(Optional) Configuring Additional Functions for a Domain

Many additional functions, such as time-based control, policy-based routing, traffic statistics, and IP address usage alarms, can be configured for a domain.

Context

Additional functions that can be configured for a domain include:

  • Time-based control

    Time-based control allows the NetEngine 8000 F to automatically block a domain during a specified period. During this period, online users of the domain are logged out, and new user access through this domain is not allowed. After the period elapses, the domain is reactivated automatically, and user access through this domain is allowed.

  • Idle cut

    Idle cut enables the NetEngine 8000 F to treat a user as idle and disconnect the user if the user's traffic volume stays below a threshold for a specified period. Idle cut takes effect based on the specified idle period and traffic volume threshold.

    The idle cut function configured for a domain is effective only for the basic traffic of a user, not for the multicast traffic or the VAS traffic that is not configured with the summary feature.

  • Mandatory PPP authentication

    After a mandatory authentication mode is configured for a domain, the users in the domain are authenticated in the configured mode, not the one (such as PAP, CHAP, or MSCHAP) that is negotiated between the PPP clients and the virtual template.

  • Policy-based routing

    With policy-based routing configured for a domain, the NetEngine 8000 F determines a forwarding egress according to the address specified for the user domain, not a packet destination address.

  • IP address usage alarm

    An alarm threshold can be set for the IP address usage (in percentage) of a domain, so that the NetEngine 8000 F can report a trap to the network management system (NMS) when the IP address usage exceeds the threshold.

  • Traffic statistics collection

    The traffic statistics collection function can be configured for a domain, so that the NetEngine 8000 F can collect the total traffic statistics, as well as upstream and downstream traffic statistics, of users in the domain.

  • Accounting packet copy

    The accounting packet copy function allows the NetEngine 8000 F to copy accounting information to another RADIUS accounting server group, besides the general RADIUS accounting server group. The accounting information in a copy server is used as the original accounting information in accounting settlement.

    Configure this function if multiple copies of original accounting information are needed (for example, when multiple ISPs exist on a network).

  • Function to stop sending real-time accounting packets to accounting copy servers

    If an accounting copy server cannot process a large number of real-time accounting packets due to limited performance, configure the device to stop sending real-time accounting packets to the server.

  • Re-authentication timeout

    The re-authentication timeout function allows the NetEngine 8000 F to disconnect a Layer 3 pre-authentication user if the user fails to pass the authentication within the maximum re-authentication time.

  • Policy for online users when their quotas are used up

    A policy can be configured to determine the action that the NetEngine 8000 F takes for an online user when the user's quota is used up. For example, the NetEngine 8000 F can be configured to forcibly log out the user, keep the user online, or redirect the user to a specified portal.

  • Host route tagging

    The host route tagging function allows the NetEngine 8000 F to import route tags based on routing policies and advertise different host routes to different networks by setting and categorizing route tags for host routes of IPv4 users and network segment routes generated based on the RADIUS-delivered Framed-Route attribute.

  • Function to stop accounting within a specified time period

    This function enables the NetEngine 8000 F to stop accounting for users in a domain within a specified time period. After the specified period elapses, the device starts accounting for the users again.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run domain domain-name

    The domain view is displayed.

  4. Run time-range domain-block { name range-name | enable }

    Time-based control is configured.

    You can configure up to four time ranges. All of them can take effect.

  5. Run idle-cut idle-time { idle-data | zero-rate } [ inbound | outbound ]

    The idle cut function is configured.

    Run the idle-cut command if some users cannot access the Internet due to an exception but can access the Internet after being logged out once. The idle-cut function can take effect on upstream traffic, downstream traffic, or both according to the parameter you specify. If you do not specify the inbound or outbound parameter, the idle-cut function takes effect on both upstream and downstream traffic.

  6. Run ppp-force-authtype { chap | mschap_v1 | mschap_v2 | pap }

    Mandatory PPP authentication is configured.

  7. Run policy-route { next-hop-ip-address | next-hop-ipv6-address }

    Policy-based routing is configured.

  8. Run ip-warning-threshold { upper-limit-value | lower-limit lower-limit-value }

    The IP address usage alarm function is configured.

  9. Run flow-bill

    The function to collect the total traffic statistics is enabled.

  10. Run flow-statistic { down | up } *

    The function to collect the upstream or downstream traffic statistics is enabled.

  11. Run accounting-copy radius-server group-name

    The function to send accounting packet copies is enabled.

  12. Run radius-server accounting-copy realtime disable

    The device is configured to stop sending real-time accounting packets to RADIUS accounting copy servers.

    After this command is run, the device will not send real-time accounting packets to copy servers, regardless of whether the servers have been configured in the domain.

  13. Run max-ipuser-reauthtime time-value

    The re-authentication timeout function is configured.

  14. Run quota-out { offline | online | redirect url url-string [ redirect-stop-accounting ] | send-realtime-accounting }

    A policy is configured. It determines how the device handles an online user when the user's quota is used up.

    This command takes effect only when a user's quota is used up and the user is in the specified domain. If the user domain is changed by a CoA packet sent from a policy server and the quota-out command is not configured in the new domain, the user will be logged out when the quota is used up.

    If the RADIUS protocol type is set to non-standard, a real-time accounting packet is sent to the RADIUS server to apply for a new quota when a user's quota is used up. If the RADIUS server responds with zero quota, the user is redirected based on the quota-out redirect url url-string [ redirect-stop-accounting ] command configuration.

    If you want a user to be directly redirected when the user's quota is used up, you must set the RADIUS protocol type to standard and run the quota-out redirect url url-string [ redirect-stop-accounting ] command.

  15. Run radius-no-response lease-time time

    A lease is set for DHCP users. The lease is delivered to DHCP users when the RADIUS server does not respond.

  16. Run redirect-domain effect-attribute { user-group | web-url | qos-profile | accounting-scheme | ip-unr-tag }

    The fields that can take effect are specified. The configuration applies to the domain specified in CoA messages or to the redirection domain of users whose quotas are used up.

  17. Run ip unr tag tag-value route-type host-route framed-route

    A route tag is set for host routes of IPv4 users and network segment routes generated based on the RADIUS-delivered Framed-Route attribute.

  18. Run reallocate-ip-address

    IP address reallocation is enabled in a domain.

    The reallocate-ip-address command is effective only for web users.

  19. Run time-range non-accounting time-range-name

    The device is configured to stop accounting within a specified time period for users in a specified domain.

  20. Run commit

    The configuration is committed.
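
The keyword choices in steps 6, 10 and 14, the four-range limit in step 4, and the quota-out note in step 14 can be checked against a planned command list before it is entered in the domain view. The Python script below is an added example, not Huawei tooling; `lint_domain`, the range names and the portal URL are constructed for illustration, and it checks only what this page prints.

```python
# Keyword sets copied from the command syntax printed in the procedure above.
KEYWORDS = {
    "ppp-force-authtype": {"chap", "mschap_v1", "mschap_v2", "pap"},
    "flow-statistic": {"down", "up"},
    "quota-out": {"offline", "online", "redirect", "send-realtime-accounting"},
}
MAX_BLOCK_RANGES = 4  # step 4: "You can configure up to four time ranges."

def lint_domain(text):
    """Check planned domain-view commands; return a list of findings."""
    findings, block_ranges, has_quota_out = [], 0, False
    for n, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words:
            continue
        if words[:3] == ["time-range", "domain-block", "name"]:
            block_ranges += 1
        cmd, args = words[0], words[1:]
        if cmd not in KEYWORDS:
            continue
        if cmd == "quota-out":
            has_quota_out = True
            # 'redirect' must be followed by the literal 'url' and a url-string
            if args[:1] == ["redirect"] and (len(args) < 3 or args[1] != "url"):
                findings.append(f"line {n}: quota-out redirect needs 'url url-string'")
            args = args[:1]  # only the first word is a keyword choice
        bad = [a for a in args if a not in KEYWORDS[cmd]]
        if bad or not args:
            findings.append(f"line {n}: {cmd}: unexpected or missing keyword {bad}")
    if block_ranges > MAX_BLOCK_RANGES:
        findings.append(f"{block_ranges} domain-block time ranges; limit is {MAX_BLOCK_RANGES}")
    if not has_quota_out:
        # step 14: a user moved by CoA into a domain without quota-out is logged out
        findings.append("no quota-out: CoA-moved users are logged out at quota exhaustion")
    return findings

# Constructed sample plan (not from a real device): five block ranges,
# a misspelled authentication type, and a redirect missing the 'url' keyword.
SAMPLE = """\
time-range domain-block name night1
time-range domain-block name night2
time-range domain-block name night3
time-range domain-block name night4
time-range domain-block name night5
ppp-force-authtype mschap
flow-statistic down up
quota-out redirect http://portal.example/topup
"""

if __name__ == "__main__":
    print("\n".join(lint_domain(SAMPLE)))
```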

Copyright © Huawei Technologies Co., Ltd.