ME60-X8

What Should I Do When Access to the Pre-Authentication Domain on an ME60 Fails?


Issue Description

An ME60 is configured with the BAS function, and an ACL is configured to define the permitted pre-authentication domain resources. Terminal users use RADIUS authentication and accounting. Users cannot ping the pre-authentication resources (the DNS server, gateway, RADIUS server, and portal server), and authentication against these resources fails as well.

The simplified network topology is as follows:

[Topology figure: Huawei Router]

The ME60 and the RADIUS server are both attached to the S12708. Policy-based routing on the S12708 redirects the users' authentication traffic to the BAS interface of the ME60, where the users are authenticated. The ME60 then exchanges authentication packets with the RADIUS server. Details are as follows:

The display domain output shows that only the administrative domain (default_admin) has an online user; the pre-authentication domain (pre_web) and the post-authentication domain (net) have no online users.

[ME60]dis domain
Domain name           State        CAR Access-limit   Online  BODNum RptVSMNum
default0              Active         0       283648        0       0         0
default1              Active         0       283648        0       0         0
default_admin         Active         0       283648        1       0         0
net                   Active         0       283648        0       0         0
pre_web               Active         0       283648        0       0         0
Total 1,1 printed

Handling Process

  1. Check the structure and traffic direction of the customer network.
  2. Ping all the servers. It is found that the ping operation fails.
  3. Check whether the configuration file is correct.

sysname ME60

user-group huawei  //Configure the user group referenced by the pre-authentication domain.

radius-server group net  //Configure the RADIUS server group used for authentication and accounting.
 radius-server authentication 10.0.0.13 1812
 radius-server accounting 10.0.0.13 1813
 radius-server shared-key huawei2123
 radius-server source interface GigabitEthernet4/0/4
 radius-server authorization 10.0.0.13 shared-key [email protected]  //Configure authorization with the RADIUS server.

For details about the ACL configuration, see the related ME60 manual. The ACL and traffic classifier definitions are omitted here.

…..

traffic policy web
 share-mode
 classifier web_permit behavior web_permit
 classifier web_deny behavior web_deny
traffic policy web_out
 share-mode
 classifier web_permit behavior web_permit
 classifier web_out behavior web_out

http-redirect enable

domain net  //Configure the post-authentication domain and bind it to the RADIUS server group for authentication and accounting.
 authentication-scheme net
 accounting-scheme net
 radius-server group net
domain pre_web  //Configure the pre-authentication domain. It uses none authentication and none accounting so that users can reach the portal server before they log in.
 authentication-scheme mm
 accounting-scheme mm
 user-group huawei
 web-server 10.0.0.12
 web-server url http://10.0.0.12/index_2.html

interface GigabitEthernet4/0/5  //BAS interface that receives the user traffic for authentication.
 description TO_S12708_X5/0/8
 undo shutdown
 ip address 172.31.206.10 255.255.255.248
 bas
  access-type layer3-subscriber default-domain pre-authentication pre_web authentication net  //Enable Layer 3 user access on the BAS interface and bind it to the pre-authentication domain (pre_web) and the post-authentication domain (net).
  traffic-policy web inbound  //Apply the traffic policies that permit or deny pre-authentication traffic on the BAS interface.
  traffic-policy web_out outbound

web-auth-server source interface GigabitEthernet4/0/4
web-auth-server version v2
web-auth-server 10.0.0.12 port 2000 key simple [email protected]  //Configure the portal (web authentication) server.

The basic configuration of the customer network is correct, but one command is missing. The customer assumed that the servers in the pre-authentication domain become reachable as soon as the traffic policy permits them. However, an additional command is required to control which users are granted access to the pre-authentication domain; without it the permitted resources are never reached, which matches the zero online users shown for pre_web above.


Root Cause

The configuration file does not contain the command for configuring the pre-authentication domain access permissions.

The command is run globally and grants access permissions for the resources of the bound domain (pre_web in this example). After it is configured, users whose IP addresses fall in the range 172.100.0.0 to 172.100.255.255 are placed in the pre_web domain and can access its pre-authentication resources. The same command can be bound to other domains to provide none authentication for specific network segments; details are not provided here.

layer3-subscriber 172.100.0.0 172.100.255.255 domain-name pre_web
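As an added example (not Huawei code and not part of the original case), the following Python script performs the check that would have caught this fault before the ping tests: it reads a configuration text, finds every BAS interface whose access-type references a pre-authentication domain, and reports when no layer3-subscriber IP range is bound to that domain. It also flags domains that are referenced but never defined and IP ranges whose start address is above the end address. The two configuration strings, the function names and the reversed-range check are constructed for the example; the script recognises only the commands quoted on this page, not the full ME60 command set.

```python
"""Audit an ME60 configuration text for a Layer 3 pre-authentication domain
that has no layer3-subscriber IP-range binding (the fault on this page).

Added example; this is not Huawei code and it parses only the commands
quoted on this page, not the full ME60 command set.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample: the customer's configuration reduced to the commands that
# matter for the check (ACLs, traffic policies and RADIUS settings omitted).
BROKEN_CONFIG = """\
sysname ME60
domain net
 authentication-scheme net
 accounting-scheme net
 radius-server group net
domain pre_web
 authentication-scheme mm
 accounting-scheme mm
 user-group huawei
 web-server 10.0.0.12
interface GigabitEthernet4/0/5
 description TO_S12708_X5/0/8
 ip address 172.31.206.10 255.255.255.248
 bas
  access-type layer3-subscriber default-domain pre-authentication pre_web authentication net
  traffic-policy web inbound
  traffic-policy web_out outbound
"""

# The same configuration with the command given under Root Cause added.
FIXED_CONFIG = BROKEN_CONFIG + (
    "layer3-subscriber 172.100.0.0 172.100.255.255 domain-name pre_web\n"
)

DOMAIN_RE = re.compile(r"^domain\s+(\S+)\s*$")
INTERFACE_RE = re.compile(r"^interface\s+(\S+)")
ACCESS_TYPE_RE = re.compile(
    r"^\s*access-type\s+layer3-subscriber\s+default-domain\s+"
    r"pre-authentication\s+(\S+)\s+authentication\s+(\S+)"
)
L3_SUBSCRIBER_RE = re.compile(
    r"^\s*layer3-subscriber\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})"
    r"\s+domain-name\s+(\S+)"
)


@dataclass
class BasBinding:
    interface: str
    pre_auth_domain: str
    auth_domain: str


def parse_config(config: str) -> Tuple[Set[str], List[BasBinding], Dict[str, List[Tuple[str, str]]]]:
    """Collect defined domains, BAS access-type bindings (with the interface
    they sit under) and layer3-subscriber IP ranges keyed by domain name."""
    domains: Set[str] = set()
    bindings: List[BasBinding] = []
    ranges: Dict[str, List[Tuple[str, str]]] = {}
    current_interface = "<global>"
    for line in config.splitlines():
        if m := DOMAIN_RE.match(line):
            domains.add(m.group(1))
        elif m := INTERFACE_RE.match(line):
            current_interface = m.group(1)
        elif m := ACCESS_TYPE_RE.match(line):
            bindings.append(BasBinding(current_interface, m.group(1), m.group(2)))
        elif m := L3_SUBSCRIBER_RE.match(line):
            ranges.setdefault(m.group(3), []).append((m.group(1), m.group(2)))
    return domains, bindings, ranges


def audit(config: str) -> List[str]:
    """Return one finding per problem; an empty list means the checks passed."""
    domains, bindings, ranges = parse_config(config)
    findings: List[str] = []
    for b in bindings:
        for role, name in (("pre-authentication", b.pre_auth_domain),
                           ("authentication", b.auth_domain)):
            if name not in domains:
                findings.append(f"{b.interface}: {role} domain {name} is referenced but never defined")
        # The fault on this page: a pre-authentication domain with no user IP range bound to it.
        if b.pre_auth_domain not in ranges:
            findings.append(
                f"{b.interface}: pre-authentication domain {b.pre_auth_domain} has no "
                f"layer3-subscriber IP range, so no user can come online in it"
            )
    for domain, ip_ranges in ranges.items():
        if domain not in domains:
            findings.append(f"layer3-subscriber binds undefined domain {domain}")
        for start, end in ip_ranges:
            if ipaddress.IPv4Address(start) > ipaddress.IPv4Address(end):
                findings.append(f"layer3-subscriber range {start}-{end} for {domain} is reversed")
    return findings


if __name__ == "__main__":
    for label, cfg in (("customer config", BROKEN_CONFIG), ("with fix", FIXED_CONFIG)):
        result = audit(cfg)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run against the customer configuration, the script reports the single missing binding for GigabitEthernet4/0/5; with the layer3-subscriber line appended it reports nothing. Extending the regular expressions to other access types or to the ACL rules behind the traffic classifiers is straightforward, but everything the script knows about the syntax comes from the commands shown on this page.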
