
Example for Configuring Portal Authentication to Control User Access to the Enterprise Network (Authentication Point on Aggregation Switch)

Portal Authentication Overview

Portal authentication is a Network Admission Control (NAC) method. Portal authentication is also called web authentication. Generally, Portal authentication websites are referred to as Portal websites. Users must be authenticated by the Portal websites before they can use network services.

Portal authentication is insecure, but allows flexible networking because no client software is required on users' terminals. 802.1X authentication is another NAC method. It is more secure than Portal authentication, but requires client software on users' terminals, which makes networking less flexible. Like Portal authentication, MAC address authentication does not require client software, but the MAC addresses of user terminals must be registered on the authentication server, which makes network configuration and management complex.

Portal authentication applies to the users who are sparsely distributed and move frequently, for example, guests of a company.

Configuration Notes

  • This configuration example applies to all switches running V200R009C00 or a later version.
  • Huawei's Agile Controller-Campus (V100R001 in this example) functions as the Portal server and RADIUS server. The Agile Controller-Campus versions supported by this example are V100R001, V100R002, and V100R003.
  • The RADIUS authentication and accounting shared keys and Portal shared key on the switch must be the same as those on the Agile Controller-Campus server.
  • By default, the switch allows the packets from RADIUS and Portal servers to pass. You do not need to configure authentication-free rules for the two servers on the switch.
  • When you run the access-user arp-detect command to configure the IP address and MAC address of the user gateway as the source IP address and source MAC address of user offline detection packets, ensure that the MAC address of the gateway remains unchanged, especially in active/standby switchover scenarios. If the gateway MAC address is changed, ARP entries of terminals will be incorrect on the device, and the terminals cannot communicate with the device.

Networking Requirements

An enterprise needs to deploy an identity authentication system to control employees' network access rights and allow only authorized users to access the network. The enterprise has the following requirements:
  • The authentication operations should be simple. The authentication system only performs access authorization, and minimal client software is installed on user terminals.
  • Moderate security control is required. To simplify maintenance, the authentication points are deployed on the aggregation switch, which keeps the number of authentication points moderate.
  • A unified identity authentication mechanism is used to authenticate all terminals accessing the campus network and deny access from unauthorized terminals.
  • R&D employees can connect only to public servers (such as the web and DNS servers) of the enterprise before the authentication, and can connect to both the intranet (code library and issue tracking system) and Internet after being authenticated.
  • Marketing employees can connect only to public servers (such as the web and DNS servers) of the enterprise before the authentication, and can connect only to the Internet after being authenticated.

Figure 1 Portal authentication deployed at the aggregation layer

Data Plan

Table 1 VLAN plan (VLAN ID: function)
  • 101: VLAN for R&D employees
  • 102: VLAN for marketing employees
  • 103: VLAN to which the interfaces connecting to the servers belong

Table 2 Network data plan

Access switch (connecting to the R&D department)
  • Interface GE0/0/1, VLAN 101: connects to employees' PCs.
  • Interface GE0/0/2, VLAN 101: connects to the aggregation switch.

Access switch (connecting to the marketing department)
  • Interface GE0/0/1, VLAN 102: connects to employees' PCs.
  • Interface GE0/0/2, VLAN 102: connects to the aggregation switch.

Aggregation switch
  • Interface GE1/0/1, VLAN 101, VLANIF101 IP address 192.168.0.1: connects to the access switch of the R&D department and functions as the gateway for R&D employees.
  • Interface GE1/0/2, VLAN 102, VLANIF102 IP address 192.168.1.1: connects to the access switch of the marketing department and functions as the gateway for marketing employees.
  • Interface GE1/0/3, VLAN 103, VLANIF103 IP address 172.16.1.254: connects to the enterprise server area and functions as the gateway for servers.

Server
  • Agile Controller-Campus (RADIUS server + Portal server): IP address 172.16.1.1
  • DNS server: IP address 172.16.1.2
  • Web server: IP address 172.16.1.3
  • Code library: IP address 172.16.1.4
  • Issue tracking system: IP address 172.16.1.5

Table 3 Service data plan

Aggregation switch
  • ACL number for the R&D employees' post-authentication domain: 3001. Enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
  • ACL number for the marketing employees' post-authentication domain: 3002. Enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
  • Authentication server:
    • IP address: 172.16.1.1
    • Port number: 1812
    • RADIUS shared key: Admin@123
  • Accounting server:
    • IP address: 172.16.1.1
    • Port number: 1813
    • RADIUS shared key: Admin@123
    • Accounting interval: 15 minutes
  • Portal server:
    • IP address: 172.16.1.1
    • Port number that the switch uses to process Portal protocol packets: 2000
    • Destination port number in the packets that the switch sends to the Portal server: 50200
    • Portal authentication shared key: Admin@123
  • Notes on the server parameters:
    • The Service Controller (SC) of the Agile Controller-Campus integrates the RADIUS server and Portal server. Therefore, the IP addresses of the authentication server, accounting server, authorization server, and Portal server are all the SC's IP address.
    • Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as the authentication and accounting port numbers of the RADIUS server.
    • Configure an authorization server to enable the RADIUS server to deliver authorization rules to the switch. The RADIUS shared key of the authorization server must be the same as those of the authentication server and accounting server.

Agile Controller-Campus
  • Host name: access.example.com. Users can use this domain name to access the Portal server.
  • Device IP address (the switch as added on the Agile Controller-Campus): 172.16.1.254
  • Authentication port: 1812
  • Accounting port: 1813
  • RADIUS shared key: Admin@123. It must be the same as that configured on the switch.
  • Port number that the Portal server uses to receive packets: 50200
  • Portal shared key: Admin@123. It must be the same as the Portal authentication shared key configured on the switch.
  • Department R&D: user A, account A-123, password Huawei123
  • Department Marketing: user B, account B-123, password Huawei123

Two departments and two corresponding accounts have been created on the Agile Controller-Campus: the R&D department with the R&D employee account A-123, and the Marketing department with the marketing employee account B-123.

Pre-authentication domain
  • Agile Controller-Campus (including the RADIUS server and Portal server), DNS server, and web server

Post-authentication domain
  • R&D employees: code library, issue tracking system, and Internet
  • Marketing employees: Internet
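The plan above requires the same RADIUS shared key on the switch and on the SC, and has the SC hand back the ACL number of the user's post-authentication domain. The following Python script is an added example (not Huawei code and not part of the original page) that carries one Portal login through a minimal RFC 2865 Access-Request/Access-Accept exchange with the plan's values: the switch hides the password with the shared key, the server checks the account and returns the ACL number, and the switch validates the Response Authenticator before trusting the reply. Assumptions: the account table and the in-process server stand in for the Agile Controller-Campus, and the ACL number travels in the standard Filter-Id attribute (the page does not name the attribute the SC uses). Running it with a different key on the switch side shows why the key check in the Configuration Notes matters: the server recovers a garbage password and the reply's authenticator fails on the switch.

```python
import hashlib
import hmac
import os
import struct

# Values from the page's data plan: RADIUS shared key Admin@123, accounts A-123 and B-123
# with password Huawei123, authorized with ACLs 3001 and 3002. The ACL number is carried
# here in the standard Filter-Id attribute (an assumption for this example; the page does
# not name the attribute the Agile Controller-Campus uses). The account table is constructed.
SHARED_KEY = b"Admin@123"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11
ACCOUNTS = {b"A-123": (b"Huawei123", b"3001"), b"B-123": (b"Huawei123", b"3002")}


def encode_attr(attr_type, value):
    """One RADIUS attribute in Type-Length-Value form (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; only a party holding the same secret recovers the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth=None):
    """What the switch (NAS) sends to the SC at 172.16.1.1, UDP 1812, after the Portal form is submitted."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attr(USER_NAME, username) + encode_attr(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): ties the reply to the shared key."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def radius_server(request, secret, accounts=ACCOUNTS):
    """Minimal authentication server standing in for the SC (not Huawei code)."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    entry = accounts.get(attrs.get(USER_NAME))
    if entry and hmac.compare_digest(entry[0], password):
        code, reply_attrs = ACCESS_ACCEPT, encode_attr(FILTER_ID, entry[1])
    else:
        code, reply_attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, identifier, 20 + len(reply_attrs))
    return header + response_authenticator(code, identifier, reply_attrs, request_auth, secret) + reply_attrs


def nas_check_reply(reply, request_auth, secret):
    """Switch-side validation of the reply. Returns (status, acl_number)."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:length]
    expected = response_authenticator(code, identifier, attrs, request_auth, secret)
    if not hmac.compare_digest(reply[4:20], expected):
        return "authenticator-mismatch", None  # reply was not produced with our key: drop it
    if code == ACCESS_ACCEPT:
        return "accept", parse_attrs(attrs).get(FILTER_ID, b"").decode()
    return "reject", None


def authenticate(username, password, nas_key, server_key=SHARED_KEY):
    """One Portal login round trip: the NAS uses nas_key, the server uses server_key."""
    request_auth = os.urandom(16)
    request = build_access_request(7, username, password, nas_key, request_auth)
    reply = radius_server(request, server_key)
    return nas_check_reply(reply, request_auth, nas_key)


if __name__ == "__main__":
    print("matching keys, good password:", authenticate(b"A-123", b"Huawei123", b"Admin@123"))
    print("matching keys, bad password: ", authenticate(b"A-123", b"wrong", b"Admin@123"))
    print("switch key differs from SC:  ", authenticate(b"A-123", b"Huawei123", b"Admin@124"))
```

The third case is the one the Configuration Notes warn about: a key mismatch does not produce a clean reject but a reply the switch cannot validate, which on a real device shows up as the RADIUS server being marked unreachable rather than as an authentication failure for the user.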

Configuration Roadmap

  1. Configure the access switch and aggregation switch to ensure network connectivity.
  2. Configure Portal authentication on the aggregation switch to implement user access control. Configure parameters for connecting to the RADIUS server and those for connecting to the Portal server, enable Portal authentication, and configure network access rights for the pre-authentication domain and post-authentication domain.
  3. Configure the Agile Controller-Campus:
    1. Log in to the Agile Controller-Campus.
    2. Add user accounts to the Agile Controller-Campus.
    3. Add a switch to the Agile Controller-Campus and configure related parameters to ensure normal communication between the Agile Controller-Campus and switch.
    4. Add authorization results and authorization rules to the Agile Controller-Campus to grant different access rights to R&D employees and marketing employees after they are successfully authenticated.

Procedure

  1. Configure the access switch to ensure network connectivity.

    The following provides the configuration for SwitchA, the access switch connecting to the R&D department. The configuration for SwitchB, the access switch connecting to the marketing department, is similar.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] vlan 101
    [SwitchA-vlan101] quit
    [SwitchA] interface gigabitethernet 0/0/1    //Interface connected to the R&D department
    [SwitchA-GigabitEthernet0/0/1] port link-type access
    [SwitchA-GigabitEthernet0/0/1] port default vlan 101
    [SwitchA-GigabitEthernet0/0/1] quit
    [SwitchA] interface gigabitethernet 0/0/2    //Interface connected to the aggregation switch
    [SwitchA-GigabitEthernet0/0/2] port link-type trunk
    [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
    [SwitchA-GigabitEthernet0/0/2] quit

  2. Configure the aggregation switch.
    1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchC
      [SwitchC] dhcp enable    //Enable the DHCP service.
      [SwitchC] vlan batch 101 to 103
      [SwitchC] interface gigabitethernet 1/0/1    //Interface connected to the access switch of the R&D department
      [SwitchC-GigabitEthernet1/0/1] port link-type trunk
      [SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 101
      [SwitchC-GigabitEthernet1/0/1] quit
      [SwitchC] interface vlanif 101
      [SwitchC-Vlanif101] ip address 192.168.0.1 255.255.255.0    //IP address segment assigned to R&D employees
      [SwitchC-Vlanif101] dhcp select interface
      [SwitchC-Vlanif101] dhcp server dns-list 172.16.1.2
      [SwitchC-Vlanif101] quit
      [SwitchC] interface gigabitethernet 1/0/2    //Interface connected to the access switch of the marketing department
      [SwitchC-GigabitEthernet1/0/2] port link-type trunk
      [SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
      [SwitchC-GigabitEthernet1/0/2] quit
      [SwitchC] interface vlanif 102
      [SwitchC-Vlanif102] ip address 192.168.1.1 255.255.255.0    //IP address segment assigned to marketing employees.
      [SwitchC-Vlanif102] dhcp select interface
      [SwitchC-Vlanif102] dhcp server dns-list 172.16.1.2
      [SwitchC-Vlanif102] quit
      [SwitchC] interface gigabitethernet 1/0/3    //Interface connected to the server area
      [SwitchC-GigabitEthernet1/0/3] port link-type access
      [SwitchC-GigabitEthernet1/0/3] port default vlan 103
      [SwitchC-GigabitEthernet1/0/3] quit
      [SwitchC] interface vlanif 103
      [SwitchC-Vlanif103] ip address 172.16.1.254 255.255.255.0    //Configure the gateway address for the server area.
      [SwitchC-Vlanif103] quit

    2. Configure parameters for connecting to the RADIUS server.

      [SwitchC] radius-server template policy    //Create the RADIUS server template policy.
      [SwitchC-radius-policy] radius-server authentication 172.16.1.1 1812 source ip-address 172.16.1.254    //Configure the IP address and port number of the RADIUS authentication server.
      [SwitchC-radius-policy] radius-server accounting 172.16.1.1 1813 source ip-address 172.16.1.254    //Configure the IP address and port number of the RADIUS accounting server.
      [SwitchC-radius-policy] radius-server shared-key cipher Admin@123    //Set the authentication key and accounting key to Admin@123.
      [SwitchC-radius-policy] quit
      [SwitchC] aaa    //Enter the AAA view.
      [SwitchC-aaa] authentication-scheme auth    //Configure the authentication scheme auth.
      [SwitchC-aaa-authen-auth] authentication-mode radius    //Set the authentication mode to RADIUS.
      [SwitchC-aaa-authen-auth] quit
      [SwitchC-aaa] accounting-scheme acco    //Configure the accounting scheme acco.
      [SwitchC-aaa-accounting-acco] accounting-mode radius    //Set the accounting mode to RADIUS.
      [SwitchC-aaa-accounting-acco] accounting realtime 15    //Set the real-time accounting interval to 15 minutes.
      [SwitchC-aaa-accounting-acco] quit
      [SwitchC-aaa] domain portal    //Configure a domain.
      [SwitchC-aaa-domain-portal] authentication-scheme auth    //Bind the authentication scheme auth to the domain.
      [SwitchC-aaa-domain-portal] accounting-scheme acco    //Bind the accounting scheme acco to the domain.
      [SwitchC-aaa-domain-portal] radius-server policy    //Bind the RADIUS server template policy to the domain.
      [SwitchC-aaa-domain-portal] quit
      [SwitchC-aaa] quit
      [SwitchC] domain portal  //Configure portal as the global default domain.

    3. Configure parameters for connecting to the Portal server.

      [SwitchC] web-auth-server portal_huawei    //Configure the Portal server template portal_huawei.
      [SwitchC-web-auth-server-portal_huawei] server-ip 172.16.1.1    //Set the Portal server IP address.
      [SwitchC-web-auth-server-portal_huawei] source-ip 172.16.1.254    //Set the IP address that the switch uses to communicate with the Portal server.
      [SwitchC-web-auth-server-portal_huawei] port 50200    //Set the destination port number in the packets that the switch sends to the Portal server to 50200, which is the same as the port number that the Portal server uses to receive packets. The default destination port number on the switch is 50100, and you must change it to 50200 manually, so that it matches the port number on the Portal server.
      [SwitchC-web-auth-server-portal_huawei] shared-key cipher Admin@123    //Configure the shared key for communication with the Portal server, which must be the same as that configured on the Portal server.
      [SwitchC-web-auth-server-portal_huawei] url http://access.example.com:8080/portal    //Configure the URL for the Portal authentication page, in which access.example.com indicates the host name of the Portal server. The domain name is recommended in the URL so that the Portal authentication page can be pushed to users faster and more securely. To use the domain name in the URL, you must configure the mapping between this domain name access.example.com and Portal server IP address on the DNS server in advance.
      [SwitchC-web-auth-server-portal_huawei] quit
      [SwitchC] web-auth-server listening-port 2000    //Configure the port number that the switch uses to process Portal protocol packets. The default port number is 2000. If the port number is changed on the server, change it accordingly on the switch.
      [SwitchC] portal quiet-period    //Enable the quiet function for Portal authentication users. If the number of times that a Portal authentication user fails to be authenticated within 60 seconds exceeds the specified value, the device discards the user's Portal authentication request packets for a period to prevent impact of frequent authentication failures on the system.
      [SwitchC] portal quiet-times 5    //Configure the maximum number of authentication failures within 60 seconds before the device quiets a Portal authentication user.
      [SwitchC] portal timer quiet-period 240    //Set the quiet period to 240 seconds.

    4. Enable Portal authentication.

      [SwitchC] authentication unified-mode    //Set the NAC mode to unified. By default, the unified mode is enabled. After the NAC mode is changed, save the configuration and restart the device to make the configuration take effect.
      [SwitchC] interface vlanif 101
      [SwitchC-Vlanif101] authentication portal    //Enable Portal authentication on the interface.
      [SwitchC-Vlanif101] web-auth-server portal_huawei direct    //Bind the Portal server template to the interface, so the interface can control user access to the enterprise network. If user terminals and the switch are connected through a Layer 2 network, set the Portal authentication mode to direct. If user terminals and the switch are connected through a Layer 3 network, set the Portal authentication mode to layer3.
      [SwitchC-Vlanif101] quit
      [SwitchC] interface vlanif 102
      [SwitchC-Vlanif102] authentication portal    //Enable Portal authentication on the interface connecting to the marketing department.
      [SwitchC-Vlanif102] web-auth-server portal_huawei direct    //Bind the Portal server template to the interface, so the interface can control user access to the enterprise network. If user terminals and the switch are connected through a Layer 2 network, set the Portal authentication mode to direct. If user terminals and the switch are connected through a Layer 3 network, set the Portal authentication mode to layer3.
      [SwitchC-Vlanif102] quit

      # (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets. This function does not take effect for users who use Layer 3 Portal authentication.

      [SwitchC] access-user arp-detect vlan 101 ip-address 192.168.0.1 mac-address 2222-1111-1234
      [SwitchC] access-user arp-detect vlan 102 ip-address 192.168.1.1 mac-address 2222-1111-1234

    5. Configure network access rights for the pre-authentication domain and post-authentication domain.

      [SwitchC] authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255    //Configure authentication-free rules for Portal authentication users, so that these users can access the DNS server before the authentication.
      [SwitchC] authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255    //Configure authentication-free rules for Portal authentication users, so that these users can access the web server before the authentication.
      [SwitchC] acl 3001    //Configure the post-authentication domain for R&D employees.
      [SwitchC-acl-adv-3001] rule 1 permit ip    //Allow R&D employees to access all resources.
      [SwitchC-acl-adv-3001] quit
      [SwitchC] acl 3002    //Configure the post-authentication domain for marketing employees.
      [SwitchC-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0    //Prevent marketing employees from accessing the code library.
      [SwitchC-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0    //Prevent marketing employees from accessing the issue tracking system.
      [SwitchC-acl-adv-3002] rule 3 permit ip    //Allow marketing employees to access other resources.
      [SwitchC-acl-adv-3002] quit
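Step 5 above expresses the two domains as switch rules: free-rules for what an unauthenticated user may reach, and ACLs 3001 and 3002 for what the RADIUS server authorizes afterwards. The following Python script is an added example, not part of the original page and not Huawei code, that models how the switch applies them: it parses the page's free-rules (subnet masks) and ACL rules (wildcard masks), then answers whether a user in a given state may reach a destination. The evaluation order (free-rules before authentication, the authorized ACL afterwards, first matching rule wins) and the deny fallback for an ACL that matches nothing are this example's assumptions, and the Internet address 203.0.113.10 is constructed. It goes slightly beyond the page by accepting non-host wildcards such as 0.0.0.255.

```python
import ipaddress
import re

# Switch-side access-control model from this page: an unauthenticated user reaches only the
# free-rule destinations (plus the RADIUS/Portal server, which the Configuration Notes say the
# switch allows by default); an authenticated user is governed by the ACL the RADIUS server
# authorized, evaluated in rule-number order, first match wins. Rule text copied from SwitchC.
FREE_RULES = [
    "authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255",
    "authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255",
]
ACLS = {
    3001: ["rule 1 permit ip"],
    3002: [
        "rule 1 deny ip destination 172.16.1.4 0",
        "rule 2 deny ip destination 172.16.1.5 0",
        "rule 3 permit ip",
    ],
}
IMPLICIT_FREE = [ipaddress.ip_network("172.16.1.1/32")]  # Agile Controller-Campus (RADIUS + Portal)

ACL_RULE = re.compile(r"rule (\d+) (permit|deny) ip(?: destination (\S+) (\S+))?")
FREE_RULE = re.compile(r"authentication free-rule (\d+) destination ip (\S+) mask (\S+)")


def wildcard_to_network(ip, wildcard):
    """ACL rules use wildcard masks: 0 bits must match, 1 bits are don't-care.
    '0' is the short form of 0.0.0.0 (exact host). Assumes a contiguous wildcard."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    host = int(ipaddress.IPv4Address(ip))
    wild = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - bin(wild).count("1")
    base = ipaddress.IPv4Address(host & ~wild & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{base}/{prefix}", strict=False)


def parse_acl(lines):
    """Parse advanced-ACL rules into (number, action, destination network), sorted by rule number."""
    rules = []
    for line in lines:
        m = ACL_RULE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        num, action, dst, wild = m.groups()
        net = wildcard_to_network(dst, wild) if dst else ipaddress.ip_network("0.0.0.0/0")
        rules.append((int(num), action, net))
    return sorted(rules)


def parse_free_rules(lines):
    """Free-rules take a subnet mask (255.255.255.255 = one host), not a wildcard."""
    nets = []
    for line in lines:
        m = FREE_RULE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unsupported free-rule syntax: {line!r}")
        _, ip, mask = m.groups()
        nets.append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
    return nets


def user_access(dst_ip, authorized_acl=None, free_rules=FREE_RULES, acls=ACLS):
    """Decide whether a user may reach dst_ip. authorized_acl is None before authentication,
    otherwise the ACL number the RADIUS server returned. Returns (decision, reason)."""
    dst = ipaddress.ip_address(dst_ip)
    if authorized_acl is None:
        if any(dst in net for net in IMPLICIT_FREE + parse_free_rules(free_rules)):
            return "permit", "pre-authentication domain"
        return "deny", "not authenticated and not in the pre-authentication domain"
    for num, action, net in parse_acl(acls[authorized_acl]):
        if dst in net:
            return action, f"acl {authorized_acl} rule {num}"
    # Both ACLs on the page end in 'permit ip', so this line is never reached with the page's
    # data. An ACL without a final catch-all rule falls through to the platform default, which
    # this example models conservatively as deny (assumption).
    return "deny", f"acl {authorized_acl}: no rule matched"


if __name__ == "__main__":
    states = (("unauthenticated", None), ("R&D (A-123)", 3001), ("Marketing (B-123)", 3002))
    for who, acl in states:
        for dst in ("172.16.1.2", "172.16.1.4", "172.16.1.5", "203.0.113.10"):
            print(f"{who:18} -> {dst:13} {user_access(dst, acl)}")
```

The table the script prints is exactly the verification list at the end of the procedure: DNS and web are reachable before login, the code library and issue tracker are reachable only with ACL 3001, and the Internet is reachable with either ACL.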

  3. Configure the Agile Controller-Campus.
    1. Log in to the Agile Controller-Campus.

      1. Open Internet Explorer, enter the Agile Controller-Campus address in the address box, and press Enter.
        The Agile Controller-Campus address can be entered in either of two forms:
        • https://Agile Controller-Campus-IP:8443, where Agile Controller-Campus-IP indicates the Agile Controller-Campus IP address.
        • The Agile Controller-Campus IP address alone. If port 80 is enabled during installation, you can access the Agile Controller-Campus by simply entering its IP address without the port number; the address automatically changes to https://Agile Controller-Campus-IP:8443.

      2. Enter the administrator account and password.

        If you log in to the Agile Controller-Campus for the first time, use the super administrator account admin and password Changeme123. Change the password immediately after logging in. Otherwise, the Agile Controller-Campus cannot be used.

    2. Create departments and accounts. The following describes how to create the R&D department. Create the Marketing department similarly.

      1. Choose Resource > User > User Management.
      2. Click the Department tab in the operation area on the right. Then click Add under the Department tab, and add the department R&D.

      3. Click the User tab in the operation area on the right. Then click Add under the User tab, and add the user A.

      4. In the Operation column on the right of user A, open the Account Management page. Click Add, and create a common account A-123 with the password Huawei123.

      5. On the User tab page, select user A and click Transfer to add user A to the R&D department.

    3. Add a switch to the Agile Controller-Campus and configure related parameters to ensure normal communication between the Agile Controller-Campus and switch.

      1. Choose Resource > Device > Device Management.
      2. Click Add.
      3. Configure parameters for the switch.
        • Name: SW
        • IP Address: 172.16.1.254. The interface must be able to communicate with the SC.
        • Device series: Huawei Quidway Series
        • Authentication Key: Admin@123. It must be the same as the shared key of the RADIUS authentication server configured on the switch.
        • Charging Key: Admin@123. It must be the same as the shared key of the RADIUS accounting server configured on the switch.
        • Real-time charging interval (minute): 15. It must be the same as the real-time accounting interval configured on the switch.
        • Port: 2000. This is the port that the switch uses to communicate with the Portal server. Retain the default value.
        • Portal Key: Admin@123. It must be the same as the Portal shared key configured on the switch.
        • Allowed IP Addresses: 192.168.0.1/24; 192.168.1.1/24

      4. Click OK.

    4. Configure employee authorization. This example describes how to configure R&D employee authorization. The configuration procedure for marketing employees is the same, except that the network resources the two types of employees can access are different.

      1. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and configure the resources that R&D employees can access after authentication and authorization.
        • Name: R&D employee post-authentication domain
        • Service Type: Access Service
        • ACL Number/AAA User Group: 3001. The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.

      2. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule, and specify the authorization conditions for R&D employees.
        • Name: R&D employee authorization rule
        • Service Type: Access User
        • Department: R&D
        • Authorization Result: R&D employee post-authentication domain

  4. Verify the configuration.

    • Employees can access only the Agile Controller-Campus, DNS, and web servers before authentication.
    • The Portal authentication page is pushed to an employee when the employee attempts to visit an Internet website. After the employee enters the correct account and password, the requested web page is displayed.
    • R&D employee A can access the Internet, code library, and issue tracking system after authentication. Marketing employee B can access the Internet but not the code library and issue tracking system after authentication.
    • After an employee is authenticated, run the display access-user command on the switch. The command output shows that the employee is online.

Switch Configuration File

# Configuration file of the access switch for the R&D department
#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
return 
# Configuration file of the access switch for the marketing department
#
sysname SwitchB
#
vlan batch 102
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 102
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
return 

# Configuration file of the aggregation switch
#
sysname SwitchC
#
vlan batch 101 to 103
#
domain portal
#
access-user arp-detect vlan 101 ip-address 192.168.0.1 mac-address 2222-1111-1234
access-user arp-detect vlan 102 ip-address 192.168.1.1 mac-address 2222-1111-1234
#
dhcp enable
#
radius-server template policy
 radius-server shared-key cipher %#%#lJIB8CQ<:A;x$h2V5+;+C>HwC+@XAL)ldpQI}:$X%#%#
 radius-server authentication 172.16.1.1 1812 source ip-address 172.16.1.254 weight 80
 radius-server accounting 172.16.1.1 1813 source ip-address 172.16.1.254 weight 80
#
acl number 3001
 rule 1 permit ip
acl number 3002
 rule 1 deny ip destination 172.16.1.4 0
 rule 2 deny ip destination 172.16.1.5 0
 rule 3 permit ip
#
web-auth-server portal_huawei
 server-ip 172.16.1.1
 port 50200
 shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
 url http://access.***.com:8080/portal
 source-ip 172.16.1.254
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
 domain portal
  authentication-scheme auth
  accounting-scheme acco
  radius-server policy
#
interface Vlanif101
 ip address 192.168.0.1 255.255.255.0
 web-auth-server portal_huawei direct
 authentication portal
 dhcp select interface
 dhcp server dns-list 172.16.1.2
#
interface Vlanif102
 ip address 192.168.1.1 255.255.255.0
 web-auth-server portal_huawei direct
 authentication portal
 dhcp select interface
 dhcp server dns-list 172.16.1.2
#
interface Vlanif103
 ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 103
#
authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return 
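The configuration file above is what an operator would compare against the data plan before going live. The following Python script is an added example, not Huawei tooling and not part of the original page, that reads a trimmed copy of the aggregation switch configuration (constructed from the page, with cipher text replaced by a placeholder) and reports deviations from the plan: the Portal port left at the switch default of 50100, a VLANIF with authentication portal enabled but no template bound, a missing free-rule for a pre-authentication server, a missing ACL number, or a disabled quiet period. The stanza parser and the PLAN dictionary are this example's own.

```python
# Copy of the page's aggregation-switch configuration file, trimmed to the stanzas the checks
# below read; cipher text replaced by a placeholder. Constructed for this example.
SWITCHC_CONFIG = """\
#
acl number 3001
 rule 1 permit ip
acl number 3002
 rule 1 deny ip destination 172.16.1.4 0
 rule 2 deny ip destination 172.16.1.5 0
 rule 3 permit ip
#
web-auth-server portal_huawei
 server-ip 172.16.1.1
 port 50200
 shared-key cipher %#%#<cipher-text>%#%#
 url http://access.example.com:8080/portal
 source-ip 172.16.1.254
#
interface Vlanif101
 ip address 192.168.0.1 255.255.255.0
 web-auth-server portal_huawei direct
 authentication portal
#
interface Vlanif102
 ip address 192.168.1.1 255.255.255.0
 web-auth-server portal_huawei direct
 authentication portal
#
authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return
"""
# Expected values taken from the page's data plan.
PLAN = {"portal_port": "50200", "pre_auth_servers": ["172.16.1.2", "172.16.1.3"], "acls": ["3001", "3002"]}


def parse_stanzas(text):
    """Split a VRP configuration file into top-level stanzas: [(header, [child lines])]."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            continue
        if raw.startswith(" "):
            stanzas[-1][1].append(line)
        else:
            stanzas.append((line, []))
    return stanzas


def audit(config, plan=PLAN):
    """Return a list of findings; an empty list means the file matches the plan."""
    stanzas = parse_stanzas(config)
    headers = [h for h, _ in stanzas]
    findings = []
    # Portal server template: the switch default port is 50100 (see step 3 of the procedure)
    # and must be changed to the port the Portal server listens on.
    templates = {h.split()[1]: body for h, body in stanzas
                 if h.startswith("web-auth-server ") and len(h.split()) == 2}
    for name, lines in templates.items():
        port = next((t.split()[1] for t in lines if t.startswith("port ")), "50100")
        if port != plan["portal_port"]:
            findings.append(f"web-auth-server {name}: port {port} does not match Portal server port {plan['portal_port']}")
        for key in ("server-ip", "shared-key", "url"):
            if not any(t.startswith(key + " ") for t in lines):
                findings.append(f"web-auth-server {name}: missing {key}")
    # Every VLANIF with Portal authentication enabled must bind a template that exists.
    for h, lines in stanzas:
        if h.startswith("interface Vlanif") and "authentication portal" in lines:
            bound = [t.split()[1] for t in lines if t.startswith("web-auth-server ")]
            if not bound:
                findings.append(f"{h}: authentication portal enabled but no web-auth-server template bound")
            findings += [f"{h}: binds unknown template {b}" for b in bound if b not in templates]
    # Pre-authentication servers need a free-rule; the ACL numbers entered on the
    # Agile Controller-Campus must exist on the switch, otherwise authorization fails.
    free = {h.split()[5] for h in headers if h.startswith("authentication free-rule ")}
    findings += [f"no authentication free-rule for pre-authentication server {ip}"
                 for ip in plan["pre_auth_servers"] if ip not in free]
    acls = {h.split()[2] for h in headers if h.startswith("acl number ")}
    findings += [f"acl {n} named in the authorization result is not configured" for n in plan["acls"] if n not in acls]
    if "portal quiet-period" not in headers:
        findings.append("portal quiet-period disabled: repeated authentication failures are not throttled")
    return findings


if __name__ == "__main__":
    print(audit(SWITCHC_CONFIG) or "configuration matches the plan")
```

Running it against the page's file returns no findings; deleting the port 50200 line reproduces the most common mistake the procedure warns about, and the audit names it.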
Copyright © Huawei Technologies Co., Ltd.