuration information from the DHCP-ACK message.
13. The BRAS sends the AAA server a message to start accounting.
Access procedure for IPv6-ND-RS users
This example uses a Layer 2 device as the BRAS.
Access procedure for unclassified-IP users
Figure 144 Access procedure for unclassified-IP users
The host sends an IP packet to the BRAS. The BRAS obtains user information from the IP packet and matches it against existing IPoE sessions. If no match is found, the BRAS initiates an IPoE session for the user. (This section uses this case as an example.) If the information matches an authenticated session, the BRAS forwards the IP packet.
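The two procedures above (the DHCPv4 user in Figure 142 and the unclassified-IP user in Figure 144) differ in what triggers the session, but the ordering that matters for security is the same: AAA is consulted before the BRAS relays the DISCOVER or forwards the first IP packet, a rejected user is left in failure state with the triggering packet discarded, and accounting starts only once the session is online. The following is an added simulation of that ordering, not code from the H3C guide or from Comware. It assumes the AAA username is the client MAC address and the password is the interface password (the examples later in this chapter use `ip subscriber password plaintext radius`), that a session in failure state is retried on the user's next packet, and that the AAA and DHCP servers are in-memory stand-ins holding constructed data.

```python
"""BRAS session handling for a DHCPv4 user (Figure 142) and an
unclassified-IP user (Figure 144).

Added example, not code from the H3C guide or from Comware. It simulates the
order of operations the guide describes: Option 82 inserted and AAA consulted
before the DISCOVER is relayed; session marked failure and DISCOVER dropped
on reject; accounting started once the client is online; an IP packet from
an unclassified-IP host forwarded only for an authenticated session.
Assumptions: username = client MAC, password = interface password, failed
sessions are retried on the next packet, servers are in-memory stand-ins.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    mac: str
    kind: str                 # "dhcp" or "unclassified-ip"
    state: str = "initial"    # initial -> authorized -> online, or failure
    ip: Optional[str] = None


class FakeAAA:
    """Stand-in for the RADIUS server: username/password -> accept or reject."""
    def __init__(self, users: Dict[str, str]):
        self.users = users

    def authenticate(self, username: str, password: str) -> bool:
        return self.users.get(username) == password


class FakeDHCPServer:
    """Stand-in for the DHCP server: hands out the next free address."""
    def __init__(self, pool: List[str]):
        self.pool = list(pool)

    def offer(self) -> Optional[str]:
        return self.pool.pop(0) if self.pool else None


class BRAS:
    def __init__(self, aaa: FakeAAA, dhcp: FakeDHCPServer, password: str, circuit_id: str):
        self.aaa, self.dhcp = aaa, dhcp
        self.password = password        # interface password sent to AAA (assumption)
        self.circuit_id = circuit_id    # Option 82 value the relay inserts (constructed)
        self.sessions: Dict[str, Session] = {}
        self.accounting: List[Tuple[str, str]] = []   # ("start", mac)
        self.log: List[str] = []

    def on_dhcp_discover(self, mac: str) -> Optional[str]:
        """Figure 142: returns the address given to the client, None if dropped."""
        s = self.sessions.setdefault(mac, Session(mac, "dhcp"))
        if s.state == "online":
            return s.ip                                       # already online
        self.log.append(f"DISCOVER {mac}: insert Option82 circuit-id={self.circuit_id}")  # step 2
        if not self.aaa.authenticate(mac, self.password):    # steps 3-4
            s.state = "failure"
            self.log.append(f"Access-Reject {mac}: DISCOVER discarded")
            return None
        s.state = "authorized"                               # step 5
        ip = self.dhcp.offer()                               # steps 6-7: relay DISCOVER, get OFFER
        if ip is None:
            s.state = "failure"
            return None
        s.ip, s.state = ip, "online"                         # steps 8-11: REQUEST/ACK, online
        self.accounting.append(("start", mac))               # step 13
        return ip

    def on_ip_packet(self, src_ip: str, mac: str) -> str:
        """Figure 144: 'forward' or 'drop' for a packet from an unclassified-IP host."""
        existing = self.sessions.get(mac)
        if existing and existing.state == "online":
            return "forward"                                  # matches an authenticated session
        s = self.sessions.setdefault(mac, Session(mac, "unclassified-ip"))
        if self.aaa.authenticate(mac, self.password):         # new or retried session
            s.ip, s.state = src_ip, "online"
            self.accounting.append(("start", mac))
            return "forward"
        s.state = "failure"
        return "drop"
```

The point to check in your own deployment is the one the simulation makes explicit: nothing from a rejected host is relayed or forwarded, and the DHCP server never sees the DISCOVER of a host the AAA server has not accepted.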
NOTE: • When an IPoE user comes online through an authorized VPN, you must configure a gateway IP address or enable proxy ARP by using the proxy-arp enable command on the access interface. As a best practice, enable proxy ARP. For more information, see proxy ARP configuration in Layer 3—IP Services Configuration Guide.
Configure the RADIUS server and client. For more information about how to configure a RADIUS client, see "Configuring AAA." • Configure security policies on the H3C IMC security server and configure the security server's IP address on the BRAS. For more information about how to configure a security server, see "Configuring AAA." •...
Step: Configure bind authentication for individual users.
Command:
• For IPv4 individual users: ip subscriber authentication-method bind
• For IPv6 individual users: ipv6 subscriber authentication-method bind
Remarks: By default, bind authentication is configured for individual users.
Configuring dynamic individual users
Dynamic individual user configuration tasks at a glance
Tasks at a glance
(Required.)
Configuring passwords for dynamic individual users
Passwords configured for dynamic individual users must be the same as those configured on the AAA server. If you configure multiple passwords for a DHCP user, the passwords are used in the following order:
Password specified in Option 60 or Option 16 if the BRAS trusts Option 60 or Option 16.
Dynamic individual users | Order in selecting an ISP domain
Unclassified-IP user | • Service-specific ISP domain • Interface-specific ISP domain • Default system ISP domain
For more information about how to configure trusted DHCP options, see "Configuring trusted DHCP options for DHCP users."...
Step: Configure the maximum number of dynamic IPoE sessions.
Command:
• Configure the maximum number of IPv4 IPoE sessions: ip subscriber { dhcp | unclassified-ip } max-session max-number
• Configure the maximum number...
Remarks: By default, the maximum number of dynamic IPoE sessions is not configured.
• If the string selected from Option 60/Option 16/Option 17 does not contain the trusted ISP domain, the DHCP user uses portal authentication. For more information, see "Configuring portal authentication."
Configure trusted DHCP options before you configure the trusted ISP domains. For more information about how to configure trusted DHCP options, see "Configuring trusted DHCP options for DHCP users."...
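The domain-selection rules spread across the last few paragraphs (trusted option names a trusted domain; option present but naming no trusted domain falls back to portal authentication; otherwise the service-specific, interface-specific, default-system order given for unclassified-IP users) are easy to get wrong in a change review. The function below is an added example, not code from the H3C guide or from Comware, that encodes those rules so a proposed configuration can be checked against sample option strings. It assumes "contains" means a plain substring match on the option string, that the longest trusted domain name wins when several match, and that a DHCP user whose packet carries no trusted option takes the same fallback chain as an unclassified-IP user; the configuration values in the test are constructed.

```python
"""ISP domain selection for dynamic IPoE users.

Added example, not code from the H3C guide or from Comware. Rules encoded:
a DHCP user whose trusted option (Option 60 for DHCPv4, Option 16/17 for
DHCPv6) names a trusted ISP domain goes into that domain; an option naming
no trusted domain hands the user to portal authentication; a user without
such an option, like an unclassified-IP user, takes the first configured
domain in the order service-specific, interface-specific, default system.
Assumptions: substring match, longest trusted name wins, and the no-option
DHCP case uses the unclassified-IP fallback chain.
"""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class DomainConfig:
    trusted_domains: Set[str]        # ISP domains the BRAS trusts from DHCP options
    service_domain: Optional[str]    # service-specific ISP domain, if configured
    interface_domain: Optional[str]  # e.g. 'ip subscriber unclassified-ip domain dm1'
    default_domain: Optional[str]    # 'domain default enable dm1'


@dataclass(frozen=True)
class Decision:
    method: str            # "bind" (AAA in the selected domain) or "portal"
    domain: Optional[str]
    reason: str


def fallback_domain(cfg: DomainConfig) -> Decision:
    """Service-specific, then interface-specific, then default system domain."""
    for name, source in ((cfg.service_domain, "service-specific"),
                         (cfg.interface_domain, "interface-specific"),
                         (cfg.default_domain, "default system")):
        if name:
            return Decision("bind", name, f"{source} ISP domain")
    return Decision("bind", None, "no ISP domain configured")


def select_domain(cfg: DomainConfig, user_type: str,
                  option_string: Optional[str] = None) -> Decision:
    """user_type is 'dhcp' or 'unclassified-ip'; option_string is the content
    of the trusted option as text, or None when the packet carried none."""
    if user_type == "dhcp" and option_string is not None:
        for name in sorted(cfg.trusted_domains, key=len, reverse=True):
            if name in option_string:
                return Decision("bind", name, "trusted DHCP option names an ISP domain")
        return Decision("portal", None, "trusted DHCP option names no trusted ISP domain")
    return fallback_domain(cfg)


if __name__ == "__main__":
    cfg = DomainConfig({"dm1", "dm2"}, None, "dm1", "system")   # constructed values
    for kind, opt in (("dhcp", "vendor-x@dm2"), ("dhcp", "MSFT 5.0"),
                      ("dhcp", None), ("unclassified-ip", None)):
        print(kind, repr(opt), select_domain(cfg, kind, opt))
```

Run it with your own trusted-domain list and a handful of Option 60 strings captured from real clients; a client whose vendor string unexpectedly matches a trusted domain name lands in that domain without ever seeing the portal, which is the case the substring rule makes worth testing.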
Enabling dynamic individual users to come online despite the IPoE-NAT collaboration failure If a card that supports NAT collaboration fails, the IPoE-NAT collaboration fails. Perform this task to enable dynamic individual users to come online despite the collaboration failure. For more information about NAT, see Layer 3—IP Services Configuration Guide.
Step: Configure the interval at which the device sends online requests to static IPoE users.
Command:
• For IPv4 static IPoE sessions: ip subscriber static-session request-online interval seconds
• For IPv6 static IPoE sessions: ipv6 subscriber static-session request-online interval seconds
Remarks: By default, the interval is 180 seconds.
Configuring global static IPoE sessions...
Step: Configure passwords for static individual users.
Command:
• Configure a password for IPv4 static individual users: ip subscriber password { ciphertext | plaintext } string
• Configure a password for IPv6 static individual users:
Remarks: The default password for a static individual user is vlan. Because this default is published and shared by every device, configure an explicit password that matches the one on the AAA server rather than relying on it.
Configuring interface-leased users You can configure up to one IPv4 interface-leased user and one IPv6 interface-leased user on an interface. When leased users are in Layer 2 access mode, all IP users who access the BRAS through an IPoE interface are called subusers. Use the display or reset commands to view or delete the subuser information.
Step: Enter interface view.
Command: interface interface-type interface-number
Step: Configure ISP domains for leased users.
Command:
• Configure a domain collectively for IPv4 leased users: ip subscriber unclassified-ip domain domain-name
• Configure a domain collectively...
Remarks: By default, leased users use the default system ISP domain.
Step: Configure a service identifier.
Command: ipv6 subscriber service-identify { 8021p { second-vlan | vlan } | dscp | second-vlan | vlan }
Remarks: By default, no service identifier is configured for DHCPv6 users, IPv6 unclassified-IP users, static individual users, and leased users. Only subinterfaces support the 8021p, second-vlan, and vlan parameters.
After you configure online detection, the BRAS starts a detection timer to detect online users. If the BRAS does not receive user packets from a user when the detection timer expires, it sends a detection packet to the user and performs the following operations: •...
Configuring NAS-Port-ID formats
The NAS-Port-ID RADIUS attribute specifies the access location of a user. The BRAS supports the following formats for NAS-Port-ID:
• version 1.0—Format for China Telecom.
• version 2.0—Format specified in YD/T 2275-2011, Subscriber Access Loop (Port) Identification in Broadband Access Networks.
You can configure the following settings if version 2.0 is used when the BRAS acts as a DHCP relay:
•...
Step: Enter interface view.
Command: interface interface-type interface-number
Step: Enable IPoE access-out authentication.
Command:
• Enable IPoE access-out authentication for IPv4 users: ip subscriber access-out
• Enable IPoE access-out authentication for IPv6 users: ipv6 subscriber access-out
Remarks: By default, IPoE access-out authentication is disabled.
Setting the traffic statistics update timer for IPoE sessions
You can set the traffic statistics update timer for IPoE sessions based on the statistic frequency...
Display and maintenance commands for IPoE
Execute display commands in any view and reset commands in user view.
Task: Display information...
Command:
• For IPv4 individual users: display ip subscriber chasten user [ interface interface-type interface-number ] [ ip ip-address | mac mac-address | user-type { dhcp | unclassified-ip | static } ] [ verbose ] [ slot slot-number ] (In standalone mode.)
Task: Delete IPoE interface-leased user information and log out users.
Command:
• For IPv4 interface-leased users: reset ip subscriber interface-leased user [ interface interface-type interface-number [ ip ip-address | mac mac-address ] ]
• For IPv6 interface-leased users: reset ipv6 subscriber interface-leased user [ interface interface-type interface-number [ ipv6 ipv6-address | mac mac-address ] ]
•...
Figure 145 Network diagram
Procedure
Configure the RADIUS server: (This section uses the Linux FreeRADIUS server as an example.)
# Add BRAS IP address 4.4.4.2 and secret radius to the clients.conf file.
client 4.4.4.2/32 {
    ipaddr = 4.4.4.2
    netmask = 32
    secret = radius
}
# Add the username and password to the users user information file.
[Device-GigabitEthernet3/1/2] ip subscriber initiator unclassified-ip enable
# Specify dm1 as the ISP domain.
[Device-GigabitEthernet3/1/2] ip subscriber unclassified-ip domain dm1
# Configure plaintext password radius for authentication.
[Device-GigabitEthernet3/1/2] ip subscriber password plaintext radius
[Device-GigabitEthernet3/1/2] quit
Verifying the configuration
# Display IPoE session information to verify that the host has come online.
[Device] display ip subscriber session
Type: D-DHCP S-Static...
# Create an IP address pool named pool1 and enter its view.
[DHCP-server] dhcp server ip-pool pool1
# Add network segment 3.3.3.0/24 to the pool, and exclude IP address 3.3.3.1 from dynamic allocation.
[DHCP-server-pool-pool1] network 3.3.3.0 24
[DHCP-server-pool-pool1] forbidden-ip 3.3.3.1
[DHCP-server-pool-pool1] quit
Configure the BRAS:
a.
Verifying the configuration
# Display IPoE session information to verify that the host has come online.
[Device] display ip subscriber session
Type: D-DHCP S-Static U-Unclassified-IP
Interface    IP address    MAC address       Type  State
--------------------------------------------------------------------------------
GE3/1/2      3.3.3.2       000c-29a6-b656    D     Online
Example: Configuring an IPv6-ND-RS user
Network configuration
As shown in Figure...
[Device-radius-rs1] key authentication simple radius
[Device-radius-rs1] key accounting simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
[Device-radius-rs1] user-name-format without-domain
[Device-radius-rs1] quit
d. Configure the ISP domain:
# Create an ISP domain named dm1 and enter its view.
[Device] domain dm1
# Configure dm1 to use RADIUS scheme rs1.
Procedure
Configure the RADIUS server: (This section uses the Linux FreeRADIUS server as an example.)
# Add BRAS IP address 4.4.4.2 and secret radius to the clients.conf file.
client 4.4.4.2/32 {
    ipaddr = 4.4.4.2
    netmask = 32
    secret = radius
}
# Add the username and password to the users user information file. The username is the host IP address 3.3.3.2.
[Device] dhcp enable
# Create an IP address pool named test and enter its view.
[Device] dhcp server ip-pool test
# Configure a gateway IP address for the host and enable route exporting. Route exporting automatically adds the gateway IP address and the related static IP address to the routing table of the host.
# Add usernames and passwords to the users user information file. Usernames for the three subnet user groups are us1, us2, and us3. Passwords for the three subnet user groups are pw1, pw2, and pw3.
us1 Cleartext-Password := "pw1"
us2 Cleartext-Password := "pw2"
us3 Cleartext-Password := "pw3"
Configure the BRAS:
a.
Network : 5.5.5.0/24
User ID : 0x38060000
State : Online
Service node : Slot 3 CPU 0
Domain : dm1
Login time : May 14 20:08:35 2014
Online time (hh:mm:ss) : 00:16:37
Total users : 10
AAA:
ITA policyname : N/A
IP pool : N/A
Primary DNS server...
AAA:
ITA policyname : N/A
IP pool : N/A
Primary DNS server : N/A
Secondary DNS server : N/A
Session idle cut : N/A
Session duration : N/A, remaining: N/A
Traffic quota : N/A
Acct start-fail action : Online
Acct update-fail action : Online
Acct quota-out action : Offline...
Traffic quota : N/A
Acct start-fail action : Online
Acct update-fail action : Online
Acct quota-out action : Offline
Max multicast addresses
Multicast address list : N/A
QoS:
User profile : N/A
Session group profile : N/A
User group acl : N/A
Inbound CAR : N/A...
Cleartext-Password := "pw1"
Configure the BRAS:
a. Configure IP addresses for interfaces. (Details not shown.)
b. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<Device> system-view
[Device] radius scheme rs1
# Configure primary servers and keys for authentication and accounting.
[Device-radius-rs1] primary authentication 4.4.4.1
[Device-radius-rs1] primary accounting 4.4.4.1
[Device-radius-rs1] key authentication simple radius...
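Every RADIUS scheme in this chapter ends with `key authentication simple radius` on the router and `secret = radius` in the FreeRADIUS clients.conf, and the troubleshooting sections treat a mismatch as "authentication fails" with nothing more specific. The script below is an added example, not code from the H3C guide, Comware or FreeRADIUS, that implements the two RFC 2865 mechanisms the shared secret feeds, using only the Python standard library: User-Password hiding (the server cannot recover the password without the same secret, so a mismatch shows up as a silent Access-Reject) and the Response Authenticator (the NAS recomputes it, so a reply signed with a different secret, or a tampered reply, is discarded). The username us1, password pw1, NAS-IP-Address 4.4.4.2 and secret radius are taken from the examples in this chapter; the packet bytes and the in-memory user table are constructed. It assumes PAP-style bind authentication with no EAP or Message-Authenticator attribute, as in these examples.

```python
"""What the RADIUS shared secret protects on the wire.

Added example, not code from the H3C guide, Comware or FreeRADIUS.
Implements RFC 2865 User-Password hiding (section 5.2) and the Response
Authenticator (section 3) with the standard library only. Username us1,
password pw1, NAS-IP-Address 4.4.4.2 and secret 'radius' follow the
chapter's examples; packet bytes are constructed. Assumption: no EAP and no
Message-Authenticator attribute, as in PAP-style bind authentication.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to a multiple of 16, then XOR each block with MD5(secret + previous block),
    the first block being keyed by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attributes(raw: bytes) -> Dict[int, bytes]:
    fields, pos = {}, 0
    while pos + 2 <= len(raw):
        kind, length = raw[pos], raw[pos + 1]
        if length < 2 or pos + length > len(raw):
            raise ValueError("malformed attribute")
        fields[kind] = raw[pos + 2:pos + length]
        pos += length
    return fields


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_request(username: bytes, password: bytes, secret: bytes, ident: int = 1,
                   request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Build the Access-Request a NAS such as the BRAS at 4.4.4.2 would send."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes([4, 4, 4, 2])))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_reply(request: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Minimal server: recover the password with its own secret, then Accept or Reject,
    signing the reply with the Response Authenticator."""
    _code, ident, _length = struct.unpack("!BBH", request[:4])
    request_auth, fields = request[4:20], parse_attributes(request[20:])
    supplied = reveal_password(fields.get(USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if users.get(fields.get(USER_NAME, b"")) == supplied else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, b"", request_auth, secret), b"")


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check of the Response Authenticator; False on any secret mismatch."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return hmac.compare_digest(response[4:20], expected)
```

Two things worth noting from running it: a server holding a different secret decodes the password to garbage and answers Access-Reject, which on the BRAS looks exactly like a wrong password, so check the key on both ends before touching the user database; and the Response Authenticator is MD5 over the secret, so a short, guessable secret such as the documentation's "radius" is something to replace in production.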
ITA policyname : N/A
IP pool : N/A
Primary DNS server : N/A
Secondary DNS server : N/A
Session idle cut : N/A
Session duration : N/A, remaining: N/A
Traffic quota : N/A
Acct start-fail action : Online
Acct update-fail action : Online
Acct quota-out action : Offline...
Procedure
Configure the RADIUS server: (This section uses the Linux FreeRADIUS server as an example.)
# Add the BRAS IP address 4.4.4.2 and the secret radius to the clients.conf file.
client 4.4.4.2/32 {
    ipaddr = 4.4.4.2
    netmask = 32
    secret = radius
}
# Add the host username and password to the users user information file. The username is us1 and the password is pw1.
[PE2-GigabitEthernet3/1/1] xconnect vsi svc
[PE2-GigabitEthernet3/1/1] quit
Configure PE1:
# Configure an LSR ID.
<PE1> system-view
[PE1] interface loopback 0
[PE1-LoopBack0] ip address 1.1.1.9 32
[PE1-LoopBack0] quit
[PE1] mpls lsr-id 1.1.1.9
# Enable L2VPN.
[PE1] l2vpn enable
# Enable LDP globally.
[PE1] mpls ldp
[PE1-ldp] quit
# Configure GigabitEthernet 3/1/2 (the interface connected to PE 2), and enable LDP on the...
[PE1-radius-rs1] key authentication simple radius
[PE1-radius-rs1] key accounting simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
[PE1-radius-rs1] user-name-format without-domain
[PE1-radius-rs1] quit
# Enable the RADIUS session-control feature.
[PE1] radius session-control enable
b. Configure the ISP domain:
# Create an ISP domain named dm1 and enter its view.
Acct start-fail action : Online
Acct update-fail action : Online
Acct quota-out action : Offline
Max multicast addresses
Multicast address list : N/A
QoS:
User profile : N/A
Session group profile : N/A
User group acl : N/A
Inbound CAR : N/A
Outbound CAR : N/A...
Framed-Pool := "pool1"
Configure the DHCP server:
# Enable DHCP.
<DHCP-server> system-view
[DHCP-server] dhcp enable
# Create an IP address pool named pool1 and enter its view.
[DHCP-server] dhcp server ip-pool pool1
# Add network segment 3.3.3.0/24 to the pool.
[DHCP-server-pool-pool1] network 3.3.3.0 24
# Exclude IP address 3.3.3.1 from dynamic allocation.
# Configure a gateway IP address for the host and enable route exporting. Route exporting automatically adds the gateway IP address and the related static IP address to the routing table of vpn1.
[Device-dhcp-pool-pool1] gateway-list 3.3.3.1 export-route
# Configure the IP address of the DHCP server.
[Device-dhcp-pool-pool1] remote-server 4.4.4.3
e.
VxLAN ID
DHCP lease : 86400 sec
DHCP remain lease : 18400 sec
Access time : May 9 08:56:29 2014
Online time (hh:mm:ss) : 00:16:37
Service node : Slot 3 CPU 0
Authentication type : Bind
Type : DHCP
State : Online
AAA:
ITA policyname...
Figure 153 Network diagram
Procedure
Configure the RADIUS server: (This section uses the Linux FreeRADIUS server as an example.)
# Add BRAS IP address 4.4.4.2 and secret radius to the clients.conf file.
client 4.4.4.2/32 {
    ipaddr = 4.4.4.2
    netmask = 32
    secret = radius
}
# Add the usernames and passwords to the users user information file.
ISP domain in the option exists on the BRAS. If the DHCP packet does not carry Option 60 or Option 16/Option 17, verify that the ISP domain specified on the interface exists on the BRAS. If the problem persists, contact H3C Support.
Index ISP domain idle timeout period include in user online duration, ISP domain method, Appendix A, RADIUS commonly used ISP domain user address type, attributes, ISP domain user ITA policy, Appendix C, RADIUS subattributes (vendor ID ISP domain user service type, 25506), L2TP LAC AAA authentication, concurrent login user max,...
Page 456
PPP CHAP authentication (authenticator direct portal authentication configuration, name not configured), direct portal authentication configuration (local PPP PAP authentication configuration, portal Web service), preferentially processing RADIUS extended cross-subnet portal authentication authentication requests, configuration, protocols and standards, extended direct portal authentication configuration, RADIUS accounting server, extended re-DHCP portal authentication...
Page 457
DHCP server address pool, DHCPv6 dynamic prefix allocation, DHCP server address pool creation, DHCPv6 IPv6 address/prefix allocation sequence, DHCP server address pool IP address range, DHCPv6 static address allocation, DHCPv6 address allocation, DHCPv6 static prefix allocation, DHCPv6 address pool, allowing DHCPv6 address pool selection, only DHCP users to pass portal authorization, DHCPv6 address pool VPN instance...
Page 458
AAA ISP domain idle timeout period include in IPoE unclassified-IP user configuration, user online duration, IPoE VPN DHCP user configuration, AAA ISP domain user address type, L2TP LAC AAA authentication, AAA ISP domain user ITA policy, L2TP LNS AAA authentication, AAA ISP domain user service type, L2TP LNS IMSI/SN binding authentication, AAA LDAP,...
Page 459
L2TP LAC-auto-initiated tunneling, AAA HWTACACS stop-accounting packet buffering, L2TP tunnel configuration (LAC-auto-initiated), AAA RADIUS stop-accounting packet buffering, AVP data transfer in hidden mode (L2TP), cache backing up AAA local bill cache, DHCP binding auto backup, DHCP snooping entries, AAA RADIUS class attribute as CAR DHCPv6 binding auto backup, parameter, DHCPv6 snooping entry auto backup,...
Page 476
directory service, AAA local authentication, display, AAA local authentication configuration, protocols and standards, AAA local authorization method, scheme creation, AAA local user, server creation, AAA SSH user authentication+authorization, server IP address, local portal Web service, server timeout period, MAC authentication (local), troubleshooting, MAC authentication method, troubleshooting authentication failure,...
Page 483
re-DHCP portal authentication page customization, configuration, page file compression+saving rules, portal authentication page request rules, AAA server, policy configuration, access device, policy server, advantages, portal authorization strict-checking mode, allowing only DHCP users to pass portal user preauthentication IP address pool, authentication, portal-free rule configuration, authenticated user redirection,...
Page 484
CHAP authentication (authenticator name display, configured), logging enable, CHAP authentication (authenticator name not maintain, configured), NAT444 collaboration failure user enable, configuration, network structure, configuring service tracing object, network structure (host-initiated), display, network structure (router-initiated), enabling accounting, PADI packets max, enabling user blocking, RADIUS NAS-Port-ID attribute configuration, IPCP IP segment match enable, server configuration,...
Page 485
applying DHCP address pool to VPN configuring AAA NAS-ID, instance, configuring AAA network access user applying DHCPv6 address pool to a VPN attributes, instance, configuring AAA RADIUS, applying portal authentication interface configuring AAA RADIUS accounting-on, NAS-ID profile, configuring AAA RADIUS attribute 31 MAC associating PPP address pool+ISP address format, domain,...
Page 486
configuring DHCP relay agent security configuring DHCPv6 server IPv6 prefix features, assignment, configuring DHCP relay agent server configuring DHCPv6 server network parameters selection, (address pool), configuring DHCP replies forward based on configuring DHCPv6 server network parameters option 82, (option group), configuring DHCP server, configuring DHCPv6 server network parameters assignment,...
Page 495
DHCPv6 snooping entry auto backup, MAC authentication request user IP address inclusion restrictions, DHCPv6 snooping entry max, MAC authentication timer, DHCPv6 snooping logging, MAC authentication user account format, DHCPv6 snooping Option 18 support configuration, MAC authentication user account policies, DHCPv6 snooping Option 37 support MAC authentication user profile assignment, configuration, MAC authentication VLAN assignment,...
Page 497
portal authentication configuration, AAA RADIUS server status, portal authentication fail-permit, AAA RADIUS timer, portal authentication local portal Web service AAA RADIUS traffic statistics unit, parameter, AAA RADIUS username format, portal authentication MAC binding server, DHCP client packet DSCP value, portal authentication policy server, DHCP relay agent packet DSCP value, portal authentication server detection, DHCP server packet DSCP value,...
Page 498
DHCPv6-REQUEST check, source: IPoE unclassified IP user trusted source IP address, portal authentication portal-free rule, portal authentication subnet, specifying: ...
DHCP relay agent server selection algorithm, DHCP relay agent source IP address, DHCP server address pool IP address range, DHCPv6 client gateway address, DHCPv6 relay agent Interface-ID option padding mode, ...
Page 499
IPoE static users access procedure in common mode, statistics: AAA HWTACACS traffic statistics units, AAA RADIUS traffic statistics units, IPoE traffic statistics update timer, strict-checking mode (portal authentication), subnetting: ...
AAA RADIUS server status detection test profile, timeout: MAC authentication server timeout, PPP negotiation, PPP negotiation timeout time, timer: ...
Page 500
portal authentication users cannot log in (re-DHCP), portal authentication users logged out still exist on server, trusted: DHCP snooping trusted port, DHCPv6 snooping port, L2TP LTS TSA ID setting, ...
unit: AAA RADIUS Remanent_Volume attribute data measurement unit, untrusted: DHCP snooping untrusted port, DHCPv6 snooping port, updating: IPoE traffic statistics update timer, ...
Page 501
portal authentication authenticated user redirection, portal authentication failure user blocking, portal authentication online user logout, portal authentication roaming, portal authentication user access control, portal authentication user online ...
DHCP server IP address dynamic assignment, DHCP server IP address static assignment, DHCP server option customization, DHCP server user class configuration, DHCP snooping basic configuration, DHCPv6 snooping configuration, ...
Page 502
IPoE online detection configuration, IPoE static user configuration (ARP-based), IPoE subnet-leased user configuration, IPoE traffic statistics update timer, IPoE unclassified-IP user configuration, IPoE user logging enable, IPoE VPN DHCP user configuration, ...
troubleshooting L2TP data transmission failure, troubleshooting L2TP remote system network access failure, troubleshooting L2TP user offline, cross-subnet portal authentication configuration, ...
