R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

111

112

113

114

115

116

117

118

119

120

105

[FirewallA-radius-rs1] key accounting radius

# Specify that the ISP domain name should not be included in the username sent to the RADIUS server.

[FirewallA-radius-rs1] user-name-format without-domain

[FirewallA-radius-rs1] quit

2. Configure an authentication domain

# Create an ISP domain named dm1 and enter its view.

[FirewallA] domain dm1

# Configure the ISP domain to use RADIUS scheme rs1.

[FirewallA-isp-dm1] authentication portal radius-scheme rs1

[FirewallA-isp-dm1] authorization portal radius-scheme rs1

[FirewallA-isp-dm1] accounting portal radius-scheme rs1

[FirewallA-isp-dm1] quit

# Configure dm1 as the default ISP domain for all users. Then, if a user enters the username without the

ISP domain at login, the authentication and accounting methods of the default domain will be used for

the user.

[FirewallA] domain default enable dm1

3. Configure portal authentication

# Configure the portal server as follows:

• Name: newpt

• IP address: 192.168.0.111

• Key: portal

• Port number: 50100

• U R L : h t t p : / / 19 2.16 8 . 0 .111/portal.

[FirewallA] portal server newpt ip 192.168.0.111 key portal port 50100 url

http://192.168.0.111/portal

# Enable Layer 3 portal authentication on the interface connecting Firewall B.

[FirewallA] interface gigabitethernet 0/1

[FirewallA–GigabitEthernet0/1] portal server newpt method layer3

[FirewallA–GigabitEthernet0/1] quit

On Firewall B, you need to configure a default route to subnet 192.168.0.0/24, setting the next hop as

20.20.20.1. The configuration steps are omitted.

Configuring direct portal authentication with extended

functions

Network requirements

As shown in Figure 78:

• The host is directly connected to the firewall and the firewall is configured for direct portal

authentication. The host is assigned with a public network IP address manually or automatically by

a DHCP server. When users using the host have passed identity authentication but have not passed

security check, they can access only subnet 192.168.0.0/24. After passing security check, they can

access Internet resources.

• A RADIUS server serves as the authentication/accounting server.