HP MSR2000/3000/4000 Router Series Security Configuration Guide

Configuring cross-subnet portal authentication
Network requirements
As shown in Figure 95, Router A supports portal authentication. The host accesses Router A through
Router B. A portal server serves as both a portal authentication server and a portal Web server. A
RADIUS server serves as the authentication/accounting server.
Configure Router A for cross-subnet portal authentication. Before passing authentication, the host can
access only the portal server. After passing authentication, the user can access Internet resources.
Figure 95 Network diagram
Configuration prerequisites and guidelines
• Configure IP addresses for the router and servers as shown in Figure 95 and make sure the host,
  router, and servers can reach each other.
• Configure the RADIUS server correctly to provide authentication and accounting functions.
• Make sure the IP address of the portal device added on the portal authentication server is the IP
  address (20.20.20.1) of the router's interface connecting the host, and that the IP address group
  associated with the portal device is the subnet of the host (8.8.8.0/24).
Configuration procedure
Perform the following configurations on Router A.
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<RouterA> system-view
[RouterA] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the shared
keys for communication with the servers. The keys must match the keys configured on the RADIUS server.
[RouterA-radius-rs1] primary authentication 192.168.0.112
[RouterA-radius-rs1] primary accounting 192.168.0.112
[RouterA-radius-rs1] key authentication simple radius
[RouterA-radius-rs1] key accounting simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
[RouterA-radius-rs1] user-name-format without-domain
[RouterA-radius-rs1] quit
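An added example, not part of the HP guide: a Python check that parses the RADIUS scheme commands shown above and flags shared keys that are missing, guessable (such as the sample value radius), or shorter than a local policy minimum. The 16-character minimum, the word list, and the function names are assumptions made for this illustration.

```python
import re

# Constructed sample: the Router A commands shown above, CLI prompts included.
SAMPLE = """\
<RouterA> system-view
[RouterA] radius scheme rs1
[RouterA-radius-rs1] primary authentication 192.168.0.112
[RouterA-radius-rs1] primary accounting 192.168.0.112
[RouterA-radius-rs1] key authentication simple radius
[RouterA-radius-rs1] key accounting simple radius
[RouterA-radius-rs1] user-name-format without-domain
[RouterA-radius-rs1] quit
"""

MIN_LEN = 16  # assumed local policy, not a value from the guide
GUESSABLE = {"radius", "secret", "password", "testing123"}  # constructed list
PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*")  # <RouterA> or [RouterA-...]

def parse_schemes(text):
    """Return {scheme: {"servers": {role: ip}, "keys": {role: (form, key)}}}."""
    schemes, current = {}, None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw).split()
        if words[:2] == ["radius", "scheme"] and len(words) == 3:
            current = schemes.setdefault(words[2], {"servers": {}, "keys": {}})
        elif current is None or words == ["quit"]:
            current = None  # outside a scheme view, or leaving it
        elif words[:1] == ["primary"] and len(words) >= 3:
            current["servers"][words[1]] = words[2]
        elif words[:1] == ["key"] and len(words) == 4:
            current["keys"][words[1]] = (words[2], words[3])
    return schemes

def audit(text):
    """Return sorted (scheme, role, problem) findings for each configured server."""
    findings = []
    for name, scheme in parse_schemes(text).items():
        for role in scheme["servers"]:
            form, key = scheme["keys"].get(role, (None, ""))
            if form is None:
                findings.append((name, role, "no shared key configured"))
            elif form == "simple" and key.lower() in GUESSABLE:
                findings.append((name, role, "guessable shared key"))
            elif form == "simple" and len(key) < MIN_LEN:
                findings.append((name, role, "shared key shorter than policy"))
    return sorted(findings)
```

Keys entered in a form other than simple are not judged, because their strength cannot be assessed from the stored text.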
# Enable RADIUS session control.