H3C SR8800-F User manual

H3C SR8800-F Routers

Comware 7 User Access Configuration Guide

New H3C Technologies Co., Ltd.

http://www.h3c.com.hk

Software version: SR8800FS-CMW710-R7655P05 or later

Document version: 6W100-20170825

No part of this manual may be reproduced or transmitted in any form or by any means without prior written

consent of New H3C Technologies Co., Ltd.

Trademarks

H3C, , H3CS, H3CIE, H3CNE,Aolynk, , H3Care, , IRF, NetPilot, Netflow, SecEngine,

SecPath, SecCenter, SecBlade, Comware, ITCMM and HUASAN are trademarks of New H3C Technologies

Co., Ltd.

All other trademarks that may be mentioned in this manual are the property of their respective owners

Notice

The information in this document is subject to change without notice. Every effort has been made in the

preparation of this document to ensure accuracy of the contents, but all statements, information, and

recommendations in this document do not constitute the warranty of any kind, express or implied.

Preface

This configuration guide describes fundamentals and configuration of user access features.

This preface includes the following topics about the documentation:

•Audience.

•Conventions

•Obtaining documentation

•Technical support

•Documentation feedback

Audience

This documentation is intended for:

•Network planners.

•Field technical support and servicing engineers.

•Network administrators working with the routers.

Conventions

The following information describes the conventions used in the documentation.

Command conventions

Convention Description

Boldface Bold text represents commands and keywords that you enter literally as shown.

Italic Italic text represents arguments that you replace with actual values.

[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.

{ x | y | ... }

Braces enclose a set of required syntax choices separated by vertical bars, from which

you select one.

[ x | y | ... ]

Square brackets enclose a set of optional syntax choices separated by vertical bars,

from which you select one or none.

{ x | y | ... } *

Asterisk marked braces enclose a set of required syntax choices separated by vertical

bars, from which you select a minimum of one.

[ x | y | ... ] *

Asterisk marked square brackets enclose optional syntax choices separated by vertical

bars, from which you select one choice, multiple choices, or none.

&<1-n> The argument or keyword and argument combination before the ampersand (&) sign

can be entered 1 to n times.

# A line that starts with a pound (#) sign is comments.

GUI conventions

Convention Description

Boldface Window names, button names, field names, and menu items are in Boldface. For

example, the New User window opens; click OK.

> Multi-level menus are separated by angle brackets. For example, File > Create >

Convention Description

Folde

Symbols

Convention Description

WARNING! An alert that calls attention to important information that if not understood or followed

can result in personal injury.

CAUTION: An alert that calls attention to important information that if not understood or followed

can result in data loss, data corruption, or damage to hardware or software.

IMPORTANT: An alert that calls attention to essential information.

NOTE: An alert that contains additional or supplementary information.

TIP: An alert that provides helpful information.

Network topology icons

Convention Description

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that

supports Layer 2 forwarding and other Layer 2 features.

Represents an access controller, a unified wired-WLAN module, or the access

controller engine on a unified wired-WLAN switch.

Represents an access point.

Wireless terminator unit.

Wireless terminator.

Represents a mesh access point.

Represents omnidirectional signals.

Represents directional signals.

Represents a security product, such as a firewall, UTM, multiservice security

gateway, or load balancing device.

Represents a security module, such as a firewall, load balancing, NetStream, SSL

VPN, IPS, or ACG module.



Examples provided in this document

Examples in this document might use devices that differ from your device in hardware model,

configuration, or software version. It is normal that the port numbers, sample output, screenshots,

and other information in the examples differ from what you have on your device.

Obtaining documentation

To access the most up-to-date H3C product documentation, go to the H3C website at

http://www.h3c.com.hk

To obtain information about installation, configuration, and maintenance, click

http://www.h3c.com.hk/Technical_Documents

To obtain software version information such as release notes, click

http://www.h3c.com.hk/Software_Download

Technical support

service@h3c.com

http://www.h3c.com.hk

Documentation feedback

You can e-mail your comments about product documentation to info@h3c.com.

We appreciate your comments.

