Ruijie MSC-ED Authentication and Accounting Solution Implementation Cookbook (V1.0)

2020-02-15

11.x Project Configuration Guide Template

1       Product Introduction

1.1      Overview


The MSC-ED series is a multi-service card developed by Ruijie Networks for gateway-based authentication and accounting. It is applicable to the RG-N18000 series next-generation, cloud-based core switches, and supports exit authentication, traffic-based charging, URL audit, and flow control. It is the industry's first authentication and accounting module compatible with multiple switch-based deployment modes. The MSC-ED card supports bridge deployment and gateway deployment.

Bridge deployment supports the following forwarding mechanisms: bridge forwarding, sniffer, and software bypass, all of which require serial connection setup by the MSC-ED card. Bridge deployment requires the combined use of the MSC-ED and the RG-N18000.

Gateway deployment is applicable to Layer 3 networking and supports policy-based routing (PBR) and forwarding. In this deployment mode, the MSC-ED card supports Layer 3 Web authentication and remote authentication, but only the specified card version can be used.

[Area] [Product Name] [Function] [Version] [Remarks]

[Dormitory area, office area, teaching area] [Access, aggregation, and core switch] [No functional change] [All versions] [The function of preventing unauthorized IP address configuration is supported (IP Source Guard + IP DHCP snooping).]

[Dormitory area, office area, teaching area] [Wireless access point (AP)] [Wireless forwarding channel] [All versions] [N/A]

[Area between the network core and the egress] [RG-N18000] [Authentication, Authorization and Accounting (AAA)] [N18000_RGOS 11.5 (1) B2] [N/A]

[Area between the network core and the egress] [MSC-ED card] [Traffic-based charging] [MSC_RGOS 11.1 (8) B1] [N/A]

[Egress] [Powercache] [Hotspot caching and use of extranet resources on the intranet] [All versions] [N/A]

[Egress] [ACE] [Bandwidth guarantee for key applications and users, traffic visualization, URL and IM logging, and accounting] [All versions] [N/A]

[Egress] [EG2000XE] [Smart routing, multilink load balancing, domain name server (DNS), and network address translation (NAT)] [All versions] [N/A]

[Service area] [SAM] [AAA server] [SAM+] [N/A]

[Service area] [ePortal] [Portal server] [1.43 and later] [N/A]

[Service area] [SNC] [Whole-network topology management, VLAN management, and configuration management] [2.28 and later] [N/A]

[Service area] [eLog server] [Behavior audit] [N/A] [N/A]

1.2       Product Model

The product name of the authentication and accounting card is M18000-MSC-ED. The product version is displayed on the command-line interface (CLI) of the RG-N18000 chassis and on the Web homepage of the MSC-ED card.

The following versions need to be specified: MSC-ED card version, RG-N18000 version, SAM+ version, and ePortal version.

Currently, the MSC-ED series has only one model. The model is displayed on the Web homepage of the MSC-ED card.

1.3       Installation

I. Installing hardware

Note: For FE cards, line cards, and engine slots, only one slot has no filler panel installed in the standard configuration of a chassis before shipment. To insert cards into other slots, remove the filler panels. A filler panel must be installed in a slot without a card; otherwise, the heat dissipation of the device is affected.

1.       Wear ESD wrist straps, and ensure that the ESD wrist straps are in good contact with the skin and are properly grounded.

2.       Remove the filler panel from a slot of the chassis.

3.       Take a card out of the card box and hold the handle of the card with both hands. Hold and place cards horizontally when taking and transferring them. Do not knock the side connected to the backplane.

The hardware installation process for the MSC-ED card is similar to that for the RG-N18000 service card. For details, see the N18000 Series Switch Hardware Installation Manual.

 

II. Checking the hardware status

Connect to a power supply and check whether the device operates properly. (The checking process is similar to that for firewall cards.)

•  Check that the card indicator is steady green.

•  Run the show version slots command and check that the card is properly recognized.

•  Run the show run command and check that the interfaces are loaded correctly in the configuration.

 

III. Checking the card loading status

IV. Checking the status of internal interfaces

The external physical interfaces of the RG-N18000 card are Interface 1 and Interface 2; therefore, internal interfaces are numbered starting from 3, as shown in the following figure.

 

 

V. Checking the software status

Check items: 1. correct version; 2. clock synchronization completed; 3. initial interface shutdown in bridge mode.

Connect a PC to the console port on the device panel and perform the following operations:

•  Check that the software is loaded properly and CLI commands can be entered on the console.

•  Run the show version detail CLI command to check whether the software version is correct.

•  Check the clock and related settings. The MSC-ED card must be configured with a clock synchronization protocol. By default, a server on the Internet is used as the SNTP server. If the MSC-ED card cannot connect to the Internet, you are advised to change the IP address of the SNTP server to the IP address of the RG-N18000 and enable a clock synchronization protocol on the RG-N18000. Accounting and real-name auditing are accurate only when the RG-N18000, MSC-ED, and SAM server have consistent time.

•  By default, the MSC-ED card adopts the bridge mode. The TenG0/1 and TenG0/2 interfaces that form a bridge are connected to the TenG1/3 and TenG1/4 interfaces of the RG-N18000. To avoid VLAN loops, configure traffic diversion on the TenG1/3 and TenG1/4 interfaces.

1.4       Basic Capabilities and Restrictions

The combined use of the available products is summarized as follows:

Product selection is based on two factors:traffic volume and user quantity.

[Main Indicator] [Metric] [Value]

[Layer 3 authentication] [IPv4 Web authentication performance] [1,000 users per second]

[Layer 3 authentication] [Online terminal capacity] [90,000 dual stack]

[Layer 3 authentication] [Online user information synchronization performance (SAM server and RG-N18000)] [100,000 users within 15 minutes]

[Layer 3 authentication] [Authentication exemption configuration on the SAM server] [Supported]

[Layer 3 authentication] [Mapping of one account to multiple terminals (wired and wireless)] [Supported]

[Layer 3 authentication] [Web authentication client] [Supported]

[Layer 3 authentication] [Layer 3 authentication deployment modes] [Bypass and serial connection]

[Layer 3 authentication] [IP spoofing protection during accounting] [Supported]

[Traffic-based charging] [IPv4 forwarding performance of a single traffic exit authentication card] [10 Gbps]

[Traffic-based charging] [Centralized device connection, 40 Gbps per device] [40 Gbps]

[Traffic-based charging] [Traffic table creation performance per card] [100,000 per second]

[Traffic-based charging] [Traffic table capacity per card, IPv4] [8,000,000]

[Traffic-based charging] [Traffic table capacity per card, IPv6] [1,000,000]

[Tiered charging] [No decimal during segment charging] [Integer]

[Openness] [Standard RADIUS interworking] [Supported]

[Reliability] [RADIUS escape] [Supported]

[Reliability] [Portal escape] [Supported]

[Reliability] [Hot standby of the network access authentication card] [Supported]

[Reliability] [AP link backup to solve line card failures] [Supported]

[Audit] [Audit] [30,000 concurrent terminals per card, 20,000/s performance per card]

 

Parallel comparison of product functions:

[Item] [RG-N18000+MSC card] [RSR77]

[Noise reduction] [High noise reduction performance, supporting instant page display under the 100,000/s noise condition. (1) When receiving a packet, the RG-N18000 includes a JavaScript in the packet to trigger redirection. A browser recognizes the script and triggers redirection. Noise sources cannot recognize the script, so their packets are not redirected to the portal server, which reduces the server burden.] [Poor noise reduction performance. (1) The RSR77 recognizes Web requests and non-Web requests, and also recognizes lightweight applications based on the User-Agent field in HTTP packets. It distinguishes between Web HTTP request packets and non-Web HTTP request packets, and discards the HTTP packets from non-Web applications.]

[Application scenario] [(1) Layer 2 access authentication and accounting; (2) Layer 3 exit authentication and accounting] [Layer 3 exit authentication and accounting]

[Authentication method] [Layer 2 Web authentication, Layer 3 Web authentication, and 1x authentication] [Layer 3 Web authentication]

[Deployment scenario] [(1) Core deployment; (2) Bypass deployment; (3) Transparent deployment at the egress] [(1) Bypass deployment; (2) Layer 3 deployment at the egress]

[Performance] [90,000 online terminals; 512-byte and 40-Gbps forwarding bandwidth; no impact on forwarding bandwidth from configuration of accounting-free network segments; formal third-party certificates] [90,000 online terminals; 40-Gbps forwarding bandwidth (bytes unknown); impact on forwarding bandwidth from configuration of accounting-free network segments]

[Perception-free authentication] [Supported; Layer 3 perception-free authentication under planning] [Not supported]

[Flow control] [Supported] [Supported]

[Accounting principle] [Based on duration or traffic] [Based on duration or traffic]

[IP spoofing] [Solved by DHCP support] [Not solved]

[Active/Standby RADIUS] [Supported] [Unsupported]

[Traffic statistics precision] [4M/4 minutes] [10M/5 minutes]

[URL audit] [Supported, with 80,000/s URL audit performance] [Supported]

[User group bandwidth management] [Supported] [Supported]

[Guest authentication by QR code scan] [Supported] [Unsupported]

[Traffic classification] [Eight types] [Three types]

[Authentication exemption based on the source and destination IP addresses] [Supported] [Supported]

[Accounting exemption] [Supported] [Unsupported]

[Attack prevention] [Overall attack prevention per user, which is enabled by default and does not affect performance] [Overall attack prevention per user, which affects performance (it is recommended that this function be enabled only when an attack occurs)]

[Architecture] [Separation of authentication, accounting, and forwarding, which meets high performance requirements] [Authentication, accounting, and forwarding implemented by cards]

[Reliability] [(1) Bypass; (2) AA deployment; (3) RADIUS and portal escape; (4) Multi-VSU feature] [(1) RADIUS and portal escape]

[Openness] [Support of SAM, free RADIUS, urban hotspot, Srun, and self-developed RADIUS] [Support of only SAM]

[Cost] [Relatively high] [Relatively low]

[Egress] [Egress deployment not supported] [Support of egress deployment, NAT, and smart routing]

[Carrier solution] [DNS disputes between multiple carriers for Web authentication] [Supported]


         

2       Routine Maintenance

2.1      Login

Web Login

Management interface: MGMT

Default management address: 192.168.1.1

Web login URL: http://192.168.1.1

Default account name and password: admin and admin

SSH Login

Default management address: 192.168.1.1

Management interface: MGMT

Default account name and password: admin and admin

Note: You are advised to log in over Web for the first time. After you configure the management interface address and the gateway in interface configuration mode, log in over SSH or telnet.

Telnet Login

Default management address: 192.168.1.1

Management interface: MGMT

By default, neither the VTY password nor the privileged password is set. You need to set the Web administrator password and the telnet password on the System Settings page.

Note: You are advised to log in over Web for the first time. After you configure the management interface address and the gateway in interface configuration mode, log in over SSH or telnet.

Console Login

Baud rate: 9,600

Data bits: 8

Parity check: none

Stop bit: 1

Data flow control: none

If your PC comes with HyperTerminal, the COM port is located beside the display interface on the back of the chassis. The COM port has nine pins. If you use a laptop without a COM port, connect a serial-to-USB cable.

The MSC-ED card has a console port on its front panel, and the port is marked with console.

2.2       Upgrading the MSC-ED Card Version

I. (Recommended) Web-based upgrade

1.       Log in to the Web management interface of the MSC-ED card from the intranet.

2.       (Note) Change the name of the upgrade package to rgos.bin.

3.       Click System Upgrade, then select and upload the upgrade package used for local upgrade.

4.       Wait until the upgrade is successful. Do not perform any operations during the upgrade process.

 

II. Upgrade on CLI

1.       Prepare the upgrade file and tool.

Change the name of the main program to be upgraded to rgos.bin. Use the 3CDaemon TFTP tool for CLI upgrade, because the 11.X version package is large.

2.       Run 3CDaemon to start a TFTP server, and specify the location of the program to be upgraded.

Before upgrade, check Windows Firewall, antivirus software settings, and system security policies. Only one TFTP server can be started; otherwise, a port conflict occurs.

3.       Log in to the CLI.

Enter the upgrade command upgrade download oob_tftp://192.168.51.59/rgos.bin (192.168.51.59 is the IP address of the PC).

Run the show version command on the CLI to display version information.

 

2.3       Password Change and Recovery

2.3.1     Password Change

Choose Advance > System Settings > Change Password to change your password.

2.3.2      Password Recovery

I. Network Mode

If you are an administrator but forget the password and cannot log in to the MSC-ED card in Web mode, use a console cable to access the CTRL layer and recover your password. You need to save previous configurations before recovery.

If the configurations are unimportant, you can press the RESET button on the panel in the power-on state for 8s to reset the card to default settings. The default IP address is 192.168.1.1, and the default username and password are both admin.

 

II. Network Topology

III. Configuration Tips

1.       If you need to save previous configurations, get a console cable ready for password recovery. Restart the device and recover the password at the Boot layer.

2.       After the device is restarted, password recovery is completed at the Boot layer, which causes a network interruption. Perform password recovery when the network can be disconnected.

 

IV. Configuration Steps

(1)    Perform the following operations torecover your password:

a.      Connect a console cable to the console port of the MSC-ED card, and connect a network cable to the internal network port of the ACE.

b.      Configure the network device by using HyperTerminal.

Choose Start > Programs > Accessories > Communication to start the HyperTerminal program. (By default, Windows Server 2003 does not come with HyperTerminal, and you need to install HyperTerminal using the Add/Remove Programs tool in Control Panel.) The following dialog box is displayed when you use HyperTerminal for the first time.

Enter an area code (for example, 099) and click OK. The following dialog box is displayed.

Click OK to start HyperTerminal. Enter a name and click OK.

Select the COM port connected to the console cable for Connect to, and click OK.

In the COM Attributes dialog box, click Restore Defaults and then OK. The HyperTerminal configuration window is displayed, with the cursor blinking in the upper left corner.

The default baud rate is 9,600.

Press Enter to enter user mode (Ruijie>) on the network device.

(2)    Power off and then on the device. Keep pressing the shortcut key Ctrl+C on the HyperTerminal interface until the main menu is displayed, as shown in the following figure.

(3)    Press the shortcut key Ctrl+Q to open the U-Boot CLI, enter the main_config_password_clear command, and press Enter. The device restarts automatically and enters its system without password input (the password is skipped only for this one boot).

(4)    Change the privileged password and the Web administrator password in device configuration mode as follows:

Set a new Web administrator password and a new privileged password.

Ruijie#configure terminal

Ruijie(config)#webmaster level 0 username admin password admin   //new username and password are admin

Ruijie(config)#enable secret admin   //enable password is admin

Ruijie(config)#exit

Ruijie#write   //save the configuration

 

The new password takes effect after being saved. A restart is not required.

Because users are also authenticated on the console port when Web authentication is enabled, you need to change the password for user authentication; otherwise, you cannot log in to the console port after exit. To change the password, re-set the telnet login password on the Web management interface, or configure a telnet user and a password on the CLI.

Ruijie(config)#username admin password admin

Note: Do not exit the system before you change the password; otherwise, you need to input the old password to re-enter the system.

 

V. Verification

Use the new password to log in to the MSC-ED card. The following figure shows the login page.

2.4       Log Query

1.      Logs are stored in a directory in the flash.

2. Display Logs

(1)    Run the show logging command to display logs.

(2)    Run the more flash:syslog_1.txt command to display the log information in the syslog_1.txt file in that directory.

 

3. Copy Logs

(1) Copy logs over TFTP. (The TFTP service must be enabled on the PC. In this example, the IP address of the PC is 192.168.1.1.)

copy flash:/syslog/syslog_xxx.text tftp://192.168.1.1/syslog_xxx.text   //Connect the network cable of the PC to the router interface, or:

copy flash:/syslog/syslog_xxx.text oob_tftp://192.168.1.1/syslog_xxx.text   //Connect the network cable to the MGMT interface on the global management mainboard.

flash:/syslog/syslog_xxx.text is a sample path.

(2) Copy logs using a USB flash drive.

copy flash:syslog/syslog_xxx.text usb0:sw1_m1.syslog_xxx.text   //Connect a USB flash drive to the M1 management board of SW1.


         

3       Common Functions and Basic Configuration

3.1      Deployment

The deployment process involves the following functional components:

1.       RG-N18000 chassis: data traffic diversion, authentication, and access to partial network resources before authentication

2.       MSC-ED service card: accounting, flow control, and URL audit

3.       Authentication and accounting system: authentication and account configuration

Precautions:

1.       For proper recognition of the MSC-ED line card, use the correct switch version for the MSC-ED authentication solution.

2.       Only the generic version of the MSC-ED authentication solution is available. If you need to use the MSC-ED line card in conjunction with the simplified network solution, contact the product TAC.

3.       The MSC-ED authentication solution supports new features such as Layer 2/3 Web authentication and remote authentication. Do not use these features with the simplified network solution.

3.2      RG-N18000 Configuration

3.2.1     Web Authentication Configuration

Working Principle

•  A user opens Internet Explorer and initiates an HTTP request for accessing a website.

•  The network access server (NAS) intercepts the HTTP request and redirects the user to the portal server because the user has not been authenticated. The NAS adds related parameters to the portal URL. For parameter details, see the description of CHAP authentication.

•  The portal server pushes the Web authentication page to the user.

•  The user fills in an account name, password, and other information on the authentication page, and then submits the information to the portal server.

•  The portal server submits the account name and password to the NAS in order to initiate authentication.

•  The NAS sends the account name and password to the RADIUS server for authentication. The RADIUS server determines user validity based on the user information, and then returns a RADIUS Access-Accept or Access-Reject response to the NAS.

•  The NAS returns the authentication result to the portal server.

•  The portal server pushes a page containing the authentication result to the user.

•  The portal server returns a response to the NAS to acknowledge reception of the authentication result.

•  The NAS sends an Accounting-Start packet.

Remarks:

Web authentication acceleration supports direct access to the portal page for authentication; redirection is not required.

Difference from the first-generation portal server: authentication is jointly completed by the NAS and the RADIUS server, which effectively reduces the burden on the portal server.
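The NAS-to-RADIUS legs of the exchange above (account name and password sent to the RADIUS server, Access-Accept or Access-Reject returned) rest on the shared key configured with radius-server host ... key ruijie. The following is an added example, not code from the cookbook or from Ruijie, that builds a RADIUS Access-Request with the RFC 2865 User-Password hiding, answers it from a toy server, and has the NAS verify the Response Authenticator before trusting the result. The user database, the identifier 7 and the secret values are constructed for the example; only the key ruijie comes from the page's configuration.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor_chain(data, secret, request_auth, chain_on_output):
    """Core of RFC 2865 section 5.2: each 16-byte block is XORed with
    MD5(secret + previous block); the Request Authenticator seeds the chain.
    Hiding chains on the produced (hidden) blocks, revealing on the received ones."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if chain_on_output else data[i:i + 16]
    return out


def hide_password(password, secret, request_auth):
    pad_len = 16 if not password else (-len(password)) % 16   # at least one block
    return _xor_chain(password + b"\x00" * pad_len, secret, request_auth, chain_on_output=True)


def reveal_password(hidden, secret, request_auth):
    return _xor_chain(hidden, secret, request_auth, chain_on_output=False).rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(blob):
    """Type-Length-Value walk with bounds checks on every length byte."""
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs[attr_type] = blob[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier, username, password, secret, request_auth=None):
    """NAS side: the Request Authenticator is 16 fresh random bytes per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + \
        _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, request, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret):
    """NAS side: accept a reply only if it echoes the request identifier and its
    Response Authenticator was computed with the same shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if struct.unpack("!H", header[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def server_handle(request, secret, user_db):
    """Toy RADIUS server (constructed for the example): recover the password, answer Accept or Reject."""
    attrs = parse_attributes(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    ok = user in user_db and hmac.compare_digest(user_db[user].encode(), password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, b"", secret)


def portal_login(username, password, nas_secret, server_secret, user_db):
    """NAS -> RADIUS -> NAS round trip; returns what the NAS would report to the portal."""
    request = build_access_request(7, username, password, nas_secret)
    response = server_handle(request, server_secret, user_db)
    if not verify_response(response, request, nas_secret):
        return "invalid-response"      # mis-keyed or forged reply: the NAS must not act on it
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"
```

The third case in the checks below is the one worth remembering operationally: when the key on the RG-N18000 and the key on the RADIUS server differ, the server still answers, but the NAS rejects the reply as unauthenticated, which on the page's deployment shows up as users failing Web authentication even though the server logs show requests arriving.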

Flowchart of packet exchange:

Configuration Steps

aaa new-model   //Enable AAA.

radius-server host 192.168.197.79 key ruijie   //RADIUS authentication server and shared key.

aaa authorization network default group radius   //AAA configuration reference, which may vary according to the actual service deployment.

aaa authentication web-auth default group radius   //Enable Web authentication.

aaa accounting update periodic 20   //AAA configuration reference, which may vary according to the actual service deployment.

aaa accounting update   //AAA configuration reference, which may vary according to the actual service deployment.

aaa accounting network default start-stop group radius   //AAA configuration reference, which may vary according to the actual service deployment.

web-auth template eportalv2   //Authentication template.

ip 192.168.197.79

url http://192.168.197.79:8080/eportal/index.jsp   //Portal server URL (add the RG-N18000 to the portal server).

web-auth portal key ruijie   //Configure a key for the portal server.

web-auth direct-host 49.209.88.101   //(Optional) Configure a list of users exempt from authentication.

interface range GigabitEthernet 0/2-3   //Enter interface configuration mode for the user-facing interfaces.

web-auth enable eportalv2   //Enable Web authentication on the interfaces.

 

Note: The Web authentication adopted by the MSC-ED traffic equipment room solution is different from that adopted by the campus network 3.0 solution.

The Web authentication adopted by the MSC-ED traffic equipment room solution supports the Layer 2 VLAN interface and the Layer 3 switch virtual interface (SVI), but does not support QinQ and Super VLAN.

3.2.2     Enabling the Function of Adding the Portal Page to Favorites

This function allows users to add the portal page to their Internet Explorer favorites and then click the portal link in the Favorites directory to perform authentication, removing the need to enter URLs in the address bar of the browser. The NAS port number for users with this function enabled is 0 on the Operation > Online User page of the SAM server.

Configuration Reference

web-auth portal eportalv2

 

3.2.3      IPFIX Configuration

Working Principle

IPFIX is used to update user traffic accounting information. It encapsulates the authentication information on the egress gateway as TCP packets according to the IPFIX-defined format and sends the packets to the configured server, which then updates the corresponding accounting information.

IPFIX transfers flow records as templates. Before sending flow records, IPFIX creates a template according to the record format and sends the template to the server. The template defines the attributes and lengths of the fields in the flow record. IPFIX defines hundreds of field attributes, and each attribute corresponds to an identifier used to indicate the meaning of the attribute. For example, the attribute marked by 8 indicates the source IP address. Upon receiving the template, the server determines the format of subsequent IPFIX flow records and parses these records according to the format.

If the RADIUS server is RG-SAM+, perform the following configuration. If the RADIUS server is not RG-SAM+, consult the background.

IPFIX configuration reference for RG-SAM+:

web-auth acct-method ipfix   //Set the Web authentication accounting mode to IPFIX.

ip auth-flow export destination 192.168.1.6 4739   //Export traffic information to the SAM server.
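The template mechanism described above is what lets a collector such as the SAM server decode records it has never seen before. As an added example, not code from the cookbook or from RG-SAM+, the following builds an IPFIX template set and a matching data set following RFC 7011 (information element 8 is sourceIPv4Address, as the page states) and decodes them on the collector side, including the case where a data set arrives before its template and has to be dropped. The template id 256, observation domain 42, the addresses and the counters are constructed sample values; the MSC-ED card's actual record layout is not documented on the page.

```python
import ipaddress
import struct

# A few Information Element ids from the IANA IPFIX registry (RFC 7012)
IE_NAMES = {
    1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
    7: "sourceTransportPort", 8: "sourceIPv4Address",
    11: "destinationTransportPort", 12: "destinationIPv4Address",
}
TEMPLATE_SET_ID = 2          # Set ID 2 carries templates; data sets use their template id (>= 256)


def build_template_set(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", ie, length) for ie, length in fields)
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(body)) + body


def encode_record(fields, values):
    """Fixed-length encoding: IPv4 strings as 4 packed bytes, integers big-endian."""
    out = b""
    for (ie, length), value in zip(fields, values):
        out += ipaddress.IPv4Address(value).packed if isinstance(value, str) else value.to_bytes(length, "big")
    return out


def build_data_set(template_id, records):
    body = b"".join(records)
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def build_message(sets, export_time, sequence, domain_id):
    payload = b"".join(sets)
    return struct.pack("!HHIII", 10, 16 + len(payload), export_time, sequence, domain_id) + payload


class Collector:
    """Collector side: learn templates per observation domain, then decode data sets with them."""

    def __init__(self):
        self.templates = {}          # (domain_id, template_id) -> [(ie, length), ...]

    def feed(self, msg):
        if len(msg) < 16:
            raise ValueError("message shorter than the IPFIX header")
        version, length, _export_time, _seq, domain_id = struct.unpack("!HHIII", msg[:16])
        if version != 10 or length != len(msg):
            raise ValueError("not a well-formed IPFIX message")
        records, off = [], 16
        while off + 4 <= length:
            set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
            if set_len < 4 or off + set_len > length:
                raise ValueError("bad set length")
            body = msg[off + 4:off + set_len]
            if set_id == TEMPLATE_SET_ID:
                self._learn_templates(domain_id, body)
            elif set_id >= 256:
                template = self.templates.get((domain_id, set_id))
                if template is None:
                    # Data before its template cannot be decoded; report the set id and drop it
                    records.append({"undecodable_set": set_id})
                else:
                    records.extend(self._decode_records(template, body))
            off += set_len
        return records

    def _learn_templates(self, domain_id, body):
        off = 0
        while off + 4 <= len(body):           # anything shorter than a header is padding
            template_id, count = struct.unpack("!HH", body[off:off + 4])
            off += 4
            fields = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4]) for i in range(count)]
            off += 4 * count
            self.templates[(domain_id, template_id)] = fields

    @staticmethod
    def _decode_records(fields, body):
        record_len = sum(length for _, length in fields)
        records, off = [], 0
        while off + record_len <= len(body):  # trailing bytes shorter than a record are padding
            record, pos = {}, off
            for ie, length in fields:
                raw = body[pos:pos + length]
                name = IE_NAMES.get(ie, "ie%d" % ie)
                record[name] = str(ipaddress.IPv4Address(raw)) if ie in (8, 12) and length == 4 else int.from_bytes(raw, "big")
                pos += length
            records.append(record)
            off += record_len
        return records


# Constructed sample export: one template, then one flow record for a user at 10.1.2.3
FLOW_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8), (2, 8)]
SAMPLE_TEMPLATE_MSG = build_message([build_template_set(256, FLOW_FIELDS)], 1581724800, 1, 42)
SAMPLE_DATA_MSG = build_message(
    [build_data_set(256, [encode_record(FLOW_FIELDS, ["10.1.2.3", "203.0.113.9", 51234, 443, 6, 123456, 100])])],
    1581724801, 2, 42)


def demo():
    collector = Collector()
    collector.feed(SAMPLE_TEMPLATE_MSG)   # template first, as the page describes
    return collector.feed(SAMPLE_DATA_MSG)
```

Templates are keyed by observation domain as well as template id because two exporters may reuse the same id with different layouts; a collector that ignores the domain would silently misattribute octet counts to the wrong fields.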

3.2.4      No-traffic Detection Configuration

Mandatory

When an authenticated user goes offline abnormally (for example, the user disconnects the network cable or powers off the device) and then connects to the Internet in another dorm room, the user cannot perform authentication because the user is still in the online state.

Flowchart of no-traffic detection:

Configuration Reference

You can set the period for which users are allowed to stay online with no traffic detected. Once a user is detected with no traffic during that period, the user is forced offline. The period therefore determines how long the user has to wait before re-authenticating after port migration. The configuration command is as follows:

offline-detect interval xx threshold 0   //xx is the interval in minutes; the threshold is set to 0.

The MSC-ED solution supports no-traffic detection, but does not support low-traffic detection.

offline-detect interval 5 threshold 0

 

3.2.5      AP Load Balancing and Traffic Diversion

3.2.5.1     AP Load Balancing

You can connect two or more MSC-ED cards in AP binding mode according to deployment requirements.

You can configure an AP interface for load balancing and hot standby between the MSC-ED cards. In the following figure, an interface of MSC-ED1 and an interface of MSC-ED2 are configured to form AP3 and AP4 respectively. Users' uplink traffic (traffic from the user side to the Internet) is diverted to AP3, whereas users' downlink traffic (traffic from the Internet to the user side) is diverted to AP4. AP3 adopts an AP load balancing algorithm based on the source IP address, whereas AP4 adopts an AP load balancing algorithm based on the destination IP address. If the uplink traffic of users who use IP1 to access the extranet is distributed to MSC-ED1 (which implements load balancing based on the source IP address), the downlink traffic of those users is also distributed to MSC-ED1, because the destination-IP-based algorithm hashes the same key (IP1). Such a solution must ensure that the load balancing algorithm based on the source IP address and that based on the destination IP address are the same. When MSC-ED1 fails, services are switched over to MSC-ED2 to implement hot standby.

Configuration description:

Ruijie(config)#interface AggregatePort 3

Ruijie(config-if-AggregatePort 3)#switchport access vlan 2

Ruijie(config-if-AggregatePort 3)#aggregateport load-balance src-ip   //The MSC-ED cards implement load balancing for uplink traffic based on the source IP address.

Ruijie(config-if-AggregatePort 3)#exit

Ruijie(config)#interface AggregatePort 4

Ruijie(config-if-AggregatePort 4)#switchport access vlan 2

Ruijie(config-if-AggregatePort 4)#aggregateport load-balance dst-ip   //The MSC-ED cards implement load balancing for downlink traffic (returned from the extranet) based on the destination IP address.

Ruijie(config-if-AggregatePort 4)#exit

Ruijie(config)#msc path vlan 2 dev-input Ag1 dev-output Ag2 msc-input Ag3 msc-output Ag4   //Set the direction of traffic diversion.
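Why AP3 must hash on the source address and AP4 on the destination address, and what breaks when they do not, is easier to see in a small model. This is an added example, not code from the cookbook or from Ruijie: the member hash below (integer value of the address modulo the member count) is a stand-in, since the switch's real aggregate-port hash is not described on the page; the argument only needs the hash to be a deterministic function of the single key field. Card names, user addresses and Internet hosts are constructed sample values.

```python
import ipaddress

CARDS = ["MSC-ED1", "MSC-ED2"]          # the two cards bound into AP3 and AP4 on the page


def pick_member(ip, members):
    """Stand-in for the switch's per-AP hash (assumption: any deterministic
    function of the key field gives the same argument)."""
    return members[int(ipaddress.IPv4Address(ip)) % len(members)]


def ap_forward(src_ip, dst_ip, members, algorithm):
    """Model one AP choosing a member from the configured key field."""
    key = {"src-ip": src_ip, "dst-ip": dst_ip}[algorithm]
    return pick_member(key, members)


def flow_cards(user_ip, internet_ip, members, ap3_algorithm, ap4_algorithm):
    """Uplink enters AP3 as (user -> host); the reply enters AP4 as (host -> user)."""
    uplink = ap_forward(user_ip, internet_ip, members, ap3_algorithm)
    downlink = ap_forward(internet_ip, user_ip, members, ap4_algorithm)
    return uplink, downlink


def symmetric_fraction(user_ips, internet_ips, members, ap3_algorithm="src-ip", ap4_algorithm="dst-ip"):
    """Fraction of user/host pairs whose two directions land on the same card.
    Per-user accounting on a card is only complete when this is 1.0."""
    pairs = [(u, h) for u in user_ips for h in internet_ips]
    same = sum(1 for u, h in pairs
               if len(set(flow_cards(u, h, members, ap3_algorithm, ap4_algorithm))) == 1)
    return same / len(pairs)


def after_failure(members, failed):
    """Hot standby: the failed card leaves both APs, and the survivors take every flow."""
    return [m for m in members if m != failed]


# Constructed sample addresses
USERS = ["10.0.0.1", "10.0.0.2"]
HOSTS = ["203.0.113.7", "203.0.113.8"]
```

With src-ip on AP3 and dst-ip on AP4 both directions of every flow key on the user's address and land on one card; configure src-ip on both APs and the downlink is keyed on the Internet host instead, so half of the sample flows have their two directions on different cards and the card that saw the request never sees the reply bytes.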

 

3.2.5.2     Path-based Traffic Diversion (in Bridge Mode)

Path-based Traffic Diversion

Traffic coming from the RG-N18000 is diverted to the MSC-ED card. Then the traffic is sent from another port of the MSC-ED card back to the RG-N18000 for forwarding, as shown in the following figure.

Configuration example:

msc path vlan 2000 dev-input ag1 dev-output ag2 msc-input ag3 msc-output ag4   //Traffic coming from the AG1 port of the RG-N18000 is diverted to the internal AG3 port of the MSC-ED card. Then the traffic is sent from the AG4 internal port of the MSC-ED card to the AG2 port of the RG-N18000 for forwarding.

Manual Bypass

User traffic is forwarded directly by the RG-N18000 without entering the MSC-ED card, as shown in the following figure.

Configuration command: msc switch direct

You can use the bypass enable obs force command when the optical bypass switch (OBS) is deployed.

Mirror-based Traffic Diversion

Mirror the uplink port of the RG-N18000 to the MSC-ED card: mirror the TX packets on the uplink port to internal Port 1 of the MSC-ED card, and mirror the RX packets on the uplink port to internal Port 2 of the MSC-ED card.

When the MSC-ED card fails, only accounting is affected.

Configure traffic diversion on the uplink and downlink ports of the RG-N18000.

monitor session 1 destination interface AggregatePort1 switch

monitor session 1 source interface GigabitEthernet2/2/25 tx

monitor session 2 destination interface AggregatePort2 switch

monitor session 2 source interface GigabitEthernet2/2/25 rx

 

Configure port mirroring.

Remarks: 2/2/25 is the uplink port, and 2/2/23 is the downlink port.

 

3.2.5.3     PBR-based Traffic Diversion (in Gateway Mode)

The following figure shows the flowchart of PBR-based traffic diversion.

Ports connected between the MSC-ED card and the RG-N18000:

Deployment logic:

1.      Configure the device interconnection address.

2.      Configure an ACL for the network segments that require authentication.

3.      Design PBR.

4.      (Optional) Configure track support.

5.      Enable PBR and Web authentication in interface configuration mode.

Step 1: Configure the device interconnection address.

To implement PBR-based traffic diversion, reconstruct the Layer 2 interfaces connected between the MSC-ED card and the RG-N18000 into Layer 3 interfaces.

Step 2: Configure an ACL for the network segments that require authentication.

Method 1:

Filter marked user traffic to prevent accounting-free traffic from entering the MSC-ED card. Pay attention to the marking direction.

Clarify the source and destination of data traffic, and define any correctly for extranet access traffic and intranet access traffic.

Method 2:

You can configure network segments to be exempt from authentication to protect the traffic defined with any any from anomalies. When traffic from authentication-free network segments enters the MSC-ED card, the traffic is transferred to the authentication-free VRF or is blocked.

Step 3: Configure PBR-based traffic diversion on the ingress and egress of the RG-N18000.

Note:

On the MSC-ED card, the WAN port is fixed to TenG0/2 and the LAN port is fixed to TenG0/1.

The set ip policy no-ttl-decrease command (mandatory) is used to disable the function of deducting the TTL hops of traffic entering the MSC-ED card.

The set ip policy l3-auth command (mandatory) is used to divert users exempt from authentication to the authentication-free VRF.

Step 4: Configure PBR-based traffic diversion on the ingress and egress of the RG-N18000.

Note: This version supports Layer 3 Web authentication.

Step 5: Log in to the MSC-ED card and enable PBR-based traffic diversion.

Configure the MSC-ED card to enter gateway mode. Then the card restarts automatically.

Step 6: Configure track support.

For details, see section 4.2.16 "Track Support for the RNS."

3.2.5.4     Traffic Diversion Based on Port Mirroring

Scenario description:

Mirror the uplink port of the RG-N18000 tothe MSC-ED card, mirror the TX packets on the uplink port to internal Port 1 ofthe MSC-ED card, and mirror the RX packets on the uplink port to internal Port2 of the MSC-ED card.

When the MSC-ED card fails, only accountingis affected.

Configuration example:

1.       Mirror configuration: Configure TE 2/4/24 as theuplink port of the RG-N18000.

monitor session 1 destination interface AggregatePort1 switch

monitor session 1 source interface TenGigabitEthernet2/4/24 tx

monitor session 2 destination interface AggregatePort2 switch

monitor session 2 source interface TenGigabitEthernet2/4/24 rx

 

2.       Configure the uplink and downlink ports of theRG-N18000.

interface GigabitEthernet 1/3/13

switchport access vlan 11

redirect destination interface TenGigabitEthernet2/4/24 acl ipv4 in

web-auth enable eportalv2

 

interface TenGigabitEthernet 2/4/24

switchport access vlan 11

redirect destination interface GigabitEthernet 1/3/13 acl ipv4 in

Apply an ACL to the ports.

 

ip access-list extended ipv4

 10 permit ip any any

 

3.       Configure the internal ports of the MSC-ED card.

interface AggregatePort 1

aggregateport load-balance src-ip

switchport access vlan 222

 

interface AggregatePort 2

aggregateport load-balance dst-ip

switchport access vlan 333

 

3.2.6     IPv6 Deployment

Mandatory

The IPv6 feature ensures normal forwarding of IPv6 data during the IPv4 authentication control process.

IPv6 can be deployed in strict, loose, or compatible mode.

Deployment mode | IPv4 packet forwarding rule | IPv6 packet forwarding rule

Strict mode | Packets compliant with the IPv4+MAC criteria are forwarded. | IPv6 packets are forwarded.

Loose mode | Packets compliant with the IPv4+MAC criteria are forwarded. | All IPv6 packets are forwarded.

Configuration command reference:

Ruijie(config)#address-bind ipv6-mode ?

  loose    IPV6 loose mode    (Recommend)

  strict   IPV6 strict mode   (default: strict)

 

3.2.7      Clock Synchronization Configuration

Clock synchronization must be configured for the MSC-ED card to maintain clock consistency with the background and thus ensure proper accounting.

Configure the time zones of the RG-N18000 and the MSC-ED card to be consistent. (The time zone of the MSC-ED card is managed by the SNTP server.)

Configuration example: clock timezone dongba +8 0

Configure NTP master on the RG-N18000.

Configuration example: ntp master 8

The RG-N18000 is the system time source and provides the NTP service to the MSC-ED card.

For other configurations, see section 4.3.4 "(Mandatory) Clock Synchronization."

3.2.8     Authentication Exemption

Configuration Steps

1.       Configure a list of authentication-free sites.

Configure a list of sites that users can access without authentication. A common application scenario is that users can download the Su client from a public resource site before authentication. To configure the IP addresses of authentication-free sites (straight-through sites), run the following command in global configuration mode:

http redirect direct-site

2.       Configure authentication-free addresses.

Web authentication is implemented based on the port status (enabled or disabled). Some IP addresses can be accessed without authentication, for example, the IP addresses accessed by managers and the IP addresses of printers, hydroelectric systems, and other public resources. To configure a list of authentication-free IP addresses or network segments, run the following command in global configuration mode:

web-auth direct-host

3.       Configure a secure channel.

An ACL-based authentication-free mechanism can be configured globally or based on ports.

Deployment in global configuration mode:

ip access-list extended safe    //Extended ACL

1 permit ip host xxxx xxxxxx

security global access-group safe

 

3.2.9     Portal Escape

The roles that take part in the AAA process include users, the NAS, AAA server, and portal server. Users cannot access the Internet when the portal server cannot respond in time to users' authentication requests due to a failure. To address this problem, the RG-N18000 provides the portal escape function. The RG-N18000 monitors the performance of the portal server in real time. When the portal server fails, automatic configurations are made to allow new users to access the Internet without authentication while maintaining the network access of existing online users, providing favorable user experience.

Notes:

- The portal detection function must be configured when the escape function is used.

- If multiple portal servers are configured, the escape function takes effect only when none of the portal servers is available.

- The escape function is intended only for the portal server, not the RADIUS server.

Configuration commands:

safe web-auth portal-escape [nokick]  //Configure the portal escape function.

web-auth portal-check interval 3 retransmit 3  //Configure the portal detection interval and number of retransmissions.

 

Configuration description:

Configure the portal escape function if the continuity of critical services on the network needs to be maintained when the portal server fails. The portal detection function must be configured together with the portal escape function. When nokick is specified, users will not be forced offline when escape takes effect; when nokick is not specified, all users will be forced offline.

 

3.2.10  RADIUS Escape

The roles that take part in the AAA process include users, the NAS, AAA server, and portal server. Users cannot access the Internet when the RADIUS server cannot respond in time to users' authentication requests due to a failure. To address this problem, the RG-N18000 provides the RADIUS escape function. The RG-N18000 monitors the performance of the RADIUS server in real time. When the RADIUS server fails, automatic configurations are made to allow new users to access the Internet without authentication while maintaining the network access of existing online users, providing favorable user experience.

Configuration command:

radius-server host xxx.xxx.xxx.xxx test username ruijie key ruijie  //IP address of the SAM server

radius-server dead-criteria time 3 tries 3

web-auth radius-escape

 

Configuration description:

If the RADIUS server is unavailable, the authentication page is still displayed when users attempt to access the extranet. Users can pass authentication using any account name and password.

Ensure that the dead time of the RADIUS server is not 0.

 

3.2.11  QR-code-based Access

QR code scan intended for guests

Configuring the guest QR code scan feature on the SAM+ server

After Web authentication is enabled on the device, unauthenticated users cannot access network content. After authentication-free URLs are configured, the device permits the traffic of unauthenticated users that matches the configured URLs, allowing those users to access the URLs. Because the WeChat app and iPhones require server access, the QR code scan feature of WeChat and iPhones does not support QR-code-based authentication. In the new solution, you can deploy a DNS relay on the RG-N18000 to permit traffic from the WeChat app and iPhones.

Configuration example:

N18K(config-if-GigabitEthernet 1/1)#dns-sniffer enable  //Enable the DNS relay function on the uplink port.

N18K(config)#free-url weixin  //Configure the WeChat server address as a straight-through address.

N18K(config)#free-url url captive.apple.com  //Configure the iPhone server address as a straight-through address.

Note: Because the Tencent server uses a unified address, after the WeChat server address is configured as a straight-through address, access to other Tencent services is also permitted without authentication.

3.2.12  Restart Protection

Working Principle

When the device is restarted, a large burst of load is generated as many users perform authentication at the same time. The restart protection function solves the authentication congestion problem on the authentication server during the restart process.

Enable restart protection for authentication based on different IP address segments. The authentication sequence is as follows: authenticate IP addresses ending with 0 to 7 (for example, x.x.x.0 to x.x.x.7), then authenticate IP addresses ending with 8 to 15, and so on; the authentication process proceeds to IP addresses ending with greater numbers. Users can pass authentication within 30 minutes, ensuring device performance and stability.

Configuration example:

Ruijie#conf

Enter configuration commands, one per line.  End with CNTL/Z.

Ruijie(config)#auth-reboot protect

 

3.2.13  DHCP Support

Working principle

The DHCP address release notification function notifies the RG-N18000 (deployed with the DHCP server) of DHCP address release, in order to force Web-authenticated users offline. This function is enabled by default.

You can use the following command to disable this function.

Configuration example:

Ruijie#conf

Enter configuration commands, one per line.  End with CNTL/Z.

Ruijie(config)# web-auth dhcp-server check   (enabled by default; disabling this function is not recommended)

 

3.2.14  Remote Authentication

Remote authentication is only applicable to the Layer 3 core. After users pass authentication on an access or aggregation switch, the SAM server synchronizes the users to the RG-N18000, which controls the users' access to the extranet and collects traffic statistics using the MSC-ED card.

Configuration Steps

1.      Configure the remote authentication server.

[no] remote-auth server host ipv4 [port port-num]

Configure the IP address and source port of the remote authentication server. The IP address must be an IPv4 address, and the source port is optional. If the source port is not configured, any port of the configured IP address can connect to the device. If the source port is configured, a connection must be set up from the specified IP address and port. Remote authentication is enabled after the IP address and source port are configured.

 

2.      Configure remote authentication port control.

[no] remote-auth enable

After remote authentication is enabled, the gateway traffic of unauthenticated users is blocked. Remote authentication control must be configured on the port connected to users requiring remote authentication. After remote authentication control is enabled, the gateway traffic of all users is blocked. After a remote user passes authentication, a permit-access entry mapping the user's IP address is delivered. Remote authentication supports router interfaces (including AP router interfaces) and SVIs.

 

3.      Configure the SAM server.

Select Use Port 2009 when you add the RG-N18000 to the SAM server.

Internal implementation logic of remote authentication

1.       After related configuration is complete, the remote authentication component Remote-Auth (RAUTH) listens on TCP port 2009 for server connection setup.

2.       When RAUTH receives an online user record, it sets the user to the SCC, which then adds the user to a user database (User-DB) and sets the user to the SS.

3.       The SS permits the gateway traffic coming from the IP address and adds the user information to a flow database (Flow-DB). The MSC-ED card collects traffic statistics on the user based on the information provided by the flow database.

4.       When the traffic threshold or the update period is reached, the SS sends traffic statistics to the SCC, which then transparently transmits the statistics to RAUTH.

5.       RAUTH locates the online user based on the IP address in the traffic statistics, encapsulates the user information into an IPFIX message, and sends the message to the IPFIX component, which then sends the user information to the server for accounting.

After modularization, the SS is integrated on the PD as an interface for receiving information from the PI (which provides services related to switch hardware).

The SCC is a component of the PI and functions as a security control center. The SCC delivers entries related to the PI's security functions.

Message types of remote authentication observed during packet capture

#1 message: The server instructs the RG-N18000 to block the gateway traffic of a user (NULL).

#2 message: The server notifies the RG-N18000 that a user is in arrears.

#3 message: The server notifies the RG-N18000 that a user goes online.

#4 message: The server notifies the RG-N18000 that a user goes offline.

#5 message: The server notifies the RG-N18000 that a user has no available duration.

#6 message: The server notifies the RG-N18000 that a user has no traffic (NULL).

#7 message: The RG-N18000 acknowledges a notification sent by the server.

#8 message: The server instructs the RG-N18000 to synchronize online users.

#9 message: the last packet during online user synchronization.

#10 message: heartbeat packet.

#11 message: The RG-N18000 notifies the server that a user's traffic quota has run out.

 

3.2.15  PBR Configuration Reference from Other Vendors

PBR Logic

1.      Identify routes.

2.      Define a PBR template.

3.      Invoke the template.

 

Cisco PBR Configuration Reference

My3377(config)#access-list 10 permit 192.168.1.0    //Mark the traffic that needs to be diverted.

My3377(config)#access-list 20 permit 192.168.2.0    //Same as above.

My3377(config)#route-map nexthop permit 10          //Specify a name.

My3377(config-route-map)#match ip address 10        //Match with a list.

My3377(config-route-map)#set ip next-hop 192.168.100.1    //Configure a policy.

My3377(config-route-map)#exit

My3377(config)#route-map nexthop permit 20

My3377(config-route-map)#match ip address 20

My3377(config-route-map)#set ip next-hop 192.168.100.2    //Configure another policy.

My3377(config-route-map)#exit

My3377(config)#route-map nexthop permit 30

My3377(config)#int s2/1

My3377(config-if)#ip policy route-map nexthop      //Invoke the policies in interface configuration mode.

My3377(config-if)#exit

 

Huawei PBR Configuration Reference

1.       Identify routes.

[Quidway] acl 3001

[Quidway-acl-adv-3001] rule permit ip source 10.1.40.0 0.0.0.255 destination 10.1.40.0 0.0.0.255    //permit

[Quidway-acl-adv-3001] quit

 

2.       Define a PBR template.

Configure traffic classification.

#Create traffic classifier a on the Quidway.

[Quidway] traffic classifier a

[Quidway-classifier-a] if-match acl 3001

[Quidway-classifier-a] quit

 

#Create Traffic Behavior A on the Quidway.

[Quidway] traffic behavior a

[Quidway-behavior-a] redirect ip-nexthop 10.1.99.5     //Redirect the traffic from network segment 40 to the next hop address 10.1.99.5.

[Quidway-behavior-a] quit

 

#Create Traffic Policy A on the Quidway and bind traffic classifier a with Traffic Behavior A.

[Quidway] traffic policy a

[Quidway-trafficpolicy-a] classifier a behavior a

 

3.       Invoke the template.

[Quidway] interface gigabitethernet 0/0/0

[Quidway-Gigabitethernet0/0/0] traffic-policy a inbound

[Quidway-Gigabitethernet0/0/0] quit

 

ZTE PBR Configuration Reference

1.       Identify routes.

acl extended number 100

rule 5 permit ip 10.50.0.0 0.0.3.255 0.0.0.0 255.255.255.255

 

2.       Define a PBR template.

route-map name ZY permit 100

match ip address 100

set default ip next-hop 10.0.0.1

set default interface g7/5

set default interface g7/10

 

3.       Invoke the template.

interface gei_7/5

ip policy route-map ZY

interface gei_7/10

ip policy route-map ZY

 

3.2.16 Track Support for the RNS

The phase 3 solution improves the RNS function, which can be used by PBR.

1.       Monitor the directly connected interface of the MSC-ED card over ICMP echo.

ip rns 1 icmp-echo 192.168.1.2 timeout 6000

ip rns 2 icmp-echo 192.168.1.3 timeout 6000

ip rns 3 icmp-echo 192.168.1.4 timeout 6000

ip rns 4 icmp-echo 192.168.1.5 timeout 6000

 

2.       Configure track support for the RNS.

track 100 rns-list 1

track 200 rns-list 2

track 300 rns-list 3

track 400 rns-list 4

 

3.       Enable track support for the RNS.

route-map pbr-upload permit 10

set ip next-hop verify-availability 19.1.1.2 track 100

set ip next-hop verify-availability 19.1.1.3 track 200

set ip next-hop verify-availability 19.1.1.4 track 300

set ip next-hop verify-availability 19.1.1.5 track 400

 

route-map pbr-download permit 10

set ip next-hop verify-availability 19.1.2.2 track 100

set ip next-hop verify-availability 19.1.2.3 track 200

set ip next-hop verify-availability 19.1.2.4 track 300

set ip next-hop verify-availability 19.1.2.5 track 400

 

3.2.17  Bypass

Working Principle

The bypass function of the OBS transfers traffic to the bypass link so that traffic does not enter the switch connected to the OBS when the OBS transitions to the bypass state.

The straight-through bypass function of a switch is applicable in the environment where the switch is connected to the MSC-ED card, but not to the OBS. When the switch enters the bypass state, the traffic that would otherwise enter the MSC-ED card is transferred to the straight-through path of the switch that is configured by the msc path command.

Bypass detection:

You can add multiple line cards to a detection group. When the bypass detection function detects that all line cards of the group are abnormal, it reports that the detection group is abnormal.

You can configure multiple detection groups. When the bypass detection function detects that a group is abnormal, it switches to the bypass state. When the group recovers, it switches back to the non-bypass state.

The bypass detection function allows you to associate the detected MSC-ED card with a track ID. You can configure track support for the RNS to detect the MSC-ED card and associate it with the same track ID to configure bypass detection for the RNS.

Configuration example:

bypass enable obs         //Enable the bypass function of the OBS.

bypass enable switch-direct     //Enable the straight-through bypass function of the switch.

bypass group 1 dev 1 slot 7

bypass group 2 dev 1 slot 6 track 6

bypass group 2 dev 1 slot 5 track 5       //Add the MSC-ED cards in Slot 5 and Slot 6 to Group 2.

ip rns 5     //Configure ICMP detection.

 icmp-echo 210.77.16.23

 frequency 6000

ip rns 6

        icmp-echo 210.77.16.22

        frequency 6000

ip rns schedule 5 start-time now life forever     //Configure the scheduling method, start time,and time to live (TTL) of an IP RNS test.

ip rns schedule 6 start-time now life forever

ip rns reaction-configuration 5 react all fail action-type Track    //Configure the proactive threshold monitoring and triggering mechanism for the IP RNS test.

ip rns reaction-configuration 6 react all fail action-type Track

track 5 rns 5

track 6 rns 6
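The next-hop selection of section 3.2.16 (first next hop whose track is up) and the detection-group logic of section 3.2.17 (a group is abnormal only when all of its cards are abnormal; any abnormal group puts the switch in the bypass state) can be modelled in a few lines. The following Python is an added example, not Ruijie code; the track states it feeds in are constructed, and it assumes that a group member configured without a track ID counts as normal, which the page does not state.

```python
"""Decision model for the RNS-track, PBR-next-hop and bypass-group logic of
sections 3.2.16 and 3.2.17.  Added example, not Ruijie code: the track
states below are constructed inputs, not output of a real switch."""
from dataclasses import dataclass
from typing import Dict, List, Optional

TrackState = Dict[int, bool]   # track ID -> True while its RNS probe succeeds


@dataclass(frozen=True)
class NextHop:
    """One 'set ip next-hop verify-availability <addr> track <id>' line."""
    address: str
    track_id: int


@dataclass(frozen=True)
class BypassMember:
    """One 'bypass group <g> dev <d> slot <s> [track <id>]' line."""
    group: int
    slot: int
    track_id: Optional[int] = None


# route-map pbr-upload from section 3.2.16, in configured order.
PBR_UPLOAD: List[NextHop] = [
    NextHop("19.1.1.2", 100), NextHop("19.1.1.3", 200),
    NextHop("19.1.1.4", 300), NextHop("19.1.1.5", 400),
]

# bypass group lines from the section 3.2.17 example.
BYPASS_GROUPS: List[BypassMember] = [
    BypassMember(group=1, slot=7),
    BypassMember(group=2, slot=6, track_id=6),
    BypassMember(group=2, slot=5, track_id=5),
]


def select_next_hop(route_map: List[NextHop], tracks: TrackState) -> Optional[str]:
    """Return the first next hop whose track is up, in configured order.
    None means no MSC-ED next hop is reachable, so the PBR entry does not
    apply and the packet falls back to the normal routing table."""
    for hop in route_map:
        if tracks.get(hop.track_id, False):
            return hop.address
    return None


def group_abnormal(members: List[BypassMember], tracks: TrackState) -> bool:
    """A detection group is abnormal only when ALL its members are abnormal.
    Assumption (not stated on the page): a member without a track ID cannot
    be probed and is counted as normal, so it never makes its group abnormal."""
    if not members:
        return False
    return all(m.track_id is not None and not tracks.get(m.track_id, False)
               for m in members)


def bypass_state(members: List[BypassMember], tracks: TrackState) -> bool:
    """True when the switch should be in the bypass state: any detection
    group abnormal.  It returns to the non-bypass state once every group
    has recovered."""
    groups = sorted({m.group for m in members})
    return any(group_abnormal([m for m in members if m.group == g], tracks)
               for g in groups)


if __name__ == "__main__":
    # Constructed scenario: card in slot 5 unreachable, slot 6 healthy.
    tracks = {5: False, 6: True, 100: False, 200: True, 300: True, 400: True}
    print("upload next hop:", select_next_hop(PBR_UPLOAD, tracks))   # 19.1.1.3
    print("bypass:", bypass_state(BYPASS_GROUPS, tracks))            # False
    tracks[6] = False   # both cards of group 2 down -> bypass engaged
    print("bypass:", bypass_state(BYPASS_GROUPS, tracks))            # True
```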

 

3.2.18 DHCP Support

Working Principle

The DHCP server is deployed on the RG-N18000 and sends notification messages to the RG-N18000. Web-authenticated users are forced offline when the DHCP address is released.

Configuration example

Ruijie#conf

Enter configuration commands, one per line.  End with CNTL/Z.

Ruijie(config)# web-auth dhcp-server check


Note:

Because the dhcp-guard command configures rate limiting based on five MAC addresses by default, you need to make adjustments manually.

1.       Check the threshold.

Ruijie#show nfpp dhcp-guard summary

(Format of column Rate-limit and Attack-threshold is per-src-ip/per-src-mac/per-port.)

Interface  Status  Isolate-period  Rate-limit  Attack-threshold

Global     Enable  0               -/5/1200    -/10/1500

Maximum count of monitored hosts: 20000

Monitor period: 600s

 

2.       Change the threshold of nfpp dhcp-guard Rate-limit per-src-mac to that of nfpp dhcp-guard Rate-limit per-port.

Recommended configuration:

N18K #sh run | be nfpp

nfpp

 dhcp-guard rate-limit per-src-mac 8000

 dhcp-guard attack-threshold per-src-mac 8000

 

3.2.19 IPoE

3.2.19.1  IPoE Perception-free Authentication

Working Principle

When a user connects to the Internet for the first time, the user must perform Web authentication. After Layer 3 forwarding, the packet does not contain the MAC address of the user's terminal. Therefore, the MAC addresses of terminals must be obtained by other means during initial authentication. After the DHCP monitoring function is enabled, all DHCP packets are copied to generate DHCP snooping entries. Then the DHCP snooping function is used to provide entry notifications.

The RG-N18000 learns the association between IP address and MAC address through DHCP snooping. When the Web authentication server generates user entries used for authentication, it needs to query the MAC addresses of terminals based on their IP addresses and encapsulate the MAC addresses used for authentication. (The server background can bind MAC addresses with usernames only after the server obtains the MAC addresses.)

When a user performs authentication by clicking the portal link in Favorites, the Web authentication server, after receiving a portal authentication request, obtains the user's MAC address based on the IP address contained in the request, in order to create a user entry.

When the user applies for DHCP upon subsequent access to the Internet, IPoE authentication is triggered, whereby the MAC address contained in the DHCP request is used as the username and password. After authentication, the Web authentication server delivers a route to permit the user entry.

Configuration example:

1.      Run the ip dhcp snooping monitor command in global configuration mode.

2.      Run the ipoe-auth enable command on the port configured with Web authentication control.

3.      In the scenario where the gateway mode is used and the DHCP server is located on the RG-N18000, because the IPoE controlled port is different from the interface learned by DHCP snooping entries, you need to run the following command to configure interface binding for IPoE authentication:

ipoe-auth binding source interface xxx destination interface yyy

source indicates the interface learned by DHCP snooping, and destination indicates the IPoE controlled port.

Note:

IPoE perception-free authentication is only applicable in the scenario where the DHCP server is located on the RG-N18000 or the RG-N18000 is connected in the uplink direction.

[Important] When IPoE is implemented in Layer 3 scenarios, you can only configure an AAA method list; you cannot configure dot1x.

3.2.19.2  Escape Function

The escape function takes effect for IPoE users when the RADIUS server fails.

Working Principle

- The test account of the RADIUS server can be configured on the RG-N18000 for server detection. The RG-N18000 triggers RADIUS escape when it detects that the RADIUS server is unreachable or cannot interact properly with the server. When new users trigger authentication, the RG-N18000 returns a successful result without password verification.

- When the RADIUS server recovers, packet exchange using the test account is restored, allowing the RG-N18000 to determine that the RADIUS server is normal and disable the escape function.

- If the test account is not configured on the RG-N18000, the RG-N18000 determines whether the RADIUS server is abnormal according to the exchange of authentication packets. The RG-N18000 enables the escape function when it detects that the RADIUS server is abnormal. However, when the RADIUS server recovers, the RG-N18000 cannot restore the server status.

After you run the ipoe-auth enable command in interface configuration mode, run the ipoe-auth critical command to enable authorization for new authenticated users when the RADIUS server is unreachable.

In addition, run the ipoe-auth critical recovery action reinitialize command. If the escape function is enabled on a port, authenticated users on the port can access the Internet without re-authentication after the RADIUS server recovers. The RG-N18000 initiates authentication only to users authenticated in escape mode while the RADIUS server was inaccessible.

3.2.20  Intranet Authentication without the MSC-ED Card

The packet forwarding process for Layer 3 authentication with the MSC-ED card is as follows: After packets are transferred over the authentication VRF route, traffic is diverted to the MSC-ED card for accounting and traffic policy implementation; then the traffic is diverted to the RG-N18000 for forwarding over the VRF0 route.

1.      When a packet enters the RG-N18000 over the authentication-enabled port and is then forwarded over the authentication VRF route, the RG-N18000 queries the host routing table by SIP. If the host routing table does not have a matching entry, the packet is matched with the FP entry. Then Web authentication is performed. After the user passes authentication, a SIP authentication routing entry is delivered to the routing table.

2.      If the host routing table has a matching entry, the packet is matched with the FP entry and forwarded to the MSC-ED card for accounting and traffic policy implementation.

3.      The MSC-ED card forwards the packet to the RG-N18000, which then forwards the packet over a regular route.

In the general education sector, authentication is required for access between different schools. Layer 3 authentication can be considered as intranet authentication, but such an authentication scenario does not have the MSC-ED card. For this reason, intranet authentication cannot be performed based on the traffic diversion mechanism applicable to the MSC-ED card. In this case, packet forwarding must be enabled for the authentication VRF route.

Working Principle

1.      When authenticated users access the extranet without the MSC-ED card, packets are forwarded to the extranet based on the default next hop specified by PBR.

2.      After an intranet user passes authentication, the RG-N18000 delivers an authentication route prefixed with the user's IP address. The RG-N18000 queries the routing module to obtain the route's egress (next hop) and sets the complete route to the hardware. The route has a higher priority than the route with the default PBR-specified next hop.

3.      When a user accesses an intranet, the packet is forwarded by matching an authentication route entry on the hardware.

4.      Because packets are forwarded by matching authentication route entries during the intranet access authentication process when the MSC-ED card is not used, a CLI command is provided to determine whether to enable the RG-N18000 to change the forwarding mode from traffic diversion (when the MSC-ED card is used) to authentication routing.

Configuration example:

N18K(config)#auth-route forward

This operation will make smaller capacity and clear all users. Are you sure to continue? (Y/N)y

 

The following table lists the impact on the original solution after forwarding is enabled in authentication routing mode. (Only core scenarios are considered, and intranet access authentication is not required in transparent transmission mode.)

Scenario: Intranet access authentication not required; MSC-ED card available

Description: Extranet traffic is diverted to the MSC-ED card through PBR.

Result: No impact. Supported capacity: 10,000 online terminals. You are advised to disable forwarding in authentication routing mode.

Scenario: Forwarding during the intranet access authentication process; MSC-ED card available

Description: Extranet traffic and intranet traffic are diverted to the MSC-ED card through PBR. (The route specified by PBR has a higher forwarding priority than regular routes.)

Result: No impact. Supported capacity: 10,000 online terminals. You are advised to disable forwarding in authentication routing mode.

Scenario: Intranet access authentication not required; MSC-ED card not available

Description: Extranet traffic is forwarded to the next hop specified by PBR.

Result: No impact. Supported capacity: 10,000 online terminals. You are advised to disable forwarding in authentication routing mode.

Scenario: Forwarding during the intranet access authentication process; MSC-ED card not available

Description: Extranet traffic is forwarded to the default next hop specified by PBR. Intranet traffic is forwarded to the next hop.

Result: Forwarding in authentication routing mode must be supported at Phase 4.

Table: Evaluation of the impact on the original solution caused by forwarding in authentication routing mode.

Note:

The RG-N18000 supports 10,000 users during forwarding in authentication routing mode.


3.2.21  IP-Portal Mapping

The roles that take part in the AAA process include users, the NAS, AAA server, and portal server. In the actual environment, authentication is enabled on a single interface but multiple portal servers are deployed due to server performance limits. Therefore, Layer 3 authentication supports the multi-portal-server feature. Packets are forcibly sent to the specified portal server according to users' SIP information, and that portal server pushes the Web authentication page to users. In this way, packets can be distributed to different portal servers, reducing the traffic burden on a single server.

 

Implementation process:

1.      Configure a template for the Web authentication module and bind the template to the portal server and the RADIUS authentication and accounting server. If you do not configure the server explicitly, the default RADIUS server is bound.

2.      Bind SIP to the template ID for the Web authentication module. Different SIP records can be bound to the same template ID or different template IDs.

3.      The Web authentication module delivers the SIP-template ID binding relationship to the SS module.

4.      A user opens Internet Explorer and initiates an HTTP request for accessing a website.

5.      The NAS intercepts the HTTP request, and the SS registers the kernel packet reception/transmission interface and determines that authentication is enabled on the packet ingress. Because the user is not authenticated, the SS fills in the DSCP field of the packet with the corresponding template ID according to the SIP information of the packet, and forwards the packet to the Web authentication module of the NAS.

6.      The Web authentication module determines that authentication is enabled on the port that receives the packet. Then it parses the DSCP field of the HTTP packet to obtain the template ID bound to the portal server, and forwards the packet to the specified portal server. The Web authentication module adds related parameters to the portal URL. For parameter details, see the description of CHAP authentication.

7.      The portal server pushes the Web authentication page to the user.

8.      The user fills in an account name, password, and other information on the authentication page, and then submits the information to the portal server.

9.      The portal server submits the account name and password to the NAS in order to initiate authentication.

10.    The NAS sends the account name and password to the RADIUS server bound with the template ID for authentication. The RADIUS server determines user validity according to the user information, and then returns the RADIUS access-accept/reject response to the NAS.

11.    The NAS returns the authentication result to the portal server.

12.    The portal server pushes a page containing the authentication result to the user.

13.    The portal server returns a response to the NAS to indicate the reception of the authentication result.

14.    The NAS sends a Start Accounting packet.

Quick configuration case:

 

Configuration example:

Configure the RADIUS authentication and accounting server as follows:

aaa group server radius xjd1

server 192.168.1.13

aaa group server radius xjd3

server 192.168.1.25

aaa accounting network default start-stop group xjd3

aaa authentication web-auth default group xjd3   >>> Configure the default RADIUS server named xjd3.

aaa accounting network xjd1 start-stop group xjd1

aaa authentication web-auth xjd1 group xjd1   >>> Configure the RADIUS server named xjd1.

 

 

Configure multiple templates as follows:

web-auth template eportalv2

ip 172.18.105.9

url http://172.18.105.9:8080/eportal/index.jsp

web-auth template t1 v2

ip 172.18.105.11

url http://172.18.105.11:8080/eportal/index.jsp

authentication xjd1  

accounting xjd1

 

Bind the t1 template to the portal server 172.18.105.11 and to the RADIUS server 192.168.1.13 named xjd1.

web-auth template t2 v2

ip 172.18.105.12

url http://172.18.105.12:8080/eportal/index.jsp

 

Bind the t2 template to the portal server 172.18.105.12 and to the default RADIUS server 192.168.1.25 named xjd3.

 

(Mandatory) Delete ports other than HTTP port 80 as follows (the IP mapping feature only supports HTTP port 80, but the RG-N18000 enables HTTP port 80 and HTTP port 443 by default):

no http redirect port 443

 

Configure mapping rules as follows:

web-auth mapping 1 ip-mapping 102.0.0.0 255.0.0.0 template t1

web-auth mapping 1 ip-mapping 104.0.0.0 255.0.0.0 template t2

 

Apply the IP mapping feature and enable authentication on a port as follows:

The HTTP request packets that match the IP mapping rules are forcibly forwarded to the portal server associated with the corresponding template. (Packets with SIP in the 102.0.0.0/8 network segment are forcibly forwarded to the portal server bound with the t1 template, and the xjd1 RADIUS server bound with the t1 template implements authentication and accounting. Packets with SIP in the 104.0.0.0/8 network segment are forcibly forwarded to the portal server bound with the t2 template, and because t2 is not bound with a RADIUS server, the default xjd3 RADIUS server implements authentication and accounting.) Packets with SIP in other network segments are forcibly forwarded to the portal server bound with the default eportalv2 template, and the default xjd3 RADIUS server implements authentication and accounting.

interface GigabitEthernet 3/5
 switchport access vlan 2
 web-auth apply-mapping 1              //Apply the mapping rules on the port.
 web-auth enable eportalv2

 

Note:

The IP-portal mapping feature has the following restrictions in the scenario where users perform authentication by clicking the portal link in Favorites:

1.       Only the default template-bound RADIUS server is supported in the scenario where users with static IP addresses perform authentication by clicking the portal link in Favorites.

The reasons are as follows:

l  A user clicks the portal link in Favorites and submits the user's account name and password to the portal server. Because the packet does not enter the authentication port of the NAS, the SS module of the NAS does not change the DSCP value of the packet. The Web authentication module does not know the authentication port associated with the packet and therefore cannot obtain the template bound with the authentication port.

l  The portal server submits the account name and password to the NAS in order to initiate authentication.

l  The NAS sends the account name and password to the default RADIUS server because it cannot obtain the template.

l  In the case that the IP mapping rules are applied on the authentication port and the template is bound with a non-default RADIUS server, the default RADIUS server determines that the user is invalid because it does not store the user's account name and password, causing an authentication failure.

2.       When users with dynamic IP addresses perform Layer 3 authentication in gateway mode, the DHCP-learned interface must be bound to the Web controlled port. In this way, when users click the portal link in Favorites, the users can obtain the Web controlled port according to the interface for DHCP address allocation and then obtain the correct template and the bound RADIUS server according to the Web controlled port.

The command is webbinding source interface xxx destination interface yyy, in which xxx indicates the DHCP-learned interface and yyy indicates the Web controlled port.
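The following is an added example, not Ruijie code: it models how the NAS selects the web-auth template, portal server and RADIUS server group from the web-auth mapping rules configured above, and reproduces the Favorites-link failure described in the note (the credentials reach the NAS without authentication-port context, so only the default template and default RADIUS group can be used). The addresses and group names are the page's; the client addresses and the per-group user database are constructed.

```python
"""Added example (not Ruijie code): model of web-auth template selection from
'web-auth mapping' rules, plus the 'portal link in Favorites' failure mode.
Addresses and group names are the page's; the user database is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Template:
    name: str
    portal_url: str
    authentication: Optional[str] = None  # RADIUS group; None = use the default group


@dataclass
class MappingRule:
    network: ipaddress.IPv4Network
    template: str


# 'web-auth template ...' configuration from the page.
TEMPLATES = {
    "eportalv2": Template("eportalv2", "http://172.18.105.9:8080/eportal/index.jsp"),
    "t1": Template("t1", "http://172.18.105.11:8080/eportal/index.jsp", "xjd1"),
    "t2": Template("t2", "http://172.18.105.12:8080/eportal/index.jsp"),
}
DEFAULT_TEMPLATE = "eportalv2"      # 'web-auth enable eportalv2' on the port
DEFAULT_RADIUS_GROUP = "xjd3"       # 'aaa authentication web-auth default group xjd3'


def parse_mapping(line):
    """Parse 'web-auth mapping <id> ip-mapping <network> <mask> template <name>'."""
    t = line.split()
    if len(t) != 8 or t[0:2] != ["web-auth", "mapping"] or t[3] != "ip-mapping" or t[6] != "template":
        raise ValueError(f"not an ip-mapping rule: {line!r}")
    return int(t[2]), MappingRule(ipaddress.ip_network(f"{t[4]}/{t[5]}"), t[7])


MAPPING_1 = [parse_mapping(line)[1] for line in (
    "web-auth mapping 1 ip-mapping 102.0.0.0 255.0.0.0 template t1",
    "web-auth mapping 1 ip-mapping 104.0.0.0 255.0.0.0 template t2",
)]


def select_template(sip, rules):
    """Template for a client whose HTTP request arrives on the port with the mapping applied."""
    addr = ipaddress.ip_address(sip)
    for rule in rules:              # first matching rule wins
        if addr in rule.network:
            return rule.template
    return DEFAULT_TEMPLATE


def resolve(sip, rules, via_auth_port=True):
    """Return (portal_url, radius_group) the NAS will use for this client.

    via_auth_port=False models a user who submits credentials by clicking the
    portal link in Favorites: the packet never crosses the authentication port,
    so the NAS cannot find the port's template and falls back to the default."""
    name = select_template(sip, rules) if via_auth_port else DEFAULT_TEMPLATE
    tpl = TEMPLATES[name]
    return tpl.portal_url, tpl.authentication or DEFAULT_RADIUS_GROUP


def login_succeeds(sip, rules, username, user_db, via_auth_port=True):
    """user_db maps a RADIUS group to the usernames it stores (constructed).
    A login fails when the group the NAS actually consults does not know the user."""
    _, group = resolve(sip, rules, via_auth_port)
    return username in user_db.get(group, set())


if __name__ == "__main__":
    users = {"xjd1": {"alice"}, "xjd3": {"bob"}}   # constructed accounts
    for sip, user in (("102.1.2.3", "alice"), ("104.1.2.3", "bob")):
        print(sip, user, "redirect:", resolve(sip, MAPPING_1),
              "favorites login ok:", login_succeeds(sip, MAPPING_1, user, users, via_auth_port=False))
```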

3.3       MSC-ED Configuration

3.3.1     (Mandatory) Attack Prevention Configuration

The function of Web authentication attack prevention is used to discard packets that exceed the rate limit in the case of an authentication attack, in order to prevent other users from being unable to perform authentication for Internet access when the switch is attacked.

Configuration example: Ruijie(config)#webauth-rate xx xx   //rate limit per user

 

Forwarding Attack Prevention

1.       Connection limit

In the case of virus infection or an attack, an IP address may initiate many connections, causing resource depletion on the MSC-ED card (which supports up to 8,000,000 connections). Therefore, the number of connections must be limited in the actual environment. It is recommended that the connection limit be set in the range 3,000 to 12,000 for PCs and smaller than 200,000 for servers. (The specific connection limit for a PC depends on whether the PC has tethering or other behaviors. After configuration, you can check the number of IP connections to determine whether to increase the connection limit.) Because the connection limit varies greatly between PCs and servers, two policies are configured (the latter policy takes effect first):

(a)     For all users (PCs), set the connection limit in the range 3,000 to 12,000 per IP address.

(b)     For the specified user group (all servers are added to the user group), set the connection limit in the range 200,000 to 500,000 per IP address.

Note:

l  The connection limit per IP address is only supported on the user basis.

l  The connection limit takes effect only for real IP addresses (which are used for TCP connection setup). To prevent attacks that use forged IP addresses to send non-TCP packets, configure a new flow session strategy, as shown in the following figure.

2.       Global new connection limit

The preceding description introduces a type of attack that depletes resources by setting up many connections from an IP address. Another type of attack targets forwarding performance by setting up many connections within a short time. For a connection to be set up, all enabled function modules need to match the full policy set, which greatly consumes forwarding performance. If many connections are set up within a short time, the performance of the MSC-ED card will become unstable, affecting the Internet access experience. You can limit the number of new connections to prevent this type of attack.

Steps for configuring a new connection limit:

1)      Default global configuration

For simplified configuration, the MSC-ED card delivers default parameters, as shown in the following figure.

Note:

l  Virtual hosts refer to IP addresses without a TCP connection. Except for DNS servers, regular devices set up TCP connections. Therefore, the related configurations have the effect of IP spoofing protection.

l  It is recommended that the new connection limit for PCs be set in the range 50 to 300. The default value 2,000 is the new connection limit for university servers.

(1)     Configuration per IP address

You can configure the new connection (session) limit for a single IP address to meet the new connection requirements of particular devices and forcibly specify the IP address as a real IP address (after which TCP connection setup is not required for the IP address). Then you can apply the new connection limit to the real IP address.

3.       Local attack prevention

To prevent attacks at the management layer (for example, heavy traffic sent to the management IP address), you can enable local attack prevention to ensure normal telnet and Web functions. You can configure rate limiting for the traffic sent to the management layer and set IP addresses exempt from rate limiting. The following figure shows the configuration interface. The IP address 1.1.1.1 is not rate-limited.

After flood attack prevention is enabled, an ACL is delivered, in which the deny section contains the protocols exempt from rate limiting, including routing protocols, UDP packets for DNS resolution and NTP, and TCP packets related to the telnet and Web functions.

ip access-list extended 2397
 10 deny ospf any any
 20 deny 112 any any
 30 deny udp any eq domain any
 40 deny udp any eq ntp any
 50 deny tcp any any eq telnet
 60 deny tcp any any eq www
 1000 permit ip any any
 list-remark //Local attack prevention
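The following is an added example, not Ruijie code: it parses the access list delivered for local attack prevention and classifies packets addressed to the management plane. The entries and their meaning come from the page (a deny entry marks traffic exempt from rate limiting; the trailing permit ip any any catches everything that is rate-limited), so it also shows which traffic the ACL does not exempt, such as DNS queries sent to the switch or SSH. Only "any" addresses are handled, which is all this ACL uses; the sample packets are constructed.

```python
"""Added example (not Ruijie code): parse the local-attack-prevention ACL from
the page and decide whether a management-plane packet is rate-limited.
Entry text is the page's; the sample packet headers are constructed."""
from dataclasses import dataclass
from typing import Optional

ACL_TEXT = """\
ip access-list extended 2397
10 deny ospf any any
20 deny 112 any any
30 deny udp any eq domain any
40 deny udp any eq ntp any
50 deny tcp any any eq telnet
60 deny tcp any any eq www
1000 permit ip any any
"""

# IP protocol names used in the ACL ('112' is the VRRP protocol number; 'ip' matches any).
PROTOCOLS = {"ospf": 89, "udp": 17, "tcp": 6, "ip": None}
PORTS = {"domain": 53, "ntp": 123, "telnet": 23, "www": 80}


@dataclass
class Entry:
    seq: int
    action: str                 # 'deny' (exempt) or 'permit' (rate-limited)
    proto: Optional[int]        # None = any IP protocol
    src_port: Optional[int]     # None = any
    dst_port: Optional[int]


def _proto(token):
    if token in PROTOCOLS:
        return PROTOCOLS[token]
    if token.isdigit() and 0 <= int(token) <= 255:
        return int(token)
    raise ValueError(f"unknown protocol {token!r}")


def _port(tokens, i):
    """If tokens[i:] starts with 'eq <port>', return (port, index after it)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORTS[name] if name in PORTS else int(name)), i + 2
    return None, i


def parse_entry(line):
    """'<seq> <deny|permit> <proto> any [eq <port>] any [eq <port>]'."""
    t = line.split()
    seq, action = int(t[0]), t[1]
    if action not in ("deny", "permit"):
        raise ValueError(f"bad action in {line!r}")
    proto = _proto(t[2])
    if t[3] != "any":
        raise ValueError("this example only handles 'any' source addresses")
    src_port, i = _port(t, 4)
    if t[i] != "any":
        raise ValueError("this example only handles 'any' destination addresses")
    dst_port, i = _port(t, i + 1)
    if i != len(t):
        raise ValueError(f"trailing tokens in {line!r}")
    return Entry(seq, action, proto, src_port, dst_port)


def parse_acl(text):
    """Return the numbered entries in sequence order; header and remark lines are skipped."""
    entries = [parse_entry(line) for line in text.splitlines() if line[:1].isdigit()]
    return sorted(entries, key=lambda e: e.seq)


def matches(e, proto, sport, dport):
    return ((e.proto is None or e.proto == proto)
            and (e.src_port is None or e.src_port == sport)
            and (e.dst_port is None or e.dst_port == dport))


def rate_limited(acl, proto, sport=None, dport=None):
    """True if a packet with these headers is subject to management-plane rate
    limiting: the first matching entry decides, and 'permit' means limited."""
    for e in acl:
        if matches(e, proto, sport, dport):
            return e.action == "permit"
    return False   # implicit deny: exempt (not reached with the trailing permit)


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    samples = [("DNS reply", 17, 53, 40123), ("DNS query", 17, 40123, 53),
               ("telnet", 6, 50000, 23), ("SSH", 6, 50000, 22), ("ICMP", 1, None, None)]
    for name, proto, sport, dport in samples:
        print(f"{name:10s} rate-limited: {rate_limited(acl, proto, sport, dport)}")
```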

 

3.3.2      (Mandatory) Access Mode and Interface Configuration

Access mode

1)      Overview

You can select the gateway mode or the bridge mode as the access mode based on your needs.

In gateway mode, all network interfaces are Layer 3 interfaces, and packets are forwarded based on a routing table.

In bridge mode, all network interfaces are Layer 2 interfaces, and packets are forwarded based on a bridge mapping table. Packets that are forwarded normally will not be modified.

(1)     Access mode selection

Log in to the Web management interface of the MSC-ED card, and choose Network > Interface > Operation Mode.

Interface Configuration

(1)      Configuration in gateway mode

The MSC-ED card in gateway mode has four Layer 3 interfaces, one of which is a management interface and the other three are 10-GB interfaces.

(a)    Management interface configuration

The management interface is used to manage the MSC-ED card. You only need to configure an IP address and a gateway address on the interface.

Log in to the Web management interface of the MSC-ED card, and choose Network > Interface > Basic Interface Setting.

 

 

(b)    10-GB interface configuration

The 10-GB interfaces are Layer 3 interfaces. You can configure IP addresses, NAT, PBR, and other routing functions on the interfaces.

Log in to the Web management interface of the MSC-ED card, and choose Network > Interface > Basic Interface Setting.

 

2)      Configuration in bridge mode

The MSC-ED card in bridge mode has a management interface and three 10-GB interfaces. The management interface is a Layer 3 interface used to manage the MSC-ED card, whereas the 10-GB interfaces are Layer 2 interfaces used to configure a bridge mapping table and implement bridge forwarding.

a)       Management interface configuration


 

b)       Bridge mapping table configuration

The MSC-ED card has three 10-GB interfaces; therefore, up to two bridge mapping tables can be configured.

Log in to the Web management interface of the MSC-ED card, and choose Network > Interface > Basic Interface Setting. You can configure two bandwidth lines (that is, bridge mapping tables).

Note:

The first bandwidth line requires two 10-GB interfaces and supports two operation modes:

l  In bridge forwarding mode, the MSC-ED card implements the following functions on incoming packets: traffic recognition, traffic blocking, flow control, and traffic audit.

l  In software bypass mode, the MSC-ED card collects statistics on incoming and outgoing packets on interfaces, and then forwards the packets directly.

The second bandwidth line requires only one 10-GB interface and only supports the single-interface bridge mode.

In single-interface bridge mode, the interface does not forward packets, but is only used to exchange accounting data. It is different from the management interface.

Special attention: In both gateway mode and bridge mode, the TenG0/3 interface of the MSC-ED card is designed to exchange data with the RG-N18000. IPFIX support is enabled by default.

3.3.3     (Mandatory) RG-N18000 Correlation and IPFIX Configuration

Enabling correlation between the MSC-ED card and the RG-N18000 is a key configuration step.

IPFIX configuration example:

1.       Exempt the 10.0.0.0/8 network segment allocated to teachers from accounting.

2.       Implement accounting for other network segments.

Step 1: Add teachers to an IP object group.

Step 2: Configure Policy 1 and set Traffic Type to China Unicom.

Step 3: Configure Policy 2, and set Source IP Group (network segment for teachers) to 1 and Traffic Type to Accounting-exempt.

Step 4: Check the configured policies. (The policy on top is matched preferentially.)

3.3.4     (Mandatory) Clock Synchronization Configuration

Clock synchronization must be configured for the MSC-ED card to maintain clock consistency with the background and thus ensure proper accounting.

1.       Configure the time zones of the RG-N18000 and the MSC-ED card to be consistent. (The time zone of the MSC-ED card is managed by the SNTP server.)

Configuration example: clock timezone dongba +8 0

Configure the NTP master on the RG-N18000.

Configuration example: ntp master 8

2.       Configure the NTP function on the MSC-ED card (applicable to the CLI version).

sntp interval 60

sntp server xxx.xxx.xxx.xxx  //The address is the address of the RG-N18000.

sntp enable

 

3.       Configure the NTP function on the MSC-ED card (applicable to the Web version).

The following figure shows how to configure the data management interface of the MSC-ED card. The interface is used for accounting information transfer and clock synchronization.

The following figure shows how to configure the SNTP Web function of the MSC-ED card.

 

3.3.5      URL Audit Configuration

Overview

URL audit is intended to monitor and record the website access behaviors of intranet users.

 

Working Principle

URL, short for uniform resource locator, is also called the Web address.

The URL audit function can recognize the URL contained in the HTTP header in data streams. After you enable this function, you can extract user information and the URLs accessed by users in order to record the users' website access behaviors. If this function is not enabled, such information is not recorded.

 

Configuration Steps

Log in to the Web management interface of the MSC-ED card and choose Flow Control > URL audit.

After you enable URL audit, the MSC-ED card performs auditing of intranet users' website access behaviors.

Note:

Because the MSC-ED card does not have a hard disk, URL audit logs cannot be stored locally but must be sent to a log server.

You can connect the MSC-ED card to the eLog server, and you only need to set the server IP address and use the default Port 20000, as shown in the preceding figure.

 

3.3.6      Traffic Monitoring Configuration

I. Requirements

l  Intranet users can access the Internet only after real-name authentication.

l  Flow control must be implemented to limit the bandwidth of intranet users.

l  Set the maximum upload bandwidth to 100 kbps and the maximum download bandwidth to 100 kbps for real-name users.

 

II. Configuration Tips

Real-name flow control is based on the usernames used for authentication, not on IP addresses.

Because the flow control effect is related to the actual egress bandwidth, the actual egress bandwidth must be confirmed.

 

III. Configuration Steps

Choose Flow Control and click New Policy to configure a policy used to limit the download speed of real-name users. The steps are as follows:

(1)     Select an interface and set a policy name.

(2)     Select the traffic entrance channel, and set the guaranteed bandwidth (CIR), maximum bandwidth (PIR), and other information. You can also select No rate limit or Drop.

(3)     Select the type of real-name users for association.

(4)     Set the effective time. You can leave this parameter as it is.

(5)     Check the configured policy.

The SAM+ server implements rate limiting based on user names. When the data of a user named Yang Lin enters the MSC-ED card, the policy automatically takes effect.

IV. Verification

The rate of users is limited to about 100 kbps.

 

3.4      SAM+ Support Configuration

3.4.1     (Mandatory) SAM+ Support Configuration

1.       Log in to the SAM+ management page, choose System > Device to add the IP address of the RG-N18000. The gateway mode must be enabled.

2.      Because the source MAC addresses for egress gateway authentication are the same, choose System > System Settings and select Not Enable for MAC Exclusive Safeguard.

3.      For other settings, see the simplified network configuration.

 

3.4.2      Billing Policy Configuration

Steps:

1.       Log in to the SAM+ management page.

2.       Choose Billing > Billing Policy, select Internet Traffic Billing, and click Add.

3.       Select Enable Cumulative Segment Charging.

4.       Choose Billing > Billing Policy, select Custom, and click Add.

5.       Configure a segment billing policy.

6.        Associate the billing policy with a package.

7.       Add the users who subscribe to the package to the user template.

 

3.4.3      SMP Server Configuration

SMP server configuration differences

The SMP server also delivers authentication and accounting policies to users connected to the MSC-ED card. Different from the SAM+ server, the SMP server does not deliver the user group attribute field. After users pass authentication, the MSC-ED card cannot rate-limit user groups based on the negotiated field.

Solution: Configure the filter id field on the SMP server.

 

Step 1: Configure RADIUS attribute authorization.

Step 2: Add the filter id field, define the attribute name, and set the attribute number to 11.

Step 3: Associate the user template with the filter-id attribute.

 

3.4.4      Accounting Update

The accounting update function is used to synchronize online user information between the RG-N18000 and the SAM server. When online user information is available on the RG-N18000 but not available on the SAM server, the RG-N18000 sends an accounting update packet to the SAM server. When the SAM server checks that a user has no online information, it forces the user offline.

SAM server configuration:


Typical Configuration

4.1       Overall Solution

4.1.1     Networking Mode

To understand the onsite condition and develop deployment requirements,we need to understand the overall solution.

Note 1:

l  In the Layer 2 solution, the MSC-ED card cannot be used in conjunction with the WS and FW cards.

l  In the Layer 3 solution, the MSC-ED card can be used in conjunction with other service cards.

Note 2:

l  The Layer 2 solution requires the MSC-ED card and the RG-N18000 to be serially connected as a whole to the network.

l  In the Layer 3 solution, the MSC-ED card is deployed independently on a network device in PBR traffic diversion mode.

Note 3:

In the Layer 2 solution, the MSC-ED integrated device has two types of structural combination: Layer 2 policy-based traffic diversion and port mirroring. The following figure shows the MSC-ED integrated device.

The following figure shows the MSC-ED card deployed in bypass mode.

The following figure shows the MSC-ED card deployed in mirror mode.

4.1.2      Functional Differences between the Bridge Mode and Gateway Mode

To understand the onsite condition and develop deployment requirements, we need to understand the overall solution.

1.       Combination forms:

Traffic diversion in bridge mode (Layer 2): The RG-N18000 chassis and the MSC-ED card are bundled for sale, and the MSC-ED card cannot be used in conjunction with the WS and FW cards.

Traffic diversion in gateway mode (Layer 3): The MSC-ED card is deployed as an independent component and can be used with the RG-N18000 of the corresponding version.

2.       Difference in terms of service flow:

Traffic diversion in bridge mode (Layer 2): The traffic that enters the MSC-ED card is Layer 2 traffic.

Traffic diversion in gateway mode (Layer 3): The traffic that enters the MSC-ED card is Layer 3 traffic.

3.       Difference in terms of traffic diversion

Traffic diversion in bridge mode (Layer 2): The internal bypass mode is implemented through Layer 2 ACL-based redirection. Traffic diversion is completed using the PATH command.

Traffic diversion in gateway mode (Layer 3): The internal bypass mode is implemented through Layer 3 PBR.

4.       Switchover when a port is down due to a hardware fault

Traffic diversion in bridge mode (Layer 2): The MSC-ED card is suspended when a port is down due to a hardware fault. Traffic is flooded out from the correct VLAN. Accounting fails. Then traffic is restored automatically.

Traffic diversion in gateway mode (Layer 3): The MSC-ED card is suspended when a port is down due to a hardware fault. PBR and accounting fail. Then traffic is restored automatically.

5.       Switchover when a port is up following a hardware fault

Traffic diversion in bridge mode (Layer 2): The MSC-ED card is suspended when a port is up following a hardware fault. The OBS is configured with the automatic bypass function. Traffic is flooded out from the correct VLAN. Accounting fails. Then traffic is restored automatically.

Traffic diversion in gateway mode (Layer 3): The MSC-ED card is suspended when a port is up following a hardware fault. The DLDP detection function is configured. PBR and accounting fail. Then traffic is restored automatically.

6.       Version capability

Phase 2 version (beta version): Only the bridge mode is supported, and the command for configuring the automatic bypass function is complex.

Phase 3 version (formal version): The bridge mode and gateway mode are supported. The command for configuring the Layer 2 automatic bypass function is simplified. Layer 3 Web authentication is supported.

4.2      Layer 2 Bridge Mode Configuration Case

4.2.1     General Configuration Template

To ensure successful initial configuration, the following configuration template is developed for your reference:

I. Network Topology

1.       The configuration template is applicable to Layer 2 bridge mode deployment.

2.       Slot 1 accommodates the relay card, which is used to transfer users' service data and functions as the LAN and WAN egresses for the MSC-ED card.

G1/1 interface: The MSC-ED card stores accounting information in the local database of the RG-N18000 over IPFIX, and the RG-N18000 exchanges data with the SAM+ server and the portal+ server over the G1/1 interface.

T1/45 and T1/46: The MSC-ED card is connected to the RG-N18000 over internal interfaces. The WAN interface relay is AP2.

T1/47 and T1/48: The MSC-ED card is connected to the RG-N18000 over internal interfaces. The LAN interface relay is AP1.

3.       Slot 2 and Slot 3 accommodate two MSC-ED cards, each of which provides 10 Gbps bandwidth in a single direction. Two cards provide 20 Gbps bandwidth. The following figure shows the connection of an MSC-ED card to the chassis.

4.       Data transfer direction

(1)    A user's access request is sent by the user's downlink device to the RG-N18000, and the user performs Layer 2 authentication on the RG-N18000.

(2)    The SAM+ server returns the authentication result to the RG-N18000, which then stores the result in the local database.

(3)    The traffic is diverted to the LAN interface of the MSC-ED card by the Layer 2 PATH (AP1) load balancing function of the RG-N18000.

(4)    The MSC-ED card retrieves authentication information from the database of the RG-N18000 in order to perform flow control on the user.

(5)    The traffic is forwarded by AP2 to the RG-N18000 over the WAN interface of the MSC-ED card, which then uses the IPFIX function to send accounting information over its TenG0/3 interface to the database of the RG-N18000.

(6)    The user is allowed to access partial network resources before authentication. The SAM+ server synchronizes the accounting database with the RG-N18000.

 

5.       Recommended implementation steps

Step 1: preparation

(1)    Obtain the correct versions of the MSC-ED card, RG-N18000, SAM+ server, and ePortal+ server.

Step 2: Implementation on the RG-N18000

(1)     Insert the MSC-ED card, line card, and management board. Upgrade to the corresponding versions.

(2)     On the RG-N18000, shut down the corresponding internal interface of the MSC-ED card used for handling users' service data.

(3)     Configure the NTP server.

(4)     Check that the time of the RG-N18000 is consistent with that of the SAM+ server and the ePortal+ server respectively.

(5)     Configure Web authentication parameters.

(6)     Configure routing parameters.

(7)     Configure traffic diversion.

Step 3: Implementation on the MSC-ED card

(1)     Configure a bridge and a management address.

(2)     Enable the service ports between the RG-N18000and the MSC-ED card.

(3)     Configure time synchronization and ensure that the time of the MSC-ED card is consistent with that of the RG-N18000, SAM+ server, and ePortal+ server respectively.

(4)     Configure RG-N18000 correlation.

(5)     Configure other optional functions of the MSC-ED card.

Step 4: application software implementation

(1)    Add the ePortal+ server and RG-N18000 on the SAM+ server.

(2)    Add the RG-N18000 on the ePortal+ server.

(3)    Configure a traffic-based charging policy.

Step 5: implementation on other devices

(1)      Specify the original traffic diversion scheme and perform configuration based on PBR.

(2)      Check whether the return route for the uplink device is correct.

(3)      Test traffic diversion using an address segment. If no problem is found, divert all traffic.

(4)      Do not modify the uplink device and downlink device. When a problem occurs, shut down the uplink and downlink ports of the RG-N18000 to quickly restore the environment.

(5)      Enable the automatic switchover function.

 

II. Configuration Steps

The configuration template is only applicable to the RG-N18000. For the configuration templates of other devices, see section 4 "Common Functions and Basic Configuration."

aaa new-model
aaa accounting update periodic 15
aaa accounting update
aaa accounting network default start-stop group radius
aaa authorization network default group radius
aaa authentication web-auth default group radius
no aaa log enable
no lldp enable

web-auth portal-escape nokick
web-auth acct-method ipfix
web-auth radius-escape
web-auth portal-check interval 3

ip dhcp pool ABC
 network 49.209.123.0 255.255.255.0
 dns-server 210.27.176.200 210.27.176.66
 default-router 49.209.123.1
ip auth-flow export destination 10.11.2.46 4739
nfpp
 no dhcp-guard enable

web-auth template eportalv2
 ip 10.11.2.47
 url http://10.11.2.47:8080/eportal/index.jsp

ip radius source-interface VLAN 11
radius-server host 10.11.2.46 key ruijie
radius-server dead-criteria time 61 tries 3

ntp master 8
!
ip route 0.0.0.0 0.0.0.0 10.11.2.1
!
offline-detect interval 15 threshold 0

snmp-server community ruijie rw
clock timezone beijing +8 0
!
interface ag1
 description TO_Up_Device
 switchport access vlan 2000
 web-auth enable eportalv2
!
interface ag2
 description TO_Down_Device
 switchport access vlan 2000
!
interface ag3
 switchport access vlan 2000
!
interface ag4
 switchport access vlan 2000
!
msc path vlan 2000 dev-input ag1 dev-output ag2 msc-input ag3 msc-output ag4

 

 

4.2.2      Implementation Case of a Scientific Institute

I. Implementation Preparations

1.       Pre-implementation topology

 

 

2.       Environment and implementation site

a.       The Cisco 6509 (IP address: *.*.16.112) is a core device providing services to the other four campuses (Campus 1, Campus 2, Campus 3, and Campus 4).

b.       The implementation site is located between the core device and the egress, that is, between the Cisco 6509 (IP address: *.*.16.112) and the Srun server in the topology.

c.       The access control mode is Web authentication.

d.       The servers are the SAM+ server, ePortal server,and eLog server.

3.       Preparation of modules and cables

a.       Check whether a single module or multiple modules are used between the core device and the egress device.

b.       Prepare several optical cables.

c.       Logical deployment process

Step 1: Implementation on the RG-N18000 (More details are provided in the following.)

(1)     Insert the MSC-ED card, line card, and management board. Upgrade to the corresponding versions.

(2)     On the MSC-ED card, shut down Interface 6 and Interface 7 connected to the RG-N18000.

(3)     Configure traffic diversion.

(4)     Configure Web authentication parameters.

(5)     Configure the NTP server.

(6)     Check that the time of the RG-N18000 is consistent with that of the SAM+ server and the ePortal+ server respectively.

(7)     Configure routing parameters.

Step 2: Implementation on the MSC-ED card (For details, see section 4 "Common Functions and Basic Configuration.")

(1)     Configure a bridge and a management address.

(2)     Configure time synchronization and ensure that the time of the MSC-ED card is consistent with that of the RG-N18000, SAM+ server, and ePortal+ server respectively.

(3)     Configure RG-N18000 correlation.

(4)     Configure other optional functions of the MSC-ED card.

Step 3: Application software implementation (For details, see section 4 "Common Functions and Basic Configuration.")

(1)      Add the ePortal server and RG-N18000 on the SAM server.

(2)      Add the RG-N18000 on the ePortal server.

(3)      Configure a traffic-based charging policy.

 

II. Actual Deployment Process

The following figure shows the topology after deployment is completed.

 

Topology description:

The RG-N18000 is added between the Cisco 6509 and the Srun server and is connected to the 10-GB optical port of the OBS. The Cisco 6509 is connected to the OBS and then to the RG-N18000 over the OBS. The RG-N18000 is connected to the OBS and then to the Srun server over the OBS. You can run the show interface description command on the RG-N18000 to display related information.

OBS configuration is omitted in this document.

Deployment requirements:

1.       Transfer Web authentication to the RG-N18000.

2.       IP address planning:

a.       Retain the configurations of the original access, aggregation, and core devices, and use the IP addresses planned on the live network.

b.       Configure the core devices in various campuses to work as DHCP servers for allocating IP addresses to all terminals.

3.       Authentication-free host: allows unauthenticated users to access servers and allows particular users to access the network without authentication.

4.       Ensure accurate traffic-based charging for Internet access.

Deployment description:

1.      RG-N18000 deployment

 

Check the operating status as follows:

Check that the noises generated by the RG-N18000 connected to more than 20,000 users do not affect Web authentication performance.


Check the CPU usage.


Check the forwarding performance of the RG-N18000 during peak hours.

 




Check accounting accuracy.


In the preceding figure, the traffic sent by the network adapter is almost the same as the traffic recorded in the accounting system. Note that the downlink traffic is 216,466,046/1,024/1,024 = 206 Mbps, and the uplink traffic is 80,292,036/1,024/1,024 = 76 Mbps.

Implementation Case of a Technology University

I. Network Reconstruction Design

Original authentication network of the university

The preceding figure shows the simplified egress diagram.

1.      Urban hot spots are used as the Web authentication server.

2.      The H3C6108E works as a wireless gateway, and the DHCP server is located on the H3C6108E.

 

Target network after reconstruction

Reconstruction objective: switch partial traffic to the RG-N18000 and enable Web authentication on the RG-N18000.

Reconstruction steps:

Step 1: Create an environment where the SAM server works properly with the RG-N18000 and the MSC-ED card. (This step is described in detail.)

Step 2: Perform cutover of the wireless data stored in the computer center.

Step 3: Observe the authentication process when users go online.

 

II. Implementation

(I) Joint commissioning of the MSC-ED card and the RG-N18000

Networking principle:


Assume that MSC-ED Card 1 is located in Slot 2 and MSC-ED Card 2 in Slot 3 of the RG-N18000. That is, the TenG2/3 and TenG3/3 interfaces of the RG-N18000 correspond to the TenG0/1 interface of the MSC-ED card and the interfaces are equivalent to LAN interfaces; the TenG2/4 and TenG3/4 interfaces of the RG-N18000 correspond to the TenG0/2 interface of the MSC-ED card and they are equivalent to WAN interfaces. The conditions in other slots are similar.

18K Slot2 2/3 -- MSC1 0/1 LAN port
18K Slot3 3/3 -- MSC2 0/1 LAN port
18K Slot2 2/4 -- MSC1 0/2 WAN port
18K Slot3 3/4 -- MSC2 0/2 WAN port

 

 

Step 1: Add TenG2/3 and TenG3/3 to AP1 (LAN).

Step 2: Add TenG2/4 and TenG3/4 to AP2 (WAN).

Step 3: Use the MSC path traffic diversion function to point the inbound interface and outbound interface of the RG-N18000 to the MSC-ED card.

Step 4: Apply the AP load balancing algorithm to the RG-N18000 to make the forward and return paths consistent.

Step 5: Complete the basic configurations of the MSC-ED card.

Step 6: Configure Web authentication on the RG-N18000.

Step 7: Divert user traffic to the RG-N18000.

Step 8: Enable Web authentication and observe the authentication process when users go online.

See the following deployment guide.

 

Deployment guide:

Step 1: Add TenG2/3 and TenG3/3 to AP1 (LAN).

Step 2: Add TenG2/4 and TenG3/4 to AP2 (WAN).

Step 3: Use the MSC path traffic diversion function to point the inbound interface and outbound interface of the RG-N18000 to the MSC-ED card.

Step 4: Apply the AP load balancing algorithm to the RG-N18000 to make the forward and return paths consistent.

 

Configuration example:

Ruijie(config)#int ag 1
Ruijie(config-if)#switchport access vlan 2000
Ruijie(config-if)#aggregateport load-balance src-ip    (Load balance on the source IP address in the uplink direction toward the MSC-ED cards.)
Ruijie(config-if)#exit
Ruijie(config)#int ag 2
Ruijie(config-if)#switchport access vlan 2000
Ruijie(config-if)#aggregateport load-balance dst-ip    (Load balance on the destination IP address in the downlink direction toward the MSC-ED cards. The uplink hashes on the user address as source and the downlink hashes on the same user address as destination, so both directions of a flow select the same card.)
Ruijie(config-if)#exit
Ruijie(config)#msc path vlan 2000 dev-input gi1/8 dev-output gi1/9 msc-input Ag1 msc-output Ag2    (Set the traffic diversion direction: user traffic enters the RG-N18000 on GI1/8 and exits on GI1/9, with Ag1 and Ag2 as the MSC-side input and output.)
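Why Step 4 pairs src-ip on AP1 with dst-ip on AP2: each aggregate port must hash a given user flow onto the member port that leads to the same MSC-ED card, otherwise the card that saw the request never sees the reply and accounting and authentication state are split across cards. The following Python model is added here and is not part of the cookbook or of Ruijie's software; the RG-N18000's real hashing algorithm is not documented on this page, so the octet-sum hash below is an assumed stand-in, and the sample flows are constructed. Member port names and slot numbers follow the mapping given above.

```python
"""
Model of per-direction aggregate-port load balancing: AP1 (LAN) hashes on
src-ip and AP2 (WAN) on dst-ip so that both directions of one flow land on
the same MSC-ED card.

Added example for this cookbook; not Ruijie code. The RG-N18000's real hash
function is not documented here, so the hash below (sum of IPv4 octets modulo
the member count) is an assumed stand-in; the per-direction key selection is
the point being shown.
"""
import ipaddress

# Member ports of the two aggregate ports, in the same order on both sides,
# so that index i of AP1 and index i of AP2 reach the same MSC-ED card.
AP1_MEMBERS = ["TenG2/3", "TenG3/3"]   # LAN side (uplink into the cards)
AP2_MEMBERS = ["TenG2/4", "TenG3/4"]   # WAN side (downlink into the cards)


def model_hash(ip, member_count):
    """Assumed hash: octet sum modulo member count (stand-in for the vendor hash)."""
    return sum(ipaddress.IPv4Address(ip).packed) % member_count


def slot_of(member):
    """TenG<slot>/<port> -> slot number, i.e. the MSC-ED card that port belongs to."""
    return int(member.split("G", 1)[1].split("/", 1)[0])


def hash_key(direction, client_ip, server_ip, policy):
    """Pick the address the AP hashes on for a packet travelling in `direction`."""
    if direction == "uplink":          # client -> Internet: src=client, dst=server
        src, dst = client_ip, server_ip
    else:                              # Internet -> client: src=server, dst=client
        src, dst = server_ip, client_ip
    if policy not in ("src-ip", "dst-ip"):
        raise ValueError(f"unsupported load-balance policy: {policy}")
    return src if policy == "src-ip" else dst


def cards_for_flow(client_ip, server_ip, uplink_policy="src-ip", downlink_policy="dst-ip"):
    """Return (uplink card slot, downlink card slot) for one client<->server flow."""
    up_key = hash_key("uplink", client_ip, server_ip, uplink_policy)
    down_key = hash_key("downlink", client_ip, server_ip, downlink_policy)
    up_member = AP1_MEMBERS[model_hash(up_key, len(AP1_MEMBERS))]
    down_member = AP2_MEMBERS[model_hash(down_key, len(AP2_MEMBERS))]
    return slot_of(up_member), slot_of(down_member)


def asymmetric_flows(flows, uplink_policy, downlink_policy):
    """List the flows whose forward and return traffic would hit different cards."""
    bad = []
    for client_ip, server_ip in flows:
        up, down = cards_for_flow(client_ip, server_ip, uplink_policy, downlink_policy)
        if up != down:
            bad.append((client_ip, server_ip, up, down))
    return bad


# Constructed sample flows: campus user subnet from the cookbook, public servers.
SAMPLE_FLOWS = [
    ("49.209.88.10", "8.8.8.8"),
    ("49.209.88.11", "8.8.8.8"),
    ("49.209.88.12", "1.1.1.1"),
    ("49.209.88.13", "114.114.114.114"),
]

if __name__ == "__main__":
    print("src-ip / dst-ip (cookbook):", asymmetric_flows(SAMPLE_FLOWS, "src-ip", "dst-ip"))
    print("src-ip / src-ip (wrong):   ", asymmetric_flows(SAMPLE_FLOWS, "src-ip", "src-ip"))
```

With the cookbook's pairing every sample flow is symmetric regardless of the hash function, because both aggregate ports hash the same user address; hashing both directions on src-ip keys the return traffic on the server address instead and splits some flows across the two cards.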

 

Step 5: Complete the basic configurationsof the MSC-ED card.

1.       Log in to the MSC-ED card through its web page: connect the network adapter of a PC to the MGMT interface of the MSC-ED card with a network cable, and set the IP address of the adapter to any address in the 192.168.1.0/24 segment except 192.168.1.1 and 192.168.1.2. Open http://192.168.1.1 in Internet Explorer and log in with the default username and password, both admin. Change this default password right after the first login, as required by the precautions in section 4.3.1.

 

2.       Perform configuration in interface configurationmode.

 

3.       Configure attack prevention.

4.       Configure RG-N18000 correlation.

5.       Configure a traffic-based charging policy.

6.       Upgrade the MSC-ED card version.

 

Step 6: Configure Web authentication on the RG-N18000.

aaa new-model

aaa accounting update periodic 15

aaa accounting update

aaa authentication web-auth default group radius

radius-server host 10.11.2.46 key ruijie

web-auth portal key ruijie

web-auth template eportalv2

ip 10.11.2.47

url http://10.11.2.47:8080/eportal/index.jsp

web-auth acct-method ipfix   //The RG-N18000 sends traffic accounting information to the SAM server over IPFIX.

ip auth-flow export destination 10.11.2.46 4739   //The IP address is the SAM server address; 4739 is the standard IPFIX collector port.

 

Step 7: Divert user traffic to theRG-N18000.

1.      The H3C 6108E diverts traffic to the RG-N18000 over PBR.

Configuration example:

a.    Configure an ACL.

acl number 3000

rule 0 permit ip source 49.209.88.0 0.0.0.255

 

b.    Configure PBR.

policy-based-route ruijie permit node 1

   if-match acl 3000

   apply ip-address next-hop 10.11.1.74

 

c.    Apply PBR in interface configuration mode.

interface Ethernet0/1/0

  port link-mode route

 ip address 10.11.1.73 255.255.255.252

 ip policy-based-route ruijie

 

2.      The Cisco 6509 points the return path to the RG-N18000 over a static route.

Cisco 6509 configuration example:

ip route 49.209.88.0 255.255.255.0 10.11.1.73

 

Step 8: Enable Web authentication and check whether users are authenticated properly when they go online.

Configuration example:

interface gi1/8

web-auth enable eportalv2

 

I. Joint Commissioning of the SAM Server and the RG-N18000

1.      Auxiliary configuration of the RG-N18000 (intended for communication between the RG-N18000 and the SAM server):

interface GigabitEthernet 1/13
  description Link-To-SAM
  switchport access vlan 11
ip radius source-interface vlan 11

2.      SAM server configuration

a.       Log in to the SAM server.

b.       Add the NAS.

c.       Add access control.

d.       Add a user group.

e.       Activate accounts in batches.

3.      Verify AP load balancing.

Run the show ipfix command on the two MSC-ED cards and check that each card has traffic statistics.

4.      Observe the authentication process when users go online.

Run the show web-auth user all command on the RG-N18000 to display online user information.

Display the go-online information of users on the SAM server.

 

II. ConfigurationTips

To avoid loops, run the traffic diversion command on the RG-N18000 first and then configure the interface bridge mode on the MSC-ED card.

To avoid loops when you need to remove the traffic diversion command from the RG-N18000, exit the interface bridge mode on the MSC-ED card first and then exit the bridge mode on the RG-N18000.

Do not run the port migration command when the Layer 2 egress solution is used; otherwise, authentication will be abnormal.

4.3      Layer 3 Authentication Configuration Case

4.3.1     Precautions

Perform the following operations in sequence. Do not skip any operation.

Change the default passwords of the RG-N18000 and the MSC-ED card to prevent malicious operations and security vulnerabilities.

When it is not needed for day-to-day operation, disable the Web management function of the MSC-ED card for enhanced security.

4.3.2     Layer 3 Authentication and Limitations

The switch-based Layer 3 authentication and accounting solution was launched at the beginning of 2016, following the launch of the simplified network solution.

The solution is used in conjunction with the MSC-ED card to implement Layer 3 Web authentication, accounting, and rate limiting.

Functional deployment and distribution:

Authentication: RG-N18000

Accounting: correlation between the MSC-ED card and the RG-N18000

Rate limiting: correlation between the MSC-ED card and the RG-N18000

Solution selection and limitations

The MSC-ED Layer 3 authentication solution supports Layer 3 Web authentication only.

The solution cannot be used in conjunction with Layer 2 authentication.

Authentication is enabled on the interface of the RG-N18000 connected to the access device. The user gateway cannot be deployed on the RG-N18000; it must be deployed downstream, on the access side.

To enable perception-free authentication, deploy the DHCP server on the RG-N18000. The address pool can contain up to 90,000 addresses.

Up to four MSC-ED cards can be deployed in load balancing mode, providing a maximum rate of 4 x 10 Gbps in a single direction.

4.3.3     Version Selection and Upgrade

Version selection:

Version ID: 4070

MSC-ED authentication and accounting solution (phase 4)

MSC_RGOS11.1(8)B1_MSC-ED_03201819_install.bin

N18000_RGOS11.5(1)B2_CMII_03212221_install.bin

Note: This document was prepared on October 28, 2016. The versions will continue to be upgraded. Confirm the latest version with TAC before deployment.

Version upgrade:

Do not use this solution in conjunction with the simplified network solution in which the simplified gateway is deployed on the RG-N18000.

MSC-ED card version:

MSC_RGOS11.1(8)B1_MSC-ED_03201819_install.bin

The MSC-ED card must be upgraded independently. Log in to the Web management interface of the MSC-ED card and upgrade the card in one-click mode. Rename the file to rgos.bin during the upgrade process.

RG-N18000 version:

N18000_RGOS11.5(1)B2_CMII_03212221_install.bin

After the MSC-ED card is upgraded, upgrade the RG-N18000. Before the upgrade, check the free space of the flash memory. If it is smaller than 600 MB, clean up the flash memory.

4.3.4      Interconnection Address Design and Configuration

I. Mapping of the internal interfaces connecting the MSC-ED card and the RG-N18000

 

In the preceding figure, the MSC-ED card and the RG-N18000 exchange data over interconnected interfaces.

On the RG-N18000, only three of the seven ports in the slot holding the card can be used.

The usable ports are Port 3, Port 4, and Port 5.

These three ports correspond to Interface 1, Interface 2, and Interface 3 of the MSC-ED card.

The ports have strict service planning. Deploy each service on the correct port.

Port description:

LAN interface: carries uplink traffic from the user side to the Internet.

WAN interface: carries the downlink traffic returned from the Internet to the user side.

MGMT interface: used for database access and clock synchronization between the RG-N18000 and the MSC-ED card.

 

II. Planning andconfiguration of internal interconnection addresses

The following describes how to design the internal interconnection addresses based on the VSU + dual MSC-ED card model. The address design is the same for a single MSC-ED card and for four MSC-ED cards.

Switch the corresponding interfaces to routing mode.

Switch to routing mode on the MSC-ED card

Layer 3 authentication uses PBR-based traffic diversion, so you must first switch the MSC-ED card to gateway mode. After the switch, the Layer 2 ports become Layer 3 IP ports. The MSC-ED card restarts when it switches to gateway mode, but the switch does not cause the RG-N18000 to restart.

Log in to the Web management interface of the MSC-ED card, and choose Network > Interface > Operation Mode.

Select Gateway mode.

Switch to interface routing mode on the RG-N18000

 

IP port configuration

The preceding figure shows the IP address configuration of the ports in the VSU + dual MSC-ED card model. If you need remote Web management of the MSC-ED cards, configure a route to the management network segment. If remote Web management is not required, the three interconnection address segments do not need to be advertised. The configuration process is simple and is omitted here.

LAN: 10.10.10.0/24

WAN: 10.10.20.0/24

Management: 10.10.30.0/24

 

4.3.5      NTP Clock Synchronization Configuration

The MSC-ED card collects accounting information and therefore needs a reliable clock source. Set the NTP clock source to the RG-N18000 for real-time clock synchronization. Until clock synchronization completes, the Web management interface and CLI of the MSC-ED card raise alarms indicating that clock information is missing. (Accounting information will be inaccurate if clock synchronization is not performed.)

1.       Configure the same time zone on the RG-N18000 and the MSC-ED card. (The time zone of the MSC-ED card is managed through the SNTP server.)

Configuration example:

clock timezone dongba +8 0

Configure the RG-N18000 as the NTP master.

Configuration example:

ntp master 8

2.       Configure the NTP function on the MSC-ED card (CLI version). The server address is the MGMT-side interconnection address of the RG-N18000.

sntp interval 60
sntp server 10.10.30.1
sntp enable

 

4.3.6      MSC-ED Card and RG-N18000 Correlation Configuration

For the latest simplified and phase 4 versions, the correlation address is an interface address of the RG-N18000. Map the TenG0/3 interface of the MSC-ED card to Slot*/5 of the RG-N18000 and set the correlation address to the IP address of Slot*/5 (the IP address of the MGMT interface is 10.10.30.1).

4.3.7     PBR-based Traffic Diversion Configuration

Uplink traffic diversion logic

1.       When service traffic enters the inbound port of the RG-N18000, the PBR-based traffic diversion configured on that port sets the next hop of the traffic to the LAN interface of the MSC-ED card.

2.       When the traffic enters the LAN interface of the MSC-ED card, the PBR-based traffic diversion on the card sets the next hop of the traffic to the WAN interface of the RG-N18000.

3.       The RG-N18000 forwards the traffic that enters its WAN interface normally.

Downlink traffic diversion logic

1.      When the returned service traffic enters the inbound port of the RG-N18000, the PBR-based traffic diversion configured on that port sets the next hop of the traffic to the WAN interface of the MSC-ED card.

2.      When the traffic enters the WAN interface of the MSC-ED card, the PBR-based traffic diversion on the card sets the next hop of the traffic to the LAN interface of the RG-N18000.

3.      The RG-N18000 forwards the traffic that enters its LAN interface normally.

Traffic diversion configuration

Step 1: Configure PBR-based traffic diversion on the MSC-ED card.

Step 2: Configure PBR-based traffic diversion on the RG-N18000.

Note 1:

l  Authentication will fail if Layer 3 authentication is not configured or the uplink (upload) PBR does not take effect.

l  The load-balance command configures load balancing across multiple MSC-ED cards.


Note 2:

l  Traffic diversion takes effect as soon as the PBR is applied. If the network is carrying live services, verify traffic diversion with a test service first.

l  If you do not configure track support for the RNS, add the next hops of both MSC-ED cards to the PBR. (For details about track support for the RNS, visit http://www.wiz.cn.)

Add the next hops of the PBR:

route-map pbr-upload permit 10
 set ip next-hop 10.10.10.2
 set ip next-hop 10.10.10.3

route-map pbr-download permit 10
 set ip next-hop 10.10.20.2
 set ip next-hop 10.10.20.3

 

4.3.8      Layer 3 Authentication Configuration

Enable Layer 3 authentication on the Layer 3 interconnection interface. If Web authentication is enabled on the Layer 2 interconnection interface, the command executed on the Layer 3 interface is automatically shielded.

aaa new-model
radius-server host 192.168.197.79 key ruijie
aaa authorization network default group radius
aaa authentication web-auth default group radius
aaa accounting update periodic 20
aaa accounting update
aaa accounting network default start-stop group radius

Like the default passwords covered in section 4.3.1, the shared secret ruijie shown here is a placeholder and must be replaced with a unique secret before deployment.
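The shared secrets in the Step 6 and section 4.3.8 examples are documentation placeholders, and section 4.3.1 requires them, together with the RG-N18000 and MSC-ED default passwords, to be changed before deployment. The following Python script is added here and is not Ruijie's or the cookbook's code: it audits an RG-N18000 Web authentication configuration for the defaults used on this page, missing AAA statements, an IPFIX export destination that is not the SAM server, and a portal URL whose host differs from the template address. The sample configuration inside it is constructed from the Step 6 example; the hardened secret and the https portal URL are assumptions for illustration, and the script understands only the command forms that appear on this page.

```python
"""
Audit of RG-N18000 Web authentication configuration for the weaknesses this
cookbook warns about: documented default shared secrets, missing AAA
statements, and an IPFIX export destination that is not the SAM server.

Added example for this cookbook, not Ruijie code. It understands only the
command forms that appear on this page. The sample configurations are
constructed from the Step 6 example; the hardened secret and the https
portal URL are assumptions.
"""
import re
from urllib.parse import urlparse

# Secrets that appear in vendor examples and must not survive into production.
DEFAULT_SECRETS = {"ruijie", "admin", "123456", "password"}
MIN_SECRET_LEN = 16

# Constructed from the Step 6 example plus the ip radius source-interface line.
STEP6_CONFIG = """
aaa new-model
aaa accounting update periodic 15
aaa accounting update
aaa authentication web-auth default group radius
radius-server host 10.11.2.46 key ruijie
web-auth portal key ruijie
web-auth template eportalv2
 ip 10.11.2.47
 url http://10.11.2.47:8080/eportal/index.jsp
web-auth acct-method ipfix
ip auth-flow export destination 10.11.2.46 4739
ip radius source-interface vlan 11
"""

# Assumed hardened variant: a long random secret and an https portal URL.
HARDENED_CONFIG = (STEP6_CONFIG
                   .replace("key ruijie", "key Vq7pLs2Xz9RmB4tK0wNc")
                   .replace("http://", "https://"))


def check_secret(label, secret):
    """Flag documented defaults and short shared secrets."""
    if secret.lower() in DEFAULT_SECRETS:
        return [f"{label} is the documented default '{secret}'; change it before go-live"]
    if len(secret) < MIN_SECRET_LEN:
        return [f"{label} is only {len(secret)} characters; use at least {MIN_SECRET_LEN}"]
    return []


def audit_webauth_config(config):
    """Return a list of findings; an empty list means no issue was detected."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []

    # AAA statements that Web authentication and traffic-based accounting rely on.
    required_prefixes = {
        "aaa new-model": "aaa new-model missing: AAA is not enabled",
        "aaa authentication web-auth": "no aaa authentication web-auth method list",
        "aaa accounting update periodic": "no periodic accounting update: SAM gets no interim traffic counts",
        "ip radius source-interface": "ip radius source-interface missing: RADIUS source address is not pinned",
    }
    for prefix, msg in required_prefixes.items():
        if not any(l.startswith(prefix) for l in lines):
            findings.append(msg)

    # RADIUS servers and their shared secrets.
    radius_hosts = {}
    for l in lines:
        m = re.match(r"radius-server host (\S+) key (\S+)$", l)
        if m:
            radius_hosts[m.group(1)] = m.group(2)
    if not radius_hosts:
        findings.append("no radius-server host configured")
    for host, key in radius_hosts.items():
        findings += check_secret(f"RADIUS key for {host}", key)

    # Portal shared secret.
    portal = [l for l in lines if l.startswith("web-auth portal key ")]
    if portal:
        findings += check_secret("web-auth portal key", portal[0].split()[-1])
    else:
        findings.append("web-auth portal key missing")

    # Portal template: the url host should be the template ip, and the login page https.
    in_template, tpl_ip, tpl_url = False, None, None
    for l in lines:
        if l.startswith("web-auth template "):
            in_template = True
        elif in_template and re.fullmatch(r"ip \d+\.\d+\.\d+\.\d+", l):
            tpl_ip = l.split()[1]
        elif in_template and l.startswith("url "):
            tpl_url = l.split(None, 1)[1]
        else:
            in_template = False
    if tpl_ip and tpl_url:
        parsed = urlparse(tpl_url)
        if parsed.hostname != tpl_ip:
            findings.append(f"portal url host {parsed.hostname} differs from template ip {tpl_ip}")
        if parsed.scheme != "https":
            findings.append("portal url is plain http: user credentials cross the network unencrypted")

    # IPFIX accounting export must go to the SAM server, i.e. one of the RADIUS hosts.
    if "web-auth acct-method ipfix" in lines:
        export = [re.match(r"ip auth-flow export destination (\S+) (\d+)", l)
                  for l in lines if l.startswith("ip auth-flow export destination")]
        if not export or export[0] is None:
            findings.append("acct-method ipfix set but no ip auth-flow export destination")
        elif export[0].group(1) not in radius_hosts:
            findings.append(f"IPFIX export destination {export[0].group(1)} is not a configured RADIUS (SAM) server")

    return findings


if __name__ == "__main__":
    for name, cfg in (("step6", STEP6_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_webauth_config(cfg) or "clean")
```

Run against the Step 6 example the audit reports the two default secrets and the plain-http portal URL; the hardened variant is clean. Feed it the output of show running-config (only the lines above matter) before go-live and after every change to the AAA section.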

 

 
