
portal authentication for BRAS user on ME60

Latest reply: Dec 29, 2018 13:17:00

(1) Configure the WEB authentication server and user group:

    web-auth-server enable
    web-auth-server source interface LoopBack 1
    web-auth-server 167.1.1.1 port 2000 key cipher Huawei
    user-group pre

(2) Configure the source interface of the ME60 and WEB authentication server:

    interface LoopBack 1
     ip address 1.1.1.1 32 (This address should be interworked with the WEB authentication server address)

(3) Configure the pre-domain of WEB authentication; the domain name is pre-domain. The IP address of the WEB server (forced page server) is 168.1.1.1; configure DNS redirection to be assigned to this address:

    domain pre-domain
     authentication-scheme default0
     accounting-scheme default0
     ip pool pool_web
     dns primary-ip 222.0.0.3
     user-group pre
     dns-redirect web-server 168.1.1.1 ---- DNS redirected to the web server

(4) Configure the interface between the ME60 and the WEB server:

    interface GigabitEthernet1/0/2
     ip address 168.1.1.2 24

(5) Configure the post-authentication domain:

    domain isp01 ---- RADIUS authentication
     authentication-scheme default1
     accounting-scheme default1
     radius-server group web

(6) Interface configuration:

    interface GigabitEthernet1/1/0.1
     user-vlan 1
     bas
      access-type layer2-subscriber default-domain pre-authentication pre-domain authentication isp01
      authentication-method web ---- needs to be configured as web authentication

(7) Flow policy configuration:

Configure pre-domain user access permissions. Allow users to access some IP addresses:

    acl number 6000
     rule 5 permit ip source user-group pre destination ip-address 222.0.0.3 0 ---- DNS server
     rule 15 permit ip source user-group pre destination ip-address 168.1.1.1 0 ---- WEB server
    traffic classifier web-before operator or
     if-match acl 6000
    traffic behavior web-before

The pre-configuration domain cannot access the address:

    acl number 6001
     rule 5 permit ip source user-group pre
    traffic classifier web-before-deny
     if-match acl 6001
    traffic behavior deny1
     deny

Configure an ACL to identify DNS packet redirection:

    acl number 6002
     rule 5 permit udp source-port eq dns destination user-group pre ---- identify DNS packets
    traffic classifier dns operator or
     if-match acl 6002
    traffic behavior redirect
     dns-redirect ---- DNS message is sent to the CPU

(8) Globally enabled traffic policy template

    traffic policy web-before
     share-mode
     classifier web-before behavior web-before ---- This configuration must be in the first line, indicating that the underlying forwarding message is allowed.
     classifier web-before-deny behavior deny1 ---- Deny the rest of the messages
    traffic policy https-redirect
     share-mode
     classifier dns behavior redirect ---- DNS packet redirection

Enable policy template:

    [huawei]traffic-policy web-before inbound
    [huawei]traffic-policy https-redirect outbound

(9) Configure the DNS redirect whitelist; DNS packets that hit the whitelist will not be redirected.

    dns-url permit www.icbc.com (Configure the whitelist; you need to add the corresponding IP address to the permit rules in the uplink UCL)
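
A check for the pre-authentication restrictions built in steps (3), (7) and (8), as an added example that is not part of the original post or of any Huawei tool. It parses a constructed excerpt of the configuration and reports permit rules in ACL 6000 that cover more than one host or a destination other than the DNS and web server, and a traffic policy whose deny classifier is missing or placed before the permit classifier. The `audit` function, its parameters and the `<policy>-deny` classifier naming (taken from the post's `web-before-deny`) are assumptions.

```python
import re

# Constructed sample: the pre-authentication parts of the configuration in the post.
CONFIG = """\
domain pre-domain
 dns primary-ip 222.0.0.3
 dns-redirect web-server 168.1.1.1
acl number 6000
 rule 5 permit ip source user-group pre destination ip-address 222.0.0.3 0
 rule 15 permit ip source user-group pre destination ip-address 168.1.1.1 0
traffic policy web-before
 share-mode
 classifier web-before behavior web-before
 classifier web-before-deny behavior deny1
"""

DEST = re.compile(r"permit ip .*destination ip-address (\S+) (\S+)")

def audit(config, permit_acl="6000", policy="web-before"):
    """Return findings about what pre-authentication users can reach."""
    section, expected, allowed, order = "", set(), [], []
    for raw in config.splitlines():
        line = raw.strip().lower()
        if not line:
            continue
        if not raw[0].isspace():          # an unindented line opens a new view
            section = line
        elif m := re.match(r"(?:dns primary-ip|dns-redirect web-server) (\S+)", line):
            expected.add(m.group(1))      # the only hosts pre-auth users need
        elif section == f"acl number {permit_acl}" and (m := DEST.search(line)):
            allowed.append(m.groups())    # (address, wildcard)
        elif section == f"traffic policy {policy}" and line.startswith("classifier "):
            order.append(line.split()[1])
    findings = []
    for ip, wildcard in allowed:
        if wildcard not in ("0", "0.0.0.0"):
            findings.append(f"acl {permit_acl}: {ip} {wildcard} permits more than one host")
        if ip not in expected:
            findings.append(f"acl {permit_acl}: {ip} is not the DNS or web server; review")
    for ip in sorted(expected - {ip for ip, _ in allowed}):
        findings.append(f"acl {permit_acl}: no permit rule for {ip}")
    deny = f"{policy}-deny"               # assumed naming, as in the post
    if deny not in order:
        findings.append(f"traffic policy {policy}: classifier {deny} missing")
    elif policy not in order or order.index(policy) > order.index(deny):
        findings.append(f"traffic policy {policy}: permit classifier must precede {deny}")
    return findings

if __name__ == "__main__":
    print(audit(CONFIG) or "no findings")
```

Addresses added to ACL 6000 for whitelisted domains from step (9) show up as "review" findings, which is the intended prompt to confirm each one.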



yiyi0519
Created Dec 22, 2018 08:41:38

If we configure NAT, how do we set up the portal authentication?

Finn92
Created Dec 22, 2018 09:23:55

(8) Globally enabled traffic policy template

Traffic policy web-before

Share-mode
About this, I have a question: what's the difference between share-mode and undo share-mode?

yjhd
Created Dec 26, 2018 03:00:26

Configure the interface between the ME60 and the WEB server.

Interface GigabitEthernet1/0/2

Ip address 168.1.1.2 24

No.9527
Created Dec 26, 2018 03:15:31

This section describes basic concepts of IP over Ethernet (IPoE) access, helping you quickly configure IPoE access.

In IPv4 network access where a user terminal connects to a BRAS's Ethernet interface through a Layer 2 device, such as a LAN switch, the user IP packets are encapsulated into IPoE packets by the user terminal's Ethernet interface before they are transmitted to the BRAS through the Layer 2 device. IPoE is an access mode that allows the BRAS to perform authentication and authorization on users and user services based on the physical or logical user information carried in IPoE packets, such as the MAC address, VLAN ID, and Option 82.

GongXiaochuan
Created Dec 26, 2018 08:17:10

Full steps shown for the configuration of portal authentication for BRAS user on ME60

SupperRobin
Created Dec 29, 2018 03:40:03

To deploy a mobile certificate on the Agile Controller-Campus system, import the root certificate of the enterprise to the Agile Controller-Campus system and import the CRL or configure the Agile Controller-Campus system to automatically obtain the CRL periodically. When users use their own certificates to connect to the network, the Agile Controller-Campus system verifies the validity of the certificates using the root certificate. If the Agile Controller-Campus system reads the CRL and detects that a user's certificate has been revoked, it does not allow the user to connect to the network.

SupperRobin
Created Dec 29, 2018 03:40:19

Configure the logging function that records users' online results.

After the log host on the NE80E/40E is configured to record users' online results, the log host receives user packets sent from the NE80E/40E. The logs carried by the packets are used to analyze the ratio of successful login users.

littlestone
Created Dec 29, 2018 13:17:00

Portal server is also a server-side system that receives authentication requests from portal clients. Its main function is to provide free portal services and Web-based authentication interfaces, as well as authentication information of interactive authentication clients of access devices.
