Example: Configuring Web authentication by using the RADIUS authentication method
Network configuration
As shown in Figure 90, the host is directly connected to the device through HundredGigE 1/0/1.
Configure Web authentication on HundredGigE 1/0/1, and use a RADIUS server to perform authentication and authorization for the users.
Configure the device to push customized Web authentication pages to users and use HTTP to transfer the authentication data.
Figure 90: Network diagram
Procedure
Configure the RADIUS server properly to provide authentication and accounting functions for users. In this example, the username is configured as user1 on the RADIUS server. (Details not shown.)
Customize the authentication pages, compress them to a file, and upload the file to the root directory of the storage medium of the switch. In this example, the file is abc.zip.
Create VLANs, assign IP addresses to the VLAN interfaces, and assign interfaces to the VLANs. Make sure the host, the RADIUS server, and the device can reach each other. (Details not shown.)
Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1.
<Device> system-view
[Device] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Device-radius-rs1] primary authentication 192.168.0.112
[Device-radius-rs1] primary accounting 192.168.0.112
[Device-radius-rs1] key authentication simple radius
[Device-radius-rs1] key accounting simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
[Device-radius-rs1] user-name-format without-domain
[Device-radius-rs1] quit
Configure an authentication domain:
# Create an ISP domain named dm1.
[Device] domain dm1
# Configure AAA methods for the ISP domain.
[Device-isp-dm1] authentication lan-access radius-scheme rs1
[Device-isp-dm1] authorization lan-access radius-scheme rs1
[Device-isp-dm1] accounting lan-access radius-scheme rs1
[Device-isp-dm1] quit
Configure a local portal Web service:
# Create an HTTP-based local portal Web service.
[Device] portal local-web-server http
# Specify the file abc.zip as the default authentication page file for the local portal Web service. (This file must exist directly in the root directory of the storage medium.)
[Device-portal-local-websvr-http] default-logon-page abc.zip
# Specify 80 as the port number on which the local portal Web service listens.
[Device-portal-local-websvr-http] tcp-port 80
[Device-portal-local-websvr-http] quit
Configure Web authentication:
# Create a Web authentication server named user.
[Device] web-auth server user
# Specify http://20.20.0.1/portal/ as the redirection URL for the Web authentication server.
[Device-web-auth-server-user] url http://20.20.0.1/portal/
# Specify the IP address of the Web authentication server as 20.20.0.1 (the IP address of Loopback 0) and the port number as 80.
[Device-web-auth-server-user] ip 20.20.0.1 port 80
[Device-web-auth-server-user] quit
# Specify domain dm1 as the Web authentication domain.
[Device] interface hundredgige 1/0/1
[Device-HundredGigE1/0/1] web-auth domain dm1
# Enable Web authentication by using Web authentication server user.
[Device-HundredGigE1/0/1] web-auth enable apply server user
[Device-HundredGigE1/0/1] quit
Verifying the configuration
# Display Web authentication user information after user user1 passes Web authentication.
<Device> display web-auth user
Total online web-auth users: 1
User Name: user1
  MAC address: acf1-df6c-f9ad
  Access interface: HundredGigE1/0/1
  Initial VLAN: 1
  Authorization VLAN: N/A
  Authorization ACL ID: N/A
  Authorization user profile: N/A
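The steps in the procedure refer to each other by name (scheme rs1, domain dm1, server user) and by address and port, so a mistyped name or port breaks authentication. The following Python check is an added example, not part of the original document or of the device software: it cross-checks those references in this example's commands and reports the plaintext-form keys and the HTTP transport. The names audit, CONFIG and MIN_KEY_LEN are assumptions of this example; the 16-octet figure is the preference stated in RFC 2865.

```python
import re
from urllib.parse import urlparse
MIN_KEY_LEN = 16  # RFC 2865 prefers shared secrets of at least 16 octets
# Constructed input: this example's commands, one per line, prompts removed.
CONFIG = """\
radius scheme rs1
primary authentication 192.168.0.112
primary accounting 192.168.0.112
key authentication simple radius
key accounting simple radius
user-name-format without-domain
domain dm1
authentication lan-access radius-scheme rs1
authorization lan-access radius-scheme rs1
accounting lan-access radius-scheme rs1
portal local-web-server http
default-logon-page abc.zip
tcp-port 80
web-auth server user
url http://20.20.0.1/portal/
ip 20.20.0.1 port 80
interface hundredgige 1/0/1
web-auth domain dm1
web-auth enable apply server user
"""

def audit(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    grab = lambda pattern: re.findall(pattern, config, re.M)
    findings = []
    for what, ref_re, def_re in [  # each reference needs a matching definition
        ("RADIUS scheme", r"lan-access radius-scheme (\S+)", r"^radius scheme (\S+)"),
        ("ISP domain", r"^web-auth domain (\S+)", r"^domain (\S+)"),
        ("web-auth server", r"^web-auth enable apply server (\S+)", r"^web-auth server (\S+)"),
    ]:
        for ref in sorted(set(grab(ref_re)) - set(grab(def_re))):
            findings.append(f"undefined {what}: {ref}")
    ip_ports, listen = grab(r"^ip (\S+) port (\d+)"), grab(r"^tcp-port (\d+)")
    for url in grab(r"^url (\S+)"):
        u = urlparse(url)
        port = str(u.port or (443 if u.scheme == "https" else 80))
        if (u.hostname, port) not in ip_ports or port not in listen:
            findings.append(f"{url} does not match the server ip/port or tcp-port")
        if u.scheme == "http":
            findings.append(f"{url}: authentication data is transferred over HTTP")
    for kind, key in grab(r"^key (\S+) simple (\S+)"):
        short = ", shorter than 16 octets" if len(key) < MIN_KEY_LEN else ""
        findings.append(f"{kind} key entered in plaintext form{short}")
    return findings
```

For the configuration as given, audit(CONFIG) returns three findings: the HTTP transport and the two keys. All name, address and port references resolve.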