Configuring direct portal authentication using the local portal Web server
Network requirements
As shown in Figure 86, the host is directly connected to the router (the access device). The host is assigned a public IP address either manually or through DHCP. The router acts as both a portal authentication server and a portal Web server. A RADIUS server acts as the authentication/accounting server.
Configure direct portal authentication on the router. Before a user passes portal authentication, the user can access only the local portal Web server. After passing portal authentication, the user can access other network resources.
Figure 79: Network diagram
Configuration prerequisites and guidelines
Configure IP addresses for the host, router, and server as shown in Figure 86 and make sure they can reach each other.
Configure the RADIUS server correctly to provide authentication and accounting functions.
Customize the authentication pages, compress them to a file, and upload the file to the root directory of the storage medium of the router.
Configuration procedure
Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<Router> system-view [Router] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Router-radius-rs1] primary authentication 192.168.0.112 [Router-radius-rs1] primary accounting 192.168.0.112 [Router-radius-rs1] key authentication simple radius [Router-radius-rs1] key accounting simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
[Router-radius-rs1] user-name-format without-domain [Router-radius-rs1] quit
# Enable RADIUS session control.
[Router] radius session-control enable
Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Router] domain dm1
# Configure AAA methods for the ISP domain.
[Router-isp-dm1] authentication portal radius-scheme rs1 [Router-isp-dm1] authorization portal radius-scheme rs1 [Router-isp-dm1] accounting portal radius-scheme rs1 [Router-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
[Router] domain default enable dm1
Configure portal authentication:
# Create a local portal Web server. Use HTTP to exchange authentication information with clients.
[Router] portal local-web-server http
# Specify file abc.zip as the default authentication page file for local portal authentication. (Make sure the file exist under the root directory of the router.)
[Router–portal-local-websvr-http] default-logon-page abc.zip
# Set the HTTP service listening port number to 2331 for the local portal Web server.
[Router–portal-local-webserver-http] tcp-port 2331 [Router–portal-local-websvr-http] quit
# Configure the portal Web server name as newpt and URL as the IP address of the portal authentication-enabled interface or a loopback interface (except 127.0.0.1).
[Router] portal web-server newpt [Router-portal-websvr-newpt] url http://2.2.2.1:2331/portal [Router-portal-websvr-newpt] quit
# Enable direct portal authentication on GigabitEthernet 1/0/2.
[Router] interface gigabitethernet 1/0/2 [Router–GigabitEthernet1/0/2] portal enable method direct
# Specify the portal Web server newpt on GigabitEthernet 1/0/2.
[Router–GigabitEthernet1/0/2] portal apply web-server newpt [Router–GigabitEthernet1/0/2] quit
Verifying the configuration
# Verify that the portal configuration has taken effect.
[Router] display portal interface gigabitethernet 1/0/2
Portal information of GigabitEthernet1/0/2
VSRP instance: --
VSRP state: N/A
Authorization Strict checking
ACL Disabled
User profile Disabled
IPv4:
Portal status: Enabled
Authentication type: Direct
Portal Web server: newpt(active)
Secondary portal Web server: Not configured
Authentication domain: Not configured
Pre-auth domain: Not configured
User-dhcp-only: Disabled
Pre-auth IP pool: Not configured
Max portal users: Not configured
Bas-ip: Not configured
User detection: Not configured
Action for server detection:
Server type Server name Action
-- -- --
Layer3 source network:
IP address Mask
Destination authenticate subnet:
IP address Mask
IPv6:
Portal status: Disabled
Authentication type: Disabled
Portal Web server: Not configured
Secondary portal Web server: Not configured
Authentication domain: Not configured
Pre-auth domain: Not configured
User-dhcp-only: Disabled
Pre-auth IP pool: Not configured
Max portal users: Not configured
Bas-ipv6: Not configured
User detection: Not configured
Action for server detection:
Server type Server name Action
-- -- --
Layer3 source network:
IP address Prefix length
Destination authenticate subnet:
IP address Prefix length
A user can perform portal authentication through a Web page. Before passing the authentication, the user can access only the authentication page http://2.2.2.1:2331/portal and all Web requests will be redirected to the authentication page. After passing the authentication, the user can access other network resources.
# After the user passes authentication, use the following command to display information about the portal user.
[Router] display portal user interface gigabitethernet 1/0/2
Total portal users: 1
Username: abc
Portal server: newpt
State: Online
VPN instance: --
MAC IP VLAN Interface
0015-e9a6-7cfe 2.2.2.2 -- GigabitEthernet1/0/2
Authorization information:
IP pool: N/A
User profile: N/A
ACL: N/A
CAR: N/A