Portal Authentication
Portal Authentication Overview
Portal authentication, as its name implies, helps control access to the Internet. Portal authentication is also called web authentication and a website implementing portal authentication is called a portal website.
With portal authentication, an access device forces all users to log into the portal website at first. A user can access the free services provided on the portal website without authentication; but to access the Internet, the user must pass portal authentication on the portal website.
A user can access a known portal website and enter the username and password for authentication. This authentication mode is called active authentication. There is still another authentication mode, namely forced authentication, in which the access device forces a user trying to access the Internet through HTTP to log in to a portal website for authentication.
The portal feature provides the flexibility for Internet service providers (ISPs) to manage services. A portal website can, for example, present advertisements, and deliver community services and personalized services. In this way, broadband network providers, equipment providers, and content service providers form an industrial ecological system.
Configuring Direct Portal Authenction
Network Diagram
Figure 1-1 Network diagram for direct portal authentication configuration
Networking and Configuration Requirements
l The switch is configured for direct portal authentication. Before portal authentication, users can access only the portal server. After passing portal authentication, they can access external networks.
l A RADIUS server serves as the authentication/accounting server.
Configuration Procedure
You need to configure IP addresses for the devices as shown in Figure 1-1 and ensure that routes are available between devices.
Configure the access device (Switch):1) Configure a RADIUS scheme# Create a RADIUS scheme named rs1.# Set the server type to extended.# Configure the primary authentication server, the primary accounting server, and the communication keys.# Specify that the ISP domain name should not be included in the username sent to the RADIUS server.2) Configure an authentication domain# Create an ISP domain named dm1 and enter its view.# Configure the ISP domain to use RADIUS scheme rs1.# Configure dm1 as the default ISP domain, allowing all users to share the default authentication and accounting modes.3) Configure portal authentication# Configure the portal server as follows:l Name: newptl IP address: 192.168.0.111l Key: portall Port number: 50100l URL: http://192.168.0.111/portal.# Enable portal authentication on the interface connecting the host.# Configure the IP address of the interface connected with the portal server.
Complete Configuration
# domain default enable dm1# # portal server newpt ip 192.168.0.111 key portal url http://192.168.0.111/portal# radius scheme rs1 server-type extended primary authentication 192.168.0.112 primary accounting 192.168.0.112 key authentication radius key accounting radius user-name-format without-domain# domain dm1 authentication portal radius-scheme rs1 authorization portal radius-scheme rs1 accounting portal radius-scheme rs1 #interface Vlan-interface2 ip address 192.168.0.100 255.255.255.0#interface Vlan-interface100 ip address 2.2.2.1 255.255.255.0 portal server newpt method direct#Configuration Guidelines
l The destination port number that the switch uses for sending packets to the portal server unsolicitedly must be the same as that the remote portal server actually uses.l The portal server parameters can be modified only before the portal server is applied to an interface.l The portal server to be referenced by a portal-enabled interface must exist.Configuring Re-DHCP Portal Authentication
Network Diagram
Figure 1-2 Network diagram for re-DHCP portal authentication configuration
Networking and Configuration Requirements
l The switch is configured for re-DHCP authentication. Users obtain IP addresses through the DHCP server. Before portal authentication, they get private IP addresses. After passing portal authentication, they get public IP addresses and then can access the Internet.l A RADIUS server serves as the authentication/accounting server.Configuration Procedure
l For re-DHCP authentication, you need to configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10.0.0.0/24, in this example) on the DHCP server. The configuration steps are omitted. For DHCP configuration information, refer to DHCP Configuration in this manual.l For re-DHCP authentication, the access device must be configured as a DHCP relay agent (instead of a DHCP server) and the portal-enabled interface must be configured with a primary IP address (a public IP address) and a secondary IP address (a private IP address).l You need to configure IP addresses for the devices as shown in Figure 1-2 and ensure that routes are available between devices.l The following describes only the configurations related to re-DHCP authentication mode. For configurations about the RADIUS scheme and ISP domain, refer to Configuring Direct Portal Authentication.
