No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA,NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense;Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, security risks.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring External Portal Authentication to Control Internal User Access

Example for Configuring External Portal Authentication to Control Internal User Access

Networking Requirements

As shown in Figure 3-16, many users on a company access network through Eth2/0/0 of the Router (used as an access device). After the network operates for a period of time, attacks are detected. The administrator must control network access rights of user terminals to ensure network security. The Router allows user terminals to access Internet resources only after they are authenticated.

Figure 3-16  Networking diagram for configuring Portal authentication

Configuration Roadmap

To control the network access permission of users, the administrator can configure Portal authentication on the Router after the server with the IP address 192.168.2.30 is used as the RADIUS server, and configure the IP address 192.168.2.20 as the IP address for the Portal server.

The configuration roadmap is as follows (configured on the Router):

  1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain. Bind the RADIUS server template and the AAA scheme to the ISP domain. The Router can then exchange information with the RADIUS server.
  2. Configure Portal authentication.
    1. Create and configure a Portal server template to ensure normal information exchange between the device and the Portal server.
    2. Enable Portal authentication to authenticate access users.
    3. Configure a shared key that the device uses to exchange information with the Portal server to improve communication security.
NOTE:

Before configuring this example, ensure that devices can communicate with each other in the network.

Procedure

  1. Create VLANs and configure the VLAN allowed by the interface to ensure network communication.

    # Create VLAN 10 and VLAN 20.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] vlan batch 10 20
    

    # On the Router, set Eth2/0/0 connecting to users as a access interface, and add Eth2/0/0 to VLAN 10.

    [Router] interface ethernet 2/0/0
    [Router-Ethernet2/0/0] port link-type access
    [Router-Ethernet2/0/0] port default vlan 10 
    [Router-Ethernet2/0/0] quit
    NOTE:

    Configure the interface type and VLANs according to the actual situation. In this example, users are added to VLAN 10.

    # On the Router, set Eth2/0/1 connecting to the RADIUS server as an access interface, and add Eth2/0/1 to VLAN 20.

    [Router] interface ethernet 2/0/1
    [Router-Ethernet2/0/1] port link-type access
    [Router-Ethernet2/0/1] port default vlan 20
    [Router-Ethernet2/0/1] quit

  2. Create and configure a RADIUS server template, an AAA scheme, and an authentication domain.

    # Create and configure RADIUS server template rd1.

    [Router] radius-server template rd1
    [Router-radius-rd1] radius-server authentication 192.168.2.30 1812
    [Router-radius-rd1] radius-server shared-key cipher Huawei@2012
    [Router-radius-rd1] quit

    # Create AAA scheme abc and set the authentication mode to RADIUS.

    [Router] aaa
    [Router-aaa] authentication-scheme abc
    [Router-aaa-authen-abc] authentication-mode radius
    [Router-aaa-authen-abc] quit

    # Create authentication domain isp1, and bind AAA scheme abc and RADIUS server template rd1 to authentication domain isp1.

    [Router-aaa] domain isp1
    [Router-aaa-domain-isp1] authentication-scheme abc
    [Router-aaa-domain-isp1] radius-server rd1
    [Router-aaa-domain-isp1] quit
    [Router-aaa] quit

    # Configure the default domain isp1 in the system view.When a user enters the user name in the format of user@isp1, the user is authenticated in the authentication domain isp1. If the user name does not carry the domain name or carries a nonexistent domain name, the user is authenticated in the default domain.

    [Router] domain isp1

    # Test whether a user can be authenticated using RADIUS authentication. A user name test@huawei.com and password Huawei2012 have been configured on the RADIUS server.

    [Router] test-aaa test@huawei.com Huawei2012 radius-template rd1
    Info: Account test succeed.

  3. Configure Portal authentication.

    # Create and configure Portal server template abc.

    <Router> system-view
    [Router] web-auth-server abc
    [Router-web-auth-server-abc] server-ip 192.168.2.20
    [Router-web-auth-server-abc] port 50200
    [Router-web-auth-server-abc] url http://192.168.2.20:8080/webagent
    [Router-web-auth-server-abc] quit
    
    NOTE:

    Ensure that the port number configured on the device is the same as that used by the Portal server.

    # Enable Portal authentication.

    [Router] interface vlanif 10 
    [Router-Vlanif10] web-auth-server abc direct
    [Router-Vlanif10] quit
    

    # Set the shared key in cipher text to Huawei@123.

    [Router] web-auth-server abc
    [Router-web-auth-server-abc] shared-key cipher Huawei@123
    [Router-web-auth-server-abc] quit
    
    NOTE:

    In this example, users are allocated static IP addresses. If the users obtain IP addresses through DHCP and the DHCP server is upstream connected to Router, use the portal free-rule command to create authentication-free rules and ensure that the DHCP server is included in the authentication-free rules.

    In addition, if the URL of Portal server needs to be analyzed by DNS and the DNS server is upstream connected to Router, you also need to create authentication-free rules and ensure that the DNS server is included in the authentication-free rules.

  4. Verify the configuration.

    1. Run the display portal and display web-auth-server configuration commands to check the Portal authentication configuration. The command output (web-auth-server layer2(direct)) shows that the Portal server template has been bound to the interface vlanif10.
    2. After starting the browser and entering any network address, the user is redirected to the Portal authentication page. The user then enters the user name and password for authentication.
    3. If the user name and password are correct, an authentication success message is displayed on the Portal authentication page. The user can access the network.
    4. After the user goes online, you can run the display access-user command on the device to check the online Portal authentication user information.

Configuration Files

Configuration file of the Router

#
sysname Router  
#                                                                               
vlan batch 10 20  
#                                                                               
domain isp1
#
radius-server template rd1
 radius-server shared-key cipher %^%#BS'$!w:u7H.lu:/&W9A5=pUt%^%#
 radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc                                                             
 server-ip 192.168.2.20                                                         
 port 50200                                                                     
 shared-key cipher %^%#n{tj5)rRhJ]NM3C>#brWsy8[~z4%'($U6m3Hrj'"%^%#                          
 url http://192.168.2.20:8080/webagent      
#
aaa
 authentication-scheme abc
  authentication-mode radius
 domain isp1
  authentication-scheme abc
  radius-server rd1
#
interface Vlanif10                                                             
 web-auth-server abc direct  
#
interface Ethernet2/0/0
 port link-type access
 port default vlan 10  
#                                                                              
interface Ethernet2/0/1            
 port link-type access                                                          
 port default vlan 20
# 
return
Translation
Download
Updated: 2019-05-25

Document ID: EDOC1000097287

Views: 13322

Downloads: 40

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next