H3C SR8800-F Configuration manual

H3C SR8800-F Routers
Comware 7 User Access Configuration Guide
New H3C Technologies Co., Ltd.
http://www.h3c.com.hk
Software version: SR8800FS-CMW710-R7655P05 or later
Document version: 6W100-20170825
Copyright © 2017, New H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written
consent of New H3C Technologies Co., Ltd.
Trademarks
H3C, H3CS, H3CIE, H3CNE, Aolynk, H3Care, IRF, NetPilot, Netflow, SecEngine, SecPath, SecCenter, SecBlade, Comware, ITCMM and HUASAN are trademarks of New H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
This configuration guide describes fundamentals and configuration of user access features.
This preface includes the following topics about the documentation:
• Audience
• Conventions
• Obtaining documentation
• Technical support
• Documentation feedback
Audience
This documentation is intended for:
• Network planners.
• Field technical support and servicing engineers.
• Network administrators working with the routers.
Conventions
The following information describes the conventions used in the documentation.
Command conventions
Convention Description
Boldface Bold text represents commands and keywords that you enter literally as shown.
Italic Italic text represents arguments that you replace with actual values.
[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... } Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ] Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } * Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select a minimum of one.
[ x | y | ... ] * Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n> The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
# A line that starts with a pound (#) sign is a comment.
GUI conventions
Convention Description
Boldface Window names, button names, field names, and menu items are in Boldface. For example, the New User window opens; click OK.
> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention Description
WARNING!
An alert that calls attention to important information that if not understood or followed
can result in personal injury.
CAUTION:
An alert that calls attention to important information that if not understood or followed
can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT:
An alert that calls attention to essential information.
NOTE:
An alert that contains additional or supplementary information.
TIP:
An alert that provides helpful information.
Network topology icons
Convention Description
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that
supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, a unified wired-WLAN module, or the access
controller engine on a unified wired-WLAN switch.
Represents an access point.
Wireless terminator unit.
Wireless terminator.
Represents a mesh access point.
Represents omnidirectional signals.
Represents directional signals.
Represents a security product, such as a firewall, UTM, multiservice security
gateway, or load balancing device.
Represents a security module, such as a firewall, load balancing, NetStream, SSL
VPN, IPS, or ACG module.
Examples provided in this document
Examples in this document might use devices that differ from your device in hardware model,
configuration, or software version. It is normal that the port numbers, sample output, screenshots,
and other information in the examples differ from what you have on your device.
Obtaining documentation
To access the most up-to-date H3C product documentation, go to the H3C website at
http://www.h3c.com.hk
To obtain information about installation, configuration, and maintenance, click
http://www.h3c.com.hk/Technical_Documents
To obtain software version information such as release notes, click
http://www.h3c.com.hk/Software_Download
Technical support
service@h3c.com
http://www.h3c.com.hk
Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
Contents
Configuring AAA ·············································································· 1
About AAA ······························································································································· 1
AAA implementation ············································································································ 1
AAA network diagram ··········································································································· 1
RADIUS ···························································································································· 2
HWTACACS ······················································································································ 5
LDAP ································································································································ 8
User management based on ISP domains and user access types ··············································· 11
Authentication, authorization, and accounting methods ······························································ 11
AAA for MPLS L3VPNs ······································································································ 13
Protocols and standards ····································································································· 13
AAA tasks at a glance ··············································································································· 14
Configuring local users ·············································································································· 15
About local users ··············································································································· 15
Local user configuration tasks at a glance··············································································· 16
Configuring attributes for device management users ································································· 16
Configuring attributes for network access users ······································································· 17
Configuring local guest attributes ·························································································· 18
Configuring user group attributes ·························································································· 19
Managing local guests ········································································································ 21
Display and maintenance commands for local users and local user groups ···································· 22
Configuring RADIUS ················································································································· 23
RADIUS tasks at a glance ··································································································· 23
Configuring a test profile for RADIUS server status detection ······················································ 23
Creating a RADIUS scheme ································································································ 24
Specifying the RADIUS authentication servers ········································································· 24
Specifying the RADIUS accounting servers ············································································· 25
Specifying the shared keys for secure RADIUS communication ··················································· 26
Specifying an MPLS L3VPN instance for the scheme ································································ 26
Setting the username format and traffic statistics units ······························································ 27
Setting the maximum number of RADIUS request transmission attempts ······································ 27
Setting the maximum number of real-time accounting attempts ··················································· 28
Configuring RADIUS stop-accounting packet buffering ······························································ 28
Setting the maximum number of pending RADIUS requests ······················································· 29
Setting the status of RADIUS servers ···················································································· 29
Enabling the RADIUS server load sharing feature ···································································· 31
Specifying the source IP address for outgoing RADIUS packets ·················································· 32
Setting RADIUS timers ······································································································· 33
Configuring the RADIUS accounting-on feature ······································································· 34
Interpreting the RADIUS class attribute as CAR parameters ······················································· 34
Configuring the Login-Service attribute check method for SSH, FTP, and terminal users ·················· 35
Configuring the MAC address format for RADIUS attribute 31 ····················································· 35
Configuring the format for RADIUS attribute 87 ········································································ 36
Setting the data measurement unit for the Remanent_Volume attribute········································· 36
Specifying a server version for interoperating with servers with a vendor ID of 2011 ························ 37
Configuring the RADIUS attribute translation feature ································································· 37
Configuring the RADIUS session-control feature ······································································ 39
Configuring the RADIUS DAS feature ···················································································· 39
Changing the DSCP priority for RADIUS packets ····································································· 40
Configuring the device to preferentially process RADIUS authentication requests ··························· 40
Enabling SNMP notifications for RADIUS ··············································································· 41
Display and maintenance commands for RADIUS ···································································· 41
Configuring HWTACACS ··········································································································· 42
HWTACACS tasks at a glance ····························································································· 42
Creating an HWTACACS scheme ························································································· 42
Specifying the HWTACACS authentication servers ··································································· 42
Specifying the HWTACACS authorization servers ···································································· 43
Specifying the HWTACACS accounting servers ······································································· 44
Specifying the shared keys for secure HWTACACS communication ············································· 44
Specifying an MPLS L3VPN instance for the scheme ································································ 45
Setting the username format and traffic statistics units ······························································ 45
Configuring HWTACACS stop-accounting packet buffering ························································ 46
Specifying the source IP address for outgoing HWTACACS packets ············································ 46
Setting HWTACACS timers ································································································· 47
Display and maintenance commands for HWTACACS ······························································ 48
Configuring LDAP ···················································································································· 49
LDAP tasks at a glance ······································································································ 49
Creating an LDAP server ···································································································· 49
Configuring the IP address of the LDAP server ········································································ 49
Specifying the LDAP version ································································································ 50
Setting the LDAP server timeout period ·················································································· 50
Configuring administrator attributes ······················································································· 50
Configuring LDAP user attributes ·························································································· 51
Configuring an LDAP attribute map ······················································································· 52
Creating an LDAP scheme ·································································································· 52
Specifying the LDAP authentication server·············································································· 53
Specifying the LDAP authorization server ··············································································· 53
Specifying an LDAP attribute map for LDAP authorization ·························································· 53
Display and maintenance commands for LDAP ········································································ 53
Configuring AAA methods for ISP domains ···················································································· 54
Creating an ISP domain ······································································································ 54
Configuring ISP domain attributes ························································································· 55
Configuring authentication methods for an ISP domain ······························································ 58
Configuring authorization methods for an ISP domain ······························································· 60
Configuring accounting methods for an ISP domain ·································································· 62
Display and maintenance commands for ISP domains ······························································ 64
Setting the maximum number of concurrent login users···································································· 65
Configuring the local bill cache feature ························································································· 65
About local bill cache ········································································································· 65
Procedure ························································································································ 65
Display and maintenance commands for local bill cache ···························································· 66
Configuring a NAS-ID ··············································································································· 66
About NAS-IDs ················································································································· 66
Configuring a NAS-ID profile ································································································ 66
Setting the NAS-ID on an interface ························································································ 67
Setting the NAS-ID in an ISP domain ····················································································· 67
Configuring the device ID ··········································································································· 68
AAA configuration examples ······································································································· 68
Example: Configuring authentication and authorization for SSH users by a RADIUS server ··············· 68
Example: Configuring local authentication and authorization for SSH users ··································· 71
Example: Configuring AAA for SSH users by an HWTACACS server ············································ 72
Example: Configuring authentication for SSH users by an LDAP server ········································ 73
Example: Configuring AAA for PPP users by an HWTACACS server ············································ 78
Troubleshooting RADIUS ··········································································································· 79
RADIUS authentication failure ······························································································ 79
RADIUS packet delivery failure ···························································································· 80
RADIUS accounting error ···································································································· 80
Troubleshooting HWTACACS ····································································································· 81
Troubleshooting LDAP ·············································································································· 81
LDAP authentication failure ································································································· 81
Appendixes ···························································································································· 82
Appendix A Commonly used RADIUS attributes ······································································· 82
Appendix B Descriptions for commonly used standard RADIUS attributes ····································· 83
Appendix C RADIUS subattributes (vendor ID 25506) ······························································· 85
DHCP overview ············································································· 88
DHCP network model ··············································································································· 88
DHCP address allocation ··········································································································· 88
Allocation mechanisms ······································································································· 88
IP address allocation process ······························································································ 89
IP address lease extension ·································································································· 89
DHCP message format ············································································································· 90
DHCP options ························································································································· 91
Common DHCP options ············································································································ 91
Custom DHCP options ·············································································································· 91
Vendor-specific option (Option 43) ························································································ 92
Relay agent option (Option 82) ····························································································· 93
Option 184 ······················································································································· 93
Protocols and standards ············································································································ 94
Configuring the DHCP server ···························································· 95
About DHCP server ·················································································································· 95
DHCP address assignment mechanisms ················································································ 95
Principles for selecting an address pool·················································································· 96
IP address allocation sequence ···························································································· 97
DHCP server tasks at a glance ··································································································· 97
Creating a DHCP user class ······································································································· 98
Configuring an address pool on the DHCP server ··········································································· 98
DHCP address pool tasks at a glance ···················································································· 98
Creating a DHCP address pool ···························································································· 99
Specifying IP address ranges for a DHCP address pool ····························································· 99
Specifying gateways for DHCP clients ················································································· 102
Specifying a domain name suffix for DHCP clients ·································································· 102
Specifying DNS servers for DHCP clients ············································································· 103
Specifying WINS servers and NetBIOS node type for DHCP clients ··········································· 103
Specifying BIMS server for DHCP clients ·············································································· 103
Specifying the configuration file for DHCP client auto-configuration ············································ 104
Specifying a server for DHCP clients ··················································································· 105
Configuring Option 184 parameters for DHCP clients ······························································ 105
Customizing DHCP options ······························································································· 105
Configuring the DHCP user class whitelist ············································································ 107
Enabling DHCP ····················································································································· 107
Enabling the DHCP server on an interface ·················································································· 108
Applying a DHCP address pool to a VPN instance ········································································ 108
Applying an address pool on an interface ···················································································· 108
Configuring a DHCP policy for dynamic address assignment ··························································· 109
Allocating different IP addresses to DHCP clients with the same MAC ··············································· 110
Enabling random IP address allocation ······················································································· 110
Configuring IP address conflict detection ····················································································· 110
Enabling handling of Option 82 ································································································· 111
Disabling Option 60 encapsulation in DHCP replies ······································································· 111
Configuring the DHCP server security features ············································································· 112
Restrictions and guidelines ································································································ 112
Configuring DHCP flood attack protection ············································································· 112
Configuring DHCP starvation attack protection ······································································ 113
Configuring DHCP server compatibility ······················································································· 113
Configuring the DHCP server to always broadcast responses ··················································· 113
Enabling the DHCP server to return a DHCP-NAK message upon client notions of incorrect IP addresses ···· 114
Configure the DHCP server to ignore BOOTP requests ··························································· 114
Configuring the DHCP server to send BOOTP responses in RFC 1048 format ····························· 115
Setting the DSCP value for DHCP packets sent by the DHCP server ················································ 115
Configuring DHCP packet rate limit on a DHCP server interface ······················································ 115
Configuring DHCP binding auto backup ······················································································ 116
Binding gateways to DHCP server's MAC address ········································································ 116
Advertising subnets assigned to clients ······················································································· 117
Enabling client offline detection on the DHCP server ····································································· 118
Configuring SNMP notifications for the DHCP server ····································································· 118
Enabling DHCP logging on the DHCP server ··············································································· 119
Display and maintenance commands for DHCP server ·································································· 119
DHCP server configuration examples ························································································· 120
Example: Configuring static IP address assignment ································································ 120
Example: Configuring dynamic IP address assignment ···························································· 121
Example: Configuring DHCP user class ··············································································· 123
Example: Configuring DHCP user class whitelist ···································································· 125
Example: Configuring primary and secondary subnets ···························································· 126
Example: Customizing DHCP option ··················································································· 127
Example: Configuring DHCP server (WLAN application) ································································· 129
Network configuration ······································································································· 129
Procedure ······················································································································ 130
Verifying the configuration ································································································· 130
Troubleshooting DHCP server configuration ················································································ 130
Failure to obtain a non-conflicting IP address ········································································ 130
Configuring the DHCP relay agent ··················································· 132
About DHCP relay agent ········································································································· 132
DHCP relay agent operation ······························································································ 132
DHCP relay agent support for Option 82 ··············································································· 133
DHCP relay agent support for MCE ····················································································· 133
DHCP relay agent tasks at a glance ··························································································· 134
Enabling DHCP ····················································································································· 134
Enabling the DHCP relay agent on an interface ············································································ 134
Specifying DHCP servers ········································································································ 135
Specifying DHCP servers on a relay agent ············································································ 135
Configuring a DHCP address pool on a DHCP relay agent ······················································· 135
Specifying the DHCP server selecting algorithm ····································································· 136
Configuring the DHCP relay agent security features ······································································ 138
Restrictions and guidelines ······························································································· 138
Enabling the DHCP relay agent to record relay entries ···························································· 138
Enabling periodic refresh of dynamic relay entries ·································································· 138
Configuring DHCP flood attack protection ············································································· 139
Enabling DHCP starvation attack protection ·········································································· 139
Enabling DHCP server proxy on the DHCP relay agent ··························································· 140
Enabling client offline detection on the DHCP relay agent ························································ 141
Configuring the DHCP relay agent to release an IP address ···························································· 141
Configuring Option 82 ············································································································· 141
Setting the DSCP value for DHCP packets sent by the DHCP relay agent ·········································· 142
Configuring DHCP packet rate limit on a DHCP relay interface ························································ 143
Specifying the DHCP relay agent address for the giaddr field ························································· 143
Manually specifying the DHCP relay agent address for the giaddr field ······································· 143
Configuring smart relay to specify the DHCP relay agent address for the giaddr field ···················· 143
Specifying the source IP address for DHCP requests ····································································· 145
Configuring the DHCP relay agent to always unicast relayed DHCP responses ··································· 146
Configuring forwarding DHCP replies based on Option 82 ······························································ 146
Display and maintenance commands for DHCP relay agent ···························································· 147
DHCP relay agent configuration examples ·················································································· 148
Example: Configuring basic DHCP relay agent ······································································ 148
Example: Configuring Option 82 ························································································· 149
Example: Configuring DHCP server selection ········································································ 149
Troubleshooting DHCP relay agent configuration ·········································································· 151
Failure of DHCP clients to obtain configuration parameters through the DHCP relay agent ············· 151
Configuring the DHCP client ··························································· 152
About DHCP client ················································································································· 152
Restrictions and guidelines: DHCP client configuration ··································································· 152
Enabling the DHCP client on an interface ···················································································· 152
Configuring a DHCP client ID for an interface ··············································································· 152
Enabling duplicated address detection ························································································ 153
Setting the DSCP value for DHCP packets sent by the DHCP client ················································· 153
Display and maintenance commands for DHCP client ···································································· 154
DHCP client configuration examples ·························································································· 154
Example: Configuring DHCP client ······················································································ 154
Configuring DHCP snooping ··························································· 157
About DHCP snooping ············································································································ 157
Application of trusted and untrusted ports ············································································· 157
DHCP snooping support for Option 82 ················································································· 158
Restrictions and guidelines: DHCP snooping configuration ····························································· 159
DHCP snooping tasks at a glance ····························································································· 159
Configuring basic DHCP snooping ····························································································· 159
Configuring Option 82 ············································································································· 160
Configuring DHCP snooping entry auto backup ············································································ 161
Enabling DHCP starvation attack protection ················································································· 162
Enabling DHCP-REQUEST attack protection ··············································································· 162
Setting the maximum number of DHCP snooping entries ································································ 163
Configuring a DHCP packet blocking port ···················································································· 163
Enabling DHCP snooping logging ······························································································ 164
Display and maintenance commands for DHCP snooping ······························································· 164
DHCP snooping configuration examples ····················································································· 165
Example: Configuring basic DHCP snooping ········································································· 165
Example: Configuring DHCP snooping support for Option 82 ···················································· 166
Configuring the BOOTP client ························································· 168
About BOOTP client ··············································································································· 168
BOOTP application ·········································································································· 168
Obtaining an IP address dynamically ··················································································· 168
Protocols and standards ··································································································· 168
Configuring an interface to use BOOTP for IP address acquisition ···················································· 168
Display and maintenance commands for BOOTP client ·································································· 169
BOOTP client configuration examples ························································································ 169
Example: Configuring BOOTP client ···················································································· 169
DHCPv6 overview ········································································ 170
DHCPv6 address/prefix assignment ··························································································· 170
Rapid assignment involving two messages ··········································································· 170
Assignment involving four messages ··················································································· 170
Address/prefix lease renewal ···································································································· 171
Stateless DHCPv6 ················································································································· 172
DHCPv6 options ···················································································································· 172
Option 18 ······················································································································· 172
Option 37 ······················································································································· 173
Protocols and standards ·········································································································· 174
Configuring the DHCPv6 server ······················································ 175
About DHCPv6 server ············································································································· 175
IPv6 address assignment ·································································································· 175
IPv6 prefix assignment ····································································································· 175
Concepts ······················································································································· 176
DHCPv6 address pool ······································································································ 176
IPv6 address/prefix allocation sequence ··············································································· 177
DHCPv6 server tasks at a glance ······························································································ 178
Configuring IPv6 prefix assignment ···························································································· 178
Configuring IPv6 address assignment ························································································ 180
Configuring network parameters assignment ··············································································· 181
Configuring network parameters in a DHCPv6 address pool ····················································· 182
Configuring network parameters in a DHCPv6 option group ····················································· 182
Configuring a DHCPv6 policy for IPv6 address and prefix assignment ··············································· 183
Configuring the DHCPv6 server on an interface ············································································ 184
Allocating different IPv6 addresses to DHCPv6 clients with the same MAC ········································ 185
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server ·········································· 185
Configuring DHCPv6 binding auto backup ··················································································· 186
Advertising subnets assigned to clients ······················································································· 186
Applying a DHCPv6 address pool to a VPN instance ····································································· 187
Configuring the DHCPv6 server security features ········································································· 188
Configuring DHCPv6 flood attack protection ·········································································· 188
Enabling the DHCPv6 server to advertise IPv6 prefixes ·································································· 189
Enabling DHCPv6 logging on the DHCPv6 server ········································································· 189
Display and maintenance commands for DHCPv6 server ······························································· 189
DHCPv6 server configuration examples ······················································································ 190
Example: Configuring dynamic IPv6 prefix assignment ···························································· 190
Example: Configuring dynamic IPv6 address assignment ························································· 193
Configuring the DHCPv6 relay agent ················································ 195
About DHCPv6 relay agent ······································································································ 195
Typical application ··········································································································· 195
DHCPv6 relay agent operating process ················································································ 195
DHCPv6 relay agent tasks at a glance ························································································ 196
Enabling the DHCPv6 relay agent on an interface ········································································· 196
Specifying DHCPv6 servers on the relay agent ············································································ 196
Specifying the DHCPv6 server IP addresses ········································································· 196
Specifying DHCPv6 servers for a DHCPv6 address pool on the DHCPv6 relay agent ···················· 197
Specifying a gateway address for DHCPv6 clients ········································································ 198
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent ··································· 198
Specifying a padding mode for the Interface-ID option ··································································· 199
Configuring DHCPv6 relay security features ················································································ 199
Enabling the DHCPv6 relay agent to record relay entries ························································· 199
Enabling IPv6 release notification ······················································································· 199
Enabling client offline detection ·························································································· 200
Configuring DHCPv6 flood attack protection ·········································································· 200
Enabling the DHCPv6 relay agent to advertise IPv6 prefixes ··························································· 201
Display and maintenance commands for DHCPv6 relay agent ························································· 201
DHCPv6 relay agent configuration examples ··············································································· 202
Example: Configuring DHCPv6 relay agent ··········································································· 202
Configuring DHCPv6 snooping ························································ 204
About DHCPv6 snooping ········································································································· 204
Application of trusted and untrusted ports ············································································· 204
Restrictions and guidelines: DHCPv6 snooping configuration ·························································· 205
DHCPv6 snooping tasks at a glance ·························································································· 205
Configuring basic DHCPv6 snooping ·························································································· 205
Configuring support for Option 18 ······························································································ 206
Configuring support for Option 37 ······························································································ 206
Configuring DHCPv6 snooping entry auto backup ········································································· 206
Setting the maximum number of DHCPv6 snooping entries ····························································· 207
Enabling DHCPv6-REQUEST check ·························································································· 207
Configuring a DHCPv6 packet blocking port ················································································ 208
Enabling DHCPv6 snooping logging ··························································································· 208
Display and maintenance commands for DHCPv6 snooping ··························································· 209
Example: Configuring DHCPv6 snooping ···················································································· 209
Network configuration ······································································································· 209
Procedure ······················································································································ 210
Verifying the configuration ································································································· 210
Configuring MAC authentication ······················································ 211
About MAC authentication ······································································································· 211
User account policies ······································································································· 211
Authentication methods ···································································································· 212
VLAN assignment ············································································································ 212
ACL assignment ·············································································································· 214
User profile assignment ···································································································· 214
Periodic MAC reauthentication ··························································································· 215
Restrictions and guidelines: MAC authentication configuration ························································· 215
MAC authentication tasks at a glance ························································································· 215
Prerequisites for MAC authentication ························································································· 216
Enabling MAC authentication ···································································································· 216
Specifying a MAC authentication domain ···················································································· 216
Configuring the user account format ··························································································· 217
Configuring MAC authentication timers ······················································································· 217
About MAC authentication timers ························································································ 217
Procedure ······················································································································ 217
Enabling MAC authentication offline detection ·············································································· 218
Setting the maximum number of concurrent MAC authentication users on a port ································· 218
Enabling MAC authentication multi-VLAN mode on a port ······························································· 218
Configuring MAC authentication delay ························································································ 219
Configuring a MAC authentication guest VLAN ············································································· 219
Restrictions and guidelines ································································································ 219
Prerequisites ·················································································································· 220
Procedure ······················································································································ 220
Configuring a MAC authentication critical VLAN ··········································································· 220
Restrictions and guidelines ································································································ 220
Prerequisites ·················································································································· 221
Procedure ······················································································································ 221
Configuring the keep-online feature ··························································································· 221
Including user IP addresses in MAC authentication requests ··························································· 222
About the feature of including user IP addresses in MAC authentication requests ························· 222
Restrictions and guidelines ································································································ 222
Procedure ······················································································································ 222
Display and maintenance commands for MAC authentication ·························································· 222
MAC authentication configuration examples ················································································ 223
Example: Configuring local MAC authentication ····································································· 223
Example: Configuring RADIUS-based MAC authentication ······················································· 225
Example: Configuring ACL assignment for MAC authentication ················································· 227
Configuring PPP ·········································································· 230
About PPP ··························································································································· 230
PPP protocols ················································································································· 230
PPP link establishment process ·························································································· 230
PPP authentication ·········································································································· 231
PPP for IPv4 ·················································································································· 231
PPP for IPv6 ·················································································································· 232
Protocols and standards ·········································································································· 233
PPP tasks at a glance ············································································································· 233
Configuring a VT interface ······································································································· 233
Configuring PPP authentication ································································································· 234
Configuring PAP authentication ·························································································· 234
Configuring CHAP authentication (authenticator name is configured) ········································· 235
Configuring CHAP authentication (authenticator name is not configured) ····································· 236
Configuring MS-CHAP or MS-CHAP-V2 authentication ··························································· 237
Configuring the polling feature ·································································································· 238
Enabling fast reply for keepalive packets ····················································································· 239
Configuring PPP negotiation ····································································································· 239
Configuring the PPP negotiation timeout time ········································································ 239
Configuring IP address negotiation on the client ····································································· 240
Configuring IP address negotiation on the server ··································································· 240
Enabling IP segment match ······························································································· 243
Configuring DNS server IP address negotiation on the client ···················································· 244
Configuring DNS server IP address negotiation on the server ··················································· 244
Enabling PPP accounting ········································································································ 244
Enabling logging for PPP users ································································································· 245
Configuring service tracing objects ···························································································· 245
Enabling PPP user blocking ····································································································· 246
About PPP user blocking ·································································································· 246
Procedure ······················································································································ 246
Configuring the NAS-Port-Type attribute ····················································································· 246
Suppressing adding PPP peer host routes to the local direct route table ············································ 247
Configuring the traffic accounting frequency mode for online PPP users ············································ 247
Display and maintenance commands for PPP ·············································································· 247
Configuring L2TP ········································································· 250
About L2TP ·························································································································· 250
Typical L2TP networking ··································································································· 250
L2TP message types and encapsulation structure ·································································· 250
L2TP tunnel and session ··································································································· 251
L2TP tunneling modes and tunnel establishment process ························································ 251
L2TP features ················································································································· 254
L2TP-based EAD ············································································································ 256
Protocols and standards ··································································································· 256
Restrictions: Hardware compatibility with L2TP ············································································ 256
Restrictions and guidelines: L2TP configuration ············································································ 256
L2TP tasks at a glance ············································································································ 257
Configuring basic L2TP capabilities ··························································································· 258
Configuring an LAC ················································································································ 258
Configuring an LAC to initiate tunneling requests for a user ······················································ 258
Specifying LNS IP addresses ····························································································· 259
Configuring the source IP address of L2TP tunnel packets ······················································· 259
Configuring each L2TP user to use an L2TP tunnel exclusively ················································· 259
Enabling transferring AVP data in hidden mode ····································································· 260
Configuring AAA authentication on an LAC ··········································································· 260
Configuring an LAC to automatically establish an L2TP tunnel ·················································· 260
Configuring an LNS ················································································································ 261
Creating a VT interface ····································································································· 262
Configuring an LNS to accept L2TP tunneling requests from an LAC ·········································· 262
Configuring user authentication on an LNS ··········································································· 262
Configuring AAA authentication on an LNS ··········································································· 264
Setting the maximum number of ICRQ packets that the LNS can process per second ···················· 264
Configuring optional L2TP parameters ························································································ 264
Configuring L2TP tunnel authentication ················································································ 264
Setting the Hello interval ··································································································· 265
Setting the DSCP value of L2TP packets ·············································································· 265
Setting the TSA ID of the LTS ···························································································· 265
Enabling L2TP-based EAD ······································································································ 266
Configuring IMSI/SN binding authentication on the LNS ································································· 266
Display and maintenance commands for L2TP ············································································· 267
L2TP configuration examples ··································································································· 267
Example: Configuring a NAS-initiated L2TP tunnel ································································· 267
Example: Configuring a client-initiated L2TP tunnel ································································ 270
Example: Configuring an LAC-auto-initiated L2TP tunnel ························································· 271
Troubleshooting L2TP ············································································································· 273
Failure to access the private network ··················································································· 273
Data transmission failure ··································································································· 274
L2TP user offline ············································································································· 274
Configuring PPPoE ······································································· 275
About PPPoE ························································································································ 275
PPPoE network structure ········································································································· 275
Router-initiated network structure ······················································································· 275
Host-initiated network structure ·························································································· 276
Protocols and standards ·········································································································· 276
Restrictions: Hardware compatibility with IPoE ············································································· 276
Restrictions and guidelines: PPPoE configuration ········································································· 276
Configuring the PPPoE server ·································································································· 277
PPPoE server tasks at a glance ························································································· 277
Configuring a PPPoE session ···························································································· 277
Setting the maximum number of PPPoE sessions ·································································· 278
Limiting the PPPoE access rate ·························································································· 278
Configuring the NAS-Port-ID attribute ·················································································· 279
Enabling PPPoE users to come online despite the PPPoE-NAT444 collaboration failure ················ 280
Setting the maximum number of PADI packets that the device can receive per second ·················· 281
Configuring PPPoE user blocking ······················································································· 281
Enabling PPPoE logging ··································································································· 282
Display and maintenance commands for PPPoE ·········································································· 282
PPPoE configuration examples ································································································· 283
Example: Configuring the PPPoE server ·············································································· 283
Example: Assigning the PPPoE server IP address through the local DHCP server ························ 284
Example: Assigning the PPPoE server IP address through a remote DHCP server ························ 285
Example: Assigning the PPPoE server IPv6 address through ND and IPv6CP negotiation ·············· 287
Example: Assigning the PPPoE server IPv6 address through DHCPv6 ······································· 289
Example: Assigning the PPPoE server IPv6 address through prefix delegation by DHCPv6 ············ 290
Example: Configuring PPPoE server RADIUS-based IP address assignment ······························· 291
Configuring portal authentication ····················································· 294
About portal ·························································································································· 294
Advantages of portal authentication ····················································································· 294
Extended portal functions ·································································································· 294
Portal system ················································································································· 294
Portal authentication using a remote portal server ·································································· 295
Local portal service ·········································································································· 296
Portal authentication modes ······························································································ 296
Portal authentication process ····························································································· 297
Portal filtering rules ·········································································································· 299
MAC-based quick portal authentication ················································································ 299
Restrictions: Hardware compatibility with portal ············································································ 300
Restrictions and guidelines: Portal configuration ··········································································· 300
Portal tasks at a glance ··········································································································· 300
Prerequisites for portal ············································································································ 302
Configuring a portal authentication server ··················································································· 302
Configuring a portal Web server ································································································ 303
Configure basic parameters for a portal Web server ································································ 303
Configuring a match rule for URL redirection ········································································· 304
Configuring a local portal Web service ························································································ 304
Restrictions and guidelines for configuring a local portal Web service ········································· 304
Customizing authentication pages ······················································································· 304
Configuring parameters for a local portal Web service ····························································· 306
Specifying a portal authentication domain ··················································································· 307
About portal authentication domains ···················································································· 307
Restrictions and guidelines for specifying a portal authentication domain····································· 307
Specifying a portal authentication domain on an interface ························································ 308
Configuring a portal preauthentication policy ················································································ 308
About portal preauthentication policies ················································································· 308
Restrictions and guidelines ································································································ 308
Procedure ······················································································································ 308
Specifying a preauthentication IP address pool ············································································ 309
About preauthentication IP address pools ············································································· 309
Restrictions and guidelines ································································································ 309
Procedure ······················································································································ 310
Enabling portal authentication on an interface ·············································································· 310
Restrictions and guidelines ································································································ 310
Procedure ······················································································································ 311
Specifying a portal Web server on an interface ············································································· 311
Controlling portal user access ··································································································· 312
Configuring a portal-free rule ····························································································· 312
Configuring an authentication source subnet ········································································· 313
Setting the maximum number of portal users ········································································· 314
Enabling strict-checking on portal authorization information ······················································ 315
Allowing only users with DHCP-assigned IP addresses to pass portal authentication ····················· 316
Configuring support of Web proxy for portal authentication ······················································· 316
Blocking portal users that fail portal authentication ·································································· 317
Enabling portal roaming ···································································································· 317
Configuring the portal fail-permit feature ··············································································· 318
Configuring portal detection features ·························································································· 319
Configuring online detection of portal users ··········································································· 319
Configuring portal authentication server detection ·································································· 320
Configuring portal Web server detection ··············································································· 321
Configuring portal user synchronization ················································································ 321
Configuring portal packet attributes ···························································································· 322
Configuring the BAS-IP or BAS-IPv6 attribute ········································································ 322
Specifying the device ID ··································································································· 323
Configuring attributes for RADIUS packets ·················································································· 324
Specifying a format for the NAS-Port-Id attribute ···································································· 324
Applying a NAS-ID profile to an interface ·············································································· 324
Configuring MAC-based quick portal authentication ······································································· 325
Restrictions and guidelines for configuring MAC-based quick portal authentication ························ 325
Configuring a MAC binding server ······················································································· 325
Specifying a MAC binding server on an interface ···································································· 326
Configuring portal HTTP attack defense ······················································································ 326
Setting the user traffic backup threshold ····················································································· 327
Logging out online portal users ································································································· 327
Enabling portal user login/logout logging ····················································································· 328
Configuring Web redirect ········································································································· 328
About Web redirect ·········································································································· 328
Restrictions and guidelines ································································································ 328
Procedure ······················································································································ 328
Display and maintenance commands for portal ············································································ 329
Portal configuration examples ··································································································· 330
Example: Configuring direct portal authentication ··································································· 330
Example: Configuring re-DHCP portal authentication ······························································ 338
Example: Configuring cross-subnet portal authentication ························································· 342
Example: Configuring extended direct portal authentication ······················································ 345
Example: Configuring extended re-DHCP portal authentication ················································· 349
Example: Configuring extended cross-subnet portal authentication ············································ 353
Example: Configuring portal server detection and portal user synchronization ······························ 356
Example: Configuring cross-subnet portal authentication for MPLS L3VPNs ································ 364
Example: Configuring direct portal authentication with a preauthentication policy ·························· 366
Example: Configuring re-DHCP portal authentication with a preauthentication policy ····················· 368
Example: Configuring direct portal authentication using a local portal Web service ························ 370
Example: Configuring MAC-based quick portal authentication ··················································· 373
Troubleshooting portal ············································································································ 381
No portal authentication page is pushed for users ·································································· 381
Cannot log out portal users on the access device ··································································· 382
Cannot log out portal users on the RADIUS server ································································· 382
Users logged out by the access device still exist on the portal authentication server ······················ 382
Re-DHCP portal authenticated users cannot log in successfully ················································ 383
Configuring IPoE ·········································································· 384
About IPoE ··························································································································· 384
IPoE access modes ········································································································· 384
IPoE users ····················································································································· 384
IPoE session ·················································································································· 385
IPoE addressing ·············································································································· 386
IPoE authentication methods ····························································································· 386
IPoE access procedure by using bind authentication ······························································· 386
Support for MPLS L3VPN ································································································· 389
Support for ITA ··············································································································· 390
Restrictions: Hardware compatibility with IPoE ············································································· 390
Restrictions and guidelines: IPoE configuration ············································································ 390
IPoE tasks at a glance ············································································································ 390
Prerequisites for IPoE ············································································································· 391
Enabling IPoE and setting the IPoE access mode ········································································· 391
Configuring bind authentication ································································································· 391
Configuring dynamic individual users ························································································· 392
Dynamic individual user configuration tasks at a glance ··························································· 392
Enabling dynamic individual users ······················································································ 392
Configuring authentication user naming conventions for dynamic individual users ························· 393
Configuring passwords for dynamic individual users ······························································· 396
Configuring ISP domains for dynamic individual users ····························································· 396
Configuring the maximum number of dynamic IPoE sessions ··················································· 397
Configuring trusted DHCP options for DHCP users ································································· 398
Configuring trusted ISP domains for DHCP users ··································································· 398
Configuring trusted source IP addresses for unclassified-IP users·············································· 399
Enabling dynamic individual users to come online despite the IPoE-NAT collaboration failure ·········· 400
Configuring static individual users ······························································································ 400
Static individual user configuration tasks at a glance ······························································· 400
Enabling static individual users ··························································································· 400
Configuring static IPoE sessions on an interface ···································································· 401
Configuring global static IPoE sessions ················································································ 402
Configuring authentication user naming conventions for static individual users ····························· 402
Configuring passwords for static individual users ···································································· 403
Configuring ISP domains for static individual users ································································· 404
Configuring leased users ········································································································· 404
Leased user configuration tasks at a glance ·········································································· 404
Configuring interface-leased users ······················································································ 405
Configuring subnet-leased users ························································································ 405
Configuring L2VPN-leased users ························································································ 406
Configuring ISP domains for leased users ············································································ 406
Configuring service-specific ISP domains ···················································································· 407
Configuring the quiet feature for users ························································································ 408
Configuring online detection for users ························································································· 408
Configuring NAS-Port-Type for an interface ················································································· 409
Configuring NAS-Port-ID formats ······························································································· 410
Enabling IPoE access-out authentication ···················································································· 410
Setting the traffic statistics update timer for IPoE sessions ······························································ 411
Enabling logging for IPoE users ································································································ 411
Display and maintenance commands for IPoE ············································································· 412
IPoE configuration examples ···································································································· 416
Example: Configuring an unclassified-IP user ········································································ 416
Example: Configuring a DHCP user····················································································· 418
Example: Configuring an IPv6-ND-RS user ··········································································· 420
Example: Configuring an ARP-based static user ···································································· 421
Example: Configuring subnet-leased users ··········································································· 423
Example: Configuring an interface-leased user ······································································ 427
Example: Configuring an L2VPN-leased user ········································································ 429
Example: Configuring a VPN DHCP user ·············································································· 433
Example: Configuring online detection ················································································· 436
Troubleshooting IPoE ············································································································· 438
DHCP clients failed to come online ····················································································· 438
Index ························································································· 439
Configuring AAA
About AAA
AAA implementation
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights, and controls the users' access to
resources and services. For example, you can permit office users to read and print files and
prevent guests from accessing files on the device.
• Accounting—Records network usage details of users, including the service type, start time,
and traffic. This function enables time-based and traffic-based charging and user behavior
auditing.
AAA network diagram
AAA uses a client/server model. The client runs on the access device, or the network access server
(NAS), which authenticates user identities and controls user access. The server maintains user
information centrally. See Figure 1.
Figure 1 AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS.
The NAS transparently passes the user information to AAA servers and waits for the authentication,
authorization, and accounting result. Based on the result, the NAS determines whether to permit or
deny the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most
often used.
You can use different servers to implement different security functions. For example, you can use an
HWTACACS server for authentication and authorization, and use a RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company
wants employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an
accounting server.
[Figure 1 elements: Remote user, NAS, RADIUS server, HWTACACS server, Internet, Network]
The device performs dynamic password authentication.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction
protocol that uses a client/server model. The protocol can protect networks against unauthorized
access and is often used in network environments that require both high security and remote user
access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support
additional access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains
information related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication
proxy services.
The RADIUS server maintains the following databases:
• Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
• Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary—Stores RADIUS protocol attributes and their values.
Figure 2 RADIUS server databases
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys,
which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called
Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,
and some other information. The receiver of the packet verifies the signature and accepts the packet
only when the signature is correct. This mechanism ensures the security of information exchanged
between the RADIUS client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS operates using the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.
The request includes the user's password, which has been processed by the MD5 algorithm
and shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds,
the server sends back an Access-Accept packet that contains the user's authorization
information. If the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)
packet to the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the
RADIUS server.
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting
for the user.
10. The RADIUS client notifies the user of the termination.
RADIUS packet format
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure
smooth packet exchange between the RADIUS server and the client. These mechanisms include the
timer mechanism, the retransmission mechanism, and the backup server mechanism.
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main
values and their meanings.
Table 1 Main values of the Code field
Code  Packet type          Description
1     Access-Request       From the client to the server. A packet of this type includes user information for the server to authenticate the user. It must contain the User-Name attribute and can optionally contain the attributes of NAS-IP-Address, User-Password, and NAS-Port.
2     Access-Accept        From the server to the client. If all attribute values included in the Access-Request are acceptable, the authentication succeeds, and the server sends an Access-Accept response.
3     Access-Reject        From the server to the client. If any attribute value included in the Access-Request is unacceptable, the authentication fails, and the server sends an Access-Reject response.
4     Accounting-Request   From the client to the server. A packet of this type includes user information for the server to start or stop accounting for the user. The Acct-Status-Type attribute in the packet indicates whether to start or stop accounting.
5     Accounting-Response  From the server to the client. The server sends a packet of this type to notify the client that it has received the Accounting-Request and has successfully recorded the accounting information.
• The Identifier field (1 byte long) is used to match response packets with request packets and to
detect duplicate request packets. The request and response packets of the same exchange
process for the same purpose (such as authentication or accounting) have the same identifier.
• The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the
Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are
considered padding and are ignored by the receiver. If the length of a received packet is less
than this length, the packet is dropped.
• The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS
server and to encrypt user passwords. There are two types of authenticators: request
authenticator and response authenticator.
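To make the header fields, the shared-key mechanisms, and the Access-Request/Access-Accept exchange described above concrete, the following is an added Python example (not H3C code and not part of this manual). It builds an Access-Request with a hidden User-Password, answers it with an Access-Accept or Access-Reject carrying a Response Authenticator, and checks the reply on the NAS side as the Identifier and Length rules require; the field layouts follow RFC 2865, and the shared key, user credentials, NAS address and Framed-IP-Address are constructed sample values.

```python
"""Minimal RFC 2865 RADIUS packet builder and checker.  Added example, not H3C code;
the shared key, username, password and addresses used with it are constructed values."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # Code values from Table 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8  # attribute types
HEADER = struct.Struct("!BBH16s")  # Code (1), Identifier (1), Length (2), Authenticator (16)

def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Attributes are TLVs: Type, Length (counting the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value

def decode_attributes(data: bytes) -> list:
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 5.2), the 'encryption with the shared key' above: each
    16-byte block is XORed with MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password (trailing NUL padding removed)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_packet(code: int, identifier: int, authenticator: bytes, body: bytes) -> bytes:
    return HEADER.pack(code, identifier, HEADER.size + len(body), authenticator) + body

def build_access_request(identifier, username, password, nas_ip, secret, request_auth=None):
    """NAS side (step 2 above): Access-Request with a fresh random Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    body = (encode_attribute(USER_NAME, username)
            + encode_attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
            + encode_attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, body)

def response_authenticator(code, identifier, request_auth, body, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER.size + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def parse_packet(packet: bytes):
    """Apply the Length rules above: bytes past Length are padding and are ignored; a packet
    shorter than its Length is dropped.  Returns (code, identifier, authenticator, raw attrs)."""
    if len(packet) < HEADER.size:
        raise ValueError("drop: shorter than the 20-byte header")
    code, identifier, length, authenticator = HEADER.unpack_from(packet)
    if length < HEADER.size or len(packet) < length:
        raise ValueError("drop: packet shorter than its Length field")
    return code, identifier, authenticator, packet[HEADER.size:length]

def build_response(code: int, request: bytes, body: bytes, secret: bytes) -> bytes:
    """Server side: the reply echoes the request's Identifier and is bound to its authenticator."""
    _, identifier, request_auth, _ = parse_packet(request)
    auth = response_authenticator(code, identifier, request_auth, body, secret)
    return build_packet(code, identifier, auth, body)

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: accept a reply only if its Identifier matches the outstanding request and
    its Response Authenticator verifies under the shared key; otherwise silently discard it."""
    code, identifier, auth, body = parse_packet(response)
    _, req_id, request_auth, _ = parse_packet(request)
    expected = response_authenticator(code, identifier, request_auth, body, secret)
    return identifier == req_id and hmac.compare_digest(auth, expected)

def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy RADIUS server (step 3 above): recover the password, answer Accept (with a
    piggybacked Framed-IP-Address as authorization information) or Reject."""
    _, _, request_auth, raw = parse_packet(request)
    attrs = dict(decode_attributes(raw))
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    if hmac.compare_digest(password, users.get(attrs.get(USER_NAME, b""), b"\x00")):
        body = encode_attribute(FRAMED_IP_ADDRESS, socket.inet_aton("192.0.2.10"))  # constructed
        return build_response(ACCESS_ACCEPT, request, body, secret)
    return build_response(ACCESS_REJECT, request, b"", secret)
```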