Example: Configuring cross-subnet portal authentication for MPLS L3VPNs

Network configuration

As shown in Figure 82, the PE device Switch A provides portal authentication for the host in VPN 1. A portal server in VPN 3 acts as the portal authentication server, portal Web server, and RADIUS server.

Configure cross-subnet portal authentication on Switch A, so the host can access network resources after passing identity authentication.

Figure 82: Network diagram

Prerequisites

Procedure

  1. Configure a RADIUS scheme:

    # Create a RADIUS scheme named rs1 and enter its view.

    <SwitchA> system-view
    [SwitchA] radius scheme rs1
    

    # For the RADIUS scheme, specify the VPN instance that is bound to the interface connected to the portal/RADIUS server. This example uses VPN instance vpn3. (For information about the VPN instance, see the MPLS L3VPN configuration on Switch A.)

    [SwitchA-radius-rs1] vpn-instance vpn3
    

    # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

    [SwitchA-radius-rs1] primary authentication 192.168.0.111
    [SwitchA-radius-rs1] primary accounting 192.168.0.111
    [SwitchA-radius-rs1] key accounting simple radius
    [SwitchA-radius-rs1] key authentication simple radius
    

    # Exclude the ISP domain name from the username sent to the RADIUS server.

    [SwitchA-radius-rs1] user-name-format without-domain
    

    # Specify the source IP address for RADIUS packets to be sent as 3.3.0.3. This address must be the same as that of the portal device specified on the portal authentication server to avoid authentication failures.

    [SwitchA-radius-rs1] nas-ip 3.3.0.3
    [SwitchA-radius-rs1] quit
    

    # Enable RADIUS session control.

    [SwitchA] radius session-control enable
    
  2. Configure an authentication domain:

    # Create an ISP domain named dm1 and enter its view.

    [SwitchA] domain dm1
    

    # Configure AAA methods for the ISP domain.

    [SwitchA-isp-dm1] authentication portal radius-scheme rs1
    [SwitchA-isp-dm1] authorization portal radius-scheme rs1
    [SwitchA-isp-dm1] accounting portal radius-scheme rs1
    [SwitchA-isp-dm1] quit
    

    # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.

    [SwitchA] domain default enable dm1
    
  3. Configure portal authentication:

    # Configure a portal authentication server.

    [SwitchA] portal server newpt
    [SwitchA-portal-server-newpt] ip 192.168.0.111 vpn-instance vpn3 key simple portal
    [SwitchA-portal-server-newpt] port 50100
    [SwitchA-portal-server-newpt] quit
    

    # Configure a portal Web server.

    [SwitchA] portal web-server newpt
    [SwitchA-portal-websvr-newpt] url http://192.168.0.111:8080/portal
    [SwitchA-portal-websvr-newpt] vpn-instance vpn3
    [SwitchA-portal-websvr-newpt] quit
    

    # Enable cross-subnet portal authentication on VLAN-interface 3.

    [SwitchA] interface vlan-interface 3
    [SwitchA–Vlan-interface3] portal enable method layer3
    

    # Specify portal Web server newpt on VLAN-interface 3.

    [SwitchA–Vlan-interface3] portal apply web-server newpt
    

    # Configure the BAS-IP as 3.3.0.3 for portal packets sent from VLAN-interface 3 to the portal authentication server.

    [SwitchA–Vlan-interface3] portal bas-ip 3.3.0.3
    [SwitchA–Vlan-interface3] quit
    

Verifying the configuration

# Verify the portal configuration by executing the display portal interface command. (Details not shown.)

# After the user passes authentication, execute the display portal user command to display the portal user information.

[SwitchA] display portal user all
Total portal users: 1
Username: abc
  Portal server: newpt
  State: Online
  VPN instance: vpn3
  MAC                IP                 VLAN   Interface
  000d-88f7-c268     3.3.0.1            3      Vlan-interface3
  Authorization information:
    DHCP IP pool: N/A
    User profile: N/A
    Session group profile: N/A
    ACL: N/A
    Inbound CAR: N/A
    Outbound CAR: N/A