Example for Configuring Portal Authentication Escape (Used When Both the Active and Standby Servers Are Faulty)
Networking Requirements
On the enterprise network shown in Figure 1, SwitchA functions as the access device, and two RADIUS/Portal servers are deployed for Portal + RADIUS authentication of users on the enterprise network. Users can access the Internet only after being successfully authenticated. The administrator has the following user authentication requirements: When the two RADIUS/Portal servers are faulty, users bypass authentication and are granted the same network access rights as they are successfully authenticated. After the RADIUS/Portal servers recover, users are re-authenticated and re-authorized by the RADIUS servers.
Configuration Precautions
- This section describes only NAC configurations on SwitchA. The RADIUS/Portal server configurations are not provided here.
The RADIUS authentication and accounting keys configured on the RADIUS server must be the same as the shared key of the RADIUS server configured on the device.
- The Portal shared key and port number configured on the Portal server must be the same as the shared key configured on the device and the port number used by the device to listen to Portal protocol packets.
- The default outbound interface IP address of the device is used as the source IP address for sending RADIUS packets to the RADIUS server. This IP address must be the same as the device IP address configured on the RADIUS server. You can change the source IP address as follows:
- Run the radius-server authentication ip-address port source command to configure a RADIUS authentication server and specify the source IP address used by the device to send RADIUS packets to the RADIUS authentication server.
- Run the radius-server accounting ip-address port source command to configure a RADIUS accounting server and specify the source IP address used by the device to send RADIUS packets to the RADIUS accounting server.
- The default outbound interface IP address of the device is used as the source IP address for sending Portal packets to the Portal server. This IP address must be the same as the device IP address configured on the Portal server. You can run the source-interface or source-ip command to change this IP address.
- Trigger the RADIUS server Down event.
[SwitchA] radius-server dead-interval 7 [SwitchA] radius-server dead-count 1
Run the test-aaa command for four times. The RADIUS server then goes Down.
Configuration Roadmap
- Configure network connectivity to ensure that devices are routable to each other.
- Configure AAA to implement RADIUS authentication, authorization, and accounting for users.
- Configure Portal authentication and configure the escape rights granted to users when the RADIUS/Portal servers are faulty.
Procedure
- Configure network connectivity.
# Create VLANs, configure the allowed VLANs on interfaces, and configure IP addresses for interfaces.
<HUAWEI> system-view [HUAWEI] sysname SwitchA [SwitchA] vlan batch 10 20 [SwitchA] interface gigabitethernet 0/0/2 [SwitchA-GigabitEthernet0/0/2] port link-type access [SwitchA-GigabitEthernet0/0/2] port default vlan 20 [SwitchA-GigabitEthernet0/0/2] quit [SwitchA] interface vlanif 20 [SwitchA-Vlanif20] ip address 192.168.2.10 24 [SwitchA-Vlanif20] quit [SwitchA] interface gigabitethernet 0/0/1 [SwitchA-GigabitEthernet0/0/1] port link-type trunk [SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 [SwitchA-GigabitEthernet0/0/1] quit [SwitchA] interface vlanif 10 [SwitchA-Vlanif10] ip address 192.168.1.10 24 [SwitchA-Vlanif10] quit
# Configure a route destined for RADIUS servers. In this example, the next hop is 192.168.1.1.
[SwitchA] ip route-static 10.7.66.0 255.255.255.0 192.168.1.1 - Configure AAA.
# Create a RADIUS server template named controller.
[SwitchA] radius-server template controller# Configure IP addresses and port numbers of the active and standby RADIUS authentication and accounting servers, set the algorithm for selecting RADIUS servers to master/backup, and set the RADIUS authentication key.
[SwitchA-radius-controller] radius-server authentication 10.7.66.66 1812 weight 80 [SwitchA-radius-controller] radius-server accounting 10.7.66.66 1813 weight 80 [SwitchA-radius-controller] radius-server authentication 10.7.66.67 1812 weight 40 [SwitchA-radius-controller] radius-server accounting 10.7.66.67 1813 weight 40 [SwitchA-radius-controller] radius-server algorithm master-backup [SwitchA-radius-controller] radius-server shared-key cipher Huawei@123
# Enable automatic detection.
[SwitchA-radius-controller] radius-server testuser username test1 password cipher abc@123# Configure the automatic detection interval and detection packet timeout interval for RADIUS servers in Down state. (In this example, the default values are used.)
[SwitchA-radius-controller] radius-server detect-server interval 60 [SwitchA-radius-controller] radius-server detect-server timeout 3
# Configure the retransmission times and timeout interval for RADIUS authentication request packets. (In this example, the default values are used.)
[SwitchA-radius-controller] radius-server retransmit 3 timeout 5 [SwitchA-radius-controller] quit
# Configure the conditions for setting the status of a RADIUS server to Down. (In this example, the default values are used.)
