02-S12500_Portal_Configuration_Examples
Contents
General configuration restrictions and guidelines
Example: Configuring Layer 3 portal authentication
Configuration restrictions and guidelines
Example: Configuring Layer 3 extended portal authentication
Configuration restrictions and guidelines
Introduction
This document provides portal configuration examples.
Portal authentication, also called Web authentication, provides a flexible network access control method through Web interfaces.
Prerequisites
The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
This document assumes that you have basic knowledge of H3C portal authentication.
General configuration restrictions and guidelines
When you configure portal authentication, follow these restrictions and guidelines:
· If a QoS policy has been configured in a VLAN, on a member port in a VLAN, or globally, do not configure portal authentication for the VLAN or the interface. Otherwise, portal authentication does not take effect.
· A portal authentication client is identified by its IP address. Make sure no NAT device is configured between the portal authentication client, the access device, the portal server, and the AAA server. This is to avoid portal authentication failures caused by network address translation.
Example: Configuring Layer 3 portal authentication
Network requirements
As shown in Figure 1, the clients in Department A access the core network of the company through Switch A and Switch B. Switch B is configured with portal authentication to control network access behaviors from Department A.
Before portal authentication, a client can access only the portal server and all Web access requests are redirected to the portal server. After portal authentication, a client can access other internal resources of the company and Internet resources.
Use a RADIUS server as the AAA server for portal users.
Configure a shared key on both Switch B and the RADIUS server for secure packet exchange.
Requirements analysis
To authenticate the clients through portal in Department A, configure a portal server and enable portal authentication on Switch B.
To implement AAA for users through the RADIUS server, configure a RADIUS scheme and specify the AAA servers on Switch B. Apply the scheme to the authentication domain to which the portal users belong.
The shared key can ensure secure password exchange between Switch B and the RADIUS server, and also prevents the response packets from the RADIUS server from being tampered with.
Software version used
The configuration examples were created and verified on S12500-CMW520-R1825P01.
Configuration restrictions and guidelines
Only RADIUS servers support AAA for portal users. Make sure you configure routes on the RADIUS server to the authentication port and the user's IP subnet.
Configuration procedures
1. Complete configurations on the RADIUS server and the portal server, for example, configuring the shared key for packet exchange. (Details not shown.)
2. Assign IP addresses to the interfaces and configure the routing protocol on the devices to make sure the routes to the devices are reachable at Layer 3. (Details not shown.)
3. On Switch A, configure the default route to the subnet 10.0.10.0/24, with the next hop as 10.0.11.1. (Details not shown.)
4. Configure Switch B:
# Configure a portal server as follows:
· Name: newpt
· IP address: 10.0.10.2
· Key: portal
· Port number: 50100
· URL: http://10.0.10.2/portal
<SwitchB>system-view
System View: return to User View with Ctrl+Z.
[SwitchB] portal server newpt ip 10.0.10.2 key portal port 50100 url http://10.0.10.2/portal
# Enable portal authentication on the interface connected to Switch A, and configure the authentication subnet as the one where Department A resides.
<SwitchB> system-view
[SwitchB] interface Vlan-interface 11
[SwitchB-Vlan-interface11] portal auth-network 192.168.0.0 255.255.255.0
[SwitchB-Vlan-interface11] portal server newpt method layer3
[SwitchB-Vlan-interface11] quit
# Configure a portal-free rule to allow the routing protocol packets of Switch A to pass through.
[SwitchB] portal free-rule 0 source ip 10.0.11.2 mask 32
[SwitchB] quit
# Configure a RADIUS scheme named imc, and enter its view.
<SwitchB> system-view
[SwitchB] radius scheme imc
New Radius scheme
# Configure the RADIUS scheme parameters, including the RADIUS server IP address, shared key, username format, and server type.
[SwitchB-radius-imc] primary authentication 10.0.10.2
[SwitchB-radius-imc] primary accounting 10.0.10.2
[SwitchB-radius-imc] key authentication imc
[SwitchB-radius-imc] key accounting imc
[SwitchB-radius-imc] server-type extended
[SwitchB-radius-imc] user-name-format without-domain
[SwitchB-radius-imc] quit
[SwitchB] quit
# Create an authentication domain named portal.com, and specify the RADIUS scheme for the domain.
<SwitchB> system-view
[SwitchB] domain portal.com
[SwitchB-isp-portal.com] authentication portal radius-scheme imc
[SwitchB-isp-portal.com] accounting portal radius-scheme imc
[SwitchB-isp-portal.com] authorization portal radius-scheme imc
[SwitchB-isp-portal.com] quit
[SwitchB] quit
# Specify the authentication domain portal.com as the default ISP domain. Users without any domain name carried in the usernames are considered to be in the default domain.
[SwitchB] domain default enable portal.com
Verifying the configuration
# Before portal authentication, verify that the clients can access only the portal server, and any Web access request is redirected to the portal server.
C:\>ping -n 1 10.0.11.1
Pinging 10.0.11.1 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.11.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\>ping -n 1 10.0.10.1
Pinging 10.0.10.1 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.10.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\>ping -n 1 10.0.10.2
Pinging 10.0.10.2 with 32 bytes of data:
Reply from 10.0.10.2: bytes=32 time<1ms TTL=126
Ping statistics for 10.0.10.2:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>
# Enter the correct username and password on the portal authentication page. After successful authentication, the client can access the Internet.
C:\>ping -n 1 10.0.11.1
Pinging 10.0.11.1 with 32 bytes of data:
Reply from 10.0.11.1: bytes=32 time<1ms TTL=254
Ping statistics for 10.0.11.1:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping -n 1 10.0.10.1
Pinging 10.0.10.1 with 32 bytes of data:
Reply from 10.0.10.1: bytes=32 time<1ms TTL=254
Ping statistics for 10.0.10.1:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping -n 1 10.0.10.2
Pinging 10.0.10.2 with 32 bytes of data:
Reply from 10.0.10.2: bytes=32 time<1ms TTL=126
Ping statistics for 10.0.10.2:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>
# On the device, you can display the portal users who have passed portal authentication.
<SwitchB>display portal user all
Index:3
State:ONLINE
SubState:NONE
ACL:NONE
Work-mode:stand-alone
VPN instance:NONE
MAC IP Vlan Interface
----------------------------------------------------------------------------
0000-0000-0000 192.168.0.2 11 Vlan-interface11
Total 1 user(s) matched, 1 listed.
Configuration files
#
domain default enable portal.com
#
portal server newpt ip 10.0.10.2 key cipher $c$3$c05cGkZePA4Ke+tMA4IehAeQfknE9tF2PQ== url http://10.0.10.2/portal
portal free-rule 0 source ip 10.0.11.2 mask 255.255.255.255 destination ip any
#
forward-path check enable
#
vlan 1
#
vlan 10 to 11
#
radius scheme imc
server-type extended
primary authentication 10.0.10.2
primary accounting 10.0.10.2
key authentication cipher $c$3$M30nGDQxiOCAxe2AJ9yEZdk8kjoWag==
key accounting cipher $c$3$sLGxmc7H4MDmvUvmcaaee50JnNLPrA==
user-name-format without-domain
#
domain portal.com
authentication portal radius-scheme imc
authorization portal radius-scheme imc
accounting portal radius-scheme imc
access-limit disable
state active
idle-cut disable
self-service-url disable
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
interface NULL0
#
interface Vlan-interface10
ip address 10.0.10.1 255.255.255.0
#
interface Vlan-interface11
ip address 10.0.11.1 255.255.255.0
rip version 2 multicast
portal auth-network 192.168.0.0 255.255.255.0
portal server newpt method layer3
#
#
interface GigabitEthernet7/0/10
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet7/0/11
port link-mode bridge
port access vlan 11
#
#
interface M-Ethernet0/0/0
#
rip 1
version 2
network 10.0.0.0
import-route direct
#
user-interface con 0
user-interface aux 0
user-interface vty 0 17
#
Example: Configuring Layer 3 extended portal authentication
Network requirements
As shown in Figure 2, the clients in Department A access the core network of the company through Switch A and Switch B. Switch B is configured with portal authentication to control network access behaviors from Department A and to perform security checks on the clients.
Before portal authentication, a client can access only the portal server and all Web access requests are redirected to the portal server.
After passing identity authentication:
· If the required antivirus software version is not installed, the user can access only the virus definitions update server and patch server.
· If the required antivirus software version is installed, the user passes security authentication and can access the network resources.
Use a single server as both the RADIUS server for AAA and the security policy server for security check.
Requirements analysis
To implement AAA for users through the RADIUS server, configure a RADIUS scheme and specify the AAA servers on Switch B, and apply the scheme to the authentication domain to which the portal users belong.
To securely exchange user passwords between Switch B and the RADIUS server, and to make sure the response packets from the RADIUS server are not tampered with, configure a shared key on both Switch B and the RADIUS server for packet exchange.
To implement security check for login users, create an ACL and configure rules. Only the users who meet the security check requirements can access network resources. The users who fail security check can access only the virus definitions update server and the patch server.
Software version used
The configuration examples were created and verified on S12500-CMW520-R1825P01.
Configuration restrictions and guidelines
Only RADIUS servers support AAA for portal users. Make sure you configure routes on the RADIUS server to the authentication port and the user's IP subnet.
Configuration procedures
1. Complete configurations on the RADIUS server and the portal server, for example, configuring the shared key for packet exchange. (Details not shown.)
2. Assign IP addresses to the interfaces, and configure the routing protocol on the devices to make sure the routes to the devices are reachable at Layer 3. (Details not shown.)
3. On Switch A, configure the default route to the subnet 10.0.10.0/24, with the next hop as 10.0.11.1. (Details not shown.)
4. Configure Switch B:
# Configure a portal server as follows:
· Name: newpt
· IP address: 10.0.10.2
· Key: portal
· Port number: 50100
· URL: http://10.0.10.2/portal
<SwitchB>system-view
[SwitchB]portal server newpt ip 10.0.10.2 key portal port 50100 url http://10.0.10.2/portal
# Enable portal authentication on the interface connected to Switch A, and configure the authentication subnet as the one where Department A resides.
<SwitchB>system-view
System View: return to User View with Ctrl+Z.
[SwitchB]interface Vlan-interface 11
[SwitchB-Vlan-interface11]portal auth-network 192.168.0.0 255.255.255.0
[SwitchB-Vlan-interface11]portal server newpt method layer3
[SwitchB-Vlan-interface11]quit
# Configure a portal-free rule to allow the routing protocol packets of Switch A to pass through.
[SwitchB]portal free-rule 0 source ip 10.0.11.2 mask 32
[SwitchB]quit
# Configure a RADIUS scheme named imc, and enter its view.
<SwitchB>system-view
System View: return to User View with Ctrl+Z.
[SwitchB]radius scheme imc
# Configure the RADIUS scheme parameters, including the RADIUS server IP address, shared key, username format, and server type.
[SwitchB-radius-imc]primary authentication 10.0.10.2
[SwitchB-radius-imc]primary accounting 10.0.10.2
[SwitchB-radius-imc]key authentication imc
[SwitchB-radius-imc]key accounting imc
[SwitchB-radius-imc]server-type extended
[SwitchB-radius-imc]user-name-format without-domain
[SwitchB-radius-imc]quit
[SwitchB]quit
# Create an authentication domain named portal.com, and specify the RADIUS scheme for the domain.
<SwitchB>system-view
[SwitchB]domain portal.com
[SwitchB-isp-portal.com]authentication portal radius-scheme imc
[SwitchB-isp-portal.com]accounting portal radius-scheme imc
[SwitchB-isp-portal.com]authorization portal radius-scheme imc
[SwitchB-isp-portal.com]quit
[SwitchB]quit
# Specify the authentication domain portal.com as the default ISP domain. Users without any domain name carried in their usernames are considered to be in the default domain.
[SwitchB] domain default enable portal.com
# Configure ACL 3000 to allow only the packets destined for the virus definitions update server and patch server to pass through.
<SwitchB>system-view
[SwitchB]acl number 3000
[SwitchB-acl-adv-3000]rule permit ip destination 10.0.12.2 0
[SwitchB-acl-adv-3000]rule permit ip destination 10.0.12.3 0
[SwitchB-acl-adv-3000]rule deny ip
[SwitchB-acl-adv-3000]quit
[SwitchB]quit
# Configure ACL 3001 to allow access to all network destinations.
<SwitchB>system-view
[SwitchB]acl number 3001
[SwitchB-acl-adv-3001]rule permit ip
[SwitchB-acl-adv-3001]quit
[SwitchB]quit
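As an added illustration (not code from this document or from H3C), the following Python model reproduces the access decisions that both examples verify with ping: before authentication only the portal server is reachable, after authentication everything is, and after a failed security check the isolation ACL 3000 limits the user to the two update servers while the portal server stays reachable. The addresses, auth-network, free rule and ACLs are the ones configured on Switch B; first-match ACL evaluation and the wildcard-mask semantics are assumptions used for the model.

```python
# Added model of the access decisions in this example, not code from the
# H3C document. The addresses, auth-network, free rule and ACLs 3000/3001 are
# the ones configured on Switch B; first-match ACL evaluation and the wildcard
# mask semantics are assumptions about Comware behaviour used for the model.
import ipaddress

PORTAL_SERVER = ipaddress.ip_address("10.0.10.2")
AUTH_NETWORK = ipaddress.ip_network("192.168.0.0/24")   # portal auth-network
FREE_SOURCES = [ipaddress.ip_network("10.0.11.2/32")]   # portal free-rule 0

# rule <id> <action> ip [destination <address> <wildcard>]; wildcard 0 means
# every bit of the address must match. None = any destination.
ACLS = {
    3000: [(0, "permit", ("10.0.12.2", "0.0.0.0")),    # virus definitions server
           (5, "permit", ("10.0.12.3", "0.0.0.0")),    # patch server
           (10, "deny", None)],
    3001: [(0, "permit", None)],
}


def dest_matches(dest, spec):
    """Wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    if spec is None:
        return True
    addr, wildcard = (int(ipaddress.ip_address(x)) for x in spec)
    care = ~wildcard & 0xFFFFFFFF
    return int(ipaddress.ip_address(dest)) & care == addr & care


def acl_permits(acl_number, dest):
    """First matching rule decides. Both ACLs on the page end with a
    catch-all rule, so the no-match case does not arise (deny in this model)."""
    for _, action, spec in ACLS[acl_number]:
        if dest_matches(dest, spec):
            return action == "permit"
    return False


def allowed(src, dest, online, acl=None):
    """Does a packet from src to dest pass Switch B's portal control?

    online: False before the user passes identity authentication.
    acl:    ACL number assigned after security check (None = no ACL).
    """
    src, dest = ipaddress.ip_address(src), ipaddress.ip_address(dest)
    if any(src in net for net in FREE_SOURCES):
        return True                  # Switch A's routing packets, free rule
    if src not in AUTH_NETWORK:
        raise ValueError("sources outside auth-network are not modelled")
    if dest == PORTAL_SERVER:
        return True                  # reachable in every state per the page
    if not online:
        return False                 # everything else waits for portal auth
    return True if acl is None else acl_permits(acl, dest)


def reachability(src, online, acl=None):
    """Summarise the page's ping checks for one client state."""
    targets = ["10.0.10.1", "10.0.10.2", "10.0.11.1",
               "10.0.12.1", "10.0.12.2", "10.0.12.3"]
    return {t: allowed(src, t, online, acl) for t in targets}


if __name__ == "__main__":
    for state in [(False, None), (True, None), (True, 3000), (True, 3001)]:
        print(state, reachability("192.168.0.2", *state))
```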
Verifying the configuration
# Before portal authentication, verify that Client A can access only the portal server.
C:\>ping -n 1 10.0.10.1
Pinging 10.0.10.1 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.10.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\>ping -n 1 10.0.10.2
Pinging 10.0.10.2 with 32 bytes of data:
Reply from 10.0.10.2: bytes=32 time<1ms TTL=126
Ping statistics for 10.0.10.2:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping -n 1 10.0.11.1
Pinging 10.0.11.1 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.11.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\>ping -n 1 10.0.12.1
Pinging 10.0.12.1 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.12.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\>ping -n 1 10.0.12.2
Pinging 10.0.12.2 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.12.2:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\>ping -n 1 10.0.12.3
Pinging 10.0.12.3 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.12.3:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
# On the security policy server, configure a security policy that uses isolation mode. Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL. Enable virus scanning for the client, and set the required Symantec virus definition version to one higher than the version currently installed on the client.
# On Client A, use the iNode client to establish a portal connection through Switch B. After entering the correct username and password, the user logs in successfully. The security check then begins and fails, and the client is quarantined. Displaying the portal user information on the device shows that the isolation ACL is applied to the client.
<SwitchB>display portal user all
Index:77
State:ONLINE
SubState:NONE
ACL:3000
Work-mode:stand-alone
VPN instance:NONE
MAC IP Vlan Interface
---------------------------------------------------------------------
0000-0000-0000 192.168.0.2 11 Vlan-interface11
Total 1 user(s) matched, 1 listed.
# Display network access information about Client A. Client A can access only the portal server, patch server, and virus definitions update server.
C:\>ping -n 1 10.0.10.1
Pinging 10.0.10.1 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.10.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\>ping -n 1 10.0.10.2
Pinging 10.0.10.2 with 32 bytes of data:
Reply from 10.0.10.2: bytes=32 time<1ms TTL=126
Ping statistics for 10.0.10.2:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping -n 1 10.0.11.1
Pinging 10.0.11.1 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.11.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\>ping -n 1 10.0.12.1
Pinging 10.0.12.1 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.12.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\>ping -n 1 10.0.12.2
Pinging 10.0.12.2 with 32 bytes of data:
Reply from 10.0.12.2: bytes=32 time=2ms TTL=126
Ping statistics for 10.0.12.2:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms
C:\>ping -n 1 10.0.12.3
Pinging 10.0.12.3 with 32 bytes of data:
Reply from 10.0.12.3: bytes=32 time<1ms TTL=126
Ping statistics for 10.0.12.3:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
# Update the virus definitions on Client A to satisfy the virus definitions version requirement. Tear down the portal connection and log in again. After identity authentication, the security check begins, and the iNode client is notified that the security check has succeeded. Displaying the portal user information on the device, you can see that the security ACL is now used for the client.
<SwitchB>display portal user all
Index:79
State:ONLINE
SubState:NONE
ACL:3001
Work-mode:stand-alone
VPN instance:NONE
MAC IP Vlan Interface
---------------------------------------------------------------------
0000-0000-0000 192.168.0.2 11 Vlan-interface11
Total 1 user(s) matched, 1 listed.
# Display network access information about Client A. Client A can access network resources.
C:\>ping -n 1 10.0.10.1
Pinging 10.0.10.1 with 32 bytes of data:
Reply from 10.0.10.1: bytes=32 time<1ms TTL=254
Ping statistics for 10.0.10.1:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping -n 1 10.0.10.2
Pinging 10.0.10.2 with 32 bytes of data:
Reply from 10.0.10.2: bytes=32 time<1ms TTL=126
Ping statistics for 10.0.10.2:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping -n 1 10.0.11.1
Pinging 10.0.11.1 with 32 bytes of data:
Reply from 10.0.11.1: bytes=32 time<1ms TTL=254
Ping statistics for 10.0.11.1:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping -n 1 10.0.12.1
Pinging 10.0.12.1 with 32 bytes of data:
Reply from 10.0.12.1: bytes=32 time<1ms TTL=254
Ping statistics for 10.0.12.1:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping -n 1 10.0.12.2
Pinging 10.0.12.2 with 32 bytes of data:
Reply from 10.0.12.2: bytes=32 time=2ms TTL=126
Ping statistics for 10.0.12.2:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms
C:\>ping -n 1 10.0.12.3
Pinging 10.0.12.3 with 32 bytes of data:
Reply from 10.0.12.3: bytes=32 time<1ms TTL=126
Ping statistics for 10.0.12.3:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Configuration files
#
domain default enable portal.com
#
portal server newpt ip 10.0.10.2 key cipher $c$3$NutFYbU0hYwh72HWnP2zrtfThyQfRb6pmw url http://10.0.10.2/portal
portal free-rule 0 source ip 10.0.11.2 mask 255.255.255.255 destination ip any
#
forward-path check enable
#
acl number 3000
rule 0 permit ip destination 10.0.12.2 0
rule 5 permit ip destination 10.0.12.3 0
rule 10 deny ip
acl number 3001
rule 0 permit ip
#
vlan 1
#
vlan 10 to 11
#
radius scheme imc
server-type extended
primary authentication 10.0.10.2
primary accounting 10.0.10.2
key authentication cipher $c$3$M30nGDQxiOCAxe2AJ9yEZdk8kjoWag==
key accounting cipher $c$3$sLGxmc7H4MDmvUvmcaaee50JnNLPrA==
user-name-format without-domain
#
domain portal.com
authentication portal radius-scheme imc
authorization portal radius-scheme imc
accounting portal radius-scheme imc
access-limit disable
state active
idle-cut disable
self-service-url disable
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
interface NULL0
#
interface Vlan-interface10
ip address 10.0.10.1 255.255.255.0
#
interface Vlan-interface11
ip address 10.0.11.1 255.255.255.0
rip version 2 multicast
portal auth-network 192.168.0.0 255.255.255.0
portal server newpt method layer3
#
interface Vlan-interface12
ip address 10.0.12.1 255.255.255.0
#
#
interface GigabitEthernet7/0/10
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet7/0/11
port link-mode bridge
port access vlan 11
#
interface GigabitEthernet7/0/12
port link-mode bridge
port access vlan 12
#
#
interface M-Ethernet0/0/0
#
rip 1
version 2
network 10.0.0.0
import-route direct
#
user-interface con 0
user-interface aux 0
user-interface vty 0 17
#
Related documentation
· H3C S12500 Routing Switch Series Security Configuration Guide
· H3C S12500 Routing Switch Series Security Command Reference