03-Security Configuration Guide

38-Overbilling prevention configuration

Contents

About overbilling prevention

How overbilling prevention works

Configuring overbilling prevention

Configuring overbilling prevention

Display and maintenance commands for overbilling prevention

Overbilling prevention configuration examples (on security devices)

Example: Configuring internal network users to trigger overbilling prevention by IPoE online/offline events


About overbilling prevention

In today's network environment, accurate billing is essential to maintaining a high customer satisfaction rate. However, if a user's session does not age out promptly after the user goes offline, the external server might keep sending traffic to the offline user's IP address. If this IP address is reassigned to another user, both the offline user and the newly online user can be billed incorrectly, which might make users distrust the billing system. The overbilling prevention module prevents billing errors caused by untimely session aging.

How overbilling prevention works

To enable the overbilling prevention feature, configure Device as the RADIUS accounting server on the access device and enable the overbilling prevention feature on Device. When a user goes offline, the access device sends Accounting Stop requests to both the RADIUS server and Device. The overbilling prevention module on Device receives the Accounting Stop request and parses the IP address carried in it. It then generates an offline user blocking entry for that IP address to intercept traffic destined for the offline user and clear the offline user's session. This prevents abnormal billing.

Figure 1 Basic workflow of overbilling prevention

 

As shown in the preceding figure, customer A accesses the Internet through a mobile device and passes authentication by the RADIUS server through the access device. The RADIUS server assigns internal IP address 192.168.1.21 to customer A, and customer A then accesses external server resources. When customer A goes offline, their session does not fully age out. If customer B comes online and gets the same IP address (192.168.1.21), the external server sends data flows intended for customer A to customer B. This causes abnormal billing for customer B.

After you enable the overbilling prevention feature, the access device sends Accounting Stop requests to both the RADIUS server and Device. The overbilling prevention module on Device receives the Accounting Stop request and parses the IP address (192.168.1.21) carried in it. It then generates an offline user blocking entry for that IP address to intercept traffic from the external server to the offline customer A and deletes the user session. The firewall compares the session creation time with the blocking entry update time and deletes sessions created before the blocking entry update time. When customer B comes online and gets the same IP address (192.168.1.21), the system has already deleted customer A's session. This prevents the external server from sending data flows intended for the offline customer A (192.168.1.21) to customer B, avoiding billing errors for customer B.
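The workflow above, as an added example that is not part of the H3C guide or the device's own code: it parses a raw RADIUS Accounting-Request, treats an Acct-Status-Type of Stop as the trigger, records a blocking entry for the Framed-IP-Address with its update time, and applies the session-age rule (sessions created before the entry's update time are deleted, later ones survive). The packet layout follows RFC 2865/2866; the 50-second TTL and the build_stop helper are assumptions for illustration.

```python
import struct
ACCOUNTING_REQUEST = 4   # RADIUS Code of an Accounting-Request
ATTR_FRAMED_IP = 8       # Framed-IP-Address attribute type
ATTR_ACCT_STATUS = 40    # Acct-Status-Type attribute type; value 2 means Stop
ACCT_STOP = 2
BLOCK_TTL = 50           # entry lifetime in seconds (assumed; matches the sample display output)

def parse_radius(packet):
    """Return (code, {attr_type: raw value}) from a raw RADIUS packet (RFC 2865/2866 layout)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20          # attributes follow the 16-byte Authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return code, attrs

def ip_from_accounting_stop(packet):
    """Return the Framed-IP-Address of an Accounting Stop request, or None for any other packet."""
    code, attrs = parse_radius(packet)
    if code != ACCOUNTING_REQUEST or attrs.get(ATTR_ACCT_STATUS) != struct.pack("!I", ACCT_STOP):
        return None
    ip = attrs.get(ATTR_FRAMED_IP)
    return ".".join(str(b) for b in ip) if ip is not None and len(ip) == 4 else None

class OverbillingGuard:
    """Offline user blocking entries (ip -> update time) plus the session-age check the text describes."""
    def __init__(self):
        self.block = {}
    def on_accounting_stop(self, packet, now):
        """Create or refresh the blocking entry for the IP carried in an Accounting Stop."""
        ip = ip_from_accounting_stop(packet)
        if ip is not None:
            self.block[ip] = now
        return ip
    def session_allowed(self, dst_ip, created, now):
        """Keep a session to dst_ip only if no live entry exists or the session postdates the entry."""
        upd = self.block.get(dst_ip)
        if upd is None or now - upd > BLOCK_TTL:
            return True              # no entry, or the entry has aged out
        return created > upd         # sessions created before the entry's update time are deleted

def build_stop(ip, ident=1):
    """Construct a minimal Accounting Stop for offline testing; the Authenticator is zeroed, not computed."""
    attrs = bytes([ATTR_ACCT_STATUS, 6]) + struct.pack("!I", ACCT_STOP)
    attrs += bytes([ATTR_FRAMED_IP, 6]) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs)) + bytes(16) + attrs
```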

Configuring overbilling prevention

Configuring overbilling prevention

About this task

When the overbilling prevention-enabled firewall receives a RADIUS Accounting Stop request from an access device (RADIUS client), it generates an offline user blocking entry. This entry intercepts traffic to the offline user and prevents the server from sending traffic to the offline user.

Restrictions and guidelines

Before you configure this feature, configure the device as the RADIUS accounting server by using the primary accounting command on the access device (RADIUS client). This configuration enables the access device to send Accounting Stop messages to the device. For more information about configuring the RADIUS accounting server, see AAA configuration in Security Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enable the overbilling prevention feature.

safebilling enable

By default, the overbilling prevention feature is disabled.

Display and maintenance commands for overbilling prevention

Execute display commands in any view.

 

Task: Display the offline user blocking entries.

Command (standalone mode):

display safebilling block [ slot slot-number [ cpu cpu-number ] ]

Command (IRF mode):

display safebilling block [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

 

Overbilling prevention configuration examples (on security devices)

Example: Configuring internal network users to trigger overbilling prevention by IPoE online/offline events

Network configuration

Configure the overbilling prevention feature on Device B to secure billing for internal network users and prevent abnormal billing.

Figure 2 Network diagram

 

Procedure

1.     Configure the RADIUS server:

This section uses the Linux FreeRADIUS server as an example.

# Configure the RADIUS client.

Add the following contents to the file named clients.conf.

client 10.1.1.2/24 {
    ipaddr = 10.1.1.2
    netmask = 24
    secret = radius
}

The contents above configure the RADIUS client IP address as 10.1.1.2 and configure the shared key as radius.

# Configure users.

# Add the username and password to the user information file named users.

192.168.1.21   Cleartext-Password := "radius"

The username is the host IP address 192.168.1.21 and the password is radius.

2.     Configure Device A:

a.     Configure the RADIUS scheme:

# Create a RADIUS scheme named rs1 and enter its view.

<DeviceA> system-view

[DeviceA] radius scheme rs1

# Configure the primary authentication and accounting servers and the keys for secure RADIUS authentication and accounting communication for the RADIUS scheme.

[DeviceA-radius-rs1] primary authentication 10.1.1.1

[DeviceA-radius-rs1] primary accounting 10.1.1.1

[DeviceA-radius-rs1] key authentication simple radius

[DeviceA-radius-rs1] key accounting simple radius

# Exclude the ISP domain name from the username sent to the RADIUS server.

[DeviceA-radius-rs1] user-name-format without-domain

[DeviceA-radius-rs1] quit

# Create a RADIUS scheme named rs2 and enter its view.

[DeviceA] radius scheme rs2

# Configure the primary accounting server and its key for RADIUS scheme rs2. This ensures that the Accounting Stop requests can reach Device B.

[DeviceA-radius-rs2] primary accounting 12.1.1.1

[DeviceA-radius-rs2] key accounting simple radius

# Exclude the ISP domain name from the username sent to the RADIUS server.

[DeviceA-radius-rs2] user-name-format without-domain

[DeviceA-radius-rs2] quit

b.     Configure an ISP domain:

# Create an ISP domain named dm1 and enter its view.

[DeviceA] domain dm1

# Configure RADIUS schemes rs1 and rs2 for the ISP domain.

[DeviceA-isp-dm1] authentication ipoe radius-scheme rs1

[DeviceA-isp-dm1] authorization ipoe radius-scheme rs1

[DeviceA-isp-dm1] accounting ipoe broadcast radius-scheme rs1 radius-scheme rs2

[DeviceA-isp-dm1] quit

c.     Configure IPoE:

# Enter the view of interface GigabitEthernet 1/0/1.

[DeviceA] interface gigabitethernet 1/0/1

# Enable IPoE and configure Layer 3 access mode.

[DeviceA-GigabitEthernet1/0/1] ip subscriber routed enable

# Enable unclassified-IP packet initiation.

[DeviceA-GigabitEthernet1/0/1] ip subscriber initiator unclassified-ip enable

# Configure ISP domain dm1 for unclassified-IP users.

[DeviceA-GigabitEthernet1/0/1] ip subscriber unclassified-ip domain dm1

# Configure plaintext password radius for authentication.

[DeviceA-GigabitEthernet1/0/1] ip subscriber password plaintext radius

[DeviceA-GigabitEthernet1/0/1] quit

3.     Configure Device B:

a.      Assign IP addresses to interfaces:

# Assign IP addresses to interfaces according to the network diagram.

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ip address 12.1.1.1 255.255.255.0

[DeviceB-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way according to the network diagram. (Details not shown.)

b.     Add interfaces to security zones according to the network diagram.

[DeviceB] security-zone name trust

[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/1

[DeviceB-security-zone-Trust] quit

[DeviceB] security-zone name untrust

[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/2

[DeviceB-security-zone-Untrust] quit

c.     Configure security policies:

Configure security policies to allow traffic between security zones trust and untrust, and between security zone trust and the local zone.

# Configure a security policy named trust-untrust to allow normal traffic forwarding between security zones trust and untrust.

[DeviceB] security-policy ip

[DeviceB-security-policy-ip] rule name trust-untrust

[DeviceB-security-policy-ip-1-trust-untrust] source-zone trust

[DeviceB-security-policy-ip-1-trust-untrust] destination-zone untrust

[DeviceB-security-policy-ip-1-trust-untrust] action pass

[DeviceB-security-policy-ip-1-trust-untrust] quit

# Configure the security policy rule named local-trust to allow Device B to send packets to resources in security zone trust.

[DeviceB-security-policy-ip] rule name local-trust

[DeviceB-security-policy-ip-2-local-trust] source-zone local

[DeviceB-security-policy-ip-2-local-trust] destination-zone trust

[DeviceB-security-policy-ip-2-local-trust] action pass

[DeviceB-security-policy-ip-2-local-trust] quit

# Configure the security policy rule named trust-local to allow resources in security zone trust to send packets to Device B.

[DeviceB-security-policy-ip] rule name trust-local

[DeviceB-security-policy-ip-3-trust-local] source-zone trust

[DeviceB-security-policy-ip-3-trust-local] destination-zone local

[DeviceB-security-policy-ip-3-trust-local] action pass

[DeviceB-security-policy-ip-3-trust-local] quit

d.     Configure the overbilling prevention feature on Device B.

[DeviceB-security-policy-ip] quit

[DeviceB] safebilling enable

Verify the configuration

# After the preceding configuration is completed, the offline events of internal network users can trigger the access device to send Accounting Stop requests to the firewall. The firewall then generates blocking entries upon receiving the requests. View the blocking entries to verify that the configuration has succeeded.

<DeviceB> display safebilling block

CPU 0 on slot 1:

Total block entries found: 1

Framed-IP-Address      Update time                  TTL

192.168.1.21           2024-03-23 14:29:41          50s
