Configuring re-DHCP portal authentication with extended functions

Network requirements

As shown in Figure 54:

Figure 54: Network diagram

Configuration prerequisites and guidelines

Configuration procedure

  • Configure a RADIUS scheme:

  • # Create a RADIUS scheme named rs1 and enter its view.

    <Switch> system-view
    [Switch] radius scheme rs1
    

    # Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended.

    [Switch-radius-rs1] server-type extended
    

    # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

    [Switch-radius-rs1] primary authentication 192.168.0.113
    [Switch-radius-rs1] primary accounting 192.168.0.113
    [Switch-radius-rs1] key accounting simple radius
    [Switch-radius-rs1] key authentication simple radius
    [Switch-radius-rs1] user-name-format without-domain
    

    # Configure the IP address of the security policy server.

    [Switch-radius-rs1] security-policy-server 192.168.0.114
    [Switch-radius-rs1] quit
    
  • Configure an authentication domain:

  • # Create an ISP domain named dm1 and enter its view.

    [Switch] domain dm1
    

    # Configure AAA methods for the ISP domain.

    [Switch-isp-dm1] authentication portal radius-scheme rs1
    [Switch-isp-dm1] authorization portal radius-scheme rs1
    [Switch-isp-dm1] accounting portal radius-scheme rs1
    [Switch-isp-dm1] quit
    

    # Configure domain dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.

    [Switch] domain default enable dm1
    
  • Configure the ACL (ACL 3000 ) for resources on subnet 192.168.0.0/24 and the ACL (ACL 3001) for Internet resources:

  • [Switch] acl number 3000
    [Switch-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
    [Switch-acl-adv-3000] rule deny ip
    [Switch-acl-adv-3000] quit
    [Switch] acl number 3001
    [Switch-acl-adv-3001] rule permit ip
    [Switch-acl-adv-3001] quit
    

    Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the security policy server.

  • Configure portal authentication:

  • # Configure the portal server as follows:

    [Switch] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal
    

    # Configure the switch as a DHCP relay agent, and enable the IP address check function.

    [Switch] dhcp enable
    [Switch] dhcp relay server-group 0 ip 192.168.0.112
    [Switch] interface vlan-interface 100
    [Switch–Vlan-interface100] ip address 20.20.20.1 255.255.255.0
    [Switch–Vlan-interface100] ip address 10.0.0.1 255.255.255.0 sub
    [Switch-Vlan-interface100] dhcp select relay
    [Switch-Vlan-interface100] dhcp relay server-select 0
    [Switch-Vlan-interface100] dhcp relay address-check enable
    

    # Enable re-DHCP portal authentication on the interface connecting the host.

    [Switch–Vlan-interface100] portal server newpt method redhcp
    [Switch–Vlan-interface100] quit