Сравнение версий

Старая версия 2

changes.mady.by.user Отдел Документации

Сохранено

по сравнению с

Новая версия Текущий

changes.mady.by.user Отдел Документации

Сохранено

Ключ

  • Эта строка добавлена.
  • Эта строка удалена.
  • Изменено форматирование.

...

Step

Description

Command

Keys

1

Add RADIUS server to the list of used servers and switch to its configuration mode.

esr(config)# radius-server host
{ <IP-ADDR> | <IPV6-ADDR> }
[ vrf <VRF> ]

esr(config-radius-server)#

<IP-ADDR> – RADIUS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of  [0..255];

<IPV6-ADDR> – RADIUS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF];

<VRF> – VRF instance name, set by the string of up to 31 characters.

2

Set the password for authentication on remote RADIUS server.

esr(config-radius-server)# key ascii-text
{ <TEXT> | encrypted <ENCRYPTED-TEXT> }

<TEXT> – string of [8..16] ASCII characters; <ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

3

Create AAA profile.

esr(config)# aaa radius-profile <NAME>

<NAME> – server profile name, set by the string of up to 31 characters.

4

Specify RADIUS server in AAA profile.

esr(config-aaa-radius-profile)# radius-server host
{ <IP-ADDR> | <IPV6-ADDR> }

<IP-ADDR> – RADIUS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – RADIUS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

5

Create DAS server.

esr(config)# das-server <NAME>

<NAME> – DAS server name, set by the string of up to 31 characters.

6

Set the password for authentication on remote DAS server.

esr(config-das-server)# key ascii-text
{<TEXT>|encrypted <ENCRYPTED-TEXT> }

<TEXT> – string of [8..16] ASCII characters; <ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

7

Create AAA DAS profile.

esr(config)# aaa das-profile <NAME>

<NAME> – DAS profile name, set by the string of up to 31 characters.

8

Specify DAS server in DAs profile.

esr(config-aaa-das-profile)#  das-server <NAME>

<NAME> – DAS server name, set by the string of up to 31 characters.

9

Configure BRAS.

esr(config)# subscriber-control [ vrf <VRF> ]

<VRF> – VRF instance name, set by the string of up to 31 characters, within which the user control will operate.

10

Select the profile of dynamic authorization servers to which CoS queries from PCRF will be sent.

esr(config-subscriber-control)# aaa das-profile <NAME>

<NAME> – DAS profile name, set by the string of up to 31 characters.

11

Select RADIUS server profile to obtain the user service parameters.

esr(config-subscriber-control)# aaa services-radius-profile
<NAME>

<NAME> – RADIUS server profile name, set by the string of up to 31 characters.

12

Select RADIUS server profile to obtain the user session parameters.

esr(config-subscriber-control)# aaa sessions-radius-profile
<NAME>

<NAME> – RADIUS server profile name, set by the string of up to 31 characters.

13

Set router IP address that will be used as source IP address in transmitted RADIUS packets.

esr(config-subscriber-control)# nas-ip-address <ADDR>

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

14

Enable session authentication by MAC address (optional).

esr(config-subscriber-control)# session mac-authentication


15

Organize transparent filter-based transmission of administrative traffic (DHCP, DNS and etc.).

esr(config-subscriber-control)# bypass-traffic-a с l <NAME>

<NAME> – name of the ACL being bound, set by the string of up to 31 characters.

16

Switch to the default service configuration mode.

esr(config-subscriber-control)# default-service


17

Bind the specified QoS class to the default service.

esr(config-subscriber-default-service)# class-map <NAME>

<NAME> – name of the class being bound, set by the string of up to 31 characters.

18

Specify a name of the URL list that will be used to filtrate HTTP/HTTPS traffic of non-authenticated users.

esr(config-subscriber-default-service)# filter-name
{ local<LOCAL-NAME> | remote<REMOTE-NAME> }

<LOCAL-NAME> – URL profile name, set by the string of up to 31 characters;

<REMOTE-NAME> – remote server URL list name, set by the string of up to 31 characters.

19

Specify the actions that should be applied for HTTP/HTTPS packets, whose URL is included in the list of URL assigned by the 'filter-name' command.

esr(config-subscriber-default-service)# filter-action<ACT>

<ACT> – allocated action:

  • permit – traffic transfer is permitted;
  • deny – traffic transfer is denied.

redirect <URL> – redirect to the specified URL will be carried out, set by the string of up to 255 characters.

20

Specify the actions that should be applied for HTTP/HTTPS packets, whose URL is not included in the list of URL assigned by the 'filter-name' command.

esr(config-subscriber-default-service)# default -action<ACT>

<ACT> – allocated action:

  • permit – traffic transfer is permitted;
  • deny – traffic transfer is denied.

redirect <URL> – redirect to the specified URL will be carried out, set by the string of up to 255 characters.

21

Enable user control profile.

esr(config-subscriber-control)# enable


22

Change the identifier of a network interface (physical, sub interface or network bridge) (optional).

esr(config-if)# location <ID>

<ID> – network interface identifier, set by the string of up to 220 characters.

23

Enable user control on the interface.

esr(config-if-gi)# service-subscriber-control
{any| object-group <NAME>}

<NAME> – IP addresses profile name, set by the string of up to 31 characters.

