Configuring extended direct portal authentication

Network requirements

As shown in Figure 54, the host is directly connected to the switch (the access device). The host is assigned a public IP address either manually or through DHCP. A portal server acts as both a portal authentication server and a portal Web server. A RADIUS server acts as the authentication/accounting server.

Configure extended direct portal authentication. If the host fails the security check after passing identity authentication, it can access only subnet 192.168.0.0/24. After passing the security check, the host can access Internet resources.

Figure 54: Network diagram

Configuration prerequisites

Configuration procedure

Perform the following tasks on the switch.

  1. Configure a RADIUS scheme:

    # Create a RADIUS scheme named rs1 and enter its view.

    <Switch> system-view
    [Switch] radius scheme rs1
    

    # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

    [Switch-radius-rs1] primary authentication 192.168.0.112
    [Switch-radius-rs1] primary accounting 192.168.0.112
    [Switch-radius-rs1] key accounting simple radius
    [Switch-radius-rs1] key authentication simple radius
    [Switch-radius-rs1] user-name-format without-domain
    

    # Specify the security policy server.

    [Switch-radius-rs1] security-policy-server 192.168.0.113
    [Switch-radius-rs1] quit
    

    # Enable RADIUS session control.

    [Switch] radius session-control enable
    
  2. Configure an authentication domain:

    # Create an ISP domain named dm1 and enter its view.

    [Switch] domain dm1
    

    # Configure AAA methods for the ISP domain.

    [Switch-isp-dm1] authentication portal radius-scheme rs1
    [Switch-isp-dm1] authorization portal radius-scheme rs1
    [Switch-isp-dm1] accounting portal radius-scheme rs1
    [Switch-isp-dm1] quit
    

    # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.

    [Switch] domain default enable dm1
    
  3. Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL:

    [Switch] acl number 3000
    [Switch-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
    [Switch-acl-adv-3000] rule deny ip
    [Switch-acl-adv-3000] quit
    [Switch] acl number 3001
    [Switch-acl-adv-3001] rule permit ip
    [Switch-acl-adv-3001] quit
    

    NOTE:

    Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the security policy server.


  4. Configure portal authentication:

    # Configure a portal authentication server.

    [Switch] portal server newpt
    [Switch-portal-server-newpt] ip 192.168.0.111 key simple portal
    [Switch-portal-server-newpt] port 50100
    [Switch-portal-server-newpt] quit
    

    # Configure a portal Web server.

    [Switch] portal web-server newpt
    [Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
    [Switch-portal-websvr-newpt] quit
    

    # Enable direct portal authentication on VLAN-interface 100.

    [Switch] interface vlan-interface 100
    [Switch-Vlan-interface100] portal enable method direct
    

    # Reference the portal Web server newpt on VLAN-interface 100.

    [Switch-Vlan-interface100] portal apply web-server newpt
    

    # Configure the BAS-IP as 2.2.2.1 for portal packets sent from VLAN-interface 100 to the portal authentication server.

    [Switch-Vlan-interface100] portal bas-ip 2.2.2.1
    [Switch-Vlan-interface100] quit
    

Verifying the configuration

# Verify that the portal configuration has taken effect.

[Switch] display portal interface vlan-interface 100
 Portal information of Vlan-interface100
     Nas id profile: Not configured
 IPv4:
     Portal status: Enabled
     Authentication type: Direct
     Portal Web server: newpt
     Authentication domain: Not configured
     Bas-ip: 2.2.2.1
     User Detection:  Not configured
     Action for server detection:
         Server type    Server name                        Action 
         --             --                                 -- 
     Layer3 source network:
         IP address               Mask

     Destination authenticate subnet:
         IP address               Mask
IPv6:
     Portal status: Disabled
     Authentication type: Disabled
     Portal Web server: Not configured
     Authentication domain: Not configured
     Bas-ipv6: Not configured
     User detection: Not configured
     Action for server detection:
         Server type    Server name                        Action
         --             --                                 --
     Layer3 source network:
         IP address                                        Prefix length

     Destination authenticate subnet: 
         IP address                                        Prefix length 

Before a user performs portal authentication by using the HPE iNode client, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests the user initiates will be redirected to the authentication page.

# After the user passes authentication, use the following command to display information about the portal user.

[Switch] display portal user interface vlan-interface 100
Total portal users: 1
Username: abc
  Portal server: newpt
  State: Online
  Authorization ACL: 3001
  VPN instance: --
  MAC                IP                 VLAN   Interface
  0015-e9a6-7cfe     2.2.2.2            100    Vlan-interface100
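
The following is an added example, not part of the original guide or of any HPE tool. It parses `display portal user` output, reads each user's authorization ACL, and evaluates the wildcard-mask rules of ACL 3000 (isolation) and ACL 3001 (security) from step 3 to show which destinations the user can reach. The user `quarantined`, the trimmed sample output, and the probe addresses other than 192.168.0.113 are constructed for illustration.

```python
import ipaddress
import re

# Rules copied from step 3: (action, destination, wildcard); None means any.
ACLS = {
    3000: [("permit", "192.168.0.0", "0.0.0.255"), ("deny", None, None)],  # isolation
    3001: [("permit", None, None)],                                        # security
}

def wildcard_match(addr, net, wildcard):
    # Bits set to 1 in a wildcard mask are ignored when comparing.
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

def acl_permits(acl, dst):
    # First matching rule decides; both ACLs here end in a catch-all rule.
    for action, net, wc in ACLS[acl]:
        if net is None or wildcard_match(dst, net, wc):
            return action == "permit"
    return False  # not reached for these ACLs; this sketch fails closed

def parse_portal_users(text):
    # Collect the Username and Authorization ACL fields for each user.
    users = []
    for line in text.splitlines():
        m = re.match(r"\s*(Username|Authorization ACL):\s*(\S+)", line)
        if m and m.group(1) == "Username":
            users.append({"Username": m.group(2)})
        elif m and users:
            users[-1]["ACL"] = m.group(2)
    return users

def audit(text, probes):
    # Map each user to the probe destinations its authorization ACL permits.
    result = {}
    for u in parse_portal_users(text):
        acl = u.get("ACL", "none")
        if acl.isdigit() and int(acl) in ACLS:
            result[u["Username"]] = [d for d in probes if acl_permits(int(acl), d)]
        else:
            result[u["Username"]] = "unexpected ACL: " + acl
    return result

# User abc comes from the page's output; "quarantined" is a constructed entry.
SAMPLE = ("Username: abc\n  State: Online\n  Authorization ACL: 3001\n"
          "Username: quarantined\n  State: Online\n  Authorization ACL: 3000\n")
PROBES = ["192.168.0.113", "192.168.1.10", "203.0.113.5"]  # last two constructed

if __name__ == "__main__":
    print(audit(SAMPLE, PROBES))
```

A user reported with ACL 3000 reaches only 192.168.0.0/24, and any value other than 3000 or 3001 is flagged because it means the security policy server and the switch disagree on ACL numbering.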