Configuring direct portal authentication using local portal Web server

As shown in Figure 68, the host is directly connected to the switch (the access device). The host is assigned a public IP address either manually or through DHCP. The switch acts as both a portal authentication server and a portal Web server. A RADIUS server acts as the authentication/accounting server.

Configure direct portal authentication on the switch. Before a user passes portal authentication, the user can access only the local portal Web server. After passing portal authentication, the user can access other network resources.

• Configure IP addresses for the host, switch, and server as shown in Figure 68 and make sure they can reach each other.

• Configure the RADIUS server correctly to provide authentication and accounting functions.

• Customize the authentication pages, compress them to a file, and upload the file to the root directory of the storage medium of the switch.

1. Configure a RADIUS scheme:

   # Create a RADIUS scheme named rs1 and enter its view.

   <Switch> system-view
   [Switch] radius scheme rs1
   

   # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

   [Switch-radius-rs1] primary authentication 192.168.0.112
   [Switch-radius-rs1] primary accounting 192.168.0.112
   [Switch-radius-rs1] key authentication simple radius
   [Switch-radius-rs1] key accounting simple radius
   

   # Configure the switch to remove the ISP domain name from the usernames sent to the RADIUS server.

   [Switch-radius-rs1] user-name-format without-domain
   [Switch-radius-rs1] quit
   

   # Enable the RADIUS session-control feature.

   [Switch] radius session-control enable
   

2. Configure an authentication domain:

   # Create an ISP domain named dm1 and enter its view.

   [Switch] domain dm1
   

   # Configure AAA methods for the ISP domain.

   [Switch-isp-dm1] authentication portal radius-scheme rs1
   [Switch-isp-dm1] authorization portal radius-scheme rs1
   [Switch-isp-dm1] accounting portal radius-scheme rs1
   [Switch-isp-dm1] quit
   

   # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.

   [Switch] domain default enable dm1
   

3. Configure portal authentication:

   # Configure the portal Web server name as newpt and URL as the IP address of the portal authentication-enabled interface or a loopback interface (except 127.0.0.1).

   [Switch] portal web-server newpt
   [Switch-portal-websvr-newpt] url http://2.2.2.1:2331/portal
   [Switch-portal-websvr-newpt] quit 
   

   # Enable direct portal authentication on VLAN-interface 100.

   [Switch] interface vlan-interface 100
   [Switch–Vlan-interface100] portal enable method direct
   

   # Specify the portal Web server newpt on VLAN-interface 100.

   [Switch–Vlan-interface100] portal apply web-server newpt
   [Switch–Vlan-interface100] quit
   

   # Create a local portal Web server. Use HTTP to exchange authentication information with clients.

   [Switch] portal local-web-server http
   

   # Specify file abc.zip as the default authentication page file for local portal authentication. (Make sure the file exist under the root directory of the switch.)

   [Switch–portal-local-websvr-http] default-logon-page abc.zip
   

   # Set the HTTP service listening port number to 2331 for the local portal Web server.

   [Switch–portal-local-webserver-http] tcp-port 2331
   [Switch–portal-local-websvr-http] quit
   

# Verify that the portal configuration has taken effect.

[Switch] display portal interface vlan-interface 100
 Portal information of Vlan-interface 100
     VSRP instance: --
     VSRP state: N/A
     Authorization                   Strict checking 
     ACL                             Disabled
     User profile                    Disabled
 IPv4:
     Portal status: Enabled
     Authentication type: Direct
     Portal Web server: newpt
     Authentication domain: Not configured
     Pre-auth IP pool: Not configured
     BAS-IP: Not configured
     User Detection:  Not configured
     Action for server detection:
         Server type    Server name                        Action 
         --             --                                 -- 
     Layer3 source network:
         IP address               Mask

     Destination authenticate subnet:
         IP address               Mask
IPv6:
     Portal status: Disabled
     Authentication type: Disabled
     Portal Web server: Not configured
     Authentication domain: Not configured
     Pre-auth IP pool: Not configured
     BAS-IPv6: Not configured
     User detection: Not configured
     Action for server detection:
         Server type    Server name                        Action
         --             --                                 --
     Layer3 source network:
         IP address                                        Prefix length

     Destination authenticate subnet: 
         IP address                                        Prefix length

A user can perform portal authentication through a Web page. Before passing the authentication, the user can access only the authentication page http://2.2.2.1:2331/portal and all Web requests will be redirected to the authentication page. After passing the authentication, the user can access other network resources.

# After the user passes authentication, use the following command to display information about the portal user.

[Switch] display portal user interface vlan-interface 100
Total portal users: 1
Username: abc
  Portal server: newpt
  State: Online
  VPN instance: --
  MAC                IP                 VLAN   Interface
  0015-e9a6-7cfe     2.2.2.2            --     vlan-interface 100
  Authorization information:
    IP pool: N/A
    User profile: N/A
    Session group profile: N/A
    ACL: N/A
    CAR: N/A