
CLI: Example for Configuring Portal Authentication for Internet Access Users (the FW Participates in User Authentication+MAC Address-Prioritized Portal Authentication)

This section provides an example of configuring the FW that serves as the enterprise egress gateway to work with the Agile Controller for portal authentication and MAC authentication on users.

Networking Requirements

As shown in Figure 1, an enterprise has deployed the FW as the egress gateway at the network border to connect the intranet and Internet.

  • The network between the user and FW is a Layer 2 network, and the interface connecting the FW to the zone where the user resides is a Layer 2 interface.
  • The intranet portal server (a component of the Agile Controller) provides a portal authentication page. The FW redirects users' HTTP requests to the authentication page of the portal server.
  • The intranet RADIUS server (a component of the Agile Controller) stores user information and completes user authentication and MAC address-prioritized portal authentication.
  • Intranet users include R&D employees and marketing employees.
Figure 1 Example for configuring portal authentication for Internet access users (the FW participates in user authentication+MAC address-prioritized portal authentication)

An enterprise network administrator wants to use the user management and authentication mechanism provided by the FW to identify IP addresses on the enterprise network as users. Specific requirements are as follows:

  • R&D employees and marketing employees can access HTTP services without proactively accessing the portal authentication page of the portal server, because their HTTP requests will be automatically redirected to the portal authentication page of the portal server.
  • R&D employees and marketing employees can access network resources only after they pass portal authentication.
  • After they pass portal authentication, if their device IP addresses change, the FW can perform MAC authentication on the users within a given time range. During MAC authentication, users are not required to enter authentication information and therefore are unaware of the authentication, facilitating their access to network resources. After they pass MAC authentication, they can directly access network resources.
  • The FW saves security group information, not user information. The permissions of authenticated users are controlled on the basis of the groups they belong to.

Configuration Roadmap

This example describes only how to configure users and user authentication.

  1. Configure user information, authorization information, Portal server information, RADIUS server information, and MAC address-prioritized portal authentication on the Agile Controller so that the Agile Controller can interwork with the FW.
  2. Configure interfaces and security policies on the FW.
  3. Configure the RADIUS server.
  4. Configure authentication, authorization, and accounting schemes.
  5. Configure an authentication domain and reference the authentication, authorization, and accounting schemes.
  6. Configure Portal2.0 authentication.
  7. Configure the portal authentication page.
  8. Configure MAC address-prioritized portal authentication.
  9. Configure an authentication policy.

Data Planning

Agile Controller

R&D user information:
  • Account: user_0001
  • Password: Admin@123
  • Role: role1
  • Security group: research
Marketing user information:
  • Account: user_0002
  • Password: Admin@123
  • Role: role2
  • Security group: marketing

When a user is redirected to the portal authentication page of the portal server, the user needs to enter the account and password for authentication.

RADIUS parameters:
  • Authentication and accounting key: Admin@123
  • Authorization key: Admin@123

The RADIUS parameters configured on the Agile Controller must be consistent with those on the FW.

Portal authentication parameters:
  • Port: 2000
  • Portal key: Admin@123
  • Access device IP address list: 10.3.0.0/24
  • Portal protocol: Huawei Portal protocol
  • Enable heartbeat detection between the access device and Portal server
  • Portal server IP address: 10.2.0.50

The Portal parameters configured on the Agile Controller must be consistent with those on the FW.

  • Enable MAC address-prioritized portal authentication
  • MAC address validity period: 60 minutes

The MAC address validity period is 60 minutes, which means that the Agile Controller can authenticate a user's MAC address within 60 minutes after it receives that MAC address.

FW

RADIUS server:
  • Authentication/Accounting/Authorization server IP address: 10.2.0.50
  • Authentication port: 1812
  • Accounting port: 1813
  • Authentication and accounting key: Admin@123
  • Authorization key: Admin@123

The RADIUS server parameters configured on the FW must be consistent with those on the Agile Controller.

Portal server:
  • IP address: 10.2.0.50
  • Port: 50100
  • Portal key: Admin@123
  • Probe interval and probe retry count: 100s and 5
  • User synchronization period and synchronization count: 300s and 5
  • Portal authentication page: http://10.2.0.50:8080/portal

The portal server parameters configured on the FW must be consistent with those on the Agile Controller.

FW listening port: 2000

The port must be set on both the Agile Controller and FW. The port is the one for Portal authentication on the Agile Controller.

MAC address-prioritized portal authentication:

  • Enable MAC address-prioritized portal authentication
  • MAC authentication response failure time: 2 seconds
  • Enable online user MAC address check

To use MAC address-prioritized portal authentication, you need to enable online user MAC address check.

If the FW detects that the mapping between the IP address and MAC address changes, it forces the user out and re-initiates MAC address-prioritized portal authentication.

Procedure

  1. Configure user information, authorization information, portal server information, and RADIUS server information, and enable MAC address-prioritized portal authentication on the Agile Controller.
    1. Choose Resource > User > Role Management to create a role.

    2. Choose Resource > User > User Management to create a user and associate the user with the role.

    3. Choose Policy > Permission Control > Authentication & Authorization > Authorization Result to configure the authorization result. The attribute value research is the security group of the user and must be the same as the security group configured on the FW in step 7.

    4. Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule to configure an authorization rule. Reference the authorization result and role in the rule and associate the authorization result and role.

      The process for configuring marketing user information and authorization information is similar to the process for configuring R&D user and authorization information.

    5. Choose Resource > Device > Device Management to add a device and configure the portal server and RADIUS server.

      Parameter and description:
        • IP address: The interface on the FW must be able to communicate with the Agile Controller.
      RADIUS parameters:
        • Authentication and accounting key: The key must be the same as the shared key (configured in step 4) used by the FW to communicate with the authentication server and accounting server.
        • Authorization key: The key must be the same as the shared key (configured in step 4) used by the FW to communicate with the authorization server.
        • Realtime accounting period: This parameter is optional.
        • Device series: Use the default value.
      Portal authentication parameters:
        • Port: The port must be the same as the listening port configured in step 8.
        • Portal key: The key must be the same as the shared key configured in step 8.

    6. Choose System > Terminal Configuration > Global Parameters > Access Management to enable MAC address-prioritized portal authentication.

  2. Configure interfaces on the FW and assign them to security zones.

    After completing the preceding configurations on the Agile Controller, perform the following configurations on the FW.

    Configure GigabitEthernet 0/0/3 as a Layer 2 interface.

    <FW> system-view
    [FW] vlan batch 20
    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet0/0/3] portswitch
    [FW-GigabitEthernet0/0/3] port link-type access
    [FW-GigabitEthernet0/0/3] port default vlan 20
    [FW-GigabitEthernet0/0/3] quit

    # Configure VLANIF 20.

    [FW] interface vlanif 20
    [FW-Vlanif20] ip address 10.3.0.1 24
    [FW-Vlanif20] quit

    # Assign VLANIF 20 to security zone.

    [FW] firewall zone trust
    [FW-zone-trust] add interface vlanif 20
    [FW-zone-trust] quit

    Configure other interfaces as Layer 3 interfaces. Configuring GigabitEthernet 0/0/2 is described as an example.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet0/0/2] ip address 10.2.0.1 24
    [FW-GigabitEthernet0/0/2] quit
    [FW] firewall zone dmz
    [FW-zone-dmz] add interface GigabitEthernet 0/0/2
    [FW-zone-dmz] quit

  3. Create security policies on the FW.
    1. Configure a security policy for the Trust (where users reside) -> DMZ (where the portal server resides) interzone for users to access the portal authentication page of the portal server.

      [FW] security-policy
      [FW-policy-security] rule name sec_policy_tsm
      [FW-policy-security-rule-sec_policy_tsm] source-zone trust
      [FW-policy-security-rule-sec_policy_tsm] source-address 10.3.0.0 24
      [FW-policy-security-rule-sec_policy_tsm] destination-zone dmz
      [FW-policy-security-rule-sec_policy_tsm] destination-address 10.2.0.0 24
      [FW-policy-security-rule-sec_policy_tsm] action permit
      [FW-policy-security-rule-sec_policy_tsm] quit

      If the URL of the authentication page is a domain name and the DNS server that resolves it is deployed in the DMZ, you also need a security policy that permits DNS traffic from the Trust zone to the DMZ.

    2. Configure a security policy for the DMZ (where the portal and RADIUS servers reside) -> Local interzone to allow the portal and RADIUS servers to communicate with the FW.

      [FW-policy-security] rule name local_policy_01
      [FW-policy-security-rule-local_policy_01] source-zone local
      [FW-policy-security-rule-local_policy_01] destination-zone dmz
      [FW-policy-security-rule-local_policy_01] action permit
      [FW-policy-security-rule-local_policy_01] quit
      [FW-policy-security] rule name local_policy_02
      [FW-policy-security-rule-local_policy_02] source-zone dmz
      [FW-policy-security-rule-local_policy_02] destination-zone local
      [FW-policy-security-rule-local_policy_02] action permit
      [FW-policy-security-rule-local_policy_02] quit

  4. Configure the RADIUS server on the FW. The parameters must be consistent with those on the RADIUS server.

    # Configure the IP address and port of the RADIUS authentication and accounting server and the shared key for the FW to interact with the authentication and accounting server.

    [FW] radius-server template auth_server_radius 
    [FW-radius-auth_server_radius] radius-server authentication 10.2.0.50 1812
    [FW-radius-auth_server_radius] radius-server accounting 10.2.0.50 1813
    [FW-radius-auth_server_radius] radius-server shared-key cipher Admin@123
    [FW-radius-auth_server_radius] test-aaa testname testpassword radius-template auth_server_radius
    [FW-radius-auth_server_radius] quit

    # Configure the IP address of the RADIUS authorization server and the shared key for the FW to interact with the authorization server.

    [FW] radius-server authorization 10.2.0.50 shared-key cipher Admin@123

  5. Configure authentication, authorization, and accounting schemes.

    # Configure an authentication scheme and set the authentication mode to RADIUS.

    [FW] aaa
    [FW-aaa] authentication-scheme radius   //Configure authentication scheme radius.
    [FW-aaa-authen-radius] authentication-mode radius
    [FW-aaa-authen-radius] quit

    # Configure an authorization scheme and set the authorization mode to RADIUS.

    [FW] aaa
    [FW-aaa] authorization-scheme radius   //Configure authorization scheme radius.
    [FW-aaa-author-radius] authorization-mode radius
    [FW-aaa-author-radius] quit

    # Configure an accounting scheme and set the accounting mode to RADIUS.

    [FW] aaa
    [FW-aaa] accounting-scheme radius   //Configure accounting scheme radius.
    [FW-aaa-accounting-radius] accounting-mode radius
    [FW-aaa-accounting-radius] quit

  6. Configure an authentication domain and reference the RADIUS server template and authentication, authorization, and accounting schemes.

    [FW-aaa] domain default
    [FW-aaa-domain-default] authentication-scheme radius   //Bind the authentication domain with authentication scheme radius.
    [FW-aaa-domain-default] authorization-scheme radius   //Bind the authentication domain with authorization scheme radius.
    [FW-aaa-domain-default] accounting-scheme radius   //Bind the authentication domain with accounting scheme radius.
    [FW-aaa-domain-default] radius-server auth_server_radius   //Bind the authentication domain with the server template.
    [FW-aaa-domain-default] service-type internetaccess
    [FW-aaa-domain-default] quit
    [FW-aaa] quit

  7. Configure a security group where Internet access users reside.

    [FW] user-manage security-group research
    [FW-securitygroup-research] security-group-type static
    [FW-securitygroup-research] quit
    [FW] user-manage security-group marketing
    [FW-securitygroup-marketing] security-group-type static
    [FW-securitygroup-marketing] quit

  8. Configure Portal2.0 authentication.

    # Configure a portal server template and create portal server information in the portal server template.

    [FW] web-auth-server default
    [FW-web-auth-server-default] server-ip 10.2.0.50
    [FW-web-auth-server-default] port 50100
    [FW-web-auth-server-default] shared-key cipher Admin@123
    [FW-web-auth-server-default] server-detect interval 100 max-times 5 action log
    [FW-web-auth-server-default] user-sync interval 300 max-times 5
    [FW-web-auth-server-default] quit

    # Configure the Portal2.0 listening port and enable the FW to transparently pass the authentication reply messages from the RADIUS server on to the Agile Controller server.

    [FW] web-auth-server listening-port 2000
    [FW] web-auth-server reply-message

    # Configure a portal access template and bind it with the portal server template.

    [FW] portal-access-profile name default
    [FW-portal-acces-profile-default] web-auth-server default
    [FW-portal-acces-profile-default] quit

    # Configure an authentication template and bind it with the portal access template. In this scheme, you can only create an authentication template named portal_authen_default.

    [FW] authentication-profile name portal_authen_default
    [FW-authentication-profile-portal_authen_default] portal-access-profile default
    [FW-authentication-profile-portal_authen_default] quit

    # Configure a loopback0 interface and apply the authentication template to the loopback0 interface. Currently, you can only bind the authentication template named portal_authen_default to the loopback0 interface.

    [FW] interface loopback 0
    [FW-LoopBack0] authentication-profile portal_authen_default
    [FW-LoopBack0] quit

  9. Configure the portal authentication page. The portal URL must match the URL of the authentication page actually served by the portal server.

    [FW] user-manage portal-template portal
    [FW-portal-template-portal] portal-url http://10.2.0.50:8080/portal
    [FW-portal-template-portal] portal-url push information
    [FW-portal-template-portal] server-detect web-auth-server default
    [FW-portal-template-portal] quit

  10. Configure MAC address-prioritized portal authentication.

    # Enable MAC address-prioritized portal authentication and set the MAC entry aging time and MAC authentication response failure time.

    [FW] user-manage mac-access enable
    [FW] user-manage mac-access aging-time 1
    [FW] user-manage mac-access no-ack-time 2

    # Enable online user MAC address check.

    [FW] user-manage online-user mac-address check enable

    # Configure the MAC access template. Currently, only the default MAC access template mac_access_profile can be used.

    [FW] mac-access-profile name mac_access_profile

    # Configure an authentication template and bind it with the MAC access template.

    [FW] authentication-profile name portal_authen_mac
    [FW-authentication-profile-portal_authen_mac] access-domain default
    [FW-authentication-profile-portal_authen_mac] mac-access-profile mac_access_profile

    # Apply the authentication template to Layer 2 interface GigabitEthernet 0/0/3.

    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet0/0/3] authentication-profile portal_authen_mac

  11. Set the action of the authentication policy for traffic from users to the portal server to No authentication so that the users' authentication packets can pass through the FW to the portal server, and set the action of the authentication policy for users' access to other services to Portal authentication.

    [FW] auth-policy
    [FW-policy-auth] rule name auth_policy_tsm
    [FW-policy-auth-rule-auth_policy_tsm] source-zone trust
    [FW-policy-auth-rule-auth_policy_tsm] destination-zone dmz 
    [FW-policy-auth-rule-auth_policy_tsm] source-address 10.3.0.0 24
    [FW-policy-auth-rule-auth_policy_tsm] destination-address 10.2.0.50 32
    [FW-policy-auth-rule-auth_policy_tsm] action none
    [FW-policy-auth-rule-auth_policy_tsm] quit
    [FW-policy-auth] rule name auth_policy_service
    [FW-policy-auth-rule-auth_policy_service] source-zone trust
    [FW-policy-auth-rule-auth_policy_service] destination-zone untrust
    [FW-policy-auth-rule-auth_policy_service] source-address 10.3.0.0 24
    [FW-policy-auth-rule-auth_policy_service] action auth portal-template portal

  12. After completing the preceding configurations, reference the security group when configuring a security policy, PBR, proxy policy, audit policy, or quota control policy.

Verification

  • When R&D employees and marketing employees access extranet resources for the first time, they are redirected to the portal authentication page. After they successfully log in using the user accounts and passwords on the Agile Controller, they can access network resources.
  • If device IP addresses of R&D employees and marketing employees change, they can still access network resources in the next 60 minutes (the FW performs MAC authentication on them, and they are unaware of the MAC authentication).
  • Run the display user-manage online-user verbose command on the FW to display online user information.

Configuration Scripts

sysname FW
#
vlan batch 20
#
authentication-profile name portal_authen_default
 portal-access-profile default
authentication-profile name portal_authen_mac
 mac-access-profile mac_access_profile
#
user-manage portal-template portal
 portal-url push information
 portal-url http://10.2.0.50:8080/portal
 server-detect web-auth-server default
#
security-policy
 rule name sec_policy_tsm
  source-zone trust
  destination-zone dmz
  source-address 10.3.0.0 24
  destination-address 10.2.0.0 24
  action permit
 rule name local_policy_01
  source-zone local
  destination-zone dmz
  action permit
 rule name local_policy_02
  source-zone dmz
  destination-zone local
  action permit
 rule name sec_policy_01
  source-address 10.3.0.0 24
  source-zone trust
  destination-zone untrust
  action permit
#
radius-server template auth_server_radius
 radius-server shared-key cipher %^%#H**3(i3_k%ugc;,fvZG!,-:|*=(A5(y4Q_2t'3P%^%
 radius-server authentication 10.2.0.50 1812 weight 80
 radius-server accounting 10.2.0.50 1813 weight 80
 radius-server group-filter class
radius-server authorization 10.2.0.50 shared-key cipher %^%#K}(^&0opP~Q%fMUr3k*(59%N:,+H$*!(Vs%%^%#
#
web-auth-server default
 server-ip 10.2.0.50
 port 50100
 shared-key cipher %^%#/.6y+B[H{Q'wPG"lpVK,bx*Yg9C*5VEC;'-K7~Z%^%#
 server-detect interval 100 max-times 5 action log
 user-sync max-times 5
#
portal-access-profile name default
 web-auth-server default
#
mac-access-profile name mac_access_profile
#
user-manage mac-access enable
user-manage mac-access aging-time 1
user-manage mac-access no-ack-time 2
#
user-manage online-user mac-address check enable
#
aaa
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme radius
  authorization-mode radius
 accounting-scheme radius
  accounting-mode radius
 domain default
  authentication-scheme radius
  accounting-scheme radius
  authorization-scheme radius
  radius-server auth_server_radius
  service-type internetaccess
  internet-access mode password
#
interface Vlanif20
 ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 portswitch
 port link-type access
 port default vlan 20
 authentication-profile portal_authen_mac
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.2.0.1 24
#
interface LoopBack0
 authentication-profile portal_authen_default
#
firewall zone trust
 set priority 85
 add interface Vlanif20
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
auth-policy
 rule name auth_policy_tsm
  source-zone trust
  destination-zone dmz
  source-address 10.3.0.0 mask 255.255.255.0
  destination-address 10.2.0.50 mask 255.255.255.255
  action none
 rule name auth_policy_service
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action auth portal-template portal
#
return
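A practical way to catch the "must be consistent" mismatches that the Data Planning section warns about is to check the FW script against the plan automatically. The Python below is an added example written for this page, not Huawei or Agile Controller code: it parses a script in the layout shown above (the embedded excerpt is constructed, with encrypted keys replaced by a placeholder) and reports deviations from the planned addresses, ports and prerequisites. It assumes that auth-policy rules are matched top-down, so the exemption rule for the portal server must precede the portal-authentication rule.

```python
PLAN = {"server_ip": "10.2.0.50", "auth_port": "1812", "acct_port": "1813",  # from the
        "portal_port": "50100", "listening_port": "2000"}                     # Data Planning table

# Constructed excerpt of an FW configuration script, modelled on the one above
# (not captured from a device; encrypted keys replaced by a placeholder).
SAMPLE_CONFIG = """\
radius-server template auth_server_radius
 radius-server authentication 10.2.0.50 1812 weight 80
 radius-server accounting 10.2.0.50 1813 weight 80
radius-server authorization 10.2.0.50 shared-key cipher KEY_PLACEHOLDER
web-auth-server default
 server-ip 10.2.0.50
 port 50100
web-auth-server listening-port 2000
#
user-manage mac-access enable
user-manage online-user mac-address check enable
auth-policy
 rule name auth_policy_tsm
  destination-address 10.2.0.50 mask 255.255.255.255
  action none
 rule name auth_policy_service
  action auth portal-template portal
"""

def parse_config(text):
    """{top-level line: [child lines]} in order; indented lines belong to the last unindented one."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() in ("#", "return"):  # separators carry no config
            continue
        if line.startswith(" "):
            blocks.setdefault(current, []).append(line.strip())
        else:
            current = line
            blocks.setdefault(current, [])
    return blocks

def children(blocks, prefix):
    """Child lines of the first top-level line starting with prefix ([] if absent)."""
    return next((kids for head, kids in blocks.items() if head.startswith(prefix)), [])

def split_rules(lines):
    """Split flattened auth-policy children into [(rule name, [its lines])]."""
    rules = []
    for line in lines:
        if line.startswith("rule name "):
            rules.append((line[10:], []))
        elif rules:
            rules[-1][1].append(line)
    return rules

def check_plan(text, plan):
    """Return mismatches between the script and the plan; an empty list means consistent."""
    blocks, ip, findings = parse_config(text), plan["server_ip"], []
    need = lambda ok, msg: ok or findings.append(msg)  # record msg whenever ok is falsy
    radius = children(blocks, "radius-server template ")
    for kind, port in (("authentication", plan["auth_port"]), ("accounting", plan["acct_port"])):
        need(any(l.startswith(f"radius-server {kind} {ip} {port}") for l in radius),
             f"RADIUS {kind} server or port differs from plan")
    need(any(h.startswith(f"radius-server authorization {ip} ") for h in blocks),
         "RADIUS authorization server missing or not the planned IP")
    portal = children(blocks, "web-auth-server default")
    need(f"server-ip {ip}" in portal, "portal server IP differs from plan")
    need(f"port {plan['portal_port']}" in portal, "portal server port differs from plan")
    need(f"web-auth-server listening-port {plan['listening_port']}" in blocks,
         "FW listening port differs from the port set on the Agile Controller")
    if "user-manage mac-access enable" in blocks:  # page: online-user MAC check is a prerequisite
        need("user-manage online-user mac-address check enable" in blocks,
             "MAC-prioritized portal auth enabled without online-user MAC address check")
    # Assumption: rules match top-down, so the portal-server exemption must come before portal auth.
    rules = split_rules(children(blocks, "auth-policy"))
    exempt = [i for i, (_, b) in enumerate(rules)
              if "action none" in b and any(x.startswith(f"destination-address {ip} ") for x in b)]
    auth = [i for i, (_, b) in enumerate(rules) if any(x.startswith("action auth ") for x in b)]
    need(bool(exempt and auth and min(exempt) < min(auth)),
         "no 'action none' rule for the portal server ahead of the portal-auth rule")
    return findings
```

Feed it the output of display current-configuration from the FW and compare against the values agreed with the Agile Controller administrator; an empty list means every planned item matches.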
Copyright © Huawei Technologies Co., Ltd.