
00479807

Quidway ME60 Multiservice Control Gateway V100R006C05

Configuration Guide - BRAS Services


Issue 05
Date 2010-06-01

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2010. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 05 (2010-06-01)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services


About This Document


Purpose
This manual describes the rationales and configurations of BRAS services, including AAA, address management, user management, BRAS access, value-added service, ANCP, and user information backup.

Related Versions
The following table lists the product versions related to this document.

Product Name: ME60
Version: V100R006C05

Intended Audience
This document is intended for:

- Commissioning engineers
- Data configuration engineers
- Network monitoring engineers
- System maintenance engineers

Organization
This document is organized as follows.

Chapter 1 BRAS Service Overview
    This chapter describes the concepts and features of the BRAS.

Chapter 2 AAA Configuration
    This chapter describes the concept, rationale, and configuration of AAA and provides several configuration examples.

Chapter 3 Addresses Management
    This chapter describes the concept, rationale, and configuration of address management and provides several configuration examples.

Chapter 4 User Management
    This chapter describes the concept, rationale, and configuration of user management and provides several configuration examples.

Chapter 5 BRAS Access Configuration
    This chapter describes the concept, rationale, and configuration of BRAS access and provides several configuration examples.

Chapter 6 VAS Configuration
    This chapter describes the concept and rationale of the value-added service and the methods of configuring the COPS server, service policy, DSG service, CIPN service, and SIG service. In addition, this chapter provides several configuration examples.

Chapter 7 ANCP Configuration
    This chapter describes the concept and configuration of ANCP and provides several configuration examples.

Chapter 8 User Information Backup Configuration
    This chapter describes the rationales and configurations of local user information backup and remote user information backup and provides several configuration examples.

Chapter 9 RADIUS Attributes
    This chapter describes the RADIUS attributes supported by the ME60.

Chapter 10 HWTACACS Attributes
    This chapter describes the HWTACACS attributes supported by the ME60.

Appendix A Glossary, Appendix B Acronyms and Abbreviations
    The appendixes list the glossaries, acronyms, and abbreviations mentioned in the manual.

Index
    The index lists keywords that can be used as entries to help the reader fetch the required information quickly.

Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.


Symbol / Description

DANGER
    Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.

WARNING
    Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.

CAUTION
    Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.

TIP
    Indicates a tip that may help you solve a problem or save time.

NOTE
    Provides additional information to emphasize or supplement important points of the main text.

General Conventions
The general conventions that may be found in this document are defined as follows.

Convention / Description

Times New Roman
    Normal paragraphs are in Times New Roman.

Boldface
    Names of files, directories, folders, and users are in boldface. For example, log in as user root.

Italic
    Book titles are in italics.

Courier New
    Examples of information displayed on the screen are in Courier New.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention / Description

Boldface
    The keywords of a command line are in boldface.

Italic
    Command arguments are in italics.

[ ]
    Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... }
    Optional items are grouped in braces and separated by vertical bars. One item is selected.

[ x | y | ... ]
    Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... }*
    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ]*
    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

&<1-n>
    The parameter before the & sign can be repeated 1 to n times.

#
    A line starting with the # sign is a comment.

GUI Conventions
The GUI conventions that may be found in this document are defined as follows.

Convention / Description

Boldface
    Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.

>
    Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.

Format / Description

Key
    Press the key. For example, press Enter and press Tab.

Key 1+Key 2
    Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.

Key 1, Key 2
    Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.

Mouse Operations
The mouse operations that may be found in this document are defined as follows.


Action / Description

Click
    Select and release the primary mouse button without moving the pointer.

Double-click
    Press the primary mouse button twice continuously and quickly without moving the pointer.

Drag
    Press and hold the primary mouse button and move the pointer to a certain position.

Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Updates in Issue 05 (2010-06-01)


Fifth commercial release. Fixing Bugs.

Updates in Issue 04 (2009-10-15)


Fourth commercial release. Fixing Bugs.

Updates in Issue 03 (2009-07-01)


Third commercial release. Fixing Bugs.

Updates in Issue 02 (2009-03-01)


Second commercial release. Fixing Bugs.

Updates in Issue 01 (2008-11-15)


Initial commercial release.


Contents
About This Document...................................................................................................................iii 1 BRAS Service Overview...........................................................................................................1-1
1.1 Definition of the BRAS Service......................................................................................................................1-2 1.2 Features of the BRAS Service.........................................................................................................................1-2 1.2.1 User Identification..................................................................................................................................1-3 1.2.2 Authentication, Authorization, and Accounting.................................................................................... 1-3 1.2.3 IP Address Management........................................................................................................................ 1-3 1.2.4 User Management.................................................................................................................................. 1-3 1.2.5 Service Control.......................................................................................................................................1-3

2 AAA Configuration...................................................................................................................2-1
2.1 Introduction to AAA....................................................................................................................................... 2-2 2.1.1 Authentication........................................................................................................................................2-2 2.1.2 Authorization..........................................................................................................................................2-3 2.1.3 Accounting.............................................................................................................................................2-4 2.1.4 RADIUS Protocol.................................................................................................................................. 2-7 2.1.5 HWTACACS Protocol.........................................................................................................................2-11 2.1.6 ACL Delivered by the RADIUS Server...............................................................................................2-11 2.1.7 References............................................................................................................................................2-17 2.2 Configuring AAA Schemes..........................................................................................................................2-17 2.2.1 Establishing the Configuration Task....................................................................................................2-17 2.2.2 Configuring an Authentication Scheme...............................................................................................2-18 2.2.3 Configuring an Accounting Scheme....................................................................................................2-20 2.2.4 (Optional) Configuring an Authorization Scheme...............................................................................2-21 2.2.5 (Optional) 
Configuring a Recording Scheme.......................................................................................2-23 2.2.6 Checking the Configuration.................................................................................................................2-24 2.3 Configuring the RADIUS Server..................................................................................................................2-24 2.3.1 Establishing the Configuration Task....................................................................................................2-25 2.3.2 Creating a RADIUS Server Group.......................................................................................................2-26 2.3.3 Configuring the RADIUS Authentication and Accounting Servers....................................................2-26 2.3.4 (Optional) Configuring the Algorithm for Selecting the RADIUS Server..........................................2-27 2.3.5 (Optional) Configuring the Negotiated Parameters of the RADIUS Server........................................2-28 2.3.6 (Optional) Disabling RADIUS Attributes............................................................................................2-30 Issue 05 (2010-06-01) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. ix

Contents

Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services 2.3.7 (Optional) Configuring RADIUS Attribute Translation......................................................................2-30 2.3.8 (Optional) Configuring the Tunnel Password Delivery Mode.............................................................2-31 2.3.9 (Optional) Configuring the Class Attribute to Carry the CAR Value..................................................2-32 2.3.10 (Optional) Configuring the Format of the NAS-Port Attribute..........................................................2-32 2.3.11 (Optional) Configuring the Source Interface of the RADIUS Server Group.....................................2-33 2.3.12 (Optional) Configuring the RADIUS Authorization Server..............................................................2-34 2.3.13 (Optional) Configuring the Status Parameters of the RADIUS Server..............................................2-34 2.3.14 (Optional) Configuring the Extended Source Ports of RADIUS.......................................................2-35 2.3.15 Checking the Configuration...............................................................................................................2-35

2.4 Configuring the HWTACACS Server...........................................................................................................2-36 2.4.1 Establishing the Configuration Task....................................................................................................2-36 2.4.2 Creating an HWTACACS Server Template........................................................................................2-37 2.4.3 Configuring HWTACACS Servers......................................................................................................2-37 2.4.4 Configuring the Source IP Address of the HWTACACS Server.........................................................2-38 2.4.5 (Optional) Configuring the Negotiated Parameters of the HWTACACS Server................................2-39 2.4.6 (Optional) Configuring Timers of the HWTACACS Server...............................................................2-40 2.4.7 (Optional) Configuring Retransmission of Stop-Accounting Packet...................................................2-41 2.4.8 Checking the Configuration.................................................................................................................2-41 2.5 Storing Local CDRs......................................................................................................................................2-41 2.5.1 Establishing the Configuration Task....................................................................................................2-42 2.5.2 Creating a Local CDR Pool..................................................................................................................2-42 2.5.3 Configuring the CDR Server................................................................................................................2-43 2.5.4 (Optional) Configuring CDR Alarm Threshold...................................................................................2-44 2.5.5 (Optional) Configuring Mode of Backing Up 
CDRs in the Cache......................................................2-44 2.5.6 (Optional) Configuring CDR Backup Interval.....................................................................................2-45 2.5.7 (Optional) Backing Up CDRs Manually..............................................................................................2-46 2.5.8 Checking the Configuration.................................................................................................................2-46 2.6 Maintaining AAA..........................................................................................................................................2-46 2.6.1 Displaying AAA Information...............................................................................................................2-47 2.6.2 Debugging AAA..................................................................................................................................2-48 2.6.3 Clearing AAA Information..................................................................................................................2-48 2.7 Configuration Examples................................................................................................................................2-49 2.7.1 Example for Configuring RADIUS Authentication and Accounting..................................................2-49 2.7.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization..................2-52 2.7.3 Example for Configuring the RADIUS Server to Deliver ACLs.........................................................2-56

3 Addresses Management............................................................................................................3-1
3.1 Introduction.....................................................................................................................................................3-2 3.1.1 Overview of Address Management........................................................................................................3-2 3.1.2 IPv4 Address management.....................................................................................................................3-2 3.1.3 IPv6 Address management.....................................................................................................................3-4 3.2 Configuring the DHCP Server........................................................................................................................3-4 3.2.1 Establishing the Configuration Task......................................................................................................3-5 x Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 05 (2010-06-01)

Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services

Contents

3.2.2 Creating a DHCP Server Group.............................................................................................................3-5 3.2.3 Configuring DHCP Servers....................................................................................................................3-6 3.2.4 (Optional) Setting the Algorithm for Selecting DHCP Servers.............................................................3-6 3.2.5 (Optional) Configuring the DHCP Release Agent Function..................................................................3-7 3.2.6 (Optional) Configuring the DHCP Global Parameters.......................................................................... 3-7 3.2.7 (Optional) Configuring the ME60 to Trust DHCP Option 82............................................................... 3-8 3.2.8 (Optional) Configuring Transparent Transmission of DHCP Packets...................................................3-9 3.2.9 Checking the Configuration.................................................................................................................3-10 3.3 Configuring the IPv4 Address Pool..............................................................................................................3-10 3.3.1 Establishing the Configuration Task....................................................................................................3-10 3.3.2 Creating an Address Pool.....................................................................................................................3-11 3.3.3 Configuring Address Pool Attributes...................................................................................................3-12 3.3.4 Configuring an Address Segment........................................................................................................3-13 3.3.5 (Optional) Configuring the Address Lease..........................................................................................3-14 3.3.6 (Optional) 
Configuring Address Protection.........................................................................................3-14 3.3.7 (Optional) Configuring a DHCP Option..............................................................................................3-15 3.3.8 Associating an Address Pool with an DHCP Server Group.................................................................3-16 3.3.9 Checking the Configuration.................................................................................................................3-16 3.4 Configuring the IPv6 Address Prefix............................................................................................................3-17 3.4.1 Establishing the Configuration Task....................................................................................................3-17 3.4.2 Creating an IPv6 Address Prefix..........................................................................................................3-17 3.4.3 Configuring the Value and Length of the IPv6 Address Prefix...........................................................3-18 3.4.4 Checking the Configuration.................................................................................................................3-18 3.5 Maintaining Addresses..................................................................................................................................3-19 3.5.1 Displaying Address Management Information....................................................................................3-19 3.5.2 Debugging DHCP................................................................................................................................3-19 3.6 Configuration Examples................................................................................................................................3-20 3.6.1 Example for Allocating an Address from the Local Address 
Pool......................................................3-20 3.6.2 Example for Allocating an Address from the Remote Address Pool...................................................3-22 3.6.3 Example for Assigning Addresses to Users from the Relay Address Pool..........................................3-23 3.6.4 Example for Allocating a Fixed IP Address to the Local Account......................................................3-26 3.6.5 Example for Allocating IPv6 Addresses..............................................................................................3-30

4 User Management......................................................................................................................4-1
4.1 Introduction.....................................................................................................................................................4-2 4.1.1 Domain...................................................................................................................................................4-2 4.1.2 User Account and Password...................................................................................................................4-4 4.1.3 Static User..............................................................................................................................................4-6 4.2 Configuring a Domain.....................................................................................................................................4-6 4.2.1 Establishing the Configuration Task......................................................................................................4-6 4.2.2 Creating a Domain................................................................................................................................. 4-7 4.2.3 Specifying AAA Schemes......................................................................................................................4-8 4.2.4 Specifying Servers..................................................................................................................................4-9 Issue 05 (2010-06-01) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. xi

Contents

Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services 4.2.5 Specifying an IPv4 Address Pool or an IPv6 Address Prefix..............................................................4-10 4.2.6 (Optional) Configuring the Maximum Number of Access Users........................................................4-11 4.2.7 (Optional) Configuring the Maximum Number of Sessions for an Account.......................................4-12 4.2.8 (Optional) Configuring User Priority...................................................................................................4-12 4.2.9 (Optional) Specifying Groups..............................................................................................................4-13 4.2.10 (Optional) Specifying Profile and Policy...........................................................................................4-14 4.2.11 (Optional) Configuring Service Type for Domain Users...................................................................4-16 4.2.12 (Optional) Configuring the Reserved Bandwidth..............................................................................4-17 4.2.13 (Optional) Configuring Additional Functions....................................................................................4-18 4.2.14 (Optional) Activating a Domain.........................................................................................................4-21 4.2.15 Checking the Configuration...............................................................................................................4-21

4.3 Configuring User Account Parsing...............................................................................................................4-21 4.3.1 Establishing the Configuration Task....................................................................................................4-22 4.3.2 Configuring the Domain Name Delimiter............................................................................................4-22 4.3.3 Configuring the Location of the Domain Name...................................................................................4-23 4.3.4 Configuring the Parsing Direction of the Domain Name.....................................................................4-23 4.3.5 (Optional) Configuring the Realm Name Delimiter.............................................................................4-24 4.3.6 (Optional) Configuring the Location of the Realm Domain Name......................................................4-25 4.3.7 (Optional) Configuring the Parsing Direction of the Realm Name......................................................4-25 4.3.8 Configuring the Parsing Sequence.......................................................................................................4-26 4.3.9 Checking the Configuration.................................................................................................................4-27 4.4 Configuring the User Name Format and Password of an IPoX User............................................................4-27 4.4.1 Establishing the Configuration Task....................................................................................................4-27 4.4.2 Configuring the Domain Name Delimiter............................................................................................4-28 4.4.3 Configuring the Location of the Domain Name...................................................................................4-28 4.4.4 Configuring the Generation Mode of the User Name 
of an IPoX User...............................................4-28 4.4.5 Configuring the Password of an IPoX User.........................................................................................4-30 4.4.6 Checking the Configuration.................................................................................................................4-30 4.5 Configuring Static Users...............................................................................................................................4-31 4.5.1 Establishing the Configuration Task....................................................................................................4-31 4.5.2 Creating a Static User...........................................................................................................................4-32 4.5.3 (Optional) Configuring the User Name Format and Password of the Static User...............................4-32 4.5.4 (Optional) Configuring a Local Account.............................................................................................4-32 4.5.5 Checking the Configuration.................................................................................................................4-33 4.6 Maintaining User Management.....................................................................................................................4-33 4.7 Configuration Examples................................................................................................................................4-34 4.7.1 Example for Configuring Static Users Using Remote Authentication.................................................4-34 4.7.2 Example for Configuring Static Users Using Local Authentication....................................................4-38

5 BRAS Access Configuration....................................................................................................5-1


5.1 Introduction to Access Protocols ..... 5-3
5.1.1 Concept of Access Protocol ..... 5-3
5.1.2 Classification of the Access Protocols ..... 5-3
5.2 Introduction to Authentication Methods ..... 5-5
5.2.1 Web Authentication and Fast Authentication ..... 5-5
5.2.2 Binding Authentication ..... 5-7
5.2.3 PPP Authentication ..... 5-7
5.2.4 802.1X Authentication ..... 5-8
5.2.5 References ..... 5-9
5.3 Configuring Web Authentication ..... 5-9
5.3.1 Establishing the Configuration Task ..... 5-10
5.3.2 Configuring the Web Authentication Server ..... 5-11
5.3.3 Configuring Pre-authentication Domain on the BAS Interface ..... 5-11
5.3.4 (Optional) Configuring the Portal Protocol ..... 5-12
5.3.5 (Optional) Configuring Mandatory Web Authentication ..... 5-13
5.3.6 (Optional) Configuring the Service Type for Domain Users ..... 5-14
5.3.7 Checking the Configuration ..... 5-14
5.4 Configuring the 802.1X Template ..... 5-15
5.4.1 Establishing the Configuration Task ..... 5-15
5.4.2 Creating an 802.1X Template ..... 5-16
5.4.3 Configuring the Timeout of Authentication Response ..... 5-16
5.4.4 Configuring the Timeout and Retransmission Count of the Request Packets ..... 5-17
5.4.5 (Optional) Configuring the Timeout and Retransmission Count of the Keepalive Packets ..... 5-17
5.4.6 (Optional) Configuring the Re-authentication Interval ..... 5-18
5.4.7 Configuring the ME60 to Terminate EAP Packets ..... 5-19
5.4.8 (Optional) Configuring the ME60 to Deliver the EAP-SIM Authentication Parameters ..... 5-19
5.4.9 Checking the Configuration ..... 5-20
5.5 Configuring a User VLAN ..... 5-20
5.5.1 Establishing the Configuration Task ..... 5-20
5.5.2 Configuring the User-Termination Mode on the Master Interface (for Layer-3 Leased Lines) ..... 5-21
5.5.3 Configuring the Mapping Between the Control VLAN and Termination Sub-Interface (for Layer-3 Leased Lines) ..... 5-21
5.5.4 Configuring Packet Termination on the Sub-Interface (for Layer-3 Leased Lines) ..... 5-22
5.5.5 Creating User VLANs (for Users Not Using Layer-3 Leased Lines) ..... 5-23
5.5.6 Checking the Configuration ..... 5-24
5.6 Configuring the BAS Interface ..... 5-24
5.6.1 Establishing the Configuration Task ..... 5-25
5.6.2 Creating a BAS Interface ..... 5-26
5.6.3 Configuring the Access Type and Attributes of Users ..... 5-26
5.6.4 Configuring the Authentication Method ..... 5-27
5.6.5 (Optional) Configuring the Limit to Access Users ..... 5-28
5.6.6 (Optional) Specifying a Domain ..... 5-28
5.6.7 (Optional) Configuring Logical Parameters of the BAS Interface ..... 5-30
5.6.8 (Optional) Configuring the User Locating Function ..... 5-31
5.6.9 (Optional) Configuring Additional Functions ..... 5-32
5.6.10 (Optional) Configuring Other Parameters ..... 5-35

Contents

5.6.11 (Optional) Blocking the BAS Interface ..... 5-36
5.6.12 Checking the Configuration ..... 5-37

5.7 Configuring the Access Response Delay Policy ..... 5-37
5.7.1 Establishing the Configuration Task ..... 5-37
5.7.2 Configuring the Access Response Delay Policy on the Equipment ..... 5-38
5.7.3 Configuring Access Response Delay Policy on the BAS Interface ..... 5-39
5.7.4 Checking the Configuration ..... 5-40
5.8 Configuring the Common IPoX Access Service ..... 5-40
5.8.1 Establishing the Configuration Task ..... 5-40
5.9 Configuring the Common PPPoX Access Service ..... 5-43
5.9.1 Establishing the Configuration Task ..... 5-43
5.10 Configuring the 802.1X Access Service ..... 5-46
5.10.1 Establishing the Configuration Task ..... 5-46
5.11 Configuring the Leased Line Access Service ..... 5-48
5.11.1 Establishing the Configuration Task ..... 5-48
5.12 Configuring the IPv6 Access Service ..... 5-51
5.12.1 Establishing the Configuration Task ..... 5-51
5.13 Managing Online Users ..... 5-53
5.13.1 Establishing the Configuration Task ..... 5-54
5.13.2 Displaying Online Users ..... 5-54
5.13.3 Disconnecting Online Users ..... 5-55
5.14 Maintaining BRAS Access ..... 5-56
5.14.1 Displaying the BRAS Access Information ..... 5-56
5.14.2 Clearing the BRAS Access Information ..... 5-58
5.14.3 Debugging BRAS Access ..... 5-58
5.15 Configuration Examples ..... 5-59
5.15.1 Example for Configuring the Common IPoE Access Service for VPN Users ..... 5-60
5.15.2 Example for Configuring the Common IPoEoVLAN Access Service ..... 5-63
5.15.3 Example for Configuring the Common IPoEoQ Access Service ..... 5-66
5.15.4 Example for Configuring the PPPoE Access Service ..... 5-68
5.15.5 Example for Configuring PPPoE Leased Line Access ..... 5-71
5.15.6 Example for Configuring the PPPoEoVLAN Access Service ..... 5-73
5.15.7 Example for Configuring the PPPoEoQ Access Service ..... 5-76
5.15.8 Example for Configuring the 802.1X Access Service ..... 5-78
5.15.9 Example for Configuring Ethernet Layer-2 Leased Line Access ..... 5-81
5.15.10 Example for Configuring Ethernet Layer-3 Leased Line Access ..... 5-82
5.15.11 Example for Configuring the IPv6 (PPP) Access Service ..... 5-84
5.15.12 Example for Configuring the IPv6 (ND) Access Service ..... 5-87

6 VAS Configuration....................................................................................................................6-1
6.1 Introduction ..... 6-2
6.1.1 Service Overview ..... 6-2
6.1.2 Overview of COPS ..... 6-3
6.1.3 Overview of the DSG Service ..... 6-4
6.1.4 Overview of the DAA Service ..... 6-6
6.1.5 Overview of the CIPN Service ..... 6-7
6.1.6 Overview of the SIG Service ..... 6-9
6.1.7 References ..... 6-10
6.2 Configuring the COPS Server ..... 6-10
6.2.1 Establishing the Configuration Task ..... 6-11
6.2.2 Configuring the Source Interface of the COPS Server ..... 6-11
6.2.3 (Optional) Configuring the Timeout Time of the COPS Open Message ..... 6-13
6.2.4 Creating a COPS Server Group ..... 6-13
6.2.5 Configuring the COPS Server ..... 6-14
6.2.6 (Optional) Configuring the Client Identifier ..... 6-14
6.2.7 (Optional) Configuring the Flow Keeping Time ..... 6-15
6.2.8 (Optional) Configuring the Shared Key ..... 6-15
6.2.9 Activating the COPS Servers ..... 6-16
6.2.10 Checking the Configuration ..... 6-16
6.3 Configuring the Value-added Service Policy ..... 6-17
6.3.1 Establishing the Configuration Task ..... 6-17
6.3.2 Creating a Value-added Service Policy ..... 6-18
6.3.3 Specifying the Accounting Scheme ..... 6-18
6.3.4 Specifying the Traffic Policy ..... 6-18
6.3.5 (Optional) Configuring the Idle Cut Function ..... 6-19
6.3.6 (Optional) Configuring the Global Parameter ..... 6-20
6.3.7 Checking the Configuration ..... 6-20
6.4 Configuring the DSG Service ..... 6-20
6.4.1 Establishing the Configuration Task ..... 6-21
6.4.2 Enabling the Value-Added Service ..... 6-22
6.4.3 Configuring the Policy Server ..... 6-22
6.4.4 Binding the Policy Server to the Domain ..... 6-22
6.4.5 Configuring the Value-added Service Policy ..... 6-23
6.4.6 Applying the Value-added Service Policy to a Domain ..... 6-23
6.4.7 Configuring the Accounting Mode of the VAS ..... 6-24
6.4.8 Configuring a User Group ..... 6-25
6.4.9 Checking the Configuration ..... 6-26
6.5 Configuring the DAA Service ..... 6-26
6.5.1 Establishing the Configuration Task ..... 6-27
6.5.2 Enabling the Value-Added Service ..... 6-28
6.5.3 Configuring the Policy Server ..... 6-28
6.5.4 Configuring a DAA Service Policy ..... 6-28
6.5.5 Applying the Value-added Service Policy to a Domain ..... 6-29
6.5.6 Binding the Policy Server to the Domain ..... 6-30
6.5.7 Checking the Configuration ..... 6-30

Contents

Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services

6.6 Configuring the CIPN Service ..... 6-31
6.6.1 Establishing the Configuration Task ..... 6-31
6.6.2 Enabling the Value-Added Service ..... 6-32
6.6.3 Configuring the CIPN-E4P COPS Server ..... 6-32
6.6.4 Configuring the CIPN-IAP COPS Server ..... 6-32
6.6.5 Binding a COPS Server to a Domain ..... 6-32
6.6.6 Configuring a User Group ..... 6-33
6.6.7 Checking the Configuration ..... 6-34
6.7 Configuring the SIG Service ..... 6-34
6.7.1 Establishing the Configuration Task ..... 6-34
6.7.2 Enabling the Value-Added Service ..... 6-35
6.7.3 Configuring the SIG Server ..... 6-36
6.7.4 Binding a SIG Server to a Domain ..... 6-36
6.7.5 Configuring a User Group ..... 6-36
6.7.6 Checking the Configuration ..... 6-37
6.8 Maintaining VASs ..... 6-37
6.8.1 Displaying the VASs Information ..... 6-37
6.8.2 Debugging VASs ..... 6-38
6.9 Configuration Examples ..... 6-38
6.9.1 Example for Configuring the DSG Service ..... 6-39
6.9.2 Example for Configuring the DAA Service ..... 6-43
6.9.3 Example for Configuring the CIPN Service ..... 6-49

7 ANCP Configuration.................................................................................................................7-1
7.1 Introduction ..... 7-2
7.1.1 ANCP Overview ..... 7-2
7.1.2 ANCP Application ..... 7-3
7.1.3 References ..... 7-4
7.2 Configuring ANCP Functions ..... 7-5
7.2.1 Establishing the Configuration Task ..... 7-5
7.2.2 Enabling ANCP ..... 7-6
7.2.3 Configuring the Source Interface of the ANCP Session ..... 7-7
7.2.4 (Optional) Configuring the ANCP Session Parameters ..... 7-7
7.2.5 Configuring the ANCP Neighbor Profile ..... 7-8
7.2.6 (Optional) Triggering Configuration of the ANCP Access Line ..... 7-10
7.2.7 (Optional) Enabling ANCP OAM Detection ..... 7-10
7.2.8 Enabling Automatic Adjustment of Downlink Bandwidth ..... 7-11
7.2.9 Checking the Configuration ..... 7-11
7.3 Maintaining ANCP ..... 7-12
7.3.1 Displaying ANCP Running Information ..... 7-12
7.3.2 Clearing ANCP Running Information ..... 7-12
7.3.3 Debugging ANCP ..... 7-13
7.4 Configuration Examples ..... 7-13
7.4.1 Example for Configuring ANCP Functions ..... 7-13

8 User Information Backup Configuration..............................................................................8-1


8.1 Introduction ..... 8-2
8.1.1 Background ..... 8-2
8.1.2 Local Information Backup ..... 8-2
8.1.3 Remote Information Backup ..... 8-3
8.2 Configuring Local Information Backup ..... 8-6
8.2.1 Establishing the Configuration Task ..... 8-6
8.2.2 Enabling Local Information Backup ..... 8-6
8.2.3 (Optional) Setting the Alarm Threshold of User Information ..... 8-7
8.2.4 Checking the Configuration ..... 8-7
8.3 Configuring Remote Information Backup Platform ..... 8-7
8.3.1 Establishing the Configuration Task ..... 8-8
8.3.2 Configuring VRRP ..... 8-8
8.3.3 Configuring the Remote Backup Server ..... 8-10
8.3.4 Configuring a Remote Backup Profile ..... 8-10
8.3.5 Checking the Configuration ..... 8-11
8.4 Configuring Remote Information Backup ..... 8-11
8.4.1 Establishing the Configuration Task ..... 8-12
8.4.2 Configuring Traffic Diverting from the Network Side to the User Side ..... 8-12
8.4.3 Binding the Remote Backup Profile to the Interface or Domain Through Which a User Goes Online ..... 8-14
8.4.4 (Optional) Setting NAS Parameters ..... 8-15
8.4.5 (Optional) Adjusting User Information Backup ..... 8-15
8.4.6 Checking the Configuration ..... 8-16
8.5 Maintaining ..... 8-16
8.5.1 Displaying Backup Information ..... 8-17
8.5.2 Clearing Backup Information ..... 8-17
8.6 Configuration Examples ..... 8-17
8.6.1 Example for Configuring User Information Backup Based on Direct Tunnel Protection ..... 8-17
8.6.2 Example for Configuring User Information Backup Based on Network Side Tunnels and Downstream Smartlink ..... 8-26
8.6.3 Example for Configuring User Information Backup in Exclusive Address Pool Mode (address pool route) ..... 8-32

9 RADIUS Attributes....................................................................................................................9-1
9.1 Standard RADIUS Attributes ..... 9-2
9.2 Huawei RADIUS+1.0 Attributes ..... 9-9
9.3 Huawei RADIUS+1.1 Attributes ..... 9-12
9.4 Microsoft RADIUS Attributes ..... 9-20
9.5 DSL Forum RADIUS Attributes ..... 9-21
9.6 Description of RADIUS Attributes ..... 9-23
9.6.1 Acct-Session-ID (44) ..... 9-23
9.6.2 Calling-Station-Id (31) ..... 9-23
9.6.3 Class (25) ..... 9-24
9.6.4 Connect-Port (128) ..... 9-25
9.6.5 NAS-Identifier (32) ..... 9-25
9.6.6 NAS-Port (5) ..... 9-25
9.6.7 NAS-Port-Id (87) ..... 9-26

10 HWTACACS Attributes ..... 10-1
A Glossary ..... A-1
B Acronyms and Abbreviations ..... B-1


Figures
Figure 1-1 Networking model of the broadband access  1-2
Figure 2-1 RADIUS Packet flow  2-7
Figure 2-2 Format of the RADIUS packet  2-8
Figure 2-3 Networking of RADIUS authentication and accounting  2-50
Figure 2-4 Networking of HWTACACS authentication, accounting, and authorization  2-53
Figure 2-5 Networking for the RADIUS server to deliver the ACL  2-56
Figure 3-1 Networking of allocating IP addresses with the local address pool  3-20
Figure 3-2 Networking of allocating IP addresses with the remote address pool  3-22
Figure 3-3 Networking of assigning addresses to users from the relay address pool  3-24
Figure 3-4 Networking of allocating a fixed IP address to the local account  3-26
Figure 3-5 Networking of allocating IPv6 addresses  3-30
Figure 4-1 Sketch map of domains  4-2
Figure 4-2 Networking for configuring static users adopting remote authentication  4-35
Figure 4-3 Networking for configuring static users adopting local authentication  4-38
Figure 5-1 Structure of the PPPoEoVLAN protocol stack  5-3
Figure 5-2 Structure of the access protocol stacks on the BRAS  5-4
Figure 5-3 Typical networking of web authentication  5-6
Figure 5-4 Networking of the IPoE access service  5-41
Figure 5-5 Networking of the IPoEoVLAN access service  5-41
Figure 5-6 Networking of the IPoEoQ access service  5-41
Figure 5-7 Networking of the PPPoE access service  5-44
Figure 5-8 Networking of the PPPoEoVLAN access service  5-44
Figure 5-9 Networking of the PPPoEoQ access service  5-44
Figure 5-10 Networking of the common IPoE access service  5-60
Figure 5-11 Networking of the common IPoEoVLAN access service  5-64
Figure 5-12 Networking of the common IPoEoQ access service  5-66
Figure 5-13 Networking of the PPPoE access service  5-69
Figure 5-14 Networking diagram of PPPoE leased line access  5-71
Figure 5-15 Networking of the PPPoEoVLAN access service  5-74
Figure 5-16 Networking of the PPPoEoQ access service  5-76
Figure 5-17 Networking of the 802.1X access service  5-79
Figure 5-18 Networking of layer-2 leased line access  5-81
Figure 5-19 Networking of Ethernet layer-3 leased line access  5-83
Figure 5-20 Networking of PPP ND access  5-85
Figure 5-21 Networking of IPv6 ND access  5-87
Figure 6-1 COPS message structure  6-4
Figure 6-2 COPS object structure  6-4
Figure 6-3 Networking model of the DSG service  6-5
Figure 6-4 DSG service flowchart  6-5
Figure 6-5 Basic networking diagram of DAA  6-7
Figure 6-6 Networking of the CIPN service  6-8
Figure 6-7 Networking of the SIG service  6-10
Figure 6-8 Networking of the DSG service  6-39
Figure 6-9 Networking diagram of DAA  6-44
Figure 6-10 Networking of the CIPN service  6-50
Figure 7-1 Typical ANCP networking  7-3
Figure 7-2 Networking for configuring ANCP  7-14
Figure 8-1 Networking for local information backup  8-2
Figure 8-2 Networking diagram of ring Ethernet access of remote information backup  8-5
Figure 8-3 Networking diagram of tree Ethernet access of remote information backup  8-5
Figure 8-4 Example for configuring user information backup based on direct tunnel protection  8-18
Figure 8-5 Example for configuring user information backup based on network side tunnels and downstream Smartlink  8-26
Figure 8-6 Example for configuring user information backup in exclusive address pool mode  8-33


Tables
Table 2-1 Authentication modes of the ME60  2-2
Table 2-2 Authorization modes of the ME60  2-4
Table 2-3 Accounting mode of the ME60  2-4
Table 2-4 Description of fields in a local CDR  2-5
Table 2-5 RADIUS attributes for translation  2-10
Table 2-6 Differences between the HWTACACS protocol and the RADIUS protocol  2-11
Table 2-7 Description of fields in the classifier string delivered by the RADIUS server  2-13
Table 2-8 Description of fields in the behavior string delivered by the RADIUS server  2-15
Table 3-1 IPv4 address pools supported by the ME60  3-2
Table 3-2 DHCP functions of the ME60  3-3
Table 3-3 Description of DHCP options in the ME60  3-4
Table 4-1 Default domains on the ME60  4-3
Table 5-1 PPP authentication protocols  5-8
Table 8-1 Comparison of traffic-diverting schemes  8-13


1 BRAS Service Overview

About This Chapter

This chapter describes the concept and features of the BRAS service.

1.1 Definition of the BRAS Service
This section describes the concept of the BRAS service.

1.2 Features of the BRAS Service
This section describes the features of the BRAS service.


1.1 Definition of the BRAS Service


This section describes the concept of the BRAS service. When providing the BRAS service, the ME60 functions as a BRAS. Compared with the narrowband service, in which users dial in through the public switched telephone network (PSTN) by using a modem, the broadband service provides higher bandwidth. For users, the terms broadband and narrowband mean different speeds of access to network resources. Figure 1-1 shows a networking model of the broadband access.

Figure 1-1 Networking model of the broadband access (figure: subscribers reach the ME60 through a DSLAM, a LAN switch, or an AP; the ME60 connects to the Internet, the RADIUS server, the portal server, and the NMS)

Based on the transmission medium, broadband access is classified into the following: asymmetric digital subscriber line (ADSL) access, Ethernet access through category-5 twisted pair, and wireless local area network (WLAN) access. The transmission medium is visible to users. The terminal users are connected to the ME60 through devices such as the digital subscriber line access multiplexer (DSLAM) and the LAN switch. The differences between access methods are screened by the access device, so the ME60 is not aware of the access methods of users.

1.2 Features of the BRAS Service


This section describes the features of the BRAS service. The major features of a BRAS are as follows:

1.2.1 User Identification
1.2.2 Authentication, Authorization, and Accounting
1.2.3 IP Address Management
1.2.4 User Management
1.2.5 Service Control

1.2.1 User Identification


Users can access the ME60 through the following protocols:
- IPoE: IP over Ethernet
- IPoEoVLAN: IP over Ethernet over VLAN
- IPoEoQ: IP over Ethernet over QinQ
- PPPoE: Point-to-Point Protocol over Ethernet
- PPPoEoVLAN: PPPoE over VLAN
- PPPoEoQ: PPPoE over QinQ
- 802.1X
- ND: Neighbor Discovery

The ME60 supports Point-to-Point Protocol (PPP) authentication, web authentication, fast authentication, binding authentication, and 802.1X authentication. For details about the authentication methods, see chapter 5 "BRAS Access Configuration."
NOTE

For details about the ND protocol, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.

1.2.2 Authentication, Authorization, and Accounting


The ME60 can carry out authentication, authorization, and accounting (AAA). It supports the following AAA protocols: the Remote Authentication Dial In User Service (RADIUS) protocol and the Huawei Terminal Access Controller Access Control System (HWTACACS) protocol. For details about the AAA configuration, see chapter 2 "AAA Configuration."

1.2.3 IP Address Management


The ME60 allocates IP addresses to users by using the IPv4 address pool or IPv6 address pool. For details about address management, see chapter 3 "Address Management."

1.2.4 User Management


The ME60 manages users based on domains. For details about user management, see chapter 4 "User Management."

1.2.5 Service Control


The ME60 provides access services and value-added services (VASs). In the access services, the ME60 functions as the BRAS; in the value-added services, the ME60 functions as the BRAS and Dynamic Service Gateway (DSG). For details about value-added services, see chapter 6 "VAS Configuration."


2 AAA Configuration

About This Chapter

This chapter describes the concept, rationale, and configuration of AAA and provides several configuration examples.

2.1 Introduction to AAA
This section describes the concept and rationale of AAA.

2.2 Configuring AAA Schemes
This section describes the procedure for configuring AAA schemes.

2.3 Configuring the RADIUS Server
This section describes the procedure for configuring the RADIUS server.

2.4 Configuring the HWTACACS Server
This section describes the procedure for configuring the HWTACACS server.

2.5 Storing Local CDRs
This section describes the procedure for configuring the ME60 to store local CDRs.

2.6 Maintaining AAA
This section describes the commands used to display and clear the AAA information and the commands used to debug the AAA function.

2.7 Configuration Examples
This section provides several configuration examples of AAA.


2.1 Introduction to AAA


This section describes the concept and rationale of AAA.

2.1.1 Authentication
2.1.2 Authorization
2.1.3 Accounting
2.1.4 RADIUS Protocol
2.1.5 HWTACACS Protocol
2.1.6 ACL Delivered by the RADIUS Server
2.1.7 References

2.1.1 Authentication
The authentication function verifies the identity of an access user. The ME60 can authenticate the user based on the user name and the password. The ME60 supports four main authentication modes and combined applications of these authentication modes, as described in Table 2-1.

Table 2-1 Authentication modes of the ME60

Authentication Mode | Description
None authentication | The user is trusted by the carrier and the ME60 does not verify the user. This mode is not recommended.
Local authentication | The user information (such as user name and password) is configured on the ME60. The ME60 performs authentication for the user. Local authentication features high speed, which lowers the operation cost, but the amount of stored information depends on the device hardware.
RADIUS authentication | The ME60 functions as the client to communicate with the RADIUS server. The user information is configured on the RADIUS server. The ME60 sends the user name and the password to the RADIUS server through the RADIUS protocol. The RADIUS server authenticates the user, and then returns the result to the ME60.
HWTACACS authentication | The ME60 functions as the client to communicate with the HWTACACS server. The user information is configured on the HWTACACS server. The ME60 sends the user name and the password to the HWTACACS server through the HWTACACS protocol. The HWTACACS server authenticates the user, and then returns the result to the ME60.
RADIUS-local authentication | RADIUS authentication is performed first. If the RADIUS server does not respond after the ME60 retransmits authentication packets a certain number of times, the ME60 performs local authentication.
RADIUS-none authentication | RADIUS authentication is performed first. If the RADIUS server does not respond after the ME60 retransmits authentication packets a certain number of times, the user passes the authentication directly.
HWTACACS-local authentication | HWTACACS authentication is performed first. If the HWTACACS server does not respond during the timeout period, the ME60 performs local authentication.
HWTACACS-none authentication | HWTACACS authentication is performed first. If the HWTACACS server does not respond during the timeout period, the user passes the authentication directly.
Local-RADIUS authentication | Local authentication is performed first. If the user name is not configured on the ME60, the ME60 initiates RADIUS authentication.
Local-HWTACACS authentication | Local authentication is performed first. If the user name is not configured on the ME60, the ME60 initiates HWTACACS authentication.
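The combined modes in Table 2-1 differ in two things: which step makes the decision, and what happens when the remote server stays silent. The Python model below is an added example, not ME60 code; the local account table, the RADIUS retransmission limit (the guide only says "certain times"), and the simulated RADIUS and HWTACACS servers are constructed, and mode names are the Table 2-1 names in lowercase ("radius-local", "local-hwtacacs", and so on).

```python
"""Model of the Table 2-1 authentication modes and their fallback rules.

Added example, not ME60 code. LOCAL_USERS, RADIUS_RETRANSMIT_LIMIT and
the server callables are constructed to show which step decides the
result in each mode.
"""
from typing import Callable, Dict, Optional, Tuple

# Constructed local account table (user name -> password).
LOCAL_USERS: Dict[str, str] = {"alice@huawei": "s3cret"}

# Assumed retransmission limit; the guide only says "certain times".
RADIUS_RETRANSMIT_LIMIT = 3

# A simulated server answers True (accept), False (reject) or None (no response).
Server = Callable[[str, str], Optional[bool]]


def local_auth(user: str, password: str) -> Optional[bool]:
    """Local check. None means the user name is not configured, which is the
    only condition under which a local-first mode moves on to the server."""
    if user not in LOCAL_USERS:
        return None
    return LOCAL_USERS[user] == password


def radius_auth(server: Server, user: str, password: str) -> Optional[bool]:
    """RADIUS: retransmit the request; None once the limit is exhausted."""
    for _ in range(RADIUS_RETRANSMIT_LIMIT):
        result = server(user, password)
        if result is not None:
            return result
    return None


def hwtacacs_auth(server: Server, user: str, password: str) -> Optional[bool]:
    """HWTACACS: one request, judged within the timeout period."""
    return server(user, password)


def authenticate(mode: str, user: str, password: str,
                 radius: Server, hwtacacs: Server) -> Tuple[bool, str]:
    """Return (accepted, deciding_step) for a mode such as "radius-local"."""
    primary, _, fallback = mode.lower().partition("-")
    remote = {"radius": lambda: radius_auth(radius, user, password),
              "hwtacacs": lambda: hwtacacs_auth(hwtacacs, user, password)}

    if primary == "none":
        return True, "none"

    if primary == "local":
        result = local_auth(user, password)
        if result is not None:          # configured locally: local decides
            return result, "local"
        if fallback in remote:          # unknown locally: ask the server
            return bool(remote[fallback]()), fallback
        return False, "local"

    if primary not in remote:
        raise ValueError("unknown authentication mode: " + mode)
    result = remote[primary]()
    if result is not None:              # server answered: server decides
        return result, primary
    if fallback == "local":
        return bool(local_auth(user, password)), "local"
    if fallback == "none":              # fail-open: no verification at all
        return True, "none"
    return False, primary               # no fallback configured: reject
```

Two behaviours of the model are worth noticing when choosing a mode. In the local-first modes a wrong password for a locally configured user is a rejection, not a trigger for the remote server; only an unknown user name moves the decision to the server. In the RADIUS-none and HWTACACS-none modes a silent server admits the user with no check at all, which is why the operational state of the AAA server decides how much assurance those modes actually give.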

2.1.2 Authorization
Authorization specifies the services that a user can use. Authorization can be performed when a user attempts to go online. After the user is authenticated, the ME60 authorizes the user by using the service attributes configured in the user domain or delivered by the AAA server. Authorization can also be performed after a user goes online. The network administrator can modify the service attributes of the user on the RADIUS server and then dynamically modify the services used by the user through a Change of Authorization (CoA) packet. The user stays online during this process. Such authorization is called dynamic authorization. Dynamic authorization is applied to value-added services. For details about value-added services and the CoA packet, see chapter 6 "VAS Configuration." The ME60 supports HWTACACS authorization for the commands run by an online user. If a command is authorized, the user can run the command; otherwise, the HWTACACS server returns an error message to notify the user that command authorization fails and the command cannot be run. This function is called command authorization.

Authorization Mode
The ME60 supports four authorization modes, as described in Table 2-2.


Table 2-2 Authorization modes of the ME60

Authorization Mode | Description
None authorization | The user is trusted by the carrier and is authorized directly by the carrier.
Local authorization | The user is authorized by the ME60 based on the user attributes that are configured on the ME60.
If-authenticated authorization | This authorization mode is adopted for local or remote authentication users, namely, for all users except those using no authentication. After a user passes the authentication, the ME60 authorizes the user and obtains the authorization information from the user domain.
HWTACACS authorization | The user is authorized by the HWTACACS server.

Authorization Service Attributes


The ME60 authorizes users by using the service attributes configured in the user domain or delivered by the AAA server according to the configured authorization modes. For attributes such as the bandwidth attribute and traffic control attribute, the priority of the attribute delivered by the AAA server is higher than the priority of the attribute configured in the domain. When the attribute configured in the domain and the attribute delivered by the AAA server exist at the same time, the ME60 uses the attribute delivered by the AAA server. The attribute configured in the domain takes effect when the AAA server does not support or deliver the service attribute.

2.1.3 Accounting
Accounting Mode
The accounting function records the usage of network resources by users. The ME60 supports three accounting modes, as described in Table 2-3.

Table 2-3 Accounting modes of the ME60

Accounting Mode | Description
None accounting | The ME60 does not perform accounting.
RADIUS accounting | The ME60 sends the accounting packets to the RADIUS server. Then the RADIUS server performs accounting.
HWTACACS accounting | The ME60 sends the accounting packets to the HWTACACS server. Then the HWTACACS server performs accounting.


In the RADIUS and HWTACACS accounting modes, the ME60 generates accounting packets when a user logs in or logs out, and then sends them to the RADIUS or HWTACACS server. The server then performs accounting based on the information in the packets, such as login time, logout time, and traffic volume. The ME60 supports real-time accounting, which means that the ME60 generates accounting packets periodically while a user is online and sends them to the accounting server. Real-time accounting minimizes the period of incorrect accounting when a device or link fault interrupts communication between the ME60 and the server.

Local CDR
If the communication between the ME60 and the accounting server is interrupted, the accounting server cannot receive the stop-accounting packet of the user. As a result, the accounting is abnormal. To solve this problem, you can configure the ME60 to store the Charging Data Records (CDRs) locally. Local CDRs are stored in the cache of the ME60 and you can run the display local-bill cache command to view the local CDRs.
[Quidway] display local-bill cache 0 1
Contents of Bill 1:
--------------------------------------------------------------
Bill-No : 15
Session-Id: ME600600800000020079574f000073
User-name : user@huawei
Start-Time: 2007/02/02 10:10:18
Stop-Time : 2007/02/02 10:17:11
Elapse : 0:06:53
IP-Addr : 192.0.64.253
MAC : 0001-6c8c-907f
IPv6-Addr : ::
Auth-Type : PPP
Access-Type: PPPoE
Port-No : 6/0/8
VLAN : 200
Status : 2(offline)
Code : 1, Ref: 21
Acc Data before Tariff Switch, 1 Priority : 0 :
User-received: Bytes=24480 , Pkts=408
User-sent: Bytes=35088 , Pkts=408
Acc Data after Tariff Switch, 1 Priority : 0 :
User-received: Bytes=24480 , Pkts=408
User-sent: Bytes=35088 , Pkts=408
--------------------------------------------------------------
Total printed 1 bills from cache.

Table 2-4 describes the fields in a CDR.

Table 2-4 Description of fields in a local CDR

Field | Description
Bill-No | Indicates the sequence number of a CDR. The value is an integer of four bytes.
Session-Id | Indicates the ID of an accounting session. The ME60 supports three versions: version 1, version 2, and version 3, in which the length of the session ID is 33 bytes, 16 bytes, and 8 bytes respectively.
User-name | Indicates the user name. The value is a combination of letters and digits and consists of a maximum of 64 characters. The format is user@domain.
Start-Time | Indicates the accounting start time, that is, the time when a user goes online. The value is the number of seconds that have passed since 1970-01-01 0:00.
Stop-Time | Indicates the accounting stop time.
Elapse | Indicates the online duration of the user.
IP-Addr | Indicates the IP address of the user, in dotted decimal notation, for example, 12.1.255.9.
MAC | Indicates the MAC address of the user. The value is a string of hexadecimal numbers in the format of XXXX-XXXX-XXXX.
IPv6-Addr | Indicates the IPv6 address of the user. For the format of the IPv6 address, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.
Auth-Type | Indicates the authentication method for the user.
Access-Type | Indicates the access type of the user.
Port-No | Indicates the number of the physical interface or trunk interface of the ME60 that the user is connected to.
VLAN | Indicates the ID of the VLAN the user connects to. The value ranges from 1 to 4094.
Status | Indicates the type of the CDR. 0 indicates an invalid CDR; 1 indicates a real-time accounting CDR; 2 indicates an offline CDR; 3 indicates an incorrect CDR (with CRC error). The ME60 can locally store only the CDRs generated after the user logs out.
Code | Indicates the external cause of user logout. It is the standard logout cause specified in RFC 2866 for remote accounting. Refer to RFC 2866 for details.
Ref | Indicates the internal cause of user logout. It is a supplement to the external cause and provides a more detailed description of the logout cause. Generally, this field is not required.
Acc Data before Tariff Switch | Indicates the traffic volume before tariff switch, including the upstream traffic volume in bytes and in packets, and the downstream traffic volume in bytes and in packets.
Priority | Indicates the accounting level. The ME60 supports only level 0.
Acc Data after Tariff Switch | Indicates the traffic volume after tariff switch, including the upstream traffic volume in bytes and in packets, and the downstream traffic volume in bytes and in packets.
User-received | Indicates the traffic received by the user, namely, the downstream traffic.
User-sent | Indicates the traffic sent by the user, namely, the upstream traffic.


The local CDRs are stored in a cache, namely the local CDR pool. You can create or delete the CDR pool of the ME60 by running certain commands. If the local CDR pool does not exist, local CDRs cannot be generated. The ME60 can back up the CDRs in the cache. CDRs in the cache can be backed up to the CF card, backed up to the billing server through TFTP, or not backed up. CDRs can be backed up automatically or manually. CDRs on the CF card can be backed up to the billing server. The name of a CDR file backed up to the billing server is as follows: prefix of the file name-time-code number.lam. CDRs are stored in the CDR files in ASCII code. \t is used to separate items, and no other characters are added if the length of an item is shorter than the defined length. Entries in a CDR file are separated by \r\n. When the local CDR pool is deleted, the local CDRs in the pool are also deleted. Therefore, you need to manually back up the local CDRs before deleting the local CDR pool. After the local CDR pool is deleted, the ME60 does not generate any local CDR. When the usage of CDRs in the cache or on the CF card exceeds the alarm threshold, the ME60 sends an alarm to the network management system and terminals.
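A reconciliation script is the usual consumer of these records, and the fields in Table 2-4 give it several checks to apply. The Python parser below is an added example, not ME60 code: it parses the display local-bill cache output shown above (embedded here as a constructed sample copied from that output), maps the Code field through the RFC 2866 Acct-Terminate-Cause values the table refers to, and checks the record for the consistency conditions the table states (Elapse equals Stop-Time minus Start-Time, only offline CDRs in the cache, MAC format, VLAN range). The field names and the line layout of the sample are the assumptions it relies on.

```python
"""Parser and consistency checks for ME60 local CDRs as printed by
display local-bill cache. Added example, not ME60 code; SAMPLE_LOCAL_BILL
is a constructed copy of the output shown in the guide."""
import re
from datetime import datetime
from typing import Dict, List

SAMPLE_LOCAL_BILL = """\
[Quidway] display local-bill cache 0 1
Contents of Bill 1:
--------------------------------------------------------------
Bill-No : 15
Session-Id: ME600600800000020079574f000073
User-name : user@huawei
Start-Time: 2007/02/02 10:10:18
Stop-Time : 2007/02/02 10:17:11
Elapse : 0:06:53
IP-Addr : 192.0.64.253
MAC : 0001-6c8c-907f
IPv6-Addr : ::
Auth-Type : PPP
Access-Type: PPPoE
Port-No : 6/0/8
VLAN : 200
Status : 2(offline)
Code : 1, Ref: 21
Acc Data before Tariff Switch, 1 Priority : 0 :
User-received: Bytes=24480 , Pkts=408
User-sent: Bytes=35088 , Pkts=408
Acc Data after Tariff Switch, 1 Priority : 0 :
User-received: Bytes=24480 , Pkts=408
User-sent: Bytes=35088 , Pkts=408
--------------------------------------------------------------
Total printed 1 bills from cache.
"""

TIME_FMT = "%Y/%m/%d %H:%M:%S"

# Acct-Terminate-Cause values defined in RFC 2866 (the Code field uses them).
RFC2866_TERMINATE_CAUSE = {1: "User Request", 2: "Lost Carrier", 3: "Lost Service",
                           4: "Idle Timeout", 5: "Session Timeout", 6: "Admin Reset"}


def _elapse_seconds(text: str) -> int:
    """Convert the H:MM:SS Elapse value to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_local_bill(output: str) -> Dict:
    """Turn one printed CDR into a dict; counters are nested per tariff section."""
    rec: Dict = {"counters": {}}
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", "Contents", "---", "Total")):
            continue                                 # prompt, banner, rules
        if line.startswith("Acc Data"):              # section header + Priority
            section = "before" if "before" in line else "after"
            m = re.search(r"Priority\s*:\s*(\d+)", line)
            rec["counters"][section] = {"Priority": int(m.group(1)) if m else None}
            continue
        if line.startswith(("User-received", "User-sent")):
            direction, _, rest = line.partition(":")
            rec["counters"][section][direction.strip()] = {
                k: int(v) for k, v in re.findall(r"(Bytes|Pkts)=(\d+)", rest)}
            continue
        if line.startswith("Code"):                  # "Code : 1, Ref: 21"
            m = re.match(r"Code\s*:\s*(\d+),\s*Ref\s*:\s*(\d+)", line)
            rec["Code"], rec["Ref"] = int(m.group(1)), int(m.group(2))
            continue
        key, _, value = line.partition(":")          # generic "Key : value"
        rec[key.strip()] = value.strip()
    rec["Bill-No"], rec["VLAN"] = int(rec["Bill-No"]), int(rec["VLAN"])
    m = re.match(r"(\d+)\((\w+)\)", rec["Status"])   # "2(offline)"
    rec["Status"], rec["Status-Name"] = int(m.group(1)), m.group(2)
    rec["Code-Name"] = RFC2866_TERMINATE_CAUSE.get(rec["Code"], "unknown")
    return rec


def check_local_bill(rec: Dict) -> List[str]:
    """Consistency conditions implied by Table 2-4; empty list means clean."""
    problems = []
    start = datetime.strptime(rec["Start-Time"], TIME_FMT)
    stop = datetime.strptime(rec["Stop-Time"], TIME_FMT)
    if int((stop - start).total_seconds()) != _elapse_seconds(rec["Elapse"]):
        problems.append("Elapse does not match Stop-Time minus Start-Time")
    if rec["Status"] != 2:
        problems.append("only offline (Status 2) CDRs are expected in the local cache")
    if not re.fullmatch(r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}", rec["MAC"]):
        problems.append("MAC is not in XXXX-XXXX-XXXX format")
    if not 1 <= rec["VLAN"] <= 4094:
        problems.append("VLAN out of range 1..4094")
    return problems
```

The before and after tariff-switch counters are kept separately so that a billing check can notice when a tariff switch happened inside the session; in the sample both sections carry identical counters, which is what a session with no tariff switch looks like.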

2.1.4 RADIUS Protocol


The AAA function can be implemented through various protocols, among which the RADIUS protocol is used most widely. The RADIUS protocol is an application layer protocol used between the ME60 and the RADIUS server. The RADIUS protocol specifies the procedure for transmitting the user information and accounting information between the ME60 and the RADIUS server and the format of packets. The RADIUS protocol has the following features:
- It uses UDP as the transport protocol, which provides real-time capability.
- It adopts the retransmission mechanism and the backup server mechanism, which provide high reliability.
- It is easy to implement and is applicable to a multithreaded structure when access traffic on the server is heavy.

RADIUS message flow


The RADIUS protocol is based on the client/server model. Figure 2-1 shows the authentication message flow. The message flows in accounting and authorization are similar.

Figure 2-1 RADIUS Packet flow (figure: the subscriber sends the user name and password to the RADIUS client, which sends a request to the RADIUS server and receives a response)

1. When a user logs in to the ME60, the user sends the user name and password to the ME60.
2. The ME60 functions as the RADIUS client and sends an authentication request to the RADIUS server.
3. After receiving the valid authentication request, the RADIUS server authenticates the user based on the user name and password.
4. After the authentication, the RADIUS server returns the authorization information to the ME60.
NOTE

The authentication information transmitted between the ME60 and the RADIUS server must be encrypted. In this way, the user information can be prevented from being misused on an unsafe network.

Format of the RADIUS packet


Figure 2-2 shows the format of the RADIUS packet.

Figure 2-2 Format of the RADIUS packet (figure: bit positions 0 to 31 across four octets; the first row holds Code, Identifier, and Length, followed by the Authenticator and then the Attribute fields)

The fields of the RADIUS packet are described as follows:


- Code: indicates the type of RADIUS packet, such as access request, access permit, and accounting request.
- Identifier: consists of numerals. The identifiers of the RADIUS packets sent in sequence are in ascending order. The values of the Identifier field in the request message and the response message must be the same.
- Length: indicates the length of the packet, including the Code, Identifier, Length, Authenticator, and Attribute fields.
- Authenticator: is used by the RADIUS server and the RADIUS client to authenticate each other.
- Attribute: indicates the body of the RADIUS packet. This field contains specific authentication, authorization, or configuration information. One or more attributes can be contained in this field, and their sequence is fixed.
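The following Python is an added example, not code from this guide, showing the layout above on the wire: it parses a RADIUS datagram with bounds checks on the Length fields, builds a request and a response, and performs the client-side check behind "authenticate each other" by recomputing the Response Authenticator as MD5 over Code, Identifier, Length, the Request Authenticator, the attributes, and the shared secret (RFC 2865). The shared secret, attribute contents, and the NAS-Port-Id text are constructed values.

```python
import hashlib
import hmac
import struct

# Packet codes named in the text (values from RFC 2865/2866).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response"}

# Code (1 octet), Identifier (1), Length (2), Authenticator (16): a 20-octet header
HEADER = struct.Struct("!BBH16s")


def parse_radius(data):
    """Split a raw RADIUS datagram into its header fields and attribute list.

    attrs is a list of (type, value) tuples in on-the-wire order, which matters
    because the text notes that attribute order is fixed. Every length is checked
    so a malformed packet raises ValueError instead of being misread.
    """
    if len(data) < HEADER.size:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(data, 0)
    if length < HEADER.size or length > len(data) or length > 4096:
        raise ValueError("Length field %d inconsistent with datagram" % length)
    attrs, pos = [], HEADER.size
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        # the attribute Length octet counts Type and Length, so it is never below 2
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, bytes(data[pos + 2:pos + alen])))
        pos += alen
    return {"code": code, "name": CODES.get(code, "Unknown"), "identifier": ident,
            "length": length, "authenticator": auth, "attrs": attrs}


def encode_attrs(attrs):
    return b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attrs)


def build_request(code, ident, request_auth, attrs):
    """Client side: the 16-octet Request Authenticator is a fresh random value."""
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), request_auth) + body


def build_response(code, request, attrs, secret):
    """Server side. The Response Authenticator binds the reply to the request and
    the shared secret: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, request["identifier"], HEADER.size + len(body))
    resp_auth = hashlib.md5(head + request["authenticator"] + body + secret).digest()
    return head + resp_auth + body


def verify_response(response, request, secret):
    """Client side: accept a reply only if its Identifier matches the outstanding
    request and its Authenticator was computed with the shared secret."""
    parsed = parse_radius(response)
    if parsed["identifier"] != request["identifier"]:
        return False
    head, body = response[:4], response[HEADER.size:parsed["length"]]
    expected = hashlib.md5(head + request["authenticator"] + body + secret).digest()
    return hmac.compare_digest(expected, parsed["authenticator"])


def demo():
    """Round trip with constructed values: a genuine Access-Accept verifies; a
    reply built with the wrong secret or for another Identifier does not."""
    secret = b"constructed-shared-secret"      # constructed, not from the guide
    request_auth = bytes(range(16))            # constructed; use os.urandom(16) in practice
    wire = build_request(1, 7, request_auth, [(1, b"user@isp"), (32, b"ME60-BRAS-1"),
                                              (87, b"constructed-port-id")])
    req = parse_radius(wire)
    route = [(22, b"10.0.0.0/8 10.1.1.1 1")]  # Framed-Route(22), constructed value
    accept = build_response(2, req, route, secret)
    wrong_secret = build_response(2, req, route, b"other-secret")
    stale = dict(req, identifier=8)            # reply crafted for a different request
    replayed = build_response(2, stale, [], secret)
    return {"genuine": verify_response(accept, req, secret),
            "wrong_secret": verify_response(wrong_secret, req, secret),
            "replayed": verify_response(replayed, req, secret)}
```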

Disabling RADIUS Attributes


Generally, a RADIUS server interconnects with multiple BRASs of a vendor or different vendors. The BRASs of certain vendors require the RADIUS server to deliver an attribute to support a specific feature, but the BRASs from other vendors do not support the delivered attribute and cannot parse the attribute.

A Huawei BRAS may interconnect with the RADIUS servers of different vendors. Some RADIUS servers require the Huawei BRAS to send certain attributes, but other RADIUS servers cannot process these attributes, and errors may occur. You can disable certain RADIUS attributes on the ME60 so that the ME60 ignores the incompatible attributes when receiving RADIUS packets; this prevents parsing failures caused by incompatible attributes. You can also configure the ME60 to ignore certain attributes when sending RADIUS packets, so that the ME60 does not encapsulate the disabled attributes in the packets it sends. If you do not disable these RADIUS attributes, the ME60 can process only the RADIUS packets containing the attributes listed in Appendix A "RADIUS Attributes."

Translating RADIUS Attributes


RADIUS servers of various vendors support different RADIUS attributes, and the vendors also define RADIUS attributes in different ways. This makes interconnection between the ME60 and RADIUS servers more difficult. The ME60 can translate RADIUS attributes to the specified formats to solve this problem. The RADIUS attribute translation function is described as follows:
- Rationale of RADIUS attribute translation
The ME60 supports attribute translation for both sent and received packets. In a packet to be sent, if attribute A is translated to attribute B, the type of the encapsulated attribute is A, but the content and format of the attribute are the same as those of attribute B. In a received packet, if attribute A is translated to attribute B, the ME60 parses attribute A by considering it as attribute B. That is, the received attribute is attribute B after the attribute translation.
- Rules of RADIUS attribute translation
When configuring the RADIUS attribute translation function, note the following:
  - The source attribute and target attribute must be of the same type. RADIUS attributes are classified into three types: integer, string, and address. The source attribute and target attribute must be of the same type; otherwise, the translation fails.
  - The source attribute and target attribute must be supported in the RADIUS packets. For example, the User-Name (1) attribute is contained only in the authentication request packet, and it is not supported in the authentication accept packet and authentication reject packet. The Framed-Route (22) attribute is contained only in the authentication accept packet, and it is not supported in the authentication request packet. Therefore, the User-Name (1) attribute can be translated only in the authentication request. In the authentication response, the User-Name (1) attribute cannot be translated. Other attributes cannot be translated into the Framed-Route (22) attribute in the authentication request.
NOTE

The following attributes cannot be translated: Password (2), CHAP-Password (3), CHAP-Challenge (60), Tunnel-Type (64), Tunnel-Medium-Type (65), Tunnel-Client-Endpoint (66), Tunnel-Server-Endpoint (67), Tunnel-Password (69), EAP-Message (79), Message-Authenticator (80), Tunnel-Private-Group-id (81), Tunnel-Assignment-id (82), Tunnel-Preference (83).


- Modes of RADIUS attribute translation
RADIUS attribute translation is classified into the following modes:
  - Format translation of the same attribute. This mode is commonly used; the original purpose of RADIUS attribute translation is translating an attribute from one format to another. Format translation ensures that a RADIUS attribute can be translated to the formats specified by different carriers. For example, the NAS-Port-Id attribute has two formats. The ME60 uses the new format and the RADIUS server may use the old format. In this case, you can run the radius-attribute translate nas-port-id nas-port-identify-old receive send command on the ME60.
  - Translation between different attributes. This mode ensures interconnection between devices that support different types of RADIUS attributes. For example, a Huawei device delivers the priority of the administrator through the private attribute Exec-Privilege (26-29), but the device of another vendor delivers the priority of the administrator through the Login-Service (15) attribute. If the two devices use the same RADIUS server, the carrier requires the Huawei device to deliver the priority of the administrator through the Login-Service (15) attribute. In this case, you can configure RADIUS attribute translation: configure the Login-Service (15) attribute as the source attribute and the Exec-Privilege (26-29) attribute as the target attribute. Then, when the ME60 parses the Login-Service attribute in the received authentication response packet, it treats the Login-Service attribute as the Exec-Privilege attribute. In this mode, any attributes that conform to the rules of attribute translation can be translated.

Table 2-5 lists the RADIUS attributes that are usually translated. For details about these attributes, see Appendix A "RADIUS Attributes."
Table 2-5 RADIUS attributes for translation
Source Attribute | Target Attribute
NAS-Port(5) | NAS-Port-New, NAS-Port-Qinq, NAS-Port-Cid
NAS-Port-Id(87) | NAS-Port-Identify-Old, User-Name(1), NAS-Port-Id-Uppercase
NAS-Identifier(32) | User-Name(1), NAS-Identify-Sim
Calling-Station-Id(31) | Calling-Station-Id-Old, NAS-Port-Id(87), NAS-Identifier(32)
Connect-Port(128) | Connect-Port-New


2.1.5 HWTACACS Protocol


The HWTACACS protocol is an enhanced security protocol based on TACACS (RFC 1492). This protocol is similar to the RADIUS protocol. By using the HWTACACS protocol, the ME60 communicates with the HWTACACS server in the client/server model. Compared with the RADIUS protocol, the transmission and encryption features of the HWTACACS protocol are more reliable. Therefore, HWTACACS is more suitable for access control. Table 2-6 shows the differences between the HWTACACS protocol and the RADIUS protocol.
Table 2-6 Differences between the HWTACACS protocol and the RADIUS protocol
HWTACACS | RADIUS
Uses TCP, and thus the data transmission on the network is reliable. | Uses UDP.
Encrypts the entire packet. | Encrypts only the password field.
Separates the authentication from the authorization. | Conducts the authentication and authorization at the same time.
Is applicable to security control. | Is applicable to accounting.
Supports the authorization for the configuration commands of the ME60. | Does not support the authorization for the configuration commands of the ME60.

Because authentication can be separated from authorization, users can be authenticated by the local device and authorized by the HWTACACS server.

2.1.6 ACL Delivered by the RADIUS Server


The RADIUS authentication accept packet and the Change of Authorization (CoA) packet carry Huawei private attribute Hw-Data-Filter (26-82). Based on this attribute, the ME60 can receive the ACL delivered by the RADIUS server. In addition, the ME60 supports dynamic modification of the ACL delivered by the RADIUS server.

Process of Delivering the Static ACL


When a user logs in to the ME60, the RADIUS server can deliver the ACL through the Hw-Data-Filter attribute contained in the RADIUS authentication accept packet. If the user is already online, the RADIUS server can deliver the ACL, or modify the ACL that is already delivered to the ME60, through the Hw-Data-Filter attribute contained in the CoA packet. The RADIUS server delivers the ACL or modifies the ACL delivered to the ME60 through the following process:
1. The user initiates an access request to the ME60 through PPP dial-up, IP packets, or DHCP packets.

2. The ME60 responds to the access request and obtains the user name and password by interacting with the user.
3. The ME60 functions as the RADIUS client and sends an authentication request to the RADIUS server.
4. After receiving the valid authentication request, the RADIUS server authenticates the user based on the user name and password.
5. After the user passes the authentication, the RADIUS server sends the authorization information of the user to the ME60 through the authentication response packet. The authentication response packet contains the Hw-Data-Filter attribute.
6. The ME60 parses the Hw-Data-Filter attribute in the authentication response packet, and then binds the classifier and behavior defined by the Hw-Data-Filter attribute to the remote traffic policy named _remote-server-defined-policy. The remote traffic policy is generated by the system automatically when the system starts.
7. When the user connects to the Internet or other network resources, the ME60 controls the activities of the user based on the traffic policy.
8. While the user is online, the network administrator changes the traffic classifier and behavior on the RADIUS server. The RADIUS server then delivers the new policy through the CoA packet.
9. When receiving the CoA packet from the RADIUS server, the ME60 parses the Hw-Data-Filter attribute in the CoA packet, and then binds the classifier and behavior defined in this attribute to _remote-server-defined-policy or modifies the classifier and behavior in _remote-server-defined-policy. When the user connects to the Internet or other network resources, the ME60 controls the activities of the user based on the traffic policy.

Hw-Data-Filter Attribute
The Hw-Data-Filter attribute is denoted by a series of character strings. In a character string, fields are separated by semicolons. These character strings are classified into the following types:
- Classifier string
The format of a classifier string delivered by the RADIUS server is as follows:
Hw-Data-Filter = "type;classifier-name;behavior-name;protocol;srctype;source={source-ip-addr;source-ip-mask;source-port-list | user-group};dsttype;dest={dest-ip-addr;dest-ip-mask;dest-port-list | user-group};dscp;fragment;syn-flag;precedence;"
The format of the port-list field is [min_port_number-max_port_number]. Table 2-7 shows the meaning of these fields. The classifier to be delivered by the RADIUS server must be configured in the preceding format on the remote RADIUS server. When configuring the classifier, note the following points:
  - The type, classifier-name, and behavior-name fields are mandatory. Other fields are optional.
  - When the RADIUS server delivers an ACL for users other than layer-3 leased-line users, either the source or the dest field of each rule in the classifier string must specify a user group. In addition, the specified user group must be delivered through the Filter-ID attribute or configured in the authentication domain. Otherwise, the ACL delivered by the RADIUS server does not take effect.
  - This field must be delivered with the Hw-Data-Filter attribute and follow the classifier string.

Table 2-7 Description of fields in the classifier string delivered by the RADIUS server
Field | Description
type | Indicates the type of the attribute string. For the classifier string, the value is 1.
classifier-name | Indicates the name of the classifier. The value is a string of 1 to 31 characters. If multiple Hw-Data-Filter attributes are delivered and the attributes contain the same classifier name and behavior name, multiple ACL rules are added to one classifier.
behavior-name | Indicates the name of the behavior. The value is a string of 1 to 31 characters. The classifier string contains only the behavior name. The behavior mapping this behavior name is contained in the behavior string.
protocol | Indicates the protocol number in the ACL rule. The value is an integer ranging from 0 to 255. If the value of the field is null or 0, any protocol that runs over IP can be used.
srctype | Indicates the type of the subsequent field. The value is an integer. When the value is 1, the subsequent field is user-group. When the value is 2, the subsequent fields are source-ip-addr + source-ip-mask + source-port-list.
source-ip-addr | Indicates the source IP address in the ACL rule. The value is in dotted decimal notation.
source-ip-mask | Indicates the mask of the source IP address in the ACL rule. The value is in dotted decimal notation. The value cannot be a wildcard mask.
user-group (source) | Indicates the source user group in the ACL rule. The value is a string of 1 to 32 characters.
source-port-list | Indicates the source port number in the ACL rule. The format is [min-max], where min and max are integers ranging from 1 to 65535 and indicate the minimum and maximum port numbers. The port number is valid only if the value of the protocol field is 6 (indicating TCP) or 17 (indicating UDP). In other cases, the port number is invalid.
dsttype | Indicates the type of the subsequent field. The value is an integer. When the value is 1, the subsequent field is user-group. When the value is 2, the subsequent fields are dest-ip-addr + dest-ip-mask + dest-port-list.
dest-ip-addr | Indicates the destination IP address in the ACL rule. The value is in dotted decimal notation.
dest-ip-mask | Indicates the mask of the destination IP address in the ACL rule. The value is in dotted decimal notation. The value cannot be a wildcard mask.
user-group (dest) | Indicates the destination user group in the ACL rule. The value is a string of 1 to 32 characters.


dest-port-list | Indicates the destination port number in the ACL rule. The format is [min-max], where min and max are integers ranging from 1 to 65535 and indicate the minimum and maximum port numbers. The port number is valid only if the value of the protocol field is 6 (indicating TCP) or 17 (indicating UDP). In other cases, the port number is invalid.
dscp | Indicates the DSCP value in the ACL rule. The value is an integer ranging from 0 to 63.
fragment | Indicates the packet fragmentation type in the ACL rule. The value is an integer ranging from 1 to 5: 1 = non-fragment, 2 = non-subseq, 3 = fragment-subseq, 4 = fragment, 5 = fragment-spe-first.
syn-flag | Indicates the synchronization flag in the ACL rule. The value is an integer ranging from 0 to 63. The synchronization flag is valid only if the value of the protocol field is 6 (indicating TCP). In other cases, the synchronization flag is invalid.
precedence | Indicates the precedence in the ACL rule. The value is an integer ranging from 0 to 7. The mapping between the precedence and the parameters in a rule is as follows: 0 = routine, 1 = priority, 2 = immediate, 3 = flash, 4 = flash-override, 5 = critical, 6 = internet, 7 = network.

- Behavior string
The format of a behavior string delivered by the RADIUS server is as follows:
Hw-Data-Filter = "type;behavior-name;action;remarkdscp;remark802.1p;RedirectNexthop;traffic-statistic;traffic-statistic-summary;cir;cbs;pir;pbs;car-summary;hitcount;"
Table 2-8 shows the meaning of these fields. The behavior to be delivered by the RADIUS server must be configured in the preceding format on the remote RADIUS server. When configuring the behavior, note the following points:


  - The type and behavior-name fields are mandatory. Other fields are optional. If no behavior is delivered, the default behavior (permit) is adopted.
  - Each classifier maps a behavior name. A classifier can contain multiple rules. Behaviors with the same name can have the same contents, but a behavior name cannot map multiple classifiers.

Table 2-8 Description of fields in the behavior string delivered by the RADIUS server
Field | Description
type | Indicates the type of the attribute string. For the behavior string, the value is 2.
behavior-name | Indicates the name of the behavior. The value is a string of 1 to 31 characters.
action | Indicates the behavior used. The value 0 indicates the deny behavior, and the value 1 indicates the permit behavior. If this field is not delivered, the permit behavior is adopted.
remarkdscp | Indicates the parameter for re-marking the DSCP value. The value is an integer ranging from 0 to 63. If this field is empty, the parameter for re-marking the DSCP value is not delivered.
remark802.1p | Indicates the parameter for re-marking the 802.1p value. The value is an integer ranging from 0 to 7. If this field is empty, the parameter for re-marking the 802.1p value is not delivered.
RedirectNexthop | Indicates the next hop to which the user packet is redirected. The value is in dotted decimal notation.
traffic-statistic | Indicates whether to enable traffic statistics. If the value is 0, the traffic statistics function is disabled. If the value is 1, the traffic statistics function is enabled. If this field is empty, this field is not delivered.
traffic-statistic-summary | Indicates whether to collect the statistics of the specified traffic. If the value is 0, the traffic defined by the classifier mapping the behavior is not counted as user traffic. If the value is 1, the traffic defined by the classifier mapping the behavior is counted as user traffic. If this field is empty, the traffic-statistic-summary attribute is not delivered.
cir | Indicates the CIR value. The value is an integer ranging from 8 to 10000000. If this field is empty, the CIR value is not delivered.
cbs | Indicates the CBS value. The value is an integer ranging from 10000 to 4294967295. If this field is empty, the CBS value is not delivered.
pir | Indicates the PIR value. The value is an integer ranging from 8 to 10000000. If this field is empty, the PIR value is not delivered.


pbs | Indicates the PBS value. The value is an integer ranging from 1 to 4294967295. If this field is empty, the PBS value is not delivered.
car-summary | Indicates the traffic control mode. If the value is 0, the traffic defined by the classifier mapping the behavior is controlled separately based on the CAR parameters. If the value is 1, the traffic defined by the classifier mapping the behavior is controlled together with other types of traffic according to the CAR. If this field is empty, the car-summary attribute is not delivered.
hitcount | Indicates the hitcount attribute of the behavior. If the value is 0, the system does not count the number of times the ACL is hit. If the value is 1, the system counts the number of times the ACL is hit.

A RADIUS authentication accept packet or CoA packet can contain multiple Hw-Data-Filter attributes. If multiple Hw-Data-Filter attributes have the same classifier name and behavior name, these ACL rules are added to one classifier. Up to 16 classifiers can be delivered to the ME60, and each classifier can have up to 32 rules. The total number of rules cannot exceed 128. The relation between the rules in the same classifier is logical OR. When the RADIUS server delivers ACLs, a RADIUS packet contains at most 4096 characters. The total number of ACL rules delivered by the RADIUS server, the global ACL rules, and the lawful interception ACL rules cannot exceed 4096. When the number of ACL rules delivered by the RADIUS server exceeds 4096, the user can go online, but the ACL rules do not take effect. If other users go offline, space in the rule table is freed so that the ACL rules delivered by the RADIUS server take effect. When you configure the RADIUS server to deliver ACLs, note the following:
- The system automatically generates a remote traffic policy named _remote-server-defined-policy. The classifier and behavior delivered through the Hw-Data-Filter attribute are bound to this traffic policy. When the first classifier and behavior are delivered to the local end and are bound to the remote traffic policy, the global ACL is enabled automatically.
- If multiple classifier names and behavior names are delivered, the last classifier name and behavior name delivered take effect.
- Even though optional fields in the classifier string and behavior string delivered by the RADIUS server are null, they must be separated by semicolons. Two semicolons identify a field.
- When the format of the Hw-Data-Filter attribute delivered by the RADIUS server is incorrect or the ACL content is incorrect, the user cannot go online. The user can still go online when the system cannot detect the ACL type.
- If a user group is specified in the ACL rule delivered by the RADIUS server, the specified user group must be delivered through the Filter-ID attribute or configured in the user authentication domain. Otherwise, the ACL delivered by the RADIUS server does not take effect.
- If the classifier and behavior are not configured on the local end, the classifier or behavior delivered by the RADIUS server in a RADIUS authentication accept packet or a CoA packet cannot be a null string; otherwise, the user cannot go online and the RADIUS server fails to deliver the ACL.
- The classifier or behavior delivered by the RADIUS server cannot be modified or deleted on the local end.
- The local classifier and behavior can be bound to _remote-server-defined-policy on the ME60 when the names of the local classifier and behavior are delivered from the RADIUS server in a RADIUS authentication accept packet or a CoA packet and the delivered classifier and behavior strings are null strings.
NOTE

- The format of a null classifier string is type;classifier-name;behavior-name;;;;;;;;;;;;;;. The format of a null behavior string is type;behavior-name;;;;;;;;;;;;;.
- For details about the ACL, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.
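As an added example that is not part of this guide, the following Python parses and validates both the classifier string and the behavior string defined above, applying the field ranges from Tables 2-7 and 2-8, the null-string formats in the note, and the grouping rules (same classifier name and behavior name = one classifier, logical OR; 16 classifiers, 32 rules each, 128 in total). The sample strings are constructed, and the function names are assumptions rather than ME60 names.

```python
import ipaddress
import re

FRAGMENT = {1: "non-fragment", 2: "non-subseq", 3: "fragment-subseq",
            4: "fragment", 5: "fragment-spe-first"}
PRECEDENCE = ("routine", "priority", "immediate", "flash",
              "flash-override", "critical", "internet", "network")


class FilterError(ValueError):
    """Raised for a string the text says the ME60 rejects (the user stays offline)."""


def _int(name, raw, lo, hi):
    """Optional integer field: an empty field means 'not delivered' and yields None."""
    if raw == "":
        return None
    if not raw.isdigit() or not lo <= int(raw) <= hi:
        raise FilterError("%s=%r is not an integer in %d..%d" % (name, raw, lo, hi))
    return int(raw)


def _endpoint(fields, i, side):
    """Consume srctype/dsttype and the sub-fields it selects: 1 -> one user-group
    field; 2 (or empty, as in a null string) -> addr;mask;port-list."""
    if _int(side + "type", fields[i], 1, 2) == 1:
        group = fields[i + 1]
        if not 1 <= len(group) <= 32:
            raise FilterError("%s user-group must be 1..32 characters" % side)
        return {"user_group": group}, i + 2
    addr, mask, ports = fields[i + 1:i + 4]
    endpoint = {}
    if addr or mask:
        endpoint["addr"] = str(ipaddress.IPv4Address(addr))
        inverse = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
        if inverse & (inverse + 1):   # a subnet mask is contiguous ones; a wildcard is not
            raise FilterError("%s mask %s is not a dotted-decimal subnet mask" % (side, mask))
        endpoint["mask"] = mask
    if ports:
        m = re.fullmatch(r"\[(\d+)-(\d+)\]", ports)
        if not m or not 1 <= int(m.group(1)) <= int(m.group(2)) <= 65535:
            raise FilterError("%s port list %r must be [min-max] in 1..65535" % (side, ports))
        endpoint["ports"] = (int(m.group(1)), int(m.group(2)))
    return endpoint, i + 4


def parse_hw_data_filter(value):
    """Parse one Hw-Data-Filter string: type 1 is a classifier, type 2 a behavior."""
    f = value.split(";")
    if len(f) < 2 or f.pop() != "":
        raise FilterError("every field, including an empty one, ends with ';'")
    if f[0] == "1":
        if len(f) < 12 or not all(1 <= len(s) <= 31 for s in f[1:3]):
            raise FilterError("classifier needs >= 12 fields and 1..31 character names")
        proto = _int("protocol", f[3], 0, 255) or 0      # empty or 0: any IP protocol
        src, i = _endpoint(f, 4, "src")
        dst, i = _endpoint(f, i, "dst")
        if len(f) != i + 4:
            raise FilterError("classifier has %d fields, expected %d" % (len(f), i + 4))
        dscp, frag, syn, prec = f[i:i + 4]
        if proto not in (6, 17) and ("ports" in src or "ports" in dst):
            raise FilterError("port list needs protocol 6 (TCP) or 17 (UDP), got %d" % proto)
        return {"classifier": f[1], "behavior": f[2], "protocol": proto,
                "source": src, "dest": dst, "dscp": _int("dscp", dscp, 0, 63),
                "fragment": FRAGMENT.get(_int("fragment", frag, 1, 5)),
                "syn_flag": _int("syn-flag", syn, 0, 63),
                "precedence": None if prec == "" else PRECEDENCE[_int("precedence", prec, 0, 7)]}
    if f[0] == "2":
        if len(f) != 14 or not 1 <= len(f[1]) <= 31:
            raise FilterError("behavior needs exactly 14 fields and a 1..31 character name")
        return {"behavior": f[1],
                "action": "deny" if _int("action", f[2], 0, 1) == 0 else "permit",
                "remark_dscp": _int("remarkdscp", f[3], 0, 63),
                "remark_8021p": _int("remark802.1p", f[4], 0, 7),
                "redirect_nexthop": str(ipaddress.IPv4Address(f[5])) if f[5] else None,
                "traffic_statistic": _int("traffic-statistic", f[6], 0, 1),
                "traffic_statistic_summary": _int("traffic-statistic-summary", f[7], 0, 1),
                "cir": _int("cir", f[8], 8, 10000000), "cbs": _int("cbs", f[9], 10000, 4294967295),
                "pir": _int("pir", f[10], 8, 10000000), "pbs": _int("pbs", f[11], 1, 4294967295),
                "car_summary": _int("car-summary", f[12], 0, 1),
                "hitcount": _int("hitcount", f[13], 0, 1)}
    raise FilterError("unknown attribute string type %r" % f[0])


def build_policy(attributes):
    """Group the strings of one Access-Accept or CoA as the text describes for
    _remote-server-defined-policy: rules sharing classifier and behavior names join
    one classifier (logical OR); a classifier without a behavior string is permit."""
    classifiers, behaviors = {}, {}
    for item in map(parse_hw_data_filter, attributes):
        if "classifier" in item:
            classifiers.setdefault((item["classifier"], item["behavior"]), []).append(item)
        else:
            behaviors[item["behavior"]] = item
    counts = [len(rules) for rules in classifiers.values()]
    if len(counts) > 16 or max(counts, default=0) > 32 or sum(counts) > 128:
        raise FilterError("limits: 16 classifiers, 32 rules each, 128 rules in total")
    return {name: {"rules": rules,
                   "behavior": behaviors.get(bname, {"behavior": bname, "action": "permit"})}
            for (name, bname), rules in classifiers.items()}
```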

2.1.7 References
For more information about the AAA, refer to the relevant documents.
- RFC 2865: Remote Authentication Dial In User Service (RADIUS) (June 2000)
- RFC 2866: RADIUS Accounting (June 2000)
- RFC 2869: RADIUS Extensions (June 2000)
- RFC 1492: An Access Control Protocol, Sometimes Called TACACS (July 1993)

2.2 Configuring AAA Schemes


This section describes the procedure for configuring AAA schemes.
2.2.1 Establishing the Configuration Task
2.2.2 Configuring an Authentication Scheme
2.2.3 Configuring an Accounting Scheme
2.2.4 (Optional) Configuring an Authorization Scheme
2.2.5 (Optional) Configuring a Recording Scheme
2.2.6 Checking the Configuration

2.2.1 Establishing the Configuration Task


Applicable Environment
The AAA scheme of the ME60 consists of the authentication scheme, the authorization scheme, the accounting scheme, and the recording scheme. The ME60 chooses the authentication, authorization, accounting, and recording modes (local processing, remote processing, or no processing) and relevant parameters for users according to the AAA scheme.

After an AAA scheme is configured, you can apply this AAA scheme (excluding the recording scheme) to a domain. The ME60 then uses the scheme to perform authentication, authorization, and accounting for users in the domain. You can configure different recording schemes for different transactions in the AAA view.

Pre-configuration Tasks
Before configuring the AAA scheme, complete the following tasks:
- Configuring the RADIUS server, if RADIUS authentication and RADIUS accounting are adopted
- Configuring the HWTACACS server, if HWTACACS authentication, authorization, accounting, and recording are adopted

Data Preparation
To configure the AAA scheme, you need the following data.
No. | Data
1 | Authentication scheme name, authentication mode, and policy for handling the authentication failure
2 | Accounting scheme name, accounting mode, and interval of real-time accounting
3 | (Optional) Policy for handling the start-accounting failure and policy for handling the real-time accounting failure
4 | (Optional) Authorization scheme name and authorization mode
5 | (Optional) Recording scheme name and HWTACACS server template name

2.2.2 Configuring an Authentication Scheme


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
authentication-scheme scheme-name


An authentication scheme is created.
Step 4 Run:
authentication-mode { hwtacacs | hwtacacs-local | hwtacacs-none | local | local-hwtacacs | local-radius | none | radius | radius-local | radius-none }

The authentication mode is configured. The ME60 supports RADIUS authentication, HWTACACS authentication, local authentication, and none authentication. In addition, the ME60 supports secondary authentication. That is, if no response is returned for the first authentication (the remote server does not respond or the user is not configured locally), the ME60 uses another authentication mode. The authentication schemes default0 and default1 are set by default in the ME60. They can be modified but cannot be deleted. By default, the authentication mode of default0 is none authentication; the authentication mode of default1 is RADIUS authentication; the authentication mode of the customized authentication scheme is RADIUS authentication. Step 5 (Optional) Run:
authening authen-fail { offline | online authen-domain domain-name }

The policy for handling the authentication failure is configured. This policy is the one the ME60 applies after the user fails to pass the authentication. By default, if the authentication fails, the ME60 forces the user to log out. If you enable the secondary authentication function for the user (for example, web authentication is used after the PPP authentication fails), the ME60 keeps the user online when the first authentication fails. In this case, the user is added to a default domain (default0 by default). Step 6 (Optional) Run:
authentication-super { [ hwtacacs | super ] * | none } *

The method of changing the administrative level of an operator is configured. If users want to change their administrative level online, for example, a telnet user at level 2 wants to change the administrative level to 3, they must pass the authentication. The ME60 supports none authentication, HWTACACS authentication, and super authentication for changing the administrative level of an operator. The ME60 also supports secondary authentication here: if the super password is not configured for super authentication, or the HWTACACS server does not respond in HWTACACS authentication, another authentication scheme is adopted according to the configuration. Step 7 (Optional) Run:
authening authen-redirect online authen-domain domain-name

The redirection domain is configured. When a user fails to pass the authentication on the RADIUS server because of incorrect user information, such as the user name, password, domain name, or bound port, the RADIUS server notifies the ME60 that the user passes the authentication. In this case, the ME60 redirects the user to a specified domain, called the redirection domain. After you configure the redirection domain, the users that pass the authentication and the users that actually fail to pass the authentication go online from different domains. By configuring the private IP address pool, UCL-based access control, and security zone in the redirection domain, you can differentiate the functions of address allocation (private addresses

and public addresses), access control, and NAT for different user domains. In this way, users in different domains are separated by differentiated configuration. This solution saves public IP addresses and prevents unauthorized users from occupying many IP addresses. ----End

2.2.3 Configuring an Accounting Scheme


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
accounting-scheme scheme-name

An accounting scheme is created.
Step 4 Run:
accounting-mode { hwtacacs | none | radius }

The accounting mode is configured. The ME60 supports RADIUS accounting, HWTACACS accounting, and none accounting. The accounting schemes default0 and default1 are set by default in the ME60. They can be modified but cannot be deleted. By default, the accounting mode of default0 is none accounting; the accounting mode of default1 is RADIUS accounting; the default accounting mode of a customized accounting scheme is RADIUS accounting. Step 5 (Optional) Run:
accounting interim interval interval [ second ]

Real-time accounting is configured. Real-time accounting means that the ME60 generates accounting packets periodically while a user is online and sends the packets to the remote server. Through real-time accounting, the duration of abnormal accounting can be minimized when the communication between the ME60 and the remote server is interrupted. The interval of real-time accounting can be measured in minutes or seconds. By default, the unit of the interval is the minute. Step 6 (Optional) Run:
accounting start-fail { offline | online }


The policy for handling the start-accounting failure is configured. If the ME60 does not receive the response after sending the accounting-start packet to the remote accounting server, the ME60 adopts the policy for accounting-start failure. This policy may keep the user online or log the user out. By default, the ME60 logs the user out when start-accounting fails. Step 7 (Optional) Run:
accounting interim-fail { max-times times { offline | online } | online } offline |

The policy for handling the real-time accounting failure is configured. If the ME60 does not receive the response after re-sending the real-time accounting packets to the remote accounting server for the certain times, the ME60 adopts the policy for real-time accounting failure. This policy may keep the user online or log the user out. By default, the retransmission count for the real-time accounting packets is 3. When the realtime accounting fails, the ME60 keeps the user online. Step 8 (Optional) Run:
accounting send-update

The ME60 is configured to send the interim packet immediately after receiving the accounting start response. After receiving the accounting response, the ME60 determines whether to send the real-time accounting packet immediately according to the configuration. By default, the ME600 does not send the real-time accounting packet immediately after receiving the accounting response. ----End
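The following added example (not Huawei's code) models how the policies in this section interact when the remote accounting server stops answering: the start-fail policy, the interim-fail max-times policy, and send-update. Packet flow is simulated in memory; the interval value and server behaviour are constructed for illustration.

```python
"""Added example (not Huawei's code): a small model of how an ME60 accounting
scheme reacts when the remote accounting server stops answering, following the
policies of section 2.2.3 (accounting start-fail, accounting interim-fail
max-times, accounting send-update). Packet flow is simulated; nothing is sent."""
from dataclasses import dataclass, field


@dataclass
class AccountingScheme:
    """Mirrors the CLI knobs; defaults follow the defaults the section states."""
    start_fail_policy: str = "offline"   # accounting start-fail { offline | online }
    interim_fail_max_times: int = 3      # accounting interim-fail max-times times
    interim_fail_policy: str = "online"  # accounting interim-fail ... { offline | online }
    send_update: bool = False            # accounting send-update


@dataclass
class AccountingSession:
    scheme: AccountingScheme
    online: bool = False
    unanswered_interims: int = 0         # consecutive real-time packets without a response
    sent: list = field(default_factory=list)  # accounting packets the NAS emitted, in order

    def start(self, server_answers: bool) -> bool:
        """Send Accounting-Start. Without a response, the start-fail policy decides
        whether the user stays online (simplification: start retransmission not modelled)."""
        self.sent.append("Accounting-Start")
        if server_answers:
            self.online = True
            if self.scheme.send_update:
                # accounting send-update: interim packet right after the start response
                self.sent.append("Interim-Update")
        else:
            self.online = self.scheme.start_fail_policy == "online"
        return self.online

    def interim(self, server_answers: bool) -> bool:
        """One real-time accounting packet at the configured interval. Once max-times
        consecutive packets go unanswered, the interim-fail policy is applied."""
        if not self.online:
            return False
        self.sent.append("Interim-Update")
        if server_answers:
            self.unanswered_interims = 0
            return True
        self.unanswered_interims += 1
        if (self.unanswered_interims >= self.scheme.interim_fail_max_times
                and self.scheme.interim_fail_policy == "offline"):
            self.online = False                 # user is logged out
            self.sent.append("Accounting-Stop")
        return self.online


def run_scenario(scheme: AccountingScheme, start_answered: bool,
                 interim_answers: list) -> AccountingSession:
    """Drive one session through a start and a series of interim packets."""
    session = AccountingSession(scheme)
    session.start(start_answered)
    for answered in interim_answers:
        session.interim(answered)
    return session


if __name__ == "__main__":
    # Constructed scenario: default scheme, server answers the start, then goes silent.
    s = run_scenario(AccountingScheme(), True, [True, False, False, False, False])
    print("default scheme, server silent: online =", s.online)        # True
    strict = AccountingScheme(interim_fail_policy="offline")
    s = run_scenario(strict, True, [True, False, False, False])
    print("interim-fail max-times 3 offline: online =", s.online, s.sent[-1])
```

With the defaults a silent accounting server never disconnects anyone (accounting data is lost, users stay up), whereas the offline policy logs the user out after the third unanswered interim packet.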

2.2.4 (Optional) Configuring an Authorization Scheme


Context
RADIUS authentication is bound to RADIUS authorization; therefore, when a user is authorized by the RADIUS server, no authorization scheme needs to be configured. HWTACACS authentication is separate from HWTACACS authorization; therefore, when a user is authorized by the HWTACACS server, an authorization scheme must be bound to the user domain.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
authorization-scheme scheme-name

An authorization scheme is created.
Step 4 Run:
authorization-mode { hwtacacs [ if-authenticated | local | none ] | if-authenticated | local | none }

The authorization mode is configured. The ME60 supports HWTACACS authorization, if-authenticated authorization, local authorization, and direct authorization. In if-authenticated authorization, if the user passes authentication and the authentication mode is not none, the ME60 authorizes the user; otherwise, the authorization fails. If the HWTACACS authorization mode is used, you can select another authorization mode as the secondary mode; if the HWTACACS server does not respond, the ME60 uses the secondary mode. No default authorization scheme is set on the ME60.
Step 5 (Optional) Run:
authorization-cmd { admin-level hwtacacs [ local ] | no-response-policy { offline [ max-times max-times ] | online } }

HWTACACS authorization for commands is configured. If command line authorization is required after a user logs in to the router through Telnet or SSH, you can set the command authorization method to HWTACACS authorization. After the configuration, every command entered by this user must be authorized by the HWTACACS server. If the authorization succeeds, the user can run the command. Otherwise, the HWTACACS server displays a message to notify the user of the authorization failure, and the user cannot run the command. If the router does not receive the authorization result from the HWTACACS server within the configured timeout duration, the authorization times out and the command cannot be run.
Local authorization can be used as an alternative method of authorizing command lines. If command authorization fails because the HWTACACS server is faulty, the commands can be authorized locally. A user can be authorized to use a set of self-defined commands.
You can also configure the policy for treating online users when command authorization fails because the HWTACACS server does not respond or no users are configured on the ME60. When authorization fails, you can choose to keep the users online, or to force the users to log out when the number of authorization failures reaches the threshold.

NOTE

The policy for treating online users applies only if command authorization fails because the HWTACACS server does not respond or no users are configured on the ME60. The following cases do not trigger this policy:
- The HWTACACS server runs normally, but the commands entered by a user do not pass authorization on the server.
- The HWTACACS server does not respond and local authorization is used, but the command has a level higher than the level configured on the ME60, and thus the authorization fails.

----End

2.2.5 (Optional) Configuring a Recording Scheme


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
recording-scheme scheme-name

A recording scheme is created. The default authorization scheme is not configured on the ME60.
Step 4 Run:
recording-mode hwtacacs template-name

The recording mode is configured.
Step 5 Run:
quit

The AAA view is displayed.
Step 6 Run:
system recording-scheme scheme-name

The scheme for recording system events is configured. A system event refers to an event that influences the entire system, such as a system reset.
Step 7 Run:
outbound recording-scheme scheme-name

The scheme for recording outbound operations is configured. An outbound operation refers to an operation performed by the ME60 on other equipment when the ME60 functions as a Telnet client.
Step 8 Run:
cmd recording-scheme scheme-name

The scheme for recording command line operations is configured. A command line operation refers to an operation performed by a user on the ME60.

----End

2.2.6 Checking the Configuration


Run the following commands to check the previous configuration.

Action: Check the configuration of the authentication scheme.
Command: display authentication-scheme [ scheme-name ]

Action: Check the configuration of the accounting scheme.
Command: display accounting-scheme [ scheme-name ]

Action: Check the configuration of the authorization scheme.
Command: display authorization-scheme [ scheme-name ]

Action: Check the configuration of the recording scheme.
Command: display recording-scheme [ scheme-name ]

2.3 Configuring the RADIUS Server


This section describes the procedure for configuring the RADIUS server.
2.3.1 Establishing the Configuration Task
2.3.2 Creating a RADIUS Server Group
2.3.3 Configuring the RADIUS Authentication and Accounting Servers
2.3.4 (Optional) Configuring the Algorithm for Selecting the RADIUS Server
2.3.5 (Optional) Configuring the Negotiated Parameters of the RADIUS Server
2.3.6 (Optional) Disabling RADIUS Attributes
2.3.7 (Optional) Configuring RADIUS Attribute Translation
2.3.8 (Optional) Configuring the Tunnel Password Delivery Mode
2.3.9 (Optional) Configuring the Class Attribute to Carry the CAR Value
2.3.10 (Optional) Configuring the Format of the NAS-Port Attribute
2.3.11 (Optional) Configuring the Source Interface of the RADIUS Server Group
2.3.12 (Optional) Configuring the RADIUS Authorization Server
2.3.13 (Optional) Configuring the Status Parameters of the RADIUS Server
2.3.14 (Optional) Configuring the Extended Source Ports of RADIUS
2.3.15 Checking the Configuration

2.3.1 Establishing the Configuration Task


Applicable Environment
When the RADIUS protocol is used, you need to configure the RADIUS server. A RADIUS server group is a set of RADIUS servers that have the same attributes (excluding the IP addresses and port numbers) and function in active/standby or load balancing mode.

Pre-configuration Tasks
None.

Data Preparation
To configure the RADIUS server, you need the following data.

No. Data
1 Name of the RADIUS server group
2 (Optional) Algorithm of the RADIUS server
3 IP address and port number of the RADIUS authentication server
4 IP address and port number of the RADIUS accounting server
5 (Optional) Protocol version of the RADIUS server
6 (Optional) Cipher key of the RADIUS server
7 (Optional) User name format adopted by the RADIUS server
8 (Optional) Traffic unit of the RADIUS server
9 (Optional) Response timeout time of the RADIUS server and retransmission count of the RADIUS packets
10 (Optional) RADIUS attributes that need to be disabled
11 (Optional) Source RADIUS attributes, target RADIUS attributes in translation, and option of enabling the RADIUS attribute translation function
12 (Optional) Option of carrying the CAR value in the Class attribute of the RADIUS packets
13 (Optional) IP address of the RADIUS authorization server, VPN instance, shared key, RADIUS server group to which the RADIUS authorization server belongs, and duration of retaining the authorization response
14 (Optional) Number of response failure events used to determine whether the RADIUS server is abnormal, and the duration before the RADIUS server is restored to the Up state
15 (Optional) Number of extended source ports of the RADIUS server and start source port number

2.3.2 Creating a RADIUS Server Group


Context
The ME60 supports up to 1024 RADIUS server groups.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
radius-server group group-name

A RADIUS server group is created. After a RADIUS server group is created, the system displays the RADIUS view. If the RADIUS server group already exists, you enter the RADIUS view directly.

----End

2.3.3 Configuring the RADIUS Authentication and Accounting Servers


Context
When configuring the RADIUS server, you need to set the following parameters:
- IP addresses of the authentication and accounting servers
- VPN instance of the authentication or accounting server (the default is the public VPN instance)
- Port numbers of the authentication server and accounting server (1812 and 1813 by default)
- Weights of the authentication server and accounting server (applicable only to the load-sharing mode; the default value is 0)

NOTE

The RADIUS servers can use the same IP address. That is, one RADIUS server can function as both an authentication server and an accounting server.

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
radius-server group group-name

The RADIUS view is displayed.
Step 3 Run:
radius-server authentication { ip-address [ vpn-instance instance-name ] | ipv6-address } port [ weight weight-value ]

The RADIUS authentication server is configured.
Step 4 Run:
radius-server accounting { ip-address [ vpn-instance instance-name ] | ipv6-address } port [ weight weight-value ]

The RADIUS accounting server is configured.
Step 5 (Optional) Run:
radius-server accounting-stop-packet resend [ resend-times ]

The number of times the accounting-stop packet is retransmitted is configured. By default, the accounting-stop packet is retransmitted 0 times.

----End

2.3.4 (Optional) Configuring the Algorithm for Selecting the RADIUS Server
Context
When multiple authentication or accounting servers are configured in a RADIUS server group, you can configure the algorithm for selecting the RADIUS servers. The algorithms for selecting the RADIUS server are load balancing and primary/secondary.
- Load balancing: The ME60 allocates the load based on the weights of the servers.
- Primary/Secondary: The first configured server functions as the primary server, and the others act as secondary servers.

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
radius-server group group-name

The RADIUS view is displayed.
Step 3 Run:
radius-server algorithm { loading-share | master-backup }

The algorithm for selecting the RADIUS server is configured. By default, the algorithm for selecting the RADIUS server is primary/secondary.

----End

2.3.5 (Optional) Configuring the Negotiated Parameters of the RADIUS Server


Context
The negotiated parameters specify the conventions of the RADIUS protocol and message format used for communication between the RADIUS server and the ME60. The negotiated parameters are as follows:
- Version of the RADIUS protocol
The ME60 supports the standard RADIUS protocol, the RADIUS+1.0 protocol, and the RADIUS+1.1 protocol. The IP Hotel server supports the RADIUS+1.0 protocol. The Portal server supports the RADIUS+1.1 protocol.
- Cipher key
The cipher key is used to encrypt user passwords and generate the response authenticator. When the RADIUS server sends an authentication packet, it encrypts the user password and other important data by using the MD5 algorithm. This ensures that the authentication data is secure during transmission. The cipher key on the ME60 must be the same as the cipher key on the RADIUS server so that both parties of the authentication can identify each other. The cipher key is case sensitive.
- User name format
On the ME60, a user name is in the format user@domain. Certain RADIUS servers do not support user names that contain a domain name. Therefore, you must set the format of the user name that the ME60 sends to the RADIUS server according to the requirement of the RADIUS server.
- Traffic unit
The traffic units used by different RADIUS servers may differ. The ME60 supports various traffic units to keep consistency with the RADIUS server. The ME60 supports four traffic units: byte, KB, MB, and GB.
- Retransmission parameters
After sending a packet to the RADIUS server, the ME60 re-sends the packet if no response is returned within the specified time. In this way, packet loss caused by temporary network congestion can be prevented. The retransmission parameters of the RADIUS server are the timeout time and the retransmission count.

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
radius-server group group-name

The RADIUS view is displayed.
Step 3 Run:
radius-server type { standard | plus10 | plus11 }

The protocol version of the RADIUS server is configured. By default, the RADIUS server uses the standard RADIUS protocol.
Or run:
radius-server shared-key key-string [ authentication | accounting ] ip-address [ vpn-instance instance-name ] port-number [ weight weight ]

The cipher key of the RADIUS server is configured. You can configure a cipher key for each RADIUS server. By default, the cipher key of the RADIUS server is huawei.
Or run:
radius-server user-name { domain-included | original }

The format of the user name in the RADIUS packets is configured. By default, the user name sent to the RADIUS server contains the domain name.
Or run:
radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit of the RADIUS packets is configured. This command is not applicable to any server that uses the HUAWEI RADIUS+1.0 protocol or the HUAWEI RADIUS+1.1 protocol.
Or run:
radius-server { timeout seconds | retransmit times }*

The retransmission parameters of the RADIUS packets are set. By default, the response timeout time is 5 seconds and the retransmission count is 3.
Or run:
radius-attribute agent-circuit-id format { cn | tr-101 }

The format of the ID of the circuit through which RADIUS packets enter the upstream device is set.

----End
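The cipher key item above is what RFC 2865 calls the shared secret. The following added example (not Huawei's code) shows the two jobs it does on the wire: hiding the User-Password attribute of an Access-Request and keying the MD5 Response Authenticator, which is the check that lets the ME60 reject a reply from a server holding a different key. The secret, password, Request Authenticator and attribute contents are constructed.

```python
"""Added example (not Huawei's code): what the RADIUS cipher key of section
2.3.5 does on the wire, as specified in RFC 2865. The same key (1) hides the
User-Password attribute in an Access-Request and (2) keys the MD5 Response
Authenticator, which is how the NAS checks that a reply really came from a
server holding that key. Secret, password and authenticator are constructed."""
import hashlib
import hmac

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_PASSWORD, REPLY_MESSAGE = 2, 18      # attribute types (RFC 2865)


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: null-pad to a 16-octet multiple, then XOR each block with
    MD5(secret + previous ciphertext block); block 1 uses the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password may be at most 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password; the server runs this with its copy of the key."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_response(code: int, identifier: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = bytes([code, identifier]) + (20 + len(attrs)).to_bytes(2, "big")
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator with the local key. A reply
    from a server with a different key, or one altered in transit, fails here."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    head, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    secret, req_auth = b"huawei", bytes(range(16))       # constructed values
    hidden = hide_user_password(b"Str0ng-pass", secret, req_auth)
    print("hidden User-Password:", hidden.hex())
    accept = build_response(ACCESS_ACCEPT, 7, attribute(REPLY_MESSAGE, b"ok"),
                            req_auth, secret)
    print("same key verifies:", verify_response(accept, req_auth, secret))
    print("other key verifies:", verify_response(accept, req_auth, b"other"))
```

A mismatched key therefore shows up as every Access-Accept failing the authenticator check, which is the symptom to look for when authentication fails right after a key change on either side.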

2.3.6 (Optional) Disabling RADIUS Attributes


Context
This function is configured in a RADIUS server group and takes effect only on the RADIUS servers in that group. You can disable up to 64 attributes in a RADIUS server group. The ME60 can disable RADIUS attributes in both the send and receive directions.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
radius-server group group-name

The RADIUS view is displayed.
Step 3 Run:
radius-attribute disable attr-description { receive | send }*

The RADIUS attributes are disabled.

----End

2.3.7 (Optional) Configuring RADIUS Attribute Translation


Context
RADIUS servers of various vendors support different RADIUS attributes, and the vendors also define RADIUS attributes in different ways. This makes interconnection between the ME60 and RADIUS servers more difficult. The ME60 provides the attribute translation function to solve this problem. When the ME60 sends or receives RADIUS packets, it can encapsulate or parse the src-attribute attribute by using the format of dest-attribute. In this way, the ME60 can interconnect with different types of equipment.
This function is usually applied when one attribute has multiple formats. For example, the nas-port-id attribute has a new format and an old format. The ME60 uses the new format. If the RADIUS server uses the old format, you can run the radius-attribute translate nas-port-id nas-port-identify-old receive send command on the ME60.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
radius-server group group-name

The RADIUS view is displayed.
Step 3 Run:
radius-server attribute translate

RADIUS attribute translation is enabled.
Step 4 Run:
radius-attribute translate src-attribute dest-attribute { send | receive }*

The RADIUS attribute translation function is configured.

----End

2.3.8 (Optional) Configuring the Tunnel Password Delivery Mode


Context
The RADIUS protocol specifies that the RADIUS server must deliver the tunnel password in cipher text. Most RADIUS servers, however, do not conform to this specification. Therefore, the ME60 supports configuration of the tunnel password delivery mode so that the ME60 can interconnect with various types of RADIUS servers.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
radius-server group group-name

The RADIUS view is displayed.
Step 3 Run:
radius-attribute tunnel-password { cipher | simple }

The mode in which the RADIUS server delivers the tunnel password is configured. By default, the ME60 requires the RADIUS server to deliver the tunnel password in cipher text.

----End
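The cipher-text form this section refers to is the Tunnel-Password attribute of RFC 2868, which hides the password with the shared key, the Request Authenticator and a two-octet salt. The following added example (not Huawei's code) encodes and decodes that attribute, and shows the decoding path for the two delivery modes; the layout assumed for simple mode (a Tag octet followed by the password itself) is an assumption, as the page does not describe it. Key, salt and authenticator values are constructed.

```python
"""Added example (not Huawei's code): how a NAS reads the Tunnel-Password
attribute (RFC 2868 s3.5) in the two delivery modes of section 2.3.8. In cipher
mode the server hides the password with the shared key, the Request
Authenticator and a 2-octet salt; in simple mode the attribute is assumed to
carry Tag + plain password (an assumption; the page does not give the layout)."""
import hashlib
import os


def encode_tunnel_password(password: bytes, tag: int, secret: bytes,
                           request_auth: bytes, salt: bytes = b"") -> bytes:
    """Server side, RFC 2868: P = len(password) + password, null-padded to 16n;
    c1 = p1 XOR MD5(secret + request_auth + salt), c(i) = p(i) XOR MD5(secret + c(i-1)).
    Returns the attribute value: Tag | Salt | String."""
    if len(password) > 239:
        raise ValueError("password too long for a single Tunnel-Password attribute")
    if not salt:
        # The high bit of the first salt octet must be set (RFC 2868 s3.5).
        salt = bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1)
    if len(salt) != 2 or not (salt[0] & 0x80):
        raise ValueError("salt must be 2 octets with the high bit of the first set")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_auth + salt
    for i in range(0, len(plain), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], keystream))
        out += block
        prev = block
    return bytes([tag]) + salt + out


def decode_tunnel_password(value: bytes, secret: bytes, request_auth: bytes,
                           mode: str = "cipher") -> tuple:
    """NAS side: returns (tag, password). mode mirrors
    radius-attribute tunnel-password { cipher | simple }."""
    if not value:
        raise ValueError("empty Tunnel-Password attribute")
    tag = value[0]
    if mode == "simple":
        return tag, value[1:]            # assumed plain-text layout: Tag + password
    salt, enc = value[1:3], value[3:]
    if len(salt) != 2 or not (salt[0] & 0x80):
        raise ValueError("salt missing or high bit not set (RFC 2868)")
    if not enc or len(enc) % 16:
        raise ValueError("encrypted string must be a non-empty multiple of 16 octets")
    plain, prev = b"", request_auth + salt
    for i in range(0, len(enc), 16):
        block = enc[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    length = plain[0]
    if length > len(plain) - 1:
        # A wrong shared key usually shows up here: the length octet is garbage.
        raise ValueError("length octet exceeds data: wrong shared key or corrupted attribute")
    return tag, plain[1:1 + length]


if __name__ == "__main__":
    secret, req_auth = b"huawei", bytes(range(16))      # constructed values
    attr = encode_tunnel_password(b"tunnel-pass-1", 1, secret, req_auth, b"\x8a\x3c")
    print("cipher-mode attribute:", attr.hex())
    print("decoded:", decode_tunnel_password(attr, secret, req_auth))
    print("simple mode:", decode_tunnel_password(b"\x01plain-pass", secret, req_auth, "simple"))
```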
Issue 05 (2010-06-01) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 2-31

2 AAA Configuration

Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services

2.3.9 (Optional) Configuring the Class Attribute to Carry the CAR Value
Context
As specified in the standard RADIUS protocol, the Class attribute carried in an Access-Accept packet sent from the RADIUS server to the client must be returned to the accounting server without any change in an accounting request packet. Based on the standard protocol, the ME60 makes an extension by adding the function of transferring committed access rate (CAR) values. That is, in its implementation of the Class attribute (RADIUS attribute 25), the ME60 translates the attribute value into a CAR.

NOTE

To meet the requirements of various RADIUS servers, the ME60 can transfer the CAR value to the RADIUS server with either attribute 25 (through the previous commands) or attribute 26.

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
radius-server group group-name

The RADIUS view is displayed.
Step 3 Run:
radius-server class-as-car

The Class attribute is configured to carry the CAR value. By default, the RADIUS attribute does not carry any CAR value.

----End

2.3.10 (Optional) Configuring the Format of the NAS-Port Attribute


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
radius-server group group-name

The RADIUS view is displayed.
Step 3 Run:
radius-server format-attribute { nas-port format-string | nas-port-id vendor vendor-id }

The format of the NAS-Port attribute and the format of the NAS-Port-Id attribute are configured.

NOTE

When configuring the format of the NAS-Port-Id attribute, note the following:
- If the vendor ID is 2352, the ME60 encapsulates the NAS-Port-Id attribute by using the default format of the NAS-Port-Id attribute defined by Redback.
- If the vendor ID is 2636, the ME60 encapsulates the NAS-Port-Id attribute by using the default format of the NAS-Port-Id attribute defined by Juniper.
- For other vendors, the ME60 encapsulates the NAS-Port-Id attribute by using the original format of the NAS-Port-Id attribute.

----End

2.3.11 (Optional) Configuring the Source Interface of the RADIUS Server Group
Context
On the ME60, you can configure the source interface in the system view or for each RADIUS server group. The RADIUS servers then use the source interface of the RADIUS server group to interact with the ME60. If the source interface of the RADIUS server group is not configured, the RADIUS servers use the global source interface.
Do as follows on the ME60.

Procedure
- Configuring the global source interface of all the RADIUS servers
1. Run:
system-view

The system view is displayed.
2. Run:
radius-server source interface interface-type interface-number

The global source interface of all the RADIUS servers is configured.
- Configuring the source interface of a specified RADIUS server group
1. Run:
system-view

The system view is displayed.
2. Run:
radius-server group group-name

The RADIUS view is displayed.
3. Run:
radius-server source interface interface-type interface-number

The source interface of the RADIUS server group is configured.

----End

2.3.12 (Optional) Configuring the RADIUS Authorization Server


Context
You need to configure the RADIUS authorization server for the dynamic service so that the RADIUS server can dynamically authorize a user when the user selects the dynamic service.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
radius-server authorization ip-address [ vpn-instance instance-name ] { shared-key key | server-group group-name } * [ ack-reserved-interval interval ]

The global RADIUS authorization server is configured. If you need the ME60 to retain the RADIUS authorization response packet so that it can respond to retransmitted packets from the RADIUS authorization server, configure the duration of retaining the authorization response when configuring the RADIUS authorization server.

----End

2.3.13 (Optional) Configuring the Status Parameters of the RADIUS Server


Context
This configuration is valid for all the RADIUS servers.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
radius-server { dead-count times | dead-interval interval | dead-time time }

The parameters used to determine the status of the RADIUS server are set. By default, the ME60 considers the RADIUS server abnormal when the RADIUS server fails to respond to 10 consecutive packets sent from the ME60 within 5 seconds. The ME60 waits for 3 minutes before restoring the status of the RADIUS server.
If the ME60 does not receive any response packets after sending RADIUS packets a certain number of times (configured by the preceding command), and the interval between the first packet and the last packet (determined by dead-count) that the RADIUS server fails to respond to is longer than dead-interval, the ME60 determines that the RADIUS server works abnormally and changes the status of the RADIUS server to Down. After setting the status of the RADIUS server to Down, the ME60 waits for a certain period (set by the preceding command) before setting the status of the RADIUS server to Up. At the same time, the ME60 tries to establish a connection with the RADIUS server. If the connection cannot be established, the ME60 sets the status of the RADIUS server to Down again.

----End

2.3.14 (Optional) Configuring the Extended Source Ports of RADIUS


Context
After you configure the extended source ports of RADIUS, the ME60 can send a larger number of distinct packets to the RADIUS server in a given period of time. After the configuration, the ME60 sends RADIUS packets by using the extended source ports. The first half of the extended source ports are used to send and receive RADIUS authentication packets, and the second half are used to send and receive RADIUS accounting packets. If the number of configured extended source ports is odd, there is one more authentication port than accounting ports.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
radius-server extended-source-ports [ start-port start-port-number ] port-number port-number

The extended source ports of RADIUS are configured. By default, no extended source ports of RADIUS are configured. In this case, the ME60 uses the default ports, namely, 1812 to send and receive RADIUS authentication packets and 1813 to send and receive RADIUS accounting packets.

NOTE

If you do not specify the start port number when configuring the extended source ports, the system assigns the configured number of extended source ports.

----End

2.3.15 Checking the Configuration


Run the following commands to check the previous configuration.

Action: Check the configuration of the RADIUS server group.
Command: display radius-server configuration [ group group-name ]

Action: Check the configuration of the RADIUS authorization server.
Command: display radius-server authorization configuration

2.4 Configuring the HWTACACS Server


This section describes the procedure for configuring the HWTACACS server.
2.4.1 Establishing the Configuration Task
2.4.2 Creating an HWTACACS Server Template
2.4.3 Configuring HWTACACS Servers
2.4.4 Configuring the Source IP Address of the HWTACACS Server
2.4.5 (Optional) Configuring the Negotiated Parameters of the HWTACACS Server
2.4.6 (Optional) Configuring Timers of the HWTACACS Server
2.4.7 (Optional) Configuring Retransmission of Stop-Accounting Packet
2.4.8 Checking the Configuration

2.4.1 Establishing the Configuration Task


Applicable Environment
When the HWTACACS protocol is used, you need to configure the HWTACACS server. The ME60 manages the HWTACACS servers by using the HWTACACS server template. An HWTACACS server template is a set of HWTACACS servers with the same attributes (except the IP addresses and the port numbers). The servers in an HWTACACS server template function in primary/secondary mode.
NOTE

You can change the settings of an HWTACACS server template at any time.

Pre-configuration Tasks
None.

Data Preparation
To configure the HWTACACS server, you need the following data.

No. Data
1 Name of the HWTACACS server group
2 IP address and port number of the HWTACACS authentication server
3 IP address and port number of the HWTACACS accounting server
4 IP address and port number of the HWTACACS authorization server
5 Source IP address of the HWTACACS server
6 (Optional) Cipher key of the HWTACACS server
7 (Optional) User name format of the HWTACACS server
8 (Optional) Traffic unit of the HWTACACS server
9 (Optional) Response timeout time of the HWTACACS server and quiet time of the primary HWTACACS server
10 (Optional) Retransmission count of the stop-accounting packet or the option of disabling the retransmission

2.4.2 Creating an HWTACACS Server Template


Context
The ME60 supports up to 128 HWTACACS server templates.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
hwtacacs-server template template-name

An HWTACACS server template is created. After an HWTACACS server template is created, the system displays the HWTACACS view. If the HWTACACS server template already exists, you enter the HWTACACS view after running the preceding command.

----End

2.4.3 Configuring HWTACACS Servers


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
hwtacacs-server template template-name

The HWTACACS view is displayed.
Step 3 Run:
hwtacacs-server authentication ip-address [ port ] [ secondary ]

The HWTACACS authentication server is configured.
Or run:
hwtacacs-server accounting ip-address [ port ] [ secondary ]

The HWTACACS accounting server is configured.
Or run:
hwtacacs-server authorization ip-address [ port ] [ secondary ]

The HWTACACS authorization server is configured.
When configuring the HWTACACS servers, you need to configure the following parameters:
- IP addresses of the authentication, accounting, and authorization servers
- Port numbers of the authentication, accounting, and authorization servers (49 by default)
- Primary/Secondary attributes of the servers (primary by default)

----End

2.4.4 Configuring the Source IP Address of the HWTACACS Server


Context
The source IP address of the HWTACACS server refers to the source IP address of the packets sent by the ME60 to the HWTACACS server.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
hwtacacs-server template template-name

The HWTACACS view is displayed.
Step 3 Run:
hwtacacs-server source-ip ip-address

The source IP address of the HWTACACS server is configured. By default, the source IP address of a packet is the IP address of the port that sends the packet.

----End

2.4.5 (Optional) Configuring the Negotiated Parameters of the HWTACACS Server

Context
The negotiated parameters specify the conventions of the HWTACACS protocol and the message format used for communication between the HWTACACS server and the ME60. The negotiated parameters are as follows:
- Cipher key: The cipher key improves the security of the communication between the ME60 and the HWTACACS server. The cipher key on the ME60 must be the same as the cipher key on the HWTACACS server so that the two parties can identify each other. The cipher key is case sensitive.
- User name format: On the ME60, a user name is in the format user@domain. If the HWTACACS server does not support user names that contain a domain name, you can configure the ME60 to send the user name to the HWTACACS server without the domain name.
- Traffic unit: The ME60 supports four traffic units, byte, KB, MB, and GB, to meet the requirement of the HWTACACS server.

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS view is displayed.

Step 3 Run:
hwtacacs-server shared-key key-string

The cipher key of the HWTACACS server is configured. By default, no cipher key is configured in the HWTACACS server template.

Or run:
hwtacacs-server user-name domain-included

The format of the user name sent to the HWTACACS server is configured. By default, the user name sent to the HWTACACS server contains the domain name.

Or run:
hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit used by the HWTACACS server is configured. By default, the traffic unit used by the HWTACACS server is byte.
----End

2.4.6 (Optional) Configuring Timers of the HWTACACS Server

Context
If the ME60 sends a packet to the HWTACACS server but does not receive a response within the specified time, the ME60 considers the connection broken. This specified time is the response timeout time of the HWTACACS server.
NOTE
HWTACACS runs over TCP; therefore, either the server response timeout or the TCP timeout may disconnect the ME60 from the HWTACACS server.

If the ME60 determines that the connection with the primary HWTACACS server is broken, the ME60 waits for a period of time (the quiet time) and then reconnects to the primary server. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS view is displayed.

Step 3 Run:
hwtacacs-server timer response-timeout value

The response timeout time of the HWTACACS server is set. By default, the response timeout time of the HWTACACS server is 5 seconds.

Step 4 Run:
hwtacacs-server timer quiet value

The time the ME60 waits before re-establishing a connection with the primary HWTACACS server is set. By default, the ME60 waits 5 minutes before re-establishing a connection with the primary HWTACACS server.
----End

2.4.7 (Optional) Configuring Retransmission of Stop-Accounting Packet

Context
If the HWTACACS accounting mode is used, the ME60 generates a stop-accounting packet after a user logs out and sends the packet to the HWTACACS server. If network connectivity is unreliable, you can enable retransmission of the stop-accounting packet to prevent the loss of accounting information. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server accounting-stop-packet resend { disable | enable number }

Retransmission of the stop-accounting packet is configured. You can enable retransmission of the stop-accounting packet and set the retransmission count, or disable the function. By default, retransmission is enabled and the retransmission count is 100.
----End

2.4.8 Checking the Configuration

Run the following command to check the previous configuration.
- Check the configuration of the HWTACACS server template.
  display hwtacacs-server template [ template-name [ verbose ] ]
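The settings made in 2.4.3 to 2.4.5 (server addresses, secondary servers, shared key, source IP address) all appear in the output of display hwtacacs-server template, so they can be audited from a saved copy of that output rather than by reading each template by hand. The Python below is an added example and is not part of this guide or of the ME60 software. It parses a constructed sample output, modelled on the template output shown in the example in 2.7.2, and reports templates with no shared key, no explicitly configured source IP address, or a missing primary or secondary server. The minimum key length is an assumed local policy, and treating a server field of 0.0.0.0 as "not configured" is an assumption about the output, not something this guide states.

```python
# Constructed sample output, modelled on the "display hwtacacs-server template"
# output shown in the HWTACACS configuration example of this chapter.
# Addresses and key are illustrative only.
SAMPLE_TEMPLATE_OUTPUT = """\
-------------------------------------------------------------------------
HWTACACS-server template index : 0
HWTACACS-server template name : hw2
Primary-authentication-server : 130.7.66.66:1000
Primary-authorization-server : 130.7.66.66:1002
Primary-accounting-server : 130.7.66.66:1001
Secondary-authentication-server : 130.7.66.67:1000
Secondary-authorization-server : 130.7.66.67:1002
Secondary-accounting-server : 130.7.66.67:1001
Current-authentication-server : 130.7.66.66:1000
Current-authorization-server : 130.7.66.66:1002
Current-accounting-server : 130.7.66.66:1001
Source-IP-address : 0.0.0.0
Shared-key : hello
-------------------------------------------------------------------------
"""

# Assumed local policy, not an ME60 requirement: keys shorter than this are reported.
MIN_KEY_LENGTH = 8


def parse_template(text):
    """Turn the 'Field : value' lines of the display output into a dict.

    Only the first colon separates field from value, so 'addr:port' values such
    as '130.7.66.66:1000' stay intact. Separator lines and '......' carry no
    colon and are skipped.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def audit_template(fields):
    """Return a list of findings for one template; an empty list means it passes."""
    findings = []

    key = fields.get("Shared-key", "")
    if not key:
        findings.append("no shared key: the ME60 and the server cannot identify each other")
    elif len(key) < MIN_KEY_LENGTH:
        findings.append(f"shared key shorter than {MIN_KEY_LENGTH} characters (assumed local policy)")

    # 2.4.4: without hwtacacs-server source-ip the packets carry the egress port's
    # address, so a server-side client filter may stop matching after a reroute.
    if fields.get("Source-IP-address", "0.0.0.0") == "0.0.0.0":
        findings.append("source IP not configured: packets use the egress port address")

    # 2.4.3: each role should have a primary and a secondary server. A missing
    # field, or one showing 0.0.0.0, is treated as unconfigured (assumption).
    for role in ("authentication", "authorization", "accounting"):
        for rank in ("Primary", "Secondary"):
            server = fields.get(f"{rank}-{role}-server", "")
            if not server or server.startswith("0.0.0.0"):
                findings.append(f"no {rank.lower()} {role} server")
    return findings


def audit_output(text):
    """Parse one template's display output and audit it in a single call."""
    return audit_template(parse_template(text))


if __name__ == "__main__":
    for finding in audit_output(SAMPLE_TEMPLATE_OUTPUT):
        print("finding:", finding)
```

Run against the sample, the audit reports the short key and the unset source address; once hwtacacs-server source-ip and a longer shared key are configured the same template passes cleanly. Feeding several templates is a matter of splitting the captured output on the dashed separator lines.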

2.5 Storing Local CDRs

This section describes the procedure for configuring the ME60 to store local CDRs.
2.5.1 Establishing the Configuration Task
2.5.2 Creating a Local CDR Pool
2.5.3 Configuring the CDR Server
2.5.4 (Optional) Configuring CDR Alarm Threshold
2.5.5 (Optional) Configuring Mode of Backing Up CDRs in the Cache
2.5.6 (Optional) Configuring CDR Backup Interval
2.5.7 (Optional) Backing Up CDRs Manually
2.5.8 Checking the Configuration

2.5.1 Establishing the Configuration Task

Applicable Environment
The accounting information on the ME60 is a backup of the accounting information on the remote server. When an error occurs on the remote server, the CDRs are stored on the ME60, so the accounting information is not lost.

On the ME60, the CDRs are stored in the cache. When the cache is full, the ME60 stores the CDRs in the compressed flash (CF) card or backs up the CDRs to the CDR server through TFTP. The CDRs in the cache and the CF card can be backed up automatically or manually. The CDRs in the cache are backed up to the CF card or the CDR server; the CDRs in the CF card are backed up to the CDR server.

You can create or delete the local CDR pool by running the related commands. The local CDR storage function is implemented based on the local CDR pool. If the local CDR pool does not exist, this function does not take effect and CDRs are not backed up.

Pre-configuration Tasks
None.

Data Preparation
To configure local CDR storage, you need the following data.
No.  Data
1    IP address of the CDR server and name of the CDR file
2    (Optional) Alarm threshold of the CDRs in the CF card and the cache
3    (Optional) Interval for backing up the CDRs in the CF card and the cache
4    (Optional) Mode of backing up the CDRs in the cache

2.5.2 Creating a Local CDR Pool

Context
You can create or delete the local CDR pool by running the related commands on the ME60. The local CDRs can be stored only after the local CDR pool is created. When the local CDR pool is deleted, the local CDRs in the pool are also deleted. Therefore, you need to manually back up the local CDRs before deleting the local CDR pool. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
local-aaa-server

The local AAA view is displayed.

Step 3 Run:
local-bill-pool enable

A local CDR pool is created. By default, no local CDR pool exists on the ME60.
----End

2.5.3 Configuring the CDR Server

Context
The ME60 connects to the CDR server through TFTP to back up the CDRs. Therefore, the TFTP server program must run on the CDR server and a working directory must be specified. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
local-aaa-server

The local AAA view is displayed.

Step 3 Run:
bill-server ip-address filename file-name

The CDR server is configured. To configure the CDR server on the ME60, specify the IP address of the CDR server and the prefix of the CDR file name. On the ME60, a CDR file name is in the format prefix-time-number.lam, where time is the backup time written as YYYYMMDDhhmm and number is the sequence number of the file within that backup.

For example, if the prefix of the file name is backupfile, the backup time is 15:26 on March 15, 2005, and 10 files are generated in the backup, the name of the fifth file is backupfile-200503151526-5.lam.
----End
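Because the transfer to the CDR server is plain TFTP, nothing on the server side confirms that every file of a backup run arrived; the sequence number in the file name is the only handle for that check. The Python below is an added example and is not part of this guide or of the ME60 software. It builds and parses names in the prefix-YYYYMMDDhhmm-number.lam layout shown above and reports sequence-number gaps in a constructed directory listing. It assumes sequence numbers start at 1, consistent with the fifth file being numbered 5 in the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout from the text above: <prefix>-<YYYYMMDDhhmm>-<sequence>.lam
TIME_FORMAT = "%Y%m%d%H%M"
CDR_NAME_RE = re.compile(r"^(?P<prefix>.+)-(?P<time>\d{12})-(?P<seq>\d+)\.lam$")


def cdr_file_name(prefix, backup_time, seq):
    """Build the name of the seq-th file of the backup run started at backup_time."""
    return f"{prefix}-{backup_time.strftime(TIME_FORMAT)}-{seq}.lam"


def parse_cdr_file_name(name):
    """Split a CDR file name into (prefix, backup_time, seq); None if it does not match.

    The prefix group is greedy, so a prefix that itself contains hyphens is kept
    whole; the fixed 12-digit time field anchors the split.
    """
    m = CDR_NAME_RE.match(name)
    if not m:
        return None
    when = datetime.strptime(m.group("time"), TIME_FORMAT)
    return (m.group("prefix"), when, int(m.group("seq")))


def missing_sequence_numbers(names):
    """Group names by (prefix, backup_time) and report the gaps in each run.

    Sequence numbers are assumed to start at 1. A missing *last* file cannot be
    detected this way, because the run length is not encoded in the names.
    """
    runs = defaultdict(set)
    for name in names:
        parsed = parse_cdr_file_name(name)
        if parsed is None:
            continue  # not a CDR file; stray files in the TFTP directory are ignored
        prefix, when, seq = parsed
        runs[(prefix, when)].add(seq)

    gaps = {}
    for run, seqs in runs.items():
        expected = set(range(1, max(seqs) + 1))
        missing = sorted(expected - seqs)
        if missing:
            gaps[run] = missing
    return gaps


# Constructed directory listing: the ten-file run from the text with files 3 and 7
# absent, plus an unrelated file that must be ignored.
SAMPLE_LISTING = [
    cdr_file_name("backupfile", datetime(2005, 3, 15, 15, 26), i)
    for i in range(1, 11) if i not in (3, 7)
] + ["readme.txt"]


if __name__ == "__main__":
    for (prefix, when, *_), missing in missing_sequence_numbers(SAMPLE_LISTING).items():
        print(f"{prefix} run at {when:%Y-%m-%d %H:%M}: missing files {missing}")
```

Pointed at the TFTP working directory (os.listdir), the gap report is a cheap post-backup check; pairing it with a comparison against display local-bill information on the ME60 closes the remaining blind spot of a missing final file.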

2.5.4 (Optional) Configuring CDR Alarm Threshold

Context
The ME60 can send an alarm to the network management system (NMS) and the terminal when the number of CDRs in the cache or the CF card reaches the threshold. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
local-aaa-server

The local AAA view is displayed.

Step 3 Run:
local-bill cache alarm-threshold threshold

The alarm threshold of the CDRs in the cache is configured. By default, the alarm threshold of the CDRs in the cache is 75%.

Step 4 Run:
local-bill cfcard alarm-threshold threshold

The alarm threshold of the CDRs in the CF card is configured. By default, the alarm threshold of the CDRs in the CF card is 75%.
----End

2.5.5 (Optional) Configuring Mode of Backing Up CDRs in the Cache

Context
The CDRs in the cache may be backed up to the CF card, backed up to the CDR server through TFTP, or not backed up. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
local-aaa-server

The local AAA view is displayed.

Step 3 Run:
local-bill cache backup-mode { cfcard | none | tftp }

The mode of backing up the CDRs in the cache is configured. By default, the CDRs in the cache are backed up to the CF card.
----End

2.5.6 (Optional) Configuring CDR Backup Interval

Context
The ME60 can back up the CDRs in the cache and the CF card periodically. The CDRs in the cache can be backed up to the CF card or the CDR server, depending on the CDR backup mode. See "2.5.5 (Optional) Configuring Mode of Backing Up CDRs in the Cache." The CDRs in the CF card can be backed up to the CDR server. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
local-aaa-server

The local AAA view is displayed.

Step 3 Run:
local-bill cache backup-interval interval

The interval for backing up the CDRs in the cache is configured. By default, the interval for backing up the CDRs in the cache is 1440 minutes.

Step 4 Run:
local-bill cfcard backup-interval interval

The interval for backing up the CDRs in the CF card is configured. By default, the interval for backing up the CDRs in the CF card is 1440 minutes.
----End


2.5.7 (Optional) Backing Up CDRs Manually

Context
On the ME60, you can back up the CDRs in the cache and the CF card manually. The CDRs in the cache can be backed up to the CF card or the CDR server, depending on the CDR backup mode. See "2.5.5 (Optional) Configuring Mode of Backing Up CDRs in the Cache." The CDRs in the CF card can be backed up to the CDR server. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
local-aaa-server

The local AAA view is displayed.

Step 3 Run:
local-bill cache backup

The CDRs in the cache are backed up manually.

Step 4 Run:
local-bill cfcard backup [ file-name ]

The CDRs in the CF card are backed up manually. When backing up the CDRs in the CF card, you can specify the prefix of the CDR file name. If the prefix is not specified, the setting provided in 2.5.2 Creating a Local CDR Pool is used.
----End

2.5.8 Checking the Configuration

Run the following command to check the previous configuration.
- Check the configuration of the local CDR storage function.
  display local-bill { cache start-no count | configuration | information }

2.6 Maintaining AAA

This section describes the commands used to display and clear the AAA information and the commands used to debug the AAA function.
2.6.1 Displaying AAA Information
2.6.2 Debugging AAA
2.6.3 Clearing AAA Information

2.6.1 Displaying AAA Information

After the preceding configuration, run the following display commands in any view to view the AAA information and check the configuration. For detailed information, refer to the Quidway ME60 Multiservice Control Gateway Command Reference.
- Display the AAA information.
  display aaa configuration
- Display the configuration of the authentication scheme.
  display authentication-scheme [ scheme-name ]
- Display the configuration of the accounting scheme.
  display accounting-scheme [ scheme-name ]
- Display the configuration of the authorization scheme.
  display authorization-scheme [ scheme-name ]
- Display the configuration of the recording scheme.
  display recording-scheme [ scheme-name ]
- Display the RADIUS attributes.
  display radius-attribute [ attribute-name ]
- Display the configuration of the RADIUS server group.
  display radius-server configuration [ group group-name ]
- Display information about the stop-accounting packets of the HWTACACS server.
  display hwtacacs-server accounting-stop-packet { all | number | ip ip-address }
- Display the configuration of the HWTACACS server template.
  display hwtacacs-server template [ template-name [ verbose ] ]
- Display the local accounting information.
  display local-bill { cache start-no count | configuration | information }
- Display the configuration of the RADIUS authorization server.
  display radius-server authorization configuration
- Display the statistics of packets on the RADIUS server.
  display radius-server packet ip-address ip-address [ vpn-instance ] { accounting | authentication }
- Display the traffic policy delivered by the RADIUS server.
  display traffic policy remote-server-defined [ policy-name ]
- Display the traffic classifier delivered by the RADIUS server.
  display traffic classifier remote-server-defined [ classifier-name ]
- Display the traffic behavior delivered by the RADIUS server.
  display traffic behavior remote-server-defined [ behavior-name ]
- Display the ACL delivered by the RADIUS server.
  display acl { all | remote-defined-acl-number }

NOTE
The number of the ACL delivered by the RADIUS server ranges from 10000 to 11023.

2.6.2 Debugging AAA

CAUTION
Debugging affects the system performance. So, after debugging, run the undo debugging all command to disable debugging immediately.

When an AAA fault occurs, run the following debugging commands in the user view to locate the fault. For the procedure for displaying the debugging information, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.
- Enable the RADIUS debugging.
  debugging radius packet
- Check whether a user can pass the RADIUS authentication.
  test-aaa user-name password radius-group group-name [ chap | pap ]
- Enable the HWTACACS debugging.
  debugging hwtacacs { all | error | event | message | receive-packet | send-packet }

2.6.3 Clearing AAA Information

To clear the AAA information, run the following reset commands in the user view.
- Clear the statistics of the HWTACACS server.
  reset hwtacacs-server statistics { all | accounting | authentication | authorization }
- Clear the statistics of the HWTACACS stop-accounting packets.
  reset hwtacacs-server accounting-stop-packet { all | ip ip-address }
- Clear all the CDRs in the CF card (in the local AAA view).
  local-bill cfcard reset
- Clear the maximum number of online users in the history (in the system view).
  reset max-online-users

2.7 Configuration Examples

This section provides several configuration examples of AAA.
NOTE
In actual networking, the license needs to be loaded. For details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

2.7.1 Example for Configuring RADIUS Authentication and Accounting
2.7.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization
2.7.3 Example for Configuring the RADIUS Server to Deliver ACLs

2.7.1 Example for Configuring RADIUS Authentication and Accounting

Networking Requirements
As shown in Figure 2-3, the requirements on networking are as follows:
- The RADIUS server performs authentication and accounting for the users in domain isp1.
- The RADIUS server with address 129.7.66.66 is the primary authentication and accounting server. The RADIUS server with address 129.7.66.67 is the secondary authentication and accounting server.
- The authentication port number is 1812 and the accounting port number is 1813.
NOTE
For the introduction to the domain, see chapter 4 "User Management."

Networking Diagram
Figure 2-3 Networking of RADIUS authentication and accounting
(Figure: user1@isp1, user2@isp1, and user3@isp1 access the Internet through the ME60; the RADIUS master 129.7.66.66 and RADIUS backup 129.7.66.67 are attached to the ME60.)

Configuration Procedure
NOTE
Only the procedures related to the AAA are mentioned.

1. Configure the ME60.
# Enter the AAA view.
[Quidway] aaa

# Configure authentication scheme auth1. Configure the authentication mode to RADIUS authentication.
[Quidway-aaa] authentication-scheme auth1
[Quidway-aaa-authen-auth1] authentication-mode radius
[Quidway-aaa-authen-auth1] quit

# Configure accounting scheme acct1. Configure the accounting mode to RADIUS accounting.
[Quidway-aaa] accounting-scheme acct1
[Quidway-aaa-accounting-acct1] accounting-mode radius
[Quidway-aaa-accounting-acct1] quit
[Quidway-aaa] quit

# Configure the RADIUS server group.
[Quidway] radius-server group huawei

# Configure the algorithm for selecting the RADIUS server.
[Quidway-radius-huawei] radius-server algorithm master-backup

# Configure the primary RADIUS authentication and accounting server and the port numbers for authentication and accounting.
[Quidway-radius-huawei] radius-server authentication 129.7.66.66 1812
[Quidway-radius-huawei] radius-server accounting 129.7.66.66 1813

# Configure the secondary RADIUS authentication and accounting server and the port numbers for authentication and accounting.
[Quidway-radius-huawei] radius-server authentication 129.7.66.67 1812
[Quidway-radius-huawei] radius-server accounting 129.7.66.67 1813

# Configure other parameters of the RADIUS server group.
[Quidway-radius-huawei] radius-server type standard
[Quidway-radius-huawei] radius-server retransmit 2
[Quidway-radius-huawei] radius-server shared-key hello
[Quidway-radius-huawei] quit

# Configure the domain isp1.
[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme auth1
[Quidway-aaa-domain-isp1] accounting-scheme acct1
[Quidway-aaa-domain-isp1] radius-server group huawei
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit

2. Verify the configuration.
# View the configuration of authentication scheme auth1.
[Quidway] display authentication-scheme auth1
Authentication-scheme-name : auth1
Authentication-method : RADIUS
Authentication-fail-policy : Offline
Authentication-fail-domain : -

# View the configuration of accounting scheme acct1.
[Quidway] display accounting-scheme acct1
Accounting-scheme-name : acct1
Accounting-method : RADIUS
Realtime-accounting-switch : Disabled
Realtime-accounting-interval(sec) :
Start-accounting-fail-policy : Offline
Realtime-accounting-fail-policy : Online
Realtime-accounting-failure-retries : 3

# View the configuration of RADIUS server group huawei.
[Quidway] display radius-server configuration group huawei
---------------------------------------------------------
Server-group-name : huawei
Authentication-server: IP:129.7.66.66 Port:1812 Weight[0] Vpn: [UP]
Authentication-server: IP:129.7.66.67 Port:1812 Weight[0] Vpn: [UP]
......
Accounting-server : IP:129.7.66.66 Port:1813 Weight[0] Vpn: [UP]
Accounting-server : IP:129.7.66.67 Port:1813 Weight[0] Vpn: [UP]
......
Protocol-version : radius
Shared-secret-key : hello
Retransmission : 2
......
Packet send algorithm: Master-Backup

# View the configuration of domain isp1.
[Quidway] display domain name isp1 verbose
....
Domain-name : isp1
......
Authentication-scheme-name : auth1
Accounting-scheme-name : acct1
RADIUS-server-group : huawei
..........

Configuration Files
#
sysname Quidway
#
radius-server group huawei
 radius-server authentication 129.7.66.66 1812 weight 0
 radius-server authentication 129.7.66.67 1812 weight 0
 radius-server accounting 129.7.66.66 1813 weight 0
 radius-server accounting 129.7.66.67 1813 weight 0
 radius-server shared-key hello
 radius-server retransmit 2
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain default0
 domain default1
 domain default_admin
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group huawei
#
return

2.7.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization

Networking Requirements
As shown in Figure 2-4, the networking requirements are as follows:
- The HWTACACS server performs authentication, authorization, and accounting for the users in domain isp2. The real-time accounting is performed every 2 minutes.
- The HWTACACS server with address 130.7.66.66 is the primary AAA server. The HWTACACS server with address 130.7.66.67 is the secondary AAA server.
- The authentication port number is 1000; the accounting port number is 1001; the authorization port number is 1002.
- The IP address of the billing server is 10.10.10.1 and the prefix of the CDR file name is bill. The alarm thresholds of the CDRs in the cache and the CF card are both 80% and the interval for automatic CDR backup is 24 hours.

Networking Diagram
Figure 2-4 Networking of HWTACACS authentication, accounting, and authorization
(Figure: user1@isp2, user2@isp2, and user3@isp2 access the Internet through the ME60; the HWTACACS master 130.7.66.66, the HWTACACS backup 130.7.66.67, and the Bill Server 10.10.10.1 are attached to the ME60.)

Configuration Procedure
NOTE
Only the procedures related to the AAA are mentioned.

1. Configure the ME60.
# Configure an authentication scheme auth2. Configure the authentication mode to HWTACACS authentication.
[Quidway] aaa
[Quidway-aaa] authentication-scheme auth2
[Quidway-aaa-authen-auth2] authentication-mode hwtacacs
[Quidway-aaa-authen-auth2] quit

# Configure an accounting scheme acct2. Set the accounting mode to HWTACACS accounting.
[Quidway-aaa] accounting-scheme acct2
[Quidway-aaa-accounting-acct2] accounting-mode hwtacacs
[Quidway-aaa-accounting-acct2] accounting interim interval 2
[Quidway-aaa-accounting-acct2] quit

# Configure an authorization scheme author2. Configure the authorization mode to HWTACACS authorization.
[Quidway-aaa] authorization-scheme author2
[Quidway-aaa-author-author2] authorization-mode hwtacacs
[Quidway-aaa-author-author2] quit
[Quidway-aaa] quit

# Create a CDR pool.
[Quidway] local-aaa-server
[Quidway-local-aaa-server] local-bill-pool enable

# Configure the CDR server.
[Quidway-local-aaa-server] bill-server 10.10.10.1 filename bill

# Configure the alarm threshold of CDRs.
[Quidway-local-aaa-server] local-bill cache alarm-threshold 80
[Quidway-local-aaa-server] local-bill cfcard alarm-threshold 80

# Configure the interval for automatically backing up CDRs.
[Quidway-local-aaa-server] local-bill cache backup-interval 1440
[Quidway-local-aaa-server] local-bill cfcard backup-interval 1440

# Configure the HWTACACS server template.
[Quidway] hwtacacs-server template hw2

# Configure the primary HWTACACS AAA server and the port numbers for authentication, authorization, and accounting.
[Quidway-hwtacacs-hw2] hwtacacs-server authentication 130.7.66.66 1000
[Quidway-hwtacacs-hw2] hwtacacs-server accounting 130.7.66.66 1001
[Quidway-hwtacacs-hw2] hwtacacs-server authorization 130.7.66.66 1002

# Configure the secondary HWTACACS AAA server and the port numbers for authentication, authorization, and accounting.
[Quidway-hwtacacs-hw2] hwtacacs-server authentication 130.7.66.67 1000 secondary
[Quidway-hwtacacs-hw2] hwtacacs-server accounting 130.7.66.67 1001 secondary
[Quidway-hwtacacs-hw2] hwtacacs-server authorization 130.7.66.67 1002 secondary

# Configure the shared key of the HWTACACS server template.
[Quidway-hwtacacs-hw2] hwtacacs-server shared-key hello
[Quidway-hwtacacs-hw2] quit

# Configure domain isp2.
[Quidway] aaa
[Quidway-aaa] domain isp2
[Quidway-aaa-domain-isp2] authentication-scheme auth2
[Quidway-aaa-domain-isp2] accounting-scheme acct2
[Quidway-aaa-domain-isp2] authorization-scheme author2
[Quidway-aaa-domain-isp2] hwtacacs-server hw2
[Quidway-aaa-domain-isp2] quit
[Quidway-aaa] quit

2. Verify the configuration.
# View the configuration of authentication scheme auth2.
[Quidway] display authentication-scheme auth2
Authentication-scheme-name : auth2
Authentication-method : HWTACACS authentication
Authentication-fail-policy : Offline
Authentication-fail-domain : -

# View the configuration of accounting scheme acct2.
[Quidway] display accounting-scheme acct2
Accounting-scheme-name : acct2
Accounting-method : HWTACACS
......
Realtime-accounting-interval(sec) : 120
......

# View the configuration of authorization scheme author2.
[Quidway] display authorization-scheme author2
-------------------------------------------------------------------------
Authorization-scheme-name : author2
Authorization-method : HWTACACS authorization
Authorization-cmd level 0 : disabled
Authorization-cmd level 1 : disabled
Authorization-cmd level 2 : disabled
Authorization-cmd level 3 : disabled
-------------------------------------------------------------------------

# View the configuration of HWTACACS server template hw2.
[Quidway] display hwtacacs-server template hw2
-------------------------------------------------------------------------
HWTACACS-server template index : 0
HWTACACS-server template name : hw2
Primary-authentication-server : 130.7.66.66:1000
Primary-authorization-server : 130.7.66.66:1002
Primary-accounting-server : 130.7.66.66:1001
Secondary-authentication-server : 130.7.66.67:1000
Secondary-authorization-server : 130.7.66.67:1002
Secondary-accounting-server : 130.7.66.67:1001
Current-authentication-server : 130.7.66.66:1000
Current-authorization-server : 130.7.66.66:1002
Current-accounting-server : 130.7.66.66:1001
Source-IP-address : 0.0.0.0
Shared-key : hello
......
-------------------------------------------------------------------------

# View the configuration of the domain isp2.
[Quidway] display domain name isp2 verbose
....
Domain-name : isp2
..........
Authentication-scheme-name : auth2
Accounting-scheme-name : acct2
Authorization-scheme-name : author2
..........
TACACS-server-group : hw2
..........

# View the configuration of the local CDRs.
[Quidway] display local-bill configuration
Cache-backup-mode: Cfcard or Hd
Backup-interval(min): 1440
Bill-server-IP-address: 10.10.10.1
Bill-filename-prefix: bill

Configuration Files
#
sysname Quidway
#
hwtacacs-server template hw2
 hwtacacs-server authentication 130.7.66.66 1000
 hwtacacs-server authentication 130.7.66.67 1000 secondary
 hwtacacs-server authorization 130.7.66.66 1002
 hwtacacs-server authorization 130.7.66.67 1002 secondary
 hwtacacs-server accounting 130.7.66.66 1001
 hwtacacs-server accounting 130.7.66.67 1001 secondary
 hwtacacs-server shared-key hello
#
aaa
 authentication-scheme auth2
  authentication-mode hwtacacs
 accounting-scheme acct2
  accounting-mode hwtacacs
  accounting interim interval 2
 authorization-scheme author2
  authorization-mode hwtacacs
 domain default0
 domain default1
 domain default_admin
 domain isp2
  authentication-scheme auth2
  accounting-scheme acct2
  hwtacacs-server hw2
  authorization-scheme author2
#
local-aaa-server
 local-bill cache alarm-threshold 80
 local-bill cfcard alarm-threshold 80
 bill-server 10.10.10.1 filename bill
 local-bill-pool enable
return


2.7.3 Example for Configuring the RADIUS Server to Deliver ACLs

Networking Requirements
As shown in Figure 2-5, the networking requirements are as follows:
- The user belongs to domain isp1. RADIUS authentication and RADIUS accounting are adopted.
- The IP address of the RADIUS server is 192.168.7.200; the authentication port number is 1645; the accounting port number is 1646; the shared key is huawei.
- The RADIUS server delivers the ACL rules to control users. When users in user group huawei access the network segment 1.2.0.0/16 and the port number ranges from 100 to 500, the bandwidth for these users is 1 Mbit/s. The ME60 counts the number of times the network segment is accessed. The ACL rules can be dynamically modified through the RADIUS server.
- OSPF runs between the ME60 and network segment 1.2.0.0/16.

Networking Diagram
Figure 2-5 Networking for the RADIUS server to deliver the ACL
(Figure: the RADIUS Server 192.168.7.200 is reached from the ME60 over ETH2/1/12 192.168.7.1/24; user1@isp1 reaches the ME60 through the access network on ETH2/1/15.1; POS2/0/0 172.1.1.1/24 on the ME60 connects to the peer POS2/0/0 172.1.1.2/24 in front of network segment 1.2.0.0/16.)

Configuration Procedure
1. Configure the ME60.
# Configure an authentication scheme auth1. Configure the authentication mode to RADIUS authentication.
[Quidway-aaa] authentication-scheme auth1
[Quidway-aaa-authen-auth1] authentication-mode radius
[Quidway-aaa-authen-auth1] quit

# Configure an accounting scheme acct1. Configure the accounting mode to RADIUS accounting.
[Quidway-aaa] accounting-scheme acct1
[Quidway-aaa-accounting-acct1] accounting-mode radius
[Quidway-aaa-accounting-acct1] quit
[Quidway-aaa] quit

# Configure a RADIUS server group itellin.


[Quidway] radius-server group itellin
[Quidway-radius-itellin] radius-server authentication 192.168.7.200 1645
[Quidway-radius-itellin] radius-server accounting 192.168.7.200 1646
[Quidway-radius-itellin] radius-server shared-key huawei
[Quidway-radius-itellin] quit

# Configure the RADIUS authorization server.


[Quidway] radius-server authorization 192.168.7.200 server-group itellin shared-key huawei
NOTE

You need to configure the RADIUS authorization server only when dynamic RADIUS authorization is required.

# Configure the address pool.


[Quidway] ip pool pool1 local
[Quidway-ip-pool-pool1] gateway 200.1.1.1 24
[Quidway-ip-pool-pool1] section 0 200.1.1.2 200.1.1.200

# Configure domain isp1.


[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme auth1
[Quidway-aaa-domain-isp1] accounting-scheme acct1
[Quidway-aaa-domain-isp1] ip-pool pool1
[Quidway-aaa-domain-isp1] radius-server group itellin
[Quidway-aaa-domain-isp1] quit

# Configure the virtual template.


[Quidway] interface Virtual-Template 1

# Configure the BAS interface.


[Quidway] interface Ethernet2/1/15.1
[Quidway-Ethernet2/1/15.1] pppoe-server bind virtual-template 1
[Quidway-Ethernet2/1/15.1] user-vlan 100
[Quidway-Ethernet2/1/15.1-vlan-100-100] bas
[Quidway-Ethernet2/1/15.1-bas] access-type layer2-subscriber
[Quidway-Ethernet2/1/15.1-bas] quit
[Quidway-Ethernet2/1/15.1] quit

# Configure the uplink interface.


[Quidway] interface Ethernet2/1/12
[Quidway-Ethernet2/1/12] ip address 192.168.7.1 24
[Quidway-Ethernet2/1/12] quit

# Configure a route to enable users to access network segment 1.2.0.0/16 after they log in.
[Quidway] interface Pos 5/0/0
[Quidway-Pos5/0/0] ip address 172.1.1.1 255.255.255.0
[Quidway-Pos5/0/0] quit
[Quidway] router id 1.1.1.1
[Quidway] ospf
[Quidway-ospf-1] import-route unr
[Quidway-ospf-1] area 0
[Quidway-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
NOTE
Complete the following configurations on the ME60:
- Configure the IP address of Pos2/0/0 to 172.1.1.2/24.
- Configure the router ID.
- Configure OSPF. Run the network 1.2.0.0 0.0.255.255 command to advertise the route in area 0.

2. Configure the remote RADIUS server.
# Do as follows on the remote RADIUS server with IP address 192.168.7.200:
- Configure the IP address of the uplink interface and the shared key. Make sure that they are the same as those configured on the ME60.
- Configure the network segment for users. Make sure that the addresses in the address pool for users are included in the network segment.
- Configure domain isp1 and the user account.
- Configure the service policy. The format is as follows:
  hw-Data-Filter = "1;clas1;beha1;6;1;huawei;2;1.2.0.0;255.255.0.0;100-500;;;;5;";hw-Data-Filter = "2;beha1;;;;;;;1000;;;;;1;";Filter-ID = "huawei"

For details, refer to the manual of the RADIUS server.
3. Verify the configuration.
# View the configuration of RADIUS server group itellin.
<Quidway> display radius-server configuration group itellin
---------------------------------------------------------
Server-group-name : itellin
Authentication-server: IP:192.168.7.200 Port:1645 Weight[0] [UP] Vpn: ......
Accounting-server : IP:192.168.7.200 Port:1646 Weight[0] [UP] Vpn: ......
Protocol-version : radius
Shared-secret-key : huawei
Retransmission : 3
Timeout-interval(s) : 5
Acct-Stop-Packet Resend : NO
Acct-Stop-Packet Resend-Times : 0
Traffic-unit : B
ClassAsCar : NO
User-name-format : Domain-included
Attribute-translation: NO
Packet send algorithm: Master-Backup

# View the configuration of domain isp1.


<Quidway> display domain name isp1 verbose
.........
Domain-name : isp1
Domain-state : Active
Domain-type : Normal domain
............
Authentication-scheme-name : auth1
Accounting-scheme-name : acct1
RADIUS-server-group : itellin
IP-address-pool-name : pool1
................

# View the remote traffic policy generated by the system.


[Quidway] display traffic policy remote-server-defined
Remote Server Defined Traffic Policy Information:
Policy: remote-server-defined-policy
 Classifier: default-class
  Behavior: be
   Firewall: permit

After a user logs in, the RADIUS server delivers an ACL for the user. You can find the traffic policy, classifier, behavior, and rules on the ME60.
# View information about the classifier delivered by the RADIUS server.
[Quidway] display traffic classifier remote-server-defined
Remote Server Defined Classifier Information:
Classifier: clas1
 Operator: OR
 Rule(s) : if-match acl 10000

# View information about the behavior delivered by the RADIUS server.


[Quidway] display traffic behavior remote-server-defined
Remote Server Defined Behavior Information:
Behavior: beha1
 Committed Access Rate:
  CIR 1024 (Kbps), PIR 0 (Kbps), CBS 128000 (byte), PBS 320512 (byte)
  Conform Action: pass
  Yellow Action: pass
  Exceed Action: discard
 Hitcount

# View information about the traffic policy delivered by the RADIUS server.
[Quidway] display traffic policy remote-server-defined
Remote Server Defined Traffic Policy Information:
Policy: remote-server-defined-policy
 Classifier: default-class
  Behavior: be
   Firewall: permit
 Classifier: clas1
  Behavior: beha1
   Committed Access Rate:
    CIR 1000 (Kbps), PIR 0 (Kbps), CBS 125000 (byte), PBS 313000 (byte)
    Conform Action: pass
    Yellow Action: pass
    Exceed Action: discard
   Hitcount

# View the ACL rule delivered by the RADIUS server.


[Quidway] display acl 10000
Remote-server-defined ACL 10000, 1 rule
Acl's step is 5
 rule 5 permit tcp source user-group huawei destination ip-address 1.2.0.0 0.0.255.255 destination-port range 100 500 precedence critical (0 times matched)
Notes: For ACLs statistics of traffic policy, please use the following command: display traffic policy statistics.

Configuration Files
#
 sysname Quidway
#
 router id 1.1.1.1
#
radius-server group itellin
 radius-server authentication 192.168.7.200 1645 weight 0
 radius-server accounting 192.168.7.200 1646 weight 0
#
radius-server authorization 192.168.7.200 shared-key huawei server-group itellin
#
interface Ethernet2/1/12
 ip address 192.168.7.1 255.255.255.0
#
interface Ethernet2/1/15
#
interface Ethernet2/1/15.1
 pppoe-server bind Virtual-Template 1
 user-vlan 100
 bas
  access-type layer2-subscriber
#
interface Virtual-Template1
#
interface Pos5/0/0
 ip address 172.1.1.1 255.255.255.0
#
aaa
 authentication-scheme sch1
 authentication-scheme auth1
 accounting-scheme acct1
 domain default0
 domain default1
 domain default_admin
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group itellin
  ip-pool pool1
#
ospf 1
 import-route unr
 area 0.0.0.0
  network 172.1.1.0 0.0.0.255
#
return

3 Addresses Management

About This Chapter
This chapter describes the concept, rationale, and configuration of the address management function and provides several configuration examples.
3.1 Introduction
This section describes the concept of address management.
3.2 Configuring the DHCP Server
This section describes the procedure for configuring the DHCP server.
3.3 Configuring the IPv4 Address Pool
This section describes the procedure for configuring the IPv4 address pool.
3.4 Configuring the IPv6 Address Prefix
This section describes the procedure for configuring the IPv6 address prefix.
3.5 Maintaining Addresses
This section describes the commands used to display addresses and debug the DHCP function.
3.6 Configuration Examples
This section provides several configuration examples of address management.

3.1 Introduction
This section describes the concept of address management.
3.1.1 Overview of Address Management
3.1.2 IPv4 Address Management
3.1.3 IPv6 Address Management

3.1.1 Overview of Address Management


The ME60 allows a user to access the network by obtaining an IP address dynamically or by configuring a fixed IP address.
- Obtaining an IP address dynamically: A user obtains an IP address after interacting with the ME60 through a protocol such as the Dynamic Host Configuration Protocol (DHCP) or IPCP/IPv6CP (for PPP users only). After the user goes offline, the IP address can be assigned to other users.
- Configuring a fixed IP address: A user configures a fixed IP address on the computer. After the user goes offline, the fixed IP address cannot be assigned to other users.

The ME60 can allocate address segments through IPCP. The gateway address and mask of the address segment must be delivered by the RADIUS server. Thus the ME60 can allocate a gateway and a mask to a home user. Multiple user terminals can be connected to the gateway, and terminals in the same network segment can communicate with each other.
NOTE

After a user obtains an IP address, the ME60 adds the network segment route for the user. If the user wants to access other network users or addresses, the route to the user network segment must be advertised by using the import-route unr command. For details of the command, refer to the Quidway ME60 Multiservice Control Gateway Command Reference.

3.1.2 IPv4 Address Management

IPv4 Address Pool
The ME60 manages IPv4 addresses in IPv4 address pools. The address pools are classified into local address pools, remote address pools, and relay address pools, as described in Table 3-1.

Table 3-1 IPv4 address pools supported by the ME60
Type: Local address pool
Description: A local address pool is managed by the ME60. The ME60 allocates IP addresses, extends the lease, and reclaims the IP addresses in the address pool.

Type: Relay address pool
Description: A relay address pool provides IP addresses for the users at the network side. The ME60 allocates IP addresses, extends the lease, and reclaims IP addresses in the relay address pool.

Type: Remote address pool
Description: A remote address pool is a mapping of the remote DHCP server or the Boot Protocol (BOOTP) server. Real IP addresses are not configured in the remote address pool; it only specifies the mapped DHCP or BOOTP server. When a remote address pool is used, the ME60 can initiate a request for a user or relay a user's request to apply for an IP address, request the DHCP or BOOTP server to extend the lease of the IP address, or request the DHCP or BOOTP server to reclaim the IP address.

You can configure up to 4096 address pools (local address pools and remote address pools) on the ME60. A local address pool can be divided into multiple (at most 8) address segments. Each address segment contains up to 65536 IP addresses. Excluding invalid addresses (such as X.0.0.0), each address pool can provide up to 512k valid addresses. The IP addresses of address pools in different VPN instances can overlap each other; therefore, the ME60 supports private addresses. For the description of address pools of VPN instances, refer to 7 "Service Wholesale Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - VPN.

DHCP Function
When allocating IP addresses to users, the ME60 can function as a DHCP server, a DHCP proxy, or a DHCP client. It can allocate IP addresses to users from the local address pools or the remote address pools, as described in Table 3-2.

Table 3-2 DHCP functions of the ME60
Function: DHCP server
Description: The ME60 functions as the DHCP server to allocate IP addresses in the local address pool to users. The ME60 also allocates IP addresses in the relay address pool to the users that use a DHCP proxy.

Function: DHCP proxy
Description: As a DHCP proxy, the ME60 forwards the DHCP request of a user to the DHCP/BOOTP server. Then, the DHCP/BOOTP server allocates an IP address to the user.

Function: DHCP client
Description: The ME60 functions as a DHCP client to apply to the DHCP/BOOTP server for an IP address, and then allocates the IP address to the IPoX user.

DHCP Option
On the ME60, the DHCP option is used to carry the user's information. Generally, the ME60 uses Option 60 and Option 82, as described in Table 3-3.

Table 3-3 Description of DHCP options in the ME60
Option ID: Option 60
Description: When a terminal device, such as the set top box of the digital TV, accesses the network, the ME60 cannot identify its domain according to its user name. Therefore, the ME60 cannot allocate an IP address to the device. In this case, the terminal device uses Option 60 to carry the domain information when initiating the DHCP request. After receiving the DHCP request, the ME60 allocates the IP address to the device according to the domain information contained in Option 60.

Option ID: Option 82
Description: When receiving a DHCP request, the DHCP or BOOTP server cannot identify the physical location of the user. In this case, the server can only allocate the IP address to the user from the address pool in sequence. This method cannot meet the address requirement of the user. As a DHCP proxy, the ME60 adds the physical location of the user to Option 82 and relays the DHCP packet of the user to the DHCP or BOOTP server. Then, the DHCP server allocates an IP address to the user according to the location information.

3.1.3 IPv6 Address Management

An IPv6 address consists of an address prefix (64 bits) and an interface ID (64 bits). An interface ID uniquely maps to the MAC address of the user's computer; therefore, the interface ID does not need to be configured on the ME60. The ME60 supports stateless address auto-configuration. That is, the user's computer can configure a local IPv6 address that contains the prefix advertised by the ME60. You need to configure the IPv6 address prefix on the ME60 and bind the prefix to the user domains. After going online, a user obtains the IPv6 prefix from the ME60 through the ND protocol. The prefix is then combined with the interface ID to form a valid IPv6 address.
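The host-side half of the process described above, as an added illustration that is not ME60 code: the interface ID is derived from the MAC address with the modified EUI-64 method (RFC 4291) and combined with the /64 prefix the BRAS advertises. The prefix and MAC are constructed sample values, and is_eui64() is a helper of this example for recognising such addresses in logs.

```python
"""Stateless IPv6 address formation: advertised /64 prefix + interface ID
derived from the host MAC (modified EUI-64). Added example, not ME60 code;
prefix and MAC below are constructed."""
import ipaddress


def mac_to_interface_id(mac: str) -> int:
    """Derive the 64-bit modified EUI-64 interface ID from a 48-bit MAC.
    Split the OUI and NIC halves, insert 0xFFFE between them, then flip the
    Universal/Local bit (bit 1 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02                      # invert the U/L bit
    return int.from_bytes(eui64, "big")


def form_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an advertised prefix with the interface ID for `mac`.
    SLAAC needs exactly 64 prefix bits, so anything else is rejected."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix, got /%d" % net.prefixlen)
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_interface_id(mac))


def is_eui64(addr: str) -> bool:
    """True when the low 64 bits carry the 0xFFFE marker in the middle of the
    interface ID, i.e. the address most likely embeds a MAC address."""
    low = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (low >> 24) & 0xFFFF == 0xFFFE


def mac_from_address(addr: str) -> str:
    """Recover the MAC from an EUI-64 address (inverse of the derivation)."""
    if not is_eui64(addr):
        raise ValueError("interface ID is not EUI-64 derived")
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join("%02x" % b for b in octets)
```

Because the interface ID embeds the MAC, the same terminal is recognisable across prefixes; RFC 4941 temporary addresses exist for hosts that want to avoid that.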

3.2 Configuring the DHCP Server

This section describes the procedure for configuring the DHCP server.
3.2.1 Establishing the Configuration Task
3.2.2 Creating a DHCP Server Group
3.2.3 Configuring DHCP Servers
3.2.4 (Optional) Setting the Algorithm for Selecting DHCP Servers
3.2.5 (Optional) Configuring the DHCP Release Agent Function
3.2.6 (Optional) Configuring the DHCP Global Parameters
3.2.7 (Optional) Configuring the ME60 to Trust DHCP Option 82
3.2.8 (Optional) Configuring Transparent Transmission of DHCP Packets
3.2.9 Checking the Configuration

3.2.1 Establishing the Configuration Task


Applicable Environment
When IP addresses are allocated by a remote DHCP server, you need to configure the parameters of the DHCP server on the ME60, such as the IP address of the DHCP server. Then, the ME60 can communicate with the DHCP server. The ME60 manages DHCP servers through DHCP server groups.

Pre-configuration Tasks
None.

Data Preparation
To configure the DHCP server, you need the following data.
1. Name of the DHCP server group
2. IP addresses and VPN instances of the primary and secondary DHCP servers
3. (Optional) Status of the DHCP release agent function (enabled or disabled)
4. (Optional) Status of the function of detecting invalid DHCP servers (enabled or disabled) and the detection interval if the function is enabled
5. (Optional) Mode of DHCP packet check (strict or loose)
6. (Optional) Format of DHCP Option 60 (with the domain name or not) and the method of matching the domain name if Option 60 contains the domain name

3.2.2 Creating a DHCP Server Group


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
dhcp-server group group-name
A DHCP server group is created.
----End

3.2.3 Configuring DHCP Servers


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
dhcp-server group group-name
The DHCP server group view is displayed.
Step 3 Run:
dhcp-server ip-address [ vpn-instance vpn-instance ] [ weight weight-value ]
The DHCP servers are configured. A primary DHCP server and a secondary DHCP server can be configured in a DHCP server group.
----End

3.2.4 (Optional) Setting the Algorithm for Selecting DHCP Servers


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
dhcp-server group group-name
The DHCP server group view is displayed.
Step 3 Run:
dhcp-server algorithm { loading-share | master-backup }
The algorithm for selecting DHCP servers is set. When there is more than one server in a DHCP server group, you can specify either the loading-share mode or the master/backup mode for selecting DHCP servers.
- Loading-share: The ME60 distributes the load according to the weight of the servers.
- Master/backup: The ME60 specifies the first server as the master server and the others as backup servers.
By default, the algorithm for selecting DHCP servers is master/backup.
----End

3.2.5 (Optional) Configuring the DHCP Release Agent Function


Context
With the DHCP release agent function, the ME60 sends a DHCP release packet to the DHCP server on behalf of the user after it detects, through the Address Resolution Protocol (ARP), that the user is offline. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
dhcp-server group group-name
The DHCP server group view is displayed.
Step 3 Run:
release-agent
The DHCP release agent is configured. By default, the DHCP release agent is enabled.
----End

3.2.6 (Optional) Configuring the DHCP Global Parameters


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
dhcp invalid-server-detecting [ interval ]
The interval for detecting invalid DHCP servers is configured. If the interval for detecting invalid DHCP servers is 0, the ME60 does not detect invalid DHCP servers.
Step 3 Run:
dhcp check-server-pkt { loose | strict }
The check options of the DHCP packets are configured.
Step 4 Run:
dhcp option-60 domain-included [ exact-match | partial-match ]
DHCP Option 60 is configured. You need to determine whether DHCP Option 60 contains the domain name and the method of matching the domain name. By default, DHCP Option 60 does not contain the domain name. If DHCP Option 60 contains the domain name, the domain name is exactly matched by default.
Step 5 Run:
dhcp slot-id max-sessions user-number
The maximum number of DHCP users that are allowed to access the specified board on the ME60 is set. By default, the maximum number of DHCP users that are allowed to access the specified board is determined by the license file.
Step 6 Run:
dhcp-server ip-address [ vpn-instance vpn-instance ] send-discover-speed packet-number time
The packet transmission rate of the DHCP server group is limited. By default, the packet transmission rate of the DHCP server group is unlimited.
Step 7 Run:
dhcp-user-slot-warning-threshold threshold-value
The threshold for triggering the alarm about excessive DHCP users on a board is set.
Step 8 Run:
dhcp-user-warning-threshold threshold-value
The threshold for triggering the alarm about excessive global DHCP users is set.
----End

3.2.7 (Optional) Configuring the ME60 to Trust DHCP Option 82


Context
DHCP Option 82 is an option field in a DHCP packet and is used to identify the physical location of a user. The ME60 handles DHCP Option 82 in two ways:
- Trusts DHCP Option 82. The ME60 considers Option 82 in the DHCP packets sent by the client valid and sends the DHCP packets to the DHCP server without changing Option 82. The ME60 also uses DHCP Option 82 to notify the RADIUS server of the physical location of the user. If the DHCP packet sent by the client does not contain Option 82, the ME60 determines the physical location of the user according to the user information such as the VLAN, and then creates the Option 82 field.
- Distrusts DHCP Option 82. The ME60 does not trust Option 82 even if the DHCP packet sent by the client contains Option 82. The ME60 determines the physical location of the user according to the user information such as the VLAN, and then creates a new Option 82 field.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
bas
The BAS interface view is displayed.
Step 4 Run:
client-option82
The interface is configured to trust DHCP Option 82. If Option 82 of the client needs to be sent to the RADIUS server or the COPS server, you must run the client-option82 command on the BAS interface.
----End
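The two decisions described in 3.2.6 (Option 60 domain matching) and 3.2.7 (trusting or replacing client Option 82), worked through as an added example that is not ME60 code. The option encoding follows RFC 2132 and RFC 3046; the domain list, the slot/port/VLAN values, the circuit-id text layout and the sample DHCPDISCOVER option bytes are all constructed for the example, and the reading of partial-match as "a configured domain name appears inside Option 60" is an assumption.

```python
"""Option 60 domain selection and Option 82 trust policy on a BRAS.
Added example, not ME60 code; sample data is constructed."""
from typing import Dict, Iterable, Optional

OPT_VENDOR_CLASS = 60      # RFC 2132 vendor class identifier
OPT_RELAY_AGENT = 82       # RFC 3046 relay agent information
SUB_CIRCUIT_ID = 1
OPT_END = 255


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area of a DHCP packet (after the magic cookie).
    A truncated option raises ValueError so a malformed packet is rejected
    rather than partially accepted."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == 0:                      # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = value
        i += 2 + length
    return opts


def match_domain(option60: Optional[bytes], domains: Iterable[str],
                 exact: bool = True) -> Optional[str]:
    """Pick the user's domain from Option 60. `exact` mirrors exact-match;
    with partial-match (assumed meaning) a configured domain name contained
    anywhere in Option 60 is accepted. None means no domain matched."""
    if option60 is None:
        return None
    text = option60.decode("ascii", errors="ignore")
    for name in domains:
        if (exact and text == name) or (not exact and name in text):
            return name
    return None


def build_option82(slot: int, port: int, vlan: int) -> bytes:
    """Encode a relay-agent option from the BRAS's own view of the access line.
    The circuit-id text layout is an assumption for this example."""
    circuit = ("slot%d/port%d/vlan%d" % (slot, port, vlan)).encode()
    return bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit


def effective_option82(opts: Dict[int, bytes], trust_client: bool,
                       slot: int, port: int, vlan: int) -> bytes:
    """Apply the client-option82 policy: a trusted interface keeps the client's
    Option 82 and only builds one when it is absent; an untrusted interface
    always replaces whatever the client sent with a locally generated one."""
    client = opts.get(OPT_RELAY_AGENT)
    if trust_client and client is not None:
        return client
    return build_option82(slot, port, vlan)


def parse_option82(value: bytes) -> Dict[int, bytes]:
    """Split Option 82 into its sub-options (1 = circuit-id, 2 = remote-id)."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i + 1 < len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


# Constructed sample: DHCPDISCOVER option area from a set top box carrying
# Option 60 "isp1" and a client-supplied Option 82 with circuit-id "somewhere".
SAMPLE_OPTIONS = (
    bytes([53, 1, 1])                                  # message type DISCOVER
    + bytes([OPT_VENDOR_CLASS, 4]) + b"isp1"
    + bytes([OPT_RELAY_AGENT, 11, SUB_CIRCUIT_ID, 9]) + b"somewhere"
    + bytes([OPT_END])
)
```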

3.2.8 (Optional) Configuring Transparent Transmission of DHCP Packets


Context
When the user shuts down the STB and then restarts it immediately, the ME60 cannot detect that the user goes offline and retains the user entry. When receiving the DHCP Discover packet that the STB sends after restart, the ME60 forces the user to go offline and waits until the user sends another DHCP Discover packet to obtain an address through DHCP. Some STBs, however, send only one DHCP Discover packet after they restart. In this case, the users cannot go online after shutting down their STBs. You can configure the function of transparently transmitting DHCP packets to solve this problem. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
dhcp through-packet
The function of transparently transmitting DHCP packets is configured. By default, the ME60 is not configured with this function. After the function is configured, the ME60 transparently transmits the DHCP Discover, DHCP Offer, and DHCP Request packets to the DHCP server or users if the user entries exist, that is, if the users are online.
----End

3.2.9 Checking the Configuration


Run the following command to check the previous configuration.
Action: Check the configuration of the DHCP server.
Command: display dhcp-server group [ group-name ]

3.3 Configuring the IPv4 Address Pool

This section describes the procedure for configuring the IPv4 address pool.
3.3.1 Establishing the Configuration Task
3.3.2 Creating an Address Pool
3.3.3 Configuring Address Pool Attributes
3.3.4 Configuring an Address Segment
3.3.5 (Optional) Configuring the Address Lease
3.3.6 (Optional) Configuring Address Protection
3.3.7 (Optional) Configuring a DHCP Option
3.3.8 Associating an Address Pool with a DHCP Server Group
3.3.9 Checking the Configuration

3.3.1 Establishing the Configuration Task

Applicable Environment
To allocate IPv4 addresses to users, you need to configure the IPv4 address pool. If the IP address is allocated by the ME60, you need to configure a local address pool. If the IP address is allocated by the DHCP server or the BOOTP server, you need to configure a remote address pool on the ME60.

Pre-configuration Tasks
Before configuring the IPv4 address pool, complete the following task:
- Configuring the DHCP Server if a remote address pool is used

Data Preparation
To configure the IPv4 address pool, you need the following data.
1. Name of the address pool
2. Gateway address of the address pool, IP address of the DNS server (optional), IP address of the NetBIOS server (optional), DNS suffix (optional), and VPN instance (optional)
3. Number of address segments and start and end addresses of each address segment (applied to local address pools)
4. (Optional) Address lease of the address pool (applied to local address pools)
5. (Optional) Excluded or conflicting IP addresses in the address pool and IP addresses to be reclaimed (applied to local address pools)
6. (Optional) Definitions of DHCP options (applied to local address pools)
7. Name of the DHCP server group (applied to remote address pools)

3.3.2 Creating an Address Pool


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ip pool pool-name [ local [ slave ] | relay | remote ]
An address pool is created. You can use the preceding command to specify the active/standby mode of a local address pool. Up to 4096 address pools can be configured in the system, including local address pools, relay address pools, and remote address pools. The names of the address pools must be different.
When the ME60 shares a global address pool, you must specify the active/standby mode of the address pool. In this case, the utilization of the address pool is 50%, and you must configure sufficient address space in the active address pool. When the ME60 binds an address pool to a remote backup template, you need not specify the active/standby mode. In this case, the utilization of the address pool is 100%.
----End

3.3.3 Configuring Address Pool Attributes


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ip pool pool-name
The address pool view is displayed.
Step 3 Run:
gateway ip-address mask
The gateway address of the pool is configured.
Step 4 (Optional) Run:
dns-server ip-address [ secondary ]
The domain name server (DNS) of the address pool is configured. You can configure only one primary DNS server and one secondary DNS server for an address pool.
Step 5 (Optional) Run:
dns-suffix suffix-name
The DNS suffix of the address pool is configured. The DNS suffix of the address pool is used to support DHCP Option 15, to facilitate the resolution of domain names.
Step 6 (Optional) Run:
netbios-name-server ip-address [ secondary ]
The NetBIOS server of the address pool is configured. You can configure only one primary NetBIOS server and one secondary NetBIOS server for an address pool.
Step 7 (Optional) Run:
rebinding-time days [ hours [ minutes ] ]
The rebinding time of IP addresses is set. By default, the rebinding time of IP addresses is 87.5% of the lease of the address pool.
Step 8 (Optional) Run:
renewal-time days [ hours [ minutes ] ]
The renewal time of IP addresses is set. By default, the renewal time of IP addresses is 50% of the lease of the address pool.
Step 9 (Optional) Run:
reserved ip-address { lease | mac }
The reservation type of IP addresses is set. By default, IP addresses are not reserved. An IP address is taken back from a user when the user logs off.
Step 10 (Optional) Run:
sip-server { { ip-address ip-address } &<1~8> | { list server-name } &<1~8> }
The IP address or name of the SIP server is specified. By default, no SIP server is specified.
Step 11 (Optional) Run:
vpn-instance instance-name
The VPN instance of the address pool is configured.
Step 12 (Optional) Run:
priority priority
The priority of a local IP address pool is configured.
Step 13 (Optional) Run:
alloc-order { big-first | small-first }
The order of allocating IP addresses from a local IP address pool is configured.
----End

3.3.4 Configuring an Address Segment


Context
The IP addresses in the address pool and the IP address of the gateway must be in the same subnet. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ip pool pool-name
The local address pool view is displayed.
Step 3 Run:
section section-num start-ip-address [ end-ip-address ]
An address segment is configured. Up to eight address segments can be configured in an address pool. An address segment contains at most 65536 IP addresses. The address segments cannot overlap each other.
----End

3.3.5 (Optional) Configuring the Address Lease


Context
When the IP address used by a client expires, the lease of the IP address must be extended. The lease is extended automatically, as long as the IP address is valid.
NOTE
If ACLs are configured on the device to filter out certain packets, add rules in the ACL view that allow DHCP packets (UDP ports 67 and 68) to pass through. Otherwise, the DHCP packets that the user sends to extend the IP address lease may be dropped, and the lease cannot be extended.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ip pool pool-name
The local address pool view is displayed.
Step 3 Run:
lease days [ hours [ minutes ] ]
The lease of the address pool is configured. By default, the lease of the IP addresses in an address pool is three days. If the lease is set to 0, the lease of the IP addresses is not limited.
----End
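The constraints stated across 3.3.2 to 3.3.5 (gateway and sections in one subnet, at most eight sections of at most 65536 addresses, no overlapping sections, default three-day lease with 50% renewal and 87.5% rebinding times) checked offline against a pool definition before it is pasted into the ME60. This is an added example, not ME60 code; the pool values are constructed, and the check that a section does not contain the gateway address is an assumption taken from the example pool in 2.7.3 rather than a rule the guide states.

```python
"""Offline consistency checks for a local IPv4 address pool definition.
Added example, not ME60 code; limits are those stated in the guide."""
import ipaddress
from typing import List, Sequence, Tuple

MAX_SECTIONS = 8
MAX_SECTION_SIZE = 65536
DEFAULT_LEASE_DAYS = 3


def lease_timers(days: int = DEFAULT_LEASE_DAYS, hours: int = 0,
                 minutes: int = 0) -> Tuple[int, int, int]:
    """Return (lease, renewal, rebinding) in seconds using the default ratios:
    renewal at 50% and rebinding at 87.5% of the lease. A lease of 0 means
    unlimited, so no timers apply and all three values are 0."""
    lease = days * 86400 + hours * 3600 + minutes * 60
    if lease == 0:
        return 0, 0, 0
    return lease, lease // 2, lease * 7 // 8


def check_pool(gateway: str, prefixlen: int,
               sections: Sequence[Tuple[str, str]],
               excluded: Sequence[str] = ()) -> List[str]:
    """Validate a local pool and return the list of problems found (empty when
    the definition is consistent). `sections` are (start, end) pairs as given
    to the section command; `excluded` are excluded-ip-address entries."""
    problems: List[str] = []
    net = ipaddress.IPv4Network("%s/%d" % (gateway, prefixlen), strict=False)
    gw = ipaddress.IPv4Address(gateway)
    if len(sections) > MAX_SECTIONS:
        problems.append("more than %d sections" % MAX_SECTIONS)
    seen = []                                 # (index, (low, high)) so far
    for idx, (start, end) in enumerate(sections):
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if hi < lo:
            problems.append("section %d: end address before start" % idx)
            continue
        if lo not in net or hi not in net:
            problems.append("section %d: not in gateway subnet %s" % (idx, net))
        if int(hi) - int(lo) + 1 > MAX_SECTION_SIZE:
            problems.append("section %d: more than %d addresses" % (idx, MAX_SECTION_SIZE))
        if lo <= gw <= hi:                    # assumption, see lead-in
            problems.append("section %d: contains the gateway address" % idx)
        for jdx, (plo, phi) in seen:
            if lo <= phi and plo <= hi:       # closed intervals intersect
                problems.append("section %d overlaps section %d" % (idx, jdx))
        seen.append((idx, (lo, hi)))
    for addr in excluded:
        a = ipaddress.IPv4Address(addr)
        if not any(lo <= a <= hi for _, (lo, hi) in seen):
            problems.append("excluded address %s is outside every section" % a)
    return problems
```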

3.3.6 (Optional) Configuring Address Protection


Context
Methods of protecting addresses in an address pool are as follows:

- Locking the IP address pool



  You can lock an IP address pool by running the related command. When the IP address pool is locked, no IP address in the pool is assigned to users. This method is usually used when some IP addresses in the pool are still occupied by users and you want to delete the pool: lock the pool so that no new addresses are assigned; after all users log out and the occupied IP addresses are released, delete the pool.

- Excluding the IP address
  You can use this method in a complex network plan to exclude certain IP addresses from allocation, for example an address that is assigned statically to a particular user or device (see 3.6.4 for an example).

- Setting the conflict flag
  If an IP address in the address pool cannot be used because it conflicts with the IP address of another device, set its flag to Conflict so that it is not allocated. When the conflict is cleared, reset the flag manually.

- Reclaiming the IP address
  If an IP address in the address pool is in the Occupied state but no user is using it, you can reclaim the IP address by running the related command.

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip pool pool-name

The local address pool view is displayed.

Step 3 Run one of the following commands as required:
lock

The address pool is locked.

Or run:
excluded-ip-address start-ip-address [ end-ip-address ]

An IP address or an address segment is excluded from allocation.

Or run:
conflict-ip-address start-ip-address [ end-ip-address ]

The IP address conflict flag is set.

Or run:
recycle start-ip-address [ end-ip-address ]

An IP address or an address segment is reclaimed.

----End
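The rules in 3.3.4 and 3.3.6 (segments inside the gateway subnet, at most eight segments of at most 65536 addresses each, no overlapping segments, excluded addresses that actually lie inside a segment) are easy to violate when a pool is planned by hand and only discovered when a command is rejected or, worse, when a statically assigned host starts receiving duplicate-address complaints. The following Python script is added here as an example; it is not ME60 software and not part of this guide. It checks a planned local pool offline before the commands are entered and predicts the total and disable counters that display ip pool reports per segment. The check that a segment does not contain the gateway address is the editor's own sanity check, not a rule the guide states; the pool values in the usage section are taken from the fixed-address example in 3.6.4.

```python
import ipaddress

# Limits for a local address pool stated in 3.3.4.
MAX_SECTIONS = 8
MAX_SECTION_SIZE = 65536


def _ip_range(start, end):
    """Return (start, end) as IPv4Address objects, rejecting a reversed range."""
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if e < s:
        raise ValueError("range end %s precedes start %s" % (e, s))
    return s, e


def validate_pool(gateway, mask, sections, excluded=()):
    """Check a planned local pool against the rules in 3.3.4 and 3.3.6.

    gateway, mask : values of the 'gateway ip-address mask' command
    sections      : {section-num: (start-ip, end-ip)} from the 'section' commands
    excluded      : (start-ip, end-ip) pairs from 'excluded-ip-address'
    Returns a list of problems; an empty list means the plan is consistent.
    """
    problems = []
    gw = ipaddress.IPv4Interface("%s/%s" % (gateway, mask))
    subnet = gw.network

    if len(sections) > MAX_SECTIONS:
        problems.append("%d sections configured, the limit is %d" % (len(sections), MAX_SECTIONS))

    checked = []   # (num, start, end) of sections already seen, for the overlap test
    for num, (start, end) in sorted(sections.items()):
        s, e = _ip_range(start, end)
        size = int(e) - int(s) + 1
        if size > MAX_SECTION_SIZE:
            problems.append("section %d holds %d addresses, the limit is %d" % (num, size, MAX_SECTION_SIZE))
        if s not in subnet or e not in subnet:
            problems.append("section %d (%s-%s) is outside the gateway subnet %s" % (num, s, e, subnet))
        if s <= gw.ip <= e:
            # Not a rule the guide states; handing the gateway address to a subscriber breaks the segment.
            problems.append("section %d contains the gateway address %s" % (num, gw.ip))
        for other, os_, oe in checked:
            if s <= oe and os_ <= e:
                problems.append("section %d overlaps section %d" % (num, other))
        checked.append((num, s, e))

    for start, end in excluded:
        xs, xe = _ip_range(start, end)
        if not any(os_ <= xs and xe <= oe for _, os_, oe in checked):
            problems.append("excluded range %s-%s lies in no section, so nothing is excluded" % (xs, xe))
    return problems


def section_counts(sections, excluded=()):
    """Predict the 'total' and 'disable' columns of 'display ip pool' for each section
    before any user is online: 'disable' counts addresses removed by excluded-ip-address."""
    ranges = [_ip_range(a, b) for a, b in excluded]
    counts = {}
    for num, (start, end) in sections.items():
        s, e = _ip_range(start, end)
        disabled = 0
        for xs, xe in ranges:
            lo, hi = max(int(s), int(xs)), min(int(e), int(xe))
            if lo <= hi:
                disabled += hi - lo + 1
        counts[num] = (int(e) - int(s) + 1, disabled)
    return counts


if __name__ == "__main__":
    # The pool of example 3.6.4: one section, with the fixed address 10.10.10.10 excluded.
    plan = {0: ("10.10.10.2", "10.10.10.200")}
    fixed = [("10.10.10.10", "10.10.10.10")]
    print(validate_pool("10.10.10.1", "255.255.255.0", plan, fixed))   # []
    print(section_counts(plan, fixed))                                  # {0: (199, 1)}
```

For the 3.6.4 pool the script reports no problems and predicts total 199 and disable 1 for section 0, which is what the display ip pool output in that example shows. Run it against a new plan before typing the section and excluded-ip-address commands, and again whenever a fixed address is added for a local account.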

3.3.7 (Optional) Configuring a DHCP Option



Context
DHCP provides a framework for passing configuration parameters to hosts on a TCP/IP network. The DHCP client and server carry negotiated parameters and control information in options, each identified by an option code. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip pool pool-name

The local address pool view is displayed.

Step 3 Run:
option code { ip ip-address | string string }

A DHCP option is configured. Up to four option codes can be configured in an address pool.

----End
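The option mechanism of 3.3.7 and the lease of 3.3.5 both end up on the wire as DHCP options, and a DHCP option field is a sequence of (code, length, value) records. The following Python example is added here for illustration; it is not ME60 code. It encodes the options a server sends for a pool configured as in this chapter (router from the gateway command, DNS from dns-server, the lease as option 51, and per-pool option code { ip | string } values) as RFC 2132 records, and decodes such a field back while refusing a truncated one instead of reading past the data. The custom option codes 224 (string) and 150 (ip) are arbitrary examples, and the mapping of lease 0 to the all-ones infinite lease value in option 51 is the RFC 2132 encoding, which the guide does not describe.

```python
import ipaddress
import struct

# Option codes (RFC 2132) that correspond to pool settings in this chapter.
OPT_ROUTER = 3           # 'gateway ip-address mask'
OPT_DNS = 6              # 'dns-server'
OPT_LEASE_TIME = 51      # 'lease days [ hours [ minutes ] ]'
OPT_END = 255
INFINITE_LEASE = 0xFFFFFFFF   # an all-ones lease time means "infinite" on the wire
MAX_CUSTOM_OPTIONS = 4        # per-pool limit stated in 3.3.7


def lease_seconds(days, hours=0, minutes=0):
    """Convert the CLI lease into the 32-bit seconds value carried in option 51.

    'lease 0' means an unlimited lease on the ME60; DHCP expresses that as 0xFFFFFFFF.
    """
    if days == 0 and hours == 0 and minutes == 0:
        return INFINITE_LEASE
    return days * 86400 + hours * 3600 + minutes * 60


def encode_option(code, body):
    """One option as code, length, value. A single option body is limited to 255 bytes."""
    if not 0 < code < OPT_END:
        raise ValueError("option code %d is out of range" % code)
    if not 0 < len(body) <= 255:
        raise ValueError("option %d body must be 1..255 bytes, got %d" % (code, len(body)))
    return bytes([code, len(body)]) + body


def build_options(gateway, dns_servers, lease, custom=()):
    """Assemble the option field a server sends for a pool configured as in this chapter.

    lease  : (days, hours, minutes) as given to the 'lease' command
    custom : (code, kind, value) tuples mirroring 'option code { ip ip-address | string string }'
    """
    if len(custom) > MAX_CUSTOM_OPTIONS:
        raise ValueError("at most %d option codes per address pool" % MAX_CUSTOM_OPTIONS)
    out = encode_option(OPT_ROUTER, ipaddress.IPv4Address(gateway).packed)
    if dns_servers:
        out += encode_option(OPT_DNS, b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers))
    out += encode_option(OPT_LEASE_TIME, struct.pack("!I", lease_seconds(*lease)))
    for code, kind, value in custom:
        if kind == "ip":
            body = ipaddress.IPv4Address(value).packed
        elif kind == "string":
            body = value.encode("ascii")
        else:
            raise ValueError("custom option kind must be 'ip' or 'string'")
        out += encode_option(code, body)
    return out + bytes([OPT_END])


def decode_options(blob):
    """Parse an option field into {code: bytes}.

    Stops at END, skips PAD, concatenates repeated codes (RFC 3396) and refuses a field
    whose length byte points past the end of the data instead of reading garbage.
    """
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == 0:                       # PAD
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        length = blob[i + 1]
        body = blob[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("option %d claims %d bytes but only %d remain" % (code, length, len(body)))
        opts[code] = opts.get(code, b"") + body
        i += 2 + length
    raise ValueError("option field has no END marker")


def lease_from_options(opts):
    """Lease in seconds from a decoded option set, or None for an unlimited lease."""
    seconds = struct.unpack("!I", opts[OPT_LEASE_TIME])[0]
    return None if seconds == INFINITE_LEASE else seconds


if __name__ == "__main__":
    # Pool values from example 3.6.1 plus two hypothetical custom options.
    field = build_options("20.20.20.1", ["40.40.40.1"], (3, 0, 0),
                          [(224, "string", "isp1"), (150, "ip", "10.0.0.5")])
    print(field.hex())
    print(lease_from_options(decode_options(field)))   # 259200, the default three-day lease
```

The decoder is the part worth keeping: when you capture DHCP traffic with the debugging commands in 3.5.2 while chasing a lease-renewal failure, a parser that validates the length bytes tells you whether the option field itself is malformed or whether the packets simply never arrived (the ACL case described in 3.3.5).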

3.3.8 Associating an Address Pool with a DHCP Server Group


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip pool pool-name remote

The remote address pool view is displayed.

Step 3 Run:
dhcp-server group group-name

The address pool is associated with a DHCP server group.

----End

3.3.9 Checking the Configuration


Run the following command to check the previous configuration.

Action: Check the configuration of the IPv4 address pool.
Command: display ip pool [ name pool-name [ section-num [ start-ip-address [ end-ip-address ] ] | all | used ] ] [ vpn-instance instance-name ]

3.4 Configuring the IPv6 Address Prefix

This section describes the procedure for configuring the IPv6 address prefix.

3.4.1 Establishing the Configuration Task
3.4.2 Creating an IPv6 Address Prefix
3.4.3 Configuring the Value and Length of the IPv6 Address Prefix
3.4.4 Checking the Configuration

3.4.1 Establishing the Configuration Task


Applicable Environment
To allocate IPv6 addresses to users, you need to configure the IPv6 address prefix. The configured IPv6 address prefix can be applied to a domain. For details, see chapter 4 "User Management."

Pre-configuration Tasks
Before configuring the IPv6 address prefix, complete the following task:

- Enabling the IPv6 processing capability
  For details, see chapter 7 "Basic IPv6 Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.

Data Preparation
To configure the IPv6 address prefix, you need the following data.

No. 1: Name of the IPv6 address prefix
No. 2: Value and length of the IPv6 address prefix

3.4.2 Creating an IPv6 Address Prefix



Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipv6 prefix prefix-name

An IPv6 address prefix is created. Up to 1024 IPv6 address prefixes can be configured on the ME60.

----End

3.4.3 Configuring the Value and Length of the IPv6 Address Prefix

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipv6 prefix prefix-name

The IPv6 address prefix view is displayed.

Step 3 Run:
prefix ipv6-prefix-address/prefix-length

The value and length of the IPv6 address prefix are configured.

----End

3.4.4 Checking the Configuration


Run the following command to check the previous configuration.

Action: Check the configuration of the IPv6 prefix.
Command: display ipv6 prefix [ prefix-name ]


3.5 Maintaining Addresses


This section describes the commands used to display address information and to debug the DHCP function.

3.5.1 Displaying Address Management Information
3.5.2 Debugging DHCP

3.5.1 Displaying Address Management Information


After the preceding configuration, run the following display commands in any view to display the address management information and verify the effect of the configuration. For detailed information, refer to the Quidway ME60 Multiservice Control Gateway - Command Reference.

Action: Display the configuration of the IPv4 address pool.
Command: display ip pool [ name pool-name [ section-num [ start-ip-address [ end-ip-address ] ] | all | used ] ] [ vpn-instance vpn-instance-name ]

Action: Display the configuration of the DHCP server group.
Command: display dhcp-server group [ group-name ]

Action: Display information about a DHCP server.
Command: display dhcp-server item ip-address [ vpn-instance vpn-instance ]

Action: Display the statistics on a DHCP server.
Command: display dhcp-server statistics ip-address [ vpn-instance vpn-instance ]

Action: Display the configuration of the IPv6 address prefix.
Command: display ipv6 prefix [ prefix-name ]
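The display ip pool output is what an operator reads to spot pool exhaustion and address conflicts, and it is the natural input for a monitoring check. The following Python script is added here as an example and is not an ME60 tool. It parses the header fields and the per-section table of that output (as captured through a terminal session or a CLI automation channel) and raises the alerts a practitioner would act on: a locked pool, sections with conflicted addresses (a sign of a rogue host or a second DHCP server on the segment), sections about to run out of idle addresses, and counters that no longer add up. The sample output embedded in the script is constructed to follow the column order shown in the examples of this chapter; its spacing and counts are invented.

```python
import re

# Constructed sample of 'display ip pool name' output. The column order matches the
# examples in this chapter; the spacing and the counts are invented for the demonstration.
SAMPLE_OUTPUT = """\
Pool-Name      : isp3_pool
Pool-No        : 0
Lease          : 3 Days 0 Hours 0 Minutes
Position       : Local
Status         : Unlocked
Gateway        : 10.10.10.1
Mask           : 255.255.255.0
-----------------------------------------------------------------------
ID   start          end            total   used   idle   conflicted   disable
-----------------------------------------------------------------------
0    10.10.10.2     10.10.10.200   199     180    17     1            1
1    10.10.11.2     10.10.11.254   253     0      253    0            0
-----------------------------------------------------------------------
"""

COLUMNS = ("id", "start", "end", "total", "used", "idle", "conflicted", "disable")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW_RE = re.compile(r"^\s*(\d+)\s+(%s)\s+(%s)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$" % (IPV4, IPV4))
FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_pool_output(text):
    """Split the command output into a header dict and a list of per-section dicts."""
    header, sections = {}, []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            values = [int(row.group(1)), row.group(2), row.group(3)]
            values += [int(v) for v in row.groups()[3:]]
            sections.append(dict(zip(COLUMNS, values)))
            continue
        field = FIELD_RE.match(line)
        if field:
            header[field.group(1)] = field.group(2)
    return header, sections


def check_pool(text, idle_ratio_threshold=0.10):
    """Return the alerts an operator should act on for one pool's output."""
    header, sections = parse_pool_output(text)
    name = header.get("Pool-Name", "?")
    alerts = []
    if header.get("Status") == "Locked":
        alerts.append("%s: pool is locked, no addresses will be assigned" % name)
    for s in sections:
        if s["conflicted"]:
            alerts.append("%s section %d: %d conflicted address(es); look for a rogue host or "
                          "a second DHCP server on the segment" % (name, s["id"], s["conflicted"]))
        if s["total"] and s["idle"] / s["total"] < idle_ratio_threshold:
            alerts.append("%s section %d: only %d of %d addresses idle"
                          % (name, s["id"], s["idle"], s["total"]))
        if s["used"] + s["idle"] + s["conflicted"] + s["disable"] != s["total"]:
            alerts.append("%s section %d: used+idle+conflicted+disable differs from total; inspect "
                          "with 'display ip pool name %s %d'" % (name, s["id"], name, s["id"]))
    return alerts


if __name__ == "__main__":
    for alert in check_pool(SAMPLE_OUTPUT):
        print(alert)
```

With the embedded sample the script reports two alerts for section 0 (one conflicted address, and fewer than ten percent of its addresses idle) and nothing for section 1. Feed it the output of display ip pool name pool-name for each pool in turn; a conflicted count that keeps growing on one segment deserves a look with the conflict-ip-address and recycle commands of 3.3.6 and a search for the device that answers on those addresses.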

3.5.2 Debugging DHCP

CAUTION
Debugging affects system performance. After debugging, run the undo debugging all command to disable it immediately.

When a fault occurs during address management, run the following debugging commands in the user view to locate the fault. For the procedure for displaying the debugging information, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.


Action: Enable debugging of the DHCP client packets.
Command: debugging dhcpc packet

Action: Enable debugging of the DHCP server packets.
Command: debugging dhcps packet

Action: Enable debugging of the DHCP relay packets.
Command: debugging dhcpr packet

Action: Enable debugging of the DHCP agent packets.
Command: debugging dhcpa packet slot-id

3.6 Configuration Examples


This section provides several configuration examples of address management.
NOTE

In actual networking, the license needs to be loaded. For details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

3.6.1 Example for Allocating an Address from the Local Address Pool
3.6.2 Example for Allocating an Address from the Remote Address Pool
3.6.3 Example for Assigning Addresses to Users from the Relay Address Pool
3.6.4 Example for Allocating a Fixed IP Address to the Local Account
3.6.5 Example for Allocating IPv6 Addresses

3.6.1 Example for Allocating an Address from the Local Address Pool
Networking Requirements
As shown in Figure 3-1, the requirements on networking are as follows:
- Addresses in the local address pool are allocated to the users in domain isp1.
- The IP addresses in the address pool range from 20.20.20.2 to 20.20.20.100. The gateway address is 20.20.20.1.
- The address of the DNS server for the address pool is 40.40.40.1.

NOTE

For the procedure for configuring a domain, see chapter 4 "User Management."

Networking Diagram
Figure 3-1 Networking of allocating IP addresses with the local address pool

[Figure: user@isp1 reaches the ME60 through the access network on GE1/0/2]

Configuration Procedure
NOTE

Only the procedures related to the IPv4 address pool are provided.

1. Configure the local address pool.

[Quidway] ip pool isp1_pool local
[Quidway-ip-pool-isp1_pool] dns-server 40.40.40.1
[Quidway-ip-pool-isp1_pool] gateway 20.20.20.1 255.255.255.0
[Quidway-ip-pool-isp1_pool] section 0 20.20.20.2 20.20.20.100
[Quidway-ip-pool-isp1_pool] quit

2. Configure domain isp1.

[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] ip-pool isp1_pool

3. Verify the configuration.

# View the configuration of local address pool isp1_pool.

[Quidway] display ip pool name isp1_pool
Pool-Name      : isp1_pool
Pool-No        : 0
Lease          : 3 Days 0 Hours 0 Minutes
Option-Code 0  : -
Option-Value 0 : -
Option-Code 1  : -
Option-Value 1 : -
Option-Code 2  : -
Option-Value 2 : -
Option-Code 3  : -
Option-Value 3 : -
DNS-Suffix     : -
Primary-DNS    : 40.40.40.1
Secondary-DNS  : -
Primary-NBNS   : -
Secondary-NBNS : -
Position       : Local
Status         : Unlocked
Gateway        : 20.20.20.1
Mask           : 255.255.255.0
Vpn instance   : -
-----------------------------------------------------------------------
ID   start          end            total   used   idle   conflicted   disable
-----------------------------------------------------------------------
0    20.20.20.2     20.20.20.100   99      0      99     0            0
-----------------------------------------------------------------------

# View the configuration of domain isp1.

[Quidway] display domain name isp1 verbose
......
Domain-name          : isp1
........
IP-address-pool-name : isp1_pool

Configuration Files
#
 sysname Quidway
#
ip pool isp1_pool local
 gateway 20.20.20.1 255.255.255.0
 section 0 20.20.20.2 20.20.20.100
 dns-server 40.40.40.1
#
aaa
 domain isp1
  ip-pool isp1_pool
#
return

3.6.2 Example for Allocating an Address from the Remote Address Pool
Networking Requirements
As shown in Figure 3-2, the requirements on networking are as follows:
- Addresses in the remote address pool are allocated to the users in domain isp2.
- The address of the DHCP server mapped to the remote address pool is 40.40.40.2. The DHCP release agent function is enabled. No secondary DHCP server is configured.

Networking Diagram
Figure 3-2 Networking of allocating IP addresses with the remote address pool

[Figure: user@isp2 reaches the ME60 through the access network on GE1/0/2; the DHCP server is reached through GE2/0/2]

Configuration Procedure
NOTE

Only the procedures related to the IPv4 address pool are provided.

1. Configure the DHCP server.

# Configure a DHCP server group.

[Quidway] dhcp-server group group1
[Quidway-dhcp-server-group-group1] dhcp-server 40.40.40.2
[Quidway-dhcp-server-group-group1] quit

# Configure the global DHCP parameters.

[Quidway] dhcp invalid-server-detecting 60
[Quidway] dhcp check-server-pkt strict
[Quidway] dhcp option-60 domain-included

2. Configure the remote address pool.

[Quidway] ip pool isp2_pool remote
[Quidway-ip-pool-isp2_pool] gateway 30.30.30.1 255.255.255.0
[Quidway-ip-pool-isp2_pool] dhcp-server group group1
[Quidway-ip-pool-isp2_pool] quit

3. Configure domain isp2.

[Quidway] aaa
[Quidway-aaa] domain isp2
[Quidway-aaa-domain-isp2] ip-pool isp2_pool

4. Verify the configuration.

# View the configuration of DHCP server group group1.

[Quidway] display dhcp-server group group1
Group-Name       : group1
Release-Agent    : Support
Primary-Server   : 40.40.40.2
Vpn instance     : -
Status           : up
Secondary-Server : -
Vpn instance     : -
Status           : -

# View the configuration of remote address pool isp2_pool.

[Quidway] display ip pool name isp2_pool
Pool-Name      : isp2_pool
Pool-No        : 1
DHCP-Group     : group1
Primary-DNS    : -
Secondary-DNS  : -
Primary-NBNS   : -
Secondary-NBNS : -
Position       : Remote
Status         : Unlocked
Gateway        : 30.30.30.1
Mask           : 255.255.255.0
Vpn instance   : -
-----------------------------------------------------------------------
ID   start          end            total   used   idle   conflicted   disable
-----------------------------------------------------------------------
0    30.30.30.0     30.30.30.255   256     0      256    0            0
-----------------------------------------------------------------------

# View the configuration of domain isp2.

[Quidway] display domain name isp2 verbose
...
Domain-name          : isp2
.........
IP-address-pool-name : isp2_pool

Configuration Files
#
 sysname Quidway
#
 dhcp invalid-server-detecting 60
 dhcp option-60 domain-included
#
dhcp-server group group1
 dhcp-server 40.40.40.2
#
ip pool isp2_pool remote
 gateway 30.30.30.1 255.255.255.0
 dhcp-server group group1
#
aaa
 domain isp2
  ip-pool isp2_pool
#
return

3.6.3 Example for Assigning Addresses to Users from the Relay Address Pool
Networking Requirements
As shown in Figure 3-3, ME60A assigns addresses to users in the domain isp2 from the remote address pool; ME60B functions as the DHCP server.


Figure 3-3 Networking of assigning addresses to users from the relay address pool

[Figure: user@isp2 reaches ME60A through the access network on GE1/0/2; ME60A GE2/0/2 (121.0.0.1) connects to ME60B GE2/0/2 (121.0.0.2)]

Configuration Procedure
NOTE

This section lists only the procedures related to the IPv4 address pool.

1. Configure a DHCP server.

# Configure a DHCP server group.

[ME60A] dhcp-server group group1
[ME60A-dhcp-server-group-group1] dhcp-server 121.0.0.2
[ME60A-dhcp-server-group-group1] quit

# Configure global DHCP parameters.

[ME60A] dhcp invalid-server-detecting 60
[ME60A] dhcp check-server-pkt strict
[ME60A] dhcp option-60 domain-included

2. Configure a remote address pool.

[ME60A] ip pool isp2_pool remote
[ME60A-ip-pool-isp2_pool] gateway 23.0.0.1 255.255.255.0
[ME60A-ip-pool-isp2_pool] dhcp-server group group1
[ME60A-ip-pool-isp2_pool] quit

3. Configure domain isp2.

[ME60A] aaa
[ME60A-aaa] domain isp2
[ME60A-aaa-domain-isp2] ip-pool isp2_pool
[ME60A-aaa-domain-isp2] quit
[ME60A-aaa] quit

4. Configure the interconnection interface and a static route so that traffic from users who have obtained IP addresses can be forwarded between ME60A and ME60B.

[ME60A] interface GigabitEthernet 2/0/2
[ME60A-GigabitEthernet2/0/2] undo shutdown
[ME60A-GigabitEthernet2/0/2] ip address 121.0.0.1 24
[ME60A-GigabitEthernet2/0/2] quit
[ME60A] ip route-static 0.0.0.0 0.0.0.0 121.0.0.2

5. Configure ME60B.

# Configure a relay address pool.

[ME60B] ip pool isp2_pool relay
[ME60B-ip-pool-isp2_pool] gateway 23.0.0.1 255.255.255.0
[ME60B-ip-pool-isp2_pool] section 1 23.0.0.2 23.0.0.253
[ME60B-ip-pool-isp2_pool] quit

# Configure the interconnection interface and a static route to the user network segment 23.0.0.0/24, which is reached through ME60A.

[ME60B] interface GigabitEthernet 2/0/2
[ME60B-GigabitEthernet2/0/2] undo shutdown
[ME60B-GigabitEthernet2/0/2] ip address 121.0.0.2 24
[ME60B-GigabitEthernet2/0/2] quit
[ME60B] ip route-static 23.0.0.0 255.255.255.0 121.0.0.1

6. Verify the configuration on ME60A.

# Check the configuration of the DHCP server group group1.

[ME60A] display dhcp-server group group1
Group-Name       : group1
Release-Agent    : Support
Primary-Server   : 121.0.0.2
Vpn instance     : -
Status           : up
Secondary-Server : -
Vpn instance     : -
Status           : -

# Check the configuration of the remote address pool isp2_pool.

[ME60A] display ip pool name isp2_pool
Pool-Name      : isp2_pool
Pool-No        : 1
DHCP-Group     : group1
Primary-DNS    : -
Secondary-DNS  :
Primary-NBNS   : -
Secondary-NBNS : -
Position       : Remote
Status         : Unlocked
Gateway        : 23.0.0.1
Mask           : 255.255.255.0
Vpn instance   : -
-----------------------------------------------------------------------
ID   start        end           total   used   idle   conflicted   disable
-----------------------------------------------------------------------
0    23.0.0.2     23.0.0.253    252     0      252    0            0
-----------------------------------------------------------------------

# Check the configuration of the domain isp2.

[ME60A] display domain name isp2 verbose
....
Domain-name          : isp2
......
IP-address-pool-name : isp2_pool

Configuration Files
Configuration file of ME60A

#
 sysname ME60A
#
interface GigabitEthernet2/0/2
 undo shutdown
 ip address 121.0.0.1 255.255.255.0
#
 dhcp invalid-server-detecting 60
 dhcp option-60 domain-included
#
dhcp-server group group1
 dhcp-server 121.0.0.2
#
ip pool isp2_pool remote
 gateway 23.0.0.1 255.255.255.0
 dhcp-server group group1
#
aaa
 domain isp2
  ip-pool isp2_pool
#
 ip route-static 0.0.0.0 0.0.0.0 121.0.0.2
#
return

Configuration file of ME60B

#
 sysname ME60B
#
interface GigabitEthernet2/0/2
 undo shutdown
 ip address 121.0.0.2 255.255.255.0
#
ip pool isp2_pool relay
 gateway 23.0.0.1 255.255.255.0
 section 1 23.0.0.2 23.0.0.253
#
 ip route-static 23.0.0.0 255.255.255.0 121.0.0.1
#
return

3.6.4 Example for Allocating a Fixed IP Address to the Local Account


Networking Requirements
As shown in Figure 3-4, the requirements on networking are as follows:
- The user dials in through PPP and uses local authentication.
- The user uses the fixed IP address 10.10.10.10.
- The user belongs to domain isp3.
- The user and users in other networks can access each other after they go online.

Networking Diagram
Figure 3-4 Networking of allocating a fixed IP address to the local account

[Figure: user@isp3 (10.10.10.10) reaches the ME60 through the access network on GE7/0/2.1; ME60 GE7/0/0 (20.20.20.1/24) connects to the peer router GE4/0/0 (20.20.20.2/24), behind which lies network 30.30.30.0/24]

Configuration Procedure
NOTE

Only the procedures performed on the ME60 are mentioned.

1. Configure the authentication scheme.

<Quidway> system-view
[Quidway] aaa
[Quidway-aaa] authentication-scheme auth3
[Quidway-aaa-authen-auth3] authentication-mode local
[Quidway-aaa-authen-auth3] quit
[Quidway-aaa] quit

2. Configure the local address pool. The fixed address 10.10.10.10 is excluded from the pool so that it is never allocated dynamically to another user.

[Quidway] ip pool isp3_pool local
[Quidway-ip-pool-isp3_pool] gateway 10.10.10.1 255.255.255.0
[Quidway-ip-pool-isp3_pool] section 0 10.10.10.2 10.10.10.200
[Quidway-ip-pool-isp3_pool] excluded-ip-address 10.10.10.10
[Quidway-ip-pool-isp3_pool] quit

3. Configure domain isp3.

[Quidway] aaa
[Quidway-aaa] domain isp3
[Quidway-aaa-domain-isp3] authentication-scheme auth3
[Quidway-aaa-domain-isp3] accounting-scheme default0
[Quidway-aaa-domain-isp3] ip-pool isp3_pool
[Quidway-aaa-domain-isp3] quit
[Quidway-aaa] quit

4. Configure a local account with the fixed IP address.

[Quidway] local-aaa-server
[Quidway-local-aaa-server] user user@isp3 ip-address 10.10.10.10 authentication-type p
[Quidway-local-aaa-server] quit

5. Configure the related interfaces.

# Configure a virtual template interface.

[Quidway] interface Virtual-Template 1
[Quidway-Virtual-Template1] quit

# Configure the BAS interface.

[Quidway] interface GigabitEthernet 7/0/2
[Quidway-GigabitEthernet7/0/2] undo shutdown
[Quidway-GigabitEthernet7/0/2] interface GigabitEthernet 7/0/2.1
[Quidway-GigabitEthernet7/0/2.1] pppoe-server bind virtual-template 1
[Quidway-GigabitEthernet7/0/2.1] user-vlan 100
[Quidway-GigabitEthernet7/0/2.1-vlan-100-100] bas
[Quidway-GigabitEthernet7/0/2.1-bas] access-type layer2-subscriber

6. Advertise the route to the network segment of the access user.

# Configure the uplink interface.

[Quidway] interface GigabitEthernet 7/0/0
[Quidway-GigabitEthernet7/0/0] undo shutdown
[Quidway-GigabitEthernet7/0/0] ip address 20.20.20.1 24
[Quidway-GigabitEthernet7/0/0] quit

# Advertise the route to the network segment of the access user.

[Quidway] ospf 1
[Quidway-ospf-1] import-route unr
[Quidway-ospf-1] area 0
[Quidway-ospf-1-area-0.0.0.0] network 20.20.20.0 0.0.0.255
[Quidway-ospf-1-area-0.0.0.0] quit
[Quidway-ospf-1] quit

NOTE

Do as follows on the peer router:

- Configure the IP address of GE4/0/0 as 20.20.20.2/24.
- Configure OSPF. Run the network command to advertise the route to network segment 20.20.20.0/24 in area 0.
- If 30.30.30.0/24 is a user network segment, run the import-route unr command to advertise the route; otherwise, run the network command to advertise the route.

7. Verify the configuration.

# View the configuration of local address pool isp3_pool. The excluded address 10.10.10.10 is counted in the disable column.

[Quidway] display ip pool name isp3_pool
Pool-Name      : isp3_pool
Pool-No        : 0
Lease          : 3 Days 0 Hours 0 Minutes
Option-Code 0  : -
Option-Value 0 : -
Option-Code 1  : -
Option-Value 1 : -
Option-Code 2  : -
Option-Value 2 : -
Option-Code 3  : -
Option-Value 3 : -
DNS-Suffix     : -
Primary-DNS    : -
Secondary-DNS  : -
Primary-NBNS   : -
Secondary-NBNS : -
Position       : Local
Status         : Unlocked
Gateway        : 10.10.10.1
Mask           : 255.255.255.0
Vpn instance   : -
--------------------------------------------------------------------------
ID   start          end            total   used   idle   conflicted   disable
--------------------------------------------------------------------------
0    10.10.10.2     10.10.10.200   199     0      198    0            1
--------------------------------------------------------------------------

# View the configuration of domain isp3.

[Quidway] display domain name isp3 verbose
.....
Domain-name                : isp3
Domain-state               : Active
Domain-type                : Normal domain
Service-type               : HSI
.......
Authentication-scheme-name : auth3
Accounting-scheme-name     : default0
IP-address-pool-name       : isp3_pool
......

Enter the user name user@isp3 and the password vlan on the PPP client; the user logs in successfully. Note that this password is stored in plain text (password simple) in the configuration file listed under "Configuration Files" below, so treat the configuration file as sensitive.

# Check whether user user@isp3 is online.

<Quidway> display access-user username user@isp3
-------------------------------------------------------------------------
UserID   Username     Interface   IP address    MAC
-------------------------------------------------------------------------
0        user@isp3    GE7/0/2.1   10.10.10.10   0016-ecb7-a879
-------------------------------------------------------------------------
Total 1

# Display the detailed information about the user with user ID 0. The IP address of the user is 10.10.10.10, and the user is a PPP user that uses local authentication.

<Quidway> display access-user user-id 0
User access index                 : 0
User name                         : user@isp3
Domain-name                       : isp3
User access Interface             : GigabitEthernet7/0/2.1
QinQVlan/UserVlan                 : 0/100
User MAC                          : 0016-ecb7-a879
User IP address                   : 10.10.10.10
User access type                  : PPPoE
Service-type                      : HSI
User authentication type          : PPP authentication
Normal-server-group               :
Two-level-acct-server-group       :
Physical-acct-server-group        :
Authen method                     : Local
Current authen method             : Local
Authen result                     : Success
Action flag                       : Idle
Authen state                      : Authed
Author state                      : Idle
Accounting method                 : None
User access time                  : 2007/12/05 10:36:00
Accounting start time             : 2007/12/05 10:36:00
Accounting state                  : Ready

EAP user                          : No
MD5 end                           : No
User MSIDSN name                  :
Idle-cut-data (time,rate)         : 0 minute, 60 Kbyte/minute
VPN instance                      : -
GRE group                         :
UserGroup                         :
QOS-profile-name                  :
Multicast-profile                 : default
Max Multicast List Number         : 4
UpPriority                        : 0
DownPriority                      : 0
Policy-route-nexthop              :
Up CAR enable                     : No
Up committed information rate     : 0 (Kbps)
Up peak information rate          : 0 (Kbps)
Down shaping enable               : No
Down committed information rate   : 0 (Kbps)
Down peak information rate        : 0 (Kbps)
QOS scheduler mode                : DEFAULT
If flow info contain l2-head      : Yes
Up packets number(high,low)       : (0,0)
Up bytes number(high,low)         : (0,0)
Down packets number(high,low)     : (0,0)
Down bytes number(high,low)       : (0,0)
Time remained                     :
Option82 information              : -

# The routing table shows that the route to the network segment of the user is advertised. The user can ping address 30.30.30.1.

<Quidway> display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11

Destination/Mask    Proto   Pre  Cost   Flags  NextHop       Interface
20.20.20.0/24       Direct  0    0      D      20.20.20.1    GigabitEthernet7/0/0
20.20.20.1/32       Direct  0    0      D      127.0.0.1     InLoopBack0
20.20.20.255/32     Direct  0    0      D      127.0.0.1     InLoopBack0
10.10.10.0/24       Unr     61   0      D      0.0.0.0       NULL0
10.10.10.1/32       Unr     61   0      D      127.0.0.1     InLoopBack0
10.10.10.10/32      Unr     63   0      D      30.30.30.30   GigabitEthernet7/0/2.1
30.30.30.0/24       O_ASE   150  1      D      20.20.20.2    GigabitEthernet7/0/0
127.0.0.0/8         Direct  0    0      D      127.0.0.1     InLoopBack0
127.0.0.1/32        Direct  0    0      D      127.0.0.1     InLoopBack0
127.255.255.255/32  Direct  0    0      D      127.0.0.1     InLoopBack0
255.255.255.255/32  Direct  0    0      D      127.0.0.1     InLoopBack0

Configuration Files
#
 sysname Quidway
#
interface Virtual-Template1
#
interface GigabitEthernet7/0/0
 undo shutdown
 ip address 20.20.20.1 255.255.255.0
#
interface GigabitEthernet7/0/2
 undo shutdown
#
interface GigabitEthernet7/0/2.1
 pppoe-server bind Virtual-Template 1
 user-vlan 100
 bas
  access-type layer2-subscriber
#
ip pool isp3_pool local
 gateway 10.10.10.1 255.255.255.0
 section 0 10.10.10.2 10.10.10.200
 excluded-ip-address 10.10.10.10
#
aaa
 authentication-scheme auth3
  authentication-mode local
 domain isp3
  authentication-scheme auth3
  accounting-scheme default0
  ip-pool isp3_pool
#
local-aaa-server
 user user@isp3 password simple vlan ip-address 10.10.10.10 authentication-type
#
ospf 1
 import-route unr
 area 0.0.0.0
  network 20.20.20.0 0.0.0.255
#
return

3.6.5 Example for Allocating IPv6 Addresses


Networking Requirements
The networking requirements are as follows:

- You need to allocate addresses to the IPv6 users in domain isp3.
- The prefix of the IPv6 addresses is 2001:0410::0:1/64.

Networking Diagram
Figure 3-5 Networking of allocating IPv6 addresses

[Figure: IPv6-User@isp3 reaches the ME60 through the access network]

Configuration Procedure
NOTE

Only the procedures related to the IPv6 address prefix are provided.

1. Configure an IPv6 address prefix.

<Quidway> system-view
[Quidway] ipv6 prefix prefix1
[Quidway-ipv6-prefix-prefix1] prefix 2001:0410::0:1/64
[Quidway-ipv6-prefix-prefix1] quit

2. Configure domain isp3.

[Quidway] aaa
[Quidway-aaa] domain isp3
[Quidway-aaa-domain-isp3] prefix prefix1

3. Verify the configuration.

# View the configuration of IPv6 prefix prefix1.

[Quidway] display ipv6 prefix prefix1
------------------------------------------------------------
Prefix Name    : prefix1
Prefix Index   : 0
Prefix Address : 2001:410::1
Prefix Length  : 64
Prefix Status  : Valid
------------------------------------------------------------

# Display the configuration of domain isp3.

[Quidway] display domain name isp3 verbose
....
Domain-name      : isp3
......
IPv6-Prefix-name : prefix1(ACTIVE)
......

Configuration Files
#
 sysname Quidway
#
ipv6 prefix prefix1
 prefix 2001:410::1/64
#
aaa
 domain isp3
  prefix prefix1
#
return

4 User Management

About This Chapter

This chapter describes the concept, rationale, and configuration of user management and provides several configuration examples.

4.1 Introduction
This section describes the concept of user management.
4.2 Configuring a Domain
This section describes the procedure for configuring a domain.
4.3 Configuring User Account Parsing
This section describes the procedure for configuring the user account parsing function.
4.4 Configuring the User Name Format and Password of an IPoX User
This section describes the procedure for configuring the user name format and password of an IPoX user.
4.5 Configuring Static Users
This section describes the procedure for configuring static users.
4.6 Maintaining User Management
This section describes the commands used to display information about user management.
4.7 Configuration Examples
This section provides several configuration examples of user management.


4.1 Introduction
This section describes the concept of user management.

4.1.1 Domain
4.1.2 User Account and Password
4.1.3 Static User

4.1.1 Domain
The ME60 manages users based on domains. Every user belongs to a particular domain. The users in a domain have the same service attributes. In general, a domain uses the name of the Internet service provider (ISP) or the name of a service of the ISP.

Relation Between Domains and User Accounts

On the ME60, all user accounts are configured on the AAA (RADIUS/HWTACACS) server, except accounts that do not need to be authenticated, accounts that are authenticated locally, and accounts that are not charged. The domains of the user accounts on the AAA server must also be configured on the ME60. Figure 4-1 shows the relationship between domains and accounts.

Figure 4-1 Sketch map of domains

[Figure: the accounts john@isp1, smith@isp1, ... kane@isp1, rose@isp2, bill@isp2, ... norton@isp2, mary@isp3, niken@isp3, ... fejy@isp3 are held on the RADIUS/HWTACACS server; the corresponding domains isp1, isp2, ... isp3 are configured on the ME60]

The service attributes configured in a domain have lower priority than the service attributes delivered by the AAA server. When an attribute is both configured in the domain and delivered by the AAA server, the ME60 uses the value delivered by the AAA server; the value configured in the domain takes effect only when the AAA server does not support or does not deliver that attribute. For example, if the user priority of domain isp1 is set to 3 on the ME60 and the RADIUS server delivers priority 5 for user user1@isp1, the ME60 sets the priority of user1@isp1 to 5.

Default Domain
A default domain always exists in the system. You can modify the service attribute of the domain but cannot delete the domain.
The default domains on the ME60 are default0, default1, and default_admin, as described in Table 4-1.

Table 4-1 Default domains on the ME60

default0
  Purpose: the default domain for users before authentication. When a user logs in to the ME60 but has not yet been authenticated, the ME60 cannot identify the user's domain and treats the user as belonging to default0.
  Default attributes: no authentication, no accounting

default1
  Purpose: the default domain for users during authentication. If the user name entered by the user does not contain a domain name, the ME60 treats the user as belonging to default1.
  Default attributes: RADIUS authentication and RADIUS accounting

default_admin
  Purpose: the default domain for operators. When an operator logs in to the ME60 through Telnet or SSH and the entered user name does not contain a domain name, the ME60 treats the operator as belonging to default_admin.
  Default attributes: RADIUS authentication and no accounting

Domains Configured on the BAS Interface

The following domains can be configured on a BAS interface:

- Pre-authentication domain
  This domain is used by web authentication users to obtain addresses before they authenticate. The ME60 generates the user account for this domain according to the configuration; for details, see "4.4 Configuring the User Name Format and Password of an IPoX User." Once admitted to the pre-authentication domain, the user obtains an IP address and the access rights defined by the user group bound to this domain. Until web authentication succeeds, the user can reach only the web authentication server and the DNS server; this restriction is enforced by the user group and its ACL. The user then opens the web page and enters the user account and password. If no pre-authentication domain is configured on the BAS interface, the ME60 uses default0 as the pre-authentication domain.

- Default authentication domain
  If the user account does not contain a domain name, the authentication scheme, accounting scheme, and RADIUS policy of the default authentication domain are applied to the user. IPoX users using fast authentication and binding authentication also use the authentication scheme, accounting scheme, and RADIUS policy of the default authentication domain. If no default authentication domain is configured on the BAS interface, the ME60 uses default1 as the default authentication domain.

- Mandatory authentication domain
  If this domain is configured, its authentication scheme, accounting scheme, and RADIUS policy are applied to the user regardless of the domain name the user enters. The domain name in the user account is not changed during authentication. If the user does not enter a domain name, the name of this domain is added to the account.

- Mandatory replacement authentication domain
  If this domain is configured, its authentication scheme, accounting scheme, and RADIUS policy are applied to the user regardless of whether the user enters a domain name and regardless of which domain name is entered. During authentication, the user's domain is forcibly replaced by this domain. If the user does not enter a domain name, the ME60 appends the name of this domain to the entered user name to form the user account.

- Roaming domain
  If the domain name entered in the user account is not configured on the ME60, the authentication scheme, accounting scheme, and RADIUS policy of the roaming domain are applied to the user. The user account must contain a domain name; otherwise, the roaming domain policy is not used. The user account is not changed during authentication. If no roaming domain is configured on the BAS interface, the ME60 uses default1 as the roaming domain. With the default settings, a user who enters an unknown domain name is therefore authenticated through default1 (RADIUS authentication) rather than rejected; configure a dedicated roaming domain if that is not intended.

- Authentication domain
  When connecting to the Internet, the user enters a user account that may include a domain name. The entered domain name specifies the authentication domain of the user, and the authentication scheme, accounting scheme, and RADIUS policy of that domain are applied, provided that the domain exists on the ME60 and the BAS interface is configured with neither a mandatory authentication domain nor a mandatory replacement authentication domain.

- Permit domain
  Users that access through the BAS interface are treated as users of this domain.

4.1.2 User Account and Password


User Account Format
The user account on the ME60 is in the format of user name + domain name delimiter + domain name, or domain name + domain name delimiter + user name. You can run the related command to set the name of the user domain to be on the left or right of the delimiter. A user account can contain two delimiters: realm name delimiter and domain name delimiter. For example, in A/B@C, "/" is a realm name delimiter and @ is a domain name delimiter.

User Account Parsing


The ME60 manages users based on domains, so it must parse the domain name from the user account. The ME60 parses the user name and domain name according to the domain name delimiter and the realm name delimiter. The parsing result depends on the domain name delimiter, the location of the domain name, the realm name delimiter, the location of the realm name, the parsing direction of the domain name, and the parsing priority. The rules for parsing a user account are as follows:
- If the realm name delimiter is configured and the parsing priority is domain-first, the system first parses the realm name according to the realm name delimiter, the realm name parsing direction, and the location of the realm name. It then parses the remaining string, excluding the realm name and the realm name delimiter, for the domain name.
- If no realm name delimiter is configured, the system parses the user account according to the domain name delimiter, the location of the domain name, and the parsing direction of the domain name.
- If the parsing priority is realm-first, the realm name delimiter is configured, and the user account contains the realm name delimiter, the system parses the user account according to the realm name delimiter, the location of the realm name, and the parsing direction of the realm name. The domain name delimiter, the location of the domain name, and the parsing direction of the domain name are not involved.
- If the parsing priority is realm-first and the realm name delimiter is configured, but the user account does not contain the realm name delimiter, the system parses the user account according to the domain name delimiter, the location of the domain name, and the parsing direction of the domain name.
NOTE

The authentication domain and authorization domain used when the user logs in to the ME60 depend on the domain parsed from the user account and the domain configured on the BAS interface. For details, see "Domains Configured on the BAS Interface."
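The following Python model is an added example, not Huawei code, and illustrates both the account-parsing rules above and the BAS-interface domain selection described under "Domains Configured on the BAS Interface". It lets you check, for a given delimiter configuration and BAS-interface setup, which domain a given account string would actually be authenticated in. The field names, the order in which the BAS-interface domains are checked, and the treatment of the realm name as the domain in realm-first mode are assumptions drawn from the text; the sample accounts are constructed.

```python
"""Added example, not Huawei code: a model of the account-parsing rules in
4.1.2 (domain/realm delimiters, location, parsing direction, domain-first
vs realm-first) chained to the BAS-interface domain selection of 4.1.1.
Field names, the order in which BAS-interface domains are checked, and the
use of the realm name as the domain in realm-first mode are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ParseConfig:
    domain_delim: str = "@"            # domain name delimiter
    domain_on_right: bool = True       # domain name is right of its delimiter
    domain_from_left: bool = False     # split at the first (True) or last (False) delimiter
    realm_delim: Optional[str] = None  # realm name delimiter, None when not configured
    realm_on_right: bool = False
    realm_from_left: bool = True
    realm_first: bool = False          # parsing priority: realm-first (True) or domain-first


@dataclass
class BasInterface:
    default_domain: Optional[str] = None   # default authentication domain
    mandatory_domain: Optional[str] = None
    replace_domain: Optional[str] = None   # mandatory replacement authentication domain
    roaming_domain: Optional[str] = None


def _split(s, delim, on_right, from_left):
    """Split s at one delimiter; return (rest, name) or (s, None) if absent."""
    idx = s.find(delim) if from_left else s.rfind(delim)
    if idx < 0:
        return s, None
    left, right = s[:idx], s[idx + len(delim):]
    return (left, right) if on_right else (right, left)


def parse_account(account, cfg):
    """Return (user_name, domain_name, realm_name) per the four rules of 4.1.2."""
    if cfg.realm_delim and cfg.realm_first:
        if cfg.realm_delim in account:
            # realm-first and the delimiter is present: only the realm settings
            # are used; the domain delimiter plays no part (assumed: realm = domain)
            user, realm = _split(account, cfg.realm_delim, cfg.realm_on_right, cfg.realm_from_left)
            return user, realm, realm
        # realm-first but no realm delimiter in the account: use the domain delimiter
        user, domain = _split(account, cfg.domain_delim, cfg.domain_on_right, cfg.domain_from_left)
        return user, domain, None
    realm = None
    if cfg.realm_delim:
        # domain-first with a realm delimiter: strip realm and delimiter first,
        # then parse the remainder with the domain settings
        account, realm = _split(account, cfg.realm_delim, cfg.realm_on_right, cfg.realm_from_left)
    user, domain = _split(account, cfg.domain_delim, cfg.domain_on_right, cfg.domain_from_left)
    return user, domain, realm


def resolve(account, cfg, bas, configured_domains):
    """Return (effective authentication domain, account used for authentication).

    The BAS-interface domains are checked in this order (assumed; the page does
    not say what happens if both mandatory kinds are configured): mandatory
    replacement, mandatory, default (no domain entered), the entered domain if
    it exists on the ME60, otherwise roaming. default1 is the fallback for the
    default and roaming domains, as stated on the page.
    """
    user, domain, _realm = parse_account(account, cfg)

    def join(d):
        return user + cfg.domain_delim + d if cfg.domain_on_right else d + cfg.domain_delim + user

    if bas.replace_domain:
        return bas.replace_domain, join(bas.replace_domain)   # entered domain overwritten
    if bas.mandatory_domain:
        # the entered domain name is kept; the mandatory name is added only if none was entered
        return bas.mandatory_domain, account if domain else join(bas.mandatory_domain)
    if domain is None:
        d = bas.default_domain or "default1"
        return d, join(d)
    if domain in configured_domains:
        return domain, account
    return bas.roaming_domain or "default1", account   # unknown domain: account unchanged


if __name__ == "__main__":
    # constructed sample accounts against a BAS interface with no extra domains
    cfg = ParseConfig()
    for acct in ("john@isp1", "john", "john@isp9"):
        print(acct, "->", resolve(acct, cfg, BasInterface(), {"isp1", "isp2"}))
```

Running the module with a domain set that lacks isp9 shows the point made in the roaming-domain description: john@isp9 is not rejected but is handed to default1 with the account unchanged.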

User Account Generation Mode


The user account can be entered by the user on the client or generated by the ME60 automatically in a certain format. The generation mode depends on the authentication mode used when the user goes online.

- PPP authentication, 802.1X authentication, and web authentication
  Dedicated clients are used for these authentication modes, so when a user goes online with one of them the user account is entered on the authentication client. If the entered user account does not contain a domain name, the default domain name or the one configured on the BAS interface is used. For details about the domains configured on the BAS interface, see "Domains Configured on the BAS Interface."

- Binding authentication, fast authentication, and pre-authentication
  No dedicated client is used for these authentication modes. When a user goes online with any of them, the ME60 generates a user account in a specified format to authenticate and manage the user. The format is user name + domain name delimiter + domain name, or domain name + domain name delimiter + user name. The domain name is the name of the pre-authentication domain or of the authentication domain configured on the BAS interface. The user name is generated according to the configuration and takes one of the following forms:
  - The IP address contained in the access request packet. This applies only to access users whose packets carry IP addresses, such as Layer 3 users and static users.
  - The MAC address contained in the access request packet.
  - Option 82 contained in the access request packet.
  - The host name, which is configured by running the sysname host-name command in the system view.
  - A combination of the IP address, MAC address, Option 82, and host name. The fields are arranged in the order in which the parameters were configured.
  - A name in the format set by the vlanpvc-to-username command, built from the user's access interface and VLAN information.
  These values are taken from the access request packet or from the device configuration rather than entered by a person, so an account generated this way identifies the access line or host, not a subscriber who has presented a password.

4.1.3 Static User


A static user is a user with a fixed IP address: the user configures a fixed IP address on the host, and the operator configures that address as a valid static address on the ME60. A static user differs from a DHCP user and a PPP user only in how the IP address is obtained. A DHCP user obtains an address through DHCP and a PPP user through PPP negotiation, but the AAA and BRAS features of all three user types are the same on the BRAS. The ME60 performs authentication, accounting, and authorization for static users when they go online.

4.2 Configuring a Domain


This section describes the procedure for configuring a domain.

4.2.1 Establishing the Configuration Task
4.2.2 Creating a Domain
4.2.3 Specifying AAA Schemes
4.2.4 Specifying Servers
4.2.5 Specifying an IPv4 Address Pool or an IPv6 Address Prefix
4.2.6 (Optional) Configuring the Maximum Number of Access Users
4.2.7 (Optional) Configuring the Maximum Number of Sessions for an Account
4.2.8 (Optional) Configuring User Priority
4.2.9 (Optional) Specifying Groups
4.2.10 (Optional) Specifying Profile and Policy
4.2.11 (Optional) Configuring Service Type for Domain Users
4.2.12 (Optional) Configuring the Reserved Bandwidth
4.2.13 (Optional) Configuring Additional Functions
4.2.14 (Optional) Activating a Domain
4.2.15 Checking the Configuration

4.2.1 Establishing the Configuration Task


Applicable Environment
To perform AAA on users based on a domain, you need to configure the domain.
Pre-configuration Tasks
Before configuring a domain, complete the following tasks:

- Configuring the authentication, accounting, and authorization schemes
- Configuring the RADIUS server group if RADIUS authentication and accounting are used
- Configuring the HWTACACS server template if HWTACACS authentication, accounting, and authorization are used
- Configuring the IPv4 address pool

Data Preparation
To configure a domain, you need the following data.

No. Data
1 Domain name
2 Names of the authentication scheme, accounting scheme, and authorization scheme
3 RADIUS server group name, HWTACACS server template name, COPS server group name, IP address/URL/mode of the mandatory web authentication server, and IP address of the DNS server
4 Name of the IPv4 address pool
5 (Optional) Maximum number of users and maximum number of connections that can be set up per second
6 (Optional) User group, GRE group, L2TP group, VPN instance, and security zone
7 (Optional) Names of the 802.1X template, QoS profile, and VAS policy
8 (Optional) Options for enabling the captive portal, time-range-based control, idle cut, mandatory PPP authentication, policy-based routing, IP address usage warning, traffic statistics, and accounting packet copy functions, and the relevant parameters

NOTE

The attributes configured in the domain, such as the user priority, user group, idle-cut parameters, time-range-based QoS, QoS profile, queue profile, VAS policy, policy-based route, multicast, and re-authentication timeout, apply only to users that go online after the attributes are configured. They do not affect users that are already online.

4.2.2 Creating a Domain


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
domain domain-name

A domain is created. Up to 1024 domains can be created on the ME60. The ME60 has three default domains: default0, default1, and default_admin. For a description of the default domains, see "Default Domain."
----End

4.2.3 Specifying AAA Schemes


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
domain domain-name

The domain view is displayed.
Step 4 Run:
authentication-scheme scheme-name

The authentication scheme is specified for the domain. By default, a user-defined domain uses authentication scheme default1; domain default0 uses authentication scheme default0; domain default1 uses authentication scheme default1; domain default_admin uses authentication scheme default1.
Step 5 Run:
accounting-scheme scheme-name

The accounting scheme is specified for the domain. By default, a user-defined domain uses accounting scheme default1; domain default0 uses accounting scheme default0; domain default1 uses accounting scheme default1; domain default_admin uses accounting scheme default0.
Step 6 Run:
authorization-scheme scheme-name

The authorization scheme is specified for the domain. By default, no authorization scheme is specified for the domain.
----End

4.2.4 Specifying Servers


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
domain domain-name

The domain view is displayed.
Step 4 Run:
hwtacacs-server template-name

An HWTACACS server template is specified for the domain. By default, no HWTACACS server template is specified for the domain.
Or run:
radius-server group group-name

A RADIUS server group is specified for the domain. By default, no RADIUS server group is specified for the domain.
Or run:
cops-server group group-name

A Common Open Policy Service (COPS) server group is specified for the domain. By default, no COPS server group is specified for the domain.
Or run:
web-server { url url | ip-address | mode { get | post } }

The mandatory web authentication server is specified. By default, no mandatory web authentication server is specified for the domain.
Or run:
dns ip-address [ secondary ]

The DNS server is specified. By default, no DNS server is specified for the domain.

The ME60 supports COPS servers of various types that send value-added service policies to the same user, so multiple COPS server groups can be bound to a domain. Currently, a maximum of four types of COPS servers, that is, DSG, SIG, CIPN-E4P, and CIPNIAP, can be bound to a domain at the same time, and only one COPS server group can be bound for each type.

By default, no HWTACACS server template, RADIUS server group, COPS server group, mandatory web authentication server, or DNS server is specified for a domain.
----End

4.2.5 Specifying an IPv4 Address Pool or an IPv6 Address Prefix


Context
An IPv4 address pool can be either a local or remote address pool. For the configuration of the IPv4 address pool, see chapter 3 "Address Management." Up to 128 IPv4 address pools can be specified in a domain. An address pool can be applied to multiple domains. The sequence number of an address pool configured in a domain can be changed. The number of address pools configured in a domain determines the range of the available sequence number. For example, if 10 address pools are configured in a domain, the range of sequence number that can be changed is 1 to 10. Only one IPv6 address prefix can be specified in a domain. An IPv6 address prefix can be applied in only one domain. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
domain domain-name

The domain view is displayed.
Step 4 Run:
ip-pool pool-name [ move-to position ]

An IPv4 address pool is specified for the domain.
Or run:
prefix prefix-name

The IPv6 address prefix is specified.
Step 5 (Optional) Run:
ip-pool mapping source-pool-name poolname to { local-pool } &<1-16>

The address pool delivered by the RADIUS server is mapped to local address pools.
----End

4.2.6 (Optional) Configuring the Maximum Number of Access Users


Context
By limiting the number of users in a domain, you can ensure the performance of the ME60. When the number of users reaches the maximum value, the subsequent access requests are denied. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
domain domain-name

The domain view is displayed.
Step 4 Run:
access-limit max-number

The maximum number of access users is configured. By default, the maximum number of access users in a domain is 147456.
----End

4.2.7 (Optional) Configuring the Maximum Number of Sessions for an Account


Context
By limiting the number of users that use the same account, you can ensure the performance of the ME60. When the number of users that use the same account reaches the maximum value, the subsequent access requests are denied. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
domain domain-name

The domain view is displayed.
Step 4 Run:
user-max-session max-session-number

The maximum number of sessions for an account is configured. By default, the number of sessions that use the same account is not limited.
----End
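The following Python model is an added example, not Huawei code, and shows how the two limits configured in 4.2.6 and 4.2.7 interact when access requests arrive: access-limit bounds the whole domain, user-max-session bounds one account, and a request is denied as soon as either is reached. The class and method names are assumptions; the default values are the ones stated on the page, and the sample sessions are constructed.

```python
"""Added example, not Huawei code: a model of the two admission limits set by
access-limit (4.2.6, users per domain) and user-max-session (4.2.7, sessions
per account). Class and method names are assumptions; the default values are
the ones stated on the page."""
from collections import defaultdict

DEFAULT_ACCESS_LIMIT = 147456   # default access-limit per domain
UNLIMITED = None                # default user-max-session: not limited


class DomainAdmission:
    def __init__(self, name, access_limit=DEFAULT_ACCESS_LIMIT, user_max_session=UNLIMITED):
        self.name = name
        self.access_limit = access_limit
        self.user_max_session = user_max_session
        self.sessions = defaultdict(set)   # account -> set of active session ids

    def online_count(self):
        return sum(len(s) for s in self.sessions.values())

    def admit(self, account, session_id):
        """Decide one access request. Returns (accepted, reason); the
        domain-wide limit is checked before the per-account limit."""
        if self.online_count() >= self.access_limit:
            return False, "access-limit %d reached in domain %s" % (self.access_limit, self.name)
        if self.user_max_session is not None and len(self.sessions[account]) >= self.user_max_session:
            return False, "user-max-session %d reached for %s" % (self.user_max_session, account)
        self.sessions[account].add(session_id)
        return True, "online"

    def logout(self, account, session_id):
        """Release a session so the account and the domain regain capacity."""
        self.sessions[account].discard(session_id)

    def accounts_at_cap(self):
        """Accounts using every session they are allowed. With a small
        user-max-session these are the first candidates when looking for
        shared or leaked credentials."""
        if self.user_max_session is None:
            return []
        return sorted(a for a, s in self.sessions.items() if len(s) >= self.user_max_session)


if __name__ == "__main__":
    # constructed sequence: alice tries a third session, carol hits the domain limit
    d = DomainAdmission("isp1", access_limit=3, user_max_session=2)
    for account, sid in (("alice", 1), ("alice", 2), ("alice", 3), ("bob", 4), ("carol", 5)):
        print(account, sid, d.admit(account, sid))
    print("at cap:", d.accounts_at_cap())
```

Note that user-max-session is the only one of the two that says anything about a single credential being reused from several hosts; access-limit protects the ME60 and the pool of the domain, not the account.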

4.2.8 (Optional) Configuring User Priority


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
domain domain-name

The domain view is displayed.
Step 4 Run:
user-priority { upstream | downstream } { priority | trust-8021p-inner | trust-8021p-outer | trust-dscp-inner | trust-dscp-outer | unchangeable | trust-exp-inner | trust-exp-outer }

The priority of the users in the domain is configured. Only one user priority can be configured in a domain.
- priority: specifies the priority of the user. The value ranges from 0 to 7.
- trust-8021p-inner: the user priority is taken from the inner 802.1p value of Layer 2 packets.
- trust-8021p-outer: the user priority is taken from the outer 802.1p value of Layer 2 packets.
- trust-dscp-inner: the user priority is taken from the DSCP value of the inner tags carried in user packets.
- trust-dscp-outer: the user priority is taken from the DSCP value of the outer tags carried in user packets.
- unchangeable: retains the original user priority.
- trust-exp-inner: the user priority is taken from the EXP value of the inner MPLS label.
- trust-exp-outer: the user priority is taken from the EXP value of the outer MPLS label.

By default, the upstream user priority and the downstream user priority are both 0.
----End

4.2.9 (Optional) Specifying Groups


Context
The following groups can be configured for a domain:

- User group
  A user group is one of the prerequisites for ACL-based control of users and is used to control user access rights. The ME60 supports up to 1024 user groups.
- GRE group
  For a description of the GRE group, refer to chapter 7 "Service Wholesale Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - VPN.
- L2TP group
  For a description of the L2TP group, refer to chapter 3 "L2TP Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - VPN.
- VPN instance
  For a description of the VPN instance of a domain, refer to chapter 7 "Service Wholesale Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - VPN.
- Security zone
  For a description of the security zone, refer to chapter 2 "Firewall Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - Security.

Do as follows on the ME60.


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
domain domain-name

The domain view is displayed.
Step 4 Run:
user-group group-name

A user group is specified for the domain. By default, no user group is specified for the domain. If users need to be placed in a different user group depending on the authentication result, run the authening authen-redirect online authen-domain domain-name command in the authentication scheme view of the domain to redirect users to another domain, and configure a user group in that redirection domain. In this way, users that pass authentication and users that fail authentication but are still allowed online go online from different domains.
Or run:
gre-group group-name

A GRE group is specified for the domain. By default, no GRE group is specified for the domain.
Or run:
l2tp-group group-name

An L2TP group is specified for the domain. By default, no L2TP group is specified for the domain.
Or run:
vpn-instance instance-name

A VPN instance is specified for the domain. By default, no VPN instance is specified for the domain.
Or run:
zone zone-name

A security zone is specified for the domain. By default, no security zone is specified for the domain.
----End

4.2.10 (Optional) Specifying Profile and Policy


Context
A domain can reference the following profiles and policies:

- 802.1X profile
  For a description of the 802.1X profile, see chapter 5 "BRAS Access Configuration."
- QoS profile
  For a description of the QoS profile, see chapter 3 "QoS Scheduling Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS. Only one QoS profile for common users and one QoS profile for L2TP users at the LNS side can be applied to a domain.
- Queue profile
  For a description of the queue profile, see chapter 3 "QoS Scheduling Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.
- Multicast profile
  For a description of the multicast profile, see chapter 9 "Multicast Control Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Multicast.
- VAS policy
  For a description of the VAS policy, see chapter 6 "DSG Configuration."

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
domain domain-name

The domain view is displayed.
Step 4 Run:
dot1x-template dot1x-template-number

An 802.1X template is specified for the domain. By default, the domain uses 802.1X profile 1.
Or run:
qos profile qos-profile-name [ [ inbound | outbound ] lns-gts ]

A QoS profile is specified for the domain. By default, the domain references QoS profile default for common users; no QoS profile is referenced for L2TP users at the LNS side.

NOTE
The inbound, outbound, and lns-gts parameters are valid only for L2TP users at the LNS side.

Or run:
queue-profile queue-profile-name

A queue profile is specified for the domain.
Or run:
value-added-service policy policy-name

A VAS policy is specified for the domain.
Or run:
value-added-service accounting-type { cops group-name | default | none | radius group-name }

The accounting mode for value-added services in the domain is specified.
----End

4.2.11 (Optional) Configuring Service Type for Domain Users


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
domain domain-name

The domain view is displayed.
Step 4 Run:
service-type { hsi | stb }

The service type is configured. By default, the service type for users is HSI.

The high speed Internet access (HSI) service is the common access service for PPP, DHCP, 802.1X, leased line, and static users. The STB service is the access service for DHCP users that use set-top boxes (STBs). For common DHCP users and Layer 2 leased line users, if the service type configured in the domain is STB, the user type is STB. For Layer 3 leased line users, static users, PPP users, and 802.1X users, the user type is HSI regardless of the service type configured in the domain.

When HSI users go offline, they can obtain new IP addresses and go online again; the HSI service does not support remote backup of user information. STB users cannot go online again after they go offline; the STB service supports remote backup of user information. For details about remote backup of user information, see chapter 8 "User Information Backup Configuration."
----End

4.2.12 (Optional) Configuring the Reserved Bandwidth


Context
You need to run the bandwidth-tune cir command in the domain that non-STB users belong to. A family can have up to eight STB users and eight HSI users.
NOTE

The reserved bandwidth function of an STB user can be performed only when the client-option82 and iptv shaping commands are run on the BAS interface, and Option 82 is carried when the STB user goes online. For details about the client-option82 and iptv shaping commands, refer to the Quidway ME60 Multiservice Control Gateway Command Reference. Only the users with the same interface, same VLAN, and same Option 82 are considered to be in the same family.

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
domain domain-name

The domain view is displayed.
Step 4 Run:
bandwidth-tune cir cir-value [ pir pir-value ]

The reserved bandwidth for the STB user is configured. By default, no bandwidth is reserved for the STB users in the domain.

An STB user takes precedence over a computer user in obtaining bandwidth. When an STB user goes online, the bandwidth of the common terminals in the same family is reduced until the STB user has its reserved bandwidth; the STB user can go online even if the bandwidth left for common terminal users is smaller than the STB user's reserved bandwidth. When a common terminal user goes online in a family where an STB user has reserved bandwidth, the common terminal user gets the reduced bandwidth.
----End
4.2.13 (Optional) Configuring Additional Functions


Context
A domain has the following additional functions:

- Captive portal
  After a user passes authentication and accesses an external network for the first time, the ME60 forcibly redirects that first access request to a server, usually the carrier's portal server, so the first website the user sees is the carrier's website.
- Time-based control
  The domain is automatically blocked during a specified period, in which the users of the domain cannot access the network. After the period, the domain is reactivated automatically and the domain users can access the Internet again.
- Idle cut
  When the traffic volume of a user stays below a threshold for a configured period, the ME60 considers the user idle and disconnects the user. You need to set both the idle time and the traffic threshold. The idle cut configured in a domain counts only the basic traffic of a user: multicast traffic, and VAS traffic that is not configured with the summary feature, are not part of the basic traffic, so they do not keep a user online.
- Mandatory PPP authentication
  Normally the authentication mode (PAP, CHAP, or MSCHAP) of a PPP user is negotiated between the PPP client and the virtual template interface. After a mandatory authentication mode for PPP users is configured in a domain, all users in the domain are authenticated in that mode.
- Policy-based routing
  Normally the ME60 forwards packets according to their destination addresses. With policy-based routing, the ME60 forwards the packets of the domain's users according to the address specified in the user domain instead.
- IP address usage alarm
  After an alarm threshold for IP address usage (in percent) is set in a domain, the ME60 sends a trap to the network management system (NMS) when the usage exceeds the threshold. If the threshold is cancelled, the ME60 sends no such trap regardless of the usage.
- Traffic statistics
  The traffic statistics function covers the total traffic statistics and the upstream and downstream traffic statistics of users.
- Accounting packet copy
  The accounting packet copy function sends accounting packets to two RADIUS servers at the same time. Enable it when more than one copy of the original accounting information is required, for example when multiple ISPs are interconnected and each needs the original accounting records for later settlement.
- Re-authentication timeout
  The re-authentication timeout applies to Layer 3 pre-authentication users. If such a user does not pass authentication within the re-authentication interval, the ME60 disconnects the user.
- Policy adopted when the user's quota is used up
  The ME60 applies a configured policy after the quota (traffic or session time) of an online user is used up: it may log the user out, keep the user online, or redirect the user to a specified page.

Do as follows on the ME60.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  aaa
The AAA view is displayed.

Step 3 Run:
  domain domain-name
The domain view is displayed.

Step 4 Run:
  portal-server { ip-address | url url-string | redirect-limit times }
and
  pppoe-url url-string
The captive portal is configured. By default, the captive portal is disabled. It is recommended to specify the IP address of the portal server so that user access is not affected when DNS faults occur.

Or run:
  time-range { domain-block | qos-profile } { range-name | enable }
The time-based control is configured. You can configure up to four time ranges, which have equal priority. By default, the time-based control is disabled.

Or run:
  idle-cut idle-time-length idle-rate
The idle cut function is configured. By default, the idle time is 0, that is, the idle cut function is disabled. If the value of idle-rate is 0, the idle cut function is also disabled.

Or run:
  ppp-force-authtype { chap | mschap_v1 | mschap_v2 | pap }
The mandatory PPP authentication is configured. By default, the mandatory PPP authentication is not configured.

Or run:
  policy-route ip-address
Policy-based routing is configured. By default, policy-based routing is disabled.

Or run:
  ip-warning-threshold threshold
The IP address usage alarm function is configured. By default, the IP address usage alarm function is not configured.

Or run:
  flow-bill
The function of collecting the total traffic statistics is enabled. By default, the function of collecting the total traffic statistics is disabled and the function of collecting the user's upstream and downstream traffic statistics is enabled.

Or run:
  flow-statistic { down | up } *
The function of collecting the upstream and downstream traffic statistics of users is enabled.

Or run:
  accounting-copy radius-server radius-name
The accounting packet copy function is enabled. By default, the accounting packet copy function is disabled.

Or run:
  max-ipuser-reauthtime time-value
The re-authentication timeout is configured. By default, the re-authentication timeout is 300 seconds.

Or run:
  quota-out { offline | online | redirect url url-string }
The policy adopted for online users when the quota is used up is configured. By default, the ME60 disconnects a user when the quota of the user is used up.

Or run:
  radius-no-response lease-time time
The lease used when the RADIUS server does not respond is set for DHCP users. By default, this lease is 3000s for DHCP users.

----End

4.2.14 (Optional) Activating a Domain


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  aaa
The AAA view is displayed.

Step 3 Run:
  domain domain-name
The domain view is displayed.

Step 4 Run:
  undo block
The domain is activated. By default, a domain is active.

----End

4.2.15 Checking the Configuration


Run the following command to check the previous configuration.
Action: Check the configuration of the domain.
Command: display domain [ name domain-name [ verbose ] | vpn-instance vpn-instance-name ] *

4.3 Configuring User Account Parsing


This section describes the procedure for configuring the user account parsing function.
4.3.1 Establishing the Configuration Task
4.3.2 Configuring the Domain Name Delimiter
4.3.3 Configuring the Location of the Domain Name
4.3.4 Configuring the Parsing Direction of the Domain Name
4.3.5 (Optional) Configuring the Realm Name Delimiter
4.3.6 (Optional) Configuring the Location of the Realm Domain Name
4.3.7 (Optional) Configuring the Parsing Direction of the Realm Name
4.3.8 Configuring the Parsing Sequence
4.3.9 Checking the Configuration

4.3.1 Establishing the Configuration Task


Applicable Environment
The ME60 can parse the user name and domain name from a user account according to the domain name delimiter and realm delimiter. With this function, the ME60 can replace the user name or domain name as required.

Pre-configuration Tasks
None.

Data Preparation
To configure the user name parsing function, you need the following data.
No.  Data
1    Domain name delimiter
2    Location of the domain name
3    Parsing direction of the domain name
4    (Optional) Realm name delimiter
5    (Optional) Location of the realm domain name
6    (Optional) Parsing direction of the realm name
7    Parsing priority

NOTE

The configured domain name delimiter, realm name delimiter, and parsing direction of the domain name are valid for the users that go online after the configuration is complete. For the users that go online before the configuration, the configuration takes effect after they go online the next time.

4.3.2 Configuring the Domain Name Delimiter


Context
A user account in the ME60 consists of a user name and a domain name. The user name and domain name are separated by the domain name delimiter. For example, if the defined domain name delimiter is @, the user account of user1 in domain dom1 is user1@dom1 or dom1@user1.
Do as follows on the ME60.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  aaa
The AAA view is displayed.

Step 3 Run:
  domain-name-delimiter delimiter
The domain name delimiter is configured. By default, the domain name delimiter is @.

----End

4.3.3 Configuring the Location of the Domain Name


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  aaa
The AAA view is displayed.

Step 3 Run:
  domain-location { after-delimiter | before-delimiter }
The location of the domain name is configured. By default, the domain name goes after the domain name delimiter.

----End

4.3.4 Configuring the Parsing Direction of the Domain Name


Context
The domain name can be parsed from left to right or from right to left. The user name and domain name vary with the parsing direction even when they are parsed from the same user account with the same domain name location. For example, the user account is username@dom1@dom2 and the domain name is after the delimiter. When the domain is parsed from left to right, the user name is username and the domain name is dom1@dom2. When the domain is parsed from right to left, the user name is username@dom1 and the domain name is dom2.

Do as follows on the ME60.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  aaa
The AAA view is displayed.

Step 3 Run:
  domainname-parse-direction { left-to-right | right-to-left }
The parsing direction of the domain name is configured. By default, the domain name is parsed from left to right.

----End

4.3.5 (Optional) Configuring the Realm Name Delimiter


Context
The realm name delimiter separates the realm name from the realm domain name. For example, if the realm name delimiter is defined as @, the realm name is a, and the realm domain name is b, the user account is a@b or b@a. Because the ME60 supports both the realm name delimiter and the domain name delimiter, it can parse a user account that contains two delimiters. When one delimiter cannot be found, the ME60 searches for the other delimiter.

Do as follows on the ME60.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  aaa
The AAA view is displayed.

Step 3 Run:
  realm-name-delimiter delimiter
The realm name delimiter is configured. By default, the realm name delimiter is not configured.

----End

4.3.6 (Optional) Configuring the Location of the Realm Domain Name


Context
The realm domain name can be placed before or after the realm name delimiter. Which characters count as "before" and "after" depends on the parsing direction of the realm name. When the realm name is parsed from left to right, the characters before the realm name delimiter are those on the left side of the delimiter, and the characters after the realm name delimiter are those on the right side. When the realm name is parsed from right to left, the characters before the realm name delimiter are those on the right side of the delimiter, and the characters after the realm name delimiter are those on the left side.

For example, the user account is a@b, and the realm name delimiter is @. When the realm name is parsed from left to right, the string before the realm name delimiter is a and the string after it is b. If the realm name is parsed from right to left, the string before the realm name delimiter is b, and the string after it is a.

Do as follows on the ME60.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  aaa
The AAA view is displayed.

Step 3 Run:
  realm-location { after-delimiter | before-delimiter }
The location of the realm domain name is configured. By default, the realm domain name goes before the realm name delimiter.

----End

4.3.7 (Optional) Configuring the Parsing Direction of the Realm Name


Context
The realm name can be parsed from left to right or from right to left. The realm name and realm domain name vary with the parsing direction even when they are parsed from the same user account with the same realm domain name location. For example, the user account is a@b/a, the realm name delimiter is @, and the realm domain name is before the delimiter. When the realm name is parsed from left to right, the realm name is b/a and the realm domain name is a. If the realm name is parsed from right to left, the realm name is a, and the realm domain name is b/a.

Do as follows on the ME60.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  aaa
The AAA view is displayed.

Step 3 Run:
  realmname-parse-direction { left-to-right | right-to-left }
The parsing direction of the realm name is configured. By default, the realm name is parsed from left to right.

----End

4.3.8 Configuring the Parsing Sequence


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  aaa
The AAA view is displayed.

Step 3 Run:
  parse-priority { domain-first | realm-first }
The parsing sequence is configured. If the parsing sequence is set to domain-first, the realm domain name is excluded from the user account and the domain name is parsed from the remaining characters. By default, the parsing sequence in the system is domain-first.

----End
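The following Python script is an added worked example of the account parsing rules in 4.3.2 to 4.3.8; it is not ME60 code and it replays the page's own examples (username@dom1@dom2, a@b and a@b/a). The ParseConfig field names mirror the CLI keywords but are this example's own. For the domain delimiter, after-delimiter is always the right-hand side, as the 4.3.4 example shows; for the realm delimiter, before and after flip with the parse direction, as 4.3.6 describes. Two points are assumptions, because the page does not spell them out: parse_account tries the other delimiter when the first one is absent (the fallback sentence in 4.3.5), and a realm split is mapped onto (user name, domain name) as (realm name, realm domain name).

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example modelling the ME60 account parsing rules of 4.3.2 to 4.3.8.
# Not ME60 code; field names mirror the CLI keywords but are this example's own.


@dataclass
class ParseConfig:
    domain_delimiter: str = "@"                 # domain-name-delimiter (default @)
    domain_after_delimiter: bool = True         # domain-location (default after-delimiter)
    domain_left_to_right: bool = True           # domainname-parse-direction (default)
    realm_delimiter: Optional[str] = None       # realm-name-delimiter (unset by default)
    realm_domain_after_delimiter: bool = False  # realm-location (default before-delimiter)
    realm_left_to_right: bool = True            # realmname-parse-direction (default)
    domain_first: bool = True                   # parse-priority (default domain-first)


def _split_at(account: str, delimiter: str, left_to_right: bool) -> Optional[Tuple[str, str]]:
    """Split at the first delimiter found in the parse direction; None if absent."""
    idx = account.find(delimiter) if left_to_right else account.rfind(delimiter)
    if idx < 0:
        return None
    return account[:idx], account[idx + len(delimiter):]


def split_domain(account: str, cfg: ParseConfig) -> Optional[Tuple[str, str]]:
    """Return (user_name, domain_name) per 4.3.2 to 4.3.4.

    The direction picks which occurrence of the delimiter is used; the location
    picks the side of that delimiter holding the domain name. Per the 4.3.4
    example, "after" is always the right-hand side for the domain delimiter.
    """
    parts = _split_at(account, cfg.domain_delimiter, cfg.domain_left_to_right)
    if parts is None:
        return None
    left, right = parts
    return (left, right) if cfg.domain_after_delimiter else (right, left)


def split_realm(account: str, cfg: ParseConfig) -> Optional[Tuple[str, str]]:
    """Return (realm_name, realm_domain_name) per 4.3.5 to 4.3.7.

    Unlike the domain delimiter, "before" and "after" are relative to the parse
    direction (4.3.6): parsing right to left, "before" is the right-hand side.
    """
    if not cfg.realm_delimiter:
        return None
    parts = _split_at(account, cfg.realm_delimiter, cfg.realm_left_to_right)
    if parts is None:
        return None
    left, right = parts
    before, after = (left, right) if cfg.realm_left_to_right else (right, left)
    if cfg.realm_domain_after_delimiter:
        return before, after      # realm name before, realm domain name after
    return after, before          # realm domain name before, realm name after


def parse_account(account: str, cfg: ParseConfig) -> Tuple[str, Optional[str]]:
    """Return (user_name, domain_name) for one account string.

    parse-priority decides which delimiter is tried first; when that delimiter is
    absent the other one is tried (4.3.5). Mapping a realm split onto
    (user_name, domain_name) as (realm_name, realm_domain_name) is this
    example's assumption, not something the page states.
    """
    order = (split_domain, split_realm) if cfg.domain_first else (split_realm, split_domain)
    for splitter in order:
        parts = splitter(account, cfg)
        if parts is not None:
            return parts
    return account, None   # no delimiter at all: the whole string is the user name


if __name__ == "__main__":
    for acct in ("username@dom1@dom2", "user1", "a@b/a"):
        print(acct, "->", parse_account(acct, ParseConfig()))
```

Running the script with the default configuration shows why the defaults matter to an operator: an account such as username@dom1@dom2 lands in domain dom1@dom2 (and therefore in no configured domain) unless the parse direction is switched to right-to-left.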

4.3.9 Checking the Configuration


Run the following command to check the previous configuration.
Action: Check the configuration of the domain name parsing function.
Command: display aaa configuration

4.4 Configuring the User Name Format and Password of an IPoX User
This section describes the procedure for configuring the user name format and password of an IPoX user.
4.4.1 Establishing the Configuration Task
4.4.2 Configuring the Domain Name Delimiter
4.4.3 Configuring the Location of the Domain Name
4.4.4 Configuring the Generation Mode of the User Name of an IPoX User
4.4.5 Configuring the Password of an IPoX User
4.4.6 Checking the Configuration

4.4.1 Establishing the Configuration Task


Applicable Environment
When users adopting binding authentication, fast authentication and pre-authentication go online, they cannot enter the user name and password on the client as the users adopting PPP authentication, 802.1x authentication and web authentication do. To authenticate and manage IPoX users, the ME60 provides the function of configuring the password and the method of generating the user name of IPoX users.

Pre-configuration Tasks
None.

Data Preparation
To configure the user name format and password of the IPoX user, you need the following data.
No.  Data
1    Domain name delimiter
2    Location of the domain name
3    User name format of an IPoX user
4    Password of the IPoX user

4.4.2 Configuring the Domain Name Delimiter


For the configuration procedure, see "4.3.2 Configuring the Domain Name Delimiter."

4.4.3 Configuring the Location of the Domain Name


For the configuration procedure, see "4.3.3 Configuring the Location of the Domain Name."

4.4.4 Configuring the Generation Mode of the User Name of an IPoX User
Context
The ME60 can generate the user name of an IPoX user by using the following parameters:
- gateway-address: The ME60 uses the gateway address contained in the access request packet as the user name.
- ip-address: The ME60 uses the IP address contained in the access request packet as the user name. This method applies only to access users whose packets contain IP addresses, such as layer 3 users and static users.
- mac-address: The ME60 uses the MAC address contained in the access request packet as the user name.
- option60: The ME60 uses Option 60 contained in the access request packet as the user name.
- option82: The ME60 uses Option 82 contained in the access request packet as the user name.
- sysname: The ME60 uses the host name as the user name. The host name is configured by running the sysname host-name command in the system view.
- Original user name format: The ME60 generates the user name according to the information about the access interface and VLAN of the user, and the format version configured by the vlanpvc-to-username command. The format of the user name is as follows:
  - When you run the vlanpvc-to-username command to set the version of the user name format to version10, the format of the user name generated on the Ethernet interface is host name + - + slot number (2 bits) + card number (1 bit) + port number (2 bits) + VLAN ID (7 bits) + domain name delimiter (1 bit) + domain name.
  - When you run the vlanpvc-to-username command to set the version of the user name format to standard, turkey, or version20, the format of the user name generated on the Ethernet interface is host name + - + slot number (2 bits) + card number (1 bit) + port number (2 bits) + outer VLAN ID (4 bits) + 0 + inner VLAN ID (4 bits) + domain name delimiter (1 bit) + domain name.

The ME60 can combine any of the gateway-address, ip-address, mac-address, option60, option82, and sysname parameters to form an IPoX user name. The generated user name contains the information matching these parameters. The sequence of the parameters in the user name is consistent with the sequence in which the parameters are configured. When configuring the format of the user name for an IPoX user, pay attention to the following points:
- The option82 keyword is valid only when the access request packet of the user contains Option 82 and the BAS interface is configured to trust Option 82 on the client.
- If the ip-address keyword, the option82 keyword, or both are selected but the selected mode is invalid, the system generates the user name by using the original format. The ip-address and option82 keywords are invalid in some cases. For example, the ip-address keyword is selected but the access request packet does not contain an IP address, or the option82 keyword is selected but the access request packet does not contain Option 82 or the BAS interface does not trust Option 82.
- If you run the default-user-name command multiple times, the later configuration overwrites the previous configuration, and the last configuration takes effect.
- If the generated user name contains more than 64 characters, the first 64 characters are taken as the user name.

NOTE
If you do not run the default-user-name command to configure the format of the user name, the system generates the user name of the IPoX user according to the format configured with the vlanpvc-to-username command.

Do as follows on the ME60.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  aaa
The AAA view is displayed.

Step 3 Run:
  default-user-name [ template template-name ] include { gateway-address separator [ username-seprator ] | ip-address separator [ username-seprator ] | mac-address separator [ username-seprator ] | option60 [ username-seprator ] | option82 [ [ username-seprator ] | sub-option sub-option offset offset parse-mode { binary length-value | hex length-value { class1 | class2 | class3 } | string length-value } ] | sysname [ username-seprator ] } *
The ME60 is configured to generate the user name of the IPoX user according to the information in the user access request packet.

Or run:
  vlanpvc-to-username { standard | turkey | version10 | version20 }
The ME60 is configured to generate the user name of the IPoX user by using the original format. By default, the original format of the user name of the IPoX user is the format defined in version20.

----End
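The following Python script is an added worked example of the user name generation rules in 4.4.4; it is not ME60 code. AccessInfo is a constructed stand-in for what the ME60 learns from one access request plus the BAS interface setting for Option 82, and the include list models the default-user-name keywords in configuration order with their optional separators. The fallback to the original format when ip-address or option82 is unusable, and the 64-character limit, follow 4.4.4; treating the other keywords as contributing nothing when their value is absent is this example's assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example modelling the IPoX user-name generation rules of 4.4.4.
# AccessInfo is a constructed stand-in, not an ME60 data structure.

MAX_USERNAME_LEN = 64   # 4.4.4: a longer generated name is cut to its first 64 characters
KEYWORDS = ("gateway-address", "ip-address", "mac-address", "option60", "option82", "sysname")


@dataclass
class AccessInfo:
    sysname: str
    slot: int
    card: int
    port: int
    outer_vlan: int
    inner_vlan: int = 0
    ip_address: Optional[str] = None
    mac_address: Optional[str] = None
    gateway_address: Optional[str] = None
    option60: Optional[str] = None
    option82: Optional[str] = None
    trust_option82: bool = False   # BAS interface configured to trust Option 82


def original_username(info: AccessInfo, version: str = "version20",
                      delimiter: str = "@", domain: str = "isp1") -> str:
    """vlanpvc-to-username format: host name, '-', slot (2), card (1), port (2),
    VLAN field(s), delimiter and domain name. version10 carries one 7-digit VLAN
    ID; standard, turkey and version20 carry outer VLAN (4) + '0' + inner VLAN (4)."""
    head = f"{info.sysname}-{info.slot:02d}{info.card:01d}{info.port:02d}"
    if version == "version10":
        vlan = f"{info.outer_vlan:07d}"
    elif version in ("standard", "turkey", "version20"):
        vlan = f"{info.outer_vlan:04d}0{info.inner_vlan:04d}"
    else:
        raise ValueError(f"unknown vlanpvc-to-username version: {version}")
    return f"{head}{vlan}{delimiter}{domain}"


def _field(info: AccessInfo, keyword: str) -> Optional[str]:
    """Value for one default-user-name keyword, or None when it is not usable.
    option82 is usable only if present and the BAS interface trusts it (4.4.4)."""
    if keyword not in KEYWORDS:
        raise ValueError(f"unknown default-user-name keyword: {keyword}")
    if keyword == "option82":
        return info.option82 if info.trust_option82 else None
    return getattr(info, keyword.replace("-", "_"))


def include_username(info: AccessInfo, include: List[Tuple[str, Optional[str]]],
                     **original_kwargs) -> str:
    """default-user-name include ...: join the selected fields in configuration
    order, each followed by its optional separator. If ip-address or option82 is
    selected but unusable, fall back to the original format (4.4.4). Either way
    the result is cut to 64 characters."""
    pieces = []
    for keyword, separator in include:
        value = _field(info, keyword)
        if value is None:
            if keyword in ("ip-address", "option82"):
                return original_username(info, **original_kwargs)[:MAX_USERNAME_LEN]
            continue   # assumption: other absent keywords contribute nothing
        pieces.append(value + (separator or ""))
    return "".join(pieces)[:MAX_USERNAME_LEN]


if __name__ == "__main__":
    # Constructed sample: slot 8, card 0, port 2, VLAN 1, as in the 4.7.1 example.
    sample = AccessInfo("Quidway", 8, 0, 2, 1, mac_address="00e0-fc12-3456")
    print(original_username(sample))
    print(include_username(sample, [("mac-address", "-"), ("sysname", None)]))
    print(include_username(sample, [("option82", None)]))   # falls back: no trusted Option 82
```

The fallback branch is the one worth watching operationally: a user name built from option82 silently turns into the interface/VLAN form when the BAS interface does not trust Option 82, so RADIUS policies keyed on the Option 82 form stop matching.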

4.4.5 Configuring the Password of an IPoX User


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  aaa
The AAA view is displayed.

Step 3 Run:
  default-password { cipher cipher-password | simple simple-password }
The password of the IPoX user is configured. The differences between the cipher and simple keywords are as follows:
- If the cipher keyword is selected, the password is displayed in cipher text in the configuration file regardless of whether the input password is encrypted.
- If the simple keyword is selected, the password is displayed in plain text in the configuration file.
If the password is set to cipher text and the input string is not encrypted, the string can contain 1 to 16 characters. When the input string is encrypted, the string must contain 24 characters.

----End

4.4.6 Checking the Configuration


Run the following command to check the previous configuration.
Action: Check the format of the generated IPoX user name.
Command: display vlanpvc-to-username

4.5 Configuring Static Users


This section describes the procedure for configuring static users.
4.5.1 Establishing the Configuration Task
4.5.2 Creating a Static User
4.5.3 (Optional) Configuring the User Name Format and Password of the Static User
4.5.4 (Optional) Configuring a Local Account
4.5.5 Checking the Configuration

4.5.1 Establishing the Configuration Task


Applicable Environment
If a user requires a fixed IP address, you can configure the user as a static user. The IP address of the static user must be contained in a configured address pool. If the address is in a local address pool, run the excluded-ip-address command to exclude the address from the pool so that it is not allocated dynamically to other users.

Pre-configuration Tasks
Before configuring a static user, complete the following tasks:
- Configuring the address pool
- Excluding the IP address of the static user from the address pool (for the local address pool only)
- Configuring the DHCP server (applicable to remote address allocation)
- Loading the license. For details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

Data Preparation
To configure a static user, you need the following data.
No.  Data
1    (Optional) Domain name of the static user
2    IP address, VPN instance (optional), MAC address (optional), and access interface (optional) of the static user

4.5.2 Creating a Static User


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  static-user start-ip-address [ end-ip-address ] [ vpn-instance instance-name ] [ export ] [ domain-name domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan ] ] | mac-address mac-address | detect ] *
A static user is created. When creating a static user, you can specify the IP address (including the VPN instance of the IP address), the interface (FE, GE, Eth-Trunk, or VE interface) through which the user is connected to the ME60, the domain, and the MAC address. The detect keyword means that the ME60 actively detects whether the static user is online. If this keyword is not set, the user can go online only after the user's computer sends an ARP packet. By default, no static user is created on the ME60.

----End
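The following Python script is an added offline check for the rule stated in 4.5.1: a static user's address must lie in a configured pool and, when that pool is local, must be excluded with excluded-ip-address so that it is never handed to a dynamic user. It is not ME60 code; Pool and the static-user tuples are this example's own model of the ip pool and static-user commands, and the sample data is constructed from the pools and static users of the 4.7.1 example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example: audit static-user addresses against address pools (4.5.1).
# Pool is this example's own model of "ip pool NAME local | remote", not an
# ME60 structure; section and excluded-ip-address are carried as strings.


@dataclass
class Pool:
    name: str
    local: bool                      # ip pool NAME local | remote
    gateway: str                     # gateway ADDRESS MASK
    mask: str
    sections: List[Tuple[str, str]] = field(default_factory=list)   # section N START END
    excluded: List[str] = field(default_factory=list)               # excluded-ip-address

    def covers(self, ip: ipaddress.IPv4Address) -> bool:
        """True if the address belongs to the pool's gateway subnet."""
        return ip in ipaddress.ip_network(f"{self.gateway}/{self.mask}", strict=False)

    def dynamically_allocatable(self, ip: ipaddress.IPv4Address) -> bool:
        """True if a local pool could still hand this address to a dynamic user."""
        if not self.local:
            return False
        in_section = any(ipaddress.ip_address(s) <= ip <= ipaddress.ip_address(e)
                         for s, e in self.sections)
        return in_section and str(ip) not in self.excluded


def static_user_addresses(start: str, end: Optional[str] = None) -> List[ipaddress.IPv4Address]:
    """Expand 'static-user START [END]' into its individual addresses."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end) if end else first
    return [ipaddress.ip_address(int(first) + i) for i in range(int(last) - int(first) + 1)]


def audit_static_users(pools: List[Pool],
                       static_users: List[Tuple[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Report static addresses outside every pool, and addresses that a local
    pool could still allocate dynamically because excluded-ip-address is missing."""
    findings: Dict[str, List[str]] = {"not_in_any_pool": [], "not_excluded": []}
    for start, end in static_users:
        for ip in static_user_addresses(start, end):
            covering = [p for p in pools if p.covers(ip)]
            if not covering:
                findings["not_in_any_pool"].append(str(ip))
            for p in covering:
                if p.dynamically_allocatable(ip):
                    findings["not_excluded"].append(f"{ip} ({p.name})")
    return findings


# Constructed from the 4.7.1 example: pool1 is local with one excluded address,
# pool2 is remote (addresses come from the external DHCP server).
EXAMPLE_POOLS = [
    Pool("pool1", True, "172.82.1.1", "255.255.255.0",
         sections=[("172.82.1.2", "172.82.1.200")], excluded=["172.82.1.100"]),
    Pool("pool2", False, "172.82.2.1", "255.255.255.0"),
]
EXAMPLE_STATIC_USERS = [("172.82.1.100", "172.82.1.100"), ("172.82.2.200", "172.82.2.200")]

if __name__ == "__main__":
    print(audit_static_users(EXAMPLE_POOLS, EXAMPLE_STATIC_USERS))
```

With the 4.7.1 data both finding lists are empty; dropping the excluded-ip-address line from pool1 makes 172.82.1.100 show up under not_excluded, which is the duplicate-address condition the pre-configuration task in 4.5.1 exists to prevent.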

4.5.3 (Optional) Configuring the User Name Format and Password of the Static User
When a static user adopts binding authentication, fast authentication, or pre-authentication, the system generates the user name according to the configuration. For the configuration of the password and user name format, see "4.4 Configuring the User Name Format and Password of an IPoX User."

4.5.4 (Optional) Configuring a Local Account


Context
When a static user adopts local authentication, you need to configure a local account on the local AAA server. When configuring the local account for the static user, you can specify parameters such as the user name, password, authentication mode, idle-cut, user state, and QoS profile for the user. If the specified user name does not exist, the system automatically adds an account that matches the user name; for the attributes that you do not set, the system adopts the default settings. If the specified user name already exists, the system modifies the attributes of the account. When typing the user names, you can use the wildcard * to separate multiple user names.

Do as follows on the ME60.

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  local-aaa-server
The local AAA server view is displayed.

Step 3 Run:
  user username { password { simple simple-password | cipher cipher-password } | authentication-type type-mask | block | callback-nocheck | callback-number | ftp-directory | idle-cut | ip-address | level | password | qos-profile qos-profile } *
A local account is configured. By default, the settings of the account attributes are as follows:
- The access limit is disabled.
- The access type is A, that is, all access types are allowed.
- The status is active.
- The idle-cut function is disabled.
- The password is vlan.
- The default QoS profile is used.

----End

4.5.5 Checking the Configuration


Run the following command to check the previous configuration.
Action: Check the configuration of the static user.
Command: display static-user [ domain-name domain-name | { interface interface-type interface-number [ vlan start-vlan-id [ end-vlan-id ] | pvc start-vpi/vci [ end-vpi/vci ] ] | slot slot-number } | ip-address start-ip-address [ end-ip-address ] [ vpn-instance instance-name ] ] *

4.6 Maintaining User Management


This section describes the commands used to display information about user management. After the preceding configuration, run the following display commands in any view to display the user management information and verify the effect of the configuration. For detailed information, refer to the Quidway ME60 Multiservice Control Gateway - Command Reference.

Action: Display the configuration of a domain.
Command: display domain [ name domain-name [ verbose ] | vpn-instance vpn-instance-name ] *

Action: Check the configuration of a static user.
Command: display static-user [ domain-name domain-name | interface interface-type interface-number [ vlan start-vlan-id [ end-vlan-id ] ] | slot slot-number | ip-address start-ip-address [ end-ip-address ] [ vpn-instance instance-name ] ] *

4.7 Configuration Examples


This section provides several configuration examples of user management.
NOTE
- For the configuration example of the domain, see the configuration examples in chapter 2 "AAA Configuration" and chapter 3 "Address Management."
- In actual networking, you need to load the license. For details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

4.7.1 Example for Configuring Static Users Using Remote Authentication
4.7.2 Example for Configuring Static Users Using Local Authentication

4.7.1 Example for Configuring Static Users Using Remote Authentication


Networking Requirements
As shown in Figure 4-2, the networking requirements are as follows:
- Users user1@isp1 and user2@isp1 belong to the same domain isp1 and they log in to the ME60 as static users from interface 8/0/2.1. The LAN switch tags the user packets with VLAN 1 and VLAN 2. The two users use web authentication, and the RADIUS authentication mode and the RADIUS accounting mode are adopted. The IP address of user1@isp1 is 172.82.1.100, which is obtained from the ME60; the IP address of user2@isp1 is 172.82.2.200, which is obtained from the external DHCP server. The two static users are VPN users and they belong to VPN1. Users are added to the VPN and can be connected through VPN1.
- The IP address of the RADIUS server is 192.168.7.249 and the port numbers for authentication and accounting are 1812 and 1813 respectively. The RADIUS server adopts the standard RADIUS protocol and the key is hello.
- The IP address of the web authentication server is 192.168.8.251 and the key is webvlan.
- The IP address of the external DHCP server is 192.168.8.252.

Networking Diagram
Figure 4-2 Networking for configuring static users adopting remote authentication
[Figure: user1@isp1 (VLAN1) and user2@isp1 (VLAN2) connect through a LAN switch to GE8/0/2.1 on the ME60; GE7/0/2 (192.168.8.1) connects to the DHCP server (192.168.8.252), the RADIUS server (192.168.8.249), and the web server (192.168.8.251).]

Configuration Procedure
1. Configure the VPN instance.
<Quidway> system-view [Quidway] ip vpn-instance vpn1 [Quidway-vpn-instance-vpn1] route-distinguisher 100:1 [Quidway-vpn-instance-vpn1] vpn-target 100:1 both [Quidway-vpn-instance-vpn1] quit

2.

Configure the authentication scheme.


[Quidway] aaa [Quidway-aaa] authentication-scheme auth1 [Quidway-aaa-authen-auth1] authentication-mode radius [Quidway-aaa-authen-auth1] quit

3.

Configure the accounting scheme.


[Quidway-aaa] accounting-scheme acct1 [Quidway-aaa-accounting-acct1] accounting-mode radius [Quidway-aaa-accounting-acct1] quit [Quidway-aaa] quit

4. 5.

Configure the web authentication server.


[Quidway] web-auth-server 192.168.8.251 key webvlan

Configure the RADIUS server group.


[Quidway] radius-server group rd1 [Quidway-radius-rd1] radius-server [Quidway-radius-rd1] radius-server [Quidway-radius-rd1] radius-server [Quidway-radius-rd1] radius-server [Quidway-radius-rd1] quit authentication 192.168.8.249 1812 accounting 192.168.8.249 1813 type standard shared-key hello

6.

Configure the DHCP server group.


[Quidway] dhcp-server group dg1 [Quidway-dhcp-server-group-dg1] dhcp-server 192.168.8.252 [Quidway-dhcp-server-group-dg1] quit

7.

Configure the ACL to limit the user access only to the web server before the Web authentication. #Configure a user group.

Issue 05 (2010-06-01)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

4-35

4 User Management
[Quidway] user-group Huawei

Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services

# Configure ACL rules.


[Quidway] acl 6000 match-order auto [Quidway-acl-ucl-6000] rule deny ip source user-group huawei destination ip-add ress any [Quidway-acl-ucl-6000] rule permit ip source user-group huawei destination ipadd Ress 192.168.8.251 0.0.0.255 [Quidway-acl-ucl-6000] quit

# Configure the traffic classifier.


[Quidway] traffic classifier c1 [Quidway-classifier-c1] if-match acl 6000 [Quidway-classifier-c1] quit

# Configure the traffic behavior.


[Quidway] traffic behavior b1 [Quidway-behavior-b1] permit [Quidway-behavior-b1] quit

# Configure the traffic policy.


[Quidway] traffic policy policy [Quidway-trafficpolicy-policy] classifier c1 behavior b1 [Quidway-trafficpolicy-policy] quit

# Apply the traffic policy globally.


[Quidway] traffic-policy policy inbound [Quidway] traffic-policy policy outbound

8.

Configure the address pool.


[Quidway] ip pool pool1 [Quidway-ip-pool-pool1] [Quidway-ip-pool-pool1] [Quidway-ip-pool-pool1] [Quidway-ip-pool-pool1] [Quidway-ip-pool-pool1] [Quidway] ip pool pool2 [Quidway-ip-pool-pool2] [Quidway-ip-pool-pool2] [Quidway-ip-pool-pool2] [Quidway-ip-pool-pool2] local gateway 172.82.1.1 255.255.255.0 section 0 172.82.1.2 172.82.1.200 excluded-ip-address 172.82.1.100 vpn-instance vpn1 quit remote gateway 172.82.2.1 255.255.255.0 dhcp-server 192.168.8.252 vpn-instance vpn1 quit

9. Configure domains.
# Configure the pre-authentication domain default0.
[Quidway] aaa
[Quidway-aaa] domain default0
[Quidway-aaa-domain-default0] ip-pool pool1
[Quidway-aaa-domain-default0] ip-pool pool2
[Quidway-aaa-domain-default0] user-group huawei
[Quidway-aaa-domain-default0] vpn-instance vpn1
[Quidway-aaa-domain-default0] quit
# Configure the user domain isp1.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme auth1
[Quidway-aaa-domain-isp1] accounting-scheme acct1
[Quidway-aaa-domain-isp1] radius-server group rd1
[Quidway-aaa-domain-isp1] vpn-instance vpn1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit

10. Configure the BAS interface.
[Quidway] interface GigabitEthernet 8/0/2.1
[Quidway-GigabitEthernet8/0/2.1] uservlan 1 2
[Quidway-GigabitEthernet8/0/2.1-vlan-1-2] quit
[Quidway-GigabitEthernet8/0/2.1] bas
[Quidway-GigabitEthernet8/0/2.1-bas] access-type layer2-subscriber
[Quidway-GigabitEthernet8/0/2.1-bas] authentication-method web
[Quidway-GigabitEthernet8/0/2.1-bas] default-domain authentication isp1
[Quidway-GigabitEthernet8/0/2.1-bas] vpn-instance vpn1
[Quidway-GigabitEthernet8/0/2.1-bas] quit
[Quidway-GigabitEthernet8/0/2.1] quit

11. Configure the static users.
[Quidway] static-user 172.82.1.100 172.82.1.100 vpn-instance vpn1 interface GigabitEthernet8/0/2.1 vlan 1 detect domain-name isp1
[Quidway] static-user 172.82.2.200 172.82.2.200 vpn-instance vpn1 interface GigabitEthernet8/0/2.1 vlan 2 domain-name isp1

12. Configure the uplink interface.
[Quidway] interface GigabitEthernet 7/0/2
[Quidway-GigabitEthernet7/0/2] ip address 192.168.8.1 255.255.255.0

Configuration Files
#
 sysname Quidway
#
user-group huawei
#
ip vpn-instance vpn1
 route-distinguisher 100:1
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
#
radius-server group rd1
 radius-server authentication 192.168.8.249 1812 weight 0
 radius-server accounting 192.168.8.249 1813 weight 0
 radius-server shared-key hello
#
acl number 6000 match-order auto
 rule 5 permit ip source user-group huawei destination ip-address 192.168.8.0 0.0.0.255
 rule 10 deny ip source user-group huawei destination ip-address any
#
traffic classifier c1 operator or
 if-match acl 6000
#
traffic behavior b1
#
traffic policy policy
 classifier c1 behavior b1
traffic-policy policy inbound
traffic-policy policy outbound
#
interface GigabitEthernet8/0/2.1
 uservlan 1 2
 bas
  access-type layer2-subscriber
  default-domain authentication isp1
  vpn-instance vpn1
  authentication-method web
#
interface GigabitEthernet7/0/2
 ip address 192.168.8.1 255.255.255.0
#
dhcp-server group dg1
 dhcp-server 192.168.8.252
#
ip pool pool1 local
 vpn-instance vpn1
 gateway 172.82.1.1 255.255.255.0
 section 0 172.82.1.2 172.82.1.200
 excluded-ip-address 172.82.1.100
#
ip pool pool2 remote
 vpn-instance vpn1
 gateway 172.82.2.1 255.255.255.0
 dhcp-server group dg1
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain default0
  user-group huawei
  vpn-instance vpn1
  ip-pool pool1
  ip-pool pool2
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group rd1
  vpn-instance vpn1
#
web-auth-server 192.168.8.251 port 50100 key webvlan
#
static-user 172.82.1.100 172.82.1.100 vpn-instance vpn1 interface GigabitEthernet8/0/2.1 vlan 1 detect domain-name isp1
static-user 172.82.2.200 172.82.2.200 vpn-instance vpn1 interface GigabitEthernet8/0/2.1 vlan 2 domain-name isp1
#
return

4.7.2 Example for Configuring Static Users Using Local Authentication

Networking Requirements
As shown in Figure 4-3, the networking requirements are as follows:
- The user logs in to the ME60 from interface 7/0/2.1 as a static user, and the IP address of the user is 172.192.0.8.
- The user uses the local authentication mode.
- The system uses the IP address carried in the user packet as the user name.

Networking Diagram
Figure 4-3 Networking for configuring static users adopting local authentication
[Figure: access network connected to the ME60 on GE7/0/2.1; the ME60 connects to the Internet through GE7/0/0 (192.168.8.1).]
Configuration Procedure
1. Configure the authentication scheme.
[Quidway] aaa
[Quidway-aaa] authentication-scheme local
[Quidway-aaa-authen-local] authentication-mode local
[Quidway-aaa-authen-local] quit
2. Configure the user name format and password of the user.
[Quidway-aaa] default-user-name include ip-address .
[Quidway-aaa] default-password simple test
[Quidway-aaa] quit

3. Configure the local account.
[Quidway] local-aaa-server
[Quidway-local-aaa-server] user 172.192.0.8@isp1 password simple test authentication-type a
[Quidway-local-aaa-server] quit

4. Configure the address pool.
[Quidway] ip pool pool1 local
[Quidway-ip-pool-pool1] gateway 172.192.0.1 255.255.255.0
[Quidway-ip-pool-pool1] section 0 172.192.0.2 172.192.0.200
[Quidway-ip-pool-pool1] excluded-ip-address 172.192.0.8
[Quidway-ip-pool-pool1] quit

5. Configure the domain.
[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme local
[Quidway-aaa-domain-isp1] accounting-scheme default0
[Quidway-aaa-domain-isp1] ip-pool pool1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit

6. Configure the BAS interface.
[Quidway] interface GigabitEthernet 7/0/2
[Quidway-GigabitEthernet7/0/2] undo shutdown
[Quidway-GigabitEthernet7/0/2] interface GigabitEthernet 7/0/2.1
[Quidway-GigabitEthernet7/0/2.1] user-vlan 100
[Quidway-GigabitEthernet7/0/2.1-vlan-100-100] quit
[Quidway-GigabitEthernet7/0/2.1] bas
[Quidway-GigabitEthernet7/0/2.1-bas] access-type layer2-subscriber
[Quidway-GigabitEthernet7/0/2.1-bas] authentication-method bind
[Quidway-GigabitEthernet7/0/2.1-bas] default-domain authentication isp1
[Quidway-GigabitEthernet7/0/2.1-bas] quit
[Quidway-GigabitEthernet7/0/2.1] quit

7. Configure the static user.
[Quidway] static-user 172.192.0.8 interface GigabitEthernet 7/0/2.1 vlan 100 detect

8. Configure the uplink interface.
[Quidway] interface GigabitEthernet 7/0/0
[Quidway-GigabitEthernet7/0/0] ip address 192.168.8.1 255.255.255.0

Configuration Files
#
 sysname Quidway
#
interface GigabitEthernet7/0/0
 undo shutdown
 ip address 192.168.8.1 255.255.255.0
#
interface GigabitEthernet7/0/2
 undo shutdown
#
interface GigabitEthernet7/0/2.1
 user-vlan 100
 bas
  access-type layer2-subscriber
  default-domain authentication isp1
  authentication-method bind
#
ip pool pool1 local
 gateway 172.192.0.1 255.255.255.0
 section 0 172.192.0.2 172.192.0.200
 excluded-ip-address 172.192.0.8
#
aaa
 default-user-name include ip-address .
 default-password simple test
 authentication-scheme local
  authentication-mode local
 domain isp1
  authentication-scheme local
  accounting-scheme default0
  ip-pool pool1
#
local-aaa-server
 user 172.192.0.8@isp1 password simple test authentication-type B
#
static-user 172.192.0.8 172.192.0.8 interface GigabitEthernet7/0/2.1 vlan 100 detect
#
return

5 BRAS Access Configuration

About This Chapter
This chapter describes the concepts, rationales, and configurations of IPoX access, PPPoX access, 802.1X access, and leased line access, and provides several configuration examples.
5.1 Introduction to Access Protocols
This section describes the concept and classification of access protocols.
5.2 Introduction to Authentication Methods
This section describes the authentication methods.
5.3 Configuring Web Authentication
This section describes the procedure for configuring web authentication.
5.4 Configuring the 802.1X Template
This section describes the procedure for configuring the 802.1X template.
5.5 Configuring a User VLAN
This section describes the procedure for configuring a user VLAN.
5.6 Configuring the BAS Interface
This section describes the procedure for configuring the BAS interface.
5.7 Configuring the Access Response Delay Policy
This section describes the procedure for configuring the access response delay policy.
5.8 Configuring the Common IPoX Access Service
This section describes the procedure for configuring the common IPoX access service.
5.9 Configuring the Common PPPoX Access Service
This section describes the procedure for configuring the common PPPoX access service.
5.10 Configuring the 802.1X Access Service
This section describes the procedure for configuring the 802.1X access service.
5.11 Configuring the Leased Line Access Service
This section describes the procedure for configuring the leased line access service.
5.12 Configuring the IPv6 Access Service
This section describes the procedure for configuring the IPv6 access service.
5.13 Managing Online Users
This section describes the method of managing online users.
5.14 Maintaining BRAS Access
This section describes the commands used to display information about BRAS access and to debug the BRAS access function.
5.15 Configuration Examples
This section provides several configuration examples of BRAS access.


5.1 Introduction to Access Protocols


This section describes the concept and classification of access protocols.
5.1.1 Concept of Access Protocol
5.1.2 Classification of the Access Protocols

5.1.1 Concept of Access Protocol


As mentioned in chapter 1 "BRAS Service Overview," the differences between access methods are hidden by the access device, and the ME60 is not aware of the access methods of users. The ME60 detects only the encapsulation format of user packets and differentiates users based on the protocol stack of the packets.
For example, a user connects to the ME60 through a LAN switch (the LAN switch tags the packets with a VLAN ID). The user then initiates the access request by dialing in through PPPoE. Figure 5-1 shows the structure of the protocol stack. In this mode, the IP packet of the user is encapsulated with PPP, PPPoE, and Ethernet, and tagged with the VLAN ID. Therefore, this access protocol is called PPPoEoVLAN.
Figure 5-1 Structure of the PPPoEoVLAN protocol stack
[Figure: the PC stack is TCP/UDP, IP, PPP, PPPoE, ETH, carried over a network cable to the LAN switch; the LAN switch adds the 802.1Q VLAN tag (Q) and forwards the frame over optical fiber to the ME60; the ME60 stack is TCP/UDP, IP, PPP, PPPoE, ETH, Q, from which the IP packet is forwarded. The PPPoE connection and the PPP connection run end to end between the PC and the ME60.]

For the PPPoEoVLAN packet, the ME60 must be able to identify the VLAN tag and parse the Ethernet frame, the PPPoE packet, and the PPP packet before it can obtain the IP packet. You need to perform the following configurations on the ME60:
- Configure the Ethernet sub-interface so that the ME60 can identify the VLAN tag and parse the Ethernet frame.
- Bind the Ethernet sub-interface to a virtual template so that the ME60 can parse the PPPoE and PPP packets.

5.1.2 Classification of the Access Protocols


The ME60 allows individual users or leased line users to connect to the Internet by using any access method. For the description of individual users, refer to the Quidway ME60 Multiservice Control Gateway Feature Description - BRAS Services. The access protocols are classified into the following types:
- IPoX (IPoE, IPoEoVLAN, IPoEoQ, and IPoEoA)
- PPPoX (PPPoE, PPPoEoVLAN, PPPoEoQ, PPPoA, and PPPoEoA)
- 802.1X

Figure 5-2 shows the protocol stacks supported by the ME60. The protocol stacks used on the user side and on the access device are not shown here.
Figure 5-2 Structure of the access protocol stacks on the BRAS
[Figure, rendered as text; each line lists one stack from the top layer (TCP/UDP) down to the bearer layer:]
IPoE: TCP/UDP, IP, ETH
IPoEoVLAN: TCP/UDP, IP, ETH, Q
IPoEoQ: TCP/UDP, IP, ETH, Q, Q
IPoEoA: TCP/UDP, IP, ETH, AAL5
PPPoE: TCP/UDP, IP, PPP, PPPoE, ETH
PPPoEoVLAN: TCP/UDP, IP, PPP, PPPoE, ETH, Q
PPPoEoQ: TCP/UDP, IP, PPP, PPPoE, ETH, Q, Q
PPPoEoA: TCP/UDP, IP, PPP, PPPoE, AAL5
PPPoA: TCP/UDP, IP, PPP, AAL5

The protocols for IPoX access are as follows:
- Common IPoX access: IPoE, IPoEoVLAN, IPoEoQ, and IPoEoA
- Layer-3 leased line access: IPoE, IPoEoVLAN, and IPoEoQ
- Layer-2 leased line access: IPoE, IPoEoVLAN, IPoEoQ, and IPoEoA

Based on the service processing method on the ME60, PPPoX access is classified into common PPPoX access and PPP leased line access. The protocol stack used in common PPPoX access consists of PPPoE, PPPoEoVLAN, PPPoEoQ, PPPoA, and PPPoEoA. The protocol stack used in PPP leased line access consists of PPPoE, PPPoEoVLAN, PPPoA, and PPPoEoA.

NOTE
- The structure of the 802.1X protocol stack is similar to the structure of the PPPoE, PPPoEoVLAN, and PPPoEoQ protocol stacks, except that the Ethernet frame of the 802.1X protocol stack carries the EAP protocol. For details about the 802.1X service, see "5.2.4 802.1X Authentication."
- The protocol stacks for leased line access are IPoE, IPoEoVLAN, IPoEoQ, and IPoEoA. For details about leased line access, see "5.11 Configuring the Leased Line Access Service."
- The Neighbor Discovery (ND) protocol is used by IPv6 users. The structure of the protocol stack is similar to the structure of the IPoE, IPoEoVLAN, and IPoEoQ protocol stacks. For details about ND access, see "5.12 Configuring the IPv6 Access Service."
- IPv6 users can also dial in through PPP. The protocol stack used in this access type is similar to the PPPoE, PPPoEoVLAN, and PPPoEoQ protocol stacks. The difference is that this protocol stack carries IPv6 network protocols.
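To make the classification above concrete, the following Python example (added here; it is not Huawei code or part of this guide) peels the layers of a raw Ethernet frame and names the Ethernet-carried stacks listed in this section (IPoE, IPoEoVLAN, IPoEoQ, PPPoE, PPPoEoVLAN, PPPoEoQ, 802.1X) the way the ME60 has to parse them. The EtherTypes, PPPoE and EAPoL header layouts, and PPP protocol numbers come from RFC 2516, IEEE 802.1X, and RFC 1661/3748; the sample frames are constructed, and the ATM-carried stacks (IPoEoA, PPPoA, PPPoEoA) are outside its scope.

```python
"""Classify the access-protocol stack of a raw Ethernet frame.

Added example, not Huawei code: peels the layers listed in 5.1.2 (ETH,
802.1Q tags, PPPoE, PPP, EAPoL) from a frame and names the stack the way
the ME60 has to parse it. ATM-carried stacks (IPoEoA, PPPoA, PPPoEoA) are
not Ethernet frames and are outside this example. Sample frames below are
constructed, not captured.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100        # 802.1Q tag
ETHERTYPE_QINQ = 0x88A8        # 802.1ad outer (service) tag
ETHERTYPE_PPPOE_DISC = 0x8863  # PPPoE discovery stage (RFC 2516)
ETHERTYPE_PPPOE_SESS = 0x8864  # PPPoE session stage (RFC 2516)
ETHERTYPE_EAPOL = 0x888E       # 802.1X bearer type cited in 5.2.4

# PPP protocol numbers that follow the PPPoE session header
PPP_PROTOCOLS = {0x0021: "IPv4", 0x8021: "IPCP", 0xC021: "LCP",
                 0xC023: "PAP", 0xC223: "CHAP", 0xC227: "EAP"}
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def classify_frame(frame: bytes) -> dict:
    """Return the stack name (IPoE, PPPoEoVLAN, 802.1XoQ, ...) plus details."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    vlans = []
    offset = 12                                   # skip dst and src MAC
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    # Peel 802.1Q tags: one tag is "oVLAN", two stacked tags are "oQ" (QinQ).
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlans.append(tci & 0x0FFF)                # low 12 bits carry the VLAN ID
        offset += 4
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    offset += 2
    suffix = {0: "", 1: "oVLAN", 2: "oQ"}.get(len(vlans))
    if suffix is None:
        raise ValueError("more than two 802.1Q tags")
    payload = frame[offset:]
    result = {"vlans": vlans}

    if ethertype == ETHERTYPE_IPV4:
        result["stack"] = "IPoE" + suffix
    elif ethertype == ETHERTYPE_PPPOE_DISC:
        result["stack"] = "PPPoE" + suffix
        result["phase"] = "discovery"
    elif ethertype == ETHERTYPE_PPPOE_SESS:
        # PPPoE session header: ver/type, code, session id, length, then the
        # 2-byte PPP protocol field (RFC 2516 section 4, RFC 1661 section 2).
        if len(payload) < 8:
            raise ValueError("truncated PPPoE session header")
        _vt, _code, session_id, _length, ppp_proto = struct.unpack_from("!BBHHH", payload)
        result["stack"] = "PPPoE" + suffix
        result["phase"] = "session"
        result["session_id"] = session_id
        result["ppp_protocol"] = PPP_PROTOCOLS.get(ppp_proto, hex(ppp_proto))
    elif ethertype == ETHERTYPE_EAPOL:
        # EAPoL header: protocol version, packet type, body length.
        if len(payload) < 4:
            raise ValueError("truncated EAPoL header")
        _ver, eapol_type, body_len = struct.unpack_from("!BBH", payload)
        result["stack"] = "802.1X" + suffix
        result["eapol_type"] = EAPOL_TYPES.get(eapol_type, str(eapol_type))
        if eapol_type == 0 and body_len >= 4 and len(payload) >= 8:
            code, ident, _eap_len = struct.unpack_from("!BBH", payload, 4)
            result["eap"] = (EAP_CODES.get(code, str(code)), ident)
    else:
        result["stack"] = "unknown"
        result["ethertype"] = hex(ethertype)
    return result


def build_frame(vlans, ethertype, payload=b"") -> bytes:
    """Construct a sample frame; vlans lists stacked VLAN IDs, outer tag first."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for i, vid in enumerate(vlans):
        tag_type = ETHERTYPE_QINQ if (i == 0 and len(vlans) == 2) else ETHERTYPE_VLAN
        frame += struct.pack("!HH", tag_type, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


# Constructed samples: a CHAP packet inside a PPPoEoVLAN session, an IPoEoQ
# frame, and an EAPOL-Start from an 802.1X dialer on an untagged port.
PPPOE_CHAP_FRAME = build_frame(
    [100], ETHERTYPE_PPPOE_SESS,
    struct.pack("!BBHHH", 0x11, 0x00, 0x0001, 6, 0xC223) + b"\x01\x01\x00\x04")
IPOEOQ_FRAME = build_frame([2000, 7], ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
EAPOL_START_FRAME = build_frame([], ETHERTYPE_EAPOL, struct.pack("!BBH", 1, 1, 0))

if __name__ == "__main__":
    for label, frame in [("PPPoEoVLAN/CHAP", PPPOE_CHAP_FRAME),
                         ("IPoEoQ", IPOEOQ_FRAME),
                         ("802.1X start", EAPOL_START_FRAME)]:
        print(f"{label:16s} {classify_frame(frame)}")
```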

5.2 Introduction to Authentication Methods


This section describes the authentication methods.
5.2.1 Web Authentication and Fast Authentication
5.2.2 Binding Authentication
5.2.3 PPP Authentication
5.2.4 802.1X Authentication
5.2.5 References

5.2.1 Web Authentication and Fast Authentication


Terms
- Web authentication: Web authentication is an authentication method that requires users to log in to the authentication page of the authentication server and enter their user names and passwords to verify their identities.
- Fast authentication: Fast authentication is simplified web authentication. The user opens the web page for authentication but does not need to enter a user name and password. The ME60 generates the user name and password (vlan) according to information about the BAS interface from which the user logs in.
- Mandatory web authentication: If a user that requires web authentication or fast authentication attempts to access an unauthorized address before authentication, the ME60 redirects the access request to the web authentication server. The mandatory web authentication server is different from the captive portal. The mandatory web authentication server is used to redirect unauthorized access requests before authentication, and the captive portal is used to redirect the first access request of the user after authentication.
- Portal protocol: The portal protocol of Huawei is used to exchange information between web servers and other devices. The portal protocol is based on the client/server model and uses UDP to transfer data. In web authentication, the portal protocol is used for the communication between the web authentication server and the ME60. In this case, the ME60 functions as the client. After obtaining the user name and password entered by the user, the web authentication server sends them to the ME60 through the portal protocol.

Web Authentication Networking


Figure 5-3 shows the networking of web authentication. After accessing the ME60, a user needs to log in to the web authentication server for authentication. The user can connect to the Internet after the authentication succeeds.
Figure 5-3 Typical networking of web authentication
[Figure: subscribers connect through the access network to the ME60, which connects to the Internet; a web server and a RADIUS server are attached to the ME60.]

Web Authentication Process


The web authentication process is as follows:
1. The user logs in to the web authentication server directly or is redirected to the web authentication server by the ME60. The user then downloads the client software for heartbeat detection.
2. In web authentication, the user must enter the user name and the password on the web authentication page and submit the information to the web authentication server. In fast authentication, the user can submit an authentication request without entering the user name and password.
3. The web authentication server obtains the user name and password provided by the user or the system, and sends them to the ME60 through the portal protocol.
4. The ME60 sends the user name and the password to the RADIUS server or the HWTACACS server.
5. If the authentication is successful, the ME60 grants the related rights to the user and notifies the web authentication server through the portal protocol. The web authentication server then displays a page indicating successful authentication to the user.
6. The user connects to the Internet, and the ME60 starts accounting. The client of the user sends heartbeat packets to notify the ME60 about the online status of the user.
7. If the web authentication server fails to receive a heartbeat packet within a particular period of time, it considers that the user has gone offline abnormally and notifies the ME60. The ME60 then disconnects the user and stops accounting. The user can also send a disconnection request to the web authentication server through the client. In this case, the web authentication server requests the ME60 to disconnect the user immediately and stop accounting.


5.2.2 Binding Authentication


Binding authentication means that the ME60 creates an account and a password based on the user location. In binding authentication, the user triggers the authentication by sending an IP packet to the ME60; alternatively, the ME60 can trigger the authentication by detecting the online user through ARP. The ME60 then generates the user name and password according to the location of the user and sends them to the RADIUS server for authentication.

5.2.3 PPP Authentication


PPP Overview
The Point-to-Point Protocol (PPP) is a link layer protocol that transmits network layer packets on a point-to-point (P2P) link. PPP is widely used because it supports user authentication and both synchronous and asynchronous transmission, and it is easy to extend. The PPP suite consists of the Link Control Protocol (LCP), the Network Control Protocol (NCP), and its extended protocols. PAP, CHAP, and MSCHAP are extended protocols used for network security authentication.
- LCP is used to negotiate link parameters and to establish and maintain the link.
- NCP is used to negotiate parameters of network layer protocols.
- PAP, CHAP, and MSCHAP are used to authenticate users.

Before creating the link, PPP goes through a series of negotiations.
1. PPP goes through the LCP negotiation. The two parties negotiate parameters such as the MRU, magic number, authentication method, and asynchronous character mapping. For details, refer to RFC 1661. After the LCP negotiation, PPP begins to create the link.
2. If CHAP or PAP authentication is configured, PPP performs CHAP or PAP authentication.
3. After the authentication, PPP goes through the NCP negotiation, such as the negotiation of the PPP Internet Protocol Control Protocol (IPCP) and the PPP Internetworking Packet Exchange Control Protocol (IPXCP). In the IPCP negotiation, the server allocates IP addresses to the clients. If any negotiation fails, the link is disconnected.
The ME60 can allocate address segments through the IPCP negotiation. Thus, the ME60 can allocate a gateway address and mask to a family. Multiple user terminals can be connected to the gateway, and the terminals in the same network segment can communicate with each other.

PPP Authentication Protocols


The ME60 supports the Password Authentication Protocol (PAP), the Challenge Handshake Authentication Protocol (CHAP), and the Microsoft CHAP (MSCHAP), as described in Table 5-1.
Table 5-1 PPP authentication protocols
Protocol: PAP
Description: In PAP authentication, handshake packets are exchanged twice, and the password is sent in plain text. The process of PAP authentication is as follows:
1. The authenticated party sends the user name and password to the authenticator.
2. The authenticator checks whether the user name exists and whether the password is correct, and then returns a response (Acknowledge or Not Acknowledge).
Protocol: CHAP
Description: In CHAP authentication, handshake packets are exchanged three times, and the password is not sent in plain text. The process of CHAP authentication is as follows:
1. The authenticator sends a randomly generated Challenge packet to the authenticated party.
2. The authenticated party computes an MD5 hash over the random challenge and its own password, and sends the result (Response) to the authenticator.
3. The authenticator computes the same MD5 hash over the original challenge and the password saved locally. It compares the two values and then sends back a response (Acknowledge or Not Acknowledge) according to the comparison result.
Protocol: MSCHAP
Description: MSCHAP, which was extended by Microsoft, derives from the CHAP protocol. Encryption and hashing algorithms are integrated into the MSCHAP protocol. Therefore, MSCHAP authentication is suitable for LAN users. The MSCHAP protocol has two versions, namely, MSCHAP V1 and MSCHAP V2.
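The PAP and CHAP rows of Table 5-1 can be exercised in code. The following Python example (added here; not Huawei code or part of this guide) implements both sides of the three-way CHAP handshake as RFC 1994 specifies it, with the Response value computed as MD5 over the identifier, the secret and the challenge, and contrasts it with the two-way PAP exchange in which the password itself is the packet content. The user name, secret and authenticator name are constructed sample values.

```python
"""PAP and CHAP exchanges from Table 5-1, as an added illustration.

Added example, not Huawei code. CHAP follows RFC 1994: the authenticator sends
a random Challenge, the peer answers with MD5(identifier || secret || challenge),
and the authenticator recomputes the hash from the secret it stores locally.
PAP (RFC 1334) simply carries the name and password in the request.
"""
import hashlib
import hmac
import os

# Constructed sample: secrets the authenticator (the ME60 side) holds locally.
# Note that CHAP needs the secret itself on the authenticator, not only a
# one-way hash of it, because the authenticator must recompute the Response.
SECRET_DB = {"user1@isp1": "test"}


def pap_request(peer_id: str, password: str) -> dict:
    """PAP step 1: the peer sends its name and password; this is the wire content."""
    return {"peer_id": peer_id, "password": password}


def pap_verify(request: dict, secret_db: dict) -> bool:
    """PAP step 2: look the name up and compare the plain-text password."""
    stored = secret_db.get(request["peer_id"])
    return stored is not None and hmac.compare_digest(
        stored.encode(), request["password"].encode())


def chap_challenge(identifier: int, authenticator_name: str) -> dict:
    """CHAP step 1: a fresh random Challenge packet (it travels in the clear)."""
    return {"id": identifier & 0xFF, "value": os.urandom(16),
            "name": authenticator_name}


def chap_hash(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier, secret and Challenge Value."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode()
                       + challenge).digest()


def chap_response(challenge: dict, peer_name: str, secret: str) -> dict:
    """CHAP step 2: the peer returns the hash; the secret never leaves it."""
    return {"id": challenge["id"], "name": peer_name,
            "value": chap_hash(challenge["id"], secret, challenge["value"])}


def chap_verify(challenge: dict, response: dict, secret_db: dict) -> bool:
    """CHAP step 3: recompute with the local secret and compare in constant time."""
    if response["id"] != challenge["id"]:
        return False          # answers a different (possibly replayed) challenge
    secret = secret_db.get(response["name"])
    if secret is None:
        return False
    expected = chap_hash(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def run_chap(peer_name: str, secret: str, identifier: int = 1) -> bool:
    """Drive one complete three-way CHAP handshake against SECRET_DB."""
    challenge = chap_challenge(identifier, "ME60")
    response = chap_response(challenge, peer_name, secret)
    return chap_verify(challenge, response, SECRET_DB)


def run_pap(peer_name: str, password: str) -> bool:
    """Drive one complete two-way PAP exchange against SECRET_DB."""
    return pap_verify(pap_request(peer_name, password), SECRET_DB)


def replayed_response_rejected() -> bool:
    """A Response captured for one Challenge is useless against the next one."""
    first = chap_challenge(1, "ME60")
    captured = chap_response(first, "user1@isp1", "test")
    second = chap_challenge(2, "ME60")      # new identifier, new random value
    return not chap_verify(second, captured, SECRET_DB)


if __name__ == "__main__":
    print("PAP  valid password :", run_pap("user1@isp1", "test"))
    print("PAP  wrong password :", run_pap("user1@isp1", "wrong"))
    print("CHAP valid secret   :", run_chap("user1@isp1", "test"))
    print("CHAP wrong secret   :", run_chap("user1@isp1", "wrong"))
    print("CHAP replay rejected:", replayed_response_rejected())
```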

5.2.4 802.1X Authentication


Overview of the 802.1X
The IEEE Std 802.1X-2001 (802.1X) protocol derives from the 802.11 protocol used in the wireless local area network (WLAN). At the beginning, it was used to control the link layer access of wireless users and to verify user identities. In extended 802.1X, Ethernet frames can be used as the bearer packets for the Ethernet and other wired access modes. On the ME60, the 802.1X protocol can be used for the WLAN users and other ordinary wired access users. 802.1X uses the Extensible Authentication Protocol (EAP) as its authentication protocol and the EAP over LAN (EAPoL) protocol as the link layer protocol.

EAP
The EAP protocol (described in RFC 3748) is an extended authentication protocol of PPP. Different from the PPP authentication process, the ME60 chooses the authentication method according to the actual situation through EAP, instead of negotiating the authentication method through LCP. EAP can be used to exchange more information through LCP so that the ME60 can decide the authentication mechanism. The EAP packet is encapsulated in the Information field of the PPP frame. The protocol value is 0xc227.

EAPoL
In the 802.1X protocol, the Ethernet frames with type value 0x888e are used as the bearer packets of the 802.1X protocol, namely, EAPoL packets. EAPoL applies to only the EAP control packets. The user packets are sent in the Ethernet frames.

802.1X Authentication Process


The 802.1X authentication process is as follows:
1. A user enters the user name and the password through the 802.1X dialer.
2. The dialer sends an authentication request packet (EAPoL packet) to the ME60. In the transmission, the packet may be tagged with a VLAN ID.
3. The ME60 interacts with the user through EAP to obtain the user name and password, and conducts the (local or remote) authentication.
4. If the user passes the authentication, the ME60 allocates an IP address through DHCP. The user can go online.
5. By sending handshake packets, the ME60 communicates with the 802.1X dialer periodically to check the status of the online user.

5.2.5 References
For more information about PPP, PPPoE, EAP, and 802.1X, refer to the following documents.
- RFC 1332: The PPP Internet Protocol Control Protocol (IPCP) (May 1992)
- RFC 1570: PPP LCP Extensions (January 1994)
- RFC 1661: The Point-to-Point Protocol (PPP) (July 1994)
- RFC 1662: PPP in HDLC-like Framing (July 1994)
- RFC 1877: PPP Internet Protocol Control Protocol Extensions for Name Server Addresses (December 1995)
- RFC 2153: PPP Vendor Extensions (May 1997)
- RFC 2484: PPP LCP Internationalization Configuration Option (January 1999)
- RFC 2516: A Method for Transmitting PPP Over Ethernet (PPPoE) (February 1999)
- RFC 3748: Extensible Authentication Protocol (EAP) (June 2004)
- IEEE Std 802.1X-2001: IEEE Standard for Local and Metropolitan Area Networks - Port-Based Network Access Control

5.3 Configuring Web Authentication


This section describes the procedure for configuring web authentication.
5.3.1 Establishing the Configuration Task
5.3.2 Configuring the Web Authentication Server
5.3.3 Configuring Pre-authentication Domain on the BAS Interface
5.3.4 (Optional) Configuring the Portal Protocol
5.3.5 (Optional) Configuring Mandatory Web Authentication
5.3.6 (Optional) Configuring the Service Type for Domain Users
5.3.7 Checking the Configuration

5.3.1 Establishing the Configuration Task


Applicable Environment
When users use web authentication, you need to configure the web authentication server.

Pre-configuration Tasks
Before configuring web authentication, complete the following tasks:
- Configuring the default pre-authentication domain (see chapter 4 "User Management")
- Configuring an address pool for the default pre-authentication domain to use before authentication (see chapter 3 "Address Management")
- Configuring the access control list (ACL) that controls the rights of the users in the default pre-authentication domain. The users in the domain can access only the web authentication server, the DNS server, the loopback address, and other required servers. For details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.

Data Preparation
To configure web authentication, you need the following data.
No. | Data
1 | IP address, port number, VPN instance, and shared key of the web authentication server
2 | Portal protocol version, listening port number, and source interface of the ME60
3 | Whether to transparently transmit the RADIUS message to the web authentication server
4 | Default pre-authentication domain on the BAS interface
5 | (Optional) Whether to use mandatory web authentication


5.3.2 Configuring the Web Authentication Server


Context
When configuring the web authentication server, you need to configure the following parameters:
l l l l

IP address and VPN instance of the server Port number of the server Shared key of the server Whether the ME60 reports its own IP address to the server

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
web-auth-server ip-address [ vpn-instance instance-name ] [ port port-number ] [ key key-string ] [ nas-ip-address ]

The web authentication server is configured.
By default, no web authentication server is configured on the ME60. When a web authentication server is configured, the default port number is 50100, the default shared key is null, and the ME60 does not send its IP address to the web authentication server.
----End

5.3.3 Configuring Pre-authentication Domain on the BAS Interface


Context
In web authentication, a user that has not yet been authenticated cannot obtain an IP address and has no right to access the web authentication server. In this case, the user cannot be authenticated at all. To solve this problem, the ME60 provides a default pre-authentication domain, which can be configured on an interface. Web authentication users that are not yet authenticated belong to this domain. Such a user obtains an IP address from the domain and accesses the web authentication server with the rights granted by that domain.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface interface-type interface-number

The interface view is displayed.
Step 3 Run:
access-type layer2-subscriber

The access type of the user is set to layer-2 access.
Step 4 Run:
default-domain pre-authentication domain-name

The pre-authentication domain is specified. By default, the pre-authentication domain on the BAS interface is default0.
----End

5.3.4 (Optional) Configuring the Portal Protocol


Context
The configuration of the portal protocol involves the following parameters, which apply to all the web authentication servers:
- Portal protocol version: The portal protocol has two versions, namely, V1 and V2.
- Listening port number: The listening port number is the port number used by the ME60 to listen for messages from the web authentication server.
- Source interface of packets: After the source interface is configured, the ME60 uses the IP address of the source interface as the source IP address of the portal packets. Usually, the source interface is set to a management interface or a loopback interface of the ME60.
- Transparent transmission of RADIUS packets: Transparent transmission means that the ME60 forwards the RADIUS packet to the web authentication server without any processing.

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
web-auth-server version v2 [ v1 ]

The portal protocol version is set. By default, the ME60 supports both V1 and V2.
Or run:
web-auth-server listening-port port

The listening port number of the ME60 is specified. By default, the ME60 uses port 2000 to listen for messages from the web authentication server.
Or run:
web-auth-server source interface interface-type interface-number

The source interface for the ME60 to send packets is configured. By default, the source interface of portal packets is not configured on the ME60, and the ME60 uses the IP address of the outgoing interface of the packets as the source IP address.
Or run:
web-auth-server reply-message

The ME60 is configured to transparently transmit RADIUS packets. By default, the ME60 transparently transmits RADIUS packets to the web authentication server.
----End

5.3.5 (Optional) Configuring Mandatory Web Authentication


Context
Mandatory web authentication means that the ME60 redirects the access request of a user to the specified web server for authentication if the user accesses a URL without permission before the authentication. Based on mandatory web authentication, the ME60 implements the following functions:

- Push to the first page: After a user passes the authentication, the web server displays the page that the user tried to access before authentication. The user does not need to enter the URL of the page again.

- Personalized portal: During web authentication, the ME60 sends the physical location of the personalized site to the portal server. The portal server then pushes the personalized authentication page to the user terminal.

NOTE
If the ME60 sends the physical location of the personalized site and the physical location of itself to the portal server simultaneously, the portal server can identify the ME60 among multiple BRASs.

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The view of the pre-authentication domain is displayed.

Step 4 Run:
web-server { url url | ip-address | mode { get | post } | redirect-key { mscg-ip mscg-ip-key | user-ip-address user-ip-key | user-location user-location-key } | user-first-url-key { key-name | default-name } }

The mandatory web authentication server is configured. The URL to which access requests are redirected takes the form http://www.isp.com/index.htm. It is recommended that you also specify the IP address of the web server so that user access is not affected when DNS faults occur. The ME60 supports two modes for accessing the HTTP page: get and post. The two modes define different formats of packets exchanged between the ME60 and the HTTP page.

----End

5.3.6 (Optional) Configuring the Service Type for Domain Users


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
domain domain-name

The domain view is displayed.

Step 3 Run:
service-type hsi

The service type for domain users is set to HSI.

----End
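The steps in 5.3.3 through 5.3.6 pulled together into one configuration sequence, as an added example that is not configuration taken from this guide. The interface, the domain names, the loopback, the portal URL and the server address 192.0.2.10 are assumed values; the web authentication server itself is declared earlier in section 5.3 and is not repeated here. The quit commands and the indentation follow the usual VRP convention. The commented-out web-server url line shows the weaker form that depends on DNS alone; the lines that follow it are the form the guide recommends.

```text
# Added example: web authentication on one BAS interface.
# Names and addresses below are assumed values, not from the guide.
system-view
#
# Portal protocol parameters (global). Pinning the source address to a
# loopback gives the portal server one stable ME60 address to expect
# and to filter on, instead of whichever outgoing interface is used.
web-auth-server version v2
web-auth-server source interface LoopBack0
#
# Pre-authentication domain: the only rights an unauthenticated user has.
# Weak form, left here as a comment: a redirect target by DNS name only,
# so a DNS fault before login leaves every user unable to authenticate.
#   web-server url http://portal.isp.example/index.htm
# Recommended form: the URL plus the server's IP address (192.0.2.10).
aaa
 domain preauth
  web-server url http://portal.isp.example/index.htm
  web-server 192.0.2.10
  web-server mode post
  quit
 domain hsi_users
  service-type hsi
  quit
 quit
#
# BAS interface for layer-2 users authenticated through the portal.
interface GigabitEthernet1/0/0
 bas
  access-type layer2-subscriber
  authentication-method web
  default-domain pre-authentication preauth
  default-domain authentication hsi_users
  quit
 quit
#
# Check.
display web-auth-server configuration
display domain name preauth
```

Keep the pre-authentication domain as small as possible: everything reachable from it is reachable by anyone who plugs in, before any credential has been checked.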

5.3.7 Checking the Configuration


Run the following commands to check the previous configuration.

Action: Check the configuration of the web authentication server.
Command: display web-auth-server configuration

Action: Check the configuration of the domain.
Command: display domain [ name domain-name | [ vpn-instance vpn-instance-name ] ]

5.4 Configuring the 802.1X Template


This section describes the procedure for configuring the 802.1X template.

5.4.1 Establishing the Configuration Task
5.4.2 Creating an 802.1X Template
5.4.3 Configuring the Timeout of Authentication Response
5.4.4 Configuring the Timeout and Retransmission Count of the Request Packets
5.4.5 (Optional) Configuring the Timeout and Retransmission Count of the Keepalive Packets
5.4.6 (Optional) Configuring the Re-authentication Interval
5.4.7 Configuring the ME60 to Terminate EAP Packets
5.4.8 (Optional) Configuring the ME60 to Deliver the EAP-SIM Authentication Parameters
5.4.9 Checking the Configuration

5.4.1 Establishing the Configuration Task


Applicable Environment
When 802.1X authentication is required, you need to configure the 802.1X template on the ME60. The 802.1X template specifies the parameters negotiated between the ME60 and the 802.1X client. After configuring an 802.1X template, you can reference it in a domain. The ME60 then performs the 802.1X negotiation with the parameters defined in the template during 802.1X authentication. For details, see chapter 4 "User Management."

Pre-configuration Tasks
None.

Data Preparation
To configure an 802.1X template, you need the following data.

No.  Data
1    802.1X template number
2    Timeout of authentication response
3    Timeout and retransmission count of Request packets
4    (Optional) Timeout and retransmission count of Keepalive packets
5    (Optional) Re-authentication interval
6    Option of terminating the EAP packets
7    (Optional) Option of delivering the EAP-SIM authentication parameters

5.4.2 Creating an 802.1X Template


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x-template dot1x-template-number

An 802.1X template is created. 802.1X templates are identified by numbers. The 802.1X template numbered 1 is provided by the system; it can be modified but cannot be deleted. You can create up to 255 802.1X templates.

----End

5.4.3 Configuring the Timeout of Authentication Response


Context
The timeout of the authentication response refers to how long the ME60 waits for a response after it sends the authentication packet to the authentication server. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x-template dot1x-template-number

The 802.1X template view is displayed.

Step 3 Run:
authentication timeout time

The timeout of the authentication response is configured. By default, the timeout is 30 seconds.

----End

5.4.4 Configuring the Timeout and Retransmission Count of the Request Packets
Context
The ME60 requests the user information from the 802.1X client by sending request (EAP-Request) packets. After sending a request packet, if the ME60 does not receive the response (EAP-Response) within the specified time, it re-sends the request packet. If the ME60 still receives no response after the specified number of retransmission attempts, it stops setting up the connection with the client. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x-template dot1x-template-number

The 802.1X template view is displayed.

Step 3 Run:
request { interval time | retransmit times } *

The timeout and retransmission count of the request packets are set. By default, the timeout of request packets is 30 seconds and the retransmission count is 2.

----End

5.4.5 (Optional) Configuring the Timeout and Retransmission Count of the Keepalive Packets
Context
As specified in the 802.1X protocol, the client only needs to send the EAPoL-Logoff packet when the user goes offline, and the server does not respond. If the packet is lost during the transmission, the server cannot obtain the logout information of the user on time, so the accounting may be abnormal.

The ME60 periodically sends the keepalive packet (EAP-Request/Identity) to the 802.1X client and receives the response packet (EAP-Response/Identity). The ME60 checks whether the client is online by using this handshake mechanism. If the ME60 does not receive the response (EAP-Response) within the specified time, it re-sends the keepalive packet. If the ME60 still receives no response after the specified number of retransmission attempts, it considers the user offline and clears the connection resources. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x-template dot1x-template-number

The 802.1X template view is displayed.

Step 3 Run:
keepalive { interval time | retransmit times } *

The timeout and retransmission count of the keepalive packets are set. By default, the timeout of keepalive packets is 20 seconds, and the retransmission count is 0. That is, the handshake mechanism is not used.

----End

5.4.6 (Optional) Configuring the Re-authentication Interval


Context
Re-authentication means that the ME60 periodically sends authentication requests (EAP-Request) to the 802.1X client to trigger authentication again. This function re-verifies online users so that an unauthorized user cannot keep using the 802.1X logical port. If re-authentication is very frequent, the system performance declines. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x-template dot1x-template-number

The 802.1X template view is displayed.

Step 3 Run:
reauthentication interval time

The re-authentication interval is configured. By default, the re-authentication interval is 3600 seconds (one hour).

----End

5.4.7 Configuring the ME60 to Terminate EAP Packets


Context
As described in RFC 3748, the network device can process EAP packets in either of the following two ways:

- Terminate the EAP packets. The network device obtains the user information through PAP/CHAP negotiation with the client, and then sends the user information to the authentication server for authentication.

- Transparently transmit the EAP packets as the pass-through agent. The network device transparently transmits the EAP packets to the remote server. The remote server and the client then conduct the authentication.

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x-template dot1x-template-number

The 802.1X template view is displayed.

Step 3 Run:
eap-end [ chap | pap ]

The ME60 is configured to terminate EAP packets. By default, the ME60 transparently transmits the EAP packets to the server instead of terminating them.

----End

5.4.8 (Optional) Configuring the ME60 to Deliver the EAP-SIM Authentication Parameters
Context
The ME60 supports EAP-SIM authentication. You can enable or disable the function of delivering the authentication parameters (such as IP address of the user, IP address of the equipment, and the ACName of the equipment) to the authentication server. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x-template dot1x-template-number

The 802.1X template view is displayed.

Step 3 Run:
eap-sim-parameter

The ME60 is configured to deliver the authentication parameters. By default, the ME60 does not deliver the authentication parameters to the authentication server.

----End

5.4.9 Checking the Configuration


Run the following command to check the previous configuration.

Action: Check the configuration of the 802.1X template.
Command: display dot1x-template number
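A complete 802.1X template applying 5.4.2 through 5.4.7, with the defaults this guide lists and the two settings a practitioner would change shown against them. This is an added example, not configuration from this guide: the template number 2 and the timer values are assumptions, and the command that binds the template to a domain belongs to chapter 4 and is not shown.

```text
# Added example: 802.1X template 2. Template number and values are
# assumed; the guide's defaults are noted where a value is changed.
system-view
dot1x-template 2
 # Wait up to 30 s for the authentication server's answer (the default).
 authentication timeout 30
 # EAP-Request towards the client: retry every 10 s, 3 times
 # (defaults: 30 s, 2 retransmissions).
 request interval 10 retransmit 3
 # Default is "keepalive interval 20 retransmit 0", i.e. no handshake,
 # so a client whose EAPoL-Logoff is lost stays online and keeps being
 # accounted. With 3 retransmissions a silent client is removed after
 # roughly 4 x 20 s.
 keepalive interval 20 retransmit 3
 # Re-verify online users every 30 minutes (default 3600 s). Shorter
 # intervals catch a reused port sooner but add RADIUS load.
 reauthentication interval 1800
 # No "eap-end": the ME60 stays a pass-through agent and the RADIUS
 # server completes the EAP method with the client. Use "eap-end chap"
 # only where the server cannot speak EAP, accepting that the ME60 then
 # terminates EAP locally and forwards the user information as CHAP.
 quit
#
# The template is referenced from the domain (chapter 4, not shown).
display dot1x-template 2
```

The keepalive change is the one that matters for accounting accuracy and for freeing port resources: with the default retransmit count of 0 nothing on the ME60 ever notices a client that disappeared without an EAPoL-Logoff.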

5.5 Configuring a User VLAN


This section describes the procedure for configuring a user VLAN.

5.5.1 Establishing the Configuration Task
5.5.2 Configuring the User-Termination Mode on the Master Interface (for Layer-3 Leased Lines)
5.5.3 Configuring the Mapping Between the Control VLAN and Termination Sub-Interface (for Layer-3 Leased Lines)
5.5.4 Configuring Packet Termination on the Sub-Interface (for Layer-3 Leased Lines)
5.5.5 Creating User VLANs (for Users Not Using Layer-3 Leased Lines)
5.5.6 Checking the Configuration

5.5.1 Establishing the Configuration Task


Applicable Environment
A sub-interface on the ME60 can be bound to the user VLAN so that the ME60 can identify the users that can access this sub-interface.

Pre-configuration Tasks
None.

Data Preparation
To configure a user VLAN, you need the following data.

No.  Data
1    Sub-interface number
2    ID of the user VLAN
3    (Optional) ID of the QinQ VLAN

5.5.2 Configuring the User-Termination Mode on the Master Interface (for Layer-3 Leased Lines)
Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The view of the Ethernet master interface for receiving packets of the access users is displayed.

Step 3 Run:
mode user-termination

The user-termination mode is configured on the interface. When running this command on the master interface, make sure that no sub-interface is configured on the master interface.

----End

5.5.3 Configuring the Mapping Between the Control VLAN and Termination Sub-Interface (for Layer-3 Leased Lines)
Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number.subinterface-number

The view of the Ethernet sub-interface for receiving packets of the access users is displayed.

Step 3 Run:
control-vid vid dot1q-termination [ rt-protocol ]

The mapping between the control VLAN and the dot1q termination sub-interface is configured.

Or run:
control-vid vid qinq-termination [ dynamic [ rt-protocol ] | local-switch | rt-protocol ]

The mapping between the control VLAN and the QinQ termination sub-interface is configured.

----End

Postrequisite
After the user-termination mode is configured on the Ethernet master interface, run the control-vid command on each Ethernet sub-interface so that the different sub-interfaces of the same master interface can be distinguished.

5.5.4 Configuring Packet Termination on the Sub-Interface (for Layer-3 Leased Lines)
Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number.subinterface-number

The view of the Ethernet sub-interface for receiving packets of the access users is displayed.

Step 3 Run:
dot1q termination vid low-pe-vid

The function of terminating packets with one tag is configured. To terminate the received user packets with one tag on the sub-interface, run the dot1q termination vid command on the sub-interface. The value of the tag in the received user packet must be within the range of pe-vid specified in the dot1q termination vid command.

Or run:
qinq termination pe-vid pe-vid ce-vid low-ce-vid

The function of terminating packets with two tags is configured. To terminate the received user packets with two tags on the sub-interface, run the qinq termination pe-vid command on the sub-interface. The value of the outer tag in the received user packet must be the same as the PE VLAN ID specified in the qinq termination pe-vid command, and the value of the inner tag must be within the CE VLAN ID range specified in this command.

----End

5.5.5 Creating User VLANs (for Users Not Using Layer-3 Leased Lines)
Context
You can configure inner or outer VLANs in batches on the ME60. You can configure up to 4094 inner VLANs or up to 16 outer VLANs at a time. If the any-other keyword is used, all VLANs and QinQ VLANs that are not configured on the physical interface of the sub-interface are configured on this sub-interface. The any-other keyword can be used on only one sub-interface of a physical interface, and it cannot be used together with the start-vlan, end-vlan or qinq parameters.

The ME60 supports dynamic VLANs. Multiple user VLANs can be configured on a sub-interface, and the number of VLANs is not limited. Up to 65536 user VLANs can be in use at the same time on a board. If specific VLANs are configured and their number is less than 16384, the configured VLANs take effect immediately; otherwise, the VLANs take effect when users log in. If the any-other keyword is used, the configured VLANs take effect only when users log in.

The ME60 supports the aging of dynamic VLANs to ensure the reasonable usage of the limited VLANs. After the aging time, non-static VLANs that are not in use can be used by other users. A VLAN is, however, marked as a static VLAN in the following cases:

- The qos service-group, qos vc-group, or qos car command is run in the VLAN view.

- The access-limit, multicast-profile, or block command is run in the BAS view and the VLAN is specified in the command.

A static VLAN does not age. The ME60 supports up to 4096 static VLANs. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type sub-interface-number

The sub-interface view is displayed.

Step 3 Run:
user-vlan { start-vlan [ end-vlan ] [ qinq start-qinq-id [ end-qinq-id ] ] | any-other }

User VLANs are created. After a user VLAN is created, the system enters the VLAN view. By default, no user VLAN is configured on the Ethernet sub-interface.

----End

5.5.6 Checking the Configuration


Run the following commands to check the previous configuration.

Action: Check the configuration of the VLAN.
Command: display vlan total { interface interface-type interface-number | slot } [ dynamic | static ]

Action: Check information about the dot1q termination interface for layer-3 leased lines.
Command: display dot1q information termination [ interface interface-type interface-number [ .subinterface-number ] ]

Action: Check information about the QinQ termination interface for layer-3 leased lines.
Command: display qinq information { stacking | termination } [ interface interface-type interface-number [ .subinterface-number ] ]

5.6 Configuring the BAS Interface


This section describes the procedure for configuring the BAS interface.

5.6.1 Establishing the Configuration Task
5.6.2 Creating a BAS Interface
5.6.3 Configuring the Access Type and Attributes of Users
5.6.4 Configuring the Authentication Method
5.6.5 (Optional) Configuring the Limit to Access Users
5.6.6 (Optional) Specifying a Domain
5.6.7 (Optional) Configuring Logical Parameters of the BAS Interface
5.6.8 (Optional) Configuring the User Locating Function
5.6.9 (Optional) Configuring Additional Functions
5.6.10 (Optional) Configuring Other Parameters
5.6.11 (Optional) Blocking the BAS Interface
5.6.12 Checking the Configuration

5.6.1 Establishing the Configuration Task


Applicable Environment
When an interface is used for broadband user access, you need to configure the interface to a BAS interface and set the access type for the user and other attributes.

Pre-configuration Tasks
Before configuring the BAS interface, complete the following tasks:

- Configuring the default domain and roaming domains for the users at the BAS interface (see chapter 4 "User Management")

- Configuring the RADIUS server group if the accounting packet copy function is required (see chapter 2 "AAA Configuration")

Data Preparation
To configure the BAS interface, you need the following data.

No.  Data
1    Interface number
2    Access type
3    Authentication method
4    (Optional) Maximum number of users on the BAS interface and maximum number of users in the specified VLAN
5    (Optional) Default domain, roaming domain, and permitted domain at the BAS interface
6    (Optional) Option of enabling the functions of ARP proxy, DHCP broadcast, accounting packet copy, IP packet trigger-online, user-based multicast duplication, and 802.1X authentication trigger function
7    (Optional) Option of trusting DHCP Option 82 reported by the client, user detection parameters, VPN instance of non-PPP user, option of supporting the WLAN networking, BAS interface name, and access device type

5.6.2 Creating a BAS Interface


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
bas

The BAS interface is created. You can set an interface to be a BAS interface by running the bas command in the interface view. A Fast Ethernet (FE) interface, a Gigabit Ethernet (GE) interface, an Eth-Trunk interface, or a virtual Ethernet (VE) interface can be set as the BAS interface.

----End

5.6.3 Configuring the Access Type and Attributes of Users


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
bas

The BAS interface view is displayed.

Step 4 Run:
access-type layer2-subscriber [ bas-interface-name name | default-domain { pre-authentication domain-name | authentication [ force | replace ] domain-name } * | accounting-copy radius-server radius-name ] *

The access type is set to layer-2 access and the attributes of this access type are configured.

Or run:
access-type layer2-leased-line user-name username password [ bas-interface-name name | default-domain authentication domain-name | accounting-copy radius-server radius-name | nas-port-type type ] *

The access type is set to layer-2 leased line and the attributes of this access type are configured.

Or run:
access-type layer3-leased-line user-name username password [ bas-interface-name name | default-domain authentication domain-name | accounting-copy radius-server radius-name | nas-port-type type ] *

The access type is set to layer-3 leased line and the attributes of this access type are configured.

When setting the access type on the BAS interface, you can set the service attributes of the access users at the same time. You can also set these attributes in the subsequent configuration. The access type cannot be configured on an Ethernet interface that has been added to an Eth-Trunk; configure the access type on the Eth-Trunk interface instead. If there is an online user at the BAS interface, you can change the access type of the interface only if the online user is a leased line user. When the user access type is set to leased-line access, the ME60 authenticates the user immediately.

----End

5.6.4 Configuring the Authentication Method


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
bas

The BAS interface view is displayed.

Step 4 Run:
authentication-method { { ppp | dot1x | { web | fast } } * | bind }

The authentication method of the user is set.

You can set the authentication method only for layer-2 users. You can configure multiple authentication methods on an interface, but note the following:

- Web authentication conflicts with fast authentication.

- Binding authentication conflicts with all other authentication methods.

By default, the BAS interface uses PPP authentication.

----End

5.6.5 (Optional) Configuring the Limit to Access Users


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
bas

The BAS interface view is displayed.

Step 4 Run:
access-limit number

The limit of access users on the interface is configured.

Or run:
access-limit user-number [ start-vlan start-vlan [ end-vlan end-vlan ] [ qinq qinq-vlan ] ]

The limit of access users in certain VLANs is configured. By default, the number of users on the BAS interface is not limited. If you have run the user-vlan any-other command to configure the user VLAN, you cannot set a per-VLAN limit of access users.

----End

5.6.6 (Optional) Specifying a Domain


Context
You can configure the following domains on the BAS interface:

- Default pre-authentication domain: The default pre-authentication domain is applicable to users who use web authentication and fast authentication. Before a user is authenticated, the ME60 does not know the domain of the user. In this case, the ME60 considers that the user belongs to the default pre-authentication domain.

- Default authentication domain: If a user does not enter the domain name for the authentication, the ME60 considers that the user belongs to the default authentication domain. When configuring the default domain, you can set the force and replace keywords.
  force: The user is moved to the default authentication domain forcibly regardless of the domain name contained in the user name. The user is authenticated and authorized through the policies of the default domain. The domain name in the user name is not changed.
  replace: The user is moved to the default authentication domain forcibly. Meanwhile, the domain name in the user name is also changed to the default domain name.

- Roaming domain: The roaming domain is used if the user enters an unidentifiable domain name. In this case, the ME60 adds the user to the roaming domain for authentication.

- Permitted domain: The ME60 allows users to go online only through the permitted domains. If a user attempts to use another domain, the ME60 denies the access. Up to four permitted domains can be specified on a BAS interface.

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
bas

The BAS interface view is displayed.

Step 4 Run:
default-domain pre-authentication domain-name

The pre-authentication domain is specified. By default, the pre-authentication domain on the BAS interface is default0.

Or run:
default-domain authentication [ force | replace ] domain-name

The default authentication domain is specified. By default, the default authentication domain of the BAS interface is default1.

Or run:
roam-domain domain-name

The roaming domain is specified. By default, the roaming domain of the BAS interface is default1.

Or run:
permit-domain domain-name &<1-4>

The permitted domain is specified. By default, no permitted domain is specified on the BAS interface, that is, all domains are permitted.

----End

5.6.7 (Optional) Configuring Logical Parameters of the BAS Interface


Context
Before configuring the logical parameters of the BAS interface, set the access type of the BAS interface to layer-2 access (layer2-subscriber). The logical parameters have the following functions in remote user information backup:

- If you configure the same logical IP address on the BAS interfaces of the active and standby ME60s, the NAS-IP-Address attributes in the packets sent from the active ME60 and the standby ME60 to the RADIUS server and the DHCP server are the same.

- If you configure the same logical host name and logical port on the BAS interfaces of the active and standby ME60s, the NAS-Port, NAS-Port-ID, and Option 82 attributes in the packets sent from the active ME60 and the standby ME60 to the RADIUS server and the DHCP server are the same.

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
bas

The BAS interface view is displayed.

Step 4 Run:
nas logic-ip ip-address

The logical IP address of the BAS interface is configured. By default, no logical IP address is configured on a BAS interface. After you configure the logical IP address of the BAS interface, the NAS-IP-Address attribute in the packets sent from the ME60 to the RADIUS server and the DHCP server carries the logical IP address configured on the BAS interface.

Or run:
nas logic-port interface-type interface-number

The logical port of the BAS interface is configured. By default, no logical port is configured on a BAS interface.

Or run:
nas logic-sysname host-name

The logical host name of the BAS interface is configured. By default, no logical host name is configured on the BAS interface.

After the logical host name and logical port are configured on a BAS interface, the user name, Option 82, and RADIUS attributes of a user are generated as follows:

- The user name of an IPoX user using pre-authentication or binding authentication contains the logical host name and the logical port number.

- When the system generates or changes Option 82, the Option 82 field contains the logical host name and the logical port number. The system generates Option 82 when, for example, the user packet carries no Option 82, and changes Option 82 when, for example, the ME60 does not trust the Option 82 of the user.

- The NAS-Port attribute and the NAS-Port-ID attribute used for the user's RADIUS authentication contain the logical host name and the logical port number. If the logical host name cannot be obtained, these attributes contain only the logical port number.

----End

5.6.8 (Optional) Configuring the User Locating Function


Context
Currently, IP DSLAMs are used as the main devices for broadband access. An IP DSLAM terminates PVC packets of a user and forwards the packets to the uplink device by encapsulating the packets in the Ethernet frames. Information about the PVC and port of the user is replaced by the VLAN ID used in Ethernet. According to the IEEE protocol, only 4096 VLAN IDs can be set. The authentication device can obtain only fuzzy location information of the user, namely, the VLAN ID shared by many users. The accurate location of the user cannot be obtained, which causes many security problems to the broadband telecom network. To solve this problem, the ME60 uses the following features to locate users:
- DHCP Option 82
  In the broadband telecom network, the DSLAM captures DHCP packets and inserts the vendor specific attribute (VSA) of DHCP Option 82 into them. The VSA records information about the physical port of the user. If you have run the client-option82 command on the BAS interface, the VSA is then sent to the BRAS, DHCP server, and RADIUS server to inform them of the user location. The management system applies the corresponding security policy and address allocation policy according to the location of the user.
- PPPoE+
  The DSLAM captures the PPPoE discovery packets and inserts the VSA of PPPoE into them. The VSA records information about the physical port of the user. If you have run the client-option82 command on the BAS interface, the VSA is then sent to the BRAS and RADIUS server to inform them of the user location. The management system applies the corresponding security policy and address allocation policy according to the location of the user.
- VBAS
  The IP DSLAM and BAS are considered as a virtual entity, namely, the virtual broadband access server (VBAS). The VBAS protocol is a query protocol used between the DSLAM and BRAS. The BRAS uses the VBAS protocol to query the DSLAM for the user location. After receiving a user packet, the BRAS queries the DSLAM for information about the physical port where the user resides. After obtaining the physical location of the user, the BRAS processes the information as follows: if the BRAS functions as the DHCP relay, it sends the physical location information of the user to the DHCP server; for a PPPoE user that is authenticated by the RADIUS server, the BRAS sends the physical location information of the user to the RADIUS server. The RADIUS server then authenticates the user and the DHCP server assigns an address to the user.

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
bas

The BAS interface view is displayed.

Step 4 Run:
client-option82

The function of locating a user through DHCP Option 82 or PPPoE+ is enabled. By default, the function of locating a user through DHCP Option 82 or PPPoE+ is disabled.

Or run:
vbas

The function of locating a user through the VBAS is enabled. By default, the function of locating a user through the VBAS is disabled.

----End

5.6.9 (Optional) Configuring Additional Functions


Context
You can configure the following functions on the BAS interface:
- ARP proxy
  The ARP proxy enables mutual access among users on the same BAS interface. Users on the same interface are separated from each other by VLAN/PVC, so to enable them to access each other you must enable the ARP proxy. The ARP proxy can be enabled only for layer-2 individual users and layer-2 leased line users on the BAS interface. The ARP proxy function can be disabled only for ARP packets on the same BAS interface; the ARP proxy between BAS interfaces is always enabled and cannot be disabled.
- DHCP broadcast
  Generally, DHCP packets are sent on the BAS interface in unicast mode. In certain special situations, you may need to enable the broadcast function to broadcast DHCP packets.
- Accounting packet copy
  The accounting packet copy function sends accounting packets to two RADIUS servers at the same time. You can enable this function when multiple copies of the original accounting information are required (for example, when multiple ISPs are connected together). In this case, the accounting packets are sent to two RADIUS servers at the same time and are used as the original accounting information in future settlement.
- Access triggered by IP packet
  A static user can trigger authentication by sending an IP packet.
- Access triggered by IPv6 packet
  An ND user can trigger authentication by sending an IPv6 packet. If this function is enabled on the BAS interface, ND users can go online only by sending IPv6 packets to trigger authentication.
- Access triggered by ARP packet
  A user can trigger authentication by sending an ARP packet.
- User-based multicast duplication
  Generally, after receiving a multicast packet, the ME60 copies the packet once for each physical port, and the layer-2 device then copies the packet to the users in the multicast group. If the layer-2 device does not support IGMP snooping, it cannot identify the users in the multicast group. In this case, you need to enable user-based multicast duplication on the interface of the ME60, so that the ME60 copies the packet to each user directly.
- 802.1X authentication trigger
  The 802.1X authentication trigger means that the ME60 initiates an authentication request to an 802.1X user after it detects that the user goes online.

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
bas

The BAS interface view is displayed.

Step 4 Run:
arp-proxy

The ARP proxy is enabled. By default, the ARP proxy is disabled for users in the same VLAN or PVC on a BAS interface.

Or run:
dhcp-broadcast

The DHCP broadcast function is enabled. By default, the DHCP broadcast function is disabled on the BAS interface.

Or run:
accounting-copy radius-server radius-name

The accounting packet copy function is enabled. By default, the accounting packet copy function is disabled on the BAS interface.

Or run:
ip-trigger

The function of triggering authentication by IP packets is enabled. By default, this function is disabled on the BAS interface.

Or run:
ipv6-trigger

The function of triggering authentication by IPv6 packets is enabled. By default, this function is disabled on the BAS interface.

Or run:
arp-trigger

The function of triggering authentication by ARP packets is enabled. By default, this function is disabled on the BAS interface.

Or run:
multicast copy by-session

The user-based multicast duplication function is enabled. By default, this function is disabled on the BAS interface.

Or run:
dot1x authentication trigger

The function of triggering 802.1X authentication is enabled. By default, this function is disabled on the BAS interface.

Or run:
option82-relay-mode dslam

The Option 82 information of the DSLAM is added to the NAS-Port-Id attribute. By default, the ME60 does not add the Option 82 information of the DSLAM to the NAS-Port-Id attribute.

Or run:
option82-relay-mode include

The Option 82 information included in the NAS-Port-Id attribute is configured. By default, when the Option 82 information is trusted, the NAS-Port-Id attribute includes only the link ID in the Option 82 information.

Or run:
option82-relay-mode subopt

The mode in which the link ID or remote agent ID is transmitted is configured. By default, the link ID or remote agent ID is transmitted in the form of a character string.

----End
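Section 5.6.8 describes the DSLAM inserting Option 82 into DHCP packets, and the option82-relay-mode subopt step above states that the link ID or remote agent ID is transmitted as a character string by default. The following example is added here; it is not Huawei code and does not reproduce the ME60's implementation. It parses the Option 82 body according to RFC 3046 (sub-option 1 Agent Circuit ID, which this example assumes corresponds to what the guide calls the link ID, and sub-option 2 Agent Remote ID) from a constructed DHCP options field, rejects malformed lengths, and renders each sub-option either as printable text or as hex. The exact NAS-Port-Id layout the ME60 builds is not on this page and is not reproduced; all sample values are constructed.

```python
"""Parse DHCP Option 82 (Relay Agent Information, RFC 3046) and render its sub-options.

Added example, not Huawei code. Shows the two renderings (character string versus
hex) of the Circuit ID / Remote ID an access node inserts, on a constructed sample.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1   # RFC 3046 Agent Circuit ID (assumed to be the guide's "link ID")
SUBOPT_REMOTE_ID = 2    # RFC 3046 Agent Remote ID (the guide's "remote agent ID")


@dataclass
class RelayAgentInfo:
    circuit_id: Optional[bytes]
    remote_id: Optional[bytes]
    other: Dict[int, bytes] = field(default_factory=dict)


def extract_option82(dhcp_options: bytes) -> Optional[bytes]:
    """Walk the DHCP options field (after the magic cookie); return Option 82's body or None."""
    i = 0
    while i < len(dhcp_options):
        code = dhcp_options[i]
        if code == 255:            # End option
            return None
        if code == 0:              # Pad option has no length octet
            i += 1
            continue
        if i + 1 >= len(dhcp_options):
            raise ValueError("truncated option header")
        length = dhcp_options[i + 1]
        value = dhcp_options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} length {length} exceeds remaining data")
        if code == OPTION_RELAY_AGENT_INFO:
            return value
        i += 2 + length
    return None


def parse_option82(option: bytes) -> RelayAgentInfo:
    """Split the Option 82 body into TLV sub-options.

    A truncated or overlong sub-option raises, because relay data from an access node
    must not be accepted silently when it is malformed.
    """
    info = RelayAgentInfo(None, None)
    i = 0
    while i < len(option):
        if i + 2 > len(option):
            raise ValueError("truncated sub-option header")
        code, length = option[i], option[i + 1]
        value = option[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} length {length} exceeds remaining data")
        if code == SUBOPT_CIRCUIT_ID:
            info.circuit_id = value
        elif code == SUBOPT_REMOTE_ID:
            info.remote_id = value
        else:
            info.other[code] = value
        i += 2 + length
    return info


def render_subopt(value: bytes, mode: str) -> str:
    """Render a sub-option as a character string or as hex.

    'string' accepts only printable ASCII, so a binary ID cannot masquerade as a port
    description; 'hex' is lossless and works for any value.
    """
    if mode == "hex":
        return value.hex()
    if mode == "string":
        text = value.decode("ascii")          # UnicodeDecodeError (a ValueError) on non-ASCII
        if not text.isprintable():
            raise ValueError("ID is not printable text; use hex mode")
        return text
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample (not captured traffic): Option 53 (DHCPDISCOVER), then Option 82
# carrying a text Circuit ID and a 6-byte binary Remote ID, then the End option.
CIRCUIT = b"dslam1 eth 0/1/2:100"
REMOTE = bytes.fromhex("00e0fc112233")
SAMPLE_OPTIONS = (
    bytes([53, 1, 1])
    + bytes([OPTION_RELAY_AGENT_INFO, 2 + len(CIRCUIT) + 2 + len(REMOTE)])
    + bytes([SUBOPT_CIRCUIT_ID, len(CIRCUIT)]) + CIRCUIT
    + bytes([SUBOPT_REMOTE_ID, len(REMOTE)]) + REMOTE
    + bytes([255])
)

if __name__ == "__main__":
    info = parse_option82(extract_option82(SAMPLE_OPTIONS))
    print("circuit id (string):", render_subopt(info.circuit_id, "string"))
    print("remote id (hex):    ", render_subopt(info.remote_id, "hex"))
```

The string rendering deliberately fails on the binary Remote ID instead of producing mojibake; when an access node emits non-text IDs, the hex mode is the one that preserves them exactly.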

5.6.10 (Optional) Configuring Other Parameters


Context
You can configure the following parameters on the BAS interface:
- User detection parameters
  The ME60 can periodically detect through ARP whether a user on a BAS interface is online. To configure the user detection function, you need to set the number of detection attempts and the detection interval.
- VPN instance of non-PPP users
  Generally, the VPN instances of PPP users are delivered by the RADIUS server, and the VPN instances of non-PPP users are configured on the BAS interface.
- WLAN
  You can determine whether the BAS interface supports the WLAN networking. If the BAS interface supports the WLAN, you need to determine whether the AS authorization information is accepted.
- BAS interface name
  You can configure the name of a BAS interface so that you can remember and manage the BAS interface easily.
- Access device type
  If the access user type on a BAS interface is leased line, you need to set the type of the access device. The device type is used by the ME60 when it sends authentication requests to the RADIUS server.

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
bas

The BAS interface view is displayed.

Step 4 Run:
user detect retransmit number interval time

The user detection parameters are configured. By default, the number of detection attempts is 5 and the detection interval is 30 seconds.

Or run:
vpn-instance instance-name

The VPN instance of non-PPP users is configured. By default, non-PPP users on the BAS interface belong to the VPN instance public.

Or run:
wlan sim { as-authorization | no-as-authorization }

The WLAN networking is supported or not supported. By default, the BAS interface does not support the WLAN networking.

Or run:
bas-interface-name name

The name of the BAS interface is configured. By default, the BAS interface does not have a name.

Or run:
nas-port-type { async | sync | isdn-sync | isdn-async-v120 | isdn-async-v110 | virtual | piafs | hdlc | x.25 | x.75 | g.3-fax | sdsl | adsl-cap | adsl-dmt | idsl | ethernet | xdsl | cable | wireless-other | 802.11 }

The type of the access device is configured. By default, the type of the access device is Ethernet.

----End

5.6.11 (Optional) Blocking the BAS Interface


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
bas

The BAS interface view is displayed.

Step 4 Run:
block [ start-vlan start-vlan [ end-vlan end-vlan ] [ qinq qinq-vlan ] ]

The BAS interface is blocked. On a main interface, if the block command is run without parameters, the entire interface is blocked. On a sub-interface, you can block some or all of the VLANs. Users cannot access through the blocked VLANs.

----End

5.6.12 Checking the Configuration


Run the following command to check the previous configuration.

Action: Check the configuration of the BAS interface.
Command: display bas-interface [ interface-type interface-number ]

5.7 Configuring the Access Response Delay Policy


This section describes the procedure for configuring the access response delay policy.

5.7.1 Establishing the Configuration Task
5.7.2 Configuring the Access Response Delay Policy on the Equipment
5.7.3 Configuring Access Response Delay Policy on the BAS Interface
5.7.4 Checking the Configuration

5.7.1 Establishing the Configuration Task


Applicable Environment
In the PPPoX access and the IPoX access triggered by DHCP, the client discovers the accessible servers through layer-2 broadcast (such as the PADI packet of PPPoE and the Discover packet of DHCP), and then selects one of the responding servers. This access mechanism causes the following problems:
- When two ME60s work in active/standby mode, the downstream network may deliver the access response of the active ME60 to the client later than that of the standby ME60, so users access the standby ME60.
- When the ME60s work in load balancing mode, delay balancing or load balancing according to the set ratio may not be implemented because the responses from the two devices arrive with different delays.

You can set the response time of the PPPoE and DHCP access requests for users so that clients access the specified servers according to the response time of the different devices. Thus, active/standby operation and load balancing can be implemented in the ME60 networking.

Pre-configuration Tasks
None.

Data Preparation
To configure the access response delay, you need the following data.

No. | Data
1 | Access response delay parameters of the equipment, such as the change step of the user count, the minimum response delay time, and the maximum response delay time
2 | Access response delay parameters of the BAS interface, such as the access delay time, the response delay policy, and the access node ID

NOTE
To configure the access response delay policy, perform the step of Configuring the Access Response Delay Policy on the Equipment or the step of Configuring Access Response Delay Policy on the BAS Interface as required.

5.7.2 Configuring the Access Response Delay Policy on the Equipment


Context
To implement automatic active/standby switchover and load balancing, the ME60 dynamically adjusts the PPP and DHCP access response delay when the number of access users on the equipment changes. The access delay time is determined by the step of the user count, the number of access users, the minimum delay, and the maximum delay.
- If number of access users/step + minimum delay is equal to or smaller than the maximum delay, the access delay of the user = (number of access users/step + minimum delay) x 100 ms.
- If number of access users/step + minimum delay is larger than the maximum delay, the access delay of the user = maximum delay x 100 ms.
- If number of access users/step is not an integer, the integer portion of the result is used.

For example, if the step is 3000, the maximum delay is 7, and the minimum delay is 3, then the access delay of users 0-2999 is 300 ms (3 x 100 ms), the access delay of users 3000-5999 is 400 ms (4 x 100 ms), the access delay of users 6000-8999 is 500 ms (5 x 100 ms), the access delay of users 9000-11999 is 600 ms (6 x 100 ms), and the access delay of users 12000-14999 is 700 ms (7 x 100 ms). The access delay of users with a sequence number larger than 14999 is 700 ms.

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
access-delay step step-value minimum minimum-time maximum maximum-time

The access response delay policy is configured. By default, the access delay policy is not configured in the system.

----End
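The following Python code is an added example, not Huawei code; it implements the delay rule stated in the context above and reproduces the guide's own worked numbers (step 3000, minimum 3, maximum 7). The delay_table helper, which lists the user-count bands and the delay each one gets, is an addition for checking a planned access-delay policy before it is configured.

```python
"""Access response delay for the access-delay step/minimum/maximum policy.

Added example, not Huawei code. Implements the rule given in the guide:
delay = min(users // step + minimum, maximum) x 100 ms, using the integer
portion of users/step.
"""
from typing import List, Tuple

DELAY_UNIT_MS = 100  # the guide expresses minimum/maximum delay in units of 100 ms


def access_delay_ms(access_users: int, step: int, minimum: int, maximum: int) -> int:
    """Return the PPP/DHCP access response delay in ms for the current user count."""
    if step <= 0:
        raise ValueError("step must be positive")
    if minimum > maximum:
        raise ValueError("minimum delay must not exceed maximum delay")
    if access_users < 0:
        raise ValueError("user count cannot be negative")
    steps_used = access_users // step          # integer portion, as the guide requires
    units = min(steps_used + minimum, maximum)  # capped at the maximum delay
    return units * DELAY_UNIT_MS


def delay_table(step: int, minimum: int, maximum: int,
                max_users: int) -> List[Tuple[int, int, int]]:
    """Return (first_user, last_user, delay_ms) bands up to max_users.

    Adjacent bands with the same delay (above the cap) are merged, so the table
    shows exactly where the delay stops growing.
    """
    bands: List[Tuple[int, int, int]] = []
    users = 0
    while users <= max_users:
        delay = access_delay_ms(users, step, minimum, maximum)
        band_end = min(users + step - 1, max_users)
        if bands and bands[-1][2] == delay:
            bands[-1] = (bands[-1][0], band_end, delay)
        else:
            bands.append((users, band_end, delay))
        users += step
    return bands


if __name__ == "__main__":
    # The guide's worked example: step 3000, minimum 3, maximum 7.
    for lo, hi, ms in delay_table(3000, 3, 7, 17999):
        print(f"users {lo:>5}-{hi:<5}: {ms} ms")
```

With the guide's values the table shows the delay climbing from 300 ms to 700 ms in 3000-user bands and then staying at 700 ms, which is the behaviour the text describes for users beyond 14999.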

5.7.3 Configuring Access Response Delay Policy on the BAS Interface


Context
You can configure the access delay policy on a BAS interface when the access type of the BAS interface is layer-2 subscriber or layer-2 leased line. You can configure the access delay based on different attributes as follows:
- Configure the access delay policy based on even or odd MAC addresses, so that active/standby selection and load balancing can be implemented between the devices based on the parity of MAC addresses.
- Configure the access delay policy based on the access node ID, so that active/standby selection and load balancing can be implemented between the devices based on the access node ID.

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
access-delay delay-time [ circuit-id-include access-node-id | even-mac | odd-mac ]

The access delay policy is configured on the BAS interface.

After the access delay policy is configured, the system delays the response to the first packet from a layer-2 access user on this BAS interface according to the configured policy. For DHCP users and PPP users, if the circuit-id-include keyword is selected, you need to run the client-option82 command to configure the ME60 to trust the DHCP Option 82 and PPPoE+ information sent by the client. The access delay policy takes effect after the configuration.

----End

5.7.4 Checking the Configuration


Run the following commands to check the previous configuration.

Action | Command
Check the configuration of the global dynamic delay. | display aaa configuration
Check the configuration of the delay policy on the BAS interface. | display bas-interface [ interface-type interface-number ]

5.8 Configuring the Common IPoX Access Service


This section describes the procedure for configuring the common IPoX access service.

5.8.1 Establishing the Configuration Task

5.8.1 Establishing the Configuration Task


Applicable Environment
The IPoX access service is an access authentication service. In the common IPoX access service, a user can connect to the Internet through Ethernet or asymmetric digital subscriber line (ADSL). The user can use a fixed IP address or obtain an IP address through DHCP. Web authentication, fast authentication, or binding authentication can be used in the common IPoX access service. Depending on the networking, the common IPoX services can be classified into the IPoE service, IPoEoVLAN service, and IPoEoQ service.
- IPoE
  In the IPoE access service, an IP packet is encapsulated into an Ethernet frame on the Ethernet card of the user's computer, and is then sent to the ME60 without any other change. In the networking of the IPoE access service, a computer is connected to the Ethernet interface of the ME60 through a layer-2 device (such as a hub or a LAN switch). The layer-2 device, however, does not change or re-encapsulate IPoE packets. Figure 5-4 shows the networking of the IPoE access service.

  Figure 5-4 Networking of the IPoE access service
  [Figure: subscriber - LAN switch - ME60 - Internet; frame format Eth | IP | Data on both the subscriber side and the ME60 side]

- IPoEoVLAN
  In the IPoEoVLAN access service, an IP packet is encapsulated into an IPoE packet on the Ethernet card of the user's computer, and is then tagged with a VLAN ID by the LAN switch. The tagged IPoE packet is called an IPoEoVLAN packet, which is ultimately sent to the ME60. In the networking of the IPoEoVLAN access service, a computer is connected to the Ethernet interface of the ME60 through a switch that supports 802.1Q. Figure 5-5 shows the networking of the IPoEoVLAN access service.

  Figure 5-5 Networking of the IPoEoVLAN access service
  [Figure: subscriber - LAN switch - ME60 - Internet; frame format Eth | IP | Data from the subscriber, Eth | Q | IP | Data toward the ME60]

- IPoEoQ
  In the IPoEoQ access service, an IP packet is encapsulated into an IPoE packet on the Ethernet card of the user's computer, and is then tagged with a VLAN ID by the LAN switch close to the user. The tagged IPoE packet is called an IPoEoVLAN packet. The IPoEoVLAN packet is then tagged with another VLAN ID by the LAN switch close to the ME60. This packet is the IPoEoQ packet, which is ultimately sent to the ME60. In the networking of the IPoEoQ access service, a computer is connected to the Ethernet interface of the ME60 through two switches that support 802.1Q. Figure 5-6 shows the networking of the IPoEoQ access service.

  Figure 5-6 Networking of the IPoEoQ access service
  [Figure: subscriber - LAN switch - LAN switch - ME60 - Internet; frame format Eth | IP | Data from the subscriber, Eth | Q | IP | Data after the first switch, Eth | Q | Q | IP | Data toward the ME60]

Pre-configuration Tasks
Before configuring the common IPoX access service, complete the following task:
- Loading the BRAS license
  Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

Data Preparation
To configure the common IPoX access service, you need the following data.

No. | Data
1 | Authentication scheme, accounting scheme, and authorization scheme (applicable to the HWTACACS authentication)
2 | Name of the RADIUS server group or HWTACACS server template
3 | Name of the IPv4 address pool
4 | User domain
5 | (Optional) Parameters related to the web authentication server
6 | Number of the VE interface (applicable to the IPoEoA access)
7 | User VLAN ID (applicable to the IPoEoVLAN access and the IPoEoQ access), or the PVC value pair (applicable to the IPoEoA access)
8 | Parameters of the BAS interface

Configuration Procedures
To configure the IPoX access service, perform the following procedures.

No. | Procedure
1 | Configuring AAA Schemes
2 | Configuring the RADIUS server group or the HWTACACS server template
3 | Configuring the IPv4 address pool
4 | Configuring the domain
5 | Configuring the web authentication (applicable to the web authentication)
6 | Configuring the ACL (applicable to the web authentication)
7 | Configuring the VE interface (applicable to the IPoEoA access)
8 | Binding the sub-interface to VLANs (applicable to the IPoEoVLAN access and the IPoEoQ access), or configuring the PVC (applicable to the IPoEoA access)
9 | Bridging the PVC and the VE interface (applicable to the IPoEoA access)
10 | Configuring the BAS interface

NOTE
The configuration of the common IPoX access service consists of multiple procedures. The details are not given here because all the procedures are described in the following chapters:
- For the procedures for configuring the AAA schemes, RADIUS server group, and HWTACACS server template, see chapter 2 "AAA Configuration."
- For the procedure for configuring the IPv4 address pool, see chapter 3 "Address Management."
- For the procedure for configuring a domain, see chapter 4 "User Management."
- For the procedure for configuring web authentication, see "Configuring Web Authentication."
- For the procedure for configuring the ACL, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.
- For the procedures for configuring the VE interface and PVC, and bridging the VE interface and the PVC, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - Interfaces and Links.
- For the procedure for configuring the BAS interface, see "Configuring BAS Interface."

5.9 Configuring the Common PPPoX Access Service


This section describes the procedure for configuring the common PPPoX access service.

5.9.1 Establishing the Configuration Task

5.9.1 Establishing the Configuration Task


Applicable Environment
The PPPoX access service is an access authentication service. In the PPPoX service, a user can dial in to the ME60 through PPP, and then obtain an address and be authenticated. Depending on the networking, the common PPPoX services can be classified into the following services:
- PPPoE
  In the PPPoE access service, a PPP packet is encapsulated into an Ethernet frame on the Ethernet card of the user's computer, and is then sent to the ME60 without any other change. In the networking of the PPPoE access service, as shown in Figure 5-7, a computer is connected to the Ethernet interface of the ME60 through a layer-2 device (such as a hub or a LAN switch). The layer-2 device, however, does not change or re-encapsulate PPPoE packets.

  Figure 5-7 Networking of the PPPoE access service
  [Figure: subscriber - LAN switch - ME60 - Internet; frame format Eth | PPPoE | PPP | IP | Data on both the subscriber side and the ME60 side]

- PPPoEoVLAN
  In the PPPoEoVLAN access service, a PPP packet is encapsulated into a PPPoE packet on the Ethernet card of the user's computer, and is then tagged with a VLAN ID by the LAN switch. The tagged PPPoE packet is called a PPPoEoVLAN packet, which is ultimately sent to the ME60. In the networking of the PPPoEoVLAN access service, a computer is connected to the Ethernet interface of the ME60 through a switch that supports 802.1Q. Figure 5-8 shows the networking of the PPPoEoVLAN access service.

  Figure 5-8 Networking of the PPPoEoVLAN access service
  [Figure: subscriber - LAN switch - ME60 - Internet; frame format Eth | PPPoE | PPP | IP | Data from the subscriber, Eth | Q | PPPoE | PPP | IP | Data toward the ME60]

- PPPoEoQ
  In the PPPoEoQ access service, a PPP packet is encapsulated into a PPPoE packet on the Ethernet card of the user's computer, and is then tagged with a VLAN ID by the LAN switch close to the user. The tagged PPPoE packet is called a PPPoEoVLAN packet. The PPPoEoVLAN packet is then tagged with another VLAN ID by the LAN switch close to the ME60. This packet is the PPPoEoQ packet, which is ultimately sent to the ME60. In the networking of the PPPoEoQ access service, a computer is connected to the Ethernet interface of the ME60 through two switches that support 802.1Q. Figure 5-9 shows the networking of the PPPoEoQ access service.

  Figure 5-9 Networking of the PPPoEoQ access service
  [Figure: subscriber - LAN switch - LAN switch - ME60 - Internet; frame format Eth | PPPoE | PPP | IP | Data from the subscriber, Eth | Q | PPPoE | PPP | IP | Data after the first switch, Eth | Q | Q | PPPoE | PPP | IP | Data toward the ME60]
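As an added example that is not part of this guide or of Huawei's code, the following Python parser recovers the VLAN tag stack and payload type from raw frames laid out as in Figures 5-4 to 5-9, for both the IPoX services of 5.8 and the PPPoX services of 5.9, and names the encapsulation the ME60 would see (IPoE, IPoEoVLAN, IPoEoQ, PPPoE, PPPoEoVLAN, PPPoEoQ). This is useful for checking a capture taken on an access port against the access type expected on the BAS interface. All frames are constructed inline; accepting TPID 0x88A8 for an outer tag is an assumption not stated on the page, which speaks only of 802.1Q switches.

```python
"""Peel the 802.1Q tag stack off an access frame and name the encapsulation.

Added example, not Huawei code. Handles Eth | [Q | [Q |]] IP and
Eth | [Q | [Q |]] PPPoE | PPP | IP as drawn in Figures 5-4 to 5-9.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETH_IPV4 = 0x0800
ETH_8021Q = 0x8100            # TPID used by the 802.1Q switches on the page
ETH_8021AD = 0x88A8           # also accepted for an outer S-tag (assumption, not on the page)
ETH_PPPOE_DISCOVERY = 0x8863
ETH_PPPOE_SESSION = 0x8864
PPP_IPV4 = 0x0021
VLAN_TPIDS = (ETH_8021Q, ETH_8021AD)


@dataclass
class AccessFrame:
    dst: bytes
    src: bytes
    vlans: List[int]              # outer tag first, in the order the switches added them
    ethertype: int                # EtherType of the payload after the tag stack
    payload: bytes
    ppp_protocol: Optional[int]   # set for PPPoE session frames only
    service: str                  # IPoE, IPoEoVLAN, IPoEoQ, PPPoE, PPPoEoVLAN, PPPoEoQ or other


def build_frame(dst: bytes, src: bytes, vlans: List[int], ethertype: int, payload: bytes) -> bytes:
    """Construct a frame with the given tag stack (test input only; 0x8100 for every tag)."""
    hdr = dst + src
    for vid in vlans:
        hdr += struct.pack("!HH", ETH_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> AccessFrame:
    """Walk the header, collecting VLAN IDs until a non-tag EtherType is reached."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    off = 12
    vlans: List[int] = []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated EtherType")
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype not in VLAN_TPIDS:
            break
        if off + 2 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        vlans.append(tci & 0x0FFF)   # drop PCP/DEI, keep the 12-bit VID
    payload = frame[off:]

    ppp_protocol = None
    if etype == ETH_PPPOE_SESSION:
        # PPPoE header: ver/type, code, session id, length (6 bytes); then the PPP protocol.
        if len(payload) < 8:
            raise ValueError("truncated PPPoE session header")
        (ppp_protocol,) = struct.unpack_from("!H", payload, 6)

    if etype == ETH_IPV4:
        base = "IPoE"
    elif etype in (ETH_PPPOE_DISCOVERY, ETH_PPPOE_SESSION):
        base = "PPPoE"
    else:
        base = None
    suffix = {0: "", 1: "oVLAN", 2: "oQ"}.get(len(vlans))
    service = f"{base}{suffix}" if base and suffix is not None else "other"
    return AccessFrame(dst, src, vlans, etype, payload, ppp_protocol, service)


# Constructed sample frames (not captured traffic).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200000000aa")                 # locally administered, constructed
IPV4_STUB = bytes([0x45]) + bytes(19)               # start of a minimal IPv4 header
PADI = struct.pack("!BBHH", 0x11, 0x09, 0, 0)       # PPPoE PADI with an empty tag list
SESSION_IPV4 = struct.pack("!BBHH", 0x11, 0x00, 1, 2) + struct.pack("!H", PPP_IPV4)

if __name__ == "__main__":
    for name, f in [("IPoE", build_frame(DST, SRC, [], ETH_IPV4, IPV4_STUB)),
                    ("QinQ PPPoE", build_frame(DST, SRC, [2000, 100], ETH_PPPOE_SESSION, SESSION_IPV4))]:
        p = parse_frame(f)
        print(f"{name}: vlans={p.vlans} service={p.service} ppp={p.ppp_protocol}")
```

A frame with three or more tags, or with an EtherType other than IPv4 or PPPoE, is reported as "other" rather than forced into one of the six service names, so it stands out when checking what an access port actually delivers.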

Pre-configuration Tasks
Before configuring the PPPoX access service, complete the following task:
- Loading the BRAS license
  Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

Data Preparation
To configure the common PPPoX access service, you need the following data.

No. | Data
1 | Virtual template number
2 | Authentication scheme, accounting scheme, and authorization scheme (applicable to the HWTACACS authentication)
3 | Name of the RADIUS server group or HWTACACS server template
4 | Name of the IPv4 address pool
5 | User domain
6 | Number of the VE interface (applicable to the PPPoEoA access)
7 | User VLAN ID (applicable to the PPPoEoVLAN access and the PPPoEoQ access), or the PVC value pair (applicable to the PPPoA access and the PPPoEoA access)
8 | Parameters of the BAS interface

Configuration Procedures
To configure the PPPoX access service, perform the following procedures.

No. | Procedure
1 | Configuring the virtual template interface
2 | Configuring AAA Schemes
3 | Configuring the RADIUS server group or the HWTACACS server template
4 | Configuring the IPv4 address pool
5 | Configuring the domain
6 | Configuring the VE interface (applicable to the PPPoEoA access)
7 | Binding the interface to the virtual template interface (applicable to the PPPoE access, the PPPoEoVLAN access, and the PPPoEoQ access), or specifying a virtual template for the VE interface (applicable to the PPPoEoA access)
8 | Binding the sub-interface to VLANs (applicable to the PPPoEoVLAN access and the PPPoEoQ access), or configuring the PVC value pair (applicable to only the PPPoA access and the PPPoEoA access)
9 | Bridging the PVC and the virtual template interface (applicable to the PPPoA access), or bridging the PVC and the VE interface (applicable to only the PPPoEoA access)
10 | Configuring the BAS interface

NOTE
The configuration of the common PPPoX access service consists of multiple procedures. The details are not given here because all the procedures are described in the following chapters:
- For the procedure for configuring the virtual template interface, refer to the Quidway ME60 Multiservice Control Gateway.
- For the procedures for configuring the AAA schemes, RADIUS server group, and HWTACACS server template, see chapter 2 "AAA Configuration."
- For the procedure for configuring the IPv4 address pool, see chapter 3 "Address Management."
- For the procedure for configuring a domain, see chapter 4 "User Management."
- For the procedures for configuring the VE interface and PVC, and bridging the VE interface and the PVC, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - Interfaces and Links.
- For the procedure for configuring the BAS interface, see "Configuring BAS Interface."

5.10 Configuring the 802.1X Access Service


This section describes the procedure for configuring the 802.1X access service.

5.10.1 Establishing the Configuration Task

5.10.1 Establishing the Configuration Task


Applicable Environment
The networking of the 802.1X access service is the same as the networking of IPoE or IPoEoVLAN. The EAP packet is encapsulated into an EAPoL packet on the Ethernet interface of the user's computer. The EAPoL packet is then sent to the ME60 directly. Alternatively, the EAPoL packet may be tagged with a VLAN ID by a LAN switch before it arrives at the ME60.

Pre-configuration Tasks
Before configuring the 802.1X access service, complete the following task:
5-46 Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 05 (2010-06-01)

Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services


l

5 BRAS Access Configuration

Loading the BRAS license Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management..

Data Preparation
To configure the 802.1X access service, you need the following data. No. 1 2 3 4 5 6 7 Data 802.1X template number Authentication scheme, accounting scheme, and authorization scheme (applicable to the HWTACACS authentication) Name of the RADIUS server group or HWTACACS server template Name of the IPv4 address pool User domain User VLAN ID (applicable to the access to an Ethernet sub-interface) Parameters of the BAS interface

Configuration Procedures
To configure the 802.1X access service, perform the following procedures. No. 1 2 3 4 5 6 7 Procedure Configuring the 802.1x Template Configuring AAA Schemes Configuring the RADIUS server group or the HWTACACS server template Configuring the IPv4 address pool Configuring a domain and binding the 802.1X template to the domain Binding the sub-interface to the VLAN (applicable to the access through subinterface) Configuring the BAS interface


NOTE


The 802.1X access service configuration consists of multiple procedures. The details are not mentioned here because all the procedures are described in the following chapters:

For the procedure for configuring the 802.1X template, see "5.4 Configuring the 802.1X Template."
For the procedures for configuring the AAA schemes, RADIUS server group, and HWTACACS server template, see chapter 2 "AAA Configuration."
For the procedure for configuring the IPv4 address pool, see chapter 3 "Address Management."
For the procedure for configuring a domain, see chapter 4 "User Management."
For the procedure for configuring the BAS interface, see "5.6 Configuring the BAS Interface."

5.11 Configuring the Leased Line Access Service


This section describes the procedure for configuring the leased line access service.

5.11.1 Establishing the Configuration Task


Applicable Environment
In the leased line access service, an Ethernet interface of the ME60 or some of the VLANs belonging to the interface are leased to a group of users. A leased line may connect multiple computers, but the leased line users are regarded as a single user on the ME60. The ME60 conducts centralized authentication, accounting, bandwidth control, access right control, and QoS control for the users. Based on the networking modes and the service processing methods, the leased line can be classified into layer-2 leased line, layer-3 leased line, and PPP leased line.

Layer-2 leased line: Through layer-2 devices such as a layer-2 LAN switch, the layer-2 leased line users access an interface of the ME60 or a VLAN under the interface. Leased line users can use static IP addresses or obtain IP addresses from the ME60 through DHCP. The ME60 provides the BRAS function for layer-2 leased line users. The ME60 supports layer-2 leased line access based on IPoE, IPoEoVLAN, IPoEoQ, or IPoEoA.

Layer-3 leased line: Through layer-3 devices such as a router, the layer-3 leased line users access an interface of the ME60 or a VLAN on the interface. The router allocates addresses to the leased line users. In the layer-3 leased line service, the ME60 functions as a forwarding router: it checks the validity of a user's source IP address per interface and controls the bandwidth. When you configure a layer-3 leased line, ensure that a route exists on the ME60 so that packets destined for the layer-3 leased line network segment are routed to the layer-3 egress router. The ME60 supports layer-3 leased line access based on IPoE, IPoEoVLAN, or IPoEoQ.

PPP leased line: The PPP leased line accesses the ME60 through a layer-3 device such as a router. In the PPP leased line service, the layer-3 device dials in to the ME60 as a layer-2 user through PPP. Therefore, the ME60 sees only a single layer-2 user, not the actual users behind the layer-3 device.

The upstream packets of the layer-3 users are sent to the ME60 through the PPP link and forwarded as the packets of a single user. The ME60 generates a route to the layer-3 device according to the Framed-Route message sent from the RADIUS server. In this way, the downstream packets with the destination address of the PPP leased line network segment can be delivered to the PPP egress router through the PPP link.

The ME60 treats the PPP leased line as a layer-2 user; therefore, the configuration of the PPP leased line is the same as that of the common PPPoX access service and is not repeated here. For details, see "5.9 Configuring the Common PPPoX Access Service." On the RADIUS server, you need to configure the Framed-Route and Framed-IP-Address attributes for the PPP leased line. The Framed-IP-Address attribute is optional. The Framed-Route attribute specifies the route to the network connected to the layer-3 device and the next hop. The Framed-IP-Address attribute specifies the IP address of the layer-3 device. On the layer-3 device, you need to configure the route to the network segment specified by the Framed-Route attribute. For example, if Framed-Route = 142.142.142.1/24 144.244.244.244, you need to configure a route to 142.142.142.1/24 on the layer-3 device. The ME60 supports PPP leased lines that use the PPPoE, PPPoEoVLAN, PPPoEoQ, PPPoA, and PPPoEoA protocol stacks.
NOTE

The ME60 allows the RADIUS server to deliver up to eight Framed-Route attributes at a time, but these attributes must specify the same next hop.
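As an added example (not ME60 code and not from the original guide), the Python below parses Framed-Route values in the RFC 2865 format shown above and applies the two ME60 constraints just stated: at most eight attributes per Access-Accept, all with the same next hop. The substitution of a 0.0.0.0 next hop with the user's Framed-IP-Address follows RFC 2865; the attribute strings and the 10.20.30.0/24 network are constructed.

```python
"""Validate the Framed-Route attributes a RADIUS server returns for a PPP leased line.

Added example for this guide, not ME60 code. It enforces the two constraints the
text states for the ME60: at most eight Framed-Route values per Access-Accept, all
with the same next hop. The attribute strings used below are constructed.
"""
import ipaddress

MAX_FRAMED_ROUTES = 8  # limit stated in this guide for the ME60
ZERO_GATEWAY = ipaddress.IPv4Address("0.0.0.0")


def parse_framed_route(value: str):
    """Parse one RFC 2865 Framed-Route string: "<prefix>/<len> <next-hop> [metric ...]".

    Host bits of the prefix are ignored, so "142.142.142.1/24 144.244.244.244" yields
    the route 142.142.142.0/24 via 144.244.244.244, which is how the text's example
    is installed. A prefix without an explicit length is rejected (design choice here:
    guessing a classful mask would silently widen or narrow the route).
    """
    fields = value.split()
    if len(fields) < 2:
        raise ValueError(f"Framed-Route needs a prefix and a next hop: {value!r}")
    prefix_text, next_hop_text = fields[0], fields[1]
    if "/" not in prefix_text:
        raise ValueError(f"Framed-Route prefix must carry a length: {prefix_text!r}")
    network = ipaddress.IPv4Network(prefix_text, strict=False)
    next_hop = ipaddress.IPv4Address(next_hop_text)
    metric = int(fields[2]) if len(fields) > 2 else 1
    return network, next_hop, metric


def routes_for_leased_line(framed_routes, framed_ip_address=None):
    """Return the (network, next hop, metric) routes to install for one session.

    Raises ValueError when more than eight attributes are present or when they do
    not share one next hop, instead of installing a partial or inconsistent set.
    """
    if len(framed_routes) > MAX_FRAMED_ROUTES:
        raise ValueError(f"{len(framed_routes)} Framed-Route attributes exceed "
                         f"the limit of {MAX_FRAMED_ROUTES}")
    routes = []
    for value in framed_routes:
        network, next_hop, metric = parse_framed_route(value)
        if next_hop == ZERO_GATEWAY:
            # RFC 2865: a zero gateway means "use the user's own address", i.e. the
            # Framed-IP-Address of the layer-3 device that dialled in.
            if framed_ip_address is None:
                raise ValueError("next hop 0.0.0.0 needs the user's Framed-IP-Address")
            next_hop = ipaddress.IPv4Address(framed_ip_address)
        routes.append((network, next_hop, metric))
    next_hops = {nh for _, nh, _ in routes}
    if len(next_hops) > 1:
        raise ValueError("Framed-Route attributes must share one next hop, got "
                         + ", ".join(sorted(map(str, next_hops))))
    return [(str(net), str(nh), metric) for net, nh, metric in routes]


if __name__ == "__main__":
    # Constructed Access-Accept content: the text's example route plus a second network.
    accept = ["142.142.142.1/24 144.244.244.244", "10.20.30.0/24 144.244.244.244 1"]
    for route in routes_for_leased_line(accept):
        print(route)
```

Rejecting the whole set on a mixed next hop, rather than installing the routes that do agree, keeps the NAS from forwarding a leased line's downstream traffic to a device the RADIUS profile never named.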

Pre-configuration Tasks
Before configuring the leased line access service, complete the following task:

Loading the license. For details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

Data Preparation
To configure the leased line access service, you need the following data.
1. Authentication scheme, accounting scheme, and authorization scheme (the authorization scheme applies to HWTACACS authentication)
2. Name of the RADIUS server group or HWTACACS server template
3. Name of the IPv4 address pool (applicable to the layer-2 leased line)
4. User domain
5. Number of the VE interface (applicable to the layer-2 leased line using the IPoEoA protocol stack)
6. User VLAN ID (applicable to leased line access on an Ethernet sub-interface), or the PVC value pair (applicable to the layer-2 leased line using the IPoEoA protocol stack)
7. Parameters of the BAS interface
8. User name and password of the leased line
9. Network segment of the user (applicable to the layer-3 leased line)

Configuration Procedures
To configure the leased line access service, perform the following procedures.
1. Configuring AAA schemes
2. Configuring the RADIUS server group or the HWTACACS server template
3. Configuring the IPv4 address pool (applicable to layer-2 leased line access)
4. Configuring the domain
5. Configuring the VE interface (applicable to the layer-2 leased line using the IPoEoA protocol stack)
6. Configuring the user VLAN (applicable to access through an Ethernet sub-interface), or configuring the PVC (applicable to the layer-2 leased line using the IPoEoA protocol stack)
7. Configuring the ARP broadcast function (applicable to the layer-3 leased line through an Ethernet sub-interface)
8. Bridging the VE interface and the PVC (applicable to the layer-2 leased line using the IPoEoA protocol stack)
9. Configuring the BAS interface


NOTE


The leased line service configuration consists of multiple procedures. The details are not mentioned here because all the procedures are described in the following chapters:

For the procedures for configuring the AAA schemes, RADIUS server group, and HWTACACS server template, see chapter 2 "AAA Configuration."
For the procedure for configuring the IPv4 address pool, see chapter 3 "Address Management."
For the procedure for configuring a domain, see chapter 4 "User Management."
For the procedure for configuring the user VLAN, see "5.5 Configuring a User VLAN."
For the procedures for configuring the ARP broadcast function, the VE interface and PVC, and bridging the VE interface and the PVC, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - Interfaces and Links.
For the procedure for configuring the BAS interface, see "5.6 Configuring the BAS Interface."

5.12 Configuring the IPv6 Access Service


This section describes the procedure for configuring the IPv6 access service.

5.12.1 Establishing the Configuration Task


Applicable Environment
The IPv6 access service provides access, authentication, and accounting services for IPv6 users. PPP authentication, web authentication, fast authentication, and binding authentication can be applied to these users. Users can log in to the ME60 by dialing in through PPP, sending ND packets, or sending IPv6 packets. Based on the method of obtaining addresses, IPv6 access services are classified into the following types:

PPP IPv6 access: In this access mode, a user dials in to the ME60 through the PPP client. The ME60 assigns the interface ID to the PPP client during IPv6CP negotiation. The PPP client generates a link-local address from the interface ID and initiates stateless address allocation to obtain the address prefix from the ME60. The client then appends the interface ID to the address prefix to form a global address through which the user can connect to the Internet.

ND access: In this access mode, an ND user sends ND packets or IPv6 packets to trigger the access process. The client generates the interface ID from the MAC address of its interface and initiates stateless address allocation to obtain the address prefix from the ME60. The client then appends the interface ID to the address prefix to form a global address through which the user can connect to the Internet.

Dual-stack access: In this access mode, a user has both an IPv4 address and an IPv6 address. The user can dial in through PPP or send IP packets to trigger the access process. In the dual-stack access service, the ME60 assigns an IPv4 address and an IPv6 address to the user according to the corresponding processes.
NOTE


The ME60 supports the IPv6 access service only on Ethernet interfaces.
The configuration of the dual-stack access service is similar to that of the IPv6 access service. The difference is that in the dual-stack access service you must also configure an IPv4 address pool and bind it to the domain.
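The address formation described for ND and PPP IPv6 access, as an added Python example that is not part of the guide or of the ME60 software: for ND access the interface ID is derived from the client MAC with modified EUI-64 (RFC 4291, Appendix A); for PPP access it is the value negotiated in IPv6CP; in both cases it is appended to the advertised /64 prefix. The MAC address, the prefix 2001:db8:1:2::/64 and the PPP interface ID used here are constructed.

```python
"""Form the IPv6 addresses an ND or PPP IPv6 subscriber ends up with.

Added example for this guide, not ME60 code. It shows the two steps the text
describes: the client obtains an interface ID (from its MAC for ND access, or as
assigned by the BRAS during IPv6CP for PPP access), then appends it to the /64
prefix the BRAS advertises. The MAC and prefix in the usage are constructed.
"""
import ipaddress

LINK_LOCAL_PREFIX = 0xFE80 << 112


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID from a 48-bit MAC (RFC 4291, Appendix A):
    insert FF:FE between the OUI and the device part, then flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def _check_interface_id(interface_id: int) -> None:
    if not 0 <= interface_id < (1 << 64):
        raise ValueError("interface ID must fit in 64 bits")


def link_local_address(interface_id: int) -> ipaddress.IPv6Address:
    """fe80::/64 plus the interface ID; formed before any prefix is learned."""
    _check_interface_id(interface_id)
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX | interface_id)


def global_address(prefix: str, interface_id: int) -> ipaddress.IPv6Address:
    """Combine the advertised prefix with the interface ID.

    Stateless address allocation needs exactly a /64: a shorter or longer prefix
    would overlap the 64-bit interface ID, so it is rejected here.
    """
    _check_interface_id(interface_id)
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError(f"stateless address allocation needs a /64 prefix, got /{net.prefixlen}")
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def nd_subscriber_addresses(mac: str, prefix: str):
    """ND access: the client derives the interface ID from its own MAC."""
    iid = eui64_interface_id(mac)
    return str(link_local_address(iid)), str(global_address(prefix, iid))


def ppp_subscriber_addresses(assigned_interface_id: int, prefix: str):
    """PPP access: the interface ID was assigned by the BRAS in IPv6CP, not from the MAC."""
    return (str(link_local_address(assigned_interface_id)),
            str(global_address(prefix, assigned_interface_id)))


if __name__ == "__main__":
    print(nd_subscriber_addresses("00:11:22:33:44:55", "2001:db8:1:2::/64"))
    print(ppp_subscriber_addresses(0x1, "2001:db8:1:2::/64"))
```

Because the ND interface ID is a deterministic function of the client MAC, the global address of an ND subscriber reveals the hardware address to every peer; the PPP path lets the BRAS choose the interface ID instead.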

Pre-configuration Tasks
Before configuring the IPv6 access service, complete the following tasks:

Loading the license. For details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

Enabling the ME60 to forward IPv6 packets. For details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.

Configuring the link-local address of the interface. For details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.

Enabling the IPv6 function on the interface. For details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.

Data Preparation
To configure the IPv6 access service, you need the following data.
1. Number of the virtual template interface (applicable to PPP authentication)
2. Authentication scheme and accounting scheme
3. Name of the RADIUS server group
4. Name of the IPv6 address pool
5. User domain
6. Parameters of the web authentication server (applicable to web authentication)
7. Parameters of the BAS interface

Configuration Procedures
To configure the IPv6 access service, perform the following procedures.
1. Configuring the virtual template interface (applicable to PPP authentication)
2. Configuring AAA schemes
3. Configuring the RADIUS server group
4. Configuring the IPv6 address prefix
5. Configuring the domain and specifying the IPv6 address prefix
6. Configuring web authentication (applicable to web authentication)
7. Configuring the ACL (applicable to web authentication)
8. Specifying the virtual template for the access interface (applicable to PPP authentication)
9. Binding the sub-interface to the VLAN (applicable to access through a sub-interface)
10. Configuring the BAS interface

NOTE

The IPv6 access service configuration consists of multiple procedures. The details are not mentioned here because all the procedures are described in the following chapters:

For the procedure for configuring the virtual template interface and specifying the virtual template for an interface, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - Interfaces and Links.
For the procedures for configuring the AAA schemes and the RADIUS server group, see chapter 2 "AAA Configuration."
For the procedure for configuring the IPv6 address prefix, see chapter 3 "Address Management."
For the procedure for configuring a domain, see chapter 4 "User Management."
For the procedure for configuring web authentication, see "Configuring Web Authentication."
For the procedure for configuring the ACL, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.
For the procedure for binding a VLAN to a sub-interface, see "5.5 Configuring a User VLAN."
For the procedure for configuring the BAS interface, see "5.6 Configuring the BAS Interface."


5.13 Managing Online Users


This section describes how to manage online users.
5.13.1 Establishing the Configuration Task
5.13.2 Displaying Online Users
5.13.3 Disconnecting Online Users


5.13.1 Establishing the Configuration Task


Applicable Environment
The operator can manage the online users through the ME60, including displaying online users and disconnecting the users.

Pre-configuration Tasks
Before managing online users, complete the following task:

Configuring the access method and authentication method for the BAS interface

Data Preparation
To manage online users, you need the following data.
1. User names of online users
2. Domain names of online users
3. Access interface names or types/numbers of online users, and VLAN IDs of online users
4. IP addresses and VPN instances of online users
5. MAC addresses of online users
6. Address pool containing the IP addresses of the online users
7. IDs of online users
8. Slot numbers of online users

5.13.2 Displaying Online Users


Run the following commands to display information about online users.

Display information about the online user with the specified user name:
  display access-user username [ | include ] user-name-text
Display information about online users with the specified domain name:
  display access-user domain domain-name [ verbose ]
Display information about the online user with the specified MAC address:
  display access-user mac-address mac-address
Display information about the online user with the specified IP address:
  display access-user ip-address ip-address [ vpn-instance instance-name ]
Display information about online users on the specified interface:
  display access-user interface interface-type interface-number [ vlan vlan-id ] [ qinq qinq-id ] [ verbose ]
Display information about the online user with the specified user ID:
  display access-user user-id user-id [ vas ]
Display information about online users in the specified slot:
  display access-user slot [ slot-id ]
Display information about the online users in the specified period:
  display access-user time time [ verbose ]
Display information about the online users with the specified access line ID:
  display access-user circuit-id [ | include ] circuit-id-text
Display information about the online L2TP users on the specified LAC tunnel:
  display access-user remote-name tunnel-name
Display information about the online L2TP users that use the specified tunnel source address:
  display access-user lac-ip-address lac-ip-address

5.13.3 Disconnecting Online Users


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
cut access-user username name { local | radius | none | all }

The online user with the specified user name is disconnected. Or run:
cut access-user domain domain-name

The online users in the specified domain are disconnected. Or run:


cut access-user mac-address mac-address

The online user with the specified MAC address is disconnected. Or run:
cut access-user ip-address ip-address [ vpn-instance instance-name ]

The online user with the specified IP address is disconnected. Or run:


cut access-user interface interface-type interface-number [ vlan-id vlan-id ]

The online users on the specified interface are disconnected. Or run:


cut access-user user-id start-no [ end-no ]

The online user with the specified user ID is disconnected. Or run:


cut access-user ip-pool pool-name

The online users using the IP addresses in the specified address pool are disconnected. Or run:
cut access-user slot slot-id

All the users on the specified board are disconnected. ----End

5.14 Maintaining BRAS Access


This section describes the commands used to display information about BRAS access and to debug the BRAS access function.
5.14.1 Displaying the BRAS Access Information
5.14.2 Clearing the BRAS Access Information
5.14.3 Debugging BRAS Access

5.14.1 Displaying the BRAS Access Information


After the preceding configuration, run the following display commands in any view to view the BRAS access information and check the configuration. For detailed information, refer to the Quidway ME60 Multiservice Control Gateway Command Reference.

Display the configuration of the web authentication server:
  display web-auth-server configuration
Display the configuration of the 802.1X template:
  display dot1x-template number
Display the configuration of the BAS interface:
  display bas-interface [ interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan ] ] ]
Display the limit on the number of users on an interface:
  display port access-limit interface [ interface-type interface-number | slot slot-id ]
Display the maximum number of users on a board:
  display slot-warning-threshold
Display the maximum number of concurrent online users in history:
  display most-onlineuser
Display the ratio of successful calls of various users:
  display call rate
Display the login failure records of the users:
  display aaa online-fail-record [ domain_name domain-name | [ interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan ] ] | mac-address mac-address | user-type type | username user-name ]* | slot slot | time begin-time end-time [ date begin-date end-date ] ]
Display the statistics of login failure reasons:
  display aaa online-fail-record statistics
Display the logout records of the users:
  display aaa offline-record [ domain_name domain-name | offline-reason { arp_detect_fail | idle_cut | ppp_echo_fail | ppp_user_request | realtime_acct_fail | session_timeout | stop_acct_fail | user_request } | [ interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan ] ] | mac-address mac-address | user-type type | username user-name ]* | slot slot | time begin-time end-time [ date begin-date end-date ] ]
Display the statistics of logout reasons:
  display aaa offline-record statistics
Display the abnormal logout records of the users:
  display aaa abnormal-offline-record [ domain_name domain-name | [ interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan ] ] | mac-address mac-address | user-type type | username user-name ]* | slot slot | time begin-time end-time [ date begin-date end-date ] ]

5.14.2 Clearing the BRAS Access Information

CAUTION
The BRAS access information cannot be restored after you clear it. Therefore, be cautious when clearing the BRAS running information.

To clear the BRAS access information, run the following reset commands in the system view.

Clear all the login failure records of the users:
  reset aaa online-fail-record
Clear all the logout records of the users:
  reset aaa offline-record
Clear all the abnormal logout records of the users:
  reset aaa abnormal-offline-record
Clear the maximum number of online users in history:
  reset most-onlineuser
Clear the statistics of the call success (put-through) rate:
  reset call rate

5.14.3 Debugging BRAS Access

CAUTION
Debugging affects the system performance. So, after debugging, run the undo debugging all command to disable the debugging immediately.


When a fault occurs during BRAS access, run the following debugging commands in the user view to locate the fault. For the procedure for displaying the debugging information, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

Debug the packets of web authentication:
  debugging web packet
Debug the packets of the PPP protocol:
  debugging ppp { chap | ipcp | lcp | pap } packet interface interface-type interface-number
Debug the packets of the PPPoE protocol:
  debugging pppoe packet interface interface-type interface-number

NOTE

In the commands that debug PPP and PPPoE packets, interface-number must be the number of a main interface; the displayed debugging information covers both the main interface and its sub-interfaces.

5.15 Configuration Examples


This section provides several configuration examples of BRAS access.
NOTE

In actual networking, you need to load the license. For details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

5.15.1 Example for Configuring the Common IPoE Access Service for VPN Users
5.15.2 Example for Configuring the Common IPoEoVLAN Access Service
5.15.3 Example for Configuring the Common IPoEoQ Access Service
5.15.4 Example for Configuring the PPPoE Access Service
5.15.5 Example for Configuring PPPoE Leased Line Access
5.15.6 Example for Configuring the PPPoEoVLAN Access Service
5.15.7 Example for Configuring the PPPoEoQ Access Service
5.15.8 Example for Configuring the 802.1X Access Service
5.15.9 Example for Configuring Ethernet Layer-2 Leased Line Access
5.15.10 Example for Configuring Ethernet Layer-3 Leased Line Access
5.15.11 Example for Configuring the IPv6 (PPP) Access Service
5.15.12 Example for Configuring the IPv6 (ND) Access Service


5.15.1 Example for Configuring the Common IPoE Access Service for VPN Users
Networking Requirements
As shown in Figure 5-10, the networking requirements are as follows:

The user belongs to domain isp2 and accesses GE8/0/2 of the ME60 through IPoE.
Web authentication, RADIUS authentication, and RADIUS accounting are adopted for the user. The IP address of the RADIUS server is 192.168.8.249, and the port numbers for authentication and accounting are 1812 and 1813 respectively. The RADIUS server uses the standard RADIUS protocol and the shared key is hello.
The user is a VPN user and belongs to VPN instance vpn1.
The IP address of the DNS server is 192.168.8.252.
The IP address of the web authentication server is 192.168.8.251 and the key is webvlan.
The network side interface is GE7/0/2.


Networking Diagram
Figure 5-10 Networking of the common IPoE access service
(Diagram) subscriber@isp2 -> Access Network -> GE8/0/2 [ME60] GE7/0/2 192.168.8.1 -> Internet. DNS server 192.168.8.252, web server 192.168.8.251, RADIUS server 192.168.8.249.

Configuration Procedure

CAUTION
For users adopting web authentication, the default pre-authentication domain default0 is mandatory.

1. Configure the VPN instance.
<Quidway> system-view
[Quidway] ip vpn-instance vpn1
[Quidway-vpn-instance-vpn1] route-distinguisher 100:1
[Quidway-vpn-instance-vpn1] vpn-target 100:1 both
[Quidway-vpn-instance-vpn1] quit

2. Configure the AAA schemes.
# Configure the authentication scheme.
[Quidway] aaa
[Quidway-aaa] authentication-scheme auth2
[Quidway-aaa-authen-auth2] authentication-mode radius
[Quidway-aaa-authen-auth2] quit

# Configure the accounting scheme.


[Quidway-aaa] accounting-scheme acct2
[Quidway-aaa-accounting-acct2] accounting-mode radius
[Quidway-aaa-accounting-acct2] quit
[Quidway-aaa] quit

3. Configure the RADIUS server group.
[Quidway] radius-server group rd2
[Quidway-radius-rd2] radius-server authentication 192.168.8.249 1812
[Quidway-radius-rd2] radius-server accounting 192.168.8.249 1813
[Quidway-radius-rd2] radius-server type standard
[Quidway-radius-rd2] radius-server shared-key hello
[Quidway-radius-rd2] quit

4. Configure the address pool.
[Quidway] ip pool pool2 local
[Quidway-ip-pool-pool2] gateway 172.82.1.1 255.255.255.0
[Quidway-ip-pool-pool2] section 0 172.82.1.2 172.82.1.200
[Quidway-ip-pool-pool2] dns-server 192.168.8.252
[Quidway-ip-pool-pool2] vpn-instance vpn1
[Quidway-ip-pool-pool2] quit

5. Configure the related domains.
# Configure domain default0 as the pre-authentication domain.
[Quidway] user-group huawei
[Quidway] aaa
[Quidway-aaa] domain default0
[Quidway-aaa-domain-default0] ip-pool pool2
[Quidway-aaa-domain-default0] user-group huawei
[Quidway-aaa-domain-default0] service-type hsi
[Quidway-aaa-domain-default0] web-server 192.168.8.251
[Quidway-aaa-domain-default0] web-server url http://192.168.8.251
[Quidway-aaa-domain-default0] vpn-instance vpn1
[Quidway-aaa-domain-default0] quit

# Configure domain isp2 as the authentication domain for web authentication.
[Quidway-aaa] domain isp2
[Quidway-aaa-domain-isp2] authentication-scheme auth2
[Quidway-aaa-domain-isp2] accounting-scheme acct2
[Quidway-aaa-domain-isp2] radius-server group rd2
[Quidway-aaa-domain-isp2] service-type hsi
[Quidway-aaa-domain-isp2] vpn-instance vpn1
[Quidway-aaa-domain-isp2] quit
[Quidway-aaa] quit

6. Configure the web authentication server.
[Quidway] web-auth-server 192.168.8.251 key webvlan

7. Configure the ACL.
# Configure the ACL rules.
[Quidway] acl number 6000
[Quidway-acl-ucl-6000] rule deny ip source user-group huawei
[Quidway-acl-ucl-6000] acl number 6001
[Quidway-acl-ucl-6001] rule permit ip source user-group huawei destination ip-address 192.168.8.251 0.0.0.0
[Quidway-acl-ucl-6001] rule permit ip source user-group huawei destination ip-address 192.168.8.252 0.0.0.0
[Quidway-acl-ucl-6001] rule permit ip source user-group huawei destination ip-address 127.0.0.1 0.0.0.0
[Quidway-acl-ucl-6001] quit

# Configure the traffic policy.


[Quidway] traffic classifier c1
[Quidway-classifier-c1] if-match acl 6000
[Quidway-classifier-c1] quit
[Quidway] traffic classifier c2
[Quidway-classifier-c2] if-match acl 6001
[Quidway-classifier-c2] quit
[Quidway] traffic behavior deny1
[Quidway-behavior-deny1] deny
[Quidway-behavior-deny1] traffic behavior perm1
[Quidway-behavior-perm1] permit
[Quidway-behavior-perm1] quit
[Quidway] traffic policy action1
[Quidway-policy-action1] classifier c2 behavior perm1
[Quidway-policy-action1] classifier c1 behavior deny1
[Quidway-policy-action1] quit

# Apply the traffic policy globally.


[Quidway] traffic-policy action1 inbound [Quidway] traffic-policy action1 outbound

8. Configure the interfaces.
# Configure the BAS interface.
[Quidway] interface GigabitEthernet 8/0/2
[Quidway-GigabitEthernet8/0/2] bas
[Quidway-GigabitEthernet8/0/2-bas] access-type layer2-subscriber
[Quidway-GigabitEthernet8/0/2-bas] authentication-method web
[Quidway-GigabitEthernet8/0/2-bas] default-domain authentication isp2
[Quidway-GigabitEthernet8/0/2-bas] vpn-instance vpn1
[Quidway-GigabitEthernet8/0/2-bas] quit
[Quidway-GigabitEthernet8/0/2] quit

# Configure the uplink interface.


[Quidway] interface GigabitEthernet 7/0/2 [Quidway-GigabitEthernet7/0/2] ip address 192.168.8.1 255.255.255.0 [Quidway-GigabitEthernet7/0/2] ip binding vpn-instance vpn1

Configuration Files
#
 sysname Quidway
#
user-group huawei
#
ip vpn-instance vpn1
 route-distinguisher 100:1
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
#
radius-server group rd2
 radius-server authentication 192.168.8.249 1812 weight 0
 radius-server accounting 192.168.8.249 1813 weight 0
 radius-server shared-key hello
#
acl number 6000
 rule 5 deny ip source user-group huawei
#
acl number 6001
 rule 5 permit ip source user-group huawei destination ip-address 192.168.8.251 0
 rule 10 permit ip source user-group huawei destination ip-address 192.168.8.252 0
 rule 15 permit ip source user-group huawei destination ip-address 127.0.0.1 0.0.0.0
#
traffic classifier c2 operator and
 if-match acl 6001
traffic classifier c1 operator and
 if-match acl 6000
#
traffic behavior perm1
traffic behavior deny1
 deny
#
traffic policy action1
 classifier c2 behavior perm1
 classifier c1 behavior deny1
traffic-policy action1 inbound
traffic-policy action1 outbound
#
interface GigabitEthernet8/0/2
 bas
  access-type layer2-subscriber default-domain authentication isp2
  vpn-instance vpn1
  authentication-method web
#
interface GigabitEthernet7/0/2
 ip address 192.168.8.1 255.255.255.0
 ip binding vpn-instance vpn1
#
ip pool pool2 local
 vpn-instance vpn1
 gateway 172.82.1.1 255.255.255.0
 section 0 172.82.1.2 172.82.1.200
 dns-server 192.168.8.252
#
aaa
 authentication-scheme auth2
 accounting-scheme acct2
 domain default0
  service-type hsi
  web-server 192.168.8.251
  web-server url http://192.168.8.251
  user-group huawei
  vpn-instance vpn1
  ip-pool pool2
 domain isp2
  authentication-scheme auth2
  accounting-scheme acct2
  service-type hsi
  radius-server group rd2
#
return
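To check what the pre-authentication user in this example can reach, the Python below (added here; not ME60 code and not part of the original example) models UCL ACLs 6000 and 6001 and evaluates them in the order traffic policy action1 binds them, classifier c2 before c1. First-match evaluation across the bound classifiers is the assumption the example's ordering relies on; the portal, DNS and user-group names are those of the example, and the Internet address 198.51.100.10 is a constructed sample destination.

```python
"""Model the pre-authentication walled garden of the web-authentication example.

Added example for this guide, not ME60 code. ACL 6001 permits user-group huawei
to the portal, the DNS server and 127.0.0.1; ACL 6000 denies everything else from
that group. Traffic policy action1 binds c2 (acl 6001) before c1 (acl 6000), and
this model assumes first-match evaluation in that binding order. Addresses and
rules are those of the example; the sample flows are constructed.
"""
import ipaddress
from dataclasses import dataclass

PORTAL = "192.168.8.251"
DNS = "192.168.8.252"
SAMPLE_INTERNET_HOST = "198.51.100.10"   # constructed destination outside the garden


@dataclass(frozen=True)
class UclRule:
    action: str         # "permit" or "deny"
    user_group: str     # a UCL rule matches only traffic whose source is in this user group
    destination: str    # destination network, or "any"

    def matches(self, user_group: str, dst: str) -> bool:
        if user_group != self.user_group:
            return False
        if self.destination == "any":
            return True
        return ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination)


ACL_6001 = [UclRule("permit", "huawei", f"{PORTAL}/32"),
            UclRule("permit", "huawei", f"{DNS}/32"),
            UclRule("permit", "huawei", "127.0.0.1/32")]
ACL_6000 = [UclRule("deny", "huawei", "any")]

# traffic policy action1: classifier c2 (acl 6001) is bound before classifier c1 (acl 6000)
POLICY_ACTION1 = [("c2", ACL_6001), ("c1", ACL_6000)]


def evaluate(policy, user_group: str, dst: str) -> str:
    """The first classifier whose ACL matches decides; no match means normal forwarding."""
    for _classifier, acl in policy:
        for rule in acl:
            if rule.matches(user_group, dst):
                return rule.action
    return "permit"


def walled_garden_check(policy=POLICY_ACTION1) -> dict:
    """Reachability for a subscriber still in pre-authentication domain default0
    (user-group huawei) and for an authenticated isp2 subscriber (no user group)."""
    return {
        "preauth_portal": evaluate(policy, "huawei", PORTAL),
        "preauth_dns": evaluate(policy, "huawei", DNS),
        "preauth_internet": evaluate(policy, "huawei", SAMPLE_INTERNET_HOST),
        "authenticated_internet": evaluate(policy, "", SAMPLE_INTERNET_HOST),
    }


if __name__ == "__main__":
    print(walled_garden_check())
    # Binding c1 before c2 would make the deny rule match first and block the portal too.
    print(walled_garden_check(list(reversed(POLICY_ACTION1))))
```

The second call shows why the binding order in the example is not cosmetic: with the deny classifier first, the unauthenticated user cannot even reach the portal that is supposed to authenticate it.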

5.15.2 Example for Configuring the Common IPoEoVLAN Access Service


Networking Requirements
As shown in Figure 5-11, the networking requirements are as follows:

The user belongs to domain isp3 and accesses GE8/0/2.1 of the ME60 through common IPoEoVLAN. The LAN switch tags the user packets with VLAN 1 and VLAN 2.
Web authentication, RADIUS authentication, and RADIUS accounting are adopted for the user. The IP address of the RADIUS server is 192.168.8.249, and the port numbers for authentication and accounting are 1812 and 1813 respectively. The RADIUS server uses the standard RADIUS protocol and the shared key is hello.
Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 5-63

Issue 05 (2010-06-01)

5 BRAS Access Configuration


l l

Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services

The IP address of the DNS server is 192.168.8.252. The network side interface is GE7/0/2.

Networking Diagram
Figure 5-11 Networking of the common IPoEoVLAN access service (figure not reproduced): subscriber1@isp3 (VLAN 1) and subscriber2@isp3 (VLAN 2) -> ME60 GE8/0/2.1; ME60 GE7/0/2 (192.168.8.1) -> Internet; DNS server 192.168.8.252 and RADIUS server 192.168.8.249 on the network side.

Configuration Procedure
1. Configure the AAA schemes.
# Configure the authentication scheme.
<Quidway> system-view
[Quidway] aaa
[Quidway-aaa] authentication-scheme auth3
[Quidway-aaa-authen-auth3] authentication-mode radius
[Quidway-aaa-authen-auth3] quit
# Configure the accounting scheme.
[Quidway-aaa] accounting-scheme acct3
[Quidway-aaa-accounting-acct3] accounting-mode radius
[Quidway-aaa-accounting-acct3] quit
[Quidway-aaa] quit
2. Configure the RADIUS server group.
[Quidway] radius-server group rd3
[Quidway-radius-rd3] radius-server authentication 192.168.8.249 1812
[Quidway-radius-rd3] radius-server accounting 192.168.8.249 1813
[Quidway-radius-rd3] radius-server type standard
[Quidway-radius-rd3] radius-server shared-key hello
[Quidway-radius-rd3] quit
3. Configure the address pool.
[Quidway] ip pool pool3 local
[Quidway-ip-pool-pool3] gateway 172.82.2.1 255.255.255.0
[Quidway-ip-pool-pool3] section 0 172.82.2.2 172.82.2.200
[Quidway-ip-pool-pool3] dns-server 192.168.8.252
[Quidway-ip-pool-pool3] quit
NOTE
The configured address pool is used in the default authentication domain. You do not need to configure a default pre-authentication domain, because a user that adopts binding authentication is authenticated automatically when the user goes online.

4. Configure domain isp3.
[Quidway] aaa
[Quidway-aaa] domain isp3
[Quidway-aaa-domain-isp3] authentication-scheme auth3
[Quidway-aaa-domain-isp3] accounting-scheme acct3
[Quidway-aaa-domain-isp3] radius-server group rd3
[Quidway-aaa-domain-isp3] ip-pool pool3
[Quidway-aaa-domain-isp3] quit
[Quidway-aaa] quit
CAUTION
When a user obtains an IP address in binding authentication, the ME60 authenticates the user automatically. Therefore, you do not need to configure an ACL to control the network access rights of users before authentication; access rights need to be restricted only after authentication.
5. Configure the interfaces.
# Configure the BAS interface.
[Quidway] interface GigabitEthernet 8/0/2.1
[Quidway-GigabitEthernet8/0/2.1] user-vlan 1 2
[Quidway-GigabitEthernet8/0/2.1-vlan-1-2] quit
[Quidway-GigabitEthernet8/0/2.1] bas
[Quidway-GigabitEthernet8/0/2.1-bas] access-type layer2-subscriber
[Quidway-GigabitEthernet8/0/2.1-bas] authentication-method bind
[Quidway-GigabitEthernet8/0/2.1-bas] default-domain authentication isp3
[Quidway-GigabitEthernet8/0/2.1-bas] quit
[Quidway-GigabitEthernet8/0/2.1] quit
NOTE
The user name for binding authentication is generated automatically from the location where the user accesses the ME60. Therefore, the user name on the RADIUS server must be configured according to the name generation rule. The password is vlan. For the format of the user name for binding authentication, refer to the description of the vlanpvcto-username command in the Quidway ME60 Multiservice Control Gateway Command Reference.
# Configure the uplink interface.
[Quidway] interface GigabitEthernet 7/0/2
[Quidway-GigabitEthernet7/0/2] ip address 192.168.8.1 255.255.255.0

Configuration Files
#
 sysname Quidway
#
radius-server group rd3
 radius-server authentication 192.168.8.249 1812 weight 0
 radius-server accounting 192.168.8.249 1813 weight 0
 radius-server shared-key hello
#
interface GigabitEthernet8/0/2.1
 user-vlan 1 2
 bas
  access-type layer2-subscriber
  default-domain authentication isp3
  authentication-method bind
#
interface GigabitEthernet7/0/2
 ip address 192.168.8.1 255.255.255.0
#
ip pool pool3 local
 gateway 172.82.2.1 255.255.255.0
 section 0 172.82.2.2 172.82.2.200
 dns-server 192.168.8.252
#
aaa
 authentication-scheme auth3
 accounting-scheme acct3
 domain isp3
  authentication-scheme auth3
  accounting-scheme acct3
  radius-server group rd3
  ip-pool pool3
#
return
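The key set with radius-server shared-key hello never travels on the wire. The ME60 uses it to hide the User-Password attribute in the Access-Request and to check the Response Authenticator of the Access-Accept it gets back (RFC 2865 sections 3 and 5.2). The Python script below is an added example, not part of this guide and not Huawei code: it builds the Access-Request the BRAS would send for a binding-authentication user (password vlan, as the note above states), answers it as a RADIUS server that holds the same key, and shows that both a key mismatch on the server and a forged Access-Accept from someone without the key are rejected by the NAS. The user name subscriber1@isp3 is taken from Figure 5-11 for illustration only; a real binding user carries the name generated by the vlanpvcto-username rule.

```python
"""RFC 2865 Access-Request / Access-Accept round trip with a BRAS-style shared key.
Added example (not Huawei code); stdlib only, no network I/O."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password.ljust(16 * max(1, (len(password) + 15) // 16), b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; only a holder of the same secret gets the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def parse_packet(data: bytes):
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = data[pos], data[pos + 1]
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, data[4:20], attrs


def build_access_request(secret, ident, username, password, nas_ip):
    """NAS side: a fresh random Request Authenticator for every request."""
    authenticator = os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(secret, authenticator, password))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_respond(secret, request, users):
    """Server side: recover the password with its own copy of the secret, then
    sign the reply: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, req_auth, attrs = parse_packet(request)
    password = reveal_password(secret, req_auth, attrs.get(USER_PASSWORD, b""))
    expected = users.get(attrs.get(USER_NAME))
    ok = expected is not None and hmac.compare_digest(expected, password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()  # no reply attributes


def client_verify(secret, request, response):
    """NAS side: the reply counts only if its Response Authenticator is valid for
    the request it answers; returns the code, or None for an unauthenticated reply."""
    code, ident, resp_auth, _ = parse_packet(response)
    if ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, resp_auth) else None


def demo():
    key = b"hello"                              # radius-server shared-key hello
    users = {b"subscriber1@isp3": b"vlan"}     # binding-authentication password is vlan
    req = build_access_request(key, 1, b"subscriber1@isp3", b"vlan", "192.168.8.1")
    ok = client_verify(key, req, server_respond(key, req, users))
    # Server configured with another key: it recovers garbage instead of the password,
    # and its reply is signed with the wrong key, so the NAS discards it.
    bad = client_verify(key, req, server_respond(b"wrong", req, users))
    # An on-path forger without the key cannot produce a valid Access-Accept either.
    forged = struct.pack("!BBH", ACCESS_ACCEPT, 1, 20) + os.urandom(16)
    return ok, bad, client_verify(key, req, forged)


if __name__ == "__main__":
    print(demo())  # (2, None, None)
```

The script deliberately stops at RFC 2865: it does not model the Huawei RADIUS+1.1 variant used in the later examples, and MD5-based hiding only protects the password from passive readers who lack the key, which is why the key itself and the path to 192.168.8.249 still need protecting.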


5.15.3 Example for Configuring the Common IPoEoQ Access Service


Networking Requirements
As shown in Figure 5-12, the networking requirements are as follows:
- The user accesses GE8/0/8.2 of the ME60 through common IPoEoQ. LAN Switch 1 tags the user packets with VLAN 1 and VLAN 2. LAN Switch 2 tags the user packets with QinQ 100.
- The user belongs to domain isp1 and adopts fast authentication and RADIUS accounting. The IP address of the web authentication server is 192.168.8.251 and the key shared with it is webvlan.
- The IP address of the RADIUS server is 192.168.7.249. The authentication port number is 1812 and the accounting port number is 1813. The standard RADIUS protocol is adopted. The shared key is itellin.
- The IP address of the DNS server is 192.168.7.252.

Networking Diagram
Figure 5-12 Networking of the common IPoEoQ access service (figure not reproduced): user1@isp1 (VLAN 1) and user2@isp1 (VLAN 2) -> LAN Switch 1 -> LAN Switch 2 (QinQ 100) -> ME60 GE8/0/8.2; ME60 GE7/0/1 (192.168.7.1) -> Internet; DNS server 192.168.7.252, web server 192.168.8.251 and RADIUS server 192.168.7.249 on the network side.

Configuration Procedure
1. Configure the AAA schemes.
# Configure the authentication scheme.
<Quidway> system-view
[Quidway] aaa
[Quidway-aaa] authentication-scheme auth1
[Quidway-aaa-authen-auth1] authentication-mode radius
[Quidway-aaa-authen-auth1] quit
# Configure the accounting scheme.
[Quidway-aaa] accounting-scheme acct1
[Quidway-aaa-accounting-acct1] accounting-mode radius
[Quidway-aaa-accounting-acct1] quit
[Quidway-aaa] quit
2. Configure the RADIUS server group.
[Quidway] radius-server group rd1
[Quidway-radius-rd1] radius-server authentication 192.168.7.249 1812
[Quidway-radius-rd1] radius-server accounting 192.168.7.249 1813
[Quidway-radius-rd1] radius-server shared-key itellin
[Quidway-radius-rd1] quit
3. Configure the address pool.
[Quidway] ip pool pool1 local
[Quidway-ip-pool-pool1] gateway 172.82.0.1 255.255.255.0
[Quidway-ip-pool-pool1] section 0 172.82.0.2 172.82.0.200
[Quidway-ip-pool-pool1] dns-server 192.168.7.252
[Quidway-ip-pool-pool1] quit
4. Configure the related domains.
# Configure domain default0 as the pre-authentication domain.
[Quidway] user-group huawei
[Quidway] aaa
[Quidway-aaa] domain default0
[Quidway-aaa-domain-default0] ip-pool pool1
[Quidway-aaa-domain-default0] user-group huawei
[Quidway-aaa-domain-default0] service-type hsi
[Quidway-aaa-domain-default0] web-server 192.168.8.251
[Quidway-aaa-domain-default0] web-server url http://192.168.8.251
[Quidway-aaa-domain-default0] quit
[Quidway-aaa] quit
# Configure domain isp1.
[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme auth1
[Quidway-aaa-domain-isp1] accounting-scheme acct1
[Quidway-aaa-domain-isp1] radius-server group rd1
[Quidway-aaa-domain-isp1] service-type hsi
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit
5. Configure the web authentication server.
[Quidway] web-auth-server 192.168.8.251 key webvlan
6. Configure the Ethernet interface.
# Configure the user VLAN.
[Quidway] interface GigabitEthernet 8/0/8.2
[Quidway-GigabitEthernet8/0/8.2] user-vlan 1 2 qinq 100
[Quidway-GigabitEthernet8/0/8.2-vlan-1-2-QinQ-100] quit
# Configure the BAS interface.
[Quidway-GigabitEthernet8/0/8.2] bas
[Quidway-GigabitEthernet8/0/8.2-bas] access-type layer2-subscriber
[Quidway-GigabitEthernet8/0/8.2-bas] default-domain authentication isp1
[Quidway-GigabitEthernet8/0/8.2-bas] authentication-method fast
[Quidway-GigabitEthernet8/0/8.2-bas] quit
[Quidway-GigabitEthernet8/0/8.2] quit
# Configure the uplink interface.
[Quidway] interface GigabitEthernet 7/0/1
[Quidway-GigabitEthernet7/0/1] ip address 192.168.7.1 255.255.255.0

Configuration Files
#
 sysname Quidway
#
radius-server group rd1
 radius-server authentication 192.168.7.249 1812 weight 0
 radius-server accounting 192.168.7.249 1813 weight 0
 radius-server shared-key itellin
#
interface GigabitEthernet8/0/8
#
interface GigabitEthernet8/0/8.2
 user-vlan 1 2 qinq 100
 bas
  access-type layer2-subscriber
  default-domain authentication isp1
  authentication-method fast
#
interface GigabitEthernet7/0/1
 ip address 192.168.7.1 255.255.255.0
#
web-auth-server 192.168.8.251 port 50100 key webvlan
#
ip pool pool1 local
 gateway 172.82.0.1 255.255.255.0
 section 0 172.82.0.2 172.82.0.200
 dns-server 192.168.7.252
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain default0
  service-type hsi
  web-server 192.168.8.251
  web-server url http://192.168.8.251
  user-group huawei
  ip-pool pool1
 domain default1
 domain default_admin
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  service-type hsi
  radius-server group rd1
#
return
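Reviewing listings like the ones above, a practitioner usually wants three things checked mechanically: that every RADIUS server group carries a shared key, that every bas view names an authentication method, and that a pre-authentication domain (one with web-server and a user-group, like default0 here) is actually fenced by an ACL-based traffic policy of the kind shown in the listing that opens this part of the chapter (acl 6000/6001, traffic classifier, traffic policy, traffic-policy ... inbound). The Python script below is an added example, not part of this guide and not Huawei code. It parses the configuration-file format printed in this chapter (blocks separated by #, one space of indentation per view level) and reports the checks that fail. The two listings it runs over are constructed for the example and modelled on this chapter; they are not complete ME60 configurations.

```python
"""Static checks over an ME60-style configuration listing.
Added example (not Huawei code); the sample listings are constructed."""
import re


def parse_config(text: str):
    """Turn the '#'-separated, space-indented listing into a tree of (line, children)."""
    root, stack = [], []                      # stack holds (indent, children_list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        node = (line, [])
        (stack[-1][1] if stack else root).append(node)
        stack.append((indent, node[1]))
    return root


def find(nodes, prefix: str):
    return [n for n in nodes if n[0].startswith(prefix)]


def audit(text: str):
    cfg, findings = parse_config(text), []
    # 1. Without a shared key the group can neither hide User-Password nor validate replies.
    for line, kids in find(cfg, "radius-server group "):
        if not find(kids, "radius-server shared-key"):
            findings.append(f"{line}: no radius-server shared-key")
    # 2. Every bas view must state how its users are authenticated.
    for line, kids in find(cfg, "interface "):
        for _, bas in find(kids, "bas"):
            if not find(bas, "authentication-method"):
                findings.append(f"{line}: bas view without authentication-method")
    # 3. Pre-auth fence: user-group -> ACL rule -> classifier -> policy -> applied.
    acl_groups = {}                           # user-group -> {acl numbers}
    for line, rules in find(cfg, "acl number "):
        for rule, _ in rules:
            m = re.search(r"user-group (\S+)", rule)
            if m:
                acl_groups.setdefault(m.group(1), set()).add(line.split()[-1])
    cls_acls = {l.split()[2]: {r.split()[-1] for r, _ in find(k, "if-match acl ")}
                for l, k in find(cfg, "traffic classifier ")}
    pol_cls = {l.split()[2]: {r.split()[1] for r, _ in find(k, "classifier ")}
               for l, k in find(cfg, "traffic policy ")}
    applied = {l.split()[1] for l, _ in find(cfg, "traffic-policy ")}
    for _, aaa in find(cfg, "aaa"):
        for line, kids in find(aaa, "domain "):
            groups = [g.split()[1] for g, _ in find(kids, "user-group ")]
            if not groups or not find(kids, "web-server"):
                continue                      # not a pre-authentication domain
            acls = acl_groups.get(groups[0], set())
            if not any(cls_acls.get(c, set()) & acls
                       for p in applied for c in pol_cls.get(p, set())):
                findings.append(f"{line}: pre-authentication user-group {groups[0]} "
                                "is not restricted by any applied traffic policy")
    return findings


# Constructed sample modelled on the listings in this chapter (not a full config).
SECURE = """\
user-group huawei
#
radius-server group rd2
 radius-server authentication 192.168.8.249 1812 weight 0
 radius-server shared-key hello
#
acl number 6001
 rule 5 permit ip source user-group huawei destination ip-address 192.168.8.251 0
traffic classifier c2 operator and
 if-match acl 6001
traffic policy action1
 classifier c2 behavior perm1
traffic-policy action1 inbound
#
interface GigabitEthernet8/0/2
 bas
  authentication-method web
#
aaa
 domain default0
  web-server 192.168.8.251
  user-group huawei
 domain isp2
  radius-server group rd2
"""
# The same listing with the key, the policy application and the method removed.
WEAK = (SECURE.replace(" radius-server shared-key hello\n", "")
        .replace("traffic-policy action1 inbound\n", "")
        .replace("  authentication-method web\n", ""))

if __name__ == "__main__":
    for name, text in (("SECURE", SECURE), ("WEAK", WEAK)):
        print(name, audit(text) or "no findings")
```

Run it over a saved display current-configuration to get the three checks for a real box; audit(WEAK) returns one finding per removed line, audit(SECURE) returns none.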

5.15.4 Example for Configuring the PPPoE Access Service


Networking Requirements
As shown in Figure 5-13, the networking requirements are as follows:
- Users belong to domain isp1 and access the Internet through GE8/0/1 of the ME60 by using PPPoE dial-up. RADIUS authentication and RADIUS accounting are adopted.
- The IP address of the RADIUS server is 192.168.7.249 and the ports for authentication and accounting are 1645 and 1646 respectively. The protocol is RADIUS+1.1 and the key is itellin.
- The IP address of the DNS server is 192.168.7.252.
- The network side interface is GE7/0/1.

Networking Diagram
Figure 5-13 Networking of the PPPoE access service (figure not reproduced): subscriber@isp1 -> Access Network -> ME60 GE8/0/1; ME60 GE7/0/1 (192.168.7.1) -> Internet; RADIUS server 192.168.7.249 and DNS server 192.168.7.252 on the network side.

Configuration Procedure
1. Configure the authentication scheme.
<Quidway> system-view
[Quidway] aaa
[Quidway-aaa] authentication-scheme auth1
[Quidway-aaa-authen-auth1] authentication-mode radius
[Quidway-aaa-authen-auth1] quit
2. Configure the accounting scheme.
[Quidway-aaa] accounting-scheme acct1
[Quidway-aaa-accounting-acct1] accounting-mode radius
[Quidway-aaa-accounting-acct1] quit
[Quidway-aaa] quit
3. Configure the RADIUS server group.
[Quidway] radius-server group rd1
[Quidway-radius-rd1] radius-server authentication 192.168.7.249 1645
[Quidway-radius-rd1] radius-server accounting 192.168.7.249 1646
[Quidway-radius-rd1] radius-server type plus11
[Quidway-radius-rd1] radius-server shared-key itellin
[Quidway-radius-rd1] quit
4. Configure the address pool.
[Quidway] ip pool pool1 local
[Quidway-ip-pool-pool1] gateway 172.82.0.1 255.255.255.0
[Quidway-ip-pool-pool1] section 0 172.82.0.2 172.82.0.200
[Quidway-ip-pool-pool1] dns-server 192.168.7.252
[Quidway-ip-pool-pool1] quit
5. Configure domain isp1.
[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme auth1
[Quidway-aaa-domain-isp1] accounting-scheme acct1
[Quidway-aaa-domain-isp1] radius-server group rd1
[Quidway-aaa-domain-isp1] ip-pool pool1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit
6. Configure the BAS interface.
[Quidway] interface GigabitEthernet 8/0/1
[Quidway-GigabitEthernet8/0/1] bas
[Quidway-GigabitEthernet8/0/1-bas] access-type layer2-subscriber
[Quidway-GigabitEthernet8/0/1-bas] authentication-method ppp
[Quidway-GigabitEthernet8/0/1-bas] quit
[Quidway-GigabitEthernet8/0/1] quit
7. Configure the uplink interface.
[Quidway] interface GigabitEthernet 7/0/1
[Quidway-GigabitEthernet7/0/1] ip address 192.168.7.1 255.255.255.0
[Quidway-GigabitEthernet7/0/1] quit
8. Configure the routing protocol.
[Quidway] rip
[Quidway-rip-1] version 2
[Quidway-rip-1] network 174.100.0.0

Configuration Files
#
 sysname Quidway
#
radius-server group rd1
 radius-server authentication 192.168.7.249 1645 weight 0
 radius-server accounting 192.168.7.249 1646 weight 0
 radius-server shared-key itellin
 radius-server type plus11
 radius-server traffic-unit kbyte
#
interface GigabitEthernet8/0/1
 bas
  access-type layer2-subscriber
  authentication-method ppp
#
interface GigabitEthernet7/0/1
 ip address 192.168.7.1 255.255.255.0
#
ip pool pool1 local
 gateway 172.82.0.1 255.255.255.0
 section 0 172.82.0.2 172.82.0.200
 dns-server 192.168.7.252
#
rip 1
 version 2
 network 174.100.0.0
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain default0
 domain default1
 domain default_admin
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group rd1
  ip-pool pool1
#
return

5.15.5 Example for Configuring PPPoE Leased Line Access


Networking Requirements
As shown in Figure 5-14, the networking requirements are as follows:
- Users belong to domain isp1 and access the Internet through GE8/0/1 of the ME60 by using PPPoE dial-up. The device connected to the ME60 is a router that supports dial-up.
- The IP address of the virtual template (VT) interface on the ME60 is 174.100.1.1.
- RADIUS authentication and RADIUS accounting are adopted. The IP address of the RADIUS server is 192.168.7.249 and the ports for authentication and accounting are 1645 and 1646 respectively. The protocol is RADIUS+1.1 and the key is itellin.
- The IP address of the DNS server is 192.168.7.252.
- The network side interface is GE7/0/1.

Networking Diagram
Figure 5-14 Networking diagram of PPPoE leased line access (figure not reproduced): subscriber@isp1 -> Router -> ME60 GE8/0/1; ME60 GE7/0/1 (192.168.7.1) -> Internet; DNS server 192.168.7.252 and RADIUS server 192.168.7.249 on the network side.

Configuration Procedure
1. Configure a VT interface.
<Quidway> system-view
[Quidway] interface Virtual-Template 1
[Quidway-Virtual-Template1] ppp authentication-mode chap
[Quidway-Virtual-Template1] ip address 174.100.1.1 255.255.255.0
[Quidway-Virtual-Template1] quit
2. Configure the authentication scheme.
[Quidway] aaa
[Quidway-aaa] authentication-scheme auth1
[Quidway-aaa-authen-auth1] authentication-mode radius
[Quidway-aaa-authen-auth1] quit
3. Configure the accounting scheme.
[Quidway-aaa] accounting-scheme acct1
[Quidway-aaa-accounting-acct1] accounting-mode radius
[Quidway-aaa-accounting-acct1] quit
[Quidway-aaa] quit
4. Configure the RADIUS server group.
[Quidway] radius-server group rd1
[Quidway-radius-rd1] radius-server authentication 192.168.7.249 1645
[Quidway-radius-rd1] radius-server accounting 192.168.7.249 1646
[Quidway-radius-rd1] radius-server type plus11
[Quidway-radius-rd1] radius-server shared-key itellin
[Quidway-radius-rd1] quit
5. Configure the address pool.
[Quidway] ip pool pool1 local
[Quidway-ip-pool-pool1] gateway 172.82.0.1 255.255.255.0
[Quidway-ip-pool-pool1] section 0 172.82.0.2 172.82.0.200
[Quidway-ip-pool-pool1] dns-server 192.168.7.252
[Quidway-ip-pool-pool1] quit
6. Configure domain isp1.
[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme auth1
[Quidway-aaa-domain-isp1] accounting-scheme acct1
[Quidway-aaa-domain-isp1] radius-server group rd1
[Quidway-aaa-domain-isp1] virtual-template 1
[Quidway-aaa-domain-isp1] ip-pool pool1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit
7. Specify the VT interface for the access interface.
[Quidway] interface GigabitEthernet 8/0/1
[Quidway-GigabitEthernet8/0/1] pppoe-server bind virtual-template 1
8. Configure the BAS interface.
[Quidway-GigabitEthernet8/0/1] bas
[Quidway-GigabitEthernet8/0/1-bas] access-type layer2-subscriber
[Quidway-GigabitEthernet8/0/1-bas] authentication-method ppp
[Quidway-GigabitEthernet8/0/1-bas] quit
[Quidway-GigabitEthernet8/0/1] quit
9. Configure the uplink interface.
[Quidway] interface GigabitEthernet 7/0/1
[Quidway-GigabitEthernet7/0/1] ip address 192.168.7.1 255.255.255.0
[Quidway-GigabitEthernet7/0/1] quit
10. Configure the routing protocol.
[Quidway] rip
[Quidway-rip-1] version 2
[Quidway-rip-1] network 174.100.0.0

Configuration Files
#
 sysname Quidway
#
radius-server group rd1
 radius-server authentication 192.168.7.249 1645 weight 0
 radius-server accounting 192.168.7.249 1646 weight 0
 radius-server shared-key itellin
 radius-server type plus11
 radius-server traffic-unit kbyte
#
interface Virtual-Template1
 ip address 174.100.1.1 255.255.255.0
#
interface GigabitEthernet8/0/1
 pppoe-server bind Virtual-Template 1
 bas
  access-type layer2-subscriber
  authentication-method ppp
#
interface GigabitEthernet7/0/1
 ip address 192.168.7.1 255.255.255.0
#
ip pool pool1 local
 gateway 172.82.0.1 255.255.255.0
 section 0 172.82.0.2 172.82.0.200
 dns-server 192.168.7.252
#
rip 1
 version 2
 network 174.100.0.0
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain default0
 domain default1
 domain default_admin
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group rd1
  virtual-template 1
  ip-pool pool1
#
return


5.15.6 Example for Configuring the PPPoEoVLAN Access Service


Networking Requirements
As shown in Figure 5-15, the networking requirements are as follows:
- The user belongs to domain isp1 and connects to GE8/0/1.1 of the ME60 through PPPoEoVLAN. The LAN switch tags user packets with VLAN 1 and VLAN 2.
- RADIUS authentication and RADIUS accounting are adopted.
- The IP address of the RADIUS server is 192.168.7.249 and the ports for authentication and accounting are 1645 and 1646 respectively. The protocol is RADIUS+1.1 and the key is itellin.
- The IP address of the DNS server is 192.168.7.252.
- The network side interface is GE7/0/1.


Networking Diagram
Figure 5-15 Networking of the PPPoEoVLAN access service (figure not reproduced): subscriber1@isp1 (VLAN 1) and subscriber2@isp1 (VLAN 2) -> ME60 GE8/0/1.1; ME60 GE7/0/1 (192.168.7.1) -> Internet; DNS server 192.168.7.252 and RADIUS server 192.168.7.249 on the network side.

Configuration Procedure
1. Configure a VT interface.
<Quidway> system-view
[Quidway] interface Virtual-Template 1
[Quidway-Virtual-Template1] ppp authentication-mode chap
[Quidway-Virtual-Template1] quit
2. Configure the authentication scheme.
[Quidway] aaa
[Quidway-aaa] authentication-scheme auth1
[Quidway-aaa-authen-auth1] authentication-mode radius
[Quidway-aaa-authen-auth1] quit
3. Configure the accounting scheme.
[Quidway-aaa] accounting-scheme acct1
[Quidway-aaa-accounting-acct1] accounting-mode radius
[Quidway-aaa-accounting-acct1] quit
[Quidway-aaa] quit
4. Configure the RADIUS server group.
[Quidway] radius-server group rd1
[Quidway-radius-rd1] radius-server authentication 192.168.7.249 1645
[Quidway-radius-rd1] radius-server accounting 192.168.7.249 1646
[Quidway-radius-rd1] radius-server type plus11
[Quidway-radius-rd1] radius-server shared-key itellin
[Quidway-radius-rd1] quit
5. Configure the address pool.
[Quidway] ip pool pool1 local
[Quidway-ip-pool-pool1] gateway 172.82.0.1 255.255.255.0
[Quidway-ip-pool-pool1] section 0 172.82.0.2 172.82.0.200
[Quidway-ip-pool-pool1] dns-server 192.168.7.252
[Quidway-ip-pool-pool1] quit
6. Configure domain isp1.
[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme auth1
[Quidway-aaa-domain-isp1] accounting-scheme acct1
[Quidway-aaa-domain-isp1] radius-server group rd1
[Quidway-aaa-domain-isp1] ip-pool pool1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit
7. Bind the sub-interface to the virtual template interface.
[Quidway] interface GigabitEthernet 8/0/1.1
[Quidway-GigabitEthernet8/0/1.1] user-vlan 1 2
[Quidway-GigabitEthernet8/0/1.1-vlan-1-2] quit
[Quidway-GigabitEthernet8/0/1.1] pppoe-server bind virtual-template 1
8. Configure the BAS interface.
[Quidway-GigabitEthernet8/0/1.1] bas
[Quidway-GigabitEthernet8/0/1.1-bas] access-type layer2-subscriber
[Quidway-GigabitEthernet8/0/1.1-bas] authentication-method ppp
[Quidway-GigabitEthernet8/0/1.1-bas] quit
[Quidway-GigabitEthernet8/0/1.1] quit
9. Configure the uplink interface.
[Quidway] interface GigabitEthernet 7/0/1
[Quidway-GigabitEthernet7/0/1] ip address 192.168.7.1 255.255.255.0

Configuration Files
#
 sysname Quidway
#
radius-server group rd1
 radius-server authentication 192.168.7.249 1645 weight 0
 radius-server accounting 192.168.7.249 1646 weight 0
 radius-server shared-key itellin
 radius-server type plus11
 radius-server traffic-unit kbyte
#
interface Virtual-Template1
#
interface GigabitEthernet8/0/1
#
interface GigabitEthernet8/0/1.1
 pppoe-server bind Virtual-Template 1
 user-vlan 1 2
 bas
  access-type layer2-subscriber
  authentication-method ppp
#
interface GigabitEthernet7/0/1
 ip address 192.168.7.1 255.255.255.0
#
ip pool pool1 local
 gateway 172.82.0.1 255.255.255.0
 section 0 172.82.0.2 172.82.0.200
 dns-server 192.168.7.252
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain default0
 domain default1
 domain default_admin
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group rd1
  ip-pool pool1
#
return

5.15.7 Example for Configuring the PPPoEoQ Access Service


Networking Requirements
As shown in Figure 5-16, the networking requirements are as follows:
- The user accesses GE8/0/8.2 of the ME60 through common PPPoEoQ. LAN Switch 1 tags the user packets with VLAN 1 and VLAN 2. LAN Switch 2 tags the user packets with QinQ 100.
- The user is a VPN user and belongs to VPN instance vpn2. RADIUS authentication and RADIUS accounting are adopted. The IP address of the RADIUS server is 192.168.7.249. The authentication port number is 1812 and the accounting port number is 1813. The standard RADIUS protocol is adopted. The shared key is itellin.
- The IP address of the DNS server is 192.168.7.252.

Networking Diagram
Figure 5-16 Networking of the PPPoEoQ access service (figure not reproduced): user1@isp1 and user2@isp1 -> LAN Switch 1 -> LAN Switch 2 -> ME60 GE8/0/8.2; ME60 GE7/0/1 (192.168.7.1) on the network side, with DNS server 192.168.7.252 and RADIUS server 192.168.7.249.

Configuration Procedure
1. Configure the VPN instance.
<Quidway> system-view
[Quidway] ip vpn-instance vpn2
[Quidway-vpn-instance-vpn2] route-distinguisher 200:2
[Quidway-vpn-instance-vpn2] vpn-target 200:2 both
[Quidway-vpn-instance-vpn2] quit
2. Configure a VT interface.
[Quidway] interface Virtual-Template 1
[Quidway-Virtual-Template1] ppp authentication-mode chap
[Quidway-Virtual-Template1] quit
3. Configure the authentication scheme.
[Quidway] aaa
[Quidway-aaa] authentication-scheme auth1
[Quidway-aaa-authen-auth1] authentication-mode radius
[Quidway-aaa-authen-auth1] quit
4. Configure the accounting scheme.
[Quidway-aaa] accounting-scheme acct1
[Quidway-aaa-accounting-acct1] accounting-mode radius
[Quidway-aaa-accounting-acct1] quit
[Quidway-aaa] quit
5. Configure the RADIUS server group.
[Quidway] radius-server group rd1
[Quidway-radius-rd1] radius-server authentication 192.168.7.249 1812
[Quidway-radius-rd1] radius-server accounting 192.168.7.249 1813
[Quidway-radius-rd1] radius-server shared-key itellin
[Quidway-radius-rd1] quit
6. Configure the address pool.
[Quidway] ip pool pool1 local
[Quidway-ip-pool-pool1] gateway 172.82.0.1 255.255.255.0
[Quidway-ip-pool-pool1] section 0 172.82.0.2 172.82.0.200
[Quidway-ip-pool-pool1] dns-server 192.168.7.252
[Quidway-ip-pool-pool1] vpn-instance vpn2
[Quidway-ip-pool-pool1] quit
7. Configure domain isp1.
[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme auth1
[Quidway-aaa-domain-isp1] accounting-scheme acct1
[Quidway-aaa-domain-isp1] radius-server group rd1
[Quidway-aaa-domain-isp1] ip-pool pool1
[Quidway-aaa-domain-isp1] vpn-instance vpn2
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit
8. Configure the Ethernet interface.
# Specify the virtual template interface for the sub-interface.
[Quidway] interface GigabitEthernet 8/0/8.2
[Quidway-GigabitEthernet8/0/8.2] pppoe-server bind virtual-template 1
# Configure the user VLAN.
[Quidway-GigabitEthernet8/0/8.2] user-vlan 1 2 qinq 100
[Quidway-GigabitEthernet8/0/8.2-vlan-1-2-QinQ-100] quit
# Configure the BAS interface.
[Quidway-GigabitEthernet8/0/8.2] bas
[Quidway-GigabitEthernet8/0/8.2-bas] access-type layer2-subscriber
[Quidway-GigabitEthernet8/0/8.2-bas] authentication-method ppp
[Quidway-GigabitEthernet8/0/8.2-bas] vpn-instance vpn2
[Quidway-GigabitEthernet8/0/8.2-bas] quit
[Quidway-GigabitEthernet8/0/8.2] quit
9. Configure the uplink interface.
[Quidway] interface GigabitEthernet 7/0/1
[Quidway-GigabitEthernet7/0/1] ip address 192.168.7.1 255.255.255.0
[Quidway-GigabitEthernet7/0/1] ip binding vpn-instance vpn2

Configuration Files
#
 sysname Quidway
#
ip vpn-instance vpn2
 route-distinguisher 200:2
 vpn-target 200:2 export-extcommunity
 vpn-target 200:2 import-extcommunity
#
radius-server group rd1
 radius-server authentication 192.168.7.249 1812 weight 0
 radius-server accounting 192.168.7.249 1813 weight 0
 radius-server shared-key itellin
#
interface Virtual-Template1
#
interface GigabitEthernet8/0/8
#
interface GigabitEthernet8/0/8.2
 pppoe-server bind Virtual-Template 1
 user-vlan 1 2 qinq 100
 bas
  access-type layer2-subscriber
  vpn-instance vpn2
  authentication-method ppp
#
interface GigabitEthernet7/0/1
 ip address 192.168.7.1 255.255.255.0
 ip binding vpn-instance vpn2
#
ip pool pool1 local
 vpn-instance vpn2
 gateway 172.82.0.1 255.255.255.0
 section 0 172.82.0.2 172.82.0.200
 dns-server 192.168.7.252
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain default0
 domain default1
 domain default_admin
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group rd1
  vpn-instance vpn2
  ip-pool pool1
#
return

5.15.8 Example for Configuring the 802.1X Access Service


Networking Requirements
As shown in Figure 5-17, the networking requirements are as follows:
- The user belongs to domain isp4 and accesses GE1/0/2 of the ME60 through 802.1X.
- RADIUS authentication and RADIUS accounting are adopted.
- The IP address of the RADIUS server is 192.168.7.249 and the ports for authentication and accounting are 1645 and 1646 respectively. The protocol is RADIUS+1.1 and the key is itellin.
- The IP address of the DNS server is 192.168.7.252.
- The network side interface is GE2/0/1.


Networking Diagram
Figure 5-17 Networking of the 802.1X access service (figure not reproduced): subscriber@isp4 -> Access Network -> ME60 GE1/0/2; ME60 GE2/0/1 (192.168.7.1) -> Internet; DNS server 192.168.7.252 and RADIUS server 192.168.7.249 on the network side.

Configuration Procedure
1. Configure the 802.1X template.
<Quidway> system-view
[Quidway] dot1x-template 4
[Quidway-dot1x-template-4] authentication timeout 20
[Quidway-dot1x-template-4] request interval 20 retransmit 3
[Quidway-dot1x-template-4] reauthentication interval 1800
[Quidway-dot1x-template-4] keepalive interval 15 retransmit 2
[Quidway-dot1x-template-4] eap-end chap
[Quidway-dot1x-template-4] quit
2. Configure the authentication scheme.
[Quidway] aaa
[Quidway-aaa] authentication-scheme auth4
[Quidway-aaa-authen-auth4] authentication-mode radius
[Quidway-aaa-authen-auth4] quit
3. Configure the accounting scheme.
[Quidway-aaa] accounting-scheme acct4
[Quidway-aaa-accounting-acct4] accounting-mode radius
[Quidway-aaa-accounting-acct4] quit
[Quidway-aaa] quit
4. Configure the RADIUS server group.
[Quidway] radius-server group rd4
[Quidway-radius-rd4] radius-server authentication 192.168.7.249 1645
[Quidway-radius-rd4] radius-server accounting 192.168.7.249 1646
[Quidway-radius-rd4] radius-server type plus11
[Quidway-radius-rd4] radius-server shared-key itellin
[Quidway-radius-rd4] quit
5. Configure the address pool.
[Quidway] ip pool pool4 local
[Quidway-ip-pool-pool4] gateway 172.82.1.1 255.255.255.0
[Quidway-ip-pool-pool4] section 0 172.82.1.2 172.82.1.200
[Quidway-ip-pool-pool4] dns-server 192.168.7.252
[Quidway-ip-pool-pool4] quit
6. Configure domain isp4.
[Quidway] aaa
[Quidway-aaa] domain isp4
[Quidway-aaa-domain-isp4] authentication-scheme auth4
[Quidway-aaa-domain-isp4] accounting-scheme acct4
[Quidway-aaa-domain-isp4] radius-server group rd4
[Quidway-aaa-domain-isp4] ip-pool pool4
[Quidway-aaa-domain-isp4] dot1x-template 4
[Quidway-aaa-domain-isp4] service-type hsi
[Quidway-aaa-domain-isp4] quit
[Quidway-aaa] quit
7. Configure the BAS interface.
[Quidway] interface GigabitEthernet 1/0/2
[Quidway-GigabitEthernet1/0/2] bas
[Quidway-GigabitEthernet1/0/2-bas] access-type layer2-subscriber
[Quidway-GigabitEthernet1/0/2-bas] authentication-method dot1x
[Quidway-GigabitEthernet1/0/2-bas] quit
[Quidway-GigabitEthernet1/0/2] quit
8. Configure the uplink interface.
[Quidway] interface GigabitEthernet 2/0/1
[Quidway-GigabitEthernet2/0/1] ip address 192.168.7.1 255.255.255.0
[Quidway-GigabitEthernet2/0/1] quit

Configuration Files
#
 sysname Quidway
#
radius-server group rd4
 radius-server authentication 192.168.7.249 1645 weight 0
 radius-server accounting 192.168.7.249 1646 weight 0
 radius-server shared-key itellin
 radius-server type plus11
 radius-server traffic-unit kbyte
#
interface GigabitEthernet1/0/2
 bas
  access-type layer2-subscriber
  authentication-method dot1x
#
interface GigabitEthernet2/0/1
 ip address 192.168.7.1 255.255.255.0
#
ip pool pool4 local
 gateway 172.82.1.1 255.255.255.0
 section 0 172.82.1.2 172.82.1.200
 dns-server 192.168.7.252
#
dot1x-template 4
 authentication timeout 20
 request retransmit 3 interval 20
 reauthentication interval 1800
 keepalive retransmit 2 interval 15
 eap-end chap
#
aaa
 authentication-scheme auth4
 accounting-scheme acct4
 domain default0
 domain default1
 domain default_admin
 domain isp4
  authentication-scheme auth4
  accounting-scheme acct4
  service-type hsi
  radius-server group rd4
  dot1x-template 4
  ip-pool pool4
#
return
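ppp authentication-mode chap on the VT interfaces of the PPPoE examples (5.15.5 to 5.15.7) and eap-end chap in the 802.1X template above both come down to the same computation: the peer proves it knows the password by returning MD5(Identifier || secret || Challenge). RFC 1994 defines it for CHAP and RFC 3748 section 5.4 for EAP-MD5, which is why a BRAS that terminates EAP can pass the result to RADIUS in CHAP form. The Python script below is an added example, not part of this guide and not Huawei code. It plays both ends of the exchange, frames the EAP Response/MD5-Challenge as a supplicant would, and shows two properties worth keeping in mind when choosing these modes: a captured response cannot be replayed against a fresh challenge, but the same capture allows an offline dictionary attack on a weak password, so the secrets and the path to the RADIUS server still need protecting. The user name, password and wordlist (subscriber@isp1, s3cret-pw) are constructed for the example.

```python
"""CHAP (RFC 1994) and EAP-MD5 (RFC 3748 s5.4) challenge/response, both sides.
Added example (not Huawei code); names, secrets and the wordlist are constructed."""
import hashlib
import hmac
import os
import struct

EAP_RESPONSE, EAP_TYPE_MD5 = 2, 4


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Value = MD5(Identifier || secret || Challenge), shared by CHAP and EAP-MD5."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Server side (the ME60 end of the PPP link, or the EAP terminator).
    Every challenge is random and consumed on first use."""

    def __init__(self, users: dict):
        self.users, self.ident, self.pending = users, 0, {}

    def challenge(self):
        self.ident = (self.ident + 1) & 0xFF          # 8-bit Identifier wraps
        chal = os.urandom(16)
        self.pending[self.ident] = chal
        return self.ident, chal

    def verify(self, ident: int, name: bytes, response: bytes) -> bool:
        chal = self.pending.pop(ident, None)          # one-shot: a replay finds nothing
        secret = self.users.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, chal), response)


def eap_md5_response(ident: int, secret: bytes, challenge: bytes, name: bytes) -> bytes:
    """Supplicant's EAP Response/MD5-Challenge: Code, Id, Length, Type, Value-Size, Value, Name."""
    value = chap_response(ident, secret, challenge)
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body


def parse_eap_md5_response(pkt: bytes):
    """Returns (ident, value, name): what an EAP terminator hands on as CHAP-Password/User-Name."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != EAP_RESPONSE or length != len(pkt) or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("not an EAP Response/MD5-Challenge")
    size = pkt[5]
    return ident, pkt[6:6 + size], pkt[6 + size:length]


def dictionary_attack(ident: int, challenge: bytes, response: bytes, wordlist):
    """Offline guessing from one captured exchange; the challenge is the only salt."""
    for guess in wordlist:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None


def demo():
    auth = Authenticator({b"subscriber@isp1": b"s3cret-pw"})
    ident, chal = auth.challenge()
    resp = chap_response(ident, b"s3cret-pw", chal)        # the peer answers
    first = auth.verify(ident, b"subscriber@isp1", resp)
    replay = auth.verify(ident, b"subscriber@isp1", resp)  # same response again
    ident2, _ = auth.challenge()
    stale = auth.verify(ident2, b"subscriber@isp1", resp)  # old response, new challenge
    cracked = dictionary_attack(ident, chal, resp, [b"password", b"hello", b"s3cret-pw"])
    return first, replay, stale, cracked


if __name__ == "__main__":
    print(demo())  # (True, False, False, b's3cret-pw')
```

The reauthentication interval 1800 in the 802.1X template simply repeats this exchange with a new challenge every 30 minutes; it does not change the password's exposure to the offline attack shown by dictionary_attack.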


5.15.9 Example for Configuring Ethernet Layer-2 Leased Line Access

Networking Requirements
As shown in Figure 5-18, the networking requirements are as follows:
• The Ethernet layer-2 leased line is connected to GE1/0/7.1 of the ME60.
• The user name of the leased line is layer2lease1@isp1 and the password is hello.
• The VLAN IDs range from 1 to 100.
• The leased line users obtain IP addresses from the ME60 through DHCP.
• RADIUS authentication and RADIUS accounting are adopted. The IP address of the RADIUS server is 192.168.7.249, and the ports for authentication and accounting are 1645 and 1646 respectively. The protocol is RADIUS+1.1 and the key is itellin.
• The IP address of the DNS server is 192.168.7.252.
• The network side interface is GE7/0/1.

Networking Diagram
Figure 5-18 Networking of layer-2 leased line access
[Figure: LAN Switch carrying VLAN1 to VLAN100 -- GE1/0/7.1 -- ME60 -- GE7/0/1 (192.168.7.1) -- Internet; RADIUS Server 192.168.7.249 and DNS Server 192.168.7.252 on the network side]

Configuration Procedure
NOTE
For the configurations of AAA, RADIUS, address pool, domain isp1, and the uplink interface, see "Example for Configuring PPPoE Access Service".

1. Configure the interface.
<Quidway> system-view
[Quidway] interface GigabitEthernet 1/0/7.1
[Quidway-GigabitEthernet1/0/7.1] user-vlan 1 100
[Quidway-GigabitEthernet1/0/7.1-vlan-1-100] quit

CAUTION
If the access interface is an Ethernet sub-interface, you must configure the VLAN. If the access interface is an Ethernet interface, do not configure the VLAN. You can configure multiple VLANs on the layer-2 leased line interface.

2. Configure the BAS interface.
[Quidway-GigabitEthernet1/0/7.1] bas
[Quidway-GigabitEthernet1/0/7.1-bas] access-type layer2-leased-line user-name layer2lease1 hello default-domain authentication isp1
[Quidway-GigabitEthernet1/0/7.1-bas] quit
[Quidway-GigabitEthernet1/0/7.1] quit

Configuration Files
#
 sysname Quidway
#
radius-server group rd1
 radius-server authentication 192.168.7.249 1645 weight 0
 radius-server accounting 192.168.7.249 1646 weight 0
 radius-server shared-key itellin
 radius-server type plus11
 radius-server traffic-unit kbyte
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/7.1
 user-vlan 1 100
 bas
  access-type layer2-leased-line user-name layer2lease1 hello default-domain authentication isp1
#
interface GigabitEthernet7/0/1
 ip address 192.168.7.1 255.255.255.0
#
ip pool pool1 local
 gateway 172.82.0.1 255.255.255.0
 section 0 172.82.0.2 172.82.0.200
 dns-server 192.168.7.252
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain default0
 domain default1
 domain default_admin
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group rd1
  ip-pool pool1
#
return

5.15.10 Example for Configuring Ethernet Layer-3 Leased Line Access

Networking Requirements
As shown in Figure 5-19, the networking requirements are as follows:
• The Ethernet layer-3 leased line is connected to GE1/0/6.1 of the ME60.
• The user name of the leased line is layer3lease1@isp1.
• The network segment for the layer-3 leased line users is 202.17.1.0/24.
• RADIUS authentication and RADIUS accounting are adopted. The IP address of the RADIUS server is 192.168.7.249, and the ports for authentication and accounting are 1645 and 1646 respectively. The protocol is RADIUS+1.1 and the key is itellin.
• The network side interface is GE7/0/1.

Networking Diagram
Figure 5-19 Networking of Ethernet layer-3 leased line access
[Figure: user network 202.17.1.0/24 -- Router (192.168.1.2/24) -- GE1/0/6.1 (192.168.1.1/24) -- ME60 -- GE7/0/1 -- Internet; RADIUS Server 192.168.7.249 on the network side]

Configuration Procedure
NOTE
For the configurations of AAA, RADIUS, address pool, domain isp1, and the uplink interface, see "Example for Configuring PPPoE Access Service".

1. Configure the VLAN.
<Quidway> system-view
[Quidway] interface GigabitEthernet 1/0/6
[Quidway-GigabitEthernet1/0/6] mode user-termination
[Quidway-GigabitEthernet1/0/6] interface GigabitEthernet 1/0/6.1
[Quidway-GigabitEthernet1/0/6.1] control-vid 1 dot1q-termination
[Quidway-GigabitEthernet1/0/6.1] dot1q termination vid 3

CAUTION
If the access interface is an Ethernet sub-interface, you must configure the VLAN. If the access interface is an Ethernet interface, do not configure the VLAN. You can configure only one VLAN on the layer-3 leased line interface.

2. Configure the ARP broadcast function.
[Quidway-GigabitEthernet1/0/6.1] arp broadcast enable

3. Configure the IP address.
[Quidway-GigabitEthernet1/0/6.1] ip address 192.168.1.1 255.255.255.0

4. Configure the BAS interface.
[Quidway-GigabitEthernet1/0/6.1] bas
[Quidway-GigabitEthernet1/0/6.1-bas] access-type layer3-leased-line user-name layer3lease1 hello default-domain authentication isp1
[Quidway-GigabitEthernet1/0/6.1-bas] quit
[Quidway-GigabitEthernet1/0/6.1] quit

5. Configure the static route.
[Quidway] ip route-static 202.17.1.0 255.255.255.0 192.168.1.2

Configuration Files
#
 sysname Quidway
#
radius-server group rd1
 radius-server authentication 192.168.7.249 1645 weight 0
 radius-server accounting 192.168.7.249 1646 weight 0
 radius-server shared-key itellin
 radius-server type plus11
 radius-server traffic-unit kbyte
#
interface GigabitEthernet1/0/6
 mode user-termination
#
interface GigabitEthernet1/0/6.1
 control-vid 1 dot1q-termination
 dot1q termination vid 3
 arp broadcast enable
 ip address 192.168.1.1 255.255.255.0
 bas
  access-type layer3-leased-line user-name layer3lease1 hello default-domain authentication isp1
#
interface GigabitEthernet7/0/1
 ip address 192.168.7.1 255.255.255.0
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain default0
 domain default1
 domain default_admin
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group rd1
#
ip route-static 202.17.1.0 255.255.255.0 192.168.1.2
#
return

5.15.11 Example for Configuring the IPv6 (PPP) Access Service

Networking Requirements
• As shown in Figure 5-20, the user belongs to isp5 and is connected to GE 8/0/3 of the ME60 in ND mode. PPP authentication is used. RADIUS authentication and RADIUS accounting are adopted.
• The address of the RADIUS server is 3001:0410::1:1 and the ports for authentication and accounting are 1645 and 1646 respectively. The protocol is standard RADIUS and the key is hello.
• The address of the DNS server is 3001:0410::1:2.

Networking Diagram
Figure 5-20 Networking of PPP ND access
[Figure: subscriber@isp5 -- Access Network -- GE8/0/3 -- ME60 -- GE7/0/3 -- Internet; DNS server 3001:0410::1:2 and RADIUS server 3001:0410::1:1 on the network side]

Configuration Procedure
1. Enable IPv6 and configure a DNS server.
<Quidway> system-view
[Quidway] ipv6
[Quidway] dns server ipv6 3001:0410::1:2

2. Configure the virtual template interface.
[Quidway] interface Virtual-Template 5
[Quidway-Virtual-Template5] ppp authentication-mode pap
[Quidway-Virtual-Template5] quit

3. Configure the AAA schemes.
# Configure the authentication scheme.
[Quidway] aaa
[Quidway-aaa] authentication-scheme auth5
[Quidway-aaa-authen-auth5] authentication-mode radius
[Quidway-aaa-authen-auth5] quit

# Configure the accounting scheme.
[Quidway-aaa] accounting-scheme acct5
[Quidway-aaa-accounting-acct5] accounting-mode radius
[Quidway-aaa-accounting-acct5] quit
[Quidway-aaa] quit

4. Configure the RADIUS server group.
[Quidway] radius-server group rd5
[Quidway-radius-rd5] radius-server authentication 3001:0410::1:1 1645
[Quidway-radius-rd5] radius-server accounting 3001:0410::1:1 1646
[Quidway-radius-rd5] radius-server type standard
[Quidway-radius-rd5] radius-server shared-key hello
[Quidway-radius-rd5] quit

5. Configure the IPv6 address prefix.
[Quidway] ipv6 prefix prefix5
[Quidway-ipv6-user-prefix-prefix5] prefix 2001:0410::0:1/64
[Quidway-ipv6-user-prefix-prefix5] quit

6. Configure domain isp5.
[Quidway] aaa
[Quidway-aaa] domain isp5
[Quidway-aaa-domain-isp5] authentication-scheme auth5
[Quidway-aaa-domain-isp5] accounting-scheme acct5
[Quidway-aaa-domain-isp5] radius-server group rd5
[Quidway-aaa-domain-isp5] prefix prefix5
[Quidway-aaa-domain-isp5] quit
[Quidway-aaa] quit

7. Configure the related interfaces.
# Enable the IPv6 function and specify the virtual template for the interface.
[Quidway] interface GigabitEthernet 8/0/3
[Quidway-GigabitEthernet8/0/3] pppoe-server bind virtual-template 5
[Quidway-GigabitEthernet8/0/3] ipv6 enable
[Quidway-GigabitEthernet8/0/3] ipv6 address auto link-local

# Configure the BAS interface.
[Quidway-GigabitEthernet8/0/3] bas
[Quidway-GigabitEthernet8/0/3-bas] access-type layer2-subscriber
[Quidway-GigabitEthernet8/0/3-bas] authentication-method ppp
[Quidway-GigabitEthernet8/0/3-bas] quit
[Quidway-GigabitEthernet8/0/3] quit

# Configure the uplink interface.
[Quidway] interface GigabitEthernet 7/0/3
[Quidway-GigabitEthernet7/0/3] ipv6 enable
[Quidway-GigabitEthernet7/0/3] ipv6 address auto link-local
[Quidway-GigabitEthernet7/0/3] ipv6 address 2001::/64 eui-64
[Quidway-GigabitEthernet7/0/3] ipv6 address 3001::1/64

Configuration Files
#
 sysname Quidway
#
ipv6
#
dns server ipv6 3001:410::1:2
#
radius-server group rd5
 radius-server authentication 3001:410::1:1 1646 weight 0
 radius-server shared-key hello
#
interface Virtual-Template5
 ppp authentication-mode pap
#
interface GigabitEthernet7/0/3
 ipv6 enable
 ipv6 address 2001::/64 eui-64
 ipv6 address 3001::1/64
 ipv6 address auto link-local
#
interface GigabitEthernet8/0/3
 pppoe-server bind Virtual-Template 5
 ipv6 enable
 ipv6 address auto link-local
 bas
  access-type layer2-subscriber
#
ipv6 prefix prefix5
 prefix 2001:410::1/64
#
aaa
 authentication-scheme auth5
 accounting-scheme acct5
 domain isp5
  authentication-scheme auth5
  accounting-scheme acct5
  radius-server group rd5
  prefix prefix5
#
return

5.15.12 Example for Configuring the IPv6 (ND) Access Service

Networking Requirements
• As shown in Figure 5-21, the user belongs to domain isp6 and accesses the ME60 from GE 8/0/6 through ND. Binding authentication is used for the user. RADIUS authentication and RADIUS accounting are adopted.
• The address of the RADIUS server is 3001:0410::1:1 and the ports for authentication and accounting are 1645 and 1646 respectively. The protocol is standard RADIUS and the key is hello.
• The address of the DNS server is 3001:0410::1:2.

Networking Diagram
Figure 5-21 Networking of IPv6 ND access
[Figure: subscriber@isp6 -- Access Network -- GE8/0/6 -- ME60 -- GE7/0/3 -- Internet; DNS server 3001:0410::1:2 and RADIUS server 3001:0410::1:1 on the network side]

Configuration Procedure
1. Enable IPv6 and configure a DNS server.
<Quidway> system-view
[Quidway] ipv6
[Quidway] dns server ipv6 3001:0410::1:2

2. Configure the AAA schemes.
# Configure the authentication scheme.
[Quidway] aaa
[Quidway-aaa] authentication-scheme auth6
[Quidway-aaa-authen-auth6] authentication-mode radius
[Quidway-aaa-authen-auth6] quit

# Configure the accounting scheme.
[Quidway-aaa] accounting-scheme acct6
[Quidway-aaa-accounting-acct6] accounting-mode radius
[Quidway-aaa-accounting-acct6] quit
[Quidway-aaa] quit

3. Configure the RADIUS server group.
[Quidway] radius-server group rd6
[Quidway-radius-rd6] radius-server authentication 3001:0410::1:1 1645
[Quidway-radius-rd6] radius-server accounting 3001:0410::1:1 1646
[Quidway-radius-rd6] radius-server type standard
[Quidway-radius-rd6] radius-server shared-key hello
[Quidway-radius-rd6] quit

4. Configure the IPv6 address prefix.
[Quidway] ipv6 prefix prefix6
[Quidway-ipv6-user-prefix-prefix6] prefix 4001:0410::0:1/64
[Quidway-ipv6-user-prefix-prefix6] quit

5. Configure domain isp6.
[Quidway] aaa
[Quidway-aaa] domain isp6
[Quidway-aaa-domain-isp6] authentication-scheme auth6
[Quidway-aaa-domain-isp6] accounting-scheme acct6
[Quidway-aaa-domain-isp6] radius-server group rd6
[Quidway-aaa-domain-isp6] prefix prefix6
[Quidway-aaa-domain-isp6] quit
[Quidway-aaa] quit

6. Configure the interface.
# Enable the IPv6 function on the interface.
[Quidway] interface GigabitEthernet 8/0/6
[Quidway-GigabitEthernet8/0/6] ipv6 enable
[Quidway-GigabitEthernet8/0/6] ipv6 address auto link-local

# Configure the BAS interface.
[Quidway-GigabitEthernet8/0/6] bas
[Quidway-GigabitEthernet8/0/6-bas] access-type layer2-subscriber
[Quidway-GigabitEthernet8/0/6-bas] authentication-method bind
[Quidway-GigabitEthernet8/0/6-bas] quit
[Quidway-GigabitEthernet8/0/6] quit

NOTE
If the user sends IPv6 packets to trigger the access process, you need to run the ipv6-trigger command on the BAS interface.

# Configure the uplink interface.
[Quidway] interface GigabitEthernet 7/0/3
[Quidway-GigabitEthernet7/0/3] ipv6 enable
[Quidway-GigabitEthernet7/0/3] ipv6 address auto link-local
[Quidway-GigabitEthernet7/0/3] ipv6 address 4001::/64 eui-64
[Quidway-GigabitEthernet7/0/3] ipv6 address 3001::1/64

Configuration Files
#
 sysname Quidway
#
ipv6
#
dns server ipv6 3001:410::1:2
#
radius-server group rd6
 radius-server authentication 3001:410::1:1 1646 weight 0
 radius-server shared-key hello
#
interface GigabitEthernet7/0/3
 ipv6 enable
 ipv6 address 4001::/64 eui-64
 ipv6 address 3001::1/64
 ipv6 address auto link-local
#
interface GigabitEthernet8/0/6
 ipv6 enable
 ipv6 address auto link-local
 bas
  access-type layer2-subscriber
  authentication-method bind
#
ipv6 prefix prefix6
 prefix 4001:410::1/64
#
aaa
 authentication-scheme auth6
 accounting-scheme acct6
 domain isp6
  authentication-scheme auth6
  accounting-scheme acct6
  radius-server group rd6
  prefix prefix6
#
return


6 VAS Configuration

About This Chapter
This chapter describes the concept and rationale of the value-added service and the configurations of the COPS server, service policy, DSG service, CIPN service, and SIG. This chapter also provides several configuration examples.

6.1 Introduction
This section describes the concept of the value-added service.
6.2 Configuring the COPS Server
This section describes the procedure for configuring the COPS server.
6.3 Configuring the Value-added Service Policy
This section describes the procedure for configuring the value-added service policy.
6.4 Configuring the DSG Service
This section describes the procedure for configuring the DSG service.
6.5 Configuring the DAA Service
This section describes the procedure for configuring the DAA service.
6.6 Configuring the CIPN Service
This section describes the procedure for configuring the CIPN service.
6.7 Configuring the SIG Service
This section describes the procedure for configuring the SIG service.
6.8 Maintaining VASs
This section provides the commands for displaying VAS information and debugging VASs.
6.9 Configuration Examples
This section provides several configuration examples of value-added services.


6.1 Introduction
This section describes the concept of the value-added service.
6.1.1 Service Overview
6.1.2 Overview of COPS
6.1.3 Overview of the DSG Service
6.1.4 Overview of the DAA Service
6.1.5 Overview of the CIPN Service
6.1.6 Overview of the SIG Service
6.1.7 References

6.1.1 Service Overview


On the ME60, services are classified into access services and value-added services.

Access Service
The access service provides the basic capability of network access. When users use the access service, the carrier needs to conduct user-based accounting according to the traffic or duration. The policy (such as access right, bandwidth, QoS, and idle-cut) of the access service is usually configured for the users in the domain. In the operation of access services, the ME60 functions as the BRAS and connects users to the carrier's network. The RADIUS server delivers the access service policy to the ME60.

Value-added Service
A value-added service (VAS), such as VoD, gaming, and triple play, is selected by the user when the user logs in to the portal server of the carrier. The value-added services can bring persistent profit for carriers. When users use the value-added service, the carrier can conduct accounting for differentiated services according to the traffic or durations of the services. You can configure the service policy for each value-added service. In the value-added service, the ME60 functions as a BRAS and a Dynamic Service Gateway (DSG), which connects users to a service server and controls the service based on the service flow. The value-added services are deployed based on the access service. When a user logs in, the RADIUS server delivers the access service policy for the user. The policy needs to be modified dynamically when the user uses the value-added service. Generally, the common open policy service (COPS) server delivers the policy of value-added service to the ME60. If the Change of Authorization (CoA) message is supported by the RADIUS server, the RADIUS server can modify the value-added service policy by delivering the CoA message.

NOTE
• The COPS server can deliver either a VAS policy or the name of a VAS policy. If the COPS server delivers only the name of a VAS policy, you need to configure the VAS policy on the ME60.
• The RADIUS server can deliver only the name of a VAS policy; therefore, you need to configure the VAS policy on the ME60.

In actual applications, the ME60 supports three types of VASs: DSG, Carrier IP Network (CIPN), and Safe Immunity Gateway (SIG).

6.1.2 Overview of COPS


COPS Definition
The COPS protocol (RFC 2748) is a simple application layer protocol, which is based on the query/response mode. This protocol is used to exchange policies between the policy server and the client. In the COPS protocol, the policy server is also called the policy decision point (PDP) and the policy client is also called the policy enforcement point (PEP).

Features of COPS
The COPS protocol has the following features:
1. Client/server model. The PEP sends request, update, and deletion messages to the PDP, and the PDP returns its decisions to the PEP.
2. TCP as the transport protocol. Because the TCP connection is reliable, COPS requires no additional mechanism to ensure reliable message delivery.
3. Self-identifying objects. COPS uses a self-identifying object structure similar to RADIUS attributes, so it can carry the information of various kinds of clients.
4. Message-level security. The COPS protocol provides a message-level security mechanism for authentication, replay protection, and message integrity. COPS can also use an existing security protocol (such as IPSec) to protect the communication between the PEP and the PDP.
5. Stateful operation. The requests (possibly of different types) that the PDP receives from the PEP are installed (saved); their state is removed only after the PDP receives a cancellation from the PEP. The decisions returned by the PDP depend on the installed request/decision state.
6. Configurable client. COPS enables the server to configure the client. When the configuration information is no longer required, the configuration can be removed.

COPS Message Format
A COPS message consists of the COPS header followed by a series of typed objects (similar to RADIUS AVPs). Figure 6-1 shows the structure of a COPS message.

Figure 6-1 COPS message structure
 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
+-------+-------+---------------+-------------------------------+
|Version| Flag  |    Op Code    |          Client-Type          |
+-------+-------+---------------+-------------------------------+
|                        Message Length                         |
+---------------------------------------------------------------+
|                      Typed Object ......                      |
+---------------------------------------------------------------+

• Version: indicates the version of the COPS protocol. Currently, the version is 1.
• Flag: indicates whether the message is solicited by another COPS message. 1 means solicited and 0 means not solicited.
• Op Code: indicates the operation type of COPS. 1 refers to a request and 2 refers to a decision.
• Client-Type: indicates the client type. It depends on the application scenario of COPS. On the ME60, the clients are classified into DSG, SIG, CIPN-E4P, and CIPN-IAP.
• Message Length: indicates the length of the entire message, including the header and the objects.
• Typed Object: indicates a typed object. Figure 6-2 shows the structure of a COPS object.

Figure 6-2 COPS object structure
 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
+-------------------------------+---------------+---------------+
|            Length             |     C-Num     |    C-Type     |
+-------------------------------+---------------+---------------+
|                     Object contents ......                    |
+---------------------------------------------------------------+

• Length: indicates the length of the object.
• C-Num: indicates the class of information in the object.
• C-Type: indicates the subtype or version of the information in the object.
• Object contents: indicates the content of the object.
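The header and object layout described above, as an added Python example that is not the ME60's or any COPS server's code: an encoder and a parser for the 8-byte header and the 4-byte-aligned typed objects, with the sample Client-Type value and object contents constructed for illustration (Op Code and C-Num numbers are those of RFC 2748). The parser treats every on-wire length field as untrusted input and rejects a message whose Message Length or object Length runs past the bytes actually received.

```python
# Parser and encoder for the COPS (RFC 2748) message and object layout.
# Added example, not ME60 or COPS-server code. Client-Type and object contents
# below are constructed; Op Code and C-Num values are those of RFC 2748.
import struct
from dataclasses import dataclass, field
from typing import List

COPS_VERSION = 1
FLAG_SOLICITED = 0x1      # low-order bit of the 4-bit Flags field
HEADER_LEN = 8            # Version/Flags (1), Op Code (1), Client-Type (2), Message Length (4)
OBJECT_HEADER_LEN = 4     # Length (2), C-Num (1), C-Type (1)

# Op Codes from RFC 2748; the text above covers 1 (Request) and 2 (Decision).
OP_CODES = {1: "REQ", 2: "DEC", 3: "RPT", 4: "DRQ", 5: "SSQ",
            6: "OPN", 7: "CAT", 8: "CC", 9: "KA", 10: "SSC"}
# C-Num classes from RFC 2748 used below: Handle, Context, Client Specific Info.
C_NUM_HANDLE, C_NUM_CONTEXT, C_NUM_CLIENTSI = 1, 2, 9


class CopsParseError(ValueError):
    """Raised when a stated length disagrees with the bytes actually received."""


@dataclass
class CopsObject:
    c_num: int
    c_type: int
    contents: bytes


@dataclass
class CopsMessage:
    version: int
    flags: int
    op_code: int
    client_type: int
    objects: List[CopsObject] = field(default_factory=list)

    @property
    def solicited(self) -> bool:
        return bool(self.flags & FLAG_SOLICITED)


def padded_len(length: int) -> int:
    """Round an object length up to the next 32-bit boundary, as receivers must."""
    return (length + 3) & ~3


def build_cops_message(op_code: int, client_type: int, objects: List[CopsObject],
                       solicited: bool = False) -> bytes:
    """Encode: 8-byte header followed by typed objects padded to 4-byte alignment."""
    body = bytearray()
    for obj in objects:
        obj_len = OBJECT_HEADER_LEN + len(obj.contents)   # Length counts the 4-byte header
        body += struct.pack("!HBB", obj_len, obj.c_num, obj.c_type)
        body += obj.contents + b"\x00" * (padded_len(obj_len) - obj_len)
    ver_flags = (COPS_VERSION << 4) | (FLAG_SOLICITED if solicited else 0)
    return struct.pack("!BBHI", ver_flags, op_code, client_type, HEADER_LEN + len(body)) + bytes(body)


def parse_cops_message(data: bytes) -> CopsMessage:
    """Decode a message, rejecting any length field that runs past the received buffer."""
    if len(data) < HEADER_LEN:
        raise CopsParseError("truncated COPS header")
    ver_flags, op_code, client_type, msg_len = struct.unpack("!BBHI", data[:HEADER_LEN])
    version, flags = ver_flags >> 4, ver_flags & 0x0F
    if version != COPS_VERSION:
        raise CopsParseError(f"unsupported COPS version {version}")
    if op_code not in OP_CODES:
        raise CopsParseError(f"unknown Op Code {op_code}")
    # The on-wire Message Length comes from the peer: bound it by what was received.
    if msg_len < HEADER_LEN or msg_len > len(data) or msg_len % 4:
        raise CopsParseError(f"bad Message Length {msg_len} for {len(data)} received bytes")
    msg = CopsMessage(version, flags, op_code, client_type)
    offset = HEADER_LEN
    while offset < msg_len:
        if msg_len - offset < OBJECT_HEADER_LEN:
            raise CopsParseError(f"truncated object header at offset {offset}")
        obj_len, c_num, c_type = struct.unpack("!HBB", data[offset:offset + OBJECT_HEADER_LEN])
        # A Length below 4 would never advance the loop; one past msg_len would over-read.
        if obj_len < OBJECT_HEADER_LEN or offset + padded_len(obj_len) > msg_len:
            raise CopsParseError(f"object at offset {offset} declares length {obj_len}")
        contents = bytes(data[offset + OBJECT_HEADER_LEN:offset + obj_len])
        msg.objects.append(CopsObject(c_num, c_type, contents))
        offset += padded_len(obj_len)
    return msg


# Constructed sample: a Request from a PEP with a made-up Client-Type, carrying a
# Handle, a Context (R-Type 0x0008 = configuration request, M-Type 0) and a
# Client Specific Info object whose 5-byte payload needs 3 bytes of padding.
SAMPLE_CLIENT_TYPE = 0x8001   # constructed value, not an ME60 client type
SAMPLE_REQUEST = build_cops_message(1, SAMPLE_CLIENT_TYPE, [
    CopsObject(C_NUM_HANDLE, 1, b"\x00\x00\x00\x2a"),
    CopsObject(C_NUM_CONTEXT, 1, b"\x00\x08\x00\x00"),
    CopsObject(C_NUM_CLIENTSI, 1, b"user1"),
])

if __name__ == "__main__":
    msg = parse_cops_message(SAMPLE_REQUEST)
    print(OP_CODES[msg.op_code], len(SAMPLE_REQUEST), [o.c_num for o in msg.objects])
```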

Functions of COPS for VASs


For VASs, COPS is used to exchange the policies between the COPS server and the ME60. The COPS server receives the service information from the portal server, determines the service policies, and delivers the policies to the ME60 through the COPS protocol.

6.1.3 Overview of the DSG Service


The DSG service enables a user to customize the value-added service on the portal server. The ME60 performs accounting and controls services based on the service flow by using the policies delivered by the policy server (namely, the COPS server and the RADIUS server). Figure 6-3 shows a networking model of the DSG access.

Figure 6-3 Networking model of the DSG service
[Figure: subscribers -- DSLAM / LAN Switch -- ME60 -- Internet; the ME60 is connected to the COPS server, Portal server, RADIUS server and DNS server]

Figure 6-4 shows the DSG service flowchart.

Figure 6-4 DSG service flowchart
[Figure: message sequence among the subscriber, ME60, RADIUS server, COPS server, Portal server and Service server, steps (1) to (20) as listed below, grouped into the access service phase and the value-added service phase]

The process of the DSG service is as follows:
1. The user initiates an access request to the ME60 through PPP dial-up, IP packets, or DHCP packets.
2. The ME60 responds to the request and asks the user to enter the user name and the password.
3. The user enters the user name and the password, and then submits them to the ME60.
4. The ME60 sends the user name and the password to the RADIUS server for authentication.
5. The RADIUS server returns the authentication result and the access service policy to the ME60 (assuming the user passes the authentication). If a VAS policy is configured in the user domain, the ME60 activates the default VAS automatically.
6. The ME60 requests the auto-activated service of the user from the policy server.
7. The policy server delivers the auto-activated service of the user.
8. The user logs in to the portal server and selects a value-added service.
9. The portal server sends the message related to the service use to the policy server.
10. The portal server sends the message related to the service use to the service server.
11. The policy server customizes the service policy according to the service information and the user information, and then delivers it to the ME60.
12. The user uses the value-added service and accesses the value-added service server. The ME60 controls the service according to the service policy.
13. The ME60 sends the accounting request to the policy server.
14. The policy server responds to the accounting request.
15. The user logs in to the portal server and stops the value-added service.
16. The portal server sends the service stop message to the policy server.
17. The portal server sends the service stop message to the service server.
18. The policy server delivers the service stop message to the ME60.
19. The ME60 sends the stop accounting request to the policy server.
20. The policy server responds to the stop accounting request.

The preceding process describes only the principle of the service. The actual service process may be more complicated or may differ from this process, and is not described here.

6.1.4 Overview of the DAA Service

The ME60 supports Destination Address Accounting (DAA). By collecting traffic statistics per destination network, such as the national network, international network, local network, and long-distance network, the ME60 performs accounting at different charge rates through DAA. DAA is classified into basic DAA and dynamic DAA.
• Basic DAA is implemented by binding the DAA policy name to a domain.
• Dynamic DAA is implemented by having the COPS server or RADIUS server deliver the policy name.

Figure 6-5 shows the basic networking diagram of the DAA.

Figure 6-5 Basic networking diagram of DAA
[Figure: subscribers -- DSLAM / LAN Switch -- ME60 -- Internet; the ME60 is connected to the COPS server, Portal server, RADIUS server and DNS server]

The flow of DAA messages is as follows:
1. A user sends an access request to the ME60 in one of several modes (PPP dial-up, IP packet triggering, or DHCP packet triggering).
2. The ME60 responds to the request and asks for the user name and password.
3. The user enters the user name and password, and submits them to the ME60.
4. The ME60 submits the user name and password to the RADIUS server for authentication.
5. The RADIUS server returns the authentication result and access service policies to the ME60 (on the assumption that the authentication succeeds).
6. The ME60 generates the DAA service based on the policy configured in the domain or delivered by the RADIUS server.
7. When the user accesses different network segments, such as network 1 (10.10.0.0/16) and network 2 (100.100.0.0/16), the ME60 collects separate traffic statistics for each network segment and then performs accounting for the traffic at different charge rates according to the configured DAA policy.
8. The ME60 sends accounting information to the RADIUS server.
9. While the user is online, the administrator modifies the bandwidth for a charge rate level of DAA on the RADIUS server, which then sends the new bandwidth value to the ME60.
10. The ME60 updates the bandwidth of the user according to the new bandwidth sent by the RADIUS server.
11. When the user visits the segment, the ME60 uses the new bandwidth to control user access.
12. When the user goes offline, the ME60 deletes the DAA service of the user and notifies the RADIUS server that DAA has stopped.

6.1.5 Overview of the CIPN Service


The carrier IP network (CIPN) carries services, including the VoIP, VoD, BTV, and Internet services, through a unified service portal. The service portal associates users with service providers to control the value chain of telecom services.

The CIPN service processes the user information and service policy separately so that users and services are managed in a consistent manner. In the CIPN service, the ME60 and the resource manager (RM) exchange information through two COPS connections: CIPN-E4P connection and CIPN-IAP connection. The CIPN service is applicable only after the CIPN-E4P and CIPN-IAP connections are set up. Only the RM can deliver the CIPN service policy. The policies delivered by the RM must accurately match the quintuple.

CIPN-E4P Connection
The CIPN-E4P connection is used to exchange information about the physical location of the user between the ME60 and the RM. To receive and control the resources, the RM needs information such as the topology and bandwidth of the bearer network, the physical location of the user, and the bandwidth for the service. After the access authentication, the ME60 needs to report the physical location of the user to the policy server. After the user goes online, the ME60 sends the IP address and user name of the user to the RM so that the RM can identify the user and associate the service layer and bearer layer with the user.

CIPN-IAP Connection
The CIPN-IAP connection is used to exchange information about the service policies between the ME60 and the RM. In the CIPN service, the QoS control policy on the ME60 has the following features:
• The ME60 can dynamically receive and implement the QoS policy delivered by the RM.
• The QoS policy allows multiple flows in a session (identifying a flow by the quintuple).
• The QoS policy supports permit or deny and marking or re-marking behaviors.
• The QoS policy is applicable to upstream and downstream flows.
• The QoS policy is applicable to the packet fragments of the upstream flows.

Figure 6-6 shows the networking of the CIPN service.

Figure 6-6 Networking of the CIPN service
[Figure: STB and PC -- Access Network -- ME60 -- Internet; the ME60 is connected to the Policy Server, the AAA server and the VoIP service]

The process of the CIPN service is as follows:
1. The user initiates an access request to the ME60 either through PPP dial-up or IP packets.
2. The ME60 responds to the request, obtains the user name and password by interacting with the user, and then sends the user name and password to the AAA server for authentication.
3. The AAA server returns the authentication result and the access service policy to the ME60 (assuming the user passes the authentication).
4. The ME60 reports the user information to the CIPN-E4P server.
5. The CIPN-IAP server delivers the service and policy to the user. When the user starts to use the service, the ME60 controls the service according to the service policy.
6. When the user goes offline, the ME60 notifies the CIPN-E4P and CIPN-IAP servers. The servers then delete the user information and the service.

6.1.6 Overview of the SIG Service


The ME60 supports the SIG function. The SIG is deployed at the access layer of a network and checks the security status of network users. Working with the access equipment, the SIG controls the access activities of users according to the access policy to guarantee the availability of the network. With the help of the SIG server, the ME60 can implement the following functions:
• Checking
  - Checking whether the client computer is infected by a worm virus
  - Checking the patch installation on the client computer
• Isolating
  - Isolating a client computer that is infected by a worm virus, to prevent other computers from being infected
  - Isolating a client computer that is not sufficiently secure, to prevent it from being infected by other computers
• Recovering
  - Providing patch installation suggestions to the client computer
  - Providing virus removal and recovery suggestions to the client computer
• Illegal VoIP detecting and blocking

In the networking of the SIG, to protect the network of the carrier or corporation, the SIG is connected to the access device (ME60) and the Safe Immunity Agent (SIA) is installed on the client. In this way, the network security can be evaluated, controlled and recovered. Figure 6-7 shows the networking of the SIG service.

Figure 6-7 Networking of the SIG service (components shown: PC, access network, ME60, SIG with SPS and AVG, Internet)

The process of the SIG service is as follows:
1. When the user goes online, the SIA installed on the computer sends a request to the security policy server (SPS), asking for the version information and the current security status.
2. The SPS sends the necessary information to the SIA, including the knowledge base version for the operating system and software, the SIA software version, the virus engine version, and the virus library version.
3. The SIA checks whether the knowledge base needs to be updated. If so, the SIA requests the latest knowledge base version and installs the patches from the specified website according to the knowledge base information (including the patch list for the operating system and the download website) returned by the SPS.
4. The SIA checks whether the SIA software version, virus engine version, or virus library version needs to be updated. If any of these components needs to be updated, the SIA obtains the update connection from the SPS and updates that component.
5. When the user is connected to the Internet, the SIA checks at fixed intervals whether the computer is infected by a worm virus. Once the computer is infected, the SIA reports an alarm to the SPS. When the SPS receives the alarm, it notifies the BAS (the ME60). The BAS then redirects the user to an optional anti-virus gateway (AVG), which removes the infected packets and forwards the normal packets of the user.
The SIA communicates with the SPS through UDP on port 53. Note that this is the port registered for DNS: any firewall or DNS inspection device on the path between the client and the SPS must allow this traffic, and the port number alone does not distinguish SIA traffic from DNS, so filtering or monitoring rules on that path must be keyed on the SPS address rather than on the port.

6.1.7 References
For more information about COPS, refer to the following document:
• RFC 2748: The COPS (Common Open Policy Service) Protocol (January 2000)

6.2 Configuring the COPS Server


This section describes the procedure for configuring the COPS server.
6.2.1 Establishing the Configuration Task
6.2.2 Configuring the Source Interface of the COPS Server
6.2.3 (Optional) Configuring the Timeout Time of the COPS Open Message
6.2.4 Creating a COPS Server Group
6.2.5 Configuring the COPS Server
6.2.6 (Optional) Configuring the Client Identifier
6.2.7 (Optional) Configuring the Flow Keeping Time
6.2.8 (Optional) Configuring the Shared Key
6.2.9 Activating the COPS Servers
6.2.10 Checking the Configuration

6.2.1 Establishing the Configuration Task


Applicable Environment
To use the COPS server to deliver the policies of value-added services, you need to configure the COPS server on the ME60. The ME60 manages COPS servers through COPS server groups. A COPS server group is a set of COPS servers with the same attributes (except IP addresses, VPN instances, port numbers, and weights). The servers in a COPS group function in load sharing mode.

Pre-configuration Tasks
None.

Data Preparation
To configure the COPS server, you need the following data.
1. Name of the COPS server group
2. IP address, VPN instance (optional), port number, client port number, and weight of the COPS server
3. (Optional) Identifier of the COPS client
4. (Optional) Flow keeping time after the COPS client is disconnected from the server
5. (Optional) Shared key of the COPS servers in the group
6. (Optional) Timeout time of the COPS Open message
7. Source interface through which the ME60 exchanges packets with the COPS server (choose a global source interface or a source interface of the COPS server group according to your requirements)

6.2.2 Configuring the Source Interface of the COPS Server


Context
The source interface of the COPS server is the interface from which the ME60 sends COPS packets to the COPS server. You must configure either the global source interface of the COPS server or the source interface of the COPS server group; otherwise, the COPS connection cannot be established between the ME60 and the COPS server. When exchanging COPS packets with a COPS server, the ME60 uses the source interface of the COPS server group to which the server belongs. If that group has no source interface configured, the ME60 uses the global source interface.
Do as follows on the ME60.

Procedure
• Configuring the global source interface for all the COPS servers
1. Run:
system-view
The system view is displayed.
2. Run:
cops-server source-interface interface-type interface-number
The global source interface for COPS servers is configured.
If the global source interface is modified after the COPS servers have been activated, the modification takes effect only after you run the undo active command and then the active command (see 6.2.9).
By default, the global source interface of COPS servers is not configured.
• Configuring the source interface of a COPS server group
1. Run:
system-view
The system view is displayed.
2. Run:
cops-server group group-name
The COPS server group view is displayed.
3. Run:
cops-group source-interface interface-type interface-number
The source interface of the COPS server group is configured.
If the source interface of the COPS server group is changed after the COPS server group is activated, the change takes effect after you run the undo active and active commands in sequence.
By default, the source interface of the COPS server group is not configured.
----End

6.2.3 (Optional) Configuring the Timeout Time of the COPS Open Message
Context
The timeout time of the Open message refers to the period during which the ME60 waits for a response after it sends an Open message to the COPS server. If the ME60 does not receive a response within the timeout time, it re-sends the Open message.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
cops-server open-timeout time
The timeout time of the COPS Open message is configured.
By default, the timeout time of the Open message is 15 seconds.
----End

6.2.4 Creating a COPS Server Group


Context
You can configure up to 1024 server groups in the system. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
cops-server group group-name client-type { cipn-e4p | cipn-iap | sig | dsg }
A COPS server group is created and the COPS server group view is displayed. If the COPS server group already exists, the COPS server group view is displayed directly.
When creating a COPS server group, you must specify the client type of the group, that is, the service for which the client (the ME60) connects to the COPS servers. COPS server groups of different client types cannot share a name.
----End
6.2.5 Configuring the COPS Server


Context
A COPS server group can contain up to 8 COPS servers, but you can configure at most 128 COPS servers on an ME60. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
cops-server group group-name
The COPS server group view is displayed.
Step 3 Run:
cops-server ip-address [ server-port | client-port client-port | vpn-instance instance-name | shared-key shared-key | weight value ] *
The COPS server is configured. When configuring the COPS server, you can specify the IP address, port number, VPN instance, shared key, and weight of the server and the port number of the client.
----End

6.2.6 (Optional) Configuring the Client Identifier


Context
The COPS server uses the client identifier (PEP ID) to verify the identity of the client. Generally, the client identifier can be configured to an administrative IP address of the client. The client identifier is configured based on the COPS server group. That is, the ME60 can have multiple client identifiers for different COPS server groups. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
cops-server group group-name
The COPS server group view is displayed.
Step 3 Run:
cops-server pep-id client-id
The client identifier is configured. To modify the pep-id of a COPS server group that is already activated, run the undo active command, modify the pep-id, and then run the active command to make the modification effective.
The default client identifier is huawei. Because the COPS server identifies the client by its PEP ID, set a value that is unique per ME60 (for example, its administrative IP address) before connecting several ME60s to the same server.
----End

6.2.7 (Optional) Configuring the Flow Keeping Time


Context
The flow keeping time is the period during which the ME60 retains the flow (connection) information after the client is disconnected from the server, so that a brief disconnection caused by network instability does not tear down the flows.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
cops-server group group-name
The COPS server group view is displayed.
Step 3 Run:
cops-server flow-keeping-time time
The flow keeping time is configured.
By default, the flow keeping time of a COPS server is 300 seconds.
----End

6.2.8 (Optional) Configuring the Shared Key


Context
The shared key is used to protect the COPS packets exchanged between the ME60 and the servers in the group. The shared keys on the ME60 and the COPS server must be the same. This guide describes the key as encrypting the packets; in the standard COPS mechanism (RFC 2748, Message Integrity object) the shared key keys an HMAC that authenticates each message and, together with the sequence number, detects replay, but it does not encrypt the message contents. Unless the server vendor confirms otherwise, assume the key provides authentication and integrity only: treat it as a credential, and if the COPS session crosses an untrusted network, protect it with a separate mechanism such as IPsec.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
cops-server group group-name
The COPS server group view is displayed.
Step 3 Run:
cops-server shared-key key-string
The shared key of the COPS server group is configured. To change the shared key of a COPS server group that is already activated, run the undo active command, change the key, and then run the active command to make the change effective.
----End

6.2.9 Activating the COPS Servers


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
cops-server group group-name
The COPS server group view is displayed.
Step 3 Run:
active
The COPS servers in the COPS server group are activated. COPS runs over TCP (RFC 2748 registers TCP port 3288 for it), so a TCP connection must be set up between the ME60 and each COPS server. After you activate the COPS servers, the ME60 initiates TCP connections to all the COPS servers in the COPS server group.
----End
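The following added example (not code from Huawei or the ME60) shows what the PEP ID of 6.2.6 and the shared key of 6.2.8 do once the group is activated and the ME60 sends its Client-Open over the TCP connection. It builds an RFC 2748 Client-Open message in Python with a PEP Identification object and a Message Integrity object (HMAC-MD5 keyed with the shared key), then validates it as the policy server would: a wrong key, an unknown key ID, a tampered PEP ID, a truncated message, or a replayed sequence number is rejected, while the PEP ID itself stays readable on the wire. The numeric client-type, key ID, sequence number, and sample key are assumptions.

```python
"""Added example (not Huawei code): what the COPS shared key and PEP ID do on
the wire.  Builds an RFC 2748 Client-Open (OPN) message carrying a PEP
Identification object and a Message Integrity object keyed with the shared
key, then validates it the way the policy server would.  The numeric
client-type 0x8001 is an assumption (RFC 2748 reserves 0x8000-0xFFFF for
enterprise use); the values behind cipn-e4p/cipn-iap/sig/dsg are not public.
"""
import hashlib
import hmac
import struct

COPS_VERSION = 1
OP_OPN = 6                    # Client-Open op code (RFC 2748 section 2.1)
CNUM_PEPID = 11               # PEP Identification object, C-Type 1 = ASCII string
CNUM_INTEGRITY = 16           # Message Integrity object, C-Type 1 = HMAC-MD5
CLIENT_TYPE_ASSUMED = 0x8001  # assumed enterprise client-type, see docstring
DIGEST_LEN = 16               # HMAC-MD5 output size


def cops_object(cnum, ctype, content):
    """One COPS object: 4-byte header (length including the header, C-Num,
    C-Type) followed by the content, padded to a 32-bit boundary.  The length
    field excludes the padding, as the RFC requires."""
    length = 4 + len(content)
    return struct.pack("!HBB", length, cnum, ctype) + content + b"\x00" * ((-length) % 4)


def build_client_open(pep_id, client_type, shared_key, key_id, seq):
    """PEP side: OPN = common header, PEPID object, Integrity object (last)."""
    pepid_obj = cops_object(CNUM_PEPID, 1, pep_id.encode("ascii") + b"\x00")
    integ_head = struct.pack("!HBB", 4 + 8 + DIGEST_LEN, CNUM_INTEGRITY, 1)
    integ_fields = struct.pack("!II", key_id, seq)      # Key ID, Sequence Number
    msg_len = 8 + len(pepid_obj) + 4 + 8 + DIGEST_LEN
    header = struct.pack("!BBHI", COPS_VERSION << 4, OP_OPN, client_type, msg_len)
    # The digest covers the whole message up to, but not including, the digest.
    covered = header + pepid_obj + integ_head + integ_fields
    return covered + hmac.new(shared_key, covered, hashlib.md5).digest()


def parse_objects(body):
    """Walk the objects after the common header; returns None if malformed."""
    objs, off = [], 0
    while off < len(body):
        if len(body) - off < 4:
            return None
        length, cnum, ctype = struct.unpack_from("!HBB", body, off)
        if length < 4 or off + length > len(body):
            return None
        objs.append((cnum, ctype, body[off + 4:off + length], off))
        off += length + ((-length) % 4)
    return objs


def verify_client_open(msg, shared_key, expected_key_id, last_seq):
    """PDP side.  Returns (accepted, pep_id, seq).  Rejects a bad HMAC, an
    unknown key ID, a missing or misplaced Integrity object, and a sequence
    number that does not move forward (replay)."""
    if len(msg) < 8:
        return False, None, None
    ver_flags, opcode, _client_type, msg_len = struct.unpack_from("!BBHI", msg, 0)
    if ver_flags >> 4 != COPS_VERSION or opcode != OP_OPN or msg_len != len(msg):
        return False, None, None
    objs = parse_objects(msg[8:])
    if not objs or objs[-1][0] != CNUM_INTEGRITY or len(objs[-1][2]) != 8 + DIGEST_LEN:
        return False, None, None
    _, _, content, off = objs[-1]
    key_id, seq = struct.unpack_from("!II", content, 0)
    covered = msg[:8 + off + 4 + 8]            # everything before the digest field
    expected = hmac.new(shared_key, covered, hashlib.md5).digest()
    if key_id != expected_key_id or not hmac.compare_digest(content[8:], expected):
        return False, None, None
    if seq <= last_seq:                        # replayed or out-of-order message
        return False, None, None
    pep_id = None
    for cnum, ctype, c, _ in objs:
        if cnum == CNUM_PEPID and ctype == 1:
            pep_id = c.split(b"\x00", 1)[0].decode("ascii")
    return True, pep_id, seq


if __name__ == "__main__":
    key = b"s3cret-shared-key"                 # constructed sample key
    msg = build_client_open("huawei", CLIENT_TYPE_ASSUMED, key, 1, 10)
    print("genuine:", verify_client_open(msg, key, 1, 9))
    forged = bytearray(msg)
    forged[12] ^= 0x01                         # flip one bit of the PEP ID
    print("tampered:", verify_client_open(bytes(forged), key, 1, 9))
    print("replayed:", verify_client_open(msg, key, 1, 10))
    print("PEP ID readable on the wire:", b"huawei" in msg)
```

Run the file directly to see the checks. Two points for the practitioner: per RFC 2748 a PDP that cannot validate the Integrity object closes the connection, so a key mismatch shows up as a COPS connection that never comes up after active; and because the key only authenticates, anyone who can sniff the link still reads the PEP ID and the delivered policies.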

6.2.10 Checking the Configuration


Run the following command to check the previous configuration.
Action: Check the configuration of the COPS server group.
Command: display cops-server configuration [ group group-name ]

6.3 Configuring the Value-added Service Policy


This section describes the procedure for configuring the value-added service policy.
6.3.1 Establishing the Configuration Task
6.3.2 Creating a Value-added Service Policy
6.3.3 Specifying the Accounting Scheme
6.3.4 Specifying the Traffic Policy
6.3.5 (Optional) Configuring the Idle Cut Function
6.3.6 (Optional) Configuring the Global Parameter
6.3.7 Checking the Configuration

6.3.1 Establishing the Configuration Task


Applicable Environment
A value-added service policy is used to control a value-added service. It includes the accounting scheme, the traffic policy, and the idle-cut feature. Value-added service policies can be applied to domains. After a value-added service policy is applied to a domain, all users in the domain use it as the default value-added service policy: if a user uses a value-added service that has no value-added service policy of its own, the system adopts the default value-added service policy of the user's domain; otherwise, the system uses the value-added service policy configured for that value-added service.

Pre-configuration Tasks
Before configuring a value-added service policy, complete the following tasks:
• Configuring the accounting scheme (see chapter 2 "AAA Configuration")
• Configuring the traffic policy (refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS)

Data Preparation
To configure a value-added service policy, you need the following data.
1. Name of the value-added service policy
2. Accounting scheme used by the service policy
3. Traffic policy used by the service policy
4. (Optional) Idle-cut data (idle time and traffic threshold)
5. (Optional) Traffic query interval

6.3.2 Creating a Value-added Service Policy


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
value-added-service policy policy-name
A value-added service policy is created and the value-added service policy view is displayed. If the value-added service policy already exists, the value-added service policy view is displayed directly.
----End

6.3.3 Specifying the Accounting Scheme


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
value-added-service policy policy-name
The value-added service policy view is displayed.
Step 3 Run:
accounting-scheme scheme-name
The accounting scheme is specified for the value-added service policy.
By default, the accounting scheme of the value-added service policy is default1.
----End

6.3.4 Specifying the Traffic Policy


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
value-added-service policy policy-name
The value-added service policy view is displayed.
Step 3 Run:
traffic-policy policy-name { in-policy | out-policy }
The traffic policy is specified for the value-added service policy.
By default, no traffic policy is configured in the value-added service policy.
----End

6.3.5 (Optional) Configuring the Idle Cut Function


Context
If the traffic of a service does not reach a threshold within a period, the ME60 considers the service idle and stops it. This process is called idle cut. You need to set the idle time and the traffic threshold.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
value-added-service policy policy-name
The value-added service policy view is displayed.
Step 3 Run:
idle-cut idle-time-length idle-rate
The idle-cut function is configured.
By default, the idle time is 0, that is, the idle cut function is disabled. Setting idle-rate to 0 also disables the idle cut function.
----End

6.3.6 (Optional) Configuring the Global Parameter


Context
The value-added service policy has only one global parameter, namely, the interval for traffic query. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
value-added-service traffic-query interval time
The interval for traffic query is configured.
By default, the ME60 queries the traffic once every two minutes.
----End

6.3.7 Checking the Configuration


Run the following command to check the previous configuration.
Action: Check the configuration of the value-added service policy.
Command: display value-added-service policy [ policy-name ]

6.4 Configuring the DSG Service


This section describes the procedure for configuring the DSG service.
6.4.1 Establishing the Configuration Task
6.4.2 Enabling the Value-Added Service
6.4.3 Configuring the Policy Server
6.4.4 Binding the Policy Server to the Domain
6.4.5 Configuring the Value-added Service Policy
6.4.6 Applying the Value-added Service Policy to a Domain
6.4.7 Configuring the Accounting Mode of the VAS
6.4.8 Configuring a User Group
6.4.9 Checking the Configuration

6.4.1 Establishing the Configuration Task


Applicable Environment
As broadband networks have matured, network providers have gradually shifted their focus from network construction to service extension. Multiple services, such as BoD, VoD, IPTV, VoIP, gaming, video phone, and triple play, are widely used. Through the DSG function of the ME60, users can easily select services on the portal server, and the ME60 can perform accounting based on the selected services. In this way, carriers can provide different services and tariff policies for different users.

Pre-configuration Tasks
Before configuring the DSG, complete the following tasks:
• Loading the BRAS license (refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management)
• Configuring the authentication scheme, accounting scheme, and RADIUS server group (see chapter 2 "AAA Configuration")
• Configuring the address pool (see chapter 3 "Address Management")
• Configuring the domains and binding the authentication scheme, accounting scheme, address pool, and RADIUS server group (see chapter 4 "User Management")
• Configuring the BAS interface (see chapter 5 "BRAS Access Configuration")
• Configuring the traffic policy of the VAS (refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS)
NOTE
To deliver Option 82 of the client to the policy server, run the client-option82 or the vbas command on the BAS interface.

Data Preparation
To configure the DSG service, you need the following data.
1. Parameters of the COPS server, including the IP address, port number, shared key, and PEP-ID (for details, see Data Preparation of "Configuring the COPS Server")
2. (Optional) Parameters of the value-added service policy (for details, see Data Preparation of "Configuring the Value-added Service Policy")

6.4.2 Enabling the Value-Added Service


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
value-added-service enable
The value-added service is enabled. To use value-added services, you must enable the value-added service first.
----End

6.4.3 Configuring the Policy Server


The value-added policy can be delivered through the COPS protocol or the RADIUS protocol:
• If the value-added policy is delivered through COPS, configure the COPS server on the ME60. For details, see section "Configuring the COPS Server." You must set the client type to DSG when creating the COPS server group.
• If the value-added policy is delivered through RADIUS, configure the RADIUS server on the ME60. For details, see chapter "AAA Configuration."
NOTE
This document describes only the configuration of the policy server on the ME60. You also need to configure the remote policy server. For details, refer to the configuration document of that server.

6.4.4 Binding the Policy Server to the Domain


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
domain domain-name
The domain view is displayed.
Step 4 Run:
cops-server group server-name
The COPS server group is specified for the domain.
Or run:
radius-server group group-name
The RADIUS server group is specified for the domain.
The COPS server or RADIUS server bound to the domain is used to deliver the value-added service policy. To specify the accounting server for value-added services, run the value-added-service accounting command. For details, see "Configuring the Accounting Mode of the VAS."
----End

6.4.5 Configuring the Value-added Service Policy


The COPS server can deliver either a VAS policy or the name of a VAS policy. The RADIUS server can deliver only the name of a VAS policy.
• If the COPS server delivers the VAS policy itself, you configure the VAS policy only on the remote COPS server, not on the ME60. For details, refer to the manual of the COPS server.
• If the COPS or RADIUS server delivers the name of a VAS policy, you configure the VAS policy on the ME60; the policy does not need to be applied to the domain, because the server selects it by name. For the configuration of the VAS policy, see "Configuring the Value-added Service Policy."

6.4.6 Applying the Value-added Service Policy to a Domain


Context
The value-added service policies can be applied to domains. After a value-added service policy is applied to a domain, all users in the domain use it as the default value-added service policy: if a user uses a value-added service that has no value-added service policy of its own, the system adopts the default value-added service policy of the user's domain; otherwise, the value-added service policy configured for that value-added service is used.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
domain domain-name
The domain view is displayed.
Step 4 Run:
value-added-service policy policy-name
The value-added service policy is applied to the domain.
By default, a domain does not reference any value-added service policy.
----End

6.4.7 Configuring the Accounting Mode of the VAS


Context
The ME60 can separate the VAS accounting policy from the service policy control. The VAS accounting policy can be configured as one of the following:
• cops: COPS accounting is used. COPS accounting is performed regardless of whether a VAS policy is bound to the domain. The accounting server is the server specified in the command rather than the server bound to the domain.
• default: The default accounting mode is used, which behaves as follows:
  - If the VAS policy and the accounting enabling flag are delivered by the COPS server, the accounting server of the VAS is the COPS server.
  - If the VAS policy and the accounting disabling flag are delivered by the COPS server, the system does not charge for the VAS.
  - If the VAS policy is delivered by the RADIUS server, the system finds the local VAS policy according to the policy name delivered by the RADIUS server and performs accounting according to the accounting scheme configured in that policy.
  - If a VAS policy is bound to the domain, the VAS is charged according to the accounting scheme in that VAS policy. Other VASs are charged by the server that delivers the VAS policy.
• none: The VAS is not charged, with one exception: if the VAS policy and the accounting enabling flag are delivered by the COPS server, the accounting server of the VAS is the COPS server. Otherwise, the system does not charge for the VAS regardless of the configured accounting scheme.
• radius: RADIUS accounting is used. RADIUS accounting is performed regardless of whether a VAS policy is bound to the domain. The accounting server is the server specified in the value-added-service accounting command rather than the server bound to the domain.

When COPS accounting or RADIUS accounting is adopted, the user domain needs to be bound to a server group. Up to one COPS or RADIUS server group for the VAS accounting can be bound to each domain. The accounting policy in the domain affects only the destination server to which the accounting packet is sent. The policy does not affect the accounting parameters such as remaining duration, remaining traffic, and idle-cut feature.
NOTE
• The VAS does not support HWTACACS accounting.
• Accounting is not performed for the SIG and CIPN services; therefore, the SIG and CIPN service policies are not affected by the accounting policy configured in the domain.

Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
domain domain-name
The domain view is displayed.
Step 4 Run:
value-added-service accounting { cops cops-server | default | none | radius radius-server }
The accounting policy of the VAS is configured.
By default, the default accounting mode is adopted for the VAS.
----End

6.4.8 Configuring a User Group


Context
A VAS takes effect only for users that belong to a user group.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-group group-name
A user group is created.
Step 3 Run:
aaa
The AAA view is displayed.
Step 4 Run:
domain domain-name
The domain view is displayed.
Step 5 Run:
user-group group-name
The user group of the domain is specified.
User groups can be configured on the ME60 or delivered by the RADIUS server. If the RADIUS server delivers user groups, you do not need to configure user groups on the ME60.
----End

6.4.9 Checking the Configuration


Run the following commands to check the previous configuration.
Action: Check the configuration of the value-added service policy.
Command: display value-added-service policy [ policy-name ]
Action: Check the configuration of the COPS server group.
Command: display cops-server configuration [ group group-name ]
Action: Check the configuration of the domain.
Command: display domain [ name domain-name | [ vpn-instance vpn-instance-name ] ]

6.5 Configuring the DAA Service


This section describes the procedure for configuring the DAA service.
6.5.1 Establishing the Configuration Task
6.5.2 Enabling the Value-Added Service
6.5.3 Configuring the Policy Server
6.5.4 Configuring a DAA Service Policy
6.5.5 Applying the Value-added Service Policy to a Domain
6.5.6 Binding the Policy Server to the Domain
6.5.7 Checking the Configuration

6.5.1 Establishing the Configuration Task


Applicable Environment
Through DAA, the ME60 collects statistics separately for traffic to different networks, such as the national network, international network, local network, and long-distance network, and performs accounting at different charge rates. In this manner, carriers can provide differentiated services and tariff policies for different users.

Pre-configuration Tasks
Before configuring the DAA service, complete the following tasks:
• Loading the BRAS license and DAA license (for details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management)
• Configuring the authentication scheme, accounting scheme, and RADIUS server group (for details, refer to chapter "AAA Configuration" in the Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services)
• Configuring the address pool (for details, refer to chapter "Address Management" in the Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services)
• Configuring a domain and the authentication scheme, accounting scheme, address pool, and RADIUS server group that are bound to the domain (for details, refer to chapter "User Management" in the Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services)
• Configuring a BAS interface (for details, refer to chapter "BRAS Access Configuration" in the Quidway ME60 Multiservice Control Gateway Configuration Guide - BRAS Services)
• Configuring the traffic policy of the VAS (for details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS)
NOTE
To enable the packets sent from the client to the policy server to carry the Option 82 field, run the client-option82 or vbas command on the BAS interface.

Data Preparation
To configure the DAA service, you need the following data.
1. Parameters of the COPS server, including the IP address, port number, shared key, and PEP-ID (for details, refer to Data Preparation in 6.2 Configuring the COPS Server)
2. Parameters of the DAA service policy, including the policy template name, tariff level, and QoS profile
6.5.2 Enabling the Value-Added Service


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
value-added-service enable

The value-added service is enabled. To use value-added services, you must enable the value-added service.
----End

6.5.3 Configuring the Policy Server


The value-added policy can be delivered through the COPS protocol or the RADIUS protocol as follows:
- If the value-added policy is delivered through the COPS protocol, you need to configure the COPS server on the ME60. For details about the configuration, see section "Configuring COPS Server." You must set the type of the client to DSG when creating the COPS server group.
- If the value-added policy is delivered through the RADIUS protocol, you need to configure the RADIUS server on the ME60. For details about the configuration, see chapter "AAA Configuration."
NOTE

This document describes the configuration of only the policy server on the ME60. You also need to configure the remote policy server. For details about the configuration, refer to the relevant configuration document of the server.

6.5.4 Configuring a DAA Service Policy


Context
Do as follows on the ME60:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
value-added-service policy policy-name daa

A DAA service policy is created and the service policy view is displayed.
Step 3 Run:
tariff-level level qos-profile name

A tariff level is bound to a QoS profile.
Or run:
tariff-level level qos-profile name accounting-off

A tariff level is bound to a QoS profile, and the service represented by the tariff level is not charged.
NOTE
For the dynamic DAA service, you need to enable the ME60, in the AAA view, to send the packets that are generated when a user logs in to the COPS server. In addition, you need to create a RADIUS server group with the same name as the COPS server and configure the RADIUS server group in the RADIUS server view.

----End
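The tariff-level bindings above only take effect for traffic that a UCL rule and the traffic behavior bound to it have tagged with that level (section 6.9.2 shows this for user group isp1). The following Python model, added here and not ME60 code, reproduces that classification and the per-tariff-level accounting, including the accounting-off case, and checks that every level a behavior can assign is bound in the DAA policy; the class names, function names and flow records are constructed for this example.

```python
"""Model of the destination-based accounting (DAA) configured in this chapter.

UCL rules match a user group plus a destination network, the traffic behavior
bound to the classifier tags matching traffic with a tariff level, and the DAA
service policy binds each tariff level to a QoS profile, optionally with
accounting-off. Added illustration, not ME60 code: the class and function
names and the flow records below are constructed for this example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class UclRule:
    """One 'rule permit ip source user-group ... destination ...' entry whose
    classifier is bound to a behavior carrying 'tariff-level <n>'."""
    user_group: str
    destination: Optional[str]  # CIDR prefix; None models 'destination any'
    tariff_level: int


@dataclass
class DaaPolicy:
    """'value-added-service policy <name> daa' with its tariff-level bindings."""
    name: str
    # tariff level -> (qos-profile name, CIR in kbit/s, accounting-off flag)
    bindings: Dict[int, Tuple[str, int, bool]] = field(default_factory=dict)

    def tariff_level(self, level: int, qos_profile: str, cir_kbps: int,
                     accounting_off: bool = False) -> None:
        """Mirror of 'tariff-level <level> qos-profile <name> [accounting-off]'."""
        self.bindings[level] = (qos_profile, cir_kbps, accounting_off)


def unbound_levels(rules: List[UclRule], policy: DaaPolicy) -> List[int]:
    """Tariff levels the traffic policy can assign but the DAA policy does not
    bind. Traffic tagged with such a level gets neither a QoS profile nor a
    charge rate, so this is the first consistency check after configuration."""
    return sorted({r.tariff_level for r in rules} - set(policy.bindings))


def classify(rules: List[UclRule], user_group: str, dst_ip: str) -> Optional[int]:
    """First-match lookup in rule order; returns the tariff level or None."""
    dst = ip_address(dst_ip)
    for rule in rules:
        if rule.user_group != user_group:
            continue
        if rule.destination is None or dst in ip_network(rule.destination):
            return rule.tariff_level
    return None


def account(rules: List[UclRule], policy: DaaPolicy,
            flows: List[Tuple[str, str, int]]) -> Dict[str, Dict[int, int]]:
    """Collect bytes per tariff level as DAA reports them: one counter per
    level, levels bound accounting-off kept apart as uncharged, and traffic
    matching no rule counted under level 0 (a convention of this model)."""
    missing = unbound_levels(rules, policy)
    if missing:
        raise ValueError(f"{policy.name} does not bind tariff levels {missing}")
    charged: Dict[int, int] = {}
    uncharged: Dict[int, int] = {}
    for user_group, dst_ip, nbytes in flows:
        level = classify(rules, user_group, dst_ip)
        if level is None:
            charged[0] = charged.get(0, 0) + nbytes
            continue
        _qos_profile, _cir_kbps, accounting_off = policy.bindings[level]
        bucket = uncharged if accounting_off else charged
        bucket[level] = bucket.get(level, 0) + nbytes
    return {"charged": charged, "uncharged": uncharged}


# Constructed from the DAA example in section 6.9.2: user group isp1, tariff
# level 1 for 192.168.100.0/24 (100 Mbit/s) and level 5 for 192.168.200.0/24
# (5 Mbit/s). The level-3 binding with accounting-off is added here only to
# exercise the uncharged path.
RULES = [
    UclRule("isp1", "192.168.100.0/24", 1),
    UclRule("isp1", "192.168.200.0/24", 5),
    UclRule("isp1", "10.0.0.0/8", 3),
]
VP_DAA = DaaPolicy("vp-daa")
VP_DAA.tariff_level(1, "level1", 100000)
VP_DAA.tariff_level(5, "level2", 5000)
VP_DAA.tariff_level(3, "level-free", 20000, accounting_off=True)

# Constructed flow records: (user group, destination IP, bytes).
FLOWS = [
    ("isp1", "192.168.100.7", 1500),
    ("isp1", "192.168.100.9", 2500),
    ("isp1", "192.168.200.20", 4000),
    ("isp1", "10.1.2.3", 9000),
    ("isp1", "203.0.113.5", 600),
    ("isp2", "192.168.100.7", 700),
]


def example() -> Dict[str, Dict[int, int]]:
    """Run the constructed flows through the constructed policy."""
    return account(RULES, VP_DAA, FLOWS)


if __name__ == "__main__":
    for bucket, counters in example().items():
        print(bucket, counters)
```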

6.5.5 Applying the Value-added Service Policy to a Domain


Context
The value-added service policies can be applied to domains. After a value-added service policy is applied to a domain, all users in the domain use this policy as the default value-added service policy. If a user uses a value-added service that has no value-added service policy of its own, the system adopts the default value-added service policy of the user's domain; otherwise, the value-added service policy configured for that value-added service is used. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
domain domain-name

The domain view is displayed.
Step 4 Run:
value-added-service policy policy-name

A service policy is applied to the domain.
By default, a domain does not reference any value-added service policy.
----End

6.5.6 Binding the Policy Server to the Domain


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
domain domain-name

The domain view is displayed.
Step 4 Run:
cops-server group server-name

The COPS server group is specified for the domain.
Or run:
radius-server group group-name

The RADIUS server group is specified for the domain.
The COPS server or RADIUS server used in the domain is used to deliver the value-added service policy. You can run the value-added-service accounting command to specify the accounting server for value-added services. For details, see "Configuring the Accounting Mode of the VAS."
----End

6.5.7 Checking the Configuration


Run the following commands to check the previous configuration.
- Check the configuration of the value-added service policy:
  display value-added-service policy [ policy-name ]
- Check the configuration of the COPS server group:
  display cops-server configuration [ group group-name ]
- Check the configuration of the domain:
  display domain [ name domain-name | [ vpn-instance vpn-instance-name ] ]

6.6 Configuring the CIPN Service


This section describes the procedure for configuring the CIPN service.
6.6.1 Establishing the Configuration Task
6.6.2 Enabling the Value-Added Service
6.6.3 Configuring the CIPN-E4P COPS Server
6.6.4 Configuring the CIPN-IAP COPS Server
6.6.5 Binding a COPS Server to a Domain
6.6.6 Configuring a User Group
6.6.7 Checking the Configuration

6.6.1 Establishing the Configuration Task


Applicable Environment
The CIPN service processes the user information and policy information separately. To manage users and services uniformly, you can create a unified service portal through CIPN.

Pre-configuration Tasks
Before configuring the CIPN service, complete the following tasks:
- Loading the BRAS license (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.)
- Configuring the authentication scheme, accounting scheme, and RADIUS server group (See chapter 2 "AAA Configuration.")
- Configuring the address pool (See chapter 3 "Address Management.")
- Configuring the domains and binding the authentication scheme, accounting scheme, address pool, and RADIUS server group to them (See chapter 4 "User Management.")
- Configuring the BAS interface (See chapter 5 "BRAS Access Configuration.")
NOTE
To deliver Option 82 of the client to the policy server, run the client-option82 or the vbas command on the BAS interface.


Data Preparation
To configure the CIPN service, you need the following data.
No. 1: Server group name, IP address, client ID, and port number of the CIPN-E4P COPS server group
No. 2: Server group name, IP address, client ID, and port number of the CIPN-IAP COPS server group

NOTE

This document describes only the configuration on the ME60. For the configuration of the service policy on the COPS server, refer to the related configuration guides.

6.6.2 Enabling the Value-Added Service


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
value-added-service enable

The value-added service is enabled. To use value-added services, you must enable the value-added service.
----End

6.6.3 Configuring the CIPN-E4P COPS Server


See "Configuring COPS Server" to configure the CIPN-E4P COPS server. You must set the client type to CIPN-E4P when creating the COPS server group.

6.6.4 Configuring the CIPN-IAP COPS Server


See "Configuring COPS Server" to configure the CIPN-IAP COPS server. You must set the client type to CIPN-IAP when creating the COPS server group.

6.6.5 Binding a COPS Server to a Domain


Context
Only the COPS server can deliver the CIPN service policy.
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
domain domain-name

The domain view is displayed.
Step 4 Run:
cops-server group server-name

The COPS server group is specified for the domain. For the CIPN service, the domain must be bound to a CIPN-E4P COPS server.
----End

6.6.6 Configuring a User Group


Context
The VAS is valid only when there is a user group. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
user-group group-name

A user group is created.
Step 3 Run:
aaa

The AAA view is displayed.
Step 4 Run:
domain domain-name

The domain view is displayed.
Step 5 Run:
user-group group-name

The user group which the domain belongs to is specified. User groups can be configured on the ME60 or delivered by the RADIUS server. If you select the RADIUS server to deliver user groups, you do not need to configure user groups on the ME60.
----End

6.6.7 Checking the Configuration


Run the following commands to check the previous configuration.
- Check the configuration of the value-added service policy:
  display value-added-service policy [ policy-name ]
- Check the configuration of the COPS server group:
  display cops-server configuration [ group group-name ]
- Check the configuration of the domain:
  display domain [ name domain-name | [ vpn-instance vpn-instance-name ] ]

6.7 Configuring the SIG Service


This section describes the procedure for configuring the SIG service.
6.7.1 Establishing the Configuration Task
6.7.2 Enabling the Value-Added Service
6.7.3 Configuring the SIG Server
6.7.4 Binding a SIG Server to a Domain
6.7.5 Configuring a User Group
6.7.6 Checking the Configuration

6.7.1 Establishing the Configuration Task


Applicable Environment
In the broadband network, certain computer clients transfer software infected by viruses through the network, intentionally or unintentionally. A majority of terminal users lack security awareness and do not update virus signatures (feature codes), system patches, or software patches, which greatly affects network security. The SIG supported by the ME60 detects and isolates viruses in time. In addition, the SIG provides patch installation suggestions and functions for detecting and blocking illegal VoIP. Thus, the problem of network storms and network attacks caused by worm viruses can be solved effectively and the network quality is improved.

Pre-configuration Tasks
Before configuring the SIG, complete the following tasks:
- Loading the BRAS license (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.)
- Configuring the authentication scheme, accounting scheme, and RADIUS server group (See chapter 2 "AAA Configuration.")
- Configuring the address pool (See chapter 3 "Address Management.")
- Configuring the domains and binding the authentication scheme, accounting scheme, address pool, and RADIUS server group to them (See chapter 4 "User Management.")
- Configuring the BAS interface (See chapter 5 "BRAS Access Configuration.")

Data Preparation
To configure the SIG service, you need the following data.
No. 1: (Optional) Name of the user group
No. 2: Parameters of the SIG server, including the IP address, port number, shared key, and PEP-ID
No. 3: Source interface through which the ME60 interacts with the COPS server

NOTE

This document describes only the configuration on the ME60. For the configuration of the service policy on the COPS server, refer to the related configuration guides.

6.7.2 Enabling the Value-Added Service


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
value-added-service enable

The value-added service is enabled. To use value-added services, you must enable the value-added service.
----End

6.7.3 Configuring the SIG Server


See "Configuring COPS Server" to configure the SIG server. You must set the client type to SIG when creating the COPS server group.

6.7.4 Binding a SIG Server to a Domain


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
domain domain-name

The domain view is displayed.
Step 4 Run:
cops-server group server-name

The SIG server group is specified for the domain.
----End

6.7.5 Configuring a User Group


Context
The VAS is valid only when there is a user group. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
user-group group-name

A user group is created.
Step 3 Run:
aaa

The AAA view is displayed.
Step 4 Run:
domain domain-name

The domain view is displayed.
Step 5 Run:
user-group group-name

The user group which the domain belongs to is specified. User groups can be configured on the ME60 or delivered by the RADIUS server. If you select the RADIUS server to deliver user groups, you do not need to configure user groups on the ME60.
----End

6.7.6 Checking the Configuration


Run the following commands to check the previous configuration.
- Check the configuration of a value-added service policy:
  display value-added-service policy [ policy-name ]
- Check the configuration of the domain:
  display domain [ name domain-name | [ vpn-instance vpn-instance-name ] ]

6.8 Maintaining VASs


This section provides the commands for displaying VAS information and debugging VASs.
6.8.1 Displaying the VASs Information
6.8.2 Debugging VASs

6.8.1 Displaying the VASs Information


After the preceding configuration, run the following display commands in any view to view information about value-added services and check the configuration. For detailed information, refer to the Quidway ME60 Multiservice Control Gateway Command Reference.
- Display the configuration of the COPS server group:
  display cops-server configuration [ group group-name ]
- Check the information about value-added services:
  display value-added-service { cipn [ slot slot-id ] | dpi-service [ dpi-sid dpi-service-id ] | flow [ slot slot-id [ fid flow-id ] [ verbose ] ] | ip [ ip-address ] | service [ slot slot-id [ sid service-id ] ] | sig-policy [ sig-policy-id ] | user [ ip-address ip-address [ vpn-instance instance-name ] | service | slot slot-id | user-id user-id | username username [ detail ] | without-service ] }
- Check the configuration of the value-added service policy:
  display value-added-service policy [ policy-name ]

6.8.2 Debugging VASs

CAUTION
Debugging affects the system performance. So, after debugging, run the undo debugging all command to disable the debugging immediately.

When a fault occurs while a value-added service is running, run the following debugging command in the user view to locate the fault. For the procedure for displaying the debugging information, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.
- Debug the COPS packets:
  debugging cops packet

6.9 Configuration Examples


This section provides several configuration examples of value-added services.
NOTE

In actual networking, you need to load the BRAS license and DSG license. For details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

6.9.1 Example for Configuring the DSG Service
6.9.2 Example for Configuring the DAA Service
6.9.3 Example for Configuring the CIPN Service


6.9.1 Example for Configuring the DSG Service


Networking Requirements
As shown in Figure 6-8, the networking requirements are as follows:
- The COPS server is used to deliver the VAS policy. The IP address of the COPS server is 10.10.10.1, the port number is 3288, and the shared key is hello. The client ID is 1.1.1.1.
- The service policy for the users in domain isp1 is: the RADIUS accounting is used, the idle-cut duration is 10 minutes, the idle-cut traffic threshold is 1 kbit/s, and the service bandwidth is 1 Mbit/s.
- The IP address of the RADIUS authentication server is 10.10.10.2 and the port number is 1813. The IP address of the RADIUS accounting server is 10.10.10.2 and the port number is 1813. Other parameters adopt the default values.
- Binding authentication is adopted.

Networking Diagram
Figure 6-8 Networking of the DSG service
(Figure: user1@isp1 and user2@isp1; access network; ME60 with GE7/0/2 and GE7/0/0 192.168.1.1/24; RADIUS server 10.10.10.2; COPS server 10.10.10.1; backbone network.)

Configuration Procedure
1. Configure the AAA schemes.
# Configure the authentication scheme.
[Quidway] aaa
[Quidway-aaa] authentication-scheme auth1
[Quidway-aaa-authen-auth1] authentication-mode radius
[Quidway-aaa-authen-auth1] quit

# Configure the accounting scheme.
[Quidway] aaa
[Quidway-aaa] accounting-scheme acct1
[Quidway-aaa-accounting-acct1] accounting-mode radius
[Quidway-aaa-accounting-acct1] quit
[Quidway-aaa] quit

# Configure the RADIUS server group.
[Quidway] radius-server group group1
[Quidway-radius-group1] radius-server authentication 10.10.10.2 1812
[Quidway-radius-group1] radius-server accounting 10.10.10.2 1813
[Quidway-radius-group1] quit

2. Configure the address pool.
[Quidway] ip pool pool1 local
[Quidway-ip-pool-pool1] gateway 100.100.100.1 24
[Quidway-ip-pool-pool1] section 0 100.100.100.2 100.100.100.200
[Quidway-ip-pool-pool1] quit

3. Enable the value-added service.
[Quidway] value-added-service enable
[Quidway] send online-message enable

4. Configure the COPS server group.
[Quidway] cops-server group group1 client-type dsg
[Quidway-cops-group1] cops-server 10.10.10.1 3288
[Quidway-cops-group1] cops-server pep-id 1.1.1.1
[Quidway-cops-group1] cops-server shared-key hello
[Quidway-cops-group1] active
[Quidway-cops-group1] quit

5. Configure the value-added service policy.
# Configure the user group.
[Quidway] user-group isp1

# Configure the traffic policy.
[Quidway] acl 6001
[Quidway-acl-ucl-6001] rule permit ip source user-group isp1 destination any
[Quidway-acl-ucl-6001] quit
[Quidway] traffic classifier class1
[Quidway-classifier-class1] if-match acl 6001
[Quidway-classifier-class1] quit
[Quidway] traffic behavior behavior1
[Quidway-behavior-behavior1] car cir 1000 pir 5000 cbs 1000000 pbs 5000000
[Quidway-behavior-behavior1] quit
[Quidway] traffic policy policy1
[Quidway-trafficpolicy-policy1] classifier class1 behavior behavior1
[Quidway-trafficpolicy-policy1] quit

# Configure the service policy.
[Quidway] value-added-service policy policy1
[Quidway-vas-policy-policy1] accounting-scheme acct1
[Quidway-vas-policy-policy1] idle-cut 10 1
[Quidway-vas-policy-policy1] traffic-policy policy1 in-policy
[Quidway-vas-policy-policy1] traffic-policy policy1 out-policy
[Quidway-vas-policy-policy1] quit

6. Configure the domain.
[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme auth1
[Quidway-aaa-domain-isp1] accounting-scheme acct1
[Quidway-aaa-domain-isp1] radius-server group group1
[Quidway-aaa-domain-isp1] cops-server group group1
[Quidway-aaa-domain-isp1] user-group isp1
[Quidway-aaa-domain-isp1] value-added-service policy policy1
[Quidway-aaa-domain-isp1] ip-pool pool1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit
NOTE
- You need to bind the value-added service policy to the domain only when a user uses the default value-added service.
- If the user group is delivered by the RADIUS server, the user group does not need to be bound to the domain.


7. Configure the interfaces.
# Configure the BAS interface.
[Quidway] interface GigabitEthernet 7/0/2
[Quidway-GigabitEthernet7/0/2] bas
[Quidway-GigabitEthernet7/0/2-bas] access-type layer2-subscriber
[Quidway-GigabitEthernet7/0/2-bas] authentication-method bind
[Quidway-GigabitEthernet7/0/2-bas] quit
[Quidway-GigabitEthernet7/0/2] quit

# Configure the uplink interface.
[Quidway] interface GigabitEthernet 7/0/0
[Quidway-GigabitEthernet7/0/0] ip address 192.168.1.1 255.255.255.0

8. Verify the configuration.
# View the configuration of COPS server group group1.
[Quidway] display cops-server configuration group group1
-- Cops group table display ----------------------------------------------
Group index : 0
Group name : group1
Client type : dsg
Group up or down flag : Down
Group active state : Active
Secret key : hello
Flow keeping time (second) : 300
PEP ID : 1.1.1.1
Group Source interface name : -
[state] [server IP addr] [server port] [client port] [weight] [vpn name][server key]
Down 10.10.10.1 3288 0 0
---- End cops group table ---------------------------------------------------

# View the configuration of authentication scheme auth1.
[Quidway] display authentication-scheme auth1
Authentication-scheme-name : auth1
Authentication-method : RADIUS
Authentication-super method : Super authentication-super
Authentication-fail-policy : Offline
Authentication-fail-domain : -
......

# View the configuration of accounting scheme acct1.
[Quidway] display accounting-scheme acct1
Accounting-scheme-name : acct1
Accounting-method : RADIUS
......

# View the configuration of RADIUS server group group1.
[Quidway] display radius-server configuration group group1
--------------------------------------------------------
Server-group-name : group1
Authentication-server: IP:10.10.10.2 Port:1812 Weight[0] [UP] Vpn:
......
Accounting-server : IP:10.10.10.2 Port:1813 Weight[0] [UP] Vpn:
......

# View the configuration of traffic policy policy1.
[Quidway] display traffic classifier user-defined class1
User Defined Classifier Information:
Classifier: class1
Operator: OR
Rule(s) : if-match acl 6001
[Quidway] display traffic policy user-defined policy1
User Defined Traffic Policy Information:
Policy: policy1
Classifier: default-class
Behavior: be
Firewall: permit
Classifier: class1
Behavior: behavior1
Committed Access Rate:
CIR 1000 (Kbps), PIR 5000 (Kbps), CBS 1000000 (byte), PBS 5000000 (byte)
Conform Action: pass
Yellow Action: pass
Exceed Action: discard

# View the configuration of service policy policy1.
[Quidway] display value-added-service policy policy1
Service template index : 0
Service template name : policy1
In traffic policy name : policy1
Out traffic policy name : policy1
Accounting scheme name : acct1
Used number of Service Policy : 5
Idle detect time length<minutes> : 10
Idle flow<Kbytes/min> : 1

# View the configuration of domain isp1.
[Quidway] display domain name isp1 verbose
......
Domain-name : isp1
......
Authentication-scheme-name : auth1
Accounting-scheme-name : acct1
RADIUS-server-group : group1
......
User-group-name : isp1
......
Value-service-name : policy1
Cops-server-name : group1
......
IP-address-pool-name : pool1
......

Configuration Files
#
 sysname Quidway
#
user-group isp1
#
value-added-service enable
send online-message enable
#
radius-server group group1
 radius-server authentication 10.10.10.2 1812 weight 0
 radius-server accounting 10.10.10.2 1813 weight 0
#
acl number 6001
 rule 10 permit ip source user-group isp1
#
traffic classifier class1 operator and
 if-match acl 6001
#
traffic behavior behavior1
 car cir 1000 pir 5000 cbs 1000000 pbs 5000000 green pass yellow pass red discard
#
traffic policy policy1
 classifier class1 behavior behavior1
#
interface GigabitEthernet7/0/0
 undo shutdown
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet7/0/2
 undo shutdown
 bas
  access-type layer2-subscriber
  authentication-method bind
#
ip pool pool1 local
 gateway 100.100.100.1 255.255.255.0
 section 0 100.100.100.2 100.100.100.200
#
cops-server group group1 client-type dsg
 cops-server shared-key hello
 cops-server pep-id 1.1.1.1
 cops-server 10.10.10.1
 active
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group group1
  user-group isp1
  ip-pool pool1
  cops-server group group1
  value-added-service policy policy1
#
value-added-service policy policy1
 accounting-scheme acct1
 traffic-policy policy1 in-policy
 traffic-policy policy1 out-policy
 idle-cut 10 1
#
return


6.9.2 Example for Configuring the DAA Service


Networking Requirements
As shown in Figure 6-9, the networking requirements are as follows:
- The VAS policy is delivered to the user by the COPS server. The IP address and port number of the COPS server are 10.10.10.3 and 3288 respectively. The shared key is hello and the client ID is 1.1.1.1.
- The Value Added Service (VAS) policy used by users in domain isp1 is as follows: the RADIUS accounting mode is adopted; when accessing network 192.168.100.0/24, users in user group isp1 (domain isp1) are charged at tariff level 1 and restricted to a bandwidth of 100 Mbit/s; when accessing network 192.168.200.0/24, they are charged at tariff level 5 and restricted to a bandwidth of 5 Mbit/s.
- The IP address and port number of the RADIUS authentication server are 10.10.10.2 and 1812 respectively. The IP address and port number of the RADIUS accounting server are 10.10.10.2 and 1813 respectively. Other parameters use the default values.
- The user belongs to domain isp1.


Figure 6-9 Networking diagram of DAA
(Figure: user1@isp1 and user2@isp1; access network; ME60 with GE7/0/2, GE7/0/0.1 and GE7/0/0.2 towards networks 192.168.100.0/24 and 192.168.200.0/24 (labelled isp1 and isp2), and GE7/0/1 10.10.10.1/24; RADIUS server 10.10.10.2; COPS server 10.10.10.3.)

Configuration Procedure
1. Configure AAA. # Configure an authentication scheme.
<Quidway> system-view
[Quidway] aaa
[Quidway-aaa] authentication-scheme auth1
[Quidway-aaa-authen-auth1] authentication-mode radius
[Quidway-aaa-authen-auth1] quit

# Configure an accounting scheme.
[Quidway-aaa] accounting-scheme acct1
[Quidway-aaa-accounting-acct1] accounting-mode radius
[Quidway-aaa-accounting-acct1] quit
[Quidway-aaa] quit

# Configure a RADIUS server group.
[Quidway] radius-server group group1
[Quidway-radius-group1] radius-server authentication 10.10.10.2 1812
[Quidway-radius-group1] radius-server accounting 10.10.10.2 1813
[Quidway-radius-group1] quit

2. Configure the address pool.
[Quidway] ip pool pool1 local
[Quidway-ip-pool-pool1] gateway 100.100.100.1 24
[Quidway-ip-pool-pool1] section 0 100.100.100.2 100.100.100.200
[Quidway-ip-pool-pool1] quit

3. Enable a VAS.
[Quidway] value-added-service enable

4. Configure a COPS server group.
[Quidway] cops-server source-interface gigabitethernet7/0/1
[Quidway] cops-server group group1 client-type dsg
[Quidway-cops-group1] cops-server 10.10.10.3 3288
[Quidway-cops-group1] cops-server pep-id 1.1.1.1
[Quidway-cops-group1] cops-server shared-key hello
[Quidway-cops-group1] active
[Quidway-cops-group1] quit

5. Configure VAS policies.
# Configure a user group.
[Quidway] user-group isp1

# Configure a traffic policy.
[Quidway] acl 6001
[Quidway-acl-ucl-6001] rule permit ip source user-group isp1 destination ip-address 192.168.100.0 0.0.0.255
[Quidway-acl-ucl-6001] quit
[Quidway] traffic classifier class1
[Quidway-classifier-class1] if-match acl 6001
[Quidway-classifier-class1] quit
[Quidway] traffic behavior behavior1
[Quidway-behavior-behavior1] car
[Quidway-behavior-behavior1] tariff-level 1
[Quidway-behavior-behavior1] quit
[Quidway] acl 6002
[Quidway-acl-ucl-6002] rule permit ip source user-group isp1 destination ip-address 192.168.200.0 0.0.0.255
[Quidway-acl-ucl-6002] quit
[Quidway] traffic classifier class2
[Quidway-classifier-class2] if-match acl 6002
[Quidway-classifier-class2] quit
[Quidway] traffic behavior behavior2
[Quidway-behavior-behavior2] car
[Quidway-behavior-behavior2] tariff-level 5
[Quidway-behavior-behavior2] quit
[Quidway] traffic policy daa
[Quidway-trafficpolicy-daa] classifier class1 behavior behavior1
[Quidway-trafficpolicy-daa] classifier class2 behavior behavior2
[Quidway-trafficpolicy-daa] quit

# Apply traffic policy daa globally.
[Quidway] accounting-service-policy daa

6. Configure a QoS template.
# Configure the scheduling template.
[Quidway] scheduler-profile level1
[Quidway-scheduler-level1] car cir 100000 upstream
[Quidway-scheduler-level1] car cir 100000 downstream
[Quidway-scheduler-level1] quit
[Quidway] scheduler-profile level2
[Quidway-scheduler-level2] car cir 5000 upstream
[Quidway-scheduler-level2] car cir 5000 downstream
[Quidway-scheduler-level2] quit

# Configure the QoS template.
[Quidway] qos-profile level1
[Quidway-qos-level1] scheduler-profile level1
[Quidway-qos-level1] quit
[Quidway] qos-profile level2
[Quidway-qos-level2] scheduler-profile level2
[Quidway-qos-level2] quit

7. Configure DAA policy template vp-daa.
[Quidway] value-added-service policy vp-daa daa
[Quidway-vas-policy-daa] accounting-scheme acct1
[Quidway-vas-policy-daa] tariff-level 1 qos-profile level1
[Quidway-vas-policy-daa] tariff-level 5 qos-profile level2
[Quidway-vas-policy-daa] quit

8. Configure a domain.
[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme auth1
[Quidway-aaa-domain-isp1] accounting-scheme acct1
[Quidway-aaa-domain-isp1] radius-server group group1
[Quidway-aaa-domain-isp1] cops-server group group1
[Quidway-aaa-domain-isp1] user-group isp1
[Quidway-aaa-domain-isp1] value-added-service policy vp-daa
[Quidway-aaa-domain-isp1] ip-pool pool1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit
NOTE
- The VAS policy needs to be bound to a domain only when the user uses the default VAS.
- If the RADIUS server delivers the user group, no user group needs to be bound in the domain.

9.

Configure an interface. # Configure a BAS interface.


[Quidway] interface GigabitEthernet 7/0/2 [Quidway-GigabitEthernet7/0/2] bas [Quidway-GigabitEthernet7/0/2-bas] access-type layer2-subscriber [Quidway-GigabitEthernet7/0/2-bas] quit [Quidway-GigabitEthernet7/0/2] quit

# Configure upstream interfaces.


[Quidway] interface GigabitEthernet 7/0/0.1
[Quidway-GigabitEthernet7/0/0.1] vlan-type dot1q 1
[Quidway-GigabitEthernet7/0/0.1] ip address 192.168.100.1 255.255.255.0
[Quidway-GigabitEthernet7/0/0.1] quit
[Quidway] interface GigabitEthernet 7/0/0.2
[Quidway-GigabitEthernet7/0/0.2] vlan-type dot1q 2
[Quidway-GigabitEthernet7/0/0.2] ip address 192.168.200.1 255.255.255.0
[Quidway-GigabitEthernet7/0/0.2] quit

# Configure the interface connected to the RADIUS server and the COPS server.
[Quidway] interface GigabitEthernet 7/0/1
[Quidway-GigabitEthernet7/0/1] ip address 10.10.10.1 255.255.255.0

10. Verify the configuration.
# Check configurations of COPS server group group1.
[Quidway] display cops-server configuration group group1
-- Cops group table display ----------------------------------------------
Group index                  : 0
Group name                   : group1
Client type                  : dsg
Group up or down flag        : Up
Group active state           : Active
Secret key                   : hello
Flow keeping time (second)   : 300
PEP ID                       : 1.1.1.1
Group Source interface name  : GigabitEthernet7/0/0
[state][server IPv4 addr][server port][client port][weight][vpn name][server key]
 Up     10.10.10.3          3288         0            0
---- End cops group table ---------------------------------------------------

# Check configurations of authentication scheme auth1.


[Quidway] display authentication-scheme auth1
Authentication-scheme-name   : auth1
Authentication-method        : RADIUS
Authentication-super method  : Super authentication-super
Authentication-fail-policy   : Offline
Authentication-fail-domain   : -
......

# Check configurations of accounting scheme acct1.
[Quidway] display accounting-scheme acct1
Accounting-scheme-name       : acct1
Accounting-method            : RADIUS
......

# Check configurations of RADIUS server group group1.


[Quidway] display radius-server configuration group group1
--------------------------------------------------------
Server-group-name     : group1
Authentication-server : IP:10.10.10.2 Port:1812 Weight[0] [UP] Vpn:
......
Accounting-server     : IP:10.10.10.2 Port:1813 Weight[0] [UP] Vpn:
......

# Check configurations of traffic policy daa.


[Quidway] display traffic policy user-defined daa
User Defined Traffic Policy Information:
Policy: daa
 Classifier: default-class
  Behavior: be
   Firewall: permit
 Classifier: class1
  Behavior: behavior1
   Committed Access Rate:
    CIR 0 (Kbps), PIR 0 (Kbps), CBS 0 (byte), PBS 0 (byte)
    Conform Action: pass
    Exceed Action: discard
    Tariff-level 1
 Classifier: class2
  Behavior: behavior2
   Committed Access Rate:
    CIR 0 (Kbps), PIR 0 (Kbps), CBS 0 (byte), PBS 0 (byte)
    Conform Action: pass
    Exceed Action: discard
    Tariff-level 5

# Check configurations of service policy vp-daa.


[Quidway] display value-added-service policy vp-daa
Service template index        : 0
Service template name         : vp-daa
Service policy type           : DAA
Tariff level                  : 1
QoS profile                   : level1
Tariff level                  : 5
QoS profile                   : level2
Accounting scheme name        : acct1
Accounting server type        : RADIUS
Used number of service policy : 0

# Check configurations of domain isp1.


[Quidway] display domain name isp1 verbose
.....
Domain-name                  : isp1
Domain-state                 : Active
Domain-type                  : Normal domain
Service-type                 : STB
......
Authentication-scheme-name   : auth1
Accounting-scheme-name       : acct1
RADIUS-server-group          : group1
IP-address-pool-name         : pool1
........

Configuration Files
#
 sysname Quidway
#
user-group isp1
#
cops-server source-interface GigabitEthernet7/0/0
#
value-added-service enable
#
radius-server group group1
 radius-server authentication 10.10.10.2 1812 weight 0
 radius-server accounting 10.10.10.2 1813 weight 0
#
acl number 6001
 rule 5 permit ip source user-group isp1 destination ip-address 192.168.100.0 0.0.0.255
#
acl number 6002
 rule 5 permit ip source user-group isp1 destination ip-address 192.168.200.0 0.0.0.255
#
traffic classifier class2 operator or
 if-match acl 6002
traffic classifier class1 operator or
 if-match acl 6001
#
traffic behavior behavior1
 car tariff-level 1
traffic behavior behavior2
 car tariff-level 5
#
traffic policy daa
 classifier class1 behavior behavior1
 classifier class2 behavior behavior2
accounting-service-policy daa
#
diffserv domain default
#
scheduler-profile level1
 car cir 100000 cbs 12500000 pbs 31300000 upstream
 car cir 100000 cbs 12500000 pbs 31300000 downstream
#
scheduler-profile level2
 car cir 5000 cbs 625000 pbs 1565000 upstream
 car cir 5000 cbs 625000 pbs 1565000 downstream
#
qos-profile level1
 scheduler-profile level1
#
qos-profile level2
 scheduler-profile level2
#
ip pool pool1 local
 gateway 100.100.100.1 255.255.255.0
 section 0 100.100.100.2 100.100.100.200
#
cops-server group group1 client-type dsg
 cops-server shared-key hello
 cops-server pep-id 1.1.1.1
 cops-server 10.10.10.3
 active
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group group1
  user-group isp1
  ip-pool pool1
  cops-server group group1
  value-added-service policy vp-daa
#
interface GigabitEthernet7/0/0.1
 vlan-type dot1q 1
 ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet7/0/0.2
 vlan-type dot1q 2
 ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet7/0/1
 ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet7/0/2
 undo shutdown
 bas
  access-type layer2-subscriber
#
value-added-service policy vp-daa daa
 accounting-scheme acct1
 tariff-level 1 qos-profile level1
 tariff-level 5 qos-profile level2
#
return

6.9.3 Example for Configuring the CIPN Service


Networking Requirements
As shown in Figure 6-10, the networking requirements are as follows:
- The RM9000 is used to deliver the VAS policy. The IP address of the RM9000 is 192.168.7.250; the port numbers are 3288 and 3299; the shared key is hello.
- The CIPN-E4P client ID is 1.1.1.1; the port number is 3288. The CIPN-IAP client ID is 2.2.2.2; the port number is 3299.
- The Option 82 attribute of the user is reported to the RM9000.
- RADIUS authentication and RADIUS accounting are adopted. The IP address of the RADIUS server is 192.168.7.251; the authentication port number is 1812; the accounting port number is 1813; the shared key is itellin.
- The user belongs to domain isp1 and is in the network segment 100.100.100.0/24.
- The user dials in through PPP.

Networking Diagram
Figure 6-10 Networking of the CIPN service
(Figure: STB, PC and VoIP terminals on VLAN 1, VLAN 2 and VLAN 3 connect through a LAN switch to GE1/0/1.1 of the ME60; GE2/0/1 (192.168.7.1/24) connects to the Internet, the RM9000 and the RADIUS server. The figure labels the RM9000 as 192.168.7.251 and the RADIUS server as 192.168.7.250.)

Configuration Procedure
1. Configure the AAA schemes.
# Configure the authentication scheme.
[Quidway] aaa
[Quidway-aaa] authentication-scheme auth1
[Quidway-aaa-authen-auth1] authentication-mode radius
[Quidway-aaa-authen-auth1] quit

# Configure the accounting scheme.


[Quidway-aaa] accounting-scheme acct1
[Quidway-aaa-accounting-acct1] accounting-mode radius
[Quidway-aaa-accounting-acct1] quit
[Quidway-aaa] quit

# Configure the RADIUS server group.


[Quidway] radius-server group rd1
[Quidway-radius-rd1] radius-server authentication 192.168.7.250 1812
[Quidway-radius-rd1] radius-server accounting 192.168.7.250 1813
[Quidway-radius-rd1] radius-server shared-key itellin
[Quidway-radius-rd1] quit

2. Configure the address pool.
[Quidway] ip pool pool1 local
[Quidway-ip-pool-pool1] gateway 100.100.100.1 24
[Quidway-ip-pool-pool1] section 0 100.100.100.2 100.100.100.200
[Quidway-ip-pool-pool1] quit

3. Configure the COPS server.
# Configure the source interface for the ME60 to interact with the COPS server.
[Quidway] cops-server source-interface GigabitEthernet 2/0/1

# Configure the CIPN-E4P server.


[Quidway] cops-server group cipne4p client-type cipn-e4p
[Quidway-cops-cipne4p] cops-server 192.168.7.251 3288
[Quidway-cops-cipne4p] cops-server pep-id 1.1.1.1
[Quidway-cops-cipne4p] cops-server shared-key hello
[Quidway-cops-cipne4p] active
[Quidway-cops-cipne4p] quit

# Configure the CIPN-IAP server.
[Quidway] cops-server group cipniap client-type cipn-iap
[Quidway-cops-cipniap] cops-server 192.168.7.251 3299
[Quidway-cops-cipniap] cops-server pep-id 2.2.2.2
[Quidway-cops-cipniap] cops-server shared-key hello
[Quidway-cops-cipniap] active
[Quidway-cops-cipniap] quit

4. Configure the domain.
[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] accounting-scheme acct1
[Quidway-aaa-domain-isp1] authentication-scheme auth1
[Quidway-aaa-domain-isp1] radius-server group rd1
[Quidway-aaa-domain-isp1] cops-server group cipne4p
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit

5. Configure a user group.
[Quidway] user-group huawei
[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] user-group huawei
NOTE

The user group can be delivered by the RADIUS server. You do not need to configure the user group on the ME60 in this case.

6. Configure the related interfaces.
# Create a virtual template interface.
[Quidway] interface Virtual-Template 1
[Quidway-Virtual-Template1] quit

# Configure the BAS interface.


[Quidway] interface GigabitEthernet 1/0/1.1
[Quidway-GigabitEthernet1/0/1.1] pppoe-server bind virtual-template 1
[Quidway-GigabitEthernet1/0/1.1] user-vlan 1 3
[Quidway-GigabitEthernet1/0/1.1-vlan-1-3] bas
[Quidway-GigabitEthernet1/0/1.1-bas] access-type layer2-subscriber
[Quidway-GigabitEthernet1/0/1.1-bas] client-option82
[Quidway-GigabitEthernet1/0/1.1-bas] quit
[Quidway-GigabitEthernet1/0/1.1] quit

# Configure the uplink interface.


[Quidway] interface GigabitEthernet 2/0/1
[Quidway-GigabitEthernet2/0/1] ip address 192.168.7.1 255.255.255.0

7. Verify the configuration.
# View the configuration of RADIUS server group rd1.
<Quidway> display radius-server configuration group rd1
--------------------------------------------------------
Server-group-name             : rd1
Authentication-server         : IP:192.168.7.250 Port:1812 Weight[0] [UP] Vpn: -
Authentication-server         : -
Authentication-server         : -
Authentication-server         : -
Authentication-server         : -
Authentication-server         : -
Authentication-server         : -
Authentication-server         : -
Accounting-server             : IP:192.168.7.250 Port:1813 Weight[0] [UP] Vpn: -
Accounting-server             : -
Accounting-server             : -
Accounting-server             : -
Accounting-server             : -
Accounting-server             : -
Accounting-server             : -
Accounting-server             : -
Protocol-version              : radius
Shared-secret-key             : itellin
Retransmission                : 3
Timeout-interval(s)           : 5
Acct-Stop-Packet Resend       : NO
Acct-Stop-Packet Resend-Times : 0
Traffic-unit                  : B
ClassAsCar                    : NO
User-name-format              : Domain-included
Attribute-translation         : NO
Packet send algorithm         : Master-Backup

# View the configuration of CIPN-E4P server cipne4p.


<Quidway> display cops-server configuration group cipne4p
-- Cops group table display ------------------------------------------------
Group index                  : 1
Group name                   : cipne4p
Client type                  : cipn-e4p
Group up or down flag        : Up
Group active state           : Active
Secret key                   : hello
Flow keeping time (second)   : 300
PEP ID                       : 1.1.1.1
Group Source interface name  : -
[state][server IPv4 addr][server port][client port][weight][vpn name][server key]
 Down   192.168.7.251       3288         0            0
---- End cops group table -----------------------------------------------------

# View the configuration of CIPN-IAP server cipniap.


<Quidway> display cops-server configuration group cipniap
-- Cops group table display ------------------------------------------------
Group index                  : 2
Group name                   : cipniap
Client type                  : cipn-iap
Group up or down flag        : Up
Group active state           : Active
Secret key                   : hello
Flow keeping time (second)   : 300
PEP ID                       : 2.2.2.2
Group Source interface name  : -
[state][server IPv4 addr][server port][client port][weight][vpn name][server key]
 Down   192.168.7.251       3299         0            0
---- End cops group table -----------------------------------------------------

# View the configuration of domain isp1.


<Quidway> display domain name isp1 verbose
.....
Domain-name                  : isp1
Domain-state                 : Active
Domain-type                  : Normal domain
....
Authentication-scheme-name   : auth1
Accounting-scheme-name       : acct1
RADIUS-server-group          : rd1
........
Cops-server-name             : cipne4p
....
IP-address-pool-name         : pool1
TimeRange-Qos                : Disabled
.....

# View information about the value-added service used by online users.
<Quidway> display value-added-service user
------------------------------------------------------------------------
The used user id table are: 2
------------------------------------------------------------------------
<Quidway> display value-added-service user user-id 2
------------------------------------------------------------------------
User access index     : 2
State                 : Used
User name             : user1@isp1
User slot number      : 1
User service number   : 1
COPS server name      : cipne4p
------------------------------------------------------------------------
The used VAS service id table are: ( 1, 3)
------------------------------------------------------------------------
The used DPI service id table are:
------------------------------------------------------------------------

# View information about the value-added service being used.


<Quidway> display value-added-service service
------------------------------------------------------------------------
The used service id table are: ( 1, 3)
------------------------------------------------------------------------
<Quidway> display value-added-service service slot 1 sid 3
Service user id              : 2
Flow number                  : 1
Service type                 : Cipn
Service slot number          : 1
Account method               : None
Account start time           : -
Normal-server-group          : cipniap
Accounting-server-type       : -
Accounting-server-group      : -
Idle cut data <time,rate>    : 0 minute, 60 kbyte/minute
Flow up packets(high,low)    : (0,0)
Flow up bytes(high,low)      : (0,0)
Flow down packets(high,low)  : (0,0)
Flow down bytes(high,low)    : (0,0)
------------------------------------------------------------------------
The used flow id table are: ( 1, 2)
------------------------------------------------------------------------

# View information about the CIPN flow.
<Quidway> display value-added-service cipn-flow slot 1
------------------------------------------------------------------------
The used flow id table are: ( 1, 2)
------------------------------------------------------------------------
<Quidway> display value-added-service cipn-flow slot 1 cipn-flow-id 2
Traffic statistic flag : None
Car flag               : Up
Service id             : 1
Flow id                : 1
Flow car index         : 2

<Quidway> display value-added-service cipn-flow slot 1 cipn-flow-id 2 verbose
-----------------------------------------------------
Flow Details
-----------------------------------------------------
In or out flag                    : 1
Source ip scope                   : 172.76.0.2
Source ip mask                    : 0.0.0.0
Destination ip scope              : 1.1.2.5
Destination ip mask               : 0.0.0.0
Min source port                   : 2045
Min Destination port              : 2087
Protocol type                     : 6
Filter flag                       : Permit
Car flag                          : Yes
Car index                         : 2
Committed information rate <kbps> : 8
Committed burst size <bytes>      : 3072
DSCP value for ip packets         : 3

Configuration Files
#
 sysname Quidway
#
cops-server source-interface GigabitEthernet2/0/1
#
radius-server group rd1
 radius-server authentication 192.168.7.250 1812 weight 0
 radius-server accounting 192.168.7.250 1813 weight 0
 radius-server shared-key itellin
#
interface Virtual-Template1
#
interface GigabitEthernet1/0/1
 undo shutdown
#
interface GigabitEthernet1/0/1.1
 pppoe-server bind virtual-template 1
 user-vlan 1 3
  bas
   access-type layer2-subscriber
   client-option82
#
interface GigabitEthernet2/0/1
 undo shutdown
 ip address 192.168.7.1 255.255.255.0
#
ip pool pool1 local
 gateway 100.100.100.1 255.255.255.0
 section 0 100.100.100.2 100.100.100.200
#
cops-server group cipne4p client-type cipn-e4p
 cops-server shared-key hello
 cops-server pep-id 1.1.1.1
 cops-server 192.168.7.251
 active
#
cops-server group cipniap client-type cipn-iap
 cops-server shared-key hello
 cops-server pep-id 2.2.2.2
 cops-server 192.168.7.251 3299
 active
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain default0
 domain default1
 domain default_admin
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group rd1
  ip-pool pool1
  cops-server group cipne4p
#
local-aaa-server
#
return

7 ANCP Configuration

About This Chapter
This chapter describes the concept and configuration of ANCP and provides several configuration examples.
7.1 Introduction
This section describes the concept of ANCP.
7.2 Configuring ANCP Functions
This section describes the procedure for configuring the ANCP functions.
7.3 Maintaining ANCP
This section describes the commands used to display and clear the ANCP running information and debug ANCP.
7.4 Configuration Examples
This section provides a configuration example of ANCP.


7.1 Introduction
This section describes the concept of ANCP.
7.1.1 ANCP Overview
7.1.2 ANCP Application
7.1.3 References

7.1.1 ANCP Overview


The Access Node Control Protocol (ANCP) provides a channel that controls information exchange between the BRAS and the access node (AN), such as a DSLAM. ANCP is based on the General Switch Management Protocol Version 3 (GSMPv3) and supplements GSMPv3 with a mechanism for establishing and maintaining the adjacency.
The working process of ANCP is as follows:
1. The AN initiates a TCP connection to the BRAS.
The BRAS listens on port 6068. After the AN starts, it initiates a TCP connection to the BRAS. The BRAS functions as the TCP server and the AN functions as the TCP client.
2. The AN and the BRAS set up the GSMP adjacency and negotiate the ANCP capabilities.
ANCP defines the capabilities of dynamic topology discovery, line parameter configuration, multicast control, line detection and management, and batch transaction processing. The ME60 supports dynamic topology discovery, line parameter configuration, and link detection and management.
3. ANCP begins to function after the adjacency is set up. The ANCP operation process is as follows:
(1) Dynamic topology discovery and line information update. The AN monitors the status of the subscriber lines at the access side and reports the ID, type (such as ADSL), uplink bandwidth, and downlink bandwidth of the active lines to the BRAS through ANCP. The access line ID is the Access-Loop-Circuit-ID defined by ANCP and has the same format as the Option 82 attribute in the DHCP control packet or the PPPoE+ attribute in the PPP control packet. When the line information changes, the AN notifies the BRAS through ANCP, and the BRAS updates the line information.
(2) A user goes online and the BRAS applies the line information. When a user goes online from a line connected to the AN, the connection request message of the user contains the Option 82 attribute (line ID) or the PPPoE+ attribute. The BRAS learns the relation between the user and the line from the Option 82 or PPPoE+ attribute. Based on the line information, the BRAS controls the bandwidth and monitors the traffic of the user.
(3) The BRAS delivers the line policy obtained from the RADIUS server to the AN. When a user goes online or subscribes to a service, the RADIUS server delivers the related policy to the BRAS according to the line information. The BRAS then delivers the policy to the AN, and the AN applies the policy to the user.
(4) The AN performs OAM detection on the physical subscriber line. The BRAS delivers the OAM detection message to the AN through ANCP. The AN performs loopback detection on the DSL and reports the detection result to the BRAS through ANCP.
NOTE

In this chapter, the AN refers to the DSLAM device; the physical subscriber line refers to the DSL.
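The BRAS-side line table implied by steps (1) and (2) above, as an added Python model that is not Huawei code: Port Up/Port Down reports keyed by the Access-Loop-Circuit-ID, a subscriber matched to a line by the circuit ID carried in Option 82 / PPPoE+, and the user's bandwidth capped from the line information. The per-neighbor maximum number of lines follows the parameter described in 7.2.5; the field names, the min() rule for the enforced rate, and all circuit IDs, rates and user names are assumptions or constructed sample data.

```python
"""Added example (not Huawei code): BRAS-side ANCP line table from 7.1.1.
Field names, the min() rule and every sample value are assumptions or
constructed data; no real message layout is implemented here."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AccessLine:
    """One subscriber line as last reported by the AN (Port Up/Down)."""
    circuit_id: str    # Access-Loop-Circuit-ID, same format as DHCP Option 82
    line_type: str     # for example "ADSL"
    up_kbps: int       # actual upstream rate reported by the AN
    down_kbps: int     # actual downstream rate reported by the AN
    state: str = "Up"


@dataclass
class Subscriber:
    """A user bound to a line: auth_* is what RADIUS authorizes,
    *_limit is what the BRAS actually enforces."""
    username: str
    circuit_id: str
    auth_up_kbps: int
    auth_down_kbps: int
    up_limit_kbps: int = 0
    down_limit_kbps: int = 0


class AncpLineTable:
    """Line table for one ANCP neighbor (one DSLAM) held on the BRAS."""

    def __init__(self, max_lines: int) -> None:
        self.max_lines = max_lines   # per-neighbor line cap (see 7.2.5)
        self.lines: Dict[str, AccessLine] = {}
        self.users: Dict[str, Subscriber] = {}

    def port_up(self, circuit_id: str, line_type: str,
                up_kbps: int, down_kbps: int) -> bool:
        """Dynamic topology discovery and line information update.
        Returns False when a new line would exceed max_lines; then no
        entry is created and existing entries stay unchanged."""
        line = self.lines.get(circuit_id)
        if line is None:
            if len(self.lines) >= self.max_lines:
                return False
            self.lines[circuit_id] = AccessLine(circuit_id, line_type,
                                                up_kbps, down_kbps)
        else:
            line.line_type, line.state = line_type, "Up"
            line.up_kbps, line.down_kbps = up_kbps, down_kbps
        # A changed line rate must be re-applied to users already online.
        for user in self.users.values():
            if user.circuit_id == circuit_id:
                self._apply_limits(user)
        return True

    def port_down(self, circuit_id: str) -> None:
        """The AN reports the line Down; the entry stays but is marked."""
        if circuit_id in self.lines:
            self.lines[circuit_id].state = "Down"

    def user_online(self, username: str, option82_circuit_id: str,
                    auth_up_kbps: int, auth_down_kbps: int
                    ) -> Optional[Subscriber]:
        """Match the Option 82 / PPPoE+ circuit ID against the line table.
        Assumption: the BRAS never grants more than the line's actual rate,
        so the enforced limit is the smaller of RADIUS and line values."""
        line = self.lines.get(option82_circuit_id)
        if line is None or line.state != "Up":
            return None   # no active line is known for this circuit ID
        user = Subscriber(username, option82_circuit_id,
                          auth_up_kbps, auth_down_kbps)
        self.users[username] = user
        self._apply_limits(user)
        return user

    def _apply_limits(self, user: Subscriber) -> None:
        line = self.lines[user.circuit_id]
        user.up_limit_kbps = min(user.auth_up_kbps, line.up_kbps)
        user.down_limit_kbps = min(user.auth_down_kbps, line.down_kbps)


def demo() -> AncpLineTable:
    """Constructed walk-through: discovery, user online, line resync."""
    table = AncpLineTable(max_lines=64)
    table.port_up("DSLAM1 eth 1/1/1:1.1", "ADSL", 1024, 8192)  # constructed
    table.user_online("user1@isp1", "DSLAM1 eth 1/1/1:1.1", 2048, 6144)
    table.port_up("DSLAM1 eth 1/1/1:1.1", "ADSL", 768, 8192)   # rate changed
    return table


if __name__ == "__main__":
    for u in demo().users.values():
        print(u.username, u.up_limit_kbps, u.down_limit_kbps)
```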

7.1.2 ANCP Application


Figure 7-1 shows the typical ANCP networking.
Figure 7-1 Typical ANCP networking
(Figure: access line 1 (PC), access line 2 (VoIP) and access line 3 (TV) terminate on the DSLAM; the aggregation network connects the DSLAM to the ME60; the ME60 connects to the policy server, the portal server, the RADIUS server, the ISP, and the video and VoIP ASPs.)

The ME60 implements the following ANCP functions:
- Physical Line Management
- Service Management
- OAM Detection for Remote Connections

Physical Line Management


Management of the physical lines involves the following:
- Dynamic topology discovery
To avoid congestion in the access network, the ME60 supports the queuing and scheduling (H-QoS) mechanism. The mechanism requires the BRAS to detect the topology of the access network and the parameters of the access lines. Certain parameters, such as the network rate of the DSL, keep changing, so the ME60 cannot obtain these parameters from the operation maintenance system. Certain parameters, such as the uplink traffic of the DSLAM, rarely change, but they must be completely synchronous with the information saved on the BRAS. However, the operation maintenance and management system cannot maintain these parameters through a reliable and scalable method. Dynamic topology discovery solves this problem: the DSLAM dynamically reports the parameters of the DSL, including the status, actual uplink and downlink rates, maximum uplink and downlink rates, and delay, to the BRAS.
- Line information update
When the DSLAM and the integrated access device (IAD) synchronize information about the access line, the line information must be updated if the DSLAM detects a change of the line status. The DSLAM sends the Port Up message to the BRAS to update the bandwidth of the line.

Service Management
In general, parameters of the access line are fixed. For value-added services such as Triple-play, however, the parameters of the DSL must be set on the DSLAM. When users subscribe to services on the self-service website, the DSL parameters need to be updated automatically. After a user goes online, the DSLAM monitors the DHCP and PPPoE control packets and inserts the Option 82 or PPPoE+ attribute into the control packets. The ME60 can find the unique access line of a user by matching the Option 82 attribute in the DHCP control packet or PPPoE+ attribute in the PPPoE control packet with the access line ID (Access-Loop-Circuit-ID defined by the ANCP protocol). When the service of a user changes, the BRAS obtains the parameters of the access line from the policy server or RADIUS server, and then requires the DSLAM to modify the parameters of the access line. In this way, you do not need to configure the BRAS manually on the operation maintenance system or the network management system (NMS).

OAM Detection for Remote Connections


On a traditional ATM line, the connection between the BRAS and the DSLAM is a point-to-point connection, and the connectivity between the BRAS and the DSLAM can be tested through ATM OAM (F4/F5). After the ATM network changes to Ethernet, ATM OAM (F4/F5) is no longer used. Although IEEE 802.1AG, Y.1730/1731, and IEEE 802.3AH can test the connectivity and locate and isolate faults on an end-to-end connection, not many terminals support these mechanisms. In addition, the ATM DSL supports link-layer OAM. Therefore, in a network where both DSL and Ethernet exist, the ATM OAM architecture must be used to check and diagnose the network. ANCP can implement this function. You can specify the ACI of a subscriber line by using commands on the BRAS to trigger the detection for that line. When the related DSLAM receives the OAM detection messages sent by the BRAS, the DSLAM triggers the ATM (F4/F5) detection frame on the DSL. On an Ethernet, ANCP can also implement a loopback test on an interface. The DSLAM sends the test result to the BRAS, so the BRAS can monitor the status of a user or a line.

7.1.3 References
For more information about ANCP, refer to the following documents:
- RFC3292: General Switch Management Protocol (GSMP) V3 (Jun. 2002).
- RFC3293: General Switch Management Protocol (GSMP) Packet Encapsulations for Asynchronous Transfer Mode (ATM), Ethernet and Transmission Control Protocol (TCP) (Jun. 2002).
- RFC3604: Requirements for Adding Optical Support to the General Switch Management Protocol version 3 (GSMPv3) (Oct. 2003).
- draft-ietf-ancp-protocol-01.txt: Protocol for Access Node Control Mechanism in Broadband Networks (Feb. 2007).
- draft-ietf-ancp-framework-02.txt: Framework and Requirements for an Access Node Control Mechanism in Broadband Multi-Service Networks.
- draft-wadhwa-gsmp-l2control-configuration-02.txt: GSMP extensions for Access Node Control Mechanism (Oct. 2006).
- draft-mammoliti-radius-dsl-vsa-03.txt: DSL Forum Vendor-Specific RADIUS Attributes (Apr. 2006).
- WT-147: DSL Forum.

7.2 Configuring ANCP Functions


This section describes the procedure for configuring the ANCP functions.
7.2.1 Establishing the Configuration Task
7.2.2 Enabling ANCP
7.2.3 Configuring the Source Interface of the ANCP Session
7.2.4 (Optional) Configuring the ANCP Session Parameters
7.2.5 Configuring the ANCP Neighbor Profile
7.2.6 (Optional) Triggering Configuration of the ANCP Access Line
7.2.7 (Optional) Enabling ANCP OAM Detection
7.2.8 Enabling Automatic Adjustment of Downlink Bandwidth
7.2.9 Checking the Configuration

7.2.1 Establishing the Configuration Task


Applicable Environment
When ANCP is enabled between the ME60 and the DSLAM, you need to configure the parameters on the ME60 to control the setup of ANCP sessions, control the downstream traffic, and trigger detection.

Pre-configuration Tasks
Before enabling basic functions of ANCP, complete the following tasks:
- Configuring a loopback interface on the ME60 and ensuring that the loopback route between the DSLAM and the ME60 is reachable. For details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Routing.
- Configuring user authentication, accounting, authorization, user domain, and address pool. For details, see chapter 2 "AAA Configuration", chapter 4 "User Management", and chapter 3 "Address Management".
- Configuring the BRAS access feature. For details, see chapter 5 "BRAS Access Configuration".

Data Preparation
To configure ANCP functions, you need the following data.
No.  Data
1    MAC address of the DSLAM
2    Source interface for setting up the ANCP session
3    (Optional) Timeout duration of the ANCP session and the maximum number of packet sending attempts
4    (Optional) Maximum number of lines of each ANCP neighbor
5    (Optional) Keepalive interval of the ANCP session
6    (Optional) Timeout duration of the OAM event triggered by ANCP
7    (Optional) Timeout duration of the configuration event delivered by ANCP

7.2.2 Enabling ANCP


Context
The system monitors the socket and processes the request for setting up the TCP session from the DSLAM only after ANCP is enabled. When ANCP is disabled, all the TCP sessions are disconnected and socket listening is disabled. Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ancp enable
ANCP is enabled. By default, ANCP is disabled.
----End

7.2.3 Configuring the Source Interface of the ANCP Session


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ancp
The ANCP view is displayed.
Step 3 Run:
source-interface loopback interface-number
The source interface of the ANCP session is configured. The source interface that a DSLAM uses to set up a TCP session must be a loopback interface. Changing the source-interface loopback interface-number command or the IP address of the interface does not affect a session that is already set up; the change takes effect after ANCP is disabled and then enabled again.
----End

7.2.4 (Optional) Configuring the ANCP Session Parameters


Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ancp
The ANCP view is displayed.
Step 3 Run:
session { interval interval-value | retransmit retransmit-value }*
The timeout duration of ANCP sessions and the maximum number of retransmission events are configured. After the TCP session is set up, the ME60 sends a SYN packet to the peer to set up the ANCP session. If the ME60 does not receive the correct response packet, it resends SYN packets until the ANCP session is set up. If the ANCP session is still not set up when the number of retransmission events reaches the set value, the TCP connection is closed. By default, the ME60 sends SYN packets or SYN-ACK packets every 1 second, and the maximum number of retransmission events is 10.
----End

7.2.5 Configuring the ANCP Neighbor Profile

Context
To help you manage ANCP access lines, the ME60 provides the ANCP neighbor profile. You can configure a MAC address in each neighbor profile. If the MAC address in a packet received from a neighbor is the same as the MAC address configured in a neighbor profile, the neighbor is added to that neighbor profile. You can specify the following parameters in an ANCP neighbor profile:

- Neighbor ID
  A neighbor ID is the MAC address of the neighbor. After the ANCP session is set up, the ME60 determines whether the peer belongs to a neighbor profile according to the neighbor ID. If the peer does not match any neighbor profile, the ME60 adds the peer to the default neighbor profile.

- Maximum number of access lines of an ANCP neighbor
  This parameter is the maximum number of access lines that the ME60 allows an ANCP neighbor to have. If the configured maximum is smaller than the number of access lines that the neighbor already has, no more access line entries are created, but the existing entries are not changed.

- ANCP handshake interval
  To detect the status of a neighbor (for example, whether the link is Up) in real time, the ME60 sends handshake packets to the neighbor (such as the peer DSLAM) at intervals. This interval is the ANCP handshake interval.

- Aging time of the ANCP neighbor line entry
  When a line of an ANCP neighbor goes Down, the ME60 deletes the entry of this line to save system resources. If the aging time is set to 0, the ME60 deletes the entry immediately after the line goes Down; otherwise, the ME60 deletes the entry after the aging timer expires.

- Timeout duration for configuring the ANCP access line
  If the ack-mandatory keyword is selected, the ME60 does not wait for the configuration response from the access line after triggering the configuration of the ANCP access line. Otherwise, if the ME60 does not receive the configuration response within the configuration timeout duration, the ME60 considers that the configuration of the access line has failed.

- Timeout duration for ANCP OAM detection
  After the DSLAM receives the OAM detection message initiated by the ME60, it performs OAM detection on its access lines and then sends the result to the ME60. If the ME60 does not receive the response to the ANCP OAM detection within the timeout duration, it considers that the ANCP OAM detection has failed.

Do as follows on the ME60.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ancp

The ANCP view is displayed.

Step 3 Run:
neighbor-profile neighbor-profile-name

An ANCP neighbor profile is created and the neighbor view is displayed. When you create a neighbor profile, the system checks whether a neighbor view with the same name exists. If not, the system creates a new neighbor view and displays it; if it exists, the system displays the existing view. A neighbor profile that is in use cannot be deleted. The system provides a default neighbor profile named default-neighbor. If a neighbor discovered through the adjacency protocol does not match any configured neighbor profile, it is added to default-neighbor. The default neighbor profile cannot be deleted.

Step 4 Run:
peer-id peer-id

The ID of the ANCP neighbor is configured. By default, a neighbor profile does not contain any neighbor ID.

Step 5 Run:
max-access-loop value

The maximum number of access lines for the ANCP neighbor is configured. By default, the maximum number of access lines for a neighbor is 65536.

Or run:
keep-alive interval interval-value

The ANCP handshake interval is configured. By default, the ANCP handshake interval is 10 seconds.

Or run:
aging-time value

The ANCP aging time is configured. By default, the aging time of an ANCP neighbor line entry is 150 seconds.

Or run:
access-loop-configure { timeout value | ack-mandatory }

The timeout duration for configuring the ANCP access line is configured. By default, the timeout duration for configuring the access line is 5 seconds.

Or run:
oam timeout time-value

The timeout duration of the ANCP OAM detection response is configured. By default, the timeout duration for ANCP OAM detection is 5 seconds.

----End
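As an added illustration (not ME60 code), the following Python model reproduces the neighbor-profile rules stated in this section: neighbor-ID matching with fallback to default-neighbor, the max-access-loop limit that refuses new entries but keeps existing ones, and aging-time 0 versus timed aging. The profile name, MAC addresses and circuit IDs it uses are constructed.

```python
"""Model of the ANCP neighbor-profile rules in section 7.2.5 (added example, not
ME60 code): neighbor-ID matching with default-neighbor fallback, the
max-access-loop limit, and aging-time handling. All sample values are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


def normalize_mac(mac: str) -> str:
    """Expand a shorthand MAC such as '1-2-3' to the xxxx-xxxx-xxxx form the
    device displays (peer-id 1-2-3 is shown as 0001-0002-0003)."""
    parts = mac.lower().split("-")
    if len(parts) != 3 or any(not 1 <= len(p) <= 4 for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(f"{int(p, 16):04x}" for p in parts)


@dataclass
class NeighborProfile:
    """Per-neighbor parameters with the defaults stated in the guide."""
    name: str
    peer_id: Optional[str] = None   # no neighbor ID until peer-id is configured
    max_access_loop: int = 65536    # max-access-loop default
    aging_time: int = 150           # aging-time default in seconds; 0 = immediate


class AncpNeighborTable:
    """Neighbor profiles plus per-neighbor access-line entries.
    Each line entry maps circuit ID -> time it went Down (None while Up)."""

    def __init__(self) -> None:
        # default-neighbor always exists and cannot be deleted.
        self.profiles: Dict[str, NeighborProfile] = {
            "default-neighbor": NeighborProfile("default-neighbor")}
        self.loops: Dict[str, Dict[str, Optional[float]]] = {}

    def match_profile(self, neighbor_mac: str) -> NeighborProfile:
        """Pick the profile whose peer-id equals the neighbor's MAC, else default."""
        mac = normalize_mac(neighbor_mac)
        for profile in self.profiles.values():
            if profile.peer_id and normalize_mac(profile.peer_id) == mac:
                return profile
        return self.profiles["default-neighbor"]

    def add_access_loop(self, neighbor_mac: str, circuit_id: str) -> bool:
        """Create a line entry; False once max-access-loop is reached.
        A limit lowered below the current count never removes existing entries."""
        mac = normalize_mac(neighbor_mac)
        lines = self.loops.setdefault(mac, {})
        if circuit_id in lines:
            return True
        if len(lines) >= self.match_profile(mac).max_access_loop:
            return False
        lines[circuit_id] = None
        return True

    def line_down(self, neighbor_mac: str, circuit_id: str, now: float) -> None:
        """Line goes Down: delete at once if aging-time is 0, else start aging."""
        mac = normalize_mac(neighbor_mac)
        lines = self.loops.setdefault(mac, {})
        if self.match_profile(mac).aging_time == 0:
            lines.pop(circuit_id, None)
        elif circuit_id in lines:
            lines[circuit_id] = now

    def age_out(self, now: float) -> int:
        """Timer tick: delete entries Down for at least the aging time; returns count."""
        removed = 0
        for mac, lines in self.loops.items():
            aging = self.match_profile(mac).aging_time
            for cid in [c for c, t in lines.items() if t is not None and now - t >= aging]:
                del lines[cid]
                removed += 1
        return removed

    def line_count(self, neighbor_mac: str) -> int:
        return len(self.loops.get(normalize_mac(neighbor_mac), {}))


def demo() -> dict:
    """Walk through the rules with constructed data; returns the observations."""
    table = AncpNeighborTable()
    table.profiles["dslam1"] = NeighborProfile("dslam1", peer_id="1-2-3", max_access_loop=3)
    dslam = "0001-0002-0003"                        # matches dslam1 after normalization
    added = [table.add_access_loop(dslam, f"line{i}") for i in range(3)]
    table.profiles["dslam1"].max_access_loop = 2    # lowered below the 3 existing lines
    fourth = table.add_access_loop(dslam, "line3")  # refused; existing entries kept
    table.line_down(dslam, "line0", now=0)
    early = table.age_out(now=100)                  # 100 s < 150 s: nothing removed
    expired = table.age_out(now=150)                # aging timer expired: one removed
    return {
        "known": table.match_profile("1-2-3").name,
        "unknown": table.match_profile("aaaa-bbbb-cccc").name,
        "added": added, "fourth": fourth,
        "removed_early": early, "removed_at_expiry": expired,
        "count": table.line_count(dslam),
    }
```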

7.2.6 (Optional) Triggering Configuration of the ANCP Access Line

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ancp

The ANCP view is displayed.

Step 3 Run:
access-loop-configure { circuit-id circuit-id | index index } service-profile profile-name

The name of the line profile to be delivered to the peer is configured and the configuration of the ANCP access line is triggered. This command makes the ME60 deliver the line profile name to the peer DSLAM.

----End

7.2.7 (Optional) Enabling ANCP OAM Detection

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ancp

The ANCP view is displayed.

Step 3 Run:
oam [ count test-counter ] access-loop access-loop-circuit-id

The number of OAM detection events and the ID of the ANCP access line are configured, and OAM detection is enabled. To test the connectivity of the remote access line, run this command to start ANCP OAM detection. By default, the number of OAM detection events is 5.

----End

7.2.8 Enabling Automatic Adjustment of Downlink Bandwidth

Context
Do as follows on the ME60.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
ancp auto-qos-adapt

Automatic adjustment of downlink bandwidth is enabled. If the system is to adjust the downlink bandwidth of a user automatically according to information about the access line, you must run this command in the domain that the user belongs to. By default, the system does not adjust the downlink bandwidth of a user according to information about the access line.

----End

7.2.9 Checking the Configuration

Run the following command to check the previous configuration.

Action: Check the configuration of the ANCP neighbor profile.
Command: display ancp neighbor-profile [ neighbor-profile-name ]

7.3 Maintaining ANCP

This section describes the commands used to display and clear the ANCP running information and to debug ANCP.
7.3.1 Displaying ANCP Running Information
7.3.2 Clearing ANCP Running Information
7.3.3 Debugging ANCP

7.3.1 Displaying ANCP Running Information

After the preceding configuration, run the following display commands in any view to view the ANCP running information and check the configuration. For detailed information, refer to the Quidway ME60 Multiservice Control Gateway Command Reference.

Action: Display the configuration of an ANCP neighbor profile.
Command: display ancp neighbor-profile [ neighbor-profile-name ]

Action: Display the entries of ANCP access lines.
Command: display ancp access-loop [ access-loop-circuit-index | circuit-id circuit-id-text | circuit-id-include circuit-id-include-text | neighbor-profile neighbor-profile-name | neighbor-id neighbor-id ]

Action: Display the status of an ANCP neighbor.
Command: display ancp neighbor [ id mac-address | profile neighbor-profile-name ]

Action: Display the statistics of ANCP.
Command: display ancp statistic [ neighbor-id ]

7.3.2 Clearing ANCP Running Information

CAUTION
ANCP running information cannot be restored after you clear it. Therefore, confirm the action before you use the command.

To clear ANCP running information, run the following reset commands in the ANCP view.

Action: Clear the entries of ANCP access lines.
Command: reset access-loop [ circuit-id access-loop-circuit-id | neighbor-profile neighbor-profile-name | neighbor-id neighbor-id ]

Action: Clear ANCP neighbor entries.
Command: reset neighbor [ profile neighbor-profile-name | id neighbor-id-value ]

Action: Clear the running statistics of ANCP.
Command: reset statistic [ neighbor-id ]

7.3.3 Debugging ANCP

CAUTION
Debugging affects system performance. After debugging, run the undo debugging all command to disable debugging immediately.

When a fault occurs while ANCP is running, run the following debugging command to debug ANCP and locate the fault. For the procedure for displaying the debugging information, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

Action: Enable the debugging of ANCP.
Command: debugging ancp packet

7.4 Configuration Examples

This section provides a configuration example of ANCP.

NOTE
In actual networking, the license needs to be loaded. For details, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.

7.4.1 Example for Configuring ANCP Functions

7.4.1 Example for Configuring ANCP Functions

Networking Requirements
As shown in Figure 7-2, the networking requirements are as follows:

- RADIUS authentication and RADIUS accounting are used. The IP address of the RADIUS server is 192.168.7.250; the authentication port number is 1812; the accounting port number is 1813; the shared key is itellin.
- Users dial in through DHCP or PPP and belong to domain isp1.
- Up to 3000 access lines can be connected to the DSLAM with MAC address 0001-0002-0003.
- You can configure the access lines of the DSLAM on the ME60.
- The ME60 can automatically adjust the downlink bandwidth of a user according to the service that the user selects.

Networking Diagram
Figure 7-2 Networking for configuring ANCP

[Figure not reproduced. Elements shown: RADIUS Server 192.168.7.250 and Portal Server 192.168.7.251; Video ASP and VoIP ASP; ISP; ME60 with interfaces ETH2/0/1.1 and ETH2/0/2; LAN switch; DSLAM; IAD; Phone, TV, and PC.]

Configuration Procedure
NOTE
This section provides only the configuration of the ME60. For the configurations of the IAD, DSLAM, LAN switch, and RADIUS server, refer to the related configuration manuals.

1. Configure the BRAS access feature.
Based on Figure 7-2, configure the BRAS access feature, including the authentication scheme, accounting scheme, RADIUS server, address pool, domain (for captive portal), BAS interface, and uplink interface to ensure that DHCP users and PPP users can go online from the remote end. For the configuration procedures, see chapter 5 "BRAS Access Configuration."

2. Configure ANCP functions.
# Enable ANCP.
[Quidway] ancp enable

# Configure the source interface of the ANCP session.
[Quidway] interface LoopBack 1
[Quidway-LoopBack1] ip address 1.1.1.1 24
[Quidway-LoopBack1] quit
[Quidway] ancp
[Quidway-ancp] source-interface LoopBack 1

# Configure the ANCP session parameters.
[Quidway-ancp] session interval 10 retransmit 20

# Configure the ANCP neighbor profile.
[Quidway-ancp] neighbor-profile dslam1
[Quidway-ancp-neighbor-dslam1] peer-id 1-2-3
[Quidway-ancp-neighbor-dslam1] max-access-loop 3000
[Quidway-ancp-neighbor-dslam1] quit

# Trigger the configuration of the access lines by running a command.
[Quidway-ancp] access-loop-configure circuit-id access1 service-profile profile1
[Quidway-ancp] quit

NOTE
The configuration of access lines can also be implemented through the CoA packet defined by the RADIUS protocol. To implement this function, the CoA packet must contain the Huawei proprietary attribute Ancp-Profile (26-139).

# Enable automatic adjustment of downlink bandwidth.
[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] ancp auto-qos-adapt

3. Verify the configuration.
# Display the configuration of ANCP neighbor profile dslam1.
<Quidway> display ancp neighbor-profile dslam1
Index                                :1
Neighbor Profile name                :dslam1
Neighbor Used state                  :unused
Peer ID                              :0001-0002-0003
Max access loop number               :3000
Access loop configure timeout        :5(seconds)
Access loop configure ack mandatory  :false
Access loop aging time               :150(seconds)
Access loop oam timeout              :5(seconds)
Keep-alive interval                  :10(seconds)

# Display information about access line access1.
<Quidway> display ancp access-loop circuit-id access1
Circuit index                        :0
Circuit ID                           :access1
Neighbor ID                          :0001-0002-0003
Dsl type                             :ADSL2
Actual datarate upstream             :143(Kbps)
Actual datarate downstream           :153(Kbps)
The total is 1,printed is 1

# Display the status of the peer DSLAM.
<Quidway> display ancp neighbor id 1-2-3
Neighbor Profile name                :dslam1
Neighbor state                       :ESTAB
Peer ID                              : 0001-0002-0003
Peer IP address                      :40.1.2.8
Peer port                            :8093
Neighbor capacity                    :discovery;line-cfg;
Neighbor techtype                    :5(5 is DSL)
Access loop circuit number           :0
Session message interval             :25(seconds)
Session message retransmit           :255
Max access loop number               :3000
Access loop configure timeout        :5(seconds)
Access loop configure ack mandatory  :false
Access loop aging time               :150(seconds)
Access loop oam timeout              :5(seconds)
Keep-alive interval                  :10(seconds)
Wait-ack timeout                     :30000(milliseconds)
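The verification step above can be automated. The following Python script, an added example rather than ME60 code, parses the display ancp neighbor-profile and display ancp neighbor output shown in this example and checks that the session is ESTAB, that the learned neighbor is bound to the expected profile with the same Peer ID and parameters, and whether the access-line limit has been reached. The check that profile parameters are reflected 1:1 on the live neighbor is an assumption drawn from the sample output.

```python
"""Checks the ANCP verification output from section 7.4.1 (added example, not
ME60 code): parses 'display ancp neighbor-profile' and 'display ancp neighbor'
output and confirms the session is ESTAB and the neighbor matches the profile."""
import re
from typing import Dict, List, Optional, Tuple

# Sample outputs copied from the configuration example; "Peer ID" keeps the
# stray space after the colon that the device prints.
PROFILE_OUTPUT = """\
<Quidway> display ancp neighbor-profile dslam1
Index                                :1
Neighbor Profile name                :dslam1
Neighbor Used state                  :unused
Peer ID                              :0001-0002-0003
Max access loop number               :3000
Access loop configure timeout        :5(seconds)
Access loop configure ack mandatory  :false
Access loop aging time               :150(seconds)
Access loop oam timeout              :5(seconds)
Keep-alive interval                  :10(seconds)
"""

NEIGHBOR_OUTPUT = """\
<Quidway> display ancp neighbor id 1-2-3
Neighbor Profile name                :dslam1
Neighbor state                       :ESTAB
Peer ID                              : 0001-0002-0003
Peer IP address                      :40.1.2.8
Peer port                            :8093
Neighbor capacity                    :discovery;line-cfg;
Neighbor techtype                    :5(5 is DSL)
Access loop circuit number           :0
Session message interval             :25(seconds)
Session message retransmit           :255
Max access loop number               :3000
Access loop configure timeout        :5(seconds)
Access loop configure ack mandatory  :false
Access loop aging time               :150(seconds)
Access loop oam timeout              :5(seconds)
Keep-alive interval                  :10(seconds)
Wait-ack timeout                     :30000(milliseconds)
"""

_VALUE_RE = re.compile(r"^\s*(-?\d+)\s*(?:\(([^)]*)\))?\s*$")


def parse_display(text: str) -> Dict[str, str]:
    """Turn 'Label   :value' lines into a dict; prompt and summary lines are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("<") or ":" not in line:
            continue
        label, _, value = line.partition(":")
        fields[label.strip()] = value.strip()
    return fields


def parse_number(value: str) -> Tuple[Optional[int], str]:
    """'150(seconds)' -> (150, 'seconds'); '255' -> (255, ''); text -> (None, text)."""
    m = _VALUE_RE.match(value)
    if not m:
        return None, value
    return int(m.group(1)), m.group(2) or ""


def check_neighbor(profile_text: str, neighbor_text: str) -> List[str]:
    """Cross-check the two displays; an empty list means everything is consistent."""
    profile = parse_display(profile_text)
    neighbor = parse_display(neighbor_text)
    findings: List[str] = []
    if neighbor.get("Neighbor state") != "ESTAB":
        findings.append(f"ANCP session not established: {neighbor.get('Neighbor state')}")
    if neighbor.get("Neighbor Profile name") != profile.get("Neighbor Profile name"):
        findings.append("neighbor bound to a different profile")
    if neighbor.get("Peer ID", "").lower() != profile.get("Peer ID", "").lower():
        findings.append("neighbor ID differs from the profile peer-id")
    # Assumption: profile parameters are reflected 1:1 on the live neighbor.
    for key in ("Max access loop number", "Access loop configure timeout",
                "Access loop aging time", "Access loop oam timeout", "Keep-alive interval"):
        if parse_number(profile.get(key, ""))[0] != parse_number(neighbor.get(key, ""))[0]:
            findings.append(f"{key} mismatch between profile and neighbor")
    lines, _ = parse_number(neighbor.get("Access loop circuit number", ""))
    limit, _ = parse_number(neighbor.get("Max access loop number", ""))
    if lines is not None and limit is not None and lines >= limit:
        findings.append(f"access-line limit reached ({lines}/{limit}); new lines will be refused")
    return findings
```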

Configuration Files
#
 sysname Quidway
#
 ancp enable
#
radius-server group group1
 radius-server authentication 192.168.7.250 1812 weight 0
 radius-server accounting 192.168.7.250 1813 weight 0
#
interface Ethernet2/0/1
#
interface Ethernet2/0/1.1
 pppoe-server bind Virtual-Template 1
 user-vlan 100
 bas
  access-type layer2-subscriber default-domain authentication isp1
  authentication-method ppp web
#
interface Ethernet2/0/2
 ip address 192.168.7.1 255.255.255.0
#
interface Virtual-Template1
#
interface LoopBack1
 ip address 1.1.1.1 255.255.255.0
#
ip pool pool1 local
 gateway 172.1.1.1 255.255.255.0
 section 0 172.1.1.2 172.1.1.200
#
aaa
 authentication-scheme auth1
 accounting-scheme acct1
 domain default0
 domain default1
 domain default_admin
 domain isp1
  authentication-scheme auth1
  accounting-scheme acct1
  radius-server group group1
  portal-server 192.168.7.251
  portal-server url http://192.168.7.251
  ip-pool pool1
  ancp auto-qos-adapt
#
ancp
 source-interface LoopBack1
 session interval 10 retransmit 20
 neighbor-profile default-neighbor
 neighbor-profile dslam1
  peer-id 0001-0002-0003
  max-access-loop 3000
#
return

8 User Information Backup Configuration

About This Chapter

This chapter describes the rationale and configuration of local user information backup and remote information backup and provides several configuration examples.
8.1 Introduction
This section describes the principle and implementation of remote information backup.
8.2 Configuring Local Information Backup
This section describes the procedure for configuring the local information backup function.
8.3 Configuring Remote Information Backup Platform
This section describes the procedure for configuring the remote information backup platform.
8.4 Configuring Remote Information Backup
This section describes the procedure for configuring the remote information backup function.
8.5 Maintaining
This section describes how to display and clear backup information.
8.6 Configuration Examples
This section provides several configuration examples of user information backup.

8.1 Introduction
This section describes the principle and implementation of remote information backup.
8.1.1 Background
8.1.2 Local Information Backup
8.1.3 Remote Information Backup

8.1.1 Background
The ME60 functions as an edge router in the network. It is connected to the core network to implement the routing function, and to the convergence layer to terminate Layer 2 user packets and implement the user access function. The ME60 must ensure high availability of services. Earlier versions do not support ring networks such as RRPP and do not support service switchover between devices: when a fault occurs on the device, DHCP users must redial to resume the service. In this version, the ME60 can back up user information locally or to a remote device to ensure high reliability. Service switchover between the active and standby MPUs can be completed within 50 ms. Bandwidth on demand (BoD) service switchover between devices can be completed within 50 ms. Switchover of common high speed internet (HSI) service between devices can be completed within 200 ms.

8.1.2 Local Information Backup

Networking
Figure 8-1 Networking for local information backup

[Figure not reproduced. Elements shown: RADIUS Server, Portal Server, DHCP Server, Internet, ME60, DSLAM, PC.]

DHCP User Information

When a DHCP user logs in, the ADSL modem adds Option 60 to the DHCP packet, and the DSLAM then adds Option 82. Option 60 is used for service wholesale. Option 82 is used by the RADIUS or DHCP server for authentication, authorization, and address allocation. The ME60 does not support the authentication and authorization of RADIUS servers. Option 82 can also match the terminals in a family to implement hierarchical QoS scheduling.

Local DHCP Information Backup

When a fault occurs or the user logs out abnormally, the user needs to send IP (or ARP) packets to trigger login. If only one ME60 exists in the network and it does not back up the user information, the ME60 cannot obtain Option 82 and Option 60 from the IP or ARP packets, which causes authentication failure or address allocation errors. To ensure normal login of DHCP users, the ME60 needs to record the basic information and Option attributes of users. This process is intra-device backup (local backup). When users log in again after the device is restarted (except when the restart is caused by a power-off), the device can restore the user information from the backup record. Currently, the backup information is stored in high memory. DHCP users can resume the service without redialing.

8.1.3 Remote Information Backup

Currently, the ME60 can back up DHCP user information, Point-to-Point Protocol over Ethernet (PPPoE) user information, Web authentication user information, and static user information. L2TP user information and leased line access user information cannot be backed up. The user information can be backed up on GigabitEthernet interfaces, Eth-Trunk interfaces, and virtual Ethernet (VE) interfaces. The backup information mainly covers:

- Basic user information, including the user MAC address, session ID, IP address, user name, authentication information, and Option 60
- Accounting information, including the accounting ID, traffic information, and duration
- QoS information, including the user priority and QoS profiles
- Location information, including the inner and outer VLAN tags, and Option 82

The backup information is used as follows:

- Authentication and authorization information: Users do not need to redial for authentication.
- Accounting information: The bill is not lost after the master/slave switchover is performed.
- Access position information: The bound user can log in at the new position.
- QoS information: QoS scheduling remains unchanged before and after the master/slave switchover is performed.

RUI
The Redundancy User Information (RUI) protocol is a Huawei proprietary protocol used to back up user information between devices. The RUI protocol runs over TCP. RUI defines the type, format, and amount of user information to be transmitted between the two devices.

RBS
With the remote backup server (RBS) feature, TCP functions as a remote backup server through the configuration of TCP parameters and protection tunnels. You can specify an RBS in the RBP. Multiple RBPs can share one TCP connection and protection tunnel. Currently, RUI supports up to four TCP connections. When the remote information backup feature is enabled, the device with the greater IP address listens on the socket during the setup of the TCP connection, and the device with the smaller IP address initiates the TCP connection to the peer. After the TCP connection is set up successfully, the backup protocol is used to transmit data in batch backup and real-time backup modes.

RBP
The remote backup profile (RBP) module provides a uniform user interface for remote information backup configuration, and the various types of remote information backup configuration are based on the RBP.

Real-time Backup and Batch Backup


The user information is backed up between devices in real time or in batches. When a user goes online, goes offline, the lease changes or expires, or the administrator disconnects the user, the master ME60 requests the slave ME60 to add, delete, or modify the backup record in real time. If a new backup device is added or the fault is rectified on the backup link, the ME60 adopts the batch backup mode to ensure the same information between devices.

Hot Backup and Warm Backup

After receiving the backup information, the slave ME60 processes the information in hot backup or warm backup mode.

- Hot backup
  After receiving the backup information from the master ME60, the slave ME60 immediately generates user information and forwarding entries. When a fault occurs, the service can be switched over quickly.

- Warm backup
  The slave ME60 does not generate user information and forwarding entries after receiving the backup information from the master ME60. Instead, it stores the information on the main control board. After the master/slave switchover is performed, the slave ME60 generates the user information and forwarding entries. The warm backup mode is applicable to N:1 backup, but the service switchover time is longer.

Access Modes of Remote Information Backup of User Information Supported by the ME60
The ring and tree Ethernet access modes are used for remote information backup of user information.

- Ring Ethernet access

Figure 8-2 Networking diagram of ring Ethernet access for remote information backup

[Figure not reproduced. Elements shown: Master and Backup routers, VRRP + BFD between them on the access side, RUI between them for user information synchronization.]

As shown in Figure 8-2, the access network is a ring Ethernet network. The two switches on the ring are connected to the master and slave routers respectively. The routers perform authentication, authorization, and accounting for access users and connect to users. The Virtual Router Redundancy Protocol (VRRP) is used to determine the master and slave devices, and the RUI protocol is used between the devices to synchronize user information. RUI is associated with VRRP, implementing switchover of user data forwarding between the master and slave devices. The service switchover time depends on the convergence time of the Layer 2 ring.

- Tree Ethernet access

Figure 8-3 Networking diagram of tree Ethernet access for remote information backup

[Figure not reproduced. Elements shown: Master and Backup routers, VRRP and BFD between them.]

As shown in Figure 8-3, the access network is a tree Ethernet network. The two switches are connected to the master and slave routers respectively in dual-homing mode. VRRP is used to determine the master and slave devices, and the RUI protocol is used between the devices to synchronize user information. RUI is associated with VRRP, implementing switchover of user data forwarding between the master and slave devices.
8.2 Configuring Local Information Backup

This section describes the procedure for configuring the local information backup function.

NOTE
- Currently, local information backup provides backup for DHCP users, PPP users, and Web authentication users. DHCP users are divided into HSI users and non-HSI users. If the service type of the domain is configured as HSI, the users are HSI users; otherwise, they are non-HSI users. Information about both HSI users and non-HSI users is backed up locally.
- In practice, the probability of a device power-off is small, so user information loss upon device power-off is not considered.

8.2.1 Establishing the Configuration Task
8.2.2 Enabling Local Information Backup
8.2.3 (Optional) Setting the Alarm Threshold of User Information
8.2.4 Checking the Configuration

8.2.1 Establishing the Configuration Task

Applicable Environment
If only one ME60 exists in the network, information about DHCP users is stored in the high memory of the ME60. When the user goes offline or the device is restarted, the user information can be restored from the backup record.

Pre-configuration Tasks
None.

Data Preparation
To configure local information backup, you need the following data.

No.   Data
1     Alarm threshold of user information

8.2.2 Enabling Local Information Backup

Context
Do as follows on the ME60 that backs up the user information.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
local-backup enable

Local information backup is enabled. By default, local information backup is disabled.

----End

8.2.3 (Optional) Setting the Alarm Threshold of User Information

Context
Do as follows on the ME60 that backs up the user information.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
local-backup-info alarm-threshold threshold

The alarm threshold of user information is set. When the percentage of user information reaches this threshold, the system generates an alarm and local information backup stops. By default, the user information alarm threshold is 75%.

----End

8.2.4 Checking the Configuration

Run the following command to check the previous configuration.

Action: Check the alarm threshold for local user information backup.
Command: display local-backup-info alarm-threshold

8.3 Configuring Remote Information Backup Platform

This section describes the procedure for configuring the remote information backup platform.
8.3.1 Establishing the Configuration Task
8.3.2 Configuring VRRP
8.3.3 Configuring the Remote Backup Server
8.3.4 Configuring a Remote Backup Profile
8.3.5 Checking the Configuration

8.3.1 Establishing the Configuration Task

Applicable Environment
As the edge service router, the ME60 is directly connected to the convergence device. The convergence device is connected to a downstream device such as a DSLAM and to multiple upstream ME60s. Backup is used between the ME60s, that is, when one or more ME60s are faulty, services can be quickly switched to the slave device. VRRP is enabled between the two ME60s, so the downstream convergence device sees the two ME60s as one router. Bidirectional Forwarding Detection (BFD) is enabled between the interfaces of the two ME60s so that they can quickly detect faults on interfaces and links and trigger service switchover. Similarly, a failure of the transmission device between the ME60 and the LSW may cause an incorrect change of the VRRP status; in this case, you can enable link detection to ensure a correct switchover.

Pre-configuration Tasks
Before establishing the remote information backup platform, complete the following tasks:

- Enable BFD on the upstream interfaces of the two devices.
- Enable link detection and configure Ethernet OAM between the ME60 and the downstream convergence device.

Data Preparation
To establish the remote information backup platform, you need the following data.

No.   Data
1     VRRP backup group ID
2     IP addresses of the devices that back up each other
3     Backup ID, which is used together with the RBS to determine the RBP that the user belongs to

8.3.2 Configuring VRRP

Context
NOTE
This section provides the basic configuration procedure of VRRP. For more information, see the Quidway ME60 Multiservice Control Gateway Configuration Guide - Reliability.

Do as follows on the devices that back up each other.

Procedure
- Configure a VRRP backup group.
  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     interface interface-type interface-number

     The interface view is displayed.

     NOTE
     The VRRP-enabled interface and the interface through which the user goes online are configured on the same physical interface, or either of the two interfaces is the main interface.

  3. Run:
     vrrp vrid virtual-router-ID virtual-ip virtual-address

     A backup group is created and a virtual IP address is assigned.

  4. Run:
     admin-vrrp vrid virtual-router-ID

     The VRRP group is set to an mVRRP group.

     NOTE
     The VRRP group specified in this command must be an mVRRP group. The two devices backing up each other must be configured with the same virtual router ID (VRID) and the same virtual IP address. In addition, the virtual IP address must differ from the real IP address.

- Configure VRRP switchover.
  1. In the view of the interface where the VRRP backup group resides, run the vrrp vrid virtual-router-id track bfd-session bfd-session-id { link | peer } command to track the status of the link BFD session or peer BFD session.
  2. (Optional) Run the vrrp vrid virtual-router-id track efm interface interface-type interface-number [ sub interface-number ] command to track the status of the EFM session.
  3. (Optional) Run the vrrp vrid virtual-router-id track cfm md md-name ma ma-name remote-mep mep-id mep-id command to track the CFM session.
  4. (Optional) Run the vrrp vrid virtual-router-ID track interface interface-type interface-number [ increased value-increased | reduced value-reduced ] command to track the status of the specified interface.

     By default, when a tracked interface goes Down, the priority of the device where the interface resides is reduced by 10.
     increased value-increased: specifies the value by which the priority is increased each time the tracked interface goes Down. The value ranges from 1 to 255.
     reduced value-reduced: specifies the value by which the priority is decreased when the tracked interface goes Down. The value ranges from 1 to 255.

- (Optional) Set the transmission interval of VRRP advertisement packets.
  In the view of the interface where the VRRP backup group resides, run the vrrp vrid virtual-router-id timer advertise adver-interval command to set the transmission interval of VRRP advertisement packets. By default, a VRRP advertisement packet is sent every second. When the backup group is bound to multiple RBPs and the RBPs are bound to multiple interfaces, a short transmission interval may cause the VRRP status to alternate between Master and Backup frequently. In this situation, you need to lengthen the transmission interval. You are recommended to set the interval according to this formula: Number of RBPs x Number of sub-interfaces that switch over concurrently / 3. For instance, if there are two RBPs for VRRP and the two RBPs are bound to 16 sub-interfaces, the interval is (2 x 16 / 3) = 10 seconds.

----End

8.3.3 Configuring the Remote Backup Server


Context
Do as follows on the devices that back up each other:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
remote-backup-server server-name

The remote backup server view is displayed.
Step 3 Run:
peer peer-ip-address source source-ip-address port port-id

The TCP connection with the remote server is set up. peer-ip-address specifies the IP address of the peer device; source-ip-address specifies the IP address of the local device. The peer address must be configured on a main interface, sub-interface, or logical interface (such as a loopback interface) of the peer device, and the local address on a main interface, sub-interface, or logical interface of the local device. The two addresses must be reachable from each other (a ping between them must succeed). port-id specifies the TCP port that the server listens on; the same port number must be configured on both devices that back up each other. This connection carries subscriber session state (user names, IP addresses, and MAC addresses, as the display output in 8.6.1 shows), so reachability of the port should be limited to the peer's source address.
Step 4 (Optional) Run:
traffic backup [ interval interval-value | threshold threshold-value ]

The interval at which user traffic information is backed up, or the traffic threshold that triggers a backup, is set.
----End

8.3.4 Configuring a Remote Backup Profile


Context
Do as follows on the devices that back up each other:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
remote-backup-profile profile-name

The remote backup profile view is displayed.
Step 3 Run:
peer-backup { hot | warm } enable

Hot backup or warm backup of user information between the devices is enabled. By default, user information is backed up in hot backup mode.
Step 4 Run:
vrrp-id vrid

The VRRP backup group is bound to the RBP. vrid specifies the ID of the VRRP backup group and must be the same as the VRRP backup group ID configured on the interface.
Step 5 Run:
backup-id backup-id remote-backup-server name

The remote backup profile is associated with the RBS. backup-id specifies the remote backup ID. The ME60 finds the remote backup profile that a user belongs to from the backup ID and the RBS, so the backup ID associated with the remote backup profile must be the same on both devices that back up each other.
----End

8.3.5 Checking the Configuration


Run the following commands to check the previous configuration.

Action                                                Command
Check information about the remote backup profile.    display remote-backup-profile [ profile-name ]
Check information about the remote backup server.     display remote-backup-server [ server-name ]

8.4 Configuring Remote Information Backup


This section describes the procedure for configuring the remote information backup function.
8.4.1 Establishing the Configuration Task
8.4.2 Configuring Traffic Diverting from the Network Side to the User Side
8.4.3 Binding the Remote Backup Profile to the Interface or Domain Through Which a User Goes Online
8.4.4 (Optional) Setting NAS Parameters
8.4.5 (Optional) Adjusting User Information Backup
8.4.6 Checking the Configuration

8.4.1 Establishing the Configuration Task


Applicable Environment
To improve network reliability and shorten service interruption, configure user information backup between the master and backup devices. After a user goes online through the master device, the master device backs up the user information to the backup device, which generates the corresponding user entries and delivers forwarding entries. When a fault occurs on the network, the user's routes are steered so that user traffic reaches the backup device and is forwarded to the user. Users do not perceive the fault and do not need to dial in again.

Pre-configuration Tasks
Before configuring remote information backup, complete the following tasks:
l Enabling the BAS function and configuring the same BAS parameters on the master and backup devices so that users can go online (for details, see the "BRAS Access" chapter)
l Establishing the remote information backup platform
l Configuring an IP address pool (the IP address pools on the devices that back up each other must be the same)

Data Preparation
To configure remote information backup, you need the following data.

No.   Data
1     IP address pool name
2     Logical IP address, logical interface, and logical host name

8.4.2 Configuring Traffic Diverting from the Network Side to the User Side
Context
There are several ways to implement user information backup: address pool route, host route, and tunnel. They differ in how traffic is diverted from the network side to the user side during a master/backup switchover.
l Address pool route: The master device advertises the address pool route and the backup device withdraws it. After a master/backup switchover, the new master and backup devices do the same.
l Host route: The master device advertises the address pool route and the backup device advertises no address pool route. After a master/backup switchover, the new master device takes over and advertises 32-bit host routes.
l Tunnel: Both the master and backup devices advertise the address pool route, but the route advertised by the backup device has a higher cost. After a master/backup switchover, the routes remain unchanged.

The following table lists the advantages and disadvantages of each traffic-diverting scheme. The tunnel scheme is recommended.

Table 8-1 Comparison of traffic-diverting schemes

Scheme: Address pool route
  Advantages: Easy to configure; no link needs to be added.
  Disadvantages: Each RBP needs an exclusive address pool, so IP addresses are wasted. Load balancing is not supported.

Scheme: Host route
  Advantages: Easy to configure, with low requirements on network performance. Multiple RBPs can share the same address pool.
  Disadvantages: When there are a great number of users, the switchover (one 32-bit host route per user) impacts the network routes.

Scheme: Tunnel
  Advantages: Fast switchover; multiple RBPs can share the same address pool; routes do not need to change when traffic is switched over.
  Disadvantages: More tunnels need to be configured. If a fault occurs while the direct link is unavailable, bandwidth usage at the network side is high.

Do as follows on the devices that back up each other.

Procedure
l Tunnel scheme
  If the exclusive IP address pool mode is adopted, a great number of address pools are needed, which wastes IP addresses. The shared IP address pool mode solves this problem. To adopt the shared IP address pool mode, ensure that the following conditions are met:
  - Address pools are not bound to the RBP.
  - Both the master and backup devices advertise the address pool segment route and are configured with route policies, so that the route advertised by the master device is preferred and the network-side router does not load-balance between the two devices.
  - A protection tunnel, for example an MPLS TE or GRE tunnel, is set up between the master and backup devices. When the uplink fails, the downstream traffic of the users is diverted into the protection tunnel.
  The ip-pool command in the RBS view binds the address pool to the RBS. This ensures that network-side traffic can be forwarded through the protection tunnel before the host route is generated.
  1. Run: system-view
     The system view is displayed.
  2. Run: remote-backup-server server-name
     The RBS view is displayed.
  3. Run: ip-pool pool-name
     The IP address pool is bound to the RBS. Up to 64 address pools can be bound.
  4. Run: tunnel tunnel-name ip-ttl ttl-value
     The protection tunnel is specified and the TTL value of IP packets sent over it is set.
l Address pool route scheme
  If the address pool route scheme is adopted, plan an address pool for each physical interface and bind the address pool to an RBP. When the RBP is in the master state, the address pool segment route is advertised; when the RBP is in the backup state, the route is withdrawn. In this manner, the network-side route is under control and the address pool segment route always leads to the master device, so the device controls the switching of the downstream forwarding path per interface.
  1. Run: system-view
     The system view is displayed.
  2. Run: remote-backup-profile profile-name
     The RBP view is displayed.
  3. Run: ip-pool pool-name
     The address pool is bound to the RBP.
     NOTE
     Up to 64 address pools can be bound to an RBP. The master and backup devices must be configured with the same address pool.
l Host route scheme
  If this scheme is adopted, run the export host-route command in the address pool view on the backup device. The address pool segment route is then withdrawn and host routes are advertised instead. Address pools need not be bound to RBPs or RBSs.
  1. Run: system-view
     The system view is displayed.
  2. Run: ip pool pool-name [ local [ slave ] | relay | remote ]
     An address pool is created and its view is displayed.
  3. Run: export host-route
     The address pool is configured to advertise host routes.

----End

8.4.3 Binding the Remote Backup Profile to the Interface or Domain Through Which a User Goes Online
Context
Do as follows on the devices that back up each other.

Procedure
l Bind the remote backup profile to the interface through which a user goes online.
  1. Run: interface interface-type interface-number
     The view of the interface through which a user goes online is displayed.
  2. Run: remote-backup-profile profile-name
     The remote backup profile is bound to the interface.
     NOTE
     A remote backup profile can be bound to up to 16 sub-interfaces of a main interface.
l Bind the remote backup profile to the domain through which a user goes online.
  1. Run: system-view
     The system view is displayed.
  2. Run: aaa
     The AAA view is displayed.
  3. Run: domain domain-name
     The domain view is displayed.
  4. Run: peer-backup enable
     Backup of information about users in the domain is enabled.

----End

8.4.4 (Optional) Setting NAS Parameters


Context
Do as follows on the devices backing up each other so that a user does not have to be authenticated for a second time when the user goes online through the backup device:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
remote-backup-profile profile-name

The remote backup profile view is displayed.
Step 3 Run:
nas logic-ip ip-address

The logical IP address is set.
Step 4 Run:
nas logic-port interface-name

The logical interface is set.
Step 5 Run:
nas logic-sysname host-name

The logical host name is set.
----End

Result
After the preceding configurations, the packets sent from the devices backing up each other to the RADIUS and DHCP servers contain the same NAS-IP-Address, NAS-Port, NAS-Port-ID, and Option 82 information.

8.4.5 (Optional) Adjusting User Information Backup


Context
Do as follows on the devices that back up each other.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
peer-backup switch-back-time time

The time after which the backup device switches services back to the master device is set. By default, the backup device waits 10 minutes before switching services back. If Smartlink is configured on the downstream switch connected to the ME60, set the switchback waiting time to 0 minutes so that the backup device switches services back as soon as the interface goes Up; in that case, also run the carrier up-hold-time command to enlarge the hold time, so that the system does not react to the interface status change immediately and both the Smartlink and VRRP status can switch over.
Step 3 Run:
peer-backup user-limit number

The maximum number of remote backup users is set. By default, the maximum number of remote backup users is 1114112.
Step 4 Run:
peer-backup user-threshold threshold

The alarm threshold for the ratio of the number of remote backup users to the maximum number of users supported by the device is set. By default, no alarm threshold is set.
Step 5 Run:
peer-backup slave radius-request discard

The backup device is instructed to discard RADIUS request packets. By default, the backup device of an RBS does not discard RADIUS packets.
----End

8.4.6 Checking the Configuration


Run the following commands to check the previous configuration.

Action                                                Command
Check information about the remote backup profile.    display remote-backup-profile [ profile-name ]
Check information about the remote backup server.     display remote-backup-server [ server-name ]
Check information about the backup user.              display backup-user [ user-id user-id | username { username | include include-text } ]
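The pairing rules stated in 8.3.2 through 8.3.4 (same VRID and virtual IP on both devices, virtual IP distinct from both real IPs, admin-vrrp set, mirrored peer/source and the same port on the RBS, the same backup ID on the RBP) and the 8.4.1 requirement that the address pools be identical are easy to get wrong when the two devices are edited separately. The following Python script is an added example, not part of this guide or of the ME60 software: it parses the relevant commands out of two configuration texts (a constructed sample modelled on the 8.6.1 example, not captured from a device) and reports every rule that is violated, including a pool section that lies outside its gateway subnet. It assumes the indentation of a VRP configuration file (view-entering commands at column 0, sub-commands indented) and ignores commands it does not know.

```python
"""Pairing checks for ME60 remote backup configuration (VRRP, RBS, RBP, pools)."""
import ipaddress, re

# Constructed sample modelled on the 8.6.1 example; not captured from a device.
ME60A_CFG = """\
interface gigabitethernet 1/0/0.2
 ip address 100.0.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 100.0.0.100
 admin-vrrp vrid 1
 vrrp vrid 1 priority 120
remote-backup-server server1
 peer 88.88.88.88 source 22.22.22.22 port 6000
 ip-pool pool1
remote-backup-profile profile1
 vrrp-id 1
 backup-id 10 remote-backup-server server1
ip pool pool1 local
 gateway 118.118.0.1 255.255.0.0
 section 0 118.118.0.2 118.118.254.254
"""
# ME60B mirrors ME60A: its own real address, a lower priority, swapped peer/source.
ME60B_CFG = (ME60A_CFG.replace("100.0.0.1 255", "100.0.0.2 255")
             .replace("priority 120", "priority 80")
             .replace("peer 88.88.88.88 source 22.22.22.22",
                      "peer 22.22.22.22 source 88.88.88.88"))

def parse(cfg):
    """Collect the backup-relevant commands from a VRP-style configuration text."""
    d = {"iface": {}, "vrrp": {}, "rbs": {}, "rbp": {}, "pool": {}}
    cur = iface = None
    def grp(vrid):  # VRRP group record; the interface is the one being parsed
        return d["vrrp"].setdefault(vrid, {"vip": None, "iface": iface, "admin": False, "prio": 100})
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # column 0: a command that enters a view
            tok, cur, iface = line.split(), None, None
            if tok[0] == "interface":
                iface = " ".join(tok[1:])
            elif tok[0] in ("remote-backup-server", "remote-backup-profile"):
                cur = d["rbs" if tok[0].endswith("server") else "rbp"].setdefault(tok[1], {"pools": []})
            elif tok[:2] == ["ip", "pool"]:
                cur = d["pool"].setdefault(tok[2], {"sections": []})
            continue
        if iface and (m := re.match(r"ip address (\S+) \S+", line)):
            d["iface"][iface] = m[1]
        elif iface and (m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+)", line)):
            grp(m[1])["vip"] = m[2]
        elif iface and (m := re.match(r"admin-vrrp vrid (\d+)", line)):
            grp(m[1])["admin"] = True
        elif iface and (m := re.match(r"vrrp vrid (\d+) priority (\d+)", line)):
            grp(m[1])["prio"] = int(m[2])
        elif cur is not None:
            if m := re.match(r"peer (\S+) source (\S+) port (\d+)", line):
                cur.update(peer=m[1], source=m[2], port=m[3])
            elif m := re.match(r"ip-pool (\S+)", line):
                cur["pools"].append(m[1])
            elif m := re.match(r"vrrp-id (\d+)", line):
                cur["vrid"] = m[1]
            elif m := re.match(r"backup-id (\d+) remote-backup-server (\S+)", line):
                cur.update(backup_id=m[1], server=m[2])
            elif m := re.match(r"gateway (\S+) (\S+)", line):
                cur["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            elif m := re.match(r"section \d+ (\S+) (\S+)", line):
                cur["sections"].append((m[1], m[2]))
    return d

def check_config_pair(cfg_a, cfg_b):
    """Return findings for a master/backup pair; an empty list means it is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    for name, pa in a["rbp"].items():  # RBP: same backup ID and VRID, bound to a real group
        pb, vrid = b["rbp"].get(name, {}), pa.get("vrid")
        if pa.get("backup_id") != pb.get("backup_id") or vrid != pb.get("vrid"):
            out.append(f"RBP {name}: backup-id or vrrp-id differs between the devices")
        ga, gb = a["vrrp"].get(vrid), b["vrrp"].get(vrid)
        if not (ga and gb):
            out.append(f"RBP {name}: VRID {vrid} is not configured on an interface of both devices")
            continue
        ra, rb = a["iface"].get(ga["iface"]), b["iface"].get(gb["iface"])
        if ga["vip"] != gb["vip"] or not (ga["admin"] and gb["admin"]) or ga["prio"] == gb["prio"]:
            out.append(f"VRID {vrid}: virtual IP, admin-vrrp or priorities are not set as required")
        if ga["vip"] in (ra, rb) or ra == rb:
            out.append(f"VRID {vrid}: real ({ra}, {rb}) and virtual ({ga['vip']}) addresses must all differ")
    for name, sa in a["rbs"].items():  # RBS: mirrored peer/source, same port, same pools
        sb = b["rbs"].get(name, {})
        if ((sa.get("peer"), sa.get("source"), sa.get("port"), sorted(sa["pools"])) !=
                (sb.get("source"), sb.get("peer"), sb.get("port"), sorted(sb.get("pools", [])))):
            out.append(f"RBS {name}: peer/source not mirrored, or port or bound pools differ")
    for name, pa in a["pool"].items():  # pools: identical on both sides, sections inside the subnet
        pb = b["pool"].get(name, {})
        if pa.get("net") != pb.get("net") or pa["sections"] != pb.get("sections"):
            out.append(f"pool {name}: definition differs between the devices")
        for lo, hi in pa["sections"]:
            if "net" in pa and not all(ipaddress.ip_address(x) in pa["net"] for x in (lo, hi)):
                out.append(f"pool {name}: section {lo}-{hi} lies outside {pa['net']}")
    return out
```

check_config_pair(ME60A_CFG, ME60B_CFG) returns an empty list for the sample pair; feeding it the two configuration files of 8.6.1 with one device's real address or pool section mistyped produces a finding naming the VRID or pool concerned.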

8.5 Maintaining
This section describes how to display and clear backup information.
8.5.1 Displaying Backup Information
8.5.2 Clearing Backup Information


8.5.1 Displaying Backup Information


After the preceding configurations, run the following display commands in any view to view backup information and check the configurations. For a detailed explanation of the output, refer to the Quidway ME60 Multiservice Control Gateway Command Reference.

Action                                                  Command
Display information about the backup user.              display backup-user [ user-id user-id | username { user-name | include include-text } ]
Display information about the remote backup server.     display remote-backup-server [ server-name ]

8.5.2 Clearing Backup Information

CAUTION
Backup information cannot be restored after you clear it, so confirm the action before you run the command. Then run the following reset command in the system view to clear backup information.

Action                                                  Command
Clear user information on the remote backup server.     reset remote-backup-server server-name

8.6 Configuration Examples


This section provides several configuration examples of user information backup.
8.6.1 Example for Configuring User Information Backup Based on Direct Tunnel Protection
8.6.2 Example for Configuring User Information Backup Based on Network Side Tunnels and Downstream Smartlink
8.6.3 Example for Configuring User Information Backup in Exclusive Address Pool Mode (address pool route)

8.6.1 Example for Configuring User Information Backup Based on Direct Tunnel Protection

Networking Requirements
As shown in Figure 8-4, users access ME60A and ME60B through the LSW. ME60A and ME60B run VRRP and work in master/backup mode. Both are configured so that users can go online through the master device. No address pool needs to be bound to the RBPs on ME60A and ME60B. Through a routing policy, different route costs (or different routing-protocol weights on the interfaces) are configured on ME60A and ME60B so that network-side traffic is steered to the master device. An MPLS TE tunnel is set up between ME60A and ME60B: when a network-side interface or link fails, network-side traffic is sent back to the users over this direct tunnel.

Figure 8-4 Example for configuring user information backup based on direct tunnel protection
[Figure: Router C in the IP/MPLS core connects to GE 2/0/0 of ME60-A and of ME60-B; GE 3/0/0 of ME60-A and GE 3/0/0 of ME60-B are directly linked; GE 1/0/0 of ME60-A (100.0.0.1/24) and of ME60-B (100.0.0.2/24) face the metro network.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the BAS function and configure the same BAS parameters on the master and backup devices to allow users to go online. For details, see the "BRAS Access Configuration" chapter.
2. Set up an MPLS TE tunnel between ME60A and ME60B and ensure that the tunnel is Up.
3. Set up a platform for remote information backup.
4. Set the NAS parameters and the traffic backup interval or traffic volume threshold.
5. Configure traffic reverting guidance at the network side.
6. Bind the RBP to the interface and domain through which users go online.

Data Preparation
To complete the configuration, you need the following data:
l VRRP ID
l IP addresses of the ME60s that back up each other
l Backup ID (the RBP that a user belongs to is determined from the user's backup ID and the RBS)

Procedure
Step 1 Set up a platform for remote information backup.
NOTE

In this example, only the configuration for user information backup is listed.

# Configure a BFD session at the access side to fast detect interface or link faults, and then trigger a VRRP switchover. Here, 100.0.0.2 is the IP address of the GE 1/0/0.2 interface on ME60B.
[ME60A] bfd
[ME60A-bfd] quit
[ME60A] bfd bfd bind peer-ip 100.0.0.2
[ME60A-bfd-session-bfd] discriminator local 1
[ME60A-bfd-session-bfd] discriminator remote 2
[ME60A-bfd-session-bfd] commit
[ME60A-bfd-session-bfd] quit
[ME60B] bfd
[ME60B-bfd] quit
[ME60B] bfd bfd bind peer-ip 100.0.0.1
[ME60B-bfd-session-bfd] discriminator local 2
[ME60B-bfd-session-bfd] discriminator remote 1
[ME60B-bfd-session-bfd] commit
[ME60B-bfd-session-bfd] quit

# Check the status of the BFD session on ME60A (local discriminator 1, remote discriminator 2). The session is set up and is Up.
[ME60A] display bfd session peer-ip 100.0.0.2
--------------------------------------------------------------------------------
Local  Remote  PeerIpAddr    InterfaceName  State  Type
--------------------------------------------------------------------------------
1      2       100.0.0.2                    Up     S_IP_PEER
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0

# Configure link detection. Here, EFM is used for link detection.


[ME60A] efm enable
[ME60A] interface GigabitEthernet 1/0/0
[ME60A-GigabitEthernet1/0/0] efm enable
[ME60A-GigabitEthernet1/0/0] quit
[ME60B] efm enable
[ME60B] interface GigabitEthernet 1/0/0
[ME60B-GigabitEthernet1/0/0] efm enable
[ME60B-GigabitEthernet1/0/0] quit


# Configure the interface that the VRRP status is bound to. In this example, the interface is GE 1/0/0.2. Track the BFD session status, the EFM session and, on ME60A, the network-side interface. ME60B uses its own real address 100.0.0.2 (see Figure 8-4).
[ME60A] interface gigabitethernet 1/0/0.2
[ME60A-GigabitEthernet1/0/0.2] vlan-type dot1q 200
[ME60A-GigabitEthernet1/0/0.2] ip address 100.0.0.1 255.255.255.0
[ME60A-GigabitEthernet1/0/0.2] vrrp vrid 1 virtual-ip 100.0.0.100
[ME60A-GigabitEthernet1/0/0.2] admin-vrrp vrid 1
[ME60A-GigabitEthernet1/0/0.2] vrrp vrid 1 priority 120
[ME60A-GigabitEthernet1/0/0.2] vrrp vrid 1 track bfd-session 1 peer
[ME60A-GigabitEthernet1/0/0.2] vrrp vrid 1 track efm interface GigabitEthernet1/0/0
[ME60A-GigabitEthernet1/0/0.2] vrrp vrid 1 track interface gigabitethernet 2/0/0 reduced 50
[ME60A-GigabitEthernet1/0/0.2] quit
NOTE
To distinguish the master device from the backup device, set different VRRP priorities on the two devices. The device with the higher priority becomes the master.
[ME60B] interface gigabitethernet 1/0/0.2
[ME60B-GigabitEthernet1/0/0.2] vlan-type dot1q 200
[ME60B-GigabitEthernet1/0/0.2] ip address 100.0.0.2 255.255.255.0
[ME60B-GigabitEthernet1/0/0.2] vrrp vrid 1 virtual-ip 100.0.0.100
[ME60B-GigabitEthernet1/0/0.2] admin-vrrp vrid 1
[ME60B-GigabitEthernet1/0/0.2] vrrp vrid 1 priority 80
[ME60B-GigabitEthernet1/0/0.2] vrrp vrid 1 track bfd-session 2 peer
[ME60B-GigabitEthernet1/0/0.2] vrrp vrid 1 track efm interface GigabitEthernet1/0/0
[ME60B-GigabitEthernet1/0/0.2] quit

# Configure the RBS, TCP connection, and traffic backup intervals.


[ME60A] remote-backup-server server1
[ME60A-rm-backup-srv-server1] peer 88.88.88.88 source 22.22.22.22 port 6000
[ME60A-rm-backup-srv-server1] traffic backup interval 10
[ME60A-rm-backup-srv-server1] quit
[ME60B] remote-backup-server server1
[ME60B-rm-backup-srv-server1] peer 22.22.22.22 source 88.88.88.88 port 6000
[ME60B-rm-backup-srv-server1] traffic backup interval 10
[ME60B-rm-backup-srv-server1] quit

# Configure a RBP.
[ME60A] remote-backup-profile profile1
[ME60A-rm-backup-prf-profile1] peer-backup hot enable
[ME60A-rm-backup-prf-profile1] vrrp-id 1
[ME60A-rm-backup-prf-profile1] backup-id 10 remote-backup-server server1
[ME60A-rm-backup-prf-profile1] quit
[ME60B] remote-backup-profile profile1
[ME60B-rm-backup-prf-profile1] peer-backup hot enable
[ME60B-rm-backup-prf-profile1] vrrp-id 1
[ME60B-rm-backup-prf-profile1] backup-id 10 remote-backup-server server1
[ME60B-rm-backup-prf-profile1] quit

Step 2 Set the NAS parameters.
[ME60A] remote-backup-profile profile1
[ME60A-rm-backup-prf-profile1] nas logic-ip 1.2.3.4
[ME60A-rm-backup-prf-profile1] nas logic-sysname huawei
[ME60A-rm-backup-prf-profile1] quit
[ME60B] remote-backup-profile profile1
[ME60B-rm-backup-prf-profile1] nas logic-ip 1.2.3.4
[ME60B-rm-backup-prf-profile1] nas logic-sysname huawei
[ME60B-rm-backup-prf-profile1] quit


Step 3 Bind the address pool pool1 to the RBS and specify the protection path for reverse traffic at the network side.
# Configure an address pool. The section must lie inside the gateway subnet 118.118.0.0/16.
[ME60A] ip pool pool1 local
[ME60A-ip-pool-pool1] gateway 118.118.0.1 255.255.0.0
[ME60A-ip-pool-pool1] section 0 118.118.0.2 118.118.254.254
[ME60A-ip-pool-pool1] quit
[ME60B] ip pool pool1 local
[ME60B-ip-pool-pool1] gateway 118.118.0.1 255.255.0.0
[ME60B-ip-pool-pool1] section 0 118.118.0.2 118.118.254.254
[ME60B-ip-pool-pool1] quit

# Configure the RBS-bound address pool and specify the protection tunnel for reverse traffic at the network side.
[ME60A] remote-backup-server server1
[ME60A-rm-backup-srv-server1] tunnel 1/0/0
[ME60A-rm-backup-srv-server1] ip-pool pool1
[ME60A-rm-backup-srv-server1] quit
[ME60B] remote-backup-server server1
[ME60B-rm-backup-srv-server1] tunnel 1/0/0
[ME60B-rm-backup-srv-server1] ip-pool pool1
[ME60B-rm-backup-srv-server1] quit

Step 4 Configure the routing policy.
# In the tunnel scheme both devices advertise the user address pool route; give the route advertised by the backup device the higher cost.
[ME60A] ip ip-prefix 118 permit 118.118.0.0 16
[ME60A] route-policy 118 permit node 0
[ME60A-route-policy] if-match ip-prefix 118
[ME60A-route-policy] apply cost + 5
[ME60A-route-policy] quit
[ME60B] ip ip-prefix 118 permit 118.118.0.0 16
[ME60B] route-policy 118 permit node 0
[ME60B-route-policy] if-match ip-prefix 118
[ME60B-route-policy] apply cost + 10
[ME60B-route-policy] quit

# Configure OSPF to import UNR routes and enable the routing policy.
[ME60A] ospf 1
[ME60A-ospf-1] import-route unr route-policy 118
[ME60A-ospf-1] quit
[ME60B] ospf 1
[ME60B-ospf-1] import-route unr route-policy 118
[ME60B-ospf-1] quit

Step 5 Bind the RBP to the interface through which the user goes online. In this example, the interface is GE 1/0/0.1.
[ME60A] interface gigabitethernet 1/0/0.1
[ME60A-GigabitEthernet1/0/0.1] remote-backup-profile profile1
[ME60A-GigabitEthernet1/0/0.1] quit
[ME60B] interface gigabitethernet 1/0/0.1
[ME60B-GigabitEthernet1/0/0.1] remote-backup-profile profile1
[ME60B-GigabitEthernet1/0/0.1] quit

# Enable remote information backup in the domain through which the user goes online.
[ME60A] aaa
[ME60A-aaa] domain isp1
[ME60A-aaa-domain-isp1] peer-backup enable
[ME60A-aaa-domain-isp1] quit
[ME60A-aaa] quit
[ME60B] aaa
[ME60B-aaa] domain isp1
[ME60B-aaa-domain-isp1] peer-backup enable
[ME60B-aaa-domain-isp1] quit
[ME60B-aaa] quit

Step 6 Verify the configuration. After the remote information backup configuration is complete, you can see that profile1 is bound to GigabitEthernet1/0/0.1, that the state is Master on ME60A and Slave on ME60B, and that the online user has been backed up to ME60B.
<ME60A> display remote-backup-profile profile1
----------------------------------------------
Profile-Index       : 25
Profile-Name        : profile1
Remote-backup-server: server1
Backup-ID           : 10
VRRP-ID             : 1
VRRP-Interface      : GigabitEthernet1/0/0.2
Interface           : GigabitEthernet1/0/0.1
State               : Master
Slot-Number         : 1
Port-Number         : 0
Peer-backup         : hot
Nas logic-ip        : 1.2.3.4
Nas logic-sysname   : huawei
----------------------------------------------
users as follow:
--------------------------------------------------------------------------
GigabitEthernet1/0/0.1:
UserID    Username      IP address      MAC
--------------------------------------------------------------------------
17        MSFT#@isp1    118.118.0.76    0015-c505-6bcf
<ME60B> display remote-backup-profile profile1
----------------------------------------------
Profile-Index       : 25
Profile-Name        : profile1
Remote-backup-server: server1
Backup-ID           : 10
VRRP-ID             : 1
VRRP-Interface      : GigabitEthernet1/0/0.2
Interface           : GigabitEthernet1/0/0.1
State               : Slave
Slot-Number         : 1
Port-Number         : 0
Peer-backup         : hot
Nas logic-ip        : 1.2.3.4
Nas logic-sysname   : huawei
----------------------------------------------
users as follow:
--------------------------------------------------------------------------
GigabitEthernet1/0/0.1:
UserID    Username      IP address      MAC
--------------------------------------------------------------------------
17        MSFT#@isp1    118.118.0.76    0015-c505-6bcf

When the RBS is configured, you can view that the TCP status is Established.
<ME60B> display remote-backup-server server1
----------------------------------------------
Server-Index : 1
Server-Name  : server1
TCP-State    : Established
Peer-IP      : 22.22.22.22
Source-IP    : 88.88.88.88
TCP-Port     : 6000
Tunnel       : tunnel 1/0/0
--------------------END-INFO-------------------

When the master device fails, the service can be switched over to the backup device. In this manner, users can still go online. ----End
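The two display outputs above can be checked mechanically after a change or a switchover. The following Python script is an added example, not part of this guide or of the ME60 software: it parses display remote-backup-profile and display remote-backup-server output from both devices (constructed here from the fields shown above, with a second user added for illustration) and verifies that exactly one device is Master, that the profile parameters agree, that the TCP channel is Established with mirrored endpoints and port, and that every user the master knows has already been backed up to the slave. The field names are those shown above; the column alignment and the extra user are assumptions.

```python
"""Check a master/backup pair from display remote-backup-profile/-server output."""
import re

# Constructed outputs modelled on the 8.6.1 verification step; not device captures.
PROFILE_A = """\
Profile-Name        : profile1
Remote-backup-server: server1
Backup-ID           : 10
VRRP-ID             : 1
State               : Master
Peer-backup         : hot
Nas logic-ip        : 1.2.3.4
Nas logic-sysname   : huawei
users as follow:
GigabitEthernet1/0/0.1:
UserID    Username      IP address      MAC
17        MSFT#@isp1    118.118.0.76    0015-c505-6bcf
18        user2@isp1    118.118.0.77    0015-c505-6bd0
"""
PROFILE_B = PROFILE_A.replace(": Master", ": Slave")   # same users, backup role
SERVER_A = """\
Server-Name : server1
TCP-State   : Established
Peer-IP     : 88.88.88.88
Source-IP   : 22.22.22.22
TCP-Port    : 6000
"""
SERVER_B = """\
Server-Name : server1
TCP-State   : Established
Peer-IP     : 22.22.22.22
Source-IP   : 88.88.88.88
TCP-Port    : 6000
"""

KV_RE = re.compile(r"^([A-Za-z][\w -]*?)\s*:\s*(\S.*)$")  # "Field : value" lines
USER_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+(?:\.\d+){3})\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})$")


def parse_display(text):
    """Return ({field: value}, {user-id: (username, ip, mac)}) from display output."""
    fields, users = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := USER_RE.match(line):
            users[m[1]] = (m[2], m[3], m[4])
        elif m := KV_RE.match(line):
            fields[m[1]] = m[2]
    return fields, users


def check_state_pair(profile_a, profile_b, server_a, server_b):
    """Findings for the pair; an empty list means both sides agree and the channel is up."""
    fa, ua = parse_display(profile_a)
    fb, ub = parse_display(profile_b)
    sa, sb = parse_display(server_a)[0], parse_display(server_b)[0]
    out = []
    if {fa.get("State"), fb.get("State")} != {"Master", "Slave"}:
        out.append(f"states are {fa.get('State')}/{fb.get('State')}, expected one Master and one Slave")
    for key in ("Backup-ID", "VRRP-ID", "Remote-backup-server", "Peer-backup",
                "Nas logic-ip", "Nas logic-sysname"):
        if fa.get(key) != fb.get(key):
            out.append(f"{key} differs: {fa.get(key)} vs {fb.get(key)}")
    for side, s in (("A", sa), ("B", sb)):
        if s.get("TCP-State") != "Established":
            out.append(f"backup channel on {side} is {s.get('TCP-State')}, not Established")
    if ((sa.get("Peer-IP"), sa.get("Source-IP")) != (sb.get("Source-IP"), sb.get("Peer-IP"))
            or sa.get("TCP-Port") != sb.get("TCP-Port")):
        out.append("RBS peer/source addresses or TCP port are not mirrored between the devices")
    # Hot backup: every session the master knows must already exist on the slave.
    master, slave = (ua, ub) if fa.get("State") == "Master" else (ub, ua)
    for uid, rec in master.items():
        if slave.get(uid) != rec:
            out.append(f"user {uid} {rec[0]} ({rec[1]}, {rec[2]}) is not synchronised to the backup")
    return out
```

A user listed on the master but missing on the slave is the symptom to look for after a switchover test: the session existed, but the backup device would have to re-authenticate it, which is exactly what the backup is meant to avoid.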

Configuration Files
l

Configuration file of ME60A


#
 sysname ME60A
#
ip pool pool1 local
 gateway 118.118.0.1 255.255.0.0
 section 0 118.118.0.2 118.118.254.254
#
 efm enable
#
bfd
#
 mpls lsr-id 22.22.22.22
mpls
 mpls te
 mpls rsvp-te
 mpls te cspf
#
explicit-path 1-2
 next hop 133.1.1.7
#
aaa
 domain isp1
  authentication-scheme default0
  accounting-scheme default0
  peer-backup enable
  ip-pool pool1
#
bfd bfd bind peer-ip 100.0.0.2
 discriminator local 1
 discriminator remote 2
 commit
#
ospf 1
 opaque-capability enable
 import-route unr route-policy 118
 area 0.0.0.0
  network 133.1.1.0 0.0.0.255
  network 133.1.2.0 0.0.0.255
  network 22.22.22.22 0.0.0.0
  mpls-te enable
#
ip ip-prefix 118 permit 118.118.0.0 16
#
route-policy 118 permit node 0
 if-match ip-prefix 118
 apply cost + 5
#
interface gigabitethernet 1/0/0
 efm enable
#
interface gigabitethernet 1/0/0.2
 vlan-type dot1q 200
 ip address 100.0.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 100.0.0.100
 admin-vrrp vrid 1
 vrrp vrid 1 priority 120
 vrrp vrid 1 track interface gigabitethernet 2/0/0 reduced 50
 vrrp vrid 1 track bfd-session 1 peer
 vrrp vrid 1 track efm interface GigabitEthernet1/0/0
#
remote-backup-server server1
 peer 88.88.88.88 source 22.22.22.22 port 6000
 tunnel 1/0/0
 ip-pool pool1
 traffic backup interval 10
#
remote-backup-profile profile1
 vrrp-id 1
 backup-id 10 remote-backup-server server1
 nas logic-ip 1.2.3.4
 nas logic-sysname huawei
#
interface LoopBack0
 ip address 22.22.22.22 255.255.255.255
#
interface Tunnel1/0/0
 ip address unnumbered interface LoopBack0
 tunnel-protocol mpls te
 destination 88.88.88.88
 mpls te tunnel-id 1
 mpls te path explicit-path 1-2
 mpls te commit
#
interface gigabitethernet 1/0/0.1
 user-vlan 50
 remote-backup-profile profile1
 bas
  access-type layer2-subscriber
  authentication-method web
#
interface gigabitethernet 2/0/0
 undo shutdown
 ip address 133.1.2.6 255.255.255.0
#
interface gigabitethernet 3/0/0
 undo shutdown
 ip address 133.1.1.6 255.255.255.0
 mpls
 mpls te
 mpls rsvp-te
#
return

- Configuration file of ME60B

#
 sysname ME60B
#
ip pool pool1 local
 gateway 118.118.0.1 255.255.0.0
 section 0 118.118.0.2 118.118.254.254
#
 efm enable
#
bfd
#
 mpls lsr-id 88.88.88.88
mpls
 mpls te
 mpls rsvp-te
 mpls te cspf
#
explicit-path 2-1
 next hop 133.1.1.6
#
aaa
 domain isp1
  authentication-scheme default0
  accounting-scheme default0
  ip-pool pool1
  peer-backup enable
#
bfd bfd bind peer-ip 100.0.0.1
 discriminator local 2
 discriminator remote 1
 commit
#
ospf 1
 opaque-capability enable
 import-route unr route-policy 118
 area 0.0.0.0
  network 113.1.1.0 0.0.0.255
  network 113.1.3.0 0.0.0.255
  network 88.88.88.88 0.0.0.0
  mpls-te enable
#
route-policy 118 permit node 0
 if-match ip-prefix 118
 apply cost + 10
#
interface gigabitethernet 1/0/0.2
 vlan-type dot1q 200
 ip address 100.0.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 100.0.0.100
 admin-vrrp vrid 1
 vrrp vrid 1 track bfd-session 2 peer
#
remote-backup-server server1
 peer 22.22.22.22 source 88.88.88.88 port 6000
 ip-pool pool1
 traffic backup interval 10
#
remote-backup-profile profile1
 vrrp-id 1
 backup-id 10 remote-backup-server server1
 nas logic-ip 1.2.3.4
 nas logic-sysname huawei
#
interface LoopBack0
 ip address 88.88.88.88 255.255.255.255
#
interface Tunnel1/0/0
 ip address unnumbered interface LoopBack0
 tunnel-protocol mpls te
 destination 22.22.22.22
 mpls te tunnel-id 1
 mpls te path explicit-path 2-1
 mpls te commit
#
interface gigabitethernet 1/0/0.1
 user-vlan 50
 remote-backup-profile profile1
 bas
  access-type layer2-subscriber
  authentication-method web
#
interface gigabitethernet 2/0/0
 undo shutdown
 ip address 133.1.3.6 255.255.255.0
#
interface gigabitethernet 3/0/0
 undo shutdown
 ip address 133.1.1.7 255.255.255.0
 mpls
 mpls te
 mpls rsvp-te
#
return
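The two configuration files above are mirror images of each other: the BFD peer-ip and discriminators, the RBS peer and source addresses, the VRRP priorities and the route-policy costs must all correspond, and a single line copied unchanged from one device to the other breaks the switchover without any command being rejected. The following Python script is an added example, not code from this guide or from the ME60: it parses configuration text in the form shown above and reports every mirrored value that does not match its counterpart. The sample configurations inside it are constructed for the example, and the function names (parse_peer, check_pair) are the example's own.

```python
"""Consistency check for an ME60 VRRP + BFD + RBS/RBP backup pair.

Added example, not code from the ME60 guide. It parses the configuration
text of the two peers (the form shown in this chapter's configuration files)
and reports every value that must mirror its counterpart but does not. The
sample configurations below are constructed for the example."""
import re

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def parse_peer(text):
    """Pull the backup-relevant parameters out of one device's config text."""
    def grab(pattern, conv=str, default=None):
        m = re.search(pattern, text)
        return conv(m.group(1)) if m else default
    return {
        "name": grab(r"sysname (\S+)"),
        "bfd_peer": grab(r"bind peer-ip " + IPV4),
        "disc_local": grab(r"discriminator local (\d+)", int),
        "disc_remote": grab(r"discriminator remote (\d+)", int),
        # address of the sub-interface that carries the VRRP group
        "vrrp_if_ip": grab(r"ip address " + IPV4 + r" \S+\s+vrrp vrid"),
        "vrid": grab(r"vrrp vrid (\d+) virtual-ip", int),
        "virtual_ip": grab(r"virtual-ip " + IPV4),
        "priority": grab(r"vrrp vrid \d+ priority (\d+)", int, 100),  # VRRP default
        "track_bfd": grab(r"track bfd-session (\d+)", int),
        "rbs_peer": grab(r"\bpeer " + IPV4 + r" source"),
        "rbs_source": grab(r"source " + IPV4 + r" port"),
        "rbs_port": grab(r"\bport (\d+)", int),
        "backup_id": grab(r"backup-id (\d+)", int),
        "cost": grab(r"apply cost \+ (\d+)", int),
    }


def check_pair(cfg_a, cfg_b):
    """Return the list of mismatches; an empty list means the pair is consistent."""
    a, b = parse_peer(cfg_a), parse_peer(cfg_b)
    issues = []

    def expect(cond, msg):
        if not cond:
            issues.append(msg)
    # BFD: peer-ip is the other side's interface address, the discriminators
    # are crossed, and each VRRP group tracks the session its own device owns.
    expect(a["bfd_peer"] == b["vrrp_if_ip"] and b["bfd_peer"] == a["vrrp_if_ip"],
           "bfd peer-ip does not match the peer's VRRP sub-interface address")
    expect(a["disc_local"] == b["disc_remote"] and a["disc_remote"] == b["disc_local"],
           "BFD discriminators are not mirrored")
    for p in (a, b):
        expect(p["track_bfd"] == p["disc_local"],
               f"{p['name']}: tracked bfd-session is not its own local discriminator")
    # VRRP: one group and one virtual address, distinct real addresses and priorities.
    expect(a["vrrp_if_ip"] != b["vrrp_if_ip"], "both peers use the same sub-interface address")
    expect(a["vrid"] == b["vrid"] and a["virtual_ip"] == b["virtual_ip"],
           "VRRP vrid or virtual-ip differs between the peers")
    expect(a["priority"] != b["priority"], "VRRP priorities are equal; master election is ambiguous")
    # RBS/RBP: peer and source crossed, same port, same backup-id.
    expect(a["rbs_peer"] == b["rbs_source"] and a["rbs_source"] == b["rbs_peer"],
           "remote-backup-server peer/source addresses are not mirrored")
    expect(a["rbs_port"] == b["rbs_port"], "remote-backup-server ports differ")
    expect(a["backup_id"] == b["backup_id"], "backup-id differs between the profiles")
    # Route-policy costs must differ so the network side has one preferred path.
    if a["cost"] is not None and b["cost"] is not None:
        expect(a["cost"] != b["cost"], "route-policy costs are equal; no preferred network-side path")
    return issues


# Constructed sample, modelled on the configuration files of this chapter.
ME60A_CFG = """\
sysname ME60A
bfd bfd bind peer-ip 100.0.0.2
 discriminator local 1
 discriminator remote 2
route-policy p1 permit node 0
 apply cost + 5
interface gigabitethernet 1/0/0.2
 ip address 100.0.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 100.0.0.100
 vrrp vrid 1 priority 120
 vrrp vrid 1 track bfd-session 1 peer
remote-backup-server server1
 peer 88.88.88.88 source 22.22.22.22 port 6000
remote-backup-profile profile1
 backup-id 10 remote-backup-server server1
"""

# ME60B is the mirror image: crossed addresses and discriminators, the default
# VRRP priority (100) and a higher route cost.
ME60B_CFG = ME60A_CFG
for old, new in (("ME60A", "ME60B"), ("peer-ip 100.0.0.2", "peer-ip 100.0.0.1"),
                 ("local 1", "local 2"), ("remote 2", "remote 1"),
                 ("ip address 100.0.0.1", "ip address 100.0.0.2"),
                 (" vrrp vrid 1 priority 120\n", ""), ("bfd-session 1", "bfd-session 2"),
                 ("cost + 5", "cost + 10"),
                 ("peer 88.88.88.88 source 22.22.22.22", "peer 22.22.22.22 source 88.88.88.88")):
    ME60B_CFG = ME60B_CFG.replace(old, new)

# A faulty ME60B that kept ME60A's sub-interface address and priority.
ME60B_BAD = ME60B_CFG.replace("ip address 100.0.0.2", "ip address 100.0.0.1").replace(
    " vrrp vrid 1 virtual-ip 100.0.0.100\n",
    " vrrp vrid 1 virtual-ip 100.0.0.100\n vrrp vrid 1 priority 120\n")

if __name__ == "__main__":
    print("mirrored pair:", check_pair(ME60A_CFG, ME60B_CFG) or "consistent")
    print("faulty pair:  ", check_pair(ME60A_CFG, ME60B_BAD))
```

Run against the real files, the script takes the two saved configurations as text; the regular expressions only read the parameters this chapter configures, so unrelated sections (OSPF, MPLS TE, the BAS interface) are ignored. The faulty sample reproduces the most common slip, a ME60B file in which the sub-interface address and the VRRP priority were not changed after copying from ME60A, and reports three findings for it.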

8.6.2 Example for Configuring User Information Backup Based on Network Side Tunnels and Downstream Smartlink

Networking Requirements

As shown in Figure 8-5, the user accesses both ME60A and ME60B through the LSW. ME60A and ME60B both run VRRP and work in active/standby mode. Both devices are configured with the user online function, so users go online through the master device. You do not need to bind any address pool to ME60A or ME60B. Configure different costs on ME60A and ME60B, or different routing-protocol weights on the interfaces, through the routing policy, so that network-side traffic can be reverted to the other device. When a user-side link or interface fails, the tunnel mode ensures that the network-side traffic can be sent back. No direct tunnel needs to be configured between ME60A and ME60B, but the network-side link has to bear double load. Smartlink is configured on the downstream switch of the ME60.

Figure 8-5 Example for configuring user information backup based on network side tunnels and downstream Smartlink
[Figure labels: IP/MPLS; Router C; GE 2/0/0 (ME60-A) and GE 2/0/0 (ME60-B) towards Router C; ME60-A GE 1/0/0 100.0.0.1/24; ME60-B GE 1/0/0 100.0.0.2/24; Metro Network]

Configuration Roadmap

The configuration roadmap is as follows:
1. Enable the BAS function and configure the same BAS parameters on the master and slave devices so that users can go online. For details, see the "BRAS Access Configuration" chapter.
2. Set up an MPLS TE tunnel between ME60A and ME60B and ensure that the tunnel is Up. For details, see the "MPLS Configuration" chapter. The tunnel between ME60A and ME60B is set up over a network-side link.
3. Set up a platform for remote information backup.
4. Configure a protection path for reverting the network-side traffic.
5. Bind the RBP to the interface through which users go online.

Data Preparation

To complete the configuration, you need the following data:
- VRRP ID
- IP addresses of the ME60s that back up each other
- Backup ID (You can determine the RBP to which the user belongs according to the user backup ID and the RBS.)

Procedure
Step 1 Set up a remote information backup platform. The following takes ME60A as an example; the configuration on ME60B is similar.

NOTE
In this example, only the configuration for user information backup is listed. For the other configurations, see the corresponding configuration guides.

# Configure a BFD session at the access side to detect interface or link faults quickly and then trigger a VRRP switchover. Here, 100.0.0.2 is the IP address of GE 1/0/0.2 on ME60B.

[ME60A] bfd
[ME60A-bfd] quit
[ME60A] bfd bfd bind peer-ip 100.0.0.2
[ME60A-bfd-session-bfd] discriminator local 1
[ME60A-bfd-session-bfd] discriminator remote 2
[ME60A-bfd-session-bfd] commit
[ME60A-bfd-session-bfd] quit

# Configure link detection. Here, EFM is used.

[ME60A] efm enable
[ME60A] interface GigabitEthernet 1/0/0
[ME60A-GigabitEthernet1/0/0] efm enable
[ME60A-GigabitEthernet1/0/0] quit

# Configure VRRP.

[ME60A] interface gigabitethernet 1/0/0.2
[ME60A-GigabitEthernet1/0/0.2] vlan-type dot1q 200
[ME60A-GigabitEthernet1/0/0.2] ip address 100.0.0.1 255.255.255.0
[ME60A-GigabitEthernet1/0/0.2] vrrp vrid 1 virtual-ip 100.0.0.100
[ME60A-GigabitEthernet1/0/0.2] admin-vrrp vrid 1
[ME60A-GigabitEthernet1/0/0.2] vrrp vrid 1 priority 120
[ME60A-GigabitEthernet1/0/0.2] vrrp vrid 1 track bfd-session 1 peer
[ME60A-GigabitEthernet1/0/0.2] vrrp vrid 1 track efm interface GigabitEthernet1/0/0
[ME60A-GigabitEthernet1/0/0.2] quit

NOTE
To distinguish the active device from the standby device, set different VRRP priorities on the two devices. The device with the higher priority becomes the active one.

# Configure an RBS.

[ME60A] remote-backup-server server1
[ME60A-rm-backup-srv-server1] peer 88.88.88.88 source 22.22.22.22 port 6000

# Configure an RBP.

[ME60A] remote-backup-profile profile1
[ME60A-rm-backup-prf-profile1] vrrp-id 1
[ME60A-rm-backup-prf-profile1] backup-id 10 remote-backup-server server1
[ME60A-rm-backup-prf-profile1] quit

Step 2 Bind the address pool pool1 to the RBS and bind the protection path for reverting traffic at the network side. The configuration on ME60B is similar.

# Configure an address pool.

[ME60A] ip pool pool1 local
[ME60A-ip-pool-pool1] gateway 118.118.0.1 255.255.255.0
[ME60A-ip-pool-pool1] section 0 118.118.0.2 118.118.0.254
[ME60A-ip-pool-pool1] quit

# Bind the address pool to the RBS and configure a tunnel protection path.

[ME60A] remote-backup-server server1
[ME60A-rm-backup-srv-server1] ip-pool pool1
[ME60A-rm-backup-srv-server1] tunnel 1/0/0

Step 3 Configure the routing policy.

# Configure the routing policy.

[ME60A] ip ip-prefix p1 permit 118.118.0.0 24
[ME60A] route-policy p1 permit node 0
[ME60A-route-policy] if-match ip-prefix p1
[ME60A-route-policy] apply cost + 5
[ME60A-route-policy] quit

# Configure OSPF to import UNR routes and apply the routing policy.

[ME60A] ospf 1
[ME60A-ospf-1] import-route unr route-policy p1

Step 4 Bind the RBP to the interface through which the user goes online. In this example, GE 1/0/0.1 is the interface through which users go online. Take ME60A as an example; the configuration on ME60B is similar.

[ME60A] interface gigabitethernet 1/0/0.1
[ME60A-GigabitEthernet1/0/0.1] remote-backup-profile profile1
[ME60A-GigabitEthernet1/0/0.1] quit

# Enable remote information backup in the domain through which the user goes online.

[ME60A] aaa
[ME60A-aaa] domain isp1
[ME60A-aaa-domain-isp1] peer-backup enable
[ME60A-aaa-domain-isp1] ip-pool pool1
[ME60A-aaa-domain-isp1] quit
[ME60A-aaa] quit

Step 5 Configure the switchback time and the response suppression time.

[ME60A] peer-backup switch-back-time 0
[ME60A] interface GigabitEthernet 1/0/0
[ME60A-GigabitEthernet1/0/0] carrier up-hold-time 2400

NOTE
When recovering from a failure, the master device cannot take over services immediately, because in some situations, such as a board reset or a system reset, the system takes time to recover. You can use the following formula to estimate the delay in minutes: peak number of backup users / 300 / 60. Increase the delay as required.

Step 6 Verify the configuration. When the RBP is configured successfully, you can see that the backup profile profile1 is bound to the interface through which users go online and that the device state is Master.

<ME60A> display remote-backup-profile profile1
-----------------------------------------------
  Profile-Index       : 25
  Profile-Name        : profile1
  Remote-backup-server: server1
  Backup-ID           : 10
  VRRP-ID             : 1
  VRRP-Interface      : GigabitEthernet1/0/0.1
  Interface           : GigabitEthernet1/0/0.1
  State               : Master
  Slot-Number         : 1
  Port-Number         : 0
  Peer-backup         : hot
-----------------------------------------------
users as follow:
--------------------------------------------------------------------------
GigabitEthernet1/0/0.1:
  UserID   Username          IP address       MAC
--------------------------------------------------------------------------
  17       MSFT#@isp1        118.118.0.76     0015-c505-6bcf

When the RBS is configured, you can see that the TCP connection state is Established.

<ME60A> display remote-backup-server server1
-----------------------------------------------
  Server-Index : 1
  Server-Name  : server1
  TCP-State    : Established
  Peer-IP      : 88.88.88.88
  Source-IP    : 22.22.22.22
  TCP-Port     : 6000
  Tunnel       : tunnel 1/0/0
--------------------END-INFO-------------------

----End

Configuration Files

- Configuration file of ME60A

#
 sysname ME60A
#
ip pool pool1 local
 gateway 118.118.0.1 255.255.255.0
 section 0 118.118.0.2 118.118.0.254
#
 efm enable
#
bfd
#
 mpls lsr-id 22.22.22.22
mpls
 mpls te
 mpls rsvp-te
 mpls te cspf
#
aaa
 domain isp1
  authentication-scheme default0
  accounting-scheme default0
  peer-backup enable
  ip-pool pool1
#
bfd bfd bind peer-ip 100.0.0.2
 discriminator local 1
 discriminator remote 2
 commit
#
ospf 1
 opaque-capability enable
 import-route unr route-policy p1
 area 0.0.0.0
  network 113.1.1.0 0.0.0.255
  network 22.22.22.22 0.0.0.0
  mpls-te enable
#
route-policy p1 permit node 0
 if-match ip-prefix p1
 apply cost + 5
#
interface gigabitethernet 1/0/0.2
 vlan-type dot1q 200
 ip address 100.0.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 100.0.0.100
 admin-vrrp vrid 1
 vrrp vrid 1 priority 120
 vrrp vrid 1 track interface gigabitethernet 2/0/0 reduced 50
 vrrp vrid 1 track bfd-session 1 peer
 vrrp vrid 1 track efm interface GigabitEthernet1/0/0
#
remote-backup-server server1
 peer 88.88.88.88 source 22.22.22.22 port 6000
 tunnel 1/0/0
 ip-pool pool1
#
remote-backup-profile profile1
 vrrp-id 1
 backup-id 10 remote-backup-server server1
#
interface LoopBack0
 ip address 22.22.22.22 255.255.255.255
#
interface Tunnel1/0/0
 ip address unnumbered interface LoopBack0
 tunnel-protocol mpls te
 destination 88.88.88.88
 mpls te tunnel-id 100
 mpls te commit
#
interface gigabitethernet 1/0/0.1
 user-vlan 50
 remote-backup-profile profile1
 bas
  access-type layer2-subscriber
  authentication-method web
#
interface gigabitethernet 2/0/0
 undo shutdown
 ip address 133.1.1.6 255.255.255.0
 mpls
 mpls te
 mpls rsvp-te
#
return

- Configuration file of ME60B

#
 sysname ME60B
#
ip pool pool1 local
 gateway 118.118.0.1 255.255.255.0
 section 0 118.118.0.2 118.118.0.254
#
 efm enable
#
bfd
#
 mpls lsr-id 88.88.88.88
mpls
 mpls te
 mpls rsvp-te
 mpls te cspf
#
aaa
 domain isp1
  authentication-scheme default0
  accounting-scheme default0
  peer-backup enable
  ip-pool pool1
#
bfd bfd bind peer-ip 100.0.0.1
 discriminator local 2
 discriminator remote 1
 commit
#
ospf 1
 opaque-capability enable
 import-route unr route-policy p1
 area 0.0.0.0
  network 113.1.2.0 0.0.0.255
  network 88.88.88.88 0.0.0.0
  mpls-te enable
#
route-policy p1 permit node 0
 if-match ip-prefix p1
 apply cost + 10
#
interface gigabitethernet 1/0/0.2
 vlan-type dot1q 200
 ip address 100.0.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 100.0.0.100
 admin-vrrp vrid 1
 vrrp vrid 1 track bfd-session 2 peer
 vrrp vrid 1 track efm interface GigabitEthernet1/0/0
#
remote-backup-server server1
 peer 22.22.22.22 source 88.88.88.88 port 6000
 tunnel 1/0/0
 ip-pool pool1
#
remote-backup-profile profile1
 vrrp-id 1
 backup-id 10 remote-backup-server server1
#
interface LoopBack0
 ip address 88.88.88.88 255.255.255.255
#
interface Tunnel1/0/0
 ip address unnumbered interface LoopBack0
 tunnel-protocol mpls te
 destination 22.22.22.22
 mpls te tunnel-id 100
 mpls te commit
#
interface gigabitethernet 1/0/0.1
 user-vlan 50
 remote-backup-profile profile1
 bas
  access-type layer2-subscriber
  authentication-method web
#
interface gigabitethernet 2/0/0
 undo shutdown
 ip address 133.1.2.6 255.255.255.0
 mpls
 mpls te
 mpls rsvp-te
#
return

8.6.3 Example for Configuring User Information Backup in Exclusive Address Pool Mode (address pool route)

Networking Requirements

As shown in Figure 8-6, the user accesses both ME60A and ME60B through the LSW. ME60A and ME60B both run VRRP and work in active/standby mode. Both devices are configured with the user online function, allowing users to go online. When the master device fails, or the network-side or user-side link of the master device fails, services must be switched to the backup device quickly. Figure 8-6 shows the exclusive address pool mode: every RBP on ME60A and ME60B is bound to an address pool, and reverting of the network-side traffic is controlled through the routes advertised at the network side. When ME60A and ME60B switch roles, the network-side route on ME60A is withdrawn and ME60B advertises the network-side routes.

Figure 8-6 Example for configuring user information backup in exclusive address pool mode
[Figure labels: IP/MPLS; Router C; GE 2/0/0 (ME60-A) and GE 2/0/0 (ME60-B) towards Router C; ME60-A GE 1/0/0 100.0.0.1/24; ME60-B GE 1/0/0 100.0.0.2/24; Metro Network]

Configuration Roadmap

The configuration roadmap is as follows:
1. Enable the user access function and configure the same parameters on the master and slave devices so that users can go online. For details, see the "BRAS Access Configuration" chapter.
2. Set up a platform for remote information backup.
3. Configure IP address pool binding.
4. Bind the RBP to the interface through which users go online.

Data Preparation

To complete the configuration, you need the following data:
- VRRP ID
- IP addresses of the ME60s that back up each other
- Backup ID (You can determine the RBP to which the user belongs according to the user backup ID and the RBS.)


Procedure
Step 1 Set up a remote information backup platform. The configuration is similar to that in the other two examples. For details, see 8.6.1 Example for Configuring User Information Backup Based on Direct Tunnel Protection and 8.6.2 Example for Configuring User Information Backup Based on Network Side Tunnels and Downstream Smartlink.

Step 2 Configure IP address pool binding. Unlike the tunnel scheme, traffic is diverted from the network side to the user side. The address pool is bound to the RBP, and the RBS is not bound to the address pool. Take ME60A as an example; the configuration on ME60B is similar.

[ME60A] remote-backup-profile profile1
[ME60A-rm-backup-prf-profile1] ip-pool pool1

NOTE
The address pool pool1 bound here has already been created with the ip pool command and applied in the AAA domain view.

Step 3 Bind the RBP to the interface through which the user goes online. In this example, GE 1/0/0.1 is the interface through which users go online. Take ME60A as an example; the configuration on ME60B is similar.

[ME60A] interface gigabitethernet 1/0/0.1
[ME60A-GigabitEthernet1/0/0.1] remote-backup-profile profile1
[ME60A-GigabitEthernet1/0/0.1] quit

Step 4 Verify the configuration. When the remote information backup policy is configured, you can see that profile1 is bound to GigabitEthernet1/0/0.1 and that the device state is Master.

<ME60A> display remote-backup-profile profile1
-----------------------------------------------
  Profile-Index       : 25
  Profile-Name        : profile1
  Remote-backup-server: server1
  Backup-ID           : 10
  VRRP-ID             : 1
  VRRP-Interface      : GigabitEthernet1/0/0.1
  Interface           : GigabitEthernet1/0/0.1
  State               : Master
  Slot-Number         : 1
  Port-Number         : 0
  Peer-backup         : hot
-----------------------------------------------
users as follow:
--------------------------------------------------------------------------
GigabitEthernet1/0/0.1:
  UserID   Username          IP address       MAC
--------------------------------------------------------------------------
  17       MSFT#@isp1        118.118.0.76     0015-c505-6bcf

When the RBS is configured, you can see that the TCP connection state is Established.

<ME60A> display remote-backup-server server1
-----------------------------------------------
  Server-Index : 1
  Server-Name  : server1
  TCP-State    : Established
  Peer-IP      : 88.88.88.88
  Source-IP    : 22.22.22.22
  TCP-Port     : 6000
  Tunnel       :
--------------------END-INFO-------------------

----End
Configuration Files

- Configuration file of ME60A

#
 sysname ME60A
#
ip pool pool1 local
 gateway 16.0.0.1 255.255.255.0
 section 0 16.0.0.2 16.0.0.100
#
aaa
 domain userdomain1
  authentication-scheme default0
  accounting-scheme default0
  ip-pool pool1
  peer-backup enable
#
bfd bfd bind peer-ip 100.0.0.2
 discriminator local 1
 discriminator remote 2
 commit
#
interface gigabitethernet 1/0/0.2
 vlan-type dot1q 200
 ip address 100.0.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 100.0.0.100
 admin-vrrp vrid 1
 vrrp vrid 1 priority 120
 vrrp vrid 1 track bfd-session 1 peer
 vrrp vrid 1 track interface gigabitethernet 2/0/0 reduced 50
#
remote-backup-server server1
 peer 88.88.88.88 source 22.22.22.22 port 6000
#
remote-backup-profile profile1
 vrrp-id 1
 backup-id 10 remote-backup-server server1
 nas logic-ip 1.2.3.4
 nas logic-sysname huawei
 ip-pool pool1
#
interface gigabitethernet 1/0/0.1
 user-vlan 50
 remote-backup-profile profile1
 bas
  access-type layer2-subscriber
  authentication-method web
#
return

- Configuration file of ME60B

#
 sysname ME60B
#
ip pool pool1 local
 gateway 16.0.0.1 255.255.255.0
 section 0 16.0.0.2 16.0.0.100
#
aaa
 domain userdomain1
  authentication-scheme default0
  accounting-scheme default0
  ip-pool pool1
  peer-backup enable
#
bfd bfd bind peer-ip 100.0.0.1
 discriminator local 2
 discriminator remote 1
 commit
#
interface gigabitethernet 1/0/0.2
 vlan-type dot1q 200
 ip address 100.0.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 100.0.0.100
 admin-vrrp vrid 1
 vrrp vrid 1 track bfd-session 2 peer
#
remote-backup-server server1
 peer 22.22.22.22 source 88.88.88.88 port 6000
#
remote-backup-profile profile1
 vrrp-id 1 interface gigabitethernet 1/0/0.2
 backup-id 10 remote-backup-server server1
 nas logic-ip 1.2.3.4
 nas logic-sysname huawei
 ip-pool pool1
#
interface gigabitethernet 1/0/0.1
 user-vlan 50
 remote-backup-profile profile1
 bas
  access-type layer2-subscriber
  authentication-method web
#
return

9 RADIUS Attributes

About This Chapter

This appendix describes the RADIUS attributes supported by the ME60.

9.1 Standard RADIUS Attributes
9.2 Huawei RADIUS+1.0 Attributes
9.3 Huawei RADIUS+1.1 Attributes
9.4 Microsoft RADIUS Attributes
9.5 DSL Forum RADIUS Attributes
9.6 Description of RADIUS Attributes
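The tables in this chapter describe how the ME60 interprets each attribute: which Framed-IP-Address values mean that the NAS, not the server, allocates the address; how Acct-Input-Gigawords extends Acct-Input-Octets in multiples of 2^32; how Acct-Delay-Time recovers the time at which an accounting packet was generated; and what each Acct-Terminate-Cause code means. The following Python script is an added example, not ME60 code, that applies those rules to a RADIUS accounting packet. The packet bytes are constructed for the example in the standard type/length/value layout of RFC 2865/2866 with the attribute numbers listed in the table, and the function names (parse_attributes, nas_allocates_address, decode_accounting) are the example's own.

```python
"""Decode the attribute section of a RADIUS accounting packet and apply the
interpretation rules given in this chapter's tables.

Added example, not ME60 code: the packet bytes are constructed here in the
standard type/length/value layout of RFC 2865/2866, using the attribute
numbers listed in the table."""
import ipaddress
import struct

FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_DELAY_TIME = 8, 40, 41
ACCT_INPUT_OCTETS, ACCT_SESSION_ID, ACCT_TERMINATE_CAUSE = 42, 44, 49
ACCT_INPUT_GIGAWORDS = 52

STATUS = {1: "start", 2: "stop", 3: "interim"}
TERMINATE_CAUSE = {
    1: "User-Request", 2: "Lost-Carrier", 3: "Lost-Service", 4: "Idle-Timeout",
    5: "Session-Timeout", 6: "Admin-Reset", 7: "Admin-Reboot", 8: "Port-Error",
    9: "NAS-Error", 10: "NAS-Request", 11: "NAS-Reboot", 12: "Port-Unneeded",
    13: "Port-Preempted", 14: "Port-Suspended", 15: "Service-Unavailable",
    16: "Callback", 17: "User-Error", 18: "Host-Request",
}


def parse_attributes(data):
    """Split a TLV attribute list into (type, value) pairs.

    Every length byte is checked against the buffer before it is trusted, so a
    truncated or oversized attribute raises instead of reading past the end."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def nas_allocates_address(value):
    """Framed-IP-Address rule from the table: 0, 0xFFFFFFFE, 0xFFFFFFFF, an
    address in 127.0.0.0/8 or a multicast address means the server assigns
    nothing and the NAS (the ME60) allocates the address itself."""
    n = struct.unpack("!I", value)[0]
    if n in (0, 0xFFFFFFFE, 0xFFFFFFFF):
        return True
    ip = ipaddress.IPv4Address(n)
    return ip.is_loopback or ip.is_multicast


def decode_accounting(data, received_at):
    """Return the facts a collector needs from one accounting packet: the
    octet counters combined as Gigawords * 2**32 + Octets, and the delay
    subtracted from the receive time to recover when the NAS generated it."""
    attrs = dict(parse_attributes(data))  # one occurrence of each type expected

    def u32(atype):
        return struct.unpack("!I", attrs[atype])[0] if atype in attrs else 0
    out = {
        "status": STATUS.get(u32(ACCT_STATUS_TYPE), "unknown"),
        "session_id": attrs.get(ACCT_SESSION_ID, b"").decode("ascii"),
        "input_octets": (u32(ACCT_INPUT_GIGAWORDS) << 32) + u32(ACCT_INPUT_OCTETS),
        "generated_at": received_at - u32(ACCT_DELAY_TIME),
        "framed_ip": None, "nas_allocates": None, "terminate_cause": None,
    }
    if FRAMED_IP_ADDRESS in attrs:
        out["framed_ip"] = str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS]))
        out["nas_allocates"] = nas_allocates_address(attrs[FRAMED_IP_ADDRESS])
    if ACCT_TERMINATE_CAUSE in attrs:
        out["terminate_cause"] = TERMINATE_CAUSE.get(u32(ACCT_TERMINATE_CAUSE), "unknown")
    return out


def attr(atype, value):
    """Encode one attribute in type/length/value form."""
    return bytes([atype, len(value) + 2]) + value


def u32be(n):
    return struct.pack("!I", n)


# Constructed stop-accounting packet: 2 * 2**32 + 1500 upstream octets, the
# user cut off by idle timeout, and 3 s of delivery delay.
SAMPLE_STOP = (attr(ACCT_STATUS_TYPE, u32be(2)) + attr(ACCT_SESSION_ID, b"0000001a")
               + attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("118.118.0.76").packed)
               + attr(ACCT_INPUT_OCTETS, u32be(1500)) + attr(ACCT_INPUT_GIGAWORDS, u32be(2))
               + attr(ACCT_TERMINATE_CAUSE, u32be(4)) + attr(ACCT_DELAY_TIME, u32be(3)))

if __name__ == "__main__":
    print(decode_accounting(SAMPLE_STOP, received_at=1_700_000_000))
```

The length check in parse_attributes is the part worth copying into any collector or proxy that handles accounting records: a RADIUS attribute length that points past the end of the datagram is the classic malformed-packet case, and the decoder refuses it rather than slicing silently. The Gigawords combination is needed because Acct-Input-Octets alone wraps at 4 GB, so a collector that ignores attribute 52 under-bills high-volume sessions.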

9.1 Standard RADIUS Attributes

1  User-Name
   Indicates the user name of the user to be authenticated.

2  User-Password
   Indicates the password of the user to be authenticated. The attribute is applicable only to PAP authentication.

3  CHAP-Password
   Indicates the password of the user to be authenticated. The attribute is applicable only to CHAP authentication.

4  NAS-IP-Address
   Indicates the device IP address contained in the authentication request packet sent by the ME60 functioning as the NAS. If the RADIUS server group is bound to an interface, the IP address of that interface is used; otherwise, the IP address of the interface that sends the packet is used.

5  NAS-Port
   Indicates the number of the physical interface that the user connects to. For the format of this attribute, see "NAS-Port (5)."

6  Service-Type
   Indicates the service type of the user.
   - For an access user, the value is 2, indicating that the service type is Framed.
   - For an operator, the value is 6, indicating that the service type is Administrator.

7  Framed-Protocol
   - For a non-administrator user, the value is always 1, which indicates PPP.
   - For an administrator user, the value is always 6.

8  Framed-IP-Address
   Indicates the IP address of the user.
   - For an operator, this attribute is contained in the access request packet.
   - For a PPP user, this attribute is contained in the access accept packet and indicates the IP address that the RADIUS server assigns to the user. If the value is 0, 0xFFFFFFFE, 0xFFFFFFFF, an address in the network segment 127.0.0.0/8, or a multicast address, the RADIUS server does not allocate the address; instead, the ME60 allocates IP addresses to users.

9  Framed-IP-Netmask
   Indicates the IP address mask allocated by the RADIUS server to users. This attribute is contained only in the authentication accept packet of a PPP user and must be used together with the Framed-IP-Address attribute. The IP addresses generated in the resulting network segment are assigned to PPP users.

11 Filter-Id
   Indicates a user group. If the group name contains @, the string before @ is taken as the group name. If a packet contains multiple Filter-Id attributes, only the last one is valid; therefore, one Filter-Id per packet is recommended.

14 Login-IP-Host
   Indicates the IP address of a login user. The value 0 or 0xFFFFFFFF indicates that the IP address of the login user is not checked.

15 Login-Service
   Indicates the service type that the login user can use.
   - 0: Telnet
   - 5: X25-PAD
   - 50: SSH
   - 51: FTP
   - 52: Terminal

18 Reply-Message
   Indicates the authentication reply message, which may be a success message or a failure message. The length ranges from 1 to 253 bytes.

19 Callback-Number
   Indicates information displayed to users, sent from the authentication server, such as a mobile number.

22 Framed-Route
   Indicates the route information delivered from the RADIUS server to the user on the ME60. The format is dest-address/mask next-hop hop-count, in which the mask and hop-count parameters are optional. When next-hop is 0.0.0.0, the address of the user is used as the next-hop address. The ME60 allows the RADIUS server to deliver up to 128 Framed-Route attributes at a time, but these attributes must specify the same next hop. The attribute is delivered only to PPP and L2TP users. When the RADIUS server delivers the Framed-Route attribute, you need to configure the virtual template in the domain of the user or configure the RADIUS server to deliver the attributes of the virtual template.

24 State
   If the challenge packet sent from the RADIUS server to the ME60 contains this attribute, the ME60 must return the attribute in the subsequent access request packet.

25 Class
   If the authentication accept packet sent by the RADIUS server to the ME60 contains this attribute, the ME60 must return the attribute in the subsequent accounting request packets. With a standard RADIUS server, the ME60 can use the Class attribute to carry the CAR parameters.

26 Vendor-Specific
   Indicates an attribute defined by a vendor.

27 Session-Timeout
   Indicates the remaining online duration of the user, in seconds. In the EAP challenge packet, this attribute indicates the re-authentication interval of EAP users.

28 Idle-Timeout
   Indicates the idle-cut time, in seconds.

29 Termination-Action
   Indicates the service termination method, such as re-authentication or mandatory logout. The value 0 forces the user to log out; the value 1 triggers re-authentication.

30 Called-Station-Id
   Enables the NAS to send the called number (dialed by the user) in the access request packet.

31 Calling-Station-Id
   Enables the NAS to send the calling number.
   - For an LNS user, the called number AVP is filled in the packet.
   - For a PPP or DHCP user, the MAC address of the user is filled in the packet.

32 NAS-Identifier
   Indicates the host name of the ME60.

33 Proxy-State
   Used in the CoA and DM request and response packets. The value of the attribute is the same in the request and the response.

40 Acct-Status-Type
   Indicates the type of the accounting packet.
   - 1: start-accounting packet
   - 2: stop-accounting packet
   - 3: real-time accounting packet

41 Acct-Delay-Time
   Indicates the time, in seconds, spent delivering the accounting request packet. After receiving the packet, the accounting server subtracts the value of Acct-Delay-Time from the delivery time; the result is the time at which the ME60 generated the accounting request packet.

42 Acct-Input-Octets
   Indicates the number of upstream octets, in bytes, kbytes, Mbytes, or Gbytes. The unit can be configured through commands.

43 Acct-Output-Octets
   Indicates the number of downstream octets, in bytes, kbytes, Mbytes, or Gbytes. The unit can be configured through commands.

44 Acct-Session-Id
   Indicates the ID of an accounting session. The session IDs in the start-accounting, stop-accounting, and real-time accounting packets must be the same.

45 Acct-Authentic
   Indicates the authentication mode of the user: 1 indicates RADIUS authentication, 2 indicates local authentication, and 3 indicates remote authentication.

46 Acct-Session-Time
   Indicates how long a user has been online, in seconds.

47 Acct-Input-Packets
   Indicates the number of upstream packets.

48 Acct-Output-Packets
   Indicates the number of downstream packets.

49 Acct-Terminate-Cause
   Indicates the reason for terminating a session (a PPP session).
   - User-Request (1): The user logs out.
   - Lost Carrier (2): A handshake failure occurs, such as an ARP detection failure or a PPP handshake failure.
   - Lost Service (3): The LNS requests to tear down the connection.
   - Idle Timeout (4): The user is considered idle and is disconnected.
   - Session Timeout (5): The user is disconnected because the online duration or traffic of the user reaches the threshold.
   - Admin Reset (6): The administrator requests to disconnect the user.
   - Admin Reboot (7): The administrator restarts the ME60.
   - Port Error (8): A port error occurs.
   - NAS Error (9): An internal error occurs on the ME60.
   - NAS Request (10): The ME60 disconnects the user because of a resource change.
   - NAS Reboot (11): The ME60 restarts automatically.
   - Port Unneeded (12): The port is Down.
   - Port Preempted (13): The port is preempted.
   - Port Suspended (14): The port is suspended.
   - Service Unavailable (15): The service is unavailable.
   - Callback (16): The service is a callback service.
   - User Error (17): The user authentication fails or times out.
   - Host Request (18): The ME60 receives the Decline packet from the server.

50 Acct-Multi-Session-Id
   Indicates the ID of a multi-session. The attribute is used to identify the related sessions in the log. If tunnel users are configured in the system, the attribute indicates the accounting session ID of the tunnel user on the L2TP tunnel, in the same format as Acct-Session-Id. The attribute is not used in other conditions.

51 Acct-Link-Count
   Indicates the number of established links in the MLPPP. The attribute is not used in other conditions.

52 Acct-Input-Gigawords
   Indicates the number of upstream octets expressed as a multiple of 4 G (namely 2^32), in bytes, kbytes, Mbytes, or Gbytes.

53 Acct-Output-Gigawords
   Indicates the number of downstream octets expressed as a multiple of 4 G (namely 2^32), in bytes, kbytes, Mbytes, or Gbytes.

55 Event-Timestamp
   Indicates the time when the accounting packet is generated, in seconds. The value is the number of seconds since January 1, 1970 00:00 UTC.

60 CHAP-Challenge
   Indicates the challenge sent by the ME60 to a PPP CHAP user.

61 NAS-Port-Type
   Indicates the type of physical port used by the NAS for user authentication. It can be configured in the BAS interface view. The default value is 15, indicating an Ethernet port. For LNS users, the value is set to 5, indicating a virtual port.

62 Port-Limit
   Indicates the maximum number of users that can use the same account.

64 Tunnel-Type
   Indicates the protocol type of the tunnel. The value 3 indicates an L2TP tunnel.

65 Tunnel-Medium-Type
   Indicates the medium carried by the tunnel. The value is always 1, indicating IPv4.

66 Tunnel-Client-Endpoint
   Indicates the IP address of the tunnel client.

67 Tunnel-Server-Endpoint
   Indicates the IP address of the tunnel server.

68 Acct-Tunnel-Connection
   Indicates the accounting session ID used by the tunnel server, in the format TunnelID-SessionID.

69 Tunnel-Password
   Indicates the password used in tunnel authentication. The first two bytes are the SALT and the following 16 bytes are the encrypted password. The password ranges from 1 to 16 bits and can be set in plain text or cipher text mode.


No.  Attribute  Description
77  Connect-Info  Indicates the characteristics of the user connection, such as the downlink CIR. The attribute is delivered by the NAS.
79  EAP-Message  Carries the EAP packet. Multiple EAP-Message fields can be contained in a RADIUS packet.
80  Message-Authenticator  Carries the encrypted EAP packets to prevent masquerading in EAP authentication. The attribute is applicable only to EAP users and WLAN users.
81  Tunnel-Private-Group-ID  Indicates the private group name of the tunnel. The attribute is parsed but is not used currently. The Huawei RADIUS private protocol RADIUS+1.0 conflicts with this attribute: when the server runs RADIUS+1.0, the server parses the attribute as a private attribute of Huawei.
82  Tunnel-Assignment-ID  Indicates the tunnel ID.
83  Tunnel-Preference  Indicates the priority of the tunnel. When multiple L2TP tunnels have the same priority, the load balancing mode is adopted. When the priorities of multiple L2TP tunnels are different, the active/standby mode is adopted.
85  Acct-Interim-Interval  Indicates the interval of real-time accounting, in seconds. The value ranges from 0 to 3932100. The value 0 indicates that real-time accounting is not required. A value larger than 3932100 prevents subsequent users from logging in. It is recommended that the value of Acct-Interim-Interval be larger than or equal to 60 seconds.
86  Acct-Tunnel-Packets-Lost  Indicates the number of packets lost on a specified link. The attribute is contained in the accounting packet whose Acct-Status-Type is set to Tunnel-Link-Stop.


No.  Attribute  Description
87  NAS-Port-Id  Indicates the slot number, sub-slot number, port number, and VLAN ID. The format is "slot=XX;subslot=XX;port=XXX;VLANID=XXXX;" or "slot=XX;subslot=XX;port=XXX;VPI=XXX;VCI=XXXX". The format of the attribute is different when QinQ VLAN is used and when the physical location of the user is reported by DHCP Option 82, PPPoE+ information, or VBAS.
88  Framed-Pool  Indicates the name of the address pool used to allocate IP addresses to users. The attribute is valid only when the ME60 allocates IP addresses to PPP users through the local address pool. The format is "address pool name#address segment" or "pool name@address segment". When both "#" and "@" are included, the content before "#" is taken as the name of the address pool. The RADIUS server can provide 128 framed pools, among which online users can use only the first 16 framed pools.
89  Chargeable-User-Identity  The CUI attribute uniquely identifies a type of user.
90  Tunnel-Client-Auth-ID  Indicates the name used by the tunnel initiator during the authentication of tunnel setup.
95  NAS-IPv6-Address  Indicates the IPv6 address of the ME60.
96  Framed-Interface-Id  Indicates the interface ID that the RADIUS server assigns to the IPv6 user.
97  Framed-IPv6-Prefix  Indicates the address prefix that the RADIUS server assigns to the IPv6 user.
98  Login-IPv6-Host  Indicates the IP address that the IPv6 operator uses to log in to the ME60.
99  Framed-IPv6-Route  Indicates the route of the IPv6 user.
101  Error-Cause  Indicates the disconnection cause defined in RFC 3576.
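
A parser for the two NAS-Port-Id (87) layouts quoted in the table, added here as an example; it is not code from the ME60 documentation or software. It covers only the VLAN and VPI/VCI forms shown above, not the QinQ, Option 82, PPPoE+ or VBAS variants the table says differ. The sample strings are constructed, not captured from a device, and rejecting a malformed value rather than guessing a port is this example's own design choice, since an accounting record mapped to the wrong physical port is worse than one flagged as unparseable.

```python
import re

# Constructed sample values in the two NAS-Port-Id layouts quoted in the table
# (not captured from a real ME60): an Ethernet port with a VLAN and an ATM PVC.
SAMPLE_ETH = "slot=03;subslot=01;port=002;VLANID=0100;"
SAMPLE_ATM = "slot=05;subslot=00;port=001;VPI=008;VCI=0035"

# One "key=value" token; the trailing ';' is optional in the VPI/VCI form.
_TOKEN = re.compile(r"(?P<key>[A-Za-z]+)=(?P<value>[^;]*)")


def parse_nas_port_id(value: str) -> dict:
    """Split a NAS-Port-Id (87) string into integer fields.

    Returns slot, subslot and port plus either 'vlanid' or 'vpi' and 'vci'.
    Raises ValueError for anything outside the two documented layouts, so a
    malformed value is rejected instead of being mapped to the wrong port.
    """
    fields = {m.group("key").lower(): m.group("value") for m in _TOKEN.finditer(value)}
    required = ("slot", "subslot", "port")
    missing = [k for k in required if k not in fields]
    if missing:
        raise ValueError(f"NAS-Port-Id {value!r} lacks {missing}")
    try:
        out = {k: int(fields[k]) for k in required}
        if "vlanid" in fields:
            out["vlanid"] = int(fields["vlanid"])
        elif "vpi" in fields and "vci" in fields:
            out["vpi"] = int(fields["vpi"])
            out["vci"] = int(fields["vci"])
        else:
            raise ValueError("neither VLANID nor VPI/VCI present")
    except ValueError as exc:
        # int() on a non-numeric field also lands here
        raise ValueError(f"NAS-Port-Id {value!r} is malformed: {exc}") from None
    return out


def is_valid_nas_port_id(value: str) -> bool:
    """True when the string parses under one of the two documented layouts."""
    try:
        parse_nas_port_id(value)
    except ValueError:
        return False
    return True


def describe_port(value: str) -> str:
    """Render a NAS-Port-Id as a short human-readable location for log review."""
    p = parse_nas_port_id(value)
    where = f"slot {p['slot']}/{p['subslot']}/port {p['port']}"
    if "vlanid" in p:
        return f"{where}, VLAN {p['vlanid']}"
    return f"{where}, PVC {p['vpi']}/{p['vci']}"


if __name__ == "__main__":
    for sample in (SAMPLE_ETH, SAMPLE_ATM):
        print(sample, "->", describe_port(sample))
```

Leading zeros in the fields (slot=03, port=002) are padding only, so the parser returns plain integers; a tool correlating accounting records with port configuration should compare the integers, not the padded strings.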

9.2 Huawei RADIUS+1.0 Attributes


NOTE

The following attributes may conflict with standard RADIUS attributes and can be used only when the ME60 interconnects with a RADIUS server of the RADIUS+1.0 version, that is, the IP Hotel server.


No.  Attribute  Description
80  Remanent-Volume  Indicates the available traffic volume of the user, in kbytes. The attribute is applicable only to the RADIUS server that runs RADIUS+1.0.
81  Tariff-Switch-Interval  Indicates the interval in seconds between the latest tariff changing time and the current time. The attribute is applicable only to the RADIUS server that runs RADIUS+1.0.
111  In-Kb-Before-T-Switch  Indicates the traffic received before the tariff change, in kbytes. If the tariff is not changed in a real-time accounting interval, the attribute indicates the total traffic received by the ME60 in the interval. If the tariff is changed in the real-time accounting interval, the attribute indicates the traffic received by the ME60 from the accounting start time to the tariff changing time. The attribute is applicable only to the RADIUS server that runs RADIUS+1.0.
112  Out-Kb-Before-T-Switch  Indicates the traffic sent before the tariff change, in kbytes. If the tariff is not changed in a real-time accounting interval, the attribute indicates the total traffic sent by the ME60 in the interval. If the tariff is changed in the real-time accounting interval, the attribute indicates the traffic sent by the ME60 from the accounting start time to the tariff changing time. The attribute is applicable only to the RADIUS server that runs RADIUS+1.0.
113  In-Pkts-Before-T-Switch  Indicates the number of packets received before the tariff change. If the tariff is not changed in a real-time accounting interval, the attribute indicates the total number of packets received by the ME60 in the interval. If the tariff is changed in the real-time accounting interval, the attribute indicates the number of packets received by the ME60 from the accounting start time to the tariff changing time. The attribute is applicable only to the RADIUS server that runs RADIUS+1.0.


No.  Attribute  Description
114  Out-Pkts-Before-T-Switch  Indicates the number of packets sent before the tariff change. If the tariff is not changed in a real-time accounting interval, the attribute indicates the total number of packets sent by the ME60 in the interval. If the tariff is changed in the real-time accounting interval, the attribute indicates the number of packets sent by the ME60 from the accounting start time to the tariff changing time. The attribute is applicable only to the RADIUS server that runs RADIUS+1.0.
115  In-Kb-After-T-Switch  Indicates the traffic received after the tariff change, in kbytes. If the tariff is not changed in a real-time accounting interval, the attribute indicates the total traffic received by the ME60 in the interval. If the tariff is changed in the real-time accounting interval, the attribute indicates the traffic received by the ME60 from the tariff changing time to the accounting stop time. The attribute is applicable only to the RADIUS server that runs RADIUS+1.0.
116  Out-Kb-After-T-Switch  Indicates the traffic sent after the tariff change, in kbytes. If the tariff is not changed in a real-time accounting interval, the attribute indicates the total traffic sent by the ME60 in the interval. If the tariff is changed in the real-time accounting interval, the attribute indicates the traffic sent by the ME60 from the tariff changing time to the accounting stop time. The attribute is applicable only to the RADIUS server that runs RADIUS+1.0.
117  In-Pkts-After-T-Switch  Indicates the number of packets received after the tariff change. If the tariff is not changed in a real-time accounting interval, the attribute indicates the total number of packets received by the ME60 in the interval. If the tariff is changed in the real-time accounting interval, the attribute indicates the number of packets received by the ME60 from the tariff changing time to the accounting stop time. The attribute is applicable only to the RADIUS server that runs RADIUS+1.0.


No.  Attribute  Description
118  Out-Pkts-After-T-Switch  Indicates the number of packets sent after the tariff change. If the tariff is not changed in a real-time accounting interval, the attribute indicates the total number of packets sent by the ME60 in the interval. If the tariff is changed in the real-time accounting interval, the attribute indicates the number of packets sent by the ME60 from the tariff changing time to the accounting stop time. The attribute is applicable only to the RADIUS server that runs RADIUS+1.0.
121  Input-Peak-Rate  Indicates the upstream peak rate, in bit/s. The attribute is applicable only to the RADIUS server that runs RADIUS+1.0.
122  Input-Average-Rate  Indicates the upstream average rate, in bit/s. The attribute is applicable only to the RADIUS server that runs RADIUS+1.0.
123  Input-Basic-Rate  Indicates the upstream basic rate, in bit/s. The attribute is applicable only to the RADIUS server that runs RADIUS+1.0.
124  Output-Peak-Rate  Indicates the downstream peak rate, in bit/s. The attribute is applicable only to the RADIUS server that runs RADIUS+1.0.
125  Output-Average-Rate  Indicates the downstream average rate, in bit/s. The attribute is applicable only to the RADIUS server that runs RADIUS+1.0.
126  Output-Basic-Rate  Indicates the downstream basic rate, in bit/s. The attribute is applicable only to the RADIUS server that runs RADIUS+1.0.
127  Online-User-Id  Indicates the connection index of the user. The attribute is applicable only to the RADIUS server that runs RADIUS+1.0.
128  Connect-port  Indicates the access port of the user. The format of the port number is host name-vlan-slot number (two digits)-VLAN ID (four digits)@vlan. The attribute is applicable only to the RADIUS server that runs RADIUS+1.0.

9.3 Huawei RADIUS+1.1 Attributes


No.  Attribute  Description
26-2  Input-Average-Rate  Indicates the upstream average rate, in bit/s. The attribute is applicable only to the standard RADIUS server and portal server (using the RADIUS+1.1 protocol).
26-3  Input-Peak-Rate  Indicates the upstream peak rate, in bit/s.
26-5  Output-Average-Rate  Indicates the downstream average rate, in bit/s.
26-6  Output-Peak-Rate  Indicates the downstream peak rate, in bit/s.
26-7  In-Kb-Before-T-Switch  Indicates the traffic received before the tariff change, in kbytes. If the tariff is not changed in a real-time accounting interval, the attribute indicates the total traffic received by the ME60 in the interval. If the tariff is changed in the real-time accounting interval, the attribute indicates the traffic received by the ME60 from the accounting start time to the tariff changing time. The attribute is applicable only to the RADIUS server that runs RADIUS+1.1.
26-8  Out-Kb-Before-T-Switch  Indicates the traffic sent before the tariff change, in kbytes. If the tariff is not changed in a real-time accounting interval, the attribute indicates the total traffic sent by the ME60 in the interval. If the tariff is changed in the real-time accounting interval, the attribute indicates the traffic sent by the ME60 from the accounting start time to the tariff changing time. The attribute is applicable only to the RADIUS server that runs RADIUS+1.1.
26-9  In-Pkt-Before-T-Switch  Indicates the number of packets received before the tariff change. If the tariff is not changed in a real-time accounting interval, the attribute indicates the total number of packets received by the ME60 in the interval. If the tariff is changed in the real-time accounting interval, the attribute indicates the number of packets received by the ME60 from the accounting start time to the tariff changing time. The attribute is applicable only to the RADIUS server that runs RADIUS+1.1.


No.  Attribute  Description
26-10  Out-Pkt-Before-T-Switch  Indicates the number of packets sent before the tariff change. If the tariff is not changed in a real-time accounting interval, the attribute indicates the total number of packets sent by the ME60 in the interval. If the tariff is changed in the real-time accounting interval, the attribute indicates the number of packets sent by the ME60 from the accounting start time to the tariff changing time. The attribute is applicable only to the RADIUS server that runs RADIUS+1.1.
26-11  In-Kb-After-T-Switch  Indicates the traffic received after the tariff change, in kbytes. If the tariff is not changed in a real-time accounting interval, the attribute indicates the total traffic received by the ME60 in the interval. If the tariff is changed in the real-time accounting interval, the attribute indicates the traffic received by the ME60 from the tariff changing time to the accounting stop time. The attribute is applicable only to the RADIUS server that runs RADIUS+1.1.
26-12  Out-Kb-After-T-Switch  Indicates the traffic sent after the tariff change, in kbytes. If the tariff is not changed in a real-time accounting interval, the attribute indicates the total traffic sent by the ME60 in the interval. If the tariff is changed in the real-time accounting interval, the attribute indicates the traffic sent by the ME60 from the tariff changing time to the accounting stop time. The attribute is applicable only to the RADIUS server that runs RADIUS+1.1.
26-13  In-Pkt-After-T-Switch  Indicates the number of packets received after the tariff change. If the tariff is not changed in a real-time accounting interval, the attribute indicates the total number of packets received by the ME60 in the interval. If the tariff is changed in the real-time accounting interval, the attribute indicates the number of packets received by the ME60 from the tariff changing time to the accounting stop time. The attribute is applicable only to the RADIUS server that runs RADIUS+1.1.


No.  Attribute  Description
26-14  Out-Pkt-After-T-Switch  Indicates the number of packets sent after the tariff change. If the tariff is not changed in a real-time accounting interval, the attribute indicates the total number of packets sent by the ME60 in the interval. If the tariff is changed in the real-time accounting interval, the attribute indicates the number of packets sent by the ME60 from the tariff changing time to the accounting stop time. The attribute is applicable only to the RADIUS server that runs RADIUS+1.1.
26-15  Remnant-Volume  Indicates the available traffic volume of the user, in kbytes.
26-16  Tariff-Switch-Interval  Indicates the interval in seconds between the latest tariff changing time and the current time. The attribute is applicable only to the RADIUS server that runs RADIUS+1.1.
26-20  Command  Indicates the operation on the session:
    - 1: session trigger request
    - 2: session interrupt request
    - 3: policy setting
    - 4: result
    The attribute is applicable only to the RADIUS server that runs RADIUS+1.1.
26-22  HW-Priority  Indicates the priority of the user's service. The value ranges from 0 to 13, or is 15.
26-24  Control-Identifier  Indicates the identifier of the packet re-sent by the server. The identifiers of the re-sent packets in the same session must be the same. The attribute must be returned unchanged in the response packet of the client. The attribute is invalid in the start-accounting, real-time accounting, and stop-accounting packets. The attribute is applicable only to the RADIUS server that runs RADIUS+1.1.
26-25  Result-Code  This attribute takes effect when attribute 26-20 (Command) is set to 3 or 4. The value 0 indicates success, and other values indicate a failure. The attribute is applicable only to the RADIUS server that runs RADIUS+1.1.
26-26  Connect-ID  Indicates the connection index of the user. The attribute is applicable only to the RADIUS server that runs RADIUS+1.1.


No.  Attribute  Description
26-27  Portal-URL  Indicates the URL in the captive portal service of the PPP user. The attribute is applicable only to the RADIUS server that runs RADIUS+1.1.
26-28  Ftp-directory  Indicates the initial directory of the FTP user.
26-29  Exec-Privilege  Indicates the priority of operation users such as a Telnet user. The value ranges from 0 to 15.
26-31  QoS-Profile  Indicates the name of the QoS profile for the user.
26-32  HW-SIP-Server  Indicates the SIP server address or name delivered to the DHCP user. The address is in dotted decimal notation; the name is in the format of abc.com.
26-34  HW-User-Authorize-Mode  Indicates the authorization mode:
    - QS identifies the query status: Acct-Session-ID and Framed-IP-Address are returned.
    - QUC indicates that the upstream QoS parameters (CIR/PIR) are queried.
    - QDC indicates that the downstream QoS parameters (CIR/PIR) are queried.
    - QUF indicates that the upstream traffic information is queried, including the number of packets and bytes.
    - QDF indicates that the downstream traffic information is queried, including the number of packets and bytes.
    The preceding queries can be in any combination. For example, you can specify QUFDF to query both upstream and downstream traffic information.
26-35  HW-Renewal-Time  Indicates the time interval from address assignment until the DHCP user transitions to the RENEWING state.
26-36  HW-Rebinding-Time  Indicates the time interval from address assignment until the DHCP user transitions to the REBINDING state.
26-59  Startup-Stamp  Indicates the time when the ME60 starts, in seconds. The value is the number of absolute seconds since January 1, 1970 00:00 UTC.


No.  Attribute  Description
26-60  Ip-Host-Address  Indicates the IP address and MAC address contained in the authentication and accounting packets. The format is A.B.C.D HH:HH:HH:HH:HH:HH. The IP address and the MAC address are separated by a blank space. If the user's IP address is not valid during the authentication, A.B.C.D is set to 255.255.255.255.
26-70  PPP-NCP-TYPE  Indicates the NCP negotiation type. The value 1 indicates that the PPP user performs BCP negotiation.
26-71  VSI-NAME  Indicates the VSI name. The value is a string of 1 to 32 characters.
26-79  Reduced-cir  Indicates the reduced committed rate. The value is an integer ranging from 0 to 1000000 kbit/s. For a user using the reserved bandwidth, the RADIUS server delivers the bandwidth attribute to the user. The attribute indicates the bandwidth decrement for the user; that is, after an STB user goes online, the bandwidth of this user is reduced by this value. The attribute is used to reduce only the downstream committed rate.
26-80  Tunnel-session-limit  Indicates the maximum number of sessions on an L2TP tunnel.


No.  Attribute  Description
26-82  hw-Data-Filter  When a user goes online, the RADIUS server delivers the ACL through this attribute. The format of this attribute is as follows:
    - Format of the classifier string:
      Hw-Data-Filter = "type=1;classfiername=string[1-31];behavior-name=string[1-31];protocol=[0-255];srctype=<1-2>;source={source-ipaddr;mask=source-ipmask;srcport=source-port-list | user-group=string[1-32]};dsttype=<1-2>;dest={dest-ipaddr;mask=dest-ipmask;dstport=dest-port-list | user-group=string[1-32]};dscp=[0-63];fragment=<1-5>;synflag=<0-63>;precedence=<0-7>;"
      For example: 1;classifier1;behaviorname1;0;1;usergroup1;2;1.1.1.0;0.0.0.255;1-65535;;;;;
    - Format of the behavior string:
      Hw-Data-Filter = "type=2;behavior-name=string[1-31];action=permit|deny;remark-dscp=[0-63];remark-802.1p=[0-7];RedirectNexthop=ip-addr;traffic-statistic=0|1;traffic-statistic-summary=<0|1>;cir=[8-10000000];cbs=[10000-4294967295];pir=[8-10000000];pbs=[1-4294967295];car-summary=<0|1>;hitcount=<0|1>;"
      For example: 2;behaviorname1;1;;;;1;1;100;50000;;;0;
26-83  Access-Service  Indicates the access service profile for the user.
26-85  Portal-Mode  Indicates the operation mode of the captive portal. The value can be PADM, Redirect, or Disable Portal.
26-87  hw-Policy-Route  Indicates the redirected route, namely, the next hop IP address of the user.
26-88  hw-Framed-Pool  This attribute is the same as attribute 88 (Framed-Pool) of the standard RADIUS attributes.
26-89  hw-L2TP-terminate-cause  Indicates the reason why an L2TP user logs out.
26-90  hw-Multi-Account-Mode  Indicates the accounting mode. The value 0 indicates non-multicast accounting and the value 1 indicates multicast accounting.


No.  Attribute  Description
26-93  Iptv-profile-name  Indicates the name of the multicast profile. The value is a string of 1 to 32 characters.
26-94  VPN-Instance  Indicates the VPN instance of the user. The attribute is contained in the authentication success packets.
26-95  Policy-Name  Indicates the name of the value-added service policy. The attribute is carried in the authentication accept packets and the CoA packets. The ME60 supports delivering multiple value-added services either by encapsulating multiple Policy-Name attributes in a packet or by carrying multiple policy names in one Policy-Name attribute, separated by the separator |. The ME60 can deliver one DAA service policy name and eight SSG policy names. Up to 16 value-added service policies can be delivered in a packet. The Policy-Name attribute is named Vas-Policy-Name in certain versions.
26-96  Tunnel-Group-Name  Indicates the name of the L2TP group.
26-97  Multicast-Source-Group  Indicates the address of the multicast group that the user functioning as the multicast source can join, and the matching CAR level. The value is a string of 36 bytes and must be formed by numerals ranging from 0 to 9. The first 4 bytes of the value indicate the IP address of the multicast group. The remaining 32 bytes are used for the multicast CAR; they are divided into 4 segments of 8 bytes each, indicating the upstream peak rate, upstream average rate, downstream peak rate, and downstream average rate respectively. The unit of the rates is bit/s. Multiple Multicast-Source-Group attributes can be contained in a packet, indicating that the user belongs to multiple multicast groups.
26-98  Multicast-Receive-Group  Indicates the address of the multicast group that the user functioning as the multicast receiver can join. Multiple Multicast-Receive-Group attributes can be contained in a packet, indicating that the user belongs to multiple multicast groups.


No.  Attribute  Description
26-99  Multicast-Type  Indicates the multicast type. The value 1 indicates unicast; the value 2 indicates multicast; the value 3 indicates unicast and multicast.
26-135  Primary-DNS  Indicates the primary DNS address delivered by the RADIUS server after the authentication succeeds.
26-136  Secondary-DNS  Indicates the secondary DNS address delivered by the RADIUS server after the authentication succeeds.
26-138  Domain-Name  Indicates the domain name for user authentication.
26-139  Ancp-Profile  Indicates the name of the ANCP template.
26-143  hw-Max-List-Num  Indicates the maximum number of programs that a user can request at the same time.
26-254  Version  Indicates the software version of the equipment.
26-255  Product-ID  Indicates the product name.

9.4 Microsoft RADIUS Attributes


No.  Attribute  Description
26-1  MS-CHAP-Response  Indicates the response to the challenge in MS-CHAP authentication. The value contains 50 bytes.
26-2  MS-CHAP-Error  Indicates the error information carried when the MS-CHAP authentication packet is rejected. The value contains 80 bytes.
26-4  MS-CHAP-CPW-2  Indicates the password change attribute in CHAP V2. The value contains 84 bytes.
26-6  MS-CHAP-NT-Enc-PW  Indicates the new CHAP password generated after the previous password is encrypted. The encrypted password contains 516 bytes, which exceeds the maximum length of a RADIUS attribute. Therefore, the password must be fragmented and encapsulated in multiple attribute fields. Each attribute field contains a 2-byte sequence number for reassembling the fragments.


No.  Attribute  Description
26-11  MS-CHAP-Challenge  Indicates the CHAP challenge. For MS-CHAP authentication, the value contains 8 bytes. For MS-CHAP2 authentication, the value contains 16 bytes. When the MS-CHAP2 password is changed, the value contains 32 bytes.
26-16  MS-MPPE-Send-Key  Indicates the MPPE key that the RADIUS server delivers to the NAS. The NAS then encrypts or decrypts the key and sends the key to the AP equipment. This attribute is applicable only to WLAN users.
26-25  MS-CHAP2-Response  Indicates the response to the challenge in CHAP2 authentication. The value contains 50 bytes.
26-26  MS-CHAP2-Success  Indicates that the CHAP2 authentication succeeds. The value contains 42 bytes.
26-27  MS-CHAP2-CPW  Indicates the password change attribute in MS-CHAP2. If the password of a user expires, the attribute allows the user to change the password.
26-28  MS-Primary-DNS-Server  Indicates the primary DNS server specified for the PPP user after authentication.
26-29  MS-Secondary-DNS-Server  Indicates the secondary DNS server specified for the PPP user after authentication.

9.5 DSL Forum RADIUS Attributes


No.  Attribute  Description
26-1  Agent-Circuit-Id  Indicates the circuit ID of the device accessed by a user. The circuit must match the logical port of the access node, such as a DSLAM, in the request of the user. The value is a string of 1 to 32 characters.
26-2  Agent-Remote-Id  Indicates the ID of the circuit associated with the login user. The attribute uniquely identifies a user. The value is a string of 1 to 32 characters.
26-129  Actual-Data-Rate-Upstream  Indicates the actual upstream rate of the circuit matching a user. The value is an integer of 4 bytes.


No.  Attribute  Description
26-130  Actual-Data-Rate-Downstream  Indicates the actual downstream rate of the circuit matching a user. The value is an integer of 4 bytes.
26-131  Minimum-Data-Rate-Upstream  Indicates the configured minimum upstream rate of a user. The value is an integer of 4 bytes.
26-132  Minimum-Data-Rate-Downstream  Indicates the configured minimum downstream rate of a user. The value is an integer of 4 bytes.
26-133  Attainable-Data-Rate-Upstream  Indicates the available maximum upstream rate of a user. The value is an integer of 4 bytes.
26-134  Attainable-Data-Rate-Downstream  Indicates the available maximum downstream rate of a user. The value is an integer of 4 bytes.
26-135  Maximum-Data-Rate-Upstream  Indicates the configured maximum upstream rate of a user. The value is an integer of 4 bytes.
26-136  Maximum-Data-Rate-Downstream  Indicates the configured maximum downstream rate of a user. The value is an integer of 4 bytes.
26-137  Minimum-Data-Rate-Upstream-Low-Power  Indicates the configured minimum upstream rate of a user whose modem is in the low-voltage state (L1/L2). The value is an integer of 4 bytes.
26-138  Minimum-Data-Rate-Downstream-Low-Power  Indicates the configured minimum downstream rate of a user whose modem is in the low-voltage state (L1/L2). The value is an integer of 4 bytes.
26-139  Maximum-Interleaving-Delay-Upstream  Indicates the maximum delay of the upstream traffic in each line. The value is an integer of 4 bytes.
26-140  Actual-Interleaving-Delay-Upstream  Indicates the actual delay of the upstream traffic in each line. The value is an integer of 4 bytes.
26-141  Maximum-Interleaving-Delay-Downstream  Indicates the maximum delay of the downstream traffic in each line. The value is an integer of 4 bytes.
26-142  Actual-Interleaving-Delay-Downstream  Indicates the actual delay of the downstream traffic in each line. The value is an integer of 4 bytes.
26-144  Access-Loop-Encapsulation  Indicates the encapsulation type of the access circuit of a user. The value is a string of 1 to 24 characters.


9.6 Description of RADIUS Attributes


9.6.1 Acct-Session-ID (44)
9.6.2 Calling-Station-Id (31)
9.6.3 Class (25)
9.6.4 Connect-Port (128)
9.6.5 NAS-Identifier (32)
9.6.6 NAS-Port (5)
9.6.7 NAS-Port-Id (87)

9.6.1 Acct-Session-ID (44)


The ME60 supports three formats of the Acct-Session-ID attribute and ensures that users use different strings of this attribute. The RADIUS server processes user packets regardless of the format of the Acct-Session-ID attribute. The ME60 supports the following formats of the Acct-Session-ID attribute:

- version1: In Ethernet access, the format of this version is as follows: Host name (7 digits) + slot number (2 digits) + card number (1 digit) + port number (2 digits) + outer VLAN ID (4 digits) + inner VLAN ID (5 digits) + CPUTICK (6 digits, hexadecimal) + connection index of the user (6 digits)

- version2: In Ethernet access, the format of this version is as follows: Outer VLAN ID (4 digits) + CPUTICK (6 digits, hexadecimal) + connection index of the user (6 digits)

- version3: The format of this version is as follows: CPUTICK (2 digits, hexadecimal) + connection index of the user (6 digits)
  NOTE: If the value of the CPUTICK field contains more than two digits, the lower two digits are taken as the CPUTICK value.

- Format for the DSG server: No matter which version you configure on the ME60, the ME60 uses the Acct-Session-ID attribute in the following format for the accounting of the DSG service: Host name (7 digits) + slot number (2 digits) + card number (1 digit) + port number (2 digits) + DSG + service ID (5 digits) + CPUTICK (6 digits, hexadecimal) + connection index of the user (6 digits)

9.6.2 Calling-Station-Id (31)

The format of the Calling-Station-Id (31) attribute is determined by the user type.

- For a PPP user or a DHCP user in the Ethernet network, this attribute contains the MAC address of the user, and the format is XX:XX:XX:XX:XX:XX.
- For an LNS user, this attribute is a string of the AVP 22 attribute, namely, the dialing number attribute on the LAC.
- For an LAC user in the Ethernet network, the ME60 encapsulates the L2TP AVP in the following format: MAC address interface type slot number/subcard number/port number: outer VLAN ID. inner VLAN ID Option 82. For an Eth-Trunk interface, the value of the interface type field is trunk. For other interfaces, the value of the interface type field is eth. The Option 82 field is filled by the string following the last space of the actual Option 82 information. If the Option 82 does not exist, this field is filled by 0/0/0/0/0/0.
- For a WLAN user, when the ME60 functions as the RADIUS proxy, the format of the attribute is as follows: The Calling-Station-Id (31) attribute contained in the RADIUS packet that the ME60 receives from the RADIUS client can be in the format XX:XX:XX:XX:XX:XX, XX-XX-XX-XX-XX-XX, XXXX:XXXX:XXXX, or XXXX-XXXX-XXXX. The ME60 can parse the attribute in any of these formats. When forwarding the RADIUS packet, the ME60 uses the format XX:XX:XX:XX:XX:XX. After the Calling-Station-Id (31) attribute is translated to the Calling-Station-Id-old attribute, the attribute contained in the packet received from the RADIUS client can also be XXXXXXXXXXXX. When forwarding the RADIUS packet, the ME60 then uses the format XXXXXXXXXXXX.

NOTE
- In the attribute string, X is a hexadecimal integer.
- For PPPoA users, the attribute is invalid.

9.6.3 Class (25)

The Class attribute can be in the standard format specified in the RFC or contain the CAR parameters. If the radius-server class-as-car command is run in the RADIUS server group view, the Class attribute is parsed into CAR parameters. If the Class attribute contains the CAR parameters, the Class attribute contains at least 32 bytes and the value contains only the digits 0 to 9. The ME60 processes only the first 32 bytes and divides them into four segments of 8 bytes each. From left to right, the four segments indicate the upstream peak information rate, upstream average rate, downstream peak information rate, and downstream average rate. The unit of the rates is bit/s. The system supports only one Class attribute. If the RADIUS server delivers more than one Class attribute, the CAR parameters contained in the last Class attribute take effect.

NOTE
- The Class attribute containing the CAR parameters is applicable only to the standard RADIUS server.
- The Class attribute is finally transmitted to the RADIUS server regardless of whether the attribute contains the CAR parameters.
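The Class-as-CAR parsing rules above as code, added here as an example (not Huawei code): only the first 32 bytes count, they are split into four 8-byte decimal rates, and when the server delivers several Class attributes the last one is used. Treating a value whose first 32 bytes are not all digits as a standard (opaque) Class, and the average-not-above-peak sanity check, are this example's additions, not rules stated on the page.

```python
"""Parse Class (25) values that carry CAR parameters (radius-server class-as-car).

Added example, not Huawei code. Rules taken from the text: first 32 bytes only,
four 8-byte decimal fields in bit/s (upstream PIR, upstream average,
downstream PIR, downstream average), last Class attribute wins.
Assumption of this example: a value whose first 32 bytes are not all digits is
treated as a standard opaque Class and not interpreted.
"""

CAR_FIELDS = ("up_pir_bps", "up_avg_bps", "down_pir_bps", "down_avg_bps")


def parse_class_as_car(value: bytes):
    """Return the four CAR rates from one Class value, or None if it is not CAR-shaped."""
    head = value[:32]                      # the ME60 processes only the first 32 bytes
    if len(head) < 32 or not head.isdigit():
        return None                        # opaque Class: echo it back, do not interpret
    rates = (int(head[i:i + 8]) for i in range(0, 32, 8))
    return dict(zip(CAR_FIELDS, rates))


def effective_car(class_values):
    """Apply the stated rule for several Class attributes: the last one takes effect."""
    if not class_values:
        return None
    return parse_class_as_car(class_values[-1])


def car_is_consistent(car) -> bool:
    """Sanity check added by this example: an average rate must not exceed its peak."""
    return (car is not None
            and car["up_avg_bps"] <= car["up_pir_bps"]
            and car["down_avg_bps"] <= car["down_pir_bps"])


if __name__ == "__main__":
    # Constructed sample: 1 Mbit/s up PIR, 500 kbit/s up avg, 20/10 Mbit/s down.
    sample = b"01000000005000002000000010000000"
    print(parse_class_as_car(sample), car_is_consistent(parse_class_as_car(sample)))
```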


9.6.4 Connect-Port (128)

The Connect-Port attribute is a string of 32 bytes. The format of this attribute depends on the version configured by the vlanpvc-to-username command and on RADIUS attribute translation.

- Version 1.0: For an Ethernet interface, the format of the Connect-Port attribute is as follows: Host name + - + slot number (2 bytes) + subslot number (1 byte) + port number (1 byte) + VLAN ID (7 bytes) + @vlan
- Other versions: For an Ethernet interface, the format is as follows:
  If the outer VLAN ID is 0, the format of the Connect-Port attribute is: Host name + - + slot number (2 bytes) + subslot number (1 byte) + interface number (1 byte) + VLAN ID (9 bytes) + @vlan
  If the outer VLAN ID is not 0, the format of the Connect-Port attribute is: Host name + - + slot number (2 bytes) + subslot number (1 byte) + interface number (1 byte) + outer VLAN ID (4 bytes) + 0 + inner VLAN ID + @vlan
- Format of Connect-Port-New: After the Connect-Port attribute is translated to the Connect-Port-New attribute, its format is similar to the original format. The difference is that the port number is expanded to 2 bytes.

The system determines the format of the Connect-Port attribute according to the preceding rules. If the attribute string contains fewer than 32 bytes, it is padded with 0s. If the attribute string contains more than 32 bytes, the first 32 bytes are used.

9.6.5 NAS-Identifier (32)


The NAS-Identifier attribute indicates the name of the NAS device, namely, the host name. When the NAS-Identifier attribute is translated to the Nas-Identif-Sim attribute through the attribute conversion command, the value of the Nas-Identif-Sim attribute is the name of the BAS interface. If the BAS interface is not configured, the value of the Nas-Identif-Sim attribute is the host name.

9.6.6 NAS-Port (5)

The NAS-Port attribute can be translated to the following formats as required.

Default Format
For an Ethernet interface, the default format of the NAS-Port attribute is as follows: Slot number (8 bits) + subslot number (4 bits) + interface number (8 bits) + VLAN ID (12 bits). If there are two layers of VLANs, only the inner VLAN ID is contained in this attribute.

Format of NAS-Port-New
For an Ethernet interface, the NAS-Port attribute can be translated to the NAS-Port-New attribute, and its format is changed to the following: Slot number (12 bits) + interface number (8 bits) + VLAN ID (12 bits). If there are two layers of VLANs, only the inner VLAN ID is contained in this attribute.

Format of NAS-Port-Qinq
For an Ethernet interface, the NAS-Port attribute can be translated to the NAS-Port-Qinq attribute, and its format is changed to the following: Slot number (3 bits) + subslot number (1 bit) + interface number (4 bits) + QinQ VLAN ID (12 bits) + VLAN ID (12 bits)

Format of NAS-Port-Cid
The NAS-Port-Cid attribute is encapsulated in the packets of L2TP users and it specifies the CID of an L2TP user. For other types of users, the default format of the NAS-Port attribute is used.
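The three NAS-Port bit layouts above (default, NAS-Port-New, NAS-Port-Qinq) as pack and unpack routines, added here as an example (not Huawei code). It assumes the fields are laid out most-significant first in the order the text lists them, and it refuses values that do not fit their field width, which is where the 3-bit slot and 4-bit interface number of the Qinq layout bite.

```python
"""Pack and unpack the ME60 NAS-Port (5) bit layouts described above.

Added example, not Huawei code. Field order most-significant-first is an
assumption of this example; widths come from the text and each layout is 32 bits.
"""

# (field name, width in bits), most significant field first.
NAS_PORT_LAYOUTS = {
    "default": (("slot", 8), ("subslot", 4), ("port", 8), ("vlan", 12)),
    "new":     (("slot", 12), ("port", 8), ("vlan", 12)),
    "qinq":    (("slot", 3), ("subslot", 1), ("port", 4), ("qinq_vlan", 12), ("vlan", 12)),
}
assert all(sum(w for _, w in lay) == 32 for lay in NAS_PORT_LAYOUTS.values())


def nas_port_fits(layout, **fields):
    """True if every field value fits the width the layout gives it."""
    for name, width in NAS_PORT_LAYOUTS[layout]:
        value = fields.get(name, 0)
        if value < 0 or value >= (1 << width):
            return False
    return True


def pack_nas_port(layout, **fields):
    """Return the 32-bit NAS-Port integer for `layout`.

    For double-tagged users pass the inner VLAN ID as `vlan`: the default and
    new layouts carry only the inner VLAN ID, the qinq layout also takes
    `qinq_vlan` for the outer tag.
    """
    if not nas_port_fits(layout, **fields):
        raise ValueError(f"field does not fit layout {layout!r}: {fields}")
    value = 0
    for name, width in NAS_PORT_LAYOUTS[layout]:
        value = (value << width) | fields.get(name, 0)
    return value


def unpack_nas_port(layout, value):
    """Inverse of pack_nas_port: split a 32-bit integer into its named fields."""
    if not 0 <= value < (1 << 32):
        raise ValueError("NAS-Port is a 32-bit integer")
    fields, shift = {}, 32
    for name, width in NAS_PORT_LAYOUTS[layout]:
        shift -= width
        fields[name] = (value >> shift) & ((1 << width) - 1)
    return fields


if __name__ == "__main__":
    # Constructed sample: slot 3, subslot 0, port 7, inner VLAN 2001.
    v = pack_nas_port("default", slot=3, subslot=0, port=7, vlan=2001)
    print(v, unpack_nas_port("default", v))
```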

9.6.7 NAS-Port-Id (87)

The NAS-Port-Id attribute can be translated to the following formats as required.

Default Format
The default format of the NAS-Port-Id attribute depends on the vbas, client-option82, and nas logic-port commands run on the BAS interface and on the vlanpvc-to-username and radius-attribute-format nas-port-id commands. The format of the NAS-Port-Id attribute is determined by these commands as follows:

- The format version is configured to version 2.0 by the vlanpvc-to-username command, and the vbas or client-option82 command is run on the client to enable VBAS or Client-Option 82. If the packet from the client contains the VBAS or Client-Option82 attribute, the NAS-Port-Id attribute uses the format of the attribute contained in the packet; otherwise:
  If the outer VLAN ID is 0, the format of the NAS-Port-Id attribute is as follows: Host name eth slot number/subslot number/interface number: outer VLAN ID. inner VLAN ID
  If the outer VLAN ID is not 0, the format of the NAS-Port-Id (87) attribute is as follows: Host name eth slot number/subslot number/interface number: inner VLAN ID
- The format version is configured to version 2.0 by the vlanpvc-to-username command, but the vbas or client-option82 command is not run on the client.
  If the outer VLAN ID is 0, the format of the NAS-Port-Id (87) attribute is as follows: slot = slot number; subslot = subslot number; port = interface number; vlanid = inner VLAN ID;
  If the outer VLAN ID is not 0, the format of the NAS-Port-Id attribute is as follows: slot = slot number; subslot = subslot number; port = port number; vlanid = inner VLAN ID; vlanid2 = outer VLAN ID.

- The format version is configured to version 1.0 by the vlanpvc-to-username command, and the vbas or client-option82 command is run on the client to enable VBAS or Client-Option 82. The format of the NAS-Port-Id attribute is the same as the format used when the format version is configured to version 2.0 and VBAS or Client-Option 82 is enabled.
- The format version is configured to version 1.0 by the vlanpvc-to-username command, but the vbas or client-option82 command is not run on the client. Regardless of the outer VLAN ID, the format of the NAS-Port-Id attribute is as follows: slot = slot number; subslot = subslot number; port = port number; vlanid = inner VLAN ID;

- The format version is configured to the standard format by the vlanpvc-to-username command, and the vbas or client-option82 command is run on the client to enable VBAS or Client-Option 82.
  For an Ethernet interface or a GE interface, the format of the NAS-Port-Id attribute is as follows: eth slot number/subslot number/interface number: evlan.ivlan client information
  For an Eth-Trunk interface, the format of the NAS-Port-Id (87) attribute is as follows: trunk slot number/subslot number/interface number: evlan.ivlan client information
  For a VLL interface, the format of the NAS-Port-Id attribute is as follows: PW slot number/subslot number/interface number: evlan.ivlan
  If the packet from the client does not contain the VBAS information or the Client-Option82, the client information field in the NAS-Port-Id attribute is filled by 0/0/0/0/0/0. If the client information contains spaces, the client information field in the NAS-Port-Id attribute is filled by the content following the last space. If the last space is not followed by any information, the client information field is filled by 0/0/0/0/0/0. If the client information does not contain any space, the client information field in the NAS-Port-Id attribute is filled by the complete client information. On a main interface, the values of evlan and ivlan are both 4096. If the outer VLAN ID is 0, the value of evlan is 4096, and the value of ivlan is the actual inner VLAN ID.
- The format version is configured to the standard format by the vlanpvc-to-username command, but the vbas or client-option82 command is not run on the client.
  For an Ethernet interface or a GE interface, the format of the NAS-Port-Id attribute is as follows: eth slot number/subslot number/interface number: evlan.ivlan 0/0/0/0/0/0
  For an Eth-Trunk interface, the format of the NAS-Port-Id attribute is as follows: trunk slot number/subslot number/interface number: evlan.ivlan 0/0/0/0/0/0
  For a VLL interface, the format of the NAS-Port-Id attribute is as follows: PW slot number/subslot number/interface number: evlan.ivlan
  For an Eth-Trunk interface, the subslot number is always 0. On a main interface, the values of evlan and ivlan are both 4096. If the outer VLAN ID is 0, the value of evlan is 4096, and the value of ivlan is the actual inner VLAN ID.
- The format is configured to the Turkey version by the vlanpvc-to-username command. Regardless of whether VBAS or Client-Option 82 is enabled and whether the packet of the client contains the VBAS information or Client-Option 82, the format of the NAS-Port-Id attribute is: Slot number/interface number evlan:ivlan. On a main interface, the values of evlan and ivlan are both 4096. If the outer VLAN ID is 0, the value of evlan is 4096, and the value of ivlan is the actual inner VLAN ID.

NOTE
In the preceding conditions, if the nas logic-port command is run to configure a logical interface, the slot number, subslot number, port number, and VLAN ID in the NAS-Port-Id attribute are substituted by the information about the logical interface. If the radius-attribute-format nas-port-id command is run to configure the subcard type in the subslot number field of the NAS-Port-Id attribute, the slot number, subslot number, and port number are changed to the corresponding numbers on the board with only one subcard. For example, if the interfaces on the board with two subcards are numbered ETH1/0/0 to ETH1/0/7 (interfaces on subcard 0) and ETH1/1/0 to ETH1/1/7 (interfaces on subcard 1), the interface IDs are changed to ETH1/0/0 to ETH1/0/15 after you run the radius-attribute-format nas-port-id command.
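The standard-format NAS-Port-Id rules from the list above as a builder, added here as an example (not Huawei code): the evlan/ivlan substitution (4096 on a main interface or when the outer VLAN ID is 0), the fixed 0/0/0/0/0/0 field when VBAS or Client-Option 82 is disabled or absent, and the "content after the last space" rule for client information. Assumed, since the page shows spacing only loosely: separators are written without surrounding spaces, i.e. "eth 3/0/7:100.2001 <client information>", and the Eth-Trunk subslot is 0 in both the enabled and disabled cases.

```python
"""Build the ME60 NAS-Port-Id (87) attribute in the "standard" vlanpvc-to-username format.

Added example, not Huawei code. Assumptions not stated on the page: no spaces
around '/', ':' and '.', and the Eth-Trunk subslot is 0 whether or not
VBAS / Client-Option 82 is enabled.
"""

NO_CLIENT_INFO = "0/0/0/0/0/0"
MAIN_INTERFACE_VLAN = 4096          # evlan and ivlan on a main interface
PREFIX = {"eth": "eth", "trunk": "trunk", "pw": "PW"}


def client_info_field(client_info):
    """Apply the "last space" rule to VBAS / Client-Option82 client information."""
    if not client_info:
        return NO_CLIENT_INFO            # no VBAS / Option 82 information in the packet
    if " " not in client_info:
        return client_info               # no space: the complete client information
    tail = client_info.rsplit(" ", 1)[1]
    return tail if tail else NO_CLIENT_INFO   # nothing after the last space


def vlan_field(outer_vlan, inner_vlan, main_interface=False):
    """Return "evlan.ivlan" with the 4096 substitutions described above."""
    if main_interface:
        return f"{MAIN_INTERFACE_VLAN}.{MAIN_INTERFACE_VLAN}"
    evlan = MAIN_INTERFACE_VLAN if outer_vlan == 0 else outer_vlan
    return f"{evlan}.{inner_vlan}"


def nas_port_id_standard(if_type, slot, subslot, port, outer_vlan=0, inner_vlan=0,
                         main_interface=False, client_option_enabled=False,
                         client_info=None):
    """if_type is 'eth' (Ethernet/GE), 'trunk' (Eth-Trunk) or 'pw' (VLL interface)."""
    if if_type == "trunk":
        subslot = 0                      # assumption: always 0 for an Eth-Trunk interface
    base = (f"{PREFIX[if_type]} {slot}/{subslot}/{port}:"
            f"{vlan_field(outer_vlan, inner_vlan, main_interface)}")
    if if_type == "pw":
        return base                      # VLL interfaces carry no client information field
    if client_option_enabled:
        return f"{base} {client_info_field(client_info)}"
    return f"{base} {NO_CLIENT_INFO}"    # vbas / client-option82 not configured


if __name__ == "__main__":
    # Constructed sample values, not from a real DSLAM.
    print(nas_port_id_standard("eth", 3, 0, 7, 100, 2001, client_option_enabled=True,
                               client_info="DSLAM01 atm 0/1:8.35"))
```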

Format of NAS-Port-Identify-Old
For an Ethernet interface, the NAS-Port-Id attribute can be translated into the NAS-Port-Identify-Old attribute and its format is changed to the following: Slot number (2 characters) + subslot number (2 characters) + port number (3 characters) + VLAN ID (9 characters). If there are two layers of VLANs, only the inner VLAN ID is contained in the attribute string. The PVC form of the attribute is: Slot number (2 characters) + subslot number (2 characters) + port number (3 characters) + PVC (9 characters)

Format of NAS-Port-Id-Uppercase
If the attribute string contains vlanidxxxx, vlanid is changed to the uppercase string, namely, VLANID.


10 HWTACACS Attributes

This appendix describes the HWTACACS attributes supported by the ME60.

Attribute: Description
Acl: Indicates the ACL number of the connection. This attribute is valid only when the value of service is shell and the value of cmd is NULL. The value ranges from 1 to 99.
Addr: Indicates the IP address of the PPP user. This attribute is valid when the value of Service is PPP and the value of Protocol is IP.
Addr-pool: Indicates the IP address pool of the PPP user. The ME60 allocates IP addresses for PPP users by using this address pool. This attribute is valid only when the value of Service is PPP and the value of Protocol is IP.
Autocmd: Indicates the auto-running command. This attribute is valid only when the value of service is shell and the value of cmd is NULL.
Bytes_in: This is the number of received bytes. K, M, G indicate KByte, MByte, and GByte. The default unit is Byte.
Bytes_out: This is the number of transmitted bytes. K, M, G indicate KByte, MByte, and GByte. The default unit is Byte.
Callback-line: Indicates the information displayed for users, which is sent from the authentication server, such as a mobile number.
Cmd: This indicates the command running on the shell. The value is a string of up to 251 characters. When the command is recorded, the value of this attribute is a complete command; when the command is authorized, the value of this attribute is the first keyword.
Cmd-arg: This indicates the command parameter used when the command authorization is requested.


Dnaverage: Indicates the average downstream rate of the user. The unit is bit/s.
Dnpeak: Indicates the peak downstream rate of the user. The unit is 1/8 of the number of passed bytes.
Dns-servers: Indicates the IP address of the DNS server. This attribute is valid when the value of Service is PPP and the value of Protocol is IP.
Disc_cause: Indicates the reason why the user logs out.
Disc_cause_ext: Indicates the extended reason why the user logs out.
Elapsed_time: Indicates the online duration of the user.
Event: This indicates an event. In this version, only the accounting packets contain this attribute. The attribute value is sys_acct.
Ftpdir: Indicates the initial directory of the FTP user.
Gw-password: Indicates the password of the gateway.
Ideltime: Indicates the idle-cut duration. If a user does not perform any operation within the specified period after logging in to the ME60, the ME60 disconnects the user. The value ranges from 0 to 35790, in minutes. If the value is 0, the idle cut function is not enabled.
Ip-addresses: Indicates the IP address of the LNS. Up to five IP addresses are supported. The IP addresses are separated by commas or semicolons.
L2tp-group-num: Indicates the number of an L2TP group. This number is the internal index of the L2TP groups in the ME60.
L2tp-hello-interval: Indicates the interval of L2TP hello packets. The value ranges from 60 to 100, in seconds.
L2tp-hidden-avp: Indicates that the AVP value pair of L2TP is hidden.
L2tp-nosession-timeout: An L2TP user is disconnected if no L2TP session exists in the specified period. The value ranges from 0 to 100000, in seconds.
L2tp-tos-reflect: Indicates the TOS of the L2TP user.
L2tp-tunnel-authen: Indicates whether to perform L2TP tunnel authentication.
L2tp-udp-checksum: Indicates the checksum of the UDP packet of the L2TP user.
Mlp_links_current: Indicates the number of current connections in the MP.
Mlp_links_max: Indicates the maximum number of connections bound to the MP.
Nocallback-verify: Indicates that the authentication is not required after callback.



Nohangup: Indicates that the connection is not closed after the command runs automatically. This attribute is valid only when the value of service is shell and the value of cmd is NULL.
Nas_rx_speed: Indicates the speed of outgoing packets on the NAS.
Nas_tx_speed: Indicates the speed of incoming packets on the NAS.
Paks_in: This is the number of received packets. The field encapsulated in the packet specifies the number of packets.
Paks_out: This is the number of transmitted packets. The field encapsulated in the packet specifies the number of packets.
Priv-lvl: Indicates the privilege level of the user. The value ranges from 0 to 3.
Protocol: Indicates the protocol type, including lcp, ip, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, ftp, http, deccp, osicp, and unknown.
Reason: This indicates to send the reason recorded by the system. The current reasons are restarting the LPU and restarting the slave MPU.
Service: Indicates the type of service, namely the service to be authorized and accounted, including slip, ppp, arap, shell, tty-daemon, connection, system, and firewall.
Source-ip: Indicates the source IP address that the LAC uses to send L2TP packets to the LNS.
Task_id: Indicates the ID of a task in the ME60.
Timezone: Indicates the time zone of the user.
Tunnel-id: Indicates the name of the tunnel initiator. A string of 1 to 29 characters.
Tunnel-type: Indicates the type of the tunnel to be established. The tunnel type is L2TP in the ME60.
Upaverage: Indicates the average upstream rate of the user. The unit is bit/s.
Uppeak: Indicates the peak upstream rate of the user. The unit is 1/8 of the number of passed bytes.


A Glossary

This appendix provides the glossary mentioned in this manual.

A
access service: A service providing the basic capability of network access.

B
BRAS: A functional component running on the ME60, which provides access services for broadband subscribers.
binding authentication: An authentication mode in which the ME60 creates a user name and a password for the user according to the location of the user.

D
DHCP client: A program that obtains IP addresses from the DHCP/BOOTP server, and then allocates the IP addresses to PPP users.
DHCP proxy: A program that transparently transmits the DHCP request of a user to the DHCP/BOOTP server, which then allocates the IP address to the user.
DHCP server: A program that allocates the IP addresses of the local address pool to the users at the user side and allocates the IP addresses of the relay address pool to the users that pass through the DHCP proxy at the network side.
direct authorization: An authorization mode in which the user is fully trusted by the carrier and is authorized directly by the carrier.
domain: A group of users with the same service attributes. The ME60 manages users through domains.


F
fast authentication: A simplified Web authentication, in which the user opens the web page for authentication but need not enter the user name and password.

H
HWTACACS: An enhanced security protocol of TACACS (RFC 1492), through which the ME60 communicates with the HWTACACS server in the client/server mode.
HWTACACS accounting: An accounting mode in which the ME60 sends the accounting packets to the HWTACACS server, which then performs accounting for the user.
HWTACACS authentication: An authentication mode in which the ME60 sends the user name and the password to the HWTACACS server by using the HWTACACS protocol. The HWTACACS server authenticates the user, and then returns the result to the ME60.
HWTACACS authorization: An authorization mode in which the user is authorized by the HWTACACS server.

L
local address pool: An address pool configured on the ME60 and managed by the ME60.
local authentication: An authentication mode in which the user information is configured on the ME60, and then the ME60 authenticates the user.
local authorization: An authorization mode in which the user is authorized by the ME60 based on the user attributes that are configured on the ME60.

M
mandatory web authentication: An authentication method in which the ME60 redirects the access request of an unauthenticated user who uses the web authentication or the fast authentication to the web authentication server for authentication.

O
Option 60: A field carrying the domain information when a terminal device initiates a DHCP request. After receiving the DHCP request, the ME60 allocates the IP address to the device according to the domain information contained in the Option 60 field.


Option 82: A field carrying the physical location information of the user when the ME60 relays a DHCP packet of the user. Then the DHCP server allocates an IP address to the user according to the location information.

P
portal protocol: A protocol used to exchange information between web servers and other devices. The portal protocol is based on the client/server model and uses UDP to transfer data.

R
RADIUS accounting: An accounting mode in which the ME60 sends the accounting packets to the RADIUS server. Then the RADIUS server performs accounting.
RADIUS authentication: An authentication mode in which the ME60 sends the user name and the password to the RADIUS server by using the RADIUS protocol. The RADIUS server authenticates the user, and then returns the result to the ME60.
relay address pool: An address pool providing IP addresses for the users at the network side.
remote address pool: A mapping of the remote DHCP or BOOTP server, which does not provide real IP addresses.

S
static user: A user with a fixed IP address, which is configured by the user.

V
value-added service: A service selected by the user when the user logs in to the portal server of the carrier.

W
web authentication: An authentication mode in which the user enters the user name and password on the authentication page of the web authentication server for identity authentication.


B Acronyms and Abbreviations

This appendix lists the acronyms and abbreviations mentioned in this manual.

A
AAA: Authentication, Authorization and Accounting
ACL: Access Control List
ADSL: Asymmetric Digital Subscriber Line
AP: Access Point
ARP: Address Resolution Protocol

B
BAS: Broadband Access Server
BOOTP: Bootstrap Protocol
BRAS: Broadband Remote Access Server

C
CAR: Committed Access Rate
CF: Compressed Flash
CHAP: Challenge Handshake Authentication Protocol
CLI: Command Line Interface
CMTS: Cable Modem Terminal System
CoA: Change of Authorization
COPS: Common Open Policy Service

D
DHCP: Dynamic Host Configuration Protocol
DNS: Domain Name Server
DSLAM: Digital Subscriber Line Access Multiplexer

E
EAP: Extensible Authentication Protocol
EAPoL: EAP over LAN

F
FE: Fast Ethernet

G
GE: Gigabit Ethernet
GRE: Generic Routing Encapsulation

H
HDLC: High level Data Link Control
HFC: Hybrid Fiber-Coaxial
HWTACACS: Huawei TACACS

I
IEEE: Institute of Electrical and Electronics Engineers
IP: Internet Protocol
IPCP: Internet Protocol Control Protocol
IPoE: IP over Ethernet
IPoEoVLAN: IP over Ethernet over VLAN
IPoX: IP over X
IPSec: IP Security
IPTN: IP Telecommunication Network
ISP: Internet Service Provider


L
LAN: Local Area Network
LCP: Link Control Protocol
L2TP: Layer 2 Tunneling Protocol

M
MAC: Media Access Control
MSCHAP: Microsoft CHAP

N
NCP: Network Control Protocol
ND: Neighbor Discovery
NetBIOS: Network Basic Input/Output System

P
PAP: Password Authentication Protocol
PDP: Policy Decision Point
PEP: Policy Enforcement Point
PPP: Point-to-Point Protocol
PPPoE: Point-to-Point Protocol over Ethernet
PPPoEoVLAN: PPPoE over VLAN
PPPoX: PPP over X
PSTN: Public Switched Telephone Network

Q
QinQ: 802.1Q in 802.1Q
QoS: Quality of Service

R
RADIUS: Remote Authentication Dial In User Service
RFC: Request for Comments


S
SIG: Safe Immunity Gateway
SIM: Subscriber Identity Module
DSG: Dynamic Service Gateway
SSH: Secure Shell

T
TACACS: Terminal Access Controller Access Control System
TCP: Transmission Control Protocol
TFTP: Trivial File Transfer Protocol

U
UDP: User Datagram Protocol
URL: Universal Resource Locator

V
VLAN: Virtual LAN
VoD: Video On Demand
VPN: Virtual Private Network

W
WLAN: Wireless Local Area Network
