Example for Configuring a RADIUS Server to Assign IP Addresses from an Address Pool Based on PPPoE+
This section provides an example for configuring a RADIUS server to assign IP addresses from an address pool based on PPPoE+. With the Option 82 function enabled, a BRAS assigns IP addresses to PPPoE users based on the address pool information carried in an authentication response packet sent by the RADIUS server.
Networking Requirements
On the network shown in Figure 1, a user initiates a PPPoE dialup. The PPPoE+ function is enabled on the OLT. When transparently transmitting PPPoE packets, the OLT inserts the access-line-id (PPPoE+) information that identifies the physical location of a user into the PPPoE packets. The Option 82 function is enabled on the BRAS. The BRAS trusts the access-line-id information in the packets sent by a client and does not change the access-line-id information before forwarding the packets from the client to the RADIUS server. The RADIUS attribute dictionary file needs to be loaded on the RADIUS server in advance. After receiving an authentication request packet from a user, the RADIUS server delivers the IPv4 address pool attribute through the Framed-Pool attribute in an authentication response packet based on the access-line-id information carried in the authentication request packet. Also, the RADIUS server delivers the IPv6 address pool attribute through the Framed-IPv6-Pool (100) and HW-Delegated-IPv6-Prefix-Pool (191) attributes in the authentication response packet. The address pool name configured on the BRAS must be the same as that on the RADIUS server. The BRAS assigns an IP addresses to the user based on the address pool information carried in the authentication response packet.
Configuration Roadmap
Configure AAA schemes.
Configure a RADIUS server group.
- Configure address pools.
Configure a user access domain.
- Configure the BRAS to generate a DUID for the DHCPv6 server.
- Configure a virtual template.
- Configure interfaces.
Configure routing protocols.
Data Preparation
- Virtual template number
- Authentication and accounting schemes and their names
- RADIUS server group name and RADIUS server addresses
- DNS server address
- Name of the delegation prefix pool for IPv6 users, assignable prefixes, and prefix lengths
- Name of the delegation address pool for IPv6 users
- User access domain
- IPv4 and IPv6 addresses of interfaces
Procedure
- Configure AAA schemes.
# Configure an authentication scheme.
<HUAWEI> system-view [~HUAWEI] aaa [~HUAWEI-aaa] authentication-scheme auth1 [*HUAWEI-aaa-authen-auth1] authentication-mode radius [*HUAWEI-aaa-authen-auth1] quit [*HUAWEI-aaa] commit
# Configure an accounting scheme.
[~HUAWEI-aaa] accounting-scheme acct1 [*HUAWEI-aaa-accounting-acct1] accounting-mode radius [*HUAWEI-aaa-accounting-acct1] quit [*HUAWEI-aaa] quit [*HUAWEI] commit
- Configure a RADIUS server group.
[~HUAWEI] radius-server group rd1 [*HUAWEI-radius-rd1] radius-server authentication 192.168.7.249 1645 [*HUAWEI-radius-rd1] radius-server accounting 192.168.7.249 1646 [*HUAWEI-radius-rd1] radius-server shared-key-cipher hello@123 [*HUAWEI-radius-rd1] quit [*HUAWEI] commit
- Configure a local address pool for IPv4 users.
[~HUAWEI] ip pool pool_v4 bas local [~HUAWEI-ip-pool-pool_v4] gateway 172.16.0.1 255.255.255.0 [~HUAWEI-ip-pool-pool_v4] section 0 172.16.0.2 172.16.0.200 [~HUAWEI-ip-pool-pool_v4] quit [~HUAWEI] commit
- Configure address pools for IPv6 users.
Configure a delegation prefix pool for ND users.
[~HUAWEI] ipv6 prefix pre_nd delegation [~HUAWEI-ipv6-prefix-pre_nd] prefix 2001:db8:1::/48 delegating-prefix-length 64 [~HUAWEI-ipv6-prefix-pre_nd] slaac-unshare-only [~HUAWEI-ipv6-prefix-pre_nd] quit
- Configure a delegation address pool for ND users.
[~HUAWEI] ipv6 pool pool_nd bas delegation [~HUAWEI-ipv6-pool-pool_nd] prefix pre_nd [~HUAWEI-ipv6-pool-pool_nd] dns-server 2001:db8:1::2 2001:db8:1::3 [~HUAWEI-ipv6-pool-pool_nd] quit
- Configure a delegation prefix pool for PD users.
[~HUAWEI] ipv6 prefix pre_pd delegation [~HUAWEI-ipv6-prefix-pre_pd] prefix 2001:db8:2::/48 delegating-prefix-length 60 [~HUAWEI-ipv6-prefix-pre_pd] pd-unshare-only [~HUAWEI-ipv6-prefix-pre_pd] quit
- Configure a delegation address pool for PD users.