[SwitchA] radius-server dead-interval 5 [SwitchA] radius-server dead-count 2 [SwitchA] radius-server detect-cycle 2 [SwitchA] radius-server max-unresponsive-interval 300
# Configure an authentication scheme named auth and set the authentication mode to RADIUS.
[SwitchA] aaa [SwitchA-aaa] authentication-scheme auth [SwitchA-aaa-authen-auth] authentication-mode radius [SwitchA-aaa-authen-auth] quit
# Configure an accounting scheme named acc and set the accounting mode to RADIUS.
[SwitchA-aaa] accounting-scheme acc [SwitchA-aaa-accounting-acc] accounting-mode radius [SwitchA-aaa-accounting-acc] quit
# Configure a domain named huawei, and apply the authentication scheme auth, accounting scheme acc, and RADIUS server template controller to the domain.
[SwitchA-aaa] domain huawei [SwitchA-aaa-domain-huawei] authentication-scheme auth [SwitchA-aaa-domain-huawei] accounting-scheme acc [SwitchA-aaa-domain-huawei] radius-server controller [SwitchA-aaa-domain-huawei] quit [SwitchA-aaa] quit
- Configure Portal authentication.
# Change the NAC mode to unified.
By default, the unified mode is enabled. After you change the NAT mode between common and unified, the device automatically restarts.
[SwitchA] authentication unified-mode# Configure Portal server templates server1 and server2.[SwitchA] web-auth-server server1 [SwitchA-web-auth-server-server1] server-ip 10.7.66.66 [SwitchA-web-auth-server-server1] port 50200 [SwitchA-web-auth-server-server1] url http://10.7.66.66:8080/portal [SwitchA-web-auth-server-server1] shared-key cipher Huawei@123 [SwitchA-web-auth-server-server1] server-detect max-times 3 interval 60 [SwitchA-web-auth-server-server1] quit [SwitchA] web-auth-server server2 [SwitchA-web-auth-server-server2] server-ip 10.7.66.67 [SwitchA-web-auth-server-server2] port 50200 [SwitchA-web-auth-server-server2] url http://10.7.66.67:8080/portal [SwitchA-web-auth-server-server2] shared-key cipher Huawei@123 [SwitchA-web-auth-server-server2] server-detect max-times 3 interval 60 [SwitchA-web-auth-server-server2] quit
# Configure a Portal access profile named web1 and bind it to Portal server templates server1 and server2.[SwitchA] portal-access-profile name web1 [SwitchA-portal-acces-profile-web1] web-auth-server server1 server2 direct [SwitchA-portal-acces-profile-web1] quit
# Configure the escape rights granted to users when RADIUS servers are faulty. In this example, service scheme-based authorization is used during user escape. For other authorization modes, see (Optional) Configuring Authentication Event Authorization Information.
[SwitchA] acl 3001 [SwitchA-acl-adv-3001] rule 1 permit ip source 192.168.2.0 0.0.0.255 [SwitchA-acl-adv-3001] quit [SwitchA] aaa [SwitchA-aaa] service-scheme s1 [SwitchA-aaa-service-s1] acl-id 3001 [SwitchA-aaa-service-s1] quit [SwitchA-aaa] quit [SwitchA] authentication-profile name p1 [SwitchA-authen-profile-p1] authentication event authen-server-down action authorize service-scheme s1 [SwitchA-authen-profile-p1] quit
# Configure the escape rights granted to users when Portal servers are faulty, and enable the re-authentication function when the Portal servers recover. In this example, service scheme-based authorization is used during user escape. For other authorization modes, see (Optional) Configuring the Portal Escape Function.
[SwitchA] portal-access-profile name web1 [SwitchA-portal-acces-profile-web1] authentication event portal-server-down action authorize service-scheme s1 [SwitchA-portal-acces-profile-web1] authentication event portal-server-up action re-authen [SwitchA-portal-acces-profile-web1] quit
# Bind the Portal access profile web1 to the authentication profile, and configure the forcible authentication domain huawei.com for users using this authentication profile.
After a forcible domain is configured in an authentication profile, users using this authentication profile are authenticated in the domain no matter whether the user names carry domain names or carry what kind of domain names.
[SwitchA] authentication-profile name p1 [SwitchA-authen-profile-p1] portal-access-profile web1 [SwitchA-authen-profile-p1] access-domain huawei.com force [SwitchA-authen-profile-p1] quit
# Bind the authentication profile p1 to interfaces GE0/0/2 to GE0/0/n, and enable 802.1X authentication. The following uses the configuration of GE0/0/2 as an example:
[SwitchA] interface gigabitethernet 0/0/2 [SwitchA-GigabitEthernet0/0/2] authentication-profile p1 [SwitchA-GigabitEthernet0/0/2] quit
- Verify the configuration.
- A user starts a terminal and attempts to access the Internet, triggering redirection. The user enters the user name and password on the redirection page, triggering Portal authentication. After the Portal authentication is successful, the user can access the Internet.
- When the RADIUS/Portal servers are Down, the user can access the Internet.
- When the active RADIUS server is Down, the standby RADIUS server authorizes the user so that the user can access the Internet. When both the active and standby RADIUS servers are Down, the user enters the escape state and can access specified network resources. When the active Portal server is Down, the standby Portal server is used to authenticate the user. When both the active and standby Portal servers are Down, the user enters the escape state and can access specified network resources.
- After the user goes online, run the display access-user ip-address command on SwitchA to check information about the online user.