This section presents a Web authentication configuration example and uses the network diagram to explain the service configuration process. The example covers the networking requirements, the configuration roadmap, the procedure and the configuration file.
Applicable Products and Versions
Applies to ME60 series routers running V800R010C00 and later versions.
Networking Requirements
Web authentication means that a user who goes online must enter a user name and password on a Portal page; once authenticated, the user can access the network.
Figure 1-17 Network diagram for Web authentication with Layer 2 IPoE access
Configuration Roadmap
Configure Web authentication as follows:
- Create two domains: the pre-authentication domain pre-web and the post-authentication domain after-auth.
- Configure the AAA schemes.
- Create a RADIUS server group.
- In the pre-authentication domain pre-web, configure forced redirection to the specified Web server, bind a user group that may access only limited resources, and bind the no-authentication and no-accounting schemes.
- In the post-authentication domain after-auth, bind the RADIUS authentication scheme and the RADIUS accounting scheme.
- Configure the pre-authentication and post-authentication domains under the BAS interface.
Procedure
1. Create two domains: the pre-authentication domain pre-web and the post-authentication domain after-auth.
# Configure the pre-authentication domain pre-web and the post-authentication domain after-auth.
<huawei> system-view
[~HUAWEI] aaa
[*HUAWEI-aaa] domain pre-web
[*HUAWEI-aaa-domain-pre-web] commit
[~HUAWEI-aaa-domain-pre-web] quit
[*HUAWEI-aaa] domain after-auth
[*HUAWEI-aaa-domain-after-auth] commit
[~HUAWEI-aaa-domain-after-auth] quit
[~HUAWEI] quit
<HUAWEI>
2. Configure the AAA schemes and the RADIUS server group.
- Configure the RADIUS server group rd2.
[~HUAWEI] radius-server group rd2
[*HUAWEI-radius-rd2] radius-server authentication 192.168.8.249 1812
[*HUAWEI-radius-rd2] radius-server accounting 192.168.8.249 1813
[*HUAWEI-radius-rd2] radius-server type standard
[*HUAWEI-radius-rd2] radius-server shared-key-cipher Root@1234
[*HUAWEI-radius-rd2] commit
[~HUAWEI-radius-rd2] quit
- Configure authentication scheme auth2 to use RADIUS authentication.
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme auth2
[*HUAWEI-aaa-authen-auth2] authentication-mode radius
[*HUAWEI-aaa-authen-auth2] commit
[~HUAWEI-aaa-authen-auth2] quit
- Configure accounting scheme acct2 to use RADIUS accounting.
[*HUAWEI-aaa] accounting-scheme acct2
[*HUAWEI-aaa-accounting-acct2] accounting-mode radius
[*HUAWEI-aaa-accounting-acct2] commit
[~HUAWEI-aaa-accounting-acct2] quit
[~HUAWEI-aaa] quit
- Configure authentication scheme auth3 with no authentication.
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme auth3
[*HUAWEI-aaa-authen-auth3] authentication-mode none
[*HUAWEI-aaa-authen-auth3] commit
[~HUAWEI-aaa-authen-auth3] quit
- Configure accounting scheme acct3 with no accounting.
[*HUAWEI-aaa] accounting-scheme acct3
[*HUAWEI-aaa-accounting-acct3] accounting-mode none
[*HUAWEI-aaa-accounting-acct3] commit
[~HUAWEI-aaa-accounting-acct3] quit
[~HUAWEI-aaa] quit
3. Configure the address pool.
[~HUAWEI] ip pool pool2 bas local
[*HUAWEI-ip-pool-pool2] gateway 172.16.1.1 255.255.255.0
[*HUAWEI-ip-pool-pool2] section 0 172.16.1.2 172.16.1.200
[*HUAWEI-ip-pool-pool2] dns-server 192.168.8.252
[*HUAWEI-ip-pool-pool2] commit
[~HUAWEI-ip-pool-pool2] quit
4. Configure the pre-authentication domain pre-web. Users in this domain may access only the Web authentication page; bind the no-authentication and no-accounting schemes to it.
- Enable HTTP redirection in the pre-authentication domain and bind the no-authentication and no-accounting schemes.
[~HUAWEI] user-group web-before
[*HUAWEI] aaa
[*HUAWEI-aaa] http-redirect enable
[*HUAWEI-aaa] domain pre-web
[*HUAWEI-aaa-domain-pre-web] authentication-scheme auth3
[*HUAWEI-aaa-domain-pre-web] accounting-scheme acct3
[*HUAWEI-aaa-domain-pre-web] ip-pool pool2
[*HUAWEI-aaa-domain-pre-web] user-group web-before
[*HUAWEI-aaa-domain-pre-web] web-server 192.168.8.251
[*HUAWEI-aaa-domain-pre-web] web-server url http://192.168.8.251
- Configure the Web authentication server.
[*HUAWEI] web-auth-server 192.168.8.251 key webvlan
- Configure ACL rules.
Configure ACL 6004 to match all traffic sourced from user group web-before, so that such traffic can be blocked.
[~HUAWEI] acl number 6004
[*HUAWEI-acl-ucl-6004] rule 3 permit ip source user-group web-before destination user-group web-before
[*HUAWEI-acl-ucl-6004] rule 5 permit ip source user-group web-before destination ip-address any
[~HUAWEI-acl-ucl-6004] quit
Configure ACL 6005 to match traffic between user group web-before and the Web authentication server and DNS server, so that this traffic is allowed through.
[~HUAWEI] acl number 6005
[*HUAWEI-acl-ucl-6005] rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
[*HUAWEI-acl-ucl-6005] rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
[*HUAWEI-acl-ucl-6005] rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
[*HUAWEI-acl-ucl-6005] rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
[*HUAWEI-acl-ucl-6005] rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
[*HUAWEI-acl-ucl-6005] rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
[~HUAWEI-acl-ucl-6005] quit
Configure ACL 6006 to match all traffic destined for user group web-before, so that such traffic can be blocked.
[~HUAWEI] acl number 6006
[*HUAWEI-acl-ucl-6006] rule 5 permit ip destination user-group web-before
[~HUAWEI-acl-ucl-6006] quit
Configure ACL 6008 to match TCP packets sourced from user group web-before with destination port www or 8080, so that these packets can be HTTP-redirected.
[~HUAWEI] acl number 6008
[*HUAWEI-acl-ucl-6008] rule 5 permit tcp source user-group web-before destination-port eq www
[*HUAWEI-acl-ucl-6008] rule 10 permit tcp source user-group web-before destination-port eq 8080
[~HUAWEI-acl-ucl-6008] quit
- Configure the traffic management policy.
# Configure traffic classifiers.
[~HUAWEI] traffic classifier web-out
[*HUAWEI-classifier-web-out] if-match acl 6006
[*HUAWEI-classifier-web-out] commit
[~HUAWEI-classifier-web-out] quit
[~HUAWEI] traffic classifier web-be-permit
[*HUAWEI-classifier-web-be-permit] if-match acl 6005
[*HUAWEI-classifier-web-be-permit] commit
[~HUAWEI-classifier-web-be-permit] quit
[*HUAWEI] traffic classifier web-be-deny
[*HUAWEI-classifier-web-be-deny] if-match acl 6004
[*HUAWEI-classifier-web-be-deny] commit
[~HUAWEI-classifier-web-be-deny] quit
[~HUAWEI] traffic classifier redirect
[*HUAWEI-classifier-redirect] if-match acl 6008
[*HUAWEI-classifier-redirect] commit
[~HUAWEI-classifier-redirect] quit
# Configure traffic behaviors.
[~HUAWEI] traffic behavior web-out
[*HUAWEI-behavior-web-out] deny
[*HUAWEI-behavior-web-out] commit
[~HUAWEI-behavior-web-out] quit
[~HUAWEI] traffic behavior perm1
[*HUAWEI-behavior-perm1] permit
[*HUAWEI-behavior-perm1] commit
[~HUAWEI-behavior-perm1] quit
[~HUAWEI] traffic behavior deny1
[*HUAWEI-behavior-deny1] deny
[~HUAWEI-behavior-deny1] quit
[~HUAWEI] traffic behavior redirect
[*HUAWEI-behavior-redirect] http-redirect plus
[*HUAWEI-behavior-redirect] commit
[~HUAWEI-behavior-redirect] quit
# Configure traffic policies.
[~HUAWEI] traffic policy web-out
[*HUAWEI-policy-web-out] share-mode
[*HUAWEI-policy-web-out] classifier web-be-permit behavior perm1
[*HUAWEI-policy-web-out] classifier web-out behavior web-out
[*HUAWEI-policy-web-out] commit
[~HUAWEI-policy-web-out] quit
[~HUAWEI] traffic policy web
[*HUAWEI-policy-web] share-mode
[*HUAWEI-policy-web] classifier web-be-permit behavior perm1
[*HUAWEI-policy-web] classifier redirect behavior redirect
[*HUAWEI-policy-web] classifier web-be-deny behavior deny1
[*HUAWEI-policy-web] commit
[~HUAWEI-policy-web] quit
# Apply the policies globally.
[*HUAWEI] traffic-policy web inbound
[*HUAWEI] traffic-policy web-out outbound
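The ACL and traffic-policy logic of step 4, as an added example that is not part of the original page or of Huawei's software: a Python model of how a packet to or from a pre-authentication user is classified by policy web (inbound) and policy web-out (outbound). It assumes first-match evaluation in the order the classifiers are bound, and models membership of user group web-before by holding a pool2 address, a simplification of the real BRAS where membership follows the session's domain.

```python
# Added example (not Huawei code): a first-match model of the pre-authentication
# traffic policies on this page, policy "web" (inbound) and "web-out" (outbound),
# built from ACLs 6004/6005/6006/6008. Assumptions: a packet is a dict with
# proto/src/dst/dport, and a host belongs to user-group web-before when it holds
# an address from pool2 (172.16.1.0/24); on the real BRAS membership comes from
# the session's domain, not from the subnet.
PORTAL, DNS, LOOPBACK = "192.168.8.251", "192.168.8.252", "127.0.0.1"
ALLOWED_HOSTS = {PORTAL, DNS, LOOPBACK}          # the peers ACL 6005 permits

def in_web_before(ip):
    """User-group membership (constructed: pool2 clients are pre-auth users)."""
    return ip.startswith("172.16.1.")

def acl_6005(p):  # pre-auth user <-> portal / DNS / loopback, both directions
    return (in_web_before(p["src"]) and p["dst"] in ALLOWED_HOSTS) or \
           (p["src"] in ALLOWED_HOSTS and in_web_before(p["dst"]))

def acl_6008(p):  # TCP to www (80) or 8080 from a pre-auth user
    return p["proto"] == "tcp" and in_web_before(p["src"]) and p["dport"] in (80, 8080)

def acl_6004(p):  # anything sourced from a pre-auth user (rules 3 and 5 together)
    return in_web_before(p["src"])

def acl_6006(p):  # anything destined for a pre-auth user
    return in_web_before(p["dst"])

# Classifier order as bound in the page's traffic policies: the permit classifier
# is listed before redirect/deny, so portal and DNS traffic is never redirected.
POLICY_WEB = [(acl_6005, "permit"), (acl_6008, "redirect"), (acl_6004, "deny")]
POLICY_WEB_OUT = [(acl_6005, "permit"), (acl_6006, "deny")]

def apply_policy(policy, p):
    """First matching classifier wins; unmatched traffic is outside the policy."""
    for classifier, action in policy:
        if classifier(p):
            return action
    return "permit"

def inbound(p):
    return apply_policy(POLICY_WEB, p)

def outbound(p):
    return apply_policy(POLICY_WEB_OUT, p)

if __name__ == "__main__":
    client = "172.16.1.10"  # constructed address of a pre-auth user
    for desc, p in [
        ("DNS query", dict(proto="udp", src=client, dst=DNS, dport=53)),
        ("HTTP to internet", dict(proto="tcp", src=client, dst="203.0.113.5", dport=80)),
        ("HTTPS to internet", dict(proto="tcp", src=client, dst="203.0.113.5", dport=443)),
    ]:
        print(f"{desc:18s} -> {inbound(p)}")
```

The HTTPS case shows why a pre-authentication user sees a redirect only for plain HTTP: port 443 matches neither ACL 6005 nor ACL 6008 and falls through to the deny classifier.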
5. Configure the post-authentication domain after-auth.
[*HUAWEI-aaa] domain after-auth
[*HUAWEI-aaa-domain-after-auth] authentication-scheme auth2
[*HUAWEI-aaa-domain-after-auth] accounting-scheme acct2
[*HUAWEI-aaa-domain-after-auth] radius-server group rd2
[*HUAWEI-aaa-domain-after-auth] commit
[~HUAWEI-aaa-domain-after-auth] quit
[~HUAWEI-aaa] quit
6. Configure the pre-authentication domain, the post-authentication domain and the authentication method under the BAS interface.
[~HUAWEI] license
[*HUAWEI-license] active bas slot 1
[*HUAWEI-license] commit
[~HUAWEI-license] quit
[~HUAWEI] interface GigabitEthernet0/1/0
[*HUAWEI-GigabitEthernet0/1/0] bas
[*HUAWEI-GigabitEthernet0/1/0-bas] access-type layer2-subscriber default-domain pre-authentication pre-web authentication after-auth
[*HUAWEI-GigabitEthernet0/1/0-bas] authentication-method web
Configuration File
#
sysname HUAWEI
#
license
active bas slot 1
#
user-group web-before
#
radius-server group rd2
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key-cipher Root@1234
#
acl number 6004
rule 3 permit ip source user-group web-before destination user-group web-before
rule 5 permit ip source user-group web-before destination ip-address any
#
acl number 6005
rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
rule 20 permit ip source ip-address 192.168.8.252 0 destination user-group web-before
rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
#
acl number 6006
rule 5 permit ip destination user-group web-before
#
acl number 6008
rule 5 permit tcp source user-group web-before destination-port eq www
rule 10 permit tcp source user-group web-before destination-port eq 8080
#
traffic classifier web-out operator or
if-match acl 6006
traffic classifier web-be-permit operator or
if-match acl 6005
traffic classifier web-be-deny operator or
if-match acl 6004
traffic classifier redirect operator or
if-match acl 6008
#
traffic behavior web-out
deny
traffic behavior perm1
traffic behavior deny1
deny
traffic behavior redirect
http-redirect
#
traffic policy web-out
share-mode
classifier web-be-permit behavior perm1
classifier web-out behavior web-out
traffic policy web
share-mode
classifier web-be-permit behavior perm1
classifier redirect behavior redirect
classifier web-be-deny behavior deny1
#
ip pool pool2 bas local
gateway 172.16.1.1 255.255.255.0
section 0 172.16.1.2 172.16.1.200
dns-server 192.168.8.252
#
aaa
http-redirect enable
authentication-scheme auth2
authentication-scheme auth3
authentication-mode none
#
accounting-scheme acct2
accounting-scheme acct3
accounting-mode none
#
domain pre-web
authentication-scheme auth3
accounting-scheme acct3
ip-pool pool2
user-group web-before
web-server 192.168.8.251
web-server url http://192.168.8.251
web-server url-parameter
domain after-auth
authentication-scheme auth2
accounting-scheme acct2
radius-server group rd2
#
interface GigabitEthernet0/1/0
bas
#
access-type layer2-subscriber default-domain pre-authentication pre-web authentication after-auth
authentication-method web
#
traffic-policy web inbound
traffic-policy web-out outbound