R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

141

142

143

144

145

146

147

148

149

150

136

# Specify that the ISP domain name should not be included in the username sent to the RADIUS

server.

[FirewallA-radius-rs1] user-name-format without-domain

[FirewallA-radius-rs1] quit

2. Configure an authentication domain on the Firewall.

# Create an ISP domain named dm1 and enter its view.

[FirewallA] domain dm1

# Configure AAA methods for the ISP domain.

[FirewallA-isp-dm1] authentication portal radius-scheme rs1

[FirewallA-isp-dm1] authorization portal radius-scheme rs1

[FirewallA-isp-dm1] accounting portal radius-scheme rs1

[FirewallA-isp-dm1] quit

# Configure dm1 as the default ISP domain for all users. Then, if a user enters a username without

any ISP domain at logon, the authentication and accounting methods of the default domain will be

used for the user.

[FirewallA] domain default enable dm1

3. Configure portal authentication on the Firewall.

# Configure the portal server as follows:

{ Name: newpt

{ IP address: 192.168.0.111

{ Key: portal

{ Port number: 50100

{ U R L : h t t p : / / 19 2.16 8 . 0 .111:8080/portal.

[FirewallA] portal server newpt ip 192.168.0.111 key portal port 50100 url

http://192.168.0.111:8080/portal

# Enable Layer 3 portal authentication on the interface connecting Firewall B.

[FirewallA] interface GigabitEthernet 0/2

[FirewallA–GigabitEthernet0/2] portal server newpt method layer3

[FirewallA–GigabitEthernet0/2] quit

On Firewall B, configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1.

(Details not shown.)

Configuring direct portal authentication with extended

functions

Network requirements

As shown in Figure 120:

• The host is directly connected to the Firewall and the Firewall is configured for direct portal

authentication. The host is assigned with a public network IP address either manually or through

DHCP. If a user fails security check after passing identity authentication, the user can access only

subnet 192.168.0.0/24. After the user passes security check, the user can access Internet resources.

• A RADIUS server serves as the authentication/accounting server.