Example for Configuring Portal Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Aggregation Switch)

Created: Mar 23, 2017 10:50:54 | Latest reply: Mar 23, 2017 15:52:52


V200R009 and later versions

Portal Authentication Overview

Portal authentication is a Network Admission Control (NAC) method. Portal authentication is also called web authentication. Generally, Portal authentication websites are referred to as Portal websites. Users must be authenticated by the Portal websites before they can use network services.

Portal authentication is insecure, but allows flexible networking because no client software is required on users' terminals. 802.1X authentication is another NAC method. It is more secure than Portal authentication, but requires client software to be installed on users' terminals, which makes networking less flexible. Like Portal authentication, MAC address authentication does not require client software, but user terminals' MAC addresses must be registered on the authentication server, which makes network configuration and management complex.

Portal authentication applies to the users who are sparsely distributed and move frequently, for example, guests of a company.

Configuration Notes

This example applies to all of the S series switches.


To know details about software mappings, see Version Mapping Search for Huawei Campus Switches.

In this example, Huawei's Agile Controller-Campus V100R001 functions as both the Portal server and the RADIUS server. The Agile Controller-Campus versions supported for this example are V100R001, V100R002, and V100R003.

The RADIUS authentication and accounting shared keys and Portal shared key on the switch must be the same as those on the Agile Controller-Campus server.

By default, the switch allows the packets from RADIUS and Portal servers to pass. You do not need to configure authentication-free rules for the two servers on the switch.

Networking Requirements

An enterprise needs to deploy an identity authentication system to control employees' network access rights and allow only authorized users to access the network.

The enterprise has the following requirements:

• The authentication operations should be simple. The authentication system only performs access authorization, and minimal client software is installed on user terminals.

• Moderate security control is required. To facilitate maintenance, a moderate number of authentication points need to be deployed on the aggregation switch.

• A unified identity authentication mechanism is used to authenticate all terminals accessing the campus network and deny access from unauthorized terminals.

• R&D employees can connect only to public servers (such as the web and DNS servers) of the enterprise before authentication, and can connect to both the intranet (code library and issue tracking system) and the Internet after being authenticated.

• Marketing employees can connect only to public servers (such as the web and DNS servers) of the enterprise before authentication, and can connect only to the Internet after being authenticated.

Figure 1-1 Portal authentication deployed at the aggregation layer


Data Plan

Table 1-1 VLAN plan

| VLAN ID | Function |
|---|---|
| 101 | VLAN for R&D employees |
| 102 | VLAN for marketing employees |
| 103 | VLAN to which interfaces connecting to the servers belong |

Table 1-2 Network data plan

| Item | Data | Description |
|---|---|---|
| Access switch (connecting to the R&D department) | Interface number: GE0/0/1; VLAN: 101 | Connects to employees' PCs. |
| Access switch (connecting to the R&D department) | Interface number: GE0/0/2; VLAN: 101 | Connects to the aggregation switch. |
| Access switch (connecting to the marketing department) | Interface number: GE0/0/1; VLAN: 102 | Connects to employees' PCs. |
| Access switch (connecting to the marketing department) | Interface number: GE0/0/2; VLAN: 102 | Connects to the aggregation switch. |
| Aggregation switch | Interface number: GE1/0/1; VLAN: 101; VLANIF101 IP address: 192.168.0.1 | Connects to the access switch of the R&D department. Functions as the gateway for R&D employees. |
| Aggregation switch | Interface number: GE1/0/2; VLAN: 102; VLANIF102 IP address: 192.168.1.1 | Connects to the access switch of the marketing department. Functions as the gateway for marketing employees. |
| Aggregation switch | Interface number: GE1/0/3; VLAN: 103; VLANIF103 IP address: 172.16.1.254 | Connects to the enterprise server area. Functions as the gateway for servers. |
| Server | Agile Controller-Campus (RADIUS server + Portal server): IP address 172.16.1.1 | - |
| Server | DNS server: IP address 172.16.1.2 | - |
| Server | Web server: IP address 172.16.1.3 | - |
| Server | Code library: IP address 172.16.1.4 | - |
| Server | Issue tracking system: IP address 172.16.1.5 | - |

Table 1-3 Service data plan

| Item | Data | Description |
|---|---|---|
| Aggregation switch | Number of the ACL for R&D employees' post-authentication domain: 3001 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus. |
| Aggregation switch | Number of the ACL for marketing employees' post-authentication domain: 3002 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus. |
| Aggregation switch | Authentication server: IP address 172.16.1.1; port number 1812; RADIUS shared key Admin@123 | The Service Controller (SC) of the Agile Controller-Campus integrates the RADIUS server and Portal server. Therefore, the IP addresses of the authentication server, accounting server, authorization server, and Portal server are all the SC's IP address. Configure a RADIUS accounting server to collect user login and logout information; the port numbers of the authentication server and accounting server must be the same as the authentication and accounting port numbers of the RADIUS server. Configure an authorization server to enable the RADIUS server to deliver authorization rules to the switch; the RADIUS shared key of the authorization server must be the same as those of the authentication server and accounting server. |
| Aggregation switch | Accounting server: IP address 172.16.1.1; port number 1813; RADIUS shared key Admin@123; accounting interval 15 | - |
| Aggregation switch | Portal server: IP address 172.16.1.1; port number that the switch uses to process Portal protocol packets 2000; destination port number in the packets that the switch sends to the Portal server 50200; Portal authentication shared key Admin@123 | - |
| Agile Controller-Campus | Host name: access.example.com | Users can use the domain name to access the Portal server. |
| Agile Controller-Campus | Device IP address: 172.16.1.254 | - |
| Agile Controller-Campus | Authentication port: 1812 | - |
| Agile Controller-Campus | Accounting port: 1813 | - |
| Agile Controller-Campus | RADIUS shared key: Admin@123 | The RADIUS shared key must be the same as that configured on the switch. |
| Agile Controller-Campus | Port number that the Portal server uses to receive packets: 50200 | - |
| Agile Controller-Campus | Portal shared key: Admin@123 | It must be the same as the Portal authentication shared key configured on the switch. |
| Agile Controller-Campus | Department R&D: user A, account A-123, password Huawei123. Department Marketing: user B, account B-123, password Huawei123 | Two departments and two corresponding accounts have been created on the Agile Controller-Campus: the R&D department with R&D employee account A-123, and the Marketing department with marketing employee account B-123. |
| Agile Controller-Campus | Pre-authentication domain: Agile Controller-Campus (including RADIUS server and Portal server), DNS server, and web server | - |
| Agile Controller-Campus | Post-authentication domain: R&D employees can reach the code library, issue tracking system, and Internet; marketing employees can reach the Internet | - |

Configuration Roadmap

1. Configure the access switch and aggregation switch to ensure network connectivity.

2. Configure Portal authentication on the aggregation switch to implement user access control. Configure parameters for connecting to the RADIUS server and those for connecting to the Portal server, enable Portal authentication, and configure network access rights for the pre-authentication domain and post-authentication domain.

3. Configure the Agile Controller-Campus:

a. Log in to the Agile Controller-Campus.

b. Add user accounts to the Agile Controller-Campus.

c. Add a switch to the Agile Controller-Campus and configure related parameters to ensure normal communication between the Agile Controller-Campus and switch.

d. Add authorization results and authorization rules to grant different access rights to R&D employees and marketing employees after they are successfully authenticated.

Procedure

Step 1 Configure the access switch to ensure network connectivity.

The following provides the configuration for SwitchA, the access switch connecting to the R&D department. The configuration for SwitchB, the access switch connecting to the marketing department, is similar.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] quit
<SwitchA> save

Step 2 Configure the aggregation switch.

1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.

<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] dhcp enable
[SwitchC] vlan batch 101 to 103
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk pvid vlan 101
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 101
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface vlanif 101
[SwitchC-Vlanif101] ip address 192.168.0.1 255.255.255.0
[SwitchC-Vlanif101] dhcp select interface
[SwitchC-Vlanif101] dhcp server dns-list 172.16.1.2
[SwitchC-Vlanif101] quit
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] port trunk pvid vlan 102
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[SwitchC-GigabitEthernet1/0/2] quit
[SwitchC] interface vlanif 102
[SwitchC-Vlanif102] ip address 192.168.1.1 255.255.255.0
[SwitchC-Vlanif102] dhcp select interface
[SwitchC-Vlanif102] dhcp server dns-list 172.16.1.2
[SwitchC-Vlanif102] quit
[SwitchC] interface gigabitethernet 1/0/3
[SwitchC-GigabitEthernet1/0/3] port link-type access
[SwitchC-GigabitEthernet1/0/3] port default vlan 103
[SwitchC-GigabitEthernet1/0/3] quit
[SwitchC] interface vlanif 103
[SwitchC-Vlanif103] ip address 172.16.1.254 255.255.255.0
[SwitchC-Vlanif103] quit
[SwitchC] quit
<SwitchC> save

2. Configure parameters for connecting to the RADIUS server.

<SwitchC> system-view
[SwitchC] radius-server template policy
[SwitchC-radius-policy] radius-server authentication 172.16.1.1 1812 source ip-address 172.16.1.254
[SwitchC-radius-policy] radius-server accounting 172.16.1.1 1813 source ip-address 172.16.1.254
[SwitchC-radius-policy] radius-server shared-key cipher Admin@123
[SwitchC-radius-policy] quit
[SwitchC] aaa
[SwitchC-aaa] authentication-scheme auth
[SwitchC-aaa-authen-auth] authentication-mode radius
[SwitchC-aaa-authen-auth] quit
[SwitchC-aaa] accounting-scheme acco
[SwitchC-aaa-accounting-acco] accounting-mode radius
[SwitchC-aaa-accounting-acco] accounting realtime 15
[SwitchC-aaa-accounting-acco] quit
[SwitchC-aaa] domain portal
[SwitchC-aaa-domain-portal] authentication-scheme auth
[SwitchC-aaa-domain-portal] accounting-scheme acco
[SwitchC-aaa-domain-portal] radius-server policy
[SwitchC-aaa-domain-portal] quit
[SwitchC-aaa] quit
[SwitchC] domain portal

3. Configure parameters for connecting to the Portal server.

[SwitchC] web-auth-server portal_huawei
[SwitchC-web-auth-server-portal_huawei] server-ip 172.16.1.1
[SwitchC-web-auth-server-portal_huawei] source-ip 172.16.1.254
[SwitchC-web-auth-server-portal_huawei] port 50200
[SwitchC-web-auth-server-portal_huawei] shared-key cipher Admin@123
[SwitchC-web-auth-server-portal_huawei] url http://access.example.com:8080/portal
[SwitchC-web-auth-server-portal_huawei] quit
[SwitchC] web-auth-server listening-port 2000
[SwitchC] portal quiet-period
[SwitchC] portal quiet-times 5
[SwitchC] portal timer quiet-period 240

4. Enable Portal authentication and configure network access rights for users in the pre-authentication domain and post-authentication domain.

# Set the NAC mode to unified.

[SwitchC] authentication unified-mode

# Configure a Portal access profile.

[SwitchC] portal-access-profile name web1
[SwitchC-portal-access-profile-web1] web-auth-server portal_huawei direct
[SwitchC-portal-access-profile-web1] quit

# Configure an authentication-free rule profile and specify network access rights for users in the pre-authentication domain.

[SwitchC] free-rule-template name default_free_rule
[SwitchC-free-rule-default_free_rule] free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
[SwitchC-free-rule-default_free_rule] free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
[SwitchC-free-rule-default_free_rule] quit

# Configure an authentication profile.

[SwitchC] authentication-profile name p1
[SwitchC-authen-profile-p1] portal-access-profile web1
[SwitchC-authen-profile-p1] quit

# Enable Portal authentication.

[SwitchC] interface vlanif 101
[SwitchC-Vlanif101] authentication-profile p1
[SwitchC-Vlanif101] quit
[SwitchC] interface vlanif 102
[SwitchC-Vlanif102] authentication-profile p1
[SwitchC-Vlanif102] quit

# Configure network access rights for the post-authentication domain.

[SwitchC] acl 3001
[SwitchC-acl-adv-3001] rule 1 permit ip
[SwitchC-acl-adv-3001] quit
[SwitchC] acl 3002
[SwitchC-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0
[SwitchC-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0
[SwitchC-acl-adv-3002] rule 3 permit ip
[SwitchC-acl-adv-3002] quit
[SwitchC] quit
<SwitchC> save
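To check that the free rules and the two ACLs above yield the access matrix the enterprise requirements call for, the following Python script (added here for this article; it is not Huawei code and not part of the original post) parses the relevant lines of the SwitchC configuration and evaluates which destinations a user can reach before authentication and after the Agile Controller-Campus delivers ACL 3001 or 3002. It assumes that traffic matching no rule of an authorization ACL is dropped and that the SC at 172.16.1.1 is reachable by default, as the configuration notes state; the Internet address 203.0.113.10 is constructed.

```python
import ipaddress
import re

# Constructed excerpt of the SwitchC configuration from this example: the
# authentication-free rules (pre-authentication domain) and the two ACLs the
# Agile Controller-Campus delivers by number after authentication.
SWITCH_CONFIG = """\
free-rule-template name default_free_rule
 free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
 free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
#
acl number 3001
 rule 1 permit ip
acl number 3002
 rule 1 deny ip destination 172.16.1.4 0
 rule 2 deny ip destination 172.16.1.5 0
 rule 3 permit ip
"""

# RADIUS/Portal server traffic passes without a free rule (configuration notes);
# 172.16.1.1 is the SC address from the data plan.
DEFAULT_PERMITTED = [ipaddress.ip_network("172.16.1.1/32")]

FREE_RULE_RE = re.compile(r"free-rule \d+ destination ip (\S+) mask (\S+)")
ACL_RE = re.compile(r"acl number (\d+)")
ACL_RULE_RE = re.compile(r"rule \d+ (permit|deny) ip(?: destination (\S+) (\S+))?")


def wildcard_to_network(addr, wildcard):
    """Huawei ACL wildcard ("0" = exact host, 0.0.0.255 = /24) to an ip_network."""
    w = int(wildcard) if wildcard.isdigit() else int(ipaddress.ip_address(wildcard))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ w)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_config(text):
    """Return (free_rules, acls): a list of networks and a dict mapping each ACL
    number to its ordered (action, destination network) rules."""
    free_rules, acls, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := FREE_RULE_RE.match(line):
            free_rules.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := ACL_RE.match(line):
            current = int(m[1])
            acls[current] = []
        elif (m := ACL_RULE_RE.match(line)) and current is not None:
            dst = wildcard_to_network(m[2], m[3]) if m[2] else ipaddress.ip_network("0.0.0.0/0")
            acls[current].append((m[1], dst))
    return free_rules, acls


def access_allowed(cfg, dst, acl_number=None):
    """True if a user packet to dst is forwarded. acl_number=None models the
    pre-authentication domain; otherwise the ACL named by the controller's
    authorization result is matched rule by rule and the first hit decides.
    Assumption: no matching rule means drop (hence the trailing permit in 3002)."""
    free_rules, acls = cfg
    dst = ipaddress.ip_address(dst)
    if acl_number is None:
        return any(dst in net for net in free_rules + DEFAULT_PERMITTED)
    if acl_number not in acls:
        raise KeyError(f"ACL {acl_number} from the authorization result is not on the switch")
    for action, net in acls[acl_number]:
        if dst in net:
            return action == "permit"
    return False
```

Running `access_allowed(parse_config(SWITCH_CONFIG), "172.16.1.4", 3002)` returns False while the same call with 3001 returns True, matching the expected behaviour for marketing and R&D employees in Step 4.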

Step 3 Configure the Agile Controller-Campus.

1. Log in to the Agile Controller-Campus.

a. Open Internet Explorer, enter the Agile Controller-Campus address in the address box, and press Enter.

The following table provides two types of Agile Controller-Campus addresses.

| Address Format | Description |
|---|---|
| https://Agile Controller-Campus-IP:8443 | In the address, Agile Controller-Campus-IP indicates the Agile Controller-Campus IP address. |
| Agile Controller-Campus IP address | If port 80 is enabled during installation, you can access the Agile Controller-Campus by simply entering its IP address without the port number. The Agile Controller-Campus address will automatically change to https://Agile Controller-Campus-IP:8443. |

b. Enter the administrator account and password.

If you log in to the Agile Controller-Campus for the first time, use the super administrator account admin and password Changeme123. Change the password immediately after logging in. Otherwise, the Agile Controller-Campus cannot be used.

2. Create departments and accounts. The following describes how to create the R&D department. Create the Marketing department similarly.

a. Choose Resource > User > User Management.

b. Click the Department tab in the operation area on the right. Then click Add under the Department tab, and add the department R&D.

c. Click the User tab in the operation area on the right. Then click Add under the User tab, and add the user A.

d. Click the icon in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password Huawei123.

e. On the User tab page, select user A and click Transfer to add user A to the R&D department.

3. Add a switch to the Agile Controller-Campus and configure related parameters to ensure normal communication between the Agile Controller-Campus and switch.

a. Choose Resource > Device > Device Management.

b. Click Add.

c. Configure parameters for the switch.

| Parameter | Value | Description |
|---|---|---|
| Name | SW | - |
| IP Address | 172.16.1.254 | The interface must be able to communicate with the SC. |
| Device series | Huawei Quidway Series | - |
| Authentication Key | Admin@123 | It must be the same as the shared key of the RADIUS authentication server configured on the switch. |
| Charging Key | Admin@123 | It must be the same as the shared key of the RADIUS accounting server configured on the switch. |
| Real-time charging interval (minute) | 15 | It must be the same as the real-time accounting interval configured on the switch. |
| Port | 2000 | This is the port that the switch uses to communicate with the Portal server. Retain the default value. |
| Portal Key | Admin@123 | It must be the same as the Portal shared key configured on the switch. |
| Allowed IP Addresses | 192.168.0.1/24; 192.168.1.1/24 | - |

d. Click OK.

4. Configure employee authorization. This example describes how to configure R&D employee authorization. The configuration procedure for marketing employees is the same, except that the network resources the two types of employees can access are different.

a. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and configure the resources that R&D employees can access after authentication and authorization.

| Parameter | Value | Description |
|---|---|---|
| Name | R&D employee post-authentication domain | - |
| Service Type | Access Service | - |
| ACL Number/AAA User Group | 3001 | The ACL number must be the same as the number of the ACL configured for R&D employees on the switch. |

b. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule, and specify the authorization conditions for R&D employees.

| Parameter | Value | Description |
|---|---|---|
| Name | R&D employee authorization rule | - |
| Service Type | Access User | - |
| Department | R&D | - |
| Authorization Result | R&D employee post-authentication domain | - |

Step 4 Verify the configuration.

• Employees can access only the Agile Controller-Campus, DNS, and web servers before authentication.

• The Portal authentication page is pushed to an employee when the employee attempts to visit an Internet website. After the employee enters the correct account and password, the requested web page is displayed.

• R&D employee A can access the Internet, code library, and issue tracking system after authentication. Marketing employee B can access the Internet but not the code library and issue tracking system after authentication.

• After an employee is authenticated, run the display access-user command on the switch. The command output shows that the employee is online.

----End

Configuration Files

# Configuration file of the access switch for the R&D department

#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

# Configuration file of the access switch for the marketing department

#
sysname SwitchB
#
vlan batch 102
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 102
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
return

# Configuration file of the aggregation switch

#
sysname SwitchC
#
vlan batch 101 to 103
#
authentication-profile name p1
 portal-access-profile web1
#
domain portal
#
dhcp enable
#
radius-server template policy
 radius-server shared-key cipher %#%#lJIB8CQ<:A;x$h2V5+;+C>HwC+@XAL)ldpQI}:$X%#%#
 radius-server authentication 172.16.1.1 1812 source ip-address 172.16.1.254 weight 80
 radius-server accounting 172.16.1.1 1813 source ip-address 172.16.1.254 weight 80
#
acl number 3001
 rule 1 permit ip
acl number 3002
 rule 1 deny ip destination 172.16.1.4 0
 rule 2 deny ip destination 172.16.1.5 0
 rule 3 permit ip
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
 free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
#
web-auth-server portal_huawei
 server-ip 172.16.1.1
 port 50200
 shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
 url http://access.example.com:8080/portal
 source-ip 172.16.1.254
#
portal-access-profile name web1
 web-auth-server portal_huawei direct
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
 domain portal
  authentication-scheme auth
  accounting-scheme acco
  radius-server policy
#
interface Vlanif101
 ip address 192.168.0.1 255.255.255.0
 authentication-profile p1
 dhcp select interface
 dhcp server dns-list 172.16.1.2
#
interface Vlanif102
 ip address 192.168.1.1 255.255.255.0
 authentication-profile p1
 dhcp select interface
 dhcp server dns-list 172.16.1.2
#
interface Vlanif103
 ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk pvid vlan 101
 port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk pvid vlan 102
 port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 103
#
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return

This post was last edited by 交换机在江湖 at 2017-05-31 16:48.

user_2790689 | Created Mar 23, 2017 15:52:52

thank you