HP 5120 SI Series Security Configuration Manual page 169

NOTE:
Make sure that the host, switch, and servers can reach each other before portal authentication is enabled.
Configure the RADIUS server properly to provide normal authentication, authorization, and accounting functions for users. In this example, you must create a portal user account with the account name userpt on the RADIUS server, and configure an authorized VLAN for the account.
On the DHCP server, you must specify the IP address ranges (192.168.1.0/24, 3.3.3.0/24, and 2.2.2.0/24), specify the default gateway addresses (192.168.1.1, 3.3.3.1, and 2.2.2.1), exclude the update server's address 2.2.2.2 from the address ranges used for allocation, specify the leases for the assigned IP addresses, and make sure that there is a route to the host. To shorten the time a host needs to obtain a new IP address after its authentication state changes, set a short lease for each address range.
Because the DHCP server and the DHCP client are not in the same subnet, you must configure a DHCP relay agent on the subnet of the client. For more information about the DHCP relay agent, see Layer 3—IP Services Configuration Guide.
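The DHCP requirements in this note can be checked before portal authentication is enabled. The following script is an added example and is not part of the HP manual. It uses the address ranges, gateways, excluded update-server address and portal listening address given on this page; the lease threshold MAX_LEASE_SECONDS, the Pool record and the function names check_plan and is_consistent are assumptions made for this script. It also handles cases the note only implies, such as overlapping ranges and a portal listening address that falls inside a pool.

```python
"""Consistency check of a DHCP address plan for portal authentication.

Added example, not from the HP manual. The pools, gateways, excluded
update-server address and the portal listening address are the values in
the NOTE above; MAX_LEASE_SECONDS and the record/function names are
assumptions made for this script.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumption: a lease longer than 10 minutes is treated as "not short" for
# re-addressing a host after its authentication state (and VLAN) changes.
MAX_LEASE_SECONDS = 600


@dataclass
class Pool:
    """One DHCP address range with its default gateway and lease."""
    network: str                 # e.g. "3.3.3.0/24"
    gateway: str                 # default gateway handed to clients
    lease_seconds: int           # lease time configured on the DHCP server
    excluded: list = field(default_factory=list)   # addresses never leased


# Constructed plan matching the NOTE: three /24 ranges, one gateway each,
# the update server 2.2.2.2 excluded, and short leases everywhere.
PLAN = [
    Pool("192.168.1.0/24", "192.168.1.1", 300),
    Pool("3.3.3.0/24", "3.3.3.1", 300),
    Pool("2.2.2.0/24", "2.2.2.1", 300, excluded=["2.2.2.2"]),
]
UPDATE_SERVER = "2.2.2.2"      # must never be handed out to clients
PORTAL_LISTEN_IP = "4.4.4.4"   # LoopBack12 on the switch, /32


def check_plan(pools, update_server, portal_ip, max_lease=MAX_LEASE_SECONDS):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    seen = []   # networks already checked, for overlap detection
    update = ipaddress.ip_address(update_server)
    portal = ipaddress.ip_address(portal_ip)
    for pool in pools:
        net = ipaddress.ip_network(pool.network, strict=True)
        gateway = ipaddress.ip_address(pool.gateway)
        excluded = {ipaddress.ip_address(a) for a in pool.excluded}
        # Clients must be given a gateway that is actually on their subnet.
        if gateway not in net:
            problems.append(f"{net}: gateway {gateway} is outside the subnet")
        # The update server lives in one of the ranges and must be excluded there.
        if update in net and update not in excluded:
            problems.append(f"{net}: update server {update} is not excluded from allocation")
        # A long lease delays re-addressing when a host moves to its authorized VLAN.
        if pool.lease_seconds > max_lease:
            problems.append(f"{net}: lease {pool.lease_seconds}s exceeds {max_lease}s")
        # The portal listening address is a switch loopback; it must not be leasable.
        if portal in net:
            problems.append(f"{net}: portal listening address {portal} lies inside the pool")
        # Overlapping ranges would let two clients receive the same address.
        for other in seen:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other}")
        seen.append(net)
    return problems


def is_consistent(pools, update_server, portal_ip, max_lease=MAX_LEASE_SECONDS):
    """True when check_plan reports nothing."""
    return not check_plan(pools, update_server, portal_ip, max_lease)


if __name__ == "__main__":
    for line in check_plan(PLAN, UPDATE_SERVER, PORTAL_LISTEN_IP) or ["plan is consistent"]:
        print(line)
```

Run it against the plan you intend to load on the DHCP server; every line it returns names a range that would either hand out an address it must not (the update server, the portal loopback, an overlapping range) or keep a host on its old address too long after an authentication state change.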
1. Configure portal authentication
# Add Ethernet ports to related VLANs and configure IP addresses for the VLAN interfaces. (Details not shown)
# Configure PKI domain pkidm, and apply for a local certificate and CA certificate. For more configuration information, see the chapter "PKI configuration."
# Edit the user-defined authentication pages file, compress it into a zip file named defaultfile, and save the file in the root directory of the access device.
# Configure SSL server policy sslsvr, and specify to use PKI domain pkidm.
<Switch> system-view
[Switch] ssl server-policy sslsvr
[Switch-ssl-server-policy-sslsvr] pki pkidm
[Switch-ssl-server-policy-sslsvr] quit
# Configure the local portal server to support HTTPS and reference SSL server policy sslsvr.
[Switch] portal local-server https server-policy sslsvr
# Configure the IP address of loopback interface 12 as 4.4.4.4.
[Switch] interface loopback 12
[Switch-LoopBack12] ip address 4.4.4.4 32
[Switch-LoopBack12] quit
# Specify IP address 4.4.4.4 as the listening IP address of the local portal server for Layer 2 portal authentication.
[Switch] portal local-server ip 4.4.4.4
# Enable portal authentication on port GigabitEthernet 1/0/1, and specify the Auth-Fail VLAN of the port as VLAN 2.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] mac-vlan enable
[Switch-GigabitEthernet1/0/1] portal local-server enable
[Switch-GigabitEthernet1/0/1] portal auth-fail vlan 2
[Switch-GigabitEthernet1/0/1] quit
2. Configure a RADIUS scheme