R3303-HP 6600/HSR6600 Routers Security Configuration Guide
159
[RouterA-radius-rs1] key authentication simple radius
[RouterA-radius-rs1] user-name-format without-domain
# Configure the IP address of the security policy server.
[RouterA-radius-rs1] security-policy-server 192.168.0.113
[RouterA-radius-rs1] quit
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[RouterA] domain dm1
# Configure AAA methods for the ISP domain.
[RouterA-isp-dm1] authentication portal radius-scheme rs1
[RouterA-isp-dm1] authorization portal radius-scheme rs1
[RouterA-isp-dm1] quit
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username
without any ISP domain at logon, the authentication/authorization methods of the default domain
are used for the user.
[RouterA] domain default enable dm1
3. Configure the ACL (ACL 3000 ) for resources on subnet 192.168.0.0/24 and the ACL (ACL 3001)
for Internet resources:
[RouterA] acl number 3000
[RouterA-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[RouterA-acl-adv-3000] rule deny ip
[RouterA-acl-adv-3000] quit
[RouterA] acl number 3001
[RouterA-acl-adv-3001] rule permit ip
[RouterA-acl-adv-3001] quit
Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the
security policy server.
4. Configure extended portal authentication:
# Configure the portal server as follows:
{ Name: newpt
{ IP address: 192.168.0.111
{ Key: portal, in plain text
{ Port number: 50100
{ U R L : h t t p : / / 19 2.16 8 . 0 .111:8080/portal
[RouterA] portal server newpt ip 192.168.0.111 key simple portal port 50100 url
http://192.168.0.111:8080/portal
# Enable portal authentication on the interface connecting Router B.
[RouterA] interface gigabitethernet 3/0/2
[RouterA–GigabitEthernet3/0/2] portal server newpt method layer3
[RouterA–GigabitEthernet3/0/2] quit
On Router B, configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1.
(Details not shown.)