Login
- Table of Contents
-
- 12-Security Configuration Guide
- 00-Preface
- 01-DAE proxy configuration
- 02-Password control configuration
- 03-Keychain configuration
- 04-Public key management
- 05-PKI configuration
- 06-IPsec configuration
- 07-SSH configuration
- 08-SSL configuration
- 09-Session management
- 10-Object group configuration
- 11-Attack detection and prevention configuration
- 12-IP-based attack prevention configuration
- 13-IP source guard configuration
- 14-ARP attack protection configuration
- 15-ND attack defense configuration
- 16-uRPF configuration
- 17-SAVA configuration
- 18-SAVA-P configuration
- 19-Crypto engine configuration
- 20-Trust level configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 01-DAE proxy configuration | 156.73 KB |
Contents
Display and maintenance commands for DAE proxy
DAE proxy configuration examples
Example: Configuring DAE proxy
Configuring DAE proxy
About DAE proxy
The DAE proxy feature enables the device to act as the DAE proxy to forward DAE requests and responses between DAE clients and DAE servers.
DAE
Dynamic Authorization Extensions (DAE) to RADIUS is used to disconnect user sessions or change authorization information for online users.
DAE client/server model
DAE uses the client/server model.
· A DAE client resides on a RADIUS server or a separate host. It initiates DAE requests.
· A DAE server is typically a NAS device. It receives DAE requests from DAE clients and sends DAE responses to DAE clients.
DAE packets
Table 1 describes the categories and types of DAE packets. The device identifies the operation objects by, for example, username and user IP address.
Table 1 DAE packet categories and types
|
Category |
Function |
DAE request |
DAE response |
|
Disconnect Message (DM) |
Disconnects sessions of online users. |
Disconnect-Request (DM_REQ) |
· Disconnect-Acknowledgment (DM_ACK) · Disconnect-Negative Acknowledgment (DM_NAK) |
|
Change of Authorization (CoA) message |
Changes authorization information of online users. |
CoA-Request (COA_REQ) |
· CoA-Acknowledgment (COA_ACK) · CoA-Negative Acknowledgment (COA_NAK) |
Application scenarios
DAE proxy is typically used in control-/data-plane separated scenarios, as shown in Figure 1. CPs process control plane services, including access authentication and user management. UPs process data plane services, including packet forwarding and traffic control. If you deploy a DAE proxy, the DAE clients need to maintain only the IP address of the DAE proxy, instead of the IP addresses of all CPs. The configuration and management workload on the DAE clients decreased dramatically.
How DAE proxy works
DAE proxy uses a fixed UDP port to listen for DAE requests from DAE clients and forward DAE responses to DAE clients. At the same time, DAE proxy dynamically enables ephemeral UDP ports to forward DAE requests to DAE servers and receive DAE responses from DAE servers.
The following describes how DAE proxy works:
1. After a user passes authentication and comes online, the DAE client might send a DAE request to the DAE proxy.
2. The DAE proxy searches for the shared key for the source IP address and VPN instance in the request, and uses the key to verify the Authenticator field.
¡ If the shared key is not found or the verification fails, the DAE proxy discards the request.
¡ If the verification succeeds, the DAE proxy creates an ephemeral port to forward the request to the DAE servers in the same VPN as the DAE client.
3. A DAE server resolves the request and deletes user information or changes user authorization information as required. Then, the DAE server encapsulates the processing result in a response and sends the response to the DAE proxy.
4. Upon receiving the response at the ephemeral port, the DAE proxy performs the following tasks:
a. Searches for the shared key by the IP address and VPN instance of the DAE client.
b. Uses the shared key to recalculate and replace the Authenticator field in the response.
c. Sends the response to the DAE client.
DAE proxy waits 10 seconds for the response after it forwards a request. When the timer expires, the DAE proxy ignores the response and does not send any responses to the DAE client.
Protocols and standards
RFC 5176, Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
Prerequisites
Before you configure DAE proxy, perform the following tasks:
· On the interface connected to DAE clients, configure outbound dynamic NAT to translate the source IP address of a RADIUS packet from a CP. The translated IP address must be the same as the IP address of the NAS that manages the CP on the DAE client. For more information about configuring outbound dynamic NAT, see NAT Configuration Guide.
· Perform the following tasks on the DAE server:
¡ Configure DAE client information. The specified DAE client IP address must be the IP address of the DAE proxy.
¡ (Optional.) Specify the DAE request listening port. This port must be the same as the DAE server listening port configured on the DAE proxy.
¡ (Optional.) Configure a trusted DAE client.
For more information about DAE server configuration, see AAA configuration in BRAS Services Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable DAE proxy and enter DAE proxy view.
radius dynamic-author proxy [ listen-port port-number ]
You can specify the DAE proxy listening port number by using this command in system view or using the listen-port port-number command in DAE proxy view. The configurations have the same priority, and the most recent configuration takes effect.
