< Home

Configuring Portal Authentication for Access Users on Huawei Agile Controller-Campus (Authentication Point on Aggregation Switch)

This section includes the following content:

Introduction to Portal authentication

Portal authentication is also called web authentication, when a user accesses the network, the user must be first authenticated on the Portal website. If the authentication fails, the user can access only certain network resources. After the authentication succeeds, the user can access other network resources. Portal authentication has the following advantages:

  • Ease of use: In most cases, Portal authentication does not require the client to have additional software installed and allows the client to be directly authenticated on a web page.
  • Convenient operations: Portal authentication achieves service expansion on the Portal page, including advertisement push, responsibility announcement, and enterprise publicity.
  • Mature technology: Portal authentication has been widely used in networks of carriers, fast food chains, hotels, and schools.
  • Flexible deployment: Portal authentication implements access control at the access layer or at the ingress of key data.
  • Flexible user management: Portal authentication can be performed on users based on the combination of user names and any one of VLANs, IP addresses, and MAC addresses.

Enterprises often choose Portal authentication for guests because they move frequently.

Networking Requirements

An enterprise needs to deploy an identity authentication system to control employees' network access rights and allow only authorized users to access the network. The enterprise has the following requirements:
  • The authentication operations should be simple. The authentication system only performs access authorization. Minimum client software is installed on user terminals.
  • Moderate security control is required. To facilitate maintenance, a moderate number of authentication points need to be deployed on the aggregation switch.
  • A unified identity authentication mechanism is used to authenticate all terminals accessing the campus network and deny access from unauthorized terminals.
  • R&D employees can connect only to public servers (such as the web and DNS servers) of the enterprise before the authentication, and can connect to both the intranet (code library and issue tracking system) and Internet after being authenticated.
  • Marketing employees can connect only to public servers (such as the web and DNS servers) of the enterprise before the authentication, and can connect only to the Internet after being authenticated.
Figure 1 Portal authentication deployed at the aggregation layer

Configuration Logic

Figure 2 Configuration logic of Huawei switch
Table 1 Configuration logic of Huawei Agile Controller-Campus

Item

Description

Creating a department and an account

-

Adding switches

Set parameters for switches connected to the Agile Controller-Campus.

(Optional) adding an authentication rule

Configure the conditions for users to pass the authentication. If no authentication rule is created, the default authentication rule (that allows all users to pass the authentication) of the Agile Controller-Campus is used.

Adding an authorization result

Create network access right profiles so that users granted with different profiles have different network access rights.

Adding an authorization rule

Select network access right profiles and users in an authorization rule so that specified network access rights are granted to specific users.

Configuration Notes

  • This configuration example applies to all switches running V200R009C00 or a later version.
  • Huawei's Agile Controller-Campus in V100R001 functions as the Portal server and RADIUS server in this example. For the Agile Controller-Campus, the version required is V100R001, V100R002, V100R003.
  • The RADIUS authentication and accounting shared keys and Portal shared key on the switch must be the same as those on the Agile Controller-Campus server.
  • By default, the switch allows the packets from RADIUS and Portal servers to pass. You do not need to configure authentication-free rules for the two servers on the switch.
  • When you run the access-user arp-detect command to configure the IP address and MAC address of the user gateway as the source IP address and source MAC address of user offline detection packets, ensure that the MAC address of the gateway remains unchanged, especially in active/standby switchover scenarios. If the gateway MAC address is changed, ARP entries of terminals will be incorrect on the device, and the terminals cannot communicate with the device.

Data Plan

Table 2 VLAN plan

VLAN ID

Function

101

VLAN for R&D employees

102

VLAN for marketing employees

103

VLAN to which interfaces connecting to the servers belong
Table 3 Network data plan

Item

Data

Description

Access switch (connecting to the R&D department)

Interface number: GE0/0/1

VLAN: 101

Connects to employees' PCs.

Interface number: GE0/0/2

VLAN: 101

Connects to the aggregation switch.

Access switch (connecting to the marketing department)

Interface number: GE0/0/1

VLAN: 102

Connects to employees' PCs.

Interface number: GE0/0/2

VLAN: 102

Connects to the aggregation switch.

Aggregation switch

Interface number: GE1/0/1

VLAN: 101

VLANIF101 IP address: 192.168.0.1

Connects to the access switch of the R&D department.

Functions as the gateway for R&D employees.

