
Huawei Layer 2 Tunneling Protocol (L2TP) Configuration Tutorial (Part 1)
Huawei L2TP theory background: http://www.023wg.com/vpn/379.html
1. Configure AAA authentication and accounting
AAA provides three security functions, authentication, authorization and accounting, which are used to manage access users and ensure that connection requests are handled securely. The LAC and the LNS authenticate remote access users by configuring either AAA local authentication or AAA remote authentication.
When access users can reach the Internet only through the LNS, accounting can be configured on the LNS side to manage the users' online time or traffic volume, so that both online time and traffic can be controlled. The LAC checks the remote user's username or domain name to decide whether to set up a tunnel to the LNS for that user.
Username: suitable when there are few access users and each one is managed individually; every access user occupies its own L2TP tunnel. If remote users are checked by username, the device uses the default domain (default) and the default authentication scheme (default), whose authentication mode is the default local mode, i.e. local authentication.
Domain name: suitable when many users are connected and users of the same type are managed centrally; users with the same domain name share one L2TP tunnel. If remote users are checked by domain name, the domain and the authentication scheme used by that domain must be configured. The AAA authentication configuration on the LAC and on the LNS must be consistent.
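As an added example (it is not part of the original tutorial and not Huawei code), the following Python script models the selection logic described above: it splits a remote user's login name into user and domain, falls back to the default domain when no domain is given, rejects the characters that the CLI help text later on this page lists as invalid, and shows which users end up sharing one L2TP tunnel under username-based versus domain-based checking. The function names and the sample login names are assumptions made for this illustration.

```python
# Added example, not from the tutorial or Huawei: models how an L2TP LAC
# maps a remote user's login name to an AAA domain and groups users into
# tunnels. Function names and sample names are assumptions for illustration.
from collections import defaultdict
from typing import Dict, List, Tuple

DEFAULT_DOMAIN = "default"                      # used when the login name carries no domain
INVALID_USER_CHARS = set('/\\:*?"<>|@\'')       # rejected in a user name (CLI help text on this page)
INVALID_DOMAIN_CHARS = set('*?"')               # rejected in a domain name (CLI help text on this page)


def resolve_domain(login_name: str) -> Tuple[str, str]:
    """Split 'user@domain' into (user, domain); a bare name goes to the default domain."""
    if "@" in login_name:
        user, domain = login_name.split("@", 1)
    else:
        user, domain = login_name, DEFAULT_DOMAIN
    if not 1 <= len(user) <= 64 or any(c in INVALID_USER_CHARS for c in user):
        raise ValueError(f"invalid user name in {login_name!r}")
    if not 1 <= len(domain) <= 64 or any(c in INVALID_DOMAIN_CHARS for c in domain):
        raise ValueError(f"invalid domain name in {login_name!r}")
    return user, domain


def plan_tunnels(login_names: List[str], check_by: str = "domain") -> Dict[str, List[str]]:
    """Return {tunnel key: [login names]}.

    check_by="username": every user gets its own tunnel (key = full login name).
    check_by="domain":   users with the same domain share one tunnel (key = domain).
    """
    if check_by not in ("username", "domain"):
        raise ValueError("check_by must be 'username' or 'domain'")
    tunnels: Dict[str, List[str]] = defaultdict(list)
    for name in login_names:
        _user, domain = resolve_domain(name)
        key = domain if check_by == "domain" else name
        tunnels[key].append(name)
    return dict(tunnels)


if __name__ == "__main__":
    # Constructed sample login names for the demonstration.
    sample = ["LAC001@023wg.com", "LAC002@023wg.com", "guest"]
    print(plan_tunnels(sample, "domain"))    # two users share the 023wg.com tunnel, guest uses default
    print(plan_tunnels(sample, "username"))  # three separate tunnels
```

The grouping is what decides the tunnel count on the LAC: with domain-based checking, adding a second user in 023wg.com changes nothing on the wire, whereas with username-based checking every new user costs a new tunnel and lands in the default domain's local scheme unless a domain is supplied.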
1. Configure local authentication
1.1 Enter the AAA view
[Huawei]aaa
[Huawei-aaa]
1.2 Create an authentication scheme and enter the authentication scheme view
[Huawei-aaa]authentication-scheme ?
STRING<1-32> Scheme name,can not include invalid character \ / : < > | @ ' % * " ?
[Huawei-aaa]authentication-scheme 023wg.com
Info: Create a new authentication scheme.
[Huawei-aaa-authen-023wg.com]
1.3 Set the authentication mode to local, i.e. local authentication
[Huawei-aaa-authen-023wg.com]authentication-mode ?
hwtacacs HWTACACS
local Local
none None
radius RADIUS
[Huawei-aaa-authen-023wg.com]authentication-mode local
1.4 Create a user domain and enter the domain view (run quit first to return from the authentication scheme view to the AAA view)
[Huawei-aaa]domain ?
STRING<1-64> Domain name, can not include invalid character * ? " - --
[Huawei-aaa]domain 023wg.com
Info: Success to create a new domain.
[Huawei-aaa-domain-023wg.com]
1.5 Assign the authentication scheme to the newly created domain
[Huawei-aaa-domain-023wg.com]authentication-scheme ?
STRING<1-32> Scheme name,can not include invalid character \ / : < > | @ ' % * " ?
[Huawei-aaa-domain-023wg.com]authentication-scheme 023wg.com
1.6 Configure a local username and password; they are stored on the device as the VPDN user information used to authenticate remote access users (run quit first to return from the domain view to the AAA view)
[Huawei-aaa]local-user ?
STRING<1-64> User name, in form of 'user@domain'. Can use wildcard '*',
while displaying and modifying, such as *@isp,user@*,*@*.Can
not include invalid character / \ : * ? " < > | @ '
[Huawei-aaa]local-user LAC001 ?
access-limit Set access limit of user(s)
ftp-directory Set user(s) FTP directory permitted
idle-timeout Set the timeout period for terminal user(s)
password Set password
privilege Set admin user(s) level
service-type Service types for authorized user(s)
state Activate/Block the user(s)
user-group User group
[Huawei-aaa]local-user LAC001 password ?
cipher User password with cipher text
[Huawei-aaa]local-user LAC001 password cipher ?
STRING<1-32>/<32-56> The UNENCRYPTED/ENCRYPTED password string
[Huawei-aaa]local-user LAC001 password cipher www.023wg.com
1.7 Set the local user's service type. L2TP is negotiated over PPP, so the user type must be ppp.
[Huawei-aaa]local-user lac001 service-type ?
8021x 802.1x user
bind Bind authentication user
ftp FTP user
http Http user
l2tp L2tp user
ppp PPP user
ssh SSH user
sslvpn Sslvpn user
telnet Telnet user
terminal Terminal user
web Web authentication user
x25-pad X25-pad user
[Huawei-aaa]local-user lac001 service-type ppp
2. Configure remote authentication and accounting
2.1 Create a RADIUS server template and enter the RADIUS server template view, in which the RADIUS server parameters are configured.
[Huawei]radius-server ?
authorization RADIUS authorization server
template Add or delete RADIUS server template
[Huawei]radius-server template ?
STRING<1-32> RADIUS server template's name
[Huawei]radius-server template 023wg.com
Info: Create a new server template.
[Huawei-radius-023wg.com]
2.2 Configure the RADIUS authentication server's IP address and port number
[Huawei-radius-023wg.com]radius-server ?
accounting Configure accounting server
accounting-stop-packet Configure the resending value of accounting-stop-packet
attribute Configure the function of attribute translation
authentication Configure authentication server
dead-time Configure dead time
detect-server Detect-server
nas-port-format Configure NAS-Port format
nas-port-id-format Configure NAS-Port-Id format
retransmit Configure server retransmission
shared-key Configure server shared-key
testuser Testuser
timeout Configure server timeout
traffic-unit Configure the octets of format
user-name Configure the format of username
[Huawei-radius-023wg.com]radius-server authentication ?
X.X.X.X IP address of the server
X:X::X:X IPv6 address of the server
[Huawei-radius-023wg.com]radius-server authentication 10.1.1.2 ?
INTEGER<1-65535> Port of the server
[Huawei-radius-023wg.com]radius-server authentication 10.1.1.2 9999
2.3 Configure the RADIUS accounting server's address and port number
[Huawei-radius-023wg.com]radius-server accounting ?
X.X.X.X IP address of the server
X:X::X:X IPv6 address of the server
[Huawei-radius-023wg.com]radius-server accounting 10.1.1.3 ?
INTEGER<1-65535> Port of the server
[Huawei-radius-023wg.com]radius-server accounting 10.1.1.3 9999
2.4 Configure the shared key used when communicating with the RADIUS server
[Huawei-radius-023wg.com]radius-server shared-key ?
STRING<1-16>/<32> The UNENCRYPTED/ENCRYPTED password string
cipher Radius server password with cipher text
simple Radius server password with plain text
[Huawei-radius-023wg.com]radius-server shared-key cipher ?
STRING<1-16>/<32> The UNENCRYPTED/ENCRYPTED password string
[Huawei-radius-023wg.com]radius-server shared-key cipher www.023wg.com
2.5 Create an authentication scheme and set the authentication mode to radius, i.e. RADIUS server authentication (run quit to leave the RADIUS template view and enter the AAA view with aaa first)
[Huawei-aaa]authentication-scheme 023wg.com
[Huawei-aaa-authen-023wg.com]authentication-mode ?
hwtacacs HWTACACS
local Local
none None
radius RADIUS
[Huawei-aaa-authen-023wg.com]authentication-mode radius
2.6 Create an accounting scheme and set the accounting mode to RADIUS accounting (run quit first to return to the AAA view).
[Huawei-aaa]accounting-scheme 023wg.com
[Huawei-aaa-accounting-023wg.com]
[Huawei-aaa-accounting-023wg.com]accounting-mode radius
2.7 Configure the policy applied when start-accounting fails
[Huawei-aaa-accounting-023wg.com]accounting ?
interim-fail Remote realtime accounting fail policy
realtime Interim accounting
start-fail Remote start accounting fail policy
[Huawei-aaa-accounting-023wg.com]accounting start-fail ?
offline Offline # users are not allowed online if accounting fails
online Online # users are allowed online even if accounting fails
2.8 Enable real-time accounting and set the accounting interval
[Huawei-aaa-accounting-023wg.com]accounting realtime ?
INTEGER<0-65535> Accounting interval <minute>
[Huawei-aaa-accounting-023wg.com]accounting realtime 10
2.9 Configure the maximum number of unanswered real-time accounting requests allowed, and the policy applied when real-time accounting fails
[Huawei-aaa-accounting-023wg.com]accounting interim-fail ?
max-times Allow realtime accounting fail times
offline Offline
online Online
[Huawei-aaa-accounting-023wg.com]accounting interim-fail max-times ?
INTEGER<1-255> Fail times
[Huawei-aaa-accounting-023wg.com]accounting interim-fail max-times 10 ?
offline Offline
online Online
2.10 Create the user domain, assign the authentication scheme to the domain, and bind the RADIUS server template to the domain (run quit first to return from the accounting scheme view to the AAA view)
[Huawei-aaa]domain 023wg.com
[Huawei-aaa-domain-023wg.com]
[Huawei-aaa-domain-023wg.com]authentication-scheme 023wg.com
[Huawei-aaa-domain-023wg.com]radius-server 023wg.com
2.11 Configure the accounting scheme for the domain
[Huawei-aaa-domain-023wg.com]accounting-scheme 023wg.com
2.12 If traffic-based accounting is used, enable traffic statistics in the domain
[Huawei-aaa-domain-023wg.com]statistic enable
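To tie the two procedures together, here is an added Python example (it is neither code from the tutorial nor Huawei's) that builds the AAA command sequence of sections 1 and 2 from a small parameter set, validates the values against the ranges printed by the CLI help on this page (scheme name 1-32 characters, port 1-65535, plain-text shared key 1-16 characters, real-time interval 0-65535 minutes, interim-fail max-times 1-255), and compares the authentication-related lines of two generated configurations to check the LAC/LNS consistency requirement stated in the introduction. The RadiusProfile dataclass and the function names are assumptions made for this illustration; the sample addresses, ports and key reuse the tutorial's values.

```python
# Added example, not from the tutorial or Huawei: generates the VRP AAA
# command sequence from sections 1 and 2, checks values against the ranges
# shown in the CLI help text, and checks LAC/LNS consistency of the
# authentication part. Names, the dataclass and sample values are assumptions.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Scheme/domain name rule from the help text: 1-32 chars, none of \ / : < > | @ ' % * " ?
NAME_RE = re.compile(r'^[^\\/:<>|@\'%*"?]{1,32}$')
FAIL_POLICIES = ("offline", "online")


@dataclass
class RadiusProfile:
    auth_server: str
    auth_port: int
    acct_server: str
    acct_port: int
    shared_key: str              # plain-text form, 1-16 chars per the help text
    start_fail: str = "offline"  # refuse access when start-accounting fails
    realtime_minutes: int = 10
    interim_max_times: int = 10
    interim_fail: str = "offline"
    traffic_statistics: bool = True


def validate(name: str, radius: Optional[RadiusProfile]) -> List[str]:
    """Return the list of parameter problems; an empty list means all values are in range."""
    problems = []
    if not NAME_RE.match(name):
        problems.append("name must be 1-32 chars without \\ / : < > | @ ' % * \" ?")
    if radius is None:
        return problems
    for label, port in (("authentication", radius.auth_port), ("accounting", radius.acct_port)):
        if not 1 <= port <= 65535:
            problems.append(f"{label} port {port} outside 1-65535")
    if not 1 <= len(radius.shared_key) <= 16:
        problems.append("shared key must be 1-16 chars")
    if not 0 <= radius.realtime_minutes <= 65535:
        problems.append("realtime interval outside 0-65535 minutes")
    if not 1 <= radius.interim_max_times <= 255:
        problems.append("interim-fail max-times outside 1-255")
    if radius.start_fail not in FAIL_POLICIES or radius.interim_fail not in FAIL_POLICIES:
        problems.append("fail policies must be 'offline' or 'online'")
    return problems


def render(name: str, radius: Optional[RadiusProfile], users: Optional[Dict[str, str]] = None) -> List[str]:
    """Emit the commands in the order the tutorial applies them (radius=None gives local mode)."""
    problems = validate(name, radius)
    if problems:
        raise ValueError("; ".join(problems))
    cmds: List[str] = []
    if radius:
        cmds += [f"radius-server template {name}",
                 f"radius-server authentication {radius.auth_server} {radius.auth_port}",
                 f"radius-server accounting {radius.acct_server} {radius.acct_port}",
                 f"radius-server shared-key cipher {radius.shared_key}",
                 "quit"]
    cmds += ["aaa",
             f"authentication-scheme {name}",
             f"authentication-mode {'radius' if radius else 'local'}",
             "quit"]
    if radius:
        cmds += [f"accounting-scheme {name}",
                 "accounting-mode radius",
                 f"accounting start-fail {radius.start_fail}",
                 f"accounting realtime {radius.realtime_minutes}",
                 f"accounting interim-fail max-times {radius.interim_max_times} {radius.interim_fail}",
                 "quit"]
    cmds += [f"domain {name}", f"authentication-scheme {name}"]
    if radius:
        cmds += [f"radius-server {name}", f"accounting-scheme {name}"]
        if radius.traffic_statistics:
            cmds.append("statistic enable")
    cmds.append("quit")
    for user, password in (users or {}).items():
        # Local users are PPP users because L2TP is negotiated over PPP.
        cmds += [f"local-user {user} password cipher {password}",
                 f"local-user {user} service-type ppp"]
    cmds.append("quit")
    return cmds


def auth_lines(cmds: List[str]) -> List[str]:
    """The authentication-related subset that the tutorial says must match on LAC and LNS."""
    return [c for c in cmds if c.startswith(("authentication-", "domain "))]


def consistent(lac_cmds: List[str], lns_cmds: List[str]) -> bool:
    return auth_lines(lac_cmds) == auth_lines(lns_cmds)


if __name__ == "__main__":
    radius = RadiusProfile("10.1.1.2", 9999, "10.1.1.3", 9999, "www.023wg.com")
    print("\n".join(render("023wg.com", radius)))
    print("\n".join(render("023wg.com", None, {"LAC001": "www.023wg.com"})))
```

The defaults keep both fail policies at offline, which is the choice that denies access when the accounting server is unreachable; switching either to online trades that control for availability, and the generator makes the choice explicit rather than relying on whatever the device defaults to.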
Huawei L2TP Configuration Tutorial (Part 2): http://www.023wg.com/vpn/387.html



Article URL: http://www.023wg.com/vpn/384.html
Copyright notice: unless otherwise stated, this article is original content of the "Swiers思唯网络博客" (Swiers network blog); please keep the source when reposting.

