配置外置Portal认证示例(命令行)
外置Portal认证简介
Portal认证是网络接入控制方案(NAC)中的一种,Portal认证通常也称为Web认证。用户上网时,必须在门户网站进行认证,只有认证通过后才可以使用网络资源。Portal认证支持Portal2.0、HTTP和HTTPS协议认证,在AC与Aruba ClearPass对接场景中,Portal认证是采用基于HTTPS和HTTP协议认证方式。
AC和Aruba ClearPass对接时,Portal认证支持HTTPS和HTTP认证方式,本举例以HTTPS认证方式为例,HTTP认证方式的配置与之类似。
对于设备侧配置,如果您只需查阅外置Portal认证相关的配置方法,请直接参见在AC上配置外置Portal认证。
如果您只需查阅Aruba ClearPass服务器侧的配置方法,请直接参见配置Aruba ClearPass。
数据规划
配置项 |
数据 |
---|---|
管理VLAN |
VLAN100 |
业务VLAN |
VLAN101 |
DHCP服务器 |
AC作为DHCP服务器为AP分配IP地址,汇聚交换机SwitchB作为DHCP服务器为STA分配IP地址 |
AP的IP地址池 |
10.23.100.2~10.23.100.254/24 |
STA的IP地址池 |
10.23.101.2~10.23.101.254/24 |
AC的源接口IP地址池 |
VLANIF100:10.23.100.1/24 |
AC与服务器通信的IP地址 |
10.23.102.2 |
AC与用户通信的IP地址 |
10.0.0.1 |
AP组 |
|
域管理模板 |
|
SSID模板 |
|
安全模板 |
|
Portal认证参数 |
Portal认证方案名称:wlan-net Portal服务器模板名称:wlan-net,其中:
|
Portal接入模板 |
|
认证模板 |
|
VAP模板 |
|
操作步骤
- 配置网络互通
# 配置接入交换机SwitchA的接口GE0/0/1和GE0/0/2加入VLAN100和VLAN101。
<HUAWEI> system-view [HUAWEI] sysname SwitchA [SwitchA] vlan batch 100 101 [SwitchA] interface gigabitethernet 0/0/1 [SwitchA-GigabitEthernet0/0/1] port link-type trunk [SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100 [SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 [SwitchA-GigabitEthernet0/0/1] port-isolate enable [SwitchA-GigabitEthernet0/0/1] quit [SwitchA] interface gigabitethernet 0/0/2 [SwitchA-GigabitEthernet0/0/2] port link-type trunk [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 [SwitchA-GigabitEthernet0/0/2] quit
# 配置汇聚交换机SwitchB的接口GE0/0/1加入VLAN100和VLAN101,GE0/0/2加入VLAN100和VLAN102,GE0/0/3加入VLAN103,GE0/0/4加入VLAN104,创建VLANIF102、VLANIF103和VLANIF104接口,并配置下一跳为Router的缺省路由。<HUAWEI> system-view [HUAWEI] sysname SwitchB [SwitchB] vlan batch 100 to 104 [SwitchB] interface gigabitethernet 0/0/1 [SwitchB-GigabitEthernet0/0/1] port link-type trunk [SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 [SwitchB-GigabitEthernet0/0/1] quit [SwitchB] interface gigabitethernet 0/0/2 [SwitchB-GigabitEthernet0/0/2] port link-type trunk [SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102 [SwitchB-GigabitEthernet0/0/2] quit [SwitchB] interface gigabitethernet 0/0/3 [SwitchB-GigabitEthernet0/0/3] port link-type trunk [SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103 [SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103 [SwitchB-GigabitEthernet0/0/3] quit [SwitchB] interface gigabitethernet 0/0/4 [SwitchB-GigabitEthernet0/0/4] port link-type trunk [SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104 [SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104 [SwitchB-GigabitEthernet0/0/4] quit [SwitchB] interface vlanif 102 [SwitchB-Vlanif102] ip address 10.23.102.1 24 [SwitchB-Vlanif102] quit [SwitchB] interface vlanif 103 [SwitchB-Vlanif103] ip address 10.23.103.2 24 [SwitchB-Vlanif103] quit [SwitchB] interface vlanif 104 [SwitchB-Vlanif104] ip address 10.23.104.1 24 [SwitchB-Vlanif104] quit [SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# 配置AC的接口GE0/0/1加入VLAN100和VLAN102,创建VLANIF102接口,并配置指向RADIUS服务器的静态路由。