
【Mr Gateway After-sales Service】Example for AR Routers Configuring Layer 2 Porta

Latest reply: Mar 18, 2016 11:15:10


This example applies to all AR models of all versions.


The 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards do not support NAC.

Networking Requirements

As shown in Figure 1, an enterprise needs to deploy an identity authentication system in reception rooms to implement access control on guests who attempt to connect to the enterprise network, ensuring that only authenticated users can access the network. Because the reception rooms have medium security requirements, you do not need to deploy too many authentication points. It is required that the authentication control point be deployed on the aggregation device to facilitate maintenance.

Portal authentication features flexible deployment and is applicable to moving users. The aggregation router and guests' terminals communicate at Layer 2. Therefore, you can deploy Layer 2 Portal authentication on the aggregation router to implement access control on guests who attempt to connect to the enterprise network. The RADIUS server and Portal server are integrated on the same device.

Figure 1 Networking diagram for configuring Layer 2 Portal authentication


  1. Configure Router.

    sysname Router
    vlan batch 10 20
    domain isp1    //Configure the global default authentication domain.
    portal free-rule 1 destination ip mask    //Configure an authentication-free rule so that Router allows packets to the DNS server to pass through.
    dhcp enable    //Enable DHCP.
    radius-server template rd1    //Configure a RADIUS server template.
     radius-server shared-key cipher %@%@@ny/&X<2DAnv8-265cj$rD9E%@%@    //Configure RADIUS authentication and accounting shared keys.
     radius-server authentication 1812 weight 80    //Configure the IP address of the authentication server.
     radius-server accounting 1813 weight 80    //Configure the IP address of the accounting server.
    web-auth-server s1    //Configure a Portal server template.
     server-ip    //Configure the IP address of the Portal server.
     port 50200    //Configure the destination port number for Router to proactively send packets to the Portal server.
     shared-key cipher %@%@,xFqU#9nf,!pRu4A'g#'(;%Z%@%@    //Configure the shared key for communication with the Portal server.
     url    //Configure the URL of the Portal authentication page.
    aaa    //Enter the AAA view; the schemes and the domain below are configured in it.
     authentication-scheme auth    //Configure an authentication scheme.
      authentication-mode radius
     accounting-scheme acc    //Configure an accounting scheme.
      accounting-mode radius
      accounting realtime 15
     domain isp1    //Configure a domain and bind the authentication scheme, accounting scheme, and RADIUS server template to the domain.
      authentication-scheme auth
      accounting-scheme acc
      radius-server rd1
    interface Vlanif10
     ip address
     web-auth-server s1 direct    //Enable Layer 2 Portal authentication.
     dhcp select interface    //Configure the DHCP server to assign IP addresses to guests.
     dhcp server dns-list    //Notify guests of the IP address of the DNS server.
    interface Vlanif20
     ip address    //Configure the gateway address of the server zone.
    interface Ethernet2/0/0
     port link-type trunk
     port trunk allow-pass vlan 10
    interface Ethernet2/0/1
     port link-type trunk
     port trunk allow-pass vlan 10
    interface Ethernet2/0/2
     port link-type trunk
     port trunk allow-pass vlan 20
    ip route-static    //Configure a route to the server zone.

  2. Verify the configuration.

    • The Portal authentication page is pushed to a guest when the guest attempts to access the network. After the guest enters the correct user name and password, the requested web page is automatically displayed.
    • After the authentication succeeds, run the display access-user command. Information about online users is displayed.

Configuration Notes

Before performing the configuration, ensure that devices on the network can communicate.

The RADIUS authentication shared key, RADIUS accounting shared key, and Portal shared key must be kept consistent on the router and server.
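An offline consistency check for the configuration in step 1, added here as an example and not part of the original post or of any Huawei tooling: it flags a Portal server template, AAA scheme, domain or RADIUS server template that is referenced but never defined. The sample configuration is constructed (placeholder addresses from 192.0.2.0/24, AAA objects assumed to sit under an `aaa` view), and `SCHEMES`, `parse` and `audit` are hypothetical names.

```python
import re

# Constructed sample: the page's commands with placeholder addresses from the
# 192.0.2.0/24 documentation range; the `aaa` view line is an assumption.
SAMPLE = """\
domain isp1
radius-server template rd1
web-auth-server s1
 server-ip 192.0.2.10
aaa
 authentication-scheme auth
 accounting-scheme acc
 domain isp1
  authentication-scheme auth
  accounting-scheme acc
  radius-server rd1
interface Vlanif10
 web-auth-server s1 direct
"""
SCHEMES = ("authentication-scheme", "accounting-scheme")

def parse(config):
    """Yield (enclosing view lines, command), using indentation for nesting."""
    stack = []
    for raw in config.splitlines():
        line = re.split(r"\s+//", raw)[0].rstrip()  # drop // annotations
        if not line:
            continue
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        yield [cmd for _, cmd in stack], line.strip()
        stack.append((indent, line.strip()))

def audit(config):
    """Return one finding per name that is referenced but never defined."""
    defined, refs = set(), []
    for path, cmd in parse(config):
        tok, parent = cmd.split() + ["", ""], (path[-1].split() if path else [])
        if tok[:2] == ["radius-server", "template"]:
            defined.add(("radius-server", tok[2]))
        elif ((parent[:1] == ["domain"] and tok[0] in SCHEMES + ("radius-server",))
              or (not path and tok[0] == "domain")
              or (parent[:1] == ["interface"] and tok[0] == "web-auth-server")):
            refs.append((tok[0], tok[1], path[-1] if path else "global default domain"))
        elif ((parent == ["aaa"] and tok[0] in SCHEMES + ("domain",))
              or (not path and tok[0] == "web-auth-server")):
            defined.add((tok[0], tok[1]))
    return [f"{w}: {k} '{n}' is not defined" for k, n, w in refs if (k, n) not in defined]
```

`audit(SAMPLE)` returns an empty list; a non-empty result names the view holding the dangling reference, which is worth resolving before guests are moved onto the Portal-enabled VLAN.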


Created Mar 18, 2016 11:15:10

Thank you.