Configure the access device:# Configure the portal server as follows:l Name: newptl IP address: 192.168.0.111l Key: portall Port number: 50100l URL: http://192.168.0.111/portal.# Configure the access device as a DHCP relay agent, and enable the invalid address check function.# Enable re-DHCP portal authentication on the interface connecting the host.# Configure the IP address of the interface connected with the portal server.
Complete Configuration
# domain default enable dm1# portal server newpt ip 192.168.0.111 key portal url http://192.168.0.111/portal# radius scheme rs1 server-type extended primary authentication 192.168.0.112 primary accounting 192.168.0.112 key authentication radius key accounting radius user-name-format without-domain# domain dm1 authentication portal radius-scheme rs1 authorization portal radius-scheme rs1 accounting portal radius-scheme rs1 #interface Vlan-interface2 ip address 192.168.0.100 255.255.255.0#interface Vlan-interface100 ip address 20.20.20.1 255.255.255.0 ip address 10.0.0.1 255.255.255.0 sub dhcp select relay dhcp relay server-select 0 dhcp relay address-check enable portal server newpt method redhcp#Configuration Guidelines
In re-DHCP authentication mode, a user can send packets using a public IP address before portal authentication, but the corresponding response packets are restricted.Configuring Layer 3 Portal Authentication
Differences between Layer 3 and non-Layer 3 authentication modes:l Networking modeThe Layer 3 portal authentication mode allows Layer 3 forwarding devices to be present between the authentication client and the access device, while the non-Layer 3 portal authentication mode does not.l User identifierIn Layer 3 authentication mode, a client is uniquely identified by an IP address. This is because the mode supports Layer 3 forwarding devices between the authentication client and the access device and the access device does not learn the MAC address of the authentication client. In non-Layer 3 authentication mode, a client is uniquely identified by the combination of its IP address and MAC address because the access device can learn the MAC address of the authentication client.Due to the above differences,l In Layer-3 authentication mode, a new portal authentication will be triggered when the IP address of the authentication client changes even if its MAC address remains the same.l In non-Layer 3 authentication mode, a new portal authentication will be triggered only when both the MAC and IP address of the authentication client are changed.Network Diagram
Figure 1-3 Network diagram for Layer 3 portal authentication configuration
Networking and Configuration Requirements
l Switch A is configured for Layer 3 portal authentication. Before portal authentication, users can access only the portal server. After passing portal authentication, they can access external networks.l A RADIUS server serves as the authentication/accounting server.Configuration Procedure
l You need to configure IP addresses for the devices as shown in Figure 1-3 and ensure that routes are available between devices.l The following describes only the major configurations related to Layer 3 portal authentication. For configurations about the RADIUS scheme and ISP domain, refer to Configuring Direct Portal Authentication.
Configure Switch A:# Configure the portal server as follows:l Name: newptl IP address: 192.168.0.111l Key: portall Port number: 50100l URL: http://192.168.0.111/portal.# Enable portal authentication on the interface connecting Switch B.# Configure the IP address of the interface connected with the portal server.On Switch B, you need to configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1. The configuration steps are omitted.Complete Configuration
# domain default enable dm1# portal server newpt ip 192.168.0.111 key portal url http://192.168.0.111/portal# radius scheme rs1 server-type extended primary authentication 192.168.0.112 primary accounting 192.168.0.112 key authentication radius key accounting radius user-name-format without-domain security-policy-server 192.168.0.113#domain dm1 authentication portal radius-scheme rs1 authorization portal radius-scheme rs1 accounting portal radius-scheme rs1#interface Vlan-interface2 ip address 192.168.0.100 255.255.255.0#interface Vlan-interface4 ip address 20.20.20.1 255.255.255.0 portal server newpt method layer3#Configuration Guidelines
Only Layer 3 authentication mode can be used in applications with Layer 3 forwarding devices present between the authentication clients and the access device. However, Layer 3 authentication does not require any Layer 3 forwarding devices between the access device and the authentication clients.Configuring Direct Portal Authentication for EAD
Network Diagram
Figure 1-4 Network diagram for configuring direct portal authentication for EAD
Networking and Configuration Requirements
l The switch is configured for direct portal authentication and EAD authentication. When users have passed identity authentication but have not passed security authentication, they can access only subnet 192.168.0.0/24. After passing security authentication, they can access the Internet.l A RADIUS server serves as the authentication/accounting server.l A security policy server is configured.Configuration Procedure
You need to configure IP addresses for the devices as shown in Figure 1-4 and ensure that routes are available between devices.
