This section provides an example for configuring HTTPS web login using the CLI. The administrator account is stored on the RADIUS server, and the FW authenticates the administrator through the RADIUS server.
Networking Requirements
As shown in Figure 1, the FW connects to the RADIUS server to authenticate and authorize the administrator.
Figure 1 Networking diagram for configuring HTTPS web login
Data Planning
| Item | Data | Description |
|---|---|---|
| Administrator | User name/Password: radiusadmin/Admin@123; Level: 3 | The account name and password should be easy to remember. |
| RADIUS server | Name: myradius; IP address: 10.2.0.155; Shared key: Admin@123; Port: 1812 | Ensure that the configuration on the FW is consistent with that on the RADIUS server. |
| Port | Interface: GigabitEthernet 0/0/2; IP address: 10.2.0.1/24; Security zone: DMZ | Interface for communicating with the RADIUS server. |
| Port | Interface: GigabitEthernet 0/0/3; IP address: 172.16.0.1/24; Security zone: Trust | Interface for communicating with the administrator's PC. |
Configuration Roadmap
- Configure FW interfaces and security policies.
- Configure the web service on the device and enable the HTTPS service on interfaces so that the administrator can log in to the web UI through HTTPS.
- Configure a RADIUS server template, authentication scheme, authorization scheme, and authentication domain.
- Create an administrator on the RADIUS server and specify the administrator level.
Procedure
- Configure the FW.
- Set interface IP addresses and assign the interfaces to security zones.
# Set IP addresses of interfaces.
<FW> system-view
[FW] interface GigabitEthernet 0/0/2
[FW-GigabitEthernet 0/0/2] ip address 10.2.0.1 24
[FW-GigabitEthernet 0/0/2] quit
[FW] interface GigabitEthernet 0/0/3
[FW-GigabitEthernet 0/0/3] ip address 172.16.0.1 24
[FW-GigabitEthernet 0/0/3] service-manage enable
[FW-GigabitEthernet 0/0/3] service-manage https permit
[FW-GigabitEthernet 0/0/3] quit
# Assign interfaces to security zones.
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 0/0/3
[FW-zone-trust] quit
[FW] firewall zone dmz
[FW-zone-dmz] add interface GigabitEthernet 0/0/2
[FW-zone-dmz] quit
- Configure security policies for the FW.
# Configure a security policy from the Local zone to the DMZ so that the FW can proactively communicate with the RADIUS server.
[FW] security-policy
[FW-policy-security] rule name policy02
[FW-policy-security-rule-policy02] source-zone local
[FW-policy-security-rule-policy02] destination-zone dmz
[FW-policy-security-rule-policy02] destination-address 10.2.0.155 24
[FW-policy-security-rule-policy02] action permit
[FW-policy-security-rule-policy02] quit
[FW-policy-security] quit
- Enable the HTTPS service and set the service port and timeout period of the web service.
By default, the HTTPS service is enabled, and the default port number of the HTTPS service is 8443.
[FW] web-manager security enable port 8443
[FW] web-manager timeout 10
- Configure a RADIUS server template.
[FW] radius-server template myradius
[FW-radius-myradius] radius-server authentication 10.2.0.155 1812
[FW-radius-myradius] radius-server shared-key cipher Admin@123
[FW-radius-myradius] test-aaa testname testpassword radius-template myradius
[FW-radius-myradius] quit
- Configure authentication and authorization schemes.
# Configure an authentication scheme and set the authentication mode to RADIUS.
[FW] aaa
[FW-aaa] authentication-scheme radius //Configure authentication scheme radius.
[FW-aaa-authen-radius] authentication-mode radius
[FW-aaa-authen-radius] quit
# Set the authorization mode to RADIUS.
[FW-aaa] authorization-scheme radius //Configure authorization scheme radius.
[FW-aaa-author-radius] authorization-mode radius
[FW-aaa-author-radius] quit
- Configure an authentication domain and reference the RADIUS server template, authentication scheme, and authorization scheme in it.
[FW-aaa] domain radius
[FW-aaa-domain-radius] authentication-scheme radius //Configure authentication scheme radius.
[FW-aaa-domain-radius] authorization-scheme radius //Configure authorization scheme radius
[FW-aaa-domain-radius] radius-server myradius //Configure RADIUS server myradius.
[FW-aaa-domain-radius] service-type administrator-access
[FW-aaa-domain-radius] quit
[FW-aaa] quit
- Configure the RADIUS server. For the configuration methods of the RADIUS server you use, refer to related documents.
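The RADIUS server template above gives the FW a shared key (Admin@123) and the server's authentication port (1812). The CLI hides what that key does on the wire: it obfuscates the User-Password attribute in the Access-Request, and it keys the Response Authenticator that the FW checks before it trusts an Access-Accept or Access-Reject. This is why the data planning table insists that both sides hold the same value. The following is an added example and not code from this page or from the device vendor: a minimal in-memory RADIUS exchange in Python following RFC 2865 (PAP), with the FW side and the server side written as separate functions. The user database, the packet identifier and the use of 10.2.0.1 (the FW's DMZ interface address) as NAS-IP-Address are constructed for the example. It deliberately omits the Message-Authenticator attribute (RFC 2869) that production deployments should use, and it sends no reply attributes, so it does not model how the server conveys the administrator level.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request
    Authenticator, so the same password never encodes the same way twice."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_password (the server's side of the same operation).
    Trailing NUL padding is stripped, so the scheme cannot carry a password
    that itself ends in NUL bytes."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def _pack_attrs(pairs) -> bytes:
    # Each attribute is Type (1 byte), Length (1 byte, includes the header), Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, user, password, secret, request_auth, nas_ip):
    """FW side: Code, Identifier, Length, 16-byte Request Authenticator, attributes."""
    attrs = _pack_attrs([
        (USER_NAME, user.encode()),
        (USER_PASSWORD, encode_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def server_respond(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: decode the password with *its* copy of the shared key, look
    the user up, and sign the reply with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + ReplyAttributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = decode_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and hmac.compare_digest(users.get(user, "").encode(), password)
    reply_attrs = b""  # no reply attributes in this example
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(reply_attrs))
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """FW side: recompute the Response Authenticator with the FW's key; a reply
    signed with a different key is discarded, whatever its Code says."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def radius_login(user, password, fw_secret, server_secret, users, nas_ip="10.2.0.1"):
    """One Access-Request / reply round trip, entirely in memory (no sockets).
    fw_secret and server_secret are passed separately so a key mismatch can be shown."""
    ident, request_auth = 7, os.urandom(16)
    request = build_access_request(ident, user, password, fw_secret, request_auth, nas_ip)
    response = server_respond(request, server_secret, users)
    if response[1] != ident or not verify_response(response, request_auth, fw_secret):
        return "invalid-response-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], "unknown")


if __name__ == "__main__":
    db = {"radiusadmin": "Admin@123"}  # constructed user database
    print(radius_login("radiusadmin", "Admin@123", b"Admin@123", b"Admin@123", db))
    print(radius_login("radiusadmin", "Admin@123", b"Admin@123", b"Other@456", db))
```

With matching keys the server decodes the password and answers Access-Accept. With mismatched keys the server decodes garbage, answers Access-Reject, and signs that reply with its own key, so the FW side rejects the reply outright rather than reporting a wrong password; on a real device that distinction is what separates "RADIUS server unreachable or key mismatch" from "authentication failed" when the test-aaa command is run.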
Verification
- Use the administrator user name/password radiusadmin@radius/Admin@123 to log in to the FW through HTTPS. The login succeeds.
- Run the display manager-user online-user command on the FW. The command output shows that the administrator information is correct.
<FW> display manager-user online-user
----------------------------------------------------------------------------
UserID : 26
Username : radiusadmin@radius
IP address : 172.16.0.100
Access-type : web
User-level : 3
Authen method : RADIUS
Author method : RADIUS
Login time : 2017/03/27 09:55
----------------------------------------------------------------------------
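"Correct" in the verification step above means concrete things: the session belongs to the expected account, it arrived over the web service from the administrator's subnet, the level is 3, and both authentication and authorization were decided by RADIUS rather than locally. The following is an added example, not code from this page or from the device vendor: a Python parser for the display manager-user online-user output shown above, plus a check function that encodes those expectations. The sample output is the page's own output embedded as a constructed string; the administrator subnet 172.16.0.0/24 is taken from the GigabitEthernet 0/0/3 address in the data planning.

```python
import ipaddress
import re

# Constructed sample: the verification output shown above, copied verbatim.
SAMPLE_OUTPUT = """\
<FW> display manager-user online-user
----------------------------------------------------------------------------
UserID : 26
Username : radiusadmin@radius
IP address : 172.16.0.100
Access-type : web
User-level : 3
Authen method : RADIUS
Author method : RADIUS
Login time : 2017/03/27 09:55
----------------------------------------------------------------------------
"""

# "Field name : value"; the lazy name group stops at the first colon, so a
# value such as "09:55" is kept intact.
FIELD = re.compile(r"^([A-Za-z][A-Za-z -]*?)\s*:\s*(.*)$")


def parse_online_users(text: str) -> list:
    """Turn the dash-separated records into a list of {field: value} dicts.
    The command echo line and anything else without 'name : value' is ignored."""
    users, current = [], {}
    for line in text.splitlines():
        if line.startswith("----"):
            if current:
                users.append(current)
            current = {}
            continue
        m = FIELD.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        users.append(current)
    return users


def check_admin_session(user: dict, expected_user: str, expected_level: str, admin_subnet: str) -> list:
    """Return the list of deviations from a RADIUS-authenticated web session
    for the expected administrator; an empty list means the session is as planned."""
    problems = []
    expectations = {
        "Username": expected_user,
        "User-level": expected_level,
        "Access-type": "web",
        "Authen method": "RADIUS",   # authentication decided by the RADIUS server
        "Author method": "RADIUS",   # level/authorization also from RADIUS, not a local fallback
    }
    for field, want in expectations.items():
        got = user.get(field)
        if got != want:
            problems.append(f"{field}: expected {want!r}, got {got!r}")
    try:
        if ipaddress.ip_address(user.get("IP address", "")) not in ipaddress.ip_network(admin_subnet):
            problems.append(f"IP address: {user.get('IP address')} is outside {admin_subnet}")
    except ValueError:
        problems.append("IP address: missing or unparsable")
    return problems


if __name__ == "__main__":
    for session in parse_online_users(SAMPLE_OUTPUT):
        print(session["Username"], check_admin_session(session, "radiusadmin@radius", "3", "172.16.0.0/24") or "OK")
```

The same check is useful after the fact: if the authentication domain is misconfigured the FW may still admit a locally defined account, and the Authen method and Author method fields are where that shows up.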
Configuration Scripts
Only the configuration scripts related to the FW are provided.
#
web-manager security version tlsv1 tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
web-manager timeout 10
#
radius-server template myradius
radius-server shared-key cipher %@%@9hlwD}%l$-M+Dj/$IpO91e3I%@%@
radius-server authentication 10.2.0.155 1812 weight 80
undo radius-server user-name domain-included
radius-server group-filter class
#
aaa
authentication-scheme radius
authentication-mode radius
authorization-scheme radius
authorization-mode radius
domain radius
authentication-scheme radius
authorization-scheme radius
radius-server myradius
service-type administrator-access
internet-access mode password
reference user current-domain
#
interface GigabitEthernet0/0/2
ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
ip address 172.16.0.1 255.255.255.0
service-manage https permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet 0/0/3
#
firewall zone dmz
set priority 50
add interface GigabitEthernet0/0/2
#
security-policy
action permit
rule name policy02
source-zone local
destination-zone dmz
destination-address 10.2.0.155 mask 255.255.255.0
action permit
#
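The configuration script above is also the artifact a reviewer would audit before sign-off. Three points stand out in it: the web manager offers tlsv1 and tlsv1.1 alongside tlsv1.2 (both deprecated by RFC 8996), HTTPS management must be permitted only on the administrator-facing interface, and the Local-to-DMZ rule admits the whole 10.2.0.0/24 subnet rather than the single RADIUS server host. The following is an added example, not code from this page or from the device vendor: a small Python audit that splits a script of this style on its # separator lines and checks those three points. The embedded configuration is a trimmed, constructed copy of the script above; the hardened variant built from it in the usage section changes only the TLS version list and the destination mask, which are assumptions about how the device would be tightened rather than commands taken from this page.

```python
import re

# Constructed sample: a trimmed copy of the configuration script on this page,
# limited to the blocks the checks below look at.
SAMPLE_CONFIG = """\
#
web-manager security version tlsv1 tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
web-manager timeout 10
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 ip address 172.16.0.1 255.255.255.0
 service-manage https permit
#
security-policy
 rule name policy02
  source-zone local
  destination-zone dmz
  destination-address 10.2.0.155 mask 255.255.255.0
  action permit
#
"""

# Assumed hardening for comparison: offer TLS 1.2 only and scope the rule to the host.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("version tlsv1 tlsv1.1 tlsv1.2", "version tlsv1.2")
                   .replace("mask 255.255.255.0", "mask 255.255.255.255"))

DEPRECATED_TLS = {"tlsv1", "tlsv1.1"}  # RFC 8996 deprecates TLS 1.0 and 1.1


def split_blocks(config: str) -> list:
    """Split the script on '#' separator lines into blocks of stripped, non-empty lines."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def _ifname(head: str) -> str:
    # "interface GigabitEthernet 0/0/3" and "interface GigabitEthernet0/0/3" name the same port.
    return head.split(None, 1)[1].replace(" ", "")


def audit(config: str, admin_interface: str, radius_ip: str) -> list:
    """Return a list of findings; empty means the three checks passed."""
    findings = []
    for block in split_blocks(config):
        head = block[0]
        # Check 1: deprecated TLS versions offered by the web manager.
        for line in block:
            m = re.match(r"web-manager security version (.+)", line)
            if m:
                weak = sorted(DEPRECATED_TLS & set(m.group(1).split()))
                if weak:
                    findings.append("web-manager offers deprecated TLS versions: " + ", ".join(weak))
        # Check 2: HTTPS management permitted only on the administrator-facing interface.
        if head.startswith("interface ") and "service-manage https permit" in block:
            if _ifname(head) != admin_interface.replace(" ", ""):
                findings.append(f"HTTPS management permitted on {_ifname(head)}, expected only on {admin_interface}")
        # Check 3: the Local->DMZ rule is scoped to the RADIUS server host, not its subnet.
        if head == "security-policy":
            rule = None
            for line in block:
                if line.startswith("rule name "):
                    rule = line.split()[-1]
                m = re.match(r"destination-address (\S+) mask (\S+)", line)
                if m and (m.group(1), m.group(2)) != (radius_ip, "255.255.255.255"):
                    findings.append(f"rule {rule}: destination {m.group(1)} mask {m.group(2)} "
                                    f"is broader than host {radius_ip}/32")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as shown", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg, "GigabitEthernet 0/0/3", "10.2.0.155") or ["no findings"])
```

Run against the script as shown, the audit reports the TLS version list and the /24 destination; run against the hardened variant it reports nothing. The interface check passes for the script as shown because service-manage https permit appears only under GigabitEthernet 0/0/3, which is the intended administrator-facing port.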