
Huawei Layer 2 Tunneling Protocol (L2TP) Configuration Tutorial (Part 1)

1. Configure AAA authentication and accounting

AAA provides three security functions: authentication, authorization and accounting. It is used to manage access users and to ensure that connection requests are secure. The LAC and the LNS verify the identity of remote access users through AAA, configured either for local authentication or for remote authentication.

When access users can reach the Internet only through the LNS, accounting can be configured on the LNS side to control access users' online time and traffic volume. The LAC checks the remote user's user name or domain name to decide whether to set up a tunnel to the LNS for that user.

User name: suited to a small number of access users that are managed individually; each access user occupies its own L2TP tunnel. When remote users are checked by user name, the device uses the built-in default domain and the default authentication scheme; the default scheme uses the default authentication mode local, i.e. local authentication.

Domain name: suited to a large number of access users that are managed as a group; users with the same domain name share one L2TP tunnel. When remote users are checked by domain name, the domain and the authentication scheme it uses must be configured. The AAA authentication configuration on the LAC and the LNS must match.
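As an added illustration (not part of the original tutorial), the Python model below shows how the two checks described above play out on an LAC: a bare user name falls into the built-in default domain and its local authentication scheme, while user@domain selects the named domain and its scheme, and users are then grouped by the L2TP tunnel they would share. The domain table and the user names are constructed for the example.

```python
# Added example (not part of the original tutorial): models how an LAC maps an
# incoming user name to a domain and authentication scheme, following the rules
# in the text. A bare user name falls into the device's built-in 'default'
# domain (default scheme, local authentication); 'user@domain' selects the named
# domain and its scheme. The domain table and user names are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Domain:
    name: str
    auth_scheme: str
    auth_mode: str          # "local" or "radius"


# Constructed domain table; 'default' mirrors the device's built-in domain.
DOMAINS = {
    "default":   Domain("default", "default", "local"),
    "vlan5.com": Domain("vlan5.com", "vlan5.com", "radius"),
}


def resolve_domain(username: str, domains=DOMAINS) -> Domain:
    """Return the domain an LAC would use for `username`.

    'user@domain' -> the named domain, which must be configured;
    'user'        -> the built-in default domain.
    """
    if "@" not in username:
        return domains["default"]
    user, _, domain = username.rpartition("@")
    if not user or not domain:
        raise ValueError(f"malformed user name: {username!r}")
    if domain not in domains:
        raise KeyError(f"no domain {domain!r} configured for {username!r}")
    return domains[domain]


def tunnel_groups(usernames, check_by="domain", domains=DOMAINS):
    """Group users by the L2TP tunnel they would share.

    check_by="user":   every user gets its own tunnel (key = full user name)
    check_by="domain": users in the same domain share one tunnel (key = domain)
    """
    if check_by not in ("user", "domain"):
        raise ValueError("check_by must be 'user' or 'domain'")
    groups = defaultdict(list)
    for u in usernames:
        d = resolve_domain(u, domains)
        groups[u if check_by == "user" else d.name].append(u)
    return dict(groups)


if __name__ == "__main__":
    users = ["alice@vlan5.com", "bob@vlan5.com", "carol"]
    for u in users:
        d = resolve_domain(u)
        print(f"{u:18} -> domain {d.name:10} scheme {d.auth_scheme:10} mode {d.auth_mode}")
    print("tunnels by domain:", tunnel_groups(users, "domain"))
    print("tunnels by user:  ", tunnel_groups(users, "user"))
```

A user whose domain part names a domain that is not configured is rejected rather than silently mapped to the default domain; that matches the requirement that the domain and its scheme exist on both the LAC and the LNS before domain-based checking is used.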
1. Configure local authentication

1.1. Enter the AAA view
[Huawei]aaa
[Huawei-aaa]

1.2. Create an authentication scheme and enter the authentication scheme view
[Huawei-aaa]authentication-scheme ?
  STRING<1-32>  Scheme name, can not include invalid character \ / : < > | @ ' % * " ?

[Huawei-aaa]authentication-scheme vlan5.com
Info: Create a new authentication scheme.
[Huawei-aaa-authen-vlan5.com]

1.3. Set the authentication mode to local, i.e. local authentication
[Huawei-aaa-authen-vlan5.com]authentication-mode ?
  hwtacacs  HWTACACS
  local     Local
  none      None
  radius    RADIUS

[Huawei-aaa-authen-vlan5.com]authentication-mode local

1.4. Create a user domain and enter the domain view
[Huawei-aaa]domain ?
  STRING<1-64>  Domain name, can not include invalid character * ? " - --

[Huawei-aaa]domain vlan5.com
Info: Success to create a new domain.
[Huawei-aaa-domain-vlan5.com]

1.5. Assign the authentication scheme to the domain just created
[Huawei-aaa-domain-vlan5.com]authentication-scheme ?
  STRING<1-32>  Scheme name, can not include invalid character \ / : < > | @ ' % * " ?

[Huawei-aaa-domain-vlan5.com]authentication-scheme vlan5.com

1.6. Configure a local user name and password; they are stored on the device as VPDN user information and used to authenticate remote access users
[Huawei-aaa]local-user ?
  STRING<1-64>  User name, in form of 'user@domain'. Can use wildcard '*',
                while displaying and modifying, such as *@isp, user@*, *@*. Can
                not include invalid character / \ : * ? " < > | @ '
[Huawei-aaa]local-user LAC001 ?
  access-limit   Set access limit of user(s)
  ftp-directory  Set user(s) FTP directory permitted
  idle-timeout   Set the timeout period for terminal user(s)
  password       Set password
  privilege      Set admin user(s) level
  service-type   Service types for authorized user(s)
  state          Activate/Block the user(s)
  user-group     User group

[Huawei-aaa]local-user LAC001 password ?
  cipher  User password with cipher text

[Huawei-aaa]local-user LAC001 password cipher ?
  STRING<1-32>/<32-56>  The UNENCRYPTED/ENCRYPTED password string

[Huawei-aaa]local-user LAC001 password cipher www.vlan5.com

1.7. Configure the local user's service type. L2TP is negotiated over PPP, so the service type must be set to ppp.
[Huawei-aaa]local-user lac001 service-type ?
  8021x     802.1x user
  bind      Bind authentication user
  ftp       FTP user
  http      Http user
  l2tp      L2tp user
  ppp       PPP user
  ssh       SSH user
  sslvpn    Sslvpn user
  telnet    Telnet user
  terminal  Terminal user
  web       Web authentication user
  x25-pad   X25-pad user

[Huawei-aaa]local-user lac001 service-type ppp
2. Configure remote authentication and accounting

2.1. Create a RADIUS server template and enter the RADIUS server template view, in which the RADIUS server parameters are configured.
[Huawei]radius-server ?
  authorization  RADIUS authorization server
  template       Add or delete RADIUS server template

[Huawei]radius-server template ?
  STRING<1-32>  RADIUS server template's name

[Huawei]radius-server template vlan5.com
Info: Create a new server template.
[Huawei-radius-vlan5.com]

2.2. Configure the IP address and port number of the RADIUS authentication server
[Huawei-radius-vlan5.com]radius-server ?
  accounting              Configure accounting server
  accounting-stop-packet  Configure the resending value of accounting-stop-packet
  attribute               Configure the function of attribute translation
  authentication          Configure authentication server
  dead-time               Configure dead time
  detect-server           Detect-server
  nas-port-format         Configure NAS-Port format
  nas-port-id-format      Configure NAS-Port-Id format
  retransmit              Configure server retransmission
  shared-key              Configure server shared-key
  testuser                Testuser
  timeout                 Configure server timeout
  traffic-unit            Configure the octets of format
  user-name               Configure the format of username

[Huawei-radius-vlan5.com]radius-server authentication ?
  X.X.X.X   IP address of the server
  X:X::X:X  IPv6 address of the server

[Huawei-radius-vlan5.com]radius-server authentication 10.1.1.2 ?
  INTEGER<1-65535>  Port of the server

[Huawei-radius-vlan5.com]radius-server authentication 10.1.1.2 9999

2.3. Configure the RADIUS accounting server address
[Huawei-radius-vlan5.com]radius-server accounting ?
  X.X.X.X   IP address of the server
  X:X::X:X  IPv6 address of the server

[Huawei-radius-vlan5.com]radius-server accounting 10.1.1.3 ?
  INTEGER<1-65535>  Port of the server

[Huawei-radius-vlan5.com]radius-server accounting 10.1.1.3 9999

2.4. Configure the shared key used for communication with the RADIUS server
[Huawei-radius-vlan5.com]radius-server shared-key ?
  STRING<1-16>/<32>  The UNENCRYPTED/ENCRYPTED password string
  cipher             Radius server password with ciphertext
  simple             Radius server password with plaintext

[Huawei-radius-vlan5.com]radius-server shared-key cipher ?
  STRING<1-16>/<32>  The UNENCRYPTED/ENCRYPTED password string

[Huawei-radius-vlan5.com]radius-server shared-key cipher www.vlan5.com
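To make clear what the shared key configured in step 2.4 actually protects, here is an added Python example (not from the tutorial and not Huawei's code) that follows RFC 2865: the NAS side (the LNS here) hides the PPP user's password with an MD5 stream keyed by the shared secret and a random Request Authenticator, and the server's reply carries a Response Authenticator that the NAS verifies with the same secret. The secret, user name and password below are constructed values, and only the User-Name and User-Password attributes are modelled.

```python
# Added example (not from the tutorial or from Huawei): what the RADIUS shared
# key from step 2.4 is used for, following RFC 2865. The NAS (the LNS here)
# hides the user's PPP password with an MD5 stream keyed by the secret and a
# random Request Authenticator; the server's reply carries a Response
# Authenticator that the NAS verifies with the same secret. All values below
# (secret, user name, password) are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (Length counts the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password (what the RADIUS server does); NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def access_request(username: bytes, password: bytes, secret: bytes, ident: int = 1):
    """NAS side. Returns (packet, request_authenticator); the RA is kept to check the reply."""
    req_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_reply(request: bytes, secret: bytes, expected_password: bytes) -> bytes:
    """Server side: recover the password with the shared secret, answer Accept or
    Reject, and sign the answer with a Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], request[20:length]
    password, pos = None, 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        if atype == ATTR_USER_PASSWORD:
            password = unhide_password(attrs[pos + 2:pos + alen], secret, req_auth)
        pos += alen
    rcode = ACCESS_ACCEPT if password == expected_password else ACCESS_REJECT
    return build_packet(rcode, ident, response_authenticator(rcode, ident, req_auth, b"", secret), b"")


def verify_reply(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: trust the reply only if its authenticator matches our secret and RA."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, req_auth, reply[20:length], secret)
    return hmac.compare_digest(reply[4:20], expected)


if __name__ == "__main__":
    secret = b"example-shared-key"                     # constructed
    pkt, ra = access_request(b"lac001@vlan5.com", b"example-password", secret)
    ok = server_reply(pkt, secret, b"example-password")
    print("reply code:", ok[0], "authenticator valid:", verify_reply(ok, ra, secret))
    print("same reply checked with wrong key:", verify_reply(ok, ra, b"wrong-key"))
```

Both the password hiding and the reply check rest on MD5 over the shared secret, so the secret is the only thing that stops a forged Access-Accept from being believed by the device; choose a long random key and keep it identical on the device and the server. The `cipher` form in step 2.4 only protects how the key is stored in the device configuration, not the RADIUS exchange itself.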
2.5. Create an authentication scheme and set the authentication mode to radius, i.e. authentication by the RADIUS server
[Huawei-aaa]authentication-scheme vlan5.com
[Huawei-aaa-authen-vlan5.com]authentication-mode ?
  hwtacacs  HWTACACS
  local     Local
  none      None
  radius    RADIUS
[Huawei-aaa-authen-vlan5.com]authentication-mode radius

2.6. Create an accounting scheme and set the accounting mode to RADIUS accounting.
[Huawei-aaa]accounting-scheme vlan5.com
[Huawei-aaa-accounting-vlan5.com]

[Huawei-aaa-accounting-vlan5.com]accounting-mode radius

2.7. Configure the policy applied when start accounting fails
[Huawei-aaa-accounting-vlan5.com]accounting ?
  interim-fail  Remote realtime accounting fail policy
  realtime      Interim accounting
  start-fail    Remote start accounting fail policy
[Huawei-aaa-accounting-vlan5.com]accounting start-fail ?
  offline  Offline  # users are not allowed online after accounting fails
  online   Online   # users are allowed online after accounting fails

2.8. Enable real-time accounting and set the accounting interval
[Huawei-aaa-accounting-vlan5.com]accounting realtime ?
  INTEGER<0-65535>  Accounting interval <minute>

[Huawei-aaa-accounting-vlan5.com]accounting realtime 10

2.9. Configure the maximum number of unanswered real-time accounting requests allowed, and the policy applied when real-time accounting fails
[Huawei-aaa-accounting-vlan5.com]accounting interim-fail ?
  max-times  Allow realtime accounting fail times
  offline    Offline
  online     Online

[Huawei-aaa-accounting-vlan5.com]accounting interim-fail max-times ?
  INTEGER<1-255>  Fail times

[Huawei-aaa-accounting-vlan5.com]accounting interim-fail max-times 10 ?
  offline  Offline
  online   Online

2.10. Create the user domain, assign it the authentication scheme and bind the RADIUS server template to it
[Huawei-aaa]domain vlan5.com
[Huawei-aaa-domain-vlan5.com]

[Huawei-aaa-domain-vlan5.com]authentication-scheme vlan5.com

[Huawei-aaa-domain-vlan5.com]radius-server vlan5.com

2.11. Configure the domain's accounting scheme
[Huawei-aaa-domain-vlan5.com]accounting-scheme vlan5.com

2.12. If traffic-based accounting is used, enable traffic statistics in the domain
[Huawei-aaa-domain-vlan5.com]statistic enable
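To check the settings from sections 1 and 2 against each other, here is an added Python audit script (not part of the tutorial and not a Huawei tool). It parses a constructed AAA configuration written in the indented style of the CLI views above (modelled on them, not a verbatim device dump; the script also assumes a newly created authentication scheme starts in local mode) and flags: `authentication-mode none`, `accounting start-fail online`, a plaintext (`simple`) shared key, a domain bound to RADIUS schemes without a RADIUS server template, references to schemes or templates that do not exist, a RADIUS accounting domain without `statistic enable`, and local users lacking `service-type ppp`.

```python
# Added example, not from the tutorial: an audit of the AAA settings from sections 1 and 2.
# It parses a constructed configuration written in the indented style of the CLI views
# above (modelled on them, not a verbatim device dump) and flags weak or inconsistent settings.

def parse_aaa(text):
    """Model the config as dicts: auth schemes, accounting schemes, domains, RADIUS templates, users."""
    m = {"auth": {}, "acct": {}, "domain": {}, "radius": {}, "user": {}}
    stack = []                                    # (indent, tokens) of the enclosing views
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":     # '#' separates top-level sections
            stack = []
            continue
        indent, t = len(raw) - len(raw.lstrip(" ")), raw.split()
        while stack and stack[-1][0] >= indent:       # leave views indented as deep or deeper
            stack.pop()
        parent = stack[-1][1] if stack else []
        head = parent[0] if parent else None
        if head == "aaa":
            if t[0] == "authentication-scheme":
                m["auth"].setdefault(t[1], "local")   # assumption: a new scheme starts in local mode
            elif t[0] == "accounting-scheme":
                m["acct"].setdefault(t[1], {"mode": "none"})
            elif t[0] == "domain":
                m["domain"].setdefault(t[1], {"auth": None, "acct": None, "radius": None, "statistic": False})
            elif t[0] == "local-user":
                u = m["user"].setdefault(t[1], set())
                if "service-type" in t:
                    u.update(t[t.index("service-type") + 1:])
        elif head == "authentication-scheme" and t[0] == "authentication-mode":
            m["auth"][parent[1]] = t[1]
        elif head == "accounting-scheme" and t[0] in ("accounting-mode", "accounting"):
            # 'accounting-mode radius' -> mode; 'accounting start-fail online' -> start-fail (policy is last token)
            m["acct"][parent[1]]["mode" if t[0] == "accounting-mode" else t[1]] = t[-1]
        elif head == "domain":
            d = m["domain"][parent[1]]
            key = {"authentication-scheme": "auth", "accounting-scheme": "acct", "radius-server": "radius"}.get(t[0])
            if key:
                d[key] = t[1]
            elif t[:2] == ["statistic", "enable"]:
                d["statistic"] = True
        elif not parent and t[:2] == ["radius-server", "template"]:
            m["radius"].setdefault(t[2], None)         # value becomes the shared-key form once seen
        elif head == "radius-server" and t[:2] == ["radius-server", "shared-key"]:
            m["radius"][parent[2]] = t[2]
        stack.append((indent, t))
    return m


def audit_aaa(text):
    """Return (severity, message) findings; an empty list means nothing was flagged."""
    m, f = parse_aaa(text), []
    for name, mode in m["auth"].items():
        if mode == "none":
            f.append(("CRITICAL", f"authentication-scheme {name}: authentication-mode none, no credential check"))
    for name, a in m["acct"].items():
        if a.get("start-fail") == "online":
            f.append(("WARN", f"accounting-scheme {name}: users go online even when start accounting fails"))
    for name, key_form in m["radius"].items():
        if key_form == "simple":
            f.append(("WARN", f"radius-server template {name}: shared-key stored as plaintext (simple)"))
    for name, d in m["domain"].items():
        for kind, ref in (("auth", "authentication-scheme"), ("acct", "accounting-scheme"), ("radius", "radius-server template")):
            if d[kind] and d[kind] not in m[kind]:
                f.append(("ERROR", f"domain {name}: {ref} {d[kind]} does not exist"))
        acct_mode = m["acct"].get(d["acct"], {}).get("mode")
        if (m["auth"].get(d["auth"]) == "radius" or acct_mode == "radius") and not d["radius"]:
            f.append(("ERROR", f"domain {name}: RADIUS scheme bound but no radius-server template"))
        if acct_mode == "radius" and not d["statistic"]:
            f.append(("WARN", f"domain {name}: no 'statistic enable', traffic-based accounting cannot count bytes"))
    for name, services in m["user"].items():
        if "ppp" not in services:
            f.append(("INFO", f"local-user {name}: no service-type ppp, unusable for L2TP (PPP) access"))
    return f


# Constructed sample configuration (not a device dump) with a few deliberate weaknesses.
SAMPLE_CONFIG = """\
aaa
 authentication-scheme vlan5.com
  authentication-mode radius
 authentication-scheme guest
  authentication-mode none
 accounting-scheme vlan5.com
  accounting-mode radius
  accounting start-fail online
 domain vlan5.com
  authentication-scheme vlan5.com
  accounting-scheme vlan5.com
  radius-server vlan5.com
 local-user lac001 password cipher EXAMPLE-CIPHERTEXT
 local-user lac001 service-type ppp
#
radius-server template vlan5.com
 radius-server shared-key simple EXAMPLE-KEY
 radius-server authentication 10.1.1.2 9999
#
"""

if __name__ == "__main__":
    print(*(f"[{s}] {msg}" for s, msg in audit_aaa(SAMPLE_CONFIG)), sep="\n")
```

Feed a saved configuration to `audit_aaa` as a string to run it on real input. `authentication-mode none` and `start-fail online` are flagged because they let a user in without a credential check or without a working accounting record, which is exactly the control this section sets out to establish.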