H3C Access Controllers
Comware 7 Service Template-Based Direct Portal Authentication Configuration Example
Copyright © 2022 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Overview
The following information provides an example for configuring service template-based direct portal authentication.
Prerequisites
The following information applies to Comware 7-based access controllers. Procedures and information in the examples might be slightly different depending on the software or hardware version of the H3C access controllers.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of portal authentication.
Example: Configuring service template-based direct portal authentication
The configuration procedures for IPv4 and IPv6 direct portal authentication are the same. This example uses IPv4 direct portal authentication.
Network configuration
As shown in Figure 1, the switch acts as a DHCP server to assign IPv4 addresses to the AP and the wireless client. The AC acts as both a portal Web server and a portal authentication server. A RADIUS server is used as the authentication and accounting server.
Configure the AC to perform direct portal authentication on the client.
Procedures
Configuring the AC
Configuring IP addresses
# Assign an IP address to each interface and make sure the client, the servers, and the AC can reach each other. (Details not shown.)
Configuring a RADIUS scheme
1. Click the Network View tab at the bottom of the page.
2. From the navigation pane, select Network Security > Authentication.
3. Click the RADIUS tab.
4. Click the Add button to create a RADIUS scheme.
a. Enter the scheme name rs1.
b. Configure the primary authentication server:
- Select IP address from the Type field.
- Enter 192.168.3.2 in the Host field.
- Enter 1812 in the Port field.
- Enter radius in the Modified Key field.
- Select Active from the State field.
c. Configure the primary accounting server:
- Select IP address from the Type field.
- Enter 192.168.3.2 in the Host field.
- Enter 1813 in the Port field.
- Enter radius in the Modified Key field as the shared key.
- Select Active from the State field.
Figure 2 Creating a RADIUS scheme
5. Click Show advanced settings to configure the advanced settings for the RADIUS scheme.
a. Specify 192.168.1.1 as the source IPv4 address for outgoing RADIUS packets.
b. Select Excludes the domain name from the Format for the usernames sent to the RADIUS server field.
c. Use the default settings for the other parameters.
Figure 3 Configuring advanced settings
6. Click Apply.
Configuring an ISP domain
1. From the navigation pane, select Network Security > Authentication.
2. Click the ISP Domains tab.
3. Click the Add button to create an ISP domain.
a. Enter the domain name dm1.
b. Set the state to Active.
c. Select Portal from the Service type field.
d. Select RADIUS for authentication and authorization and None for accounting.
e. Click Apply.
Figure 4 Configuring an ISP domain
Configuring portal authentication
1. From the navigation pane, select Network Security > Access Control.
2. Click the Portal tab.
3. Click the right chevron button in the Portal Web server row and then click the Add button to create a portal Web server.
a. Enter the server name newptv4.
b. Enter the URL http://192.168.2.1/portal.
c. Enter the URL parameter name wlanuserip.
d. Use the default settings for the other parameters.
e. Click Apply.
Figure 5 Configuring a portal Web server
4. Click the right chevron button in the Local portal Web server row and then click the Add button to create a local portal Web server.
a. Select HTTP.
b. Specify defaultfile.zip as the default logon page.
c. Use the default settings for the other parameters.
d. Click Apply.
Figure 6 Configuring a local portal Web server
5. Click the right chevron button in the Portal-free rule row and then click the Add button to create a portal-free rule.
a. Set the rule ID to 1.
b. Select IP-based.
c. Select Destination IP.
d. Select Any IPv4.
e. Select TCP port, and set the port number to 53.
f. Use the default settings for the other parameters.
g. Click Apply.
Figure 7 Configuring portal-free rule 1
6. Click the right chevron button in the Portal-free rule row and then click the Add button to create a portal-free rule.
a. Set the rule ID to 2.
b. Select IP-based.
c. Select Destination IP.
d. Select Any IPv4.
e. Select UDP port, and set the port number to 53.
f. Use the default settings for the other parameters.
g. Click Apply.
Figure 8 Configuring portal-free rule 2
7. Click the right chevron button in the Portal-free rule row and then click the Add button to create a portal-free rule.
a. Set the rule ID to 3.
b. Select Source-based to configure a source-based portal-free rule.
c. Select BAGG1 from the Source interface field.
d. Use the default settings for the other parameters.
e. Click Apply.
Figure 9 Configuring portal-free rule 3
Configuring the WLAN service
1. From the navigation pane, select Wireless Configuration > Wireless Networks.
2. Click the Add button to create a service template.
a. In the Basic area, set the service template name to st1, set the SSID to service, enable the service template, and set the default VLAN to 200.
b. In the Authentication area, select With Portal Authentication, enter dm1 in the Domain Name field, and enter newptv4 in the Portal Web Server field.
c. Use the default settings for the other parameters.
d. Click Apply.
Figure 10 Configuring a wireless network
Creating an AP and binding service template st1 to the AP
Details not shown.
Configuring the switch
Details not shown.
Configuring the RADIUS server
In this example, the RADIUS server runs IMC PLAT 7.1(E0303) and IMC UAM 7.1(E0304).
Adding the AC to IMC as an access device
1. Log in to IMC and click the User tab.
2. From the navigation tree, select User Access Policy > Access Device Management > Access Device.
3. Click Add.
The Add Access Device page opens.
4. In the Access Configuration area, set the shared key to radius. The shared key must be the same as that set in the RADIUS configuration on the AC.
5. In the Device List area, click the Add Manually button to add an access device.
6. On the Add Access Device Manually page, enter 192.168.1.1 in the Start IP field and click Apply.
7. Use the default settings for the other parameters.
8. Click OK.
Figure 11 Adding an access device
Adding an access policy
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Policy.
3. Click Add.
4. On the Add Access Policy page, configure an access policy.
a. Enter the access policy name AccessPolicy.
b. Select a service group. This example uses Ungrouped.
c. Use the default settings for the other parameters.
Figure 12 Adding an access policy
Adding an access service
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Service.
3. Click Add.
4. On the Add Access Service page, configure the following parameters:
a. Enter the access service name.
b. Select an access policy as the default access policy.
c. Use the default settings for the other parameters.
d. Click OK.
Figure 13 Adding an access service
Adding an access user
1. Click the User tab.
2. From the navigation tree, select Access User > All Access Users.
3. Click Add. The Add Access User page opens.
4. In the Access Information area, configure the following parameters:
a. Click Select to select an existing user or click Add User to add a new user.
b. Enter the account name in the Account Name field.
c. Enter the user password in the Password and Confirm Password fields.
5. In the Access Service area, select the access service RadiusServer from the list.
6. Click OK.
Figure 14 Adding an access user account
Verifying the configuration
# On the client, use the configured user account to perform portal authentication through a Web browser. Before passing the authentication, the user can access only the authentication page http://192.168.2.1/portal. All Web requests from the user will be redirected to the authentication page. After passing the authentication, the user can access other network resources.
# After the user passes portal authentication, verify that the user has come online on the AC.
1. Click the Network View tab at the bottom of the page.
2. From the navigation pane, select Network Security > Access Control.
3. Click the Portal tab.
4. Click the right chevron button in the Online users row.
The information about the user is displayed in the online user list.
Related documentation
H3C Access Controllers Web-Based Configuration Guide