Configuring extended cross-subnet portal authentication

Network requirements

As shown in Figure 64, Switch A supports portal authentication. The host accesses Switch A through Switch B. A portal server acts as both a portal authentication server and a portal Web server. A RADIUS server acts as the authentication/accounting server.

Configure Switch A for extended cross-subnet portal authentication. Before passing portal authentication, the host can access only the portal server. After passing portal identity authentication, the host accepts security check. If the host fails the security check it can access only the subnet 192.168.0.0/24. After passing the security check, the host can access other network resources.

Figure 63: Network diagram

Configuration prerequisites and guidelines

Configuration procedure

Perform the following tasks on Switch A.

  1. Configure a RADIUS scheme:

    # Create a RADIUS scheme named rs1 and enter its view.

    <SwitchA> system-view
    [SwitchA] radius scheme rs1
    

    # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

    [SwitchA-radius-rs1] primary authentication 192.168.0.112
    [SwitchA-radius-rs1] primary accounting 192.168.0.112
    [SwitchA-radius-rs1] key accounting simple radius
    [SwitchA-radius-rs1] key authentication simple radius
    [SwitchA-radius-rs1] user-name-format without-domain
    

    # Specify the security policy server.

    [SwitchA-radius-rs1] security-policy-server 192.168.0.113
    [SwitchA-radius-rs1] quit
    

    # Enable RADIUS session control.

    [SwitchA] radius session-control enable
    
  2. Configure an authentication domain:

    # Create an ISP domain named dm1 and enter its view.

    [SwitchA] domain dm1
    

    # Configure AAA methods for the ISP domain.

    [SwitchA-isp-dm1] authentication portal radius-scheme rs1
    [SwitchA-isp-dm1] authorization portal radius-scheme rs1
    [SwitchA-isp-dm1] accounting portal radius-scheme rs1
    [SwitchA-isp-dm1] quit
    

    # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.

    [SwitchA] domain default enable dm1
    
  3. Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.

    [SwitchA] acl advanced 3000
    [SwitchA-acl-ipv4-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
    [SwitchA-acl-ipv4-adv-3000] rule deny ip
    [SwitchA-acl-ipv4-adv-3000] quit
    [SwitchA] acl advanced 3001
    [SwitchA-acl-ipv4-adv-3001] rule permit ip
    [SwitchA-acl-ipv4-adv-3001] quit
    

[NOTE: ]

NOTE:

  • To avoid user login failure , do not specify a source IP address when you configure a rule in ACL 3000 and ACL 3001.

  • Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the security policy server.


    1. Configure portal authentication:

      # Configure a portal authentication server.

      [SwitchA] portal server newpt
      [SwitchA-portal-server-newpt] ip 192.168.0.111 key simple portal
      [SwitchA-portal-server-newpt] port 50100
      [SwitchA-portal-server-newpt] quit
      

      # Configure a portal Web server.

      [SwitchA] portal web-server newpt
      [SwitchA-portal-websvr-newpt] url http://192.168.0.111:8080/portal
      [SwitchA-portal-websvr-newpt] quit
      

      # Enable cross-subnet portal authentication on VLAN-interface 4.

      [SwitchA] interface vlan-interface 4
      [SwitchA–Vlan-interface4] portal enable method layer3
      

      # Reference the portal Web server newpt on VLAN-interface 4.

      [SwitchA–Vlan-interface4] portal apply web-server newpt
      

      # Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 4 to the portal authentication server.

      [SwitchA–Vlan-interface4] portal bas-ip 20.20.20.1
      [SwitchA–Vlan-interface4] quit
      

    On Switch B, configure a default route to subnet 192.168.0.0/24, specifying the next hop address as 20.20.20.1. (Details not shown.)

    Verifying the configuration

    # Verify that the portal configuration has taken effect.

    [SwitchA] display portal interface vlan-interface 4
     Portal information of Vlan-interface4
         NAS-ID profile: Not configured
         VSRP instance : Not configured
         VSRP state    : N/A
         Authorization : Strict checking 
         ACL           : Disabled
         User profile  : Disabled
     IPv4:
         Portal status: Enabled
         Portal authentication method: Layer3
         Portal web server: newpt
         Authentication domain: Not configured
         Pre-auth domain: Not configured
         User-dhcp-only: Disabled
         Pre-auth IP pool: Not configured
         Max Portal users: Not configured
         Bas-ip: 20.20.20.1
         User Detection:  Not configured
         Action for server detection:
             Server type    Server name                        Action 
             --             --                                 -- 
         Layer3 source network:
             IP address               Mask
    
         Destination authenticate subnet:
             IP address               Mask
    IPv6:
         Portal status: Disabled
         Portal authentication method: Disabled
         Portal web server: Not configured
         Authentication domain: Not configured
         Pre-auth domain: Not configured
         User-dhcp-only: Disabled
         Pre-auth IP pool: Not configured
         Max Portal users: Not configured
         Bas-ip: Not configured
         User detection: Not configured
         Action for server detection:
             Server type    Server name                        Action
             --             --                                 --
         Layer3 source network:
             IP address                                        Prefix length
    
         Destination authenticate subnet: 
             IP address                                        Prefix length 
    

    Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.

    # After the user passes identity authentication and security check, use the following command to display information about the portal user.

    [SwitchA] display portal user interface vlan-interface 4
    Total portal users: 1
    Username: abc
      Portal server: newpt
      State: Online
      VPN instance: N/A
      MAC                IP                 VLAN   Interface
      0000-0000-0000     8.8.8.2            4    Vlan-interface4
      Authorization information:
        DHCP IP pool: N/A
        ACL: 3001
        CAR: N/A