School Router Scenario Configuration Case: Example for Configuring IPoE Dual-Stack Access (Web+MAC Authentication)

Example for Configuring IPoE Dual-Stack Access (Web+MAC Authentication)

This section describes an example of IPv4 and IPv6 dual-stack (Web+MAC) authentication, with a networking diagram to help you understand the service configuration procedure. The example covers the networking requirements, configuration roadmap, procedure, and resulting configuration file.

Applicable Products and Versions

Applies to NE40E/ME60 series products running V800R010C00 and later versions.

Networking Requirements

On a campus network, wired users, wireless users, and dumb terminals in the staff dormitory area, student dormitory area, and office area need IPv4 and IPv6 dual-stack authentication through Web access. When a user goes online for the first time, the user enters the MAC authentication domain. Web authentication requires a user name and password; the RADIUS server automatically records the terminal's MAC address and associates it with the user name and password, so on later access the user no longer needs to log in and is admitted to the network automatically, which is MAC authentication. If authentication fails, the user is redirected to the Web authentication domain, whose users can reach only restricted network addresses such as the Web server. When such a user tries to reach an address the user is not authorized for, the user is forcibly redirected to the specified Web server to re-enter the correct user name and password; after authentication succeeds, the user becomes a post-authentication domain user and can access network resources normally. The next time the user logs in, MAC authentication is performed against the recorded MAC address of the terminal.

  • RADIUS authentication and RADIUS accounting are used.
  • The RADIUS server address is 10.1.2.10, the authentication and accounting ports are 1812 and 1813 respectively, the standard RADIUS protocol is used, and the shared key is Root@1234.
  • The two DNS servers are 3001:DA8:20D:30::30 and 10.1.6.2.
  • The Web server address is 10.1.1.10 and its key is Root@123.

Figure 1-20 Networking diagram for IPv4 and IPv6 dual-stack (Web+MAC) authentication


Configuration Roadmap

The configuration roadmap for IPv4 and IPv6 dual-stack (Web+MAC) authentication is as follows:

  1. Enable IPv6 packet forwarding.
  2. Create three domains: the MAC authentication domain mac-domain, the Web authentication domain web-domain, and the post-authentication domain after-domain.
  3. Configure an AAA scheme and the RADIUS server group group1. In the RADIUS server group, configure the hw-auth-type attribute to be carried in authentication request packets; if the RADIUS server does not support the hw-auth-type attribute, configure attribute translation to convert it into Huawei private attribute 109.
  4. Configure address pools.
  5. In the MAC authentication domain mac-domain, enable MAC authentication and bind the RADIUS server group group1 and the authentication scheme portal-mac-auth.
  6. Configure the Web authentication domain web-domain. Users in this domain have restricted access only; bind the non-authentication scheme and the non-accounting scheme.
  7. Configure ACL rules for the Web authentication domain web-domain.
  8. Configure the post-authentication domain after-domain.
  9. In the AAA view, configure the device to use the MAC address carried in the user's connection request packet directly as the pure user name.
  10. Configure the DUID of the DHCPv6 server.
  11. On the BAS interface, enable IPv6 and configure the MAC authentication domain, the post-authentication domain, and the authentication methods.

Procedure

1. Enable IPv6 packet forwarding on the device.

<HUAWEI> system-view
[~HUAWEI] ipv6

2. Create three domains: the MAC authentication domain mac-domain, the Web authentication domain web-domain, and the post-authentication domain after-domain.

  • Configure the MAC authentication domain mac-domain, the Web authentication domain web-domain, and the post-authentication domain after-domain
[~HUAWEI] aaa
[*HUAWEI-aaa] domain mac-domain
[~HUAWEI-aaa-domain-mac-domain] quit
[*HUAWEI-aaa] domain web-domain
[~HUAWEI-aaa-domain-web-domain] quit
[*HUAWEI-aaa] domain after-domain
[*HUAWEI-aaa-domain-after-domain] commit
[~HUAWEI-aaa-domain-after-domain] quit
[~HUAWEI-aaa] quit

3. Configure an AAA scheme and a RADIUS server group.

  • Create the RADIUS server group group1, configure the hw-auth-type attribute to be carried in authentication request packets within the group, and configure attribute translation to convert the hw-auth-type attribute into Huawei private attribute 109
[~HUAWEI] radius-server group group1
[*HUAWEI-radius-group1] radius-server authentication 10.1.2.10 1812
[*HUAWEI-radius-group1] radius-server accounting 10.1.2.10 1813
[*HUAWEI-radius-group1] radius-server shared-key-cipher Root@1234
[*HUAWEI-radius-group1] radius-attribute include hw-auth-type
[*HUAWEI-radius-group1] radius-server attribute translate
[*HUAWEI-radius-group1] radius-attribute translate extend hw-auth-type vendor-specific 2011 109 access-request account
[*HUAWEI-radius-group1] commit
[~HUAWEI-radius-group1] quit
  • Create the authentication scheme portal-mac-auth and, in the scheme, configure redirection to the Web authentication domain web-domain upon authentication failure
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme portal-mac-auth
[*HUAWEI-aaa-authen-portal-mac-auth] authening authen-fail online authen-domain web-domain
[*HUAWEI-aaa-authen-portal-mac-auth] commit
[~HUAWEI-aaa-authen-portal-mac-auth] quit
  • Configure the authentication scheme radius to use RADIUS authentication
[*HUAWEI-aaa] authentication-scheme radius
[*HUAWEI-aaa-authen-radius] authentication-mode radius local
[*HUAWEI-aaa-authen-radius] commit
[~HUAWEI-aaa-authen-radius] quit
  • Configure the authentication scheme none to perform no authentication
[*HUAWEI-aaa] authentication-scheme none
[*HUAWEI-aaa-authen-none] authentication-mode none
[*HUAWEI-aaa-authen-none] commit
[~HUAWEI-aaa-authen-none] quit
  • Configure the accounting scheme radius to use RADIUS accounting
[*HUAWEI-aaa] accounting-scheme radius
[*HUAWEI-aaa-accounting-radius] accounting interim interval 10 hash
[*HUAWEI-aaa-accounting-radius] commit
[~HUAWEI-aaa-accounting-radius] quit
  • Configure the accounting scheme none to perform no accounting
[*HUAWEI-aaa] accounting-scheme none
[*HUAWEI-aaa-accounting-none] accounting-mode none
[*HUAWEI-aaa-accounting-none] commit
[~HUAWEI-aaa-accounting-none] quit
[~HUAWEI-aaa] quit
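Step 3 translates the hw-auth-type attribute into Huawei vendor-specific attribute 109 (vendor ID 2011) for RADIUS servers that do not understand the attribute by name. The following Python is an added example, not code from the page or the device: it shows what that translation produces on the wire using the RFC 2865 Vendor-Specific attribute layout, together with the strict parser a RADIUS server or log collector needs before trusting such an attribute. The user name and the attribute value b"WEB" are constructed placeholders; the real encoding of HW-Auth-Type is not given on the page.

```python
"""Encode and decode the RADIUS Vendor-Specific attribute produced by
'radius-attribute translate extend hw-auth-type vendor-specific 2011 109'.
Added example; all packet bytes are constructed, not captured from a device."""
import struct

ATTR_USER_NAME = 1          # RFC 2865 User-Name
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific
VENDOR_HUAWEI = 2011        # vendor ID used in the configuration step
VSA_HW_AUTH_TYPE = 109      # vendor attribute number used in the configuration step


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Plain RADIUS AVP: type(1) length(1) value; length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific AVP (RFC 2865 section 5.26): the value of attribute 26 is
    vendor-id(4) followed by vendor-type(1) vendor-length(1) vendor-value."""
    vendor_len = 2 + len(value)
    if vendor_len > 249:    # outer length = 2 + 4 + vendor_len must fit in one byte
        raise ValueError("vendor value too long")
    inner = struct.pack("!IBB", vendor_id, vendor_type, vendor_len) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, inner)


def parse_attrs(blob: bytes):
    """Walk a RADIUS attribute list and return [(type, value), ...].
    Any length that runs past the buffer or is shorter than the header is rejected."""
    out, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[off], blob[off + 1]
        if length < 2 or off + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[off + 2:off + length]))
        off += length
    return out


def decode_vsa(value: bytes):
    """Split a Vendor-Specific value into (vendor_id, vendor_type, vendor_value),
    checking that the inner vendor-length agrees with the outer attribute length."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", value[:6])
    if vendor_len != len(value) - 4:
        raise ValueError("vendor-length does not match attribute length")
    return vendor_id, vendor_type, value[6:]


def find_hw_auth_type(blob: bytes):
    """Return the HW-Auth-Type vendor value carried in an attribute list, or None."""
    for attr_type, value in parse_attrs(blob):
        if attr_type == ATTR_VENDOR_SPECIFIC:
            vendor_id, vendor_type, vendor_value = decode_vsa(value)
            if vendor_id == VENDOR_HUAWEI and vendor_type == VSA_HW_AUTH_TYPE:
                return vendor_value
    return None


def build_sample_request() -> bytes:
    """Constructed Access-Request attribute list: a User-Name plus the translated
    HW-Auth-Type. 'student01' and b'WEB' are placeholders, not values from the page."""
    return (encode_attr(ATTR_USER_NAME, b"student01")
            + encode_vsa(VENDOR_HUAWEI, VSA_HW_AUTH_TYPE, b"WEB"))


if __name__ == "__main__":
    blob = build_sample_request()
    print("attributes:", blob.hex())
    print("HW-Auth-Type value:", find_hw_auth_type(blob))
```

The encoded VSA is `1a 0b 00 00 07 db 6d 05` followed by the value: type 26, total length 11, vendor ID 2011, vendor type 109, vendor length 5. The two length checks in the parser are what stop a malformed or truncated attribute from being misread as a different attribute, which is the usual failure when a server's dictionary lacks the vendor entry.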

4. Configure address pools.

  • Configure the IPv4 address pool
[~HUAWEI] ip pool pool1 bas local
[*HUAWEI-ip-pool-pool1] gateway 10.10.17.1 255.255.240.0
[*HUAWEI-ip-pool-pool1] section 0 10.10.17.2 10.10.19.254
[*HUAWEI-ip-pool-pool1] dns-server 10.1.6.2
[*HUAWEI-ip-pool-pool1] commit
[~HUAWEI-ip-pool-pool1] quit
  • Configure the IPv6 prefix pool
[~HUAWEI] ipv6 prefix prefix1 local
[*HUAWEI-ipv6-prefix-prefix1] prefix 3001:DA8:801D:2005::/64
[*HUAWEI-ipv6-prefix-prefix1] commit
[~HUAWEI-ipv6-prefix-prefix1] quit
  • Configure the IPv6 address pool
[~HUAWEI] ipv6 pool pool1 bas local
[*HUAWEI-ipv6-pool-pool1] prefix prefix1
[*HUAWEI-ipv6-pool-pool1] dns-server 3001:DA8:20D:30::30
[*HUAWEI-ipv6-pool-pool1] commit
[~HUAWEI-ipv6-pool-pool1] quit

5. In the MAC authentication domain mac-domain, enable MAC authentication and bind the RADIUS server group group1 and the authentication scheme portal-mac-auth.

[~HUAWEI] user-group mac-group
[~HUAWEI] aaa
[*HUAWEI-aaa] domain mac-domain
[*HUAWEI-aaa-domain-mac-domain] radius-server group group1
[*HUAWEI-aaa-domain-mac-domain] authentication-scheme portal-mac-auth
[*HUAWEI-aaa-domain-mac-domain] accounting-scheme radius
[*HUAWEI-aaa-domain-mac-domain] ip-pool pool1
[*HUAWEI-aaa-domain-mac-domain] ipv6-pool pool1
[*HUAWEI-aaa-domain-mac-domain] mac-authentication enable
[*HUAWEI-aaa-domain-mac-domain] user-group mac-group
[*HUAWEI-aaa-domain-mac-domain] commit
[~HUAWEI-aaa-domain-mac-domain] quit
[~HUAWEI-aaa] quit

6. Configure the Web authentication domain web-domain. Users in this domain have restricted access only; bind the non-authentication scheme and the non-accounting scheme.

[~HUAWEI] user-group web-group
[~HUAWEI] aaa
[*HUAWEI-aaa] http-redirect enable
[*HUAWEI-aaa] domain web-domain
[*HUAWEI-aaa-domain-web-domain] authentication-scheme none
[*HUAWEI-aaa-domain-web-domain] accounting-scheme none
[*HUAWEI-aaa-domain-web-domain] ip-pool pool1
[*HUAWEI-aaa-domain-web-domain] ipv6-pool pool1
[*HUAWEI-aaa-domain-web-domain] user-group web-group
[*HUAWEI-aaa-domain-web-domain] web-server 10.1.1.10
[*HUAWEI-aaa-domain-web-domain] web-server url http://10.1.1.10
[*HUAWEI-aaa-domain-web-domain] commit
[~HUAWEI-aaa-domain-web-domain] quit
[~HUAWEI-aaa] quit
  • Configure the Web authentication server
[*HUAWEI] web-auth-server 10.1.1.10 key cipher Root@123

7. Configure ACL rules for the Web authentication domain web-domain.

  • Configure IPv4 ACL rules
[~HUAWEI] acl number 6000
[*HUAWEI-acl-ucl-6000] rule 5 permit ip source ip-address 10.1.1.10 0 destination user-group web-group
[*HUAWEI-acl-ucl-6000] rule 10 permit ip source user-group web-group destination ip-address 10.1.1.10 0
[*HUAWEI-acl-ucl-6000] rule 15 permit ip source ip-address 10.1.6.2 0 destination user-group web-group
[*HUAWEI-acl-ucl-6000] rule 20 permit ip source user-group web-group destination ip-address 10.1.6.2 0
[~HUAWEI-acl-ucl-6000] quit
[~HUAWEI] acl number 6001
[*HUAWEI-acl-ucl-6001] rule 5 permit tcp source user-group web-group destination-port eq www
[*HUAWEI-acl-ucl-6001] rule 10 permit tcp source user-group web-group destination-port eq 8080
[*HUAWEI-acl-ucl-6001] rule 15 permit ip source user-group web-group
[~HUAWEI-acl-ucl-6001] quit
[~HUAWEI] acl number 6002
[*HUAWEI-acl-ucl-6002] rule 5 permit ip source user-group web-group destination user-group web-group
[*HUAWEI-acl-ucl-6002] rule 10 permit ip source user-group web-group destination ip-address any
[~HUAWEI-acl-ucl-6002] quit
[~HUAWEI] acl number 6003
[*HUAWEI-acl-ucl-6003] rule 5 permit ip destination user-group web-group
[~HUAWEI-acl-ucl-6003] quit
  • Configure IPv6 ACL rules
[~HUAWEI] acl ipv6 number 6000
[*HUAWEI-acl6-ucl-6000] rule 5 deny ipv6 source user-group web-group destination ipv6-address 3001:DA8:20D:30::30/128
[*HUAWEI-acl6-ucl-6000] rule 10 deny ipv6 source ipv6-address 3001:DA8:20D:30::30/128 destination user-group web-group
[~HUAWEI-acl6-ucl-6000] quit
[~HUAWEI] acl ipv6 number 6001
[*HUAWEI-acl6-ucl-6001] rule 5 permit tcp source user-group web-group destination-port eq www
[*HUAWEI-acl6-ucl-6001] rule 10 permit tcp source user-group web-group destination-port eq 8080
[*HUAWEI-acl6-ucl-6001] rule 15 permit ipv6 source user-group web-group
[~HUAWEI-acl6-ucl-6001] quit
  • Configure traffic management policies
[~HUAWEI] traffic classifier 6000
[*HUAWEI-classifier-6000] if-match acl 6000
[*HUAWEI-classifier-6000] if-match ipv6 acl 6000
[~HUAWEI-classifier-6000] quit
[~HUAWEI] traffic classifier 6001
[*HUAWEI-classifier-6001] if-match acl 6001
[*HUAWEI-classifier-6001] if-match ipv6 acl 6001
[~HUAWEI-classifier-6001] quit
[~HUAWEI] traffic classifier 6002
[*HUAWEI-classifier-6002] if-match acl 6002
[~HUAWEI-classifier-6002] quit
[~HUAWEI] traffic classifier 6003
[*HUAWEI-classifier-6003] if-match acl 6003
[~HUAWEI-classifier-6003] quit
[~HUAWEI] traffic behavior permit
[*HUAWEI-behavior-permit] permit
[~HUAWEI] traffic behavior in-deny
[*HUAWEI-behavior-in-deny] deny
[~HUAWEI-behavior-in-deny] quit
[~HUAWEI] traffic behavior out-deny
[*HUAWEI-behavior-out-deny] deny
[~HUAWEI-behavior-out-deny] quit
[~HUAWEI] traffic behavior redirect
[*HUAWEI-behavior-redirect] http-redirect
[~HUAWEI-behavior-redirect] quit
[~HUAWEI] traffic policy before-auth-in
[*HUAWEI-policy-before-auth-in] share-mode
[*HUAWEI-policy-before-auth-in] classifier 6000 behavior permit
[*HUAWEI-policy-before-auth-in] classifier 6001 behavior redirect
[*HUAWEI-policy-before-auth-in] classifier 6002 behavior in-deny
[~HUAWEI-policy-before-auth-in] quit
[~HUAWEI] traffic policy before-auth-out
[*HUAWEI-policy-before-auth-out] share-mode
[*HUAWEI-policy-before-auth-out] classifier 6000 behavior permit
[*HUAWEI-policy-before-auth-out] classifier 6003 behavior out-deny
[~HUAWEI-policy-before-auth-out] quit
  • Apply the policies globally
[*HUAWEI] traffic-policy before-auth-in inbound
[*HUAWEI] traffic-policy before-auth-out outbound
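To check what the pre-authentication policies in this step actually allow a web-domain user to do, here is an added Python model (not NE40E/ME60 code and not from the page) that transcribes the IPv4 UCL ACL rules, classifiers, and the two traffic policies from step 7 and evaluates constructed packets against them. It models only the IPv4 rules and assumes that, within a policy, the first classifier whose ACL matches decides the behavior. The subscriber addresses 10.10.17.x lie in the page's IPv4 pool; 203.0.113.5 is a constructed external address from the TEST-NET-3 documentation range.

```python
"""Model of the IPv4 pre-authentication traffic policies from step 7.

Added example, not device code: ACL rules, classifiers and policies are
transcribed from the page; first-match across a policy's classifiers is an
assumption; every packet below is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORTAL_V4 = "10.1.1.10"   # Web server address from the page
DNS_V4 = "10.1.6.2"       # IPv4 DNS server address from the page


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0
    src_group: str = ""     # user-group of the sending subscriber, "" if none
    dst_group: str = ""     # user-group of the receiving subscriber, "" if none


@dataclass
class Rule:
    """One ACL rule; a field left as None is a wildcard, as in the CLI."""
    proto: str = "ip"       # "ip" matches any IP protocol, "tcp" only TCP
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_group: Optional[str] = None
    dst_group: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.src_ip is None or self.src_ip == p.src_ip)
                and (self.dst_ip is None or self.dst_ip == p.dst_ip)
                and (self.src_group is None or self.src_group == p.src_group)
                and (self.dst_group is None or self.dst_group == p.dst_group)
                and (self.dport is None or self.dport == p.dport))


# IPv4 UCL ACLs as configured in step 7 (rule numbers omitted, order kept)
ACLS = {
    6000: [Rule(src_ip=PORTAL_V4, dst_group="web-group"),
           Rule(src_group="web-group", dst_ip=PORTAL_V4),
           Rule(src_ip=DNS_V4, dst_group="web-group"),
           Rule(src_group="web-group", dst_ip=DNS_V4)],
    6001: [Rule(proto="tcp", src_group="web-group", dport=80),
           Rule(proto="tcp", src_group="web-group", dport=8080),
           Rule(src_group="web-group")],
    6002: [Rule(src_group="web-group", dst_group="web-group"),
           Rule(src_group="web-group")],
    6003: [Rule(dst_group="web-group")],
}

# classifier -> behavior bindings of the two traffic policies, in configured order
POLICIES = {
    "before-auth-in": [(6000, "permit"), (6001, "redirect"), (6002, "in-deny")],
    "before-auth-out": [(6000, "permit"), (6003, "out-deny")],
}


def acl_matches(acl: int, p: Packet) -> bool:
    return any(r.matches(p) for r in ACLS[acl])


def evaluate(policy: str, p: Packet) -> Tuple[Optional[int], str]:
    """Return (classifier that matched, behavior); first match wins (assumption).
    A packet that matches no classifier is forwarded normally."""
    for acl, behavior in POLICIES[policy]:
        if acl_matches(acl, p):
            return acl, behavior
    return None, "forward"


def unreachable_classifiers(policy: str, samples: List[Packet]) -> List[int]:
    """Classifiers of a policy that none of the sample packets reaches because an
    earlier classifier already matched them: a quick shadowing check."""
    reached = {evaluate(policy, p)[0] for p in samples}
    return [acl for acl, _ in POLICIES[policy] if acl not in reached]


SAMPLES = [  # constructed packets; "in" = from subscriber, "out" = towards subscriber
    ("in", Packet("10.10.17.5", PORTAL_V4, "tcp", 80, src_group="web-group")),
    ("in", Packet("10.10.17.5", DNS_V4, "udp", 53, src_group="web-group")),
    ("in", Packet("10.10.17.5", "203.0.113.5", "tcp", 80, src_group="web-group")),
    ("in", Packet("10.10.17.5", "203.0.113.5", "tcp", 443, src_group="web-group")),
    ("in", Packet("10.10.17.5", "10.10.17.6", "icmp", src_group="web-group", dst_group="web-group")),
    ("in", Packet("10.10.17.7", "203.0.113.5", "tcp", 443, src_group="mac-group")),
    ("out", Packet(PORTAL_V4, "10.10.17.5", "tcp", 0, dst_group="web-group")),
    ("out", Packet("203.0.113.5", "10.10.17.5", "tcp", 0, dst_group="web-group")),
]

if __name__ == "__main__":
    for direction, pkt in SAMPLES:
        policy = "before-auth-in" if direction == "in" else "before-auth-out"
        acl, action = evaluate(policy, pkt)
        print(f"{policy:16} {pkt.src_ip:>12} -> {pkt.dst_ip:<12} {pkt.proto}/{pkt.dport:<5}"
              f" classifier={acl} behavior={action}")
    print("never reached in before-auth-in:",
          unreachable_classifiers("before-auth-in", [p for d, p in SAMPLES if d == "in"]))
```

Running it confirms the intended restriction: web-group traffic to the portal 10.1.1.10 and to DNS 10.1.6.2 is permitted in both directions, HTTP from web-group to any other destination lands on the redirect behavior, and traffic towards a web-group subscriber from anywhere else is dropped by before-auth-out, while a mac-group subscriber matches nothing and is forwarded normally. It also makes the ACL ordering visible: rule 15 of ACL 6001 (permit ip source user-group web-group) matches every remaining IPv4 packet from web-group, so under first-match evaluation classifier 6002 with in-deny is never reached; whether that matters depends on how the device treats non-HTTP traffic under the http-redirect behavior, which this page does not state.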
8. Configure the post-authentication domain after-domain.

[~HUAWEI] aaa
[*HUAWEI-aaa] domain after-domain
[*HUAWEI-aaa-domain-after-domain] authentication-scheme radius
[*HUAWEI-aaa-domain-after-domain] accounting-scheme radius
[*HUAWEI-aaa-domain-after-domain] radius-server group group1
[*HUAWEI-aaa-domain-after-domain] commit
[~HUAWEI-aaa-domain-after-domain] quit

9. In the AAA view, configure the device to use the MAC address carried in the user's connection request packet directly as the pure user name.

[*HUAWEI-aaa] default-user-name include mac-address -
[*HUAWEI-aaa] commit
[~HUAWEI-aaa] quit

10. Configure the DUID of the DHCPv6 server.

[*HUAWEI] dhcpv6 duid 12345678

11. On the BAS interface, enable IPv6 and configure the MAC authentication domain, the post-authentication domain, and the authentication methods.

[~HUAWEI] license
[*HUAWEI-license] active bas slot 1
[~HUAWEI-license] quit
[~HUAWEI] interface gigabitethernet0/1/0
[*HUAWEI-GigabitEthernet0/1/0] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/0] ipv6 nd autoconfig managed-address-flag
[*HUAWEI-GigabitEthernet0/1/0] ipv6 nd autoconfig other-flag
[*HUAWEI-GigabitEthernet0/1/0] bas
[*HUAWEI-GigabitEthernet0/1/0-bas] access-type layer2-subscriber default-domain pre-authentication mac-domain authentication after-domain
[*HUAWEI-GigabitEthernet0/1/0-bas] authentication-method web
[*HUAWEI-GigabitEthernet0/1/0-bas] authentication-method-ipv6 web
[*HUAWEI-GigabitEthernet0/1/0-bas] commit
[~HUAWEI-GigabitEthernet0/1/0-bas] quit
[~HUAWEI-GigabitEthernet0/1/0] quit

12. Verify the configuration.

  • After the PC accesses the network, it obtains an IP address.
  • Run the display access-user domain web-domain command on the device to display online user information.
  • When the user enters any other URL in the browser address bar, the browser is automatically redirected to the Web server's URL.
  • After the user enters the correct user name and password and passes authentication, login succeeds.
  • Run the display domain mac-domain command on the device to view the configuration of the domain mac-domain. The output shows that both an IPv6 address pool and an IPv4 address pool are bound to the domain.

Configuration File

#
sysname HUAWEI
#
license
 active bas slot 1
#
ipv6
#
user-group mac-group
user-group web-group
#
dhcpv6 duid 12345678
#
radius-server group group1
 radius-server shared-key-cipher Root@1234
 radius-server authentication 10.1.2.10 1812 weight 0
 radius-server accounting 10.1.2.10 1813 weight 0
 radius-server attribute translate
 radius-attribute include HW-Auth-Type
 radius-attribute translate extend HW-Auth-Type vendor-specific 2011 109 access-request account
#
acl ipv6 number 6000
 rule 5 deny ipv6 source user-group web-group destination ipv6-address 3001:DA8:20D:30::30/128
 rule 10 deny ipv6 source ipv6-address 3001:DA8:20D:30::30/128 destination user-group web-group
#
acl ipv6 number 6001
 rule 5 permit tcp source user-group web-group destination-port eq www
 rule 10 permit tcp source user-group web-group destination-port eq 8080
 rule 15 permit ipv6 source user-group web-group
#
acl number 6000
 rule 5 permit ip source ip-address 10.1.1.10 0 destination user-group web-group
 rule 10 permit ip source user-group web-group destination ip-address 10.1.1.10 0
 rule 15 permit ip source ip-address 10.1.6.2 0 destination user-group web-group
 rule 20 permit ip source user-group web-group destination ip-address 10.1.6.2 0
#
acl number 6001
 rule 5 permit tcp source user-group web-group destination-port eq www
 rule 10 permit tcp source user-group web-group destination-port eq 8080
 rule 15 permit ip source user-group web-group
#
acl number 6002
 rule 5 permit ip source user-group web-group destination user-group web-group
 rule 10 permit ip source user-group web-group destination ip-address any
#
acl number 6003
 rule 5 permit ip destination user-group web-group
#
traffic classifier 6000 operator or
 if-match acl 6000
 if-match ipv6 acl 6000
traffic classifier 6001 operator or
 if-match acl 6001
 if-match ipv6 acl 6001
traffic classifier 6002 operator or
 if-match acl 6002
traffic classifier 6003 operator or
 if-match acl 6003
#
traffic behavior in-deny
 deny
traffic behavior out-deny
 deny
traffic behavior permit
 permit
traffic behavior redirect
 http-redirect
#
traffic policy before-auth-in
 share-mode
 classifier 6000 behavior permit
 classifier 6001 behavior redirect
 classifier 6002 behavior in-deny
traffic policy before-auth-out
 share-mode
 classifier 6000 behavior permit
 classifier 6003 behavior out-deny
#
ip pool pool1 bas local
 gateway 10.10.17.1 255.255.240.0
 section 0 10.10.17.2 10.10.19.254
 dns-server 10.1.6.2
#
ipv6 prefix prefix1 local
 prefix 3001:DA8:801D:2005::/64
#
ipv6 pool pool1 bas local
 prefix prefix1
 dns-server 3001:DA8:20D:30::30
#
aaa
 http-redirect enable
 default-user-name include mac-address -
 authentication-scheme portal-mac-auth
  authening authen-fail online authen-domain web-domain
 authentication-scheme radius
  authentication-mode radius local
 authentication-scheme none
  authentication-mode none
 #
 accounting-scheme radius
  accounting interim interval 10 hash
 accounting-scheme none
  accounting-mode none
 #
 domain mac-domain
  authentication-scheme portal-mac-auth
  accounting-scheme radius
  ip-pool pool1
  ipv6-pool pool1
  mac-authentication enable
  radius-server group group1
  user-group mac-group
 domain web-domain
  authentication-scheme none
  accounting-scheme none
  ip-pool pool1
  ipv6-pool pool1
  user-group web-group
  web-server 10.1.1.10
  web-server url http://10.1.1.10
 domain after-domain
  authentication-scheme radius
  accounting-scheme radius
  radius-server group group1
#
interface GigabitEthernet0/1/0
 ipv6 enable
 ipv6 nd autoconfig managed-address-flag
 ipv6 nd autoconfig other-flag
 bas
 #
  access-type layer2-subscriber default-domain pre-authentication mac-domain authentication after-domain
  authentication-method web
  authentication-method-ipv6 web
#
traffic-policy before-auth-in inbound
traffic-policy before-auth-out outbound
#
web-auth-server 10.1.1.10 key cipher Root@123

