Tuesday, January 18, 2011

Portal Authentication

Portal Authentication Overview

With portal authentication, an access device forces every user to log in at a portal website first. A user can reach the free services offered on the portal website without authenticating, but to reach anything beyond it (the Internet) the user must first pass portal authentication on that website.
A user who knows the portal website can open it and enter a username and password; this is called active authentication. In the other mode, forced authentication, the access device intercepts a user's HTTP request to the Internet and redirects it to the portal website for authentication.
The portal feature gives Internet service providers (ISPs) flexibility in managing services: a portal website can, for example, present advertisements and deliver community and personalized services, letting broadband network providers, equipment providers and content service providers form an ecosystem.

Configuring Direct Portal Authentication

Network Diagram

Figure 1-1 Network diagram for direct portal authentication configuration

Networking and Configuration Requirements

- A RADIUS server serves as the authentication/accounting server.

Configuration Procedure

You need to configure IP addresses for the devices as shown in Figure 1-1 and ensure that routes are available between devices.

Configure the access device (Switch):
1)        Configure a RADIUS scheme
# Create a RADIUS scheme named rs1.
# Set the server type to extended.
# Configure the primary authentication server, the primary accounting server, and the communication keys.
# Specify that the ISP domain name should not be included in the username sent to the RADIUS server.
2)        Configure an authentication domain
# Create an ISP domain named dm1 and enter its view.
# Configure the ISP domain to use RADIUS scheme rs1.
# Configure dm1 as the default ISP domain, allowing all users to share the default authentication and accounting modes.
3)        Configure portal authentication
# Configure the portal server as follows:
- Name: newpt
- IP address: 192.168.0.111
- Key: portal
- Port number: 50100
- URL: http://192.168.0.111/portal
# Enable portal authentication on the interface connecting the host.
# Configure the IP address of the interface connected with the portal server.

Complete Configuration

#
 domain default enable dm1
#
 portal server newpt ip 192.168.0.111 key portal url http://192.168.0.111/portal
#
radius scheme rs1
 server-type extended
 primary authentication 192.168.0.112
 primary accounting 192.168.0.112
 key authentication radius
 key accounting radius
 user-name-format without-domain
#
domain dm1
 authentication portal radius-scheme rs1
 authorization portal radius-scheme rs1
 accounting portal radius-scheme rs1
#
interface Vlan-interface2
 ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface100
 ip address 2.2.2.1 255.255.255.0
 portal server newpt method direct
#

Configuration Guidelines

- The destination port number that the switch uses when it sends unsolicited packets to the portal server must be the same port the remote portal server actually listens on.
- The portal server parameters can be modified only before the portal server is applied to an interface.
- The portal server referenced by a portal-enabled interface must already exist.
- The keys in this example (portal, radius) and the plain http:// portal URL are sample values. In production use long, distinct shared secrets for the portal server and for RADIUS authentication and accounting, and be aware that a username and password entered on a portal page served over plain HTTP cross the network unencrypted.

Configuring Re-DHCP Portal Authentication

Network Diagram

Figure 1-2 Network diagram for re-DHCP portal authentication configuration

Networking and Configuration Requirements

- The switch is configured for re-DHCP authentication. Users obtain IP addresses through the DHCP server. Before portal authentication, they get private IP addresses. After passing portal authentication, they get public IP addresses and then can access the Internet.
- A RADIUS server serves as the authentication/accounting server.

Configuration Procedure

- For re-DHCP authentication, you need to configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10.0.0.0/24, in this example) on the DHCP server. The configuration steps are omitted. For DHCP configuration information, refer to DHCP Configuration in this manual.
- For re-DHCP authentication, the access device must be configured as a DHCP relay agent (instead of a DHCP server) and the portal-enabled interface must be configured with a primary IP address (a public IP address) and a secondary IP address (a private IP address).
- You need to configure IP addresses for the devices as shown in Figure 1-2 and ensure that routes are available between devices.
- The following describes only the configurations related to re-DHCP authentication mode. For configurations about the RADIUS scheme and ISP domain, refer to Configuring Direct Portal Authentication.

Configure the access device:
# Configure the portal server as follows:
- Name: newpt
- IP address: 192.168.0.111
- Key: portal
- Port number: 50100
- URL: http://192.168.0.111/portal
# Configure the access device as a DHCP relay agent, and enable the invalid address check function.
# Enable re-DHCP portal authentication on the interface connecting the host.
# Configure the IP address of the interface connected with the portal server.

Complete Configuration

#
 domain default enable dm1
#
 portal server newpt ip 192.168.0.111 key portal url http://192.168.0.111/portal
#
radius scheme rs1
 server-type extended
 primary authentication 192.168.0.112
 primary accounting 192.168.0.112
 key authentication radius
 key accounting radius
 user-name-format without-domain
#
domain dm1
 authentication portal radius-scheme rs1
 authorization portal radius-scheme rs1
 accounting portal radius-scheme rs1
#
interface Vlan-interface2
 ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface100
 ip address 20.20.20.1 255.255.255.0
 ip address 10.0.0.1 255.255.255.0 sub
 dhcp select relay
 dhcp relay server-select 0
 dhcp relay address-check enable
 portal server newpt method redhcp
#

Configuration Guidelines

In re-DHCP authentication mode, a user can already send packets from a public IP address before passing portal authentication, but the access device restricts the corresponding response packets until authentication succeeds.
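The consistency rules in the direct-mode Configuration Guidelines (the portal server an interface references must exist, and its parameters must match what the portal server uses) and in the re-DHCP requirements (the access device is a DHCP relay, the portal-enabled interface has a public primary and a private sub address, and address check is enabled) can be checked mechanically against a saved configuration. The Python script below is an added example written for this page; it is not vendor code and not code from the page. It embeds a copy of the re-DHCP configuration shown above as constructed sample input, plus a deliberately broken variant, and the 12-character minimum for shared secrets is an assumed local policy, not a vendor requirement.

```python
"""Lint a Comware-style portal config (direct or re-DHCP) against the guidelines:
referenced portal server / RADIUS scheme / default domain must exist, a redhcp
interface must be a DHCP relay with primary + sub addresses and address check,
and shared secrets and the portal URL are checked for obvious weakness."""
import re

# The page's re-DHCP configuration, embedded as constructed sample input.
SAMPLE_CFG = """\
#
 domain default enable dm1
#
 portal server newpt ip 192.168.0.111 key portal url http://192.168.0.111/portal
#
radius scheme rs1
 server-type extended
 primary authentication 192.168.0.112
 primary accounting 192.168.0.112
 key authentication radius
 key accounting radius
 user-name-format without-domain
#
domain dm1
 authentication portal radius-scheme rs1
 authorization portal radius-scheme rs1
 accounting portal radius-scheme rs1
#
interface Vlan-interface2
 ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface100
 ip address 20.20.20.1 255.255.255.0
 ip address 10.0.0.1 255.255.255.0 sub
 dhcp select relay
 dhcp relay server-select 0
 dhcp relay address-check enable
 portal server newpt method redhcp
#
"""

# Constructed broken variant: undefined server name, no sub address, no address check.
BROKEN_CFG = (SAMPLE_CFG
              .replace("portal server newpt method", "portal server newpt2 method")
              .replace(" ip address 10.0.0.1 255.255.255.0 sub\n", "")
              .replace(" dhcp relay address-check enable\n", ""))

MIN_SECRET_LEN = 12  # assumed local policy for portal/RADIUS shared secrets


def parse_config(text):
    """'#' ends a section; an unindented line opens a (header, body) block; indented
    lines belong to the open block, or are global commands when none is open."""
    globals_, blocks, current = [], [], None
    for raw in text.splitlines():
        if raw.strip() in ("", "#"):
            current = None
        elif raw.startswith(" "):
            (globals_ if current is None else current[1]).append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return globals_, blocks


def lint_portal_config(text):
    """Return [(severity, message)]: 'error' breaks the setup per the guidelines,
    'warn' is a short shared secret or a cleartext (http://) portal URL."""
    globals_, blocks = parse_config(text)
    out, servers, default_domain = [], {}, None
    for g in globals_:
        if m := re.fullmatch(r"portal server (\S+) ip (\S+) key (\S+) url (\S+)", g):
            servers[m[1]] = {"ip": m[2], "key": m[3], "url": m[4]}
        elif m := re.fullmatch(r"domain default enable (\S+)", g):
            default_domain = m[1]
    schemes = {h.split()[2]: b for h, b in blocks if h.startswith("radius scheme ")}
    domains = {h.split()[1]: b for h, b in blocks if h.startswith("domain ")}
    if default_domain and default_domain not in domains:
        out.append(("error", f"default domain {default_domain} is not defined"))
    for name, body in domains.items():
        for line in body:
            if (m := re.match(r"\w+ portal radius-scheme (\S+)$", line)) and m[1] not in schemes:
                out.append(("error", f"domain {name}: RADIUS scheme {m[1]} is not defined"))
    for name, body in schemes.items():
        for line in body:
            if (m := re.match(r"key (\w+) (\S+)$", line)) and len(m[2]) < MIN_SECRET_LEN:
                out.append(("warn", f"radius scheme {name}: {m[1]} key shorter than {MIN_SECRET_LEN}"))
    for name, s in servers.items():
        if len(s["key"]) < MIN_SECRET_LEN:
            out.append(("warn", f"portal server {name}: key shorter than {MIN_SECRET_LEN}"))
        if not s["url"].startswith("https://"):
            out.append(("warn", f"portal server {name}: URL {s['url']} is not https"))
    for header, body in blocks:
        if not header.startswith("interface "):
            continue
        ifname = header.split()[1]
        for line in body:
            if not (m := re.fullmatch(r"portal server (\S+) method (\S+)", line)):
                continue
            if m[1] not in servers:
                out.append(("error", f"{ifname}: portal server {m[1]} is not defined"))
            if m[2] == "redhcp":
                has_primary = any(re.fullmatch(r"ip address \S+ \S+", l) for l in body)
                has_sub = any(re.fullmatch(r"ip address \S+ \S+ sub", l) for l in body)
                if not (has_primary and has_sub):
                    out.append(("error", f"{ifname}: redhcp needs a primary (public) and a sub (private) address"))
                for needed in ("dhcp select relay", "dhcp relay address-check enable"):
                    if needed not in body:
                        out.append(("error", f"{ifname}: redhcp requires '{needed}'"))
    return out
```

On the page's own configuration the script reports no errors but four warnings: the six-character portal key, the two six-character RADIUS keys, and the http:// portal URL. The broken variant produces three errors (undefined portal server newpt2, missing sub address, missing address check). The RADIUS key protects every Access-Request between the switch and the RADIUS server, and the portal key protects the exchange between the switch and the portal server, so both deserve real secrets before this goes near a production edge.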

Configuring Layer 3 Portal Authentication

Differences between Layer 3 and non-Layer 3 authentication modes:
- Networking mode
The Layer 3 portal authentication mode allows Layer 3 forwarding devices to be present between the authentication client and the access device, while the non-Layer 3 portal authentication mode does not.
- User identifier
In Layer 3 authentication mode, a client is uniquely identified by an IP address. This is because the mode supports Layer 3 forwarding devices between the authentication client and the access device, so the access device does not learn the MAC address of the authentication client. In non-Layer 3 authentication mode, a client is uniquely identified by the combination of its IP address and MAC address, because the access device can learn the MAC address of the authentication client.
Due to the above differences,
- In Layer 3 authentication mode, a new portal authentication is triggered when the IP address of the authentication client changes, even if its MAC address remains the same.
- In non-Layer 3 authentication mode, a new portal authentication is triggered only when both the MAC address and the IP address of the authentication client change.

Network Diagram

Figure 1-3 Network diagram for Layer 3 portal authentication configuration

Networking and Configuration Requirements

- Switch A is configured for Layer 3 portal authentication. Before portal authentication, users can access only the portal server. After passing portal authentication, they can access external networks.
- A RADIUS server serves as the authentication/accounting server.

Configuration Procedure

- You need to configure IP addresses for the devices as shown in Figure 1-3 and ensure that routes are available between devices.
- The following describes only the major configurations related to Layer 3 portal authentication. For configurations about the RADIUS scheme and ISP domain, refer to Configuring Direct Portal Authentication.

Configure Switch A:
# Configure the portal server as follows:
- Name: newpt
- IP address: 192.168.0.111
- Key: portal
- Port number: 50100
- URL: http://192.168.0.111/portal
# Enable portal authentication on the interface connecting Switch B.
# Configure the IP address of the interface connected with the portal server.
On Switch B, you need to configure a route to subnet 192.168.0.0/24 (a default route, in this example) with next hop 20.20.20.1, so that clients behind Switch B can reach the portal server and the RADIUS server. The configuration steps are omitted.

Complete Configuration

#
 domain default enable dm1
#
 portal server newpt ip 192.168.0.111 key portal url http://192.168.0.111/portal
#
radius scheme rs1
 server-type extended
 primary authentication 192.168.0.112
 primary accounting 192.168.0.112
 key authentication radius
 key accounting radius
 user-name-format without-domain
 security-policy-server 192.168.0.113
#
domain dm1
 authentication portal radius-scheme rs1
 authorization portal radius-scheme rs1
 accounting portal radius-scheme rs1
#
interface Vlan-interface2
 ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface4
 ip address 20.20.20.1 255.255.255.0
 portal server newpt method layer3
#

Configuration Guidelines

Only Layer 3 authentication mode can be used in applications with Layer 3 forwarding devices present between the authentication clients and the access device. However, Layer 3 authentication does not require any Layer 3 forwarding devices between the access device and the authentication clients.

Configuring Direct Portal Authentication for EAD

Network Diagram

Figure 1-4 Network diagram for configuring direct portal authentication for EAD

Networking and Configuration Requirements

- The switch is configured for direct portal authentication and EAD authentication. When users have passed identity authentication but have not passed security authentication, they can access only subnet 192.168.0.0/24. After passing security authentication, they can access the Internet.
- A RADIUS server serves as the authentication/accounting server.
- A security policy server is configured.

Configuration Procedure

You need to configure IP addresses for the devices as shown in Figure 1-4 and ensure that routes are available between devices.

Configure the access device (Switch):
1)        Configure a RADIUS scheme
# Create a RADIUS scheme named rs1 and enter its view.
# Set the server type to extended.
# Configure the primary authentication server, the primary accounting server, and the communication keys.
# Configure the IP address of the security policy server.
2)        Configure an authentication domain
# Create an ISP domain named dm1 and enter its view.
# Configure the ISP domain to use RADIUS scheme rs1.
# Configure dm1 as the default ISP domain, allowing all users to share the authentication and accounting modes of the default domain.
4)        Configure the ACL for restricted resources (ACL 3000) and the ACL for unrestricted resources (ACL 3001)

On the security policy server, specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.

4)        Configure portal authentication
# Configure the portal server as follows:
- Name: newpt
- IP address: 192.168.0.111
- Key: portal
- Port number: 50100
- URL: http://192.168.0.111/portal
# Enable portal authentication on the interface connecting the host.
# Configure the IP address of the interface connected with the portal server.

Complete Configuration

#
 domain default enable dm1
#
 portal server newpt ip 192.168.0.111 key portal url http://192.168.0.111/portal
#
radius scheme rs1
 server-type extended
 primary authentication 192.168.0.112
 primary accounting 192.168.0.112
 key authentication radius
 key accounting radius
 user-name-format without-domain
 security-policy-server 192.168.0.113
#
domain dm1
 authentication portal radius-scheme rs1
 authorization portal radius-scheme rs1
 accounting portal radius-scheme rs1
#
acl number 3000
 rule permit ip destination 192.168.0.0 0.0.0.255
#
acl number 3001
 rule permit ip
#
interface Vlan-interface2
 ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface100
 ip address 2.2.2.1 255.255.255.0
 portal server newpt method direct
#

Configuration Guidelines

For configuration of the security policy server, refer to the CAMS EAD Security Policy Component User Manual.
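The EAD states described above map onto the two ACLs in a fixed way: after identity authentication but before security authentication the security policy server applies ACL 3000 (the isolation ACL), and after security authentication it applies ACL 3001 (the security ACL). The Python script below is an added example, not code from the page, the vendor or CAMS. It parses a copy of the page's two ACLs, evaluates Comware wildcard masks with first-match and implicit-deny semantics, and reports which destinations a host in each state can reach. It goes slightly beyond the page in also understanding source wildcards and deny rules; the state names and the client address 2.2.2.10 are assumptions for the example.

```python
"""Evaluate the EAD access states against the page's ACLs: identity_only -> isolation
ACL 3000, secure -> security ACL 3001. Unmatched traffic is denied."""
import ipaddress
import re

# The two ACLs from the page's EAD configuration (constructed copy of that text).
ACL_TEXT = """\
acl number 3000
 rule permit ip destination 192.168.0.0 0.0.0.255
#
acl number 3001
 rule permit ip
"""

ISOLATION_ACL, SECURITY_ACL = 3000, 3001   # assignment stated on the page

# Comware rule syntax handled here: rule [id] permit|deny ip [source A W] [destination A W]
RULE_RE = re.compile(
    r"rule(?: \d+)? (?P<action>permit|deny) ip"
    r"(?: source (?P<src>\S+) (?P<swild>\S+))?"
    r"(?: destination (?P<dst>\S+) (?P<dwild>\S+))?")


def parse_acls(text):
    """Return {acl_number: [rule dicts]} in configuration order (first match wins)."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"acl number (\d+)", line):
            current = acls.setdefault(int(m[1]), [])
        elif (m := RULE_RE.fullmatch(line)) and current is not None:
            current.append(m.groupdict())
    return acls


def wildcard_match(addr, net, wild):
    """Comware wildcard masks: a 1 bit means 'don't care' (0.0.0.255 covers a /24)."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a | w) == (n | w)


def acl_permits(rules, src, dst):
    """First matching rule decides; an ACL with no matching rule denies (implicit deny)."""
    for r in rules:
        if r["src"] and not wildcard_match(src, r["src"], r["swild"]):
            continue
        if r["dst"] and not wildcard_match(dst, r["dst"], r["dwild"]):
            continue
        return r["action"] == "permit"
    return False


def allowed(acls, state, src, dst):
    """Is src -> dst permitted for a user in the given EAD state? (state names are assumed)"""
    acl = {"identity_only": ISOLATION_ACL, "secure": SECURITY_ACL}.get(state)
    if acl is None:
        raise ValueError(f"unknown EAD state {state!r}")
    return acl_permits(acls.get(acl, []), src, dst)


def reachable(acls, state, src, dsts):
    """Subset of dsts that a client at src can reach in the given state."""
    return [d for d in dsts if allowed(acls, state, src, d)]


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    targets = ["192.168.0.111", "192.168.0.113", "8.8.8.8"]
    for state in ("identity_only", "secure"):
        print(state, reachable(acls, state, "2.2.2.10", targets))
```

Run as a script, it shows the isolated host reaching only the portal server (192.168.0.111) and the security policy server (192.168.0.113) on 192.168.0.0/24, and the host that has passed security authentication reaching the Internet address as well. Note that because ACL 3000 has no deny rules, the "restriction" comes entirely from the implicit deny at the end of the ACL; if you later add a broad permit to the isolation ACL, the isolation is gone.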
