Configuring direct portal authentication with a preauthentication domain
Network requirements
As shown in Figure 72, the host is directly connected to the switch (the access device). The host is assigned a public IP address through DHCP. A portal server acts as both a portal authentication server and a portal Web server. A RADIUS server acts as the authentication/accounting server.
Configure direct portal authentication, so the host can access only subnet 192.168.0.0/24 before passing the authentication and access other network resources after passing the authentication.
Figure 71: Network diagram
Configuration prerequisites
Configure IP addresses for the host, switch, and servers as shown in Figure 72 and make sure they can reach each other.
Configure the RADIUS server correctly to provide authentication and accounting functions.
Configuration procedure
Perform the following tasks on the switch.
Configure a preauthentication IP address pool:
# Configure DHCP address pool pre to assign IP addresses and other configuration parameters to clients on subnet 2.2.2.0/24.
<Switch> system-view [Switch] dhcp server ip-pool pre [Switch-dhcp-pool-pre] gateway-list 2.2.2.1 [Switch-dhcp-pool-pre] network 2.2.2.0 24 [Switch-dhcp-pool-pre] quit
# Enable the DHCP server on VLAN-interface 100.
[Switch] interface vlan-interface 100 [Switch–Vlan-interface100] dhcp select server [Switch–Vlan-interface100] quit
Configure a preauthentication domain:
# Create an ISP domain named abc and enter its view.
[Switch] domain abc
# Specify authorization ACL 3010 in the domain.
[Switch-isp-abc] authorization-attribute acl 3010 [Switch-isp-abc] quit
# Configure a rule to permit access to the subnet 192.168.0.0/24.
[Switch] acl advanced 3010 [Switch-acl-ipv4-adv-3010] rule 1 permit ip destination 192.168.0.0 24 [Switch-acl-ipv4-adv-3010] quit
# Configure preauthentication domain abc on VLAN-interface 100.
[Switch] interface vlan-interface 100 [Switch–Vlan-interface100] portal pre-auth domain abc [Switch–Vlan-interface100] quit
Configure portal authentication:
# Configure a portal authentication server.
[Switch] portal server newpt [Switch-portal-server-newpt] ip 192.168.0.111 key simple portal [Switch-portal-server-newpt] port 50100 [Switch-portal-server-newpt] quit
# Configure a portal Web server.
[Switch] portal web-server newpt [Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Switch-portal-websvr-newpt] quit
# Enable direct portal authentication on VLAN-interface 100.
[Switch] interface vlan-interface 100 [Switch–Vlan-interface100] portal enable method direct
# Reference the portal Web server newpt on VLAN-interface 100.
[Switch–Vlan-interface100] portal apply web-server newpt
# Configure the BAS-IP as 2.2.2.1 for portal packets sent from VLAN-interface 100 to the portal authentication server.
[Switch–Vlan-interface100] portal bas-ip 2.2.2.1 [Switch–Vlan-interface100] quit
Verifying the configuration
# Verify the portal configuration by executing the display portal interface command. (Details not shown.)
# Display information about preauthentication portal users.
[Switch] display portal user pre-authenticate interface vlan-interface 100 MAC IP VLAN Interface 0015-e9a6-7cfe 10.10.10.4 100 Vlan-interface100 State: Online VPN instance: -- Authorization information: DHCP IP pool: N/A ACL number: 3010 Inbound CAR: N/A Outbound CAR: N/A