F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Access Control Configuration Guide-6PW100

[Firewall-GigabitEthernet0/2] quit
Configuring cross-subnet portal authentication
Network requirements
As shown in Figure 131, configure cross-subnet portal authentication on the firewall to authenticate users
on the host. Before a user passes portal authentication, the user can access only the portal server. After
the user passes portal authentication, the user can access Internet resources.
A RADIUS server serves as the authentication/accounting server.
Figure 131 Network diagram
Configuration prerequisites and guidelines
Configure IP addresses for the host, firewalls, and servers as shown in Figure 131 and make sure
they can reach each other.
Configure the RADIUS server properly to provide authentication and accounting functions for users.
Make sure the IP address of the portal device added on the portal server is the IP address of the
interface connecting users (20.20.20.1 in this example), and the IP address group associated with
the portal device is the network segment where the users reside (8.8.8.0/24 in this example).
Configuration procedure
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<Firewall> system-view
[Firewall] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to
extended.
[Firewall-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys
for communication with the servers.
[Firewall-radius-rs1] primary authentication 192.168.0.112
[Firewall-radius-rs1] primary accounting 192.168.0.112
[Firewall-radius-rs1] key authentication simple radius
[Firewall-radius-rs1] key accounting simple radius
# Specify that the ISP domain name should not be included in the username sent to the RADIUS
server.