Interface number: GE1/0/2

VLAN: 102

VLANIF102 IP address: 192.168.1.1

Connects to the access switch of the marketing department.

Functions as the gateway for marketing employees.

Interface number: GE1/0/3

VLAN: 103

VLANIF103 IP address: 172.16.1.254

Connects to the enterprise server area.

Functions as the gateway for servers.

Server

Agile Controller-Campus (RADIUS server + Portal server)

IP address: 172.16.1.1

-

DNS server

IP address: 172.16.1.2

-

Web server

IP address: 172.16.1.3

-

Code library

IP address: 172.16.1.4

-

Issue tracking system

IP address: 172.16.1.5

-
Table 4 Service data plan

Item

Data

Description

Aggregation switch

Number of the ACL for R&D employees' post-authentication domain: 3001

You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.

Number of the ACL for marketing employees' post-authentication domain: 3002

You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
Authentication server:
  • IP address: 172.16.1.1
  • Port number: 1812
  • RADIUS shared key: Admin@123
  • The Service Controller (SC) of the Agile Controller-Campus integrates the RADIUS server and Portal server. Therefore, IP addresses of the authentication server, accounting server, authorization server, and Portal server are the SC's IP address.
  • Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as the authentication and accounting port numbers of the RADIUS server.
  • Configure an authorization server to enable the RADIUS server to deliver authorization rules to the switch. The RADIUS shared key of the authorization server must be the same as those of the authentication server and accounting server.
Accounting server:
  • IP address: 172.16.1.1
  • Port number: 1813
  • RADIUS shared key: Admin@123
  • Accounting interval: 15
Portal server:
  • IP address: 172.16.1.1
  • Port number that the switch uses to process Portal protocol packets: 2000
  • Destination port number in the packets that the switch sends to the Portal server: 50200
  • Portal authentication shared key: Admin@123

Agile Controller-Campus

Host name: access.example.com

Users can use the domain name to access the Portal server.

Device IP address: 172.16.1.254

-

Authentication port: 1812

-

Accounting port: 1813

-

RADIUS shared key: Admin@123

The RADIUS shared key must be the same as that configured on the switch.

Port number that the Portal server uses to receive packets: 50200

-

Portal shared key: Admin@123

It must be the same as the Portal authentication shared key configured on the switch.
Department: R&D
  • User: A
  • Account: A-123
  • Password: Huawei123
Department: Marketing
  • User: B
  • Account: B-123
  • Password: Huawei123

Two departments and two corresponding accounts have been created on the Agile Controller-Campus: R&D department and an R&D employee account A-123; Marketing department and a marketing employee account B-123.

Pre-authentication domain

Agile Controller-Campus (including RADIUS server and Portal server), DNS server, and web server

-

Post-authentication domain
  • R&D employees: code library, issue tracking system, and Internet
  • Marketing employees: Internet

-

Procedure

  1. Configure the access switch to ensure network connectivity.

    The following provides the configuration for SwitchA, the access switch connecting to the R&D department. The configuration for SwitchB, the access switch connecting to the marketing department, is similar.

    <HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1    //Interface connected to the R&D department
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2    //Interface connected to the aggregation switch
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit

  2. Configure the aggregation switch.
    1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.

      <HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] dhcp enable    //Enable the DHCP service.
[SwitchC] vlan batch 101 to 103
[SwitchC] interface gigabitethernet 1/0/1    //Interface of the access switch connected to the R&D department
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 101
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface vlanif 101
[SwitchC-Vlanif101] ip address 192.168.0.1 255.255.255.0    //IP address segment assigned to R&D employees
[SwitchC-Vlanif101] dhcp select interface
[SwitchC-Vlanif101] dhcp server dns-list 172.16.1.2
[SwitchC-Vlanif101] quit
[SwitchC] interface gigabitethernet 1/0/2    //Interface of the access switch connected to the marketing department
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[SwitchC-GigabitEthernet1/0/2] quit
[SwitchC] interface vlanif 102
[SwitchC-Vlanif102] ip address 192.168.1.1 255.255.255.0    //IP address segment assigned to marketing employees.
[SwitchC-Vlanif102] dhcp select interface
[SwitchC-Vlanif102] dhcp server dns-list 172.16.1.2
[SwitchC-Vlanif102] quit
[SwitchC] interface gigabitethernet 1/0/3    //Interface connected to the server area
[SwitchC-GigabitEthernet1/0/3] port link-type access
[SwitchC-GigabitEthernet1/0/3] port default vlan 103
[SwitchC-GigabitEthernet1/0/3] quit
[SwitchC] interface vlanif 103
[SwitchC-Vlanif103] ip address 172.16.1.254 255.255.255.0    //Configure the gateway address for the server area.
[SwitchC-Vlanif103] quit

