Configuring Layer 2 portal authentication
Network requirements
As shown in Figure 68, a host is directly connected to a switch. The switch performs Layer 2 portal authentication on users connected to port Ethernet 1/0/1. More specifically,
• Use the remote RADIUS server for authentication, authorization and accounting.
• Use the remote DHCP server to assign IP addresses to users.
• The listening IP address of the local portal server is 4.4.4.4. The local portal server pushes the user-defined authentication pages to users and uses HTTPS to transmit authentication data.
• Add users passing authentication to VLAN 3.
• Add users failing authentication to VLAN 2, to allow the users to access resources on the update server.
• The host obtains an IP address through DHCP. Before authentication, the DHCP server assigns an IP address in segment 192.168.1.0/24 to the host. When the host passes the authentication, the DHCP server assigns an IP address in segment 3.3.3.0/24 to the host. When the host fails authentication, the DHCP server assigns an IP address in segment 2.2.2.0/24 to the host.
Figure 68 Network diagram
[Figure labels: Host; Switch (DHCP relay) with Eth1/0/1, Vlan-int1 1.1.1.1, Vlan-int2 2.2.2.1/24, Vlan-int3 3.3.3.1, Vlan-int8 192.168.1.1/24; DHCP server 1.1.1.3/24; RADIUS server 1.1.1.2/24; Update server 2.2.2.2/24; IP network]
Configuration procedures
Follow these guidelines to configure Layer 2 portal authentication:
• Make sure that the host, switch, and servers can reach each other before portal authentication is enabled.
• Configure the RADIUS server properly to provide normal authentication/authorization/accounting functions for users. In this example, you must create a portal user account with the account name userpt on the RADIUS server, and configure an authorized VLAN for the account.
• On the DHCP server, you must specify the IP address ranges (192.168.1.0/24, 3.3.3.0/24, 2.2.2.0/24), specify the default gateway addresses (192.168.1.1, 3.3.3.1, 2.2.2.1), exclude the update server's address 2.2.2.2 from the address ranges for address allocation, specify the leases
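As an added example (not part of the original guide), the Python sketch below derives the allocatable DHCP ranges for the three segments in the requirements and flags leases whose segment does not match the host's portal result. Excluding each gateway address from its pool, the function names, and the sample lease records are assumptions constructed for illustration.

```python
import ipaddress

# From the page: segment -> (state it implies, gateway, other excluded addresses).
# Excluding each gateway from its pool is an assumption; 2.2.2.2 is the update server.
SEGMENTS = {
    "192.168.1.0/24": ("pre-auth", "192.168.1.1", []),
    "3.3.3.0/24": ("passed", "3.3.3.1", []),
    "2.2.2.0/24": ("failed", "2.2.2.1", ["2.2.2.2"]),
}

def allocatable_ranges(cidr, excluded):
    """Split the host addresses of cidr into (first, last) ranges that skip every excluded address."""
    net = ipaddress.ip_network(cidr)
    lo, hi = int(net.network_address) + 1, int(net.broadcast_address) - 1
    skip = sorted({int(ipaddress.ip_address(a)) for a in excluded})
    if any(s < lo or s > hi for s in skip):
        raise ValueError(f"excluded address outside {cidr}")
    ranges = []
    for s in skip:
        if s > lo:
            ranges.append((lo, s - 1))
        lo = s + 1
    if lo <= hi:
        ranges.append((lo, hi))
    return [(str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b))) for a, b in ranges]

def lease_state(addr):
    """Return the portal state a leased address implies, or None if reserved or out of scope."""
    ip = ipaddress.ip_address(addr)
    for cidr, (state, gateway, extra) in SEGMENTS.items():
        if ip in ipaddress.ip_network(cidr):
            for first, last in allocatable_ranges(cidr, [gateway, *extra]):
                if ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last):
                    return state
    return None

def audit(leases):
    """Return the leases whose address does not match the recorded portal result."""
    return [(host, addr, result) for host, addr, result in leases
            if lease_state(addr) != result]

# Constructed sample records: (host, leased address, portal result for that host).
SAMPLE = [
    ("host-a", "3.3.3.20", "passed"),
    ("host-b", "2.2.2.9", "failed"),
    ("host-c", "3.3.3.21", "failed"),   # failed user holding a VLAN 3 address
    ("host-d", "2.2.2.2", "failed"),    # update server address handed out
]
print(audit(SAMPLE))
```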