
CLI: Example for Configuring RADIUS Authentication on Remote Access Users Using EAP authentication IPSec VPN

This section describes how to configure EAP authentication IPSec VPN between an AP and the FW in wireless solutions.

Networking Requirements

As shown in Figure 1, a FW serves as a security gateway at the core network border. An IPSec VPN tunnel is set up between the AP and the FW to ensure data security. When EAP authentication IPSec VPN is used, the FW uses a RADIUS server to authenticate the AP. The tunnel can be set up only after the AP is authenticated.

Figure 1 RADIUS authentication on remote access users using EAP authentication IPSec VPN

Configuration Roadmap

This example describes only how to configure user management and authentication.

  1. Set the parameters for the FW to communicate with the RADIUS server (server address, authentication port, and shared key). The FW then works as a RADIUS client: it relays the AP's EAP authentication exchange to the RADIUS server and sets up the tunnel only if the server accepts the AP.
  2. Configure an authentication scheme and set the authentication mode to RADIUS.
  3. On the FW, create an authentication domain whose name is the same as the domain name stored on the SIM card of the AP, set the access control method to IKE EAP access, and reference the RADIUS server template and the authentication scheme in the domain.

Data Planning

Item: RADIUS server

Data:

  • Name: auth_server_radius

  • Shared Key: secret

  • Primary Authentication Server IP: 10.2.0.50

  • Port: 1812

Description: On the FW, set the parameters for communicating with the RADIUS server. The parameters on the FW must be consistent with those on the RADIUS server; in particular, the shared key is what the RADIUS server uses to verify that requests really come from the FW, so a mismatch causes every authentication to fail. The key secret is an example value only; use a long random key in a real deployment.

Item: Authentication domain

Data:

  • Name: example.org

  • Access Control: IKE EAP access

  • Authentication Server: auth_server_radius

Description: The example.org authentication domain is used during authentication. The domain name is stored on the SIM card of the AP, and you must obtain it in advance. The format of the domain name is similar to example.mnc001.mcc460.3gppnetwork.org.

Procedure

  1. Set interface IP addresses and assign interfaces to security zones on the FW. The following example describes how to configure interface GigabitEthernet 0/0/3 (core network side, trust zone). Configure the other interfaces based on the networking diagram; in the configuration script at the end of this example, GigabitEthernet 0/0/1 (1.1.1.1/24, AP side) is in the untrust zone and GigabitEthernet 0/0/2 (10.2.0.1/24, facing the RADIUS server) is in the dmz zone.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
    [FW-GigabitEthernet0/0/3] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/3
    [FW-zone-trust] quit
    

  2. Set the parameters for communication with a RADIUS server.

    [FW] radius-server template auth_server_radius 
    [FW-radius-auth_server_radius] radius-server shared-key cipher secret
    [FW-radius-auth_server_radius] radius-server authentication 10.2.0.50 1812
    [FW-radius-auth_server_radius] quit

  3. Configure an authentication scheme.

    [FW] aaa
    [FW-aaa] authentication-scheme eap
    [FW-aaa-authen-eap] authentication-mode radius
    [FW-aaa-authen-eap] quit
    

  4. Configure an authentication domain.

    [FW-aaa] domain example.org
    [FW-aaa-domain-example.org] authentication-scheme eap
    [FW-aaa-domain-example.org] radius-server auth_server_radius
    [FW-aaa-domain-example.org] service-type ike
    [FW-aaa-domain-example.org] quit
    [FW-aaa] quit
    

  5. Configure a security policy to allow the FW itself (local zone) to communicate with the RADIUS server in the dmz zone. The rule is limited to the RADIUS server address; it does not open any traffic for the AP.

    [FW] security-policy
    [FW-policy-security] rule name policy_local_02
    [FW-policy-security-rule-policy_local_02] source-zone local
    [FW-policy-security-rule-policy_local_02] destination-zone dmz
    [FW-policy-security-rule-policy_local_02] destination-address 10.2.0.50 32
    [FW-policy-security-rule-policy_local_02] action permit
    [FW-policy-security-rule-policy_local_02] quit
    [FW-policy-security] quit
    

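What the shared key configured in step 2 actually protects is the RADIUS exchange between the FW and the server: each Access-Request the FW sends on behalf of the AP carries the EAP message plus a Message-Authenticator keyed with that secret, and each reply carries a Response Authenticator the FW checks before trusting it. The following Python script is an added example written for this page, not Huawei code; it builds and verifies that exchange. The key secret and the NAS address 10.2.0.1 follow the data plan above, while the identity ap-0001@example.org, the EAP payloads, the packet identifier and the Request Authenticator are constructed for illustration.

```python
# Added example (Python, not Huawei code): the RADIUS packets the FW exchanges
# with the RADIUS server when relaying the AP's EAP authentication, and the
# checks each side runs under the shared key (RFC 2865 s3, RFC 3579 s3.2).
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
AUTH_LEN = 16  # size of every authenticator field in RADIUS

def attr(atype, value):
    """Encode one attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", atype, len(value) + 2) + value

def _header(code, ident, attrs, authenticator):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator

def _find_ma(attrs):
    """Offset of the Message-Authenticator TLV, or -1 if absent or malformed."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            return -1
        if atype == MESSAGE_AUTHENTICATOR:
            return i if alen == AUTH_LEN + 2 else -1
        i += alen
    return -1

def _message_authenticator(secret, code, ident, attrs_zeroed, request_auth):
    """RFC 3579 s3.2: HMAC-MD5 over the packet with the Message-Authenticator
    value zeroed; both directions put the Request Authenticator in the header."""
    data = _header(code, ident, attrs_zeroed, request_auth) + attrs_zeroed
    return hmac.new(secret, data, hashlib.md5).digest()

def _check_ma(secret, code, ident, attrs, request_auth):
    off = _find_ma(attrs)
    if off < 0:
        return False  # EAP-Message without Message-Authenticator: discard
    zeroed = attrs[:off + 2] + bytes(AUTH_LEN) + attrs[off + 2 + AUTH_LEN:]
    expected = _message_authenticator(secret, code, ident, zeroed, request_auth)
    return hmac.compare_digest(expected, attrs[off + 2:off + 2 + AUTH_LEN])

def build_access_request(secret, ident, user_name, nas_ip, eap_payload, request_auth=None):
    """FW -> server. The Request Authenticator must be unpredictable: it binds
    the server's reply to this request."""
    request_auth = request_auth or os.urandom(AUTH_LEN)
    attrs = (attr(USER_NAME, user_name.encode())
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(EAP_MESSAGE, eap_payload)
             + attr(MESSAGE_AUTHENTICATOR, bytes(AUTH_LEN)))
    mac = _message_authenticator(secret, ACCESS_REQUEST, ident, attrs, request_auth)
    attrs = attrs[:-AUTH_LEN] + mac
    return _header(ACCESS_REQUEST, ident, attrs, request_auth) + attrs

def verify_request(secret, packet):
    """Server side: a wrong shared key, a modified byte or a missing
    Message-Authenticator all fail here and the request is dropped."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    return _check_ma(secret, code, ident, packet[20:], packet[4:20])

def build_response(secret, code, request_packet, eap_payload):
    """Server -> FW: Message-Authenticator first, then the Response
    Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    ident, request_auth = request_packet[1], request_packet[4:20]
    attrs = attr(EAP_MESSAGE, eap_payload) + attr(MESSAGE_AUTHENTICATOR, bytes(AUTH_LEN))
    mac = _message_authenticator(secret, code, ident, attrs, request_auth)
    attrs = attrs[:-AUTH_LEN] + mac
    resp_auth = hashlib.md5(_header(code, ident, attrs, request_auth) + attrs + secret).digest()
    return _header(code, ident, attrs, resp_auth) + attrs

def verify_response(secret, request_packet, response_packet):
    """FW side: identifier matches the outstanding request, Response
    Authenticator verifies, Message-Authenticator verifies."""
    if len(response_packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response_packet[:4])
    if length != len(response_packet) or ident != request_packet[1]:
        return False
    request_auth, attrs = request_packet[4:20], response_packet[20:]
    expected = hashlib.md5(_header(code, ident, attrs, request_auth) + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_packet[4:20]):
        return False
    return _check_ma(secret, code, ident, attrs, request_auth)

def demo(fw_secret=b"secret", server_secret=b"secret"):
    """One round trip: (server accepted request, FW accepted reply, reply code)."""
    identity = "ap-0001@example.org"  # constructed NAI in the page's domain
    # EAP-Response/Identity (Code 2, Id 1, Type 1) as relayed from IKEv2; constructed
    eap_identity = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity.encode()
    req = build_access_request(fw_secret, 7, identity, "10.2.0.1", eap_identity)
    server_ok = verify_request(server_secret, req)
    # EAP-Request/SIM/Start (Type 18, Subtype 10), attributes omitted; constructed
    eap_sim_start = struct.pack("!BBH", 1, 2, 8) + b"\x12\x0a\x00\x00"
    resp = build_response(server_secret, ACCESS_CHALLENGE, req, eap_sim_start)
    return server_ok, verify_response(fw_secret, req, resp), resp[0]

if __name__ == "__main__":
    print("matching key:  ", demo())                      # (True, True, 11)
    print("mismatched key:", demo(b"secret", b"Secret"))  # (False, False, 11)
```

Running the script with matching keys shows both sides accepting the packets; running it with secret on the FW and Secret on the server shows the server rejecting the Access-Request and the FW rejecting the Access-Challenge, which is exactly the "parameters must be consistent" requirement in the data plan. The server never returns a reject for a bad Message-Authenticator in practice; it silently discards the packet, so on the FW the symptom is a RADIUS timeout rather than an authentication failure.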
Verification

After the RADIUS server accepts the AP, IKE negotiation completes and the AP can access the core network through the IPSec tunnel. Run the display ike sa command on the FW to check that the IKE SA with the AP has been established. If the RADIUS server rejects the AP, or the shared key on the FW does not match the one on the server, IKE negotiation fails and no tunnel is set up.

Configuration Scripts

#
 sysname FW
#         
radius-server template auth_server_radius 
 radius-server shared-key cipher %$%$73pu<+^]XV9mn=*qd}_,r3*!%$%$
 radius-server authentication 10.2.0.50 1812
 #
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0 
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#
aaa 
 authentication-scheme eap
  authentication-mode radius
 #
 domain example.org
  authentication-scheme eap
  radius-server auth_server_radius 
  service-type ike
 # 
security-policy
  rule name policy_local_02       
  source-zone local          
  destination-zone dmz    
  destination-address 10.2.0.50 32 
  action permit
#
return
Copyright © Huawei Technologies Co., Ltd.