R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101
143
[FirewallA] portal server newpt ip 192.168.0.111 key portal port 50100 url
http://192.168.0.111:8080/portal
# Enable portal authentication on the interface connecting Firewall B.
[FirewallA] interface GigabitEthernet 0/2
[FirewallA–GigabitEthernet0/2] portal server newpt method layer3
[FirewallA–GigabitEthernet0/2] quit
On Firewall B, configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1.
(Details not shown.)
Configuring portal server detection and portal user information
synchronization
Network requirements
As shown in Figure 123, a host is directly connected to a Firewall (the access device) and must pass
portal authentication before it can access the Internet. A RADIUS server serves as the
authentication/accounting server.
Detailed requirements are as follows:
• The host is assigned with a public network IP address either manually or through DHCP. Before
passing portal authentication, the host can access only the portal server. After passing portal
authentication, the host can access the Internet.
• The access device (Firewall) can detect whether the portal server is reachable and send trap
messages upon state changes. When the portal server is unreachable due to, for example, a
connection failure, network device failure, or portal server failure, the access device can disable
portal authentication, allowing users to access the Internet without authentication.
• The access device can synchronize portal user information with the portal server periodically.
Figure 123 Network diagram
Configuration considerations
1. Configure the portal server and enable portal server heartbeat function and the portal user
heartbeat function.
2. Configure the RADIUS server to implement authentication and accounting.
3. Configure direct portal authentication on interface GigabitEthernet 0/2, which is directly
connected with the host.