No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring Built-in Portal Authentication

Example for Configuring Built-in Portal Authentication

Networking Requirements

As shown in Figure 3-14, many users on a company access network through Eth2/0/0 of the Router (used as an access device). After the network operates for a period of time, attacks are detected. The administrator must control network access rights of user terminals to ensure network security. The Router allows user terminals to access Internet resources only after they are authenticated.

Figure 3-14  Networking diagram for configuring built-in Portal authentication

Configuration Roadmap

To control the network access permission of users, the administrator can configure Portal authentication on the Router after the server with the IP address 192.168.2.30 is configured as the RADIUS server. Due to limited device resources, the administrator uses the built-in Portal server and configures the IP address 192.168.1.30 of a loopback interface of the Router as the IP address for the built-in Portal server.

The configuration roadmap is as follows (configured on the Router):

  1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain; bind the RADIUS server template and the AAA scheme to the ISP domain. The Router can then exchange information with the RADIUS server.

  2. Configure Portal authentication to control network access rights of the visitors in the visitor area. The configuration includes:
    1. Configure the built-in Portal server.
    2. Configure a Portal access profile.
    3. Configure an authentication-free rule profile.
    4. Configure an authentication profile.
    5. Enable Portal authentication on an interface.
NOTE:

Before performing operations in this example, ensure that user access terminals and the server can communicate.

This example only provides the configurations on the Router. The configurations on the LAN switch and RADIUS server are not provided here.

Procedure

  1. Configure IP addresses for interfaces.

    <Huawei> system
    [Huawei] sysname Router
    [Router] interface gigabitethernet 1/0/0
    [Router-GigabitEthernet1/0/0] ip address 192.168.2.1 24
    [Router-GigabitEthernet1/0/0] quit

    [Router] vlan batch 10
    [Router] interface vlanif 10
    [Router-Vlanif10] ip address 192.168.3.1 24
    [Router-Vlanif10] quit
    [Router] interface ethernet 2/0/0
    [Router-Ethernet2/0/0] port link-type access
    [Router-Ethernet2/0/0] port default vlan 10
    [Router-Ethernet2/0/0] quit

  2. Configure a static route to the server area. In this example, the IP address for the server area to connect to the router is 192.168.2.2.

    [Router] ip route-static 192.168.2.0 255.255.255.0 192.168.2.2

  3. Create and configure a RADIUS server template, an AAA scheme, and an authentication domain.

    # Create and configure RADIUS server template rd1.

    [Router] radius-server template rd1
    [Router-radius-rd1] radius-server authentication 192.168.2.30 1812
    [Router-radius-rd1] radius-server shared-key cipher Huawei@2012
    [Router-radius-rd1] quit

    # Create AAA scheme abc and set the authentication mode to RADIUS.

    [Router] aaa
    [Router-aaa] authentication-scheme abc
    [Router-aaa-authen-abc] authentication-mode radius
    [Router-aaa-authen-abc] quit

    # Create authentication domain isp1, and bind AAA scheme abc and RADIUS server template rd1 to authentication domain isp1.

    [Router-aaa] domain isp1
    [Router-aaa-domain-isp1] authentication-scheme abc
    [Router-aaa-domain-isp1] radius-server rd1
    [Router-aaa-domain-isp1] quit
    [Router-aaa] quit

    # Test whether a user can be authenticated using RADIUS authentication. A user name test@huawei.com and password Huawei2012 have been configured on the RADIUS server.

    [Router] test-aaa test@huawei.com Huawei2012 radius-template rd1
    Info: Account test succeed.

  4. Configure Portal authentication.

    # Configure an IP address for the built-in Portal server.

    [Router] interface loopback 6
    [Router-LoopBack6] ip address 192.168.1.30 32
    [Router-LoopBack6] quit
    [Router] portal local-server ip 192.168.1.30

    # Configure the SSL policy loaded on the built-in Portal authentication page.

    [Router] ssl policy s1 type server
    [Router-ssl-policy-s1] pki-realm default
    [Router-ssl-policy-s1] quit
    [Router] http secure-server ssl-policy s1
    [Router] portal local-server https ssl-policy s1
    NOTE:
    • Before loading a certificate for the SSL policy, ensure that the certificate file and key pair file have been stored on the device; otherwise, certificate loading will fail. In addition, the certificate file and key pair file must be saved in the subdirectory security under the system root directory. If the subdirectory security does not exist, create it.

