R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

161

162

163

164

165

166

167

168

169

170

155

• Make sure the IP address of the portal device added on the portal server is the IP address of the

interface connecting users (20.20.20.1 in this example), and the IP address group associated with

the portal device is the network segment where the users reside (8.8.8.0/24 in this example).

Configuration procedure

1. Configure a RADIUS scheme:

# Create a RADIUS scheme named rs1 and enter its view.

<RouterA> system-view

[RouterA] radius scheme rs1

# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to

extended.

[RouterA-radius-rs1] server-type extended

# Specify the primary authentication/authorization server, and configure the keys for

communication with the servers.

[RouterA-radius-rs1] primary authentication 192.168.0.112

[RouterA-radius-rs1] key authentication simple radius

[RouterA-radius-rs1] user-name-format without-domain

# Configure the IP address of the security policy server.

[RouterA-radius-rs1] security-policy-server 192.168.0.113

[RouterA-radius-rs1] quit

2. Configure an authentication domain:

# Create an ISP domain named dm1 and enter its view.

[RouterA] domain dm1

# Configure AAA methods for the ISP domain.

[RouterA-isp-dm1] authentication portal radius-scheme rs1

[RouterA-isp-dm1] authorization portal radius-scheme rs1

[RouterA-isp-dm1] quit

# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username

without any ISP domain at logon, the authentication/authorization methods of the default domain

are used for the user.

[RouterA] domain default enable dm1

3. Configure the ACL (ACL 3000 ) for resources on subnet 192.168.0.0/24 and the ACL (ACL 3001)

for Internet resources:

[RouterA] acl number 3000

[RouterA-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255

[RouterA-acl-adv-3000] rule deny ip

[RouterA-acl-adv-3000] quit

[RouterA] acl number 3001

[RouterA-acl-adv-3001] rule permit ip

[RouterA-acl-adv-3001] quit

Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the

security policy server.

4. Configure extended portal authentication:

# Configure the portal server as follows:

{ Name: newpt

{ IP address: 192.168.0.111