Configuring extended re-DHCP portal authentication

As shown in Figure 63, the host is directly connected to the switch (the access device). The host obtains an IP address through the DHCP server. A portal server acts as both a portal authentication server and a portal Web server. A RADIUS server acts as the authentication/accounting server.

Configure extended re-DHCP portal authentication. Before passing portal authentication, the host is assigned a private IP address. After passing portal identity authentication, the host obtains a public IP address and accepts security check. If the host fails the security check, it can access only subnet 192.168.0.0/24. After passing the security check, the host can access other network resources.

• Configure IP addresses for the switch and servers as shown in Figure 63 and make sure the host, switch, and servers can reach each other.

• Configure the RADIUS server correctly to provide authentication and accounting functions.

• For re-DHCP portal authentication, configure a public address pool (20.20.20.0/24) and a private address pool (10.0.0.0/24) on the DHCP server. (Details not shown.)

• For re-DHCP portal authentication:

  • The switch must be configured as a DHCP relay agent.

  • The portal-enabled interface must be configured with a primary IP address (a public IP address) and a secondary IP address (a private IP address).

  For information about DHCP relay agent configuration, see Layer 3—IP Services Configuration Guide.

• Make sure the IP address of the portal device added on the portal server is the public IP address (20.20.20.1) of the switch's interface connecting the host. The private IP address range for the IP address group associated with the portal device is the private subnet 10.0.0.0/24 where the host resides. The public IP address range for the IP address group is the public subnet 20.20.20.0/24.

Perform the following tasks on the switch.

1. Configure a RADIUS scheme:

   # Create a RADIUS scheme named rs1 and enter its view.

   <Switch> system-view
   [Switch] radius scheme rs1
   

   # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

   [Switch-radius-rs1] primary authentication 192.168.0.113
   [Switch-radius-rs1] primary accounting 192.168.0.113
   [Switch-radius-rs1] key accounting simple radius
   [Switch-radius-rs1] key authentication simple radius
   [Switch-radius-rs1] user-name-format without-domain
   

   # Specify the security policy server.

   [Switch-radius-rs1] security-policy-server 192.168.0.114
   [Switch-radius-rs1] quit
   

   # Enable RADIUS session control.

   [Switch] radius session-control enable
   

2. Configure an authentication domain:

   # Create an ISP domain named dm1 and enter its view.

   [Switch] domain dm1
   

   # Configure AAA methods for the ISP domain.

   [Switch-isp-dm1] authentication portal radius-scheme rs1
   [Switch-isp-dm1] authorization portal radius-scheme rs1
   [Switch-isp-dm1] accounting portal radius-scheme rs1
   [Switch-isp-dm1] quit
   

   # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.

   [Switch] domain default enable dm1
   

3. Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.

   [Switch] acl advanced 3000
   [Switch-acl-ipv4-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
   [Switch-acl-ipv4-adv-3000] rule deny ip
   [Switch-acl-ipv4-adv-3000] quit
   [Switch] acl advanced 3001
   [Switch-acl-ipv4-adv-3001] rule permit ip
   [Switch-acl-ipv4-adv-3001] quit
   

4. Configure portal authentication:

   # Configure a portal authentication server.

   [Switch] portal server newpt
   [Switch-portal-server-newpt] ip 192.168.0.111 key simple portal
   [Switch-portal-server-newpt] port 50100
   [Switch-portal-server-newpt] quit
   

   # Configure a portal Web server.

   [Switch] portal web-server newpt
   [Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
   [Switch-portal-websvr-newpt] quit
   

   # Enable re-DHCP portal authentication on VLAN-interface 100.

   [Switch] interface vlan-interface 100
   [Switch–Vlan-interface100] portal enable method redhcp
   

   # Reference the portal Web server newpt on VLAN-interface 100.

   [Switch–Vlan-interface100] portal apply web-server newpt
   

   # Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 100 to the portal authentication server.

