
Huawei AR Series Access Routers

CLI-based Configuration Guide - Security 4 Terminal Access Configuration

4 Terminal Access Configuration

About This Chapter

4.1 Overview of BRAS Access
4.2 Configuring Terminal Access
4.3 Configuration Examples for BRAS Access

4.1 Overview of BRAS Access

Context
The terminal access gateway manages access authentication for terminal users such as PPPoE, IPoE, and L2TP users. It supports access of 100 to 500 terminals of a small-sized enterprise to the NMS and applies to scenarios that require terminal address assignment and terminal user authentication.
As shown in Figure 4-1, the Router is the enterprise's egress gateway in the broadband network. It also acts as the terminal access gateway, providing basic access methods and broadband access network management functions for users. The terminal access gateway allows Ethernet access through LAN switches, WLAN access through APs, and asymmetric digital subscriber line (ADSL) access through digital subscriber line access multiplexers (DSLAMs).

Issue 13 (2024-08-30) Copyright © Huawei Technologies Co., Ltd. 283



Figure 4-1 Connecting to the Router using different broadband access modes
[Figure: access users (Portal or PPPoE) reach the Router across the access network by Ethernet access through a LAN switch, WLAN access through an AP, or ADSL access through a DSLAM. The Router performs authentication, accounting, and management and forwards authenticated users to the Internet.]
4.2 Configuring Terminal Access

Access User Authentication

Authentication determines whether users can access the network.
As shown in Figure 4-2, the physical access mode of a user is hidden by the access device, and the Router identifies users by the encapsulation of their packets. That is, the terminal access gateway differentiates users based on the protocol stack of their packets and applies the matching authentication method to each type of user.
The terminal access gateway supports two authentication modes: PPPoE authentication and Portal authentication.

Figure 4-2 Connecting to the Router using different broadband access modes
[Figure: same topology as Figure 4-1; Portal and PPPoE access users reach the Router through a LAN switch, an AP, or a DSLAM, and the Router performs authentication, accounting, and management.]
● PPPoE authentication
In Figure 4-3, PPPoE users connect to the Internet through PPPoE dial-up (in Ethernet or ADSL access mode). When PPPoE users use client software on their terminals to perform PPPoE dial-up, the Router functions as the PPPoE server and performs PPP authentication for them; user information such as user names and passwords is authenticated on the AAA server. After the PPPoE users are authenticated, the Router assigns IP addresses to them so that they can access the Internet.

Figure 4-3 PPPoE authentication process
[Figure: remote terminal -- access network -- Router -- AAA server. 1. The user enters the user name and password in the client software and the Router performs PPP authentication against the AAA server. 2. After the authentication succeeds, the Router assigns an IP address to the user.]
For details on PPPoE server configuration, see Configuring the Device as a PPPoE Server in the Huawei AR Series Access Routers Configuration Guide - WAN.
NOTE

In addition to allocating IP addresses to PPPoE clients from the global address pool, the device can allocate IP addresses to users through domains: an IP address pool is bound to an AAA service scheme and the service scheme is bound to a domain. When users in the domain go online, the device allocates IP addresses to them from that pool. IP addresses allocated through a domain take priority over IP addresses allocated from the global address pool.
#
ip pool pool1
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa
service-scheme sch1
ip-pool pool1
domain huawei
service-scheme sch1
#

● Portal authentication
Portal authentication (web authentication): When a user attempts to access an address before authentication, the Router redirects the request to the Portal server. The user enters the user name and password on the authentication page. After the Router exchanges information with the remote terminal, user information such as the user name and password is authenticated on the AAA server.
In Figure 4-4, web users log in to the authentication page of the Portal server to access the Internet (in Ethernet or WLAN access mode). After a web user obtains a static IP address or an IP address through DHCP, the Portal authentication page is pushed to the user for Portal authentication. The web user can access the Internet only after the authentication succeeds.

Figure 4-4 Portal authentication process
[Figure: remote terminal -- access network -- Router -- AAA server and Portal server. 1. The terminal obtains an IP address and the user enters a website in the browser. 2. The Router forcibly redirects the user to the Portal server, where the user enters the user name and password. 3. After the authentication succeeds, the user connects to the Internet.]
For details on Portal authentication configuration, see 3.6 Configuring NAC in the Huawei AR Series Access Routers Configuration Guide - Security.


NOTE

Both authentication modes require an AAA authentication scheme to complete user authentication. AAA is configured on the Router so that the Router can work with the AAA server. After users enter their user names and passwords, the Router receives the authentication information and sends it to the AAA server for authentication. If the authentication succeeds, the users can access the Internet.
In terminal access configuration, you can configure local or RADIUS authentication in the AAA authentication scheme on the terminal access gateway. For details on AAA authentication scheme configuration, see 1 AAA Configuration in the Huawei AR Series Access Routers Configuration Guide - Security.
Bandwidth limits for access users are delivered by the AAA server through the Router, so you should understand the RADIUS attributes the Router supports. For details, see 1.2.4.8 RADIUS Attributes in the Huawei AR Series Access Routers Configuration Guide - Security.
In PPPoE authentication, the PPPoE server assigns IP addresses to users using the address negotiation function of PPP. In Portal authentication, users must have static IP addresses or obtain IP addresses through DHCP before the authentication.
● For details on how to configure static IP addresses, see IP Address Configuration in the Huawei AR Series Access Routers Configuration Guide - IP Service.
● For details on how to obtain IP addresses using DHCP, see DHCP Configuration in the Huawei AR Series Access Routers Configuration Guide - IP Service.
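Both authentication modes end in the same place: the Router relays the user's credentials to the AAA server and trusts the answer only if the shared key on both sides matches. The following Python script is an added example, not Huawei code or a capture from an AR router. It plays both sides of the exchange for a PPPoE user authenticated with CHAP (the mode used in 4.3.2): the client computes the CHAP response, the Router builds the RADIUS Access-Request it would send, the AAA server verifies the response and signs its reply with the shared key, and the Router validates that signature before admitting the user. The user "alice@isp1", the password "s3cret" and USER_DB are constructed; "Huawei@1234" is the shared key used in the configuration examples on this page. The third run shows what a shared-key mismatch looks like in practice: the server accepts the user, but the Router cannot validate the reply and the login fails.

```python
"""RADIUS exchange behind a PPPoE/CHAP login: the Router (NAS) relays the
PPP CHAP challenge and response to the AAA server and checks the server's
reply with the shared key (RFC 1994 section 4.1, RFC 2865 section 3).

Added example, not Huawei code. USER_DB, the user "alice@isp1" and the
password "s3cret" are constructed; the shared key "Huawei@1234" is the one
used in the configuration examples on this page.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60   # RADIUS attribute types

USER_DB = {"alice@isp1": "s3cret"}   # constructed: what the AAA server knows


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """PPP CHAP: MD5(Identifier || secret || challenge). Computed by the client."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def encode_attrs(attrs) -> bytes:
    """RADIUS attributes are TLVs: type, total length (incl. 2-byte header), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + ln]
        i += ln
    return attrs


def nas_access_request(user: str, chap_id: int, challenge: bytes,
                       response: bytes, req_auth: bytes) -> bytes:
    """Access-Request from the Router: it forwards the challenge it issued and
    the client's CHAP response; the password itself never crosses the wire."""
    body = encode_attrs([(USER_NAME, user.encode()),
                         (CHAP_PASSWORD, bytes([chap_id]) + response),
                         (CHAP_CHALLENGE, challenge)])
    return struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(body)) + req_auth + body


def server_reply(request: bytes, secret: str, user_db: dict) -> bytes:
    """AAA server: recompute the CHAP response from the stored password, then
    sign the reply: ResponseAuth = MD5(Code|ID|Len|RequestAuth|Attrs|Secret)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], decode_attrs(request[20:length])
    user = attrs[USER_NAME].decode()
    chap_id, response = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
    ok = user in user_db and chap_response(chap_id, user_db[user],
                                            attrs[CHAP_CHALLENGE]) == response
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret.encode()).digest()


def nas_verify_reply(reply: bytes, req_auth: bytes, secret: str) -> bool:
    """The Router trusts an Accept/Reject only if the Response Authenticator
    checks out under its own copy of the shared key."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret.encode()).digest()
    return expected == reply[4:20]


def authenticate(user: str, password: str, nas_key: str, server_key: str,
                 user_db: dict = USER_DB):
    """Run the whole exchange. Returns (user admitted, reply authentic, reply code)."""
    challenge, chap_id, req_auth = os.urandom(16), 1, os.urandom(16)
    response = chap_response(chap_id, password, challenge)          # client side
    request = nas_access_request(user, chap_id, challenge, response, req_auth)
    reply = server_reply(request, server_key, user_db)              # server side
    authentic = nas_verify_reply(reply, req_auth, nas_key)          # back on the Router
    return authentic and reply[0] == ACCESS_ACCEPT, authentic, reply[0]


if __name__ == "__main__":
    print(authenticate("alice@isp1", "s3cret", "Huawei@1234", "Huawei@1234"))   # (True, True, 2)
    print(authenticate("alice@isp1", "wrong", "Huawei@1234", "Huawei@1234"))    # (False, True, 3)
    # Shared keys differ: the server says Accept, but the Router cannot trust it.
    print(authenticate("alice@isp1", "s3cret", "Huawei@1234", "Huawei@5678"))   # (False, False, 2)
```

Note the asymmetry the script makes visible: in this exchange the shared key protects the server's reply (and, for PAP logins, hides the User-Password attribute), but the Access-Request itself carries no key-derived check unless the Message-Authenticator attribute of RFC 2869 is used. That is why a shared-key mismatch shows up on the Router as a reply it discards, not on the server as a request it rejects, and why the NOTE in 4.3.1 about matching the key matters.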

User Access Management


After access users go online, the Router uses AAA to manage them. For example, the Router charges users for the network resources they use, controls the bandwidth of online users, and forces users offline.
● Managing access users based on domains
In addition to authentication, AAA provides two further security functions: authorization and accounting. AAA manages users based on domains, and authentication, authorization, and accounting are all implemented per domain. All authentication, authorization, and accounting schemes for access users are created in the AAA view, and the corresponding schemes are referenced in the domain view.
For example, users in the same domain can access the same websites, share the same accounting policy, and share the same bandwidth.
NOTE

Authorization information configured in a domain has a lower priority than authorization information delivered by the AAA server. That is, authorization information delivered by the AAA server is used preferentially. When the AAA server does not have or does not support authorization, the authorization attributes configured in the domain take effect. In this manner, you can add services flexibly by means of domain management, regardless of the authorization attributes provided by the AAA server.
● Charging access users based on their network resource usage
– The Router performs remote accounting based on traffic or online duration through a RADIUS server.
For the AAA accounting scheme configuration, see 1.7.2 Using RADIUS to Perform Authentication, Authorization, and Accounting in the Huawei AR Series Access Routers Configuration Guide - Security.
– Destination address accounting (DAA)
In traffic-based accounting, if DAA is configured, users can access specified destination addresses (for example, internal network resources) for free. When users access external networks, the Router charges the users based on the access traffic.
For the DAA configuration, see 2.7 Configuring DAA in the Huawei AR Series Access Routers Configuration Guide - Security.
● Controlling access user bandwidth
– When selecting an AAA authentication scheme in local mode:
Create a QoS profile on the Router to specify the uplink and downlink
traffic limits for each user and bind the QoS profile to the AAA service
scheme. After that, access users in different domains have different
bandwidths.
i. Create a QoS profile to specify the uplink and downlink traffic limits.
<Huawei> system-view
[Huawei] qos-profile profile1
[Huawei-qos-profile-profile1] car cir 200 pir 300 cbs 1500 pbs 3500 outbound
[Huawei-qos-profile-profile1] car cir 200 pir 300 cbs 1500 pbs 3500 inbound
[Huawei-qos-profile-profile1] quit

ii. Create an AAA service scheme and bind the QoS profile to the
scheme.
[Huawei] aaa
[Huawei-aaa] service-scheme scheme1
[Huawei-aaa-service-scheme1] qos-profile profile1
[Huawei-aaa-service-scheme1] quit

iii. Create an AAA domain and bind the AAA service scheme to the
domain.
[Huawei-aaa] domain huawei
[Huawei-aaa-domain-huawei] service-scheme scheme1

– When selecting an AAA authentication scheme in RADIUS mode:
The AAA server delivers bandwidth limits to the corresponding domains so that access users in different domains have different bandwidths.
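The car cir 200 pir 300 cbs 1500 pbs 3500 lines above configure a two-rate, two-bucket limiter. The following Python model is an added example, not Huawei code: it interprets the four parameters as an RFC 2698 two-rate three-color marker in color-blind mode, with cir/pir in kbit/s and cbs/pbs in bytes, which is the conventional reading of these parameters and not a statement about the AR router's internal implementation. It shows what the profile does to one user's packets: a burst of up to cbs bytes passes as conforming (green), up to pbs bytes passes as excess (yellow), and anything beyond is marked red, which a typical CAR action drops. The steady-state runs show that a user sending 1500-byte packets every 50 ms (240 kbit/s, between CIR and PIR) is never dropped, while one sending every 25 ms (480 kbit/s, above PIR) is.

```python
"""Model of a two-rate CAR profile (cir/pir in kbit/s, cbs/pbs in bytes) as an
RFC 2698 two-rate three-color marker, color-blind mode.

Added example, not Huawei code: it shows the conventional meaning of the four
parameters, not the AR router's internal implementation.
"""
from collections import Counter


class TrTCM:
    """Two token buckets: C fills at CIR up to CBS, P fills at PIR up to PBS."""

    def __init__(self, cir_kbps: int, pir_kbps: int, cbs: int, pbs: int):
        self.cir = cir_kbps * 1000 / 8   # bytes per second
        self.pir = pir_kbps * 1000 / 8
        self.cbs, self.pbs = cbs, pbs
        self.tc, self.tp = float(cbs), float(pbs)   # both buckets start full
        self.last = 0.0

    def mark(self, size: int, now: float) -> str:
        """Color one packet of `size` bytes arriving at time `now` (seconds)."""
        elapsed = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)
        if size > self.tp:                 # exceeds the peak bucket: red (drop)
            return "red"
        if size > self.tc:                 # fits the peak but not the committed bucket
            self.tp -= size
            return "yellow"
        self.tc -= size                    # conforming traffic draws from both buckets
        self.tp -= size
        return "green"


def steady_state(profile: TrTCM, size: int, interval: float, count: int) -> Counter:
    """Send `count` packets of `size` bytes every `interval` seconds; count the colors."""
    return Counter(profile.mark(size, i * interval) for i in range(count))


if __name__ == "__main__":
    # A 3-packet burst at t=0 against car cir 200 pir 300 cbs 1500 pbs 3500.
    car = TrTCM(200, 300, 1500, 3500)
    print([car.mark(1500, 0.0) for _ in range(3)])              # ['green', 'yellow', 'red']
    # 1500-byte packets every 50 ms = 240 kbit/s (between CIR and PIR): no red.
    print(steady_state(TrTCM(200, 300, 1500, 3500), 1500, 0.05, 100))
    # Every 25 ms = 480 kbit/s (above PIR): red packets appear.
    print(steady_state(TrTCM(200, 300, 1500, 3500), 1500, 0.025, 100))
```

The profile on the page applies the same numbers inbound and outbound; in practice uplink and downlink are separate instances of this limiter, so a user's upload burst does not consume the download bucket.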

4.3 Configuration Examples for BRAS Access

4.3.1 Example for Configuring Terminal Access in Which Portal Authentication Is Used
Networking Requirements
As shown in Figure 4-5, terminal users of an enterprise access the Internet
through the Router (functioning as the egress gateway and access device). The
Router needs to authenticate, charge, and manage users.
The enterprise requires that:
● Portal authentication be used for terminal users, and the Router allow only authenticated users to access the Internet.
● The Router not charge users for intranet (192.168.100.0/24) access, and charge users based on duration when they access external networks.
● If an online user is identified as unauthorized, the user can be forced offline by specifying the user's IP address.


Figure 4-5 Configuring terminal access in which Portal authentication is used
[Figure: User 1 ... User N -- access network -- Eth2/0/0 (VLANIF10, 192.168.1.20/24) on the Router; Eth2/0/1 (VLANIF20, 192.168.2.29/24) connects to the Portal Server 192.168.2.20 and the RADIUS Server 192.168.2.30. The Router also connects to the Internet and to the intranet 192.168.100.0/24.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AAA authentication and accounting schemes in RADIUS mode
to ensure information exchange between the Router and RADIUS server.
2. Configure Portal authentication to authenticate access users.
3. Configure DAA. After that, the Router does not charge users for intranet
(192.168.100.0/24) access, and charges the users based on duration when
they access external networks.
4. Configure the device to force unauthorized users with the IP address
192.168.1.3/24 to go offline.

Procedure
Step 1 Create VLANs and configure interfaces to allow the VLANs to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 10 20

# On the Router, configure the interface connected to users as a trunk interface and add the interface to VLAN 10.
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type trunk
[Router-Ethernet2/0/0] undo port trunk allow-pass vlan 1
[Router-Ethernet2/0/0] port trunk allow-pass vlan 10
[Router-Ethernet2/0/0] quit

# On the Router, configure the interface connected to the RADIUS server as a trunk interface and add the interface to VLAN 20.
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type trunk
[Router-Ethernet2/0/1] undo port trunk allow-pass vlan 1
[Router-Ethernet2/0/1] port trunk allow-pass vlan 20
[Router-Ethernet2/0/1] quit

# Create VLANIF 10 and VLANIF 20, and assign IP addresses to the VLANIF
interfaces so that reachable routes can be set up between the terminals, Router,
and enterprise internal servers.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 192.168.1.20 24
[Router-Vlanif10] quit
[Router] interface vlanif 20
[Router-Vlanif20] ip address 192.168.2.29 24
[Router-Vlanif20] quit

Step 2 Create and configure a RADIUS server template, AAA authentication and
accounting schemes, and an authentication domain.
NOTE

Ensure that the shared key in the RADIUS server template is the same as the one configured on the RADIUS server.

# Create and configure the RADIUS server template rd1.
[Router] radius-server template rd1
[Router-radius-rd1] radius-server authentication 192.168.2.30 1812
[Router-radius-rd1] radius-server accounting 192.168.2.30 1813
[Router-radius-rd1] radius-server shared-key cipher Huawei@1234
[Router-radius-rd1] quit

# Create an AAA scheme, configure the authentication scheme auth, and set the
authentication mode to RADIUS authentication.
[Router] aaa
[Router-aaa] authentication-scheme auth
[Router-aaa-authen-auth] authentication-mode radius
[Router-aaa-authen-auth] quit

# Configure the accounting scheme abc in the AAA scheme and set the
accounting mode to RADIUS accounting.
[Router-aaa] accounting-scheme abc
[Router-aaa-accounting-abc] accounting-mode radius
[Router-aaa-accounting-abc] quit

# Configure the AAA domain isp1, and apply the authentication scheme auth,
accounting scheme abc, and RADIUS server template rd1 to the domain.
[Router-aaa] domain isp1
[Router-aaa-domain-isp1] authentication-scheme auth
[Router-aaa-domain-isp1] accounting-scheme abc
[Router-aaa-domain-isp1] radius-server rd1
[Router-aaa-domain-isp1] quit
[Router-aaa] quit

# Configure isp1 as the global default domain. During access authentication, enter a user name in the format user@isp1 to perform AAA authentication in the domain isp1. If the user name does not contain a domain name or contains an invalid domain name, the user is authenticated in the default domain.
[Router] domain isp1

Step 3 Configure Portal authentication.

# Create and configure a Portal server template abc.
[Router] web-auth-server abc
[Router-web-auth-server-abc] server-ip 192.168.2.20
[Router-web-auth-server-abc] port 50200
[Router-web-auth-server-abc] url http://192.168.2.20:8080/webagent

# Set the shared key that the device uses to exchange information with the Portal server to Huawei@1234 in cipher text.
[Router-web-auth-server-abc] shared-key cipher Huawei@1234

# Configure the Portal server detection and user information synchronization (keepalive) functions.
[Router-web-auth-server-abc] server-detect action log
[Router-web-auth-server-abc] user-sync
[Router-web-auth-server-abc] quit

NOTE

If the Portal server does not support detection, you do not need to configure the server-detect command. Before you run the user-sync command, make sure that the Portal server supports user synchronization; otherwise, the users will go offline.

# Configure the Portal access profile web1.
[Router] portal-access-profile name web1
[Router-portal-access-profile-web1] web-auth-server abc direct
[Router-portal-access-profile-web1] quit

# Configure the authentication profile p1 and bind the Portal access profile web1 to it.
[Router] authentication-profile name p1
[Router-authen-profile-p1] portal-access-profile web1
[Router-authen-profile-p1] quit

# Bind the authentication profile p1 to VLANIF 10 to enable Portal authentication on the interface.
[Router] interface vlanif 10
[Router-Vlanif10] authentication-profile p1
[Router-Vlanif10] quit

Step 4 Configure DAA.

# Configure the traffic identification rule ACL 3000 to identify the traffic destined
for the internal network segment 192.168.100.0/24.
[Router] acl 3000
[Router-acl-adv-3000] rule 5 permit ip destination 192.168.100.0 0.0.0.255
[Router-acl-adv-3000] quit

# Set the tariff level for traffic to the internal network to 1.
[Router] traffic-group huawei
[Router-traffic-group-huawei] acl 3000 tariff-level 1
[Router-traffic-group-huawei] quit
[Router] traffic-group huawei enable

# Configure accounting for all the traffic that does not match ACL 3000.
● For traffic of tariff level 1, traffic statistics collection is disabled and
accounting is not performed.
● For other traffic, the device collects traffic statistics and sends the statistics to
the RADIUS accounting server.
[Router] aaa
[Router-aaa] domain isp1
[Router-aaa-domain-isp1] statistic enable
[Router-aaa-domain-isp1] quit

Step 5 Force the access user with the IP address 192.168.1.3 to go offline.
Step 5 Force the access users with the IP address 192.168.1.3 to go offline.
[Router-aaa] cut access-user ip-address 192.168.1.3
[Router-aaa] quit
[Router] quit

Step 6 Verify the configuration.

# Run the display web-auth-server configuration command to check the configuration of the Portal server.
<Router> display web-auth-server configuration
Listening port : 2000
Portal : version 1, version 2
Include reply message : enabled

-------------------------------------------------------------------------------
Web-auth-server Name : abc
IP-address : 192.168.2.20
Shared-key : %^%#s@<60z+%'"EJI#4KOij5M)"m&9%"k:63Vl+xTc"K%^%#
Source-IP :-
Port / PortFlag : 50200 / NO
URL : http://192.168.2.20:8080/webagent
URL Template :
Redirection : Enable
Sync : Enable
Sync Seconds : 300
Sync Max-times :3
Detect : Enable
Detect Seconds : 60
Detect Max-times :3
Detect Critical-num : 0
Detect Action : log
Bound Vlanif : 10
VPN Instance :
Bound Interface :

-------------------------------------------------------------------------------
1 Web authentication server(s) in total

Run the display traffic-group name command to check information about the
traffic group huawei.
<Router> display traffic-group name huawei
----------------------------------------------------------------------------
Acl-id Tariff-level
----------------------------------------------------------------------------
3000 1
----------------------------------------------------------------------------
Total: 1

# After the user goes online, run the display access-user command to check
traffic statistics at each tariff level.

----End

Configuration Files
Configuration files on Router

#
sysname Router
#
vlan batch 10 20
#
authentication-profile name p1
portal-access-profile web1
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %^%#s@<60z+%'"EJI#4KOij5M)"m&9%"k:63Vl+xTc"K%^%#
radius-server authentication 192.168.2.30 1812 weight 80
radius-server accounting 192.168.2.30 1813 weight 80
#
acl number 3000
rule 5 permit ip destination 192.168.100.0 0.0.0.255
#
web-auth-server abc
server-ip 192.168.2.20
port 50200
shared-key cipher %^%#s@<60z+%'"EJI#4KOij5M)"m&9%"k:63Vl+xTc"K%^%#
url http://192.168.2.20:8080/webagent
server-detect action log
user-sync
#
portal-access-profile name web1
web-auth-server abc direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme abc
accounting-mode radius
domain isp1
authentication-scheme auth
accounting-scheme abc
radius-server rd1
statistic enable
#
interface Vlanif10
ip address 192.168.1.20 255.255.255.0
authentication-profile p1
#
interface Vlanif20
ip address 192.168.2.29 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10
#
interface Ethernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
#
traffic-group huawei
acl 3000 tariff-level 1
traffic-group huawei enable
#
return
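The configuration file above is what the Router stores. The following Python script is an added example, not Huawei code: it parses that file, applies the DAA rule the way the ACL wildcard mask does (0 bits must match, 1 bits are ignored) to show which of a user's flows are accounted and which are free, and then runs a few review checks a practitioner would make before deploying this example as-is: the Portal redirect URL is plain HTTP, the Portal server and the RADIUS server are configured with the same shared key (the identical cipher text in the file shows it), VLAN 1 has been removed from both trunks, and the user-facing VLANIF has an authentication profile bound. CONFIG is a constructed excerpt of the file above, FLOWS is constructed traffic, and the checks are the editor's review points, not Huawei guidance.

```python
"""Parse a Huawei AR configuration file (VRP-style, sections separated by "#"),
classify sample flows by DAA tariff level and run a few review checks.

Added example, not Huawei code. CONFIG is a constructed excerpt of the
configuration file in section 4.3.1 and FLOWS is constructed sample traffic;
the checks are an editor's review points, not Huawei guidance.
"""
import ipaddress
import re
from collections import defaultdict

CONFIG = """\
#
acl number 3000
 rule 5 permit ip destination 192.168.100.0 0.0.0.255
#
web-auth-server abc
 server-ip 192.168.2.20
 shared-key cipher %^%#s@<60z+%'"EJI#4KOij5M)"m&9%"k:63Vl+xTc"K%^%#
 url http://192.168.2.20:8080/webagent
#
radius-server template rd1
 radius-server shared-key cipher %^%#s@<60z+%'"EJI#4KOij5M)"m&9%"k:63Vl+xTc"K%^%#
 radius-server authentication 192.168.2.30 1812 weight 80
#
interface Vlanif10
 ip address 192.168.1.20 255.255.255.0
 authentication-profile p1
#
interface Ethernet2/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10
#
interface Ethernet2/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
#
traffic-group huawei
 acl 3000 tariff-level 1
 traffic-group huawei enable
#
"""
# Constructed flows: (destination IP, bytes) sent by one online user.
FLOWS = [("192.168.100.7", 4096), ("192.168.100.250", 1024),
         ("203.0.113.9", 70000), ("192.168.101.7", 512)]
RULE = re.compile(r"rule \d+ (permit|deny) ip destination (\S+) (\S+)")


def sections(config: str):
    """Yield (header line, body lines) for every block between '#' separators."""
    block = []
    for line in config.splitlines() + ["#"]:
        if line.strip() == "#":
            if block:
                yield block[0], block[1:]
            block = []
        elif line.strip():
            block.append(line.strip())


def parse(config: str) -> dict:
    cfg = {"acls": defaultdict(list), "tariff": {}, "urls": [], "keys": {},
           "trunks": {}, "auth_bound": set()}
    for head, body in sections(config):
        if head.startswith("acl number "):
            for m in filter(None, map(RULE.match, body)):
                cfg["acls"][int(head.split()[-1])].append(
                    (m[1], ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3])))
        elif head.startswith("traffic-group "):
            for m in filter(None, (re.match(r"acl (\d+) tariff-level (\d+)", l) for l in body)):
                cfg["tariff"][int(m[1])] = int(m[2])
        elif head.startswith("web-auth-server "):
            cfg["urls"] += [l.split(None, 1)[1] for l in body if l.startswith("url ")]
            cfg["keys"].update(("portal", l.split()[-1]) for l in body if l.startswith("shared-key "))
        elif head.startswith("radius-server template "):
            cfg["keys"].update(("radius", l.split()[-1]) for l in body if "shared-key" in l)
        elif head.startswith("interface "):
            name = head.split()[1]
            if "port link-type trunk" in body:
                cfg["trunks"][name] = "undo port trunk allow-pass vlan 1" in body
            if any(l.startswith("authentication-profile ") for l in body):
                cfg["auth_bound"].add(name)
    return cfg


def wildcard_match(addr: str, net, wild) -> bool:
    """ACL wildcard mask semantics: 0 bits must match, 1 bits are ignored."""
    keep = 0xFFFFFFFF ^ int(wild)
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(net) & keep)


def tariff_level(cfg: dict, dst: str):
    """Tariff level of the first matching rule in a tariff-bound ACL; None if no DAA match."""
    for acl, level in cfg["tariff"].items():
        for action, net, wild in cfg["acls"][acl]:
            if wildcard_match(dst, net, wild):
                return level if action == "permit" else None
    return None


def account(cfg: dict, flows) -> dict:
    """Bytes per tariff level. Level 1 is free here; level None is what the
    Router reports to the RADIUS accounting server."""
    totals = defaultdict(int)
    for dst, nbytes in flows:
        totals[tariff_level(cfg, dst)] += nbytes
    return dict(totals)


def audit(config: str, user_vlanifs=("Vlanif10",)) -> list:
    cfg, findings = parse(config), []
    for url in cfg["urls"]:
        if url.startswith("http://"):
            findings.append(f"Portal URL {url} is plain HTTP: the login page and the user's credentials cross the access network in cleartext")
    # Identical cipher text proves the same key; different cipher text proves nothing.
    if len(cfg["keys"]) == 2 and cfg["keys"]["portal"] == cfg["keys"]["radius"]:
        findings.append("Portal server and RADIUS server use the same shared key (identical cipher text)")
    findings += [f"{n}: trunk still carries VLAN 1" for n, ok in cfg["trunks"].items() if not ok]
    findings += [f"{n}: no authentication-profile bound" for n in user_vlanifs if n not in cfg["auth_bound"]]
    return findings


if __name__ == "__main__":
    print(account(parse(CONFIG), FLOWS))   # {1: 5120, None: 70512}
    print(*audit(CONFIG), sep="\n")
```

Two of the checks deserve a caveat. Comparing cipher text only proves key reuse when the cipher text is identical, as it is in this file; different cipher text does not prove different keys. And the HTTP finding concerns the redirect target configured on the Router (http://192.168.2.20:8080/webagent); whether the Portal server can serve its login page over HTTPS is a property of that server, not of the Router.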

4.3.2 Example for Configuring Terminal Access in Which PPPoE Authentication Is Used
Networking Requirements
As shown in Figure 4-6, terminal users of an enterprise access the Internet
through the Router (functioning as the egress gateway and access device). The
Router needs to authenticate, charge, and manage users.

The enterprise requires that:
● PPPoE authentication should be used for terminal users. The Router should
allow only authenticated users to access the Internet.
● The Router should not charge users for intranet (192.168.100.0/24) access,
and should charge the users based on duration when they access external
networks.
● If an online user is identified as unauthorized, the user can be forced offline by specifying the user's IP address.

Figure 4-6 Configuring terminal access in which PPPoE authentication is used
[Figure: User 1 ... User N -- access network -- Eth2/0/0 (VLANIF10) on the Router; Eth2/0/1 (VLANIF20, 192.168.2.29/24) connects to the RADIUS Server 192.168.2.30. The Router also connects to the Internet and to the intranet 192.168.100.0/24.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AAA authentication and accounting schemes in RADIUS mode
to ensure information exchange between the Router and RADIUS server.
2. Configure the PPPoE server to perform PPP authentication on access users.
3. Configure DAA. After that, the Router does not charge users for intranet
access, and charges the users based on duration when they access external
networks.
4. Configure the device to force unauthorized users with the IP address
192.168.1.3/24 to go offline.

Procedure
Step 1 Create VLANs and configure interfaces to allow the VLANs to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 10 20

# On the Router, configure the interface connected to users as a trunk interface and add the interface to VLAN 10.
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type trunk
[Router-Ethernet2/0/0] undo port trunk allow-pass vlan 1
[Router-Ethernet2/0/0] port trunk allow-pass vlan 10
[Router-Ethernet2/0/0] quit

# On the Router, configure the interface connected to the RADIUS server as a trunk interface and add the interface to VLAN 20.
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type trunk
[Router-Ethernet2/0/1] undo port trunk allow-pass vlan 1
[Router-Ethernet2/0/1] port trunk allow-pass vlan 20
[Router-Ethernet2/0/1] quit

# Create VLANIF 10 and VLANIF 20, and assign an IP address to VLANIF 20 so that reachable routes exist between the terminals, the Router, and the enterprise's internal servers. VLANIF 10 gets no IP address here: the PPPoE virtual interface template bound to it in Step 3 carries the user-side address 192.168.1.1.
[Router] interface vlanif 10
[Router-Vlanif10] quit
[Router] interface vlanif 20
[Router-Vlanif20] ip address 192.168.2.29 24
[Router-Vlanif20] quit

Step 2 Create and configure a RADIUS server template, an AAA authentication scheme,
accounting scheme and an authentication domain.
NOTE

Ensure that the shared key in the RADIUS server template is the same as the one configured on the RADIUS server.

# Create and configure the RADIUS server template rd1.
[Router] radius-server template rd1
[Router-radius-rd1] radius-server authentication 192.168.2.30 1812
[Router-radius-rd1] radius-server accounting 192.168.2.30 1813
[Router-radius-rd1] radius-server shared-key cipher Huawei@1234
[Router-radius-rd1] quit

# Create an AAA scheme, configure the authentication scheme auth, and set the
authentication mode to RADIUS authentication.
[Router] aaa
[Router-aaa] authentication-scheme auth
[Router-aaa-authen-auth] authentication-mode radius
[Router-aaa-authen-auth] quit

# Configure the accounting scheme abc in the AAA scheme and set the
accounting mode to RADIUS accounting.
[Router-aaa] accounting-scheme abc
[Router-aaa-accounting-abc] accounting-mode radius
[Router-aaa-accounting-abc] quit

# Configure the AAA domain isp1, and apply the authentication scheme auth,
accounting scheme abc, and RADIUS server template rd1 to the domain.
[Router-aaa] domain isp1
[Router-aaa-domain-isp1] authentication-scheme auth
[Router-aaa-domain-isp1] accounting-scheme abc
[Router-aaa-domain-isp1] radius-server rd1
[Router-aaa-domain-isp1] quit
[Router-aaa] quit

# Configure isp1 as the global default domain. During access authentication, enter a user name in the format user@isp1 to perform AAA authentication in the domain isp1. If the user name does not contain a domain name or contains an invalid domain name, the user is authenticated in the default domain.
[Router] domain isp1

Step 3 Configure the PPPoE server.

# Configure a global address pool so that the PPPoE server can dynamically assign
IP addresses to access users.
[Router] ip pool pool1
[Router-ip-pool-pool1] network 192.168.1.0 mask 255.255.255.0
[Router-ip-pool-pool1] gateway-list 192.168.1.1
[Router-ip-pool-pool1] quit

# Create and configure a virtual interface template. CHAP authentication is performed in the domain isp1, and addresses for the remote peers come from pool1.
[Router] interface virtual-template 1
[Router-Virtual-Template1] ppp authentication-mode chap domain isp1
[Router-Virtual-Template1] ip address 192.168.1.1 255.255.255.0
[Router-Virtual-Template1] remote address pool pool1
[Router-Virtual-Template1] quit

# Bind the virtual interface template to VLANIF 10 to enable the PPPoE server on the interface.
[Router] interface vlanif10
[Router-Vlanif10] pppoe-server bind virtual-template 1
[Router-Vlanif10] quit

Step 4 Configure DAA.

# Configure the traffic identification rule ACL 3000 to identify the traffic destined
for the internal network segment 192.168.100.0/24.
[Router] acl 3000
[Router-acl-adv-3000] rule 5 permit ip destination 192.168.100.0 0.0.0.255
[Router-acl-adv-3000] quit

# Set the tariff level for traffic to the internal network to 1.
[Router] traffic-group huawei
[Router-traffic-group-huawei] acl 3000 tariff-level 1
[Router-traffic-group-huawei] quit
[Router] traffic-group huawei enable

# Configure accounting for all the traffic that does not match ACL 3000.
● For traffic of tariff level 1, traffic statistics collection is disabled and
accounting is not performed.
● For other traffic, the device collects traffic statistics and sends the statistics to
the RADIUS accounting server.
[Router] aaa
[Router-aaa] domain isp1
[Router-aaa-domain-isp1] statistic enable
[Router-aaa-domain-isp1] quit

Step 5 Force the access users with the IP address 192.168.1.3 to go offline.
[Router-aaa] cut access-user ip-address 192.168.1.3
[Router-aaa] quit
[Router] quit

Step 6 Verify the configuration.


# Run the display pppoe-server session all command to check the PPPoE session
status and configuration. The command output shows that the PPPoE session
status is Up and the session configuration is correct.
Run the display traffic-group name command to check information about the
traffic group huawei.
<Router> display traffic-group name huawei
----------------------------------------------------------------------------
Acl-id Tariff-level
----------------------------------------------------------------------------
3000 1
----------------------------------------------------------------------------
Total: 1

# After the user goes online, run the display access-user command to check the
IP address and traffic statistics of online users.

----End

Configuration Files
Configuration files on Router

#
sysname Router
#
vlan batch 10 20
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %#%#s@<60z+%'"EJI#4KOij5M)"m&9%"k:63Vl+xTc"K%#%#
radius-server authentication 192.168.2.30 1812 weight 80
radius-server accounting 192.168.2.30 1813 weight 80
#
acl number 3000
rule 5 permit ip destination 192.168.100.0 0.0.0.255
#
ip pool pool1
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme abc
accounting-mode radius
domain isp1
authentication-scheme auth
accounting-scheme abc
radius-server rd1
statistic enable
#
interface Vlanif10
pppoe-server bind Virtual-Template 1
#
interface Vlanif20
ip address 192.168.2.29 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10
#
interface Ethernet2/0/1

port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
#
interface Virtual-Template1
ppp authentication-mode chap domain isp1
remote address pool pool1
ip address 192.168.1.1 255.255.255.0
#
traffic-group huawei
acl 3000 tariff-level 1
traffic-group huawei enable
#
return
