R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101

[Firewall-GigabitEthernet0/2] dhcp relay address-check enable
# Enable portal authentication on the interface connecting the host.
[Firewall-GigabitEthernet0/2] portal server newpt method redhcp
[Firewall-GigabitEthernet0/2] quit
Configuring cross-subnet portal authentication with extended functions
Network requirements
As shown in Figure 122:
Firewall A is configured for cross-subnet extended portal authentication. If a user fails the security
check after passing identity authentication, the user can access only subnet 192.168.0.0/24. After
passing the security check, the user can access Internet resources.
The host accesses Firewall A through Firewall B.
A RADIUS server serves as the authentication/accounting server.
Figure 122 Network diagram
Configuration procedure
NOTE:
Make sure that the IP address of the portal device added on the portal server is the IP address of the
interface connecting users (20.20.20.1 in this example), and the IP address group associated with the
portal device is the network segment where the users reside (8.8.8.0/24 in this example).
Configure IP addresses for the host, Firewalls, and servers as shown in Figure 122 and make sure that
routes are available between devices.
Configure the RADIUS server properly to provide authentication/accounting functions for users.
1. Configure a RADIUS scheme on Firewall A.
# Create a RADIUS scheme named rs1 and enter its view.
<FirewallA> system-view
[FirewallA] radius scheme rs1