<AC6605> system-view [AC6605] sysname AC [AC] vlan batch 100 101 102 [AC] interface gigabitethernet 0/0/1 [AC-GigabitEthernet0/0/1] port link-type trunk [AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102 [AC-GigabitEthernet0/0/1] quit [AC] interface vlanif 102 [AC-Vlanif102] ip address 10.23.102.2 24 [AC-Vlanif102] quit [AC] ip route-static 10.23.103.0 24 10.23.102.1
- 配置AC作为DHCP服务器为AP分配IP地址,SwitchB作为DHCP服务器为STA分配IP地址
# 在AC上配置VLANIF100接口为AP提供IP地址。
[AC] dhcp enable [AC] interface vlanif 100 [AC-Vlanif100] ip address 10.23.100.1 24 [AC-Vlanif100] dhcp select interface [AC-Vlanif100] quit
# 在SwitchB上配置VLANIF101接口为STA提供IP地址。DNS服务器地址请根据实际需要配置。常用配置方法如下:- 接口地址池场景,需要在VLANIF接口视图下执行命令dhcp server dns-list ip-address &<1-8>。
- 全局地址池场景,需要在IP地址池视图下执行命令dns-list ip-address &<1-8>。
[SwitchB] dhcp enable [SwitchB] interface vlanif 101 [SwitchB-Vlanif101] ip address 10.23.101.1 24 [SwitchB-Vlanif101] dhcp select interface [SwitchB-Vlanif101] quit
# 配置指向10.0.0.1的静态路由。[SwitchB] ip route-static 10.0.0.1 32 10.23.102.2
- 配置AP上线
# 创建AP组,用于将相同配置的AP都加入同一AP组中。
[AC] wlan [AC-wlan-view] ap-group name ap-group1 [AC-wlan-ap-group-ap-group1] quit
# 创建域管理模板,在域管理模板下配置AC的国家码并在AP组下引用域管理模板。
[AC-wlan-view] regulatory-domain-profile name default [AC-wlan-regulate-domain-default] country-code cn [AC-wlan-regulate-domain-default] quit [AC-wlan-view] ap-group name ap-group1 [AC-wlan-ap-group-ap-group1] regulatory-domain-profile default Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continu e?[Y/N]:y [AC-wlan-ap-group-ap-group1] quit [AC-wlan-view] quit
# 配置AC的源接口。
[AC] capwap source interface vlanif 100
# 在AC上离线导入AP,并将AP加入AP组“ap-group1”中。假设AP的MAC地址为60de-4476-e360,并且根据AP的部署位置为AP配置名称,便于从名称上就能够了解AP的部署位置。例如MAC地址为60de-4476-e360的AP部署在1号区域,命名此AP为area_1。ap auth-mode命令缺省情况下为MAC认证,如果之前没有修改其缺省配置,可以不用执行ap auth-mode mac-auth。
举例中使用的AP为AP5030DN,具有射频0和射频1两个射频。AP5030DN的射频0为2.4GHz射频,射频1为5GHz射频。
[AC] wlan [AC-wlan-view] ap auth-mode mac-auth [AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360 [AC-wlan-ap-0] ap-name area_1 [AC-wlan-ap-0] ap-group ap-group1 Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y [AC-wlan-ap-0] quit
# 将AP上电后,当执行命令display ap all查看到AP的“State”字段为“nor”时,表示AP正常上线。
[AC-wlan-view] display ap all Total AP information: nor : normal [1] ------------------------------------------------------------------------------------------------- ID MAC Name Group IP Type State STA Uptime ExtraInfo ------------------------------------------------------------------------------------------------- 0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S - ------------------------------------------------------------------------------------------------- Total: 1
- 在AC上配置外置Portal认证
- 配置Aruba Clearpass
- 在AC上测试用户是否能够通过RADIUS认证
[AC] test-aaa test@huawei.com 470541 radius-template wlan-net Info: Account test succeed.
