HP VPN Firewall Appliances Access Control Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

171

172

173

174

175

176

177

178

179

180

171

# Specify that the ISP domain name should not be included in the username sent to the RADIUS

server.

[Firewall-radius-rs1] user-name-format without-domain

[Firewall-radius-rs1] quit

2. Configure an authentication domain:

# Create an ISP domain named dm1 and enter its view.

[Firewall] domain dm1

# Configure AAA methods for the ISP domain.

[Firewall-isp-dm1] authentication portal radius-scheme rs1

[Firewall-isp-dm1] authorization portal radius-scheme rs1

[Firewall-isp-dm1] accounting portal radius-scheme rs1

[Firewall-isp-dm1] quit

# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username

without any ISP domain at logon, the authentication and accounting methods of the default

domain are used for the user.

[Firewall] domain default enable dm1

3. Configure portal authentication:

# Configure the portal server as follows:

{ Name: newpt

{ IP address: 192.168.0.111

{ Key: portal, in plain text

{ Port number: 50100

{ U R L : h t t p : / / 19 2 .16 8 . 0 .111:8080/portal

[Firewall] portal server newpt ip 192.168.0.111 key simple portal port 50100 url

http://192.168.0.111:8080/portal

# Configure the firewall as a DHCP relay agent, and enable the IP address check function.

[Firewall] dhcp enable

[Firewall] dhcp relay server-group 0 ip 192.168.0.112

[Firewall] interface gigabitethernet 0/2

[Firewall–GigabitEthernet0/2] ip address 20.20.20.1 255.255.255.0

[Firewall–GigabitEthernet0/2] ip address 10.0.0.1 255.255.255.0 sub

[Firewall-GigabitEthernet0/2] dhcp select relay

[Firewall-GigabitEthernet0/2] dhcp relay server-select 0

[Firewall-GigabitEthernet0/2] dhcp relay address-check enable

# Enable re-DHCP portal authentication on the interface connecting the host.

[Firewall–GigabitEthernet0/2] portal server newpt method redhcp

[Firewall–GigabitEthernet0/2] quit

Configuring cross-subnet portal authentication

Network requirements

As shown in Figure 123, configure cross-subnet portal authentication on the firewall to authenticate users

on the host. Before a user passes portal authentication, the user can access only the portal server. After

the user passes portal authentication, the user can access Internet resources.

A RADIUS server serves as the authentication/accounting server.