CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example of Configuring Portal Authentication over HTTPS

Networking Requirements

On the network shown in Figure 3-17, an enterprise needs to deploy an identity authentication system in reception rooms to implement access control on guests who attempt to access the enterprise network. Only authenticated users can access the network. Because the reception rooms have medium security requirements, you do not need to deploy too many authentication points. It is required that the authentication control point be deployed on the aggregation device to facilitate maintenance.

Portal authentication is flexible to deploy and suits mobile users, so Layer 2 Portal authentication can be deployed on the aggregation router. The aggregation router works with the RADIUS server (which integrates the Portal server) to control the network access of guests who attempt to reach the enterprise network.

Figure 3-17  Networking for configuring Portal authentication over HTTPS

Configuration Roadmap

The following configurations are performed on the aggregation router. The configuration roadmap is as follows:

  1. Configure network interconnections.
  2. Configure AAA on the router to implement identity authentication on access users through the RADIUS server. The configuration includes configuring a RADIUS server template, an AAA scheme, and an authentication domain, and binding the RADIUS server template and AAA scheme to the authentication domain.
  3. Configure Portal authentication to control network access rights of the guests in the guest area. The configuration includes:
    1. Configure a Portal server template.
    2. Configure a Portal access profile.
    3. Configure an authentication-free rule profile.
    4. Configure an authentication profile.
    5. Enable Portal authentication on an interface.

NOTE:

Before performing operations in this example, ensure that user access terminals and the server can communicate.

Parameters including the RADIUS authentication shared key, RADIUS accounting shared key, Portal shared key, accounting interval, and port number must be kept consistent on the router and server.

Procedure

  1. Create a VLAN and add interfaces to the VLAN to ensure network communication.

    # Configure an IP address for a loopback interface.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] interface loopback 1
    [Router-LoopBack1] ip address 10.1.1.1 32
    [Router-LoopBack1] quit

    # Create VLAN 10 and VLAN 20.

    [Router] vlan batch 10 20

    # On the router, configure Eth2/0/0 and Eth2/0/1 connected to users as access interfaces, and add Eth2/0/0 and Eth2/0/1 to VLAN 10.

    [Router] interface ethernet 2/0/0
    [Router-Ethernet2/0/0] port link-type access
    [Router-Ethernet2/0/0] port default vlan 10
    [Router-Ethernet2/0/0] quit
    [Router] interface ethernet 2/0/1
    [Router-Ethernet2/0/1] port link-type access
    [Router-Ethernet2/0/1] port default vlan 10
    [Router-Ethernet2/0/1] quit

    # On the router, configure Eth2/0/2 connected to the RADIUS server as an access interface, and add Eth2/0/2 to VLAN 20.

    [Router] interface ethernet 2/0/2
    [Router-Ethernet2/0/2] port link-type access
    [Router-Ethernet2/0/2] port default vlan 20
    [Router-Ethernet2/0/2] quit

  2. Configure IP addresses for VLANIF 10 and VLANIF 20.

    [Router] interface vlanif 10
    [Router-Vlanif10] ip address 192.168.1.1 24
    [Router-Vlanif10] quit

    [Router] interface vlanif 20
    [Router-Vlanif20] ip address 192.168.3.1 24
    [Router-Vlanif20] quit

  3. Configure the DHCP server to assign IP addresses to terminals and notify the terminals of the DNS server address.

    [Router] dhcp enable
    [Router] interface vlanif 10
    [Router-Vlanif10] dhcp select interface
    [Router-Vlanif10] dhcp server dns-list 192.168.2.31
    [Router-Vlanif10] quit

  4. Configure a static route to the server area. In this example, the server area is reached from the router through the next hop 192.168.2.1.

    [Router] ip route-static 192.168.2.0 255.255.255.0 192.168.2.1

  5. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.

    # Create and configure the RADIUS server template rd1.

    [Router] radius-server template rd1
    [Router-radius-rd1] radius-server authentication 192.168.2.30 1812
    [Router-radius-rd1] radius-server shared-key cipher Huawei@2012
    [Router-radius-rd1] quit

    # Create AAA scheme abc and set the authentication mode to RADIUS.

    [Router] aaa
    [Router-aaa] authentication-scheme abc
    [Router-aaa-authen-abc] authentication-mode radius
    [Router-aaa-authen-abc] quit

    # Create authentication domain isp1, and bind the AAA scheme abc and RADIUS server template rd1 to authentication domain isp1.

    [Router-aaa] domain isp1
    [Router-aaa-domain-isp1] authentication-scheme abc
    [Router-aaa-domain-isp1] radius-server rd1
    [Router-aaa-domain-isp1] quit
    [Router-aaa] quit

    # Check whether a user can be authenticated using RADIUS authentication. (A user name test@huawei.com and password Huawei2012 have been configured on the RADIUS server.)

    [Router] test-aaa test@huawei.com Huawei2012 radius-template rd1
    Info: Account test succeed.

  6. Configure Portal authentication.

    # Enable Portal interconnection over HTTPS.

    [Router] ssl policy abcd type server
    [Router-ssl-policy-abcd] pki-realm default
    [Router-ssl-policy-abcd] quit
    [Router] http secure-server ssl-policy abcd
    [Router] portal web-authen-server https ssl-policy abcd

    NOTE:

    • Before loading a certificate for the SSL policy, ensure that the certificate file and key pair file are stored on the device; otherwise, the certificate cannot be loaded. The certificate file and key pair file must be saved in the security subdirectory of the system root directory. If the security subdirectory does not exist, create it.

    • Obtain the certificate that the SSL policy loads from a trusted certificate authority.

    • Ensure that the PKI realm default has been configured.
    # Configure the Portal server template abc.

    [Router] web-auth-server abc
    [Router-web-auth-server-abc] protocol http
    [Router-web-auth-server-abc] http-method post login-success response redirect-url https://192.168.2.30/guest/page_name.php
    [Router-web-auth-server-abc] url https://192.168.2.30:8445/portal
    [Router-web-auth-server-abc] quit

    # Configure the Portal access profile web1.

    [Router] portal-access-profile name web1
    [Router-portal-acces-profile-web1] web-auth-server abc direct
    [Router-portal-acces-profile-web1] quit

    # Configure an IP address for the built-in Portal server.

    [Router] portal local-server ip 10.1.1.1

    NOTE:

    The Portal authentication login page may not be displayed when the aggregation router interconnects with a non-Huawei server. To address this issue, specify an IP address for the built-in Portal server so that the built-in Portal login page is displayed.

    # Configure the authentication-free rule profile default_free_rule.

    [Router] free-rule-template name default_free_rule
    [Router-free-rule-default_free_rule] free-rule 1 destination ip 192.168.2.31 mask 32
    [Router-free-rule-default_free_rule] free-rule 2 source ip 10.1.1.1 mask 32
    [Router-free-rule-default_free_rule] free-rule 3 destination ip 10.1.1.1 mask 32
    [Router-free-rule-default_free_rule] quit

    NOTE:

    Authentication-free rules take effect as soon as they are configured in an authentication-free rule profile; the profile does not need to be bound to an authentication profile for them to apply.

    # Configure the authentication profile p1, bind the Portal access profile web1 and authentication-free rule profile default_free_rule to the authentication profile, and specify the domain isp1 as the forcible authentication domain in the authentication profile.

    [Router] authentication-profile name p1
    [Router-authen-profile-p1] portal-access-profile web1
    [Router-authen-profile-p1] access-domain isp1 force
    [Router-authen-profile-p1] free-rule-template default_free_rule
    [Router-authen-profile-p1] quit

    # Bind the authentication profile p1 to VLANIF 10 and enable Portal authentication on the interface.

    [Router] interface vlanif 10
    [Router-Vlanif10] authentication-profile p1
    [Router-Vlanif10] quit

  7. Verify the configuration.

    1. Run the display portal and display web-auth-server configuration commands to view the configuration of external Portal authentication.
    2. After starting a browser and entering any network address, a user is redirected to the Portal authentication page. The user then enters the user name and password for authentication.
    3. If the user name and password are correct, an authentication success message is displayed on the Portal authentication page. The user can access the network.
    4. After users go online, you can run the display access-user command on the aggregation router to view information about online Portal authentication users.

Configuration Files

Router configuration file

#
sysname Router
#
vlan batch 10 20
#
portal local-server ip 10.1.1.1
#
authentication-profile name p1
 portal-access-profile web1
 free-rule-template default_free_rule
 access-domain isp1 force
#
portal web-authen-server https ssl-policy abcd
#
dhcp enable
#
radius-server template rd1
 radius-server shared-key cipher %^%#5Cz2!R*M%NaEr^6.].')L/$!!xTKZ<!!!!!!!!!!%^%#
 radius-server authentication 192.168.2.30 1812 weight 80
#
ssl policy abcd type server
 pki-realm default
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.2.31 mask 255.255.255.255
 free-rule 2 source ip 10.1.1.1 mask 255.255.255.255
 free-rule 3 destination ip 10.1.1.1 mask 255.255.255.255
#
web-auth-server abc
 port 50100
 url https://192.168.2.30:8445/portal  
 protocol http
 http-method post login-success response redirect-url https://192.168.2.30/guest/page_name.php
#
portal-access-profile name web1
 web-auth-server abc direct
#
aaa
 authentication-scheme abc
  authentication-mode radius
 domain isp1
  authentication-scheme abc
  radius-server rd1
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
 authentication-profile p1
 dhcp select interface
 dhcp server dns-list 192.168.2.31
#
interface Vlanif20
 ip address 192.168.3.1 255.255.255.0
#
interface Ethernet2/0/0
 port link-type access
 port default vlan 10
#
interface Ethernet2/0/1
 port link-type access
 port default vlan 10
#
interface Ethernet2/0/2
 port link-type access
 port default vlan 20
#
interface LoopBack1
 ip address 10.1.1.1 255.255.255.255
#
http secure-server ssl-policy abcd
#
ip route-static 192.168.2.0 255.255.255.0 192.168.2.1
#
return
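As an added check that is not part of this Huawei document or of the AR-series software, the following Python parses a configuration file in the VRP layout shown above (top-level commands, one-space indented sub-commands, # separators) and verifies that the pieces of the configuration roadmap reference each other: the SSL policy named by portal web-authen-server https has a pki-realm and is also bound to http secure-server, the authentication profile on VLANIF 10 leads through a Portal access profile to a web-auth-server, and the authentication-free rules cover the DNS server handed out by DHCP and the built-in Portal server address. Function and variable names are my own, and the embedded configuration is a constructed excerpt of the router configuration file above.

```python
SAMPLE_CONFIG = """portal local-server ip 10.1.1.1
authentication-profile name p1
 portal-access-profile web1
 free-rule-template default_free_rule
portal web-authen-server https ssl-policy abcd
ssl policy abcd type server
 pki-realm default
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.2.31 mask 255.255.255.255
 free-rule 3 destination ip 10.1.1.1 mask 255.255.255.255
portal-access-profile name web1
 web-auth-server abc direct
interface Vlanif10
 authentication-profile p1
 dhcp server dns-list 192.168.2.31
#
http secure-server ssl-policy abcd
"""  # constructed excerpt of the router configuration file above (only the blocks the check reads)

def parse_vrp(text):  # map each top-level command to its indented sub-commands; '#' closes a block
    blocks, cur = {}, None
    for line in text.splitlines():
        if line.startswith(" "):
            if cur: blocks[cur].append(line.strip())  # deeper nesting (e.g. under aaa) is flattened
        else:
            cur = line.strip() if line.strip() and line[0] != "#" else None
            if cur: blocks.setdefault(cur, [])
    return blocks

def arg(blocks, head, prefix):  # word after `prefix` (which ends in a space) in a sub-command of `head`
    return next((s[len(prefix):].split()[0] for s in blocks.get(head, []) if s.startswith(prefix)), None)

def check_portal_https(text, vlanif="interface Vlanif10"):
    """Return the failed checks; an empty list means the Portal-over-HTTPS chain is consistent."""
    b = parse_vrp(text)
    top = lambda p: next((k[len(p):] for k in b if k.startswith(p)), None)  # same lookup, top level
    pol, local = top("portal web-authen-server https ssl-policy "), top("portal local-server ip ")
    prof = f"authentication-profile name {arg(b, vlanif, 'authentication-profile ')}"
    pap = f"portal-access-profile name {arg(b, prof, 'portal-access-profile ')}"
    rules = " ".join(b.get(f"free-rule-template name {arg(b, prof, 'free-rule-template ')}", []))
    dns = arg(b, vlanif, "dhcp server dns-list ")
    checks = [  # (failed?, message): the HTTPS chain, then the profile chain, then the free rules
        (pol is None, "portal web-authen-server https not enabled"),
        (pol and not arg(b, f"ssl policy {pol} type server", "pki-realm "), f"ssl policy {pol} lacks pki-realm"),
        (pol and f"http secure-server ssl-policy {pol}" not in b, f"http secure-server not bound to ssl-policy {pol}"),
        (not arg(b, pap, "web-auth-server "), f"{vlanif}: authentication-profile/portal-access-profile/web-auth-server chain broken"),
        (dns and f"destination ip {dns} " not in rules, f"no authentication-free rule towards DNS server {dns}"),
        (local and f"destination ip {local} " not in rules, f"no authentication-free rule towards Portal server {local}")]
    return [msg for failed, msg in checks if failed]
```

Pass the text of a saved configuration file (or the output of display current-configuration) instead of SAMPLE_CONFIG to check a real device.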
Updated: 2019-05-20

Document ID: EDOC1100034236