Configuration prerequisites and guidelines
Make sure the IP address of the portal device added on the portal server is the IP address of the
•
interface connecting users (20.20.20.1 in this example), and the IP address group associated with
the portal device is the network segment where the users reside (8.8.8.0/24 in this example).
Configure IP addresses for the host, switches, and servers as shown in
•
can reach each other.
Configure the RADIUS server properly to provide authentication and accounting for users.
•
Configuration procedure
Configure a RADIUS scheme:
1.
# Create a RADIUS scheme named rs1 and enter its view.
<SwitchA> system-view
[SwitchA] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the IMC server, you need set the server
type to extended.
[SwitchA-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys
for communication with the servers.
[SwitchA-radius-rs1] primary authentication 192.168.0.112
[SwitchA-radius-rs1] primary accounting 192.168.0.112
[SwitchA-radius-rs1] key accounting simple radius
[SwitchA-radius-rs1] key authentication simple radius
# Specify to exclude ISP domain from the usernames to be sent to the RADIUS server.
[SwitchA-radius-rs1] user-name-format without-domain
# Configure the IP address of the security policy server.
[SwitchA-radius-rs1] security-policy-server 192.168.0.113
[SwitchA-radius-rs1] quit
Configure an authentication domain:
2.
# Create an ISP domain named dm1 and enter its view.
[SwitchA] domain dm1
# Configure AAA methods for the ISP domain.
[SwitchA-isp-dm1] authentication portal radius-scheme rs1
[SwitchA-isp-dm1] authorization portal radius-scheme rs1
[SwitchA-isp-dm1] accounting portal radius-scheme rs1
[SwitchA-isp-dm1] quit
# Configure dm1 as the default ISP domain for all users. Then, if a user enters the username without
the ISP domain at login, the authentication and accounting methods of the default domain are used
for the user.
[SwitchA] domain default enable dm1
Configure the ACL (ACL 3000 ) for resources on segment 192.168.0.0/24 and the ACL (ACL
3.
3001) for Internet resources.
NOTE:
On the security policy server, specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
[SwitchA] acl number 3000
134
Figure 49
and make sure they