Configuring Layer 2 portal authentication

Network requirements

As shown in Figure 69, a host is directly connected to a switch. The switch performs Layer 2 portal authentication on users connected to port GigabitEthernet 1/0/1. More specifically,

Figure 69: Network diagram

Configuration prerequisites and guidelines

Configuration procedure

  • Configure portal authentication:

    # Add Ethernet ports to related VLANs and configure IP addresses for the VLAN interfaces. (Details not shown.)

    # Configure PKI domain pkidm, and apply for a local certificate and CA certificate. For more configuration information, see "Configuring PKI."

    # Edit the user-defined authentication pages file, compress it into a zip file named defaultfile, and save the file in the root directory of the access device.

    # Configure SSL server policy sslsvr, and specify to use PKI domain pkidm.

    <Switch> system-view
    [Switch] ssl server-policy sslsvr
    [Switch-ssl-server-policy-sslsvr] pki pkidm
    [Switch-ssl-server-policy-sslsvr] quit
    

    # Configure the local portal server to support HTTPS and reference SSL server policy sslsvr.

    [Switch] portal local-server https server-policy sslsvr
    

    # Configure the IP address of loopback interface 12 as 4.4.4.4.

    [Switch] interface loopback 12
    [Switch-LoopBack12] ip address 4.4.4.4 32
    [Switch-LoopBack12] quit
    

    # Specify IP address 4.4.4.4 as the listening IP address of the local portal server for Layer 2 portal authentication.

    [Switch] portal local-server ip 4.4.4.4
    

    # Enable portal authentication on port GigabitEthernet1/0/1, and specify the Auth-Fail VLAN of the port as VLAN 2.

    [Switch] interface GigabitEthernet1/0/1
    [Switch-GigabitEthernet1/0/1] port link-type hybrid
    [Switch-GigabitEthernet1/0/1] mac-vlan enable
    [Switch-GigabitEthernet1/0/1] portal local-server enable
    [Switch-GigabitEthernet1/0/1] portal auth-fail vlan 2
    [Switch-GigabitEthernet1/0/1] quit
    
  • Configure a RADIUS scheme:

    # Create a RADIUS scheme named rs1 and enter its view.

    <Switch> system-view
    [Switch] radius scheme rs1
    

    # Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended.

    [Switch-radius-rs1] server-type extended
    

    # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

    [Switch-radius-rs1] primary authentication 1.1.1.2
    [Switch-radius-rs1] primary accounting 1.1.1.2
    [Switch-radius-rs1] key accounting simple radius
    [Switch-radius-rs1] key authentication simple radius
    [Switch-radius-rs1] quit
    
  • Configure an authentication domain:

    # Create and enter ISP domain triple.

    [Switch] domain triple
    

    # Configure AAA methods for the ISP domain.

    [Switch-isp-triple] authentication portal radius-scheme rs1
    [Switch-isp-triple] authorization portal radius-scheme rs1
    [Switch-isp-triple] accounting portal radius-scheme rs1
    [Switch-isp-triple] quit
    

    # Configure triple as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.

    [Switch] domain default enable triple
    
  • Configure the DHCP relay agent:

    # Enable DHCP.

    [Switch] dhcp enable
    

    # Create DHCP server group 1 and add DHCP server 1.1.1.3 into the group.

    [Switch] dhcp relay server-group 1 ip 1.1.1.3
    

    # Enable the DHCP relay agent on VLAN-interface 8.

    [Switch] interface vlan-interface 8
    [Switch-Vlan-interface8] dhcp select relay
    

    # Correlate DHCP server group 1 with VLAN-interface 8.

    [Switch-Vlan-interface8] dhcp relay server-select 1
    [Switch-Vlan-interface8] quit
    

    # Enable the DHCP relay agent on VLAN-interface 2.

    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] dhcp select relay
    

    # Correlate DHCP server group 1 with VLAN-interface 2.

    [Switch-Vlan-interface2] dhcp relay server-select 1
    [Switch-Vlan-interface2] quit
    

    # Enable the DHCP relay agent on VLAN-interface 3.

    [Switch] interface vlan-interface 3
    [Switch-Vlan-interface3] dhcp select relay
    

    # Correlate DHCP server group 1 with VLAN-interface 3.

    [Switch-Vlan-interface3] dhcp relay server-select 1
    [Switch-Vlan-interface3] quit
    
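As an added check that is not part of the original configuration guide, the following Python script audits a running-config excerpt for the properties this example depends on: a local portal server on HTTPS whose SSL policy is bound to a PKI domain, hybrid link type, MAC-VLAN and an Auth-Fail VLAN on the portal-enabled port, a default ISP domain with a portal authentication method backed by a defined RADIUS scheme, and RADIUS shared secrets entered with the simple keyword. The sample configuration is constructed from the commands above with the prompts removed; parse_views and audit_portal_config are names chosen here.

```python
import re

# Constructed running-config excerpt of this example: the commands with the [Switch...] prompts stripped.
SAMPLE_CONFIG = """
ssl server-policy sslsvr
 pki pkidm
portal local-server https server-policy sslsvr
interface GigabitEthernet1/0/1
 port link-type hybrid
 mac-vlan enable
 portal local-server enable
 portal auth-fail vlan 2
radius scheme rs1
 key authentication simple radius
domain triple
 authentication portal radius-scheme rs1
domain default enable triple
"""

def parse_views(text):
    # Map each view-opening line (interface, scheme, domain) to the indented commands under it; key "" holds every system-view line.
    views, ctx = {"": ""}, ""
    for line in filter(str.strip, text.splitlines()):
        if line.startswith(" "):
            views[ctx] += line.strip() + "\n"
        else:
            ctx = line.strip()
            views[""] += ctx + "\n"
            views.setdefault(ctx, "")
    return views

def audit_portal_config(text):
    # Return findings for the invariants this example relies on; an empty list means all checks pass.
    v, out = parse_views(text), []
    m = re.search(r"^portal local-server https server-policy (\S+)$", v[""], re.M)
    if m is None or not re.search(r"^pki \S+$", v.get("ssl server-policy " + m.group(1), ""), re.M):
        out.append("local portal server is not HTTPS with an SSL policy bound to a PKI domain")
    for ctx, cmds in v.items():
        if ctx.startswith("interface ") and "portal local-server enable" in cmds:
            for req in ("port link-type hybrid", "mac-vlan enable", "portal auth-fail vlan"):
                if req not in cmds:
                    out.append(f"{ctx}: portal enabled without '{req}'")
        if ctx.startswith("radius scheme "):
            out += [f"{ctx}: shared secret entered in plaintext: '{k}'"
                    for k in re.findall(r"^key \S+ simple .*$", cmds, re.M)]
    d = re.search(r"^domain default enable (\S+)$", v[""], re.M)
    a = re.search(r"^authentication portal radius-scheme (\S+)$", v.get("domain " + d.group(1), ""), re.M) if d else None
    if a is None or "radius scheme " + a.group(1) not in v:
        out.append("default ISP domain lacks a portal authentication method backed by a defined RADIUS scheme")
    return out
```

On the sample above the only finding is the RADIUS key entered with simple; removing the pki or auth-fail lines from the excerpt produces the corresponding findings.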

Verifying the configuration

Before user userpt accesses a webpage, the user is in VLAN 8 (the initial VLAN) and is assigned an IP address on subnet 192.168.1.0/24. When the user accesses a webpage on the external network, the Web request is redirected to the authentication page https://4.4.4.4/portal/logon.htm. After entering the correct username and password, the user passes the authentication, and the device moves the user from VLAN 8 to VLAN 3, the authorized VLAN. Use the display connection ucibindex command to view the online user information:

    <Switch> display connection ucibindex 30
    Slot:  1
    Index=30  , Username=userpt@triple
    MAC=0015-e9a6-7cfe
    IP=192.168.1.2
    IPv6=N/A
    Access=PORTAL  ,AuthMethod=PAP
    Port Type=Ethernet,Port Name= GigabitEthernet1/0/1
    Initial VLAN=8, Authorization VLAN=3
    ACL Group=Disable
    User Profile=N/A
    CAR=Disable
    Priority=Disable
    Start=2009-11-26 17:40:02 ,Current=2009-11-26 17:48:21 ,Online=00h08m19s
     Total 1 connection matched.
    

Use the display mac-vlan all command to view the generated MAC-VLAN entries, which record the MAC addresses passing authentication and the corresponding VLANs.

    [Switch] display mac-vlan all
      The following MAC VLAN addresses exist:
      S:Static  D:Dynamic
      MAC ADDR         MASK             VLAN ID   PRIO   STATE
      --------------------------------------------------------
      0015-e9a6-7cfe   ffff-ffff-ffff   3         0      D
      Total MAC VLAN address count:1
    

If a client fails authentication, it will be added to VLAN 2. Use the previously mentioned commands to view the assigned IP address and the generated MAC-VLAN entry for the client.