Contents

Configuring AAA ··············································································1

About AAA ·······························································································································1

AAA implementation ············································································································1

AAA network diagram···········································································································1

RADIUS ····························································································································2

HWTACACS ······················································································································5

LDAP································································································································8

User management based on ISP domains and user access types ···············································11

Authentication, authorization, and accounting methods······························································11

AAA for MPLS L3VPNs ······································································································13

Protocols and standards ·····································································································13

AAA tasks at a glance···············································································································14

Configuring local users··············································································································15

About local users···············································································································15

Local user configuration tasks at a glance···············································································16

Configuring attributes for device management users·································································16

Configuring attributes for network access users ·······································································17

Configuring local guest attributes··························································································18

Configuring user group attributes··························································································19

Managing local guests········································································································21

Display and maintenance commands for local users and local user groups····································22

Configuring RADIUS·················································································································23

RADIUS tasks at a glance···································································································23

Configuring a test profile for RADIUS server status detection······················································23

Creating a RADIUS scheme ································································································24

Specifying the RADIUS authentication servers·········································································24

Specifying the RADIUS accounting servers·············································································25

Specifying the shared keys for secure RADIUS communication···················································26

Specifying an MPLS L3VPN instance for the scheme································································26

Setting the username format and traffic statistics units ······························································27

Setting the maximum number of RADIUS request transmission attempts ······································27

Setting the maximum number of real-time accounting attempts ···················································28

Configuring RADIUS stop-accounting packet buffering······························································28

Setting the maximum number of pending RADIUS requests ·······················································29

Setting the status of RADIUS servers ····················································································29

Enabling the RADIUS server load sharing feature ····································································31

Specifying the source IP address for outgoing RADIUS packets··················································32

Setting RADIUS timers·······································································································33

Configuring the RADIUS accounting-on feature ·······································································34

Interpreting the RADIUS class attribute as CAR parameters·······················································34

Configuring the Login-Service attribute check method for SSH, FTP, and terminal users ··················35

Configuring the MAC address format for RADIUS attribute 31·····················································35

Configuring the format for RADIUS attribute 87········································································36

Setting the data measurement unit for the Remanent_Volume attribute·········································36

Specifying a server version for interoperating with servers with a vendor ID of 2011 ························37

Configuring the RADIUS attribute translation feature·································································37

Configuring the RADIUS session-control feature······································································39

Configuring the RADIUS DAS feature····················································································39

Changing the DSCP priority for RADIUS packets ·····································································40

Configuring the device to preferentially process RADIUS authentication requests ···························40

Enabling SNMP notifications for RADIUS ···············································································41

Display and maintenance commands for RADIUS····································································41

Configuring HWTACACS···········································································································42

HWTACACS tasks at a glance ····························································································· 42

Creating an HWTACACS scheme·························································································42

Specifying the HWTACACS authentication servers···································································42

Specifying the HWTACACS authorization servers ····································································43

Specifying the HWTACACS accounting servers·······································································44

Specifying the shared keys for secure HWTACACS communication·············································44

Specifying an MPLS L3VPN instance for the scheme································································45

Setting the username format and traffic statistics units ······························································45

Configuring HWTACACS stop-accounting packet buffering ························································46

Specifying the source IP address for outgoing HWTACACS packets ············································46

Setting HWTACACS timers ·································································································47

Display and maintenance commands for HWTACACS ······························································48

Configuring LDAP ····················································································································49

LDAP tasks at a glance ······································································································49

Creating an LDAP server ····································································································49

Configuring the IP address of the LDAP server········································································49

Specifying the LDAP version································································································50

Setting the LDAP server timeout period··················································································50

Configuring administrator attributes·······················································································50

Configuring LDAP user attributes··························································································51

Configuring an LDAP attribute map ·······················································································52

Creating an LDAP scheme··································································································52

Specifying the LDAP authentication server··············································································53

Specifying the LDAP authorization server···············································································53

Specifying an LDAP attribute map for LDAP authorization··························································53

Display and maintenance commands for LDAP········································································53

Configuring AAA methods for ISP domains····················································································54

Creating an ISP domain······································································································54

Configuring ISP domain attributes·························································································55

Configuring authentication methods for an ISP domain······························································58

Configuring authorization methods for an ISP domain ·······························································60

Configuring accounting methods for an ISP domain··································································62

