[Router] radius session-control enable
2.
Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[RouterA] domain dm1
# Configure AAA methods for the ISP domain.
[RouterA-isp-dm1] authentication portal radius-scheme rs1
[RouterA-isp-dm1] authorization portal radius-scheme rs1
[RouterA-isp-dm1] accounting portal radius-scheme rs1
[RouterA-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP
domain name at login, the authentication and accounting methods of the default domain are used
for the user.
[Router] domain default enable dm1
3.
Configure portal authentication:
# Configure a portal authentication server.
[RouterA] portal server newpt
[RouterA-portal-server-newpt] ip 192.168.0.111 key simple portal
[RouterA-portal-server-newpt] port 50100
[RouterA-portal-server-newpt] quit
# Configure a portal Web server.
[Router] portal web-server newpt
[RouterA-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[RouterA-portal-websvr-newpt] quit
# Enable cross-subnet portal authentication on interface Ethernet 1/2.
[RouterA] interface ethernet 1/2
[RouterA–Ethernet1/2] portal enable method layer3
# Reference the portal Web server newpt on interface Ethernet 1/2.
[RouterA–Ethernet1/2] portal apply web-server newpt
# Configure the BAS-IP as 20.20.20.1 for portal packets sent from Ethernet 1/2 to the portal
authentication server.
[RouterA–Ethernet1/2] portal bas-ip 20.20.20.1
[RouterA–Ethernet1/2] quit
On Router B, configure a default route to subnet 192.168.0.0/24, specifying the next hop address as
20.20.20.1. (Details not shown.)
Configuring extended direct portal authentication
Network requirements
As shown in
assigned with a public IP address either manually or through DHCP. A portal server serves as both a
portal authentication server and a portal Web server. A RADIUS server serves as the
authentication/accounting server.
Configure extended direct portal authentication. If the host fails security check after passing identity
authentication, it can access only subnet 192.168.0.0/24. After passing security check, the host can
access Internet resources.
Figure
96, the host is directly connected to the router (the access device). The host is
320