WiFi认证平台对接华为ME60实现微信、短信、访客和MAC快速认证应用
配置三层IPoE接入(Portal推送)示例
介绍一个三层IPoE接入(Portal推送)的配置示例,结合配置组网图来理解业务的配置过程。配置示例包括组网需求、思路准备、操作步骤和配置文件。
组网需求
如图1所示,三层IPoE接入组网需求为:
用户归属于isp2域,经DHCP Relay设备ME60A,从ME60B的GE1/0/2接口下以三层IPoE方式接入。
用户采用Web认证,并采用RADIUS认证模式和RADIUS计费模式。
RADIUS服务器地址为192.168.8.249,认证和计费端口分别是1812和1813,采用标准RADIUS协议,密钥为hello。
DNS服务器地址为192.168.8.252。
Web服务器、Web认证服务器和Portal服务器集成到一台设备上,Portal服务器地址为192.168.8.251。
为了提升Portal推送的准确率,需要配置基于流的Portal推送。如果用户访问指定的网页(IP地址:4.4.4.4),要进行Portal推送。
图1 三层IPoE(Portal推送)配置举例组网图
配置思路
配置思路如下,以下除了DHCP中继功能外,其他功能都是在ME60B上配置的:
配置ME60A的DHCP中继功能
配置认证方案和计费方案
配置RADIUS服务器组
配置地址池
配置Web认证的认证前域和认证域
配置Web认证服务器
配置Portal服务器
配置Portal业务策略
配置UCL规则和流量管理策略
配置BAS接口和上行接口
数据准备
完成此配置举例,需要准备以下数据:
认证模板的名称和认证方式
计费模板的名称和计费方式
RADIUS服务器组名称,RADIUS认证服务器和RADIUS计费服务器的IP地址、端口号
地址池名称、网关地址、DNS服务器地址
域的名称
Portal业务策略
Portal服务器地址
UCL规则
流量管理策略
BAS接口参数
操作步骤
在ME60A和ME60B上分别配置接口IP地址。
配置ME60A
<me60a> system-view
[ME60A] interface GigabitEthernet1/0/2
[ME60A-GigabitEthernet1/0/2] ip address 11.11.11.1 255.255.255.0
[ME60A-GigabitEthernet1/0/2] quit
[ME60A] interface GigabitEthernet1/0/1.1
[ME60A-GigabitEthernet1/0/1.1] ip address 192.168.1.2 255.255.255.0
[ME60A-GigabitEthernet1/0/1.1] vlan-type dot1q 1
[ME60A-GigabitEthernet1/0/1.1] quit
配置ME60B
[ME60B] interface GigabitEthernet1/0/2.1
[ME60B-GigabitEthernet1/0/2.1] ip address 192.168.1.1 255.255.255.0
[ME60B-GigabitEthernet1/0/2.1] vlan-type dot1q 1
[ME60B-GigabitEthernet1/0/2.1] quit
在ME60A上配置Relay功能。
[ME60A] interface GigabitEthernet1/0/2
[ME60A-GigabitEthernet1/0/2] dhcp select relay
[ME60A-GigabitEthernet1/0/2] ip relay address 192.168.1.1
[ME60A-GigabitEthernet1/0/2] quit
在ME60B上配置网络侧地址池,网关与Relay (ME60A) 入接口的IP地址在同一个网段。
<me60b> system-view
[ME60B] ip pool huawei bas local
[ME60B-ip-pool-huawei] gateway 11.11.11.1 24
[ME60B-ip-pool-huawei] section 0 11.11.11.2 11.11.11.255
[ME60B-ip-pool-huawei] dns-server 192.168.8.252
[ME60B-ip-pool-huawei] quit
配置AAA方案
配置认证方案
[ME60B] aaa
[ME60B-aaa] authentication-scheme auth2
[ME60B-aaa-authen-auth2] authentication-mode radius
[ME60B-aaa-authen-auth2] quit
配置计费方案
[ME60B-aaa] accounting-scheme acct2
[ME60B-aaa-accounting-acct2] accounting-mode radius
[ME60B-aaa-accounting-acct2] quit
[ME60B-aaa] quit
配置RADIUS服务器组
[ME60B] radius-server group rd2
[ME60B-radius-rd2] radius-server authentication 192.168.8.249 1812
[ME60B-radius-rd2] radius-server accounting 192.168.8.249 1813
[ME60B-radius-rd2] radius-server type standard
[ME60B-radius-rd2] radius-server shared-key hello
[ME60B-radius-rd2] quit
配置域
配置default0域,作为Web认证的认证前域。
[ME60B] user-group huawei
[ME60B] aaa
[ME60B-aaa] domain default0
[ME60B-aaa-domain-default0] user-group huawei
[ME60B-aaa-domain-default0] web-server 192.168.8.251
[ME60B-aaa-domain-default0] web-server url http://192.168.8.251
[ME60B-aaa-domain-default0] ip-pool huawei
[ME60B-aaa-domain-default0] quit
配置Portal业务策略
[ME60B] service-group portal-group
[ME60B] service-policy name portal-policy portal
[ME60B-service-policy-pt] service-group portal-group
[ME60B-service-policy-pt] quit
配置认证域isp2,域下绑定Portal业务策略
[ME60B-aaa] domain isp2
[ME60B-aaa-domain-isp2] authentication-scheme auth2
[ME60B-aaa-domain-isp2] accounting-scheme acct2
[ME60B-aaa-domain-isp2] radius-server group rd2
[ME60B-aaa-domain-isp2] portal-server 192.168.8.251
[ME60B-aaa-domain-isp2] portal-server url http://192.168.8.251/portal/admin/
[ME60B-aaa-domain-isp2] service-policy portal-policy
