
H3C S12500 Portal Configuration Examples

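Copyright © 2013 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

No part of this document may be excerpted, reproduced, or transmitted in any form by any organization or individual without the prior written consent of the company. The information in this document is subject to change without notice.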



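1  Introduction

This document provides IPv4 Portal configuration examples.

Portal authentication, also commonly called Web authentication, accepts the username and password that a user enters on a Web page and authenticates the user's identity in order to control the user's network access.

2  Prerequisites

The configurations in this document were performed and verified in a lab environment, and all device parameters were at their factory defaults before configuration. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in the following examples.

This document assumes that you are familiar with the Portal feature.

3  Restrictions

·     If a QoS policy is configured on the same VLAN, on an interface that belongs to the VLAN, or globally, and Portal authentication is also configured, Portal authentication does not take effect.

·     Because a Portal client is identified by its IP address, no device configured with NAT (Network Address Translation) may sit between the authentication client, the access device, the Portal server, and the AAA server when the Portal service is used. Otherwise, address translation causes authentication to fail.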

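4  Layer 3 Portal authentication configuration example

4.1  Network requirements

·     As shown in Figure 1, Department A clients access the company core network through Switch A -> Switch B. Configure Portal on Switch B to control Department A's network access.

·     Before passing Portal authentication, users in Department A can access only the Portal server and cannot access other internal networks or the Internet. After passing authentication, users can access the network normally.

·     A RADIUS server performs authentication, authorization, and accounting for Portal users.

·     A shared key is configured on the RADIUS server and the client to secure the packets exchanged between them.

Figure 1 Network diagram for Layer 3 Portal authentication

4.2  Configuration approach

·     To apply Portal authentication to Department A's network access, configure the Portal server on Switch B and enable Portal authentication.

·     To authenticate, authorize, and account for Portal users through RADIUS, configure a RADIUS scheme on Switch B, specify the authentication, authorization, and accounting servers, and apply the scheme to the authentication domain that the Portal users belong to.

·     To transfer user passwords securely between Switch B and the RADIUS server, and to let Switch B verify that RADIUS server responses have not been tampered with, configure the shared key used for exchanged packets on both Switch B and the RADIUS server.

4.3  Software version

This example was configured and verified on S12500-CMW520-R1825P01.

4.4  Configuration guidelines

Currently only a RADIUS server can be used to authenticate, authorize, and account for Portal users. The server must also have routes configured so that it can reach the authentication port and the network segment where user IP addresses reside.

4.5  Configuration procedure

Note

Make sure the corresponding configuration has been completed on the RADIUS server and the Portal server, for example, setting the shared key for packets exchanged with the Switch to imc. The detailed configuration steps are omitted.

# Configure interface IP addresses and a routing protocol on each device so that the devices are reachable from each other at Layer 3. On Switch A, configure a default route to the 10.0.10.0/24 network segment with next hop 10.0.11.1. The detailed configuration steps are omitted.

# Configure the Portal server: name newpt, IP address 10.0.10.2, key portal, port 50100, and URL http://10.0.10.2/portal.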

<SwitchB>system-view

System View: return to User View with Ctrl+Z.

[SwitchB] portal server newpt ip 10.0.10.2 key portal port 50100 url http://10.0.10.2/portal

# Enable Portal authentication on the interface connected to Switch A, and set the authentication network segment to the segment where Department A resides.

[SwitchB] interface Vlan-interface 11

[SwitchB-Vlan-interface11] portal auth-network 192.168.0.0 255.255.255.0

[SwitchB-Vlan-interface11] portal server newpt method layer3

[SwitchB-Vlan-interface11] quit

# Configure a Portal-free rule to allow routing protocol packets from Switch A to pass.

[SwitchB] portal free-rule 0 source ip 10.0.11.2 mask 32

[SwitchB] quit

# Create a RADIUS scheme named imc and enter its view.

<SwitchB> system-view

[SwitchB] radius scheme imc

New Radius scheme

# Configure the RADIUS scheme parameters, including the RADIUS server addresses and the authentication and accounting keys.

[SwitchB-radius-imc] primary authentication 10.0.10.2

[SwitchB-radius-imc] primary accounting 10.0.10.2

[SwitchB-radius-imc] key authentication imc

[SwitchB-radius-imc] key accounting imc

[SwitchB-radius-imc] server-type extended

[SwitchB-radius-imc] user-name-format without-domain

[SwitchB-radius-imc] quit

[SwitchB] quit

# Configure an authentication domain named portal.com. Portal users in this domain are authenticated with the RADIUS scheme imc configured above.

<SwitchB> system-view

[SwitchB] domain portal.com

[SwitchB-isp-portal.com] authentication portal radius-scheme imc

[SwitchB-isp-portal.com] accounting portal radius-scheme imc

[SwitchB-isp-portal.com] authorization portal radius-scheme imc

[SwitchB-isp-portal.com] quit

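# Configure portal.com as the system default ISP domain. All access users share the authentication, authorization, and accounting methods of this default domain. If the username that a user enters at login does not carry an ISP domain name, the authentication method of the default domain is used.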

[SwitchB] domain default enable portal.com

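4.6  Verifying the configuration

# Before authentication succeeds, the client can access only the Portal server, and any Web page the user requests is redirected to the Portal server home page.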

C:\>ping -n 1 10.0.11.1

Pinging 10.0.11.1 with 32 bytes of data:

Request timed out.

Ping statistics for 10.0.11.1:

    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

C:\>ping -n 1 10.0.10.1

Pinging 10.0.10.1 with 32 bytes of data:

Request timed out.

Ping statistics for 10.0.10.1:

    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

C:\>ping -n 1 10.0.10.2

Pinging 10.0.10.2 with 32 bytes of data:

Reply from 10.0.10.2: bytes=32 time<1ms TTL=126

Ping statistics for 10.0.10.2:

    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>

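# Enter the correct username and password on the Portal authentication page. After authentication succeeds, the client can access the network normally.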

C:\>ping -n 1 10.0.11.1

Pinging 10.0.11.1 with 32 bytes of data:

Reply from 10.0.11.1: bytes=32 time<1ms TTL=254

Ping statistics for 10.0.11.1:

    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>ping -n 1 10.0.10.1

Pinging 10.0.10.1 with 32 bytes of data:

Reply from 10.0.10.1: bytes=32 time<1ms TTL=254

Ping statistics for 10.0.10.1:

    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>ping -n 1 10.0.10.2

Pinging 10.0.10.2 with 32 bytes of data:

Reply from 10.0.10.2: bytes=32 time<1ms TTL=126

Ping statistics for 10.0.10.2:

    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>

# The authenticated Portal user can be viewed on the device.

<SwitchB>display portal user all

Index:3                                                                       

 State:ONLINE                                                                  

 SubState:NONE                                                                 

 ACL:NONE                                                                      

 Work-mode:stand-alone                                                         

 VPN instance:NONE                                                             

 MAC              IP                Vlan   Interface                           

 ----------------------------------------------------------------------------  

 0000-0000-0000   192.168.0.2       11      Vlan-interface11                     

 Total 1 user(s) matched, 1 listed.                                            

4.7  Configuration file

#

domain default enable portal.com

#

portal server newpt ip 10.0.10.2 key cipher $c$3$c05cGkZePA4Ke+tMA4IehAeQfknE9tF2PQ== url http://10.0.10.2/portal

 portal free-rule 0 source ip 10.0.11.2 mask 255.255.255.255 destination ip any   

#

 forward-path check enable     

#     

vlan 1     

#      

vlan 10 to 11  

#   

radius scheme imc      

 server-type extended   

 primary authentication 10.0.10.2   

 primary accounting 10.0.10.2  

 key authentication cipher $c$3$M30nGDQxiOCAxe2AJ9yEZdk8kjoWag==

 key accounting cipher $c$3$sLGxmc7H4MDmvUvmcaaee50JnNLPrA==

 user-name-format without-domain

#

domain portal.com

 authentication portal radius-scheme imc 

 authorization portal radius-scheme imc    

 accounting portal radius-scheme imc   

 access-limit disable   

 state active           

 idle-cut disable       

 self-service-url disable

domain system           

 access-limit disable   

 state active           

 idle-cut disable       

 self-service-url disable

#                        

user-group system       

#                       

interface NULL0         

#                       

interface Vlan-interface10      

 ip address 10.0.10.1 255.255.255.0        

#   

interface Vlan-interface11    

 ip address 10.0.11.1 255.255.255.0     

 rip version 2 multicast

 portal auth-network 192.168.0.0 255.255.255.0    

 portal server newpt method layer3    

#                       

#                       

interface GigabitEthernet7/0/10    

 port link-mode bridge

 port access vlan 10

#                       

interface GigabitEthernet7/0/11 

 port link-mode bridge

 port access vlan 11

#    

 

#   

interface M-Ethernet0/0/0

#                       

rip 1                   

 version 2              

 network 10.0.0.0       

 import-route direct    

#                       

user-interface con 0    

user-interface aux 0    

user-interface vty 0 17 

#                       

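5  Layer 3 Portal authentication with extended functions configuration example

5.1  Network requirements

·     As shown in Figure 2, Department A clients access the company core network through Switch A -> Switch B. Configure Portal on Switch B to control Department A's network access and perform security checks.

·     Before passing authentication, users can access only the Portal server and cannot access other internal networks or the Internet.

·     If a user passes authentication but has not installed the specified version of antivirus software, the user is isolated and allowed to access only the virus and patch servers.

·     If a user passes authentication and has installed the specified version of antivirus software, the user passes the security policy check and can access the network normally.

·     A RADIUS server performs authentication, authorization, and accounting for user access, and a security policy server performs security checks on users who have logged in successfully.

Figure 2 Network diagram for Layer 3 Portal authentication with extended functions

5.2  Configuration approach

·     To apply Portal authentication to Department A's network access, configure the Portal server on Switch B and enable Portal authentication. Before authentication succeeds, all clients can access only the Portal server, and any Web page a user requests is redirected to the Portal server home page.

·     To perform authentication, authorization, and accounting through RADIUS, configure a RADIUS scheme on Switch B, specify the authentication, authorization, and accounting servers, and apply the scheme to the authentication domain that the Portal users belong to.

·     To transfer user passwords securely between Switch B and the RADIUS server, and to let Switch B verify that RADIUS server responses have not been tampered with, configure the shared key used for exchanged packets on both Switch B and the RADIUS server.

·     To perform security checks on users who have logged in successfully, create ACLs and define rules. A user who fails the check can access only the virus and patch servers. The user can access all network resources only after upgrading the virus definitions to a version that meets the security policy.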

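5.3  Software version

This example was configured and verified on S12500-CMW520-R1825P01.

5.4  Configuration guidelines

Currently only a RADIUS server can be used to authenticate, authorize, and account for Portal users. The server must also have routes configured so that it can reach the authentication port and the network segment where user IP addresses reside.

5.5  Configuration procedure

Note

Make sure the corresponding configuration has been completed on the RADIUS server, the Portal server, and the security policy server, for example, setting the shared key for packets exchanged with the Switch to imc on the RADIUS server. The detailed configuration steps are omitted.

# Configure interface IP addresses and a routing protocol on each device so that the devices are reachable from each other at Layer 3. On Switch A, configure a default route to the 10.0.10.0/24 network segment with next hop 10.0.11.1. The detailed configuration steps are omitted.

# Configure the Portal server: name newpt, IP address 10.0.10.2, key portal, port 50100, and URL http://10.0.10.2/portal.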

<SwitchB>system-view

[SwitchB]portal server newpt ip 10.0.10.2 key portal port 50100 url http://10.0.10.2/portal

# Enable Portal authentication on the interface connected to Switch A.

[SwitchB]interface Vlan-interface 11

[SwitchB-Vlan-interface11]portal auth-network 192.168.0.0 255.255.255.0

[SwitchB-Vlan-interface11]portal server newpt method layer3

[SwitchB-Vlan-interface11]quit

# Configure a Portal-free rule to allow routing protocol packets from Switch A to pass.

[SwitchB]portal free-rule 0 source ip 10.0.11.2 mask 32

[SwitchB]quit

# Create a RADIUS scheme named imc and enter its view.

<SwitchB>system-view

System View: return to User View with Ctrl+Z.

[SwitchB]radius scheme imc

# Configure the RADIUS scheme parameters, including the RADIUS server addresses and the authentication and accounting keys.

[SwitchB-radius-imc]primary authentication 10.0.10.2

[SwitchB-radius-imc]primary accounting 10.0.10.2

[SwitchB-radius-imc]key authentication imc

[SwitchB-radius-imc]key accounting imc

[SwitchB-radius-imc]server-type extended

[SwitchB-radius-imc]user-name-format without-domain

[SwitchB-radius-imc]quit

[SwitchB]quit

# Configure an authentication domain named portal.com. Portal users in this domain are authenticated with the RADIUS scheme imc configured above.

<SwitchB>system-view

[SwitchB]domain portal.com

[SwitchB-isp-portal.com]authentication portal radius-scheme imc

[SwitchB-isp-portal.com]accounting portal radius-scheme imc

[SwitchB-isp-portal.com]authorization portal radius-scheme imc

[SwitchB-isp-portal.com]quit

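# Configure portal.com as the system default ISP domain. All access users share the authentication, authorization, and accounting methods of this default domain. If the username that a user enters at login does not carry an ISP domain name, the authentication method of the default domain is used.

[SwitchB] domain default enable portal.com

# Configure isolation ACL 3000, which permits access only to the patch server and the virus server.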

[SwitchB]acl number 3000

[SwitchB-acl-adv-3000]rule permit ip destination 10.0.12.2 0

[SwitchB-acl-adv-3000]rule permit ip destination 10.0.12.3 0

[SwitchB-acl-adv-3000]rule deny ip

[SwitchB-acl-adv-3000]quit

[SwitchB]quit

# Configure security ACL 3001, which permits access to all network destinations.

<SwitchB>system-view

[SwitchB]acl number 3001 

[SwitchB-acl-adv-3001]rule permit ip

[SwitchB-acl-adv-3001]quit

[SwitchB]quit

5.6  Verifying the configuration

# Before authentication succeeds, Client A can access only the Portal server.

C:\>ping -n 1 10.0.10.1

Pinging 10.0.10.1 with 32 bytes of data:

Request timed out.

Ping statistics for 10.0.10.1:

    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

C:\>ping -n 1 10.0.10.2

Pinging 10.0.10.2 with 32 bytes of data:

Reply from 10.0.10.2: bytes=32 time<1ms TTL=126

Ping statistics for 10.0.10.2:

    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>ping -n 1 10.0.11.1

Pinging 10.0.11.1 with 32 bytes of data:

Request timed out.

Ping statistics for 10.0.11.1:

    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

C:\>ping -n 1 10.0.12.1

Pinging 10.0.12.1 with 32 bytes of data:

Request timed out.

Ping statistics for 10.0.12.1:

    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

C:\>ping -n 1 10.0.12.2

Pinging 10.0.12.2 with 32 bytes of data:

Request timed out.

Ping statistics for 10.0.12.2:

    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

C:\>ping -n 1 10.0.12.3

Pinging 10.0.12.3 with 32 bytes of data:

Request timed out.

Ping statistics for 10.0.12.3:

    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

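# On the security policy server, configure a security policy that uses isolation mode, with the isolation ACL and the security ACL set to 3000 and 3001 respectively. Also scan the client for viruses, and require a minimum virus-definition version for the Symantec antivirus software that is higher than the client's current version.

# On Client A, use the iNode client to create a Portal connection through Switch B and enter the correct username and password. Login succeeds. The security check then starts, the check fails, and the client enters isolation mode. The Portal user on the device shows that the isolation ACL has been issued.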

<SwitchB>display portal user all

 Index:77

 State:ONLINE

 SubState:NONE

 ACL:3000

 Work-mode:stand-alone

 VPN instance:NONE

 MAC              IP                Vlan   Interface

 ---------------------------------------------------------------------

 0000-0000-0000   192.168.0.2       11     Vlan-interface11

 Total 1 user(s) matched, 1 listed.

# Check Client A's network access. Client A can access only the Portal server, the patch server, and the virus server.

C:\>ping -n 1 10.0.10.1

Pinging 10.0.10.1 with 32 bytes of data:

Request timed out.

Ping statistics for 10.0.10.1:

    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

C:\>ping -n 1 10.0.10.2

Pinging 10.0.10.2 with 32 bytes of data:

Reply from 10.0.10.2: bytes=32 time<1ms TTL=126

Ping statistics for 10.0.10.2:

    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>ping -n 1 10.0.11.1

Pinging 10.0.11.1 with 32 bytes of data:

Request timed out.

Ping statistics for 10.0.11.1:

    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

C:\>ping -n 1 10.0.12.1

Pinging 10.0.12.1 with 32 bytes of data:

Request timed out.

Ping statistics for 10.0.12.1:

    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

C:\>ping -n 1 10.0.12.2

Pinging 10.0.12.2 with 32 bytes of data:

Reply from 10.0.12.2: bytes=32 time=2ms TTL=126

Ping statistics for 10.0.12.2:

    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 2ms, Maximum = 2ms, Average = 2ms

C:\>ping -n 1 10.0.12.3

Pinging 10.0.12.3 with 32 bytes of data:

Reply from 10.0.12.3: bytes=32 time<1ms TTL=126

Ping statistics for 10.0.12.3:

    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

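# Upgrade Client A's virus definitions to a version that meets the security policy. Disconnect the client and log in again. After authentication succeeds, the security check runs and the client reports that the check passed. The authenticated Portal user information on the device shows that security ACL 3001 has been issued.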

<SwitchB>display portal user all

 Index:79

 State:ONLINE

 SubState:NONE

 ACL:3001

 Work-mode:stand-alone

 VPN instance:NONE

 MAC              IP                Vlan   Interface

 ---------------------------------------------------------------------

 0000-0000-0000   192.168.0.2       11     Vlan-interface11

 Total 1 user(s) matched, 1 listed.

# Check Client A's network access. The client can access the network normally.

C:\>ping -n 1 10.0.10.1

Pinging 10.0.10.1 with 32 bytes of data:

Reply from 10.0.10.1: bytes=32 time<1ms TTL=254

Ping statistics for 10.0.10.1:

    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>ping -n 1 10.0.10.2

Pinging 10.0.10.2 with 32 bytes of data:

Reply from 10.0.10.2: bytes=32 time<1ms TTL=126

Ping statistics for 10.0.10.2:

    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>ping -n 1 10.0.11.1

Pinging 10.0.11.1 with 32 bytes of data:

Reply from 10.0.11.1: bytes=32 time<1ms TTL=254

Ping statistics for 10.0.11.1:

    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>ping -n 1 10.0.12.1

Pinging 10.0.12.1 with 32 bytes of data:

Reply from 10.0.12.1: bytes=32 time<1ms TTL=254

Ping statistics for 10.0.12.1:

    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>ping -n 1 10.0.12.2

Pinging 10.0.12.2 with 32 bytes of data:

Reply from 10.0.12.2: bytes=32 time=2ms TTL=126

Ping statistics for 10.0.12.2:

    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 2ms, Maximum = 2ms, Average = 2ms

C:\>ping -n 1 10.0.12.3

Pinging 10.0.12.3 with 32 bytes of data:

Reply from 10.0.12.3: bytes=32 time<1ms TTL=126

Ping statistics for 10.0.12.3:

    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

5.7  Configuration file

#    

 domain default enable portal.com    

#                       

 portal server newpt ip 10.0.10.2 key cipher $c$3$NutFYbU0hYwh72HWnP2zrtfThyQfRb6pmw url http://10.0.10.2/portal

 portal free-rule 0 source ip 10.0.11.2 mask 255.255.255.255 destination ip any   

#   

 forward-path check enable 

#

acl number 3000

 rule 0 permit ip destination 10.0.12.2 0

 rule 5 permit ip destination 10.0.12.3 0

 rule 10 deny ip

acl number 3001

 rule 0 permit ip

#

vlan 1

#

vlan 10 to 11           

#     

radius scheme imc      

 server-type extended   

 primary authentication 10.0.10.2

 primary accounting 10.0.10.2

 key authentication cipher $c$3$M30nGDQxiOCAxe2AJ9yEZdk8kjoWag==

 key accounting cipher $c$3$sLGxmc7H4MDmvUvmcaaee50JnNLPrA==

 user-name-format without-domain

#

domain portal.com 

 authentication portal radius-scheme imc

 authorization portal radius-scheme imc

 accounting portal radius-scheme imc

 access-limit disable   

 state active           

 idle-cut disable       

 self-service-url disable

domain system           

 access-limit disable   

 state active           

 idle-cut disable       

 self-service-url disable

#                       

user-group system       

#                       

interface NULL0         

#                       

interface Vlan-interface10   

 ip address 10.0.10.1 255.255.255.0  

#                       

interface Vlan-interface11    

 ip address 10.0.11.1 255.255.255.0      

 rip version 2 multicast

 portal auth-network 192.168.0.0 255.255.255.0

 portal server newpt method layer3

#

interface Vlan-interface12

 ip address 10.0.12.1 255.255.255.0

 

#

interface GigabitEthernet7/0/10

 port link-mode bridge

 port access vlan 10

#

interface GigabitEthernet7/0/11

 port link-mode bridge

 port access vlan 11

#

interface GigabitEthernet7/0/12

 port link-mode bridge

 port access vlan 12

#

 

#

interface M-Ethernet0/0/0

#

rip 1

 version 2 

 network 10.0.0.0

 import-route direct

#

user-interface con 0

user-interface aux 0

user-interface vty 0 17 

#
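
To check that the isolation and security ACLs produce the reachability observed in section 5.6, the following Python sketch (an added example, not H3C code) parses the two ACL stanzas from the configuration file above and evaluates them first-match against the probed destinations. It assumes rules are evaluated in rule-ID order and that a bare wildcard of 0 means a host match; the Portal server 10.0.10.2 is left out because the page shows it reachable in every state, independent of the issued ACL.

```python
import ipaddress
import re

# ACL stanzas as they appear in the section 5.7 configuration file.
ACL_CONFIG = """\
acl number 3000
 rule 0 permit ip destination 10.0.12.2 0
 rule 5 permit ip destination 10.0.12.3 0
 rule 10 deny ip
acl number 3001
 rule 0 permit ip
"""

RULE_RE = re.compile(
    r"rule (\d+) (permit|deny) ip(?: destination (\S+) (\S+))?$")


def _to_int(field):
    """Accept dotted-quad or the bare-integer shorthand ("0" = host match)."""
    return int(field) if field.isdigit() else int(ipaddress.IPv4Address(field))


def parse_acls(text):
    """Return {acl_number: [(rule_id, action, dest, wildcard), ...]}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("acl number "):
            current = acls.setdefault(int(line.split()[2]), [])
            continue
        match = RULE_RE.match(line)
        if match and current is not None:
            rule_id, action, dest, wildcard = match.groups()
            if dest is None:  # "rule permit ip" / "rule deny ip": any destination
                dest_int, wc_int = 0, 0xFFFFFFFF
            else:
                dest_int, wc_int = _to_int(dest), _to_int(wildcard)
            current.append((int(rule_id), action, dest_int, wc_int))
    for rules in acls.values():
        rules.sort()  # assumption: rules are matched in rule-ID order
    return acls


def evaluate(rules, destination):
    """First matching rule wins; wildcard bits set to 1 are ignored."""
    dst = int(ipaddress.IPv4Address(destination))
    for rule_id, action, dest_int, wc_int in rules:
        if (dst | wc_int) == (dest_int | wc_int):
            return action, rule_id
    return "no-match", None


def access_matrix(acls, destinations):
    """Map each ACL number to {destination: action} for the given probes."""
    return {number: {d: evaluate(rules, d)[0] for d in destinations}
            for number, rules in acls.items()}


if __name__ == "__main__":
    probes = ["10.0.10.1", "10.0.11.1", "10.0.12.1", "10.0.12.2", "10.0.12.3"]
    for number, row in access_matrix(parse_acls(ACL_CONFIG), probes).items():
        print(number, row)
```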

6  Related documentation

·     "Portal" in H3C S12500 Series Routing Switches Security Configuration Guide

·     "Portal" in H3C S12500 Series Routing Switches Security Command Reference

 