    2. Configure network access rights for users after successful authentication.

      [SwitchC] acl 3001    //Configure the post-authentication domain for R&D employees.
[SwitchC-acl-adv-3001] rule 1 permit ip    //Allow R&D employees to access all resources.
[SwitchC-acl-adv-3001] quit
[SwitchC] acl 3002    //Configure the post-authentication domain for marketing employees.
[SwitchC-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0    //Prevent marketing employees from accessing the code library.
[SwitchC-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0    //Prevent marketing employees from accessing the issue tracking system.
[SwitchC-acl-adv-3002] rule 3 permit ip    //Allow marketing employees to access other resources.
[SwitchC-acl-adv-3002] quit

    3. Configure parameters for connecting to the RADIUS server.

      [SwitchC] radius-server template policy    //Create the RADIUS server template policy.
[SwitchC-radius-policy] radius-server authentication 172.16.1.1 1812 source ip-address 172.16.1.254    //Configure the IP address and port number of the RADIUS authentication server.
[SwitchC-radius-policy] radius-server accounting 172.16.1.1 1813 source ip-address 172.16.1.254    //Configure the IP address and port number of the RADIUS accounting server.
[SwitchC-radius-policy] radius-server shared-key cipher Admin@123    //Set the authentication key and accounting key to Admin@123.
[SwitchC-radius-policy] quit
[SwitchC] aaa    //Enter the AAA view.
[SwitchC-aaa] authentication-scheme auth    //Configure the authentication scheme auth.
[SwitchC-aaa-authen-auth] authentication-mode radius    //Set the authentication mode to RADIUS.
[SwitchC-aaa-authen-auth] quit
[SwitchC-aaa] accounting-scheme acco    //Configure the accounting scheme acco.
[SwitchC-aaa-accounting-acco] accounting-mode radius    //Set the accounting mode to RADIUS.
[SwitchC-aaa-accounting-acco] accounting realtime 15    //Set the real-time accounting interval to 15 minutes.
[SwitchC-aaa-accounting-acco] quit
[SwitchC-aaa] domain portal    //Configure a domain.
[SwitchC-aaa-domain-portal] authentication-scheme auth    //Bind the authentication scheme auth to the domain.
[SwitchC-aaa-domain-portal] accounting-scheme acco    //Bind the accounting scheme acco to the domain.
[SwitchC-aaa-domain-portal] radius-server policy    //Bind the RADIUS server template policy to the domain.
[SwitchC-aaa-domain-portal] quit
[SwitchC-aaa] quit
[SwitchC] domain portal  //Configure portal as the global default domain.

    4. Configure parameters for connecting to the Portal server.

      [SwitchC] web-auth-server portal_huawei    //Configure the Portal server template portal_huawei.
[SwitchC-web-auth-server-portal_huawei] server-ip 172.16.1.1    //Set the Portal server IP address.
[SwitchC-web-auth-server-portal_huawei] source-ip 172.16.1.254    //Set the IP address that the switch uses to communicate with the Portal server.
[SwitchC-web-auth-server-portal_huawei] port 50200    //Set the destination port number in the packets that the switch sends to the Portal server to 50200, which is the same as the port number that the Portal server uses to receive packets. The default destination port number on the switch is 50100, and you must change it to 50200 manually, so that it matches the port number on the Portal server.
[SwitchC-web-auth-server-portal_huawei] shared-key cipher Admin@123    //Configure the shared key for communication with the Portal server, which must be the same as that configured on the Portal server.
[SwitchC-web-auth-server-portal_huawei] url http://access.example.com:8080/portal    //Configure the URL for the Portal authentication page, in which access.example.com indicates the host name of the Portal server. The domain name is recommended in the URL so that the Portal authentication page can be pushed to users faster and more securely. To use the domain name in the URL, you must configure the mapping between this domain name access.example.com and Portal server IP address on the DNS server in advance.
[SwitchC-web-auth-server-portal_huawei] quit
[SwitchC] web-auth-server listening-port 2000    //Configure the port number that the switch uses to process Portal protocol packets. The default port number is 2000. If the port number is changed on the server, change it accordingly on the switch.
[SwitchC] portal quiet-period    //Enable the quiet function for Portal authentication users. If the number of times that a Portal authentication user fails to be authenticated within 60 seconds exceeds the specified value, the device discards the user's Portal authentication request packets for a period to prevent impact of frequent authentication failures on the system.
[SwitchC] portal quiet-times 5    //Configure the maximum number of authentication failures within 60 seconds before the device quiets a Portal authentication user.
[SwitchC] portal timer quiet-period 240    //Set the quiet period to 240 seconds.

