H3C SR6600 Configuration Manual page 106

[Router] domain system
[Router-isp-system] authentication ppp radius-scheme cams
[Router-isp-system] ip pool 1 10.200.1.2 10.200.1.254
[Router-isp-system] quit
# Configure the IP address of the virtual template interface, enable PAP authentication on
this interface, specify the address pool to be used to assign addresses for PPP users,
enable L2TP access based EAD, and set fragment match mode to exactly.
[Router] interface virtual-template 1
[Router-Virtual-Template1] ip address 10.200.1.1 255.255.255.0
[Router-Virtual-Template1] ppp authentication-mode pap
[Router-Virtual-Template1] remote address pool 1
[Router-Virtual-Template1] ppp access-control enable
[Router-Virtual-Template1] ppp access-control match-fragments exactly
[Router-Virtual-Template1] quit
# Enable L2TP service, configure an L2TP group, configure the local tunnel name as LNS,
and disable tunnel authentication.
[Router] l2tp enable
[Router] l2tp-group 1
[Router-l2tp1] tunnel name LNS
[Router-l2tp1] undo tunnel authentication
[Router-l2tp1] allow l2tp virtual-template 1
[Router-l2tp1] quit
# Enable the firewall function, specify the default filtering action as denying packets, and
enable fragment inspection.
[Router] firewall enable
[Router] firewall default deny
[Router] firewall fragments-inspect
# Configure security ACL 2000, so that users passing security authentication can access
the Internet.
[Router] acl number 2000
[Router-acl-basic-2000] rule 0 permit
[Router-acl-basic-2000] quit
# Configure isolation ACL 3000, so that users failing security authentication can access
only quarantine area 10.22.2.0/24.
[Router] acl number 3000
[Router-acl-adv-3000] rule 0 permit ip destination 10.22.2.0 0.0.0.255
2) Configure the CAMS/iMC server
Specify ACL 2000 as the security ACL and ACL 3000 as the isolation ACL in the security
policy for the user.
See the related CAMS/iMC documentation for more configuration information.
5-96