HP VPN Firewall Appliances Access Control Configuration Guide
175
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters the
username without the ISP domain at logon, the authentication and accounting methods of the
default domain are used for the user.
[Firewall] domain default enable dm1
3. Configure the ACL (ACL 3000 ) for resources on subnet 192.168.0.0/24 and the ACL (ACL 3001)
for Internet resources:
[Firewall] acl number 3000
[Firewall-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Firewall-acl-adv-3000] rule deny ip
[Firewall-acl-adv-3000] quit
[Firewall] acl number 3001
[Firewall-acl-adv-3001] rule permit ip
[Firewall-acl-adv-3001] quit
Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the
security policy server.
4. Configure extended portal authentication:
# Configure the portal server as follows:
{ Name: newpt
{ IP address: 192.168.0.111
{ Key: portal, in plain text
{ Port number: 50100
{ U R L : h t t p : / / 19 2 .16 8 . 0 .111:8080/portal
[Firewall] portal server newpt ip 192.168.0.111 key simple portal port 50100 url
http://192.168.0.111:8080/portal
# Enable extended portal authentication on the interface connecting the host.
[Firewall] interface gigabitethernet 0/2
[Firewall–GigabitEthernet0/2] portal server newpt method direct
[Firewall–GigabitEthernet0/2] quit
Configuring re-DHCP portal authentication with extended
functions
Network requirements
As shown in Figure 125, the host obtains an IP address from the DHCP server.
Configure the firewall to perform extended re-DHCP portal authentication for users on the host. Before a
user passes portal authentication, the DHCP server assigns a private IP address to the host. After the user
passes portal authentication, the DHCP server assigns a public IP address to the host. If a user fails
security check after passing identity authentication, the user can access only subnet 192.168.0.0/24.
After passing security check, the user can access Internet resources.
A RADIUS server serves as the authentication/accounting server.