Configuration procedure – H3C Technologies H3C SecPath F1000-E User Manual
Page 143
133
Configuration procedure
NOTE:
•
For re-DHCP authentication, configure a public address pool (20.20.20.0/24, in this example) and a
private address pool (10.0.0.0/24, in this example) on the DHCP server. (Details not shown.)
•
For re-DHCP authentication, the SecPath must be configured as a DHCP relay agent (instead of a DHCP
server) and the portal-enabled interface must be configured with a primary IP address (a public IP
address) and a secondary IP address (a private IP address). For information about DHCP relay agent
configuration, see
Network Management Configuration Guide.
•
Make sure that the IP address of the portal device added on the portal server is the public IP address of
the interface connecting users (20.20.20.1 in this example), the private IP address range for the IP
address group associated with the portal device is the private network segment where the users reside
(10.0.0.0/24 in this example), and the public IP address range for the IP address group is the public
network segment 20.20.20.0/24.
•
Configure IP addresses for the SecPath and servers as shown in
and make sure that the host,
SecPath, and servers can reach each other.
•
Configure the RADIUS server properly to provide authentication/accounting functions for users.
1.
Configure a RADIUS scheme on the SecPath:
# Create a RADIUS scheme named rs1, and enter its view.
[SecPath] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the CAMS or IMC server, set the server
type to extended.
[SecPath-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys
for communication with the servers.
[SecPath-radius-rs1] primary authentication 192.168.0.113
[SecPath-radius-rs1] primary accounting 192.168.0.113
[SecPath-radius-rs1] key authentication radius
[SecPath-radius-rs1] key accounting radius
# Specify that the ISP domain name should not be included in the username sent to the RADIUS
server.
[SecPath-radius-rs1] user-name-format without-domain
[SecPath-radius-rs1] quit
2.
Configure an authentication domain on the SecPath:
# Create an ISP domain named dm1 and enter its view.
[SecPath] domain dm1
# Configure AAA methods for the ISP domain.
[SecPath-isp-dm1] authentication portal radius-scheme rs1
[SecPath-isp-dm1] authorization portal radius-scheme rs1
[SecPath-isp-dm1] accounting portal radius-scheme rs1
[SecPath-isp-dm1] quit
# Configure dm1 as the default ISP domain for all users. Then, if a user enters a username without
any ISP domain at logon, the authentication and accounting methods of the default domain will be
used for the user.
- H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS