This section describes how to configure common web authentication combined with DAA rate limiting.
Applicable products and versions
This configuration example applies to the NE40E/ME60 series products running V800R008C00 or later.
Networking Requirements
The campus network shown in Figure 1-13 needs to meet the following requirements to allow students to access an extranet and implement rate limit and accounting:
1. Internet access: students access BRASs over switches and access the portal server for user authentication;
2. Independent rate limit and accounting: rate limit and accounting are required when a student accesses the extranet (192.168.100.0/24). The RADIUS server delivers the DAA service to implement rate limit and accounting, with the bandwidth limited to 10 Mbit/s and the tariff level set to 1.
Configuration Roadmap
- Configure an AAA server.
- Configure a RADIUS server.
- Configure a web server.
- Configure an address pool.
- Enable the value-added service function.
- Configure a user group.
- Configure a DAA traffic policy and a common web authentication policy.
- Configure a QoS profile.
- Configure a DAA service policy.
- Configure an authentication domain.
- Configure a BAS interface.
Procedure
- Configure an AAA server.
#
 aaa
  http-redirect enable
  authentication-scheme radius //Configure a RADIUS authentication scheme.
  authentication-scheme none //Set the authentication mode to none.
   authentication-mode none
  #
  accounting-scheme radius //Configure an accounting scheme.
  accounting-scheme none
   accounting-mode none
#
- Configure a RADIUS server.
#
 radius-server group radius
  radius-server authentication 192.168.8.249 1812 weight 0 //Configure a RADIUS authentication server.
  radius-server accounting 192.168.8.249 1813 weight 0 //Configure a RADIUS accounting server.
#
- Configure a web server.
#
 web-auth-server 192.168.8.251 port 50100 key simple huawei //Configure the IP address of a portal server.
#
- Configure an address pool.
#
 ip pool pool1 bas local
  gateway 10.100.100.1 255.255.255.0
  section 0 10.100.100.2 10.100.100.200
#
- Enable the value-added service function.
#
 value-added-service enable
#
- Configure a user group.
#
 user-group preweb //Configure a user group named preweb.
 user-group daa //Configure a user group named daa.
#
- Configure a DAA traffic policy and a common web authentication policy.
#
 //Configure a UCL policy.
 acl number 6000
  rule 20 permit ip source user-group preweb destination ip-address 192.168.8.251 0
  rule 25 permit ip source ip-address 192.168.8.251 0 destination user-group preweb
 #
 acl number 6001
  rule 5 permit tcp source user-group preweb destination-port eq www
  rule 10 permit tcp source user-group preweb destination-port eq 8080
 #
 acl number 6002
  rule 5 permit ip source ip-address any destination user-group preweb
  rule 10 permit ip source user-group preweb destination ip-address any
 #
 acl number 6999
  rule 5 permit ip source user-group daa destination ip-address 192.168.100.0 0.0.0.255
  rule 10 permit ip source ip-address 192.168.100.0 0.0.0.255 destination user-group daa
#
 //Configure a traffic classifier.
 traffic classifier web-deny operator or
  if-match acl 6002
 traffic classifier web-permit operator or
  if-match acl 6000
 traffic classifier daa operator or
  if-match acl 6999
 traffic classifier preweb operator or
  if-match acl 6001
#
 //Configure a traffic behavior.
 traffic behavior web-deny //Configure a traffic behavior named web-deny.
  deny
 traffic behavior web-permit //Configure a traffic behavior named web-permit.
 traffic behavior daa //Configure a traffic behavior named daa.
  traffic-statistic //Enable traffic statistics collection for the DAA service.
  car //Enable traffic policing for the DAA service.
  tariff-level 1 //Set the tariff level of the DAA service to 1.
 #
 traffic behavior preweb //Configure a traffic behavior named preweb.
  http-redirect //Push web pages to the online PC user.
#
 //Configure a traffic policy and bind it to the traffic behavior and traffic classifier.
 traffic policy daa //Configure a traffic policy named daa.
  share-mode
  statistics enable
  classifier daa behavior daa
 traffic policy preweb //Configure a traffic policy named preweb.
  share-mode
  classifier web-permit behavior web-permit
  classifier preweb behavior preweb
  classifier web-deny behavior web-deny
#
 //Globally apply the traffic policy.
 accounting-service-policy daa //Globally apply the traffic policy daa that distinguishes accounting based on destination addresses.
 traffic-policy preweb inbound //Globally apply the traffic policy preweb.
#
- Configure a QoS profile.
#
 qos-profile 10M
  car cir 10000 cbs 1870000 green pass red discard
#
- Configure a DAA service policy.
#
 value-added-service policy daa daa //Configure a DAA service policy.
  accounting-scheme radius
  traffic-separate enable //Configure accounting and rate limit of the DAA service not counted in the overall accounting and rate limit of the user.
  rate-limit-mode car outbound //Configure CAR.
  tariff-level 1 qos-profile 10M //Configure the tariff level and the corresponding QoS profile.
#
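The walled garden built by the preweb traffic policy (portal traffic permitted, other HTTP redirected, everything else denied) and the DAA classification of extranet traffic are easiest to sanity-check by walking sample flows through the classifiers in their bound order. The following model is an added example, not part of the Huawei documentation; it assumes first-match evaluation in classifier order and that a flow matching no classifier is forwarded normally.

```python
# Added example (not from the Huawei documentation): a small model of the
# ordered matching performed by the preweb and daa traffic policies above.
# Assumptions: first-match evaluation in classifier order, and a flow that
# matches no classifier is forwarded normally (both are assumptions here).
import ipaddress

PORTAL = ipaddress.ip_address("192.168.8.251")          # portal server
EXTRANET = ipaddress.ip_network("192.168.100.0/24")     # DAA destination

def _acl_6000(f):  # user-group preweb <-> portal server
    return (f["group"] == "preweb" and f["dst"] == PORTAL) or \
           (f["src"] == PORTAL and f["dst_group"] == "preweb")

def _acl_6001(f):  # HTTP (80 / 8080) from preweb users to any destination
    return f["group"] == "preweb" and f["proto"] == "tcp" and f["dport"] in (80, 8080)

def _acl_6002(f):  # any other traffic to or from preweb users
    return f["group"] == "preweb" or f["dst_group"] == "preweb"

def _acl_6999(f):  # user-group daa <-> extranet 192.168.100.0/24
    return (f["group"] == "daa" and f["dst"] in EXTRANET) or \
           (f["src"] in EXTRANET and f["dst_group"] == "daa")

# classifier name, match function, behavior, in the order the policies bind them
PREWEB_POLICY = [("web-permit", _acl_6000, "permit"),
                 ("preweb", _acl_6001, "http-redirect"),
                 ("web-deny", _acl_6002, "deny")]
DAA_POLICY = [("daa", _acl_6999, "daa (car 10 Mbit/s, tariff-level 1)")]

def flow(group, src, dst, proto="ip", dport=None, dst_group=None):
    """Build a constructed sample flow; group is the user group of the source."""
    return {"group": group, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto,
            "dport": dport, "dst_group": dst_group}

def evaluate(f):
    """Return the behavior the policies apply to flow f (first match wins)."""
    for policy in (PREWEB_POLICY, DAA_POLICY):
        for _name, match, behavior in policy:
            if match(f):
                return behavior
    return "forward"  # assumed default when no classifier matches

if __name__ == "__main__":
    # constructed pre-authentication user (10.100.100.2 from pool1) probing DNS
    print(evaluate(flow("preweb", "10.100.100.2", "8.8.8.8", "udp", 53)))
```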
- Configure an authentication domain.
#
 aaa
  domain swjf //Configure an authentication domain named swjf.
   authentication-scheme radius
   accounting-scheme radius
   ip-pool pool1
   value-added-service account-type radius radius //Configure the DAA accounting mode as radius.
   value-added-service policy daa //Configure a DAA policy named daa.
  domain preweb //Configure an authentication domain named preweb for DHCP and web authentication.
   authentication-scheme none
   accounting-scheme none
   ip-pool pool1
   user-group preweb //Bind the domain to the user group preweb.
   web-server 192.168.8.251 //Configure a web authentication server.
   web-server url http://192.168.8.251 //Configure the redirection URL for forcible web authentication in the domain.
   radius-server group radius //Bind the domain to the RADIUS server group.
   user-group daa //Bind the domain to the user group daa.
#
- Configure a BAS interface.
#
 //Configure a BAS interface.
 interface GigabitEthernet1/1/0
  bas
  #
   access-type layer2-subscriber default-domain pre-authentication preweb authentication swjf //Configure the BAS interface as a common Layer 2 user interface. Configure a pre-authentication domain named preweb and an authentication domain named swjf.
   authentication-method web //Configure the web authentication mode.
#
- Verify the configuration.
Run the display value-added-service user user-id command to view value-added service statistics for a DAA user and confirm that extranet traffic is rate-limited and accounted separately.