   [Switch–Vlan-interface100] portal bas-ip 20.20.20.1
   [Switch–Vlan-interface100] quit
   

	NOTE: To avoid user login failure , do not specify a source IP address when you configure a rule in ACL 3000 and ACL 3001. Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the security policy server.

1. Configure DHCP relay and authorized ARP:

   # Configure DHCP relay.

   [Switch] dhcp enable
   [Switch] dhcp relay client-information record
   [Switch] interface vlan-interface 100
   [Switch–Vlan-interface100] ip address 20.20.20.1 255.255.255.0
   [Switch–Vlan-interface100] ip address 10.0.0.1 255.255.255.0 sub
   [Switch-Vlan-interface100] dhcp select relay
   [Switch-Vlan-interface100] dhcp relay server-address 192.168.0.112
   

   # Enable authorized ARP.

   [Switch-Vlan-interface100] arp authorized enable
   [Switch-Vlan-interface100] quit
   

2. Configure portal authentication:

   # Configure a portal authentication server.

   [Switch] portal server newpt
   [Switch-portal-server-newpt] ip 192.168.0.111 key simple portal
   [Switch-portal-server-newpt] port 50100
   [Switch-portal-server-newpt] quit
   

   # Configure a portal Web server.

   [Switch] portal web-server newpt
   [Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
   [Switch-portal-websvr-newpt] quit
   

   # Enable re-DHCP portal authentication on VLAN-interface 100.

   [Switch] interface vlan-interface 100
   [Switch–Vlan-interface100] portal enable method redhcp
   

   # Reference the portal Web server newpt on VLAN-interface 100.

   [Switch–Vlan-interface100] portal apply web-server newpt
   

   # Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 100 to the portal authentication server.

   [Switch–Vlan-interface100] portal bas-ip 20.20.20.1
   [Switch–Vlan-interface100] quit
   

# Verify that the portal configuration has taken effect.

[Switch] display portal interface vlan-interface 100
 Portal information of Vlan-interface100
     NAS-ID profile: Not configured
     VSRP instance : Not configured
     VSRP state    : N/A
     Authorization : Strict checking 
     ACL           : Disabled
     User profile  : Disabled
 IPv4:
     Portal status: Enabled
     Portal authentication method: Redhcp
     Portal web server: newpt
     Authentication domain: Not configured
     Pre-auth domain: Not configured
     User-dhcp-only: Disabled
     Pre-auth IP pool: Not configured
     Max Portal users: Not configured
     Bas-ip: 20.20.20.1
     User Detection:  Not configured
     Action for server detection:
         Server type    Server name                        Action 
         --             --                                 -- 
     Layer3 source network:
         IP address               Mask

     Destination authenticate subnet:
         IP address               Mask
IPv6:
     Portal status: Disabled
     Portal authentication method: Disabled
     Portal web server: Not configured
     Authentication domain: Not configured
     Pre-auth domain: Not configured
     User-dhcp-only: Disabled
     Pre-auth IP pool: Not configured
     Max Portal users: Not configured
     Bas-ipv6: Not configured
     User detection: Not configured
     Action for server detection:
         Server type    Server name                        Action
         --             --                                 --
     Layer3 source network:
         IP address                                        Prefix length

     Destination authenticate subnet: 
         IP address                                        Prefix length 

Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.

• The user can access the resources permitted by ACL 3000 after passing only identity authentication.

• The user can access network resources permitted by ACL 3001 after passing both identity authentication and security check.

# After the user passes identity authentication and security check, use the following command to display information about the portal user.

[Switch] display portal user interface vlan-interface 100
Total portal users: 1
Username: abc
  Portal server: newpt
  State: Online
  VPN instance: N/A
  MAC                IP                 VLAN   Interface
  0015-e9a6-7cfe     20.20.20.2         100    Vlan-interface100
  Authorization information:
    DHCP IP pool: N/A
    ACL: 3001
    CAR: N/A