School Router Scenario Configuration Case: Configuring Layer 2 IPoE Access (Web Authentication)

This section presents a Web authentication example and walks through the service configuration with the help of a networking diagram. The example covers the networking requirements, configuration roadmap, procedure and configuration file.

Applicable Products and Versions

Applies to ME60 series routers running V800R010C00 and later versions.

Networking Requirements

With Web authentication, a user going online must enter a username and password on a Portal page; once authentication succeeds, the user can access the network.

Figure 1-17 Networking diagram for Layer 2 IPoE access with Web authentication


Configuration Roadmap

Configure Web authentication as follows:

  1. Create two domains: the pre-authentication domain pre-web and the post-authentication domain after-auth.
  2. Configure the AAA schemes.
  3. Create a RADIUS server group.
  4. In the pre-authentication domain pre-web, configure forced redirection to the specified Web server, bind a user group that may access only limited resources, and bind the non-authentication and non-accounting schemes.
  5. In the post-authentication domain after-auth, bind the RADIUS authentication scheme and the RADIUS accounting scheme.
  6. Configure the pre-authentication and post-authentication domains on the BAS interface.

Procedure

  1. Create two domains: the pre-authentication domain pre-web and the post-authentication domain after-auth.

# Configure the pre-authentication domain pre-web and the post-authentication domain after-auth.
<huawei> system-view
[~HUAWEI] aaa
[*HUAWEI-aaa] domain pre-web
[*HUAWEI-aaa-domain-pre-web] commit
[~HUAWEI-aaa-domain-pre-web] quit

[*HUAWEI-aaa] domain after-auth
[*HUAWEI-aaa-domain-after-auth] commit
[~HUAWEI-aaa-domain-after-auth] quit
[~HUAWEI] quit
<HUAWEI>

2. Configure the AAA schemes and the RADIUS server group.

  • Configure RADIUS server group rd2.
[~HUAWEI] radius-server group rd2
[*HUAWEI-radius-rd2] radius-server authentication 192.168.8.249 1812
[*HUAWEI-radius-rd2] radius-server accounting 192.168.8.249 1813
[*HUAWEI-radius-rd2] radius-server type standard
[*HUAWEI-radius-rd2] radius-server shared-key-cipher Root@1234
[*HUAWEI-radius-rd2] commit
[~HUAWEI-radius-rd2] quit
  • Configure authentication scheme auth2 to use RADIUS authentication.
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme auth2
[*HUAWEI-aaa-authen-auth2] authentication-mode radius
[*HUAWEI-aaa-authen-auth2] commit
[~HUAWEI-aaa-authen-auth2] quit
  • Configure accounting scheme acct2 to use RADIUS accounting.
[*HUAWEI-aaa] accounting-scheme acct2
[*HUAWEI-aaa-accounting-acct2] accounting-mode radius
[*HUAWEI-aaa-accounting-acct2] commit
[~HUAWEI-aaa-accounting-acct2] quit
[~HUAWEI-aaa] quit
  • Configure authentication scheme auth3 as non-authentication.
[~HUAWEI] aaa
[*HUAWEI-aaa] authentication-scheme auth3
[*HUAWEI-aaa-authen-auth3] authentication-mode none
[*HUAWEI-aaa-authen-auth3] commit
[~HUAWEI-aaa-authen-auth3] quit
  • Configure accounting scheme acct3 as non-accounting.
[*HUAWEI-aaa] accounting-scheme acct3
[*HUAWEI-aaa-accounting-acct3] accounting-mode none
[*HUAWEI-aaa-accounting-acct3] commit
[~HUAWEI-aaa-accounting-acct3] quit
[~HUAWEI-aaa] quit

3. Configure the address pool.

[~HUAWEI] ip pool pool2 bas local
[*HUAWEI-ip-pool-pool2] gateway 172.16.1.1 255.255.255.0
[*HUAWEI-ip-pool-pool2] section 0 172.16.1.2 172.16.1.200
[*HUAWEI-ip-pool-pool2] dns-server 192.168.8.252
[*HUAWEI-ip-pool-pool2] commit
[~HUAWEI-ip-pool-pool2] quit

4. Configure the pre-authentication domain pre-web. Users in this domain may access only the Web authentication page; bind the non-authentication and non-accounting schemes to the domain.

  • Enable HTTP redirection in the pre-authentication domain and bind the non-authentication and non-accounting schemes.
[~HUAWEI] user-group web-before
[*HUAWEI] aaa
[*HUAWEI-aaa] http-redirect enable
[*HUAWEI-aaa] domain pre-web
[*HUAWEI-aaa-domain-pre-web] authentication-scheme auth3
[*HUAWEI-aaa-domain-pre-web] accounting-scheme acct3
[*HUAWEI-aaa-domain-pre-web] ip-pool pool2

[*HUAWEI-aaa-domain-pre-web] user-group web-before
[*HUAWEI-aaa-domain-pre-web] web-server 192.168.8.251
[*HUAWEI-aaa-domain-pre-web] web-server url http://192.168.8.251
  • Configure the Web authentication server.
[*HUAWEI] web-auth-server 192.168.8.251 key webvlan
  • Configure ACL rules.

Configure ACL 6004 to match all traffic whose source is user group web-before, so that such traffic can be blocked.

[~HUAWEI] acl number 6004
[*HUAWEI-acl-ucl-6004] rule 3 permit ip source user-group web-before destination user-group web-before
[*HUAWEI-acl-ucl-6004] rule 5 permit ip source user-group web-before destination ip-address any
[~HUAWEI-acl-ucl-6004] quit

Configure ACL 6005 to match traffic between user group web-before and the Web authentication server and DNS server, so that such traffic is permitted.

[~HUAWEI] acl number 6005
[*HUAWEI-acl-ucl-6005] rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
[*HUAWEI-acl-ucl-6005] rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
[*HUAWEI-acl-ucl-6005] rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
[*HUAWEI-acl-ucl-6005] rule 20 permit ip source ip-address 192.168.8.252 0 0 destination user-group web-before
[*HUAWEI-acl-ucl-6005] rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
[*HUAWEI-acl-ucl-6005] rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
[~HUAWEI-acl-ucl-6005] quit

Configure ACL 6006 to match all traffic whose destination is user group web-before, so that such traffic can be blocked.

[~HUAWEI] acl number 6006
[*HUAWEI-acl-ucl-6006] rule 5 permit ip destination user-group web-before
[~HUAWEI-acl-ucl-6006] quit

Configure ACL 6008 to match TCP packets from user group web-before with destination port www or 8080, so that such packets are redirected by HTTP redirection.

[~HUAWEI] acl number 6008
[*HUAWEI-acl-ucl-6008] rule 5 permit tcp source user-group web-before destination-port eq www
[*HUAWEI-acl-ucl-6008] rule 10 permit tcp source user-group web-before destination-port eq 8080
[~HUAWEI-acl-ucl-6008] quit
  • Configure the traffic management policy.

# Configure traffic classifiers.

[~HUAWEI] traffic classifier web-out
[*HUAWEI-classifier-web-out] if-match acl 6006
[*HUAWEI-classifier-web-out] commit
[~HUAWEI-classifier-web-out] quit
[~HUAWEI] traffic classifier web-be-permit
[*HUAWEI-classifier-web-be-permit] if-match acl 6005
[*HUAWEI-classifier-web-be-permit] commit
[~HUAWEI-classifier-web-be-permit] quit
[*HUAWEI] traffic classifier web-be-deny
[*HUAWEI-classifier-web-be-deny] if-match acl 6004
[*HUAWEI-classifier-web-be-deny] commit
[~HUAWEI-classifier-web-be-deny] quit
[~HUAWEI] traffic classifier redirect
[*HUAWEI-classifier-redirect] if-match acl 6008
[*HUAWEI-classifier-redirect] commit
[~HUAWEI-classifier-redirect] quit

# Configure traffic behaviors.

[~HUAWEI] traffic behavior web-out
[*HUAWEI-behavior-web-out] deny
[*HUAWEI-behavior-web-out] commit
[~HUAWEI-behavior-web-out] quit
[~HUAWEI] traffic behavior perm1
[*HUAWEI-behavior-perm1] permit
[*HUAWEI-behavior-perm1] commit
[~HUAWEI-behavior-perm1] quit
[~HUAWEI] traffic behavior deny1
[*HUAWEI-behavior-deny1] deny
[~HUAWEI-behavior-deny1] quit
[~HUAWEI] traffic behavior redirect
[*HUAWEI-behavior-redirect] http-redirect plus
[*HUAWEI-behavior-redirect] commit
[~HUAWEI-behavior-redirect] quit

# Configure traffic policies.

[~HUAWEI] traffic policy web-out
[*HUAWEI-policy-web-out] share-mode
[*HUAWEI-policy-web-out] classifier web-be-permit behavior perm1
[*HUAWEI-policy-web-out] classifier web-out behavior web-out
[*HUAWEI-policy-web-out] commit
[~HUAWEI-policy-web-out] quit
[~HUAWEI] traffic policy web
[*HUAWEI-policy-web] share-mode
[*HUAWEI-policy-web] classifier web-be-permit behavior perm1
[*HUAWEI-policy-web] classifier redirect behavior redirect
[*HUAWEI-policy-web] classifier web-be-deny behavior deny1
[*HUAWEI-policy-web] commit
[~HUAWEI-policy-web] quit

# Apply the policies globally.

[*HUAWEI] traffic-policy web inbound
[*HUAWEI] traffic-policy web-out outbound

5. Configure the post-authentication domain after-auth.

[*HUAWEI-aaa] domain after-auth
[*HUAWEI-aaa-domain-after-auth] authentication-scheme auth2
[*HUAWEI-aaa-domain-after-auth] accounting-scheme acct2
[*HUAWEI-aaa-domain-after-auth] radius-server group rd2
[*HUAWEI-aaa-domain-after-auth] commit
[~HUAWEI-aaa-domain-after-auth] quit
[~HUAWEI-aaa] quit

6. Configure the pre-authentication domain, the post-authentication domain and the authentication method on the BAS interface.

[~HUAWEI] license
[*HUAWEI-license] active bas slot 1
[*HUAWEI-license] commit
[~HUAWEI-license] quit
[~HUAWEI] interface GigabitEthernet0/1/0
[*HUAWEI-GigabitEthernet0/1/0] bas
[*HUAWEI-GigabitEthernet0/1/0-bas] access-type layer2-subscriber default-domain pre-authentication pre-web authentication after-auth
[*HUAWEI-GigabitEthernet0/1/0-bas] authentication-method web
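To check that the pre-authentication domain really behaves as a walled garden, here is an added Python model (not the page's or Huawei's code) of ACLs 6004/6005/6006/6008 and the 'web' / 'web-out' policies applied above. It assumes that user-group web-before holds the subscribers that have not yet authenticated (constructed members 172.16.1.10 and 172.16.1.11), that a traffic policy applies the first classifier whose ACL matches and forwards unmatched packets normally, and it uses 203.0.113.5 as a constructed outside host.

```python
# Added example, not from the page: Python model of the pre-authentication walled garden
# built by ACLs 6004/6005/6006/6008 and traffic policies 'web' / 'web-out'. Assumed: not yet
# authenticated subscribers are in user-group web-before; first matching classifier wins.
PRE_AUTH_USERS = {"172.16.1.10", "172.16.1.11"}  # constructed: current web-before members
PORTAL, DNS, LOOPBACK = "192.168.8.251", "192.168.8.252", "127.0.0.1"

def in_group(ip):                  # 'user-group web-before'
    return ip in PRE_AUTH_USERS
def host(addr):                    # 'ip-address <addr> 0' (exact host)
    return lambda ip: ip == addr
any_ip = lambda ip: True           # 'ip-address any'

# ACLs as ordered permit rules: (protocol, source test, destination test, TCP dport)
ACL = {
    6004: [("ip", in_group, in_group, None), ("ip", in_group, any_ip, None)],
    6005: [("ip", in_group, host(PORTAL), None), ("ip", host(PORTAL), in_group, None),
           ("ip", in_group, host(DNS), None), ("ip", host(DNS), in_group, None),
           ("ip", in_group, host(LOOPBACK), None), ("ip", host(LOOPBACK), in_group, None)],
    6006: [("ip", any_ip, in_group, None)],
    6008: [("tcp", in_group, any_ip, 80), ("tcp", in_group, any_ip, 8080)],
}

def acl_matches(number, pkt):
    for proto, src_ok, dst_ok, dport in ACL[number]:
        if (proto in ("ip", pkt["proto"]) and dport in (None, pkt.get("dport"))
                and src_ok(pkt["src"]) and dst_ok(pkt["dst"])):
            return True
    return False

# 'traffic policy web' (inbound) and 'traffic policy web-out' (outbound), in configured order
POLICY_WEB_INBOUND = [(6005, "permit"), (6008, "http-redirect"), (6004, "deny")]
POLICY_WEB_OUTBOUND = [(6005, "permit"), (6006, "deny")]

def apply_policy(policy, pkt):
    for acl, behavior in policy:
        if acl_matches(acl, pkt):
            return behavior
    return "permit"  # no classifier matched: the packet is forwarded normally

def walled_garden_report(user="172.16.1.10", outside="203.0.113.5"):
    # Decisions a pre-auth subscriber gets; 'outside' is a constructed Internet host
    up, down = POLICY_WEB_INBOUND, POLICY_WEB_OUTBOUND
    return {
        "dns": apply_policy(up, dict(src=user, dst=DNS, proto="udp", dport=53)),
        "portal": apply_policy(up, dict(src=user, dst=PORTAL, proto="tcp", dport=80)),
        "http_elsewhere": apply_policy(up, dict(src=user, dst=outside, proto="tcp", dport=80)),
        "ssh_elsewhere": apply_policy(up, dict(src=user, dst=outside, proto="tcp", dport=22)),
        "reply_from_portal": apply_policy(down, dict(src=PORTAL, dst=user, proto="tcp", dport=40000)),
        "reply_from_elsewhere": apply_policy(down, dict(src=outside, dst=user, proto="tcp", dport=40000)),
    }
```

The report shows the intended least-privilege result: a pre-auth user reaches only the portal and DNS, other HTTP is redirected, everything else is dropped in both directions, while an address outside the group is untouched by both policies.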

Configuration File

#
sysname HUAWEI
#
license
active bas slot 1
#
user-group web-before
#
radius-server group rd2
radius-server authentication 192.168.8.249 1812 weight 0
radius-server accounting 192.168.8.249 1813 weight 0
radius-server shared-key-cipher Root@1234
#
acl number 6004
rule 3 permit ip source user-group web-before destination user-group web-before
rule 5 permit ip source user-group web-before destination ip-address any
#
acl number 6005
rule 5 permit ip source user-group web-before destination ip-address 192.168.8.251 0
rule 10 permit ip source ip-address 192.168.8.251 0 destination user-group web-before
rule 15 permit ip source user-group web-before destination ip-address 192.168.8.252 0
rule 20 permit ip source ip-address 192.168.8.252 0 0 destination user-group web-before
rule 25 permit ip source user-group web-before destination ip-address 127.0.0.1 0
rule 30 permit ip source ip-address 127.0.0.1 0 destination user-group web-before
#
acl number 6006
rule 5 permit ip destination user-group web-before
#
acl number 6008
rule 5 permit tcp source user-group web-before destination-port eq www
rule 10 permit tcp source user-group web-before destination-port eq 8080
#
traffic classifier web-out operator or
if-match acl 6006
traffic classifier web-be-permit operator or
if-match acl 6005
traffic classifier web-be-deny operator or
if-match acl 6004
traffic classifier redirect operator or
if-match acl 6008
#
traffic behavior web-out
deny
traffic behavior perm1
traffic behavior deny1
deny
traffic behavior redirect
http-redirect
#
traffic policy web-out
share-mode
classifier web-be-permit behavior perm1
classifier web-out behavior web-out
traffic policy web
share-mode
classifier web-be-permit behavior perm1
classifier redirect behavior redirect
classifier web-be-deny behavior deny1
#
ip pool pool2 bas local
gateway 172.16.1.1 255.255.255.0
section 0 172.16.1.2 172.16.1.200
dns-server 192.168.8.252
#
aaa
http-redirect enable
authentication-scheme auth2
authentication-scheme auth3
authentication-mode none
#
accounting-scheme acct2
accounting-scheme acct3
accounting-mode none
#
domain pre-web
authentication-scheme auth3
accounting-scheme acct3
ip-pool pool2
user-group web-before
web-server 192.168.8.251
web-server url http://192.168.8.251
web-server url-parameter
domain after-auth
authentication-scheme auth2
accounting-scheme acct2
radius-server group rd2
#
interface GigabitEthernet0/1/0
bas
#
access-type layer2-subscriber default-domain pre-authentication pre-web authentication after-auth
authentication-method web
#
traffic-policy web inbound
traffic-policy web-out outbound
