Configuring Layer 2 portal authentication
Network requirements
As shown in Figure 69, a host is directly connected to a switch. The switch performs Layer 2 portal authentication on users connected to port GigabitEthernet 1/0/1. More specifically,
Use the remote RADIUS server for authentication, authorization and accounting.
Use the remote DHCP server to assign IP addresses to users.
The listening IP address of the local portal server is 4.4.4.4. The local portal server pushes the user-defined authentication pages to users and uses HTTPS to transmit authentication data.
Add users passing authentication to VLAN 3.
Add users failing authentication to VLAN 2, to allow the users to access resources on the update server.
The host obtains an IP address through DHCP. Before authentication, the DHCP server assigns an IP address in segment 192.168.1.0/24 to the host. When the host passes the authentication, the DHCP server assigns an IP address in segment 3.3.3.0/24 to the host. When the host fails authentication, the DHCP server assigns an IP address in segment 2.2.2.0/24 to the host.
Figure 69: Network diagram
Configuration prerequisites and guidelines
Make sure the host, switch, and servers can reach each other before portal authentication is enabled.
Configure the RADIUS server properly to provide normal authentication/authorization/accounting functions for users. In this example, you must create a portal user account with the account name userpt on the RADIUS server, and configure an authorized VLAN for the account.
On the DHCP server, you must specify the IP address ranges (192.168.1.0/24, 3.3.3.0/24, and 2.2.2.0/24), specify the default gateway addresses (192.168.1.1, 3.3.3.1, and 2.2.2.1), exclude the update server's address 2.2.2.2 from the address ranges used for address allocation, specify the leases for the assigned IP addresses, and make sure there is a route to the host. To shorten the time it takes for a host's IP address to be updated after its authentication state changes, set a short lease for each address range.
Because the DHCP server and the DHCP client are not in the same subnet, you must configure a DHCP relay agent on the subnet of the client. For more information about the DHCP relay agent, see Layer 3—IP Services Configuration Guide.
Configuration procedure
Configure portal authentication:
# Add Ethernet ports to related VLANs and configure IP addresses for the VLAN interfaces. (Details not shown.)
# Configure PKI domain pkidm, and apply for a local certificate and CA certificate. For more configuration information, see "Configuring PKI."
# Edit the user-defined authentication pages file, compress it into a zip file named defaultfile, and save the file in the root directory of the access device.
# Configure SSL server policy sslsvr, and specify to use PKI domain pkidm.
<Switch> system-view
[Switch] ssl server-policy sslsvr
[Switch-ssl-server-policy-sslsvr] pki pkidm
[Switch-ssl-server-policy-sslsvr] quit
# Configure the local portal server to support HTTPS and reference SSL server policy sslsvr.
[Switch] portal local-server https server-policy sslsvr
# Configure the IP address of loopback interface 12 as 4.4.4.4.
[Switch] interface loopback 12
[Switch-LoopBack12] ip address 4.4.4.4 32
[Switch-LoopBack12] quit
# Specify IP address 4.4.4.4 as the listening IP address of the local portal server for Layer 2 portal authentication.
[Switch] portal local-server ip 4.4.4.4
# Enable portal authentication on port GigabitEthernet1/0/1, and specify the Auth-Fail VLAN of the port as VLAN 2.
[Switch] interface GigabitEthernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] mac-vlan enable
[Switch-GigabitEthernet1/0/1] portal local-server enable
[Switch-GigabitEthernet1/0/1] portal auth-fail vlan 2
[Switch-GigabitEthernet1/0/1] quit
Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<Switch> system-view
[Switch] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended.
[Switch-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Switch-radius-rs1] primary authentication 1.1.1.2
[Switch-radius-rs1] primary accounting 1.1.1.2
[Switch-radius-rs1] key accounting simple radius
[Switch-radius-rs1] key authentication simple radius
[Switch-radius-rs1] quit
Configure an authentication domain:
# Create and enter ISP domain triple.
[Switch] domain triple
# Configure AAA methods for the ISP domain.
[Switch-isp-triple] authentication portal radius-scheme rs1
[Switch-isp-triple] authorization portal radius-scheme rs1
[Switch-isp-triple] accounting portal radius-scheme rs1
[Switch-isp-triple] quit
# Configure triple as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.
[Switch] domain default enable triple
Configure the DHCP relay agent:
# Enable DHCP.
[Switch] dhcp enable
# Create DHCP server group 1 and add DHCP server 1.1.1.3 into the group.
[Switch] dhcp relay server-group 1 ip 1.1.1.3
# Enable the DHCP relay agent on VLAN-interface 8.
[Switch] interface vlan-interface 8
[Switch-Vlan-interface8] dhcp select relay
# Correlate DHCP server group 1 with VLAN-interface 8.
[Switch-Vlan-interface8] dhcp relay server-select 1
[Switch-Vlan-interface8] quit
# Enable the DHCP relay agent on VLAN-interface 2.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] dhcp select relay
# Correlate DHCP server group 1 with VLAN-interface 2.
[Switch-Vlan-interface2] dhcp relay server-select 1
[Switch-Vlan-interface2] quit
# Enable the DHCP relay agent on VLAN-interface 3.
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] dhcp select relay
# Correlate DHCP server group 1 with VLAN-interface 3.
[Switch-Vlan-interface3] dhcp relay server-select 1
[Switch-Vlan-interface3] quit
Verifying the configuration
Before user userpt accesses a webpage, the user is in VLAN 8 (the initial VLAN) and is assigned an IP address on subnet 192.168.1.0/24. When the user accesses a webpage on the external network, the Web request is redirected to the authentication page https://4.4.4.4/portal/logon.htm. After the user enters the correct username and password, the user passes authentication, and the device moves the user from VLAN 8 to VLAN 3, the authorized VLAN. Use the display connection ucibindex command to view the online user information.
<Switch> display connection ucibindex 30
Slot: 1
Index=30 , Username=userpt@triple
MAC=0015-e9a6-7cfe
IP=192.168.1.2
IPv6=N/A
Access=PORTAL ,AuthMethod=PAP
Port Type=Ethernet,Port Name= GigabitEthernet1/0/1
Initial VLAN=8, Authorization VLAN=3
ACL Group=Disable
User Profile=N/A
CAR=Disable
Priority=Disable
Start=2009-11-26 17:40:02 ,Current=2009-11-26 17:48:21 ,Online=00h08m19s
Total 1 connection matched.
Use the display mac-vlan all command to view the generated MAC-VLAN entries, which record the MAC addresses passing authentication and the corresponding VLANs.
[Switch] display mac-vlan all
The following MAC VLAN addresses exist:
S:Static  D:Dynamic
MAC ADDR         MASK             VLAN ID   PRIO   STATE
--------------------------------------------------------
0015-e9a6-7cfe   ffff-ffff-ffff   3         0      D

Total MAC VLAN address count:1
If a client fails authentication, it will be added to VLAN 2. Use the previously mentioned commands to view the assigned IP address and the generated MAC-VLAN entry for the client.
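The verification step above relies on reading two display outputs by eye and cross-checking them. The following Python script is an added example, not part of the guide or of the switch software: it parses constructed sample output modelled on the display connection ucibindex and display mac-vlan all screens shown above and checks that the online user's MAC has a dynamic MAC-VLAN entry in its authorization VLAN, that the user is not sitting in the Auth-Fail VLAN, and that the user's IP address already belongs to the DHCP scope of the authorization VLAN. The VLAN-to-subnet table and the Auth-Fail VLAN number are assumptions taken from this example's network requirements; the exact field layout of the outputs is assumed from the sample screens and may differ between software releases.

```python
import ipaddress
import re

# Constructed sample output, modelled on the guide's verification screens
# (not captured from a real device).
CONNECTION_OUTPUT = """\
<Switch> display connection ucibindex 30
Slot: 1
Index=30 , Username=userpt@triple
MAC=0015-e9a6-7cfe
IP=192.168.1.2
IPv6=N/A
Access=PORTAL ,AuthMethod=PAP
Port Type=Ethernet,Port Name= GigabitEthernet1/0/1
Initial VLAN=8, Authorization VLAN=3
ACL Group=Disable
User Profile=N/A
CAR=Disable
Priority=Disable
Start=2009-11-26 17:40:02 ,Current=2009-11-26 17:48:21 ,Online=00h08m19s
Total 1 connection matched.
"""

MAC_VLAN_OUTPUT = """\
[Switch] display mac-vlan all
The following MAC VLAN addresses exist:
S:Static  D:Dynamic
MAC ADDR         MASK             VLAN ID   PRIO   STATE
--------------------------------------------------------
0015-e9a6-7cfe   ffff-ffff-ffff   3         0      D

Total MAC VLAN address count:1
"""

# Assumed: the DHCP scope served in each VLAN of this example
# (initial VLAN 8, authorized VLAN 3, Auth-Fail VLAN 2).
VLAN_SUBNETS = {
    8: ipaddress.ip_network("192.168.1.0/24"),
    3: ipaddress.ip_network("3.3.3.0/24"),
    2: ipaddress.ip_network("2.2.2.0/24"),
}
AUTH_FAIL_VLAN = 2

_MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"


def parse_connection(text):
    """Pull the fields we need out of 'display connection ucibindex' output."""
    patterns = {
        "username": r"Username=(\S+)",
        "mac": rf"MAC=({_MAC})",
        "ip": r"^IP=(\S+)",            # anchored so 'IPv6=' is not matched
        "access": r"Access=(\w+)",
        "initial_vlan": r"Initial VLAN=(\d+)",
        "auth_vlan": r"Authorization VLAN=(\d+)",
    }
    fields = {}
    for key, pattern in patterns.items():
        m = re.search(pattern, text, re.MULTILINE)
        if m is None:
            raise ValueError(f"field {key!r} not found in connection output")
        fields[key] = m.group(1)
    fields["initial_vlan"] = int(fields["initial_vlan"])
    fields["auth_vlan"] = int(fields["auth_vlan"])
    return fields


def parse_mac_vlan(text):
    """Return {mac: (vlan_id, state)} from 'display mac-vlan all' output."""
    row = re.compile(rf"^({_MAC})\s+\S+\s+(\d+)\s+\d+\s+([SD])\s*$", re.MULTILINE)
    return {mac: (int(vlan), state) for mac, vlan, state in row.findall(text)}


def check_user(conn, mac_table, vlan_subnets=VLAN_SUBNETS, auth_fail_vlan=AUTH_FAIL_VLAN):
    """Cross-check one online user; returns a list of findings (empty = consistent)."""
    findings = []
    if conn["access"] != "PORTAL":
        findings.append(f"access type is {conn['access']}, not PORTAL")
    entry = mac_table.get(conn["mac"])
    if entry is None:
        findings.append("no MAC-VLAN entry exists for the user's MAC address")
    elif entry != (conn["auth_vlan"], "D"):
        findings.append(f"MAC-VLAN entry {entry} does not match authorization VLAN {conn['auth_vlan']}")
    if conn["auth_vlan"] == auth_fail_vlan:
        findings.append("user was placed in the Auth-Fail VLAN")
    scope = vlan_subnets.get(conn["auth_vlan"])
    if scope is not None and ipaddress.ip_address(conn["ip"]) not in scope:
        # Expected right after authentication: the host keeps its old lease
        # until it renews, which is why the guide recommends a short lease.
        findings.append(f"IP {conn['ip']} is not in the authorization VLAN's scope {scope} (DHCP lease not renewed yet?)")
    return findings


if __name__ == "__main__":
    user = parse_connection(CONNECTION_OUTPUT)
    for finding in check_user(user, parse_mac_vlan(MAC_VLAN_OUTPUT)) or ["consistent"]:
        print(f"{user['username']}: {finding}")
```

Run against the sample screens, the script reports a single finding: the MAC-VLAN entry is correct, but the user's address 192.168.1.2 still belongs to the initial VLAN's scope, which is the transient state the short-lease recommendation in the prerequisites is meant to shorten. A user that was moved to VLAN 2 is reported as an Auth-Fail VLAN member, so the same check can be applied to the failed-authentication case mentioned above.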