Example: Configuring cross-subnet portal authentication for MPLS L3VPNs
Network configuration
As shown in Figure 82, the PE device Switch A provides portal authentication for the host in VPN 1. A portal server in VPN 3 acts as the portal authentication server, portal Web server, and RADIUS server.
Configure cross-subnet portal authentication on Switch A, so the host can access network resources after passing identity authentication.
Figure 82: Network diagram
Prerequisites
Before enabling portal authentication, configure MPLS L3VPN and specify VPN targets for VPN 1 and VPN 3 so that VPN 1 and VPN 3 can communicate with each other. This example describes only the access authentication configuration on the user-side PE. For information about MPLS L3VPN configurations, see MPLS L3VPN configuration in MPLS Configuration Guide.
Configure the RADIUS server correctly to provide authentication and accounting functions.
Procedure
Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<SwitchA> system-view
[SwitchA] radius scheme rs1
# For the RADIUS scheme, specify the VPN instance that is bound to the interface connected to the portal/RADIUS server. This example uses VPN instance vpn3. (For information about the VPN instance, see the MPLS L3VPN configuration on Switch A.)
[SwitchA-radius-rs1] vpn-instance vpn3
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[SwitchA-radius-rs1] primary authentication 192.168.0.111
[SwitchA-radius-rs1] primary accounting 192.168.0.111
[SwitchA-radius-rs1] key accounting simple radius
[SwitchA-radius-rs1] key authentication simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
[SwitchA-radius-rs1] user-name-format without-domain
# Specify the source IP address for RADIUS packets to be sent as 3.3.0.3. This address must be the same as that of the portal device specified on the portal authentication server to avoid authentication failures.
[SwitchA-radius-rs1] nas-ip 3.3.0.3
[SwitchA-radius-rs1] quit
# Enable RADIUS session control.
[SwitchA] radius session-control enable
Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[SwitchA] domain dm1
# Configure AAA methods for the ISP domain.
[SwitchA-isp-dm1] authentication portal radius-scheme rs1
[SwitchA-isp-dm1] authorization portal radius-scheme rs1
[SwitchA-isp-dm1] accounting portal radius-scheme rs1
[SwitchA-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
[SwitchA] domain default enable dm1
Configure portal authentication:
# Configure a portal authentication server.
[SwitchA] portal server newpt
[SwitchA-portal-server-newpt] ip 192.168.0.111 vpn-instance vpn3 key simple portal
[SwitchA-portal-server-newpt] port 50100
[SwitchA-portal-server-newpt] quit
# Configure a portal Web server.
[SwitchA] portal web-server newpt
[SwitchA-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[SwitchA-portal-websvr-newpt] vpn-instance vpn3
[SwitchA-portal-websvr-newpt] quit
# Enable cross-subnet portal authentication on VLAN-interface 3.
[SwitchA] interface vlan-interface 3
[SwitchA-Vlan-interface3] portal enable method layer3
# Specify portal Web server newpt on VLAN-interface 3.
[SwitchA-Vlan-interface3] portal apply web-server newpt
# Configure the BAS-IP as 3.3.0.3 for portal packets sent from VLAN-interface 3 to the portal authentication server.
[SwitchA-Vlan-interface3] portal bas-ip 3.3.0.3
[SwitchA-Vlan-interface3] quit
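The two settings that tie this procedure together are the VPN instance (the RADIUS scheme, portal server and portal Web server all reference vpn3) and the device address the server sees (nas-ip and bas-ip are both 3.3.0.3). The following Python checker is an added example, not part of the configuration guide or of Comware; it parses a constructed excerpt laid out like a running configuration (unindented view line, one-space-indented commands) and reports a mismatch in either setting.

```python
# Constructed excerpt in running-configuration layout; not captured from a device.
SAMPLE_CONFIG = """\
radius scheme rs1
 vpn-instance vpn3
 nas-ip 3.3.0.3
portal server newpt
 ip 192.168.0.111 vpn-instance vpn3 key simple portal
portal web-server newpt
 vpn-instance vpn3
interface Vlan-interface3
 portal enable method layer3
 portal apply web-server newpt
 portal bas-ip 3.3.0.3
"""

def parse_blocks(config):
    # Group each indented command under the unindented view line that precedes it.
    blocks, current = {}, None
    for line in config.splitlines():
        if line and not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif line.strip() and current is not None:
            blocks[current].append(line.strip())
    return blocks

def first_arg(lines, keyword):
    # Return the token that follows `keyword` in the first command containing it, else None.
    for line in lines:
        tokens = line.split()
        if keyword in tokens and tokens[-1] != keyword:
            return tokens[tokens.index(keyword) + 1]
    return None

def check_portal_consistency(config):
    # Assumption taken from this example: every portal view uses the RADIUS scheme's VPN
    # instance, and the portal bas-ip equals the RADIUS nas-ip (both 3.3.0.3 above).
    blocks = parse_blocks(config)
    rs = next((l for v, l in blocks.items() if v.startswith("radius scheme")), [])
    radius_vpn, nas_ip = first_arg(rs, "vpn-instance"), first_arg(rs, "nas-ip")
    findings = []
    for view, lines in blocks.items():
        if view.startswith(("portal server", "portal web-server")):
            vpn = first_arg(lines, "vpn-instance")
            if vpn != radius_vpn:
                findings.append(f"{view}: vpn-instance {vpn} != RADIUS vpn-instance {radius_vpn}")
        elif view.startswith("interface") and any(l.startswith("portal enable") for l in lines):
            bas_ip = first_arg(lines, "bas-ip")
            if bas_ip != nas_ip:
                findings.append(f"{view}: bas-ip {bas_ip} != RADIUS nas-ip {nas_ip}")
    return findings
```

Run `check_portal_consistency` over the excerpt before pushing a change; an empty list means both settings agree.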
Verifying the configuration
# Verify the portal configuration by executing the display portal interface command. (Details not shown.)
# After the user passes authentication, execute the display portal user command to display the portal user information.
[SwitchA] display portal user all
Total portal users: 1
Username: abc
  Portal server: newpt
  State: Online
  VPN instance: vpn3
  MAC                IP               VLAN   Interface
  000d-88f7-c268     3.3.0.1          3      Vlan-interface3
  Authorization information:
    DHCP IP pool: N/A
    User profile: N/A
    Session group profile: N/A
    ACL: N/A
    Inbound CAR: N/A
    Outbound CAR: N/A