- Released At: 05-07-2024
H3C IMC UAM
Portal Authentication with NAT Traversal Configuration Examples
Software version: IMC UAM 7.2 (E0403)
Copyright © 2016 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.
Contents
Example: Configuring portal authentication with NAT traversal
Configuring the portal service
Introduction
This document provides examples for configuring portal authentication with NAT traversal.
The examples apply to scenarios where the authentication server (IMC UAM) is deployed on the public network and the internal users traverse ISP-grade NAT to perform portal authentication.
Prerequisites
Make sure the access device supports portal.
Example: Configuring portal authentication with NAT traversal
Network configuration
As shown in Figure 1, a UAM server that acts as a portal and AAA server is on the public network provided by an ISP. An access device and a PC are on a private network. A NAT device resides between the access device and the UAM server.
The iNode client on the PC is used to initiate portal authentication. The user accesses the network by using an account named natuser.
Portal authentication is enabled on the access device. The access device manages the portal user in an ISP domain named nat and includes the domain name in the usernames that are sent to UAM for authentication.
The access device and UAM use the shared key hello for secure RADIUS communication, and use port 1812 for authentication and port 1813 for accounting.
The access device and UAM use the key world for portal communication. The redirection URL of the portal server is http://200.2.2.100:8080/portal.
Software versions used
This configuration example was created and verified on the following platforms:
· IMC UAM 7.2 (E0403)
· Access device and NAT device: H3C S5820V2-54QS-GE Comware Software, Version 7.1.045, ESS 2415
· iNode PC 7.2 (E0403)
Restrictions and guidelines
When you configure portal authentication with NAT traversal, follow these restrictions and guidelines:
· Guidelines for configuring an IP group in UAM:
  - For an IP pool, the end IP address cannot be lower than the start IP address.
  - The private IP pool of the IP group must be the same as the private IP pool configured on the NAT device.
  - The NAT address pool of the IP group must be the same as the public IP pool configured on the NAT device.
· Guidelines for configuring a portal device in UAM:
  - When you configure the IP address of a Comware V5 device, use the static mapped address (NAT address) of the access device interface connected to the user.
  - If you set the access method to Directly Connected, an unauthenticated user can access only the portal server and authentication-free network resources. The user's IP address can be manually configured or DHCP assigned. After authentication, the user can access network resources for authenticated users.
· The portal redirection URL and communication key configured in UAM must be the same as those configured for the portal server on the access device.
· The RADIUS port and shared key settings configured in UAM must be the same as those configured on the access device.
· Configure a service suffix for the portal user depending on the authentication domain and username format settings on the switch, as shown in Table 1.
Table 1 Determining the service suffix
Username in iNode | Authentication domain on the switch | Username format command on the switch | Service suffix in UAM
natuser@nat       | nat                                 | user-name-format with-domain          | nat
natuser@nat       | nat                                 | user-name-format without-domain       | No suffix
Configuring UAM
Configuring the portal service
Configuring a portal server
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Portal Service > Server.
The Server page opens.
3. Configure the portal server parameters, as shown in Figure 2:
a. Enter the redirection URL of the portal server in the Portal Page field.
This example uses http://200.2.2.100:8080/portal/.
b. Use the default values for other parameters.
Figure 2 Configuring a portal server
4. Click OK.
Configuring an IP group
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Portal Service > IP Group.
3. On the IP group list, click Add.
The Add IP Group page opens.
4. Configure the IP group parameters, as shown in Figure 3:
a. Enter natip in the IP Group Name field.
b. Enter 192.168.0.0 in the Start IP field.
c. Enter 192.168.255.255 in the End IP field.
d. Select NAT from the Action list.
e. Enter 200.1.1.10 in the After-action Start IP field.
f. Enter 200.1.1.29 in the After-action End IP field.
Figure 3 Configuring an IP group
5. Click OK.
The new IP group named natip is added to the IP group list, as shown in Figure 4.
Figure 4 Viewing the new IP group
Configuring a portal device
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Portal Service > Device.
3. On the device list, click Add.
The Add Device page opens.
4. Configure the portal device parameters, as shown in Figure 5:
a. Enter accessdev in the Device Name field.
b. Enter 200.1.1.51 in the IP Address field.
c. Enter world in the Key and Confirm Key fields.
d. Select Directly Connected from the Access Method list.
e. Use the default values for other parameters.
Figure 5 Configuring a portal device
5. Click OK.
The portal device named accessdev is added to the portal device list, as shown in Figure 6.
Figure 6 Viewing the portal device
6. In the portal device list, click the Port Group icon in the Operation column for the device named accessdev.
The Configure Port Group page opens.
7. On the port group list, click Add.
The Add Port Group page opens.
8. Configure the port group parameters, as shown in Figure 7:
a. Enter natport in the Port Group Name field.
b. Select Yes from the NAT or Not list.
c. Select CHAP from the Authentication Type list.
d. Select natip from the IP Group list.
e. Use the default values for other parameters.
Figure 7 Configuring a port group
9. Click OK.
The new port group named natport is added to the port group list, as shown in Figure 8.
Figure 8 Viewing the new port group
Configuring an access device
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Device Management > Access Device.
3. On the access device list, click Add.
The Add Access Device page opens, as shown in Figure 9.
Figure 9 Adding an access device
4. Add an access device.
You can add an access device by clicking Select or Add Manually in the Device List area. Follow these guidelines to configure the IP address of the access device:
  - If you have configured the nas-ip command for the RADIUS scheme on the device, configure the NAS IP as the access device address in UAM.
  - If you do not configure the nas-ip command for the RADIUS scheme, enter the IP address of the device's interface that connects to UAM for the access device.
The IP address cannot be modified if the device is selected from the IMC platform. It can be modified if the device is added manually.
To manually add an access device:
a. Click Add Manually in the Device List area.
The page for manually adding an access device opens.
b. Enter the IP address of the access device in the Device IP field, as shown in Figure 10.
This example uses 200.1.1.50, the static mapped address (NAT address) for the access device interface connected to the NAT device.
Figure 10 Manually adding an access device
c. Click OK to return to the page for adding an access device.
5. Configure access information for the access device, as shown in Figure 11:
a. Enter hello in the Shared Key and Confirm Shared Key fields.
b. Use the default values for other parameters.
Figure 11 Configuring access device parameters
6. Click OK.
On the page that opens, click the Back to Access Device List link to view the added access device in the access device list, as shown in Figure 12.
Figure 12 Viewing the added access device
Configuring an access policy
This example configures an access policy that does not implement access control. The access policy is used for the access service configuration.
To configure an access policy:
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Policy.
3. On the access policy list, click Add.
The Add Access Policy page opens.
4. Configure the access policy parameters, as shown in Figure 13:
a. Enter natpolicy in the Access Policy Name field.
b. Use the default values for other parameters.
Figure 13 Configuring an access policy
5. Click OK.
The new access policy named natpolicy is added to the access policy list, as shown in Figure 14.
Figure 14 Viewing the new access policy
Configuring an access service
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Service.
3. Click Add.
The Add Access Service page opens.
4. Configure the access service parameters, as shown in Figure 15:
a. Enter natserver in the Service Name field.
b. Enter nat in the Service Suffix field. For more information about determining the service suffix, see Table 1.
c. Select natpolicy from the Default Access Policy list.
d. Use the default values for other parameters.
Figure 15 Configuring an access service
5. Click OK.
The new access service named natserver is added to the access service list, as shown in Figure 16.
Figure 16 Viewing the new access service
Configuring an access user
1. Click the User tab.
2. From the navigation tree, select Access User > All Access Users.
3. On the access user list, click Add.
The Add Access User page opens.
4. In the User Name field, click Select to select an existing user account from the IMC Platform, or click Add User to add a new IMC Platform user.
This example uses the Add User option.
Configure the following parameters, as shown in Figure 17.
a. Enter natuser in the User Name field.
b. Enter natuser in the Identity Number field.
c. Use the default values for other parameters.
d. Click OK.
The Add User page closes.
Figure 17 Adding a new IMC platform user
5. On the Add Access User page, configure the following parameters for the access user, as shown in Figure 18:
a. Enter natuser in the Account Name field.
b. Enter 123 in the Password and Confirm Password fields.
c. Select the service named natserver from the Access Service list.
d. Use the default values for other parameters.
Figure 18 Adding an access user
6. Click OK.
The new access user named natuser is added to the access user list, as shown in Figure 19.
Figure 19 Viewing the new access user
Configuring the access device
1. Configure a RADIUS scheme:
# Create RADIUS scheme uam.
[AccessDev]radius scheme uam
# Configure UAM as the authentication and accounting server.
[AccessDev-radius-uam]primary authentication 200.2.2.100 1812
[AccessDev-radius-uam]primary accounting 200.2.2.100 1813
# Set the shared key to hello for authentication and accounting communication.
[AccessDev-radius-uam]key authentication hello
[AccessDev-radius-uam]key accounting hello
# Configure the access device to carry the ISP domain name in the usernames sent to the RADIUS server.
[AccessDev-radius-uam]user-name-format with-domain
[AccessDev-radius-uam]quit
2. Configure an ISP domain:
# Create ISP domain nat.
[AccessDev]domain nat
# Configure the ISP domain to use the RADIUS scheme uam for authentication, authorization, and accounting for portal users.
[AccessDev-isp-nat]authentication portal radius-scheme uam
[AccessDev-isp-nat]authorization portal radius-scheme uam
[AccessDev-isp-nat]accounting portal radius-scheme uam
[AccessDev-isp-nat]quit
3. Configure portal authentication:
# Configure UAM as a portal server named imc. Configure the key for portal communication and the redirection URL.
[AccessDev]portal server imc
[AccessDev-portal-server-imc]ip 200.2.2.100 key simple world
[AccessDev-portal-server-imc]quit
# Specify the URL for the portal Web server.
[AccessDev]portal web-server imc
[AccessDev-portal-websvr-imc]url http://200.2.2.100:8080/portal
[AccessDev-portal-websvr-imc]quit
# Enable direct portal authentication on Ethernet 1/0/23.
[AccessDev]interface Ethernet1/0/23
[AccessDev-Ethernet1/0/23]portal enable method direct
# Specify the portal Web server named imc on Ethernet 1/0/23 for portal authentication.
[AccessDev-Ethernet1/0/23]portal apply web-server imc
[AccessDev-Ethernet1/0/23]quit
Configuring the NAT device
1. Configure an ACL to identify the private IP pool to be translated:
# Create ACL 3000.
[NATDev]acl number 3000
# Configure ACL 3000 to permit all packets from network 192.168.0.0/16.
[NATDev-acl-adv-3000]rule 0 permit ip source 192.168.0.0 0.0.255.255
[NATDev-acl-adv-3000]rule 1 deny ip
[NATDev-acl-adv-3000]quit
2. Configure a public IP pool.
[NATDev]nat address-group 0 200.1.1.10 200.1.1.29
3. On the interface connected to the public network, associate ACL 3000 with the public IP pool.
[NATDev]interface GigabitEthernet 0/1
[NATDev-GigabitEthernet0/1]nat outbound 3000 address-group 0
[NATDev-GigabitEthernet0/1]quit
4. Map the private IP address to a public IP address for the access device interface connected to the NAT device.
[NATDev]nat static outbound 192.168.2.1 200.1.1.50
5. Map the private IP address to a public IP address for the access device interface connected to the PC.
[NATDev]nat static outbound 192.168.1.254 200.1.1.51
6. Enable static NAT on GigabitEthernet 0/1.
[NATDev]interface GigabitEthernet 0/1
[NATDev-GigabitEthernet0/1]nat static enable
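Before verifying, it is worth confirming that the UAM settings entered in the GUI steps satisfy the restrictions and guidelines listed earlier (same RADIUS ports and shared key, same portal key and redirection URL, IP group pools matching the NAT device). The following Python checker is an added example, not part of this document or of IMC; it matches the CLI lines from this example with simple regexes and assumes one command per line with no leading indentation and a contiguous ACL wildcard mask.

```python
import ipaddress
import re
# Constructed copy of the CLI lines this example enters on the access device and the NAT device.
CLI = """
primary authentication 200.2.2.100 1812
primary accounting 200.2.2.100 1813
key authentication hello
key accounting hello
ip 200.2.2.100 key simple world
url http://200.2.2.100:8080/portal
rule 0 permit ip source 192.168.0.0 0.0.255.255
nat address-group 0 200.1.1.10 200.1.1.29
"""
# Values typed into the UAM GUI in this example.
UAM = {"portal_page": "http://200.2.2.100:8080/portal/", "portal_key": "world",
       "shared_key": "hello", "auth_port": 1812, "acct_port": 1813,
       "ip_group": ("192.168.0.0", "192.168.255.255"), "nat_pool": ("200.1.1.10", "200.1.1.29")}

def _grab(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.groups() if m else None

def check_uam_against_cli(uam, cli):
    """Return the guideline violations found when comparing UAM settings with the device CLI."""
    problems = []
    for kind, port_key in (("authentication", "auth_port"), ("accounting", "acct_port")):
        port = _grab(rf"^primary {kind} \S+ (\d+)", cli)
        if not port or int(port[0]) != uam[port_key]:
            problems.append(f"RADIUS {kind} port differs")
        key = _grab(rf"^key {kind} (\S+)", cli)
        if not key or key[0] != uam["shared_key"]:
            problems.append(f"RADIUS {kind} key differs")
    pkey = _grab(r"^ip \S+ key simple (\S+)", cli)
    if not pkey or pkey[0] != uam["portal_key"]:
        problems.append("portal key differs")
    url = _grab(r"^url (\S+)", cli)
    # Compared without the trailing slash, which the steps in this example write both ways.
    if not url or url[0].rstrip("/") != uam["portal_page"].rstrip("/"):
        problems.append("portal redirection URL differs")
    start, end = (ipaddress.ip_address(a) for a in uam["ip_group"])
    if end < start:
        problems.append("IP group end address is lower than start address")
    src = _grab(r"^rule \d+ permit ip source (\S+) (\S+)", cli)
    # Comware ACLs use wildcard masks: 0.0.255.255 on 192.168.0.0 means 192.168.0.0/16.
    net = ipaddress.ip_network(f"{src[0]}/{32 - int(ipaddress.ip_address(src[1])).bit_length()}") if src else None
    if not net or (net.network_address, net.broadcast_address) != (start, end):
        problems.append("IP group private pool differs from NAT ACL")
    if _grab(r"^nat address-group \d+ (\S+) (\S+)", cli) != uam["nat_pool"]:
        problems.append("IP group NAT pool differs from NAT address group")
    return problems
```

An empty list means every guideline is satisfied; each string names the UAM field that disagrees with the device configuration.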
Verifying the configuration
1. On the iNode client, click Portal Connection.
The Portal Connection window opens.
2. Click the Refresh icon next to the Server field to obtain the IP address of the portal server, as shown in Figure 20.
Figure 20 Obtaining the portal server IP address
3. Enter the username and password, and click Connect, as shown in Figure 21.
Figure 21 Triggering portal authentication
The authentication process starts. The authentication result shows that the connection has been established, as shown in Figure 22.
Figure 22 Viewing the authentication result
Viewing online users in UAM
1. Click the User tab.
2. From the navigation tree, select Access User > Online Users.
3. Click the Local tab.
4. Verify that user natuser has been added to the online user list, as shown in Figure 23.
Figure 23 Viewing the online user
5. Click the Operation icon for user natuser and select Detail from the shortcut menu.
As shown in Figure 24, IMC obtains the private IP address of user natuser, and the real and NAT IP addresses of the access device.
Figure 24 Viewing the online user details