WiFi authentication platform interworking with Huawei ME60 for WeChat, SMS, guest and MAC fast authentication

2019-01-29T19:15:00



Configuration example: Layer 3 IPoE access (Portal push)

This section walks through a Layer 3 IPoE access configuration with Portal push; read it together with the network diagram to follow how the service is built up. The example covers the networking requirements, the configuration roadmap, data preparation, the procedure and the resulting configuration files.

Networking requirements

As shown in Figure 1, the requirements for Layer 3 IPoE access are:

Users belong to domain isp2. They pass through the DHCP relay device ME60A and access ME60B in Layer 3 IPoE mode on interface GE1/0/2.

Users are authenticated by Web authentication, using RADIUS authentication and RADIUS accounting.

The RADIUS server address is 192.168.8.249; the authentication and accounting ports are 1812 and 1813; the standard RADIUS protocol is used and the shared key is hello. (hello is an example value only. In production use a long, random secret that is unique to this server group: RADIUS authenticators are MD5 over known packet fields plus the secret, so a dictionary-word key can be recovered offline from a single captured exchange.)

The DNS server address is 192.168.8.252.

The Web server, Web authentication server and Portal server are integrated on one device; the Portal server address is 192.168.8.251.

To improve the accuracy of Portal push, flow-based Portal push is configured: when a user accesses a specified web page (IP address 4.4.4.4), a Portal page is pushed.

Figure 1 Network diagram for the Layer 3 IPoE (Portal push) configuration example

Configuration roadmap

The roadmap is as follows. Apart from the DHCP relay function, everything is configured on ME60B:

Configure the DHCP relay function on ME60A

Configure the authentication scheme and accounting scheme

Configure the RADIUS server group

Configure the address pool

Configure the pre-authentication domain and the authentication domain for Web authentication

Configure the Web authentication server

Configure the Portal server

Configure the Portal service policy

Configure UCL rules and the traffic management policy

Configure the BAS interface and the upstream interface

Data preparation

To complete this example, prepare the following data:

Name of the authentication scheme and the authentication mode

Name of the accounting scheme and the accounting mode

Name of the RADIUS server group; IP addresses and port numbers of the RADIUS authentication server and RADIUS accounting server

Address pool name, gateway address and DNS server address

Domain names

Portal service policy

Portal server address

UCL rules

Traffic management policy

BAS interface parameters

Procedure

Configure interface IP addresses on ME60A and ME60B.

Configure ME60A

<ME60A> system-view
[ME60A] interface GigabitEthernet1/0/2
[ME60A-GigabitEthernet1/0/2] ip address 11.11.11.1 255.255.255.0
[ME60A-GigabitEthernet1/0/2] quit
[ME60A] interface GigabitEthernet1/0/1.1
[ME60A-GigabitEthernet1/0/1.1] ip address 192.168.1.2 255.255.255.0
[ME60A-GigabitEthernet1/0/1.1] vlan-type dot1q 1
[ME60A-GigabitEthernet1/0/1.1] quit

Configure ME60B

[ME60B] interface GigabitEthernet1/0/2.1
[ME60B-GigabitEthernet1/0/2.1] ip address 192.168.1.1 255.255.255.0
[ME60B-GigabitEthernet1/0/2.1] vlan-type dot1q 1
[ME60B-GigabitEthernet1/0/2.1] quit
Configure the DHCP relay function on ME60A.

[ME60A] interface GigabitEthernet1/0/2
[ME60A-GigabitEthernet1/0/2] dhcp select relay
[ME60A-GigabitEthernet1/0/2] ip relay address 192.168.1.1
[ME60A-GigabitEthernet1/0/2] quit

On ME60B, configure the network-side address pool. The pool gateway must be on the same network segment as the IP address of the user-facing interface on the relay (ME60A); here it is the same address, 11.11.11.1.

<ME60B> system-view
[ME60B] ip pool huawei bas local
[ME60B-ip-pool-huawei] gateway 11.11.11.1 24
[ME60B-ip-pool-huawei] section 0 11.11.11.2 11.11.11.255
[ME60B-ip-pool-huawei] dns-server 192.168.8.252
[ME60B-ip-pool-huawei] quit

Configure AAA schemes

Configure the authentication scheme

[ME60B] aaa
[ME60B-aaa] authentication-scheme auth2
[ME60B-aaa-authen-auth2] authentication-mode radius
[ME60B-aaa-authen-auth2] quit

Configure the accounting scheme

[ME60B-aaa] accounting-scheme acct2
[ME60B-aaa-accounting-acct2] accounting-mode radius
[ME60B-aaa-accounting-acct2] quit
[ME60B-aaa] quit

Configure the RADIUS server group

[ME60B] radius-server group rd2
[ME60B-radius-rd2] radius-server authentication 192.168.8.249 1812
[ME60B-radius-rd2] radius-server accounting 192.168.8.249 1813
[ME60B-radius-rd2] radius-server type standard
[ME60B-radius-rd2] radius-server shared-key hello
[ME60B-radius-rd2] quit
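The exchange behind the rd2 server group, as an added example in Python (this is not code from the page or from Huawei): it builds the Access-Request a NAS such as ME60B sends, hides User-Password as RFC 2865 section 5.2 requires using the shared key hello, has the server answer with a Response Authenticator, and has the NAS verify that authenticator before trusting the reply. The user name alice, password s3cret, NAS address and packet identifier are constructed for the example; guess_secret shows why a dictionary word is a poor shared key.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

SECRET = b"hello"                 # the "radius-server shared-key hello" from the page
USER_DB = {b"alice": b"s3cret"}   # constructed sample credential, not from the page


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-octet multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    This is keyed obfuscation, not authenticated encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; this is what the RADIUS server does."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident, secret, user, password, nas_ip, request_auth=None):
    """NAS side: Access-Request with a fresh random 16-octet Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def server_handle(request, secret, user_db):
    """Server side: recover the password, decide, and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    reply_code = ACCESS_ACCEPT if user_db.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    reply_attrs = b""  # a real Accept would carry Session-Timeout, Class and so on
    header = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def verify_response(response, secret, request_auth) -> bool:
    """NAS side: accept only a reply whose authenticator was computed with our secret
    and our Request Authenticator. Without this check, anyone who can deliver a UDP
    packet to the NAS could forge an Access-Accept and log the subscriber in."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def guess_secret(request, response, candidates):
    """Offline attack on a weak key: one captured request/response pair is enough
    to test candidate secrets against the Response Authenticator."""
    request_auth = request[4:20]
    for cand in candidates:
        if verify_response(response, cand, request_auth):
            return cand
    return None


if __name__ == "__main__":
    req, ra = build_access_request(7, SECRET, "alice", "s3cret", "192.168.1.1")
    resp = server_handle(req, SECRET, USER_DB)
    print("reply code:", resp[0], "| authenticator valid:", verify_response(resp, SECRET, ra))
    print("secret recovered offline:", guess_secret(req, resp, [b"radius", b"secret", b"hello"]))
```

Everything between ME60B and 192.168.8.249 travels in the clear except the User-Password field, and the only thing binding the Access-Accept to the server is the MD5 authenticator keyed by the shared secret; that is what makes the strength of the shared key matter.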

Configure domains

Configure domain default0 as the pre-authentication domain for Web authentication.

[ME60B] user-group huawei
[ME60B] aaa
[ME60B-aaa] domain default0
[ME60B-aaa-domain-default0] user-group huawei
[ME60B-aaa-domain-default0] web-server 192.168.8.251
[ME60B-aaa-domain-default0] web-server url http://192.168.8.251
[ME60B-aaa-domain-default0] ip-pool huawei
[ME60B-aaa-domain-default0] quit

Configure the Portal service policy

[ME60B] service-group portal-group
[ME60B] service-policy name portal-policy portal
[ME60B-service-policy-pt] service-group portal-group
[ME60B-service-policy-pt] quit

Configure authentication domain isp2 and bind the Portal service policy to it

[ME60B] aaa
[ME60B-aaa] domain isp2
[ME60B-aaa-domain-isp2] authentication-scheme auth2
[ME60B-aaa-domain-isp2] accounting-scheme acct2
[ME60B-aaa-domain-isp2] radius-server group rd2
[ME60B-aaa-domain-isp2] portal-server 192.168.8.251
[ME60B-aaa-domain-isp2] portal-server url http://192.168.8.251/portal/admin/
[ME60B-aaa-domain-isp2] service-policy portal-policy
[ME60B-aaa-domain-isp2] quit
[ME60B-aaa] quit

Configure the Web authentication server

[ME60B] web-auth-server 192.168.8.251

Configure UCL rules

Configure the UCL rules used while a user is in the pre-authentication domain, which redirect the user to the Web authentication page. ACL 6000 lists the IP addresses a user is allowed to reach before authentication (the walled garden); everything else from the user group is caught by ACL 6001.

[ME60B] acl 6000
[ME60B-acl-ucl-6000] rule 10 permit ip source user-group huawei destination ip-address 127.0.0.1 0
[ME60B-acl-ucl-6000] rule 15 permit ip source ip-address 127.0.0.1 0  destination user-group huawei

Note:
The UCL rules for 127.0.0.1 allow user packets that are sent up to the ME60B CPU to pass. If the BAS interface is on a BSUA/MSUA board, the 127.0.0.1 rules are required; if it is on a BSUF-21/BSUF-40 board, 127.0.0.1 here can also be replaced with the address pool gateway address 11.11.11.1.

[ME60B-acl-ucl-6000] rule 20 permit ip source user-group huawei destination ip-address 192.168.8.252 0
[ME60B-acl-ucl-6000] rule 25 permit ip source ip-address 192.168.8.252 0  destination user-group huawei
[ME60B-acl-ucl-6000] rule 30 permit ip source user-group huawei destination ip-address 192.168.8.249 0
[ME60B-acl-ucl-6000] rule 35 permit ip source ip-address 192.168.8.249 0  destination user-group huawei
[ME60B-acl-ucl-6000] rule 40 permit ip source user-group huawei destination ip-address 192.168.8.251 0
[ME60B-acl-ucl-6000] rule 45 permit ip source ip-address 192.168.8.251 0  destination user-group huawei
[ME60B] acl 6001
[ME60B-acl-ucl-6001] rule 10 permit tcp source user-group huawei destination-port eq www
[ME60B-acl-ucl-6001] rule 15 permit tcp source user-group huawei destination-port eq 8080
[ME60B-acl-ucl-6001] rule 20 permit ip source user-group huawei

Configure the UCL rules used once the user is in the authentication domain: HTTP access to the specified web page is redirected to the Portal push page. 4.4.4.4 is the IP address of the specified page and 192.168.8.251 is the Portal server address.

[ME60B] acl 7000
[ME60B-acl-ucl-7000] rule 5 permit tcp source service-group portal-group destination ip-address 4.4.4.4 0 destination-port eq www
[ME60B-acl-ucl-7000] rule 10 permit tcp source service-group portal-group destination ip-address 4.4.4.4 0 destination-port eq 8080
[ME60B-acl-ucl-7000] rule 15 permit tcp source service-group portal-group destination ip-address 192.168.8.251 0 destination-port eq www
[ME60B-acl-ucl-7000] rule 20 permit tcp source service-group portal-group destination ip-address 192.168.8.251 0 destination-port eq 8080
[ME60B-acl-ucl-7000] quit

Configure the traffic management policy

[ME60B] traffic classifier web_permit
[ME60B-classifier-web_permit] if-match acl 6000
[ME60B-classifier-web_permit] quit
[ME60B] traffic behavior web_permit
[ME60B-behavior-web_permit] permit
[ME60B-behavior-web_permit] quit
[ME60B] traffic classifier web_deny
[ME60B-classifier-web_deny] if-match acl 6001
[ME60B-classifier-web_deny] quit

[ME60B] traffic behavior web_deny
[ME60B-behavior-web_deny] http-redirect
[ME60B-behavior-web_deny] quit
[ME60B] traffic classifier portal
[ME60B-classifier-portal] if-match acl 7000
[ME60B-classifier-portal] quit
[ME60B] traffic behavior portal
[ME60B-behavior-portal] redirect-cpu portal
[ME60B-behavior-portal] quit
[ME60B] traffic policy l3-ipoe
[ME60B-policy-l3-ipoe] classifier portal behavior portal
[ME60B-policy-l3-ipoe] classifier web_permit behavior web_permit
[ME60B-policy-l3-ipoe] classifier web_deny behavior web_deny
[ME60B-policy-l3-ipoe] quit

Apply the user-side traffic policy globally, in both directions. Classifiers are evaluated in the order they are bound to the policy (portal, web_permit, web_deny); web_permit must precede web_deny, otherwise HTTP to the Portal server itself would be redirected and the login page could never load.

[ME60B] traffic-policy l3-ipoe inbound
[ME60B] traffic-policy l3-ipoe outbound
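What the three classifiers above let each class of subscriber do, as an added example in Python that simulates the policy (it is not ME60 code or Huawei tooling): it encodes ACLs 6000, 6001 and 7000 as match functions, walks the classifiers in the order they are bound in traffic policy l3-ipoe, and checks that the pre-authentication walled garden holds. The sample flows are constructed. One assumption is marked in the code: that the http-redirect behaviour drops non-HTTP traffic from pre-authentication users rather than forwarding it; verify this on the platform in use.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One subscriber flow. group is the ME60 group the source belongs to:
    "huawei" for users in pre-authentication domain default0 (user-group huawei),
    "portal-group" for users authenticated into isp2 (service-group portal-group)."""
    group: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0


HTTP_PORTS = {80, 8080}                                   # "eq www" and "eq 8080"
WALLED_GARDEN = {"127.0.0.1", "192.168.8.252",            # CPU, DNS,
                 "192.168.8.249", "192.168.8.251"}         # RADIUS, Portal/Web server
PUSH_TRIGGERS = {"4.4.4.4", "192.168.8.251"}              # acl 7000 destinations


def is_http(f: Flow) -> bool:
    return f.proto == "tcp" and f.dport in HTTP_PORTS


def acl_6000(f: Flow) -> bool:
    """Pre-auth users to the walled-garden hosts, any IP protocol (rules 10..45)."""
    return f.group == "huawei" and f.dst in WALLED_GARDEN


def acl_6001(f: Flow) -> bool:
    """Rules 10/15 match HTTP from pre-auth users; rule 20 matches all their other IP traffic."""
    return f.group == "huawei"


def acl_7000(f: Flow) -> bool:
    """Authenticated users' HTTP to the trigger page or the Portal server."""
    return f.group == "portal-group" and is_http(f) and f.dst in PUSH_TRIGGERS


# "traffic policy l3-ipoe": evaluated in this order, first matching classifier wins.
POLICY = [
    ("portal", acl_7000, "redirect-cpu portal"),
    ("web_permit", acl_6000, "permit"),
    ("web_deny", acl_6001, "http-redirect"),
]
SWAPPED = [POLICY[0], POLICY[2], POLICY[1]]   # web_deny bound before web_permit


def evaluate(f: Flow, policy=POLICY):
    for name, matches, behaviour in policy:
        if not matches(f):
            continue
        if behaviour == "http-redirect" and not is_http(f):
            # Assumption: http-redirect can only rewrite HTTP; non-HTTP traffic from a
            # pre-auth user that reaches this behaviour is dropped. Verify on your ME60.
            return name, "drop"
        return name, behaviour
    return "(none)", "forward"


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("huawei", "192.168.8.252", "udp", 53),      # DNS inside the garden
    Flow("huawei", "192.168.8.249", "udp", 1812),    # RADIUS inside the garden
    Flow("huawei", "192.168.8.251", "tcp", 80),      # the web-auth page itself
    Flow("huawei", "9.9.9.9", "tcp", 80),            # any other site: redirect to login
    Flow("huawei", "9.9.9.9", "tcp", 443),           # HTTPS cannot be redirected
    Flow("huawei", "9.9.9.9", "icmp"),
    Flow("portal-group", "4.4.4.4", "tcp", 80),      # push trigger page
    Flow("portal-group", "4.4.4.4", "tcp", 443),
    Flow("portal-group", "5.5.5.5", "tcp", 80),      # ordinary browsing after login
]


def audit(flows=SAMPLE_FLOWS, policy=POLICY):
    return {f: evaluate(f, policy) for f in flows}


def walled_garden_holds(policy=POLICY) -> bool:
    """Two properties an operator wants: no pre-auth flow to a non-garden host is
    forwarded, and every garden host (DNS, RADIUS, Portal) is still reachable."""
    for f in SAMPLE_FLOWS:
        if f.group != "huawei":
            continue
        _, action = evaluate(f, policy)
        if f.dst in WALLED_GARDEN and action != "permit":
            return False
        if f.dst not in WALLED_GARDEN and action == "forward":
            return False
    return True


if __name__ == "__main__":
    for flow, (cls, action) in audit().items():
        print(f"{flow.group:13} -> {flow.dst}:{flow.dport}/{flow.proto:4}  {cls:11} {action}")
    print("walled garden holds:", walled_garden_holds(),
          "| with web_deny bound first:", walled_garden_holds(SWAPPED))
```

Running it with SWAPPED shows the failure mode the binding order guards against: with web_deny first, even HTTP to 192.168.8.251 is redirected, so the login page is unreachable and DNS from pre-authentication users is dropped.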

Configure interfaces

Configure the BAS interface

[ME60B] interface GigabitEthernet 1/0/2.1
[ME60B-GigabitEthernet1/0/2.1] vlan-type dot1q 1
[ME60B-GigabitEthernet1/0/2.1] ip address 192.168.1.1 255.255.255.0 
[ME60B-GigabitEthernet1/0/2.1] bas
[ME60B-GigabitEthernet1/0/2.1-bas] access-type layer3-subscriber default-domain pre-authentication default0 authentication isp2
[ME60B-GigabitEthernet1/0/2.1-bas] quit
[ME60B-GigabitEthernet1/0/2.1] quit

Configure the upstream interface.

[ME60B] interface GigabitEthernet 1/0/1
[ME60B-GigabitEthernet1/0/1] ip address 192.168.8.1 255.255.255.0
[ME60B-GigabitEthernet1/0/1] quit

Configuration files

ME60A configuration file

#
 sysname ME60A
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 11.11.11.1 255.255.255.0
 ip relay address 192.168.1.1
 dhcp select relay
#
interface GigabitEthernet1/0/1.1
 vlan-type dot1q 1
 ip address 192.168.1.2 255.255.255.0
#
return

ME60B configuration file

#
 sysname ME60B
#
user-group huawei
#
radius-server group rd2
 radius-server authentication 192.168.8.249 1812 weight 0
 radius-server accounting 192.168.8.249 1813 weight 0
 radius-server shared-key hello       
#
acl number 6000
rule 10 permit ip source user-group huawei destination ip-address 127.0.0.1 0 
rule 15 permit ip source ip-address 127.0.0.1 0  destination user-group huawei
rule 20 permit ip source user-group huawei destination ip-address 192.168.8.252 0
rule 25 permit ip source ip-address 192.168.8.252 0  destination user-group huawei
rule 30 permit ip source user-group huawei destination ip-address 192.168.8.249 0
rule 35 permit ip source ip-address 192.168.8.249 0  destination user-group huawei
rule 40 permit ip source user-group huawei destination ip-address 192.168.8.251 0
rule 45 permit ip source ip-address 192.168.8.251 0  destination user-group huawei
#
acl number 6001
rule 10 permit tcp source user-group huawei destination-port eq www
rule 15 permit tcp source user-group huawei destination-port eq 8080
rule 20 permit ip source user-group huawei
#
acl number 7000                                                               
rule 5 permit tcp source service-group portal-group destination ip-address 4.4.4.4 0 destination-port eq www
rule 10 permit tcp source service-group portal-group destination ip-address 4.4.4.4 0 destination-port eq 8080
rule 15 permit tcp source service-group portal-group destination ip-address 192.168.8.251 0 destination-port eq www
rule 20 permit tcp source service-group portal-group destination ip-address 192.168.8.251 0 destination-port eq 8080
#
traffic classifier web_permit operator or
if-match acl 6000
traffic classifier web_deny operator or
if-match acl 6001
traffic classifier portal operator or
if-match acl 7000

#
traffic behavior web_permit
traffic behavior web_deny
http-redirect
traffic behavior portal
redirect-cpu portal

#
traffic policy l3-ipoe
share-mode
classifier portal behavior portal
classifier web_permit behavior web_permit
classifier web_deny behavior web_deny
#
ip pool huawei bas local
 gateway 11.11.11.1 255.255.255.0
 section 0 11.11.11.2 11.11.11.255 
 dns-server 192.168.8.252
#
aaa
 authentication-scheme auth2
 #
 accounting-scheme acct2
 #
 domain default0
  user-group huawei
  web-server 192.168.8.251
  web-server url http://192.168.8.251
  ip-pool huawei
 domain isp2
  authentication-scheme auth2
  accounting-scheme acct2
  radius-server group rd2
  portal-server 192.168.8.251
  portal-server url http://192.168.8.251/portal/admin/
  service-policy portal-policy
#
interface GigabitEthernet1/0/2
 undo shutdown
#
interface GigabitEthernet1/0/2.1
 vlan-type dot1q 1
 ip address 192.168.1.1 255.255.255.0
 bas
 #
  access-type layer3-subscriber default-domain pre-authentication default0 authentication isp2
#
 ip route-static 11.11.11.1 255.255.255.255 192.168.1.2

#
 traffic-policy l3-ipoe inbound
 traffic-policy l3-ipoe outbound
#
 web-auth-server 192.168.8.251
#
return