Example: Configuring extended direct portal authentication

Network configuration

As shown in Figure 68, the host is directly connected to the switch (the access device). The host is assigned a public IP address either manually or through DHCP. A portal server acts as both a portal authentication server and a portal Web server. A RADIUS server acts as the authentication/accounting server.

Configure extended direct portal authentication. If the host fails security check after passing identity authentication, it can access only subnet 192.168.0.0/24. After passing security check, the host can access other network resources.

Figure 68: Network diagram

Prerequisites

Procedure

  1. Configure a RADIUS scheme:

    # Create a RADIUS scheme named rs1 and enter its view.

    <Switch> system-view
    [Switch] radius scheme rs1
    

    # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

    [Switch-radius-rs1] primary authentication 192.168.0.112
    [Switch-radius-rs1] primary accounting 192.168.0.112
    [Switch-radius-rs1] key accounting simple radius
    [Switch-radius-rs1] key authentication simple radius
    [Switch-radius-rs1] user-name-format without-domain
    

    # Enable RADIUS session control.

    [Switch] radius session-control enable
    

    # Specify a session-control client with IP address 192.168.0.112 and shared key 12345 in plaintext form.

    [Switch] radius session-control client ip 192.168.0.112 key simple 12345
    
  2. Configure an authentication domain:

    # Create an ISP domain named dm1 and enter its view.

    [Switch] domain dm1
    

    # Configure AAA methods for the ISP domain.

    [Switch-isp-dm1] authentication portal radius-scheme rs1
    [Switch-isp-dm1] authorization portal radius-scheme rs1
    [Switch-isp-dm1] accounting portal radius-scheme rs1
    [Switch-isp-dm1] quit
    

    # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.

    [Switch] domain default enable dm1
    
  3. Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.

    [Switch] acl advanced 3000
    [Switch-acl-ipv4-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
    [Switch-acl-ipv4-adv-3000] rule deny ip
    [Switch-acl-ipv4-adv-3000] quit
    [Switch] acl advanced 3001
    [Switch-acl-ipv4-adv-3001] rule permit ip
    [Switch-acl-ipv4-adv-3001] quit
    

    [NOTE: ]

    NOTE:

    Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the security policy server.


  4. Configure portal authentication:

    # Configure a portal authentication server.

    [Switch] portal server newpt
    [Switch-portal-server-newpt] ip 192.168.0.111 key simple portal
    [Switch-portal-server-newpt] port 50100
    [Switch-portal-server-newpt] quit
    

    # Configure a portal Web server.

    [Switch] portal web-server newpt
    [Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
    [Switch-portal-websvr-newpt] quit
    

    # Enable direct portal authentication on VLAN-interface 100.

    [Switch] interface vlan-interface 100
    [Switch–Vlan-interface100] portal enable method direct
    

    # Specify portal Web server newpt on VLAN-interface 100.

    [Switch–Vlan-interface100] portal apply web-server newpt
    

    # Configure the BAS-IP as 2.2.2.1 for portal packets sent from VLAN-interface 100 to the portal authentication server.

    [Switch–Vlan-interface100] portal bas-ip 2.2.2.1
    [Switch–Vlan-interface100] quit
    

Verifying the configuration

# Verify that the portal configuration has taken effect.

[Switch] display portal interface vlan-interface 100
 Portal information of Vlan-interface100
     NAS-ID profile: Not configured
     Authorization : Strict checking 
     ACL           : Disabled
     User profile  : Disabled
 IPv4:
     Portal status: Enabled
     Portal authentication method: Direct
     Portal web server: newpt
     Portal mac-trigger-server: Not configured
     Authentication domain: Not configured
     Pre-auth domain: Not configured
     User-dhcp-only: Disabled
     Pre-auth IP pool: Not configured
     Max Portal users: Not configured
     Bas-ip: 2.2.2.1
     User detection:  Not configured
     Action for server detection:
         Server type    Server name                        Action 
         --             --                                 -- 
     Layer3 source network:
         IP address               Mask

     Destination authenticate subnet:
         IP address               Mask
IPv6:
     Portal status: Disabled
     Portal authentication method: Disabled
     Portal web server: Not configured
     Portal mac-trigger-server: Not configured
     Authentication domain: Not configured
     Pre-auth domain: Not configured
     User-dhcp-only: Disabled
     Pre-auth IP pool: Not configured
     Max Portal users: Not configured
     Bas-ipv6: Not configured
     User detection: Not configured
     Action for server detection:
         Server type    Server name                        Action
         --             --                                 --
     Layer3 source network:
         IP address                                        Prefix length

     Destination authenticate subnet: 
         IP address                                        Prefix length 

Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.

# After the user passes identity authentication and security check, use the following command to display information about the portal user.

[Switch] display portal user interface vlan-interface 100
Total portal users: 1
Username: abc
  Portal server: newpt
  State: Online
  VPN instance: N/A
  MAC                IP                 VLAN   Interface
  0015-e9a6-7cfe     2.2.2.2            100    Vlan-interface100
  Authorization information:
    DHCP IP pool: N/A
    User profile: N/A
    Session group profile: N/A
    ACL: 3001
    Inbound CAR: N/A
    Outbound CAR: N/A