H3C SR8800-F Configuration Manual


Comware 7 user access

H3C SR8800-F Routers
Comware 7 User Access Configuration Guide
New H3C Technologies Co., Ltd.
http://www.h3c.com.hk
Software version: SR8800FS-CMW710-R7655P05 or later
Document version: 6W100-20170825


Summary of Contents for H3C SR8800-F

  • Page 1 H3C SR8800-F Routers Comware 7 User Access Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: SR8800FS-CMW710-R7655P05 or later Document version: 6W100-20170825...
  • Page 2 H3CS, H3CIE, H3CNE, Aolynk, Care, IRF, NetPilot, Netflow, SecEngine, SecPath, SecCenter, SecBlade, Comware, ITCMM and HUASAN are trademarks of New H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners. Notice: The information in this document is subject to change without notice.
  • Page 3 Preface This configuration guide describes fundamentals and configuration of user access features. This preface includes the following topics about the documentation: • Audience. • Conventions • Obtaining documentation • Technical support • Documentation feedback Audience This documentation is intended for: •...
  • Page 4 Convention Description: Folder. Symbols (Convention Description): WARNING! An alert that calls attention to important information that, if not understood or followed, can result in personal injury. CAUTION: An alert that calls attention to important information that, if not understood or followed, can result in data loss, data corruption, or damage to hardware or software.
  • Page 5 Obtaining documentation To access the most up-to-date H3C product documentation, go to the H3C website at http://www.h3c.com.hk To obtain information about installation, configuration, and maintenance, click http://www.h3c.com.hk/Technical_Documents...
  • Page 6: Table Of Contents

    Contents: Configuring AAA (1); About AAA (1); AAA implementation (1); AAA network diagram (1); RADIUS (2); HWTACACS (5); LDAP (8); User management based on ISP domains and user access types (11) ...
  • Page 7 Specifying the HWTACACS accounting servers (44); Specifying the shared keys for secure HWTACACS communication (44); Specifying an MPLS L3VPN instance for the scheme (45); Setting the username format and traffic statistics units (45) ...
  • Page 8 IP address allocation process (89); IP address lease extension (89); DHCP message format (90); DHCP options (91); Common DHCP options (91); Custom DHCP options (91); Vendor-specific option (Option 43) (92) ...
  • Page 9 Example: Configuring static IP address assignment (120); Example: Configuring dynamic IP address assignment (121); Example: Configuring DHCP user class (123); Example: Configuring DHCP user class whitelist (125); Example: Configuring primary and secondary subnets (126) ...
  • Page 10 Configuring DHCP snooping (157); About DHCP snooping (157); Application of trusted and untrusted ports (157); DHCP snooping support for Option 82 (158); Restrictions and guidelines: DHCP snooping configuration (159); DHCP snooping tasks at a glance ...
  • Page 11 Configuring DHCPv6 flood attack protection (188); Enabling the DHCPv6 server to advertise IPv6 prefixes (189); Enabling DHCPv6 logging on the DHCPv6 server (189); Display and maintenance commands for DHCPv6 server (189); DHCPv6 server configuration examples ...
  • Page 12 Configuring the user account format (217); Configuring MAC authentication timers (217); About MAC authentication timers (217); Procedure (217); Enabling MAC authentication offline detection (218); Setting the maximum number of concurrent MAC authentication users on a port (218) ...
  • Page 13 Configuring L2TP (250); About L2TP (250); Typical L2TP networking (250); L2TP message types and encapsulation structure (250); L2TP tunnel and session (251); L2TP tunneling modes and tunnel establishment process (251) ...
  • Page 14 Enabling PPPoE logging (282); Display and maintenance commands for PPPoE (282); PPPoE configuration examples (283); Example: Configuring the PPPoE server (283); Example: Assigning the PPPoE server IP address through the local DHCP server (284) ...
  • Page 15 Configuring portal authentication server detection (320); Configuring portal Web server detection (321); Configuring portal user synchronization (321); Configuring portal packet attributes (322); Configuring the BAS-IP or BAS-IPv6 attribute (322); Specifying the device ID ...
  • Page 16 Configuring passwords for dynamic individual users (396); Configuring ISP domains for dynamic individual users (396); Configuring the maximum number of dynamic IPoE sessions (397); Configuring trusted DHCP options for DHCP users (398) ...
  • Page 17: Configuring AAA

    Configuring AAA About AAA AAA implementation Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions: • Authentication—Identifies users and verifies their validity. • Authorization—Grants different users different rights, and controls the users' access to resources and services.
  • Page 18: RADIUS

    The device performs dynamic password authentication. RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
  • Page 19 User authentication methods The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP. Basic RADIUS packet exchange process Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server. Figure 3 Basic RADIUS packet exchange process RADIUS uses the following workflow: The host sends a connection request that includes the user's username and password to the RADIUS client.
  • Page 20 RADIUS packet format RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure smooth packet exchange between the RADIUS server and the client. These mechanisms include the timer mechanism, the retransmission mechanism, and the backup server mechanism. Figure 4 RADIUS packet format Descriptions of the fields are as follows: •...
  • Page 21: HWTACACS

    • The Attributes field (variable in length) includes authentication, authorization, and accounting information. This field can contain multiple attributes, each with the following subfields: Type—Type of the attribute. Length—Length of the attribute in bytes, including the Type, Length, and Value subfields. Value—Value of the attribute.
  • Page 22 HWTACACS: Encrypts the entire packet except for the HWTACACS header. RADIUS: Encrypts only the user password field in an authentication packet. HWTACACS: Protocol packets are complicated and authorization is independent of authentication. Authentication and authorization can be deployed on different ... RADIUS: Protocol packets are simple and the authorization process is combined with the authentication process.
  • Page 23 Figure 6 Basic HWTACACS packet exchange process for a Telnet user (participants: Host, HWTACACS client, HWTACACS server): 1) The user tries to log in. 2) Start-authentication packet. 3) Authentication response requesting the username. 4) Request for username. 5) The user enters the username. 6) Continue-authentication packet with the username. 7) Authentication response requesting the password. 8) Request for password...
  • Page 24: LDAP

    10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password. 11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication. 12.
  • Page 25 Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search. Constructs search conditions by using the username in the authentication information of a user. The specified root directory of the server is searched and a user DN list is generated.
  • Page 26 The LDAP server processes the request, and sends a response to notify the LDAP client of the bind operation result. If the bind operation fails, the LDAP client uses another obtained user DN as the parameter to send a user DN bind request to the LDAP server. This process continues until a DN is bound successfully or all DNs fail to be bound.
  • Page 27: User Management Based On ISP Domains And User Access Types

    The LDAP client sends an authorization search request with the username of the Telnet user to the LDAP server. If the user uses the same LDAP server for authentication and authorization, the client sends the request with the saved user DN of the Telnet user to the LDAP server. After receiving the request, the LDAP server searches for the user information by the base DN, search scope, filtering conditions, and LDAP attributes.
  • Page 28 AAA also supports configuring a set of default methods for an ISP domain. These default methods are applied to users for which no AAA methods are configured. Authentication methods The device supports the following authentication methods: • No authentication—This method trusts all users and does not perform authentication. For security purposes, do not use this method.
  • Page 29: AAA For MPLS L3VPNs

    • Command accounting—When command authorization is disabled, command accounting enables the accounting server to record all valid commands executed on the device. When command authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see Fundamentals Configuration Guide.
  • Page 30: AAA Tasks At A Glance

    • RFC 2251, Lightweight Directory Access Protocol (v3) AAA tasks at a glance To configure AAA, complete the following tasks on the NAS: Configure the required AAA schemes: If local authentication is used, configure local users and the related attributes. If remote authentication is used, configure the required RADIUS, HWTACACS, or LDAP schemes.
  • Page 31: Configuring Local Users

    Tasks at a glance (Optional.) Configuring the device ID Configuring local users About local users To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device.
  • Page 32: Local User Configuration Tasks At A Glance

    Local user configuration tasks at a glance Tasks at a glance (Required.) Configure local user attributes based on the user type: • Configuring attributes for device management users • Configuring attributes for network access users • Configuring local guest attributes (Optional.) Configuring user group attributes (Optional.)
  • Page 33: Configuring Attributes For Network Access Users

    Step: (Optional.) Configure authorization attributes. Command: authorization-attribute { idle-cut minutes | user-role role-name | work-directory ... Remarks: The following default settings apply: • The working directory for FTP, SFTP, and SCP users is the root directory of the NAS. However, the users do not have permission to access the root directory.
  • Page 34: Configuring Local Guest Attributes

    Step: Enter system view. Command: system-view. Step: Add a local user and enter network access user view. Command: local-user user-name [ class network ]. Remarks: By default, no local users exist. Step: (Optional.) Configure a password. Command: password { cipher | simple } ... Remarks: By default, no password is configured for a local user. A local user can pass authentication after entering the...
  • Page 35: Configuring User Group Attributes

    To configure local guest attributes: Step: Enter system view. Command: system-view. Step: Create a local guest and enter local guest view. Command: local-user user-name class network guest. Remarks: By default, no local guests exist. Step: Configure a password for the local guest. Command: password { cipher | simple } ... Remarks: By default, no password is...
  • Page 36 By default, every new local user belongs to the default user group system and has all attributes of the group. To assign a local user to a different user group, use the group command in local user view. To configure user group attributes: Step Command Remarks...
  • Page 37: Managing Local Guests

    Managing local guests About local guest management The local guest management features are for registration, approval, maintenance, and access control of local guests. The registration and approval processes are as follows: The device pushes the portal user registration page to a user that wants to access the network as a local guest.
  • Page 38: Display And Maintenance Commands For Local Users And Local User Groups

    Step: Configure the guest manager's email address. Command: local-guest manager-email email-address. Remarks: By default, the guest manager's email address is not configured. Step: (Optional.) Set the waiting-approval timeout timer for guest registration requests. Command: local-guest timer waiting-approval time-value. Remarks: The default is 24 hours.
  • Page 39: Configuring RADIUS

    Configuring RADIUS RADIUS tasks at a glance Tasks at a glance (Optional.) Configuring a test profile for RADIUS server status detection (Required.) Creating a RADIUS scheme (Required.) Specifying the RADIUS authentication servers (Optional.) Specifying the RADIUS accounting servers (Optional.) Specifying the shared keys for secure RADIUS communication (Optional.) Specifying an MPLS L3VPN instance for the scheme (Optional.)
  • Page 40: Creating A RADIUS Scheme

    With the test profile specified, the device sends a detection packet to the RADIUS server within each detection interval. The detection packet is a simulated authentication request that includes the specified user name in the test profile. • If the device receives a response from the server within the interval, it sets the server to the active state.
  • Page 41: Specifying The RADIUS Accounting Servers

    When RADIUS server load sharing is enabled, the device distributes the workload over all servers without considering the primary and secondary server roles. The device checks the weight value and number of currently served users for each active server, and then determines the most appropriate server in performance to receive an authentication request.
  • Page 42: Specifying The Shared Keys For Secure RADIUS Communication

    Step: • Specify the primary RADIUS accounting server. Command: primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ... Remarks: By default, no accounting servers are specified. Two accounting servers in a scheme, primary or secondary, cannot have the same combination of IP...
  • Page 43: Setting The Username Format And Traffic Statistics Units

    Step: Specify a VPN instance for the RADIUS scheme. Command: vpn-instance vpn-instance-name. Remarks: By default, a RADIUS scheme belongs to the public network. Setting the username format and traffic statistics units A username is in the userid@isp-name format, where the isp-name argument represents the user's ISP domain name.
  • Page 44: Setting The Maximum Number Of Real-Time Accounting Attempts

    Step: Set the maximum number of RADIUS request transmission attempts. Command: retry retries. Remarks: The default setting is 3. Setting the maximum number of real-time accounting attempts If you specify a maximum number of real-time accounting attempts, the device will disconnect users from which no accounting responses are received within the permitted attempts.
  • Page 45: Setting The Maximum Number Of Pending RADIUS Requests

    Setting the maximum number of pending RADIUS requests About the maximum number of pending RADIUS requests This feature controls the rate of RADIUS requests that are sent to the RADIUS server. Use this feature if the RADIUS server has a limited performance and cannot concurrently process too many RADIUS requests.
  • Page 46 • If the secondary server is unreachable, the device performs the following operations: Changes the server status to blocked. Starts a quiet timer for the server. Tries to communicate with the next secondary server in active state that has the highest priority.
  • Page 47: Enabling The RADIUS Server Load Sharing Feature

    Step: • Set the status of the primary RADIUS authentication server. Command: state primary authentication { active | block }. • Set the status of the primary RADIUS accounting server. Command: state primary accounting { active | block }. Remarks: By default, a RADIUS server is in active state.
  • Page 48: Specifying The Source IP Address For Outgoing RADIUS Packets

    Specifying the source IP address for outgoing RADIUS packets About source IP address for outgoing RADIUS packets The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.
  • Page 49: Setting RADIUS Timers

    Setting RADIUS timers About RADIUS timers The device uses the following types of timers to control communication with a RADIUS server: • Server response timeout timer (response-timeout)—Defines the RADIUS request retransmission interval. The timer starts immediately after a RADIUS request is sent. If the device does not receive a response from the RADIUS server before the timer expires, it resends the request.
  • Page 50: Configuring The RADIUS Accounting-On Feature

    Configuring the RADIUS accounting-on feature About RADIUS accounting-on When the accounting-on feature is enabled, the device automatically sends an accounting-on packet to the RADIUS server after the entire device reboots. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device. Without this feature, users cannot log in again after the reboot, because the RADIUS server still considers them to be online.
  • Page 51: Configuring The Login-Service Attribute Check Method For SSH, FTP, And Terminal Users

    Configuring the Login-Service attribute check method for SSH, FTP, and terminal users About Login-Service attribute check methods The device supports the following check methods for the Login-Service attribute (RADIUS attribute 15) of SSH, FTP, and terminal users: • Strict—Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.
  • Page 52: Configuring The Format For RADIUS Attribute 87

    Setting the data measurement unit for the Remanent_Volume attribute The Remanent_Volume attribute is H3C proprietary. The RADIUS server uses this attribute in authentication or real-time accounting responses to notify the device of the current amount of data available for online users.
  • Page 53: Specifying A Server Version For Interoperating With Servers With A Vendor ID Of 2011

    Specifying a server version for interoperating with servers with a vendor ID of 2011 For the device to correctly interpret RADIUS attributes from the servers with a vendor ID of 2011, specify a server version that is the same as the version of the RADIUS servers. To specify a server version for interoperating with servers with a vendor ID of 2011: Step Commands...
  • Page 54 Configuring the RADIUS attribute translation feature for a RADIUS scheme Step: Enter system view. Command: system-view. Step: (Optional.) Define an extended RADIUS attribute. Command: radius attribute extended attribute-name [ vendor vendor-id ] code attribute-code type { binary | ... Remarks: By default, no user-defined extended RADIUS attributes exist. Repeat this command to define...
  • Page 55: Configuring The RADIUS Session-Control Feature

    Configuring the RADIUS session-control feature About RADIUS session-control Enable this feature for the RADIUS server to dynamically change the user authorization information or forcibly disconnect users by using session-control packets. This task enables the device to receive RADIUS session-control packets on UDP port 1812. To verify the session-control packets sent from a RADIUS server, specify the RADIUS server as a session-control client to the device.
  • Page 56: Changing The DSCP Priority For RADIUS Packets

    Change the authorization information of specific online users. Shut down and then bring up the access interfaces of users. Procedure To configure the RADIUS DAS feature: Step: Enter system view. Command: system-view. Step: Enable the RADIUS DAS feature and enter RADIUS... Command: radius dynamic-author server. Remarks: By default, the RADIUS DAS feature is disabled.
  • Page 57: Enabling SNMP Notifications For RADIUS

    Step: Enter system view. Command: system-view. Step: Configure the device to preferentially process RADIUS authentication requests. Command: radius authentication-request first. Remarks: By default, the device processes RADIUS requests in the sequence that the requests are initiated. Enabling SNMP notifications for RADIUS When SNMP notifications are enabled for RADIUS, the SNMP agent supports the following notifications generated by RADIUS: •...
  • Page 58: Configuring HWTACACS

    Configuring HWTACACS HWTACACS tasks at a glance Tasks at a glance (Required.) Creating an HWTACACS scheme (Required.) Specifying the HWTACACS authentication servers (Optional.) Specifying the HWTACACS authorization servers (Optional.) Specifying the HWTACACS accounting servers (Required.) Specifying the shared keys for secure HWTACACS communication (Optional.) Specifying an MPLS L3VPN instance for the scheme (Optional.)
  • Page 59: Specifying The HWTACACS Authorization Servers

    Step: Enter HWTACACS scheme view. Command: hwtacacs scheme hwtacacs-scheme-name. Step: • Specify the primary HWTACACS authentication server. Command: primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | ... Remarks: By default, no authentication servers are specified.
  • Page 60: Specifying The HWTACACS Accounting Servers

    Specifying the HWTACACS accounting servers You can specify one primary accounting server and a maximum of 16 secondary accounting servers for an HWTACACS scheme. When the primary server is not available, the device searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.
  • Page 61: Specifying An MPLS L3VPN Instance For The Scheme

    Step: Specify a shared key for secure HWTACACS authentication, authorization, or accounting communication. Command: key { accounting | authentication | authorization } { cipher | simple } string. Remarks: By default, no shared key is specified for secure HWTACACS communication. The shared key configured on the device must be the same as the...
  • Page 62: Configuring HWTACACS Stop-Accounting Packet Buffering

    Configuring HWTACACS stop-accounting packet buffering The device sends HWTACACS stop-accounting requests when it receives connection teardown requests from hosts or connection teardown commands from an administrator. However, the device might fail to receive a response for a stop-accounting request in a single transmission. Enable the device to buffer HWTACACS stop-accounting requests that have not received responses from the accounting server.
  • Page 63: Setting HWTACACS Timers

    Before sending an HWTACACS packet, the NAS selects a source IP address in the following order: The source IP address specified for the HWTACACS scheme. The source IP address specified in system view for the VPN or public network, depending on where the HWTACACS server resides.
  • Page 64: Display And Maintenance Commands For HWTACACS

    Tries to communicate with a secondary server in active state that has the highest priority. • If the secondary server is unreachable, the device performs the following operations: Changes the server status to blocked. Starts a quiet timer for the server. Tries to communicate with the next secondary server in active state that has the highest priority.
  • Page 65: Configuring LDAP

    Task: Display the configuration or server statistics of HWTACACS schemes. Command: display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]. Task: Display information about buffered HWTACACS stop-accounting requests to which no responses have been received. Command: display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name. Task: Clear HWTACACS statistics. Command: reset hwtacacs statistics { accounting | all | authentication | ...
  • Page 66: Specifying The LDAP Version

    Step: Enter LDAP server view. Command: ldap server server-name. Step: Configure the IP address of the LDAP server. Command: { ip ip-address | ipv6 ipv6-address } [ port ... Remarks: By default, an LDAP server does not have an IP address. You can configure either an IPv4 ...
  • Page 67: Configuring LDAP User Attributes

    Step: Specify the administrator DN. Command: login-dn dn-string. Remarks: By default, no administrator DN is specified. The administrator DN specified on the device must be the same as the administrator DN configured on the LDAP server. Step: Configure the administrator password. Command: login-password { cipher | ... Remarks: By default, no administrator...
  • Page 68: Configuring An LDAP Attribute Map

    Step: (Optional.) Specify the user object class. Command: user-parameters user-object-class object-class-name. Remarks: By default, no user object class is specified, and the default user object class on the LDAP server is used. The default user object class for this command varies by LDAP server model.
  • Page 69: Specifying The LDAP Authentication Server

    Specifying the LDAP authentication server Step: Enter system view. Command: system-view. Step: Enter LDAP scheme view. Command: ldap scheme ldap-scheme-name. Step: Specify the LDAP authentication server. Command: authentication-server server-name. Remarks: By default, no LDAP authentication server is specified. Specifying the LDAP authorization server Step: Enter system view.
  • Page 70: Configuring AAA Methods For ISP Domains

    Configuring AAA methods for ISP domains Creating an ISP domain About ISP domains In a networking scenario with multiple ISPs, the device can connect to users of different ISPs. These users can have different user attributes, such as different username and password structures, different service types, and different rights.
  • Page 71: Configuring ISP Domain Attributes

    Configuring ISP domain attributes Setting ISP domain status By placing the ISP domain in active or blocked state, you allow or deny network service requests from users in the domain. To set ISP domain status: Step Command Remarks Enter system view. system-view Enter ISP domain view.
  • Page 72 • Authorization VPN instance—The device allows authenticated PPP and IPoE users in the domain to access network resources in the authorization VPN. • Maximum number of multicast groups—The attribute restricts the maximum number of multicast groups that an authenticated IPoE, portal, or PPP user can join concurrently. •...
  • Page 73 Step Command Remarks The default settings are as follows: authorization-attribute { acl • acl-number | car inbound cir idle feature disabled. committed-information-rate [ pir peak-information-rate ] outbound • An IPv4 user can concurrently cir committed-information-rate join a maximum of four IGMP [ pir peak-information-rate ] | multicast groups.
  • Page 74: Configuring Authentication Methods For An Isp Domain

    Step / Command / Remarks
    - Specify the user address type in the ISP domain.
      Command: user-address-type { ds-lite | ipv6 | nat64 | private-ds | private-ipv4 | public-ds | public-ipv4 }
      Remarks: By default, no user address type is specified.
    Specifying the service type for users in an ISP domain
    Step / Command / Remarks ...
  • Page 75 The user account is not configured on the device or the user is not allowed to use the access service. • The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user. Prerequisites Before configuring authentication methods, complete the following tasks: Determine the access type or service type to be configured.
  • Page 76: Configuring Authorization Methods For An Isp Domain

    Step / Command / Remarks
    - Specify authentication methods for portal users.
      Command: authentication portal { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ ldap-scheme ldap-scheme-name | radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme ...
      Remarks: By default, the default authentication method is used for portal users. This command takes effect only on CSPEX ...
  • Page 77 Step Command Remarks Enter system view. system-view Enter ISP domain view. domain isp-name authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme Specify default radius-scheme-name | By default, the authorization authorization methods for hwtacacs-scheme method is local.
  • Page 78: Configuring Accounting Methods For An Isp Domain

    Step / Command / Remarks
    - Specify authorization methods for PPP users.
      Command: authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | ...
      Remarks: By default, the default authorization method is used for PPP users.
  • Page 79 Step Command Remarks accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | Specify default accounting hwtacacs-scheme By default, the accounting methods for all types of hwtacacs-scheme-name ] * [ none ] | method is local.
  • Page 80: Display And Maintenance Commands For Isp Domains

    Step / Command / Remarks
    - Specify accounting methods for PPP users.
      Command: accounting ppp { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] | hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme ...
      Remarks: By default, the default accounting method is used for PPP users.
  • Page 81: Setting The Maximum Number Of Concurrent Login Users

    Setting the maximum number of concurrent login users Perform this task to set the maximum number of concurrent users that can log on to the device through a specific protocol, regardless of their authentication methods. The authentication methods include no authentication, local authentication, and remote authentication. To set the maximum number of concurrent login users: Step Command...
  • Page 82: Display And Maintenance Commands For Local Bill Cache

    Step / Command / Remarks
    - Specify the destination URL for exporting accounting bills.
      Command: local-bill export-url url
      Remarks: By default, no URL is specified.
    - Set an interval at which accounting bills are exported automatically.
      Command: local-bill export-interval interval
      Remarks: By default, the interval is 1440 minutes.
    - (Optional.) Enable SNMP notification for automatic ...
      Remarks: By default, SNMP notification is ...
  • Page 83: Setting The Nas-Id On An Interface

    Step / Command / Remarks
    - Enter system view.
      Command: system-view
    - Create a NAS-ID profile and enter NAS-ID profile view.
      Command: aaa nas-id profile profile-name
      Remarks: By default, no NAS-ID profiles exist.
    - Configure a NAS-ID and VLAN binding.
      Command: nas-id nas-identifier bind { { c-vid ...
      Remarks: By default, no NAS-ID and VLAN bindings exist. In a QinQ network, specify an inner VLAN ID, outer VLAN ID, or ...
  • Page 84: Configuring The Device Id

    Step / Command / Remarks
    - Set the NAS-ID in the ISP domain.
      Command: nas-id nas-identifier
      Remarks: By default, no NAS-ID is set in an ISP domain.
    Configuring the device ID
    RADIUS uses the value of the Acct-Session-ID attribute as the accounting ID for a user. The device generates an Acct-Session-ID value for each online user based on the system time, random digits, and device ID.
  • Page 85 Set the ports for authentication and accounting to 1812 and 1813, respectively. c. Select Device Management Service from the Service Type list. d. Select H3C from the Access Device Type list. e. Select an access device from the device list or manually add an access device. In this example, the device IP address is 10.1.1.2.
  • Page 86 Figure 14 Adding an account for device management Configure the router: # Configure the IP addresses for interfaces. (Details not shown.) # Create local RSA and DSA key pairs. <Router> system-view [Router] public-key local create rsa [Router] public-key local create dsa # Enable the SSH service.
  • Page 87: Example: Configuring Local Authentication And Authorization For Ssh Users

    [Router-radius-rad] quit
    # Create an ISP domain named bbb and configure authentication, authorization, and accounting methods for login users. Because RADIUS user authorization information is piggybacked in authentication responses, the authentication and authorization methods must use the same RADIUS scheme.
    [Router] domain bbb
    [Router-isp-bbb] authentication login radius-scheme rad
    [Router-isp-bbb] authorization login radius-scheme rad...
  • Page 88: Example: Configuring Aaa For Ssh Users By An Hwtacacs Server

    # Set the password to 123456TESTplat&! in plaintext form for the local user.
    [Router-luser-manage-ssh] password simple 123456TESTplat&!
    # Specify the user role for the user as network-admin.
    [Router-luser-manage-ssh] authorization-attribute user-role network-admin
    [Router-luser-manage-ssh] quit
    # Create an ISP domain named bbb and configure the domain to use local authentication and authorization for login users.
  • Page 89: Example: Configuring Authentication For Ssh Users By An Ldap Server

    <Router> system-view
    [Router] hwtacacs scheme hwtac
    # Specify the primary authentication server.
    [Router-hwtacacs-hwtac] primary authentication 10.1.1.1 49
    # Specify the primary authorization server.
    [Router-hwtacacs-hwtac] primary authorization 10.1.1.1 49
    # Specify the primary accounting server.
    [Router-hwtacacs-hwtac] primary accounting 10.1.1.1 49
    # Set the shared keys to expert in plaintext form for secure HWTACACS communication.
    [Router-hwtacacs-hwtac] key authentication simple expert
    [Router-hwtacacs-hwtac] key authorization simple expert
    [Router-hwtacacs-hwtac] key accounting simple expert...
  • Page 90 • Use the LDAP server to authenticate SSH users. • Assign the default user role network-operator to SSH users after they pass authentication. On the LDAP server, set the administrator password to admin!123456, add a user named aaa, and set the user's password to ldap!123456. Figure 17 Network diagram Procedure Configure the LDAP server:...
  • Page 91 f. In the dialog box, enter password ldap!123456, select options as needed, and click Next. Figure 19 Setting the user's password g. Click OK. # Add user aaa to group Users: a. From the navigation tree, click Users under the ldap.com node. b.
  • Page 92 Figure 20 Modifying user properties d. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users. Figure 21 Adding user aaa to group Users # Set the administrator password to admin!123456: a.
  • Page 93 # Create the local DSA key pair and RSA key pairs. <Router> system-view [Router] public-key local create dsa [Router] public-key local create rsa # Enable the SSH service. [Router] ssh server enable # Enable scheme authentication for user lines VTY 0 through VTY 63. [Router] line vty 0 63 [Router-line-vty0-63] authentication-mode scheme [Router-line-vty0-63] quit...
  • Page 94: Example: Configuring Aaa For Ppp Users By An Hwtacacs Server

    Example: Configuring AAA for PPP users by an HWTACACS server Network configuration As shown in Figure • Router A uses the HWTACACS server to perform PAP authentication for users from Router B. • The HWTACACS server is also the authorization server and accounting server of Router B. •...
  • Page 95: Troubleshooting Radius

    [RouterA] domain bbb
    [RouterA-isp-bbb] authentication ppp hwtacacs-scheme hwtac
    [RouterA-isp-bbb] authorization ppp hwtacacs-scheme hwtac
    [RouterA-isp-bbb] accounting ppp hwtacacs-scheme hwtac
    [RouterA-isp-bbb] quit
    # Enable PPP encapsulation on Serial 2/1/0/1:0.
    [RouterA] interface serial 2/1/0/1:0
    [RouterA-Serial2/1/0/1:0] link-protocol ppp
    # Configure Serial 2/1/0/1:0 to authenticate the peer by using PAP in authentication domain bbb.
  • Page 96: Radius Packet Delivery Failure

    The user is configured on the RADIUS server. The correct password is entered. The same shared key is configured on both the RADIUS server and the NAS. If the problem persists, contact H3C Support. RADIUS packet delivery failure Symptom RADIUS packets cannot reach the RADIUS server.
  • Page 97: Troubleshooting Hwtacacs

    The accounting server IP address is correctly configured on the NAS. If the problem persists, contact H3C Support. Troubleshooting HWTACACS Similar to RADIUS troubleshooting. See "Troubleshooting RADIUS." Troubleshooting LDAP LDAP authentication failure Symptom User authentication fails. Analysis Possible reasons include: •...
  • Page 98: Appendixes

    Appendixes
    Appendix A Commonly used RADIUS attributes
    Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
    Table 3 Commonly used RADIUS attributes
    User-Name, User-Password, CHAP-Password, NAS-IP-Address, NAS-Port, Service-Type,
    Acct-Authentic, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Terminate-Cause, Acct-Multi-Session-Id...
  • Page 99: Appendix B Descriptions For Commonly Used Standard Radius Attributes

    Table 3 (continued)
    NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id,
    EAP-Message, Message-Authenticator, Tunnel-Private-Group-ID, Tunnel-Assignment-id, Tunnel-Preference, ARAP-Challenge-Response, Acct-Interim-Interval, Acct-Tunnel-Packets-Lost, NAS-Port-Id, Framed-Pool, (unassigned), Tunnel-Client-Auth-id, Tunnel-Server-Auth-id
    Appendix B Descriptions for commonly used standard RADIUS attributes
    - User-Name: Name of the user to be authenticated.
  • Page 100 User identification that the NAS sends to the server. For the LAN Calling-Station-Id access service provided by an H3C device, this attribute includes the MAC address of the user. NAS-Identifier Identification that the NAS uses to identify itself to the RADIUS server.
  • Page 101: Appendix C Radius Subattributes (Vendor Id 25506)

    - Message-Authenticator: Used for authentication and verification of authentication packets to prevent spoofing Access-Requests. This attribute is present when EAP authentication is used.
    - Tunnel-Private-Group-ID: Group ID for a tunnel session. To assign VLANs, the NAS conveys VLAN IDs by using this attribute.
    - NAS-Port-Id: String for describing the port of the NAS that is authenticating the user.
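    The following Python script is an added example and is not part of the H3C guide or of the router software. It shows how the two attributes that protect an Access-Request are produced and checked, using only the standard algorithms: User-Password is hidden with the MD5-based scheme of RFC 2865 section 5.2, keyed by the shared key and the Request Authenticator, and Message-Authenticator is an HMAC-MD5 over the whole packet with the attribute zeroed (RFC 3579). Verifying on the server side makes the troubleshooting advice concrete: if the NAS and server keys differ, the HMAC check fails and the recovered password is garbage. The username, the fixed Request Authenticator used in the demonstration, the NAS address 10.1.1.2 and the shared key "expert" are constructed values, not taken from a real exchange.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute numbers (RFC 2865, RFC 3579)
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret + prev)))
        out, prev = out + block, block          # chaining value is the ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret + prev)))
        prev = block
    return out.rstrip(b"\x00")


def _attr(code: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, authenticator):
    """Return a complete Access-Request carrying a valid Message-Authenticator."""
    attrs = _attr(USER_NAME, username)
    attrs += _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    attrs += _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)      # placeholder, filled below
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()     # HMAC over packet with zeroed M-A
    return packet[:-16] + mac


def parse_attributes(packet: bytes):
    """Yield (code, value, offset) for each attribute; reject malformed lengths."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        code, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        yield code, packet[pos + 2:pos + length], pos
        pos += length


def verify_access_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check: code, declared length and Message-Authenticator must all be right."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    for attr_code, value, pos in parse_attributes(packet):
        if attr_code == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False   # policy chosen here: a request without Message-Authenticator is rejected


def recovered_password(packet: bytes, secret: bytes) -> bytes:
    """What the server obtains from User-Password with the key it holds."""
    authenticator = packet[4:20]
    for attr_code, value, _ in parse_attributes(packet):
        if attr_code == USER_PASSWORD:
            return reveal_password(value, secret, authenticator)
    return b""


if __name__ == "__main__":
    key = b"expert"                     # constructed shared key
    ra = os.urandom(16)                 # Request Authenticator must be fresh and unpredictable
    pkt = build_access_request(7, key, b"hello@bbb", b"123456TESTplat&!", "10.1.1.2", ra)
    print("valid with the right key:", verify_access_request(pkt, key))
    print("valid with a wrong key:  ", verify_access_request(pkt, b"wrong"))
    print("password seen by server: ", recovered_password(pkt, key))
```

    The script rejects a request whose Message-Authenticator does not verify before it ever looks at the password, so a spoofed Access-Request from a host that does not know the key is dropped without leaking whether the username exists.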
  • Page 102 Subattribute Description End port number of the port range assigned to the user when the NAT-End-Port source IP address and port are translated. Startup time of the NAS in seconds, which is represented by the NAS_Startup_Timestamp time elapsed after 00:00:00 on Jan. 1, 1970 (UTC). User IP address and MAC address included in authentication and Ip_Host_Addr accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh.
  • Page 103 Subattribute Description Bytes of IPv6 packets in the outbound direction. The Acct_IPv6_Output_Gigawords measurement unit is 4G bytes. User-Roles List of space-separated user roles. User-defined attribute pair. Available attribute pairs include: • Server-assigned dynamic WEP key in the format of leap:session-key=xxx. Av-Pair •...
  • Page 104: Dhcp Overview

    DHCP overview DHCP network model The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. Figure 23 shows a typical DHCP application scenario where the DHCP clients and the DHCP server reside on the same subnet. The DHCP clients can also obtain configuration parameters from a DHCP server on another subnet through a DHCP relay agent.
  • Page 105: Ip Address Allocation Process

    IP address allocation process Figure 24 IP address allocation process As shown in Figure 24, a DHCP server assigns an IP address to a DHCP client in the following process: The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message.
  • Page 106: Dhcp Message Format

    If the client receives no reply, it broadcasts another DHCP-REQUEST message for lease extension when about seven-eighths of the lease duration elapses. Again, depending on the availability of the IP address, the DHCP server returns either a DHCP-ACK unicast or a DHCP-NAK unicast. DHCP message format Figure 25 shows the DHCP message format.
  • Page 107: Dhcp Options

    DHCP options DHCP extends the message format as an extension to BOOTP for compatibility. DHCP uses the options field to carry information for dynamic address allocation and provide additional configuration information for clients. Figure 26 DHCP option format Common DHCP options The following are common DHCP options: •...
  • Page 108: Vendor-Specific Option (Option 43)

    Vendor-specific option (Option 43) Option 43 function DHCP servers and clients use Option 43 to exchange vendor-specific configuration information. The DHCP client can obtain the following information through Option 43: • ACS parameters, including the ACS URL, username, and password. •...
  • Page 109: Relay Agent Option (Option 82)

    Figure 29 PXE server address sub-option value field Relay agent option (Option 82) Option 82 is the relay agent option. It records the location information about the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request and sends it to the server.
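    The following Python parser is an added example, not code from the H3C guide or from the router. It covers the message format, the options field, Option 43 and Option 82 described on the preceding pages: it walks the fixed BOOTP header, checks the magic cookie, decodes the options as code/length/value triples, splits Option 82 into the Circuit ID and Remote ID sub-options defined in RFC 3046, and decodes the PXE server address sub-option of Option 43. The PXE sub-option layout used here (sub-option type 0x80, a 2-byte PXE server type, a 1-byte server count, then the addresses) is an assumption about Figure 29, which is not reproduced on this page. The two sample messages are constructed for the demonstration, not captured traffic; the PXE addresses 1.2.3.4 and 2.2.2.2 are the ones the guide's example assigns.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_VENDOR_SPECIFIC, OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_RELAY_AGENT = 43, 50, 53, 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2      # Option 82 sub-options, RFC 3046
PXE_SUBOPT = 0x80                               # assumed type of the PXE server address sub-option
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK", 6: "NAK", 7: "RELEASE"}


def parse_tlvs(data, top_level):
    """Walk code/length/value triples. At top level, 0 is a pad and 255 ends the list;
    inside a sub-option field neither applies. Repeated codes are concatenated (RFC 3396)."""
    out, pos = {}, 0
    while pos < len(data):
        code = data[pos]
        if top_level and code == OPT_PAD:
            pos += 1
            continue
        if top_level and code == OPT_END:
            break
        if pos + 2 > len(data):
            raise ValueError("truncated option header at offset %d" % pos)
        length = data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("option %d declares %d bytes but %d remain" % (code, length, len(value)))
        out[code] = out.get(code, b"") + value
        pos += 2 + length
    return out


def parse_pxe_servers(value):
    """Assumed sub-option layout: 2-byte PXE server type, 1-byte server count, then the addresses."""
    if len(value) < 3:
        raise ValueError("PXE sub-option too short")
    server_type, count = struct.unpack("!HB", value[:3])
    addrs = value[3:]
    if len(addrs) != 4 * count:
        raise ValueError("PXE server count does not match payload length")
    return server_type, [str(IPv4Address(addrs[i:i + 4])) for i in range(0, len(addrs), 4)]


def parse_dhcp(frame):
    """Decode the fixed header (op through file), check the magic cookie, then the options."""
    if len(frame) < 240 or frame[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", frame[:12])
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    ciaddr, yiaddr, siaddr, giaddr = (str(IPv4Address(frame[i:i + 4])) for i in range(12, 28, 4))
    opts = parse_tlvs(frame[240:], top_level=True)
    msg = {"op": op, "xid": xid, "broadcast": bool(flags & 0x8000), "chaddr": frame[28:28 + hlen].hex(":"),
           "ciaddr": ciaddr, "yiaddr": yiaddr, "giaddr": giaddr, "relayed": giaddr != "0.0.0.0"}
    if OPT_MSG_TYPE in opts:
        msg["type"] = MSG_TYPES.get(opts[OPT_MSG_TYPE][0], "UNKNOWN")
    if OPT_REQUESTED_IP in opts and len(opts[OPT_REQUESTED_IP]) == 4:
        msg["requested_ip"] = str(IPv4Address(opts[OPT_REQUESTED_IP]))
    if OPT_RELAY_AGENT in opts:
        sub = parse_tlvs(opts[OPT_RELAY_AGENT], top_level=False)
        msg["option82"] = {"circuit_id": sub.get(SUBOPT_CIRCUIT_ID, b"").hex(),
                           "remote_id": sub.get(SUBOPT_REMOTE_ID, b"").hex()}
    if OPT_VENDOR_SPECIFIC in opts:
        sub = parse_tlvs(opts[OPT_VENDOR_SPECIFIC], top_level=False)
        if PXE_SUBOPT in sub:
            msg["pxe_type"], msg["pxe_servers"] = parse_pxe_servers(sub[PXE_SUBOPT])
    return msg


def build_message(op, chaddr, options, giaddr="0.0.0.0", yiaddr="0.0.0.0", xid=0x3903F326):
    """Assemble a DHCP message from constructed fields (test input, not captured traffic)."""
    header = struct.pack("!BBBBIHH", op, 1, len(chaddr), 0, xid, 0, 0x8000)
    header += bytes(4) + IPv4Address(yiaddr).packed + bytes(4) + IPv4Address(giaddr).packed
    header += chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed samples: a DISCOVER that passed through a relay agent (Option 82 added, giaddr set),
# and the OFFER answering it with the PXE servers 1.2.3.4 and 2.2.2.2 from the guide's example.
SAMPLE_CHADDR = bytes.fromhex("aabbaabb0001")
SAMPLE_DISCOVER = build_message(1, SAMPLE_CHADDR, [
    (OPT_MSG_TYPE, b"\x01"),
    (OPT_REQUESTED_IP, IPv4Address("10.10.1.5").packed),
    (OPT_RELAY_AGENT, bytes([SUBOPT_CIRCUIT_ID, 4]) + bytes.fromhex("00040011")
                      + bytes([SUBOPT_REMOTE_ID, 6]) + bytes.fromhex("0011223344ff")),
], giaddr="10.10.1.254")
SAMPLE_OFFER = build_message(2, SAMPLE_CHADDR, [
    (OPT_MSG_TYPE, b"\x02"),
    (OPT_VENDOR_SPECIFIC, bytes([PXE_SUBOPT, 11]) + b"\x00\x00\x02"
                          + IPv4Address("1.2.3.4").packed + IPv4Address("2.2.2.2").packed),
], giaddr="10.10.1.254", yiaddr="10.10.1.5")

if __name__ == "__main__":
    for sample in (SAMPLE_DISCOVER, SAMPLE_OFFER):
        print(parse_dhcp(sample))
```

    Every length byte is checked against the bytes actually present before it is used, so a message whose options field is cut short is rejected rather than read past its end; that is the same discipline a relay agent or snooping device needs when it parses client requests before appending its own Option 82.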
  • Page 110: Protocols And Standards

    • Sub-option 4—Specifies the failover route that includes the IP address and the number of the target user. A SIP VoIP user uses this IP address and number to directly establish a connection to the target SIP user when both the primary and backup calling processors are unreachable. Protocols and standards •...
  • Page 111: Configuring The Dhcp Server

    Configuring the DHCP server About DHCP server A DHCP server manages a pool of IP addresses and client configuration parameters. It selects an IP address and configuration parameters from the address pool and allocates them to a requesting DHCP client. DHCP address assignment mechanisms Configure the following address assignment mechanisms as needed: •...
  • Page 112: Principles For Selecting An Address Pool

    Principles for selecting an address pool The DHCP server observes the following principles to select an address pool for a client: If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server selects this address pool and assigns the statically bound IP address and other configuration parameters to the client.
  • Page 113: Ip Address Allocation Sequence

    IP address allocation sequence The DHCP server selects an IP address for a client in the following sequence: IP address statically bound to the client's MAC address or ID. IP address that was ever assigned to the client. IP address designated by the Option 50 field in the DHCP-DISCOVER message sent by the client.
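    The following Python model is an added example and is not the router's implementation. It puts the two lists above into code: pool selection (a pool holding a static binding for the client is chosen first) and the allocation order (static binding, then the address the client held before, then the address requested in Option 50, then a free address). Two points are assumptions because the page's text is cut off: that a client with no static binding is served from the pool whose subnet contains the relay agent address, or the receiving interface's address when it is directly connected, and that the first assignable address of the pool is the last resort. Clients are keyed by client ID when they send one and by MAC address otherwise, which is what allows two clients with the same MAC to receive different addresses. The pool, the static binding and the excluded gateway, DNS and WINS addresses are constructed after the guide's 10.1.1.0/25 example.

```python
from ipaddress import IPv4Address, IPv4Network


class Pool:
    """One address pool: subnet, static bindings (client key -> address), excluded addresses."""

    def __init__(self, name, network, static=None, excluded=()):
        self.name = name
        self.network = IPv4Network(network)
        self.static = {key: IPv4Address(ip) for key, ip in (static or {}).items()}
        self.excluded = {IPv4Address(ip) for ip in excluded}


def client_key(mac, client_id=None):
    """Clients are identified by client ID (Option 61) when they send one, else by MAC address."""
    return ("id", client_id) if client_id else ("mac", mac.lower())


class DhcpServer:
    def __init__(self, pools, interface_ip):
        self.pools = list(pools)
        self.interface_ip = IPv4Address(interface_ip)
        self.leases = {}  # client key -> (pool name, IPv4Address)

    def select_pool(self, key, giaddr=None):
        """A pool with a static binding for the client wins. Otherwise (assumption) the pool
        whose subnet contains giaddr for a relayed request, or the receiving interface's address."""
        for pool in self.pools:
            if key in pool.static:
                return pool
        anchor = IPv4Address(giaddr) if giaddr and giaddr != "0.0.0.0" else self.interface_ip
        return next((p for p in self.pools if anchor in p.network), None)

    def assignable(self, pool, ip):
        in_use = {addr for _, addr in self.leases.values()}
        net = pool.network
        return (ip in net and ip != net.network_address and ip != net.broadcast_address
                and ip != self.interface_ip and ip not in pool.excluded
                and ip not in pool.static.values() and ip not in in_use)

    def allocate(self, mac, client_id=None, requested_ip=None, giaddr=None):
        """Return the address assigned to the client as a string, or None if none is available."""
        key = client_key(mac, client_id)
        pool = self.select_pool(key, giaddr)
        if pool is None:
            return None
        if key in pool.static:                                                # 1. static binding
            ip = pool.static[key]
        elif key in self.leases and self.leases[key][0] == pool.name:         # 2. previously assigned
            ip = self.leases[key][1]
        elif requested_ip and self.assignable(pool, IPv4Address(requested_ip)):  # 3. Option 50
            ip = IPv4Address(requested_ip)
        else:                                                                 # 4. first free (assumed)
            ip = next((h for h in pool.network.hosts() if self.assignable(pool, h)), None)
            if ip is None:
                return None
        self.leases[key] = (pool.name, ip)
        return str(ip)


def demo_server():
    """Constructed topology after the guide's example: pool 1 covers 10.1.1.0/25 behind
    GigabitEthernet 1/0/1 (10.1.1.1); gateway, DNS and WINS addresses are excluded."""
    pool = Pool("1", "10.1.1.0/25",
                static={client_key("aabb-aabb-0001"): "10.1.1.5"},
                excluded=["10.1.1.2", "10.1.1.4", "10.1.1.126"])
    return DhcpServer([pool], "10.1.1.1")


if __name__ == "__main__":
    srv = demo_server()
    print(srv.allocate("AABB-AABB-0001"))                            # static binding
    print(srv.allocate("aabb-aabb-0002", requested_ip="10.1.1.10"))  # Option 50 honoured
    print(srv.allocate("aabb-aabb-0003", requested_ip="10.1.1.10"))  # taken, first free instead
    print(srv.allocate("aabb-aabb-0002"))                            # previous lease wins
    print(srv.allocate("aabb-aabb-0002", client_id="host-b"))        # same MAC, different ID
```

    Note that a statically bound address is never handed out dynamically, even when a client explicitly requests it in Option 50; that is what keeps a misbehaving or hostile client from taking over the address reserved for Router B in the guide's example.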
  • Page 114: Creating A Dhcp User Class

    Tasks at a glance (Optional.) Enabling client offline detection on the DHCP server (Optional.) Configuring SNMP notifications for the DHCP server (Optional.) Enabling DHCP logging on the DHCP server Creating a DHCP user class The DHCP server classifies DHCP users into different user classes according to the hardware address, option information, or the giaddr field in the received DHCP requests.
  • Page 115: Creating A Dhcp Address Pool

    Creating a DHCP address pool
    - Enter system view.
      Command: system-view
    - Create a DHCP address pool and enter its view.
      Command: dhcp server ip-pool pool-name
      Remarks: By default, no DHCP address pool exists.
    Specifying IP address ranges for a DHCP address pool
    You can configure both static and dynamic address allocation mechanisms in a DHCP address pool.
  • Page 116 Step Command Remarks By default, no IP address range is specified for a user class. (Optional.) Specify an IP class class-name range The DHCP user class must address range for a DHCP user already exist. start-ip-address end-ip-address class. To specify address ranges for multiple DHCP user classes, repeat this step.
  • Page 117 Step Command Remarks expired { allow-hint | { day day (Optional.) Set the address lease [ hour hour [ minute minute The default setting is 1 day. duration. [ second second ] ] ] | unlimited } [ allow-hint ] } By default, all the IP addresses in the DHCP address pool can be...
  • Page 118: Specifying Gateways For Dhcp Clients

    Step / Command / Remarks
    - (Optional.) Set the lease duration for the IP address.
      Command: expired { allow-hint | { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited } [ allow-hint ] }
      Remarks: The default setting is 1 day.
    Specifying gateways for DHCP clients
    DHCP clients send packets destined for other networks to a gateway.
  • Page 119: Specifying Dns Servers For Dhcp Clients

    Specifying DNS servers for DHCP clients To access hosts on the Internet through domain names, a DHCP client must contact a DNS server to resolve names. You can specify up to eight DNS servers in a DHCP address pool. To specify DNS servers in a DHCP address pool: Step Command Remarks...
  • Page 120: Specifying The Configuration File For Dhcp Client Auto-Configuration

    Step / Command / Remarks
    - Enter system view.
      Command: system-view
    - Enter DHCP address pool view.
      Command: dhcp server ip-pool pool-name
      Remarks: By default, no DHCP address pool exists.
    - Specify the BIMS server IP address, port number, and ...
      Command: bims-server ip ip-address [ port port-number ] sharekey { cipher | ...
      Remarks: By default, no BIMS server information is specified.
  • Page 121: Specifying A Server For Dhcp Clients

    Specifying a server for DHCP clients Some DHCP clients need to obtain configuration information from a server, such as a TFTP server. You can specify the IP address of that server. The DHCP server sends the server's IP address to DHCP clients along with other configuration information.
  • Page 122 • Add newly released options. • Add options for which the vendor defines the contents, for example, Option 43. • Add options for which the CLI does not provide a dedicated configuration command. For example, you can use the option 4 ip-address 1.1.1.1 command to define the time server address 1.1.1.1 for DHCP clients.
  • Page 123: Configuring The Dhcp User Class Whitelist

    Step / Command / Remarks
    - Create a DHCP option group and enter DHCP option group view.
      Command: dhcp option group option-group-number
      Remarks: By default, no DHCP option group exists.
    - Customize a DHCP option.
      Command: option code { ascii ascii-string | hex hex-string | ip-address ...
      Remarks: By default, no DHCP option is customized in a DHCP option group. DHCP options specified in DHCP...
  • Page 124: Enabling The Dhcp Server On An Interface

    Enabling the DHCP server on an interface Perform this task to enable the DHCP server on an interface. Upon receiving a DHCP request on the interface, the DHCP server assigns the client an IP address and other configuration parameters from a DHCP address pool.
  • Page 125: Configuring A Dhcp Policy For Dynamic Address Assignment

    • If a static binding is found for the client, the server assigns the static IP address and configuration parameters from the address pool that contains the static binding. • If no static binding is found for the client, the server uses the address pool applied to the interface for address and configuration parameter allocation.
  • Page 126: Allocating Different Ip Addresses To Dhcp Clients With The Same Mac

    Allocating different IP addresses to DHCP clients with the same MAC Traditionally, the DHCP server identifies DHCP clients based on their MAC addresses. Each MAC address can be bound to only one IP address. However, DHCP clients that have the same MAC address exist in the network, and each client requires an IP address.
  • Page 127: Enabling Handling Of Option 82

    • If the server receives a response within the specified period, it selects and pings another IP address. • If it receives no response, the server continues to ping the IP address until the maximum number of ping packets are sent. If still no response is received, the server assigns the IP address to the requesting client.
  • Page 128: Configuring The Dhcp Server Security Features

    Step / Command / Remarks
    - Disable the DHCP server from encapsulating Option 60 in DHCP replies.
      Command: dhcp server reply-exclude-option60
      Remarks: By default, the DHCP server can encapsulate Option 60 in DHCP replies.
    Configuring the DHCP server security features
    Restrictions and guidelines
    The DHCP server security features are not applicable if a DHCP relay agent exists in the network. This is because the MAC address of the DHCP relay agent is encapsulated as the source MAC address in the DHCP request received by the DHCP server.
  • Page 129: Configuring Dhcp Starvation Attack Protection

    Configuring DHCP starvation attack protection About DHCP starvation attack protection A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses.
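    The following Python script is an added example and is not code from the H3C guide or the router. It models the two server-side defences the guide names against this attack on a constructed set of frames: a flood monitor that limits requests per source MAC in a sliding window, and the MAC address check that drops a request whose chaddr differs from the frame's source MAC. Relayed requests (giaddr set) are exempt from the MAC check, which is exactly the restriction the guide states for networks with a relay agent. The frames, timings, MAC addresses and thresholds are constructed for the demonstration, not captured traffic.

```python
from collections import defaultdict, deque

# Constructed sample: (time in seconds, Ethernet source MAC, chaddr, giaddr). Not captured traffic.
LEGIT = [
    (0.00, "aabb-aabb-0001", "aabb-aabb-0001", "0.0.0.0"),
    (0.10, "aabb-aabb-0002", "aabb-aabb-0002", "0.0.0.0"),
]
# One attacker NIC sending a DISCOVER with a fresh forged chaddr every 50 ms.
ATTACK = [(0.20 + 0.05 * i, "dead-beef-0001", "0000-0000-%04x" % (0x1000 + i), "0.0.0.0")
          for i in range(12)]
# A relayed request: the source MAC is the relay agent's, so chaddr legitimately differs.
RELAYED = [(1.00, "0011-2233-44ff", "aabb-aabb-0003", "10.10.1.254")]
SAMPLE_FRAMES = LEGIT + ATTACK + RELAYED


def passes_mac_check(src_mac, chaddr, giaddr):
    """MAC address check: for a request that did not come through a relay agent, chaddr must
    equal the frame's source MAC. Relayed requests are exempt, which is why the guide says the
    check cannot be used when a relay agent sits between client and server."""
    if giaddr != "0.0.0.0":
        return True
    return src_mac.lower() == chaddr.lower()


class FloodMonitor:
    """Per-source-MAC sliding window; flags a source once it exceeds max_requests in window_s."""

    def __init__(self, window_s, max_requests):
        self.window_s = window_s
        self.max_requests = max_requests
        self.history = defaultdict(deque)

    def observe(self, ts, src_mac):
        q = self.history[src_mac.lower()]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        return len(q) > self.max_requests


def triage(frames, window_s=1.0, max_requests=5):
    """Apply flood protection first, then the MAC check; return what a server would act on."""
    monitor = FloodMonitor(window_s, max_requests)
    result = {"accepted": [], "dropped_mac_check": [], "flooding_sources": set()}
    for ts, src_mac, chaddr, giaddr in frames:
        if monitor.observe(ts, src_mac):
            result["flooding_sources"].add(src_mac)
            continue
        if not passes_mac_check(src_mac, chaddr, giaddr):
            result["dropped_mac_check"].append((src_mac, chaddr))
            continue
        result["accepted"].append(chaddr)
    result["flooding_sources"] = sorted(result["flooding_sources"])
    return result


if __name__ == "__main__":
    for name, value in triage(SAMPLE_FRAMES).items():
        print(name, value)
```

    With the sample input the first five forged frames are stopped by the MAC check and the rest by the rate limit, while the relayed request from the relay agent's MAC is accepted even though its chaddr differs. An attacker who also spoofs the Ethernet source MAC per request defeats the MAC check, which is why the guide pairs it with the MAC learning limit on the Layer 2 port.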
  • Page 130: Configure The Dhcp Server To Ignore Bootp Requests

    Step / Command / Remarks
    - Enter system view.
      Command: system-view
    - Enable the DHCP server to broadcast responses.
      Command: dhcp server always-broadcast
      Remarks: By default, the DHCP server reads the broadcast flag to decide whether to broadcast or unicast a response.
    Enabling the DHCP server to return a DHCP-NAK message upon client notions of incorrect IP addresses
    About returning a DHCP-NAK message upon client notions of incorrect IP addresses
    A DHCP client can send a DHCP-REQUEST message directly or upon receiving a DHCP-OFFER...
  • Page 131: Configuring The Dhcp Server To Send Bootp Responses In Rfc 1048 Format

    Configuring the DHCP server to send BOOTP responses in RFC 1048 format Not all BOOTP clients can send requests that are compatible with RFC 1048. By default, the DHCP server does not process the Vend field of RFC 1048-incompliant requests but copies the Vend field into responses.
  • Page 132: Configuring Dhcp Binding Auto Backup

    Configuring DHCP binding auto backup The auto backup feature saves bindings to a backup file and allows the DHCP server to download the bindings from the backup file at the server reboot. The bindings include the lease bindings and conflicted IP addresses. They cannot survive a reboot on the DHCP server. The DHCP server does not provide services during the download process.
  • Page 133: Advertising Subnets Assigned To Clients

    Figure 30 Network diagram
    If the address pool is applied to a VPN instance, the VPN instance must exist.
    To bind the gateways to the DHCP server's MAC address:
    - Enter system view.
      Command: system-view
    - Enter DHCP address pool view.
      Command: dhcp server ip-pool pool-name
      Remarks: By default, no DHCP address ...
  • Page 134: Enabling Client Offline Detection On The Dhcp Server

    Step / Command / Remarks
    - Enter system view.
      Command: system-view
    - Create a DHCP address pool and enter its view.
      Command: dhcp server ip-pool pool-name
      Remarks: By default, no DHCP address pool exists.
    - Advertise subnets assigned to DHCP clients.
      Command: network network-address [ mask-length | mask mask ] ...
      Remarks: By default, the subnets assigned to DHCP clients are ...
  • Page 135: Enabling Dhcp Logging On The Dhcp Server

    Step / Command / Remarks
    - Enable SNMP notifications for the DHCP server.
      Command: snmp-agent trap enable dhcp server [ address-exhaust | allocated-ip | ip-in-use ]
      Remarks: By default, SNMP notifications are enabled for the DHCP server.
    - (Optional.) Set the IP address allocation success rate ...
      Command: dhcp server allocated-ip ...
      Remarks: By default, no SNMP notification is sent for an IP ...
  • Page 136: Dhcp Server Configuration Examples

    Task / Command
    - Display information about assignable IP addresses.
      Command: display dhcp server free-ip [ pool pool-name | vpn-instance vpn-instance-name ]
    - Display information about assigned IP addresses.
      Command: display dhcp server ip-in-use [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]
  • Page 137: Example: Configuring Dynamic Ip Address Assignment

    [RouterA-GigabitEthernet1/0/1] ip address 10.1.1.1 25
    [RouterA-GigabitEthernet1/0/1] quit
    Configure the DHCP server:
    # Enable DHCP.
    [RouterA] dhcp enable
    # Enable the DHCP server on GigabitEthernet 1/0/1.
    [RouterA] interface gigabitethernet 1/0/1
    [RouterA-GigabitEthernet1/0/1] dhcp select server
    [RouterA-GigabitEthernet1/0/1] quit
    # Create DHCP address pool 0.
    [RouterA] dhcp server ip-pool 0
    # Configure a static binding for Router B.
  • Page 138 Table 6 Assignment scheme DHCP clients IP address Lease Other configuration parameters • Gateway: 10.1.1.126/25 Clients connected to • DNS server: 10.1.1.2/25 IP addresses on 10 days and 12 GigabitEthernet • subnet 10.1.1.0/25 hours Domain name: aabbcc.com 1/0/1 • WINS server: 10.1.1.4/25 •...
  • Page 139: Example: Configuring Dhcp User Class

    [RouterA-dhcp-pool-1] domain-name aabbcc.com
    [RouterA-dhcp-pool-1] dns-list 10.1.1.2
    [RouterA-dhcp-pool-1] gateway-list 10.1.1.126
    [RouterA-dhcp-pool-1] nbns-list 10.1.1.4
    [RouterA-dhcp-pool-1] quit
    # Configure DHCP address pool 2 to assign IP addresses and other configuration parameters to clients on subnet 10.1.1.128/25.
    [RouterA] dhcp server ip-pool 2
    [RouterA-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128
    [RouterA-dhcp-pool-2] expired day 5
    [RouterA-dhcp-pool-2] domain-name aabbcc.com
    [RouterA-dhcp-pool-2] dns-list 10.1.1.2...
  • Page 140 Assign IP addresses To clients 10.10.1.2 to 10.10.1.10 The DHCP request contains Option 82. The hardware address in the request is six bytes long and 10.10.1.11 to 10.10.1.26 begins with aabb-aabb-aab. Router B assigns the DNS server address 10.10.1.20/24 and the gateway address 10.10.1.254/24 to clients on subnet 10.10.1.0/24.
  • Page 141: Example: Configuring Dhcp User Class Whitelist

    # Specify the address range for dynamic allocation.
    [RouterB-dhcp-pool-aa] address range 10.10.1.2 10.10.1.100
    # Specify the address range for user class tt.
    [RouterB-dhcp-pool-aa] class tt range 10.10.1.2 10.10.1.10
    # Specify the address range for user class ss.
    [RouterB-dhcp-pool-aa] class ss range 10.10.1.11 10.10.1.26
    # Specify the gateway address and the DNS server address.
  • Page 142: Example: Configuring Primary And Secondary Subnets

    [RouterB-dhcp-class-ss] if-match rule 1 hardware-address aabb-aabb-0000 mask ffff-ffff-0000
    [RouterB-dhcp-class-ss] quit
    # Create DHCP address pool aa.
    [RouterB] dhcp server ip-pool aa
    # Specify the subnet for dynamic allocation.
    [RouterB-dhcp-pool-aa] network 10.1.1.0 mask 255.255.255.0
    # Enable the DHCP user class whitelist.
    [RouterB-dhcp-pool-aa] verify class
    # Add DHCP user class ss to the DHCP user class whitelist.
  • Page 143: Example: Customizing Dhcp Option

    Procedure
    # Enable DHCP.
    <RouterA> system-view
    [RouterA] dhcp enable
    # Configure the primary and secondary IP addresses of GigabitEthernet 1/0/1, and enable the DHCP server on GigabitEthernet 1/0/1.
    [RouterA] interface gigabitethernet 1/0/1
    [RouterA-GigabitEthernet1/0/1] ip address 10.1.1.1 24
    [RouterA-GigabitEthernet1/0/1] ip address 10.1.2.1 24 sub
    [RouterA-GigabitEthernet1/0/1] dhcp select server
    [RouterA-GigabitEthernet1/0/1] quit
    # Create DHCP address pool aa.
  • Page 144 Assign PXE addresses To clients 1.2.3.4 and 2.2.2.2. Other clients. The DHCP server assigns PXE server addresses to DHCP clients through Option 43, a custom option. The formats of Option 43 and PXE server address sub-option are shown in Figure 27 Figure 29.
  • Page 145: Example: Configuring Dhcp Server (Wlan Application)

    [RouterA-dhcp-pool-0] quit
    Verifying the configuration
    # Verify that Router B can obtain an IP address on subnet 10.1.1.0/24 and the corresponding PXE server addresses from Router A. (Details not shown.)
    # On the DHCP server, display the IP addresses assigned to the clients.
    [RouterA] display dhcp server ip-in-use
    IP address Client identifier/...
  • Page 146: Procedure

    Procedure
    Specify an IP address for GigabitEthernet 1/0/1 on the device.
    <Device> system-view
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] ip address 10.1.1.2 24
    [Device-GigabitEthernet1/0/1] quit
    Configure the DHCP server:
    # Enable DHCP.
    [Device] dhcp enable
    # Enable the DHCP server on GigabitEthernet 1/0/1.
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] dhcp select server
    [Device-GigabitEthernet1/0/1] quit...
  • Page 147 Disable the client's network adapter or disconnect the client's network cable. Ping the IP address of the client from another host to check whether there is a host using the same IP address. If a ping response is received, the IP address has been manually configured on a host. Execute the dhcp server forbidden-ip command on the DHCP server to exclude the IP address from dynamic allocation.
  • Page 148: Configuring The Dhcp Relay Agent

    Configuring the DHCP relay agent About DHCP relay agent The DHCP relay agent enables clients to get IP addresses and configuration parameters from a DHCP server on another subnet. Figure 39 shows a typical application of the DHCP relay agent. Figure 39 DHCP relay agent application DHCP relay agent operation The DHCP server and client interact with each other in the same way regardless of whether the relay...
  • Page 149: Dhcp Relay Agent Support For Option 82

    Figure 40 DHCP relay agent operation DHCP relay agent support for Option 82 Option 82 records the location information about the DHCP client. It enables the administrator to perform the following tasks: • Locate the DHCP client for security and accounting purposes. •...
  • Page 150: Dhcp Relay Agent Tasks At A Glance

    DHCP relay agent tasks at a glance Tasks at a glance (Required.) Enabling DHCP (Required.) Enabling the DHCP relay agent on an interface (Required.) Specifying DHCP servers (Optional.) Configuring the DHCP relay agent security features (Optional.) Configuring the DHCP relay agent to release an IP address (Optional.) Configuring Option 82 (Optional.)
  • Page 151: Specifying Dhcp Servers

    Specifying DHCP servers
    Specifying DHCP servers on a relay agent
    To improve availability, you can specify several DHCP servers on the DHCP relay agent. When the interface receives request messages from clients, the relay agent forwards them to all DHCP servers.
  • Page 152: Specifying The Dhcp Server Selecting Algorithm

    Procedure
    To configure a DHCP address pool on the DHCP relay agent:
    • Enter system view: system-view
    • Create a DHCP address pool and enter its view: dhcp server ip-pool pool-name. By default, no DHCP address pools exist.
    • Specify gateway addresses: gateway-list ip-address&<1-64>...
  • Page 153
    Specifying the DHCP server selecting algorithm in interface view
    • Enter system view: system-view
    • Enter interface view: interface interface-type interface-number
    • Enable the DHCP relay agent: dhcp select relay. By default, an interface operates in the DHCP server mode when DHCP is enabled.
  • Page 154: Configuring The Dhcp Relay Agent Security Features

    • 10. (Optional.) Enable the switchback to the master DHCP server and set the delay time: master-server switch-delay delay-time. By default, the DHCP relay agent does not switch back to the master DHCP server.
    Configuring the DHCP relay agent security features
    Restrictions and guidelines
    If you execute both the dhcp flood-protection enable and dhcp server check mac-address...
  • Page 155: Configuring Dhcp Flood Attack Protection

    • Enter system view: system-view
    • Enable periodic refresh of dynamic relay entries: dhcp relay client-information refresh enable. By default, periodic refresh of dynamic relay entries is enabled.
    • Set the refresh interval: dhcp relay client-information refresh ... By default, the refresh interval is auto, which is...
  • Page 156: Enabling Dhcp Server Proxy On The Dhcp Relay Agent

    Limit the number of ARP entries that a Layer 3 interface can learn.
    Set the MAC learning limit for a Layer 2 port, and disable unknown frame forwarding when the MAC learning limit is reached.
    • To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP relay agent.
  • Page 157: Enabling Client Offline Detection On The Dhcp Relay Agent

    Enabling client offline detection on the DHCP relay agent
    The client offline detection on the DHCP relay agent detects the user online status based on the ARP entry aging. When an ARP entry ages out, the DHCP client offline detection feature deletes the relay entry for the IP address and sends a RELEASE message to the DHCP server.
  • Page 158: Setting The Dscp Value For Dhcp Packets Sent By The Dhcp Relay Agent

    • Enter interface view: interface interface-type interface-number
    • Enable the relay agent to handle Option 82: dhcp relay information enable. By default, handling of Option 82 is disabled.
    • (Optional.) Configure the strategy ... By default, the handling strategy is replace. If the handling strategy is replace, configure a padding mode and a...
  • Page 159: Configuring Dhcp Packet Rate Limit On A Dhcp Relay Interface

    Configuring DHCP packet rate limit on a DHCP relay interface
    IMPORTANT: The feature is available only on the CSPEX cards.
    This feature enables the DHCP relay interface to discard DHCP packets that exceed the maximum rate.
    To configure DHCP packet rate limit:
    Step Command Remarks...
  • Page 160 The relay agent initially encapsulates its primary IP address to the giaddr field before forwarding a request to the DHCP server. If no DHCP-OFFER is received, the relay agent allows the client to send a maximum of two requests to the DHCP server by using the primary IP address. If no DHCP-OFFER is returned after two retries, the relay agent switches to a secondary IP address.
  • Page 161: Specifying The Source Ip Address For Dhcp Requests

    • Specify DHCP servers for the DHCP address pool: remote-server. By default, the DHCP address pool does not have any DHCP server IP addresses. You can specify a maximum of eight DHCP servers for one DHCP address pool for high availability.
  • Page 162: Configuring The Dhcp Relay Agent To Always Unicast Relayed Dhcp Responses

    • Specify the source IP address: dhcp relay source-address { ip-address [ option { 60 ... By default, the DHCP relay agent uses the primary IP address of the interface that connects to the DHCP server as the source IP address for DHCP requests. If this interface does not have an IP address, the DHCP relay agent uses an IP...
  • Page 163: Display And Maintenance Commands For Dhcp Relay Agent

    secondary gateway. Then, when the secondary gateway receives a DHCP reply, it resolves Option 82, records the VLAN ID of the L2VE subinterface, and forwards the reply to the PW.
    To configure forwarding DHCP replies based on Option 82:
    • Enter system view.
  • Page 164: Dhcp Relay Agent Configuration Examples

    DHCP relay agent configuration examples
    Example: Configuring basic DHCP relay agent
    Network configuration
    As shown in Figure 41, configure the DHCP relay agent on Router A. The DHCP relay agent enables DHCP clients to obtain IP addresses and other configuration parameters from the DHCP server on another subnet.
  • Page 165: Example: Configuring Option 82

    Example: Configuring Option 82
    Network configuration
    As shown in Figure 41, the DHCP relay agent (Router A) replaces Option 82 in DHCP requests before forwarding them to the DHCP server (Router B).
    • The Circuit ID sub-option is company001.
    • The Remote ID sub-option is device001.
  • Page 166
    Figure 42 Network diagram
    Procedure
    Assign IP addresses to interfaces on the routers. (Details not shown.)
    Configure Router B and Router C as DHCP servers. (Details not shown.)
    Configure the DHCP relay agent on Router A:
    # Enable DHCP.
    <RouterA> system-view
    [RouterA] dhcp enable
    # Enable the DHCP relay agent on GigabitEthernet 1/0/1.
  • Page 167: Troubleshooting Dhcp Relay Agent Configuration

    Troubleshooting DHCP relay agent configuration
    Failure of DHCP clients to obtain configuration parameters through the DHCP relay agent
    Symptom
    DHCP clients cannot obtain configuration parameters through the DHCP relay agent.
    Solution
    Some problems might occur with the DHCP relay agent or server configuration. To locate the problem, enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information.
  • Page 168: Configuring The Dhcp Client

    Configuring the DHCP client
    About DHCP client
    With DHCP client enabled, an interface uses DHCP to obtain configuration parameters from the DHCP server, for example, an IP address.
    Restrictions and guidelines: DHCP client configuration
    The DHCP client configuration is supported only on the Layer 3 Ethernet interfaces (or subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces on CSPEX (except CSPEX-1204) cards.
  • Page 169: Enabling Duplicated Address Detection

    • Use an ASCII string as the client ID. If an ASCII string is used, the type value is 00.
    • Use a hexadecimal number as the client ID. If a hexadecimal number is used, the type value is the first two characters in the number.
    •...
  • Page 170: Display And Maintenance Commands For Dhcp Client

    • Set the DSCP value for DHCP packets sent by the DHCP client: dhcp client dscp dscp-value. By default, the DSCP value in DHCP packets sent by the DHCP client is 56.
    Display and maintenance commands for DHCP client
    Execute display commands in any view.
  • Page 171
    Procedure
    Configure Router A:
    # Specify an IP address for GigabitEthernet 1/0/1.
    <RouterA> system-view
    [RouterA] interface gigabitethernet 1/0/1
    [RouterA-GigabitEthernet1/0/1] ip address 10.1.1.1 24
    [RouterA-GigabitEthernet1/0/1] quit
    # Enable DHCP.
    [RouterA] dhcp enable
    # Exclude an IP address from dynamic allocation.
    [RouterA] dhcp server forbidden-ip 10.1.1.2
    # Configure DHCP address pool 0.
  • Page 172
    Destinations : 11        Routes : 11
    Destination/Mask    Proto   Cost   NextHop      Interface
    10.1.1.0/24         Direct  0      10.1.1.3     GE1/0/1
    10.1.1.3/32         Direct  0      127.0.0.1    InLoop0
    20.1.1.0/24         Static  70     10.1.1.2     GE1/0/1
    10.1.1.255/32       Direct  0      10.1.1.3     GE1/0/1
    127.0.0.0/8         Direct  0      127.0.0.1    InLoop0
    127.0.0.0/32        Direct  0      127.0.0.1    InLoop0
    127.0.0.1/32        Direct  0...
  • Page 173: Configuring Dhcp Snooping

    Configuring DHCP snooping
    About DHCP snooping
    DHCP snooping is a security feature for DHCP. DHCP snooping works between the DHCP client and server, or between the DHCP client and DHCP relay agent. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes.
  • Page 174: Dhcp Snooping Support For Option 82

    Figure 45 Trusted and untrusted ports
    In a cascaded network as shown in Figure 46, configure the DHCP snooping devices' ports facing the DHCP server as trusted ports. To save system resources, you can enable only the untrusted ports directly connected to the DHCP clients to record DHCP snooping entries.
    Figure 46 Trusted and untrusted ports in a cascaded network
  • Page 175: Restrictions And Guidelines: Dhcp Snooping Configuration

    Table 8 Handling strategies (columns: If a DHCP request has…, Handling strategy, DHCP snooping…)
    If a DHCP request has Option 82:
    • Drop: Drops the message.
    • Keep: Forwards the message without changing Option 82.
    • Replace: Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format, padding content, and code type.
  • Page 176: Configuring Option 82

    • Enable DHCP snooping: dhcp snooping enable. By default, DHCP snooping is disabled.
    • Enter interface view: interface interface-type interface-number. This interface must connect to the DHCP server.
    • Specify the port as a trusted port: dhcp snooping trust. By default, all ports are untrusted ports after DHCP snooping is...
  • Page 177: Configuring Dhcp Snooping Entry Auto Backup

    • Enable DHCP snooping to support Option 82: dhcp snooping information enable. By default, DHCP snooping does not support Option 82.
    • (Optional.) Configure a handling strategy for DHCP requests that contain Option 82: dhcp snooping information strategy { drop | keep | replace }. By default, the handling strategy is replace.
  • Page 178: Enabling Dhcp Starvation Attack Protection

    • (Optional.) Set the waiting time after a DHCP snooping entry change for the DHCP ...: dhcp snooping binding database update interval ... The default waiting time is 300 seconds. When a DHCP snooping entry is learned, updated, or removed, the waiting period starts. The DHCP snooping device updates the backup file when the specified...
  • Page 179: Setting The Maximum Number Of Dhcp Snooping Entries

    Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for legitimate DHCP clients that still need the IP addresses. To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP snooping entries to check incoming DHCP-REQUEST messages. •...
  • Page 180: Enabling Dhcp Snooping Logging

    • Configure the port to block DHCP requests: dhcp snooping deny. By default, the port does not block DHCP requests.
    Enabling DHCP snooping logging
    The DHCP snooping logging feature enables the DHCP snooping device to generate DHCP snooping logs and send them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.
  • Page 181: Dhcp Snooping Configuration Examples

    DHCP snooping configuration examples
    Example: Configuring basic DHCP snooping
    Network configuration
    As shown in Figure 47, Switch B is connected to the authorized DHCP server through GigabitEthernet 1/0/1, to the unauthorized DHCP server through GigabitEthernet 1/0/3, and to the DHCP client through GigabitEthernet 1/0/2. Configure only the port connected to the authorized DHCP server to forward the responses from the DHCP server.
  • Page 182: Example: Configuring Dhcp Snooping Support For Option 82

    Example: Configuring DHCP snooping support for Option 82
    Network configuration
    As shown in Figure 48, enable DHCP snooping and configure Option 82 on Switch B as follows:
    • Configure the handling strategy for DHCP requests that contain Option 82 as replace.
    •...
  • Page 183
    Verifying the configuration
    # Display Option 82 configuration information on GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 on the DHCP snooping device.
    [SwitchB] display dhcp snooping information...
  • Page 184: Configuring The Bootp Client

    Configuring the BOOTP client
    About BOOTP client
    BOOTP application
    An interface that acts as a BOOTP client can use BOOTP to obtain information (such as IP address) from the BOOTP server. To use BOOTP, an administrator must configure a BOOTP parameter file for each BOOTP client on the BOOTP server.
  • Page 185: Display And Maintenance Commands For Bootp Client

    • Configure an interface to use BOOTP for IP address acquisition: ip address bootp-alloc. By default, an interface does not use BOOTP for IP address acquisition.
    Display and maintenance commands for BOOTP client
    Execute display commands in any view.
    Task Command
    display bootp client [ interface interface-type...
  • Page 186: Dhcpv6 Overview

    DHCPv6 overview
    DHCPv6 provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts.
    DHCPv6 address/prefix assignment
    An address/prefix assignment process involves two or four messages.
    Rapid assignment involving two messages
    As shown in Figure 49, rapid assignment operates in the following steps:
    The DHCPv6 client sends to the DHCPv6 server a Solicit message that contains a Rapid Commit option to prefer rapid assignment.
  • Page 187: Address/Prefix Lease Renewal

    Figure 50 Assignment involving four messages
    Address/prefix lease renewal
    An IPv6 address/prefix assigned by a DHCPv6 server has a valid lifetime. After the valid lifetime expires, the DHCPv6 client cannot use the IPv6 address/prefix. To use the IPv6 address/prefix, the DHCPv6 client must renew the lease time.
  • Page 188: Stateless Dhcpv6

    Stateless DHCPv6
    Stateless DHCPv6 enables a device that has obtained an IPv6 address/prefix to get other configuration parameters from a DHCPv6 server. The device performs stateless DHCPv6 if an RA message with the following flags is received from the router during stateless address autoconfiguration:
    •...
  • Page 189: Option 37

    Figure 54 Option 18 format
    Figure 54 shows the Option 18 format, which includes the following fields:
    • Option code—Option code. The value is 18.
    • Option length—Size of the option data.
    • Port index—Port that receives the DHCPv6 request from the client.
    •...
  • Page 190: Protocols And Standards

    Protocols and standards
    • RFC 3736, Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6
    • RFC 3315, Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
    • RFC 2462, IPv6 Stateless Address Autoconfiguration
    • RFC 3633, IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6...
  • Page 191: Configuring The Dhcpv6 Server

    Configuring the DHCPv6 server
    About DHCPv6 server
    A DHCPv6 server can assign IPv6 addresses, IPv6 prefixes, and other configuration parameters to DHCPv6 clients.
    IPv6 address assignment
    As shown in Figure 56, the DHCPv6 server assigns IPv6 addresses, domain name suffixes, DNS server addresses, and other configuration parameters to DHCPv6 clients.
  • Page 192: Concepts

    Concepts
    Multicast addresses used by DHCPv6
    DHCPv6 uses the multicast address FF05::1:3 to identify all site-local DHCPv6 servers. It uses the multicast address FF02::1:2 to identify all link-local DHCPv6 servers and relay agents.
    DUID
    A DHCP unique identifier (DUID) uniquely identifies a DHCPv6 device (DHCPv6 client, server, or relay agent).
  • Page 193: Ipv6 Address/Prefix Allocation Sequence

    Address allocation mechanisms
    DHCPv6 supports the following address allocation mechanisms:
    • Static address allocation—To implement static address allocation for a client, create a DHCPv6 address pool, and manually bind the DUID and IAID of the client to an IPv6 address in the DHCPv6 address pool.
  • Page 194: Dhcpv6 Server Tasks At A Glance

    IPv6 address/prefix statically bound to the client's DUID and IAID.
    IPv6 address/prefix statically bound to the client's DUID and expected by the client.
    IPv6 address/prefix statically bound to the client's DUID.
    IPv6 address/prefix that was ever assigned to the client.
    Assignable IPv6 address/prefix in the address pool/prefix pool expected by the client.
  • Page 195
    Restrictions and guidelines
    When you configure IPv6 prefix assignment, follow these restrictions and guidelines:
    • An IPv6 prefix can be bound to only one DHCPv6 client. You cannot modify bindings that have been created. To change the binding for a DHCPv6 client, you must delete the existing binding first.
  • Page 196: Configuring Ipv6 Address Assignment

    • Configure static prefix assignment, dynamic ... By default, static or dynamic prefix assignment is not configured for an address pool.
      • Configure a static prefix binding: static-bind prefix prefix/prefix-len duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
      •...
  • Page 197: Configuring Network Parameters Assignment

    • Enter system view: system-view
    • (Optional.) Specify the IPv6 addresses excluded from dynamic assignment: ipv6 dhcp server forbidden-address start-ipv6-address [ end-ipv6-address ]. By default, all IPv6 addresses except for the DHCPv6 server's IP address in a DHCPv6 address pool are assignable. If the excluded IPv6 address is in...
  • Page 198: Configuring Network Parameters In A Dhcpv6 Address Pool

    • Configure network parameters in a DHCPv6 option group, and specify the option group for a DHCPv6 address pool.
    Network parameters configured in a DHCPv6 address pool take precedence over those configured in a DHCPv6 option group.
    Configuring network parameters in a DHCPv6 address pool
    Step Command Remarks...
  • Page 199: Configuring A Dhcpv6 Policy For Ipv6 Address And Prefix Assignment

    • Specify a SIP server address or domain name: sip-server { address ipv6-address | domain-name domain-name }. By default, no SIP server address or domain name is specified.
    • Configure a self-defined DHCPv6 option: option code hex hex-string. By default, no self-defined DHCPv6 option is...
  • Page 200: Configuring The Dhcpv6 Server On An Interface

    • Return to system view: quit
    • Create a DHCPv6 policy and enter DHCPv6 policy view: ipv6 dhcp policy policy-name. By default, no DHCPv6 policies exist.
    • Specify a DHCPv6 address pool for a DHCPv6 user class: class class-name pool pool-name. By default, no address pool is...
  • Page 201: Allocating Different Ipv6 Addresses To Dhcpv6 Clients With The Same Mac

    • Enable the DHCPv6 server on the interface: ipv6 dhcp select server. By default, the interface discards DHCPv6 packets from DHCPv6 clients.
    • Configure an address/prefix assignment and... By default, desired...
      • Configure global address assignment: ipv6 dhcp server { allow-hint | preference preference-value | rapid-commit } *
  • Page 202: Configuring Dhcpv6 Binding Auto Backup

    To set the DSCP value for DHCPv6 packets sent by the DHCPv6 server:
    • Enter system view: system-view
    • Set the DSCP value for DHCPv6 packets sent by the DHCPv6 server: ipv6 dhcp dscp dscp-value. By default, the DSCP value in DHCPv6 packets sent by the DHCPv6 server is...
  • Page 203: Applying A Dhcpv6 Address Pool To A Vpn Instance

    Figure 59 Network diagram
    If the address pool is applied to a VPN instance, the VPN instance must exist.
    To configure the subnet advertisement feature:
    • Enter system view: system-view
    • Create an address pool and enter its view: ipv6 dhcp pool pool-name. By default, no DHCPv6 address...
  • Page 204: Configuring The Dhcpv6 Server Security Features

    • Enter system view: system-view
    • Create an address pool and enter its view: ipv6 dhcp pool pool-name. By default, no DHCPv6 address pools exist.
    • Apply the address pool to a VPN instance: vpn-instance vpn-instance-name. By default, the address pool is not applied to any VPN instance.
  • Page 205: Enabling The Dhcpv6 Server To Advertise Ipv6 Prefixes

    Enabling the DHCPv6 server to advertise IPv6 prefixes
    A DHCPv6 client can obtain an IPv6 prefix through DHCPv6 and use this IPv6 prefix to assign IPv6 addresses for clients in a downstream network. If the IPv6 prefix is in a different subnet than the IPv6 address of the DHCPv6 client's upstream interface, the clients in the downstream network cannot access the external network.
  • Page 206: Dhcpv6 Server Configuration Examples

    • Display DHCPv6 server information on an interface: display ipv6 dhcp server [ interface interface-type interface-number ]
    • Display information about IPv6 address conflicts: display ipv6 dhcp server conflict [ address ipv6-address ] [ vpn-instance vpn-instance-name ]
    • Display information about DHCPv6 binding auto backup: display ipv6 dhcp server database
    • Display information about expired IPv6...
  • Page 207
    Figure 60 Network diagram
    Procedure
    # Specify an IPv6 address for GigabitEthernet 1/0/1.
    <Router> system-view
    [Router] interface gigabitethernet 1/0/1
    [Router-GigabitEthernet1/0/1] ipv6 address 1::1/64
    # Disable RA message suppression on GigabitEthernet 1/0/1.
    [Router-GigabitEthernet1/0/1] undo ipv6 nd ra halt
    # Set the M flag to 1 in RA advertisements to be sent on GigabitEthernet 1/0/1. Hosts that receive the advertisements will obtain IPv6 addresses through DHCPv6.
  • Page 208
    [Router-dhcp6-pool-1] sip-server domain-name bbb.com
    [Router-dhcp6-pool-1] quit
    # Enable the DHCPv6 server on GigabitEthernet 1/0/1, enable desired prefix assignment and rapid prefix assignment, and set the preference to the highest.
    [Router] interface gigabitethernet 1/0/1
    [Router-GigabitEthernet1/0/1] ipv6 dhcp select server
    [Router-GigabitEthernet1/0/1] ipv6 dhcp server allow-hint preference 255 rapid-commit
    Verifying the configuration
    # Display the DHCPv6 server configuration on GigabitEthernet 1/0/1.
  • Page 209: Example: Configuring Dynamic Ipv6 Address Assignment

    2001:410:201::/48    Static(C)  Jul 10 19:45:01 2009
    # After the other client obtains an IPv6 prefix, display the binding information on the DHCPv6 server.
    [Router-GigabitEthernet1/0/1] display ipv6 dhcp server pd-in-use
    Pool: 1
    IPv6 prefix          Type       Lease expiration
    2001:410:201::/48    Static(C)  Jul 10 19:45:01 2009
    2001:410::/48        Auto(C)    Jul 10 20:44:05 2009...
  • Page 210
    # Specify an IPv6 address for GigabitEthernet 1/0/2.
    [RouterA] interface gigabitethernet 1/0/2
    [RouterA-GigabitEthernet1/0/2] ipv6 address 1::2:0:0:1/96
    # Disable RA message suppression on GigabitEthernet 1/0/2.
    [RouterA-GigabitEthernet1/0/2] undo ipv6 nd ra halt
    # Set the M flag to 1 in RA advertisements to be sent on GigabitEthernet 1/0/2. Hosts that receive the advertisements will obtain IPv6 addresses through DHCPv6.
  • Page 211: Configuring The Dhcpv6 Relay Agent

    Configuring the DHCPv6 relay agent
    About DHCPv6 relay agent
    Typical application
    A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 62, if the DHCPv6 server resides on another subnet, the DHCPv6 clients need a DHCPv6 relay agent to contact the...
  • Page 212: Dhcpv6 Relay Agent Tasks At A Glance

    Figure 63 Operating process of a DHCPv6 relay agent (DHCPv6 client, DHCPv6 relay agent, DHCPv6 server): (1) Solicit (contains a Rapid Commit option), (2) Relay-forward, (3) Relay-reply, (4) Reply
    DHCPv6 relay agent tasks at a glance
    Tasks at a glance
    (Required.) Enabling the DHCPv6 relay agent on an interface
    (Required.) Specifying DHCPv6 servers on the relay agent...
  • Page 213: Specifying Dhcpv6 Servers For A Dhcpv6 Address Pool On The Dhcpv6 Relay Agent

    To specify a DHCPv6 server on a relay agent:
    • Enter system view: system-view
    • Enter interface view: interface interface-type interface-number
    • Specify a DHCPv6 server: ipv6 dhcp relay server-address ... By default, no DHCPv6 server is specified. If a DHCPv6 server address is a link-local address or multicast...
  • Page 214: Specifying A Gateway Address For Dhcpv6 Clients

    • Specify gateway addresses for the clients matching the DHCPv6 address pool: gateway-list ipv6-address&<1-8>. By default, no gateway address is specified.
    • Specify DHCPv6 servers for the DHCPv6 address pool: remote-server ipv6-address [ interface interface-type... By default, no DHCPv6 server is specified for the DHCPv6 address pool. You can specify a maximum of eight...
  • Page 215: Specifying A Padding Mode For The Interface-Id Option

    Specifying a padding mode for the Interface-ID option
    This feature enables the relay agent to fill the Interface-ID option in the specified mode. When receiving a DHCPv6 packet from a client, the relay agent fills the Interface-ID option in the mode and then forwards the packet to the DHCPv6 server.
  • Page 216: Enabling Client Offline Detection

    • Enter system view: system-view
    • Enter interface view: interface interface-type interface-number
    • Enable IPv6 release notification: ipv6 dhcp relay release-agent. By default, IPv6 release notification is disabled.
    Enabling client offline detection
    This feature enables the DHCPv6 relay agent to detect the status of ND entries. After an ND entry ages out, the DHCPv6 relay agent considers the client offline and deletes the relay entry for the client.
  • Page 217: Enabling The Dhcpv6 Relay Agent To Advertise Ipv6 Prefixes

    Enabling the DHCPv6 relay agent to advertise IPv6 prefixes
    A DHCPv6 client can obtain an IPv6 prefix through DHCPv6 and use this IPv6 prefix to assign IPv6 addresses to clients in a downstream network. If the IPv6 prefix is in a different subnet than the IPv6 address of the DHCPv6 client's upstream interface, the clients in the downstream network cannot access the external network.
  • Page 218: Dhcpv6 Relay Agent Configuration Examples

    DHCPv6 relay agent configuration examples
    Example: Configuring DHCPv6 relay agent
    Network configuration
    As shown in Figure 64, configure the DHCPv6 relay agent on Router A to relay DHCPv6 packets between DHCPv6 clients and the DHCPv6 server. Router A acts as the gateway of network 1::/64. It sends RA messages to notify the hosts to obtain IPv6 addresses and other configuration parameters through DHCPv6.
  • Page 219
    [RouterA-GigabitEthernet1/0/1] display ipv6 dhcp relay server-address
    Interface: GigabitEthernet1/0/1
    Server address        Outgoing Interface
    2::2
    # Display packet statistics on the DHCPv6 relay agent.
    [RouterA-GigabitEthernet1/0/1] display ipv6 dhcp relay statistics
    Packets dropped
    Packets received
      Solicit
      Request
      Confirm
      Renew
      Rebind
      Release
      Decline
      Information-request
      Relay-forward
      Relay-reply
    Packets sent...
  • Page 220: Configuring Dhcpv6 Snooping

    Configuring DHCPv6 snooping
    About DHCPv6 snooping
    DHCPv6 snooping guarantees that DHCPv6 clients obtain IP addresses from authorized DHCPv6 servers. Also, it records IP-to-MAC bindings of DHCPv6 clients (called DHCPv6 snooping entries) for security purposes. DHCPv6 snooping defines trusted and untrusted ports to make sure that clients obtain IPv6 addresses only from authorized DHCPv6 servers.
  • Page 221: Restrictions And Guidelines: Dhcpv6 Snooping Configuration

    Restrictions and guidelines: DHCPv6 snooping configuration
    DHCPv6 snooping works between the DHCPv6 client and server, or between the DHCPv6 client and DHCPv6 relay agent. DHCPv6 snooping does not work between the DHCPv6 server and DHCPv6 relay agent.
    DHCPv6 snooping tasks at a glance
    Tasks at a glance
    (Required.) Configuring basic DHCPv6 snooping...
  • Page 222: Configuring Support For Option 18

    • Enter interface view: interface interface-type interface-number. This interface must connect to the DHCPv6 client.
    • (Optional.) Enable recording of client information in DHCPv6 snooping entries: ipv6 dhcp snooping binding record. By default, DHCPv6 snooping does not record client information.
    Configuring support for Option 18
    Step Command...
  • Page 223: Setting The Maximum Number Of Dhcpv6 Snooping Entries

    • Enter system view: system-view
    • Configure the DHCPv6 snooping device to back up DHCPv6 snooping ...: ipv6 dhcp snooping binding database filename { filename | url url [ username username ... By default, the DHCPv6 snooping device does not back up the DHCPv6 snooping entries. With this command executed, the DHCPv6 snooping device backs up DHCPv6 snooping...
  • Page 224: Configuring A Dhcpv6 Packet Blocking Port

    The DHCPv6-REQUEST check feature enables the DHCPv6 snooping device to check every received DHCPv6-RENEW, DHCPv6-DECLINE, or DHCPv6-RELEASE message against DHCPv6 snooping entries.
    • If any criterion in an entry is matched, the device compares the entry with the message information. If they are consistent, the device considers the message valid and forwards it to the DHCPv6 server.
  • Page 225: Display And Maintenance Commands For Dhcpv6 Snooping

    Display and maintenance commands for DHCPv6 snooping
    Execute display commands in any view, and reset commands in user view.
    • Display information about trusted ports: display ipv6 dhcp snooping trust
    • Display DHCPv6 snooping entries: display ipv6 dhcp snooping binding [ address ipv6-address [ vlan vlan-id ] ]
    • Display information about the file that stores DHCPv6 ...: display ipv6 dhcp snooping binding database...
  • Page 226: Procedure

    Figure 66 Network diagram
    Procedure
    # Enable DHCPv6 snooping.
    <SwitchB> system-view
    [SwitchB] ipv6 dhcp snooping enable
    # Specify GigabitEthernet 1/0/1 as a trusted port.
    [SwitchB] interface gigabitethernet 1/0/1
    [SwitchB-GigabitEthernet1/0/1] ipv6 dhcp snooping trust
    [SwitchB-GigabitEthernet1/0/1] quit
    # Enable the recording of DHCPv6 snooping entries on GigabitEthernet 1/0/2.
    [SwitchB] interface gigabitethernet 1/0/2
    [SwitchB-GigabitEthernet1/0/2] ipv6 dhcp snooping binding record
    [SwitchB-GigabitEthernet1/0/2] quit...
  • Page 227: Configuring Mac Authentication

    Configuring MAC authentication
    About MAC authentication
    MAC authentication controls network access by authenticating source MAC addresses on a port. The feature does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port.
  • Page 228: Authentication Methods

    Authentication methods
    You can perform MAC authentication on the access device (local authentication) or through a RADIUS server. For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA."
    Local authentication
    If MAC-based accounts are used, the access device uses the source MAC address of the packet as the username and password to search the local account database for a match.
  • Page 229
    Table 9 VLAN manipulation (columns: Port type, VLAN manipulation)
    • If the port is assigned to the authorization VLAN as an untagged member, the device assigns the port to the first authenticated user's authorization VLAN. The authorization VLAN becomes the PVID. All MAC authentication users on the port must be assigned the same authorization VLAN.
  • Page 230: Acl Assignment

    is not assigned to the critical VLAN. For more information about the authentication methods, see "Configuring AAA."
    Table 11 shows the way that the network access device handles critical VLANs for MAC authentication users.
    Table 11 VLAN manipulation (columns: Authentication status, VLAN manipulation)
    The device maps the MAC address of the user to the MAC authentication critical VLAN.
  • Page 231: Periodic Mac Reauthentication

    For more information about user profiles, see BRAS Services Configuration Guide. Periodic MAC reauthentication Periodic MAC reauthentication tracks the connection status of online users, and updates the authorization attributes assigned by the RADIUS server. The attributes include the ACL and VLAN. The device reauthenticates an online MAC authentication user periodically only after it receives the termination action Radius-request from the authentication server for this user.
  • Page 232: Prerequisites For Mac Authentication

    Prerequisites for MAC authentication Before you configure MAC authentication, configure an ISP domain and specify an AAA method. For more information, see "Configuring AAA." • For local authentication, you must also create local user accounts (including usernames and passwords) and specify the lan-access service for local users. •...
  • Page 233: Configuring The User Account Format

    Step: Specify an authentication domain for MAC authentication users. Command: In system view: mac-authentication domain domain-name. In interface view: a. interface interface-type interface-number; b. mac-authentication domain domain-name. Remarks: By default, the system default authentication domain is used for MAC authentication users.
    Configuring the user account format
    Step...
  • Page 234: Enabling Mac Authentication Offline Detection

    Step: Enter system view. Command: system-view
    Step: Configure MAC authentication timers. Command: mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value } Remarks: By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.
  • Page 235: Configuring Mac Authentication Delay

    nor reauthenticates the user. The device creates a new MAC-VLAN mapping for the user, and traffic transmission is not interrupted. The original MAC-VLAN mapping for the user remains on the device until it dynamically ages out. As a best practice, configure this feature on hybrid or trunk ports. This feature improves transmission of data that is vulnerable to delay and interference.
  • Page 236: Prerequisites

    Prerequisites Before you configure the MAC authentication guest VLAN on a port, complete the following tasks: • Create the VLAN to be specified as the MAC authentication guest VLAN. • Configure the port as a hybrid port, and configure the VLAN as an untagged member on the port.
  • Page 237: Prerequisites

    Prerequisites Before you configure the MAC authentication critical VLAN on a port, complete the following tasks: • Create the VLAN to be specified as the MAC authentication critical VLAN. • Configure the port as a hybrid port, and configure the VLAN as an untagged member on the port.
  • Page 238: Including User Ip Addresses In Mac Authentication Requests

    Including user IP addresses in MAC authentication requests About the feature of including user IP addresses in MAC authentication requests This feature enables the device to add user IP addresses to the MAC authentication requests that are sent to an IMC server. Upon receiving an authentication request, the IMC server compares the user IP and MAC addresses in the request with its local IP-MAC mapping of the user.
  • Page 239: Mac Authentication Configuration Examples

    Task: Display MAC authentication information. Command: display mac-authentication [ interface interface-type interface-number ]
    Task: (In standalone mode.) Display MAC authentication connections. Command: display mac-authentication connection [ interface interface-type interface-number | slot slot-number | user-mac mac-address | user-name user-name ]
    Task: (In IRF mode.) Display MAC authentication connections. Command: display mac-authentication connection [ chassis chassis-number slot slot-number | interface...
  • Page 240
    # Specify the LAN access service for the user.
    [Device-luser-network-00-e0-fc-12-34-56] service-type lan-access
    [Device-luser-network-00-e0-fc-12-34-56] quit
    # Configure ISP domain bbb to perform local authentication for LAN users.
    [Device] domain bbb
    [Device-isp-bbb] authentication lan-access local
    [Device-isp-bbb] quit
    # Enable MAC authentication on GigabitEthernet 1/0/1.
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] mac-authentication
    [Device-GigabitEthernet1/0/1] quit...
  • Page 241: Example: Configuring Radius-Based Mac Authentication

    Host mode : Single VLAN
    Offline detection : Enabled
    Max online users : 4294967295
    Authentication attempts : successful 1, failed 0
    Current online users
    MAC address Auth state
    00e0-fc12-3456 Authenticated
    The output shows that Host A has passed MAC authentication and has come online. Host B failed MAC authentication and its MAC address is marked as a silent MAC address.
  • Page 242
    [Device-radius-2000] key accounting simple abc
    [Device-radius-2000] user-name-format without-domain
    [Device-radius-2000] quit
    # Apply the RADIUS scheme to ISP domain bbb for authentication, authorization, and accounting.
    [Device] domain bbb
    [Device-isp-bbb] authentication default radius-scheme 2000
    [Device-isp-bbb] authorization default radius-scheme 2000
    [Device-isp-bbb] accounting default radius-scheme 2000
    [Device-isp-bbb] quit
    # Enable MAC authentication on GigabitEthernet 1/0/1.
  • Page 243: Example: Configuring Acl Assignment For Mac Authentication

    Guest VLAN auth-period : 30 s
    Critical VLAN : Not configured
    Host mode : Single VLAN
    Offline detection : Enabled
    Max online users : 4294967295
    Authentication attempts : successful 1, failed 0
    Current online users
    MAC address Auth state
    00e0-fc12-3456 Authenticated
    Example: Configuring ACL assignment for MAC authentication...
  • Page 244
    [Device-radius-2000] key accounting simple abc
    [Device-radius-2000] user-name-format without-domain
    [Device-radius-2000] quit
    # Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting.
    [Device] domain bbb
    [Device-isp-bbb] authentication default radius-scheme 2000
    [Device-isp-bbb] authorization default radius-scheme 2000
    [Device-isp-bbb] accounting default radius-scheme 2000
    [Device-isp-bbb] quit
    # Specify the ISP domain for MAC authentication.
  • Page 245
    Guest VLAN : Not configured
    Guest VLAN auth-period : 30 s
    Critical VLAN : Not configured
    Host mode : Single VLAN
    Offline detection : Enabled
    Max online users : 4294967295
    Authentication attempts : successful 1, failed 0
    Current online users
    MAC address Auth state
    00e0-fc12-3456...
  • Page 246: Configuring Ppp

    Configuring PPP About PPP Point-to-Point Protocol (PPP) is a point-to-point link layer protocol. It provides user authentication, supports synchronous/asynchronous communication, and allows for easy extension. PPP protocols PPP includes the following protocols: • Link control protocol (LCP)—Establishes, tears down, and monitors data links. •...
  • Page 247: Ppp Authentication

    If a network layer protocol is configured, the PPP link enters the Network-Layer Protocol phase for NCP negotiation, such as IPCP negotiation and IPv6CP negotiation. If the NCP negotiation succeeds, the link goes up and becomes ready to carry negotiated network-layer protocol packets.
  • Page 248: Ppp For Ipv6

    IP address negotiation IP address negotiation enables one end to assign an IP address to the other. An interface can act as a client or a server during IP address negotiation: • Client—Obtains an IP address from the server. Use the client mode when the device accesses the Internet through an ISP.
  • Page 249: Protocols And Standards

    The device can assign a host an IPv6 address in either of the following ways: • When the host connects to the device directly or through a bridge device, the device can use method 1 or method 2. • When the host accesses the device through a router, the device can use method 3 to assign an IPv6 prefix to the router.
  • Page 250: Configuring Ppp Authentication

    Step: Create a VT interface and enter its view, or enter the view of an existing VT interface. Command: interface virtual-template number
    Step: (Optional.) Configure the description of the interface. Command: description text Remarks: By default, the description for a VT interface is interface name Interface (for example, Virtual-Template1 Interface)...
  • Page 251: Configuring Chap Authentication (Authenticator Name Is Configured)

    Step: Enter interface view. Command: interface interface-type interface-number
    Step: Configure the PAP username and password sent from the peer to the authenticator. Command: ppp pap local-user username... Remarks: By default, when being authenticated by the authenticator by using PAP, the peer sends null username and password to the authenticator.
  • Page 252: Configuring Chap Authentication (Authenticator Name Is Not Configured)

    Step: Configure a username for the CHAP peer. Command: ppp chap user username Remarks: The default setting is null. The username you configure for the peer here must be the same as the local username you configure for the peer on the authenticator. For local AAA authentication, the username and password of the authenticator must be configured...
  • Page 253: Configuring Ms-Chap Or Ms-Chap-V2 Authentication

    Step: Configure a username for the CHAP peer. Command: ppp chap user username Remarks: The default setting is null. The username you configure on the peer must be the same as the local username you configure for the peer on the authenticator.
    Remarks: The default setting is null.
  • Page 254: Configuring The Polling Feature

    Configuring MS-CHAP or MS-CHAP-V2 authentication (authenticator name is not configured)
    Step: Enter system view. Command: system-view
    Step: Enter interface view. Command: interface interface-type interface-number
    Step: Configure the authenticator to authenticate the peer by using MS-CHAP or MS-CHAP-V2. Command: ppp authentication-mode { ms-chap | ms-chap-v2 } [ domain { isp-name |... Remarks: By default, PPP authentication is disabled.
  • Page 255: Enabling Fast Reply For Keepalive Packets

    Enabling fast reply for keepalive packets This feature allows the hardware to automatically identify and reply to incoming keepalive requests, which can prevent DDoS attacks. This feature is only supported by CSPEX cards (except CSPEX-1204). To enable fast reply for keepalive packets: Step Command Remarks...
  • Page 256: Configuring Ip Address Negotiation On The Client

    Step: (Optional.) Set the LCP negotiation delay timer. Command: ppp lcp delay milliseconds Remarks: By default, PPP starts LCP negotiation immediately after the physical layer comes up.
    Configuring IP address negotiation on the client
    Step: Enter system view. Command: system-view
    Step: Enter interface view. Command: interface interface-type...
  • Page 257
    Specifying a PPP address pool on the server interface
    Step: Enter system view. Command: system-view
    Step: Configure a PPP address pool. Command: ip pool pool-name start-ip-address [ end-ip-address ] [ group group-name ] Remarks: By default, no PPP address pool is configured.
    Step: (Optional.) Enable new IP... Command: ip pool pool-name... Remarks: By default, new IP address...
  • Page 258
    Step: Configure the interface to assign an IP address from the configured DHCP address pool to the peer. Command: remote address pool pool-name Remarks: By default, an interface does not assign an IP address to the peer.
    Step: Configure an IP address for the interface. Command: ip address ip-address... Remarks: By default, no IP address is...
  • Page 259: Enabling Ip Segment Match

    Step: • If the server acts as a DHCP server, perform the following tasks: Configure the DHCP server. Configure a DHCP address pool on the server. • If the server acts as a DHCP relay agent, perform the... Remarks: For information, see "Configuring the DHCP server"...
  • Page 260: Configuring Dns Server Ip Address Negotiation On The Client

    Step: Enter interface view. Command: interface interface-type interface-number
    Step: Enable IP segment match. Command: ppp ipcp remote-address match Remarks: By default, this feature is disabled.
    Configuring DNS server IP address negotiation on the client
    During PPP negotiation, the server will assign a DNS server IP address only for a client configured with the ppp ipcp dns request command.
  • Page 261: Enabling Logging For Ppp Users

    Step: Enter system view. Command: system-view
    Step: Enter interface view. Command: interface interface-type interface-number
    Step: Enable PPP accounting. Command: ppp account-statistics enable [ acl { acl-number | name acl-name } ] Remarks: By default, PPP accounting is disabled.
    Enabling logging for PPP users
    The PPP user logging feature enables the device to generate PPP logs and send them to the information center.
  • Page 262: Enabling Ppp User Blocking

    Enabling PPP user blocking About PPP user blocking This feature blocks a PPP user for a period if the user fails authentication consecutively for the specified number of times within the detection period. This feature helps prevent unauthorized users from obtaining the password by exhaustive (brute-force) guessing, and reduces the number of authentication packets sent to the authentication server.
  • Page 263: Suppressing Adding Ppp Peer Host Routes To The Local Direct Route Table

    Suppressing adding PPP peer host routes to the local direct route table By default, PPP automatically adds the peer host routes to the local direct route table after the PPP link negotiation succeeds. The PPP links do not strictly require that the peer routes and local routes are on the same network segment.
  • Page 264
    Task: Display information about VT interfaces. Command: display interface [ virtual-template [ interface-number ] ] [ brief [ description | down ] ]
    Task: (In standalone mode.) Display information... Command: display ppp access-user { domain domain-name [ count | verbose ] | interface interface-type interface-number [ count | verbose ] | ip-address ipv4-address | ipv6-address ipv6-address | ip-type { ipv4 | ipv6 | dual-stack } [ count | verbose ] | mac-address...
  • Page 265
    Task: (In IRF mode.) Log off a PPP user. Command: reset ppp access-user { domain domain-name | interface interface-type interface-number | ip-address ipv4-address [ vpn-instance ipv4-vpn-instance-name ] | ipv6-address ipv6-address [ vpn-instance ipv6-vpn-instance-name ] | ip-type { ipv4 | ipv6 | dual-stack } | mac-address mac-address | pool pool-name | s-vlan svlan-minimum [ svlan-maximum ] [ c-vlan cvlan-minimum [ cvlan-maximum ] ] | username...
  • Page 266: Configuring L2Tp

    Configuring L2TP About L2TP The Layer 2 Tunneling Protocol (L2TP) is a Virtual Private Dialup Network (VPDN) tunneling protocol. L2TP sets up point-to-point tunnels across a public network (for example, the Internet) and transmits encapsulated PPP frames (L2TP packets) over the tunnels. With L2TP, remote users can access the private networks through L2TP tunnels after connecting to a public network by using PPP.
  • Page 267: L2Tp Tunnel And Session

    • Control messages—Used to establish, maintain, and delete L2TP tunnels and sessions. Control messages are transmitted over a reliable control channel, which supports flow control and congestion control. • Data messages—Used to encapsulate PPP frames, as shown in Figure 74. Data messages are transmitted over an unreliable data channel and are not retransmitted when packet loss occurs.
  • Page 268 • The remote system only needs to support PPP, and it does not need to support L2TP. • Authentication and accounting of the remote system can be implemented on the LAC or LNS. Figure 77 NAS-initiated tunnel establishment process (diagram labels: Remote system, RADIUS server A, RADIUS server B, Host A...)
  • Page 269 In steps 12 and 13, the LAC forwards packets for the remote system and LNS. Host A and LAC exchange PPP frames, and the LAC and LNS exchange L2TP packets. Client-initiated tunneling mode As shown in Figure 78, a remote system running L2TP (LAC client) has a public IP address to communicate with the LNS through the Internet.
  • Page 270: L2Tp Features

    Figure 80 LAC-auto-initiated tunneling mode (diagram labels: LAC-auto-initiated L2TP tunnel, Private network, Internet, Remote system, Device A, Device B, Host A, RADIUS server) An LAC-auto-initiated tunnel has the following characteristics: • The connection between a remote system and the LAC is not confined to a dial-up connection and can be any IP-based connection.
  • Page 271 • Private address allocation—An LNS can dynamically allocate private addresses to remote users. This facilitates address allocation for private internets (RFC 1918) and improves security. • Flexible accounting—Accounting can be simultaneously performed on the LAC and LNS. This allows bills to be generated on the ISP side and charging and auditing to be processed on the enterprise gateway.
  • Page 272: L2Tp-Based Ead

    L2TP tunnel sharing—Different users can share the same L2TP tunnel between the LAC and the LTS. The LTS distributes data of different users to different LNSs. Figure 82 L2TP tunnel switching network diagram L2TP-based EAD EAD authenticates PPP users that pass the access authentication. PPP users that pass EAD authentication can access network resources.
  • Page 273: L2Tp Tasks At A Glance

    L2TP tasks at a glance When you configure L2TP, perform the following tasks: Determine the network devices needed according to the networking environment. For NAS-initiated mode and LAC-auto-initiated mode, configure both the LAC and the LNS. For client-initiated mode, you only need to configure the LNS. Configure the devices based on the intended role (LAC or LNS) on the network.
  • Page 274: Configuring Basic L2Tp Capabilities

    Configuring basic L2TP capabilities Basic L2TP capability configuration includes the following tasks: • Enabling L2TP—L2TP must be enabled for L2TP configurations to take effect. • Creating an L2TP group—An L2TP group is intended to represent a group of parameters. This enables not only flexible L2TP configuration on devices, but also one-to-one and one-to-many networking applications for LACs and LNSs.
  • Page 275: Specifying Lns Ip Addresses

    Step: Configure the LAC to initiate tunneling requests for a user. Command: user { domain domain-name | fullusername user-name } Remarks: By default, an LAC does not initiate tunneling requests for any users.
    Specifying LNS IP addresses
    You can specify up to five LNS IP addresses. The LAC initiates an L2TP tunneling request to its specified LNSs consecutively in their configuration order until it receives an acknowledgment from an LNS.
  • Page 276: Enabling Transferring Avp Data In Hidden Mode

    Step: Enter L2TP group view in LAC mode. Command: l2tp-group group-number [ mode lac ]
    Step: Configure each L2TP user to use an L2TP tunnel exclusively. Command: tunnel-per-user Remarks: By default, an L2TP tunnel can be used by multiple L2TP users.
    Enabling transferring AVP data in hidden mode
    L2TP uses Attribute Value Pairs (AVPs) to transmit tunnel negotiation parameters, session negotiation parameters, and user authentication information.
  • Page 277: Configuring An Lns

    Specify the PPP authentication method for the PPP user. Configure the username and password of the PPP user. The LNS then authenticates the PPP user. For more information, see "Configuring PPP." • Trigger the LAC to automatically establish an L2TP tunnel. To configure an LAC to automatically establish an L2TP tunnel: Step Command...
  • Page 278: Creating A Vt Interface

    Creating a VT interface After an L2TP session is established, a PPP session is needed for data exchange with the peer. The system will dynamically create PPP sessions based on the parameters of the virtual template (VT) interface. To configure an LNS, first create a VT interface and configure the following parameters for •...
  • Page 279 • LCP renegotiation—The LNS ignores the LAC proxy authentication information and performs a new round of LCP negotiation with the user. The LNS chooses an authentication method depending on your configuration. • If you configure both LCP renegotiation and mandatory CHAP authentication, the LNS uses LCP renegotiation.
  • Page 280: Configuring Aaa Authentication On An Lns

    Configuring AAA authentication on an LNS After you configure AAA authentication on an LNS, the LNS can authenticate the usernames and passwords of remote access users. If a user passes AAA authentication, the user can communicate with the LNS to access the private network. Configure AAA authentication on the LNS in one of the following cases: •...
  • Page 281: Setting The Hello Interval

    Step: Enter system view. Command: system-view
    Step: Enter L2TP group view. Command: l2tp-group group-number [ mode { lac | lns } ]
    Step: Enable L2TP tunnel authentication. Command: tunnel authentication Remarks: By default, L2TP tunnel authentication is enabled.
    Step: Set the tunnel... Command: tunnel password { cipher | simple }... Remarks: By default, no key is set.
  • Page 282: Enabling L2Tp-Based Ead

    Sends the packet to the next hop LTS.
    To avoid loop detection errors, make sure the TSA ID of each LTS is unique.
    To set the TSA ID of the LTS:
    Step: Enter system view. Command: system-view
    Step: Set the TSA ID of the LTS and enable L2TP loop... Command: l2tp tsa-id tsa-id... Remarks: By default, the TSA ID of the LTS...
  • Page 283: Display And Maintenance Commands For L2Tp

    To configure IMSI/SN binding authentication on the LNS:
    Step: Enter system view. Command: system-view
    Step: Create a VT interface and enter its view. Command: interface virtual-template interface-number
    Step: Enable the LNS to initiate... Command: • Enable the LNS to initiate IMSI/SN binding authentication requests: ppp lcp imsi request Remarks: By default, the LNS does not initiate IMSI/SN binding...
  • Page 284
    Figure 83 Network diagram
    Procedure
    Configure the LAC:
    # Configure IP addresses for the interfaces. (Details not shown.)
    # Create a local user named vpdnuser, set the password, and enable the PPP service.
    <LAC> system-view
    [LAC] local-user vpdnuser class network
    [LAC-luser-network-vpdnuser] password simple Hello
    [LAC-luser-network-vpdnuser] service-type ppp
    [LAC-luser-network-vpdnuser] quit...
  • Page 285
    [LNS] local-user vpdnuser class network
    [LNS-luser-network-vpdnuser] password simple Hello
    [LNS-luser-network-vpdnuser] service-type ppp
    [LNS-luser-network-vpdnuser] quit
    # Configure local authentication for PPP users in ISP domain system.
    [LNS] domain system
    [LNS-isp-system] authentication ppp local
    [LNS-isp-system] quit
    # Enable L2TP.
    [LNS] l2tp enable
    # Create a PPP address pool.
  • Page 286: Example: Configuring A Client-Initiated L2Tp Tunnel

    Example: Configuring a client-initiated L2TP tunnel Network configuration As shown in Figure 84, a PPP user directly initiates a tunneling request to the LNS to access the corporate network. Figure 84 Network diagram Procedure Configure the LNS: # Configure IP addresses for the interfaces. (Details not shown.) # Configure the route between the LNS and the remote host.
  • Page 287: Example: Configuring An Lac-Auto-Initiated L2Tp Tunnel

    # Configure the IP address of the remote host as 2.1.1.1, and configure a route to the LNS (1.1.2.2). # Create a virtual private network connection by using the Windows system, or install the L2TP LAC client software, such as WinVPN Client. # Complete the following configuration procedure (the procedure depends on the client software): Specify the PPP username as vpdnuser and the password as Hello.
  • Page 288
    [LNS] local-user vpdnuser class network
    [LNS-luser-network-vpdnuser] password simple Hello
    [LNS-luser-network-vpdnuser] service-type ppp
    [LNS-luser-network-vpdnuser] quit
    # Create a PPP address pool.
    [LNS] ip pool aaa 192.168.0.10 192.168.0.20
    [LNS] ip pool aaa gateway 192.168.0.1
    # Create Virtual-Template 1, specify its PPP authentication mode as PAP, and use address pool aaa to assign IP addresses to the PPP users.
  • Page 289: Troubleshooting L2Tp

    [LAC-Virtual-PPP1] ip address ppp-negotiate
    [LAC-Virtual-PPP1] ppp pap local-user vpdnuser password simple Hello
    [LAC-Virtual-PPP1] quit
    # Configure a static route so that packets destined for the corporate network will be forwarded through the L2TP tunnel.
    [LAC] ip route-static 10.1.0.0 16 virtual-ppp 1
    # Trigger the LAC to establish an L2TP tunnel with the LNS.
  • Page 290: Data Transmission Failure

    L2TP data transmission is based on UDP, which does not provide the packet error control feature. If the line is unstable, the LAC and LNS might be unable to ping each other. If the problem persists, contact H3C Support. L2TP user offline Symptom An L2TP user goes offline when sending a large L2TP packet.
  • Page 291: Configuring Pppoe

    Configuring PPPoE About PPPoE Point-to-Point Protocol over Ethernet (PPPoE) extends PPP by transporting PPP frames encapsulated in Ethernet over point-to-point links. PPPoE specifies the methods for establishing PPPoE sessions and encapsulating PPP frames over Ethernet. PPPoE requires a point-to-point relationship between peers instead of a point-to-multipoint relationship as in multi-access environments such as Ethernet.
  • Page 292: Host-Initiated Network Structure

    Host-initiated network structure As shown in Figure 87, a PPPoE session is established between each host (PPPoE client) and the carrier router (PPPoE server). The service provider assigns an account to each host for billing and control. The host must be installed with PPPoE client software. Figure 87 Host-initiated network structure (diagram labels: PPPoE Client, Host A...)
  • Page 293: Configuring The Pppoe Server

    ...(AC) name for the PPPoE server. Command: pppoe-server tag ac-name name Remarks: ...PPPoE server according to the AC name. The PPPoE client on H3C devices does not support this feature.
    Step: (Optional.) Enable the PPPoE server to support the... Command: pppoe-server tag...
  • Page 294: Setting The Maximum Number Of Pppoe Sessions

    Step: 10. (Optional.) Set the response delay time for user access. Command: pppoe-server access-delay delay-time Remarks: By default, no response delay time is set.
    Step: 11. Return to system view. Command: quit
    Step: 12. Configure the PPPoE server to perform authentication, authorization, and accounting for PPP users. Remarks: "Configuring AAA."
  • Page 295: Configuring The Nas-Port-Id Attribute

    The device uses a monitoring table and a blocking table to control PPP access rates: • Monitoring table—Stores a maximum of 8000 monitoring entries. Each entry records the number of PPPoE sessions created by a user within the monitoring time. When the monitoring entries reach the maximum, the system stops monitoring and blocking session requests from new users.
  • Page 296: Enabling Pppoe Users To Come Online Despite The Pppoe-Nat444 Collaboration Failure

    Step: Configure the content of the NAS-Port-ID attribute. Command: pppoe-server access-line-id content { all [ separator ] | circuit-id | remote-id } Remarks: By default, the NAS-Port-ID attribute contains only the circuit-id.
    Step: Configure the NAS-Port-ID attribute to include the BAS... Command: pppoe-server access-line-id bas-info [ cn-163 ]... Remarks: By default, the NAS-Port-ID attribute does not include the BAS...
  • Page 297: Setting The Maximum Number Of Padi Packets That The Device Can Receive Per Second

    Setting the maximum number of PADI packets that the device can receive per second When a device reboot or version update is performed, the resulting burst of online requests might degrade device performance. To avoid performance degradation and make sure the device can process PADI packets correctly, use this feature to adjust the PADI packet receiving rate limit.
  • Page 298: Enabling Pppoe Logging

    Enabling MAC-based user blocking in system view
    Step: Enter system view. Command: system-view
    Step: Enable MAC-based user blocking. Command: pppoe-server connection chasten [ quickoffline ] [ multi-sessions-permac ] requests request-period blocking-period Remarks: By default, MAC-based user blocking is disabled.
    Enabling MAC-based user blocking in interface view
    Step Command Remarks...
  • Page 299: Pppoe Configuration Examples

    Task: (In IRF mode.) Display PPPoE chasten statistics. Command: display pppoe-server chasten statistics [ mac-address ] [ interface interface-type interface-number | chassis chassis-number slot slot-number ]
    Task: (In standalone mode.) Display information about blocked PPPoE users. Command: display pppoe-server chasten user [ mac-address [ mac-address ] ] [ interface interface-type...
  • Page 300: Example: Assigning The Pppoe Server Ip Address Through The Local Dhcp Server

    Procedure
    # Create a PPPoE user.
    <Router> system-view
    [Router] local-user user1 class network
    [Router-luser-network-user1] password simple pass1
    [Router-luser-network-user1] service-type ppp
    [Router-luser-network-user1] quit
    # Configure Virtual-Template 1 to use CHAP for authentication and use a PPP address pool for IP address assignment. Set the DNS server IP address for the peer.
    [Router] interface virtual-template 1
    [Router-Virtual-Template1] ppp authentication-mode chap domain system
    [Router-Virtual-Template1] ppp chap user user1...
  • Page 301: Example: Assigning The Pppoe Server Ip Address Through A Remote Dhcp Server

    Procedure
    # Configure Virtual-Template 10 to use PAP for authentication and use a DHCP address pool to allocate IP addresses and DNS server IP addresses for users.
    <Router> system-view
    [Router] interface virtual-template 10
    [Router-Virtual-Template10] ppp authentication-mode pap
    [Router-Virtual-Template10] remote address pool pool1
    [Router-Virtual-Template10] quit
    # Enable the PPPoE server on GigabitEthernet 3/1/1, and bind the interface to Virtual-Template 10.
  • Page 302
    Figure 90 Network diagram
    Procedure
    Configure Router A as the PPPoE server:
    # Configure Virtual-Template 10 to use PAP for authentication and use a DHCP address pool to allocate IP addresses and DNS server IP addresses for users.
    <RouterA> system-view
    [RouterA] interface virtual-template 10
    [RouterA-Virtual-Template10] ppp authentication-mode pap
    [RouterA-Virtual-Template10] remote address pool pool1...
  • Page 303: Example: Assigning The Pppoe Server Ipv6 Address Through Nd And Ipv6Cp Negotiation

    [RouterB-dhcp-pool-pool1] network 2.2.2.0 24
    [RouterB-dhcp-pool-pool1] gateway-list 2.2.2.1
    [RouterB-dhcp-pool-pool1] dns-list 8.8.8.8
    # Exclude the IP address 2.2.2.1 from dynamic allocation in DHCP address pool pool1.
    [RouterB-dhcp-pool-pool1] forbidden-ip 2.2.2.1
    [RouterB-dhcp-pool-pool1] quit
    # Specify an IP address for GigabitEthernet 3/1/1.
    [RouterB] interface gigabitethernet 3/1/1
    [RouterB-GigabitEthernet3/1/1] ip address 10.1.1.1 24
    [RouterB-GigabitEthernet3/1/1] quit
    # Configure a static route to the PPPoE server.
  • Page 304
    Procedure
    # Create Virtual-Template 10.
    <Router> system-view
    [Router] interface virtual-template 10
    # Configure Virtual-Template 10 to use PAP to authenticate the peer.
    [Router-Virtual-Template10] ppp authentication-mode pap domain system
    # Configure Virtual-Template 10 to automatically generate an IPv6 link-local address.
    [Router-Virtual-Template10] ipv6 address auto link-local
    # Enable Virtual-Template 10 to advertise RA messages.
  • Page 305: Example: Assigning The Pppoe Server Ipv6 Address Through Dhcpv6

    Example: Assigning the PPPoE server IPv6 address through DHCPv6
    Network configuration
    As shown in Figure 92, configure the PPPoE server to assign an IPv6 address to the host through DHCPv6.
    Figure 92 Network diagram
    Procedure
    # Create Virtual-Template 10.
    <Router> system-view
    [Router] interface virtual-template 10
    # Configure Virtual-Template 10 to use PAP to authenticate the peer.
  • Page 306: Example: Assigning The Pppoe Server Ipv6 Address Through Prefix Delegation By Dhcpv6

    [Router-isp-system] quit
    Verifying the configuration
    # Display PPP user information on GigabitEthernet 3/1/1.
    [Router] display ppp access-user interface gigabitethernet 3/1/1
    Interface  Username  MAC address     IP address  IPv6 address  IPv6 PDPrefix
    BAS0       user1     0000-5e08-9d00              3001::2
    Example: Assigning the PPPoE server IPv6 address through prefix delegation by DHCPv6
    Network configuration
    As shown in...
  • Page 307: Example: Configuring Pppoe Server Radius-Based Ip Address Assignment

    [Router-dhcp6-pool-pool1] quit
    # Configure a PPPoE user.
    [RouterB] local-user user1 class network
    [RouterB-luser-network-user1] password simple pass1
    [RouterB-luser-network-user1] service-type ppp
    [RouterB-luser-network-user1] quit
    # Configure an IPv6 pool attribute authorized to the user in the ISP domain.
    [RouterB] domain system
    [RouterB-isp-system] authorization-attribute ipv6-pool pool1
    Verifying the configuration
    # Verify that Router B has assigned a prefix to Router A.
  • Page 308 Auth-Type == CHAP,User-Password := pass1 Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IPv6-Pool = "pool1", H3C-VPN-Instance = "vpn1", Configure Router A: a. Configure the PPPoE server: # Configure Virtual-Template 1 to use CHAP for authentication and use ISP domain dm1 as the authentication domain.
  • Page 309 [RouterA-radius-rs1] key accounting simple radius # Exclude domain names in the usernames sent to the RADIUS server. [RouterA-radius-rs1] user-name-format without-domain [RouterA-radius-rs1] quit c. Configure an authentication domain: # Create an ISP domain named dm1. [RouterA] domain dm1 # In ISP domain dm1, perform RADIUS authentication, authorization, and accounting for users based on scheme rs1.
  • Page 310: Configuring Portal Authentication

    Users can access more network resources after passing the security check. Security check must cooperate with the H3C IMC security policy server and the iNode client. Portal system A typical portal system consists of these basic components: authentication client, access device,...
  • Page 311: Portal Authentication Using A Remote Portal Server

    An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client. Security check for the user host is implemented through the interaction between the portal client and the security policy server. Only the H3C iNode client is supported. Access device An access device provides access services.
  • Page 312: Local Portal Service

    Web authentication page provided by the portal Web server. The user can also visit the authentication website to log in. The user must log in through the H3C iNode client for extended portal functions. The user enters the authentication information on the authentication page/dialog box and submits the information.
  • Page 313: Portal Authentication Process

    Re-DHCP authentication saves public IP addresses. For example, an ISP can allocate public IP addresses to broadband users only when they access networks beyond the residential community network. Only the H3C iNode client supports re-DHCP authentication. IPv6 portal authentication does not support the re-DHCP authentication mode. Cross-subnet authentication Cross-subnet authentication is similar to direct authentication, except it allows Layer 3 forwarding devices to exist between the authentication client and the access device.
  • Page 314 If the packet does not match any portal-free rule, the access device redirects the packet to the portal Web server. The portal Web server pushes the Web authentication page to the user for him to enter his username and password. The portal Web server submits the user authentication information to the portal authentication server.
  • Page 315: Portal Filtering Rules

    Step 1 through step 7 are the same as those in the direct authentication/cross-subnet authentication process. After receiving the authentication success packet, the client obtains a public IP address through DHCP. The client then notifies the portal authentication server that it has a public IP address. The portal authentication server notifies the access device that the client has obtained a public IP address.
  • Page 316: Restrictions: Hardware Compatibility With Portal

    H3C iNode client. • Portal authentication supports NAT traversal whether it is initiated by a Web client or an H3C iNode client. NAT traversal must be configured when the portal client is on a private network and the portal server is on a public network.
  • Page 317 Tasks at a glance Remarks (Optional.) Configuring a local portal Web service (Optional.) Specifying a portal authentication domain (Optional.) Configuring a portal preauthentication policy (Optional.) Specifying a preauthentication IP address pool (Required.) Enabling portal authentication on an interface (Required.) Specifying a portal Web server on an interface (Optional.) Controlling portal user access •...
  • Page 318: Prerequisites For Portal

    Prerequisites for portal The portal feature provides a solution for user identity authentication and security check. To complete user identity authentication, portal must cooperate with RADIUS. The prerequisites for portal authentication configuration are as follows: • The portal authentication server, portal Web server, and RADIUS server have been installed and configured correctly.
  • Page 319: Configuring A Portal Web Server

    Step: (Optional.) Set the destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server. Command: port port-number. Remarks: By default, the UDP port number is 50100. This port number must be the same as the listening port number specified on the portal authentication server.
  • Page 320: Configuring A Match Rule For URL Redirection

    Configuring a match rule for URL redirection A URL redirection match rule matches HTTP or HTTPS requests by user-requested URL or User-Agent information, and redirects the matching HTTP or HTTPS requests to the specified redirection URL. For a user to successfully access a redirection URL, configure a portal-free rule to allow HTTP or HTTPS requests destined for the redirection URL to pass.
  • Page 321 • System busy page • Logoff success page You must customize the authentication pages, including the page elements that the authentication pages will use, for example, back.jpg for authentication page Logon.htm. Follow the authentication page customization rules when you edit the authentication page files. File name rules The names of the main authentication page files are fixed (see Table...
  • Page 322: Configuring Parameters For A Local Portal Web Service

    </form> Authentication pages logonSuccess.htm and online.htm must contain the logoff Post request. The following example shows part of the script in page online.htm. <form action=logon.cgi method = post > <p><input type=SUBMIT value="Logoff" name="PtButton" style="width:60px;"> </form> Page file compression and saving rules You must compress the authentication pages and their page elements into a standard zip file.
  • Page 323: Specifying A Portal Authentication Domain

    name of the policy must be https_redirect. For more information about SSL server policy configuration, see SSL configuration in Security Configuration Guide. Procedure To configure the parameters for a local portal Web service: Step: Enter system view. Command: system-view. Step: Create an HTTP- or HTTPS-based local portal... Command: portal local-web-server { http | ...
  • Page 324: Specifying A Portal Authentication Domain On An Interface

    Specifying a portal authentication domain on an interface Step: Enter system view. Command: system-view. Step: Enter interface view. Command: interface interface-type interface-number. Step: Specify a portal authentication domain on the interface. Command: portal [ ipv6 ] domain domain-name. Remarks: By default, no portal authentication domain is specified on an interface. You can specify both an IPv4...
  • Page 325: Specifying A Preauthentication IP Address Pool

    Step: Configure a user attribute in the portal preauthentication policy. Command: user-attribute { acl acl-number | car { inbound | outbound } cir committed-information-rate [ pir peak-information-rate ] | ... Remarks: By default, no user attributes are configured for a portal preauthentication policy.
  • Page 326: Procedure

    Procedure To specify a preauthentication IP address pool: Step: Enter system view. Command: system-view. Step: Enter interface view. Command: interface interface-type interface-number. Step: Specify a preauthentication IP address pool on the interface. Command: portal [ ipv6 ] pre-auth ip-pool pool-name. Remarks: By default, no preauthentication IP address pool is specified on an interface.
  • Page 327: Procedure

    Restrictions and guidelines for enabling re-DHCP portal authentication When you configure re-DHCP portal authentication (re-dhcp) on an interface, follow these restrictions and guidelines: • Make sure the interface has a valid IP address before you enable re-DHCP portal authentication on the interface. For re-DHCP portal authentication to take effect after the IP address of the interface changes, you must disable portal authentication and then enable re-DHCP portal authentication.
  • Page 328: Controlling Portal User Access

    Step: Enter interface view. Command: interface interface-type interface-number. Remarks: The following types of interfaces are supported: Layer 3 Ethernet interface, Layer 3 Ethernet subinterface, VLAN interface, Layer 3 aggregate interface, and Layer 3 aggregate subinterface. Step: To specify an IPv4 portal Web server: portal apply web-server...
  • Page 329: Configuring An Authentication Source Subnet

    • If a portal-enabled interface is enabled with the DHCP users feature of IPoE, you must specify the source IP address in the portal-free rule. Make sure the specified source IP address is not the same as any of the IP addresses that the DHCP server assigns to IPoE users. For more information about enabling the DHCP users feature, see "Configuring IPoE."...
  • Page 330: Setting The Maximum Number Of Portal Users

    Restrictions and guidelines for configuring an authentication source subnet When you configure a portal authentication source subnet, follow these restrictions and guidelines: • Authentication source subnets apply only to cross-subnet portal authentication. • In direct or re-DHCP portal authentication mode, a portal user and its access interface (portal-enabled) are on the same subnet.
  • Page 331: Enabling Strict-Checking On Portal Authorization Information

    To set the global maximum number of portal users: Step: Enter system view. Command: system-view. Step: Set the global maximum number of portal users. Command: portal max-user max-number. Remarks: By default, no limit is set on the global number of portal users. Setting the maximum number of portal users on an interface If you set the maximum number smaller than the current number of portal users on an interface, this configuration still takes effect.
  • Page 332: Allowing Only Users With DHCP-Assigned IP Addresses To Pass Portal Authentication

    Step: Enable strict checking on portal authorization information. Command: portal authorization { acl | user-profile } strict-checking. Remarks: By default, strict checking on portal authentication information is disabled on an interface. In this case, the portal users stay online even when the authorized ACLs or user profiles do not exist or fail to be deployed.
  • Page 333: Blocking Portal Users That Fail Portal Authentication

    • Configure portal-free rules to allow user packets destined for the WPAD server to pass without authentication. If portal users enable Web proxy in their browsers, the users must add the IP address of the portal authentication server as a proxy exception in their browsers. Thus, HTTP packets that the users send to the portal authentication server will not be sent to Web proxy servers.
  • Page 334: Configuring The Portal Fail-Permit Feature

    If portal roaming is disabled, to access external network resources from a Layer 2 port different from the current access port in the VLAN, the user must do the following: Log out from the current port. Re-authenticate on the new Layer 2 port. Restrictions and guidelines When you enable portal roaming, follow these restrictions and guidelines: •...
  • Page 335: Configuring Portal Detection Features

    Configuring portal detection features Configuring online detection of portal users About online detection for portal users Configure online detection to quickly detect abnormal logouts of portal users. • Configure ARP or ICMP detection for IPv4 portal users. • Configure ND or ICMPv6 detection for IPv6 portal users. If the device receives no packets from a portal user within the idle time, the device detects the user's online status as follows: •...
  • Page 336: Configuring Portal Authentication Server Detection

    Configuring portal authentication server detection About portal authentication server detection During portal authentication, if the communication between the access device and portal authentication server is broken, new portal users are not able to log in. Online portal users are not able to log out normally.
  • Page 337: Configuring Portal Web Server Detection

    Configuring portal Web server detection About portal Web server detection A portal authentication process cannot complete if the communication between the access device and the portal Web server is broken. To address this problem, you can enable portal Web server detection on the access device.
  • Page 338: Configuring Portal Packet Attributes

    synchronization feature. This feature is implemented by sending and detecting portal synchronization packets, as follows: The portal authentication server sends the online user information to the access device in a synchronization packet at the user heartbeat interval. The user heartbeat interval is set on the portal authentication server. Upon receiving the synchronization packet, the access device compares the users carried in the packet with its own user list and performs the following operations: If a user contained in the packet does not exist on the access device, the access device...
  • Page 339: Specifying The Device ID

    You must configure the BAS-IP or BAS-IPv6 attribute on a portal authentication-enabled interface if the following conditions are met: The portal authentication server is an H3C IMC server. The portal device IP address specified on the portal authentication server is not the IP address of the portal packet output interface.
  • Page 340: Configuring Attributes For RADIUS Packets

    Step: Specify the device ID. Command: portal device-id device-id. Remarks: By default, a device is not configured with a device ID. Configuring attributes for RADIUS packets Specifying a format for the NAS-Port-Id attribute RADIUS servers from different vendors might require different formats of the NAS-Port-Id attribute in the RADIUS packets.
  • Page 341: Configuring MAC-Based Quick Portal Authentication

    Step: Return to system view. Command: quit. Step: Enter interface view. Command: interface interface-type interface-number. Step: Specify the NAS-ID profile on the interface. Command: portal nas-id-profile profile-name. Remarks: By default, no NAS-ID profile is specified on the interface. Configuring MAC-based quick portal authentication Restrictions and guidelines for configuring MAC-based quick portal authentication Only IPv4 direct authentication supports MAC-based quick portal authentication.
  • Page 342: Specifying A MAC Binding Server On An Interface

    Step: (Optional.) Specify the type of the MAC binding server. Command: server-type { cmcc | imc }. Remarks: By default, the type of a MAC binding server is IMC. Step: (Optional.) Specify the version of the portal protocol. Command: version version-number. Remarks: By default, the version of the...
  • Page 343: Setting The User Traffic Backup Threshold

    Step: Set the portal HTTP attack defense parameters. Command: portal http-defense { block-timeout minutes | statistics-interval value | threshold number } *. Remarks: By default, the blocking timer is 10 minutes, the statistical interval for counting redirected HTTP packets is 5 minutes, and the blocking threshold is 6000 packets.
  • Page 344: Enabling Portal User Login/Logout Logging

    Enabling portal user login/logout logging This feature logs information about user login and logout events, including the username, user IP address and MAC address, user access interface, VLAN, and login result. The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device.
  • Page 345: Display And Maintenance Commands For Portal

    Display and maintenance commands for portal Execute display commands in any view and the reset command in user view. Task: (In standalone mode.) Display statistics for attacked destination IP addresses in portal HTTP attack defense. Command: display portal http-defense attacked-ip [ slot slot-number ].
  • Page 346: Portal Configuration Examples

    Task: (In IRF mode.) Clear statistics for attacked destination IP addresses in portal HTTP attack defense. Command: reset portal http-defense attacked-ip [ chassis chassis-number slot slot-number ]. Task: (In standalone mode.) Clear statistics for blocked destination IP addresses in portal HTTP attack defense. Command: reset portal http-defense blocked-ip [ ip ipv4-address | ipv6 ipv6-address ] [ slot...
  • Page 347 Configuring the portal authentication server on IMC PLAT 3.20 In this example, the portal server runs on IMC PLAT 3.20-R2602P13 and IMC UAM 3.60-E6301. Configure the portal authentication server: a. Log in to IMC and click the Service tab. b. Select Access Service > Portal Service Management > Server from the navigation tree to open the portal server configuration page, as shown in Figure 100.
  • Page 348 a. Select Access Service > Portal Service Management > Device from the navigation tree to open the portal device configuration page. b. Click Add to open the page as shown in Figure 102. c. Enter the device name NAS. d. Enter the IP address of the router's interface connected to the host. e.
  • Page 349 Figure 104 Port group configuration c. Enter the port group name. d. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group. e. Click OK. Select Access Service > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
  • Page 350 Figure 105 Portal server configuration Configure the IP address group: a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to open the portal IP address group configuration page. b. Click Add to open the page as shown in Figure 106.
  • Page 351 a. Select User Access Manager > Portal Service Management > Device from the navigation tree to open the portal device configuration page. b. Click Add to open the page as shown in Figure 107. c. Enter the device name NAS. d.
  • Page 352 Figure 109 Adding a port group Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the router Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Router>...
  • Page 353 # Configure a portal authentication server. [Router] portal server newpt [Router-portal-server-newpt] ip 192.168.0.111 key simple portal [Router-portal-server-newpt] port 50100 [Router-portal-server-newpt] quit # Configure a portal Web server. [Router] portal web-server newpt [Router-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Router-portal-websvr-newpt] quit # Enable direct portal authentication on GigabitEthernet 1/0/2. [Router] interface gigabitethernet 1/0/2 [Router-GigabitEthernet1/0/2] portal enable method direct # Reference the portal Web server newpt on GigabitEthernet 1/0/2.
  • Page 354: Example: Configuring Re-DHCP Portal Authentication

    IP address Prefix length A user can perform portal authentication by using the H3C iNode client or through a Web browser. Before passing the authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
  • Page 355 Figure 110 Network diagram Configuration prerequisites and guidelines • Configure IP addresses for the router and servers as shown in Figure 110 and make sure the host, router, and servers can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. •...
  • Page 356 [Router] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Router] domain dm1 # Configure AAA methods for the ISP domain. [Router-isp-dm1] authentication portal radius-scheme rs1 [Router-isp-dm1] authorization portal radius-scheme rs1 [Router-isp-dm1] accounting portal radius-scheme rs1 [Router-isp-dm1] quit # Configure domain dm1 as the default ISP domain.
  • Page 357 IP address Prefix length Before passing the authentication, a user that uses the H3C iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. After passing the authentication, the user can access other network resources.
  • Page 358: Example: Configuring Cross-Subnet Portal Authentication

    [Router] display portal user interface gigabitethernet 1/0/2 Total portal users: 1 Username: abc Portal server: newpt State: Online VPN instance: N/A VLAN Interface 0015-e9a6-7cfe 20.20.20.2 GigabitEthernet1/0/2 Authorization information: DHCP IP pool: N/A User profile: N/A Session group profile: N/A ACL: N/A Inbound CAR: N/A Outbound CAR: N/A Inbound priority: N/A...
  • Page 359 Procedure Perform the following tasks on Router A. Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <RouterA> system-view [RouterA] radius scheme rs1 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
  • Page 360 [RouterA-GigabitEthernet1/0/2] quit On Router B, configure a default route to subnet 192.168.0.0/24, specifying the next hop address as 20.20.20.1. (Details not shown.) Verifying the configuration # Verify that the portal configuration has taken effect. [RouterA] display portal interface gigabitethernet 1/0/2 Portal information of GigabitEthernet1/0/2 NAS-ID profile: Not configured Authorization : Strict checking...
  • Page 361: Example: Configuring Extended Direct Portal Authentication

    IP address Prefix length A user can perform portal authentication by using the H3C iNode client or through a Web browser. Before passing the authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
  • Page 362 Figure 112 Network diagram (portal server 192.168.0.111/24, RADIUS server 192.168.0.112/24, and security policy server 192.168.0.113/24 reached through router interface GE1/0/1, 192.168.0.100/24; host 2.2.2.2/24 with gateway 2.2.2.1/24 on router interface GE1/0/2, 2.2.2.1/24) Configuration prerequisites • Configure IP addresses for the host, router, and servers as shown in Figure 112 and make sure they can reach each other.
  • Page 363 [Router] domain default enable dm1 Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL. [Router] acl advanced 3000 [Router-acl-ipv4-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255 [Router-acl-ipv4-adv-3000] rule deny ip [Router-acl-ipv4-adv-3000] quit [Router] acl advanced 3001 [Router-acl-ipv4-adv-3001] rule permit ip [Router-acl-ipv4-adv-3001] quit NOTE:...
  • Page 364 Destination authenticate subnet: IP address Prefix length Before passing portal authentication, a user that uses the H3C iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. •...
  • Page 365: Example: Configuring Extended Re-DHCP Portal Authentication

    DHCP IP pool: N/A User profile: N/A Session group profile: N/A ACL: 3001 Inbound CAR: N/A Outbound CAR: N/A Inbound priority: N/A Outbound priority: N/A Example: Configuring extended re-DHCP portal authentication Network configuration As shown in Figure 113, the host is directly connected to the router (the access device). The host obtains an IP address through the DHCP server.
  • Page 366 • Make sure the IP address of the portal device added on the portal server is the public IP address (20.20.20.1) of the router's interface connecting the host. The private IP address range for the IP address group associated with the portal device is the private subnet 10.0.0.0/24 where the host resides.
  • Page 367 # Configure DHCP relay. [Router] dhcp enable [Router] dhcp relay client-information record [Router] interface gigabitethernet 1/0/2 [Router-GigabitEthernet1/0/2] ip address 20.20.20.1 255.255.255.0 [Router-GigabitEthernet1/0/2] ip address 10.0.0.1 255.255.255.0 sub [Router-GigabitEthernet1/0/2] dhcp select relay [Router-GigabitEthernet1/0/2] dhcp relay server-address 192.168.0.112 # Enable authorized ARP. [Router-GigabitEthernet1/0/2] arp authorized enable [Router-GigabitEthernet1/0/2] quit Configure portal authentication:...
  • Page 368 Destination authenticate subnet: IP address Prefix length Before passing portal authentication, a user that uses the H3C iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. •...
  • Page 369: Example: Configuring Extended Cross-Subnet Portal Authentication

    Session group profile: N/A ACL: 3001 Inbound CAR: N/A Outbound CAR: N/A Inbound priority: N/A Outbound priority: N/A Example: Configuring extended cross-subnet portal authentication Network configuration As shown in Figure 114, Router A supports portal authentication. The host accesses Router A through Router B.
  • Page 370 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [RouterA-radius-rs1] primary authentication 192.168.0.112 [RouterA-radius-rs1] primary accounting 192.168.0.112 [RouterA-radius-rs1] key authentication simple radius [RouterA-radius-rs1] key accounting simple radius [RouterA-radius-rs1] user-name-format without-domain # Enable RADIUS session control.
  • Page 371 [RouterA-GigabitEthernet1/0/2] portal enable method layer3 # Reference the portal Web server newpt on GigabitEthernet 1/0/2. [RouterA-GigabitEthernet1/0/2] portal apply web-server newpt # Configure the BAS-IP as 20.20.20.1 for portal packets sent from GigabitEthernet 1/0/2 to the portal authentication server. [RouterA-GigabitEthernet1/0/2] portal bas-ip 20.20.20.1 [RouterA-GigabitEthernet1/0/2] quit On Router B, configure a default route to subnet 192.168.0.0/24, specifying the next hop address as 20.20.20.1.
  • Page 372: Example: Configuring Portal Server Detection And Portal User Synchronization

    Prefix length Destination authenticate subnet: IP address Prefix length Before passing portal authentication, a user that uses the H3C iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user are redirected to the authentication page. •...
  • Page 373 • Disable portal authentication when the authentication server is unreachable. • Synchronize portal user information with the portal server periodically. Figure 115 Network diagram (portal server 192.168.0.111/24 and RADIUS server 192.168.0.112/24 reached through router interface GE1/0/1, 192.168.0.100/24; host 2.2.2.2/24 with gateway 2.2.2.1/24 on router interface GE1/0/2, 2.2.2.1/24) Configuration prerequisites and guidelines •...
  • Page 374 d. Enter the start IP address and end IP address of the IP group. Make sure the host IP address (2.2.2.2) is in the IP group. e. Select a service group. This example uses the default group Ungrouped. f. Select Normal from the Action list. g.
  • Page 375 Associate the portal device with the IP address group: a. As shown in Figure 119, click the icon in the Port Group Information Management column of device NAS to open the port group configuration page. Figure 119 Device list b. Click Add to open the page as shown in Figure 120.
  • Page 376 Figure 121 Portal authentication server configuration Configure the IP address group: a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to open the portal IP address group configuration page. b. Click Add to open the page as shown in Figure 122.
  • Page 377 a. Select User Access Manager > Portal Service Management > Device from the navigation tree to open the portal device configuration page. b. Click Add to open the page as shown in Figure 123. c. Enter the device name NAS. d.
  • Page 378 Figure 125 Adding a port group Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the router Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Router>...
  • Page 379 # Configure a portal authentication server. [Router] portal server newpt [Router-portal-server-newpt] ip 192.168.0.111 key simple portal [Router-portal-server-newpt] port 50100 # Configure reachability detection of the portal authentication server: set the server detection interval to 40 seconds, and send log messages upon reachability status changes. [Router-portal-server-newpt] server-detect timeout 40 log NOTE: The value of timeout must be greater than or equal to the portal server heartbeat interval.
  • Page 380: Example: Configuring Cross-Subnet Portal Authentication For MPLS L3VPNs

    unreachable log "Portal server newpt turns down from up." and disables portal authentication on the access interface, so the host can access the external network without authentication. Example: Configuring cross-subnet portal authentication for MPLS L3VPNs Network configuration As shown in Figure 126, the PE device Router A provides portal authentication for the host in VPN 1.
  • Page 381 # Specify the source IP address for RADIUS packets to be sent as 3.3.0.3. This address must be the same as that of the portal device specified on the portal authentication server to avoid authentication failures. [RouterA-radius-rs1] nas-ip 3.3.0.3 [RouterA-radius-rs1] quit # Enable RADIUS session control.
  • Page 382: Example: Configuring Direct Portal Authentication With A Preauthentication Policy

    State: Online VPN instance: vpn3 VLAN Interface 0000-0000-0000 3.3.0.1 GigabitEthernet1/0/1 Authorization information: DHCP IP pool: N/A User profile: N/A Session group profile: N/A ACL: N/A Inbound CAR: N/A Outbound CAR: N/A Inbound priority: N/A Outbound priority: N/A Example: Configuring direct portal authentication with a preauthentication policy Network configuration As shown in...
  • Page 383 [Router-dhcp-pool-pre] gateway-list 2.2.2.1 [Router-dhcp-pool-pre] network 2.2.2.0 24 [Router-dhcp-pool-pre] quit # Enable the DHCP server on GigabitEthernet 1/0/2. [Router] interface gigabitethernet 1/0/2 [Router-GigabitEthernet1/0/2] dhcp select server [Router-GigabitEthernet1/0/2] quit Configure a portal preauthentication policy: # Create a portal preauthentication policy named abc. [Router] portal pre-auth policy abc # Specify user attribute ACL 3010 in the portal preauthentication policy.
  • Page 384: Example: Configuring Re-DHCP Portal Authentication With A Preauthentication Policy

    State: Online VPN instance: N/A Authorization information: DHCP IP pool: N/A User profile: N/A Session group profile: N/A ACL: 3010 Inbound CAR: N/A Outbound CAR: N/A Inbound priority: N/A Outbound priority: N/A Example: Configuring re-DHCP portal authentication with a preauthentication policy Network configuration As shown in Figure...
  • Page 385 For information about DHCP relay agent configuration, see "Configuring DHCP.". • Make sure the IP address of the portal device added on the portal server is the public IP address (20.20.20.1) of the router's interface connecting the host. The private IP address range for the IP address group associated with the portal device is the private subnet 10.0.0.0/24 where the host resides.
  • Page 386: Example: Configuring Direct Portal Authentication Using A Local Portal Web Service

    [Router-portal-websvr-newpt] quit # Enable re-DHCP portal authentication on GigabitEthernet 1/0/2. [Router] interface gigabitethernet 1/0/2 [Router-GigabitEthernet1/0/2] portal enable method redhcp # Reference the portal Web server newpt on GigabitEthernet 1/0/2. [Router-GigabitEthernet1/0/2] portal apply web-server newpt # Configure the BAS-IP as 20.20.20.1 for portal packets sent from GigabitEthernet 1/0/2 to the portal authentication server.
  • Page 387 Configuration prerequisites and guidelines • Configure IP addresses for the host, router, and server as shown in Figure 129 and make sure they can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. • Customize the authentication pages, compress them to a file, and upload the file to the root directory of the storage medium of the router.
  • Page 388 # Create an HTTP-based local portal Web service and enter its view. [Router] portal local-web-server http # Specify file abc.zip as the default authentication page file for the local portal Web service. (Make sure the file exists under the root directory of the router.) [Router-portal-local-websvr-http] default-logon-page abc.zip # Set the HTTP listening port number to 2331 for the local portal Web service.
  • Page 389: Example: Configuring Mac-Based Quick Portal Authentication

    Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication through a Web page. Before passing the authentication, the user can access only the authentication page http://2.2.2.1:2331/portal and all Web requests will be redirected to the authentication page.
  • Page 390 Figure 130 Network diagram Configuration prerequisites • Configure IP addresses for the host, router, and servers as shown in Figure 130 and make sure they can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. Configuring the portal server on IMC PLAT 7.1 In this example, the portal server runs on IMC PLAT 7.1(E0303), IMC EIA 7.1(F0303), and IMC EIP 7.1(F0303).
  • Page 391 a. Select User Access Policy > Portal Service > IP Group from the navigation tree to open the portal IP address group configuration page. b. Click Add to open the page as shown in Figure 132. c. Enter the IP group name. d.
  • Page 392 Figure 133 Adding a portal device Associate the portal device with the IP address group: a. As shown in Figure 134, click the Port Group Information Management icon for device NAS to open the port group configuration page. b. Click Add to open the page as shown in Figure 135.
  • Page 393 Figure 135 Adding a port group Select User Access Policy > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the MAC binding server on IMC PLAT 7.1 In this example, the MAC binding server runs on IMC PLAT 7.1(E0303), IMC EIA 7.1(F0303), and IMC EIP 7.1(F0303).
  • Page 394 a. Select User Access Policy > Access Service from the navigation tree to open the access service page. b. Click Add to open the page as shown in Figure 137. c. Enter the service name. d. Select the Transparent Authentication on Portal Endpoints option. e.
  • Page 395 d. Click OK. e. Click the Configure icon for Endpoint Aging Time to open the page as shown in Figure 140. f. Set the endpoint aging time as needed. This example uses the default value. Figure 139 Configuring user endpoint settings Figure 140 Setting the endpoint aging time Select User Access Policy >...
  • Page 396 [Router-isp-dm1] authorization portal radius-scheme rs1 [Router-isp-dm1] accounting portal radius-scheme rs1 [Router-isp-dm1] quit # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
  • Page 397: Troubleshooting Portal

    Authentication timeout : 3 minutes A user can perform portal authentication by using the H3C iNode client or through a Web browser. Before passing the authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
  • Page 398: Cannot Log Out Portal Users On The Access Device

    Cannot log out portal users on the RADIUS server Symptom The access device uses the H3C IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server.
  • Page 399: Re-Dhcp Portal Authenticated Users Cannot Log In Successfully

    Analysis When you execute the portal delete-user command on the access device to log out a user, the access device sends an unsolicited logout notification to the portal authentication server. If the BAS-IP or BAS-IPv6 address carried in the logout notification is different from the portal device IP address specified on the portal authentication server, the portal authentication server discards the logout notification.
  • Page 400: Configuring Ipoe

    Configuring IPoE About IPoE IP over Ethernet (IPoE) enables a BRAS to connect and authenticate users over IPoE connections. As shown in Figure 141, a BRAS connects hosts over IPoE connections, and provides AAA, security, and DHCP services for the hosts. This solution does not require the hosts to install any client software.
  • Page 401: Ipoe Session

    • Dynamic individual users IPoE defines the following dynamic individual users: DHCP user—Sends DHCP packets to trigger IPoE session establishment. IPv6-ND-RS user—Sends IPv6 ND RS packets to trigger IPoE session establishment. Unclassified-IP user—Sends packets other than DHCP and IPv6 ND RS packets to trigger IPoE session establishment.
  • Page 402: Ipoe Addressing

    For interface-leased users, subnet-leased users, and L2VPN-leased users, the BRAS creates a static IPoE session based on configured information after you enable IPoE on an interface. The BRAS initiates user authentication based on the configured username and password. IPoE addressing IPoE addressing varies with user types.
  • Page 403 Figure 142 Access procedure for a DHCPv4 user (participants: DHCP client, BRAS (DHCP relay), DHCP server, AAA server)
    (1) DHCP-DISCOVER
    (2) Inserts Option82 and initiates an IPoE session.
    (3) Access Request
    (4) Access Accept
    (5) Updates the IPoE session as an authorized session.
    (6) DHCP-DISCOVER
    (7) DHCP-OFFER
    (8) DHCP-REQUEST...
  • Page 404 e. Marks the session state as online. If the authentication fails, the BRAS marks the session as failure and discards the DHCP-DISCOVER message. 12. The DHCP client obtains configuration information from the DHCP-ACK message. 13. The BRAS sends the AAA server a message to start accounting. Access procedure for IPv6-ND-RS users This example uses a Layer 2 device as the BRAS.
  • Page 405: Support For Mpls L3Vpn

    Access procedure for unclassified-IP users Figure 144 Access procedure for unclassified-IP users The host sends an IP packet to the BRAS. The BRAS obtains user information from the IP packet, and matches the user information against existing IPoE sessions. If no match is found, the BRAS initiates an IPoE session for the user. (This section uses this case as an example.) If the information matches an authenticated session, the BRAS forwards the IP packet.
  • Page 406: Support For Ita

    NOTE: • When an IPoE user comes online through an authorized VPN, you must configure a gateway IP address or enable proxy ARP by using the proxy-arp enable command on the access interface. As a best practice, enable proxy ARP. For more information, see proxy ARP configuration in Layer 3—IP Services Configuration Guide.
  • Page 407: Prerequisites For Ipoe

    Configure the RADIUS server and client. For more information about how to configure a RADIUS client, see "Configuring AAA." • Configure security policies on the H3C IMC security server and configure the security server's IP address on the BRAS. For more information about how to configure a security server, see "Configuring AAA." •...
  • Page 408: Configuring Dynamic Individual Users

    Step: Configure bind authentication for individual users.
    Command:
      • For IPv4 individual users: ip subscriber authentication-method bind
      • For IPv6 individual users: ipv6 subscriber authentication-method bind
    Remarks: By default, bind authentication is configured for individual users.
    Configuring dynamic individual users. Dynamic individual user configuration tasks at a glance. Tasks at a glance: (Required.)
  • Page 409: Configuring Authentication User Naming Conventions For Dynamic Individual Users

    Step: Enable dynamic individual users.
    Command:
      • Enable the IPv4 dynamic individual user: ip subscriber initiator { dhcp | unclassified-ip } enable
      • Enable the IPv6 dynamic individual user: ipv6 subscriber initiator { dhcp | ndrs | unclassified-ip } enable
    Remarks: By default, no dynamic individual users are enabled.
    Configuring authentication user naming conventions for dynamic individual users...
  • Page 410 Step Command Remarks • Configure an authentication user naming convention for DHCP users: ip subscriber dhcp username include { circuit-id [ mac ] [ separator separator ] | client-id [ separator separator ] | nas-port-id [ separator separator ] | port [ separator separator ] | remote-id [ separator separator ] | second-vlan [ separator...
  • Page 411 Step Command Remarks • Configure an authentication user naming convention for DHCPv6 users: ipv6 subscriber dhcp username include { circuit-id [ separator separator ] | client-id [ separator separator ] | nas-port-id [ separator separator ] | port [ separator separator ] | remote-id [ separator separator ] | second-vlan [ separator separator] | slot [ separator...
  • Page 412: Configuring Passwords For Dynamic Individual Users

    Configuring passwords for dynamic individual users Passwords configured for dynamic individual users must be the same as those configured on the AAA server. If you configure multiple passwords for a DHCP user, the passwords are used in the following order: Password specified in Option 60 or Option 16 if the BRAS trusts Option 60 or Option 16.
  • Page 413: Configuring The Maximum Number Of Dynamic Ipoe Sessions

    Dynamic individual users: Unclassified-IP user
    Order in selecting an ISP domain:
      • Service-specific ISP domain
      • Interface-specific ISP domain
      • Default system ISP domain
    For more information about how to configure trusted DHCP options, see "Configuring trusted DHCP options for DHCP users."...
  • Page 414: Configuring Trusted Dhcp Options For Dhcp Users

    Step: Configure the maximum number of dynamic IPoE sessions.
    Command:
      • Configure the maximum number of IPv4 IPoE sessions: ip subscriber { dhcp | unclassified-ip } max-session max-number
      • Configure the maximum number
    Remarks: By default, the maximum number of dynamic IPoE sessions is not configured.
  • Page 415: Configuring Trusted Source Ip Addresses For Unclassified-Ip Users

    • If the string selected from Option 60/Option 16/Option 17 does not contain the trusted ISP domain, the DHCP user uses portal authentication. For more information, see "Configuring portal authentication." Configure trusted DHCP options before you configure the trusted ISP domains. For more information about how to configure trusted DHCP options, see "Configuring trusted DHCP options for DHCP users."...
  • Page 416: Enabling Dynamic Individual Users To Come Online Despite The Ipoe-Nat Collaboration Failure

    Enabling dynamic individual users to come online despite the IPoE-NAT collaboration failure If a card that supports NAT collaboration fails, the IPoE-NAT collaboration fails. Perform this task to enable dynamic individual users to come online despite the collaboration failure. For more information about NAT, see Layer 3—IP Services Configuration Guide.
  • Page 417: Configuring Static Ipoe Sessions On An Interface

    • Disabling ARP-based static individual users does not affect online ARP-based static individual users.
    Procedure. To enable static individual users:
    Step: Enter system view. Command: system-view
    Step: Enter interface view. Command: interface interface-type interface-number
    Command:
      • Enable IPv4 static individual users: ip subscriber initiator unclassified-ip enable
      •...
  • Page 418: Configuring Global Static Ipoe Sessions

    Step: Configure the interval at which the device sends online requests to static IPoE users.
    Command:
      • For IPv4 static IPoE sessions: ip subscriber static-session request-online interval seconds
      • For IPv6 static IPoE sessions: ipv6 subscriber static-session request-online interval seconds
    Remarks: By default, the interval is 180 seconds.
    Configuring global static IPoE sessions...
  • Page 419: Configuring Passwords For Static Individual Users

    Step: Enter system view. Command: system-view
    Step: Enter interface view. Command: interface interface-type interface-number
    Command:
      • Configure an authentication user naming convention for IPv4 static individual users: ip subscriber unclassified-ip username include { nas-port-id [ separator separator ] | port [ separator separator ] | second-vlan [ separator separator ] | slot [ separator separator ] | source-ip...
  • Page 420: Configuring Isp Domains For Static Individual Users

    Step: Configure passwords for static individual users.
    Command:
      • Configure a password for IPv4 static individual users: ip subscriber password { ciphertext | plaintext } string
      • Configure a password for IPv6
    Remarks: The default password for a static individual user is vlan.
  • Page 421: Configuring Interface-Leased Users

    Configuring interface-leased users You can configure up to one IPv4 interface-leased user and one IPv6 interface-leased user on an interface. When leased users are in Layer 2 access mode, all IP users who access the BRAS through an IPoE interface are called subusers. Use the display or reset commands to view or delete the subuser information.
  • Page 422: Configuring L2Vpn-Leased Users

    Step: Configure subnet-leased users.
    Command:
      • Configure an IPv4 subnet-leased user: ip subscriber subnet-leased ip ip-address { mask | mask-length } username name password { ciphertext | plaintext } string [ domain domain-name ]
    Remarks: By default, no subnet-leased user is configured.
  • Page 423: Configuring Service-Specific Isp Domains

    Step: Enter interface view. Command: interface interface-type interface-number
    Step: Configure ISP domains for leased users.
    Command:
      • Configure a domain collectively for IPv4 leased users: ip subscriber unclassified-ip domain domain-name
      • Configure a domain collectively
    Remarks: By default, leased users use the default system ISP domain.
  • Page 424: Configuring The Quiet Feature For Users

    Step: Configure a service identifier.
    Command: ipv6 subscriber service-identify { 8021p { second-vlan | vlan } | dscp | second-vlan | vlan }
    Remarks: By default, no service identifier is configured for DHCPv6 users, IPv6 unclassified-IP users, static individual users, and leased users. Only subinterfaces support parameters 8021p, second-vlan and vlan.
  • Page 425: Configuring Nas-Port-Type For An Interface

    After you configure online detection, the BRAS starts a detection timer to detect online users. If the BRAS does not receive user packets from a user when the detection timer expires, it sends a detection packet to the user and performs the following operations: •...
  • Page 426: Configuring Nas-Port-Id Formats

    Configuring NAS-Port-ID formats The NAS-Port-ID RADIUS attribute specifies the access location of a user. The BRAS supports the following formats for NAS-Port-ID: • version 1.0—Format for China Telecom. • version 2.0—Format specified in YDT 2275-2011 Subscriber Access Loop (Port) Identification in Broadband Access Networks. You can configure the following settings if version 2.0 is used when the BRAS acts as a DHCP relay: •...
  • Page 427: Setting The Traffic Statistics Update Timer For Ipoe Sessions

    Step: Enter interface view. Command: interface interface-type interface-number
    Step: Enable IPoE access-out authentication.
    Command:
      • Enable IPoE access-out authentication for IPv4 users: ip subscriber access-out
      • Enable IPoE access-out authentication for IPv6 users: ipv6 subscriber access-out
    Remarks: By default, IPoE access-out authentication is disabled.
    Setting the traffic statistics update timer for IPoE sessions. You can set the traffic statistics update timer for IPoE sessions based on the statistic frequency...
  • Page 428: Display And Maintenance Commands For Ipoe

    Display and maintenance commands for IPoE Execute display commands in any view and reset commands in user view. Task Command • For IPv4 individual users: display ip subscriber chasten user [ interface interface-type interface-number ] [ ip ip-address | mac mac-address | user-type { dhcp | unclassified-ip | static } ] [ verbose ] [ slot slot-number ] (In standalone mode.) Display information...
  • Page 429 Task Command • For IPv4 individual users: display ip subscriber session [ interface interface-type interface-number ] [ domain domain-name | ip ip-address [ vpn-instance vpn-instance-name ] | mac mac-address | static | username name | user-address-type { private-ds | private-ipv4 | public-ds | public-ipv4 } | auth-type bind ] [ chassis chassis-number slot slot-number ] (In IRF mode.) Display IPoE session [ verbose ]...
  • Page 430 Task: Display information about IPoE subnet-leased users.
    Command:
      • For IPv4 subnet-leased users: display ip subscriber subnet-leased [ interface interface-type interface-number ] [ ip ip-address mask-length ] [ chassis chassis-number slot slot-number ] (In IRF mode.)
      • For IPv6 subnet-leased users: display ipv6 subscriber subnet-leased [ interface interface-type interface-number ] [ ipv6 ipv6-address prefix-length ] [ chassis chassis-number slot...
  • Page 431 Task: Display IPoE session statistics for interface-leased users.
    Command:
      • For IPv4 interface-leased users: display ip subscriber interface-leased statistics [ interface interface-type interface-number ] [ slot slot-number ] (In standalone mode.)
      • For IPv6 interface-leased users: display ipv6 subscriber interface-leased statistics [ interface interface-type interface-number ] [ slot slot-number ]
      •...
  • Page 432: Ipoe Configuration Examples

    Task: Delete IPoE interface-leased user information and log out users.
    Command:
      • For IPv4 interface-leased users: reset ip subscriber interface-leased user [ interface interface-type interface-number [ ip ip-address | mac mac-address ] ]
      • For IPv6 interface-leased users: reset ipv6 subscriber interface-leased user [ interface interface-type interface-number [ ipv6 ipv6-address | mac mac-address ] ]
      •...
  • Page 433 Figure 145 Network diagram Procedure Configure the RADIUS server: (This section uses the Linux Free RADIUS server as an example.) # Add BRAS IP address 4.4.4.2 and secret radius to the clients.conf file.
    client 4.4.4.2/32 {
      ipaddr = 4.4.4.2
      netmask=32
      secret=radius
    }
    # Add the username and password to the users user information file.
  • Page 434: Example: Configuring A Dhcp User

    [Device-GigabitEthernet3/1/2] ip subscriber initiator unclassified-ip enable # Specify dm1 as the ISP domain. [Device-GigabitEthernet3/1/2] ip subscriber unclassified-ip domain dm1 # Configure plaintext password radius for authentication. [Device-GigabitEthernet3/1/2] ip subscriber password plaintext radius [Device-GigabitEthernet3/1/2] quit Verifying the configuration # Display IPoE session information to verify that the host has come online. [Device] display ip subscriber session Type: D-DHCP S-Static...
  • Page 435 # Create an IP address pool named pool1 and enter its view. [DHCP-server] dhcp server ip-pool pool1 # Configure network segment 3.3.3.0/24 to the pool, and configure IP address 3.3.3.1 as unavailable. [DHCP-server-pool-pool1] network 3.3.3.0 24 [DHCP-server-pool-pool1] forbidden-ip 3.3.3.1 [DHCP-server-pool-pool1] quit Configure the BRAS: a.
  • Page 436: Example: Configuring An Ipv6-Nd-Rs User

    Verifying the configuration # Display IPoE session information to verify that the host has come online. [Device] display ip subscriber session Type: D-DHCP S-Static U-Unclassified-IP Interface IP address MAC address Type State -------------------------------------------------------------------------------- GE3/1/2 3.3.3.2 000c-29a6-b656 D Online Example: Configuring an IPv6-ND-RS user Network configuration As shown in Figure...
  • Page 437: Example: Configuring An Arp-Based Static User

    [Device-radius-rs1] key authentication simple radius [Device-radius-rs1] key accounting simple radius # Exclude the ISP name from the username sent to the RADIUS server. [Device-radius-rs1] user-name-format without-domain [Device-radius-rs1] quit d. Configure the ISP domain: # Create an ISP domain named dm1 and enter its view. [Device] domain dm1 # Configure dm1 to use RADIUS scheme rs1.
  • Page 438 Procedure Configure the RADIUS server: (This section uses the Linux Free RADIUS server as an example.) # Add BRAS IP address 4.4.4.2 and secret radius to the clients.conf file.
    client 4.4.4.2/32 {
      ipaddr = 4.4.4.2
      netmask=32
      secret=radius
    }
    # Add the username and password to the users user information file. The username is the host IP address 3.3.3.2.
  • Page 439: Example: Configuring Subnet-Leased Users

    [Device] dhcp enable # Create an IP address pool named test and enter its view. [Device] dhcp server ip-pool test # Configure a gateway IP address for the host and enable route exporting. Route exporting automatically adds the gateway IP address and related static IP address to the routing table of the host.
  • Page 440 # Add usernames and passwords to the users user information file. Usernames for the three subnet user groups are us1, us2, and us3. Passwords for the three subnet user groups are pw1, pw2, and pw3.
    us1 Cleartext-Password :="pw1"
    us2 Cleartext-Password :="pw2"
    us3 Cleartext-Password :="pw3"
    Configure the BRAS: a.
  • Page 441 Network : 5.5.5.0/24 User ID : 0x38060000 State : Online Service node : Slot 3 CPU 0 Domain : dm1 Login time : May 14 20:08:35 2014 Online time (hh:mm:ss) : 00:16:37 Total users : 10 AAA: ITA policyname : N/A IP pool : N/A Primary DNS server...
  • Page 442 AAA: ITA policyname : N/A IP pool : N/A Primary DNS server : N/A Secondary DNS server : N/A Session idle cut : N/A Session duration : N/A, remaining: N/A Traffic quota : N/A Acct start-fail action : Online Acct update-fail action : Online Acct quota-out action : Offline...
  • Page 443: Example: Configuring An Interface-Leased User

    Traffic quota : N/A Acct start-fail action : Online Acct update-fail action : Online Acct quota-out action : Offline Max multicast addresses Multicast address list : N/A QoS: User profile : N/A Session group profile : N/A User group acl : N/A Inbound CAR : N/A...
  • Page 444 Cleartext-Password :="pw1" Configure the BRAS: a. Configure IP addresses for interfaces. (Details not shown.) b. Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Device> system-view [Device] radius scheme rs1 # Configure primary servers and keys for authentication and accounting. [Device-radius-rs1] primary authentication 4.4.4.1 [Device-radius-rs1] primary accounting 4.4.4.1 [Device-radius-rs1] key authentication simple radius...
  • Page 445: Example: Configuring An L2Vpn-Leased User

    ITA policyname : N/A IP pool : N/A Primary DNS server : N/A Secondary DNS server : N/A Session idle cut : N/A Session duration : N/A, remaining: N/A Traffic quota : N/A Acct start-fail action : Online Acct update-fail action : Online Acct quota-out action : Offline...
  • Page 446 Procedure Configure the RADIUS server: (This section uses the Linux Free RADIUS server as an example.) # Add the BRAS IP address 4.4.4.2 and the secret radius to the clients.conf file.
    client 4.4.4.2/32 {
      ipaddr = 4.4.4.2
      netmask=32
      secret=radius
    }
    # Add host username and password to the users user information file. The username is us1 and the password is pw1.
  • Page 447 [PE2-GigabitEthernet3/1/1] xconnect vsi svc [PE2-GigabitEthernet3/1/1] quit Configure PE1: # Configure an LSR ID. <PE1> system-view [PE1] interface loopback 0 [PE1-LoopBack0] ip address 1.1.1.9 32 [PE1-LoopBack0] quit [PE1] mpls lsr-id 1.1.1.9 # Enable L2VPN. [PE1] l2vpn enable # Enable LDP globally. [PE1] mpls ldp [PE1-ldp] quit # Configure GigabitEthernet 3/1/2 (the interface connected to PE 2), and enable LDP on the...
  • Page 448 [PE1-radius-rs1] key authentication simple radius [PE1-radius-rs1] key accounting simple radius # Exclude the ISP name from the username sent to the RADIUS server. [PE1-radius-rs1] user-name-format without-domain [PE1-radius-rs1] quit # Enable the RADIUS session-control feature. [PE1] radius session-control enable b. Configure the ISP domain: # Create an ISP domain named dm1 and enter its view.
  • Page 449: Example: Configuring A Vpn Dhcp User

    Acct start-fail action : Online Acct update-fail action : Online Acct quota-out action : Offline Max multicast addresses Multicast address list : N/A QoS: User profile : N/A Session group profile : N/A User group acl : N/A Inbound CAR : N/A Outbound CAR : N/A...
  • Page 450 Framed-Pool := "pool1" Configure the DHCP server: # Enable DHCP. <DHCP-server> system-view [DHCP-server] dhcp enable # Create an IP address pool named pool1 and enter its view. [DHCP-server] dhcp server ip-pool pool1 # Configure network segment 3.3.3.0/24 to the pool. [DHCP-server-pool-pool1] network 3.3.3.0 24 # Configure IP address 3.3.3.1 as unavailable.
  • Page 451 # Configure a gateway IP address for the host and enable route exporting. Route exporting automatically adds the gateway IP address and related static IP address to the routing table of vpn1. [Device-dhcp-pool-pool1] gateway-list 3.3.3.1 export-route # Configure an IP address for the DHCP server. [Device-dhcp-pool-pool1] remote-server 4.4.4.3 e.
  • Page 452: Example: Configuring Online Detection

    VxLAN ID DHCP lease : 86400 sec DHCP remain lease : 18400 sec Access time : May 9 08:56:29 2014 Online time (hh:mm:ss) : 00:16:37 Service node : Slot 3 CPU 0 Authentication type : Bind Type : DHCP State : Online AAA: ITA policyname...
  • Page 453 Figure 153 Network diagram Procedure Configure the RADIUS server: (This section uses the Linux Free RADIUS server as an example.) # Add BRAS IP address 4.4.4.2 and secret radius to the clients.conf file.
    client 4.4.4.2/32 {
      ipaddr = 4.4.4.2
      netmask=32
      secret=radius
    }
    # Add the usernames and passwords to the users user information file.
  • Page 454: Troubleshooting Ipoe

    ISP domain in the option exists on the BRAS. If the DHCP packet does not carry Option 60 or Option 16/Option 17, verify that the ISP domain specified on the interface exists on the BRAS. If the problem persists, contact H3C Support.
  • Page 455: Index

    Index ISP domain idle timeout period include in user online duration, ISP domain method, Appendix A, RADIUS commonly used ISP domain user address type, attributes, ISP domain user ITA policy, Appendix C, RADIUS subattributes (vendor ID ISP domain user service type, 25506), L2TP LAC AAA authentication, concurrent login user max,...
  • Page 456 PPP CHAP authentication (authenticator direct portal authentication configuration, name not configured), direct portal authentication configuration (local PPP PAP authentication configuration, portal Web service), preferentially processing RADIUS extended cross-subnet portal authentication authentication requests, configuration, protocols and standards, extended direct portal authentication configuration, RADIUS accounting server, extended re-DHCP portal authentication...
  • Page 457 DHCP server address pool, DHCPv6 dynamic prefix allocation, DHCP server address pool creation, DHCPv6 IPv6 address/prefix allocation sequence, DHCP server address pool IP address range, DHCPv6 static address allocation, DHCPv6 address allocation, DHCPv6 static prefix allocation, DHCPv6 address pool, allowing DHCPv6 address pool selection, only DHCP users to pass portal authorization, DHCPv6 address pool VPN instance...
  • Page 458 AAA ISP domain idle timeout period include in IPoE unclassified-IP user configuration, user online duration, IPoE VPN DHCP user configuration, AAA ISP domain user address type, L2TP LAC AAA authentication, AAA ISP domain user ITA policy, L2TP LNS AAA authentication, AAA ISP domain user service type, L2TP LNS IMSI/SN binding authentication, AAA LDAP,...
  • Page 459 L2TP LAC-auto-initiated tunneling, AAA HWTACACS stop-accounting packet buffering, L2TP tunnel configuration (LAC-auto-initiated), AAA RADIUS stop-accounting packet buffering, AVP data transfer in hidden mode (L2TP), cache backing up AAA local bill cache, DHCP binding auto backup, DHCP snooping entries, AAA RADIUS class attribute as CAR DHCPv6 binding auto backup, parameter, DHCPv6 snooping entry auto backup,...
  • Page 460 DHCP snooping Option 82 support, AAA NAS-ID profile, DHCP voice client Option 184 AAA network access user attributes, parameters, AAA RADIUS, DHCPv6 address pool, AAA RADIUS accounting-on, DHCPv6 IA, AAA RADIUS attribute 31 MAC address DHCPv6 IAID, format, DHCPv6 IPv6 prefix assignment, AAA RADIUS attribute 87 format, DHCPv6 relay agent configuration, 195, 202...
  • Page 461 DHCP server BOOTP response format, direct portal authentication+preauthentication policy, DHCP server broadcast response, extended cross-subnet portal authentication, DHCP server compatibility, extended direct portal authentication, DHCP server configuration (WLAN application), extended re-DHCP portal authentication, DHCP server IP address dynamic IP-based portal-free rule, assignment, IPoE, 384, 390, 416...
  • Page 462 L2TP LAC AAA authentication, portal authentication user online detection (IPv6), L2TP LAC automatic tunnel establishment, portal authentication user synchronization, L2TP LAC source IP address, portal authentication Web proxy support, L2TP LAC tunnel exclusive use, portal authentication Web redirect, L2TP LAC tunnel request initiation, portal authentication Web server detection, L2TP LNS, portal HTTP attack defense,...
  • Page 463 RADIUS packet attributes, AAA RADIUS attribute translation (DAS), re-DHCP portal authentication, AAA RADIUS DAS, re-DHCP portal data authentication+preauthentication policy, L2TP AVP data transfer in hidden mode, remote portal authentication Web server, L2TP data message type, service tracing object, delaying source-based portal-free rule, MAC authentication delay, traffic accounting frequency mode, destination...