ITA configuration example for IPoE users
Network requirements
As shown in Figure 23, the router performs IPoE authentication.
Configure the router to meet the following requirements:
Use RADIUS server 1 to perform authentication, authorization, and accounting for IPoE users.
Use RADIUS server 2 to perform ITA accounting for IPoE users. The traffic destined for the FTP server is configured as level 1 traffic. The router counts the traffic as IPv4 traffic.
Exclude ITA traffic statistics from the overall traffic statistics reported to RADIUS server 1.
Prohibit users from accessing the FTP server after their level-1 data quotas are used up.
Figure 22: Network diagram
Configuration procedure
Configure RADIUS server 1 and RADIUS server 2:
This example uses FreeRADIUS servers.
# Configure the clients.conf file.
client 4.4.4.2/32 {
    ipaddr = 4.4.4.2
    netmask=32
    secret=radius
}
client 5.5.5.2/32 {
    ipaddr = 5.5.5.2
    netmask=32
    secret=radius
}
# Configure the IP address of the user and the authorized user profile in the users file.
2.2.2.2 Cleartext-Password := "radius"
        Filter-Id := "profile1"
Configure the router:
Configure the IP address of each interface, as shown in Figure 23. (Details not shown.)
Configure a RADIUS scheme for AAA:
# Create a RADIUS scheme named rs1 and enter RADIUS scheme view.
<Router> system-view
[Router] radius scheme rs1
# Specify the primary RADIUS authentication server at 4.4.4.1.
[Router-radius-rs1] primary authentication 4.4.4.1
# Specify the primary RADIUS accounting server at 4.4.4.1.
[Router-radius-rs1] primary accounting 4.4.4.1
# Set the authentication shared key to radius in plaintext form for secure communication between the router and RADIUS server 1.
[Router-radius-rs1] key authentication simple radius
# Set the accounting shared key to radius in plaintext form for secure communication between the router and RADIUS server 1.
[Router-radius-rs1] key accounting simple radius
# Exclude domain names from the usernames sent to RADIUS server 1.
[Router-radius-rs1] user-name-format without-domain
[Router-radius-rs1] quit
Configure a RADIUS scheme for the ITA service:
# Create a RADIUS scheme named rs2 and enter RADIUS scheme view.
[Router] radius scheme rs2
# Specify the primary accounting server at 5.5.5.1.
[Router-radius-rs2] primary accounting 5.5.5.1
# Set the accounting shared key to radius in plaintext form for secure communication between the router and RADIUS server 2.
[Router-radius-rs2] key accounting simple radius
# Exclude domain names from the usernames sent to RADIUS server 2.
[Router-radius-rs2] user-name-format without-domain
[Router-radius-rs2] quit
Configure a QoS policy for the ITA service:
# Configure IPv4 advanced ACL 3000 and enter its view.
[Router] acl number 3000
# Permit all packets destined for 1.1.1.1.
[Router-acl-adv-3000] rule 0 permit ip destination 1.1.1.1 0
[Router-acl-adv-3000] quit
# Create a traffic class named classifier_1.
[Router] traffic classifier classifier_1
# Define a match criterion for traffic class classifier_1 to match advanced ACL 3000.
[Router-classifier-classifier_1] if-match acl 3000
[Router-classifier-classifier_1] quit
# Create a traffic behavior named behavior_1 and enter traffic behavior view.
[Router] traffic behavior behavior_1
# Mark level-1 traffic for ITA accounting.
[Router-behavior-behavior_1] remark account-level 1
# Measure the traffic in bytes.
[Router-behavior-behavior_1] accounting byte
[Router-behavior-behavior_1] quit
# Define a QoS policy named policy and enter QoS policy view.
[Router] qos policy policy
# Associate traffic class classifier_1 with traffic behavior behavior_1 in the QoS policy.
[Router-qospolicy-policy] classifier classifier_1 behavior behavior_1
[Router-qospolicy-policy] quit
Configure a user profile for the ITA service:
# Create a user profile named profile1 and enter user profile view.
[Router] user-profile profile1
# Apply QoS policy policy to the inbound traffic of the users associated with the user profile.
[Router-user-profile-profile1] qos apply policy policy inbound
[Router-user-profile-profile1] quit
Configure an ITA policy:
# Create an ITA policy named ita and enter ITA policy view.
[Router] ita policy ita
# Configure the accounting method for users who match the ITA policy.
[Router-ita-policy-ita] accounting-method radius-scheme rs2
# Specify level-1 traffic for ITA accounting and count the traffic as IPv4 traffic.
[Router-ita-policy-ita] accounting-level 1 ipv4
# Exclude the amount of ITA traffic from the overall traffic statistics that are sent to RADIUS server 1.
[Router-ita-policy-ita] traffic-separate enable
# Prohibit users from accessing the authorized IP subnets after their ITA data quotas are used up.
[Router-ita-policy-ita] traffic-quota-out offline
[Router-ita-policy-ita] quit
Configure an ISP domain:
# Create an ISP domain named dm1 and enter ISP domain view.
[Router] domain dm1
# Configure the authentication, authorization, and accounting methods for IPoE users in the domain.
[Router-isp-dm1] authentication ipoe radius-scheme rs1
[Router-isp-dm1] authorization ipoe radius-scheme rs1
[Router-isp-dm1] accounting ipoe radius-scheme rs1
# Apply ITA policy ita to the ISP domain.
[Router-isp-dm1] ita-policy ita
[Router-isp-dm1] quit
Configure IPoE:
# Enter the view of GigabitEthernet 1/0/2.
[Router] interface gigabitethernet 1/0/2
# Enable IPoE and configure Layer 3 access mode on GigabitEthernet 1/0/2.
[Router-GigabitEthernet1/0/2] ip subscriber routed enable
# Enable unclassified-IP packet initiation.
[Router-GigabitEthernet1/0/2] ip subscriber initiator unclassified-ip enable
# Specify dm1 as the ISP domain.
[Router-GigabitEthernet1/0/2] ip subscriber unclassified-ip domain dm1
# Set the password to radius in plaintext form for IPoE authentication.
[Router-GigabitEthernet1/0/2] ip subscriber password plaintext radius
[Router-GigabitEthernet1/0/2] quit
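The procedure above links its objects by name only (Filter-Id to user profile, user profile to QoS policy, QoS policy to class and behavior, ITA policy to RADIUS scheme, ISP domain to ITA policy, interface to ISP domain), so one mistyped name breaks the chain. The following Python check is an added example, not part of the vendor procedure: it compares every name the commands reference against the objects they create. The function name dangling_references and the regular expressions are assumptions that cover only the commands shown on this page.

```python
import re

# Commands that define or reference a named object, copied from the procedure
# above with the CLI prompts stripped (sample input for this added example).
ROUTER_CONFIG = """\
radius scheme rs1
radius scheme rs2
acl number 3000
traffic classifier classifier_1
if-match acl 3000
traffic behavior behavior_1
qos policy policy
classifier classifier_1 behavior behavior_1
user-profile profile1
qos apply policy policy inbound
ita policy ita
accounting-method radius-scheme rs2
domain dm1
authentication ipoe radius-scheme rs1
authorization ipoe radius-scheme rs1
accounting ipoe radius-scheme rs1
ita-policy ita
ip subscriber unclassified-ip domain dm1
"""
USERS_FILE = '2.2.2.2 Cleartext-Password := "radius"\n    Filter-Id := "profile1"\n'

# Assumed patterns: they recognise only the command forms used on this page.
DEFS = {"radius-scheme": r"radius scheme (\S+)", "acl": r"acl number (\S+)",
        "classifier": r"traffic classifier (\S+)", "behavior": r"traffic behavior (\S+)",
        "qos-policy": r"qos policy (\S+)", "user-profile": r"user-profile (\S+)",
        "ita-policy": r"ita policy (\S+)", "domain": r"domain (\S+)"}
REFS = [("acl", r"if-match acl (\S+)"),
        ("classifier", r"classifier (\S+) behavior \S+"),
        ("behavior", r"classifier \S+ behavior (\S+)"),
        ("qos-policy", r"qos apply policy (\S+)"),
        ("radius-scheme", r".*radius-scheme (\S+)"),
        ("ita-policy", r"ita-policy (\S+)"),
        ("domain", r"ip subscriber unclassified-ip domain (\S+)")]

def dangling_references(config, users_file):
    """Return (kind, name) for every reference to an object that is never created."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    defined = {}
    for kind, pattern in DEFS.items():  # re.match anchors at the start of the command
        defined[kind] = {m.group(1) for ln in lines if (m := re.match(pattern, ln))}
    refs = [(k, m.group(1)) for k, p in REFS for ln in lines if (m := re.match(p, ln))]
    # The Filter-Id reply attribute in the users file names the authorized user profile.
    refs += [("user-profile", n) for n in re.findall(r'Filter-Id\s*:=\s*"([^"]+)"', users_file)]
    return [r for r in refs if r[1] not in defined[r[0]]]
```

An empty list means every referenced name resolves. Each returned pair gives the object type and the name that has no matching definition.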
Verifying the configuration
# Use password radius to pass IPoE authentication on the host. (Details not shown.)
# Verify that RADIUS server 2 performs accounting for the IPoE user when the user accesses the FTP server at 1.1.1.1. (Details not shown.)
# Verify that RADIUS server 1 performs accounting for the non-ITA traffic of the IPoE user. (Details not shown.)
# Display detailed information about the sessions of online IPoE users. Verify that the user is assigned the user profile and has generated ITA traffic statistics.
<Router> display ip subscriber session verbose