CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Configuring Layer 2 External Portal Authentication

Networking Requirements

As shown in Figure 3-15, an enterprise needs to deploy an identity authentication system in reception rooms to implement access control on visitors who attempt to connect to the enterprise network, ensuring that only authenticated users can access the network. Because the reception rooms have medium security requirements, you do not need to deploy too many authentication points. It is required that the authentication control point be deployed on the aggregation device to facilitate maintenance.

Portal authentication features flexible deployment and is applicable to moving users. The aggregation router and visitors' terminals communicate at Layer 2. Therefore, you can deploy Layer 2 Portal authentication on the aggregation router. The aggregation router works with the RADIUS server (integrated with the Portal server) to implement access control on visitors who attempt to connect to the enterprise network.

Figure 3-15  Networking diagram for configuring Layer 2 external Portal authentication

Configuration Roadmap

The following configurations are performed on the aggregation router. The configuration roadmap is as follows:

  1. Configure network interconnections.
  2. Configure AAA on the router to implement identity authentication on access users through the RADIUS server. The configuration includes configuring a RADIUS server template, an AAA scheme, and an authentication domain, and binding the RADIUS server template and AAA scheme to the authentication domain.
  3. Configure Portal authentication to control network access rights of the visitors in the visitor area. The configuration includes:
    1. Configure a Portal server template.
    2. Configure a Portal access profile.
    3. Configure an authentication-free rule profile.
    4. Configure an authentication profile.
    5. Enable Portal authentication on an interface.
NOTE:

Before performing operations in this example, ensure that user access terminals and the server can communicate.

This example only provides the configurations on the Router. The configurations on the LAN switch and RADIUS server are not provided here.

Parameters including the RADIUS authentication shared key, RADIUS accounting shared key, Portal shared key, accounting interval, and port number must be kept consistent on the router and server.

Procedure

  1. Create VLANs and configure the allowed VLANs on interfaces to ensure network connectivity.

    # Create VLAN 10 and VLAN 20.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] vlan batch 10 20
    

    # On the router, configure Eth2/0/0 and Eth2/0/1 connecting to users as access interfaces, and add Eth2/0/0 and Eth2/0/1 to VLAN 10.

    [Router] interface ethernet 2/0/0
    [Router-Ethernet2/0/0] port link-type access
    [Router-Ethernet2/0/0] port default vlan 10 
    [Router-Ethernet2/0/0] quit
    [Router] interface ethernet 2/0/1
    [Router-Ethernet2/0/1] port link-type access
    [Router-Ethernet2/0/1] port default vlan 10 
    [Router-Ethernet2/0/1] quit

    # On the router, configure Eth2/0/2 connecting to the RADIUS server as an access interface, and add Eth2/0/2 to VLAN 20.

    [Router] interface ethernet 2/0/2
    [Router-Ethernet2/0/2] port link-type access
    [Router-Ethernet2/0/2] port default vlan 20
    [Router-Ethernet2/0/2] quit

  2. Configure IP addresses for VLANIF 10 and VLANIF 20.

    [Router] interface vlanif 10
    [Router-Vlanif10] ip address 192.168.1.1 24
    [Router-Vlanif10] quit

    [Router] interface vlanif 20
    [Router-Vlanif20] ip address 192.168.3.1 24
    [Router-Vlanif20] quit

  3. Configure the DHCP server to assign IP addresses to terminals and notify the terminals of the DNS server address.

    [Router] dhcp enable
    [Router] interface vlanif 10
    [Router-Vlanif10] dhcp select interface
    [Router-Vlanif10] dhcp server dns-list 192.168.2.31
    [Router-Vlanif10] quit

  4. Configure a static route to the server area. In this example, the IP address for the server area to connect to the router is 192.168.2.1.

    [Router] ip route-static 192.168.2.0 255.255.255.0 192.168.2.1

  5. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.

    # Create and configure the RADIUS server template rd1.

    [Router] radius-server template rd1
    [Router-radius-rd1] radius-server authentication 192.168.2.30 1812
    [Router-radius-rd1] radius-server shared-key cipher Huawei@2012
    [Router-radius-rd1] quit

    # Create the AAA authentication scheme abc and set the authentication mode to RADIUS.

    [Router] aaa
    [Router-aaa] authentication-scheme abc
    [Router-aaa-authen-abc] authentication-mode radius
    [Router-aaa-authen-abc] quit

    # Create the authentication domain isp1, and bind the AAA authentication scheme abc and RADIUS server template rd1 to the domain.

    [Router-aaa] domain isp1
    [Router-aaa-domain-isp1] authentication-scheme abc
    [Router-aaa-domain-isp1] radius-server rd1
    [Router-aaa-domain-isp1] quit
    [Router-aaa] quit

    # Check whether a user can pass RADIUS authentication. (The test user test@huawei.com and password Huawei2012 have been configured on the RADIUS server.)

    [Router] test-aaa test@huawei.com Huawei2012 radius-template rd1
    Info: Account test succeed.

  6. Configure Portal authentication.

    # Configure the Portal server template abc.

    [Router] web-auth-server abc
    [Router-web-auth-server-abc] server-ip 192.168.2.30
    [Router-web-auth-server-abc] port 50200
    [Router-web-auth-server-abc] url http://192.168.2.30:8080/webagent
    [Router-web-auth-server-abc] shared-key cipher Huawei@123
    [Router-web-auth-server-abc] quit

    # Configure the Portal access profile web1.

    [Router] portal-access-profile name web1
    [Router-portal-acces-profile-web1] web-auth-server abc direct
    [Router-portal-acces-profile-web1] quit

    # Configure the authentication-free rule profile default_free_rule to allow packets to the DNS server to pass through.

    [Router] free-rule-template name default_free_rule
    [Router-free-rule-default_free_rule] free-rule 1 destination ip 192.168.2.31 mask 32
    [Router-free-rule-default_free_rule] quit
    NOTE:

    Authentication-free rules can take effect immediately after being configured in an authentication-free profile. It is unnecessary to bind the authentication-free profile to an authentication profile.

    # Configure the authentication profile p1, bind the Portal access profile web1 and authentication-free rule profile default_free_rule to the authentication profile, and specify the domain isp1 as the forcible authentication domain in the authentication profile.

    [Router] authentication-profile name p1
    [Router-authen-profile-p1] portal-access-profile web1
    [Router-authen-profile-p1] access-domain isp1 force
    [Router-authen-profile-p1] free-rule-template default_free_rule
    [Router-authen-profile-p1] quit

    # Bind the authentication profile p1 to VLANIF 10 and enable Portal authentication on the interface.

    [Router] interface vlanif 10
    [Router-Vlanif10] authentication-profile p1
    [Router-Vlanif10] quit
    

  7. Verify the configuration.

    1. Run the display portal and display web-auth-server configuration commands to view the configuration of external Portal authentication. The web-auth-server layer2(direct) field in the command output shows that the Portal server template has been bound to VLANIF 10.
    2. After a user opens the browser and enters any website address, the user will be redirected to the Portal authentication page. The user then can enter the user name and password for authentication.
    3. If the user name and password are correct, an authentication success message is displayed on the Portal authentication page. The user can access the network.
    4. After users go online, you can run the display access-user command on the device to view information about online Portal authentication users.
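To make the behaviour verified in this step concrete, here is an added Python model (not Huawei code) of the pre-authentication forwarding decision on VLANIF 10: it parses the free-rule line in both forms that appear on this page (mask 32 in the procedure, mask 255.255.255.255 in the configuration file), lets unauthenticated hosts reach the DNS server, redirects their HTTP requests to the Portal URL, and passes all traffic from users that are online. Treating every other pre-authentication packet as dropped is an assumption of the model, as are the packet tuple and the online-user set used to drive it.

```python
import ipaddress
from dataclasses import dataclass

# Values taken from the configuration example
PORTAL_URL = "http://192.168.2.30:8080/webagent"
FREE_RULE_LINES = [
    "free-rule 1 destination ip 192.168.2.31 mask 32",            # procedure form
    "free-rule 1 destination ip 192.168.2.31 mask 255.255.255.255",  # config-file form
]


@dataclass(frozen=True)
class Packet:
    """Constructed packet tuple used to drive the model."""
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int


def parse_free_rule(line: str) -> ipaddress.IPv4Network:
    """Turn 'free-rule N destination ip A.B.C.D mask M' into an IPv4 network.

    The mask may be a prefix length or a dotted netmask; both are accepted.
    """
    tokens = line.split()
    if tokens[:1] != ["free-rule"] or "destination" not in tokens or "mask" not in tokens:
        raise ValueError(f"unsupported free-rule syntax: {line!r}")
    address = tokens[tokens.index("ip") + 1]
    mask = tokens[tokens.index("mask") + 1]
    # ipaddress accepts both "192.168.2.31/32" and "192.168.2.31/255.255.255.255"
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)


def decide(packet: Packet, online_users: set, free_rules: list):
    """Return (action, detail) for one packet arriving on the Portal-enabled interface.

    Order matters: an online user is never redirected, and authentication-free
    destinations are reachable before authentication (that is what lets the
    browser resolve the name it is about to be redirected away from).
    """
    if packet.src in online_users:
        return ("permit", None)
    dst = ipaddress.IPv4Address(packet.dst)
    if any(dst in rule for rule in free_rules):
        return ("permit", "free-rule")
    if packet.proto == "tcp" and packet.dport == 80:
        return ("redirect", PORTAL_URL)
    return ("drop", None)          # assumption: everything else waits for authentication


def walk_through(free_rule_line: str = FREE_RULE_LINES[0]) -> list:
    """Replay the verification steps for one visitor at 192.168.1.100 (constructed)."""
    rules = [parse_free_rule(free_rule_line)]
    online = set()
    visitor = "192.168.1.100"
    trace = [
        decide(Packet(visitor, "192.168.2.31", "udp", 53), online, rules),    # DNS lookup
        decide(Packet(visitor, "93.184.216.34", "tcp", 80), online, rules),   # any website
        decide(Packet(visitor, "93.184.216.34", "tcp", 22), online, rules),   # not HTTP
    ]
    online.add(visitor)   # user name and password accepted; user is now online
    trace.append(decide(Packet(visitor, "93.184.216.34", "tcp", 22), online, rules))
    return trace


if __name__ == "__main__":
    for step in walk_through():
        print(step)
```

If the free rule for the DNS server is missing, the first decision changes from permit to drop: the browser never resolves the address it typed, so the redirect in step 2 of the verification is never triggered. Checking the free-rule-template output against the actual DNS server address is therefore the first thing to look at when users report that the Portal page does not appear.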

Configuration Files

Router configuration file

#
sysname Router
#
vlan batch 10 20
#
authentication-profile name p1
 portal-access-profile web1
 free-rule-template default_free_rule
 access-domain isp1 force
#
dhcp enable
#
radius-server template rd1
 radius-server shared-key cipher %^%#5Cz2!R*M%NaEr^6.].')L/$!!xTKZ<!!!!!!!!!!%^%#
 radius-server authentication 192.168.2.30 1812 weight 80
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.2.31 mask 255.255.255.255
#
web-auth-server abc
 server-ip 192.168.2.30
 port 50200
 shared-key cipher %^%#'=oP;*.KKUSPqB7M5Cf2G)!!!t/&,$!!!!!!!!!!%^%#
 url http://192.168.2.30:8080/webagent
#
portal-access-profile name web1
 web-auth-server abc direct
#
aaa
 authentication-scheme abc
  authentication-mode radius
 domain isp1
  authentication-scheme abc
  radius-server rd1
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
 authentication-profile p1
 dhcp select interface
 dhcp server dns-list 192.168.2.31
#
interface Vlanif20
 ip address 192.168.3.1 255.255.255.0
#
interface Ethernet2/0/0
 port link-type access
 port default vlan 10
#
interface Ethernet2/0/1
 port link-type access
 port default vlan 10
#
interface Ethernet2/0/2
 port link-type access
 port default vlan 20
#
ip route-static 192.168.2.0 255.255.255.0 192.168.2.1
#
return
Updated: 2019-05-20

Document ID: EDOC1100034077