Configure the access device (Switch):1) Configure a RADIUS scheme# Create a RADIUS scheme named rs1 and enter its view.# Set the server type to extended.# Configure the primary authentication server, the primary accounting server, and the communication keys.# Configure the IP address of the security policy server.2) Configure an authentication domain# Create an ISP domain named dm1 and enter its view.# Configure the ISP domain to use RADIUS scheme rs1.# Configure dm1 as the default ISP domain, allowing all users to share the authentication and accounting modes of the default domain.3) Configure the ACL (ACL 3000 ) for restricted resources and the ACL (ACL 3001) for unrestricted resources
On the security policy server, you need to specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
4) Configure portal authentication# Configure the portal server as follows:l Name: newptl IP address: 192.168.0.111l Key: portall Port number: 50100l URL: http://192.168.0.111/portal.# Enable portal authentication on the interface connecting the host.# Configure the IP address of the interface connected with the portal server.
Complete Configuration
# domain default enable dm1# # portal server newpt ip 192.168.0.111 key portal url http://192.168.0.111/portal# radius scheme rs1 server-type extended primary authentication 192.168.0.112 primary accounting 192.168.0.112 key authentication radius key accounting radius user-name-format without-domain security-policy-server 192.168.0.113# domain dm1 authentication portal radius-scheme rs1 authorization portal radius-scheme rs1 accounting portal radius-scheme rs1 #acl number 3000 rule permit ip destination 192.168.0.0 0.0.0.255#acl number 3001 rule permit ip#interface Vlan-interface2 ip address 192.168.0.100 255.255.255.0#interface Vlan-interface100 ip address 2.2.2.1 255.255.255.0 portal server newpt method direct#Configuration Guidelines
For configuration about the security policy server, refer to CAMS EAD Security Policy Component User Manual.
Configuration Procedure
You need to configure IP addresses for the devices as shown in Figure 1-1 and ensure that routes are available between devices.
Configure the access device (Switch):
1) Configure a RADIUS scheme
# Create a RADIUS scheme named rs1.
# Set the server type to extended.
# Configure the primary authentication server, the primary accounting server, and the communication keys.
# Specify that the ISP domain name should not be included in the username sent to the RADIUS server.
2) Configure an authentication domain
# Create an ISP domain named dm1 and enter its view.
# Configure the ISP domain to use RADIUS scheme rs1.
# Configure dm1 as the default ISP domain, allowing all users to share the default authentication and accounting modes.
3) Configure portal authentication
# Configure the portal server as follows:
l Name: newpt
l IP address: 192.168.0.111
l Key: portal
l Port number: 50100
l URL: http://192.168.0.111/portal.
# Enable portal authentication on the interface connecting the host.
# Configure the IP address of the interface connected with the portal server.
Complete Configuration
#
domain default enable dm1
#
#
portal server newpt ip 192.168.0.111 key portal url http://192.168.0.111/portal
#
radius scheme rs1
server-type extended
primary authentication 192.168.0.112
primary accounting 192.168.0.112
key authentication radius
key accounting radius
user-name-format without-domain
#
domain dm1
authentication portal radius-scheme rs1
authorization portal radius-scheme rs1
accounting portal radius-scheme rs1
#
interface Vlan-interface2
ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface100
ip address 2.2.2.1 255.255.255.0
portal server newpt method direct
#
Configuration Guidelines
l The destination port number that the switch uses for sending packets to the portal server unsolicitedly must be the same as that the remote portal server actually uses.
l The portal server parameters can be modified only before the portal server is applied to an interface.
l The portal server to be referenced by a portal-enabled interface must exist.
