As shown in Figure 1:
Users user10001, user10002, and user10003 use static IP addresses, and they must pass portal authentication to access the network.
Device is a firewall and acts as a NAS for the users to access the network. The NAS uses the RADIUS server to authenticate the users.
The RADIUS server is installed with IMC components. For portal authentication, the server acts as both the portal authentication server and portal Web server.
The RESTful server stores user account information. The server can synchronize user identity information to Device (the firewall).
The firewall performs the following identity-based access control on the users that have passed portal authentication:
Users user10001 and user10002 cannot access the Internet.
User user10003 can access the Internet.
Users from the Internet cannot access the hosts in the Trust and DMZ security zones.
Figure 2 Analysis diagram
This configuration example was created and verified on version 7.1.064, ESS 0701 of the MSR26-30 router.
This configuration example was created and verified on E8371 of the F5000-AI160 device.
The RADIUS and portal server is installed with IMC PLAT 7.3 (E0606), IMC UAM 7.3 (E0503), IMC CAMS 7.3 (E0501), and IMC EIA 7.3 (E0512).
An IMC server logs off an online user only after it receives an accounting-stop request for that user. For the NAS to send accounting-stop requests to the server, you need to configure accounting settings in the authentication domain of the user on the NAS. However, you do not need to configure accounting parameters on the IMC server since accounting is not required.
Perform the tasks in this section to ensure the network connectivity of the router.
# Assign IP address 20.2.1.1 to GigabitEthernet 0/0.
<Router> system-view
[Router] interface gigabitethernet 0/0
[Router-GigabitEthernet0/0] ip address 20.2.1.1 255.255.255.0
[Router-GigabitEthernet0/0] quit
# Assign IP address 20.2.2.1 to GigabitEthernet 0/1.
[Router] interface gigabitethernet 0/1
[Router-GigabitEthernet0/1] ip address 20.2.2.1 255.255.255.0
[Router-GigabitEthernet0/1] quit
# Configure a default route to ensure that the router can reach the Internet.
[Router] ip route-static 0.0.0.0 0.0.0.0 20.2.2.2
# Enable the SNMP agent.
<Device> system-view
[Device] snmp-agent
# Enable all SNMP versions, create the read-only community public and the read and write community private.
[Device] snmp-agent sys-info version all
[Device] snmp-agent community read public
[Device] snmp-agent community write private
# Enable NETCONF over SOAP over HTTP.
[Device] netconf soap http enable
# Enable NETCONF over SOAP over HTTPS.
[Device] netconf soap https enable
# Enable RESTful over HTTP.
[Device] restful http enable
# Enable RESTful over HTTPS.
[Device] restful https enable
# On the top navigation bar, click Network.
# From the navigation pane, select Interface Configuration > Interfaces.
# Click the Edit icon for GE 1/0/1.
# In the dialog box that opens, configure the interface:
Select the DMZ security zone.
Click the IPv4 Address tab, and then enter the IP address and mask of the interface. In this example, enter 192.168.100.88/24.
Use the default settings for other parameters.
Click OK.
# Add GE 1/0/2 to the Trust security zone and set its IP address to 20.2.2.2/24 in the same way you configure GE 1/0/1.
# Add GE 1/0/3 to the Untrust security zone and set its IP address to 12.1.1.1/24 in the same way you configure GE 1/0/1.
Configure a route to ensure that the firewall and the users can reach each other.
This step uses static routing as an example. To use dynamic routing, configure a dynamic routing protocol.
# On the top navigation bar, click Network.
# From the navigation pane, select Routing > Static Routing.
# On the IPv4 Static Routing tab, click Create.
# In the dialog box that opens, configure the IPv4 static route:
Enter 20.2.1.0 in the Destination address field.
Enter 24 in the Mask length field.
Enter 20.2.2.1 as the next hop address in the Next hop field.
Use the default settings for other parameters.
# Click OK.
Configure a default route to ensure that the firewall can reach the Internet.
This step uses static routing as an example. To use dynamic routing, configure a dynamic routing protocol.
# On the top navigation bar, click Network.
# From the navigation pane, select Routing > Static Routing.
# On the IPv4 Static Routing tab, click Create.
# In the dialog box that opens, configure the IPv4 static route:
Enter 0.0.0.0 in the Destination address field.
Enter 0 in the Mask length field.
In the Next hop field, enter the IP address of the Internet-side device that connects to the firewall. In this example, enter 12.1.1.2.
Use the default settings for other parameters.
# Click OK.
# On the top navigation bar, click System.
# From the navigation pane, select Administrators > Administrators.
# Click the Edit icon for administrator admin.
# In the dialog box that opens, select the HTTP service as shown in Figure 3.
Figure 3 Modifying administrator information
# Click OK.
Perform the tasks in this section to ensure that the firewall can import identity user information from the IMC server.
# On the top navigation bar, click Policies.
# From the navigation pane, select Security Policies > Security Policies.
# Click Create > Create a policy.
# Configure security policy dmz-local to permit traffic from zone DMZ to zone Local:
Enter security policy name dmz-local.
Select source security zone DMZ.
Select destination security zone Local.
Select type IPv4.
Select action Permit.
Use the default settings for other parameters.
# Click OK.
# Configure security policy local-dmz in the same way you configure security policy dmz-local to permit traffic from zone Local to zone DMZ:
Enter security policy name local-dmz.
Select source security zone Local.
Select destination security zone DMZ.
Select type IPv4.
Select action Permit.
Use the default settings for other parameters.
# Configure security policy trust-dmz in the same way you configure security policy dmz-local to permit traffic between zone Trust and zone DMZ. This task allows the NAS to send and receive AAA and portal authentication packets for the users and IMC server.
Enter security policy name trust-dmz.
Select source security zones Trust and DMZ.
Select destination security zones Trust and DMZ.
Select type IPv4.
Select action Permit.
Use the default settings for other parameters.
# On the top navigation bar, click Objects.
# From the navigation pane, select User > Authentication > RADIUS.
# Click Create.
# In the dialog box that opens, create a RADIUS authentication server and a RADIUS accounting server and configure advanced settings, as shown in Figure 4, Figure 5, and Figure 6.
Figure 4 Creating a RADIUS scheme (authentication servers)
Figure 5 Creating a RADIUS scheme (accounting servers)
Figure 6 Creating a RADIUS scheme (advanced settings)
# Click OK.
# On the top navigation bar, click Objects.
# From the navigation pane, select User > Authentication > ISP Domains.
# Click Create.
# In the dialog box that opens, configure the access types and the AAA methods for portal users, as shown in Figure 7 and Figure 8.
Figure 7 Adding ISP domain dm1 (access types)
Figure 8 Adding ISP domain dm1 (AAA methods for portal users)
# Click OK.
Configuring the portal authentication server:
# On the top navigation bar, click Objects.
# From the navigation pane, select User > Access Control > Portal.
# On the Portal Authentication Servers tab, click Create.
# In the dialog box that opens, configure the portal authentication server:
Enter server name newpt.
Set the IP address to 192.168.100.244.
Enter key admin.
Set the port to 50100.
Figure 9 Creating a portal authentication server
# Click OK.
Configure the portal Web server:
# On the top navigation bar, click Objects.
# From the navigation pane, select User > Access Control > Portal.
# Click the Portal Web Servers tab.
# Click Create.
# In the dialog box that opens, configure the server name and URL, as shown in Figure 10. In this example, the URL is http://192.168.100.244:8080/portal.
Figure 10 Creating a portal Web server
# Click OK.
Configure an interface portal policy and enable IPv4 portal on GE 1/0/2:
# On the top navigation bar, click Objects.
# From the navigation pane, select User > Access Control > Portal.
# Click the Interface Portal Policies tab.
# Click Create.
# In the dialog box that opens, configure the interface portal policy, as shown in Figure 11.
Figure 11 Creating an interface portal policy
# Click OK.
Enable user identification:
# On the top navigation bar, click Objects.
# From the navigation pane, select User > User Management > Online Users.
# On the Online Users tab, click Enable user identification.
Figure 12 Enabling user identification
Create RESTful server rest1:
# On the top navigation bar, click Objects.
# From the navigation pane, select User > Authentication > RESTful Server.
# Click Create.
# In the dialog box that opens, configure the following parameters for the RESTful server:
Enter server name rest1.
Enter username admin.
Enter password admin.
Set the Get-user-account URI to http://192.168.100.244:8080/imcrs/uam/acmUser/acmUserList.
Set the Get-online-user URI to http://192.168.100.244:8080/imcrs/uam/online.
Set the Get-user-group URI to http://192.168.100.244:8080/imcrs/uam/acmUser/userGroup.
For an IMC RESTful server, URIs are in a fixed format. You cannot modify any parameters in the above URIs except for the IP address.
Figure 13 Creating the RESTful server
# Click OK.
Create user import policy imc:
# On the top navigation bar, click Objects.
# From the navigation pane, select User > User Management > User Import Policies.
# Click Create.
# In the dialog box that opens, configure parameters for the user import policy, as shown in Figure 14.
Figure 14 Creating user import policy imc
# Click OK.
# After the firewall and the IMC server can communicate with each other, enter the User Import Policies page and click the Manually import identity users icon for policy imc to import the user accounts on the IMC server to the firewall.
Figure 15 Importing user accounts
Perform this task to create a security policy to permit user user10003 to access the Internet and deny users from the Internet from accessing the internal network.
# On the top navigation bar, click Policies.
# From the navigation pane, select Security Policies > Security Policies.
# Click Create > Create a policy.
# In the dialog box that opens, configure the security policy:
Enter security policy name user10003.
Select source security zone Trust.
Select destination security zone Untrust.
Select type IPv4.
Select action Permit.
Select user user10003.
Use the default settings for other parameters.
# Click OK.
# Add the firewall to IMC for IMC to monitor and manage the firewall.
Log in to IMC:
# Enter the IMC URL in the address bar of the Web browser. In this example, the URL is http://192.168.100.244:8080/imc/.
# Enter username admin and password admin.
Add the firewall to IMC:
# Click the Resource tab.
# From the navigation tree, select Resource Management > Add Device.
# On the page that opens, configure parameters as shown in Figure 16:
Set the username and password to admin in the Telnet Settings area.
Use the default values for other parameters.
By default, the read-only SNMP community string is public and the read and write SNMP community string is private.
Figure 16 Adding the firewall to IMC
# Click OK.
Modify NETCONF settings:
# Click the Resource tab.
# From the navigation tree, select View Management > Device View.
# Click the link in the Device Label column for the target device.
Figure 17 Device list
# In the right pane, click Configure > Modify NETCONF Settings.
# In the dialog box that opens, click the plus sign (+) to add a protocol as shown in Figure 18.
In this example, set the username and password to admin.
Figure 18 Modifying NETCONF settings
# Click OK.
Synchronize security services from the firewall to the IMC server to ensure that the configuration and user information is consistent between the firewall and IMC server.
# Click the Service tab.
# From the navigation tree, select Security Service Manager > Device Management.
# On the Devices tab, the firewall is displayed in the device list, as shown in Figure 19.
Figure 19 Page for security device management (not synchronized)
# Select the firewall in the device list and click Synchronize. You can view the synchronization status from the Sync Status column, as shown in Figure 20 and Figure 21.
The synchronization process might take a long time. Please wait.
Figure 20 Page for security device management (synchronizing)
Figure 21 Page for security device management (synchronization succeeded)
Configure user authentication system parameters and user notification parameters to ensure that the IMC server synchronizes user online and offline information to the firewall in real time.
# Click the Service tab.
# From the navigation tree, select Security Service Manager > Global Parameters.
# Configure the user authentication system parameters, as shown in Figure 22.
Select a protocol depending on the protocol of the portal authentication server. Make sure the username and password are the same as those used to log in to the IMC server.
Figure 22 Configuring user authentication system parameters
# Click OK.
# Click the User tab.
# From the navigation tree, select User Access Policy > Service Parameters > System Settings.
# Click the Configure icon for User Notification Parameters.
# On the page that opens, click Add.
# On the Add User Notification page, configure the parameters as shown in Figure 23. In this example, you can enter any shared key.
Figure 23 Configuring user notification parameters
# Click OK.
Add the firewall to the IMC server as an access device:
# Click the User tab.
# From the navigation tree, select User Access Policy > Access Device Management > Access Device.
# Click Add.
# In the Access Configuration area, set the shared key to admin, as shown in Figure 24.
# In the Device List area, click Select or Add Manually to add the device at 192.168.100.88 as an access device.
You must specify the source IP address of outgoing RADIUS packets on the firewall as the IP address of the access device on the server.
On the firewall, the source IP address is configured by using the nas-ip or radius nas-ip command. The IP address configured by using the nas-ip command has a higher priority than the IP address configured by using the radius nas-ip command. If no IP address is specified as the source IP address, the IP address of the packet outbound interface is used as the source IP address. In this example, the IP address of the packet outbound interface is used, which is 192.168.100.88.
Figure 24 Adding an access device
# Click OK.
Add an access policy:
# Click the User tab.
# From the navigation tree, select User Access Policy > Access Policy.
# Click Add.
# On the Add Access Policy page, set the access policy name to Portal, as shown in Figure 25.
Figure 25 Adding an access policy
# Click OK.
Add an access service:
# Select the User tab.
# From the navigation tree, select User Access Policy > Access Service.
# Click Add.
# On the Add Access Service page, set the service name to Portal and select Portal from the Default Access Policy list.
Figure 26 Adding an access service
# Click OK.
Add an access user:
# Click the User tab.
# From the navigation tree, select Access User > All Access Users.
# Click Add.
# On the Add Access User page, configure parameters as shown in Figure 27.
Enter user in the User Name field.
Enter user10001 in the Account Name field.
Enter admin in the Password and Confirm Password fields.
Select Portal in the Access Service area.
Figure 27 Adding an access user
# Click OK.
# Add user accounts user10002 and user10003 in the same way you add user account user10001.
Configure the portal server:
# Click the User tab.
# From the navigation tree, select User Access Policy > Portal Service > Server.
# Configure the parameters in Figure 28 depending on the network conditions. In this example, the default values are used.
Figure 28 Portal server configuration
# Click OK.
Add an IP group:
# Click the User tab.
# From the navigation tree, select User Access Policy > Portal Service > IP Group.
# Click Add.
# On the Add IP Group page, configure the IP group parameters as shown in Figure 29.
# Click OK.
Add a portal device:
# Click the User tab.
# From the navigation tree, select User Access Policy > Portal Service > Device.
# Click Add.
# On the Add Device page, set the key to admin and configure other parameters as shown in Figure 30.
Figure 30 Adding portal device configuration
# Click OK.
Associate the portal device with the IP group:
# Click the User tab.
# From the navigation tree, select User Access Policy > Portal Service > Device.
# Click the Port Group icon in the Operation column for the firewall.
Figure 31 Device list
# On the page that opens, click Add.
# On the page that opens, configure a port group as shown in Figure 32.
# Click OK.
# Configure the IP address, network mask, and default gateway settings for each host. Make sure the hosts can communicate with the devices in the network. (Details not shown.)
On the hosts, verify that the users can pass portal authentication.
# Enter the URL of the portal Web server in the address bar of the Web browser to log in to the portal authentication page. In this example, the URL is http://192.168.100.244:8080/portal.
# Enter the username and password.
# Click Log In.
# Verify that the user has passed portal authentication.
Figure 33 Portal authentication success page
On the IMC server, verify that users user10001, user10002, and user10003 are in the online user list after they pass portal authentication. To view the online user list, click the User tab and select Access User > Online Users from the navigation tree.
On the firewall, display information about all portal users.
[Device] display portal user all
Total portal users: 3
Username: user10001
Portal server: newpt
State: Online
VPN instance: N/A
MAC IP VLAN Interface
0011-95e4-4aa9 20.2.1.13 -- GigabitEthernet1/0/2
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL number: N/A
Inbound CAR: N/A
Outbound CAR: N/A
Username: user10002
Portal server: newpt
State: Online
VPN instance: N/A
MAC IP VLAN Interface
0011-95e4-4aa3 20.2.1.13 -- GigabitEthernet1/0/2
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL number: N/A
Inbound CAR: N/A
Outbound CAR: N/A
Username: user10003
Portal server: newpt
State: Online
VPN instance: N/A
MAC IP VLAN Interface
0011-95e4-4aa2 20.2.1.13 -- GigabitEthernet1/0/2
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL number: N/A
Inbound CAR: N/A
Outbound CAR: N/A
On the firewall, display identity user information.
# Display information about all identity users.
[Device] display user-identity all user
User ID Username
0x2 user10001
0x3 user10002
0x4 user10003
# Display information about online identity user user10001.
[Device] display user-identity online-user null-domain name user10001
User name: user10001
IP : 20.2.1.11
MAC : 0011-95e4-4aa9
Type: Dynamic
Total 1 records matched.
# Display information about online identity user user10002.
[Device] display user-identity online-user null-domain name user10002
User name: user10002
IP : 20.2.1.12
MAC : 0011-95e4-4aa3
Type: Dynamic
Total 1 records matched.
# Display information about online identity user user10003.
[Device] display user-identity online-user null-domain name user10003
User name: user10003
IP : 20.2.1.13
MAC : 0011-95e4-4aa2
Type: Dynamic
Total 1 records matched.
Verify that the firewall can perform identity-based access control on the users:
# Verify that user user10001 cannot ping any host in the Internet. In this example, the user pings the host at 12.1.1.2.
C:\>ping 12.1.1.2
Pinging 12.1.1.2 with 32 bytes of data:
Request time out.
Request time out.
Request time out.
Request time out.
Ping statistics for 12.1.1.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
# Verify that user user10003 can ping hosts in the Internet. In this example, the user pings the host at 12.1.1.2.
C:\>ping 12.1.1.2
Pinging 12.1.1.2 with 32 bytes of data:
Reply from 12.1.1.2: bytes=32 time=36ms TTL=253
Reply from 12.1.1.2: bytes=32 time<1ms TTL=253
Reply from 12.1.1.2: bytes=32 time<1ms TTL=253
Reply from 12.1.1.2: bytes=32 time<1ms TTL=253
Ping statistics for 12.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 36ms, Average = 9ms
# When user user10003 pings the host in the Internet, the firewall generates a message.
[Router] display current-configuration
#
interface GigabitEthernet0/0
port link-mode route
ip address 20.2.1.1 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
ip address 20.2.2.1 255.255.255.0
#
interface GigabitEthernet3/0
port link-mode route
combo enable copper
#
ip route-static 0.0.0.0 0 20.2.2.2
#
snmp-agent
snmp-agent local-engineid 800063A28074258A37B5F500000001
snmp-agent community write private
snmp-agent community read public
snmp-agent sys-info version all
#
local-user admin class manage
password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ==
service-type telnet http
authorization-attribute user-role network-admin
#
return
[Device] display current-configuration
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 192.168.100.88 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 20.2.2.2 255.255.255.0
portal enable method direct
portal domain dm1
portal apply web-server newpt
#
interface GigabitEthernet1/0/3
port link-mode route
ip address 12.1.1.1 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name DMZ
import interface GigabitEthernet1/0/1
#
security-zone name Untrust
import interface GigabitEthernet1/0/3
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 12.1.1.2
ip route-static 20.2.1.0 24 20.2.2.1
#
snmp-agent
snmp-agent local-engineid 800063A280487ADA9593B700000001
snmp-agent community write private
snmp-agent community read public
snmp-agent sys-info version all
snmp-agent target-host trap address udp-domain 192.168.100.244 params securityname public v2c
#
radius scheme rs1
primary authentication 192.168.100.244
primary accounting 192.168.100.244
key authentication cipher $c$3$hhbEbD5Ycvw7VWqljAoMoU7hQRgcUjtg
user-name-format without-domain
#
domain dm1
authentication portal radius-scheme rs1
authorization portal radius-scheme rs1
accounting portal radius-scheme rs1
#
domain system
#
domain default enable system
#
local-user admin class manage
password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ==
service-type ssh telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
portal web-server newpt
url http://192.168.100.244:8080/portal
#
portal server newpt
ip 192.168.100.244 key cipher $c$3$+UmaGOco7eHsjOqlrp8lI4eYe0A8NpYU
#
netconf soap http enable
netconf soap https enable
restful http enable
restful https enable
#
user-identity enable
user-identity user-account auto-import policy imc
#
user-identity restful-server rest1
login-name admin password cipher $c$3$phGy00HA6OP6pIpGI0KOKZEOPuLVbtt/
uri get-user-database http://192.168.100.244:8080/imcrs/uam/acmUser/acmUserList
uri get-user-group-database http://192.168.100.244:8080/imcrs/uam/acmUser/userGroup
uri get-online-user http://192.168.100.244:8080/imcrs/uam/online
#
user-identity user-import-policy imc
account-update-interval 1
restful-server rest1
#
security-policy ip
rule 0 name dmz-local
action pass
source-zone dmz
destination-zone local
rule 1 name local-dmz
action pass
source-zone local
destination-zone dmz
rule 2 name trust-dmz
action pass
source-zone trust
source-zone dmz
destination-zone dmz
destination-zone trust
rule 3 name user10003
action pass
logging enable
source-zone trust
destination-zone untrust
user user10003
#
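The identity-based access control in the security-policy ip rule set above, as an added Python model that is not the firewall's own code: it applies the four rules in the order the firewall lists them and resolves the source user from the online identity table shown in the verification output. The subnet-to-zone map, the firewall's own addresses as the Local zone, and the implicit drop when no rule matches are assumptions drawn from the interface and zone configuration on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Zone membership of each subnet, derived from the interface and security-zone
# configuration on this page (assumption: the user LAN 20.2.1.0/24 behind the
# router is reached through GE1/0/2, so it is treated as Trust). Addresses
# owned by the firewall itself belong to the Local zone.
SUBNET_ZONES = {
    "20.2.1.0/24": "trust",
    "20.2.2.0/24": "trust",
    "192.168.100.0/24": "dmz",
    "12.1.1.0/24": "untrust",
}
FIREWALL_IPS = {"192.168.100.88", "20.2.2.2", "12.1.1.1"}

# Online identity table, as printed by "display user-identity online-user" above.
ONLINE_USERS = {"20.2.1.11": "user10001", "20.2.1.12": "user10002", "20.2.1.13": "user10003"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    source_zones: frozenset
    dest_zones: frozenset
    user: Optional[str] = None   # identity condition; None means "any user"


# The four rules of "security-policy ip" from the final configuration, in order.
RULES = (
    Rule("dmz-local", "pass", frozenset({"dmz"}), frozenset({"local"})),
    Rule("local-dmz", "pass", frozenset({"local"}), frozenset({"dmz"})),
    Rule("trust-dmz", "pass", frozenset({"trust", "dmz"}), frozenset({"dmz", "trust"})),
    Rule("user10003", "pass", frozenset({"trust"}), frozenset({"untrust"}), user="user10003"),
)


def zone_of(ip: str) -> str:
    """Map an address to its security zone; addresses outside the map get no zone."""
    if ip in FIREWALL_IPS:
        return "local"
    addr = ipaddress.ip_address(ip)
    for subnet, zone in SUBNET_ZONES.items():
        if addr in ipaddress.ip_network(subnet):
            return zone
    return "unknown"


def evaluate(src_ip: str, dst_ip: str, online: dict = ONLINE_USERS) -> Tuple[str, str]:
    """Return (action, rule name) for a packet; the first matching rule wins.

    A rule with a user condition matches only while the source IP is bound to
    that user in the online identity table, so the same host loses the rule's
    permission as soon as its identity entry is removed. If no rule matches,
    the packet is dropped (assumed default inter-zone action)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    user = online.get(src_ip)            # None when the host has no online user
    for rule in RULES:
        if src_zone not in rule.source_zones or dst_zone not in rule.dest_zones:
            continue
        if rule.user is not None and rule.user != user:
            continue
        return rule.action, rule.name
    return "drop", "default-deny"


if __name__ == "__main__":
    for src, dst in (("20.2.1.11", "12.1.1.2"), ("20.2.1.13", "12.1.1.2"),
                     ("12.1.1.2", "20.2.1.13"), ("192.168.100.244", "192.168.100.88")):
        print(src, "->", dst, evaluate(src, dst))
    # Same host as user10003, evaluated after its identity entry has been removed.
    print("20.2.1.13 -> 12.1.1.2 (user offline)", evaluate("20.2.1.13", "12.1.1.2", online={}))
```

The offline case models the note earlier on the page: the firewall's identity entry is what grants user10003's host Internet access, so the entry must be removed promptly (IMC logs the user off only after the accounting-stop request arrives).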