15-BRAS Services Configuration Guide

04-Value-added services configuration

Configuring value-added services

About value-added services

Value-added services refer to customized services provided based on users' basic services.

The following value-added services are available:

·     Intelligent Target Accounting (ITA)—Provides a flexible accounting solution for users that request services of different charge rates. By defining different traffic levels based on the destination addresses of users' traffic, you can use ITA to separate the traffic accounting statistics of different levels for each user.

·     Enhanced Dynamic Service Gateway (EDSG)—Identifies the traffic of different services for a user and provides independent authentication, accounting, and rate limit for the traffic of each service.

Configuring ITA service policies

About ITA service policies

Intelligent Target Accounting (ITA) provides a flexible accounting solution for users that request services of different charge rates. By defining different traffic levels based on the destination addresses of users' traffic, you can use ITA to separate the traffic accounting statistics of different levels for each user.

You must deploy an ITA policy to implement ITA services. ITA accounting is separated from accounting of other services. However, you can configure the device to include the amount of ITA traffic in the overall traffic statistics sent to the accounting server.

To apply ITA accounting levels and traffic policing parameters to traffic of different ITA services on a user group basis, you can specify user groups for an ITA policy.

Restrictions and guidelines

ITA services are supported only by IPoE and PPPoE users.

For dual-stack PPPoE users, do not specify the same accounting level for IPv4 and IPv6 traffic. If you specify the same accounting level for IPv4 and IPv6 traffic, the most recent configuration takes effect.

Configuring an ITA policy

1.     Configure a QoS policy.

Use this QoS policy to remark traffic destined for different IP addresses or subnets with different levels. For more information about QoS, see ACL and QoS Configuration Guide.

2.     Apply the QoS policy to a user profile, to an interface, or globally to all interfaces.

Apply the QoS policy to a user profile:

a.     Configure a user profile and apply the QoS policy to the user profile.

For more information about user profiles, see BRAS Services Configuration Guide.

b.     Authorize the user profile to authenticated users. Choose one of the following tasks:

-     Configure the RADIUS server (in remote authentication) or the device (in local authentication) to assign the user profile.

After a user passes authentication, the RADIUS server or the device assigns a user profile to the user. For more information about using a remote server to assign a user profile, see related documents about the server. For more information about configuring the attributes for network access local users, see BRAS Services Configuration Guide.

-     Specify the user profile in the authentication domain.

If the RADIUS server or the device does not assign a user profile to a user, the user profile specified for the authentication domain is assigned to the user. For more information about specifying the user profile in an authentication domain, see BRAS Services Configuration Guide.

The user profile assigned by a remote server or the device takes precedence over the user profile specified in the authentication domain.

Apply the QoS policy to an interface or globally:

The QoS policy applied to an interface takes effect on all users attached to that interface. For more information about QoS, see ACL and QoS Configuration Guide.

3.     Configure an ITA policy.

a.     Enter system view.

system-view

b.     Create an ITA policy and enter ITA policy view.

ita policy policy-name

c.     Specify accounting methods in the ITA policy.

accounting-method { none | radius-scheme radius-scheme-name [ none ] }

By default, the accounting method is none.

d.     Specify a traffic level for ITA accounting.

accounting-level level { { ipv4 | ipv6 } | [ car { inbound cir committed-information-rate [ pir peak-information-rate ] | outbound cir committed-information-rate [ pir peak-information-rate ] } * } *

By default, no traffic levels are specified for ITA accounting.

e.     (Optional.) Enable accounting merge.

accounting-merge enable

By default, accounting merge is disabled.

f.     (Optional.) Configure access control for users that have used up their ITA data quotas.

traffic-quota-out { offline | online } [ no-accounting-update ]

By default, the device sends accounting-update packets to the server to request new data quotas for the users that have used up their data quotas. A user cannot access the authorized IP subnets if the device does not receive any new data quota from the server for the user.

g.     (Optional.) Specify a user group for the ITA policy.

user-group name group-name [ nat-instance instance-name ]

By default, no user groups are specified for an ITA policy.

h.     (Optional.) Exclude the amount of specific-level ITA traffic from the overall traffic statistics that are sent to the accounting server.

traffic-separate enable [ level level&<1-8> ]

By default, the amount of ITA traffic is included in the overall traffic statistics that are sent to the accounting server.

4.     Specify the ITA policy on the RADIUS server or in the authentication domain on the device.

The ITA policy assigned by a RADIUS server takes precedence over the ITA policy specified in the authentication domain.

Display and maintenance commands for ITA service policies

Execute display commands in any view.

 

Task: Display ITA policy information.
Command: display ita policy [ policy-name ]

Task: Display statistics about ITA service users.
Command: display value-added-service user ita

Task: Display information about an ITA service user that uses a specific IP address.
Command: display value-added-service user { ip-address ipv4-address | ipv6-address ipv6-address } [ vpn-instance vpn-instance-name ] [ verbose ]

Task: Display information about an ITA service user that uses a specific ID.
Command: display value-added-service user user-id user-id ita-level level

Task: Display information about an ITA service user that uses a specific username.
Command: display value-added-service user username username [ verbose ]

 

 

NOTE:

For more information about commands used to display ITA service user information, see AAA commands in BRAS Services Command Reference.

 

Example: Configuring ITA for IPoE users

Network configuration

As shown in Figure 1, the router performs IPoE authentication.

Configure the router to meet the following requirements:

·     Use RADIUS server 1 to perform authentication, authorization, and accounting for IPoE users.

·     Use RADIUS server 2 to perform ITA accounting for IPoE users. The traffic destined for the FTP server is configured as level 1 traffic. The router counts the traffic as IPv4 traffic.

·     Exclude ITA traffic statistics from the overall traffic statistics reported to RADIUS server 1.

·     Prohibit users from accessing the FTP server after their level-1 data quotas are used up.

The RADIUS servers are FreeRADIUS servers.

Figure 1 Network diagram

Prerequisites

# Configure IP addresses for interfaces, and make sure the network connections are available.

Configuring RADIUS servers

Configure RADIUS client information on RADIUS server 1 and RADIUS server 2.

# Configure the clients.conf file.

client 4.4.4.2/32 {
    ipaddr = 4.4.4.2
    netmask = 32
    secret = radius
}

client 5.5.5.2/32 {
    ipaddr = 5.5.5.2
    netmask = 32
    secret = radius
}

# Add the IP address of the user and the user password in the users file.

2.2.2.2  Cleartext-Password :="radius"

Configuring the router

1.     Configure a RADIUS scheme for AAA:

# Create a RADIUS scheme named rs1 and enter RADIUS scheme view.

<Router> system-view

[Router] radius scheme rs1

# Specify the primary RADIUS authentication server at 4.4.4.1.

[Router-radius-rs1] primary authentication 4.4.4.1

# Specify the primary RADIUS accounting server at 4.4.4.1.

[Router-radius-rs1] primary accounting 4.4.4.1

# Set the authentication shared key to radius in plaintext form for secure communication between the router and RADIUS server 1.

[Router-radius-rs1] key authentication simple radius

# Set the accounting shared key to radius in plaintext form for secure communication between the router and RADIUS server 1.

[Router-radius-rs1] key accounting simple radius

# Exclude domain names from the usernames sent to RADIUS server 1.

[Router-radius-rs1] user-name-format without-domain

[Router-radius-rs1] quit

2.     Configure a RADIUS scheme for the ITA service:

# Create a RADIUS scheme named rs2 and enter RADIUS scheme view.

[Router] radius scheme rs2

# Specify the primary accounting server at 5.5.5.1.

[Router-radius-rs2] primary accounting 5.5.5.1

# Set the accounting shared key to radius in plaintext form for secure communication between the router and RADIUS server 2.

[Router-radius-rs2] key accounting simple radius

# Exclude domain names from the usernames sent to RADIUS server 2.

[Router-radius-rs2] user-name-format without-domain

[Router-radius-rs2] quit

3.     Configure a packet matching rule.

# Configure traffic classifier class1 to match data packets of IPoE or PPPoE authenticated users and match ACL 3000.

[Router] traffic classifier class1 operator and

[Router-classifier-class1] if-match authenticated-user

[Router-classifier-class1] if-match acl 3000

[Router-classifier-class1] quit

4.     Configure a QoS policy for the ITA service:

# Configure IPv4 advanced ACL 3000 and enter its view.

[Router] acl advanced 3000

# Permit all packets destined for 1.1.1.1.

[Router-acl-ipv4-adv-3000] rule 0 permit ip destination 1.1.1.1 0

[Router-acl-ipv4-adv-3000] quit

# Create a traffic class named classifier_1.

[Router] traffic classifier classifier_1

# Define a match criterion for traffic class classifier_1 to match advanced ACL 3000.

[Router-classifier-classifier_1] if-match acl 3000

[Router-classifier-classifier_1] quit

# Create a traffic behavior named behavior_1 and enter traffic behavior view.

[Router] traffic behavior behavior_1

# Mark level-1 traffic for ITA accounting.

[Router-behavior-behavior_1] remark account-level 1

# Measure the traffic in bytes.

[Router-behavior-behavior_1] accounting byte

[Router-behavior-behavior_1] quit

# Define a QoS policy named policy and enter QoS policy view.

[Router] qos policy policy

# Associate traffic class classifier_1 with traffic behavior behavior_1 in the QoS policy.

[Router-qospolicy-policy] classifier classifier_1 behavior behavior_1

[Router-qospolicy-policy] quit

# Apply QoS policy policy to all inbound traffic on the interface.

[Router] interface ten-gigabitethernet 3/0/1

[Router-ten-GigabitEthernet3/0/1] qos apply policy policy inbound

[Router-ten-GigabitEthernet3/0/1] quit

5.     Configure an ITA policy:

# Create an ITA policy named ita and enter ITA policy view.

[Router] ita policy ita

# Configure the accounting method for users that match the ITA policy.

[Router-ita-policy-ita] accounting-method radius-scheme rs2

# Specify level-1 traffic for ITA accounting and count the traffic as IPv4 traffic.

[Router-ita-policy-ita] accounting-level 1 ipv4

# Exclude the amount of ITA traffic from the overall traffic statistics that are sent to RADIUS server 1.

[Router-ita-policy-ita] traffic-separate enable

# Prohibit users from accessing the authorized IP subnets after their ITA data quotas are used up.

[Router-ita-policy-ita] traffic-quota-out offline

[Router-ita-policy-ita] quit

6.     Configure an ISP domain:

# Create an ISP domain named dm1 and enter ISP domain view.

[Router] domain name dm1

# Configure the authentication, authorization, and accounting methods for IPoE users in the domain.

[Router-isp-dm1] authentication ipoe radius-scheme rs1

[Router-isp-dm1] authorization ipoe radius-scheme rs1

[Router-isp-dm1] accounting ipoe radius-scheme rs1

# Apply ITA policy ita to the ISP domain.

[Router-isp-dm1] ita-policy ita

[Router-isp-dm1] quit

7.     Configure IPoE:

# Enter the view of Ten-GigabitEthernet 3/0/1.

[Router] interface ten-gigabitethernet 3/0/1

# Enable IPoE and configure Layer 3 access mode on the port.

[Router-ten-GigabitEthernet3/0/1] ip subscriber routed enable

# Enable unclassified-IP users.

[Router-ten-GigabitEthernet3/0/1] ip subscriber initiator unclassified-ip enable

# Specify dm1 as the ISP domain.

[Router-ten-GigabitEthernet3/0/1] ip subscriber unclassified-ip domain dm1

# Set the password to radius in plaintext form for IPoE authentication.

[Router-ten-GigabitEthernet3/0/1] ip subscriber password plaintext radius

[Router-ten-GigabitEthernet3/0/1] quit

Verifying the configuration

# Use password radius to pass IPoE authentication on the host. (Details not shown.)

# Verify that RADIUS server 2 performs accounting for the IPoE user when the user accesses the FTP server at 1.1.1.1. (Details not shown.)

# Verify that RADIUS server 1 performs accounting for the non-ITA traffic of the IPoE user. (Details not shown.)

# Display statistics about value-added-service users. Verify that the online IPoE user is assigned an ITA policy.

<Router> display value-added-service user

Configuring EDSG service policies

About EDSG service policies

Enhanced Dynamic Service Gateway (EDSG) identifies the traffic of different services for a user and provides independent authentication, accounting, and rate limit for the traffic of each service.

After a user passes RADIUS authentication, the RADIUS server assigns EDSG service policies to the user. Then, the device uses the matching local EDSG service policies to provide the following service-based functions for the user:

·     Independent authentication—Provides independent authentication for each EDSG service of the user. The device performs authentication on each EDSG service of the user based on the EDSG authentication methods specified in the corresponding EDSG service policy. The EDSG authentication methods might differ from those used for non-EDSG services. The user is authorized to use the EDSG service after passing the EDSG authentication for the service. The user's access to the EDSG service is restricted to the authorization attributes for the service.

If an EDSG username and an EDSG password are specified for a user, the RADIUS server uses the username and password to authenticate the user. If no username or password is specified for the user, the RADIUS server uses the username and password that the user enters during login.

·     Independent accounting—Provides independent accounting for each EDSG service of the user. The device performs accounting on each EDSG service of the user based on the EDSG accounting methods specified in the corresponding EDSG service policy. The EDSG accounting methods might differ from those used for non-EDSG services. For example, EDSG can identify intranet traffic and extranet traffic as two different EDSG services and use different charging levels to charge traffic of the two EDSG services.

·     Independent rate limit—Provides independent rate limit for each EDSG service of the user. For example, if a user subscribes to an online video service from a website, the service provider authorizes the corresponding EDSG service policy to the user. The policy will perform independent accounting on the online video service and preferentially guarantee the bandwidth for the service when congestion occurs.

·     Dynamic authorization—Authorizes one or more EDSG service policies to a user based on the service requirements of the user. If the user stops an EDSG service, the device cancels authorization of the corresponding EDSG service policies.

Restrictions and guidelines

EDSG services are supported only for IPoE and PPPoE users. IPoE users include static users, unknown sourced users, DHCP users, and IPoE Web-authenticated users.

For a user, the priorities of ITA policies and EDSG service policies are as follows:

·     If the RADIUS server assigns both an ITA policy and EDSG service policies to the user, only the ITA policy takes effect.

·     If the RADIUS server assigns only EDSG service policies to the user, the EDSG policies take effect.

EDSG policies and inbound rate limit (configured by using qos lr inbound) cannot take effect at the same time. If both features are configured, EDSG policies take effect.

You cannot configure EDSG policies and the following user-based QoS policies at the same time:

·     User-based GTS (configured by using qos gts in user profile view).

·     Queue configuration for session packets that use the user profile (configured by using qos queue in user profile view).

·     QoS outbound weight (configured by using qos weight outbound in user profile view).

·     Applying a queue scheduling profile (configured by using qos apply qmprofile in user profile view).

For EDSG service policies to take effect correctly, make sure the enabling status of dual-stack separate rate limit (configured by using rate-limit dual-stack separate) is the same for different EDSG service policies.

For the same user, do not configure EDSG service policies and interface-based QoS policy application (qos apply scheduler-policy in interface view) at the same time.

When the RADIUS server assigns EDSG service policies, follow these restrictions and guidelines:

·     If the RADIUS server assigns multiple EDSG service policies that have different IDs, all the assigned EDSG service policies take effect. If the RADIUS server assigns multiple EDSG service policies that have the same ID, the EDSG service policy that successfully triggers EDSG authentication takes effect.

·     If the RADIUS server authorizes CAR parameters to a user after the user passes EDSG authentication, the assigned CAR parameters take priority over those specified in the EDSG service policy.

·     The device supports EDSG service policy names and EDSG usernames and passwords assigned by the RADIUS server only through proprietary attributes H3C-AV-Pair and Cisco-AVPair. If the RADIUS server assigns the information through other attributes, you must enable the RADIUS attribute translation feature and configure attribute conversion rules on the device.

·     The EDSG username specified on the RADIUS server cannot contain more than 253 characters. The password for a PPP user cannot contain more than 128 characters and the password for an IPoE user cannot contain more than 64 characters.

·     If the RADIUS server assigns multiple EDSG service policies, make sure all the policies have the same rate limit mode for IPv4 and IPv6 EDSG traffic.

The device stops providing an EDSG service for a user when one of the following conditions exists:

·     The route between the device and the RADIUS server becomes unreachable.

·     The user has used up all the data quota.

·     The user's session timer expires.

·     The start-accounting or update-accounting process for the EDSG service fails.

·     The user's non-EDSG session is terminated.

When you configure EDSG service traffic rate limit, follow these restrictions and guidelines:

·     For the same user, EDSG in-band rate limit takes precedence over the following group-based QoS policies:

¡     GTS configured for a session group profile (configured by using qos gts in session group profile view).

¡     QoS outbound weight for a session group profile (configured by using qos weight outbound in session group profile view).

¡     Queue scheduling profile applied to a session group profile (configured by using qos apply qmprofile in session group profile view).

·     EDSG in-band inbound rate limit (car inbound) can take effect at the same time with the user priority (authorization-attribute user-priority), but outbound rate limit (car outbound) cannot. EDSG in-band outbound rate limit takes precedence over the user priority configuration.

·     For EDSG policies to take effect, do not configure the following features if in-band EDSG rate limit is configured:

¡     Priority trust mode for an interface (qos trust).

¡     CBQ queue. For more information about CBQ queue, see configuring QoS in ACL and QoS Configuration Guide.

¡     Local precedence marking action in a traffic behavior (remark local-precedence).

¡     Action of marking a forwarding class (remark forwarding-class).

¡     Local QoS ID marking action in a traffic behavior (remark qos-local-id).

For more information about EDSG rate limit mode (in-band or out-of-band), see configuring AAA in BRAS Services Configuration Guide.

Configuring an EDSG service policy

Prerequisites

Before configuring EDSG service policies on the device, perform the following tasks:

·     On the RADIUS server, specify EDSG service policies to be assigned to users.

·     To use an EDSG username and an EDSG password to perform EDSG authentication on a user, specify the username and password on the RADIUS server.

·     To perform independent AAA on an EDSG service of a user, configure the authentication, authorization, and accounting methods for the EDSG service on the RADIUS server.

Procedure

1.     Enter system view.

system-view

2.     Create an EDSG service policy and enter EDSG service policy view.

service policy policy-name

3.     Set the ID for the EDSG service policy.

service-id number

By default, no ID is set for an EDSG service policy.

You can set only one ID for an EDSG service policy.

4.     (Optional.) Specify authentication methods for the EDSG service.

authentication-method { none | radius-scheme radius-scheme-name [ none ] }

By default, the device does not perform authentication on the EDSG service.

5.     (Optional.) Specify accounting methods for the EDSG service.

accounting-method { none | radius-scheme radius-scheme-name [ none ] }

By default, the device does not perform accounting on the EDSG service.

6.     Set the rate limit mode for EDSG services.

service rate-limit mode { merge | separate }

By default, the rate limit mode in ISP domain view is used for EDSG services.

The rate limit mode set in EDSG service policy view takes precedence over the rate limit mode set in ISP domain view.

7.     (Optional.) Set CAR parameters for the EDSG service.

car { inbound | outbound } cir cir-value [ pir pir-value ] [ cbs cbs-value ] [ ebs ebs-value ]

By default, no CAR parameters are set for the EDSG service.

8.     (Optional.) Set the EDSG traffic statistics mode.

traffic statistics { merge | separate }

By default, the separate mode is used for EDSG traffic statistics. The device excludes the amount of EDSG traffic from the overall traffic.

9.     (Optional.) Enable separate mode to separately limit the rates of IPv4 and IPv6 EDSG traffic.

rate-limit dual-stack separate

By default, separate rate limit mode for IPv4 and IPv6 EDSG traffic is disabled. The device collectively limits the rate of IPv4 and IPv6 EDSG traffic.

This feature takes effect only when the rate limit mode for EDSG services is set to in-band. To set the rate limit mode for EDSG services to in-band, use the service rate-limit mode merge command in ISP domain view or EDSG service policy view.
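Added example (not part of the H3C guide): a small Python check that reads EDSG service policy views from a saved configuration and flags the conditions this section and the restrictions above describe: a policy with no service-id, rate-limit dual-stack separate enabled on some policies but not others, rate-limit dual-stack separate combined with an explicit service rate-limit mode separate, and several policies sharing one service ID. It assumes the saved configuration lists each view as an unindented header line followed by indented commands, with # between views; the sample text and the policy names video and intranet are constructed.

```python
def parse_service_policies(config):
    """Map each EDSG service policy name to the commands in its view."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("service policy "):
            current = line.split()[2]
            policies[current] = []
        elif line[:1].isspace() and current is not None:
            policies[current].append(line.strip())
        else:
            current = None  # "#" or any other top-level line ends the view
    return policies


def lint_policies(config):
    """Return (code, detail) findings for the EDSG policies in the text."""
    findings, ids, separate = [], {}, {}
    for name, cmds in parse_service_policies(config).items():
        sid = [c.split()[1] for c in cmds if c.startswith("service-id ")]
        if not sid:
            # By default no ID is set, and traffic is marked by service ID.
            findings.append(("NO_SERVICE_ID", name))
        else:
            ids.setdefault(sid[-1], []).append(name)
        separate[name] = "rate-limit dual-stack separate" in cmds
        # Dual-stack separate rate limit only works in in-band (merge) mode.
        # A policy without an explicit mode inherits the ISP domain setting,
        # which this check cannot see, so only the explicit case is flagged.
        if separate[name] and "service rate-limit mode separate" in cmds:
            findings.append(("DUAL_STACK_NO_EFFECT", name))
    for sid, names in ids.items():
        if len(names) > 1:
            # If RADIUS assigns several policies with one ID, only the policy
            # that successfully triggers EDSG authentication takes effect.
            findings.append(("SHARED_SERVICE_ID", sid + ":" + ",".join(names)))
    if len(set(separate.values())) > 1:
        # The enabling status must be the same for all EDSG service policies.
        missing = ",".join(n for n, on in separate.items() if not on)
        findings.append(("DUAL_STACK_MISMATCH", missing))
    return findings


# Policy sp1 as configured in the EDSG example of this guide.
PAGE_SP1 = """#
service policy sp1
 authentication-method radius-scheme rs2
 accounting-method radius-scheme rs2
 service-id 1
#
"""

# Constructed configuration with three problems.
SAMPLE = """#
service policy sp1
 service-id 1
 authentication-method radius-scheme rs2
 accounting-method radius-scheme rs2
 service rate-limit mode merge
 rate-limit dual-stack separate
#
service policy video
 service-id 1
 service rate-limit mode separate
 rate-limit dual-stack separate
#
service policy intranet
 car inbound cir 700000 pir 800000
#
"""

if __name__ == "__main__":
    for code, detail in lint_policies(SAMPLE):
        print(code, detail)
```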

Display and maintenance commands for EDSG service policies

Execute display commands in any view.

 

Task: Display EDSG service policy information.
Command: display service policy [ policy-name ]

Task: Display statistics about EDSG service users.
Command: display value-added-service user edsg

Task: Display information about an EDSG user that uses a specific IP address.
Command: display value-added-service user { ip-address ipv4-address | ipv6-address ipv6-address } [ vpn-instance vpn-instance-name ] [ verbose ]

Task: Display information about an EDSG user that uses a specific ID.
Command: display value-added-service user user-id user-id edsg [ service-id service-id ]

Task: Display information about an EDSG user that uses a specific username.
Command: display value-added-service user username username [ verbose ]

 

 

NOTE:

For more information about commands used to display ITA service user information, see AAA commands in BRAS Services Command Reference.

 

Example: Configuring EDSG for IPoE users

Network configuration

As shown in Figure 2, the router performs IPoE authentication. The router marks user packets destined for the Web server and those originated from the Web server as EDSG service packets.

RADIUS server 1 uses attributes H3C-AV-Pair, Cisco-AVPair, and H3c-Server-String to assign EDSG usernames, EDSG passwords, and EDSG policy names, respectively.

Configure the router to meet the following requirements:

·     Use RADIUS server 1 to perform authentication, authorization, and accounting on non-EDSG services.

·     Use RADIUS server 2 to perform authentication, authorization, and accounting on EDSG services.

·     Use RADIUS server 2 to assign CAR parameters for EDSG services.

·     Enable the attribute translation feature and configure a RADIUS attribute conversion rule to convert the H3c-Server-String attribute to the H3c-AVPair attribute.

The RADIUS servers are FreeRADIUS servers.

Figure 2 Network diagram

 

Prerequisites

Configure IP addresses for interfaces, and make sure the network connections are available.

Restrictions and guidelines

The EDSG username for a user cannot contain more than 253 characters. The EDSG password for a PPP user cannot contain more than 128 characters, and that for an IPoE user cannot contain more than 64 characters.

Configuring the RADIUS servers

1.     Add the following RADIUS client information to the clients.conf files on RADIUS server 1 and RADIUS server 2.

client 4.4.4.2/32 {
    ipaddr = 4.4.4.2
    netmask = 32
    secret = radius
}

client 5.5.5.2/32 {
    ipaddr = 5.5.5.2
    netmask = 32
    secret = radius
}

2.     Add the following information to the users file on RADIUS server 1.

2.2.2.2 Cleartext-Password := "radius"
    H3C-AV-Pair := "edsg-policy:activelist=sp1",
    Cisco-AVPair := "edsg-policy:username=[sp1]edsg",
    H3c-Server-String := "edsg-policy:password=[sp1]abc"

The information indicates the following:

¡     The password of the IPoE user at 2.2.2.2 is radius.

¡     The authorization EDSG service policy for the user is EDSG service policy sp1.

¡     The EDSG username and password for the user are edsg and abc, respectively.

3.     Add the following information to the users file on RADIUS server 2.

edsg Cleartext-Password := "abc"
    H3c-Input-Average-Rate := 700000,
    H3c-Input-Peak-Rate := 800000,
    H3C-Output-Average-Rate = 1000003,
    H3C-Output-Peak-Rate = 1000004

The information indicates that the EDSG password of EDSG user edsg is abc and the authorization CAR parameters for the user are as follows:

¡     For upstream traffic, the CIR is 700000 bps and the PIR is 800000 bps.

¡     For downstream traffic, the CIR is 1000003 bps, and the PIR is 1000004 bps.
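Added example (not part of the H3C guide): a Python check that can be run over a FreeRADIUS users-file entry before it is deployed. It parses the edsg-policy pairs shown above and applies the limits from the restrictions in this guide: EDSG information carried in an attribute other than H3C-AV-Pair or Cisco-AVPair needs attribute translation and a conversion rule on the router, usernames are limited to 253 characters, and passwords to 64 (IPoE) or 128 (PPP) characters. Assumptions: the [policy] prefix ties a username or password to one policy name, each activelist pair carries one policy name, and the second entry is constructed.

```python
import re

# Limits and attribute names come from the restrictions listed in this guide.
MAX_USERNAME = 253
MAX_PASSWORD = {"ipoe": 64, "ppp": 128}
NATIVE_ATTRS = {"h3c-av-pair", "cisco-avpair"}

# Attribute, operator and quoted value as written in a FreeRADIUS users file.
ATTR_RE = re.compile(r'([A-Za-z0-9-]+)\s*(:=|\+=|==|=)\s*"([^"]*)"')
# edsg-policy:<key>=<value>
EDSG_RE = re.compile(r"^edsg-policy:(activelist|username|password)=(.*)$")
# Assumption: "[policy]text" ties a username or password to one policy name.
SCOPED_RE = re.compile(r"^\[([^\]]+)\](.*)$")

# The users-file entry for RADIUS server 1 shown above.
PAGE_ENTRY = '''2.2.2.2 Cleartext-Password := "radius"
    H3C-AV-Pair := "edsg-policy:activelist=sp1",
    Cisco-AVPair := "edsg-policy:username=[sp1]edsg",
    H3c-Server-String := "edsg-policy:password=[sp1]abc"
'''

# Constructed entry: username scoped to a policy that is not in the active
# list, and a 65-character password (one over the IPoE limit).
BAD_ENTRY = (
    '192.0.2.10 Cleartext-Password := "example"\n'
    '    H3C-AV-Pair := "edsg-policy:activelist=sp1",\n'
    '    H3C-AV-Pair += "edsg-policy:username=[sp2]video",\n'
    '    H3C-AV-Pair += "edsg-policy:password=[sp1]' + "p" * 65 + '"\n'
)


def parse_edsg_pairs(entry):
    """Return (attribute, key, value) for every edsg-policy pair in the entry."""
    found = []
    for attr, _op, value in ATTR_RE.findall(entry):
        m = EDSG_RE.match(value)
        if m:
            found.append((attr, m.group(1), m.group(2)))
    return found


def lint_entry(entry, access="ipoe", translated=()):
    """Check one users-file entry and return a list of (code, detail) findings.

    access     -- "ipoe" or "ppp"; selects the password length limit
    translated -- attribute names that have a conversion rule on the router
                  (attribute translate plus attribute convert ... received)
    """
    pairs = parse_edsg_pairs(entry)
    translated = {a.lower() for a in translated}
    active = {v for _a, k, v in pairs if k == "activelist"}
    findings = []
    for attr, key, value in pairs:
        if attr.lower() not in NATIVE_ATTRS and attr.lower() not in translated:
            findings.append(("NEEDS_TRANSLATION", attr))
        if key == "activelist":
            continue
        m = SCOPED_RE.match(value)
        if not m:
            # Report the attribute only, never the credential text itself.
            findings.append(("MALFORMED", attr))
            continue
        policy, text = m.groups()
        if policy not in active:
            findings.append(("UNKNOWN_POLICY", policy))
        limit = MAX_USERNAME if key == "username" else MAX_PASSWORD[access]
        if len(text) > limit:
            findings.append((key.upper() + "_TOO_LONG", policy))
    return findings


if __name__ == "__main__":
    print(lint_entry(PAGE_ENTRY))
    print(lint_entry(PAGE_ENTRY, translated=["H3c-Server-String"]))
    print(lint_entry(BAD_ENTRY))
```

For the entry from this guide, the only finding is the H3c-Server-String attribute, which is the case the router configuration below handles with attribute translate and attribute convert.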

Configuring the router

1.     Configure a RADIUS scheme:

# Create a RADIUS scheme named rs1 and enter its view.

<Router> system-view

[Router] radius scheme rs1

# Specify the primary authentication server.

[Router-radius-rs1] primary authentication 4.4.4.1

# Specify the primary accounting server.

[Router-radius-rs1] primary accounting 4.4.4.1

# Set the authentication shared key to radius in plaintext form for secure RADIUS communication.

[Router-radius-rs1] key authentication simple radius

# Set the accounting shared key to radius in plaintext form for secure RADIUS communication.

[Router-radius-rs1] key accounting simple radius

# Exclude domain names from the usernames sent to the RADIUS server.

[Router-radius-rs1] user-name-format without-domain

# Enable the RADIUS attribute translation feature.

[Router-radius-rs1] attribute translate

# Configure a RADIUS attribute conversion rule to replace the H3c-Server-String attribute of received RADIUS packets with the H3c-AVPair attribute.

[Router-radius-rs1] attribute convert H3c-Server-String to H3c-AVPair received

[Router-radius-rs1] quit

# Create a RADIUS scheme named rs2.

[Router] radius scheme rs2

# Specify the primary authentication server.

[Router-radius-rs2] primary authentication 5.5.5.1

# Set the shared key to radius in plaintext form for secure RADIUS communication with the authentication server.

[Router-radius-rs2] key authentication simple radius

# Specify the primary accounting server.

[Router-radius-rs2] primary accounting 5.5.5.1

# Set the shared key to radius in plaintext form for secure RADIUS communication with the accounting server.

[Router-radius-rs2] key accounting simple radius

# Exclude domain names from the usernames sent to the RADIUS server.

[Router-radius-rs2] user-name-format without-domain

[Router-radius-rs2] quit

2.     Configure an EDSG service policy:

# Create an EDSG service policy named sp1 and enter its view.

[Router] service policy sp1

# Configure the authentication and accounting methods for EDSG users.

[Router-service-policy-sp1] authentication-method radius-scheme rs2

[Router-service-policy-sp1] accounting-method radius-scheme rs2

# Set the EDSG service ID to 1.

[Router-service-policy-sp1] service-id 1

[Router-service-policy-sp1] quit

3.     Configure an authentication domain:

# Create an ISP domain named dm1 and enter its view.

[Router] domain name dm1

# Configure the ISP domain to use RADIUS scheme rs1 for authentication, authorization, and accounting of IPoE users.

[Router-isp-dm1] authentication ipoe radius-scheme rs1

[Router-isp-dm1] authorization ipoe radius-scheme rs1

[Router-isp-dm1] accounting ipoe radius-scheme rs1

[Router-isp-dm1] quit

4.     Configure IPoE authentication:

# Enter the view of Ten-GigabitEthernet 3/0/1.

[Router] interface ten-gigabitethernet 3/0/1

# Enable IPoE and configure the Layer 3 access mode for all IPv4 users on Ten-GigabitEthernet 3/0/1.

[Router-ten-GigabitEthernet3/0/1] ip subscriber routed enable

# Enable the IPv4 unclassified-IP user.

[Router-ten-GigabitEthernet3/0/1] ip subscriber initiator unclassified-ip enable

# Configure ISP domain dm1 for IPv4 unclassified-IP users.

[Router-ten-GigabitEthernet3/0/1] ip subscriber unclassified-ip domain dm1

# Configure the plaintext password as radius for IPv4 individual users.

[Router-ten-GigabitEthernet3/0/1] ip subscriber password plaintext radius

[Router-ten-GigabitEthernet3/0/1] quit

5.     Configure a QoS policy:

# Create advanced ACL 3000, and configure a permit rule to match packets destined for the Web server.

[Router] acl advanced 3000

[Router-acl-ipv4-adv-3000] rule 0 permit ip destination 1.1.1.1 0

[Router-acl-ipv4-adv-3000] quit

# Create advanced ACL 3001, and configure a permit rule to match packets originated from the Web server.

[Router] acl advanced 3001

[Router-acl-ipv4-adv-3001] rule 0 permit ip source 1.1.1.1 0

[Router-acl-ipv4-adv-3001] quit

# Create a traffic class named sp1, and use advanced ACL 3000 as the match criterion in the traffic class.

[Router] traffic classifier sp1

[Router-classifier-sp1] if-match acl 3000

[Router-classifier-sp1] quit

# Create a traffic class named sp2, and use advanced ACL 3001 as the match criterion in the traffic class.

[Router] traffic classifier sp2

[Router-classifier-sp2] if-match acl 3001

[Router-classifier-sp2] quit

# Create a traffic behavior named sp1, and configure the action of marking the EDSG service ID as 1.

[Router] traffic behavior sp1

[Router-behavior-sp1] remark service-id 1

[Router-behavior-sp1] quit

# Create a traffic behavior named sp2, and configure the action of marking the EDSG service ID as 1.

[Router] traffic behavior sp2

[Router-behavior-sp2] remark service-id 1

[Router-behavior-sp2] quit

# Create a QoS policy named sp1, and associate traffic class sp1 with traffic behavior sp1 in the QoS policy.

[Router] qos policy sp1

[Router-qospolicy-sp1] classifier sp1 behavior sp1

[Router-qospolicy-sp1] quit

# Create a QoS policy named sp2, and associate traffic class sp2 with traffic behavior sp2 in the QoS policy.

[Router] qos policy sp2

[Router-qospolicy-sp2] classifier sp2 behavior sp2

[Router-qospolicy-sp2] quit

# Apply QoS policy sp1 to the incoming traffic of Ten-GigabitEthernet 3/0/1 and QoS policy sp2 to the outgoing traffic of Ten-GigabitEthernet 3/0/1.

[Router] interface ten-gigabitethernet 3/0/1

[Router-ten-GigabitEthernet3/0/1] qos apply policy sp1 inbound

[Router-ten-GigabitEthernet3/0/1] qos apply policy sp2 outbound

[Router-ten-GigabitEthernet3/0/1] quit

Verifying the configuration

# Display statistics about value-added-service users. Verify that the IPoE user has been assigned EDSG service policies.

[Router] display value-added-service user

 