Display and maintenance commands for ISP domains ······························································64

Setting the maximum number of concurrent login users····································································65

Configuring the local bill cache feature ·························································································65

About local bill cache ·········································································································65

Procedure························································································································65

Display and maintenance commands for local bill cache····························································66

Configuring a NAS-ID ···············································································································66

About NAS-IDs ·················································································································66

Configuring a NAS-ID profile································································································66

Setting the NAS-ID on an interface························································································67

Setting the NAS-ID in an ISP domain·····················································································67

Configuring the device ID···········································································································68

AAA configuration examples·······································································································68

Example: Configuring authentication and authorization for SSH users by a RADIUS server···············68

Example: Configuring local authentication and authorization for SSH users ···································71

Example: Configuring AAA for SSH users by an HWTACACS server············································72

Example: Configuring authentication for SSH users by an LDAP server ········································73

Example: Configuring AAA for PPP users by an HWTACACS server············································78

Troubleshooting RADIUS···········································································································79

RADIUS authentication failure······························································································79

RADIUS packet delivery failure ····························································································80

RADIUS accounting error····································································································80

Troubleshooting HWTACACS·····································································································81

Troubleshooting LDAP··············································································································81

LDAP authentication failure ·································································································81

Appendixes ····························································································································82

Appendix A Commonly used RADIUS attributes·······································································82

Appendix B Descriptions for commonly used standard RADIUS attributes ·····································83

Appendix C RADIUS subattributes (vendor ID 25506)·······························································85

DHCP overview ·············································································88

DHCP network model ···············································································································88

DHCP address allocation···········································································································88

Allocation mechanisms·······································································································88

iii

IP address allocation process ······························································································89

IP address lease extension··································································································89

DHCP message format ·············································································································90

DHCP options ·························································································································91

Common DHCP options ············································································································91

Custom DHCP options··············································································································91

Vendor-specific option (Option 43) ························································································92

Relay agent option (Option 82)·····························································································93

Option 184·······················································································································93

Protocols and standards············································································································94

Configuring the DHCP server····························································95

About DHCP server··················································································································95

DHCP address assignment mechanisms················································································95

Principles for selecting an address pool··················································································96

IP address allocation sequence····························································································97

DHCP server tasks at a glance ···································································································97

Creating a DHCP user class·······································································································98

Configuring an address pool on the DHCP server ···········································································98

DHCP address pool tasks at a glance····················································································98

Creating a DHCP address pool ····························································································99

Specifying IP address ranges for a DHCP address pool·····························································99

Specifying gateways for DHCP clients ················································································· 102

Specifying a domain name suffix for DHCP clients·································································· 102

Specifying DNS servers for DHCP clients············································································· 103

Specifying WINS servers and NetBIOS node type for DHCP clients ··········································· 103

Specifying BIMS server for DHCP clients·············································································· 103

Specifying the configuration file for DHCP client auto-configuration············································ 104

Specifying a server for DHCP clients ··················································································· 105

Configuring Option 184 parameters for DHCP clients······························································ 105

Customizing DHCP options ······························································································· 105

Configuring the DHCP user class whitelist ············································································ 107

Enabling DHCP ····················································································································· 107

Enabling the DHCP server on an interface ·················································································· 108

Applying a DHCP address pool to a VPN instance ········································································ 108

Applying an address pool on an interface···················································································· 108

Configuring a DHCP policy for dynamic address assignment··························································· 109

Allocating different IP addresses to DHCP clients with the same MAC··············································· 110

Enabling random IP address allocation······················································································· 110

Configuring IP address conflict detection····················································································· 110

Enabling handling of Option 82 ································································································· 111

Disabling Option 60 encapsulation in DHCP replies······································································· 111

Configuring the DHCP server security features············································································· 112

Restrictions and guidelines································································································ 112

Configuring DHCP flood attack protection············································································· 112

Configuring DHCP starvation attack protection ······································································ 113

Configuring DHCP server compatibility ······················································································· 113

Configuring the DHCP server to always broadcast responses··················································· 113

Enabling the DHCP server to return a DHCP-NAK message upon client notions of incorrect IP addresses

··································································································································· 114

Configure the DHCP server to ignore BOOTP requests··························································· 114

