ITA configuration example for IPoE users

Network requirements

As shown in Figure 23, the router performs IPoE authentication.

Configure the router to meet the following requirements:

Figure 22: Network diagram

Configuration procedure

  1. Configure RADIUS server 1 and RADIUS server 2:

    This example uses FreeRADIUS servers.

    # Configure the clients.conf file.

    client 4.4.4.2/32 {
        ipaddr = 4.4.4.2
        netmask = 32
        secret = radius
    }
    client 5.5.5.2/32 {
        ipaddr = 5.5.5.2
        netmask = 32
        secret = radius
    }
    

    # Configure the IP address of the user and the authorized user profile in the users file.

    2.2.2.2  Cleartext-Password := "radius"
             Filter-Id := "profile1"
    
  2. Configure the router:

    1. Configure the IP address of each interface, as shown in Figure 23. (Details not shown.)

    2. Configure a RADIUS scheme for AAA:

      # Create a RADIUS scheme named rs1 and enter RADIUS scheme view.

      <Router> system-view
      [Router] radius scheme rs1
      

      # Specify the primary RADIUS authentication server at 4.4.4.1.

      [Router-radius-rs1] primary authentication 4.4.4.1
      

      # Specify the primary RADIUS accounting server at 4.4.4.1.

      [Router-radius-rs1] primary accounting 4.4.4.1
      

      # Set the authentication shared key to radius in plaintext form for secure communication between the router and RADIUS server 1.

      [Router-radius-rs1] key authentication simple radius
      

      # Set the accounting shared key to radius in plaintext form for secure communication between the router and RADIUS server 1.

      [Router-radius-rs1] key accounting simple radius
      

      # Exclude domain names from the usernames sent to RADIUS server 1.

      [Router-radius-rs1] user-name-format without-domain
      [Router-radius-rs1] quit
      
    3. Configure a RADIUS scheme for the ITA service:

      # Create a RADIUS scheme named rs2 and enter RADIUS scheme view.

      [Router] radius scheme rs2
      

      # Specify the primary accounting server at 5.5.5.1.

      [Router-radius-rs2] primary accounting 5.5.5.1
      

      # Set the accounting shared key to radius in plaintext form for secure communication between the router and RADIUS server 2.

      [Router-radius-rs2] key accounting simple radius
      

      # Exclude domain names from the usernames sent to RADIUS server 2.

      [Router-radius-rs2] user-name-format without-domain
      [Router-radius-rs2] quit
      
    4. Configure a QoS policy for the ITA service:

      # Configure IPv4 advanced ACL 3000 and enter its view.

      [Router] acl number 3000
      

      # Permit all packets destined for 1.1.1.1.

      [Router-acl-adv-3000] rule 0 permit ip destination 1.1.1.1 0
      [Router-acl-adv-3000] quit
      

      # Create a traffic class named classifier_1.

      [Router] traffic classifier classifier_1
      

      # Define a match criterion for traffic class classifier_1 to match advanced ACL 3000.

      [Router-classifier-classifier_1] if-match acl 3000
      [Router-classifier-classifier_1] quit
      

      # Create a traffic behavior named behavior_1 and enter traffic behavior view.

      [Router] traffic behavior behavior_1
      

      # Mark level-1 traffic for ITA accounting.

      [Router-behavior-behavior_1] remark account-level 1
      

      # Measure the traffic in bytes.

      [Router-behavior-behavior_1] accounting byte
      [Router-behavior-behavior_1] quit
      

      # Define a QoS policy named policy and enter QoS policy view.

      [Router] qos policy policy
      

      # Associate traffic class classifier_1 with traffic behavior behavior_1 in the QoS policy.

      [Router-qospolicy-policy] classifier classifier_1 behavior behavior_1
      [Router-qospolicy-policy] quit
      
    5. Configure a user profile for the ITA service:

      # Create a user profile named profile1 and enter user profile view.

      [Router] user-profile profile1
      

      # Apply QoS policy policy to the inbound traffic of the users associated with the user profile.

      [Router-user-profile-profile1] qos apply policy policy inbound
      [Router-user-profile-profile1] quit
      
    6. Configure an ITA policy:

      # Create an ITA policy named ita and enter ITA policy view.

      [Router] ita policy ita
      

      # Configure the accounting method for users who match the ITA policy.

      [Router-ita-policy-ita] accounting-method radius-scheme rs2
      

      # Specify level-1 traffic for ITA accounting and count the traffic as IPv4 traffic.

      [Router-ita-policy-ita] accounting-level 1 ipv4
      

      # Exclude the amount of ITA traffic from the overall traffic statistics that are sent to RADIUS server 1.

      [Router-ita-policy-ita] traffic-separate enable
      

      # Prohibit users from accessing the authorized IP subnets after their ITA data quotas are used up.

      [Router-ita-policy-ita] traffic-quota-out offline
      [Router-ita-policy-ita] quit
      
    7. Configure an ISP domain:

      # Create an ISP domain named dm1 and enter ISP domain view.

      [Router] domain dm1
      

      # Configure the authentication, authorization, and accounting methods for IPoE users in the domain.

      [Router-isp-dm1] authentication ipoe radius-scheme rs1
      [Router-isp-dm1] authorization ipoe radius-scheme rs1
      [Router-isp-dm1] accounting ipoe radius-scheme rs1
      

      # Apply ITA policy ita to the ISP domain.

      [Router-isp-dm1] ita-policy ita
      [Router-isp-dm1] quit
      
    8. Configure IPoE:

      # Enter the view of GigabitEthernet 1/0/2.

      [Router] interface gigabitethernet 1/0/2
      

      # Enable IPoE and configure Layer 3 access mode on GigabitEthernet 1/0/2.

      [Router-GigabitEthernet1/0/2] ip subscriber routed enable
      

      # Enable unclassified-IP packet initiation.

      [Router-GigabitEthernet1/0/2] ip subscriber initiator unclassified-ip enable
      

      # Specify dm1 as the ISP domain.

      [Router-GigabitEthernet1/0/2] ip subscriber unclassified-ip domain dm1
      

      # Set the password to radius in plaintext form for IPoE authentication.

      [Router-GigabitEthernet1/0/2] ip subscriber password plaintext radius
      [Router-GigabitEthernet1/0/2] quit
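
The clients.conf file in step 1 and both RADIUS schemes in step 2 share one short key, radius, so a review of the FreeRADIUS side should flag guessable, short, and reused secrets before the example is adapted. The Python audit below is an added example, not part of the original guide or of FreeRADIUS; the third client (192.0.2.10), the GUESSABLE list, and the MIN_LEN threshold are assumptions constructed for illustration, and only flat client blocks are parsed.

```python
import re
from collections import Counter

# Constructed sample: the two clients from step 1 plus one hypothetical
# client (192.0.2.10) with a long random secret, for contrast.
SAMPLE = """
client 4.4.4.2/32 {
    ipaddr = 4.4.4.2
    netmask = 32
    secret = radius
}
client 5.5.5.2/32 {
    ipaddr = 5.5.5.2
    netmask=32
    secret=radius
}
client 192.0.2.10/32 {
    ipaddr = 192.0.2.10
    secret = "kV7q2ZtR9mXw4LbN8pHs3YcD6fGj"
}
"""

GUESSABLE = {"radius", "secret", "testing123", "password", "admin"}  # assumed list
MIN_LEN = 16  # assumed policy; RFC 2865 states a preference for >= 16 octets
CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
SECRET_RE = re.compile(r'^\s*secret\s*=\s*"?([^"\n#]+?)"?\s*(?:#.*)?$', re.M)

def parse_clients(text):
    """Return {client_name: secret, or None if the block has no secret}."""
    clients = {}
    for name, body in CLIENT_RE.findall(text):
        m = SECRET_RE.search(body)
        clients[name] = m.group(1).strip() if m else None
    return clients

def audit(text):
    """Return {client_name: sorted list of findings}; an empty list means clean."""
    clients = parse_clients(text)
    counts = Counter(clients.values())  # how many clients hold each secret
    findings = {}
    for name, secret in clients.items():
        checks = {"missing": secret is None,
                  "guessable": (secret or "").lower() in GUESSABLE,
                  "short": secret is not None and len(secret) < MIN_LEN,
                  "reused": secret is not None and counts[secret] > 1}
        findings[name] = sorted(k for k, hit in checks.items() if hit)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any key changed on the FreeRADIUS side must be changed to the same value in the matching key authentication and key accounting commands of rs1 and rs2.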
      

Verifying the configuration

# Use password radius to pass IPoE authentication on the host. (Details not shown.)

# Verify that RADIUS server 2 performs accounting for the IPoE user when the user accesses the FTP server at 1.1.1.1. (Details not shown.)

# Verify that RADIUS server 1 performs accounting for the non-ITA traffic of the IPoE user. (Details not shown.)

# Display detailed information about the sessions of online IPoE users. Verify that the user is assigned the user profile and has generated ITA traffic statistics.

<Router> display ip subscriber session verbose