    • Apply for the certificate loaded for the SSL policy from a trusted Certificate Authority (CA).

    • Before perform the configuration, ensure that the PKI domain default has been configured.

    # Configure the Portal access profile web1 and enable built-in Portal authentication.
    [Router] portal-access-profile name web1
    [Huawei-portal-acces-profile-web1] portal local-server enable
    [Router-portal-acces-profile-web1] quit
    # Configure the authentication-free rule profile default_free_rule.
    [Router] free-rule-template name default_free_rule
    [Router-free-rule-default_free_rule] free-rule 1 destination ip 192.168.2.31 mask 32 
    [Router-free-rule-default_free_rule] quit
    NOTE:

    Authentication-free rules can take effect immediately after being configured in an authentication-free profile. It is unnecessary to bind the authentication-free profile to an authentication profile.

    # Configure the authentication profile p1, bind the Portal access profile web1 and authentication-free rule profile default_free_rule to the authentication profile, and specify the domain isp1 as the forcible authentication domain in the authentication profile.

    [Router] authentication-profile name p1
    [Router-authen-profile-p1] portal-access-profile web1
    [Router-authen-profile-p1] access-domain isp1 force
    [Router-authen-profile-p1] free-rule-template default_free_rule
    [Router-authen-profile-p1] quit

    # Bind the authentication profile p1 to Eth2/0/0 and enable Portal authentication on the interface.

    [Router] interface ethernet 2/0/0
    [Router-Ethernet2/0/0] authentication-profile p1
    [Router-Ethernet2/0/0] quit
    NOTE:

    The Layer 2 physical interfaces of AR100&AR120&AR150&AR160&AR200 do not support Layer 2 Portal authentication, and support only 802.1X authentication in multicast mode.

  5. Verify the configuration.

    1. Run the display portal local-server commands to check the built-in Portal authentication configuration.
    2. After starting the browser and entering any network address, the user is redirected to the Portal authentication page. The user then enters the user name and password for authentication.
    3. If the user name and password are correct, an authentication success message is displayed on the Portal authentication page. The user can access the network.
    4. After the user goes online, you can run the display access-user command on the device to check the online Portal authentication user information.

Configuration Files

Router configuration file

#
sysname Router
#
portal local-server ip 192.168.1.30
portal local-server https ssl-policy s1
#
pki entity abc
 common-name hello
 country CN
#
vlan batch 10
#
authentication-profile name p1
 portal-access-profile web1
 free-rule-template default_free_rule
 access-domain isp1 force
#
radius-server template rd1
 radius-server shared-key cipher %^%#5Cz2!R*M%NaEr^6.].')L/$!!xTKZ<!!!!!!!!!!%^%#
 radius-server authentication 192.168.2.30 1812 weight 80
#
ssl policy s1 type server
 pki-realm default
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.2.31 mask 255.255.255.255
#
portal-access-profile name web1
 portal local-server enable
#
aaa
 authentication-scheme abc
  authentication-mode radius
 domain isp1
  authentication-scheme abc
  radius-server rd1
#
interface Vlanif10
 ip address 192.168.3.1 255.255.255.0
#
interface Ethernet2/0/0
 port link-type access
 port default vlan 10
authentication-profile p1
#
interface GigabitEthernet1/0/0
 ip address 192.168.2.1 255.255.255.0
#
interface LoopBack1
 ip address 192.168.1.30 255.255.255.255
#
ip route-static 192.168.2.0 255.255.255.0 192.168.2.2
#
return
Translation
Download
Updated: 2019-05-20

Document ID: EDOC1100034077

Views: 112773

Downloads: 206

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next