This section provides an example of configuring web authentication (HTTPS address input) and rate limitation.
Applicable products and versions
This configuration example applies to the NE40E/ME60 series products running V600R008C10 or later.
Networking requirements
On the network shown in Figure 1-12, configure web authentication (HTTPS address input) and rate limitation. The configurations include:
1. configure a user group, an IP address pool, pre-authentication and authentication domains, and BAS interfaces;
2. configure AAA authentication and accounting schemes, and configure a RADIUS server;
3. configure none authentication and none accounting schemes for the pre-authentication domain, and configure RADIUS authentication and accounting schemes for the authentication domain;
4. configure an ACL to allow a user to access only the web server when the user is in the pre-authentication domain and to redirect the user when the user requests to access other web pages;
5. configure an ACL to redirect DNS packets when the user is in the pre-authentication domain;
6. configure a QoS profile to limit the traffic rate to 10 Mbit/s and apply the profile to the authentication domain.
Figure 1-12 Configuring web authentication (HTTPS address input) and rate limitation 
Table 1-24 Data Preparation
| Device | Item | Data |
|---|---|---|
| Router | Destination IP address to be specified in ACL rule 5 | 10.1.1.2 |
| | Destination IP address to be specified in ACL rule 10 | 172.16.0.2 |
Configuration Roadmap
Configure AAA accounting and authentication schemes.
Configure a RADIUS server group.
Configure a domain.
Configure ACLs.
Configure traffic classification and a traffic management policy.
Configure a QoS profile to limit the rates of incoming and outgoing traffic.
Procedure
- Configure the Device.
```
//Configure AAA authentication schemes
#
aaa
 authentication-scheme none
  authentication-mode none
#
aaa
 authentication-scheme radius
  authentication-mode radius
//Configure AAA accounting schemes
#
aaa
 accounting-scheme none
  accounting-mode none
#
aaa
 accounting-scheme radius
  accounting-mode radius
//Configure a RADIUS server group
#
radius-server group 13
 radius-server authentication 10.9.7.13 1812
 radius-server accounting 10.9.7.13 1813
//Configure the ip pool
#
ip pool pool1 bas local
 gateway 172.20.0.1 255.255.255.0
 section 0 172.20.0.2 172.20.0.10
//Configure the user group
#
user-group web-before
//Configure ACLs
#
acl number 6000
 rule 5 permit ip source user-group web-before destination ip-address 10.1.1.2 0
 rule 10 permit ip source user-group web-before destination ip-address 172.16.0.2 0
#
acl number 6001
 rule 5 permit ip source user-group web-before
#
acl number 6002
 rule 5 permit udp source-port eq dns destination user-group web-before
//Configure traffic classifiers
#
traffic classifier c1
 if-match acl 6000
traffic classifier c2
 if-match acl 6001
traffic classifier c3
 if-match acl 6002
//Configure traffic behaviors
#
traffic behavior b1
 permit
traffic behavior b2
 deny
traffic behavior b3
 dns-redirect
//Configure traffic policies
#
traffic policy p1
 classifier c1 behavior b1
 classifier c2 behavior b2
traffic policy dns
 share-mode
 classifier c3 behavior b3 precedence 1
//Apply the traffic policy globally
#
traffic-policy p1 inbound
traffic-policy dns outbound
//Configure a qos-profile
#
qos-profile 10M
 car cir 10000 inbound
 car cir 10000 outbound
#
//Configure the domain1
#
aaa
 domain domain1
  authentication-scheme none
  accounting-scheme none
  ip-pool pool1
  user-group web-before
  dns-redirect web-server 10.1.1.2
  web-server url http://10.1.1.2:85/portal
  max-ipuser-reauthtime 0
//Configure the isp1
#
aaa
 domain isp1
  authentication-scheme radius
  accounting-scheme radius
  radius-server group 13
  qos-profile 10M inbound
  qos-profile 10M outbound
//Configure the BAS interface
#
interface GigabitEthernet 0/1/2.1
 vlan-type dot1q 1
 ip address 192.168.1.1 255.255.255.0
 bas
 #
  access-type layer3-subscriber default-domain pre-authentication domain1
//Configure upstream interface
#
interface GigabitEthernet 0/1/1
 ip address 172.16.0.1 255.255.255.0
#
```
- Verify the configuration.
Run the display access-user domain isp1 command to check information about online users of the specified domain.
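
The pre-authentication restriction rests on ACL 6000 (two host permits) being matched before the catch-all ACL 6001 in traffic policy p1. The following Python is an added example, not part of the original configuration guide: it parses those lines and returns the verdict for a destination. It assumes classifiers are evaluated in configured order with the first match deciding, and that traffic matching no classifier is forwarded; the function names are hypothetical.

```python
import ipaddress

# Constructed excerpt: the walled-garden lines of the configuration above.
CONFIG = """
acl number 6000
 rule 5 permit ip source user-group web-before destination ip-address 10.1.1.2 0
 rule 10 permit ip source user-group web-before destination ip-address 172.16.0.2 0
acl number 6001
 rule 5 permit ip source user-group web-before
traffic classifier c1
 if-match acl 6000
traffic classifier c2
 if-match acl 6001
traffic behavior b1
 permit
traffic behavior b2
 deny
traffic policy p1
 classifier c1 behavior b1
 classifier c2 behavior b2
"""

def to_int(text):
    # Wildcard "0" is shorthand for 0.0.0.0: no bits ignored, so exactly one host matches.
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))

def parse(config):
    tables = {"number": {}, "classifier": {}, "behavior": {}, "policy": {}}
    for line in filter(str.strip, config.splitlines()):
        words = line.split()
        if not line.startswith(" "):        # top-level line opens a new view
            view = tables[words[1]].setdefault(words[2], [])
        elif words[0] == "rule":            # (user-group, dst address, dst wildcard)
            view.append((words[6], *(words[9:11] or [None, None])))
        elif words[0] == "classifier":      # policy entry: (classifier, behavior)
            view.append((words[1], words[3]))
        else:                               # "if-match acl N", "permit" or "deny"
            view.append(words[-1])
    return tables

def verdict(config, group, dst):
    # Assumption: classifiers of policy p1 are tried in configured order, first match wins.
    t = parse(config)
    for classifier, behavior in t["policy"]["p1"]:
        for g, addr, wild in t["number"][t["classifier"][classifier][0]]:
            care = ~to_int(wild or "255.255.255.255") & 0xFFFFFFFF  # bits to compare
            if g == group and (to_int(dst) ^ to_int(addr or dst)) & care == 0:
                return t["behavior"][behavior][0]
    return "permit"  # assumption: traffic matching no classifier is forwarded normally
```

Running `verdict` against a copy of the excerpt with a wider wildcard on rule 5 (for example `0.0.0.255`) shows every host in that /24 becoming reachable before authentication, which is the change to watch for when reviewing edits to ACL 6000.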