Authenticating users through a firewall – Cabletron Systems SmartSwitch User Manual

SmartSwitch Router User Reference Manual

Chapter 13: IP Policy-Based Forwarding Configuration Guide

The following is the IP policy configuration for the Policy Router in Figure 20:

interface create ip premium-customer address-netmask 10.50.1.1/16 port et.1.1
interface create ip standard-customer address-netmask 11.50.1.1/16 port et.1.2

acl premium-customer permit ip 10.50.0.0/16 any any any 0
acl standard-customer permit ip 11.50.0.0/16 any any any 0

ip-policy p1 permit acl premium-customer next-hop-list "100.1.1.1 100.1.1.2" action policy-first sequence 20
ip-policy apply interface premium-customer

ip-policy p2 permit acl standard-customer next-hop-list 200.1.1.1 action policy-only sequence 30
ip-policy apply interface standard-customer

Authenticating Users through a Firewall

You can define an IP policy that requires packets from certain users to be authenticated
by a firewall before they access the network. If the firewall is not responding, the packets
to be authenticated are dropped. Figure 21 illustrates this kind of configuration.

Figure 21. Using an IP policy to authenticate users through a firewall

Packets from users defined in the “contractors” group are sent through a firewall. If the
firewall cannot be reached, packets from the contractors group are dropped. Packets from
users defined in the “full-timers” group do not have to go through the firewall.

[Figure 21 diagram labels: contractors (10.50.1.0/24), full-timers (10.50.2.0/24), Policy Router, Firewall, Router, Servers, 11.1.1.1, 12.1.1.1]
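The drop-when-unreachable behaviour described for the contractors group, modelled in Python as an added example (not from the manual or the router's software): the policy-only action drops a matching packet when no listed next hop responds, whereas policy-first, the action used by p1 above, falls back to the dynamic routing table, which on an authentication path would let traffic bypass the firewall. The names PolicyRule and forward are hypothetical, and 11.1.1.1 is assumed to be the firewall address in Figure 21.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class PolicyRule:              # hypothetical model of one ip-policy statement
    src: str                   # source prefix permitted by the ACL
    next_hops: list            # next-hop-list gateways
    action: str                # "policy-only" or "policy-first"

def forward(rules, src_ip, reachable):
    """Decide what happens to a packet from src_ip.

    reachable: set of next-hop gateways that currently respond.
    Returns (decision, gateway).
    """
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr not in ipaddress.ip_network(rule.src):
            continue
        # Simplification: use the first responding gateway; load
        # distribution across the list is not modelled.
        for hop in rule.next_hops:
            if hop in reachable:
                return ("policy-route", hop)
        if rule.action == "policy-only":
            return ("drop", None)            # fail closed
        if rule.action == "policy-first":
            return ("dynamic-route", None)   # fail open: routing table decides
        raise ValueError(f"unknown action {rule.action!r}")
    return ("dynamic-route", None)           # no policy matched

FIREWALL = "11.1.1.1"          # assumption: firewall address in Figure 21
CONTRACTORS = "10.50.1.0/24"   # contractors subnet from Figure 21

fail_closed = [PolicyRule(CONTRACTORS, [FIREWALL], "policy-only")]
fail_open = [PolicyRule(CONTRACTORS, [FIREWALL], "policy-first")]

if __name__ == "__main__":
    for label, rules in (("policy-only", fail_closed), ("policy-first", fail_open)):
        for up in ({FIREWALL}, set()):
            state = "firewall up" if up else "firewall down"
            print(f"{label:12} {state:13} {forward(rules, '10.50.1.25', up)}")
    # A full-timer (10.50.2.0/24) matches no rule and is routed normally.
    print("full-timer", forward(fail_closed, "10.50.2.7", set()))
```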