Configuring Re-DHCP Portal Authentication
Network Diagram
Figure 1-2 Network diagram for re-DHCP portal authentication configuration
Networking and Configuration Requirements
l The switch is configured for re-DHCP authentication. Users obtain IP addresses through the DHCP server. Before portal authentication, they get private IP addresses. After passing portal authentication, they get public IP addresses and then can access the Internet.
l A RADIUS server serves as the authentication/accounting server.
Configuration Procedure
l For re-DHCP authentication, you need to configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10.0.0.0/24, in this example) on the DHCP server. The configuration steps are omitted. For DHCP configuration information, refer to DHCP Configuration in this manual.
l For re-DHCP authentication, the access device must be configured as a DHCP relay agent (instead of a DHCP server) and the portal-enabled interface must be configured with a primary IP address (a public IP address) and a secondary IP address (a private IP address).
l You need to configure IP addresses for the devices as shown in Figure 1-2 and ensure that routes are available between devices.
l The following describes only the configurations related to re-DHCP authentication mode. For configurations about the RADIUS scheme and ISP domain, refer to Configuring Direct Portal Authentication.
Configure the access device:
# Configure the portal server as follows:
l Name: newpt
l IP address: 192.168.0.111
l Key: portal
l Port number: 50100
l URL: http://192.168.0.111/portal.
# Configure the access device as a DHCP relay agent, and enable the invalid address check function.
# Enable re-DHCP portal authentication on the interface connecting the host.
# Configure the IP address of the interface connected with the portal server.
Complete Configuration
#
domain default enable dm1
#
portal server newpt ip 192.168.0.111 key portal url http://192.168.0.111/portal
#
radius scheme rs1
server-type extended
primary authentication 192.168.0.112
primary accounting 192.168.0.112
key authentication radius
key accounting radius
user-name-format without-domain
#
domain dm1
authentication portal radius-scheme rs1
authorization portal radius-scheme rs1
accounting portal radius-scheme rs1
#
interface Vlan-interface2
ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface100
ip address 20.20.20.1 255.255.255.0
ip address 10.0.0.1 255.255.255.0 sub
dhcp select relay
dhcp relay server-select 0
dhcp relay address-check enable
portal server newpt method redhcp
#
Configuration Guidelines
In re-DHCP authentication mode, a user can send packets using a public IP address before portal authentication, but the corresponding response packets are restricted.
Configuring Layer 3 Portal Authentication
Differences between Layer 3 and non-Layer 3 authentication modes:
l Networking mode
The Layer 3 portal authentication mode allows Layer 3 forwarding devices to be present between the authentication client and the access device, while the non-Layer 3 portal authentication mode does not.
l User identifier
In Layer 3 authentication mode, a client is uniquely identified by an IP address. This is because the mode supports Layer 3 forwarding devices between the authentication client and the access device and the access device does not learn the MAC address of the authentication client. In non-Layer 3 authentication mode, a client is uniquely identified by the combination of its IP address and MAC address because the access device can learn the MAC address of the authentication client.
Due to the above differences,
l In Layer-3 authentication mode, a new portal authentication will be triggered when the IP address of the authentication client changes even if its MAC address remains the same.
l In non-Layer 3 authentication mode, a new portal authentication will be triggered only when both the MAC and IP address of the authentication client are changed.
Network Diagram
Figure 1-3 Network diagram for Layer 3 portal authentication configuration
Networking and Configuration Requirements
l Switch A is configured for Layer 3 portal authentication. Before portal authentication, users can access only the portal server. After passing portal authentication, they can access external networks.
l A RADIUS server serves as the authentication/accounting server.
