03-S12500_IPv6_Portal_Authentication_Configuration_Examples
Contents
General configuration restrictions and guidelines
Example: Configuring cross-subnet IPv6 portal authentication
Configuration restrictions and guidelines
Introduction
This document provides IPv6 portal configuration examples.
Portal authentication, also called Web authentication, provides a flexible network access control method through Web interfaces.
Prerequisites
The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
This document assumes that you have basic knowledge of H3C portal authentication.
General configuration restrictions and guidelines
When you configure IPv6 portal authentication, follow these restrictions and guidelines:
· If a QoS policy has been configured in a VLAN, on a member interface in a VLAN, or globally, do not configure portal authentication for the VLAN or on the interface. Otherwise, portal authentication does not take effect.
· A portal authentication client is identified by its IP address. Network address translation can cause portal authentication failure. To avoid a failure, make sure no NAT device is configured between the portal authentication client, the access device, the portal server, and the AAA server.
Example: Configuring cross-subnet IPv6 portal authentication
Network requirements
As shown in Figure 1, the clients in department A access the core network of the company through Device A.
Configure portal authentication on Device A to control network access of the clients. Before passing portal authentication, a client can access only the portal server and all Web access requests are redirected to the portal server. After portal authentication, a client can access other internal resources of the company and Internet resources.
Use a RADIUS server as the AAA server for portal users.
Configure a shared key on both Device A and the RADIUS server for secure packet exchange.
Table 1 shows the VLAN and IP address assignment.
Table 1 VLAN and IP address assignment
Device | Interface | IP address |
---|---|---|
Device A | VLAN-interface 5 (GE 9/0/24) | 2193::1/64 |
Device A | VLAN-interface 6 (GE 9/0/16) | 2001::1234/64, 192.168.3.1/24 |
Requirements analysis
To authenticate the clients through portal in Department A, configure a portal server and enable portal authentication on Device A.
To implement AAA for users through the RADIUS server, configure a RADIUS scheme and specify the AAA servers on Device A. Apply the scheme to the authentication domain to which the portal users belong.
The shared key secures password exchange between Device A and the RADIUS server and also prevents the response packets from the RADIUS server from being tampered with.
Software version used
The configuration examples were created and verified on S12500-CMW520-R1825P01.
Configuration restrictions and guidelines
When you configure cross-subnet IPv6 portal authentication, follow these restrictions and guidelines:
· Before configuring IPv6 portal authentication, perform the following operations to make sure the device supports IPv6 ACLs and IPv6 forwarding:
  - Enable IPv6 forwarding.
  - Use the acl ipv6 enable command to enable IPv6 ACL for the cards suffixed with EC1 and EF.
  - Use the acl mode advanced command to enable IPv6 ACL for the cards suffixed with EB and EC2.
· Only RADIUS servers support AAA for portal users. Make sure you configure routes on the RADIUS server to the authentication port and the user's IP subnet.
· To implement cross-subnet portal authentication, configure the authentication mode as layer3. To implement direct portal authentication, configure the authentication mode as direct. IPv6 portal authentication does not support re-DHCP authentication mode.
Configuration procedures
1. Complete configurations on the RADIUS server and the portal server, for example, adding users. (Details not shown.)
2. Configure IPv6 forwarding and IPv6 ACL:
# Enable IPv6 forwarding globally.
<DeviceA> system-view
[DeviceA]ipv6
[DeviceA]quit
# Enable IPv6 ACL.
<DeviceA> system-view
[DeviceA]acl ipv6 enable
[DeviceA]quit
3. Configure interface addresses:
# Assign GigabitEthernet 9/0/24 to VLAN 5, and assign an IPv6 address to VLAN-interface 5.
<DeviceA> system-view
[DeviceA]vlan 5
[DeviceA-vlan5]port GigabitEthernet 9/0/24
[DeviceA-vlan5]quit
[DeviceA]interface GigabitEthernet 9/0/24
[DeviceA-GigabitEthernet9/0/24]undo shutdown
[DeviceA-GigabitEthernet9/0/24]quit
[DeviceA]interface Vlan-interface 5
[DeviceA-Vlan-interface5]undo shutdown
[DeviceA-Vlan-interface5]ipv6 address 2193::1 64
[DeviceA-Vlan-interface5]quit
[DeviceA]quit
# Assign GigabitEthernet 9/0/16 to VLAN 6, and assign an IPv6 address to VLAN-interface 6.
<DeviceA> system-view
[DeviceA]vlan 6
[DeviceA-vlan6]port GigabitEthernet 9/0/16
[DeviceA-vlan6]quit
[DeviceA]interface GigabitEthernet 9/0/16
[DeviceA-GigabitEthernet9/0/16]undo shutdown
[DeviceA-GigabitEthernet9/0/16]quit
[DeviceA]interface Vlan-interface 6
[DeviceA-Vlan-interface6]undo shutdown
[DeviceA-Vlan-interface6]ipv6 address 2001::1234 64
[DeviceA-Vlan-interface6]quit
[DeviceA]quit
4. Configure a RADIUS scheme:
# Create a RADIUS scheme and enter its view.
<DeviceA> system-view
[DeviceA]radius scheme imc
New Radius scheme
# Configure the RADIUS scheme parameters, including the RADIUS server IP address, shared key, username format, and server type.
[DeviceA-radius-imc]primary authentication 192.168.3.13
[DeviceA-radius-imc]primary accounting 192.168.3.13
[DeviceA-radius-imc]key authentication imc
[DeviceA-radius-imc]key accounting imc
[DeviceA-radius-imc]user-name-format without-domain
[DeviceA-radius-imc]server-type extended
[DeviceA-radius-imc]quit
[DeviceA] quit
5. Configure an authentication domain:
# Create an ISP domain named H3C.com, and specify the RADIUS scheme for the domain.
<DeviceA> system-view
[DeviceA] domain H3C.com
[DeviceA-isp-H3C.com] authentication portal radius-scheme imc
[DeviceA-isp-H3C.com] accounting portal radius-scheme imc
[DeviceA-isp-H3C.com] authorization portal radius-scheme imc
[DeviceA-isp-H3C.com] quit
[DeviceA] quit
6. Configure portal authentication:
# Configure a portal server as follows:
  - Name: portal_v6
  - IPv6 address: 2001::2
  - Key: portal
  - Port number: 50100
  - URL: http://[2001::2]:8080/portal
<DeviceA>system-view
System View: return to User View with Ctrl+Z.
[DeviceA]portal server portal_v6 ipv6 2001::2 key portal url http://[2001::2]:8080/portal
# Enable portal authentication on VLAN-interface 5, and specify the configured authentication domain and the NAS-IP on the interface.
<DeviceA> system-view
[DeviceA] interface Vlan-interface 5
[DeviceA-Vlan-interface5] portal server portal_v6 method layer3
[DeviceA-Vlan-interface5] portal nas-ip ipv6 2001::1234
[DeviceA-Vlan-interface5] portal domain ipv6 H3C.com
[DeviceA-Vlan-interface5] quit
[DeviceA] quit
Verifying the configuration
Before passing portal authentication, verify that Client A, Client B, and Client C can ping the server IP 2001::2, but cannot ping the gateway IP address 2193::1 or subnet IP 2001::1234.
After passing portal authentication, verify that Client A, Client B, and Client C can ping the server IP 2001::2, the gateway IP address 2193::1, and the subnet IP 2001::1234.
Configuration files
<Sysname>display current-configuration
#
version 5.20.101, Demo 1824
#
sysname Sysname
#
domain default enable system
#
ipv6
#
portal server portal_v6 ipv6 2001::2 key cipher $c$3$RTeW9Do7i/oJ044lGqRsCoKGCfjfpLt4Qw== url http://[2001::2]:8080/portal
#
xbar load-single
#
forward-path check enable
acl ipv6 enable
acl mode advanced
undo vpn popgo
system working mode standard
hardware-failure-detection chip isolate
hardware-failure-detection board isolate
hardware-failure-detection forwarding isolate
#
vlan 1
#
vlan 5 to 6
#
radius scheme imc
server-type extended
primary authentication 192.168.3.13
primary accounting 192.168.3.13
key authentication cipher $c$3$SEu0jaO8p8BCI5xC9lPVIdN3zPzvXUk=
key accounting cipher $c$3$KiW/1TrX38ql2PEgH3C36bfRdraI34og=
user-name-format without-domain
#
domain H3C.com
authentication portal radius-scheme imc
authorization portal radius-scheme imc
accounting portal radius-scheme imc
access-limit disable
state active
idle-cut disable
self-service-url disable
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
group-attribute allow-guest
#
stp enable
#
interface NULL0
#
interface Vlan-interface5
ipv6 address 2193::1/64
portal server portal_v6 method layer3
portal domain ipv6 H3C.com
portal nas-ip ipv6 2001::1234
#
interface Vlan-interface6
ipv6 address 2001::1234/64
ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet9/0/16
port link-mode bridge
port access vlan 6
#
interface GigabitEthernet9/0/24
port link-mode bridge
port access vlan 5
#
interface M-Ethernet0/0/0
#
load xml-configuration
#
load tr069-configuration
#
user-interface con 0
user-interface aux 0
authentication-mode none
user privilege level 3
user-interface vty 0 17
#
return
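As an added example that is not part of the H3C document, the following Python audit runs over display current-configuration output and checks the requirements from this example: IPv6 forwarding and IPv6 ACL enabled, the portal server key stored in cipher form, method layer3 on the portal interface, portal nas-ip ipv6 matching an IPv6 address configured on an interface, and no QoS policy applied on that interface (the qos apply policy command form is an assumption). The embedded configuration excerpt is constructed from the configuration file above, with the cipher strings replaced by placeholders.

```python
import re
# Constructed excerpt of the example's running-config above (cipher strings are placeholders).
SAMPLE_CONFIG = """\
ipv6
acl ipv6 enable
portal server portal_v6 ipv6 2001::2 key cipher $c$3$PLACEHOLDER url http://[2001::2]:8080/portal
#
interface Vlan-interface5
 ipv6 address 2193::1/64
 portal server portal_v6 method layer3
 portal domain ipv6 H3C.com
 portal nas-ip ipv6 2001::1234
#
interface Vlan-interface6
 ipv6 address 2001::1234/64
"""
def parse(config):
    """Group commands by context: '#' ends a context; lines outside any context are global."""
    ctx, sections = "global", {"global": []}
    for line in map(str.strip, config.splitlines()):
        if line == "#":
            ctx = "global"
        elif m := re.fullmatch(r"(interface|radius scheme|domain) (\S+)", line):
            ctx = f"{m[1]} {m[2]}"
            sections.setdefault(ctx, [])
        elif line:
            sections.setdefault(ctx, []).append(line)
    return sections

def audit(config):
    """Return findings for a cross-subnet IPv6 portal setup; an empty list means all checks pass."""
    s, out = parse(config), []
    need = lambda cond, msg: None if cond else out.append(msg)  # record a finding when a check fails
    g, ifaces = s["global"], {k: v for k, v in s.items() if k.startswith("interface")}
    need("ipv6" in g, "IPv6 forwarding is not enabled")
    need(any(l in ("acl ipv6 enable", "acl mode advanced") for l in g), "IPv6 ACL is not enabled")
    servers = {m[1]: m[2] for l in g if (m := re.match(r"portal server (\S+) ipv6 \S+ key (\S+)", l))}
    need(all(k == "cipher" for k in servers.values()), "a portal server shared key is not stored in cipher form")
    v6 = {l.split()[2].split("/")[0] for v in ifaces.values() for l in v if l.startswith("ipv6 address")}
    for name, lines in ifaces.items():
        cmds = dict(re.match(r"portal (\S+)(?: ipv6)? (.*)", l).groups() for l in lines if l.startswith("portal "))
        if "server" not in cmds:  # portal not enabled on this interface
            continue
        srv, _, method = cmds["server"].split()  # "<server> method <layer3|direct>"
        need(srv in servers, f"{name}: undefined portal server {srv}")
        need(method == "layer3", f"{name}: cross-subnet portal requires method layer3, found {method}")
        need(cmds.get("nas-ip") in v6, f"{name}: nas-ip {cmds.get('nas-ip')} is not an IPv6 address of any interface")
        need(not any(l.startswith("qos apply policy") for l in lines),  # assumed QoS command form
             f"{name}: QoS policy applied, portal authentication will not take effect")
    return out
```

Feed the function the saved output of display current-configuration; each returned string names the interface or global setting that violates one of the restrictions above.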
Related documentation
· H3C S12500 Routing Switch Series Security Configuration Guide
· H3C S12500 Routing Switch Series Security Command Reference