Configuring the DHCP server to send BOOTP responses in RFC 1048 format ····························· 115

Setting the DSCP value for DHCP packets sent by the DHCP server ················································ 115

Configuring DHCP packet rate limit on a DHCP server interface ······················································ 115

Configuring DHCP binding auto backup······················································································ 116

Binding gateways to DHCP server's MAC address········································································ 116

Advertising subnets assigned to clients······················································································· 117

Enabling client offline detection on the DHCP server ····································································· 118

Configuring SNMP notifications for the DHCP server····································································· 118

Enabling DHCP logging on the DHCP server ··············································································· 119

Display and maintenance commands for DHCP server ·································································· 119

DHCP server configuration examples························································································· 120

Example: Configuring static IP address assignment································································ 120

Example: Configuring dynamic IP address assignment···························································· 121

Example: Configuring DHCP user class ··············································································· 123

Example: Configuring DHCP user class whitelist···································································· 125

Example: Configuring primary and secondary subnets ···························································· 126

Example: Customizing DHCP option ··················································································· 127

Example: Configuring DHCP server (WLAN application)································································· 129

Network configuration······································································································· 129

Procedure······················································································································ 130

Verifying the configuration································································································· 130

Troubleshooting DHCP server configuration ················································································ 130

Failure to obtain a non-conflicting IP address ········································································ 130

Configuring the DHCP relay agent··················································· 132

About DHCP relay agent ········································································································· 132

DHCP relay agent operation ······························································································ 132

DHCP relay agent support for Option 82··············································································· 133

DHCP relay agent support for MCE····················································································· 133

DHCP relay agent tasks at a glance··························································································· 134

Enabling DHCP ····················································································································· 134

Enabling the DHCP relay agent on an interface············································································ 134

Specifying DHCP servers ········································································································ 135

Specifying DHCP servers on a relay agent············································································ 135

Configuring a DHCP address pool on a DHCP relay agent······················································· 135

Specifying the DHCP server selecting algorithm····································································· 136

Configuring the DHCP relay agent security features ······································································ 138

Rustications and guidelines ······························································································· 138

Enabling the DHCP relay agent to record relay entries ···························································· 138

Enabling periodic refresh of dynamic relay entries·································································· 138

Configuring DHCP flood attack protection············································································· 139

Enabling DHCP starvation attack protection·········································································· 139

Enabling DHCP server proxy on the DHCP relay agent ··························································· 140

Enabling client offline detection on the DHCP relay agent ························································ 141

Configuring the DHCP relay agent to release an IP address···························································· 141

Configuring Option 82············································································································· 141

Setting the DSCP value for DHCP packets sent by the DHCP relay agent·········································· 142

Configuring DHCP packet rate limit on a DHCP relay interface ························································ 143

Specifying the DHCP relay agent address for the giaddr field ························································· 143

Manually specifying the DHCP relay agent address for the giaddr field······································· 143

Configuring smart relay to specify the DHCP relay agent address for the giaddr field ···················· 143

Specifying the source IP address for DHCP requests····································································· 145

Configuring the DHCP relay agent to always unicast relayed DHCP responses··································· 146

Configuring forwarding DHCP replies based on Option 82 ······························································ 146

Display and maintenance commands for DHCP relay agent···························································· 147

DHCP relay agent configuration examples ·················································································· 148

Example: Configuring basic DHCP relay agent ······································································ 148

Example: Configuring Option 82························································································· 149

Example: Configuring DHCP server selection········································································ 149

Troubleshooting DHCP relay agent configuration·········································································· 151

Failure of DHCP clients to obtain configuration parameters through the DHCP relay agent ············· 151

Configuring the DHCP client··························································· 152

About DHCP client ················································································································· 152

Restrictions and guidelines: DHCP client configuration··································································· 152

Enabling the DHCP client on an interface···················································································· 152

Configuring a DHCP client ID for an interface··············································································· 152

Enabling duplicated address detection························································································ 153

Setting the DSCP value for DHCP packets sent by the DHCP client ················································· 153

Display and maintenance commands for DHCP client···································································· 154

DHCP client configuration examples ·························································································· 154

Example: Configuring DHCP client······················································································ 154