    5. Enable Portal authentication and configure network access rights for users in the pre-authentication domain and post-authentication domain.

      # Set the NAC mode to unified.

      [SwitchC] authentication unified-mode    //Set the NAC mode to unified. By default, the switch works in unified mode. After changing the NAC mode from common to unified, save the configuration and restart the switch to make the configuration take effect.

      # Configure a Portal access profile.

      [SwitchC] portal-access-profile name web1
[SwitchC-portal-acces-profile-web1] web-auth-server portal_huawei direct
[SwitchC-portal-acces-profile-web1] quit

      # Configure an authentication-free rule profile and specify resources that users can access without authentication.

      In versions earlier than V200R012C00, if the URL of Portal server needs to be analyzed by DNS and the DNS server is on the upstream network of the NAS device, you also need to create authentication-free rules and ensure that the DNS server is included in the authentication-free rules. In V200R012C00 and later versions, the NAS device automatically allows DNS packets to pass through and no authentication-free rule is required in Portal authentication.

      [SwitchC] free-rule-template name default_free_rule
[SwitchC-free-rule-default_free_rule] free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255    //Configure authentication-free rules for Portal authentication users, so that these users can access the DNS server before the authentication.
[SwitchC-free-rule-default_free_rule] free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255    //Configure authentication-free rules for Portal authentication users, so that these users can access the web server before the authentication.
[SwitchC-free-rule-default_free_rule] quit

      # Configure an authentication profile.

      [SwitchC] authentication-profile name p1
[SwitchC-authen-profile-p1] portal-access-profile web1    ///Bind the Portal access profile web1.
[SwitchC-authen-profile-p1] quit

      # Enable Portal authentication.

      [SwitchC] interface vlanif 101
[SwitchC-Vlanif101] authentication-profile p1   //Enable Portal authentication on the interface connecting to the R&D department.
[SwitchC-Vlanif101] quit
[SwitchC] interface vlanif 102
[SwitchC-Vlanif102] authentication-profile p1   //Enable Portal authentication on the interface connecting to the marketing department.
[SwitchC-Vlanif102] quit

      # (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets. This function does not take effect for users who use Layer 3 Portal authentication.

      [SwitchC] access-user arp-detect vlan 101 ip-address 192.168.0.1 mac-address 2222-1111-1234
[SwitchC] access-user arp-detect vlan 102 ip-address 192.168.1.1 mac-address 2222-1111-1234

  3. Configure the Agile Controller-Campus.
    1. Log in to the Agile Controller-Campus.

      1. Open the Internet Explorer, enter the Agile Controller-Campus address in the address box, and press Enter.
        The following table provides two types of Agile Controller-Campus addresses.

        Address Format

        Description

        https://Agile Controller-Campus-IP:8443

        In the address, Agile Controller-Campus-IP indicates the Agile Controller-Campus IP address.

        Agile Controller-Campus IP address

        If port 80 is enabled during installation, you can access the Agile Controller-Campus by simply entering its IP address without the port number. The Agile Controller-Campus address will automatically change to https://Agile Controller-Campus-IP:8443.
      2. Enter the administrator account and password.

        If you log in to the Agile Controller-Campus for the first time, use the super administrator account admin and password Changeme123. Change the password immediately after logging in. Otherwise, the Agile Controller-Campus cannot be used.

    2. Create departments and accounts. The following describes how to create the R&D department. Create the Marketing department similarly.

      1. Choose Resource > User > User Management.
      2. Click the Department tab in the operation area on the right. Then click Add under the Department tab, and add the department R&D.

      3. Click the User tab in the operation area on the right. Then click Add under the User tab, and add the user A.

      4. Click in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password Huawei123.

      5. On the User tab page, select user A and click Transfer to add user A to the R&D department.

    3. Add a switch to the Agile Controller-Campus and configure related parameters to ensure normal communication between the Agile Controller-Campus and switch.

