R2511-HP MSR Router Series Security Configuration Guide(V5)

ManualsBrandsHP ManualsNetwork HardwareHP MSR1003-8 AC Router

331

332

333

334

335

336

337

338

339

340

326

Configuration prerequisites

• Configure IP addresses for the host, router, and servers as shown in Figure 100 and make sure they

can reach each other before extended portal is enabled.

• Configure the RADIUS server correctly to provide authentication and authorization functions for

users.

Configuration procedure

1. Configure a RADIUS scheme:

# Create a RADIUS scheme named rs1 and enter its view.

<Router> system-view

[Router] radius scheme rs1

# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to

extended.

[Router-radius-rs1] server-type extended

# Specify the primary authentication/authorization server, and configure the keys for

communication with the servers.

[Router-radius-rs1] primary authentication 192.168.0.112

[Router-radius-rs1] key authentication radius

[Router-radius-rs1] user-name-format without-domain

# Configure the IP address of the security policy server.

[Router-radius-rs1] security-policy-server 192.168.0.113

[Router-radius-rs1] quit

2. Configure an authentication domain:

# Create an ISP domain named dm1 and enter its view.

[Router] domain dm1

# Configure AAA methods for the ISP domain.

[Router-isp-dm1] authentication portal radius-scheme rs1

[Router-isp-dm1] authorization portal radius-scheme rs1

[Router-isp-dm1] quit

# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters the

username without the ISP domain at logon, the authentication and authorization methods of the

default domain are used for the user.

[Router] domain default enable dm1

3. Configure ACL 3000 for resources on subnet 192.168.0.0/24 and ACL 3001 for Internet

resources:

[Router] acl number 3000

[Router-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255

[Router-acl-adv-3000] rule deny ip

[Router-acl-adv-3000] quit

[Router] acl number 3001

[Router-acl-adv-3001] rule permit ip

[Router-acl-adv-3001] quit

Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the

security policy server.

4. Configure extended portal authentication:

# Configure the portal server as follows: