H3C SR8800-F User manual

H3C SR8800-F Routers
Comware 7 User Access Configuration Guide
New H3C Technologies Co., Ltd.
http://www.h3c.com.hk
Software version: SR8800FS-CMW710-R7655P05 or later
Document version: 6W100-20170825

Copyright © 2017, New H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written
consent of New H3C Technologies Co., Ltd.
Trademarks
H3C, H3CS, H3CIE, H3CNE, Aolynk, H3Care, IRF, NetPilot, Netflow, SecEngine, SecPath, SecCenter,
SecBlade, Comware, ITCMM and HUASAN are trademarks of New H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

Preface
This configuration guide describes fundamentals and configuration of user access features.
This preface includes the following topics about the documentation:
•Audience
•Conventions
•Obtaining documentation
•Technical support
•Documentation feedback
Audience
This documentation is intended for:
•Network planners.
•Field technical support and servicing engineers.
•Network administrators working with the routers.
Conventions
The following information describes the conventions used in the documentation.
Command conventions
Convention Description
Boldface Bold text represents commands and keywords that you enter literally as shown.
Italic Italic text represents arguments that you replace with actual values.
[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... } Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ] Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } * Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select a minimum of one.
[ x | y | ... ] * Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n> The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
# A line that starts with a pound (#) sign is a comment.
GUI conventions
Convention Description
Boldface Window names, button names, field names, and menu items are in Boldface. For example, the New User window opens; click OK.
> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention Description
WARNING! An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT: An alert that calls attention to essential information.
NOTE: An alert that contains additional or supplementary information.
TIP: An alert that provides helpful information.
Network topology icons
Convention Description
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that
supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, a unified wired-WLAN module, or the access
controller engine on a unified wired-WLAN switch.
Represents an access point.
Wireless terminator unit.
Wireless terminator.
Represents a mesh access point.
Represents omnidirectional signals.
Represents directional signals.
Represents a security product, such as a firewall, UTM, multiservice security
gateway, or load balancing device.
Represents a security module, such as a firewall, load balancing, NetStream, SSL
VPN, IPS, or ACG module.

Examples provided in this document
Examples in this document might use devices that differ from your device in hardware model,
configuration, or software version. It is normal that the port numbers, sample output, screenshots,
and other information in the examples differ from what you have on your device.
Obtaining documentation
To access the most up-to-date H3C product documentation, go to the H3C website at
http://www.h3c.com.hk
To obtain information about installation, configuration, and maintenance, click
http://www.h3c.com.hk/Technical_Documents
To obtain software version information such as release notes, click
http://www.h3c.com.hk/Software_Download
Technical support
service@h3c.com
http://www.h3c.com.hk
Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.

Contents
Configuring AAA ··············································································1
About AAA ·······························································································································1
AAA implementation ············································································································1
AAA network diagram···········································································································1
RADIUS ····························································································································2
HWTACACS ······················································································································5
LDAP································································································································8
User management based on ISP domains and user access types ···············································11
Authentication, authorization, and accounting methods······························································11
AAA for MPLS L3VPNs ······································································································13
Protocols and standards ·····································································································13
AAA tasks at a glance···············································································································14
Configuring local users··············································································································15
About local users···············································································································15
Local user configuration tasks at a glance···············································································16
Configuring attributes for device management users·································································16
Configuring attributes for network access users ·······································································17
Configuring local guest attributes··························································································18
Configuring user group attributes··························································································19
Managing local guests········································································································21
Display and maintenance commands for local users and local user groups····································22
Configuring RADIUS·················································································································23
RADIUS tasks at a glance···································································································23
Configuring a test profile for RADIUS server status detection······················································23
Creating a RADIUS scheme ································································································24
Specifying the RADIUS authentication servers·········································································24
Specifying the RADIUS accounting servers·············································································25
Specifying the shared keys for secure RADIUS communication···················································26
Specifying an MPLS L3VPN instance for the scheme································································26
Setting the username format and traffic statistics units ······························································27
Setting the maximum number of RADIUS request transmission attempts ······································27
Setting the maximum number of real-time accounting attempts ···················································28
Configuring RADIUS stop-accounting packet buffering······························································28
Setting the maximum number of pending RADIUS requests ·······················································29
Setting the status of RADIUS servers ····················································································29
Enabling the RADIUS server load sharing feature ····································································31
Specifying the source IP address for outgoing RADIUS packets··················································32
Setting RADIUS timers·······································································································33
Configuring the RADIUS accounting-on feature ·······································································34
Interpreting the RADIUS class attribute as CAR parameters·······················································34
Configuring the Login-Service attribute check method for SSH, FTP, and terminal users ··················35
Configuring the MAC address format for RADIUS attribute 31·····················································35
Configuring the format for RADIUS attribute 87········································································36
Setting the data measurement unit for the Remanent_Volume attribute·········································36
Specifying a server version for interoperating with servers with a vendor ID of 2011 ························37
Configuring the RADIUS attribute translation feature·································································37
Configuring the RADIUS session-control feature······································································39
Configuring the RADIUS DAS feature····················································································39
Changing the DSCP priority for RADIUS packets ·····································································40
Configuring the device to preferentially process RADIUS authentication requests ···························40
Enabling SNMP notifications for RADIUS ···············································································41
Display and maintenance commands for RADIUS····································································41
Configuring HWTACACS···········································································································42
HWTACACS tasks at a glance ····························································································· 42
Creating an HWTACACS scheme·························································································42
Specifying the HWTACACS authentication servers···································································42
Specifying the HWTACACS authorization servers ····································································43

Specifying the HWTACACS accounting servers·······································································44
Specifying the shared keys for secure HWTACACS communication·············································44
Specifying an MPLS L3VPN instance for the scheme································································45
Setting the username format and traffic statistics units ······························································45
Configuring HWTACACS stop-accounting packet buffering ························································46
Specifying the source IP address for outgoing HWTACACS packets ············································46
Setting HWTACACS timers ·································································································47
Display and maintenance commands for HWTACACS ······························································48
Configuring LDAP ····················································································································49
LDAP tasks at a glance ······································································································49
Creating an LDAP server ····································································································49
Configuring the IP address of the LDAP server········································································49
Specifying the LDAP version································································································50
Setting the LDAP server timeout period··················································································50
Configuring administrator attributes·······················································································50
Configuring LDAP user attributes··························································································51
Configuring an LDAP attribute map ·······················································································52
Creating an LDAP scheme··································································································52
Specifying the LDAP authentication server··············································································53
Specifying the LDAP authorization server···············································································53
Specifying an LDAP attribute map for LDAP authorization··························································53
Display and maintenance commands for LDAP········································································53
Configuring AAA methods for ISP domains····················································································54
Creating an ISP domain······································································································54
Configuring ISP domain attributes·························································································55
Configuring authentication methods for an ISP domain······························································58
Configuring authorization methods for an ISP domain ·······························································60
Configuring accounting methods for an ISP domain··································································62
Display and maintenance commands for ISP domains ······························································64
Setting the maximum number of concurrent login users····································································65
Configuring the local bill cache feature ·························································································65
About local bill cache ·········································································································65
Procedure························································································································65
Display and maintenance commands for local bill cache····························································66
Configuring a NAS-ID ···············································································································66
About NAS-IDs ·················································································································66
Configuring a NAS-ID profile································································································66
Setting the NAS-ID on an interface························································································67
Setting the NAS-ID in an ISP domain·····················································································67
Configuring the device ID···········································································································68
AAA configuration examples·······································································································68
Example: Configuring authentication and authorization for SSH users by a RADIUS server···············68
Example: Configuring local authentication and authorization for SSH users ···································71
Example: Configuring AAA for SSH users by an HWTACACS server············································72
Example: Configuring authentication for SSH users by an LDAP server ········································73
Example: Configuring AAA for PPP users by an HWTACACS server············································78
Troubleshooting RADIUS···········································································································79
RADIUS authentication failure······························································································79
RADIUS packet delivery failure ····························································································80
RADIUS accounting error····································································································80
Troubleshooting HWTACACS·····································································································81
Troubleshooting LDAP··············································································································81
LDAP authentication failure ·································································································81
Appendixes ····························································································································82
Appendix A Commonly used RADIUS attributes·······································································82
Appendix B Descriptions for commonly used standard RADIUS attributes ·····································83
Appendix C RADIUS subattributes (vendor ID 25506)·······························································85
DHCP overview ·············································································88
DHCP network model ···············································································································88
DHCP address allocation···········································································································88
Allocation mechanisms·······································································································88

IP address allocation process ······························································································89
IP address lease extension··································································································89
DHCP message format ·············································································································90
DHCP options ·························································································································91
Common DHCP options ············································································································91
Custom DHCP options··············································································································91
Vendor-specific option (Option 43) ························································································92
Relay agent option (Option 82)·····························································································93
Option 184·······················································································································93
Protocols and standards············································································································94
Configuring the DHCP server····························································95
About DHCP server··················································································································95
DHCP address assignment mechanisms················································································95
Principles for selecting an address pool··················································································96
IP address allocation sequence····························································································97
DHCP server tasks at a glance ···································································································97
Creating a DHCP user class·······································································································98
Configuring an address pool on the DHCP server ···········································································98
DHCP address pool tasks at a glance····················································································98
Creating a DHCP address pool ····························································································99
Specifying IP address ranges for a DHCP address pool·····························································99
Specifying gateways for DHCP clients ················································································· 102
Specifying a domain name suffix for DHCP clients·································································· 102
Specifying DNS servers for DHCP clients············································································· 103
Specifying WINS servers and NetBIOS node type for DHCP clients ··········································· 103
Specifying BIMS server for DHCP clients·············································································· 103
Specifying the configuration file for DHCP client auto-configuration············································ 104
Specifying a server for DHCP clients ··················································································· 105
Configuring Option 184 parameters for DHCP clients······························································ 105
Customizing DHCP options ······························································································· 105
Configuring the DHCP user class whitelist ············································································ 107
Enabling DHCP ····················································································································· 107
Enabling the DHCP server on an interface ·················································································· 108
Applying a DHCP address pool to a VPN instance ········································································ 108
Applying an address pool on an interface···················································································· 108
Configuring a DHCP policy for dynamic address assignment··························································· 109
Allocating different IP addresses to DHCP clients with the same MAC··············································· 110
Enabling random IP address allocation······················································································· 110
Configuring IP address conflict detection····················································································· 110
Enabling handling of Option 82 ································································································· 111
Disabling Option 60 encapsulation in DHCP replies······································································· 111
Configuring the DHCP server security features············································································· 112
Restrictions and guidelines································································································ 112
Configuring DHCP flood attack protection············································································· 112
Configuring DHCP starvation attack protection ······································································ 113
Configuring DHCP server compatibility ······················································································· 113
Configuring the DHCP server to always broadcast responses··················································· 113
Enabling the DHCP server to return a DHCP-NAK message upon client notions of incorrect IP addresses ···· 114
Configuring the DHCP server to ignore BOOTP requests··························································· 114
Configuring the DHCP server to send BOOTP responses in RFC 1048 format ····························· 115
Setting the DSCP value for DHCP packets sent by the DHCP server ················································ 115
Configuring DHCP packet rate limit on a DHCP server interface ······················································ 115
Configuring DHCP binding auto backup······················································································ 116
Binding gateways to DHCP server's MAC address········································································ 116
Advertising subnets assigned to clients······················································································· 117
Enabling client offline detection on the DHCP server ····································································· 118
Configuring SNMP notifications for the DHCP server····································································· 118
Enabling DHCP logging on the DHCP server ··············································································· 119
Display and maintenance commands for DHCP server ·································································· 119
DHCP server configuration examples························································································· 120

Example: Configuring static IP address assignment································································ 120
Example: Configuring dynamic IP address assignment···························································· 121
Example: Configuring DHCP user class ··············································································· 123
Example: Configuring DHCP user class whitelist···································································· 125
Example: Configuring primary and secondary subnets ···························································· 126
Example: Customizing DHCP option ··················································································· 127
Example: Configuring DHCP server (WLAN application)································································· 129
Network configuration······································································································· 129
Procedure······················································································································ 130
Verifying the configuration································································································· 130
Troubleshooting DHCP server configuration ················································································ 130
Failure to obtain a non-conflicting IP address ········································································ 130
Configuring the DHCP relay agent··················································· 132
About DHCP relay agent ········································································································· 132
DHCP relay agent operation ······························································································ 132
DHCP relay agent support for Option 82··············································································· 133
DHCP relay agent support for MCE····················································································· 133
DHCP relay agent tasks at a glance··························································································· 134
Enabling DHCP ····················································································································· 134
Enabling the DHCP relay agent on an interface············································································ 134
Specifying DHCP servers ········································································································ 135
Specifying DHCP servers on a relay agent············································································ 135
Configuring a DHCP address pool on a DHCP relay agent······················································· 135
Specifying the DHCP server selecting algorithm····································································· 136
Configuring the DHCP relay agent security features ······································································ 138
Restrictions and guidelines ······························································································· 138
Enabling the DHCP relay agent to record relay entries ···························································· 138
Enabling periodic refresh of dynamic relay entries·································································· 138
Configuring DHCP flood attack protection············································································· 139
Enabling DHCP starvation attack protection·········································································· 139
Enabling DHCP server proxy on the DHCP relay agent ··························································· 140
Enabling client offline detection on the DHCP relay agent ························································ 141
Configuring the DHCP relay agent to release an IP address···························································· 141
Configuring Option 82············································································································· 141
Setting the DSCP value for DHCP packets sent by the DHCP relay agent·········································· 142
Configuring DHCP packet rate limit on a DHCP relay interface ························································ 143
Specifying the DHCP relay agent address for the giaddr field ························································· 143
Manually specifying the DHCP relay agent address for the giaddr field······································· 143
Configuring smart relay to specify the DHCP relay agent address for the giaddr field ···················· 143
Specifying the source IP address for DHCP requests····································································· 145
Configuring the DHCP relay agent to always unicast relayed DHCP responses··································· 146
Configuring forwarding DHCP replies based on Option 82 ······························································ 146
Display and maintenance commands for DHCP relay agent···························································· 147
DHCP relay agent configuration examples ·················································································· 148
Example: Configuring basic DHCP relay agent ······································································ 148
Example: Configuring Option 82························································································· 149
Example: Configuring DHCP server selection········································································ 149
Troubleshooting DHCP relay agent configuration·········································································· 151
Failure of DHCP clients to obtain configuration parameters through the DHCP relay agent ············· 151
Configuring the DHCP client··························································· 152
About DHCP client ················································································································· 152
Restrictions and guidelines: DHCP client configuration··································································· 152
Enabling the DHCP client on an interface···················································································· 152
Configuring a DHCP client ID for an interface··············································································· 152
Enabling duplicated address detection························································································ 153
Setting the DSCP value for DHCP packets sent by the DHCP client ················································· 153
Display and maintenance commands for DHCP client···································································· 154
DHCP client configuration examples ·························································································· 154
Example: Configuring DHCP client······················································································ 154
Configuring DHCP snooping··························································· 157
About DHCP snooping············································································································ 157
Application of trusted and untrusted ports············································································· 157
DHCP snooping support for Option 82 ················································································· 158
Restrictions and guidelines: DHCP snooping configuration ····························································· 159
DHCP snooping tasks at a glance ····························································································· 159
Configuring basic DHCP snooping····························································································· 159
Configuring Option 82············································································································· 160
Configuring DHCP snooping entry auto backup············································································ 161
Enabling DHCP starvation attack protection················································································· 162
Enabling DHCP-REQUEST attack protection··············································································· 162
Setting the maximum number of DHCP snooping entries································································ 163
Configuring a DHCP packet blocking port···················································································· 163
Enabling DHCP snooping logging······························································································ 164
Display and maintenance commands for DHCP snooping······························································· 164
DHCP snooping configuration examples····················································································· 165
Example: Configuring basic DHCP snooping········································································· 165
Example: Configuring DHCP snooping support for Option 82···················································· 166
Configuring the BOOTP client························································· 168
About BOOTP client ··············································································································· 168
BOOTP application·········································································································· 168
Obtaining an IP address dynamically··················································································· 168
Protocols and standards ··································································································· 168
Configuring an interface to use BOOTP for IP address acquisition···················································· 168
Display and maintenance commands for BOOTP client·································································· 169
BOOTP client configuration examples ························································································ 169
Example: Configuring BOOTP client···················································································· 169
DHCPv6 overview········································································ 170
DHCPv6 address/prefix assignment··························································································· 170
Rapid assignment involving two messages ··········································································· 170
Assignment involving four messages··················································································· 170
Address/prefix lease renewal···································································································· 171
Stateless DHCPv6 ················································································································· 172
DHCPv6 options···················································································································· 172
Option 18······················································································································· 172
Option 37······················································································································· 173
Protocols and standards·········································································································· 174
Configuring the DHCPv6 server ······················································ 175
About DHCPv6 server············································································································· 175
IPv6 address assignment·································································································· 175
IPv6 prefix assignment ····································································································· 175
Concepts······················································································································· 176
DHCPv6 address pool······································································································ 176
IPv6 address/prefix allocation sequence··············································································· 177
DHCPv6 server tasks at a glance······························································································ 178
Configuring IPv6 prefix assignment···························································································· 178
Configuring IPv6 address assignment ························································································ 180
Configuring network parameters assignment ··············································································· 181
Configuring network parameters in a DHCPv6 address pool····················································· 182
Configuring network parameters in a DHCPv6 option group ····················································· 182
Configuring a DHCPv6 policy for IPv6 address and prefix assignment··············································· 183
Configuring the DHCPv6 server on an interface············································································ 184
Allocating different IPv6 addresses to DHCPv6 clients with the same MAC ········································ 185
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server·········································· 185
Configuring DHCPv6 binding auto backup··················································································· 186
Advertising subnets assigned to clients······················································································· 186
Applying a DHCPv6 address pool to a VPN instance····································································· 187
Configuring the DHCPv6 server security features ········································································· 188
Configuring DHCPv6 flood attack protection·········································································· 188
Enabling the DHCPv6 server to advertise IPv6 prefixes·································································· 189
Enabling DHCPv6 logging on the DHCPv6 server········································································· 189
Display and maintenance commands for DHCPv6 server ······························································· 189
DHCPv6 server configuration examples······················································································ 190
Example: Configuring dynamic IPv6 prefix assignment···························································· 190
Example: Configuring dynamic IPv6 address assignment························································· 193
Configuring the DHCPv6 relay agent················································ 195
About DHCPv6 relay agent ······································································································ 195
Typical application··········································································································· 195
DHCPv6 relay agent operating process················································································ 195
DHCPv6 relay agent tasks at a glance························································································ 196
Enabling the DHCPv6 relay agent on an interface········································································· 196
Specifying DHCPv6 servers on the relay agent ············································································ 196
Specifying the DHCPv6 server IP addresses········································································· 196
Specifying DHCPv6 servers for a DHCPv6 address pool on the DHCPv6 relay agent ···················· 197
Specifying a gateway address for DHCPv6 clients ········································································ 198
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent ··································· 198
Specifying a padding mode for the Interface-ID option ··································································· 199
Configuring DHCPv6 relay security features ················································································ 199
Enabling the DHCPv6 relay agent to record relay entries ························································· 199
Enabling IPv6 release notification ······················································································· 199
Enabling client offline detection ·························································································· 200
Configuring DHCPv6 flood attack protection·········································································· 200
Enabling the DHCPv6 relay agent to advertise IPv6 prefixes··························································· 201
Display and maintenance commands for DHCPv6 relay agent························································· 201
DHCPv6 relay agent configuration examples ··············································································· 202
Example: Configuring DHCPv6 relay agent··········································································· 202
Configuring DHCPv6 snooping························································ 204
About DHCPv6 snooping········································································································· 204
Application of trusted and untrusted ports············································································· 204
Restrictions and guidelines: DHCPv6 snooping configuration ·························································· 205
DHCPv6 snooping tasks at a glance ·························································································· 205
Configuring basic DHCPv6 snooping·························································································· 205
Configuring support for Option 18······························································································ 206
Configuring support for Option 37······························································································ 206
Configuring DHCPv6 snooping entry auto backup········································································· 206
Setting the maximum number of DHCPv6 snooping entries····························································· 207
Enabling DHCPv6-REQUEST check·························································································· 207
Configuring a DHCPv6 packet blocking port ················································································ 208
Enabling DHCPv6 snooping logging··························································································· 208
Display and maintenance commands for DHCPv6 snooping ··························································· 209
Example: Configuring DHCPv6 snooping···················································································· 209
Network configuration······································································································· 209
Procedure······················································································································ 210
Verifying the configuration································································································· 210
Configuring MAC authentication ······················································ 211
About MAC authentication ······································································································· 211
User account policies······································································································· 211
Authentication methods ···································································································· 212
VLAN assignment············································································································ 212
ACL assignment·············································································································· 214
User profile assignment···································································································· 214
Periodic MAC reauthentication ··························································································· 215
Restrictions and guidelines: MAC authentication configuration························································· 215
MAC authentication tasks at a glance························································································· 215
Prerequisites for MAC authentication ························································································· 216
Enabling MAC authentication···································································································· 216
Specifying a MAC authentication domain ···················································································· 216
Configuring the user account format··························································································· 217
Configuring MAC authentication timers······················································································· 217
About MAC authentication timers························································································ 217
Procedure······················································································································ 217
Enabling MAC authentication offline detection·············································································· 218
Setting the maximum number of concurrent MAC authentication users on a port ································· 218
Enabling MAC authentication multi-VLAN mode on a port······························································· 218
Configuring MAC authentication delay························································································ 219
Configuring a MAC authentication guest VLAN············································································· 219
Restrictions and guidelines································································································ 219
Prerequisites·················································································································· 220
Procedure······················································································································ 220
Configuring a MAC authentication critical VLAN ··········································································· 220
Restrictions and guidelines································································································ 220
Prerequisites·················································································································· 221
Procedure······················································································································ 221
Configuring the keep-online feature ··························································································· 221
Including user IP addresses in MAC authentication requests··························································· 222
About the feature of including user IP addresses in MAC authentication requests ························· 222
Restrictions and guidelines································································································ 222
Procedure······················································································································ 222
Display and maintenance commands for MAC authentication·························································· 222
MAC authentication configuration examples ················································································ 223
Example: Configuring local MAC authentication····································································· 223
Example: Configuring RADIUS-based MAC authentication······················································· 225
Example: Configuring ACL assignment for MAC authentication················································· 227
Configuring PPP ·········································································· 230
About PPP ··························································································································· 230
PPP protocols················································································································· 230
PPP link establishment process·························································································· 230
PPP authentication·········································································································· 231
PPP for IPv4 ·················································································································· 231
PPP for IPv6 ·················································································································· 232
Protocols and standards·········································································································· 233
PPP tasks at a glance············································································································· 233
Configuring a VT interface ······································································································· 233
Configuring PPP authentication································································································· 234
Configuring PAP authentication·························································································· 234
Configuring CHAP authentication (authenticator name is configured)·········································· 235
Configuring CHAP authentication (authenticator name is not configured)····································· 236
Configuring MS-CHAP or MS-CHAP-V2 authentication ··························································· 237
Configuring the polling feature ·································································································· 238
Enabling fast reply for keepalive packets····················································································· 239
Configuring PPP negotiation····································································································· 239
Configuring the PPP negotiation timeout time········································································ 239
Configuring IP address negotiation on the client····································································· 240
Configuring IP address negotiation on the server ··································································· 240
Enabling IP segment match······························································································· 243
Configuring DNS server IP address negotiation on the client ···················································· 244
Configuring DNS server IP address negotiation on the server ··················································· 244
Enabling PPP accounting ········································································································ 244
Enabling logging for PPP users································································································· 245
Configuring service tracing objects ···························································································· 245
Enabling PPP user blocking ····································································································· 246
About PPP user blocking ·································································································· 246
Procedure······················································································································ 246
Configuring the NAS-Port-Type attribute ····················································································· 246
Suppressing adding PPP peer host routes to the local direct route table············································ 247
Configuring the traffic accounting frequency mode for online PPP users ············································ 247
Display and maintenance commands for PPP·············································································· 247
Configuring L2TP········································································· 250
About L2TP ·························································································································· 250
Typical L2TP networking··································································································· 250
L2TP message types and encapsulation structure·································································· 250
L2TP tunnel and session··································································································· 251
L2TP tunneling modes and tunnel establishment process ························································ 251
L2TP features················································································································· 254
L2TP-based EAD ············································································································ 256
Protocols and standards ··································································································· 256
Restrictions: Hardware compatibility with L2TP ············································································ 256
Restrictions and guidelines: L2TP configuration············································································ 256
L2TP tasks at a glance············································································································ 257
Configuring basic L2TP capabilities ··························································································· 258
Configuring an LAC················································································································ 258
Configuring an LAC to initiate tunneling requests for a user······················································ 258
Specifying LNS IP addresses····························································································· 259
Configuring the source IP address of L2TP tunnel packets······················································· 259
Configuring each L2TP user to use an L2TP tunnel exclusively················································· 259
Enabling transferring AVP data in hidden mode ····································································· 260
Configuring AAA authentication on an LAC··········································································· 260
Configuring an LAC to automatically establish an L2TP tunnel ·················································· 260
Configuring an LNS················································································································ 261
Creating a VT interface····································································································· 262
Configuring an LNS to accept L2TP tunneling requests from an LAC·········································· 262
Configuring user authentication on an LNS ··········································································· 262
Configuring AAA authentication on an LNS··········································································· 264
Setting the maximum number of ICRQ packets that the LNS can process per second···················· 264
Configuring optional L2TP parameters························································································ 264
Configuring L2TP tunnel authentication················································································ 264
Setting the Hello interval··································································································· 265
Setting the DSCP value of L2TP packets·············································································· 265
Setting the TSA ID of the LTS ···························································································· 265
Enabling L2TP-based EAD ······································································································ 266
Configuring IMSI/SN binding authentication on the LNS ································································· 266
Display and maintenance commands for L2TP············································································· 267
L2TP configuration examples ··································································································· 267
Example: Configuring a NAS-initiated L2TP tunnel ································································· 267
Example: Configuring a client-initiated L2TP tunnel ································································ 270
Example: Configuring an LAC-auto-initiated L2TP tunnel ························································· 271
Troubleshooting L2TP············································································································· 273
Failure to access the private network··················································································· 273
Data transmission failure··································································································· 274
L2TP user offline············································································································· 274
Configuring PPPoE······································································· 275
About PPPoE························································································································ 275
PPPoE network structure········································································································· 275
Router-initiated network structure ······················································································· 275
Host-initiated network structure ·························································································· 276
Protocols and standards·········································································································· 276
Restrictions: Hardware compatibility with IPoE ············································································· 276
Restrictions and guidelines: PPPoE configuration ········································································· 276
Configuring the PPPoE server ·································································································· 277
PPPoE server tasks at a glance ························································································· 277
Configuring a PPPoE session ···························································································· 277
Setting the maximum number of PPPoE sessions ·································································· 278
Limiting the PPPoE access rate·························································································· 278
Configuring the NAS-Port-ID attribute ·················································································· 279
Enabling PPPoE users to come online despite the PPPoE-NAT444 collaboration failure ················ 280
Setting the maximum number of PADI packets that the device can receive per second ·················· 281
Configuring PPPoE user blocking ······················································································· 281
Enabling PPPoE logging··································································································· 282
Display and maintenance commands for PPPoE ·········································································· 282
PPPoE configuration examples································································································· 283
Example: Configuring the PPPoE server ·············································································· 283
Example: Assigning the PPPoE server IP address through the local DHCP server ························ 284
Example: Assigning the PPPoE server IP address through a remote DHCP server························ 285
Example: Assigning the PPPoE server IPv6 address through ND and IPv6CP negotiation·············· 287
Example: Assigning the PPPoE server IPv6 address through DHCPv6······································· 289
Example: Assigning the PPPoE server IPv6 address through prefix delegation by DHCPv6 ············ 290
Example: Configuring PPPoE server RADIUS-based IP address assignment······························· 291
Configuring portal authentication ····················································· 294
About portal·························································································································· 294
Advantages of portal authentication····················································································· 294
Extended portal functions·································································································· 294
Portal system ················································································································· 294
Portal authentication using a remote portal server ·································································· 295
Local portal service·········································································································· 296
Portal authentication modes ······························································································ 296
Portal authentication process····························································································· 297
Portal filtering rules·········································································································· 299
MAC-based quick portal authentication ················································································ 299
Restrictions: Hardware compatibility with portal ············································································ 300
Restrictions and guidelines: Portal configuration··········································································· 300
Portal tasks at a glance··········································································································· 300
Prerequisites for portal············································································································ 302
Configuring a portal authentication server ··················································································· 302
Configuring a portal Web server································································································ 303
Configure basic parameters for a portal Web server································································ 303
Configuring a match rule for URL redirection········································································· 304
Configuring a local portal Web service························································································ 304
Restrictions and guidelines for configuring a local portal Web service········································· 304
Customizing authentication pages······················································································· 304
Configuring parameters for a local portal Web service····························································· 306
Specifying a portal authentication domain ··················································································· 307
About portal authentication domains···················································································· 307
Restrictions and guidelines for specifying a portal authentication domain····································· 307
Specifying a portal authentication domain on an interface ························································ 308
Configuring a portal preauthentication policy················································································ 308
About portal preauthentication policies················································································· 308
Restrictions and guidelines································································································ 308
Procedure······················································································································ 308
Specifying a preauthentication IP address pool ············································································ 309
About preauthentication IP address pools············································································· 309
Restrictions and guidelines································································································ 309
Procedure······················································································································ 310
Enabling portal authentication on an interface ·············································································· 310
Restrictions and guidelines································································································ 310
Procedure······················································································································ 311
Specifying a portal Web server on an interface············································································· 311
Controlling portal user access··································································································· 312
Configuring a portal-free rule ····························································································· 312
Configuring an authentication source subnet········································································· 313
Setting the maximum number of portal users········································································· 314
Enabling strict-checking on portal authorization information······················································ 315
Allowing only users with DHCP-assigned IP addresses to pass portal authentication ····················· 316
Configuring support of Web proxy for portal authentication······················································· 316
Blocking portal users that fail portal authentication·································································· 317
Enabling portal roaming···································································································· 317
Configuring the portal fail-permit feature··············································································· 318
Configuring portal detection features·························································································· 319
Configuring online detection of portal users··········································································· 319
Configuring portal authentication server detection ·································································· 320
Configuring portal Web server detection··············································································· 321
Configuring portal user synchronization················································································ 321
Configuring portal packet attributes···························································································· 322
Configuring the BAS-IP or BAS-IPv6 attribute········································································ 322
Specifying the device ID ··································································································· 323
Configuring attributes for RADIUS packets·················································································· 324
Specifying a format for the NAS-Port-Id attribute···································································· 324
Applying a NAS-ID profile to an interface·············································································· 324
Configuring MAC-based quick portal authentication······································································· 325
Restrictions and guidelines for configuring MAC-based quick portal authentication························ 325
Configuring a MAC binding server······················································································· 325
Specifying a MAC binding server on an interface···································································· 326
Configuring portal HTTP attack defense······················································································ 326
Setting the user traffic backup threshold ····················································································· 327
Logging out online portal users ································································································· 327
Enabling portal user login/logout logging····················································································· 328
Configuring Web redirect········································································································· 328
About Web redirect·········································································································· 328
Restrictions and guidelines································································································ 328
Procedure······················································································································ 328
Display and maintenance commands for portal ············································································ 329
Portal configuration examples··································································································· 330
Example: Configuring direct portal authentication··································································· 330
Example: Configuring re-DHCP portal authentication ······························································ 338
Example: Configuring cross-subnet portal authentication ························································· 342
Example: Configuring extended direct portal authentication······················································ 345
Example: Configuring extended re-DHCP portal authentication ················································· 349
Example: Configuring extended cross-subnet portal authentication ············································ 353
Example: Configuring portal server detection and portal user synchronization ······························ 356
Example: Configuring cross-subnet portal authentication for MPLS L3VPNs ································ 364
Example: Configuring direct portal authentication with a preauthentication policy ·························· 366
Example: Configuring re-DHCP portal authentication with a preauthentication policy ····················· 368
Example: Configuring direct portal authentication using a local portal Web service························ 370
Example: Configuring MAC-based quick portal authentication··················································· 373
Troubleshooting portal ············································································································ 381
No portal authentication page is pushed for users ·································································· 381
Cannot log out portal users on the access device··································································· 382
Cannot log out portal users on the RADIUS server ································································· 382
Users logged out by the access device still exist on the portal authentication server ······················ 382
Re-DHCP portal authenticated users cannot log in successfully ················································ 383
Configuring IPoE·········································································· 384
About IPoE··························································································································· 384
IPoE access modes········································································································· 384
IPoE users····················································································································· 384
IPoE session·················································································································· 385
IPoE addressing·············································································································· 386
IPoE authentication methods ····························································································· 386
IPoE access procedure by using bind authentication······························································· 386
Support for MPLS L3VPN ································································································· 389
Support for ITA ··············································································································· 390
Restrictions: Hardware compatibility with IPoE ············································································· 390
Restrictions and guidelines: IPoE configuration ············································································ 390
IPoE tasks at a glance ············································································································ 390
Prerequisites for IPoE············································································································· 391
Enabling IPoE and setting the IPoE access mode········································································· 391
Configuring bind authentication································································································· 391
Configuring dynamic individual users ························································································· 392
Dynamic individual user configuration tasks at a glance··························································· 392
Enabling dynamic individual users ······················································································ 392
Configuring authentication user naming conventions for dynamic individual users························· 393
Configuring passwords for dynamic individual users ······························································· 396
Configuring ISP domains for dynamic individual users····························································· 396
Configuring the maximum number of dynamic IPoE sessions ··················································· 397
Configuring trusted DHCP options for DHCP users································································· 398
Configuring trusted ISP domains for DHCP users··································································· 398
Configuring trusted source IP addresses for unclassified-IP users·············································· 399
Enabling dynamic individual users to come online despite the IPoE-NAT collaboration failure·········· 400
Configuring static individual users······························································································ 400
Static individual user configuration tasks at a glance······························································· 400
Enabling static individual users··························································································· 400
Configuring static IPoE sessions on an interface···································································· 401
Configuring global static IPoE sessions················································································ 402
Configuring authentication user naming conventions for static individual users ····························· 402
Configuring passwords for static individual users···································································· 403
Configuring ISP domains for static individual users································································· 404
Configuring leased users········································································································· 404
Leased user configuration tasks at a glance·········································································· 404
Configuring interface-leased users······················································································ 405
Configuring subnet-leased users ························································································ 405
Configuring L2VPN-leased users························································································ 406
Configuring ISP domains for leased users ············································································ 406
Configuring service-specific ISP domains···················································································· 407
Configuring the quiet feature for users························································································ 408
Configuring online detection for users························································································· 408
Configuring NAS-Port-Type for an interface················································································· 409
Configuring NAS-Port-ID formats······························································································· 410
Enabling IPoE access-out authentication ···················································································· 410
Setting the traffic statistics update timer for IPoE sessions······························································ 411
Enabling logging for IPoE users ································································································ 411
Display and maintenance commands for IPoE ············································································· 412
IPoE configuration examples···································································································· 416
Example: Configuring an unclassified-IP user········································································ 416
Example: Configuring a DHCP user····················································································· 418
Example: Configuring an IPv6-ND-RS user··········································································· 420
Example: Configuring an ARP-based static user ···································································· 421
Example: Configuring subnet-leased users ··········································································· 423
Example: Configuring an interface-leased user······································································ 427
Example: Configuring an L2VPN-leased user········································································ 429
Example: Configuring a VPN DHCP user·············································································· 433
Example: Configuring online detection ················································································· 436
Troubleshooting IPoE ············································································································· 438
DHCP clients failed to come online ····················································································· 438
Index························································································· 439
Configuring AAA
About AAA
AAA implementation
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
•Authentication—Identifies users and verifies their validity.
•Authorization—Grants different users different rights, and controls the users' access to
resources and services. For example, you can permit office users to read and print files and
prevent guests from accessing files on the device.
•Accounting—Records network usage details of users, including the service type, start time,
and traffic. This function enables time-based and traffic-based charging and user behavior
auditing.
AAA network diagram
AAA uses a client/server model. The client runs on the access device, or the network access server
(NAS), which authenticates user identities and controls user access. The server maintains user
information centrally. See Figure 1.
Figure 1 AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS.
The NAS transparently passes the user information to AAA servers and waits for the authentication,
authorization, and accounting result. Based on the result, the NAS determines whether to permit or
deny the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most
often used.
You can use different servers to implement different security functions. For example, you can use an
HWTACACS server for authentication and authorization, and use a RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company
wants employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an
accounting server.
Figure 1 elements: Remote user, NAS, RADIUS server, HWTACACS server, Internet, Network.
The device performs dynamic password authentication.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction
protocol that uses a client/server model. The protocol can protect networks against unauthorized
access and is often used in network environments that require both high security and remote user
access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support
additional access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains
information related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication
proxy services.
The RADIUS server maintains the following databases:
•Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
•Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
•Dictionary—Stores RADIUS protocol attributes and their values.
Figure 2 RADIUS server databases
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys,
which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called
Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,
and some other information. The receiver of the packet verifies the signature and accepts the packet
only when the signature is correct. This mechanism ensures the security of information exchanged
between the RADIUS client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS operates in the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.
The request includes the user's password, which has been processed by the MD5 algorithm
and shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds,
the server sends back an Access-Accept packet that contains the user's authorization
information. If the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)
packet to the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the
RADIUS server.
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting
for the user.
10. The RADIUS client notifies the user of the termination.
RADIUS packet format
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure
smooth packet exchange between the RADIUS server and the client. These mechanisms include the
timer mechanism, the retransmission mechanism, and the backup server mechanism.
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
•The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main
values and their meanings.
Table 1 Main values of the Code field
Code Packet type Description
1 Access-Request
From the client to the server. A packet of this type includes user
information for the server to authenticate the user. It must contain the
User-Name attribute and can optionally contain the attributes of
NAS-IP-Address, User-Password, and NAS-Port.
2 Access-Accept
From the server to the client. If all attribute values included in the
Access-Request are acceptable, the authentication succeeds, and
the server sends an Access-Accept response.
3 Access-Reject
From the server to the client. If any attribute value included in the
Access-Request is unacceptable, the authentication fails, and the
server sends an Access-Reject response.
4 Accounting-Request
From the client to the server. A packet of this type includes user
information for the server to start or stop accounting for the user. The
Acct-Status-Type attribute in the packet indicates whether to start or
stop accounting.
5 Accounting-Response
From the server to the client. The server sends a packet of this type to
notify the client that it has received the Accounting-Request and has
successfully recorded the accounting information.
•The Identifier field (1 byte long) is used to match response packets with request packets and to
detect duplicate request packets. The request and response packets of the same exchange
process for the same purpose (such as authentication or accounting) have the same identifier.
•The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the
Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are
considered padding and are ignored by the receiver. If the length of a received packet is less
than this length, the packet is dropped.
•The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS
server and to encrypt user passwords. There are two types of authenticators: request
authenticator and response authenticator.
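The shared-key mechanism, the Access-Request/Access-Accept exchange and the packet layout described above, as an added Python example that is not part of this guide or of the H3C software. It implements the RFC 2865 procedures the guide summarizes (User-Password hiding with MD5 and the shared key, the Response Authenticator signature, and the Length and Identifier checks on receipt); the shared key, username, password, NAS address and Framed-IP-Address are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # Code values from Table 1 of this guide
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT, ATTR_FRAMED_IP_ADDRESS = 1, 2, 4, 5, 8


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks; block i ^= MD5(secret + block i-1), block 0 uses request_auth."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; the NUL padding is stripped."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def encode_attributes(attrs) -> bytes:
    """Encode (type, value) pairs as Type (1) | Length (1, header included) | Value."""
    out = bytearray()
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def build_packet(code: int, identifier: int, authenticator: bytes, attrs_raw: bytes) -> bytes:
    """Code (1) | Identifier (1) | Length (2) | Authenticator (16) | Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs_raw)) + authenticator + attrs_raw


def parse_packet(data: bytes):
    """Parse a packet, applying the Length rules the guide describes."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte header: drop")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or len(data) < length:
        raise ValueError("received packet shorter than its Length field: drop")
    data = data[:length]  # bytes beyond Length are padding and are ignored
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, identifier, data[4:20], attrs


def response_authenticator(code, identifier, request_auth, attrs_raw, secret) -> bytes:
    """MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs_raw))
    return hashlib.md5(header + request_auth + attrs_raw + secret).digest()


def build_access_request(identifier, username, password, secret, nas_ip, nas_port) -> bytes:
    """NAS side: a fresh random Request Authenticator and a hidden User-Password."""
    request_auth = os.urandom(16)
    attrs = encode_attributes([(ATTR_USER_NAME, username),
                               (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
                               (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
                               (ATTR_NAS_PORT, struct.pack("!I", nas_port))])
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def server_reply(request: bytes, secret: bytes, expected_password: bytes) -> bytes:
    """Server side: recover the password, accept or reject, sign the reply with the shared key."""
    _, identifier, request_auth, attrs = parse_packet(request)
    ok = reveal_password(dict(attrs)[ATTR_USER_PASSWORD], secret, request_auth) == expected_password
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    # Authorization data rides in the Access-Accept (a constructed Framed-IP-Address here).
    attrs_raw = encode_attributes([(ATTR_FRAMED_IP_ADDRESS, bytes([10, 0, 0, 7]))]) if ok else b""
    auth = response_authenticator(code, identifier, request_auth, attrs_raw, secret)
    return build_packet(code, identifier, auth, attrs_raw)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: accept only if the Identifier matches and the signature verifies."""
    code, identifier, auth, _ = parse_packet(response)
    _, req_id, request_auth, _ = parse_packet(request)
    attrs_raw = response[20:struct.unpack("!H", response[2:4])[0]]
    expected = response_authenticator(code, identifier, request_auth, attrs_raw, secret)
    return identifier == req_id and hmac.compare_digest(expected, auth)


def demo():
    secret = b"example-shared-key"  # constructed sample value, not a deployment secret
    request = build_access_request(7, b"alice", b"s3cret!", secret, "192.0.2.10", 3)
    reply = server_reply(request, secret, b"s3cret!")
    return reply[0], verify_response(reply, request, secret), verify_response(reply, request, b"wrong-key")
```

Because the only protection is the shared key and MD5, a reply signed with any other key fails verify_response; that check, together with the Identifier match, is what the NAS relies on before acting on an Access-Accept.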