Configuring direct portal authentication with a preauthentication domain

Network requirements

As shown in Figure 72, the host is directly connected to the switch (the access device). The host is assigned a public IP address through DHCP. A portal server acts as both a portal authentication server and a portal Web server. A RADIUS server acts as the authentication/accounting server.

Configure direct portal authentication, so the host can access only subnet 192.168.0.0/24 before passing the authentication and access other network resources after passing the authentication.

Figure 71: Network diagram

Configuration prerequisites

Configuration procedure

Perform the following tasks on the switch.

  1. Configure a preauthentication IP address pool:

    # Configure DHCP address pool pre to assign IP addresses and other configuration parameters to clients on subnet 2.2.2.0/24.

    <Switch> system-view
    [Switch] dhcp server ip-pool pre
    [Switch-dhcp-pool-pre] gateway-list 2.2.2.1
    [Switch-dhcp-pool-pre] network 2.2.2.0 24
    [Switch-dhcp-pool-pre] quit
    

    # Enable the DHCP server on VLAN-interface 100.

    [Switch] interface vlan-interface 100
    [Switch-Vlan-interface100] dhcp select server
    [Switch-Vlan-interface100] quit
    
  2. Configure a preauthentication domain:

    # Create an ISP domain named abc and enter its view.

    [Switch] domain abc
    

    # Specify authorization ACL 3010 in the domain.

    [Switch-isp-abc] authorization-attribute acl 3010
    [Switch-isp-abc] quit
    

    # Configure a rule to permit access to the subnet 192.168.0.0/24.

    [Switch] acl advanced 3010
    [Switch-acl-ipv4-adv-3010] rule 1 permit ip destination 192.168.0.0 24
    [Switch-acl-ipv4-adv-3010] quit
    

    # Configure preauthentication domain abc on VLAN-interface 100.

    [Switch] interface vlan-interface 100
    [Switch-Vlan-interface100] portal pre-auth domain abc
    [Switch-Vlan-interface100] quit
    
  3. Configure portal authentication:

    # Configure a portal authentication server.

    [Switch] portal server newpt
    [Switch-portal-server-newpt] ip 192.168.0.111 key simple portal
    [Switch-portal-server-newpt] port 50100
    [Switch-portal-server-newpt] quit
    

    # Configure a portal Web server.

    [Switch] portal web-server newpt
    [Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
    [Switch-portal-websvr-newpt] quit
    

    # Enable direct portal authentication on VLAN-interface 100.

    [Switch] interface vlan-interface 100
    [Switch-Vlan-interface100] portal enable method direct
    

    # Reference the portal Web server newpt on VLAN-interface 100.

    [Switch-Vlan-interface100] portal apply web-server newpt
    

    # Configure the BAS-IP as 2.2.2.1 for portal packets sent from VLAN-interface 100 to the portal authentication server.

    [Switch-Vlan-interface100] portal bas-ip 2.2.2.1
    [Switch-Vlan-interface100] quit
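
The script below is an added example, not part of this guide or of the vendor's tooling. It parses the switch commands from this procedure (embedded as a constructed sample in running-config order) and checks the points that most often break a preauthentication domain: the authorization ACL must permit the portal authentication server and the portal Web server address, it should permit nothing wider than a /24 (an assumed threshold), and the BAS-IP must lie in the preauthentication pool.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: the page's switch commands in running-config order.
CONFIG = """
dhcp server ip-pool pre
 network 2.2.2.0 24
acl advanced 3010
 rule 1 permit ip destination 192.168.0.0 24
portal server newpt
 ip 192.168.0.111 key simple portal
portal web-server newpt
 url http://192.168.0.111:8080/portal
interface Vlan-interface100
 portal pre-auth domain abc
 portal bas-ip 2.2.2.1
"""

def parse(config):
    """Pull out the preauth ACL permits, portal server addresses, pool and BAS-IP."""
    facts = {"permit": [], "servers": set(), "pool": None, "bas_ip": None}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"rule \d+ permit ip destination (\S+) (\d+)$", line):
            facts["permit"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := re.match(r"ip (\S+) key", line):          # portal authentication server
            facts["servers"].add(ipaddress.ip_address(m[1]))
        elif m := re.match(r"url (\S+)", line):             # portal Web server
            facts["servers"].add(ipaddress.ip_address(urlparse(m[1]).hostname))
        elif m := re.match(r"network (\S+) (\d+)", line):   # preauth DHCP pool
            facts["pool"] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif m := re.match(r"portal bas-ip (\S+)", line):
            facts["bas_ip"] = ipaddress.ip_address(m[1])
    return facts

def lint(config, widest_prefix=24):
    """Return findings; an empty list means the preauth domain is consistent."""
    f = parse(config)
    findings = []
    for srv in sorted(f["servers"]):           # login page must be reachable pre-auth
        if not any(srv in net for net in f["permit"]):
            findings.append(f"portal server {srv} is not permitted by the preauth ACL")
    for net in f["permit"]:                    # preauth reach should stay narrow
        if net.prefixlen < widest_prefix:
            findings.append(f"preauth ACL permits {net}, wider than /{widest_prefix}")
    if f["pool"] and f["bas_ip"] and f["bas_ip"] not in f["pool"]:
        findings.append(f"bas-ip {f['bas_ip']} is outside preauth pool {f['pool']}")
    return findings
```

Run `lint(CONFIG)` against a copy of the running configuration after each change to the preauthentication domain; a non-empty result means unauthenticated hosts either cannot reach the login page or can reach more than intended.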
    

Verifying the configuration

# Verify the portal configuration by executing the display portal interface command. (Details not shown.)

# Display information about preauthentication portal users.

[Switch] display portal user pre-authenticate interface vlan-interface 100
MAC                IP                 VLAN   Interface
0015-e9a6-7cfe     10.10.10.4         100     Vlan-interface100
  State: Online
  VPN instance: --
  Authorization information:
    DHCP IP pool: N/A
    ACL number: 3010
    Inbound CAR: N/A
    Outbound CAR: N/A