[~HUAWEI] ipv6 pool pool_pd bas delegation [~HUAWEI-ipv6-pool-pool_pd] prefix pre_pd [~HUAWEI-ipv6-pool-pool_pd] dns-server 2001:db8:1::2 2001:db8:1::3 [~HUAWEI-ipv6-pool-pool_pd] quit
- Configure a user access domain named isp1.
[~HUAWEI] aaa [~HUAWEI-aaa] domain isp1 [*HUAWEI-aaa-domain-isp1] authentication-scheme auth1 [*HUAWEI-aaa-domain-isp1] accounting-scheme acct1 [*HUAWEI-aaa-domain-isp1] radius-server group rd1 [*HUAWEI-aaa-domain-isp1] commit [~HUAWEI-aaa-domain-isp1] prefix-assign-mode unshared [~HUAWEI-aaa-domain-isp1] ip-pool pool_v4 [~HUAWEI-aaa-domain-isp1] ipv6-pool pool_nd [~HUAWEI-aaa-domain-isp1] ipv6-pool pool_pd [~HUAWEI-aaa-domain-isp1] quit [~HUAWEI-aaa] quit
- Configure the BRAS to generate a DUID for the DHCPv6 server.
[~HUAWEI] dhcpv6 duid llt Warning:The change of DUID will cause the accessed user work abnormally.
- Configure a virtual template.
[*HUAWEI] interface Virtual-Template1 [*HUAWEI-Virtual-Template1] ppp authentication-mode chap [*HUAWEI-Virtual-Template1] quit [*HUAWEI] commit
- Configure interfaces.
- Configure routing protocols.
Configuration Files
# sysname HUAWEI # radius-server group rd1 radius-server shared-key-cipher %^%#Q'!i-TMV5&@=QE}g/QK2ouBHee8WB|s|mB%^% radius-server authentication 192.168.7.249 1645 weight 0 radius-server accounting 192.168.7.249 1646 weight 0 # aaa authentication-scheme auth1 authentication-mode radius accounting-scheme acct1 accounting-mode radius # ip pool pool_v4 bas local gateway 172.16.0.1 255.255.255.0 section 0 172.16.0.2 172.16.0.200 # ipv6 prefix pre_nd delegation prefix 2001:db8:1::/48 delegating-prefix-length 64 slaac-unshare-only # ipv6 pool pool_nd bas delegation prefix pre_nd dns-server 2001:db8:1::2 2001:db8:1::3 # ipv6 prefix pre_pd delegation prefix 2001:db8:2::/48 delegating-prefix-length 60 pd-unshare-only # ipv6 pool pool_pd bas delegation prefix pre_pd dns-server 2001:db8:1::2 2001:db8:1::3 # aaa domain isp1 authentication-scheme auth1 accounting-scheme acct1 radius-server group rd1 prefix-assign-mode unshared ip-pool pool_v4 ipv6-pool pool_nd ipv6-pool pool_pd # dhcpv6 duid llt # interface Virtual-Template1 ppp authentication-mode chap # isis 100 is-level level-2 cost-style wide network-entity 86.0451.1720.2803.5003.00 ipv6 enable topology ipv6 ipv6 preference 20 # interface GigabitEthernet0/1/2 # interface GigabitEthernet0/1/2.10 pppoe-server bind Virtual-Template 1 ipv6 enable ipv6 address auto link-local user-vlan 4003 bas access-type layer2-subscriber default-domain authentication isp1 client-option82 authentication-method ppp web authentication-method-ipv6 ppp web # interface GigabitEthernet0/1/1 ipv6 enable ipv6 address 2001:db8:8::7 128 ipv6 address auto link-local ip address 10.2.1.1 24 isis enable 100 isis ipv6 enable 100 isis ipv6 cost 50 level-2 # interface LoopBack100 ipv6 enable ipv6 address 2001:db8:7::7 127 ipv6 address auto link-local ip address 10.10.10.10 16 isis enable 100 isis ipv6 enable 100 # bgp 100 group group1 internal peer group1 connect-interface LoopBack100 group group2 external peer group2 connect-interface LoopBack100 peer 2001:db8:7::2101 as-number 100 peer 2001:db8:7::2101 group group1 peer 2001:db8:7::2102 as-number 100 peer 2001:db8:7::2102 group group1 peer 2.2.2.2 as-number 101 peer 2.2.2.2 group group2 peer 3.3.3.3 as-number 101 peer 3.3.3.3 group group2 ipv4-family unicast import-route unr # ipv6-family unicast import-route unr # return