Configuring DHCP snooping··························································· 157

About DHCP snooping············································································································ 157

Application of trusted and untrusted ports············································································· 157

DHCP snooping support for Option 82 ················································································· 158

Restrictions and guidelines: DHCP snooping configuration ····························································· 159

DHCP snooping tasks at a glance ····························································································· 159

Configuring basic DHCP snooping····························································································· 159

Configuring Option 82············································································································· 160

Configuring DHCP snooping entry auto backup············································································ 161

Enabling DHCP starvation attack protection················································································· 162

Enabling DHCP-REQUEST attack protection··············································································· 162

Setting the maximum number of DHCP snooping entries································································ 163

Configuring a DHCP packet blocking port···················································································· 163

Enabling DHCP snooping logging······························································································ 164

Display and maintenance commands for DHCP snooping······························································· 164

DHCP snooping configuration examples····················································································· 165

Example: Configuring basic DHCP snooping········································································· 165

Example: Configuring DHCP snooping support for Option 82···················································· 166

Configuring the BOOTP client························································· 168

About BOOTP client ··············································································································· 168

BOOTP application·········································································································· 168

Obtaining an IP address dynamically··················································································· 168

Protocols and standards ··································································································· 168

Configuring an interface to use BOOTP for IP address acquisition···················································· 168

Display and maintenance commands for BOOTP client·································································· 169

BOOTP client configuration examples ························································································ 169

Example: Configuring BOOTP client···················································································· 169

DHCPv6 overview········································································ 170

DHCPv6 address/prefix assignment··························································································· 170

Rapid assignment involving two messages ··········································································· 170

Assignment involving four messages··················································································· 170

Address/prefix lease renewal···································································································· 171

Stateless DHCPv6 ················································································································· 172

DHCPv6 options···················································································································· 172

Option 18······················································································································· 172

Option 37······················································································································· 173

Protocols and standards·········································································································· 174

Configuring the DHCPv6 server ······················································ 175

About DHCPv6 server············································································································· 175

IPv6 address assignment·································································································· 175

IPv6 prefix assignment ····································································································· 175

Concepts······················································································································· 176

DHCPv6 address pool······································································································ 176

IPv6 address/prefix allocation sequence··············································································· 177

DHCPv6 server tasks at a glance······························································································ 178

Configuring IPv6 prefix assignment···························································································· 178

Configuring IPv6 address assignment ························································································ 180

Configuring network parameters assignment ··············································································· 181

Configuring network parameters in a DHCPv6 address pool····················································· 182

Configuring network parameters in a DHCPv6 option group ····················································· 182

Configuring a DHCPv6 policy for IPv6 address and prefix assignment··············································· 183

Configuring the DHCPv6 server on an interface············································································ 184

Allocating different IPv6 addresses to DHCPv6 clients with the same MAC ········································ 185

Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server·········································· 185

Configuring DHCPv6 binding auto backup··················································································· 186

Advertising subnets assigned to clients······················································································· 186

Applying a DHCPv6 address pool to a VPN instance····································································· 187

Configuring the DHCPv6 server security features ········································································· 188

Other manuals for SR8800-F

Table of contents

Popular Network Router manuals by other brands

Allnet

Allnet ALL0333AU user guide

HomeSeer

HomeSeer HT-SEL Getting started guide

Sercomm

Sercomm Genesis OC3505D Quick installation guide

Billion

Billion BIPAC 5102 Series user manual

TP-Link

TP-Link TD-8817 QIG

Motorola

Motorola MR1900 user guide

Digi

Digi IX14 user guide

Cisco

Cisco NCS 540 Hardware installation guide

XAVi

XAVi X8821e user manual

BEC

BEC 6200WZL Quick installation guide

MikroTik

MikroTik hAP ac3 Series quick start

Korenix

Korenix JetNet 5428G Series user manual

NETGEAR

NETGEAR FS526T - Switch installation guide

Automated Logic

Automated Logic ZN551 Technical instructions

Cisco

Cisco ASR 1000 Series Installation and configuration guide

EnGenius

EnGenius ESR-9710 quick start guide

Cisco

Cisco 805 Series Product overview

LevelOne

LevelOne FBR-1416 user manual