Configuring cross-subnet portal authentication

Network requirements

As shown in Figure 60, Switch A supports portal authentication. The host accesses Switch A through Switch B, so the host is not on a subnet directly connected to Switch A; this is why the cross-subnet (layer3) portal authentication method is used. A portal server acts as both the portal authentication server and the portal Web server. A RADIUS server acts as the authentication/accounting server.

Configure Switch A for cross-subnet portal authentication. Before passing the authentication, the host can access only the portal Web server. After passing the authentication, the user can access other network resources.

Figure 60: Network diagram

Configuration prerequisites and guidelines

Configuration procedure

Perform the following tasks on Switch A.

  1. Configure a RADIUS scheme:

    # Create a RADIUS scheme named rs1 and enter its view.

    <SwitchA> system-view
    [SwitchA] radius scheme rs1
    

    # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. The simple keyword enters each key in plain text; the key must match the shared key configured on the RADIUS server.

    [SwitchA-radius-rs1] primary authentication 192.168.0.112
    [SwitchA-radius-rs1] primary accounting 192.168.0.112
    [SwitchA-radius-rs1] key authentication simple radius
    [SwitchA-radius-rs1] key accounting simple radius
    

    # Exclude the ISP domain name from the username sent to the RADIUS server (for example, the server receives abc rather than abc@dm1).

    [SwitchA-radius-rs1] user-name-format without-domain
    [SwitchA-radius-rs1] quit
    

    # Enable RADIUS session control.

    [SwitchA] radius session-control enable
    
  2. Configure an authentication domain:

    # Create an ISP domain named dm1 and enter its view.

    [SwitchA] domain dm1
    

    # Configure AAA methods for the ISP domain.

    [SwitchA-isp-dm1] authentication portal radius-scheme rs1
    [SwitchA-isp-dm1] authorization portal radius-scheme rs1
    [SwitchA-isp-dm1] accounting portal radius-scheme rs1
    [SwitchA-isp-dm1] quit
    

    # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.

    [SwitchA] domain default enable dm1
    
  3. Configure portal authentication:

    # Configure a portal authentication server.

    [SwitchA] portal server newpt
    [SwitchA-portal-server-newpt] ip 192.168.0.111 key simple portal
    [SwitchA-portal-server-newpt] port 50100
    [SwitchA-portal-server-newpt] quit
    

    # Configure a portal Web server.

    [SwitchA] portal web-server newpt
    [SwitchA-portal-websvr-newpt] url http://192.168.0.111:8080/portal
    [SwitchA-portal-websvr-newpt] quit
    

    # Enable cross-subnet portal authentication on VLAN-interface 4.

    [SwitchA] interface vlan-interface 4
    [SwitchA-Vlan-interface4] portal enable method layer3
    

    # Reference the portal Web server newpt on VLAN-interface 4.

    [SwitchA-Vlan-interface4] portal apply web-server newpt
    

    # Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 4 to the portal authentication server.

    [SwitchA-Vlan-interface4] portal bas-ip 20.20.20.1
    [SwitchA-Vlan-interface4] quit
    

On Switch B, configure a static route to subnet 192.168.0.0/24 with next hop 20.20.20.1 (the address of Switch A), so that traffic from the host to the portal server and the RADIUS server is forwarded through Switch A. (Details not shown.)
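To see what the RADIUS scheme configured above actually puts on the wire, the following added example (not HPE/Comware code) builds the PAP Access-Request that rs1 produces for a portal user and validates the Access-Accept the way the access device does. The shared secret radius and the without-domain username format come from the procedure; the username abc@dm1, the password, the NAS-IP-Address value 20.20.20.1 and the packet identifier are constructed sample data, and nothing is sent to a real server.

```python
"""RADIUS PAP exchange as produced by RADIUS scheme rs1 (added example, not
HPE/Comware code). Assumptions: the switch forwards the portal user's
credentials as a PAP Access-Request (RFC 2865); shared secret "radius" is
taken from the page; username, password, NAS-IP-Address and identifier are
constructed sample values. Nothing is sent on the network."""
import hashlib
import os
import struct

SHARED_SECRET = b"radius"           # key authentication simple radius (from the page)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def strip_domain(username):
    """user-name-format without-domain: 'abc@dm1' is sent as 'abc'."""
    return username.split("@", 1)[0]


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding: XOR each 16-byte block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, authenticator):
    """Server-side reversal of hide_password (NUL padding removed)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, nas_ip, ident, authenticator=None):
    """Access-Request as the access device sends it for a portal user."""
    authenticator = authenticator or os.urandom(16)      # 16 random bytes per request
    attrs = (attr(ATTR_USER_NAME, strip_domain(username).encode())
             + attr(ATTR_USER_PASSWORD,
                    hide_password(password.encode(), SHARED_SECRET, authenticator))
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attrs(data):
    """Minimal TLV walk over the attribute area of a RADIUS packet."""
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_accept(request):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    attrs = b""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + SHARED_SECRET).digest()
    return header + resp_auth + attrs


def verify_response(request, response):
    """Client side: accept only a reply bound to our identifier, our Request
    Authenticator and the shared secret; anything else is a forgery or a mismatch."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:]
                           + SHARED_SECRET).digest()
    return expected == response[4:20]


if __name__ == "__main__":
    req = build_access_request("abc@dm1", "s3cret", "20.20.20.1", 7)
    print("User-Name sent:", parse_attrs(req[20:])[ATTR_USER_NAME])
    print("Access-Accept valid:", verify_response(req, build_access_accept(req)))
```

Two things worth noting from this exchange. The RADIUS server sees the user as abc, not abc@dm1, so server-side policies must match the bare username. And the User-Password is hidden only with MD5 keyed by the shared secret, so a short dictionary-word key such as the one used for readability in this example should be replaced by a long random secret in production; anyone who can capture the path between Switch A and the RADIUS server and guess the secret recovers the password.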

Verifying the configuration

# Verify that the portal configuration has taken effect.

[SwitchA] display portal interface vlan-interface 4
 Portal information of Vlan-interface4
     NAS-ID profile: Not configured
     VSRP instance : Not configured
     VSRP state    : N/A
     Authorization : Strict checking 
     ACL           : Disabled
     User profile  : Disabled
 IPv4:
     Portal status: Enabled
     Portal authentication method: Layer3
     Portal web server: newpt
     Authentication domain: Not configured
     Pre-auth domain: Not configured
     User-dhcp-only: Disabled
     Pre-auth IP pool: Not configured
     Max Portal users: Not configured
     Bas-ip: 20.20.20.1
     User Detection:  Not configured
     Action for server detection:
         Server type    Server name                        Action 
         --             --                                 -- 
     Layer3 source network:
         IP address               Mask

     Destination authenticate subnet:
         IP address               Mask
 IPv6:
     Portal status: Disabled
     Portal authentication method: Disabled
     Portal web server: Not configured
     Authentication domain: Not configured
     Pre-auth domain: Not configured
     User-dhcp-only: Disabled
     Pre-auth IP pool: Not configured
     Max Portal users: Not configured
     Bas-ipv6: Not configured
     User detection: Not configured
     Action for server detection:
         Server type    Server name                        Action
         --             --                                 --
     Layer3 source network:
         IP address                                        Prefix length

     Destination authenticate subnet: 
         IP address                                        Prefix length 

A user can perform portal authentication by using the HPE iNode client or through a Web browser. Before passing the authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. After passing the authentication, the user can access other network resources.

# After the user passes authentication, use the following command to display information about the portal user. Because the host reaches Switch A through Switch B, Switch A does not learn the host's MAC address: the entry shows a MAC of 0000-0000-0000, and the user is identified by its IP address (8.8.8.2) only.

[SwitchA] display portal user interface vlan-interface 4
Total portal users: 1
Username: abc
  Portal server: newpt
  State: Online
  VPN instance: N/A
  MAC                IP                 VLAN   Interface
  0000-0000-0000     8.8.8.2            4      Vlan-interface4
  Authorization information:
    DHCP IP pool: N/A
    ACL: N/A
    CAR: N/A