R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101
[Firewall-radius-rs1] security-policy-server 192.168.0.114
[Firewall-radius-rs1] quit
2. Configure an authentication domain
# Create an ISP domain named dm1 and enter its view.
[Firewall] domain dm1
# Configure the ISP domain to use RADIUS scheme rs1.
[Firewall-isp-dm1] authentication portal radius-scheme rs1
[Firewall-isp-dm1] authorization portal radius-scheme rs1
[Firewall-isp-dm1] accounting portal radius-scheme rs1
[Firewall-isp-dm1] quit
# Configure dm1 as the default ISP domain for all users. If a user logs in with a username that carries
no ISP domain, the authentication, authorization, and accounting methods of the default domain are used
for that user.
[Firewall] domain default enable dm1
3. Configure the ACL (ACL 3000) for resources in subnet 192.168.0.0/24 and the ACL (ACL 3001) for Internet resources
NOTE:
On the security policy server, specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
[Firewall] acl number 3000
[Firewall-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Firewall-acl-adv-3000] quit
[Firewall] acl number 3001
[Firewall-acl-adv-3001] rule permit ip
[Firewall-acl-adv-3001] quit
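The two ACLs above are what the security policy server assigns to a user depending on the result of the security check: ACL 3000 (the isolation ACL) confines an unpatched host to the 192.168.0.0/24 subnet, and ACL 3001 (the security ACL) permits all IP traffic once the host passes. The following Python model is an added example, not part of the HP guide, that reproduces the matching semantics of these rules so the effect of each ACL can be checked before the configuration is deployed. It assumes that the advanced ACL rules use a Comware-style wildcard mask (1 bits are "don't care", the inverse of a subnet mask) and that traffic matching no rule of an authorization ACL is dropped; the addresses tested are taken from the guide's own example network, the rule table and helper names are this example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One 'rule permit/deny ip [destination A W]' line of an advanced ACL."""
    action: str                          # "permit" or "deny"
    dest: str = "0.0.0.0"                # destination address to match
    wildcard: str = "255.255.255.255"    # all-ones wildcard == any destination

    def matches(self, dst_ip: str) -> bool:
        ip = int(ipaddress.IPv4Address(dst_ip))
        base = int(ipaddress.IPv4Address(self.dest))
        wc = int(ipaddress.IPv4Address(self.wildcard))
        care = ~wc & 0xFFFFFFFF          # bits set in the wildcard are ignored
        return (ip & care) == (base & care)


def wildcard_for(cidr: str) -> str:
    """Convert a prefix such as 192.168.0.0/24 to the wildcard mask the ACL rule needs (0.0.0.255)."""
    return str(ipaddress.IPv4Network(cidr, strict=True).hostmask)


def evaluate(rules, dst_ip: str) -> str:
    """First matching rule wins. A packet matching no rule is treated as denied
    (assumption of this model for a server-assigned authorization ACL)."""
    for rule in rules:
        if rule.matches(dst_ip):
            return rule.action
    return "deny"


# The rules exactly as configured on the firewall in the guide's example.
ISOLATION_ACL_3000 = [Rule("permit", "192.168.0.0", wildcard_for("192.168.0.0/24"))]
SECURITY_ACL_3001 = [Rule("permit")]     # "rule permit ip" with no destination: any


def reachable(check_passed: bool, dst_ip: str) -> bool:
    """Which ACL governs the user depends on the security check result:
    isolation ACL while failing, security ACL once the host passes."""
    acl = SECURITY_ACL_3001 if check_passed else ISOLATION_ACL_3000
    return evaluate(acl, dst_ip) == "permit"


if __name__ == "__main__":
    # Constructed destinations: the security policy server (192.168.0.114) and
    # an arbitrary Internet host (assumed address 203.0.113.10, documentation range).
    for passed in (False, True):
        for dst in ("192.168.0.114", "203.0.113.10"):
            state = "passed" if passed else "isolated"
            print(f"{state:8} -> {dst:15} {'permit' if reachable(passed, dst) else 'deny'}")
```

Running it shows that an isolated host can still reach the security policy server and the rest of 192.168.0.0/24 (where the remediation resources are expected to live) but nothing outside it, which is the property to verify whenever the isolation ACL is edited: a rule that accidentally permits too much turns the quarantine into no quarantine at all.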
4. Configure extended portal authentication
# Configure the portal server as follows:
• Name: newpt
• IP address: 192.168.0.111
• Key: portal
• Port number: 50100
• URL: http://192.168.0.111/portal
[Firewall] portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0.111/portal
# Configure the firewall as a DHCP relay agent, and enable the invalid address check function.
[Firewall] dhcp enable
[Firewall] dhcp relay server-group 0 ip 192.168.0.112
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ip address 20.20.20.1 255.255.255.0
[Firewall-GigabitEthernet0/1] ip address 10.0.0.1 255.255.255.0 sub
[Firewall-GigabitEthernet0/1] dhcp select relay
[Firewall-GigabitEthernet0/1] dhcp relay server-select 0
[Firewall-GigabitEthernet0/1] dhcp relay address-check enable
# Enable portal authentication on the interface connecting the host.