R2511-HP MSR Router Series Security Configuration Guide(V5)

ManualsBrandsHP ManualsNetwork HardwareHP MSR1003-8 AC Router

341

342

343

344

345

346

347

348

349

350

328

• For re-DHCP portal authentication, configure a public address pool (20.20.20.0/24, in this

example) and a private address pool (10.0.0.0/24, in this example) on the DHCP server. (Details

not shown.)

• For re-DHCP portal authentication, the router must be configured as a DHCP relay agent and the

portal-enabled interface must be configured with a primary IP address (a public IP address) and a

secondary IP address (a private IP address). For information about DHCP relay agent configuration,

see Layer 3—IP Services Configuration Guide.

• Make sure the IP address of the portal device added on the portal server is the public IP address of

the interface connecting users (20.20.20.1 in this example), the private IP address range for the IP

address group associated with the portal device is the private network segment where the users

reside (10.0.0.0/24 in this example), and the public IP address range for the IP address group is

the public network segment 20.20.20.0/24.

Configuration procedure

1. Configure a RADIUS scheme:

# Create a RADIUS scheme named rs1 and enter its view.

<Router> system-view

[Router] radius scheme rs1

# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to

extended.

[Router-radius-rs1] server-type extended

# Specify the primary authentication/authorization server, and configure the keys for

communication with the servers.

[Router-radius-rs1] primary authentication 192.168.0.113

[Router-radius-rs1] key authentication simple radius

[Router-radius-rs1] user-name-format without-domain

# Configure the IP address of the security policy server.

[Router-radius-rs1] security-policy-server 192.168.0.114

[Router-radius-rs1] quit

2. Configure an authentication domain:

# Create an ISP domain named dm1 and enter its view.

[Router] domain dm1

# Configure AAA methods for the ISP domain.

[Router-isp-dm1] authentication portal radius-scheme rs1

[Router-isp-dm1] authorization portal radius-scheme rs1

[Router-isp-dm1] quit

# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters the

username without the ISP domain at logon, the authentication and authorization methods of the

default domain are used for the user.

[Router] domain default enable dm1

3. Configure ACL 3000 for resources on subnet 192.168.0.0/24 and ACL 3001 for Internet

resources:

[Router] acl number 3000

[Router-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255

[Router-acl-adv-3000] rule deny ip

[Router-acl-adv-3000] quit

[Router] acl number 3001