(1) Configure the WEB authentication server and the user group:
web-auth-server enable
web-auth-server source interface LoopBack 1
web-auth-server 167.1.1.1 port 2000 key cipher Huawei ---- address, port and shared key of the WEB authentication server (replace the sample key with a strong shared secret)
user-group pre ---- user group that unauthenticated users are placed in; the UCLs below match on it
(2) Configure the source interface the ME60 uses to reach the WEB authentication server:
interface LoopBack 1
ip address 1.1.1.1 32 ---- this address must be routable to and from the WEB authentication server
(3) Configure the pre-authentication domain (domain name pre-domain). The WEB server (forced portal page server) is 168.1.1.1, and DNS resolution results for users in this domain are redirected to that address:
domain pre-domain
authentication-scheme default0
accounting-scheme default0
ip-pool pool_web
dns primary-ip 222.0.0.3 ---- DNS server assigned to users in the pre-domain
user-group pre ---- users in this domain are placed in user-group pre
dns-redirect web-server 168.1.1.1 ---- DNS resolution results are redirected to the web server
(4) Configure the interface between the ME60 and the WEB server:
interface GigabitEthernet1/0/2
ip address 168.1.1.2 24
(5) Configure the post-authentication domain:
domain isp01 ---- RADIUS authentication
authentication-scheme default1
accounting-scheme default1
radius-server group web
(6) Interface configuration:
interface GigabitEthernet1/1/0.1
user-vlan 1
bas
access-type layer2-subscriber default-domain pre-authentication pre-domain authentication isp01 ---- users land in pre-domain before authentication and in isp01 after it
authentication-method web ---- must be web authentication
(7) Traffic policy configuration:
Configure the access permissions of the pre-domain users. Only a few destination addresses are allowed:
acl number 6000
rule 5 permit ip source user-group pre destination ip-address 222.0.0.3 0 ---- DNS server
rule 15 permit ip source user-group pre destination ip-address 168.1.1.1 0 ---- WEB server
traffic classifier web-before operator or
if-match acl 6000
traffic behavior web-before ---- no action configured, so matching traffic is forwarded (the default)
Every other destination is unreachable from the pre-domain:
acl number 6001
rule 5 permit ip source user-group pre ---- catch-all: any traffic from the user group
traffic classifier web-before-deny
if-match acl 6001
traffic behavior deny1
deny
Configure an ACL that identifies the DNS packets to redirect:
acl number 6002
rule 5 permit udp source-port eq dns destination user-group pre ---- DNS replies (UDP source port 53) on their way back to user-group pre
traffic classifier dns operator or
if-match acl 6002
traffic behavior redirect
dns-redirect ---- matching DNS packets are sent to the CPU for redirection
(8) Create the traffic policies and apply them globally:
traffic policy web-before
share-mode
classifier web-before behavior web-before ---- must be bound first: it permits the traffic the pre-domain is allowed to forward before the catch-all deny is evaluated
classifier web-before-deny behavior deny1 ---- all remaining traffic from the user group is denied
traffic policy https-redirect
share-mode
classifier dns behavior redirect ---- DNS packet redirection
Enable the policies (upstream traffic inbound, DNS replies outbound):
[huawei]traffic-policy web-before inbound
[huawei]traffic-policy https-redirect outbound
(9) Configure the DNS redirect whitelist. DNS packets that hit the whitelist are not redirected:
dns-url permit www.icbc.com ---- whitelist entry; the address the whitelisted name resolves to must also be permitted in the upstream UCL (acl 6000), otherwise the user can resolve the name but still cannot reach the site
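To check the classifier ordering and the whitelist caveat before the rules are committed, the following is an added example (not code from this page or from Huawei) that models the two traffic policies above in Python: first-match evaluation of the classifiers, the rewrite of DNS replies for unauthenticated users, and the step (9) check that a whitelisted domain's address is also permitted upstream. The addresses are the page's own; the resolved addresses 93.184.216.34 and 10.20.30.40 and the name www.example.com are constructed sample data.

```python
"""Offline model of the ME60 pre-authentication traffic policy configured above.

Added example (not Huawei code): it reproduces the first-match semantics of
the traffic policies so the UCL/classifier ordering and the DNS-redirect
whitelist interaction can be checked before the rules are pushed to a BRAS.
Addresses come from the page; 93.184.216.34, 10.20.30.40 and www.example.com
are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

WEB_SERVER = "168.1.1.1"   # forced portal page server (step 3)
DNS_SERVER = "222.0.0.3"   # DNS server assigned by the pre-domain (step 3)
USER_GROUP = "pre"         # user group bound to the pre-domain (steps 1 and 3)


@dataclass(frozen=True)
class Packet:
    """Fields the UCL rules on this page match on. user_group is the group of
    the subscriber the packet belongs to: the source group for upstream
    (inbound) packets, the destination group for downstream (outbound) ones."""
    user_group: str
    dst: str = ""
    proto: str = "ip"
    sport: int = 0
    dport: int = 0


Matcher = Callable[[Packet], bool]
Policy = List[Tuple[Matcher, str]]   # ordered (classifier, behavior) pairs


def acl_6000(permitted: Iterable[str] = (DNS_SERVER, WEB_SERVER)) -> Matcher:
    """acl 6000: IP from user-group pre to the listed destinations
    (rule 5 = DNS server, rule 15 = web server)."""
    allowed = frozenset(permitted)
    return lambda p: p.user_group == USER_GROUP and p.dst in allowed


def acl_6001(p: Packet) -> bool:
    """acl 6001 rule 5: any IP from user-group pre (the catch-all)."""
    return p.user_group == USER_GROUP


def acl_6002(p: Packet) -> bool:
    """acl 6002 rule 5: UDP with source port 53 towards user-group pre,
    i.e. DNS replies on their way back to an unauthenticated user."""
    return p.user_group == USER_GROUP and p.proto == "udp" and p.sport == 53


def inbound_policy(extra_permitted: Iterable[str] = ()) -> Policy:
    """traffic policy web-before: classifier web-before (permit) must come
    before classifier web-before-deny (deny). extra_permitted models adding
    further 'rule ... permit ip source user-group pre destination ...' lines
    to acl 6000, which step 9 requires for every whitelisted domain."""
    return [
        (acl_6000([DNS_SERVER, WEB_SERVER, *extra_permitted]), "permit"),
        (acl_6001, "deny"),
    ]


OUTBOUND_POLICY: Policy = [(acl_6002, "dns-redirect")]   # traffic policy https-redirect


def apply_policy(policy: Policy, p: Packet, default: str = "permit") -> str:
    """First matching classifier wins; traffic matching no classifier is
    forwarded normally (this is what authenticated isp01 users rely on)."""
    for matcher, behavior in policy:
        if matcher(p):
            return behavior
    return default


def dns_reply_to_client(name: str, resolved_ip: str, whitelist: Iterable[str]) -> str:
    """Address the subscriber actually receives: a reply that hits the
    dns-redirect behavior is rewritten to the web server unless the name is
    covered by a 'dns-url permit' entry."""
    reply = Packet(USER_GROUP, proto="udp", sport=53)
    if apply_policy(OUTBOUND_POLICY, reply) != "dns-redirect":
        return resolved_ip
    return resolved_ip if name in set(whitelist) else WEB_SERVER


def unreachable_whitelist(whitelist_ips: Dict[str, str], policy: Policy) -> List[str]:
    """Step-9 check: names the user can resolve untouched but whose address
    the inbound policy would still drop (HTTP to port 80 used as the probe)."""
    return [name for name, ip in whitelist_ips.items()
            if apply_policy(policy, Packet(USER_GROUP, dst=ip, proto="tcp", dport=80)) != "permit"]


if __name__ == "__main__":
    pol = inbound_policy()
    print(apply_policy(pol, Packet("pre", dst=DNS_SERVER, proto="udp", dport=53)))   # permit
    print(apply_policy(pol, Packet("pre", dst="93.184.216.34", proto="tcp", dport=80)))   # deny
    # Binding the classifiers in the wrong order lets the catch-all deny shadow the permit:
    print(apply_policy(list(reversed(pol)), Packet("pre", dst=WEB_SERVER)))   # deny
    print(dns_reply_to_client("www.example.com", "93.184.216.34", ["www.icbc.com"]))   # 168.1.1.1
    print(unreachable_whitelist({"www.icbc.com": "10.20.30.40"}, inbound_policy()))   # ['www.icbc.com']
    print(unreachable_whitelist({"www.icbc.com": "10.20.30.40"}, inbound_policy(["10.20.30.40"])))   # []
```

The reversed-policy case reproduces the note at step (8): with the deny classifier bound first, even traffic to the portal server is dropped. The last two calls show the step (9) caveat: whitelisting www.icbc.com alone leaves its address unreachable until a matching permit rule is added to acl 6000.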