S300, S500, S2700, S5700 and S6700 V200R23C00 Configuration Guide - User Access and Authentication
This document describes the configurations of User Access and Authentication Configuration, including AAA, NAC, Policy Association, and Kerberos Snooping.
Example for Configuring External Portal Authentication (Using the HTTP Protocol)
Networking Requirements
On the network shown in Figure 2-68, users in a company's guest area access the company's intranet through the Switch. Unauthorized access to the internal network can damage the company's service system and cause leakage of key information. Therefore, the administrator requires that the Switch control users' network access rights to ensure internal network security.
For guest users, Portal authentication is used and the RADIUS server authenticates the users.
Procedure
- Configure network connectivity.
# Create VLANs, configure the allowed VLANs on interfaces, and configure IP addresses for interfaces.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 20
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.10 24
[Switch-Vlanif20] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.10 24
[Switch-Vlanif10] quit
- Configure AAA.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher YsHsjx_202206
[Switch-radius-rd1] quit
# Create the AAA authentication scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit
# Create the authentication domain example.com, and bind the AAA authentication scheme abc and RADIUS server template rd1 to the domain.
[Switch-aaa] domain example.com
[Switch-aaa-domain-example.com] authentication-scheme abc
[Switch-aaa-domain-example.com] radius-server rd1
[Switch-aaa-domain-example.com] quit
[Switch-aaa] quit
# Check whether a user can pass RADIUS authentication. (The test user test and password YsHsjx_2022061 have been configured on the RADIUS server.)
[Switch] test-aaa test YsHsjx_2022061 radius-template rd1
Info: Account test succeeded.
- Configure Portal authentication.
# Set the NAC mode to unified.
By default, the unified mode is enabled. After the NAC mode is changed, the device automatically restarts.
[Switch] authentication unified-mode
# Enable the HTTP-based Portal interconnection function. In V200R020C10SPC100 and later versions, you also need to set the local gateway address used to receive and respond to the packets sent by terminals to 192.168.2.10.
[Switch] portal web-authen-server http
[Switch] portal web-authen-server server-source ip-address 192.168.2.10
# Configure the URL template abc.
[Switch] url-template name abc
[Switch-url-template-abc] url http://192.168.2.30:8080/portal
[Switch-url-template-abc] url-parameter login-url switch_url http://192.168.1.10:8000
[Switch-url-template-abc] quit
The login-url parameter is used by terminals to send account information to the device. If a Portal server does not support the login URL setting, you need to run the url-parameter command with the login-url parameter specified, so that terminals can send the login URL to the Portal server. In the URL specified by the login-url parameter, the IP address is the switch's local IP address (permitted in the authentication-free rule profile to ensure Layer 3 reachability between terminals and the switch), and the port number is that specified using the portal web-authen-server http command (8000 by default).
# Configure the Portal server template abc.
[Switch] web-auth-server abc
[Switch-web-auth-server-abc] server-ip 192.168.2.30
[Switch-web-auth-server-abc] protocol http
[Switch-web-auth-server-abc] http-method post cmd-key cmd1
[Switch-web-auth-server-abc] url http://192.168.2.30:8080/portal
[Switch-web-auth-server-abc] url-template abc
[Switch-web-auth-server-abc] quit
In this example, only the cmd-key parameter is configured in the http-method post command, and other parameters for parsing POST request packets use the default values. These parameter values must be the same as those on the Portal server; otherwise, the Switch fails to communicate with the Portal server.
# Configure a Portal access profile named web1.
[Switch] portal-access-profile name web1
[Switch-portal-access-profile-web1] web-auth-server abc direct
[Switch-portal-access-profile-web1] quit
# Configure an authentication-free rule profile. If users access the network using domain names, the device must allow DNS packets destined for the DNS server to pass through. The following configuration assumes that the IP address of the DNS server is 192.168.3.10.
[Switch] free-rule-template name default_free_rule
[Switch-free-rule-default_free_rule] free-rule 1 destination ip 192.168.3.10 mask 24
[Switch-free-rule-default_free_rule] quit
# Configure the authentication profile p1, bind the Portal access profile web1 to the authentication profile, specify the domain example.com as the forcible authentication domain in the authentication profile, set the user access mode to multi-authen (indicating that the device allows multiple users to go online and authenticates each user), and set the maximum number of access users to 100.
[Switch] authentication-profile name p1
[Switch-authen-profile-p1] portal-access-profile web1
[Switch-authen-profile-p1] access-domain example.com force
[Switch-authen-profile-p1] authentication mode multi-authen max-user 100
[Switch-authen-profile-p1] quit
# Bind the authentication profile p1 to GE0/0/1 and enable Portal authentication on the interface.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] authentication-profile p1
[Switch-GigabitEthernet0/0/1] quit
- Verify the configuration.
- After a user opens a browser and enters any website address, the user is redirected to the Portal authentication page. The user then enters the user name and password for authentication.
- If the user name and password are correct, an authentication success message is displayed on the Portal authentication page. The user can access the network.
- After users go online, you can run the display access-user access-type portal command on the access device to view information about online Portal authentication users.
Configuration Files
#
 sysname Switch
#
vlan batch 10 20
#
authentication-profile name p1
 portal-access-profile web1
 access-domain example.com force
 authentication mode multi-authen max-user 100
#
radius-server template rd1
 radius-server authentication 192.168.2.30 1812
 radius-server shared-key cipher %^%#b<4UC_J36%l@*;E]1\s6fJIY85mHu68SrhKtU%"B%^%#
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.3.10 mask 24
#
url-template name abc
 url http://192.168.2.30:8080/portal
 url-parameter login-url switch_url http://192.168.1.10:8000
#
web-auth-server abc
 server-source ip-address 192.168.2.10 //V200R020C10SPC100 and later versions: You also need to configure the local gateway address used by the device to receive and respond to packets sent by the Portal server, so that Portal authentication can be used.
 server-ip 192.168.2.30
 protocol http
 http-method post cmd-key cmd1
 url http://192.168.2.30:8080/portal
 url-template abc
#
portal-access-profile name web1
 web-auth-server abc direct
#
interface gigabitethernet 0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 authentication-profile p1
#
interface gigabitethernet 0/0/2
 port link-type access
 port default vlan 20
#
interface vlanif 10
 ip address 192.168.1.10 255.255.255.0
#
interface vlanif 20
 ip address 192.168.2.10 255.255.255.0
#
aaa
 authentication-scheme abc
  authentication-mode radius
 domain example.com
  authentication-scheme abc
  radius-server rd1
#
portal web-authen-server http
portal web-authen-server server-source ip-address 192.168.2.10
#
return
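The following Python script is an added example and is not part of this guide or of the device software. It parses the configuration-file format shown above and checks that the reference chain authentication-profile -> portal-access-profile -> web-auth-server -> url-template resolves to defined blocks and that the Portal server template uses protocol http, which is the misconfiguration most likely to leave Portal users unable to be redirected. The embedded configuration is a constructed, condensed copy of the one above; the block headers and the CHAIN table are assumptions that match this example only.

```python
import re

# Constructed sample: the Configuration Files section above, condensed to the Portal chain.
SAMPLE_CONFIG = """\
authentication-profile name p1
 portal-access-profile web1
#
url-template name abc
 url http://192.168.2.30:8080/portal
#
web-auth-server abc
 protocol http
 url-template abc
#
portal-access-profile name web1
 web-auth-server abc direct
"""

# Each link: regex that pulls the referenced name out of the current block, the
# header of the block it must resolve to, and a line that block must contain.
CHAIN = [(r"portal-access-profile (\S+)", "portal-access-profile name {}", None),
         (r"web-auth-server (\S+)", "web-auth-server {}", "protocol http"),
         (r"url-template (\S+)", "url-template name {}", None)]

def parse_blocks(cfg):
    """Split a Huawei-style config on its '#' lines into {header: [body lines]}."""
    out = {}
    for chunk in cfg.split("\n#"):
        lines = [line.strip() for line in chunk.splitlines() if line.strip()]
        if lines:
            out[lines[0]] = lines[1:]
    return out

def check_portal_chain(cfg):
    """Walk CHAIN from every authentication-profile; one message per broken chain."""
    b, problems = parse_blocks(cfg), []
    for hdr, body in b.items():
        if not hdr.startswith("authentication-profile name "):
            continue
        for pattern, fmt, required in CHAIN:
            names = [m.group(1) for line in body if (m := re.match(pattern, line))]
            target = fmt.format(names[0] if names else "<unset>")
            body = b.get(target)
            if body is None or (required and required not in body):
                why = "block not found" if body is None else f"'{required}' missing"
                problems.append(f"{hdr} -> {target}: {why}")
                break
            hdr = target
    return problems
```

An empty list from check_portal_chain means every reference in the chain resolves; run it against the output of display current-configuration after the procedure above to catch a renamed or missing template before users are affected.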