Configuring Cross-Subnet Portal Authentication For Mpls L3Vpns - HP FlexNetwork 10500 Series Security Configuration Manual

Configuring cross-subnet portal authentication for MPLS L3VPNs
Network requirements
As shown in Figure 66, the PE device Switch A provides portal authentication for the host in VPN 1.
A portal server in VPN 3 acts as the portal authentication server, portal Web server, and RADIUS
server.
Configure cross-subnet portal authentication on Switch A, so the host can access Internet resources
after passing identity authentication.
Figure 66 Network diagram
Configuration prerequisites
Before enabling portal authentication, configure MPLS L3VPN and specify VPN targets for VPN
1 and VPN 3 so that VPN 1 and VPN 3 can communicate with each other. This example
describes only the access authentication configuration on the user-side PE. For information
about MPLS L3VPN configurations, see MPLS Configuration Guide.
Configure the RADIUS server correctly to provide authentication and accounting functions.
Configuration procedure
Perform the following tasks on Switch A.
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<SwitchA> system-view
[SwitchA] radius scheme rs1
# For the RADIUS scheme, specify the VPN instance that is bound to the interface connected to
the portal/RADIUS server. This example uses VPN instance vpn3.
[SwitchA-radius-rs1] vpn-instance vpn3
NOTE:
For the VPN instance information, see the MPLS L3VPN configuration on Switch A.
# Specify the primary authentication server and primary accounting server, and configure the
keys for communication with the servers.
[SwitchA-radius-rs1] primary authentication 192.168.0.111
[SwitchA-radius-rs1] primary accounting 192.168.0.111
[SwitchA-radius-rs1] key accounting simple radius
[SwitchA-radius-rs1] key authentication simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
[SwitchA-radius-rs1] user-name-format without-domain
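An added example, not part of the HP manual: a Python check that reads a pasted CLI transcript such as the one in step 1 and flags RADIUS scheme keys entered in plaintext form (`simple`) that are guessable or short, and schemes not bound to the expected VPN instance. The 16-character minimum, the word list, and the function names are assumptions of this example.

```python
import re

# Constructed sample: the step 1 commands as they appear in a CLI transcript.
SAMPLE = """\
<SwitchA> system-view
[SwitchA] radius scheme rs1
[SwitchA-radius-rs1] vpn-instance vpn3
[SwitchA-radius-rs1] primary authentication 192.168.0.111
[SwitchA-radius-rs1] primary accounting 192.168.0.111
[SwitchA-radius-rs1] key accounting simple radius
[SwitchA-radius-rs1] key authentication simple radius
[SwitchA-radius-rs1] user-name-format without-domain
"""

# "[<sysname>-radius-<scheme>] <command>": a command typed in RADIUS scheme view.
SCHEME_LINE = re.compile(r"^\[[^\]\s]+-radius-([^\]\s]+)\]\s*(\S.*)$")
MIN_LEN = 16  # assumed local policy, not a vendor requirement
GUESSABLE = {"radius", "secret", "password", "admin", "testing123"}  # assumed list

def parse_schemes(text):
    """Return {scheme: {"vpn": name or None, "keys": {role: (mode, secret)}}}."""
    schemes = {}
    for raw in text.splitlines():
        m = SCHEME_LINE.match(raw.strip())
        if not m:
            continue  # comment lines and commands typed in other views
        s = schemes.setdefault(m.group(1), {"vpn": None, "keys": {}})
        words = m.group(2).split()
        if words[0] == "vpn-instance" and len(words) == 2:
            s["vpn"] = words[1]
        elif words[0] == "key" and len(words) == 4:
            s["keys"][words[1]] = (words[2], words[3])
    return schemes

def audit(text, expected_vpn=None):
    """Return a list of (scheme, item, finding) tuples."""
    findings = []
    for name, s in parse_schemes(text).items():
        if expected_vpn and s["vpn"] != expected_vpn:
            findings.append((name, "vpn-instance",
                             f"expected {expected_vpn}, found {s['vpn']}"))
        for role in ("authentication", "accounting"):
            mode, secret = s["keys"].get(role, (None, None))
            if mode is None:
                findings.append((name, role, "no shared key configured"))
            elif mode != "simple":
                continue  # ciphertext form: strength cannot be judged from the text
            elif secret.lower() in GUESSABLE:
                findings.append((name, role, "guessable shared key"))
            elif len(secret) < MIN_LEN:
                findings.append((name, role, f"shared key shorter than {MIN_LEN} characters"))
    return findings
```

Run against the step 1 transcript with `audit(SAMPLE, expected_vpn="vpn3")`, both keys are reported as guessable because the example uses the string `radius` as the shared key.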