Specification
This example applies to all AR models of all versions.
NOTE:
The 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards do not support NAC.
Networking Requirements
As shown in Figure 1, an enterprise needs to deploy an identity authentication system in its reception rooms to control guests who attempt to connect to the enterprise network, so that only authenticated users can access it. To simplify future network changes and avoid additional investment, the authentication control point must be deployed on the core device.
Portal authentication can be deployed flexibly and suits mobile users who change their access location. The core device RouterA and the guests' terminals communicate at Layer 3 (through RouterB), so Layer 3 Portal authentication is deployed on RouterA to control guest access to the enterprise network. The RADIUS server and Portal server are integrated on the same device (192.168.3.20).
Figure 1 Networking diagram for configuring Layer 3 Portal authentication
Procedure
Configure RouterA.
#
sysname RouterA
#
vlan batch 10 20
#
domain isp1 //Configure the global default authentication domain.
#
portal free-rule 1 destination ip 192.168.3.30 mask 255.255.255.255 //Configure an authentication-free rule so that unauthenticated guests can reach the DNS server. Use a host mask: a segment mask such as 255.255.255.0 would exempt the whole 192.168.3.0/24 server zone, including the RADIUS/Portal server, from authentication.
#
dhcp enable //Enable DHCP.
#
radius-server template rd1 //Configure a RADIUS server template.
radius-server shared-key cipher %@%@@ny/&X<2DAnv8-265cj$rD9E%@%@ //Configure the shared key used for RADIUS authentication and accounting. The %@%@...%@%@ string is the encrypted form shown in the configuration; the same plaintext key must be configured on the RADIUS server.
radius-server authentication 192.168.3.20 1812 weight 80 //Configure the IP address of the authentication server.
radius-server accounting 192.168.3.20 1813 weight 80 //Configure the IP address of the accounting server.
#
web-auth-server s1 //Configure a Portal server template.
server-ip 192.168.3.20 //Configure the IP address of the Portal server.
port 50200 //Configure the destination port number for the router to proactively send packets to the Portal server.
shared-key cipher %@%@,xFqU#9nf,!pRu4A'g#'(;%Z%@%@ //Configure the shared key for communication with the Portal server.
url http://192.168.3.20:8080/webagent //Configure the URL of the Portal authentication page.
#
ip pool p1 //Configure a global address pool, network segment of IP addresses in the pool, and IP address of the DNS server.
network 10.10.10.0 mask 255.255.255.0
dns-list 192.168.3.30
#
aaa
authentication-scheme auth //Configure an authentication scheme.
authentication-mode radius
accounting-scheme acc //Configure an accounting scheme.
accounting-mode radius
accounting realtime 15
domain isp1 //Configure a domain and bind the authentication scheme, accounting scheme, and RADIUS server template to the domain.
authentication-scheme auth
accounting-scheme acc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
web-auth-server s1 layer3 //Enable Layer 3 Portal authentication on the interface facing the guest terminals, using Portal server template s1.
dhcp select global //Configure the DHCP server to assign IP addresses to guests.
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0 //Interface facing the server zone; the servers (192.168.3.0/24) are reached through the next hop 192.168.2.2.
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
ip route-static 192.168.3.0 255.255.255.0 192.168.2.2 //Configure a route to the server zone.
ip route-static 10.10.10.0 255.255.255.0 192.168.1.2 //Configure a route to terminals.
#
return
Configure RouterB.
#
sysname RouterB
#
vlan batch 10 20
#
dhcp enable //Enable DHCP.
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif20
ip address 10.10.10.1 255.255.255.0 //Configure the gateway address of terminals.
dhcp select relay //Enable the DHCP relay function.
dhcp relay server-ip 192.168.1.1 //Specify the IP address of the DHCP server.
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
ip route-static 0.0.0.0 0.0.0.0 192.168.1.1
#
return
Verify the configuration.
When a guest that has not been authenticated attempts to access the network, the Portal authentication page is pushed to the guest's browser. After the guest enters the correct user name and password, the originally requested web page is displayed.
After the authentication succeeds, run the display access-user command. Information about online users is displayed.
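Besides checking that users come online, it is worth verifying what the authentication-free rules actually permit, because traffic matching a portal free-rule bypasses Portal authentication entirely. The following script is an added example, not code from the configuration guide or from Huawei: it parses free-rule lines from an AR-style configuration (the configuration text is constructed here; rule 1 uses the /24 mask that would whitelist the whole server segment, rule 2 the host mask a single DNS server needs), expands each rule to the address range the router will permit, and reports rules that cover more than one host or reach a server that must stay behind authentication. The protected-host list (the RADIUS/Portal server 192.168.3.20) is taken from the example above.

```python
"""Audit 'portal free-rule' entries for wider-than-intended exceptions.

Added example (not from the configuration guide or Huawei): it parses the
free-rule lines of an AR-style configuration, expands each rule to the
address range the router will permit without authentication, and reports
any rule that covers more than one host or reaches a server that must stay
behind authentication. The configuration text is constructed here; rule 1
uses the /24 mask, rule 2 the host mask a single DNS server needs.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
portal free-rule 1 destination ip 192.168.3.30 mask 255.255.255.0
portal free-rule 2 destination ip 192.168.3.30 mask 255.255.255.255
"""

# Servers that unauthenticated guests must not reach (RADIUS/Portal server in the example).
PROTECTED_HOSTS = ["192.168.3.20"]

FREE_RULE_RE = re.compile(
    r"^\s*portal free-rule (?P<id>\d+) destination ip (?P<ip>\S+) mask (?P<mask>\S+)"
)


def parse_free_rules(config_text):
    """Return {rule_id: IPv4Network} for each 'portal free-rule ... destination ip ... mask' line."""
    rules = {}
    for line in config_text.splitlines():
        m = FREE_RULE_RE.match(line)
        if m:
            # strict=False applies the mask to the address the way the device does:
            # 192.168.3.30 with 255.255.255.0 becomes the whole 192.168.3.0/24.
            rules[int(m["id"])] = ipaddress.IPv4Network((m["ip"], m["mask"]), strict=False)
    return rules


def overbroad_rules(rules, protected_hosts):
    """List (rule_id, network, exposed_hosts) for rules wider than one host or exposing a protected host."""
    protected = [ipaddress.IPv4Address(h) for h in protected_hosts]
    findings = []
    for rule_id, net in sorted(rules.items()):
        exposed = [str(h) for h in protected if h in net]
        if net.num_addresses > 1 or exposed:
            findings.append((rule_id, str(net), exposed))
    return findings


def audit(config_text=SAMPLE_CONFIG, protected_hosts=PROTECTED_HOSTS):
    """Run the audit over a configuration text and return the findings list."""
    return overbroad_rules(parse_free_rules(config_text), protected_hosts)


if __name__ == "__main__":
    for rule_id, net, exposed in audit():
        print(f"free-rule {rule_id}: permits {net} before authentication; "
              f"exposes protected hosts: {exposed or 'none'}")
```

Running it flags rule 1 only: the /24 mask turns a DNS exception into an unauthenticated path to the entire server zone, including the RADIUS/Portal server, while the host-mask rule 2 is reported clean. Feed it the output of display current-configuration to audit a live device.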
Configuration Notes
Before performing the configuration, ensure that devices on the network can communicate.
The RADIUS authentication shared key, RADIUS accounting shared key, and Portal shared key must be kept consistent on the router and the server. With a mismatched key, authentication fails: the RADIUS server cannot recover the hidden user password and the router cannot verify the authenticator in the server's replies.
Keep authentication-free rules (portal free-rule) as narrow as possible. Traffic matching such a rule bypasses Portal authentication, so a rule intended for a single server should use a host mask (255.255.255.255) rather than the mask of the server segment.
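The shared-key requirement can be checked without the router, because RFC 2865 ties both directions of a RADIUS exchange to the key: the NAS hides the User-Password with an MD5 keystream derived from the key and the Request Authenticator, and the server signs its reply with a Response Authenticator that only a client holding the same key can verify. The following script is an added example, not code from the configuration guide or from Huawei. It builds the Access-Request a NAS such as RouterA would send for a Portal user, constructs locally the Access-Accept a server holding the same key would return, and verifies it once with the matching key and once with a different one. The key, user name, password and NAS address are placeholders, not values from the page.

```python
"""Offline check of the RADIUS shared key using an Access-Request/Accept exchange.

Added example, not code from the configuration guide or from Huawei. It builds
the Access-Request a NAS such as RouterA sends for a Portal user (RFC 2865
User-Password hiding), constructs the Access-Accept a server holding the same
key would return, and verifies the Response Authenticator, which is the only
check that tells the client whether both sides hold the same key. The key,
user name, password and NAS address below are placeholders.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type, value):
    """One Type-Length-Value attribute; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def recover_password(hidden, secret, request_auth):
    """Server side of 5.2: same keystream chain, driven by the received ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """Access-Request as the NAS would send it; request_auth defaults to 16 random octets."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, request, secret, attrs=b""):
    """Constructed server reply for the offline demo: echoes the Identifier, signs with `secret`."""
    identifier, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_reply(reply, request, secret):
    """Client check: Identifier must match our request and the authenticator must verify under our key."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, reply[20:], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20])


def demo(secret=b"placeholder-radius-key", wrong_secret=b"some-other-key"):
    """Returns (verifies with matching key, verifies with mismatched key) -> (True, False)."""
    request = build_access_request(7, b"guest01", b"Guest#Pass1", secret, "192.168.1.1")
    accept = build_reply(ACCESS_ACCEPT, request, secret)
    return verify_reply(accept, request, secret), verify_reply(accept, request, wrong_secret)


if __name__ == "__main__":
    ok, mismatch = demo()
    print(f"matching key verifies: {ok}; mismatched key verifies: {mismatch}")
```

Against a real server, send the Access-Request over UDP to port 1812 (the port configured in the radius-server template) and pass the datagram received to verify_reply with the key configured on the router: a reply that fails verification, or no reply at all, indicates the keys differ. Accounting on port 1813 uses the same Response Authenticator rule, so the check applies to the accounting key as well.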