Configuring re-DHCP portal authentication with a preauthentication domain

Network requirements

As shown in Figure 78, the host is directly connected to the router (the access device). The host obtains an IP address from the DHCP server through DHCP relay on the router. A portal server acts as both the portal authentication server and the portal Web server, and a RADIUS server acts as the authentication/accounting server.

Configure re-DHCP portal authentication. Before passing authentication, the host is assigned a private IP address (from 10.0.0.0/24 in this example) and can access only the subnet 192.168.0.0/24, which contains the portal server and the DHCP server that the host must reach to be redirected to the portal page and to re-obtain an address. After passing authentication, the host obtains a public IP address (from 20.20.20.0/24) and can access other network resources.

Figure 78: Network diagram

Configuration prerequisites and guidelines

Before you perform the procedure below, make sure the portal server (192.168.0.111), the DHCP server (192.168.0.112) and the RADIUS server have IP addresses configured and are reachable from the router.

In re-DHCP portal authentication the host first obtains a private address and then, after passing authentication, re-obtains a public address. The DHCP server therefore needs two address pools: a private pool for the subnet of the interface's secondary address (10.0.0.0/24) and a public pool for the subnet of its primary address (20.20.20.0/24).

The preauthentication ACL must at least permit traffic to the portal Web server and the DHCP server; otherwise unauthenticated hosts cannot be redirected to the portal page or re-obtain an address.

The BAS-IP configured on the interface (20.20.20.1) must match the access device IP address registered on the portal server.

Configuring AAA for portal users (the RADIUS scheme and the ISP domain used for authentication) is required but not shown in this example.
Configuration procedure

Perform the following tasks on the router.

  1. Configure a preauthentication domain:

    # Create an ISP domain named abc and enter its view.

    <Router> system-view
    [Router] domain abc
    

    # Specify authorization ACL 3010 in the domain.

    [Router-isp-abc] authorization-attribute acl 3010
    [Router-isp-abc] quit
    

    # Configure a rule to permit access to the subnet 192.168.0.0/24.

    [Router] acl advanced 3010
    [Router-acl-ipv4-adv-3010] rule 1 permit ip destination 192.168.0.0 24
    [Router-acl-ipv4-adv-3010] quit
    

    # Configure preauthentication domain abc on GigabitEthernet 1/0/2.

    [Router] interface gigabitethernet 1/0/2
    [Router-GigabitEthernet1/0/2] portal pre-auth domain abc
    [Router-GigabitEthernet1/0/2] quit
    
  2. Configure DHCP relay and authorized ARP:

    # Configure DHCP relay.

    [Router] dhcp enable
    [Router] dhcp relay client-information record
    [Router] interface gigabitethernet 1/0/2
    [Router-GigabitEthernet1/0/2] ip address 20.20.20.1 255.255.255.0
    [Router-GigabitEthernet1/0/2] ip address 10.0.0.1 255.255.255.0 sub
    [Router-GigabitEthernet1/0/2] dhcp select relay
    [Router-GigabitEthernet1/0/2] dhcp relay server-address 192.168.0.112
    

    # Enable authorized ARP.

    [Router-GigabitEthernet1/0/2] arp authorized enable
    [Router-GigabitEthernet1/0/2] quit
    
  3. Configure portal authentication:

    # Configure a portal authentication server.

    [Router] portal server newpt
    [Router-portal-server-newpt] ip 192.168.0.111 key simple portal
    [Router-portal-server-newpt] port 50100
    [Router-portal-server-newpt] quit
    

    # Configure a portal Web server.

    [Router] portal web-server newpt
    [Router-portal-websvr-newpt] url http://192.168.0.111:8080/portal
    [Router-portal-websvr-newpt] quit
    

    # Enable re-DHCP portal authentication on GigabitEthernet 1/0/2.

    [Router] interface gigabitethernet 1/0/2
    [Router-GigabitEthernet1/0/2] portal enable method redhcp
    

    # Reference the portal Web server newpt on GigabitEthernet 1/0/2.

    [Router-GigabitEthernet1/0/2] portal apply web-server newpt
    

    # Configure the BAS-IP as 20.20.20.1 for portal packets sent from GigabitEthernet 1/0/2 to the portal authentication server.

    [Router-GigabitEthernet1/0/2] portal bas-ip 20.20.20.1
    [Router-GigabitEthernet1/0/2] quit
    

Verifying the configuration

# Verify the portal configuration by executing the display portal interface command. (Details not shown.)

# Display information about preauthentication portal users. The IP field shows the private address the host holds before authentication, and the ACL number field should show the preauthentication ACL (3010) applied to the user.

[Router] display portal user pre-auth interface gigabitethernet 1/0/2
MAC                IP                 VLAN   Interface
0015-e9a6-7cfe     10.10.10.4         --     GigabitEthernet1/0/2
  State: Online
  VPN instance: --
    DHCP IP pool: N/A
    User profile: N/A
    ACL number: 3010
    Inbound CAR: N/A
    Outbound CAR: N/A
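The two things worth checking after this procedure are that every pre-auth user really holds a private address (not one from the public pool) with the expected ACL, and that the preauthentication ACL still reaches the portal Web server and the DHCP server; a tightened ACL that drops either one silently breaks redirection or re-DHCP. The script below is an added example, not part of the original page or of the vendor's software: it parses a copy of the display output shown above (constructed sample) and evaluates the checks against the values used in this example (secondary subnet 10.0.0.0/24, primary subnet 20.20.20.0/24, ACL 3010 permitting 192.168.0.0/24, servers 192.168.0.111 and 192.168.0.112). Note that the address in the sample output, 10.10.10.4, does not lie in the secondary subnet configured on GigabitEthernet 1/0/2, so the subnet check reports it; an address such as 10.0.0.4 (a constructed value) passes.

```python
import ipaddress
import re

# Values taken from the configuration on this page (GE1/0/2, ACL 3010, servers).
PRIVATE_SUBNET = "10.0.0.0/24"       # subnet of the secondary ("sub") address on GE1/0/2
PUBLIC_SUBNET = "20.20.20.0/24"      # subnet of the primary address on GE1/0/2
PREAUTH_ACL = 3010
PREAUTH_PERMITTED = ["192.168.0.0/24"]   # destinations permitted by ACL 3010, rule 1
# Servers a host must reach before authentication: the portal Web server it is
# redirected to and the DHCP server it re-obtains an address from.
REQUIRED_BEFORE_AUTH = {
    "portal web server": "192.168.0.111",
    "DHCP server": "192.168.0.112",
}

# Constructed sample: the 'display portal user pre-auth' output shown on this page.
SAMPLE_OUTPUT = """\
MAC                IP                 VLAN   Interface
0015-e9a6-7cfe     10.10.10.4         --     GigabitEthernet1/0/2
  State: Online
  VPN instance: --
    DHCP IP pool: N/A
    User profile: N/A
    ACL number: 3010
    Inbound CAR: N/A
    Outbound CAR: N/A
"""

USER_LINE = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
ATTR_LINE = re.compile(r"^\s+([A-Za-z ]+):\s*(.*\S)\s*$")


def parse_preauth_users(text):
    """Parse 'display portal user pre-auth' output into a list of dicts.

    A MAC/IP/VLAN/Interface line starts a record; the indented 'Key: value'
    lines that follow it are attached to that record with lower-cased keys.
    """
    users = []
    for line in text.splitlines():
        m = USER_LINE.match(line)
        if m:
            users.append({"mac": m.group(1), "ip": m.group(2),
                          "vlan": m.group(3), "interface": m.group(4)})
            continue
        m = ATTR_LINE.match(line)
        if m and users:
            users[-1][m.group(1).strip().lower()] = m.group(2)
    return users


def acl_permits(dest_ip, permitted_cidrs):
    """True if dest_ip falls in any destination network the ACL permits."""
    addr = ipaddress.ip_address(dest_ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in permitted_cidrs)


def unreachable_before_auth(permitted=PREAUTH_PERMITTED, required=REQUIRED_BEFORE_AUTH):
    """Names of required servers that the preauthentication ACL does not permit."""
    return sorted(name for name, ip in required.items() if not acl_permits(ip, permitted))


def check_user(user, private=PRIVATE_SUBNET, public=PUBLIC_SUBNET, acl=PREAUTH_ACL):
    """Return findings for one pre-auth user; an empty list means the entry is consistent."""
    findings = []
    addr = ipaddress.ip_address(user["ip"])
    if addr in ipaddress.ip_network(public):
        findings.append(f"{user['ip']} is a public address but the user is still in pre-auth state")
    elif addr not in ipaddress.ip_network(private):
        findings.append(f"{user['ip']} not in private subnet {private}")
    if user.get("acl number") != str(acl):
        findings.append(f"ACL {user.get('acl number')} applied, expected {acl}")
    return findings


def audit(output=SAMPLE_OUTPUT):
    """Run all checks: one entry per user MAC plus an 'acl' entry for server reachability."""
    report = {u["mac"]: check_user(u) for u in parse_preauth_users(output)}
    report["acl"] = unreachable_before_auth()
    return report


if __name__ == "__main__":
    for key, findings in audit().items():
        print(key, "OK" if not findings else findings)
```

To use it against a live device, replace SAMPLE_OUTPUT with the captured output of display portal user pre-auth interface gigabitethernet 1/0/2 and adjust the constants to the subnets, ACL and server addresses of your deployment.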