Example for Configuring Portal Authentication to Control Internal User Access to the Enterprise Network (Authentication Point on Core Switch)

Latest reply: Mar 23, 2017 15:52:14

 

V200R009 and later versions

Portal Authentication Overview

Portal authentication is a Network Admission Control (NAC) method. Portal authentication is also called web authentication. Generally, Portal authentication websites are referred to as Portal websites. Users must be authenticated by the Portal websites before they can use network services.

Portal authentication is less secure than the alternatives, but it allows flexible networking because no client software is required on users' terminals. 802.1X authentication is another NAC method. It is more secure than Portal authentication, but requires client software on users' terminals, which makes networking less flexible. Like Portal authentication, MAC address authentication does not require client software, but user terminals' MAC addresses must be registered on the authentication server, which makes network configuration and management complex.

Portal authentication applies to the users who are sparsely distributed and move frequently, for example, guests of a company.

Configuration Notes

This example applies to all of the S series switches.


To know details about software mappings, see Version Mapping Search for Huawei Campus Switches.

In this example, Huawei's Agile Controller-Campus functions as both the Portal server and the RADIUS server. The supported Agile Controller-Campus versions are V100R001, V100R002, and V100R003.

The RADIUS authentication and accounting shared keys and Portal shared key on the switch must be the same as those on the Agile Controller-Campus server.

By default, the switch allows the packets from RADIUS and Portal servers to pass. You do not need to configure authentication-free rules for the two servers on the switch.

Networking Requirements

An enterprise needs to deploy an identity authentication system to control employees' network access rights and allow only authorized users to access the network.

The enterprise has the following requirements:

- The authentication operations should be simple. The authentication system only performs access authorization. Minimal client software is installed on user terminals.

- To facilitate network reconstruction and reduce investment, the enterprise requires the authentication point to be deployed on the core switch.

- A unified identity authentication mechanism is used to authenticate all terminals accessing the campus network and deny access from unauthorized terminals.

- R&D employees can connect only to public servers (such as the web and DNS servers) of the enterprise before authentication, and can connect to both the intranet (code library and issue tracking system) and the Internet after being authenticated.

- Marketing employees can connect only to public servers (such as the web and DNS servers) of the enterprise before authentication, and can connect only to the Internet after being authenticated.

Figure 1-1 Portal authentication deployed at the core layer (figure not reproduced here)

 

Data Plan

Table 1-1 VLAN plan

| VLAN ID | Function |
|---|---|
| 101 | VLAN for R&D employees |
| 102 | VLAN for marketing employees |
| 103 | VLAN for the connection between the aggregation switch and core switch |
| 104 | VLAN to which the interfaces connecting to the servers belong |

 

Table 1-2 Network data plan

| Item | Data | Description |
|---|---|---|
| Access switch (connecting to the R&D department) | Interface number: GE0/0/1; VLAN: 101 | Connects to employees' PCs. |
| | Interface number: GE0/0/2; VLAN: 101 | Connects to the aggregation switch. |
| Access switch (connecting to the marketing department) | Interface number: GE0/0/1; VLAN: 102 | Connects to employees' PCs. |
| | Interface number: GE0/0/2; VLAN: 102 | Connects to the aggregation switch. |
| Aggregation switch | Interface number: GE1/0/1; VLAN: 101; VLANIF101 IP address: 192.168.0.1 | Connects to the access switch of the R&D department. Functions as the gateway for R&D employees. |
| | Interface number: GE1/0/2; VLAN: 102; VLANIF102 IP address: 192.168.1.1 | Connects to the access switch of the marketing department. Functions as the gateway for marketing employees. |
| | Interface number: GE1/0/3; VLAN: 103; VLANIF103 IP address: 172.16.2.1 | Connects to the core switch. |
| Core switch | Interface number: GE1/0/1; VLAN: 103; VLANIF103 IP address: 172.16.2.2 | Connects to the aggregation switch. |
| | Interface number: GE1/0/2; VLAN: 104; VLANIF104 IP address: 172.16.1.254 | Connects to the server area and functions as the gateway for the servers. |
| Server | Agile Controller-Campus (RADIUS server + Portal server): IP address 172.16.1.1 | - |
| | DNS server: IP address 172.16.1.2 | - |
| | Web server: IP address 172.16.1.3 | - |
| | Code library: IP address 172.16.1.4 | - |
| | Issue tracking system: IP address 172.16.1.5 | - |

 

Table 1-3 Service data plan

| Item | Data | Description |
|---|---|---|
| Core switch | Number of the ACL for R&D employees' post-authentication domain: 3001 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus. |
| | Number of the ACL for marketing employees' post-authentication domain: 3002 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus. |
| | Authentication server: IP address 172.16.1.1; port number 1812; RADIUS shared key Admin@123 | The Service Controller (SC) of the Agile Controller-Campus integrates the RADIUS server and Portal server. Therefore, the IP addresses of the authentication server, accounting server, authorization server, and Portal server are all the SC's IP address. Configure a RADIUS accounting server to collect user login and logout information; the port numbers of the authentication server and accounting server must be the same as the authentication and accounting port numbers of the RADIUS server. Configure an authorization server so that the RADIUS server can deliver authorization rules to the switch; the RADIUS shared key of the authorization server must be the same as those of the authentication server and accounting server. |
| | Accounting server: IP address 172.16.1.1; port number 1813; RADIUS shared key Admin@123; accounting interval 15 | |
| | Portal server: IP address 172.16.1.1; port number that the switch uses to process Portal protocol packets 2000; destination port number in the packets that the switch sends to the Portal server 50200; Portal authentication shared key Admin@123 | |
| Agile Controller-Campus | Host name: access.example.com | Users can use the domain name to access the Portal server. |
| | Device IP address: 172.16.1.254 | - |
| | Authentication port: 1812 | - |
| | Accounting port: 1813 | - |
| | RADIUS shared key: Admin@123 | The RADIUS shared key must be the same as that configured on the switch. |
| | Port number that the Portal server uses to receive packets: 50200 | - |
| | Portal shared key: Admin@123 | It must be the same as the Portal authentication shared key configured on the switch. |
| | Department: R&D; user: A; account: A-123; password: Huawei123 | Two departments and two corresponding accounts have been created on the Agile Controller-Campus: the R&D department with R&D employee account A-123, and the Marketing department with marketing employee account B-123. |
| | Department: Marketing; user: B; account: B-123; password: Huawei123 | |
| | Pre-authentication domain: Agile Controller-Campus (including RADIUS server and Portal server), DNS server, and web server | - |
| | Post-authentication domain: R&D employees can access the code library, issue tracking system, and Internet; marketing employees can access the Internet | - |

 

Configuration Roadmap

1. Configure the access switch, aggregation switch, and core switch to ensure network connectivity.

2. Configure Portal authentication on the core switch to implement user access control. Configure parameters for connecting to the RADIUS server and those for connecting to the Portal server, enable Portal authentication, and configure network access rights for the pre-authentication domain and post-authentication domain.

3. Configure the Agile Controller-Campus:

   a. Log in to the Agile Controller-Campus.

   b. Add user accounts to the Agile Controller-Campus.

   c. Add the switch to the Agile Controller-Campus and configure related parameters to ensure normal communication between the Agile Controller-Campus and the switch.

   d. Add authorization results and authorization rules to grant different access rights to R&D employees and marketing employees after they are successfully authenticated.

Procedure

Step 1 Configure the access switch to ensure network connectivity.

The following provides the configuration for SwitchA, the access switch connecting to the R&D department. The configuration for SwitchB, the access switch connecting to the marketing department, is similar.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] quit
<SwitchA> save

Step 2 Configure the core switch.

1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.

<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] vlan batch 103 104
[SwitchD] interface gigabitethernet 1/0/1
[SwitchD-GigabitEthernet1/0/1] port link-type trunk
[SwitchD-GigabitEthernet1/0/1] port trunk allow-pass vlan 103
[SwitchD-GigabitEthernet1/0/1] quit
[SwitchD] interface vlanif 103
[SwitchD-Vlanif103] ip address 172.16.2.2 255.255.255.0
[SwitchD-Vlanif103] quit
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] port link-type access
[SwitchD-GigabitEthernet1/0/2] port default vlan 104
[SwitchD-GigabitEthernet1/0/2] quit
[SwitchD] interface vlanif 104
[SwitchD-Vlanif104] ip address 172.16.1.254 255.255.255.0
[SwitchD-Vlanif104] quit
[SwitchD] ip route-static 192.168.0.0 255.255.255.0 172.16.2.1
[SwitchD] ip route-static 192.168.1.0 255.255.255.0 172.16.2.1
[SwitchD] quit
<SwitchD> save

2. Configure parameters for connecting to the RADIUS server.

<SwitchD> system-view
[SwitchD] radius-server template policy
[SwitchD-radius-policy] radius-server authentication 172.16.1.1 1812
[SwitchD-radius-policy] radius-server accounting 172.16.1.1 1813
[SwitchD-radius-policy] radius-server shared-key cipher Admin@123
[SwitchD-radius-policy] quit
[SwitchD] aaa
[SwitchD-aaa] authentication-scheme auth
[SwitchD-aaa-authen-auth] authentication-mode radius
[SwitchD-aaa-authen-auth] quit
[SwitchD-aaa] accounting-scheme acco
[SwitchD-aaa-accounting-acco] accounting-mode radius
[SwitchD-aaa-accounting-acco] accounting realtime 15
[SwitchD-aaa-accounting-acco] quit
[SwitchD-aaa] domain portal
[SwitchD-aaa-domain-portal] authentication-scheme auth
[SwitchD-aaa-domain-portal] accounting-scheme acco
[SwitchD-aaa-domain-portal] radius-server policy
[SwitchD-aaa-domain-portal] quit
[SwitchD-aaa] quit
[SwitchD] domain portal

3. Configure parameters for connecting to the Portal server.

[SwitchD] web-auth-server portal_huawei
[SwitchD-web-auth-server-portal_huawei] server-ip 172.16.1.1
[SwitchD-web-auth-server-portal_huawei] source-ip 172.16.1.254
[SwitchD-web-auth-server-portal_huawei] port 50200
[SwitchD-web-auth-server-portal_huawei] shared-key cipher Admin@123
[SwitchD-web-auth-server-portal_huawei] url http://access.example.com:8080/portal
[SwitchD-web-auth-server-portal_huawei] quit
[SwitchD] web-auth-server listening-port 2000
[SwitchD] portal quiet-period
[SwitchD] portal quiet-times 5
[SwitchD] portal timer quiet-period 240

4. Enable Portal authentication and configure network access rights for users in the pre-authentication domain and post-authentication domain.

# Set the NAC mode to unified.

[SwitchD] authentication unified-mode

# Configure a Portal access profile.

[SwitchD] portal-access-profile name web1
[SwitchD-portal-acces-profile-web1] web-auth-server portal_huawei layer3
[SwitchD-portal-acces-profile-web1] quit

# Configure an authentication-free rule profile and specify network access rights for users in the pre-authentication domain.

[SwitchD] free-rule-template name default_free_rule
[SwitchD-free-rule-default_free_rule] free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
[SwitchD-free-rule-default_free_rule] free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
[SwitchD-free-rule-default_free_rule] quit

# Configure an authentication profile.

[SwitchD] authentication-profile name p1
[SwitchD-authen-profile-p1] portal-access-profile web1
[SwitchD-authen-profile-p1] quit

# Enable Portal authentication.

[SwitchD] interface vlanif 103
[SwitchD-Vlanif103] authentication-profile p1
[SwitchD-Vlanif103] quit

# Configure network access rights for the post-authentication domain.

[SwitchD] acl 3001
[SwitchD-acl-adv-3001] rule 1 permit ip
[SwitchD-acl-adv-3001] quit
[SwitchD] acl 3002
[SwitchD-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0
[SwitchD-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0
[SwitchD-acl-adv-3002] rule 3 permit ip
[SwitchD-acl-adv-3002] quit
[SwitchD] quit
<SwitchD> save

Step 3 Configure the Agile Controller-Campus.

1. Log in to the Agile Controller-Campus.

   a. Open Internet Explorer, enter the Agile Controller-Campus address in the address box, and press Enter.

The following table provides the two types of Agile Controller-Campus addresses.

| Address Format | Description |
|---|---|
| https://Agile Controller-Campus-IP:8443 | In the address, Agile Controller-Campus-IP indicates the Agile Controller-Campus IP address. |
| Agile Controller-Campus IP address | If port 80 is enabled during installation, you can access the Agile Controller-Campus by simply entering its IP address without the port number. The address will automatically change to https://Agile Controller-Campus-IP:8443. |

   b. Enter the administrator account and password.

If you log in to the Agile Controller-Campus for the first time, use the super administrator account admin and password Changeme123. Change the password immediately after logging in. Otherwise, the Agile Controller-Campus cannot be used.

2. Create departments and accounts. The following describes how to create the R&D department. Create the Marketing department in the same way.

   a. Choose Resource > User > User Management.

   b. Click the Department tab in the operation area on the right. Then click Add under the Department tab, and add the department R&D.


   c. Click the User tab in the operation area on the right. Then click Add under the User tab, and add the user A.


   d. Click the icon in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password Huawei123.


   e. On the User tab page, select user A and click Transfer to add user A to the R&D department.


3. Add the switch to the Agile Controller-Campus and configure related parameters to ensure normal communication between the Agile Controller-Campus and the switch.

   a. Choose Resource > Device > Device Management.

   b. Click Add.

   c. Configure parameters for the switch.

| Parameter | Value | Description |
|---|---|---|
| Name | SW | - |
| IP Address | 172.16.1.254 | The interface must be able to communicate with the SC. |
| Device series | Huawei Quidway Series | - |
| Authentication Key | Admin@123 | It must be the same as the shared key of the RADIUS authentication server configured on the switch. |
| Charging Key | Admin@123 | It must be the same as the shared key of the RADIUS accounting server configured on the switch. |
| Real-time charging interval (minute) | 15 | It must be the same as the real-time accounting interval configured on the switch. |
| Port | 2000 | This is the port that the switch uses to communicate with the Portal server. Retain the default value. |
| Portal Key | Admin@123 | It must be the same as the Portal shared key configured on the switch. |
| Allowed IP Addresses | 192.168.0.1/24; 192.168.1.1/24 | - |

   d. Click OK.

4. Configure employee authorization. This example describes how to configure R&D employee authorization. The configuration procedure for marketing employees is the same, except that the network resources the two types of employees can access are different.

   a. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and configure the resources that R&D employees can access after authentication and authorization.

| Parameter | Value | Description |
|---|---|---|
| Name | R&D employee post-authentication domain | - |
| Service Type | Access Service | - |
| ACL Number/AAA User Group | 3001 | The ACL number must be the same as the number of the ACL configured for R&D employees on the switch. |

   b. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule, and specify the authorization conditions for R&D employees.

| Parameter | Value | Description |
|---|---|---|
| Name | R&D employee authorization rule | - |
| Service Type | Access User | - |
| Department | R&D | - |
| Authorization Result | R&D employee post-authentication domain | - |

Step 4 Verify the configuration.

- Employees can access only the Agile Controller-Campus, DNS, and web servers before authentication.

- The Portal authentication page is pushed to an employee when the employee attempts to visit an Internet website. After the employee enters the correct account and password, the requested web page is displayed.

- R&D employee A can access the Internet, code library, and issue tracking system after authentication. Marketing employee B can access the Internet but not the code library and issue tracking system after authentication.

- After an employee is authenticated, run the display access-user command on the switch. The command output shows that the employee is online.

----End
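To make the access decisions that the verification step describes concrete, the following Python model (an added illustration, not Huawei code and not part of the original post) evaluates a destination for a user before and after authentication, using the free rules, ACL 3001 and ACL 3002 from Step 2. It assumes the documentation address 203.0.113.10 as a stand-in for "the Internet" and a deny fallback for an ACL with no matching rule, which neither of the page's ACLs ever reaches because both end with permit ip.

```python
"""
Model of SwitchD's Portal access control from this example (added illustration,
not Huawei code). Pre-authentication: only the free-rule destinations plus the
RADIUS/Portal server are reachable. Post-authentication: the ACL that the RADIUS
server authorizes (3001 for R&D, 3002 for Marketing) is evaluated first-match.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The SC (RADIUS + Portal server) is permitted by default; no free rule is needed.
PORTAL_RADIUS_SERVER = ipaddress.IPv4Address("172.16.1.1")


@dataclass(frozen=True)
class Rule:
    action: str                                  # "permit" or "deny"
    dst: Optional[ipaddress.IPv4Network] = None  # None matches any destination


def free_rule(addr: str, mask: str) -> ipaddress.IPv4Network:
    """free-rule syntax takes a subnet mask: 255.255.255.255 means exactly this host."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def acl_dst(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """ACL rule syntax takes a wildcard mask: '0' (0.0.0.0) means exactly this host.
    Only contiguous low-order wildcards are handled, which covers the page's rules."""
    bits = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, 32 - bits.bit_length()), strict=False)


# Data plan from the example: pre-authentication domain and post-authentication ACLs.
FREE_RULES = [free_rule("172.16.1.2", "255.255.255.255"),   # DNS server
              free_rule("172.16.1.3", "255.255.255.255")]   # web server
ACLS = {
    3001: [Rule("permit")],                                  # R&D: everything
    3002: [Rule("deny", acl_dst("172.16.1.4", "0")),         # Marketing: no code library
           Rule("deny", acl_dst("172.16.1.5", "0")),         #            no issue tracker
           Rule("permit")],                                  #            everything else
}
AUTHORIZED_ACL = {"R&D": 3001, "Marketing": 3002}            # authorization results


def evaluate_acl(rules, dst: str) -> str:
    """First matching rule wins, so rule order matters: a permit ip placed before
    the deny rules would make them unreachable."""
    ip = ipaddress.IPv4Address(dst)
    for rule in rules:
        if rule.dst is None or ip in rule.dst:
            return rule.action
    return "deny"  # assumed fallback of this model; never reached by the page's ACLs


def can_reach(department: str, authenticated: bool, dst: str) -> bool:
    """Access decision for a user in the given state toward destination dst."""
    ip = ipaddress.IPv4Address(dst)
    if not authenticated:
        return ip == PORTAL_RADIUS_SERVER or any(ip in net for net in FREE_RULES)
    return evaluate_acl(ACLS[AUTHORIZED_ACL[department]], dst) == "permit"


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for "the Internet".
    for dept in ("R&D", "Marketing"):
        for auth in (False, True):
            reach = [d for d in ("172.16.1.3", "172.16.1.4", "203.0.113.10")
                     if can_reach(dept, auth, d)]
            print(f"{dept:9} authenticated={auth!s:5} reachable: {reach}")
```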

Configuration Files

# Configuration file of the access switch for the R&D department (the configuration file of the access switch for the marketing department is similar)

#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

# Configuration file of the aggregation switch

#
sysname SwitchC
#
vlan batch 101 to 103
#
dhcp enable
#
interface Vlanif101
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 172.16.1.2
#
interface Vlanif102
 ip address 192.168.1.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 172.16.1.2
#
interface Vlanif103
 ip address 172.16.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk pvid vlan 101
 port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk pvid vlan 102
 port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk pvid vlan 103
 port trunk allow-pass vlan 103
#
ip route-static 172.16.1.0 255.255.255.0 172.16.2.2
#
return

# Configuration file of the core switch

#
sysname SwitchD
#
vlan batch 103 to 104
#
authentication-profile name p1
 portal-access-profile web1
#
domain portal
#
radius-server template policy
 radius-server shared-key cipher %#%#1*yT+0O\X;V}hP,G^TMN7mTXA^mIz)SoR:86;lNK%#%#
 radius-server authentication 172.16.1.1 1812 weight 80
 radius-server accounting 172.16.1.1 1813 weight 80
#
acl number 3001
 rule 1 permit ip
acl number 3002
 rule 1 deny ip destination 172.16.1.4 0
 rule 2 deny ip destination 172.16.1.5 0
 rule 3 permit ip
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
 free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
#
web-auth-server portal_huawei
 server-ip 172.16.1.1
 port 50200
 shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
 url http://access.example.com:8080/portal
 source-ip 172.16.1.254
#
portal-access-profile name web1 
 web-auth-server portal_huawei layer3 
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
 domain portal
  authentication-scheme auth
  accounting-scheme acco
  radius-server policy
#
interface Vlanif103
 ip address 172.16.2.2 255.255.255.0
 authentication-profile p1
#
interface Vlanif104
 ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 103
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 104
#
ip route-static 192.168.0.0 255.255.255.0 172.16.2.1
ip route-static 192.168.1.0 255.255.255.0 172.16.2.1
#
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return

This post was last edited by 交换机在江湖 at 2017-05-31 16:46.

Created Mar 23, 2017 15:52:14

thank you