Cross-Subnet Portal Authentication Across Vpns - HP 10500 Series Configuration Manual

authentication on the access interface, so the client can access the external network without
authentication.

Cross-subnet portal authentication across VPNs

Network requirements
As shown in
authentication for hosts in VPN 1 through communication with the RADIUS server and portal server in
VPN 3.
Figure 72 Network diagram
Configuration procedure
Before enabling portal authentication, be sure to configure the MPLS L3VPN capabilities properly and
specify VPN targets for VPN 1 and VPN 3 so VPN 1 and VPN 3 can communicate with each other. This
example gives only the access authentication configuration on the user-side PE. For information about
MPLS L3VPN, see MPLS Configuration Guide.
Configure the RADIUS server properly to provide normal authentication/accounting functions for users.
Configure Switch A:
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<SwitchA> system-view
[SwitchA] radius scheme rs1
# Configure the VPN instance to which the RADIUS scheme belongs as vpn3.
[SwitchA-radius-rs1] vpn-instance vpn3
# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to
extended.
[SwitchA-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys
for communication with the servers.
[SwitchA-radius-rs1] primary authentication 192.168.0.111
[SwitchA-radius-rs1] primary accounting 192.168.0.111
[SwitchA-radius-rs1] key accounting simple radius
[SwitchA-radius-rs1] key authentication simple radius
# Configure the device to not carry the ISP domain name in the username sent to the RADIUS
server.
[SwitchA-radius-rs1] user-name-format without-domain
# Specify the source IP address for RADIUS packets to be sent as 3.3.0.3.
Figure 72, Switch A (as the PE device connecting the user side) provides cross-subnet portal
163