
CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Configuring Layer 3 External Portal Authentication

Networking Requirements

As shown in Figure 3-16, an enterprise needs to deploy an identity authentication system in reception rooms to implement access control on visitors who attempt to connect to the enterprise network, ensuring that only authenticated users can access the network. To facilitate future network reconstruction and save investment, it is required that the authentication control point be deployed on the core device.

Portal authentication is flexible to deploy and suits mobile users. The core device RouterA and the visitors' terminals communicate at Layer 3, so Layer 3 Portal authentication can be deployed on RouterA. RouterA works with the RADIUS server (which integrates the Portal server) to control network access for visitors who attempt to connect to the enterprise network.

Figure 3-16  Networking diagram for configuring Layer 3 external Portal authentication

Configuration Roadmap

The following configurations are performed on RouterA. The configuration roadmap is as follows:

  1. Configure network interconnections.
  2. Configure AAA on RouterA to implement identity authentication on access users through the RADIUS server. The configuration includes configuring a RADIUS server template, an AAA scheme, and an authentication domain, and binding the RADIUS server template and AAA scheme to the authentication domain.
  3. Configure Portal authentication to control network access rights of the visitors in the visitor area. The configuration includes:
    1. Configure a Portal server template.
    2. Configure a Portal access profile.
    3. Configure an authentication-free rule profile.
    4. Configure an authentication profile.
    5. Enable Portal authentication on an interface.
NOTE:

Before performing operations in this example, ensure that user access terminals and the server can communicate.

This example only provides the configurations on the Router. The configurations on the LAN switch and RADIUS server are not provided here.

Parameters including the RADIUS authentication shared key, RADIUS accounting shared key, Portal shared key, accounting interval, and port number must be kept consistent on the router and server.

Procedure

  1. Configure RouterB to ensure network connectivity.

    # Create VLAN 10.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] vlan batch 10
    

    # On RouterB, configure Eth2/0/0 and Eth2/0/1 connecting to users as access interfaces, and add Eth2/0/0 and Eth2/0/1 to VLAN 10.

    [RouterB] interface ethernet 2/0/0
    [RouterB-Ethernet2/0/0] port link-type access
    [RouterB-Ethernet2/0/0] port default vlan 10 
    [RouterB-Ethernet2/0/0] quit
    [RouterB] interface ethernet 2/0/1
    [RouterB-Ethernet2/0/1] port link-type access
    [RouterB-Ethernet2/0/1] port default vlan 10 
    [RouterB-Ethernet2/0/1] quit

    # On RouterB, configure an IP address for GE1/0/0 connecting to RouterA.

    [RouterB] interface gigabitEthernet 1/0/0
    [RouterB-GigabitEthernet1/0/0] ip address 192.168.1.2 24
    [RouterB-GigabitEthernet1/0/0] quit

    # Configure an IP address for VLANIF 10 and configure VLANIF 10 as the DHCP relay agent.

    [RouterB] dhcp enable
    [RouterB] interface vlanif 10
    [RouterB-Vlanif10] ip address 10.10.10.1 24
    [RouterB-Vlanif10] dhcp select relay
    [RouterB-Vlanif10] dhcp relay server-ip 192.168.1.1
    [RouterB-Vlanif10] quit

    # Configure the default route.

    [RouterB] ip route-static 0.0.0.0 0.0.0.0 192.168.1.1

  2. Configure RouterA to ensure network connectivity.

    # Enter the system view, set the device name to RouterA, and configure an IP address for GE1/0/0 connecting to RouterB.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitEthernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 24
    [RouterA-GigabitEthernet1/0/0] quit

    # On RouterA, configure an IP address for GE2/0/0 connecting to the server area.

    [RouterA] interface gigabitEthernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] ip address 192.168.3.1 24
    [RouterA-GigabitEthernet2/0/0] quit

    # Enable the DHCP server function, and configure the DHCP server to assign IP addresses to terminals and notify the terminals of the DNS server address and gateway address.

    [RouterA] dhcp enable
    [RouterA] ip pool pool1
    [RouterA-ip-pool-pool1] network 10.10.10.0 mask 24
    [RouterA-ip-pool-pool1] gateway-list 10.10.10.1
    [RouterA-ip-pool-pool1] dns-list 192.168.2.31
    [RouterA-ip-pool-pool1] quit
    [RouterA] interface gigabitEthernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] dhcp select global
    [RouterA-GigabitEthernet1/0/0] quit

    # Configure static routes from RouterA to user terminals and the server area, respectively. In this example, the IP address for the server area to connect to RouterA is 192.168.2.1.

    [RouterA] ip route-static 10.10.10.0 255.255.255.0 192.168.1.2
    [RouterA] ip route-static 192.168.2.0 255.255.255.0 192.168.2.1

  3. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.

    # Create and configure the RADIUS server template rd1.

    [RouterA] radius-server template rd1
    [RouterA-radius-rd1] radius-server authentication 192.168.2.30 1812
    [RouterA-radius-rd1] radius-server shared-key cipher Huawei@2012
    [RouterA-radius-rd1] quit

    # Create the AAA authentication scheme abc and set the authentication mode to RADIUS.

    [RouterA] aaa
    [RouterA-aaa] authentication-scheme abc
    [RouterA-aaa-authen-abc] authentication-mode radius
    [RouterA-aaa-authen-abc] quit

    # Create the authentication domain isp1, and bind the AAA authentication scheme abc and RADIUS server template rd1 to the domain.

    [RouterA-aaa] domain isp1
    [RouterA-aaa-domain-isp1] authentication-scheme abc
    [RouterA-aaa-domain-isp1] radius-server rd1
    [RouterA-aaa-domain-isp1] quit
    [RouterA-aaa] quit

    # Check whether a user can pass RADIUS authentication. (The test user test@huawei.com and password Huawei2012 have been configured on the RADIUS server.)

    [RouterA] test-aaa test@huawei.com Huawei2012 radius-template rd1
    Info: Account test succeed.

  4. Configure Portal authentication.

    # Configure the Portal server template abc.

    [RouterA] web-auth-server abc
    [RouterA-web-auth-server-abc] server-ip 192.168.2.30
    [RouterA-web-auth-server-abc] port 50200
    [RouterA-web-auth-server-abc] url http://192.168.2.30:8080/webagent
    [RouterA-web-auth-server-abc] shared-key cipher Huawei@123
    [RouterA-web-auth-server-abc] quit

    # Configure the Portal access profile web1.

    [RouterA] portal-access-profile name web1
    [RouterA-portal-acces-profile-web1] web-auth-server abc layer3
    [RouterA-portal-acces-profile-web1] quit

    # Configure the authentication-free rule profile default_free_rule to allow packets to the DNS server (192.168.2.31) and the DHCP server (192.168.1.1) to pass through before authentication.

    [RouterA] free-rule-template name default_free_rule
    [RouterA-free-rule-default_free_rule] free-rule 1 destination ip 192.168.2.31 mask 32
    [RouterA-free-rule-default_free_rule] free-rule 2 destination ip 192.168.1.1 mask 32
    [RouterA-free-rule-default_free_rule] quit

    NOTE:

    Authentication-free rules take effect immediately after being configured in an authentication-free rule profile. It is unnecessary to bind the authentication-free rule profile to an authentication profile.

    # Configure the authentication profile p1, bind the Portal access profile web1 and authentication-free rule profile default_free_rule to the authentication profile, and specify the domain isp1 as the forcible authentication domain in the authentication profile.

    [RouterA] authentication-profile name p1
    [RouterA-authen-profile-p1] portal-access-profile web1
    [RouterA-authen-profile-p1] access-domain isp1 force
    [RouterA-authen-profile-p1] free-rule-template default_free_rule
    [RouterA-authen-profile-p1] quit

    # Bind the authentication profile p1 to GE1/0/0 and enable Portal authentication on the interface.

    [RouterA] interface gigabitEthernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] authentication-profile p1
    [RouterA-GigabitEthernet1/0/0] quit

  5. Verify the configuration.

    1. Run the display portal and display web-auth-server configuration commands on RouterA to view the external Portal authentication configuration. The web-auth-server abc layer3 line in the output shows that the Portal server template has been bound to GE1/0/0 through the Portal access profile web1 and the authentication profile p1.
    2. After a user opens the browser and enters any website address, the user will be redirected to the Portal authentication page. The user then can enter the user name and password for authentication.
    3. If the user name and password are correct, an authentication success message is displayed on the Portal authentication page. The user can access the network.
    4. After users go online, you can run the display access-user command on RouterA to view information about online Portal authentication users.

Configuration Files

  • RouterA configuration file

    #
    sysname RouterA
    #
    authentication-profile name p1
     portal-access-profile web1
     free-rule-template default_free_rule
     access-domain isp1 force
    #
    dhcp enable
    #
    radius-server template rd1
     radius-server shared-key cipher %^%#5Cz2!R*M%NaEr^6.].')L/$!!xTKZ<!!!!!!!!!!%^%#
     radius-server authentication 192.168.2.30 1812 weight 80
    #
    free-rule-template name default_free_rule
     free-rule 1 destination ip 192.168.2.31 mask 255.255.255.255
     free-rule 2 destination ip 192.168.1.1 mask 255.255.255.255
    #
    web-auth-server abc
     server-ip 192.168.2.30
     port 50200
     shared-key cipher %^%#'=oP;*.KKUSPqB7M5Cf2G)!!!t/&,$!!!!!!!!!!%^%#
     url http://192.168.2.30:8080/webagent
    #
    portal-access-profile name web1
     web-auth-server abc layer3
    #
    ip pool pool1
     gateway-list 10.10.10.1
     network 10.10.10.0 mask 255.255.255.0
     dns-list 192.168.2.31
    #
    aaa
     authentication-scheme abc
      authentication-mode radius
     domain isp1
      authentication-scheme abc
      radius-server rd1
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.1.1 255.255.255.0
     authentication-profile p1
     dhcp select global
    #
    interface GigabitEthernet2/0/0
     ip address 192.168.3.1 255.255.255.0
    #
    ip route-static 10.10.10.0 255.255.255.0 192.168.1.2
    ip route-static 192.168.2.0 255.255.255.0 192.168.2.1
    #
    return
    
  • RouterB configuration file

    #
    sysname RouterB
    #
    vlan batch 10
    #
    dhcp enable
    #
    interface Vlanif10
     ip address 10.10.10.1 255.255.255.0
     dhcp select relay
     dhcp relay server-ip 192.168.1.1
    #
    interface Ethernet2/0/0
     port link-type access
     port default vlan 10
    #
    interface Ethernet2/0/1
     port link-type access
     port default vlan 10
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.1.2 255.255.255.0
    #
    ip route-static 0.0.0.0 0.0.0.0 192.168.1.1
    #
    return
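
The Portal chain in RouterA's configuration file above spans several objects (interface, authentication profile, Portal access profile, Portal server template, AAA domain, RADIUS template, authentication-free rule profile), and a single stale reference or a free rule pointing at the wrong DNS address leaves visitors unable to reach the login page. The following Python script is an added example, not part of this Huawei document: it parses a trimmed copy of RouterA's configuration file (embedded inline, with the cipher text replaced by a placeholder) and walks that chain, reporting every broken link and every DHCP-advertised DNS server that no free rule covers. The check list and message wording are this example's own choices.

```python
import ipaddress
import itertools
import re

# Trimmed copy of RouterA's configuration file from this example; cipher text replaced by a placeholder.
ROUTER_A = """\
#
authentication-profile name p1
 portal-access-profile web1
 free-rule-template default_free_rule
 access-domain isp1 force
#
radius-server template rd1
 radius-server shared-key cipher %^%#<ciphertext-placeholder>%^%#
 radius-server authentication 192.168.2.30 1812 weight 80
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.2.31 mask 255.255.255.255
 free-rule 2 destination ip 192.168.1.1 mask 255.255.255.255
#
web-auth-server abc
 server-ip 192.168.2.30
 shared-key cipher %^%#<ciphertext-placeholder>%^%#
 url http://192.168.2.30:8080/webagent
#
portal-access-profile name web1
 web-auth-server abc layer3
#
ip pool pool1
 dns-list 192.168.2.31
#
aaa
 domain isp1
  authentication-scheme abc
  radius-server rd1
#
interface GigabitEthernet1/0/0
 authentication-profile p1
#
return
"""


def parse_vrp(text):
    """Split a VRP configuration into '#'-delimited blocks of (indent, line) tuples."""
    blocks, cur = [], []
    for raw in text.splitlines():
        s = raw.strip()
        if s == "#":
            blocks, cur = blocks + ([cur] if cur else []), []
        elif s and s != "return":
            cur.append((len(raw) - len(raw.lstrip()), s))
    return blocks + ([cur] if cur else [])


def section(blocks, header, child=None):
    """Lines under the block headed `header`; with `child`, only the lines nested under that child."""
    for b in blocks:
        if b[0][1] != header:
            continue
        if child is None:
            return [t for _, t in b[1:]]
        for i, (ind, t) in enumerate(b):
            if t == child:
                return [t2 for _, t2 in itertools.takewhile(lambda x: x[0] > ind, b[i + 1:])]
    return None


def arg(lines, prefix):
    """Argument string of the first line starting with `prefix`, or None."""
    for l in lines or []:
        if l.startswith(prefix + " "):
            return l[len(prefix) + 1:]
    return None


def audit_portal(config):
    """Follow interface -> authentication profile -> Portal, AAA and free-rule objects; return findings."""
    blocks, findings = parse_vrp(config), []
    dns = {ip for b in blocks if b[0][1].startswith("ip pool ")
           for _, l in b[1:] if l.startswith("dns-list ") for ip in l.split()[1:]}
    for b in blocks:
        hdr, prof = b[0][1], arg([t for _, t in b[1:]], "authentication-profile")
        if not hdr.startswith("interface ") or prof is None:
            continue
        p = section(blocks, f"authentication-profile name {prof}")
        if p is None:
            findings.append(f"{hdr}: authentication-profile {prof} is not defined")
            continue
        # Portal access profile -> Portal server template (needs server-ip, shared-key and url)
        pap = section(blocks, f"portal-access-profile name {arg(p, 'portal-access-profile')}")
        srv = (arg(pap, "web-auth-server") or "").split()[:1]
        w = section(blocks, f"web-auth-server {srv[0]}") if srv else None
        if w is None:
            findings.append(f"{prof}: Portal access profile or Portal server template is missing")
        else:
            findings += [f"web-auth-server {srv[0]}: {k} not set"
                         for k in ("server-ip", "shared-key", "url") if arg(w, k) is None]
        # forcible domain -> RADIUS server template that names an authentication server
        dom = (arg(p, "access-domain") or "").split()[:1]
        d = section(blocks, "aaa", f"domain {dom[0]}") if dom else None
        t = section(blocks, f"radius-server template {arg(d, 'radius-server')}")
        if t is None or arg(t, "radius-server authentication") is None:
            findings.append(f"{prof}: domain/RADIUS template chain is broken (no authentication server)")
        # every DNS server handed out by DHCP must be reachable before authentication
        frt = arg(p, "free-rule-template")
        nets = [ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
                for l in section(blocks, f"free-rule-template name {frt}") or []
                if (m := re.match(r"free-rule \d+ destination ip (\S+) mask (\S+)", l))]
        findings += [f"{frt}: DNS server {ip} is not matched by any free-rule"
                     for ip in sorted(dns) if not any(ipaddress.ip_address(ip) in n for n in nets)]
    return findings
```

Run against the configuration as shown, audit_portal returns an empty list; change the first free rule to any other address, or delete the radius-server line under domain isp1, and the corresponding finding names the object to fix. The parser relies only on the two conventions visible in the files above (blocks separated by lines containing a lone #, nesting expressed by leading spaces), so it can be pointed at the output of display current-configuration from RouterA after a change.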
    
Updated: 2019-05-20

Document ID: EDOC1100034236