Configuration Procedure
l You need to configure IP addresses for the devices as shown in Figure 1-3 and ensure that routes are available between devices.
l The following describes only the major configurations related to Layer 3 portal authentication. For configurations about the RADIUS scheme and ISP domain, refer to Configuring Direct Portal Authentication.
Configure Switch A:
# Configure the portal server as follows:
l Name: newpt
l IP address: 192.168.0.111
l Key: portal
l Port number: 50100
l URL: http://192.168.0.111/portal.
# Enable portal authentication on the interface connecting Switch B.
# Configure the IP address of the interface connected with the portal server.
On Switch B, you need to configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1. The configuration steps are omitted.
Complete Configuration
#
domain default enable dm1
#
portal server newpt ip 192.168.0.111 key portal url http://192.168.0.111/portal
#
radius scheme rs1
server-type extended
primary authentication 192.168.0.112
primary accounting 192.168.0.112
key authentication radius
key accounting radius
user-name-format without-domain
security-policy-server 192.168.0.113
#
domain dm1
authentication portal radius-scheme rs1
authorization portal radius-scheme rs1
accounting portal radius-scheme rs1
#
interface Vlan-interface2
ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface4
ip address 20.20.20.1 255.255.255.0
portal server newpt method layer3
#
Configuration Guidelines
Only Layer 3 authentication mode can be used in applications with Layer 3 forwarding devices present between the authentication clients and the access device. However, Layer 3 authentication does not require any Layer 3 forwarding devices between the access device and the authentication clients.
Configuring Direct Portal Authentication for EAD
Network Diagram
Figure 1-4 Network diagram for configuring direct portal authentication for EAD
Networking and Configuration Requirements
l The switch is configured for direct portal authentication and EAD authentication. When users have passed identity authentication but have not passed security authentication, they can access only subnet 192.168.0.0/24. After passing security authentication, they can access the Internet.
l A RADIUS server serves as the authentication/accounting server.
l A security policy server is configured.
Configuration Procedure
You need to configure IP addresses for the devices as shown in Figure 1-4 and ensure that routes are available between devices.
Configure the access device (Switch):
1) Configure a RADIUS scheme
# Create a RADIUS scheme named rs1 and enter its view.
# Set the server type to extended.
# Configure the primary authentication server, the primary accounting server, and the communication keys.
# Configure the IP address of the security policy server.
2) Configure an authentication domain
# Create an ISP domain named dm1 and enter its view.
# Configure the ISP domain to use RADIUS scheme rs1.
# Configure dm1 as the default ISP domain, allowing all users to share the authentication and accounting modes of the default domain.
3) Configure the ACL (ACL 3000 ) for restricted resources and the ACL (ACL 3001) for unrestricted resources
On the security policy server, you need to specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
4) Configure portal authentication
# Configure the portal server as follows:
l Name: newpt
l IP address: 192.168.0.111
l Key: portal
l Port number: 50100
l URL: http://192.168.0.111/portal.
# Enable portal authentication on the interface connecting the host.
# Configure the IP address of the interface connected with the portal server.
Complete Configuration
#
domain default enable dm1
#
#
portal server newpt ip 192.168.0.111 key portal url http://192.168.0.111/portal
#
radius scheme rs1
server-type extended
primary authentication 192.168.0.112
primary accounting 192.168.0.112
key authentication radius
key accounting radius
user-name-format without-domain
security-policy-server 192.168.0.113
#
domain dm1
authentication portal radius-scheme rs1
authorization portal radius-scheme rs1
accounting portal radius-scheme rs1
#
acl number 3000
rule permit ip destination 192.168.0.0 0.0.0.255
#
acl number 3001
rule permit ip
#
interface Vlan-interface2
ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface100
ip address 2.2.2.1 255.255.255.0
portal server newpt method direct
#
Configuration Guidelines
For configuration about the security policy server, refer to CAMS EAD Security Policy Component User Manual.
Comments