beautypg.com

H3C Technologies H3C SecPath F1000-E User Manual

Page 24

background image

23

NOTE:

For re-DHCP authentication, you need to configure a public address pool (20.20.20.0/24, in this
example) and a private address pool (10.0.0.0/24, in this example) on the DHCP server. The

configuration steps are omitted. For DHCP configuration information, see

DHCP Configuration in the

Firewall Web Configuration Manual.

For re-DHCP authentication, Device must be configured as a DHCP relay agent (instead of a DHCP
server) and the portal-enabled interface must be configured with a primary IP address (a public IP

address) and a secondary IP address (a private IP address).

Make sure that the IP address of the portal device added on the portal server is the private IP address of
the interface connecting users (10.0.0.1 in this example), and the IP address group associated with the

portal device is the private network segment where the users reside (10.0.0.0/24 in this example).

You need to configure IP addresses for Device and the servers as shown in

Figure 10

and ensure that

they can reach each other.

Perform configurations on the RADIUS server to ensure that the user authentication and accounting
functions can work normally.

Perform the following configuration on Device:

Step1

Configure a RADIUS scheme.

# Create a RADIUS scheme named rs1, and enter its view.

system-view

[Device] radius scheme rs1

# Set the server type for the RADIUS scheme. When using the CAMS or iMC server, you need to set the
server type to extended.

[Device-radius-rs1] server-type extended

# Specify the primary authentication server and primary accounting server, and configure the keys for

communication with the servers.

[Device-radius-rs1] primary authentication 192.168.0.113

[Device-radius-rs1] primary accounting 192.168.0.113

[Device-radius-rs1] key authentication radius

[Device-radius-rs1] key accounting radius

# Specify that the ISP domain name should not be included in the username sent to the RADIUS server.

[Device-radius-rs1] user-name-format without-domain

[Device-radius-rs1] quit

Step2

Configure an authentication domain

# Create an ISP domain named dm1 and enter its view.

[Device] domain dm1

# Configure the ISP domain to use RADIUS scheme rs1.

[Device-isp-dm1] authentication portal radius-scheme rs1

[Device-isp-dm1] authorization portal radius-scheme rs1

[Device-isp-dm1] accounting portal radius-scheme rs1

[Device-isp-dm1] quit

# Configure dm1 as the default ISP domain for all users. Then, if a user enters a username without any

ISP domain at logon, the authentication and accounting methods of the default domain will be used for

the user.

This manual is related to the following products:
See also other documents in the category H3C Technologies Safety: