Make sure the IP address of the portal device added on the portal server is the IP address
•
(20.20.20.1) of the router's interface connecting the host. The IP address group associated with the
portal device is the subnet of the host (8.8.8.0/24).
Configuration procedure
Perform the following configurations on Router A.
1.
Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<RouterA> system-view
[RouterA] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the keys
for communication with the servers.
[RouterA-radius-rs1] primary authentication 192.168.0.112
[RouterA-radius-rs1] primary accounting 192.168.0.112
[RouterA-radius-rs1] key authentication simple radius
[RouterA-radius-rs1] key accounting simple radius
[RouterA-radius-rs1] user-name-format without-domain
# Specify the security policy server.
[RouterA-radius-rs1] security-policy-server 192.168.0.113
[RouterA-radius-rs1] quit
# Enable RADIUS session control.
[RouterA] radius session-control enable
2.
Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[RouterA] domain dm1
# Configure AAA methods for the ISP domain.
[RouterA-isp-dm1] authentication portal radius-scheme rs1
[RouterA-isp-dm1] authorization portal radius-scheme rs1
[RouterA-isp-dm1] accounting portal radius-scheme rs1
[RouterA-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP
domain name at login, the authentication and accounting methods of the default domain are used
for the user.
[RouterA] domain default enable dm1
3.
Configure ACL 3000 for resources on subnet 192.168.0.0/24 and ACL 3001 for Internet
resources:
[RouterA] acl number 3000
[RouterA-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[RouterA-acl-adv-3000] rule deny ip
[RouterA-acl-adv-3000] quit
[RouterA] acl number 3001
[RouterA-acl-adv-3001] rule permit ip
[RouterA-acl-adv-3001] quit
326