      1. Choose Resource > Device > Device Management.
      2. Click Add.
      3. Configure parameters for the switch.

        Parameter

        Value

        Description

        Name

        SW

        -

        IP Address

        172.16.1.254

        The interface must be able to communicate with the SC.

        Device series

        Huawei Quidway Series

        -

        Authentication Key

        Admin@123

        It must be the same as the shared key of the RADIUS authentication server configured on the switch.

        Charging Key

        Admin@123

        It must be the same as the shared key of the RADIUS accounting server configured on the switch.

        Real-time charging interval (minute)

        15

        It must be the same as the real-time accounting interval configured on the switch.

        Port

        2000

        This is the port that the switch uses to communicate with the Portal server. Retain the default value.

        Portal Key

        Admin@123

        It must be the same as the Portal shared key configured on the switch.

        Allowed IP Addresses

        192.168.0.1/24; 192.168.1.1/24

        -

      4. Click OK.

    4. Configure employee authorization. This example describes how to configure R&D employee authorization. The configuration procedure for marketing employees is the same, except that the network resources the two types of employees can access are different.

      1. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and configure resources that R&D employees can access after authentication and authorization.

        Parameter

        Value

        Description

        Name

        R&D employee post-authentication domain

        -

        Service Type

        Access Service

        -

        ACL Number/AAA User Group

        3001

        The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.

      2. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule, and specify the authorization conditions for R&D employees.

        Parameter

        Value

        Description

        Name

        R&D employee authorization rule

        -

        Service Type

        Access User

        -

        Department

        R&D

        -

        Authorization Result

        R&D employee post-authentication domain

        -

  4. Verify the configuration.

    • Employees can access only the Agile Controller-Campus, DNS, and web servers before authentication.
    • The Portal authentication page is pushed to an employee when the employee attempts to visit an Internet website. After the employee enters the correct account and password, the requested web page is displayed.
    • R&D employee A can access the Internet, code library, and issue tracking system after authentication. Marketing employee B can access the Internet but not the code library and issue tracking system after authentication.
    • After an employee is authenticated, run the display access-user command on the switch. The command output shows that the employee is online.

Configuration Files

# Configuration file of the access switch for the R&D department
#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
return
# Configuration file of the access switch for the marketing department
#
sysname SwitchB
#
vlan batch 102
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 102
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
return

# Configuration file of the aggregation switch

#
sysname SwitchC
#
vlan batch 101 to 103
#
authentication-profile name p1
 portal-access-profile web1
#
domain portal
#
access-user arp-detect vlan 101 ip-address 192.168.0.1 mac-address 2222-1111-1234
access-user arp-detect vlan 102 ip-address 192.168.1.1 mac-address 2222-1111-1234
#
dhcp enable
#
radius-server template policy
 radius-server shared-key cipher %#%#lJIB8CQ<:A;x$h2V5+;+C>HwC+@XAL)ldpQI}:$X%#%#
 radius-server authentication 172.16.1.1 1812 source ip-address 172.16.1.254 weight 80
 radius-server accounting 172.16.1.1 1813 source ip-address 172.16.1.254 weight 80
#
acl number 3001
 rule 1 permit ip
acl number 3002
 rule 1 deny ip destination 172.16.1.4 0
 rule 2 deny ip destination 172.16.1.5 0
 rule 3 permit ip
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
 free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
# 
web-auth-server portal_huawei
 server-ip 172.16.1.1
 port 50200
 shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
 url http://access.***.com:8080/portal
 source-ip 172.16.1.254
#
portal-access-profile name web1 
 web-auth-server portal_huawei direct 
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
 domain portal
  authentication-scheme auth
  accounting-scheme acco
  radius-server policy
#
interface Vlanif101
 ip address 192.168.0.1 255.255.255.0
 authentication-profile p1 
 dhcp select interface
 dhcp server dns-list 172.16.1.2
#
interface Vlanif102
 ip address 192.168.1.1 255.255.255.0
 authentication-profile p1 
 dhcp select interface
 dhcp server dns-list 172.16.1.2
#
interface Vlanif103
 ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 103
#
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return
Parent Topic: Typical NAC Configuration (Unified Mode) (the Agile Controller-Campus as the Authentication Server) (V200R009C00 and Later Versions)
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >