R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101
135
Configuring cross-subnet portal authentication
Network requirements
As shown in Figure 119:
• Firewall A is configured for cross-subnet portal authentication. Before passing portal authentication,
a user can access only the portal server. After passing portal authentication, the user can access
Internet resources.
• The host accesses Firewall A through Firewall B.
• A RADIUS server serves as the authentication/accounting server.
Figure 119 Network diagram
Configuration procedure
NOTE:
• Make sure that the IP address of the portal device added on the portal server is the IP address of the
interface connecting users (20.20.20.1 in this example), and the IP address
g
roup associated with the
portal device is the network segment where the users reside (8.8.8.0/24 in this example).
• Configure IP addresses for the host, Firewalls, and servers as shown in Figure 119 an
d make sure that
they can reach each other.
• Configure the RADIUS server properly to provide authentication/accounting functions for users.
1. Configure a RADIUS scheme on the Firewall.
# Create a RADIUS scheme named rs1 and enter its view.
<FirewallA> system-view
[FirewallA] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to
extended.
[FirewallA-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys
for communication with the servers.
[FirewallA-radius-rs1] primary authentication 192.168.0.112
[FirewallA-radius-rs1] primary accounting 192.168.0.112
[FirewallA-radius-rs1] key authentication radius
[FirewallA-radius-rs1] key accounting radius
Firewall A
Host
8.8.8.2/24
GE0/2
20.20.20.1/24
Portal server
192.168.0.111/24
RADIUS server
192.168.0.112/24
GE0/1
192.168.0.100/24
Firewall B
GE0/2
8.8.8.1/24
GE0/1
20.20.20.2/24