
Configure Ordinary L3 Portal Authentication

Network Requirements

  • PC1 and PC2 on one LAN are connected to IP Network via Device, and ordinary L3 Portal authentication is enabled on Device.
  • RADIUS authentication is used as the authentication mode.
  • Before passing the authentication, PC1 can only access Update Server. After passing the authentication, PC1 can access IP Network.
  • PC2 can access Update Server.

Network Topology


Figure 13-8 Networking of configuring the ordinary L3 Portal authentication

Configuration Steps

#On Device, create VLAN128, VLAN129, VLAN130, and VLAN131.

Device#configure terminal
Device(config)#vlan 128,129,130,131
Device(config)#exit

#Configure the link type of port gigabitethernet0/2 as Access, permitting the services of VLAN128 to pass.

Device#configure terminal
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#switchport mode access
Device(config-if-gigabitethernet0/2)#switchport access vlan 128
Device(config-if-gigabitethernet0/2)#end

#Configure the port link type on gigabitethernet0/1 of Device as Access, permitting the services of VLAN131 to pass. Configure the port link type on gigabitethernet0/3 of Device as Access, permitting the services of VLAN130 to pass. Configure the port link type on gigabitethernet0/4-gigabitethernet0/5 of Device as Access, permitting the services of VLAN129 to pass. (omitted)

Step 2: Configure the interface IP address of Device, ensuring that the network route is reachable.

#Configure the IP address of VLAN128 as 128.255.36.10/24.

Device#configure terminal
Device(config)#interface vlan 128
Device(config-if-vlan128)#ip address 128.255.36.10 255.255.255.0
Device(config-if-vlan128)#end

#Configure the IP address of VLAN129 as 129.255.43.10/24.

Device#configure terminal
Device(config)#interface vlan 129
Device(config-if-vlan129)#ip address 129.255.43.10 255.255.255.0
Device(config-if-vlan129)#end

#Configure the IP address of VLAN130 as 130.255.28.10/24.

Device#configure terminal
Device(config)#interface vlan 130
Device(config-if-vlan130)#ip address 130.255.28.10 255.255.255.0
Device(config-if-vlan130)#end

#Configure the IP address of VLAN131 as 131.255.28.10/24.

Device#configure terminal
Device(config)#interface vlan 131
Device(config-if-vlan131)#ip address 131.255.28.10 255.255.255.0
Device(config-if-vlan131)#end

Step 3: Configure the AAA authentication.

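#On Device, enable AAA authentication and adopt the RADIUS authentication mode. The RADIUS server address is 129.255.43.90/24, the key value is admin, and the priority is 1. The key admin is a lab value; in a deployment, use a long random shared key and configure the same value on the RADIUS server.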

Device#configure terminal
Device(config)#aaa new-model
Device(config)#aaa authentication connection default radius
Device(config)#radius-server host 129.255.43.90 priority 1 key admin

Step 4: Configure the AAA server.

#On the AAA server, configure the user name, password, and key value as admin (omitted).

Step 5: Configure the ordinary L3 Portal authentication.

#On Device, configure the Portal server named server1.

Device(config)#portal server server1 ip 129.255.43.99 key admin url http://129.255.43.99:8080/portal

#On Device, enable the ordinary L3 Portal authentication.

Device#configure terminal
Device(config)#interface vlan 128
Device(config-if-vlan128)#portal server server1 method layer3 ip
Device(config-if-vlan128)#exit

#Configure one secure channel named channel, permitting PC1 and PC2 to access Update Server.

Device#configure terminal
Device(config)#hybrid access-list advanced channel
Device(config-adv-hybrid-nacl)#permit ip any any host 130.255.28.20 any

#Apply the secure channel named channel.

Device#configure terminal
Device(config)#global security access-group channel
Device(config)#exit

Step 6: Configure the Portal server.

#On the Portal server, configure the IP address, Device address and key value of PC1 as admin (omitted).

Step 7: Check the result.

#Query the configuration information of the secure channel.

Device#show portal global config 

  portal global configuration information: 
  authentication method list : default 
  accounting method list      : default 
 
  global security access-group : channel

#Before passing the authentication, PC1 can access Update Server but cannot access IP Network.

#After passing the authentication, PC1 can access Update Server and IP Network. PC2 can access Update Server but cannot access IP Network.

Device#show portal user 
-----------------------------------------
NO 1:IP_ADDRESS= 128.255.36.1 STATUS=     Authorized   USER_NAME= admin 
     INTERFACE= vlan128       CTRL_METHOD= L3_IP          AUTH_STATE= AUTHENTICATED 
     BACK_STATE= AAA_SM_IDLE 
 
  Total: 1 Authorized: 1 Unauthorized/Guest/Critical: 0/0/0
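
An added example, not part of the original guide or any vendor tooling: a Python check over the Device commands from Steps 3 and 5 that flags lab-grade shared keys, one key reused for RADIUS and Portal, a cleartext portal URL, and secure-channel rules that open pre-authentication access to anything other than Update Server. The weak-key list, the minimum key length, the finding names, and the rule that a permit line is pinned to a server by its host term are assumptions of this example.

```python
import re

# Constructed input: the Device commands from Steps 3 and 5 of this page.
SAMPLE_CONFIG = """\
radius-server host 129.255.43.90 priority 1 key admin
portal server server1 ip 129.255.43.99 key admin url http://129.255.43.99:8080/portal
hybrid access-list advanced channel
 permit ip any any host 130.255.28.20 any
global security access-group channel
"""
WEAK_KEYS = {"admin", "password", "radius", "portal", "123456"}  # assumed list
MIN_KEY_LEN = 16                      # assumed local policy, not a device limit
EXPECTED_PREAUTH = {"130.255.28.20"}  # Update Server address on this page


def audit(config, expected_preauth=EXPECTED_PREAUTH):
    """Return sorted findings for shared keys, portal URL and secure channel."""
    findings, keys, acls, acl, applied = set(), {}, {}, None, None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if line.startswith("permit "):
            if acl is not None:  # rule belongs to the ACL being defined
                acl.append(re.findall(r"\bhost (\S+)", line))
            continue
        acl = None  # any other command ends the ACL context
        m = re.match(r"(radius-server host|portal server) .*?\bkey (\S+)", line)
        if m:
            kind, key = m.groups()
            keys[kind] = key
            if key.lower() in WEAK_KEYS or len(key) < MIN_KEY_LEN:
                findings.add(f"weak-key:{kind}")
            url = re.search(r"\burl (\S+)", line)
            if url and url.group(1).lower().startswith("http://"):
                findings.add("cleartext-portal-url")
        m = re.match(r"hybrid access-list advanced (\S+)", line)
        if m:
            acl = acls.setdefault(m.group(1), [])
        m = re.match(r"global security access-group (\S+)", line)
        if m:
            applied = m.group(1)
    if len(keys) == 2 and len(set(keys.values())) == 1:
        findings.add("key-reuse:radius+portal")
    if applied is not None and applied not in acls:
        findings.add("secure-channel-undefined")
    for hosts in acls.get(applied, []):
        if not hosts:  # heuristic: no "host" term, so not pinned to one server
            findings.add("preauth-rule-without-host")
        findings.update(f"unexpected-preauth-host:{h}" for h in hosts
                        if h not in expected_preauth)
    return sorted(findings)
```

Calling `audit(SAMPLE_CONFIG)` on the commands as written in this guide reports both keys as weak, the key reuse, and the http portal URL, while the secure channel itself passes because its only rule names Update Server.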