- 检查配置结果
- 完成配置后,用户可通过无线终端搜索到SSID为wlan-net的无线网络。
- STA关联到无线网络上后,能够被分配相应的IP地址。
- STA上打开浏览器访问网络时,会自动跳转到外置Portal服务器提供的认证页面,在页面上输入正确的用户名和密码后,STA认证成功并可以正常访问网络。
无线用户接入后,在AC上执行命令display access-user access-type,可以看到用户的在线信息。
[AC] display access-user access-type portal ------------------------------------------------------------------------------ UserID Username IP address MAC Status ------------------------------------------------------------------------------ 460 huawei 10.23.101.254 8000-6e74-e78a Success ------------------------------------------------------------------------------ Total: 1, printed: 1
配置文件
SwitchA的配置文件
# sysname SwitchA # vlan batch 100 to 101 # interface GigabitEthernet0/0/1 port link-type trunk port trunk pvid vlan 100 port trunk allow-pass vlan 100 to 101 port-isolate enable group 1 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 100 to 101 # return
SwitchB的配置文件
# sysname SwitchB # vlan batch 100 to 104 # dhcp enable # interface Vlanif101 ip address 10.23.101.1 255.255.255.0 dhcp select interface # interface Vlanif102 ip address 10.23.102.1 255.255.255.0 # interface Vlanif103 ip address 10.23.103.2 255.255.255.0 # interface Vlanif104 ip address 10.23.104.1 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 100 to 101 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 100 102 # interface GigabitEthernet0/0/3 port link-type trunk port trunk pvid vlan 103 port trunk allow-pass vlan 103 # interface GigabitEthernet0/0/4 port link-type trunk port trunk pvid vlan 104 port trunk allow-pass vlan 104 # ip route-static 0.0.0.0 0.0.0.0 10.23.104.2 ip route-static 10.0.0.1 255.255.255.255 10.23.102.2 # return
Router的配置文件
# sysname Router # interface GigabitEthernet0/0/1 ip address 10.23.104.2 255.255.255.0 # ip route-static 10.23.101.0 255.255.255.0 10.23.104.1 # return
AC的配置文件
# sysname AC # http secure-server ssl-policy sslserver http server enable # portal https-redirect enable # vlan batch 100 102 # authentication-profile name wlan-net portal-access-profile wlan-net free-rule-template default authentication-scheme wlan-net radius-server wlan-net # portal web-authen-server https ssl-policy sslserver # dhcp enable # radius-server template wlan-net radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%# radius-server authentication 10.23.103.1 1812 source ip-address 10.23.102.2 weight 80 radius-attribute set NAS-Identifier huaweiac # pki realm abc pki import-certificate ca realm abc pem filename rootca.pem pki import-certificate local realm abc pkcs12 filename localcert.p12 pki import rsa-key-pair key1 pkcs12 localcert.p12 password Huawei@123 # ssl policy sslserver type server pki-realm abc version tls1.0 tls1.1 tls1.2 ciphersuite rsa_aes_128_sha256 rsa_aes_256_sha256 # free-rule-template name default free-rule 0 destination ip 10.0.0.1 mask 255.255.255.255 # web-auth-server wlan-net server-ip 10.23.103.1 url https://10.23.103.1/guest/huawei.php source-ip 10.23.102.2 protocol http # portal-access-profile name wlan-net web-auth-server wlan-net layer3 # aaa authentication-scheme wlan-net authentication-mode radius # interface Vlanif100 ip address 10.23.100.1 255.255.255.0 dhcp select interface # interface Vlanif102 ip address 10.23.102.2 255.255.255.0 interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 100 102 # interface LoopBack0 ip address 10.0.0.1 255.255.255.255 # ip route-static 10.23.103.0 255.255.255.0 10.23.102.1 # capwap source interface vlanif100 # wlan security-profile name wlan-net ssid-profile name wlan-net ssid wlan-net vap-profile name wlan-net service-vlan vlan-id 101 ssid-profile wlan-net security-profile wlan-net authentication-profile wlan-net regulatory-domain-profile name default ap-group name ap-group1 radio 0 vap-profile wlan-net wlan 1 radio 1 vap-profile wlan-net wlan 1 ap-id 0 ap-mac 60de-4476-e360 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042 ap-name area_1 ap-group ap-group1 # return