The attributes delivered by the RADIUS server take effect
only when there are corresponding configurations on the NetEngine 8000 F.
Context
Access service template
After an access service template is configured, the RADIUS server can send the service template name and control user traffic by time segment.
When the authentication response message sent by the RADIUS server includes the HW-Access-Service attribute, traffic bandwidth is restricted based on the QoS profile rule bound to the service template. If an access service template contains both a QoS profile without a time segment and a QoS profile with a time segment, the QoS profile with a time segment has the higher priority.
If an in-use QoS profile in an access service template is modified, the modification takes effect in real time. If all QoS profiles in an access service template are removed, the QoS profile that was previously bound to the user takes effect.
Static route synchronization from the RADIUS server to the NetEngine 8000 F
This function enables the NetEngine 8000 F to periodically or immediately synchronize static routes with those delivered by the RADIUS server. If a static route synchronization request is not acknowledged, it is retransmitted until the maximum allowable number of retransmissions is reached.
Update of user names and domains based on CoA messages
In the web authentication scenario where a portal server cannot exchange authentication messages with a BRAS, you can configure the portal server to exchange authentication messages with a RADIUS server. To enable a BRAS to update user names based on those delivered in CoA messages and switch users to the domains carried in the RADIUS-delivered user names, run the radius-server coa update username command.
Procedure
- Create an access service template.
  - Run system-view
    The system view is displayed.
  - Run access-service service-name
    The access service template view is displayed.
  - Run qos-profile profile-name
    The default QoS profile bound to the access service template is configured.
    Each access service template can be bound to only one QoS profile that does not contain a time segment.
  - Run qos-profile profile-name time-range time-range-name
    The QoS profile (containing a time segment) bound to the access service template is configured.
    Each access service template can be bound to up to 16 different time segments.
  - Run commit
    The configuration is committed.
- Enable static route synchronization from the RADIUS server to the NetEngine 8000 F.
  - Run system-view
    The system view is displayed.
  - Run aaa route-download server-group group-name base-user-name user-name password { simple | cipher } password [ download-interval interval-value | retry-interval retry-interval-value | retry-max-count retry-count | tag tag-value | cost cost-value | synchronization synchronization ]
    The NetEngine 8000 F is enabled to periodically synchronize static routes with those delivered by the RADIUS server.
  - (Optional) Run aaa route-download recover-delay delay-time
    Delayed advertisement is configured for static routes downloaded from a RADIUS server after the NetEngine 8000 F is restarted and configurations are restored.
    In BRAS multi-device backup scenarios, after the aaa route-download command is run to enable the NetEngine 8000 F to download static routes from a RADIUS server at an interval, you must also run the aaa route-download recover-delay command to configure delayed advertisement of static routes downloaded from a RADIUS server.
    In BRAS multi-device backup scenarios, after the aaa route-download command is run to enable the NetEngine 8000 F to download static routes from a RADIUS server at an interval, the master and backup devices download static routes from the RADIUS server, but the cost value of the static routes downloaded to the master device is less than that of the static routes downloaded to the backup device. If the master device is restarted and immediately downloads static routes from the RADIUS server and advertises them to the network side, network-side traffic will be transmitted to the master device. However, batch backup of user information has not yet completed, and the master device cannot process traffic. Therefore, the traffic is transmitted to the backup device through the link between the master and backup devices. If the network traffic volume is greater than the bandwidth of the link between the master and backup devices, the downstream traffic may be interrupted.
    To prevent this problem, run the aaa route-download recover-delay command to configure delayed advertisement of static routes downloaded from a RADIUS server after the NetEngine 8000 F is restarted and configurations are restored so that the NetEngine 8000 F can advertise the static routes after user information is backed up. When the master device is restarted, the network-side traffic is switched to the new master device, preventing a traffic detour.
  - Run clear ip routes aaa-download [ [ vpn-instance vpn-name ] [ ip-address mask-len | ipv6-address prefix-length ] | all ]
    Static routes delivered by the RADIUS server are cleared from the NetEngine 8000 F.
  - Run aaa route-download now force
    The NetEngine 8000 F is configured to immediately synchronize static routes with those delivered by the RADIUS server.
  - Run commit
    The configuration is committed.
- Update user names based on CoA messages and switch users to new domains.
  - Run system-view
    The system view is displayed.
  - Run radius-server coa update username
    The device is enabled to update user names based on those delivered in CoA messages and switch users to the domains carried in the RADIUS-delivered user names.
  - Run commit
    The configuration is committed.
Result
Run the display access-service command in any view to check information about the access service template.
Run the display aaa route-download config command in any view to check configurations about static route synchronization from the RADIUS server to the NetEngine 8000 F.
Run the display aaa route command in any view to check whether static routes are successfully delivered by the RADIUS server.
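
An added example, not part of the original documentation: a Python check that reviews a planned configuration script against the limits stated in the procedure (one QoS profile without a time segment and at most 16 time segments per access service template, and recover-delay configured alongside route download). The sample configuration, its names, the indented layout of template sub-commands, and the reading of the simple keyword as leaving the password readable are assumptions.

```python
import re

MAX_TIME_RANGES = 16  # "up to 16 different time segments" per template

# Constructed sample of a planned configuration script; every name and the
# password are invented. Assumption: template sub-commands are indented.
SAMPLE = """\
access-service svc-home
 qos-profile qos-10m
 qos-profile qos-50m time-range night
 qos-profile qos-20m
#
aaa route-download server-group rd-group base-user-name route-user password simple Example-Pass-1
"""

def audit(config_text):
    """Check a planned configuration against the limits stated in the procedure."""
    findings = []
    template = None
    defaults, ranges = {}, {}
    has_download = has_recover_delay = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line leaves the template view
            template = None
        if m := re.fullmatch(r"access-service (\S+)", line):
            template = m.group(1)
            defaults.setdefault(template, 0)
            ranges.setdefault(template, set())
        elif template and (m := re.fullmatch(r"qos-profile (\S+)(?: time-range (\S+))?", line)):
            if m.group(2):
                ranges[template].add(m.group(2))
            else:
                defaults[template] += 1
        elif line.startswith("aaa route-download recover-delay "):
            has_recover_delay = True
        elif line.startswith("aaa route-download server-group "):
            has_download = True
            # Assumption: 'simple' keeps the password readable in the configuration.
            if re.search(r"\bpassword simple\b", line):
                findings.append("route-download: password uses 'simple', use 'cipher'")
    for name, count in defaults.items():
        if count > 1:
            findings.append(f"{name}: {count} QoS profiles without a time segment, only 1 allowed")
        if len(ranges[name]) > MAX_TIME_RANGES:
            findings.append(f"{name}: more than {MAX_TIME_RANGES} time segments")
    if has_download and not has_recover_delay:
        findings.append("route-download: no recover-delay (required for BRAS multi-device backup)")
    return findings
```

Calling audit(SAMPLE) returns three findings: the simple password, the second QoS profile without a time segment, and the missing recover-delay.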