Configuring cross-subnet portal authentication

Network requirements

As shown in Figure 68, Router A supports portal authentication. The host accesses Router A through Router B. A portal server acts as both a portal authentication server and a portal Web server. A RADIUS server acts as the authentication/accounting server.

Configure Router A for cross-subnet portal authentication. Before passing the authentication, the host can access only the portal server. After passing the authentication, the user can access other network resources.

Figure 61: Network diagram

Configuration prerequisites and guidelines

Configuration procedure

Perform the following tasks on Router A.

  1. Configure a RADIUS scheme:

    # Create a RADIUS scheme named rs1 and enter its view.

    <RouterA> system-view
    [RouterA] radius scheme rs1
    

    # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

    [RouterA-radius-rs1] primary authentication 192.168.0.112
    [RouterA-radius-rs1] primary accounting 192.168.0.112
    [RouterA-radius-rs1] key authentication simple radius
    [RouterA-radius-rs1] key accounting simple radius
    

    # Exclude the ISP domain name from the username sent to the RADIUS server.

    [RouterA-radius-rs1] user-name-format without-domain
    [RouterA-radius-rs1] quit
    

    # Enable RADIUS session control.

    [RouterA] radius session-control enable
    
  2. Configure an authentication domain:

    # Create an ISP domain named dm1 and enter its view.

    [RouterA] domain dm1
    

    # Configure AAA methods for the ISP domain.

    [RouterA-isp-dm1] authentication portal radius-scheme rs1
    [RouterA-isp-dm1] authorization portal radius-scheme rs1
    [RouterA-isp-dm1] accounting portal radius-scheme rs1
    [RouterA-isp-dm1] quit
    

    # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.

    [RouterA] domain default enable dm1
    
  3. Configure portal authentication:

    # Configure a portal authentication server.

    [RouterA] portal server newpt
    [RouterA-portal-server-newpt] ip 192.168.0.111 key simple portal
    [RouterA-portal-server-newpt] port 50100
    [RouterA-portal-server-newpt] quit
    

    # Configure a portal Web server.

    [RouterA] portal web-server newpt
    [RouterA-portal-websvr-newpt] url http://192.168.0.111:8080/portal
    [RouterA-portal-websvr-newpt] quit
    

    # Enable cross-subnet portal authentication on GigabitEthernet 1/0/2.

    [RouterA] interface gigabitethernet 1/0/2
    [RouterA-GigabitEthernet1/0/2] portal enable method layer3
    

    # Reference the portal Web server newpt on GigabitEthernet 1/0/2.

    [RouterA-GigabitEthernet1/0/2] portal apply web-server newpt
    

    # Configure the BAS-IP as 20.20.20.1 for portal packets sent from GigabitEthernet 1/0/2 to the portal authentication server.

    [RouterA-GigabitEthernet1/0/2] portal bas-ip 20.20.20.1
    [RouterA-GigabitEthernet1/0/2] quit
    

On Router B, configure a default route to subnet 192.168.0.0/24, specifying the next hop address as 20.20.20.1. (Details not shown.)

Verifying the configuration

# Verify that the portal configuration has taken effect.

[RouterA] display portal interface gigabitethernet 1/0/2
 Portal information of GigabitEthernet1/0/2
     NAS-ID profile: Not configured
     VSRP instance : Not configured
     VSRP state    : N/A
     Authorization : Strict checking 
     ACL           : Disabled
     User profile  : Disabled
 IPv4:
     Portal status: Enabled
     Authentication type: Layer3
     Portal Web server: newpt(active)
     Authentication domain: Not configured
     Pre-auth domain: Not configured
     User-dhcp-only: Disabled
     Pre-auth IP pool: Not configured
     Max portal users: Not configured
     Bas-ip: 20.20.20.1
     User detection:  Not configured
     Action for server detection:
         Server type    Server name                        Action 
         --             --                                 -- 
     Layer3 source network:
         IP address               Mask

     Destination authenticate subnet:
         IP address               Mask
IPv6:
     Portal status: Disabled
     Authentication type: Disabled
     Portal Web server: Not configured
     Authentication domain: Not configured
     Pre-auth domain: Not configured
     User-dhcp-only: Disabled
     Pre-auth IP pool: Not configured
     Max portal users: Not configured
     Bas-ipv6: Not configured
     User detection: Not configured
     Action for server detection:
         Server type    Server name                        Action
         --             --                                 --
     Layer3 source network:
         IP address                                        Prefix length

     Destination authenticate subnet: 
         IP address                                        Prefix length 
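As an added example (not part of the HPE procedure above), the following Python checker parses the display portal interface output and confirms the IPv4 settings this procedure expects, keeping the IPv4 and IPv6 blocks apart so that the repeated "Portal status: Disabled" line in the IPv6 block is not mistaken for the IPv4 state. The sample output string is constructed from the output shown above, and the function names are my own.

```python
import re

# Constructed sample: a trimmed copy of the "display portal interface"
# output shown on this page (only the fields the checker reads are kept).
SAMPLE_OUTPUT = """\
 Portal information of GigabitEthernet1/0/2
     NAS-ID profile: Not configured
     Authorization : Strict checking
 IPv4:
     Portal status: Enabled
     Authentication type: Layer3
     Portal Web server: newpt(active)
     Authentication domain: Not configured
     Bas-ip: 20.20.20.1
 IPv6:
     Portal status: Disabled
     Authentication type: Disabled
     Portal Web server: Not configured
     Bas-ipv6: Not configured
"""

def parse_portal_interface(text):
    """Return {'common': {...}, 'IPv4': {...}, 'IPv6': {...}} of the
    'key: value' fields, keyed by the address-family block they appear in."""
    sections = {"common": {}}
    current = "common"
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("IPv4:", "IPv6:"):
            current = line[:-1]          # start a new address-family block
            sections[current] = {}
            continue
        m = re.match(r"^([A-Za-z][\w\- ]*?)\s*:\s*(.*)$", line)
        if m:                            # lines without a colon are table rows
            sections[current][m.group(1).strip()] = m.group(2).strip()
    return sections

def check_layer3_portal(sections, web_server, bas_ip):
    """Return a list of mismatches for the IPv4 block (empty means it matches
    the cross-subnet setup: enabled, Layer3, active Web server, BAS-IP set)."""
    v4 = sections.get("IPv4", {})
    expected = {
        "Portal status": "Enabled",
        "Authentication type": "Layer3",
        "Portal Web server": f"{web_server}(active)",
        "Bas-ip": bas_ip,
    }
    return [f"IPv4 {key}: expected {want!r}, got {v4.get(key, '<missing>')!r}"
            for key, want in expected.items() if v4.get(key) != want]
```

Run the checker against the live output of display portal interface after step 3; a non-empty result lists exactly which setting differs from the procedure.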

A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing the authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. After passing the authentication, the user can access other network resources.

# After the user passes authentication, use the following command to display information about the portal user.

[RouterA] display portal user interface gigabitethernet 1/0/2
Total portal users: 1
Username: abc
  Portal server: newpt
  State: Online
  VPN instance: N/A
  MAC                IP                 VLAN   Interface
  0015-e9a6-7cfe     8.8.8.2            --     GigabitEthernet1/0/2
  Authorization information:
    DHCP IP pool: N/A
    User profile: N/A
    ACL: N/A
    CAR: N/A