R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101

[Firewall-isp-dm1] quit
# Configure dm1 as the default ISP domain for all users. Then, if a user enters the username without any
ISP domain at login, the authentication and accounting methods of the default domain are used for the
user.
[Firewall] domain default enable dm1
3. Configure the ACL (ACL 3000) for resources on subnet 192.168.0.0/24 and the ACL (ACL 3001) for
Internet resources
NOTE:
On the security policy server, specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
[Firewall] acl number 3000
[Firewall-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Firewall-acl-adv-3000] quit
[Firewall] acl number 3001
[Firewall-acl-adv-3001] rule permit ip
[Firewall-acl-adv-3001] quit
4. Configure extended portal authentication
# Configure the portal server as follows:
Name: newpt
IP address: 192.168.0.111
Key: portal
Port number: 50100
URL: http://192.168.0.111/portal.
[Firewall] portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0.111/portal
# Enable extended portal authentication on the interface connecting the host.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] portal server newpt method direct
[Firewall-GigabitEthernet0/1] quit
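To make concrete what the two ACLs in step 3 do once the security policy server assigns them, the following Python model is an added example, not code from the HP guide or the Comware software. It parses the two ACL rules exactly as configured above and evaluates a destination address against them using Comware wildcard-mask semantics (a wildcard bit of 0 means "compare this bit", so 0.0.0.255 covers a /24). The user states "authenticated" (identity check passed, security check not yet passed, so ACL 3000 applies) and "secure" (security check passed, so ACL 3001 applies) are illustrative names chosen here, and the rule that traffic matching no rule in a user's authorization ACL is denied is an assumption of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL definitions copied from the configuration on this page
# (ACL 3000 = isolation ACL, ACL 3001 = security ACL).
ACL_CONFIG = {
    3000: ["rule permit ip destination 192.168.0.0 0.0.0.255"],
    3001: ["rule permit ip"],
}

# Assumed mapping of portal user state to the ACL the security policy
# server assigns; the state names are illustrative, not Comware's.
STATE_TO_ACL = {
    "authenticated": 3000,   # identity check passed, security check not yet passed
    "secure": 3001,          # identity check and security check both passed
}


@dataclass
class AclRule:
    action: str                      # "permit" or "deny"
    dest_net: Optional[str] = None   # None means any destination
    dest_wild: Optional[str] = None  # Comware wildcard mask (inverse of a subnet mask)

    def matches(self, dst: str) -> bool:
        if self.dest_net is None:
            return True
        a = int(ipaddress.IPv4Address(dst))
        n = int(ipaddress.IPv4Address(self.dest_net))
        w = int(ipaddress.IPv4Address(self.dest_wild))
        care = 0xFFFFFFFF ^ w        # wildcard bits that are 0 are the bits compared
        return (a & care) == (n & care)


def parse_rule(line: str) -> AclRule:
    """Parse 'rule [id] permit|deny ip [destination NET WILDCARD]' (a subset of the syntax)."""
    tokens = line.split()
    if not tokens or tokens[0] != "rule":
        raise ValueError(f"not an ACL rule: {line!r}")
    pos = 1
    if tokens[pos].isdigit():        # optional explicit rule number
        pos += 1
    action = tokens[pos]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    if tokens[pos + 1] != "ip":
        raise ValueError(f"only 'ip' rules are supported: {line!r}")
    rest = tokens[pos + 2:]
    if not rest:
        return AclRule(action)
    if rest[0] == "destination" and len(rest) == 3:
        return AclRule(action, rest[1], rest[2])
    raise ValueError(f"unsupported rule clause: {line!r}")


def acl_decision(acl_number: int, dst: str) -> str:
    """First matching rule wins; traffic matching no rule is denied (assumed
    behaviour for a portal user's authorization ACL)."""
    for line in ACL_CONFIG[acl_number]:
        rule = parse_rule(line)
        if rule.matches(dst):
            return rule.action
    return "deny"


def permitted(state: str, dst: str) -> bool:
    """Would a portal user in `state` be allowed to reach `dst`?"""
    acl = STATE_TO_ACL.get(state)
    if acl is None:   # not yet authenticated: no authorization ACL in this model
        return False
    return acl_decision(acl, dst) == "permit"


if __name__ == "__main__":
    # 203.0.113.9 is a documentation address standing in for an Internet host.
    for state, dst in [("authenticated", "192.168.0.50"), ("authenticated", "203.0.113.9"),
                       ("secure", "203.0.113.9"), ("unauthenticated", "192.168.0.50")]:
        verdict = "permit" if permitted(state, dst) else "deny"
        print(f"{state:>15} -> {dst:<14} {verdict}")
```

Running the block shows the intended effect of the two ACLs: a user who has only passed identity authentication reaches 192.168.0.0/24 and nothing else, while a user who has also passed the security check matches the unconditional permit in ACL 3001. If you edit the isolation ACL, re-run the model to confirm it still excludes addresses outside the subnet, since a wildcard mask such as 0.0.255.255 silently widens the reachable range.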
Configuring re-DHCP portal authentication with extended
functions
Network requirements
As shown in Figure 79:
The host is directly connected to the firewall, and the firewall is configured for re-DHCP extended
portal authentication. The host is assigned an IP address by the DHCP server. Before extended
portal authentication, the host uses the assigned private IP address. After passing the
authentication, the host can obtain a public IP address.
When users of the host have passed identity authentication but have not passed the security check,
they can access only subnet 192.168.0.0/24. After passing the security check, they can access
Internet resources.
A RADIUS server serves as the authentication/accounting server.