V200R005 to V200R008
Portal Authentication Overview
Portal authentication is a Network Admission Control (NAC) method. Portal authentication is also called web authentication. Generally, Portal authentication websites are referred to as Portal websites. Users must be authenticated by the Portal websites before they can use network services.
Portal authentication is less secure than 802.1X, but it allows flexible networking because no client software is required on users' terminals. 802.1X authentication is another NAC method: it is more secure than Portal authentication but requires client software on users' terminals, which reduces networking flexibility. Like Portal authentication, MAC address authentication does not require client software, but the MAC address of every user terminal must be registered on the authentication server, which makes network configuration and management complex.
Portal authentication applies to the users who are sparsely distributed and move frequently, for example, guests of a company.
Configuration Notes
This example applies to all of the S series switches.
To know details about software mappings, see Version Mapping Search for Huawei Campus Switches.
In this example, Huawei's Agile Controller-Campus functions as both the Portal server and the RADIUS server. The Agile Controller-Campus versions to which this example applies are V100R001, V100R002, and V100R003.
The RADIUS authentication and accounting shared keys and the Portal shared key on the switch must be the same as those on the Agile Controller-Campus server. The key Admin@123 and the password Huawei123 used throughout this example are placeholders; in a production deployment use long, unique shared keys, because the RADIUS shared key also protects the User-Password attribute carried in authentication requests.
By default, the switch allows packets exchanged with the RADIUS and Portal servers to pass before authentication, so you do not need to configure authentication-free rules for the two servers on the switch.
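Why the shared keys have to match, as an added example that is not part of this page or of Huawei's software: the Python script below builds a RADIUS Access-Request/Access-Accept exchange following RFC 2865, with the switch side using the shared key Admin@123 from the data plan and the server side using whatever key it was given. With matching keys the server recovers the User-Password and the switch accepts the Response Authenticator of the reply; with a mismatched key the server decrypts garbage and the switch rejects the reply. Everything in it is constructed: the account A-123/Huawei123 comes from Table 1-3, the packet identifier and the random Request Authenticator are made up, and carrying the post-authentication ACL number in the Filter-Id attribute is an assumption of this example, not something the page states about the Agile Controller-Campus.

```python
"""RADIUS shared-key demonstration (added example, not page or vendor code)."""
import hashlib
import hmac
import os
import struct

SHARED_KEY = b"Admin@123"            # RADIUS shared key from the data plan (placeholder value)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11


def hide_user_password(password: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_user_password(hidden: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Inverse of hide_user_password; the server runs this with its own copy of the key."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(blob: bytes) -> dict:
    attrs, pos = {}, 0
    while pos < len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        attrs[atype] = blob[pos + 2:pos + alen]
        pos += alen
    return attrs


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def response_is_authentic(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check the switch performs before trusting an Access-Accept."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request_auth, response[20:length], secret)
    return hmac.compare_digest(response[4:20], expected)


def exchange(server_secret: bytes) -> tuple:
    """Switch side uses SHARED_KEY, server side uses server_secret.
    Returns (password as decrypted by the server, whether the switch accepts the reply)."""
    request_auth = os.urandom(16)                      # constructed, as the switch would generate it
    req_attrs = attr(USER_NAME, b"A-123") + attr(
        USER_PASSWORD, hide_user_password(b"Huawei123", request_auth, SHARED_KEY))
    req = packet(ACCESS_REQUEST, 7, request_auth, req_attrs)
    # --- server side: recover the password and answer with the ACL number (Filter-Id assumed) ---
    seen_pw = reveal_user_password(parse_attrs(req[20:])[USER_PASSWORD], req[4:20], server_secret)
    reply_attrs = attr(FILTER_ID, b"3001")
    reply = packet(ACCESS_ACCEPT, req[1],
                   response_authenticator(ACCESS_ACCEPT, req[1], req[4:20], reply_attrs, server_secret),
                   reply_attrs)
    # --- back on the switch: validate the reply with the switch's own key ---
    return seen_pw, response_is_authentic(reply, request_auth, SHARED_KEY)


if __name__ == "__main__":
    print(exchange(SHARED_KEY))     # (b'Huawei123', True)
    print(exchange(b"Wrong@123"))   # (garbled bytes, False)
```

The same key masks User-Password, so the shared key has to be kept secret as well as consistent: anyone who captures RADIUS traffic between the core switch and the controller and knows the key can recover user passwords offline.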
Networking Requirements
An enterprise needs to deploy an identity authentication system to control employees' network access rights and allow only authorized users to access the network.
The enterprise has the following requirements:
- The authentication operations should be simple. The authentication system only performs access authorization, and as little client software as possible is installed on user terminals.
- To facilitate network reconstruction and reduce investment, the authentication point must be deployed on the core switch.
- A unified identity authentication mechanism is used to authenticate all terminals accessing the campus network and to deny access from unauthorized terminals.
- R&D employees can connect only to public servers of the enterprise (such as the web and DNS servers) before authentication, and can connect to both the intranet (code library and issue tracking system) and the Internet after being authenticated.
- Marketing employees can connect only to public servers of the enterprise (such as the web and DNS servers) before authentication, and can connect only to the Internet after being authenticated.
Figure 1-1 Portal authentication deployed at the core layer
Data Plan
Table 1-1 VLAN plan
VLAN ID | Function |
101 | VLAN for R&D employees |
102 | VLAN for marketing employees |
103 | VLAN for connection between the aggregation switch and core switch |
104 | VLAN to which interfaces connecting to the servers belong |
Table 1-2 Network data plan
Item | Data | Description |
Access switch (connecting to the R&D department) | Interface GE0/0/1, VLAN 101 | Connects to employees' PCs. |
Access switch (connecting to the R&D department) | Interface GE0/0/2, VLAN 101 | Connects to the aggregation switch. |
Access switch (connecting to the marketing department) | Interface GE0/0/1, VLAN 102 | Connects to employees' PCs. |
Access switch (connecting to the marketing department) | Interface GE0/0/2, VLAN 102 | Connects to the aggregation switch. |
Aggregation switch | Interface GE1/0/1, VLAN 101; VLANIF101 IP address 192.168.0.1 | Connects to the access switch of the R&D department and functions as the gateway for R&D employees. |
Aggregation switch | Interface GE1/0/2, VLAN 102; VLANIF102 IP address 192.168.1.1 | Connects to the access switch of the marketing department and functions as the gateway for marketing employees. |
Aggregation switch | Interface GE1/0/3, VLAN 103; VLANIF103 IP address 172.16.2.1 | Connects to the core switch. |
Core switch | Interface GE1/0/1, VLAN 103; VLANIF103 IP address 172.16.2.2 | Connects to the aggregation switch. |
Core switch | Interface GE1/0/2, VLAN 104; VLANIF104 IP address 172.16.1.254 | Connects to the server area and functions as the gateway for the servers. |
Server: Agile Controller-Campus (RADIUS server + Portal server) | IP address 172.16.1.1 | - |
Server: DNS server | IP address 172.16.1.2 | - |
Server: web server | IP address 172.16.1.3 | - |
Server: code library | IP address 172.16.1.4 | - |
Server: issue tracking system | IP address 172.16.1.5 | - |
Table 1-3 Service data plan
Item | Data | Description |
Core switch | ACL number for the R&D employees' post-authentication domain: 3001 | Enter this ACL number when configuring authorization results and authorization rules on the Agile Controller-Campus. |
Core switch | ACL number for the marketing employees' post-authentication domain: 3002 | Enter this ACL number when configuring authorization results and authorization rules on the Agile Controller-Campus. |
Core switch | Authentication server: IP address 172.16.1.1; port number 1812; RADIUS shared key Admin@123 | The Service Controller (SC) of the Agile Controller-Campus integrates the RADIUS server and Portal server, so the authentication server, accounting server, authorization server, and Portal server all use the SC's IP address. The authorization server lets the RADIUS server deliver authorization rules to the switch; its RADIUS shared key must be the same as those of the authentication and accounting servers. |
Core switch | Accounting server: IP address 172.16.1.1; port number 1813; RADIUS shared key Admin@123; accounting interval 15 minutes | The accounting server collects user login and logout information. The authentication and accounting port numbers configured on the switch must be the same as the authentication and accounting port numbers of the RADIUS server. |
Core switch | Portal server: IP address 172.16.1.1; port number that the switch uses to process Portal protocol packets 2000; destination port number in the packets that the switch sends to the Portal server 50200; Portal authentication shared key Admin@123 | - |
Agile Controller-Campus | Host name: access.example.com | Users can use this domain name to reach the Portal server. |
Agile Controller-Campus | Device IP address: 172.16.1.254 | IP address of the core switch as registered on the Agile Controller-Campus; the switch sends its Portal packets from this address (source-ip in the switch configuration). |
Agile Controller-Campus | Authentication port: 1812 | - |
Agile Controller-Campus | Accounting port: 1813 | - |
Agile Controller-Campus | RADIUS shared key: Admin@123 | Must be the same as the RADIUS shared key configured on the switch. |
Agile Controller-Campus | Port number that the Portal server uses to receive packets: 50200 | - |
Agile Controller-Campus | Portal shared key: Admin@123 | Must be the same as the Portal authentication shared key configured on the switch. |
Agile Controller-Campus | Department R&D: user A, account A-123, password Huawei123. Department Marketing: user B, account B-123, password Huawei123 | Two departments and two corresponding accounts are created on the Agile Controller-Campus: the R&D department with the R&D employee account A-123, and the Marketing department with the marketing employee account B-123. |
Pre-authentication domain | Agile Controller-Campus (RADIUS server and Portal server), DNS server, and web server | - |
Post-authentication domain | R&D employees: code library, issue tracking system, and Internet. Marketing employees: Internet | - |
Configuration Roadmap
1. Configure the access switch, aggregation switch, and core switch to ensure network connectivity.
2. Configure Portal authentication on the core switch to implement user access control. Configure parameters for connecting to the RADIUS server and those for connecting to the Portal server, enable Portal authentication, and configure network access rights for the pre-authentication domain and post-authentication domain.
3. Configure the Agile Controller-Campus:
a. Log in to the Agile Controller-Campus.
b. Add user accounts to the Agile Controller-Campus.
c. Add a switch to the Agile Controller-Campus and configure related parameters to ensure normal communication between the Agile Controller-Campus and switch.
d. Add authorization results and authorization rules to grant different access rights to R&D employees and marketing employees after they are successfully authenticated.
Procedure
Step 1 Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting to the R&D department. The configuration for SwitchB, the access switch connecting to the marketing department, is similar to that for SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] quit
<SwitchA> save
Step 2 Configure the aggregation switch to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] dhcp enable
[SwitchC] vlan batch 101 to 103
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk pvid vlan 101
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 101
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface vlanif 101
[SwitchC-Vlanif101] ip address 192.168.0.1 255.255.255.0
[SwitchC-Vlanif101] dhcp select interface
[SwitchC-Vlanif101] dhcp server dns-list 172.16.1.2
[SwitchC-Vlanif101] quit
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] port trunk pvid vlan 102
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[SwitchC-GigabitEthernet1/0/2] quit
[SwitchC] interface vlanif 102
[SwitchC-Vlanif102] ip address 192.168.1.1 255.255.255.0
[SwitchC-Vlanif102] dhcp select interface
[SwitchC-Vlanif102] dhcp server dns-list 172.16.1.2
[SwitchC-Vlanif102] quit
[SwitchC] interface gigabitethernet 1/0/3
[SwitchC-GigabitEthernet1/0/3] port link-type trunk
[SwitchC-GigabitEthernet1/0/3] port trunk pvid vlan 103
[SwitchC-GigabitEthernet1/0/3] port trunk allow-pass vlan 103
[SwitchC-GigabitEthernet1/0/3] quit
[SwitchC] interface vlanif 103
[SwitchC-Vlanif103] ip address 172.16.2.1 255.255.255.0
[SwitchC-Vlanif103] quit
[SwitchC] ip route-static 172.16.1.0 255.255.255.0 172.16.2.2
[SwitchC] quit
<SwitchC> save
Step 3 Configure the core switch.
1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] vlan batch 103 104
[SwitchD] interface gigabitethernet 1/0/1
[SwitchD-GigabitEthernet1/0/1] port link-type trunk
[SwitchD-GigabitEthernet1/0/1] port trunk allow-pass vlan 103
[SwitchD-GigabitEthernet1/0/1] quit
[SwitchD] interface vlanif 103
[SwitchD-Vlanif103] ip address 172.16.2.2 255.255.255.0
[SwitchD-Vlanif103] quit
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] port link-type access
[SwitchD-GigabitEthernet1/0/2] port default vlan 104
[SwitchD-GigabitEthernet1/0/2] quit
[SwitchD] interface vlanif 104
[SwitchD-Vlanif104] ip address 172.16.1.254 255.255.255.0
[SwitchD-Vlanif104] quit
[SwitchD] ip route-static 192.168.0.0 255.255.255.0 172.16.2.1
[SwitchD] ip route-static 192.168.1.0 255.255.255.0 172.16.2.1
[SwitchD] quit
<SwitchD> save
2. Configure parameters for connecting to the RADIUS server.
<SwitchD> system-view
[SwitchD] radius-server template policy
[SwitchD-radius-policy] radius-server authentication 172.16.1.1 1812
[SwitchD-radius-policy] radius-server accounting 172.16.1.1 1813
[SwitchD-radius-policy] radius-server shared-key cipher Admin@123
[SwitchD-radius-policy] quit
[SwitchD] aaa
[SwitchD-aaa] authentication-scheme auth
[SwitchD-aaa-authen-auth] authentication-mode radius
[SwitchD-aaa-authen-auth] quit
[SwitchD-aaa] accounting-scheme acco
[SwitchD-aaa-accounting-acco] accounting-mode radius
[SwitchD-aaa-accounting-acco] accounting realtime 15
[SwitchD-aaa-accounting-acco] quit
[SwitchD-aaa] domain portal
[SwitchD-aaa-domain-portal] authentication-scheme auth
[SwitchD-aaa-domain-portal] accounting-scheme acco
[SwitchD-aaa-domain-portal] radius-server policy
[SwitchD-aaa-domain-portal] quit
[SwitchD-aaa] quit
[SwitchD] domain portal
3. Configure parameters for connecting to the Portal server. The url is the login page to which unauthenticated users are redirected. This example uses a plain HTTP URL, so the account and password travel in cleartext between the browser and the Portal server; use an HTTPS URL where the Portal server is set up for it.
[SwitchD] web-auth-server portal_huawei
[SwitchD-web-auth-server-portal_huawei] server-ip 172.16.1.1
[SwitchD-web-auth-server-portal_huawei] source-ip 172.16.1.254
[SwitchD-web-auth-server-portal_huawei] port 50200
[SwitchD-web-auth-server-portal_huawei] shared-key cipher Admin@123
[SwitchD-web-auth-server-portal_huawei] url http://access.example.com:8080/portal
[SwitchD-web-auth-server-portal_huawei] quit
[SwitchD] web-auth-server listening-port 2000
[SwitchD] portal quiet-period
[SwitchD] portal quiet-times 5
[SwitchD] portal timer quiet-period 240
4. Enable Portal authentication. The authentication unified-mode command selects the unified NAC mode. If the switch is currently in common (traditional) mode, the mode change takes effect only after you save the configuration and restart the device.
[SwitchD] authentication unified-mode
[SwitchD] interface vlanif 103
[SwitchD-Vlanif103] authentication portal
[SwitchD-Vlanif103] web-auth-server portal_huawei layer3
[SwitchD-Vlanif103] quit
5. Configure network access rights for the pre-authentication domain and post-authentication domain. ACL 3001 permits all traffic for R&D employees. ACL 3002 denies only the code library (172.16.1.4) and the issue tracking system (172.16.1.5) and then permits everything else, so marketing employees can still reach any other intranet host that has no deny rule; add a deny rule for every intranet resource that marketing employees must not reach.
[SwitchD] authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
[SwitchD] authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
[SwitchD] acl 3001
[SwitchD-acl-adv-3001] rule 1 permit ip
[SwitchD-acl-adv-3001] quit
[SwitchD] acl 3002
[SwitchD-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0
[SwitchD-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0
[SwitchD-acl-adv-3002] rule 3 permit ip
[SwitchD-acl-adv-3002] quit
[SwitchD] quit
<SwitchD> save
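To see what the pre-authentication and post-authentication domains configured in Step 3 actually allow, here is an added model in Python; it is not code from this page or from Huawei. It encodes the two authentication free-rules, the default permission for the RADIUS/Portal server, ACLs 3001 and 3002 with Huawei wildcard-mask semantics, and the per-department ACL number that the controller returns, then evaluates the cases listed later under "Verify the configuration" plus one case the ACLs leave open. Assumptions of the model: before authentication only HTTP (port 80) is redirected to the Portal page and other traffic outside the pre-authentication domain is dropped; 93.184.216.34 and 172.16.1.10 are placeholder addresses.

```python
"""Model of the core switch's Portal access decisions (added example, not page or vendor code)."""
import ipaddress

# Server-area hosts from the data plan.
CONTROLLER, DNS, WEB = "172.16.1.1", "172.16.1.2", "172.16.1.3"
CODE_LIB, ISSUES = "172.16.1.4", "172.16.1.5"

# Pre-authentication domain: free-rules 1 and 2 (DNS and web server); the RADIUS/Portal
# server is reachable without a rule, as the configuration notes state.
FREE_RULES = [ipaddress.ip_network(f"{DNS}/32"), ipaddress.ip_network(f"{WEB}/32")]
ALLOWED_BY_DEFAULT = [ipaddress.ip_network(f"{CONTROLLER}/32")]

# Advanced ACLs 3001 and 3002 as (action, destination, wildcard); first match wins.
# A destination of None stands for "any" (the trailing 'permit ip').
ACLS = {
    3001: [("permit", None, None)],
    3002: [("deny", CODE_LIB, "0.0.0.0"), ("deny", ISSUES, "0.0.0.0"), ("permit", None, None)],
}
# ACL number the controller returns in its authorization result for each department.
DEPARTMENT_ACL = {"R&D": 3001, "Marketing": 3002}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei ACL wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is
    ignored, so wildcard 0 (0.0.0.0) is an exact host match."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def acl_decision(acl_number: int, dst: str) -> str:
    for action, base, wildcard in ACLS[acl_number]:
        if base is None or wildcard_match(dst, base, wildcard):
            return action
    return "permit"  # not reached here: both ACLs end with 'permit ip'


def decide(authenticated: bool, department: str, dst_ip: str, dst_port: int) -> str:
    """Decision for one packet from a user PC: 'permit', 'deny' or 'redirect-to-portal'.
    Model assumption: before authentication only HTTP (port 80) is redirected."""
    dst = ipaddress.ip_address(dst_ip)
    if not authenticated:
        if any(dst in net for net in FREE_RULES + ALLOWED_BY_DEFAULT):
            return "permit"
        return "redirect-to-portal" if dst_port == 80 else "deny"
    return acl_decision(DEPARTMENT_ACL[department], dst_ip)


def verification_matrix() -> dict:
    """The checks under 'Verify the configuration', plus one case ACL 3002 leaves open:
    marketing users can still reach server-area hosts other than .4 and .5."""
    internet = "93.184.216.34"  # placeholder public address (assumed)
    return {
        "pre-auth DNS": decide(False, "R&D", DNS, 53),
        "pre-auth web server": decide(False, "R&D", WEB, 80),
        "pre-auth controller portal page": decide(False, "R&D", CONTROLLER, 8080),
        "pre-auth Internet HTTP": decide(False, "R&D", internet, 80),
        "pre-auth Internet SSH": decide(False, "R&D", internet, 22),
        "R&D code library": decide(True, "R&D", CODE_LIB, 443),
        "R&D Internet": decide(True, "R&D", internet, 443),
        "marketing code library": decide(True, "Marketing", CODE_LIB, 443),
        "marketing issue tracker": decide(True, "Marketing", ISSUES, 443),
        "marketing Internet": decide(True, "Marketing", internet, 443),
        "marketing other server-area host": decide(True, "Marketing", "172.16.1.10", 22),
    }


if __name__ == "__main__":
    for case, result in verification_matrix().items():
        print(f"{case:36} {result}")
```

The last row of the matrix is the one to watch: it comes out as permit, which is exactly the gap a marketing user could use to reach a server that ACL 3002 does not name.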
Step 4 Configure the Agile Controller-Campus.
1. Log in to the Agile Controller-Campus.
a. Open Internet Explorer, enter the Agile Controller-Campus address in the address box, and press Enter.
The following table provides two types of Agile Controller-Campus addresses.
Address Format | Description |
https://Agile Controller-Campus-IP:8443 | In the address, Agile Controller-Campus-IP indicates the Agile Controller-Campus IP address. |
Agile Controller-Campus IP address | If port 80 is enabled during installation, you can access the Agile Controller-Campus by simply entering its IP address without the port number. The Agile Controller-Campus address will automatically change to https://Agile Controller-Campus-IP:8443. |
b. Enter the administrator account and password.
If you log in to the Agile Controller-Campus for the first time, use the super administrator account admin and password Changeme123. Change the password immediately after logging in. Otherwise, the Agile Controller-Campus cannot be used.
2. Create departments and accounts. The following describes how to create the R&D department. Create the Marketing department similarly.
a. Choose Resource > User > User Management.
b. Click the Department tab in the operation area on the right. Then click Add under the Department tab, and add the department R&D.
c. Click the User tab in the operation area on the right. Then click Add under the User tab, and add the user A.
d. Click the icon in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password Huawei123.
e. On the User tab page, select user A and click Transfer to add user A to the R&D department.
3. Add a switch to the Agile Controller-Campus and configure related parameters to ensure normal communication between the Agile Controller-Campus and switch.
a. Choose Resource > Device > Device Management.
b. Click Add.
c. Configure parameters for the switch.
Parameter | Value | Description |
Name | SW | - |
IP Address | 172.16.1.254 | The interface must be able to communicate with the SC. |
Device series | Huawei Quidway Series | - |
Authentication Key | Admin@123 | It must be the same as the shared key of the RADIUS authentication server configured on the switch. |
Charging Key | Admin@123 | It must be the same as the shared key of the RADIUS accounting server configured on the switch. |
Real-time charging interval (minute) | 15 | It must be the same as the real-time accounting interval configured on the switch. |
Port | 2000 | The port on which the switch receives Portal protocol packets (web-auth-server listening-port on the switch). Retain the default value. |
Portal Key | Admin@123 | It must be the same as the Portal shared key configured on the switch. |
Allowed IP Addresses | 192.168.0.1/24; 192.168.1.1/24 | - |
d. Click OK.
4. Configure employee authorization. This example describes how to configure R&D employee authorization. The configuration procedure for marketing employees is the same, except that the network resources the two types of employees can access are different.
a. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and configure resources that R&D employees can access after authentication and authorization.
Parameter | Value | Description |
Name | R&D employee post-authentication domain | - |
Service Type | Access Service | - |
ACL Number/AAA User Group | 3001 | The ACL number must be the same as the number of the ACL configured for R&D employees on the switch. |
b. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule, and specify the authorization conditions for R&D employees.
Parameter | Value | Description |
Name | R&D employee authorization rule | - |
Service Type | Access User | - |
Department | R&D | - |
Authorization Result | R&D employee post-authentication domain | - |
Step 5 Verify the configuration.
- Employees can access only the Agile Controller-Campus, DNS server, and web server before authentication.
- The Portal authentication page is pushed to an employee who attempts to visit an Internet website. After the employee enters the correct account and password, the requested web page is displayed.
- R&D employee A can access the Internet, code library, and issue tracking system after authentication. Marketing employee B can access the Internet but not the code library or issue tracking system after authentication.
- After an employee is authenticated, run the display access-user command on the switch. The command output shows that the employee is online.
----End
Configuration Files
# Configuration file of the access switch for the R&D department (The configuration file of the access switch for the marketing department is similar.)
#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
return
# Configuration file of the aggregation switch
#
sysname SwitchC
#
vlan batch 101 to 103
#
dhcp enable
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif103
ip address 172.16.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk pvid vlan 102
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
ip route-static 172.16.1.0 255.255.255.0 172.16.2.2
#
return
# Configuration file of the core switch
#
sysname SwitchD
#
vlan batch 103 to 104
#
domain portal
#
radius-server template policy
radius-server shared-key cipher %#%#1*yT+0O\X;V}hP,G^TMN7mTXA^mIz)SoR:86;lNK%#%#
radius-server authentication 172.16.1.1 1812 weight 80
radius-server accounting 172.16.1.1 1813 weight 80
#
acl number 3001
rule 1 permit ip
acl number 3002
rule 1 deny ip destination 172.16.1.4 0
rule 2 deny ip destination 172.16.1.5 0
rule 3 permit ip
#
web-auth-server portal_huawei
server-ip 172.16.1.1
port 50200
shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
url http://access.example.com:8080/portal
source-ip 172.16.1.254
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain portal
authentication-scheme auth
accounting-scheme acco
radius-server policy
#
interface Vlanif103
ip address 172.16.2.2 255.255.255.0
web-auth-server portal_huawei layer3
authentication portal
#
interface Vlanif104
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 103
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 104
#
ip route-static 192.168.0.0 255.255.255.0 172.16.2.1
ip route-static 192.168.1.0 255.255.255.0 172.16.2.1
#
authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return
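An added consistency check, not part of this page or of Huawei's tooling: the Python script below parses the core switch configuration file above (embedded as a constructed excerpt) and compares the switch-side RADIUS and Portal settings with the values entered on the Agile Controller-Campus in Step 4. The encrypted shared keys cannot be compared from a configuration file, so the script only checks that they are present; the check that flags the plain-HTTP Portal URL is this example's own addition. The web-auth-server listening-port line is absent from the configuration file because 2000 is the default, and the script treats its absence accordingly.

```python
"""Audit switch-side NAC settings against the controller's values (added example, not page or vendor code)."""
import re
from urllib.parse import urlsplit

# Constructed excerpt of the core switch configuration file on this page (sample input).
SWITCH_CONFIG = r"""radius-server template policy
 radius-server shared-key cipher %#%#1*yT+0O\X;V}hP,G^TMN7mTXA^mIz)SoR:86;lNK%#%#
 radius-server authentication 172.16.1.1 1812 weight 80
 radius-server accounting 172.16.1.1 1813 weight 80
#
web-auth-server portal_huawei
 server-ip 172.16.1.1
 port 50200
 shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
 url http://access.example.com:8080/portal
 source-ip 172.16.1.254
#
aaa
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif103
 ip address 172.16.2.2 255.255.255.0
 web-auth-server portal_huawei layer3
 authentication portal
#
authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
"""

# Values entered on the Agile Controller-Campus side (Table 1-3 and the device parameters in Step 4).
CONTROLLER = {
    "ip": "172.16.1.1", "auth_port": "1812", "acct_port": "1813", "portal_port": "50200",
    "switch_ip": "172.16.1.254", "switch_portal_port": "2000", "realtime_minutes": "15",
    "pre_auth_hosts": {"172.16.1.2", "172.16.1.3"},
}


def parse_vrp(config: str) -> dict:
    """Split a VRP configuration into its '#'-delimited blocks, keyed by each block's first line."""
    blocks = {}
    for chunk in config.split("\n#\n"):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            blocks[lines[0]] = lines[1:]
    return blocks


def first(lines, pattern, default=None):
    """First capture group of the first line matching pattern (anchored at line start)."""
    for ln in lines:
        m = re.match(pattern, ln)
        if m:
            return m.group(1)
    return default


def audit(config: str, ctrl: dict) -> dict:
    """Compare switch-side settings with the controller-side values; True means consistent."""
    blocks = parse_vrp(config)
    flat = [ln for key, body in blocks.items() for ln in [key, *body]]   # global commands live here
    radius = next((b for k, b in blocks.items() if k.startswith("radius-server template ")), [])
    portal = next((b for k, b in blocks.items()
                   if k.startswith("web-auth-server ") and "listening-port" not in k), [])
    free_rule = r"authentication free-rule \d+ destination ip (\S+) mask 255\.255\.255\.255"
    free_hosts = {m.group(1) for ln in flat for m in [re.match(free_rule, ln)] if m}
    url = urlsplit(first(portal, r"url (\S+)", ""))
    return {
        "radius authentication server and port": first(radius, r"radius-server authentication (\S+ \d+)") == f"{ctrl['ip']} {ctrl['auth_port']}",
        "radius accounting server and port": first(radius, r"radius-server accounting (\S+ \d+)") == f"{ctrl['ip']} {ctrl['acct_port']}",
        "radius shared key present": any(ln.startswith("radius-server shared-key") for ln in radius),
        "portal server ip": first(portal, r"server-ip (\S+)") == ctrl["ip"],
        "portal destination port": first(portal, r"port (\d+)") == ctrl["portal_port"],
        "portal source-ip equals device ip on controller": first(portal, r"source-ip (\S+)") == ctrl["switch_ip"],
        "portal listening port (default 2000 if absent)": first(flat, r"web-auth-server listening-port (\d+)", "2000") == ctrl["switch_portal_port"],
        "portal url uses https": url.scheme == "https",
        "realtime accounting interval": first(blocks.get("aaa", []), r"accounting realtime (\d+)") == ctrl["realtime_minutes"],
        "free-rules cover pre-auth hosts": free_hosts == ctrl["pre_auth_hosts"],
        "portal enabled on an interface": any(k.startswith("interface ") and "authentication portal" in b for k, b in blocks.items()),
    }


if __name__ == "__main__":
    for check, ok in audit(SWITCH_CONFIG, CONTROLLER).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Run against the configuration above, every check passes except the HTTPS one, which is the expected result for this example's http://access.example.com:8080/portal URL.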