[ME60B-aaa-domain-isp2] quit
[ME60B-aaa] quit
配置Web认证服务器
[ME60B] web-auth-server 192.168.8.251
配置UCL
配置用户在前域时,重定向到Web认证页面的UCL规则,其中UCL 6000里配置的是允许用户访问的网页的IP地址。
[ME60B] acl 6000
[ME60B-acl-ucl-6000] rule 10 permit ip source user-group huawei destination ip-address 127.0.0.1 0
[ME60B-acl-ucl-6000] rule 15 permit ip source ip-address 127.0.0.1 0 destination user-group huawei
说明:
配置针对127.0.0.1的UCL是为了让上送ME60B设备CPU的用户报文能顺利通过。如果是在BSUA/MSUA单板上配置BAS接口,则需要配置针对127.0.0.1的UCL;如果是在BSUF-21/BSUF-40单板上配置BAS接口,则此处的127.0.0.1也可以替换为地址池gateway地址11.11.11.1。
[ME60B-acl-ucl-6000] rule 20 permit ip source user-group huawei destination ip-address 192.168.8.252 0
[ME60B-acl-ucl-6000] rule 25 permit ip source ip-address 192.168.8.252 0 destination user-group huawei
[ME60B-acl-ucl-6000] rule 30 permit ip source user-group huawei destination ip-address 192.168.8.249 0
[ME60B-acl-ucl-6000] rule 35 permit ip source ip-address 192.168.8.249 0 destination user-group huawei
[ME60B-acl-ucl-6000] rule 40 permit ip source user-group huawei destination ip-address 192.168.8.251 0
[ME60B-acl-ucl-6000] rule 45 permit ip source ip-address 192.168.8.251 0 destination user-group huawei
[ME60B] acl 6001
[ME60B-acl-ucl-6001] rule 10 permit tcp source user-group huawei destination-port eq www
[ME60B-acl-ucl-6001] rule 15 permit tcp source user-group huawei destination-port eq 8080
[ME60B-acl-ucl-6001] rule 20 permit ip source user-group huawei
配置用户在认证域时,访问指定的网页会被重定向到Portal推送页面的UCL规则,其中4.4.4.4为指定的某个网页的IP地址,192.168.8.251为PORTAL服务器地址
ME60B] acl 7000
ME60B-acl-ucl-7000] rule 5 permit tcp source service-group portal-group destination ip-address 4.4.4.4 0 destination-port eq www
ME60B-acl-ucl-7000] rule 10 permit tcp source service-group portal-group destination ip-address 4.4.4.4 0 destination-port eq 8080
ME60B-acl-ucl-7000] rule 15 permit tcp source service-group portal-group destination ip-address 192.168.8.251 0 destination-port eq www
ME60B-acl-ucl-7000] rule 20 permit tcp source service-group portal-group destination ip-address 192.168.8.251 0 destination-port eq 8080
ME60B-acl-ucl-7000] quit
配置流量管理策略
[ME60B] traffic classifier web_permit
[ME60B-classifier-web_permit] if-match acl 6000
[ME60B-classifier-web_permit] quit
[ME60B] traffic behavior web_permit
[ME60B-behavior-web_permit] permit
[ME60B-behavior-web_permit] quit
[ME60B] traffic classifier web_deny
[ME60B-classifier-web_deny] if-match acl 6001
[ME60B-classifier-web_deny] quit
[ME60B] traffic behavior web_deny
[ME60B-behavior-web_deny] http-redirect
[ME60B-behavior-web_deny] quit
[ME60B] traffic behavior portal
[ME60B-behavior-portal] if-match acl 7000
[ME60B-behavior-portal] quit
[ME60B] traffic behavior portal
[ME60B-behavior-portal] redirect-cpu portal
[ME60B-behavior-portal] quit
[ME60B] traffic policy l3-ipoe
[ME60B-policy-l3-ipoe] classifier portal behavior portal
[ME60B-policy-l3-ipoe] classifier web_permit behavior web_permit
[ME60B-policy-l3-ipoe] classifier web_deny behavior web_deny
[ME60B-policy-l3-ipoe] quit
在全局下应用用户侧流量管理策略
[ME60B] traffic-policy l3-ipoe inbound
[ME60B] traffic-policy l3-ipoe outbound
配置接口
配置BAS接口
[ME60B] interface GigabitEthernet 1/0/2.1
[ME60B-GigabitEthernet1/0/2.1] vlan-type dot1q 1
[ME60B-GigabitEthernet1/0/2.1] ip address 192.168.1.1 255.255.255.0
[ME60B-GigabitEthernet1/0/2.1] bas
[ME60B-GigabitEthernet1/0/2.1-bas] access-type layer3-subscriber default-domain pre-authentication default0 authentication isp2
