Please provide me with the procedure for configuring Web authentication.
Best answer
Web authentication refers to an interactive authentication mode in which a user opens the authentication page on the Web authentication server and enters the user name and password for authentication. Fast authentication refers to an authentication mode in which a user opens the authentication page on the Web authentication server for authentication without entering the user name and password.

Context

When configuring Web authentication or fast authentication, you need the following parameters:
- IP address and VPN instance of the server
- Port number of the server
- Shared key of the server
- Whether the NE40E reports its own IP address to the server
- Portal protocol version, listening port number, and source interface for sending portal packets
- Pages to which users are redirected

Perform the following steps on the NE40E.

NOTE: The new password is at least eight characters long and contains at least two of upper-case letters, lower-case letters, digits, and special characters. When configuring an authentication password, select the ciphertext mode: if you select the simple text mode, the password is saved in the configuration file in plain text, which is a high risk. To ensure device security, change the password periodically.

Procedure

Configuring the Web Authentication Server
1. Run system-view. The system view is displayed.
2. Run web-auth-server ip-address [ vpn-instance instance-name ] [ port port-number ] [ key { simple simple-key | cipher cipher-key } ] [ nas-ip-address ] [ detect-time detect-time ] [ user-query exclude pre-domain ]. The Web authentication server is configured.

(Optional) Configuring the Portal Protocol
1. Run system-view. The system view is displayed.
2. (Optional) Run web-auth-server version { v2 [ v1 ] | v3 }. The portal protocol version is set.
3. (Optional) Run web-auth-server listening-port port. The number of the listening port on the NE40E is specified.
4. (Optional) Run web-auth-server source interface interface-type interface-number. The source interface for sending packets is configured on the NE40E.
5. (Optional) Run web-auth-server reply-message. The NE40E is configured to transparently transmit Remote Authentication Dial In User Service (RADIUS) packets.
6. Run web response-error-id enable. The host is enabled to send an Access-Reject packet with an error code to the Portal server.

(Optional) Configuring Mandatory Web Authentication
Mandatory web authentication means that the NE40E redirects the access request of a user to the specified web server for authentication if the user accesses a URL without permission before the authentication.
1. Run aaa. The AAA view is displayed.
2. (Optional) Run http-redirect enable. The HTTP packet redirection function is enabled.
3. Run domain domain-name. The view of the default pre-authentication domain is displayed.
4. (Optional) Run one or more of the following commands:
   - web-server url url: The redirection URL address for forced web authentication is configured.
   - web-server url-parameter: The protocol adopted by Web authentication is set to the extension Portal protocol supported by the ISP.
   - web-server ip-address [ ipv6-address ] [ slave ]: The IP address of the web authentication server is configured. The IPv6 address of the web authentication server should be configured for a web dual-stack user.
   - web-server mode { get | post }: The HTTP mode of forced web authentication is configured.
   - web-server redirect-key { mscg-ip mscg-ip-key | mscg-name mscg-name-key | user-ip-address user-ip-key | user-location user-location-key | nas-logic-sysname nas-logic-sysname-key | user-mac-address { user-mac-key [ simple ] [ type1 ] | cipher aes128 } }, web-server redirect-key ap-mac-address ap-mac-key [ simple [ type1 ] | cipher aes128 ], web-server redirect-key ssid ssid-key, or web-server redirect-key agent-remote-id agent-remote-id-key: The keyword for attributes of a customized portal is configured.
   - (Optional) web-server url-parameter { shared-key shared-key | shared-key-cipher shared-key-cipher }: Specifies the keyword for generating the ciphertext user MAC address or AP MAC address to be displayed. After the web-server redirect-key command with cipher aes128 configured is run, this command is used to generate the ciphertext user MAC address or AP MAC address to be displayed.
   - web-server user-first-url-key { key-name | default-name }: The keywords for tracing the main page are configured.
   NOTE: The redirection URL must be configured in the pre-authentication domain for a web dual-stack user. Otherwise, mandatory web authentication may fail.
5. (Optional) Run web-server { ip-address | url url } bind web-auth-server ip-address [ vpn-instance vpn-instance ]. The Web authentication server bound to the mandatory Web authentication server is configured.
6. (Optional) Run web-server { ip-address | url url } bind web-auth-server ip-address [ vpn-instance vpn-instance ] slave. The Web authentication server bound to the standby mandatory Web authentication server is configured.
7. (Optional) Run mac-authentication enable. MAC address authentication is enabled.
   NOTE: MAC address authentication is used to simplify Web authentication. If MAC address authentication is enabled, the user for Web authentication only needs to input the user name and password the first time, and the RADIUS server records the user's MAC address. When the user attempts to pass Web authentication again, the RADIUS server performs the authentication based on the user's MAC address, and the user does not need to input the user name and password again. In the existing network, this command is usually used together with the authening authen-fail online authen-domain domain-name command. If the MAC authentication fails, the user can perform Web authentication by inputting the user name and password in the redirection domain, and then enter the authentication domain and access the network resources.
8. (Optional) Run http-hostcar enable. The hostcar function is enabled on HTTP packets of forcible web users.
9. Run quit. The AAA view is displayed.
10. Run quit. The system view is displayed.

(Optional) Configuring for Optimizing the Web Performance
1. Run system-view. The system view is displayed.
2. Run http-url deny urlstring. The URLs for which web authentication or portal redirection will be performed forcibly (blacklist) are configured.
3. Run http-url count enable slot [ interval interval-value ] [ aging aging-value ]. Statistics on URLs are collected based on the host field.
4. Run slot slotid. The slot view is displayed.
5. Run http-hostcar cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ]. Bandwidth limitations are configured for HTTP packets sent by users for authentication.
6. Run quit. The system view is displayed.
7. Run aaa. The AAA view is displayed.
8. Run domain domain-name. The domain view is displayed.
9. Run http-hostcar enable [ no-fast-reply ]. Hostcar and quick reply are configured for HTTP packets of users on which web authentication is performed forcibly.
10. Run quit. The AAA view is displayed.
11. Run quit. The system view is displayed.

(Optional) Configuring IP Address Reallocation
1. Run domain domain-name. The view of the authentication domain is displayed.
2. Run reallocate-ip-address. IP address reallocation is enabled in the domain.
   Currently, many PCs do not need to be authenticated and can be connected to the network. If public IP addresses are allocated to PCs after the PCs start, IP addresses will be wasted. With IP address reallocation, the NE40E allocates a private address to a user who is not authenticated, and then allocates a public address to a user who is authenticated. This solves the problem that public addresses are insufficient, and improves public address usage. The reallocate-ip-address command is used only for Web users.
3. Run quit. The AAA view is displayed.
4. Run quit. The system view is displayed.

Configuring the Authentication Domain and Authentication Method on the BAS Interface
Web authentication users are considered unauthorized users before they are authenticated. Therefore, they cannot obtain IP addresses or access the web authentication server. This means web authentication cannot be performed on web authentication users. To resolve this problem, all unauthenticated web authentication users are assigned to a default domain configured on an interface. This default domain is called the pre-authentication default domain. Unauthenticated web authentication users can obtain IP addresses through the pre-authentication default domain and access the web authentication server through the authorities granted to the pre-authentication default domain for web authentication.
1. Run interface interface-type interface-number. The interface view is displayed.
2. Run bas. The BAS interface view is displayed.
3. Run access-type layer2-subscriber. The user access type is set to Layer 2 subscriber access.
4. Run default-domain pre-authentication domain-name. The default pre-authentication domain is specified.
5. Run default-domain authentication [ force | replace ] domain-name. The default authentication domain is specified.
6. Run authentication-method { web | fast } or authentication-method-ipv6 { web | fast }. Web authentication or fast authentication is configured.
7. Run commit. The configuration is committed.

Configuring Binding Authentication
In addition to Web authentication, users can also be authenticated using binding authentication.

Context: Perform the following steps on the NE40E.

Procedure
1. Run system-view. The system view is displayed.
2. Run interface interface-type interface-number. The interface view is displayed.
3. Run bas. The BAS interface view is displayed.
4. Run access-type layer2-subscriber. The user access type is set to Layer 2 subscriber access.
5. Run default-domain pre-authentication domain-name. The default pre-authentication domain is specified.
6. Run default-domain authentication [ force | replace ] domain-name. The default authentication domain is specified.
7. Run authentication-method { { ppp | dot1x } * | bind }. PPP authentication, 802.1X authentication, or binding authentication is configured. You can set the authentication mode only for Layer 2 users on the BAS interface. Multiple authentication modes can be configured on an interface, except for the following:
   - Web authentication conflicts with fast authentication.
   - Binding authentication conflicts with the other authentication modes.
8. Run commit. The configuration is committed.

Verifying the Authentication Mode Configuration for IPoE Access
After an authentication mode is configured, you can view the authentication mode by checking the domain configuration.

Procedure
- Run the display web-auth-server configuration command to check the configuration of the Web authentication server.
- Run the display domain [ domain-name ] command to check the configuration of the domain.
- Run the display aaa default-user-name [ template template-name | global ] command to check the mode in which pure IPoE user names are generated.
- Run the display aaa default-password [ template template-name | global ] command to check the IPoE user password or the password generation mode.

Example

After the configuration is complete, you can run the display web-auth-server configuration command to view the configuration of the Web authentication server.

  <HUAWEI> display web-auth-server configuration
  Source interface       : -
  Listening port         : 2000
  Portal                 : version 1, version 2, version 3
  Display reply message  : enabled
  ------------------------------------------------------------------------
  Server           Share-Password   Port    NAS-IP   Vpn-instance
  ------------------------------------------------------------------------
  192.168.3.140    ******           50100   NO
  ------------------------------------------------------------------------
  1 Web authentication server(s) in total

After the configuration is complete, you can run the display domain [ domain-name ] command to view the configuration of the domain. For example:

  <HUAWEI> display domain
  ------------------------------------------------------------------------------
  Domain name      State    CAR   Access-limit   Online   BODNum   RptVSMNum
  ------------------------------------------------------------------------------
  default0         Active   0     279552         0        0        0
  default1         Active   0     279552         0        0        0
  default_admin    Active   0     279552         0        0        0
  default          Active   0     279552         0        0        0
  isp1             Active   0     279552         0        0        0
  ------------------------------------------------------------------------------
  Total 5,5 printed

After the configuration is complete, you can run the display aaa default-user-name command to view the mode in which IPoE user names are generated. For example:

  <HUAWEI> display aaa default-user-name global
  Global user name format:enable
  Sysname:yes, separator :"-"
  Gateway-address:-, separator :no
  IP address:-, separator :no
  MAC address:-, separator :no
  Access-line-id: -, separator :no
  Access-line-id circuit-id:-, separator :no, offset: -, parse-mode:%s
  Access-line-id remote-id:-, separator :no, offset: -, parse-mode:%s
  Vendor-class: -, separator: no, cn-format:-, sub-option:-, offset:-, length:-
  Client-id:-, separator :no
  DHCPv4 option12:-, separator :no
  PE VLAN: -, separator :no
  CE VLAN:-, separator :no
  Port:-, separator :no
  Slot:-, separator :no
  Subslot:-, separator :no

After the configuration is complete, you can run the display aaa default-password command to view the IPoE user password or the mode in which IPoE user passwords are generated. For example:

  <HUAWEI> display aaa default-password global
  Global password:the default is ******
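Added example (not part of the answer above and not Huawei's code): the two security points the procedure makes, namely that the portal shared key should be configured with key cipher rather than key simple and that it should satisfy the stated password policy, together with the two documented authentication-method conflicts on a BAS interface, can be checked mechanically before a configuration is committed. The Python script below audits an NE40E-style configuration text for exactly those conditions. The configuration it reads is constructed for illustration; the interface names, the portal URL portal.example.com and the key value portalkey are assumptions, not values from the page.

```python
import re

# Constructed sample NE40E-style configuration (illustrative only, not
# captured from a real device). It deliberately contains the weak settings
# the audit should find: a key configured with "key simple" (stored in plain
# text in the configuration file), a key that fails the password policy,
# and two BAS interfaces with conflicting authentication methods.
SAMPLE_CONFIG = """\
#
web-auth-server 192.168.3.140 port 50100 key simple portalkey
web-auth-server version v2 v1
web-auth-server listening-port 2000
#
aaa
 http-redirect enable
 domain default0
  web-server url http://portal.example.com/login
  web-server mode post
 domain isp1
  reallocate-ip-address
#
interface GigabitEthernet0/1/0
 bas
  access-type layer2-subscriber
  default-domain pre-authentication default0
  default-domain authentication isp1
  authentication-method web
  authentication-method fast
#
interface GigabitEthernet0/1/1
 bas
  access-type layer2-subscriber
  default-domain pre-authentication default0
  default-domain authentication isp1
  authentication-method bind
  authentication-method ppp
#
"""

# "web-auth-server <ipv4> ..." lines only; "web-auth-server version ..." etc.
# do not carry a key and are skipped because they have no IPv4 address.
WEB_AUTH_SERVER_RE = re.compile(
    r"^web-auth-server\s+(?P<ip>\d+\.\d+\.\d+\.\d+)(?P<rest>.*)$")
KEY_RE = re.compile(r"\bkey\s+(?P<mode>simple|cipher)\s+(?P<key>\S+)")
# Matches "authentication-method ..." but not "authentication-method-ipv6 ...".
AUTH_METHOD_RE = re.compile(r"^authentication-method\s+(?P<methods>.+)$")


def password_meets_policy(password: str) -> bool:
    """Policy quoted in the procedure: at least eight characters and at
    least two of upper-case, lower-case, digits, special characters."""
    if len(password) < 8:
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 2


def audit_config(config: str) -> list[str]:
    """Return a list of human-readable findings for the given config text."""
    findings: list[str] = []
    current_interface = None
    methods_by_interface: dict[str, set[str]] = {}

    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                      # end of a configuration section
            current_interface = None
            continue
        if line.startswith("interface "):
            current_interface = line.split(maxsplit=1)[1]
            methods_by_interface[current_interface] = set()
            continue

        m = WEB_AUTH_SERVER_RE.match(line)
        if m:
            k = KEY_RE.search(m.group("rest"))
            if k and k.group("mode") == "simple":
                findings.append(f"{m.group('ip')}: shared key stored in "
                                f"plaintext (key simple); use key cipher")
                # The policy can only be evaluated on a plaintext key; a
                # "key cipher" value is ciphertext and is not checked here.
                if not password_meets_policy(k.group("key")):
                    findings.append(f"{m.group('ip')}: shared key does not "
                                    f"meet password policy")
            continue

        m = AUTH_METHOD_RE.match(line)
        if m and current_interface:
            methods_by_interface[current_interface].update(
                m.group("methods").split())

    # Conflicts stated in the procedure for authentication methods on a BAS interface.
    for intf, methods in methods_by_interface.items():
        if {"web", "fast"} <= methods:
            findings.append(f"{intf}: web and fast authentication conflict")
        if "bind" in methods and len(methods) > 1:
            findings.append(f"{intf}: binding authentication conflicts "
                            f"with other methods")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Running the script on the embedded sample reports four findings: the plaintext key, the policy failure on that key, the web/fast conflict on the first interface and the bind/ppp conflict on the second. On a device, the same checks can be applied to the output of display current-configuration; a key that was entered with key cipher appears as ciphertext there, which is the state the procedure recommends.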
Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.