BRAS IPOE authentication fail switchover to other authentication domain
- 0 Followed
- 0Collected ,9Browsed
Problem Description
Customer requirements are as follows:
All users are on the same downlink port. For terminals without MAC binding attempting to go online for the first time, PORTAL authentication is performed first. During authentication, they can select binding MAC to go online or one-time online. If binding MAC to go online is selected, the RADIUS will record the MAC.
Huawei BRAS implementation method: It first performs an IPOE MAC authentication. If the authentication fails, the terminal is redirected to the preauthentication domain of IPOE WEB for WEB authentication. After MAC binding, the address pool takes effect during the next IPOE authentication.
If authentication fails, place it in pre-iswufe; if successful, it becomes iswufe
Process Analysis
None
Solution
Corresponding to our company configuration:
[CR16010-F-Route-Aggregation1.3333]dis th
#
interface Route-Aggregation1.3333
description PORTAL-TEST
ip subscriber initiator arp enable
user-vlan dot1q vid 3333
dhcp session-mismatch action fast-renew
portal bas-ip 10.87.0.6
ip subscriber unclassified-ip ip match 10.195.0.1 10.195.127.253
ip subscriber l2-connected enable
ip subscriber authentication-method web
ip subscriber pre-auth domain officepcipoe
ip subscriber web-auth domain iswufe
ip subscriber initiator unclassified-ip enable
#
return
#
domain name officepcipoe
authentication ipoe radius-scheme shenlan
authorization ipoe radius-scheme shenlan
accounting ipoe radius-scheme shenlan
authen-fail online domain officepcwebbefore
#
return
#
domain name officepcwebbefore
authorization-attribute user-group webbefore
authorization-attribute ip-pool officepc
authentication ipoe none
authorization ipoe none
accounting ipoe none
web-server url http://wifi.swufe.edu.cn
web-server ip 10.9.254.52
web-server ip 10.9.254.53 secondary
web-server url-parameter ac-type value H3c
web-server url-parameter nas-ip value 10.87.0.6
IPoE authentication -- authenticated users enter the pre-domain officepcipoe authentication. If RADIUS authentication fails, switchover to another domain officepcwebbefore, trigger URL IPoE web authentication. At this time, the customized URL binds the MAC and re-authenticates. After successful authentication, users enter the officepcipoe domain. At this point, RADIUS authentication should succeed.