[ME60B-GigabitEthernet1/0/2.1-bas] quit
[ME60B-GigabitEthernet1/0/2.1] quit
配置上行接口。
[ME60B] interface GigabitEthernet 1/0/1
[ME60B-GigabitEthernet1/0/1] ip address 192.168.8.1 255.255.255.0
[ME60B-GigabitEthernet1/0/1] quit
配置文件
ME60A的配置文件
#
sysname ME60A
#
interface 1/0/2
undo shutdown
ip address 11.11.11.1 255.255.255.0
ip relay address 192.168.1.1
dhcp select relay
#
interface GigabitEthernet1/0/1.1
vlan-type dot1q 1
ip address 192.168.1.2 255.255.255.0
#
return
ME60B的配置文件
#
sysname ME60B
#
user-group huawei
#
radius-server group rd2
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key hello
#
acl number 6000
rule 10 permit ip source user-group huawei destination ip-address 127.0.0.1 0
rule 15 permit ip source ip-address 127.0.0.1 0 destination user-group huawei
rule 20 permit ip source user-group huawei destination ip-address 192.168.8.252 0
rule 25 permit ip source ip-address 192.168.8.252 0 destination user-group huawei
rule 30 permit ip source user-group huawei destination ip-address 192.168.8.249 0
rule 35 permit ip source ip-address 192.168.8.249 0 destination user-group huawei
rule 40 permit ip source user-group huawei destination ip-address 192.168.8.251 0
rule 45 permit ip source ip-address 192.168.8.251 0 destination user-group huawei
#
acl number 6001
rule 10 permit tcp source user-group huawei destination-port eq www
rule 15 permit tcp source user-group huawei destination-port eq 8080
rule 20 permit ip source user-group huawei
#
acl number 7000
rule 5 permit tcp source service-group portal-group destination ip-address 4.4.4.4 0 destination-port eq www
rule 10 permit tcp source service-group portal-group destination ip-address 4.4.4.4 0 destination-port eq 8080
rule 15 permit tcp source service-group portal-group destination ip-address 192.168.8.251 0 destination-port eq www
rule 20 permit tcp source service-group portal-group destination ip-address 192.168.8.251 0 destination-port eq 8080
#
traffic classifier web_permit operator or
if-match acl 6000
traffic classifier web_deny operator or
if-match acl 6001
traffic classifier portal operator or
if-match acl 7000
#
traffic behavior web_permit
traffic behavior web_deny
http-redirect
traffic behavior portal
redirect-cpu portal
#
traffic policy l3-ipoe
share-mode
classifier portal behavior portal
classifier web_permit behavior web_permit
classifier web_deny behavior web_deny
#
ip pool huawei bas local
gateway 11.11.11.1 255.255.255.0
section 0 11.11.11.2 11.11.11.255
dns-server 192.168.8.252
#
aaa
authentication-scheme auth2
#
accounting-scheme acct2
#
domain default0
user-group huawei
web-server 192.168.8.251
web-server url http://192.168.8.251
ip-pool huawei
domain isp2
authentication-scheme auth2
accounting-scheme acct2
radius-server group rd2
portal-server 192.168.8.251
portal-server url http://192.168.8.251/portal/admin/
service-policy portal-policy
#
interface GigabitEthernet1/0/2
undo shutdown
#
interface GigabitEthernet1/0/2.1
vlan-type dot1q 1
ip address 192.168.1.1 255.255.255.0
bas
#
access-type layer3-subscriber default-domain pre-authentication default0 authentication isp2
#
ip route-static 11.11.11.1 255.255.255.255 192.168.1.2
#
traffic-policy l3-ipoe inbound
traffic-policy l3-ipoe outbound
#
web-auth-server 192.168.8.251
#
return</me60b></me60a>
当前页面是本站的「Google AMP」版。查看和发表评论请点击:完整版 »