Configuring Cross-Subnet Portal Authentication For Mpls L3Vpns - HP MSR2000 Configuration Manual

Configuring cross-subnet portal authentication for MPLS
L3VPNs
Network requirements
As shown in
portal server in VPN 3 serves as the portal authentication server, portal Web server, and RADIUS server.
Configure cross-subnet portal authentication on Router A, so the host can access Internet resources after
passing identity authentication.
Figure 105 Network diagram
Configuration prerequisites
Before enabling portal authentication, configure the MPLS L3VPN function and specify VPN targets
•
for VPN 1 and VPN 3 so that VPN 1 and VPN 3 can communicate with each other. This example
describes only the access authentication configuration on the user-side PE. For information about
MPLS L3VPN configurations, see MPLS Configuration Guide.
Configure the RADIUS server correctly to provide authentication and accounting functions.
•
Configuration procedure
Perform the following configurations on Router A.
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<RouterA> system-view
[RouterA] radius scheme rs1
# Specify the VPN instance vpn3 for the RADIUS scheme.
[RouterA-radius-rs1] vpn-instance vpn3
# Specify the primary authentication server and primary accounting server, and configure the keys
for communication with the servers.
[RouterA-radius-rs1] primary authentication 192.168.0.111
[RouterA-radius-rs1] primary accounting 192.168.0.111
[RouterA-radius-rs1] key accounting simple radius
[RouterA-radius-rs1] key authentication simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
[RouterA-radius-rs1] user-name-format without-domain
# Specify the source IP address for RADIUS packets to be sent as 3.3.0.3. This address must be the
same as that of the portal device specified on the portal authentication server to avoid
authentication failures.
Figure 105, the PE device Router A provides portal authentication for the host in VPN 1. A
333