H3C F100-M L2TP + WinRadius configuration tutorial (with screenshots)

[H3C]dis ve

H3C Comware Software

Comware software, Version 3.40, Release 1661

Copyright (c) 2004-2009 Hangzhou H3C Technologies Co., Ltd.

All rights reserved.

Without the owner's prior written consent, no decompiling

nor reverse-engineering shall be allowed.

H3C SecPath F100-M uptime is 4 weeks, 0 day, 8 hours, 5 minutes


 CPU type: Mips IDT RC32438 266MHz

 256M bytes DDR SDRAM Memory

 16M bytes Flash Memory

 Pcb      Version:3.0

 Logic    Version:1.0

 BootROM  Version:1.18

 [SLOT 0] 3FE      (Hardware)3.0, (Driver)2.0, (Cpld)1.0


[H3C]dis cu

#

sysname H3C

#

l2tp enable                //Enable L2TP (turn on the firewall's L2TP function)

#

firewall packet-filter enable            //Enable the packet-filter firewall

#

firewall packet-filter default permit     //Set the default filtering action to permit packets

#

nat dns-map www.abc.com X.X.X.X tcp      //Domain-name mapping for the internal web server

#

firewall statistic system enable         //Enable firewall traffic monitoring statistics

#

DNS server 61.134.1.4     //Set the primary DNS server address

DNS server 218.30.19.40   //Set the secondary DNS server address

#

radius scheme system

server-type extended                     

radius scheme vpdn                            //Create the RADIUS scheme vpdn

server-type standard                         //Standard (RFC-compliant) RADIUS server

primary authentication 10.0.0.11 1812   //Primary RADIUS authentication server IP address and port (default port 1812)

primary accounting 10.0.0.11 1813       //Primary RADIUS accounting server IP address and port (default port 1813)

accounting optional                          //Make accounting optional

key authentication vpdn                      //Shared key for the RADIUS authentication server

key accounting vpdn                          //Shared key for the RADIUS accounting server

timer response-timeout 5                     //Response timeout of 5 seconds

retry 5                                      //Retransmit a request up to 5 times

user-name-format without-domain              //Send user names to the RADIUS server without the domain name

#

domain system

domain vpdn                                   //Add the domain vpdn

scheme radius-scheme vpdn                    //Use the RADIUS scheme vpdn for authentication in this domain

ip pool 1 172.16.200.100 172.16.200.200      //Address pool for PPP users in this domain

#

local-user admin             //Create the local user admin

password cipher XXXX        //Set a password for admin, stored as cipher text

service-type telnet         //Service type for this local user: telnet

level 3                     //User privilege level 3 (default is 1; 3 is the highest)

#

dhcp server ip-pool 30                    //Create a DHCP address pool

network 10.0.0.1 mask 255.255.255.0      //IP address range and mask for the DHCP pool

gateway-list 192.168.3.1                 //Gateway for the DHCP pool

dns-list 61.134.1.4 218.30.19.40         //DNS servers for the DHCP pool

#


#

acl number 2000                 //Basic ACL

rule 0 permit                  //Rule permitting all IP packets

#

acl number 3002                //Advanced ACL (the rules in this ACL cover common virus *** ports)


rule 10 deny tcp destination-port eq 445

rule 11 deny udp destination-port eq 445

rule 20 deny tcp destination-port eq 135

rule 21 deny udp destination-port eq 135

rule 30 deny tcp destination-port eq 137

rule 31 deny udp destination-port eq netbios-ns

rule 40 deny tcp destination-port eq 138

rule 41 deny udp destination-port eq netbios-dgm

rule 50 deny tcp destination-port eq 139

rule 51 deny udp destination-port eq netbios-ssn

rule 61 deny udp destination-port eq tftp

rule 70 deny tcp destination-port eq 593

rule 80 deny tcp destination-port eq 4444

rule 90 deny tcp destination-port eq 707

rule 100 deny tcp destination-port eq 1433

rule 101 deny udp destination-port eq 1433

rule 110 deny tcp destination-port eq 1434

rule 111 deny udp destination-port eq 1434

rule 120 deny tcp destination-port eq 5554

rule 130 deny tcp destination-port eq 9996

rule 141 deny udp source-port eq bootps

rule 160 permit icmp icmp-type echo

rule 161 permit icmp icmp-type echo-reply

rule 162 permit icmp icmp-type ttl-exceeded

rule 165 deny icmp

rule 999 permit ip

#
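An added example, not part of the tutorial: a small evaluator that applies the first-match semantics of ACL 3002 to sample packets, so the effect of the WAN filter can be checked before it is trusted. Only an excerpt of the rules is embedded; the named ports (netbios-ns, tftp, bootps) are resolved to their IANA numbers, and an unmatched packet is permitted because of the tutorial's `firewall packet-filter default permit` (together with `rule 999 permit ip`), which makes this ACL a blocklist rather than an allowlist.

```python
import re

# Comware service names used in the tutorial's ACL, resolved to their IANA port numbers.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139, "tftp": 69, "bootps": 67}

# Excerpt of the tutorial's ACL 3002, copied as written (the full ACL has more deny rules).
ACL_3002 = """\
rule 10 deny tcp destination-port eq 445
rule 31 deny udp destination-port eq netbios-ns
rule 61 deny udp destination-port eq tftp
rule 111 deny udp destination-port eq 1434
rule 141 deny udp source-port eq bootps
rule 160 permit icmp icmp-type echo
rule 161 permit icmp icmp-type echo-reply
rule 165 deny icmp
rule 999 permit ip
"""

RULE_RE = re.compile(
    r"rule (?P<id>\d+) (?P<action>permit|deny) (?P<proto>tcp|udp|icmp|ip)"
    r"(?: (?P<dir>destination|source)-port eq (?P<port>\S+))?"
    r"(?: icmp-type (?P<itype>\S+))?$")

def parse_acl(text: str) -> list:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        r = m.groupdict()
        r["id"] = int(r["id"])
        if r["port"] is not None:
            r["port"] = PORT_NAMES.get(r["port"]) or int(r["port"])
        rules.append(r)  # configuration order is preserved
    return rules

def evaluate(rules: list, proto: str, sport=None, dport=None, icmp_type=None) -> tuple:
    """First match wins, in configuration order. With no match the tutorial's
    'firewall packet-filter default permit' lets the packet through."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if r["dir"] == "destination" and r["port"] != dport:
            continue
        if r["dir"] == "source" and r["port"] != sport:
            continue
        if r["itype"] is not None and r["itype"] != icmp_type:
            continue
        return r["action"], r["id"]
    return "permit", None
```

Rule 141 shows why source-port rules matter on the WAN side: a DHCP reply arriving from the Internet (source port 67) is dropped even though nothing else in the list mentions port 68.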

interface Virtual-Template1                      //Create virtual template interface 1

ppp authentication-mode chap domain vpdn        //PPP authentication mode CHAP, using domain vpdn

ppp ipcp dns  1.1.1.1 2.2.2.2                   //DNS parameters (if there is an internal DNS server, replace 1.1.1.1 with its IP address)

ppp ipcp remote-address forced                  //Force the peer to use the IP address assigned by this end

ip address 172.16.200.1 255.255.255.0           //IP address of the virtual template interface

remote address pool 1                           //Address pool for peer IP addresses

firewall packet-filter 2000 inbound             //Apply packet filtering inbound

firewall packet-filter 2000 outbound            //Apply packet filtering outbound (without this, ××× users can only reach the intranet and cannot reach the Internet after dialling in)

#                                         

interface Aux0

async mode flow

#

interface Ethernet0/0                           //Enter the WAN interface view

description WCN_INTERFACE_WAN                  //Description for the WAN interface

ip address X.X.X.X 255.255.255.252     //WAN interface IP address

firewall packet-filter 3002 inbound            //Apply the packet-filter rules inbound on the WAN interface

firewall packet-filter 3002 outbound           //Apply the packet-filter rules outbound on the WAN interface

nat outbound 2000                              //Address translation in Easy IP mode, applying ACL 2000

nat server protocol tcp global current-interface www inside 192.168.100.11 www  //Port mapping for the internal web server

#

interface Ethernet0/1                       //Enter the LAN interface view

pppoe-server bind Virtual-Template 1       //Bind virtual template 1 to the LAN interface

description WCN_INTERFACE_LAN              

ip address 10.0.0.1 255.255.255.0          //LAN IP address  

firewall packet-filter 2000 inbound        //Apply the packet-filter rules inbound on the LAN interface

firewall packet-filter 2000 outbound       //Apply the packet-filter rules outbound on the LAN interface


#

interface Ethernet0/2

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust              //Trust zone

add interface Ethernet0/1       //Add the LAN interface to the trust zone

add interface Virtual-Template1 //Add virtual template interface 1 to the trust zone

set priority 85

#

firewall zone untrust            //Untrust zone

add interface Ethernet0/0       //Add the WAN interface to the untrust zone

set priority 5

#

firewall zone DMZ

set priority 50

#                                         

firewall interzone local trust   

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

l2tp-group 1                     //L2TP group 1

undo tunnel authentication      //Disable L2TP tunnel authentication

allow l2tp virtual-template 1   //Tunnel peer name and virtual template used by this L2TP group

#

dhcp server forbidden-ip 10.0.0.1 10.0.0.20  //IP addresses excluded from DHCP allocation

#

ip route-static 0.0.0.0 0.0.0.0 124.115.213.241 preference 60   //Default route for all internal addresses via the WAN gateway


#


undo firewall defend ip-spoofing   //Disable the firewall's IP-spoofing *** defence

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4             //Enter VTY user interfaces 0 to 4 (to set the Telnet login password)

user privilege level 3            //Privilege level for VTY users

set authentication  password cipher XXXX   //Authentication password for the user interface, stored as cipher text

#

return

[H3C]

=================================================================================================================================


The text marked in blue is the main L2TP-RADIUS configuration.

=================================================================================================================================

Below is the WinRadius configuration example.

1. WinRadius main window

2. WinRadius Operation menu

3. WinRadius Advanced menu

4. WinRadius Settings menu

=============================================================================================================================

                                     Using and configuring WinRadius

  1. Go to WinRadius > Settings > System > System settings and set the NAS secret to the key configured on the firewall with key authentication vpdn, here vpdn.

The authentication port is the default 1812 and the accounting port the default 1813 (you can change them; just configure the matching IP address and port on the firewall).

Tick "Load automatically at system start-up" and "Minimise window at start-up".

As shown in the figure:

  2. Go to WinRadius > Settings > Database > ODBC settings, create a new Winradius.mdb database file in the WinRadius installation folder, then click Auto-configure ODBC.

As shown in the figure:

  3. Go to WinRadius > Advanced > Create RADIUS tables, then restart WinRadius.

As shown in the figure:

  4. Go to WinRadius > Settings > Accounting method and set the accounting method (not needed if you do not require accounting).

  5. Go to WinRadius > Settings > Authentication method and set the WinRadius authentication method (no change needed by default).

As shown in the figure:

If clients overspend (i.e. go into overdraft), it is because RADIUS cannot disconnect a user once authentication has succeeded. In that case, go to WinRadius > Settings > Authentication method > Prepaid, set a prepaid limit for users, and refuse authentication to users whose prepaid balance is below the deposit.

As shown in the figure:

  6. Go to WinRadius > Operation > Add account to add a RADIUS user (my test user name is user and the password is admin). If you need accounting, choose a prepaid user and set the prepaid amount.


=============================================================================================================================

Now use RadiusTest, the test tool bundled with WinRadius, to check whether the WinRadius server has been set up successfully.
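An added example, not from the tutorial or the RadiusTest tool: what the exchange RadiusTest performs looks like at the packet level, using the tutorial's shared key vpdn, the firewall's LAN address 10.0.0.1 as NAS-IP-Address and the test account user/admin. It builds an RFC 2865 Access-Request with the MD5-based User-Password hiding and verifies the Response Authenticator of a reply, which is the check that rejects an Access-Accept forged by anyone who does not hold the shared key. The reply used in the check is constructed locally, so the code runs offline.

```python
import hashlib
import hmac
import struct

# From the tutorial: shared key "vpdn" (key authentication vpdn) and the
# firewall's LAN address 10.0.0.1 as NAS-IP-Address; the test account is user/admin.
SECRET = b"vpdn"

def encode_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous
    ciphertext block), the first block using the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def decode_user_password(cipher: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_access_request(ident: int, req_auth: bytes, user: bytes, password: bytes) -> bytes:
    attrs = (attr(1, user)                                                # User-Name
             + attr(2, encode_user_password(password, SECRET, req_auth))  # User-Password
             + attr(4, bytes([10, 0, 0, 1])))                             # NAS-IP-Address
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs  # code 1 = Access-Request

def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def verify_response(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """A reply is trusted only if its authenticator binds it to our request and our key."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], req_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)
```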

=================================================================================================================================

If it succeeds, WinRadius and the H3C L2TP RADIUS service have been set up successfully. You can create an L2TP client on a client PC to test whether the WinRadius server and the L2TP RADIUS service are working.

Next time I will publish a tutorial on setting up H3C L2TP-RADIUS with the Tekradius software, along with instructions for using the Windows L2TP client.