Example: Configuring cross-subnet portal authentication

Network configuration

As shown in Figure 67, Switch A supports portal authentication. The host accesses Switch A through Switch B. A portal server acts as both a portal authentication server and a portal Web server. A RADIUS server acts as the authentication/accounting server.

Configure Switch A for cross-subnet portal authentication. Before passing the authentication, the host can access only the portal Web server. After passing the authentication, the user can access other network resources.

Figure 67: Network diagram

Prerequisites

Restrictions and guidelines

Make sure the IP address of the portal device added on the portal authentication server is the IP address (20.20.20.1) of the switch's interface connecting the host. The IP address group associated with the portal device is the subnet of the host (8.8.8.0/24).

Procedure

  1. Configure a RADIUS scheme:

    # Create a RADIUS scheme named rs1 and enter its view.

    <SwitchA> system-view
    [SwitchA] radius scheme rs1
    

    # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

    [SwitchA-radius-rs1] primary authentication 192.168.0.112
    [SwitchA-radius-rs1] primary accounting 192.168.0.112
    [SwitchA-radius-rs1] key authentication simple radius
    [SwitchA-radius-rs1] key accounting simple radius
    

    # Exclude the ISP domain name from the username sent to the RADIUS server.

    [SwitchA-radius-rs1] user-name-format without-domain
    [SwitchA-radius-rs1] quit
    

    # Enable RADIUS session control.

    [SwitchA] radius session-control enable
    
  2. Configure an authentication domain:

    # Create an ISP domain named dm1 and enter its view.

    [SwitchA] domain dm1
    

    # Configure AAA methods for the ISP domain.

    [SwitchA-isp-dm1] authentication portal radius-scheme rs1
    [SwitchA-isp-dm1] authorization portal radius-scheme rs1
    [SwitchA-isp-dm1] accounting portal radius-scheme rs1
    [SwitchA-isp-dm1] quit
    

    # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.

    [SwitchA] domain default enable dm1
    
  3. Configure portal authentication:

    # Configure a portal authentication server.

    [SwitchA] portal server newpt
    [SwitchA-portal-server-newpt] ip 192.168.0.111 key simple portal
    [SwitchA-portal-server-newpt] port 50100
    [SwitchA-portal-server-newpt] quit
    

    # Configure a portal Web server.

    [SwitchA] portal web-server newpt
    [SwitchA-portal-websvr-newpt] url http://192.168.0.111:8080/portal
    [SwitchA-portal-websvr-newpt] quit
    

    # Enable cross-subnet portal authentication on VLAN-interface 4.

    [SwitchA] interface vlan-interface 4
    [SwitchA–Vlan-interface4] portal enable method layer3
    

    # Specify portal Web server newpt on VLAN-interface 4.

    [SwitchA–Vlan-interface4] portal apply web-server newpt
    

    # Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 4 to the portal authentication server.

    [SwitchA–Vlan-interface4] portal bas-ip 20.20.20.1
    [SwitchA–Vlan-interface4] quit
    

Verifying the configuration

# Verify that the portal configuration has taken effect.

[SwitchA] display portal interface vlan-interface 4
 Portal information of Vlan-interface4
     NAS-ID profile: Not configured
     Authorization : Strict checking 
     ACL           : Disabled
     User profile  : Disabled
 IPv4:
     Portal status: Enabled
     Portal authentication method: Layer3
     Portal web server: newpt
     Portal mac-trigger-server: Not configured
     Authentication domain: Not configured
     Pre-auth domain: Not configured
     User-dhcp-only: Disabled
     Pre-auth IP pool: Not configured
     Max Portal users: Not configured
     Bas-ip: 20.20.20.1
     User detection:  Not configured
     Action for server detection:
         Server type    Server name                        Action 
         --             --                                 -- 
     Layer3 source network:
         IP address               Mask

     Destination authenticate subnet:
         IP address               Mask
IPv6:
     Portal status: Disabled
     Portal authentication method: Disabled
     Portal web server: Not configured
     Portal mac-trigger-server: Not configured
     Authentication domain: Not configured
     Pre-auth domain: Not configured
     User-dhcp-only: Disabled
     Pre-auth IP pool: Not configured
     Max Portal users: Not configured
     Bas-ipv6: Not configured
     User detection: Not configured
     Action for server detection:
         Server type    Server name                        Action
         --             --                                 --
     Layer3 source network:
         IP address                                        Prefix length

     Destination authenticate subnet: 
         IP address                                        Prefix length 

A user can perform portal authentication by using the HPE iNode client or through a Web browser. Before passing the authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. After passing the authentication, the user can access other network resources.

# After the user passes authentication, use the following command to display information about the portal user.

[SwitchA] display portal user interface vlan-interface 4
Total portal users: 1
Username: abc
  Portal server: newpt
  State: Online
  VPN instance: N/A
  MAC                IP                 VLAN   Interface
  0015-e9a6-7cfe     8.8.8.2            4      Vlan-interface4
  Authorization information:
    DHCP IP pool: N/A
    User profile: N/A
    Session group profile: N/A
    ACL: N/A
    Inbound CAR: N/A
    Outbound CAR: N/A