24

Enable iterative query of quota value when it expires for user services with a configured restriction on the amount of traffic or time (optional).

esr(config-subscriber-control)# quota-expired-reauth


25

Enable session authentication by IP address (optional).

esr(config-subscriber-control)# session ip-authentication


26

Enable transparent transmission of backup traffic for BRAS (optional).

esr(config-subscriber-control)# backup traffic-processing
transparent


27

Specify the interval after which currently unused URL lists will be removed (optional).

esr(config)# subscriber-control unused-filters-remove-delay
<DELAY>

<DELAY> – time interval in seconds, takes values of [10800..86400].

28

Specify the interval after which, if a user has not sent any packets, the session is considered to be outdated and is removed from the device (optional).

esr(config-subscriber-default-service)# session-timeout
<SEC>

<SEC> – time interval in seconds, takes values of [120..3600].

29

Specify the VRRP group on the basis of which user control service status is determined (primary/redundant) (optional).

esr(config-subscriber-control)# vrrp-group <GRID>

<GRID> – VRRP router group identifier, takes values in the range of [1..32].

30

Define destination TCP ports from which the traffic will be redirected to the router HTTP Proxy server (optional).

esr(config-subscriber-control)# ip proxy http listen-ports <NAME>

<NAME> – TCP/UDP ports profile name, set by the string of up to 31 characters.

31

Define HTTP Proxy server port on the router (optional).

esr(config-subscriber-control)# ip proxy http redirect-port <PORT>

<PORT> – port number, set in the range of [1..65535].

32

Define destination TCP ports from which the traffic will be redirected to the router HTTPS Proxy server (optional).

esr(config-subscriber-control)# ip proxy https listen-ports <NAME>

<NAME> – TCP/UDP ports profile name, set by the string of up to 31 characters.

33

Define HTTPS Proxy server port on the router (optional).

esr(config-subscriber-control)# ip proxy https redirect-port <PORT>

<PORT> – port number, set in the range of [1..65535].

34

Set router IP address that will be used as source IP address in HTTP/HTTPS packets transmitted by Proxy server (optional).

esr(config-subscriber-control)# ip proxy source-address <ADDR>

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

35

Specify URL address of the server providing lists of traffic filtration applications (optional).

esr(config)# subscriber-control apps-server-url <URL>

<URL> – reference address, set by the string from 8 to 255 characters.

36

Enable the application control on the interface (optional).

esr(config-if-gi)# subscriber-control application-filter <NAME>

<NAME> – application profile name, set by the string of up to 31 characters.

37

Set/clear the upper bound of BRAS sessions amount (optional).

esr(config-subscriber-control)# thresholds sessions-number high  <Threshold>

<Threshold> – number of BRAS sessions:

  • [0-50000] – for ESR-1700;
  • [0-10000] – for ESR-1200/1000/1500/1511/3100/3200 and WLC-3200;
  • [0-1000] – for ESR-100/200.

38

Set/clear the lower bound of BRAS sessions amount (optional).

esr(config-subscriber-control)# thresholds sessions-number low   <Threshold>

<Threshold> – number of BRAS sessions:

  • [0-50000] – for ESR-1700;
  • [0-10000] – for ESR-1200/1000/1500/1511/3100/3200 and WLC-3200;
  • [0-1000] – for ESR-100/200.

Scroll Pagebreak

Example of configuration with SoftWLC

...

Блок кода
esr(config)# ip access-list extended DHCP
esr(config-acl)#  rule 10
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol udp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port 68
esr(config-acl-rule)# match destination-port 67
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# rule 11
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol udp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port any
esr(config-acl-rule)# match destination-port 53
esr(config-acl-rule)# enable
esr(config-acl-rule)#exit
esr(config-acl)# exit

...

Then, create rules for redirecting to portal and passing traffic to the Internet:
...
 Блок  кода
 Acct-Interim-Interval = <SECONDS>, 
...
Service name for a session (A – the service is enabled, N – the service is disabled):
...
 Блок  кода
esr(config)# das-server das
esr(config-das-server)# key ascii-text encrypted 8CB5107EA7005AFF
esr(config-das-server)#  exit
esr(config)#  aaa das-profile bras_das
esr(config-aaa-das-profile)#  das-server das
esr(config-aaa-das-profile)# exit
esr(config)#  vlan 10
esr(config-vlan)#  exit
...
Then, create rules for redirecting to portal and passing traffic to the Internet:
...
 Блок  кода
esr(config)#  subscriber-control
esr(config-subscriber-control)# aaa das-profile bras_das
esr(config-subscriber-control)# aaa sessions-radius-profile bras_radius
esr(config-subscriber-control)# aaa services-radius-profile bras_radius_servers
esr(config-subscriber-control)# nas-ip-address 192.168.1.1
esr(config-subscriber-control)# session mac-authentication
esr(config-subscriber-control)# bypass-traffic-acl BYPASS
esr(config-subscriber-control)# default-service
esr(config-subscriber-default-service)# class-map BYPASS
esr(config-subscriber-default-service)# filter-name local defaultserv
esr(config-subscriber-default-service)# filter-action permit
esr(config-subscriber-default-service)# default-action redirect http://192.
168.1.2:8080/eltex_portal
esr(config-subscriber-default-service)# session-timeout 121
esr(config-subscriber-default-service)# exit
esr(config-subscriber-control)# enable
esr(config-subscriber-control)# exit
...
Perform the following settings on the interfaces that require BRAS operation (minimum one interface is required for the successful start):
...