3. Configure a DAE client.
client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ key { cipher | simple } string ]
By default, no DAE clients are configured.
You can configure multiple DAE clients. The DAE proxy forwards DAE requests from only DAE clients that are configured by using this command.
4. Specify the UDP port for listening for DAE requests from DAE clients.
listen-port port-number
By default, the listening port for DAE requests is 3799.
To prevent loss of DAE requests, disable DAE proxy before you change the listening port.
5. Configure a DAE server.
server { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
By default, no DAE servers are configured.
You can configure multiple DAE servers. The DAE proxy forwards DAE requests to and receives DAE responses from only DAE servers that are configured by using this command.
6. Configure the DAE server listening port.
server port dest-port
By default, the DAE server listening port is 3799.
To prevent loss of DAE response packets, disable DAE proxy before you modify this port setting.
Display and maintenance commands for DAE proxy
Execute display commands in any view and reset commands in user view.
|
Task |
Command |
|
Display DAE proxy settings and statistics. |
display radius dynamic-author proxy |
|
Clear DAE proxy statistics. |
reset radius dynamic-author proxy statistics |
DAE proxy configuration examples
Example: Configuring DAE proxy
Network configuration
As shown in Figure 2, the hosts use manually configured IP addresses or dynamically obtain IP addresses, and they access the BRASs by IPoE through Layer 3 networks.
· Configure the BRAS to support IPoE in control-/data-plane separated mode.
· Configure the free RADIUS server to provide authentication, authorization, and accounting services.
· Configure Device as the DAE proxy to manage the CPs.
Prerequisites
# Assign IP addresses to interfaces and configure routes. Make sure the network connections are available.
# Configure the management and control channels and protocol tunnels between the CPs and UPs. For more information, see H3C vBRAS1000-CP CP and UP Separation Configuration Guide.
Procedure
1. Configure the RADIUS server:
# Add a RADIUS client that uses IP address 5.5.5.1 and secret radius to the clients.conf file.
client 5.5.5.1/32 {
ipaddr = 5.5.5.1
netmask=32
secret=radius
}
# Add a user that uses username 2.2.2.1 and password a123456 to the users file.
2.2.2.1 Cleartext-Password :="a123456"
2. Configure the DAE proxy:
# Enable DAE proxy and enter DAE proxy view.
<Device> system-view
[Device] radius dynamic-author proxy
# Specify the listening port for DAE requests to 2000.
[Device-radius-da-proxy] listen-port 2000
# Configure a DAE client that uses IP address 5.5.5.2 and plaintext shared key radius.
[Device-radius-da-proxy] client ip 5.5.5.2 key simple radius
# Configure the DAE server listening port.
[Device-radius-da-proxy] server port 3798
# Configure DAE servers that use IP addresses 4.4.4.1 and 6.6.6.1.
[Device-radius-da-proxy] server ip 4.4.4.1
[Device-radius-da-proxy] server ip 6.6.6.1
[Device-radius-da-proxy] quit
# Configure ACL 3000 to permit packets that are destined for the authentication port or accounting port of the RADIUS server.
[Device] acl number 3000
[Device-acl-adv-3000] rule 1 permit udp destination-port eq 1812
[Device-acl-adv-3000] rule 2 permit udp destination-port eq 1813
[Device-acl-adv-3000] quit
# Configure outbound dynamic NAT on the interface that is connected to the RADIUS server. Translate the source IP addresses of RADIUS packets permitted by ACL 3000 to the IP address of the interface.
[Device] interface ten-gigabitethernet 3/0/3
[Device-Ten-GigabitEthernet3/0/3] ip address 5.5.5.1 255.255.255.0
[Device-Ten-GigabitEthernet3/0/3] nat outbound 3000
[Device-Ten-GigabitEthernet3/0/3] quit
3. Configure UP 1:
# Configure the BRAS to operate in user plane mode.
<UP1> system-view
[UP1] work-mode user-plane
4. Configure UP 2 in the same way UP 1 is configured. (Details not shown.)
5. Configure CP 1:
# Create a RADIUS scheme named rs1 and enter its view.
<CP1> system-view
[CP1] radius scheme rs1
# Configure the primary authentication and accounting servers and the keys.
[CP1-radius-rs1] primary authentication 5.5.5.2
[CP1-radius-rs1] primary accounting 5.5.5.2
[CP1-radius-rs1] key authentication simple radius
[CP1-radius-rs1] key accounting simple radius
# Exclude the ISP name from usernames sent to the RADIUS server.
[CP1-radius-rs1] user-name-format without-domain
[CP1-radius-rs1] quit
b. Configure the DAE server:
# Enable the RADIUS DAS feature and enter RADIUS DAS view.
[CP1] radius dynamic-author server
# Set the DAE packet listening port to 3798.
[CP1-radius-da-server] port 3798
# Configure a client that uses IP address 4.4.4.2. Set the shared key to radius in plaintext form.
[CP1-radius-da-server] client ip 4.4.4.2 key simple radius
[CP1-radius-da-server] quit
c. Configure an ISP domain:
# Create an ISP domain named dm1 and enter its view.
[CP1] domain name dm1
# Configure ISP domain dm1 to use RADIUS scheme rs1.
[CP1-isp-dm1] authentication ipoe radius-scheme rs1
[CP1-isp-dm1] authorization ipoe radius-scheme rs1
[CP1-isp-dm1] accounting ipoe radius-scheme rs1
[CP1-isp-dm1] quit
d. Configure IPoE:
# Enter the view of Remote-GE1024/1/0/2.
[CP1] interface remote-ge 1024/1/0/2
# Enable IPoE and configure Layer 3 access mode on Remote-GE 1024/1/0/2.
[CP1–Remote-GE1024/1/0/2] ip subscriber routed enable
# Enable unclassified-IP packet initiation on Remote-GE1024/1/0/2.
[CP1–Remote-GE1024/1/0/2] ip subscriber initiator unclassified-ip enable
# Specify dm1 as the ISP domain for unclassified-IP users.
[CP1–Remote-GE1024/1/0/2] ip subscriber unclassified-ip domain dm1
# Configure plaintext password radius for authentication.
[CP1–Remote-GE1024/1/0/2] ip subscriber password plaintext radius
[CP1–Remote-GE1024/1/0/2] quit
e. Configure a route to the RADIUS server:
# Configure a static route to the IP address of the RADIUS server. Specify the IP address of the DAE proxy as the next hop.
[CP1] ip route-static 5.5.5.2 32 4.4.4.2
6. Configure CP 2 in the same way CP 1 is configured. (Details not shown.)
Verifying the configuration
# On CP 1, execute the display access-user command to display online IPoE user information to verify that the host has come online.
# On the DAE proxy, display DAE statistics.
[Device] display radius dynamic-author proxy
Status: Enabled
Listening port: 2000
RADIUS DAE clients:
IP address VPN instance
5.5.5.2 N/A
RADIUS DAE servers:
IP address VPN instance
4.4.4.1 N/A
6.6.6.1 N/A
RADIUS DAE packet statistics (DAE proxy<--->DAE client):
Invalid packets: 0
PacketName DM_REQ DM_ACK DM_NAK COA_REQ COA_ACK COA_NAK
Received 0 0 0 0 0 0
Duplicated 0 0 0 0 0 0
CheckError 0 0 0 0 0 0
NASNotFound 0 0 0 0 0 0
Sent 0 0 0 0 0 0
FailedToSend 0 0 0 0 0 0
RADIUS DAE packet statistics (DAE proxy<--->DAE server):
Invalid packets: 0
PacketName DM_REQ DM_ACK DM_NAK COA_REQ COA_ACK COA_NAK
Sent 0 0 0 0 0 0
FailedToSend 0 0 0 0 0 0
Received 0 0 0 0 0 0
NoContext 0 0 0 0 0 0
When CP 1 receives a Disconnect-Request packet from the DAE client, it disconnects sessions of the matching user. Use the display access-user command to verify that the user connection does not exist.
When CP 1 receives a CoA-Request packet from the DAE client, it changes the authorization information for the matching user. Use the display access-user command to view the latest authorization information of the user connection.
# Verify that the numbers of received and transmitted DM and CoA packets have changed.
[Device] display radius dynamic-author proxy
Status: Enabled
Listening port: 2000
RADIUS DAE clients:
IP address VPN instance
5.5.5.2 N/A
RADIUS DAE servers:
IP address VPN instance
4.4.4.1 N/A
6.6.6.1 N/A
RADIUS DAE packet statistics (DAE proxy<--->DAE client):
Invalid packets: 0
PacketName DM_REQ DM_ACK DM_NAK COA_REQ COA_ACK COA_NAK
Received 1 0 0 1 0 0
Duplicated 0 0 0 0 0 0
CheckError 0 0 0 0 0 0
NASNotFound 0 0 0 0 0 0
Sent 0 1 0 0 1 0
FailedToSend 0 0 0 0 0 0
RADIUS DAE packet statistics (DAE proxy<--->DAE server):
Invalid packets: 0
PacketName DM_REQ DM_ACK DM_NAK COA_REQ COA_ACK COA_NAK
Sent 2 0 0 2 0 0
FailedToSend 0 0 0 0 0 0
Received 0 1 1 0 1 1
NoContext 0 0 0 0 0 0
